1/* BEGIN_HEADER */ 2#include "mbedtls/rsa.h" 3#include "mbedtls/md.h" 4/* END_HEADER */ 5 6/* BEGIN_DEPENDENCIES 7 * depends_on:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_SHA1_C 8 * END_DEPENDENCIES 9 */ 10 11/* BEGIN_CASE */ 12void pkcs1_rsaes_v15_encrypt( int mod, int radix_N, char * input_N, 13 int radix_E, char * input_E, int hash, 14 data_t * message_str, data_t * rnd_buf, 15 data_t * result_str, int result ) 16{ 17 unsigned char output[128]; 18 mbedtls_rsa_context ctx; 19 mbedtls_test_rnd_buf_info info; 20 mbedtls_mpi N, E; 21 22 info.fallback_f_rng = mbedtls_test_rnd_std_rand; 23 info.fallback_p_rng = NULL; 24 info.buf = rnd_buf->x; 25 info.length = rnd_buf->len; 26 27 mbedtls_mpi_init( &N ); mbedtls_mpi_init( &E ); 28 mbedtls_rsa_init( &ctx ); 29 TEST_ASSERT( mbedtls_rsa_set_padding( &ctx, 30 MBEDTLS_RSA_PKCS_V15, hash ) == 0 ); 31 memset( output, 0x00, sizeof( output ) ); 32 33 TEST_ASSERT( mbedtls_test_read_mpi( &N, radix_N, input_N ) == 0 ); 34 TEST_ASSERT( mbedtls_test_read_mpi( &E, radix_E, input_E ) == 0 ); 35 TEST_ASSERT( mbedtls_rsa_import( &ctx, &N, NULL, NULL, NULL, &E ) == 0 ); 36 TEST_ASSERT( mbedtls_rsa_get_len( &ctx ) == (size_t) ( ( mod + 7 ) / 8 ) ); 37 TEST_ASSERT( mbedtls_rsa_check_pubkey( &ctx ) == 0 ); 38 39 if( message_str->len == 0 ) 40 message_str->x = NULL; 41 TEST_ASSERT( mbedtls_rsa_pkcs1_encrypt( &ctx, 42 &mbedtls_test_rnd_buffer_rand, 43 &info, message_str->len, 44 message_str->x, 45 output ) == result ); 46 47 if( result == 0 ) 48 { 49 TEST_ASSERT( mbedtls_test_hexcmp( output, result_str->x, 50 ctx.len, result_str->len ) == 0 ); 51 } 52 53exit: 54 mbedtls_mpi_free( &N ); mbedtls_mpi_free( &E ); 55 mbedtls_rsa_free( &ctx ); 56} 57/* END_CASE */ 58 59/* BEGIN_CASE */ 60void pkcs1_rsaes_v15_decrypt( int mod, int radix_P, char * input_P, 61 int radix_Q, char * input_Q, int radix_N, 62 char * input_N, int radix_E, char * input_E, 63 int hash, data_t * result_str, 64 char * seed, data_t * message_str, 65 int result ) 66{ 67 unsigned char output[128]; 68 mbedtls_rsa_context ctx; 69 size_t output_len; 70 mbedtls_test_rnd_pseudo_info rnd_info; 71 mbedtls_mpi N, P, Q, E; 72 ((void) seed); 73 74 mbedtls_mpi_init( &N ); mbedtls_mpi_init( &P ); 75 mbedtls_mpi_init( &Q ); mbedtls_mpi_init( &E ); 76 mbedtls_rsa_init( &ctx ); 77 TEST_ASSERT( mbedtls_rsa_set_padding( &ctx, 78 MBEDTLS_RSA_PKCS_V15, hash ) == 0 ); 79 80 memset( output, 0x00, sizeof( output ) ); 81 memset( &rnd_info, 0, sizeof( mbedtls_test_rnd_pseudo_info ) ); 82 83 TEST_ASSERT( mbedtls_test_read_mpi( &P, radix_P, input_P ) == 0 ); 84 TEST_ASSERT( mbedtls_test_read_mpi( &Q, radix_Q, input_Q ) == 0 ); 85 TEST_ASSERT( mbedtls_test_read_mpi( &N, radix_N, input_N ) == 0 ); 86 TEST_ASSERT( mbedtls_test_read_mpi( &E, radix_E, input_E ) == 0 ); 87 88 TEST_ASSERT( mbedtls_rsa_import( &ctx, &N, &P, &Q, NULL, &E ) == 0 ); 89 TEST_ASSERT( mbedtls_rsa_get_len( &ctx ) == (size_t) ( ( mod + 7 ) / 8 ) ); 90 TEST_ASSERT( mbedtls_rsa_complete( &ctx ) == 0 ); 91 TEST_ASSERT( mbedtls_rsa_check_privkey( &ctx ) == 0 ); 92 93 if( result_str->len == 0 ) 94 { 95 TEST_ASSERT( mbedtls_rsa_pkcs1_decrypt( &ctx, 96 &mbedtls_test_rnd_pseudo_rand, 97 &rnd_info, 98 &output_len, message_str->x, 99 NULL, 0 ) == result ); 100 } 101 else 102 { 103 TEST_ASSERT( mbedtls_rsa_pkcs1_decrypt( &ctx, 104 &mbedtls_test_rnd_pseudo_rand, 105 &rnd_info, 106 &output_len, message_str->x, 107 output, 1000 ) == result ); 108 if( result == 0 ) 109 { 110 TEST_ASSERT( mbedtls_test_hexcmp( output, result_str->x, 111 output_len, 112 result_str->len) == 0 ); 113 } 114 } 115 116exit: 117 mbedtls_mpi_free( &N ); mbedtls_mpi_free( &P ); 118 mbedtls_mpi_free( &Q ); mbedtls_mpi_free( &E ); 119 mbedtls_rsa_free( &ctx ); 120} 121/* END_CASE */ 122 123/* BEGIN_CASE */ 124void pkcs1_v15_decode( data_t *input, 125 int expected_plaintext_length_arg, 126 int output_size_arg, 127 int expected_result ) 128{ 129 size_t expected_plaintext_length = expected_plaintext_length_arg; 130 size_t output_size = output_size_arg; 131 mbedtls_test_rnd_pseudo_info rnd_info; 132 mbedtls_mpi Nmpi, Empi, Pmpi, Qmpi; 133 mbedtls_rsa_context ctx; 134 static unsigned char N[128] = { 135 0xc4, 0x79, 0x4c, 0x6d, 0xb2, 0xe9, 0xdf, 0xc5, 136 0xe5, 0xd7, 0x55, 0x4b, 0xfb, 0x6c, 0x2e, 0xec, 137 0x84, 0xd0, 0x88, 0x12, 0xaf, 0xbf, 0xb4, 0xf5, 138 0x47, 0x3c, 0x7e, 0x92, 0x4c, 0x58, 0xc8, 0x73, 139 0xfe, 0x8f, 0x2b, 0x8f, 0x8e, 0xc8, 0x5c, 0xf5, 140 0x05, 0xeb, 0xfb, 0x0d, 0x7b, 0x2a, 0x93, 0xde, 141 0x15, 0x0d, 0xc8, 0x13, 0xcf, 0xd2, 0x6f, 0x0d, 142 0x9d, 0xad, 0x30, 0xe5, 0x70, 0x20, 0x92, 0x9e, 143 0xb3, 0x6b, 0xba, 0x5c, 0x50, 0x0f, 0xc3, 0xb2, 144 0x7e, 0x64, 0x07, 0x94, 0x7e, 0xc9, 0x4e, 0xc1, 145 0x65, 0x04, 0xaf, 0xb3, 0x9f, 0xde, 0xa8, 0x46, 146 0xfa, 0x6c, 0xf3, 0x03, 0xaf, 0x1c, 0x1b, 0xec, 147 0x75, 0x44, 0x66, 0x77, 0xc9, 0xde, 0x51, 0x33, 148 0x64, 0x27, 0xb0, 0xd4, 0x8d, 0x31, 0x6a, 0x11, 149 0x27, 0x3c, 0x99, 0xd4, 0x22, 0xc0, 0x9d, 0x12, 150 0x01, 0xc7, 0x4a, 0x73, 0xac, 0xbf, 0xc2, 0xbb 151 }; 152 static unsigned char E[1] = { 0x03 }; 153 static unsigned char P[64] = { 154 0xe5, 0x53, 0x1f, 0x88, 0x51, 0xee, 0x59, 0xf8, 155 0xc1, 0xe4, 0xcc, 0x5b, 0xb3, 0x75, 0x8d, 0xc8, 156 0xe8, 0x95, 0x2f, 0xd0, 0xef, 0x37, 0xb4, 0xcd, 157 0xd3, 0x9e, 0x48, 0x8b, 0x81, 0x58, 0x60, 0xb9, 158 0x27, 0x1d, 0xb6, 0x28, 0x92, 0x64, 0xa3, 0xa5, 159 0x64, 0xbd, 0xcc, 0x53, 0x68, 0xdd, 0x3e, 0x55, 160 0xea, 0x9d, 0x5e, 0xcd, 0x1f, 0x96, 0x87, 0xf1, 161 0x29, 0x75, 0x92, 0x70, 0x8f, 0x28, 0xfb, 0x2b 162 }; 163 static unsigned char Q[64] = { 164 0xdb, 0x53, 0xef, 0x74, 0x61, 0xb4, 0x20, 0x3b, 165 0x3b, 0x87, 0x76, 0x75, 0x81, 0x56, 0x11, 0x03, 166 0x59, 0x31, 0xe3, 0x38, 0x4b, 0x8c, 0x7a, 0x9c, 167 0x05, 0xd6, 0x7f, 0x1e, 0x5e, 0x60, 0xf0, 0x4e, 168 0x0b, 0xdc, 0x34, 0x54, 0x1c, 0x2e, 0x90, 0x83, 169 0x14, 0xef, 0xc0, 0x96, 0x5c, 0x30, 0x10, 0xcc, 170 0xc1, 0xba, 0xa0, 0x54, 0x3f, 0x96, 0x24, 0xca, 171 0xa3, 0xfb, 0x55, 0xbc, 0x71, 0x29, 0x4e, 0xb1 172 }; 173 unsigned char original[128]; 174 unsigned char intermediate[128]; 175 static unsigned char default_content[128] = { 176 /* A randomly generated pattern. */ 177 0x4c, 0x27, 0x54, 0xa0, 0xce, 0x0d, 0x09, 0x4a, 178 0x1c, 0x38, 0x8e, 0x2d, 0xa3, 0xc4, 0xe0, 0x19, 179 0x4c, 0x99, 0xb2, 0xbf, 0xe6, 0x65, 0x7e, 0x58, 180 0xd7, 0xb6, 0x8a, 0x05, 0x2f, 0xa5, 0xec, 0xa4, 181 0x35, 0xad, 0x10, 0x36, 0xff, 0x0d, 0x08, 0x50, 182 0x74, 0x47, 0xc9, 0x9c, 0x4a, 0xe7, 0xfd, 0xfa, 183 0x83, 0x5f, 0x14, 0x5a, 0x1e, 0xe7, 0x35, 0x08, 184 0xad, 0xf7, 0x0d, 0x86, 0xdf, 0xb8, 0xd4, 0xcf, 185 0x32, 0xb9, 0x5c, 0xbe, 0xa3, 0xd2, 0x89, 0x70, 186 0x7b, 0xc6, 0x48, 0x7e, 0x58, 0x4d, 0xf3, 0xef, 187 0x34, 0xb7, 0x57, 0x54, 0x79, 0xc5, 0x8e, 0x0a, 188 0xa3, 0xbf, 0x6d, 0x42, 0x83, 0x25, 0x13, 0xa2, 189 0x95, 0xc0, 0x0d, 0x32, 0xec, 0x77, 0x91, 0x2b, 190 0x68, 0xb6, 0x8c, 0x79, 0x15, 0xfb, 0x94, 0xde, 191 0xb9, 0x2b, 0x94, 0xb3, 0x28, 0x23, 0x86, 0x3d, 192 0x37, 0x00, 0xe6, 0xf1, 0x1f, 0x4e, 0xd4, 0x42 193 }; 194 unsigned char final[128]; 195 size_t output_length = 0x7EA0; 196 197 memset( &rnd_info, 0, sizeof( mbedtls_test_rnd_pseudo_info ) ); 198 mbedtls_mpi_init( &Nmpi ); mbedtls_mpi_init( &Empi ); 199 mbedtls_mpi_init( &Pmpi ); mbedtls_mpi_init( &Qmpi ); 200 mbedtls_rsa_init( &ctx ); 201 202 TEST_ASSERT( mbedtls_mpi_read_binary( &Nmpi, N, sizeof( N ) ) == 0 ); 203 TEST_ASSERT( mbedtls_mpi_read_binary( &Empi, E, sizeof( E ) ) == 0 ); 204 TEST_ASSERT( mbedtls_mpi_read_binary( &Pmpi, P, sizeof( P ) ) == 0 ); 205 TEST_ASSERT( mbedtls_mpi_read_binary( &Qmpi, Q, sizeof( Q ) ) == 0 ); 206 207 TEST_ASSERT( mbedtls_rsa_import( &ctx, &Nmpi, &Pmpi, &Qmpi, 208 NULL, &Empi ) == 0 ); 209 TEST_ASSERT( mbedtls_rsa_complete( &ctx ) == 0 ); 210 211 TEST_ASSERT( input->len <= sizeof( N ) ); 212 memcpy( original, input->x, input->len ); 213 memset( original + input->len, 'd', sizeof( original ) - input->len ); 214 TEST_ASSERT( mbedtls_rsa_public( &ctx, original, intermediate ) == 0 ); 215 216 memcpy( final, default_content, sizeof( final ) ); 217 TEST_ASSERT( mbedtls_rsa_pkcs1_decrypt( &ctx, 218 &mbedtls_test_rnd_pseudo_rand, 219 &rnd_info, &output_length, 220 intermediate, final, 221 output_size ) == expected_result ); 222 if( expected_result == 0 ) 223 { 224 TEST_ASSERT( output_length == expected_plaintext_length ); 225 TEST_ASSERT( memcmp( original + sizeof( N ) - output_length, 226 final, 227 output_length ) == 0 ); 228 } 229 else if( expected_result == MBEDTLS_ERR_RSA_INVALID_PADDING || 230 expected_result == MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE ) 231 { 232 size_t max_payload_length = 233 output_size > sizeof( N ) - 11 ? sizeof( N ) - 11 : output_size; 234 size_t i; 235 size_t count = 0; 236 237#if !defined(MBEDTLS_RSA_ALT) 238 /* Check that the output in invalid cases is what the default 239 * implementation currently does. Alternative implementations 240 * may produce different output, so we only perform these precise 241 * checks when using the default implementation. */ 242 TEST_ASSERT( output_length == max_payload_length ); 243 for( i = 0; i < max_payload_length; i++ ) 244 TEST_ASSERT( final[i] == 0 ); 245#endif 246 /* Even in alternative implementations, the outputs must have 247 * changed, otherwise it indicates at least a timing vulnerability 248 * because no write to the outputs is performed in the bad case. */ 249 TEST_ASSERT( output_length != 0x7EA0 ); 250 for( i = 0; i < max_payload_length; i++ ) 251 count += ( final[i] == default_content[i] ); 252 /* If more than 16 bytes are unchanged in final, that's evidence 253 * that final wasn't overwritten. */ 254 TEST_ASSERT( count < 16 ); 255 } 256 257exit: 258 mbedtls_mpi_free( &Nmpi ); mbedtls_mpi_free( &Empi ); 259 mbedtls_mpi_free( &Pmpi ); mbedtls_mpi_free( &Qmpi ); 260 mbedtls_rsa_free( &ctx ); 261} 262/* END_CASE */ 263 264/* BEGIN_CASE */ 265void pkcs1_rsassa_v15_sign( int mod, int radix_P, char * input_P, int radix_Q, 266 char * input_Q, int radix_N, char * input_N, 267 int radix_E, char * input_E, int digest, int hash, 268 data_t * message_str, data_t * rnd_buf, 269 data_t * result_str, int result ) 270{ 271 unsigned char hash_result[MBEDTLS_MD_MAX_SIZE]; 272 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( digest ); 273 unsigned char output[128]; 274 mbedtls_rsa_context ctx; 275 mbedtls_mpi N, P, Q, E; 276 mbedtls_test_rnd_buf_info info; 277 278 info.fallback_f_rng = mbedtls_test_rnd_std_rand; 279 info.fallback_p_rng = NULL; 280 info.buf = rnd_buf->x; 281 info.length = rnd_buf->len; 282 283 mbedtls_mpi_init( &N ); mbedtls_mpi_init( &P ); 284 mbedtls_mpi_init( &Q ); mbedtls_mpi_init( &E ); 285 mbedtls_rsa_init( &ctx ); 286 TEST_ASSERT( mbedtls_rsa_set_padding( &ctx, 287 MBEDTLS_RSA_PKCS_V15, hash ) == 0 ); 288 289 memset( hash_result, 0x00, sizeof( hash_result ) ); 290 memset( output, 0x00, sizeof( output ) ); 291 292 TEST_ASSERT( mbedtls_test_read_mpi( &P, radix_P, input_P ) == 0 ); 293 TEST_ASSERT( mbedtls_test_read_mpi( &Q, radix_Q, input_Q ) == 0 ); 294 TEST_ASSERT( mbedtls_test_read_mpi( &N, radix_N, input_N ) == 0 ); 295 TEST_ASSERT( mbedtls_test_read_mpi( &E, radix_E, input_E ) == 0 ); 296 297 TEST_ASSERT( mbedtls_rsa_import( &ctx, &N, &P, &Q, NULL, &E ) == 0 ); 298 TEST_ASSERT( mbedtls_rsa_get_len( &ctx ) == (size_t) ( ( mod + 7 ) / 8 ) ); 299 TEST_ASSERT( mbedtls_rsa_complete( &ctx ) == 0 ); 300 TEST_ASSERT( mbedtls_rsa_check_privkey( &ctx ) == 0 ); 301 302 if( md_info != NULL ) 303 TEST_ASSERT( mbedtls_md( md_info, message_str->x, message_str->len, hash_result ) == 0 ); 304 305 TEST_ASSERT( mbedtls_rsa_pkcs1_sign( 306 &ctx, &mbedtls_test_rnd_buffer_rand, &info, 307 digest, mbedtls_md_get_size( md_info ), hash_result, 308 output ) == result ); 309 if( result == 0 ) 310 { 311 312 TEST_ASSERT( mbedtls_test_hexcmp( output, result_str->x, 313 ctx.len, result_str->len ) == 0 ); 314 } 315 316exit: 317 mbedtls_mpi_free( &N ); mbedtls_mpi_free( &P ); 318 mbedtls_mpi_free( &Q ); mbedtls_mpi_free( &E ); 319 mbedtls_rsa_free( &ctx ); 320} 321/* END_CASE */ 322 323/* BEGIN_CASE */ 324void pkcs1_rsassa_v15_verify( int mod, int radix_N, char * input_N, 325 int radix_E, char * input_E, int digest, 326 int hash, data_t * message_str, char * salt, 327 data_t * result_str, int result ) 328{ 329 unsigned char hash_result[MBEDTLS_MD_MAX_SIZE]; 330 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( digest ); 331 mbedtls_rsa_context ctx; 332 mbedtls_mpi N, E; 333 ((void) salt); 334 335 mbedtls_mpi_init( &N ); mbedtls_mpi_init( &E ); 336 mbedtls_rsa_init( &ctx ); 337 TEST_ASSERT( mbedtls_rsa_set_padding( &ctx, 338 MBEDTLS_RSA_PKCS_V15, hash ) == 0 ); 339 memset( hash_result, 0x00, sizeof( hash_result ) ); 340 341 TEST_ASSERT( mbedtls_test_read_mpi( &N, radix_N, input_N ) == 0 ); 342 TEST_ASSERT( mbedtls_test_read_mpi( &E, radix_E, input_E ) == 0 ); 343 TEST_ASSERT( mbedtls_rsa_import( &ctx, &N, NULL, NULL, NULL, &E ) == 0 ); 344 TEST_ASSERT( mbedtls_rsa_get_len( &ctx ) == (size_t) ( ( mod + 7 ) / 8 ) ); 345 TEST_ASSERT( mbedtls_rsa_check_pubkey( &ctx ) == 0 ); 346 347 348 if( md_info != NULL ) 349 TEST_ASSERT( mbedtls_md( md_info, message_str->x, message_str->len, hash_result ) == 0 ); 350 351 TEST_ASSERT( mbedtls_rsa_pkcs1_verify( &ctx, digest, mbedtls_md_get_size( md_info ), hash_result, result_str->x ) == result ); 352 353exit: 354 mbedtls_mpi_free( &N ); mbedtls_mpi_free( &E ); 355 mbedtls_rsa_free( &ctx ); 356} 357/* END_CASE */ 358