/src/botan/src/lib/pk_pad/eme_oaep/oaep.cpp
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * OAEP |
3 | | * (C) 1999-2010,2015,2018 Jack Lloyd |
4 | | * |
5 | | * Botan is released under the Simplified BSD License (see license.txt) |
6 | | */ |
7 | | |
8 | | #include <botan/internal/oaep.h> |
9 | | #include <botan/internal/mgf1.h> |
10 | | #include <botan/exceptn.h> |
11 | | #include <botan/rng.h> |
12 | | #include <botan/internal/ct_utils.h> |
13 | | |
14 | | namespace Botan { |
15 | | |
16 | | /* |
17 | | * OAEP Pad Operation |
18 | | */ |
19 | | secure_vector<uint8_t> OAEP::pad(const uint8_t in[], size_t in_length, |
20 | | size_t key_length, |
21 | | RandomNumberGenerator& rng) const |
22 | 0 | { |
23 | 0 | key_length /= 8; |
24 | |
|
25 | 0 | if(in_length > maximum_input_size(key_length * 8)) |
26 | 0 | { |
27 | 0 | throw Invalid_Argument("OAEP: Input is too large"); |
28 | 0 | } |
29 | | |
30 | 0 | secure_vector<uint8_t> out(key_length); |
31 | |
|
32 | 0 | rng.randomize(out.data(), m_Phash.size()); |
33 | |
|
34 | 0 | buffer_insert(out, m_Phash.size(), m_Phash.data(), m_Phash.size()); |
35 | 0 | out[out.size() - in_length - 1] = 0x01; |
36 | 0 | buffer_insert(out, out.size() - in_length, in, in_length); |
37 | |
|
38 | 0 | mgf1_mask(*m_mgf1_hash, |
39 | 0 | out.data(), m_Phash.size(), |
40 | 0 | &out[m_Phash.size()], out.size() - m_Phash.size()); |
41 | |
|
42 | 0 | mgf1_mask(*m_mgf1_hash, |
43 | 0 | &out[m_Phash.size()], out.size() - m_Phash.size(), |
44 | 0 | out.data(), m_Phash.size()); |
45 | |
|
46 | 0 | return out; |
47 | 0 | } |
48 | | |
49 | | /* |
50 | | * OAEP Unpad Operation |
51 | | */ |
52 | | secure_vector<uint8_t> OAEP::unpad(uint8_t& valid_mask, |
53 | | const uint8_t in[], size_t in_length) const |
54 | 0 | { |
55 | | /* |
56 | | Must be careful about error messages here; if an attacker can |
57 | | distinguish them, it is easy to use the differences as an oracle to |
58 | | find the secret key, as described in "A Chosen Ciphertext Attack on |
59 | | RSA Optimal Asymmetric Encryption Padding (OAEP) as Standardized in |
60 | | PKCS #1 v2.0", James Manger, Crypto 2001 |
61 | | |
62 | | Also have to be careful about timing attacks! Pointed out by Falko |
63 | | Strenzke. |
64 | | |
65 | | According to the standard (Section 7.1.1), the encryptor always |
66 | | creates a message as follows: |
67 | | i. Concatenate a single octet with hexadecimal value 0x00, |
68 | | maskedSeed, and maskedDB to form an encoded message EM of |
69 | | length k octets as |
70 | | EM = 0x00 || maskedSeed || maskedDB. |
71 | | where k is the length of the modulus N. |
72 | | Therefore, the first byte can always be skipped safely. |
73 | | */ |
74 | |
|
75 | 0 | const uint8_t skip_first = CT::Mask<uint8_t>::is_zero(in[0]).if_set_return(1); |
76 | |
|
77 | 0 | secure_vector<uint8_t> input(in + skip_first, in + in_length); |
78 | |
|
79 | 0 | const size_t hlen = m_Phash.size(); |
80 | |
|
81 | 0 | mgf1_mask(*m_mgf1_hash, |
82 | 0 | &input[hlen], input.size() - hlen, |
83 | 0 | input.data(), hlen); |
84 | |
|
85 | 0 | mgf1_mask(*m_mgf1_hash, |
86 | 0 | input.data(), hlen, |
87 | 0 | &input[hlen], input.size() - hlen); |
88 | |
|
89 | 0 | return oaep_find_delim(valid_mask, input.data(), input.size(), m_Phash); |
90 | 0 | } |
91 | | |
92 | | secure_vector<uint8_t> |
93 | | oaep_find_delim(uint8_t& valid_mask, |
94 | | const uint8_t input[], size_t input_len, |
95 | | const secure_vector<uint8_t>& Phash) |
96 | 189 | { |
97 | 189 | const size_t hlen = Phash.size(); |
98 | | |
99 | | // Too short to be valid, reject immediately |
100 | 189 | if(input_len < 1 + 2*hlen) |
101 | 6 | { |
102 | 6 | return secure_vector<uint8_t>(); |
103 | 6 | } |
104 | | |
105 | 183 | CT::poison(input, input_len); |
106 | | |
107 | 183 | size_t delim_idx = 2 * hlen; |
108 | 183 | CT::Mask<uint8_t> waiting_for_delim = CT::Mask<uint8_t>::set(); |
109 | 183 | CT::Mask<uint8_t> bad_input_m = CT::Mask<uint8_t>::cleared(); |
110 | | |
111 | 180k | for(size_t i = delim_idx; i < input_len; ++i) |
112 | 180k | { |
113 | 180k | const auto zero_m = CT::Mask<uint8_t>::is_zero(input[i]); |
114 | 180k | const auto one_m = CT::Mask<uint8_t>::is_equal(input[i], 1); |
115 | | |
116 | 180k | const auto add_m = waiting_for_delim & zero_m; |
117 | | |
118 | 180k | bad_input_m |= waiting_for_delim & ~(zero_m | one_m); |
119 | | |
120 | 180k | delim_idx += add_m.if_set_return(1); |
121 | | |
122 | 180k | waiting_for_delim &= zero_m; |
123 | 180k | } |
124 | | |
125 | | // If we never saw any non-zero byte, then it's not valid input |
126 | 183 | bad_input_m |= waiting_for_delim; |
127 | 183 | bad_input_m |= CT::Mask<uint8_t>::is_zero(ct_compare_u8(&input[hlen], Phash.data(), hlen)); |
128 | | |
129 | 183 | delim_idx += 1; |
130 | | |
131 | 183 | valid_mask = (~bad_input_m).unpoisoned_value(); |
132 | 183 | const secure_vector<uint8_t> output = CT::copy_output(bad_input_m, input, input_len, delim_idx); |
133 | | |
134 | 183 | CT::unpoison(input, input_len); |
135 | | |
136 | 183 | return output; |
137 | 183 | } |
138 | | |
139 | | /* |
140 | | * Return the max input size for a given key size |
141 | | */ |
142 | | size_t OAEP::maximum_input_size(size_t keybits) const |
143 | 0 | { |
144 | 0 | if(keybits / 8 > 2*m_Phash.size() + 1) |
145 | 0 | return ((keybits / 8) - 2*m_Phash.size() - 1); |
146 | 0 | else |
147 | 0 | return 0; |
148 | 0 | } |
149 | | |
150 | | OAEP::OAEP(std::unique_ptr<HashFunction> hash, |
151 | | const std::string& P) : |
152 | | m_mgf1_hash(std::move(hash)) |
153 | 0 | { |
154 | 0 | m_Phash = m_mgf1_hash->process(P); |
155 | 0 | } |
156 | | |
157 | | OAEP::OAEP(std::unique_ptr<HashFunction> hash, |
158 | | std::unique_ptr<HashFunction> mgf1_hash, |
159 | | const std::string& P) : |
160 | | m_mgf1_hash(std::move(mgf1_hash)) |
161 | 0 | { |
162 | 0 | auto phash = std::move(hash); |
163 | 0 | m_Phash = phash->process(P); |
164 | 0 | } |
165 | | |
166 | | } |