1/* BEGIN_HEADER */ 2#include "mbedtls/rsa.h" 3#include "mbedtls/md.h" 4/* END_HEADER */ 5 6/* BEGIN_DEPENDENCIES 7 * depends_on:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_SHA1_C 8 * END_DEPENDENCIES 9 */ 10 11/* BEGIN_CASE */ 12void pkcs1_rsaes_v15_encrypt( int mod, int radix_N, char * input_N, 13 int radix_E, char * input_E, int hash, 14 data_t * message_str, data_t * rnd_buf, 15 data_t * result_str, int result ) 16{ 17 unsigned char output[128]; 18 mbedtls_rsa_context ctx; 19 rnd_buf_info info; 20 mbedtls_mpi N, E; 21 22 info.buf = rnd_buf->x; 23 info.length = rnd_buf->len; 24 25 mbedtls_mpi_init( &N ); mbedtls_mpi_init( &E ); 26 mbedtls_rsa_init( &ctx, MBEDTLS_RSA_PKCS_V15, hash ); 27 memset( output, 0x00, sizeof( output ) ); 28 29 TEST_ASSERT( mbedtls_test_read_mpi( &N, radix_N, input_N ) == 0 ); 30 TEST_ASSERT( mbedtls_test_read_mpi( &E, radix_E, input_E ) == 0 ); 31 TEST_ASSERT( mbedtls_rsa_import( &ctx, &N, NULL, NULL, NULL, &E ) == 0 ); 32 TEST_ASSERT( mbedtls_rsa_get_len( &ctx ) == (size_t) ( ( mod + 7 ) / 8 ) ); 33 TEST_ASSERT( mbedtls_rsa_check_pubkey( &ctx ) == 0 ); 34 35 36 TEST_ASSERT( mbedtls_rsa_pkcs1_encrypt( &ctx, &rnd_buffer_rand, &info, MBEDTLS_RSA_PUBLIC, message_str->len, message_str->x, output ) == result ); 37 if( result == 0 ) 38 { 39 TEST_ASSERT( mbedtls_test_hexcmp( output, result_str->x, 40 ctx.len, result_str->len ) == 0 ); 41 } 42 43exit: 44 mbedtls_mpi_free( &N ); mbedtls_mpi_free( &E ); 45 mbedtls_rsa_free( &ctx ); 46} 47/* END_CASE */ 48 49/* BEGIN_CASE */ 50void pkcs1_rsaes_v15_decrypt( int mod, int radix_P, char * input_P, 51 int radix_Q, char * input_Q, int radix_N, 52 char * input_N, int radix_E, char * input_E, 53 int hash, data_t * result_str, 54 char * seed, data_t * message_str, 55 int result ) 56{ 57 unsigned char output[128]; 58 mbedtls_rsa_context ctx; 59 size_t output_len; 60 rnd_pseudo_info rnd_info; 61 mbedtls_mpi N, P, Q, E; 62 ((void) seed); 63 64 mbedtls_mpi_init( &N ); mbedtls_mpi_init( &P ); 65 mbedtls_mpi_init( &Q ); mbedtls_mpi_init( &E ); 66 mbedtls_rsa_init( &ctx, MBEDTLS_RSA_PKCS_V15, hash ); 67 68 memset( output, 0x00, sizeof( output ) ); 69 memset( &rnd_info, 0, sizeof( rnd_pseudo_info ) ); 70 71 TEST_ASSERT( mbedtls_test_read_mpi( &P, radix_P, input_P ) == 0 ); 72 TEST_ASSERT( mbedtls_test_read_mpi( &Q, radix_Q, input_Q ) == 0 ); 73 TEST_ASSERT( mbedtls_test_read_mpi( &N, radix_N, input_N ) == 0 ); 74 TEST_ASSERT( mbedtls_test_read_mpi( &E, radix_E, input_E ) == 0 ); 75 76 TEST_ASSERT( mbedtls_rsa_import( &ctx, &N, &P, &Q, NULL, &E ) == 0 ); 77 TEST_ASSERT( mbedtls_rsa_get_len( &ctx ) == (size_t) ( ( mod + 7 ) / 8 ) ); 78 TEST_ASSERT( mbedtls_rsa_complete( &ctx ) == 0 ); 79 TEST_ASSERT( mbedtls_rsa_check_privkey( &ctx ) == 0 ); 80 81 TEST_ASSERT( mbedtls_rsa_pkcs1_decrypt( &ctx, &rnd_pseudo_rand, &rnd_info, MBEDTLS_RSA_PRIVATE, &output_len, message_str->x, output, 1000 ) == result ); 82 if( result == 0 ) 83 { 84 TEST_ASSERT( mbedtls_test_hexcmp( output, result_str->x, 85 output_len, 86 result_str->len) == 0 ); 87 } 88 89exit: 90 mbedtls_mpi_free( &N ); mbedtls_mpi_free( &P ); 91 mbedtls_mpi_free( &Q ); mbedtls_mpi_free( &E ); 92 mbedtls_rsa_free( &ctx ); 93} 94/* END_CASE */ 95 96/* BEGIN_CASE */ 97void pkcs1_v15_decode( int mode, 98 data_t *input, 99 int expected_plaintext_length_arg, 100 int output_size_arg, 101 int expected_result ) 102{ 103 size_t expected_plaintext_length = expected_plaintext_length_arg; 104 size_t output_size = output_size_arg; 105 rnd_pseudo_info rnd_info; 106 mbedtls_mpi Nmpi, Empi, Pmpi, Qmpi; 107 mbedtls_rsa_context ctx; 108 static unsigned char N[128] = { 109 0xc4, 0x79, 0x4c, 0x6d, 0xb2, 0xe9, 0xdf, 0xc5, 110 0xe5, 0xd7, 0x55, 0x4b, 0xfb, 0x6c, 0x2e, 0xec, 111 0x84, 0xd0, 0x88, 0x12, 0xaf, 0xbf, 0xb4, 0xf5, 112 0x47, 0x3c, 0x7e, 0x92, 0x4c, 0x58, 0xc8, 0x73, 113 0xfe, 0x8f, 0x2b, 0x8f, 0x8e, 0xc8, 0x5c, 0xf5, 114 0x05, 0xeb, 0xfb, 0x0d, 0x7b, 0x2a, 0x93, 0xde, 115 0x15, 0x0d, 0xc8, 0x13, 0xcf, 0xd2, 0x6f, 0x0d, 116 0x9d, 0xad, 0x30, 0xe5, 0x70, 0x20, 0x92, 0x9e, 117 0xb3, 0x6b, 0xba, 0x5c, 0x50, 0x0f, 0xc3, 0xb2, 118 0x7e, 0x64, 0x07, 0x94, 0x7e, 0xc9, 0x4e, 0xc1, 119 0x65, 0x04, 0xaf, 0xb3, 0x9f, 0xde, 0xa8, 0x46, 120 0xfa, 0x6c, 0xf3, 0x03, 0xaf, 0x1c, 0x1b, 0xec, 121 0x75, 0x44, 0x66, 0x77, 0xc9, 0xde, 0x51, 0x33, 122 0x64, 0x27, 0xb0, 0xd4, 0x8d, 0x31, 0x6a, 0x11, 123 0x27, 0x3c, 0x99, 0xd4, 0x22, 0xc0, 0x9d, 0x12, 124 0x01, 0xc7, 0x4a, 0x73, 0xac, 0xbf, 0xc2, 0xbb 125 }; 126 static unsigned char E[1] = { 0x03 }; 127 static unsigned char P[64] = { 128 0xe5, 0x53, 0x1f, 0x88, 0x51, 0xee, 0x59, 0xf8, 129 0xc1, 0xe4, 0xcc, 0x5b, 0xb3, 0x75, 0x8d, 0xc8, 130 0xe8, 0x95, 0x2f, 0xd0, 0xef, 0x37, 0xb4, 0xcd, 131 0xd3, 0x9e, 0x48, 0x8b, 0x81, 0x58, 0x60, 0xb9, 132 0x27, 0x1d, 0xb6, 0x28, 0x92, 0x64, 0xa3, 0xa5, 133 0x64, 0xbd, 0xcc, 0x53, 0x68, 0xdd, 0x3e, 0x55, 134 0xea, 0x9d, 0x5e, 0xcd, 0x1f, 0x96, 0x87, 0xf1, 135 0x29, 0x75, 0x92, 0x70, 0x8f, 0x28, 0xfb, 0x2b 136 }; 137 static unsigned char Q[64] = { 138 0xdb, 0x53, 0xef, 0x74, 0x61, 0xb4, 0x20, 0x3b, 139 0x3b, 0x87, 0x76, 0x75, 0x81, 0x56, 0x11, 0x03, 140 0x59, 0x31, 0xe3, 0x38, 0x4b, 0x8c, 0x7a, 0x9c, 141 0x05, 0xd6, 0x7f, 0x1e, 0x5e, 0x60, 0xf0, 0x4e, 142 0x0b, 0xdc, 0x34, 0x54, 0x1c, 0x2e, 0x90, 0x83, 143 0x14, 0xef, 0xc0, 0x96, 0x5c, 0x30, 0x10, 0xcc, 144 0xc1, 0xba, 0xa0, 0x54, 0x3f, 0x96, 0x24, 0xca, 145 0xa3, 0xfb, 0x55, 0xbc, 0x71, 0x29, 0x4e, 0xb1 146 }; 147 unsigned char original[128]; 148 unsigned char intermediate[128]; 149 static unsigned char default_content[128] = { 150 /* A randomly generated pattern. */ 151 0x4c, 0x27, 0x54, 0xa0, 0xce, 0x0d, 0x09, 0x4a, 152 0x1c, 0x38, 0x8e, 0x2d, 0xa3, 0xc4, 0xe0, 0x19, 153 0x4c, 0x99, 0xb2, 0xbf, 0xe6, 0x65, 0x7e, 0x58, 154 0xd7, 0xb6, 0x8a, 0x05, 0x2f, 0xa5, 0xec, 0xa4, 155 0x35, 0xad, 0x10, 0x36, 0xff, 0x0d, 0x08, 0x50, 156 0x74, 0x47, 0xc9, 0x9c, 0x4a, 0xe7, 0xfd, 0xfa, 157 0x83, 0x5f, 0x14, 0x5a, 0x1e, 0xe7, 0x35, 0x08, 158 0xad, 0xf7, 0x0d, 0x86, 0xdf, 0xb8, 0xd4, 0xcf, 159 0x32, 0xb9, 0x5c, 0xbe, 0xa3, 0xd2, 0x89, 0x70, 160 0x7b, 0xc6, 0x48, 0x7e, 0x58, 0x4d, 0xf3, 0xef, 161 0x34, 0xb7, 0x57, 0x54, 0x79, 0xc5, 0x8e, 0x0a, 162 0xa3, 0xbf, 0x6d, 0x42, 0x83, 0x25, 0x13, 0xa2, 163 0x95, 0xc0, 0x0d, 0x32, 0xec, 0x77, 0x91, 0x2b, 164 0x68, 0xb6, 0x8c, 0x79, 0x15, 0xfb, 0x94, 0xde, 165 0xb9, 0x2b, 0x94, 0xb3, 0x28, 0x23, 0x86, 0x3d, 166 0x37, 0x00, 0xe6, 0xf1, 0x1f, 0x4e, 0xd4, 0x42 167 }; 168 unsigned char final[128]; 169 size_t output_length = 0x7EA0; 170 171 memset( &rnd_info, 0, sizeof( rnd_pseudo_info ) ); 172 mbedtls_mpi_init( &Nmpi ); mbedtls_mpi_init( &Empi ); 173 mbedtls_mpi_init( &Pmpi ); mbedtls_mpi_init( &Qmpi ); 174 mbedtls_rsa_init( &ctx, MBEDTLS_RSA_PKCS_V15, 0 ); 175 176 TEST_ASSERT( mbedtls_mpi_read_binary( &Nmpi, N, sizeof( N ) ) == 0 ); 177 TEST_ASSERT( mbedtls_mpi_read_binary( &Empi, E, sizeof( E ) ) == 0 ); 178 TEST_ASSERT( mbedtls_mpi_read_binary( &Pmpi, P, sizeof( P ) ) == 0 ); 179 TEST_ASSERT( mbedtls_mpi_read_binary( &Qmpi, Q, sizeof( Q ) ) == 0 ); 180 181 TEST_ASSERT( mbedtls_rsa_import( &ctx, &Nmpi, &Pmpi, &Qmpi, 182 NULL, &Empi ) == 0 ); 183 TEST_ASSERT( mbedtls_rsa_complete( &ctx ) == 0 ); 184 185 TEST_ASSERT( input->len <= sizeof( N ) ); 186 memcpy( original, input->x, input->len ); 187 memset( original + input->len, 'd', sizeof( original ) - input->len ); 188 if( mode == MBEDTLS_RSA_PRIVATE ) 189 TEST_ASSERT( mbedtls_rsa_public( &ctx, original, intermediate ) == 0 ); 190 else 191 TEST_ASSERT( mbedtls_rsa_private( &ctx, &rnd_pseudo_rand, &rnd_info, 192 original, intermediate ) == 0 ); 193 194 memcpy( final, default_content, sizeof( final ) ); 195 TEST_ASSERT( mbedtls_rsa_pkcs1_decrypt( &ctx, 196 &rnd_pseudo_rand, &rnd_info, 197 mode, 198 &output_length, 199 intermediate, 200 final, 201 output_size ) == expected_result ); 202 if( expected_result == 0 ) 203 { 204 TEST_ASSERT( output_length == expected_plaintext_length ); 205 TEST_ASSERT( memcmp( original + sizeof( N ) - output_length, 206 final, 207 output_length ) == 0 ); 208 } 209 else if( expected_result == MBEDTLS_ERR_RSA_INVALID_PADDING || 210 expected_result == MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE ) 211 { 212 size_t max_payload_length = 213 output_size > sizeof( N ) - 11 ? sizeof( N ) - 11 : output_size; 214 size_t i; 215 size_t count = 0; 216 217#if !defined(MBEDTLS_RSA_ALT) 218 /* Check that the output in invalid cases is what the default 219 * implementation currently does. Alternative implementations 220 * may produce different output, so we only perform these precise 221 * checks when using the default implementation. */ 222 TEST_ASSERT( output_length == max_payload_length ); 223 for( i = 0; i < max_payload_length; i++ ) 224 TEST_ASSERT( final[i] == 0 ); 225#endif 226 /* Even in alternative implementations, the outputs must have 227 * changed, otherwise it indicates at least a timing vulnerability 228 * because no write to the outputs is performed in the bad case. */ 229 TEST_ASSERT( output_length != 0x7EA0 ); 230 for( i = 0; i < max_payload_length; i++ ) 231 count += ( final[i] == default_content[i] ); 232 /* If more than 16 bytes are unchanged in final, that's evidence 233 * that final wasn't overwritten. */ 234 TEST_ASSERT( count < 16 ); 235 } 236 237exit: 238 mbedtls_mpi_free( &Nmpi ); mbedtls_mpi_free( &Empi ); 239 mbedtls_mpi_free( &Pmpi ); mbedtls_mpi_free( &Qmpi ); 240 mbedtls_rsa_free( &ctx ); 241} 242/* END_CASE */ 243 244/* BEGIN_CASE */ 245void pkcs1_rsassa_v15_sign( int mod, int radix_P, char * input_P, int radix_Q, 246 char * input_Q, int radix_N, char * input_N, 247 int radix_E, char * input_E, int digest, int hash, 248 data_t * message_str, data_t * rnd_buf, 249 data_t * result_str, int result ) 250{ 251 unsigned char hash_result[MBEDTLS_MD_MAX_SIZE]; 252 unsigned char output[128]; 253 mbedtls_rsa_context ctx; 254 mbedtls_mpi N, P, Q, E; 255 rnd_buf_info info; 256 257 info.buf = rnd_buf->x; 258 info.length = rnd_buf->len; 259 260 mbedtls_mpi_init( &N ); mbedtls_mpi_init( &P ); 261 mbedtls_mpi_init( &Q ); mbedtls_mpi_init( &E ); 262 mbedtls_rsa_init( &ctx, MBEDTLS_RSA_PKCS_V15, hash ); 263 264 memset( hash_result, 0x00, sizeof( hash_result ) ); 265 memset( output, 0x00, sizeof( output ) ); 266 267 TEST_ASSERT( mbedtls_test_read_mpi( &P, radix_P, input_P ) == 0 ); 268 TEST_ASSERT( mbedtls_test_read_mpi( &Q, radix_Q, input_Q ) == 0 ); 269 TEST_ASSERT( mbedtls_test_read_mpi( &N, radix_N, input_N ) == 0 ); 270 TEST_ASSERT( mbedtls_test_read_mpi( &E, radix_E, input_E ) == 0 ); 271 272 TEST_ASSERT( mbedtls_rsa_import( &ctx, &N, &P, &Q, NULL, &E ) == 0 ); 273 TEST_ASSERT( mbedtls_rsa_get_len( &ctx ) == (size_t) ( ( mod + 7 ) / 8 ) ); 274 TEST_ASSERT( mbedtls_rsa_complete( &ctx ) == 0 ); 275 TEST_ASSERT( mbedtls_rsa_check_privkey( &ctx ) == 0 ); 276 277 278 if( mbedtls_md_info_from_type( digest ) != NULL ) 279 TEST_ASSERT( mbedtls_md( mbedtls_md_info_from_type( digest ), message_str->x, message_str->len, hash_result ) == 0 ); 280 281 TEST_ASSERT( mbedtls_rsa_pkcs1_sign( &ctx, &rnd_buffer_rand, &info, MBEDTLS_RSA_PRIVATE, digest, 0, hash_result, output ) == result ); 282 if( result == 0 ) 283 { 284 285 TEST_ASSERT( mbedtls_test_hexcmp( output, result_str->x, 286 ctx.len, result_str->len ) == 0 ); 287 } 288 289exit: 290 mbedtls_mpi_free( &N ); mbedtls_mpi_free( &P ); 291 mbedtls_mpi_free( &Q ); mbedtls_mpi_free( &E ); 292 mbedtls_rsa_free( &ctx ); 293} 294/* END_CASE */ 295 296/* BEGIN_CASE */ 297void pkcs1_rsassa_v15_verify( int mod, int radix_N, char * input_N, 298 int radix_E, char * input_E, int digest, 299 int hash, data_t * message_str, char * salt, 300 data_t * result_str, int result ) 301{ 302 unsigned char hash_result[MBEDTLS_MD_MAX_SIZE]; 303 mbedtls_rsa_context ctx; 304 mbedtls_mpi N, E; 305 ((void) salt); 306 307 mbedtls_mpi_init( &N ); mbedtls_mpi_init( &E ); 308 mbedtls_rsa_init( &ctx, MBEDTLS_RSA_PKCS_V15, hash ); 309 memset( hash_result, 0x00, sizeof( hash_result ) ); 310 311 TEST_ASSERT( mbedtls_test_read_mpi( &N, radix_N, input_N ) == 0 ); 312 TEST_ASSERT( mbedtls_test_read_mpi( &E, radix_E, input_E ) == 0 ); 313 TEST_ASSERT( mbedtls_rsa_import( &ctx, &N, NULL, NULL, NULL, &E ) == 0 ); 314 TEST_ASSERT( mbedtls_rsa_get_len( &ctx ) == (size_t) ( ( mod + 7 ) / 8 ) ); 315 TEST_ASSERT( mbedtls_rsa_check_pubkey( &ctx ) == 0 ); 316 317 318 if( mbedtls_md_info_from_type( digest ) != NULL ) 319 TEST_ASSERT( mbedtls_md( mbedtls_md_info_from_type( digest ), message_str->x, message_str->len, hash_result ) == 0 ); 320 321 TEST_ASSERT( mbedtls_rsa_pkcs1_verify( &ctx, NULL, NULL, MBEDTLS_RSA_PUBLIC, digest, 0, hash_result, result_str->x ) == result ); 322 323exit: 324 mbedtls_mpi_free( &N ); mbedtls_mpi_free( &E ); 325 mbedtls_rsa_free( &ctx ); 326} 327/* END_CASE */ 328