Coverage Report

Created: 2021-05-04 09:02

/src/botan/src/lib/pk_pad/eme_oaep/oaep.cpp
Line
Count
Source (jump to first uncovered line)
1
/*
2
* OAEP
3
* (C) 1999-2010,2015,2018 Jack Lloyd
4
*
5
* Botan is released under the Simplified BSD License (see license.txt)
6
*/
7
8
#include <botan/internal/oaep.h>
9
#include <botan/internal/mgf1.h>
10
#include <botan/exceptn.h>
11
#include <botan/rng.h>
12
#include <botan/internal/ct_utils.h>
13
14
namespace Botan {
15
16
/*
17
* OAEP Pad Operation
18
*/
19
secure_vector<uint8_t> OAEP::pad(const uint8_t in[], size_t in_length,
20
                             size_t key_length,
21
                             RandomNumberGenerator& rng) const
22
0
   {
23
0
   key_length /= 8;
24
25
0
   if(in_length > maximum_input_size(key_length * 8))
26
0
      {
27
0
      throw Invalid_Argument("OAEP: Input is too large");
28
0
      }
29
30
0
   secure_vector<uint8_t> out(key_length);
31
32
0
   rng.randomize(out.data(), m_Phash.size());
33
34
0
   buffer_insert(out, m_Phash.size(), m_Phash.data(), m_Phash.size());
35
0
   out[out.size() - in_length - 1] = 0x01;
36
0
   buffer_insert(out, out.size() - in_length, in, in_length);
37
38
0
   mgf1_mask(*m_mgf1_hash,
39
0
             out.data(), m_Phash.size(),
40
0
             &out[m_Phash.size()], out.size() - m_Phash.size());
41
42
0
   mgf1_mask(*m_mgf1_hash,
43
0
             &out[m_Phash.size()], out.size() - m_Phash.size(),
44
0
             out.data(), m_Phash.size());
45
46
0
   return out;
47
0
   }
48
49
/*
50
* OAEP Unpad Operation
51
*/
52
secure_vector<uint8_t> OAEP::unpad(uint8_t& valid_mask,
53
                                   const uint8_t in[], size_t in_length) const
54
0
   {
55
   /*
56
   Must be careful about error messages here; if an attacker can
57
   distinguish them, it is easy to use the differences as an oracle to
58
   find the secret key, as described in "A Chosen Ciphertext Attack on
59
   RSA Optimal Asymmetric Encryption Padding (OAEP) as Standardized in
60
   PKCS #1 v2.0", James Manger, Crypto 2001
61
62
   Also have to be careful about timing attacks! Pointed out by Falko
63
   Strenzke.
64
65
   According to the standard (Section 7.1.1), the encryptor always
66
   creates a message as follows:
67
      i. Concatenate a single octet with hexadecimal value 0x00,
68
         maskedSeed, and maskedDB to form an encoded message EM of
69
         length k octets as
70
            EM = 0x00 || maskedSeed || maskedDB.
71
   where k is the length of the modulus N.
72
   Therefore, the first byte can always be skipped safely.
73
   */
74
75
0
   const uint8_t skip_first = CT::Mask<uint8_t>::is_zero(in[0]).if_set_return(1);
76
77
0
   secure_vector<uint8_t> input(in + skip_first, in + in_length);
78
79
0
   const size_t hlen = m_Phash.size();
80
81
0
   mgf1_mask(*m_mgf1_hash,
82
0
             &input[hlen], input.size() - hlen,
83
0
             input.data(), hlen);
84
85
0
   mgf1_mask(*m_mgf1_hash,
86
0
             input.data(), hlen,
87
0
             &input[hlen], input.size() - hlen);
88
89
0
   return oaep_find_delim(valid_mask, input.data(), input.size(), m_Phash);
90
0
   }
91
92
secure_vector<uint8_t>
93
oaep_find_delim(uint8_t& valid_mask,
94
                const uint8_t input[], size_t input_len,
95
                const secure_vector<uint8_t>& Phash)
96
189
   {
97
189
   const size_t hlen = Phash.size();
98
99
   // Too short to be valid, reject immediately
100
189
   if(input_len < 1 + 2*hlen)
101
6
      {
102
6
      return secure_vector<uint8_t>();
103
6
      }
104
105
183
   CT::poison(input, input_len);
106
107
183
   size_t delim_idx = 2 * hlen;
108
183
   CT::Mask<uint8_t> waiting_for_delim = CT::Mask<uint8_t>::set();
109
183
   CT::Mask<uint8_t> bad_input_m = CT::Mask<uint8_t>::cleared();
110
111
180k
   for(size_t i = delim_idx; i < input_len; ++i)
112
180k
      {
113
180k
      const auto zero_m = CT::Mask<uint8_t>::is_zero(input[i]);
114
180k
      const auto one_m = CT::Mask<uint8_t>::is_equal(input[i], 1);
115
116
180k
      const auto add_m = waiting_for_delim & zero_m;
117
118
180k
      bad_input_m |= waiting_for_delim & ~(zero_m | one_m);
119
120
180k
      delim_idx += add_m.if_set_return(1);
121
122
180k
      waiting_for_delim &= zero_m;
123
180k
      }
124
125
   // If we never saw any non-zero byte, then it's not valid input
126
183
   bad_input_m |= waiting_for_delim;
127
183
   bad_input_m |= CT::Mask<uint8_t>::is_zero(ct_compare_u8(&input[hlen], Phash.data(), hlen));
128
129
183
   delim_idx += 1;
130
131
183
   valid_mask = (~bad_input_m).unpoisoned_value();
132
183
   const secure_vector<uint8_t> output = CT::copy_output(bad_input_m, input, input_len, delim_idx);
133
134
183
   CT::unpoison(input, input_len);
135
136
183
   return output;
137
183
   }
138
139
/*
140
* Return the max input size for a given key size
141
*/
142
size_t OAEP::maximum_input_size(size_t keybits) const
143
0
   {
144
0
   if(keybits / 8 > 2*m_Phash.size() + 1)
145
0
      return ((keybits / 8) - 2*m_Phash.size() - 1);
146
0
   else
147
0
      return 0;
148
0
   }
149
150
OAEP::OAEP(std::unique_ptr<HashFunction> hash,
151
           const std::string& P) :
152
   m_mgf1_hash(std::move(hash))
153
0
   {
154
0
   m_Phash = m_mgf1_hash->process(P);
155
0
   }
156
157
OAEP::OAEP(std::unique_ptr<HashFunction> hash,
158
           std::unique_ptr<HashFunction> mgf1_hash,
159
           const std::string& P) :
160
   m_mgf1_hash(std::move(mgf1_hash))
161
0
   {
162
0
   auto phash = std::move(hash);
163
0
   m_Phash = phash->process(P);
164
0
   }
165
166
}