authorJack Lloyd <[email protected]>2016-03-19 22:52:48 -0400
committerJack Lloyd <[email protected]>2016-03-20 09:38:22 -0400
commitb8966d0f89e520cecf3e822241aef38ed9a6d876 (patch)
tree9b5c0f6afa89e8e91ef230e3d7824b10e037802c /src/lib/pk_pad
parentada363473a9491a3b07e3bb6fa2b5fd9f12aec98 (diff)
Clean up PK decryption encoding.
Previously RSA and ElGamal stripped off leading zeros which were then assumed by the padding decoders. Instead have them produce ciphertexts with leading zeros. Changes EME_Raw to strip leading zeros to match existing behavior.
Diffstat (limited to 'src/lib/pk_pad')
-rw-r--r--src/lib/pk_pad/eme.h4
-rw-r--r--src/lib/pk_pad/eme_oaep/oaep.cpp17
-rw-r--r--src/lib/pk_pad/eme_oaep/oaep.h3
-rw-r--r--src/lib/pk_pad/eme_pkcs1/eme_pkcs.cpp26
-rw-r--r--src/lib/pk_pad/eme_pkcs1/eme_pkcs.h3
-rw-r--r--src/lib/pk_pad/eme_raw/eme_raw.cpp14
-rw-r--r--src/lib/pk_pad/eme_raw/eme_raw.h3
7 files changed, 34 insertions, 36 deletions
diff --git a/src/lib/pk_pad/eme.h b/src/lib/pk_pad/eme.h
index f4c85da70..9c72cb023 100644
--- a/src/lib/pk_pad/eme.h
+++ b/src/lib/pk_pad/eme.h
@@ -65,8 +65,8 @@ class BOTAN_DLL EME
*/
virtual secure_vector<byte> unpad(byte& valid_mask,
const byte in[],
- size_t in_len,
- size_t key_length) const = 0;
+ size_t in_len) const = 0;
+
/**
* Encode an input
* @param in the plaintext
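Review bot: The doc comment for `unpad` begins above this hunk and should state the new input contract now that `key_length` is gone. Per the commit description the decoders now receive the block with its leading zeros, so a line such as `* @param in the decrypted block, full width including leading zero bytes` would record that. It should also say what minimum `in_len` an implementation may assume, since nothing in the signature carries the expected size any more. If the existing comment still has a `@param key_length` line, it should be dropped.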
diff --git a/src/lib/pk_pad/eme_oaep/oaep.cpp b/src/lib/pk_pad/eme_oaep/oaep.cpp
index 894368e2d..0ae0d8554 100644
--- a/src/lib/pk_pad/eme_oaep/oaep.cpp
+++ b/src/lib/pk_pad/eme_oaep/oaep.cpp
@@ -61,8 +61,7 @@ secure_vector<byte> OAEP::pad(const byte in[], size_t in_length,
* OAEP Unpad Operation
*/
secure_vector<byte> OAEP::unpad(byte& valid_mask,
- const byte in[], size_t in_length,
- size_t key_length) const
+ const byte in[], size_t in_length) const
{
/*
Must be careful about error messages here; if an attacker can
@@ -75,15 +74,13 @@ secure_vector<byte> OAEP::unpad(byte& valid_mask,
Strenzke.
*/
- key_length /= 8;
-
- // Invalid input: truncate to zero length input, causing later
- // checks to fail
- if(in_length > key_length)
- in_length = 0;
+ if(in[0] == 0)
+ {
+ in += 1;
+ in_length -= 1;
+ }
- secure_vector<byte> input(key_length);
- buffer_insert(input, key_length - in_length, in, in_length);
+ secure_vector<byte> input(in, in + in_length);
CT::poison(input.data(), input.size());
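Review bot: The new `if(in[0] == 0)` test branches on the first byte of the decrypted block before `CT::poison` is applied, so whether that byte is zero can show up in timing, which is the kind of leak the comment just above warns about. It also reads `in[0]` with no check that `in_length` is non-zero, now that the old length normalisation has been removed. A branch-free form such as `const size_t skip = CT::is_zero<byte>(in[0]) & 1;` followed by `secure_vector<byte> input(in + skip, in + in_length);`, behind an `in_length == 0` guard, would avoid both. A non-zero leading byte is passed on unchanged here; whether the rest of `unpad`, which continues outside this hunk, rejects it should be confirmed.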
diff --git a/src/lib/pk_pad/eme_oaep/oaep.h b/src/lib/pk_pad/eme_oaep/oaep.h
index dce706613..8b21ea81d 100644
--- a/src/lib/pk_pad/eme_oaep/oaep.h
+++ b/src/lib/pk_pad/eme_oaep/oaep.h
@@ -36,8 +36,7 @@ class BOTAN_DLL OAEP final : public EME
secure_vector<byte> unpad(byte& valid_mask,
const byte in[],
- size_t in_len,
- size_t key_length) const override;
+ size_t in_len) const override;
secure_vector<byte> m_Phash;
std::unique_ptr<HashFunction> m_hash;
diff --git a/src/lib/pk_pad/eme_pkcs1/eme_pkcs.cpp b/src/lib/pk_pad/eme_pkcs1/eme_pkcs.cpp
index 4780fe43b..8148b7bc9 100644
--- a/src/lib/pk_pad/eme_pkcs1/eme_pkcs.cpp
+++ b/src/lib/pk_pad/eme_pkcs1/eme_pkcs.cpp
@@ -1,6 +1,6 @@
/*
* PKCS #1 v1.5 Type 2 (encryption) padding
-* (C) 1999-2007,2015 Jack Lloyd
+* (C) 1999-2007,2015,2016 Jack Lloyd
*
* Botan is released under the Simplified BSD License (see license.txt)
*/
@@ -27,8 +27,16 @@ secure_vector<byte> EME_PKCS1v15::pad(const byte in[], size_t inlen,
secure_vector<byte> out(olen);
out[0] = 0x02;
+ rng.randomize(out.data() + 1, (olen - inlen - 2));
+
for(size_t j = 1; j != olen - inlen - 1; ++j)
- out[j] = rng.next_nonzero_byte();
+ {
+ if(out[j] == 0)
+ {
+ out[j] = rng.next_nonzero_byte();
+ }
+ }
+
buffer_insert(out, olen - inlen, in, inlen);
return out;
@@ -38,21 +46,18 @@ secure_vector<byte> EME_PKCS1v15::pad(const byte in[], size_t inlen,
* PKCS1 Unpad Operation
*/
secure_vector<byte> EME_PKCS1v15::unpad(byte& valid_mask,
- const byte in[], size_t inlen,
- size_t key_len) const
+ const byte in[], size_t inlen) const
{
- if(inlen != key_len / 8 || inlen < 10)
- throw Decoding_Error("PKCS1::unpad");
-
CT::poison(in, inlen);
byte bad_input_m = 0;
byte seen_zero_m = 0;
size_t delim_idx = 0;
- bad_input_m |= ~CT::is_equal<byte>(in[0], 2);
+ bad_input_m |= ~CT::is_equal<byte>(in[0], 0);
+ bad_input_m |= ~CT::is_equal<byte>(in[1], 2);
- for(size_t i = 1; i != inlen; ++i)
+ for(size_t i = 2; i < inlen; ++i)
{
const byte is_zero_m = CT::is_zero<byte>(in[i]);
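Review bot: With the `inlen != key_len / 8 || inlen < 10` check removed, `in[0]` and `in[1]` are read for any `inlen`. For `inlen < 2` the loop does not run, and the `&in[delim_idx + 2]` start pointer in the following hunk then lies past `&in[inlen]`. The length is not secret, so a guard on it costs nothing in constant-time terms: `if(inlen < 2) throw Decoding_Error("PKCS1::unpad");` at the top keeps the reads in bounds. Callers may always pass a full-width block, but `unpad` is a virtual on an exported class, so it should not rely on that. The loop body continues outside this hunk.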
@@ -63,12 +68,13 @@ secure_vector<byte> EME_PKCS1v15::unpad(byte& valid_mask,
}
bad_input_m |= ~seen_zero_m;
+ bad_input_m |= CT::is_less<size_t>(delim_idx, 8);
CT::unpoison(in, inlen);
CT::unpoison(bad_input_m);
CT::unpoison(delim_idx);
- secure_vector<byte> output(&in[delim_idx + 1], &in[inlen]);
+ secure_vector<byte> output(&in[delim_idx + 2], &in[inlen]);
CT::cond_zero_mem(bad_input_m, output.data(), output.size());
valid_mask = ~bad_input_m;
return output;
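Review bot: The threshold in `CT::is_less<size_t>(delim_idx, 8)` needs a comment saying what `delim_idx` counts, because the increment is in the loop body outside this hunk and the output now starts at `delim_idx + 2`. PKCS #1 v1.5 requires at least eight non-zero padding bytes, so if `delim_idx` also counts the delimiter, a limit of 8 would admit a seven-byte pad. A comment such as `// delim_idx counts <what>; reject fewer than 8 padding bytes` with the count confirmed against the loop would settle it. If `is_less<size_t>` returns a `size_t` mask, the `|=` into the `byte` `bad_input_m` narrows implicitly and an explicit cast would make that intentional.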
diff --git a/src/lib/pk_pad/eme_pkcs1/eme_pkcs.h b/src/lib/pk_pad/eme_pkcs1/eme_pkcs.h
index d5f8879d6..006b39997 100644
--- a/src/lib/pk_pad/eme_pkcs1/eme_pkcs.h
+++ b/src/lib/pk_pad/eme_pkcs1/eme_pkcs.h
@@ -25,8 +25,7 @@ class BOTAN_DLL EME_PKCS1v15 final : public EME
secure_vector<byte> unpad(byte& valid_mask,
const byte in[],
- size_t in_len,
- size_t key_length) const override;
+ size_t in_len) const override;
};
}
diff --git a/src/lib/pk_pad/eme_raw/eme_raw.cpp b/src/lib/pk_pad/eme_raw/eme_raw.cpp
index 5c5dd6e40..84fd6f545 100644
--- a/src/lib/pk_pad/eme_raw/eme_raw.cpp
+++ b/src/lib/pk_pad/eme_raw/eme_raw.cpp
@@ -1,29 +1,27 @@
/*
-* (C) 2015 Jack Lloyd
+* (C) 2015,2016 Jack Lloyd
*
* Botan is released under the Simplified BSD License (see license.txt)
*/
-#include <botan/internal/bit_ops.h>
#include <botan/eme_raw.h>
+#include <botan/internal/bit_ops.h>
+#include <botan/internal/ct_utils.h>
namespace Botan {
secure_vector<byte> EME_Raw::pad(const byte in[], size_t in_length,
- size_t key_bits,
+ size_t,
RandomNumberGenerator&) const
{
- if(in_length > 0 && (8*(in_length - 1) + high_bit(in[0]) > key_bits))
- throw Invalid_Argument("EME_Raw: Input is too large");
return secure_vector<byte>(in, in + in_length);
}
secure_vector<byte> EME_Raw::unpad(byte& valid_mask,
- const byte in[], size_t in_length,
- size_t) const
+ const byte in[], size_t in_length) const
{
valid_mask = 0xFF;
- return secure_vector<byte>(in, in + in_length);
+ return CT::strip_leading_zeros(in, in_length);
}
size_t EME_Raw::maximum_input_size(size_t keybits) const
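Review bot: `EME_Raw::pad` no longer rejects input wider than the key: the `key_bits` parameter is now unnamed and the `Invalid_Argument` check is gone, so an oversize message is handed on unchanged. If the size is enforced by the caller through `maximum_input_size()` (its body is outside this hunk), a comment at the `return` would make that dependency visible, e.g. `// size is validated by the caller against maximum_input_size()`. With `high_bit` no longer used in the visible code, the `bit_ops.h` include may also be removable unless the rest of the file needs it.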
diff --git a/src/lib/pk_pad/eme_raw/eme_raw.h b/src/lib/pk_pad/eme_raw/eme_raw.h
index 60d23323c..fa30c684e 100644
--- a/src/lib/pk_pad/eme_raw/eme_raw.h
+++ b/src/lib/pk_pad/eme_raw/eme_raw.h
@@ -23,8 +23,7 @@ class BOTAN_DLL EME_Raw final : public EME
secure_vector<byte> unpad(byte& valid_mask,
const byte in[],
- size_t in_len,
- size_t key_length) const override;
+ size_t in_len) const override;
};
}