blob: 7113274550f0ceeb8e6b0c240a8f522a3e5f4022 [file] [log] [blame]
Janos Follath8a49a012016-02-12 13:18:20 +00001/* BEGIN_HEADER */
2#include "mbedtls/rsa.h"
3#include "mbedtls/md.h"
4/* END_HEADER */
5
6/* BEGIN_DEPENDENCIES
Manuel Pégourié-Gonnard3637c512022-07-13 12:41:36 +02007 * depends_on:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C
Janos Follath8a49a012016-02-12 13:18:20 +00008 * END_DEPENDENCIES
9 */
10
11/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +010012void pkcs1_rsaes_v15_encrypt(int mod, char *input_N,
13 char *input_E, int hash,
14 data_t *message_str, data_t *rnd_buf,
15 data_t *result_str, int result)
Janos Follath8a49a012016-02-12 13:18:20 +000016{
Ron Eldor635888b2018-11-25 15:54:52 +020017 unsigned char output[128];
Janos Follath8a49a012016-02-12 13:18:20 +000018 mbedtls_rsa_context ctx;
Ronald Cron351f0ee2020-06-10 12:12:18 +020019 mbedtls_test_rnd_buf_info info;
Hanno Becker6d43f9e2017-08-23 06:35:17 +010020 mbedtls_mpi N, E;
Janos Follath8a49a012016-02-12 13:18:20 +000021
Gilles Peskineecacc3c2021-03-24 00:48:57 +010022 info.fallback_f_rng = mbedtls_test_rnd_std_rand;
23 info.fallback_p_rng = NULL;
Azim Khand30ca132017-06-09 04:32:58 +010024 info.buf = rnd_buf->x;
25 info.length = rnd_buf->len;
Janos Follath8a49a012016-02-12 13:18:20 +000026
Gilles Peskine449bd832023-01-11 14:50:10 +010027 mbedtls_mpi_init(&N); mbedtls_mpi_init(&E);
28 mbedtls_rsa_init(&ctx);
Yanray Wange05a21f2023-03-17 20:09:17 +080029
Yanray Wang69bc8402023-03-17 20:33:03 +080030 TEST_EQUAL(mbedtls_rsa_get_padding_mode(&ctx), MBEDTLS_RSA_PKCS_V15);
31 TEST_EQUAL(mbedtls_rsa_get_md_alg(&ctx), MBEDTLS_MD_NONE);
Yanray Wange05a21f2023-03-17 20:09:17 +080032
Gilles Peskine449bd832023-01-11 14:50:10 +010033 TEST_ASSERT(mbedtls_rsa_set_padding(&ctx,
34 MBEDTLS_RSA_PKCS_V15, hash) == 0);
35 memset(output, 0x00, sizeof(output));
Janos Follath8a49a012016-02-12 13:18:20 +000036
Yanray Wang69bc8402023-03-17 20:33:03 +080037 TEST_EQUAL(mbedtls_rsa_get_padding_mode(&ctx), MBEDTLS_RSA_PKCS_V15);
38 TEST_EQUAL(mbedtls_rsa_get_md_alg(&ctx), hash);
Yanray Wang15d3df72023-03-17 19:34:01 +080039
Gilles Peskine449bd832023-01-11 14:50:10 +010040 TEST_ASSERT(mbedtls_test_read_mpi(&N, input_N) == 0);
41 TEST_ASSERT(mbedtls_test_read_mpi(&E, input_E) == 0);
42 TEST_ASSERT(mbedtls_rsa_import(&ctx, &N, NULL, NULL, NULL, &E) == 0);
43 TEST_ASSERT(mbedtls_rsa_get_len(&ctx) == (size_t) ((mod + 7) / 8));
44 TEST_ASSERT(mbedtls_rsa_check_pubkey(&ctx) == 0);
Janos Follath8a49a012016-02-12 13:18:20 +000045
Gilles Peskine449bd832023-01-11 14:50:10 +010046 if (message_str->len == 0) {
Gilles Peskine85a6dd42018-10-15 16:32:42 +020047 message_str->x = NULL;
Gilles Peskine449bd832023-01-11 14:50:10 +010048 }
49 TEST_ASSERT(mbedtls_rsa_pkcs1_encrypt(&ctx,
50 &mbedtls_test_rnd_buffer_rand,
51 &info, message_str->len,
52 message_str->x,
53 output) == result);
Ronald Cron6c5bd7f2020-06-10 14:08:26 +020054
Gilles Peskine449bd832023-01-11 14:50:10 +010055 if (result == 0) {
56 TEST_ASSERT(mbedtls_test_hexcmp(output, result_str->x,
57 ctx.len, result_str->len) == 0);
Janos Follath8a49a012016-02-12 13:18:20 +000058 }
59
60exit:
Gilles Peskine449bd832023-01-11 14:50:10 +010061 mbedtls_mpi_free(&N); mbedtls_mpi_free(&E);
62 mbedtls_rsa_free(&ctx);
Janos Follath8a49a012016-02-12 13:18:20 +000063}
64/* END_CASE */
65
66/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +010067void pkcs1_rsaes_v15_decrypt(int mod, char *input_P, char *input_Q,
68 char *input_N, char *input_E, int hash,
69 data_t *result_str, char *seed,
70 data_t *message_str, int result)
Janos Follath8a49a012016-02-12 13:18:20 +000071{
Ron Eldor635888b2018-11-25 15:54:52 +020072 unsigned char output[128];
Janos Follath8a49a012016-02-12 13:18:20 +000073 mbedtls_rsa_context ctx;
Janos Follath8a49a012016-02-12 13:18:20 +000074 size_t output_len;
Ronald Cron351f0ee2020-06-10 12:12:18 +020075 mbedtls_test_rnd_pseudo_info rnd_info;
Hanno Becker6d43f9e2017-08-23 06:35:17 +010076 mbedtls_mpi N, P, Q, E;
Janos Follath8a49a012016-02-12 13:18:20 +000077 ((void) seed);
78
Gilles Peskine449bd832023-01-11 14:50:10 +010079 mbedtls_mpi_init(&N); mbedtls_mpi_init(&P);
80 mbedtls_mpi_init(&Q); mbedtls_mpi_init(&E);
81 mbedtls_rsa_init(&ctx);
82 TEST_ASSERT(mbedtls_rsa_set_padding(&ctx,
83 MBEDTLS_RSA_PKCS_V15, hash) == 0);
Janos Follath8a49a012016-02-12 13:18:20 +000084
Yanray Wang69bc8402023-03-17 20:33:03 +080085 TEST_EQUAL(mbedtls_rsa_get_padding_mode(&ctx), MBEDTLS_RSA_PKCS_V15);
86 TEST_EQUAL(mbedtls_rsa_get_md_alg(&ctx), hash);
Yanray Wang15d3df72023-03-17 19:34:01 +080087
Gilles Peskine449bd832023-01-11 14:50:10 +010088 memset(output, 0x00, sizeof(output));
89 memset(&rnd_info, 0, sizeof(mbedtls_test_rnd_pseudo_info));
Janos Follath8a49a012016-02-12 13:18:20 +000090
Gilles Peskine449bd832023-01-11 14:50:10 +010091 TEST_ASSERT(mbedtls_test_read_mpi(&P, input_P) == 0);
92 TEST_ASSERT(mbedtls_test_read_mpi(&Q, input_Q) == 0);
93 TEST_ASSERT(mbedtls_test_read_mpi(&N, input_N) == 0);
94 TEST_ASSERT(mbedtls_test_read_mpi(&E, input_E) == 0);
Janos Follath8a49a012016-02-12 13:18:20 +000095
Gilles Peskine449bd832023-01-11 14:50:10 +010096 TEST_ASSERT(mbedtls_rsa_import(&ctx, &N, &P, &Q, NULL, &E) == 0);
97 TEST_ASSERT(mbedtls_rsa_get_len(&ctx) == (size_t) ((mod + 7) / 8));
98 TEST_ASSERT(mbedtls_rsa_complete(&ctx) == 0);
99 TEST_ASSERT(mbedtls_rsa_check_privkey(&ctx) == 0);
Janos Follath8a49a012016-02-12 13:18:20 +0000100
Gilles Peskine449bd832023-01-11 14:50:10 +0100101 if (result_str->len == 0) {
102 TEST_ASSERT(mbedtls_rsa_pkcs1_decrypt(&ctx,
103 &mbedtls_test_rnd_pseudo_rand,
104 &rnd_info,
105 &output_len, message_str->x,
106 NULL, 0) == result);
107 } else {
108 TEST_ASSERT(mbedtls_rsa_pkcs1_decrypt(&ctx,
109 &mbedtls_test_rnd_pseudo_rand,
110 &rnd_info,
111 &output_len, message_str->x,
112 output, 1000) == result);
113 if (result == 0) {
114 TEST_ASSERT(mbedtls_test_hexcmp(output, result_str->x,
115 output_len,
116 result_str->len) == 0);
Gilles Peskine85a6dd42018-10-15 16:32:42 +0200117 }
Janos Follath8a49a012016-02-12 13:18:20 +0000118 }
119
120exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100121 mbedtls_mpi_free(&N); mbedtls_mpi_free(&P);
122 mbedtls_mpi_free(&Q); mbedtls_mpi_free(&E);
123 mbedtls_rsa_free(&ctx);
Janos Follath8a49a012016-02-12 13:18:20 +0000124}
125/* END_CASE */
126
Janos Follathe6aef9f2016-03-16 16:39:41 +0000127/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100128void pkcs1_v15_decode(data_t *input,
129 int expected_plaintext_length_arg,
130 int output_size_arg,
131 int expected_result)
Gilles Peskine695a3462018-10-05 18:15:25 +0200132{
133 size_t expected_plaintext_length = expected_plaintext_length_arg;
134 size_t output_size = output_size_arg;
Ronald Cron351f0ee2020-06-10 12:12:18 +0200135 mbedtls_test_rnd_pseudo_info rnd_info;
Gilles Peskine695a3462018-10-05 18:15:25 +0200136 mbedtls_mpi Nmpi, Empi, Pmpi, Qmpi;
137 mbedtls_rsa_context ctx;
138 static unsigned char N[128] = {
139 0xc4, 0x79, 0x4c, 0x6d, 0xb2, 0xe9, 0xdf, 0xc5,
140 0xe5, 0xd7, 0x55, 0x4b, 0xfb, 0x6c, 0x2e, 0xec,
141 0x84, 0xd0, 0x88, 0x12, 0xaf, 0xbf, 0xb4, 0xf5,
142 0x47, 0x3c, 0x7e, 0x92, 0x4c, 0x58, 0xc8, 0x73,
143 0xfe, 0x8f, 0x2b, 0x8f, 0x8e, 0xc8, 0x5c, 0xf5,
144 0x05, 0xeb, 0xfb, 0x0d, 0x7b, 0x2a, 0x93, 0xde,
145 0x15, 0x0d, 0xc8, 0x13, 0xcf, 0xd2, 0x6f, 0x0d,
146 0x9d, 0xad, 0x30, 0xe5, 0x70, 0x20, 0x92, 0x9e,
147 0xb3, 0x6b, 0xba, 0x5c, 0x50, 0x0f, 0xc3, 0xb2,
148 0x7e, 0x64, 0x07, 0x94, 0x7e, 0xc9, 0x4e, 0xc1,
149 0x65, 0x04, 0xaf, 0xb3, 0x9f, 0xde, 0xa8, 0x46,
150 0xfa, 0x6c, 0xf3, 0x03, 0xaf, 0x1c, 0x1b, 0xec,
151 0x75, 0x44, 0x66, 0x77, 0xc9, 0xde, 0x51, 0x33,
152 0x64, 0x27, 0xb0, 0xd4, 0x8d, 0x31, 0x6a, 0x11,
153 0x27, 0x3c, 0x99, 0xd4, 0x22, 0xc0, 0x9d, 0x12,
154 0x01, 0xc7, 0x4a, 0x73, 0xac, 0xbf, 0xc2, 0xbb
155 };
156 static unsigned char E[1] = { 0x03 };
157 static unsigned char P[64] = {
158 0xe5, 0x53, 0x1f, 0x88, 0x51, 0xee, 0x59, 0xf8,
159 0xc1, 0xe4, 0xcc, 0x5b, 0xb3, 0x75, 0x8d, 0xc8,
160 0xe8, 0x95, 0x2f, 0xd0, 0xef, 0x37, 0xb4, 0xcd,
161 0xd3, 0x9e, 0x48, 0x8b, 0x81, 0x58, 0x60, 0xb9,
162 0x27, 0x1d, 0xb6, 0x28, 0x92, 0x64, 0xa3, 0xa5,
163 0x64, 0xbd, 0xcc, 0x53, 0x68, 0xdd, 0x3e, 0x55,
164 0xea, 0x9d, 0x5e, 0xcd, 0x1f, 0x96, 0x87, 0xf1,
165 0x29, 0x75, 0x92, 0x70, 0x8f, 0x28, 0xfb, 0x2b
166 };
167 static unsigned char Q[64] = {
168 0xdb, 0x53, 0xef, 0x74, 0x61, 0xb4, 0x20, 0x3b,
169 0x3b, 0x87, 0x76, 0x75, 0x81, 0x56, 0x11, 0x03,
170 0x59, 0x31, 0xe3, 0x38, 0x4b, 0x8c, 0x7a, 0x9c,
171 0x05, 0xd6, 0x7f, 0x1e, 0x5e, 0x60, 0xf0, 0x4e,
172 0x0b, 0xdc, 0x34, 0x54, 0x1c, 0x2e, 0x90, 0x83,
173 0x14, 0xef, 0xc0, 0x96, 0x5c, 0x30, 0x10, 0xcc,
174 0xc1, 0xba, 0xa0, 0x54, 0x3f, 0x96, 0x24, 0xca,
175 0xa3, 0xfb, 0x55, 0xbc, 0x71, 0x29, 0x4e, 0xb1
176 };
177 unsigned char original[128];
178 unsigned char intermediate[128];
179 static unsigned char default_content[128] = {
180 /* A randomly generated pattern. */
181 0x4c, 0x27, 0x54, 0xa0, 0xce, 0x0d, 0x09, 0x4a,
182 0x1c, 0x38, 0x8e, 0x2d, 0xa3, 0xc4, 0xe0, 0x19,
183 0x4c, 0x99, 0xb2, 0xbf, 0xe6, 0x65, 0x7e, 0x58,
184 0xd7, 0xb6, 0x8a, 0x05, 0x2f, 0xa5, 0xec, 0xa4,
185 0x35, 0xad, 0x10, 0x36, 0xff, 0x0d, 0x08, 0x50,
186 0x74, 0x47, 0xc9, 0x9c, 0x4a, 0xe7, 0xfd, 0xfa,
187 0x83, 0x5f, 0x14, 0x5a, 0x1e, 0xe7, 0x35, 0x08,
188 0xad, 0xf7, 0x0d, 0x86, 0xdf, 0xb8, 0xd4, 0xcf,
189 0x32, 0xb9, 0x5c, 0xbe, 0xa3, 0xd2, 0x89, 0x70,
190 0x7b, 0xc6, 0x48, 0x7e, 0x58, 0x4d, 0xf3, 0xef,
191 0x34, 0xb7, 0x57, 0x54, 0x79, 0xc5, 0x8e, 0x0a,
192 0xa3, 0xbf, 0x6d, 0x42, 0x83, 0x25, 0x13, 0xa2,
193 0x95, 0xc0, 0x0d, 0x32, 0xec, 0x77, 0x91, 0x2b,
194 0x68, 0xb6, 0x8c, 0x79, 0x15, 0xfb, 0x94, 0xde,
195 0xb9, 0x2b, 0x94, 0xb3, 0x28, 0x23, 0x86, 0x3d,
196 0x37, 0x00, 0xe6, 0xf1, 0x1f, 0x4e, 0xd4, 0x42
197 };
198 unsigned char final[128];
199 size_t output_length = 0x7EA0;
200
Gilles Peskine449bd832023-01-11 14:50:10 +0100201 memset(&rnd_info, 0, sizeof(mbedtls_test_rnd_pseudo_info));
202 mbedtls_mpi_init(&Nmpi); mbedtls_mpi_init(&Empi);
203 mbedtls_mpi_init(&Pmpi); mbedtls_mpi_init(&Qmpi);
204 mbedtls_rsa_init(&ctx);
Gilles Peskine695a3462018-10-05 18:15:25 +0200205
Gilles Peskine449bd832023-01-11 14:50:10 +0100206 TEST_ASSERT(mbedtls_mpi_read_binary(&Nmpi, N, sizeof(N)) == 0);
207 TEST_ASSERT(mbedtls_mpi_read_binary(&Empi, E, sizeof(E)) == 0);
208 TEST_ASSERT(mbedtls_mpi_read_binary(&Pmpi, P, sizeof(P)) == 0);
209 TEST_ASSERT(mbedtls_mpi_read_binary(&Qmpi, Q, sizeof(Q)) == 0);
Gilles Peskine695a3462018-10-05 18:15:25 +0200210
Gilles Peskine449bd832023-01-11 14:50:10 +0100211 TEST_ASSERT(mbedtls_rsa_import(&ctx, &Nmpi, &Pmpi, &Qmpi,
212 NULL, &Empi) == 0);
213 TEST_ASSERT(mbedtls_rsa_complete(&ctx) == 0);
Gilles Peskine695a3462018-10-05 18:15:25 +0200214
Gilles Peskine449bd832023-01-11 14:50:10 +0100215 TEST_ASSERT(input->len <= sizeof(N));
216 memcpy(original, input->x, input->len);
217 memset(original + input->len, 'd', sizeof(original) - input->len);
218 TEST_ASSERT(mbedtls_rsa_public(&ctx, original, intermediate) == 0);
Gilles Peskine695a3462018-10-05 18:15:25 +0200219
Gilles Peskine449bd832023-01-11 14:50:10 +0100220 memcpy(final, default_content, sizeof(final));
221 TEST_ASSERT(mbedtls_rsa_pkcs1_decrypt(&ctx,
222 &mbedtls_test_rnd_pseudo_rand,
223 &rnd_info, &output_length,
224 intermediate, final,
225 output_size) == expected_result);
226 if (expected_result == 0) {
227 TEST_ASSERT(output_length == expected_plaintext_length);
228 TEST_ASSERT(memcmp(original + sizeof(N) - output_length,
229 final,
230 output_length) == 0);
231 } else if (expected_result == MBEDTLS_ERR_RSA_INVALID_PADDING ||
232 expected_result == MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE) {
Gilles Peskine695a3462018-10-05 18:15:25 +0200233 size_t max_payload_length =
Gilles Peskine449bd832023-01-11 14:50:10 +0100234 output_size > sizeof(N) - 11 ? sizeof(N) - 11 : output_size;
Gilles Peskine695a3462018-10-05 18:15:25 +0200235 size_t i;
236 size_t count = 0;
237
238#if !defined(MBEDTLS_RSA_ALT)
239 /* Check that the output in invalid cases is what the default
240 * implementation currently does. Alternative implementations
241 * may produce different output, so we only perform these precise
242 * checks when using the default implementation. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100243 TEST_ASSERT(output_length == max_payload_length);
244 for (i = 0; i < max_payload_length; i++) {
245 TEST_ASSERT(final[i] == 0);
246 }
Gilles Peskine695a3462018-10-05 18:15:25 +0200247#endif
248 /* Even in alternative implementations, the outputs must have
249 * changed, otherwise it indicates at least a timing vulnerability
250 * because no write to the outputs is performed in the bad case. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100251 TEST_ASSERT(output_length != 0x7EA0);
252 for (i = 0; i < max_payload_length; i++) {
253 count += (final[i] == default_content[i]);
254 }
Gilles Peskine695a3462018-10-05 18:15:25 +0200255 /* If more than 16 bytes are unchanged in final, that's evidence
256 * that final wasn't overwritten. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100257 TEST_ASSERT(count < 16);
Gilles Peskine695a3462018-10-05 18:15:25 +0200258 }
259
260exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100261 mbedtls_mpi_free(&Nmpi); mbedtls_mpi_free(&Empi);
262 mbedtls_mpi_free(&Pmpi); mbedtls_mpi_free(&Qmpi);
263 mbedtls_rsa_free(&ctx);
Gilles Peskine695a3462018-10-05 18:15:25 +0200264}
265/* END_CASE */
266
Manuel Pégourié-Gonnard5ce99592022-07-16 08:04:55 +0200267/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100268void pkcs1_rsassa_v15_sign(int mod, char *input_P,
269 char *input_Q, char *input_N,
270 char *input_E, int digest, int hash,
271 data_t *message_str, data_t *rnd_buf,
272 data_t *result_str, int result)
Janos Follathe6aef9f2016-03-16 16:39:41 +0000273{
Ron Eldor635888b2018-11-25 15:54:52 +0200274 unsigned char output[128];
Janos Follathe6aef9f2016-03-16 16:39:41 +0000275 mbedtls_rsa_context ctx;
Hanno Becker6d43f9e2017-08-23 06:35:17 +0100276 mbedtls_mpi N, P, Q, E;
Ronald Cron351f0ee2020-06-10 12:12:18 +0200277 mbedtls_test_rnd_buf_info info;
Janos Follathe6aef9f2016-03-16 16:39:41 +0000278
Gilles Peskineecacc3c2021-03-24 00:48:57 +0100279 info.fallback_f_rng = mbedtls_test_rnd_std_rand;
280 info.fallback_p_rng = NULL;
Azim Khand30ca132017-06-09 04:32:58 +0100281 info.buf = rnd_buf->x;
282 info.length = rnd_buf->len;
Janos Follathe6aef9f2016-03-16 16:39:41 +0000283
Gilles Peskine449bd832023-01-11 14:50:10 +0100284 mbedtls_mpi_init(&N); mbedtls_mpi_init(&P);
285 mbedtls_mpi_init(&Q); mbedtls_mpi_init(&E);
286 mbedtls_rsa_init(&ctx);
287 TEST_ASSERT(mbedtls_rsa_set_padding(&ctx,
288 MBEDTLS_RSA_PKCS_V15, hash) == 0);
Janos Follathe6aef9f2016-03-16 16:39:41 +0000289
Gilles Peskine449bd832023-01-11 14:50:10 +0100290 memset(output, 0x00, sizeof(output));
Janos Follathe6aef9f2016-03-16 16:39:41 +0000291
Yanray Wang69bc8402023-03-17 20:33:03 +0800292 TEST_EQUAL(mbedtls_rsa_get_padding_mode(&ctx), MBEDTLS_RSA_PKCS_V15);
293 TEST_EQUAL(mbedtls_rsa_get_md_alg(&ctx), hash);
Yanray Wang15d3df72023-03-17 19:34:01 +0800294
Gilles Peskine449bd832023-01-11 14:50:10 +0100295 TEST_ASSERT(mbedtls_test_read_mpi(&P, input_P) == 0);
296 TEST_ASSERT(mbedtls_test_read_mpi(&Q, input_Q) == 0);
297 TEST_ASSERT(mbedtls_test_read_mpi(&N, input_N) == 0);
298 TEST_ASSERT(mbedtls_test_read_mpi(&E, input_E) == 0);
Janos Follathe6aef9f2016-03-16 16:39:41 +0000299
Gilles Peskine449bd832023-01-11 14:50:10 +0100300 TEST_ASSERT(mbedtls_rsa_import(&ctx, &N, &P, &Q, NULL, &E) == 0);
301 TEST_ASSERT(mbedtls_rsa_get_len(&ctx) == (size_t) ((mod + 7) / 8));
302 TEST_ASSERT(mbedtls_rsa_complete(&ctx) == 0);
303 TEST_ASSERT(mbedtls_rsa_check_privkey(&ctx) == 0);
Janos Follathe6aef9f2016-03-16 16:39:41 +0000304
Gilles Peskine449bd832023-01-11 14:50:10 +0100305 TEST_ASSERT(mbedtls_rsa_pkcs1_sign(
306 &ctx, &mbedtls_test_rnd_buffer_rand, &info,
307 digest, message_str->len, message_str->x,
308 output) == result);
309 if (result == 0) {
Janos Follathe6aef9f2016-03-16 16:39:41 +0000310
Gilles Peskine449bd832023-01-11 14:50:10 +0100311 TEST_ASSERT(mbedtls_test_hexcmp(output, result_str->x,
312 ctx.len, result_str->len) == 0);
Janos Follathe6aef9f2016-03-16 16:39:41 +0000313 }
314
315exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100316 mbedtls_mpi_free(&N); mbedtls_mpi_free(&P);
317 mbedtls_mpi_free(&Q); mbedtls_mpi_free(&E);
318 mbedtls_rsa_free(&ctx);
Janos Follathe6aef9f2016-03-16 16:39:41 +0000319}
320/* END_CASE */
321
Manuel Pégourié-Gonnard5ce99592022-07-16 08:04:55 +0200322/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100323void pkcs1_rsassa_v15_verify(int mod, char *input_N, char *input_E,
324 int digest, int hash, data_t *message_str,
325 char *salt, data_t *result_str, int result)
Janos Follathe6aef9f2016-03-16 16:39:41 +0000326{
Janos Follathe6aef9f2016-03-16 16:39:41 +0000327 mbedtls_rsa_context ctx;
Hanno Becker6d43f9e2017-08-23 06:35:17 +0100328 mbedtls_mpi N, E;
Janos Follathe6aef9f2016-03-16 16:39:41 +0000329 ((void) salt);
330
Gilles Peskine449bd832023-01-11 14:50:10 +0100331 mbedtls_mpi_init(&N); mbedtls_mpi_init(&E);
332 mbedtls_rsa_init(&ctx);
333 TEST_ASSERT(mbedtls_rsa_set_padding(&ctx,
334 MBEDTLS_RSA_PKCS_V15, hash) == 0);
Janos Follathe6aef9f2016-03-16 16:39:41 +0000335
Yanray Wang69bc8402023-03-17 20:33:03 +0800336 TEST_EQUAL(mbedtls_rsa_get_padding_mode(&ctx), MBEDTLS_RSA_PKCS_V15);
337 TEST_EQUAL(mbedtls_rsa_get_md_alg(&ctx), hash);
Yanray Wang15d3df72023-03-17 19:34:01 +0800338
Gilles Peskine449bd832023-01-11 14:50:10 +0100339 TEST_ASSERT(mbedtls_test_read_mpi(&N, input_N) == 0);
340 TEST_ASSERT(mbedtls_test_read_mpi(&E, input_E) == 0);
341 TEST_ASSERT(mbedtls_rsa_import(&ctx, &N, NULL, NULL, NULL, &E) == 0);
342 TEST_ASSERT(mbedtls_rsa_get_len(&ctx) == (size_t) ((mod + 7) / 8));
343 TEST_ASSERT(mbedtls_rsa_check_pubkey(&ctx) == 0);
Janos Follathe6aef9f2016-03-16 16:39:41 +0000344
Gilles Peskine449bd832023-01-11 14:50:10 +0100345 TEST_ASSERT(mbedtls_rsa_pkcs1_verify(&ctx, digest, message_str->len, message_str->x,
346 result_str->x) == result);
Janos Follathe6aef9f2016-03-16 16:39:41 +0000347
348exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100349 mbedtls_mpi_free(&N); mbedtls_mpi_free(&E);
350 mbedtls_rsa_free(&ctx);
Janos Follathe6aef9f2016-03-16 16:39:41 +0000351}
352/* END_CASE */