Botan::DLIES_Decryptor Class Reference

#include <dlies.h>

Inheritance diagram for Botan::DLIES_Decryptor:

Public Member Functions
secure_vector< uint8_t >	decrypt (const uint8_t in[], size_t length) const
secure_vector< uint8_t >	decrypt (std::span< const uint8_t > in) const
secure_vector< uint8_t >	decrypt_or_random (const uint8_t in[], size_t length, size_t expected_pt_len, RandomNumberGenerator &rng) const
secure_vector< uint8_t >	decrypt_or_random (const uint8_t in[], size_t length, size_t expected_pt_len, RandomNumberGenerator &rng, const uint8_t required_content_bytes[], const uint8_t required_content_offsets[], size_t required_contents) const
	DLIES_Decryptor (const DH_PrivateKey &own_priv_key, RandomNumberGenerator &rng, std::unique_ptr< KDF > kdf, std::unique_ptr< Cipher_Mode > cipher, size_t cipher_key_len, std::unique_ptr< MessageAuthenticationCode > mac, size_t mac_key_len=20)
	DLIES_Decryptor (const DH_PrivateKey &own_priv_key, RandomNumberGenerator &rng, std::unique_ptr< KDF > kdf, std::unique_ptr< MessageAuthenticationCode > mac, size_t mac_key_len=20)
void	set_initialization_vector (const InitializationVector &iv)
	Set the initialization vector for the data decryption method.

Detailed Description

DLIES Decryption

Definition at line 90 of file dlies.h.

Constructor & Destructor Documentation

DLIES_Decryptor() [1/2]

Botan::DLIES_Decryptor::DLIES_Decryptor	(	const DH_PrivateKey &	own_priv_key,
		RandomNumberGenerator &	rng,
		std::unique_ptr< KDF >	kdf,
		std::unique_ptr< MessageAuthenticationCode >	mac,
		size_t	mac_key_len = 20 )

Stream mode: use KDF to provide a stream of bytes to xor with the message

Parameters

own_priv_key	own (ephemeral) DH private key
rng	the RNG to use
kdf	the KDF that should be used
mac	the MAC function that should be used
mac_key_len	key length of the MAC function. Default = 20 bytes

input = (ephemeral) public key + ciphertext + tag

Definition at line 115 of file dlies.cpp.

                                                        :
      DLIES_Decryptor(own_priv_key, rng, std::move(kdf), nullptr, 0, std::move(mac), mac_key_length) {}

DLIES_Decryptor() [2/2]

Botan::DLIES_Decryptor::DLIES_Decryptor	(	const DH_PrivateKey &	own_priv_key,
		RandomNumberGenerator &	rng,
		std::unique_ptr< KDF >	kdf,
		std::unique_ptr< Cipher_Mode >	cipher,
		size_t	cipher_key_len,
		std::unique_ptr< MessageAuthenticationCode >	mac,
		size_t	mac_key_len = 20 )

Block cipher mode

Parameters

own_priv_key	own (ephemeral) DH private key
rng	the RNG to use
kdf	the KDF that should be used
cipher	the block cipher that should be used
cipher_key_len	the key length of the block cipher
mac	the MAC function that should be used
mac_key_len	key length of the MAC function. Default = 20 bytes

input = (ephemeral) public key + ciphertext + tag

Definition at line 96 of file dlies.cpp.

                                                        :
      m_pub_key_size(own_priv_key.public_value().size()),
      m_ka(own_priv_key, rng, "Raw"),
      m_kdf(std::move(kdf)),
      m_cipher(std::move(cipher)),
      m_cipher_key_len(cipher_key_len),
      m_mac(std::move(mac)),
      m_mac_keylen(mac_key_length),
      m_iv() {
   BOTAN_ASSERT_NONNULL(m_kdf);
   BOTAN_ASSERT_NONNULL(m_mac);
}

References BOTAN_ASSERT_NONNULL.

Member Function Documentation

decrypt() [1/2]

secure_vector< uint8_t > Botan::PK_Decryptor::decrypt ( const uint8_t in[], size_t length ) const

inherited

Decrypt a ciphertext, throwing an exception if the input seems to be invalid (eg due to an accidental or malicious error in the ciphertext).

Parameters

in	the ciphertext as a byte array
length	the length of the above byte array

Returns

decrypted message

Definition at line 22 of file pubkey.cpp.

                                                                                    {
   uint8_t valid_mask = 0;
 
   secure_vector<uint8_t> decoded = do_decrypt(valid_mask, in, length);
 
   if(valid_mask == 0) {
      throw Decoding_Error("Invalid public key ciphertext, cannot decrypt");
   }
 
   return decoded;
}

Referenced by Botan::KeyPair::encryption_consistency_check().

decrypt() [2/2]

secure_vector< uint8_t > Botan::PK_Decryptor::decrypt ( std::span< const uint8_t > in ) const

inlineinherited

Same as above, but taking a vector

Parameters

in	the ciphertext

Returns

decrypted message

Definition at line 96 of file pubkey.h.

{ return decrypt(in.data(), in.size()); }

References Botan::PK_Decryptor::decrypt().

Referenced by Botan::PK_Decryptor::decrypt().

decrypt_or_random() [1/2]

secure_vector< uint8_t > Botan::PK_Decryptor::decrypt_or_random ( const uint8_t in[], size_t length, size_t expected_pt_len, RandomNumberGenerator & rng ) const

inherited

Decrypt a ciphertext. If the ciphertext is invalid (eg due to invalid padding) or is not the expected length, instead returns a random string of the expected length. Use to avoid oracle attacks, especially against PKCS #1 v1.5 decryption.

Definition at line 79 of file pubkey.cpp.

                                                                                         {
   return decrypt_or_random(in, length, expected_pt_len, rng, nullptr, nullptr, 0);
}

References Botan::PK_Decryptor::decrypt_or_random().

Referenced by Botan::TLS::Client_Key_Exchange::Client_Key_Exchange(), and Botan::PK_Decryptor::decrypt_or_random().

decrypt_or_random() [2/2]

secure_vector< uint8_t > Botan::PK_Decryptor::decrypt_or_random ( const uint8_t in[], size_t length, size_t expected_pt_len, RandomNumberGenerator & rng, const uint8_t required_content_bytes[], const uint8_t required_content_offsets[], size_t required_contents ) const

inherited

Decrypt a ciphertext. If the ciphertext is invalid (eg due to invalid padding) or is not the expected length, instead returns a random string of the expected length. Use to avoid oracle attacks, especially against PKCS #1 v1.5 decryption.

Additionally checks (also in const time) that: contents[required_content_offsets[i]] == required_content_bytes[i] for 0 <= i < required_contents

Used for example in TLS, which encodes the client version in the content bytes: if there is any timing variation the version check can be used as an oracle to recover the key.

Definition at line 34 of file pubkey.cpp.

                                                                                              {
   const secure_vector<uint8_t> fake_pms = rng.random_vec(expected_pt_len);
 
   uint8_t decrypt_valid = 0;
   secure_vector<uint8_t> decoded = do_decrypt(decrypt_valid, in, length);
 
   auto valid_mask = CT::Mask<uint8_t>::is_equal(decrypt_valid, 0xFF);
   valid_mask &= CT::Mask<uint8_t>(CT::Mask<size_t>::is_zero(decoded.size() ^ expected_pt_len));
 
   decoded.resize(expected_pt_len);
 
   for(size_t i = 0; i != required_contents_length; ++i) {
      /*
      These values are chosen by the application and for TLS are constants,
      so this early failure via assert is fine since we know 0,1 < 48
 
      If there is a protocol that has content checks on the key where
      the expected offsets are controllable by the attacker this could
      still leak.
 
      Alternately could always reduce the offset modulo the length?
      */
 
      const uint8_t exp = required_content_bytes[i];
      const uint8_t off = required_content_offsets[i];
 
      BOTAN_ASSERT(off < expected_pt_len, "Offset in range of plaintext");
 
      auto eq = CT::Mask<uint8_t>::is_equal(decoded[off], exp);
 
      valid_mask &= eq;
   }
 
   // If valid_mask is false, assign fake pre master instead
   valid_mask.select_n(decoded.data(), decoded.data(), fake_pms.data(), expected_pt_len);
 
   return decoded;
}

References BOTAN_ASSERT, Botan::CT::Mask< T >::is_equal(), and Botan::RandomNumberGenerator::random_vec().

set_initialization_vector()

void Botan::DLIES_Decryptor::set_initialization_vector ( const InitializationVector & iv )

inline

Set the initialization vector for the data decryption method.

Definition at line 131 of file dlies.h.

{ m_iv = iv; }

---

The documentation for this class was generated from the following files:

• src/lib/pubkey/dlies/dlies.h
• src/lib/pubkey/dlies/dlies.cpp