/src/botan/src/lib/pk_pad/eme_pkcs1/eme_pkcs.cpp

Source
/*
* PKCS #1 v1.5 Type 2 (encryption) padding
* (C) 1999-2007,2015,2016 Jack Lloyd
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include <botan/eme_pkcs.h>
#include <botan/exceptn.h>
#include <botan/rng.h>
#include <botan/internal/ct_utils.h>

namespace Botan {

/*
* PKCS1 Pad Operation
*/
secure_vector<uint8_t> EME_PKCS1v15::pad(const uint8_t in[], size_t inlen,
                                     size_t key_length,
                                     RandomNumberGenerator& rng) const
   {
   key_length /= 8;

   if(inlen > maximum_input_size(key_length * 8))
      {
      throw Invalid_Argument("PKCS1: Input is too large");
      }

   secure_vector<uint8_t> out(key_length);

   out[0] = 0x02;
   rng.randomize(out.data() + 1, (key_length - inlen - 2));

   for(size_t j = 1; j != key_length - inlen - 1; ++j)
      {
      if(out[j] == 0)
         {
         out[j] = rng.next_nonzero_byte();
         }
      }

   buffer_insert(out, key_length - inlen, in, inlen);

   return out;
   }

/*
* PKCS1 Unpad Operation
*/
secure_vector<uint8_t> EME_PKCS1v15::unpad(uint8_t& valid_mask,
                                        const uint8_t in[], size_t inlen) const
   {
   /*
   * RSA decryption pads the ciphertext up to the modulus size, so this only
   * occurs with very (!) small keys, or when fuzzing.
   *
   * 11 bytes == 00,02 + 8 bytes mandatory padding + 00
   */
   if(inlen < 11)
      {
      valid_mask = false;
      return secure_vector<uint8_t>();
      }

   CT::poison(in, inlen);

   CT::Mask<uint8_t> bad_input_m = CT::Mask<uint8_t>::cleared();
   CT::Mask<uint8_t> seen_zero_m = CT::Mask<uint8_t>::cleared();
   size_t delim_idx = 2; // initial 0002

   bad_input_m |= ~CT::Mask<uint8_t>::is_equal(in[0], 0);
   bad_input_m |= ~CT::Mask<uint8_t>::is_equal(in[1], 2);

   for(size_t i = 2; i < inlen; ++i)
      {
      const auto is_zero_m = CT::Mask<uint8_t>::is_zero(in[i]);
      delim_idx += seen_zero_m.if_not_set_return(1);
      seen_zero_m |= is_zero_m;
      }

   // no zero delim -> bad padding
   bad_input_m |= ~seen_zero_m;
   /*
   delim indicates < 8 bytes padding -> bad padding

   We require 11 here because we are counting also the 00 delim byte
   */
   bad_input_m |= CT::Mask<uint8_t>(CT::Mask<size_t>::is_lt(delim_idx, 11));

   valid_mask = (~bad_input_m).unpoisoned_value();
   const secure_vector<uint8_t> output = CT::copy_output(bad_input_m, in, inlen, delim_idx);

   CT::unpoison(in, inlen);

   return output;
   }

/*
* Return the max input size for a given key size
*/
size_t EME_PKCS1v15::maximum_input_size(size_t keybits) const
   {
   if(keybits / 8 > 10)
      return ((keybits / 8) - 10);
   else
      return 0;
   }

}

Line	Count	Source
1		/*
2		* PKCS #1 v1.5 Type 2 (encryption) padding
3		* (C) 1999-2007,2015,2016 Jack Lloyd
4		*
5		* Botan is released under the Simplified BSD License (see license.txt)
6		*/
7
8		#include <botan/eme_pkcs.h>
9		#include <botan/exceptn.h>
10		#include <botan/rng.h>
11		#include <botan/internal/ct_utils.h>
12
13		namespace Botan {
14
15		/*
16		* PKCS1 Pad Operation
17		*/
18		secure_vector<uint8_t> EME_PKCS1v15::pad(const uint8_t in[], size_t inlen,
19		size_t key_length,
20		RandomNumberGenerator& rng) const
21	62	{
22	62	key_length /= 8;
23	62
24	62	if(inlen > maximum_input_size(key_length * 8))
25	3	{
26	3	throw Invalid_Argument("PKCS1: Input is too large");
27	3	}
28	59
29	59	secure_vector<uint8_t> out(key_length);
30	59
31	59	out[0] = 0x02;
32	59	rng.randomize(out.data() + 1, (key_length - inlen - 2));
33	59
34	4.25k	for(size_t j = 1; j != key_length - inlen - 1; ++j)
35	4.19k	{
36	4.19k	if(out[j] == 0)
37	10	{
38	10	out[j] = rng.next_nonzero_byte();
39	10	}
40	4.19k	}
41	59
42	59	buffer_insert(out, key_length - inlen, in, inlen);
43	59
44	59	return out;
45	59	}
46
47		/*
48		* PKCS1 Unpad Operation
49		*/
50		secure_vector<uint8_t> EME_PKCS1v15::unpad(uint8_t& valid_mask,
51		const uint8_t in[], size_t inlen) const
52	210	{
53	210	/*
54	210	* RSA decryption pads the ciphertext up to the modulus size, so this only
55	210	* occurs with very (!) small keys, or when fuzzing.
56	210	*
57	210	* 11 bytes == 00,02 + 8 bytes mandatory padding + 00
58	210	*/
59	210	if(inlen < 11)
60	35	{
61	35	valid_mask = false;
62	35	return secure_vector<uint8_t>();
63	35	}
64	175
65	175	CT::poison(in, inlen);
66	175
67	175	CT::Mask<uint8_t> bad_input_m = CT::Mask<uint8_t>::cleared();
68	175	CT::Mask<uint8_t> seen_zero_m = CT::Mask<uint8_t>::cleared();
69	175	size_t delim_idx = 2; // initial 0002
70	175
71	175	bad_input_m \|= ~CT::Mask<uint8_t>::is_equal(in[0], 0);
72	175	bad_input_m \|= ~CT::Mask<uint8_t>::is_equal(in[1], 2);
73	175
74	227k	for(size_t i = 2; i < inlen; ++i)
75	227k	{
76	227k	const auto is_zero_m = CT::Mask<uint8_t>::is_zero(in[i]);
77	227k	delim_idx += seen_zero_m.if_not_set_return(1);
78	227k	seen_zero_m \|= is_zero_m;
79	227k	}
80	175
81	175	// no zero delim -> bad padding
82	175	bad_input_m \|= ~seen_zero_m;
83	175	/*
84	175	delim indicates < 8 bytes padding -> bad padding
85	175
86	175	We require 11 here because we are counting also the 00 delim byte
87	175	*/
88	175	bad_input_m \|= CT::Mask<uint8_t>(CT::Mask<size_t>::is_lt(delim_idx, 11));
89	175
90	175	valid_mask = (~bad_input_m).unpoisoned_value();
91	175	const secure_vector<uint8_t> output = CT::copy_output(bad_input_m, in, inlen, delim_idx);
92	175
93	175	CT::unpoison(in, inlen);
94	175
95	175	return output;
96	175	}
97
98		/*
99		* Return the max input size for a given key size
100		*/
101		size_t EME_PKCS1v15::maximum_input_size(size_t keybits) const
102	62	{
103	62	if(keybits / 8 > 10)
104	61	return ((keybits / 8) - 10);
105	1	else
106	1	return 0;
107	62	}
108
109		}

Coverage Report

Created: 2020-06-30 13:58