diff --git a/ChangeLog b/ChangeLog index d8289ce76..cbbb1ac87 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,15 @@ mbed TLS ChangeLog (Sorted per branch, date) = mbed TLS 1.3.x branch +Security + * Fix missing padding length check in mbedtls_rsa_rsaes_pkcs1_v15_decrypt + required by PKCS1 v2.2 + * Fix a potential integer underflow to buffer overread in + mbedtls_rsa_rsaes_oaep_decrypt. It is not triggerable remotely in + SSL/TLS. + * Fix potential integer overflow to buffer overflow in + mbedtls_rsa_rsaes_pkcs1_v15_encrypt and mbedtls_rsa_rsaes_oaep_encrypt + Bugfix * Fix bug in mbedtls_mpi_add_mpi() that caused wrong results when the three arguments where the same (in-place doubling). Found and fixed by Janos diff --git a/library/rsa.c b/library/rsa.c index 16114ac5e..26d69c522 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -525,7 +525,8 @@ int rsa_rsaes_oaep_encrypt( rsa_context *ctx, olen = ctx->len; hlen = md_get_size( md_info ); - if( olen < ilen + 2 * hlen + 2 ) + // first comparison checks for overflow + if( ilen + 2 * hlen + 2 < ilen || olen < ilen + 2 * hlen + 2 ) return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); memset( output, 0, olen ); @@ -592,7 +593,8 @@ int rsa_rsaes_pkcs1_v15_encrypt( rsa_context *ctx, olen = ctx->len; - if( olen < ilen + 11 ) + // first comparison checks for overflow + if( ilen + 11 < ilen || olen < ilen + 11 ) return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); nb_pad = olen - 3 - ilen; @@ -702,6 +704,12 @@ int rsa_rsaes_oaep_decrypt( rsa_context *ctx, if( md_info == NULL ) return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); + hlen = md_get_size( md_info ); + + // checking for integer underflow + if( 2 * hlen + 2 > ilen ) + return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); + /* * RSA operation */ @@ -717,6 +725,10 @@ int rsa_rsaes_oaep_decrypt( rsa_context *ctx, */ hlen = md_get_size( md_info ); + // checking for integer underflow + if( 2 * hlen + 2 > ilen ) + return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); + md_init( &md_ctx ); md_init_ctx( &md_ctx, md_info ); @@ -851,6 +863,8 @@ int rsa_rsaes_pkcs1_v15_decrypt( rsa_context *ctx, bad |= *p++; /* Must be zero */ } + bad |= ( pad_count < 8 ); + if( bad ) return( POLARSSL_ERR_RSA_INVALID_PADDING ); diff --git a/programs/pkey/rsa_decrypt.c b/programs/pkey/rsa_decrypt.c index dfa475c1a..5d182677f 100644 --- a/programs/pkey/rsa_decrypt.c +++ b/programs/pkey/rsa_decrypt.c @@ -30,7 +30,9 @@ #include "polarssl/platform.h" #else #include +#include #define polarssl_printf printf +#define polarssl_exit exit #endif #if defined(POLARSSL_BIGNUM_C) && defined(POLARSSL_RSA_C) && \ @@ -58,7 +60,7 @@ int main( void ) int main( int argc, char *argv[] ) { FILE *f; - int ret, c; + int return_val, exit_val, c; size_t i; rsa_context rsa; entropy_context entropy; @@ -69,7 +71,7 @@ int main( int argc, char *argv[] ) ((void) argv); memset(result, 0, sizeof( result ) ); - ret = 1; + exit_val = 0; if( argc != 1 ) { @@ -79,18 +81,23 @@ int main( int argc, char *argv[] ) polarssl_printf( "\n" ); #endif - goto exit; + polarssl_exit( 1 ); } polarssl_printf( "\n . Seeding the random number generator..." ); fflush( stdout ); entropy_init( &entropy ); - if( ( ret = ctr_drbg_init( &ctr_drbg, entropy_func, &entropy, + rsa_init( &rsa, RSA_PKCS_V15, 0 ); + + return_val = ctr_drbg_init( &ctr_drbg, entropy_func, &entropy, (const unsigned char *) pers, - strlen( pers ) ) ) != 0 ) + strlen( pers ) ); + if( return_val != 0 ) { - polarssl_printf( " failed\n ! ctr_drbg_init returned %d\n", ret ); + exit_val = 1; + polarssl_printf( " failed\n ! ctr_drbg_init returned %d\n", + return_val ); goto exit; } @@ -99,23 +106,24 @@ int main( int argc, char *argv[] ) if( ( f = fopen( "rsa_priv.txt", "rb" ) ) == NULL ) { + exit_val = 1; polarssl_printf( " failed\n ! Could not open rsa_priv.txt\n" \ " ! Please run rsa_genkey first\n\n" ); goto exit; } - rsa_init( &rsa, RSA_PKCS_V15, 0 ); - - if( ( ret = mpi_read_file( &rsa.N , 16, f ) ) != 0 || - ( ret = mpi_read_file( &rsa.E , 16, f ) ) != 0 || - ( ret = mpi_read_file( &rsa.D , 16, f ) ) != 0 || - ( ret = mpi_read_file( &rsa.P , 16, f ) ) != 0 || - ( ret = mpi_read_file( &rsa.Q , 16, f ) ) != 0 || - ( ret = mpi_read_file( &rsa.DP, 16, f ) ) != 0 || - ( ret = mpi_read_file( &rsa.DQ, 16, f ) ) != 0 || - ( ret = mpi_read_file( &rsa.QP, 16, f ) ) != 0 ) + if( ( return_val = mpi_read_file( &rsa.N , 16, f ) ) != 0 || + ( return_val = mpi_read_file( &rsa.E , 16, f ) ) != 0 || + ( return_val = mpi_read_file( &rsa.D , 16, f ) ) != 0 || + ( return_val = mpi_read_file( &rsa.P , 16, f ) ) != 0 || + ( return_val = mpi_read_file( &rsa.Q , 16, f ) ) != 0 || + ( return_val = mpi_read_file( &rsa.DP, 16, f ) ) != 0 || + ( return_val = mpi_read_file( &rsa.DQ, 16, f ) ) != 0 || + ( return_val = mpi_read_file( &rsa.QP, 16, f ) ) != 0 ) { - polarssl_printf( " failed\n ! mpi_read_file returned %d\n\n", ret ); + exit_val = 1; + polarssl_printf( " failed\n ! mpi_read_file returned %d\n\n", + return_val ); goto exit; } @@ -126,10 +134,9 @@ int main( int argc, char *argv[] ) /* * Extract the RSA encrypted value from the text file */ - ret = 1; - if( ( f = fopen( "result-enc.txt", "rb" ) ) == NULL ) { + exit_val = 1; polarssl_printf( "\n ! Could not open %s\n\n", "result-enc.txt" ); goto exit; } @@ -144,6 +151,7 @@ int main( int argc, char *argv[] ) if( i != rsa.len ) { + exit_val = 1; polarssl_printf( "\n ! Invalid RSA signature format\n\n" ); goto exit; } @@ -154,11 +162,13 @@ int main( int argc, char *argv[] ) polarssl_printf( "\n . Decrypting the encrypted data" ); fflush( stdout ); - if( ( ret = rsa_pkcs1_decrypt( &rsa, ctr_drbg_random, &ctr_drbg, - RSA_PRIVATE, &i, buf, result, - 1024 ) ) != 0 ) + if( ( return_val = rsa_pkcs1_decrypt( &rsa, ctr_drbg_random, &ctr_drbg, + RSA_PRIVATE, &i, buf, result, + 1024 ) ) != 0 ) { - polarssl_printf( " failed\n ! rsa_pkcs1_decrypt returned %d\n\n", ret ); + exit_val = 1; + polarssl_printf( " failed\n ! rsa_pkcs1_decrypt returned %d\n\n", + return_val ); goto exit; } @@ -166,17 +176,16 @@ int main( int argc, char *argv[] ) polarssl_printf( "The decrypted result is: '%s'\n\n", result ); - ret = 0; - exit: ctr_drbg_free( &ctr_drbg ); entropy_free( &entropy ); + rsa_free( &rsa ); #if defined(_WIN32) polarssl_printf( " + Press Enter to exit this program.\n" ); fflush( stdout ); getchar(); #endif - return( ret ); + return( exit_val ); } #endif /* POLARSSL_BIGNUM_C && POLARSSL_RSA_C && POLARSSL_FS_IO */ diff --git a/programs/pkey/rsa_encrypt.c b/programs/pkey/rsa_encrypt.c index 683183324..9154875c4 100644 --- a/programs/pkey/rsa_encrypt.c +++ b/programs/pkey/rsa_encrypt.c @@ -30,8 +30,10 @@ #include "polarssl/platform.h" #else #include +#include #define polarssl_fprintf fprintf #define polarssl_printf printf +#define polarssl_exit exit #endif #if defined(POLARSSL_BIGNUM_C) && defined(POLARSSL_RSA_C) && \ @@ -59,7 +61,7 @@ int main( void ) int main( int argc, char *argv[] ) { FILE *f; - int ret; + int return_val, exit_val; size_t i; rsa_context rsa; entropy_context entropy; @@ -68,7 +70,7 @@ int main( int argc, char *argv[] ) unsigned char buf[512]; const char *pers = "rsa_encrypt"; - ret = 1; + exit_val = 0; if( argc != 2 ) { @@ -78,18 +80,24 @@ int main( int argc, char *argv[] ) polarssl_printf( "\n" ); #endif - goto exit; + polarssl_exit( 1 ); } polarssl_printf( "\n . Seeding the random number generator..." ); fflush( stdout ); entropy_init( &entropy ); - if( ( ret = ctr_drbg_init( &ctr_drbg, entropy_func, &entropy, - (const unsigned char *) pers, - strlen( pers ) ) ) != 0 ) + rsa_init( &rsa, RSA_PKCS_V15, 0 ); + + return_val = ctr_drbg_init( &ctr_drbg, entropy_func, &entropy, + (const unsigned char *) pers, + strlen( pers ) ); + + if( return_val != 0 ) { - polarssl_printf( " failed\n ! ctr_drbg_init returned %d\n", ret ); + exit_val = 1; + polarssl_printf( " failed\n ! ctr_drbg_init returned %d\n", + return_val ); goto exit; } @@ -98,18 +106,18 @@ int main( int argc, char *argv[] ) if( ( f = fopen( "rsa_pub.txt", "rb" ) ) == NULL ) { - ret = 1; + exit_val = 1; polarssl_printf( " failed\n ! Could not open rsa_pub.txt\n" \ - " ! Please run rsa_genkey first\n\n" ); + " ! Please run rsa_genkey first\n\n" ); goto exit; } - rsa_init( &rsa, RSA_PKCS_V15, 0 ); - - if( ( ret = mpi_read_file( &rsa.N, 16, f ) ) != 0 || - ( ret = mpi_read_file( &rsa.E, 16, f ) ) != 0 ) + if( ( return_val = mpi_read_file( &rsa.N, 16, f ) ) != 0 || + ( return_val = mpi_read_file( &rsa.E, 16, f ) ) != 0 ) { - polarssl_printf( " failed\n ! mpi_read_file returned %d\n\n", ret ); + exit_val = 1; + polarssl_printf( " failed\n ! mpi_read_file returned %d\n\n", + return_val ); goto exit; } @@ -119,6 +127,7 @@ int main( int argc, char *argv[] ) if( strlen( argv[1] ) > 100 ) { + exit_val = 1; polarssl_printf( " Input data larger than 100 characters.\n\n" ); goto exit; } @@ -131,11 +140,13 @@ int main( int argc, char *argv[] ) polarssl_printf( "\n . Generating the RSA encrypted value" ); fflush( stdout ); - if( ( ret = rsa_pkcs1_encrypt( &rsa, ctr_drbg_random, &ctr_drbg, - RSA_PUBLIC, strlen( argv[1] ), - input, buf ) ) != 0 ) + if( ( return_val = rsa_pkcs1_encrypt( &rsa, ctr_drbg_random, &ctr_drbg, + RSA_PUBLIC, strlen( argv[1] ), + input, buf ) ) != 0 ) { - polarssl_printf( " failed\n ! rsa_pkcs1_encrypt returned %d\n\n", ret ); + exit_val = 1; + polarssl_printf( " failed\n ! rsa_pkcs1_encrypt returned %d\n\n", + return_val ); goto exit; } @@ -144,7 +155,7 @@ int main( int argc, char *argv[] ) */ if( ( f = fopen( "result-enc.txt", "wb+" ) ) == NULL ) { - ret = 1; + exit_val = 1; polarssl_printf( " failed\n ! Could not create %s\n\n", "result-enc.txt" ); goto exit; } @@ -160,13 +171,14 @@ int main( int argc, char *argv[] ) exit: ctr_drbg_free( &ctr_drbg ); entropy_free( &entropy ); + rsa_free( &rsa ); #if defined(_WIN32) polarssl_printf( " + Press Enter to exit this program.\n" ); fflush( stdout ); getchar(); #endif - return( ret ); + return( exit_val ); } #endif /* POLARSSL_BIGNUM_C && POLARSSL_RSA_C && POLARSSL_ENTROPY_C && POLARSSL_FS_IO && POLARSSL_CTR_DRBG_C */ diff --git a/programs/pkey/rsa_sign.c b/programs/pkey/rsa_sign.c index c9bdd3afe..a3162f263 100644 --- a/programs/pkey/rsa_sign.c +++ b/programs/pkey/rsa_sign.c @@ -67,6 +67,7 @@ int main( int argc, char *argv[] ) unsigned char buf[POLARSSL_MPI_MAX_SIZE]; char filename[512]; + rsa_init( &rsa, RSA_PKCS_V15, 0 ); ret = 1; if( argc != 2 ) @@ -91,8 +92,6 @@ int main( int argc, char *argv[] ) goto exit; } - rsa_init( &rsa, RSA_PKCS_V15, 0 ); - if( ( ret = mpi_read_file( &rsa.N , 16, f ) ) != 0 || ( ret = mpi_read_file( &rsa.E , 16, f ) ) != 0 || ( ret = mpi_read_file( &rsa.D , 16, f ) ) != 0 || @@ -160,6 +159,8 @@ int main( int argc, char *argv[] ) exit: + rsa_free( &rsa ); + #if defined(_WIN32) polarssl_printf( " + Press Enter to exit this program.\n" ); fflush( stdout ); getchar(); diff --git a/programs/pkey/rsa_verify.c b/programs/pkey/rsa_verify.c index 4011df6a2..ece1588df 100644 --- a/programs/pkey/rsa_verify.c +++ b/programs/pkey/rsa_verify.c @@ -66,7 +66,9 @@ int main( int argc, char *argv[] ) unsigned char buf[POLARSSL_MPI_MAX_SIZE]; char filename[512]; + rsa_init( &rsa, RSA_PKCS_V15, 0 ); ret = 1; + if( argc != 2 ) { polarssl_printf( "usage: rsa_verify \n" ); @@ -88,8 +90,6 @@ int main( int argc, char *argv[] ) goto exit; } - rsa_init( &rsa, RSA_PKCS_V15, 0 ); - if( ( ret = mpi_read_file( &rsa.N, 16, f ) ) != 0 || ( ret = mpi_read_file( &rsa.E, 16, f ) ) != 0 ) { @@ -152,6 +152,8 @@ int main( int argc, char *argv[] ) exit: + rsa_free( &rsa ); + #if defined(_WIN32) polarssl_printf( " + Press Enter to exit this program.\n" ); fflush( stdout ); getchar(); diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt index 68e670708..4f468568b 100644 --- a/tests/CMakeLists.txt +++ b/tests/CMakeLists.txt @@ -77,6 +77,7 @@ add_test_suite(memory_buffer_alloc) add_test_suite(mpi) add_test_suite(pbkdf2) add_test_suite(pem) +add_test_suite(pkcs1_v15) add_test_suite(pkcs1_v21) add_test_suite(pkcs5) add_test_suite(pk) diff --git a/tests/Makefile b/tests/Makefile index 25b704a5f..307b7e13c 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -75,7 +75,7 @@ APPS = test_suite_aes.ecb$(EXEXT) test_suite_aes.cbc$(EXEXT) \ test_suite_md$(EXEXT) test_suite_mdx$(EXEXT) \ test_suite_memory_buffer_alloc$(EXEXT) \ test_suite_mpi$(EXEXT) test_suite_pbkdf2$(EXEXT) \ - test_suite_pem$(EXEXT) \ + test_suite_pem$(EXEXT) test_suite_pkcs1_v15$(EXEXT) \ test_suite_pkcs1_v21$(EXEXT) test_suite_pkcs5$(EXEXT) \ test_suite_pkparse$(EXEXT) test_suite_pkwrite$(EXEXT) \ test_suite_pk$(EXEXT) \ @@ -367,6 +367,10 @@ test_suite_pem$(EXEXT): test_suite_pem.c $(DEP) echo " CC $<" $(CC) $(LOCAL_CFLAGS) $(CFLAGS) $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ +test_suite_pkcs1_v15$(EXEXT): test_suite_pkcs1_v15.c $(DEP) + echo " CC $<" + $(CC) $(LOCAL_CFLAGS) $(CFLAGS) $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ + test_suite_pkcs1_v21$(EXEXT): test_suite_pkcs1_v21.c $(DEP) echo " CC $<" $(CC) $(LOCAL_CFLAGS) $(CFLAGS) $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ diff --git a/tests/suites/test_suite_pkcs1_v15.data b/tests/suites/test_suite_pkcs1_v15.data new file mode 100644 index 000000000..f7f0b184e --- /dev/null +++ b/tests/suites/test_suite_pkcs1_v15.data @@ -0,0 +1,35 @@ +RSAES-V15 Encryption Test Vector Int +pkcs1_rsaes_v15_encrypt:1024:16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":16:"11":POLARSSL_MD_SHA1:"d436e99569fd32a7c8a05bbc90d32c49":"aafd12f659cae63489b479e5076ddec2f06cb58f67c6697351ff4aec29cdbaabf2fbe3467cc254f81be8e78d765a2e63339fc99a66320db73158a35a255d051758e95ed4abb2cdc69bb454110e827441213ddc8770e93ea141e1fc673e017e97eadc6b968f385c2aecb03bfb32":"6c5ebca6116b1e91316613fbb5e93197270a849122d549122d05815e2626f80d20f7f3f038c98295203c0f7f6bb8c3568455c67dec82bca86be86eff43b56b7ba2d15375f9a42454c2a2c709953a6e4a977462e35fd21a9c2fb3c0ad2a370f7655267bf6f04814784982988e663b869fc8588475af860d499e5a6ffdfc2c6bfd":0 + +RSAES-V15 Decryption Test Vector Int +pkcs1_rsaes_v15_decrypt:1024:16:"eecfae81b1b9b3c908810b10a1b5600199eb9f44aef4fda493b81a9e3d84f632124ef0236e5d1e3b7e28fae7aa040a2d5b252176459d1f397541ba2a58fb6599":16:"c97fb1f027f453f6341233eaaad1d9353f6c42d08866b1d05a0f2035028b9d869840b41666b42e92ea0da3b43204b5cfce3352524d0416a5a441e700af461503":16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":16:"11":POLARSSL_MD_SHA1:"d436e99569fd32a7c8a05bbc90d32c49":"aafd12f659cae63489b479e5076ddec2f06cb58f":"28818cb14236ad18f4527e7f1f7633e96cef021bc3234475d7f61e88702b6335b42a352ed3f3267ac7c3e9ba4af17e45096c63eefd8d9a7cb42dfc52fffb2f5b8afb305b46312c2eb50634123b4437a2287ac57b7509d59a583fb741989a49f32625e9267b4641a6607b7303d35c68489db53c8d387b620d0d46a852e72ea43c":0 + +RSAES-V15 Encryption Test Vector Data just fits +pkcs1_rsaes_v15_encrypt:1024:16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":16:"11":POLARSSL_MD_SHA1:"4293cecc8095232ae595b84c15ec26f35cf5fde88ae7a9aaa717bcb1ecc4de498da81db97425000770817b5dde5eed01ca3745ff5ab894d0fc0921e5a10b081490129d8ccbaa154ad3dd461397af8ec964ef99402d60a7591ee44b8ce1c16ef88fcb2717076c730d88223893bdd8000b23d87d38ab":"aafd12f659cae63489b479e5076ddec2f06cb58f":"18cdb161f40a18509a3501b7e8ec1c7522e2490319efee8581179b5bcf3750f83a865952d078efd48f58f8060b0d43f9888b43a094fe15209451826ef797195885ff9fa3e26994eee85dbe5dd0404a71565708286027b433c88c85af555b96c34c304dc7c8278233654c022ef340042cfff55e6b15b67cfea8a5a384ef64a6ac":0 + +RSAES-V15 Decryption Test Vector Data just fits +pkcs1_rsaes_v15_decrypt:1024:16:"eecfae81b1b9b3c908810b10a1b5600199eb9f44aef4fda493b81a9e3d84f632124ef0236e5d1e3b7e28fae7aa040a2d5b252176459d1f397541ba2a58fb6599":16:"c97fb1f027f453f6341233eaaad1d9353f6c42d08866b1d05a0f2035028b9d869840b41666b42e92ea0da3b43204b5cfce3352524d0416a5a441e700af461503":16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":16:"11":POLARSSL_MD_SHA1:"4293cecc8095232ae595b84c15ec26f35cf5fde88ae7a9aaa717bcb1ecc4de498da81db97425000770817b5dde5eed01ca3745ff5ab894d0fc0921e5a10b081490129d8ccbaa154ad3dd461397af8ec964ef99402d60a7591ee44b8ce1c16ef88fcb2717076c730d88223893bdd8000b23d87d38ab":"aafd12f659cae63489b479e5076ddec2f06cb58f":"18cdb161f40a18509a3501b7e8ec1c7522e2490319efee8581179b5bcf3750f83a865952d078efd48f58f8060b0d43f9888b43a094fe15209451826ef797195885ff9fa3e26994eee85dbe5dd0404a71565708286027b433c88c85af555b96c34c304dc7c8278233654c022ef340042cfff55e6b15b67cfea8a5a384ef64a6ac":0 + +RSAES-V15 Encryption Test Vector Data too long 1 +pkcs1_rsaes_v15_encrypt:1024:16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":16:"11":POLARSSL_MD_SHA1:"b84293cecc8095232ae595b84c15ec26f35cf5fde88ae7a9aaa717bcb1ecc4de498da81db97425000770817b5dde5eed01ca3745ff5ab894d0fc0921e5a10b081490129d8ccbaa154ad3dd461397af8ec964ef99402d60a7591ee44b8ce1c16ef88fcb2717076c730d88223893bdd8000b23d87d38ab":"aafd12f659cae63489b479e5076ddec2f06cb58f":"05abded6751d620a95177abdba915027b58dd6eecf4ebe71f71c400b115e1d9e12465ace4db3cc03eb57fcbbfe017770f438cf84c10bad505919aefebfa0752087f6376b055beabf0e089fbb90e10f99c795d2d5676eea196db7f94a8fd34aedaba39fb230281bb9917cc91793eb37f84dedb2421e9680c39cfda34d4a012134":POLARSSL_ERR_RSA_BAD_INPUT_DATA + +RSAES-V15 Decryption Test Vector Padding too short 7 +pkcs1_rsaes_v15_decrypt:1024:16:"eecfae81b1b9b3c908810b10a1b5600199eb9f44aef4fda493b81a9e3d84f632124ef0236e5d1e3b7e28fae7aa040a2d5b252176459d1f397541ba2a58fb6599":16:"c97fb1f027f453f6341233eaaad1d9353f6c42d08866b1d05a0f2035028b9d869840b41666b42e92ea0da3b43204b5cfce3352524d0416a5a441e700af461503":16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":16:"11":POLARSSL_MD_SHA1:"b84293cecc8095232ae595b84c15ec26f35cf5fde88ae7a9aaa717bcb1ecc4de498da81db97425000770817b5dde5eed01ca3745ff5ab894d0fc0921e5a10b081490129d8ccbaa154ad3dd461397af8ec964ef99402d60a7591ee44b8ce1c16ef88fcb2717076c730d88223893bdd8000b23d87d38ab":"aafd12f659cae63489b479e5076ddec2f06cb58f":"05abded6751d620a95177abdba915027b58dd6eecf4ebe71f71c400b115e1d9e12465ace4db3cc03eb57fcbbfe017770f438cf84c10bad505919aefebfa0752087f6376b055beabf0e089fbb90e10f99c795d2d5676eea196db7f94a8fd34aedaba39fb230281bb9917cc91793eb37f84dedb2421e9680c39cfda34d4a012134":POLARSSL_ERR_RSA_INVALID_PADDING + +RSAES-V15 Encryption Test Vector Data too long 3 +pkcs1_rsaes_v15_encrypt:1024:16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":16:"11":POLARSSL_MD_SHA1:"aa1ab84293cecc8095232ae595b84c15ec26f35cf5fde88ae7a9aaa717bcb1ecc4de498da81db97425000770817b5dde5eed01ca3745ff5ab894d0fc0921e5a10b081490129d8ccbaa154ad3dd461397af8ec964ef99402d60a7591ee44b8ce1c16ef88fcb2717076c730d88223893bdd8000b23d87d38ab":"aafd12f659cae63489b479e5076ddec2f06cb58f":"10d60b8040d57d8701bacb55f2f283d54601ec24d465601ac7f7d5a2f75cac380ba78ca4ab6f3c159f3a9fd6839f5adde0333852ebf876c585664c1a58a1e6885231982f2027be6d7f08ff1807d3ceda8e41ad1f02ddf97a7458832fd13a1f431de6a4ab79e3d4b88bb1df2c5c77fcde9e7b5aa1e7bb29112eae58763127752a":POLARSSL_ERR_RSA_BAD_INPUT_DATA + +RSAES-V15 Decryption Test Vector Padding too short 5 +pkcs1_rsaes_v15_decrypt:1024:16:"eecfae81b1b9b3c908810b10a1b5600199eb9f44aef4fda493b81a9e3d84f632124ef0236e5d1e3b7e28fae7aa040a2d5b252176459d1f397541ba2a58fb6599":16:"c97fb1f027f453f6341233eaaad1d9353f6c42d08866b1d05a0f2035028b9d869840b41666b42e92ea0da3b43204b5cfce3352524d0416a5a441e700af461503":16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":16:"11":POLARSSL_MD_SHA1:"aa1ab84293cecc8095232ae595b84c15ec26f35cf5fde88ae7a9aaa717bcb1ecc4de498da81db97425000770817b5dde5eed01ca3745ff5ab894d0fc0921e5a10b081490129d8ccbaa154ad3dd461397af8ec964ef99402d60a7591ee44b8ce1c16ef88fcb2717076c730d88223893bdd8000b23d87d38ab":"aafd12f659cae63489b479e5076ddec2f06cb58f":"10d60b8040d57d8701bacb55f2f283d54601ec24d465601ac7f7d5a2f75cac380ba78ca4ab6f3c159f3a9fd6839f5adde0333852ebf876c585664c1a58a1e6885231982f2027be6d7f08ff1807d3ceda8e41ad1f02ddf97a7458832fd13a1f431de6a4ab79e3d4b88bb1df2c5c77fcde9e7b5aa1e7bb29112eae58763127752a":POLARSSL_ERR_RSA_INVALID_PADDING + +RSAES-V15 Encryption Test Vector Data too long 8 +pkcs1_rsaes_v15_encrypt:1024:16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":16:"11":POLARSSL_MD_SHA1:"a5a384ef64a6acb84293cecc8095232ae595b84c15ec26f35cf5fde88ae7a9aaa717bcb1ecc4de498da81db97425000770817b5dde5eed01ca3745ff5ab894d0fc0921e5a10b081490129d8ccbaa154ad3dd461397af8ec964ef99402d60a7591ee44b8ce1c16ef88fcb2717076c730d88223893bdd8000b23d87d38ab":"aafd12f659cae63489b479e5076ddec2f06cb58f":"72f98d12ddc230484179ec3022d11b3719222daaa0dc016fc3dbd6771a3f2c9fdd0560f86d616dd50ef1fa5b8c7e1fc40b5abf7b845d7795b3a6af02457b97f783360575cde7497bdf9c104650d4e9a8f4034406de1af95ace39bef2b9e979b74d9a2c0a741d8a21221d9afc98992776cad52d73151613dbc10da9bd8038751a":POLARSSL_ERR_RSA_BAD_INPUT_DATA + +RSAES-V15 Decryption Test Vector Padding too short 0 +pkcs1_rsaes_v15_decrypt:1024:16:"eecfae81b1b9b3c908810b10a1b5600199eb9f44aef4fda493b81a9e3d84f632124ef0236e5d1e3b7e28fae7aa040a2d5b252176459d1f397541ba2a58fb6599":16:"c97fb1f027f453f6341233eaaad1d9353f6c42d08866b1d05a0f2035028b9d869840b41666b42e92ea0da3b43204b5cfce3352524d0416a5a441e700af461503":16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":16:"11":POLARSSL_MD_SHA1:"a5a384ef64a6acb84293cecc8095232ae595b84c15ec26f35cf5fde88ae7a9aaa717bcb1ecc4de498da81db97425000770817b5dde5eed01ca3745ff5ab894d0fc0921e5a10b081490129d8ccbaa154ad3dd461397af8ec964ef99402d60a7591ee44b8ce1c16ef88fcb2717076c730d88223893bdd8000b23d87d38ab":"aafd12f659cae63489b479e5076ddec2f06cb58f":"72f98d12ddc230484179ec3022d11b3719222daaa0dc016fc3dbd6771a3f2c9fdd0560f86d616dd50ef1fa5b8c7e1fc40b5abf7b845d7795b3a6af02457b97f783360575cde7497bdf9c104650d4e9a8f4034406de1af95ace39bef2b9e979b74d9a2c0a741d8a21221d9afc98992776cad52d73151613dbc10da9bd8038751a":POLARSSL_ERR_RSA_INVALID_PADDING + +RSASSA-V15 Signing Test Vector Int +pkcs1_rsassa_v15_sign:1024:16:"d17f655bf27c8b16d35462c905cc04a26f37e2a67fa9c0ce0dced472394a0df743fe7f929e378efdb368eddff453cf007af6d948e0ade757371f8a711e278f6b":16:"c6d92b6fee7414d1358ce1546fb62987530b90bd15e0f14963a5e2635adb69347ec0c01b2ab1763fd8ac1a592fb22757463a982425bb97a3a437c5bf86d03f2f":16:"a2ba40ee07e3b2bd2f02ce227f36a195024486e49c19cb41bbbdfbba98b22b0e577c2eeaffa20d883a76e65e394c69d4b3c05a1e8fadda27edb2a42bc000fe888b9b32c22d15add0cd76b3e7936e19955b220dd17d4ea904b1ec102b2e4de7751222aa99151024c7cb41cc5ea21d00eeb41f7c800834d2c6e06bce3bce7ea9a5":16:"010001":POLARSSL_MD_SHA1:POLARSSL_MD_SHA1:"859eef2fd78aca00308bdc471193bf55bf9d78db8f8a672b484634f3c9c26e6478ae10260fe0dd8c082e53a5293af2173cd50c6d5d354febf78b26021c25c02712e78cd4694c9f469777e451e7f8e9e04cd3739c6bbfedae487fb55644e9ca74ff77a53cb729802f6ed4a5ffa8ba159890fc":"e3b5d5d002c1bce50c2b65ef88a188d83bce7e61":"2154f928615e5101fcdeb57bc08fc2f35c3d5996403861ae3efb1d0712f8bb05cc21f7f5f11f62e5b6ea9f0f2b62180e5cbe7ba535032d6ac8068fff7f362f73d2c3bf5eca6062a1723d7cfd5abb6dcf7e405f2dc560ffe6fc37d38bee4dc9e24fe2bece3e3b4a3f032701d3f0947b42930083dd4ad241b3309b514595482d42":0 + +RSASSA-V15 Verification Test Vector Int +pkcs1_rsassa_v15_verify:1024:16:"a2ba40ee07e3b2bd2f02ce227f36a195024486e49c19cb41bbbdfbba98b22b0e577c2eeaffa20d883a76e65e394c69d4b3c05a1e8fadda27edb2a42bc000fe888b9b32c22d15add0cd76b3e7936e19955b220dd17d4ea904b1ec102b2e4de7751222aa99151024c7cb41cc5ea21d00eeb41f7c800834d2c6e06bce3bce7ea9a5":16:"010001":POLARSSL_MD_SHA1:POLARSSL_MD_SHA1:"859eef2fd78aca00308bdc471193bf55bf9d78db8f8a672b484634f3c9c26e6478ae10260fe0dd8c082e53a5293af2173cd50c6d5d354febf78b26021c25c02712e78cd4694c9f469777e451e7f8e9e04cd3739c6bbfedae487fb55644e9ca74ff77a53cb729802f6ed4a5ffa8ba159890fc":"e3b5d5d002c1bce50c2b65ef88a188d83bce7e61":"2154f928615e5101fcdeb57bc08fc2f35c3d5996403861ae3efb1d0712f8bb05cc21f7f5f11f62e5b6ea9f0f2b62180e5cbe7ba535032d6ac8068fff7f362f73d2c3bf5eca6062a1723d7cfd5abb6dcf7e405f2dc560ffe6fc37d38bee4dc9e24fe2bece3e3b4a3f032701d3f0947b42930083dd4ad241b3309b514595482d42":0 diff --git a/tests/suites/test_suite_pkcs1_v15.function b/tests/suites/test_suite_pkcs1_v15.function new file mode 100644 index 000000000..3555f92b7 --- /dev/null +++ b/tests/suites/test_suite_pkcs1_v15.function @@ -0,0 +1,211 @@ +/* BEGIN_HEADER */ +#include "polarssl/rsa.h" +#include "polarssl/md.h" +/* END_HEADER */ + +/* BEGIN_DEPENDENCIES + * depends_on:POLARSSL_PKCS1_V15:POLARSSL_RSA_C:POLARSSL_SHA1_C + * END_DEPENDENCIES + */ + +/* BEGIN_CASE */ +void pkcs1_rsaes_v15_encrypt( int mod, int radix_N, char *input_N, int radix_E, + char *input_E, int hash, + char *message_hex_string, char *seed, + char *result_hex_str, int result ) +{ + unsigned char message_str[1000]; + unsigned char output[1000]; + unsigned char output_str[1000]; + unsigned char rnd_buf[1000]; + rsa_context ctx; + size_t msg_len; + rnd_buf_info info; + + info.length = unhexify( rnd_buf, seed ); + info.buf = rnd_buf; + + rsa_init( &ctx, RSA_PKCS_V15, hash ); + memset( message_str, 0x00, 1000 ); + memset( output, 0x00, 1000 ); + memset( output_str, 0x00, 1000 ); + + ctx.len = mod / 8 + ( ( mod % 8 ) ? 1 : 0 ); + TEST_ASSERT( mpi_read_string( &ctx.N, radix_N, input_N ) == 0 ); + TEST_ASSERT( mpi_read_string( &ctx.E, radix_E, input_E ) == 0 ); + + TEST_ASSERT( rsa_check_pubkey( &ctx ) == 0 ); + + msg_len = unhexify( message_str, message_hex_string ); + + TEST_ASSERT( rsa_pkcs1_encrypt( &ctx, &rnd_buffer_rand, &info, RSA_PUBLIC, msg_len, message_str, output ) == result ); + if( result == 0 ) + { + hexify( output_str, output, ctx.len ); + + TEST_ASSERT( strcasecmp( (char *) output_str, result_hex_str ) == 0 ); + } + +exit: + rsa_free( &ctx ); +} +/* END_CASE */ + +/* BEGIN_CASE */ +void pkcs1_rsaes_v15_decrypt( int mod, int radix_P, char *input_P, + int radix_Q, char *input_Q, int radix_N, + char *input_N, int radix_E, char *input_E, + int hash, char *result_hex_str, char *seed, + char *message_hex_string, int result ) +{ + unsigned char message_str[1000]; + unsigned char output[1000]; + unsigned char output_str[1000]; + rsa_context ctx; + mpi P1, Q1, H, G; + size_t output_len; + rnd_pseudo_info rnd_info; + ((void) seed); + + mpi_init( &P1 ); mpi_init( &Q1 ); mpi_init( &H ); mpi_init( &G ); + rsa_init( &ctx, RSA_PKCS_V15, hash ); + + memset( message_str, 0x00, 1000 ); + memset( output, 0x00, 1000 ); + memset( output_str, 0x00, 1000 ); + memset( &rnd_info, 0, sizeof( rnd_pseudo_info ) ); + + ctx.len = mod / 8 + ( ( mod % 8 ) ? 1 : 0 ); + TEST_ASSERT( mpi_read_string( &ctx.P, radix_P, input_P ) == 0 ); + TEST_ASSERT( mpi_read_string( &ctx.Q, radix_Q, input_Q ) == 0 ); + TEST_ASSERT( mpi_read_string( &ctx.N, radix_N, input_N ) == 0 ); + TEST_ASSERT( mpi_read_string( &ctx.E, radix_E, input_E ) == 0 ); + + TEST_ASSERT( mpi_sub_int( &P1, &ctx.P, 1 ) == 0 ); + TEST_ASSERT( mpi_sub_int( &Q1, &ctx.Q, 1 ) == 0 ); + TEST_ASSERT( mpi_mul_mpi( &H, &P1, &Q1 ) == 0 ); + TEST_ASSERT( mpi_gcd( &G, &ctx.E, &H ) == 0 ); + TEST_ASSERT( mpi_inv_mod( &ctx.D , &ctx.E, &H ) == 0 ); + TEST_ASSERT( mpi_mod_mpi( &ctx.DP, &ctx.D, &P1 ) == 0 ); + TEST_ASSERT( mpi_mod_mpi( &ctx.DQ, &ctx.D, &Q1 ) == 0 ); + TEST_ASSERT( mpi_inv_mod( &ctx.QP, &ctx.Q, &ctx.P ) == 0 ); + + TEST_ASSERT( rsa_check_privkey( &ctx ) == 0 ); + + unhexify( message_str, message_hex_string ); + + TEST_ASSERT( rsa_pkcs1_decrypt( &ctx, &rnd_pseudo_rand, &rnd_info, RSA_PRIVATE, &output_len, message_str, output, 1000 ) == result ); + if( result == 0 ) + { + hexify( output_str, output, ctx.len ); + + TEST_ASSERT( strncasecmp( (char *) output_str, result_hex_str, strlen( result_hex_str ) ) == 0 ); + } + +exit: + mpi_free( &P1 ); mpi_free( &Q1 ); mpi_free( &H ); mpi_free( &G ); + rsa_free( &ctx ); +} +/* END_CASE */ + +/* BEGIN_CASE */ +void pkcs1_rsassa_v15_sign( int mod, int radix_P, char *input_P, int radix_Q, + char *input_Q, int radix_N, char *input_N, + int radix_E, char *input_E, int digest, int hash, + char *message_hex_string, char *salt, + char *result_hex_str, int result ) +{ + unsigned char message_str[1000]; + unsigned char hash_result[1000]; + unsigned char output[1000]; + unsigned char output_str[1000]; + unsigned char rnd_buf[1000]; + rsa_context ctx; + mpi P1, Q1, H, G; + size_t msg_len; + rnd_buf_info info; + + info.length = unhexify( rnd_buf, salt ); + info.buf = rnd_buf; + + mpi_init( &P1 ); mpi_init( &Q1 ); mpi_init( &H ); mpi_init( &G ); + rsa_init( &ctx, RSA_PKCS_V15, hash ); + + memset( message_str, 0x00, 1000 ); + memset( hash_result, 0x00, 1000 ); + memset( output, 0x00, 1000 ); + memset( output_str, 0x00, 1000 ); + + ctx.len = mod / 8 + ( ( mod % 8 ) ? 1 : 0 ); + TEST_ASSERT( mpi_read_string( &ctx.P, radix_P, input_P ) == 0 ); + TEST_ASSERT( mpi_read_string( &ctx.Q, radix_Q, input_Q ) == 0 ); + TEST_ASSERT( mpi_read_string( &ctx.N, radix_N, input_N ) == 0 ); + TEST_ASSERT( mpi_read_string( &ctx.E, radix_E, input_E ) == 0 ); + + TEST_ASSERT( mpi_sub_int( &P1, &ctx.P, 1 ) == 0 ); + TEST_ASSERT( mpi_sub_int( &Q1, &ctx.Q, 1 ) == 0 ); + TEST_ASSERT( mpi_mul_mpi( &H, &P1, &Q1 ) == 0 ); + TEST_ASSERT( mpi_gcd( &G, &ctx.E, &H ) == 0 ); + TEST_ASSERT( mpi_inv_mod( &ctx.D , &ctx.E, &H ) == 0 ); + TEST_ASSERT( mpi_mod_mpi( &ctx.DP, &ctx.D, &P1 ) == 0 ); + TEST_ASSERT( mpi_mod_mpi( &ctx.DQ, &ctx.D, &Q1 ) == 0 ); + TEST_ASSERT( mpi_inv_mod( &ctx.QP, &ctx.Q, &ctx.P ) == 0 ); + + TEST_ASSERT( rsa_check_privkey( &ctx ) == 0 ); + + msg_len = unhexify( message_str, message_hex_string ); + + if( md_info_from_type( digest ) != NULL ) + TEST_ASSERT( md( md_info_from_type( digest ), message_str, msg_len, hash_result ) == 0 ); + + TEST_ASSERT( rsa_pkcs1_sign( &ctx, &rnd_buffer_rand, &info, RSA_PRIVATE, digest, 0, hash_result, output ) == result ); + if( result == 0 ) + { + hexify( output_str, output, ctx.len); + + TEST_ASSERT( strcasecmp( (char *) output_str, result_hex_str ) == 0 ); + } + +exit: + mpi_free( &P1 ); mpi_free( &Q1 ); mpi_free( &H ); mpi_free( &G ); + rsa_free( &ctx ); +} +/* END_CASE */ + +/* BEGIN_CASE */ +void pkcs1_rsassa_v15_verify( int mod, int radix_N, char *input_N, int radix_E, + char *input_E, int digest, int hash, + char *message_hex_string, char *salt, + char *result_hex_str, int result ) +{ + unsigned char message_str[1000]; + unsigned char hash_result[1000]; + unsigned char result_str[1000]; + rsa_context ctx; + size_t msg_len; + ((void) salt); + + rsa_init( &ctx, RSA_PKCS_V15, hash ); + memset( message_str, 0x00, 1000 ); + memset( hash_result, 0x00, 1000 ); + memset( result_str, 0x00, 1000 ); + + ctx.len = mod / 8 + ( ( mod % 8 ) ? 1 : 0 ); + TEST_ASSERT( mpi_read_string( &ctx.N, radix_N, input_N ) == 0 ); + TEST_ASSERT( mpi_read_string( &ctx.E, radix_E, input_E ) == 0 ); + + TEST_ASSERT( rsa_check_pubkey( &ctx ) == 0 ); + + msg_len = unhexify( message_str, message_hex_string ); + unhexify( result_str, result_hex_str ); + + if( md_info_from_type( digest ) != NULL ) + TEST_ASSERT( md( md_info_from_type( digest ), message_str, msg_len, hash_result ) == 0 ); + + TEST_ASSERT( rsa_pkcs1_verify( &ctx, NULL, NULL, RSA_PUBLIC, digest, 0, hash_result, result_str ) == result ); + +exit: + rsa_free( &ctx ); +} +/* END_CASE */ +