diff --git a/ChangeLog b/ChangeLog index 916ec663e..1808b9fc6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -68,17 +68,6 @@ New deprecations * Direct manipulation of structure fields of RSA contexts is deprecated. Users are advised to use the extended RSA API instead. -API Changes - * Extend RSA interface by multiple functions allowing structure- - independent setup and export of RSA contexts. Most notably, - mbedtls_rsa_import and mbedtls_rsa_complete are introduced for setting - up RSA contexts from partial key material and having them completed to the - needs of the implementation automatically. This allows to setup private RSA - contexts from keys consisting of N,D,E only, even if P,Q are needed for the - purpose or CRT and/or blinding. - * The configuration option MBEDTLS_RSA_ALT can be used to define alternative - implementations of the RSA interface declared in rsa.h. - Bugfix * Fix ssl_parse_record_header() to silently discard invalid DTLS records as recommended in RFC 6347 Section 4.1.2.7. @@ -142,6 +131,19 @@ Changes used. Reported and fix proposed independently by satur9nine and sliai on GitHub. * Only run AES-192 self-test if AES-192 is available. Fixes #963. + * Tighten the RSA PKCS#1 v1.5 signature verification code and remove the + undeclared dependency of the RSA module on the ASN.1 module. + +API Changes + * Extend RSA interface by multiple functions allowing structure- + independent setup and export of RSA contexts. Most notably, + mbedtls_rsa_import and mbedtls_rsa_complete are introduced for setting + up RSA contexts from partial key material and having them completed to the + needs of the implementation automatically. This allows to setup private RSA + contexts from keys consisting of N,D,E only, even if P,Q are needed for the + purpose or CRT and/or blinding. + * The configuration option MBEDTLS_RSA_ALT can be used to define alternative + implementations of the RSA interface declared in rsa.h. = mbed TLS 2.6.0 branch released 2017-08-10 diff --git a/library/rsa.c b/library/rsa.c index e2f93a4eb..7b3739778 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -75,6 +75,20 @@ static void mbedtls_zeroize( void *v, size_t n ) { volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0; } +/* constant-time buffer comparison */ +static inline int mbedtls_safer_memcmp( const void *a, const void *b, size_t n ) +{ + size_t i; + const unsigned char *A = (const unsigned char *) a; + const unsigned char *B = (const unsigned char *) b; + unsigned char diff = 0; + + for( i = 0; i < n; i++ ) + diff |= A[i] ^ B[i]; + + return( diff ); +} + int mbedtls_rsa_import( mbedtls_rsa_context *ctx, const mbedtls_mpi *N, const mbedtls_mpi *P, const mbedtls_mpi *Q, @@ -1508,6 +1522,137 @@ int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx, /* * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function */ + +/* Construct a PKCS v1.5 encoding of a hashed message + * + * This is used both for signature generation and verification. + * + * Parameters: + * - md_alg: Identifies the hash algorithm used to generate the given hash; + * MBEDTLS_MD_NONE if raw data is signed. + * - hashlen: Length of hash in case hashlen is MBEDTLS_MD_NONE. + * - hash: Buffer containing the hashed message or the raw data. + * - dst_len: Length of the encoded message. + * - dst: Buffer to hold the encoded message. + * + * Assumptions: + * - hash has size hashlen if md_alg == MBEDTLS_MD_NONE. + * - hash has size corresponding to md_alg if md_alg != MBEDTLS_MD_NONE. + * - dst points to a buffer of size at least dst_len. + * + */ +static int rsa_rsassa_pkcs1_v15_encode( mbedtls_md_type_t md_alg, + unsigned int hashlen, + const unsigned char *hash, + size_t dst_len, + unsigned char *dst ) +{ + size_t oid_size = 0; + size_t nb_pad = dst_len; + unsigned char *p = dst; + const char *oid = NULL; + + /* Are we signing hashed or raw data? */ + if( md_alg != MBEDTLS_MD_NONE ) + { + const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg ); + if( md_info == NULL ) + return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); + + if( mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 ) + return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); + + hashlen = mbedtls_md_get_size( md_info ); + + /* Double-check that 8 + hashlen + oid_size can be used as a + * 1-byte ASN.1 length encoding and that there's no overflow. */ + if( 8 + hashlen + oid_size >= 0x80 || + 10 + hashlen < hashlen || + 10 + hashlen + oid_size < 10 + hashlen ) + return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); + + /* + * Static bounds check: + * - Need 10 bytes for five tag-length pairs. + * (Insist on 1-byte length encodings to protect against variants of + * Bleichenbacher's forgery attack against lax PKCS#1v1.5 verification) + * - Need hashlen bytes for hash + * - Need oid_size bytes for hash alg OID. + */ + if( nb_pad < 10 + hashlen + oid_size ) + return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); + nb_pad -= 10 + hashlen + oid_size; + } + else + { + if( nb_pad < hashlen ) + return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); + + nb_pad -= hashlen; + } + + /* Need space for signature header and padding delimiter (3 bytes), + * and 8 bytes for the minimal padding */ + if( nb_pad < 3 + 8 ) + return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); + nb_pad -= 3; + + /* Now nb_pad is the amount of memory to be filled + * with padding, and at least 8 bytes long. */ + + /* Write signature header and padding */ + *p++ = 0; + *p++ = MBEDTLS_RSA_SIGN; + memset( p, 0xFF, nb_pad ); + p += nb_pad; + *p++ = 0; + + /* Are we signing raw data? */ + if( md_alg == MBEDTLS_MD_NONE ) + { + memcpy( p, hash, hashlen ); + return( 0 ); + } + + /* Signing hashed data, add corresponding ASN.1 structure + * + * DigestInfo ::= SEQUENCE { + * digestAlgorithm DigestAlgorithmIdentifier, + * digest Digest } + * DigestAlgorithmIdentifier ::= AlgorithmIdentifier + * Digest ::= OCTET STRING + * + * Schematic: + * TAG-SEQ + LEN [ TAG-SEQ + LEN [ TAG-OID + LEN [ OID ] + * TAG-NULL + LEN [ NULL ] ] + * TAG-OCTET + LEN [ HASH ] ] + */ + *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED; + *p++ = (unsigned char)( 0x08 + oid_size + hashlen ); + *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED; + *p++ = (unsigned char)( 0x04 + oid_size ); + *p++ = MBEDTLS_ASN1_OID; + *p++ = (unsigned char) oid_size; + memcpy( p, oid, oid_size ); + p += oid_size; + *p++ = MBEDTLS_ASN1_NULL; + *p++ = 0x00; + *p++ = MBEDTLS_ASN1_OCTET_STRING; + *p++ = (unsigned char) hashlen; + memcpy( p, hash, hashlen ); + p += hashlen; + + /* Just a sanity-check, should be automatic + * after the initial bounds check. */ + if( p != dst + dst_len ) + { + mbedtls_zeroize( dst, dst_len ); + return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); + } + + return( 0 ); +} + /* * Do an RSA operation to sign the message digest */ @@ -1520,88 +1665,41 @@ int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx, const unsigned char *hash, unsigned char *sig ) { - size_t nb_pad, olen, oid_size = 0; - unsigned char *p = sig; - const char *oid = NULL; - unsigned char *sig_try = NULL, *verif = NULL; - size_t i; - unsigned char diff; - volatile unsigned char diff_no_optimize; int ret; + unsigned char *sig_try = NULL, *verif = NULL; if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 ) return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); - olen = ctx->len; - nb_pad = olen - 3; + /* + * Prepare PKCS1-v1.5 encoding (padding and hash identifier) + */ - if( md_alg != MBEDTLS_MD_NONE ) - { - const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg ); - if( md_info == NULL ) - return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); - - if( mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 ) - return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); - - nb_pad -= 10 + oid_size; - - hashlen = mbedtls_md_get_size( md_info ); - } - - nb_pad -= hashlen; - - if( ( nb_pad < 8 ) || ( nb_pad > olen ) ) - return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); - - *p++ = 0; - *p++ = MBEDTLS_RSA_SIGN; - memset( p, 0xFF, nb_pad ); - p += nb_pad; - *p++ = 0; - - if( md_alg == MBEDTLS_MD_NONE ) - { - memcpy( p, hash, hashlen ); - } - else - { - /* - * DigestInfo ::= SEQUENCE { - * digestAlgorithm DigestAlgorithmIdentifier, - * digest Digest } - * - * DigestAlgorithmIdentifier ::= AlgorithmIdentifier - * - * Digest ::= OCTET STRING - */ - *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED; - *p++ = (unsigned char) ( 0x08 + oid_size + hashlen ); - *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED; - *p++ = (unsigned char) ( 0x04 + oid_size ); - *p++ = MBEDTLS_ASN1_OID; - *p++ = oid_size & 0xFF; - memcpy( p, oid, oid_size ); - p += oid_size; - *p++ = MBEDTLS_ASN1_NULL; - *p++ = 0x00; - *p++ = MBEDTLS_ASN1_OCTET_STRING; - *p++ = hashlen; - memcpy( p, hash, hashlen ); - } - - if( mode == MBEDTLS_RSA_PUBLIC ) - return( mbedtls_rsa_public( ctx, sig, sig ) ); + if( ( ret = rsa_rsassa_pkcs1_v15_encode( md_alg, hashlen, hash, + ctx->len, sig ) ) != 0 ) + return( ret ); /* + * Call respective RSA primitive + */ + + if( mode == MBEDTLS_RSA_PUBLIC ) + { + /* Skip verification on a public key operation */ + return( mbedtls_rsa_public( ctx, sig, sig ) ); + } + + /* Private key operation + * * In order to prevent Lenstra's attack, make the signature in a * temporary buffer and check it before returning it. */ + sig_try = mbedtls_calloc( 1, ctx->len ); if( sig_try == NULL ) return( MBEDTLS_ERR_MPI_ALLOC_FAILED ); - verif = mbedtls_calloc( 1, ctx->len ); + verif = mbedtls_calloc( 1, ctx->len ); if( verif == NULL ) { mbedtls_free( sig_try ); @@ -1611,12 +1709,7 @@ int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx, MBEDTLS_MPI_CHK( mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig_try ) ); MBEDTLS_MPI_CHK( mbedtls_rsa_public( ctx, sig_try, verif ) ); - /* Compare in constant time just in case */ - for( diff = 0, i = 0; i < ctx->len; i++ ) - diff |= verif[i] ^ sig[i]; - diff_no_optimize = diff; - - if( diff_no_optimize != 0 ) + if( mbedtls_safer_memcmp( verif, sig, ctx->len ) != 0 ) { ret = MBEDTLS_ERR_RSA_PRIVATE_FAILED; goto cleanup; @@ -1830,121 +1923,64 @@ int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx, const unsigned char *hash, const unsigned char *sig ) { - int ret; - size_t len, siglen, asn1_len; - unsigned char *p, *p0, *end; - mbedtls_md_type_t msg_md_alg; - const mbedtls_md_info_t *md_info; - mbedtls_asn1_buf oid; - unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; + int ret = 0; + const size_t sig_len = ctx->len; + unsigned char *encoded = NULL, *encoded_expected = NULL; if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 ) return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); - siglen = ctx->len; + /* + * Prepare expected PKCS1 v1.5 encoding of hash. + */ - if( siglen < 16 || siglen > sizeof( buf ) ) - return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); + if( ( encoded = mbedtls_calloc( 1, sig_len ) ) == NULL || + ( encoded_expected = mbedtls_calloc( 1, sig_len ) ) == NULL ) + { + ret = MBEDTLS_ERR_MPI_ALLOC_FAILED; + goto cleanup; + } + + if( ( ret = rsa_rsassa_pkcs1_v15_encode( md_alg, hashlen, hash, sig_len, + encoded_expected ) ) != 0 ) + goto cleanup; + + /* + * Apply RSA primitive to get what should be PKCS1 encoded hash. + */ ret = ( mode == MBEDTLS_RSA_PUBLIC ) - ? mbedtls_rsa_public( ctx, sig, buf ) - : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, buf ); - + ? mbedtls_rsa_public( ctx, sig, encoded ) + : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, encoded ); if( ret != 0 ) - return( ret ); - - p = buf; - - if( *p++ != 0 || *p++ != MBEDTLS_RSA_SIGN ) - return( MBEDTLS_ERR_RSA_INVALID_PADDING ); - - while( *p != 0 ) - { - if( p >= buf + siglen - 1 || *p != 0xFF ) - return( MBEDTLS_ERR_RSA_INVALID_PADDING ); - p++; - } - p++; /* skip 00 byte */ - - /* We've read: 00 01 PS 00 where PS must be at least 8 bytes */ - if( p - buf < 11 ) - return( MBEDTLS_ERR_RSA_INVALID_PADDING ); - - len = siglen - ( p - buf ); - - if( len == hashlen && md_alg == MBEDTLS_MD_NONE ) - { - if( memcmp( p, hash, hashlen ) == 0 ) - return( 0 ); - else - return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); - } - - md_info = mbedtls_md_info_from_type( md_alg ); - if( md_info == NULL ) - return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); - hashlen = mbedtls_md_get_size( md_info ); - - end = p + len; + goto cleanup; /* - * Parse the ASN.1 structure inside the PKCS#1 v1.5 structure. - * Insist on 2-byte length tags, to protect against variants of - * Bleichenbacher's forgery attack against lax PKCS#1v1.5 verification. + * Compare */ - p0 = p; - if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, - MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) - return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); - if( p != p0 + 2 || asn1_len + 2 != len ) - return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); - p0 = p; - if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, - MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) - return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); - if( p != p0 + 2 || asn1_len + 6 + hashlen != len ) - return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); + if( ( ret = mbedtls_safer_memcmp( encoded, encoded_expected, + sig_len ) ) != 0 ) + { + ret = MBEDTLS_ERR_RSA_VERIFY_FAILED; + goto cleanup; + } - p0 = p; - if( ( ret = mbedtls_asn1_get_tag( &p, end, &oid.len, MBEDTLS_ASN1_OID ) ) != 0 ) - return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); - if( p != p0 + 2 ) - return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); +cleanup: - oid.p = p; - p += oid.len; + if( encoded != NULL ) + { + mbedtls_zeroize( encoded, sig_len ); + mbedtls_free( encoded ); + } - if( mbedtls_oid_get_md_alg( &oid, &msg_md_alg ) != 0 ) - return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); + if( encoded_expected != NULL ) + { + mbedtls_zeroize( encoded_expected, sig_len ); + mbedtls_free( encoded_expected ); + } - if( md_alg != msg_md_alg ) - return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); - - /* - * assume the algorithm parameters must be NULL - */ - p0 = p; - if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, MBEDTLS_ASN1_NULL ) ) != 0 ) - return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); - if( p != p0 + 2 ) - return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); - - p0 = p; - if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ) - return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); - if( p != p0 + 2 || asn1_len != hashlen ) - return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); - - if( memcmp( p, hash, hashlen ) != 0 ) - return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); - - p += hashlen; - - if( p != end ) - return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); - - return( 0 ); + return( ret ); } #endif /* MBEDTLS_PKCS1_V15 */ diff --git a/tests/suites/test_suite_pk.data b/tests/suites/test_suite_pk.data index f6ea378ff..cfb4281be 100644 --- a/tests/suites/test_suite_pk.data +++ b/tests/suites/test_suite_pk.data @@ -114,13 +114,13 @@ Verify ext RSA #8 (PKCS1 v2.1, RSASSA-PSS without options) depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_SHA256_C pk_rsa_verify_ext_test_vec:"54657374206d657373616765":MBEDTLS_MD_SHA256:1024:16:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":16:"010001":"0d2bdb0456a3d651d5bd48a4204493898f72cf1aaddd71387cc058bc3f4c235ea6be4010fd61b28e1fbb275462b53775c04be9022d38b6a2e0387dddba86a3f8554d2858044a59fddbd594753fc056fe33c8daddb85dc70d164690b1182209ff84824e0be10e35c379f2f378bf176a9f7cb94d95e44d90276a298c8810f741c9":MBEDTLS_PK_RSASSA_PSS:-1:MBEDTLS_RSA_SALT_LEN_ANY:MBEDTLS_ERR_PK_BAD_INPUT_DATA -Verify ext RSA #9 (PKCS1 v2.1, RSA with options) +Verify ext RSA #9 (PKCS1 v1.5, RSA with options) depends_on:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C pk_rsa_verify_ext_test_vec:"54657374206d657373616765":MBEDTLS_MD_SHA256:1024:16:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":16:"010001":"0d2bdb0456a3d651d5bd48a4204493898f72cf1aaddd71387cc058bc3f4c235ea6be4010fd61b28e1fbb275462b53775c04be9022d38b6a2e0387dddba86a3f8554d2858044a59fddbd594753fc056fe33c8daddb85dc70d164690b1182209ff84824e0be10e35c379f2f378bf176a9f7cb94d95e44d90276a298c8810f741c9":MBEDTLS_PK_RSA:MBEDTLS_MD_SHA256:MBEDTLS_RSA_SALT_LEN_ANY:MBEDTLS_ERR_PK_BAD_INPUT_DATA -Verify ext RSA #10 (PKCS1 v2.1, RSA without options) +Verify ext RSA #10 (PKCS1 v1.5, RSA without options) depends_on:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C -pk_rsa_verify_ext_test_vec:"54657374206d657373616765":MBEDTLS_MD_SHA256:1024:16:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":16:"010001":"0d2bdb0456a3d651d5bd48a4204493898f72cf1aaddd71387cc058bc3f4c235ea6be4010fd61b28e1fbb275462b53775c04be9022d38b6a2e0387dddba86a3f8554d2858044a59fddbd594753fc056fe33c8daddb85dc70d164690b1182209ff84824e0be10e35c379f2f378bf176a9f7cb94d95e44d90276a298c8810f741c9":MBEDTLS_PK_RSA:-1:MBEDTLS_RSA_SALT_LEN_ANY:MBEDTLS_ERR_RSA_INVALID_PADDING +pk_rsa_verify_ext_test_vec:"54657374206d657373616765":MBEDTLS_MD_SHA256:1024:16:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":16:"010001":"0d2bdb0456a3d651d5bd48a4204493898f72cf1aaddd71387cc058bc3f4c235ea6be4010fd61b28e1fbb275462b53775c04be9022d38b6a2e0387dddba86a3f8554d2858044a59fddbd594753fc056fe33c8daddb85dc70d164690b1182209ff84824e0be10e35c379f2f378bf176a9f7cb94d95e44d90276a298c8810f741c9":MBEDTLS_PK_RSA:-1:MBEDTLS_RSA_SALT_LEN_ANY:MBEDTLS_ERR_RSA_VERIFY_FAILED Verify ext RSA #11 (PKCS1 v2.1, asking for ECDSA) depends_on:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C diff --git a/tests/suites/test_suite_rsa.data b/tests/suites/test_suite_rsa.data index 2747da726..41149063f 100644 --- a/tests/suites/test_suite_rsa.data +++ b/tests/suites/test_suite_rsa.data @@ -26,7 +26,7 @@ mbedtls_rsa_pkcs1_verify:"44637d3b8de525fd589237bc81229c8966d3af24540850c2403633 RSA PKCS1 Verify v1.5 CAVS #7 depends_on:MBEDTLS_SHA512_C:MBEDTLS_PKCS1_V15 # Bad padding after performing the public key operation -mbedtls_rsa_pkcs1_verify:"d03f12276f6ba7545b8fce719471bd253791878809694e8754f3b389f26c9253a758ed28b4c62535a8d5702d7a778731d5759ff2b3b39b192db680e791632918b6093c0e8ca25c2bf756a07fde4144a37f769fe4054455a45cb8cefe4462e7a9a45ce71f2189b4fef01b47aee8585d44dc9d6fa627a3e5f08801871731f234cd":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA384:1024:16:"e28a13548525e5f36dccb24ecb7cc332cc689dfd64012604c9c7816d72a16c3f5fcdc0e86e7c03280b1c69b586ce0cd8aec722cc73a5d3b730310bf7dfebdc77ce5d94bbc369dc18a2f7b07bd505ab0f82224aef09fdc1e5063234255e0b3c40a52e9e8ae60898eb88a766bdd788fe9493d8fd86bcdd2884d5c06216c65469e5":16:"3":"d93a878c1ce86571590b0e43794b3edb23552797c4b8c9e3da4fe1cc4ac0566acd3b10541fe9a7a79f5ea4892d3069ca6903efb5c40c47eb8a9c781eb4249281d40c3d96aae16da1bb4daaece6a26eca5f41c062b4124a64fc9d340cba5ab0d1f5affff6515a87f0933774fd4322d2fa497cd6f708a429ca56dcb1fd3db623d0":MBEDTLS_ERR_RSA_INVALID_PADDING +mbedtls_rsa_pkcs1_verify:"d03f12276f6ba7545b8fce719471bd253791878809694e8754f3b389f26c9253a758ed28b4c62535a8d5702d7a778731d5759ff2b3b39b192db680e791632918b6093c0e8ca25c2bf756a07fde4144a37f769fe4054455a45cb8cefe4462e7a9a45ce71f2189b4fef01b47aee8585d44dc9d6fa627a3e5f08801871731f234cd":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA384:1024:16:"e28a13548525e5f36dccb24ecb7cc332cc689dfd64012604c9c7816d72a16c3f5fcdc0e86e7c03280b1c69b586ce0cd8aec722cc73a5d3b730310bf7dfebdc77ce5d94bbc369dc18a2f7b07bd505ab0f82224aef09fdc1e5063234255e0b3c40a52e9e8ae60898eb88a766bdd788fe9493d8fd86bcdd2884d5c06216c65469e5":16:"3":"d93a878c1ce86571590b0e43794b3edb23552797c4b8c9e3da4fe1cc4ac0566acd3b10541fe9a7a79f5ea4892d3069ca6903efb5c40c47eb8a9c781eb4249281d40c3d96aae16da1bb4daaece6a26eca5f41c062b4124a64fc9d340cba5ab0d1f5affff6515a87f0933774fd4322d2fa497cd6f708a429ca56dcb1fd3db623d0":MBEDTLS_ERR_RSA_VERIFY_FAILED RSA PKCS1 Verify v1.5 CAVS #8 depends_on:MBEDTLS_SHA512_C:MBEDTLS_PKCS1_V15 @@ -38,7 +38,7 @@ mbedtls_rsa_pkcs1_verify:"647586ba587b09aa555d1b8da4cdf5c6e777e08859379ca4578901 RSA PKCS1 Verify v1.5 CAVS #10 depends_on:MBEDTLS_SHA1_C:MBEDTLS_PKCS1_V15 -mbedtls_rsa_pkcs1_verify:"55013a489e09b6553262aab59fb041b49437b86d52876f8e5d5e405b77ca0ff6ce8ea2dd75c7b3b411cf4445d56233c5b0ff0e58c49128d81b4fedd295e172d225c451e13defb34b87b7aea6d6f0d20f5c55feb71d2a789fa31f3d9ff47896adc16bec5ce0c9dda3fde190e08ca2451c01ff3091449887695f96dac97ad6a30e":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA1:1024:16:"e28a13548525e5f36dccb24ecb7cc332cc689dfd64012604c9c7816d72a16c3f5fcdc0e86e7c03280b1c69b586ce0cd8aec722cc73a5d3b730310bf7dfebdc77ce5d94bbc369dc18a2f7b07bd505ab0f82224aef09fdc1e5063234255e0b3c40a52e9e8ae60898eb88a766bdd788fe9493d8fd86bcdd2884d5c06216c65469e5":16:"10001":"dd82b7be791c454fbbf6f1de47cbe585a687e4e8bbae0b6e2a77f8ca4efd06d71498f9a74b931bd59c377e71daf708a624c51303f377006c676487bad57f7067b09b7bb94a6189119ab8cf7321c321b2dc7df565bfbec833a28b86625fb5fd6a035d4ed79ff0f9aee9fa78935eec65069439ee449d7f5249cdae6fdd6d8c2a63":MBEDTLS_ERR_RSA_INVALID_PADDING +mbedtls_rsa_pkcs1_verify:"55013a489e09b6553262aab59fb041b49437b86d52876f8e5d5e405b77ca0ff6ce8ea2dd75c7b3b411cf4445d56233c5b0ff0e58c49128d81b4fedd295e172d225c451e13defb34b87b7aea6d6f0d20f5c55feb71d2a789fa31f3d9ff47896adc16bec5ce0c9dda3fde190e08ca2451c01ff3091449887695f96dac97ad6a30e":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA1:1024:16:"e28a13548525e5f36dccb24ecb7cc332cc689dfd64012604c9c7816d72a16c3f5fcdc0e86e7c03280b1c69b586ce0cd8aec722cc73a5d3b730310bf7dfebdc77ce5d94bbc369dc18a2f7b07bd505ab0f82224aef09fdc1e5063234255e0b3c40a52e9e8ae60898eb88a766bdd788fe9493d8fd86bcdd2884d5c06216c65469e5":16:"10001":"dd82b7be791c454fbbf6f1de47cbe585a687e4e8bbae0b6e2a77f8ca4efd06d71498f9a74b931bd59c377e71daf708a624c51303f377006c676487bad57f7067b09b7bb94a6189119ab8cf7321c321b2dc7df565bfbec833a28b86625fb5fd6a035d4ed79ff0f9aee9fa78935eec65069439ee449d7f5249cdae6fdd6d8c2a63":MBEDTLS_ERR_RSA_VERIFY_FAILED RSA PKCS1 Verify v1.5 CAVS #11 depends_on:MBEDTLS_SHA256_C:MBEDTLS_PKCS1_V15 @@ -82,11 +82,11 @@ mbedtls_rsa_pkcs1_verify:"a3edb0f52c6166d7b76e71634761f402337c3e9667549d00cd7877 RSA PKCS1 Verify v1.5 CAVS #21 depends_on:MBEDTLS_SHA1_C:MBEDTLS_PKCS1_V15 -mbedtls_rsa_pkcs1_verify:"ac58fd024208d7f045d81a56cd55aad40ab86b0d216ab55136c7027aca23ea13480a52c0dacce0d98139b25965aa4ff76a41dd92037195d24bc0750d52cb3467b48b7b3e71d852c5f82bd9ee85a8388ead5cd8bc38c3d4792e8daa9734a137d31963e245ad3217fad235f7dfd5584de0fe91c4526568588e08b60bdf1badd99f":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA1:1536:16:"a59d9b7269b102b7be684ec5e28db79992e6d3231e77c90b78960c2638b35ef6dbdac1ac59e7249d96d426e7f99397eabc6b8903fe1942da580322b98bafacd81bb911c29666f83886a2a2864f3552044300e60cedd5a8c321c43e280413dc41673c39a11b98a885486f8187a70f270185c4c12bc48a1968305269776c070ef69d4913589a887c4d0f5e7dd58bd806d0d49a14a1762c38665cef4646ff13a0cd29c3a60460703c3d051d5b28c660bffb5f8bd43d495ffa64175f72b8abe5fddd":16:"10001":"a142b0d9456f8f4772675265a08613a66c416bd1ae712975c69d9ca5fb8c1be9c24359a04fd15460bf6136a8a11f13e3ce2de2171524f10cb715f0d71e3db15281ab99eadbe86cf8c5c518162c638ef27a4f7bfb4a1a3873f3c384a5b1c3b4966c837b9d8d192ac34e03943b7ae191355aa1ff3b9cd041bb2668f1f81cf0d015b3d3608cd9ac79398212c0f132f1bd45d47768b999fcf3c05fe2069593ceecedc851a7fc465abcfef0fabba9b9460153f6ba8723a5c6e766c83a446aef3ee327":MBEDTLS_ERR_RSA_INVALID_PADDING +mbedtls_rsa_pkcs1_verify:"ac58fd024208d7f045d81a56cd55aad40ab86b0d216ab55136c7027aca23ea13480a52c0dacce0d98139b25965aa4ff76a41dd92037195d24bc0750d52cb3467b48b7b3e71d852c5f82bd9ee85a8388ead5cd8bc38c3d4792e8daa9734a137d31963e245ad3217fad235f7dfd5584de0fe91c4526568588e08b60bdf1badd99f":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA1:1536:16:"a59d9b7269b102b7be684ec5e28db79992e6d3231e77c90b78960c2638b35ef6dbdac1ac59e7249d96d426e7f99397eabc6b8903fe1942da580322b98bafacd81bb911c29666f83886a2a2864f3552044300e60cedd5a8c321c43e280413dc41673c39a11b98a885486f8187a70f270185c4c12bc48a1968305269776c070ef69d4913589a887c4d0f5e7dd58bd806d0d49a14a1762c38665cef4646ff13a0cd29c3a60460703c3d051d5b28c660bffb5f8bd43d495ffa64175f72b8abe5fddd":16:"10001":"a142b0d9456f8f4772675265a08613a66c416bd1ae712975c69d9ca5fb8c1be9c24359a04fd15460bf6136a8a11f13e3ce2de2171524f10cb715f0d71e3db15281ab99eadbe86cf8c5c518162c638ef27a4f7bfb4a1a3873f3c384a5b1c3b4966c837b9d8d192ac34e03943b7ae191355aa1ff3b9cd041bb2668f1f81cf0d015b3d3608cd9ac79398212c0f132f1bd45d47768b999fcf3c05fe2069593ceecedc851a7fc465abcfef0fabba9b9460153f6ba8723a5c6e766c83a446aef3ee327":MBEDTLS_ERR_RSA_VERIFY_FAILED RSA PKCS1 Verify v1.5 CAVS #22 depends_on:MBEDTLS_SHA256_C:MBEDTLS_PKCS1_V15 -mbedtls_rsa_pkcs1_verify:"027f767928a5821e2723d6f36c43e6b498b6f0b381852571794a096bd49f1c36a4d7bacec7ec402c24b970163169173bb930ec7fdc39bc9457dfc4ca051f5f28a64de1bbe007c22e8368ff9b117dbda17efd2fb73434bbbf5a4158df56813b8c904bb2e779de504dcd974a291568210d6f85810291606a1c0cd88d51ceadf98a":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA224:1536:16:"a59d9b7269b102b7be684ec5e28db79992e6d3231e77c90b78960c2638b35ef6dbdac1ac59e7249d96d426e7f99397eabc6b8903fe1942da580322b98bafacd81bb911c29666f83886a2a2864f3552044300e60cedd5a8c321c43e280413dc41673c39a11b98a885486f8187a70f270185c4c12bc48a1968305269776c070ef69d4913589a887c4d0f5e7dd58bd806d0d49a14a1762c38665cef4646ff13a0cd29c3a60460703c3d051d5b28c660bffb5f8bd43d495ffa64175f72b8abe5fddd":16:"10001":"0676e64daaa18f4af46e9dfbe234db389b8a527b0fe1db97eb7f404e3155226cba70d318800f83160fa1aa19916e5c09f079331079f18cb8ab1a4b884cb28501824974f683ed2b9babae9f8c15bea30802805c6b2152119764811bbf5f3994d2e97fa2fe8c5ab15a23c14d7ae56be00eaa8bc26678481ff5ba59b0acfb0e43341bff9fc638e5625480a73dbc5d8d13bd2b9e64037c6b79df0c60869980c6a22ec46f80fb859cb4ee5d2032ac1fe538cfd85c70a7f33b4af50a93395917c2cfb6":MBEDTLS_ERR_RSA_INVALID_PADDING +mbedtls_rsa_pkcs1_verify:"027f767928a5821e2723d6f36c43e6b498b6f0b381852571794a096bd49f1c36a4d7bacec7ec402c24b970163169173bb930ec7fdc39bc9457dfc4ca051f5f28a64de1bbe007c22e8368ff9b117dbda17efd2fb73434bbbf5a4158df56813b8c904bb2e779de504dcd974a291568210d6f85810291606a1c0cd88d51ceadf98a":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA224:1536:16:"a59d9b7269b102b7be684ec5e28db79992e6d3231e77c90b78960c2638b35ef6dbdac1ac59e7249d96d426e7f99397eabc6b8903fe1942da580322b98bafacd81bb911c29666f83886a2a2864f3552044300e60cedd5a8c321c43e280413dc41673c39a11b98a885486f8187a70f270185c4c12bc48a1968305269776c070ef69d4913589a887c4d0f5e7dd58bd806d0d49a14a1762c38665cef4646ff13a0cd29c3a60460703c3d051d5b28c660bffb5f8bd43d495ffa64175f72b8abe5fddd":16:"10001":"0676e64daaa18f4af46e9dfbe234db389b8a527b0fe1db97eb7f404e3155226cba70d318800f83160fa1aa19916e5c09f079331079f18cb8ab1a4b884cb28501824974f683ed2b9babae9f8c15bea30802805c6b2152119764811bbf5f3994d2e97fa2fe8c5ab15a23c14d7ae56be00eaa8bc26678481ff5ba59b0acfb0e43341bff9fc638e5625480a73dbc5d8d13bd2b9e64037c6b79df0c60869980c6a22ec46f80fb859cb4ee5d2032ac1fe538cfd85c70a7f33b4af50a93395917c2cfb6":MBEDTLS_ERR_RSA_VERIFY_FAILED RSA PKCS1 Verify v1.5 CAVS #23 depends_on:MBEDTLS_SHA256_C:MBEDTLS_PKCS1_V15 @@ -118,11 +118,11 @@ mbedtls_rsa_pkcs1_verify:"f7857ce04bf4292ea1755f9e587822372f4dcdf10bddfc0ff498a8 RSA PKCS1 Verify v1.5 CAVS #30 depends_on:MBEDTLS_SHA256_C:MBEDTLS_PKCS1_V15 -mbedtls_rsa_pkcs1_verify:"ca312774f2756ac2019f213a01a63c9a0b4a49ccafecf25e97a4c632668e3c77e664f4d7635241f25205e50c37061b02c546db8346fa597c3da8cfd44a827c5a4ff4ecfcd1797b39a1b215d9bbb93fdb6eb35bafbda427a5068888a6e19f86224b0897490491207e35ce39085668b10b4fb851b7dd9465c03869790ef38a61b5":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA256:1536:16:"a59d9b7269b102b7be684ec5e28db79992e6d3231e77c90b78960c2638b35ef6dbdac1ac59e7249d96d426e7f99397eabc6b8903fe1942da580322b98bafacd81bb911c29666f83886a2a2864f3552044300e60cedd5a8c321c43e280413dc41673c39a11b98a885486f8187a70f270185c4c12bc48a1968305269776c070ef69d4913589a887c4d0f5e7dd58bd806d0d49a14a1762c38665cef4646ff13a0cd29c3a60460703c3d051d5b28c660bffb5f8bd43d495ffa64175f72b8abe5fddd":16:"3":"a202c33eb831b9d8e818b6c3bcdb42818e1d9c22a06ddd73a17a21e49d18cda44df349a066477cae068e1a5d2b518b0885e889ef796ca9e6f42a69ac755b8a6405fbaef93fe0130d98de35d689addfee3eecd26658903f774bda481c3f40ee0e9569a3c3e2da7ad576c7de82159d933e36fa29cfef99367005e34ab5082d80f48276d37dabc88dbb023bd01585329d2ccf417f78ec508aaa29751007d31f1669296b981d44c8fa99130c5df7a071725b496859314aaf9baf0ebc780355914249":MBEDTLS_ERR_RSA_INVALID_PADDING +mbedtls_rsa_pkcs1_verify:"ca312774f2756ac2019f213a01a63c9a0b4a49ccafecf25e97a4c632668e3c77e664f4d7635241f25205e50c37061b02c546db8346fa597c3da8cfd44a827c5a4ff4ecfcd1797b39a1b215d9bbb93fdb6eb35bafbda427a5068888a6e19f86224b0897490491207e35ce39085668b10b4fb851b7dd9465c03869790ef38a61b5":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA256:1536:16:"a59d9b7269b102b7be684ec5e28db79992e6d3231e77c90b78960c2638b35ef6dbdac1ac59e7249d96d426e7f99397eabc6b8903fe1942da580322b98bafacd81bb911c29666f83886a2a2864f3552044300e60cedd5a8c321c43e280413dc41673c39a11b98a885486f8187a70f270185c4c12bc48a1968305269776c070ef69d4913589a887c4d0f5e7dd58bd806d0d49a14a1762c38665cef4646ff13a0cd29c3a60460703c3d051d5b28c660bffb5f8bd43d495ffa64175f72b8abe5fddd":16:"3":"a202c33eb831b9d8e818b6c3bcdb42818e1d9c22a06ddd73a17a21e49d18cda44df349a066477cae068e1a5d2b518b0885e889ef796ca9e6f42a69ac755b8a6405fbaef93fe0130d98de35d689addfee3eecd26658903f774bda481c3f40ee0e9569a3c3e2da7ad576c7de82159d933e36fa29cfef99367005e34ab5082d80f48276d37dabc88dbb023bd01585329d2ccf417f78ec508aaa29751007d31f1669296b981d44c8fa99130c5df7a071725b496859314aaf9baf0ebc780355914249":MBEDTLS_ERR_RSA_VERIFY_FAILED RSA PKCS1 Verify v1.5 CAVS #31 depends_on:MBEDTLS_SHA512_C:MBEDTLS_PKCS1_V15 -mbedtls_rsa_pkcs1_verify:"2abe079077290ceb6c80ac5c61062ce8da814b1fb99a1a9fb2860ed900e6541856ec64bf19c0d9d1cc2280b7cc50af3e3d2ad8e044945d44761ca60891dd72bd6aa26a33274ffcf7ae7d661b5e651135fcff21aaf06b4a2db18fe5827e0243884f2841760b9f1c65fbda870f7f0cfbd6ff484f0825e688614928f2d12d1e7080":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA384:1536:16:"a59d9b7269b102b7be684ec5e28db79992e6d3231e77c90b78960c2638b35ef6dbdac1ac59e7249d96d426e7f99397eabc6b8903fe1942da580322b98bafacd81bb911c29666f83886a2a2864f3552044300e60cedd5a8c321c43e280413dc41673c39a11b98a885486f8187a70f270185c4c12bc48a1968305269776c070ef69d4913589a887c4d0f5e7dd58bd806d0d49a14a1762c38665cef4646ff13a0cd29c3a60460703c3d051d5b28c660bffb5f8bd43d495ffa64175f72b8abe5fddd":16:"10001":"402631f3cddfb02cc4d9cb58ef1ab6726bd787a50e12e98567c9702bfdf47af85904aec5a2f6c5df9a10f08f90f93728eb090ae2ac21ded9f38faecd8195f3eb3d4107521b1cee956e7a214245b038adae912fa35ec97cb3bdc41352e8aaff80173561284cb740f999a3cd6653a6c3d5a3f911a416f41e2155083982c99eb5998a0a74d77f1ae999d901ee24a7f2c424179a3f92b07dc0b3498c1884e60677bee0175e810b426c4ad008d2743cd19b00b33177bf8be3fed7f7406e1bce0c2ea3":MBEDTLS_ERR_RSA_INVALID_PADDING +mbedtls_rsa_pkcs1_verify:"2abe079077290ceb6c80ac5c61062ce8da814b1fb99a1a9fb2860ed900e6541856ec64bf19c0d9d1cc2280b7cc50af3e3d2ad8e044945d44761ca60891dd72bd6aa26a33274ffcf7ae7d661b5e651135fcff21aaf06b4a2db18fe5827e0243884f2841760b9f1c65fbda870f7f0cfbd6ff484f0825e688614928f2d12d1e7080":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA384:1536:16:"a59d9b7269b102b7be684ec5e28db79992e6d3231e77c90b78960c2638b35ef6dbdac1ac59e7249d96d426e7f99397eabc6b8903fe1942da580322b98bafacd81bb911c29666f83886a2a2864f3552044300e60cedd5a8c321c43e280413dc41673c39a11b98a885486f8187a70f270185c4c12bc48a1968305269776c070ef69d4913589a887c4d0f5e7dd58bd806d0d49a14a1762c38665cef4646ff13a0cd29c3a60460703c3d051d5b28c660bffb5f8bd43d495ffa64175f72b8abe5fddd":16:"10001":"402631f3cddfb02cc4d9cb58ef1ab6726bd787a50e12e98567c9702bfdf47af85904aec5a2f6c5df9a10f08f90f93728eb090ae2ac21ded9f38faecd8195f3eb3d4107521b1cee956e7a214245b038adae912fa35ec97cb3bdc41352e8aaff80173561284cb740f999a3cd6653a6c3d5a3f911a416f41e2155083982c99eb5998a0a74d77f1ae999d901ee24a7f2c424179a3f92b07dc0b3498c1884e60677bee0175e810b426c4ad008d2743cd19b00b33177bf8be3fed7f7406e1bce0c2ea3":MBEDTLS_ERR_RSA_VERIFY_FAILED RSA PKCS1 Verify v1.5 CAVS #32 depends_on:MBEDTLS_SHA512_C:MBEDTLS_PKCS1_V15 @@ -130,7 +130,7 @@ mbedtls_rsa_pkcs1_verify:"da9505809dc92cfd8e01a1857dde52df6677c40d98f4577c1659ca RSA PKCS1 Verify v1.5 CAVS #33 depends_on:MBEDTLS_SHA512_C:MBEDTLS_PKCS1_V15 -mbedtls_rsa_pkcs1_verify:"d0cd038c65b3acca45822eaf91ea5176e82043268876dec0b62e2abd619023b7023abc67c6b823cfef5447b8772f985ff7910d6cc87e6c23688ac6de1fee40bbe2da1a92770de92adaa427ace02fee571a0a0176fceb0c8f3eb72dde839ab201395625f5c0db8641ce19d7711212dec61733262c6ce4476c025e67a3d5bc01f3":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA512:1536:16:"a59d9b7269b102b7be684ec5e28db79992e6d3231e77c90b78960c2638b35ef6dbdac1ac59e7249d96d426e7f99397eabc6b8903fe1942da580322b98bafacd81bb911c29666f83886a2a2864f3552044300e60cedd5a8c321c43e280413dc41673c39a11b98a885486f8187a70f270185c4c12bc48a1968305269776c070ef69d4913589a887c4d0f5e7dd58bd806d0d49a14a1762c38665cef4646ff13a0cd29c3a60460703c3d051d5b28c660bffb5f8bd43d495ffa64175f72b8abe5fddd":16:"11":"2f30629c1117d013bb36e6099dee931dcaf0a1032b07ec23e2b262898a8945e569c9573d81e22bb0a5f8a28b0d7b8ff01367dd7f089c68ed1daa11cf53a96ee91b38e6b839b6e90bea34d14b78f5d2c7629b68c5b4f2ecfff66b483b2233cb14f95df533c867a2b610aebcdbb7ea3109aaf2f5762ab3edc2571deccc7da0c9a5b443ca2b924c0f18de7bbb736a08fed3916795018a436a3ae62c85d554a53a6d48623908e06e7d275f4251d3b3bd530bd11e155dcf2b5c2adf030cdf931ae749":MBEDTLS_ERR_RSA_INVALID_PADDING +mbedtls_rsa_pkcs1_verify:"d0cd038c65b3acca45822eaf91ea5176e82043268876dec0b62e2abd619023b7023abc67c6b823cfef5447b8772f985ff7910d6cc87e6c23688ac6de1fee40bbe2da1a92770de92adaa427ace02fee571a0a0176fceb0c8f3eb72dde839ab201395625f5c0db8641ce19d7711212dec61733262c6ce4476c025e67a3d5bc01f3":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA512:1536:16:"a59d9b7269b102b7be684ec5e28db79992e6d3231e77c90b78960c2638b35ef6dbdac1ac59e7249d96d426e7f99397eabc6b8903fe1942da580322b98bafacd81bb911c29666f83886a2a2864f3552044300e60cedd5a8c321c43e280413dc41673c39a11b98a885486f8187a70f270185c4c12bc48a1968305269776c070ef69d4913589a887c4d0f5e7dd58bd806d0d49a14a1762c38665cef4646ff13a0cd29c3a60460703c3d051d5b28c660bffb5f8bd43d495ffa64175f72b8abe5fddd":16:"11":"2f30629c1117d013bb36e6099dee931dcaf0a1032b07ec23e2b262898a8945e569c9573d81e22bb0a5f8a28b0d7b8ff01367dd7f089c68ed1daa11cf53a96ee91b38e6b839b6e90bea34d14b78f5d2c7629b68c5b4f2ecfff66b483b2233cb14f95df533c867a2b610aebcdbb7ea3109aaf2f5762ab3edc2571deccc7da0c9a5b443ca2b924c0f18de7bbb736a08fed3916795018a436a3ae62c85d554a53a6d48623908e06e7d275f4251d3b3bd530bd11e155dcf2b5c2adf030cdf931ae749":MBEDTLS_ERR_RSA_VERIFY_FAILED RSA PKCS1 Verify v1.5 CAVS #34 depends_on:MBEDTLS_SHA512_C:MBEDTLS_PKCS1_V15 @@ -138,7 +138,42 @@ mbedtls_rsa_pkcs1_verify:"59779fd2a39e56640c4fc1e67b60aeffcecd78aed7ad2bdfa464e9 RSA PKCS1 Verify v1.5 padding too short depends_on:MBEDTLS_SHA1_C:MBEDTLS_PKCS1_V15 -mbedtls_rsa_pkcs1_verify:"AABBCC03020100FFFFFFFFFF1122330A0B0CCCDDDDDDDDDD":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA1:1024:16:"9292758453063D803DD603D5E777D7888ED1D5BF35786190FA2F23EBC0848AEADDA92CA6C3D80B32C4D109BE0F36D6AE7130B9CED7ACDF54CFC7555AC14EEBAB93A89813FBF3C4F8066D2D800F7C38A81AE31942917403FF4946B0A83D3D3E05EE57C6F5F5606FB5D4BC6CD34EE0801A5E94BB77B07507233A0BC7BAC8F90F79":16:"10001":"6edd56f397d9bc6d176bbe3d80946fc352ad6127b85b1d67d849c0a38cbde7222c5fafbb18dcef791178a8e15f5c8cd91869f8ca4b758c46ce3e229bf666d2e3e296544351bcb5db7e0004f6c0800f76a432071297e405759d4324d1cf1c412758be93a39f834e03dee59e28ac571ce2b0b3c8fe639979f516223b54027340a5":MBEDTLS_ERR_RSA_INVALID_PADDING +mbedtls_rsa_pkcs1_verify:"AABBCC03020100FFFFFFFFFF1122330A0B0CCCDDDDDDDDDD":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA1:1024:16:"9292758453063D803DD603D5E777D7888ED1D5BF35786190FA2F23EBC0848AEADDA92CA6C3D80B32C4D109BE0F36D6AE7130B9CED7ACDF54CFC7555AC14EEBAB93A89813FBF3C4F8066D2D800F7C38A81AE31942917403FF4946B0A83D3D3E05EE57C6F5F5606FB5D4BC6CD34EE0801A5E94BB77B07507233A0BC7BAC8F90F79":16:"10001":"6edd56f397d9bc6d176bbe3d80946fc352ad6127b85b1d67d849c0a38cbde7222c5fafbb18dcef791178a8e15f5c8cd91869f8ca4b758c46ce3e229bf666d2e3e296544351bcb5db7e0004f6c0800f76a432071297e405759d4324d1cf1c412758be93a39f834e03dee59e28ac571ce2b0b3c8fe639979f516223b54027340a5":MBEDTLS_ERR_RSA_VERIFY_FAILED + +# The following tests check whether the use of reduced length encodings (as mandated for DER in contrast to BER) is enforced in +# the verification of PKCS1 v1.5 signatures - this is relevant to prevent Bleichenbacher signature forgery attacks. +# The test data has been generated by signing a test file using `programs/pkey/rsa_sign` after making modifications +# to `mbedtls_rsa_rsassa_pkcs1_v15_encode` to force the use of non-reduced encodings in different places as indicated in the respective tests. +# See the documentation of `mbedtls_rsa_rsassa_pkcs1_v15_encode` for the layout of the relevant ASN.1 structure. +# Correct signature with DER-compliant reduced length encodings +RSA PKCS1 Verify v1.5 reduced length encoding +depends_on:MBEDTLS_SHA256_C:MBEDTLS_PKCS1_V15 +mbedtls_rsa_pkcs1_verify:"7369676e617475726520746573740a":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA256:1024:16:"A1D46FBA2318F8DCEF16C280948B1CF27966B9B47225ED2989F8D74B45BD36049C0AAB5AD0FF003553BA843C8E12782FC5873BB89A3DC84B883D25666CD22BF3ACD5B675969F8BEBFBCAC93FDD927C7442B178B10D1DFF9398E52316AAE0AF74E594650BDC3C670241D418684593CDA1A7B9DC4F20D2FDC6F66344074003E211":16:"10001":"5B56096ECADA4DAC299FD3D6091C1BE4D7C4210086E61ADA6FFC267A690034DAFB3734035880B9E71CEB0331C32C8DE1A254D777DFE3C848AC7764907602452EC16FD8EB3664E2E682DB3AA8979059BFADFE6192D9029844C8CAF310552717DD5B5B36A9910CFABE5C54AC16F3A3461DEE730060981BD9B47EE8D6644963B7CA":0 + +# Non-reduced 1-byte length encoding in `DigestInfo` ASN.1 element +RSA PKCS1 Verify v1.5 non-reduced length encoding #1 +depends_on:MBEDTLS_SHA256_C:MBEDTLS_PKCS1_V15 +mbedtls_rsa_pkcs1_verify:"7369676e617475726520746573740a":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA256:1024:16:"A1D46FBA2318F8DCEF16C280948B1CF27966B9B47225ED2989F8D74B45BD36049C0AAB5AD0FF003553BA843C8E12782FC5873BB89A3DC84B883D25666CD22BF3ACD5B675969F8BEBFBCAC93FDD927C7442B178B10D1DFF9398E52316AAE0AF74E594650BDC3C670241D418684593CDA1A7B9DC4F20D2FDC6F66344074003E211":16:"10001":"2FCF7FC1B60B3C083872B1BD9C666745921951A8A9E099FD629675F620B670713519C4A97B870591B97FE5C5DB2FC2A0A3FCB0016536D1205AA32BA8BFCF54ABD542C02F7FCEA3C3531D7A87C82ED5B151A9599F1BDB070A905F5B721DE3C22F8AC35034C607920CE0699D7F79E5913915F3A01856B5D30F9E68F0CD7856D40F":MBEDTLS_ERR_RSA_VERIFY_FAILED + +# Non-reduced 2-byte length encoding for `digestAlgorithm` ASN.1 element +RSA PKCS1 Verify v1.5 non-reduced length encoding #2 +depends_on:MBEDTLS_SHA256_C:MBEDTLS_PKCS1_V15 +mbedtls_rsa_pkcs1_verify:"7369676e617475726520746573740a":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA256:1024:16:"A1D46FBA2318F8DCEF16C280948B1CF27966B9B47225ED2989F8D74B45BD36049C0AAB5AD0FF003553BA843C8E12782FC5873BB89A3DC84B883D25666CD22BF3ACD5B675969F8BEBFBCAC93FDD927C7442B178B10D1DFF9398E52316AAE0AF74E594650BDC3C670241D418684593CDA1A7B9DC4F20D2FDC6F66344074003E211":16:"10001":"3C27512A8FDC973D856C0F288BE27D00D54FC0B359C520DA73A05156D98CDD6A83E6657BFA81D7B9716EEDFD98C08CD82F399298782782AE341D9AABCBB6B5F9C6552DE1D8B93047E1135032653F4F65A8937352E903864E008429E049680E3AA80F5DE1C7408C403011CEF4A3ECA549C027C8954BFBCA21F2A41C3EB0278029":MBEDTLS_ERR_RSA_VERIFY_FAILED + +# Non-reduced 3-byte length encoding for optional parameters in `digestAlgorithm` ASN.1 element +RSA PKCS1 Verify v1.5 non-reduced length encoding #3 +depends_on:MBEDTLS_SHA256_C:MBEDTLS_PKCS1_V15 +mbedtls_rsa_pkcs1_verify:"7369676e617475726520746573740a":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA256:1024:16:"A1D46FBA2318F8DCEF16C280948B1CF27966B9B47225ED2989F8D74B45BD36049C0AAB5AD0FF003553BA843C8E12782FC5873BB89A3DC84B883D25666CD22BF3ACD5B675969F8BEBFBCAC93FDD927C7442B178B10D1DFF9398E52316AAE0AF74E594650BDC3C670241D418684593CDA1A7B9DC4F20D2FDC6F66344074003E211":16:"10001":"24BEB8502F24E0D11D9C10CEE4435EA972CEC93C23936E815ED2DF41BECEDDE889AF85BBEAF1B8C6928913AC523EA1D6653832E9D4E74F55B76771EA84F5A607342C341A14AB258019F38DBAEE4B967C8C8D26D6AF2583D32988471BA38751B6A67BA3D1147619C266A9AAC34244740BB59CD9DB3AFF19438B04C619AB719123":MBEDTLS_ERR_RSA_VERIFY_FAILED + +# Non-reduced 4-byte length encoding in `digest` ASN.1 element +RSA PKCS1 Verify v1.5 non-reduced length encoding #4 +depends_on:MBEDTLS_SHA256_C:MBEDTLS_PKCS1_V15 +mbedtls_rsa_pkcs1_verify:"7369676e617475726520746573740a":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA256:1024:16:"A1D46FBA2318F8DCEF16C280948B1CF27966B9B47225ED2989F8D74B45BD36049C0AAB5AD0FF003553BA843C8E12782FC5873BB89A3DC84B883D25666CD22BF3ACD5B675969F8BEBFBCAC93FDD927C7442B178B10D1DFF9398E52316AAE0AF74E594650BDC3C670241D418684593CDA1A7B9DC4F20D2FDC6F66344074003E211":16:"10001":"13172EF7362CF421103FE1893429FAE85F83636BA8AF545252599A39892E62CEC317DC47C1D6B19328B63CDFD02FA0B49CE7980504635251FF08C0A1308C64D6466DFBF1EF2BA49EFDD6C2C888A30870EC2DC0FA4D67FDE6631C85ED2CEF8EEBF5578C974CBA4A04034D9B579B420D6CA93E4BFC09E014542A0EFB902AF90C5E":MBEDTLS_ERR_RSA_VERIFY_FAILED + +# Non-reduced 3-byte length encoding for OID in `digestAlgorithm` ASN.1 element +RSA PKCS1 Verify v1.5 non-reduced length encoding #5 +depends_on:MBEDTLS_SHA256_C:MBEDTLS_PKCS1_V15 +mbedtls_rsa_pkcs1_verify:"7369676e617475726520746573740a":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA256:1024:16:"A1D46FBA2318F8DCEF16C280948B1CF27966B9B47225ED2989F8D74B45BD36049C0AAB5AD0FF003553BA843C8E12782FC5873BB89A3DC84B883D25666CD22BF3ACD5B675969F8BEBFBCAC93FDD927C7442B178B10D1DFF9398E52316AAE0AF74E594650BDC3C670241D418684593CDA1A7B9DC4F20D2FDC6F66344074003E211":16:"10001":"65DD518F63A2E289C035E9F2A9927BF5A6A74FF6FEFFF61AFCC52ED4A8A5B93534A3AD1709136306EE1379B47A4863BC6ED879E92CD6F99AA5B5F106102BDAE8DAFB15CF6EF00CB5FA63967706528DEE8876F3D04E8D75533009C73DA4C5744D20FFDB18EA78EE4D5D9D6F7BD3AFC2AD9A0EDDD56AA40AAEF789E6FB12AB6DE7":MBEDTLS_ERR_RSA_VERIFY_FAILED RSA PKCS1 Sign #1 (SHA512, 1536 bits RSA) depends_on:MBEDTLS_SHA512_C:MBEDTLS_PKCS1_V15 @@ -158,7 +193,7 @@ mbedtls_rsa_pkcs1_verify:"59779fd2a39e56640c4fc1e67b60aeffcecd78aed7ad2bdfa464e9 RSA PKCS1 Sign #2 Verify (Fail) depends_on:MBEDTLS_SHA256_C:MBEDTLS_PKCS1_V15 -mbedtls_rsa_pkcs1_verify:"59779fd2a39e56640c4fc1e67b60aeffcecd78aed7ad2bdfa464e93d04198d48466b8da7445f25bfa19db2844edd5c8f539cf772cc132b483169d390db28a43bc4ee0f038f6568ffc87447746cb72fefac2d6d90ee3143a915ac4688028805905a68eb8f8a96674b093c495eddd8704461eaa2b345efbb2ad6930acd8023f870":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA256:2048:16:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":16:"3":"5aee2b9dbc02a6a2d87ff64a64165dc0b9ce70c79bab2d287939e2601c3223e0493988d5468731ae4edc7d5f5d449335c204fdb0e192c1915c9d694d3a61c3be14df79c4b34d6ac73707829024d263c94f9107fa93f3783de3965522336e18d1e01a142b5103451bb97839eaf2f44703a63050a36b78aef4072ea1a8daaaf1a2918fc03ee957a9c09efdc6287bcb4d6aec4723290294b249b3e3dc63157b560ad9c867323a73ebeb360cc9e482111643b0d86c4e33dcf170155590f0eba7d170789e84de336b7fe2f6cf485ddca94607a4ff379fc49d375c730249dd1a210e7dccd763d1c23c7532e769c6aa88e38e8654ff90f7b34df4c07ba90e89099ec1ed":MBEDTLS_ERR_RSA_INVALID_PADDING +mbedtls_rsa_pkcs1_verify:"59779fd2a39e56640c4fc1e67b60aeffcecd78aed7ad2bdfa464e93d04198d48466b8da7445f25bfa19db2844edd5c8f539cf772cc132b483169d390db28a43bc4ee0f038f6568ffc87447746cb72fefac2d6d90ee3143a915ac4688028805905a68eb8f8a96674b093c495eddd8704461eaa2b345efbb2ad6930acd8023f870":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA256:2048:16:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":16:"3":"5aee2b9dbc02a6a2d87ff64a64165dc0b9ce70c79bab2d287939e2601c3223e0493988d5468731ae4edc7d5f5d449335c204fdb0e192c1915c9d694d3a61c3be14df79c4b34d6ac73707829024d263c94f9107fa93f3783de3965522336e18d1e01a142b5103451bb97839eaf2f44703a63050a36b78aef4072ea1a8daaaf1a2918fc03ee957a9c09efdc6287bcb4d6aec4723290294b249b3e3dc63157b560ad9c867323a73ebeb360cc9e482111643b0d86c4e33dcf170155590f0eba7d170789e84de336b7fe2f6cf485ddca94607a4ff379fc49d375c730249dd1a210e7dccd763d1c23c7532e769c6aa88e38e8654ff90f7b34df4c07ba90e89099ec1ed":MBEDTLS_ERR_RSA_VERIFY_FAILED RSA PKCS1 Sign #3 (SHA224, 2048 bits RSA) depends_on:MBEDTLS_SHA256_C:MBEDTLS_PKCS1_V15