From e687629323aba6e738609a1702754ba7833cbd63 Mon Sep 17 00:00:00 2001 From: Mirek Kratochvil Date: Wed, 19 Mar 2014 09:30:59 +0100 Subject: [PATCH] sc: stream cipher abstraction applied to arcfour A minor bug was discovered in padding of short message signatures. If is silently fixed, causing some (very minor) incompatibility of signatures with previous versions. --- ChangeLog | 3 +++ src/algos_enc.cpp | 49 ++++++++++++++++++++++++-------------------- src/algos_sig.cpp | 15 +++++--------- src/arcfour.h | 52 ++++++++++++++++++++++++++++++++++------------- src/fmtseq.cpp | 14 ++++++++----- src/generator.cpp | 1 - src/generator.h | 4 ++-- src/sc.h | 41 +++++++++++++++++++++++++++++++++++++ 8 files changed, 125 insertions(+), 54 deletions(-) create mode 100644 src/sc.h diff --git a/ChangeLog b/ChangeLog index 07bdeca..f5f4bec 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,9 @@ Codecrypt ChangeLog +- virtualize the stream ciphers +- fix fmtseq short message padding bug (fixed by previous) + 1.5 - add hashfile support with -S diff --git a/src/algos_enc.cpp b/src/algos_enc.cpp index 5a0a224..3b1f702 100644 --- a/src/algos_enc.cpp +++ b/src/algos_enc.cpp @@ -246,14 +246,13 @@ static bool message_unpad (std::vector in, bvector&out, * otherwise it probably fails. miserably. */ -#define arcfour_discard 4096 - template < class pubkey_type, int plainsize, int ciphersize, int errorcount, class hash_type, class pad_hash_type, + class scipher, int ranksize > static int fo_encrypt (const bvector&plain, bvector&cipher, sencode* pubkey, prng&rng) @@ -304,17 +303,13 @@ static int fo_encrypt (const bvector&plain, bvector&cipher, if (Pub.encrypt (mce_plain, cipher, ev) ) return 5; //encrypt the message part (xor with arcfour) - arcfour arc; - arc.init (8); + scipher sc; + sc.init (); //whole key must be tossed in, so split if when necessary - for (i = 0; i < (K.size() >> 8); ++i) { - std::vector subkey (K.begin() + (i << 8), - MIN (K.end(), - K.begin() + ( (i + 1) << 8) ) ); - arc.load_key (subkey); - } - arc.discard (arcfour_discard); - for (i = 0; i < M.size(); ++i) M[i] = M[i] ^ arc.gen(); + sc.load_key (K); + + //encrypt + for (i = 0; i < M.size(); ++i) M[i] = M[i] ^ sc.gen(); //append the message part to the ciphertext cipher.resize (ciphersize + (M.size() << 3) ); @@ -330,6 +325,7 @@ template < class privkey_type, int errorcount, class hash_type, class pad_hash_type, + class scipher, int ranksize > static int fo_decrypt (const bvector&cipher, bvector&plain, sencode* privkey) @@ -370,18 +366,13 @@ static int fo_decrypt (const bvector&cipher, bvector&plain, if (cipher[ciphersize + i]) M[i >> 3] |= 1 << (i & 0x7); //prepare arcfour - arcfour arc; - arc.init (8); + scipher sc; + sc.init (); //stuff in the whole key - for (i = 0; i < (K.size() >> 8); ++i) { - std::vector subkey (K.begin() + (i << 8), - MIN (K.end(), - K.begin() + ( (i + 1) << 8) ) ); - arc.load_key (subkey); - } - arc.discard (arcfour_discard); + sc.load_key (K); + //decrypt the message part - for (i = 0; i < M.size(); ++i) M[i] = M[i] ^ arc.gen(); + for (i = 0; i < M.size(); ++i) M[i] = M[i] ^ sc.gen(); //compute the hash of K+M std::vectorH, M2; @@ -413,6 +404,8 @@ static int fo_decrypt (const bvector&cipher, bvector&plain, * Instances for actual encryption/descryption algorithms */ +typedef arcfour arcfour_fo_cipher; + #if HAVE_CRYPTOPP==1 #include "sha_hash.h" @@ -426,6 +419,7 @@ int algo_mceqd128::encrypt (const bvector&plain, bvector&cipher, 2048, 4096, 128, sha256hash, rmd128hash, + arcfour_fo_cipher, 816 > (plain, cipher, pubkey, rng); } @@ -438,6 +432,7 @@ int algo_mceqd192::encrypt (const bvector&plain, bvector&cipher, 2816, 6912, 256, sha384hash, rmd128hash, + arcfour_fo_cipher, 1574 > (plain, cipher, pubkey, rng); } @@ -450,6 +445,7 @@ int algo_mceqd256::encrypt (const bvector&plain, bvector&cipher, 4096, 8192, 256, sha512hash, rmd128hash, + arcfour_fo_cipher, 1638 > (plain, cipher, pubkey, rng); } @@ -462,6 +458,7 @@ int algo_mceqd128::decrypt (const bvector&cipher, bvector&plain, 2048, 4096, 128, sha256hash, rmd128hash, + arcfour_fo_cipher, 816 > (cipher, plain, privkey); } @@ -474,6 +471,7 @@ int algo_mceqd192::decrypt (const bvector&cipher, bvector&plain, 2816, 6912, 256, sha384hash, rmd128hash, + arcfour_fo_cipher, 1574 > (cipher, plain, privkey); } @@ -486,6 +484,7 @@ int algo_mceqd256::decrypt (const bvector&cipher, bvector&plain, 4096, 8192, 256, sha512hash, rmd128hash, + arcfour_fo_cipher, 1638 > (cipher, plain, privkey); } @@ -502,6 +501,7 @@ int algo_mceqd128cube::encrypt (const bvector&plain, bvector&cipher, 2048, 4096, 128, cube256hash, cube128hash, + arcfour_fo_cipher, 816 > (plain, cipher, pubkey, rng); } @@ -514,6 +514,7 @@ int algo_mceqd192cube::encrypt (const bvector&plain, bvector&cipher, 2816, 6912, 256, cube384hash, cube128hash, + arcfour_fo_cipher, 1574 > (plain, cipher, pubkey, rng); } @@ -526,6 +527,7 @@ int algo_mceqd256cube::encrypt (const bvector&plain, bvector&cipher, 4096, 8192, 256, cube512hash, cube128hash, + arcfour_fo_cipher, 1638 > (plain, cipher, pubkey, rng); } @@ -538,6 +540,7 @@ int algo_mceqd128cube::decrypt (const bvector&cipher, bvector&plain, 2048, 4096, 128, cube256hash, cube128hash, + arcfour_fo_cipher, 816 > (cipher, plain, privkey); } @@ -550,6 +553,7 @@ int algo_mceqd192cube::decrypt (const bvector&cipher, bvector&plain, 2816, 6912, 256, cube384hash, cube128hash, + arcfour_fo_cipher, 1574 > (cipher, plain, privkey); } @@ -562,6 +566,7 @@ int algo_mceqd256cube::decrypt (const bvector&cipher, bvector&plain, 4096, 8192, 256, cube512hash, cube128hash, + arcfour_fo_cipher, 1638 > (cipher, plain, privkey); } diff --git a/src/algos_sig.cpp b/src/algos_sig.cpp index 3dbaf4e..f9a7477 100644 --- a/src/algos_sig.cpp +++ b/src/algos_sig.cpp @@ -55,6 +55,8 @@ #define MIN(a,b) ((a)<(b)?(a):(b)) +typedef arcfour padding_generator; + static void msg_pad (const bvector&in, std::vector&out, size_t minsize) { uint i; @@ -66,17 +68,10 @@ static void msg_pad (const bvector&in, std::vector&out, size_t minsize) if (out.size() >= minsize) return; - arcfour g; - g.init (8); - + padding_generator g; + g.init (); //stuff in as much seed material as possible - for (i = 0; i < (out.size() >> 8); ++i) { - std::vector sub (out.begin() + (i << 8), - MIN (out.end(), - out.begin() + ( (i + 1) << 8) ) ); - g.load_key (sub); - } - g.discard (256); + g.load_key (out); i = out.size(); out.resize (minsize); diff --git a/src/arcfour.h b/src/arcfour.h index a7e7fa3..842a72a 100644 --- a/src/arcfour.h +++ b/src/arcfour.h @@ -19,17 +19,18 @@ #ifndef _ccr_rc4_h_ #define _ccr_rc4_h_ +#include "sc.h" + #include -#include - -template class arcfour +template +class arcfour : public streamcipher { std::vector S; inttype I, J; inttype mask; public: - bool init (unsigned bits) { + bool init () { size_t Ssize = 1 << bits; if (bits > 8 * sizeof (inttype) ) return false; I = J = 0; @@ -46,14 +47,30 @@ public: S.clear(); } - void load_key (const std::vector&K) { - inttype j = 0, t; - for (size_t i = 0; i <= mask; ++i) { - j = (j + S[i] + K[i % K.size()]) & mask; - t = S[j]; - S[j] = S[i]; - S[i] = t; + void load_key (const inttype*begin, const inttype*end) { + inttype j, t; + size_t i; + const inttype *keypos; + + //eat whole key iteratively, even if longer than permutation + for (; begin < end; begin += mask + 1) { + j = 0; + for (i = 0, keypos = begin; + i <= mask; + ++i, ++keypos) { + if (keypos >= end) keypos = begin; //rotate + j = (j + S[i] + (*keypos) ) & mask; + t = S[j]; + S[j] = S[i]; + S[i] = t; + } } + + discard (disc_bytes); + } + + void load_key (const std::vector&K) { + load_key (& (K[0]), & (K[K.size()]) ); } inttype gen() { @@ -68,13 +85,20 @@ public: return S[ (S[I] + S[J]) & mask]; } - void discard (size_t n) { - for (size_t i = 0; i < n; ++i) gen(); + void gen (size_t n, inttype*out) { + if (out) + for (size_t i = 0; i < n; ++i) out[i] = gen(); + else + for (size_t i = 0; i < n; ++i) gen(); } void gen (size_t n, std::vector&out) { out.resize (n); - for (size_t i = 0; i < n; ++i) out[i] = gen(); + gen (n, & (out[0]) ); + } + + size_t block_size() { + return 1; } }; diff --git a/src/fmtseq.cpp b/src/fmtseq.cpp index b0e2617..856dd43 100644 --- a/src/fmtseq.cpp +++ b/src/fmtseq.cpp @@ -21,10 +21,12 @@ using namespace fmtseq; -void prepare_keygen (arcfour& kg, const std::vector&SK, uint idx) +typedef arcfour privgen; + +void prepare_keygen (privgen& kg, const std::vector&SK, uint idx) { kg.clear(); - kg.init (8); + kg.init (); kg.load_key (SK); std::vectortmp; while (idx) { @@ -34,6 +36,8 @@ void prepare_keygen (arcfour& kg, const std::vector&SK, uint idx) tmp.resize (16, 0); //prevent chaining to other numbers kg.load_key (tmp); kg.discard (4096); + //discarding is done manually here, + //for the purpose of double key loading. } static void add_zero_checksum (bvector& v) @@ -135,7 +139,7 @@ static bool check_privkey (privkey&priv, hash_func&hf) static void update_privkey (privkey&priv, hash_func&hf) { uint i, j; - arcfour generator; + privgen generator; std::vector x, Y; uint commitments = fmtseq_commitments (priv.hs); @@ -289,7 +293,7 @@ int fmtseq::generate (pubkey&pub, privkey&priv, uint commitments = fmtseq_commitments (hs); - arcfour generator; + privgen generator; std::vector x, Y; alloc_exist (priv); @@ -384,7 +388,7 @@ int privkey::sign (const bvector& hash, bvector& sig, hash_func& hf) Sig.reserve (hf.size() * (commitments + h * l) ); //first, compute the commitments and push them to the signature - arcfour generator; + privgen generator; prepare_keygen (generator, SK, sigs_used); for (i = 0; i < commitments; ++i) { //generate x_i diff --git a/src/generator.cpp b/src/generator.cpp index 5425ed7..e593497 100644 --- a/src/generator.cpp +++ b/src/generator.cpp @@ -41,6 +41,5 @@ void arcfour_rng::seed (uint bits, bool quick) f.close(); r.load_key (s); - r.discard (4096); } diff --git a/src/generator.h b/src/generator.h index 8c73c93..44c67a1 100644 --- a/src/generator.h +++ b/src/generator.h @@ -25,10 +25,10 @@ class arcfour_rng : public prng { public: - arcfour r; + arcfour r; arcfour_rng() { - r.init (8); + r.init (); } ~arcfour_rng() { diff --git a/src/sc.h b/src/sc.h new file mode 100644 index 0000000..e64259f --- /dev/null +++ b/src/sc.h @@ -0,0 +1,41 @@ + +/* + * This file is part of Codecrypt. + * + * Codecrypt is free software: you can redistribute it and/or modify it + * under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation, either version 3 of the License, or (at + * your option) any later version. + * + * Codecrypt is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with Codecrypt. If not, see . + */ + +#ifndef _ccr_sc_h_ +#define _ccr_sc_h_ + +#include "types.h" + +#include + +class streamcipher +{ +public: + virtual bool init() = 0; + virtual void clear() = 0; + virtual void load_key (const byte*begin, const byte*end) = 0; + virtual byte gen() = 0; + virtual void gen (size_t n, byte*out) = 0; + virtual size_t block_size() = 0; + + void discard (size_t n) { + gen (n, 0); + } +}; + +#endif