Botan 3.6.1
Crypto and TLS for C&
pssr.cpp
Go to the documentation of this file.
1/*
2* PSSR
3* (C) 1999-2007,2017,2023 Jack Lloyd
4*
5* Botan is released under the Simplified BSD License (see license.txt)
6*/
7
8#include <botan/internal/pssr.h>
9
10#include <botan/exceptn.h>
11#include <botan/mem_ops.h>
12#include <botan/rng.h>
13#include <botan/internal/bit_ops.h>
14#include <botan/internal/ct_utils.h>
15#include <botan/internal/mgf1.h>
16#include <botan/internal/stl_util.h>
17#include <array>
18
19namespace Botan {
20
21namespace {
22
23/*
24* PSSR Encode Operation
25*/
26std::vector<uint8_t> pss_encode(HashFunction& hash,
27 const std::vector<uint8_t>& msg,
28 const std::vector<uint8_t>& salt,
29 size_t output_bits) {
30 const size_t HASH_SIZE = hash.output_length();
31
32 if(msg.size() != HASH_SIZE) {
33 throw Encoding_Error("Cannot encode PSS string, input length invalid for hash");
34 }
35 if(output_bits < 8 * HASH_SIZE + 8 * salt.size() + 9) {
36 throw Encoding_Error("Cannot encode PSS string, output length too small");
37 }
38
39 const size_t output_length = ceil_tobytes(output_bits);
40 const uint8_t db0_mask = 0xFF >> (8 * output_length - output_bits);
41
42 std::array<uint8_t, 8> padding = {0};
43 hash.update(padding);
44 hash.update(msg);
45 hash.update(salt);
46 std::vector<uint8_t> H = hash.final_stdvec();
47
48 const size_t db_len = output_length - HASH_SIZE - 1;
49 std::vector<uint8_t> EM(output_length);
50
51 BufferStuffer stuffer(EM);
52 stuffer.append(0x00, stuffer.remaining_capacity() - (1 + salt.size() + H.size() + 1));
53 stuffer.append(0x01);
54 stuffer.append(salt);
55
56 mgf1_mask(hash, H.data(), H.size(), EM.data(), db_len);
57 EM[0] &= db0_mask;
58
59 stuffer.append(H);
60 stuffer.append(0xBC);
61 BOTAN_ASSERT_NOMSG(stuffer.full());
62
63 return EM;
64}
65
66bool pss_verify(HashFunction& hash,
67 const std::vector<uint8_t>& pss_repr,
68 const std::vector<uint8_t>& message_hash,
69 size_t key_bits,
70 size_t* out_salt_size) {
71 const size_t HASH_SIZE = hash.output_length();
72 const size_t key_bytes = ceil_tobytes(key_bits);
73
74 if(key_bits < 8 * HASH_SIZE + 9) {
75 return false;
76 }
77
78 if(message_hash.size() != HASH_SIZE) {
79 return false;
80 }
81
82 if(pss_repr.size() > key_bytes || pss_repr.size() <= 1) {
83 return false;
84 }
85
86 if(pss_repr[pss_repr.size() - 1] != 0xBC) {
87 return false;
88 }
89
90 std::vector<uint8_t> coded = pss_repr;
91 if(coded.size() < key_bytes) {
92 std::vector<uint8_t> temp(key_bytes);
93 BufferStuffer stuffer(temp);
94 stuffer.append(0x00, stuffer.remaining_capacity() - coded.size());
95 stuffer.append(coded);
96 coded = temp;
97 }
98
99 const size_t TOP_BITS = 8 * ((key_bits + 7) / 8) - key_bits;
100 if(TOP_BITS > 8 - high_bit(coded[0])) {
101 return false;
102 }
103
104 uint8_t* DB = coded.data();
105 const size_t DB_size = coded.size() - HASH_SIZE - 1;
106
107 const uint8_t* H = &coded[DB_size];
108 const size_t H_size = HASH_SIZE;
109
110 mgf1_mask(hash, H, H_size, DB, DB_size);
111 DB[0] &= 0xFF >> TOP_BITS;
112
113 size_t salt_offset = 0;
114 for(size_t j = 0; j != DB_size; ++j) {
115 if(DB[j] == 0x01) {
116 salt_offset = j + 1;
117 break;
118 }
119 if(DB[j]) {
120 return false;
121 }
122 }
123 if(salt_offset == 0) {
124 return false;
125 }
126
127 const size_t salt_size = DB_size - salt_offset;
128
129 std::array<uint8_t, 8> padding = {0};
130 hash.update(padding);
131 hash.update(message_hash);
132 hash.update(&DB[salt_offset], salt_size);
133
134 const std::vector<uint8_t> H2 = hash.final_stdvec();
135
136 const bool ok = CT::is_equal(H, H2.data(), HASH_SIZE).as_bool();
137
138 if(out_salt_size && ok) {
139 *out_salt_size = salt_size;
140 }
141
142 return ok;
143}
144
145} // namespace
146
147PSSR::PSSR(std::unique_ptr<HashFunction> hash) :
148 m_hash(std::move(hash)), m_salt_size(m_hash->output_length()), m_required_salt_len(false) {}
149
150PSSR::PSSR(std::unique_ptr<HashFunction> hash, size_t salt_size) :
151 m_hash(std::move(hash)), m_salt_size(salt_size), m_required_salt_len(true) {}
152
153/*
154* PSSR Update Operation
155*/
156void PSSR::update(const uint8_t input[], size_t length) {
157 m_hash->update(input, length);
158}
159
160/*
161* Return the raw (unencoded) data
162*/
163std::vector<uint8_t> PSSR::raw_data() {
164 return m_hash->final_stdvec();
165}
166
167std::vector<uint8_t> PSSR::encoding_of(const std::vector<uint8_t>& msg,
168 size_t output_bits,
169 RandomNumberGenerator& rng) {
170 const auto salt = rng.random_vec<std::vector<uint8_t>>(m_salt_size);
171 return pss_encode(*m_hash, msg, salt, output_bits);
172}
173
174/*
175* PSSR Decode/Verify Operation
176*/
177bool PSSR::verify(const std::vector<uint8_t>& coded, const std::vector<uint8_t>& raw, size_t key_bits) {
178 size_t salt_size = 0;
179 const bool ok = pss_verify(*m_hash, coded, raw, key_bits, &salt_size);
180
181 if(m_required_salt_len && salt_size != m_salt_size) {
182 return false;
183 }
184
185 return ok;
186}
187
188std::string PSSR::name() const {
189 return "EMSA4(" + m_hash->name() + ",MGF1," + std::to_string(m_salt_size) + ")";
190}
191
192PSSR_Raw::PSSR_Raw(std::unique_ptr<HashFunction> hash) :
193 m_hash(std::move(hash)), m_salt_size(m_hash->output_length()), m_required_salt_len(false) {}
194
195PSSR_Raw::PSSR_Raw(std::unique_ptr<HashFunction> hash, size_t salt_size) :
196 m_hash(std::move(hash)), m_salt_size(salt_size), m_required_salt_len(true) {}
197
198/*
199* PSSR_Raw Update Operation
200*/
201void PSSR_Raw::update(const uint8_t input[], size_t length) {
202 m_msg.insert(m_msg.end(), input, input + length);
203}
204
205/*
206* Return the raw (unencoded) data
207*/
208std::vector<uint8_t> PSSR_Raw::raw_data() {
209 std::vector<uint8_t> ret;
210 std::swap(ret, m_msg);
211
212 if(ret.size() != m_hash->output_length()) {
213 throw Encoding_Error("PSSR_Raw Bad input length, did not match hash");
214 }
215
216 return ret;
217}
218
219std::vector<uint8_t> PSSR_Raw::encoding_of(const std::vector<uint8_t>& msg,
220 size_t output_bits,
221 RandomNumberGenerator& rng) {
222 const auto salt = rng.random_vec<std::vector<uint8_t>>(m_salt_size);
223 return pss_encode(*m_hash, msg, salt, output_bits);
224}
225
226/*
227* PSSR_Raw Decode/Verify Operation
228*/
229bool PSSR_Raw::verify(const std::vector<uint8_t>& coded, const std::vector<uint8_t>& raw, size_t key_bits) {
230 size_t salt_size = 0;
231 const bool ok = pss_verify(*m_hash, coded, raw, key_bits, &salt_size);
232
233 if(m_required_salt_len && salt_size != m_salt_size) {
234 return false;
235 }
236
237 return ok;
238}
239
240std::string PSSR_Raw::name() const {
241 return "PSSR_Raw(" + m_hash->name() + ",MGF1," + std::to_string(m_salt_size) + ")";
242}
243
244} // namespace Botan
BOTAN_ASSERT_NOMSG
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:59
Botan::PSSR_Raw::PSSR_Raw
PSSR_Raw(std::unique_ptr< HashFunction > hash)
Definition pssr.cpp:192
Botan::PSSR_Raw::name
std::string name() const override
Definition pssr.cpp:240
Botan::PSSR::name
std::string name() const override
Definition pssr.cpp:188
Botan::PSSR::PSSR
PSSR(std::unique_ptr< HashFunction > hash)
Definition pssr.cpp:147
Botan::CT::is_equal
constexpr CT::Mask< T > is_equal(const T x[], const T y[], size_t len)
Definition ct_utils.h:759
Botan::mgf1_mask
void mgf1_mask(HashFunction &hash, const uint8_t in[], size_t in_len, uint8_t out[], size_t out_len)
Definition mgf1.cpp:15
Botan::high_bit
constexpr size_t high_bit(T n)
Definition bit_ops.h:58
Botan::ceil_tobytes
constexpr T ceil_tobytes(T bits)
Definition bit_ops.h:157
Generated by doxygen 1.12.0