• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1/* BEGIN_HEADER */
2#include "mbedtls/rsa.h"
3#include "mbedtls/md.h"
4/* END_HEADER */
5
6/* BEGIN_DEPENDENCIES
7 * depends_on:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
8 * END_DEPENDENCIES
9 */
10
11/* BEGIN_CASE */
12void pkcs1_rsaes_v15_encrypt( int mod, int radix_N, char * input_N,
13                              int radix_E, char * input_E, int hash,
14                              data_t * message_str, data_t * rnd_buf,
15                              data_t * result_str, int result )
16{
17    unsigned char output[128];
18    mbedtls_rsa_context ctx;
19    rnd_buf_info info;
20    mbedtls_mpi N, E;
21
22    info.buf = rnd_buf->x;
23    info.length = rnd_buf->len;
24
25    mbedtls_mpi_init( &N ); mbedtls_mpi_init( &E );
26    mbedtls_rsa_init( &ctx, MBEDTLS_RSA_PKCS_V15, hash );
27    memset( output, 0x00, sizeof( output ) );
28
29    TEST_ASSERT( mbedtls_test_read_mpi( &N, radix_N, input_N ) == 0 );
30    TEST_ASSERT( mbedtls_test_read_mpi( &E, radix_E, input_E ) == 0 );
31    TEST_ASSERT( mbedtls_rsa_import( &ctx, &N, NULL, NULL, NULL, &E ) == 0 );
32    TEST_ASSERT( mbedtls_rsa_get_len( &ctx ) == (size_t) ( ( mod + 7 ) / 8 ) );
33    TEST_ASSERT( mbedtls_rsa_check_pubkey( &ctx ) == 0 );
34
35
36    TEST_ASSERT( mbedtls_rsa_pkcs1_encrypt( &ctx, &rnd_buffer_rand, &info, MBEDTLS_RSA_PUBLIC, message_str->len, message_str->x, output ) == result );
37    if( result == 0 )
38    {
39        TEST_ASSERT( mbedtls_test_hexcmp( output, result_str->x,
40                                          ctx.len, result_str->len ) == 0 );
41    }
42
43exit:
44    mbedtls_mpi_free( &N ); mbedtls_mpi_free( &E );
45    mbedtls_rsa_free( &ctx );
46}
47/* END_CASE */
48
49/* BEGIN_CASE */
50void pkcs1_rsaes_v15_decrypt( int mod, int radix_P, char * input_P,
51                              int radix_Q, char * input_Q, int radix_N,
52                              char * input_N, int radix_E, char * input_E,
53                              int hash, data_t * result_str,
54                              char * seed, data_t * message_str,
55                              int result )
56{
57    unsigned char output[128];
58    mbedtls_rsa_context ctx;
59    size_t output_len;
60    rnd_pseudo_info rnd_info;
61    mbedtls_mpi N, P, Q, E;
62    ((void) seed);
63
64    mbedtls_mpi_init( &N ); mbedtls_mpi_init( &P );
65    mbedtls_mpi_init( &Q ); mbedtls_mpi_init( &E );
66    mbedtls_rsa_init( &ctx, MBEDTLS_RSA_PKCS_V15, hash );
67
68    memset( output, 0x00, sizeof( output ) );
69    memset( &rnd_info, 0, sizeof( rnd_pseudo_info ) );
70
71    TEST_ASSERT( mbedtls_test_read_mpi( &P, radix_P, input_P ) == 0 );
72    TEST_ASSERT( mbedtls_test_read_mpi( &Q, radix_Q, input_Q ) == 0 );
73    TEST_ASSERT( mbedtls_test_read_mpi( &N, radix_N, input_N ) == 0 );
74    TEST_ASSERT( mbedtls_test_read_mpi( &E, radix_E, input_E ) == 0 );
75
76    TEST_ASSERT( mbedtls_rsa_import( &ctx, &N, &P, &Q, NULL, &E ) == 0 );
77    TEST_ASSERT( mbedtls_rsa_get_len( &ctx ) == (size_t) ( ( mod + 7 ) / 8 ) );
78    TEST_ASSERT( mbedtls_rsa_complete( &ctx ) == 0 );
79    TEST_ASSERT( mbedtls_rsa_check_privkey( &ctx ) == 0 );
80
81    TEST_ASSERT( mbedtls_rsa_pkcs1_decrypt( &ctx, &rnd_pseudo_rand, &rnd_info, MBEDTLS_RSA_PRIVATE, &output_len, message_str->x, output, 1000 ) == result );
82    if( result == 0 )
83    {
84        TEST_ASSERT( mbedtls_test_hexcmp( output, result_str->x,
85                                          output_len,
86                                          result_str->len) == 0 );
87    }
88
89exit:
90    mbedtls_mpi_free( &N ); mbedtls_mpi_free( &P );
91    mbedtls_mpi_free( &Q ); mbedtls_mpi_free( &E );
92    mbedtls_rsa_free( &ctx );
93}
94/* END_CASE */
95
96/* BEGIN_CASE */
97void pkcs1_v15_decode( int mode,
98                       data_t *input,
99                       int expected_plaintext_length_arg,
100                       int output_size_arg,
101                       int expected_result )
102{
103    size_t expected_plaintext_length = expected_plaintext_length_arg;
104    size_t output_size = output_size_arg;
105    rnd_pseudo_info rnd_info;
106    mbedtls_mpi Nmpi, Empi, Pmpi, Qmpi;
107    mbedtls_rsa_context ctx;
108    static unsigned char N[128] = {
109        0xc4, 0x79, 0x4c, 0x6d, 0xb2, 0xe9, 0xdf, 0xc5,
110        0xe5, 0xd7, 0x55, 0x4b, 0xfb, 0x6c, 0x2e, 0xec,
111        0x84, 0xd0, 0x88, 0x12, 0xaf, 0xbf, 0xb4, 0xf5,
112        0x47, 0x3c, 0x7e, 0x92, 0x4c, 0x58, 0xc8, 0x73,
113        0xfe, 0x8f, 0x2b, 0x8f, 0x8e, 0xc8, 0x5c, 0xf5,
114        0x05, 0xeb, 0xfb, 0x0d, 0x7b, 0x2a, 0x93, 0xde,
115        0x15, 0x0d, 0xc8, 0x13, 0xcf, 0xd2, 0x6f, 0x0d,
116        0x9d, 0xad, 0x30, 0xe5, 0x70, 0x20, 0x92, 0x9e,
117        0xb3, 0x6b, 0xba, 0x5c, 0x50, 0x0f, 0xc3, 0xb2,
118        0x7e, 0x64, 0x07, 0x94, 0x7e, 0xc9, 0x4e, 0xc1,
119        0x65, 0x04, 0xaf, 0xb3, 0x9f, 0xde, 0xa8, 0x46,
120        0xfa, 0x6c, 0xf3, 0x03, 0xaf, 0x1c, 0x1b, 0xec,
121        0x75, 0x44, 0x66, 0x77, 0xc9, 0xde, 0x51, 0x33,
122        0x64, 0x27, 0xb0, 0xd4, 0x8d, 0x31, 0x6a, 0x11,
123        0x27, 0x3c, 0x99, 0xd4, 0x22, 0xc0, 0x9d, 0x12,
124        0x01, 0xc7, 0x4a, 0x73, 0xac, 0xbf, 0xc2, 0xbb
125    };
126    static unsigned char E[1] = { 0x03 };
127    static unsigned char P[64] = {
128        0xe5, 0x53, 0x1f, 0x88, 0x51, 0xee, 0x59, 0xf8,
129        0xc1, 0xe4, 0xcc, 0x5b, 0xb3, 0x75, 0x8d, 0xc8,
130        0xe8, 0x95, 0x2f, 0xd0, 0xef, 0x37, 0xb4, 0xcd,
131        0xd3, 0x9e, 0x48, 0x8b, 0x81, 0x58, 0x60, 0xb9,
132        0x27, 0x1d, 0xb6, 0x28, 0x92, 0x64, 0xa3, 0xa5,
133        0x64, 0xbd, 0xcc, 0x53, 0x68, 0xdd, 0x3e, 0x55,
134        0xea, 0x9d, 0x5e, 0xcd, 0x1f, 0x96, 0x87, 0xf1,
135        0x29, 0x75, 0x92, 0x70, 0x8f, 0x28, 0xfb, 0x2b
136    };
137    static unsigned char Q[64] = {
138        0xdb, 0x53, 0xef, 0x74, 0x61, 0xb4, 0x20, 0x3b,
139        0x3b, 0x87, 0x76, 0x75, 0x81, 0x56, 0x11, 0x03,
140        0x59, 0x31, 0xe3, 0x38, 0x4b, 0x8c, 0x7a, 0x9c,
141        0x05, 0xd6, 0x7f, 0x1e, 0x5e, 0x60, 0xf0, 0x4e,
142        0x0b, 0xdc, 0x34, 0x54, 0x1c, 0x2e, 0x90, 0x83,
143        0x14, 0xef, 0xc0, 0x96, 0x5c, 0x30, 0x10, 0xcc,
144        0xc1, 0xba, 0xa0, 0x54, 0x3f, 0x96, 0x24, 0xca,
145        0xa3, 0xfb, 0x55, 0xbc, 0x71, 0x29, 0x4e, 0xb1
146    };
147    unsigned char original[128];
148    unsigned char intermediate[128];
149    static unsigned char default_content[128] = {
150        /* A randomly generated pattern. */
151        0x4c, 0x27, 0x54, 0xa0, 0xce, 0x0d, 0x09, 0x4a,
152        0x1c, 0x38, 0x8e, 0x2d, 0xa3, 0xc4, 0xe0, 0x19,
153        0x4c, 0x99, 0xb2, 0xbf, 0xe6, 0x65, 0x7e, 0x58,
154        0xd7, 0xb6, 0x8a, 0x05, 0x2f, 0xa5, 0xec, 0xa4,
155        0x35, 0xad, 0x10, 0x36, 0xff, 0x0d, 0x08, 0x50,
156        0x74, 0x47, 0xc9, 0x9c, 0x4a, 0xe7, 0xfd, 0xfa,
157        0x83, 0x5f, 0x14, 0x5a, 0x1e, 0xe7, 0x35, 0x08,
158        0xad, 0xf7, 0x0d, 0x86, 0xdf, 0xb8, 0xd4, 0xcf,
159        0x32, 0xb9, 0x5c, 0xbe, 0xa3, 0xd2, 0x89, 0x70,
160        0x7b, 0xc6, 0x48, 0x7e, 0x58, 0x4d, 0xf3, 0xef,
161        0x34, 0xb7, 0x57, 0x54, 0x79, 0xc5, 0x8e, 0x0a,
162        0xa3, 0xbf, 0x6d, 0x42, 0x83, 0x25, 0x13, 0xa2,
163        0x95, 0xc0, 0x0d, 0x32, 0xec, 0x77, 0x91, 0x2b,
164        0x68, 0xb6, 0x8c, 0x79, 0x15, 0xfb, 0x94, 0xde,
165        0xb9, 0x2b, 0x94, 0xb3, 0x28, 0x23, 0x86, 0x3d,
166        0x37, 0x00, 0xe6, 0xf1, 0x1f, 0x4e, 0xd4, 0x42
167    };
168    unsigned char final[128];
169    size_t output_length = 0x7EA0;
170
171    memset( &rnd_info, 0, sizeof( rnd_pseudo_info ) );
172    mbedtls_mpi_init( &Nmpi ); mbedtls_mpi_init( &Empi );
173    mbedtls_mpi_init( &Pmpi ); mbedtls_mpi_init( &Qmpi );
174    mbedtls_rsa_init( &ctx, MBEDTLS_RSA_PKCS_V15, 0 );
175
176    TEST_ASSERT( mbedtls_mpi_read_binary( &Nmpi, N, sizeof( N ) ) == 0 );
177    TEST_ASSERT( mbedtls_mpi_read_binary( &Empi, E, sizeof( E ) ) == 0 );
178    TEST_ASSERT( mbedtls_mpi_read_binary( &Pmpi, P, sizeof( P ) ) == 0 );
179    TEST_ASSERT( mbedtls_mpi_read_binary( &Qmpi, Q, sizeof( Q ) ) == 0 );
180
181    TEST_ASSERT( mbedtls_rsa_import( &ctx, &Nmpi, &Pmpi, &Qmpi,
182                                     NULL, &Empi ) == 0 );
183    TEST_ASSERT( mbedtls_rsa_complete( &ctx ) == 0 );
184
185    TEST_ASSERT( input->len <= sizeof( N ) );
186    memcpy( original, input->x, input->len );
187    memset( original + input->len, 'd', sizeof( original ) - input->len );
188    if( mode == MBEDTLS_RSA_PRIVATE )
189        TEST_ASSERT( mbedtls_rsa_public( &ctx, original, intermediate ) == 0 );
190    else
191        TEST_ASSERT( mbedtls_rsa_private( &ctx, &rnd_pseudo_rand, &rnd_info,
192                                          original, intermediate ) == 0 );
193
194    memcpy( final, default_content, sizeof( final ) );
195    TEST_ASSERT( mbedtls_rsa_pkcs1_decrypt( &ctx,
196                                            &rnd_pseudo_rand, &rnd_info,
197                                            mode,
198                                            &output_length,
199                                            intermediate,
200                                            final,
201                                            output_size ) == expected_result );
202    if( expected_result == 0 )
203    {
204        TEST_ASSERT( output_length == expected_plaintext_length );
205        TEST_ASSERT( memcmp( original + sizeof( N ) - output_length,
206                             final,
207                             output_length ) == 0 );
208    }
209    else if( expected_result == MBEDTLS_ERR_RSA_INVALID_PADDING ||
210             expected_result == MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE )
211    {
212        size_t max_payload_length =
213            output_size > sizeof( N ) - 11 ? sizeof( N ) - 11 : output_size;
214        size_t i;
215        size_t count = 0;
216
217#if !defined(MBEDTLS_RSA_ALT)
218        /* Check that the output in invalid cases is what the default
219         * implementation currently does. Alternative implementations
220         * may produce different output, so we only perform these precise
221         * checks when using the default implementation. */
222        TEST_ASSERT( output_length == max_payload_length );
223        for( i = 0; i < max_payload_length; i++ )
224            TEST_ASSERT( final[i] == 0 );
225#endif
226        /* Even in alternative implementations, the outputs must have
227         * changed, otherwise it indicates at least a timing vulnerability
228         * because no write to the outputs is performed in the bad case. */
229        TEST_ASSERT( output_length != 0x7EA0 );
230        for( i = 0; i < max_payload_length; i++ )
231            count += ( final[i] == default_content[i] );
232        /* If more than 16 bytes are unchanged in final, that's evidence
233         * that final wasn't overwritten. */
234        TEST_ASSERT( count < 16 );
235    }
236
237exit:
238    mbedtls_mpi_free( &Nmpi ); mbedtls_mpi_free( &Empi );
239    mbedtls_mpi_free( &Pmpi ); mbedtls_mpi_free( &Qmpi );
240    mbedtls_rsa_free( &ctx );
241}
242/* END_CASE */
243
244/* BEGIN_CASE */
245void pkcs1_rsassa_v15_sign( int mod, int radix_P, char * input_P, int radix_Q,
246                            char * input_Q, int radix_N, char * input_N,
247                            int radix_E, char * input_E, int digest, int hash,
248                            data_t * message_str, data_t * rnd_buf,
249                            data_t * result_str, int result )
250{
251    unsigned char hash_result[MBEDTLS_MD_MAX_SIZE];
252    unsigned char output[128];
253    mbedtls_rsa_context ctx;
254    mbedtls_mpi N, P, Q, E;
255    rnd_buf_info info;
256
257    info.buf = rnd_buf->x;
258    info.length = rnd_buf->len;
259
260    mbedtls_mpi_init( &N ); mbedtls_mpi_init( &P );
261    mbedtls_mpi_init( &Q ); mbedtls_mpi_init( &E );
262    mbedtls_rsa_init( &ctx, MBEDTLS_RSA_PKCS_V15, hash );
263
264    memset( hash_result, 0x00, sizeof( hash_result ) );
265    memset( output, 0x00, sizeof( output ) );
266
267    TEST_ASSERT( mbedtls_test_read_mpi( &P, radix_P, input_P ) == 0 );
268    TEST_ASSERT( mbedtls_test_read_mpi( &Q, radix_Q, input_Q ) == 0 );
269    TEST_ASSERT( mbedtls_test_read_mpi( &N, radix_N, input_N ) == 0 );
270    TEST_ASSERT( mbedtls_test_read_mpi( &E, radix_E, input_E ) == 0 );
271
272    TEST_ASSERT( mbedtls_rsa_import( &ctx, &N, &P, &Q, NULL, &E ) == 0 );
273    TEST_ASSERT( mbedtls_rsa_get_len( &ctx ) == (size_t) ( ( mod + 7 ) / 8 ) );
274    TEST_ASSERT( mbedtls_rsa_complete( &ctx ) == 0 );
275    TEST_ASSERT( mbedtls_rsa_check_privkey( &ctx ) == 0 );
276
277
278    if( mbedtls_md_info_from_type( digest ) != NULL )
279        TEST_ASSERT( mbedtls_md( mbedtls_md_info_from_type( digest ), message_str->x, message_str->len, hash_result ) == 0 );
280
281    TEST_ASSERT( mbedtls_rsa_pkcs1_sign( &ctx, &rnd_buffer_rand, &info, MBEDTLS_RSA_PRIVATE, digest, 0, hash_result, output ) == result );
282    if( result == 0 )
283    {
284
285        TEST_ASSERT( mbedtls_test_hexcmp( output, result_str->x,
286                                          ctx.len, result_str->len ) == 0 );
287    }
288
289exit:
290    mbedtls_mpi_free( &N ); mbedtls_mpi_free( &P );
291    mbedtls_mpi_free( &Q ); mbedtls_mpi_free( &E );
292    mbedtls_rsa_free( &ctx );
293}
294/* END_CASE */
295
296/* BEGIN_CASE */
297void pkcs1_rsassa_v15_verify( int mod, int radix_N, char * input_N,
298                              int radix_E, char * input_E, int digest,
299                              int hash, data_t * message_str, char * salt,
300                              data_t * result_str, int result )
301{
302    unsigned char hash_result[MBEDTLS_MD_MAX_SIZE];
303    mbedtls_rsa_context ctx;
304    mbedtls_mpi N, E;
305    ((void) salt);
306
307    mbedtls_mpi_init( &N ); mbedtls_mpi_init( &E );
308    mbedtls_rsa_init( &ctx, MBEDTLS_RSA_PKCS_V15, hash );
309    memset( hash_result, 0x00, sizeof( hash_result ) );
310
311    TEST_ASSERT( mbedtls_test_read_mpi( &N, radix_N, input_N ) == 0 );
312    TEST_ASSERT( mbedtls_test_read_mpi( &E, radix_E, input_E ) == 0 );
313    TEST_ASSERT( mbedtls_rsa_import( &ctx, &N, NULL, NULL, NULL, &E ) == 0 );
314    TEST_ASSERT( mbedtls_rsa_get_len( &ctx ) == (size_t) ( ( mod + 7 ) / 8 ) );
315    TEST_ASSERT( mbedtls_rsa_check_pubkey( &ctx ) == 0 );
316
317
318    if( mbedtls_md_info_from_type( digest ) != NULL )
319        TEST_ASSERT( mbedtls_md( mbedtls_md_info_from_type( digest ), message_str->x, message_str->len, hash_result ) == 0 );
320
321    TEST_ASSERT( mbedtls_rsa_pkcs1_verify( &ctx, NULL, NULL, MBEDTLS_RSA_PUBLIC, digest, 0, hash_result, result_str->x ) == result );
322
323exit:
324    mbedtls_mpi_free( &N ); mbedtls_mpi_free( &E );
325    mbedtls_rsa_free( &ctx );
326}
327/* END_CASE */
328