From 32d8dfa48a1f249173056e82bb87e34f07759226 Mon Sep 17 00:00:00 2001 
From: Darnell Andries 
Date: Thu, 27 Jun 2024 16:37:30 -0700
Subject: [PATCH] Update anonymous-credentials and brave-miracl
---
 .../anonymous_credentials/rs/Cargo.lock | 52 +-
 .../rust/anonymous_credentials/v0_1/BUILD.gn | 14 +-
 .../v0_1/README.chromium | 6 +-
 third_party/rust/brave_miracl/v0_1/BUILD.gn | 68 +-
 .../rust/brave_miracl/v0_1/README.chromium | 6 +-
 .../rust/chromium_crates_io/Cargo.lock | 4 +-
 .../rust/chromium_crates_io/Cargo.toml | 2 +-
 .../rust/chromium_crates_io/gnrt_config.toml | 4 +-
 .../.cargo_vcs_info.json | 6 -
 .../.cargo-checksum.json | 0
 .../.cargo_vcs_info.json | 6 +
 .../.gitignore | 0
 .../Cargo.toml | 2 +-
 .../Cargo.toml.orig | 4 +-
 .../LICENSE | 0
 .../README.md | 0
 .../src/data.rs | 19 +-
 .../src/join.rs | 0
 .../src/lib.rs | 16 +
 .../src/sign.rs | 0
 .../src/util.rs | 0
 .../brave-miracl-0.1.2/.cargo_vcs_info.json | 6 -
 .../brave-miracl-0.1.2/src/dilithium.rs | 1199 --------------
 .../vendor/brave-miracl-0.1.2/src/kyber.rs | 719 --------
 .../vendor/brave-miracl-0.1.2/src/x509.rs | 1285 ----------------
 .../.cargo-checksum.json | 0
 .../brave-miracl-0.1.3/.cargo_vcs_info.json | 6 +
 .../.gitignore | 0
 .../.gitmodules | 0
 .../Cargo.toml | 2 +-
 .../Cargo.toml.orig | 2 +-
 .../LICENSE | 0
 .../README.md | 0
 .../src/aes.rs | 105 +-
 .../src/arch.rs | 0
 .../src/bn254/big.rs | 0
 .../src/bn254/bls.rs | 2 +-
 .../src/bn254/dbig.rs | 0
 .../src/bn254/ecdh.rs | 0
 .../src/bn254/ecp.rs | 0
 .../src/bn254/ecp2.rs | 0
 .../src/bn254/eddsa.rs | 0
 .../src/bn254/fp.rs | 0
 .../src/bn254/fp12.rs | 0
 .../src/bn254/fp2.rs | 0
 .../src/bn254/fp4.rs | 0
 .../src/bn254/hpke.rs | 0
 .../src/bn254/mod.rs | 0
 .../src/bn254/mpin.rs | 0
 .../src/bn254/pair.rs | 0
 .../src/bn254/rom.rs | 0
 .../brave-miracl-0.1.3/src/dilithium.rs | 1248 ++++++++++++++++
 .../src/gcm.rs | 35 +-
 .../src/hash256.rs | 100 +-
 .../src/hash384.rs | 172 ++-
 .../src/hash512.rs | 172 ++-
 .../src/hmac.rs | 389 +++--
 .../vendor/brave-miracl-0.1.3/src/kyber.rs | 728 +++++++++
 .../src/lib.rs | 13 +-
 .../src/main.rs | 0
 .../src/nhs.rs | 0
 .../src/rand.rs | 4 +-
 .../src/sha3.rs | 177 +--
 .../src/share.rs | 91 +-
 .../vendor/brave-miracl-0.1.3/src/x509.rs | 1311 +++++++++++++++++
 65 files changed, 4137 insertions(+), 3838 deletions(-)
 delete mode 100644 third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.3/.cargo_vcs_info.json
 rename third_party/rust/chromium_crates_io/vendor/{anonymous-credentials-0.1.3 => anonymous-credentials-0.1.4}/.cargo-checksum.json (100%)
 create mode 100644 third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.4/.cargo_vcs_info.json
 rename third_party/rust/chromium_crates_io/vendor/{anonymous-credentials-0.1.3 => anonymous-credentials-0.1.4}/.gitignore (100%)
 rename third_party/rust/chromium_crates_io/vendor/{anonymous-credentials-0.1.3 => anonymous-credentials-0.1.4}/Cargo.toml (98%)
 rename third_party/rust/chromium_crates_io/vendor/{anonymous-credentials-0.1.3 => anonymous-credentials-0.1.4}/Cargo.toml.orig (83%)
 rename third_party/rust/chromium_crates_io/vendor/{anonymous-credentials-0.1.3 => anonymous-credentials-0.1.4}/LICENSE (100%)
 rename third_party/rust/chromium_crates_io/vendor/{anonymous-credentials-0.1.3 => anonymous-credentials-0.1.4}/README.md (100%)
 rename third_party/rust/chromium_crates_io/vendor/{anonymous-credentials-0.1.3 => anonymous-credentials-0.1.4}/src/data.rs (91%)
 rename third_party/rust/chromium_crates_io/vendor/{anonymous-credentials-0.1.3 => anonymous-credentials-0.1.4}/src/join.rs (100%)
 rename third_party/rust/chromium_crates_io/vendor/{anonymous-credentials-0.1.3 => anonymous-credentials-0.1.4}/src/lib.rs (90%)
 rename third_party/rust/chromium_crates_io/vendor/{anonymous-credentials-0.1.3 => anonymous-credentials-0.1.4}/src/sign.rs (100%)
 rename third_party/rust/chromium_crates_io/vendor/{anonymous-credentials-0.1.3 => anonymous-credentials-0.1.4}/src/util.rs (100%)
 delete mode 100644 third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/.cargo_vcs_info.json
 delete mode 100644 third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/dilithium.rs
 delete mode 100644 third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/kyber.rs
 delete mode 100644 third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/x509.rs
 rename third_party/rust/chromium_crates_io/vendor/{brave-miracl-0.1.2 => brave-miracl-0.1.3}/.cargo-checksum.json (100%)
 create mode 100644 third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/.cargo_vcs_info.json
 rename third_party/rust/chromium_crates_io/vendor/{brave-miracl-0.1.2 => brave-miracl-0.1.3}/.gitignore (100%)
 rename third_party/rust/chromium_crates_io/vendor/{brave-miracl-0.1.2 => brave-miracl-0.1.3}/.gitmodules (100%)
 rename third_party/rust/chromium_crates_io/vendor/{brave-miracl-0.1.2 => brave-miracl-0.1.3}/Cargo.toml (98%)
 rename third_party/rust/chromium_crates_io/vendor/{brave-miracl-0.1.2 => brave-miracl-0.1.3}/Cargo.toml.orig (96%)
 rename third_party/rust/chromium_crates_io/vendor/{brave-miracl-0.1.2 => brave-miracl-0.1.3}/LICENSE (100%)
 rename third_party/rust/chromium_crates_io/vendor/{brave-miracl-0.1.2 => brave-miracl-0.1.3}/README.md (100%)
 rename third_party/rust/chromium_crates_io/vendor/{brave-miracl-0.1.2 => brave-miracl-0.1.3}/src/aes.rs (94%)
 rename third_party/rust/chromium_crates_io/vendor/{brave-miracl-0.1.2 => brave-miracl-0.1.3}/src/arch.rs (100%)
 rename third_party/rust/chromium_crates_io/vendor/{brave-miracl-0.1.2 => brave-miracl-0.1.3}/src/bn254/big.rs (100%)
 rename third_party/rust/chromium_crates_io/vendor/{brave-miracl-0.1.2 => brave-miracl-0.1.3}/src/bn254/bls.rs (97%)
 rename third_party/rust/chromium_crates_io/vendor/{brave-miracl-0.1.2 => brave-miracl-0.1.3}/src/bn254/dbig.rs (100%)
 rename third_party/rust/chromium_crates_io/vendor/{brave-miracl-0.1.2 => brave-miracl-0.1.3}/src/bn254/ecdh.rs (100%)
 rename third_party/rust/chromium_crates_io/vendor/{brave-miracl-0.1.2 => brave-miracl-0.1.3}/src/bn254/ecp.rs (100%)
 rename third_party/rust/chromium_crates_io/vendor/{brave-miracl-0.1.2 => brave-miracl-0.1.3}/src/bn254/ecp2.rs (100%)
 rename third_party/rust/chromium_crates_io/vendor/{brave-miracl-0.1.2 => brave-miracl-0.1.3}/src/bn254/eddsa.rs (100%)
 rename third_party/rust/chromium_crates_io/vendor/{brave-miracl-0.1.2 => brave-miracl-0.1.3}/src/bn254/fp.rs (100%)
 rename third_party/rust/chromium_crates_io/vendor/{brave-miracl-0.1.2 => brave-miracl-0.1.3}/src/bn254/fp12.rs (100%)
 rename third_party/rust/chromium_crates_io/vendor/{brave-miracl-0.1.2 => brave-miracl-0.1.3}/src/bn254/fp2.rs (100%)
 rename third_party/rust/chromium_crates_io/vendor/{brave-miracl-0.1.2 => brave-miracl-0.1.3}/src/bn254/fp4.rs (100%)
 rename third_party/rust/chromium_crates_io/vendor/{brave-miracl-0.1.2 => brave-miracl-0.1.3}/src/bn254/hpke.rs (100%)
 rename third_party/rust/chromium_crates_io/vendor/{brave-miracl-0.1.2 => brave-miracl-0.1.3}/src/bn254/mod.rs (100%)
 rename third_party/rust/chromium_crates_io/vendor/{brave-miracl-0.1.2 => brave-miracl-0.1.3}/src/bn254/mpin.rs (100%)
 rename third_party/rust/chromium_crates_io/vendor/{brave-miracl-0.1.2 => brave-miracl-0.1.3}/src/bn254/pair.rs (100%)
 rename third_party/rust/chromium_crates_io/vendor/{brave-miracl-0.1.2 => brave-miracl-0.1.3}/src/bn254/rom.rs (100%)
 create mode 100644 third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/dilithium.rs
 rename third_party/rust/chromium_crates_io/vendor/{brave-miracl-0.1.2 => brave-miracl-0.1.3}/src/gcm.rs (95%)
 rename third_party/rust/chromium_crates_io/vendor/{brave-miracl-0.1.2 => brave-miracl-0.1.3}/src/hash256.rs (77%)
 rename third_party/rust/chromium_crates_io/vendor/{brave-miracl-0.1.2 => brave-miracl-0.1.3}/src/hash384.rs (69%)
 rename third_party/rust/chromium_crates_io/vendor/{brave-miracl-0.1.2 => brave-miracl-0.1.3}/src/hash512.rs (69%)
 rename third_party/rust/chromium_crates_io/vendor/{brave-miracl-0.1.2 => brave-miracl-0.1.3}/src/hmac.rs (70%)
 create mode 100644 third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/kyber.rs
 rename third_party/rust/chromium_crates_io/vendor/{brave-miracl-0.1.2 => brave-miracl-0.1.3}/src/lib.rs (99%)
 rename third_party/rust/chromium_crates_io/vendor/{brave-miracl-0.1.2 => brave-miracl-0.1.3}/src/main.rs (100%)
 rename third_party/rust/chromium_crates_io/vendor/{brave-miracl-0.1.2 => brave-miracl-0.1.3}/src/nhs.rs (100%)
 rename third_party/rust/chromium_crates_io/vendor/{brave-miracl-0.1.2 => brave-miracl-0.1.3}/src/rand.rs (99%)
 rename third_party/rust/chromium_crates_io/vendor/{brave-miracl-0.1.2 => brave-miracl-0.1.3}/src/sha3.rs (64%)
 rename third_party/rust/chromium_crates_io/vendor/{brave-miracl-0.1.2 => brave-miracl-0.1.3}/src/share.rs (72%)
 create mode 100644 third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/x509.rs
diff --git a/components/web_discovery/browser/anonymous_credentials/rs/Cargo.lock b/components/web_discovery/browser/anonymous_credentials/rs/Cargo.lock
index 20ff89ce66fc..cefc9fa91611 100644
--- a/components/web_discovery/browser/anonymous_credentials/rs/Cargo.lock
+++ b/components/web_discovery/browser/anonymous_credentials/rs/Cargo.lock
@@ -4,9 +4,9 @@ version = 3
 [[package]]
 name = "anonymous-credentials"
-version = "0.1.3"
+version = "0.1.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1acf2ababbdec2b27c687c7bc761c314055af0453f70f2df2417b686b475c3df"
+checksum = "92cf8b44719f5d7259b63e8d729b6a1d04ef475984b463048ef3fb14a1f65884"
 dependencies = [
 "brave-miracl",
 "lazy_static",
@@ -24,15 +24,15 @@ dependencies = [
 [[package]]
 name = "brave-miracl"
-version = "0.1.2"
+version = "0.1.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "22bc3fa88a8cf37713577f7123a18636092c7ef2b6651eee2409fb0f9569f3b3"
+checksum = "1529922eb7ce7b0f2cae0be12f200c17bebd5e0141019be023ddd50a8fd435f4"
 [[package]]
 name = "cc"
-version = "1.0.95"
+version = "1.0.101"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d32a725bc159af97c3e629873bb9f88fb8cf8a4867175f76dc987815ea07c83b"
+checksum = "ac367972e516d45567c7eafc73d24e1c193dcf200a8d94e9db7b3d38b349572d"
 [[package]]
 name = "cfg-if"
@@ -42,9 +42,9 @@ checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
 [[package]]
 name = "cxx"
-version = "1.0.121"
+version = "1.0.124"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "21db378d04296a84d8b7d047c36bb3954f0b46529db725d7e62fb02f9ba53ccc"
+checksum = "273dcfd3acd4e1e276af13ed2a43eea7001318823e7a726a6b3ed39b4acc0b82"
 dependencies = [
 "cc",
 "cxxbridge-flags",
@@ -54,15 +54,15 @@ dependencies = [
 [[package]]
 name = "cxxbridge-flags"
-version = "1.0.121"
+version = "1.0.124"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "be8dcadd2e2fb4a501e1d9e93d6e88e6ea494306d8272069c92d5a9edf8855c0"
+checksum = "839fcd5e43464614ffaa989eaf1c139ef1f0c51672a1ed08023307fa1b909ccd"
 [[package]]
 name = "cxxbridge-macro"
-version = "1.0.121"
+version = "1.0.124"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ad08a837629ad949b73d032c637653d069e909cffe4ee7870b02301939ce39cc"
+checksum = "4b2c1c1776b986979be68bb2285da855f8d8a35851a769fca8740df7c3d07877"
 dependencies = [
 "proc-macro2",
 "quote",
@@ -71,9 +71,9 @@ dependencies = [
 [[package]]
 name = "getrandom"
-version = "0.2.14"
+version = "0.2.15"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "94b22e06ecb0110981051723910cbf0b5f5e09a2062dd7663334ee79a9d1286c"
+checksum = "c4567c8db10ae91089c99af84c68c38da3ec2f087c3f82960bcdbf3656b6f4d7"
 dependencies = [
 "cfg-if",
 "libc",
@@ -82,15 +82,15 @@ dependencies = [
 [[package]]
 name = "lazy_static"
-version = "1.4.0"
+version = "1.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646"
+checksum = "bbd2bcb4c963f2ddae06a2efc7e9f3591312473c50c6685e1f298068316e66fe"
 [[package]]
 name = "libc"
-version = "0.2.153"
+version = "0.2.155"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9c198f91728a82281a64e1f4f9eeb25d82cb32a5de251c6bd1b5154d63a8e7bd"
+checksum = "97b3888a4aecf77e811145cadf6eef5901f4782c53886191b2f693f24761847c"
 [[package]]
 name = "link-cplusplus"
@@ -109,9 +109,9 @@ checksum = "5b40af805b3121feab8a3c29f04d8ad262fa8e0561883e7653e024ae4479e6de"
 [[package]]
 name = "proc-macro2"
-version = "1.0.81"
+version = "1.0.86"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3d1597b0c024618f09a9c3b8655b7e430397a36d23fdafec26d6965e9eec3eba"
+checksum = "5e719e8df665df0d1c8fbfd238015744736151d4445ec0836b8e628aae103b77"
 dependencies = [
 "unicode-ident",
 ]
@@ -157,9 +157,9 @@ dependencies = [
 [[package]]
 name = "syn"
-version = "2.0.60"
+version = "2.0.68"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "909518bc7b1c9b779f1bbf07f2929d35af9f0f37e47c6e9ef7f9dddc1e1821f3"
+checksum = "901fa70d88b9d6c98022e23b4136f9f3e54e4662c3bc1bd1d84a42a9a0f0c1e9"
 dependencies = [
 "proc-macro2",
 "quote",
@@ -168,18 +168,18 @@ dependencies = [
 [[package]]
 name = "thiserror"
-version = "1.0.59"
+version = "1.0.61"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f0126ad08bff79f29fc3ae6a55cc72352056dfff61e3ff8bb7129476d44b23aa"
+checksum = "c546c80d6be4bc6a00c0f01730c08df82eaa7a7a61f11d656526506112cc1709"
 dependencies = [
 "thiserror-impl",
 ]
 [[package]]
 name = "thiserror-impl"
-version = "1.0.59"
+version = "1.0.61"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d1cd413b5d558b4c5bf3680e324a6fa5014e7b7c067a51e69dbdf47eb7148b66"
+checksum = "46c3384250002a6d5af4d114f2845d37b57521033f30d5c3f46c4d70e1197533"
 dependencies = [
 "proc-macro2",
 "quote",
diff --git a/third_party/rust/anonymous_credentials/v0_1/BUILD.gn b/third_party/rust/anonymous_credentials/v0_1/BUILD.gn
index 0bee7aeebbbb..2e45251529ac 100644
--- a/third_party/rust/anonymous_credentials/v0_1/BUILD.gn
+++ b/third_party/rust/anonymous_credentials/v0_1/BUILD.gn
@@ -13,19 +13,19 @@ cargo_crate("lib") {
 crate_name = "anonymous_credentials"
 epoch = "0.1"
 crate_type = "rlib"
- crate_root = "//brave/third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.3/src/lib.rs"
+ crate_root = "//brave/third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.4/src/lib.rs"
 sources = [
- "//brave/third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.3/src/data.rs",
- "//brave/third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.3/src/join.rs",
- "//brave/third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.3/src/lib.rs",
- "//brave/third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.3/src/sign.rs",
- "//brave/third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.3/src/util.rs",
+ "//brave/third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.4/src/data.rs",
+ "//brave/third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.4/src/join.rs",
+ "//brave/third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.4/src/lib.rs",
+ "//brave/third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.4/src/sign.rs",
+ "//brave/third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.4/src/util.rs",
 ]
 inputs = []
 build_native_rust_unit_tests = false
 edition = "2021"
- cargo_pkg_version = "0.1.3"
+ cargo_pkg_version = "0.1.4"
 cargo_pkg_authors = "Darnell Andries "
 cargo_pkg_name = "anonymous-credentials"
 cargo_pkg_description = "Implementation of Direct Anonymous Attestation for the Web Discovery Project"
diff --git a/third_party/rust/anonymous_credentials/v0_1/README.chromium b/third_party/rust/anonymous_credentials/v0_1/README.chromium
index 7fac2b8be3a4..f4773521c386 100644
--- a/third_party/rust/anonymous_credentials/v0_1/README.chromium
+++ b/third_party/rust/anonymous_credentials/v0_1/README.chromium
@@ -1,9 +1,9 @@
 Name: anonymous-credentials
 URL: https://crates.io/crates/anonymous-credentials
 Description: Implementation of Direct Anonymous Attestation for the Web Discovery Project
-Version: 0.1.3
+Version: 0.1.4
 Security Critical: yes
 Shipped: yes
 License: Mozilla Public License 2.0
-License File: //brave/third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.3/LICENSE
-Revision: 54001a03a26180747ed3a748acf7706c8f8bb8e7
+License File: //brave/third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.4/LICENSE
+Revision: 39c1a940b4ef9cb01c0a21c04a64a581c905426d
diff --git a/third_party/rust/brave_miracl/v0_1/BUILD.gn b/third_party/rust/brave_miracl/v0_1/BUILD.gn
index 2dc062bd8aa5..28a360c7d608 100644
--- a/third_party/rust/brave_miracl/v0_1/BUILD.gn
+++ b/third_party/rust/brave_miracl/v0_1/BUILD.gn
@@ -13,46 +13,46 @@ cargo_crate("lib") {
 crate_name = "brave_miracl"
 epoch = "0.1"
 crate_type = "rlib"
- crate_root = "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/lib.rs"
+ crate_root = "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/lib.rs"
 sources = [
- "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/aes.rs",
- "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/arch.rs",
- "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/bn254/big.rs",
- "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/bn254/bls.rs",
- "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/bn254/dbig.rs",
- "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/bn254/ecdh.rs",
- "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/bn254/ecp.rs",
- "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/bn254/ecp2.rs",
- "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/bn254/eddsa.rs",
- "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/bn254/fp.rs",
- "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/bn254/fp12.rs",
- "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/bn254/fp2.rs",
- "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/bn254/fp4.rs",
- "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/bn254/hpke.rs",
- "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/bn254/mod.rs",
- "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/bn254/mpin.rs",
- "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/bn254/pair.rs",
- "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/bn254/rom.rs",
- "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/dilithium.rs",
- "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/gcm.rs",
- "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/hash256.rs",
- "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/hash384.rs",
- "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/hash512.rs",
- "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/hmac.rs",
- "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/kyber.rs",
- "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/lib.rs",
- "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/main.rs",
- "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/nhs.rs",
- "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/rand.rs",
- "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/sha3.rs",
- "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/share.rs",
- "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/x509.rs",
+ "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/aes.rs",
+ "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/arch.rs",
+ "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/bn254/big.rs",
+ "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/bn254/bls.rs",
+ "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/bn254/dbig.rs",
+ "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/bn254/ecdh.rs",
+ "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/bn254/ecp.rs",
+ "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/bn254/ecp2.rs",
+ "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/bn254/eddsa.rs",
+ "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/bn254/fp.rs",
+ "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/bn254/fp12.rs",
+ "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/bn254/fp2.rs",
+ "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/bn254/fp4.rs",
+ "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/bn254/hpke.rs",
+ "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/bn254/mod.rs",
+ "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/bn254/mpin.rs",
+ "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/bn254/pair.rs",
+ "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/bn254/rom.rs",
+ "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/dilithium.rs",
+ "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/gcm.rs",
+ "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/hash256.rs",
+ "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/hash384.rs",
+ "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/hash512.rs",
+ "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/hmac.rs",
+ "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/kyber.rs",
+ "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/lib.rs",
+ "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/main.rs",
+ "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/nhs.rs",
+ "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/rand.rs",
+ "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/sha3.rs",
+ "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/share.rs",
+ "//brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/x509.rs",
 ]
 inputs = []
 build_native_rust_unit_tests = false
 edition = "2021"
- cargo_pkg_version = "0.1.2"
+ cargo_pkg_version = "0.1.3"
 cargo_pkg_authors = "Mike Scott "
 cargo_pkg_name = "brave-miracl"
 cargo_pkg_description =
diff --git a/third_party/rust/brave_miracl/v0_1/README.chromium b/third_party/rust/brave_miracl/v0_1/README.chromium
index 8803bec03fbb..2220ddbaabca 100644
--- a/third_party/rust/brave_miracl/v0_1/README.chromium
+++ b/third_party/rust/brave_miracl/v0_1/README.chromium
@@ -1,9 +1,9 @@
 Name: brave-miracl
 URL: https://crates.io/crates/brave-miracl
 Description: Subset of the MIRACL Core library that includes the bn254 elliptic curve
-Version: 0.1.2
+Version: 0.1.3
 Security Critical: yes
 Shipped: yes
 License: Apache 2.0
-License File: //brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/LICENSE
-Revision: 4294e2675ef3016ec941d2011b93226832fb8431
+License File: //brave/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/LICENSE
+Revision: fb447a11105dae466ddd7f9eb666a30cbceff539
diff --git a/third_party/rust/chromium_crates_io/Cargo.lock b/third_party/rust/chromium_crates_io/Cargo.lock
index edd1b87e1b0f..b38bd5e523f2 100644
--- a/third_party/rust/chromium_crates_io/Cargo.lock
+++ b/third_party/rust/chromium_crates_io/Cargo.lock
@@ -102,7 +102,7 @@ dependencies = [
 [[package]]
 name = "anonymous-credentials"
-version = "0.1.3"
+version = "0.1.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 dependencies = [
 "brave-miracl",
@@ -272,7 +272,7 @@ dependencies = [
 [[package]]
 name = "brave-miracl"
-version = "0.1.2"
+version = "0.1.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 [[package]]
diff --git a/third_party/rust/chromium_crates_io/Cargo.toml b/third_party/rust/chromium_crates_io/Cargo.toml
index 6a5a3443ec32..2d0019787aae 100644
--- a/third_party/rust/chromium_crates_io/Cargo.toml
+++ b/third_party/rust/chromium_crates_io/Cargo.toml
@@ -81,7 +81,7 @@ package = "constellation-cxx"
 path = "../../../components/challenge_bypass_ristretto/rust/cxx"
 package = "challenge-bypass-ristretto-cxx"
-[patch.crates-io.anonymous-credentials_v0_1]
+[patch.crates-io.anonymous-credentials-cxx_v0_1]
 path = "../../../components/web_discovery/browser/anonymous_credentials/rs"
 package = "anonymous-credentials-cxx"
diff --git a/third_party/rust/chromium_crates_io/gnrt_config.toml b/third_party/rust/chromium_crates_io/gnrt_config.toml
index b75efa445cea..b47bfbbbf57e 100644
--- a/third_party/rust/chromium_crates_io/gnrt_config.toml
+++ b/third_party/rust/chromium_crates_io/gnrt_config.toml
@@ -110,8 +110,8 @@ if (target_os == "android" && target_cpu == "arm64") {
 }
 '''
 }
-[crate.anonymous_credentials]
-license_files = ['LICENCE']
+[crate.anonymous-credentials]
+license_files = ['LICENSE']
 [crate.ansi_term]
 license_files = ['LICENCE']
diff --git a/third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.3/.cargo_vcs_info.json b/third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.3/.cargo_vcs_info.json
deleted file mode 100644
index caa8d9ccd7d4..000000000000
--- a/third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.3/.cargo_vcs_info.json
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- "git": {
- "sha1": "54001a03a26180747ed3a748acf7706c8f8bb8e7"
- },
- "path_in_vcs": ""
-}
\ No newline at end of file
diff --git a/third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.3/.cargo-checksum.json b/third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.4/.cargo-checksum.json
similarity index 100%
rename from third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.3/.cargo-checksum.json
rename to third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.4/.cargo-checksum.json
diff --git a/third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.4/.cargo_vcs_info.json b/third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.4/.cargo_vcs_info.json
new file mode 100644
index 000000000000..db43b7fcd30e
--- /dev/null
+++ b/third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.4/.cargo_vcs_info.json
@@ -0,0 +1,6 @@
+{
+ "git": {
+ "sha1": "39c1a940b4ef9cb01c0a21c04a64a581c905426d"
+ },
+ "path_in_vcs": ""
+}
\ No newline at end of file
diff --git a/third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.3/.gitignore b/third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.4/.gitignore
similarity index 100%
rename from third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.3/.gitignore
rename to third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.4/.gitignore
diff --git a/third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.3/Cargo.toml b/third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.4/Cargo.toml
similarity index 98%
rename from third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.3/Cargo.toml
rename to third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.4/Cargo.toml
index 62e3f2249448..7624650084b5 100644
--- a/third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.3/Cargo.toml
+++ b/third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.4/Cargo.toml
@@ -12,7 +12,7 @@
 [package]
 edition = "2021"
 name = "anonymous-credentials"
-version = "0.1.3"
+version = "0.1.4"
 authors = ["Darnell Andries "]
 description = "Implementation of Direct Anonymous Attestation for the Web Discovery Project"
 readme = "README.md"
diff --git a/third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.3/Cargo.toml.orig b/third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.4/Cargo.toml.orig
similarity index 83%
rename from third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.3/Cargo.toml.orig
rename to third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.4/Cargo.toml.orig
index fb480d37bc81..d8cf642a798e 100644
--- a/third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.3/Cargo.toml.orig
+++ b/third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.4/Cargo.toml.orig
@@ -1,6 +1,6 @@
 [package]
 name = "anonymous-credentials"
-version = "0.1.3"
+version = "0.1.4"
 edition = "2021"
 authors = ["Darnell Andries "]
 description = "Implementation of Direct Anonymous Attestation for the Web Discovery Project"
@@ -12,7 +12,7 @@ categories = ["cryptography"]
 [dependencies]
 lazy_static = "1.4"
 rand = "0.8"
-brave-miracl = { version = "0.1", features = ["std"] }
+brave-miracl = { version = "0.1", features = ["std"], path = "../miracl-rs" }
 thiserror = "1.0"
 [dev-dependencies]
diff --git a/third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.3/LICENSE b/third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.4/LICENSE
similarity index 100%
rename from third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.3/LICENSE
rename to third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.4/LICENSE
diff --git a/third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.3/README.md b/third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.4/README.md
similarity index 100%
rename from third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.3/README.md
rename to third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.4/README.md
diff --git a/third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.3/src/data.rs b/third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.4/src/data.rs
similarity index 91%
rename from third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.3/src/data.rs
rename to third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.4/src/data.rs
index 91fb515e1cff..9952399319ed 100644
--- a/third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.3/src/data.rs
+++ b/third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.4/src/data.rs
@@ -18,17 +18,21 @@ pub const JOIN_RESPONSE_SIZE: usize = USER_CREDENTIALS_SIZE + ECP_PROOF_SIZE;
 pub const GROUP_PUBLIC_KEY_SIZE: usize = ECP2_COMPAT_SIZE * 2 + BIG_SIZE * 4;
 pub const SIGNATURE_SIZE: usize = ECP_SIZE * 5 + ECP_PROOF_SIZE;
+/// A "join" request to be sent to the issuer.
 pub struct JoinRequest {
 pub(crate) q: ECP, // G1 ** gsk
 pub(crate) proof: ECPProof,
 }
+/// A "join" response from the issuer, to be used
+/// to generate DAA credentials.
 pub struct JoinResponse {
 pub(crate) cred: UserCredentials,
 pub(crate) proof: ECPProof,
 }
+/// DAA credentials to be used for signing messages.
 pub struct UserCredentials {
 pub(crate) a: ECP,
 pub(crate) b: ECP,
@@ -36,6 +40,7 @@ pub struct UserCredentials {
 pub(crate) d: ECP,
 }
+/// A DAA signature to be sent to the verifier.
 pub struct Signature {
 pub(crate) a: ECP,
 pub(crate) b: ECP,
@@ -46,6 +51,9 @@ pub struct Signature {
 pub(crate) proof: ECPProof,
 }
+/// A group public key published by the issuer.
+/// This is required to finish the "join" process
+/// and acquire credentials.
 pub struct GroupPublicKey {
 pub(crate) x: ECP2, // G2 ** x
 pub(crate) y: ECP2, // G2 ** y
@@ -57,15 +65,20 @@ pub struct GroupPublicKey {
 pub(crate) sy: BIG,
 }
-pub struct ECPProof {
- pub(crate) c: BIG,
- pub(crate) s: BIG,
+pub(crate) struct ECPProof {
+ pub c: BIG,
+ pub s: BIG,
 }
+/// Wrapper for a big number.
 pub struct CredentialBIG(pub(crate) BIG);
+/// A result of starting the "join" process to acquire credentials.
 pub struct StartJoinResult {
+ /// Private key which should be persisted for finishing the "join"
+ /// process and future signing requests.
 pub gsk: CredentialBIG,
+ /// The join request to be sent to the issuer.
 pub join_msg: JoinRequest,
 }
diff --git a/third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.3/src/join.rs b/third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.4/src/join.rs
similarity index 100%
rename from third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.3/src/join.rs
rename to third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.4/src/join.rs
diff --git a/third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.3/src/lib.rs b/third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.4/src/lib.rs
similarity index 90%
rename from third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.3/src/lib.rs
rename to third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.4/src/lib.rs
index b0a5767be942..ac9a3bfb5ad5 100644
--- a/third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.3/src/lib.rs
+++ b/third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.4/src/lib.rs
@@ -1,3 +1,8 @@ +//! Partial implementation of Direct Anonymous Attestation (DAA) for the Web Discovery Project. +//! Only signer functions are available. Performs the same elliptic curve operations as the [original C library](https://github.com/whotracksme/anonymous-credentials). +//! +//! bn254 is the only supported curve for this library. + mod data; mod join; mod sign; @@ -37,18 +42,22 @@ pub enum CredentialError { pub type Result = std::result::Result; +/// Creates and manages Direct Anonymous Attestation credentials +/// using the bn254 curve. pub struct CredentialManager { rng: RAND, gsk_and_credentials: Option<(CredentialBIG, UserCredentials)>, } impl CredentialManager { + /// Creates new manager with random seed. pub fn new() -> Self { let mut entropy = [0u8; 128]; OsRng::default().fill_bytes(&mut entropy); Self::new_with_seed(&entropy) } + /// Creates new manager with fixed seed. Should only be used for testing. pub fn new_with_seed(entropy: &[u8]) -> Self { let mut rng = RAND::new(); @@ -60,10 +69,14 @@ impl CredentialManager { } } + /// Creates a "join" requests to be sent to the credential issuer, + /// for a given challenge. pub fn start_join(&mut self, challenge: &[u8]) -> StartJoinResult { start_join(&mut self.rng, challenge) } + /// Processes a "join" response from the issuer, and returns anonymous + /// credentials. pub fn finish_join( &mut self, public_key: &GroupPublicKey, 
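Review bot: The new doc on `new_with_seed` says it is for testing only but not why, and as a public function that is the sentence a caller will skip; `new` does nothing but draw 128 bytes from `OsRng` and pass them to `new_with_seed`, so the manager's randomness appears to come entirely from `entropy` (the seeding body continues past the hunk, so confirm). Suggest `/// Creates new manager from a fixed seed. The RNG is seeded only from `entropy`, so use this in tests only: a fixed or reused seed makes the randomness drawn during join and sign predictable.` The `start_join` doc in the next hunk has a typo: `Creates a "join" requests` should read `Creates a "join" request`.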
@@ -73,10 +86,13 @@ impl CredentialManager { finish_join(public_key, gsk, join_resp) } + /// Sets the key and credentials to be used for signing requests. pub fn set_gsk_and_credentials(&mut self, gsk: CredentialBIG, credentials: UserCredentials) { self.gsk_and_credentials = Some((gsk, credentials)); } + /// Signs a message using the pre-set credentials and a given basename. + /// Returns a signature to be sent to the verifier. pub fn sign(&mut self, msg: &[u8], basename: &[u8]) -> Result { match &self.gsk_and_credentials { Some((gsk, credentials)) => Ok(sign(&mut self.rng, gsk, credentials, msg, basename)), diff --git a/third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.3/src/sign.rs b/third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.4/src/sign.rs similarity index 100% rename from third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.3/src/sign.rs rename to third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.4/src/sign.rs diff --git a/third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.3/src/util.rs b/third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.4/src/util.rs similarity index 100% rename from third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.3/src/util.rs rename to third_party/rust/chromium_crates_io/vendor/anonymous-credentials-0.1.4/src/util.rs diff --git a/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/.cargo_vcs_info.json b/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/.cargo_vcs_info.json deleted file mode 100644 index a2ca3d221cd8..000000000000 --- a/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/.cargo_vcs_info.json +++ /dev/null @@ -1,6 +0,0 @@ -{ - "git": { - "sha1": "4294e2675ef3016ec941d2011b93226832fb8431" - }, - "path_in_vcs": "" -} \ No newline at end of file 
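Review bot: `sign` returns a `Result` but its new doc comment does not say when it fails, and the `None` arm of the match lies outside the hunk so the reader cannot tell from here; rustdoc convention is an `# Errors` section. Suggest adding `/// # Errors` followed by `/// Returns an error when no key and credentials have been set via `set_gsk_and_credentials`.`, naming the actual `CredentialError` variant once it is checked against the arm below the hunk. The `set_gsk_and_credentials` doc could likewise say that it replaces any previously set pair, which the assignment on the next line shows.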
diff --git a/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/dilithium.rs b/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/dilithium.rs
deleted file mode 100644
index e9c31b7ff59e..000000000000
--- a/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/dilithium.rs
+++ /dev/null
@@ -1,1199 +0,0 @@ -/* - * Copyright (c) 2012-2020 MIRACL UK Ltd. - * - * This file is part of MIRACL Core - * (see https://github.com/miracl/core). - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -/* Dilithium API high-level functions. Constant time where it matters. Slow (spends nearly all of its time running SHA3) but small. - -Note that the Matrix A is calculated on-the-fly to keep memory requirement minimal -But this makes all stages much slower -Note that -1. Matrix A can just be generated randomly for Key generation (without using SHA3 which is very slow) -2. A precalculated A can be included in the public key, for use by signature and verification (which blows up public key size) -3. Precalculating A for signature calculation means that the A does not have to re-calculated for each attempt to find a good signature - -Might be simpler to wait for hardware support for SHA3! - - M.Scott 30/09/2021 -*/ - -use crate::sha3; -use crate::sha3::SHA3; - -//q= 8380417 -const LGN: usize = 8; -const DEGREE: usize = 1< i32 { - let m = (t as u32).wrapping_mul(ND); - (((m as u64) * (PRIME as u64) + t) >> 32) as i32 -} - -fn nres(x: i32) -> i32 { - redc((x as u64) * R2MODP) -} - -fn modmul(a: i32, b: i32) -> i32 { - redc((a as u64) * (b as u64)) -} - -fn poly_pos(p: &mut [i32]) { - for j in 0..DEGREE { - p[j] += (p[j]>>31)&PRIME; - } -} -// NTT code - -// Important! 
-// nres(x); ntt(x) -// nres(y); ntt(y) -// z=x*y -// intt(z); -// redc(z); - -// is equivalent to (note that nres() and redc() cancel out) - -// ntt(x); -// nres(y); ntt(y); -// z=x*y -// intt(z) - -// is equivalent to - -// ntt(x) -// ntt(y) -// z=x*y -// intt(z) -// nres(z) - -// In all cases z ends up in normal (non-Montgomery) form! -// So the conversion to Montgomery form can be "pushed" through the calculation. - -// Here intt(z) <- intt(z);nres(z); -// Combining is more efficient -// note that ntt() and intt() are not mutually inverse - -/* Cooley-Tukey NTT */ -/* Excess of 2 allowed on input - coefficients must be < 2*PRIME */ -fn ntt(x: &mut [i32]) { - let mut t = DEGREE / 2; - let q = PRIME; - - /* Make positive */ - poly_pos(x); - - let mut m = 1; - while m < DEGREE { - let mut k = 0; - for i in 0..m { - let s = ROOTS[m + i]; - for j in k..k + t { - let u = x[j]; - let v = modmul(x[j + t], s); - x[j] = u + v; - x[j + t] = u + 2 * q - v; - } - k += 2 * t; - } - t /= 2; - m *= 2; - } -} - -/* Gentleman-Sande INTT */ -/* Excess of 2 allowed on input - coefficients must be < 2*PRIME */ -/* Output fully reduced */ - -const NTTL: usize = 2; // maybe could be 1? 
- -fn intt(x: &mut [i32]) { - let mut t = 1; - let q = PRIME; - let mut m = DEGREE / 2; - let mut n=LGN; - while m >= 1 { - let lim=NTTL>>n; - n-=1; - let mut k = 0; - for i in 0..m { - let s = IROOTS[m + i]; - for j in k..k + t { - let u:i32; - let v:i32; - if m> 31) & q; - } -} - -fn nres_it(p: &mut [i32]) { - for i in 0..DEGREE { - p[i] = nres(p[i]); - } -} - -fn redc_it(p: &mut [i32]) { - for i in 0..DEGREE { - p[i] = redc(p[i] as u64); - } -} - -fn poly_copy(p1: &mut [i32], p3: &[i32]) { - for i in 0..DEGREE { - p1[i] = p3[i]; - } -} - -fn poly_scopy(p1: &mut [i32], p3: &[i8]) { - for i in 0..DEGREE { - p1[i] = p3[i] as i32; - } -} - -fn poly_mcopy(p1: &mut [i32], p3: &[i16]) { - for i in 0..DEGREE { - p1[i] = p3[i] as i32; - } -} - -fn poly_zero(p1: &mut [i32]) { - for i in 0..DEGREE { - p1[i] = 0; - } -} - -fn poly_negate(p1: &mut [i32], p3: &[i32]) { - for i in 0..DEGREE { - p1[i] = PRIME-p3[i]; - } -} - -fn poly_mul(p1: &mut [i32], p3: &[i32]) { - for i in 0..DEGREE { - p1[i] = modmul(p1[i], p3[i]); - } -} - -fn poly_add(p1: &mut [i32], p3: &[i32]) { - for i in 0..DEGREE { - p1[i] += p3[i]; - } -} - -fn poly_sub(p1: &mut [i32], p3: &[i32]) { - for i in 0..DEGREE { - p1[i] += PRIME - p3[i]; - } -} - -/* reduces inputs < 2q */ -fn poly_soft_reduce(poly: &mut [i32]) { - for i in 0..DEGREE { - let e = poly[i] - PRIME; - poly[i] = e + ((e >> 31) & PRIME); - } -} - -/* fully reduces modulo q */ -fn poly_hard_reduce(poly: &mut [i32]) { - for i in 0..DEGREE { - let mut e = modmul(poly[i], ONE); - e -= PRIME; - poly[i] = e + ((e >> 31) & PRIME); - } -} - -// Generate a[i][j] from rho -fn expandaij(rho: &[u8],aij: &mut [i32],i:usize,j:usize) { - let mut buff: [u8; 4*DEGREE] = [0; 4*DEGREE]; - let mut sh = SHA3::new(sha3::SHAKE128); - for m in 0..32 { - sh.process(rho[m]) - } - sh.process(j as u8); - sh.process(i as u8); - sh.shake(&mut buff, 4*DEGREE); - let mut m=0; - let mut n=0; - while m=PRIME { - continue; - } - aij[m]=cf; - m+=1; - } -} - -// array t has ab 
active bits per word -// extract bytes from array of words -// if mx!=0 then -mx<=t[i]<=+mx -fn nextbyte32(ab: usize,mx: usize,t: &[i32],ptr:&mut usize,bts: &mut usize) -> u8 { - let mut left=ab-*bts; - let mut w=t[*ptr]; - let mxm=mx as i32; - if mxm!=0 { - w=mxm-w; - } - let mut r=w>>*bts; - let mut i=0; - while left<8 { - i+=1; - w=t[(*ptr)+i]; - if mxm!=0 { - w=mxm-w; - } - r |= w<=ab { - *bts -= ab; - *ptr+=1; - } - return r as u8; -} - -fn nextbyte16(ab: usize,mx: usize,t: &[i16],ptr:&mut usize,bts: &mut usize) -> u8 { - let mut left=ab-*bts; - let mut w=t[*ptr]; - let mxm=mx as i16; - if mxm!=0 { - w=mxm-w; - } - let mut r=w>>*bts; - let mut i=0; - while left<8 { - i+=1; - w=t[(*ptr)+i]; - if mxm!=0 { - w=mxm-w; - } - r |= w<=ab { - *bts -= ab; - *ptr += 1; - } - return r as u8; -} - -fn nextbyte8(ab: usize,mx: usize,t: &[i8],ptr:&mut usize,bts: &mut usize) -> u8 { - let mut left=ab-*bts; - let mut w=t[*ptr]; - let mxm=mx as i8; - if mxm!=0 { - w=mxm-w; - } - let mut r=w>>*bts; - let mut i=0; - while left<8 { - i+=1; - w=t[(*ptr)+i]; - if mxm!=0 { - w=mxm-w; - } - r |= w<=ab { - *bts -= ab; - *ptr+=1; - } - return r as u8; -} - -fn nextword(ab: usize,mx: usize,t: &[u8],ptr:&mut usize,bts: &mut usize) -> i32 { - let mut r=(t[*ptr]>>*bts) as i32; - let mxm=mx as i32; - let mask=(1<=8 { - *bts -= 8; - *ptr+=1; - } - w=r&mask; - if mxm!=0 { - w=mxm-w; - } - return w; -} - -fn pack_pk(params: &[usize],pk: &mut [u8],rho: &[u8],t1: &[i16]) { - let ck=params[3]; - for i in 0..32 { - pk[i]=rho[i]; - } - let mut ptr=0 as usize; - let mut bts=0 as usize; - let mut n=32; - for _ in 0..(ck*DEGREE*TD)/8 { - pk[n]=nextbyte16(TD,0,t1,&mut ptr,&mut bts); - n += 1; - } -} - -fn unpack_pk(params: &[usize],rho: &mut [u8],t1: &mut [i16],pk: &[u8]) { - let ck=params[3]; - for i in 0..32 { - rho[i]=pk[i]; - } - let mut ptr=0 as usize; - let mut bts=0 as usize; - for i in 0..ck*DEGREE { - t1[i]=nextword(TD,0,&pk[32..],&mut ptr,&mut bts) as i16; - } -} - -fn pack_sk(params: 
&[usize],sk: &mut [u8],rho: &[u8],bk: &[u8],tr: &[u8],s1: &[i8],s2: &[i8],t0: &[i16]) { - let ck=params[3]; - let el=params[4]; - let eta=params[5]; - let lg2eta1=params[6]; - - for i in 0..32 { - sk[i]=rho[i]; - } - let mut n=32; - for i in 0..32 { - sk[n]=bk[i]; n+=1; - } - for i in 0..32 { - sk[n]=tr[i]; n+=1; - } - let mut ptr=0 as usize; - let mut bts=0 as usize; - - for _ in 0..(el*DEGREE*lg2eta1)/8 { - sk[n]=nextbyte8(lg2eta1,eta,s1,&mut ptr,&mut bts); - n += 1; - } - ptr=0; bts=0; - for _ in 0..(ck*DEGREE*lg2eta1)/8 { - sk[n]=nextbyte8(lg2eta1,eta,s2,&mut ptr,&mut bts); - n += 1; - } - ptr=0; bts=0; - for _ in 0..(ck*DEGREE*D)/8 { - sk[n]=nextbyte16(D,1<<(D-1),t0,&mut ptr,&mut bts); - n += 1; - } -} - -fn unpack_sk(params: &[usize],rho: &mut [u8],bk: &mut [u8],tr: &mut [u8],s1: &mut [i8],s2: &mut [i8],t0: &mut [i16],sk: &[u8]) { - let ck=params[3]; - let el=params[4]; - let eta=params[5]; - let lg2eta1=params[6]; - - for i in 0..32 { - rho[i]=sk[i]; - } - let mut n=32; - for i in 0..32 { - bk[i]=sk[n]; n+=1; - } - for i in 0..32 { - tr[i]=sk[n]; n+=1; - } - let mut ptr=0 as usize; - let mut bts=0 as usize; - - for i in 0..el*DEGREE { - s1[i]=nextword(lg2eta1,eta,&sk[n..],&mut ptr,&mut bts) as i8; - } - n += ptr; - ptr=0; bts=0; - for i in 0..ck*DEGREE { - s2[i]=nextword(lg2eta1,eta,&sk[n..],&mut ptr,&mut bts) as i8; - } - n += ptr; - ptr=0; bts=0; - for i in 0..ck*DEGREE { - t0[i]=nextword(D,1<<(D-1),&sk[n..],&mut ptr,&mut bts) as i16; - } -} - -// pack signature - changes z -fn pack_sig(params: &[usize],sig: &mut [u8],z: &mut [i32],ct: &[u8],h: &[u8]) { - let lg=params[1]; - let gamma1=1<PRIME/2 { - t -= PRIME; - } - t=gamma1-t; - z[row+m]=t; - } - } - for _ in 0..(el*DEGREE*(lg+1))/8 { - sig[n]=nextbyte32(lg+1,0,z,&mut ptr,&mut bts); - n+=1; - } - for i in 0..omega+ck { - sig[n]=h[i]; - n+=1; - } -} - -fn unpack_sig(params: &[usize],z: &mut [i32],ct: &mut [u8],h: &mut [u8],sig: &[u8]) { - let lg=params[1]; - let gamma1=1<>8)&0xff) as u8); - sh.shake(&mut 
buff, 272); - - let eta=params[5]; - let lg2eta1=params[6]; - - let mut ptr=0 as usize; - let mut bts=0 as usize; - for m in 0..DEGREE { - loop { - s[m]=nextword(lg2eta1,0,&buff,&mut ptr,&mut bts) as i8; - if s[m]<=2*(eta as i8) { - break; - } - } - s[m]=(eta as i8)-s[m]; - } -} - -fn sample_y(params: &[usize],k: usize,rhod: &[u8],y: &mut [i32]) { - let lg=params[1]; - let gamma1=1<>8) as u8); - sh.shake(&mut buff, ((lg+1)*DEGREE)/8); - - let mut ptr=0 as usize; - let mut bts=0 as usize; - - for m in 0..DEGREE { - let mut w=nextword(lg+1,0,&buff,&mut ptr,&mut bts); - w=gamma1-w; - let t=w>>31; - y[row+m]=w+(PRIME&t); - } - } -} - -fn crh1(params: &[usize],h: &mut [u8],rho: &[u8],t1: &[i16]) { - let mut sh = SHA3::new(sha3::SHAKE256); - for j in 0..32 { - sh.process(rho[j]); - } - let ck=params[3]; - let mut ptr=0 as usize; - let mut bts=0 as usize; - - for _ in 0..(ck*DEGREE*TD)/8 { - sh.process(nextbyte16(TD,0,t1,&mut ptr,&mut bts)); - } - sh.shake(h, 32); -} - -fn crh2(h: &mut [u8],tr: &[u8],mess: &[u8]) { - let mut sh = SHA3::new(sha3::SHAKE256); - for j in 0..32 { - sh.process(tr[j]); - } - for j in 0..mess.len() { - sh.process(mess[j]); - } - sh.shake(h, 64); -} - -fn crh3(h: &mut [u8],bk: &[u8],mu: &[u8]) { - let mut sh = SHA3::new(sha3::SHAKE256); - for j in 0..32 { - sh.process(bk[j]); - } - for j in 0..64 { - sh.process(mu[j]); - } - sh.shake(h, 64); -} - -fn h4(params: &[usize],ct: &mut [u8], mu: &[u8],w1: &[i8]) { - let ck=params[3]; - let dv=params[2]; - let mut w1b=4; - if dv==88 { - w1b=6; - } - let mut sh = SHA3::new(sha3::SHAKE256); - for j in 0..64 { - sh.process(mu[j]); - } - - let mut ptr=0 as usize; - let mut bts=0 as usize; - - for _ in 0..(ck*DEGREE*w1b)/8 { - sh.process(nextbyte8(w1b,0,w1,&mut ptr,&mut bts)); - } - sh.shake(ct, 32); -} - -fn sampleinball(params: &[usize],ct: &[u8],c: &mut [i32]) { - let tau=params[0]; - let mut buff: [u8; 136] = [0; 136]; - let mut signs: [u8; 8] = [0; 8]; - let mut sh = SHA3::new(sha3::SHAKE256); - for j in 
0..32 { - sh.process(ct[j]); - } - sh.shake(&mut buff,136); - for i in 0..8 { - signs[i]=buff[i]; - } - let mut k=8; - let mut b=0; - poly_zero(c); - let mut j:usize; - let mut n=1; - let mut sn=signs[0]; - for i in DEGREE-tau..DEGREE { - loop { - j=buff[k] as usize; k+=1; - if j<=i { - break; - } - } - c[i]=c[j]; - c[j]=1-2*((sn as i32)&1); - sn >>= 1; b += 1; - if b==8 { - sn=signs[n]; n += 1; b=0; - } - } -} - -fn p2r(r0: &mut i32) -> i16 { - let d=(1<>D; - *r0-=r1 << D; - return r1 as i16; -} - -fn power2round(t: &[i32],t0: &mut [i16],t1: &mut [i16]) { - for m in 0..DEGREE { - let mut w=t[m]; - t1[m]=p2r(&mut w); - t0[m]=w as i16; - } -} - -fn decompose_lo(params: &[usize],a: i32) -> i32 { - let dv=params[2]; - let mut a1=(a+127) >> 7; - let gamma2:i32; - if dv==32 { - a1 = (a1*1025+(1<<21))>>22; - a1 &= 15; - gamma2=(PRIME-1)/32; - - } else { // 88 - a1 = (a1*11275 + (1 << 23)) >> 24; - a1 ^= ((43 - a1) >> 31) & a1; - gamma2=(PRIME-1)/88; - } - - let mut a0=a-a1*2*gamma2; - a0 -= (((PRIME-1)/2-a0)>>31)&PRIME; - a0 += (a0>>31)&PRIME; - return a0; -} - -fn decompose_hi(params: &[usize],a: i32) -> i8 { - let dv=params[2]; - - let mut a1=(a+127) >> 7; - if dv==32 { - a1 = (a1*1025+(1<<21))>>22; - a1 &= 15; - } else { // 88 - a1 = (a1*11275 + (1 << 23)) >> 24; - a1 ^= ((43 - a1) >> 31) & a1; - } - return a1 as i8; -} - -fn lobits(params: &[usize],r0: &mut [i32],r: &[i32]) { - for m in 0..DEGREE { - r0[m]=decompose_lo(params,r[m]); - } -} - -fn hibits(params: &[usize],r1: &mut [i8],r: &[i32]) { - for m in 0..DEGREE { - r1[m]=decompose_hi(params,r[m]); - } -} - -fn makepartialhint(params: &[usize],h: &mut [u8],hptr: usize,z: &[i32],r: &[i32]) -> usize { - let mut ptr=hptr; - let omega=params[7]; - for m in 0..DEGREE { - let a0=decompose_hi(params,r[m]); - let mut rz=r[m]+z[m]; - rz-=PRIME; - rz=rz+((rz>>31)&PRIME); - let a1=decompose_hi(params,rz); - if a0!=a1 { - if ptr>=omega { - return omega+1; - } - h[ptr]=(m&0xff) as u8; ptr += 1; - } - } - return ptr; -} - -fn 
usepartialhint(params: &[usize],r: &mut [i8],h: &[u8], hptr: usize,i: usize,w: &[i32]) -> usize{ - let mut ptr=hptr; - let dv=params[2] as i32; - let omega=params[7]; - let md=(dv/2) as i8; - - for m in 0..DEGREE { - let mut a1=decompose_hi(params,w[m]); - if m==h[ptr] as usize && ptr= md { - a1 -= md; - } - } else { - a1 -= 1; - if a1<0 { - a1 += md; - } - } - } - r[m]=a1; - } - return ptr; -} - -fn infinity_norm(w: &[i32]) -> i32 { - let mut n=0 as i32; - for m in 0..DEGREE { - let mut az=w[m]; - if az>PRIME/2 { - az=PRIME-az; - } - if az>n { - n=az; - } - } - return n; -} - -fn keypair(params: &[usize],tau: &[u8],sk: &mut [u8],pk: &mut [u8]) { - let mut sh = SHA3::new(sha3::SHAKE256); - let mut buff: [u8; 128] = [0; 128]; - let mut rho: [u8; 32] = [0; 32]; - let mut rhod: [u8; 64] = [0; 64]; - let mut bk: [u8; 32] = [0; 32]; - let mut tr: [u8; 32] = [0; 32]; - let mut aij: [i32; DEGREE] = [0; DEGREE]; - let mut s1: [i8; MAXL*DEGREE] = [0; MAXL*DEGREE]; - let mut s2: [i8; MAXK*DEGREE] = [0; MAXK*DEGREE]; - let mut t0: [i16; MAXK*DEGREE] = [0; MAXK*DEGREE]; - let mut t1: [i16; MAXK*DEGREE] = [0; MAXK*DEGREE]; - let mut w: [i32; DEGREE] = [0; DEGREE]; - let mut r: [i32; DEGREE] = [0; DEGREE]; - - let ck=params[3]; - let el=params[4]; - - for i in 0..32 { - sh.process(tau[i]); - } - sh.shake(&mut buff,128); - for i in 0..32 { - rho[i] = buff[i]; - bk[i] = buff[i+96]; - } - for i in 0..64 { - rhod[i] = buff[i+32]; - } - - for i in 0..el { - let row=DEGREE*i; - sample_sn(params,&rhod,&mut s1[row..],i); - } - - for i in 0..ck { - let row=DEGREE*i; - sample_sn(params,&rhod,&mut s2[row..],el+i); - poly_zero(&mut r); - for j in 0..el { - poly_scopy(&mut w,&s1[j*DEGREE..]); - ntt(&mut w); - expandaij(&rho,&mut aij,i,j); - poly_mul(&mut w,&aij); - poly_add(&mut r,&w); - } - poly_hard_reduce(&mut r); - intt(&mut r); - poly_scopy(&mut w,&s2[row..]); - poly_pos(&mut w); - poly_add(&mut r,&w); - poly_soft_reduce(&mut r); - power2round(&r,&mut t0[row..],&mut t1[row..]); - } - 
crh1(params,&mut tr,&rho,&t1); - pack_pk(params,pk,&rho,&t1); - pack_sk(params,sk,&rho,&bk,&tr,&s1,&s2,&t0); -} - -fn signature(params: &[usize],sk: &[u8],m: &[u8],sig: &mut[u8]) -> usize { - let mut rho: [u8; 32] = [0; 32]; - let mut bk: [u8; 32] = [0; 32]; - let mut ct: [u8; 32] = [0; 32]; - let mut tr: [u8; 32] = [0; 32]; - let mut mu: [u8; 64] = [0; 64]; - let mut rhod: [u8; 64] = [0; 64]; - let mut hint: [u8; 100] = [0; 100]; - - //let mut aij: [i32; DEGREE] = [0; DEGREE]; - let mut s1: [i8; MAXL*DEGREE] = [0; MAXL*DEGREE]; - let mut s2: [i8; MAXK*DEGREE] = [0; MAXK*DEGREE]; - let mut t0: [i16; MAXK*DEGREE] = [0; MAXK*DEGREE]; - - let mut y: [i32; MAXL*DEGREE] = [0; MAXL*DEGREE]; - let mut ay: [i32; MAXK*DEGREE] = [0; MAXK*DEGREE]; - - let mut w1: [i8; MAXK*DEGREE] = [0; MAXK*DEGREE]; - let mut c: [i32; DEGREE] = [0; DEGREE]; - let mut w: [i32; DEGREE] = [0; DEGREE]; - let mut r: [i32; DEGREE] = [0; DEGREE]; - - let tau=params[0]; - let lg=params[1]; - let gamma1=(1<=gamma1-beta { - badone=true; - break; - } - } - if badone { - continue; - } -// Calculate ay=w-c.s2 and r0=lobits(w-c.s2) - let mut nh=0; - for i in 0..omega+ck { - hint[i]=0; - } - for i in 0..ck { - let row=DEGREE*i; - poly_scopy(&mut w,&s2[row..]); - ntt(&mut w); - poly_mul(&mut w,&c); - intt(&mut w); - poly_sub(&mut ay[row..],&w); - poly_soft_reduce(&mut ay[row..]); - lobits(params,&mut w,&ay[row..]); - if infinity_norm(&w) >= gamma2-beta { - badone=true; - break; - } - poly_mcopy(&mut w,&t0[row..]); - ntt(&mut w); - poly_mul(&mut w,&c); - intt(&mut w); - poly_negate(&mut r,&w); - if infinity_norm(&r) >= gamma2 { - badone=true; - break; - } - poly_sub(&mut ay[row..],&r); - poly_soft_reduce(&mut ay[row..]); - nh=makepartialhint(params,&mut hint,nh,&r,&ay[row..]); - if nh>omega { - badone=true; - break; - } - hint[omega+i]=nh as u8; - } - if badone { - continue; - } - break; - } - pack_sig(params,sig,&mut y,&ct,&hint); - return k; -} - -fn verify(params: &[usize],pk: &[u8],m: &[u8],sig: &[u8]) 
-> bool { - let mut rho: [u8; 32] = [0; 32]; - let mut ct: [u8; 32] = [0; 32]; - let mut cct: [u8; 32] = [0; 32]; - let mut tr: [u8; 32] = [0; 32]; - let mut mu: [u8; 64] = [0; 64]; - let mut hint: [u8; 100] = [0; 100]; - - let mut z: [i32; MAXL*DEGREE] = [0; MAXL*DEGREE]; - let mut t1: [i16; MAXK*DEGREE] = [0; MAXK*DEGREE]; - let mut w1d: [i8; MAXK*DEGREE] = [0; MAXK*DEGREE]; - - let mut aij: [i32; DEGREE] = [0; DEGREE]; - let mut c: [i32; DEGREE] = [0; DEGREE]; - let mut w: [i32; DEGREE] = [0; DEGREE]; - let mut r: [i32; DEGREE] = [0; DEGREE]; - - let tau=params[0]; - let lg=params[1]; - let gamma1=(1<= gamma1-beta { - return false; - } - ntt(&mut z[row..]); - } - crh1(params,&mut tr,&rho,&t1); - crh2(&mut mu,&tr,m); - - sampleinball(params,&ct,&mut c); - ntt(&mut c); - -// Calculate az - let mut hints=0; - for i in 0..ck { - let row=DEGREE*i; - poly_zero(&mut r); - for j in 0..el { - poly_copy(&mut w,&z[j*DEGREE..]); - expandaij(&rho,&mut aij,i,j); - poly_mul(&mut w,&aij); - poly_add(&mut r,&w); - } - poly_hard_reduce(&mut r); - -// Calculate Az-ct1.2^d - for m in 0..DEGREE { - w[m]=((t1[row+m]) as i32) << D; - } - ntt(&mut w); - poly_mul(&mut w,&c); - poly_sub(&mut r,&w); - intt(&mut r); - - hints=usepartialhint(params,&mut w1d[row..],&mut hint,hints,i,&r); - if hints>omega { - return false; - } - } - - h4(params,&mut cct,&mu,&w1d); - - for i in 0..32 { - if ct[i]!=cct[i] { - return false; - } - } - return true; -} - -// Dilithium API - -pub fn keypair_2(tau: &[u8],sk: &mut [u8],pk: &mut [u8]) { - keypair(&PARAMS_2,tau,sk,pk); -} - -pub fn signature_2(sk: &[u8],m: &[u8],sig: &mut[u8]) -> usize { - return signature(&PARAMS_2,sk,m,sig); -} - -pub fn verify_2(pk: &[u8],m: &[u8],sig: &[u8]) -> bool { - return verify(&PARAMS_2,pk,m,sig); -} - - -pub fn keypair_3(tau: &[u8],sk: &mut [u8],pk: &mut [u8]) { - keypair(&PARAMS_3,tau,sk,pk); -} - -pub fn signature_3(sk: &[u8],m: &[u8],sig: &mut[u8]) -> usize { - return signature(&PARAMS_3,sk,m,sig); -} - -pub fn 
verify_3(pk: &[u8],m: &[u8],sig: &[u8]) -> bool { - return verify(&PARAMS_3,pk,m,sig); -} - - -pub fn keypair_5(tau: &[u8],sk: &mut [u8],pk: &mut [u8]) { - keypair(&PARAMS_5,tau,sk,pk); -} - -pub fn signature_5(sk: &[u8],m: &[u8],sig: &mut[u8]) -> usize { - return signature(&PARAMS_5,sk,m,sig); -} - -pub fn verify_5(pk: &[u8],m: &[u8],sig: &[u8]) -> bool { - return verify(&PARAMS_5,pk,m,sig); -} diff --git a/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/kyber.rs b/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/kyber.rs deleted file mode 100644 index fdd96edd7673..000000000000 --- a/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/kyber.rs +++ /dev/null 
@@ -1,719 +0,0 @@ -/* - * Copyright (c) 2012-2020 MIRACL UK Ltd. - * - * This file is part of MIRACL Core - * (see https://github.com/miracl/core). - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -/* Kyber API high-level functions. Constant time where it matters. Slow (spends nearly all of its time running SHA3) but small. - - M.Scott 06/07/2022 -*/ - -use crate::sha3; -use crate::sha3::SHA3; - -const LGN: usize = 8; -const DEGREE: usize = 1< i16 { - let dp=PRIME as i32; - let dt=(((a&0xffff)*QINV)&0xffff) as i16; - let t=((a-((dt as i32)*dp))>>16) as i16; - return t; -} - -fn barrett_reduce(a: i16) -> i16 { - let da=a as i32; - let mut t=((BARC*da + TWO25) >> 26) as i16; - t*=PRIME; - return a-t; -} - -fn fqmul(a: i16, b: i16) -> i16 { - return montgomery_reduce((a as i32)*(b as i32)); -} - -fn ntt(r: &mut [i16]) { - let mut k=1; - let mut len=128; - while len>=2 { - let mut start=0; - while start<256 { - let zeta=ZETAS[k]; k+=1; - let mut j=start; - while j>= 1; - } -} - -fn invntt(r: &mut [i16]) { - let f=1441 as i16; - let mut k=127; - let mut len=2; - while len<=128 { - let mut start=0; - while start<256 { - let zeta=ZETAS[k]; k-=1; - let mut j=start; - while j i16 { - let wd=n/8; - let bt=n%8; - return ((b[wd]>>bt)&1) as i16; -} - -fn cbd(bts: &[u8],eta: usize,f: &mut [i16]) { - for i in 0..DEGREE { - let mut a=0 as i16; - let mut b=0 as i16; - for j in 0..eta { - a+=getbit(bts,2*i*eta+j); - b+=getbit(bts,2*i*eta+eta+j); - } - f[i] = a-b; - } 
-} - -// extract ab bits into word from dense byte stream -fn nextword(ab: usize,t: &[u8],ptr: &mut usize,bts: &mut usize) -> i16 { - let mut r=(t[*ptr]>>(*bts)) as i16; - let mask=((1<=8 { - *bts -= 8; - *ptr += 1; - } - return r&mask; -} - -fn nextbyte16(ab: usize,t: &[i16],ptr: &mut usize,bts: &mut usize) -> u8 { - let mut left=ab-(*bts); - let mut i=0; - let mut w=t[*ptr]; w+=(w>>15)&PRIME; - let mut r=w>>(*bts); - while left<8 { - i+=1; - w=t[(*ptr)+i]; w+=(w>>15)&PRIME; - r|=w<=ab { - *bts -= ab; - *ptr += 1; - } - return (r&0xff) as u8; -} - -fn encode(t: &[i16],len: usize,l: usize,pack: &mut [u8]) { - let mut ptr=0; - let mut bts=0; - for n in 0..len*(DEGREE*l)/8 { - pack[n]=nextbyte16(l,t,&mut ptr, &mut bts); - } -} - -// return 0 if encoding is unchanged -fn chk_encode(t: &[i16],len: usize,l: usize,pack: &[u8]) -> u8 { - let mut ptr=0; - let mut bts=0; - let mut diff=0 as u8; - for n in 0..len*(DEGREE*l)/8 { - let m=nextbyte16(l,t,&mut ptr, &mut bts); - diff|=m^pack[n]; - } - return diff; -} - -fn decode(pack: &[u8],l: usize,t: &mut [i16],len: usize) { - let mut ptr=0; - let mut bts=0; - for i in 0..len*DEGREE { - t[i]=nextword(l,pack,&mut ptr,&mut bts); - } -} - -// Bernsteins safe division by 0xD01 -fn safediv(xx: i32) -> i32 { - let mut x=xx; - let mut q = 0 as i32; - - let mut qpart = (((x as i64)*645083)>>31) as i32; - x -= qpart*0xD01; q += qpart; - - qpart = ((((x as i64)*645083)>>31) as i32)+1; - x -= qpart*0xD01; q += qpart+(x>>31); - - return q; -} - -fn compress(t: &mut [i16],len:usize,d:usize) { - let twod=(1<>15)&PRIME; - t[i]= (safediv(twod*(t[i] as i32)+dp/2)&(twod-1)) as i16; - } -} -fn decompress(t: &mut [i16],len:usize,d:usize) { - let twod1=(1<<(d-1)) as i32; - let dp=PRIME as i32; - for i in 0..len*DEGREE { - t[i]=((dp*(t[i] as i32)+twod1)>>d) as i16; - } -} - - -fn cpa_keypair(params: &[usize],tau: &[u8],sk: &mut [u8],pk: &mut [u8]) { - let mut rho:[u8;32]=[0;32]; - let mut sigma:[u8;33]=[0;33]; - let mut buff:[u8;256]=[0;256]; - - 
let mut r:[i16;DEGREE]=[0;DEGREE];
- let mut w:[i16;DEGREE]=[0;DEGREE];
- let mut aij:[i16;DEGREE]=[0;DEGREE];
- let mut s:[i16;MAXK*DEGREE]=[0;MAXK*DEGREE];
- let mut e:[i16;MAXK*DEGREE]=[0;MAXK*DEGREE];
- let mut p:[i16;MAXK*DEGREE]=[0;MAXK*DEGREE];
-
- let mut sh = SHA3::new(sha3::HASH512);
-
- let ck=params[0];
- let eta1=params[1];
- let public_key_size=32+ck*(DEGREE*3)/2;
-
- for i in 0..32 {
- sh.process(tau[i]);
- }
- sh.hash(&mut buff);
- for i in 0..32 {
- rho[i]=buff[i];
- sigma[i]=buff[i+32];
- }
- sigma[32]=0;
-
-// create s
- for i in 0..ck {
- sh=SHA3::new(sha3::SHAKE256);
- for j in 0..33 {
- sh.process(sigma[j]);
- }
- sh.shake(&mut buff,64*eta1);
- cbd(&buff,eta1,&mut s[i*DEGREE..]);
- sigma[32] += 1;
- }
-
-// create e
- for i in 0..ck {
- sh=SHA3::new(sha3::SHAKE256);
- for j in 0..33 {
- sh.process(sigma[j]);
- }
- sh.shake(&mut buff,64*eta1);
- cbd(&buff,eta1,&mut e[i*DEGREE..]);
- sigma[32] += 1;
- }
-
- for k in 0..ck {
- let row=k*DEGREE;
- poly_ntt(&mut s[row..]);
- poly_ntt(&mut e[row..]);
- }
-
- for i in 0..ck {
- let row=i*DEGREE;
- expandaij(&rho,&mut aij,i,0);
- poly_mul(&mut r,&aij,&s);
- for j in 1..ck {
- expandaij(&rho,&mut aij,i,j);
- poly_mul(&mut w,&s[j*DEGREE..],&aij);
- poly_acc(&mut r,&w);
- }
- poly_reduce(&mut r);
- poly_tomont(&mut r);
- poly_add(&mut p[row..],&r,&e[row..]);
- poly_reduce(&mut p[row..]);
- }
-
- encode(&s,ck,12,sk);
- encode(&p,ck,12,pk);
- for i in 0..32 {
- pk[public_key_size-32+i]=rho[i];
- }
-}
-
-fn cpa_base_encrypt(params: &[usize],coins: &[u8],pk: &[u8],ss: &[u8],u: &mut [i16],v: &mut [i16]) {
- let mut rho:[u8;32]=[0;32];
- let mut sigma:[u8;33]=[0;33];
- let mut buff:[u8;256]=[0;256];
-
- let mut r:[i16;DEGREE]=[0;DEGREE];
- let mut w:[i16;DEGREE]=[0;DEGREE];
- let mut aij:[i16;DEGREE]=[0;DEGREE];
- let mut q:[i16;MAXK*DEGREE]=[0;MAXK*DEGREE];
- let mut p:[i16;MAXK*DEGREE]=[0;MAXK*DEGREE];
-
- let ck=params[0];
- let eta1=params[1];
- let eta2=params[2];
- let du=params[3];
- let dv=params[4];
- let public_key_size=32+ck*(DEGREE*3)/2;
-
- for i in 0..32 {
- sigma[i]=coins[i];
- }
- sigma[32]=0;
- for i in 0..32 {
- rho[i]=pk[i+public_key_size-32];
- }
-// create q
- for i in 0..ck {
- let mut sh=SHA3::new(sha3::SHAKE256);
- for j in 0..33 {
- sh.process(sigma[j]);
- }
- sh.shake(&mut buff,64*eta1);
- cbd(&buff,eta1,&mut q[i*DEGREE..]);
- sigma[32] += 1;
- }
-// create e1
- for i in 0..ck {
- let mut sh=SHA3::new(sha3::SHAKE256);
- for j in 0..33 {
- sh.process(sigma[j]);
- }
- sh.shake(&mut buff,64*eta2);
- cbd(&buff,eta1,&mut u[i*DEGREE..]);
- sigma[32] += 1;
- }
- for i in 0..ck {
- let row=DEGREE*i;
- poly_ntt(&mut q[row..]);
- }
-
- for i in 0..ck {
- let row=i*DEGREE;
- expandaij(&rho,&mut aij,0,i);
- poly_mul(&mut r,&aij,&q);
- for j in 1..ck {
- expandaij(&rho,&mut aij,j,i);
- poly_mul(&mut w,&q[j*DEGREE..],&aij);
- poly_acc(&mut r,&w);
- }
- poly_reduce(&mut r);
- poly_invntt(&mut r);
- poly_acc(&mut u[row..],&r);
- poly_reduce(&mut u[row..]);
- }
-
- decode(&pk,12,&mut p,ck);
-
- poly_mul(v,&p,&q);
- for i in 1..ck {
- let row=DEGREE*i;
- poly_mul(&mut r,&p[row..],&q[row..]);
- poly_acc(v,&r);
- }
- poly_invntt(v);
-
- let mut sh = SHA3::new(sha3::SHAKE256);
- for j in 0..33 {
- sh.process(sigma[j]);
- }
- sh.shake(&mut buff,64*eta2);
- cbd(&buff,eta1,&mut w); // e2
-
- poly_acc(v,&w);
-
- decode(&ss,1,&mut r,1);
- decompress(&mut r,1,1);
- poly_acc(v,&r);
- poly_reduce(v);
- compress(u,ck,du);
- compress(v,1,dv);
-}
-
-fn cpa_encrypt(params: &[usize],coins: &[u8],pk: &[u8],ss: &[u8],ct: &mut [u8]) {
- let mut v:[i16;DEGREE]=[0;DEGREE];
- let mut u:[i16;MAXK*DEGREE]=[0;MAXK*DEGREE];
- let ck=params[0];
- let du=params[3];
- let dv=params[4];
- let ciphertext_size=(du*ck+dv)*DEGREE/8;
- cpa_base_encrypt(params,coins,pk,ss,&mut u,&mut v);
- encode(&u,ck,du,ct);
- encode(&v,1,dv,&mut ct[ciphertext_size-(dv*DEGREE/8)..]);
-}
-
-// Re-encrypt and check that ct is OK (if so return is zero)
-fn cpa_check_encrypt(params: &[usize],coins: &[u8],pk: &[u8],ss: &[u8],ct: &[u8]) -> u8 {
- let mut v:[i16;DEGREE]=[0;DEGREE];
- let mut u:[i16;MAXK*DEGREE]=[0;MAXK*DEGREE];
- let ck=params[0];
- let du=params[3];
- let dv=params[4];
- let ciphertext_size=(du*ck+dv)*DEGREE/8;
- cpa_base_encrypt(params,coins,pk,ss,&mut u,&mut v);
- let d1=chk_encode(&u,ck,du,ct);
- let d2=chk_encode(&v,1,dv,&ct[ciphertext_size-(dv*DEGREE/8)..]);
- if (d1|d2)==0 {
- return 0;
- } else {
- return 0xff;
- }
-}
-
-fn cpa_decrypt(params: &[usize],sk: &[u8],ct: &[u8],ss: &mut [u8]) {
- let mut w:[i16;DEGREE]=[0;DEGREE];
- let mut v:[i16;DEGREE]=[0;DEGREE];
- let mut r:[i16;DEGREE]=[0;DEGREE];
- let mut u:[i16;MAXK*DEGREE]=[0;MAXK*DEGREE];
- let mut s:[i16;MAXK*DEGREE]=[0;MAXK*DEGREE];
-
- let ck=params[0];
- let du=params[3];
- let dv=params[4];
-
- decode(ct,du,&mut u,ck);
- decode(&ct[(du*ck*DEGREE)/8..],dv,&mut v,1);
- decompress(&mut u,ck,du);
- decompress(&mut v,1,dv);
- decode(sk,12,&mut s,ck);
-
- poly_ntt(&mut u);
- poly_mul(&mut w,&u,&s);
- for i in 1..ck {
- let row=DEGREE*i;
- poly_ntt(&mut u[row..]);
- poly_mul(&mut r,&u[row..],&s[row..]);
- poly_acc(&mut w,&r);
- }
- poly_reduce(&mut w);
- poly_invntt(&mut w);
- poly_dec(&mut v,&w);
- compress(&mut v,1,1);
- encode(&v,1,1,ss);
-}
-
-fn cca_keypair(params: &[usize],randbytes64: &[u8],sk: &mut [u8],pk: &mut [u8]) {
- let ck=params[0];
- let secret_cpa_key_size=ck*(DEGREE*3)/2;
- let public_key_size=32+ck*(DEGREE*3)/2;
-
- cpa_keypair(params,randbytes64,sk,pk);
- for i in 0..public_key_size {
- sk[i+secret_cpa_key_size]=pk[i];
- }
- let mut sh = SHA3::new(sha3::HASH256);
- for i in 0..public_key_size {
- sh.process(pk[i]);
- }
- sh.hash(&mut sk[secret_cpa_key_size+public_key_size..]);
- for i in 0..32 {
- sk[i+secret_cpa_key_size+public_key_size+32]=randbytes64[i+32];
- }
-}
-
-fn cca_encrypt(params: &[usize],randbytes32: &[u8],pk: &[u8],ss: &mut [u8],ct: &mut [u8]) {
- let mut hm:[u8;32]=[0;32];
- let mut h:[u8;32]=[0;32];
- let mut g:[u8;64]=[0;64];
- let ck=params[0];
- let du=params[3];
- let dv=params[4];
- let public_key_size=32+ck*(DEGREE*3)/2;
- let ciphertext_size=(du*ck+dv)*DEGREE/8;
- let shared_secret_size=params[5];
-
- let mut sh = SHA3::new(sha3::HASH256);
- for i in 0..32 {
- sh.process(randbytes32[i]);
- }
- sh.hash(&mut hm);
-
- sh = SHA3::new(sha3::HASH256);
- for i in 0..public_key_size {
- sh.process(pk[i]);
- }
- sh.hash(&mut h);
-
- sh = SHA3::new(sha3::HASH512);
- sh.process_array(&hm);
- sh.process_array(&h);
- sh.hash(&mut g);
- cpa_encrypt(params,&g[32..],&pk,&hm,ct);
-
- sh = SHA3::new(sha3::HASH256);
- for i in 0..ciphertext_size {
- sh.process(ct[i]);
- }
- sh.hash(&mut h);
- sh = SHA3::new(sha3::SHAKE256);
- sh.process_array(&g[0..32]);
- sh.process_array(&h);
- sh.shake(ss,shared_secret_size);
-}
-
-fn cca_decrypt(params: &[usize],sk: &[u8],ct: &[u8],ss: &mut [u8]) {
- let mut m:[u8;32]=[0;32];
- let mut g:[u8;64]=[0;64];
- let ck=params[0];
- let secret_cpa_key_size=ck*(DEGREE*3)/2;
- let public_key_size=32+ck*(DEGREE*3)/2;
- let shared_secret_size=params[5];
-
- let pk=&sk[secret_cpa_key_size..secret_cpa_key_size+public_key_size];
- let h=&sk[secret_cpa_key_size+public_key_size..secret_cpa_key_size+public_key_size+32];
- let z=&sk[secret_cpa_key_size+public_key_size+32..secret_cpa_key_size+public_key_size+64];
-
- cpa_decrypt(params,sk,ct,&mut m);
-
- let mut sh = SHA3::new(sha3::HASH512);
- sh.process_array(&m);
- sh.process_array(h);
- sh.hash(&mut g);
-
- let mask=cpa_check_encrypt(params,&g[32..],pk,&m,ct); // FO check ct is correct
-
- for i in 0..32 {
- g[i]^=(g[i]^z[i])&mask;
- }
-
- sh = SHA3::new(sha3::HASH256);
- sh.process_array(&ct);
- sh.hash(&mut m);
-
- sh = SHA3::new(sha3::SHAKE256);
- sh.process_array(&g[0..32]);
- sh.process_array(&m);
- sh.shake(ss,shared_secret_size);
-}
-
-// ********************* Kyber API ******************************
-
-pub fn keypair_512(randbytes64: &[u8],sk: &mut [u8],pk: &mut [u8]) {
- cca_keypair(&PARAMS_512,randbytes64,sk,pk);
-}
-
-pub fn keypair_768(randbytes64: &[u8],sk: &mut [u8],pk: &mut [u8]) {
- cca_keypair(&PARAMS_768,randbytes64,sk,pk);
-}
-
-pub fn keypair_1024(randbytes64: &[u8],sk: &mut [u8],pk: &mut [u8]) {
- cca_keypair(&PARAMS_1024,randbytes64,sk,pk);
-}
-
-pub fn encrypt_512(randbytes32: &[u8],pk: &[u8],ss: &mut [u8],ct: &mut [u8]) {
- cca_encrypt(&PARAMS_512,randbytes32,pk,ss,ct);
-}
-
-pub fn encrypt_768(randbytes32: &[u8],pk: &[u8],ss: &mut [u8],ct: &mut [u8]) {
- cca_encrypt(&PARAMS_768,randbytes32,pk,ss,ct);
-}
-
-pub fn encrypt_1024(randbytes32: &[u8],pk: &[u8],ss: &mut [u8],ct: &mut [u8]) {
- cca_encrypt(&PARAMS_1024,randbytes32,pk,ss,ct);
-}
-
-pub fn decrypt_512(sk: &[u8],ct: &[u8],ss: &mut [u8]) {
- cca_decrypt(&PARAMS_512,sk,ct,ss);
-}
-
-pub fn decrypt_768(sk: &[u8],ct: &[u8],ss: &mut [u8]) {
- cca_decrypt(&PARAMS_768,sk,ct,ss);
-}
-
-pub fn decrypt_1024(sk: &[u8],ct: &[u8],ss: &mut [u8]) {
- cca_decrypt(&PARAMS_1024,sk,ct,ss);
-}
diff --git a/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/x509.rs b/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/x509.rs
deleted file mode 100644
index e1891b22940f..000000000000
--- a/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/x509.rs
+++ /dev/null
@@ -1,1285 +0,0 @@ -/* - * Copyright (c) 2012-2020 MIRACL UK Ltd. - * - * This file is part of MIRACL Core - * (see https://github.com/miracl/core). - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -/* CORE X.509 Functions */ - -pub struct PKTYPE { - pub kind: usize, - pub hash: usize, - pub curve: usize, - pub len: usize, -} - -pub struct FDTYPE { - pub index: usize, - pub length: usize, -} - -// Supported Encryption/Signature Methods - -pub const ECC:usize = 1; -pub const RSA:usize = 2; -pub const ECD:usize = 3; // for Ed25519 and Ed448 -pub const PQ:usize = 4; - -// Supported Hash functions - -pub const H256:usize = 2; -pub const H384:usize = 3; -pub const H512:usize = 4; -pub const SHAKE256:usize = 5; - -// Supported Curves - -pub const USE_NIST256:usize = 4; /**< For the NIST 256-bit standard curve - WEIERSTRASS only */ -pub const USE_ED25519:usize = 1; /**< Bernstein's Modulus 2^255-19 - EDWARDS only */ -pub const USE_ED448:usize = 5; -//const USE_BRAINPOOL:usize = 2; /**< For Brainpool 256-bit curve - WEIERSTRASS only */ -//const USE_ANSSI:usize = 3; /**< For French 256-bit standard curve - WEIERSTRASS only */ -pub const USE_NIST384:usize = 10; /**< For the NIST 384-bit standard curve - WEIERSTRASS only */ -pub const USE_NIST521:usize = 12; /**< For the NIST 521-bit standard curve - WEIERSTRASS only */ - -const ANY: u8 = 0x00; -const SEQ: u8 = 0x30; -const OID: u8 = 0x006; -const INT: u8 = 0x02; -const NUL: u8 = 0x05; -//const ZER: u8 = 0x00; 
-//const UTF: u8 = 0x0C; -const UTC: u8 = 0x17; -const GTM: u8 = 0x18; -//const LOG: u8 = 0x01; -const BIT: u8 = 0x03; -const OCT: u8 = 0x04; -//const STR: u8 = 0x13; -const SET: u8 = 0x31; -//const IA5: u8 = 0x16; -const EXT: u8 = 0xA3; -const DNS: u8 = 0x82; - -// Define some OIDs -// Elliptic Curve with SHA256 - -const ECCSHA256:[u8;8]=[0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02]; -const ECCSHA384:[u8;8]=[0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x03]; -const ECCSHA512:[u8;8]=[0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x04]; -const ECPK:[u8;7]=[0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01]; -const EDPK25519:[u8;3]=[0x2b, 0x65, 0x70]; -const EDPK448:[u8;3]=[0x2b, 0x65, 0x71]; -const PRIME25519:[u8;9]=[0x2B, 0x06, 0x01, 0x04, 0x01, 0xDA, 0x47, 0x0F, 0x01]; -const PRIME256V1:[u8;8]=[0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07]; -const SECP384R1:[u8;5]=[0x2B, 0x81, 0x04, 0x00, 0x22]; -const SECP521R1:[u8;5]=[0x2B, 0x81, 0x04, 0x00, 0x23]; -const RSAPK:[u8;9]=[0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01]; -const RSASHA256:[u8;9]=[0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b]; -const RSASHA384:[u8;9]=[0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0]; -const RSASHA512:[u8;9]=[0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0d]; -const DILITHIUM3:[u8;11]=[0x2b, 0x06, 0x01, 0x04, 0x01, 0x02, 0x82, 0x0B, 0x07, 0x06, 0x05]; -// Cert details - -pub const CN:[u8;3]=[0x55, 0x04, 0x06]; // countryName -pub const SN:[u8;3]=[0x55, 0x04, 0x08]; // stateName -pub const LN:[u8;3]=[0x55, 0x04, 0x07]; // localName -pub const ON:[u8;3]=[0x55, 0x04, 0x0A]; // orgName -pub const UN:[u8;3]=[0x55, 0x04, 0x0B]; // unitName -pub const MN:[u8;3]=[0x55, 0x04, 0x03]; // myName -pub const EN:[u8;9]=[0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01]; // emailName - -// Extensions -pub const AN:[u8;3]=[0x55,0x1D,0x11]; // altName -pub const KU:[u8;3]=[0x55,0x1D,0x0F]; // keyUsage -pub const BC:[u8;3]=[0x55,0x1D,0x13]; // basicConstraints - -fn getalen(tag: 
u8,b:&[u8],j:usize) -> usize { - let mut k=j; - let mut len:usize; - if tag!=0 && b[k]!=tag { - return 0; - } - k+=1; - if b[k] == 0x81 { - k+=1; - len=b[k] as usize; - } else if b[k]==0x82 { - k+=1; - len=256*(b[k] as usize); k+=1; - len+= b[k] as usize; - } else { - len=b[k] as usize; - if len>127 { - return 0; - } - } - return len; -} - -fn skip(len: usize) -> usize { - if len<128 { - return 2; - } - if len<256 { - return 3; - } - return 4; -} - -fn bround(len:usize) -> usize { - if len%8 == 0 { - return len; - } - return len+(8-len%8); -} - -impl PKTYPE { - pub fn new() -> PKTYPE { - PKTYPE { - kind: 0, - hash: 0, - curve:0, - len:0, - } - } -} - -impl FDTYPE { - pub fn new() -> FDTYPE { - FDTYPE { - index: 0, - length: 0, - } - } -} - -// Input private key in PKCS#8 format -// e.g. openssl req -x509 -nodes -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -// e.g. openssl req -x509 -nodes -days 3650 -newkey ec:<(openssl ecparam -name prime256v1) -keyout key.pem -out ecdsacert.pem -// extract private key from uncompressed key.pem into octet -// For RSA octet = p|q|dp|dq|c where pk->len is multiple of 5 -// For ECC octet = k -pub fn extract_private_key(c: &[u8],pk: &mut [u8]) -> PKTYPE { - let mut soid:[u8;12]=[0;12]; - let mut ret=PKTYPE::new(); - let mut j=0 as usize; - let pklen=pk.len(); - - let mut len=getalen(SEQ,c,j); // Check for expected SEQ clause, and get length - if len == 0 { // if not a SEQ clause, there is a problem, exit - return ret; - } - j+=skip(len); // skip over length to clause contents. 
- if len+j != c.len() { - return ret; - } - len=getalen(INT,c,j); - if len == 0 { // if not a SEQ clause, there is a problem, exit - return ret; - } - j+=skip(len)+len; - len=getalen(SEQ,c,j); - if len == 0 { // if not a SEQ clause, there is a problem, exit - return ret; - } - j+=skip(len); -// extract OID - len=getalen(OID,c,j); - if len==0 { - return ret; - } - j+=skip(len); - - let mut fin=j+len; - if len>soid.len() { - return ret; - } - let mut slen=0; - while jpklen { - return ret; - } - ret.len=rlen; - for i in 0..rlen-len { - pk[i]=0; - } - for i in rlen-len..rlen { - pk[i]=c[j]; - j+=1; - } - ret.kind = ECD; - ret.curve = USE_ED25519; - } - if EDPK448 == soid[0..slen] { - len=getalen(OCT,c,j); - if len==0 { - return ret; - } - j+=skip(len); - len=getalen(OCT,c,j); - if len==0 { - return ret; - } - j+=skip(len); - let rlen=57; - if rlen>pklen { - return ret; - } - ret.len=rlen; - for i in 0..rlen-len { - pk[i]=0; - } - for i in rlen-len..rlen { - pk[i]=c[j]; - j+=1; - } - ret.kind = ECD; - ret.curve = USE_ED448; - } - if DILITHIUM3 == soid[0..slen] { - len=getalen(OCT,c,j); - if len==0 { - return ret; - } - j+=skip(len); - len=getalen(OCT,c,j); - if len==0 { - return ret; - } - j+=skip(len); - let mut tlen=len; - if tlen>pk.len() { - tlen=pk.len(); - } - - for i in 0..tlen { - pk[i]=c[j]; - j+=1; - } - ret.len=tlen; - ret.kind=PQ; - ret.curve=8*tlen; - } - if ECPK == soid[0..slen] { - len=getalen(OID,c,j); - if len==0 { - return ret; - } - j+=skip(len); - - fin=j+len; - if len>soid.len() { - return ret; - } - slen=0; - while jpklen { - ret.curve=0; - ret.len=0; - return ret; - } - ret.len=rlen; - for i in 0..rlen-len { - pk[i]=0; - } - for i in rlen-len..rlen { - pk[i]=c[j]; - j+=1; - } - } - if RSAPK == soid[0..slen] { - len=getalen(NUL,c,j); - if len!=0 { - return ret; - } - j+=skip(len); - - len=getalen(OCT,c,j); - if len==0 { - return ret; - } - j+=skip(len); - - len=getalen(SEQ,c,j); - if len==0 { - return ret; - } - j+=skip(len); - - 
len=getalen(INT,c,j); - if len==0 { - return ret; - } - j+=skip(len)+len; // jump over version - - len=getalen(INT,c,j); - if len==0 { - return ret; - } - j+=skip(len)+len; // jump over n - - len=getalen(INT,c,j); - if len==0 { - return ret; - } - j+=skip(len)+len; // jump over e - - len=getalen(INT,c,j); - if len==0 { - return ret; - } - j+=skip(len)+len; // jump over d - - len=getalen(INT,c,j); - if len==0 { - return ret; - } - j+=skip(len); // get p - - if c[j]==0 { - j+=1; - len-=1; - } - let mut rlen=bround(len); - - if 5*rlen>pklen { - return ret; - } - - for i in 0..rlen-len { - pk[i]=0; - } - for i in rlen-len..rlen { - pk[i]=c[j]; - j+=1; - } - - let flen=rlen; // should be same length for all - for k in 1..5 { - len=getalen(INT,c,j); - if len==0 { - return ret; - } - j+=skip(len); // get q,dp,dq,c - if c[j]==0 { - j+=1; - len-=1; - } - rlen=bround(len); - if rlen!=flen { - return ret; - } - for i in 0..rlen-len { - pk[i]=0; - } - for i in rlen-len..rlen { - pk[k*flen+i]=c[j]; - j+=1; - } - } - ret.len=5*flen; - ret.kind=RSA; - ret.curve=16*flen; - } - return ret; -} - -// Input signed cert as octet, and extract signature -// Return 0 for failure, ECC for Elliptic Curve signature, RSA for RSA signature -// Note that signature type is not provided here - its the type of the public key that -// is used to verify it that matters, and which determines for example the curve to be used! -pub fn extract_cert_sig(sc: &[u8],sig: &mut [u8]) -> PKTYPE { - let mut soid:[u8;12]=[0;12]; - let mut ret=PKTYPE::new(); - let mut j=0 as usize; - let mut len=getalen(SEQ,sc,j); // Check for expected SEQ clause, and get length - let siglen=sig.len(); - - if len == 0 { // if not a SEQ clause, there is a problem, exit - return ret; - } - j+=skip(len); // skip over length to clause contents. 
Add len to skip clause - if len+j != sc.len() { - return ret; - } - len=getalen(SEQ,sc,j); - if len==0 { - return ret; - } - j+=skip(len) + len; // jump over cert to signature OID - len=getalen(SEQ,sc,j); - if len==0 { - return ret; - } - j+=skip(len); - let sj=j+len; // Needed to jump over signature OID - -// dive in to extract OID - len=getalen(OID,sc,j); - if len==0 { - return ret; - } - j+=skip(len); - let mut fin=j+len; - if len>soid.len() { - return ret; - } - - let mut slen=0; - while jsiglen { - ret.kind=0; - return ret; - } - ret.len=len; - slen=0; - fin=j+len; - while jsiglen { - ret.kind=0; - return ret; - } - ret.len=2*rlen; - - slen=0; - for _ in 0..ex { - sig[slen]=0; - slen+=1; - } - fin=j+len; - while jsiglen { - ret.kind=0; - ret.curve=0; - return ret; - } - ret.len=rlen; - slen=0; - for _ in 0..ex { - sig[slen]=0; - slen+=1; - } - fin=j+len; - while jsiglen { - ret.kind=0; - ret.curve=0; - return ret; - } - ret.len=len; - slen=0; - fin=j+len; - while j usize { - let mut j:usize=0; - - let mut len=getalen(SEQ,sc,j); - if len==0 { - return 0; - } - j+=skip(len); - - let k=j; - len=getalen(SEQ,sc,j); - if len==0 { - return 0; - } - j+=skip(len); - let fin=j+len; - *ptr=k; - return fin-k; -} - -// Extract certificate from signed cert -pub fn extract_cert(sc: &[u8],cert: &mut [u8]) -> usize { - let mut ptr=0; - let n=find_cert(sc,&mut ptr); - let k=ptr; - let fin=n+k; - if fin-k>cert.len() { - return 0; - } - for i in k..fin { - cert[i-k]=sc[i]; - } - return n; -} - -// extract pointer to ASN.1 raw public Key inside certificate, and return its length; -// let public_key=&c[ptr..ptr+len] -pub fn find_public_key(c: &[u8],ptr: &mut usize) -> usize { - let mut j:usize=0; - let mut len=getalen(SEQ,c,j); - if len==0 { - return 0; - } - j+=skip(len); - - if len+j != c.len() { - return 0; - } - - len=getalen(ANY,c,j); - if len==0 { - return 0; - } - j+=skip(len)+len; //jump over version clause - - len=getalen(INT,c,j); - if len>0 { - j+=skip(len)+len; // jump 
over serial number clause (if there is one) - } - - len=getalen(SEQ,c,j); - if len==0 { - return 0; - } - j+=skip(len)+len; // jump over signature algorithm - - len=getalen(SEQ,c,j); - if len==0 { - return 0; - } - j += skip(len) + len; // skip issuer - - len=getalen(SEQ,c,j); - if len==0 { - return 0; - } - j += skip(len) + len; // skip validity - - len=getalen(SEQ,c,j); - if len==0 { - return 0; - } - j += skip(len) + len; // skip subject - - let k=j; - len=getalen(SEQ,c,j); - if len==0 { - return 0; - } - j += skip(len); // - - let fin=j+len; - *ptr=k; - return fin-k; -} - -// get Public details from ASN.1 description -pub fn get_public_key(c: &[u8],key: &mut [u8]) -> PKTYPE { - let mut koid:[u8;12]=[0;12]; - let mut ret=PKTYPE::new(); - let mut j=0; - let keylen=key.len(); - - let mut len=getalen(SEQ,c,j); - if len==0 { - return ret; - } - j += skip(len); // - - len=getalen(SEQ,c,j); - if len==0 { - return ret; - } - j += skip(len); // - -// ** Maybe dive in and check Public Key OIDs here? 
-// ecpublicKey & prime256v1, secp384r1 or secp521r1 for ECC -// rsapublicKey for RSA - - let sj=j+len; - - len=getalen(OID,c,j); - if len==0 { - return ret; - } - j += skip(len); - - let mut fin=j+len; - if len>koid.len() { - return ret; - } - let mut slen=0; - while jkoid.len() { - ret.kind=0; - return ret; - } - slen=0; - while jkeylen { - ret.kind=0; - return ret; - } - ret.len=len; - fin=j+len; - slen=0; - while jkeylen { - ret.kind=0; - return ret; - } - ret.len=len; - fin=j+len; - slen=0; - while j PKTYPE { - let mut ptr=0; - let pklen = find_public_key(c,&mut ptr); // ptr is pointer into certificate, at start of ASN.1 raw public key - let cc=&c[ptr..ptr+pklen]; - return get_public_key(&cc,key); -} - -pub fn find_issuer(c: &[u8]) -> FDTYPE { - let mut j:usize=0; - let mut ret=FDTYPE::new(); - let mut len=getalen(SEQ,c,j); - if len==0 { - return ret; - } - j += skip(len); - - if len+j!=c.len() { - return ret; - } - - len=getalen(ANY,c,j); - if len==0 { - return ret; - } - j += skip(len)+len; // jump over version clause - - len=getalen(INT,c,j); - if len>0 { - j+=skip(len)+len; // jump over serial number clause (if there is one) - } - - len=getalen(SEQ,c,j); - if len==0 { - return ret; - } - j += skip(len) + len; // jump over signature algorithm - - len=getalen(SEQ,c,j); - ret.index=j; - ret.length=len+skip(len); - - return ret; -} - -pub fn find_validity(c: &[u8]) -> usize { - let pos=find_issuer(c); - let j=pos.index+pos.length; // skip issuer - - //let mut j=find_issuer(c); - //let len=getalen(SEQ,c,j); - //if len==0 { - // return 0; - //} - //j+=skip(len)+len; // skip issuer - return j; -} - -pub fn find_subject(c: &[u8]) -> FDTYPE { - let mut j=find_validity(c); - let mut ret=FDTYPE::new(); - let mut len=getalen(SEQ,c,j); - if len==0 { - return ret; - } - j+=skip(len)+len; // skip validity - - len=getalen(SEQ,c,j); - ret.index=j; - ret.length=len+skip(len); - - return ret; -} - -pub fn self_signed(c: &[u8]) -> bool { - let ksub=find_subject(c); - let 
kiss=find_issuer(c); - - if ksub.length!=kiss.length { - return false; - } - -// let sublen=getalen(SEQ,c,ksub); -// let isslen=getalen(SEQ,c,kiss); -// if sublen != isslen { -// return false; -// } -// ksub+=skip(sublen); -// kiss+=skip(isslen); - let mut m:u8=0; - for i in 0..ksub.length { - m |= c[i+ksub.index]-c[i+kiss.index]; - } - if m!=0 { - return false; - } - return true; -} - -// NOTE: When extracting cert information, we actually return just an index to the data inside the cert, and maybe its length -// So no memory is assigned to store cert info. It is the callers responsibility to allocate such memory if required, and copy -// cert information into it. - -// Find entity property indicated by SOID, given start of issuer or subject field. Return index in cert, flen=length of field - -pub fn find_entity_property(c: &[u8],soid: &[u8],start: usize) -> FDTYPE { - let mut ret=FDTYPE::new(); - let mut foid:[u8;32]=[0;32]; - let mut j=start; - let tlen=getalen(SEQ,c,j); - if tlen==0 { - return ret; - } - j+=skip(tlen); - let k=j; - while jfoid.len() { - return ret; - } - let mut flen:usize=0; - while j usize { - let mut j=start; - let mut len=getalen(SEQ,c,j); - if len==0 { - return 0; - } - j+=skip(len); - - len=getalen(UTC,c,j); - if len==0 { // could be generalised time - len=getalen(GTM,c,j); - if len==0 { - return 0; - } - j += skip(len); - j +=2; // skip century - } else { - j+=skip(len); - } - return j; -} - -pub fn find_expiry_date(c: &[u8],start: usize) -> usize { - let mut j=start; - let mut len=getalen(SEQ,c,j); - if len==0 { - return 0; - } - j+=skip(len); - - len=getalen(UTC,c,j); - if len==0 { - len=getalen(GTM,c,j); - if len==0 { - return 0; - } - } - j+=skip(len)+len; - - len=getalen(UTC,c,j); - if len==0 { // could be generalised time - len=getalen(GTM,c,j); - if len==0 { - return 0; - } - j += skip(len); - j +=2; // skip century - } else { - j+=skip(len); - } - return j; -} - -pub fn find_extensions(c: &[u8]) -> usize { - let 
pos=find_subject(c); - let mut j=pos.index+pos.length; - -// let mut len=getalen(SEQ,c,j); -// if len==0 { -// return 0; -// } -// j+=skip(len)+len; // skip subject - - let len=getalen(SEQ,c,j); - if len==0 { - return 0; - } - j+=skip(len)+len; // skip public key - - if j>=c.len() { - return 0; - } - return j; -} - -pub fn find_extension(c: &[u8],soid: &[u8],start:usize) -> FDTYPE { - let mut ret=FDTYPE::new(); - let mut foid:[u8;32]=[0;32]; - - let mut j=start; - let tlen=getalen(EXT,c,j); - if tlen==0 { - return ret; - } - j+=skip(tlen); - - let tlen=getalen(SEQ,c,j); - if tlen==0 { - return ret; - } - j+=skip(tlen); - - let k=j; - while jfoid.len() { - return ret; - } - let mut flen:usize=0; - while j bool { - if start==0 { - return false; - } - let mut j=start; - let mut tlen=getalen(OCT,c,j); - if tlen==0 { - return false; - } - j+=skip(tlen); - - tlen=getalen(SEQ,c,j); - if tlen==0 { - return false; - } - j+=skip(tlen); - let k=j; - while j"] exclude = [ "/miracl-core", diff --git a/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/Cargo.toml.orig b/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/Cargo.toml.orig similarity index 96% rename from third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/Cargo.toml.orig rename to third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/Cargo.toml.orig index 92fbebeec901..13ebaef9e368 100644 --- a/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/Cargo.toml.orig +++ b/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/Cargo.toml.orig @@ -1,6 +1,6 @@ [package] name = "brave-miracl" -version = "0.1.2" +version = "0.1.3" edition = "2021" authors = ["Mike Scott "] description = "Subset of the MIRACL Core library that includes the bn254 elliptic curve" 
diff --git a/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/LICENSE b/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/LICENSE similarity index 100% rename from third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/LICENSE rename to third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/LICENSE diff --git a/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/README.md b/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/README.md similarity index 100% rename from third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/README.md rename to third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/README.md diff --git a/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/aes.rs b/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/aes.rs similarity index 94% rename from third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/aes.rs rename to third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/aes.rs index 65b0fa41d320..1242e351b807 100644 --- a/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/aes.rs +++ b/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/aes.rs @@ -174,7 +174,7 @@ const RTABLE: [u32; 256] = [ ]; pub struct AES { -// nk: usize, + // nk: usize, nr: usize, mode: usize, fkey: [u32; 60], @@ -182,7 +182,6 @@ pub struct AES { pub f: [u8; 16], } - fn rotl8(x: u32) -> u32 { ((x) << 8) | ((x) >> 24) } @@ -197,10 +196,7 @@ fn rotl24(x: u32) -> u32 { fn pack(b: [u8; 4]) -> u32 { /* pack bytes into a 32-bit Word */ - ((b[3] as u32) << 24) - | ((b[2] as u32) << 16) - | ((b[1] as u32) << 8) - | (b[0] as u32) + ((b[3] as u32) << 24) | ((b[2] as u32) << 16) | ((b[1] as u32) << 8) | (b[0] as u32) } fn unpack(a: u32) -> [u8; 4] { 
@@ -241,10 +237,7 @@ fn product(x: u32, y: u32) -> u8 { let xb = unpack(x); let yb = unpack(y); - bmul(xb[0], yb[0]) - ^ bmul(xb[1], yb[1]) - ^ bmul(xb[2], yb[2]) - ^ bmul(xb[3], yb[3]) + bmul(xb[0], yb[0]) ^ bmul(xb[1], yb[1]) ^ bmul(xb[2], yb[2]) ^ bmul(xb[3], yb[3]) } fn invmixcol(x: u32) -> u32 { @@ -271,10 +264,9 @@ fn increment(f: &mut [u8; 16]) { } impl AES { - pub fn new() -> AES { AES { -// nk: 0, + // nk: 0, nr: 0, mode: 0, fkey: [0; 60], @@ -329,33 +321,32 @@ impl AES { j = nk; let mut k = 0; while j < n { - self.fkey[j] = - self.fkey[j - nk] ^ subbyte(rotl24(self.fkey[j - 1])) ^ (RCO[k] as u32); - if nk<=6 { - for i in 1..nk { - if (i + j) >= n { - break; - } - self.fkey[i + j] = self.fkey[i + j - nk] ^ self.fkey[i + j - 1]; - } - } else { - for i in 1..4 { - if (i + j) >= n { - break; - } - self.fkey[i + j] = self.fkey[i + j - nk] ^ self.fkey[i + j - 1]; - } - - if (j + 4) < n { - self.fkey[j + 4] = self.fkey[j + 4 - nk] ^ subbyte(self.fkey[j + 3]); - } - for i in 5..nk { - if (i + j) >= n { - break; - } - self.fkey[i + j] = self.fkey[i + j - nk] ^ self.fkey[i + j - 1]; - } - } + self.fkey[j] = self.fkey[j - nk] ^ subbyte(rotl24(self.fkey[j - 1])) ^ (RCO[k] as u32); + if nk <= 6 { + for i in 1..nk { + if (i + j) >= n { + break; + } + self.fkey[i + j] = self.fkey[i + j - nk] ^ self.fkey[i + j - 1]; + } + } else { + for i in 1..4 { + if (i + j) >= n { + break; + } + self.fkey[i + j] = self.fkey[i + j - nk] ^ self.fkey[i + j - 1]; + } + + if (j + 4) < n { + self.fkey[j + 4] = self.fkey[j + 4 - nk] ^ subbyte(self.fkey[j + 3]); + } + for i in 5..nk { + if (i + j) >= n { + break; + } + self.fkey[i + j] = self.fkey[i + j - nk] ^ self.fkey[i + j - 1]; + } + } j += nk; k += 1; } @@ -433,9 +424,7 @@ impl AES { k += 4; for j in 0..4 { - let t = p[j]; - p[j] = q[j]; - q[j] = t; + core::mem::swap(&mut p[j], &mut q[j]); } } @@ -521,9 +510,7 @@ impl AES { k += 4; for j in 0..4 { - let t = p[j]; - p[j] = q[j]; - q[j] = t; + core::mem::swap(&mut p[j], &mut q[j]); } } 
@@ -637,9 +624,7 @@ impl AES { 0 } - _ => { - 0 - } + _ => 0, } } @@ -716,9 +701,7 @@ impl AES { 0 } - _ => { - 0 - } + _ => 0, } } @@ -736,7 +719,7 @@ impl AES { } /* AES encryption/decryption. Encrypt byte array m using key k and returns ciphertext c */ -pub fn cbc_iv0_encrypt(k: &[u8], m: &[u8],c: &mut [u8]) -> usize { +pub fn cbc_iv0_encrypt(k: &[u8], m: &[u8], c: &mut [u8]) -> usize { /* AES CBC encryption, with Null IV and key K */ /* Input is from an octet string m, output is to an octet string c */ /* Input is padded as necessary to make up a full final block */ @@ -768,7 +751,8 @@ pub fn cbc_iv0_encrypt(k: &[u8], m: &[u8],c: &mut [u8]) -> usize { a.encrypt(&mut buff); for j in 0..16 { if opt < c.len() { - c[opt]=buff[j]; opt+=1; + c[opt] = buff[j]; + opt += 1; } } } @@ -783,8 +767,9 @@ pub fn cbc_iv0_encrypt(k: &[u8], m: &[u8],c: &mut [u8]) -> usize { a.encrypt(&mut buff); for j in 0..16 { - if opt usize { break; } for j in 0..16 { - if opt usize { if !bad { for i in 0..16 - padlen { - if opt usize { diff --git a/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/bn254/dbig.rs b/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/bn254/dbig.rs similarity index 100% rename from third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/bn254/dbig.rs rename to third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/bn254/dbig.rs diff --git a/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/bn254/ecdh.rs b/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/bn254/ecdh.rs similarity index 100% rename from third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/bn254/ecdh.rs rename to third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/bn254/ecdh.rs 
diff --git a/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/bn254/ecp.rs b/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/bn254/ecp.rs
similarity index 100%
rename from third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/bn254/ecp.rs
rename to third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/bn254/ecp.rs
diff --git a/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/bn254/ecp2.rs b/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/bn254/ecp2.rs
similarity index 100%
rename from third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/bn254/ecp2.rs
rename to third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/bn254/ecp2.rs
diff --git a/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/bn254/eddsa.rs b/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/bn254/eddsa.rs
similarity index 100%
rename from third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/bn254/eddsa.rs
rename to third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/bn254/eddsa.rs
diff --git a/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/bn254/fp.rs b/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/bn254/fp.rs
similarity index 100%
rename from third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/bn254/fp.rs
rename to third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/bn254/fp.rs
diff --git a/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/bn254/fp12.rs b/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/bn254/fp12.rs
similarity index 100%
rename from third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/bn254/fp12.rs
rename to third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/bn254/fp12.rs
diff --git a/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/bn254/fp2.rs b/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/bn254/fp2.rs
similarity index 100%
rename from third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/bn254/fp2.rs
rename to third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/bn254/fp2.rs
diff --git a/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/bn254/fp4.rs b/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/bn254/fp4.rs
similarity index 100%
rename from third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/bn254/fp4.rs
rename to third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/bn254/fp4.rs
diff --git a/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/bn254/hpke.rs b/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/bn254/hpke.rs
similarity index 100%
rename from third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/bn254/hpke.rs
rename to third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/bn254/hpke.rs
diff --git a/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/bn254/mod.rs b/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/bn254/mod.rs
similarity index 100%
rename from third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/bn254/mod.rs
rename to third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/bn254/mod.rs
diff --git a/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/bn254/mpin.rs b/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/bn254/mpin.rs
similarity index 100%
rename from third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/bn254/mpin.rs
rename to third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/bn254/mpin.rs
diff --git a/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/bn254/pair.rs b/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/bn254/pair.rs
similarity index 100%
rename from third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/bn254/pair.rs
rename to third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/bn254/pair.rs
diff --git a/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/bn254/rom.rs b/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/bn254/rom.rs
similarity index 100%
rename from third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/bn254/rom.rs
rename to third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/bn254/rom.rs
diff --git a/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/dilithium.rs b/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/dilithium.rs
new file mode 100644
index 000000000000..8f5b186b640e
--- /dev/null
+++ b/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/dilithium.rs
@@ -0,0 +1,1248 @@ +/* + * Copyright (c) 2012-2020 MIRACL UK Ltd. + * + * This file is part of MIRACL Core + * (see https://github.com/miracl/core). + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/* Dilithium API high-level functions. Constant time where it matters. Slow (spends nearly all of its time running SHA3) but small. + +Note that the Matrix A is calculated on-the-fly to keep memory requirement minimal +But this makes all stages much slower +Note that +1. Matrix A can just be generated randomly for Key generation (without using SHA3 which is very slow) +2. A precalculated A can be included in the public key, for use by signature and verification (which blows up public key size) +3. Precalculating A for signature calculation means that the A does not have to re-calculated for each attempt to find a good signature + +Might be simpler to wait for hardware support for SHA3! 
+ + M.Scott 30/09/2021 +*/ + +use crate::sha3; +use crate::sha3::SHA3; + +//q= 8380417 +const LGN: usize = 8; +const DEGREE: usize = 1 << LGN; +const PRIME: i32 = 0x7fe001; +const D: usize = 13; +const TD: usize = 23 - D; + +const ONE: i32 = 0x3FFE00; // R mod Q +const COMBO: i32 = 0xA3FA; // ONE*inv mod Q +const ND: u32 = 0xFC7FDFFF; // 1/(R-Q) mod R +const R2MODP: u64 = 0x2419FF; // R^2 mod Q + +const MAXLG: usize = 19; +const MAXK: usize = 8; // could reduce these if not using highest security +const MAXL: usize = 7; +const YBYTES: usize = ((MAXLG + 1) * DEGREE) / 8; + +pub const SK_SIZE_2: usize = 32 * 3 + DEGREE * (4 * 13 + 4 * 3 + 4 * 3) / 8; +pub const PK_SIZE_2: usize = (4 * DEGREE * TD) / 8 + 32; +pub const SIG_SIZE_2: usize = (DEGREE * 4 * (17 + 1)) / 8 + 80 + 4 + 32; + +pub const SK_SIZE_3: usize = 32 * 3 + DEGREE * (6 * 13 + 5 * 4 + 6 * 4) / 8; +pub const PK_SIZE_3: usize = (6 * DEGREE * TD) / 8 + 32; +pub const SIG_SIZE_3: usize = (DEGREE * 5 * (19 + 1)) / 8 + 55 + 6 + 32; + +pub const SK_SIZE_5: usize = 32 * 3 + DEGREE * (8 * 13 + 7 * 3 + 8 * 3) / 8; +pub const PK_SIZE_5: usize = (8 * DEGREE * TD) / 8 + 32; +pub const SIG_SIZE_5: usize = (DEGREE * 7 * (19 + 1)) / 8 + 75 + 8 + 32; + +// parameters for each security level +// tau,gamma1,gamma2,K,L,eta,lg(2*eta+1),omega +const PARAMS_2: [usize; 8] = [39, 17, 88, 4, 4, 2, 3, 80]; +const PARAMS_3: [usize; 8] = [49, 19, 32, 6, 5, 4, 4, 55]; +const PARAMS_5: [usize; 8] = [60, 19, 32, 8, 7, 2, 3, 75]; + +const ROOTS: [i32; 256] = [ + 0x3ffe00, 0x64f7, 0x581103, 0x77f504, 0x39e44, 0x740119, 0x728129, 0x71e24, 0x1bde2b, 0x23e92b, + 0x7a64ae, 0x5ff480, 0x2f9a75, 0x53db0a, 0x2f7a49, 0x28e527, 0x299658, 0xfa070, 0x6f65a5, + 0x36b788, 0x777d91, 0x6ecaa1, 0x27f968, 0x5fb37c, 0x5f8dd7, 0x44fae8, 0x6a84f8, 0x4ddc99, + 0x1ad035, 0x7f9423, 0x3d3201, 0x445c5, 0x294a67, 0x17620, 0x2ef4cd, 0x35dec5, 0x668504, + 0x49102d, 0x5927d5, 0x3bbeaf, 0x44f586, 0x516e7d, 0x368a96, 0x541e42, 0x360400, 0x7b4a4e, + 0x23d69c, 0x77a55e, 
0x65f23e, 0x66cad7, 0x357e1e, 0x458f5a, 0x35843f, 0x5f3618, 0x67745d, + 0x38738c, 0xc63a8, 0x81b9a, 0xe8f76, 0x3b3853, 0x3b8534, 0x58dc31, 0x1f9d54, 0x552f2e, + 0x43e6e6, 0x688c82, 0x47c1d0, 0x51781a, 0x69b65e, 0x3509ee, 0x2135c7, 0x67afbc, 0x6caf76, + 0x1d9772, 0x419073, 0x709cf7, 0x4f3281, 0x4fb2af, 0x4870e1, 0x1efca, 0x3410f2, 0x70de86, + 0x20c638, 0x296e9f, 0x5297a4, 0x47844c, 0x799a6e, 0x5a140a, 0x75a283, 0x6d2114, 0x7f863c, + 0x6be9f8, 0x7a0bde, 0x1495d4, 0x1c4563, 0x6a0c63, 0x4cdbea, 0x40af0, 0x7c417, 0x2f4588, 0xad00, + 0x6f16bf, 0xdcd44, 0x3c675a, 0x470bcb, 0x7fbe7f, 0x193948, 0x4e49c1, 0x24756c, 0x7ca7e0, + 0xb98a1, 0x6bc809, 0x2e46c, 0x49a809, 0x3036c2, 0x639ff7, 0x5b1c94, 0x7d2ae1, 0x141305, + 0x147792, 0x139e25, 0x67b0e1, 0x737945, 0x69e803, 0x51cea3, 0x44a79d, 0x488058, 0x3a97d9, + 0x1fea93, 0x33ff5a, 0x2358d4, 0x3a41f8, 0x4cdf73, 0x223dfb, 0x5a8ba0, 0x498423, 0x412f5, + 0x252587, 0x6d04f1, 0x359b5d, 0x4a28a1, 0x4682fd, 0x6d9b57, 0x4f25df, 0xdbe5e, 0x1c5e1a, + 0xde0e6, 0xc7f5a, 0x78f83, 0x67428b, 0x7f3705, 0x77e6fd, 0x75e022, 0x503af7, 0x1f0084, + 0x30ef86, 0x49997e, 0x77dcd7, 0x742593, 0x4901c3, 0x53919, 0x4610c, 0x5aad42, 0x3eb01b, + 0x3472e7, 0x4ce03c, 0x1a7cc7, 0x31924, 0x2b5ee5, 0x291199, 0x585a3b, 0x134d71, 0x3de11c, + 0x130984, 0x25f051, 0x185a46, 0x466519, 0x1314be, 0x283891, 0x49bb91, 0x52308a, 0x1c853f, + 0x1d0b4b, 0x6fd6a7, 0x6b88bf, 0x12e11b, 0x4d3e3f, 0x6a0d30, 0x78fde5, 0x1406c7, 0x327283, + 0x61ed6f, 0x6c5954, 0x1d4099, 0x590579, 0x6ae5ae, 0x16e405, 0xbdbe7, 0x221de8, 0x33f8cf, + 0x779935, 0x54aa0d, 0x665ff9, 0x63b158, 0x58711c, 0x470c13, 0x910d8, 0x463e20, 0x612659, + 0x251d8b, 0x2573b7, 0x7d5c90, 0x1ddd98, 0x336898, 0x2d4bb, 0x6d73a8, 0x4f4cbf, 0x27c1c, + 0x18aa08, 0x2dfd71, 0xc5ca5, 0x19379a, 0x478168, 0x646c3e, 0x51813d, 0x35c539, 0x3b0115, + 0x41dc0, 0x21c4f7, 0x70fbf5, 0x1a35e7, 0x7340e, 0x795d46, 0x1a4cd0, 0x645caf, 0x1d2668, + 0x666e99, 0x6f0634, 0x7be5db, 0x455fdc, 0x530765, 0x5dc1b0, 0x7973de, 0x5cfd0a, 0x2cc93, + 0x70f806, 
0x189c2a, 0x49c5aa, 0x776a51, 0x3bcf2c, 0x7f234f, 0x6b16e0, 0x3c15ca, 0x155e68, + 0x72f6b7, 0x1e29ce, +]; +const IROOTS: [i32; 256] = [ + 0x3ffe00, 0x7f7b0a, 0x7eafd, 0x27cefe, 0x78c1dd, 0xd5ed8, 0xbdee8, 0x7c41bd, 0x56fada, + 0x5065b8, 0x2c04f7, 0x50458c, 0x1feb81, 0x57b53, 0x5bf6d6, 0x6401d6, 0x7b9a3c, 0x42ae00, + 0x4bde, 0x650fcc, 0x320368, 0x155b09, 0x3ae519, 0x20522a, 0x202c85, 0x57e699, 0x111560, + 0x86270, 0x492879, 0x107a5c, 0x703f91, 0x5649a9, 0x2ab0d3, 0x6042ad, 0x2703d0, 0x445acd, + 0x44a7ae, 0x71508b, 0x77c467, 0x737c59, 0x476c75, 0x186ba4, 0x20a9e9, 0x4a5bc2, 0x3a50a7, + 0x4a61e3, 0x19152a, 0x19edc3, 0x83aa3, 0x5c0965, 0x495b3, 0x49dc01, 0x2bc1bf, 0x49556b, + 0x2e7184, 0x3aea7b, 0x442152, 0x26b82c, 0x36cfd4, 0x195afd, 0x4a013c, 0x50eb34, 0x7e69e1, + 0x56959a, 0x454828, 0x375fa9, 0x3b3864, 0x2e115e, 0x15f7fe, 0xc66bc, 0x182f20, 0x6c41dc, + 0x6b686f, 0x6bccfc, 0x2b520, 0x24c36d, 0x1c400a, 0x4fa93f, 0x3637f8, 0x7cfb95, 0x1417f8, + 0x744760, 0x33821, 0x5b6a95, 0x319640, 0x66a6b9, 0x2182, 0x38d436, 0x4378a7, 0x7212bd, + 0x10c942, 0x7f3301, 0x509a79, 0x781bea, 0x7bd511, 0x330417, 0x15d39e, 0x639a9e, 0x6b4a2d, + 0x5d423, 0x13f609, 0x59c5, 0x12beed, 0xa3d7e, 0x25cbf7, 0x64593, 0x385bb5, 0x2d485d, 0x567162, + 0x5f19c9, 0xf017b, 0x4bcf0f, 0x7df037, 0x376f20, 0x302d52, 0x30ad80, 0xf430a, 0x3e4f8e, + 0x62488f, 0x13308b, 0x183045, 0x5eaa3a, 0x4ad613, 0x1629a3, 0x2e67e7, 0x381e31, 0x17537f, + 0x3bf91b, 0x61b633, 0xce94a, 0x6a8199, 0x43ca37, 0x14c921, 0xbcb2, 0x4410d5, 0x875b0, 0x361a57, + 0x6743d7, 0xee7fb, 0x7d136e, 0x22e2f7, 0x66c23, 0x221e51, 0x2cd89c, 0x3a8025, 0x3fa26, + 0x10d9cd, 0x197168, 0x62b999, 0x1b8352, 0x659331, 0x682bb, 0x78abf3, 0x65aa1a, 0xee40c, + 0x5e1b0a, 0x7bc241, 0x44deec, 0x4a1ac8, 0x2e5ec4, 0x1b73c3, 0x385e99, 0x66a867, 0x73835c, + 0x51e290, 0x6735f9, 0x7d63e5, 0x309342, 0x126c59, 0x7d0b46, 0x4c7769, 0x620269, 0x28371, + 0x5a6c4a, 0x5ac276, 0x1eb9a8, 0x39a1e1, 0x76cf29, 0x38d3ee, 0x276ee5, 0x1c2ea9, 0x198008, + 0x2b35f4, 0x846cc, 0x4be732, 
0x5dc219, 0x74041a, 0x68fbfc, 0x14fa53, 0x26da88, 0x629f68, + 0x1386ad, 0x1df292, 0x4d6d7e, 0x6bd93a, 0x6e21c, 0x15d2d1, 0x32a1c2, 0x6cfee6, 0x145742, + 0x10095a, 0x62d4b6, 0x635ac2, 0x2daf77, 0x362470, 0x57a770, 0x6ccb43, 0x397ae8, 0x6785bb, + 0x59efb0, 0x6cd67d, 0x41fee5, 0x6c9290, 0x2785c6, 0x56ce68, 0x54811c, 0x7cc6dd, 0x65633a, + 0x32ffc5, 0x4b6d1a, 0x412fe6, 0x2532bf, 0x7b7ef5, 0x7aa6e8, 0x36de3e, 0xbba6e, 0x8032a, + 0x364683, 0x4ef07b, 0x60df7d, 0x2fa50a, 0x9ffdf, 0x7f904, 0xa8fc, 0x189d76, 0x78507e, 0x7360a7, + 0x71ff1b, 0x6381e7, 0x7221a3, 0x30ba22, 0x1244aa, 0x395d04, 0x35b760, 0x4a44a4, 0x12db10, + 0x5aba7a, 0x7bcd0c, 0x365bde, 0x255461, 0x5da206, 0x33008e, 0x459e09, 0x5c872d, 0x4be0a7, + 0x5ff56e, +]; + +/* Montgomery stuff */ + +fn redc(t: u64) -> i32 { + let m = (t as u32).wrapping_mul(ND); + (((m as u64) * (PRIME as u64) + t) >> 32) as i32 +} + +fn nres(x: i32) -> i32 { + redc((x as u64) * R2MODP) +} + +fn modmul(a: i32, b: i32) -> i32 { + redc((a as u64) * (b as u64)) +} + +fn poly_pos(p: &mut [i32]) { + for j in 0..DEGREE { + p[j] += (p[j] >> 31) & PRIME; + } +} +// NTT code + +// Important! +// nres(x); ntt(x) +// nres(y); ntt(y) +// z=x*y +// intt(z); +// redc(z); + +// is equivalent to (note that nres() and redc() cancel out) + +// ntt(x); +// nres(y); ntt(y); +// z=x*y +// intt(z) + +// is equivalent to + +// ntt(x) +// ntt(y) +// z=x*y +// intt(z) +// nres(z) + +// In all cases z ends up in normal (non-Montgomery) form! +// So the conversion to Montgomery form can be "pushed" through the calculation. 
+ +// Here intt(z) <- intt(z);nres(z); +// Combining is more efficient +// note that ntt() and intt() are not mutually inverse + +/* Cooley-Tukey NTT */ +/* Excess of 2 allowed on input - coefficients must be < 2*PRIME */ +fn ntt(x: &mut [i32]) { + let mut t = DEGREE / 2; + let q = PRIME; + + /* Make positive */ + poly_pos(x); + + let mut m = 1; + while m < DEGREE { + let mut k = 0; + for i in 0..m { + let s = ROOTS[m + i]; + for j in k..k + t { + let u = x[j]; + let v = modmul(x[j + t], s); + x[j] = u + v; + x[j + t] = u + 2 * q - v; + } + k += 2 * t; + } + t /= 2; + m *= 2; + } +} + +/* Gentleman-Sande INTT */ +/* Excess of 2 allowed on input - coefficients must be < 2*PRIME */ +/* Output fully reduced */ + +const NTTL: usize = 2; // maybe could be 1? + +fn intt(x: &mut [i32]) { + let mut t = 1; + let q = PRIME; + let mut m = DEGREE / 2; + let mut n = LGN; + while m >= 1 { + let lim = NTTL >> n; + n -= 1; + let mut k = 0; + for i in 0..m { + let s = IROOTS[m + i]; + for j in k..k + t { + let u: i32; + let v: i32; + if m < NTTL && j < k + lim { + u = modmul(x[j], ONE); + v = modmul(x[j + t], ONE); + } else { + u = x[j]; + v = x[j + t]; + } + x[j] = u + v; + let w = u + ((DEGREE / NTTL) as i32) * q - v; + x[j + t] = modmul(w, s); + } + k += 2 * t; + } + t *= 2; + m /= 2; + } + + // fully reduce, nres combined with 1/DEGREE + for j in 0..DEGREE { + x[j] = modmul(x[j], COMBO); + x[j] -= q; + x[j] += (x[j] >> 31) & q; + } +} + +fn nres_it(p: &mut [i32]) { + for i in 0..DEGREE { + p[i] = nres(p[i]); + } +} + +fn redc_it(p: &mut [i32]) { + for i in 0..DEGREE { + p[i] = redc(p[i] as u64); + } +} + +fn poly_copy(p1: &mut [i32], p3: &[i32]) { + for i in 0..DEGREE { + p1[i] = p3[i]; + } +} + +fn poly_scopy(p1: &mut [i32], p3: &[i8]) { + for i in 0..DEGREE { + p1[i] = p3[i] as i32; + } +} + +fn poly_mcopy(p1: &mut [i32], p3: &[i16]) { + for i in 0..DEGREE { + p1[i] = p3[i] as i32; + } +} + +fn poly_zero(p1: &mut [i32]) { + for i in 0..DEGREE { + p1[i] = 0; + } +} + +fn 
poly_negate(p1: &mut [i32], p3: &[i32]) { + for i in 0..DEGREE { + p1[i] = PRIME - p3[i]; + } +} + +fn poly_mul(p1: &mut [i32], p3: &[i32]) { + for i in 0..DEGREE { + p1[i] = modmul(p1[i], p3[i]); + } +} + +fn poly_add(p1: &mut [i32], p3: &[i32]) { + for i in 0..DEGREE { + p1[i] += p3[i]; + } +} + +fn poly_sub(p1: &mut [i32], p3: &[i32]) { + for i in 0..DEGREE { + p1[i] += PRIME - p3[i]; + } +} + +/* reduces inputs < 2q */ +fn poly_soft_reduce(poly: &mut [i32]) { + for i in 0..DEGREE { + let e = poly[i] - PRIME; + poly[i] = e + ((e >> 31) & PRIME); + } +} + +/* fully reduces modulo q */ +fn poly_hard_reduce(poly: &mut [i32]) { + for i in 0..DEGREE { + let mut e = modmul(poly[i], ONE); + e -= PRIME; + poly[i] = e + ((e >> 31) & PRIME); + } +} + +// Generate a[i][j] from rho +fn expandaij(rho: &[u8], aij: &mut [i32], i: usize, j: usize) { + let mut buff: [u8; 4 * DEGREE] = [0; 4 * DEGREE]; + let mut sh = SHA3::new(sha3::SHAKE128); + for m in 0..32 { + sh.process(rho[m]) + } + sh.process(j as u8); + sh.process(i as u8); + sh.shake(&mut buff, 4 * DEGREE); + let mut m = 0; + let mut n = 0; + while m < DEGREE { + let b0 = buff[n] as u32; + let b1 = buff[n + 1] as u32; + let b2 = buff[n + 2] as u32; + let cf = (((b2 & 0x7f) << 16) + (b1 << 8) + b0) as i32; + n += 3; + if cf >= PRIME { + continue; + } + aij[m] = cf; + m += 1; + } +} + +// array t has ab active bits per word +// extract bytes from array of words +// if mx!=0 then -mx<=t[i]<=+mx +fn nextbyte32(ab: usize, mx: usize, t: &[i32], ptr: &mut usize, bts: &mut usize) -> u8 { + let mut left = ab - *bts; + let mut w = t[*ptr]; + let mxm = mx as i32; + if mxm != 0 { + w = mxm - w; + } + let mut r = w >> *bts; + let mut i = 0; + while left < 8 { + i += 1; + w = t[(*ptr) + i]; + if mxm != 0 { + w = mxm - w; + } + r |= w << left; + left += ab; + } + *bts += 8; + while *bts >= ab { + *bts -= ab; + *ptr += 1; + } + r as u8 +} + +fn nextbyte16(ab: usize, mx: usize, t: &[i16], ptr: &mut usize, bts: &mut usize) -> u8 { + let 
mut left = ab - *bts; + let mut w = t[*ptr]; + let mxm = mx as i16; + if mxm != 0 { + w = mxm - w; + } + let mut r = w >> *bts; + let mut i = 0; + while left < 8 { + i += 1; + w = t[(*ptr) + i]; + if mxm != 0 { + w = mxm - w; + } + r |= w << left; + left += ab; + } + *bts += 8; + while *bts >= ab { + *bts -= ab; + *ptr += 1; + } + r as u8 +} + +fn nextbyte8(ab: usize, mx: usize, t: &[i8], ptr: &mut usize, bts: &mut usize) -> u8 { + let mut left = ab - *bts; + let mut w = t[*ptr]; + let mxm = mx as i8; + if mxm != 0 { + w = mxm - w; + } + let mut r = w >> *bts; + let mut i = 0; + while left < 8 { + i += 1; + w = t[(*ptr) + i]; + if mxm != 0 { + w = mxm - w; + } + r |= w << left; + left += ab; + } + *bts += 8; + while *bts >= ab { + *bts -= ab; + *ptr += 1; + } + r as u8 +} + +fn nextword(ab: usize, mx: usize, t: &[u8], ptr: &mut usize, bts: &mut usize) -> i32 { + let mut r = (t[*ptr] >> *bts) as i32; + let mxm = mx as i32; + let mask = (1 << ab) - 1; + let mut w: i32; + let mut i = 0; + let mut gotbits = 8 - *bts; + while gotbits < ab { + i += 1; + w = t[(*ptr) + i] as i32; + r |= w << gotbits; + gotbits += 8; + } + *bts += ab; + while *bts >= 8 { + *bts -= 8; + *ptr += 1; + } + w = r & mask; + if mxm != 0 { + w = mxm - w; + } + w +} + +fn pack_pk(params: &[usize], pk: &mut [u8], rho: &[u8], t1: &[i16]) { + let ck = params[3]; + for i in 0..32 { + pk[i] = rho[i]; + } + let mut ptr = 0 as usize; + let mut bts = 0 as usize; + let mut n = 32; + for _ in 0..(ck * DEGREE * TD) / 8 { + pk[n] = nextbyte16(TD, 0, t1, &mut ptr, &mut bts); + n += 1; + } +} + +fn unpack_pk(params: &[usize], rho: &mut [u8], t1: &mut [i16], pk: &[u8]) { + let ck = params[3]; + for i in 0..32 { + rho[i] = pk[i]; + } + let mut ptr = 0 as usize; + let mut bts = 0 as usize; + for i in 0..ck * DEGREE { + t1[i] = nextword(TD, 0, &pk[32..], &mut ptr, &mut bts) as i16; + } +} + +fn pack_sk( + params: &[usize], + sk: &mut [u8], + rho: &[u8], + bk: &[u8], + tr: &[u8], + s1: &[i8], + s2: &[i8], + t0: 
&[i16], +) { + let ck = params[3]; + let el = params[4]; + let eta = params[5]; + let lg2eta1 = params[6]; + + for i in 0..32 { + sk[i] = rho[i]; + } + let mut n = 32; + for i in 0..32 { + sk[n] = bk[i]; + n += 1; + } + for i in 0..32 { + sk[n] = tr[i]; + n += 1; + } + let mut ptr = 0 as usize; + let mut bts = 0 as usize; + + for _ in 0..(el * DEGREE * lg2eta1) / 8 { + sk[n] = nextbyte8(lg2eta1, eta, s1, &mut ptr, &mut bts); + n += 1; + } + ptr = 0; + bts = 0; + for _ in 0..(ck * DEGREE * lg2eta1) / 8 { + sk[n] = nextbyte8(lg2eta1, eta, s2, &mut ptr, &mut bts); + n += 1; + } + ptr = 0; + bts = 0; + for _ in 0..(ck * DEGREE * D) / 8 { + sk[n] = nextbyte16(D, 1 << (D - 1), t0, &mut ptr, &mut bts); + n += 1; + } +} + +fn unpack_sk( + params: &[usize], + rho: &mut [u8], + bk: &mut [u8], + tr: &mut [u8], + s1: &mut [i8], + s2: &mut [i8], + t0: &mut [i16], + sk: &[u8], +) { + let ck = params[3]; + let el = params[4]; + let eta = params[5]; + let lg2eta1 = params[6]; + + for i in 0..32 { + rho[i] = sk[i]; + } + let mut n = 32; + for i in 0..32 { + bk[i] = sk[n]; + n += 1; + } + for i in 0..32 { + tr[i] = sk[n]; + n += 1; + } + let mut ptr = 0 as usize; + let mut bts = 0 as usize; + + for i in 0..el * DEGREE { + s1[i] = nextword(lg2eta1, eta, &sk[n..], &mut ptr, &mut bts) as i8; + } + n += ptr; + ptr = 0; + bts = 0; + for i in 0..ck * DEGREE { + s2[i] = nextword(lg2eta1, eta, &sk[n..], &mut ptr, &mut bts) as i8; + } + n += ptr; + ptr = 0; + bts = 0; + for i in 0..ck * DEGREE { + t0[i] = nextword(D, 1 << (D - 1), &sk[n..], &mut ptr, &mut bts) as i16; + } +} + +// pack signature - changes z +fn pack_sig(params: &[usize], sig: &mut [u8], z: &mut [i32], ct: &[u8], h: &[u8]) { + let lg = params[1]; + let gamma1 = 1 << lg; + let ck = params[3]; + let el = params[4]; + let omega = params[7]; + + for i in 0..32 { + sig[i] = ct[i]; + } + let mut n = 32; + let mut ptr = 0 as usize; + let mut bts = 0 as usize; + + for i in 0..el { + let row = DEGREE * i; + for m in 0..DEGREE { + let 
mut t = z[row + m]; + if t > PRIME / 2 { + t -= PRIME; + } + t = gamma1 - t; + z[row + m] = t; + } + } + for _ in 0..(el * DEGREE * (lg + 1)) / 8 { + sig[n] = nextbyte32(lg + 1, 0, z, &mut ptr, &mut bts); + n += 1; + } + for i in 0..omega + ck { + sig[n] = h[i]; + n += 1; + } +} + +fn unpack_sig(params: &[usize], z: &mut [i32], ct: &mut [u8], h: &mut [u8], sig: &[u8]) { + let lg = params[1]; + let gamma1 = 1 << lg; + let ck = params[3]; + let el = params[4]; + let omega = params[7]; + + for i in 0..32 { + ct[i] = sig[i]; + } + + let mut ptr = 0 as usize; + let mut bts = 0 as usize; + + for i in 0..el * DEGREE { + let mut t = nextword(lg + 1, 0, &sig[32..], &mut ptr, &mut bts); + t = gamma1 - t; + if t < 0 { + t += PRIME; + } + z[i] = t; + } + let mut m = 32 + (el * DEGREE * (lg + 1)) / 8; + for i in 0..omega + ck { + h[i] = sig[m]; + m += 1; + } +} + +fn sample_sn(params: &[usize], rhod: &[u8], s: &mut [i8], n: usize) { + let mut buff: [u8; 272] = [0; 272]; + let mut sh = SHA3::new(sha3::SHAKE256); + for m in 0..64 { + sh.process(rhod[m]); + } + sh.process((n & 0xff) as u8); + sh.process(((n >> 8) & 0xff) as u8); + sh.shake(&mut buff, 272); + + let eta = params[5]; + let lg2eta1 = params[6]; + + let mut ptr = 0 as usize; + let mut bts = 0 as usize; + for m in 0..DEGREE { + loop { + s[m] = nextword(lg2eta1, 0, &buff, &mut ptr, &mut bts) as i8; + if s[m] <= 2 * (eta as i8) { + break; + } + } + s[m] = (eta as i8) - s[m]; + } +} + +fn sample_y(params: &[usize], k: usize, rhod: &[u8], y: &mut [i32]) { + let lg = params[1]; + let gamma1 = 1 << lg; + let el = params[4]; + let mut buff: [u8; YBYTES] = [0; YBYTES]; + for i in 0..el { + let row = DEGREE * i; + let mut sh = SHA3::new(sha3::SHAKE256); + for j in 0..64 { + sh.process(rhod[j]); + } + let ki = k + i; + sh.process((ki & 0xff) as u8); + sh.process((ki >> 8) as u8); + sh.shake(&mut buff, ((lg + 1) * DEGREE) / 8); + + let mut ptr = 0 as usize; + let mut bts = 0 as usize; + + for m in 0..DEGREE { + let mut w = 
nextword(lg + 1, 0, &buff, &mut ptr, &mut bts); + w = gamma1 - w; + let t = w >> 31; + y[row + m] = w + (PRIME & t); + } + } +} + +fn crh1(params: &[usize], h: &mut [u8], rho: &[u8], t1: &[i16]) { + let mut sh = SHA3::new(sha3::SHAKE256); + for j in 0..32 { + sh.process(rho[j]); + } + let ck = params[3]; + let mut ptr = 0 as usize; + let mut bts = 0 as usize; + + for _ in 0..(ck * DEGREE * TD) / 8 { + sh.process(nextbyte16(TD, 0, t1, &mut ptr, &mut bts)); + } + sh.shake(h, 32); +} + +fn crh2(h: &mut [u8], tr: &[u8], mess: &[u8]) { + let mut sh = SHA3::new(sha3::SHAKE256); + for j in 0..32 { + sh.process(tr[j]); + } + for j in 0..mess.len() { + sh.process(mess[j]); + } + sh.shake(h, 64); +} + +fn crh3(h: &mut [u8], bk: &[u8], mu: &[u8]) { + let mut sh = SHA3::new(sha3::SHAKE256); + for j in 0..32 { + sh.process(bk[j]); + } + for j in 0..64 { + sh.process(mu[j]); + } + sh.shake(h, 64); +} + +fn h4(params: &[usize], ct: &mut [u8], mu: &[u8], w1: &[i8]) { + let ck = params[3]; + let dv = params[2]; + let mut w1b = 4; + if dv == 88 { + w1b = 6; + } + let mut sh = SHA3::new(sha3::SHAKE256); + for j in 0..64 { + sh.process(mu[j]); + } + + let mut ptr = 0 as usize; + let mut bts = 0 as usize; + + for _ in 0..(ck * DEGREE * w1b) / 8 { + sh.process(nextbyte8(w1b, 0, w1, &mut ptr, &mut bts)); + } + sh.shake(ct, 32); +} + +fn sampleinball(params: &[usize], ct: &[u8], c: &mut [i32]) { + let tau = params[0]; + let mut buff: [u8; 136] = [0; 136]; + let mut signs: [u8; 8] = [0; 8]; + let mut sh = SHA3::new(sha3::SHAKE256); + for j in 0..32 { + sh.process(ct[j]); + } + sh.shake(&mut buff, 136); + for i in 0..8 { + signs[i] = buff[i]; + } + let mut k = 8; + let mut b = 0; + poly_zero(c); + let mut j: usize; + let mut n = 1; + let mut sn = signs[0]; + for i in DEGREE - tau..DEGREE { + loop { + j = buff[k] as usize; + k += 1; + if j <= i { + break; + } + } + c[i] = c[j]; + c[j] = 1 - 2 * ((sn as i32) & 1); + sn >>= 1; + b += 1; + if b == 8 { + sn = signs[n]; + n += 1; + b = 0; + } + } 
+} + +fn p2r(r0: &mut i32) -> i16 { + let d = (1 << D) as i32; + let r1 = (*r0 + d / 2 - 1) >> D; + *r0 -= r1 << D; + r1 as i16 +} + +fn power2round(t: &[i32], t0: &mut [i16], t1: &mut [i16]) { + for m in 0..DEGREE { + let mut w = t[m]; + t1[m] = p2r(&mut w); + t0[m] = w as i16; + } +} + +fn decompose_lo(params: &[usize], a: i32) -> i32 { + let dv = params[2]; + let mut a1 = (a + 127) >> 7; + let gamma2: i32; + if dv == 32 { + a1 = (a1 * 1025 + (1 << 21)) >> 22; + a1 &= 15; + gamma2 = (PRIME - 1) / 32; + } else { + // 88 + a1 = (a1 * 11275 + (1 << 23)) >> 24; + a1 ^= ((43 - a1) >> 31) & a1; + gamma2 = (PRIME - 1) / 88; + } + + let mut a0 = a - a1 * 2 * gamma2; + a0 -= (((PRIME - 1) / 2 - a0) >> 31) & PRIME; + a0 += (a0 >> 31) & PRIME; + a0 +} + +fn decompose_hi(params: &[usize], a: i32) -> i8 { + let dv = params[2]; + + let mut a1 = (a + 127) >> 7; + if dv == 32 { + a1 = (a1 * 1025 + (1 << 21)) >> 22; + a1 &= 15; + } else { + // 88 + a1 = (a1 * 11275 + (1 << 23)) >> 24; + a1 ^= ((43 - a1) >> 31) & a1; + } + a1 as i8 +} + +fn lobits(params: &[usize], r0: &mut [i32], r: &[i32]) { + for m in 0..DEGREE { + r0[m] = decompose_lo(params, r[m]); + } +} + +fn hibits(params: &[usize], r1: &mut [i8], r: &[i32]) { + for m in 0..DEGREE { + r1[m] = decompose_hi(params, r[m]); + } +} + +fn makepartialhint(params: &[usize], h: &mut [u8], hptr: usize, z: &[i32], r: &[i32]) -> usize { + let mut ptr = hptr; + let omega = params[7]; + for m in 0..DEGREE { + let a0 = decompose_hi(params, r[m]); + let mut rz = r[m] + z[m]; + rz -= PRIME; + rz = rz + ((rz >> 31) & PRIME); + let a1 = decompose_hi(params, rz); + if a0 != a1 { + if ptr >= omega { + return omega + 1; + } + h[ptr] = (m & 0xff) as u8; + ptr += 1; + } + } + ptr +} + +fn usepartialhint( + params: &[usize], + r: &mut [i8], + h: &[u8], + hptr: usize, + i: usize, + w: &[i32], +) -> usize { + let mut ptr = hptr; + let dv = params[2] as i32; + let omega = params[7]; + let md = (dv / 2) as i8; + + for m in 0..DEGREE { + let mut a1 = 
decompose_hi(params, w[m]); + if m == h[ptr] as usize && ptr < h[omega + i] as usize { + ptr += 1; + let a0 = decompose_lo(params, w[m]); + if a0 <= PRIME / 2 { + a1 += 1; + if a1 >= md { + a1 -= md; + } + } else { + a1 -= 1; + if a1 < 0 { + a1 += md; + } + } + } + r[m] = a1; + } + ptr +} + +fn infinity_norm(w: &[i32]) -> i32 { + let mut n = 0 as i32; + for m in 0..DEGREE { + let mut az = w[m]; + if az > PRIME / 2 { + az = PRIME - az; + } + if az > n { + n = az; + } + } + n +} + +fn keypair(params: &[usize], tau: &[u8], sk: &mut [u8], pk: &mut [u8]) { + let mut sh = SHA3::new(sha3::SHAKE256); + let mut buff: [u8; 128] = [0; 128]; + let mut rho: [u8; 32] = [0; 32]; + let mut rhod: [u8; 64] = [0; 64]; + let mut bk: [u8; 32] = [0; 32]; + let mut tr: [u8; 32] = [0; 32]; + let mut aij: [i32; DEGREE] = [0; DEGREE]; + let mut s1: [i8; MAXL * DEGREE] = [0; MAXL * DEGREE]; + let mut s2: [i8; MAXK * DEGREE] = [0; MAXK * DEGREE]; + let mut t0: [i16; MAXK * DEGREE] = [0; MAXK * DEGREE]; + let mut t1: [i16; MAXK * DEGREE] = [0; MAXK * DEGREE]; + let mut w: [i32; DEGREE] = [0; DEGREE]; + let mut r: [i32; DEGREE] = [0; DEGREE]; + + let ck = params[3]; + let el = params[4]; + + for i in 0..32 { + sh.process(tau[i]); + } + sh.shake(&mut buff, 128); + for i in 0..32 { + rho[i] = buff[i]; + bk[i] = buff[i + 96]; + } + for i in 0..64 { + rhod[i] = buff[i + 32]; + } + + for i in 0..el { + let row = DEGREE * i; + sample_sn(params, &rhod, &mut s1[row..], i); + } + + for i in 0..ck { + let row = DEGREE * i; + sample_sn(params, &rhod, &mut s2[row..], el + i); + poly_zero(&mut r); + for j in 0..el { + poly_scopy(&mut w, &s1[j * DEGREE..]); + ntt(&mut w); + expandaij(&rho, &mut aij, i, j); + poly_mul(&mut w, &aij); + poly_add(&mut r, &w); + } + poly_hard_reduce(&mut r); + intt(&mut r); + poly_scopy(&mut w, &s2[row..]); + poly_pos(&mut w); + poly_add(&mut r, &w); + poly_soft_reduce(&mut r); + power2round(&r, &mut t0[row..], &mut t1[row..]); + } + crh1(params, &mut tr, &rho, &t1); + 
pack_pk(params, pk, &rho, &t1);
+ pack_sk(params, sk, &rho, &bk, &tr, &s1, &s2, &t0);
+}
+
+fn signature(params: &[usize], sk: &[u8], m: &[u8], sig: &mut [u8]) -> usize {
+ let mut rho: [u8; 32] = [0; 32];
+ let mut bk: [u8; 32] = [0; 32];
+ let mut ct: [u8; 32] = [0; 32];
+ let mut tr: [u8; 32] = [0; 32];
+ let mut mu: [u8; 64] = [0; 64];
+ let mut rhod: [u8; 64] = [0; 64];
+ let mut hint: [u8; 100] = [0; 100];
+
+ //let mut aij: [i32; DEGREE] = [0; DEGREE];
+ let mut s1: [i8; MAXL * DEGREE] = [0; MAXL * DEGREE];
+ let mut s2: [i8; MAXK * DEGREE] = [0; MAXK * DEGREE];
+ let mut t0: [i16; MAXK * DEGREE] = [0; MAXK * DEGREE];
+
+ let mut y: [i32; MAXL * DEGREE] = [0; MAXL * DEGREE];
+ let mut ay: [i32; MAXK * DEGREE] = [0; MAXK * DEGREE];
+
+ let mut w1: [i8; MAXK * DEGREE] = [0; MAXK * DEGREE];
+ let mut c: [i32; DEGREE] = [0; DEGREE];
+ let mut w: [i32; DEGREE] = [0; DEGREE];
+ let mut r: [i32; DEGREE] = [0; DEGREE];
+
+ let tau = params[0];
+ let lg = params[1];
+ let gamma1 = (1 << lg) as i32;
+ let dv = params[2] as i32;
+ let gamma2 = (PRIME - 1) / dv;
+ let ck = params[3];
+ let el = params[4];
+ let eta = params[5];
+ let beta = (tau * eta) as i32;
+ let omega = params[7];
+
+ unpack_sk(
+ params, &mut rho, &mut bk, &mut tr, &mut s1, &mut s2, &mut t0, &sk,
+ );
+
+ // signature
+ crh2(&mut mu, &tr, m);
+ crh3(&mut rhod, &bk, &mu);
+ let mut k = 0;
+
+ loop {
+ let fk = k * el;
+ k += 1;
+ sample_y(params, fk, &rhod, &mut y);
+ // NTT y
+ for i in 0..el {
+ let row = DEGREE * i;
+ ntt(&mut y[row..]);
+ }
+ // Calculate ay
+ for i in 0..ck {
+ let row = DEGREE * i;
+ poly_zero(&mut r);
+ for j in 0..el {
+ poly_copy(&mut w, &y[j * DEGREE..]);
+ expandaij(&rho, &mut c, i, j);
+ poly_mul(&mut w, &c);
+ poly_add(&mut r, &w);
+ }
+ poly_hard_reduce(&mut r);
+ intt(&mut r);
+ poly_copy(&mut ay[row..], &r);
+ // Calculate w1
+ hibits(params, &mut w1[row..], &ay[row..]);
+ }
+ // Calculate c
+ h4(params, &mut ct, &mu, &w1);
+ sampleinball(params, &ct, &mut c);
+ let mut badone = false;
+ // Calculate z=y+c.s1
+ ntt(&mut c);
+ for i in 0..el {
+ let row = DEGREE * i;
+ poly_scopy(&mut w, &s1[row..]);
+ ntt(&mut w);
+ poly_mul(&mut w, &c);
+
+ nres_it(&mut w);
+ poly_add(&mut y[row..], &w); // re-use y for z
+ redc_it(&mut y[row..]); // unNTT y
+ intt(&mut y[row..]);
+
+ poly_soft_reduce(&mut y[row..]);
+ if infinity_norm(&y[row..]) >= gamma1 - beta {
+ badone = true;
+ break;
+ }
+ }
+ if badone {
+ continue;
+ }
+ // Calculate ay=w-c.s2 and r0=lobits(w-c.s2)
+ let mut nh = 0;
+ for i in 0..omega + ck {
+ hint[i] = 0;
+ }
+ for i in 0..ck {
+ let row = DEGREE * i;
+ poly_scopy(&mut w, &s2[row..]);
+ ntt(&mut w);
+ poly_mul(&mut w, &c);
+ intt(&mut w);
+ poly_sub(&mut ay[row..], &w);
+ poly_soft_reduce(&mut ay[row..]);
+ lobits(params, &mut w, &ay[row..]);
+ if infinity_norm(&w) >= gamma2 - beta {
+ badone = true;
+ break;
+ }
+ poly_mcopy(&mut w, &t0[row..]);
+ ntt(&mut w);
+ poly_mul(&mut w, &c);
+ intt(&mut w);
+ poly_negate(&mut r, &w);
+ if infinity_norm(&r) >= gamma2 {
+ badone = true;
+ break;
+ }
+ poly_sub(&mut ay[row..], &r);
+ poly_soft_reduce(&mut ay[row..]);
+ nh = makepartialhint(params, &mut hint, nh, &r, &ay[row..]);
+ if nh > omega {
+ badone = true;
+ break;
+ }
+ hint[omega + i] = nh as u8;
+ }
+ if badone {
+ continue;
+ }
+ break;
+ }
+ pack_sig(params, sig, &mut y, &ct, &hint);
+ k
+}
+
+fn verify(params: &[usize], pk: &[u8], m: &[u8], sig: &[u8]) -> bool {
+ let mut rho: [u8; 32] = [0; 32];
+ let mut ct: [u8; 32] = [0; 32];
+ let mut cct: [u8; 32] = [0; 32];
+ let mut tr: [u8; 32] = [0; 32];
+ let mut mu: [u8; 64] = [0; 64];
+ let mut hint: [u8; 100] = [0; 100];
+
+ let mut z: [i32; MAXL * DEGREE] = [0; MAXL * DEGREE];
+ let mut t1: [i16; MAXK * DEGREE] = [0; MAXK * DEGREE];
+ let mut w1d: [i8; MAXK * DEGREE] = [0; MAXK * DEGREE];
+
+ let mut aij: [i32; DEGREE] = [0; DEGREE];
+ let mut c: [i32; DEGREE] = [0; DEGREE];
+ let mut w: [i32; DEGREE] = [0; DEGREE];
+ let mut r: [i32; DEGREE] = [0; DEGREE];
+
+ let tau = params[0];
+ let lg = params[1];
+ let gamma1 = (1 << lg) as i32;
+ let ck = params[3];
+ let el = params[4];
+ let eta = params[5];
+ let beta = (tau * eta) as i32;
+ let omega = params[7];
+
+ unpack_pk(params, &mut rho, &mut t1, pk);
+ unpack_sig(params, &mut z, &mut ct, &mut hint, sig);
+
+ for i in 0..el {
+ let row = DEGREE * i;
+ if infinity_norm(&z[row..]) >= gamma1 - beta {
+ return false;
+ }
+ ntt(&mut z[row..]);
+ }
+ crh1(params, &mut tr, &rho, &t1);
+ crh2(&mut mu, &tr, m);
+
+ sampleinball(params, &ct, &mut c);
+ ntt(&mut c);
+
+ // Calculate az
+ let mut hints = 0;
+ for i in 0..ck {
+ let row = DEGREE * i;
+ poly_zero(&mut r);
+ for j in 0..el {
+ poly_copy(&mut w, &z[j * DEGREE..]);
+ expandaij(&rho, &mut aij, i, j);
+ poly_mul(&mut w, &aij);
+ poly_add(&mut r, &w);
+ }
+ poly_hard_reduce(&mut r);
+
+ // Calculate Az-ct1.2^d
+ for m in 0..DEGREE {
+ w[m] = ((t1[row + m]) as i32) << D;
+ }
+ ntt(&mut w);
+ poly_mul(&mut w, &c);
+ poly_sub(&mut r, &w);
+ intt(&mut r);
+
+ hints = usepartialhint(params, &mut w1d[row..], &mut hint, hints, i, &r);
+ if hints > omega {
+ return false;
+ }
+ }
+
+ h4(params, &mut cct, &mu, &w1d);
+
+ for i in 0..32 {
+ if ct[i] != cct[i] {
+ return false;
+ }
+ }
+ true
+}
+
+// Dilithium API
+
+pub fn keypair_2(tau: &[u8], sk: &mut [u8], pk: &mut [u8]) {
+ keypair(&PARAMS_2, tau, sk, pk);
+}
+
+pub fn signature_2(sk: &[u8], m: &[u8], sig: &mut [u8]) -> usize {
+ signature(&PARAMS_2, sk, m, sig)
+}
+
+pub fn verify_2(pk: &[u8], m: &[u8], sig: &[u8]) -> bool {
+ verify(&PARAMS_2, pk, m, sig)
+}
+
+pub fn keypair_3(tau: &[u8], sk: &mut [u8], pk: &mut [u8]) {
+ keypair(&PARAMS_3, tau, sk, pk);
+}
+
+pub fn signature_3(sk: &[u8], m: &[u8], sig: &mut [u8]) -> usize {
+ signature(&PARAMS_3, sk, m, sig)
+}
+
+pub fn verify_3(pk: &[u8], m: &[u8], sig: &[u8]) -> bool {
+ verify(&PARAMS_3, pk, m, sig)
+}
+
+pub fn keypair_5(tau: &[u8], sk: &mut [u8], pk: &mut [u8]) {
+ keypair(&PARAMS_5, tau, sk, pk);
+}
+
+pub fn signature_5(sk: &[u8], m: &[u8], sig: &mut [u8]) -> usize {
+ signature(&PARAMS_5, sk, m, sig)
+}
+
+pub fn verify_5(pk: &[u8], m: &[u8], sig: &[u8]) -> bool {
+ verify(&PARAMS_5, pk, m, sig)
+}
diff --git a/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/gcm.rs b/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/gcm.rs
similarity index 95%
rename from third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/gcm.rs
rename to third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/gcm.rs
index 310b02b972cc..27c20d0c0581 100644
--- a/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/gcm.rs
+++ b/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/gcm.rs
@@ -42,10 +42,7 @@ pub struct GCM {
 impl GCM {
 fn pack(b: [u8; 4]) -> u32 {
 /* pack bytes into a 32-bit Word */
- ((b[0] as u32) << 24)
- | ((b[1] as u32) << 16)
- | ((b[2] as u32) << 8)
- | (b[3] as u32)
+ ((b[0] as u32) << 24) | ((b[1] as u32) << 16) | ((b[2] as u32) << 8) | (b[3] as u32)
 }
 
 fn unpack(a: u32) -> [u8; 4] {
@@ -299,7 +296,7 @@ impl GCM {
 if let Some(sp) = plain {
 cipher[j] = sp[j] ^ cb[i];
 } else {
- cipher[j] ^=cb[i];
+ cipher[j] ^= cb[i];
 }
 
 self.statex[i] ^= cipher[j];
@@ -353,7 +350,7 @@ impl GCM {
 if j >= len {
 break;
 }
- let oc:u8;
+ let oc: u8;
 if let Some(sc) = cipher {
 oc = sc[j];
 } else {
@@ -377,7 +374,7 @@ impl GCM {
 }
 
 /* Finish and extract Tag */
- pub fn finish(&mut self,tag: &mut [u8], extract: bool) {
+ pub fn finish(&mut self, tag: &mut [u8], extract: bool) {
 /* Finish off GHASH and extract tag (MAC) */
 self.wrap();
 /* extract tag */
@@ -427,20 +424,20 @@ impl GCM {
 }
 }
 
-pub fn encrypt(c: &mut [u8],t: &mut [u8],k: &[u8],iv: &[u8],h: &[u8],p: &[u8]) {
- let mut g=GCM::new();
- g.init(k.len(),k,iv.len(),iv);
- g.add_header(h,h.len());
- g.add_plain(c,Some(p),p.len());
- g.finish(t,true)
+pub fn encrypt(c: &mut [u8], t: &mut [u8], k: &[u8], iv: &[u8], h: &[u8], p: &[u8]) {
+ let mut g = GCM::new();
+ g.init(k.len(), k, iv.len(), iv);
+ g.add_header(h, h.len());
+ g.add_plain(c, Some(p), p.len());
+ g.finish(t, true)
 }
 
-pub fn decrypt(p: &mut [u8],t: &mut [u8],k: &[u8],iv: &[u8],h: &[u8],c: &[u8]) {
- let mut g=GCM::new();
- g.init(k.len(),k,iv.len(),iv);
- g.add_header(h,h.len());
- g.add_cipher(p,Some(c),c.len());
- g.finish(t,true);
+pub fn decrypt(p: &mut [u8], t: &mut [u8], k: &[u8], iv: &[u8], h: &[u8], c: &[u8]) {
+ let mut g = GCM::new();
+ g.init(k.len(), k, iv.len(), iv);
+ g.add_header(h, h.len());
+ g.add_cipher(p, Some(c), c.len());
+ g.finish(t, true);
 }
 
 /*
diff --git a/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/hash256.rs b/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/hash256.rs
similarity index 77%
rename from third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/hash256.rs
rename to third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/hash256.rs
index 8a7b7668a8db..9c23f9b54121 100644
--- a/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/hash256.rs
+++ b/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/hash256.rs
@@ -74,53 +74,77 @@ impl HASH256 { HASH256::s(17, x) ^ HASH256::s(19, x) ^ HASH256::r(10, x) } - pub fn as_bytes(&self,array: &mut [u8]) { - let mut ptr=0; + pub fn as_bytes(&self, array: &mut [u8]) { + let mut ptr = 0; for i in 0..2 { - let mut t=self.length[i]; - array[ptr]=(t%256) as u8; t/=256; ptr+=1; - array[ptr]=(t%256) as u8; t/=256; ptr+=1; - array[ptr]=(t%256) as u8; t/=256; ptr+=1; - array[ptr]=t as u8; ptr+=1; + let mut t = self.length[i]; + array[ptr] = (t % 256) as u8; + t /= 256; + ptr += 1; + array[ptr] = (t % 256) as u8; + t /= 256; + ptr += 1; + array[ptr] = (t % 256) as u8; + t /= 256; + ptr += 1; + array[ptr] = t as u8; + ptr += 1; } for i in 0..8 { - let mut t=self.h[i]; - array[ptr]=(t%256) as u8; t/=256; ptr+=1; - array[ptr]=(t%256) as u8; t/=256; ptr+=1; - array[ptr]=(t%256) as u8; t/=256; ptr+=1; - array[ptr]=t as u8; ptr+=1; + let mut t = self.h[i]; + array[ptr] = (t % 256) as u8; + t /= 256; + ptr += 1; + array[ptr] = (t % 256) as u8; + t /= 256; + ptr += 1; + array[ptr] = (t % 256) as u8; + t /= 256; + ptr += 1; + array[ptr] = t as u8; + ptr += 1; } for i in 0..64 { - let mut t=self.w[i]; - array[ptr]=(t%256) as u8; t/=256; ptr+=1; - array[ptr]=(t%256) as u8; t/=256; ptr+=1; - array[ptr]=(t%256) as u8; t/=256; ptr+=1; - array[ptr]=t as u8; ptr+=1; + let mut t = self.w[i]; + array[ptr] = (t % 256) as u8; + t /= 256; + ptr += 1; + array[ptr] = (t % 256) as u8; + t /= 256; + ptr += 1; + array[ptr] = (t % 256) as u8; + t /= 256; + ptr += 1; + array[ptr] = t as u8; + ptr += 1; } } - pub fn from_bytes(&mut self,array: &[u8]) { - let mut ptr=0; + pub fn from_bytes(&mut self, array: &[u8]) { + let mut ptr = 0; for i in 0..2 { - let mut t=array[ptr+3] as u32; - t=256*t+(array[ptr+2] as u32); - t=256*t+(array[ptr+1] as u32); - t=256*t+(array[ptr] as u32); - self.length[i]=t; ptr+=4; + let mut t = array[ptr + 3] as u32; + t = 256 * t + (array[ptr + 2] as u32); + t = 256 * t + (array[ptr + 1] as u32); + t = 256 * t + (array[ptr] as u32); + 
self.length[i] = t; + ptr += 4; } for i in 0..8 { - let mut t=array[ptr+3] as u32; - t=256*t+(array[ptr+2] as u32); - t=256*t+(array[ptr+1] as u32); - t=256*t+(array[ptr] as u32); - self.h[i]=t; ptr+=4; + let mut t = array[ptr + 3] as u32; + t = 256 * t + (array[ptr + 2] as u32); + t = 256 * t + (array[ptr + 1] as u32); + t = 256 * t + (array[ptr] as u32); + self.h[i] = t; + ptr += 4; } for i in 0..64 { - let mut t=array[ptr+3] as u32; - t=256*t+(array[ptr+2] as u32); - t=256*t+(array[ptr+1] as u32); - t=256*t+(array[ptr] as u32); - self.w[i]=t; ptr+=4; + let mut t = array[ptr + 3] as u32; + t = 256 * t + (array[ptr + 2] as u32); + t = 256 * t + (array[ptr + 1] as u32); + t = 256 * t + (array[ptr] as u32); + self.w[i] = t; + ptr += 4; } } @@ -201,15 +225,15 @@ impl HASH256 { h: [0; 8], w: [0; 64], }; - nh.length[0]=hh.length[0]; - nh.length[1]=hh.length[1]; + nh.length[0] = hh.length[0]; + nh.length[1] = hh.length[1]; for i in 0..64 { nh.w[i] = hh.w[i]; } for i in 0..8 { nh.h[i] = hh.h[i]; } - nh + nh } /* process a single byte */ @@ -266,7 +290,7 @@ impl HASH256 { } pub fn continuing_hash(&self) -> [u8; 32] { - let mut sh=HASH256::new_copy(self); + let mut sh = HASH256::new_copy(self); sh.hash() } } diff --git a/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/hash384.rs b/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/hash384.rs similarity index 69% rename from third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/hash384.rs rename to third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/hash384.rs index 3b41197cc160..4c0b8e2d72f3 100644 --- a/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/hash384.rs +++ b/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/hash384.rs 
@@ -147,77 +147,125 @@ impl HASH384 { HASH384::s(19, x) ^ HASH384::s(61, x) ^ HASH384::r(6, x) } - pub fn as_bytes(&self,array: &mut [u8]) { - let mut ptr=0; + pub fn as_bytes(&self, array: &mut [u8]) { + let mut ptr = 0; for i in 0..2 { - let mut t=self.length[i]; - array[ptr]=(t%256) as u8; t/=256; ptr+=1; - array[ptr]=(t%256) as u8; t/=256; ptr+=1; - array[ptr]=(t%256) as u8; t/=256; ptr+=1; - array[ptr]=(t%256) as u8; t/=256; ptr+=1; - array[ptr]=(t%256) as u8; t/=256; ptr+=1; - array[ptr]=(t%256) as u8; t/=256; ptr+=1; - array[ptr]=(t%256) as u8; t/=256; ptr+=1; - array[ptr]=t as u8; ptr+=1; + let mut t = self.length[i]; + array[ptr] = (t % 256) as u8; + t /= 256; + ptr += 1; + array[ptr] = (t % 256) as u8; + t /= 256; + ptr += 1; + array[ptr] = (t % 256) as u8; + t /= 256; + ptr += 1; + array[ptr] = (t % 256) as u8; + t /= 256; + ptr += 1; + array[ptr] = (t % 256) as u8; + t /= 256; + ptr += 1; + array[ptr] = (t % 256) as u8; + t /= 256; + ptr += 1; + array[ptr] = (t % 256) as u8; + t /= 256; + ptr += 1; + array[ptr] = t as u8; + ptr += 1; } for i in 0..8 { - let mut t=self.h[i]; - array[ptr]=(t%256) as u8; t/=256; ptr+=1; - array[ptr]=(t%256) as u8; t/=256; ptr+=1; - array[ptr]=(t%256) as u8; t/=256; ptr+=1; - array[ptr]=(t%256) as u8; t/=256; ptr+=1; - array[ptr]=(t%256) as u8; t/=256; ptr+=1; - array[ptr]=(t%256) as u8; t/=256; ptr+=1; - array[ptr]=(t%256) as u8; t/=256; ptr+=1; - array[ptr]=t as u8; ptr+=1; + let mut t = self.h[i]; + array[ptr] = (t % 256) as u8; + t /= 256; + ptr += 1; + array[ptr] = (t % 256) as u8; + t /= 256; + ptr += 1; + array[ptr] = (t % 256) as u8; + t /= 256; + ptr += 1; + array[ptr] = (t % 256) as u8; + t /= 256; + ptr += 1; + array[ptr] = (t % 256) as u8; + t /= 256; + ptr += 1; + array[ptr] = (t % 256) as u8; + t /= 256; + ptr += 1; + array[ptr] = (t % 256) as u8; + t /= 256; + ptr += 1; + array[ptr] = t as u8; + ptr += 1; } for i in 0..80 { - let mut t=self.w[i]; - array[ptr]=(t%256) as u8; t/=256; ptr+=1; - 
array[ptr]=(t%256) as u8; t/=256; ptr+=1; - array[ptr]=(t%256) as u8; t/=256; ptr+=1; - array[ptr]=(t%256) as u8; t/=256; ptr+=1; - array[ptr]=(t%256) as u8; t/=256; ptr+=1; - array[ptr]=(t%256) as u8; t/=256; ptr+=1; - array[ptr]=(t%256) as u8; t/=256; ptr+=1; - array[ptr]=t as u8; ptr+=1; + let mut t = self.w[i]; + array[ptr] = (t % 256) as u8; + t /= 256; + ptr += 1; + array[ptr] = (t % 256) as u8; + t /= 256; + ptr += 1; + array[ptr] = (t % 256) as u8; + t /= 256; + ptr += 1; + array[ptr] = (t % 256) as u8; + t /= 256; + ptr += 1; + array[ptr] = (t % 256) as u8; + t /= 256; + ptr += 1; + array[ptr] = (t % 256) as u8; + t /= 256; + ptr += 1; + array[ptr] = (t % 256) as u8; + t /= 256; + ptr += 1; + array[ptr] = t as u8; + ptr += 1; } } - pub fn from_bytes(&mut self,array: &[u8]) { - let mut ptr=0; + pub fn from_bytes(&mut self, array: &[u8]) { + let mut ptr = 0; for i in 0..2 { - let mut t=array[ptr+7] as u64; - t=256*t+(array[ptr+6] as u64); - t=256*t+(array[ptr+5] as u64); - t=256*t+(array[ptr+4] as u64); - t=256*t+(array[ptr+3] as u64); - t=256*t+(array[ptr+2] as u64); - t=256*t+(array[ptr+1] as u64); - t=256*t+(array[ptr] as u64); - self.length[i]=t; ptr+=8; + let mut t = array[ptr + 7] as u64; + t = 256 * t + (array[ptr + 6] as u64); + t = 256 * t + (array[ptr + 5] as u64); + t = 256 * t + (array[ptr + 4] as u64); + t = 256 * t + (array[ptr + 3] as u64); + t = 256 * t + (array[ptr + 2] as u64); + t = 256 * t + (array[ptr + 1] as u64); + t = 256 * t + (array[ptr] as u64); + self.length[i] = t; + ptr += 8; } for i in 0..8 { - let mut t=array[ptr+7] as u64; - t=256*t+(array[ptr+6] as u64); - t=256*t+(array[ptr+5] as u64); - t=256*t+(array[ptr+4] as u64); - t=256*t+(array[ptr+3] as u64); - t=256*t+(array[ptr+2] as u64); - t=256*t+(array[ptr+1] as u64); - t=256*t+(array[ptr] as u64); - self.h[i]=t; ptr+=8; + let mut t = array[ptr + 7] as u64; + t = 256 * t + (array[ptr + 6] as u64); + t = 256 * t + (array[ptr + 5] as u64); + t = 256 * t + (array[ptr + 4] as 
u64); + t = 256 * t + (array[ptr + 3] as u64); + t = 256 * t + (array[ptr + 2] as u64); + t = 256 * t + (array[ptr + 1] as u64); + t = 256 * t + (array[ptr] as u64); + self.h[i] = t; + ptr += 8; } for i in 0..80 { - let mut t=array[ptr+7] as u64; - t=256*t+(array[ptr+6] as u64); - t=256*t+(array[ptr+5] as u64); - t=256*t+(array[ptr+4] as u64); - t=256*t+(array[ptr+3] as u64); - t=256*t+(array[ptr+2] as u64); - t=256*t+(array[ptr+1] as u64); - t=256*t+(array[ptr] as u64); - self.w[i]=t; ptr+=8; + let mut t = array[ptr + 7] as u64; + t = 256 * t + (array[ptr + 6] as u64); + t = 256 * t + (array[ptr + 5] as u64); + t = 256 * t + (array[ptr + 4] as u64); + t = 256 * t + (array[ptr + 3] as u64); + t = 256 * t + (array[ptr + 2] as u64); + t = 256 * t + (array[ptr + 1] as u64); + t = 256 * t + (array[ptr] as u64); + self.w[i] = t; + ptr += 8; } } @@ -298,15 +346,15 @@ impl HASH384 { h: [0; 8], w: [0; 80], }; - nh.length[0]=hh.length[0]; - nh.length[1]=hh.length[1]; + nh.length[0] = hh.length[0]; + nh.length[1] = hh.length[1]; for i in 0..80 { nh.w[i] = hh.w[i]; } for i in 0..8 { nh.h[i] = hh.h[i]; } - nh + nh } /* process a single byte */ @@ -362,7 +410,7 @@ impl HASH384 { digest } pub fn continuing_hash(&self) -> [u8; 48] { - let mut sh=HASH384::new_copy(self); + let mut sh = HASH384::new_copy(self); sh.hash() } } diff --git a/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/hash512.rs b/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/hash512.rs similarity index 69% rename from third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/hash512.rs rename to third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/hash512.rs index 94f8cca6468f..206f9762549d 100644 --- a/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/hash512.rs +++ b/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/hash512.rs 
@@ -147,77 +147,125 @@ impl HASH512 { HASH512::s(19, x) ^ HASH512::s(61, x) ^ HASH512::r(6, x) } - pub fn as_bytes(&self,array: &mut [u8]) { - let mut ptr=0; + pub fn as_bytes(&self, array: &mut [u8]) { + let mut ptr = 0; for i in 0..2 { - let mut t=self.length[i]; - array[ptr]=(t%256) as u8; t/=256; ptr+=1; - array[ptr]=(t%256) as u8; t/=256; ptr+=1; - array[ptr]=(t%256) as u8; t/=256; ptr+=1; - array[ptr]=(t%256) as u8; t/=256; ptr+=1; - array[ptr]=(t%256) as u8; t/=256; ptr+=1; - array[ptr]=(t%256) as u8; t/=256; ptr+=1; - array[ptr]=(t%256) as u8; t/=256; ptr+=1; - array[ptr]=t as u8; ptr+=1; + let mut t = self.length[i]; + array[ptr] = (t % 256) as u8; + t /= 256; + ptr += 1; + array[ptr] = (t % 256) as u8; + t /= 256; + ptr += 1; + array[ptr] = (t % 256) as u8; + t /= 256; + ptr += 1; + array[ptr] = (t % 256) as u8; + t /= 256; + ptr += 1; + array[ptr] = (t % 256) as u8; + t /= 256; + ptr += 1; + array[ptr] = (t % 256) as u8; + t /= 256; + ptr += 1; + array[ptr] = (t % 256) as u8; + t /= 256; + ptr += 1; + array[ptr] = t as u8; + ptr += 1; } for i in 0..8 { - let mut t=self.h[i]; - array[ptr]=(t%256) as u8; t/=256; ptr+=1; - array[ptr]=(t%256) as u8; t/=256; ptr+=1; - array[ptr]=(t%256) as u8; t/=256; ptr+=1; - array[ptr]=(t%256) as u8; t/=256; ptr+=1; - array[ptr]=(t%256) as u8; t/=256; ptr+=1; - array[ptr]=(t%256) as u8; t/=256; ptr+=1; - array[ptr]=(t%256) as u8; t/=256; ptr+=1; - array[ptr]=t as u8; ptr+=1; + let mut t = self.h[i]; + array[ptr] = (t % 256) as u8; + t /= 256; + ptr += 1; + array[ptr] = (t % 256) as u8; + t /= 256; + ptr += 1; + array[ptr] = (t % 256) as u8; + t /= 256; + ptr += 1; + array[ptr] = (t % 256) as u8; + t /= 256; + ptr += 1; + array[ptr] = (t % 256) as u8; + t /= 256; + ptr += 1; + array[ptr] = (t % 256) as u8; + t /= 256; + ptr += 1; + array[ptr] = (t % 256) as u8; + t /= 256; + ptr += 1; + array[ptr] = t as u8; + ptr += 1; } for i in 0..80 { - let mut t=self.w[i]; - array[ptr]=(t%256) as u8; t/=256; ptr+=1; - 
array[ptr]=(t%256) as u8; t/=256; ptr+=1; - array[ptr]=(t%256) as u8; t/=256; ptr+=1; - array[ptr]=(t%256) as u8; t/=256; ptr+=1; - array[ptr]=(t%256) as u8; t/=256; ptr+=1; - array[ptr]=(t%256) as u8; t/=256; ptr+=1; - array[ptr]=(t%256) as u8; t/=256; ptr+=1; - array[ptr]=t as u8; ptr+=1; + let mut t = self.w[i]; + array[ptr] = (t % 256) as u8; + t /= 256; + ptr += 1; + array[ptr] = (t % 256) as u8; + t /= 256; + ptr += 1; + array[ptr] = (t % 256) as u8; + t /= 256; + ptr += 1; + array[ptr] = (t % 256) as u8; + t /= 256; + ptr += 1; + array[ptr] = (t % 256) as u8; + t /= 256; + ptr += 1; + array[ptr] = (t % 256) as u8; + t /= 256; + ptr += 1; + array[ptr] = (t % 256) as u8; + t /= 256; + ptr += 1; + array[ptr] = t as u8; + ptr += 1; } } - pub fn from_bytes(&mut self,array: &[u8]) { - let mut ptr=0; + pub fn from_bytes(&mut self, array: &[u8]) { + let mut ptr = 0; for i in 0..2 { - let mut t=array[ptr+7] as u64; - t=256*t+(array[ptr+6] as u64); - t=256*t+(array[ptr+5] as u64); - t=256*t+(array[ptr+4] as u64); - t=256*t+(array[ptr+3] as u64); - t=256*t+(array[ptr+2] as u64); - t=256*t+(array[ptr+1] as u64); - t=256*t+(array[ptr] as u64); - self.length[i]=t; ptr+=8; + let mut t = array[ptr + 7] as u64; + t = 256 * t + (array[ptr + 6] as u64); + t = 256 * t + (array[ptr + 5] as u64); + t = 256 * t + (array[ptr + 4] as u64); + t = 256 * t + (array[ptr + 3] as u64); + t = 256 * t + (array[ptr + 2] as u64); + t = 256 * t + (array[ptr + 1] as u64); + t = 256 * t + (array[ptr] as u64); + self.length[i] = t; + ptr += 8; } for i in 0..8 { - let mut t=array[ptr+7] as u64; - t=256*t+(array[ptr+6] as u64); - t=256*t+(array[ptr+5] as u64); - t=256*t+(array[ptr+4] as u64); - t=256*t+(array[ptr+3] as u64); - t=256*t+(array[ptr+2] as u64); - t=256*t+(array[ptr+1] as u64); - t=256*t+(array[ptr] as u64); - self.h[i]=t; ptr+=8; + let mut t = array[ptr + 7] as u64; + t = 256 * t + (array[ptr + 6] as u64); + t = 256 * t + (array[ptr + 5] as u64); + t = 256 * t + (array[ptr + 4] as 
u64); + t = 256 * t + (array[ptr + 3] as u64); + t = 256 * t + (array[ptr + 2] as u64); + t = 256 * t + (array[ptr + 1] as u64); + t = 256 * t + (array[ptr] as u64); + self.h[i] = t; + ptr += 8; } for i in 0..80 { - let mut t=array[ptr+7] as u64; - t=256*t+(array[ptr+6] as u64); - t=256*t+(array[ptr+5] as u64); - t=256*t+(array[ptr+4] as u64); - t=256*t+(array[ptr+3] as u64); - t=256*t+(array[ptr+2] as u64); - t=256*t+(array[ptr+1] as u64); - t=256*t+(array[ptr] as u64); - self.w[i]=t; ptr+=8; + let mut t = array[ptr + 7] as u64; + t = 256 * t + (array[ptr + 6] as u64); + t = 256 * t + (array[ptr + 5] as u64); + t = 256 * t + (array[ptr + 4] as u64); + t = 256 * t + (array[ptr + 3] as u64); + t = 256 * t + (array[ptr + 2] as u64); + t = 256 * t + (array[ptr + 1] as u64); + t = 256 * t + (array[ptr] as u64); + self.w[i] = t; + ptr += 8; } } @@ -298,15 +346,15 @@ impl HASH512 { h: [0; 8], w: [0; 80], }; - nh.length[0]=hh.length[0]; - nh.length[1]=hh.length[1]; + nh.length[0] = hh.length[0]; + nh.length[1] = hh.length[1]; for i in 0..80 { nh.w[i] = hh.w[i]; } for i in 0..8 { nh.h[i] = hh.h[i]; } - nh + nh } /* process a single byte */ @@ -362,7 +410,7 @@ impl HASH512 { digest } pub fn continuing_hash(&self) -> [u8; 64] { - let mut sh=HASH512::new_copy(self); + let mut sh = HASH512::new_copy(self); sh.hash() } } diff --git a/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/hmac.rs b/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/hmac.rs similarity index 70% rename from third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/hmac.rs rename to third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/hmac.rs index eb2dc0a6c16d..1b2f3e894e8a 100644 --- a/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/hmac.rs +++ b/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/hmac.rs 
@@ -17,12 +17,11 @@ * limitations under the License. */ - use crate::hash256::HASH256; use crate::hash384::HASH384; use crate::hash512::HASH512; -use crate::sha3::SHA3; use crate::rand::RAND; +use crate::sha3::SHA3; pub const MC_SHA2: usize = 2; pub const MC_SHA3: usize = 3; @@ -31,11 +30,18 @@ pub const SHA384: usize = 48; pub const SHA512: usize = 64; #[allow(non_snake_case)] - /* General Purpose Hash function */ - #[allow(clippy::too_many_arguments)] -pub fn GPhashit(hash: usize, sha: usize,w: &mut [u8],pad: usize,zpad: usize,a: Option<&[u8]>, n: isize, b: Option<&[u8]>) { +pub fn GPhashit( + hash: usize, + sha: usize, + w: &mut [u8], + pad: usize, + zpad: usize, + a: Option<&[u8]>, + n: isize, + b: Option<&[u8]>, +) { let mut r: [u8; 64] = [0; 64]; if hash == MC_SHA2 { @@ -133,8 +139,8 @@ pub fn GPhashit(hash: usize, sha: usize,w: &mut [u8],pad: usize,zpad: usize,a: O } #[allow(non_snake_case)] -pub fn SPhashit(hash: usize, sha: usize,w: &mut [u8],a: Option<&[u8]>) { - GPhashit(hash,sha,w,0,0,a,-1,None); +pub fn SPhashit(hash: usize, sha: usize, w: &mut [u8], a: Option<&[u8]>) { + GPhashit(hash, sha, w, 0, 0, a, -1, None); } pub fn inttobytes(n: usize, b: &mut [u8]) { @@ -159,7 +165,7 @@ pub fn kdf2(hash: usize, sha: usize, z: &[u8], p: Option<&[u8]>, olen: usize, k: for counter in 1..cthreshold + 1 { let mut b: [u8; 64] = [0; 64]; - GPhashit(hash, sha, &mut b,0,0,Some(z), counter as isize, p); + GPhashit(hash, sha, &mut b, 0, 0, Some(z), counter as isize, p); if lk + hlen > olen { for i in 0..(olen % hlen) { k[lk] = b[i]; 
@@ -177,7 +183,15 @@ pub fn kdf2(hash: usize, sha: usize, z: &[u8], p: Option<&[u8]>, olen: usize, k: /* Password based Key Derivation Function */ /* Input password p, salt s, and repeat count */ /* Output key of length olen */ -pub fn pbkdf2(hash: usize, sha: usize, pass: &[u8], salt: &[u8], rep: usize, olen: usize, k: &mut [u8]) { +pub fn pbkdf2( + hash: usize, + sha: usize, + pass: &[u8], + salt: &[u8], + rep: usize, + olen: usize, + k: &mut [u8], +) { let mut d = olen / sha; if olen % sha != 0 { d += 1 @@ -222,15 +236,15 @@ pub fn pbkdf2(hash: usize, sha: usize, pass: &[u8], salt: &[u8], rep: usize, ole } fn blksize(hash: usize, sha: usize) -> usize { - let mut lb=0; + let mut lb = 0; if hash == MC_SHA2 { - lb=64; + lb = 64; if sha > 32 { - lb=128; + lb = 128; } } if hash == MC_SHA3 { - lb=200-2*sha; + lb = 200 - 2 * sha; } lb } @@ -243,7 +257,7 @@ pub fn hmac1(hash: usize, sha: usize, tag: &mut [u8], olen: usize, k: &[u8], m: let mut b: [u8; 64] = [0; 64]; /* Not good */ let mut k0: [u8; 128] = [0; 128]; - let lb=blksize(hash,sha); + let lb = blksize(hash, sha); if lb == 0 { return false; } @@ -253,7 +267,7 @@ pub fn hmac1(hash: usize, sha: usize, tag: &mut [u8], olen: usize, k: &[u8], m: } if k.len() > lb { - SPhashit(hash,sha,&mut b,Some(k)); + SPhashit(hash, sha, &mut b, Some(k)); //GPhashit(hash, sha, &mut b,0,0,k, 0, None); for i in 0..sha { k0[i] = b[i] 
@@ -268,63 +282,79 @@ pub fn hmac1(hash: usize, sha: usize, tag: &mut [u8], olen: usize, k: &[u8], m: k0[i] ^= 0x36 } - GPhashit(hash, sha, &mut b,0,0,Some(&k0[0..lb]), -1, Some(m)); + GPhashit(hash, sha, &mut b, 0, 0, Some(&k0[0..lb]), -1, Some(m)); for i in 0..lb { k0[i] ^= 0x6a } - GPhashit(hash, sha, tag,olen,0,Some(&k0[0..lb]), -1, Some(&b[0..sha])); + GPhashit( + hash, + sha, + tag, + olen, + 0, + Some(&k0[0..lb]), + -1, + Some(&b[0..sha]), + ); true } -pub fn hkdf_extract(hash: usize, hlen: usize, prk: &mut [u8],salt: Option<&[u8]>,ikm: &[u8]) { - if let Some(x)=salt { - hmac1(hash,hlen,prk,hlen,x,ikm); +pub fn hkdf_extract(hash: usize, hlen: usize, prk: &mut [u8], salt: Option<&[u8]>, ikm: &[u8]) { + if let Some(x) = salt { + hmac1(hash, hlen, prk, hlen, x, ikm); } else { let h: [u8; 64] = [0; 64]; - hmac1(hash,hlen,prk,hlen,&h[0..hlen],ikm); + hmac1(hash, hlen, prk, hlen, &h[0..hlen], ikm); } } pub fn hkdf_expand(hash: usize, hlen: usize, okm: &mut [u8], olen: usize, prk: &[u8], info: &[u8]) { - let n=olen/hlen; - let flen=olen%hlen; + let n = olen / hlen; + let flen = olen % hlen; - let mut t: [u8; 1024] = [0; 1024]; // >= info.length+hlen+1 + let mut t: [u8; 1024] = [0; 1024]; // >= info.length+hlen+1 let mut k: [u8; 64] = [0; 64]; - let mut l=0; - let mut m=0; + let mut l = 0; + let mut m = 0; for i in 1..=n { for j in 0..info.len() { - t[l]=info[j]; l+=1; + t[l] = info[j]; + l += 1; } - t[l]=i as u8; l+=1; - hmac1(hash,hlen,&mut k,hlen,prk,&t[0..l]); - l=0; + t[l] = i as u8; + l += 1; + hmac1(hash, hlen, &mut k, hlen, prk, &t[0..l]); + l = 0; for j in 0..hlen { - okm[m]=k[j]; m+=1; - t[l]=k[j]; l+=1; + okm[m] = k[j]; + m += 1; + t[l] = k[j]; + l += 1; } } - if flen>0 { + if flen > 0 { for j in 0..info.len() { - t[l]=info[j]; l+=1; + t[l] = info[j]; + l += 1; } - t[l]=(n+1) as u8; l+=1; - hmac1(hash,hlen,&mut k,flen,prk,&t[0..l]); + t[l] = (n + 1) as u8; + l += 1; + hmac1(hash, hlen, &mut k, flen, prk, &t[0..l]); for j in 0..flen { - okm[m]=k[j]; m+=1; 
+ okm[m] = k[j]; + m += 1; } } } -fn ceil(a: usize,b: usize) -> usize { - (a-1)/b+1 +fn ceil(a: usize, b: usize) -> usize { + (a - 1) / b + 1 } -pub fn xof_expand(hlen: usize,okm: &mut [u8],olen: usize,dst: &[u8],msg: &[u8]) { +pub fn xof_expand(hlen: usize, okm: &mut [u8], olen: usize, dst: &[u8], msg: &[u8]) { let mut h = SHA3::new(hlen); for i in 0..msg.len() { h.process(msg[i]); @@ -337,13 +367,22 @@ pub fn xof_expand(hlen: usize,okm: &mut [u8],olen: usize,dst: &[u8],msg: &[u8]) } h.process((dst.len() & 0xff) as u8); - h.shake(okm,olen); + h.shake(okm, olen); } -pub fn xmd_expand(hash: usize,hlen: usize,okm: &mut [u8],olen: usize,dst: &[u8],msg: &[u8]) { - let mut w:[u8; 64]=[0;64]; +pub fn xmd_expand(hash: usize, hlen: usize, okm: &mut [u8], olen: usize, dst: &[u8], msg: &[u8]) { + let mut w: [u8; 64] = [0; 64]; if dst.len() >= 256 { - GPhashit(hash, hlen, &mut w, 0, 0, Some(b"H2C-OVERSIZE-DST-"), -1, Some(&dst)); + GPhashit( + hash, + hlen, + &mut w, + 0, + 0, + Some(b"H2C-OVERSIZE-DST-"), + -1, + Some(&dst), + ); xmd_expand_short_dst(hash, hlen, okm, olen, &w[0..hlen], msg); } else { xmd_expand_short_dst(hash, hlen, okm, olen, dst, msg); 
@@ -351,49 +390,72 @@ pub fn xmd_expand(hash: usize,hlen: usize,okm: &mut [u8],olen: usize,dst: &[u8], } // Assumes dst.len() < 256. -fn xmd_expand_short_dst(hash: usize,hlen: usize,okm: &mut [u8],olen: usize,dst: &[u8],msg: &[u8]) { - +fn xmd_expand_short_dst( + hash: usize, + hlen: usize, + okm: &mut [u8], + olen: usize, + dst: &[u8], + msg: &[u8], +) { let mut tmp: [u8; 260] = [0; 260]; - let mut h0: [u8; 64]=[0;64]; - let mut h1: [u8; 64]=[0;64]; - let mut h2: [u8; 64]=[0;64]; + let mut h0: [u8; 64] = [0; 64]; + let mut h1: [u8; 64] = [0; 64]; + let mut h2: [u8; 64] = [0; 64]; - let ell=ceil(olen,hlen); - let blk=blksize(hash,hlen); - tmp[0]=((olen >> 8) & 0xff) as u8; - tmp[1]=(olen & 0xff) as u8; - tmp[2]=0; + let ell = ceil(olen, hlen); + let blk = blksize(hash, hlen); + tmp[0] = ((olen >> 8) & 0xff) as u8; + tmp[1] = (olen & 0xff) as u8; + tmp[2] = 0; for j in 0..dst.len() { - tmp[3+j]=dst[j]; - } - tmp[3+dst.len()]=(dst.len() & 0xff) as u8; - - GPhashit(hash, hlen, &mut h0, 0, blk, Some(msg), -1, Some(&tmp[0..dst.len()+4])); - - let mut k=0; - for i in 1..=ell { - for j in 0..hlen { - h1[j]^=h0[j]; - h2[j]=h1[j]; - } - tmp[0]=i as u8; - - for j in 0..dst.len() { - tmp[1+j]=dst[j]; - } - tmp[1+dst.len()]=(dst.len() & 0xff) as u8; - - GPhashit(hash, hlen, &mut h1, 0, 0, Some(&h2[0..hlen]), -1, Some(&tmp[0..dst.len()+2])); + tmp[3 + j] = dst[j]; + } + tmp[3 + dst.len()] = (dst.len() & 0xff) as u8; + + GPhashit( + hash, + hlen, + &mut h0, + 0, + blk, + Some(msg), + -1, + Some(&tmp[0..dst.len() + 4]), + ); + + let mut k = 0; + for i in 1..=ell { + for j in 0..hlen { + h1[j] ^= h0[j]; + h2[j] = h1[j]; + } + tmp[0] = i as u8; + + for j in 0..dst.len() { + tmp[1 + j] = dst[j]; + } + tmp[1 + dst.len()] = (dst.len() & 0xff) as u8; + + GPhashit( + hash, + hlen, + &mut h1, + 0, + 0, + Some(&h2[0..hlen]), + -1, + Some(&tmp[0..dst.len() + 2]), + ); for j in 0..hlen { - okm[k]=h1[j]; - k+=1; - if k==olen { + okm[k] = h1[j]; + k += 1; + if k == olen { break; } } } - } /* 
Mask Generation Function */ @@ -412,7 +474,7 @@ pub fn mgf1(sha: usize, z: &[u8], olen: usize, k: &mut [u8]) { } for counter in 0..cthreshold { let mut b: [u8; 64] = [0; 64]; - GPhashit(MC_SHA2,sha,&mut b,0,0,Some(z),counter as isize,None); + GPhashit(MC_SHA2, sha, &mut b, 0, 0, Some(z), counter as isize, None); //hashit(sha, Some(z), counter as isize, &mut b); if j + hlen > olen { @@ -439,7 +501,7 @@ pub fn mgf1xor(sha: usize, z: &[u8], olen: usize, k: &mut [u8]) { } for counter in 0..cthreshold { let mut b: [u8; 64] = [0; 64]; - GPhashit(MC_SHA2,sha,&mut b,0,0,Some(z),counter as isize,None); + GPhashit(MC_SHA2, sha, &mut b, 0, 0, Some(z), counter as isize, None); if j + hlen > olen { for i in 0..(olen % hlen) { @@ -470,7 +532,7 @@ const SHA512ID: [u8; 19] = [ 0x00, 0x04, 0x40, ]; -pub fn pkcs15(sha: usize, m: &[u8], w: &mut [u8],rfs: usize) -> bool { +pub fn pkcs15(sha: usize, m: &[u8], w: &mut [u8], rfs: usize) -> bool { let olen = rfs; let hlen = sha; let idlen = 19; @@ -479,7 +541,7 @@ pub fn pkcs15(sha: usize, m: &[u8], w: &mut [u8],rfs: usize) -> bool { if olen < idlen + hlen + 10 { return false; } - SPhashit(MC_SHA2,sha,&mut b,Some(m)); + SPhashit(MC_SHA2, sha, &mut b, Some(m)); for i in 0..w.len() { w[i] = 0 
@@ -523,13 +585,19 @@ pub fn pkcs15(sha: usize, m: &[u8], w: &mut [u8],rfs: usize) -> bool { // Alternate PKCS 1.5 /* SHAXXX identifier strings */ const SHA256IDB: [u8; 17] = [ - 0x30, 0x2f, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x04, 0x20]; + 0x30, 0x2f, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x04, + 0x20, +]; const SHA384IDB: [u8; 17] = [ - 0x30, 0x3f, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x04, 0x30]; + 0x30, 0x3f, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x04, + 0x30, +]; const SHA512IDB: [u8; 17] = [ - 0x30, 0x4f, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x04, 0x40]; + 0x30, 0x4f, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x04, + 0x40, +]; -pub fn pkcs15b(sha: usize, m: &[u8], w: &mut [u8],rfs: usize) -> bool { +pub fn pkcs15b(sha: usize, m: &[u8], w: &mut [u8], rfs: usize) -> bool { let olen = rfs; let hlen = sha; let idlen = 17; @@ -538,7 +606,7 @@ pub fn pkcs15b(sha: usize, m: &[u8], w: &mut [u8],rfs: usize) -> bool { if olen < idlen + hlen + 10 { return false; } - SPhashit(MC_SHA2,sha,&mut b,Some(m)); + SPhashit(MC_SHA2, sha, &mut b, Some(m)); for i in 0..w.len() { w[i] = 0 } 
@@ -579,112 +647,118 @@ pub fn pkcs15b(sha: usize, m: &[u8], w: &mut [u8],rfs: usize) -> bool { } pub fn pss_encode(sha: usize, m: &[u8], rng: &mut RAND, f: &mut [u8], rfs: usize) -> bool { - let emlen=rfs; - let embits=8*emlen-1; - let hlen=sha; - let mut h:[u8;64]=[0;64]; + let emlen = rfs; + let embits = 8 * emlen - 1; + let hlen = sha; + let mut h: [u8; 64] = [0; 64]; let mut salt: [u8; 64] = [0; 64]; - let mut md: [u8;136]=[0;136]; + let mut md: [u8; 136] = [0; 136]; for i in 0..hlen { salt[i] = rng.getbyte() } - let mask=(0xff as u8)>> (8*emlen-embits); - SPhashit(MC_SHA2,sha,&mut h,Some(m)); - if emlen> (8 * emlen - embits); + SPhashit(MC_SHA2, sha, &mut h, Some(m)); + if emlen < hlen + hlen + 2 { return false; } for i in 0..8 { - md[i]=0; + md[i] = 0; } for i in 0..hlen { - md[8+i]=h[i]; + md[8 + i] = h[i]; } for i in 0..hlen { - md[8+hlen+i]=salt[i]; + md[8 + hlen + i] = salt[i]; } - SPhashit(MC_SHA2,sha,&mut h,Some(&md[0..8+hlen+hlen])); - for i in 0..emlen-hlen-hlen-2 { - f[i]=0; + SPhashit(MC_SHA2, sha, &mut h, Some(&md[0..8 + hlen + hlen])); + for i in 0..emlen - hlen - hlen - 2 { + f[i] = 0; } - f[emlen-hlen-hlen-2]=0x01; + f[emlen - hlen - hlen - 2] = 0x01; for i in 0..hlen { - f[emlen+i-hlen-hlen-1]=salt[i]; + f[emlen + i - hlen - hlen - 1] = salt[i]; } - mgf1xor(sha,&h[0..hlen],emlen-hlen-1,f); - f[0]&=mask; + mgf1xor(sha, &h[0..hlen], emlen - hlen - 1, f); + f[0] &= mask; for i in 0..hlen { - f[emlen+i-hlen-1]=h[i]; + f[emlen + i - hlen - 1] = h[i]; } - f[emlen-1]=0xbc as u8; + f[emlen - 1] = 0xbc as u8; true } -pub fn pss_verify(sha: usize, m: &[u8],f: &[u8]) -> bool { - let emlen=f.len(); - let embits=8*emlen-1; - let hlen=sha; - let mut db:[u8;512]=[0;512]; - let mut hmask:[u8;64]=[0;64]; - let mut h:[u8;64]=[0;64]; +pub fn pss_verify(sha: usize, m: &[u8], f: &[u8]) -> bool { + let emlen = f.len(); + let embits = 8 * emlen - 1; + let hlen = sha; + let mut db: [u8; 512] = [0; 512]; + let mut hmask: [u8; 64] = [0; 64]; + let mut h: [u8; 64] = [0; 
64]; let mut salt: [u8; 64] = [0; 64]; - let mut md: [u8;136]=[0;136]; - let mask=(0xff as u8)>> (8*emlen-embits); + let mut md: [u8; 136] = [0; 136]; + let mask = (0xff as u8) >> (8 * emlen - embits); - SPhashit(MC_SHA2,sha,&mut hmask,Some(m)); - if emlen, f: &mut [u8], rfs: usize) -> bool { +pub fn oaep_encode( + sha: usize, + m: &[u8], + rng: &mut RAND, + p: Option<&[u8]>, + f: &mut [u8], + rfs: usize, +) -> bool { let olen = rfs - 1; let mlen = m.len(); @@ -699,7 +773,7 @@ pub fn oaep_encode(sha: usize, m: &[u8], rng: &mut RAND, p: Option<&[u8]>, f: &m let mut dbmask: [u8; 512] = [0; 512]; - SPhashit(MC_SHA2,sha,f,p); + SPhashit(MC_SHA2, sha, f, p); //hashit(sha, p, -1, f); let slen = olen - mlen - hlen - seedlen - 1; @@ -743,7 +817,7 @@ pub fn oaep_encode(sha: usize, m: &[u8], rng: &mut RAND, p: Option<&[u8]>, f: &m } /* OAEP Message Decoding for Decryption */ -pub fn oaep_decode(sha: usize, p: Option<&[u8]>, f: &mut [u8],rfs :usize) -> usize { +pub fn oaep_decode(sha: usize, p: Option<&[u8]>, f: &mut [u8], rfs: usize) -> usize { let olen = rfs - 1; let hlen = sha; @@ -765,7 +839,7 @@ pub fn oaep_decode(sha: usize, p: Option<&[u8]>, f: &mut [u8],rfs :usize) -> usi f[i] = 0; } } - SPhashit(MC_SHA2,sha,&mut chash,p); + SPhashit(MC_SHA2, sha, &mut chash, p); //hashit(sha, p, -1, &mut chash); let x = f[0]; @@ -783,9 +857,9 @@ pub fn oaep_decode(sha: usize, p: Option<&[u8]>, f: &mut [u8],rfs :usize) -> usi dbmask[i] ^= f[i] } - let mut comp=0; + let mut comp = 0; for i in 0..hlen { - comp |= (chash[i]^dbmask[i]) as usize; + comp |= (chash[i] ^ dbmask[i]) as usize; } for i in 0..olen - seedlen - hlen { 
@@ -797,18 +871,18 @@ pub fn oaep_decode(sha: usize, p: Option<&[u8]>, f: &mut [u8],rfs :usize) -> usi chash[i] = 0 } -// find first non-zero t in array - let mut k=0; - let mut t=0; - let m=olen-seedlen-hlen; + // find first non-zero t in array + let mut k = 0; + let mut t = 0; + let m = olen - seedlen - hlen; for i in 0..m { - if t==0 && dbmask[i]!=0 { - k=i; - t=dbmask[i]; + if t == 0 && dbmask[i] != 0 { + k = i; + t = dbmask[i]; } } - if comp!=0 || x != 0 || t != 0x01 { + if comp != 0 || x != 0 || t != 0x01 { for i in 0..olen - seedlen { dbmask[i] = 0 } @@ -867,4 +941,3 @@ use core::hmac; */ - diff --git a/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/kyber.rs b/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/kyber.rs new file mode 100644 index 000000000000..e7a8ef762170 --- /dev/null +++ b/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/kyber.rs 
@@ -0,0 +1,728 @@ +/* + * Copyright (c) 2012-2020 MIRACL UK Ltd. + * + * This file is part of MIRACL Core + * (see https://github.com/miracl/core). + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/* Kyber API high-level functions. Constant time where it matters. Slow (spends nearly all of its time running SHA3) but small. + + M.Scott 06/07/2022 +*/ + +use crate::sha3; +use crate::sha3::SHA3; + +const LGN: usize = 8; +const DEGREE: usize = 1 << LGN; +const PRIME: i16 = 0xD01; + +const ONE: i16 = 0x549; // r mod q +const QINV: i32 = -3327; // -1/q mod 2^16 + //const TWO26: i32 = 1<<26; // 2^26 +const TWO25: i32 = 1 << 25; // 2^25 +const BARC: i32 = 20159; // ((TWO26 + PRIME/2)/PRIME) + +pub const SECRET_CPA_SIZE_512: usize = 2 * (DEGREE * 3) / 2; +pub const PUBLIC_SIZE_512: usize = 32 + 2 * (DEGREE * 3) / 2; +pub const CIPHERTEXT_SIZE_512: usize = (10 * 2 + 4) * DEGREE / 8; +pub const SECRET_CCA_SIZE_512: usize = SECRET_CPA_SIZE_512 + PUBLIC_SIZE_512 + 64; +pub const SHARED_SECRET_512: usize = 32; + +pub const SECRET_CPA_SIZE_768: usize = 3 * (DEGREE * 3) / 2; +pub const PUBLIC_SIZE_768: usize = 32 + 3 * (DEGREE * 3) / 2; +pub const CIPHERTEXT_SIZE_768: usize = (10 * 3 + 4) * DEGREE / 8; +pub const SECRET_CCA_SIZE_768: usize = SECRET_CPA_SIZE_768 + PUBLIC_SIZE_768 + 64; +pub const SHARED_SECRET_768: usize = 32; + +pub const SECRET_CPA_SIZE_1024: usize = 4 * (DEGREE * 3) / 2; +pub const PUBLIC_SIZE_1024: usize = 32 + 4 * (DEGREE * 3) / 2; +pub const 
CIPHERTEXT_SIZE_1024: usize = (11 * 4 + 5) * DEGREE / 8; +pub const SECRET_CCA_SIZE_1024: usize = SECRET_CPA_SIZE_1024 + PUBLIC_SIZE_1024 + 64; +pub const SHARED_SECRET_1024: usize = 32; + +pub const MAXK: usize = 4; + +// parameters for each security level +// K,eta1,eta2,du,dv,shared secret +const PARAMS_512: [usize; 6] = [2, 3, 2, 10, 4, 32]; +const PARAMS_768: [usize; 6] = [3, 2, 2, 10, 4, 32]; +const PARAMS_1024: [usize; 6] = [4, 2, 2, 11, 5, 32]; + +/* Start of public domain reference implementation code - translated from https://github.com/pq-crystals/kyber */ + +const ZETAS: [i16; 128] = [ + -1044, -758, -359, -1517, 1493, 1422, 287, 202, -171, 622, 1577, 182, 962, -1202, -1474, 1468, + 573, -1325, 264, 383, -829, 1458, -1602, -130, -681, 1017, 732, 608, -1542, 411, -205, -1571, + 1223, 652, -552, 1015, -1293, 1491, -282, -1544, 516, -8, -320, -666, -1618, -1162, 126, 1469, + -853, -90, -271, 830, 107, -1421, -247, -951, -398, 961, -1508, -725, 448, -1065, 677, -1275, + -1103, 430, 555, 843, -1251, 871, 1550, 105, 422, 587, 177, -235, -291, -460, 1574, 1653, -246, + 778, 1159, -147, -777, 1483, -602, 1119, -1590, 644, -872, 349, 418, 329, -156, -75, 817, 1097, + 603, 610, 1322, -1285, -1465, 384, -1215, -136, 1218, -1335, -874, 220, -1187, -1659, -1185, + -1530, -1278, 794, -1510, -854, -870, 478, -108, -308, 996, 991, 958, -1460, 1522, 1628, +]; +/* +fn printbinary(array: &[u8]) { + for i in 0..array.len() { + print!("{:02X}", array[i]) + } + println!("") +} +*/ +/* Montgomery stuff */ + +fn montgomery_reduce(a: i32) -> i16 { + let dp = PRIME as i32; + let dt = (((a & 0xffff) * QINV) & 0xffff) as i16; + let t = ((a - ((dt as i32) * dp)) >> 16) as i16; + t +} + +fn barrett_reduce(a: i16) -> i16 { + let da = a as i32; + let mut t = ((BARC * da + TWO25) >> 26) as i16; + t *= PRIME; + a - t +} + +fn fqmul(a: i16, b: i16) -> i16 { + montgomery_reduce((a as i32) * (b as i32)) +} + +fn ntt(r: &mut [i16]) { + let mut k = 1; + let mut len = 128; + while len >= 2 { 
+ let mut start = 0; + while start < 256 { + let zeta = ZETAS[k]; + k += 1; + let mut j = start; + while j < start + len { + let t = fqmul(zeta, r[j + len]); + r[j + len] = r[j] - t; + r[j] += t; + j += 1; + } + start = j + len + } + len >>= 1; + } +} + +fn invntt(r: &mut [i16]) { + let f = 1441 as i16; + let mut k = 127; + let mut len = 2; + while len <= 128 { + let mut start = 0; + while start < 256 { + let zeta = ZETAS[k]; + k -= 1; + let mut j = start; + while j < start + len { + let t = r[j]; + r[j] = barrett_reduce(t + r[j + len]); // problem here + r[j + len] -= t; + r[j + len] = fqmul(zeta, r[j + len]); + j += 1; + } + start = j + len; + } + len <<= 1; + } + for j in 0..256 { + r[j] = fqmul(r[j], f); + } +} + +fn basemul(r: &mut [i16], a: &[i16], b: &[i16], zeta: i16) { + r[0] = fqmul(a[1], b[1]); + r[0] = fqmul(r[0], zeta); + r[0] += fqmul(a[0], b[0]); + r[1] = fqmul(a[0], b[1]); + r[1] += fqmul(a[1], b[0]); +} + +fn poly_reduce(r: &mut [i16]) { + for i in 0..DEGREE { + r[i] = barrett_reduce(r[i]); + } +} + +fn poly_ntt(r: &mut [i16]) { + ntt(r); + poly_reduce(r); +} + +fn poly_invntt(r: &mut [i16]) { + invntt(r); +} + +// Note r must be distinct from a and b +fn poly_mul(r: &mut [i16], a: &[i16], b: &[i16]) { + for i in 0..DEGREE / 4 { + let x = 4 * i; + let y = x + 2; + let z = x + 4; + basemul(&mut r[x..y], &a[x..y], &b[x..y], ZETAS[64 + i]); + basemul(&mut r[y..z], &a[y..z], &b[y..z], -ZETAS[64 + i]); + } +} + +fn poly_tomont(r: &mut [i16]) { + for i in 0..DEGREE { + r[i] = montgomery_reduce((r[i] as i32) * (ONE as i32)); + } +} + +/* End of public domain reference code use */ + +fn poly_add(p1: &mut [i16], p2: &[i16], p3: &[i16]) { + for i in 0..DEGREE { + p1[i] = p2[i] + p3[i]; + } +} + +fn poly_acc(p1: &mut [i16], p3: &[i16]) { + for i in 0..DEGREE { + p1[i] += p3[i]; + } +} + +fn poly_dec(p1: &mut [i16], p3: &[i16]) { + for i in 0..DEGREE { + p1[i] -= p3[i]; + } +} + +// Generate a[i][j] from rho +fn expandaij(rho: &[u8], aij: &mut [i16], i: usize, 
j: usize) { + let mut buff: [u8; 3 * DEGREE] = [0; 3 * DEGREE]; + let mut sh = SHA3::new(sha3::SHAKE128); + for m in 0..32 { + sh.process(rho[m]) + } + sh.process(j as u8); + sh.process(i as u8); + sh.shake(&mut buff, 3 * DEGREE); + let mut m = 0; + let mut n = 0; + let dp = PRIME as u32; + while n < DEGREE { + let d1 = (buff[m] as u32) + 256 * ((buff[m + 1] & 0x0f) as u32); + let d2 = ((buff[m + 1] / 16) as u32) + 16 * (buff[m + 2] as u32); + if d1 < dp { + aij[n] = d1 as i16; + n += 1; + } + if d2 < dp && n < DEGREE { + aij[n] = d2 as i16; + n += 1; + } + m += 3; + } +} + +fn getbit(b: &[u8], n: usize) -> i16 { + let wd = n / 8; + let bt = n % 8; + ((b[wd] >> bt) & 1) as i16 +} + +fn cbd(bts: &[u8], eta: usize, f: &mut [i16]) { + for i in 0..DEGREE { + let mut a = 0 as i16; + let mut b = 0 as i16; + for j in 0..eta { + a += getbit(bts, 2 * i * eta + j); + b += getbit(bts, 2 * i * eta + eta + j); + } + f[i] = a - b; + } +} + +// extract ab bits into word from dense byte stream +fn nextword(ab: usize, t: &[u8], ptr: &mut usize, bts: &mut usize) -> i16 { + let mut r = (t[*ptr] >> (*bts)) as i16; + let mask = ((1 << ab) - 1) as i16; + let mut i = 0; + let mut gotbits = 8 - (*bts); // bits left in current byte + while gotbits < ab { + i += 1; + let w = t[(*ptr) + i] as i16; + r |= w << gotbits; + gotbits += 8; + } + *bts += ab; + while *bts >= 8 { + *bts -= 8; + *ptr += 1; + } + r & mask +} + +fn nextbyte16(ab: usize, t: &[i16], ptr: &mut usize, bts: &mut usize) -> u8 { + let mut left = ab - (*bts); + let mut i = 0; + let mut w = t[*ptr]; + w += (w >> 15) & PRIME; + let mut r = w >> (*bts); + while left < 8 { + i += 1; + w = t[(*ptr) + i]; + w += (w >> 15) & PRIME; + r |= w << left; + left += ab; + } + *bts += 8; + while *bts >= ab { + *bts -= ab; + *ptr += 1; + } + (r & 0xff) as u8 +} + +fn encode(t: &[i16], len: usize, l: usize, pack: &mut [u8]) { + let mut ptr = 0; + let mut bts = 0; + for n in 0..len * (DEGREE * l) / 8 { + pack[n] = nextbyte16(l, t, &mut ptr, &mut 
bts); + } +} + +// return 0 if encoding is unchanged +fn chk_encode(t: &[i16], len: usize, l: usize, pack: &[u8]) -> u8 { + let mut ptr = 0; + let mut bts = 0; + let mut diff = 0 as u8; + for n in 0..len * (DEGREE * l) / 8 { + let m = nextbyte16(l, t, &mut ptr, &mut bts); + diff |= m ^ pack[n]; + } + diff +} + +fn decode(pack: &[u8], l: usize, t: &mut [i16], len: usize) { + let mut ptr = 0; + let mut bts = 0; + for i in 0..len * DEGREE { + t[i] = nextword(l, pack, &mut ptr, &mut bts); + } +} + +// Bernsteins safe division by 0xD01 +fn safediv(xx: i32) -> i32 { + let mut x = xx; + let mut q = 0 as i32; + + let mut qpart = (((x as i64) * 645083) >> 31) as i32; + x -= qpart * 0xD01; + q += qpart; + + qpart = ((((x as i64) * 645083) >> 31) as i32) + 1; + x -= qpart * 0xD01; + q += qpart + (x >> 31); + + q +} + +fn compress(t: &mut [i16], len: usize, d: usize) { + let twod = (1 << d) as i32; + let dp = PRIME as i32; + for i in 0..len * DEGREE { + t[i] += (t[i] >> 15) & PRIME; + t[i] = (safediv(twod * (t[i] as i32) + dp / 2) & (twod - 1)) as i16; + } +} +fn decompress(t: &mut [i16], len: usize, d: usize) { + let twod1 = (1 << (d - 1)) as i32; + let dp = PRIME as i32; + for i in 0..len * DEGREE { + t[i] = ((dp * (t[i] as i32) + twod1) >> d) as i16; + } +} + +fn cpa_keypair(params: &[usize], tau: &[u8], sk: &mut [u8], pk: &mut [u8]) { + let mut rho: [u8; 32] = [0; 32]; + let mut sigma: [u8; 33] = [0; 33]; + let mut buff: [u8; 256] = [0; 256]; + + let mut r: [i16; DEGREE] = [0; DEGREE]; + let mut w: [i16; DEGREE] = [0; DEGREE]; + let mut aij: [i16; DEGREE] = [0; DEGREE]; + let mut s: [i16; MAXK * DEGREE] = [0; MAXK * DEGREE]; + let mut e: [i16; MAXK * DEGREE] = [0; MAXK * DEGREE]; + let mut p: [i16; MAXK * DEGREE] = [0; MAXK * DEGREE]; + + let mut sh = SHA3::new(sha3::HASH512); + + let ck = params[0]; + let eta1 = params[1]; + let public_key_size = 32 + ck * (DEGREE * 3) / 2; + + for i in 0..32 { + sh.process(tau[i]); + } + sh.hash(&mut buff); + for i in 0..32 { + rho[i] = 
buff[i]; + sigma[i] = buff[i + 32]; + } + sigma[32] = 0; + + // create s + for i in 0..ck { + sh = SHA3::new(sha3::SHAKE256); + for j in 0..33 { + sh.process(sigma[j]); + } + sh.shake(&mut buff, 64 * eta1); + cbd(&buff, eta1, &mut s[i * DEGREE..]); + sigma[32] += 1; + } + + // create e + for i in 0..ck { + sh = SHA3::new(sha3::SHAKE256); + for j in 0..33 { + sh.process(sigma[j]); + } + sh.shake(&mut buff, 64 * eta1); + cbd(&buff, eta1, &mut e[i * DEGREE..]); + sigma[32] += 1; + } + + for k in 0..ck { + let row = k * DEGREE; + poly_ntt(&mut s[row..]); + poly_ntt(&mut e[row..]); + } + + for i in 0..ck { + let row = i * DEGREE; + expandaij(&rho, &mut aij, i, 0); + poly_mul(&mut r, &aij, &s); + for j in 1..ck { + expandaij(&rho, &mut aij, i, j); + poly_mul(&mut w, &s[j * DEGREE..], &aij); + poly_acc(&mut r, &w); + } + poly_reduce(&mut r); + poly_tomont(&mut r); + poly_add(&mut p[row..], &r, &e[row..]); + poly_reduce(&mut p[row..]); + } + + encode(&s, ck, 12, sk); + encode(&p, ck, 12, pk); + for i in 0..32 { + pk[public_key_size - 32 + i] = rho[i]; + } +} + +fn cpa_base_encrypt( + params: &[usize], + coins: &[u8], + pk: &[u8], + ss: &[u8], + u: &mut [i16], + v: &mut [i16], +) { + let mut rho: [u8; 32] = [0; 32]; + let mut sigma: [u8; 33] = [0; 33]; + let mut buff: [u8; 256] = [0; 256]; + + let mut r: [i16; DEGREE] = [0; DEGREE]; + let mut w: [i16; DEGREE] = [0; DEGREE]; + let mut aij: [i16; DEGREE] = [0; DEGREE]; + let mut q: [i16; MAXK * DEGREE] = [0; MAXK * DEGREE]; + let mut p: [i16; MAXK * DEGREE] = [0; MAXK * DEGREE]; + + let ck = params[0]; + let eta1 = params[1]; + let eta2 = params[2]; + let du = params[3]; + let dv = params[4]; + let public_key_size = 32 + ck * (DEGREE * 3) / 2; + + for i in 0..32 { + sigma[i] = coins[i]; + } + sigma[32] = 0; + for i in 0..32 { + rho[i] = pk[i + public_key_size - 32]; + } + // create q + for i in 0..ck { + let mut sh = SHA3::new(sha3::SHAKE256); + for j in 0..33 { + sh.process(sigma[j]); + } + sh.shake(&mut buff, 64 * eta1); + 
cbd(&buff, eta1, &mut q[i * DEGREE..]); + sigma[32] += 1; + } + // create e1 + for i in 0..ck { + let mut sh = SHA3::new(sha3::SHAKE256); + for j in 0..33 { + sh.process(sigma[j]); + } + sh.shake(&mut buff, 64 * eta2); + cbd(&buff, eta1, &mut u[i * DEGREE..]); + sigma[32] += 1; + } + for i in 0..ck { + let row = DEGREE * i; + poly_ntt(&mut q[row..]); + } + + for i in 0..ck { + let row = i * DEGREE; + expandaij(&rho, &mut aij, 0, i); + poly_mul(&mut r, &aij, &q); + for j in 1..ck { + expandaij(&rho, &mut aij, j, i); + poly_mul(&mut w, &q[j * DEGREE..], &aij); + poly_acc(&mut r, &w); + } + poly_reduce(&mut r); + poly_invntt(&mut r); + poly_acc(&mut u[row..], &r); + poly_reduce(&mut u[row..]); + } + + decode(&pk, 12, &mut p, ck); + + poly_mul(v, &p, &q); + for i in 1..ck { + let row = DEGREE * i; + poly_mul(&mut r, &p[row..], &q[row..]); + poly_acc(v, &r); + } + poly_invntt(v); + + let mut sh = SHA3::new(sha3::SHAKE256); + for j in 0..33 { + sh.process(sigma[j]); + } + sh.shake(&mut buff, 64 * eta2); + cbd(&buff, eta1, &mut w); // e2 + + poly_acc(v, &w); + + decode(&ss, 1, &mut r, 1); + decompress(&mut r, 1, 1); + poly_acc(v, &r); + poly_reduce(v); + compress(u, ck, du); + compress(v, 1, dv); +} + +fn cpa_encrypt(params: &[usize], coins: &[u8], pk: &[u8], ss: &[u8], ct: &mut [u8]) { + let mut v: [i16; DEGREE] = [0; DEGREE]; + let mut u: [i16; MAXK * DEGREE] = [0; MAXK * DEGREE]; + let ck = params[0]; + let du = params[3]; + let dv = params[4]; + let ciphertext_size = (du * ck + dv) * DEGREE / 8; + cpa_base_encrypt(params, coins, pk, ss, &mut u, &mut v); + encode(&u, ck, du, ct); + encode(&v, 1, dv, &mut ct[ciphertext_size - (dv * DEGREE / 8)..]); +} + +// Re-encrypt and check that ct is OK (if so return is zero) +fn cpa_check_encrypt(params: &[usize], coins: &[u8], pk: &[u8], ss: &[u8], ct: &[u8]) -> u8 { + let mut v: [i16; DEGREE] = [0; DEGREE]; + let mut u: [i16; MAXK * DEGREE] = [0; MAXK * DEGREE]; + let ck = params[0]; + let du = params[3]; + let dv = params[4]; + 
let ciphertext_size = (du * ck + dv) * DEGREE / 8; + cpa_base_encrypt(params, coins, pk, ss, &mut u, &mut v); + let d1 = chk_encode(&u, ck, du, ct); + let d2 = chk_encode(&v, 1, dv, &ct[ciphertext_size - (dv * DEGREE / 8)..]); + if (d1 | d2) == 0 { + 0 + } else { + 0xff + } +} + +fn cpa_decrypt(params: &[usize], sk: &[u8], ct: &[u8], ss: &mut [u8]) { + let mut w: [i16; DEGREE] = [0; DEGREE]; + let mut v: [i16; DEGREE] = [0; DEGREE]; + let mut r: [i16; DEGREE] = [0; DEGREE]; + let mut u: [i16; MAXK * DEGREE] = [0; MAXK * DEGREE]; + let mut s: [i16; MAXK * DEGREE] = [0; MAXK * DEGREE]; + + let ck = params[0]; + let du = params[3]; + let dv = params[4]; + + decode(ct, du, &mut u, ck); + decode(&ct[(du * ck * DEGREE) / 8..], dv, &mut v, 1); + decompress(&mut u, ck, du); + decompress(&mut v, 1, dv); + decode(sk, 12, &mut s, ck); + + poly_ntt(&mut u); + poly_mul(&mut w, &u, &s); + for i in 1..ck { + let row = DEGREE * i; + poly_ntt(&mut u[row..]); + poly_mul(&mut r, &u[row..], &s[row..]); + poly_acc(&mut w, &r); + } + poly_reduce(&mut w); + poly_invntt(&mut w); + poly_dec(&mut v, &w); + compress(&mut v, 1, 1); + encode(&v, 1, 1, ss); +} + +fn cca_keypair(params: &[usize], randbytes64: &[u8], sk: &mut [u8], pk: &mut [u8]) { + let ck = params[0]; + let secret_cpa_key_size = ck * (DEGREE * 3) / 2; + let public_key_size = 32 + ck * (DEGREE * 3) / 2; + + cpa_keypair(params, randbytes64, sk, pk); + for i in 0..public_key_size { + sk[i + secret_cpa_key_size] = pk[i]; + } + let mut sh = SHA3::new(sha3::HASH256); + for i in 0..public_key_size { + sh.process(pk[i]); + } + sh.hash(&mut sk[secret_cpa_key_size + public_key_size..]); + for i in 0..32 { + sk[i + secret_cpa_key_size + public_key_size + 32] = randbytes64[i + 32]; + } +} + +fn cca_encrypt(params: &[usize], randbytes32: &[u8], pk: &[u8], ss: &mut [u8], ct: &mut [u8]) { + let mut hm: [u8; 32] = [0; 32]; + let mut h: [u8; 32] = [0; 32]; + let mut g: [u8; 64] = [0; 64]; + let ck = params[0]; + let du = params[3]; + let dv = 
params[4]; + let public_key_size = 32 + ck * (DEGREE * 3) / 2; + let ciphertext_size = (du * ck + dv) * DEGREE / 8; + let shared_secret_size = params[5]; + + let mut sh = SHA3::new(sha3::HASH256); + for i in 0..32 { + sh.process(randbytes32[i]); + } + sh.hash(&mut hm); + + sh = SHA3::new(sha3::HASH256); + for i in 0..public_key_size { + sh.process(pk[i]); + } + sh.hash(&mut h); + + sh = SHA3::new(sha3::HASH512); + sh.process_array(&hm); + sh.process_array(&h); + sh.hash(&mut g); + cpa_encrypt(params, &g[32..], &pk, &hm, ct); + + sh = SHA3::new(sha3::HASH256); + for i in 0..ciphertext_size { + sh.process(ct[i]); + } + sh.hash(&mut h); + sh = SHA3::new(sha3::SHAKE256); + sh.process_array(&g[0..32]); + sh.process_array(&h); + sh.shake(ss, shared_secret_size); +} + +fn cca_decrypt(params: &[usize], sk: &[u8], ct: &[u8], ss: &mut [u8]) { + let mut m: [u8; 32] = [0; 32]; + let mut g: [u8; 64] = [0; 64]; + let ck = params[0]; + let secret_cpa_key_size = ck * (DEGREE * 3) / 2; + let public_key_size = 32 + ck * (DEGREE * 3) / 2; + let shared_secret_size = params[5]; + + let pk = &sk[secret_cpa_key_size..secret_cpa_key_size + public_key_size]; + let h = &sk[secret_cpa_key_size + public_key_size..secret_cpa_key_size + public_key_size + 32]; + let z = + &sk[secret_cpa_key_size + public_key_size + 32..secret_cpa_key_size + public_key_size + 64]; + + cpa_decrypt(params, sk, ct, &mut m); + + let mut sh = SHA3::new(sha3::HASH512); + sh.process_array(&m); + sh.process_array(h); + sh.hash(&mut g); + + let mask = cpa_check_encrypt(params, &g[32..], pk, &m, ct); // FO check ct is correct + + for i in 0..32 { + g[i] ^= (g[i] ^ z[i]) & mask; + } + + sh = SHA3::new(sha3::HASH256); + sh.process_array(&ct); + sh.hash(&mut m); + + sh = SHA3::new(sha3::SHAKE256); + sh.process_array(&g[0..32]); + sh.process_array(&m); + sh.shake(ss, shared_secret_size); +} + +// ********************* Kyber API ****************************** + +pub fn keypair_512(randbytes64: &[u8], sk: &mut [u8], pk: &mut 
[u8]) { + cca_keypair(&PARAMS_512, randbytes64, sk, pk); +} + +pub fn keypair_768(randbytes64: &[u8], sk: &mut [u8], pk: &mut [u8]) { + cca_keypair(&PARAMS_768, randbytes64, sk, pk); +} + +pub fn keypair_1024(randbytes64: &[u8], sk: &mut [u8], pk: &mut [u8]) { + cca_keypair(&PARAMS_1024, randbytes64, sk, pk); +} + +pub fn encrypt_512(randbytes32: &[u8], pk: &[u8], ss: &mut [u8], ct: &mut [u8]) { + cca_encrypt(&PARAMS_512, randbytes32, pk, ss, ct); +} + +pub fn encrypt_768(randbytes32: &[u8], pk: &[u8], ss: &mut [u8], ct: &mut [u8]) { + cca_encrypt(&PARAMS_768, randbytes32, pk, ss, ct); +} + +pub fn encrypt_1024(randbytes32: &[u8], pk: &[u8], ss: &mut [u8], ct: &mut [u8]) { + cca_encrypt(&PARAMS_1024, randbytes32, pk, ss, ct); +} + +pub fn decrypt_512(sk: &[u8], ct: &[u8], ss: &mut [u8]) { + cca_decrypt(&PARAMS_512, sk, ct, ss); +} + +pub fn decrypt_768(sk: &[u8], ct: &[u8], ss: &mut [u8]) { + cca_decrypt(&PARAMS_768, sk, ct, ss); +} + +pub fn decrypt_1024(sk: &[u8], ct: &[u8], ss: &mut [u8]) { + cca_decrypt(&PARAMS_1024, sk, ct, ss); +} diff --git a/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/lib.rs b/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/lib.rs similarity index 99% rename from third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/lib.rs rename to third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/lib.rs index 7d2ebe7e4536..e1b2139f8ad8 100644 --- a/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/lib.rs +++ b/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/lib.rs 
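Review bot: In cpa_base_encrypt the e1 loop squeezes `sh.shake(&mut buff, 64 * eta2)` but then samples with `cbd(&buff, eta1, &mut u[i * DEGREE..])`, and the e2 sample further down does the same (`cbd(&buff, eta1, &mut w); // e2`). For PARAMS_512, eta1 is 3 and eta2 is 2, so cbd reads 192 bytes of which only 128 were freshly squeezed; the remaining 64 are stale bytes left in buff by the earlier q sampling, so the error terms follow neither the eta2-width distribution the squeeze length implies nor a fresh eta1-width one. The result is deterministic and cca_decrypt's re-encryption check goes through the same path, so decapsulation still agrees with itself, but Kyber-512 ciphertexts presumably will not match other implementations of the same parameter set; both calls should pass `eta2`. Separately, cpa_check_encrypt derives its mask with `if (d1 | d2) == 0 { 0 } else { 0xff }`, a branch on the re-encryption comparison that the masking in cca_decrypt is otherwise careful to keep branch-free; `(((d1 | d2) as u16).wrapping_neg() >> 8) as u8` yields the same 0/0xff without the data-dependent branch.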
@@ -19,23 +19,22 @@
 // comment out if debugging with print macros !!!
 #![cfg_attr(not(feature = "std"), no_std)]
-
 #![allow(clippy::many_single_char_names)]
 #![allow(clippy::needless_range_loop)]
 #![allow(clippy::manual_memcpy)]
 #![allow(clippy::new_without_default)]
-pub mod arch;
 pub mod aes;
+pub mod arch;
+pub mod dilithium;
 pub mod gcm;
-pub mod hmac;
 pub mod hash256;
 pub mod hash384;
 pub mod hash512;
+pub mod hmac;
+pub mod kyber;
+pub mod nhs;
 pub mod rand;
-pub mod share;
 pub mod sha3;
-pub mod nhs;
-pub mod dilithium;
-pub mod kyber;
+pub mod share;
 pub mod x509;
 pub mod bn254;
diff --git a/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/main.rs b/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/main.rs
similarity index 100%
rename from third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/main.rs
rename to third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/main.rs
diff --git a/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/nhs.rs b/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/nhs.rs
similarity index 100%
rename from third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/nhs.rs
rename to third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/nhs.rs
diff --git a/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/rand.rs b/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/rand.rs
similarity index 99%
rename from third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/rand.rs
rename to third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/rand.rs
index 5d099ecd0a50..73ea088cfbc6 100644
--- a/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/rand.rs
+++ b/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/rand.rs
@@ -164,9 +164,7 @@ impl RAND {
 } } - - -/* test main program +/* test main program fn main() { let mut raw : [u8;100]=[0;100];
diff --git a/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/sha3.rs b/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/sha3.rs similarity index 64% rename from third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/sha3.rs rename to third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/sha3.rs index 43f47a42f5ee..d3bd6d6cc98b 100644 --- a/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/sha3.rs +++ b/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/sha3.rs @@ -58,7 +58,7 @@ pub struct SHA3 { rate: usize, len: usize, //s: [[u64; 5]; 5], - s: [u64;25], + s: [u64; 25], } impl SHA3 { 
@@ -68,77 +68,77 @@ impl SHA3 { fn transform(&mut self) { for k in 0..ROUNDS { - let c0=self.s[0]^self.s[5]^self.s[10]^self.s[15]^self.s[20]; - let c1=self.s[1]^self.s[6]^self.s[11]^self.s[16]^self.s[21]; - let c2=self.s[2]^self.s[7]^self.s[12]^self.s[17]^self.s[22]; - let c3=self.s[3]^self.s[8]^self.s[13]^self.s[18]^self.s[23]; - let c4=self.s[4]^self.s[9]^self.s[14]^self.s[19]^self.s[24]; - - let d0=c4^SHA3::rotl(c1,1); - let d1=c0^SHA3::rotl(c2,1); - let d2=c1^SHA3::rotl(c3,1); - let d3=c2^SHA3::rotl(c4,1); - let d4=c3^SHA3::rotl(c0,1); - - let b00 = self.s[0]^d0; - let b02 = SHA3::rotl(self.s[1]^d1, 1); - let b04 = SHA3::rotl(self.s[2]^d2, 62); - let b01 = SHA3::rotl(self.s[3]^d3, 28); - let b03 = SHA3::rotl(self.s[4]^d4, 27); - - let b13 = SHA3::rotl(self.s[5]^d0, 36); - let b10 = SHA3::rotl(self.s[6]^d1, 44); - let b12 = SHA3::rotl(self.s[7]^d2, 6); - let b14 = SHA3::rotl(self.s[8]^d3, 55); - let b11 = SHA3::rotl(self.s[9]^d4, 20); - - let b21 = SHA3::rotl(self.s[10]^d0, 3); - let b23 = SHA3::rotl(self.s[11]^d1, 10); - let b20 = SHA3::rotl(self.s[12]^d2, 43); - let b22 = SHA3::rotl(self.s[13]^d3, 25); - let b24 = SHA3::rotl(self.s[14]^d4, 39); - - let b34 = SHA3::rotl(self.s[15]^d0, 41); - let b31 = SHA3::rotl(self.s[16]^d1, 45); - let b33 = SHA3::rotl(self.s[17]^d2, 15); - let b30 = SHA3::rotl(self.s[18]^d3, 21); - let b32 = SHA3::rotl(self.s[19]^d4, 8); - - let b42 = SHA3::rotl(self.s[20]^d0, 18); - let b44 = SHA3::rotl(self.s[21]^d1, 2); - let b41 = SHA3::rotl(self.s[22]^d2, 61); - let b43 = SHA3::rotl(self.s[23]^d3, 56); - let b40 = SHA3::rotl(self.s[24]^d4, 14); - - self.s[0]=b00^(!b10&b20); - self.s[1]=b10^(!b20&b30); - self.s[2]=b20^(!b30&b40); - self.s[3]=b30^(!b40&b00); - self.s[4]=b40^(!b00&b10); - - self.s[5]=b01^(!b11&b21); - self.s[6]=b11^(!b21&b31); - self.s[7]=b21^(!b31&b41); - self.s[8]=b31^(!b41&b01); - self.s[9]=b41^(!b01&b11); - - self.s[10]=b02^(!b12&b22); - self.s[11]=b12^(!b22&b32); - self.s[12]=b22^(!b32&b42); - 
self.s[13]=b32^(!b42&b02); - self.s[14]=b42^(!b02&b12); - - self.s[15]=b03^(!b13&b23); - self.s[16]=b13^(!b23&b33); - self.s[17]=b23^(!b33&b43); - self.s[18]=b33^(!b43&b03); - self.s[19]=b43^(!b03&b13); - - self.s[20]=b04^(!b14&b24); - self.s[21]=b14^(!b24&b34); - self.s[22]=b24^(!b34&b44); - self.s[23]=b34^(!b44&b04); - self.s[24]=b44^(!b04&b14); + let c0 = self.s[0] ^ self.s[5] ^ self.s[10] ^ self.s[15] ^ self.s[20]; + let c1 = self.s[1] ^ self.s[6] ^ self.s[11] ^ self.s[16] ^ self.s[21]; + let c2 = self.s[2] ^ self.s[7] ^ self.s[12] ^ self.s[17] ^ self.s[22]; + let c3 = self.s[3] ^ self.s[8] ^ self.s[13] ^ self.s[18] ^ self.s[23]; + let c4 = self.s[4] ^ self.s[9] ^ self.s[14] ^ self.s[19] ^ self.s[24]; + + let d0 = c4 ^ SHA3::rotl(c1, 1); + let d1 = c0 ^ SHA3::rotl(c2, 1); + let d2 = c1 ^ SHA3::rotl(c3, 1); + let d3 = c2 ^ SHA3::rotl(c4, 1); + let d4 = c3 ^ SHA3::rotl(c0, 1); + + let b00 = self.s[0] ^ d0; + let b02 = SHA3::rotl(self.s[1] ^ d1, 1); + let b04 = SHA3::rotl(self.s[2] ^ d2, 62); + let b01 = SHA3::rotl(self.s[3] ^ d3, 28); + let b03 = SHA3::rotl(self.s[4] ^ d4, 27); + + let b13 = SHA3::rotl(self.s[5] ^ d0, 36); + let b10 = SHA3::rotl(self.s[6] ^ d1, 44); + let b12 = SHA3::rotl(self.s[7] ^ d2, 6); + let b14 = SHA3::rotl(self.s[8] ^ d3, 55); + let b11 = SHA3::rotl(self.s[9] ^ d4, 20); + + let b21 = SHA3::rotl(self.s[10] ^ d0, 3); + let b23 = SHA3::rotl(self.s[11] ^ d1, 10); + let b20 = SHA3::rotl(self.s[12] ^ d2, 43); + let b22 = SHA3::rotl(self.s[13] ^ d3, 25); + let b24 = SHA3::rotl(self.s[14] ^ d4, 39); + + let b34 = SHA3::rotl(self.s[15] ^ d0, 41); + let b31 = SHA3::rotl(self.s[16] ^ d1, 45); + let b33 = SHA3::rotl(self.s[17] ^ d2, 15); + let b30 = SHA3::rotl(self.s[18] ^ d3, 21); + let b32 = SHA3::rotl(self.s[19] ^ d4, 8); + + let b42 = SHA3::rotl(self.s[20] ^ d0, 18); + let b44 = SHA3::rotl(self.s[21] ^ d1, 2); + let b41 = SHA3::rotl(self.s[22] ^ d2, 61); + let b43 = SHA3::rotl(self.s[23] ^ d3, 56); + let b40 = SHA3::rotl(self.s[24] ^ d4, 14); + + 
self.s[0] = b00 ^ (!b10 & b20); + self.s[1] = b10 ^ (!b20 & b30); + self.s[2] = b20 ^ (!b30 & b40); + self.s[3] = b30 ^ (!b40 & b00); + self.s[4] = b40 ^ (!b00 & b10); + + self.s[5] = b01 ^ (!b11 & b21); + self.s[6] = b11 ^ (!b21 & b31); + self.s[7] = b21 ^ (!b31 & b41); + self.s[8] = b31 ^ (!b41 & b01); + self.s[9] = b41 ^ (!b01 & b11); + + self.s[10] = b02 ^ (!b12 & b22); + self.s[11] = b12 ^ (!b22 & b32); + self.s[12] = b22 ^ (!b32 & b42); + self.s[13] = b32 ^ (!b42 & b02); + self.s[14] = b42 ^ (!b02 & b12); + + self.s[15] = b03 ^ (!b13 & b23); + self.s[16] = b13 ^ (!b23 & b33); + self.s[17] = b23 ^ (!b33 & b43); + self.s[18] = b33 ^ (!b43 & b03); + self.s[19] = b43 ^ (!b03 & b13); + + self.s[20] = b04 ^ (!b14 & b24); + self.s[21] = b14 ^ (!b24 & b34); + self.s[22] = b24 ^ (!b34 & b44); + self.s[23] = b34 ^ (!b44 & b04); + self.s[24] = b44 ^ (!b04 & b14); self.s[0] ^= RC[k]; } @@ -173,9 +173,9 @@ impl SHA3 { len: 0, s: [0; 25], }; - nh.length=hh.length; - nh.len=hh.len; - nh.rate=hh.rate; + nh.length = hh.length; + nh.len = hh.len; + nh.rate = hh.rate; for i in 0..25 { nh.s[i] = hh.s[i]; } @@ -191,7 +191,7 @@ impl SHA3 { self.s[ind] ^= (byt as u64) << (8 * b); self.length += 1; if self.length == self.rate { - self.length=0; + self.length = 0; self.transform(); } } @@ -214,13 +214,13 @@ impl SHA3 { pub fn squeeze(&mut self, buff: &mut [u8], olen: usize) { let mut m = 0; - let nb=olen/self.rate; + let nb = olen / self.rate; for _ in 0..nb { - for i in 0..self.rate/8 { - let mut el=self.s[i]; + for i in 0..self.rate / 8 { + let mut el = self.s[i]; for _ in 0..8 { - buff[m]=(el & 0xff) as u8; + buff[m] = (el & 0xff) as u8; m += 1; el >>= 8; } @@ -228,11 +228,12 @@ impl SHA3 { self.transform(); } - let mut i=0; - while m= olen { break; @@ -241,7 +242,7 @@ impl SHA3 { } } -/* + /* loop { for i in 0..25 { let mut el = self.s[i]; 
@@ -284,7 +285,7 @@ impl SHA3 { } pub fn continuing_hash(&mut self, digest: &mut [u8]) { - let mut sh=SHA3::new_copy(self); + let mut sh = SHA3::new_copy(self); sh.hash(digest) } @@ -303,8 +304,8 @@ impl SHA3 { } pub fn continuing_shake(&mut self, digest: &mut [u8], olen: usize) { - let mut sh=SHA3::new_copy(self); - sh.shake(digest,olen); + let mut sh = SHA3::new_copy(self); + sh.shake(digest, olen); } } diff --git a/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/share.rs b/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/share.rs similarity index 72% rename from third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/share.rs rename to third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/share.rs index 4c434d64c9ce..a48f91b17316 100644 --- a/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.2/src/share.rs +++ b/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/share.rs @@ -60,11 +60,11 @@ const LTAB: [u8; 256] = [ pub struct SHARE<'a> { id: u8, nsr: u8, - b: &'a [u8] + b: &'a [u8], } fn mul(x: u8, y: u8) -> u8 { -/* x.y= AntiLog(Log(x) + Log(y)) */ + /* x.y= AntiLog(Log(x) + Log(y)) */ let ix = (x as usize) & 0xff; let iy = (y as usize) & 0xff; let lx = (LTAB[ix] as usize) & 0xff; 
@@ -77,64 +77,77 @@ fn mul(x: u8, y: u8) -> u8 { } } -fn add(x: u8,y: u8) -> u8 { - x^y +fn add(x: u8, y: u8) -> u8 { + x ^ y } fn inv(x: u8) -> u8 { - let ix = (x as usize) & 0xff; - let lx = (LTAB[ix] as usize) & 0xff; - PTAB[255-lx] + let ix = (x as usize) & 0xff; + let lx = (LTAB[ix] as usize) & 0xff; + PTAB[255 - lx] } /* Lagrange interpolation */ fn interpolate(n: usize, x: &[u8], y: &[u8]) -> u8 { - let mut yp=0 as u8; + let mut yp = 0 as u8; for i in 0..n { - let mut p=1 as u8; + let mut p = 1 as u8; for j in 0..n { - if i!=j { - p=mul(p,mul(x[j],inv(add(x[i],x[j])))); + if i != j { + p = mul(p, mul(x[j], inv(add(x[i], x[j])))); } } - yp=add(yp,mul(p,y[i])); + yp = add(yp, mul(p, y[i])); } yp } impl<'a> SHARE<'a> { - -/* Return a share of M */ -/* input id - Unique share ID */ -/* input nsr - Number of shares required for recovery */ -/* input Message M to be shared */ -/* input Random number generator rng to be used */ -/* return share structure */ -// must bind lifetime of the byte array stored by structure, to lifetime of s - pub fn new(ident: usize,numshare: usize,s: &'a mut [u8],m: &[u8], rng: &mut RAND) -> SHARE<'a> { - if ident<1 || ident>=256 || numshare<2 || numshare>=256 { - return SHARE{id:0,nsr:0,b:s}; + /* Return a share of M */ + /* input id - Unique share ID */ + /* input nsr - Number of shares required for recovery */ + /* input Message M to be shared */ + /* input Random number generator rng to be used */ + /* return share structure */ + // must bind lifetime of the byte array stored by structure, to lifetime of s + pub fn new( + ident: usize, + numshare: usize, + s: &'a mut [u8], + m: &[u8], + rng: &mut RAND, + ) -> SHARE<'a> { + if ident < 1 || ident >= 256 || numshare < 2 || numshare >= 256 { + return SHARE { + id: 0, + nsr: 0, + b: s, + }; } - let len=m.len(); + let len = m.len(); for j in 0..len { - let mut x=ident as u8; - s[j]=m[j]; + let mut x = ident as u8; + s[j] = m[j]; for _ in 1..numshare { - 
s[j]=add(s[j],mul(rng.getbyte(),x)); - x=mul(x,ident as u8); + s[j] = add(s[j], mul(rng.getbyte(), x)); + x = mul(x, ident as u8); } } - SHARE{id: ident as u8,nsr: numshare as u8,b:s} + SHARE { + id: ident as u8, + nsr: numshare as u8, + b: s, + } } -/* recover M from shares */ - pub fn recover(m: &mut [u8],s: &[SHARE]) { - let len=s[0].b.len(); - let nsr=s[0].nsr as usize; - if nsr!=s.len() { + /* recover M from shares */ + pub fn recover(m: &mut [u8], s: &[SHARE]) { + let len = s[0].b.len(); + let nsr = s[0].nsr as usize; + if nsr != s.len() { return; } for i in 1..nsr { - if s[i].nsr as usize != nsr || s[i].b.len()!=len { + if s[i].nsr as usize != nsr || s[i].b.len() != len { return; } } @@ -143,12 +156,10 @@ impl<'a> SHARE<'a> { for j in 0..len { for i in 0..nsr { - x[i]=s[i].id; - y[i]=s[i].b[j]; + x[i] = s[i].id; + y[i] = s[i].b[j]; } - m[j]=interpolate(nsr,&x,&y); + m[j] = interpolate(nsr, &x, &y); } } } - - diff --git a/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/x509.rs b/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/x509.rs new file mode 100644 index 000000000000..0602946c6ef7 --- /dev/null +++ b/third_party/rust/chromium_crates_io/vendor/brave-miracl-0.1.3/src/x509.rs 
@@ -0,0 +1,1311 @@ +/* + * Copyright (c) 2012-2020 MIRACL UK Ltd. + * + * This file is part of MIRACL Core + * (see https://github.com/miracl/core). + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/* CORE X.509 Functions */ + +pub struct PKTYPE { + pub kind: usize, + pub hash: usize, + pub curve: usize, + pub len: usize, +} + +pub struct FDTYPE { + pub index: usize, + pub length: usize, +} + +// Supported Encryption/Signature Methods + +pub const ECC: usize = 1; +pub const RSA: usize = 2; +pub const ECD: usize = 3; // for Ed25519 and Ed448 +pub const PQ: usize = 4; + +// Supported Hash functions + +pub const H256: usize = 2; +pub const H384: usize = 3; +pub const H512: usize = 4; +pub const SHAKE256: usize = 5; + +// Supported Curves + +pub const USE_NIST256: usize = 4; +/**< For the NIST 256-bit standard curve - WEIERSTRASS only */ +pub const USE_ED25519: usize = 1; +/**< Bernstein's Modulus 2^255-19 - EDWARDS only */ +pub const USE_ED448: usize = 5; +//const USE_BRAINPOOL:usize = 2; /**< For Brainpool 256-bit curve - WEIERSTRASS only */ +//const USE_ANSSI:usize = 3; /**< For French 256-bit standard curve - WEIERSTRASS only */ +pub const USE_NIST384: usize = 10; +/**< For the NIST 384-bit standard curve - WEIERSTRASS only */ +pub const USE_NIST521: usize = 12; +/**< For the NIST 521-bit standard curve - WEIERSTRASS only */ + +const ANY: u8 = 0x00; +const SEQ: u8 = 0x30; +const OID: u8 = 0x006; +const INT: u8 = 0x02; +const NUL: u8 = 0x05; +//const 
ZER: u8 = 0x00; +//const UTF: u8 = 0x0C; +const UTC: u8 = 0x17; +const GTM: u8 = 0x18; +//const LOG: u8 = 0x01; +const BIT: u8 = 0x03; +const OCT: u8 = 0x04; +//const STR: u8 = 0x13; +const SET: u8 = 0x31; +//const IA5: u8 = 0x16; +const EXT: u8 = 0xA3; +const DNS: u8 = 0x82; + +// Define some OIDs +// Elliptic Curve with SHA256 + +const ECCSHA256: [u8; 8] = [0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02]; +const ECCSHA384: [u8; 8] = [0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x03]; +const ECCSHA512: [u8; 8] = [0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x04]; +const ECPK: [u8; 7] = [0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01]; +const EDPK25519: [u8; 3] = [0x2b, 0x65, 0x70]; +const EDPK448: [u8; 3] = [0x2b, 0x65, 0x71]; +const PRIME25519: [u8; 9] = [0x2B, 0x06, 0x01, 0x04, 0x01, 0xDA, 0x47, 0x0F, 0x01]; +const PRIME256V1: [u8; 8] = [0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07]; +const SECP384R1: [u8; 5] = [0x2B, 0x81, 0x04, 0x00, 0x22]; +const SECP521R1: [u8; 5] = [0x2B, 0x81, 0x04, 0x00, 0x23]; +const RSAPK: [u8; 9] = [0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01]; +const RSASHA256: [u8; 9] = [0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b]; +const RSASHA384: [u8; 9] = [0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0]; +const RSASHA512: [u8; 9] = [0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0d]; +const DILITHIUM3: [u8; 11] = [ + 0x2b, 0x06, 0x01, 0x04, 0x01, 0x02, 0x82, 0x0B, 0x07, 0x06, 0x05, +]; +// Cert details + +pub const CN: [u8; 3] = [0x55, 0x04, 0x06]; // countryName +pub const SN: [u8; 3] = [0x55, 0x04, 0x08]; // stateName +pub const LN: [u8; 3] = [0x55, 0x04, 0x07]; // localName +pub const ON: [u8; 3] = [0x55, 0x04, 0x0A]; // orgName +pub const UN: [u8; 3] = [0x55, 0x04, 0x0B]; // unitName +pub const MN: [u8; 3] = [0x55, 0x04, 0x03]; // myName +pub const EN: [u8; 9] = [0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01]; // emailName + +// Extensions +pub const AN: [u8; 3] = [0x55, 0x1D, 0x11]; // altName +pub const KU: [u8; 3] 
= [0x55, 0x1D, 0x0F]; // keyUsage +pub const BC: [u8; 3] = [0x55, 0x1D, 0x13]; // basicConstraints + +fn getalen(tag: u8, b: &[u8], j: usize) -> usize { + let mut k = j; + let mut len: usize; + if tag != 0 && b[k] != tag { + return 0; + } + k += 1; + if b[k] == 0x81 { + k += 1; + len = b[k] as usize; + } else if b[k] == 0x82 { + k += 1; + len = 256 * (b[k] as usize); + k += 1; + len += b[k] as usize; + } else { + len = b[k] as usize; + if len > 127 { + return 0; + } + } + len +} + +fn skip(len: usize) -> usize { + if len < 128 { + return 2; + } + if len < 256 { + return 3; + } + 4 +} + +fn bround(len: usize) -> usize { + if len % 8 == 0 { + return len; + } + len + (8 - len % 8) +} + +impl PKTYPE { + pub fn new() -> PKTYPE { + PKTYPE { + kind: 0, + hash: 0, + curve: 0, + len: 0, + } + } +} + +impl FDTYPE { + pub fn new() -> FDTYPE { + FDTYPE { + index: 0, + length: 0, + } + } +} + +// Input private key in PKCS#8 format +// e.g. openssl req -x509 -nodes -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 +// e.g. openssl req -x509 -nodes -days 3650 -newkey ec:<(openssl ecparam -name prime256v1) -keyout key.pem -out ecdsacert.pem +// extract private key from uncompressed key.pem into octet +// For RSA octet = p|q|dp|dq|c where pk->len is multiple of 5 +// For ECC octet = k +pub fn extract_private_key(c: &[u8], pk: &mut [u8]) -> PKTYPE { + let mut soid: [u8; 12] = [0; 12]; + let mut ret = PKTYPE::new(); + let mut j = 0 as usize; + let pklen = pk.len(); + + let mut len = getalen(SEQ, c, j); // Check for expected SEQ clause, and get length + if len == 0 { + // if not a SEQ clause, there is a problem, exit + return ret; + } + j += skip(len); // skip over length to clause contents. 
+ if len + j != c.len() { + return ret; + } + len = getalen(INT, c, j); + if len == 0 { + // if not a SEQ clause, there is a problem, exit + return ret; + } + j += skip(len) + len; + len = getalen(SEQ, c, j); + if len == 0 { + // if not a SEQ clause, there is a problem, exit + return ret; + } + j += skip(len); + // extract OID + len = getalen(OID, c, j); + if len == 0 { + return ret; + } + j += skip(len); + + let mut fin = j + len; + if len > soid.len() { + return ret; + } + let mut slen = 0; + while j < fin { + soid[slen] = c[j]; + slen += 1; + j += 1; + } + j = fin; + if EDPK25519 == soid[0..slen] { + len = getalen(OCT, c, j); + if len == 0 { + return ret; + } + j += skip(len); + len = getalen(OCT, c, j); + if len == 0 { + return ret; + } + j += skip(len); + let rlen = 32; + if rlen > pklen { + return ret; + } + ret.len = rlen; + for i in 0..rlen - len { + pk[i] = 0; + } + for i in rlen - len..rlen { + pk[i] = c[j]; + j += 1; + } + ret.kind = ECD; + ret.curve = USE_ED25519; + } + if EDPK448 == soid[0..slen] { + len = getalen(OCT, c, j); + if len == 0 { + return ret; + } + j += skip(len); + len = getalen(OCT, c, j); + if len == 0 { + return ret; + } + j += skip(len); + let rlen = 57; + if rlen > pklen { + return ret; + } + ret.len = rlen; + for i in 0..rlen - len { + pk[i] = 0; + } + for i in rlen - len..rlen { + pk[i] = c[j]; + j += 1; + } + ret.kind = ECD; + ret.curve = USE_ED448; + } + if DILITHIUM3 == soid[0..slen] { + len = getalen(OCT, c, j); + if len == 0 { + return ret; + } + j += skip(len); + len = getalen(OCT, c, j); + if len == 0 { + return ret; + } + j += skip(len); + let mut tlen = len; + if tlen > pk.len() { + tlen = pk.len(); + } + + for i in 0..tlen { + pk[i] = c[j]; + j += 1; + } + ret.len = tlen; + ret.kind = PQ; + ret.curve = 8 * tlen; + } + if ECPK == soid[0..slen] { + len = getalen(OID, c, j); + if len == 0 { + return ret; + } + j += skip(len); + + fin = j + len; + if len > soid.len() { + return ret; + } + slen = 0; + while j < fin { + 
soid[slen] = c[j]; + slen += 1; + j += 1; + } + j = fin; + len = getalen(OCT, c, j); + if len == 0 { + return ret; + } + j += skip(len); + len = getalen(SEQ, c, j); + if len == 0 { + return ret; + } + j += skip(len); + len = getalen(INT, c, j); + if len == 0 { + return ret; + } + j += skip(len) + len; // jump over version + len = getalen(OCT, c, j); + if len == 0 { + return ret; + } + j += skip(len); + + ret.kind = ECC; + let mut rlen = 0; + if PRIME256V1 == soid[0..slen] { + ret.curve = USE_NIST256; + rlen = 32; + } + if SECP384R1 == soid[0..slen] { + ret.curve = USE_NIST384; + rlen = 48; + } + if SECP521R1 == soid[0..slen] { + ret.curve = USE_NIST521; + rlen = 66; + } + if rlen > pklen { + ret.curve = 0; + ret.len = 0; + return ret; + } + ret.len = rlen; + for i in 0..rlen - len { + pk[i] = 0; + } + for i in rlen - len..rlen { + pk[i] = c[j]; + j += 1; + } + } + if RSAPK == soid[0..slen] { + len = getalen(NUL, c, j); + if len != 0 { + return ret; + } + j += skip(len); + + len = getalen(OCT, c, j); + if len == 0 { + return ret; + } + j += skip(len); + + len = getalen(SEQ, c, j); + if len == 0 { + return ret; + } + j += skip(len); + + len = getalen(INT, c, j); + if len == 0 { + return ret; + } + j += skip(len) + len; // jump over version + + len = getalen(INT, c, j); + if len == 0 { + return ret; + } + j += skip(len) + len; // jump over n + + len = getalen(INT, c, j); + if len == 0 { + return ret; + } + j += skip(len) + len; // jump over e + + len = getalen(INT, c, j); + if len == 0 { + return ret; + } + j += skip(len) + len; // jump over d + + len = getalen(INT, c, j); + if len == 0 { + return ret; + } + j += skip(len); // get p + + if c[j] == 0 { + j += 1; + len -= 1; + } + let mut rlen = bround(len); + + if 5 * rlen > pklen { + return ret; + } + + for i in 0..rlen - len { + pk[i] = 0; + } + for i in rlen - len..rlen { + pk[i] = c[j]; + j += 1; + } + + let flen = rlen; // should be same length for all + for k in 1..5 { + len = getalen(INT, c, j); + if len == 0 { 
+ return ret; + } + j += skip(len); // get q,dp,dq,c + if c[j] == 0 { + j += 1; + len -= 1; + } + rlen = bround(len); + if rlen != flen { + return ret; + } + for i in 0..rlen - len { + pk[i] = 0; + } + for i in rlen - len..rlen { + pk[k * flen + i] = c[j]; + j += 1; + } + } + ret.len = 5 * flen; + ret.kind = RSA; + ret.curve = 16 * flen; + } + ret +} + +// Input signed cert as octet, and extract signature +// Return 0 for failure, ECC for Elliptic Curve signature, RSA for RSA signature +// Note that signature type is not provided here - its the type of the public key that +// is used to verify it that matters, and which determines for example the curve to be used! +pub fn extract_cert_sig(sc: &[u8], sig: &mut [u8]) -> PKTYPE { + let mut soid: [u8; 12] = [0; 12]; + let mut ret = PKTYPE::new(); + let mut j = 0 as usize; + let mut len = getalen(SEQ, sc, j); // Check for expected SEQ clause, and get length + let siglen = sig.len(); + + if len == 0 { + // if not a SEQ clause, there is a problem, exit + return ret; + } + j += skip(len); // skip over length to clause contents. 
Add len to skip clause + if len + j != sc.len() { + return ret; + } + len = getalen(SEQ, sc, j); + if len == 0 { + return ret; + } + j += skip(len) + len; // jump over cert to signature OID + len = getalen(SEQ, sc, j); + if len == 0 { + return ret; + } + j += skip(len); + let sj = j + len; // Needed to jump over signature OID + + // dive in to extract OID + len = getalen(OID, sc, j); + if len == 0 { + return ret; + } + j += skip(len); + let mut fin = j + len; + if len > soid.len() { + return ret; + } + + let mut slen = 0; + while j < fin { + soid[slen] = sc[j]; + slen += 1; + j += 1; + } + if EDPK25519 == soid[0..slen] { + ret.kind = ECD; + ret.hash = H512; + } + if EDPK448 == soid[0..slen] { + ret.kind = ECD; + ret.hash = SHAKE256; + } + if ECCSHA256 == soid[0..slen] { + ret.kind = ECC; + ret.hash = H256; + } + if ECCSHA384 == soid[0..slen] { + ret.kind = ECC; + ret.hash = H384; + } + if ECCSHA512 == soid[0..slen] { + ret.kind = ECC; + ret.hash = H512; + } + if RSASHA256 == soid[0..slen] { + ret.kind = RSA; + ret.hash = H256; + } + if RSASHA384 == soid[0..slen] { + ret.kind = RSA; + ret.hash = H384; + } + if RSASHA512 == soid[0..slen] { + ret.kind = RSA; + ret.hash = H512; + } + if DILITHIUM3 == soid[0..slen] { + ret.kind = PQ; + ret.hash = 0; // hash type is implicit + } + if ret.kind == 0 { + return ret; // unsupported type + } + + j = sj; + len = getalen(BIT, sc, j); + if len == 0 { + ret.kind = 0; + return ret; + } + j += skip(len); + j += 1; + len -= 1; // skip bit shift (hopefully 0!) 
+ + if ret.kind == ECD { + if len > siglen { + ret.kind = 0; + return ret; + } + ret.len = len; + slen = 0; + fin = j + len; + while j < fin { + sig[slen] = sc[j]; + j += 1; + slen += 1; + } + if ret.hash == H512 { + ret.curve = USE_ED25519; + } + if ret.hash == SHAKE256 { + ret.curve = USE_ED448; + } + } + + if ret.kind == ECC { + len = getalen(SEQ, sc, j); + if len == 0 { + ret.kind = 0; + return ret; + } + j += skip(len); + + // pick up r part of signature + len = getalen(INT, sc, j); + if len == 0 { + ret.kind = 0; + return ret; + } + j += skip(len); + if sc[j] == 0 { + // skip leading zero + j += 1; + len -= 1; + } + let mut rlen = bround(len); + let mut ex = rlen - len; + + if 2 * rlen > siglen { + ret.kind = 0; + return ret; + } + ret.len = 2 * rlen; + + slen = 0; + for _ in 0..ex { + sig[slen] = 0; + slen += 1; + } + fin = j + len; + while j < fin { + sig[slen] = sc[j]; + j += 1; + slen += 1; + } + // pick up s part of signature + len = getalen(INT, sc, j); + if len == 0 { + ret.kind = 0; + return ret; + } + j += skip(len); + if sc[j] == 0 { + // skip leading zero + j += 1; + len -= 1; + } + rlen = bround(len); + ex = rlen - len; + for _ in 0..ex { + sig[slen] = 0; + slen += 1; + } + fin = j + len; + while j < fin { + sig[slen] = sc[j]; + j += 1; + slen += 1; + } + if ret.hash == H256 { + ret.curve = USE_NIST256; + } + if ret.hash == H384 { + ret.curve = USE_NIST384; + } + if ret.hash == H512 { + ret.curve = USE_NIST521; + } + } + if ret.kind == RSA { + let rlen = bround(len); + let ex = rlen - len; + if rlen > siglen { + ret.kind = 0; + ret.curve = 0; + return ret; + } + ret.len = rlen; + slen = 0; + for _ in 0..ex { + sig[slen] = 0; + slen += 1; + } + fin = j + len; + while j < fin { + sig[slen] = sc[j]; + j += 1; + slen += 1; + } + ret.curve = 8 * rlen; + } + if ret.kind == PQ { + if len > siglen { + ret.kind = 0; + ret.curve = 0; + return ret; + } + ret.len = len; + slen = 0; + fin = j + len; + while j < fin { + sig[slen] = sc[j]; + j += 1; + slen += 1; 
+ } + ret.curve = 8 * len; + } + ret +} + +// Extract pointer to cert inside signed cert, and return its length; +// let cert=&sc[ptr..ptr+len] +pub fn find_cert(sc: &[u8], ptr: &mut usize) -> usize { + let mut j: usize = 0; + + let mut len = getalen(SEQ, sc, j); + if len == 0 { + return 0; + } + j += skip(len); + + let k = j; + len = getalen(SEQ, sc, j); + if len == 0 { + return 0; + } + j += skip(len); + let fin = j + len; + *ptr = k; + fin - k +} + +// Extract certificate from signed cert +pub fn extract_cert(sc: &[u8], cert: &mut [u8]) -> usize { + let mut ptr = 0; + let n = find_cert(sc, &mut ptr); + let k = ptr; + let fin = n + k; + if fin - k > cert.len() { + return 0; + } + for i in k..fin { + cert[i - k] = sc[i]; + } + n +} + +// extract pointer to ASN.1 raw public Key inside certificate, and return its length; +// let public_key=&c[ptr..ptr+len] +pub fn find_public_key(c: &[u8], ptr: &mut usize) -> usize { + let mut j: usize = 0; + let mut len = getalen(SEQ, c, j); + if len == 0 { + return 0; + } + j += skip(len); + + if len + j != c.len() { + return 0; + } + + len = getalen(ANY, c, j); + if len == 0 { + return 0; + } + j += skip(len) + len; //jump over version clause + + len = getalen(INT, c, j); + if len > 0 { + j += skip(len) + len; // jump over serial number clause (if there is one) + } + + len = getalen(SEQ, c, j); + if len == 0 { + return 0; + } + j += skip(len) + len; // jump over signature algorithm + + len = getalen(SEQ, c, j); + if len == 0 { + return 0; + } + j += skip(len) + len; // skip issuer + + len = getalen(SEQ, c, j); + if len == 0 { + return 0; + } + j += skip(len) + len; // skip validity + + len = getalen(SEQ, c, j); + if len == 0 { + return 0; + } + j += skip(len) + len; // skip subject + + let k = j; + len = getalen(SEQ, c, j); + if len == 0 { + return 0; + } + j += skip(len); // + + let fin = j + len; + *ptr = k; + fin - k +} + +// get Public details from ASN.1 description +pub fn get_public_key(c: &[u8], key: &mut [u8]) -> PKTYPE { 
+ let mut koid: [u8; 12] = [0; 12]; + let mut ret = PKTYPE::new(); + let mut j = 0; + let keylen = key.len(); + + let mut len = getalen(SEQ, c, j); + if len == 0 { + return ret; + } + j += skip(len); // + + len = getalen(SEQ, c, j); + if len == 0 { + return ret; + } + j += skip(len); // + + // ** Maybe dive in and check Public Key OIDs here? + // ecpublicKey & prime256v1, secp384r1 or secp521r1 for ECC + // rsapublicKey for RSA + + let sj = j + len; + + len = getalen(OID, c, j); + if len == 0 { + return ret; + } + j += skip(len); + + let mut fin = j + len; + if len > koid.len() { + return ret; + } + let mut slen = 0; + while j < fin { + koid[slen] = c[j]; + slen += 1; + j += 1; + } + ret.kind = 0; + if ECPK == koid[0..slen] { + ret.kind = ECC; + } + if EDPK25519 == koid[0..slen] { + ret.kind = ECD; + ret.curve = USE_ED25519 + } + if EDPK448 == koid[0..slen] { + ret.kind = ECD; + ret.curve = USE_ED448 + } + if RSAPK == koid[0..slen] { + ret.kind = RSA; + } + if DILITHIUM3 == koid[0..slen] { + ret.kind = PQ; + } + + if ret.kind == 0 { + return ret; + } + if ret.kind == ECC { + len = getalen(OID, c, j); + if len == 0 { + ret.kind = 0; + return ret; + } + j += skip(len); + + fin = j + len; + if len > koid.len() { + ret.kind = 0; + return ret; + } + slen = 0; + while j < fin { + koid[slen] = c[j]; + slen += 1; + j += 1; + } + if PRIME25519 == koid[0..slen] { + ret.curve = USE_ED25519; + } + if PRIME256V1 == koid[0..slen] { + ret.curve = USE_NIST256; + } + if SECP384R1 == koid[0..slen] { + ret.curve = USE_NIST384; + } + if SECP521R1 == koid[0..slen] { + ret.curve = USE_NIST521; + } + } + j = sj; + + len = getalen(BIT, c, j); + if len == 0 { + ret.kind = 0; + return ret; + } + j += skip(len); + j += 1; + len -= 1; // skip bit shift (hopefully 0!) 
+ + if ret.kind == ECC || ret.kind == ECD || ret.kind == PQ { + if len > keylen { + ret.kind = 0; + return ret; + } + ret.len = len; + fin = j + len; + slen = 0; + while j < fin { + key[slen] = c[j]; + slen += 1; + j += 1; + } + } + if ret.kind == PQ { + ret.curve = 8 * len; + } + if ret.kind == RSA { + // Key is (modulus,exponent) - assume exponent is 65537 + len = getalen(SEQ, c, j); + if len == 0 { + ret.kind = 0; + return ret; + } + j += skip(len); + + len = getalen(INT, c, j); + if len == 0 { + ret.kind = 0; + return ret; + } + j += skip(len); + if c[j] == 0 { + j += 1; + len -= 1; + } + if len > keylen { + ret.kind = 0; + return ret; + } + ret.len = len; + fin = j + len; + slen = 0; + while j < fin { + key[slen] = c[j]; + slen += 1; + j += 1; + } + ret.curve = 8 * len; + } + ret +} + +// Extract Public Key from inside Certificate +pub fn extract_public_key(c: &[u8], key: &mut [u8]) -> PKTYPE { + let mut ptr = 0; + let pklen = find_public_key(c, &mut ptr); // ptr is pointer into certificate, at start of ASN.1 raw public key + let cc = &c[ptr..ptr + pklen]; + get_public_key(&cc, key) +} + +pub fn find_issuer(c: &[u8]) -> FDTYPE { + let mut j: usize = 0; + let mut ret = FDTYPE::new(); + let mut len = getalen(SEQ, c, j); + if len == 0 { + return ret; + } + j += skip(len); + + if len + j != c.len() { + return ret; + } + + len = getalen(ANY, c, j); + if len == 0 { + return ret; + } + j += skip(len) + len; // jump over version clause + + len = getalen(INT, c, j); + if len > 0 { + j += skip(len) + len; // jump over serial number clause (if there is one) + } + + len = getalen(SEQ, c, j); + if len == 0 { + return ret; + } + j += skip(len) + len; // jump over signature algorithm + + len = getalen(SEQ, c, j); + ret.index = j; + ret.length = len + skip(len); + + ret +} + +pub fn find_validity(c: &[u8]) -> usize { + let pos = find_issuer(c); + let j = pos.index + pos.length; // skip issuer + + //let mut j=find_issuer(c); + //let len=getalen(SEQ,c,j); + //if len==0 { + // 
return 0; + //} + //j+=skip(len)+len; // skip issuer + j +} + +pub fn find_subject(c: &[u8]) -> FDTYPE { + let mut j = find_validity(c); + let mut ret = FDTYPE::new(); + let mut len = getalen(SEQ, c, j); + if len == 0 { + return ret; + } + j += skip(len) + len; // skip validity + + len = getalen(SEQ, c, j); + ret.index = j; + ret.length = len + skip(len); + + ret +} + +pub fn self_signed(c: &[u8]) -> bool { + let ksub = find_subject(c); + let kiss = find_issuer(c); + + if ksub.length != kiss.length { + return false; + } + + // let sublen=getalen(SEQ,c,ksub); + // let isslen=getalen(SEQ,c,kiss); + // if sublen != isslen { + // return false; + // } + // ksub+=skip(sublen); + // kiss+=skip(isslen); + let mut m: u8 = 0; + for i in 0..ksub.length { + m |= c[i + ksub.index] - c[i + kiss.index]; + } + if m != 0 { + return false; + } + true +} + +// NOTE: When extracting cert information, we actually return just an index to the data inside the cert, and maybe its length +// So no memory is assigned to store cert info. It is the callers responsibility to allocate such memory if required, and copy +// cert information into it. + +// Find entity property indicated by SOID, given start of issuer or subject field. 
Return index in cert, flen=length of field + +pub fn find_entity_property(c: &[u8], soid: &[u8], start: usize) -> FDTYPE { + let mut ret = FDTYPE::new(); + let mut foid: [u8; 32] = [0; 32]; + let mut j = start; + let tlen = getalen(SEQ, c, j); + if tlen == 0 { + return ret; + } + j += skip(tlen); + let k = j; + while j < k + tlen { + let mut len = getalen(SET, c, j); + if len == 0 { + return ret; + } + j += skip(len); + len = getalen(SEQ, c, j); + if len == 0 { + return ret; + } + j += skip(len); + len = getalen(OID, c, j); + if len == 0 { + return ret; + } + j += skip(len); + let fin = j + len; + if len > foid.len() { + return ret; + } + let mut flen: usize = 0; + while j < fin { + foid[flen] = c[j]; + flen += 1; + j += 1; + } + len = getalen(ANY, c, j); // get text, could be any type + if len == 0 { + return ret; + } + j += skip(len); + if foid[0..flen] == *soid { + ret.index = j; // if its the right one.. + ret.length = len; + return ret; + } + j += len; // skip over it + } + ret +} + +pub fn find_start_date(c: &[u8], start: usize) -> usize { + let mut j = start; + let mut len = getalen(SEQ, c, j); + if len == 0 { + return 0; + } + j += skip(len); + + len = getalen(UTC, c, j); + if len == 0 { + // could be generalised time + len = getalen(GTM, c, j); + if len == 0 { + return 0; + } + j += skip(len); + j += 2; // skip century + } else { + j += skip(len); + } + + j +} + +pub fn find_expiry_date(c: &[u8], start: usize) -> usize { + let mut j = start; + let mut len = getalen(SEQ, c, j); + if len == 0 { + return 0; + } + j += skip(len); + + len = getalen(UTC, c, j); + if len == 0 { + len = getalen(GTM, c, j); + if len == 0 { + return 0; + } + } + j += skip(len) + len; + + len = getalen(UTC, c, j); + if len == 0 { + // could be generalised time + len = getalen(GTM, c, j); + if len == 0 { + return 0; + } + j += skip(len); + j += 2; // skip century + } else { + j += skip(len); + } + + j +} + +pub fn find_extensions(c: &[u8]) -> usize { + let pos = find_subject(c); + let 
mut j = pos.index + pos.length; + + // let mut len=getalen(SEQ,c,j); + // if len==0 { + // return 0; + // } + // j+=skip(len)+len; // skip subject + + let len = getalen(SEQ, c, j); + if len == 0 { + return 0; + } + j += skip(len) + len; // skip public key + + if j >= c.len() { + return 0; + } + + j +} + +pub fn find_extension(c: &[u8], soid: &[u8], start: usize) -> FDTYPE { + let mut ret = FDTYPE::new(); + let mut foid: [u8; 32] = [0; 32]; + + let mut j = start; + let tlen = getalen(EXT, c, j); + if tlen == 0 { + return ret; + } + j += skip(tlen); + + let tlen = getalen(SEQ, c, j); + if tlen == 0 { + return ret; + } + j += skip(tlen); + + let k = j; + while j < k + tlen { + let mut len = getalen(SEQ, c, j); + if len == 0 { + return ret; + } + j += skip(len); + let nj = j + len; + len = getalen(OID, c, j); + j += skip(len); + let fin = j + len; + if len > foid.len() { + return ret; + } + let mut flen: usize = 0; + while j < fin { + foid[flen] = c[j]; + flen += 1; + j += 1; + } + if foid[0..flen] == *soid { + ret.index = j; // if its the right one.. + ret.length = nj - j; + return ret; + } + j = nj; // skip over this extension + } + + ret +} + +// return 1 if name found, else 0, where name is URL +// input cert, and pointer to SAN extension +// Takes wild-card into consideration + +pub fn find_alt_name(c: &[u8], start: usize, name: &[u8]) -> bool { + if start == 0 { + return false; + } + let mut j = start; + let mut tlen = getalen(OCT, c, j); + if tlen == 0 { + return false; + } + j += skip(tlen); + + tlen = getalen(SEQ, c, j); + if tlen == 0 { + return false; + } + j += skip(tlen); + let k = j; + while j < k + tlen { + let tag = c[j]; + let mut len = getalen(ANY, c, j); + if len == 0 { + return false; + } + j += skip(len); // ?? 
If its not dns, skip over it j+=len + if tag != DNS { + // only interested in URLs + j += len; + continue; + } + let mut cmp = true; + let mut m = 0; + let nlen = name.len(); + if c[j] == b'*' { + j += 1; + len -= 1; // skip over * + while m < nlen { + // advance to first . + if name[m] == b'.' { + break; + } + m += 1; + } + } + for _ in 0..len { + if m == nlen { + // name has ended before comparison completed + cmp = false; + j += 1; + continue; + } + if c[j] != name[m] { + cmp = false; + } + m += 1; + j += 1; + } + if m != nlen { + cmp = false; + } + if cmp { + return true; + } + } + + false +}
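Review bot: The `RSASHA384` OID constant ends in `0x0` where sha384WithRSAEncryption (1.2.840.113549.1.1.12) ends in `0x0c`, so `extract_cert_sig` will report `kind == 0` ("unsupported type") for every RSA/SHA-384 signed certificate unless the trailing byte is a rendering artifact of this page; the sibling constants `RSASHA256` (`0x0b`) and `RSASHA512` (`0x0d`) agree with the corrected line `const RSASHA384: [u8; 9] = [0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0c];`. Separately, the parser trusts the DER lengths it decodes: `getalen` indexes `b[k]` without checking `k < b.len()`, and every `fin = j + len; while j < fin { … c[j] … }` loop as well as the `&c[ptr..ptr + pklen]` slice in `extract_public_key` indexes past the input on a truncated or length-inflated certificate, which in Rust is a panic rather than the `ret.kind = 0` failure path the rest of the file uses. The `rlen - len` subtractions in `extract_private_key` underflow when the OCTET STRING is longer than the fixed key size (or when the ECC curve OID matches none of the three and `rlen` stays 0), and `self_signed`'s `m |= c[i + ksub.index] - c[i + kiss.index]` is a `u8` subtraction that panics under overflow checks (debug builds) and only works by wrapping otherwise; `m |= c[i + ksub.index] ^ c[i + kiss.index]` is the intended constant-time comparison. Since this file is vendored from upstream, these are probably best carried as a follow-up against the crate rather than patched in the vendor copy.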