8 #include <botan/pssr.h>
9 #include <botan/mgf1.h>
10 #include <botan/internal/bit_ops.h>
17 void PSSR::update(
const uint8_t input[],
size_t length)
19 m_hash->update(input, length);
25 secure_vector<uint8_t> PSSR::raw_data()
27 return m_hash->final();
33 secure_vector<uint8_t> PSSR::encoding_of(
const secure_vector<uint8_t>& msg,
35 RandomNumberGenerator& rng)
37 const size_t HASH_SIZE = m_hash->output_length();
39 if(msg.size() != HASH_SIZE)
40 throw Encoding_Error(
"PSSR::encoding_of: Bad input length");
41 if(output_bits < 8*HASH_SIZE + 8*m_SALT_SIZE + 9)
42 throw Encoding_Error(
"PSSR::encoding_of: Output length is too small");
44 const size_t output_length = (output_bits + 7) / 8;
46 secure_vector<uint8_t> salt = rng.random_vec(m_SALT_SIZE);
48 for(
size_t j = 0; j != 8; ++j)
52 secure_vector<uint8_t> H = m_hash->final();
54 secure_vector<uint8_t> EM(output_length);
56 EM[output_length - HASH_SIZE - m_SALT_SIZE - 2] = 0x01;
57 buffer_insert(EM, output_length - 1 - HASH_SIZE - m_SALT_SIZE, salt);
58 mgf1_mask(*m_hash, H.data(), HASH_SIZE, EM.data(), output_length - HASH_SIZE - 1);
59 EM[0] &= 0xFF >> (8 * ((output_bits + 7) / 8) - output_bits);
61 EM[output_length-1] = 0xBC;
69 bool PSSR::verify(
const secure_vector<uint8_t>& const_coded,
70 const secure_vector<uint8_t>& raw,
size_t key_bits)
72 const size_t HASH_SIZE = m_hash->output_length();
73 const size_t KEY_BYTES = (key_bits + 7) / 8;
75 if(key_bits < 8*HASH_SIZE + 9)
78 if(raw.size() != HASH_SIZE)
81 if(const_coded.size() > KEY_BYTES || const_coded.size() <= 1)
84 if(const_coded[const_coded.size()-1] != 0xBC)
87 secure_vector<uint8_t> coded = const_coded;
88 if(coded.size() < KEY_BYTES)
90 secure_vector<uint8_t> temp(KEY_BYTES);
95 const size_t TOP_BITS = 8 * ((key_bits + 7) / 8) - key_bits;
96 if(TOP_BITS > 8 -
high_bit(coded[0]))
99 uint8_t* DB = coded.data();
100 const size_t DB_size = coded.size() - HASH_SIZE - 1;
102 const uint8_t* H = &coded[DB_size];
103 const size_t H_size = HASH_SIZE;
105 mgf1_mask(*m_hash, H, H_size, DB, DB_size);
106 DB[0] &= 0xFF >> TOP_BITS;
108 size_t salt_offset = 0;
109 for(
size_t j = 0; j != DB_size; ++j)
112 { salt_offset = j + 1;
break; }
119 for(
size_t j = 0; j != 8; ++j)
122 m_hash->update(&DB[salt_offset], DB_size - salt_offset);
123 secure_vector<uint8_t> H2 = m_hash->final();
125 return same_mem(H, H2.data(), HASH_SIZE);
129 m_SALT_SIZE(h->output_length()),
m_hash(h)
134 m_SALT_SIZE(salt_size),
m_hash(h)
bool same_mem(const T *p1, const T *p2, size_t n)
void mgf1_mask(HashFunction &hash, const uint8_t in[], size_t in_len, uint8_t out[], size_t out_len)
size_t buffer_insert(std::vector< T, Alloc > &buf, size_t buf_offset, const T input[], size_t input_length)
std::unique_ptr< HashFunction > m_hash