Botan::DLIES_Decryptor Class Reference

#include <dlies.h>

Inheritance diagram for Botan::DLIES_Decryptor:

Public Member Functions
secure_vector< uint8_t >	decrypt (const uint8_t in[], size_t length) const
secure_vector< uint8_t >	decrypt (std::span< const uint8_t > in) const
secure_vector< uint8_t >	decrypt_or_random (const uint8_t in[], size_t length, size_t expected_pt_len, RandomNumberGenerator &rng) const
secure_vector< uint8_t >	decrypt_or_random (const uint8_t in[], size_t length, size_t expected_pt_len, RandomNumberGenerator &rng, const uint8_t required_content_bytes[], const uint8_t required_content_offsets[], size_t required_contents) const
	DLIES_Decryptor (const DH_PrivateKey &own_priv_key, RandomNumberGenerator &rng, std::unique_ptr< KDF > kdf, std::unique_ptr< Cipher_Mode > cipher, size_t cipher_key_len, std::unique_ptr< MessageAuthenticationCode > mac, size_t mac_key_len=20)
	DLIES_Decryptor (const DH_PrivateKey &own_priv_key, RandomNumberGenerator &rng, std::unique_ptr< KDF > kdf, std::unique_ptr< MessageAuthenticationCode > mac, size_t mac_key_len=20)
void	set_initialization_vector (const InitializationVector &iv)
	Set the initialization vector for the data decryption method.

Detailed Description

DLIES Decryption

Definition at line 92 of file dlies.h.

Constructor & Destructor Documentation

DLIES_Decryptor() [1/2]

Botan::DLIES_Decryptor::DLIES_Decryptor	(	const DH_PrivateKey &	own_priv_key,
		RandomNumberGenerator &	rng,
		std::unique_ptr< KDF >	kdf,
		std::unique_ptr< MessageAuthenticationCode >	mac,
		size_t	mac_key_len = 20 )

Stream mode: use KDF to provide a stream of bytes to xor with the message

Parameters

own_priv_key	own (ephemeral) DH private key
rng	the RNG to use
kdf	the KDF that should be used
mac	the MAC function that should be used
mac_key_len	key length of the MAC function. Default = 20 bytes

input = (ephemeral) public key + ciphertext + tag

Definition at line 116 of file dlies.cpp.

                                                        :
      DLIES_Decryptor(own_priv_key, rng, std::move(kdf), nullptr, 0, std::move(mac), mac_key_length) {}

References DLIES_Decryptor().

Referenced by DLIES_Decryptor().

DLIES_Decryptor() [2/2]

Botan::DLIES_Decryptor::DLIES_Decryptor	(	const DH_PrivateKey &	own_priv_key,
		RandomNumberGenerator &	rng,
		std::unique_ptr< KDF >	kdf,
		std::unique_ptr< Cipher_Mode >	cipher,
		size_t	cipher_key_len,
		std::unique_ptr< MessageAuthenticationCode >	mac,
		size_t	mac_key_len = 20 )

Block cipher mode

Parameters

own_priv_key	own (ephemeral) DH private key
rng	the RNG to use
kdf	the KDF that should be used
cipher	the block cipher that should be used
cipher_key_len	the key length of the block cipher
mac	the MAC function that should be used
mac_key_len	key length of the MAC function. Default = 20 bytes

input = (ephemeral) public key + ciphertext + tag

Definition at line 97 of file dlies.cpp.

                                                        :
      m_pub_key_size(own_priv_key.public_value().size()),
      m_ka(own_priv_key, rng, "Raw"),
      m_kdf(std::move(kdf)),
      m_cipher(std::move(cipher)),
      m_cipher_key_len(cipher_key_len),
      m_mac(std::move(mac)),
      m_mac_keylen(mac_key_length),
      m_iv() {
   BOTAN_ASSERT_NONNULL(m_kdf);
   BOTAN_ASSERT_NONNULL(m_mac);
}

References BOTAN_ASSERT_NONNULL.

Member Function Documentation

decrypt() [1/2]

secure_vector< uint8_t > Botan::PK_Decryptor::decrypt ( const uint8_t in[], size_t length ) const

inherited

Decrypt a ciphertext, throwing an exception if the input seems to be invalid (eg due to an accidental or malicious error in the ciphertext).

Parameters

in	the ciphertext as a byte array
length	the length of the above byte array

Returns

decrypted message

Definition at line 23 of file pubkey.cpp.

                                                                                    {
   uint8_t valid_mask = 0;
 
   secure_vector<uint8_t> decoded = do_decrypt(valid_mask, in, length);
 
   if(valid_mask == 0) {
      throw Decoding_Error("Invalid public key ciphertext, cannot decrypt");
   }
 
   return decoded;
}

Referenced by Botan::KeyPair::encryption_consistency_check().

decrypt() [2/2]

secure_vector< uint8_t > Botan::PK_Decryptor::decrypt ( std::span< const uint8_t > in ) const

inlineinherited

Same as above, but taking a vector

Parameters

in	the ciphertext

Returns

decrypted message

Definition at line 96 of file pubkey.h.

{ return decrypt(in.data(), in.size()); }

References decrypt().

Referenced by decrypt().

decrypt_or_random() [1/2]

secure_vector< uint8_t > Botan::PK_Decryptor::decrypt_or_random ( const uint8_t in[], size_t length, size_t expected_pt_len, RandomNumberGenerator & rng ) const

inherited

Decrypt a ciphertext. If the ciphertext is invalid (eg due to invalid padding) or is not the expected length, instead returns a random string of the expected length. Use to avoid oracle attacks, especially against PKCS #1 v1.5 decryption.

Definition at line 87 of file pubkey.cpp.

                                                                                         {
   return decrypt_or_random(in, length, expected_pt_len, rng, nullptr, nullptr, 0);
}

References decrypt_or_random().

Referenced by Botan::TLS::Client_Key_Exchange::Client_Key_Exchange(), and decrypt_or_random().

decrypt_or_random() [2/2]

secure_vector< uint8_t > Botan::PK_Decryptor::decrypt_or_random ( const uint8_t in[], size_t length, size_t expected_pt_len, RandomNumberGenerator & rng, const uint8_t required_content_bytes[], const uint8_t required_content_offsets[], size_t required_contents ) const

inherited

Decrypt a ciphertext. If the ciphertext is invalid (eg due to invalid padding) or is not the expected length, instead returns a random string of the expected length. Use to avoid oracle attacks, especially against PKCS #1 v1.5 decryption.

Additionally checks (also in const time) that: contents[required_content_offsets[i]] == required_content_bytes[i] for 0 <= i < required_contents

Used for example in TLS, which encodes the client version in the content bytes: if there is any timing variation the version check can be used as an oracle to recover the key.

Definition at line 35 of file pubkey.cpp.

                                                                                              {
   const secure_vector<uint8_t> fake_pms = [&]() {
      auto pms = rng.random_vec(expected_pt_len);
 
      for(size_t i = 0; i != required_contents_length; ++i) {
         const uint8_t exp = required_content_bytes[i];
 
         /*
         If an offset repeats we don't detect this and just return a PMS that satisfies
         the last requested index. If the requested (idx,value) tuple is the same, that's
         fine and just redundant. If they disagree, decryption will always fail, since the
         same byte cannot possibly have two distinct values.
         */
         const uint8_t off = required_content_offsets[i];
         BOTAN_ASSERT(off < expected_pt_len, "Offset in range of plaintext");
         pms[off] = exp;
      }
 
      return pms;
   }();
 
   uint8_t decrypt_valid = 0;
   secure_vector<uint8_t> decoded = do_decrypt(decrypt_valid, in, length);
 
   auto valid_mask = CT::Mask<uint8_t>::is_equal(decrypt_valid, 0xFF);
   valid_mask &= CT::Mask<uint8_t>(CT::Mask<size_t>::is_equal(decoded.size(), expected_pt_len));
 
   decoded.resize(expected_pt_len);
 
   for(size_t i = 0; i != required_contents_length; ++i) {
      const uint8_t exp = required_content_bytes[i];
 
      // We know off is in range because we already checked it when creating the fake premaster above
      const uint8_t off = required_content_offsets[i];
 
      auto eq = CT::Mask<uint8_t>::is_equal(decoded[off], exp);
 
      valid_mask &= eq;
   }
 
   // If valid_mask is false, assign fake pre master instead
   valid_mask.select_n(decoded.data(), decoded.data(), fake_pms.data(), expected_pt_len);
 
   return decoded;
}

References BOTAN_ASSERT, Botan::CT::Mask< T >::is_equal(), and Botan::RandomNumberGenerator::random_vec().

set_initialization_vector()

void Botan::DLIES_Decryptor::set_initialization_vector ( const InitializationVector & iv )

inline

Set the initialization vector for the data decryption method.

Definition at line 133 of file dlies.h.

{ m_iv = iv; }

---

The documentation for this class was generated from the following files:

• src/lib/pubkey/dlies/dlies.h
• src/lib/pubkey/dlies/dlies.cpp