/src/botan/src/lib/pk_pad/eme_pkcs1/eme_pkcs.cpp
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * PKCS #1 v1.5 Type 2 (encryption) padding |
3 | | * (C) 1999-2007,2015,2016 Jack Lloyd |
4 | | * |
5 | | * Botan is released under the Simplified BSD License (see license.txt) |
6 | | */ |
7 | | |
8 | | #include <botan/internal/eme_pkcs.h> |
9 | | #include <botan/exceptn.h> |
10 | | #include <botan/rng.h> |
11 | | #include <botan/internal/ct_utils.h> |
12 | | |
13 | | namespace Botan { |
14 | | |
15 | | /* |
16 | | * PKCS1 Pad Operation |
17 | | */ |
18 | | secure_vector<uint8_t> EME_PKCS1v15::pad(const uint8_t in[], size_t inlen, |
19 | | size_t key_length, |
20 | | RandomNumberGenerator& rng) const |
21 | 0 | { |
22 | 0 | key_length /= 8; |
23 | |
|
24 | 0 | if(inlen > maximum_input_size(key_length * 8)) |
25 | 0 | { |
26 | 0 | throw Invalid_Argument("PKCS1: Input is too large"); |
27 | 0 | } |
28 | | |
29 | 0 | secure_vector<uint8_t> out(key_length); |
30 | |
|
31 | 0 | out[0] = 0x02; |
32 | 0 | rng.randomize(out.data() + 1, (key_length - inlen - 2)); |
33 | |
|
34 | 0 | for(size_t j = 1; j != key_length - inlen - 1; ++j) |
35 | 0 | { |
36 | 0 | if(out[j] == 0) |
37 | 0 | { |
38 | 0 | out[j] = rng.next_nonzero_byte(); |
39 | 0 | } |
40 | 0 | } |
41 | |
|
42 | 0 | buffer_insert(out, key_length - inlen, in, inlen); |
43 | |
|
44 | 0 | return out; |
45 | 0 | } |
46 | | |
47 | | /* |
48 | | * PKCS1 Unpad Operation |
49 | | */ |
50 | | secure_vector<uint8_t> EME_PKCS1v15::unpad(uint8_t& valid_mask, |
51 | | const uint8_t in[], size_t inlen) const |
52 | 167 | { |
53 | | /* |
54 | | * RSA decryption pads the ciphertext up to the modulus size, so this only |
55 | | * occurs with very (!) small keys, or when fuzzing. |
56 | | * |
57 | | * 11 bytes == 00,02 + 8 bytes mandatory padding + 00 |
58 | | */ |
59 | 167 | if(inlen < 11) |
60 | 39 | { |
61 | 39 | valid_mask = false; |
62 | 39 | return secure_vector<uint8_t>(); |
63 | 39 | } |
64 | | |
65 | 128 | CT::poison(in, inlen); |
66 | | |
67 | 128 | CT::Mask<uint8_t> bad_input_m = CT::Mask<uint8_t>::cleared(); |
68 | 128 | CT::Mask<uint8_t> seen_zero_m = CT::Mask<uint8_t>::cleared(); |
69 | 128 | size_t delim_idx = 2; // initial 0002 |
70 | | |
71 | 128 | bad_input_m |= ~CT::Mask<uint8_t>::is_equal(in[0], 0); |
72 | 128 | bad_input_m |= ~CT::Mask<uint8_t>::is_equal(in[1], 2); |
73 | | |
74 | 222k | for(size_t i = 2; i < inlen; ++i) |
75 | 222k | { |
76 | 222k | const auto is_zero_m = CT::Mask<uint8_t>::is_zero(in[i]); |
77 | 222k | delim_idx += seen_zero_m.if_not_set_return(1); |
78 | 222k | seen_zero_m |= is_zero_m; |
79 | 222k | } |
80 | | |
81 | | // no zero delim -> bad padding |
82 | 128 | bad_input_m |= ~seen_zero_m; |
83 | | /* |
84 | | delim indicates < 8 bytes padding -> bad padding |
85 | | |
86 | | We require 11 here because we are counting also the 00 delim byte |
87 | | */ |
88 | 128 | bad_input_m |= CT::Mask<uint8_t>(CT::Mask<size_t>::is_lt(delim_idx, 11)); |
89 | | |
90 | 128 | valid_mask = (~bad_input_m).unpoisoned_value(); |
91 | 128 | const secure_vector<uint8_t> output = CT::copy_output(bad_input_m, in, inlen, delim_idx); |
92 | | |
93 | 128 | CT::unpoison(in, inlen); |
94 | | |
95 | 128 | return output; |
96 | 167 | } |
97 | | |
98 | | /* |
99 | | * Return the max input size for a given key size |
100 | | */ |
101 | | size_t EME_PKCS1v15::maximum_input_size(size_t keybits) const |
102 | 0 | { |
103 | 0 | if(keybits / 8 > 10) |
104 | 0 | return ((keybits / 8) - 10); |
105 | 0 | else |
106 | 0 | return 0; |
107 | 0 | } |
108 | | |
109 | | } |