1/* BEGIN_HEADER */ 2#include "mbedtls/rsa.h" 3#include "mbedtls/md.h" 4/* END_HEADER */ 5 6/* BEGIN_DEPENDENCIES 7 * depends_on:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_SHA1_C 8 * END_DEPENDENCIES 9 */ 10 11/* BEGIN_CASE */ 12void pkcs1_rsaes_v15_encrypt( int mod, int radix_N, char * input_N, 13 int radix_E, char * input_E, int hash, 14 data_t * message_str, data_t * rnd_buf, 15 data_t * result_str, int result ) 16{ 17 unsigned char output[128]; 18 mbedtls_rsa_context ctx; 19 mbedtls_test_rnd_buf_info info; 20 mbedtls_mpi N, E; 21 22 info.fallback_f_rng = mbedtls_test_rnd_std_rand; 23 info.fallback_p_rng = NULL; 24 info.buf = rnd_buf->x; 25 info.length = rnd_buf->len; 26 27 mbedtls_mpi_init( &N ); mbedtls_mpi_init( &E ); 28 mbedtls_rsa_init( &ctx, MBEDTLS_RSA_PKCS_V15, hash ); 29 memset( output, 0x00, sizeof( output ) ); 30 31 TEST_ASSERT( mbedtls_test_read_mpi( &N, radix_N, input_N ) == 0 ); 32 TEST_ASSERT( mbedtls_test_read_mpi( &E, radix_E, input_E ) == 0 ); 33 TEST_ASSERT( mbedtls_rsa_import( &ctx, &N, NULL, NULL, NULL, &E ) == 0 ); 34 TEST_ASSERT( mbedtls_rsa_get_len( &ctx ) == (size_t) ( ( mod + 7 ) / 8 ) ); 35 TEST_ASSERT( mbedtls_rsa_check_pubkey( &ctx ) == 0 ); 36 37 if( message_str->len == 0 ) 38 message_str->x = NULL; 39 TEST_ASSERT( mbedtls_rsa_pkcs1_encrypt( &ctx, 40 &mbedtls_test_rnd_buffer_rand, 41 &info, MBEDTLS_RSA_PUBLIC, 42 message_str->len, message_str->x, 43 output ) == result ); 44 45 if( result == 0 ) 46 { 47 TEST_ASSERT( mbedtls_test_hexcmp( output, result_str->x, 48 ctx.len, result_str->len ) == 0 ); 49 } 50 51exit: 52 mbedtls_mpi_free( &N ); mbedtls_mpi_free( &E ); 53 mbedtls_rsa_free( &ctx ); 54} 55/* END_CASE */ 56 57/* BEGIN_CASE */ 58void pkcs1_rsaes_v15_decrypt( int mod, int radix_P, char * input_P, 59 int radix_Q, char * input_Q, int radix_N, 60 char * input_N, int radix_E, char * input_E, 61 int hash, data_t * result_str, 62 char * seed, data_t * message_str, 63 int result ) 64{ 65 unsigned char output[128]; 66 mbedtls_rsa_context ctx; 67 size_t output_len; 68 mbedtls_test_rnd_pseudo_info rnd_info; 69 mbedtls_mpi N, P, Q, E; 70 ((void) seed); 71 72 mbedtls_mpi_init( &N ); mbedtls_mpi_init( &P ); 73 mbedtls_mpi_init( &Q ); mbedtls_mpi_init( &E ); 74 mbedtls_rsa_init( &ctx, MBEDTLS_RSA_PKCS_V15, hash ); 75 76 memset( output, 0x00, sizeof( output ) ); 77 memset( &rnd_info, 0, sizeof( mbedtls_test_rnd_pseudo_info ) ); 78 79 TEST_ASSERT( mbedtls_test_read_mpi( &P, radix_P, input_P ) == 0 ); 80 TEST_ASSERT( mbedtls_test_read_mpi( &Q, radix_Q, input_Q ) == 0 ); 81 TEST_ASSERT( mbedtls_test_read_mpi( &N, radix_N, input_N ) == 0 ); 82 TEST_ASSERT( mbedtls_test_read_mpi( &E, radix_E, input_E ) == 0 ); 83 84 TEST_ASSERT( mbedtls_rsa_import( &ctx, &N, &P, &Q, NULL, &E ) == 0 ); 85 TEST_ASSERT( mbedtls_rsa_get_len( &ctx ) == (size_t) ( ( mod + 7 ) / 8 ) ); 86 TEST_ASSERT( mbedtls_rsa_complete( &ctx ) == 0 ); 87 TEST_ASSERT( mbedtls_rsa_check_privkey( &ctx ) == 0 ); 88 89 if( result_str->len == 0 ) 90 { 91 TEST_ASSERT( mbedtls_rsa_pkcs1_decrypt( &ctx, 92 &mbedtls_test_rnd_pseudo_rand, 93 &rnd_info, 94 MBEDTLS_RSA_PRIVATE, 95 &output_len, message_str->x, 96 NULL, 0 ) == result ); 97 } 98 else 99 { 100 TEST_ASSERT( mbedtls_rsa_pkcs1_decrypt( &ctx, 101 &mbedtls_test_rnd_pseudo_rand, 102 &rnd_info, MBEDTLS_RSA_PRIVATE, 103 &output_len, message_str->x, 104 output, 1000 ) == result ); 105 if( result == 0 ) 106 { 107 TEST_ASSERT( mbedtls_test_hexcmp( output, result_str->x, 108 output_len, 109 result_str->len) == 0 ); 110 } 111 } 112 113exit: 114 mbedtls_mpi_free( &N ); mbedtls_mpi_free( &P ); 115 mbedtls_mpi_free( &Q ); mbedtls_mpi_free( &E ); 116 mbedtls_rsa_free( &ctx ); 117} 118/* END_CASE */ 119 120/* BEGIN_CASE */ 121void pkcs1_v15_decode( int mode, 122 data_t *input, 123 int expected_plaintext_length_arg, 124 int output_size_arg, 125 int expected_result ) 126{ 127 size_t expected_plaintext_length = expected_plaintext_length_arg; 128 size_t output_size = output_size_arg; 129 mbedtls_test_rnd_pseudo_info rnd_info; 130 mbedtls_mpi Nmpi, Empi, Pmpi, Qmpi; 131 mbedtls_rsa_context ctx; 132 static unsigned char N[128] = { 133 0xc4, 0x79, 0x4c, 0x6d, 0xb2, 0xe9, 0xdf, 0xc5, 134 0xe5, 0xd7, 0x55, 0x4b, 0xfb, 0x6c, 0x2e, 0xec, 135 0x84, 0xd0, 0x88, 0x12, 0xaf, 0xbf, 0xb4, 0xf5, 136 0x47, 0x3c, 0x7e, 0x92, 0x4c, 0x58, 0xc8, 0x73, 137 0xfe, 0x8f, 0x2b, 0x8f, 0x8e, 0xc8, 0x5c, 0xf5, 138 0x05, 0xeb, 0xfb, 0x0d, 0x7b, 0x2a, 0x93, 0xde, 139 0x15, 0x0d, 0xc8, 0x13, 0xcf, 0xd2, 0x6f, 0x0d, 140 0x9d, 0xad, 0x30, 0xe5, 0x70, 0x20, 0x92, 0x9e, 141 0xb3, 0x6b, 0xba, 0x5c, 0x50, 0x0f, 0xc3, 0xb2, 142 0x7e, 0x64, 0x07, 0x94, 0x7e, 0xc9, 0x4e, 0xc1, 143 0x65, 0x04, 0xaf, 0xb3, 0x9f, 0xde, 0xa8, 0x46, 144 0xfa, 0x6c, 0xf3, 0x03, 0xaf, 0x1c, 0x1b, 0xec, 145 0x75, 0x44, 0x66, 0x77, 0xc9, 0xde, 0x51, 0x33, 146 0x64, 0x27, 0xb0, 0xd4, 0x8d, 0x31, 0x6a, 0x11, 147 0x27, 0x3c, 0x99, 0xd4, 0x22, 0xc0, 0x9d, 0x12, 148 0x01, 0xc7, 0x4a, 0x73, 0xac, 0xbf, 0xc2, 0xbb 149 }; 150 static unsigned char E[1] = { 0x03 }; 151 static unsigned char P[64] = { 152 0xe5, 0x53, 0x1f, 0x88, 0x51, 0xee, 0x59, 0xf8, 153 0xc1, 0xe4, 0xcc, 0x5b, 0xb3, 0x75, 0x8d, 0xc8, 154 0xe8, 0x95, 0x2f, 0xd0, 0xef, 0x37, 0xb4, 0xcd, 155 0xd3, 0x9e, 0x48, 0x8b, 0x81, 0x58, 0x60, 0xb9, 156 0x27, 0x1d, 0xb6, 0x28, 0x92, 0x64, 0xa3, 0xa5, 157 0x64, 0xbd, 0xcc, 0x53, 0x68, 0xdd, 0x3e, 0x55, 158 0xea, 0x9d, 0x5e, 0xcd, 0x1f, 0x96, 0x87, 0xf1, 159 0x29, 0x75, 0x92, 0x70, 0x8f, 0x28, 0xfb, 0x2b 160 }; 161 static unsigned char Q[64] = { 162 0xdb, 0x53, 0xef, 0x74, 0x61, 0xb4, 0x20, 0x3b, 163 0x3b, 0x87, 0x76, 0x75, 0x81, 0x56, 0x11, 0x03, 164 0x59, 0x31, 0xe3, 0x38, 0x4b, 0x8c, 0x7a, 0x9c, 165 0x05, 0xd6, 0x7f, 0x1e, 0x5e, 0x60, 0xf0, 0x4e, 166 0x0b, 0xdc, 0x34, 0x54, 0x1c, 0x2e, 0x90, 0x83, 167 0x14, 0xef, 0xc0, 0x96, 0x5c, 0x30, 0x10, 0xcc, 168 0xc1, 0xba, 0xa0, 0x54, 0x3f, 0x96, 0x24, 0xca, 169 0xa3, 0xfb, 0x55, 0xbc, 0x71, 0x29, 0x4e, 0xb1 170 }; 171 unsigned char original[128]; 172 unsigned char intermediate[128]; 173 static unsigned char default_content[128] = { 174 /* A randomly generated pattern. */ 175 0x4c, 0x27, 0x54, 0xa0, 0xce, 0x0d, 0x09, 0x4a, 176 0x1c, 0x38, 0x8e, 0x2d, 0xa3, 0xc4, 0xe0, 0x19, 177 0x4c, 0x99, 0xb2, 0xbf, 0xe6, 0x65, 0x7e, 0x58, 178 0xd7, 0xb6, 0x8a, 0x05, 0x2f, 0xa5, 0xec, 0xa4, 179 0x35, 0xad, 0x10, 0x36, 0xff, 0x0d, 0x08, 0x50, 180 0x74, 0x47, 0xc9, 0x9c, 0x4a, 0xe7, 0xfd, 0xfa, 181 0x83, 0x5f, 0x14, 0x5a, 0x1e, 0xe7, 0x35, 0x08, 182 0xad, 0xf7, 0x0d, 0x86, 0xdf, 0xb8, 0xd4, 0xcf, 183 0x32, 0xb9, 0x5c, 0xbe, 0xa3, 0xd2, 0x89, 0x70, 184 0x7b, 0xc6, 0x48, 0x7e, 0x58, 0x4d, 0xf3, 0xef, 185 0x34, 0xb7, 0x57, 0x54, 0x79, 0xc5, 0x8e, 0x0a, 186 0xa3, 0xbf, 0x6d, 0x42, 0x83, 0x25, 0x13, 0xa2, 187 0x95, 0xc0, 0x0d, 0x32, 0xec, 0x77, 0x91, 0x2b, 188 0x68, 0xb6, 0x8c, 0x79, 0x15, 0xfb, 0x94, 0xde, 189 0xb9, 0x2b, 0x94, 0xb3, 0x28, 0x23, 0x86, 0x3d, 190 0x37, 0x00, 0xe6, 0xf1, 0x1f, 0x4e, 0xd4, 0x42 191 }; 192 unsigned char final[128]; 193 size_t output_length = 0x7EA0; 194 195 memset( &rnd_info, 0, sizeof( mbedtls_test_rnd_pseudo_info ) ); 196 mbedtls_mpi_init( &Nmpi ); mbedtls_mpi_init( &Empi ); 197 mbedtls_mpi_init( &Pmpi ); mbedtls_mpi_init( &Qmpi ); 198 mbedtls_rsa_init( &ctx, MBEDTLS_RSA_PKCS_V15, 0 ); 199 200 TEST_ASSERT( mbedtls_mpi_read_binary( &Nmpi, N, sizeof( N ) ) == 0 ); 201 TEST_ASSERT( mbedtls_mpi_read_binary( &Empi, E, sizeof( E ) ) == 0 ); 202 TEST_ASSERT( mbedtls_mpi_read_binary( &Pmpi, P, sizeof( P ) ) == 0 ); 203 TEST_ASSERT( mbedtls_mpi_read_binary( &Qmpi, Q, sizeof( Q ) ) == 0 ); 204 205 TEST_ASSERT( mbedtls_rsa_import( &ctx, &Nmpi, &Pmpi, &Qmpi, 206 NULL, &Empi ) == 0 ); 207 TEST_ASSERT( mbedtls_rsa_complete( &ctx ) == 0 ); 208 209 TEST_ASSERT( input->len <= sizeof( N ) ); 210 memcpy( original, input->x, input->len ); 211 memset( original + input->len, 'd', sizeof( original ) - input->len ); 212 if( mode == MBEDTLS_RSA_PRIVATE ) 213 TEST_ASSERT( mbedtls_rsa_public( &ctx, original, intermediate ) == 0 ); 214 else 215 TEST_ASSERT( mbedtls_rsa_private( &ctx, &mbedtls_test_rnd_pseudo_rand, 216 &rnd_info, original, 217 intermediate ) == 0 ); 218 219 memcpy( final, default_content, sizeof( final ) ); 220 TEST_ASSERT( mbedtls_rsa_pkcs1_decrypt( &ctx, 221 &mbedtls_test_rnd_pseudo_rand, 222 &rnd_info, mode, &output_length, 223 intermediate, final, 224 output_size ) == expected_result ); 225 if( expected_result == 0 ) 226 { 227 TEST_ASSERT( output_length == expected_plaintext_length ); 228 TEST_ASSERT( memcmp( original + sizeof( N ) - output_length, 229 final, 230 output_length ) == 0 ); 231 } 232 else if( expected_result == MBEDTLS_ERR_RSA_INVALID_PADDING || 233 expected_result == MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE ) 234 { 235 size_t max_payload_length = 236 output_size > sizeof( N ) - 11 ? sizeof( N ) - 11 : output_size; 237 size_t i; 238 size_t count = 0; 239 240#if !defined(MBEDTLS_RSA_ALT) 241 /* Check that the output in invalid cases is what the default 242 * implementation currently does. Alternative implementations 243 * may produce different output, so we only perform these precise 244 * checks when using the default implementation. */ 245 TEST_ASSERT( output_length == max_payload_length ); 246 for( i = 0; i < max_payload_length; i++ ) 247 TEST_ASSERT( final[i] == 0 ); 248#endif 249 /* Even in alternative implementations, the outputs must have 250 * changed, otherwise it indicates at least a timing vulnerability 251 * because no write to the outputs is performed in the bad case. */ 252 TEST_ASSERT( output_length != 0x7EA0 ); 253 for( i = 0; i < max_payload_length; i++ ) 254 count += ( final[i] == default_content[i] ); 255 /* If more than 16 bytes are unchanged in final, that's evidence 256 * that final wasn't overwritten. */ 257 TEST_ASSERT( count < 16 ); 258 } 259 260exit: 261 mbedtls_mpi_free( &Nmpi ); mbedtls_mpi_free( &Empi ); 262 mbedtls_mpi_free( &Pmpi ); mbedtls_mpi_free( &Qmpi ); 263 mbedtls_rsa_free( &ctx ); 264} 265/* END_CASE */ 266 267/* BEGIN_CASE */ 268void pkcs1_rsassa_v15_sign( int mod, int radix_P, char * input_P, int radix_Q, 269 char * input_Q, int radix_N, char * input_N, 270 int radix_E, char * input_E, int digest, int hash, 271 data_t * message_str, data_t * rnd_buf, 272 data_t * result_str, int result ) 273{ 274 unsigned char hash_result[MBEDTLS_MD_MAX_SIZE]; 275 unsigned char output[128]; 276 mbedtls_rsa_context ctx; 277 mbedtls_mpi N, P, Q, E; 278 mbedtls_test_rnd_buf_info info; 279 280 info.fallback_f_rng = mbedtls_test_rnd_std_rand; 281 info.fallback_p_rng = NULL; 282 info.buf = rnd_buf->x; 283 info.length = rnd_buf->len; 284 285 mbedtls_mpi_init( &N ); mbedtls_mpi_init( &P ); 286 mbedtls_mpi_init( &Q ); mbedtls_mpi_init( &E ); 287 mbedtls_rsa_init( &ctx, MBEDTLS_RSA_PKCS_V15, hash ); 288 289 memset( hash_result, 0x00, sizeof( hash_result ) ); 290 memset( output, 0x00, sizeof( output ) ); 291 292 TEST_ASSERT( mbedtls_test_read_mpi( &P, radix_P, input_P ) == 0 ); 293 TEST_ASSERT( mbedtls_test_read_mpi( &Q, radix_Q, input_Q ) == 0 ); 294 TEST_ASSERT( mbedtls_test_read_mpi( &N, radix_N, input_N ) == 0 ); 295 TEST_ASSERT( mbedtls_test_read_mpi( &E, radix_E, input_E ) == 0 ); 296 297 TEST_ASSERT( mbedtls_rsa_import( &ctx, &N, &P, &Q, NULL, &E ) == 0 ); 298 TEST_ASSERT( mbedtls_rsa_get_len( &ctx ) == (size_t) ( ( mod + 7 ) / 8 ) ); 299 TEST_ASSERT( mbedtls_rsa_complete( &ctx ) == 0 ); 300 TEST_ASSERT( mbedtls_rsa_check_privkey( &ctx ) == 0 ); 301 302 303 if( mbedtls_md_info_from_type( digest ) != NULL ) 304 TEST_ASSERT( mbedtls_md( mbedtls_md_info_from_type( digest ), message_str->x, message_str->len, hash_result ) == 0 ); 305 306 TEST_ASSERT( mbedtls_rsa_pkcs1_sign( &ctx, &mbedtls_test_rnd_buffer_rand, 307 &info, MBEDTLS_RSA_PRIVATE, digest, 308 0, hash_result, output ) == result ); 309 if( result == 0 ) 310 { 311 312 TEST_ASSERT( mbedtls_test_hexcmp( output, result_str->x, 313 ctx.len, result_str->len ) == 0 ); 314 } 315 316exit: 317 mbedtls_mpi_free( &N ); mbedtls_mpi_free( &P ); 318 mbedtls_mpi_free( &Q ); mbedtls_mpi_free( &E ); 319 mbedtls_rsa_free( &ctx ); 320} 321/* END_CASE */ 322 323/* BEGIN_CASE */ 324void pkcs1_rsassa_v15_verify( int mod, int radix_N, char * input_N, 325 int radix_E, char * input_E, int digest, 326 int hash, data_t * message_str, char * salt, 327 data_t * result_str, int result ) 328{ 329 unsigned char hash_result[MBEDTLS_MD_MAX_SIZE]; 330 mbedtls_rsa_context ctx; 331 mbedtls_mpi N, E; 332 ((void) salt); 333 334 mbedtls_mpi_init( &N ); mbedtls_mpi_init( &E ); 335 mbedtls_rsa_init( &ctx, MBEDTLS_RSA_PKCS_V15, hash ); 336 memset( hash_result, 0x00, sizeof( hash_result ) ); 337 338 TEST_ASSERT( mbedtls_test_read_mpi( &N, radix_N, input_N ) == 0 ); 339 TEST_ASSERT( mbedtls_test_read_mpi( &E, radix_E, input_E ) == 0 ); 340 TEST_ASSERT( mbedtls_rsa_import( &ctx, &N, NULL, NULL, NULL, &E ) == 0 ); 341 TEST_ASSERT( mbedtls_rsa_get_len( &ctx ) == (size_t) ( ( mod + 7 ) / 8 ) ); 342 TEST_ASSERT( mbedtls_rsa_check_pubkey( &ctx ) == 0 ); 343 344 345 if( mbedtls_md_info_from_type( digest ) != NULL ) 346 TEST_ASSERT( mbedtls_md( mbedtls_md_info_from_type( digest ), message_str->x, message_str->len, hash_result ) == 0 ); 347 348 TEST_ASSERT( mbedtls_rsa_pkcs1_verify( &ctx, NULL, NULL, MBEDTLS_RSA_PUBLIC, digest, 0, hash_result, result_str->x ) == result ); 349 350exit: 351 mbedtls_mpi_free( &N ); mbedtls_mpi_free( &E ); 352 mbedtls_rsa_free( &ctx ); 353} 354/* END_CASE */ 355
