aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib/pk_pad
diff options
context:
space:
mode:
authorlloyd <[email protected]>2014-01-10 03:41:59 +0000
committerlloyd <[email protected]>2014-01-10 03:41:59 +0000
commit6894dca64c04936d07048c0e8cbf7e25858548c3 (patch)
tree5d572bfde9fe667dab14e3f04b5285a85d8acd95 /src/lib/pk_pad
parent9efa3be92442afb3d0b69890a36c7f122df18eda (diff)
Move lib into src
Diffstat (limited to 'src/lib/pk_pad')
-rw-r--r--src/lib/pk_pad/eme.cpp50
-rw-r--r--src/lib/pk_pad/eme.h109
-rw-r--r--src/lib/pk_pad/eme1/eme1.cpp130
-rw-r--r--src/lib/pk_pad/eme1/eme1.h43
-rw-r--r--src/lib/pk_pad/eme1/info.txt9
-rw-r--r--src/lib/pk_pad/eme_pkcs/eme_pkcs.cpp70
-rw-r--r--src/lib/pk_pad/eme_pkcs/eme_pkcs.h30
-rw-r--r--src/lib/pk_pad/eme_pkcs/info.txt1
-rw-r--r--src/lib/pk_pad/emsa.h68
-rw-r--r--src/lib/pk_pad/emsa1/emsa1.cpp105
-rw-r--r--src/lib/pk_pad/emsa1/emsa1.h48
-rw-r--r--src/lib/pk_pad/emsa1/info.txt5
-rw-r--r--src/lib/pk_pad/emsa1_bsi/emsa1_bsi.cpp29
-rw-r--r--src/lib/pk_pad/emsa1_bsi/emsa1_bsi.h35
-rw-r--r--src/lib/pk_pad/emsa1_bsi/info.txt5
-rw-r--r--src/lib/pk_pad/emsa2/emsa2.cpp112
-rw-r--r--src/lib/pk_pad/emsa2/emsa2.h45
-rw-r--r--src/lib/pk_pad/emsa2/info.txt6
-rw-r--r--src/lib/pk_pad/emsa3/emsa3.cpp152
-rw-r--r--src/lib/pk_pad/emsa3/emsa3.h68
-rw-r--r--src/lib/pk_pad/emsa3/info.txt6
-rw-r--r--src/lib/pk_pad/emsa4/emsa4.cpp146
-rw-r--r--src/lib/pk_pad/emsa4/emsa4.h51
-rw-r--r--src/lib/pk_pad/emsa4/info.txt7
-rw-r--r--src/lib/pk_pad/emsa_raw/emsa_raw.cpp68
-rw-r--r--src/lib/pk_pad/emsa_raw/emsa_raw.h35
-rw-r--r--src/lib/pk_pad/emsa_raw/info.txt1
-rw-r--r--src/lib/pk_pad/get_pk_pad.cpp139
-rw-r--r--src/lib/pk_pad/hash_id/hash_id.cpp129
-rw-r--r--src/lib/pk_pad/hash_id/hash_id.h34
-rw-r--r--src/lib/pk_pad/hash_id/info.txt5
-rw-r--r--src/lib/pk_pad/info.txt8
32 files changed, 1749 insertions, 0 deletions
diff --git a/src/lib/pk_pad/eme.cpp b/src/lib/pk_pad/eme.cpp
new file mode 100644
index 000000000..f90239d8c
--- /dev/null
+++ b/src/lib/pk_pad/eme.cpp
@@ -0,0 +1,50 @@
+/*
+* EME Base Class
+* (C) 1999-2008 Jack Lloyd
+*
+* Distributed under the terms of the Botan license
+*/
+
+#include <botan/eme.h>
+
+namespace Botan {
+
+/*
+* Encode a message
+*/
+secure_vector<byte> EME::encode(const byte msg[], size_t msg_len,
+ size_t key_bits,
+ RandomNumberGenerator& rng) const
+ {
+ return pad(msg, msg_len, key_bits, rng);
+ }
+
+/*
+* Encode a message
+*/
+secure_vector<byte> EME::encode(const secure_vector<byte>& msg,
+ size_t key_bits,
+ RandomNumberGenerator& rng) const
+ {
+ return pad(&msg[0], msg.size(), key_bits, rng);
+ }
+
+/*
+* Decode a message
+*/
+secure_vector<byte> EME::decode(const byte msg[], size_t msg_len,
+ size_t key_bits) const
+ {
+ return unpad(msg, msg_len, key_bits);
+ }
+
+/*
+* Decode a message
+*/
+secure_vector<byte> EME::decode(const secure_vector<byte>& msg,
+ size_t key_bits) const
+ {
+ return unpad(&msg[0], msg.size(), key_bits);
+ }
+
+}
diff --git a/src/lib/pk_pad/eme.h b/src/lib/pk_pad/eme.h
new file mode 100644
index 000000000..358b4f144
--- /dev/null
+++ b/src/lib/pk_pad/eme.h
@@ -0,0 +1,109 @@
+/*
+* EME Classes
+* (C) 1999-2007 Jack Lloyd
+*
+* Distributed under the terms of the Botan license
+*/
+
+#ifndef BOTAN_PUBKEY_EME_ENCRYPTION_PAD_H__
+#define BOTAN_PUBKEY_EME_ENCRYPTION_PAD_H__
+
+#include <botan/secmem.h>
+#include <botan/rng.h>
+
+namespace Botan {
+
+/**
+* Encoding Method for Encryption
+*/
+class BOTAN_DLL EME
+ {
+ public:
+ /**
+ * Return the maximum input size in bytes we can support
+ * @param keybits the size of the key in bits
+ * @return upper bound of input in bytes
+ */
+ virtual size_t maximum_input_size(size_t keybits) const = 0;
+
+ /**
+ * Encode an input
+ * @param in the plaintext
+ * @param in_length length of plaintext in bytes
+ * @param key_length length of the key in bits
+ * @param rng a random number generator
+ * @return encoded plaintext
+ */
+ secure_vector<byte> encode(const byte in[],
+ size_t in_length,
+ size_t key_length,
+ RandomNumberGenerator& rng) const;
+
+ /**
+ * Encode an input
+ * @param in the plaintext
+ * @param key_length length of the key in bits
+ * @param rng a random number generator
+ * @return encoded plaintext
+ */
+ secure_vector<byte> encode(const secure_vector<byte>& in,
+ size_t key_length,
+ RandomNumberGenerator& rng) const;
+
+ /**
+ * Decode an input
+ * @param in the encoded plaintext
+ * @param in_length length of encoded plaintext in bytes
+ * @param key_length length of the key in bits
+ * @return plaintext
+ */
+ secure_vector<byte> decode(const byte in[],
+ size_t in_length,
+ size_t key_length) const;
+
+ /**
+ * Decode an input
+ * @param in the encoded plaintext
+ * @param key_length length of the key in bits
+ * @return plaintext
+ */
+ secure_vector<byte> decode(const secure_vector<byte>& in,
+ size_t key_length) const;
+
+ virtual ~EME() {}
+ private:
+ /**
+ * Encode an input
+ * @param in the plaintext
+ * @param in_length length of plaintext in bytes
+ * @param key_length length of the key in bits
+ * @param rng a random number generator
+ * @return encoded plaintext
+ */
+ virtual secure_vector<byte> pad(const byte in[],
+ size_t in_length,
+ size_t key_length,
+ RandomNumberGenerator& rng) const = 0;
+
+ /**
+ * Decode an input
+ * @param in the encoded plaintext
+ * @param in_length length of encoded plaintext in bytes
+ * @param key_length length of the key in bits
+ * @return plaintext
+ */
+ virtual secure_vector<byte> unpad(const byte in[],
+ size_t in_length,
+ size_t key_length) const = 0;
+ };
+
+/**
+* Factory method for EME (message-encoding methods for encryption) objects
+* @param algo_spec the name of the EME to create
+* @return pointer to newly allocated object of that type
+*/
+BOTAN_DLL EME* get_eme(const std::string& algo_spec);
+
+}
+
+#endif
diff --git a/src/lib/pk_pad/eme1/eme1.cpp b/src/lib/pk_pad/eme1/eme1.cpp
new file mode 100644
index 000000000..dadb44d0a
--- /dev/null
+++ b/src/lib/pk_pad/eme1/eme1.cpp
@@ -0,0 +1,130 @@
+/*
+* EME1 (aka OAEP)
+* (C) 1999-2010 Jack Lloyd
+*
+* Distributed under the terms of the Botan license
+*/
+
+#include <botan/eme1.h>
+#include <botan/mgf1.h>
+#include <botan/mem_ops.h>
+#include <memory>
+
+namespace Botan {
+
+/*
+* EME1 Pad Operation
+*/
+secure_vector<byte> EME1::pad(const byte in[], size_t in_length,
+ size_t key_length,
+ RandomNumberGenerator& rng) const
+ {
+ key_length /= 8;
+
+ if(key_length < in_length + 2*Phash.size() + 1)
+ throw Invalid_Argument("EME1: Input is too large");
+
+ secure_vector<byte> out(key_length);
+
+ rng.randomize(&out[0], Phash.size());
+
+ buffer_insert(out, Phash.size(), &Phash[0], Phash.size());
+ out[out.size() - in_length - 1] = 0x01;
+ buffer_insert(out, out.size() - in_length, in, in_length);
+
+ mgf->mask(&out[0], Phash.size(),
+ &out[Phash.size()], out.size() - Phash.size());
+
+ mgf->mask(&out[Phash.size()], out.size() - Phash.size(),
+ &out[0], Phash.size());
+
+ return out;
+ }
+
+/*
+* EME1 Unpad Operation
+*/
+secure_vector<byte> EME1::unpad(const byte in[], size_t in_length,
+ size_t key_length) const
+ {
+ /*
+ Must be careful about error messages here; if an attacker can
+ distinguish them, it is easy to use the differences as an oracle to
+ find the secret key, as described in "A Chosen Ciphertext Attack on
+ RSA Optimal Asymmetric Encryption Padding (OAEP) as Standardized in
+ PKCS #1 v2.0", James Manger, Crypto 2001
+
+ Also have to be careful about timing attacks! Pointed out by Falko
+ Strenzke.
+ */
+
+ key_length /= 8;
+
+ // Invalid input: truncate to zero length input, causing later
+ // checks to fail
+ if(in_length > key_length)
+ in_length = 0;
+
+ secure_vector<byte> input(key_length);
+ buffer_insert(input, key_length - in_length, in, in_length);
+
+ mgf->mask(&input[Phash.size()], input.size() - Phash.size(),
+ &input[0], Phash.size());
+ mgf->mask(&input[0], Phash.size(),
+ &input[Phash.size()], input.size() - Phash.size());
+
+ bool waiting_for_delim = true;
+ bool bad_input = false;
+ size_t delim_idx = 2 * Phash.size();
+
+ /*
+ * GCC 4.5 on x86-64 compiles this in a way that is still vunerable
+ * to timing analysis. Other compilers, or GCC on other platforms,
+ * may or may not.
+ */
+ for(size_t i = delim_idx; i < input.size(); ++i)
+ {
+ const bool zero_p = !input[i];
+ const bool one_p = input[i] == 0x01;
+
+ const bool add_1 = waiting_for_delim && zero_p;
+
+ bad_input |= waiting_for_delim && !(zero_p || one_p);
+
+ delim_idx += add_1;
+
+ waiting_for_delim &= zero_p;
+ }
+
+ // If we never saw any non-zero byte, then it's not valid input
+ bad_input |= waiting_for_delim;
+
+ bad_input |= !same_mem(&input[Phash.size()], &Phash[0], Phash.size());
+
+ if(bad_input)
+ throw Decoding_Error("Invalid EME1 encoding");
+
+ return secure_vector<byte>(&input[delim_idx + 1], &input[input.size()]);
+ }
+
+/*
+* Return the max input size for a given key size
+*/
+size_t EME1::maximum_input_size(size_t keybits) const
+ {
+ if(keybits / 8 > 2*Phash.size() + 1)
+ return ((keybits / 8) - 2*Phash.size() - 1);
+ else
+ return 0;
+ }
+
+/*
+* EME1 Constructor
+*/
+EME1::EME1(HashFunction* hash, const std::string& P)
+ {
+ Phash = hash->process(P);
+ mgf = new MGF1(hash);
+ }
+
+}
diff --git a/src/lib/pk_pad/eme1/eme1.h b/src/lib/pk_pad/eme1/eme1.h
new file mode 100644
index 000000000..eb6fc6bf5
--- /dev/null
+++ b/src/lib/pk_pad/eme1/eme1.h
@@ -0,0 +1,43 @@
+/*
+* EME1
+* (C) 1999-2007 Jack Lloyd
+*
+* Distributed under the terms of the Botan license
+*/
+
+#ifndef BOTAN_EME1_H__
+#define BOTAN_EME1_H__
+
+#include <botan/eme.h>
+#include <botan/kdf.h>
+#include <botan/hash.h>
+
+namespace Botan {
+
+/**
+* EME1, aka OAEP
+*/
+class BOTAN_DLL EME1 : public EME
+ {
+ public:
+ size_t maximum_input_size(size_t) const;
+
+ /**
+ * @param hash object to use for hashing (takes ownership)
+ * @param P an optional label. Normally empty.
+ */
+ EME1(HashFunction* hash, const std::string& P = "");
+
+ ~EME1() { delete mgf; }
+ private:
+ secure_vector<byte> pad(const byte[], size_t, size_t,
+ RandomNumberGenerator&) const;
+ secure_vector<byte> unpad(const byte[], size_t, size_t) const;
+
+ secure_vector<byte> Phash;
+ MGF* mgf;
+ };
+
+}
+
+#endif
diff --git a/src/lib/pk_pad/eme1/info.txt b/src/lib/pk_pad/eme1/info.txt
new file mode 100644
index 000000000..7e911f495
--- /dev/null
+++ b/src/lib/pk_pad/eme1/info.txt
@@ -0,0 +1,9 @@
+define EME1 20131128
+
+load_on auto
+
+<requires>
+hash
+kdf
+mgf1
+</requires>
diff --git a/src/lib/pk_pad/eme_pkcs/eme_pkcs.cpp b/src/lib/pk_pad/eme_pkcs/eme_pkcs.cpp
new file mode 100644
index 000000000..0e7d1fc30
--- /dev/null
+++ b/src/lib/pk_pad/eme_pkcs/eme_pkcs.cpp
@@ -0,0 +1,70 @@
+/*
+* PKCS1 EME
+* (C) 1999-2007 Jack Lloyd
+*
+* Distributed under the terms of the Botan license
+*/
+
+#include <botan/eme_pkcs.h>
+
+namespace Botan {
+
+/*
+* PKCS1 Pad Operation
+*/
+secure_vector<byte> EME_PKCS1v15::pad(const byte in[], size_t inlen,
+ size_t olen,
+ RandomNumberGenerator& rng) const
+ {
+ olen /= 8;
+
+ if(olen < 10)
+ throw Encoding_Error("PKCS1: Output space too small");
+ if(inlen > olen - 10)
+ throw Encoding_Error("PKCS1: Input is too large");
+
+ secure_vector<byte> out(olen);
+
+ out[0] = 0x02;
+ for(size_t j = 1; j != olen - inlen - 1; ++j)
+ while(out[j] == 0)
+ out[j] = rng.next_byte();
+ buffer_insert(out, olen - inlen, in, inlen);
+
+ return out;
+ }
+
+/*
+* PKCS1 Unpad Operation
+*/
+secure_vector<byte> EME_PKCS1v15::unpad(const byte in[], size_t inlen,
+ size_t key_len) const
+ {
+ if(inlen != key_len / 8 || inlen < 10 || in[0] != 0x02)
+ throw Decoding_Error("PKCS1::unpad");
+
+ size_t seperator = 0;
+ for(size_t j = 0; j != inlen; ++j)
+ if(in[j] == 0)
+ {
+ seperator = j;
+ break;
+ }
+ if(seperator < 9)
+ throw Decoding_Error("PKCS1::unpad");
+
+ return secure_vector<byte>(&in[seperator + 1], &in[inlen]);
+ }
+
+/*
+* Return the max input size for a given key size
+*/
+size_t EME_PKCS1v15::maximum_input_size(size_t keybits) const
+ {
+ if(keybits / 8 > 10)
+ return ((keybits / 8) - 10);
+ else
+ return 0;
+ }
+
+}
diff --git a/src/lib/pk_pad/eme_pkcs/eme_pkcs.h b/src/lib/pk_pad/eme_pkcs/eme_pkcs.h
new file mode 100644
index 000000000..2808e18d6
--- /dev/null
+++ b/src/lib/pk_pad/eme_pkcs/eme_pkcs.h
@@ -0,0 +1,30 @@
+/*
+* EME PKCS#1 v1.5
+* (C) 1999-2007 Jack Lloyd
+*
+* Distributed under the terms of the Botan license
+*/
+
+#ifndef BOTAN_EME_PKCS1_H__
+#define BOTAN_EME_PKCS1_H__
+
+#include <botan/eme.h>
+
+namespace Botan {
+
+/**
+* EME from PKCS #1 v1.5
+*/
+class BOTAN_DLL EME_PKCS1v15 : public EME
+ {
+ public:
+ size_t maximum_input_size(size_t) const;
+ private:
+ secure_vector<byte> pad(const byte[], size_t, size_t,
+ RandomNumberGenerator&) const;
+ secure_vector<byte> unpad(const byte[], size_t, size_t) const;
+ };
+
+}
+
+#endif
diff --git a/src/lib/pk_pad/eme_pkcs/info.txt b/src/lib/pk_pad/eme_pkcs/info.txt
new file mode 100644
index 000000000..432aaf8eb
--- /dev/null
+++ b/src/lib/pk_pad/eme_pkcs/info.txt
@@ -0,0 +1 @@
+define EME_PKCS1v15 20131128
diff --git a/src/lib/pk_pad/emsa.h b/src/lib/pk_pad/emsa.h
new file mode 100644
index 000000000..5db01ec12
--- /dev/null
+++ b/src/lib/pk_pad/emsa.h
@@ -0,0 +1,68 @@
+/*
+* EMSA Classes
+* (C) 1999-2007 Jack Lloyd
+*
+* Distributed under the terms of the Botan license
+*/
+
+#ifndef BOTAN_PUBKEY_EMSA_H__
+#define BOTAN_PUBKEY_EMSA_H__
+
+#include <botan/secmem.h>
+#include <botan/rng.h>
+
+namespace Botan {
+
+/**
+* Encoding Method for Signatures, Appendix
+*/
+class BOTAN_DLL EMSA
+ {
+ public:
+ /**
+ * Add more data to the signature computation
+ * @param input some data
+ * @param length length of input in bytes
+ */
+ virtual void update(const byte input[], size_t length) = 0;
+
+ /**
+ * @return raw hash
+ */
+ virtual secure_vector<byte> raw_data() = 0;
+
+ /**
+ * Return the encoding of a message
+ * @param msg the result of raw_data()
+ * @param output_bits the desired output bit size
+ * @param rng a random number generator
+ * @return encoded signature
+ */
+ virtual secure_vector<byte> encoding_of(const secure_vector<byte>& msg,
+ size_t output_bits,
+ RandomNumberGenerator& rng) = 0;
+
+ /**
+ * Verify the encoding
+ * @param coded the received (coded) message representative
+ * @param raw the computed (local, uncoded) message representative
+ * @param key_bits the size of the key in bits
+ * @return true if coded is a valid encoding of raw, otherwise false
+ */
+ virtual bool verify(const secure_vector<byte>& coded,
+ const secure_vector<byte>& raw,
+ size_t key_bits) = 0;
+ virtual ~EMSA() {}
+ };
+
+/**
+* Factory method for EMSA (message-encoding methods for signatures
+* with appendix) objects
+* @param algo_spec the name of the EME to create
+* @return pointer to newly allocated object of that type
+*/
+BOTAN_DLL EMSA* get_emsa(const std::string& algo_spec);
+
+}
+
+#endif
diff --git a/src/lib/pk_pad/emsa1/emsa1.cpp b/src/lib/pk_pad/emsa1/emsa1.cpp
new file mode 100644
index 000000000..2358023f8
--- /dev/null
+++ b/src/lib/pk_pad/emsa1/emsa1.cpp
@@ -0,0 +1,105 @@
+/*
+* EMSA1
+* (C) 1999-2007 Jack Lloyd
+*
+* Distributed under the terms of the Botan license
+*/
+
+#include <botan/emsa1.h>
+
+namespace Botan {
+
+namespace {
+
+secure_vector<byte> emsa1_encoding(const secure_vector<byte>& msg,
+ size_t output_bits)
+ {
+ if(8*msg.size() <= output_bits)
+ return msg;
+
+ size_t shift = 8*msg.size() - output_bits;
+
+ size_t byte_shift = shift / 8, bit_shift = shift % 8;
+ secure_vector<byte> digest(msg.size() - byte_shift);
+
+ for(size_t j = 0; j != msg.size() - byte_shift; ++j)
+ digest[j] = msg[j];
+
+ if(bit_shift)
+ {
+ byte carry = 0;
+ for(size_t j = 0; j != digest.size(); ++j)
+ {
+ byte temp = digest[j];
+ digest[j] = (temp >> bit_shift) | carry;
+ carry = (temp << (8 - bit_shift));
+ }
+ }
+ return digest;
+ }
+
+}
+
+/*
+* EMSA1 Update Operation
+*/
+void EMSA1::update(const byte input[], size_t length)
+ {
+ hash->update(input, length);
+ }
+
+/*
+* Return the raw (unencoded) data
+*/
+secure_vector<byte> EMSA1::raw_data()
+ {
+ return hash->final();
+ }
+
+/*
+* EMSA1 Encode Operation
+*/
+secure_vector<byte> EMSA1::encoding_of(const secure_vector<byte>& msg,
+ size_t output_bits,
+ RandomNumberGenerator&)
+ {
+ if(msg.size() != hash->output_length())
+ throw Encoding_Error("EMSA1::encoding_of: Invalid size for input");
+ return emsa1_encoding(msg, output_bits);
+ }
+
+/*
+* EMSA1 Decode/Verify Operation
+*/
+bool EMSA1::verify(const secure_vector<byte>& coded,
+ const secure_vector<byte>& raw, size_t key_bits)
+ {
+ try {
+ if(raw.size() != hash->output_length())
+ throw Encoding_Error("EMSA1::encoding_of: Invalid size for input");
+
+ secure_vector<byte> our_coding = emsa1_encoding(raw, key_bits);
+
+ if(our_coding == coded) return true;
+ if(our_coding.empty() || our_coding[0] != 0) return false;
+ if(our_coding.size() <= coded.size()) return false;
+
+ size_t offset = 0;
+ while(offset < our_coding.size() && our_coding[offset] == 0)
+ ++offset;
+ if(our_coding.size() - offset != coded.size())
+ return false;
+
+ for(size_t j = 0; j != coded.size(); ++j)
+ if(coded[j] != our_coding[j+offset])
+ return false;
+
+ return true;
+ }
+ catch(Invalid_Argument)
+ {
+ return false;
+ }
+ }
+
+}
diff --git a/src/lib/pk_pad/emsa1/emsa1.h b/src/lib/pk_pad/emsa1/emsa1.h
new file mode 100644
index 000000000..f84ca5ae7
--- /dev/null
+++ b/src/lib/pk_pad/emsa1/emsa1.h
@@ -0,0 +1,48 @@
+/*
+* EMSA1
+* (C) 1999-2007 Jack Lloyd
+*
+* Distributed under the terms of the Botan license
+*/
+
+#ifndef BOTAN_EMSA1_H__
+#define BOTAN_EMSA1_H__
+
+#include <botan/emsa.h>
+#include <botan/hash.h>
+
+namespace Botan {
+
+/**
+* EMSA1 from IEEE 1363
+* Essentially, sign the hash directly
+*/
+class BOTAN_DLL EMSA1 : public EMSA
+ {
+ public:
+ /**
+ * @param h the hash object to use
+ */
+ EMSA1(HashFunction* h) : hash(h) {}
+ ~EMSA1() { delete hash; }
+ protected:
+ /**
+ * @return const pointer to the underlying hash
+ */
+ const HashFunction* hash_ptr() const { return hash; }
+ private:
+ void update(const byte[], size_t);
+ secure_vector<byte> raw_data();
+
+ secure_vector<byte> encoding_of(const secure_vector<byte>&, size_t,
+ RandomNumberGenerator& rng);
+
+ bool verify(const secure_vector<byte>&, const secure_vector<byte>&,
+ size_t);
+
+ HashFunction* hash;
+ };
+
+}
+
+#endif
diff --git a/src/lib/pk_pad/emsa1/info.txt b/src/lib/pk_pad/emsa1/info.txt
new file mode 100644
index 000000000..83d9744e6
--- /dev/null
+++ b/src/lib/pk_pad/emsa1/info.txt
@@ -0,0 +1,5 @@
+define EMSA1 20131128
+
+<requires>
+hash
+</requires>
diff --git a/src/lib/pk_pad/emsa1_bsi/emsa1_bsi.cpp b/src/lib/pk_pad/emsa1_bsi/emsa1_bsi.cpp
new file mode 100644
index 000000000..9096edfbf
--- /dev/null
+++ b/src/lib/pk_pad/emsa1_bsi/emsa1_bsi.cpp
@@ -0,0 +1,29 @@
+/*
+* EMSA1 BSI
+* (C) 1999-2008 Jack Lloyd
+* 2008 Falko Strenzke, FlexSecure GmbH
+*
+* Distributed under the terms of the Botan license
+*/
+
+#include <botan/emsa1_bsi.h>
+
+namespace Botan {
+
+/*
+* EMSA1 BSI Encode Operation
+*/
+secure_vector<byte> EMSA1_BSI::encoding_of(const secure_vector<byte>& msg,
+ size_t output_bits,
+ RandomNumberGenerator&)
+ {
+ if(msg.size() != hash_ptr()->output_length())
+ throw Encoding_Error("EMSA1_BSI::encoding_of: Invalid size for input");
+
+ if(8*msg.size() <= output_bits)
+ return msg;
+
+ throw Encoding_Error("EMSA1_BSI::encoding_of: max key input size exceeded");
+ }
+
+}
diff --git a/src/lib/pk_pad/emsa1_bsi/emsa1_bsi.h b/src/lib/pk_pad/emsa1_bsi/emsa1_bsi.h
new file mode 100644
index 000000000..1b90f48df
--- /dev/null
+++ b/src/lib/pk_pad/emsa1_bsi/emsa1_bsi.h
@@ -0,0 +1,35 @@
+/*
+* EMSA1 BSI Variant
+* (C) 1999-2008 Jack Lloyd
+* 2007 FlexSecure GmbH
+*
+* Distributed under the terms of the Botan license
+*/
+
+#ifndef BOTAN_EMSA1_BSI_H__
+#define BOTAN_EMSA1_BSI_H__
+
+#include <botan/emsa1.h>
+
+namespace Botan {
+
+/**
+EMSA1_BSI is a variant of EMSA1 specified by the BSI. It accepts only
+hash values which are less or equal than the maximum key length. The
+implementation comes from InSiTo
+*/
+class BOTAN_DLL EMSA1_BSI : public EMSA1
+ {
+ public:
+ /**
+ * @param hash the hash object to use
+ */
+ EMSA1_BSI(HashFunction* hash) : EMSA1(hash) {}
+ private:
+ secure_vector<byte> encoding_of(const secure_vector<byte>&, size_t,
+ RandomNumberGenerator& rng);
+ };
+
+}
+
+#endif
diff --git a/src/lib/pk_pad/emsa1_bsi/info.txt b/src/lib/pk_pad/emsa1_bsi/info.txt
new file mode 100644
index 000000000..021c99720
--- /dev/null
+++ b/src/lib/pk_pad/emsa1_bsi/info.txt
@@ -0,0 +1,5 @@
+define EMSA1_BSI 20131128
+
+<requires>
+emsa1
+</requires>
diff --git a/src/lib/pk_pad/emsa2/emsa2.cpp b/src/lib/pk_pad/emsa2/emsa2.cpp
new file mode 100644
index 000000000..02a3dbe72
--- /dev/null
+++ b/src/lib/pk_pad/emsa2/emsa2.cpp
@@ -0,0 +1,112 @@
+/*
+* EMSA2
+* (C) 1999-2007 Jack Lloyd
+*
+* Distributed under the terms of the Botan license
+*/
+
+#include <botan/emsa2.h>
+#include <botan/hash_id.h>
+
+namespace Botan {
+
+namespace {
+
+/*
+* EMSA2 Encode Operation
+*/
+secure_vector<byte> emsa2_encoding(const secure_vector<byte>& msg,
+ size_t output_bits,
+ const secure_vector<byte>& empty_hash,
+ byte hash_id)
+ {
+ const size_t HASH_SIZE = empty_hash.size();
+
+ size_t output_length = (output_bits + 1) / 8;
+
+ if(msg.size() != HASH_SIZE)
+ throw Encoding_Error("EMSA2::encoding_of: Bad input length");
+ if(output_length < HASH_SIZE + 4)
+ throw Encoding_Error("EMSA2::encoding_of: Output length is too small");
+
+ bool empty = true;
+ for(size_t j = 0; j != HASH_SIZE; ++j)
+ if(empty_hash[j] != msg[j])
+ empty = false;
+
+ secure_vector<byte> output(output_length);
+
+ output[0] = (empty ? 0x4B : 0x6B);
+ output[output_length - 3 - HASH_SIZE] = 0xBA;
+ set_mem(&output[1], output_length - 4 - HASH_SIZE, 0xBB);
+ buffer_insert(output, output_length - (HASH_SIZE + 2), &msg[0], msg.size());
+ output[output_length-2] = hash_id;
+ output[output_length-1] = 0xCC;
+
+ return output;
+ }
+
+}
+
+/*
+* EMSA2 Update Operation
+*/
+void EMSA2::update(const byte input[], size_t length)
+ {
+ hash->update(input, length);
+ }
+
+/*
+* Return the raw (unencoded) data
+*/
+secure_vector<byte> EMSA2::raw_data()
+ {
+ return hash->final();
+ }
+
+/*
+* EMSA2 Encode Operation
+*/
+secure_vector<byte> EMSA2::encoding_of(const secure_vector<byte>& msg,
+ size_t output_bits,
+ RandomNumberGenerator&)
+ {
+ return emsa2_encoding(msg, output_bits, empty_hash, hash_id);
+ }
+
+/*
+* EMSA2 Verify Operation
+*/
+bool EMSA2::verify(const secure_vector<byte>& coded,
+ const secure_vector<byte>& raw,
+ size_t key_bits)
+ {
+ try
+ {
+ return (coded == emsa2_encoding(raw, key_bits,
+ empty_hash, hash_id));
+ }
+ catch(...)
+ {
+ return false;
+ }
+ }
+
+/*
+* EMSA2 Constructor
+*/
+EMSA2::EMSA2(HashFunction* hash_in) : hash(hash_in)
+ {
+ empty_hash = hash->final();
+
+ const std::string hash_name = hash->name();
+ hash_id = ieee1363_hash_id(hash_name);
+
+ if(hash_id == 0)
+ {
+ delete hash;
+ throw Encoding_Error("EMSA2 no hash identifier for " + hash_name);
+ }
+ }
+
+}
diff --git a/src/lib/pk_pad/emsa2/emsa2.h b/src/lib/pk_pad/emsa2/emsa2.h
new file mode 100644
index 000000000..fb0cecb21
--- /dev/null
+++ b/src/lib/pk_pad/emsa2/emsa2.h
@@ -0,0 +1,45 @@
+/*
+* EMSA2
+* (C) 1999-2007 Jack Lloyd
+*
+* Distributed under the terms of the Botan license
+*/
+
+#ifndef BOTAN_EMSA2_H__
+#define BOTAN_EMSA2_H__
+
+#include <botan/emsa.h>
+#include <botan/hash.h>
+
+namespace Botan {
+
+/**
+* EMSA2 from IEEE 1363
+* Useful for Rabin-Williams
+*/
+class BOTAN_DLL EMSA2 : public EMSA
+ {
+ public:
+ /**
+ * @param hash the hash object to use
+ */
+ EMSA2(HashFunction* hash);
+ ~EMSA2() { delete hash; }
+ private:
+ void update(const byte[], size_t);
+ secure_vector<byte> raw_data();
+
+ secure_vector<byte> encoding_of(const secure_vector<byte>&, size_t,
+ RandomNumberGenerator& rng);
+
+ bool verify(const secure_vector<byte>&, const secure_vector<byte>&,
+ size_t);
+
+ secure_vector<byte> empty_hash;
+ HashFunction* hash;
+ byte hash_id;
+ };
+
+}
+
+#endif
diff --git a/src/lib/pk_pad/emsa2/info.txt b/src/lib/pk_pad/emsa2/info.txt
new file mode 100644
index 000000000..0c9bd2289
--- /dev/null
+++ b/src/lib/pk_pad/emsa2/info.txt
@@ -0,0 +1,6 @@
+define EMSA2 20131128
+
+<requires>
+hash
+hash_id
+</requires>
diff --git a/src/lib/pk_pad/emsa3/emsa3.cpp b/src/lib/pk_pad/emsa3/emsa3.cpp
new file mode 100644
index 000000000..0d603c508
--- /dev/null
+++ b/src/lib/pk_pad/emsa3/emsa3.cpp
@@ -0,0 +1,152 @@
+/*
+* EMSA3 and EMSA3_Raw
+* (C) 1999-2008 Jack Lloyd
+*
+* Distributed under the terms of the Botan license
+*/
+
+#include <botan/emsa3.h>
+#include <botan/hash_id.h>
+
+namespace Botan {
+
+namespace {
+
+/*
+* EMSA3 Encode Operation
+*/
+secure_vector<byte> emsa3_encoding(const secure_vector<byte>& msg,
+ size_t output_bits,
+ const byte hash_id[],
+ size_t hash_id_length)
+ {
+ size_t output_length = output_bits / 8;
+ if(output_length < hash_id_length + msg.size() + 10)
+ throw Encoding_Error("emsa3_encoding: Output length is too small");
+
+ secure_vector<byte> T(output_length);
+ const size_t P_LENGTH = output_length - msg.size() - hash_id_length - 2;
+
+ T[0] = 0x01;
+ set_mem(&T[1], P_LENGTH, 0xFF);
+ T[P_LENGTH+1] = 0x00;
+ buffer_insert(T, P_LENGTH+2, hash_id, hash_id_length);
+ buffer_insert(T, output_length-msg.size(), &msg[0], msg.size());
+ return T;
+ }
+
+}
+
+/*
+* EMSA3 Update Operation
+*/
+void EMSA3::update(const byte input[], size_t length)
+ {
+ hash->update(input, length);
+ }
+
+/*
+* Return the raw (unencoded) data
+*/
+secure_vector<byte> EMSA3::raw_data()
+ {
+ return hash->final();
+ }
+
+/*
+* EMSA3 Encode Operation
+*/
+secure_vector<byte> EMSA3::encoding_of(const secure_vector<byte>& msg,
+ size_t output_bits,
+ RandomNumberGenerator&)
+ {
+ if(msg.size() != hash->output_length())
+ throw Encoding_Error("EMSA3::encoding_of: Bad input length");
+
+ return emsa3_encoding(msg, output_bits,
+ &hash_id[0], hash_id.size());
+ }
+
+/*
+* Default signature decoding
+*/
+bool EMSA3::verify(const secure_vector<byte>& coded,
+ const secure_vector<byte>& raw,
+ size_t key_bits)
+ {
+ if(raw.size() != hash->output_length())
+ return false;
+
+ try
+ {
+ return (coded == emsa3_encoding(raw, key_bits,
+ &hash_id[0], hash_id.size()));
+ }
+ catch(...)
+ {
+ return false;
+ }
+ }
+
+/*
+* EMSA3 Constructor
+*/
+EMSA3::EMSA3(HashFunction* hash_in) : hash(hash_in)
+ {
+ hash_id = pkcs_hash_id(hash->name());
+ }
+
+/*
+* EMSA3 Destructor
+*/
+EMSA3::~EMSA3()
+ {
+ delete hash;
+ }
+
+/*
+* EMSA3_Raw Update Operation
+*/
+void EMSA3_Raw::update(const byte input[], size_t length)
+ {
+ message += std::make_pair(input, length);
+ }
+
+/*
+* Return the raw (unencoded) data
+*/
+secure_vector<byte> EMSA3_Raw::raw_data()
+ {
+ secure_vector<byte> ret;
+ std::swap(ret, message);
+ return ret;
+ }
+
+/*
+* EMSA3_Raw Encode Operation
+*/
+secure_vector<byte> EMSA3_Raw::encoding_of(const secure_vector<byte>& msg,
+ size_t output_bits,
+ RandomNumberGenerator&)
+ {
+ return emsa3_encoding(msg, output_bits, nullptr, 0);
+ }
+
+/*
+* Default signature decoding
+*/
+bool EMSA3_Raw::verify(const secure_vector<byte>& coded,
+ const secure_vector<byte>& raw,
+ size_t key_bits)
+ {
+ try
+ {
+ return (coded == emsa3_encoding(raw, key_bits, nullptr, 0));
+ }
+ catch(...)
+ {
+ return false;
+ }
+ }
+
+}
diff --git a/src/lib/pk_pad/emsa3/emsa3.h b/src/lib/pk_pad/emsa3/emsa3.h
new file mode 100644
index 000000000..9fbda67ee
--- /dev/null
+++ b/src/lib/pk_pad/emsa3/emsa3.h
@@ -0,0 +1,68 @@
+/*
+* EMSA3 and EMSA3_Raw
+* (C) 1999-2008 Jack Lloyd
+*
+* Distributed under the terms of the Botan license
+*/
+
+#ifndef BOTAN_EMSA3_H__
+#define BOTAN_EMSA3_H__
+
+#include <botan/emsa.h>
+#include <botan/hash.h>
+
+namespace Botan {
+
+/**
+* EMSA3 from IEEE 1363
+* aka PKCS #1 v1.5 signature padding
+* aka PKCS #1 block type 1
+*/
+class BOTAN_DLL EMSA3 : public EMSA
+ {
+ public:
+ /**
+ * @param hash the hash object to use
+ */
+ EMSA3(HashFunction* hash);
+ ~EMSA3();
+
+ void update(const byte[], size_t);
+
+ secure_vector<byte> raw_data();
+
+ secure_vector<byte> encoding_of(const secure_vector<byte>&, size_t,
+ RandomNumberGenerator& rng);
+
+ bool verify(const secure_vector<byte>&, const secure_vector<byte>&,
+ size_t);
+ private:
+ HashFunction* hash;
+ std::vector<byte> hash_id;
+ };
+
+/**
+* EMSA3_Raw which is EMSA3 without a hash or digest id (which
+* according to QCA docs is "identical to PKCS#11's CKM_RSA_PKCS
+* mechanism", something I have not confirmed)
+*/
+class BOTAN_DLL EMSA3_Raw : public EMSA
+ {
+ public:
+ void update(const byte[], size_t);
+
+ secure_vector<byte> raw_data();
+
+ secure_vector<byte> encoding_of(const secure_vector<byte>&, size_t,
+ RandomNumberGenerator& rng);
+
+ bool verify(const secure_vector<byte>&, const secure_vector<byte>&,
+ size_t);
+
+ private:
+ secure_vector<byte> message;
+ };
+
+}
+
+#endif
diff --git a/src/lib/pk_pad/emsa3/info.txt b/src/lib/pk_pad/emsa3/info.txt
new file mode 100644
index 000000000..aea998f13
--- /dev/null
+++ b/src/lib/pk_pad/emsa3/info.txt
@@ -0,0 +1,6 @@
+define EMSA3 20131128
+
+<requires>
+hash
+hash_id
+</requires>
diff --git a/src/lib/pk_pad/emsa4/emsa4.cpp b/src/lib/pk_pad/emsa4/emsa4.cpp
new file mode 100644
index 000000000..c8b8cbc6a
--- /dev/null
+++ b/src/lib/pk_pad/emsa4/emsa4.cpp
@@ -0,0 +1,146 @@
+/*
+* EMSA4
+* (C) 1999-2007 Jack Lloyd
+*
+* Distributed under the terms of the Botan license
+*/
+
+#include <botan/emsa4.h>
+#include <botan/mgf1.h>
+#include <botan/internal/bit_ops.h>
+
+namespace Botan {
+
+/*
+* EMSA4 Update Operation
+*/
+void EMSA4::update(const byte input[], size_t length)
+ {
+ hash->update(input, length);
+ }
+
+/*
+* Return the raw (unencoded) data
+*/
+secure_vector<byte> EMSA4::raw_data()
+ {
+ return hash->final();
+ }
+
+/*
+* EMSA4 Encode Operation
+*/
+secure_vector<byte> EMSA4::encoding_of(const secure_vector<byte>& msg,
+ size_t output_bits,
+ RandomNumberGenerator& rng)
+ {
+ const size_t HASH_SIZE = hash->output_length();
+
+ if(msg.size() != HASH_SIZE)
+ throw Encoding_Error("EMSA4::encoding_of: Bad input length");
+ if(output_bits < 8*HASH_SIZE + 8*SALT_SIZE + 9)
+ throw Encoding_Error("EMSA4::encoding_of: Output length is too small");
+
+ const size_t output_length = (output_bits + 7) / 8;
+
+ secure_vector<byte> salt = rng.random_vec(SALT_SIZE);
+
+ for(size_t j = 0; j != 8; ++j)
+ hash->update(0);
+ hash->update(msg);
+ hash->update(salt);
+ secure_vector<byte> H = hash->final();
+
+ secure_vector<byte> EM(output_length);
+
+ EM[output_length - HASH_SIZE - SALT_SIZE - 2] = 0x01;
+ buffer_insert(EM, output_length - 1 - HASH_SIZE - SALT_SIZE, salt);
+ mgf->mask(&H[0], HASH_SIZE, &EM[0], output_length - HASH_SIZE - 1);
+ EM[0] &= 0xFF >> (8 * ((output_bits + 7) / 8) - output_bits);
+ buffer_insert(EM, output_length - 1 - HASH_SIZE, H);
+ EM[output_length-1] = 0xBC;
+
+ return EM;
+ }
+
+/*
+* EMSA4 Decode/Verify Operation
+*/
+bool EMSA4::verify(const secure_vector<byte>& const_coded,
+ const secure_vector<byte>& raw, size_t key_bits)
+ {
+ const size_t HASH_SIZE = hash->output_length();
+ const size_t KEY_BYTES = (key_bits + 7) / 8;
+
+ if(key_bits < 8*HASH_SIZE + 9)
+ return false;
+
+ if(raw.size() != HASH_SIZE)
+ return false;
+
+ if(const_coded.size() > KEY_BYTES || const_coded.size() <= 1)
+ return false;
+
+ if(const_coded[const_coded.size()-1] != 0xBC)
+ return false;
+
+ secure_vector<byte> coded = const_coded;
+ if(coded.size() < KEY_BYTES)
+ {
+ secure_vector<byte> temp(KEY_BYTES);
+ buffer_insert(temp, KEY_BYTES - coded.size(), coded);
+ coded = temp;
+ }
+
+ const size_t TOP_BITS = 8 * ((key_bits + 7) / 8) - key_bits;
+ if(TOP_BITS > 8 - high_bit(coded[0]))
+ return false;
+
+ byte* DB = &coded[0];
+ const size_t DB_size = coded.size() - HASH_SIZE - 1;
+
+ const byte* H = &coded[DB_size];
+ const size_t H_size = HASH_SIZE;
+
+ mgf->mask(&H[0], H_size, &DB[0], DB_size);
+ DB[0] &= 0xFF >> TOP_BITS;
+
+ size_t salt_offset = 0;
+ for(size_t j = 0; j != DB_size; ++j)
+ {
+ if(DB[j] == 0x01)
+ { salt_offset = j + 1; break; }
+ if(DB[j])
+ return false;
+ }
+ if(salt_offset == 0)
+ return false;
+
+ for(size_t j = 0; j != 8; ++j)
+ hash->update(0);
+ hash->update(raw);
+ hash->update(&DB[salt_offset], DB_size - salt_offset);
+ secure_vector<byte> H2 = hash->final();
+
+ return same_mem(&H[0], &H2[0], HASH_SIZE);
+ }
+
+/*
+* EMSA4 Constructor
+*/
+EMSA4::EMSA4(HashFunction* h) :
+ SALT_SIZE(h->output_length()), hash(h)
+ {
+ mgf = new MGF1(hash->clone());
+ }
+
+/*
+* EMSA4 Constructor
+*/
+EMSA4::EMSA4(HashFunction* h, size_t salt_size) :
+ SALT_SIZE(salt_size), hash(h)
+ {
+ mgf = new MGF1(hash->clone());
+ }
+
+}
diff --git a/src/lib/pk_pad/emsa4/emsa4.h b/src/lib/pk_pad/emsa4/emsa4.h
new file mode 100644
index 000000000..44bf5a429
--- /dev/null
+++ b/src/lib/pk_pad/emsa4/emsa4.h
@@ -0,0 +1,51 @@
+/*
+* EMSA4
+* (C) 1999-2007 Jack Lloyd
+*
+* Distributed under the terms of the Botan license
+*/
+
+#ifndef BOTAN_EMSA4_H__
+#define BOTAN_EMSA4_H__
+
+#include <botan/emsa.h>
+#include <botan/hash.h>
+#include <botan/kdf.h>
+
+namespace Botan {
+
+/**
+* EMSA4 aka PSS-R
+*/
+class BOTAN_DLL EMSA4 : public EMSA
+ {
+ public:
+ /**
+ * @param hash the hash object to use
+ */
+ EMSA4(HashFunction* hash);
+
+ /**
+ * @param hash the hash object to use
+ * @param salt_size the size of the salt to use in bytes
+ */
+ EMSA4(HashFunction* hash, size_t salt_size);
+
+ ~EMSA4() { delete hash; delete mgf; }
+ private:
+ void update(const byte[], size_t);
+ secure_vector<byte> raw_data();
+
+ secure_vector<byte> encoding_of(const secure_vector<byte>&, size_t,
+ RandomNumberGenerator& rng);
+ bool verify(const secure_vector<byte>&, const secure_vector<byte>&,
+ size_t);
+
+ size_t SALT_SIZE;
+ HashFunction* hash;
+ const MGF* mgf;
+ };
+
+}
+
+#endif
diff --git a/src/lib/pk_pad/emsa4/info.txt b/src/lib/pk_pad/emsa4/info.txt
new file mode 100644
index 000000000..b7ea466ce
--- /dev/null
+++ b/src/lib/pk_pad/emsa4/info.txt
@@ -0,0 +1,7 @@
+define EMSA4 20131128
+
+<requires>
+hash
+kdf
+mgf1
+</requires>
diff --git a/src/lib/pk_pad/emsa_raw/emsa_raw.cpp b/src/lib/pk_pad/emsa_raw/emsa_raw.cpp
new file mode 100644
index 000000000..cb0f99e9c
--- /dev/null
+++ b/src/lib/pk_pad/emsa_raw/emsa_raw.cpp
@@ -0,0 +1,68 @@
+/*
+* EMSA-Raw
+* (C) 1999-2007 Jack Lloyd
+*
+* Distributed under the terms of the Botan license
+*/
+
+#include <botan/emsa_raw.h>
+
+namespace Botan {
+
+/*
+* EMSA-Raw Encode Operation
+*/
+void EMSA_Raw::update(const byte input[], size_t length)
+ {
+ message += std::make_pair(input, length);
+ }
+
+/*
+* Return the raw (unencoded) data
+*/
+secure_vector<byte> EMSA_Raw::raw_data()
+ {
+ secure_vector<byte> output;
+ std::swap(message, output);
+ return output;
+ }
+
+/*
+* EMSA-Raw Encode Operation
+*/
+secure_vector<byte> EMSA_Raw::encoding_of(const secure_vector<byte>& msg,
+ size_t,
+ RandomNumberGenerator&)
+ {
+ return msg;
+ }
+
+/*
+* EMSA-Raw Verify Operation
+*/
+bool EMSA_Raw::verify(const secure_vector<byte>& coded,
+ const secure_vector<byte>& raw,
+ size_t)
+ {
+ if(coded.size() == raw.size())
+ return (coded == raw);
+
+ if(coded.size() > raw.size())
+ return false;
+
+ // handle zero padding differences
+ const size_t leading_zeros_expected = raw.size() - coded.size();
+
+ bool same_modulo_leading_zeros = true;
+
+ for(size_t i = 0; i != leading_zeros_expected; ++i)
+ if(raw[i])
+ same_modulo_leading_zeros = false;
+
+ if(!same_mem(&coded[0], &raw[leading_zeros_expected], coded.size()))
+ same_modulo_leading_zeros = false;
+
+ return same_modulo_leading_zeros;
+ }
+
+}
diff --git a/src/lib/pk_pad/emsa_raw/emsa_raw.h b/src/lib/pk_pad/emsa_raw/emsa_raw.h
new file mode 100644
index 000000000..8ab763575
--- /dev/null
+++ b/src/lib/pk_pad/emsa_raw/emsa_raw.h
@@ -0,0 +1,35 @@
+/*
+* EMSA-Raw
+* (C) 1999-2007 Jack Lloyd
+*
+* Distributed under the terms of the Botan license
+*/
+
+#ifndef BOTAN_EMSA_RAW_H__
+#define BOTAN_EMSA_RAW_H__
+
+#include <botan/emsa.h>
+
+namespace Botan {
+
+/**
+* EMSA-Raw - sign inputs directly
+* Don't use this unless you know what you are doing.
+*/
+class BOTAN_DLL EMSA_Raw : public EMSA
+ {
+ private:
+ void update(const byte[], size_t);
+ secure_vector<byte> raw_data();
+
+ secure_vector<byte> encoding_of(const secure_vector<byte>&, size_t,
+ RandomNumberGenerator&);
+ bool verify(const secure_vector<byte>&, const secure_vector<byte>&,
+ size_t);
+
+ secure_vector<byte> message;
+ };
+
+}
+
+#endif
diff --git a/src/lib/pk_pad/emsa_raw/info.txt b/src/lib/pk_pad/emsa_raw/info.txt
new file mode 100644
index 000000000..f01d1bfa2
--- /dev/null
+++ b/src/lib/pk_pad/emsa_raw/info.txt
@@ -0,0 +1 @@
+define EMSA_RAW 20131128
diff --git a/src/lib/pk_pad/get_pk_pad.cpp b/src/lib/pk_pad/get_pk_pad.cpp
new file mode 100644
index 000000000..8c27b1fa1
--- /dev/null
+++ b/src/lib/pk_pad/get_pk_pad.cpp
@@ -0,0 +1,139 @@
+/*
+* EMSA/EME Retrieval
+* (C) 1999-2007 Jack Lloyd
+*
+* Distributed under the terms of the Botan license
+*/
+
+#include <botan/emsa.h>
+#include <botan/eme.h>
+#include <botan/libstate.h>
+#include <botan/scan_name.h>
+
+#if defined(BOTAN_HAS_EMSA1)
+ #include <botan/emsa1.h>
+#endif
+
+#if defined(BOTAN_HAS_EMSA1_BSI)
+ #include <botan/emsa1_bsi.h>
+#endif
+
+#if defined(BOTAN_HAS_EMSA2)
+ #include <botan/emsa2.h>
+#endif
+
+#if defined(BOTAN_HAS_EMSA3)
+ #include <botan/emsa3.h>
+#endif
+
+#if defined(BOTAN_HAS_EMSA4)
+ #include <botan/emsa4.h>
+#endif
+
+#if defined(BOTAN_HAS_EMSA_RAW)
+ #include <botan/emsa_raw.h>
+#endif
+
+#if defined(BOTAN_HAS_EME1)
+ #include <botan/eme1.h>
+#endif
+
+#if defined(BOTAN_HAS_EME_PKCS1v15)
+ #include <botan/eme_pkcs.h>
+#endif
+
+namespace Botan {
+
+/*
+* Get an EMSA by name
+*/
+EMSA* get_emsa(const std::string& algo_spec)
+ {
+ SCAN_Name request(algo_spec);
+
+ Algorithm_Factory& af = global_state().algorithm_factory();
+
+#if defined(BOTAN_HAS_EMSA_RAW)
+ if(request.algo_name() == "Raw" && request.arg_count() == 0)
+ return new EMSA_Raw;
+#endif
+
+#if defined(BOTAN_HAS_EMSA1)
+ if(request.algo_name() == "EMSA1" && request.arg_count() == 1)
+ {
+ if(request.arg(0) == "Raw")
+ return new EMSA_Raw;
+ return new EMSA1(af.make_hash_function(request.arg(0)));
+ }
+#endif
+
+#if defined(BOTAN_HAS_EMSA1_BSI)
+ if(request.algo_name() == "EMSA1_BSI" && request.arg_count() == 1)
+ return new EMSA1_BSI(af.make_hash_function(request.arg(0)));
+#endif
+
+#if defined(BOTAN_HAS_EMSA2)
+ if(request.algo_name() == "EMSA2" && request.arg_count() == 1)
+ return new EMSA2(af.make_hash_function(request.arg(0)));
+#endif
+
+#if defined(BOTAN_HAS_EMSA3)
+ if(request.algo_name() == "EMSA3" && request.arg_count() == 1)
+ {
+ if(request.arg(0) == "Raw")
+ return new EMSA3_Raw;
+ return new EMSA3(af.make_hash_function(request.arg(0)));
+ }
+#endif
+
+#if defined(BOTAN_HAS_EMSA4)
+ if(request.algo_name() == "EMSA4" && request.arg_count_between(1, 3))
+ {
+ // 3 args: Hash, MGF, salt size (MGF is hardcoded MGF1 in Botan)
+ if(request.arg_count() == 1)
+ return new EMSA4(af.make_hash_function(request.arg(0)));
+
+ if(request.arg_count() == 2 && request.arg(1) != "MGF1")
+ return new EMSA4(af.make_hash_function(request.arg(0)));
+
+ if(request.arg_count() == 3)
+ return new EMSA4(af.make_hash_function(request.arg(0)),
+ request.arg_as_integer(2, 0));
+ }
+#endif
+
+ throw Algorithm_Not_Found(algo_spec);
+ }
+
+/*
+* Get an EME by name
+*/
+EME* get_eme(const std::string& algo_spec)
+ {
+ SCAN_Name request(algo_spec);
+
+ Algorithm_Factory& af = global_state().algorithm_factory();
+
+ if(request.algo_name() == "Raw")
+ return nullptr; // No padding
+
+#if defined(BOTAN_HAS_EME_PKCS1v15)
+ if(request.algo_name() == "PKCS1v15" && request.arg_count() == 0)
+ return new EME_PKCS1v15;
+#endif
+
+#if defined(BOTAN_HAS_EME1)
+ if(request.algo_name() == "EME1" && request.arg_count_between(1, 2))
+ {
+ if(request.arg_count() == 1 ||
+ (request.arg_count() == 2 && request.arg(1) == "MGF1"))
+ {
+ return new EME1(af.make_hash_function(request.arg(0)));
+ }
+ }
+#endif
+
+ throw Algorithm_Not_Found(algo_spec);
+ }
+
+}
diff --git a/src/lib/pk_pad/hash_id/hash_id.cpp b/src/lib/pk_pad/hash_id/hash_id.cpp
new file mode 100644
index 000000000..a60e53352
--- /dev/null
+++ b/src/lib/pk_pad/hash_id/hash_id.cpp
@@ -0,0 +1,129 @@
+/*
+* Hash Function Identification
+* (C) 1999-2008 Jack Lloyd
+*
+* Distributed under the terms of the Botan license
+*/
+
+#include <botan/hash_id.h>
+#include <botan/exceptn.h>
+
+namespace Botan {
+
+namespace {
+
+const byte MD2_PKCS_ID[] = {
+0x30, 0x20, 0x30, 0x0C, 0x06, 0x08, 0x2A, 0x86, 0x48, 0x86,
+0xF7, 0x0D, 0x02, 0x02, 0x05, 0x00, 0x04, 0x10 };
+
+const byte MD5_PKCS_ID[] = {
+0x30, 0x20, 0x30, 0x0C, 0x06, 0x08, 0x2A, 0x86, 0x48, 0x86,
+0xF7, 0x0D, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10 };
+
+const byte RIPEMD_128_PKCS_ID[] = {
+0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B, 0x24, 0x03, 0x02,
+0x02, 0x05, 0x00, 0x04, 0x14 };
+
+const byte RIPEMD_160_PKCS_ID[] = {
+0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B, 0x24, 0x03, 0x02,
+0x01, 0x05, 0x00, 0x04, 0x14 };
+
+const byte SHA_160_PKCS_ID[] = {
+0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B, 0x0E, 0x03, 0x02,
+0x1A, 0x05, 0x00, 0x04, 0x14 };
+
+const byte SHA_224_PKCS_ID[] = {
+0x30, 0x2D, 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
+0x65, 0x03, 0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1C };
+
+const byte SHA_256_PKCS_ID[] = {
+0x30, 0x31, 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
+0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20 };
+
+const byte SHA_384_PKCS_ID[] = {
+0x30, 0x41, 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
+0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30 };
+
+const byte SHA_512_PKCS_ID[] = {
+0x30, 0x51, 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
+0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40 };
+
+const byte TIGER_PKCS_ID[] = {
+0x30, 0x29, 0x30, 0x0D, 0x06, 0x09, 0x2B, 0x06, 0x01, 0x04,
+0x01, 0xDA, 0x47, 0x0C, 0x02, 0x05, 0x00, 0x04, 0x18 };
+
+}
+
+/*
+* HashID as specified by PKCS
+*/
+std::vector<byte> pkcs_hash_id(const std::string& name)
+ {
+ // Special case for SSL/TLS RSA signatures
+ if(name == "Parallel(MD5,SHA-160)")
+ return std::vector<byte>();
+
+ if(name == "MD2")
+ return std::vector<byte>(MD2_PKCS_ID,
+ MD2_PKCS_ID + sizeof(MD2_PKCS_ID));
+
+ if(name == "MD5")
+ return std::vector<byte>(MD5_PKCS_ID,
+ MD5_PKCS_ID + sizeof(MD5_PKCS_ID));
+
+ if(name == "RIPEMD-128")
+ return std::vector<byte>(RIPEMD_128_PKCS_ID,
+ RIPEMD_128_PKCS_ID + sizeof(RIPEMD_128_PKCS_ID));
+
+ if(name == "RIPEMD-160")
+ return std::vector<byte>(RIPEMD_160_PKCS_ID,
+ RIPEMD_160_PKCS_ID + sizeof(RIPEMD_160_PKCS_ID));
+
+ if(name == "SHA-160")
+ return std::vector<byte>(SHA_160_PKCS_ID,
+ SHA_160_PKCS_ID + sizeof(SHA_160_PKCS_ID));
+
+ if(name == "SHA-224")
+ return std::vector<byte>(SHA_224_PKCS_ID,
+ SHA_224_PKCS_ID + sizeof(SHA_224_PKCS_ID));
+
+ if(name == "SHA-256")
+ return std::vector<byte>(SHA_256_PKCS_ID,
+ SHA_256_PKCS_ID + sizeof(SHA_256_PKCS_ID));
+
+ if(name == "SHA-384")
+ return std::vector<byte>(SHA_384_PKCS_ID,
+ SHA_384_PKCS_ID + sizeof(SHA_384_PKCS_ID));
+
+ if(name == "SHA-512")
+ return std::vector<byte>(SHA_512_PKCS_ID,
+ SHA_512_PKCS_ID + sizeof(SHA_512_PKCS_ID));
+
+ if(name == "Tiger(24,3)")
+ return std::vector<byte>(TIGER_PKCS_ID,
+ TIGER_PKCS_ID + sizeof(TIGER_PKCS_ID));
+
+ throw Invalid_Argument("No PKCS #1 identifier for " + name);
+ }
+
+/*
+* HashID as specified by IEEE 1363/X9.31
+*/
+byte ieee1363_hash_id(const std::string& name)
+ {
+ if(name == "SHA-160") return 0x33;
+
+ if(name == "SHA-224") return 0x38;
+ if(name == "SHA-256") return 0x34;
+ if(name == "SHA-384") return 0x36;
+ if(name == "SHA-512") return 0x35;
+
+ if(name == "RIPEMD-160") return 0x31;
+ if(name == "RIPEMD-128") return 0x32;
+
+ if(name == "Whirlpool") return 0x37;
+
+ return 0;
+ }
+
+}
diff --git a/src/lib/pk_pad/hash_id/hash_id.h b/src/lib/pk_pad/hash_id/hash_id.h
new file mode 100644
index 000000000..070e7ddb9
--- /dev/null
+++ b/src/lib/pk_pad/hash_id/hash_id.h
@@ -0,0 +1,34 @@
+/*
+* Hash Function Identification
+* (C) 1999-2007 Jack Lloyd
+*
+* Distributed under the terms of the Botan license
+*/
+
+#ifndef BOTAN_HASHID_H__
+#define BOTAN_HASHID_H__
+
+#include <botan/secmem.h>
+#include <string>
+
+namespace Botan {
+
+/**
+* Return the PKCS #1 hash identifier
+* @see RFC 3447 section 9.2
+* @param hash_name the name of the hash function
+* @return byte sequence identifying the hash
+* @throw Invalid_Argument if the hash has no known PKCS #1 hash id
+*/
+BOTAN_DLL std::vector<byte> pkcs_hash_id(const std::string& hash_name);
+
+/**
+* Return the IEEE 1363 hash identifier
+* @param hash_name the name of the hash function
+* @return byte code identifying the hash, or 0 if not known
+*/
+BOTAN_DLL byte ieee1363_hash_id(const std::string& hash_name);
+
+}
+
+#endif
diff --git a/src/lib/pk_pad/hash_id/info.txt b/src/lib/pk_pad/hash_id/info.txt
new file mode 100644
index 000000000..e6df99b6f
--- /dev/null
+++ b/src/lib/pk_pad/hash_id/info.txt
@@ -0,0 +1,5 @@
+define HASH_ID 20131128
+
+<requires>
+alloc
+</requires>
diff --git a/src/lib/pk_pad/info.txt b/src/lib/pk_pad/info.txt
new file mode 100644
index 000000000..5c6a9e4a7
--- /dev/null
+++ b/src/lib/pk_pad/info.txt
@@ -0,0 +1,8 @@
+define PK_PADDING 20131128
+
+load_on auto
+
+<requires>
+alloc
+rng
+</requires>