mirrors/ladybird
1
0
Fork 0
mirror of https://github.com/LadybirdBrowser/ladybird.git synced 2025-01-22 09:12:13 -05:00
Code Issues Projects Releases Packages Wiki Activity

LibCrypto: Remove old unused padding schemes and codes

Browse source
This commit is contained in:
devgianlu 2024-12-25 22:40:55 +01:00 committed by Ali Mohammad Pur
parent a59b48cffc
commit 24e374d7e1
Notes: github-actions[bot] 2025-01-13 16:01:13 +00:00 
Author: https://github.com/devgianlu
Commit: https://github.com/LadybirdBrowser/ladybird/commit/24e374d7e1b
Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/3234
3 changed files with 0 additions and 445 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

35
Libraries/LibCrypto/PK/Code/Code.h
View file

@ -1,35 +0,0 @@
/*
* Copyright (c) 2020, Ali Mohammad Pur <mpfard@serenityos.org>
*
* SPDX-License-Identifier: BSD-2-Clause
*/
#pragma once
#include <LibCrypto/Hash/HashFunction.h>
#include <LibCrypto/Verification.h>
namespace Crypto::PK {
template<typename HashFunction>
class Code {
public:
template<typename... Args>
Code(Args... args)
: m_hasher(args...)
{
}
virtual void encode(ReadonlyBytes in, ByteBuffer& out, size_t em_bits) = 0;
virtual VerificationConsistency verify(ReadonlyBytes msg, ReadonlyBytes emsg, size_t em_bits) = 0;
HashFunction const& hasher() const { return m_hasher; }
HashFunction& hasher() { return m_hasher; }
protected:
virtual ~Code() = default;
HashFunction m_hasher;
};
}

136
Libraries/LibCrypto/PK/Code/EMSA_PKCS1_V1_5.h
View file

@ -1,136 +0,0 @@
/*
* Copyright (c) 2022, Michiel Visser <opensource@webmichiel.nl>
*
* SPDX-License-Identifier: BSD-2-Clause
*/
#pragma once
#include <LibCrypto/Hash/HashManager.h>
#include <LibCrypto/Hash/MD5.h>
#include <LibCrypto/Hash/SHA1.h>
#include <LibCrypto/Hash/SHA2.h>
#include <LibCrypto/PK/Code/Code.h>
namespace Crypto::PK {
template<typename HashFunction>
class EMSA_PKCS1_V1_5 : public Code<HashFunction> {
public:
template<typename... Args>
EMSA_PKCS1_V1_5(Args... args)
: Code<HashFunction>(args...)
{
}
virtual void encode(ReadonlyBytes in, ByteBuffer& out, size_t em_bits) override
{
auto& hash_fn = this->hasher();
hash_fn.update(in);
auto message_digest = hash_fn.digest();
auto message_digest_size = message_digest.bytes().size();
auto digest_info = hash_function_digest_info();
auto encoded_message_length = digest_info.size() + message_digest_size;
auto em_bytes = (em_bits + 7) / 8;
// RFC8017 section 9.2: 3. If emLen < tLen + 11, output "intended encoded message length too short" and stop.
if (em_bytes < encoded_message_length + 11) {
dbgln("EMSA-PKCS1-V1_5-ENCODE: intended encoded message length too short");
return;
}
auto offset = 0;
// Build the padding 0x0001ffff..ff00
out[offset++] = 0x00;
out[offset++] = 0x01;
for (size_t i = 0; i < em_bytes - encoded_message_length - 3; i++)
out[offset++] = 0xff;
out[offset++] = 0x00;
// Add the digest info and message digest
out.overwrite(offset, digest_info.data(), digest_info.size());
offset += digest_info.size();
out.overwrite(offset, message_digest.immutable_data(), message_digest.data_length());
}
virtual VerificationConsistency verify(ReadonlyBytes msg, ReadonlyBytes emsg, size_t em_bits) override
{
auto em_bytes = (em_bits + 7) / 8;
auto buffer_result = ByteBuffer::create_uninitialized(em_bytes);
if (buffer_result.is_error()) {
dbgln("EMSA-PKCS1-V1_5-VERIFY: out of memory");
return VerificationConsistency::Inconsistent;
}
auto buffer = buffer_result.release_value();
// Encode the supplied message into the buffer
encode(msg, buffer, em_bits);
// Check that the expected message matches the encoded original message
if (emsg != buffer) {
return VerificationConsistency::Inconsistent;
}
return VerificationConsistency::Consistent;
}
private:
inline ReadonlyBytes hash_function_digest_info();
};
template<>
inline ReadonlyBytes EMSA_PKCS1_V1_5<Crypto::Hash::MD5>::hash_function_digest_info()
{
// RFC8017 section 9.2 notes 1
return { "\x30\x20\x30\x0c\x06\x08\x2a\x86\x48\x86\xf7\x0d\x02\x05\x05\x00\x04\x10", 18 };
}
template<>
inline ReadonlyBytes EMSA_PKCS1_V1_5<Crypto::Hash::SHA1>::hash_function_digest_info()
{
// RFC8017 section 9.2 notes 1
return { "\x30\x21\x30\x09\x06\x05\x2b\x0e\x03\x02\x1a\x05\x00\x04\x14", 15 };
}
template<>
inline ReadonlyBytes EMSA_PKCS1_V1_5<Crypto::Hash::SHA256>::hash_function_digest_info()
{
// RFC8017 section 9.2 notes 1
return { "\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x01\x05\x00\x04\x20", 19 };
}
template<>
inline ReadonlyBytes EMSA_PKCS1_V1_5<Crypto::Hash::SHA384>::hash_function_digest_info()
{
// RFC8017 section 9.2 notes 1
return { "\x30\x41\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x02\x05\x00\x04\x30", 19 };
}
template<>
inline ReadonlyBytes EMSA_PKCS1_V1_5<Crypto::Hash::SHA512>::hash_function_digest_info()
{
// RFC8017 section 9.2 notes 1
return { "\x30\x51\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x03\x05\x00\x04\x40", 19 };
}
template<>
inline ReadonlyBytes EMSA_PKCS1_V1_5<Crypto::Hash::Manager>::hash_function_digest_info()
{
// RFC8017 section 9.2 notes 1
switch (hasher().kind()) {
case Hash::HashKind::MD5:
return { "\x30\x20\x30\x0c\x06\x08\x2a\x86\x48\x86\xf7\x0d\x02\x05\x05\x00\x04\x10", 18 };
case Hash::HashKind::SHA1:
return { "\x30\x21\x30\x09\x06\x05\x2b\x0e\x03\x02\x1a\x05\x00\x04\x14", 15 };
case Hash::HashKind::SHA256:
return { "\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x01\x05\x00\x04\x20", 19 };
case Hash::HashKind::SHA384:
return { "\x30\x41\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x02\x05\x00\x04\x30", 19 };
case Hash::HashKind::SHA512:
return { "\x30\x51\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x03\x05\x00\x04\x40", 19 };
case Hash::HashKind::None:
default:
VERIFY_NOT_REACHED();
}
}
}

274
Libraries/LibCrypto/Padding/OAEP.h
View file

@ -1,274 +0,0 @@
/*
* Copyright (c) 2024, stelar7 <dudedbz@gmail.com>
*
* SPDX-License-Identifier: BSD-2-Clause
*/
#pragma once
#include <AK/ByteBuffer.h>
#include <AK/ByteReader.h>
#include <AK/Endian.h>
#include <AK/Function.h>
#include <AK/Random.h>
#include <LibCrypto/BigInt/UnsignedBigInteger.h>
namespace Crypto::Padding {
// https://datatracker.ietf.org/doc/html/rfc2437#section-9.1.1
class OAEP {
public:
// https://datatracker.ietf.org/doc/html/rfc2437#section-9.1.1.1
template<typename HashFunction, typename MaskGenerationFunction>
static ErrorOr<ByteBuffer> encode(ReadonlyBytes message, ReadonlyBytes parameters, size_t length, Function<void(Bytes)> seed_function = fill_with_random)
{
// FIXME: 1. If the length of P is greater than the input limitation for the
// hash function (2^61-1 octets for SHA-1) then output "parameter string
// too long" and stop.
// 2. If ||M|| > emLen - 2hLen - 1 then output "message too long" and stop.
auto h_len = HashFunction::digest_size();
auto max_message_size = length - (2 * h_len) - 1;
if (message.size() > max_message_size)
return Error::from_string_literal("message too long");
// 3. Generate an octet string PS consisting of emLen-||M||-2hLen-1 zero octets. The length of PS may be 0.
auto padding_size = length - message.size() - (2 * h_len) - 1;
auto ps = TRY(ByteBuffer::create_zeroed(padding_size));
// 4. Let pHash = Hash(P), an octet string of length hLen.
auto hash = HashFunction::create();
hash->update(parameters);
auto digest = hash->digest();
auto p_hash = digest.bytes();
// 5. Concatenate pHash, PS, the message M, and other padding to form a data block DB as: DB = pHash || PS || 01 || M
auto db = TRY(ByteBuffer::create_uninitialized(0));
TRY(db.try_append(p_hash));
TRY(db.try_append(ps.bytes()));
TRY(db.try_append(0x01));
TRY(db.try_append(message));
// 6. Generate a random octet string seed of length hLen.
auto seed = TRY(ByteBuffer::create_uninitialized(h_len));
seed_function(seed);
// 7. Let dbMask = MGF(seed, emLen-hLen).
auto db_mask = TRY(MaskGenerationFunction::template mgf1<HashFunction>(seed, length - h_len));
// 8. Let maskedDB = DB \xor dbMask.
auto masked_db = TRY(ByteBuffer::xor_buffers(db, db_mask));
// 9. Let seedMask = MGF(maskedDB, hLen).
auto seed_mask = TRY(MaskGenerationFunction::template mgf1<HashFunction>(masked_db, h_len));
// 10. Let maskedSeed = seed \xor seedMask.
auto masked_seed = TRY(ByteBuffer::xor_buffers(seed, seed_mask));
// 11. Let EM = maskedSeed || maskedDB.
auto em = TRY(ByteBuffer::create_uninitialized(0));
TRY(em.try_append(masked_seed));
TRY(em.try_append(masked_db));
// 12. Output EM.
return em;
}
// https://www.rfc-editor.org/rfc/rfc3447#section-7.1.1
template<typename HashFunction, typename MaskGenerationFunction>
static ErrorOr<ByteBuffer> eme_encode(ReadonlyBytes message, ReadonlyBytes label, u32 rsa_modulus_n, Function<void(Bytes)> seed_function = fill_with_random)
{
// FIXME: 1. If the length of L is greater than the input limitation for the
// hash function (2^61 - 1 octets for SHA-1), output "label too
// long" and stop.
// 2. If mLen > k - 2hLen - 2, output "message too long" and stop.
auto m_len = message.size();
auto k = rsa_modulus_n;
auto h_len = HashFunction::digest_size();
auto max_message_size = k - (2 * h_len) - 2;
if (m_len > max_message_size)
return Error::from_string_view("message too long"sv);
// 3. If the label L is not provided, let L be the empty string. Let lHash = Hash(L), an octet string of length hLen.
auto hash = HashFunction::create();
hash->update(label);
auto digest = hash->digest();
auto l_hash = digest.bytes();
// 4. Generate an octet string PS consisting of k - mLen - 2hLen - 2 zero octets. The length of PS may be zero.
auto ps_size = k - m_len - (2 * h_len) - 2;
auto ps = TRY(ByteBuffer::create_zeroed(ps_size));
// 5. Concatenate lHash, PS, a single octet with hexadecimal value 0x01, and the message M
// to form a data block DB of length k - hLen - 1 octets as DB = lHash || PS || 0x01 || M.
auto db = TRY(ByteBuffer::create_uninitialized(0));
TRY(db.try_append(l_hash));
TRY(db.try_append(ps.bytes()));
TRY(db.try_append(0x01));
TRY(db.try_append(message));
// 6. Generate a random octet string seed of length hLen.
auto seed = TRY(ByteBuffer::create_uninitialized(h_len));
seed_function(seed);
// 7. Let dbMask = MGF(seed, k - hLen - 1).
auto db_mask = TRY(MaskGenerationFunction::template mgf1<HashFunction>(seed, k - h_len - 1));
// 8. Let maskedDB = DB \xor dbMask.
auto masked_db = TRY(ByteBuffer::xor_buffers(db, db_mask));
// 9. Let seedMask = MGF(maskedDB, hLen).
auto seed_mask = TRY(MaskGenerationFunction::template mgf1<HashFunction>(masked_db, h_len));
// 10. Let maskedSeed = seed \xor seedMask.
auto masked_seed = TRY(ByteBuffer::xor_buffers(seed, seed_mask));
// 11. Concatenate a single octet with hexadecimal value 0x00, maskedSeed, and maskedDB
// to form an encoded message EM of length k octets as EM = 0x00 || maskedSeed || maskedDB.
auto em = TRY(ByteBuffer::create_uninitialized(0));
TRY(em.try_append(0x00));
TRY(em.try_append(masked_seed));
TRY(em.try_append(masked_db));
// 12. Output EM.
return em;
}
// https://datatracker.ietf.org/doc/html/rfc2437#section-9.1.1.2
template<typename HashFunction, typename MaskGenerationFunction>
static ErrorOr<ByteBuffer> decode(ReadonlyBytes encoded_message, ReadonlyBytes parameters)
{
// FIXME: 1. If the length of P is greater than the input limitation for the
// hash function (2^61-1 octets for SHA-1) then output "parameter string
// too long" and stop.
// 2. If ||EM|| < 2hLen+1, then output "decoding error" and stop.
auto h_len = HashFunction::digest_size();
auto max_message_size = (2 * h_len) + 1;
if (encoded_message.size() < max_message_size)
return Error::from_string_view("decoding error"sv);
// 3. Let maskedSeed be the first hLen octets of EM and let maskedDB be the remaining ||EM|| - hLen octets.
auto masked_seed = encoded_message.slice(0, h_len);
auto masked_db = encoded_message.slice(h_len, encoded_message.size() - h_len);
// 4. Let seedMask = MGF(maskedDB, hLen).
auto seed_mask = TRY(MaskGenerationFunction::template mgf1<HashFunction>(masked_db, h_len));
// 5. Let seed = maskedSeed \xor seedMask.
auto seed = TRY(ByteBuffer::xor_buffers(masked_seed, seed_mask));
// 6. Let dbMask = MGF(seed, ||EM|| - hLen).
auto db_mask = TRY(MaskGenerationFunction::template mgf1<HashFunction>(seed, encoded_message.size() - h_len));
// 7. Let DB = maskedDB \xor dbMask.
auto db = TRY(ByteBuffer::xor_buffers(masked_db, db_mask));
// 8. Let pHash = Hash(P), an octet string of length hLen.
HashFunction hash;
hash.update(parameters);
auto digest = hash.digest();
auto p_hash = digest.bytes();
// 9. Separate DB into an octet string pHash' consisting of the first hLen octets of DB,
// a (possibly empty) octet string PS consisting of consecutive zero octets following pHash',
// and a message M as: DB = pHash' || PS || 01 || M
auto p_hash_prime = TRY(db.slice(0, h_len));
size_t i = h_len;
for (; i < db.size(); ++i) {
if (db[i] == 0x01)
break;
}
// If there is no 01 octet to separate PS from M, output "decoding error" and stop.
if (i == db.size())
return Error::from_string_view("decoding error"sv);
auto ps = TRY(db.slice(h_len, i - h_len));
auto message = TRY(db.slice(i + 1, db.size() - i - 1));
// 10. If pHash' does not equal pHash, output "decoding error" and stop.
if (p_hash_prime.span() != p_hash)
return Error::from_string_view("decoding error"sv);
// 11. Output M.
return message;
}
// https://www.rfc-editor.org/rfc/rfc3447#section-7.1.2
template<typename HashFunction, typename MaskGenerationFunction>
static ErrorOr<ByteBuffer> eme_decode(ReadonlyBytes encoded_message, ReadonlyBytes label, u32 rsa_modulus_n)
{
auto h_len = HashFunction::digest_size();
auto k = rsa_modulus_n;
// 1. If the label L is not provided, let L be the empty string.
// Let lHash = Hash(L), an octet string of length hLen (see the note in Section 7.1.1).
auto hash = HashFunction::create();
hash->update(label);
auto digest = hash->digest();
auto l_hash = digest.bytes();
// 2. Separate the encoded message EM into
// a single octet Y,
// an octet string maskedSeed of length hLen,
// and an octet string maskedDB of length k - hLen - 1
// as EM = Y || maskedSeed || maskedDB.
auto y = encoded_message[0];
auto masked_seed = encoded_message.slice(1, h_len);
auto masked_db = encoded_message.slice(h_len + 1, k - h_len - 1);
// 3. Let seedMask = MGF(maskedDB, hLen).
auto seed_mask = TRY(MaskGenerationFunction::template mgf1<HashFunction>(masked_db, h_len));
// 4. Let seed = maskedSeed \xor seedMask.
auto seed = TRY(ByteBuffer::xor_buffers(masked_seed, seed_mask));
// 5. Let dbMask = MGF(seed, k - hLen - 1).
auto db_mask = TRY(MaskGenerationFunction::template mgf1<HashFunction>(seed, k - h_len - 1));
// 6. Let DB = maskedDB \xor dbMask.
auto db = TRY(ByteBuffer::xor_buffers(masked_db, db_mask));
// 7. Separate DB into
// an octet string lHash' of length hLen,
// a (possibly empty) padding string PS consisting of octets withhexadecimal value 0x00,
// and a message M
// as DB = lHash' || PS || 0x01 || M.
auto l_hash_prime = TRY(db.slice(0, h_len));
size_t i = h_len;
for (; i < db.size(); ++i) {
if (db[i] == 0x01)
break;
}
auto message = TRY(db.slice(i + 1, db.size() - i - 1));
// NOTE: We have to make sure to do all these steps before returning an error due to timing attacks
bool is_valid = true;
// If there is no octet with hexadecimal value 0x01 to separate PS from M,
if (i == db.size())
is_valid = false;
// if lHash does not equal lHash',
if (l_hash_prime.span() != l_hash)
is_valid = false;
// if Y is nonzero, output "decryption error" and stop.
if (y != 0x00)
is_valid = false;
if (!is_valid)
return Error::from_string_view("decryption error"sv);
// 8. Output the message M.
return message;
}
};
}