sc: stream cipher abstraction applied to arcfour

A minor bug was discovered in padding of short message signatures. If is
silently fixed, causing some (very minor) incompatibility of signatures
with previous versions.

ChangeLog

@@ -1,6 +1,9 @@
 
 Codecrypt ChangeLog
 
+- virtualize the stream ciphers
+- fix fmtseq short message padding bug (fixed by previous)
+
 1.5
 
 - add hashfile support with -S

src/algos_enc.cpp

@@ -246,14 +246,13 @@ static bool message_unpad (std::vector<byte> in, bvector&out,
  * otherwise it probably fails. miserably.
  */
 
-#define arcfour_discard 4096
-
 template < class pubkey_type,
          int plainsize,
          int ciphersize,
          int errorcount,
          class hash_type,
          class pad_hash_type,
+         class scipher,
          int ranksize >
 static int fo_encrypt (const bvector&plain, bvector&cipher,
                        sencode* pubkey, prng&rng)
@@ -304,17 +303,13 @@ static int fo_encrypt (const bvector&plain, bvector&cipher,
 	if (Pub.encrypt (mce_plain, cipher, ev) ) return 5;
 
 	//encrypt the message part (xor with arcfour)
-	arcfour<byte> arc;
+	scipher sc;
-	arc.init (8);
+	sc.init ();
 	//whole key must be tossed in, so split if when necessary
-	for (i = 0; i < (K.size() >> 8); ++i) {
+	sc.load_key (K);
-		std::vector<byte> subkey (K.begin() + (i << 8),
+
-		                          MIN (K.end(),
+	//encrypt
-		                               K.begin() + ( (i + 1) << 8) ) );
+	for (i = 0; i < M.size(); ++i) M[i] = M[i] ^ sc.gen();
-		arc.load_key (subkey);
-	}
-	arc.discard (arcfour_discard);
-	for (i = 0; i < M.size(); ++i) M[i] = M[i] ^ arc.gen();
 
 	//append the message part to the ciphertext
 	cipher.resize (ciphersize + (M.size() << 3) );
@@ -330,6 +325,7 @@ template < class privkey_type,
          int errorcount,
          class hash_type,
          class pad_hash_type,
+         class scipher,
          int ranksize >
 static int fo_decrypt (const bvector&cipher, bvector&plain,
                        sencode* privkey)
@@ -370,18 +366,13 @@ static int fo_decrypt (const bvector&cipher, bvector&plain,
 		if (cipher[ciphersize + i]) M[i >> 3] |= 1 << (i & 0x7);
 
 	//prepare arcfour
-	arcfour<byte> arc;
+	scipher sc;
-	arc.init (8);
+	sc.init ();
 	//stuff in the whole key
-	for (i = 0; i < (K.size() >> 8); ++i) {
+	sc.load_key (K);
-		std::vector<byte> subkey (K.begin() + (i << 8),
+
-		                          MIN (K.end(),
-		                               K.begin() + ( (i + 1) << 8) ) );
-		arc.load_key (subkey);
-	}
-	arc.discard (arcfour_discard);
 	//decrypt the message part
-	for (i = 0; i < M.size(); ++i) M[i] = M[i] ^ arc.gen();
+	for (i = 0; i < M.size(); ++i) M[i] = M[i] ^ sc.gen();
 
 	//compute the hash of K+M
 	std::vector<byte>H, M2;
@@ -413,6 +404,8 @@ static int fo_decrypt (const bvector&cipher, bvector&plain,
  * Instances for actual encryption/descryption algorithms
  */
 
+typedef arcfour<byte, 8, 4096> arcfour_fo_cipher;
+
 #if HAVE_CRYPTOPP==1
 
 #include "sha_hash.h"
@@ -426,6 +419,7 @@ int algo_mceqd128::encrypt (const bvector&plain, bvector&cipher,
 	       2048, 4096, 128,
 	       sha256hash,
 	       rmd128hash,
+	       arcfour_fo_cipher,
 	       816 >
 	       (plain, cipher, pubkey, rng);
 }
@@ -438,6 +432,7 @@ int algo_mceqd192::encrypt (const bvector&plain, bvector&cipher,
 	       2816, 6912, 256,
 	       sha384hash,
 	       rmd128hash,
+	       arcfour_fo_cipher,
 	       1574 >
 	       (plain, cipher, pubkey, rng);
 }
@@ -450,6 +445,7 @@ int algo_mceqd256::encrypt (const bvector&plain, bvector&cipher,
 	       4096, 8192, 256,
 	       sha512hash,
 	       rmd128hash,
+	       arcfour_fo_cipher,
 	       1638 >
 	       (plain, cipher, pubkey, rng);
 }
@@ -462,6 +458,7 @@ int algo_mceqd128::decrypt (const bvector&cipher, bvector&plain,
 	       2048, 4096, 128,
 	       sha256hash,
 	       rmd128hash,
+	       arcfour_fo_cipher,
 	       816 >
 	       (cipher, plain, privkey);
 }
@@ -474,6 +471,7 @@ int algo_mceqd192::decrypt (const bvector&cipher, bvector&plain,
 	       2816, 6912, 256,
 	       sha384hash,
 	       rmd128hash,
+	       arcfour_fo_cipher,
 	       1574 >
 	       (cipher, plain, privkey);
 }
@@ -486,6 +484,7 @@ int algo_mceqd256::decrypt (const bvector&cipher, bvector&plain,
 	       4096, 8192, 256,
 	       sha512hash,
 	       rmd128hash,
+	       arcfour_fo_cipher,
 	       1638 >
 	       (cipher, plain, privkey);
 }
@@ -502,6 +501,7 @@ int algo_mceqd128cube::encrypt (const bvector&plain, bvector&cipher,
 	       2048, 4096, 128,
 	       cube256hash,
 	       cube128hash,
+	       arcfour_fo_cipher,
 	       816 >
 	       (plain, cipher, pubkey, rng);
 }
@@ -514,6 +514,7 @@ int algo_mceqd192cube::encrypt (const bvector&plain, bvector&cipher,
 	       2816, 6912, 256,
 	       cube384hash,
 	       cube128hash,
+	       arcfour_fo_cipher,
 	       1574 >
 	       (plain, cipher, pubkey, rng);
 }
@@ -526,6 +527,7 @@ int algo_mceqd256cube::encrypt (const bvector&plain, bvector&cipher,
 	       4096, 8192, 256,
 	       cube512hash,
 	       cube128hash,
+	       arcfour_fo_cipher,
 	       1638 >
 	       (plain, cipher, pubkey, rng);
 }
@@ -538,6 +540,7 @@ int algo_mceqd128cube::decrypt (const bvector&cipher, bvector&plain,
 	       2048, 4096, 128,
 	       cube256hash,
 	       cube128hash,
+	       arcfour_fo_cipher,
 	       816 >
 	       (cipher, plain, privkey);
 }
@@ -550,6 +553,7 @@ int algo_mceqd192cube::decrypt (const bvector&cipher, bvector&plain,
 	       2816, 6912, 256,
 	       cube384hash,
 	       cube128hash,
+	       arcfour_fo_cipher,
 	       1574 >
 	       (cipher, plain, privkey);
 }
@@ -562,6 +566,7 @@ int algo_mceqd256cube::decrypt (const bvector&cipher, bvector&plain,
 	       4096, 8192, 256,
 	       cube512hash,
 	       cube128hash,
+	       arcfour_fo_cipher,
 	       1638 >
 	       (cipher, plain, privkey);
 }

src/algos_sig.cpp

@@ -55,6 +55,8 @@
 
 #define MIN(a,b) ((a)<(b)?(a):(b))
 
+typedef arcfour<byte, 8, 256> padding_generator;
+
 static void msg_pad (const bvector&in, std::vector<byte>&out, size_t minsize)
 {
 	uint i;
@@ -66,17 +68,10 @@ static void msg_pad (const bvector&in, std::vector<byte>&out, size_t minsize)
 
 	if (out.size() >= minsize) return;
 
-	arcfour<byte> g;
+	padding_generator g;
-	g.init (8);
+	g.init ();
-
 	//stuff in as much seed material as possible
-	for (i = 0; i < (out.size() >> 8); ++i) {
+	g.load_key (out);
-		std::vector<byte> sub (out.begin() + (i << 8),
-		                       MIN (out.end(),
-		                            out.begin() + ( (i + 1) << 8) ) );
-		g.load_key (sub);
-	}
-	g.discard (256);
 
 	i = out.size();
 	out.resize (minsize);

src/arcfour.h

@@ -19,17 +19,18 @@
 #ifndef _ccr_rc4_h_
 #define _ccr_rc4_h_
 
+#include "sc.h"
+
 #include <vector>
 
-#include <sys/types.h>
+template<class inttype = byte, int bits = 8, int disc_bytes = 0>
-
+class arcfour : public streamcipher
-template<class inttype> class arcfour
 {
 	std::vector<inttype> S;
 	inttype I, J;
 	inttype mask;
 public:
-	bool init (unsigned bits) {
+	bool init () {
 		size_t Ssize = 1 << bits;
 		if (bits > 8 * sizeof (inttype) ) return false;
 		I = J = 0;
@@ -46,16 +47,32 @@ public:
 		S.clear();
 	}
 
-	void load_key (const std::vector<inttype>&K) {
+	void load_key (const inttype*begin, const inttype*end) {
-		inttype j = 0, t;
+		inttype j, t;
-		for (size_t i = 0; i <= mask; ++i) {
+		size_t i;
-			j = (j + S[i] + K[i % K.size()]) & mask;
+		const inttype *keypos;
+
+		//eat whole key iteratively, even if longer than permutation
+		for (; begin < end; begin += mask + 1) {
+			j = 0;
+			for (i = 0, keypos = begin;
+			     i <= mask;
+			     ++i, ++keypos) {
+				if (keypos >= end) keypos = begin; //rotate
+				j = (j + S[i] + (*keypos) ) & mask;
 				t = S[j];
 				S[j] = S[i];
 				S[i] = t;
 			}
 		}
 
+		discard (disc_bytes);
+	}
+
+	void load_key (const std::vector<inttype>&K) {
+		load_key (& (K[0]), & (K[K.size()]) );
+	}
+
 	inttype gen() {
 		I = (I + 1) & mask;
 		J = (J + S[I]) & mask;
@@ -68,13 +85,20 @@ public:
 		return S[ (S[I] + S[J]) & mask];
 	}
 
-	void discard (size_t n) {
+	void gen (size_t n, inttype*out) {
+		if (out)
+			for (size_t i = 0; i < n; ++i) out[i] = gen();
+		else
 			for (size_t i = 0; i < n; ++i) gen();
 	}
 
 	void gen (size_t n, std::vector<inttype>&out) {
 		out.resize (n);
-		for (size_t i = 0; i < n; ++i) out[i] = gen();
+		gen (n, & (out[0]) );
+	}
+
+	size_t block_size() {
+		return 1;
 	}
 };
 

src/fmtseq.cpp

@@ -21,10 +21,12 @@
 
 using namespace fmtseq;
 
-void prepare_keygen (arcfour<byte>& kg, const std::vector<byte>&SK, uint idx)
+typedef arcfour<byte, 8, 0> privgen;
+
+void prepare_keygen (privgen& kg, const std::vector<byte>&SK, uint idx)
 {
 	kg.clear();
-	kg.init (8);
+	kg.init ();
 	kg.load_key (SK);
 	std::vector<byte>tmp;
 	while (idx) {
@@ -34,6 +36,8 @@ void prepare_keygen (arcfour<byte>& kg, const std::vector<byte>&SK, uint idx)
 	tmp.resize (16, 0); //prevent chaining to other numbers
 	kg.load_key (tmp);
 	kg.discard (4096);
+	//discarding is done manually here,
+	//for the purpose of double key loading.
 }
 
 static void add_zero_checksum (bvector& v)
@@ -135,7 +139,7 @@ static bool check_privkey (privkey&priv, hash_func&hf)
 static void update_privkey (privkey&priv, hash_func&hf)
 {
 	uint i, j;
-	arcfour<byte> generator;
+	privgen generator;
 	std::vector<byte> x, Y;
 	uint commitments = fmtseq_commitments (priv.hs);
 
@@ -289,7 +293,7 @@ int fmtseq::generate (pubkey&pub, privkey&priv,
 
 	uint commitments = fmtseq_commitments (hs);
 
-	arcfour<byte> generator;
+	privgen generator;
 	std::vector<byte> x, Y;
 
 	alloc_exist (priv);
@@ -384,7 +388,7 @@ int privkey::sign (const bvector& hash, bvector& sig, hash_func& hf)
 
 	Sig.reserve (hf.size() * (commitments + h * l) );
 	//first, compute the commitments and push them to the signature
-	arcfour<byte> generator;
+	privgen generator;
 	prepare_keygen (generator, SK, sigs_used);
 	for (i = 0; i < commitments; ++i) {
 		//generate x_i

src/generator.cpp

@@ -41,6 +41,5 @@ void arcfour_rng::seed (uint bits, bool quick)
 	f.close();
 
 	r.load_key (s);
-	r.discard (4096);
 }
 

src/generator.h

@@ -25,10 +25,10 @@
 class arcfour_rng : public prng
 {
 public:
-	arcfour<byte> r;
+	arcfour<byte, 8, 4096> r;
 
 	arcfour_rng() {
-		r.init (8);
+		r.init ();
 	}
 
 	~arcfour_rng() {

src/sc.h

@@ -0,0 +1,41 @@
+
+/*
+ * This file is part of Codecrypt.
+ *
+ * Codecrypt is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or (at
+ * your option) any later version.
+ *
+ * Codecrypt is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
+ * License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Codecrypt. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef _ccr_sc_h_
+#define _ccr_sc_h_
+
+#include "types.h"
+
+#include <sys/types.h>
+
+class streamcipher
+{
+public:
+	virtual bool init() = 0;
+	virtual void clear() = 0;
+	virtual void load_key (const byte*begin, const byte*end) = 0;
+	virtual byte gen() = 0;
+	virtual void gen (size_t n, byte*out) = 0;
+	virtual size_t block_size() = 0;
+
+	void discard (size_t n) {
+		gen (n, 0);
+	}
+};
+
+#endif