Botan  2.1.0
Crypto and TLS for C++11
pssr.cpp
Go to the documentation of this file.
1 /*
2 * PSSR
3 * (C) 1999-2007 Jack Lloyd
4 *
5 * Botan is released under the Simplified BSD License (see license.txt)
6 */
7 
8 #include <botan/pssr.h>
9 #include <botan/mgf1.h>
10 #include <botan/internal/bit_ops.h>
11 
12 namespace Botan {
13 
14 /*
15 * PSSR Update Operation
16 */
17 void PSSR::update(const uint8_t input[], size_t length)
18  {
19  m_hash->update(input, length);
20  }
21 
22 /*
23 * Return the raw (unencoded) data
24 */
25 secure_vector<uint8_t> PSSR::raw_data()
26  {
27  return m_hash->final();
28  }
29 
30 /*
31 * PSSR Encode Operation
32 */
33 secure_vector<uint8_t> PSSR::encoding_of(const secure_vector<uint8_t>& msg,
34  size_t output_bits,
35  RandomNumberGenerator& rng)
36  {
37  const size_t HASH_SIZE = m_hash->output_length();
38 
39  if(msg.size() != HASH_SIZE)
40  throw Encoding_Error("PSSR::encoding_of: Bad input length");
41  if(output_bits < 8*HASH_SIZE + 8*m_SALT_SIZE + 9)
42  throw Encoding_Error("PSSR::encoding_of: Output length is too small");
43 
44  const size_t output_length = (output_bits + 7) / 8;
45 
46  secure_vector<uint8_t> salt = rng.random_vec(m_SALT_SIZE);
47 
48  for(size_t j = 0; j != 8; ++j)
49  m_hash->update(0);
50  m_hash->update(msg);
51  m_hash->update(salt);
52  secure_vector<uint8_t> H = m_hash->final();
53 
54  secure_vector<uint8_t> EM(output_length);
55 
56  EM[output_length - HASH_SIZE - m_SALT_SIZE - 2] = 0x01;
57  buffer_insert(EM, output_length - 1 - HASH_SIZE - m_SALT_SIZE, salt);
58  mgf1_mask(*m_hash, H.data(), HASH_SIZE, EM.data(), output_length - HASH_SIZE - 1);
59  EM[0] &= 0xFF >> (8 * ((output_bits + 7) / 8) - output_bits);
60  buffer_insert(EM, output_length - 1 - HASH_SIZE, H);
61  EM[output_length-1] = 0xBC;
62 
63  return EM;
64  }
65 
66 /*
67 * PSSR Decode/Verify Operation
68 */
69 bool PSSR::verify(const secure_vector<uint8_t>& const_coded,
70  const secure_vector<uint8_t>& raw, size_t key_bits)
71  {
72  const size_t HASH_SIZE = m_hash->output_length();
73  const size_t KEY_BYTES = (key_bits + 7) / 8;
74 
75  if(key_bits < 8*HASH_SIZE + 9)
76  return false;
77 
78  if(raw.size() != HASH_SIZE)
79  return false;
80 
81  if(const_coded.size() > KEY_BYTES || const_coded.size() <= 1)
82  return false;
83 
84  if(const_coded[const_coded.size()-1] != 0xBC)
85  return false;
86 
87  secure_vector<uint8_t> coded = const_coded;
88  if(coded.size() < KEY_BYTES)
89  {
90  secure_vector<uint8_t> temp(KEY_BYTES);
91  buffer_insert(temp, KEY_BYTES - coded.size(), coded);
92  coded = temp;
93  }
94 
95  const size_t TOP_BITS = 8 * ((key_bits + 7) / 8) - key_bits;
96  if(TOP_BITS > 8 - high_bit(coded[0]))
97  return false;
98 
99  uint8_t* DB = coded.data();
100  const size_t DB_size = coded.size() - HASH_SIZE - 1;
101 
102  const uint8_t* H = &coded[DB_size];
103  const size_t H_size = HASH_SIZE;
104 
105  mgf1_mask(*m_hash, H, H_size, DB, DB_size);
106  DB[0] &= 0xFF >> TOP_BITS;
107 
108  size_t salt_offset = 0;
109  for(size_t j = 0; j != DB_size; ++j)
110  {
111  if(DB[j] == 0x01)
112  { salt_offset = j + 1; break; }
113  if(DB[j])
114  return false;
115  }
116  if(salt_offset == 0)
117  return false;
118 
119  for(size_t j = 0; j != 8; ++j)
120  m_hash->update(0);
121  m_hash->update(raw);
122  m_hash->update(&DB[salt_offset], DB_size - salt_offset);
123  secure_vector<uint8_t> H2 = m_hash->final();
124 
125  return same_mem(H, H2.data(), HASH_SIZE);
126  }
127 
129  m_SALT_SIZE(h->output_length()), m_hash(h)
130  {
131  }
132 
134  m_SALT_SIZE(salt_size), m_hash(h)
135  {
136  }
137 
138 }
bool same_mem(const T *p1, const T *p2, size_t n)
Definition: mem_ops.h:98
size_t salt_size
size_t high_bit(T n)
Definition: bit_ops.h:37
Definition: alg_id.cpp:13
void mgf1_mask(HashFunction &hash, const uint8_t in[], size_t in_len, uint8_t out[], size_t out_len)
Definition: mgf1.cpp:14
size_t buffer_insert(std::vector< T, Alloc > &buf, size_t buf_offset, const T input[], size_t input_length)
Definition: secmem.h:133
PSSR(HashFunction *hash)
Definition: pssr.cpp:128
std::unique_ptr< HashFunction > m_hash
Definition: tpm.cpp:439