xref: /aosp_15_r20/external/mbedtls/tests/suites/test_suite_pkcs1_v15.function (revision 62c56f9862f102b96d72393aff6076c951fb8148) 
1/* BEGIN_HEADER */
2#include "mbedtls/rsa.h"
3#include "mbedtls/md.h"
4/* END_HEADER */
5
6/* BEGIN_DEPENDENCIES
7 * depends_on:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C
8 * END_DEPENDENCIES
9 */
10
11/* BEGIN_CASE */
12void pkcs1_rsaes_v15_encrypt(int mod, char *input_N,
13                             char *input_E, int hash,
14                             data_t *message_str, data_t *rnd_buf,
15                             data_t *result_str, int result)
16{
17    unsigned char output[128];
18    mbedtls_rsa_context ctx;
19    mbedtls_test_rnd_buf_info info;
20    mbedtls_mpi N, E;
21
22    info.fallback_f_rng = mbedtls_test_rnd_std_rand;
23    info.fallback_p_rng = NULL;
24    info.buf = rnd_buf->x;
25    info.length = rnd_buf->len;
26
27    mbedtls_mpi_init(&N); mbedtls_mpi_init(&E);
28    mbedtls_rsa_init(&ctx);
29
30    TEST_EQUAL(mbedtls_rsa_get_padding_mode(&ctx), MBEDTLS_RSA_PKCS_V15);
31    TEST_EQUAL(mbedtls_rsa_get_md_alg(&ctx), MBEDTLS_MD_NONE);
32
33    TEST_ASSERT(mbedtls_rsa_set_padding(&ctx,
34                                        MBEDTLS_RSA_PKCS_V15, hash) == 0);
35    memset(output, 0x00, sizeof(output));
36
37    TEST_EQUAL(mbedtls_rsa_get_padding_mode(&ctx), MBEDTLS_RSA_PKCS_V15);
38    TEST_EQUAL(mbedtls_rsa_get_md_alg(&ctx), hash);
39
40    TEST_ASSERT(mbedtls_test_read_mpi(&N, input_N) == 0);
41    TEST_ASSERT(mbedtls_test_read_mpi(&E, input_E) == 0);
42    TEST_ASSERT(mbedtls_rsa_import(&ctx, &N, NULL, NULL, NULL, &E) == 0);
43    TEST_ASSERT(mbedtls_rsa_get_len(&ctx) == (size_t) ((mod + 7) / 8));
44    TEST_ASSERT(mbedtls_rsa_check_pubkey(&ctx) == 0);
45
46    if (message_str->len == 0) {
47        message_str->x = NULL;
48    }
49    TEST_ASSERT(mbedtls_rsa_pkcs1_encrypt(&ctx,
50                                          &mbedtls_test_rnd_buffer_rand,
51                                          &info, message_str->len,
52                                          message_str->x,
53                                          output) == result);
54
55    if (result == 0) {
56        TEST_ASSERT(mbedtls_test_hexcmp(output, result_str->x,
57                                        ctx.len, result_str->len) == 0);
58    }
59
60exit:
61    mbedtls_mpi_free(&N); mbedtls_mpi_free(&E);
62    mbedtls_rsa_free(&ctx);
63}
64/* END_CASE */
65
66/* BEGIN_CASE */
67void pkcs1_rsaes_v15_decrypt(int mod, char *input_P, char *input_Q,
68                             char *input_N, char *input_E, int hash,
69                             data_t *result_str, char *seed,
70                             data_t *message_str, int result)
71{
72    unsigned char output[128];
73    mbedtls_rsa_context ctx;
74    size_t output_len;
75    mbedtls_test_rnd_pseudo_info rnd_info;
76    mbedtls_mpi N, P, Q, E;
77    ((void) seed);
78
79    mbedtls_mpi_init(&N); mbedtls_mpi_init(&P);
80    mbedtls_mpi_init(&Q); mbedtls_mpi_init(&E);
81    mbedtls_rsa_init(&ctx);
82    TEST_ASSERT(mbedtls_rsa_set_padding(&ctx,
83                                        MBEDTLS_RSA_PKCS_V15, hash) == 0);
84
85    TEST_EQUAL(mbedtls_rsa_get_padding_mode(&ctx), MBEDTLS_RSA_PKCS_V15);
86    TEST_EQUAL(mbedtls_rsa_get_md_alg(&ctx), hash);
87
88    memset(output, 0x00, sizeof(output));
89    memset(&rnd_info, 0, sizeof(mbedtls_test_rnd_pseudo_info));
90
91    TEST_ASSERT(mbedtls_test_read_mpi(&P, input_P) == 0);
92    TEST_ASSERT(mbedtls_test_read_mpi(&Q, input_Q) == 0);
93    TEST_ASSERT(mbedtls_test_read_mpi(&N, input_N) == 0);
94    TEST_ASSERT(mbedtls_test_read_mpi(&E, input_E) == 0);
95
96    TEST_ASSERT(mbedtls_rsa_import(&ctx, &N, &P, &Q, NULL, &E) == 0);
97    TEST_ASSERT(mbedtls_rsa_get_len(&ctx) == (size_t) ((mod + 7) / 8));
98    TEST_ASSERT(mbedtls_rsa_complete(&ctx) == 0);
99    TEST_ASSERT(mbedtls_rsa_check_privkey(&ctx) == 0);
100
101    if (result_str->len == 0) {
102        TEST_ASSERT(mbedtls_rsa_pkcs1_decrypt(&ctx,
103                                              &mbedtls_test_rnd_pseudo_rand,
104                                              &rnd_info,
105                                              &output_len, message_str->x,
106                                              NULL, 0) == result);
107    } else {
108        TEST_ASSERT(mbedtls_rsa_pkcs1_decrypt(&ctx,
109                                              &mbedtls_test_rnd_pseudo_rand,
110                                              &rnd_info,
111                                              &output_len, message_str->x,
112                                              output, 1000) == result);
113        if (result == 0) {
114            TEST_ASSERT(mbedtls_test_hexcmp(output, result_str->x,
115                                            output_len,
116                                            result_str->len) == 0);
117        }
118    }
119
120exit:
121    mbedtls_mpi_free(&N); mbedtls_mpi_free(&P);
122    mbedtls_mpi_free(&Q); mbedtls_mpi_free(&E);
123    mbedtls_rsa_free(&ctx);
124}
125/* END_CASE */
126
127/* BEGIN_CASE */
128void pkcs1_v15_decode(data_t *input,
129                      int expected_plaintext_length_arg,
130                      int output_size_arg,
131                      int expected_result)
132{
133    size_t expected_plaintext_length = expected_plaintext_length_arg;
134    size_t output_size = output_size_arg;
135    mbedtls_test_rnd_pseudo_info rnd_info;
136    mbedtls_mpi Nmpi, Empi, Pmpi, Qmpi;
137    mbedtls_rsa_context ctx;
138    static unsigned char N[128] = {
139        0xc4, 0x79, 0x4c, 0x6d, 0xb2, 0xe9, 0xdf, 0xc5,
140        0xe5, 0xd7, 0x55, 0x4b, 0xfb, 0x6c, 0x2e, 0xec,
141        0x84, 0xd0, 0x88, 0x12, 0xaf, 0xbf, 0xb4, 0xf5,
142        0x47, 0x3c, 0x7e, 0x92, 0x4c, 0x58, 0xc8, 0x73,
143        0xfe, 0x8f, 0x2b, 0x8f, 0x8e, 0xc8, 0x5c, 0xf5,
144        0x05, 0xeb, 0xfb, 0x0d, 0x7b, 0x2a, 0x93, 0xde,
145        0x15, 0x0d, 0xc8, 0x13, 0xcf, 0xd2, 0x6f, 0x0d,
146        0x9d, 0xad, 0x30, 0xe5, 0x70, 0x20, 0x92, 0x9e,
147        0xb3, 0x6b, 0xba, 0x5c, 0x50, 0x0f, 0xc3, 0xb2,
148        0x7e, 0x64, 0x07, 0x94, 0x7e, 0xc9, 0x4e, 0xc1,
149        0x65, 0x04, 0xaf, 0xb3, 0x9f, 0xde, 0xa8, 0x46,
150        0xfa, 0x6c, 0xf3, 0x03, 0xaf, 0x1c, 0x1b, 0xec,
151        0x75, 0x44, 0x66, 0x77, 0xc9, 0xde, 0x51, 0x33,
152        0x64, 0x27, 0xb0, 0xd4, 0x8d, 0x31, 0x6a, 0x11,
153        0x27, 0x3c, 0x99, 0xd4, 0x22, 0xc0, 0x9d, 0x12,
154        0x01, 0xc7, 0x4a, 0x73, 0xac, 0xbf, 0xc2, 0xbb
155    };
156    static unsigned char E[1] = { 0x03 };
157    static unsigned char P[64] = {
158        0xe5, 0x53, 0x1f, 0x88, 0x51, 0xee, 0x59, 0xf8,
159        0xc1, 0xe4, 0xcc, 0x5b, 0xb3, 0x75, 0x8d, 0xc8,
160        0xe8, 0x95, 0x2f, 0xd0, 0xef, 0x37, 0xb4, 0xcd,
161        0xd3, 0x9e, 0x48, 0x8b, 0x81, 0x58, 0x60, 0xb9,
162        0x27, 0x1d, 0xb6, 0x28, 0x92, 0x64, 0xa3, 0xa5,
163        0x64, 0xbd, 0xcc, 0x53, 0x68, 0xdd, 0x3e, 0x55,
164        0xea, 0x9d, 0x5e, 0xcd, 0x1f, 0x96, 0x87, 0xf1,
165        0x29, 0x75, 0x92, 0x70, 0x8f, 0x28, 0xfb, 0x2b
166    };
167    static unsigned char Q[64] = {
168        0xdb, 0x53, 0xef, 0x74, 0x61, 0xb4, 0x20, 0x3b,
169        0x3b, 0x87, 0x76, 0x75, 0x81, 0x56, 0x11, 0x03,
170        0x59, 0x31, 0xe3, 0x38, 0x4b, 0x8c, 0x7a, 0x9c,
171        0x05, 0xd6, 0x7f, 0x1e, 0x5e, 0x60, 0xf0, 0x4e,
172        0x0b, 0xdc, 0x34, 0x54, 0x1c, 0x2e, 0x90, 0x83,
173        0x14, 0xef, 0xc0, 0x96, 0x5c, 0x30, 0x10, 0xcc,
174        0xc1, 0xba, 0xa0, 0x54, 0x3f, 0x96, 0x24, 0xca,
175        0xa3, 0xfb, 0x55, 0xbc, 0x71, 0x29, 0x4e, 0xb1
176    };
177    unsigned char original[128];
178    unsigned char intermediate[128];
179    static unsigned char default_content[128] = {
180        /* A randomly generated pattern. */
181        0x4c, 0x27, 0x54, 0xa0, 0xce, 0x0d, 0x09, 0x4a,
182        0x1c, 0x38, 0x8e, 0x2d, 0xa3, 0xc4, 0xe0, 0x19,
183        0x4c, 0x99, 0xb2, 0xbf, 0xe6, 0x65, 0x7e, 0x58,
184        0xd7, 0xb6, 0x8a, 0x05, 0x2f, 0xa5, 0xec, 0xa4,
185        0x35, 0xad, 0x10, 0x36, 0xff, 0x0d, 0x08, 0x50,
186        0x74, 0x47, 0xc9, 0x9c, 0x4a, 0xe7, 0xfd, 0xfa,
187        0x83, 0x5f, 0x14, 0x5a, 0x1e, 0xe7, 0x35, 0x08,
188        0xad, 0xf7, 0x0d, 0x86, 0xdf, 0xb8, 0xd4, 0xcf,
189        0x32, 0xb9, 0x5c, 0xbe, 0xa3, 0xd2, 0x89, 0x70,
190        0x7b, 0xc6, 0x48, 0x7e, 0x58, 0x4d, 0xf3, 0xef,
191        0x34, 0xb7, 0x57, 0x54, 0x79, 0xc5, 0x8e, 0x0a,
192        0xa3, 0xbf, 0x6d, 0x42, 0x83, 0x25, 0x13, 0xa2,
193        0x95, 0xc0, 0x0d, 0x32, 0xec, 0x77, 0x91, 0x2b,
194        0x68, 0xb6, 0x8c, 0x79, 0x15, 0xfb, 0x94, 0xde,
195        0xb9, 0x2b, 0x94, 0xb3, 0x28, 0x23, 0x86, 0x3d,
196        0x37, 0x00, 0xe6, 0xf1, 0x1f, 0x4e, 0xd4, 0x42
197    };
198    unsigned char final[128];
199    size_t output_length = 0x7EA0;
200
201    memset(&rnd_info, 0, sizeof(mbedtls_test_rnd_pseudo_info));
202    mbedtls_mpi_init(&Nmpi); mbedtls_mpi_init(&Empi);
203    mbedtls_mpi_init(&Pmpi); mbedtls_mpi_init(&Qmpi);
204    mbedtls_rsa_init(&ctx);
205
206    TEST_ASSERT(mbedtls_mpi_read_binary(&Nmpi, N, sizeof(N)) == 0);
207    TEST_ASSERT(mbedtls_mpi_read_binary(&Empi, E, sizeof(E)) == 0);
208    TEST_ASSERT(mbedtls_mpi_read_binary(&Pmpi, P, sizeof(P)) == 0);
209    TEST_ASSERT(mbedtls_mpi_read_binary(&Qmpi, Q, sizeof(Q)) == 0);
210
211    TEST_ASSERT(mbedtls_rsa_import(&ctx, &Nmpi, &Pmpi, &Qmpi,
212                                   NULL, &Empi) == 0);
213    TEST_ASSERT(mbedtls_rsa_complete(&ctx) == 0);
214
215    TEST_ASSERT(input->len <= sizeof(N));
216    memcpy(original, input->x, input->len);
217    memset(original + input->len, 'd', sizeof(original) - input->len);
218    TEST_ASSERT(mbedtls_rsa_public(&ctx, original, intermediate) == 0);
219
220    memcpy(final, default_content, sizeof(final));
221    TEST_ASSERT(mbedtls_rsa_pkcs1_decrypt(&ctx,
222                                          &mbedtls_test_rnd_pseudo_rand,
223                                          &rnd_info, &output_length,
224                                          intermediate, final,
225                                          output_size) == expected_result);
226    if (expected_result == 0) {
227        TEST_ASSERT(output_length == expected_plaintext_length);
228        TEST_ASSERT(memcmp(original + sizeof(N) - output_length,
229                           final,
230                           output_length) == 0);
231    } else if (expected_result == MBEDTLS_ERR_RSA_INVALID_PADDING ||
232               expected_result == MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE) {
233        size_t max_payload_length =
234            output_size > sizeof(N) - 11 ? sizeof(N) - 11 : output_size;
235        size_t i;
236        size_t count = 0;
237
238#if !defined(MBEDTLS_RSA_ALT)
239        /* Check that the output in invalid cases is what the default
240         * implementation currently does. Alternative implementations
241         * may produce different output, so we only perform these precise
242         * checks when using the default implementation. */
243        TEST_ASSERT(output_length == max_payload_length);
244        for (i = 0; i < max_payload_length; i++) {
245            TEST_ASSERT(final[i] == 0);
246        }
247#endif
248        /* Even in alternative implementations, the outputs must have
249         * changed, otherwise it indicates at least a timing vulnerability
250         * because no write to the outputs is performed in the bad case. */
251        TEST_ASSERT(output_length != 0x7EA0);
252        for (i = 0; i < max_payload_length; i++) {
253            count += (final[i] == default_content[i]);
254        }
255        /* If more than 16 bytes are unchanged in final, that's evidence
256         * that final wasn't overwritten. */
257        TEST_ASSERT(count < 16);
258    }
259
260exit:
261    mbedtls_mpi_free(&Nmpi); mbedtls_mpi_free(&Empi);
262    mbedtls_mpi_free(&Pmpi); mbedtls_mpi_free(&Qmpi);
263    mbedtls_rsa_free(&ctx);
264}
265/* END_CASE */
266
267/* BEGIN_CASE */
268void pkcs1_rsassa_v15_sign(int mod, char *input_P,
269                           char *input_Q, char *input_N,
270                           char *input_E, int digest, int hash,
271                           data_t *message_str, data_t *rnd_buf,
272                           data_t *result_str, int result)
273{
274    unsigned char output[128];
275    mbedtls_rsa_context ctx;
276    mbedtls_mpi N, P, Q, E;
277    mbedtls_test_rnd_buf_info info;
278
279    info.fallback_f_rng = mbedtls_test_rnd_std_rand;
280    info.fallback_p_rng = NULL;
281    info.buf = rnd_buf->x;
282    info.length = rnd_buf->len;
283
284    mbedtls_mpi_init(&N); mbedtls_mpi_init(&P);
285    mbedtls_mpi_init(&Q); mbedtls_mpi_init(&E);
286    mbedtls_rsa_init(&ctx);
287    TEST_ASSERT(mbedtls_rsa_set_padding(&ctx,
288                                        MBEDTLS_RSA_PKCS_V15, hash) == 0);
289
290    memset(output, 0x00, sizeof(output));
291
292    TEST_EQUAL(mbedtls_rsa_get_padding_mode(&ctx), MBEDTLS_RSA_PKCS_V15);
293    TEST_EQUAL(mbedtls_rsa_get_md_alg(&ctx), hash);
294
295    TEST_ASSERT(mbedtls_test_read_mpi(&P, input_P) == 0);
296    TEST_ASSERT(mbedtls_test_read_mpi(&Q, input_Q) == 0);
297    TEST_ASSERT(mbedtls_test_read_mpi(&N, input_N) == 0);
298    TEST_ASSERT(mbedtls_test_read_mpi(&E, input_E) == 0);
299
300    TEST_ASSERT(mbedtls_rsa_import(&ctx, &N, &P, &Q, NULL, &E) == 0);
301    TEST_ASSERT(mbedtls_rsa_get_len(&ctx) == (size_t) ((mod + 7) / 8));
302    TEST_ASSERT(mbedtls_rsa_complete(&ctx) == 0);
303    TEST_ASSERT(mbedtls_rsa_check_privkey(&ctx) == 0);
304
305    TEST_ASSERT(mbedtls_rsa_pkcs1_sign(
306                    &ctx, &mbedtls_test_rnd_buffer_rand, &info,
307                    digest, message_str->len, message_str->x,
308                    output) == result);
309    if (result == 0) {
310
311        TEST_ASSERT(mbedtls_test_hexcmp(output, result_str->x,
312                                        ctx.len, result_str->len) == 0);
313    }
314
315exit:
316    mbedtls_mpi_free(&N); mbedtls_mpi_free(&P);
317    mbedtls_mpi_free(&Q); mbedtls_mpi_free(&E);
318    mbedtls_rsa_free(&ctx);
319}
320/* END_CASE */
321
322/* BEGIN_CASE */
323void pkcs1_rsassa_v15_verify(int mod, char *input_N, char *input_E,
324                             int digest, int hash, data_t *message_str,
325                             char *salt, data_t *result_str, int result)
326{
327    mbedtls_rsa_context ctx;
328    mbedtls_mpi N, E;
329    ((void) salt);
330
331    mbedtls_mpi_init(&N); mbedtls_mpi_init(&E);
332    mbedtls_rsa_init(&ctx);
333    TEST_ASSERT(mbedtls_rsa_set_padding(&ctx,
334                                        MBEDTLS_RSA_PKCS_V15, hash) == 0);
335
336    TEST_EQUAL(mbedtls_rsa_get_padding_mode(&ctx), MBEDTLS_RSA_PKCS_V15);
337    TEST_EQUAL(mbedtls_rsa_get_md_alg(&ctx), hash);
338
339    TEST_ASSERT(mbedtls_test_read_mpi(&N, input_N) == 0);
340    TEST_ASSERT(mbedtls_test_read_mpi(&E, input_E) == 0);
341    TEST_ASSERT(mbedtls_rsa_import(&ctx, &N, NULL, NULL, NULL, &E) == 0);
342    TEST_ASSERT(mbedtls_rsa_get_len(&ctx) == (size_t) ((mod + 7) / 8));
343    TEST_ASSERT(mbedtls_rsa_check_pubkey(&ctx) == 0);
344
345    TEST_ASSERT(mbedtls_rsa_pkcs1_verify(&ctx, digest, message_str->len, message_str->x,
346                                         result_str->x) == result);
347
348exit:
349    mbedtls_mpi_free(&N); mbedtls_mpi_free(&E);
350    mbedtls_rsa_free(&ctx);
351}
352/* END_CASE */
353