Botan::PK_Decryptor_EME Class Reference

#include <pubkey.h>

Inheritance diagram for Botan::PK_Decryptor_EME:

Public Member Functions
secure_vector< uint8_t >	decrypt (const uint8_t in[], size_t length) const
secure_vector< uint8_t >	decrypt (std::span< const uint8_t > in) const
secure_vector< uint8_t >	decrypt_or_random (const uint8_t in[], size_t length, size_t expected_pt_len, RandomNumberGenerator &rng) const
secure_vector< uint8_t >	decrypt_or_random (const uint8_t in[], size_t length, size_t expected_pt_len, RandomNumberGenerator &rng, const uint8_t required_content_bytes[], const uint8_t required_content_offsets[], size_t required_contents) const
PK_Decryptor_EME &	operator= (const PK_Decryptor_EME &)=delete
PK_Decryptor_EME &	operator= (PK_Decryptor_EME &&) noexcept
	PK_Decryptor_EME (const PK_Decryptor_EME &)=delete
	PK_Decryptor_EME (const Private_Key &key, RandomNumberGenerator &rng, std::string_view eme, std::string_view provider="")
	PK_Decryptor_EME (PK_Decryptor_EME &&) noexcept
size_t	plaintext_length (size_t ptext_len) const override
	~PK_Decryptor_EME () override

Detailed Description

Decryption with an MR algorithm and an EME.

Definition at line 515 of file pubkey.h.

Constructor & Destructor Documentation

PK_Decryptor_EME() [1/3]

Botan::PK_Decryptor_EME::PK_Decryptor_EME	(	const Private_Key &	key,
		RandomNumberGenerator &	rng,
		std::string_view	eme,
		std::string_view	provider = "" )

Construct an instance.

Parameters

key	the key to use inside the decryptor
rng	the random generator to use
eme	the EME to use
provider	the provider to use

Definition at line 113 of file pubkey.cpp.

                                                            {
   m_op = key.create_decryption_op(rng, padding, provider);
   if(!m_op) {
      throw Invalid_Argument(fmt("Key type {} does not support decryption", key.algo_name()));
   }
}

References Botan::Asymmetric_Key::algo_name(), Botan::Private_Key::create_decryption_op(), and Botan::fmt().

~PK_Decryptor_EME()

Botan::PK_Decryptor_EME::~PK_Decryptor_EME ( )

overridedefault

PK_Decryptor_EME() [2/3]

Botan::PK_Decryptor_EME::PK_Decryptor_EME ( const PK_Decryptor_EME & )

delete

PK_Decryptor_EME() [3/3]

Botan::PK_Decryptor_EME::PK_Decryptor_EME ( PK_Decryptor_EME && )

defaultnoexcept

Member Function Documentation

decrypt() [1/2]

secure_vector< uint8_t > Botan::PK_Decryptor::decrypt ( const uint8_t in[], size_t length ) const

inherited

Decrypt a ciphertext, throwing an exception if the input seems to be invalid (eg due to an accidental or malicious error in the ciphertext).

Parameters

in	the ciphertext as a byte array
length	the length of the above byte array

Returns

decrypted message

Definition at line 22 of file pubkey.cpp.

                                                                                    {
   uint8_t valid_mask = 0;
 
   secure_vector<uint8_t> decoded = do_decrypt(valid_mask, in, length);
 
   if(valid_mask == 0) {
      throw Decoding_Error("Invalid public key ciphertext, cannot decrypt");
   }
 
   return decoded;
}

Referenced by Botan::KeyPair::encryption_consistency_check().

decrypt() [2/2]

secure_vector< uint8_t > Botan::PK_Decryptor::decrypt ( std::span< const uint8_t > in ) const

inlineinherited

Same as above, but taking a vector

Parameters

in	the ciphertext

Returns

decrypted message

Definition at line 96 of file pubkey.h.

{ return decrypt(in.data(), in.size()); }

References Botan::PK_Decryptor::decrypt().

Referenced by Botan::PK_Decryptor::decrypt().

decrypt_or_random() [1/2]

secure_vector< uint8_t > Botan::PK_Decryptor::decrypt_or_random ( const uint8_t in[], size_t length, size_t expected_pt_len, RandomNumberGenerator & rng ) const

inherited

Decrypt a ciphertext. If the ciphertext is invalid (eg due to invalid padding) or is not the expected length, instead returns a random string of the expected length. Use to avoid oracle attacks, especially against PKCS #1 v1.5 decryption.

Definition at line 79 of file pubkey.cpp.

                                                                                         {
   return decrypt_or_random(in, length, expected_pt_len, rng, nullptr, nullptr, 0);
}

References Botan::PK_Decryptor::decrypt_or_random().

Referenced by Botan::TLS::Client_Key_Exchange::Client_Key_Exchange(), and Botan::PK_Decryptor::decrypt_or_random().

decrypt_or_random() [2/2]

secure_vector< uint8_t > Botan::PK_Decryptor::decrypt_or_random ( const uint8_t in[], size_t length, size_t expected_pt_len, RandomNumberGenerator & rng, const uint8_t required_content_bytes[], const uint8_t required_content_offsets[], size_t required_contents ) const

inherited

Decrypt a ciphertext. If the ciphertext is invalid (eg due to invalid padding) or is not the expected length, instead returns a random string of the expected length. Use to avoid oracle attacks, especially against PKCS #1 v1.5 decryption.

Additionally checks (also in const time) that: contents[required_content_offsets[i]] == required_content_bytes[i] for 0 <= i < required_contents

Used for example in TLS, which encodes the client version in the content bytes: if there is any timing variation the version check can be used as an oracle to recover the key.

Definition at line 34 of file pubkey.cpp.

                                                                                              {
   const secure_vector<uint8_t> fake_pms = rng.random_vec(expected_pt_len);
 
   uint8_t decrypt_valid = 0;
   secure_vector<uint8_t> decoded = do_decrypt(decrypt_valid, in, length);
 
   auto valid_mask = CT::Mask<uint8_t>::is_equal(decrypt_valid, 0xFF);
   valid_mask &= CT::Mask<uint8_t>(CT::Mask<size_t>::is_zero(decoded.size() ^ expected_pt_len));
 
   decoded.resize(expected_pt_len);
 
   for(size_t i = 0; i != required_contents_length; ++i) {
      /*
      These values are chosen by the application and for TLS are constants,
      so this early failure via assert is fine since we know 0,1 < 48
 
      If there is a protocol that has content checks on the key where
      the expected offsets are controllable by the attacker this could
      still leak.
 
      Alternately could always reduce the offset modulo the length?
      */
 
      const uint8_t exp = required_content_bytes[i];
      const uint8_t off = required_content_offsets[i];
 
      BOTAN_ASSERT(off < expected_pt_len, "Offset in range of plaintext");
 
      auto eq = CT::Mask<uint8_t>::is_equal(decoded[off], exp);
 
      valid_mask &= eq;
   }
 
   // If valid_mask is false, assign fake pre master instead
   valid_mask.select_n(decoded.data(), decoded.data(), fake_pms.data(), expected_pt_len);
 
   return decoded;
}

References BOTAN_ASSERT, Botan::CT::Mask< T >::is_equal(), and Botan::RandomNumberGenerator::random_vec().

operator=() [1/2]

PK_Decryptor_EME & Botan::PK_Decryptor_EME::operator= ( const PK_Decryptor_EME & )

delete

operator=() [2/2]

PK_Decryptor_EME & Botan::PK_Decryptor_EME::operator= ( PK_Decryptor_EME && )

defaultnoexcept

plaintext_length()

size_t Botan::PK_Decryptor_EME::plaintext_length ( size_t ctext_len ) const

overridevirtual

Return an upper bound on the plaintext length for a particular ciphertext input length

Implements Botan::PK_Decryptor.

Definition at line 128 of file pubkey.cpp.

                                                                {
   return m_op->plaintext_length(ctext_len);
}

References plaintext_length().

Referenced by plaintext_length().

---

The documentation for this class was generated from the following files:

• src/lib/pubkey/pubkey.h
• src/lib/pubkey/pubkey.cpp