blob: 2b9cf297aeebfa393b204a36c7f44193aaefdfeb [file] [log] [blame]
Janos Follath8a49a012016-02-12 13:18:20 +00001/* BEGIN_HEADER */
2#include "mbedtls/rsa.h"
3#include "mbedtls/md.h"
4/* END_HEADER */
5
6/* BEGIN_DEPENDENCIES
7 * depends_on:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
8 * END_DEPENDENCIES
9 */
10
11/* BEGIN_CASE */
12void pkcs1_rsaes_v15_encrypt( int mod, int radix_N, char *input_N, int radix_E,
13 char *input_E, int hash,
14 char *message_hex_string, char *seed,
15 char *result_hex_str, int result )
16{
17 unsigned char message_str[1000];
18 unsigned char output[1000];
19 unsigned char output_str[1000];
20 unsigned char rnd_buf[1000];
21 mbedtls_rsa_context ctx;
22 size_t msg_len;
23 rnd_buf_info info;
Hanno Becker6d43f9e2017-08-23 06:35:17 +010024 mbedtls_mpi N, E;
Janos Follath8a49a012016-02-12 13:18:20 +000025
26 info.length = unhexify( rnd_buf, seed );
27 info.buf = rnd_buf;
28
Hanno Becker6d43f9e2017-08-23 06:35:17 +010029 mbedtls_mpi_init( &N ); mbedtls_mpi_init( &E );
Janos Follath8a49a012016-02-12 13:18:20 +000030 mbedtls_rsa_init( &ctx, MBEDTLS_RSA_PKCS_V15, hash );
31 memset( message_str, 0x00, 1000 );
32 memset( output, 0x00, 1000 );
33 memset( output_str, 0x00, 1000 );
34
Hanno Becker6d43f9e2017-08-23 06:35:17 +010035 TEST_ASSERT( mbedtls_mpi_read_string( &N, radix_N, input_N ) == 0 );
36 TEST_ASSERT( mbedtls_mpi_read_string( &E, radix_E, input_E ) == 0 );
37 TEST_ASSERT( mbedtls_rsa_import( &ctx, &N, NULL, NULL, NULL, &E ) == 0 );
38 TEST_ASSERT( mbedtls_rsa_get_len( &ctx ) == (size_t) ( ( mod + 7 ) / 8 ) );
Janos Follath8a49a012016-02-12 13:18:20 +000039 TEST_ASSERT( mbedtls_rsa_check_pubkey( &ctx ) == 0 );
40
41 msg_len = unhexify( message_str, message_hex_string );
42
43 TEST_ASSERT( mbedtls_rsa_pkcs1_encrypt( &ctx, &rnd_buffer_rand, &info, MBEDTLS_RSA_PUBLIC, msg_len, message_str, output ) == result );
44 if( result == 0 )
45 {
46 hexify( output_str, output, ctx.len );
47
48 TEST_ASSERT( strcasecmp( (char *) output_str, result_hex_str ) == 0 );
49 }
50
51exit:
Hanno Becker6d43f9e2017-08-23 06:35:17 +010052 mbedtls_mpi_free( &N ); mbedtls_mpi_free( &E );
Janos Follath8a49a012016-02-12 13:18:20 +000053 mbedtls_rsa_free( &ctx );
54}
55/* END_CASE */
56
57/* BEGIN_CASE */
58void pkcs1_rsaes_v15_decrypt( int mod, int radix_P, char *input_P,
59 int radix_Q, char *input_Q, int radix_N,
60 char *input_N, int radix_E, char *input_E,
61 int hash, char *result_hex_str, char *seed,
62 char *message_hex_string, int result )
63{
64 unsigned char message_str[1000];
65 unsigned char output[1000];
66 unsigned char output_str[1000];
67 mbedtls_rsa_context ctx;
Janos Follath8a49a012016-02-12 13:18:20 +000068 size_t output_len;
69 rnd_pseudo_info rnd_info;
Hanno Becker6d43f9e2017-08-23 06:35:17 +010070 mbedtls_mpi N, P, Q, E;
Janos Follath8a49a012016-02-12 13:18:20 +000071 ((void) seed);
72
Hanno Becker6d43f9e2017-08-23 06:35:17 +010073 mbedtls_mpi_init( &N ); mbedtls_mpi_init( &P );
74 mbedtls_mpi_init( &Q ); mbedtls_mpi_init( &E );
Janos Follath8a49a012016-02-12 13:18:20 +000075 mbedtls_rsa_init( &ctx, MBEDTLS_RSA_PKCS_V15, hash );
76
77 memset( message_str, 0x00, 1000 );
78 memset( output, 0x00, 1000 );
79 memset( output_str, 0x00, 1000 );
80 memset( &rnd_info, 0, sizeof( rnd_pseudo_info ) );
81
Hanno Becker6d43f9e2017-08-23 06:35:17 +010082 TEST_ASSERT( mbedtls_mpi_read_string( &P, radix_P, input_P ) == 0 );
83 TEST_ASSERT( mbedtls_mpi_read_string( &Q, radix_Q, input_Q ) == 0 );
84 TEST_ASSERT( mbedtls_mpi_read_string( &N, radix_N, input_N ) == 0 );
85 TEST_ASSERT( mbedtls_mpi_read_string( &E, radix_E, input_E ) == 0 );
Janos Follath8a49a012016-02-12 13:18:20 +000086
Hanno Becker6d43f9e2017-08-23 06:35:17 +010087 TEST_ASSERT( mbedtls_rsa_import( &ctx, &N, &P, &Q, NULL, &E ) == 0 );
88 TEST_ASSERT( mbedtls_rsa_get_len( &ctx ) == (size_t) ( ( mod + 7 ) / 8 ) );
Hanno Becker7f25f852017-10-10 16:56:22 +010089 TEST_ASSERT( mbedtls_rsa_complete( &ctx ) == 0 );
Janos Follath8a49a012016-02-12 13:18:20 +000090 TEST_ASSERT( mbedtls_rsa_check_privkey( &ctx ) == 0 );
91
92 unhexify( message_str, message_hex_string );
93
94 TEST_ASSERT( mbedtls_rsa_pkcs1_decrypt( &ctx, &rnd_pseudo_rand, &rnd_info, MBEDTLS_RSA_PRIVATE, &output_len, message_str, output, 1000 ) == result );
95 if( result == 0 )
96 {
97 hexify( output_str, output, ctx.len );
98
99 TEST_ASSERT( strncasecmp( (char *) output_str, result_hex_str, strlen( result_hex_str ) ) == 0 );
100 }
101
102exit:
Hanno Becker6d43f9e2017-08-23 06:35:17 +0100103 mbedtls_mpi_free( &N ); mbedtls_mpi_free( &P );
104 mbedtls_mpi_free( &Q ); mbedtls_mpi_free( &E );
Janos Follath8a49a012016-02-12 13:18:20 +0000105 mbedtls_rsa_free( &ctx );
106}
107/* END_CASE */
108
Janos Follathe6aef9f2016-03-16 16:39:41 +0000109/* BEGIN_CASE */
Gilles Peskined3f978b2018-10-05 18:15:25 +0200110void pkcs1_v15_decode( int mode,
111 char *input_hex,
112 int expected_plaintext_length_arg,
113 int output_size_arg,
114 int expected_result )
115{
116 size_t input_len;
117 size_t expected_plaintext_length = expected_plaintext_length_arg;
118 size_t output_size = output_size_arg;
119 rnd_pseudo_info rnd_info;
120 mbedtls_mpi Nmpi, Empi, Pmpi, Qmpi;
121 mbedtls_rsa_context ctx;
122 static unsigned char N[128] = {
123 0xc4, 0x79, 0x4c, 0x6d, 0xb2, 0xe9, 0xdf, 0xc5,
124 0xe5, 0xd7, 0x55, 0x4b, 0xfb, 0x6c, 0x2e, 0xec,
125 0x84, 0xd0, 0x88, 0x12, 0xaf, 0xbf, 0xb4, 0xf5,
126 0x47, 0x3c, 0x7e, 0x92, 0x4c, 0x58, 0xc8, 0x73,
127 0xfe, 0x8f, 0x2b, 0x8f, 0x8e, 0xc8, 0x5c, 0xf5,
128 0x05, 0xeb, 0xfb, 0x0d, 0x7b, 0x2a, 0x93, 0xde,
129 0x15, 0x0d, 0xc8, 0x13, 0xcf, 0xd2, 0x6f, 0x0d,
130 0x9d, 0xad, 0x30, 0xe5, 0x70, 0x20, 0x92, 0x9e,
131 0xb3, 0x6b, 0xba, 0x5c, 0x50, 0x0f, 0xc3, 0xb2,
132 0x7e, 0x64, 0x07, 0x94, 0x7e, 0xc9, 0x4e, 0xc1,
133 0x65, 0x04, 0xaf, 0xb3, 0x9f, 0xde, 0xa8, 0x46,
134 0xfa, 0x6c, 0xf3, 0x03, 0xaf, 0x1c, 0x1b, 0xec,
135 0x75, 0x44, 0x66, 0x77, 0xc9, 0xde, 0x51, 0x33,
136 0x64, 0x27, 0xb0, 0xd4, 0x8d, 0x31, 0x6a, 0x11,
137 0x27, 0x3c, 0x99, 0xd4, 0x22, 0xc0, 0x9d, 0x12,
138 0x01, 0xc7, 0x4a, 0x73, 0xac, 0xbf, 0xc2, 0xbb
139 };
140 static unsigned char E[1] = { 0x03 };
141 static unsigned char P[64] = {
142 0xe5, 0x53, 0x1f, 0x88, 0x51, 0xee, 0x59, 0xf8,
143 0xc1, 0xe4, 0xcc, 0x5b, 0xb3, 0x75, 0x8d, 0xc8,
144 0xe8, 0x95, 0x2f, 0xd0, 0xef, 0x37, 0xb4, 0xcd,
145 0xd3, 0x9e, 0x48, 0x8b, 0x81, 0x58, 0x60, 0xb9,
146 0x27, 0x1d, 0xb6, 0x28, 0x92, 0x64, 0xa3, 0xa5,
147 0x64, 0xbd, 0xcc, 0x53, 0x68, 0xdd, 0x3e, 0x55,
148 0xea, 0x9d, 0x5e, 0xcd, 0x1f, 0x96, 0x87, 0xf1,
149 0x29, 0x75, 0x92, 0x70, 0x8f, 0x28, 0xfb, 0x2b
150 };
151 static unsigned char Q[64] = {
152 0xdb, 0x53, 0xef, 0x74, 0x61, 0xb4, 0x20, 0x3b,
153 0x3b, 0x87, 0x76, 0x75, 0x81, 0x56, 0x11, 0x03,
154 0x59, 0x31, 0xe3, 0x38, 0x4b, 0x8c, 0x7a, 0x9c,
155 0x05, 0xd6, 0x7f, 0x1e, 0x5e, 0x60, 0xf0, 0x4e,
156 0x0b, 0xdc, 0x34, 0x54, 0x1c, 0x2e, 0x90, 0x83,
157 0x14, 0xef, 0xc0, 0x96, 0x5c, 0x30, 0x10, 0xcc,
158 0xc1, 0xba, 0xa0, 0x54, 0x3f, 0x96, 0x24, 0xca,
159 0xa3, 0xfb, 0x55, 0xbc, 0x71, 0x29, 0x4e, 0xb1
160 };
161 unsigned char original[128];
162 unsigned char intermediate[128];
163 static unsigned char default_content[128] = {
164 /* A randomly generated pattern. */
165 0x4c, 0x27, 0x54, 0xa0, 0xce, 0x0d, 0x09, 0x4a,
166 0x1c, 0x38, 0x8e, 0x2d, 0xa3, 0xc4, 0xe0, 0x19,
167 0x4c, 0x99, 0xb2, 0xbf, 0xe6, 0x65, 0x7e, 0x58,
168 0xd7, 0xb6, 0x8a, 0x05, 0x2f, 0xa5, 0xec, 0xa4,
169 0x35, 0xad, 0x10, 0x36, 0xff, 0x0d, 0x08, 0x50,
170 0x74, 0x47, 0xc9, 0x9c, 0x4a, 0xe7, 0xfd, 0xfa,
171 0x83, 0x5f, 0x14, 0x5a, 0x1e, 0xe7, 0x35, 0x08,
172 0xad, 0xf7, 0x0d, 0x86, 0xdf, 0xb8, 0xd4, 0xcf,
173 0x32, 0xb9, 0x5c, 0xbe, 0xa3, 0xd2, 0x89, 0x70,
174 0x7b, 0xc6, 0x48, 0x7e, 0x58, 0x4d, 0xf3, 0xef,
175 0x34, 0xb7, 0x57, 0x54, 0x79, 0xc5, 0x8e, 0x0a,
176 0xa3, 0xbf, 0x6d, 0x42, 0x83, 0x25, 0x13, 0xa2,
177 0x95, 0xc0, 0x0d, 0x32, 0xec, 0x77, 0x91, 0x2b,
178 0x68, 0xb6, 0x8c, 0x79, 0x15, 0xfb, 0x94, 0xde,
179 0xb9, 0x2b, 0x94, 0xb3, 0x28, 0x23, 0x86, 0x3d,
180 0x37, 0x00, 0xe6, 0xf1, 0x1f, 0x4e, 0xd4, 0x42
181 };
182 unsigned char final[128];
183 size_t output_length = 0x7EA0;
184
185 memset( &rnd_info, 0, sizeof( rnd_pseudo_info ) );
186 mbedtls_mpi_init( &Nmpi ); mbedtls_mpi_init( &Empi );
187 mbedtls_mpi_init( &Pmpi ); mbedtls_mpi_init( &Qmpi );
188 mbedtls_rsa_init( &ctx, MBEDTLS_RSA_PKCS_V15, 0 );
189
190 TEST_ASSERT( mbedtls_mpi_read_binary( &Nmpi, N, sizeof( N ) ) == 0 );
191 TEST_ASSERT( mbedtls_mpi_read_binary( &Empi, E, sizeof( E ) ) == 0 );
192 TEST_ASSERT( mbedtls_mpi_read_binary( &Pmpi, P, sizeof( P ) ) == 0 );
193 TEST_ASSERT( mbedtls_mpi_read_binary( &Qmpi, Q, sizeof( Q ) ) == 0 );
194
195 TEST_ASSERT( mbedtls_rsa_import( &ctx, &Nmpi, &Pmpi, &Qmpi,
196 NULL, &Empi ) == 0 );
197 TEST_ASSERT( mbedtls_rsa_complete( &ctx ) == 0 );
198
199 input_len = unhexify( original, input_hex );
200 memset( original + input_len, 'd', sizeof( original ) - input_len );
201 if( mode == MBEDTLS_RSA_PRIVATE )
202 TEST_ASSERT( mbedtls_rsa_public( &ctx, original, intermediate ) == 0 );
203 else
204 TEST_ASSERT( mbedtls_rsa_private( &ctx, &rnd_pseudo_rand, &rnd_info,
205 original, intermediate ) == 0 );
206
207 memcpy( final, default_content, sizeof( final ) );
208 TEST_ASSERT( mbedtls_rsa_pkcs1_decrypt( &ctx,
209 &rnd_pseudo_rand, &rnd_info,
210 mode,
211 &output_length,
212 intermediate,
213 final,
214 output_size ) == expected_result );
215 if( expected_result == 0 )
216 {
217 TEST_ASSERT( output_length == expected_plaintext_length );
218 TEST_ASSERT( memcmp( original + sizeof( N ) - output_length,
219 final,
220 output_length ) == 0 );
221 }
222 else if( expected_result == MBEDTLS_ERR_RSA_INVALID_PADDING ||
223 expected_result == MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE )
224 {
225 size_t max_payload_length =
226 output_size > sizeof( N ) - 11 ? sizeof( N ) - 11 : output_size;
227 size_t i;
228 size_t count = 0;
229
230#if !defined(MBEDTLS_RSA_ALT)
231 /* Check that the output in invalid cases is what the default
232 * implementation currently does. Alternative implementations
233 * may produce different output, so we only perform these precise
234 * checks when using the default implementation. */
235 TEST_ASSERT( output_length == max_payload_length );
236 for( i = 0; i < max_payload_length; i++ )
237 TEST_ASSERT( final[i] == 0 );
238#endif
239 /* Even in alternative implementations, the outputs must have
240 * changed, otherwise it indicates at least a timing vulnerability
241 * because no write to the outputs is performed in the bad case. */
242 TEST_ASSERT( output_length != 0x7EA0 );
243 for( i = 0; i < max_payload_length; i++ )
244 count += ( final[i] == default_content[i] );
245 /* If more than 16 bytes are unchanged in final, that's evidence
246 * that final wasn't overwritten. */
247 TEST_ASSERT( count < 16 );
248 }
249
250exit:
251 mbedtls_mpi_free( &Nmpi ); mbedtls_mpi_free( &Empi );
252 mbedtls_mpi_free( &Pmpi ); mbedtls_mpi_free( &Qmpi );
253 mbedtls_rsa_free( &ctx );
254}
255/* END_CASE */
256
257/* BEGIN_CASE */
Janos Follathe6aef9f2016-03-16 16:39:41 +0000258void pkcs1_rsassa_v15_sign( int mod, int radix_P, char *input_P, int radix_Q,
259 char *input_Q, int radix_N, char *input_N,
260 int radix_E, char *input_E, int digest, int hash,
261 char *message_hex_string, char *salt,
262 char *result_hex_str, int result )
263{
264 unsigned char message_str[1000];
265 unsigned char hash_result[1000];
266 unsigned char output[1000];
267 unsigned char output_str[1000];
268 unsigned char rnd_buf[1000];
269 mbedtls_rsa_context ctx;
Hanno Becker6d43f9e2017-08-23 06:35:17 +0100270 mbedtls_mpi N, P, Q, E;
Janos Follathe6aef9f2016-03-16 16:39:41 +0000271 size_t msg_len;
272 rnd_buf_info info;
273
274 info.length = unhexify( rnd_buf, salt );
275 info.buf = rnd_buf;
276
Hanno Becker6d43f9e2017-08-23 06:35:17 +0100277 mbedtls_mpi_init( &N ); mbedtls_mpi_init( &P );
278 mbedtls_mpi_init( &Q ); mbedtls_mpi_init( &E );
Janos Follathe6aef9f2016-03-16 16:39:41 +0000279 mbedtls_rsa_init( &ctx, MBEDTLS_RSA_PKCS_V15, hash );
280
281 memset( message_str, 0x00, 1000 );
282 memset( hash_result, 0x00, 1000 );
283 memset( output, 0x00, 1000 );
284 memset( output_str, 0x00, 1000 );
285
Hanno Becker6d43f9e2017-08-23 06:35:17 +0100286 TEST_ASSERT( mbedtls_mpi_read_string( &P, radix_P, input_P ) == 0 );
287 TEST_ASSERT( mbedtls_mpi_read_string( &Q, radix_Q, input_Q ) == 0 );
288 TEST_ASSERT( mbedtls_mpi_read_string( &N, radix_N, input_N ) == 0 );
289 TEST_ASSERT( mbedtls_mpi_read_string( &E, radix_E, input_E ) == 0 );
Janos Follathe6aef9f2016-03-16 16:39:41 +0000290
Hanno Becker6d43f9e2017-08-23 06:35:17 +0100291 TEST_ASSERT( mbedtls_rsa_import( &ctx, &N, &P, &Q, NULL, &E ) == 0 );
292 TEST_ASSERT( mbedtls_rsa_get_len( &ctx ) == (size_t) ( ( mod + 7 ) / 8 ) );
Hanno Becker7f25f852017-10-10 16:56:22 +0100293 TEST_ASSERT( mbedtls_rsa_complete( &ctx ) == 0 );
Janos Follathe6aef9f2016-03-16 16:39:41 +0000294 TEST_ASSERT( mbedtls_rsa_check_privkey( &ctx ) == 0 );
295
296 msg_len = unhexify( message_str, message_hex_string );
297
298 if( mbedtls_md_info_from_type( digest ) != NULL )
299 TEST_ASSERT( mbedtls_md( mbedtls_md_info_from_type( digest ), message_str, msg_len, hash_result ) == 0 );
300
301 TEST_ASSERT( mbedtls_rsa_pkcs1_sign( &ctx, &rnd_buffer_rand, &info, MBEDTLS_RSA_PRIVATE, digest, 0, hash_result, output ) == result );
302 if( result == 0 )
303 {
304 hexify( output_str, output, ctx.len);
305
306 TEST_ASSERT( strcasecmp( (char *) output_str, result_hex_str ) == 0 );
307 }
308
309exit:
Hanno Becker6d43f9e2017-08-23 06:35:17 +0100310 mbedtls_mpi_free( &N ); mbedtls_mpi_free( &P );
311 mbedtls_mpi_free( &Q ); mbedtls_mpi_free( &E );
Janos Follathe6aef9f2016-03-16 16:39:41 +0000312 mbedtls_rsa_free( &ctx );
313}
314/* END_CASE */
315
316/* BEGIN_CASE */
317void pkcs1_rsassa_v15_verify( int mod, int radix_N, char *input_N, int radix_E,
318 char *input_E, int digest, int hash,
319 char *message_hex_string, char *salt,
320 char *result_hex_str, int result )
321{
322 unsigned char message_str[1000];
323 unsigned char hash_result[1000];
324 unsigned char result_str[1000];
325 mbedtls_rsa_context ctx;
326 size_t msg_len;
Hanno Becker6d43f9e2017-08-23 06:35:17 +0100327 mbedtls_mpi N, E;
Janos Follathe6aef9f2016-03-16 16:39:41 +0000328 ((void) salt);
329
Hanno Becker6d43f9e2017-08-23 06:35:17 +0100330 mbedtls_mpi_init( &N ); mbedtls_mpi_init( &E );
Janos Follathe6aef9f2016-03-16 16:39:41 +0000331 mbedtls_rsa_init( &ctx, MBEDTLS_RSA_PKCS_V15, hash );
332 memset( message_str, 0x00, 1000 );
333 memset( hash_result, 0x00, 1000 );
334 memset( result_str, 0x00, 1000 );
335
Hanno Becker6d43f9e2017-08-23 06:35:17 +0100336 TEST_ASSERT( mbedtls_mpi_read_string( &N, radix_N, input_N ) == 0 );
337 TEST_ASSERT( mbedtls_mpi_read_string( &E, radix_E, input_E ) == 0 );
338 TEST_ASSERT( mbedtls_rsa_import( &ctx, &N, NULL, NULL, NULL, &E ) == 0 );
339 TEST_ASSERT( mbedtls_rsa_get_len( &ctx ) == (size_t) ( ( mod + 7 ) / 8 ) );
Janos Follathe6aef9f2016-03-16 16:39:41 +0000340 TEST_ASSERT( mbedtls_rsa_check_pubkey( &ctx ) == 0 );
341
342 msg_len = unhexify( message_str, message_hex_string );
343 unhexify( result_str, result_hex_str );
344
345 if( mbedtls_md_info_from_type( digest ) != NULL )
Hanno Becker6d43f9e2017-08-23 06:35:17 +0100346 TEST_ASSERT( mbedtls_md( mbedtls_md_info_from_type( digest ),
347 message_str, msg_len, hash_result ) == 0 );
Janos Follathe6aef9f2016-03-16 16:39:41 +0000348
Hanno Becker6d43f9e2017-08-23 06:35:17 +0100349 TEST_ASSERT( mbedtls_rsa_pkcs1_verify( &ctx, NULL, NULL, MBEDTLS_RSA_PUBLIC,
350 digest, 0, hash_result,
351 result_str ) == result );
Janos Follathe6aef9f2016-03-16 16:39:41 +0000352
353exit:
Hanno Becker6d43f9e2017-08-23 06:35:17 +0100354 mbedtls_mpi_free( &N ); mbedtls_mpi_free( &E );
Janos Follathe6aef9f2016-03-16 16:39:41 +0000355 mbedtls_rsa_free( &ctx );
356}
357/* END_CASE */