From e4fba9b8f4c4f876d0dc470ed3cbe7066f939cd3 Mon Sep 17 00:00:00 2001 From: Peter Dettman Date: Tue, 6 Jun 2017 12:06:38 +0700 Subject: Fix paths for previous commit --- crypto/crypto.csproj | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/crypto/crypto.csproj b/crypto/crypto.csproj index 90b858cb0..ab7413788 100644 --- a/crypto/crypto.csproj +++ b/crypto/crypto.csproj @@ -5454,22 +5454,22 @@ BuildAction = "Compile" /> -- cgit 1.4.1 From 4589defc7197db8d49edc67a354a34ce2ce5928b Mon Sep 17 00:00:00 2001 From: Peter Dettman Date: Wed, 7 Jun 2017 14:40:24 +0700 Subject: Specific exception TlsFatalAlertReceived for peer fatal alerts --- crypto/BouncyCastle.Android.csproj | 2 ++ crypto/BouncyCastle.csproj | 2 ++ crypto/BouncyCastle.iOS.csproj | 2 ++ crypto/crypto.csproj | 10 ++++++++ crypto/src/crypto/tls/TlsException.cs | 14 +++++++++++ crypto/src/crypto/tls/TlsFatalAlert.cs | 3 +-- crypto/src/crypto/tls/TlsFatalAlertReceived.cs | 21 +++++++++++++++++ crypto/src/crypto/tls/TlsProtocol.cs | 32 ++++++++++++-------------- 8 files changed, 67 insertions(+), 19 deletions(-) create mode 100644 crypto/src/crypto/tls/TlsException.cs create mode 100644 crypto/src/crypto/tls/TlsFatalAlertReceived.cs diff --git a/crypto/BouncyCastle.Android.csproj b/crypto/BouncyCastle.Android.csproj index ca279bf25..921331f9a 100644 --- a/crypto/BouncyCastle.Android.csproj +++ b/crypto/BouncyCastle.Android.csproj @@ -1064,8 +1064,10 @@ + + diff --git a/crypto/BouncyCastle.csproj b/crypto/BouncyCastle.csproj index 387dd0835..ed2ce50ad 100644 --- a/crypto/BouncyCastle.csproj +++ b/crypto/BouncyCastle.csproj @@ -1058,8 +1058,10 @@ + + diff --git a/crypto/BouncyCastle.iOS.csproj b/crypto/BouncyCastle.iOS.csproj index fb15014e3..8d5d3032f 100644 --- a/crypto/BouncyCastle.iOS.csproj +++ b/crypto/BouncyCastle.iOS.csproj @@ -1059,8 +1059,10 @@ + + diff --git a/crypto/crypto.csproj b/crypto/crypto.csproj index ab7413788..026a2fe1b 100644 --- a/crypto/crypto.csproj +++ b/crypto/crypto.csproj @@ -5178,6 +5178,11 @@ SubType = "Code" BuildAction = "Compile" /> + + Date: Thu, 8 Jun 2017 14:11:29 +0700 Subject: Add latest extension type values from IANA registry --- crypto/src/crypto/tls/ExtensionType.cs | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/crypto/src/crypto/tls/ExtensionType.cs b/crypto/src/crypto/tls/ExtensionType.cs index bff9332a0..f17210b80 100644 --- a/crypto/src/crypto/tls/ExtensionType.cs +++ b/crypto/src/crypto/tls/ExtensionType.cs @@ -98,6 +98,16 @@ namespace Org.BouncyCastle.Crypto.Tls */ public const int extended_master_secret = 23; + /* + * draft-ietf-tokbind-negotiation-08 + */ + public static readonly int DRAFT_token_binding = 24; + + /* + * RFC 7924 + */ + public const int cached_info = 25; + /* * RFC 5077 7. */ -- cgit 1.4.1 From 08629c3971a95d19e431c5cdb38cccbb8e5f79c0 Mon Sep 17 00:00:00 2001 From: Peter Dettman Date: Thu, 8 Jun 2017 19:00:24 +0700 Subject: Add explicit limit for sequence numbers --- crypto/src/crypto/tls/RecordStream.cs | 36 +++++++++++++++++++++++++++++------ 1 file changed, 30 insertions(+), 6 deletions(-) diff --git a/crypto/src/crypto/tls/RecordStream.cs b/crypto/src/crypto/tls/RecordStream.cs index 46673cf7e..5d556ad06 100644 --- a/crypto/src/crypto/tls/RecordStream.cs +++ b/crypto/src/crypto/tls/RecordStream.cs @@ -21,7 +21,7 @@ namespace Org.BouncyCastle.Crypto.Tls private Stream mOutput; private TlsCompression mPendingCompression = null, mReadCompression = null, mWriteCompression = null; private TlsCipher mPendingCipher = null, mReadCipher = null, mWriteCipher = null; - private long mReadSeqNo = 0, mWriteSeqNo = 0; + private SequenceNumber mReadSeqNo = new SequenceNumber(), mWriteSeqNo = new SequenceNumber(); private MemoryStream mBuffer = new MemoryStream(); private TlsHandshakeHash mHandshakeHash = null; @@ -100,7 +100,7 @@ namespace Org.BouncyCastle.Crypto.Tls this.mWriteCompression = this.mPendingCompression; this.mWriteCipher = this.mPendingCipher; - this.mWriteSeqNo = 0; + this.mWriteSeqNo = new SequenceNumber(); } internal virtual void ReceivedReadCipherSpec() @@ -110,7 +110,7 @@ namespace Org.BouncyCastle.Crypto.Tls this.mReadCompression = this.mPendingCompression; this.mReadCipher = this.mPendingCipher; - this.mReadSeqNo = 0; + this.mReadSeqNo = new SequenceNumber(); } internal virtual void FinaliseHandshake() @@ -203,7 +203,9 @@ namespace Org.BouncyCastle.Crypto.Tls internal virtual byte[] DecodeAndVerify(byte type, Stream input, int len) { byte[] buf = TlsUtilities.ReadFully(len, input); - byte[] decoded = mReadCipher.DecodeCiphertext(mReadSeqNo++, type, buf, 0, buf.Length); + + long seqNo = mReadSeqNo.NextValue(AlertDescription.unexpected_message); + byte[] decoded = mReadCipher.DecodeCiphertext(seqNo, type, buf, 0, buf.Length); CheckLength(decoded.Length, mCompressedLimit, AlertDescription.record_overflow); @@ -262,10 +264,12 @@ namespace Org.BouncyCastle.Crypto.Tls Stream cOut = mWriteCompression.Compress(mBuffer); + long seqNo = mWriteSeqNo.NextValue(AlertDescription.internal_error); + byte[] ciphertext; if (cOut == mBuffer) { - ciphertext = mWriteCipher.EncodePlaintext(mWriteSeqNo++, type, plaintext, plaintextOffset, plaintextLength); + ciphertext = mWriteCipher.EncodePlaintext(seqNo, type, plaintext, plaintextOffset, plaintextLength); } else { @@ -279,7 +283,7 @@ namespace Org.BouncyCastle.Crypto.Tls */ CheckLength(compressed.Length, plaintextLength + 1024, AlertDescription.internal_error); - ciphertext = mWriteCipher.EncodePlaintext(mWriteSeqNo++, type, compressed, 0, compressed.Length); + ciphertext = mWriteCipher.EncodePlaintext(seqNo, type, compressed, 0, compressed.Length); } /* @@ -384,5 +388,25 @@ namespace Org.BouncyCastle.Crypto.Tls mOuter.mHandshakeHash.BlockUpdate(buf, off, len); } } + + private class SequenceNumber + { + private long value = 0L; + private bool exhausted = false; + + internal long NextValue(byte alertDescription) + { + if (exhausted) + { + throw new TlsFatalAlert(alertDescription); + } + long result = value; + if (++value == 0) + { + exhausted = true; + } + return result; + } + } } } -- cgit 1.4.1 From 53a508e381f21061c8c6f49f8c19c703faab2a38 Mon Sep 17 00:00:00 2001 From: Peter Dettman Date: Fri, 9 Jun 2017 12:36:38 +0700 Subject: Improved header control in ArmoredOutputStream - in particular, supports removing the default version header --- crypto/src/bcpg/ArmoredOutputStream.cs | 47 ++++++++++++++++++++++++---------- 1 file changed, 33 insertions(+), 14 deletions(-) diff --git a/crypto/src/bcpg/ArmoredOutputStream.cs b/crypto/src/bcpg/ArmoredOutputStream.cs index 1f0e412d8..dae6b98e5 100644 --- a/crypto/src/bcpg/ArmoredOutputStream.cs +++ b/crypto/src/bcpg/ArmoredOutputStream.cs @@ -20,6 +20,8 @@ namespace Org.BouncyCastle.Bcpg public class ArmoredOutputStream : BaseOutputStream { + public static readonly string HeaderVersion = "Version"; + private static readonly byte[] encodingTable = { (byte)'A', (byte)'B', (byte)'C', (byte)'D', (byte)'E', (byte)'F', (byte)'G', @@ -101,35 +103,43 @@ namespace Org.BouncyCastle.Bcpg private static readonly string footerStart = "-----END PGP "; private static readonly string footerTail = "-----"; - private static readonly string version = "BCPG C# v" + AssemblyInfo.Version; + private static readonly string Version = "BCPG C# v" + AssemblyInfo.Version; private readonly IDictionary headers; public ArmoredOutputStream(Stream outStream) { this.outStream = outStream; - this.headers = Platform.CreateHashtable(); - this.headers["Version"] = version; + this.headers = Platform.CreateHashtable(1); + this.headers.Add(HeaderVersion, Version); } public ArmoredOutputStream(Stream outStream, IDictionary headers) { this.outStream = outStream; this.headers = Platform.CreateHashtable(headers); - this.headers["Version"] = version; + if (!this.headers.Contains(HeaderVersion)) + { + this.headers.Add(HeaderVersion, Version); + } } /** - * Set an additional header entry. + * Set an additional header entry. A null value will clear the entry for name. * * @param name the name of the header entry. * @param v the value of the header entry. */ - public void SetHeader( - string name, - string v) + public void SetHeader(string name, string v) { - headers[name] = v; + if (v == null) + { + headers.Remove(name); + } + else + { + headers[name] = v; + } } /** @@ -137,8 +147,14 @@ namespace Org.BouncyCastle.Bcpg */ public void ResetHeaders() { + string version = (string)headers[HeaderVersion]; + headers.Clear(); - headers["Version"] = version; + + if (version != null) + { + headers[HeaderVersion] = Version; + } } /** @@ -248,14 +264,17 @@ namespace Org.BouncyCastle.Bcpg } DoWrite(headerStart + type + headerTail + nl); - WriteHeaderEntry("Version", (string) headers["Version"]); + if (headers.Contains(HeaderVersion)) + { + WriteHeaderEntry(HeaderVersion, (string)headers[HeaderVersion]); + } foreach (DictionaryEntry de in headers) { - string k = (string) de.Key; - if (k != "Version") + string k = (string)de.Key; + if (k != HeaderVersion) { - string v = (string) de.Value; + string v = (string)de.Value; WriteHeaderEntry(k, v); } } -- cgit 1.4.1 From ad4984a18872b8540b48d21207d7cb3bb622aa74 Mon Sep 17 00:00:00 2001 From: Peter Dettman Date: Fri, 9 Jun 2017 12:57:45 +0700 Subject: Comments --- crypto/src/bcpg/ArmoredOutputStream.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/src/bcpg/ArmoredOutputStream.cs b/crypto/src/bcpg/ArmoredOutputStream.cs index dae6b98e5..7a5066ec3 100644 --- a/crypto/src/bcpg/ArmoredOutputStream.cs +++ b/crypto/src/bcpg/ArmoredOutputStream.cs @@ -143,7 +143,7 @@ namespace Org.BouncyCastle.Bcpg } /** - * Reset the headers to only contain a Version string. + * Reset the headers to only contain a Version string (if one is present). */ public void ResetHeaders() { -- cgit 1.4.1 From b5b1ad3e9abdaada947513b5a4940e93c4aae210 Mon Sep 17 00:00:00 2001 From: Peter Dettman Date: Fri, 9 Jun 2017 12:58:17 +0700 Subject: Add explicit length check on OAEP input --- crypto/src/crypto/encodings/OaepEncoding.cs | 2 ++ crypto/test/src/crypto/test/RsaTest.cs | 29 +++++++++++++++++++++++++---- 2 files changed, 27 insertions(+), 4 deletions(-) diff --git a/crypto/src/crypto/encodings/OaepEncoding.cs b/crypto/src/crypto/encodings/OaepEncoding.cs index cb23b1710..9f5c563c2 100644 --- a/crypto/src/crypto/encodings/OaepEncoding.cs +++ b/crypto/src/crypto/encodings/OaepEncoding.cs @@ -137,6 +137,8 @@ namespace Org.BouncyCastle.Crypto.Encodings int inOff, int inLen) { + Check.DataLength(inLen > GetInputBlockSize(), "input data too long"); + byte[] block = new byte[GetInputBlockSize() + 1 + 2 * defHash.Length]; // diff --git a/crypto/test/src/crypto/test/RsaTest.cs b/crypto/test/src/crypto/test/RsaTest.cs index c343f0ba5..d0cbedace 100644 --- a/crypto/test/src/crypto/test/RsaTest.cs +++ b/crypto/test/src/crypto/test/RsaTest.cs @@ -192,13 +192,34 @@ namespace Org.BouncyCastle.Crypto.Tests { Fail("failed OAEP Test"); } - } - // TODO Move this when other JCE tests are ported from Java - /** + // check for oversized input + byte[] message = new byte[87]; + RsaEngine rsaEngine = new RsaEngine(); + IAsymmetricBlockCipher cipher = new OaepEncoding(rsaEngine, new Sha1Digest(), new Sha1Digest(), message); + cipher.Init(true, new ParametersWithRandom(pubParameters, new SecureRandom())); + + try + { + cipher.ProcessBlock(message, 0, message.Length); + + Fail("no exception thrown"); + } + catch (DataLengthException e) + { + IsTrue("message mismatch", "input data too long".Equals(e.Message)); + } + catch (InvalidCipherTextException e) + { + Fail("failed - exception " + e.ToString(), e); + } + } + + // TODO Move this when other JCE tests are ported from Java + /** * signature with a "forged signature" (sig block not at end of plain text) */ - private void doTestBadSig()//PrivateKey priv, PublicKey pub) + private void doTestBadSig()//PrivateKey priv, PublicKey pub) { // Signature sig = Signature.getInstance("SHA1WithRSAEncryption", "BC"); ISigner sig = SignerUtilities.GetSigner("SHA1WithRSAEncryption"); -- cgit 1.4.1 From 58b2040d36be9f1271b93a7fae752dc8975a881e Mon Sep 17 00:00:00 2001 From: Peter Dettman Date: Fri, 9 Jun 2017 14:41:16 +0700 Subject: Add point validation to EC public key constructors --- .../src/crypto/parameters/ECPublicKeyParameters.cs | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/crypto/src/crypto/parameters/ECPublicKeyParameters.cs b/crypto/src/crypto/parameters/ECPublicKeyParameters.cs index 1eb665da9..474e5d82c 100644 --- a/crypto/src/crypto/parameters/ECPublicKeyParameters.cs +++ b/crypto/src/crypto/parameters/ECPublicKeyParameters.cs @@ -9,6 +9,21 @@ namespace Org.BouncyCastle.Crypto.Parameters public class ECPublicKeyParameters : ECKeyParameters { + private static ECPoint Validate(ECPoint q) + { + if (q == null) + throw new ArgumentNullException("q"); + if (q.IsInfinity) + throw new ArgumentException("point at infinity", "q"); + + q = q.Normalize(); + + if (!q.IsValid()) + throw new ArgumentException("point not on curve", "q"); + + return q; + } + private readonly ECPoint q; public ECPublicKeyParameters( @@ -27,7 +42,7 @@ namespace Org.BouncyCastle.Crypto.Parameters if (q == null) throw new ArgumentNullException("q"); - this.q = q.Normalize(); + this.q = Validate(q); } public ECPublicKeyParameters( @@ -39,7 +54,7 @@ namespace Org.BouncyCastle.Crypto.Parameters if (q == null) throw new ArgumentNullException("q"); - this.q = q.Normalize(); + this.q = Validate(q); } public ECPublicKeyParameters( @@ -51,7 +66,7 @@ namespace Org.BouncyCastle.Crypto.Parameters if (q == null) throw new ArgumentNullException("q"); - this.q = q.Normalize(); + this.q = Validate(q); } public ECPoint Q -- cgit 1.4.1 From dab58845745b1936666d91c0f2ccc47d5cb5c8a4 Mon Sep 17 00:00:00 2001 From: Peter Dettman Date: Fri, 9 Jun 2017 14:56:27 +0700 Subject: Add validation to DSA public key constructor --- crypto/src/crypto/parameters/DsaPublicKeyParameters.cs | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/crypto/src/crypto/parameters/DsaPublicKeyParameters.cs b/crypto/src/crypto/parameters/DsaPublicKeyParameters.cs index f11f858f3..3a81bfdd0 100644 --- a/crypto/src/crypto/parameters/DsaPublicKeyParameters.cs +++ b/crypto/src/crypto/parameters/DsaPublicKeyParameters.cs @@ -7,6 +7,22 @@ namespace Org.BouncyCastle.Crypto.Parameters public class DsaPublicKeyParameters : DsaKeyParameters { + private static BigInteger Validate(BigInteger y, DsaParameters parameters) + { + // we can't validate without params, fortunately we can't use the key either... + if (parameters != null) + { + if (y.CompareTo(BigInteger.Two) < 0 + || y.CompareTo(parameters.P.Subtract(BigInteger.Two)) > 0 + || !y.ModPow(parameters.Q, parameters.P).Equals(BigInteger.One)) + { + throw new ArgumentException("y value does not appear to be in correct group"); + } + } + + return y; + } + private readonly BigInteger y; public DsaPublicKeyParameters( @@ -17,7 +33,7 @@ namespace Org.BouncyCastle.Crypto.Parameters if (y == null) throw new ArgumentNullException("y"); - this.y = y; + this.y = Validate(y, parameters); } public BigInteger Y -- cgit 1.4.1 From a7e03daa1cb6604a945133427c7c9cfc5e08720c Mon Sep 17 00:00:00 2001 From: Peter Dettman Date: Fri, 9 Jun 2017 15:06:20 +0700 Subject: Add validation to DH public key constructor --- .../src/crypto/parameters/DHPublicKeyParameters.cs | 29 ++++++++++++++++------ 1 file changed, 21 insertions(+), 8 deletions(-) diff --git a/crypto/src/crypto/parameters/DHPublicKeyParameters.cs b/crypto/src/crypto/parameters/DHPublicKeyParameters.cs index e79375f71..1704c47dc 100644 --- a/crypto/src/crypto/parameters/DHPublicKeyParameters.cs +++ b/crypto/src/crypto/parameters/DHPublicKeyParameters.cs @@ -8,6 +8,25 @@ namespace Org.BouncyCastle.Crypto.Parameters public class DHPublicKeyParameters : DHKeyParameters { + private static BigInteger Validate(BigInteger y, DHParameters dhParams) + { + if (y == null) + throw new ArgumentNullException("y"); + + // TLS check + if (y.CompareTo(BigInteger.Two) < 0 || y.CompareTo(dhParams.P.Subtract(BigInteger.Two)) > 0) + throw new ArgumentException("invalid DH public key", "y"); + + // we can't validate without Q. + if (dhParams.Q != null + && !y.ModPow(dhParams.Q, dhParams.P).Equals(BigInteger.One)) + { + throw new ArgumentException("y value does not appear to be in correct group", "y"); + } + + return y; + } + private readonly BigInteger y; public DHPublicKeyParameters( @@ -15,10 +34,7 @@ namespace Org.BouncyCastle.Crypto.Parameters DHParameters parameters) : base(false, parameters) { - if (y == null) - throw new ArgumentNullException("y"); - - this.y = y; + this.y = Validate(y, parameters); } public DHPublicKeyParameters( @@ -27,10 +43,7 @@ namespace Org.BouncyCastle.Crypto.Parameters DerObjectIdentifier algorithmOid) : base(false, parameters, algorithmOid) { - if (y == null) - throw new ArgumentNullException("y"); - - this.y = y; + this.y = Validate(y, parameters); } public BigInteger Y -- cgit 1.4.1 From c8354a4635bc66c4878eca13b0c0ebc9da266839 Mon Sep 17 00:00:00 2001 From: Peter Dettman Date: Fri, 9 Jun 2017 17:38:17 +0700 Subject: Add validation to RSA public key constructor --- crypto/src/crypto/parameters/RsaKeyParameters.cs | 24 +++++++++++++++++++++++- crypto/test/src/crypto/test/RsaTest.cs | 4 ++-- 2 files changed, 25 insertions(+), 3 deletions(-) diff --git a/crypto/src/crypto/parameters/RsaKeyParameters.cs b/crypto/src/crypto/parameters/RsaKeyParameters.cs index 72c0d806f..5480f0561 100644 --- a/crypto/src/crypto/parameters/RsaKeyParameters.cs +++ b/crypto/src/crypto/parameters/RsaKeyParameters.cs @@ -8,6 +8,26 @@ namespace Org.BouncyCastle.Crypto.Parameters public class RsaKeyParameters : AsymmetricKeyParameter { + // the value is the product of the 132 smallest primes from 3 to 751 + private static BigInteger SmallPrimesProduct = new BigInteger( + "8138E8A0FCF3A4E84A771D40FD305D7F4AA59306D7251DE54D98AF8FE95729A1" + + "F73D893FA424CD2EDC8636A6C3285E022B0E3866A565AE8108EED8591CD4FE8D" + + "2CE86165A978D719EBF647F362D33FCA29CD179FB42401CBAF3DF0C614056F9C" + + "8F3CFD51E474AFB6BC6974F78DB8ABA8E9E517FDED658591AB7502BD41849462F", + 16); + + private static BigInteger Validate(BigInteger modulus) + { + if ((modulus.IntValue & 1) == 0) + throw new ArgumentException("RSA modulus is even", "modulus"); + if (!modulus.Gcd(SmallPrimesProduct).Equals(BigInteger.One)) + throw new ArgumentException("RSA modulus has a small prime factor"); + + // TODO: add additional primePower/Composite test - expensive!! + + return modulus; + } + private readonly BigInteger modulus; private readonly BigInteger exponent; @@ -25,8 +45,10 @@ namespace Org.BouncyCastle.Crypto.Parameters throw new ArgumentException("Not a valid RSA modulus", "modulus"); if (exponent.SignValue <= 0) throw new ArgumentException("Not a valid RSA exponent", "exponent"); + if (!isPrivate && (exponent.IntValue & 1) == 0) + throw new ArgumentException("RSA publicExponent is even", "exponent"); - this.modulus = modulus; + this.modulus = Validate(modulus); this.exponent = exponent; } diff --git a/crypto/test/src/crypto/test/RsaTest.cs b/crypto/test/src/crypto/test/RsaTest.cs index d0cbedace..e3fc18d02 100644 --- a/crypto/test/src/crypto/test/RsaTest.cs +++ b/crypto/test/src/crypto/test/RsaTest.cs @@ -563,7 +563,7 @@ namespace Org.BouncyCastle.Crypto.Tests } genParam = new RsaKeyGenerationParameters( - BigInteger.ValueOf(0x11), new SecureRandom(), 16, 25); + BigInteger.ValueOf(0x11), new SecureRandom(), 128, 25); pGen.Init(genParam); for (int i = 0; i < 100; ++i) @@ -572,7 +572,7 @@ namespace Org.BouncyCastle.Crypto.Tests RsaPrivateCrtKeyParameters privKey = (RsaPrivateCrtKeyParameters) pair.Private; BigInteger pqDiff = privKey.P.Subtract(privKey.Q).Abs(); - if (pqDiff.BitLength < 5) + if (pqDiff.BitLength < 42) { Fail("P and Q too close in RSA key pair"); } -- cgit 1.4.1 From 56d5b48ee27c091a00e6aee4e6fa196634dea32b Mon Sep 17 00:00:00 2001 From: Peter Dettman Date: Fri, 9 Jun 2017 19:11:59 +0700 Subject: Port of latest encodings work from Java --- crypto/src/crypto/encodings/OaepEncoding.cs | 60 ++++++------ crypto/src/crypto/encodings/Pkcs1Encoding.cs | 132 +++++++++++++------------- crypto/test/src/crypto/test/OAEPTest.cs | 43 ++++++++- crypto/test/src/crypto/test/RSABlindedTest.cs | 8 +- crypto/test/src/crypto/test/RsaTest.cs | 93 +++++++++++++----- 5 files changed, 211 insertions(+), 125 deletions(-) diff --git a/crypto/src/crypto/encodings/OaepEncoding.cs b/crypto/src/crypto/encodings/OaepEncoding.cs index 9f5c563c2..287876f12 100644 --- a/crypto/src/crypto/encodings/OaepEncoding.cs +++ b/crypto/src/crypto/encodings/OaepEncoding.cs @@ -3,6 +3,7 @@ using System; using Org.BouncyCastle.Crypto.Digests; using Org.BouncyCastle.Crypto.Parameters; using Org.BouncyCastle.Security; +using Org.BouncyCastle.Utilities; namespace Org.BouncyCastle.Crypto.Encodings { @@ -13,7 +14,6 @@ namespace Org.BouncyCastle.Crypto.Encodings : IAsymmetricBlockCipher { private byte[] defHash; - private IDigest hash; private IDigest mgf1Hash; private IAsymmetricBlockCipher engine; @@ -48,10 +48,11 @@ namespace Org.BouncyCastle.Crypto.Encodings byte[] encodingParams) { this.engine = cipher; - this.hash = hash; this.mgf1Hash = mgf1Hash; this.defHash = new byte[hash.GetDigestSize()]; + hash.Reset(); + if (encodingParams != null) { hash.BlockUpdate(encodingParams, 0, encodingParams.Length); @@ -204,28 +205,17 @@ namespace Org.BouncyCastle.Crypto.Encodings int inLen) { byte[] data = engine.ProcessBlock(inBytes, inOff, inLen); - byte[] block; + byte[] block = new byte[engine.GetOutputBlockSize()]; // // as we may have zeros in our leading bytes for the block we produced // on encryption, we need to make sure our decrypted block comes back // the same size. // - if (data.Length < engine.GetOutputBlockSize()) - { - block = new byte[engine.GetOutputBlockSize()]; - Array.Copy(data, 0, block, block.Length - data.Length, data.Length); - } - else - { - block = data; - } + Array.Copy(data, 0, block, block.Length - data.Length, data.Length); - if (block.Length < (2 * defHash.Length) + 1) - { - throw new InvalidCipherTextException("data too short"); - } + bool shortData = (block.Length < (2 * defHash.Length) + 1); // // unmask the seed. @@ -252,36 +242,39 @@ namespace Org.BouncyCastle.Crypto.Encodings // check the hash of the encoding params. // long check to try to avoid this been a source of a timing attack. // + bool defHashWrong = false; + + for (int i = 0; i != defHash.Length; i++) { - int diff = 0; - for (int i = 0; i < defHash.Length; ++i) + if (defHash[i] != block[defHash.Length + i]) { - diff |= (byte)(defHash[i] ^ block[defHash.Length + i]); + defHashWrong = true; } - - if (diff != 0) - throw new InvalidCipherTextException("data hash wrong"); } // // find the data block // - int start; - for (start = 2 * defHash.Length; start != block.Length; start++) + int start = block.Length; + + for (int index = 2 * defHash.Length; index != block.Length; index++) { - if (block[start] != 0) + if (block[index] != 0 & start == block.Length) { - break; + start = index; } } - if (start > (block.Length - 1) || block[start] != 1) - { - throw new InvalidCipherTextException("data start wrong " + start); - } + bool dataStartWrong = (start > (block.Length - 1) | block[start] != 1); start++; + if (defHashWrong | shortData | dataStartWrong) + { + Arrays.Fill(block, 0); + throw new InvalidCipherTextException("data wrong"); + } + // // extract the data block // @@ -319,9 +312,9 @@ namespace Org.BouncyCastle.Crypto.Encodings byte[] C = new byte[4]; int counter = 0; - hash.Reset(); + mgf1Hash.Reset(); - do + while (counter < (length / hashBuf.Length)) { ItoOSP(counter, C); @@ -330,8 +323,9 @@ namespace Org.BouncyCastle.Crypto.Encodings mgf1Hash.DoFinal(hashBuf, 0); Array.Copy(hashBuf, 0, mask, counter * hashBuf.Length, hashBuf.Length); + + counter++; } - while (++counter < (length / hashBuf.Length)); if ((counter * hashBuf.Length) < length) { diff --git a/crypto/src/crypto/encodings/Pkcs1Encoding.cs b/crypto/src/crypto/encodings/Pkcs1Encoding.cs index 35fd96abe..b2d60fe4c 100644 --- a/crypto/src/crypto/encodings/Pkcs1Encoding.cs +++ b/crypto/src/crypto/encodings/Pkcs1Encoding.cs @@ -45,16 +45,18 @@ namespace Org.BouncyCastle.Crypto.Encodings } - private SecureRandom random; - private IAsymmetricBlockCipher engine; - private bool forEncryption; - private bool forPrivateKey; - private bool useStrictLength; - private int pLen = -1; - private byte[] fallback = null; + private SecureRandom random; + private IAsymmetricBlockCipher engine; + private bool forEncryption; + private bool forPrivateKey; + private bool useStrictLength; + private int pLen = -1; + private byte[] fallback = null; + private byte[] blockBuffer = null; /** * Basic constructor. + * * @param cipher */ public Pkcs1Encoding( @@ -104,9 +106,7 @@ namespace Org.BouncyCastle.Crypto.Encodings get { return engine.AlgorithmName + "/PKCS1Padding"; } } - public void Init( - bool forEncryption, - ICipherParameters parameters) + public void Init(bool forEncryption, ICipherParameters parameters) { AsymmetricKeyParameter kParam; if (parameters is ParametersWithRandom) @@ -126,6 +126,10 @@ namespace Org.BouncyCastle.Crypto.Encodings this.forPrivateKey = kParam.IsPrivate; this.forEncryption = forEncryption; + this.blockBuffer = new byte[engine.GetOutputBlockSize()]; + + if (pLen > 0 && fallback == null && random == null) + throw new ArgumentException("encoder requires random"); } public int GetInputBlockSize() @@ -255,7 +259,6 @@ namespace Org.BouncyCastle.Crypto.Encodings * @param inLen Length of the encrypted block. * @param pLen Length of the desired output. * @return The plaintext without padding, or a random value if the padding was incorrect. - * * @throws InvalidCipherTextException */ private byte[] DecodeBlockOrRandom(byte[] input, int inOff, int inLen) @@ -264,7 +267,7 @@ namespace Org.BouncyCastle.Crypto.Encodings throw new InvalidCipherTextException("sorry, this method is only for decryption, not for signing"); byte[] block = engine.ProcessBlock(input, inOff, inLen); - byte[] random = null; + byte[] random; if (this.fallback == null) { random = new byte[this.pLen]; @@ -275,37 +278,25 @@ namespace Org.BouncyCastle.Crypto.Encodings random = fallback; } - /* - * TODO: This is a potential dangerous side channel. However, you can - * fix this by changing the RSA engine in a way, that it will always - * return blocks of the same length and prepend them with 0 bytes if - * needed. - */ - if (block.Length < GetOutputBlockSize()) - throw new InvalidCipherTextException("block truncated"); + byte[] data = (useStrictLength & (block.Length != engine.GetOutputBlockSize())) ? blockBuffer : block; - /* - * TODO: Potential side channel. Fix it by making the engine always - * return blocks of the correct length. - */ - if (useStrictLength && block.Length != engine.GetOutputBlockSize()) - throw new InvalidCipherTextException("block incorrect size"); - - /* - * Check the padding. - */ - int correct = Pkcs1Encoding.CheckPkcs1Encoding(block, this.pLen); + /* + * Check the padding. + */ + int correct = CheckPkcs1Encoding(data, this.pLen); - /* - * Now, to a constant time constant memory copy of the decrypted value - * or the random value, depending on the validity of the padding. - */ + /* + * Now, to a constant time constant memory copy of the decrypted value + * or the random value, depending on the validity of the padding. + */ byte[] result = new byte[this.pLen]; for (int i = 0; i < this.pLen; i++) { - result[i] = (byte)((block[i+(block.Length-pLen)]&(~correct)) | (random[i]&correct)); + result[i] = (byte)((data[i + (data.Length - pLen)] & (~correct)) | (random[i] & correct)); } + Arrays.Fill(data, 0); + return result; } @@ -327,56 +318,67 @@ namespace Org.BouncyCastle.Crypto.Encodings } byte[] block = engine.ProcessBlock(input, inOff, inLen); + bool incorrectLength = (useStrictLength & (block.Length != engine.GetOutputBlockSize())); + byte[] data; if (block.Length < GetOutputBlockSize()) { - throw new InvalidCipherTextException("block truncated"); + data = blockBuffer; } - - byte type = block[0]; - - if (type != 1 && type != 2) + else { - throw new InvalidCipherTextException("unknown block type"); + data = block; } - if (useStrictLength && block.Length != engine.GetOutputBlockSize()) - { - throw new InvalidCipherTextException("block incorrect size"); - } + byte expectedType = (byte)(forPrivateKey ? 2 : 1); + byte type = data[0]; + + bool badType = (type != expectedType); // // find and extract the message block. // - int start; - for (start = 1; start != block.Length; start++) - { - byte pad = block[start]; + int start = FindStart(type, data); - if (pad == 0) - { - break; - } + start++; // data should start at the next byte - if (type == 1 && pad != (byte)0xff) - { - throw new InvalidCipherTextException("block padding incorrect"); - } + if (badType | (start < HeaderLength)) + { + Arrays.Fill(data, 0); + throw new InvalidCipherTextException("block incorrect"); } - start++; // data should start at the next byte - - if (start > block.Length || start < HeaderLength) + // if we get this far, it's likely to be a genuine encoding error + if (incorrectLength) { - throw new InvalidCipherTextException("no data in block"); + Arrays.Fill(data, 0); + throw new InvalidCipherTextException("block incorrect size"); } - byte[] result = new byte[block.Length - start]; + byte[] result = new byte[data.Length - start]; - Array.Copy(block, start, result, 0, result.Length); + Array.Copy(data, start, result, 0, result.Length); return result; } - } + private int FindStart(byte type, byte[] block) + { + int start = -1; + bool padErr = false; + + for (int i = 1; i != block.Length; i++) + { + byte pad = block[i]; + + if (pad == 0 & start < 0) + { + start = i; + } + padErr |= ((type == 1) & (start < 0) & (pad != (byte)0xff)); + } + + return padErr ? -1 : start; + } + } } diff --git a/crypto/test/src/crypto/test/OAEPTest.cs b/crypto/test/src/crypto/test/OAEPTest.cs index ee48a183d..bc1dd9292 100644 --- a/crypto/test/src/crypto/test/OAEPTest.cs +++ b/crypto/test/src/crypto/test/OAEPTest.cs @@ -5,7 +5,7 @@ using NUnit.Framework; using Org.BouncyCastle.Asn1; using Org.BouncyCastle.Asn1.Pkcs; using Org.BouncyCastle.Asn1.X509; -using Org.BouncyCastle.Crypto; +using Org.BouncyCastle.Crypto.Digests; using Org.BouncyCastle.Crypto.Encodings; using Org.BouncyCastle.Crypto.Engines; using Org.BouncyCastle.Crypto.Parameters; @@ -779,6 +779,47 @@ namespace Org.BouncyCastle.Crypto.Tests OaepVecTest(1027, 4, pubParam, privParam, seed_1027_4, input_1027_4, output_1027_4); OaepVecTest(1027, 5, pubParam, privParam, seed_1027_5, input_1027_5, output_1027_5); OaepVecTest(1027, 6, pubParam, privParam, seed_1027_6, input_1027_6, output_1027_6); + + // + // OAEP - public encrypt, private decrypt differring hashes + // + IAsymmetricBlockCipher cipher = new OaepEncoding(new RsaEngine(), new Sha256Digest(), new Sha1Digest(), new byte[10]); + + cipher.Init(true, new ParametersWithRandom(pubParam, new SecureRandom())); + + byte[] input = new byte[10]; + + byte[] output = cipher.ProcessBlock(input, 0, input.Length); + + cipher.Init(false, privParam); + + output = cipher.ProcessBlock(output, 0, output.Length); + + for (int i = 0; i != input.Length; i++) + { + if (output[i] != input[i]) + { + Fail("mixed digest failed decoding"); + } + } + + cipher = new OaepEncoding(new RsaEngine(), new Sha1Digest(), new Sha256Digest(), new byte[10]); + + cipher.Init(true, new ParametersWithRandom(pubParam, new SecureRandom())); + + output = cipher.ProcessBlock(input, 0, input.Length); + + cipher.Init(false, privParam); + + output = cipher.ProcessBlock(output, 0, output.Length); + + for (int i = 0; i != input.Length; i++) + { + if (output[i] != input[i]) + { + Fail("mixed digest failed decoding"); + } + } } public static void Main( diff --git a/crypto/test/src/crypto/test/RSABlindedTest.cs b/crypto/test/src/crypto/test/RSABlindedTest.cs index 80d6e8e49..75b9f3a07 100644 --- a/crypto/test/src/crypto/test/RSABlindedTest.cs +++ b/crypto/test/src/crypto/test/RSABlindedTest.cs @@ -103,22 +103,22 @@ namespace Org.BouncyCastle.Crypto.Tests private void doTestTruncatedPkcs1Block(RsaKeyParameters pubParameters, RsaKeyParameters privParameters) { - checkForPkcs1Exception(pubParameters, privParameters, truncatedDataBlock, "block truncated"); + checkForPkcs1Exception(pubParameters, privParameters, truncatedDataBlock, "block incorrect"); } private void doTestDudPkcs1Block(RsaKeyParameters pubParameters, RsaKeyParameters privParameters) { - checkForPkcs1Exception(pubParameters, privParameters, dudBlock, "unknown block type"); + checkForPkcs1Exception(pubParameters, privParameters, dudBlock, "block incorrect"); } private void doTestWrongPaddingPkcs1Block(RsaKeyParameters pubParameters, RsaKeyParameters privParameters) { - checkForPkcs1Exception(pubParameters, privParameters, incorrectPadding, "block padding incorrect"); + checkForPkcs1Exception(pubParameters, privParameters, incorrectPadding, "block incorrect"); } private void doTestMissingDataPkcs1Block(RsaKeyParameters pubParameters, RsaKeyParameters privParameters) { - checkForPkcs1Exception(pubParameters, privParameters, missingDataBlock, "no data in block"); + checkForPkcs1Exception(pubParameters, privParameters, missingDataBlock, "block incorrect"); } private void checkForPkcs1Exception(RsaKeyParameters pubParameters, RsaKeyParameters privParameters, byte[] inputData, string expectedMessage) diff --git a/crypto/test/src/crypto/test/RsaTest.cs b/crypto/test/src/crypto/test/RsaTest.cs index e3fc18d02..e9f30cae9 100644 --- a/crypto/test/src/crypto/test/RsaTest.cs +++ b/crypto/test/src/crypto/test/RsaTest.cs @@ -54,10 +54,11 @@ namespace Org.BouncyCastle.Crypto.Tests eng.Init(true, privParameters); byte[] data = null; + byte[] overSized = null; - try - { - data = eng.ProcessBlock(oversizedSig, 0, oversizedSig.Length); + try + { + overSized = data = eng.ProcessBlock(oversizedSig, 0, oversizedSig.Length); } catch (Exception e) { @@ -70,7 +71,7 @@ namespace Org.BouncyCastle.Crypto.Tests try { - data = eng.ProcessBlock(data, 0, data.Length); + data = eng.ProcessBlock(overSized, 0, overSized.Length); Fail("oversized signature block not recognised"); } @@ -82,9 +83,22 @@ namespace Org.BouncyCastle.Crypto.Tests } } + eng = new Pkcs1Encoding(new RsaEngine(), Hex.Decode("feedbeeffeedbeeffeedbeef")); + eng.Init(false, new ParametersWithRandom(privParameters, new SecureRandom())); + + try + { + data = eng.ProcessBlock(overSized, 0, overSized.Length); + IsTrue("not fallback", Arrays.AreEqual(Hex.Decode("feedbeeffeedbeeffeedbeef"), data)); + } + catch (InvalidCipherTextException e) + { + Fail("RSA: failed - exception " + e.ToString(), e); + } - // Create the encoding with StrictLengthEnabled=false (done thru environment in Java version) - Pkcs1Encoding.StrictLengthEnabled = false; + + // Create the encoding with StrictLengthEnabled=false (done thru environment in Java version) + Pkcs1Encoding.StrictLengthEnabled = false; eng = new Pkcs1Encoding(new RsaEngine()); @@ -92,7 +106,7 @@ namespace Org.BouncyCastle.Crypto.Tests try { - data = eng.ProcessBlock(data, 0, data.Length); + data = eng.ProcessBlock(overSized, 0, overSized.Length); } catch (InvalidCipherTextException e) { @@ -104,22 +118,22 @@ namespace Org.BouncyCastle.Crypto.Tests private void doTestTruncatedPkcs1Block(RsaKeyParameters pubParameters, RsaKeyParameters privParameters) { - checkForPkcs1Exception(pubParameters, privParameters, truncatedDataBlock, "block truncated"); + checkForPkcs1Exception(pubParameters, privParameters, truncatedDataBlock, "block incorrect"); } private void doTestDudPkcs1Block(RsaKeyParameters pubParameters, RsaKeyParameters privParameters) { - checkForPkcs1Exception(pubParameters, privParameters, dudBlock, "unknown block type"); + checkForPkcs1Exception(pubParameters, privParameters, dudBlock, "block incorrect"); } private void doTestWrongPaddingPkcs1Block(RsaKeyParameters pubParameters, RsaKeyParameters privParameters) { - checkForPkcs1Exception(pubParameters, privParameters, incorrectPadding, "block padding incorrect"); + checkForPkcs1Exception(pubParameters, privParameters, incorrectPadding, "block incorrect"); } private void doTestMissingDataPkcs1Block(RsaKeyParameters pubParameters, RsaKeyParameters privParameters) { - checkForPkcs1Exception(pubParameters, privParameters, missingDataBlock, "no data in block"); + checkForPkcs1Exception(pubParameters, privParameters, missingDataBlock, "block incorrect"); } private void checkForPkcs1Exception(RsaKeyParameters pubParameters, RsaKeyParameters privParameters, byte[] inputData, string expectedMessage) @@ -431,30 +445,65 @@ namespace Org.BouncyCastle.Crypto.Tests eng.Init(false, privParameters); - try - { - data = eng.ProcessBlock(data, 0, data.Length); + byte[] plainData = null; + try + { + plainData = eng.ProcessBlock(data, 0, data.Length); } catch (Exception e) { Fail("failed - exception " + e.ToString()); } - if (!input.Equals(Hex.ToHexString(data))) - { - Fail("failed PKCS1 public/private Test"); + if (!input.Equals(Hex.ToHexString(plainData))) + { + Fail("failed PKCS1 public/private Test"); } - // - // PKCS1 - private encrypt, public decrypt - // - eng = new Pkcs1Encoding(((Pkcs1Encoding)eng).GetUnderlyingCipher()); + Pkcs1Encoding fEng = new Pkcs1Encoding(new RsaEngine(), input.Length / 2); + fEng.Init(false, new ParametersWithRandom(privParameters, new SecureRandom())); + try + { + plainData = fEng.ProcessBlock(data, 0, data.Length); + } + catch (Exception e) + { + Fail("failed - exception " + e.ToString(), e); + } + + if (!input.Equals(Hex.ToHexString(plainData))) + { + Fail("failed PKCS1 public/private fixed Test"); + } + + fEng = new Pkcs1Encoding(new RsaEngine(), input.Length); + fEng.Init(false, new ParametersWithRandom(privParameters, new SecureRandom())); + try + { + data = fEng.ProcessBlock(data, 0, data.Length); + } + catch (Exception e) + { + Fail("failed - exception " + e.ToString(), e); + } + + if (input.Equals(Hex.ToHexString(data))) + { + Fail("failed to recognise incorrect plaint text length"); + } + + data = plainData; + + // + // PKCS1 - private encrypt, public decrypt + // + eng = new Pkcs1Encoding(((Pkcs1Encoding)eng).GetUnderlyingCipher()); eng.Init(true, privParameters); try { - data = eng.ProcessBlock(data, 0, data.Length); + data = eng.ProcessBlock(plainData, 0, plainData.Length); } catch (Exception e) { -- cgit 1.4.1 From 726f9cf1b8d319aa9df17cc97104b66e7fa6a5c1 Mon Sep 17 00:00:00 2001 From: Peter Dettman Date: Fri, 9 Jun 2017 19:22:34 +0700 Subject: Fix algorithm name for ChaCha7539Engine --- crypto/src/crypto/engines/ChaCha7539Engine.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/src/crypto/engines/ChaCha7539Engine.cs b/crypto/src/crypto/engines/ChaCha7539Engine.cs index 5a12be016..af4163a02 100644 --- a/crypto/src/crypto/engines/ChaCha7539Engine.cs +++ b/crypto/src/crypto/engines/ChaCha7539Engine.cs @@ -19,7 +19,7 @@ namespace Org.BouncyCastle.Crypto.Engines public override string AlgorithmName { - get { return "ChaCha" + rounds; } + get { return "ChaCha7539" + rounds; } } protected override int NonceSize -- cgit 1.4.1 From 6d6fb006877101242633b56095b011bcf0046ab3 Mon Sep 17 00:00:00 2001 From: Peter Dettman Date: Fri, 9 Jun 2017 19:26:00 +0700 Subject: Write exception message to Console.Err --- crypto/test/src/crypto/examples/DESExample.cs | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/crypto/test/src/crypto/examples/DESExample.cs b/crypto/test/src/crypto/examples/DESExample.cs index c026d3159..788fd643f 100644 --- a/crypto/test/src/crypto/examples/DESExample.cs +++ b/crypto/test/src/crypto/examples/DESExample.cs @@ -247,10 +247,11 @@ namespace Org.BouncyCastle.Crypto.Examples outStr.Flush(); outStr.Close(); } - catch (IOException) + catch (IOException closing) { - } - } + Console.Error.WriteLine("exception closing resources: " + closing.Message); + } + } /* * This method performs all the encryption and writes -- cgit 1.4.1 From d36b4cb85edd929b76c3c4f2ab3df31d758cfaf3 Mon Sep 17 00:00:00 2001 From: Peter Dettman Date: Fri, 9 Jun 2017 19:41:15 +0700 Subject: Add PKCS OIDs for SHA512-224/256 sigs - refactor to use OID branching --- crypto/src/asn1/pkcs/PKCSObjectIdentifiers.cs | 37 +++++++++++++++------------ 1 file changed, 21 insertions(+), 16 deletions(-) diff --git a/crypto/src/asn1/pkcs/PKCSObjectIdentifiers.cs b/crypto/src/asn1/pkcs/PKCSObjectIdentifiers.cs index 042911a06..535bbbf82 100644 --- a/crypto/src/asn1/pkcs/PKCSObjectIdentifiers.cs +++ b/crypto/src/asn1/pkcs/PKCSObjectIdentifiers.cs @@ -9,23 +9,28 @@ namespace Org.BouncyCastle.Asn1.Pkcs // iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1 } // public const string Pkcs1 = "1.2.840.113549.1.1"; + internal static readonly DerObjectIdentifier Pkcs1Oid = new DerObjectIdentifier(Pkcs1); + + public static readonly DerObjectIdentifier RsaEncryption = Pkcs1Oid.Branch("1"); + public static readonly DerObjectIdentifier MD2WithRsaEncryption = Pkcs1Oid.Branch("2"); + public static readonly DerObjectIdentifier MD4WithRsaEncryption = Pkcs1Oid.Branch("3"); + public static readonly DerObjectIdentifier MD5WithRsaEncryption = Pkcs1Oid.Branch("4"); + public static readonly DerObjectIdentifier Sha1WithRsaEncryption = Pkcs1Oid.Branch("5"); + public static readonly DerObjectIdentifier SrsaOaepEncryptionSet = Pkcs1Oid.Branch("6"); + public static readonly DerObjectIdentifier IdRsaesOaep = Pkcs1Oid.Branch("7"); + public static readonly DerObjectIdentifier IdMgf1 = Pkcs1Oid.Branch("8"); + public static readonly DerObjectIdentifier IdPSpecified = Pkcs1Oid.Branch("9"); + public static readonly DerObjectIdentifier IdRsassaPss = Pkcs1Oid.Branch("10"); + public static readonly DerObjectIdentifier Sha256WithRsaEncryption = Pkcs1Oid.Branch("11"); + public static readonly DerObjectIdentifier Sha384WithRsaEncryption = Pkcs1Oid.Branch("12"); + public static readonly DerObjectIdentifier Sha512WithRsaEncryption = Pkcs1Oid.Branch("13"); + public static readonly DerObjectIdentifier Sha224WithRsaEncryption = Pkcs1Oid.Branch("14"); + /** PKCS#1: 1.2.840.113549.1.1.15 */ + public static readonly DerObjectIdentifier Sha512_224WithRSAEncryption = Pkcs1Oid.Branch("15"); + /** PKCS#1: 1.2.840.113549.1.1.16 */ + public static readonly DerObjectIdentifier Sha512_256WithRSAEncryption = Pkcs1Oid.Branch("16"); - public static readonly DerObjectIdentifier RsaEncryption = new DerObjectIdentifier(Pkcs1 + ".1"); - public static readonly DerObjectIdentifier MD2WithRsaEncryption = new DerObjectIdentifier(Pkcs1 + ".2"); - public static readonly DerObjectIdentifier MD4WithRsaEncryption = new DerObjectIdentifier(Pkcs1 + ".3"); - public static readonly DerObjectIdentifier MD5WithRsaEncryption = new DerObjectIdentifier(Pkcs1 + ".4"); - public static readonly DerObjectIdentifier Sha1WithRsaEncryption = new DerObjectIdentifier(Pkcs1 + ".5"); - public static readonly DerObjectIdentifier SrsaOaepEncryptionSet = new DerObjectIdentifier(Pkcs1 + ".6"); - public static readonly DerObjectIdentifier IdRsaesOaep = new DerObjectIdentifier(Pkcs1 + ".7"); - public static readonly DerObjectIdentifier IdMgf1 = new DerObjectIdentifier(Pkcs1 + ".8"); - public static readonly DerObjectIdentifier IdPSpecified = new DerObjectIdentifier(Pkcs1 + ".9"); - public static readonly DerObjectIdentifier IdRsassaPss = new DerObjectIdentifier(Pkcs1 + ".10"); - public static readonly DerObjectIdentifier Sha256WithRsaEncryption = new DerObjectIdentifier(Pkcs1 + ".11"); - public static readonly DerObjectIdentifier Sha384WithRsaEncryption = new DerObjectIdentifier(Pkcs1 + ".12"); - public static readonly DerObjectIdentifier Sha512WithRsaEncryption = new DerObjectIdentifier(Pkcs1 + ".13"); - public static readonly DerObjectIdentifier Sha224WithRsaEncryption = new DerObjectIdentifier(Pkcs1 + ".14"); - - // + // // pkcs-3 OBJECT IDENTIFIER ::= { // iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 3 } // -- cgit 1.4.1 From 60fbca299669c59edea32f393c0991e8a90df10f Mon Sep 17 00:00:00 2001 From: Peter Dettman Date: Fri, 9 Jun 2017 20:07:01 +0700 Subject: Update xmldoc --- crypto/src/asn1/Asn1Object.cs | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/crypto/src/asn1/Asn1Object.cs b/crypto/src/asn1/Asn1Object.cs index a86fdbb4a..4faa81ac8 100644 --- a/crypto/src/asn1/Asn1Object.cs +++ b/crypto/src/asn1/Asn1Object.cs @@ -6,11 +6,13 @@ namespace Org.BouncyCastle.Asn1 public abstract class Asn1Object : Asn1Encodable { - /// Create a base ASN.1 object from a byte array. - /// The byte array to parse. - /// The base ASN.1 object represented by the byte array. - /// If there is a problem parsing the data. - public static Asn1Object FromByteArray( + /// Create a base ASN.1 object from a byte array. + /// The byte array to parse. + /// The base ASN.1 object represented by the byte array. + /// + /// If there is a problem parsing the data, or parsing an object did not exhaust the available data. + /// + public static Asn1Object FromByteArray( byte[] data) { try -- cgit 1.4.1 From de9a5f1debfe184c48ca76aadfebb86cf08cbdb0 Mon Sep 17 00:00:00 2001 From: Peter Dettman Date: Fri, 9 Jun 2017 20:08:35 +0700 Subject: Port missing test cases from Java - Switch to newer test format --- crypto/test/src/asn1/test/MiscTest.cs | 126 ++++++++++++++++++++++++---------- 1 file changed, 90 insertions(+), 36 deletions(-) diff --git a/crypto/test/src/asn1/test/MiscTest.cs b/crypto/test/src/asn1/test/MiscTest.cs index 42f5dbd01..6b8411996 100644 --- a/crypto/test/src/asn1/test/MiscTest.cs +++ b/crypto/test/src/asn1/test/MiscTest.cs @@ -12,9 +12,72 @@ namespace Org.BouncyCastle.Asn1.Tests { [TestFixture] public class MiscTest - : ITest + : SimpleTest { - public ITestResult Perform() + private void DoShouldFailOnExtraData() + { + // basic construction + DerBitString s1 = new DerBitString(new byte[0], 0); + + Asn1Object.FromByteArray(s1.GetEncoded()); + + Asn1Object.FromByteArray(new BerSequence(s1).GetEncoded()); + + try + { + Asn1Object obj = Asn1Object.FromByteArray(Arrays.Concatenate(s1.GetEncoded(), new byte[1])); + Fail("no exception"); + } + catch (IOException e) + { + //if (!"Extra data detected in stream".Equals(e.Message)) + if (!"extra data found after object".Equals(e.Message)) + { + Fail("wrong exception"); + } + } + } + + private void DoDerIntegerTest() + { + try + { + new DerInteger(new byte[] { 0, 0, 0, 1}); + } + catch (ArgumentException e) + { + IsTrue("wrong exc", "malformed integer".Equals(e.Message)); + } + + try + { + new DerInteger(new byte[] {(byte)0xff, (byte)0x80, 0, 1}); + } + catch (ArgumentException e) + { + IsTrue("wrong exc", "malformed integer".Equals(e.Message)); + } + + try + { + new DerEnumerated(new byte[] { 0, 0, 0, 1}); + } + catch (ArgumentException e) + { + IsTrue("wrong exc", "malformed enumerated".Equals(e.Message)); + } + + try + { + new DerEnumerated(new byte[] {(byte)0xff, (byte)0x80, 0, 1}); + } + catch (ArgumentException e) + { + IsTrue("wrong exc", "malformed enumerated".Equals(e.Message)); + } + } + + public override void PerformTest() { byte[] testIv = { 1, 2, 3, 4, 5, 6, 7, 8 }; @@ -29,47 +92,41 @@ namespace Org.BouncyCastle.Asn1.Tests byte[] data = Base64.Decode("MA4ECAECAwQFBgcIAgIAgAMCBSAWBWhlbGxvMAoECAECAwQFBgcIFgtodHRwOi8vdGVzdA=="); - try + MemoryStream bOut = new MemoryStream(); + Asn1OutputStream aOut = new Asn1OutputStream(bOut); + + for (int i = 0; i != values.Length; i++) { - MemoryStream bOut = new MemoryStream(); - Asn1OutputStream aOut = new Asn1OutputStream(bOut); + aOut.WriteObject(values[i]); + } - for (int i = 0; i != values.Length; i++) - { - aOut.WriteObject(values[i]); - } + if (!Arrays.AreEqual(bOut.ToArray(), data)) + { + Fail("Failed data check"); + } - if (!Arrays.AreEqual(bOut.ToArray(), data)) - { - return new SimpleTestResult(false, Name + ": Failed data check"); - } + Asn1InputStream aIn = new Asn1InputStream(bOut.ToArray()); - Asn1InputStream aIn = new Asn1InputStream(bOut.ToArray()); + for (int i = 0; i != values.Length; i++) + { + Asn1Object o = aIn.ReadObject(); - for (int i = 0; i != values.Length; i++) + if (!values[i].Equals(o)) { - Asn1Object o = aIn.ReadObject(); - - if (!values[i].Equals(o)) - { - return new SimpleTestResult(false, Name + ": Failed equality test for " + o); - } - - if (o.GetHashCode() != values[i].GetHashCode()) - { - return new SimpleTestResult(false, Name + ": Failed hashCode test for " + o); - } + Fail("Failed equality test for " + o); } - return new SimpleTestResult(true, Name + ": Okay"); - } - catch (Exception e) - { - return new SimpleTestResult(false, Name + ": Failed - exception " + e.ToString(), e); + if (o.GetHashCode() != values[i].GetHashCode()) + { + Fail("Failed hashCode test for " + o); + } } + + DoShouldFailOnExtraData(); + DoDerIntegerTest(); } - public string Name + public override string Name { get { return "Misc"; } } @@ -77,10 +134,7 @@ namespace Org.BouncyCastle.Asn1.Tests public static void Main( string[] args) { - ITest test = new MiscTest(); - ITestResult result = test.Perform(); - - Console.WriteLine(result); + RunTest(new MiscTest()); } [Test] -- cgit 1.4.1 From 30ff2c5b236c329cc31aa15b6ddf9d66a4f00001 Mon Sep 17 00:00:00 2001 From: Peter Dettman Date: Sat, 10 Jun 2017 12:46:05 +0700 Subject: Mark RFC5114 DH groups as Obsolete --- crypto/src/crypto/agreement/DHStandardGroups.cs | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/crypto/src/crypto/agreement/DHStandardGroups.cs b/crypto/src/crypto/agreement/DHStandardGroups.cs index 93b65af98..425a9784c 100644 --- a/crypto/src/crypto/agreement/DHStandardGroups.cs +++ b/crypto/src/crypto/agreement/DHStandardGroups.cs @@ -161,6 +161,11 @@ namespace Org.BouncyCastle.Crypto.Agreement + "909D0D2263F80A76A6A24C087A091F531DBF0A0169B6A28A" + "D662A4D18E73AFA32D779D5918D08BC8858F4DCEF97C2A24" + "855E6EEB22B3B2E5"; private static readonly string rfc5114_1024_160_q = "F518AA8781A8DF278ABA4E7D64B7CB9D49462353"; + + /// + /// Existence of a "hidden SNFS" backdoor cannot be ruled out. see https://eprint.iacr.org/2016/961.pdf . + /// + [Obsolete("Existence of a 'hidden SNFS' backdoor cannot be ruled out.")] public static readonly DHParameters rfc5114_1024_160 = FromPGQ(rfc5114_1024_160_p, rfc5114_1024_160_g, rfc5114_1024_160_q); @@ -177,6 +182,11 @@ namespace Org.BouncyCastle.Crypto.Agreement + "10E183EDD19963DDD9E263E4770589EF6AA21E7F5F2FF381" + "B539CCE3409D13CD566AFBB48D6C019181E1BCFE94B30269" + "EDFE72FE9B6AA4BD7B5A0F1C71CFFF4C19C418E1F6EC0179" + "81BC087F2A7065B384B890D3191F2BFA"; private static readonly string rfc5114_2048_224_q = "801C0D34C58D93FE997177101F80535A4738CEBCBF389A99B36371EB"; + + /// + /// Existence of a "hidden SNFS" backdoor cannot be ruled out. see https://eprint.iacr.org/2016/961.pdf . + /// + [Obsolete("Existence of a 'hidden SNFS' backdoor cannot be ruled out.")] public static readonly DHParameters rfc5114_2048_224 = FromPGQ(rfc5114_2048_224_p, rfc5114_2048_224_g, rfc5114_2048_224_q); @@ -194,6 +204,11 @@ namespace Org.BouncyCastle.Crypto.Agreement + "184B523D1DB246C32F63078490F00EF8D647D148D4795451" + "5E2327CFEF98C582664B4C0F6CC41659"; private static readonly string rfc5114_2048_256_q = "8CF83642A709A097B447997640129DA299B1A47D1EB3750B" + "A308B0FE64F5FBD3"; + + /// + /// Existence of a "hidden SNFS" backdoor cannot be ruled out. see https://eprint.iacr.org/2016/961.pdf . + /// + [Obsolete("Existence of a 'hidden SNFS' backdoor cannot be ruled out.")] public static readonly DHParameters rfc5114_2048_256 = FromPGQ(rfc5114_2048_256_p, rfc5114_2048_256_g, rfc5114_2048_256_q); -- cgit 1.4.1 From 00b8d26b9d7de162931ae6e01e39289975501de0 Mon Sep 17 00:00:00 2001 From: Peter Dettman Date: Sat, 10 Jun 2017 12:58:54 +0700 Subject: Add result checks in DH agreements --- crypto/src/crypto/agreement/DHAgreement.cs | 14 ++++++++------ crypto/src/crypto/agreement/DHBasicAgreement.cs | 8 +++++--- 2 files changed, 13 insertions(+), 9 deletions(-) diff --git a/crypto/src/crypto/agreement/DHAgreement.cs b/crypto/src/crypto/agreement/DHAgreement.cs index d214caafe..b5af104f9 100644 --- a/crypto/src/crypto/agreement/DHAgreement.cs +++ b/crypto/src/crypto/agreement/DHAgreement.cs @@ -81,13 +81,15 @@ namespace Org.BouncyCastle.Crypto.Agreement throw new ArgumentNullException("message"); if (!pub.Parameters.Equals(dhParams)) - { throw new ArgumentException("Diffie-Hellman public key has wrong parameters."); - } - BigInteger p = dhParams.P; + BigInteger p = dhParams.P; - return message.ModPow(key.X, p).Multiply(pub.Y.ModPow(privateValue, p)).Mod(p); - } - } + BigInteger result = pub.Y.ModPow(privateValue, p); + if (result.Equals(BigInteger.One)) + throw new InvalidOperationException("Shared key can't be 1"); + + return message.ModPow(key.X, p).Multiply(result).Mod(p); + } + } } diff --git a/crypto/src/crypto/agreement/DHBasicAgreement.cs b/crypto/src/crypto/agreement/DHBasicAgreement.cs index 75b5e9db5..d6f017e32 100644 --- a/crypto/src/crypto/agreement/DHBasicAgreement.cs +++ b/crypto/src/crypto/agreement/DHBasicAgreement.cs @@ -54,11 +54,13 @@ namespace Org.BouncyCastle.Crypto.Agreement DHPublicKeyParameters pub = (DHPublicKeyParameters)pubKey; if (!pub.Parameters.Equals(dhParams)) - { throw new ArgumentException("Diffie-Hellman public key has wrong parameters."); - } - return pub.Y.ModPow(key.X, dhParams.P); + BigInteger result = pub.Y.ModPow(key.X, dhParams.P); + if (result.Equals(BigInteger.One)) + throw new InvalidOperationException("Shared key can't be 1"); + + return result; } } } -- cgit 1.4.1 From ff94748205290f6684a64fcccf8579b561371a56 Mon Sep 17 00:00:00 2001 From: Peter Dettman Date: Sat, 10 Jun 2017 14:00:03 +0700 Subject: Added s box allocation to AesEngine - mark AesFastEngine obsolete and replace all usages with AesEngine --- crypto/src/crypto/engines/AesEngine.cs | 19 ++++++++++------- crypto/src/crypto/engines/AesFastEngine.cs | 5 +++++ crypto/src/security/CipherUtilities.cs | 6 +++--- crypto/src/security/MacUtilities.cs | 2 +- crypto/src/security/WrapperUtilities.cs | 2 +- crypto/test/src/crypto/prng/test/CtrDrbgTest.cs | 26 +++++++++++------------ crypto/test/src/crypto/test/CMacTest.cs | 2 +- crypto/test/src/crypto/test/EAXTest.cs | 6 +++--- crypto/test/src/crypto/test/GCMTest.cs | 2 +- crypto/test/src/crypto/test/GMacTest.cs | 4 ++-- crypto/test/src/crypto/test/Poly1305Test.cs | 8 +++---- crypto/test/src/security/test/SecureRandomTest.cs | 4 ++-- 12 files changed, 47 insertions(+), 39 deletions(-) diff --git a/crypto/src/crypto/engines/AesEngine.cs b/crypto/src/crypto/engines/AesEngine.cs index ba62af4da..91bdf69ef 100644 --- a/crypto/src/crypto/engines/AesEngine.cs +++ b/crypto/src/crypto/engines/AesEngine.cs @@ -429,6 +429,8 @@ namespace Org.BouncyCastle.Crypto.Engines private uint C0, C1, C2, C3; private bool forEncryption; + private byte[] s; + private const int BLOCK_SIZE = 16; /** @@ -459,6 +461,7 @@ namespace Org.BouncyCastle.Crypto.Engines WorkingKey = GenerateWorkingKey(keyParameter.GetKey(), forEncryption); this.forEncryption = forEncryption; + this.s = Arrays.Clone(forEncryption ? S : Si); } public virtual string AlgorithmName @@ -560,10 +563,10 @@ namespace Org.BouncyCastle.Crypto.Engines // the final round's table is a simple function of S so we don't use a whole other four tables for it kw = KW[r]; - this.C0 = (uint)S[r0 & 255] ^ (((uint)S[(r1 >> 8) & 255]) << 8) ^ (((uint)S[(r2 >> 16) & 255]) << 16) ^ (((uint)S[(r3 >> 24) & 255]) << 24) ^ kw[0]; - this.C1 = (uint)S[r1 & 255] ^ (((uint)S[(r2 >> 8) & 255]) << 8) ^ (((uint)S[(r3 >> 16) & 255]) << 16) ^ (((uint)S[(r0 >> 24) & 255]) << 24) ^ kw[1]; - this.C2 = (uint)S[r2 & 255] ^ (((uint)S[(r3 >> 8) & 255]) << 8) ^ (((uint)S[(r0 >> 16) & 255]) << 16) ^ (((uint)S[(r1 >> 24) & 255]) << 24) ^ kw[2]; - this.C3 = (uint)S[r3 & 255] ^ (((uint)S[(r0 >> 8) & 255]) << 8) ^ (((uint)S[(r1 >> 16) & 255]) << 16) ^ (((uint)S[(r2 >> 24) & 255]) << 24) ^ kw[3]; + this.C0 = (uint)S[r0 & 255] ^ (((uint)S[(r1 >> 8) & 255]) << 8) ^ (((uint)s[(r2 >> 16) & 255]) << 16) ^ (((uint)s[(r3 >> 24) & 255]) << 24) ^ kw[0]; + this.C1 = (uint)s[r1 & 255] ^ (((uint)S[(r2 >> 8) & 255]) << 8) ^ (((uint)S[(r3 >> 16) & 255]) << 16) ^ (((uint)s[(r0 >> 24) & 255]) << 24) ^ kw[1]; + this.C2 = (uint)s[r2 & 255] ^ (((uint)S[(r3 >> 8) & 255]) << 8) ^ (((uint)S[(r0 >> 16) & 255]) << 16) ^ (((uint)S[(r1 >> 24) & 255]) << 24) ^ kw[2]; + this.C3 = (uint)s[r3 & 255] ^ (((uint)s[(r0 >> 8) & 255]) << 8) ^ (((uint)s[(r1 >> 16) & 255]) << 16) ^ (((uint)S[(r2 >> 24) & 255]) << 24) ^ kw[3]; } private void DecryptBlock(uint[][] KW) @@ -598,10 +601,10 @@ namespace Org.BouncyCastle.Crypto.Engines // the final round's table is a simple function of Si so we don't use a whole other four tables for it kw = KW[0]; - this.C0 = (uint)Si[r0 & 255] ^ (((uint)Si[(r3 >> 8) & 255]) << 8) ^ (((uint)Si[(r2 >> 16) & 255]) << 16) ^ (((uint)Si[(r1 >> 24) & 255]) << 24) ^ kw[0]; - this.C1 = (uint)Si[r1 & 255] ^ (((uint)Si[(r0 >> 8) & 255]) << 8) ^ (((uint)Si[(r3 >> 16) & 255]) << 16) ^ (((uint)Si[(r2 >> 24) & 255]) << 24) ^ kw[1]; - this.C2 = (uint)Si[r2 & 255] ^ (((uint)Si[(r1 >> 8) & 255]) << 8) ^ (((uint)Si[(r0 >> 16) & 255]) << 16) ^ (((uint)Si[(r3 >> 24) & 255]) << 24) ^ kw[2]; - this.C3 = (uint)Si[r3 & 255] ^ (((uint)Si[(r2 >> 8) & 255]) << 8) ^ (((uint)Si[(r1 >> 16) & 255]) << 16) ^ (((uint)Si[(r0 >> 24) & 255]) << 24) ^ kw[3]; + this.C0 = (uint)Si[r0 & 255] ^ (((uint)s[(r3 >> 8) & 255]) << 8) ^ (((uint)s[(r2 >> 16) & 255]) << 16) ^ (((uint)Si[(r1 >> 24) & 255]) << 24) ^ kw[0]; + this.C1 = (uint)s[r1 & 255] ^ (((uint)s[(r0 >> 8) & 255]) << 8) ^ (((uint)Si[(r3 >> 16) & 255]) << 16) ^ (((uint)s[(r2 >> 24) & 255]) << 24) ^ kw[1]; + this.C2 = (uint)s[r2 & 255] ^ (((uint)Si[(r1 >> 8) & 255]) << 8) ^ (((uint)Si[(r0 >> 16) & 255]) << 16) ^ (((uint)s[(r3 >> 24) & 255]) << 24) ^ kw[2]; + this.C3 = (uint)Si[r3 & 255] ^ (((uint)s[(r2 >> 8) & 255]) << 8) ^ (((uint)s[(r1 >> 16) & 255]) << 16) ^ (((uint)s[(r0 >> 24) & 255]) << 24) ^ kw[3]; } } } diff --git a/crypto/src/crypto/engines/AesFastEngine.cs b/crypto/src/crypto/engines/AesFastEngine.cs index 3a9c3a89e..9d3a86fd2 100644 --- a/crypto/src/crypto/engines/AesFastEngine.cs +++ b/crypto/src/crypto/engines/AesFastEngine.cs @@ -31,6 +31,11 @@ namespace Org.BouncyCastle.Crypto.Engines * This file contains the fast version with 8Kbytes of static tables for round precomputation *

*/ + /// + /// Unfortunately this class has a few side channel issues. + /// In an environment where encryption/decryption may be closely observed it should not be used. + /// + [Obsolete("Use AesEngine instead")] public class AesFastEngine : IBlockCipher { diff --git a/crypto/src/security/CipherUtilities.cs b/crypto/src/security/CipherUtilities.cs index 3217f3183..de05bc9ef 100644 --- a/crypto/src/security/CipherUtilities.cs +++ b/crypto/src/security/CipherUtilities.cs @@ -323,7 +323,7 @@ namespace Org.BouncyCastle.Security "PBEWITHMD5AND256BITAES-CBC-OPENSSL")) { return new PaddedBufferedBlockCipher( - new CbcBlockCipher(new AesFastEngine())); + new CbcBlockCipher(new AesEngine())); } } } @@ -358,7 +358,7 @@ namespace Org.BouncyCastle.Security switch (cipherAlgorithm) { case CipherAlgorithm.AES: - blockCipher = new AesFastEngine(); + blockCipher = new AesEngine(); break; case CipherAlgorithm.ARC4: streamCipher = new RC4Engine(); @@ -722,7 +722,7 @@ namespace Org.BouncyCastle.Security { switch (cipherAlgorithm) { - case CipherAlgorithm.AES: return new AesFastEngine(); + case CipherAlgorithm.AES: return new AesEngine(); case CipherAlgorithm.BLOWFISH: return new BlowfishEngine(); case CipherAlgorithm.CAMELLIA: return new CamelliaEngine(); case CipherAlgorithm.CAST5: return new Cast5Engine(); diff --git a/crypto/src/security/MacUtilities.cs b/crypto/src/security/MacUtilities.cs index fab9b1d41..278f3bec1 100644 --- a/crypto/src/security/MacUtilities.cs +++ b/crypto/src/security/MacUtilities.cs @@ -136,7 +136,7 @@ namespace Org.BouncyCastle.Security if (mechanism == "AESCMAC") { - return new CMac(new AesFastEngine()); + return new CMac(new AesEngine()); } if (mechanism == "DESMAC") { diff --git a/crypto/src/security/WrapperUtilities.cs b/crypto/src/security/WrapperUtilities.cs index ce31ea519..c57632081 100644 --- a/crypto/src/security/WrapperUtilities.cs +++ b/crypto/src/security/WrapperUtilities.cs @@ -78,7 +78,7 @@ namespace Org.BouncyCastle.Security case WrapAlgorithm.RC2WRAP: return new RC2WrapEngine(); case WrapAlgorithm.SEEDWRAP: return new SeedWrapEngine(); case WrapAlgorithm.DESEDERFC3211WRAP: return new Rfc3211WrapEngine(new DesEdeEngine()); - case WrapAlgorithm.AESRFC3211WRAP: return new Rfc3211WrapEngine(new AesFastEngine()); + case WrapAlgorithm.AESRFC3211WRAP: return new Rfc3211WrapEngine(new AesEngine()); case WrapAlgorithm.CAMELLIARFC3211WRAP: return new Rfc3211WrapEngine(new CamelliaEngine()); } } diff --git a/crypto/test/src/crypto/prng/test/CtrDrbgTest.cs b/crypto/test/src/crypto/prng/test/CtrDrbgTest.cs index 44b08f3a6..4dc09f4e8 100644 --- a/crypto/test/src/crypto/prng/test/CtrDrbgTest.cs +++ b/crypto/test/src/crypto/prng/test/CtrDrbgTest.cs @@ -149,7 +149,7 @@ namespace Org.BouncyCastle.Crypto.Prng.Test .AddAdditionalInput("606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C") .AddAdditionalInput("A0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBC"), new DrbgTestVector( - new AesFastEngine(), 128, + new AesEngine(), 128, new Bit256EntropyProvider().Get(256), false, "2021222324252627", @@ -161,7 +161,7 @@ namespace Org.BouncyCastle.Crypto.Prng.Test } ), new DrbgTestVector( - new AesFastEngine(), 128, + new AesEngine(), 128, new Bit256EntropyProvider().Get(256), false, "2021222324252627", @@ -175,7 +175,7 @@ namespace Org.BouncyCastle.Crypto.Prng.Test .AddAdditionalInput("606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F") .AddAdditionalInput("A0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBF"), new DrbgTestVector( - new AesFastEngine(), 128, + new AesEngine(), 128, new Bit256EntropyProvider().Get(256), false, "2021222324252627", @@ -188,7 +188,7 @@ namespace Org.BouncyCastle.Crypto.Prng.Test ) .SetPersonalizationString("404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F"), new DrbgTestVector( - new AesFastEngine(), 128, + new AesEngine(), 128, new Bit256EntropyProvider().Get(256), true, "2021222324252627", @@ -200,7 +200,7 @@ namespace Org.BouncyCastle.Crypto.Prng.Test } ), new DrbgTestVector( - new AesFastEngine(), 128, + new AesEngine(), 128, new Bit256EntropyProvider().Get(256), true, "2021222324252627", @@ -214,7 +214,7 @@ namespace Org.BouncyCastle.Crypto.Prng.Test .AddAdditionalInput("606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F") .AddAdditionalInput("A0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBF"), new DrbgTestVector( - new AesFastEngine(), 128, + new AesEngine(), 128, new Bit256EntropyProvider().Get(256), true, "2021222324252627", @@ -227,7 +227,7 @@ namespace Org.BouncyCastle.Crypto.Prng.Test ) .SetPersonalizationString("404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F"), new DrbgTestVector( - new AesFastEngine(), 192, + new AesEngine(), 192, new Bit320EntropyProvider().Get(320), false, "202122232425262728292A2B", @@ -240,7 +240,7 @@ namespace Org.BouncyCastle.Crypto.Prng.Test ) .SetPersonalizationString("404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F6061626364656667"), new DrbgTestVector( - new AesFastEngine(), 192, + new AesEngine(), 192, new Bit320EntropyProvider().Get(320), true, "202122232425262728292A2B", @@ -253,7 +253,7 @@ namespace Org.BouncyCastle.Crypto.Prng.Test ) .SetPersonalizationString("404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F6061626364656667"), new DrbgTestVector( - new AesFastEngine(), 256, + new AesEngine(), 256, new Bit384EntropyProvider().Get(384), false, "202122232425262728292A2B2C2D2E2F", @@ -268,7 +268,7 @@ namespace Org.BouncyCastle.Crypto.Prng.Test .AddAdditionalInput("606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F") .AddAdditionalInput("A0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7C8C9CACBCCCDCECF"), new DrbgTestVector( - new AesFastEngine(), 256, + new AesEngine(), 256, new Bit384EntropyProvider().Get(384), true, "202122232425262728292A2B2C2D2E2F", @@ -282,7 +282,7 @@ namespace Org.BouncyCastle.Crypto.Prng.Test .AddAdditionalInput("606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F") .AddAdditionalInput("A0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7C8C9CACBCCCDCECF"), new DrbgTestVector( - new AesFastEngine(), 256, + new AesEngine(), 256, new Bit384EntropyProvider().Get(384), true, "202122232425262728292A2B2C2D2E2F", @@ -295,7 +295,7 @@ namespace Org.BouncyCastle.Crypto.Prng.Test ) .SetPersonalizationString("404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F"), new DrbgTestVector( - new AesFastEngine(), 256, + new AesEngine(), 256, new Bit384EntropyProvider().Get(384), true, "202122232425262728292A2B2C2D2E2F", @@ -310,7 +310,7 @@ namespace Org.BouncyCastle.Crypto.Prng.Test .AddAdditionalInput("606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F") .AddAdditionalInput("A0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7C8C9CACBCCCDCECF"), new DrbgTestVector( - new AesFastEngine(), 256, + new AesEngine(), 256, new Bit384EntropyProvider().Get(384), true, "202122232425262728292A2B2C2D2E2F", diff --git a/crypto/test/src/crypto/test/CMacTest.cs b/crypto/test/src/crypto/test/CMacTest.cs index d71b69f98..23ae7cb88 100644 --- a/crypto/test/src/crypto/test/CMacTest.cs +++ b/crypto/test/src/crypto/test/CMacTest.cs @@ -57,7 +57,7 @@ namespace Org.BouncyCastle.Crypto.Tests public override void PerformTest() { - IBlockCipher cipher = new AesFastEngine(); + IBlockCipher cipher = new AesEngine(); IMac mac = new CMac(cipher, 128); //128 bytes key diff --git a/crypto/test/src/crypto/test/EAXTest.cs b/crypto/test/src/crypto/test/EAXTest.cs index c6be118b2..838f26a1b 100644 --- a/crypto/test/src/crypto/test/EAXTest.cs +++ b/crypto/test/src/crypto/test/EAXTest.cs @@ -186,8 +186,8 @@ namespace Org.BouncyCastle.Crypto.Tests byte[] t, byte[] c) { - EaxBlockCipher encEax = new EaxBlockCipher(new AesFastEngine()); - EaxBlockCipher decEax = new EaxBlockCipher(new AesFastEngine()); + EaxBlockCipher encEax = new EaxBlockCipher(new AesEngine()); + EaxBlockCipher decEax = new EaxBlockCipher(new AesEngine()); AeadParameters parameters = new AeadParameters(new KeyParameter(k), macSize, n, a); encEax.Init(true, parameters); @@ -313,7 +313,7 @@ namespace Org.BouncyCastle.Crypto.Tests srng.NextBytes(datIn); srng.NextBytes(key); - AesFastEngine engine = new AesFastEngine(); + IBlockCipher engine = new AesEngine(); KeyParameter sessKey = new KeyParameter(key); EaxBlockCipher eaxCipher = new EaxBlockCipher(engine); diff --git a/crypto/test/src/crypto/test/GCMTest.cs b/crypto/test/src/crypto/test/GCMTest.cs index 943ffdad4..3f7418fb2 100644 --- a/crypto/test/src/crypto/test/GCMTest.cs +++ b/crypto/test/src/crypto/test/GCMTest.cs @@ -327,7 +327,7 @@ namespace Org.BouncyCastle.Crypto.Tests protected IBlockCipher CreateAesEngine() { - return new AesFastEngine(); + return new AesEngine(); } private void DoTestExceptions() diff --git a/crypto/test/src/crypto/test/GMacTest.cs b/crypto/test/src/crypto/test/GMacTest.cs index 383ff96b7..62088b976 100644 --- a/crypto/test/src/crypto/test/GMacTest.cs +++ b/crypto/test/src/crypto/test/GMacTest.cs @@ -107,7 +107,7 @@ namespace Org.BouncyCastle.Crypto.Tests { TestCase testCase = TEST_VECTORS[i]; - IMac mac = new GMac(new GcmBlockCipher(new AesFastEngine()), testCase.getTag().Length * 8); + IMac mac = new GMac(new GcmBlockCipher(new AesEngine()), testCase.getTag().Length * 8); ICipherParameters key = new KeyParameter(testCase.getKey()); mac.Init(new ParametersWithIV(key, testCase.getIv())); @@ -125,7 +125,7 @@ namespace Org.BouncyCastle.Crypto.Tests { try { - GMac mac = new GMac(new GcmBlockCipher(new AesFastEngine()), size); + GMac mac = new GMac(new GcmBlockCipher(new AesEngine()), size); mac.Init(new ParametersWithIV(null, new byte[16])); Fail("Expected failure for illegal mac size " + size); } diff --git a/crypto/test/src/crypto/test/Poly1305Test.cs b/crypto/test/src/crypto/test/Poly1305Test.cs index cfbff787e..7aaceb99e 100644 --- a/crypto/test/src/crypto/test/Poly1305Test.cs +++ b/crypto/test/src/crypto/test/Poly1305Test.cs @@ -129,7 +129,7 @@ namespace Org.BouncyCastle.Crypto.Tests } else { - mac = new Poly1305(new AesFastEngine()); + mac = new Poly1305(new AesEngine()); mac.Init(new ParametersWithIV(new KeyParameter(tc.key), tc.nonce)); } mac.BlockUpdate(tc.message, 0, tc.message.Length); @@ -151,7 +151,7 @@ namespace Org.BouncyCastle.Crypto.Tests byte[] output = new byte[16]; int c = 0; - IMac mac = new Poly1305(new AesFastEngine()); + IMac mac = new Poly1305(new AesEngine()); for (int loop = 0; loop < 13; loop++) { len = 0; @@ -228,7 +228,7 @@ namespace Org.BouncyCastle.Crypto.Tests byte[] output = new byte[16]; // Generate baseline - IMac poly = new Poly1305(new AesFastEngine()); + IMac poly = new Poly1305(new AesEngine()); poly.Init(new ParametersWithIV(new KeyParameter(k), new byte[16])); poly.BlockUpdate(m, 0, m.Length); @@ -274,7 +274,7 @@ namespace Org.BouncyCastle.Crypto.Tests gen.Init(new KeyGenerationParameters(new SecureRandom(), 256)); byte[] k = gen.GenerateKey(); - IMac poly = new Poly1305(new AesFastEngine()); + IMac poly = new Poly1305(new AesEngine()); poly.Init(new ParametersWithIV(new KeyParameter(k), new byte[16])); try diff --git a/crypto/test/src/security/test/SecureRandomTest.cs b/crypto/test/src/security/test/SecureRandomTest.cs index f1d83b29c..98bf75508 100644 --- a/crypto/test/src/security/test/SecureRandomTest.cs +++ b/crypto/test/src/security/test/SecureRandomTest.cs @@ -68,7 +68,7 @@ namespace Org.BouncyCastle.Security.Tests [Test] public void TestSP800Ctr() { - SecureRandom random = new SP800SecureRandomBuilder().BuildCtr(new AesFastEngine(), 256, new byte[32], false); + SecureRandom random = new SP800SecureRandomBuilder().BuildCtr(new AesEngine(), 256, new byte[32], false); CheckSecureRandom(random); } @@ -110,7 +110,7 @@ namespace Org.BouncyCastle.Security.Tests [Test] public void TestX931() { - SecureRandom random = new X931SecureRandomBuilder().Build(new AesFastEngine(), new KeyParameter(new byte[16]), false); + SecureRandom random = new X931SecureRandomBuilder().Build(new AesEngine(), new KeyParameter(new byte[16]), false); CheckSecureRandom(random); } -- cgit 1.4.1 From 4362f11288b1c5abd7c9c31b094e19e9f035ede5 Mon Sep 17 00:00:00 2001 From: Peter Dettman Date: Sat, 10 Jun 2017 18:30:41 +0700 Subject: Checks on DH peer public key --- crypto/src/crypto/agreement/DHAgreement.cs | 6 +- crypto/src/crypto/agreement/DHBasicAgreement.cs | 8 +- .../src/crypto/parameters/DHPublicKeyParameters.cs | 2 +- crypto/test/src/test/DHTest.cs | 93 ++++++++++++++++++++++ 4 files changed, 106 insertions(+), 3 deletions(-) diff --git a/crypto/src/crypto/agreement/DHAgreement.cs b/crypto/src/crypto/agreement/DHAgreement.cs index b5af104f9..e988c0d53 100644 --- a/crypto/src/crypto/agreement/DHAgreement.cs +++ b/crypto/src/crypto/agreement/DHAgreement.cs @@ -85,7 +85,11 @@ namespace Org.BouncyCastle.Crypto.Agreement BigInteger p = dhParams.P; - BigInteger result = pub.Y.ModPow(privateValue, p); + BigInteger peerY = pub.Y; + if (peerY == null || peerY.CompareTo(BigInteger.One) <= 0 || peerY.CompareTo(p.Subtract(BigInteger.One)) >= 0) + throw new ArgumentException("Diffie-Hellman public key is weak"); + + BigInteger result = peerY.ModPow(privateValue, p); if (result.Equals(BigInteger.One)) throw new InvalidOperationException("Shared key can't be 1"); diff --git a/crypto/src/crypto/agreement/DHBasicAgreement.cs b/crypto/src/crypto/agreement/DHBasicAgreement.cs index d6f017e32..6c3fe6595 100644 --- a/crypto/src/crypto/agreement/DHBasicAgreement.cs +++ b/crypto/src/crypto/agreement/DHBasicAgreement.cs @@ -56,7 +56,13 @@ namespace Org.BouncyCastle.Crypto.Agreement if (!pub.Parameters.Equals(dhParams)) throw new ArgumentException("Diffie-Hellman public key has wrong parameters."); - BigInteger result = pub.Y.ModPow(key.X, dhParams.P); + BigInteger p = dhParams.P; + + BigInteger peerY = pub.Y; + if (peerY == null || peerY.CompareTo(BigInteger.One) <= 0 || peerY.CompareTo(p.Subtract(BigInteger.One)) >= 0) + throw new ArgumentException("Diffie-Hellman public key is weak"); + + BigInteger result = peerY.ModPow(key.X, p); if (result.Equals(BigInteger.One)) throw new InvalidOperationException("Shared key can't be 1"); diff --git a/crypto/src/crypto/parameters/DHPublicKeyParameters.cs b/crypto/src/crypto/parameters/DHPublicKeyParameters.cs index 1704c47dc..e7aeeff19 100644 --- a/crypto/src/crypto/parameters/DHPublicKeyParameters.cs +++ b/crypto/src/crypto/parameters/DHPublicKeyParameters.cs @@ -46,7 +46,7 @@ namespace Org.BouncyCastle.Crypto.Parameters this.y = Validate(y, parameters); } - public BigInteger Y + public virtual BigInteger Y { get { return y; } } diff --git a/crypto/test/src/test/DHTest.cs b/crypto/test/src/test/DHTest.cs index 18a0d84d6..fca487008 100644 --- a/crypto/test/src/test/DHTest.cs +++ b/crypto/test/src/test/DHTest.cs @@ -633,6 +633,98 @@ namespace Org.BouncyCastle.Tests } } + internal static readonly string Message = "Hello"; + + internal static readonly SecureRandom rand = new SecureRandom(); + + public static DHParameters Ike2048() + { + BigInteger p = new BigInteger( + "ffffffffffffffffc90fdaa22168c234c4c6628b80dc1cd129024e088a67cc74" + + "020bbea63b139b22514a08798e3404ddef9519b3cd3a431b302b0a6df25f1437" + + "4fe1356d6d51c245e485b576625e7ec6f44c42e9a637ed6b0bff5cb6f406b7ed" + + "ee386bfb5a899fa5ae9f24117c4b1fe649286651ece45b3dc2007cb8a163bf05" + + "98da48361c55d39a69163fa8fd24cf5f83655d23dca3ad961c62f356208552bb" + + "9ed529077096966d670c354e4abc9804f1746c08ca18217c32905e462e36ce3b" + + "e39e772c180e86039b2783a2ec07a28fb5c55df06f4c52c9de2bcbf695581718" + + "3995497cea956ae515d2261898fa051015728e5a8aacaa68ffffffffffffffff", 16); + BigInteger g = new BigInteger("2"); + return new DHParameters(p, g); + } + + internal class DHWeakPubKey + : DHPublicKeyParameters + { + private readonly BigInteger weakY; + + public DHWeakPubKey(BigInteger weakY, DHParameters parameters) + : base(BigInteger.Two, parameters) + { + this.weakY = weakY; + } + + public override BigInteger Y + { + get { return weakY; } + } + } + + /** + * Tests whether a provider accepts invalid public keys that result in predictable shared secrets. + * This test is based on RFC 2785, Section 4 and NIST SP 800-56A, + * If an attacker can modify both public keys in an ephemeral-ephemeral key agreement scheme then + * it may be possible to coerce both parties into computing the same predictable shared key. + *

+ * Note: the test is quite whimsical. If the prime p is not a safe prime then the provider itself + * cannot prevent all small-subgroup attacks because of the missing parameter q in the + * Diffie-Hellman parameters. Implementations must add additional countermeasures such as the ones + * proposed in RFC 2785. + */ + [Test] + public void TestSubgroupConfinement() + { + DHParameters parameters = Ike2048(); + BigInteger p = parameters.P, g = parameters.G; + + IAsymmetricCipherKeyPairGenerator keyGen = GeneratorUtilities.GetKeyPairGenerator("DH"); + + //keyGen.initialize(params); + keyGen.Init(new DHKeyGenerationParameters(new SecureRandom(), parameters)); + + AsymmetricCipherKeyPair kp = keyGen.GenerateKeyPair(); + AsymmetricKeyParameter priv = kp.Private; + + IBasicAgreement ka = AgreementUtilities.GetBasicAgreement("DH"); + + BigInteger[] weakPublicKeys = { BigInteger.Zero, BigInteger.One, p.Subtract(BigInteger.One), p, + p.Add(BigInteger.One), BigInteger.One.Negate() }; + + foreach (BigInteger weakKey in weakPublicKeys) + { + try + { + new DHPublicKeyParameters(weakKey, parameters); + Fail("Generated weak public key"); + } + catch (ArgumentException ex) + { + IsTrue("wrong message (constructor)", Platform.StartsWith(ex.Message, "invalid DH public key")); + } + + ka.Init(priv); + + try + { + ka.CalculateAgreement(new DHWeakPubKey(weakKey, parameters)); + Fail("Generated secrets with weak public key"); + } + catch (ArgumentException ex) + { + IsTrue("wrong message (CalculateAgreement)", "Diffie-Hellman public key is weak".Equals(ex.Message)); + } + } + } + public override void PerformTest() { TestEnc(); @@ -640,6 +732,7 @@ namespace Org.BouncyCastle.Tests TestECDH(); TestECDHC(); TestExceptions(); + TestSubgroupConfinement(); } public static void Main( -- cgit 1.4.1 From 06be229c35c4e6161f570fcdb48cd758f4e0a587 Mon Sep 17 00:00:00 2001 From: Peter Dettman Date: Sat, 10 Jun 2017 18:40:12 +0700 Subject: Alert when anonymous server sends CertificateRequest --- crypto/src/crypto/tls/TlsDHKeyExchange.cs | 3 +++ crypto/src/crypto/tls/TlsECDHKeyExchange.cs | 3 +++ 2 files changed, 6 insertions(+) diff --git a/crypto/src/crypto/tls/TlsDHKeyExchange.cs b/crypto/src/crypto/tls/TlsDHKeyExchange.cs index eec9daaca..d179068bb 100644 --- a/crypto/src/crypto/tls/TlsDHKeyExchange.cs +++ b/crypto/src/crypto/tls/TlsDHKeyExchange.cs @@ -151,6 +151,9 @@ namespace Org.BouncyCastle.Crypto.Tls public override void ValidateCertificateRequest(CertificateRequest certificateRequest) { + if (mKeyExchange == KeyExchangeAlgorithm.DH_anon) + throw new TlsFatalAlert(AlertDescription.handshake_failure); + byte[] types = certificateRequest.CertificateTypes; for (int i = 0; i < types.Length; ++i) { diff --git a/crypto/src/crypto/tls/TlsECDHKeyExchange.cs b/crypto/src/crypto/tls/TlsECDHKeyExchange.cs index 03c162904..c508fb993 100644 --- a/crypto/src/crypto/tls/TlsECDHKeyExchange.cs +++ b/crypto/src/crypto/tls/TlsECDHKeyExchange.cs @@ -153,6 +153,9 @@ namespace Org.BouncyCastle.Crypto.Tls public override void ValidateCertificateRequest(CertificateRequest certificateRequest) { + if (mKeyExchange == KeyExchangeAlgorithm.ECDH_anon) + throw new TlsFatalAlert(AlertDescription.handshake_failure); + /* * RFC 4492 3. [...] The ECDSA_fixed_ECDH and RSA_fixed_ECDH mechanisms are usable with * ECDH_ECDSA and ECDH_RSA. Their use with ECDHE_ECDSA and ECDHE_RSA is prohibited because -- cgit 1.4.1 From 02d523d352f37b7e1f59474dc422d8ba9bb8d5fe Mon Sep 17 00:00:00 2001 From: Peter Dettman Date: Sat, 10 Jun 2017 18:43:22 +0700 Subject: Added expired certificates on CRL extension --- crypto/src/asn1/x509/X509Extensions.cs | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/crypto/src/asn1/x509/X509Extensions.cs b/crypto/src/asn1/x509/X509Extensions.cs index 2ef73f629..049d728bb 100644 --- a/crypto/src/asn1/x509/X509Extensions.cs +++ b/crypto/src/asn1/x509/X509Extensions.cs @@ -164,6 +164,11 @@ namespace Org.BouncyCastle.Asn1.X509 */ public static readonly DerObjectIdentifier TargetInformation = new DerObjectIdentifier("2.5.29.55"); + /** + * Expired Certificates on CRL extension + */ + public static readonly DerObjectIdentifier ExpiredCertsOnCrl = new DerObjectIdentifier("2.5.29.60"); + private readonly IDictionary extensions = Platform.CreateHashtable(); private readonly IList ordering; -- cgit 1.4.1 From a7031a60eb1ea3859f012bc34c0bae7cbcd7de54 Mon Sep 17 00:00:00 2001 From: Peter Dettman Date: Sat, 10 Jun 2017 19:37:28 +0700 Subject: Update GCMBlockCipher from Java API - includes basic nonce-reuse protections --- crypto/src/crypto/modes/GCMBlockCipher.cs | 70 ++++++++++++++++++++++++++++--- crypto/test/src/crypto/test/GCMTest.cs | 50 ++++++++++++++++++---- 2 files changed, 106 insertions(+), 14 deletions(-) diff --git a/crypto/src/crypto/modes/GCMBlockCipher.cs b/crypto/src/crypto/modes/GCMBlockCipher.cs index 9d940fe75..a6cd00401 100644 --- a/crypto/src/crypto/modes/GCMBlockCipher.cs +++ b/crypto/src/crypto/modes/GCMBlockCipher.cs @@ -23,7 +23,9 @@ namespace Org.BouncyCastle.Crypto.Modes // These fields are set by Init and not modified by processing private bool forEncryption; + private bool initialised; private int macSize; + private byte[] lastKey; private byte[] nonce; private byte[] initialAssociatedText; private byte[] H; @@ -90,14 +92,16 @@ namespace Org.BouncyCastle.Crypto.Modes { this.forEncryption = forEncryption; this.macBlock = null; + this.initialised = true; KeyParameter keyParam; + byte[] newNonce = null; if (parameters is AeadParameters) { AeadParameters param = (AeadParameters)parameters; - nonce = param.GetNonce(); + newNonce = param.GetNonce(); initialAssociatedText = param.GetAssociatedText(); int macSizeBits = param.MacSize; @@ -113,7 +117,7 @@ namespace Org.BouncyCastle.Crypto.Modes { ParametersWithIV param = (ParametersWithIV)parameters; - nonce = param.GetIV(); + newNonce = param.GetIV(); initialAssociatedText = null; macSize = 16; keyParam = (KeyParameter)param.Parameters; @@ -126,11 +130,32 @@ namespace Org.BouncyCastle.Crypto.Modes int bufLength = forEncryption ? BlockSize : (BlockSize + macSize); this.bufBlock = new byte[bufLength]; - if (nonce == null || nonce.Length < 1) + if (newNonce == null || newNonce.Length < 1) { throw new ArgumentException("IV must be at least 1 byte"); } + if (forEncryption) + { + if (nonce != null && Arrays.AreEqual(nonce, newNonce)) + { + if (keyParam == null) + { + throw new ArgumentException("cannot reuse nonce for GCM encryption"); + } + if (lastKey != null && Arrays.AreEqual(lastKey, keyParam.GetKey())) + { + throw new ArgumentException("cannot reuse nonce for GCM encryption"); + } + } + } + + nonce = newNonce; + if (keyParam != null) + { + lastKey = keyParam.GetKey(); + } + // TODO Restrict macSize to 16 if nonce length not 12? // Cipher always used in forward mode @@ -186,7 +211,9 @@ namespace Org.BouncyCastle.Crypto.Modes public virtual byte[] GetMac() { - return Arrays.Clone(macBlock); + return macBlock == null + ? new byte[macSize] + : Arrays.Clone(macBlock); } public virtual int GetOutputSize( @@ -219,6 +246,8 @@ namespace Org.BouncyCastle.Crypto.Modes public virtual void ProcessAadByte(byte input) { + CheckStatus(); + atBlock[atBlockPos] = input; if (++atBlockPos == BlockSize) { @@ -231,6 +260,8 @@ namespace Org.BouncyCastle.Crypto.Modes public virtual void ProcessAadBytes(byte[] inBytes, int inOff, int len) { + CheckStatus(); + for (int i = 0; i < len; ++i) { atBlock[atBlockPos] = inBytes[inOff + i]; @@ -270,6 +301,8 @@ namespace Org.BouncyCastle.Crypto.Modes byte[] output, int outOff) { + CheckStatus(); + bufBlock[bufOff] = input; if (++bufOff == bufBlock.Length) { @@ -286,6 +319,8 @@ namespace Org.BouncyCastle.Crypto.Modes byte[] output, int outOff) { + CheckStatus(); + if (input.Length < (inOff + len)) throw new DataLengthException("Input buffer too short"); @@ -325,6 +360,8 @@ namespace Org.BouncyCastle.Crypto.Modes public int DoFinal(byte[] output, int outOff) { + CheckStatus(); + if (totalLength == 0) { InitCipher(); @@ -441,6 +478,8 @@ namespace Org.BouncyCastle.Crypto.Modes { cipher.Reset(); + // note: we do not reset the nonce. + S = new byte[BlockSize]; S_at = new byte[BlockSize]; S_atPre = new byte[BlockSize]; @@ -463,9 +502,16 @@ namespace Org.BouncyCastle.Crypto.Modes macBlock = null; } - if (initialAssociatedText != null) + if (forEncryption) { - ProcessAadBytes(initialAssociatedText, 0, initialAssociatedText.Length); + initialised = false; + } + else + { + if (initialAssociatedText != null) + { + ProcessAadBytes(initialAssociatedText, 0, initialAssociatedText.Length); + } } } @@ -532,5 +578,17 @@ namespace Org.BouncyCastle.Crypto.Modes cipher.ProcessBlock(counter, 0, tmp, 0); return tmp; } + + private void CheckStatus() + { + if (!initialised) + { + if (forEncryption) + { + throw new InvalidOperationException("GCM cipher cannot be reused for encryption"); + } + throw new InvalidOperationException("GCM cipher needs to be initialised"); + } + } } } diff --git a/crypto/test/src/crypto/test/GCMTest.cs b/crypto/test/src/crypto/test/GCMTest.cs index 3f7418fb2..e5e5fc43e 100644 --- a/crypto/test/src/crypto/test/GCMTest.cs +++ b/crypto/test/src/crypto/test/GCMTest.cs @@ -357,12 +357,38 @@ namespace Org.BouncyCastle.Crypto.Tests } // TODO - //AEADTestUtil.testReset(this, new GCMBlockCipher(createAESEngine()), new GCMBlockCipher(createAESEngine()), new AEADParameters(new KeyParameter(new byte[16]), 128, new byte[16])); //AEADTestUtil.testTampering(this, gcm, new AEADParameters(new KeyParameter(new byte[16]), 128, new byte[16])); - //AEADTestUtil.testOutputSizes(this, new GCMBlockCipher(createAESEngine()), new AEADParameters(new KeyParameter( - // new byte[16]), 128, new byte[16])); - //AEADTestUtil.testBufferSizeChecks(this, new GCMBlockCipher(createAESEngine()), new AEADParameters( - // new KeyParameter(new byte[16]), 128, new byte[16])); + + //byte[] P = Strings.toByteArray("Hello world!"); + //byte[] buf = new byte[100]; + + //GCMBlockCipher c = new GCMBlockCipher(createAESEngine()); + //AEADParameters aeadParameters = new AEADParameters(new KeyParameter(new byte[16]), 128, new byte[16]); + //c.init(true, aeadParameters); + + //c.processBytes(P, 0, P.length, buf, 0); + + //c.doFinal(buf, 0); + + //try + //{ + // c.doFinal(buf, 0); + // fail("no exception on reuse"); + //} + //catch (IllegalStateException e) + //{ + // isTrue("wrong message", e.getMessage().equals("GCM cipher cannot be reused for encryption")); + //} + + //try + //{ + // c.init(true, aeadParameters); + // fail("no exception on reuse"); + //} + //catch (IllegalArgumentException e) + //{ + // isTrue("wrong message", e.getMessage().equals("cannot reuse nonce for GCM encryption")); + //} } private void RunTestCase(string[] testVector) @@ -433,13 +459,21 @@ namespace Org.BouncyCastle.Crypto.Tests GcmBlockCipher encCipher = InitCipher(encM, true, parameters); GcmBlockCipher decCipher = InitCipher(decM, false, parameters); CheckTestCase(encCipher, decCipher, testName, SA, P, C, T); + encCipher = InitCipher(encM, true, parameters); CheckTestCase(encCipher, decCipher, testName + " (reused)", SA, P, C, T); // Key reuse AeadParameters keyReuseParams = AeadTestUtilities.ReuseKey(parameters); - encCipher.Init(true, keyReuseParams); - decCipher.Init(false, keyReuseParams); - CheckTestCase(encCipher, decCipher, testName + " (key reuse)", SA, P, C, T); + + try + { + encCipher.Init(true, keyReuseParams); + Fail("no exception"); + } + catch (ArgumentException e) + { + IsTrue("wrong message", "cannot reuse nonce for GCM encryption".Equals(e.Message)); + } } private GcmBlockCipher InitCipher( -- cgit 1.4.1 From 90076c81bd0110c75678fe3c4c958dcec5d3daba Mon Sep 17 00:00:00 2001 From: Peter Dettman Date: Sat, 10 Jun 2017 20:06:41 +0700 Subject: Stop decoding exceptions escaping from GetDecoderStream --- crypto/src/openpgp/PgpUtilities.cs | 81 +++++++++++++++----------- crypto/test/src/openpgp/test/PGPArmoredTest.cs | 17 ++++++ 2 files changed, 63 insertions(+), 35 deletions(-) diff --git a/crypto/src/openpgp/PgpUtilities.cs b/crypto/src/openpgp/PgpUtilities.cs index 055f99636..7d96dee8d 100644 --- a/crypto/src/openpgp/PgpUtilities.cs +++ b/crypto/src/openpgp/PgpUtilities.cs @@ -417,7 +417,20 @@ namespace Org.BouncyCastle.Bcpg.OpenPgp return inputStream; } - else + + if (!IsPossiblyBase64(ch)) + { + inputStream.Position = markedPos; + + return new ArmoredInputStream(inputStream); + } + + byte[] buf = new byte[ReadAhead]; + int count = 1; + int index = 1; + + buf[0] = (byte)ch; + while (count != ReadAhead && (ch = inputStream.ReadByte()) >= 0) { if (!IsPossiblyBase64(ch)) { @@ -426,51 +439,49 @@ namespace Org.BouncyCastle.Bcpg.OpenPgp return new ArmoredInputStream(inputStream); } - byte[] buf = new byte[ReadAhead]; - int count = 1; - int index = 1; - - buf[0] = (byte)ch; - while (count != ReadAhead && (ch = inputStream.ReadByte()) >= 0) + if (ch != '\n' && ch != '\r') { - if (!IsPossiblyBase64(ch)) - { - inputStream.Position = markedPos; + buf[index++] = (byte)ch; + } - return new ArmoredInputStream(inputStream); - } + count++; + } - if (ch != '\n' && ch != '\r') - { - buf[index++] = (byte)ch; - } + inputStream.Position = markedPos; - count++; - } + // + // nothing but new lines, little else, assume regular armoring + // + if (count < 4) + { + return new ArmoredInputStream(inputStream); + } - inputStream.Position = markedPos; + // + // test our non-blank data + // + byte[] firstBlock = new byte[8]; - // - // nothing but new lines, little else, assume regular armoring - // - if (count < 4) - { - return new ArmoredInputStream(inputStream); - } + Array.Copy(buf, 0, firstBlock, 0, firstBlock.Length); - // - // test our non-blank data - // - byte[] firstBlock = new byte[8]; - Array.Copy(buf, 0, firstBlock, 0, firstBlock.Length); - byte[] decoded = Base64.Decode(firstBlock); + try + { + byte[] decoded = Base64.Decode(firstBlock); - // + // // it's a base64 PGP block. // - bool hasHeaders = (decoded[0] & 0x80) == 0; + bool hasHeaders = (decoded[0] & 0x80) == 0; - return new ArmoredInputStream(inputStream, hasHeaders); + return new ArmoredInputStream(inputStream, hasHeaders); + } + catch (IOException e) + { + throw e; + } + catch (Exception e) + { + throw new IOException(e.Message); } } diff --git a/crypto/test/src/openpgp/test/PGPArmoredTest.cs b/crypto/test/src/openpgp/test/PGPArmoredTest.cs index aa13477ed..e48827a35 100644 --- a/crypto/test/src/openpgp/test/PGPArmoredTest.cs +++ b/crypto/test/src/openpgp/test/PGPArmoredTest.cs @@ -87,6 +87,22 @@ namespace Org.BouncyCastle.Bcpg.OpenPgp.Tests return matches; } + private void pgpUtilTest() + { + // check decoder exception isn't escaping. + MemoryStream bIn = new MemoryStream(Strings.ToByteArray("abcde"), false); + + try + { + PgpUtilities.GetDecoderStream(bIn); + Fail("no exception"); + } + catch (IOException) + { + // expected: ignore. + } + } + private void blankLineTest() { byte[] blankLineBytes = Encoding.ASCII.GetBytes(blankLineData); @@ -241,6 +257,7 @@ namespace Org.BouncyCastle.Bcpg.OpenPgp.Tests } blankLineTest(); + pgpUtilTest(); } public override string Name -- cgit 1.4.1 From c4794df16c0376050a9aff613d7b2327e9087f65 Mon Sep 17 00:00:00 2001 From: Peter Dettman Date: Sat, 10 Jun 2017 20:28:52 +0700 Subject: Added byte[] return when macBlock not set. --- crypto/src/crypto/modes/OCBBlockCipher.cs | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/crypto/src/crypto/modes/OCBBlockCipher.cs b/crypto/src/crypto/modes/OCBBlockCipher.cs index e7dc466e6..91fdfff18 100644 --- a/crypto/src/crypto/modes/OCBBlockCipher.cs +++ b/crypto/src/crypto/modes/OCBBlockCipher.cs @@ -237,7 +237,9 @@ namespace Org.BouncyCastle.Crypto.Modes public virtual byte[] GetMac() { - return Arrays.Clone(macBlock); + return macBlock == null + ? new byte[macSize] + : Arrays.Clone(macBlock); } public virtual int GetOutputSize(int len) -- cgit 1.4.1 From a0fd16c00237ba5f59fb5e3fd4901f7b3c1aa97e Mon Sep 17 00:00:00 2001 From: Peter Dettman Date: Sat, 10 Jun 2017 20:44:56 +0700 Subject: Misc. asn1 changes from Java API --- crypto/src/asn1/crmf/CertReqMsg.cs | 7 +++++++ crypto/src/asn1/pkcs/PKCSObjectIdentifiers.cs | 15 +++++++++++++++ crypto/src/asn1/x509/KeyPurposeId.cs | 2 ++ 3 files changed, 24 insertions(+) diff --git a/crypto/src/asn1/crmf/CertReqMsg.cs b/crypto/src/asn1/crmf/CertReqMsg.cs index 20fd4179a..03ce32d99 100644 --- a/crypto/src/asn1/crmf/CertReqMsg.cs +++ b/crypto/src/asn1/crmf/CertReqMsg.cs @@ -39,6 +39,13 @@ namespace Org.BouncyCastle.Asn1.Crmf return null; } + public static CertReqMsg GetInstance( + Asn1TaggedObject obj, + bool isExplicit) + { + return GetInstance(Asn1Sequence.GetInstance(obj, isExplicit)); + } + /** * Creates a new CertReqMsg. * @param certReq CertRequest diff --git a/crypto/src/asn1/pkcs/PKCSObjectIdentifiers.cs b/crypto/src/asn1/pkcs/PKCSObjectIdentifiers.cs index 535bbbf82..1a9a03e9f 100644 --- a/crypto/src/asn1/pkcs/PKCSObjectIdentifiers.cs +++ b/crypto/src/asn1/pkcs/PKCSObjectIdentifiers.cs @@ -200,6 +200,7 @@ namespace Org.BouncyCastle.Asn1.Pkcs // rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) attributes(2)} // public const string IdAA = "1.2.840.113549.1.9.16.2"; + public static readonly DerObjectIdentifier IdAAOid = new DerObjectIdentifier(IdAA); public static readonly DerObjectIdentifier IdAAContentHint = new DerObjectIdentifier(IdAA + ".4"); // See RFC 2634 public static readonly DerObjectIdentifier IdAAMsgSigDigest = new DerObjectIdentifier(IdAA + ".5"); @@ -234,6 +235,20 @@ namespace Org.BouncyCastle.Asn1.Pkcs public static readonly DerObjectIdentifier IdAAEtsCertCrlTimestamp = new DerObjectIdentifier(IdAA + ".26"); public static readonly DerObjectIdentifier IdAAEtsArchiveTimestamp = new DerObjectIdentifier(IdAA + ".27"); + /** PKCS#9: 1.2.840.113549.1.9.16.6.2.37 - RFC 4108 */ + public static readonly DerObjectIdentifier IdAADecryptKeyID = IdAAOid.Branch("37"); + + /** PKCS#9: 1.2.840.113549.1.9.16.6.2.38 - RFC 4108 */ + public static readonly DerObjectIdentifier IdAAImplCryptoAlgs = IdAAOid.Branch("38"); + + /** PKCS#9: 1.2.840.113549.1.9.16.2.54 RFC7030*/ + public static readonly DerObjectIdentifier IdAAAsymmDecryptKeyID = IdAAOid.Branch("54"); + + /** PKCS#9: 1.2.840.113549.1.9.16.2.43 RFC7030*/ + public static readonly DerObjectIdentifier IdAAImplCompressAlgs = IdAAOid.Branch("43"); + /** PKCS#9: 1.2.840.113549.1.9.16.2.40 RFC7030*/ + public static readonly DerObjectIdentifier IdAACommunityIdentifiers = IdAAOid.Branch("40"); + [Obsolete("Use 'IdAAEtsSigPolicyID' instead")] public static readonly DerObjectIdentifier IdAASigPolicyID = IdAAEtsSigPolicyID; [Obsolete("Use 'IdAAEtsCommitmentType' instead")] diff --git a/crypto/src/asn1/x509/KeyPurposeId.cs b/crypto/src/asn1/x509/KeyPurposeId.cs index 4b48a9b51..1a564b97a 100644 --- a/crypto/src/asn1/x509/KeyPurposeId.cs +++ b/crypto/src/asn1/x509/KeyPurposeId.cs @@ -32,5 +32,7 @@ namespace Org.BouncyCastle.Asn1.X509 // microsoft key purpose ids // public static readonly KeyPurposeID IdKPSmartCardLogon = new KeyPurposeID("1.3.6.1.4.1.311.20.2.2"); + + public static readonly KeyPurposeID IdKPMacAddress = new KeyPurposeID("1.3.6.1.1.1.1.22"); } } -- cgit 1.4.1 From b8b7617bad7608602b1940fc3911b2b93c69d7f4 Mon Sep 17 00:00:00 2001 From: Peter Dettman Date: Sat, 10 Jun 2017 21:14:54 +0700 Subject: Update CHACHA20_POLY1305 out of draft range --- crypto/src/crypto/tls/EncryptionAlgorithm.cs | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/crypto/src/crypto/tls/EncryptionAlgorithm.cs b/crypto/src/crypto/tls/EncryptionAlgorithm.cs index 96037ed20..45eef18e3 100644 --- a/crypto/src/crypto/tls/EncryptionAlgorithm.cs +++ b/crypto/src/crypto/tls/EncryptionAlgorithm.cs @@ -56,10 +56,9 @@ namespace Org.BouncyCastle.Crypto.Tls public const int CAMELLIA_256_GCM = 20; /* - * draft-ietf-tls-chacha20-poly1305-04 + * RFC 7905 */ - public const int CHACHA20_POLY1305 = 102; - [Obsolete] public const int AEAD_CHACHA20_POLY1305 = CHACHA20_POLY1305; + public const int CHACHA20_POLY1305 = 21; /* * draft-zauner-tls-aes-ocb-04 -- cgit 1.4.1 From a6593fddf3d6ddd81fd53caa4a7b983564d3ba9f Mon Sep 17 00:00:00 2001 From: Peter Dettman Date: Sat, 10 Jun 2017 21:21:34 +0700 Subject: Misc. asn1 changes from Java API --- crypto/src/asn1/pkcs/CertificationRequest.cs | 3 +- crypto/src/asn1/pkcs/CertificationRequestInfo.cs | 43 +++++++++++++++--------- 2 files changed, 30 insertions(+), 16 deletions(-) diff --git a/crypto/src/asn1/pkcs/CertificationRequest.cs b/crypto/src/asn1/pkcs/CertificationRequest.cs index 35bdd56eb..98caa2268 100644 --- a/crypto/src/asn1/pkcs/CertificationRequest.cs +++ b/crypto/src/asn1/pkcs/CertificationRequest.cs @@ -47,7 +47,8 @@ namespace Org.BouncyCastle.Asn1.Pkcs this.sigBits = signature; } - public CertificationRequest( + [Obsolete("Use 'GetInstance' instead")] + public CertificationRequest( Asn1Sequence seq) { if (seq.Count != 3) diff --git a/crypto/src/asn1/pkcs/CertificationRequestInfo.cs b/crypto/src/asn1/pkcs/CertificationRequestInfo.cs index d57753235..6d980131e 100644 --- a/crypto/src/asn1/pkcs/CertificationRequestInfo.cs +++ b/crypto/src/asn1/pkcs/CertificationRequestInfo.cs @@ -1,7 +1,6 @@ using System; using Org.BouncyCastle.Asn1.X509; -using Org.BouncyCastle.Utilities; namespace Org.BouncyCastle.Asn1.Pkcs { @@ -31,20 +30,13 @@ namespace Org.BouncyCastle.Asn1.Pkcs internal SubjectPublicKeyInfo subjectPKInfo; internal Asn1Set attributes; - public static CertificationRequestInfo GetInstance( - object obj) + public static CertificationRequestInfo GetInstance(object obj) { if (obj is CertificationRequestInfo) - { - return (CertificationRequestInfo) obj; - } - - if (obj is Asn1Sequence) - { - return new CertificationRequestInfo((Asn1Sequence) obj); - } - - throw new ArgumentException("Unknown object in factory: " + Platform.GetTypeName(obj), "obj"); + return (CertificationRequestInfo)obj; + if (obj != null) + return new CertificationRequestInfo(Asn1Sequence.GetInstance(obj)); + return null; } public CertificationRequestInfo( @@ -56,7 +48,9 @@ namespace Org.BouncyCastle.Asn1.Pkcs this.subjectPKInfo = pkInfo; this.attributes = attributes; - if (subject == null || version == null || subjectPKInfo == null) + ValidateAttributes(attributes); + + if (subject == null || version == null || subjectPKInfo == null) { throw new ArgumentException( "Not all mandatory fields set in CertificationRequestInfo generator."); @@ -81,7 +75,9 @@ namespace Org.BouncyCastle.Asn1.Pkcs attributes = Asn1Set.GetInstance(tagobj, false); } - if (subject == null || version == null || subjectPKInfo == null) + ValidateAttributes(attributes); + + if (subject == null || version == null || subjectPKInfo == null) { throw new ArgumentException( "Not all mandatory fields set in CertificationRequestInfo generator."); @@ -120,5 +116,22 @@ namespace Org.BouncyCastle.Asn1.Pkcs return new DerSequence(v); } + + private static void ValidateAttributes(Asn1Set attributes) + { + if (attributes == null) + return; + + foreach (Asn1Encodable ae in attributes) + { + Asn1Object obj = ae.ToAsn1Object(); + AttributePkcs attr = AttributePkcs.GetInstance(obj); + if (attr.AttrType.Equals(PkcsObjectIdentifiers.Pkcs9AtChallengePassword)) + { + if (attr.AttrValues.Count != 1) + throw new ArgumentException("challengePassword attribute must have one value"); + } + } + } } } -- cgit 1.4.1 From db0c88a3eae79a534ff1854089cff24fbf46c7e2 Mon Sep 17 00:00:00 2001 From: Peter Dettman Date: Sat, 10 Jun 2017 21:48:14 +0700 Subject: Additional fix to GOFB mode --- crypto/src/crypto/modes/GOFBBlockCipher.cs | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/crypto/src/crypto/modes/GOFBBlockCipher.cs b/crypto/src/crypto/modes/GOFBBlockCipher.cs index 4299f11a9..436b58a1d 100644 --- a/crypto/src/crypto/modes/GOFBBlockCipher.cs +++ b/crypto/src/crypto/modes/GOFBBlockCipher.cs @@ -171,7 +171,10 @@ namespace Org.BouncyCastle.Crypto.Modes N4 += C1; if (N4 < C1) // addition is mod (2**32 - 1) { - N4++; + if (N4 > 0) + { + N4++; + } } intTobytes(N3, ofbV, 0); intTobytes(N4, ofbV, 4); -- cgit 1.4.1 From 80c81b9413658a2d68102fed6e0be1f44b5b1dd9 Mon Sep 17 00:00:00 2001 From: Peter Dettman Date: Sat, 10 Jun 2017 21:51:59 +0700 Subject: Add Ed25519 OID --- crypto/src/asn1/gnu/GNUObjectIdentifiers.cs | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/crypto/src/asn1/gnu/GNUObjectIdentifiers.cs b/crypto/src/asn1/gnu/GNUObjectIdentifiers.cs index 9311a3ac1..b322ef233 100644 --- a/crypto/src/asn1/gnu/GNUObjectIdentifiers.cs +++ b/crypto/src/asn1/gnu/GNUObjectIdentifiers.cs @@ -27,5 +27,10 @@ namespace Org.BouncyCastle.Asn1.Gnu public static readonly DerObjectIdentifier Serpent256Cfb = new DerObjectIdentifier("1.3.6.1.4.1.11591.13.2.44"); // Serpent-256-CFB public static readonly DerObjectIdentifier Crc = new DerObjectIdentifier("1.3.6.1.4.1.11591.14"); // CRC algorithms public static readonly DerObjectIdentifier Crc32 = new DerObjectIdentifier("1.3.6.1.4.1.11591.14.1"); // CRC 32 + + /** 1.3.6.1.4.1.11591.15 - ellipticCurve */ + public static readonly DerObjectIdentifier EllipticCurve = new DerObjectIdentifier("1.3.6.1.4.1.11591.15"); + + public static readonly DerObjectIdentifier Ed25519 = EllipticCurve.Branch("1"); } } -- cgit 1.4.1 From b8b3198c285952625ee00b36a809d6b8a2853a82 Mon Sep 17 00:00:00 2001 From: Peter Dettman Date: Sat, 10 Jun 2017 21:57:14 +0700 Subject: Add Reseed method to SP800SecureRandom --- crypto/src/crypto/prng/SP800SecureRandom.cs | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/crypto/src/crypto/prng/SP800SecureRandom.cs b/crypto/src/crypto/prng/SP800SecureRandom.cs index 5c5bda399..ac69e27e2 100644 --- a/crypto/src/crypto/prng/SP800SecureRandom.cs +++ b/crypto/src/crypto/prng/SP800SecureRandom.cs @@ -76,5 +76,12 @@ namespace Org.BouncyCastle.Crypto.Prng { return EntropyUtilities.GenerateSeed(mEntropySource, numBytes); } + + ///

Force a reseed of the DRBG. + /// optional additional input + public virtual void Reseed(byte[] additionalInput) + { + mDrbg.Reseed(additionalInput); + } } } -- cgit 1.4.1 From 5c185fa4dbb26af89b5cab888013f490e378ff36 Mon Sep 17 00:00:00 2001 From: Peter Dettman Date: Sat, 10 Jun 2017 22:09:39 +0700 Subject: Fix reset for ISO9792-2 scheme --- crypto/src/crypto/signers/Iso9796d2PssSigner.cs | 5 ++++- crypto/src/crypto/signers/Iso9796d2Signer.cs | 6 ++++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/crypto/src/crypto/signers/Iso9796d2PssSigner.cs b/crypto/src/crypto/signers/Iso9796d2PssSigner.cs index 3aa2e3719..6b8037095 100644 --- a/crypto/src/crypto/signers/Iso9796d2PssSigner.cs +++ b/crypto/src/crypto/signers/Iso9796d2PssSigner.cs @@ -516,6 +516,7 @@ namespace Org.BouncyCastle.Crypto.Signers if (!isOkay) { fullMessage = false; + messageLength = 0; ClearBlock(recoveredMessage); return false; } @@ -528,12 +529,14 @@ namespace Org.BouncyCastle.Crypto.Signers { if (!IsSameAs(mBuf, recoveredMessage)) { + messageLength = 0; ClearBlock(mBuf); return false; } - messageLength = 0; } + messageLength = 0; + ClearBlock(mBuf); return true; } diff --git a/crypto/src/crypto/signers/Iso9796d2Signer.cs b/crypto/src/crypto/signers/Iso9796d2Signer.cs index b90ed8f0b..303913068 100644 --- a/crypto/src/crypto/signers/Iso9796d2Signer.cs +++ b/crypto/src/crypto/signers/Iso9796d2Signer.cs @@ -360,6 +360,8 @@ namespace Org.BouncyCastle.Crypto.Signers byte[] b = cipher.ProcessBlock(block, 0, block.Length); + messageLength = 0; + ClearBlock(mBuf); ClearBlock(block); @@ -526,11 +528,15 @@ namespace Org.BouncyCastle.Crypto.Signers ClearBlock(mBuf); ClearBlock(block); + messageLength = 0; + return true; } private bool ReturnFalse(byte[] block) { + messageLength = 0; + ClearBlock(mBuf); ClearBlock(block); -- cgit 1.4.1 From 6198fad8061760809fa1e6d3ca48e96fe40f51d3 Mon Sep 17 00:00:00 2001 From: Peter Dettman Date: Sun, 11 Jun 2017 20:30:29 +0700 Subject: Fix race condition --- crypto/src/crypto/prng/SP800SecureRandom.cs | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/crypto/src/crypto/prng/SP800SecureRandom.cs b/crypto/src/crypto/prng/SP800SecureRandom.cs index ac69e27e2..30c838c1b 100644 --- a/crypto/src/crypto/prng/SP800SecureRandom.cs +++ b/crypto/src/crypto/prng/SP800SecureRandom.cs @@ -81,7 +81,15 @@ namespace Org.BouncyCastle.Crypto.Prng /// optional additional input public virtual void Reseed(byte[] additionalInput) { - mDrbg.Reseed(additionalInput); + lock (this) + { + if (mDrbg == null) + { + mDrbg = mDrbgProvider.Get(mEntropySource); + } + + mDrbg.Reseed(additionalInput); + } } } } -- cgit 1.4.1 From dd37f66328b428d0ba40d059b779a5f939994326 Mon Sep 17 00:00:00 2001 From: Peter Dettman Date: Sun, 11 Jun 2017 21:12:44 +0700 Subject: Improve TLS exception handling --- crypto/src/crypto/tls/TlsNoCloseNotifyException.cs | 4 + crypto/src/crypto/tls/TlsProtocol.cs | 279 +++++++++++---------- crypto/src/crypto/tls/TlsServerProtocol.cs | 6 +- 3 files changed, 149 insertions(+), 140 deletions(-) diff --git a/crypto/src/crypto/tls/TlsNoCloseNotifyException.cs b/crypto/src/crypto/tls/TlsNoCloseNotifyException.cs index 72159ba47..0bafd820b 100644 --- a/crypto/src/crypto/tls/TlsNoCloseNotifyException.cs +++ b/crypto/src/crypto/tls/TlsNoCloseNotifyException.cs @@ -15,5 +15,9 @@ namespace Org.BouncyCastle.Crypto.Tls public class TlsNoCloseNotifyException : EndOfStreamException { + public TlsNoCloseNotifyException() + : base("No close_notify alert received before connection closed") + { + } } } diff --git a/crypto/src/crypto/tls/TlsProtocol.cs b/crypto/src/crypto/tls/TlsProtocol.cs index 20ea3ede6..72151d414 100644 --- a/crypto/src/crypto/tls/TlsProtocol.cs +++ b/crypto/src/crypto/tls/TlsProtocol.cs @@ -108,16 +108,95 @@ namespace Org.BouncyCastle.Crypto.Tls protected abstract TlsPeer Peer { get; } + protected virtual void HandleAlertMessage(byte alertLevel, byte alertDescription) + { + Peer.NotifyAlertReceived(alertLevel, alertDescription); + + if (alertLevel == AlertLevel.warning) + { + HandleAlertWarningMessage(alertDescription); + } + else + { + HandleFailure(); + + throw new TlsFatalAlertReceived(alertDescription); + } + } + + protected virtual void HandleAlertWarningMessage(byte alertDescription) + { + /* + * RFC 5246 7.2.1. The other party MUST respond with a close_notify alert of its own + * and close down the connection immediately, discarding any pending writes. + */ + if (alertDescription == AlertDescription.close_notify) + { + if (!mAppDataReady) + throw new TlsFatalAlert(AlertDescription.handshake_failure); + + HandleClose(false); + } + } + protected virtual void HandleChangeCipherSpecMessage() { } - protected abstract void HandleHandshakeMessage(byte type, MemoryStream buf); + protected virtual void HandleClose(bool user_canceled) + { + if (!mClosed) + { + this.mClosed = true; + + if (user_canceled && !mAppDataReady) + { + RaiseAlertWarning(AlertDescription.user_canceled, "User canceled handshake"); + } + + RaiseAlertWarning(AlertDescription.close_notify, "Connection closed"); + + mRecordStream.SafeClose(); + + if (!mAppDataReady) + { + CleanupHandshake(); + } + } + } + + protected virtual void HandleException(byte alertDescription, string message, Exception cause) + { + if (!mClosed) + { + RaiseAlertFatal(alertDescription, message, cause); + + HandleFailure(); + } + } - protected virtual void HandleWarningMessage(byte description) + protected virtual void HandleFailure() { + this.mClosed = true; + this.mFailedWithError = true; + + /* + * RFC 2246 7.2.1. The session becomes unresumable if any connection is terminated + * without proper close_notify messages with level equal to warning. + */ + // TODO This isn't quite in the right place. Also, as of TLS 1.1 the above is obsolete. + InvalidateSession(); + + mRecordStream.SafeClose(); + + if (!mAppDataReady) + { + CleanupHandshake(); + } } + protected abstract void HandleHandshakeMessage(byte type, MemoryStream buf); + protected virtual void ApplyMaxFragmentLengthExtension() { if (mSecurityParameters.maxFragmentLength >= 0) @@ -366,49 +445,11 @@ namespace Org.BouncyCastle.Crypto.Tls /* * An alert is always 2 bytes. Read the alert. */ - byte[] tmp = mAlertQueue.RemoveData(2, 0); - byte level = tmp[0]; - byte description = tmp[1]; - - Peer.NotifyAlertReceived(level, description); - - if (level == AlertLevel.fatal) - { - /* - * RFC 2246 7.2.1. The session becomes unresumable if any connection is terminated - * without proper close_notify messages with level equal to warning. - */ - InvalidateSession(); - - this.mFailedWithError = true; - this.mClosed = true; - - mRecordStream.SafeClose(); - if (!mAppDataReady) - { - CleanupHandshake(); - } - - throw new TlsFatalAlertReceived(description); - } - - /* - * RFC 5246 7.2.1. The other party MUST respond with a close_notify alert of its own - * and close down the connection immediately, discarding any pending writes. - */ - if (description == AlertDescription.close_notify) - { - if (!mAppDataReady) - { - throw new TlsFatalAlert(AlertDescription.handshake_failure); - } - HandleClose(false); - } + byte[] alert = mAlertQueue.RemoveData(2, 0); + byte alertLevel = alert[0]; + byte alertDescription = alert[1]; - /* - * If it is just a warning, we continue. - */ - HandleWarningMessage(description); + HandleAlertMessage(alertLevel, alertDescription); } } @@ -491,45 +532,55 @@ namespace Org.BouncyCastle.Crypto.Tls } catch (TlsFatalAlert e) { - this.FailWithError(AlertLevel.fatal, e.AlertDescription, "Failed to read record", e); + HandleException(e.AlertDescription, "Failed to read record", e); throw e; } - catch (Exception e) + catch (IOException e) { - this.FailWithError(AlertLevel.fatal, AlertDescription.internal_error, "Failed to read record", e); + HandleException(AlertDescription.internal_error, "Failed to read record", e); throw e; } + catch (Exception e) + { + HandleException(AlertDescription.internal_error, "Failed to read record", e); + throw new TlsFatalAlert(AlertDescription.internal_error, e); + } } protected virtual void SafeReadRecord() { try { - if (!mRecordStream.ReadRecord()) - { - if (!mAppDataReady) - { - throw new TlsFatalAlert(AlertDescription.handshake_failure); - } - throw new TlsNoCloseNotifyException(); - } + if (mRecordStream.ReadRecord()) + return; + + if (!mAppDataReady) + throw new TlsFatalAlert(AlertDescription.handshake_failure); + } + catch (TlsFatalAlertReceived e) + { + // Connection failure already handled at source + throw e; } catch (TlsFatalAlert e) { - if (!mClosed) - { - this.FailWithError(AlertLevel.fatal, e.AlertDescription, "Failed to read record", e); - } + HandleException(e.AlertDescription, "Failed to read record", e); throw e; } - catch (Exception e) + catch (IOException e) { - if (!mClosed) - { - this.FailWithError(AlertLevel.fatal, AlertDescription.internal_error, "Failed to read record", e); - } + HandleException(AlertDescription.internal_error, "Failed to read record", e); throw e; } + catch (Exception e) + { + HandleException(AlertDescription.internal_error, "Failed to read record", e); + throw new TlsFatalAlert(AlertDescription.internal_error, e); + } + + HandleFailure(); + + throw new TlsNoCloseNotifyException(); } protected virtual void SafeWriteRecord(byte type, byte[] buf, int offset, int len) @@ -540,20 +591,19 @@ namespace Org.BouncyCastle.Crypto.Tls } catch (TlsFatalAlert e) { - if (!mClosed) - { - this.FailWithError(AlertLevel.fatal, e.AlertDescription, "Failed to write record", e); - } + HandleException(e.AlertDescription, "Failed to write record", e); throw e; } - catch (Exception e) + catch (IOException e) { - if (!mClosed) - { - this.FailWithError(AlertLevel.fatal, AlertDescription.internal_error, "Failed to write record", e); - } + HandleException(AlertDescription.internal_error, "Failed to write record", e); throw e; } + catch (Exception e) + { + HandleException(AlertDescription.internal_error, "Failed to write record", e); + throw new TlsFatalAlert(AlertDescription.internal_error, e); + } } /** @@ -830,50 +880,6 @@ namespace Org.BouncyCastle.Crypto.Tls return mOutputBuffer.Read(buffer, offset, length); } - /** - * Terminate this connection with an alert. Can be used for normal closure too. - * - * @param alertLevel - * See {@link AlertLevel} for values. - * @param alertDescription - * See {@link AlertDescription} for values. - * @throws IOException - * If alert was fatal. - */ - protected virtual void FailWithError(byte alertLevel, byte alertDescription, string message, Exception cause) - { - /* - * Check if the connection is still open. - */ - if (!mClosed) - { - /* - * Prepare the message - */ - this.mClosed = true; - - if (alertLevel == AlertLevel.fatal) - { - /* - * RFC 2246 7.2.1. The session becomes unresumable if any connection is terminated - * without proper close_notify messages with level equal to warning. - */ - // TODO This isn't quite in the right place. Also, as of TLS 1.1 the above is obsolete. - InvalidateSession(); - - this.mFailedWithError = true; - } - RaiseAlert(alertLevel, alertDescription, message, cause); - mRecordStream.SafeClose(); - if (alertLevel != AlertLevel.fatal) - { - return; - } - } - - throw new IOException("TLS connection failed"); - } - protected virtual void InvalidateSession() { if (this.mSessionParameters != null) @@ -910,18 +916,29 @@ namespace Org.BouncyCastle.Crypto.Tls } } - protected virtual void RaiseAlert(byte alertLevel, byte alertDescription, string message, Exception cause) + protected virtual void RaiseAlertFatal(byte alertDescription, string message, Exception cause) { - Peer.NotifyAlertRaised(alertLevel, alertDescription, message, cause); + Peer.NotifyAlertRaised(AlertLevel.fatal, alertDescription, message, cause); - byte[] error = new byte[]{ alertLevel, alertDescription }; + byte[] alert = new byte[]{ AlertLevel.fatal, alertDescription }; - SafeWriteRecord(ContentType.alert, error, 0, 2); + try + { + mRecordStream.WriteRecord(ContentType.alert, alert, 0, 2); + } + catch (Exception) + { + // We are already processing an exception, so just ignore this + } } - protected virtual void RaiseWarning(byte alertDescription, string message) + protected virtual void RaiseAlertWarning(byte alertDescription, string message) { - RaiseAlert(AlertLevel.warning, alertDescription, message, null); + Peer.NotifyAlertRaised(AlertLevel.warning, alertDescription, message, null); + + byte[] alert = new byte[]{ AlertLevel.warning, alertDescription }; + + SafeWriteRecord(ContentType.alert, alert, 0, 2); } protected virtual void SendCertificateMessage(Certificate certificate) @@ -940,7 +957,7 @@ namespace Org.BouncyCastle.Crypto.Tls if (serverVersion.IsSsl) { string errorMessage = serverVersion.ToString() + " client didn't provide credentials"; - RaiseWarning(AlertDescription.no_certificate, errorMessage); + RaiseAlertWarning(AlertDescription.no_certificate, errorMessage); return; } } @@ -999,18 +1016,6 @@ namespace Org.BouncyCastle.Crypto.Tls HandleClose(true); } - protected virtual void HandleClose(bool user_canceled) - { - if (!mClosed) - { - if (user_canceled && !mAppDataReady) - { - RaiseWarning(AlertDescription.user_canceled, "User canceled handshake"); - } - this.FailWithError(AlertLevel.warning, AlertDescription.close_notify, "Connection closed", null); - } - } - protected internal virtual void Flush() { mRecordStream.Flush(); @@ -1046,7 +1051,7 @@ namespace Org.BouncyCastle.Crypto.Tls if (TlsUtilities.IsSsl(Context)) throw new TlsFatalAlert(AlertDescription.handshake_failure); - RaiseWarning(AlertDescription.no_renegotiation, "Renegotiation not supported"); + RaiseAlertWarning(AlertDescription.no_renegotiation, "Renegotiation not supported"); } /** diff --git a/crypto/src/crypto/tls/TlsServerProtocol.cs b/crypto/src/crypto/tls/TlsServerProtocol.cs index 298c9f42d..c2bfbcb74 100644 --- a/crypto/src/crypto/tls/TlsServerProtocol.cs +++ b/crypto/src/crypto/tls/TlsServerProtocol.cs @@ -386,11 +386,11 @@ namespace Org.BouncyCastle.Crypto.Tls } } - protected override void HandleWarningMessage(byte description) + protected override void HandleAlertWarningMessage(byte alertDescription) { - base.HandleWarningMessage(description); + base.HandleAlertWarningMessage(alertDescription); - switch (description) + switch (alertDescription) { case AlertDescription.no_certificate: { -- cgit 1.4.1 From 76e3e8a975c97f959abd6b45e9b9b94c0087f93e Mon Sep 17 00:00:00 2001 From: Peter Dettman Date: Fri, 16 Jun 2017 09:53:56 +0700 Subject: Use slightly improved addition chain for sm2p256v1 field sqrt --- .../src/math/ec/custom/gm/SM2P256V1FieldElement.cs | 42 +++++++++++----------- 1 file changed, 20 insertions(+), 22 deletions(-) diff --git a/crypto/src/math/ec/custom/gm/SM2P256V1FieldElement.cs b/crypto/src/math/ec/custom/gm/SM2P256V1FieldElement.cs index 669c73bd2..4f6428f9e 100644 --- a/crypto/src/math/ec/custom/gm/SM2P256V1FieldElement.cs +++ b/crypto/src/math/ec/custom/gm/SM2P256V1FieldElement.cs @@ -143,13 +143,13 @@ namespace Org.BouncyCastle.Math.EC.Custom.GM uint[] x2 = Nat256.Create(); SM2P256V1Field.Square(x1, x2); SM2P256V1Field.Multiply(x2, x1, x2); - uint[] x3 = x2; - SM2P256V1Field.Square(x2, x3); - SM2P256V1Field.Multiply(x3, x1, x3); + uint[] x4 = Nat256.Create(); + SM2P256V1Field.SquareN(x2, 2, x4); + SM2P256V1Field.Multiply(x4, x2, x4); uint[] x6 = Nat256.Create(); - SM2P256V1Field.SquareN(x3, 3, x6); - SM2P256V1Field.Multiply(x6, x3, x6); - uint[] x12 = x3; + SM2P256V1Field.SquareN(x4, 2, x6); + SM2P256V1Field.Multiply(x6, x2, x6); + uint[] x12 = x2; SM2P256V1Field.SquareN(x6, 6, x12); SM2P256V1Field.Multiply(x12, x6, x12); uint[] x24 = Nat256.Create(); @@ -162,25 +162,23 @@ namespace Org.BouncyCastle.Math.EC.Custom.GM SM2P256V1Field.Square(x30, x31); SM2P256V1Field.Multiply(x31, x1, x31); - uint[] t1 = x31; - SM2P256V1Field.Square(x31, t1); + uint[] t1 = x24; + SM2P256V1Field.SquareN(x31, 31, t1); - uint[] x32 = x12; - SM2P256V1Field.Multiply(t1, x1, x32); + uint[] x62 = x30; + SM2P256V1Field.Multiply(t1, x31, x62); SM2P256V1Field.SquareN(t1, 32, t1); - SM2P256V1Field.Multiply(t1, x32, t1); - - uint[] t2 = x24; - SM2P256V1Field.SquareN(t1, 32, t2); - SM2P256V1Field.Multiply(t2, x1, t2); - SM2P256V1Field.SquareN(t2, 32, t2); - SM2P256V1Field.Multiply(t2, t1, t2); - SM2P256V1Field.SquareN(t2, 32, t2); - SM2P256V1Field.Multiply(t2, x32, t2); - SM2P256V1Field.SquareN(t2, 32, t2); - SM2P256V1Field.Multiply(t2, x1, t2); - SM2P256V1Field.SquareN(t2, 62, t1); + SM2P256V1Field.Multiply(t1, x62, t1); + SM2P256V1Field.SquareN(t1, 62, t1); + SM2P256V1Field.Multiply(t1, x62, t1); + SM2P256V1Field.SquareN(t1, 4, t1); + SM2P256V1Field.Multiply(t1, x4, t1); + SM2P256V1Field.SquareN(t1, 32, t1); + SM2P256V1Field.Multiply(t1, x1, t1); + SM2P256V1Field.SquareN(t1, 62, t1); + + uint[] t2 = x4; SM2P256V1Field.Square(t1, t2); return Nat256.Eq(x1, t2) ? new SM2P256V1FieldElement(t1) : null; -- cgit 1.4.1 From 7b7e632102dc6e27f6183d86fd423e2be9e58696 Mon Sep 17 00:00:00 2001 From: David Hook Date: Sun, 25 Jun 2017 18:08:58 +1000 Subject: Initial cut of DSTU7564 digest and HMAC. --- crypto/src/crypto/digests/DSTU7564Digest.cs | 550 ++++++++++++++++++++++++++++ crypto/src/crypto/macs/DSTU7564Mac.cs | 156 ++++++++ crypto/test/src/crypto/test/DSTU7564Test.cs | 479 ++++++++++++++++++++++++ 3 files changed, 1185 insertions(+) create mode 100644 crypto/src/crypto/digests/DSTU7564Digest.cs create mode 100644 crypto/src/crypto/macs/DSTU7564Mac.cs create mode 100644 crypto/test/src/crypto/test/DSTU7564Test.cs diff --git a/crypto/src/crypto/digests/DSTU7564Digest.cs b/crypto/src/crypto/digests/DSTU7564Digest.cs new file mode 100644 index 000000000..9a785a5c9 --- /dev/null +++ b/crypto/src/crypto/digests/DSTU7564Digest.cs @@ -0,0 +1,550 @@ +using System; + +using Org.BouncyCastle.Crypto.Engines; +using Org.BouncyCastle.Crypto.Parameters; +using Org.BouncyCastle.Crypto.Utilities; +//using Org.BouncyCastle.Utilities; + + +using Org.BouncyCastle.Utilities.Encoders; +using Org.BouncyCastle.Utilities; + +namespace Org.BouncyCastle.Crypto.Digests +{ + /** + * implementation of Ukrainian DSTU 7564 hash function + */ + public class Dstu7564Digest : IDigest, IMemoable + { + private const int ROWS = 8; + private const int REDUCTION_POLYNOMIAL = 0x011d; + private const int BITS_IN_BYTE = 8; + + + private const int NB_512 = 8; //Number of 8-byte words in state for <=256-bit hash code. + private const int NB_1024 = 16; //Number of 8-byte words in state for <=512-bit hash code. + + private const int NR_512 = 10; //Number of rounds for 512-bit state. + private const int NR_1024 = 14; //Number of rounds for 1024-bit state. + + private const int STATE_BYTE_SIZE_512 = ROWS * NB_512; + private const int STATE_BYTE_SIZE_1024 = ROWS * NB_1024; + + private int hashSize; + private int blockSize; + + + + private int columns; + private int rounds; + + + private byte[] padded_; + + private byte[][] state_; + + private ulong inputLength; + private int bufOff; + private byte[] buf; + + public Dstu7564Digest(Dstu7564Digest digest) + { + copyIn(digest); + } + + private void copyIn(Dstu7564Digest digest) + { + this.hashSize = digest.hashSize; + this.blockSize = digest.blockSize; + + this.columns = digest.columns; + this.rounds = digest.rounds; + + this.padded_ = Arrays.Clone(digest.padded_); + this.state_ = new byte[digest.state_.Length][]; + for (int i = 0; i != this.state_.Length; i++) + { + this.state_[i] = Arrays.Clone(digest.state_[i]); + } + + this.inputLength = digest.inputLength; + this.bufOff = digest.bufOff; + this.buf = Arrays.Clone(digest.buf); + } + + public Dstu7564Digest(int hashSizeBits) + { + if (hashSizeBits == 256 || hashSizeBits == 384 || hashSizeBits == 512) + { + this.hashSize = hashSizeBits / 8; + } + else + { + throw new ArgumentException("Hash size is not recommended. Use 256 or 384 or 512 size"); + } + + if (hashSizeBits > 256) + { + this.blockSize = 1024 / 8; + this.columns = NB_1024; + this.rounds = NR_1024; + this.state_ = new byte[STATE_BYTE_SIZE_1024][]; + + } + else + { + this.blockSize = 512 / 8; + this.columns = NB_512; + this.rounds = NR_512; + this.state_ = new byte[STATE_BYTE_SIZE_512][]; + + } + + //Console.WriteLine("length: " + state_.Length); + + for (int i = 0; i < state_.Length; i++) + { + this.state_[i] = new byte[columns]; + } + + this.state_[0][0] = (byte)state_.Length; + + this.hashSize = hashSizeBits / 8; + + this.padded_ = null; + this.buf = new byte[blockSize]; + } + + public string AlgorithmName + { + get { return "DSTU7564"; } + } + + + public virtual void BlockUpdate(byte[] input, int inOff, int length) + { + while (bufOff != 0 && length > 0) + { + Update(input[inOff++]); + length--; + } + + if (length > 0) + { + while (length > blockSize) + { + ProcessBlock(input, inOff); + inOff += blockSize; + inputLength += (ulong)blockSize; + length -= blockSize; + } + + while (length > 0) + { + Update(input[inOff++]); + length--; + } + } + } + + protected byte[] Pad(byte[] input, int inOff, int length) + { + //Console.WriteLine(length); + + byte[] padded; + if (blockSize - length < 13) // terminator byte + 96 bits of length + { + padded = new byte[2 * blockSize]; + } + else + { + padded = new byte[blockSize]; + } + + + Array.Copy(input, inOff, padded, 0, length); + padded[length] = 0x80; + Pack.UInt64_To_LE(inputLength * 8, padded, padded.Length - 12); + + return padded; + } + + protected void ProcessBlock(byte[] input, int inOff) + { + byte[][] temp1 = new byte[STATE_BYTE_SIZE_1024][]; + byte[][] temp2 = new byte[STATE_BYTE_SIZE_1024][]; + + for (int i = 0; i < state_.Length; i++) + { + temp1[i] = new byte[ROWS]; + temp2[i] = new byte[ROWS]; + } + + for (int i = 0; i < ROWS; ++i) + { + for (int j = 0; j < columns; ++j) + { + //Console.WriteLine("row = {0}, column = {1}", i, j); + + temp1[j][i] = (byte)(state_[j][i] ^ input[j * ROWS + i + inOff]); + temp2[j][i] = input[j * ROWS + i + inOff]; + + } + + } + + P(temp1); + + Q(temp2); + + for (int i = 0; i < ROWS; ++i) + { + for (int j = 0; j < columns; ++j) + { + state_[j][i] ^= (byte)(temp1[j][i] ^ temp2[j][i]); + + } + + } + } + + public int DoFinal(byte[] output, int outOff) + { + padded_ = Pad(buf, 0, bufOff); + + ProcessBlock(padded_, 0); + + + //Console.WriteLine(stateLine.Length); + + byte[][] temp = new byte[STATE_BYTE_SIZE_1024][]; + for (int i = 0; i < state_.Length; i++) + { + temp[i] = new byte[ROWS]; + Array.Copy(state_[i], temp[i], ROWS); + } + + P(temp); + + for (int i = 0; i < ROWS; ++i) + { + for (int j = 0; j < columns; ++j) + { + state_[j][i] ^= temp[j][i]; + //Console.Write("{0:x} ", state_[j][i]); + } + //Console.WriteLine(); + } + + byte[] stateLine = new byte[ROWS * columns]; + int stateLineIndex = 0; + for (int j = 0; j < columns; ++j) + { + for (int i = 0; i < ROWS; ++i) + { + + stateLine[stateLineIndex] = state_[j][i]; + stateLineIndex++; + + //Console.WriteLine("index = {0}, row = {1}, column = {2}", stateLineIndex, i, j); + + } + } + + //Console.WriteLine("final: " + Hex.ToHexString(stateLine)); + //Console.WriteLine(stateLine.Length); + + Array.Copy(stateLine, stateLine.Length - hashSize, output, outOff, hashSize); + + Reset(); + + return hashSize; + } + + public void Reset() + { + for (int bufferIndex = 0; bufferIndex < state_.Length; bufferIndex++) + { + state_[bufferIndex] = new byte[columns]; + } + + state_[0][0] = (byte)state_.Length; + + inputLength = 0; + bufOff = 0; + + Arrays.Fill(buf, (byte)0); + Arrays.Fill(padded_, (byte)0); + } + + public int GetDigestSize() + { + return hashSize; + } + + public int GetByteLength() + { + return blockSize; + } + + public void Update(byte input) + { + buf[bufOff++] = input; + if (bufOff == blockSize) + { + ProcessBlock(buf, 0); + bufOff = 0; + } + inputLength++; + } + + void SubBytes(byte[][] state) + { + int i, j; + for (i = 0; i < ROWS; ++i) + { + for (j = 0; j < columns; ++j) + { + state[j][i] = sBoxes[i % 4][state[j][i]]; + } + } + } + + void ShiftBytes(byte[][] state) + { + int i, j; + byte[] temp = new byte[NB_1024]; + int shift = -1; + for (i = 0; i < ROWS; ++i) + { + if ((i == ROWS - 1) && (columns == NB_1024)) + { + shift = 11; + } + else + { + ++shift; + } + for (j = 0; j < columns; ++j) + { + temp[(j + shift) % columns] = state[j][i]; + } + for (j = 0; j < columns; ++j) + { + state[j][i] = temp[j]; + } + } + } + + byte MultiplyGF(byte x, byte y) + { + int i; + byte r = 0; + byte hbit = 0; + for (i = 0; i < BITS_IN_BYTE; ++i) + { + if ((y & 0x1) == 1) + { + r ^= x; + } + + hbit = (byte)(x & 0x80); + + x <<= 1; + + if (hbit == 0x80) + { + x = (byte)((int)x ^ REDUCTION_POLYNOMIAL); + } + + y >>= 1; + } + return r; + } + + private void MixColumns(byte[][] state) + { + int i, row, col, b; + byte product; + byte[] result = new byte[ROWS]; + + for (col = 0; col < columns; ++col) + { + Array.Clear(result, 0, ROWS); + for (row = ROWS - 1; row >= 0; --row) + { + product = 0; + for (b = ROWS - 1; b >= 0; --b) + { + product ^= MultiplyGF(state[col][b], mds_matrix[row][b]); + } + result[row] = product; + } + for (i = 0; i < ROWS; ++i) + { + state[col][i] = result[i]; + } + } + } + + void AddRoundConstantP(byte[][] state, int round) + { + int i; + for (i = 0; i < columns; ++i) + { + state[i][0] ^= (byte)((i * 0x10) ^ round); + } + } + + void AddRoundConstantQ(byte[][] state, int round) + { + int j; + UInt64[] s = new UInt64[columns]; + + for (j = 0; j < columns; j++) + { + s[j] = Pack.LE_To_UInt64(state[j]); + + s[j] = s[j] + (0x00F0F0F0F0F0F0F3UL ^ ((((UInt64)(columns - j - 1) * 0x10UL) ^ (UInt64)round) << (7 * 8))); + + state[j] = Pack.UInt64_To_LE(s[j]); + } + } + + void P(byte[][] state) + { + int i; + for (i = 0; i < rounds; ++i) + { + AddRoundConstantP(state, i); + SubBytes(state); + ShiftBytes(state); + MixColumns(state); + } + } + + void Q(byte[][] state) + { + int i; + for (i = 0; i < rounds; ++i) + { + AddRoundConstantQ(state, i); + SubBytes(state); + ShiftBytes(state); + MixColumns(state); + } + } + + public IMemoable Copy() + { + return new Dstu7564Digest(this); + } + + public void Reset(IMemoable other) + { + Dstu7564Digest d = (Dstu7564Digest)other; + + copyIn(d); + } + + private readonly byte[][] mds_matrix = new byte[][] + { + new byte[] {0x01, 0x01, 0x05, 0x01, 0x08, 0x06, 0x07, 0x04}, + new byte[] {0x04, 0x01, 0x01, 0x05, 0x01, 0x08, 0x06, 0x07}, + new byte[] {0x07, 0x04, 0x01, 0x01, 0x05, 0x01, 0x08, 0x06}, + new byte[] {0x06, 0x07, 0x04, 0x01, 0x01, 0x05, 0x01, 0x08}, + new byte[] {0x08, 0x06, 0x07, 0x04, 0x01, 0x01, 0x05, 0x01}, + new byte[] {0x01, 0x08, 0x06, 0x07, 0x04, 0x01, 0x01, 0x05}, + new byte[] {0x05, 0x01, 0x08, 0x06, 0x07, 0x04, 0x01, 0x01}, + new byte[] {0x01, 0x05, 0x01, 0x08, 0x06, 0x07, 0x04, 0x01} + }; + + + + + private readonly byte[][] sBoxes = new byte[][] + { + new byte[] + { + 0xa8, 0x43, 0x5f, 0x06, 0x6b, 0x75, 0x6c, 0x59, 0x71, 0xdf, 0x87, 0x95, 0x17, 0xf0, 0xd8, 0x09, + 0x6d, 0xf3, 0x1d, 0xcb, 0xc9, 0x4d, 0x2c, 0xaf, 0x79, 0xe0, 0x97, 0xfd, 0x6f, 0x4b, 0x45, 0x39, + 0x3e, 0xdd, 0xa3, 0x4f, 0xb4, 0xb6, 0x9a, 0x0e, 0x1f, 0xbf, 0x15, 0xe1, 0x49, 0xd2, 0x93, 0xc6, + 0x92, 0x72, 0x9e, 0x61, 0xd1, 0x63, 0xfa, 0xee, 0xf4, 0x19, 0xd5, 0xad, 0x58, 0xa4, 0xbb, 0xa1, + 0xdc, 0xf2, 0x83, 0x37, 0x42, 0xe4, 0x7a, 0x32, 0x9c, 0xcc, 0xab, 0x4a, 0x8f, 0x6e, 0x04, 0x27, + 0x2e, 0xe7, 0xe2, 0x5a, 0x96, 0x16, 0x23, 0x2b, 0xc2, 0x65, 0x66, 0x0f, 0xbc, 0xa9, 0x47, 0x41, + 0x34, 0x48, 0xfc, 0xb7, 0x6a, 0x88, 0xa5, 0x53, 0x86, 0xf9, 0x5b, 0xdb, 0x38, 0x7b, 0xc3, 0x1e, + 0x22, 0x33, 0x24, 0x28, 0x36, 0xc7, 0xb2, 0x3b, 0x8e, 0x77, 0xba, 0xf5, 0x14, 0x9f, 0x08, 0x55, + 0x9b, 0x4c, 0xfe, 0x60, 0x5c, 0xda, 0x18, 0x46, 0xcd, 0x7d, 0x21, 0xb0, 0x3f, 0x1b, 0x89, 0xff, + 0xeb, 0x84, 0x69, 0x3a, 0x9d, 0xd7, 0xd3, 0x70, 0x67, 0x40, 0xb5, 0xde, 0x5d, 0x30, 0x91, 0xb1, + 0x78, 0x11, 0x01, 0xe5, 0x00, 0x68, 0x98, 0xa0, 0xc5, 0x02, 0xa6, 0x74, 0x2d, 0x0b, 0xa2, 0x76, + 0xb3, 0xbe, 0xce, 0xbd, 0xae, 0xe9, 0x8a, 0x31, 0x1c, 0xec, 0xf1, 0x99, 0x94, 0xaa, 0xf6, 0x26, + 0x2f, 0xef, 0xe8, 0x8c, 0x35, 0x03, 0xd4, 0x7f, 0xfb, 0x05, 0xc1, 0x5e, 0x90, 0x20, 0x3d, 0x82, + 0xf7, 0xea, 0x0a, 0x0d, 0x7e, 0xf8, 0x50, 0x1a, 0xc4, 0x07, 0x57, 0xb8, 0x3c, 0x62, 0xe3, 0xc8, + 0xac, 0x52, 0x64, 0x10, 0xd0, 0xd9, 0x13, 0x0c, 0x12, 0x29, 0x51, 0xb9, 0xcf, 0xd6, 0x73, 0x8d, + 0x81, 0x54, 0xc0, 0xed, 0x4e, 0x44, 0xa7, 0x2a, 0x85, 0x25, 0xe6, 0xca, 0x7c, 0x8b, 0x56, 0x80 + }, + + new byte[] + { + 0xce, 0xbb, 0xeb, 0x92, 0xea, 0xcb, 0x13, 0xc1, 0xe9, 0x3a, 0xd6, 0xb2, 0xd2, 0x90, 0x17, 0xf8, + 0x42, 0x15, 0x56, 0xb4, 0x65, 0x1c, 0x88, 0x43, 0xc5, 0x5c, 0x36, 0xba, 0xf5, 0x57, 0x67, 0x8d, + 0x31, 0xf6, 0x64, 0x58, 0x9e, 0xf4, 0x22, 0xaa, 0x75, 0x0f, 0x02, 0xb1, 0xdf, 0x6d, 0x73, 0x4d, + 0x7c, 0x26, 0x2e, 0xf7, 0x08, 0x5d, 0x44, 0x3e, 0x9f, 0x14, 0xc8, 0xae, 0x54, 0x10, 0xd8, 0xbc, + 0x1a, 0x6b, 0x69, 0xf3, 0xbd, 0x33, 0xab, 0xfa, 0xd1, 0x9b, 0x68, 0x4e, 0x16, 0x95, 0x91, 0xee, + 0x4c, 0x63, 0x8e, 0x5b, 0xcc, 0x3c, 0x19, 0xa1, 0x81, 0x49, 0x7b, 0xd9, 0x6f, 0x37, 0x60, 0xca, + 0xe7, 0x2b, 0x48, 0xfd, 0x96, 0x45, 0xfc, 0x41, 0x12, 0x0d, 0x79, 0xe5, 0x89, 0x8c, 0xe3, 0x20, + 0x30, 0xdc, 0xb7, 0x6c, 0x4a, 0xb5, 0x3f, 0x97, 0xd4, 0x62, 0x2d, 0x06, 0xa4, 0xa5, 0x83, 0x5f, + 0x2a, 0xda, 0xc9, 0x00, 0x7e, 0xa2, 0x55, 0xbf, 0x11, 0xd5, 0x9c, 0xcf, 0x0e, 0x0a, 0x3d, 0x51, + 0x7d, 0x93, 0x1b, 0xfe, 0xc4, 0x47, 0x09, 0x86, 0x0b, 0x8f, 0x9d, 0x6a, 0x07, 0xb9, 0xb0, 0x98, + 0x18, 0x32, 0x71, 0x4b, 0xef, 0x3b, 0x70, 0xa0, 0xe4, 0x40, 0xff, 0xc3, 0xa9, 0xe6, 0x78, 0xf9, + 0x8b, 0x46, 0x80, 0x1e, 0x38, 0xe1, 0xb8, 0xa8, 0xe0, 0x0c, 0x23, 0x76, 0x1d, 0x25, 0x24, 0x05, + 0xf1, 0x6e, 0x94, 0x28, 0x9a, 0x84, 0xe8, 0xa3, 0x4f, 0x77, 0xd3, 0x85, 0xe2, 0x52, 0xf2, 0x82, + 0x50, 0x7a, 0x2f, 0x74, 0x53, 0xb3, 0x61, 0xaf, 0x39, 0x35, 0xde, 0xcd, 0x1f, 0x99, 0xac, 0xad, + 0x72, 0x2c, 0xdd, 0xd0, 0x87, 0xbe, 0x5e, 0xa6, 0xec, 0x04, 0xc6, 0x03, 0x34, 0xfb, 0xdb, 0x59, + 0xb6, 0xc2, 0x01, 0xf0, 0x5a, 0xed, 0xa7, 0x66, 0x21, 0x7f, 0x8a, 0x27, 0xc7, 0xc0, 0x29, 0xd7 + }, + + new byte[] + { + 0x93, 0xd9, 0x9a, 0xb5, 0x98, 0x22, 0x45, 0xfc, 0xba, 0x6a, 0xdf, 0x02, 0x9f, 0xdc, 0x51, 0x59, + 0x4a, 0x17, 0x2b, 0xc2, 0x94, 0xf4, 0xbb, 0xa3, 0x62, 0xe4, 0x71, 0xd4, 0xcd, 0x70, 0x16, 0xe1, + 0x49, 0x3c, 0xc0, 0xd8, 0x5c, 0x9b, 0xad, 0x85, 0x53, 0xa1, 0x7a, 0xc8, 0x2d, 0xe0, 0xd1, 0x72, + 0xa6, 0x2c, 0xc4, 0xe3, 0x76, 0x78, 0xb7, 0xb4, 0x09, 0x3b, 0x0e, 0x41, 0x4c, 0xde, 0xb2, 0x90, + 0x25, 0xa5, 0xd7, 0x03, 0x11, 0x00, 0xc3, 0x2e, 0x92, 0xef, 0x4e, 0x12, 0x9d, 0x7d, 0xcb, 0x35, + 0x10, 0xd5, 0x4f, 0x9e, 0x4d, 0xa9, 0x55, 0xc6, 0xd0, 0x7b, 0x18, 0x97, 0xd3, 0x36, 0xe6, 0x48, + 0x56, 0x81, 0x8f, 0x77, 0xcc, 0x9c, 0xb9, 0xe2, 0xac, 0xb8, 0x2f, 0x15, 0xa4, 0x7c, 0xda, 0x38, + 0x1e, 0x0b, 0x05, 0xd6, 0x14, 0x6e, 0x6c, 0x7e, 0x66, 0xfd, 0xb1, 0xe5, 0x60, 0xaf, 0x5e, 0x33, + 0x87, 0xc9, 0xf0, 0x5d, 0x6d, 0x3f, 0x88, 0x8d, 0xc7, 0xf7, 0x1d, 0xe9, 0xec, 0xed, 0x80, 0x29, + 0x27, 0xcf, 0x99, 0xa8, 0x50, 0x0f, 0x37, 0x24, 0x28, 0x30, 0x95, 0xd2, 0x3e, 0x5b, 0x40, 0x83, + 0xb3, 0x69, 0x57, 0x1f, 0x07, 0x1c, 0x8a, 0xbc, 0x20, 0xeb, 0xce, 0x8e, 0xab, 0xee, 0x31, 0xa2, + 0x73, 0xf9, 0xca, 0x3a, 0x1a, 0xfb, 0x0d, 0xc1, 0xfe, 0xfa, 0xf2, 0x6f, 0xbd, 0x96, 0xdd, 0x43, + 0x52, 0xb6, 0x08, 0xf3, 0xae, 0xbe, 0x19, 0x89, 0x32, 0x26, 0xb0, 0xea, 0x4b, 0x64, 0x84, 0x82, + 0x6b, 0xf5, 0x79, 0xbf, 0x01, 0x5f, 0x75, 0x63, 0x1b, 0x23, 0x3d, 0x68, 0x2a, 0x65, 0xe8, 0x91, + 0xf6, 0xff, 0x13, 0x58, 0xf1, 0x47, 0x0a, 0x7f, 0xc5, 0xa7, 0xe7, 0x61, 0x5a, 0x06, 0x46, 0x44, + 0x42, 0x04, 0xa0, 0xdb, 0x39, 0x86, 0x54, 0xaa, 0x8c, 0x34, 0x21, 0x8b, 0xf8, 0x0c, 0x74, 0x67 + }, + + new byte[] + { + 0x68, 0x8d, 0xca, 0x4d, 0x73, 0x4b, 0x4e, 0x2a, 0xd4, 0x52, 0x26, 0xb3, 0x54, 0x1e, 0x19, 0x1f, + 0x22, 0x03, 0x46, 0x3d, 0x2d, 0x4a, 0x53, 0x83, 0x13, 0x8a, 0xb7, 0xd5, 0x25, 0x79, 0xf5, 0xbd, + 0x58, 0x2f, 0x0d, 0x02, 0xed, 0x51, 0x9e, 0x11, 0xf2, 0x3e, 0x55, 0x5e, 0xd1, 0x16, 0x3c, 0x66, + 0x70, 0x5d, 0xf3, 0x45, 0x40, 0xcc, 0xe8, 0x94, 0x56, 0x08, 0xce, 0x1a, 0x3a, 0xd2, 0xe1, 0xdf, + 0xb5, 0x38, 0x6e, 0x0e, 0xe5, 0xf4, 0xf9, 0x86, 0xe9, 0x4f, 0xd6, 0x85, 0x23, 0xcf, 0x32, 0x99, + 0x31, 0x14, 0xae, 0xee, 0xc8, 0x48, 0xd3, 0x30, 0xa1, 0x92, 0x41, 0xb1, 0x18, 0xc4, 0x2c, 0x71, + 0x72, 0x44, 0x15, 0xfd, 0x37, 0xbe, 0x5f, 0xaa, 0x9b, 0x88, 0xd8, 0xab, 0x89, 0x9c, 0xfa, 0x60, + 0xea, 0xbc, 0x62, 0x0c, 0x24, 0xa6, 0xa8, 0xec, 0x67, 0x20, 0xdb, 0x7c, 0x28, 0xdd, 0xac, 0x5b, + 0x34, 0x7e, 0x10, 0xf1, 0x7b, 0x8f, 0x63, 0xa0, 0x05, 0x9a, 0x43, 0x77, 0x21, 0xbf, 0x27, 0x09, + 0xc3, 0x9f, 0xb6, 0xd7, 0x29, 0xc2, 0xeb, 0xc0, 0xa4, 0x8b, 0x8c, 0x1d, 0xfb, 0xff, 0xc1, 0xb2, + 0x97, 0x2e, 0xf8, 0x65, 0xf6, 0x75, 0x07, 0x04, 0x49, 0x33, 0xe4, 0xd9, 0xb9, 0xd0, 0x42, 0xc7, + 0x6c, 0x90, 0x00, 0x8e, 0x6f, 0x50, 0x01, 0xc5, 0xda, 0x47, 0x3f, 0xcd, 0x69, 0xa2, 0xe2, 0x7a, + 0xa7, 0xc6, 0x93, 0x0f, 0x0a, 0x06, 0xe6, 0x2b, 0x96, 0xa3, 0x1c, 0xaf, 0x6a, 0x12, 0x84, 0x39, + 0xe7, 0xb0, 0x82, 0xf7, 0xfe, 0x9d, 0x87, 0x5c, 0x81, 0x35, 0xde, 0xb4, 0xa5, 0xfc, 0x80, 0xef, + 0xcb, 0xbb, 0x6b, 0x76, 0xba, 0x5a, 0x7d, 0x78, 0x0b, 0x95, 0xe3, 0xad, 0x74, 0x98, 0x3b, 0x36, + 0x64, 0x6d, 0xdc, 0xf0, 0x59, 0xa9, 0x4c, 0x17, 0x7f, 0x91, 0xb8, 0xc9, 0x57, 0x1b, 0xe0, 0x61 + } + }; + + + } +} diff --git a/crypto/src/crypto/macs/DSTU7564Mac.cs b/crypto/src/crypto/macs/DSTU7564Mac.cs new file mode 100644 index 000000000..a5f984270 --- /dev/null +++ b/crypto/src/crypto/macs/DSTU7564Mac.cs @@ -0,0 +1,156 @@ +using System; + +using Org.BouncyCastle.Crypto.Digests; +using Org.BouncyCastle.Crypto.Parameters; +using Org.BouncyCastle.Crypto.Utilities; + +namespace Org.BouncyCastle.Crypto.Macs +{ + /// + /// Implementation of DSTU7564 mac mode + /// + public class DSTU7564Mac : IMac + { + private Dstu7564Digest engine; + private int macSize; + + private ulong inputLength; + + byte[] paddedKey; + byte[] invertedKey; + byte[] paddedInput; + + public string AlgorithmName + { + get + { + return "DSTU7564Mac"; + } + } + + public DSTU7564Mac(int macSizeBits) + { + engine = new Dstu7564Digest(macSizeBits); + macSize = macSizeBits / 8; + } + + public void Init(ICipherParameters parameters) + { + if (parameters is KeyParameter) + { + byte[] key = ((KeyParameter)parameters).GetKey(); + + invertedKey = new byte[key.Length]; + + paddedKey = PadKey(key); + + for (int byteIndex = 0; byteIndex < invertedKey.Length; byteIndex++) + { + invertedKey[byteIndex] = (byte)(key[byteIndex] ^ (byte)0xFF); + } + } + else + { + throw new ArgumentException("Bad parameter passed"); + } + + engine.BlockUpdate(paddedKey, 0, paddedKey.Length); + } + + public int GetMacSize() + { + return macSize; + } + + public void BlockUpdate(byte[] input, int inOff, int len) + { + if (input.Length - inOff < len) + { + throw new DataLengthException("Input buffer too short"); + } + + if (paddedKey == null) + { + throw new InvalidOperationException(AlgorithmName + " not initialised"); + } + + engine.BlockUpdate(input, inOff, len); + inputLength += (ulong)len; + + } + + public void Update(byte input) + { + engine.Update(input); + inputLength++; + } + + public int DoFinal(byte[] output, int outOff) + { + if (output.Length - outOff < macSize) + { + throw new DataLengthException("Output buffer too short"); + } + if (paddedKey == null) + { + throw new InvalidOperationException(AlgorithmName + " not initialised"); + } + + Pad(); + + engine.BlockUpdate(invertedKey, 0, invertedKey.Length); + + inputLength = 0; + + return engine.DoFinal(output, outOff); + } + + public void Reset() + { + inputLength = 0; + engine.Reset(); + if (paddedKey != null) + { + engine.BlockUpdate(paddedKey, 0, paddedKey.Length); + } + } + + private void Pad() + { + int extra = engine.GetByteLength() - (int)(inputLength % (ulong)engine.GetByteLength()); + if (extra < 13) // terminator byte + 96 bits of length + { + extra += engine.GetByteLength(); + } + + byte[] padded = new byte[extra]; + + padded[0] = (byte)0x80; // Defined in standard; + + // Defined in standard; + Pack.UInt64_To_LE(inputLength * 8, padded, padded.Length - 12); + + engine.BlockUpdate(padded, 0, padded.Length); + } + + private byte[] PadKey(byte[] input) + { + int paddedLen = ((input.Length + engine.GetByteLength() - 1) / engine.GetByteLength()) *engine.GetByteLength(); + + int extra = engine.GetByteLength() - (int)(input.Length % engine.GetByteLength()); + if (extra < 13) // terminator byte + 96 bits of length + { + paddedLen += engine.GetByteLength(); + } + + byte[] padded = new byte[paddedLen]; + + Array.Copy(input, 0, padded, 0, input.Length); + + padded[input.Length] = (byte)0x80; // Defined in standard; + Pack.UInt32_To_LE((uint)(input.Length * 8), padded, padded.Length - 12); // Defined in standard; + + return padded; + } + } +} diff --git a/crypto/test/src/crypto/test/DSTU7564Test.cs b/crypto/test/src/crypto/test/DSTU7564Test.cs new file mode 100644 index 000000000..d83311463 --- /dev/null +++ b/crypto/test/src/crypto/test/DSTU7564Test.cs @@ -0,0 +1,479 @@ +using System; + +using NUnit.Framework; + +using Org.BouncyCastle.Crypto; +using Org.BouncyCastle.Crypto.Digests; +using Org.BouncyCastle.Utilities.Encoders; +using Org.BouncyCastle.Utilities.Test; +using Org.BouncyCastle.Crypto.Macs; +using Org.BouncyCastle.Crypto.Parameters; +using Org.BouncyCastle.Utilities; + +namespace Org.BouncyCastle.Crypto.Tests +{ + /** + * standard vector test for SHA-384 from FIPS Draft 180-2. + * + * Note, the first two vectors are _not_ from the draft, the last three are. + */ + [TestFixture] + public class Dstu7564Test + : DigestTest + { + private static string[] messages = + { + "", + "a", + "abc", + "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu" + }; + + private static string[] digests = + { + "cd5101d1ccdf0d1d1f4ada56e888cd724ca1a0838a3521e7131d4fb78d0f5eb6", + "c51a1d639596fb613d86557314a150c40f8fff3de48bc93a3b03c161f4105ee4", + "0bd1b36109f1318411a0517315aa46b8839df06622a278676f5487996c9cfc04", + "02621dbb53f2c7001be64d7308ecb80d21ba7797c92e98d1efc240d41e4c414b" + }; + + public Dstu7564Test() + : base(new Dstu7564Digest(256), messages, digests) + { + } + + public override void PerformTest() + { + base.PerformTest(); + + hash256Tests(); + hash384Tests(); + hash512Tests(); + macTests(); + overflowTest(); + } + + private void overflowTest() + { + int macBitSize = 256; + byte[] input = new byte[1024]; + for (int i = 0; i != input.Length; i++) + { + input[i] = (byte)(i & 0xff); + } + byte[] key = Hex.Decode("1F1E1D1C1B1A191817161514131211100F0E0D0C0B0A09080706050403020100"); + + byte[] expectedMac = Hex.Decode("165382df70adcb040b17c1aced117d26d598b239ab631271a05f6d0f875ae9ea"); + byte[] mac = new byte[macBitSize / 8]; + + DSTU7564Mac dstu7564mac = new DSTU7564Mac(macBitSize); + + dstu7564mac.Init(new KeyParameter(key)); + dstu7564mac.BlockUpdate(input, 0, input.Length); + dstu7564mac.DoFinal(mac, 0); + + if (!Arrays.AreEqual(expectedMac, mac)) + { + Fail("Failed overflow test 2 - expected " + + Hex.ToHexString(expectedMac) + + " got " + Hex.ToHexString(mac)); + } + + macBitSize = 256; + input = new byte[1023]; + for (int i = 0; i != input.Length; i++) + { + input[i] = (byte)(i & 0xff); + } + key = Hex.Decode("1F1E1D1C1B1A191817161514131211100F0E0D0C0B0A09080706050403020100"); + + expectedMac = Hex.Decode("ed45f163e694d990d2d835dca2f3f869a55a31396c8138161b190d5914d50686"); + mac = new byte[macBitSize / 8]; + + dstu7564mac = new DSTU7564Mac(macBitSize); + + dstu7564mac.Init(new KeyParameter(key)); + dstu7564mac.BlockUpdate(input, 0, input.Length); + dstu7564mac.DoFinal(mac, 0); + + if (!Arrays.AreEqual(expectedMac, mac)) + { + Fail("Failed overflow test 3 - expected " + + Hex.ToHexString(expectedMac) + + " got " + Hex.ToHexString(mac)); + } + + Dstu7564Digest digest = new Dstu7564Digest(macBitSize); + byte[] expectedDigest = Hex.Decode("97e84ee3b7ca2e9b0148878e88da09152952de7dd66e45d1b50ec4640932f527"); + byte[] digestBuf = new byte[macBitSize / 8]; + + digest.BlockUpdate(input, 0, input.Length); + digest.DoFinal(digestBuf, 0); + + if (!Arrays.AreEqual(expectedDigest, digestBuf)) + { + Fail("Failed overflow test 4 - expected " + + Hex.ToHexString(expectedDigest) + + " got " + Hex.ToHexString(digestBuf)); + } + + expectedDigest = Hex.Decode("6f8f0a3f8261af77581ab01cb89d4cb5ed87ca1d9954f11d5586e94b45c82fb8"); + + input = new byte[51]; + for (int i = 0; i != input.Length; i++) + { + input[i] = (byte)(i & 0xff); + } + + digest.BlockUpdate(input, 0, input.Length); + digest.DoFinal(digestBuf, 0); + + if (!Arrays.AreEqual(expectedDigest, digestBuf)) + { + Fail("Failed overflow test 5 - expected " + + Hex.ToHexString(expectedDigest) + + " got " + Hex.ToHexString(digestBuf)); + } + + input = new byte[52]; + for (int i = 0; i != input.Length; i++) + { + input[i] = (byte)(i & 0xff); + } + + expectedDigest = Hex.Decode("2d60e14ead298848031a3321ebf9e8e5263228c498e2d8ba8a857d4979aca4b3"); + + digest.BlockUpdate(input, 0, input.Length); + digest.DoFinal(digestBuf, 0); + + if (!Arrays.AreEqual(expectedDigest, digestBuf)) + { + Fail("Failed overflow test 6 - expected " + + Hex.ToHexString(expectedDigest) + + " got " + Hex.ToHexString(digestBuf)); + } + } + + private void macTests() + { + + //test1 + int macBitSize = 256; + byte[] input = Hex.Decode("000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E"); + byte[] key = Hex.Decode("1F1E1D1C1B1A191817161514131211100F0E0D0C0B0A09080706050403020100"); + + byte[] expectedMac = Hex.Decode("B60594D56FA79BA210314C72C2495087CCD0A99FC04ACFE2A39EF669925D98EE"); + byte[] mac = new byte[macBitSize / 8]; + + DSTU7564Mac dstu7564mac = new DSTU7564Mac(macBitSize); + + dstu7564mac.Init(new KeyParameter(key)); + dstu7564mac.BlockUpdate(input, 0, input.Length); + dstu7564mac.DoFinal(mac, 0); + + if (!Arrays.AreEqual(expectedMac, mac)) + { + Fail("Failed mac test 1 - expected " + + Hex.ToHexString(expectedMac) + + " got " + Hex.ToHexString(mac)); + } + + //test 2 + macBitSize = 384; + input = Hex.Decode("000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E"); + key = Hex.Decode("2F2E2D2C2B2A292827262524232221201F1E1D1C1B1A191817161514131211100F0E0D0C0B0A09080706050403020100"); + + expectedMac = Hex.Decode("BEBFD8D730336F043ABACB41829E79A4D320AEDDD8D14024D5B805DA70C396FA295C281A38B30AE728A304B3F5AE490E"); + mac = new byte[macBitSize / 8]; + + dstu7564mac = new DSTU7564Mac(macBitSize); + + dstu7564mac.Init(new KeyParameter(key)); + dstu7564mac.BlockUpdate(input, 0, input.Length); + dstu7564mac.DoFinal(mac, 0); + + if (!Arrays.AreEqual(expectedMac, mac)) + { + Fail("Failed mac test 2 - expected " + + Hex.ToHexString(expectedMac) + + " got " + Hex.ToHexString(mac)); + } + + //test 3 + macBitSize = 512; + input = Hex.Decode("000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E"); + key = Hex.Decode("3F3E3D3C3B3A393837363534333231302F2E2D2C2B2A292827262524232221201F1E1D1C1B1A191817161514131211100F0E0D0C0B0A09080706050403020100"); + + expectedMac = Hex.Decode("F270043C06A5C37E65D9D791C5FBFB966E5EE709F8F54019C9A55B76CA40B70100579F269CEC24E347A9D864614CF3ABBF6610742E4DB3BD2ABC000387C49D24"); + mac = new byte[macBitSize / 8]; + + dstu7564mac = new DSTU7564Mac(macBitSize); + + dstu7564mac.Init(new KeyParameter(key)); + dstu7564mac.BlockUpdate(input, 0, input.Length); + dstu7564mac.DoFinal(mac, 0); + + if (!Arrays.AreEqual(expectedMac, mac)) + { + Fail("Failed mac test 3 - expected " + + Hex.ToHexString(expectedMac) + + " got " + Hex.ToHexString(mac)); + } + } + + private void hash512Tests() + { + + int hashBitSize = 512; + + //test 1 + byte[] input = Hex.Decode("000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F"); + byte[] expectedHash = Hex.Decode("3813E2109118CDFB5A6D5E72F7208DCCC80A2DFB3AFDFB02F46992B5EDBE536B3560DD1D7E29C6F53978AF58B444E37BA685C0DD910533BA5D78EFFFC13DE62A"); + byte[] hash = new byte[hashBitSize / 8]; + + + Dstu7564Digest dstu7564 = new Dstu7564Digest(hashBitSize); + dstu7564.BlockUpdate(input, 0, input.Length); + dstu7564.DoFinal(hash, 0); + + if (!Arrays.AreEqual(expectedHash, hash)) + { + Fail("Failed hash-512 test 1 - expected " + + Hex.ToHexString(expectedHash) + + " got " + Hex.ToHexString(hash)); + } + + //test 2 + input = Hex.Decode("000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F"); + expectedHash = Hex.Decode("76ED1AC28B1D0143013FFA87213B4090B356441263C13E03FA060A8CADA32B979635657F256B15D5FCA4A174DE029F0B1B4387C878FCC1C00E8705D783FD7FFE"); + hash = new byte[hashBitSize / 8]; + + + dstu7564 = new Dstu7564Digest(hashBitSize); + dstu7564.BlockUpdate(input, 0, input.Length); + dstu7564.DoFinal(hash, 0); + + if (!Arrays.AreEqual(expectedHash, hash)) + { + Fail("Failed hash-512 test 2 - expected " + + Hex.ToHexString(expectedHash) + + " got " + Hex.ToHexString(hash)); + } + + //test 3 + input = Hex.Decode("000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7C8C9CACBCCCDCECFD0D1D2D3D4D5D6D7D8D9DADBDCDDDEDFE0E1E2E3E4E5E6E7E8E9EAEBECEDEEEFF0F1F2F3F4F5F6F7F8F9FAFBFCFDFEFF"); + expectedHash = Hex.Decode("0DD03D7350C409CB3C29C25893A0724F6B133FA8B9EB90A64D1A8FA93B56556611EB187D715A956B107E3BFC76482298133A9CE8CBC0BD5E1436A5B197284F7E"); + hash = new byte[hashBitSize / 8]; + + + dstu7564 = new Dstu7564Digest(hashBitSize); + dstu7564.BlockUpdate(input, 0, input.Length); + dstu7564.DoFinal(hash, 0); + + if (!Arrays.AreEqual(expectedHash, hash)) + { + Fail("Failed hash-512 test 3 - expected " + + Hex.ToHexString(expectedHash) + + " got " + Hex.ToHexString(hash)); + } + + //test 4 + input = Hex.Decode("FF"); + expectedHash = Hex.Decode("871B18CF754B72740307A97B449ABEB32B64444CC0D5A4D65830AE5456837A72D8458F12C8F06C98C616ABE11897F86263B5CB77C420FB375374BEC52B6D0292"); + hash = new byte[hashBitSize / 8]; + + + dstu7564 = new Dstu7564Digest(hashBitSize); + dstu7564.BlockUpdate(input, 0, input.Length); + dstu7564.DoFinal(hash, 0); + + if (!Arrays.AreEqual(expectedHash, hash)) + { + Fail("Failed hash-512 test 4 - expected " + + Hex.ToHexString(expectedHash) + + " got " + Hex.ToHexString(hash)); + } + + //test 5 + input = Hex.Decode("000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBF"); + expectedHash = Hex.Decode("B189BFE987F682F5F167F0D7FA565330E126B6E592B1C55D44299064EF95B1A57F3C2D0ECF17869D1D199EBBD02E8857FB8ADD67A8C31F56CD82C016CF743121"); + hash = new byte[hashBitSize / 8]; + + + dstu7564 = new Dstu7564Digest(hashBitSize); + dstu7564.BlockUpdate(input, 0, input.Length); + dstu7564.DoFinal(hash, 0); + + if (!Arrays.AreEqual(expectedHash, hash)) + { + Fail("Failed hash-512 test 5 - expected " + + Hex.ToHexString(expectedHash) + + " got " + Hex.ToHexString(hash)); + } + + + //test 6 + input = Hex.Decode(""); + expectedHash = Hex.Decode("656B2F4CD71462388B64A37043EA55DBE445D452AECD46C3298343314EF04019BCFA3F04265A9857F91BE91FCE197096187CEDA78C9C1C021C294A0689198538"); + hash = new byte[hashBitSize / 8]; + + + dstu7564 = new Dstu7564Digest(hashBitSize); + dstu7564.BlockUpdate(input, 0, input.Length); + dstu7564.DoFinal(hash, 0); + + if (!Arrays.AreEqual(expectedHash, hash)) + { + Fail("Failed hash-512 test 6 - expected " + + Hex.ToHexString(expectedHash) + + " got " + Hex.ToHexString(hash)); + } + } + + private void hash384Tests() + { + + int hashBitSize = 384; + + //test 1 + byte[] input = Hex.Decode("000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E"); + byte[] expectedHash = Hex.Decode("D9021692D84E5175735654846BA751E6D0ED0FAC36DFBC0841287DCB0B5584C75016C3DECC2A6E47C50B2F3811E351B8"); + byte[] hash = new byte[hashBitSize / 8]; + + + Dstu7564Digest dstu7564 = new Dstu7564Digest(hashBitSize); + dstu7564.BlockUpdate(input, 0, input.Length); + dstu7564.DoFinal(hash, 0); + + if (!Arrays.AreEqual(expectedHash, hash)) + { + Fail("Failed hash-384 test 1 - expected " + + Hex.ToHexString(expectedHash) + + " got " + Hex.ToHexString(hash)); + } + } + + private void hash256Tests() + { + + int hashBitSize = 256; + + //test 1 + byte[] input = Hex.Decode("000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F"); + byte[] expectedHash = Hex.Decode("08F4EE6F1BE6903B324C4E27990CB24EF69DD58DBE84813EE0A52F6631239875"); + byte[] hash = new byte[hashBitSize / 8]; + + + Dstu7564Digest dstu7564 = new Dstu7564Digest(hashBitSize); + dstu7564.BlockUpdate(input, 0, input.Length); + dstu7564.DoFinal(hash, 0); + + if (!Arrays.AreEqual(expectedHash, hash)) + { + Fail("Failed hash-256 test 1 - expected " + + Hex.ToHexString(expectedHash) + + " got " + Hex.ToHexString(hash)); + } + + //test 2 + input = Hex.Decode("000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F"); + expectedHash = Hex.Decode("0A9474E645A7D25E255E9E89FFF42EC7EB31349007059284F0B182E452BDA882"); + hash = new byte[hashBitSize / 8]; + + + dstu7564 = new Dstu7564Digest(hashBitSize); + dstu7564.BlockUpdate(input, 0, input.Length); + dstu7564.DoFinal(hash, 0); + + if (!Arrays.AreEqual(expectedHash, hash)) + { + Fail("Failed hash-256 test 2 - expected " + + Hex.ToHexString(expectedHash) + + " got " + Hex.ToHexString(hash)); + } + + //test 3 + input = Hex.Decode("000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7C8C9CACBCCCDCECFD0D1D2D3D4D5D6D7D8D9DADBDCDDDEDFE0E1E2E3E4E5E6E7E8E9EAEBECEDEEEFF0F1F2F3F4F5F6F7F8F9FAFBFCFDFEFF"); + expectedHash = Hex.Decode("D305A32B963D149DC765F68594505D4077024F836C1BF03806E1624CE176C08F"); + hash = new byte[hashBitSize / 8]; + + dstu7564 = new Dstu7564Digest(hashBitSize); + dstu7564.BlockUpdate(input, 0, input.Length); + dstu7564.DoFinal(hash, 0); + + if (!Arrays.AreEqual(expectedHash, hash)) + { + Fail("Failed hash-256 test 3 - expected " + + Hex.ToHexString(expectedHash) + + " got " + Hex.ToHexString(hash)); + } + + //test 4 + input = Hex.Decode("FF"); + expectedHash = Hex.Decode("EA7677CA4526555680441C117982EA14059EA6D0D7124D6ECDB3DEEC49E890F4"); + hash = new byte[hashBitSize / 8]; + + dstu7564 = new Dstu7564Digest(hashBitSize); + dstu7564.BlockUpdate(input, 0, input.Length); + dstu7564.DoFinal(hash, 0); + + if (!Arrays.AreEqual(expectedHash, hash)) + { + Fail("Failed hash-256 test 4 - expected " + + Hex.ToHexString(expectedHash) + + " got " + Hex.ToHexString(hash)); + } + + //test 5 + input = Hex.Decode("000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E"); + expectedHash = Hex.Decode("1075C8B0CB910F116BDA5FA1F19C29CF8ECC75CAFF7208BA2994B68FC56E8D16"); + hash = new byte[hashBitSize / 8]; + + dstu7564 = new Dstu7564Digest(hashBitSize); + dstu7564.BlockUpdate(input, 0, input.Length); + dstu7564.DoFinal(hash, 0); + + if (!Arrays.AreEqual(expectedHash, hash)) + { + Fail("Failed hash-256 test 5 - expected " + + Hex.ToHexString(expectedHash) + + " got " + Hex.ToHexString(hash)); + } + + //test 6 + input = Hex.Decode(""); + expectedHash = Hex.Decode("CD5101D1CCDF0D1D1F4ADA56E888CD724CA1A0838A3521E7131D4FB78D0F5EB6"); + hash = new byte[hashBitSize / 8]; + + dstu7564 = new Dstu7564Digest(hashBitSize); + dstu7564.BlockUpdate(input, 0, input.Length); + dstu7564.DoFinal(hash, 0); + + if (!Arrays.AreEqual(expectedHash, hash)) + { + Fail("Failed hash-256 test 6 - expected " + + Hex.ToHexString(expectedHash) + + " got " + Hex.ToHexString(hash)); + } + } + + protected override IDigest CloneDigest(IDigest digest) + { + return new Dstu7564Digest((Dstu7564Digest)digest); + } + + public static void Main( + string[] args) + { + RunTest(new Dstu7564Test()); + } + + [Test] + public void TestFunction() + { + string resultText = Perform().ToString(); + Console.WriteLine(resultText); + Assert.AreEqual(Name + ": Okay", resultText); + } + } +} -- cgit 1.4.1