diff --git a/Libraries/LibCrypto/PK/Code/Code.h b/Libraries/LibCrypto/PK/Code/Code.h deleted file mode 100644 index e720d37b4eb..00000000000 --- a/Libraries/LibCrypto/PK/Code/Code.h +++ /dev/null @@ -1,35 +0,0 @@ -/* - * Copyright (c) 2020, Ali Mohammad Pur - * - * SPDX-License-Identifier: BSD-2-Clause - */ - -#pragma once - -#include -#include - -namespace Crypto::PK { - -template -class Code { -public: - template - Code(Args... args) - : m_hasher(args...) - { - } - - virtual void encode(ReadonlyBytes in, ByteBuffer& out, size_t em_bits) = 0; - virtual VerificationConsistency verify(ReadonlyBytes msg, ReadonlyBytes emsg, size_t em_bits) = 0; - - HashFunction const& hasher() const { return m_hasher; } - HashFunction& hasher() { return m_hasher; } - -protected: - virtual ~Code() = default; - - HashFunction m_hasher; -}; - -} diff --git a/Libraries/LibCrypto/PK/Code/EMSA_PKCS1_V1_5.h b/Libraries/LibCrypto/PK/Code/EMSA_PKCS1_V1_5.h deleted file mode 100644 index 794652ccf01..00000000000 --- a/Libraries/LibCrypto/PK/Code/EMSA_PKCS1_V1_5.h +++ /dev/null @@ -1,136 +0,0 @@ -/* - * Copyright (c) 2022, Michiel Visser - * - * SPDX-License-Identifier: BSD-2-Clause - */ - -#pragma once - -#include -#include -#include -#include -#include - -namespace Crypto::PK { - -template -class EMSA_PKCS1_V1_5 : public Code { -public: - template - EMSA_PKCS1_V1_5(Args... args) - : Code(args...) - { - } - - virtual void encode(ReadonlyBytes in, ByteBuffer& out, size_t em_bits) override - { - auto& hash_fn = this->hasher(); - hash_fn.update(in); - auto message_digest = hash_fn.digest(); - auto message_digest_size = message_digest.bytes().size(); - - auto digest_info = hash_function_digest_info(); - auto encoded_message_length = digest_info.size() + message_digest_size; - - auto em_bytes = (em_bits + 7) / 8; - // RFC8017 section 9.2: 3. If emLen < tLen + 11, output "intended encoded message length too short" and stop. - if (em_bytes < encoded_message_length + 11) { - dbgln("EMSA-PKCS1-V1_5-ENCODE: intended encoded message length too short"); - return; - } - - auto offset = 0; - // Build the padding 0x0001ffff..ff00 - out[offset++] = 0x00; - out[offset++] = 0x01; - for (size_t i = 0; i < em_bytes - encoded_message_length - 3; i++) - out[offset++] = 0xff; - out[offset++] = 0x00; - // Add the digest info and message digest - out.overwrite(offset, digest_info.data(), digest_info.size()); - offset += digest_info.size(); - out.overwrite(offset, message_digest.immutable_data(), message_digest.data_length()); - } - - virtual VerificationConsistency verify(ReadonlyBytes msg, ReadonlyBytes emsg, size_t em_bits) override - { - auto em_bytes = (em_bits + 7) / 8; - auto buffer_result = ByteBuffer::create_uninitialized(em_bytes); - if (buffer_result.is_error()) { - dbgln("EMSA-PKCS1-V1_5-VERIFY: out of memory"); - return VerificationConsistency::Inconsistent; - } - auto buffer = buffer_result.release_value(); - - // Encode the supplied message into the buffer - encode(msg, buffer, em_bits); - - // Check that the expected message matches the encoded original message - if (emsg != buffer) { - return VerificationConsistency::Inconsistent; - } - return VerificationConsistency::Consistent; - } - -private: - inline ReadonlyBytes hash_function_digest_info(); -}; - -template<> -inline ReadonlyBytes EMSA_PKCS1_V1_5::hash_function_digest_info() -{ - // RFC8017 section 9.2 notes 1 - return { "\x30\x20\x30\x0c\x06\x08\x2a\x86\x48\x86\xf7\x0d\x02\x05\x05\x00\x04\x10", 18 }; -} - -template<> -inline ReadonlyBytes EMSA_PKCS1_V1_5::hash_function_digest_info() -{ - // RFC8017 section 9.2 notes 1 - return { "\x30\x21\x30\x09\x06\x05\x2b\x0e\x03\x02\x1a\x05\x00\x04\x14", 15 }; -} - -template<> -inline ReadonlyBytes EMSA_PKCS1_V1_5::hash_function_digest_info() -{ - // RFC8017 section 9.2 notes 1 - return { "\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x01\x05\x00\x04\x20", 19 }; -} - -template<> -inline ReadonlyBytes EMSA_PKCS1_V1_5::hash_function_digest_info() -{ - // RFC8017 section 9.2 notes 1 - return { "\x30\x41\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x02\x05\x00\x04\x30", 19 }; -} - -template<> -inline ReadonlyBytes EMSA_PKCS1_V1_5::hash_function_digest_info() -{ - // RFC8017 section 9.2 notes 1 - return { "\x30\x51\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x03\x05\x00\x04\x40", 19 }; -} - -template<> -inline ReadonlyBytes EMSA_PKCS1_V1_5::hash_function_digest_info() -{ - // RFC8017 section 9.2 notes 1 - switch (hasher().kind()) { - case Hash::HashKind::MD5: - return { "\x30\x20\x30\x0c\x06\x08\x2a\x86\x48\x86\xf7\x0d\x02\x05\x05\x00\x04\x10", 18 }; - case Hash::HashKind::SHA1: - return { "\x30\x21\x30\x09\x06\x05\x2b\x0e\x03\x02\x1a\x05\x00\x04\x14", 15 }; - case Hash::HashKind::SHA256: - return { "\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x01\x05\x00\x04\x20", 19 }; - case Hash::HashKind::SHA384: - return { "\x30\x41\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x02\x05\x00\x04\x30", 19 }; - case Hash::HashKind::SHA512: - return { "\x30\x51\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x03\x05\x00\x04\x40", 19 }; - case Hash::HashKind::None: - default: - VERIFY_NOT_REACHED(); - } -} - -} diff --git a/Libraries/LibCrypto/Padding/OAEP.h b/Libraries/LibCrypto/Padding/OAEP.h deleted file mode 100644 index 6359c164d7e..00000000000 --- a/Libraries/LibCrypto/Padding/OAEP.h +++ /dev/null @@ -1,274 +0,0 @@ -/* - * Copyright (c) 2024, stelar7 - * - * SPDX-License-Identifier: BSD-2-Clause - */ - -#pragma once - -#include -#include -#include -#include -#include -#include - -namespace Crypto::Padding { - -// https://datatracker.ietf.org/doc/html/rfc2437#section-9.1.1 -class OAEP { -public: - // https://datatracker.ietf.org/doc/html/rfc2437#section-9.1.1.1 - template - static ErrorOr encode(ReadonlyBytes message, ReadonlyBytes parameters, size_t length, Function seed_function = fill_with_random) - { - // FIXME: 1. If the length of P is greater than the input limitation for the - // hash function (2^61-1 octets for SHA-1) then output "parameter string - // too long" and stop. - - // 2. If ||M|| > emLen - 2hLen - 1 then output "message too long" and stop. - auto h_len = HashFunction::digest_size(); - auto max_message_size = length - (2 * h_len) - 1; - if (message.size() > max_message_size) - return Error::from_string_literal("message too long"); - - // 3. Generate an octet string PS consisting of emLen-||M||-2hLen-1 zero octets. The length of PS may be 0. - auto padding_size = length - message.size() - (2 * h_len) - 1; - auto ps = TRY(ByteBuffer::create_zeroed(padding_size)); - - // 4. Let pHash = Hash(P), an octet string of length hLen. - auto hash = HashFunction::create(); - hash->update(parameters); - auto digest = hash->digest(); - auto p_hash = digest.bytes(); - - // 5. Concatenate pHash, PS, the message M, and other padding to form a data block DB as: DB = pHash || PS || 01 || M - auto db = TRY(ByteBuffer::create_uninitialized(0)); - TRY(db.try_append(p_hash)); - TRY(db.try_append(ps.bytes())); - TRY(db.try_append(0x01)); - TRY(db.try_append(message)); - - // 6. Generate a random octet string seed of length hLen. - auto seed = TRY(ByteBuffer::create_uninitialized(h_len)); - seed_function(seed); - - // 7. Let dbMask = MGF(seed, emLen-hLen). - auto db_mask = TRY(MaskGenerationFunction::template mgf1(seed, length - h_len)); - - // 8. Let maskedDB = DB \xor dbMask. - auto masked_db = TRY(ByteBuffer::xor_buffers(db, db_mask)); - - // 9. Let seedMask = MGF(maskedDB, hLen). - auto seed_mask = TRY(MaskGenerationFunction::template mgf1(masked_db, h_len)); - - // 10. Let maskedSeed = seed \xor seedMask. - auto masked_seed = TRY(ByteBuffer::xor_buffers(seed, seed_mask)); - - // 11. Let EM = maskedSeed || maskedDB. - auto em = TRY(ByteBuffer::create_uninitialized(0)); - TRY(em.try_append(masked_seed)); - TRY(em.try_append(masked_db)); - - // 12. Output EM. - return em; - } - - // https://www.rfc-editor.org/rfc/rfc3447#section-7.1.1 - template - static ErrorOr eme_encode(ReadonlyBytes message, ReadonlyBytes label, u32 rsa_modulus_n, Function seed_function = fill_with_random) - { - // FIXME: 1. If the length of L is greater than the input limitation for the - // hash function (2^61 - 1 octets for SHA-1), output "label too - // long" and stop. - - // 2. If mLen > k - 2hLen - 2, output "message too long" and stop. - auto m_len = message.size(); - auto k = rsa_modulus_n; - auto h_len = HashFunction::digest_size(); - auto max_message_size = k - (2 * h_len) - 2; - - if (m_len > max_message_size) - return Error::from_string_view("message too long"sv); - - // 3. If the label L is not provided, let L be the empty string. Let lHash = Hash(L), an octet string of length hLen. - auto hash = HashFunction::create(); - hash->update(label); - auto digest = hash->digest(); - auto l_hash = digest.bytes(); - - // 4. Generate an octet string PS consisting of k - mLen - 2hLen - 2 zero octets. The length of PS may be zero. - auto ps_size = k - m_len - (2 * h_len) - 2; - auto ps = TRY(ByteBuffer::create_zeroed(ps_size)); - - // 5. Concatenate lHash, PS, a single octet with hexadecimal value 0x01, and the message M - // to form a data block DB of length k - hLen - 1 octets as DB = lHash || PS || 0x01 || M. - auto db = TRY(ByteBuffer::create_uninitialized(0)); - TRY(db.try_append(l_hash)); - TRY(db.try_append(ps.bytes())); - TRY(db.try_append(0x01)); - TRY(db.try_append(message)); - - // 6. Generate a random octet string seed of length hLen. - auto seed = TRY(ByteBuffer::create_uninitialized(h_len)); - seed_function(seed); - - // 7. Let dbMask = MGF(seed, k - hLen - 1). - auto db_mask = TRY(MaskGenerationFunction::template mgf1(seed, k - h_len - 1)); - - // 8. Let maskedDB = DB \xor dbMask. - auto masked_db = TRY(ByteBuffer::xor_buffers(db, db_mask)); - - // 9. Let seedMask = MGF(maskedDB, hLen). - auto seed_mask = TRY(MaskGenerationFunction::template mgf1(masked_db, h_len)); - - // 10. Let maskedSeed = seed \xor seedMask. - auto masked_seed = TRY(ByteBuffer::xor_buffers(seed, seed_mask)); - - // 11. Concatenate a single octet with hexadecimal value 0x00, maskedSeed, and maskedDB - // to form an encoded message EM of length k octets as EM = 0x00 || maskedSeed || maskedDB. - auto em = TRY(ByteBuffer::create_uninitialized(0)); - TRY(em.try_append(0x00)); - TRY(em.try_append(masked_seed)); - TRY(em.try_append(masked_db)); - - // 12. Output EM. - return em; - } - - // https://datatracker.ietf.org/doc/html/rfc2437#section-9.1.1.2 - template - static ErrorOr decode(ReadonlyBytes encoded_message, ReadonlyBytes parameters) - { - // FIXME: 1. If the length of P is greater than the input limitation for the - // hash function (2^61-1 octets for SHA-1) then output "parameter string - // too long" and stop. - - // 2. If ||EM|| < 2hLen+1, then output "decoding error" and stop. - auto h_len = HashFunction::digest_size(); - auto max_message_size = (2 * h_len) + 1; - if (encoded_message.size() < max_message_size) - return Error::from_string_view("decoding error"sv); - - // 3. Let maskedSeed be the first hLen octets of EM and let maskedDB be the remaining ||EM|| - hLen octets. - auto masked_seed = encoded_message.slice(0, h_len); - auto masked_db = encoded_message.slice(h_len, encoded_message.size() - h_len); - - // 4. Let seedMask = MGF(maskedDB, hLen). - auto seed_mask = TRY(MaskGenerationFunction::template mgf1(masked_db, h_len)); - - // 5. Let seed = maskedSeed \xor seedMask. - auto seed = TRY(ByteBuffer::xor_buffers(masked_seed, seed_mask)); - - // 6. Let dbMask = MGF(seed, ||EM|| - hLen). - auto db_mask = TRY(MaskGenerationFunction::template mgf1(seed, encoded_message.size() - h_len)); - - // 7. Let DB = maskedDB \xor dbMask. - auto db = TRY(ByteBuffer::xor_buffers(masked_db, db_mask)); - - // 8. Let pHash = Hash(P), an octet string of length hLen. - HashFunction hash; - hash.update(parameters); - auto digest = hash.digest(); - auto p_hash = digest.bytes(); - - // 9. Separate DB into an octet string pHash' consisting of the first hLen octets of DB, - // a (possibly empty) octet string PS consisting of consecutive zero octets following pHash', - // and a message M as: DB = pHash' || PS || 01 || M - auto p_hash_prime = TRY(db.slice(0, h_len)); - - size_t i = h_len; - for (; i < db.size(); ++i) { - if (db[i] == 0x01) - break; - } - - // If there is no 01 octet to separate PS from M, output "decoding error" and stop. - if (i == db.size()) - return Error::from_string_view("decoding error"sv); - - auto ps = TRY(db.slice(h_len, i - h_len)); - auto message = TRY(db.slice(i + 1, db.size() - i - 1)); - - // 10. If pHash' does not equal pHash, output "decoding error" and stop. - if (p_hash_prime.span() != p_hash) - return Error::from_string_view("decoding error"sv); - - // 11. Output M. - return message; - } - - // https://www.rfc-editor.org/rfc/rfc3447#section-7.1.2 - template - static ErrorOr eme_decode(ReadonlyBytes encoded_message, ReadonlyBytes label, u32 rsa_modulus_n) - { - auto h_len = HashFunction::digest_size(); - auto k = rsa_modulus_n; - - // 1. If the label L is not provided, let L be the empty string. - // Let lHash = Hash(L), an octet string of length hLen (see the note in Section 7.1.1). - auto hash = HashFunction::create(); - hash->update(label); - auto digest = hash->digest(); - auto l_hash = digest.bytes(); - - // 2. Separate the encoded message EM into - // a single octet Y, - // an octet string maskedSeed of length hLen, - // and an octet string maskedDB of length k - hLen - 1 - // as EM = Y || maskedSeed || maskedDB. - auto y = encoded_message[0]; - auto masked_seed = encoded_message.slice(1, h_len); - auto masked_db = encoded_message.slice(h_len + 1, k - h_len - 1); - - // 3. Let seedMask = MGF(maskedDB, hLen). - auto seed_mask = TRY(MaskGenerationFunction::template mgf1(masked_db, h_len)); - - // 4. Let seed = maskedSeed \xor seedMask. - auto seed = TRY(ByteBuffer::xor_buffers(masked_seed, seed_mask)); - - // 5. Let dbMask = MGF(seed, k - hLen - 1). - auto db_mask = TRY(MaskGenerationFunction::template mgf1(seed, k - h_len - 1)); - - // 6. Let DB = maskedDB \xor dbMask. - auto db = TRY(ByteBuffer::xor_buffers(masked_db, db_mask)); - - // 7. Separate DB into - // an octet string lHash' of length hLen, - // a (possibly empty) padding string PS consisting of octets withhexadecimal value 0x00, - // and a message M - // as DB = lHash' || PS || 0x01 || M. - auto l_hash_prime = TRY(db.slice(0, h_len)); - - size_t i = h_len; - for (; i < db.size(); ++i) { - if (db[i] == 0x01) - break; - } - - auto message = TRY(db.slice(i + 1, db.size() - i - 1)); - - // NOTE: We have to make sure to do all these steps before returning an error due to timing attacks - bool is_valid = true; - - // If there is no octet with hexadecimal value 0x01 to separate PS from M, - if (i == db.size()) - is_valid = false; - - // if lHash does not equal lHash', - if (l_hash_prime.span() != l_hash) - is_valid = false; - - // if Y is nonzero, output "decryption error" and stop. - if (y != 0x00) - is_valid = false; - - if (!is_valid) - return Error::from_string_view("decryption error"sv); - - // 8. Output the message M. - return message; - } -}; - -}