{-# LANGUAGE MultiParamTypeClasses, FunctionalDependencies #-} {-# LANGUAGE ParallelListComp #-} {-| Maintainer: Thomas.DuBuisson@gmail.com Stability: beta Portability: portable This is the heart of the crypto-api package. By making (or having) an instance of Hash, AsymCipher, BlockCipher or StreamCipher you provide (or obtain) access to any infrastructure built on these primitives include block cipher modes of operation, hashing, hmac, signing, etc. These classes allow users to build routines that are agnostic to the algorithm used so changing algorithms is as simple as changing a type signature. -} module Crypto.Classes ( -- * Hash class and helper functions Hash(..) , hashFunc' , hashFunc -- * Cipher classes and helper functions , BlockCipher(..) , blockSizeBytes , keyLengthBytes , buildKeyIO , buildKeyGen , StreamCipher(..) , buildStreamKeyIO , buildStreamKeyGen , AsymCipher(..) , buildKeyPairIO , buildKeyPairGen , Signing(..) , buildSigningKeyPairIO , buildSigningKeyPairGen -- * Misc helper functions , encode , zeroIV , incIV , getIV, getIVIO , chunkFor, chunkFor' , module Crypto.Util , module Crypto.Types ) where import Data.Data import Data.Typeable import Data.Serialize import qualified Data.Serialize.Get as SG import qualified Data.Serialize.Put as SP import qualified Data.ByteString.Lazy as L import qualified Data.ByteString as B import qualified Data.ByteString.Internal as I import Data.ByteString.Unsafe (unsafeUseAsCStringLen) import Control.Monad.Trans.Class (lift) import Control.Monad.Trans.State (StateT(..), runStateT) import Control.Monad (liftM) import Data.Bits import Data.List (foldl', genericDrop) import Data.Word (Word8, Word16, Word64) import Data.Tagged import Data.Proxy import Crypto.Types import Crypto.Random import Crypto.Util import System.IO.Unsafe (unsafePerformIO) import Foreign (Ptr) import Foreign.C (CChar(..), CInt(..)) import System.Entropy import {-# SOURCE #-} Crypto.Modes -- |The Hash class is intended as the generic interface -- targeted by maintainers of Haskell digest implementations. -- Using this generic interface, higher level functions -- such as 'hash' and 'hash'' provide a useful API -- for comsumers of hash implementations. -- -- Any instantiated implementation must handle unaligned data. -- -- Minimum complete definition: 'outputLength', 'blockLength', 'initialCtx', -- 'updateCtx', and 'finalize'. class (Serialize d, Eq d, Ord d) => Hash ctx d | d -> ctx, ctx -> d where outputLength :: Tagged d BitLength -- ^ The size of the digest when encoded blockLength :: Tagged d BitLength -- ^ The amount of data operated on in each round of the digest computation initialCtx :: ctx -- ^ An initial context, provided with the first call to 'updateCtx' updateCtx :: ctx -> B.ByteString -> ctx -- ^ Used to update a context, repeatedly called until all data is exhausted -- must operate correctly for imputs of @n*blockLength@ bytes for @n `elem` [0..]@ finalize :: ctx -> B.ByteString -> d -- ^ Finializing a context, plus any message data less than the block size, into a digest -- |Hash a lazy ByteString, creating a digest hash :: (Hash ctx d) => L.ByteString -> d hash msg = res where res = finalize ctx end ctx = foldl' updateCtx initialCtx blks (blks,end) = makeBlocks msg blockLen blockLen = (blockLength .::. res) `div` 8 -- |Hash a strict ByteString, creating a digest hash' :: (Hash ctx d) => B.ByteString -> d hash' msg = res where res = finalize (updateCtx initialCtx top) end (top, end) = B.splitAt remlen msg remlen = B.length msg - (B.length msg `rem` bLen) bLen = blockLength `for` res `div` 8 -- |Obtain a lazy hash function whose result is the same type -- as the given digest, which is discarded. If the type is already inferred then -- consider using the 'hash' function instead. hashFunc :: Hash c d => d -> (L.ByteString -> d) hashFunc d = f where f = hash a = f undefined `asTypeOf` d -- |Obtain a strict hash function whose result is the same type -- as the given digest, which is discarded. If the type is already inferred then -- consider using the 'hash'' function instead. hashFunc' :: Hash c d => d -> (B.ByteString -> d) hashFunc' d = f where f = hash' a = f undefined `asTypeOf` d {-# INLINABLE makeBlocks #-} makeBlocks :: L.ByteString -> ByteLength -> ([B.ByteString], B.ByteString) makeBlocks msg len = go (L.toChunks msg) where go [] = ([],B.empty) go (x:xs) | B.length x >= len = let l = B.length x - B.length x `rem` len (top,end) = B.splitAt l x (rest,trueEnd) = go (end:xs) in (top:rest, trueEnd) | otherwise = case xs of [] -> ([], x) (a:as) -> go (B.append x a : as) -- |The BlockCipher class is intended as the generic interface -- targeted by maintainers of Haskell cipher implementations. -- -- Minimum complete definition: blockSize, encryptBlock, decryptBlock, -- buildKey, and keyLength. -- -- Instances must handle unaligned data class ( Serialize k) => BlockCipher k where blockSize :: Tagged k BitLength -- ^ The size of a single block; the smallest unit on which the cipher operates. encryptBlock :: k -> B.ByteString -> B.ByteString -- ^ encrypt data of size @n*blockSize@ where @n `elem` [0..]@ (ecb encryption) decryptBlock :: k -> B.ByteString -> B.ByteString -- ^ decrypt data of size @n*blockSize@ where @n `elem` [0..]@ (ecb decryption) buildKey :: B.ByteString -> Maybe k -- ^ smart constructor for keys from a bytestring. keyLength :: Tagged k BitLength -- ^ length of the cryptographic key -- * Modes of operation over strict bytestrings -- | Electronic Cookbook (encryption) ecb :: k -> B.ByteString -> B.ByteString ecb = modeEcb' -- | Electronic Cookbook (decryption) unEcb :: k -> B.ByteString -> B.ByteString unEcb = modeUnEcb' -- | Cipherblock Chaining (encryption) cbc :: k -> IV k -> B.ByteString -> (B.ByteString, IV k) cbc = modeCbc' -- | Cipherblock Chaining (decryption) unCbc :: k -> IV k -> B.ByteString -> (B.ByteString, IV k) unCbc = modeUnCbc' -- | Counter (encryption) ctr :: k -> IV k -> B.ByteString -> (B.ByteString, IV k) ctr = modeCtr' incIV -- | Counter (decryption) unCtr :: k -> IV k -> B.ByteString -> (B.ByteString, IV k) unCtr = modeUnCtr' incIV -- | Counter (encryption) ctrLazy :: k -> IV k -> L.ByteString -> (L.ByteString, IV k) ctrLazy = modeCtr incIV -- | Counter (decryption) unCtrLazy :: k -> IV k -> L.ByteString -> (L.ByteString, IV k) unCtrLazy = modeUnCtr incIV -- | Ciphertext feedback (encryption) cfb :: k -> IV k -> B.ByteString -> (B.ByteString, IV k) cfb = modeCfb' -- | Ciphertext feedback (decryption) unCfb :: k -> IV k -> B.ByteString -> (B.ByteString, IV k) unCfb = modeUnCfb' -- | Output feedback (encryption) ofb :: k -> IV k -> B.ByteString -> (B.ByteString, IV k) ofb = modeOfb' -- | Output feedback (decryption) unOfb :: k -> IV k -> B.ByteString -> (B.ByteString, IV k) unOfb = modeUnOfb' -- |Cipher block chaining encryption for lazy bytestrings cbcLazy :: k -> IV k -> L.ByteString -> (L.ByteString, IV k) cbcLazy = modeCbc -- |Cipher block chaining decryption for lazy bytestrings unCbcLazy :: k -> IV k -> L.ByteString -> (L.ByteString, IV k) unCbcLazy = modeUnCbc -- |SIV (Synthetic IV) mode for lazy bytestrings. The third argument is -- the optional list of bytestrings to be authenticated but not -- encrypted As required by the specification this algorithm may -- return nothing when certain constraints aren't met. sivLazy :: k -> k -> [L.ByteString] -> L.ByteString -> Maybe L.ByteString sivLazy = modeSiv -- |SIV (Synthetic IV) for lazy bytestrings. The third argument is the -- optional list of bytestrings to be authenticated but not encrypted. -- As required by the specification this algorithm may return nothing -- when authentication fails. unSivLazy :: k -> k -> [L.ByteString] -> L.ByteString -> Maybe L.ByteString unSivLazy = modeUnSiv -- |SIV (Synthetic IV) mode for strict bytestrings. First argument is -- the optional list of bytestrings to be authenticated but not -- encrypted. As required by the specification this algorithm may -- return nothing when certain constraints aren't met. siv :: k -> k -> [B.ByteString] -> B.ByteString -> Maybe B.ByteString siv = modeSiv' -- |SIV (Synthetic IV) for strict bytestrings First argument is the -- optional list of bytestrings to be authenticated but not encrypted -- As required by the specification this algorithm may return nothing -- when authentication fails. unSiv :: k -> k -> [B.ByteString] -> B.ByteString -> Maybe B.ByteString unSiv = modeUnSiv' -- |Cook book mode - not really a mode at all. If you don't know what you're doing, don't use this mode^H^H^H^H library. ecbLazy :: k -> L.ByteString -> L.ByteString ecbLazy = modeEcb -- |ECB decrypt, complementary to `ecb`. unEcbLazy :: k -> L.ByteString -> L.ByteString unEcbLazy = modeUnEcb -- |Ciphertext feed-back encryption mode for lazy bytestrings (with s -- == blockSize) cfbLazy :: k -> IV k -> L.ByteString -> (L.ByteString, IV k) cfbLazy = modeCfb -- |Ciphertext feed-back decryption mode for lazy bytestrings (with s -- == blockSize) unCfbLazy :: k -> IV k -> L.ByteString -> (L.ByteString, IV k) unCfbLazy = modeUnCfb -- |Output feedback mode for lazy bytestrings ofbLazy :: k -> IV k -> L.ByteString -> (L.ByteString, IV k) ofbLazy = modeOfb -- |Output feedback mode for lazy bytestrings unOfbLazy :: k -> IV k -> L.ByteString -> (L.ByteString, IV k) unOfbLazy = modeUnOfb -- |Output feedback mode for lazy bytestrings modeOfb :: BlockCipher k => k -> IV k -> L.ByteString -> (L.ByteString, IV k) modeOfb = modeUnOfb {-# INLINEABLE modeOfb #-} -- |Output feedback mode for lazy bytestrings modeUnOfb :: BlockCipher k => k -> IV k -> L.ByteString -> (L.ByteString, IV k) modeUnOfb k (IV iv) msg = let ivStr = drop 1 (iterate (encryptBlock k) iv) ivLen = fromIntegral (B.length iv) newIV = IV . B.concat . L.toChunks . L.take ivLen . L.drop (L.length msg) . L.fromChunks $ ivStr in (zwp (L.fromChunks ivStr) msg, newIV) {-# INLINEABLE modeUnOfb #-} -- |Ciphertext feed-back encryption mode for lazy bytestrings (with s -- == blockSize) modeCfb :: BlockCipher k => k -> IV k -> L.ByteString -> (L.ByteString, IV k) modeCfb k (IV v) msg = let blks = chunkFor k msg (cs,ivF) = go v blks in (L.fromChunks cs, IV ivF) where go iv [] = ([],iv) go iv (b:bs) = let c = zwp' (encryptBlock k iv) b (cs,ivFinal) = go c bs in (c:cs, ivFinal) {-# INLINEABLE modeCfb #-} -- |Ciphertext feed-back decryption mode for lazy bytestrings (with s -- == blockSize) modeUnCfb :: BlockCipher k => k -> IV k -> L.ByteString -> (L.ByteString, IV k) modeUnCfb k (IV v) msg = let blks = chunkFor k msg (ps, ivF) = go v blks in (L.fromChunks ps, IV ivF) where go iv [] = ([], iv) go iv (b:bs) = let p = zwp' (encryptBlock k iv) b (ps, ivF) = go b bs in (p:ps, ivF) {-# INLINEABLE modeUnCfb #-} -- |Obtain an `IV` using the provided CryptoRandomGenerator. getIV :: (BlockCipher k, CryptoRandomGen g) => g -> Either GenError (IV k, g) getIV g = let bytes = ivBlockSizeBytes iv gen = genBytes bytes g fromRight (Right x) = x iv = IV (fst . fromRight $ gen) in case gen of Left err -> Left err Right (bs,g') | B.length bs == bytes -> Right (iv, g') | otherwise -> Left (GenErrorOther "Generator failed to provide requested number of bytes") {-# INLINEABLE getIV #-} -- | Obtain an 'IV' using the system entropy (see 'System.Entropy') getIVIO :: (BlockCipher k) => IO (IV k) getIVIO = do let p = Proxy getTypedIV :: BlockCipher k => Proxy k -> IO (IV k) getTypedIV pr = liftM IV (getEntropy (proxy blockSize pr `div` 8)) iv <- getTypedIV p return (iv `asProxyTypeOf` ivProxy p) {-# INLINEABLE getIVIO #-} ivProxy :: Proxy k -> Proxy (IV k) ivProxy = const Proxy deIVProxy :: Proxy (IV k) -> Proxy k deIVProxy = const Proxy -- |Cook book mode - not really a mode at all. If you don't know what you're doing, don't use this mode^H^H^H^H library. modeEcb :: BlockCipher k => k -> L.ByteString -> L.ByteString modeEcb k msg = let chunks = chunkFor k msg in L.fromChunks $ map (encryptBlock k) chunks {-# INLINEABLE modeEcb #-} -- |ECB decrypt, complementary to `ecb`. modeUnEcb :: BlockCipher k => k -> L.ByteString -> L.ByteString modeUnEcb k msg = let chunks = chunkFor k msg in L.fromChunks $ map (decryptBlock k) chunks {-# INLINEABLE modeUnEcb #-} -- |SIV (Synthetic IV) mode for lazy bytestrings. The third argument is -- the optional list of bytestrings to be authenticated but not -- encrypted As required by the specification this algorithm may -- return nothing when certain constraints aren't met. modeSiv :: BlockCipher k => k -> k -> [L.ByteString] -> L.ByteString -> Maybe L.ByteString modeSiv k1 k2 xs m | length xs > bSizeb - 1 = Nothing | otherwise = Just . L.append iv . fst . ctrLazy k2 (IV . sivMask . B.concat . L.toChunks $ iv) $ m where bSize = fromIntegral $ blockSizeBytes `for` k1 bSizeb = fromIntegral $ blockSize `for` k1 iv = cMacStar k1 $ xs ++ [m] -- |SIV (Synthetic IV) for lazy bytestrings. The third argument is the -- optional list of bytestrings to be authenticated but not encrypted. -- As required by the specification this algorithm may return nothing -- when authentication fails. modeUnSiv :: BlockCipher k => k -> k -> [L.ByteString] -> L.ByteString -> Maybe L.ByteString modeUnSiv k1 k2 xs c | length xs > bSizeb - 1 = Nothing | L.length c < fromIntegral bSize = Nothing | iv /= (cMacStar k1 $ xs ++ [dm]) = Nothing | otherwise = Just dm where bSize = fromIntegral $ blockSizeBytes `for` k1 bSizeb = fromIntegral $ blockSize `for` k1 (iv,m) = L.splitAt (fromIntegral bSize) c dm = fst $ modeUnCtr incIV k2 (IV $ sivMask $ B.concat $ L.toChunks iv) m -- |SIV (Synthetic IV) mode for strict bytestrings. First argument is -- the optional list of bytestrings to be authenticated but not -- encrypted. As required by the specification this algorithm may -- return nothing when certain constraints aren't met. modeSiv' :: BlockCipher k => k -> k -> [B.ByteString] -> B.ByteString -> Maybe B.ByteString modeSiv' k1 k2 xs m | length xs > bSizeb - 1 = Nothing | otherwise = Just $ B.append iv $ fst $ Crypto.Classes.ctr k2 (IV $ sivMask iv) m where bSize = fromIntegral $ blockSizeBytes `for` k1 bSizeb = fromIntegral $ blockSize `for` k1 iv = cMacStar' k1 $ xs ++ [m] -- |SIV (Synthetic IV) for strict bytestrings First argument is the -- optional list of bytestrings to be authenticated but not encrypted -- As required by the specification this algorithm may return nothing -- when authentication fails. modeUnSiv' :: BlockCipher k => k -> k -> [B.ByteString] -> B.ByteString -> Maybe B.ByteString modeUnSiv' k1 k2 xs c | length xs > bSizeb - 1 = Nothing | B.length c < bSize = Nothing | iv /= (cMacStar' k1 $ xs ++ [dm]) = Nothing | otherwise = Just dm where bSize = fromIntegral $ blockSizeBytes `for` k1 bSizeb = fromIntegral $ blockSize `for` k1 (iv,m) = B.splitAt bSize c dm = fst $ Crypto.Classes.unCtr k2 (IV $ sivMask iv) m modeCbc :: BlockCipher k => k -> IV k -> L.ByteString -> (L.ByteString, IV k) modeCbc k (IV v) plaintext = let blks = chunkFor k plaintext (cts, iv) = go blks v in (L.fromChunks cts, IV iv) where go [] iv = ([], iv) go (b:bs) iv = let c = encryptBlock k (zwp' iv b) (cs, ivFinal) = go bs c in (c:cs, ivFinal) {-# INLINEABLE modeCbc #-} modeUnCbc :: BlockCipher k => k -> IV k -> L.ByteString -> (L.ByteString, IV k) modeUnCbc k (IV v) ciphertext = let blks = chunkFor k ciphertext (pts, iv) = go blks v in (L.fromChunks pts, IV iv) where go [] iv = ([], iv) go (c:cs) iv = let p = zwp' (decryptBlock k c) iv (ps, ivFinal) = go cs c in (p:ps, ivFinal) {-# INLINEABLE modeUnCbc #-} -- |Counter mode for lazy bytestrings modeCtr :: BlockCipher k => (IV k -> IV k) -> k -> IV k -> L.ByteString -> (L.ByteString, IV k) modeCtr = modeUnCtr -- |Counter mode for lazy bytestrings modeUnCtr :: BlockCipher k => (IV k -> IV k) -> k -> IV k -> L.ByteString -> (L.ByteString, IV k) modeUnCtr f k (IV iv) msg = let ivStr = iterate f $ IV iv ivLen = fromIntegral $ B.length iv newIV = head $ genericDrop ((ivLen - 1 + L.length msg) `div` ivLen) ivStr in (zwp (L.fromChunks $ map (encryptBlock k) $ map initializationVector ivStr) msg, newIV) -- |The number of bytes in a block cipher block blockSizeBytes :: (BlockCipher k) => Tagged k ByteLength blockSizeBytes = fmap (`div` 8) blockSize -- |The number of bytes in a block cipher key (assuming it is an even -- multiple of 8 bits) keyLengthBytes :: (BlockCipher k) => Tagged k ByteLength keyLengthBytes = fmap (`div` 8) keyLength -- |Build a symmetric key using the system entropy (see 'System.Entropy') buildKeyIO :: (BlockCipher k) => IO k buildKeyIO = buildKeyM getEntropy fail -- |Build a symmetric key using a given 'Crypto.Random.CryptoRandomGen' buildKeyGen :: (BlockCipher k, CryptoRandomGen g) => g -> Either GenError (k, g) buildKeyGen = runStateT (buildKeyM (StateT . genBytes) (lift . Left . GenErrorOther)) buildKeyM :: (BlockCipher k, Monad m) => (Int -> m B.ByteString) -> (String -> m k) -> m k buildKeyM getMore err = go (0::Int) where go 1000 = err "Tried 1000 times to generate a key from the system entropy.\ \ No keys were returned! Perhaps the system entropy is broken\ \ or perhaps the BlockCipher instance being used has a non-flat\ \ keyspace." go i = do let bs = keyLength kd <- getMore ((7 + untag bs) `div` 8) case buildKey kd of Nothing -> go (i+1) Just k -> return $ k `asTaggedTypeOf` bs -- |Asymetric ciphers (common ones being RSA or EC based) class AsymCipher p v | p -> v, v -> p where buildKeyPair :: CryptoRandomGen g => g -> BitLength -> Either GenError ((p,v),g) -- ^ build a public/private key pair using the provided generator encryptAsym :: (CryptoRandomGen g) => g -> p -> B.ByteString -> Either GenError (B.ByteString, g) -- ^ Asymetric encryption decryptAsym :: (CryptoRandomGen g) => g -> v -> B.ByteString -> Either GenError (B.ByteString, g) -- ^ Asymetric decryption publicKeyLength :: p -> BitLength privateKeyLength :: v -> BitLength -- |Build a pair of asymmetric keys using the system random generator. -- WARNING: This function opens a file handle which will never be closed! buildKeyPairIO :: AsymCipher p v => BitLength -> IO (Either GenError (p,v)) buildKeyPairIO bl = do g <- newGenIO :: IO SystemRandom case buildKeyPair g bl of Left err -> return (Left err) Right (k,_) -> return (Right k) -- |Flipped 'buildKeyPair' for ease of use with state monads. buildKeyPairGen :: (CryptoRandomGen g, AsymCipher p v) => BitLength -> g -> Either GenError ((p,v),g) buildKeyPairGen = flip buildKeyPair -- | A stream cipher class. Instance are expected to work on messages as small as one byte -- The length of the resulting cipher text should be equal -- to the length of the input message. class (Serialize k) => StreamCipher k iv | k -> iv where buildStreamKey :: B.ByteString -> Maybe k encryptStream :: k -> iv -> B.ByteString -> (B.ByteString, iv) decryptStream :: k -> iv -> B.ByteString -> (B.ByteString, iv) streamKeyLength :: Tagged k BitLength -- |Build a stream key using the system random generator buildStreamKeyIO :: StreamCipher k iv => IO k buildStreamKeyIO = buildStreamKeyM getEntropy fail -- |Build a stream key using the provided random generator buildStreamKeyGen :: (StreamCipher k iv, CryptoRandomGen g) => g -> Either GenError (k, g) buildStreamKeyGen = runStateT (buildStreamKeyM (StateT . genBytes) (lift . Left . GenErrorOther)) buildStreamKeyM :: (Monad m, StreamCipher k iv) => (Int -> m B.ByteString) -> (String -> m k) -> m k buildStreamKeyM getMore err = go (0::Int) where go 1000 = err "Tried 1000 times to generate a stream key from the system entropy.\ \ No keys were returned! Perhaps the system entropy is broken\ \ or perhaps the BlockCipher instance being used has a non-flat\ \ keyspace." go i = do let k = streamKeyLength kd <- getMore ((untag k + 7) `div` 8) case buildStreamKey kd of Nothing -> go (i+1) Just k' -> return $ k' `asTaggedTypeOf` k -- | A class for signing operations which inherently can not be as generic -- as asymetric ciphers (ex: DSA). class (Serialize p, Serialize v) => Signing p v | p -> v, v -> p where sign :: CryptoRandomGen g => g -> v -> L.ByteString -> Either GenError (B.ByteString, g) verify :: p -> L.ByteString -> B.ByteString -> Bool buildSigningPair :: CryptoRandomGen g => g -> BitLength -> Either GenError ((p, v), g) signingKeyLength :: v -> BitLength verifyingKeyLength :: p -> BitLength -- |Build a signing key using the system random generator -- WARNING: This function opens a file handle which will never be closed! buildSigningKeyPairIO :: (Signing p v) => BitLength -> IO (Either GenError (p,v)) buildSigningKeyPairIO bl = do g <- newGenIO :: IO SystemRandom case buildSigningPair g bl of Left err -> return $ Left err Right (k,_) -> return $ Right k -- |Flipped 'buildSigningPair' for ease of use with state monads. buildSigningKeyPairGen :: (Signing p v, CryptoRandomGen g) => BitLength -> g -> Either GenError ((p, v), g) buildSigningKeyPairGen = flip buildSigningPair -- | Like `ecb` but for strict bytestrings modeEcb' :: BlockCipher k => k -> B.ByteString -> B.ByteString modeEcb' k msg = let chunks = chunkFor' k msg in B.concat $ map (encryptBlock k) chunks {-# INLINE modeEcb' #-} -- |Decryption complement to `ecb'` modeUnEcb' :: BlockCipher k => k -> B.ByteString -> B.ByteString modeUnEcb' k ct = let chunks = chunkFor' k ct in B.concat $ map (decryptBlock k) chunks {-# INLINE modeUnEcb' #-} -- |Cipher block chaining encryption mode on strict bytestrings modeCbc' :: BlockCipher k => k -> IV k -> B.ByteString -> (B.ByteString, IV k) modeCbc' k (IV v) plaintext = let blks = chunkFor' k plaintext (cts, iv) = go blks v in (B.concat cts, IV iv) where go [] iv = ([], iv) go (b:bs) iv = let c = encryptBlock k (zwp' iv b) (cs, ivFinal) = go bs c in (c:cs, ivFinal) {-# INLINEABLE modeCbc' #-} -- |Cipher block chaining decryption for strict bytestrings modeUnCbc' :: BlockCipher k => k -> IV k -> B.ByteString -> (B.ByteString, IV k) modeUnCbc' k (IV v) ciphertext = let blks = chunkFor' k ciphertext (pts, iv) = go blks v in (B.concat pts, IV iv) where go [] iv = ([], iv) go (c:cs) iv = let p = zwp' (decryptBlock k c) iv (ps, ivFinal) = go cs c in (p:ps, ivFinal) {-# INLINEABLE modeUnCbc' #-} -- |Output feedback mode for strict bytestrings modeOfb' :: BlockCipher k => k -> IV k -> B.ByteString -> (B.ByteString, IV k) modeOfb' = modeUnOfb' {-# INLINEABLE modeOfb' #-} -- |Output feedback mode for strict bytestrings modeUnOfb' :: BlockCipher k => k -> IV k -> B.ByteString -> (B.ByteString, IV k) modeUnOfb' k (IV iv) msg = let ivStr = collect (B.length msg + ivLen) (drop 1 (iterate (encryptBlock k) iv)) ivLen = B.length iv mLen = fromIntegral (B.length msg) newIV = IV . B.concat . L.toChunks . L.take (fromIntegral ivLen) . L.drop mLen . L.fromChunks $ ivStr in (zwp' (B.concat ivStr) msg, newIV) {-# INLINEABLE modeUnOfb' #-} -- |Counter mode for strict bytestrings modeCtr' :: BlockCipher k => (IV k -> IV k) -> k -> IV k -> B.ByteString -> (B.ByteString, IV k) modeCtr' = modeUnCtr' {-# INLINEABLE modeCtr' #-} -- |Counter mode for strict bytestrings modeUnCtr' :: BlockCipher k => (IV k -> IV k) -> k -> IV k -> B.ByteString -> (B.ByteString, IV k) modeUnCtr' f k iv msg = let fa (st,IV iv) c | B.null st = fa (encryptBlock k iv, f (IV iv)) c | otherwise = let Just (s,nst) = B.uncons st in ((nst,IV iv),xor c s) ((_,newIV),res) = B.mapAccumL fa (B.empty,iv) msg in (res,newIV) {-# INLINEABLE modeUnCtr' #-} -- |Ciphertext feed-back encryption mode for strict bytestrings (with -- s == blockSize) modeCfb' :: BlockCipher k => k -> IV k -> B.ByteString -> (B.ByteString, IV k) modeCfb' k (IV v) msg = let blks = chunkFor' k msg (cs,ivF) = go v blks in (B.concat cs, IV ivF) where go iv [] = ([],iv) go iv (b:bs) = let c = zwp' (encryptBlock k iv) b (cs,ivFinal) = go c bs in (c:cs, ivFinal) {-# INLINEABLE modeCfb' #-} -- |Ciphertext feed-back decryption mode for strict bytestrings (with s == blockSize) modeUnCfb' :: BlockCipher k => k -> IV k -> B.ByteString -> (B.ByteString, IV k) modeUnCfb' k (IV v) msg = let blks = chunkFor' k msg (ps, ivF) = go v blks in (B.concat ps, IV ivF) where go iv [] = ([], iv) go iv (b:bs) = let p = zwp' (encryptBlock k iv) b (ps, ivF) = go b bs in (p:ps, ivF) {-# INLINEABLE modeUnCfb' #-} toChunks :: Int -> B.ByteString -> [B.ByteString] toChunks n val = go val where go b | B.length b == 0 = [] | otherwise = let (h,t) = B.splitAt n b in h : go t -- |Increase an `IV` by one. This is way faster than decoding, -- increasing, encoding incIV :: BlockCipher k => IV k -> IV k incIV (IV b) = IV $ snd $ B.mapAccumR (incw) 1 b where incw :: Word16 -> Word8 -> (Word16, Word8) incw i w = let nw=i+(fromIntegral w) in (shiftR nw 8, fromIntegral nw) -- |Obtain an `IV` made only of zeroes zeroIV :: (BlockCipher k) => IV k zeroIV = iv where bytes = ivBlockSizeBytes iv iv = IV $ B.replicate bytes 0 zeroIVcwc :: BlockCipher k => IV k zeroIVcwc = iv where bytes = ivBlockSizeBytes iv - 5 -- a constant of cwc (4 bytes for ctr mode, 1 for a sort of header on the iv) iv = IV $ B.replicate bytes 0 -- Break a bytestring into block size chunks. chunkFor :: (BlockCipher k) => k -> L.ByteString -> [B.ByteString] chunkFor k = go where blkSz = (blockSize `for` k) `div` 8 blkSzI = fromIntegral blkSz go bs | L.length bs < blkSzI = [] | otherwise = let (blk,rest) = L.splitAt blkSzI bs in B.concat (L.toChunks blk) : go rest {-# INLINE chunkFor #-} -- Break a bytestring into block size chunks. chunkFor' :: (BlockCipher k) => k -> B.ByteString -> [B.ByteString] chunkFor' k = go where blkSz = (blockSize `for` k) `div` 8 go bs | B.length bs < blkSz = [] | otherwise = let (blk,rest) = B.splitAt blkSz bs in blk : go rest {-# INLINE chunkFor' #-} -- |Create the mask for SIV based ciphers sivMask :: B.ByteString -> B.ByteString sivMask b = snd $ B.mapAccumR (go) 0 b where go :: Int -> Word8 -> (Int,Word8) go 24 w = (32,clearBit w 7) go 56 w = (64,clearBit w 7) go n w = (n+8,w) ivBlockSizeBytes :: BlockCipher k => IV k -> Int ivBlockSizeBytes iv = let p = deIVProxy (proxyOf iv) in proxy blockSize p `div` 8 where proxyOf :: a -> Proxy a proxyOf = const Proxy {-# INLINEABLE ivBlockSizeBytes #-} instance (BlockCipher k) => Serialize (IV k) where get = do let p = Proxy doGet :: BlockCipher k => Proxy k -> Get (IV k) doGet pr = liftM IV (SG.getByteString (proxy blockSizeBytes pr)) iv <- doGet p return (iv `asProxyTypeOf` ivProxy p) put (IV iv) = SP.putByteString iv