Coverage Report

Created: 2024-11-21 07:03

/src/cryptopp/gfpcrypt.h
Line
Count
Source (jump to first uncovered line)
1
// gfpcrypt.h - originally written and placed in the public domain by Wei Dai
2
//              RFC6979 deterministic signatures added by Douglas Roark
3
//              ECGDSA added by Jeffrey Walton
4
5
/// \file gfpcrypt.h
6
/// \brief Classes and functions for schemes based on Discrete Logs (DL) over GF(p)
7
8
#ifndef CRYPTOPP_GFPCRYPT_H
9
#define CRYPTOPP_GFPCRYPT_H
10
11
#include "config.h"
12
13
#if CRYPTOPP_MSC_VERSION
14
# pragma warning(push)
15
# pragma warning(disable: 4189 4231 4275)
16
#endif
17
18
#include "cryptlib.h"
19
#include "pubkey.h"
20
#include "integer.h"
21
#include "modexppc.h"
22
#include "algparam.h"
23
#include "smartptr.h"
24
#include "sha.h"
25
#include "asn.h"
26
#include "hmac.h"
27
#include "misc.h"
28
29
NAMESPACE_BEGIN(CryptoPP)
30
31
CRYPTOPP_DLL_TEMPLATE_CLASS DL_GroupParameters<Integer>;
32
33
/// \brief Integer-based GroupParameters specialization
34
class CRYPTOPP_DLL CRYPTOPP_NO_VTABLE DL_GroupParameters_IntegerBased : public ASN1CryptoMaterial<DL_GroupParameters<Integer> >
35
{
36
    typedef DL_GroupParameters_IntegerBased ThisClass;
37
38
public:
39
0
    virtual ~DL_GroupParameters_IntegerBased() {}
40
41
    /// \brief Initialize a group parameters over integers
42
    /// \param params the group parameters
43
    void Initialize(const DL_GroupParameters_IntegerBased &params)
44
0
        {Initialize(params.GetModulus(), params.GetSubgroupOrder(), params.GetSubgroupGenerator());}
45
46
    /// \brief Create a group parameters over integers
47
    /// \param rng a RandomNumberGenerator derived class
48
    /// \param pbits the size of p, in bits
49
    /// \details This function overload of Initialize() creates a new private key because it
50
    ///  takes a RandomNumberGenerator() as a parameter. If you have an existing keypair,
51
    ///  then use one of the other Initialize() overloads.
52
    void Initialize(RandomNumberGenerator &rng, unsigned int pbits)
53
0
        {GenerateRandom(rng, MakeParameters("ModulusSize", (int)pbits));}
54
55
    /// \brief Initialize a group parameters over integers
56
    /// \param p the modulus
57
    /// \param g the generator
58
    void Initialize(const Integer &p, const Integer &g)
59
0
        {SetModulusAndSubgroupGenerator(p, g); SetSubgroupOrder(ComputeGroupOrder(p)/2);}
60
61
    /// \brief Initialize a group parameters over integers
62
    /// \param p the modulus
63
    /// \param q the subgroup order
64
    /// \param g the generator
65
    void Initialize(const Integer &p, const Integer &q, const Integer &g)
66
0
        {SetModulusAndSubgroupGenerator(p, g); SetSubgroupOrder(q);}
67
68
    // ASN1Object interface
69
    void BERDecode(BufferedTransformation &bt);
70
    void DEREncode(BufferedTransformation &bt) const;
71
72
    /// \brief Generate a random key
73
    /// \param rng a RandomNumberGenerator to produce keying material
74
    /// \param alg additional initialization parameters
75
    /// \details Recognised NameValuePairs are ModulusSize and
76
    ///  SubgroupOrderSize (optional)
77
    /// \throw KeyingErr if a key can't be generated or algorithm parameters
78
    ///  are invalid
79
    void GenerateRandom(RandomNumberGenerator &rng, const NameValuePairs &alg);
80
81
    /// \brief Get a named value
82
    /// \param name the name of the object or value to retrieve
83
    /// \param valueType reference to a variable that receives the value
84
    /// \param pValue void pointer to a variable that receives the value
85
    /// \return true if the value was retrieved, false otherwise
86
    /// \details GetVoidValue() retrieves the value of name if it exists.
87
    /// \note GetVoidValue() is an internal function and should be implemented
88
    ///  by derived classes. Users should use one of the other functions instead.
89
    /// \sa GetValue(), GetValueWithDefault(), GetIntValue(), GetIntValueWithDefault(),
90
    ///  GetRequiredParameter() and GetRequiredIntParameter()
91
    bool GetVoidValue(const char *name, const std::type_info &valueType, void *pValue) const;
92
93
    /// \brief Initialize or reinitialize this key
94
    /// \param source NameValuePairs to assign
95
    void AssignFrom(const NameValuePairs &source);
96
97
    // DL_GroupParameters
98
0
    const Integer & GetSubgroupOrder() const {return m_q;}
99
0
    Integer GetGroupOrder() const {return GetFieldType() == 1 ? GetModulus()-Integer::One() : GetModulus()+Integer::One();}
100
    bool ValidateGroup(RandomNumberGenerator &rng, unsigned int level) const;
101
    bool ValidateElement(unsigned int level, const Integer &element, const DL_FixedBasePrecomputation<Integer> *precomp) const;
102
103
    /// \brief Determine if subgroup membership check is fast
104
    /// \return true or false
105
0
    bool FastSubgroupCheckAvailable() const {return GetCofactor() == 2;}
106
107
    /// \brief Encodes the element
108
    /// \param reversible flag indicating the encoding format
109
    /// \param element reference to the element to encode
110
    /// \param encoded destination byte array for the encoded element
111
    /// \details EncodeElement() must be implemented in a derived class.
112
    /// \pre <tt>COUNTOF(encoded) == GetEncodedElementSize()</tt>
113
    /// \sa GetEncodedElementSize(), DecodeElement(), <A
114
    ///  HREF="http://github.com/weidai11/cryptopp/issues/40">Cygwin
115
    ///  i386 crash at -O3</A>
116
    void EncodeElement(bool reversible, const Element &element, byte *encoded) const;
117
118
    /// \brief Retrieve the encoded element's size
119
    /// \param reversible flag indicating the encoding format
120
    /// \return encoded element's size, in bytes
121
    /// \details The format of the encoded element varies by the underlying
122
    ///  type of the element and the reversible flag.
123
    /// \sa EncodeElement(), DecodeElement()
124
    unsigned int GetEncodedElementSize(bool reversible) const;
125
126
    /// \brief Decodes the element
127
    /// \param encoded byte array with the encoded element
128
    /// \param checkForGroupMembership flag indicating if the element should be validated
129
    /// \return Element after decoding
130
    /// \details DecodeElement() must be implemented in a derived class.
131
    /// \pre <tt>COUNTOF(encoded) == GetEncodedElementSize()</tt>
132
    /// \sa GetEncodedElementSize(), EncodeElement()
133
    Integer DecodeElement(const byte *encoded, bool checkForGroupMembership) const;
134
135
    /// \brief Converts an element to an Integer
136
    /// \param element the element to convert to an Integer
137
    /// \return Element after converting to an Integer
138
    /// \details ConvertElementToInteger() must be implemented in a derived class.
139
    Integer ConvertElementToInteger(const Element &element) const
140
0
        {return element;}
141
142
    /// \brief Retrieve the maximum exponent for the group
143
    /// \return the maximum exponent for the group
144
    Integer GetMaxExponent() const;
145
146
    /// \brief Retrieve the OID of the algorithm
147
    /// \return OID of the algorithm
148
    OID GetAlgorithmID() const;
149
150
    /// \brief Retrieve the modulus for the group
151
    /// \return the modulus for the group
152
    virtual const Integer & GetModulus() const =0;
153
154
    /// \brief Set group parameters
155
    /// \param p the prime modulus
156
    /// \param g the group generator
157
    virtual void SetModulusAndSubgroupGenerator(const Integer &p, const Integer &g) =0;
158
159
    /// \brief Set subgroup order
160
    /// \param q the subgroup order
161
    void SetSubgroupOrder(const Integer &q)
162
0
        {m_q = q; ParametersChanged();}
163
164
0
    static std::string CRYPTOPP_API StaticAlgorithmNamePrefix() {return "";}
165
166
protected:
167
    Integer ComputeGroupOrder(const Integer &modulus) const
168
0
        {return modulus-(GetFieldType() == 1 ? 1 : -1);}
169
170
    // GF(p) = 1, GF(p^2) = 2
171
    virtual int GetFieldType() const =0;
172
    virtual unsigned int GetDefaultSubgroupOrderSize(unsigned int modulusSize) const;
173
174
private:
175
    Integer m_q;
176
};
177
178
/// \brief Integer-based GroupParameters default implementation
179
/// \tparam GROUP_PRECOMP group parameters precomputation specialization
180
/// \tparam BASE_PRECOMP base class precomputation specialization
181
template <class GROUP_PRECOMP, class BASE_PRECOMP = DL_FixedBasePrecomputationImpl<typename GROUP_PRECOMP::Element> >
182
class CRYPTOPP_NO_VTABLE DL_GroupParameters_IntegerBasedImpl : public DL_GroupParametersImpl<GROUP_PRECOMP, BASE_PRECOMP, DL_GroupParameters_IntegerBased>
183
{
184
    typedef DL_GroupParameters_IntegerBasedImpl<GROUP_PRECOMP, BASE_PRECOMP> ThisClass;
185
186
public:
187
    typedef typename GROUP_PRECOMP::Element Element;
188
189
0
    virtual ~DL_GroupParameters_IntegerBasedImpl() {}
190
191
    // GeneratibleCryptoMaterial interface
192
    bool GetVoidValue(const char *name, const std::type_info &valueType, void *pValue) const
193
0
        {return GetValueHelper<DL_GroupParameters_IntegerBased>(this, name, valueType, pValue).Assignable();}
194
195
    void AssignFrom(const NameValuePairs &source)
196
0
        {AssignFromHelper<DL_GroupParameters_IntegerBased>(this, source);}
197
198
    // DL_GroupParameters
199
0
    const DL_FixedBasePrecomputation<Element> & GetBasePrecomputation() const {return this->m_gpc;}
200
0
    DL_FixedBasePrecomputation<Element> & AccessBasePrecomputation() {return this->m_gpc;}
201
202
    // IntegerGroupParameters
203
    /// \brief Retrieve the modulus for the group
204
    /// \return the modulus for the group
205
0
    const Integer & GetModulus() const {return this->m_groupPrecomputation.GetModulus();}
206
207
    /// \brief Retrieves a reference to the group generator
208
    /// \return const reference to the group generator
209
0
    const Integer & GetGenerator() const {return this->m_gpc.GetBase(this->GetGroupPrecomputation());}
210
211
    void SetModulusAndSubgroupGenerator(const Integer &p, const Integer &g)        // these have to be set together
212
0
        {this->m_groupPrecomputation.SetModulus(p); this->m_gpc.SetBase(this->GetGroupPrecomputation(), g); this->ParametersChanged();}
213
214
    // non-inherited
215
    bool operator==(const DL_GroupParameters_IntegerBasedImpl<GROUP_PRECOMP, BASE_PRECOMP> &rhs) const
216
0
        {return GetModulus() == rhs.GetModulus() && GetGenerator() == rhs.GetGenerator() && this->GetSubgroupOrder() == rhs.GetSubgroupOrder();}
217
    bool operator!=(const DL_GroupParameters_IntegerBasedImpl<GROUP_PRECOMP, BASE_PRECOMP> &rhs) const
218
0
        {return !operator==(rhs);}
219
};
220
221
CRYPTOPP_DLL_TEMPLATE_CLASS DL_GroupParameters_IntegerBasedImpl<ModExpPrecomputation>;
222
223
/// \brief GF(p) group parameters
224
class CRYPTOPP_DLL DL_GroupParameters_GFP : public DL_GroupParameters_IntegerBasedImpl<ModExpPrecomputation>
225
{
226
public:
227
0
    virtual ~DL_GroupParameters_GFP() {}
228
229
    /// \brief Determines if an element is an identity
230
    /// \param element element to check
231
    /// \return true if the element is an identity, false otherwise
232
    /// \details The identity element or or neutral element is a special element
233
    ///  in a group that leaves other elements unchanged when combined with it.
234
    /// \details IsIdentity() must be implemented in a derived class.
235
0
    bool IsIdentity(const Integer &element) const {return element == Integer::One();}
236
237
    /// \brief Exponentiates a base to multiple exponents
238
    /// \param results an array of Elements
239
    /// \param base the base to raise to the exponents
240
    /// \param exponents an array of exponents
241
    /// \param exponentsCount the number of exponents in the array
242
    /// \details SimultaneousExponentiate() raises the base to each exponent in
243
    ///  the exponents array and stores the result at the respective position in
244
    ///  the results array.
245
    /// \details SimultaneousExponentiate() must be implemented in a derived class.
246
    /// \pre <tt>COUNTOF(results) == exponentsCount</tt>
247
    /// \pre <tt>COUNTOF(exponents) == exponentsCount</tt>
248
    void SimultaneousExponentiate(Element *results, const Element &base, const Integer *exponents, unsigned int exponentsCount) const;
249
250
    /// \brief Get a named value
251
    /// \param name the name of the object or value to retrieve
252
    /// \param valueType reference to a variable that receives the value
253
    /// \param pValue void pointer to a variable that receives the value
254
    /// \return true if the value was retrieved, false otherwise
255
    /// \details GetVoidValue() retrieves the value of name if it exists.
256
    /// \note GetVoidValue() is an internal function and should be implemented
257
    ///  by derived classes. Users should use one of the other functions instead.
258
    /// \sa GetValue(), GetValueWithDefault(), GetIntValue(), GetIntValueWithDefault(),
259
    ///  GetRequiredParameter() and GetRequiredIntParameter()
260
    bool GetVoidValue(const char *name, const std::type_info &valueType, void *pValue) const
261
0
    {
262
0
        return GetValueHelper<DL_GroupParameters_IntegerBased>(this, name, valueType, pValue).Assignable();
263
0
    }
264
265
    // used by MQV
266
    Element MultiplyElements(const Element &a, const Element &b) const;
267
    Element CascadeExponentiate(const Element &element1, const Integer &exponent1, const Element &element2, const Integer &exponent2) const;
268
269
protected:
270
0
    int GetFieldType() const {return 1;}
271
};
272
273
/// \brief GF(p) group parameters that default to safe primes
274
class CRYPTOPP_DLL DL_GroupParameters_GFP_DefaultSafePrime : public DL_GroupParameters_GFP
275
{
276
public:
277
    typedef NoCofactorMultiplication DefaultCofactorOption;
278
279
0
    virtual ~DL_GroupParameters_GFP_DefaultSafePrime() {}
280
281
protected:
282
0
    unsigned int GetDefaultSubgroupOrderSize(unsigned int modulusSize) const {return modulusSize-1;}
283
};
284
285
/// ElGamal encryption for safe interop
286
/// \sa <A HREF="https://eprint.iacr.org/2021/923.pdf">On the
287
///  (in)security of ElGamal in OpenPGP</A>,
288
///  <A HREF="https://github.com/weidai11/cryptopp/issues/1059">Issue 1059</A>,
289
///  <A HREF="https://nvd.nist.gov/vuln/detail/CVE-2021-40530">CVE-2021-40530</A>
290
/// \since Crypto++ 8.6
291
class CRYPTOPP_DLL DL_GroupParameters_ElGamal : public DL_GroupParameters_GFP_DefaultSafePrime
292
{
293
public:
294
    typedef NoCofactorMultiplication DefaultCofactorOption;
295
296
0
    virtual ~DL_GroupParameters_ElGamal() {}
297
298
  Integer GetMaxExponent() const
299
0
  {
300
0
    return GetSubgroupOrder()-1;
301
0
  }
302
};
303
304
/// \brief GDSA algorithm
305
/// \tparam T FieldElement type or class
306
/// \details FieldElement <tt>T</tt> can be Integer, ECP or EC2N.
307
template <class T>
308
class DL_Algorithm_GDSA : public DL_ElgamalLikeSignatureAlgorithm<T>
309
{
310
public:
311
0
    CRYPTOPP_STATIC_CONSTEXPR const char* CRYPTOPP_API StaticAlgorithmName() {return "DSA-1363";}
Unexecuted instantiation: CryptoPP::DL_Algorithm_GDSA<CryptoPP::Integer>::StaticAlgorithmName()
Unexecuted instantiation: CryptoPP::DL_Algorithm_GDSA<CryptoPP::ECPPoint>::StaticAlgorithmName()
Unexecuted instantiation: CryptoPP::DL_Algorithm_GDSA<CryptoPP::EC2NPoint>::StaticAlgorithmName()
312
313
0
    virtual ~DL_Algorithm_GDSA() {}
Unexecuted instantiation: CryptoPP::DL_Algorithm_GDSA<CryptoPP::Integer>::~DL_Algorithm_GDSA()
Unexecuted instantiation: CryptoPP::DL_Algorithm_GDSA<CryptoPP::ECPPoint>::~DL_Algorithm_GDSA()
Unexecuted instantiation: CryptoPP::DL_Algorithm_GDSA<CryptoPP::EC2NPoint>::~DL_Algorithm_GDSA()
314
315
    void Sign(const DL_GroupParameters<T> &params, const Integer &x, const Integer &k, const Integer &e, Integer &r, Integer &s) const
316
0
    {
317
0
        const Integer &q = params.GetSubgroupOrder();
318
0
        r %= q;
319
0
        Integer kInv = k.InverseMod(q);
320
0
        s = (kInv * (x*r + e)) % q;
321
0
        CRYPTOPP_ASSERT(!!r && !!s);
322
0
    }
Unexecuted instantiation: CryptoPP::DL_Algorithm_GDSA<CryptoPP::Integer>::Sign(CryptoPP::DL_GroupParameters<CryptoPP::Integer> const&, CryptoPP::Integer const&, CryptoPP::Integer const&, CryptoPP::Integer const&, CryptoPP::Integer&, CryptoPP::Integer&) const
Unexecuted instantiation: CryptoPP::DL_Algorithm_GDSA<CryptoPP::ECPPoint>::Sign(CryptoPP::DL_GroupParameters<CryptoPP::ECPPoint> const&, CryptoPP::Integer const&, CryptoPP::Integer const&, CryptoPP::Integer const&, CryptoPP::Integer&, CryptoPP::Integer&) const
Unexecuted instantiation: CryptoPP::DL_Algorithm_GDSA<CryptoPP::EC2NPoint>::Sign(CryptoPP::DL_GroupParameters<CryptoPP::EC2NPoint> const&, CryptoPP::Integer const&, CryptoPP::Integer const&, CryptoPP::Integer const&, CryptoPP::Integer&, CryptoPP::Integer&) const
323
324
    bool Verify(const DL_GroupParameters<T> &params, const DL_PublicKey<T> &publicKey, const Integer &e, const Integer &r, const Integer &s) const
325
0
    {
326
0
        const Integer &q = params.GetSubgroupOrder();
327
0
        if (r>=q || r<1 || s>=q || s<1)
328
0
            return false;
329
330
0
        Integer w = s.InverseMod(q);
331
0
        Integer u1 = (e * w) % q;
332
0
        Integer u2 = (r * w) % q;
333
        // verify r == (g^u1 * y^u2 mod p) mod q
334
0
        return r == params.ConvertElementToInteger(publicKey.CascadeExponentiateBaseAndPublicElement(u1, u2)) % q;
335
0
    }
Unexecuted instantiation: CryptoPP::DL_Algorithm_GDSA<CryptoPP::Integer>::Verify(CryptoPP::DL_GroupParameters<CryptoPP::Integer> const&, CryptoPP::DL_PublicKey<CryptoPP::Integer> const&, CryptoPP::Integer const&, CryptoPP::Integer const&, CryptoPP::Integer const&) const
Unexecuted instantiation: CryptoPP::DL_Algorithm_GDSA<CryptoPP::ECPPoint>::Verify(CryptoPP::DL_GroupParameters<CryptoPP::ECPPoint> const&, CryptoPP::DL_PublicKey<CryptoPP::ECPPoint> const&, CryptoPP::Integer const&, CryptoPP::Integer const&, CryptoPP::Integer const&) const
Unexecuted instantiation: CryptoPP::DL_Algorithm_GDSA<CryptoPP::EC2NPoint>::Verify(CryptoPP::DL_GroupParameters<CryptoPP::EC2NPoint> const&, CryptoPP::DL_PublicKey<CryptoPP::EC2NPoint> const&, CryptoPP::Integer const&, CryptoPP::Integer const&, CryptoPP::Integer const&) const
336
};
337
338
/// \brief DSA signature algorithm based on RFC 6979
339
/// \tparam T FieldElement type or class
340
/// \tparam H HashTransformation derived class
341
/// \details FieldElement <tt>T</tt> can be Integer, ECP or EC2N.
342
/// \sa <a href="http://tools.ietf.org/rfc/rfc6979.txt">RFC 6979, Deterministic Usage of the
343
///  Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA)</a>
344
/// \since Crypto++ 6.0
345
template <class T, class H>
346
class DL_Algorithm_DSA_RFC6979 : public DL_Algorithm_GDSA<T>, public DeterministicSignatureAlgorithm
347
{
348
public:
349
0
    CRYPTOPP_STATIC_CONSTEXPR const char* CRYPTOPP_API StaticAlgorithmName() {return "DSA-RFC6979";}
Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA1>::StaticAlgorithmName()
Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA224>::StaticAlgorithmName()
Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA256>::StaticAlgorithmName()
Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA384>::StaticAlgorithmName()
Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA512>::StaticAlgorithmName()
350
351
0
    virtual ~DL_Algorithm_DSA_RFC6979() {}
Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA1>::~DL_Algorithm_DSA_RFC6979()
Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA224>::~DL_Algorithm_DSA_RFC6979()
Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA256>::~DL_Algorithm_DSA_RFC6979()
Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA384>::~DL_Algorithm_DSA_RFC6979()
Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA512>::~DL_Algorithm_DSA_RFC6979()
352
353
    bool IsProbabilistic() const
354
0
        {return false;}
Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA1>::IsProbabilistic() const
Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA224>::IsProbabilistic() const
Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA256>::IsProbabilistic() const
Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA384>::IsProbabilistic() const
Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA512>::IsProbabilistic() const
355
    bool IsDeterministic() const
356
0
        {return true;}
Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA1>::IsDeterministic() const
Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA224>::IsDeterministic() const
Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA256>::IsDeterministic() const
Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA384>::IsDeterministic() const
Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA512>::IsDeterministic() const
357
358
    // Deterministic K
359
    Integer GenerateRandom(const Integer &x, const Integer &q, const Integer &e) const
360
0
    {
361
0
        static const byte zero = 0, one = 1;
362
0
        const size_t qlen = q.BitCount();
363
0
        const size_t rlen = BitsToBytes(qlen);
364
365
        // Step (a) - formatted E(m)
366
0
        SecByteBlock BH(e.MinEncodedSize());
367
0
        e.Encode(BH, BH.size());
368
0
        BH = bits2octets(BH, q);
369
370
        // Step (a) - private key to byte array
371
0
        SecByteBlock BX(STDMAX(rlen, x.MinEncodedSize()));
372
0
        x.Encode(BX, BX.size());
373
374
        // Step (b)
375
0
        SecByteBlock V(H::DIGESTSIZE);
376
0
        std::fill(V.begin(), V.begin()+H::DIGESTSIZE, one);
377
378
        // Step (c)
379
0
        SecByteBlock K(H::DIGESTSIZE);
380
0
        std::fill(K.begin(), K.begin()+H::DIGESTSIZE, zero);
381
382
        // Step (d)
383
0
        m_hmac.SetKey(K, K.size());
384
0
        m_hmac.Update(V, V.size());
385
0
        m_hmac.Update(&zero, 1);
386
0
        m_hmac.Update(BX, BX.size());
387
0
        m_hmac.Update(BH, BH.size());
388
0
        m_hmac.TruncatedFinal(K, K.size());
389
390
        // Step (e)
391
0
        m_hmac.SetKey(K, K.size());
392
0
        m_hmac.Update(V, V.size());
393
0
        m_hmac.TruncatedFinal(V, V.size());
394
395
        // Step (f)
396
0
        m_hmac.SetKey(K, K.size());
397
0
        m_hmac.Update(V, V.size());
398
0
        m_hmac.Update(&one, 1);
399
0
        m_hmac.Update(BX, BX.size());
400
0
        m_hmac.Update(BH, BH.size());
401
0
        m_hmac.TruncatedFinal(K, K.size());
402
403
        // Step (g)
404
0
        m_hmac.SetKey(K, K.size());
405
0
        m_hmac.Update(V, V.size());
406
0
        m_hmac.TruncatedFinal(V, V.size());
407
408
0
        Integer k;
409
0
        SecByteBlock temp(rlen);
410
0
        for (;;)
411
0
        {
412
            // We want qlen bits, but we support only hash functions with an output length
413
            //   multiple of 8; hence, we will gather rlen bits, i.e., rolen octets.
414
0
            size_t toff = 0;
415
0
            while (toff < rlen)
416
0
            {
417
0
                m_hmac.Update(V, V.size());
418
0
                m_hmac.TruncatedFinal(V, V.size());
419
420
0
                size_t cc = STDMIN(V.size(), temp.size() - toff);
421
0
                memcpy_s(temp+toff, temp.size() - toff, V, cc);
422
0
                toff += cc;
423
0
            }
424
425
0
            k = bits2int(temp, qlen);
426
0
            if (k > 0 && k < q)
427
0
                break;
428
429
            // k is not in the proper range; update K and V, and loop.
430
0
            m_hmac.Update(V, V.size());
431
0
            m_hmac.Update(&zero, 1);
432
0
            m_hmac.TruncatedFinal(K, K.size());
433
434
0
            m_hmac.SetKey(K, K.size());
435
0
            m_hmac.Update(V, V.size());
436
0
            m_hmac.TruncatedFinal(V, V.size());
437
0
        }
438
439
0
        return k;
440
0
    }
Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA1>::GenerateRandom(CryptoPP::Integer const&, CryptoPP::Integer const&, CryptoPP::Integer const&) const
Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA224>::GenerateRandom(CryptoPP::Integer const&, CryptoPP::Integer const&, CryptoPP::Integer const&) const
Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA256>::GenerateRandom(CryptoPP::Integer const&, CryptoPP::Integer const&, CryptoPP::Integer const&) const
Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA384>::GenerateRandom(CryptoPP::Integer const&, CryptoPP::Integer const&, CryptoPP::Integer const&) const
Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA512>::GenerateRandom(CryptoPP::Integer const&, CryptoPP::Integer const&, CryptoPP::Integer const&) const
441
442
protected:
443
444
    Integer bits2int(const SecByteBlock& bits, size_t qlen) const
445
0
    {
446
0
        Integer ret(bits, bits.size());
447
0
        size_t blen = bits.size()*8;
448
449
0
        if (blen > qlen)
450
0
            ret >>= blen - qlen;
451
452
0
        return ret;
453
0
    }
Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA1>::bits2int(CryptoPP::SecBlock<unsigned char, CryptoPP::AllocatorWithCleanup<unsigned char, false> > const&, unsigned long) const
Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA224>::bits2int(CryptoPP::SecBlock<unsigned char, CryptoPP::AllocatorWithCleanup<unsigned char, false> > const&, unsigned long) const
Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA256>::bits2int(CryptoPP::SecBlock<unsigned char, CryptoPP::AllocatorWithCleanup<unsigned char, false> > const&, unsigned long) const
Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA384>::bits2int(CryptoPP::SecBlock<unsigned char, CryptoPP::AllocatorWithCleanup<unsigned char, false> > const&, unsigned long) const
Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA512>::bits2int(CryptoPP::SecBlock<unsigned char, CryptoPP::AllocatorWithCleanup<unsigned char, false> > const&, unsigned long) const
454
455
    // RFC 6979 support function. Takes an integer and converts it into bytes that
456
    // are the same length as an elliptic curve's order.
457
    SecByteBlock int2octets(const Integer& val, size_t rlen) const
458
0
    {
459
0
        SecByteBlock block(val.MinEncodedSize());
460
0
        val.Encode(block, val.MinEncodedSize());
461
462
0
        if (block.size() == rlen)
463
0
            return block;
464
465
        // The least significant bytes are the ones we need to preserve.
466
0
        SecByteBlock t(rlen);
467
0
        if (block.size() > rlen)
468
0
        {
469
0
            size_t offset = block.size() - rlen;
470
0
            std::memcpy(t, block + offset, rlen);
471
0
        }
472
0
        else // block.size() < rlen
473
0
        {
474
0
            size_t offset = rlen - block.size();
475
0
            std::memset(t, '\x00', offset);
476
0
            std::memcpy(t + offset, block, rlen - offset);
477
0
        }
478
479
0
        return t;
480
0
    }
Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA1>::int2octets(CryptoPP::Integer const&, unsigned long) const
Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA224>::int2octets(CryptoPP::Integer const&, unsigned long) const
Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA256>::int2octets(CryptoPP::Integer const&, unsigned long) const
Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA384>::int2octets(CryptoPP::Integer const&, unsigned long) const
Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA512>::int2octets(CryptoPP::Integer const&, unsigned long) const
481
482
    // Turn a stream of bits into a set of bytes with the same length as an elliptic
483
    // curve's order.
484
    SecByteBlock bits2octets(const SecByteBlock& in, const Integer& q) const
485
0
    {
486
0
        Integer b2 = bits2int(in, q.BitCount());
487
0
        Integer b1 = b2 - q;
488
0
        return int2octets(b1.IsNegative() ? b2 : b1, q.ByteCount());
489
0
    }
Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA1>::bits2octets(CryptoPP::SecBlock<unsigned char, CryptoPP::AllocatorWithCleanup<unsigned char, false> > const&, CryptoPP::Integer const&) const
Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA224>::bits2octets(CryptoPP::SecBlock<unsigned char, CryptoPP::AllocatorWithCleanup<unsigned char, false> > const&, CryptoPP::Integer const&) const
Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA256>::bits2octets(CryptoPP::SecBlock<unsigned char, CryptoPP::AllocatorWithCleanup<unsigned char, false> > const&, CryptoPP::Integer const&) const
Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA384>::bits2octets(CryptoPP::SecBlock<unsigned char, CryptoPP::AllocatorWithCleanup<unsigned char, false> > const&, CryptoPP::Integer const&) const
Unexecuted instantiation: CryptoPP::DL_Algorithm_DSA_RFC6979<CryptoPP::Integer, CryptoPP::SHA512>::bits2octets(CryptoPP::SecBlock<unsigned char, CryptoPP::AllocatorWithCleanup<unsigned char, false> > const&, CryptoPP::Integer const&) const
490
491
private:
492
    mutable H m_hash;
493
    mutable HMAC<H> m_hmac;
494
};
495
496
/// \brief German Digital Signature Algorithm
497
/// \tparam T FieldElement type or class
498
/// \details FieldElement <tt>T</tt> can be Integer, ECP or EC2N.
499
/// \details The Digital Signature Scheme ECGDSA does not define the algorithm over integers. Rather, the
500
///  signature algorithm is only defined over elliptic curves. However, the library design is such that the
501
///  generic algorithm reside in <tt>gfpcrypt.h</tt>.
502
/// \sa Erwin Hess, Marcus Schafheutle, and Pascale Serf <A HREF="http://www.teletrust.de/fileadmin/files/oid/ecgdsa_final.pdf">
503
///  The Digital Signature Scheme ECGDSA (October 24, 2006)</A>
504
template <class T>
505
class DL_Algorithm_GDSA_ISO15946 : public DL_ElgamalLikeSignatureAlgorithm<T>
506
{
507
public:
508
    CRYPTOPP_STATIC_CONSTEXPR const char* CRYPTOPP_API StaticAlgorithmName() {return "GDSA-ISO15946";}
509
510
    virtual ~DL_Algorithm_GDSA_ISO15946() {}
511
512
    void Sign(const DL_GroupParameters<T> &params, const Integer &x, const Integer &k, const Integer &e, Integer &r, Integer &s) const
513
    {
514
        const Integer &q = params.GetSubgroupOrder();
515
        // r = x(k * G) mod q
516
        r = params.ConvertElementToInteger(params.ExponentiateBase(k)) % q;
517
        // s = (k * r - h(m)) * d_A mod q
518
        s = (k * r - e) * x % q;
519
        CRYPTOPP_ASSERT(!!r && !!s);
520
    }
521
522
    bool Verify(const DL_GroupParameters<T> &params, const DL_PublicKey<T> &publicKey, const Integer &e, const Integer &r, const Integer &s) const
523
    {
524
        const Integer &q = params.GetSubgroupOrder();
525
        if (r>=q || r<1 || s>=q || s<1)
526
            return false;
527
528
        const Integer& rInv = r.InverseMod(q);
529
        const Integer u1 = (rInv * e) % q;
530
        const Integer u2 = (rInv * s) % q;
531
        // verify x(G^u1 + P_A^u2) mod q
532
        return r == params.ConvertElementToInteger(publicKey.CascadeExponentiateBaseAndPublicElement(u1, u2)) % q;
533
    }
534
};
535
536
CRYPTOPP_DLL_TEMPLATE_CLASS DL_Algorithm_GDSA<Integer>;
537
CRYPTOPP_DLL_TEMPLATE_CLASS DL_Algorithm_DSA_RFC6979<Integer, SHA1>;
538
CRYPTOPP_DLL_TEMPLATE_CLASS DL_Algorithm_DSA_RFC6979<Integer, SHA224>;
539
CRYPTOPP_DLL_TEMPLATE_CLASS DL_Algorithm_DSA_RFC6979<Integer, SHA256>;
540
CRYPTOPP_DLL_TEMPLATE_CLASS DL_Algorithm_DSA_RFC6979<Integer, SHA384>;
541
CRYPTOPP_DLL_TEMPLATE_CLASS DL_Algorithm_DSA_RFC6979<Integer, SHA512>;
542
543
/// \brief NR algorithm
544
/// \tparam T FieldElement type or class
545
/// \details FieldElement <tt>T</tt> can be Integer, ECP or EC2N.
546
template <class T>
547
class DL_Algorithm_NR : public DL_ElgamalLikeSignatureAlgorithm<T>
548
{
549
public:
550
    CRYPTOPP_STATIC_CONSTEXPR const char* CRYPTOPP_API StaticAlgorithmName() {return "NR";}
551
552
    virtual ~DL_Algorithm_NR() {}
553
554
    void Sign(const DL_GroupParameters<T> &params, const Integer &x, const Integer &k, const Integer &e, Integer &r, Integer &s) const
555
    {
556
        const Integer &q = params.GetSubgroupOrder();
557
        r = (r + e) % q;
558
        s = (k - x*r) % q;
559
        CRYPTOPP_ASSERT(!!r);
560
    }
561
562
    bool Verify(const DL_GroupParameters<T> &params, const DL_PublicKey<T> &publicKey, const Integer &e, const Integer &r, const Integer &s) const
563
    {
564
        const Integer &q = params.GetSubgroupOrder();
565
        if (r>=q || r<1 || s>=q)
566
            return false;
567
568
        // check r == (m_g^s * m_y^r + m) mod m_q
569
        return r == (params.ConvertElementToInteger(publicKey.CascadeExponentiateBaseAndPublicElement(s, r)) + e) % q;
570
    }
571
};
572
573
/// \brief Discrete Log (DL) public key in GF(p) groups
574
/// \tparam GP GroupParameters derived class
575
/// \details DSA public key format is defined in 7.3.3 of RFC 2459. The    private key format is defined in 12.9 of PKCS #11 v2.10.
576
template <class GP>
577
class DL_PublicKey_GFP : public DL_PublicKeyImpl<GP>
578
{
579
public:
580
0
    virtual ~DL_PublicKey_GFP() {}
581
582
    /// \brief Initialize a public key over GF(p)
583
    /// \param params the group parameters
584
    /// \param y the public element
585
    void Initialize(const DL_GroupParameters_IntegerBased &params, const Integer &y)
586
0
        {this->AccessGroupParameters().Initialize(params); this->SetPublicElement(y);}
587
588
    /// \brief Initialize a public key over GF(p)
589
    /// \param p the modulus
590
    /// \param g the generator
591
    /// \param y the public element
592
    void Initialize(const Integer &p, const Integer &g, const Integer &y)
593
0
        {this->AccessGroupParameters().Initialize(p, g); this->SetPublicElement(y);}
594
595
    /// \brief Initialize a public key over GF(p)
596
    /// \param p the modulus
597
    /// \param q the subgroup order
598
    /// \param g the generator
599
    /// \param y the public element
600
    void Initialize(const Integer &p, const Integer &q, const Integer &g, const Integer &y)
601
0
        {this->AccessGroupParameters().Initialize(p, q, g); this->SetPublicElement(y);}
602
603
    // X509PublicKey
604
    void BERDecodePublicKey(BufferedTransformation &bt, bool, size_t)
605
0
        {this->SetPublicElement(Integer(bt));}
606
    void DEREncodePublicKey(BufferedTransformation &bt) const
607
0
        {this->GetPublicElement().DEREncode(bt);}
608
};
609
610
/// \brief Discrete Log (DL) private key in GF(p) groups
611
/// \tparam GP GroupParameters derived class
612
template <class GP>
613
class DL_PrivateKey_GFP : public DL_PrivateKeyImpl<GP>
614
{
615
public:
616
    virtual ~DL_PrivateKey_GFP();
617
618
    /// \brief Create a private key
619
    /// \param rng a RandomNumberGenerator derived class
620
    /// \param modulusBits the size of the modulus, in bits
621
    /// \details This function overload of Initialize() creates a new private key because it
622
    ///  takes a RandomNumberGenerator() as a parameter. If you have an existing keypair,
623
    ///  then use one of the other Initialize() overloads.
624
    void Initialize(RandomNumberGenerator &rng, unsigned int modulusBits)
625
0
        {this->GenerateRandomWithKeySize(rng, modulusBits);}
626
627
    /// \brief Create a private key
628
    /// \param rng a RandomNumberGenerator derived class
629
    /// \param p the modulus
630
    /// \param g the generator
631
    /// \details This function overload of Initialize() creates a new private key because it
632
    ///  takes a RandomNumberGenerator() as a parameter. If you have an existing keypair,
633
    ///  then use one of the other Initialize() overloads.
634
    void Initialize(RandomNumberGenerator &rng, const Integer &p, const Integer &g)
635
0
        {this->GenerateRandom(rng, MakeParameters("Modulus", p)("SubgroupGenerator", g));}
636
637
    /// \brief Create a private key
638
    /// \param rng a RandomNumberGenerator derived class
639
    /// \param p the modulus
640
    /// \param q the subgroup order
641
    /// \param g the generator
642
    /// \details This function overload of Initialize() creates a new private key because it
643
    ///  takes a RandomNumberGenerator() as a parameter. If you have an existing keypair,
644
    ///  then use one of the other Initialize() overloads.
645
    void Initialize(RandomNumberGenerator &rng, const Integer &p, const Integer &q, const Integer &g)
646
0
        {this->GenerateRandom(rng, MakeParameters("Modulus", p)("SubgroupOrder", q)("SubgroupGenerator", g));}
647
648
    /// \brief Initialize a private key over GF(p)
649
    /// \param params the group parameters
650
    /// \param x the private exponent
651
    void Initialize(const DL_GroupParameters_IntegerBased &params, const Integer &x)
652
0
        {this->AccessGroupParameters().Initialize(params); this->SetPrivateExponent(x);}
653
654
    /// \brief Initialize a private key over GF(p)
655
    /// \param p the modulus
656
    /// \param g the generator
657
    /// \param x the private exponent
658
    void Initialize(const Integer &p, const Integer &g, const Integer &x)
659
0
        {this->AccessGroupParameters().Initialize(p, g); this->SetPrivateExponent(x);}
660
661
    /// \brief Initialize a private key over GF(p)
662
    /// \param p the modulus
663
    /// \param q the subgroup order
664
    /// \param g the generator
665
    /// \param x the private exponent
666
    void Initialize(const Integer &p, const Integer &q, const Integer &g, const Integer &x)
667
0
        {this->AccessGroupParameters().Initialize(p, q, g); this->SetPrivateExponent(x);}
668
};
669
670
// Out-of-line dtor due to AIX and GCC, http://github.com/weidai11/cryptopp/issues/499
671
template <class GP>
672
0
DL_PrivateKey_GFP<GP>::~DL_PrivateKey_GFP() {}
673
674
/// \brief Discrete Log (DL) signing/verification keys in GF(p) groups
675
struct DL_SignatureKeys_GFP
676
{
677
    typedef DL_GroupParameters_GFP GroupParameters;
678
    typedef DL_PublicKey_GFP<GroupParameters> PublicKey;
679
    typedef DL_PrivateKey_GFP<GroupParameters> PrivateKey;
680
};
681
682
/// \brief Discrete Log (DL) encryption/decryption keys in GF(p) groups
683
struct DL_CryptoKeys_GFP
684
{
685
    typedef DL_GroupParameters_GFP_DefaultSafePrime GroupParameters;
686
    typedef DL_PublicKey_GFP<GroupParameters> PublicKey;
687
    typedef DL_PrivateKey_GFP<GroupParameters> PrivateKey;
688
};
689
690
/// ElGamal encryption keys for safe interop
691
/// \sa <A HREF="https://eprint.iacr.org/2021/923.pdf">On the
692
///  (in)security of ElGamal in OpenPGP</A>,
693
///  <A HREF="https://github.com/weidai11/cryptopp/issues/1059">Issue 1059</A>,
694
///  <A HREF="https://nvd.nist.gov/vuln/detail/CVE-2021-40530">CVE-2021-40530</A>
695
/// \since Crypto++ 8.6
696
struct DL_CryptoKeys_ElGamal
697
{
698
    typedef DL_GroupParameters_ElGamal GroupParameters;
699
    typedef DL_PublicKey_GFP<GroupParameters> PublicKey;
700
    typedef DL_PrivateKey_GFP<GroupParameters> PrivateKey;
701
};
702
703
/// \brief DSA signature scheme
704
/// \tparam H HashTransformation derived class
705
/// \sa <a href="http://www.weidai.com/scan-mirror/sig.html#DSA-1363">DSA-1363</a>
706
/// \since Crypto++ 1.0 for DSA, Crypto++ 5.6.2 for DSA2
707
template <class H>
708
struct GDSA : public DL_SS<
709
    DL_SignatureKeys_GFP,
710
    DL_Algorithm_GDSA<Integer>,
711
    DL_SignatureMessageEncodingMethod_DSA,
712
    H>
713
{
714
};
715
716
/// \brief NR signature scheme
717
/// \tparam H HashTransformation derived class
718
/// \sa <a href="http://www.weidai.com/scan-mirror/sig.html#NR">NR</a>
719
template <class H>
720
struct NR : public DL_SS<
721
    DL_SignatureKeys_GFP,
722
    DL_Algorithm_NR<Integer>,
723
    DL_SignatureMessageEncodingMethod_NR,
724
    H>
725
{
726
};
727
728
/// \brief DSA group parameters
729
/// \details These are GF(p) group parameters that are allowed by the DSA standard
730
/// \sa DL_Keys_DSA
731
/// \since Crypto++ 1.0
732
class CRYPTOPP_DLL DL_GroupParameters_DSA : public DL_GroupParameters_GFP
733
{
734
public:
735
0
    virtual ~DL_GroupParameters_DSA() {}
736
737
    /// \brief Check the group for errors
738
    /// \param rng RandomNumberGenerator for objects which use randomized testing
739
    /// \param level level of thoroughness
740
    /// \return true if the tests succeed, false otherwise
741
    /// \details ValidateGroup() also checks that the lengths of p and q are allowed
742
    ///  by the DSA standard.
743
    /// \details There are four levels of thoroughness:
744
    ///  <ul>
745
    ///  <li>0 - using this object won't cause a crash or exception
746
    ///  <li>1 - this object will probably function, and encrypt, sign, other operations correctly
747
    ///  <li>2 - ensure this object will function correctly, and perform reasonable security checks
748
    ///  <li>3 - perform reasonable security checks, and do checks that may take a long time
749
    ///  </ul>
750
    /// \details Level 0 does not require a RandomNumberGenerator. A NullRNG() can be used for level 0.
751
    ///  Level 1 may not check for weak keys and such. Levels 2 and 3 are recommended.
752
    bool ValidateGroup(RandomNumberGenerator &rng, unsigned int level) const;
753
754
    /// \brief Generate a random key or crypto parameters
755
    /// \param rng a RandomNumberGenerator to produce keying material
756
    /// \param alg additional initialization parameters
757
    /// \details NameValuePairs can be ModulusSize alone; or Modulus, SubgroupOrder, and
758
    ///  SubgroupGenerator. ModulusSize must be between <tt>DSA::MIN_PRIME_LENGTH</tt> and
759
    ///  <tt>DSA::MAX_PRIME_LENGTH</tt>, and divisible by <tt>DSA::PRIME_LENGTH_MULTIPLE</tt>.
760
    /// \details An example of changing the modulus size using NameValuePairs is shown below.
761
    /// <pre>
762
    ///  AlgorithmParameters params = MakeParameters
763
    ///    (Name::ModulusSize(), 2048);
764
    ///
765
    ///  DL_GroupParameters_DSA groupParams;
766
    ///  groupParams.GenerateRandom(prng, params);
767
    /// </pre>
768
    /// \throw KeyingErr if a key can't be generated or algorithm parameters are invalid.
769
    void GenerateRandom(RandomNumberGenerator &rng, const NameValuePairs &alg);
770
771
    /// \brief Check the prime length for errors
772
    /// \param pbits number of bits in the prime number
773
    /// \return true if the tests succeed, false otherwise
774
    static bool CRYPTOPP_API IsValidPrimeLength(unsigned int pbits)
775
0
        {return pbits >= MIN_PRIME_LENGTH && pbits <= MAX_PRIME_LENGTH && pbits % PRIME_LENGTH_MULTIPLE == 0;}
776
777
    /// \brief DSA prime length
778
    enum {
779
        /// \brief Minimum prime length
780
        MIN_PRIME_LENGTH = 1024,
781
        /// \brief Maximum prime length
782
        MAX_PRIME_LENGTH = 3072,
783
        /// \brief Prime length multiple
784
        PRIME_LENGTH_MULTIPLE = 1024
785
    };
786
};
787
788
template <class H>
789
class DSA2;
790
791
/// \brief DSA keys
792
/// \sa DL_GroupParameters_DSA
793
/// \since Crypto++ 1.0
794
struct DL_Keys_DSA
795
{
796
    typedef DL_PublicKey_GFP<DL_GroupParameters_DSA> PublicKey;
797
    typedef DL_PrivateKey_WithSignaturePairwiseConsistencyTest<DL_PrivateKey_GFP<DL_GroupParameters_DSA>, DSA2<SHA1> > PrivateKey;
798
};
799
800
/// \brief DSA signature scheme
801
/// \tparam H HashTransformation derived class
802
/// \details The class is named DSA2 instead of DSA for backwards compatibility because
803
///  DSA was a non-template class.
804
/// \details DSA default method GenerateRandom uses a 2048-bit modulus and a 224-bit subgoup by default.
805
///  The modulus can be changed using the following code:
806
/// <pre>
807
///  DSA::PrivateKey privateKey;
808
///  privateKey.GenerateRandomWithKeySize(prng, 2048);
809
/// </pre>
810
/// \details The subgroup order can be changed using the following code:
811
/// <pre>
812
///  AlgorithmParameters params = MakeParameters
813
///    (Name::ModulusSize(), 2048)
814
///    (Name::SubgroupOrderSize(), 256);
815
///
816
///  DSA::PrivateKey privateKey;
817
///  privateKey.GenerateRandom(prng, params);
818
/// </pre>
819
/// \sa <a href="http://en.wikipedia.org/wiki/Digital_Signature_Algorithm">DSA</a>, as specified in FIPS 186-3,
820
///  <a href="https://www.cryptopp.com/wiki/Digital_Signature_Algorithm">Digital Signature Algorithm</a> on the wiki, and
821
///  <a href="https://www.cryptopp.com/wiki/NameValuePairs">NameValuePairs</a> on the wiki.
822
/// \since Crypto++ 1.0 for DSA, Crypto++ 5.6.2 for DSA2, Crypto++ 6.1 for 2048-bit modulus.
823
template <class H>
824
class DSA2 : public DL_SS<
825
    DL_Keys_DSA,
826
    DL_Algorithm_GDSA<Integer>,
827
    DL_SignatureMessageEncodingMethod_DSA,
828
    H,
829
    DSA2<H> >
830
{
831
public:
832
0
    static std::string CRYPTOPP_API StaticAlgorithmName() {return "DSA/" + (std::string)H::StaticAlgorithmName();}
833
};
834
835
/// \brief DSA deterministic signature scheme
836
/// \tparam H HashTransformation derived class
837
/// \sa <a href="http://www.weidai.com/scan-mirror/sig.html#DSA-1363">DSA-1363</a>
838
/// \since Crypto++ 1.0 for DSA, Crypto++ 5.6.2 for DSA2
839
template <class H>
840
struct DSA_RFC6979 : public DL_SS<
841
    DL_SignatureKeys_GFP,
842
    DL_Algorithm_DSA_RFC6979<Integer, H>,
843
    DL_SignatureMessageEncodingMethod_DSA,
844
    H,
845
    DSA_RFC6979<H> >
846
{
847
    static std::string CRYPTOPP_API StaticAlgorithmName() {return std::string("DSA-RFC6979/") + H::StaticAlgorithmName();}
848
};
849
850
/// DSA with SHA-1, typedef'd for backwards compatibility
851
typedef DSA2<SHA1> DSA;
852
853
CRYPTOPP_DLL_TEMPLATE_CLASS DL_PublicKey_GFP<DL_GroupParameters_DSA>;
854
CRYPTOPP_DLL_TEMPLATE_CLASS DL_PrivateKey_GFP<DL_GroupParameters_DSA>;
855
CRYPTOPP_DLL_TEMPLATE_CLASS DL_PrivateKey_WithSignaturePairwiseConsistencyTest<DL_PrivateKey_GFP<DL_GroupParameters_DSA>, DSA2<SHA1> >;
856
857
/// \brief P1363 based XOR Encryption Method
858
/// \tparam MAC MessageAuthenticationCode derived class used for MAC computation
859
/// \tparam DHAES_MODE flag indicating DHAES mode
860
/// \tparam LABEL_OCTETS flag indicating the label is octet count
861
/// \details DL_EncryptionAlgorithm_Xor is based on an early P1363 draft, which itself appears to be based on an
862
///  early Certicom SEC-1 draft (or an early SEC-1 draft was based on a P1363 draft). Crypto++ 4.2 used it in its Integrated
863
///  Ecryption Schemes with <tt>NoCofactorMultiplication</tt>, <tt>DHAES_MODE=false</tt> and <tt>LABEL_OCTETS=true</tt>.
864
/// \details If you need this method for Crypto++ 4.2 compatibility, then use the ECIES template class with
865
///  <tt>NoCofactorMultiplication</tt>, <tt>DHAES_MODE=false</tt> and <tt>LABEL_OCTETS=true</tt>.
866
/// \details If you need this method for Bouncy Castle 1.54 and Botan 1.11 compatibility, then use the ECIES template class with
867
///  <tt>NoCofactorMultiplication</tt>, <tt>DHAES_MODE=true</tt> and <tt>LABEL_OCTETS=false</tt>.
868
/// \details Bouncy Castle 1.54 and Botan 1.11 compatibility are the default template parameters.
869
/// \since Crypto++ 4.0
870
template <class MAC, bool DHAES_MODE, bool LABEL_OCTETS=false>
871
class DL_EncryptionAlgorithm_Xor : public DL_SymmetricEncryptionAlgorithm
872
{
873
public:
874
    virtual ~DL_EncryptionAlgorithm_Xor() {}
875
876
    bool ParameterSupported(const char *name) const {return strcmp(name, Name::EncodingParameters()) == 0;}
877
    size_t GetSymmetricKeyLength(size_t plaintextLength) const
878
        {return plaintextLength + static_cast<size_t>(MAC::DEFAULT_KEYLENGTH);}
879
    size_t GetSymmetricCiphertextLength(size_t plaintextLength) const
880
        {return plaintextLength + static_cast<size_t>(MAC::DIGESTSIZE);}
881
    size_t GetMaxSymmetricPlaintextLength(size_t ciphertextLength) const
882
        {return SaturatingSubtract(ciphertextLength, static_cast<size_t>(MAC::DIGESTSIZE));}
883
    void SymmetricEncrypt(RandomNumberGenerator &rng, const byte *key, const byte *plaintext, size_t plaintextLength, byte *ciphertext, const NameValuePairs &parameters) const
884
    {
885
        CRYPTOPP_UNUSED(rng);
886
        const byte *cipherKey = NULLPTR, *macKey = NULLPTR;
887
        if (DHAES_MODE)
888
        {
889
            macKey = key;
890
            cipherKey = key + MAC::DEFAULT_KEYLENGTH;
891
        }
892
        else
893
        {
894
            cipherKey = key;
895
            macKey = key + plaintextLength;
896
        }
897
898
        ConstByteArrayParameter encodingParameters;
899
        parameters.GetValue(Name::EncodingParameters(), encodingParameters);
900
901
        if (plaintextLength)    // Coverity finding
902
            xorbuf(ciphertext, plaintext, cipherKey, plaintextLength);
903
904
        MAC mac(macKey);
905
        mac.Update(ciphertext, plaintextLength);
906
        mac.Update(encodingParameters.begin(), encodingParameters.size());
907
        if (DHAES_MODE)
908
        {
909
            byte L[8];
910
            PutWord(false, BIG_ENDIAN_ORDER, L, (LABEL_OCTETS ? word64(encodingParameters.size()) : 8 * word64(encodingParameters.size())));
911
            mac.Update(L, 8);
912
        }
913
        mac.Final(ciphertext + plaintextLength);
914
    }
915
    DecodingResult SymmetricDecrypt(const byte *key, const byte *ciphertext, size_t ciphertextLength, byte *plaintext, const NameValuePairs &parameters) const
916
    {
917
        size_t plaintextLength = GetMaxSymmetricPlaintextLength(ciphertextLength);
918
        const byte *cipherKey, *macKey;
919
        if (DHAES_MODE)
920
        {
921
            macKey = key;
922
            cipherKey = key + MAC::DEFAULT_KEYLENGTH;
923
        }
924
        else
925
        {
926
            cipherKey = key;
927
            macKey = key + plaintextLength;
928
        }
929
930
        ConstByteArrayParameter encodingParameters;
931
        parameters.GetValue(Name::EncodingParameters(), encodingParameters);
932
933
        MAC mac(macKey);
934
        mac.Update(ciphertext, plaintextLength);
935
        mac.Update(encodingParameters.begin(), encodingParameters.size());
936
        if (DHAES_MODE)
937
        {
938
            byte L[8];
939
            PutWord(false, BIG_ENDIAN_ORDER, L, (LABEL_OCTETS ? word64(encodingParameters.size()) : 8 * word64(encodingParameters.size())));
940
            mac.Update(L, 8);
941
        }
942
        if (!mac.Verify(ciphertext + plaintextLength))
943
            return DecodingResult();
944
945
        if (plaintextLength)    // Coverity finding
946
            xorbuf(plaintext, ciphertext, cipherKey, plaintextLength);
947
948
        return DecodingResult(plaintextLength);
949
    }
950
};
951
952
/// \brief P1363 based Key Derivation Method
953
/// \tparam T FieldElement type or class
954
/// \tparam DHAES_MODE flag indicating DHAES mode
955
/// \tparam KDF key derivation function
956
/// \details FieldElement <tt>T</tt> can be Integer, ECP or EC2N.
957
template <class T, bool DHAES_MODE, class KDF>
958
class DL_KeyDerivationAlgorithm_P1363 : public DL_KeyDerivationAlgorithm<T>
959
{
960
public:
961
    virtual ~DL_KeyDerivationAlgorithm_P1363() {}
962
963
    bool ParameterSupported(const char *name) const {return strcmp(name, Name::KeyDerivationParameters()) == 0;}
964
    void Derive(const DL_GroupParameters<T> &params, byte *derivedKey, size_t derivedLength, const T &agreedElement, const T &ephemeralPublicKey, const NameValuePairs &parameters) const
965
    {
966
        SecByteBlock agreedSecret;
967
        if (DHAES_MODE)
968
        {
969
            agreedSecret.New(params.GetEncodedElementSize(true) + params.GetEncodedElementSize(false));
970
            params.EncodeElement(true, ephemeralPublicKey, agreedSecret);
971
            params.EncodeElement(false, agreedElement, agreedSecret + params.GetEncodedElementSize(true));
972
        }
973
        else
974
        {
975
            agreedSecret.New(params.GetEncodedElementSize(false));
976
            params.EncodeElement(false, agreedElement, agreedSecret);
977
        }
978
979
        ConstByteArrayParameter derivationParameters;
980
        parameters.GetValue(Name::KeyDerivationParameters(), derivationParameters);
981
        KDF::DeriveKey(derivedKey, derivedLength, agreedSecret, agreedSecret.size(), derivationParameters.begin(), derivationParameters.size());
982
    }
983
};
984
985
/// \brief Discrete Log Integrated Encryption Scheme
986
/// \tparam COFACTOR_OPTION cofactor multiplication option
987
/// \tparam HASH HashTransformation derived class used for key drivation and MAC computation
988
/// \tparam DHAES_MODE flag indicating if the MAC includes addition context parameters such as the label
989
/// \tparam LABEL_OCTETS flag indicating if the label size is specified in octets or bits
990
/// \details DLIES is an Integer based Integrated Encryption Scheme (IES). The scheme combines a Key Encapsulation Method (KEM)
991
///  with a Data Encapsulation Method (DEM) and a MAC tag. The scheme is
992
///  <A HREF="http://en.wikipedia.org/wiki/ciphertext_indistinguishability">IND-CCA2</A>, which is a strong notion of security.
993
///  You should prefer an Integrated Encryption Scheme over homegrown schemes.
994
/// \details The library's original implementation is based on an early P1363 draft, which itself appears to be based on an early Certicom
995
///  SEC-1 draft (or an early SEC-1 draft was based on a P1363 draft). Crypto++ 4.2 used the early draft in its Integrated Ecryption
996
///  Schemes with <tt>NoCofactorMultiplication</tt>, <tt>DHAES_MODE=false</tt> and <tt>LABEL_OCTETS=true</tt>.
997
/// \details If you desire an Integrated Encryption Scheme with Crypto++ 4.2 compatibility, then use the DLIES template class with
998
///  <tt>NoCofactorMultiplication</tt>, <tt>DHAES_MODE=false</tt> and <tt>LABEL_OCTETS=true</tt>.
999
/// \details If you desire an Integrated Encryption Scheme with Bouncy Castle 1.54 and Botan 1.11 compatibility, then use the DLIES
1000
///  template class with <tt>NoCofactorMultiplication</tt>, <tt>DHAES_MODE=true</tt> and <tt>LABEL_OCTETS=false</tt>.
1001
/// \details The default template parameters ensure compatibility with Bouncy Castle 1.54 and Botan 1.11. The combination of
1002
///  <tt>IncompatibleCofactorMultiplication</tt> and <tt>DHAES_MODE=true</tt> is recommended for best efficiency and security.
1003
///  SHA1 is used for compatibility reasons, but it can be changed if desired. SHA-256 or another hash will likely improve the
1004
///  security provided by the MAC. The hash is also used in the key derivation function as a PRF.
1005
/// \details Below is an example of constructing a Crypto++ 4.2 compatible DLIES encryptor and decryptor.
1006
/// <pre>
1007
///    AutoSeededRandomPool prng;
1008
///    DL_PrivateKey_GFP<DL_GroupParameters_GFP> key;
1009
///    key.Initialize(prng, 2048);
1010
///
1011
///    DLIES<SHA1,NoCofactorMultiplication,true,true>::Decryptor decryptor(key);
1012
///    DLIES<SHA1,NoCofactorMultiplication,true,true>::Encryptor encryptor(decryptor);
1013
/// </pre>
1014
/// \sa ECIES, <a href="http://www.weidai.com/scan-mirror/ca.html#DLIES">Discrete Log Integrated Encryption Scheme (DLIES)</a>,
1015
///  Martínez, Encinas, and Ávila's <A HREF="http://digital.csic.es/bitstream/10261/32671/1/V2-I2-P7-13.pdf">A Survey of the Elliptic
1016
///  Curve Integrated Encryption Schemes</A>
1017
/// \since Crypto++ 4.0, Crypto++ 5.7 for Bouncy Castle and Botan compatibility
1018
template <class HASH = SHA1, class COFACTOR_OPTION = NoCofactorMultiplication, bool DHAES_MODE = true, bool LABEL_OCTETS=false>
1019
struct DLIES
1020
    : public DL_ES<
1021
        DL_CryptoKeys_GFP,
1022
        DL_KeyAgreementAlgorithm_DH<Integer, COFACTOR_OPTION>,
1023
        DL_KeyDerivationAlgorithm_P1363<Integer, DHAES_MODE, P1363_KDF2<HASH> >,
1024
        DL_EncryptionAlgorithm_Xor<HMAC<HASH>, DHAES_MODE, LABEL_OCTETS>,
1025
        DLIES<> >
1026
{
1027
    static std::string CRYPTOPP_API StaticAlgorithmName() {return "DLIES";}    // TODO: fix this after name is standardized
1028
};
1029
1030
NAMESPACE_END
1031
1032
#if CRYPTOPP_MSC_VERSION
1033
# pragma warning(pop)
1034
#endif
1035
1036
#endif