From 2a3e60f45d6d91f1c3bfcff45f38706cc07ce773 Mon Sep 17 00:00:00 2001
From: Rene Meusel <rene.meusel@rohde-schwarz.com>
Date: Tue, 23 Jan 2024 10:29:02 +0100
Subject: [PATCH] StrongAdapter<> for bitvector

---
 .../pubkey/classic_mceliece/cmce_decaps.cpp   |   3 +-
 .../classic_mceliece/cmce_field_ordering.cpp  |   4 +-
 .../classic_mceliece/cmce_keys_internal.cpp   |   2 +-
 .../pubkey/classic_mceliece/cmce_matrix.cpp   |   4 +-
 src/lib/utils/bitvector.h                     | 218 ++++++++++++++----
 src/tests/test_utils_bitvector.cpp            |  63 ++++-
 6 files changed, 236 insertions(+), 58 deletions(-)

diff --git a/src/lib/pubkey/classic_mceliece/cmce_decaps.cpp b/src/lib/pubkey/classic_mceliece/cmce_decaps.cpp
index 790c22a3ba5..08230b9282c 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_decaps.cpp
+++ b/src/lib/pubkey/classic_mceliece/cmce_decaps.cpp
@@ -92,7 +92,8 @@ std::pair<CT::Mask<uint8_t>, secure_bitvector> Classic_McEliece_Decryptor::decod
    BOTAN_ASSERT(big_c.size() == m_key->params().m() * m_key->params().t(), "Correct ciphertext input size");
    big_c.resize(m_key->params().n());
 
-   auto syndrome = compute_goppa_syndrome(m_key->params(), m_key->g(), m_key->field_ordering(), big_c.as_locked());
+   auto syndrome =
+      compute_goppa_syndrome(m_key->params(), m_key->g(), m_key->field_ordering(), big_c.as<secure_bitvector>());
    auto locator = berlekamp_massey(m_key->params(), syndrome);
 
    std::vector<Classic_McEliece_GF> images;
diff --git a/src/lib/pubkey/classic_mceliece/cmce_field_ordering.cpp b/src/lib/pubkey/classic_mceliece/cmce_field_ordering.cpp
index 386d3f37a91..c80969066dc 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_field_ordering.cpp
+++ b/src/lib/pubkey/classic_mceliece/cmce_field_ordering.cpp
@@ -310,8 +310,8 @@ void Classic_McEliece_Field_Ordering::permute_with_pivots(const Classic_McEliece
    for(size_t p_idx = 1; p_idx <= Classic_McEliece_Parameters::mu(); ++p_idx) {
       size_t p_counter = 0;
       for(size_t col = 0; col < Classic_McEliece_Parameters::nu(); ++col) {
-         auto mask_is_pivot_set = CT::Mask<size_t>::expand(pivots.get().at(col).as<size_t>());
-         p_counter += CT::Mask<size_t>::expand(pivots.get().at(col).as<size_t>()).if_set_return(1);
+         auto mask_is_pivot_set = CT::Mask<size_t>::expand(pivots.at(col).as<size_t>());
+         p_counter += CT::Mask<size_t>::expand(pivots.at(col).as<size_t>()).if_set_return(1);
          auto mask_is_current_pivot = CT::Mask<size_t>::is_equal(p_idx, p_counter);
          (mask_is_pivot_set & mask_is_current_pivot)
             .conditional_swap(m_pi.get().at(col_offset + col), m_pi.get().at(col_offset + p_idx - 1));
diff --git a/src/lib/pubkey/classic_mceliece/cmce_keys_internal.cpp b/src/lib/pubkey/classic_mceliece/cmce_keys_internal.cpp
index 56d0cd42bf2..6e0bc36897c 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_keys_internal.cpp
+++ b/src/lib/pubkey/classic_mceliece/cmce_keys_internal.cpp
@@ -108,7 +108,7 @@ std::shared_ptr<Classic_McEliece_PublicKeyInternal> Classic_McEliece_PublicKeyIn
       throw Decoding_Error("Cannot create public key from private key. Private key is invalid.");
    }
    auto& [pk_matrix, pivot] = pk_matrix_and_pivot.value();
-   if(!pivot.get().subvector(0, pivot.size() / 2).all() || !pivot.get().subvector(pivot.size() / 2).none()) {
+   if(!pivot.subvector(0, pivot.size() / 2).all() || !pivot.subvector(pivot.size() / 2).none()) {
       // There should not be a pivot other than 0xff ff ff ff 00 00 00 00. Otherwise
       // the gauss algorithm failed effectively.
       throw Decoding_Error("Cannot create public key from private key. Private key is invalid.");
diff --git a/src/lib/pubkey/classic_mceliece/cmce_matrix.cpp b/src/lib/pubkey/classic_mceliece/cmce_matrix.cpp
index 3910afaa6ca..eea7185f77d 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_matrix.cpp
+++ b/src/lib/pubkey/classic_mceliece/cmce_matrix.cpp
@@ -121,7 +121,7 @@ std::optional<Column_Selection> move_columns(std::vector<secure_bitvector>& mat,
    for(auto pivot_idx : pivot_indices) {
       for(size_t i = 0; i < Classic_McEliece_Parameters::nu(); ++i) {
          auto mask_is_at_current_idx = Botan::CT::Mask<size_t>::is_equal(i, pivot_idx);
-         pivots.get().at(i) = mask_is_at_current_idx.select(1, pivots.get().at(i).as<size_t>());
+         pivots.at(i) = mask_is_at_current_idx.select(1, pivots.at(i).as<size_t>());
       }
    }
 
@@ -252,6 +252,6 @@ bitvector Classic_McEliece_Matrix::mul(const Classic_McEliece_Parameters& params
    }
 
    BOTAN_ASSERT_NOMSG(pk_slicer.empty());
-   return s.as_unlocked();
+   return s.as<bitvector>();
 }
 }  // namespace Botan
diff --git a/src/lib/utils/bitvector.h b/src/lib/utils/bitvector.h
index 2c127191722..5a6c6020ab5 100644
--- a/src/lib/utils/bitvector.h
+++ b/src/lib/utils/bitvector.h
@@ -2,8 +2,8 @@
  * An abstraction for an arbitrarily large bitvector that can
  * optionally use the secure_allocator.
  *
- * (C) 2023 Jack Lloyd
- * (C) 2023 René Meusel, Rohde & Schwarz Cybersecurity
+ * (C) 2023-2024 Jack Lloyd
+ * (C) 2023-2024 René Meusel, Rohde & Schwarz Cybersecurity
  *
  * Botan is released under the Simplified BSD License (see license.txt)
  */
@@ -15,6 +15,7 @@
 #include <botan/exceptn.h>
 #include <botan/mem_ops.h>
 #include <botan/secmem.h>
+#include <botan/strong_type.h>
 #include <botan/internal/bit_ops.h>
 #include <botan/internal/ct_utils.h>
 #include <botan/internal/loadstor.h>
@@ -29,6 +30,21 @@
 
 namespace Botan {
 
+template <template <typename> typename AllocatorT>
+class bitvector_base;
+
+template <typename T>
+struct is_bitvector : std::false_type {};
+
+template <template <typename> typename T>
+struct is_bitvector<bitvector_base<T>> : std::true_type {};
+
+template <typename T>
+constexpr static bool is_bitvector_v = is_bitvector<T>::value;
+
+template <typename T>
+concept bitvectorish = is_bitvector_v<T> || (is_strong_type_v<T> && is_bitvector_v<typename T::wrapped_type>);
+
 namespace detail {
 
 template <typename T0, typename... Ts>
@@ -96,6 +112,24 @@ concept predicate_blockwise_processing_callback =
    (blockwise_processing_callback_with_mask<FnT, ParamTs...> &&
     std::same_as<bool, blockwise_processing_callback_return_type<FnT, uint32_t, ParamTs..., first_t<ParamTs...>>>);
 
+template <bitvectorish T>
+auto& unwrap(T& bv) {
+   if constexpr(is_bitvector_v<T>) {
+      return bv;
+   } else {
+      return bv.get();
+   }
+}
+
+template <bitvectorish T>
+const auto& unwrap(const T& bv) {
+   if constexpr(is_bitvector_v<T>) {
+      return bv;
+   } else {
+      return bv.get();
+   }
+}
+
 template <typename T>
 class bitvector_iterator {
    private:
@@ -361,23 +395,22 @@ class bitvector_base final {
       }
 
       /**
-       * @returns a copy of this bitvector as a secure_bitvector
+       * @returns copies this bitvector into a new bitvector of type @p OutT
        */
-      auto as_locked() const { return subvector<secure_allocator>(0, size()); }
-
-      /**
-       * @returns a copy of this bitvector as a standard-allocated bitvector
-       */
-      auto as_unlocked() const { return subvector<std::allocator>(0, size()); }
+      template <bitvectorish OutT>
+      OutT as() const {
+         return subvector<OutT>(0, size());
+      }
 
       /**
        * @returns true if @p other contains the same bit pattern as this
        */
-      template <template <typename> typename OtherAllocatorT>
-      bool equals(const bitvector_base<OtherAllocatorT>& other) const noexcept {
+      template <bitvectorish OtherT>
+      bool equals(const OtherT& other) const noexcept {
          return size() == other.size() &&
-                full_range_operation(
-                   []<std::unsigned_integral BlockT>(BlockT lhs, BlockT rhs) { return lhs == rhs; }, *this, other);
+                full_range_operation([]<std::unsigned_integral BlockT>(BlockT lhs, BlockT rhs) { return lhs == rhs; },
+                                     *this,
+                                     detail::unwrap(other));
       }
 
       /// @name Serialization
@@ -609,26 +642,31 @@ class bitvector_base final {
        * Creates a new bitvector with a subsection of this bitvector starting at
        * @p pos copying exactly @p length bits.
        */
-      template <template <typename> typename NewAllocatorT = AllocatorT>
+      template <bitvectorish OutT = bitvector_base<AllocatorT>>
       auto subvector(size_type pos, std::optional<size_type> length = std::nullopt) const {
          size_type bitlen = length.value_or(size() - pos);
          BOTAN_ARG_CHECK(pos + bitlen <= size(), "Not enough bits to copy");
 
-         bitvector_base<NewAllocatorT> newvector(bitlen);
+         OutT newvector(bitlen);
+
+         // Handle bitvectors that are wrapped in strong types
+         auto& newvector_unwrapped = detail::unwrap(newvector);
+         using unwrapped_type = std::remove_cvref_t<decltype(newvector_unwrapped)>;
+         static_assert(is_bitvector_v<unwrapped_type>);
 
          if(bitlen > 0) {
             if(pos % 8 == 0) {
                copy_mem(
-                  newvector.m_blocks,
+                  newvector_unwrapped.m_blocks,
                   std::span{m_blocks}.subspan(block_index(pos), block_index(pos + bitlen - 1) - block_index(pos) + 1));
             } else {
                BitRangeOperator<const bitvector_base<AllocatorT>, BitRangeAlignment::no_alignment> from_op(
                   *this, pos, bitlen);
-               BitRangeOperator<bitvector_base<NewAllocatorT>> to_op(newvector, 0, bitlen);
+               BitRangeOperator<unwrapped_type> to_op(detail::unwrap(newvector_unwrapped), 0, bitlen);
                range_operation([](auto /* to */, auto from) { return from; }, to_op, from_op);
             }
 
-            newvector.zero_unused_bits();
+            newvector_unwrapped.zero_unused_bits();
          }
 
          return newvector;
@@ -646,24 +684,27 @@ class bitvector_base final {
          return newbv;
       }
 
-      template <template <typename> typename OtherAllocatorT>
-      auto& operator|=(const bitvector_base<OtherAllocatorT>& other) {
-         full_range_operation(
-            []<std::unsigned_integral BlockT>(BlockT lhs, BlockT rhs) -> BlockT { return lhs | rhs; }, *this, other);
+      template <bitvectorish OtherT>
+      auto& operator|=(const OtherT& other) {
+         full_range_operation([]<std::unsigned_integral BlockT>(BlockT lhs, BlockT rhs) -> BlockT { return lhs | rhs; },
+                              *this,
+                              detail::unwrap(other));
          return *this;
       }
 
-      template <template <typename> typename OtherAllocatorT>
-      auto& operator&=(const bitvector_base<OtherAllocatorT>& other) {
-         full_range_operation(
-            []<std::unsigned_integral BlockT>(BlockT lhs, BlockT rhs) -> BlockT { return lhs & rhs; }, *this, other);
+      template <bitvectorish OtherT>
+      auto& operator&=(const OtherT& other) {
+         full_range_operation([]<std::unsigned_integral BlockT>(BlockT lhs, BlockT rhs) -> BlockT { return lhs & rhs; },
+                              *this,
+                              detail::unwrap(other));
          return *this;
       }
 
-      template <template <typename> typename OtherAllocatorT>
-      auto& operator^=(const bitvector_base<OtherAllocatorT>& other) {
-         full_range_operation(
-            []<std::unsigned_integral BlockT>(BlockT lhs, BlockT rhs) -> BlockT { return lhs ^ rhs; }, *this, other);
+      template <bitvectorish OtherT>
+      auto& operator^=(const OtherT& other) {
+         full_range_operation([]<std::unsigned_integral BlockT>(BlockT lhs, BlockT rhs) -> BlockT { return lhs ^ rhs; },
+                              *this,
+                              detail::unwrap(other));
          return *this;
       }
 
@@ -682,8 +723,8 @@ class bitvector_base final {
        *
        * omitting runtime dependence on any of the parameters.
        */
-      template <template <typename> typename OtherAllocatorT>
-      void ct_conditional_xor(bool condition, const bitvector_base<OtherAllocatorT>& other) {
+      template <bitvectorish OtherT>
+      void ct_conditional_xor(bool condition, const OtherT& other) {
          BOTAN_ASSERT_NOMSG(m_bits == other.m_bits);
          BOTAN_ASSERT_NOMSG(m_blocks.size() == other.m_blocks.size());
 
@@ -702,7 +743,7 @@ class bitvector_base final {
             },
          };
 
-         full_range_operation(maybe_xor, *this, other);
+         full_range_operation(maybe_xor, *this, detail::unwrap(other));
       }
 
       /// @}
@@ -761,6 +802,7 @@ class bitvector_base final {
        * compile time (with the template parameter `alignment`).
        */
       template <typename BitvectorT, auto alignment = BitRangeAlignment::byte_aligned>
+         requires is_bitvector_v<std::remove_cvref_t<BitvectorT>>
       class BitRangeOperator {
          private:
             constexpr static bool is_const() { return std::is_const_v<BitvectorT>; }
@@ -1062,7 +1104,8 @@ class bitvector_base final {
        * Apply @p fn to all bit blocks in the bitvector(s).
        */
       template <typename FnT, typename... BitvectorTs>
-         requires(detail::blockwise_processing_callback<FnT, BitvectorTs...>)
+         requires(detail::blockwise_processing_callback<FnT, BitvectorTs...> &&
+                  (is_bitvector_v<std::remove_cvref_t<BitvectorTs>> && ... && true))
       static bool full_range_operation(FnT&& fn, BitvectorTs&... bitvecs) {
          BOTAN_ASSERT(has_equal_lengths(bitvecs...), "all bitvectors have the same length");
          return range_operation(std::forward<FnT>(fn), BitRangeOperator<BitvectorTs>(bitvecs)...);
@@ -1103,11 +1146,12 @@ namespace detail {
  * If one of the allocators is a Botan::secure_allocator, this will always
  * prefer it. Otherwise, the allocator of @p lhs will be used as a default.
  */
-template <template <typename> typename AllocatorT1, template <typename> typename AllocatorT2>
-constexpr auto copy_lhs_allocator_aware(const bitvector_base<AllocatorT1>& lhs,
-                                        const bitvector_base<AllocatorT2>& rhs) {
-   constexpr bool needs_secure_allocator = std::remove_cvref_t<decltype(lhs)>::uses_secure_allocator ||
-                                           std::remove_cvref_t<decltype(rhs)>::uses_secure_allocator;
+template <bitvectorish T1, bitvectorish T2>
+constexpr auto copy_lhs_allocator_aware(const T1& lhs, const T2& rhs) {
+   const auto& lhs_unwrapped = detail::unwrap(lhs);
+   const auto& rhs_unwrapped = detail::unwrap(rhs);
+   constexpr bool needs_secure_allocator = std::remove_cvref_t<decltype(lhs_unwrapped)>::uses_secure_allocator ||
+                                           std::remove_cvref_t<decltype(rhs_unwrapped)>::uses_secure_allocator;
 
    if constexpr(needs_secure_allocator) {
       return lhs.template as<secure_bitvector>();
@@ -1118,37 +1162,113 @@ constexpr auto copy_lhs_allocator_aware(const bitvector_base<AllocatorT1>& lhs,
 
 }  // namespace detail
 
-template <template <typename> typename AllocatorT1, template <typename> typename AllocatorT2>
-auto operator|(const bitvector_base<AllocatorT1>& lhs, const bitvector_base<AllocatorT2>& rhs) {
+template <bitvectorish T1, bitvectorish T2>
+auto operator|(const T1& lhs, const T2& rhs) {
    auto res = detail::copy_lhs_allocator_aware(lhs, rhs);
    res |= rhs;
    return res;
 }
 
-template <template <typename> typename AllocatorT1, template <typename> typename AllocatorT2>
-auto operator&(const bitvector_base<AllocatorT1>& lhs, const bitvector_base<AllocatorT2>& rhs) {
+template <bitvectorish T1, bitvectorish T2>
+auto operator&(const T1& lhs, const T2& rhs) {
    auto res = detail::copy_lhs_allocator_aware(lhs, rhs);
    res &= rhs;
    return res;
 }
 
-template <template <typename> typename AllocatorT1, template <typename> typename AllocatorT2>
-auto operator^(const bitvector_base<AllocatorT1>& lhs, const bitvector_base<AllocatorT2>& rhs) {
+template <bitvectorish T1, bitvectorish T2>
+auto operator^(const T1& lhs, const T2& rhs) {
    auto res = detail::copy_lhs_allocator_aware(lhs, rhs);
    res ^= rhs;
    return res;
 }
 
-template <template <typename> typename AllocatorT1, template <typename> typename AllocatorT2>
-bool operator==(const bitvector_base<AllocatorT1>& lhs, const bitvector_base<AllocatorT2>& rhs) {
+template <bitvectorish T1, bitvectorish T2>
+bool operator==(const T1& lhs, const T2& rhs) {
    return lhs.equals(rhs);
 }
 
-template <template <typename> typename AllocatorT1, template <typename> typename AllocatorT2>
-bool operator!=(const bitvector_base<AllocatorT1>& lhs, const bitvector_base<AllocatorT2>& rhs) {
+template <bitvectorish T1, bitvectorish T2>
+bool operator!=(const T1& lhs, const T2& rhs) {
    return lhs.equals(rhs);
 }
 
+namespace detail {
+
+/**
+ * A Strong<> adapter for arbitrarily large bitvectors
+ */
+template <concepts::container T>
+   requires is_bitvector_v<T>
+class Strong_Adapter<T> : public Container_Strong_Adapter_Base<T> {
+   public:
+      using size_type = typename T::size_type;
+
+   public:
+      using Container_Strong_Adapter_Base<T>::Container_Strong_Adapter_Base;
+
+      auto at(size_type i) const { return this->get().at(i); }
+
+      auto at(size_type i) { return this->get().at(i); }
+
+      auto set(size_type i) { return this->get().set(i); }
+
+      auto unset(size_type i) { return this->get().unset(i); }
+
+      auto flip(size_type i) { return this->get().flip(i); }
+
+      auto flip() { return this->get().flip(); }
+
+      template <typename OutT>
+      auto as() const {
+         return this->get().template as<OutT>();
+      }
+
+      template <typename OutT = T>
+      auto subvector(size_type pos, std::optional<size_type> length = std::nullopt) const {
+         return this->get().template subvector<OutT>(pos, length);
+      }
+
+      auto push_back(bool b) { return this->get().push_back(b); }
+
+      auto pop_back() { return this->get().pop_back(); }
+
+      auto front() const { return this->get().front(); }
+
+      auto front() { return this->get().front(); }
+
+      auto back() const { return this->get().back(); }
+
+      auto back() { return this->get().back(); }
+
+      auto any() const { return this->get().any(); }
+
+      auto all() const { return this->get().all(); }
+
+      auto none() const { return this->get().none(); }
+
+      auto has_odd_hamming_weight() const { return this->get().has_odd_hamming_weight(); }
+
+      auto from_bytes(std::span<const uint8_t> bytes, std::optional<size_type> bits = std::nullopt) {
+         return this->get().from_bytes(bytes, bits);
+      }
+
+      template <typename OutT = T>
+      auto to_bytes() const {
+         return this->get().template to_bytes<OutT>();
+      }
+
+      auto to_bytes(std::span<uint8_t> out) const { return this->get().to_bytes(out); }
+
+      auto to_string() const { return this->get().to_string(); }
+
+      auto capacity() const { return this->get().capacity(); }
+
+      auto reserve(size_type n) { return this->get().reserve(n); }
+};
+
+}  // namespace detail
+
 }  // namespace Botan
 
 #endif
diff --git a/src/tests/test_utils_bitvector.cpp b/src/tests/test_utils_bitvector.cpp
index 8199a01bd80..8dba40ac399 100644
--- a/src/tests/test_utils_bitvector.cpp
+++ b/src/tests/test_utils_bitvector.cpp
@@ -1,6 +1,6 @@
 /*
- * (C) 2023 Jack Lloyd
- * (C) 2023 René Meusel, Rohde & Schwarz Cybersecurity
+ * (C) 2023-2024 Jack Lloyd
+ * (C) 2023-2024 René Meusel, Rohde & Schwarz Cybersecurity
  *
  * Botan is released under the Simplified BSD License (see license.txt)
  */
@@ -910,6 +910,62 @@ std::vector<Test::Result> test_bitvector_iterators() {
    };
 }
 
+using TestBitvector = Botan::Strong<Botan::bitvector, struct TestBitvector_>;
+using TestSecureBitvector = Botan::Strong<Botan::secure_bitvector, struct TestBitvector_>;
+
+Test::Result test_bitvector_strongtype_adapter() {
+   Test::Result result("Bitvector in strong type");
+
+   TestBitvector bv1(10);
+
+   result.confirm("bv1 is not empty", !bv1.empty());
+   result.test_eq("bv1 has size 10", bv1.size(), size_t(10));
+
+   bv1[0] = true;
+   bv1.at(1) = true;
+   bv1.set(2);
+   bv1.unset(3);
+   bv1.flip(4);
+   bv1.push_back(true);
+   bv1.push_back(false);
+   bv1.pop_back();
+
+   result.confirm("bv1 front is set", bv1.front());
+   result.confirm("bv1 back is set", bv1.back());
+   result.confirm("bv1 has some one bits", bv1.any());
+   result.confirm("bv1 is not all zero", !bv1.none());
+   result.confirm("bv1 is not all one", !bv1.all());
+
+   result.test_eq("hamming weight of bv1", bv1.has_odd_hamming_weight(), true);
+
+   for(size_t i = 0; auto bit : bv1) {
+      const bool expected = (i == 0 || i == 1 || i == 2 || i == 4 || i == 10);
+      result.confirm(Botan::fmt("bv1 bit {} is set", i), bit == expected);
+      ++i;
+   }
+
+   bv1.flip();
+
+   for(size_t i = 0; auto bit : bv1) {
+      const bool expected = (i == 0 || i == 1 || i == 2 || i == 4 || i == 10);
+      result.confirm(Botan::fmt("bv1 bit {} is set", i), bit != expected);
+      ++i;
+   }
+
+   auto bv2 = bv1.as<TestSecureBitvector>();
+
+   auto bv3 = bv1 | bv2;
+   result.confirm("bv3 is a secure_bitvector", std::same_as<Botan::secure_bitvector, decltype(bv3)>);
+
+   auto bv4 = bv2.subvector<TestSecureBitvector>(0, 5);
+   result.confirm("bv4 is a TestSecureBitvector", std::same_as<TestSecureBitvector, decltype(bv4)>);
+
+   const auto str = bv4.to_string();
+   result.test_eq("bv4 to_string", str, "00010");
+
+   return result;
+}
+
 }  // namespace
 
 BOTAN_REGISTER_TEST_FN("utils",
@@ -922,6 +978,7 @@ BOTAN_REGISTER_TEST_FN("utils",
                        test_bitvector_serialization,
                        test_bitvector_constant_time_operations,
                        test_bitvector_conditional_xor_workload,
-                       test_bitvector_iterators);
+                       test_bitvector_iterators,
+                       test_bitvector_strongtype_adapter);
 
 }  // namespace Botan_Tests