Botan  1.11.34
Crypto and TLS for C++11
Public Member Functions | List of all members
Botan::PK_Decryptor Class Referenceabstract

#include <pubkey.h>

Inheritance diagram for Botan::PK_Decryptor:
Botan::DLIES_Decryptor Botan::ECIES_Decryptor Botan::PK_Decryptor_EME

Public Member Functions

secure_vector< bytedecrypt (const byte in[], size_t length) const
 
template<typename Alloc >
secure_vector< bytedecrypt (const std::vector< byte, Alloc > &in) const
 
secure_vector< bytedecrypt_or_random (const byte in[], size_t length, size_t expected_pt_len, RandomNumberGenerator &rng) const
 
secure_vector< bytedecrypt_or_random (const byte in[], size_t length, size_t expected_pt_len, RandomNumberGenerator &rng, const byte required_content_bytes[], const byte required_content_offsets[], size_t required_contents) const
 
PK_Decryptoroperator= (const PK_Decryptor &)=delete
 
 PK_Decryptor ()
 
 PK_Decryptor (const PK_Decryptor &)=delete
 
virtual ~PK_Decryptor ()=default
 

Detailed Description

Public Key Decryptor

Definition at line 84 of file pubkey.h.

Constructor & Destructor Documentation

§ PK_Decryptor() [1/2]

Botan::PK_Decryptor::PK_Decryptor ( )
inline

Definition at line 144 of file pubkey.h.

144 {}

§ ~PK_Decryptor()

virtual Botan::PK_Decryptor::~PK_Decryptor ( )
virtualdefault

§ PK_Decryptor() [2/2]

Botan::PK_Decryptor::PK_Decryptor ( const PK_Decryptor )
delete

Member Function Documentation

§ decrypt() [1/2]

secure_vector< byte > Botan::PK_Decryptor::decrypt ( const byte  in[],
size_t  length 
) const

Decrypt a ciphertext, throwing an exception if the input seems to be invalid (eg due to an accidental or malicious error in the ciphertext).

Parameters
inthe ciphertext as a byte array
lengththe length of the above byte array
Returns
decrypted message

Definition at line 16 of file pubkey.cpp.

Referenced by Botan::KeyPair::encryption_consistency_check().

17  {
18  byte valid_mask = 0;
19 
20  secure_vector<byte> decoded = do_decrypt(valid_mask, in, length);
21 
22  if(valid_mask == 0)
23  throw Decoding_Error("Invalid public key ciphertext, cannot decrypt");
24 
25  return decoded;
26  }
std::uint8_t byte
Definition: types.h:31

§ decrypt() [2/2]

template<typename Alloc >
secure_vector<byte> Botan::PK_Decryptor::decrypt ( const std::vector< byte, Alloc > &  in) const
inline

Same as above, but taking a vector

Parameters
inthe ciphertext
Returns
decrypted message

Definition at line 104 of file pubkey.h.

References Botan::CryptoBox::decrypt().

105  {
106  return decrypt(in.data(), in.size());
107  }
secure_vector< byte > decrypt(const byte in[], size_t length) const
Definition: pubkey.cpp:16

§ decrypt_or_random() [1/2]

secure_vector< byte > Botan::PK_Decryptor::decrypt_or_random ( const byte  in[],
size_t  length,
size_t  expected_pt_len,
RandomNumberGenerator rng 
) const

Decrypt a ciphertext. If the ciphertext is invalid (eg due to invalid padding) or is not the expected length, instead returns a random string of the expected length. Use to avoid oracle attacks, especially against PKCS #1 v1.5 decryption.

Definition at line 77 of file pubkey.cpp.

81  {
82  return decrypt_or_random(in, length, expected_pt_len, rng,
83  nullptr, nullptr, 0);
84  }
secure_vector< byte > decrypt_or_random(const byte in[], size_t length, size_t expected_pt_len, RandomNumberGenerator &rng) const
Definition: pubkey.cpp:77

§ decrypt_or_random() [2/2]

secure_vector< byte > Botan::PK_Decryptor::decrypt_or_random ( const byte  in[],
size_t  length,
size_t  expected_pt_len,
RandomNumberGenerator rng,
const byte  required_content_bytes[],
const byte  required_content_offsets[],
size_t  required_contents 
) const

Decrypt a ciphertext. If the ciphertext is invalid (eg due to invalid padding) or is not the expected length, instead returns a random string of the expected length. Use to avoid oracle attacks, especially against PKCS #1 v1.5 decryption.

Additionally checks (also in const time) that: contents[required_content_offsets[i]] == required_content_bytes[i] for 0 <= i < required_contents

Used for example in TLS, which encodes the client version in the content bytes: if there is any timing variation the version check can be used as an oracle to recover the key.

Definition at line 29 of file pubkey.cpp.

References BOTAN_ASSERT, Botan::CT::conditional_copy_mem(), Botan::CT::is_equal(), and Botan::RandomNumberGenerator::random_vec().

36  {
37  const secure_vector<byte> fake_pms = rng.random_vec(expected_pt_len);
38 
39  byte valid_mask = 0;
40  secure_vector<byte> decoded = do_decrypt(valid_mask, in, length);
41 
42  valid_mask &= CT::is_equal(decoded.size(), expected_pt_len);
43 
44  decoded.resize(expected_pt_len);
45 
46  for(size_t i = 0; i != required_contents_length; ++i)
47  {
48  /*
49  These values are chosen by the application and for TLS are constants,
50  so this early failure via assert is fine since we know 0,1 < 48
51 
52  If there is a protocol that has content checks on the key where
53  the expected offsets are controllable by the attacker this could
54  still leak.
55 
56  Alternately could always reduce the offset modulo the length?
57  */
58 
59  const byte exp = required_content_bytes[i];
60  const byte off = required_content_offsets[i];
61 
62  BOTAN_ASSERT(off < expected_pt_len, "Offset in range of plaintext");
63 
64  valid_mask &= CT::is_equal(decoded[off], exp);
65  }
66 
67  CT::conditional_copy_mem(valid_mask,
68  /*output*/decoded.data(),
69  /*from0*/decoded.data(),
70  /*from1*/fake_pms.data(),
71  expected_pt_len);
72 
73  return decoded;
74  }
void conditional_copy_mem(T value, T *to, const T *from0, const T *from1, size_t elems)
Definition: ct_utils.h:138
T is_equal(T x, T y)
Definition: ct_utils.h:116
#define BOTAN_ASSERT(expr, assertion_made)
Definition: assert.h:27
std::uint8_t byte
Definition: types.h:31

§ operator=()

PK_Decryptor& Botan::PK_Decryptor::operator= ( const PK_Decryptor )
delete

The documentation for this class was generated from the following files: