Home Explore Help
Sign In
mirrors
/
borg
mirror of https://github.com/borgbackup/borg
2
0
Fork 0
Files Issues 0 Wiki
Tree: bee4c86719
Branches Tags
borg
/
darc
/
oaep.py

oaep.py 2.5 KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071 
  1. from Crypto.Util.number import long_to_bytes
    2. 

  2. from Crypto.Hash import SHA
    3. 

  3. 

  4. from .helpers import IntegrityError
    5. 

  5. 

  6. def _xor_bytes(a, b):
    7. 

  7.     return ''.join(chr(ord(x[0]) ^ ord(x[1])) for x in zip(a, b))
    8. 

  8. 

  9. 

  10. def MGF1(seed, mask_len, hash=SHA):
    11. 

  11.     """MGF1 is a Mask Generation Function based on hash function
    12. 

  12.     """
    13. 

  13.     T = ''.join(hash.new(seed + long_to_bytes(c, 4)).digest()
    14. 

  14.                 for c in range(1 + mask_len / hash.digest_size))
    15. 

  15.     return T[:mask_len]
    16. 

  16. 

  17. 

  18. class OAEP(object):
    19. 

  19.     """Optimal Asymmetric Encryption Padding
    20. 

  20.     """
    21. 

  21.     def __init__(self, k, hash=SHA, MGF=MGF1):
    22. 

  22.         self.k = k
    23. 

  23.         self.hash = hash
    24. 

  24.         self.MGF = MGF
    25. 

  25. 

  26.     def encode(self, msg, seed, label=''):
    27. 

  27.         # FIXME: length checks
    28. 

  28.         if len(msg) > self.k - 2 * self.hash.digest_size - 2:
    29. 

  29.             raise ValueError('message too long')
    30. 

  30.         label_hash = self.hash.new(label).digest()
    31. 

  31.         padding = '\0' * (self.k - len(msg) - 2 * self.hash.digest_size - 2)
    32. 

  32.         datablock = '%s%s\1%s' % (label_hash, padding, msg)
    33. 

  33.         datablock_mask = self.MGF(seed, self.k - self.hash.digest_size - 1, self.hash)
    34. 

  34.         masked_db = _xor_bytes(datablock, datablock_mask)
    35. 

  35.         seed_mask = self.MGF(masked_db, self.hash.digest_size, self.hash)
    36. 

  36.         masked_seed = _xor_bytes(seed, seed_mask)
    37. 

  37.         return '\0%s%s' % (masked_seed, masked_db)
    38. 

  38. 

  39.     def decode(self, ciphertext, label=''):
    40. 

  40.         if len(ciphertext) < self.k:
    41. 

  41.             ciphertext = ('\0' * (self.k - len(ciphertext))) + ciphertext
    42. 

  42.         label_hash = self.hash.new(label).digest()
    43. 

  43.         masked_seed = ciphertext[1:self.hash.digest_size + 1]
    44. 

  44.         masked_db = ciphertext[-(self.k - self.hash.digest_size - 1):]
    45. 

  45.         seed_mask = self.MGF(masked_db, self.hash.digest_size, self.hash)
    46. 

  46.         seed = _xor_bytes(masked_seed, seed_mask)
    47. 

  47.         datablock_mask = self.MGF(seed, self.k - self.hash.digest_size - 1, self.hash)
    48. 

  48.         datablock = _xor_bytes(masked_db, datablock_mask)
    49. 

  49.         label_hash2 = datablock[:self.hash.digest_size]
    50. 

  50.         data = datablock[self.hash.digest_size:].lstrip('\0')
    51. 

  51.         if (ciphertext[0] != '\0' or
    52. 

  52.             label_hash != label_hash2 or
    53. 

  53.             data[0] != '\1'):
    54. 

  54.             raise IntegrityError('decryption error')
    55. 

  55.         return data[1:]
    56. 

  56. 

  57. 

  58. def test():
    59. 

  59.     from Crypto.Hash import SHA256
    60. 

  60.     import os
    61. 

  61.     import random
    62. 

  62.     oaep = OAEP(256, SHA256)
    63. 

  63.     for x in range(1000):
    64. 

  64.         M = os.urandom(random.randint(0, 100))
    65. 

  65.         EM = oaep.encode(M, os.urandom(32))
    66. 

  66.         assert len(EM) == oaep.k
    67. 

  67.         assert oaep.decode(EM) == M
    68. 

  68. 

  69. if __name__ == '__main__':
    70. 

  70.     test()
    71. 

  71.