doxygen/xmd_8cpp_source.html

/*

* (C) 2019,2020,2021,2024 Jack Lloyd

*

* Botan is released under the Simplified BSD License (see license.txt)

*/


#include <botan/internal/xmd.h>


#include <botan/exceptn.h>

#include <botan/hash.h>

#include <botan/internal/fmt.h>

#include <vector>


namespace Botan {


void expand_message_xmd(std::string_view hash_fn,

                        std::span<uint8_t> output,

                        std::span<const uint8_t> input,

                        std::span<const uint8_t> domain_sep) {

   if(domain_sep.size() > 0xFF) {

      // RFC 9380 has a specification for handling this

      throw Not_Implemented("XMD does not currently implement oversize DST handling");

   }


   const uint8_t domain_sep_len = static_cast<uint8_t>(domain_sep.size());


   auto hash = HashFunction::create_or_throw(hash_fn);

   const size_t block_size = hash->hash_block_size();

   if(block_size == 0) {

      throw Invalid_Argument(fmt("expand_message_xmd cannot be used with {}", hash_fn));

   }


   const size_t hash_output_size = hash->output_length();

   if(output.size() > 255 * hash_output_size || output.size() > 0xFFFF) {

      throw Invalid_Argument("expand_message_xmd requested output length too long");

   }


   // Compute b_0 = H(msg_prime) = H(Z_pad || msg || l_i_b_str || 0x00 || DST_prime)


   hash->update(std::vector<uint8_t>(block_size));

   hash->update(input);

   hash->update_be(static_cast<uint16_t>(output.size()));

   hash->update(0x00);

   hash->update(domain_sep);

   hash->update(domain_sep_len);


   const secure_vector<uint8_t> b_0 = hash->final();


   // Compute b_1 = H(b_0 || 0x01 || DST_prime)


   hash->update(b_0);

   hash->update(0x01);

   hash->update(domain_sep);

   hash->update(domain_sep_len);


   secure_vector<uint8_t> b_i = hash->final();


   uint8_t cnt = 2;

   for(;;) {

      const size_t produced = std::min(output.size(), hash_output_size);


      copy_mem(&output[0], b_i.data(), produced);

      output = output.subspan(produced);


      if(output.empty()) {

         break;

      }


      // Now compute the next b_i if needed


      b_i ^= b_0;

      hash->update(b_i);

      hash->update(cnt);

      hash->update(domain_sep);

      hash->update(domain_sep_len);

      hash->final(b_i);

      cnt += 1;

   }

}


}  // namespace Botan

Botan::HashFunction::create_or_throw
static std::unique_ptr< HashFunction > create_or_throw(std::string_view algo_spec, std::string_view provider="")
Definition hash.cpp:298

Botan::Invalid_Argument
Definition exceptn.h:131

Botan::Not_Implemented
Definition exceptn.h:334

Botan
Definition alg_id.cpp:13

Botan::fmt
std::string fmt(std::string_view format, const T &... args)
Definition fmt.h:53

Botan::expand_message_xmd
void expand_message_xmd(std::string_view hash_fn, std::span< uint8_t > output, std::span< const uint8_t > input, std::span< const uint8_t > domain_sep)
Definition xmd.cpp:16

Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:61

Botan::copy_mem
constexpr void copy_mem(T *out, const T *in, size_t n)
Definition mem_ops.h:147