8 #include <botan/oaep.h>
9 #include <botan/mgf1.h>
10 #include <botan/internal/ct_utils.h>
// OAEP encoding step: builds the padded block `out` from the message `in`.
// NOTE(review): this listing drops several original lines (the number at the
// start of each line is the original file's line number, and they jump), so
// the size check guarding the throw, the copy of `in` into `out` and the
// opening lines of the two calls at the end are not visible here.
17 secure_vector<uint8_t> OAEP::pad(
const uint8_t in[],
size_t in_length,
19 RandomNumberGenerator& rng)
const
// Oversized input is rejected with an exception; the condition that triggers
// it is outside this excerpt.
25 throw Invalid_Argument(
"OAEP: Input is too large");
// Output buffer of key_length bytes (key_length's declaration is not visible here).
28 secure_vector<uint8_t> out(key_length);
// The first m_Phash.size() bytes are drawn from rng. Presumably this is the
// OAEP seed, so rng needs to be a cryptographically secure generator —
// confirm at the call sites.
30 rng.randomize(out.data(), m_Phash.size());
// m_Phash is copied in directly after those random bytes.
32 buffer_insert(out, m_Phash.size(), m_Phash.data(), m_Phash.size());
// 0x01 marker written in_length + 1 bytes before the end of out, i.e. just
// ahead of the last in_length bytes.
33 out[out.size() - in_length - 1] = 0x01;
// Argument lists of two calls whose opening lines are missing. The first takes
// (leading m_Phash.size() bytes, remainder of out), the second the same two
// ranges in the opposite order. Presumably the two mgf1_mask passes —
// confirm against the full file.
37 out.data(), m_Phash.size(),
38 &out[m_Phash.size()], out.size() - m_Phash.size());
41 &out[m_Phash.size()], out.size() - m_Phash.size(),
42 out.data(), m_Phash.size());
// OAEP decoding step. Validity is reported through valid_mask rather than by
// branching on the decoded bytes: every check below is folded into the
// bad_input mask with CT:: helpers. That mask-based style is what one would
// expect for keeping decode failures indistinguishable to a caller-side
// observer (padding-oracle attacks such as Manger's); the file's own
// rationale comment is not part of this excerpt.
// NOTE(review): this listing drops several original lines (the leading numbers
// are original line numbers), including the opening lines of two calls and the
// return statement.
50 secure_vector<uint8_t> OAEP::unpad(uint8_t& valid_mask,
51 const uint8_t in[],
size_t in_length)
const
// skip_first is 1 when in[0] is zero and 0 otherwise (CT::is_zero is used as
// an all-ones / all-zero mask here and in the loop below).
// NOTE(review): in[0] is read with no in_length check visible in this
// excerpt — confirm callers never pass an empty buffer.
73 uint8_t skip_first = CT::is_zero<uint8_t>(in[0]) & 0x01;
// Working copy of the input, minus the leading byte when that byte was zero.
75 secure_vector<uint8_t> input(in + skip_first, in + in_length);
// hlen is the length of m_Phash.
79 const size_t hlen = m_Phash.size();
// Trailing arguments of two calls whose opening lines are missing; both refer
// to the part of input after the first hlen bytes. Presumably the two
// mgf1_mask unmasking passes — confirm against the full file.
82 &input[hlen], input.size() - hlen,
87 &input[hlen], input.size() - hlen);
// Scan state: delim_idx starts at 2*hlen and counts forward over zero bytes;
// waiting_for_delim stays 0xFF until the first non-zero byte is seen.
89 size_t delim_idx = 2 * hlen;
90 uint8_t waiting_for_delim = 0xFF;
91 uint8_t bad_input = 0;
// The loop bound is input.size() and no early exit is visible, so the number
// of iterations does not depend on where the delimiter sits.
93 for(
size_t i = delim_idx; i < input.size(); ++i)
// Masks for "this byte is 0x00" and "this byte is 0x01".
95 const uint8_t zero_m = CT::is_zero<uint8_t>(input[i]);
96 const uint8_t one_m = CT::is_equal<uint8_t>(input[i], 1);
// add_m is set only while still waiting and the byte is zero.
98 const uint8_t add_m = waiting_for_delim & zero_m;
// While still waiting, any byte other than 0x00 or 0x01 marks the input bad.
100 bad_input |= waiting_for_delim & ~(zero_m | one_m);
// Advance delim_idx by one for each leading zero byte, without a branch.
102 delim_idx += CT::select<uint8_t>(add_m, 1, 0);
// The first non-zero byte clears waiting_for_delim for the rest of the scan.
104 waiting_for_delim &= zero_m;
// Still waiting after the scan means no non-zero byte was found: bad input.
108 bad_input |= waiting_for_delim;
// The hlen bytes at offset hlen must equal m_Phash; a false result from
// same_mem marks the input bad. Whether same_mem itself runs in constant time
// cannot be determined from this excerpt.
109 bad_input |= CT::is_equal<uint8_t>(
same_mem(&input[hlen], m_Phash.data(), hlen),
false);
// valid_mask is the complement of bad_input, so it is 0xFF when no check failed.
115 valid_mask = ~bad_input;
// The bytes after the delimiter are copied out whether or not the checks
// passed, so callers must test valid_mask before trusting the result.
// NOTE(review): when input.size() <= 2*hlen, or every scanned byte is zero,
// delim_idx + 1 exceeds input.size() and this iterator range starts past
// end(). No guard is visible in this excerpt — confirm that the full
// function or its callers rule these cases out.
117 secure_vector<uint8_t> output(input.begin() + delim_idx + 1, input.end());
// Usable message length is keybits/8 - 2*m_Phash.size() - 1 bytes. The
// comparison runs first so the subtraction is only evaluated when its result
// is positive. The enclosing function header and the fallback return are
// outside this excerpt.
128 if(keybits / 8 > 2*m_Phash.size() + 1)
129 return ((keybits / 8) - 2*m_Phash.size() - 1);
// m_Phash holds the result of running m_hash over the string P. pad() and
// unpad() use m_Phash.size() as the hash length, and unpad() compares decoded
// bytes against m_Phash.
139 m_Phash = m_hash->process(P);
bool same_mem(const T *p1, const T *p2, size_t n)
void poison(const T *p, size_t n)
void cond_zero_mem(T cond, T *array, size_t elems)
void mgf1_mask(HashFunction &hash, const uint8_t in[], size_t in_len, uint8_t out[], size_t out_len)
size_t buffer_insert(std::vector< T, Alloc > &buf, size_t buf_offset, const T input[], size_t input_length)
OAEP(HashFunction *hash, const std::string &P="")
void unpoison(const T *p, size_t n)
size_t maximum_input_size(size_t) const override
std::unique_ptr< HashFunction > m_hash