doxygen/eme__pkcs_8cpp_source.html

/*

* PKCS #1 v1.5 Type 2 (encryption) padding

* (C) 1999-2007,2015,2016 Jack Lloyd

*

* Botan is released under the Simplified BSD License (see license.txt)

*/


#include <botan/internal/eme_pkcs.h>

#include <botan/exceptn.h>

#include <botan/rng.h>

#include <botan/internal/ct_utils.h>


namespace Botan {


/*

* PKCS1 Pad Operation

*/

secure_vector<uint8_t> EME_PKCS1v15::pad(const uint8_t in[], size_t inlen,

                                     size_t key_length,

                                     RandomNumberGenerator& rng) const

   {

   key_length /= 8;


   if(inlen > maximum_input_size(key_length * 8))

      {

      throw Invalid_Argument("PKCS1: Input is too large");

      }


   secure_vector<uint8_t> out(key_length);


   out[0] = 0x02;

   rng.randomize(out.data() + 1, (key_length - inlen - 2));


   for(size_t j = 1; j != key_length - inlen - 1; ++j)

      {

      if(out[j] == 0)

         {

         out[j] = rng.next_nonzero_byte();

         }

      }


   buffer_insert(out, key_length - inlen, in, inlen);


   return out;

   }


/*

* PKCS1 Unpad Operation

*/

secure_vector<uint8_t> EME_PKCS1v15::unpad(uint8_t& valid_mask,

                                        const uint8_t in[], size_t inlen) const

   {

   /*

   * RSA decryption pads the ciphertext up to the modulus size, so this only

   * occurs with very (!) small keys, or when fuzzing.

   *

   * 11 bytes == 00,02 + 8 bytes mandatory padding + 00

   */

   if(inlen < 11)

      {

      valid_mask = false;

      return secure_vector<uint8_t>();

      }


   CT::poison(in, inlen);


   CT::Mask<uint8_t> bad_input_m = CT::Mask<uint8_t>::cleared();

   CT::Mask<uint8_t> seen_zero_m = CT::Mask<uint8_t>::cleared();

   size_t delim_idx = 2; // initial 0002


   bad_input_m |= ~CT::Mask<uint8_t>::is_equal(in[0], 0);

   bad_input_m |= ~CT::Mask<uint8_t>::is_equal(in[1], 2);


   for(size_t i = 2; i < inlen; ++i)

      {

      const auto is_zero_m = CT::Mask<uint8_t>::is_zero(in[i]);

      delim_idx += seen_zero_m.if_not_set_return(1);

      seen_zero_m |= is_zero_m;

      }


   // no zero delim -> bad padding

   bad_input_m |= ~seen_zero_m;

   /*

   delim indicates < 8 bytes padding -> bad padding


   We require 11 here because we are counting also the 00 delim byte

   */

   bad_input_m |= CT::Mask<uint8_t>(CT::Mask<size_t>::is_lt(delim_idx, 11));


   valid_mask = (~bad_input_m).unpoisoned_value();

   auto output = CT::copy_output(bad_input_m, in, inlen, delim_idx);


   CT::unpoison(in, inlen);


   return output;

   }


/*

* Return the max input size for a given key size

*/

size_t EME_PKCS1v15::maximum_input_size(size_t keybits) const

   {

   if(keybits / 8 > 10)

      return ((keybits / 8) - 10);

   else

      return 0;

   }


}

Botan::CT::Mask
Definition: ct_utils.h:87

Botan::CT::Mask::is_zero
static Mask< T > is_zero(T x)
Definition: ct_utils.h:139

Botan::CT::Mask::if_not_set_return
T if_not_set_return(T x) const
Definition: ct_utils.h:278

Botan::CT::Mask::cleared
static Mask< T > cleared()
Definition: ct_utils.h:113

Botan::EME_PKCS1v15::pad
secure_vector< uint8_t > pad(const uint8_t[], size_t, size_t, RandomNumberGenerator &) const override
Definition: eme_pkcs.cpp:18

Botan::EME_PKCS1v15::maximum_input_size
size_t maximum_input_size(size_t) const override
Definition: eme_pkcs.cpp:101

Botan::EME_PKCS1v15::unpad
secure_vector< uint8_t > unpad(uint8_t &valid_mask, const uint8_t in[], size_t in_len) const override
Definition: eme_pkcs.cpp:50

Botan::Invalid_Argument
Definition: exceptn.h:133

Botan::RandomNumberGenerator
Definition: rng.h:31

Botan::RandomNumberGenerator::randomize
void randomize(std::span< uint8_t > output)
Definition: rng.h:53

Botan::RandomNumberGenerator::next_nonzero_byte
uint8_t next_nonzero_byte()
Definition: rng.h:231

Botan::CT::poison
void poison(const T *p, size_t n)
Definition: ct_utils.h:48

Botan::CT::copy_output
secure_vector< uint8_t > copy_output(CT::Mask< uint8_t > bad_input_u8, const uint8_t input[], size_t input_length, size_t offset)
Definition: ct_utils.cpp:11

Botan::CT::unpoison
void unpoison(const T *p, size_t n)
Definition: ct_utils.h:58

Botan
Definition: alg_id.cpp:12

Botan::buffer_insert
size_t buffer_insert(std::vector< T, Alloc > &buf, size_t buf_offset, const T input[], size_t input_length)
Definition: mem_ops.h:221

Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition: secmem.h:64