-/* Copyright (c) 1998,2011,2014 Apple Inc. All Rights Reserved.
- *
- * NOTICE: USE OF THE MATERIALS ACCOMPANYING THIS NOTICE IS SUBJECT
- * TO THE TERMS OF THE SIGNED "FAST ELLIPTIC ENCRYPTION (FEE) REFERENCE
- * SOURCE CODE EVALUATION AGREEMENT" BETWEEN APPLE, INC. AND THE
- * ORIGINAL LICENSEE THAT OBTAINED THESE MATERIALS FROM APPLE,
- * INC. ANY USE OF THESE MATERIALS NOT PERMITTED BY SUCH AGREEMENT WILL
- * EXPOSE YOU TO LIABILITY.
- ***************************************************************************
- *
- * FeeFEED.c - generic, portable FEED encryption object, expanionless version
- *
- * Revision History
- * ----------------
- * 10/06/98 ap
- * Changed to compile with C++.
- * 20 Jan 1998 at Apple
- * Mods for primeType == PT_GENERAL case.
- * 12 Jun 1997 at Apple
- * Was curveOrderJustify(), is lesserX1OrderJustify()
- * 31 Mar 1997 at Apple
- * Fixed initialRS leak
- * 3 Mar 1997 at Apple
- * Trimmed plainBlockSize by one byte if q mod 8 = 0
- * 30 Jan 1997 at NeXT
- * Created.
- */
-
-/*
- * FIXME - a reusable init function would be nice (i.e., free up
- * session-dependent state and re-init it)...
- */
-#include "ckconfig.h"
-
-#if CRYPTKIT_ASYMMETRIC_ENABLE
-
-#include "feeTypes.h"
-#include "feeFEED.h"
-#include "feeFEEDExp.h"
-#include "feePublicKey.h"
-#include "feePublicKeyPrivate.h"
-#include "elliptic.h"
-#include "falloc.h"
-#include "feeRandom.h"
-#include "ckutilities.h"
-#include "feeFunctions.h"
-#include "platform.h"
-#include "curveParams.h"
-#include "feeDebug.h"
-#include <stdlib.h>
-#include <stdio.h>
-
-#define FEED_DEBUG 0
-#define BUFFER_DEBUG 0
-#if BUFFER_DEBUG
-#define bprintf(s) printf s
-#else
-#define bprintf(s)
-#endif
-
-/*
- * Minimum combined size of random r and s, in bytes. For small q sizes,
- * r and s may be even smaller, but we never truncate them to smaller than
- * this.
- * This must be kept in sync with constant of same name in FEED.java.
- */
-#define RS_MIN_SIZE 16
-
-/*
- * Private data.
- */
-typedef struct {
- curveParams *cp;
-
- /*
- * the clues are initially (r * ourPriv * theirPub(+/-)).
- */
- giant cluePlus;
- giant clueMinus;
-
- /*
- * sPlus and sMinus are based on the random s generated at encrypt
- * time. Values are s * x1{Plus,Minus}.
- */
- giant sPlus;
- giant sMinus;
- giant r; /* random, generated at encrypt time */
- unsigned plainBlockSize; /* plaintext block size */
- unsigned cipherBlockSize; /* ciphertext block size */
- unsigned char *initialRS; /* initial random R,S as bytes */
- unsigned initialRSSize; /* in bytes */
- feeFEEDExp feedExp; /* for encr/decr r+s params */
-
- /*
- * The first few blocks of ciphertext in a stream are the 2:1-FEED
- * encrypted r and s parameters. While decrypting, we stash incoming
- * ciphertext in rsCtext until we get enough ciphertext to decrypt
- * initialRS. RsBlockCount keeps a running count of the
- * cipherBlocks received. When rsBlockCount == rsSizeCipherBlocks, we
- * FEEDExp-decrypt rsCtext to get r and s (actually, to get
- * initialRS; r and s are extraced later in initFromRS()).
- *
- * During encrypt, if rsBlockCount is zero, the first thing we send as
- * ciphertext is the FEED-encrypted initialRS.
- */
- unsigned char *rsCtext; /* buffer for encrypted initialRS */
- unsigned rsBlockCount; /* running total of incoming rs
- * cipherblocks */
-
- int forEncrypt; /* added for feeFEED*TextSize() */
-
- /*
- * These are calculated at init time - for encrypt and
- * decrypt - as an optimization.
- */
- unsigned rsCtextSize; /* number of meaningful bytes in
- * rsCtext */
- unsigned rsSizeCipherBlocks; /* # of our cipherblocks holding
- * rsCtext */
-
- /*
- * temporary variables used for encrypt/decrypt. The values in these
- * are not needed to be kept from block to block; we just
- * alloc them once per lifetime of a feeFEED object as an optimization.
- */
- giant xp; /* plaintext */
- giant xm; /* ciphertext */
- giant tmp1; /* scratch */
- giant tmp2; /* scratch */
-} feedInst;
-
-/*
- * "zero residue" indicator.
- */
-#define RESID_ZERO 0xff
-
-/*
- * cons up:
- * cluePlus(0)
- * clueMinus(0)
- * sPlus
- * sMinus
- * r
- * Assumes:
- * cluePlus = clueMinus = ourPriv * theirPub
- * initialRS
- * initialRSSize
- * cp
- *
- * Called at feeFEEDNewWithPubKey while encrypting, or upon decrypting
- * first block of data.
- */
-static feeReturn initFromRS(feedInst *finst)
-{
- giant s;
- unsigned rSize = finst->initialRSSize / 2;
-
- #if FEED_DEBUG
- if((finst->initialRS == NULL) ||
- (finst->cp == NULL) ||
- (finst->cluePlus == NULL) ||
- (finst->clueMinus == NULL) ||
- (finst->initialRSSize == 0)) {
- dbgLog(("initFromRS: resource shortage\n"));
- return FR_Internal;
- }
- #endif // FEED_DEBUG
-
- finst->r = giant_with_data(finst->initialRS, rSize);
- s = giant_with_data(finst->initialRS+rSize, rSize);
-
- #if FEED_DEBUG
- if(isZero(finst->r)) {
- printf("initFromRS: r = 0! initialRSSize = %d; encr = %s\n",
- finst->initialRSSize,
- (finst->rsCtext == NULL) ? "TRUE" : "FALSE");
- }
- if(isZero(s)) {
- printf("initFromRS: s = 0! initialRSSize = %d; encr = %s\n",
- finst->initialRSSize,
- (finst->rsCtext == NULL) ? "TRUE" : "FALSE");
- }
- #endif // FEE_DEBUG
- /*
- * Justify r and s to be in [2, minimumX1Order].
- */
- lesserX1OrderJustify(finst->r, finst->cp);
- lesserX1OrderJustify(s, finst->cp);
-
- /*
- * sPlus = s * x1Plus
- * sMinus = s * x1Minus
- */
- finst->sPlus = newGiant(finst->cp->maxDigits);
- finst->sMinus = newGiant(finst->cp->maxDigits);
- gtog(finst->cp->x1Plus, finst->sPlus);
- elliptic_simple(finst->sPlus, s, finst->cp);
- gtog(finst->cp->x1Minus, finst->sMinus);
- elliptic_simple(finst->sMinus, s, finst->cp);
-
- /*
- * And finally, the initial clues. They are currently set to
- * ourPriv * theirPub.
- */
- #if FEED_DEBUG
- printf("cluePlus : "); printGiant(finst->cluePlus);
- printf("clueMinus: "); printGiant(finst->clueMinus);
- #endif // FEED_EEBUG
-
- elliptic_simple(finst->cluePlus, finst->r, finst->cp);
- elliptic_simple(finst->clueMinus, finst->r, finst->cp);
-
- #if FEED_DEBUG
- printf("r : "); printGiant(finst->r);
- printf("s : "); printGiant(s);
- printf("sPlus : "); printGiant(finst->sPlus);
- printf("sMinus : "); printGiant(finst->sMinus);
- printf("cluePlus : "); printGiant(finst->cluePlus);
- printf("clueMinus: "); printGiant(finst->clueMinus);
- #endif // FEED_DEBUG
-
- freeGiant(s);
- return FR_Success;
-}
-
-/*
- * Alloc and init a feeFEED object associated with specified public and
- * private keys.
- */
-feeFEED feeFEEDNewWithPubKey(feePubKey myPrivKey,
- feePubKey theirPubKey,
- int forEncrypt, // 0 ==> decrypt 1 ==> encrypt
- feeRandFcn randFcn, // optional
- void *randRef)
-{
- feedInst *finst;
- giant privGiant;
- key k;
- unsigned expPlainSize;
- unsigned expCipherSize;
- unsigned expBlocks;
-
- if(!curveParamsEquivalent(feePubKeyCurveParams(theirPubKey),
- feePubKeyCurveParams(myPrivKey))) {
- dbgLog(("feeFEEDNewWithPubKey: Incompatible Keys\n"));
- return NULL;
- }
- finst = (feedInst*) fmalloc(sizeof(feedInst));
- bzero(finst, sizeof(feedInst));
- finst->forEncrypt = forEncrypt;
- finst->cp = curveParamsCopy(feePubKeyCurveParams(theirPubKey));
- finst->rsBlockCount = 0;
- finst->xp = newGiant(finst->cp->maxDigits);
- finst->xm = newGiant(finst->cp->maxDigits);
- finst->tmp1 = newGiant(finst->cp->maxDigits);
- if(forEncrypt) {
- finst->tmp2 = newGiant(finst->cp->maxDigits);
- }
-
- /*
- * cluePlus = ourPriv * theirPub+
- * clueMinus = ourPriv * theirPub-
- */
- finst->cluePlus = newGiant(finst->cp->maxDigits);
- finst->clueMinus = newGiant(finst->cp->maxDigits);
- privGiant = feePubKeyPrivData(myPrivKey);
- if(privGiant == NULL) {
- dbgLog(("feeFEEDNewWithPubKey: no private key\n"));
- goto abort;
- }
- k = feePubKeyPlusCurve(theirPubKey);
- gtog(k->x, finst->cluePlus); // cluePlus = theirPub+
- elliptic_simple(finst->cluePlus, privGiant, finst->cp);
- k = feePubKeyMinusCurve(theirPubKey);
- gtog(k->x, finst->clueMinus); // theirPub-
- elliptic_simple(finst->clueMinus, privGiant, finst->cp);
-
- /*
- * Set up block sizes.
- */
- if(finst->cp->primeType == FPT_General) {
- unsigned blen = bitlen(finst->cp->basePrime);
-
- finst->plainBlockSize = blen / 8;
- if((blen & 0x7) == 0) {
- /*
- * round down some more...
- */
- finst->plainBlockSize--;
- }
- }
- else {
- finst->plainBlockSize = finst->cp->q / 8;
- if(((finst->cp->q & 0x7) == 0) && (finst->cp->k > 0)) {
- /*
- * Special case, with q mod 8 == 0. Here we have to
- * trim back the plainBlockSize by one byte.
- */
- finst->plainBlockSize--;
- }
- }
- finst->cipherBlockSize = finst->cp->minBytes + 1;
-
- /*
- * the size of initialRS is subject to tweaking - if we make it
- * not a multiple of plainBlockSize, we save one FEEDExp cipherBlock
- * in our ciphertext.
- */
- finst->initialRSSize = finst->plainBlockSize * 2;
- if(finst->initialRSSize > RS_MIN_SIZE) {
- unsigned minPlainBlocks;
- unsigned maxSize;
-
- /*
- * How many plainblocks to hold RS_MIN_SIZE?
- */
- minPlainBlocks = (RS_MIN_SIZE + finst->plainBlockSize - 1) /
- finst->plainBlockSize;
-
- /*
- * Max size = that many plainblocks, less 2 bytes (to avoid
- * extra residue block).
- */
- maxSize = minPlainBlocks * finst->plainBlockSize - 2;
-
- /*
- * But don't bother with more than 2 plainblocks worth
- */
- if(finst->initialRSSize > maxSize) {
- finst->initialRSSize = maxSize;
- }
- }
- /* else leave it alone, that's small enough */
-
- if(forEncrypt) {
- feeRand frand = NULL;
-
- /*
- * Encrypt-capable FEEDExp object
- */
- finst->feedExp = feeFEEDExpNewWithPubKey(theirPubKey,
- randFcn,
- randRef);
- if(finst->feedExp == NULL) {
- goto abort;
- }
-
- /*
- * Generate initial r and s data.
- */
- finst->initialRS = (unsigned char*) fmalloc(finst->initialRSSize);
- if(randFcn != NULL) {
- randFcn(randRef, finst->initialRS, finst->initialRSSize);
- }
- else {
- frand = feeRandAlloc();
- feeRandBytes(frand, finst->initialRS, finst->initialRSSize);
- feeRandFree(frand);
- }
- if(initFromRS(finst)) {
- goto abort;
- }
- }
- else {
- /*
- * Decrypt-capable FEEDExp object
- */
- finst->feedExp = feeFEEDExpNewWithPubKey(myPrivKey,
- randFcn,
- randRef);
- if(finst->feedExp == NULL) {
- goto abort;
- }
-
- }
-
- /*
- * Figure out how many of our cipherblocks it takes to hold
- * a FEEDExp-encrypted initialRS. If initialRSSize is an exact
- * multiple of expPlainSize, we get an additional feedExp
- * residue block.
- */
- expPlainSize = feeFEEDExpPlainBlockSize(finst->feedExp);
- expCipherSize = feeFEEDExpCipherBlockSize(finst->feedExp);
- expBlocks = (finst->initialRSSize + expPlainSize - 1) /
- expPlainSize;
- if((finst->initialRSSize % expPlainSize) == 0) {
- expBlocks++;
- }
-
- /*
- * Total meaningful bytes of encrypted initialRS
- */
- finst->rsCtextSize = expBlocks * expCipherSize;
-
- /*
- * Number of our cipherblocks it takes to hold rsCtextSize
- */
- finst->rsSizeCipherBlocks = (finst->rsCtextSize +
- finst->cipherBlockSize - 1) / finst->cipherBlockSize;
- if(!forEncrypt) {
- finst->rsCtext = (unsigned char*) fmalloc(finst->rsSizeCipherBlocks *
- finst->cipherBlockSize);
- }
-
- /*
- * Sanity check...
- */
- #if FEED_DEBUG
- {
- unsigned fexpBlockSize = feeFEEDExpCipherBlockSize(finst->feedExp);
-
- /*
- * FEEDExp has one more giant in ciphertext, plaintext is
- * same size
- */
- if((finst->cipherBlockSize + finst->cp->minBytes) !=
- fexpBlockSize) {
- dbgLog(("feeFEEDNewWithPubKey: FEEDExp CBlock Size "
- "screwup\n"));
- goto abort;
- }
- fexpBlockSize = feeFEEDExpPlainBlockSize(finst->feedExp);
- if(fexpBlockSize != finst->plainBlockSize) {
- dbgLog(("feeFEEDNewWithPubKey: FEEDExp PBlock Size "
- "screwup\n"));
- goto abort;
- }
- }
- #endif // FEED_DEBUG
-
- return finst;
-
-abort:
- feeFEEDFree(finst);
- return NULL;
-}
-
-void feeFEEDFree(feeFEED feed)
-{
- feedInst *finst = (feedInst*) feed;
-
- if(finst->cp) {
- freeCurveParams(finst->cp);
- }
- if(finst->initialRS) {
- ffree(finst->initialRS);
- }
- if(finst->cluePlus) {
- freeGiant(finst->cluePlus);
- }
- if(finst->clueMinus) {
- freeGiant(finst->clueMinus);
- }
- if(finst->sPlus) {
- freeGiant(finst->sPlus);
- }
- if(finst->sMinus) {
- freeGiant(finst->sMinus);
- }
- if(finst->r) {
- freeGiant(finst->r);
- }
- if(finst->feedExp) {
- feeFEEDExpFree(finst->feedExp);
- }
- if(finst->rsCtext) {
- ffree(finst->rsCtext);
- }
- if(finst->xp) {
- freeGiant(finst->xp);
- }
- if(finst->xm) {
- freeGiant(finst->xm);
- }
- if(finst->tmp1) {
- freeGiant(finst->tmp1);
- }
- if(finst->tmp2) {
- freeGiant(finst->tmp2);
- }
- ffree(finst);
-}
-
-unsigned feeFEEDPlainBlockSize(feeFEED feed)
-{
- feedInst *finst = (feedInst *) feed;
-
- return finst->plainBlockSize;
-}
-
-unsigned feeFEEDCipherBlockSize(feeFEED feed)
-{
- feedInst *finst = (feedInst *) feed;
-
- return finst->cipherBlockSize;
-}
-
-/*
- * Calculate size of buffer currently needed to encrypt one block of
- * plaintext. Also used to calculate required input during decrypt
- * to get any output.
- */
-unsigned feeFEEDCipherBufSize(feeFEED feed,
- int finalBlock)
-{
- feedInst *finst = (feedInst *) feed;
- unsigned blocks = 1; // always at least one block of ciphertext
-
- if(finst->rsBlockCount == 0) {
- /* haven't sent/seen encrypted RS yet */
- blocks += finst->rsSizeCipherBlocks;
- }
-
- if(finalBlock) {
- /* only needed if ptext is aligned, but tell caller to malloc */
- blocks++;
- }
- bprintf(("$$$ feeFEEDCipherBufSize( %s, %s): rtn 0x%x\n",
- finst->forEncrypt ? "encrypt" : "decrypt",
- finalBlock ? " final" : "!final",
- blocks * finst->cipherBlockSize));
- return blocks * finst->cipherBlockSize;
-}
-
-/*
- * Return the size of ciphertext currently needed to encrypt specified
- * size of plaintext. Also can be used to calculate size of ciphertext
- * which can be decrypted into specified size of plaintext.
- */
-unsigned feeFEEDCipherTextSize(feeFEED feed,
- unsigned plainTextSize,
- int finalBlock)
-{
- feedInst *finst = (feedInst *) feed;
-
- /* how many blocks of plaintext? */
- unsigned blocks = (plainTextSize + finst->plainBlockSize - 1) /
- finst->plainBlockSize;
-
- if(finst->forEncrypt) {
- /* have we generated RS? */
- if(finst->rsBlockCount == 0) {
- /* haven't sent encrypted RS yet */
- blocks += finst->rsSizeCipherBlocks;
- }
-
- /* final? residue? */
- if(finalBlock) {
- if((plainTextSize % finst->plainBlockSize) == 0) {
- blocks++;
- }
- }
- } /* encrypting */
- else {
- /*
- * Decrypting - how much ciphertext can we decrypt safely into
- * specified plaintext? Add in RS if we haven't seen it all
- * yet.
- */
- #if BUFFER_DEBUG
- if(finst->rsBlockCount > finst->rsSizeCipherBlocks) {
- printf("******HEY! rsBlockCount overflow! (blockCount %d rsSize %d)\n",
- finst->rsBlockCount, finst->rsSizeCipherBlocks);
- }
- #endif
- blocks += (finst->rsSizeCipherBlocks - finst->rsBlockCount);
- }
- bprintf(("$$$ feeFEEDCipherTextSize(%s, %s, 0x%x): rtn 0x%x\n",
- finst->forEncrypt ? "encrypt" : "decrypt",
- finalBlock ? " final" : "!final",
- plainTextSize, blocks * finst->cipherBlockSize));
- return blocks * finst->cipherBlockSize;
-}
-
-/*
- * Return the size of plaintext currently needed to decrypt specified size
- * of ciphertext. Also can be used to calculate size of plaintext
- * which can be encrypted into specified size of ciphertext.
- */
-unsigned feeFEEDPlainTextSize(feeFEED feed,
- unsigned cipherTextSize,
- int finalBlock) // ignored if !forEncrypt
-{
- feedInst *finst = (feedInst *) feed;
-
- /* start with basic cipher block count */
- unsigned cipherBlocks = (cipherTextSize + finst->cipherBlockSize - 1) /
- finst->cipherBlockSize;
-
- /* where are we in the RS stream? */
- unsigned rsBlocksToGo = finst->rsSizeCipherBlocks - finst->rsBlockCount;
- if(finst->forEncrypt) {
- /*
- * Encrypting, seeking plaintext size we can encrypt given
- * a specified size of ciphertext.
- */
- if(rsBlocksToGo >= cipherBlocks) {
- /* no room! next encrypt would overflow ctext buffer! */
- return 0;
- }
- cipherBlocks -= rsBlocksToGo;
-
- /* another constraint - residue */
- if(finalBlock) {
- if(cipherBlocks) {
- /* skip if already zero... */
- cipherBlocks--;
- }
- }
- } /* encrypting */
- else {
- /* decrypting */
- if(rsBlocksToGo >= cipherBlocks) {
- /* still processing RS, no plaintext will be generated. Play it real
- * safe and just tell caller one block. */
- cipherBlocks = 1;
- }
- else {
- /* diminish by size of RS to be gobbled with no output */
- cipherBlocks -= rsBlocksToGo;
- }
- }
- bprintf(("$$$ feeFEEDPlainTextSize( %s, %s, 0x%x): rtn 0x%x\n",
- finst->forEncrypt ? "encrypt" : "decrypt",
- finalBlock ? " final" : "!final",
- cipherTextSize, cipherBlocks * finst->plainBlockSize));
- return cipherBlocks * finst->plainBlockSize;
-}
-
-/*
- * Bits in last byte of cipherblock
- */
-#define CLUE_BIT 0x01 /* 1 ==> plus curve */
-#define CLUE_PLUS 0x01
-#define CLUE_MINUS 0x00
-#define PARITY_BIT 0x02 /* 1 ==> plus 's' arg to elliptic_add() */
-#define PARITY_PLUS 0x02
-#define PARITY_MINUS 0x00
-
-/*
- * Encrypt a block or less of data. Caller malloc's cipherText.
- * Generates up to feeFEEDCipherBufSize() bytes of ciphertext.
- */
-feeReturn feeFEEDEncryptBlock(feeFEED feed,
- const unsigned char *plainText,
- unsigned plainTextLen,
- unsigned char *cipherText,
- unsigned *cipherTextLen, // RETURNED
- int finalBlock)
-{
- feedInst *finst = (feedInst *) feed;
- unsigned ctextLen = 0;
- feeReturn frtn = FR_Success;
- int whichCurve;
- giant thisClue; // not alloc'd or freed
- giant thisS; // ditto
- unsigned char clueByte;
-
- if(plainTextLen > finst->plainBlockSize) {
- return FR_IllegalArg;
- }
- if((plainTextLen < finst->plainBlockSize) && !finalBlock) {
- return FR_IllegalArg;
- }
- if(finst->initialRS == NULL) {
- /*
- * Init'd for decrypt?
- */
- return FR_IllegalArg;
- }
-
- /*
- * First block - encrypt initialRS via FEEDExp
- */
- if(finst->rsBlockCount == 0) {
- unsigned char *thisCtext; // malloc's by FEEDExp
- unsigned padLen;
-
- if(finst->initialRS == NULL) {
- /*
- * init'd for decrypt or reused
- */
- dbgLog(("feeFEEDEncryptBlock: NULL initialRS!\n"));
- return FR_IllegalArg;
- }
-
- frtn = feeFEEDExpEncrypt(finst->feedExp,
- finst->initialRS,
- finst->initialRSSize,
- &thisCtext,
- &ctextLen);
- if(frtn) {
- /*
- * Should never happen...
- */
- dbgLog(("feeFEEDEncryptBlock: error writing encrypted"
- " initialRS (%s)\n", feeReturnString(frtn)));
- return FR_Internal;
- }
- bcopy(thisCtext, cipherText, ctextLen);
- cipherText += ctextLen;
- ffree(thisCtext);
-
- finst->rsBlockCount = finst->rsSizeCipherBlocks;
- padLen = finst->cipherBlockSize -
- (ctextLen % finst->cipherBlockSize); // zeros to write
-
- #if 0 /* FEED_DEBUG */
-
- /*
- * Hard-coded assumptions and tests about initRSSize...
- * Currently we assume that initRSSize % expBlockSize = 0
- */
- if((ctextLen / finst->cipherBlockSize) != 5) {
- dbgLog(("feeFEEDEncryptBlock: cipherblock size screwup (1)\n"));
- return FR_Internal;
- }
- if(padLen != 3) {
- dbgLog(("feeFEEDEncryptBlock: cipherblock size screwup (2)\n"));
- return FR_Internal;
- }
- #endif // FEED_DEBUG
-
- /*
- * pad to multiple of (our) cipherblock size.
- */
- while(padLen) {
- *cipherText++ = 0;
- ctextLen++;
- padLen--;
- }
- }
-
- /*
- * plaintext to giant xp
- */
- if(finalBlock) {
- unsigned char *ptext = (unsigned char*) fmalloc(finst->plainBlockSize);
- bzero(ptext, finst->plainBlockSize);
- if(plainTextLen) {
- /*
- * skip for empty block with resid length 0
- */
- bcopy(plainText, ptext, plainTextLen);
- }
- if(plainTextLen < finst->plainBlockSize) {
- if(plainTextLen == 0) {
- /*
- * Special case - resid block with no actual plaintext.
- * Can't actually write zero here; it screws up
- * deserializing the giant during decrypt
- */
- ptext[finst->plainBlockSize - 1] = RESID_ZERO;
- bprintf(("=== FEED encrypt: RESID_ZERO\n"));
- }
- else {
- ptext[finst->plainBlockSize - 1] = plainTextLen;
- bprintf(("=== FEED encrypt: resid len 0x%x\n", plainTextLen));
- }
- }
- /*
- * else handle evenly aligned case (i.e., finalBlock true
- * and (plainTextLen == plainBlockSize)) below...
- */
- deserializeGiant(ptext, finst->xp, finst->plainBlockSize);
- ffree(ptext);
- }
- else {
- deserializeGiant(plainText, finst->xp, plainTextLen);
- }
-
- /*
- * encrypt xp
- * xm = xp + clue(+/-)
- * determine parity needed to restore xp
- * parity = ((xm + clue(+/-) == xp) ? 1 : -1
- * and adjust clue
- * clue[n+1] = r * clue[n] + (s * P1)
- */
- whichCurve = which_curve(finst->xp, finst->cp);
- if(whichCurve == CURVE_PLUS) {
- thisClue = finst->cluePlus;
- thisS = finst->sPlus;
- clueByte = CLUE_PLUS;
- }
- else {
- thisClue = finst->clueMinus;
- thisS = finst->sMinus;
- clueByte = CLUE_MINUS;
- }
- // calculate xm
- elliptic_add(thisClue, finst->xp, finst->xm, finst->cp, SIGN_PLUS);
- // save xm + clue in tmp1
- elliptic_add(finst->xm, thisClue, finst->tmp1, finst->cp, SIGN_PLUS);
- // Adjust clue
- elliptic_simple(thisClue, finst->r, finst->cp);
- gtog(thisClue, finst->tmp2);
- elliptic_add(finst->tmp2, thisS, thisClue, finst->cp, SIGN_PLUS);
-
- /*
- * Calculate parity
- */
- if(gcompg(finst->tmp1, finst->xp) == 0) {
- clueByte |= PARITY_PLUS;
- }
-
- /*
- * Ciphertext = (xm, clueByte)
- */
- serializeGiant(finst->xm, cipherText, finst->cp->minBytes);
- cipherText += finst->cp->minBytes;
- ctextLen += finst->cp->minBytes;
- *cipherText++ = clueByte;
- ctextLen++;
-
- #if FEED_DEBUG
- printf("encrypt clue %d\n", clueByte);
- printf(" xp : "); printGiant(finst->xp);
- printf(" xm : "); printGiant(finst->xm);
- printf(" cluePlus :"); printGiant(finst->cluePlus);
- printf(" clueMinus :"); printGiant(finst->clueMinus);
- #endif // FEED_DEBUG
-
- if(finalBlock && (plainTextLen == finst->plainBlockSize)) {
- /*
- * Special case: finalBlock true, plainTextLen == blockSize.
- * In this case we generate one more block of ciphertext,
- * with a resid length of zero.
- */
- unsigned moreCipher; // additional cipherLen
-
- frtn = feeFEEDEncryptBlock(feed,
- NULL, // plainText not used
- 0, // resid
- cipherText, // append...
- &moreCipher,
- 1);
- if(frtn == FR_Success) {
- ctextLen += moreCipher;
- }
- }
- bprintf(("=== FEED encryptBlock ptextLen 0x%x ctextLen 0x%x\n",
- plainTextLen, ctextLen));
-
- *cipherTextLen = ctextLen;
- return frtn;
-}
-
-/*
- * Decrypt (exactly) a block of data. Caller malloc's plainText. Always
- * generates feeFEEDPlainBlockSize of plaintext, unless finalBlock is
- * non-zero (in which case feeFEEDPlainBlockSize or less bytes of plainText are
- * generated).
- */
-feeReturn feeFEEDDecryptBlock(feeFEED feed,
- const unsigned char *cipherText,
- unsigned cipherTextLen,
- unsigned char *plainText,
- unsigned *plainTextLen, // RETURNED
- int finalBlock)
-{
- feedInst *finst = (feedInst *) feed;
- feeReturn frtn = FR_Success;
- unsigned char clueByte;
- giant thisClue; // not alloc'd
- giant thisS; // ditto
- int parity;
-
- if(finst->rsCtext == NULL) {
- /*
- * Init'd for encrypt?
- */
- return FR_IllegalArg;
- }
- if(cipherTextLen != finst->cipherBlockSize) {
- dbgLog(("feeFEEDDecryptBlock: bad cipherTextLen\n"));
- return FR_IllegalArg;
- }
- if(finst->rsBlockCount < finst->rsSizeCipherBlocks) {
- /*
- * Processing initialRS, FEEDExp-encrypted
- */
- unsigned char *rsPtr = finst->rsCtext +
- (finst->rsBlockCount * finst->cipherBlockSize);
- unsigned feedExpCipherSize;
-
- if(finalBlock) {
- dbgLog(("feeFEEDDecryptBlock: incomplete initialRS\n"));
- return FR_BadCipherText;
- }
- bcopy(cipherText, rsPtr, finst->cipherBlockSize);
- finst->rsBlockCount++;
- if(finst->rsBlockCount < finst->rsSizeCipherBlocks) {
- /*
- * Not done with this yet...
- */
- bprintf(("=== FEED Decrypt: gobbled 0x%x bytes ctext, no ptext (1)\n",
- cipherTextLen));
- *plainTextLen = 0;
- return FR_Success;
- }
-
- #if FEED_DEBUG
- if((finst->rsBlockCount * finst->cipherBlockSize) <
- finst->rsCtextSize) {
- dbgLog(("feeFEEDDecryptBlock: rsCtextSize underflow!\n"));
- return FR_Internal;
- }
- #endif // FEED_DEBUG
-
- /*
- * OK, we should have the FEEDExp ciphertext for initialRS
- * in rsCtext. Note the last few bytes are extra; we don't
- * pass them to FEEDExp.
- */
- feedExpCipherSize = feeFEEDCipherBlockSize(finst->feedExp);
- frtn = feeFEEDExpDecrypt(finst->feedExp,
- finst->rsCtext,
- finst->rsCtextSize,
- &finst->initialRS,
- &finst->initialRSSize);
- if(frtn) {
- dbgLog(("feeFEEDDecryptBlock: error decrypting "
- "initialRS (%s)\n", feeReturnString(frtn)));
- return FR_BadCipherText;
- }
-
- /*
- * we already know how long this should be...
- */
- if(finst->initialRSSize != finst->initialRSSize) {
- dbgLog(("feeFEEDDecryptBlock: initialRS sync error\n"));
- return FR_BadCipherText;
- }
-
- /*
- * Set up clues
- */
- if(initFromRS(finst)) {
- dbgLog(("feeFEEDDecryptBlock: bad initialRS\n"));
- return FR_BadCipherText;
- }
- else {
- /*
- * Normal completion of last cipherblock containing
- * initialRS.
- */
- bprintf(("=== FEED Decrypt: gobbled 0x%x bytes ctext, no ptext (2)\n",
- cipherTextLen));
- *plainTextLen = 0;
- return FR_Success;
- }
- }
-
- /*
- * grab xm and clueByte from cipherText
- */
- deserializeGiant(cipherText, finst->xm, finst->cp->minBytes);
- cipherText += finst->cp->minBytes;
- clueByte = *cipherText;
-
- if((clueByte & CLUE_BIT) == CLUE_PLUS) {
- thisClue = finst->cluePlus;
- thisS = finst->sPlus;
- }
- else {
- thisClue = finst->clueMinus;
- thisS = finst->sMinus;
- }
- if((clueByte & PARITY_BIT) == PARITY_PLUS) {
- parity = SIGN_PLUS;
- }
- else {
- parity = SIGN_MINUS;
- }
-
- /*
- * recover xp
- * xp = xm + clue(+/-) w/parity
- * adjust clue
- * clue[n+1] = r * clue[n] + (s * P1)
- */
- elliptic_add(thisClue, finst->xm, finst->xp, finst->cp, parity);
-
- elliptic_simple(thisClue, finst->r, finst->cp);
- gtog(thisClue, finst->tmp1);
- elliptic_add(finst->tmp1, thisS, thisClue, finst->cp, SIGN_PLUS);
-
- /*
- * plaintext in xp
- */
- #if FEED_DEBUG
- printf("decrypt clue %d\n", clueByte);
- printf(" xp : "); printGiant(finst->xp);
- printf(" xm : "); printGiant(finst->xm);
- printf(" cluePlus :"); printGiant(finst->cluePlus);
- printf(" clueMinus :"); printGiant(finst->clueMinus);
- #endif // FEED_DEBUG
-
- if(finalBlock) {
- /*
- * Snag data from xp in order to find out how much to move to
- * *plainText
- */
- unsigned char *ptext = (unsigned char*) fmalloc(finst->plainBlockSize);
-
- serializeGiant(finst->xp, ptext, finst->plainBlockSize);
- *plainTextLen = ptext[finst->plainBlockSize - 1];
- if(*plainTextLen == RESID_ZERO) {
- bprintf(("=== FEED Decrypt: RESID_ZERO\n"));
- *plainTextLen = 0;
- }
- else if(*plainTextLen > (finst->plainBlockSize - 1)) {
- dbgLog(("feeFEEDDecryptBlock: ptext overflow!\n"));
- bprintf(("feeFEEDDecryptBlock: ptext overflow!\n"));
- frtn = FR_BadCipherText;
- }
- else {
- bprintf(("=== FEED Decrypt: resid len 0x%x\n", *plainTextLen));
- bcopy(ptext, plainText, *plainTextLen);
- }
- ffree(ptext);
- }
- else {
- *plainTextLen = finst->plainBlockSize;
- serializeGiant(finst->xp, plainText, *plainTextLen);
- }
- bprintf(("=== FEED decryptBlock ptextLen 0x%x ctextLen 0x%x\n",
- *plainTextLen, cipherTextLen));
-
- return frtn;
-}
-
-/*
- * Convenience routines to encrypt & decrypt multi-block data.
- */
-feeReturn feeFEEDEncrypt(feeFEED feed,
- const unsigned char *plainText,
- unsigned plainTextLen,
- unsigned char **cipherText, // malloc'd and RETURNED
- unsigned *cipherTextLen) // RETURNED
-{
- const unsigned char *ptext; // per block
- unsigned ptextLen; // total to go
- unsigned thisPtextLen; // per block
- unsigned char *ctext; // per block
- unsigned ctextLen; // per block
- unsigned char *ctextResult; // to return
- unsigned ctextResultLen; // size of ctextResult
- unsigned char *ctextPtr;
- unsigned ctextLenTotal; // running total
- feeReturn frtn;
- int finalBlock;
- unsigned numBlocks;
- unsigned plainBlockSize;
- #if FEE_DEBUG
- unsigned expectedCtextSize;
-
- expectedCtextSize = feeFEEDCipherTextSize(feed, plainTextLen, 1);
- #endif
-
- if(plainTextLen == 0) {
- dbgLog(("feeFEEDDecrypt: NULL plainText\n"));
- return FR_IllegalArg;
- }
-
- ptext = plainText;
- ptextLen = plainTextLen;
- ctext = (unsigned char*) fmalloc(feeFEEDCipherBufSize(feed, 1));
- plainBlockSize = feeFEEDPlainBlockSize(feed);
- numBlocks = (plainTextLen + plainBlockSize - 1)/plainBlockSize;
-
- /*
- * Calculate the worst-case size needed to hold all of the ciphertext
- */
- ctextResultLen = feeFEEDCipherTextSize(feed, plainTextLen, 1);
- ctextResult = (unsigned char*) fmalloc(ctextResultLen);
- ctextPtr = ctextResult;
- ctextLenTotal = 0;
-
- while(1) {
- if(ptextLen <= plainBlockSize) {
- finalBlock = 1;
- thisPtextLen = ptextLen;
- }
- else {
- finalBlock = 0;
- thisPtextLen = plainBlockSize;
- }
- frtn = feeFEEDEncryptBlock(feed,
- ptext,
- thisPtextLen,
- ctext,
- &ctextLen,
- finalBlock);
- if(frtn) {
- dbgLog(("feeFEEDEncrypt: encrypt error: %s\n",
- feeReturnString(frtn)));
- break;
- }
- if(ctextLen == 0) {
- dbgLog(("feeFEEDEncrypt: null ciphertext\n"));
- frtn = FR_Internal;
- break;
- }
- bcopy(ctext, ctextPtr, ctextLen);
- ctextLenTotal += ctextLen;
- if(ctextLenTotal > ctextResultLen) {
- dbgLog(("feeFEEDEncrypt: ciphertext overflow\n"));
- frtn = FR_Internal;
- break;
- }
- if(finalBlock) {
- break;
- }
- ctextPtr += ctextLen;
- ptext += thisPtextLen;
- ptextLen -= thisPtextLen;
- }
-
- ffree(ctext);
- if(frtn) {
- ffree(ctextResult);
- *cipherText = NULL;
- *cipherTextLen = 0;
- }
- else {
- *cipherText = ctextResult;
- *cipherTextLen = ctextLenTotal;
- #if FEE_DEBUG
- if(expectedCtextSize != ctextLenTotal) {
- printf("feeFEEDEncrypt: feeFEEDCipherTextSize error!\n");
- printf("ptext %d exp ctext %d actual ctext %d\n",
- plainTextLen,
- expectedCtextSize,
- ctextLenTotal);
- }
- #endif // FEE_DEBUG
- }
- return frtn;
-
-}
-
-feeReturn feeFEEDDecrypt(feeFEED feed,
- const unsigned char *cipherText,
- unsigned cipherTextLen,
- unsigned char **plainText, // malloc'd and RETURNED
- unsigned *plainTextLen) // RETURNED
-{
- const unsigned char *ctext;
- unsigned ctextLen; // total to go
- unsigned char *ptext; // per block
- unsigned ptextLen; // per block
- unsigned char *ptextResult; // to return
- unsigned char *ptextPtr;
- unsigned ptextLenTotal; // running total
- feeReturn frtn = FR_Success;
- int finalBlock;
- unsigned numBlocks;
- unsigned plainBlockSize = feeFEEDPlainBlockSize(feed);
- unsigned cipherBlockSize = feeFEEDCipherBlockSize(feed);
-
- if(cipherTextLen % cipherBlockSize) {
- dbgLog(("feeFEEDDecrypt: unaligned cipherText\n"));
- return FR_BadCipherText;
- }
- if(cipherTextLen == 0) {
- dbgLog(("feeFEEDDecrypt: NULL cipherText\n"));
- return FR_BadCipherText;
- }
-
- ptext = (unsigned char*) fmalloc(plainBlockSize);
- ctext = cipherText;
- ctextLen = cipherTextLen;
- numBlocks = cipherTextLen / cipherBlockSize;
- ptextResult = (unsigned char*) fmalloc(plainBlockSize * numBlocks);
- ptextPtr = ptextResult;
- ptextLenTotal = 0;
-
- while(ctextLen) {
- if(ctextLen == cipherBlockSize) {
- finalBlock = 1;
- }
- else {
- finalBlock = 0;
- }
- frtn = feeFEEDDecryptBlock(feed,
- ctext,
- cipherBlockSize,
- ptext,
- &ptextLen,
- finalBlock);
- if(frtn) {
- dbgLog(("feeFEEDDecryptBlock: %s\n",
- feeReturnString(frtn)));
- break;
- }
- if(ptextLen) {
- if(ptextLen > plainBlockSize) {
- dbgLog(("feeFEEDDecrypt: ptext overflow!\n"));
- frtn = FR_Internal;
- break;
- }
- bcopy(ptext, ptextPtr, ptextLen);
- ptextPtr += ptextLen;
- ptextLenTotal += ptextLen;
- }
- /*
- * note ptextLen == 0 is normal termination case for
- * plainTextLen % plainBlockSize == 0.
- * Also expected for first 4 blocks of ciphertext;
- * proceed (we break when ctextLen is exhausted).
- */
- ctext += cipherBlockSize;
- ctextLen -= cipherBlockSize;
- }
-
- ffree(ptext);
- if(frtn) {
- ffree(ptextResult);
- *plainText = NULL;
- *plainTextLen = 0;
- }
- else {
- *plainText = ptextResult;
- *plainTextLen = ptextLenTotal;
- }
- return frtn;
-
-}
-
-#endif /* CRYPTKIT_ASYMMETRIC_ENABLE */
projects / apple / security.git / blobdiff