path: root/common/crypto.cpp

//========= Copyright Valve Corporation, All rights reserved. ============//
//
// Purpose:
//
// $NoKeywords: $
//=============================================================================

// Note: not using precompiled headers.  The crypto++ headers create gunk that anyone including them
//       has to link to, so they can't be included in the global project file.  They also contain
//       string functions which are deprecated by the global project file so they can't be included after, either.
//       So we can't use the global precompiled header, need to manually include the things we need.

#include "winlite.h"

#ifdef POSIX
#include <sys/types.h>
#include <sys/socket.h>
#endif

/* this stuff needs to be before the crypto headers, as it relies on memdbg, which doesn't 
   do the right thing in the face of xdebug getting included below */
// tier0
//#include "tier0/tier0.h"
#include "tier0/basetypes.h"
#include "tier0/vprof.h"
//#include "constants.h"
#include "vstdlib/vstdlib.h"
#include "strtools.h"
//#include "version.h"
//#include "globals.h"
//#include "ivalidate.h"
#include "tier1/utlvector.h"
#include "simplebitstring.h"
#include "tier1/checksum_sha1.h"
#include "tier0/memdbgon.h"
#include "tier0/tslist.h"
#include "tier0/memdbgoff.h"


#ifdef ENABLE_OPENSSLCONNECTION
#define USE_OPENSSL_AES_DECRYPT 1
#endif

#ifdef USE_OPENSSL_AES_DECRYPT
// openssl optimized AES routines
#include "openssl/aes.h"
#if defined(_M_IX86) || defined (_M_X64) || defined(__i386__) || defined(__x86_64__)
#include <emmintrin.h>
#endif 
#endif

// crypto ++
#include "tier0/valve_off.h"
#include "../external/crypto++-5.6.3/cryptopushdisablewarnings.h"
#if _MSC_VER < 1400 // doesn't work with vc8, things below need xdebug
#define _XDEBUG_		// keep crypto++-5.2 from including xdebug
// these are defined in xdebug and used in some subsequent headers, define them to be our version
#define _NEW_CRT			new
#define _DELETE_CRT(_P)		delete (_P)
#define _DELETE_CRT_VEC(_P)	delete[] (_P)
#define _STRING_CRT			string
#endif
#define CRYPTOPP_DLL
#undef min
#undef max
#undef Verify
#define VPROF_BUDGETGROUP_ENCRYPTION				_T("Encryption")
#define SPEW_CRYPTO "crypto"
const int k_cMedBuff = 1024;					// medium buffer 

#if defined(GNUC)
#pragma GCC diagnostic ignored "-Wshadow"
#endif

#include "../external/crypto++-5.6.3/cryptlib.h"
#include "../external/crypto++-5.6.3/osrng.h"
#include "../external/crypto++-5.6.3/crc.h"
#include "../external/crypto++-5.6.3/modes.h"
#include "../external/crypto++-5.6.3/files.h"
#include "../external/crypto++-5.6.3/hex.h"
#include "../external/crypto++-5.6.3/base64.h"
#include "../external/crypto++-5.6.3/base32.h"
#include "../external/crypto++-5.6.3/words.h"
#include "../external/crypto++-5.6.3/rsa.h"
#include "../external/crypto++-5.6.3/aes.h"
#include "../external/crypto++-5.6.3/hmac.h"
#include "../external/crypto++-5.6.3/zlib.h"
#include "../external/crypto++-5.6.3/gzip.h"
#include "../external/crypto++-5.6.3/pwdbased.h"
using namespace CryptoPP;
typedef AutoSeededX917RNG<AES> CAutoSeededRNG;
#include "../external/crypto++-5.6.3/cryptopopdisablewarnings.h"

#if defined(GNUC)
#pragma GCC diagnostic warning "-Wshadow"
#endif

#include "tier0/memdbgon.h"
#include "tier0/valve_on.h"

#include "crypto.h"
#define max(a,b)  (((a) > (b)) ? (a) : (b))
#define min(a,b)  (((a) < (b)) ? (a) : (b))


// list of auto-seeded RNG pointers
// these are very expensive to construct, so it makes sense to cache them
CTSList<CAutoSeededRNG> g_tslistPAutoSeededRNG;

// to avoid deconstructor order issuses we allow to manually free the list
void FreeListRNG()
{
	g_tslistPAutoSeededRNG.Purge();
}

//-----------------------------------------------------------------------------
// Purpose: thread-safe access to a pool of cryptoPP random number generators
//-----------------------------------------------------------------------------
class CPoolAllocatedRNG
{
public:
	CPoolAllocatedRNG()
	{
		m_pRNGNode = g_tslistPAutoSeededRNG.Pop();
		if ( !m_pRNGNode )
		{
			m_pRNGNode = new CTSList<CAutoSeededRNG>::Node_t;
		}
	}

	~CPoolAllocatedRNG()
	{
		g_tslistPAutoSeededRNG.Push( m_pRNGNode );
	}

	CAutoSeededRNG &GetRNG()
	{
		return m_pRNGNode->elem;
	}

private:
	CTSList<CAutoSeededRNG>::Node_t *m_pRNGNode;
};

// force run this static construction code 
class CGlobalInitConstructor
{
public:
	CGlobalInitConstructor()
	{
		// we have to use this function once since the underlying static constructor
		// is not thread safe. See use of MicrosoftCryptoProvider in Crypto++
		CAutoSeededRNG rng;
		rng.GenerateByte();
	}
};

volatile static CGlobalInitConstructor s_StaticCryptoConstructor;

//-----------------------------------------------------------------------------
// Purpose: Encrypts the specified data with the specified key.  Uses AES (Rijndael) symmetric
//			encryption.  The encrypted data may then be decrypted by calling SymmetricDecrypt
//			with the same key.
// Input:	pubPlaintextData -	Data to be encrypted
//			cubPlaintextData -	Size of data to be encrypted
//			pIV				 -	Pointer to initialization vector
//			cubIV			 -	Size of initialization vector
//			pubEncryptedData -  Pointer to buffer to receive encrypted data
//			pcubEncryptedData - Pointer to a variable that at time of call contains the size of
//								the receive buffer for encrypted data.  When the method returns, this will contain
//								the actual size of the encrypted data.
//			pubKey -			the key to encrypt the data with
//			cubKey -			Size of the key (must be k_nSymmetricKeyLen)
// Output:  true if successful, false if encryption failed
//-----------------------------------------------------------------------------
bool CCrypto::SymmetricEncryptWithIV( const uint8 *pubPlaintextData, const uint32 cubPlaintextData, 
									  const uint8 *pIV, const uint32 cubIV,
									  uint8 *pubEncryptedData, uint32 *pcubEncryptedData,
									  const uint8 *pubKey, const uint32 cubKey )
{
	VPROF_BUDGET( "CCrypto::SymmetricEncrypt", VPROF_BUDGETGROUP_ENCRYPTION );
	Assert( pubPlaintextData );
	Assert( cubPlaintextData );
	Assert( pubEncryptedData );
	Assert( pcubEncryptedData );
	Assert( *pcubEncryptedData );
	Assert( pubKey );
	Assert( k_nSymmetricKeyLen == cubKey );	// the only key length supported is k_nSymmetricKeyLen

	bool bRet = false;

	uint32 cubEncryptedData = *pcubEncryptedData;	// remember how big the caller's buffer is
	bool bUseTempBuffer = false;
	uint8 *pTemp = pubEncryptedData;


	//
	// Crypto++ does not play well with overlapping buffers. If the buffers are
	// overlapping, then allocate some temp space to use for the encryption.
	//
	// It does work fine with _identical_ buffers.
	//
	if ( ( pubEncryptedData + cubEncryptedData >= pubPlaintextData ) &&
		( pubPlaintextData + cubPlaintextData >= pubEncryptedData ) )
	{
		pTemp = new uint8[cubEncryptedData];
		bUseTempBuffer = true;
	}

	try		// handle any exceptions crypto++ may throw
	{	
		if ( pTemp != NULL )
		{
			AESEncryption aesEncrypt( pubKey, cubKey );

			byte rgubIVEncrypted[k_cMedBuff];
			Assert( Q_ARRAYSIZE( rgubIVEncrypted ) >= aesEncrypt.BlockSize() );
			Assert( pIV != NULL && cubIV >= aesEncrypt.BlockSize() );

			ArraySink * pOutputSink = new ArraySink( pTemp, *pcubEncryptedData );

			// encrypt the initial vector with the key
			aesEncrypt.ProcessBlock( pIV, rgubIVEncrypted );

			// store the encrypted IV in the output - the recipient will need it
			pOutputSink->Put( rgubIVEncrypted, aesEncrypt.BlockSize() );

			// encrypt the message, given the key & IV
			CBC_Mode_ExternalCipher::Encryption cipher( aesEncrypt, pIV );
			// Note: StreamTransformationFilter now owns the pointer to pOutputSink and will
			// free it when the filter goes out of scope and destructs
			StreamTransformationFilter filter( cipher, pOutputSink );
			filter.Put( (byte *) pubPlaintextData, cubPlaintextData );
			filter.MessageEnd();
			// return length of encrypted data to caller
			*pcubEncryptedData = pOutputSink->TotalPutLength();
			// CryptoPP may leave garbage hanging around in the caller's buffer past the stated output length.
			// Just to be safe, zero out caller's buffer from end out output to end of max buffer
			if ( bUseTempBuffer )
			{
				Q_memcpy( pubEncryptedData, pTemp, *pcubEncryptedData );
			}
			Q_memset( pubEncryptedData + *pcubEncryptedData, 0, (cubEncryptedData - *pcubEncryptedData ) );
			bRet = true;
		}
	}
	catch ( Exception e ) 
	{
		DMsg( SPEW_CRYPTO, 2, "CCrypto::SymmetricEncrypt: crypto++ threw exception %s (%d)\n",
			e.what(), e.GetErrorType() );
	}

	if ( bUseTempBuffer )
	{
		delete[] pTemp;
	}

	return bRet;
}

//-----------------------------------------------------------------------------
// Purpose: Encrypts the specified data with the specified key.  Uses AES (Rijndael) symmetric
//			encryption.  The encrypted data may then be decrypted by calling SymmetricDecrypt
//			with the same key.  Generates a random initialization vector of the
//			appropriate size.
// Input:	pubPlaintextData -	Data to be encrypted
//			cubPlaintextData -	Size of data to be encrypted
//			pubEncryptedData -  Pointer to buffer to receive encrypted data
//			pcubEncryptedData - Pointer to a variable that at time of call contains the size of
//								the receive buffer for encrypted data.  When the method returns, this will contain
//								the actual size of the encrypted data.
//			pubKey -			the key to encrypt the data with
//			cubKey -			Size of the key (must be k_nSymmetricKeyLen)
// Output:  true if successful, false if encryption failed
//-----------------------------------------------------------------------------

bool CCrypto::SymmetricEncrypt( const uint8 *pubPlaintextData, const uint32 cubPlaintextData, 
								uint8 *pubEncryptedData, uint32 *pcubEncryptedData,
								const uint8 *pubKey, const uint32 cubKey )
{
	bool bRet = false;

	//
	// Generate a random IV
	//
	AESEncryption aesEncrypt( pubKey, cubKey );
	byte rgubIV[k_cMedBuff];
	CPoolAllocatedRNG rng;
	rng.GetRNG().GenerateBlock( rgubIV, aesEncrypt.BlockSize() );

	bRet = SymmetricEncryptWithIV( pubPlaintextData, cubPlaintextData, rgubIV, aesEncrypt.BlockSize(), pubEncryptedData, pcubEncryptedData, pubKey, cubKey );

	return bRet;
}


#ifdef USE_OPENSSL_AES_DECRYPT

// Local helper to perform AES+CBC decryption using optimized OpenSSL AES routines
static bool BDecryptAESUsingOpenSSL( const uint8 *pubEncryptedData, uint32 cubEncryptedData, uint8 *pubPlaintextData, uint32 *pcubPlaintextData, AES_KEY *key, const uint8 *pIV )
{
	COMPILE_TIME_ASSERT( k_nSymmetricBlockSize == 16 );

	// Block cipher encrypted text must be a multiple of the block size
	if ( cubEncryptedData % k_nSymmetricBlockSize != 0 )
		return false;

	// Enough input? Requirement is one padded final block
	if ( cubEncryptedData < k_nSymmetricBlockSize )
		return false;

	// Enough output space for all the full non-final blocks?
	if ( *pcubPlaintextData < cubEncryptedData - k_nSymmetricBlockSize )
		return false;

	uint8 rgubWorking[k_nSymmetricBlockSize];
	uint32 nDecrypted = 0;

	// Process non-final blocks
#if defined(_M_IX86) || defined (_M_X64) || defined(__i386__) || defined(__x86_64__)
	// ... believe it or not, Steam client on Windows supports Athlon XP without SSE2
	if ( !IsWindows() || GetCPUInformation().m_bSSE2 )
	{
		while ( nDecrypted < cubEncryptedData - k_nSymmetricBlockSize )
		{
			AES_decrypt( pubEncryptedData + nDecrypted, rgubWorking, key );
			__m128i m128Temp = _mm_xor_si128( _mm_loadu_si128( (__m128i*)pIV ), _mm_loadu_si128( (__m128i*)rgubWorking ) );
			pIV = pubEncryptedData + nDecrypted;
			nDecrypted += k_nSymmetricBlockSize;
			_mm_storeu_si128( (__m128i* RESTRICT)( pubPlaintextData + nDecrypted - k_nSymmetricBlockSize ), m128Temp );
		}
	}
	else
#endif
	{
		while ( nDecrypted < cubEncryptedData - k_nSymmetricBlockSize )
		{
			AES_decrypt( pubEncryptedData + nDecrypted, rgubWorking, key );
			for ( int i = 0; i < k_nSymmetricBlockSize; ++i )
				pubPlaintextData[nDecrypted + i] = rgubWorking[i] ^ pIV[i];
			pIV = pubEncryptedData + nDecrypted;
			nDecrypted += k_nSymmetricBlockSize;
		}
	}

	// Process final block into rgubWorking for padding inspection
	Assert( nDecrypted == cubEncryptedData - k_nSymmetricBlockSize );
	AES_decrypt( pubEncryptedData + nDecrypted, rgubWorking, key );
	for ( int i = 0; i < k_nSymmetricBlockSize; ++i )
		rgubWorking[i] ^= pIV[i];
	
	// Get final block padding length and make sure it is backfilled properly (PKCS#5)
	uint8 pad = rgubWorking[ k_nSymmetricBlockSize - 1 ];
	if ( pad < 1 || pad > k_nSymmetricBlockSize )
		return false;
	for ( int i = k_nSymmetricBlockSize - pad; i < k_nSymmetricBlockSize; ++i )
		if ( rgubWorking[i] != pad )
			return false;

    // Check that we have enough space for final bytes
    if ( *pcubPlaintextData < nDecrypted + k_nSymmetricBlockSize - pad )
        return false;
    
	// Write any non-pad bytes from rgubWorking to pubPlaintextData
	for ( int i = 0; i < k_nSymmetricBlockSize - pad; ++i )
		pubPlaintextData[nDecrypted++] = rgubWorking[i];

	// The old CryptoPP path zeros out the entire destination buffer, but that
	// behavior isn't documented or even expected. We'll just zero out one byte
	// in case anyone relies on string termination, but that zero isn't counted.
	if ( *pcubPlaintextData > nDecrypted )
		pubPlaintextData[nDecrypted] = 0;

	*pcubPlaintextData = nDecrypted;
	return true;
}

#else

/* function, not method */
static bool SymmetricDecryptWorker( const uint8 *pubEncryptedData, uint32 cubEncryptedData, 
									const uint8 * pIV, uint32 cubIV,
									uint8 *pubPlaintextData, uint32 *pcubPlaintextData, 
									AESDecryption &aesDecrypt )
{
	VPROF_BUDGET( "CCrypto::SymmetricDecrypt", VPROF_BUDGETGROUP_ENCRYPTION );
	Assert( pubEncryptedData );
	Assert( cubEncryptedData);
	Assert( pIV );
	Assert( cubIV );
	Assert( pubPlaintextData );
	Assert( pcubPlaintextData );
	Assert( *pcubPlaintextData );

	bool bRet = false;

	uint32 cubPlaintextData = *pcubPlaintextData;	// remember how big the caller's buffer is
	bool bUseTempBuffer = false;
	uint8* pTemp = pubPlaintextData;

	//
	// Crypto++ does not play nice with decrypting in place. If the buffers are
	// overlapping, then allocate some temp space to use for the decryption.
	//
	// It does work fine with _identical_ buffers, but due to the way we store
	// the IV in the returned encrypted data we never actually hit that case.
	//
	if ( ( pubEncryptedData + cubEncryptedData >= pubPlaintextData ) &&
		 ( pubPlaintextData + cubPlaintextData >= pubEncryptedData ) )
	{
		pTemp = new uint8[cubPlaintextData];
		bUseTempBuffer = true;
	}

	try		// handle any exceptions crypto++ may throw
	{
		if ( pTemp != NULL )
		{
			CryptoPP::ArraySink* pOutputSink = new CryptoPP::ArraySink( pTemp, *pcubPlaintextData );
			CryptoPP::CBC_Mode_ExternalCipher::Decryption cbc( aesDecrypt, pIV );
			// Note: StreamTransformationFilter now owns the pointer to pOutputSink and will
			// free it when the filter goes out of scope and destructs
			CryptoPP::StreamTransformationFilter padding( cbc, pOutputSink );
			padding.Put( pubEncryptedData, cubEncryptedData );
			padding.MessageEnd();
			// return length of decrypted data to caller
			*pcubPlaintextData = pOutputSink->TotalPutLength();
			// CryptoPP may leave garbage hanging around in the caller's buffer past the stated output length.
			// Just to be safe, zero out caller's buffer from end out output to end of max buffer
			if ( bUseTempBuffer )
			{
				Q_memcpy( pubPlaintextData, pTemp, *pcubPlaintextData );
			}
			Q_memset( pubPlaintextData + *pcubPlaintextData, 0, (cubPlaintextData - *pcubPlaintextData ) );

			bRet = true;
		}
	}
	catch ( Exception e ) 
	{
		DMsg( SPEW_CRYPTO, 4, "CCrypto::SymmetricDecrypt: crypto++ threw exception %s (%d)\n",
			e.what(), e.GetErrorType() );
	}

	if ( bUseTempBuffer )
	{
		delete[] pTemp;
	}

	return bRet;
}

#endif


//-----------------------------------------------------------------------------
// Purpose: Decrypts the specified data with the specified key.  Uses AES (Rijndael) symmetric
//			decryption.  
// Input:	pubEncryptedData -	Data to be decrypted
//			cubEncryptedData -	Size of data to be decrypted
//			pubPlaintextData -  Pointer to buffer to receive decrypted data
//			pcubPlaintextData - Pointer to a variable that at time of call contains the size of
//								the receive buffer for decrypted data.  When the method returns, this will contain
//								the actual size of the decrypted data.
//			pubKey -			the key to decrypt the data with
//			cubKey -			Size of the key (must be k_nSymmetricKeyLen)
// Output:  true if successful, false if decryption failed
//-----------------------------------------------------------------------------
bool CCrypto::SymmetricDecrypt( const uint8 *pubEncryptedData, uint32 cubEncryptedData, 
							   uint8 *pubPlaintextData, uint32 *pcubPlaintextData, 
							   const uint8 *pubKey, const uint32 cubKey )
{
	Assert( pubEncryptedData );
	Assert( cubEncryptedData);
	Assert( pubPlaintextData );
	Assert( pcubPlaintextData );
	Assert( *pcubPlaintextData );
	Assert( pubKey );
	Assert( k_nSymmetricKeyLen == cubKey );	// the only key length supported is k_nSymmetricKeyLen

	// the initialization vector (IV) must be stored in the first block of bytes.
	// If the size of encrypted data is not at least the block size, it is not valid
	if ( cubEncryptedData < k_nSymmetricBlockSize )
		return false;

#ifdef USE_OPENSSL_AES_DECRYPT

	AES_KEY key;
	if ( AES_set_decrypt_key( pubKey, cubKey * 8, &key ) < 0 )
		return false;

	// Our first block is straight AES block encryption of IV with user key, no XOR.
	uint8 rgubIV[ k_nSymmetricBlockSize ];
	AES_decrypt( pubEncryptedData, rgubIV, &key );
	pubEncryptedData += k_nSymmetricBlockSize;
	cubEncryptedData -= k_nSymmetricBlockSize;

	return BDecryptAESUsingOpenSSL( pubEncryptedData, cubEncryptedData, pubPlaintextData, pcubPlaintextData, &key, rgubIV );

#else

	AESDecryption aesDecrypt( pubKey, cubKey );
	Assert( k_nSymmetricBlockSize == aesDecrypt.BlockSize() );

	// Decrypt the IV
	byte rgubIV[k_cMedBuff];
	Assert( Q_ARRAYSIZE( rgubIV ) >= aesDecrypt.BlockSize() );
	aesDecrypt.ProcessBlock( pubEncryptedData, rgubIV );

	// We have now consumed the IV, so remove it from the front of the message
	pubEncryptedData += k_nSymmetricBlockSize;
	cubEncryptedData -= k_nSymmetricBlockSize;

	// given the IV stored in the message, and the key, decrypt the message
	return SymmetricDecryptWorker( pubEncryptedData, cubEncryptedData,
		rgubIV, aesDecrypt.BlockSize(),
		pubPlaintextData, pcubPlaintextData,
		aesDecrypt );

#endif
}

//-----------------------------------------------------------------------------
// Purpose: Decrypts the specified data with the specified key.  Uses AES (Rijndael) symmetric
//			decryption.  
// Input:	pubEncryptedData -	Data to be decrypted
//			cubEncryptedData -	Size of data to be decrypted
//			pIV -				Initialization vector. Byte array one block in size.
//			cubIV -				size of IV. This should be 16 (one block, 128 bits)
//			pubPlaintextData -  Pointer to buffer to receive decrypted data
//			pcubPlaintextData - Pointer to a variable that at time of call contains the size of
//								the receive buffer for decrypted data.  When the method returns, this will contain
//								the actual size of the decrypted data.
//			pubKey -			the key to decrypt the data with
//			cubKey -			Size of the key (must be k_nSymmetricKeyLen)
// Output:  true if successful, false if decryption failed
//-----------------------------------------------------------------------------
bool CCrypto::SymmetricDecryptWithIV( const uint8 *pubEncryptedData, uint32 cubEncryptedData, 
								const uint8 * pIV, uint32 cubIV,
								uint8 *pubPlaintextData, uint32 *pcubPlaintextData, 
								const uint8 *pubKey, const uint32 cubKey )
{
	Assert( pubEncryptedData );
	Assert( cubEncryptedData);
	Assert( pIV );
	Assert( cubIV );
	Assert( pubPlaintextData );
	Assert( pcubPlaintextData );
	Assert( *pcubPlaintextData );
	Assert( pubKey );
	Assert( k_nSymmetricKeyLen == cubKey );	// the only key length supported is k_nSymmetricKeyLen

	// IV input into CBC must be exactly one block size
	if ( cubIV != k_nSymmetricBlockSize )
		return false;

#ifdef USE_OPENSSL_AES_DECRYPT

	AES_KEY key;
	if ( AES_set_decrypt_key( pubKey, cubKey * 8, &key ) < 0 )
		return false;

	return BDecryptAESUsingOpenSSL( pubEncryptedData, cubEncryptedData, pubPlaintextData, pcubPlaintextData, &key, pIV );

#else

	AESDecryption aesDecrypt( pubKey, cubKey );
	Assert( k_nSymmetricBlockSize == aesDecrypt.BlockSize() );

	return SymmetricDecryptWorker( pubEncryptedData, cubEncryptedData,
		pIV, cubIV,
		pubPlaintextData, pcubPlaintextData,
		aesDecrypt );

#endif
}


//-----------------------------------------------------------------------------
// Purpose: For specified plaintext data size, returns what size of symmetric
//			encrypted data will be
//-----------------------------------------------------------------------------
uint32 CCrypto::GetSymmetricEncryptedSize( uint32 cubPlaintextData )
{
	// empirically determined encrypted size as function of plaintext size for AES encryption
	uint k_cubBlock = 16;
	uint k_cubHeader = 16;
	return k_cubHeader + ( ( cubPlaintextData / k_cubBlock ) * k_cubBlock ) + k_cubBlock;
}


//-----------------------------------------------------------------------------
// Purpose: Encrypts the specified data with the specified text password.  
//			Uses the SHA256 hash of the password as the key for AES (Rijndael) symmetric
//			encryption. A SHA1 HMAC of the result is appended, for authentication on 
//			the receiving end.
//			The encrypted data may then be decrypted by calling DecryptWithPasswordAndAuthenticate
//			with the same password.
// Input:	pubPlaintextData -	Data to be encrypted
//			cubPlaintextData -	Size of data to be encrypted
//			pubEncryptedData -  Pointer to buffer to receive encrypted data
//			pcubEncryptedData - Pointer to a variable that at time of call contains the size of
//								the receive buffer for encrypted data.  When the method returns, this will contain
//								the actual size of the encrypted data.
//			pchPassword -		text password
// Output:  true if successful, false if encryption failed
//-----------------------------------------------------------------------------
bool CCrypto::EncryptWithPasswordAndHMAC( const uint8 *pubPlaintextData, uint32 cubPlaintextData,
								 uint8 * pubEncryptedData, uint32 * pcubEncryptedData,
								 const char *pchPassword )
{
	//
	// Generate a random IV
	//
	byte rgubIV[k_nSymmetricBlockSize];
	CPoolAllocatedRNG rng;
	rng.GetRNG().GenerateBlock( rgubIV, k_nSymmetricBlockSize );

	return EncryptWithPasswordAndHMACWithIV( pubPlaintextData, cubPlaintextData, rgubIV, k_nSymmetricBlockSize, pubEncryptedData, pcubEncryptedData, pchPassword );
}


//-----------------------------------------------------------------------------
// Purpose: Encrypts the specified data with the specified text password.  
//			Uses the SHA256 hash of the password as the key for AES (Rijndael) symmetric
//			encryption. A SHA1 HMAC of the result is appended, for authentication on 
//			the receiving end.
//			The encrypted data may then be decrypted by calling DecryptWithPasswordAndAuthenticate
//			with the same password.
// Input:	pubPlaintextData -	Data to be encrypted
//			cubPlaintextData -	Size of data to be encrypted
//			pIV -				IV to use for AES encryption. Should be random and never used before unless you know
//								exactly what you're doing.
//			cubIV -				size of the IV - should be same ase the AES blocksize.
//			pubEncryptedData -  Pointer to buffer to receive encrypted data
//			pcubEncryptedData - Pointer to a variable that at time of call contains the size of
//								the receive buffer for encrypted data.  When the method returns, this will contain
//								the actual size of the encrypted data.
//			pchPassword -		text password
// Output:  true if successful, false if encryption failed
//-----------------------------------------------------------------------------
bool CCrypto::EncryptWithPasswordAndHMACWithIV( const uint8 *pubPlaintextData, uint32 cubPlaintextData,
								 const uint8 * pIV, uint32 cubIV,
								 uint8 * pubEncryptedData, uint32 * pcubEncryptedData,
								 const char *pchPassword )
{
	uint8 rgubKey[k_nSymmetricKeyLen];
	if ( !pchPassword || !pchPassword[0] )
		return false;

	if ( !cubPlaintextData )
		return false;

	uint32 cubBuffer = *pcubEncryptedData;
	uint32 cubExpectedResult = GetSymmetricEncryptedSize( cubPlaintextData ) + sizeof( SHADigest_t );

	if ( cubBuffer < cubExpectedResult )
		return false;

	try
	{
		CryptoPP::SHA256().CalculateDigest( rgubKey, (const uint8 *)pchPassword, Q_strlen( pchPassword ) );
	}
	catch ( Exception e ) 
	{
		DMsg( SPEW_CRYPTO, 4, "CCrypto::EncryptWithPassword: crypto++ threw exception %s (%d)\n",
			e.what(), e.GetErrorType() );
		return false;
	}

	bool bRet = SymmetricEncryptWithIV( pubPlaintextData, cubPlaintextData, pIV, cubIV, pubEncryptedData, pcubEncryptedData, rgubKey, k_nSymmetricKeyLen );
	if ( bRet )
	{
		// calc HMAC
		uint32 cubEncrypted = *pcubEncryptedData;
		*pcubEncryptedData += sizeof( SHADigest_t );
		if ( cubBuffer < *pcubEncryptedData )
			return false;

		SHADigest_t *pHMAC = (SHADigest_t*)( pubEncryptedData + cubEncrypted );
		bRet = CCrypto::GenerateHMAC( pubEncryptedData, cubEncrypted, rgubKey, k_nSymmetricKeyLen, pHMAC );
	}

	return bRet;
}


//-----------------------------------------------------------------------------
// Purpose: Decrypts the specified data with the specified password.  Uses AES (Rijndael) symmetric
//			decryption. First, the HMAC is verified - if it is not correct, then we know that
//			the key is incorrect or the data is corrupted, and the decryption fails.
// Input:	pubEncryptedData -	Data to be decrypted
//			cubEncryptedData -	Size of data to be decrypted
//			pubPlaintextData -  Pointer to buffer to receive decrypted data
//			pcubPlaintextData - Pointer to a variable that at time of call contains the size of
//								the receive buffer for decrypted data.  When the method returns, this will contain
//								the actual size of the decrypted data.
//			pchPassword -		the text password to decrypt the data with
// Output:  true if successful, false if decryption failed
//-----------------------------------------------------------------------------
bool CCrypto::DecryptWithPasswordAndAuthenticate( const uint8 * pubEncryptedData, uint32 cubEncryptedData, 
								 uint8 * pubPlaintextData, uint32 * pcubPlaintextData,
								 const char *pchPassword )
{
	uint8 rgubKey[k_nSymmetricKeyLen];
	if ( !pchPassword || !pchPassword[0] )
		return false;

	if ( cubEncryptedData <= sizeof( SHADigest_t ) )
		return false;

	try
	{
		CryptoPP::SHA256().CalculateDigest( rgubKey, (const uint8 *)pchPassword, Q_strlen( pchPassword ) );
	}
	catch ( Exception e ) 
	{
		DMsg( SPEW_CRYPTO, 4, "CCrypto::EncryptWithPassword: crypto++ threw exception %s (%d)\n",
			e.what(), e.GetErrorType() );
		return false;
	}

	uint32 cubCiphertext = cubEncryptedData - sizeof( SHADigest_t );
	SHADigest_t *pHMAC = (SHADigest_t*)( pubEncryptedData + cubCiphertext  );
	SHADigest_t hmacActual;
	bool bRet = CCrypto::GenerateHMAC( pubEncryptedData, cubCiphertext, rgubKey, k_nSymmetricKeyLen, &hmacActual );

	if ( bRet )
	{
		// invalid ciphertext or key
		if ( Q_memcmp( &hmacActual, pHMAC, sizeof( SHADigest_t ) ) )
			return false;
		
		bRet = SymmetricDecrypt( pubEncryptedData, cubCiphertext, pubPlaintextData, pcubPlaintextData, rgubKey, k_nSymmetricKeyLen );
	}

	return bRet;
}


//-----------------------------------------------------------------------------
// Purpose: Generates a new pair of private/public RSA keys
// Input:	pubPublicKey -		Pointer to buffer to receive public key (should be of size k_nRSAKeyLenMax)
//			pcubPublicKey -		Pointer to variable that contains size of pubPublicKey buffer.  At exit,
//								this is filled in with the actual size of the public key
// 			pubPrivateKey -		Pointer to buffer to receive private key (should be of size k_nRSAKeyLenMax)
//			pcubPrivateKey -	Pointer to variable that contains size of pubPrivateKey buffer.  At exit,
//								this is filled in with the actual size of the private key
// Output:  true if successful, false if key generation failed
//-----------------------------------------------------------------------------
bool CCrypto::RSAGenerateKeys( uint8 *pubPublicKey, uint32 *pcubPublicKey, uint8 *pubPrivateKey, uint32 *pcubPrivateKey )
{
	VPROF_BUDGET( "CCrypto::RSAGenerateKeys", VPROF_BUDGETGROUP_ENCRYPTION );
	bool bRet = false;
	Assert( pubPublicKey );
	Assert( pcubPublicKey );
	Assert( pubPrivateKey );
	Assert( pcubPrivateKey );

	try		// handle any exceptions crypto++ may throw
	{
		// generate private key
		ArraySink arraySinkPrivateKey( pubPrivateKey, *pcubPrivateKey );
		CPoolAllocatedRNG rng;
		RSAES_OAEP_SHA_Decryptor priv( rng.GetRNG(), k_nRSAKeyBits );
		priv.DEREncode( arraySinkPrivateKey );
		*pcubPrivateKey = arraySinkPrivateKey.TotalPutLength();
		// generate public key
		ArraySink arraySinkPublicKey( pubPublicKey, *pcubPublicKey );
		RSAES_OAEP_SHA_Encryptor pub(priv);
		pub.DEREncode( arraySinkPublicKey );
		*pcubPublicKey = arraySinkPublicKey.TotalPutLength();
		bRet = true;
	}
	catch ( Exception e ) 
	{
		DMsg( SPEW_CRYPTO, 2, "CCrypto::RSAGenerateKeys: crypto++ threw exception %s (%d)\n",
			e.what(), e.GetErrorType() );
	}

	return bRet;
}


//-----------------------------------------------------------------------------
// Purpose: Encrypts the specified data with the specified RSA public key.  
//			The encrypted data may then be decrypted by calling RSADecrypt with the
//			corresponding RSA private key.
// Input:	pubPlaintextData -	Data to be encrypted
//			cubPlaintextData -	Size of data to be encrypted
//			pubEncryptedData -  Pointer to buffer to receive encrypted data
//			pcubEncryptedData - Pointer to a variable that at time of call contains the size of
//								the receive buffer for encrypted data.  When the method returns, this will contain
//								the actual size of the encrypted data.
//			pubPublicKey -		the RSA public key to encrypt the data with
//			cubPublicKey -		Size of the key (must be k_nSymmetricKeyLen)
// Output:  true if successful, false if encryption failed
//-----------------------------------------------------------------------------
bool CCrypto::RSAEncrypt( const uint8 *pubPlaintextData, uint32 cubPlaintextData, 
						  uint8 *pubEncryptedData, uint32 *pcubEncryptedData, 
						  const uint8 *pubPublicKey, const uint32 cubPublicKey )
{
	VPROF_BUDGET( "CCrypto::RSAEncrypt", VPROF_BUDGETGROUP_ENCRYPTION );
	bool bRet = false;
	Assert( cubPlaintextData > 0 );	// must pass in some data

	try		// handle any exceptions crypto++ may throw
	{
		StringSource stringSourcePublicKey( pubPublicKey, cubPublicKey, true );
		RSAES_OAEP_SHA_Encryptor rsaEncryptor( stringSourcePublicKey );

		// calculate how many blocks of encryption will we need to do
		AssertFatal( rsaEncryptor.FixedMaxPlaintextLength() <= ULONG_MAX );
		uint32 cBlocks = 1 + ( ( cubPlaintextData - 1 ) / (uint32)rsaEncryptor.FixedMaxPlaintextLength() );
		// calculate how big the output will be
		AssertFatal( rsaEncryptor.FixedCiphertextLength() <= ULONG_MAX / cBlocks );
		uint32 cubCipherText = cBlocks * (uint32)rsaEncryptor.FixedCiphertextLength();
		Assert( cubCipherText > 0 );

		// ensure there is sufficient room in output buffer for result
		if ( cubCipherText > ( *pcubEncryptedData ) )
		{
			AssertMsg2( false, "CCrypto::RSAEncrypt: insufficient output buffer for encryption, needed %d got %d\n",
						cubCipherText, *pcubEncryptedData );
			return false;
		}

		// encrypt the message, using as many blocks as required
		CPoolAllocatedRNG rng;
		for ( uint32 nBlock = 0; nBlock < cBlocks; nBlock++ )
		{
			// encrypt either all remaining plaintext, or maximum allowed plaintext per RSA encryption operation
			uint32 cubToEncrypt = min( cubPlaintextData, (uint32)rsaEncryptor.FixedMaxPlaintextLength() );
			// encrypt the plaintext
			rsaEncryptor.Encrypt( rng.GetRNG(), pubPlaintextData, cubToEncrypt, pubEncryptedData );
			// adjust input and output pointers and remaining plaintext byte count
			pubPlaintextData += cubToEncrypt;
			cubPlaintextData -= cubToEncrypt;
			pubEncryptedData += rsaEncryptor.FixedCiphertextLength();
		}
		Assert( 0 == cubPlaintextData );		// should have no remaining plaintext to encrypt
		*pcubEncryptedData = cubCipherText;

		bRet = true;
	}
	catch ( Exception e ) 
	{
		DMsg( SPEW_CRYPTO, 2, "CCrypto::RSAEncrypt: Encrypt() threw exception %s (%d)\n",
			e.what(), e.GetErrorType() );
	}

	return bRet;
}


//-----------------------------------------------------------------------------
// Purpose: Decrypts the specified data with the specified RSA private key 
// Input:	pubEncryptedData -	Data to be decrypted
//			cubEncryptedData -	Size of data to be decrypted
//			pubPlaintextData -  Pointer to buffer to receive decrypted data
//			pcubPlaintextData - Pointer to a variable that at time of call contains the size of
//								the receive buffer for decrypted data.  When the method returns, this will contain
//								the actual size of the decrypted data.
//			pubPrivateKey -		the RSA private key key to decrypt the data with
//			cubPrivateKey -		Size of the key (must be k_nSymmetricKeyLen)
// Output:  true if successful, false if decryption failed
//-----------------------------------------------------------------------------
bool CCrypto::RSADecrypt( const uint8 *pubEncryptedData, uint32 cubEncryptedData, 
						  uint8 *pubPlaintextData, uint32 *pcubPlaintextData, 
						  const uint8 *pubPrivateKey, const uint32 cubPrivateKey )
{
	VPROF_BUDGET( "CCrypto::RSADecrypt", VPROF_BUDGETGROUP_ENCRYPTION );
	bool bRet = false;

	Assert( cubEncryptedData > 0 );	// must pass in some data

	try		// handle any exceptions crypto++ may throw
	{
		StringSource stringSourcePrivateKey( pubPrivateKey, cubPrivateKey, true );
		RSAES_OAEP_SHA_Decryptor rsaDecryptor( stringSourcePrivateKey );

		// calculate how many blocks of decryption will we need to do
		AssertFatal( rsaDecryptor.FixedCiphertextLength() <= ULONG_MAX );
		uint32 cubFixedCiphertextLength = (uint32)rsaDecryptor.FixedCiphertextLength();
		// Ensure encrypted data is valid and has length that is exact multiple of 128 bytes
		if ( 0 != ( cubEncryptedData % cubFixedCiphertextLength ) )
		{
			DMsg( SPEW_CRYPTO, 2, "CCrypto::RSADecrypt: invalid ciphertext length %d, needs to be a multiple of %d\n",
				cubEncryptedData, cubFixedCiphertextLength );
			return false;
		}
		uint32 cBlocks = cubEncryptedData / cubFixedCiphertextLength;

		// calculate how big the maximum output will be
		size_t cubMaxPlaintext = rsaDecryptor.MaxPlaintextLength( rsaDecryptor.FixedCiphertextLength() );
		AssertFatal( cubMaxPlaintext <= ULONG_MAX / cBlocks );
		uint32 cubPlaintextDataMax = cBlocks * (uint32)cubMaxPlaintext;
		Assert( cubPlaintextDataMax > 0 );
		// ensure there is sufficient room in output buffer for result
		if ( cubPlaintextDataMax >= ( *pcubPlaintextData ) )
		{
			AssertMsg2( false, "CCrypto::RSADecrypt: insufficient output buffer for decryption, needed %d got %d\n",
						cubPlaintextDataMax, *pcubPlaintextData );
			return false;
		}

		// decrypt the data, using as many blocks as required
		CPoolAllocatedRNG rng;
		uint32 cubPlaintextData = 0;
		for ( uint32 nBlock = 0; nBlock < cBlocks; nBlock++ )
		{
			// decrypt one block (always of fixed size)
			int cubToDecrypt = cubFixedCiphertextLength;
			DecodingResult decodingResult = rsaDecryptor.Decrypt( rng.GetRNG(), pubEncryptedData, cubToDecrypt, pubPlaintextData );
			if ( !decodingResult.isValidCoding )
			{
				DMsg( SPEW_CRYPTO, 2, "CCrypto::RSADecrypt: failed to decrypt\n" );
				return false;
			}
			// adjust input and output pointers and remaining encrypted byte count
			pubEncryptedData += cubToDecrypt;
			cubEncryptedData -= cubToDecrypt;
			pubPlaintextData += decodingResult.messageLength;
			AssertFatal( decodingResult.messageLength <= ULONG_MAX );
			cubPlaintextData += (uint32)decodingResult.messageLength;
		}
		Assert( 0 == cubEncryptedData );	// should have no remaining encrypted data to decrypt
		*pcubPlaintextData = cubPlaintextData;

		bRet = true;
	}
	catch ( Exception e ) 
	{
		DMsg( SPEW_CRYPTO, 2, "CCrypto::RSADecrypt: Decrypt() threw exception %s (%d)\n",
			e.what(), e.GetErrorType() );
	}

	return bRet;
}


//-----------------------------------------------------------------------------
// Purpose: Decrypts the specified data with the specified RSA PUBLIC key,
//			using no padding (eg un-padded signature).
// Input:	pubEncryptedData -	Data to be decrypted
//			cubEncryptedData -	Size of data to be decrypted
//			pubPlaintextData -  Pointer to buffer to receive decrypted data
//			pcubPlaintextData - Pointer to a variable that at time of call contains the size of
//								the receive buffer for decrypted data.  When the method returns, this will contain
//								the actual size of the decrypted data.
//			pubPublicKey -		the RSA public key key to decrypt the data with
//			cubPublicKey -		Size of the key
// Output:  true if successful, false if decryption failed
//-----------------------------------------------------------------------------
bool CCrypto::RSAPublicDecrypt_NoPadding( const uint8 *pubEncryptedData, uint32 cubEncryptedData, 
						 uint8 *pubPlaintextData, uint32 *pcubPlaintextData, 
						 const uint8 *pubPublicKey, const uint32 cubPublicKey )
{
	VPROF_BUDGET( "CCrypto::RSADecrypt", VPROF_BUDGETGROUP_ENCRYPTION );
	bool bRet = false;

	Assert( cubEncryptedData > 0 );	// must pass in some data

	// BUGBUG taylor
	// This probably only works for reasonably small ciphertext sizes.

	try		// handle any exceptions crypto++-5.2 may throw
	{
		StringSource stringSourcePublicKey( pubPublicKey, cubPublicKey, true );

		// 1. We need to use a Verifier because a Decryptor expects a private key,
		// which is encoded differently
		// 2. We are using neither PKCS1v15 padding nor SHA in any way, we are simply
		// using this object as a means of instantiating the key decryption function
		RSASSA_PKCS1v15_SHA_Verifier pub( stringSourcePublicKey );

		// Ask for the data to be decrypted
		// Caveat: this may "succeed" even if the ciphertext is bogus, so it
		// is up to the caller to do any MAC or other sanity checking
		Integer x = pub.AccessKey().ApplyFunction(Integer(pubEncryptedData, cubEncryptedData));

		// Result is an 'Integer', essentially a string of bytes for our
		// purposes though.
		uint32 nBytes = x.ByteCount();
		if ( nBytes > *pcubPlaintextData )
		{
			return false;
		}

		// don't tell it to encode to the full buffer size, because it will
		// pre-pad with zeros. Just squeeze it in to the first nBytes of the
		// buffer.
		x.Encode( pubPlaintextData, nBytes );
		*pcubPlaintextData = nBytes;

		bRet = true;
	}
	catch ( Exception e ) 
	{
		DMsg( SPEW_CRYPTO, 2, "CCrypto::RSAPublicDecrypt_NoPadding: Decrypt() threw exception %s (%d)\n",
			e.what(), e.GetErrorType() );
	}

	return bRet;
}


//-----------------------------------------------------------------------------
// Purpose: Generates an RSA signature block for the specified data with the specified
//			RSA private key.  The signature can be verified by calling RSAVerifySignature
//			with the RSA public key.
// Input:	pubData -			Data to be signed
//			cubData -			Size of data to be signed
//			pubSignature -		Pointer to buffer to receive signature block
//			pcubSignature -		Pointer to a variable that at time of call contains the size of
//								the pubSignature buffer.  When the method returns, this will contain
//								the actual size of the signature block
//			pubPrivateKey -		The RSA private key to use to sign the data
//			cubPrivateKey -		Size of the key
// Output:  true if successful, false if signature failed
//-----------------------------------------------------------------------------
bool CCrypto::RSASign( const uint8 *pubData, const uint32 cubData, 
					   uint8 *pubSignature, uint32 *pcubSignature,
					   const uint8 *pubPrivateKey, const uint32 cubPrivateKey )
{
	VPROF_BUDGET( "CCrypto::RSASign", VPROF_BUDGETGROUP_ENCRYPTION );
	Assert( pubData );
	Assert( pubPrivateKey );
	Assert( cubPrivateKey > 0 );
	Assert( pubSignature );
	Assert( pcubSignature );
	bool bRet = false;
	try		// handle any exceptions crypto++ may throw
	{
		StringSource stringSourcePrivateKey( pubPrivateKey, cubPrivateKey, true );
		RSASSA_PKCS1v15_SHA_Signer rsaSigner( stringSourcePrivateKey );
		CPoolAllocatedRNG rng;
		size_t len = rsaSigner.SignMessage( rng.GetRNG(), (byte *)pubData, cubData, pubSignature );
		AssertFatal( len <= ULONG_MAX );
		*pcubSignature = (uint32)len;
		bRet = true;
	}
	catch ( Exception e ) 
	{
		DMsg( SPEW_CRYPTO, 2, "CCrypto::RSASign: SignMessage threw exception %s (%d)\n",
			e.what(), e.GetErrorType() );
	}

	return bRet;
}


//-----------------------------------------------------------------------------
// Purpose: Verifies that signature block is authentic for given data & RSA public key
// Input:	pubData -			Data that was signed
//			cubData -			Size of data that was signed signed
//			pubSignature -		Signature block
//			cubSignature -		Size of signature block
//			pubPublicKey -		The RSA public key to use to verify the signature 
//								(must be from same pair as RSA private key used to generate signature)
//			cubPublicKey -		Size of the key
// Output:  true if successful and signature is authentic, false if signature does not match or other error
//-----------------------------------------------------------------------------
bool CCrypto::RSAVerifySignature( const uint8 *pubData, const uint32 cubData, 
								  const uint8 *pubSignature, const uint32 cubSignature, 
								  const uint8 *pubPublicKey, const uint32 cubPublicKey )
{
	VPROF_BUDGET( "CCrypto::RSAVerifySignature", VPROF_BUDGETGROUP_ENCRYPTION );
	Assert( pubData );
	Assert( pubSignature );
	Assert( pubPublicKey );

	bool bRet = false;	
	try		// handle any exceptions crypto++ may throw
	{
		StringSource stringSourcePublicKey( pubPublicKey, cubPublicKey, true );
		RSASSA_PKCS1v15_SHA_Verifier pub( stringSourcePublicKey );
		bRet = pub.VerifyMessage( pubData, cubData, pubSignature, cubSignature );
	}
	catch ( Exception e ) 
	{
		DMsg( SPEW_CRYPTO, 2, "CCrypto::RSASign: VerifyMessage threw exception %s (%d)\n",
			e.what(), e.GetErrorType() );
	}

	return bRet;
}

//-----------------------------------------------------------------------------
// Purpose: Generates an RSA signature block for the specified data with the specified
//			RSA private key.  The signature can be verified by calling RSAVerifySignature
//			with the RSA public key.
// Input:	pubData -			Data to be signed
//			cubData -			Size of data to be signed
//			pubSignature -		Pointer to buffer to receive signature block
//			pcubSignature -		Pointer to a variable that at time of call contains the size of
//								the pubSignature buffer.  When the method returns, this will contain
//								the actual size of the signature block
//			pubPrivateKey -		The RSA private key to use to sign the data
//			cubPrivateKey -		Size of the key
// Output:  true if successful, false if signature failed
//-----------------------------------------------------------------------------
bool CCrypto::RSASignSHA256( const uint8 *pubData, const uint32 cubData, 
					   uint8 *pubSignature, uint32 *pcubSignature,
					   const uint8 *pubPrivateKey, const uint32 cubPrivateKey )
{
	VPROF_BUDGET( "CCrypto::RSASign", VPROF_BUDGETGROUP_ENCRYPTION );
	Assert( pubData );
	Assert( pubPrivateKey );
	Assert( cubPrivateKey > 0 );
	Assert( pubSignature );
	Assert( pcubSignature );
	bool bRet = false;
	try		// handle any exceptions crypto++ may throw
	{
		StringSource stringSourcePrivateKey( pubPrivateKey, cubPrivateKey, true );
		RSASS<PKCS1v15, SHA256>::Signer rsaSigner( stringSourcePrivateKey );
		CPoolAllocatedRNG rng;
		size_t len = rsaSigner.SignMessage( rng.GetRNG(), (byte *)pubData, cubData, pubSignature );
		AssertFatal( len <= ULONG_MAX );
		*pcubSignature = (uint32)len;
		bRet = true;
	}
	catch ( Exception e ) 
	{
		DMsg( SPEW_CRYPTO, 2, "CCrypto::RSASign: SignMessage threw exception %s (%d)\n",
			e.what(), e.GetErrorType() );
	}

	return bRet;
}


//-----------------------------------------------------------------------------
// Purpose: Verifies that signature block is authentic for given data & RSA public key
// Input:	pubData -			Data that was signed
//			cubData -			Size of data that was signed signed
//			pubSignature -		Signature block
//			cubSignature -		Size of signature block
//			pubPublicKey -		The RSA public key to use to verify the signature 
//								(must be from same pair as RSA private key used to generate signature)
//			cubPublicKey -		Size of the key
// Output:  true if successful and signature is authentic, false if signature does not match or other error
//-----------------------------------------------------------------------------
bool CCrypto::RSAVerifySignatureSHA256( const uint8 *pubData, const uint32 cubData, 
								  const uint8 *pubSignature, const uint32 cubSignature, 
								  const uint8 *pubPublicKey, const uint32 cubPublicKey )
{
	VPROF_BUDGET( "CCrypto::RSAVerifySignature", VPROF_BUDGETGROUP_ENCRYPTION );
	Assert( pubData );
	Assert( pubSignature );
	Assert( pubPublicKey );

	bool bRet = false;	
	try		// handle any exceptions crypto++ may throw
	{
		StringSource stringSourcePublicKey( pubPublicKey, cubPublicKey, true );
		RSASS<PKCS1v15, SHA256>::Verifier pub( stringSourcePublicKey );
		bRet = pub.VerifyMessage( pubData, cubData, pubSignature, cubSignature );
	}
	catch ( Exception e ) 
	{
		DMsg( SPEW_CRYPTO, 2, "CCrypto::RSASign: VerifyMessage threw exception %s (%d)\n",
			e.what(), e.GetErrorType() );
	}

	return bRet;
}


//-----------------------------------------------------------------------------
// Purpose: Hex-encodes a block of data.  (Binary -> text representation.)  The output
//			is null-terminated and can be treated as a string.
// Input:	pubData -			Data to encode
//			cubData -			Size of data to encode
//			pchEncodedData -	Pointer to string buffer to store output in
//			cchEncodedData -	Size of pchEncodedData buffer
//-----------------------------------------------------------------------------
bool CCrypto::HexEncode( const uint8 *pubData, const uint32 cubData, char *pchEncodedData, uint32 cchEncodedData )
{
	VPROF_BUDGET( "CCrypto::HexEncode", VPROF_BUDGETGROUP_ENCRYPTION );
	Assert( pubData );
	Assert( cubData );
	Assert( pchEncodedData );
	Assert( cchEncodedData > 0 );

	if ( cchEncodedData < ( ( cubData * 2 ) + 1 ) )
	{
		Assert( cchEncodedData >= ( cubData * 2 ) + 1 );  // expands to 2x input + NULL, must have room in output buffer
		*pchEncodedData = '\0';
		return false;
	}

	ArraySink * pArraySinkOutput = new ArraySink( (byte *) pchEncodedData, cchEncodedData );
	// Note: HexEncoder now owns the pointer to pOutputSink and will free it when the encoder goes out of scope and destructs
	HexEncoder hexEncoder( pArraySinkOutput );
	hexEncoder.Put( pubData, cubData );
	hexEncoder.MessageEnd();

	uint32 len = pArraySinkOutput->TotalPutLength();
	if ( len >= cchEncodedData )
	{
		AssertMsg2( false, "CCrypto::HexEncode: insufficient output buffer for encoding, needed %d got %d\n",
					len, cchEncodedData );
		return false;
	}

	pchEncodedData[len] = 0;	// NULL-terminate
	return true;
}


//-----------------------------------------------------------------------------
// Purpose: Hex-decodes a block of data.  (Text -> binary representation.)  
// Input:	pchData -			Null-terminated hex-encoded string 
//			pubDecodedData -	Pointer to buffer to store output in
//			pcubDecodedData -	Pointer to variable that contains size of
//								output buffer.  At exit, is filled in with actual size
//								of decoded data.
//-----------------------------------------------------------------------------
bool CCrypto::HexDecode( const char *pchData, uint8 *pubDecodedData, uint32 *pcubDecodedData )
{
	VPROF_BUDGET( "CCrypto::HexDecode", VPROF_BUDGETGROUP_ENCRYPTION );
	Assert( pchData );
	Assert( pubDecodedData );
	Assert( pcubDecodedData );
	Assert( *pcubDecodedData );

	ArraySink * pArraySinkOutput = new ArraySink( pubDecodedData, *pcubDecodedData );
	// Note: HexEncoder now owns the pointer to pOutputSink and will free it when the encoder goes out of scope and destructs
	HexDecoder hexDecoder( pArraySinkOutput );
	hexDecoder.Put( (byte *) pchData, Q_strlen( pchData ) );
	hexDecoder.MessageEnd();

	uint32 len = pArraySinkOutput->TotalPutLength();
	if ( len > *pcubDecodedData )
	{
		AssertMsg2( false, "CCrypto::HexDecode: insufficient output buffer for decoding, needed %d got %d\n",
					len, *pcubDecodedData );
		return false;
	}
	*pcubDecodedData = len;

	return true;
}


static const int k_LineBreakEveryNGroups = 18; // line break every 18 groups of 4 characters (every 72 characters)

//-----------------------------------------------------------------------------
// Purpose: Returns the expected buffer size that should be passed to Base64Encode.
// Input:	cubData -			Size of data to encode
//			bInsertLineBreaks -	If line breaks should be inserted automatically
//-----------------------------------------------------------------------------
uint32 CCrypto::Base64EncodeMaxOutput( const uint32 cubData, const char *pszLineBreak )
{
	// terminating null + 4 chars per 3-byte group + line break after every 18 groups (72 output chars) + final line break
	uint32 nGroups = (cubData+2)/3;
	str_size cchRequired = 1 + nGroups*4 + ( pszLineBreak ? Q_strlen(pszLineBreak)*(1+(nGroups-1)/k_LineBreakEveryNGroups) : 0 );
	return cchRequired;
}


//-----------------------------------------------------------------------------
// Purpose: Base64-encodes a block of data.  (Binary -> text representation.)  The output
//			is null-terminated and can be treated as a string.
// Input:	pubData -			Data to encode
//			cubData -			Size of data to encode
//			pchEncodedData -	Pointer to string buffer to store output in
//			cchEncodedData -	Size of pchEncodedData buffer
//			bInsertLineBreaks -	If "\n" line breaks should be inserted automatically
//-----------------------------------------------------------------------------
bool CCrypto::Base64Encode( const uint8 *pubData, uint32 cubData, char *pchEncodedData, uint32 cchEncodedData, bool bInsertLineBreaks )
{
	const char *pszLineBreak = bInsertLineBreaks ? "\n" : NULL;
	uint32 cchRequired = Base64EncodeMaxOutput( cubData, pszLineBreak );
	(void)cchRequired;
	AssertMsg2( cchEncodedData >= cchRequired, "CCrypto::Base64Encode: insufficient output buffer for encoding, needed %d got %d\n", cchRequired, cchEncodedData );
	return Base64Encode( pubData, cubData, pchEncodedData, &cchEncodedData, pszLineBreak );
}

//-----------------------------------------------------------------------------
// Purpose: Base64-encodes a block of data.  (Binary -> text representation.)  The output
//			is null-terminated and can be treated as a string.
// Input:	pubData -			Data to encode
//			cubData -			Size of data to encode
//			pchEncodedData -	Pointer to string buffer to store output in
//			pcchEncodedData -	Pointer to size of pchEncodedData buffer; adjusted to number of characters written (before NULL)
//			pszLineBreak -		String to be inserted every 72 characters; empty string or NULL pointer for no line breaks
// Note: if pchEncodedData is NULL and *pcchEncodedData is zero, *pcchEncodedData is filled with the actual required length
// for output. A simpler approximation for maximum output size is (cubData * 4 / 3) + 5 if there are no linebreaks.
//-----------------------------------------------------------------------------
bool CCrypto::Base64Encode( const uint8 *pubData, uint32 cubData, char *pchEncodedData, uint32* pcchEncodedData, const char *pszLineBreak )
{
	VPROF_BUDGET( "CCrypto::Base64Encode", VPROF_BUDGETGROUP_ENCRYPTION );
	
	if ( pchEncodedData == NULL )
	{
		AssertMsg( *pcchEncodedData == 0, "NULL output buffer with non-zero size passed to Base64Encode" );
		*pcchEncodedData = Base64EncodeMaxOutput( cubData, pszLineBreak );
		return true;
	}
	
	const uint8 *pubDataEnd = pubData + cubData;
	char *pchEncodedDataStart = pchEncodedData;
	str_size unLineBreakLen = pszLineBreak ? Q_strlen( pszLineBreak ) : 0;
	int nNextLineBreak = unLineBreakLen ? k_LineBreakEveryNGroups : INT_MAX;

	const char * const pszBase64Chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

	uint32 cchEncodedData = *pcchEncodedData;
	if ( cchEncodedData == 0 )
		goto out_of_space;

	--cchEncodedData; // pre-decrement for the terminating null so we don't forget about it

	// input 3 x 8-bit, output 4 x 6-bit
	while ( pubDataEnd - pubData >= 3 )
	{
		if ( cchEncodedData < 4 + unLineBreakLen )
			goto out_of_space;
		
		if ( nNextLineBreak == 0 )
		{
			memcpy( pchEncodedData, pszLineBreak, unLineBreakLen );
			pchEncodedData += unLineBreakLen;
			cchEncodedData -= unLineBreakLen;
			nNextLineBreak = k_LineBreakEveryNGroups;
		}

		uint32 un24BitsData;
		un24BitsData  = (uint32) pubData[0] << 16;
		un24BitsData |= (uint32) pubData[1] << 8;
		un24BitsData |= (uint32) pubData[2];
		pubData += 3;

		pchEncodedData[0] = pszBase64Chars[ (un24BitsData >> 18) & 63 ];
		pchEncodedData[1] = pszBase64Chars[ (un24BitsData >> 12) & 63 ];
		pchEncodedData[2] = pszBase64Chars[ (un24BitsData >>  6) & 63 ];
		pchEncodedData[3] = pszBase64Chars[ (un24BitsData      ) & 63 ];
		pchEncodedData += 4;
		cchEncodedData -= 4;
		--nNextLineBreak;
	}

	// Clean up remaining 1 or 2 bytes of input, pad output with '='
	if ( pubData != pubDataEnd )
	{
		if ( cchEncodedData < 4 + unLineBreakLen )
			goto out_of_space;

		if ( nNextLineBreak == 0 )
		{
			memcpy( pchEncodedData, pszLineBreak, unLineBreakLen );
			pchEncodedData += unLineBreakLen;
			cchEncodedData -= unLineBreakLen;
		}

		uint32 un24BitsData;
		un24BitsData = (uint32) pubData[0] << 16;
		if ( pubData+1 != pubDataEnd )
		{
			un24BitsData |= (uint32) pubData[1] << 8;
		}
		pchEncodedData[0] = pszBase64Chars[ (un24BitsData >> 18) & 63 ];
		pchEncodedData[1] = pszBase64Chars[ (un24BitsData >> 12) & 63 ];
		pchEncodedData[2] = pubData+1 != pubDataEnd ? pszBase64Chars[ (un24BitsData >> 6) & 63 ] : '=';
		pchEncodedData[3] = '=';
		pchEncodedData += 4;
		cchEncodedData -= 4;
	}

	if ( unLineBreakLen )
	{
		if ( cchEncodedData < unLineBreakLen )
			goto out_of_space;
		memcpy( pchEncodedData, pszLineBreak, unLineBreakLen );
		pchEncodedData += unLineBreakLen;
		cchEncodedData -= unLineBreakLen;
	}

	*pchEncodedData = 0;
	*pcchEncodedData = pchEncodedData - pchEncodedDataStart;
	return true;

out_of_space:
	*pchEncodedData = 0;
	*pcchEncodedData = Base64EncodeMaxOutput( cubData, pszLineBreak );
	AssertMsg( false, "CCrypto::Base64Encode: insufficient output buffer (up to n*4/3+5 bytes required, plus linebreaks)" );
	return false;
}


//-----------------------------------------------------------------------------
// Purpose: Base64-decodes a block of data.  (Text -> binary representation.)  
// Input:	pchData -			Null-terminated hex-encoded string 
//			pubDecodedData -	Pointer to buffer to store output in
//			pcubDecodedData -	Pointer to variable that contains size of
//								output buffer.  At exit, is filled in with actual size
//								of decoded data.
// Note: if NULL is passed as the output buffer and *pcubDecodedData is zero, the function
// will calculate the actual required size and place it in *pcubDecodedData. A simpler upper
// bound on the required size is ( strlen(pchData)*3/4 + 1 ).
//-----------------------------------------------------------------------------
bool CCrypto::Base64Decode( const char *pchData, uint8 *pubDecodedData, uint32 *pcubDecodedData, bool bIgnoreInvalidCharacters )
{
	return Base64Decode( pchData, ~0u, pubDecodedData, pcubDecodedData, bIgnoreInvalidCharacters );
}

//-----------------------------------------------------------------------------
// Purpose: Base64-decodes a block of data.  (Text -> binary representation.)  
// Input:	pchData -			base64-encoded string, null terminated
//			cchDataMax -		maximum length of string unless a null is encountered first
//			pubDecodedData -	Pointer to buffer to store output in
//			pcubDecodedData -	Pointer to variable that contains size of
//								output buffer.  At exit, is filled in with actual size
//								of decoded data.
// Note: if NULL is passed as the output buffer and *pcubDecodedData is zero, the function
// will calculate the actual required size and place it in *pcubDecodedData. A simpler upper
// bound on the required size is ( strlen(pchData)*3/4 + 2 ).
//-----------------------------------------------------------------------------
bool CCrypto::Base64Decode( const char *pchData, uint32 cchDataMax, uint8 *pubDecodedData, uint32 *pcubDecodedData, bool bIgnoreInvalidCharacters )
{
	VPROF_BUDGET( "CCrypto::Base64Decode", VPROF_BUDGETGROUP_ENCRYPTION );
	
	uint32 cubDecodedData = *pcubDecodedData;
	uint32 cubDecodedDataOrig = cubDecodedData;

	if ( pubDecodedData == NULL )
	{
		AssertMsg( *pcubDecodedData == 0, "NULL output buffer with non-zero size passed to Base64Decode" );
		cubDecodedDataOrig = cubDecodedData = ~0u;
	}
	
	// valid base64 character range: '+' (0x2B) to 'z' (0x7A)
	// table entries are 0-63, -1 for invalid entries, -2 for '='
	static const char rgchInvBase64[] = {
		62, -1, -1, -1, 63, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61,
		-1, -1, -1, -2, -1, -1, -1,  0,  1,  2,  3,  4,  5,  6,  7,
		 8,  9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22,
		23, 24, 25, -1, -1, -1, -1, -1, -1, 26, 27, 28, 29, 30, 31,
		32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46,
		47, 48, 49, 50, 51
	};
	COMPILE_TIME_ASSERT( Q_ARRAYSIZE(rgchInvBase64) == 0x7A - 0x2B + 1 );

	uint32 un24BitsWithSentinel = 1;
	while ( cchDataMax-- > 0 )
	{
		char c = *pchData++;

		if ( (uint8)(c - 0x2B) >= Q_ARRAYSIZE( rgchInvBase64 ) )
		{
			if ( c == '\0' )
				break;

			if ( !bIgnoreInvalidCharacters && !( c == '\r' || c == '\n' || c == '\t' || c == ' ' ) )
				goto decode_failed;
			else
				continue;
		}

		c = rgchInvBase64[(uint8)(c - 0x2B)];
		if ( c < 0 )
		{
			if ( c == -2 ) // -2 -> terminating '='
				break;

			if ( !bIgnoreInvalidCharacters )
				goto decode_failed;
			else
				continue;
		}

		un24BitsWithSentinel <<= 6;
		un24BitsWithSentinel |= c;
		if ( un24BitsWithSentinel & (1<<24) )
		{
			if ( cubDecodedData < 3 ) // out of space? go to final write logic
				break;
			if ( pubDecodedData )
			{
				pubDecodedData[0] = (uint8)( un24BitsWithSentinel >> 16 );
				pubDecodedData[1] = (uint8)( un24BitsWithSentinel >> 8);
				pubDecodedData[2] = (uint8)( un24BitsWithSentinel );
				pubDecodedData += 3;
			}
			cubDecodedData -= 3;
			un24BitsWithSentinel = 1;
		}
	}

	// If un24BitsWithSentinel contains data, output the remaining full bytes
	if ( un24BitsWithSentinel >= (1<<6) )
	{
		// Possibilities are 3, 2, 1, or 0 full output bytes.
		int nWriteBytes = 3;
		while ( un24BitsWithSentinel < (1<<24) )
		{
			nWriteBytes--;
			un24BitsWithSentinel <<= 6;
		}

		// Write completed bytes to output
		while ( nWriteBytes-- > 0 )
		{
			if ( cubDecodedData == 0 )
			{
				AssertMsg( false, "CCrypto::Base64Decode: insufficient output buffer (up to n*3/4+2 bytes required)" );
				goto decode_failed;
			}
			if ( pubDecodedData )
			{
				*pubDecodedData++ = (uint8)(un24BitsWithSentinel >> 16);
			}
			--cubDecodedData;
			un24BitsWithSentinel <<= 8;
		}
	}
	
	*pcubDecodedData = cubDecodedDataOrig - cubDecodedData;
	return true;

decode_failed:
	*pcubDecodedData = cubDecodedDataOrig - cubDecodedData;
	return false;
}


//-----------------------------------------------------------------------------
// Purpose: Generate a SHA1 hash
// Input:	pchInput -			Plaintext string of item to hash (null terminated)
//			pOutDigest -		Pointer to receive hashed digest output
//-----------------------------------------------------------------------------
bool CCrypto::GenerateSHA1Digest( const uint8 *pubInput, const int cubInput, SHADigest_t *pOutDigest )
{
	VPROF_BUDGET( "CCrypto::GenerateSHA1Digest", VPROF_BUDGETGROUP_ENCRYPTION );
	Assert( pubInput );
	Assert( cubInput > 0 );
	Assert( pOutDigest );

	bool bSuccess = true;
	try
	{
		CryptoPP::SHA().CalculateDigest( *pOutDigest, pubInput, cubInput );
	}
	catch(...)
	{
		bSuccess = false;
	}

	return bSuccess;
}


//-----------------------------------------------------------------------------
// Purpose: Generate a hash Salt - be careful, over-writing an existing salt
// will render the hashed value unverifiable.
//-----------------------------------------------------------------------------
bool CCrypto::GenerateSalt( Salt_t *pSalt )
{
	VPROF_BUDGET( "CCrypto::GenerateSalt", VPROF_BUDGETGROUP_ENCRYPTION );
	Assert( pSalt );

	bool bSuccess = true;
	try
	{
		CPoolAllocatedRNG rng;
		rng.GetRNG().GenerateBlock( (byte*)pSalt, sizeof(Salt_t) );
	}
	catch(...)
	{
		bSuccess = false;
	}

	return bSuccess;
}


//-----------------------------------------------------------------------------
// Purpose: Generate a SHA1 hash using a salt.
// Input:	pchInput -			Plaintext string of item to hash (null terminated)
//			pSalt -				Salt
//			pOutDigest -		Pointer to receive salted digest output
//-----------------------------------------------------------------------------
bool CCrypto::GenerateSaltedSHA1Digest( const char *pchInput, const Salt_t *pSalt, SHADigest_t *pOutDigest )
{
	VPROF_BUDGET( "CCrypto::GenerateSaltedSHA1Digest", VPROF_BUDGETGROUP_ENCRYPTION );
	Assert( pchInput );
	Assert( pSalt );
	Assert( pOutDigest );

	int iInputLen = Q_strlen( pchInput );
	uint8 *pubSaltedInput = new uint8[ iInputLen + sizeof( Salt_t ) ];

	// Insert half the salt before the input string and half at the end.
	// This is probably unnecessary (to split the salt) but we're stuck with it for historical reasons.
	uint8 *pubCursor = pubSaltedInput;
	Q_memcpy( pubCursor, (uint8 *)pSalt, sizeof(Salt_t) / 2 );
	pubCursor += sizeof( Salt_t ) / 2;
	Q_memcpy( pubCursor, pchInput, iInputLen );
	pubCursor += iInputLen;
	Q_memcpy( pubCursor, (uint8 *)pSalt + sizeof(Salt_t) / 2, sizeof(Salt_t) / 2 );

	bool bSuccess = true;
	try
	{
		CryptoPP::SHA().CalculateDigest( *pOutDigest, pubSaltedInput, iInputLen + sizeof( Salt_t ) );
	}
	catch(...)
	{
		bSuccess = false;
	}

	delete [] pubSaltedInput;

	return bSuccess;
}


//-----------------------------------------------------------------------------
// Purpose: Generates a random block of data
//-----------------------------------------------------------------------------
bool CCrypto::GenerateRandomBlock( uint8 *pubDest, int cubDest )
{
	CPoolAllocatedRNG rng;
	rng.GetRNG().GenerateBlock( pubDest, cubDest );

	return true;
}


//-----------------------------------------------------------------------------
// Purpose: Generate a keyed-hash MAC using SHA1
// Input:	pubData -			Plaintext data to digest
//			cubData -			length of data
//			pubKey -			key to use in HMAC
//			cubKey -			length of key
//			pOutDigest -		Pointer to receive hashed digest output
//-----------------------------------------------------------------------------
bool CCrypto::GenerateHMAC( const uint8 *pubData, uint32 cubData, const uint8 *pubKey, uint32 cubKey, SHADigest_t *pOutputDigest )
{
	VPROF_BUDGET( "CCrypto::GenerateHMAC", VPROF_BUDGETGROUP_ENCRYPTION );
	Assert( pubData );
	Assert( cubData > 0 );
	Assert( pubKey );
	Assert( cubKey > 0 );
	Assert( pOutputDigest );

	bool bSuccess = true;
	try
	{
		CryptoPP::HMAC< CryptoPP::SHA1 > hmac( pubKey, cubKey );
		hmac.CalculateDigest( *pOutputDigest, pubData, cubData );
	}
	catch(...)
	{
		bSuccess = false;
	}

	return bSuccess;
}


//-----------------------------------------------------------------------------
// Purpose: Generate a keyed-hash MAC using SHA-256
//-----------------------------------------------------------------------------
bool CCrypto::GenerateHMAC256( const uint8 *pubData, uint32 cubData, const uint8 *pubKey, uint32 cubKey, SHA256Digest_t *pOutputDigest )
{
	VPROF_BUDGET( "CCrypto::GenerateHMAC256", VPROF_BUDGETGROUP_ENCRYPTION );
	Assert( pubData );
	Assert( cubData > 0 );
	Assert( pubKey );
	Assert( cubKey > 0 );
	Assert( pOutputDigest );

	bool bSuccess = true;
	try
	{
		CryptoPP::HMAC< CryptoPP::SHA256 > hmac( pubKey, cubKey );
		hmac.CalculateDigest( *pOutputDigest, pubData, cubData );
	}
	catch(...)
	{
		bSuccess = false;
	}

	return bSuccess;
}


bool CCrypto::BGzipBuffer( const uint8 *pubData, uint32 cubData, CCryptoOutBuffer &bufOutput )
{
	bool bSuccess = true;
	try
	{
		std::string gzip_output;
		StringSource( (byte *)pubData, cubData, true, new Gzip( new StringSink( gzip_output ) ) ); 
		bufOutput.Set( (uint8*)gzip_output.c_str(), (uint32)gzip_output.length() );
	}
	catch( ... )
	{
		bSuccess = false;
	}
	return bSuccess;
}


bool CCrypto::BGunzipBuffer( const uint8 *pubData, uint32 cubData, CCryptoOutBuffer &bufOutput   )
{
	bool bSuccess = true;
	try
	{
		std::string gunzip_output;
		StringSource( (byte *)pubData, cubData, true, new Gunzip( new StringSink( gunzip_output ) ) ); 
		bufOutput.Set( (uint8*)gunzip_output.c_str(), (uint32)gunzip_output.length() );
	}
	catch( ... )
	{
		bSuccess = false;
	}
	return bSuccess;
}


//! These are all needed to get around stack-overflow bug in Initialize()
class HexDecoderTKS : public HexDecoder
{
public:
	HexDecoderTKS(BufferedTransformation *attachment, const int *pnDecodingArray)
		: HexDecoder(attachment) 
	{
		BaseN_Decoder::IsolatedInitialize( MakeParameters( Name::DecodingLookupArray(), pnDecodingArray )( Name::Log2Base(), 4 ) );
	}
};

class Base32DecoderTKS : public Base32Decoder
{
public:
	Base32DecoderTKS(BufferedTransformation *attachment, const int *pnDecodingArray)
		: Base32Decoder(attachment)
	{
		BaseN_Decoder::IsolatedInitialize( MakeParameters( Name::DecodingLookupArray(), pnDecodingArray )( Name::Log2Base(), 5 ) );
	}
};


//-----------------------------------------------------------------------------
// Purpose: Implement hex encoding / decoding using a custom lookup table.
//			This is a class because the decoding is done via a generated 
//			reverse-lookup table, and to save time it's best to just create
//			that table once.
//-----------------------------------------------------------------------------
CCustomHexEncoder::CCustomHexEncoder( const char *pchEncodingTable )
{
	m_bValidEncoding = false;
	if ( Q_strlen( pchEncodingTable ) == sizeof( m_rgubEncodingTable ) )
	{
		Q_memcpy( m_rgubEncodingTable, pchEncodingTable, sizeof( m_rgubEncodingTable ) );

		BaseN_Decoder::InitializeDecodingLookupArray( m_rgnDecodingTable, m_rgubEncodingTable, 16, false );
		m_bValidEncoding = true;
	}
	else
	{
		AssertMsg( false, "CCrypto::CustomHexEncoder: Improper encoding table\n" );
	}
}


//-----------------------------------------------------------------------------
// Purpose: Destructor
//-----------------------------------------------------------------------------
CCustomHexEncoder::~CCustomHexEncoder()
{
}


//-----------------------------------------------------------------------------
// Purpose: Hex-encodes a block of data.  (Binary -> text representation.)  The output
//			is null-terminated and can be treated as a string.
//			Uses the supplied custom encoding characters
// Input:	pubData -			Data to encode
//			cubData -			Size of data to encode
//			pchEncodedData -	Pointer to string buffer to store output in
//			cchEncodedData -	Size of pchEncodedData buffer
//-----------------------------------------------------------------------------
bool CCustomHexEncoder::Encode( const uint8 *pubData, const uint32 cubData, char *pchEncodedData, uint32 cchEncodedData )
{
	VPROF_BUDGET( "CCrypto::CustomHexEncode", VPROF_BUDGETGROUP_ENCRYPTION );
	Assert( pubData );
	Assert( cubData );
	Assert( pchEncodedData );
	Assert( cchEncodedData > 0 );

	if ( !m_bValidEncoding )
		return false;

	ArraySink * pArraySinkOutput = new ArraySink( (byte *) pchEncodedData, cchEncodedData );
	// Note: HexEncoder now owns the pointer to pOutputSink and will free it when the encoder goes out of scope and destructs
	HexEncoder hexEncoder( pArraySinkOutput );
	hexEncoder.IsolatedInitialize( MakeParameters( Name::EncodingLookupArray(), (const uint8 *)m_rgubEncodingTable ) );
	hexEncoder.Put( pubData, cubData );
	hexEncoder.MessageEnd();

	uint32 len = pArraySinkOutput->TotalPutLength();
	pchEncodedData[len] = 0;	// NULL-terminate
	if ( len >= cchEncodedData )
	{
		AssertMsg2( false, "CCrypto::CustomHexEncode: insufficient output buffer for encoding, needed %d got %d\n",
			len, cchEncodedData );
		return false;
	}

	return true;
}


//-----------------------------------------------------------------------------
// Purpose: Hex-decodes a block of data.  (Text -> binary representation.)  
//			With custom encoding-table
// Input:	pchData -			Null-terminated hex-encoded string 
//			pubDecodedData -	Pointer to buffer to store output in
//			pcubDecodedData -	Pointer to variable that contains size of
//								output buffer.  At exit, is filled in with actual size
//								of decoded data.
//-----------------------------------------------------------------------------
bool CCustomHexEncoder::Decode( const char *pchData, uint8 *pubDecodedData, uint32 *pcubDecodedData )
{
	VPROF_BUDGET( "CCrypto::CustomHexDecode", VPROF_BUDGETGROUP_ENCRYPTION );
	Assert( pchData );
	Assert( pubDecodedData );
	Assert( pcubDecodedData );
	Assert( *pcubDecodedData );

	if ( !m_bValidEncoding )
		return false;

	ArraySink * pArraySinkOutput = new ArraySink( pubDecodedData, *pcubDecodedData );
	// Note: HexEncoder now owns the pointer to pOutputSink and will free it when the encoder goes out of scope and destructs
	HexDecoderTKS hexDecoder( pArraySinkOutput, (const int *)m_rgnDecodingTable );
	hexDecoder.Put( (byte *) pchData, Q_strlen( pchData ) );
	hexDecoder.MessageEnd();

	uint32 len = pArraySinkOutput->TotalPutLength();
	if ( len > *pcubDecodedData )
	{
		AssertMsg2( false, "CCrypto::CustomHexDecode: insufficient output buffer for decoding, needed %d got %d\n",
			len, *pcubDecodedData );
		return false;
	}
	*pcubDecodedData = len;

	return true;
}


//-----------------------------------------------------------------------------
// Purpose: Implement hex encoding / decoding using a custom lookup table.
//			This is a class because the decoding is done via a generated 
//			reverse-lookup table, and to save time it's best to just create
//			that table once.
//-----------------------------------------------------------------------------
CCustomBase32Encoder::CCustomBase32Encoder( const char *pchEncodingTable )
{
	m_bValidEncoding = false;
	if ( Q_strlen( pchEncodingTable ) == sizeof( m_rgubEncodingTable ) )
	{
		Q_memcpy( m_rgubEncodingTable, pchEncodingTable, sizeof( m_rgubEncodingTable ) );

		BaseN_Decoder::InitializeDecodingLookupArray( m_rgnDecodingTable, m_rgubEncodingTable, 32, false );
		m_bValidEncoding = true;
	}
	else
	{
		AssertMsg( false, "CCrypto::CustomBase32Encoder: Improper encoding table\n" );
	}
}


//-----------------------------------------------------------------------------
// Purpose: Destructor
//-----------------------------------------------------------------------------
CCustomBase32Encoder::~CCustomBase32Encoder()
{
}


//-----------------------------------------------------------------------------
// Purpose: Base32-encodes a block of data.  (Binary -> text representation.)  The output
//			is null-terminated and can be treated as a string.
//			Uses the supplied custom encoding table
// Input:	pubData -			Data to encode
//			cubData -			Size of data to encode
//			pchEncodedData -	Pointer to string buffer to store output in
//			cchEncodedData -	Size of pchEncodedData buffer
//-----------------------------------------------------------------------------
bool CCustomBase32Encoder::Encode( const uint8 *pubData, const uint32 cubData, char *pchEncodedData, uint32 cchEncodedData )
{
	VPROF_BUDGET( "CCrypto::CustomBase32Encode", VPROF_BUDGETGROUP_ENCRYPTION );
	Assert( pubData );
	Assert( cubData );
	Assert( pchEncodedData );
	Assert( cchEncodedData > 0 );

	if ( !m_bValidEncoding )
		return false;

	ArraySink * pArraySinkOutput = new ArraySink( (byte *) pchEncodedData, cchEncodedData );
	// Note: Base32Encoder now owns the pointer to pOutputSink and will free it when the encoder goes out of scope and destructs
	Base32Encoder base32Encoder( pArraySinkOutput );
	base32Encoder.IsolatedInitialize( MakeParameters( Name::EncodingLookupArray(), (const uint8 *)m_rgubEncodingTable ) );
	base32Encoder.Put( pubData, cubData );
	base32Encoder.MessageEnd();

	uint32 len = pArraySinkOutput->TotalPutLength();
	pchEncodedData[len] = 0;	// NULL-terminate
	if ( len >= cchEncodedData )
	{
		AssertMsg2( false, "CCrypto::CustomBase32Encode: insufficient output buffer for encoding, needed %d got %d\n",
			len, cchEncodedData );
		return false;
	}

	return true;
}


//-----------------------------------------------------------------------------
// Purpose: Base32-decodes a block of data.  (Text -> binary representation.)  
//			With custom encoding table
// Input:	pchData -			Null-terminated hex-encoded string 
//			pubDecodedData -	Pointer to buffer to store output in
//			pcubDecodedData -	Pointer to variable that contains size of
//								output buffer.  At exit, is filled in with actual size
//								of decoded data.
//-----------------------------------------------------------------------------
bool CCustomBase32Encoder::Decode( const char *pchData, uint8 *pubDecodedData, uint32 *pcubDecodedData )
{
	VPROF_BUDGET( "CCrypto::CustomBase32Decode", VPROF_BUDGETGROUP_ENCRYPTION );
	Assert( pchData );
	Assert( pubDecodedData );
	Assert( pcubDecodedData );
	Assert( *pcubDecodedData );

	if ( !m_bValidEncoding )
		return false;

	ArraySink * pArraySinkOutput = new ArraySink( pubDecodedData, *pcubDecodedData );
	// Note: Base32Encoder now owns the pointer to pOutputSink and will free it when the encoder goes out of scope and destructs
	Base32DecoderTKS base32Decoder( pArraySinkOutput, (const int *)m_rgnDecodingTable );
	base32Decoder.Put( (byte *) pchData, Q_strlen( pchData ) );
	base32Decoder.MessageEnd();

	uint32 len = pArraySinkOutput->TotalPutLength();
	if ( len > *pcubDecodedData )
	{
		AssertMsg2( false, "CCrypto::CustomBase32Decode: insufficient output buffer for decoding, needed %d got %d\n",
			len, *pcubDecodedData );
		return false;
	}
	*pcubDecodedData = len;

	return true;
}


//-----------------------------------------------------------------------------
// Purpose: Base32-encodes a block of data.  (Binary -> text representation.)  The output
//			is null-terminated and can be treated as a string.
//			Uses the supplied custom encoding table, and a bit-stream input source
//			(not necessarily an integer number of bytes).
// Input:	pBitStringData -	Data to encode
//			pchEncodedData -	Pointer to string buffer to store output in
//			cchEncodedData -	Size of pchEncodedData buffer
//-----------------------------------------------------------------------------
bool CCustomBase32Encoder::Encode( CSimpleBitString *pBitStringData, char *pchEncodedData, uint32 cchEncodedData )
{
	// This is useful if you have, say, 125 bits of information and
	// want to encode them into 25 base32-encoded characters. 
	uint32 cBits = pBitStringData->GetCurrNumBits();

	uint32 cCharacters = (cBits / 5);
	uint32 cBitsRemainder = cBits % 5;
	if ( cBitsRemainder )
		cCharacters++;

	// GTE because of NULL
	if ( cCharacters >= cchEncodedData )
		return false;

	CSimpleBitString::iterator itBitString( *pBitStringData );
	uint ich = 0;
	for ( ; ich < cCharacters; ++ich )
	{
		uint32 unCodon = itBitString.GetNextBits( 5 );
		// Pad w/ zero bits to integer num codons
		if ( ich == (cCharacters - 1) )
			unCodon <<= cBitsRemainder;

		pchEncodedData[ich] = m_rgubEncodingTable[ unCodon ];
	}

	// NULL
	pchEncodedData[ich] = 0;

	return true;
}


//-----------------------------------------------------------------------------
// Purpose: Base32-decodes a block of data.  (Text -> binary representation.)  
//			With custom encoding table, and a BitString output
// Input:	pchData -				Null-terminated base32-encoded string 
//			pBitStringDecodedData -	Pointer to BitString to receive decoded data
//-----------------------------------------------------------------------------
bool CCustomBase32Encoder::Decode( const char *pchData, CSimpleBitString *pBitStringDecodedData )
{
	// Note: 25 base32-encoded characters contain 125 bits of information.
	// Decoded into a byte buffer, this yields 15 bytes plus 5 bits of padding.
	// Decoded into a CSimpleBitString, it will yield all 125 bits
	while ( *pchData )
	{
		uint32 unData = m_rgnDecodingTable[(unsigned)*pchData++];
		if ( unData == 0xFFFFFFFF )
			return false;

		pBitStringDecodedData->AppendBits( unData, 5 );
	}

	return true;
}

#ifdef DBGFLAG_VALIDATE
//-----------------------------------------------------------------------------
// Purpose: validates memory structures
//-----------------------------------------------------------------------------
void CCrypto::ValidateStatics( CValidator &validator, const char *pchName )
{
	ValidateObj( g_tslistPAutoSeededRNG );
}
#endif // DBGFLAG_VALIDATE


//-----------------------------------------------------------------------------
// Purpose: Given a plaintext password, check whether it matches an existing
// hash
//-----------------------------------------------------------------------------
bool CCrypto::BValidatePasswordHash( const char *pchInput, EPasswordHashAlg hashType, const PasswordHash_t &DigestStored, const Salt_t &Salt, PasswordHash_t *pDigestComputed )
{
	VPROF_BUDGET( "CCrypto::BValidatePasswordHash", VPROF_BUDGETGROUP_ENCRYPTION );

	bool bResult = false;
	size_t cDigest = k_HashLengths[hashType];
	Assert( cDigest != 0 );
	PasswordHash_t tmpDigest;
	PasswordHash_t *pOutputDigest = pDigestComputed;
	if ( pOutputDigest == NULL )
	{
		pOutputDigest = &tmpDigest;
	}

	BGeneratePasswordHash( pchInput, hashType, Salt, *pOutputDigest );
	bResult = ( 0 == Q_memcmp( &DigestStored, pOutputDigest, cDigest ) );

	return bResult;
}

//-----------------------------------------------------------------------------
// Purpose: Given a plaintext password and salt, generate a password hash of 
// the requested type.
//-----------------------------------------------------------------------------
bool CCrypto::BGeneratePasswordHash( const char *pchInput, EPasswordHashAlg hashType, const Salt_t &Salt, PasswordHash_t &OutPasswordHash )
{
	VPROF_BUDGET( "CCrypto::BGeneratePasswordHash", VPROF_BUDGETGROUP_ENCRYPTION );

	bool bResult = false;
	size_t cDigest = k_HashLengths[hashType];

	switch ( hashType )
	{
	case k_EHashSHA1:
		bResult = CCrypto::GenerateSaltedSHA1Digest( pchInput, &Salt, (SHADigest_t *)&OutPasswordHash.sha );
		break;
	case k_EHashBigPassword:
	{
		//
		// This is a fake algorithm to test widening of the column.  It's a salted SHA-1 hash with 0x01 padding
		// on either side of it.
		//
		size_t cDigestSHA1 = k_HashLengths[k_EHashSHA1];
		size_t cPadding = ( cDigest - cDigestSHA1 ) / 2;
		
		AssertMsg( ( ( cDigest - cDigestSHA1 ) % 2 ) == 0, "Invalid hash width for k_EHashBigPassword, needs to be even." );

		CCrypto::GenerateSaltedSHA1Digest( pchInput, &Salt, (SHADigest_t *)( (uint8 *)&OutPasswordHash.bigpassword + cPadding ) );
		Q_memset( (uint8 *)&OutPasswordHash, 0x01, cPadding );
		Q_memset( (uint8 *)&OutPasswordHash + cPadding + cDigestSHA1 , 0x01, cPadding );
		bResult = true;
		break;
	}
	case k_EHashPBKDF2_1000:
		bResult = CCrypto::BGeneratePBKDF2Hash( pchInput, Salt, 1000, OutPasswordHash );
		break;
	case k_EHashPBKDF2_5000:
		bResult = CCrypto::BGeneratePBKDF2Hash( pchInput, Salt, 5000, OutPasswordHash );
		break;
	case k_EHashPBKDF2_10000:
		bResult = CCrypto::BGeneratePBKDF2Hash( pchInput, Salt, 10000, OutPasswordHash );
		break;
	case k_EHashSHA1WrappedWithPBKDF2_10000:
		bResult = CCrypto::BGenerateWrappedSHA1PasswordHash( pchInput, Salt, 10000, OutPasswordHash );
		break;
	default:
		AssertMsg1( false, "Invalid password hash type %u passed to BGeneratePasswordHash\n", hashType );
		bResult = false;
	}

	return bResult;
}

//-----------------------------------------------------------------------------
// Purpose: Given a plaintext password and salt and a count of rounds, generate a PBKDF2 hash
//			with the requested number of rounds.
//-----------------------------------------------------------------------------
bool CCrypto::BGeneratePBKDF2Hash( const char* pchInput, const Salt_t &Salt, unsigned int rounds, PasswordHash_t &OutPasswordHash )
{
	PKCS5_PBKDF2_HMAC<SHA256> pbkdf;

	unsigned int iterations = pbkdf.DeriveKey( (byte *)&OutPasswordHash.pbkdf2, sizeof(OutPasswordHash.pbkdf2), 0, (const byte *)pchInput, Q_strlen(pchInput), (const byte *)&Salt, sizeof(Salt), rounds );

	return ( iterations == rounds );
}


//-----------------------------------------------------------------------------
// Purpose: Given a plaintext password and salt and a count of rounds, generate a SHA1 hash wrapped with
//			a PBKDF2 hash with the specified number of rounds.
//			Used to provide a stronger password hash for accounts that haven't logged in in a while.
//-----------------------------------------------------------------------------
bool CCrypto::BGenerateWrappedSHA1PasswordHash( const char *pchInput, const Salt_t &Salt, unsigned int rounds, PasswordHash_t &OutPasswordHash )
{
	bool bResult;
	bResult = CCrypto::GenerateSaltedSHA1Digest( pchInput, &Salt, (SHADigest_t *)&OutPasswordHash.sha );
	if ( bResult )
	{
		PKCS5_PBKDF2_HMAC<SHA256> pbkdf;
		unsigned int iterations = pbkdf.DeriveKey( (byte *)&OutPasswordHash.pbkdf2, sizeof(OutPasswordHash.pbkdf2), 0, (const byte *)&OutPasswordHash.sha, sizeof(OutPasswordHash.sha), (const byte *)&Salt, sizeof(Salt), rounds );

		bResult = ( iterations == rounds );
	}
	return bResult;
}

//-----------------------------------------------------------------------------
// Purpose: Given an existing password hash and salt, attempt to construct a stronger
//			password hash and return the new hash type.
//
//			Currently the only transformation available is from a SHA1 (or BigPassword)
//			hash to a PBKDF2 hash with 10,000 rounds.  In the future this function
//			may be extended to allow additional transformations.
//-----------------------------------------------------------------------------
bool CCrypto::BUpgradeOrWrapPasswordHash( PasswordHash_t &InPasswordHash, EPasswordHashAlg hashTypeIn, const Salt_t &Salt, PasswordHash_t &OutPasswordHash, EPasswordHashAlg &hashTypeOut )
{
	bool bResult = true;;

	if ( hashTypeIn == k_EHashSHA1 || hashTypeIn == k_EHashBigPassword )
	{
		//
		// Can wrap a SHA1 hash with any PBKDF variant, but right now only 10,000 rounds is
		// implemented.
		//
		if ( hashTypeOut == k_EHashPBKDF2_10000 )
		{
			hashTypeOut = k_EHashSHA1WrappedWithPBKDF2_10000;

			byte * pbHash;
			if ( hashTypeIn == k_EHashSHA1 )
			{
				pbHash = (byte *)&InPasswordHash.sha;
			}
			else
			{
				//
				// Need to unroll BigPasswordHash into unpadded SHA1
				//
				size_t cDigest = k_HashLengths[k_EHashBigPassword];
				size_t cDigestSHA1 = k_HashLengths[k_EHashSHA1];
				size_t cPadding = ( cDigest - cDigestSHA1 ) / 2;

				AssertMsg( ( ( cDigest - cDigestSHA1 ) % 2 ) == 0, "Invalid hash width for k_EHashBigPassword, needs to be even." );
				pbHash = (byte *)&InPasswordHash.sha + cPadding;
			}

			PKCS5_PBKDF2_HMAC<SHA256> pbkdf;
			PasswordHash_t passOut;
			unsigned int iterations = pbkdf.DeriveKey( (byte *)passOut.pbkdf2, sizeof(passOut.pbkdf2), 0, pbHash, k_HashLengths[k_EHashSHA1], (const byte *)&Salt, sizeof(Salt), 10000 );

			bResult = ( iterations == 10000 );
			if ( bResult )
			{
				Q_memcpy( &OutPasswordHash, &passOut, sizeof(OutPasswordHash) );
			}
		}
		else
		{
			Assert( hashTypeOut == k_EHashPBKDF2_10000 );
			bResult = false;
		}
	}
	else
	{
		bResult = false;
		Assert( false );
	}

	return bResult;
}