8#include <botan/internal/pssr.h>
10#include <botan/exceptn.h>
11#include <botan/mem_ops.h>
13#include <botan/internal/bit_ops.h>
14#include <botan/internal/ct_utils.h>
15#include <botan/internal/fmt.h>
16#include <botan/internal/mgf1.h>
17#include <botan/internal/stl_util.h>
27std::vector<uint8_t> pss_encode(HashFunction& hash,
28 const std::vector<uint8_t>& msg,
29 const std::vector<uint8_t>& salt,
31 const size_t HASH_SIZE = hash.output_length();
33 if(msg.size() != HASH_SIZE) {
34 throw Encoding_Error(
"Cannot encode PSS string, input length invalid for hash");
36 if(output_bits < 8 * HASH_SIZE + 8 * salt.size() + 9) {
37 throw Encoding_Error(
"Cannot encode PSS string, output length too small");
41 const uint8_t db0_mask = 0xFF >> (8 * output_length - output_bits);
43 std::array<uint8_t, 8> padding = {0};
47 std::vector<uint8_t> H = hash.final_stdvec();
49 const size_t db_len = output_length - HASH_SIZE - 1;
50 std::vector<uint8_t> EM(output_length);
52 BufferStuffer stuffer(EM);
53 stuffer.append(0x00, stuffer.remaining_capacity() - (1 + salt.size() + H.size() + 1));
57 mgf1_mask(hash, H.data(), H.size(), EM.data(), db_len);
67bool pss_verify(HashFunction& hash,
68 const std::vector<uint8_t>& pss_repr,
69 const std::vector<uint8_t>& message_hash,
71 size_t* out_salt_size) {
72 const size_t HASH_SIZE = hash.output_length();
75 if(key_bits < 8 * HASH_SIZE + 9) {
79 if(message_hash.size() != HASH_SIZE) {
83 if(pss_repr.size() > key_bytes || pss_repr.size() <= 1) {
87 if(pss_repr[pss_repr.size() - 1] != 0xBC) {
91 std::vector<uint8_t> coded = pss_repr;
92 if(coded.size() < key_bytes) {
93 std::vector<uint8_t> temp(key_bytes);
94 BufferStuffer stuffer(temp);
95 stuffer.append(0x00, stuffer.remaining_capacity() - coded.size());
96 stuffer.append(coded);
100 const size_t TOP_BITS = 8 * ((key_bits + 7) / 8) - key_bits;
101 if(TOP_BITS > 8 -
high_bit(coded[0])) {
105 uint8_t* DB = coded.data();
106 const size_t DB_size = coded.size() - HASH_SIZE - 1;
108 const uint8_t* H = &coded[DB_size];
109 const size_t H_size = HASH_SIZE;
112 DB[0] &= 0xFF >> TOP_BITS;
114 size_t salt_offset = 0;
115 for(
size_t j = 0; j != DB_size; ++j) {
124 if(salt_offset == 0) {
128 const size_t salt_size = DB_size - salt_offset;
130 std::array<uint8_t, 8> padding = {0};
131 hash.update(padding);
132 hash.update(message_hash);
133 hash.update(&DB[salt_offset], salt_size);
135 const std::vector<uint8_t> H2 = hash.final_stdvec();
137 const bool ok =
CT::is_equal(H, H2.data(), HASH_SIZE).as_bool();
139 if(out_salt_size && ok) {
140 *out_salt_size = salt_size;
149 m_hash(std::move(hash)), m_salt_size(m_hash->output_length()), m_required_salt_len(false) {}
151PSSR::PSSR(std::unique_ptr<HashFunction> hash,
size_t salt_size) :
152 m_hash(std::move(hash)), m_salt_size(salt_size), m_required_salt_len(true) {}
151PSSR::PSSR(std::unique_ptr<HashFunction> hash,
size_t salt_size) : {
…}
157void PSSR::update(
const uint8_t input[],
size_t length) {
158 m_hash->update(input, length);
164std::vector<uint8_t> PSSR::raw_data() {
165 return m_hash->final_stdvec();
168std::vector<uint8_t> PSSR::encoding_of(
const std::vector<uint8_t>& msg,
170 RandomNumberGenerator& rng) {
171 const auto salt = rng.random_vec<std::vector<uint8_t>>(m_salt_size);
172 return pss_encode(*m_hash, msg, salt, output_bits);
178bool PSSR::verify(
const std::vector<uint8_t>& coded,
const std::vector<uint8_t>& raw,
size_t key_bits) {
179 size_t salt_size = 0;
180 const bool ok = pss_verify(*m_hash, coded, raw, key_bits, &salt_size);
182 if(m_required_salt_len && salt_size != m_salt_size) {
190 return fmt(
"PSS({},MGF1,{})", m_hash->name(), m_salt_size);
194 m_hash(std::move(hash)), m_salt_size(m_hash->output_length()), m_required_salt_len(false) {}
197 m_hash(std::move(hash)), m_salt_size(salt_size), m_required_salt_len(true) {}
202void PSSR_Raw::update(
const uint8_t input[],
size_t length) {
203 m_msg.insert(m_msg.end(), input, input + length);
209std::vector<uint8_t> PSSR_Raw::raw_data() {
210 std::vector<uint8_t> ret;
211 std::swap(ret, m_msg);
213 if(ret.size() != m_hash->output_length()) {
214 throw Encoding_Error(
"PSSR_Raw Bad input length, did not match hash");
220std::vector<uint8_t> PSSR_Raw::encoding_of(
const std::vector<uint8_t>& msg,
222 RandomNumberGenerator& rng) {
223 const auto salt = rng.random_vec<std::vector<uint8_t>>(m_salt_size);
224 return pss_encode(*m_hash, msg, salt, output_bits);
230bool PSSR_Raw::verify(
const std::vector<uint8_t>& coded,
const std::vector<uint8_t>& raw,
size_t key_bits) {
231 size_t salt_size = 0;
232 const bool ok = pss_verify(*m_hash, coded, raw, key_bits, &salt_size);
234 if(m_required_salt_len && salt_size != m_salt_size) {
242 return fmt(
"PSS_Raw({},MGF1,{})", m_hash->name(), m_salt_size);
#define BOTAN_ASSERT_NOMSG(expr)
PSSR_Raw(std::unique_ptr< HashFunction > hash)
std::string name() const override
std::string name() const override
PSSR(std::unique_ptr< HashFunction > hash)
constexpr CT::Mask< T > is_equal(const T x[], const T y[], size_t len)
void mgf1_mask(HashFunction &hash, const uint8_t in[], size_t in_len, uint8_t out[], size_t out_len)
std::string fmt(std::string_view format, const T &... args)
constexpr size_t high_bit(T n)
constexpr T ceil_tobytes(T bits)