1/* BEGIN_HEADER */ 2#include "mbedtls/rsa.h" 3#include "mbedtls/md.h" 4 5#include "mbedtls/legacy_or_psa.h" 6/* END_HEADER */ 7 8/* BEGIN_DEPENDENCIES 9 * depends_on:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C 10 * END_DEPENDENCIES 11 */ 12 13/* BEGIN_CASE */ 14void pkcs1_rsaes_v15_encrypt( int mod, char * input_N, 15 char * input_E, int hash, 16 data_t * message_str, data_t * rnd_buf, 17 data_t * result_str, int result ) 18{ 19 unsigned char output[128]; 20 mbedtls_rsa_context ctx; 21 mbedtls_test_rnd_buf_info info; 22 mbedtls_mpi N, E; 23 24 info.fallback_f_rng = mbedtls_test_rnd_std_rand; 25 info.fallback_p_rng = NULL; 26 info.buf = rnd_buf->x; 27 info.length = rnd_buf->len; 28 29 mbedtls_mpi_init( &N ); mbedtls_mpi_init( &E ); 30 mbedtls_rsa_init( &ctx ); 31 TEST_ASSERT( mbedtls_rsa_set_padding( &ctx, 32 MBEDTLS_RSA_PKCS_V15, hash ) == 0 ); 33 memset( output, 0x00, sizeof( output ) ); 34 35 TEST_ASSERT( mbedtls_test_read_mpi( &N, input_N ) == 0 ); 36 TEST_ASSERT( mbedtls_test_read_mpi( &E, input_E ) == 0 ); 37 TEST_ASSERT( mbedtls_rsa_import( &ctx, &N, NULL, NULL, NULL, &E ) == 0 ); 38 TEST_ASSERT( mbedtls_rsa_get_len( &ctx ) == (size_t) ( ( mod + 7 ) / 8 ) ); 39 TEST_ASSERT( mbedtls_rsa_check_pubkey( &ctx ) == 0 ); 40 41 if( message_str->len == 0 ) 42 message_str->x = NULL; 43 TEST_ASSERT( mbedtls_rsa_pkcs1_encrypt( &ctx, 44 &mbedtls_test_rnd_buffer_rand, 45 &info, message_str->len, 46 message_str->x, 47 output ) == result ); 48 49 if( result == 0 ) 50 { 51 TEST_ASSERT( mbedtls_test_hexcmp( output, result_str->x, 52 ctx.len, result_str->len ) == 0 ); 53 } 54 55exit: 56 mbedtls_mpi_free( &N ); mbedtls_mpi_free( &E ); 57 mbedtls_rsa_free( &ctx ); 58} 59/* END_CASE */ 60 61/* BEGIN_CASE */ 62void pkcs1_rsaes_v15_decrypt( int mod, char * input_P, char * input_Q, 63 char * input_N, char * input_E, int hash, 64 data_t * result_str, char * seed, 65 data_t * message_str, int result ) 66{ 67 unsigned char output[128]; 68 mbedtls_rsa_context ctx; 69 size_t output_len; 70 mbedtls_test_rnd_pseudo_info rnd_info; 71 mbedtls_mpi N, P, Q, E; 72 ((void) seed); 73 74 mbedtls_mpi_init( &N ); mbedtls_mpi_init( &P ); 75 mbedtls_mpi_init( &Q ); mbedtls_mpi_init( &E ); 76 mbedtls_rsa_init( &ctx ); 77 TEST_ASSERT( mbedtls_rsa_set_padding( &ctx, 78 MBEDTLS_RSA_PKCS_V15, hash ) == 0 ); 79 80 memset( output, 0x00, sizeof( output ) ); 81 memset( &rnd_info, 0, sizeof( mbedtls_test_rnd_pseudo_info ) ); 82 83 TEST_ASSERT( mbedtls_test_read_mpi( &P, input_P ) == 0 ); 84 TEST_ASSERT( mbedtls_test_read_mpi( &Q, input_Q ) == 0 ); 85 TEST_ASSERT( mbedtls_test_read_mpi( &N, input_N ) == 0 ); 86 TEST_ASSERT( mbedtls_test_read_mpi( &E, input_E ) == 0 ); 87 88 TEST_ASSERT( mbedtls_rsa_import( &ctx, &N, &P, &Q, NULL, &E ) == 0 ); 89 TEST_ASSERT( mbedtls_rsa_get_len( &ctx ) == (size_t) ( ( mod + 7 ) / 8 ) ); 90 TEST_ASSERT( mbedtls_rsa_complete( &ctx ) == 0 ); 91 TEST_ASSERT( mbedtls_rsa_check_privkey( &ctx ) == 0 ); 92 93 if( result_str->len == 0 ) 94 { 95 TEST_ASSERT( mbedtls_rsa_pkcs1_decrypt( &ctx, 96 &mbedtls_test_rnd_pseudo_rand, 97 &rnd_info, 98 &output_len, message_str->x, 99 NULL, 0 ) == result ); 100 } 101 else 102 { 103 TEST_ASSERT( mbedtls_rsa_pkcs1_decrypt( &ctx, 104 &mbedtls_test_rnd_pseudo_rand, 105 &rnd_info, 106 &output_len, message_str->x, 107 output, 1000 ) == result ); 108 if( result == 0 ) 109 { 110 TEST_ASSERT( mbedtls_test_hexcmp( output, result_str->x, 111 output_len, 112 result_str->len) == 0 ); 113 } 114 } 115 116exit: 117 mbedtls_mpi_free( &N ); mbedtls_mpi_free( &P ); 118 mbedtls_mpi_free( &Q ); mbedtls_mpi_free( &E ); 119 mbedtls_rsa_free( &ctx ); 120} 121/* END_CASE */ 122 123/* BEGIN_CASE */ 124void pkcs1_v15_decode( data_t *input, 125 int expected_plaintext_length_arg, 126 int output_size_arg, 127 int expected_result ) 128{ 129 size_t expected_plaintext_length = expected_plaintext_length_arg; 130 size_t output_size = output_size_arg; 131 mbedtls_test_rnd_pseudo_info rnd_info; 132 mbedtls_mpi Nmpi, Empi, Pmpi, Qmpi; 133 mbedtls_rsa_context ctx; 134 static unsigned char N[128] = { 135 0xc4, 0x79, 0x4c, 0x6d, 0xb2, 0xe9, 0xdf, 0xc5, 136 0xe5, 0xd7, 0x55, 0x4b, 0xfb, 0x6c, 0x2e, 0xec, 137 0x84, 0xd0, 0x88, 0x12, 0xaf, 0xbf, 0xb4, 0xf5, 138 0x47, 0x3c, 0x7e, 0x92, 0x4c, 0x58, 0xc8, 0x73, 139 0xfe, 0x8f, 0x2b, 0x8f, 0x8e, 0xc8, 0x5c, 0xf5, 140 0x05, 0xeb, 0xfb, 0x0d, 0x7b, 0x2a, 0x93, 0xde, 141 0x15, 0x0d, 0xc8, 0x13, 0xcf, 0xd2, 0x6f, 0x0d, 142 0x9d, 0xad, 0x30, 0xe5, 0x70, 0x20, 0x92, 0x9e, 143 0xb3, 0x6b, 0xba, 0x5c, 0x50, 0x0f, 0xc3, 0xb2, 144 0x7e, 0x64, 0x07, 0x94, 0x7e, 0xc9, 0x4e, 0xc1, 145 0x65, 0x04, 0xaf, 0xb3, 0x9f, 0xde, 0xa8, 0x46, 146 0xfa, 0x6c, 0xf3, 0x03, 0xaf, 0x1c, 0x1b, 0xec, 147 0x75, 0x44, 0x66, 0x77, 0xc9, 0xde, 0x51, 0x33, 148 0x64, 0x27, 0xb0, 0xd4, 0x8d, 0x31, 0x6a, 0x11, 149 0x27, 0x3c, 0x99, 0xd4, 0x22, 0xc0, 0x9d, 0x12, 150 0x01, 0xc7, 0x4a, 0x73, 0xac, 0xbf, 0xc2, 0xbb 151 }; 152 static unsigned char E[1] = { 0x03 }; 153 static unsigned char P[64] = { 154 0xe5, 0x53, 0x1f, 0x88, 0x51, 0xee, 0x59, 0xf8, 155 0xc1, 0xe4, 0xcc, 0x5b, 0xb3, 0x75, 0x8d, 0xc8, 156 0xe8, 0x95, 0x2f, 0xd0, 0xef, 0x37, 0xb4, 0xcd, 157 0xd3, 0x9e, 0x48, 0x8b, 0x81, 0x58, 0x60, 0xb9, 158 0x27, 0x1d, 0xb6, 0x28, 0x92, 0x64, 0xa3, 0xa5, 159 0x64, 0xbd, 0xcc, 0x53, 0x68, 0xdd, 0x3e, 0x55, 160 0xea, 0x9d, 0x5e, 0xcd, 0x1f, 0x96, 0x87, 0xf1, 161 0x29, 0x75, 0x92, 0x70, 0x8f, 0x28, 0xfb, 0x2b 162 }; 163 static unsigned char Q[64] = { 164 0xdb, 0x53, 0xef, 0x74, 0x61, 0xb4, 0x20, 0x3b, 165 0x3b, 0x87, 0x76, 0x75, 0x81, 0x56, 0x11, 0x03, 166 0x59, 0x31, 0xe3, 0x38, 0x4b, 0x8c, 0x7a, 0x9c, 167 0x05, 0xd6, 0x7f, 0x1e, 0x5e, 0x60, 0xf0, 0x4e, 168 0x0b, 0xdc, 0x34, 0x54, 0x1c, 0x2e, 0x90, 0x83, 169 0x14, 0xef, 0xc0, 0x96, 0x5c, 0x30, 0x10, 0xcc, 170 0xc1, 0xba, 0xa0, 0x54, 0x3f, 0x96, 0x24, 0xca, 171 0xa3, 0xfb, 0x55, 0xbc, 0x71, 0x29, 0x4e, 0xb1 172 }; 173 unsigned char original[128]; 174 unsigned char intermediate[128]; 175 static unsigned char default_content[128] = { 176 /* A randomly generated pattern. */ 177 0x4c, 0x27, 0x54, 0xa0, 0xce, 0x0d, 0x09, 0x4a, 178 0x1c, 0x38, 0x8e, 0x2d, 0xa3, 0xc4, 0xe0, 0x19, 179 0x4c, 0x99, 0xb2, 0xbf, 0xe6, 0x65, 0x7e, 0x58, 180 0xd7, 0xb6, 0x8a, 0x05, 0x2f, 0xa5, 0xec, 0xa4, 181 0x35, 0xad, 0x10, 0x36, 0xff, 0x0d, 0x08, 0x50, 182 0x74, 0x47, 0xc9, 0x9c, 0x4a, 0xe7, 0xfd, 0xfa, 183 0x83, 0x5f, 0x14, 0x5a, 0x1e, 0xe7, 0x35, 0x08, 184 0xad, 0xf7, 0x0d, 0x86, 0xdf, 0xb8, 0xd4, 0xcf, 185 0x32, 0xb9, 0x5c, 0xbe, 0xa3, 0xd2, 0x89, 0x70, 186 0x7b, 0xc6, 0x48, 0x7e, 0x58, 0x4d, 0xf3, 0xef, 187 0x34, 0xb7, 0x57, 0x54, 0x79, 0xc5, 0x8e, 0x0a, 188 0xa3, 0xbf, 0x6d, 0x42, 0x83, 0x25, 0x13, 0xa2, 189 0x95, 0xc0, 0x0d, 0x32, 0xec, 0x77, 0x91, 0x2b, 190 0x68, 0xb6, 0x8c, 0x79, 0x15, 0xfb, 0x94, 0xde, 191 0xb9, 0x2b, 0x94, 0xb3, 0x28, 0x23, 0x86, 0x3d, 192 0x37, 0x00, 0xe6, 0xf1, 0x1f, 0x4e, 0xd4, 0x42 193 }; 194 unsigned char final[128]; 195 size_t output_length = 0x7EA0; 196 197 memset( &rnd_info, 0, sizeof( mbedtls_test_rnd_pseudo_info ) ); 198 mbedtls_mpi_init( &Nmpi ); mbedtls_mpi_init( &Empi ); 199 mbedtls_mpi_init( &Pmpi ); mbedtls_mpi_init( &Qmpi ); 200 mbedtls_rsa_init( &ctx ); 201 202 TEST_ASSERT( mbedtls_mpi_read_binary( &Nmpi, N, sizeof( N ) ) == 0 ); 203 TEST_ASSERT( mbedtls_mpi_read_binary( &Empi, E, sizeof( E ) ) == 0 ); 204 TEST_ASSERT( mbedtls_mpi_read_binary( &Pmpi, P, sizeof( P ) ) == 0 ); 205 TEST_ASSERT( mbedtls_mpi_read_binary( &Qmpi, Q, sizeof( Q ) ) == 0 ); 206 207 TEST_ASSERT( mbedtls_rsa_import( &ctx, &Nmpi, &Pmpi, &Qmpi, 208 NULL, &Empi ) == 0 ); 209 TEST_ASSERT( mbedtls_rsa_complete( &ctx ) == 0 ); 210 211 TEST_ASSERT( input->len <= sizeof( N ) ); 212 memcpy( original, input->x, input->len ); 213 memset( original + input->len, 'd', sizeof( original ) - input->len ); 214 TEST_ASSERT( mbedtls_rsa_public( &ctx, original, intermediate ) == 0 ); 215 216 memcpy( final, default_content, sizeof( final ) ); 217 TEST_ASSERT( mbedtls_rsa_pkcs1_decrypt( &ctx, 218 &mbedtls_test_rnd_pseudo_rand, 219 &rnd_info, &output_length, 220 intermediate, final, 221 output_size ) == expected_result ); 222 if( expected_result == 0 ) 223 { 224 TEST_ASSERT( output_length == expected_plaintext_length ); 225 TEST_ASSERT( memcmp( original + sizeof( N ) - output_length, 226 final, 227 output_length ) == 0 ); 228 } 229 else if( expected_result == MBEDTLS_ERR_RSA_INVALID_PADDING || 230 expected_result == MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE ) 231 { 232 size_t max_payload_length = 233 output_size > sizeof( N ) - 11 ? sizeof( N ) - 11 : output_size; 234 size_t i; 235 size_t count = 0; 236 237#if !defined(MBEDTLS_RSA_ALT) 238 /* Check that the output in invalid cases is what the default 239 * implementation currently does. Alternative implementations 240 * may produce different output, so we only perform these precise 241 * checks when using the default implementation. */ 242 TEST_ASSERT( output_length == max_payload_length ); 243 for( i = 0; i < max_payload_length; i++ ) 244 TEST_ASSERT( final[i] == 0 ); 245#endif 246 /* Even in alternative implementations, the outputs must have 247 * changed, otherwise it indicates at least a timing vulnerability 248 * because no write to the outputs is performed in the bad case. */ 249 TEST_ASSERT( output_length != 0x7EA0 ); 250 for( i = 0; i < max_payload_length; i++ ) 251 count += ( final[i] == default_content[i] ); 252 /* If more than 16 bytes are unchanged in final, that's evidence 253 * that final wasn't overwritten. */ 254 TEST_ASSERT( count < 16 ); 255 } 256 257exit: 258 mbedtls_mpi_free( &Nmpi ); mbedtls_mpi_free( &Empi ); 259 mbedtls_mpi_free( &Pmpi ); mbedtls_mpi_free( &Qmpi ); 260 mbedtls_rsa_free( &ctx ); 261} 262/* END_CASE */ 263 264/* BEGIN_CASE */ 265void pkcs1_rsassa_v15_sign( int mod, char * input_P, 266 char * input_Q, char * input_N, 267 char * input_E, int digest, int hash, 268 data_t * message_str, data_t * rnd_buf, 269 data_t * result_str, int result ) 270{ 271 unsigned char output[128]; 272 mbedtls_rsa_context ctx; 273 mbedtls_mpi N, P, Q, E; 274 mbedtls_test_rnd_buf_info info; 275 276 info.fallback_f_rng = mbedtls_test_rnd_std_rand; 277 info.fallback_p_rng = NULL; 278 info.buf = rnd_buf->x; 279 info.length = rnd_buf->len; 280 281 mbedtls_mpi_init( &N ); mbedtls_mpi_init( &P ); 282 mbedtls_mpi_init( &Q ); mbedtls_mpi_init( &E ); 283 mbedtls_rsa_init( &ctx ); 284 TEST_ASSERT( mbedtls_rsa_set_padding( &ctx, 285 MBEDTLS_RSA_PKCS_V15, hash ) == 0 ); 286 287 memset( output, 0x00, sizeof( output ) ); 288 289 TEST_ASSERT( mbedtls_test_read_mpi( &P, input_P ) == 0 ); 290 TEST_ASSERT( mbedtls_test_read_mpi( &Q, input_Q ) == 0 ); 291 TEST_ASSERT( mbedtls_test_read_mpi( &N, input_N ) == 0 ); 292 TEST_ASSERT( mbedtls_test_read_mpi( &E, input_E ) == 0 ); 293 294 TEST_ASSERT( mbedtls_rsa_import( &ctx, &N, &P, &Q, NULL, &E ) == 0 ); 295 TEST_ASSERT( mbedtls_rsa_get_len( &ctx ) == (size_t) ( ( mod + 7 ) / 8 ) ); 296 TEST_ASSERT( mbedtls_rsa_complete( &ctx ) == 0 ); 297 TEST_ASSERT( mbedtls_rsa_check_privkey( &ctx ) == 0 ); 298 299 TEST_ASSERT( mbedtls_rsa_pkcs1_sign( 300 &ctx, &mbedtls_test_rnd_buffer_rand, &info, 301 digest, message_str->len, message_str->x, 302 output ) == result ); 303 if( result == 0 ) 304 { 305 306 TEST_ASSERT( mbedtls_test_hexcmp( output, result_str->x, 307 ctx.len, result_str->len ) == 0 ); 308 } 309 310exit: 311 mbedtls_mpi_free( &N ); mbedtls_mpi_free( &P ); 312 mbedtls_mpi_free( &Q ); mbedtls_mpi_free( &E ); 313 mbedtls_rsa_free( &ctx ); 314} 315/* END_CASE */ 316 317/* BEGIN_CASE */ 318void pkcs1_rsassa_v15_verify( int mod, char * input_N, char * input_E, 319 int digest, int hash, data_t * message_str, 320 char * salt, data_t * result_str, int result ) 321{ 322 mbedtls_rsa_context ctx; 323 mbedtls_mpi N, E; 324 ((void) salt); 325 326 mbedtls_mpi_init( &N ); mbedtls_mpi_init( &E ); 327 mbedtls_rsa_init( &ctx ); 328 TEST_ASSERT( mbedtls_rsa_set_padding( &ctx, 329 MBEDTLS_RSA_PKCS_V15, hash ) == 0 ); 330 331 TEST_ASSERT( mbedtls_test_read_mpi( &N, input_N ) == 0 ); 332 TEST_ASSERT( mbedtls_test_read_mpi( &E, input_E ) == 0 ); 333 TEST_ASSERT( mbedtls_rsa_import( &ctx, &N, NULL, NULL, NULL, &E ) == 0 ); 334 TEST_ASSERT( mbedtls_rsa_get_len( &ctx ) == (size_t) ( ( mod + 7 ) / 8 ) ); 335 TEST_ASSERT( mbedtls_rsa_check_pubkey( &ctx ) == 0 ); 336 337 TEST_ASSERT( mbedtls_rsa_pkcs1_verify( &ctx, digest, message_str->len, message_str->x, result_str->x ) == result ); 338 339exit: 340 mbedtls_mpi_free( &N ); mbedtls_mpi_free( &E ); 341 mbedtls_rsa_free( &ctx ); 342} 343/* END_CASE */ 344