Rename the various pubkey padding schemes to match the common names.

Way back when, following IEEE 1363 naming seemed like a good idea. But not so much.

3 files changed, 189 insertions, 0 deletions

diff --git a/src/lib/pk_pad/emsa_pssr/info.txt b/src/lib/pk_pad/emsa_pssr/info.txt
new file mode 100644
index 000000000..349cc0988
--- /dev/null
+++ b/src/lib/pk_pad/emsa_pssr/info.txt
@@ -0,0 +1,6 @@
+define EMSA_PSSR 20131128
+
+<requires>
+hash
+mgf1
+</requires>
diff --git a/src/lib/pk_pad/emsa_pssr/pssr.cpp b/src/lib/pk_pad/emsa_pssr/pssr.cpp
new file mode 100644
index 000000000..663d8089c
--- /dev/null
+++ b/src/lib/pk_pad/emsa_pssr/pssr.cpp
@@ -0,0 +1,134 @@
+/*
+* PSSR
+* (C) 1999-2007 Jack Lloyd
+*
+* Distributed under the terms of the Botan license
+*/
+
+#include <botan/pssr.h>
+#include <botan/mgf1.h>
+#include <botan/internal/bit_ops.h>
+#include <botan/internal/xor_buf.h>
+
+namespace Botan {
+
+/*
+* PSSR Update Operation
+*/
+void PSSR::update(const byte input[], size_t length)
+   {
+   hash->update(input, length);
+   }
+
+/*
+* Return the raw (unencoded) data
+*/
+secure_vector<byte> PSSR::raw_data()
+   {
+   return hash->final();
+   }
+
+/*
+* PSSR Encode Operation
+*/
+secure_vector<byte> PSSR::encoding_of(const secure_vector<byte>& msg,
+                                      size_t output_bits,
+                                      RandomNumberGenerator& rng)
+   {
+   const size_t HASH_SIZE = hash->output_length();
+
+   if(msg.size() != HASH_SIZE)
+      throw Encoding_Error("PSSR::encoding_of: Bad input length");
+   if(output_bits < 8*HASH_SIZE + 8*SALT_SIZE + 9)
+      throw Encoding_Error("PSSR::encoding_of: Output length is too small");
+
+   const size_t output_length = (output_bits + 7) / 8;
+
+   secure_vector<byte> salt = rng.random_vec(SALT_SIZE);
+
+   for(size_t j = 0; j != 8; ++j)
+      hash->update(0);
+   hash->update(msg);
+   hash->update(salt);
+   secure_vector<byte> H = hash->final();
+
+   secure_vector<byte> EM(output_length);
+
+   EM[output_length - HASH_SIZE - SALT_SIZE - 2] = 0x01;
+   buffer_insert(EM, output_length - 1 - HASH_SIZE - SALT_SIZE, salt);
+   mgf1_mask(*hash, &H[0], HASH_SIZE, &EM[0], output_length - HASH_SIZE - 1);
+   EM[0] &= 0xFF >> (8 * ((output_bits + 7) / 8) - output_bits);
+   buffer_insert(EM, output_length - 1 - HASH_SIZE, H);
+   EM[output_length-1] = 0xBC;
+
+   return EM;
+   }
+
+/*
+* PSSR Decode/Verify Operation
+*/
+bool PSSR::verify(const secure_vector<byte>& const_coded,
+                   const secure_vector<byte>& raw, size_t key_bits)
+   {
+   const size_t HASH_SIZE = hash->output_length();
+   const size_t KEY_BYTES = (key_bits + 7) / 8;
+
+   if(key_bits < 8*HASH_SIZE + 9)
+      return false;
+
+   if(raw.size() != HASH_SIZE)
+      return false;
+
+   if(const_coded.size() > KEY_BYTES || const_coded.size() <= 1)
+      return false;
+
+   if(const_coded[const_coded.size()-1] != 0xBC)
+      return false;
+
+   secure_vector<byte> coded = const_coded;
+   if(coded.size() < KEY_BYTES)
+      {
+      secure_vector<byte> temp(KEY_BYTES);
+      buffer_insert(temp, KEY_BYTES - coded.size(), coded);
+      coded = temp;
+      }
+
+   const size_t TOP_BITS = 8 * ((key_bits + 7) / 8) - key_bits;
+   if(TOP_BITS > 8 - high_bit(coded[0]))
+      return false;
+
+   byte* DB = &coded[0];
+   const size_t DB_size = coded.size() - HASH_SIZE - 1;
+
+   const byte* H = &coded[DB_size];
+   const size_t H_size = HASH_SIZE;
+
+   mgf1_mask(*hash, &H[0], H_size, &DB[0], DB_size);
+   DB[0] &= 0xFF >> TOP_BITS;
+
+   size_t salt_offset = 0;
+   for(size_t j = 0; j != DB_size; ++j)
+      {
+      if(DB[j] == 0x01)
+         { salt_offset = j + 1; break; }
+      if(DB[j])
+         return false;
+      }
+   if(salt_offset == 0)
+      return false;
+
+   for(size_t j = 0; j != 8; ++j)
+      hash->update(0);
+   hash->update(raw);
+   hash->update(&DB[salt_offset], DB_size - salt_offset);
+   secure_vector<byte> H2 = hash->final();
+
+   return same_mem(&H[0], &H2[0], HASH_SIZE);
+   }
+
+PSSR::PSSR(HashFunction* h, size_t salt_size) :
+   SALT_SIZE(salt_size ? salt_size : h->output_length()), hash(h)
+   {
+   }
+
+}
diff --git a/src/lib/pk_pad/emsa_pssr/pssr.h b/src/lib/pk_pad/emsa_pssr/pssr.h
new file mode 100644
index 000000000..19f490607
--- /dev/null
+++ b/src/lib/pk_pad/emsa_pssr/pssr.h
@@ -0,0 +1,49 @@
+/*
+* PSSR
+* (C) 1999-2007 Jack Lloyd
+*
+* Distributed under the terms of the Botan license
+*/
+
+#ifndef BOTAN_PSSR_H__
+#define BOTAN_PSSR_H__
+
+#include <botan/emsa.h>
+#include <botan/hash.h>
+#include <memory>
+
+namespace Botan {
+
+/**
+* PSSR (called EMSA4 in IEEE 1363 and in old versions of the library)
+*/
+class BOTAN_DLL PSSR : public EMSA
+   {
+   public:
+
+      /**
+      * @param hash the hash object to use
+      * @param salt_size the size of the salt to use in bytes
+      *        or zero to use the default
+      */
+      PSSR(HashFunction* hash, size_t salt_size = 0);
+   private:
+      void update(const byte input[], size_t length);
+
+      secure_vector<byte> raw_data();
+
+      secure_vector<byte> encoding_of(const secure_vector<byte>& msg,
+                                      size_t output_bits,
+                                      RandomNumberGenerator& rng);
+
+      bool verify(const secure_vector<byte>& coded,
+                  const secure_vector<byte>& raw,
+                  size_t key_bits);
+
+      size_t SALT_SIZE;
+      std::unique_ptr<HashFunction> hash;
+   };
+
+}
+
+#endif