authorlloyd <[email protected]>2014-01-01 21:20:55 +0000
committerlloyd <[email protected]>2014-01-01 21:20:55 +0000
commit197dc467dec28a04c3b2f30da7cef122dfbb13e9 (patch)
treecdbd3ddaec051c72f0a757db461973d90c37b97a /src/pk_pad/eme1
parent62faac373c07cfe10bc8c309e89ebdd30d8e5eaa (diff)
Shuffle things around. Add NIST X.509 test to build.
Diffstat (limited to 'src/pk_pad/eme1')
-rw-r--r--src/pk_pad/eme1/eme1.cpp130
-rw-r--r--src/pk_pad/eme1/eme1.h43
-rw-r--r--src/pk_pad/eme1/info.txt9
3 files changed, 0 insertions, 182 deletions
diff --git a/src/pk_pad/eme1/eme1.cpp b/src/pk_pad/eme1/eme1.cpp
deleted file mode 100644
index dadb44d0a..000000000
--- a/src/pk_pad/eme1/eme1.cpp
+++ /dev/null
@@ -1,130 +0,0 @@
-/*
-* EME1 (aka OAEP)
-* (C) 1999-2010 Jack Lloyd
-*
-* Distributed under the terms of the Botan license
-*/
-
-#include <botan/eme1.h>
-#include <botan/mgf1.h>
-#include <botan/mem_ops.h>
-#include <memory>
-
-namespace Botan {
-
-/*
-* EME1 Pad Operation
-*/
-secure_vector<byte> EME1::pad(const byte in[], size_t in_length,
- size_t key_length,
- RandomNumberGenerator& rng) const
- {
- key_length /= 8;
-
- if(key_length < in_length + 2*Phash.size() + 1)
- throw Invalid_Argument("EME1: Input is too large");
-
- secure_vector<byte> out(key_length);
-
- rng.randomize(&out[0], Phash.size());
-
- buffer_insert(out, Phash.size(), &Phash[0], Phash.size());
- out[out.size() - in_length - 1] = 0x01;
- buffer_insert(out, out.size() - in_length, in, in_length);
-
- mgf->mask(&out[0], Phash.size(),
- &out[Phash.size()], out.size() - Phash.size());
-
- mgf->mask(&out[Phash.size()], out.size() - Phash.size(),
- &out[0], Phash.size());
-
- return out;
- }
-
-/*
-* EME1 Unpad Operation
-*/
-secure_vector<byte> EME1::unpad(const byte in[], size_t in_length,
- size_t key_length) const
- {
- /*
- Must be careful about error messages here; if an attacker can
- distinguish them, it is easy to use the differences as an oracle to
- find the secret key, as described in "A Chosen Ciphertext Attack on
- RSA Optimal Asymmetric Encryption Padding (OAEP) as Standardized in
- PKCS #1 v2.0", James Manger, Crypto 2001
-
- Also have to be careful about timing attacks! Pointed out by Falko
- Strenzke.
- */
-
- key_length /= 8;
-
- // Invalid input: truncate to zero length input, causing later
- // checks to fail
- if(in_length > key_length)
- in_length = 0;
-
- secure_vector<byte> input(key_length);
- buffer_insert(input, key_length - in_length, in, in_length);
-
- mgf->mask(&input[Phash.size()], input.size() - Phash.size(),
- &input[0], Phash.size());
- mgf->mask(&input[0], Phash.size(),
- &input[Phash.size()], input.size() - Phash.size());
-
- bool waiting_for_delim = true;
- bool bad_input = false;
- size_t delim_idx = 2 * Phash.size();
-
- /*
- * GCC 4.5 on x86-64 compiles this in a way that is still vunerable
- * to timing analysis. Other compilers, or GCC on other platforms,
- * may or may not.
- */
- for(size_t i = delim_idx; i < input.size(); ++i)
- {
- const bool zero_p = !input[i];
- const bool one_p = input[i] == 0x01;
-
- const bool add_1 = waiting_for_delim && zero_p;
-
- bad_input |= waiting_for_delim && !(zero_p || one_p);
-
- delim_idx += add_1;
-
- waiting_for_delim &= zero_p;
- }
-
- // If we never saw any non-zero byte, then it's not valid input
- bad_input |= waiting_for_delim;
-
- bad_input |= !same_mem(&input[Phash.size()], &Phash[0], Phash.size());
-
- if(bad_input)
- throw Decoding_Error("Invalid EME1 encoding");
-
- return secure_vector<byte>(&input[delim_idx + 1], &input[input.size()]);
- }
-
-/*
-* Return the max input size for a given key size
-*/
-size_t EME1::maximum_input_size(size_t keybits) const
- {
- if(keybits / 8 > 2*Phash.size() + 1)
- return ((keybits / 8) - 2*Phash.size() - 1);
- else
- return 0;
- }
-
-/*
-* EME1 Constructor
-*/
-EME1::EME1(HashFunction* hash, const std::string& P)
- {
- Phash = hash->process(P);
- mgf = new MGF1(hash);
- }
-
-}
diff --git a/src/pk_pad/eme1/eme1.h b/src/pk_pad/eme1/eme1.h
deleted file mode 100644
index eb6fc6bf5..000000000
--- a/src/pk_pad/eme1/eme1.h
+++ /dev/null
@@ -1,43 +0,0 @@
-/*
-* EME1
-* (C) 1999-2007 Jack Lloyd
-*
-* Distributed under the terms of the Botan license
-*/
-
-#ifndef BOTAN_EME1_H__
-#define BOTAN_EME1_H__
-
-#include <botan/eme.h>
-#include <botan/kdf.h>
-#include <botan/hash.h>
-
-namespace Botan {
-
-/**
-* EME1, aka OAEP
-*/
-class BOTAN_DLL EME1 : public EME
- {
- public:
- size_t maximum_input_size(size_t) const;
-
- /**
- * @param hash object to use for hashing (takes ownership)
- * @param P an optional label. Normally empty.
- */
- EME1(HashFunction* hash, const std::string& P = "");
-
- ~EME1() { delete mgf; }
- private:
- secure_vector<byte> pad(const byte[], size_t, size_t,
- RandomNumberGenerator&) const;
- secure_vector<byte> unpad(const byte[], size_t, size_t) const;
-
- secure_vector<byte> Phash;
- MGF* mgf;
- };
-
-}
-
-#endif
diff --git a/src/pk_pad/eme1/info.txt b/src/pk_pad/eme1/info.txt
deleted file mode 100644
index 7e911f495..000000000
--- a/src/pk_pad/eme1/info.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-define EME1 20131128
-
-load_on auto
-
-<requires>
-hash
-kdf
-mgf1
-</requires>