Coverage Report

Created: 2020-05-23 13:54

/src/botan/src/lib/pk_pad/eme_pkcs1/eme_pkcs.cpp
Line
Count
Source
1
/*
2
* PKCS #1 v1.5 Type 2 (encryption) padding
3
* (C) 1999-2007,2015,2016 Jack Lloyd
4
*
5
* Botan is released under the Simplified BSD License (see license.txt)
6
*/
7
8
#include <botan/eme_pkcs.h>
9
#include <botan/exceptn.h>
10
#include <botan/rng.h>
11
#include <botan/internal/ct_utils.h>
12
13
namespace Botan {
14
15
/*
16
* PKCS1 Pad Operation
17
*/
18
secure_vector<uint8_t> EME_PKCS1v15::pad(const uint8_t in[], size_t inlen,
19
                                     size_t key_length,
20
                                     RandomNumberGenerator& rng) const
21
55
   {
22
55
   key_length /= 8;
23
55
24
55
   if(inlen > maximum_input_size(key_length * 8))
25
3
      {
26
3
      throw Invalid_Argument("PKCS1: Input is too large");
27
3
      }
28
52
29
52
   secure_vector<uint8_t> out(key_length);
30
52
31
52
   out[0] = 0x02;
32
52
   rng.randomize(out.data() + 1, (key_length - inlen - 2));
33
52
34
4.01k
   for(size_t j = 1; j != key_length - inlen - 1; ++j)
35
3.96k
      {
36
3.96k
      if(out[j] == 0)
37
14
         {
38
14
         out[j] = rng.next_nonzero_byte();
39
14
         }
40
3.96k
      }
41
52
42
52
   buffer_insert(out, key_length - inlen, in, inlen);
43
52
44
52
   return out;
45
52
   }
46
47
/*
48
* PKCS1 Unpad Operation
49
*/
50
secure_vector<uint8_t> EME_PKCS1v15::unpad(uint8_t& valid_mask,
51
                                        const uint8_t in[], size_t inlen) const
52
190
   {
53
190
   /*
54
190
   * RSA decryption pads the ciphertext up to the modulus size, so this only
55
190
   * occurs with very (!) small keys, or when fuzzing.
56
190
   *
57
190
   * 11 bytes == 00,02 + 8 bytes mandatory padding + 00
58
190
   */
59
190
   if(inlen < 11)
60
33
      {
61
33
      valid_mask = false;
62
33
      return secure_vector<uint8_t>();
63
33
      }
64
157
65
157
   CT::poison(in, inlen);
66
157
67
157
   CT::Mask<uint8_t> bad_input_m = CT::Mask<uint8_t>::cleared();
68
157
   CT::Mask<uint8_t> seen_zero_m = CT::Mask<uint8_t>::cleared();
69
157
   size_t delim_idx = 2; // initial 0002
70
157
71
157
   bad_input_m |= ~CT::Mask<uint8_t>::is_equal(in[0], 0);
72
157
   bad_input_m |= ~CT::Mask<uint8_t>::is_equal(in[1], 2);
73
157
74
213k
   for(size_t i = 2; i < inlen; ++i)
75
213k
      {
76
213k
      const auto is_zero_m = CT::Mask<uint8_t>::is_zero(in[i]);
77
213k
      delim_idx += seen_zero_m.if_not_set_return(1);
78
213k
      seen_zero_m |= is_zero_m;
79
213k
      }
80
157
81
157
   // no zero delim -> bad padding
82
157
   bad_input_m |= ~seen_zero_m;
83
157
   /*
84
157
   delim indicates < 8 bytes padding -> bad padding
85
157
86
157
   We require 11 here because we are counting also the 00 delim byte
87
157
   */
88
157
   bad_input_m |= CT::Mask<uint8_t>(CT::Mask<size_t>::is_lt(delim_idx, 11));
89
157
90
157
   valid_mask = (~bad_input_m).unpoisoned_value();
91
157
   const secure_vector<uint8_t> output = CT::copy_output(bad_input_m, in, inlen, delim_idx);
92
157
93
157
   CT::unpoison(in, inlen);
94
157
95
157
   return output;
96
157
   }
97
98
/*
99
* Return the max input size for a given key size
100
*/
101
size_t EME_PKCS1v15::maximum_input_size(size_t keybits) const
102
55
   {
103
55
   if(keybits / 8 > 10)
104
52
      return ((keybits / 8) - 10);
105
3
   else
106
3
      return 0;
107
55
   }
108
109
}