From 4ed7376a5dec59995e1294780ecdc2b29f0815a1 Mon Sep 17 00:00:00 2001
From: Janos Follath
Date: Mon, 8 Feb 2016 13:59:25 +0000
Subject: [PATCH 01/32] Length check added

---
 library/rsa.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/library/rsa.c b/library/rsa.c
index 0cb0e7d8d..aa7e2723b 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -844,6 +844,9 @@ int rsa_rsaes_pkcs1_v15_decrypt( rsa_context *ctx,
         bad |= *p++; /* Must be zero */
     }
 
+    if( pad_count < 8 )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
     if( bad )
         return( POLARSSL_ERR_RSA_INVALID_PADDING );
 
From e003f50e6e367514a0d808c50628e45961241ad9 Mon Sep 17 00:00:00 2001
From: Janos Follath
Date: Wed, 10 Feb 2016 16:14:10 +0000
Subject: [PATCH 02/32] Add Changelog entry for current branch

---
 ChangeLog | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index c153a7b65..f6be09858 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,10 @@ mbed TLS ChangeLog (Sorted per branch, date)
 
 = mbed TLS 1.3.x branch
+Security
+   * Fix missing padding length check in mbedtls_rsa_rsaes_pkcs1_v15_decrypt
+     required by PKCS1 v2.2
+
 Bugfix
    * Fix bug in mbedtls_mpi_add_mpi() that caused wrong results when the three arguments where the same (in-place doubling). Found and fixed by Janos
From f1225eaffce425acfbac79673ce89695ca8291f2 Mon Sep 17 00:00:00 2001
From: Janos Follath
Date: Fri, 12 Feb 2016 13:18:20 +0000
Subject: [PATCH 03/32] Add tests for the bug IOTSSL-619.

The main goal with these tests is to test the bug in question and they are not meant to test the entire PKCS#1 v1.5 behaviour. To achieve full test coverage, further test cases are needed.
---
 tests/CMakeLists.txt | 1 +
 tests/suites/test_suite_pkcs1_v15.data | 30 ++++++
 tests/suites/test_suite_pkcs1_v15.function | 110 +++++++++++++++++++++
 3 files changed, 141 insertions(+)
 create mode 100644 tests/suites/test_suite_pkcs1_v15.data
 create mode 100644 tests/suites/test_suite_pkcs1_v15.function
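Review bot: The added `if( pad_count < 8 ) return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );` exits before the `if( bad )` check that every other padding failure funnels into, so a too-short padding string is distinguishable from the other malformed paddings both by return code and by timing, which hands a Bleichenbacher-style oracle to anyone who can submit ciphertexts and observe the error; fold it into the accumulated flag instead, `bad |= ( pad_count < 8 );`, and let the single `POLARSSL_ERR_RSA_INVALID_PADDING` return cover it. The identifier also mixes namespaces: the neighbouring return uses the `POLARSSL_` prefix, and on this branch `MBEDTLS_ERR_RSA_BAD_INPUT_DATA` presumably is not defined. The enclosing rsa_rsaes_pkcs1_v15_decrypt starts and continues outside the hunk.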
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index 68e670708..4f468568b 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -77,6 +77,7 @@ add_test_suite(memory_buffer_alloc)
 add_test_suite(mpi)
 add_test_suite(pbkdf2)
 add_test_suite(pem)
+add_test_suite(pkcs1_v15)
 add_test_suite(pkcs1_v21)
 add_test_suite(pkcs5)
 add_test_suite(pk)
diff --git a/tests/suites/test_suite_pkcs1_v15.data b/tests/suites/test_suite_pkcs1_v15.data
new file mode 100644
index 000000000..65bd99caf
--- /dev/null
+++ b/tests/suites/test_suite_pkcs1_v15.data
@@ -0,0 +1,30 @@
+RSAES-V15 Encryption Test Vector Int
+pkcs1_rsaes_v15_encrypt:1024:16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":16:"11":MBEDTLS_MD_SHA1:"d436e99569fd32a7c8a05bbc90d32c49":"aafd12f659cae63489b479e5076ddec2f06cb58f":"28818cb14236ad18f4527e7f1f7633e96cef021bc3234475d7f61e88702b6335b42a352ed3f3267ac7c3e9ba4af17e45096c63eefd8d9a7cb42dfc52fffb2f5b8afb305b46312c2eb50634123b4437a2287ac57b7509d59a583fb741989a49f32625e9267b4641a6607b7303d35c68489db53c8d387b620d0d46a852e72ea43c":0
+
+RSAES-V15 Decryption Test Vector Int
+pkcs1_rsaes_v15_decrypt:1024:16:"eecfae81b1b9b3c908810b10a1b5600199eb9f44aef4fda493b81a9e3d84f632124ef0236e5d1e3b7e28fae7aa040a2d5b252176459d1f397541ba2a58fb6599":16:"c97fb1f027f453f6341233eaaad1d9353f6c42d08866b1d05a0f2035028b9d869840b41666b42e92ea0da3b43204b5cfce3352524d0416a5a441e700af461503":16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":16:"11":MBEDTLS_MD_SHA1:"d436e99569fd32a7c8a05bbc90d32c49":"aafd12f659cae63489b479e5076ddec2f06cb58f":"28818cb14236ad18f4527e7f1f7633e96cef021bc3234475d7f61e88702b6335b42a352ed3f3267ac7c3e9ba4af17e45096c63eefd8d9a7cb42dfc52fffb2f5b8afb305b46312c2eb50634123b4437a2287ac57b7509d59a583fb741989a49f32625e9267b4641a6607b7303d35c68489db53c8d387b620d0d46a852e72ea43c":0
+
+RSAES-V15 Encryption Test Vector Data just fits
+pkcs1_rsaes_v15_encrypt:1024:16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":16:"11":MBEDTLS_MD_SHA1:"4293cecc8095232ae595b84c15ec26f35cf5fde88ae7a9aaa717bcb1ecc4de498da81db97425000770817b5dde5eed01ca3745ff5ab894d0fc0921e5a10b081490129d8ccbaa154ad3dd461397af8ec964ef99402d60a7591ee44b8ce1c16ef88fcb2717076c730d88223893bdd8000b23d87d38ab":"aafd12f659cae63489b479e5076ddec2f06cb58f":"18cdb161f40a18509a3501b7e8ec1c7522e2490319efee8581179b5bcf3750f83a865952d078efd48f58f8060b0d43f9888b43a094fe15209451826ef797195885ff9fa3e26994eee85dbe5dd0404a71565708286027b433c88c85af555b96c34c304dc7c8278233654c022ef340042cfff55e6b15b67cfea8a5a384ef64a6ac":0
+
+RSAES-V15 Decryption Test Vector Data just fits
+pkcs1_rsaes_v15_decrypt:1024:16:"eecfae81b1b9b3c908810b10a1b5600199eb9f44aef4fda493b81a9e3d84f632124ef0236e5d1e3b7e28fae7aa040a2d5b252176459d1f397541ba2a58fb6599":16:"c97fb1f027f453f6341233eaaad1d9353f6c42d08866b1d05a0f2035028b9d869840b41666b42e92ea0da3b43204b5cfce3352524d0416a5a441e700af461503":16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":16:"11":MBEDTLS_MD_SHA1:"4293cecc8095232ae595b84c15ec26f35cf5fde88ae7a9aaa717bcb1ecc4de498da81db97425000770817b5dde5eed01ca3745ff5ab894d0fc0921e5a10b081490129d8ccbaa154ad3dd461397af8ec964ef99402d60a7591ee44b8ce1c16ef88fcb2717076c730d88223893bdd8000b23d87d38ab":"aafd12f659cae63489b479e5076ddec2f06cb58f":"18cdb161f40a18509a3501b7e8ec1c7522e2490319efee8581179b5bcf3750f83a865952d078efd48f58f8060b0d43f9888b43a094fe15209451826ef797195885ff9fa3e26994eee85dbe5dd0404a71565708286027b433c88c85af555b96c34c304dc7c8278233654c022ef340042cfff55e6b15b67cfea8a5a384ef64a6ac":0
+
+RSAES-V15 Encryption Test Vector Data too long 1
+pkcs1_rsaes_v15_encrypt:1024:16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":16:"11":MBEDTLS_MD_SHA1:"b84293cecc8095232ae595b84c15ec26f35cf5fde88ae7a9aaa717bcb1ecc4de498da81db97425000770817b5dde5eed01ca3745ff5ab894d0fc0921e5a10b081490129d8ccbaa154ad3dd461397af8ec964ef99402d60a7591ee44b8ce1c16ef88fcb2717076c730d88223893bdd8000b23d87d38ab":"aafd12f659cae63489b479e5076ddec2f06cb58f":"05abded6751d620a95177abdba915027b58dd6eecf4ebe71f71c400b115e1d9e12465ace4db3cc03eb57fcbbfe017770f438cf84c10bad505919aefebfa0752087f6376b055beabf0e089fbb90e10f99c795d2d5676eea196db7f94a8fd34aedaba39fb230281bb9917cc91793eb37f84dedb2421e9680c39cfda34d4a012134":MBEDTLS_ERR_RSA_BAD_INPUT_DATA
+
+RSAES-V15 Decryption Test Vector Padding too short 7
+pkcs1_rsaes_v15_decrypt:1024:16:"eecfae81b1b9b3c908810b10a1b5600199eb9f44aef4fda493b81a9e3d84f632124ef0236e5d1e3b7e28fae7aa040a2d5b252176459d1f397541ba2a58fb6599":16:"c97fb1f027f453f6341233eaaad1d9353f6c42d08866b1d05a0f2035028b9d869840b41666b42e92ea0da3b43204b5cfce3352524d0416a5a441e700af461503":16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":16:"11":MBEDTLS_MD_SHA1:"b84293cecc8095232ae595b84c15ec26f35cf5fde88ae7a9aaa717bcb1ecc4de498da81db97425000770817b5dde5eed01ca3745ff5ab894d0fc0921e5a10b081490129d8ccbaa154ad3dd461397af8ec964ef99402d60a7591ee44b8ce1c16ef88fcb2717076c730d88223893bdd8000b23d87d38ab":"aafd12f659cae63489b479e5076ddec2f06cb58f":"05abded6751d620a95177abdba915027b58dd6eecf4ebe71f71c400b115e1d9e12465ace4db3cc03eb57fcbbfe017770f438cf84c10bad505919aefebfa0752087f6376b055beabf0e089fbb90e10f99c795d2d5676eea196db7f94a8fd34aedaba39fb230281bb9917cc91793eb37f84dedb2421e9680c39cfda34d4a012134":MBEDTLS_ERR_RSA_INVALID_PADDING
+
+RSAES-V15 Encryption Test Vector Data too long 3
+pkcs1_rsaes_v15_encrypt:1024:16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":16:"11":MBEDTLS_MD_SHA1:"aa1ab84293cecc8095232ae595b84c15ec26f35cf5fde88ae7a9aaa717bcb1ecc4de498da81db97425000770817b5dde5eed01ca3745ff5ab894d0fc0921e5a10b081490129d8ccbaa154ad3dd461397af8ec964ef99402d60a7591ee44b8ce1c16ef88fcb2717076c730d88223893bdd8000b23d87d38ab":"aafd12f659cae63489b479e5076ddec2f06cb58f":"10d60b8040d57d8701bacb55f2f283d54601ec24d465601ac7f7d5a2f75cac380ba78ca4ab6f3c159f3a9fd6839f5adde0333852ebf876c585664c1a58a1e6885231982f2027be6d7f08ff1807d3ceda8e41ad1f02ddf97a7458832fd13a1f431de6a4ab79e3d4b88bb1df2c5c77fcde9e7b5aa1e7bb29112eae58763127752a":MBEDTLS_ERR_RSA_BAD_INPUT_DATA
+
+RSAES-V15 Decryption Test Vector Padding too short 5
+pkcs1_rsaes_v15_decrypt:1024:16:"eecfae81b1b9b3c908810b10a1b5600199eb9f44aef4fda493b81a9e3d84f632124ef0236e5d1e3b7e28fae7aa040a2d5b252176459d1f397541ba2a58fb6599":16:"c97fb1f027f453f6341233eaaad1d9353f6c42d08866b1d05a0f2035028b9d869840b41666b42e92ea0da3b43204b5cfce3352524d0416a5a441e700af461503":16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":16:"11":MBEDTLS_MD_SHA1:"aa1ab84293cecc8095232ae595b84c15ec26f35cf5fde88ae7a9aaa717bcb1ecc4de498da81db97425000770817b5dde5eed01ca3745ff5ab894d0fc0921e5a10b081490129d8ccbaa154ad3dd461397af8ec964ef99402d60a7591ee44b8ce1c16ef88fcb2717076c730d88223893bdd8000b23d87d38ab":"aafd12f659cae63489b479e5076ddec2f06cb58f":"10d60b8040d57d8701bacb55f2f283d54601ec24d465601ac7f7d5a2f75cac380ba78ca4ab6f3c159f3a9fd6839f5adde0333852ebf876c585664c1a58a1e6885231982f2027be6d7f08ff1807d3ceda8e41ad1f02ddf97a7458832fd13a1f431de6a4ab79e3d4b88bb1df2c5c77fcde9e7b5aa1e7bb29112eae58763127752a":MBEDTLS_ERR_RSA_INVALID_PADDING
+
+RSAES-V15 Encryption Test Vector Data too long 8
+pkcs1_rsaes_v15_encrypt:1024:16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":16:"11":MBEDTLS_MD_SHA1:"a5a384ef64a6acb84293cecc8095232ae595b84c15ec26f35cf5fde88ae7a9aaa717bcb1ecc4de498da81db97425000770817b5dde5eed01ca3745ff5ab894d0fc0921e5a10b081490129d8ccbaa154ad3dd461397af8ec964ef99402d60a7591ee44b8ce1c16ef88fcb2717076c730d88223893bdd8000b23d87d38ab":"aafd12f659cae63489b479e5076ddec2f06cb58f":"72f98d12ddc230484179ec3022d11b3719222daaa0dc016fc3dbd6771a3f2c9fdd0560f86d616dd50ef1fa5b8c7e1fc40b5abf7b845d7795b3a6af02457b97f783360575cde7497bdf9c104650d4e9a8f4034406de1af95ace39bef2b9e979b74d9a2c0a741d8a21221d9afc98992776cad52d73151613dbc10da9bd8038751a":MBEDTLS_ERR_RSA_BAD_INPUT_DATA
+
+RSAES-V15 Decryption Test Vector Padding too short 0
+pkcs1_rsaes_v15_decrypt:1024:16:"eecfae81b1b9b3c908810b10a1b5600199eb9f44aef4fda493b81a9e3d84f632124ef0236e5d1e3b7e28fae7aa040a2d5b252176459d1f397541ba2a58fb6599":16:"c97fb1f027f453f6341233eaaad1d9353f6c42d08866b1d05a0f2035028b9d869840b41666b42e92ea0da3b43204b5cfce3352524d0416a5a441e700af461503":16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":16:"11":MBEDTLS_MD_SHA1:"a5a384ef64a6acb84293cecc8095232ae595b84c15ec26f35cf5fde88ae7a9aaa717bcb1ecc4de498da81db97425000770817b5dde5eed01ca3745ff5ab894d0fc0921e5a10b081490129d8ccbaa154ad3dd461397af8ec964ef99402d60a7591ee44b8ce1c16ef88fcb2717076c730d88223893bdd8000b23d87d38ab":"aafd12f659cae63489b479e5076ddec2f06cb58f":"72f98d12ddc230484179ec3022d11b3719222daaa0dc016fc3dbd6771a3f2c9fdd0560f86d616dd50ef1fa5b8c7e1fc40b5abf7b845d7795b3a6af02457b97f783360575cde7497bdf9c104650d4e9a8f4034406de1af95ace39bef2b9e979b74d9a2c0a741d8a21221d9afc98992776cad52d73151613dbc10da9bd8038751a":MBEDTLS_ERR_RSA_INVALID_PADDING
+
diff --git a/tests/suites/test_suite_pkcs1_v15.function b/tests/suites/test_suite_pkcs1_v15.function
new file mode 100644
index 000000000..90460f1d3
--- /dev/null
+++ b/tests/suites/test_suite_pkcs1_v15.function
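Review bot: The `result_hex_str` column on the three "Data too long" encrypt rows is never checked, because the harness only compares output when the expected result is 0, so the only thing that gives those ciphertexts meaning is that the paired "Padding too short" decrypt row feeds the same bytes back in; nothing in the file says where they came from, and the library itself refuses to produce them (the encrypt row expects BAD_INPUT_DATA). A short note in the test-function header, describing that the oversized ciphertexts were presumably built out-of-tree by raw RSA encryption of a hand-assembled block with 7, 5 and 0 padding bytes, would let the next person regenerate or extend them; the trailing number in "Padding too short 7/5/0" presumably encodes that count and the note should say so. The boundary itself is exercised only by "Data just fits", which is the minimum 8-byte padding string, so the check at exactly 8 is covered from the valid side.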
@@ -0,0 +1,110 @@
+/* BEGIN_HEADER */
+#include "mbedtls/rsa.h"
+#include "mbedtls/md.h"
+/* END_HEADER */
+
+/* BEGIN_DEPENDENCIES
+ * depends_on:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
+ * END_DEPENDENCIES
+ */
+
+/* BEGIN_CASE */
+void pkcs1_rsaes_v15_encrypt( int mod, int radix_N, char *input_N, int radix_E,
+                              char *input_E, int hash,
+                              char *message_hex_string, char *seed,
+                              char *result_hex_str, int result )
+{
+    unsigned char message_str[1000];
+    unsigned char output[1000];
+    unsigned char output_str[1000];
+    unsigned char rnd_buf[1000];
+    mbedtls_rsa_context ctx;
+    size_t msg_len;
+    rnd_buf_info info;
+
+    info.length = unhexify( rnd_buf, seed );
+    info.buf = rnd_buf;
+
+    mbedtls_rsa_init( &ctx, MBEDTLS_RSA_PKCS_V15, hash );
+    memset( message_str, 0x00, 1000 );
+    memset( output, 0x00, 1000 );
+    memset( output_str, 0x00, 1000 );
+
+    ctx.len = mod / 8 + ( ( mod % 8 ) ? 1 : 0 );
+    TEST_ASSERT( mbedtls_mpi_read_string( &ctx.N, radix_N, input_N ) == 0 );
+    TEST_ASSERT( mbedtls_mpi_read_string( &ctx.E, radix_E, input_E ) == 0 );
+
+    TEST_ASSERT( mbedtls_rsa_check_pubkey( &ctx ) == 0 );
+
+    msg_len = unhexify( message_str, message_hex_string );
+
+    TEST_ASSERT( mbedtls_rsa_pkcs1_encrypt( &ctx, &rnd_buffer_rand, &info, MBEDTLS_RSA_PUBLIC, msg_len, message_str, output ) == result );
+    if( result == 0 )
+    {
+        hexify( output_str, output, ctx.len );
+
+        TEST_ASSERT( strcasecmp( (char *) output_str, result_hex_str ) == 0 );
+    }
+
+exit:
+    mbedtls_rsa_free( &ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void pkcs1_rsaes_v15_decrypt( int mod, int radix_P, char *input_P,
+                              int radix_Q, char *input_Q, int radix_N,
+                              char *input_N, int radix_E, char *input_E,
+                              int hash, char *result_hex_str, char *seed,
+                              char *message_hex_string, int result )
+{
+    unsigned char message_str[1000];
+    unsigned char output[1000];
+    unsigned char output_str[1000];
+    mbedtls_rsa_context ctx;
+    mbedtls_mpi P1, Q1, H, G;
+    size_t output_len;
+    rnd_pseudo_info rnd_info;
+    ((void) seed);
+
+    mbedtls_mpi_init( &P1 ); mbedtls_mpi_init( &Q1 ); mbedtls_mpi_init( &H ); mbedtls_mpi_init( &G );
+    mbedtls_rsa_init( &ctx, MBEDTLS_RSA_PKCS_V15, hash );
+
+    memset( message_str, 0x00, 1000 );
+    memset( output, 0x00, 1000 );
+    memset( output_str, 0x00, 1000 );
+    memset( &rnd_info, 0, sizeof( rnd_pseudo_info ) );
+
+    ctx.len = mod / 8 + ( ( mod % 8 ) ? 1 : 0 );
+    TEST_ASSERT( mbedtls_mpi_read_string( &ctx.P, radix_P, input_P ) == 0 );
+    TEST_ASSERT( mbedtls_mpi_read_string( &ctx.Q, radix_Q, input_Q ) == 0 );
+    TEST_ASSERT( mbedtls_mpi_read_string( &ctx.N, radix_N, input_N ) == 0 );
+    TEST_ASSERT( mbedtls_mpi_read_string( &ctx.E, radix_E, input_E ) == 0 );
+
+    TEST_ASSERT( mbedtls_mpi_sub_int( &P1, &ctx.P, 1 ) == 0 );
+    TEST_ASSERT( mbedtls_mpi_sub_int( &Q1, &ctx.Q, 1 ) == 0 );
+    TEST_ASSERT( mbedtls_mpi_mul_mpi( &H, &P1, &Q1 ) == 0 );
+    TEST_ASSERT( mbedtls_mpi_gcd( &G, &ctx.E, &H ) == 0 );
+    TEST_ASSERT( mbedtls_mpi_inv_mod( &ctx.D , &ctx.E, &H ) == 0 );
+    TEST_ASSERT( mbedtls_mpi_mod_mpi( &ctx.DP, &ctx.D, &P1 ) == 0 );
+    TEST_ASSERT( mbedtls_mpi_mod_mpi( &ctx.DQ, &ctx.D, &Q1 ) == 0 );
+    TEST_ASSERT( mbedtls_mpi_inv_mod( &ctx.QP, &ctx.Q, &ctx.P ) == 0 );
+
+    TEST_ASSERT( mbedtls_rsa_check_privkey( &ctx ) == 0 );
+
+    unhexify( message_str, message_hex_string );
+
+    TEST_ASSERT( mbedtls_rsa_pkcs1_decrypt( &ctx, &rnd_pseudo_rand, &rnd_info, MBEDTLS_RSA_PRIVATE, &output_len, message_str, output, 1000 ) == result );
+    if( result == 0 )
+    {
+        hexify( output_str, output, ctx.len );
+
+        TEST_ASSERT( strncasecmp( (char *) output_str, result_hex_str, strlen( result_hex_str ) ) == 0 );
+    }
+
+exit:
+    mbedtls_mpi_free( &P1 ); mbedtls_mpi_free( &Q1 ); mbedtls_mpi_free( &H ); mbedtls_mpi_free( &G );
+    mbedtls_rsa_free( &ctx );
+}
+/* END_CASE */
+
From 7c3be6b97e69280aac3401be46323cd6869bdb5f Mon Sep 17 00:00:00 2001
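Review bot: In pkcs1_rsaes_v15_decrypt the success path ignores `output_len`: it hexifies `ctx.len` bytes of `output` and then compares only `strlen( result_hex_str )` characters with `strncasecmp`, so a decrypt that returns the right prefix followed by extra bytes, or reports an `output_len` that disagrees with the expected plaintext length, still passes. Pin the length and compare the whole string: `TEST_ASSERT( output_len == strlen( result_hex_str ) / 2 );`, `hexify( output_str, output, output_len );`, `TEST_ASSERT( strcasecmp( (char *) output_str, result_hex_str ) == 0 );`. The `seed` parameter of the decrypt case is discarded with `((void) seed)`, so the seed column of every decrypt row is dead input; either drop the column or say in a comment above the signature that it is kept only so the decrypt rows mirror the encrypt rows. The return value of `unhexify( message_str, message_hex_string )` is also dropped, which is fine only because mbedtls_rsa_pkcs1_decrypt reads `ctx.len` bytes regardless; a `TEST_ASSERT` that the unhexified length equals `ctx.len` would catch a truncated vector in the .data file.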
From: Janos Follath
Date: Fri, 12 Feb 2016 13:30:09 +0000
Subject: [PATCH 04/32] Removing 'if' branch from the fix.

This new error shouldn't be distinguishable from other padding errors. Updating 'bad' instead of adding a new 'if' branch.
---
 library/rsa.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/library/rsa.c b/library/rsa.c
index aa7e2723b..5ab636f52 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -844,8 +844,7 @@ int rsa_rsaes_pkcs1_v15_decrypt( rsa_context *ctx,
         bad |= *p++; /* Must be zero */
     }
 
-    if( pad_count < 8 )
-        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+    bad |= ( pad_count < 8 );
 
     if( bad )
         return( POLARSSL_ERR_RSA_INVALID_PADDING );
From 53eb0d1f5a7d9e84f0111cdc037a026d78bbc0c3 Mon Sep 17 00:00:00 2001
From: Janos Follath
Date: Wed, 16 Mar 2016 10:26:12 +0000
Subject: [PATCH 05/32] Fix the backport of pkcs1 v1.5 test suite.

The test suite was not properly backported and it remained unnoticed, because it was not compile due to the change in the naming of the compile time requirements.
---
 tests/suites/test_suite_pkcs1_v15.data | 20 ++++----
 tests/suites/test_suite_pkcs1_v15.function | 60 +++++++++++-----------
 2 files changed, 40 insertions(+), 40 deletions(-)

diff --git a/tests/suites/test_suite_pkcs1_v15.data b/tests/suites/test_suite_pkcs1_v15.data
index 65bd99caf..a38d48add 100644
--- a/tests/suites/test_suite_pkcs1_v15.data
+++ b/tests/suites/test_suite_pkcs1_v15.data
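Review bot: `bad |= ( pad_count < 8 );` uses a relational operator, which the compiler is free to lower to a conditional branch, so the source alone does not guarantee the uniform timing this commit is after. If pad_count is an unsigned size_t (its declaration is outside the hunk), the borrow of the subtraction gives a branch-free flag: `bad |= (unsigned char)( ( pad_count - 8 ) >> ( sizeof( size_t ) * 8 - 1 ) );`, which is 1 exactly when pad_count < 8. A comment on the line saying why the check is folded into `bad` instead of returned early, `/* Fold into bad: a short PS must not be distinguishable from other padding errors (Bleichenbacher). */`, would keep a later cleanup from reintroducing the early return. rsa_rsaes_pkcs1_v15_decrypt continues outside the hunk.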
@@ -1,30 +1,30 @@
 RSAES-V15 Encryption Test Vector Int
-pkcs1_rsaes_v15_encrypt:1024:16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":16:"11":MBEDTLS_MD_SHA1:"d436e99569fd32a7c8a05bbc90d32c49":"aafd12f659cae63489b479e5076ddec2f06cb58f":"28818cb14236ad18f4527e7f1f7633e96cef021bc3234475d7f61e88702b6335b42a352ed3f3267ac7c3e9ba4af17e45096c63eefd8d9a7cb42dfc52fffb2f5b8afb305b46312c2eb50634123b4437a2287ac57b7509d59a583fb741989a49f32625e9267b4641a6607b7303d35c68489db53c8d387b620d0d46a852e72ea43c":0
+pkcs1_rsaes_v15_encrypt:1024:16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":16:"11":POLARSSL_MD_SHA1:"d436e99569fd32a7c8a05bbc90d32c49":"aafd12f659cae63489b479e5076ddec2f06cb58f":"28818cb14236ad18f4527e7f1f7633e96cef021bc3234475d7f61e88702b6335b42a352ed3f3267ac7c3e9ba4af17e45096c63eefd8d9a7cb42dfc52fffb2f5b8afb305b46312c2eb50634123b4437a2287ac57b7509d59a583fb741989a49f32625e9267b4641a6607b7303d35c68489db53c8d387b620d0d46a852e72ea43c":0
 
 RSAES-V15 Decryption Test Vector Int
-pkcs1_rsaes_v15_decrypt:1024:16:"eecfae81b1b9b3c908810b10a1b5600199eb9f44aef4fda493b81a9e3d84f632124ef0236e5d1e3b7e28fae7aa040a2d5b252176459d1f397541ba2a58fb6599":16:"c97fb1f027f453f6341233eaaad1d9353f6c42d08866b1d05a0f2035028b9d869840b41666b42e92ea0da3b43204b5cfce3352524d0416a5a441e700af461503":16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":16:"11":MBEDTLS_MD_SHA1:"d436e99569fd32a7c8a05bbc90d32c49":"aafd12f659cae63489b479e5076ddec2f06cb58f":"28818cb14236ad18f4527e7f1f7633e96cef021bc3234475d7f61e88702b6335b42a352ed3f3267ac7c3e9ba4af17e45096c63eefd8d9a7cb42dfc52fffb2f5b8afb305b46312c2eb50634123b4437a2287ac57b7509d59a583fb741989a49f32625e9267b4641a6607b7303d35c68489db53c8d387b620d0d46a852e72ea43c":0
+pkcs1_rsaes_v15_decrypt:1024:16:"eecfae81b1b9b3c908810b10a1b5600199eb9f44aef4fda493b81a9e3d84f632124ef0236e5d1e3b7e28fae7aa040a2d5b252176459d1f397541ba2a58fb6599":16:"c97fb1f027f453f6341233eaaad1d9353f6c42d08866b1d05a0f2035028b9d869840b41666b42e92ea0da3b43204b5cfce3352524d0416a5a441e700af461503":16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":16:"11":POLARSSL_MD_SHA1:"d436e99569fd32a7c8a05bbc90d32c49":"aafd12f659cae63489b479e5076ddec2f06cb58f":"28818cb14236ad18f4527e7f1f7633e96cef021bc3234475d7f61e88702b6335b42a352ed3f3267ac7c3e9ba4af17e45096c63eefd8d9a7cb42dfc52fffb2f5b8afb305b46312c2eb50634123b4437a2287ac57b7509d59a583fb741989a49f32625e9267b4641a6607b7303d35c68489db53c8d387b620d0d46a852e72ea43c":0
 
 RSAES-V15 Encryption Test Vector Data just fits
-pkcs1_rsaes_v15_encrypt:1024:16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":16:"11":MBEDTLS_MD_SHA1:"4293cecc8095232ae595b84c15ec26f35cf5fde88ae7a9aaa717bcb1ecc4de498da81db97425000770817b5dde5eed01ca3745ff5ab894d0fc0921e5a10b081490129d8ccbaa154ad3dd461397af8ec964ef99402d60a7591ee44b8ce1c16ef88fcb2717076c730d88223893bdd8000b23d87d38ab":"aafd12f659cae63489b479e5076ddec2f06cb58f":"18cdb161f40a18509a3501b7e8ec1c7522e2490319efee8581179b5bcf3750f83a865952d078efd48f58f8060b0d43f9888b43a094fe15209451826ef797195885ff9fa3e26994eee85dbe5dd0404a71565708286027b433c88c85af555b96c34c304dc7c8278233654c022ef340042cfff55e6b15b67cfea8a5a384ef64a6ac":0
+pkcs1_rsaes_v15_encrypt:1024:16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":16:"11":POLARSSL_MD_SHA1:"4293cecc8095232ae595b84c15ec26f35cf5fde88ae7a9aaa717bcb1ecc4de498da81db97425000770817b5dde5eed01ca3745ff5ab894d0fc0921e5a10b081490129d8ccbaa154ad3dd461397af8ec964ef99402d60a7591ee44b8ce1c16ef88fcb2717076c730d88223893bdd8000b23d87d38ab":"aafd12f659cae63489b479e5076ddec2f06cb58f":"18cdb161f40a18509a3501b7e8ec1c7522e2490319efee8581179b5bcf3750f83a865952d078efd48f58f8060b0d43f9888b43a094fe15209451826ef797195885ff9fa3e26994eee85dbe5dd0404a71565708286027b433c88c85af555b96c34c304dc7c8278233654c022ef340042cfff55e6b15b67cfea8a5a384ef64a6ac":0
 
 RSAES-V15 Decryption Test Vector Data just fits
-pkcs1_rsaes_v15_decrypt:1024:16:"eecfae81b1b9b3c908810b10a1b5600199eb9f44aef4fda493b81a9e3d84f632124ef0236e5d1e3b7e28fae7aa040a2d5b252176459d1f397541ba2a58fb6599":16:"c97fb1f027f453f6341233eaaad1d9353f6c42d08866b1d05a0f2035028b9d869840b41666b42e92ea0da3b43204b5cfce3352524d0416a5a441e700af461503":16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":16:"11":MBEDTLS_MD_SHA1:"4293cecc8095232ae595b84c15ec26f35cf5fde88ae7a9aaa717bcb1ecc4de498da81db97425000770817b5dde5eed01ca3745ff5ab894d0fc0921e5a10b081490129d8ccbaa154ad3dd461397af8ec964ef99402d60a7591ee44b8ce1c16ef88fcb2717076c730d88223893bdd8000b23d87d38ab":"aafd12f659cae63489b479e5076ddec2f06cb58f":"18cdb161f40a18509a3501b7e8ec1c7522e2490319efee8581179b5bcf3750f83a865952d078efd48f58f8060b0d43f9888b43a094fe15209451826ef797195885ff9fa3e26994eee85dbe5dd0404a71565708286027b433c88c85af555b96c34c304dc7c8278233654c022ef340042cfff55e6b15b67cfea8a5a384ef64a6ac":0 
+pkcs1_rsaes_v15_decrypt:1024:16:"eecfae81b1b9b3c908810b10a1b5600199eb9f44aef4fda493b81a9e3d84f632124ef0236e5d1e3b7e28fae7aa040a2d5b252176459d1f397541ba2a58fb6599":16:"c97fb1f027f453f6341233eaaad1d9353f6c42d08866b1d05a0f2035028b9d869840b41666b42e92ea0da3b43204b5cfce3352524d0416a5a441e700af461503":16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":16:"11":POLARSSL_MD_SHA1:"4293cecc8095232ae595b84c15ec26f35cf5fde88ae7a9aaa717bcb1ecc4de498da81db97425000770817b5dde5eed01ca3745ff5ab894d0fc0921e5a10b081490129d8ccbaa154ad3dd461397af8ec964ef99402d60a7591ee44b8ce1c16ef88fcb2717076c730d88223893bdd8000b23d87d38ab":"aafd12f659cae63489b479e5076ddec2f06cb58f":"18cdb161f40a18509a3501b7e8ec1c7522e2490319efee8581179b5bcf3750f83a865952d078efd48f58f8060b0d43f9888b43a094fe15209451826ef797195885ff9fa3e26994eee85dbe5dd0404a71565708286027b433c88c85af555b96c34c304dc7c8278233654c022ef340042cfff55e6b15b67cfea8a5a384ef64a6ac":0
 
 RSAES-V15 Encryption Test Vector Data too long 1
-pkcs1_rsaes_v15_encrypt:1024:16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":16:"11":MBEDTLS_MD_SHA1:"b84293cecc8095232ae595b84c15ec26f35cf5fde88ae7a9aaa717bcb1ecc4de498da81db97425000770817b5dde5eed01ca3745ff5ab894d0fc0921e5a10b081490129d8ccbaa154ad3dd461397af8ec964ef99402d60a7591ee44b8ce1c16ef88fcb2717076c730d88223893bdd8000b23d87d38ab":"aafd12f659cae63489b479e5076ddec2f06cb58f":"05abded6751d620a95177abdba915027b58dd6eecf4ebe71f71c400b115e1d9e12465ace4db3cc03eb57fcbbfe017770f438cf84c10bad505919aefebfa0752087f6376b055beabf0e089fbb90e10f99c795d2d5676eea196db7f94a8fd34aedaba39fb230281bb9917cc91793eb37f84dedb2421e9680c39cfda34d4a012134":MBEDTLS_ERR_RSA_BAD_INPUT_DATA
+pkcs1_rsaes_v15_encrypt:1024:16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":16:"11":POLARSSL_MD_SHA1:"b84293cecc8095232ae595b84c15ec26f35cf5fde88ae7a9aaa717bcb1ecc4de498da81db97425000770817b5dde5eed01ca3745ff5ab894d0fc0921e5a10b081490129d8ccbaa154ad3dd461397af8ec964ef99402d60a7591ee44b8ce1c16ef88fcb2717076c730d88223893bdd8000b23d87d38ab":"aafd12f659cae63489b479e5076ddec2f06cb58f":"05abded6751d620a95177abdba915027b58dd6eecf4ebe71f71c400b115e1d9e12465ace4db3cc03eb57fcbbfe017770f438cf84c10bad505919aefebfa0752087f6376b055beabf0e089fbb90e10f99c795d2d5676eea196db7f94a8fd34aedaba39fb230281bb9917cc91793eb37f84dedb2421e9680c39cfda34d4a012134":POLARSSL_ERR_RSA_BAD_INPUT_DATA
 
 RSAES-V15 Decryption Test Vector Padding too short 7
-pkcs1_rsaes_v15_decrypt:1024:16:"eecfae81b1b9b3c908810b10a1b5600199eb9f44aef4fda493b81a9e3d84f632124ef0236e5d1e3b7e28fae7aa040a2d5b252176459d1f397541ba2a58fb6599":16:"c97fb1f027f453f6341233eaaad1d9353f6c42d08866b1d05a0f2035028b9d869840b41666b42e92ea0da3b43204b5cfce3352524d0416a5a441e700af461503":16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":16:"11":MBEDTLS_MD_SHA1:"b84293cecc8095232ae595b84c15ec26f35cf5fde88ae7a9aaa717bcb1ecc4de498da81db97425000770817b5dde5eed01ca3745ff5ab894d0fc0921e5a10b081490129d8ccbaa154ad3dd461397af8ec964ef99402d60a7591ee44b8ce1c16ef88fcb2717076c730d88223893bdd8000b23d87d38ab":"aafd12f659cae63489b479e5076ddec2f06cb58f":"05abded6751d620a95177abdba915027b58dd6eecf4ebe71f71c400b115e1d9e12465ace4db3cc03eb57fcbbfe017770f438cf84c10bad505919aefebfa0752087f6376b055beabf0e089fbb90e10f99c795d2d5676eea196db7f94a8fd34aedaba39fb230281bb9917cc91793eb37f84dedb2421e9680c39cfda34d4a012134":MBEDTLS_ERR_RSA_INVALID_PADDING 
+pkcs1_rsaes_v15_decrypt:1024:16:"eecfae81b1b9b3c908810b10a1b5600199eb9f44aef4fda493b81a9e3d84f632124ef0236e5d1e3b7e28fae7aa040a2d5b252176459d1f397541ba2a58fb6599":16:"c97fb1f027f453f6341233eaaad1d9353f6c42d08866b1d05a0f2035028b9d869840b41666b42e92ea0da3b43204b5cfce3352524d0416a5a441e700af461503":16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":16:"11":POLARSSL_MD_SHA1:"b84293cecc8095232ae595b84c15ec26f35cf5fde88ae7a9aaa717bcb1ecc4de498da81db97425000770817b5dde5eed01ca3745ff5ab894d0fc0921e5a10b081490129d8ccbaa154ad3dd461397af8ec964ef99402d60a7591ee44b8ce1c16ef88fcb2717076c730d88223893bdd8000b23d87d38ab":"aafd12f659cae63489b479e5076ddec2f06cb58f":"05abded6751d620a95177abdba915027b58dd6eecf4ebe71f71c400b115e1d9e12465ace4db3cc03eb57fcbbfe017770f438cf84c10bad505919aefebfa0752087f6376b055beabf0e089fbb90e10f99c795d2d5676eea196db7f94a8fd34aedaba39fb230281bb9917cc91793eb37f84dedb2421e9680c39cfda34d4a012134":POLARSSL_ERR_RSA_INVALID_PADDING
 
 RSAES-V15 Encryption Test Vector Data too long 3
-pkcs1_rsaes_v15_encrypt:1024:16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":16:"11":MBEDTLS_MD_SHA1:"aa1ab84293cecc8095232ae595b84c15ec26f35cf5fde88ae7a9aaa717bcb1ecc4de498da81db97425000770817b5dde5eed01ca3745ff5ab894d0fc0921e5a10b081490129d8ccbaa154ad3dd461397af8ec964ef99402d60a7591ee44b8ce1c16ef88fcb2717076c730d88223893bdd8000b23d87d38ab":"aafd12f659cae63489b479e5076ddec2f06cb58f":"10d60b8040d57d8701bacb55f2f283d54601ec24d465601ac7f7d5a2f75cac380ba78ca4ab6f3c159f3a9fd6839f5adde0333852ebf876c585664c1a58a1e6885231982f2027be6d7f08ff1807d3ceda8e41ad1f02ddf97a7458832fd13a1f431de6a4ab79e3d4b88bb1df2c5c77fcde9e7b5aa1e7bb29112eae58763127752a":MBEDTLS_ERR_RSA_BAD_INPUT_DATA
+pkcs1_rsaes_v15_encrypt:1024:16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":16:"11":POLARSSL_MD_SHA1:"aa1ab84293cecc8095232ae595b84c15ec26f35cf5fde88ae7a9aaa717bcb1ecc4de498da81db97425000770817b5dde5eed01ca3745ff5ab894d0fc0921e5a10b081490129d8ccbaa154ad3dd461397af8ec964ef99402d60a7591ee44b8ce1c16ef88fcb2717076c730d88223893bdd8000b23d87d38ab":"aafd12f659cae63489b479e5076ddec2f06cb58f":"10d60b8040d57d8701bacb55f2f283d54601ec24d465601ac7f7d5a2f75cac380ba78ca4ab6f3c159f3a9fd6839f5adde0333852ebf876c585664c1a58a1e6885231982f2027be6d7f08ff1807d3ceda8e41ad1f02ddf97a7458832fd13a1f431de6a4ab79e3d4b88bb1df2c5c77fcde9e7b5aa1e7bb29112eae58763127752a":POLARSSL_ERR_RSA_BAD_INPUT_DATA
 
 RSAES-V15 Decryption Test Vector Padding too short 5
-pkcs1_rsaes_v15_decrypt:1024:16:"eecfae81b1b9b3c908810b10a1b5600199eb9f44aef4fda493b81a9e3d84f632124ef0236e5d1e3b7e28fae7aa040a2d5b252176459d1f397541ba2a58fb6599":16:"c97fb1f027f453f6341233eaaad1d9353f6c42d08866b1d05a0f2035028b9d869840b41666b42e92ea0da3b43204b5cfce3352524d0416a5a441e700af461503":16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":16:"11":MBEDTLS_MD_SHA1:"aa1ab84293cecc8095232ae595b84c15ec26f35cf5fde88ae7a9aaa717bcb1ecc4de498da81db97425000770817b5dde5eed01ca3745ff5ab894d0fc0921e5a10b081490129d8ccbaa154ad3dd461397af8ec964ef99402d60a7591ee44b8ce1c16ef88fcb2717076c730d88223893bdd8000b23d87d38ab":"aafd12f659cae63489b479e5076ddec2f06cb58f":"10d60b8040d57d8701bacb55f2f283d54601ec24d465601ac7f7d5a2f75cac380ba78ca4ab6f3c159f3a9fd6839f5adde0333852ebf876c585664c1a58a1e6885231982f2027be6d7f08ff1807d3ceda8e41ad1f02ddf97a7458832fd13a1f431de6a4ab79e3d4b88bb1df2c5c77fcde9e7b5aa1e7bb29112eae58763127752a":MBEDTLS_ERR_RSA_INVALID_PADDING 
+pkcs1_rsaes_v15_decrypt:1024:16:"eecfae81b1b9b3c908810b10a1b5600199eb9f44aef4fda493b81a9e3d84f632124ef0236e5d1e3b7e28fae7aa040a2d5b252176459d1f397541ba2a58fb6599":16:"c97fb1f027f453f6341233eaaad1d9353f6c42d08866b1d05a0f2035028b9d869840b41666b42e92ea0da3b43204b5cfce3352524d0416a5a441e700af461503":16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":16:"11":POLARSSL_MD_SHA1:"aa1ab84293cecc8095232ae595b84c15ec26f35cf5fde88ae7a9aaa717bcb1ecc4de498da81db97425000770817b5dde5eed01ca3745ff5ab894d0fc0921e5a10b081490129d8ccbaa154ad3dd461397af8ec964ef99402d60a7591ee44b8ce1c16ef88fcb2717076c730d88223893bdd8000b23d87d38ab":"aafd12f659cae63489b479e5076ddec2f06cb58f":"10d60b8040d57d8701bacb55f2f283d54601ec24d465601ac7f7d5a2f75cac380ba78ca4ab6f3c159f3a9fd6839f5adde0333852ebf876c585664c1a58a1e6885231982f2027be6d7f08ff1807d3ceda8e41ad1f02ddf97a7458832fd13a1f431de6a4ab79e3d4b88bb1df2c5c77fcde9e7b5aa1e7bb29112eae58763127752a":POLARSSL_ERR_RSA_INVALID_PADDING RSAES-V15 Encryption Test Vector Data too long 8 
-pkcs1_rsaes_v15_encrypt:1024:16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":16:"11":MBEDTLS_MD_SHA1:"a5a384ef64a6acb84293cecc8095232ae595b84c15ec26f35cf5fde88ae7a9aaa717bcb1ecc4de498da81db97425000770817b5dde5eed01ca3745ff5ab894d0fc0921e5a10b081490129d8ccbaa154ad3dd461397af8ec964ef99402d60a7591ee44b8ce1c16ef88fcb2717076c730d88223893bdd8000b23d87d38ab":"aafd12f659cae63489b479e5076ddec2f06cb58f":"72f98d12ddc230484179ec3022d11b3719222daaa0dc016fc3dbd6771a3f2c9fdd0560f86d616dd50ef1fa5b8c7e1fc40b5abf7b845d7795b3a6af02457b97f783360575cde7497bdf9c104650d4e9a8f4034406de1af95ace39bef2b9e979b74d9a2c0a741d8a21221d9afc98992776cad52d73151613dbc10da9bd8038751a":MBEDTLS_ERR_RSA_BAD_INPUT_DATA +pkcs1_rsaes_v15_encrypt:1024:16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":16:"11":POLARSSL_MD_SHA1:"a5a384ef64a6acb84293cecc8095232ae595b84c15ec26f35cf5fde88ae7a9aaa717bcb1ecc4de498da81db97425000770817b5dde5eed01ca3745ff5ab894d0fc0921e5a10b081490129d8ccbaa154ad3dd461397af8ec964ef99402d60a7591ee44b8ce1c16ef88fcb2717076c730d88223893bdd8000b23d87d38ab":"aafd12f659cae63489b479e5076ddec2f06cb58f":"72f98d12ddc230484179ec3022d11b3719222daaa0dc016fc3dbd6771a3f2c9fdd0560f86d616dd50ef1fa5b8c7e1fc40b5abf7b845d7795b3a6af02457b97f783360575cde7497bdf9c104650d4e9a8f4034406de1af95ace39bef2b9e979b74d9a2c0a741d8a21221d9afc98992776cad52d73151613dbc10da9bd8038751a":POLARSSL_ERR_RSA_BAD_INPUT_DATA RSAES-V15 Decryption Test Vector Padding too short 0 
-pkcs1_rsaes_v15_decrypt:1024:16:"eecfae81b1b9b3c908810b10a1b5600199eb9f44aef4fda493b81a9e3d84f632124ef0236e5d1e3b7e28fae7aa040a2d5b252176459d1f397541ba2a58fb6599":16:"c97fb1f027f453f6341233eaaad1d9353f6c42d08866b1d05a0f2035028b9d869840b41666b42e92ea0da3b43204b5cfce3352524d0416a5a441e700af461503":16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":16:"11":MBEDTLS_MD_SHA1:"a5a384ef64a6acb84293cecc8095232ae595b84c15ec26f35cf5fde88ae7a9aaa717bcb1ecc4de498da81db97425000770817b5dde5eed01ca3745ff5ab894d0fc0921e5a10b081490129d8ccbaa154ad3dd461397af8ec964ef99402d60a7591ee44b8ce1c16ef88fcb2717076c730d88223893bdd8000b23d87d38ab":"aafd12f659cae63489b479e5076ddec2f06cb58f":"72f98d12ddc230484179ec3022d11b3719222daaa0dc016fc3dbd6771a3f2c9fdd0560f86d616dd50ef1fa5b8c7e1fc40b5abf7b845d7795b3a6af02457b97f783360575cde7497bdf9c104650d4e9a8f4034406de1af95ace39bef2b9e979b74d9a2c0a741d8a21221d9afc98992776cad52d73151613dbc10da9bd8038751a":MBEDTLS_ERR_RSA_INVALID_PADDING 
+pkcs1_rsaes_v15_decrypt:1024:16:"eecfae81b1b9b3c908810b10a1b5600199eb9f44aef4fda493b81a9e3d84f632124ef0236e5d1e3b7e28fae7aa040a2d5b252176459d1f397541ba2a58fb6599":16:"c97fb1f027f453f6341233eaaad1d9353f6c42d08866b1d05a0f2035028b9d869840b41666b42e92ea0da3b43204b5cfce3352524d0416a5a441e700af461503":16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":16:"11":POLARSSL_MD_SHA1:"a5a384ef64a6acb84293cecc8095232ae595b84c15ec26f35cf5fde88ae7a9aaa717bcb1ecc4de498da81db97425000770817b5dde5eed01ca3745ff5ab894d0fc0921e5a10b081490129d8ccbaa154ad3dd461397af8ec964ef99402d60a7591ee44b8ce1c16ef88fcb2717076c730d88223893bdd8000b23d87d38ab":"aafd12f659cae63489b479e5076ddec2f06cb58f":"72f98d12ddc230484179ec3022d11b3719222daaa0dc016fc3dbd6771a3f2c9fdd0560f86d616dd50ef1fa5b8c7e1fc40b5abf7b845d7795b3a6af02457b97f783360575cde7497bdf9c104650d4e9a8f4034406de1af95ace39bef2b9e979b74d9a2c0a741d8a21221d9afc98992776cad52d73151613dbc10da9bd8038751a":POLARSSL_ERR_RSA_INVALID_PADDING diff --git a/tests/suites/test_suite_pkcs1_v15.function b/tests/suites/test_suite_pkcs1_v15.function index 90460f1d3..2b7d4561b 100644 --- a/tests/suites/test_suite_pkcs1_v15.function +++ b/tests/suites/test_suite_pkcs1_v15.function @@ -1,10 +1,10 @@ /* BEGIN_HEADER */ -#include "mbedtls/rsa.h" -#include "mbedtls/md.h" +#include "polarssl/rsa.h" +#include "polarssl/md.h" /* END_HEADER */ /* BEGIN_DEPENDENCIES - * depends_on:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_SHA1_C + * depends_on:POLARSSL_PKCS1_V15:POLARSSL_RSA_C:POLARSSL_SHA1_C * END_DEPENDENCIES */ 
@@ -18,27 +18,27 @@ void pkcs1_rsaes_v15_encrypt( int mod, int radix_N, char *input_N, int radix_E, unsigned char output[1000]; unsigned char output_str[1000]; unsigned char rnd_buf[1000]; - mbedtls_rsa_context ctx; + rsa_context ctx; size_t msg_len; rnd_buf_info info; info.length = unhexify( rnd_buf, seed ); info.buf = rnd_buf; - mbedtls_rsa_init( &ctx, MBEDTLS_RSA_PKCS_V15, hash ); + rsa_init( &ctx, RSA_PKCS_V15, hash ); memset( message_str, 0x00, 1000 ); memset( output, 0x00, 1000 ); memset( output_str, 0x00, 1000 ); ctx.len = mod / 8 + ( ( mod % 8 ) ? 1 : 0 ); - TEST_ASSERT( mbedtls_mpi_read_string( &ctx.N, radix_N, input_N ) == 0 ); - TEST_ASSERT( mbedtls_mpi_read_string( &ctx.E, radix_E, input_E ) == 0 ); + TEST_ASSERT( mpi_read_string( &ctx.N, radix_N, input_N ) == 0 ); + TEST_ASSERT( mpi_read_string( &ctx.E, radix_E, input_E ) == 0 ); - TEST_ASSERT( mbedtls_rsa_check_pubkey( &ctx ) == 0 ); + TEST_ASSERT( rsa_check_pubkey( &ctx ) == 0 ); msg_len = unhexify( message_str, message_hex_string ); - TEST_ASSERT( mbedtls_rsa_pkcs1_encrypt( &ctx, &rnd_buffer_rand, &info, MBEDTLS_RSA_PUBLIC, msg_len, message_str, output ) == result ); + TEST_ASSERT( rsa_pkcs1_encrypt( &ctx, &rnd_buffer_rand, &info, RSA_PUBLIC, msg_len, message_str, output ) == result ); if( result == 0 ) { hexify( output_str, output, ctx.len ); @@ -47,7 +47,7 @@ void pkcs1_rsaes_v15_encrypt( int mod, int radix_N, char *input_N, int radix_E, } exit: - mbedtls_rsa_free( &ctx ); + rsa_free( &ctx ); } /* END_CASE */ 
@@ -61,14 +61,14 @@ void pkcs1_rsaes_v15_decrypt( int mod, int radix_P, char *input_P, unsigned char message_str[1000]; unsigned char output[1000]; unsigned char output_str[1000]; - mbedtls_rsa_context ctx; - mbedtls_mpi P1, Q1, H, G; + rsa_context ctx; + mpi P1, Q1, H, G; size_t output_len; rnd_pseudo_info rnd_info; ((void) seed); - mbedtls_mpi_init( &P1 ); mbedtls_mpi_init( &Q1 ); mbedtls_mpi_init( &H ); mbedtls_mpi_init( &G ); - mbedtls_rsa_init( &ctx, MBEDTLS_RSA_PKCS_V15, hash ); + mpi_init( &P1 ); mpi_init( &Q1 ); mpi_init( &H ); mpi_init( &G ); + rsa_init( &ctx, RSA_PKCS_V15, hash ); memset( message_str, 0x00, 1000 ); memset( output, 0x00, 1000 ); 
@@ -76,25 +76,25 @@ void pkcs1_rsaes_v15_decrypt( int mod, int radix_P, char *input_P, memset( &rnd_info, 0, sizeof( rnd_pseudo_info ) ); ctx.len = mod / 8 + ( ( mod % 8 ) ? 1 : 0 ); - TEST_ASSERT( mbedtls_mpi_read_string( &ctx.P, radix_P, input_P ) == 0 ); - TEST_ASSERT( mbedtls_mpi_read_string( &ctx.Q, radix_Q, input_Q ) == 0 ); - TEST_ASSERT( mbedtls_mpi_read_string( &ctx.N, radix_N, input_N ) == 0 ); - TEST_ASSERT( mbedtls_mpi_read_string( &ctx.E, radix_E, input_E ) == 0 ); + TEST_ASSERT( mpi_read_string( &ctx.P, radix_P, input_P ) == 0 ); + TEST_ASSERT( mpi_read_string( &ctx.Q, radix_Q, input_Q ) == 0 ); + TEST_ASSERT( mpi_read_string( &ctx.N, radix_N, input_N ) == 0 ); + TEST_ASSERT( mpi_read_string( &ctx.E, radix_E, input_E ) == 0 ); - TEST_ASSERT( mbedtls_mpi_sub_int( &P1, &ctx.P, 1 ) == 0 ); - TEST_ASSERT( mbedtls_mpi_sub_int( &Q1, &ctx.Q, 1 ) == 0 ); - TEST_ASSERT( mbedtls_mpi_mul_mpi( &H, &P1, &Q1 ) == 0 ); - TEST_ASSERT( mbedtls_mpi_gcd( &G, &ctx.E, &H ) == 0 ); - TEST_ASSERT( mbedtls_mpi_inv_mod( &ctx.D , &ctx.E, &H ) == 0 ); - TEST_ASSERT( mbedtls_mpi_mod_mpi( &ctx.DP, &ctx.D, &P1 ) == 0 ); - TEST_ASSERT( mbedtls_mpi_mod_mpi( &ctx.DQ, &ctx.D, &Q1 ) == 0 ); - TEST_ASSERT( mbedtls_mpi_inv_mod( &ctx.QP, &ctx.Q, &ctx.P ) == 0 ); + TEST_ASSERT( mpi_sub_int( &P1, &ctx.P, 1 ) == 0 ); + TEST_ASSERT( mpi_sub_int( &Q1, &ctx.Q, 1 ) == 0 ); + TEST_ASSERT( mpi_mul_mpi( &H, &P1, &Q1 ) == 0 ); + TEST_ASSERT( mpi_gcd( &G, &ctx.E, &H ) == 0 ); + TEST_ASSERT( mpi_inv_mod( &ctx.D , &ctx.E, &H ) == 0 ); + TEST_ASSERT( mpi_mod_mpi( &ctx.DP, &ctx.D, &P1 ) == 0 ); + TEST_ASSERT( mpi_mod_mpi( &ctx.DQ, &ctx.D, &Q1 ) == 0 ); + TEST_ASSERT( mpi_inv_mod( &ctx.QP, &ctx.Q, &ctx.P ) == 0 ); - TEST_ASSERT( mbedtls_rsa_check_privkey( &ctx ) == 0 ); + TEST_ASSERT( rsa_check_privkey( &ctx ) == 0 ); unhexify( message_str, message_hex_string ); - TEST_ASSERT( mbedtls_rsa_pkcs1_decrypt( &ctx, &rnd_pseudo_rand, &rnd_info, MBEDTLS_RSA_PRIVATE, &output_len, message_str, output, 1000 ) == 
result ); + TEST_ASSERT( rsa_pkcs1_decrypt( &ctx, &rnd_pseudo_rand, &rnd_info, RSA_PRIVATE, &output_len, message_str, output, 1000 ) == result ); if( result == 0 ) { hexify( output_str, output, ctx.len ); @@ -103,8 +103,8 @@ void pkcs1_rsaes_v15_decrypt( int mod, int radix_P, char *input_P, } exit: - mbedtls_mpi_free( &P1 ); mbedtls_mpi_free( &Q1 ); mbedtls_mpi_free( &H ); mbedtls_mpi_free( &G ); - mbedtls_rsa_free( &ctx ); + mpi_free( &P1 ); mpi_free( &Q1 ); mpi_free( &H ); mpi_free( &G ); + rsa_free( &ctx ); } /* END_CASE */ From afe799f2ebe9edfba76586c5b1f011882b010ad9 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Wed, 16 Mar 2016 10:16:54 +0000 Subject: [PATCH 06/32] Fix the broken pkcs1 v1.5 test. The random buffer handed over to the test function was too small and the remaining bytes were generated by the default (platform dependant) function. --- tests/suites/test_suite_pkcs1_v15.data | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/suites/test_suite_pkcs1_v15.data b/tests/suites/test_suite_pkcs1_v15.data index a38d48add..b58aee6d8 100644 --- a/tests/suites/test_suite_pkcs1_v15.data +++ b/tests/suites/test_suite_pkcs1_v15.data 
@@ -1,5 +1,5 @@ RSAES-V15 Encryption Test Vector Int -pkcs1_rsaes_v15_encrypt:1024:16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":16:"11":POLARSSL_MD_SHA1:"d436e99569fd32a7c8a05bbc90d32c49":"aafd12f659cae63489b479e5076ddec2f06cb58f":"28818cb14236ad18f4527e7f1f7633e96cef021bc3234475d7f61e88702b6335b42a352ed3f3267ac7c3e9ba4af17e45096c63eefd8d9a7cb42dfc52fffb2f5b8afb305b46312c2eb50634123b4437a2287ac57b7509d59a583fb741989a49f32625e9267b4641a6607b7303d35c68489db53c8d387b620d0d46a852e72ea43c":0 +pkcs1_rsaes_v15_encrypt:1024:16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":16:"11":POLARSSL_MD_SHA1:"d436e99569fd32a7c8a05bbc90d32c49":"aafd12f659cae63489b479e5076ddec2f06cb58f67c6697351ff4aec29cdbaabf2fbe3467cc254f81be8e78d765a2e63339fc99a66320db73158a35a255d051758e95ed4abb2cdc69bb454110e827441213ddc8770e93ea141e1fc673e017e97eadc6b968f385c2aecb03bfb32":"6c5ebca6116b1e91316613fbb5e93197270a849122d549122d05815e2626f80d20f7f3f038c98295203c0f7f6bb8c3568455c67dec82bca86be86eff43b56b7ba2d15375f9a42454c2a2c709953a6e4a977462e35fd21a9c2fb3c0ad2a370f7655267bf6f04814784982988e663b869fc8588475af860d499e5a6ffdfc2c6bfd":0 RSAES-V15 Decryption Test Vector Int 
 pkcs1_rsaes_v15_decrypt:1024:16:"eecfae81b1b9b3c908810b10a1b5600199eb9f44aef4fda493b81a9e3d84f632124ef0236e5d1e3b7e28fae7aa040a2d5b252176459d1f397541ba2a58fb6599":16:"c97fb1f027f453f6341233eaaad1d9353f6c42d08866b1d05a0f2035028b9d869840b41666b42e92ea0da3b43204b5cfce3352524d0416a5a441e700af461503":16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":16:"11":POLARSSL_MD_SHA1:"d436e99569fd32a7c8a05bbc90d32c49":"aafd12f659cae63489b479e5076ddec2f06cb58f":"28818cb14236ad18f4527e7f1f7633e96cef021bc3234475d7f61e88702b6335b42a352ed3f3267ac7c3e9ba4af17e45096c63eefd8d9a7cb42dfc52fffb2f5b8afb305b46312c2eb50634123b4437a2287ac57b7509d59a583fb741989a49f32625e9267b4641a6607b7303d35c68489db53c8d387b620d0d46a852e72ea43c":0
From 19db48e16aaa7188749df761525fd029627dca58 Mon Sep 17 00:00:00 2001
From: Janos Follath
Date: Tue, 9 Feb 2016 14:51:35 +0000
Subject: [PATCH 07/32] Included test for integer underflow.
---
 library/rsa.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/library/rsa.c b/library/rsa.c
index 5ab636f52..6f652189f 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -710,8 +710,12 @@ int rsa_rsaes_oaep_decrypt( rsa_context *ctx,
 */
 hlen = md_get_size( md_info );
- md_init( &md_ctx );
- md_init_ctx( &md_ctx, md_info );
+ // checking for integer underflow
+ if( 2 * hlen + 2 > ilen )
+ return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
+
+ mbedtls_md_init( &md_ctx );
+ mbedtls_md_setup( &md_ctx, md_info, 0 );
 /* Generate lHash */
 md( md_info, label, label_len, lhash );
From 45a5f7406de50a6e2dac0289009a2d19ea9c0798 Mon Sep 17 00:00:00 2001
From: Janos Follath
Date: Wed, 10 Feb 2016 16:40:16 +0000
Subject: [PATCH 08/32] Add Changelog entry for current branch
---
 ChangeLog | 4 ++++
 1 file changed, 4 insertions(+)
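Review bot: The replacement seed is exactly 109 bytes, which is what `nb_pad = olen - 3 - ilen` yields for this 128-byte modulus and 16-byte message, so the vector now silently depends on two things the hunk does not state: that the v1.5 encoder consumes the seed byte-for-byte without re-drawing (it has to reject 0x00 padding bytes, and this seed happens to contain none), and that `rnd_buffer_rand` does not fall back to another generator once its buffer is exhausted — the commit message says the previous 20-byte seed did exactly that. A comment line above the vector would pin that down, e.g. `# seed supplies all 109 non-zero padding bytes; do not shorten it`, if the .data format accepts comments, and otherwise in the encrypt test function. The decrypt vector on the next line is unchanged and still decrypts the old ciphertext, which is consistent since decryption does not consume the seed.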
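Review bot: The two lines that replace `md_init( &md_ctx )` / `md_init_ctx( &md_ctx, md_info )` use the 2.x names `mbedtls_md_init` / `mbedtls_md_setup`, which nothing else in this 1.3 file uses (the same hunk calls `md_get_size` and `md( md_info, ... )` and returns `POLARSSL_ERR_RSA_BAD_INPUT_DATA`), so the branch will not build as committed; the removed lines should be kept verbatim. The underflow guard itself is right, but it runs after the RSA private operation whose output it protects the parsing of, and since `hlen` comes from the context and `ilen` appears to be the key length rather than anything ciphertext-dependent (its assignment is not visible here), it could sit before that operation at no cost. The file's existing comments use `/* */` (see `/* Generate lHash */` two lines below), so `/* Reject inputs too short to hold 2*hLen+2 bytes of padding. */` would match better than the `//` line. The function starts and ends outside this hunk.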
diff --git a/ChangeLog b/ChangeLog
index 86e000a22..7d3c5f26d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -6,6 +6,10 @@ Security
 * Fix missing padding length check in mbedtls_rsa_rsaes_pkcs1_v15_decrypt
 required by PKCS1 v2.2
+Security
+ * Fix a potential integer underflow to buffer overread in
+ mbedtls_rsa_rsaes_oaep_decrypt
+
 Bugfix
 * Fix bug in mbedtls_mpi_add_mpi() that caused wrong results when the three
 arguments where the same (in-place doubling). Found and fixed by Janos
From 1d114d2efa76ba77a4fa256bca4e412f32b611ac Mon Sep 17 00:00:00 2001
From: Janos Follath
Date: Thu, 11 Feb 2016 11:08:18 +0000
Subject: [PATCH 09/32] Move underflow test to make time constant
---
 library/rsa.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/library/rsa.c b/library/rsa.c
index 6f652189f..54635001c 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -695,6 +695,12 @@ int rsa_rsaes_oaep_decrypt( rsa_context *ctx,
 if( md_info == NULL )
 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
+ hlen = mbedtls_md_get_size( md_info );
+
+ // checking for integer underflow
+ if( 2 * hlen + 2 > ilen )
+ return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
 /*
 * RSA operation
 */
From e8864dd066699aad7b3c4fcfe630827454cdc539 Mon Sep 17 00:00:00 2001
From: Janos Follath
Date: Thu, 11 Feb 2016 11:15:44 +0000
Subject: [PATCH 10/32] Extended ChangeLog entry
---
 ChangeLog | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index 7d3c5f26d..9173c3db5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -8,7 +8,8 @@ Security
 Security
 * Fix a potential integer underflow to buffer overread in
- mbedtls_rsa_rsaes_oaep_decrypt
+ mbedtls_rsa_rsaes_oaep_decrypt. It is not triggerable remotely in
+ SSL/TLS.
 Bugfix
 * Fix bug in mbedtls_mpi_add_mpi() that caused wrong results when the three
From da51d9cbabe32dc5f22ee65c7e3bf3a55315f57b Mon Sep 17 00:00:00 2001
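Review bot: `mbedtls_md_get_size` and `MBEDTLS_ERR_RSA_BAD_INPUT_DATA` are 2.x identifiers; the context two lines above returns `POLARSSL_ERR_RSA_BAD_INPUT_DATA`, so on this branch the added lines should read `hlen = md_get_size( md_info );` and `return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );`. Moving the guard ahead of the RSA operation also leaves the copy the previous patch put after it in place, so unless that copy is dropped the same condition is evaluated twice and `hlen` is assigned twice. On the "time constant" rationale in the subject: the condition depends only on the hash size and on `ilen`, which appears to be the key length rather than anything derived from the ciphertext (not visible here), so its position cannot leak anything about the input either way — failing before the expensive private operation is the real benefit and would be the better commit message. The function starts and ends outside this hunk.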
From: Simon Butcher
Date: Wed, 16 Mar 2016 23:31:03 +0000
Subject: [PATCH 11/32] Fix ChangeLog after merging fix for IOTSSL-628
---
 ChangeLog | 2 --
 1 file changed, 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 9173c3db5..e54e74c18 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,8 +5,6 @@ mbed TLS ChangeLog (Sorted per branch, date)
 Security
 * Fix missing padding length check in mbedtls_rsa_rsaes_pkcs1_v15_decrypt
 required by PKCS1 v2.2
-
-Security
 * Fix a potential integer underflow to buffer overread in
 mbedtls_rsa_rsaes_oaep_decrypt. It is not triggerable remotely in
 SSL/TLS.
From 0bc725f2956da4f25fed2c93f058c67f8b6b26d1 Mon Sep 17 00:00:00 2001
From: Simon Butcher
Date: Thu, 17 Mar 2016 00:57:18 +0000
Subject: [PATCH 12/32] Fix for backprt of IOTSSL-628
Corrections to constand and function names changed between 1.3 and 2.1
---
 library/rsa.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/library/rsa.c b/library/rsa.c
index 54635001c..1472bd09b 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -695,11 +695,11 @@ int rsa_rsaes_oaep_decrypt( rsa_context *ctx,
 if( md_info == NULL )
 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
- hlen = mbedtls_md_get_size( md_info );
+ hlen = md_get_size( md_info );
 // checking for integer underflow
 if( 2 * hlen + 2 > ilen )
- return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+ return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
 /*
 * RSA operation
@@ -720,8 +720,8 @@ int rsa_rsaes_oaep_decrypt( rsa_context *ctx,
 if( 2 * hlen + 2 > ilen )
 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
- mbedtls_md_init( &md_ctx );
- mbedtls_md_setup( &md_ctx, md_info, 0 );
+ md_init( &md_ctx );
+ md_init_ctx( &md_ctx, md_info );
 /* Generate lHash */
 md( md_info, label, label_len, lhash );
From 7f1d78b56045de84910a45bc99b2509c0ab18cad Mon Sep 17 00:00:00 2001
From: Janos Follath
Date: Wed, 10 Feb 2016 16:25:55 +0000
Subject: [PATCH 13/32] Add Changelog entry for current branch
---
 ChangeLog | 4 ++++
 1 file changed, 4 insertions(+)
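Review bot: The second hunk still carries the original copy of the guard, `if( 2 * hlen + 2 > ilen ) return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );`, immediately below an `hlen = md_get_size( md_info );` that recomputes what the first hunk now computes before the RSA operation; with the early check in place the later one can never fire, so both the duplicate assignment and the duplicate test should be deleted here rather than left as dead code. The `// checking for integer underflow` line the first hunk keeps as context is also the only `//` comment in sight of a file that otherwise uses `/* */` (`/* Generate lHash */`, `/* RSA operation */`). The function starts and ends outside both hunks.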
diff --git a/ChangeLog b/ChangeLog
index e54e74c18..aef64c11e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -9,6 +9,10 @@ Security
 mbedtls_rsa_rsaes_oaep_decrypt. It is not triggerable remotely in
 SSL/TLS.
+Security
+ * Fix potential integer overflow to buffer overflow in
+ mbedtls_rsa_rsaes_pkcs1_v15_encrypt and mbedtls_rsa_rsaes_oaep_encrypt
+
 Bugfix
 * Fix bug in mbedtls_mpi_add_mpi() that caused wrong results when the three
 arguments where the same (in-place doubling). Found and fixed by Janos
From 6e5fb63cf61721ad56e490969b9112ae540c9a2e Mon Sep 17 00:00:00 2001
From: Janos Follath
Date: Mon, 8 Feb 2016 14:52:29 +0000
Subject: [PATCH 14/32] Included tests for the overflow
Conflicts:
 library/rsa.c
---
 library/rsa.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/library/rsa.c b/library/rsa.c
index 1472bd09b..e8aed73c8 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -519,7 +519,8 @@ int rsa_rsaes_oaep_encrypt( rsa_context *ctx,
 olen = ctx->len;
 hlen = md_get_size( md_info );
- if( olen < ilen + 2 * hlen + 2 )
+ // first comparison checks for overflow
+ if( ilen + 2 * hlen + 2 < ilen || olen < ilen + 2 * hlen + 2 )
 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
 memset( output, 0, olen );
@@ -585,7 +586,8 @@ int rsa_rsaes_pkcs1_v15_encrypt( rsa_context *ctx,
 olen = ctx->len;
- if( olen < ilen + 11 )
+ // first comparison checks for overflow
+ if( ilen + 11 < ilen || olen < ilen + 11 )
 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
 nb_pad = olen - 3 - ilen;
From fb2304a6407b4ad373e4fc3537e740128b5a375e Mon Sep 17 00:00:00 2001
From: Simon Butcher
Date: Thu, 17 Mar 2016 11:03:14 +0000
Subject: [PATCH 15/32] Fix ChangeLog for backport of IOTSSL-621
---
 ChangeLog | 2 --
 1 file changed, 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index aef64c11e..9cc7722ac 100644
--- a/ChangeLog
+++ b/ChangeLog
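Review bot: The wrap-around tests `ilen + 2 * hlen + 2 < ilen` and `ilen + 11 < ilen` are correct only because the addend is tiny compared with `SIZE_MAX`, which a reader has to work out; the same bound can be written so that no sum can wrap at all, `if( olen < 2 * hlen + 2 || ilen > olen - 2 * hlen - 2 )` for OAEP and `if( olen < 11 || ilen > olen - 11 )` for v1.5, which is also literally PKCS#1's mLen ≤ k − 2hLen − 2 and mLen ≤ k − 11 and needs no explanatory comment. If the wrap form is kept, the `// first comparison checks for overflow` lines should become `/* */` comments to match the rest of the file, and the second form also makes the later `nb_pad = olen - 3 - ilen` visibly non-negative. Both functions start and end outside these hunks.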
@@ -8,8 +8,6 @@ Security * Fix a potential integer underflow to buffer overread in mbedtls_rsa_rsaes_oaep_decrypt. It is not triggerable remotely in SSL/TLS. - -Security * Fix potential integer overflow to buffer overflow in mbedtls_rsa_rsaes_pkcs1_v15_encrypt and mbedtls_rsa_rsaes_oaep_encrypt From 33857f4c3de7bea28c63d5a5904e041163184a6e Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Mon, 14 Mar 2016 13:40:43 +0000 Subject: [PATCH 16/32] Update default configuration Change the default settings for SSL and modify the tests accordingly. --- ChangeLog | 1 + include/polarssl/config.h | 2 +- tests/compat.sh | 2 +- tests/scripts/all.sh | 21 +++++++++++++++++++++ tests/ssl-opt.sh | 18 ++++++++++++++++++ 5 files changed, 42 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index f6be09858..86e000a22 100644 --- a/ChangeLog +++ b/ChangeLog @@ -16,6 +16,7 @@ Changes * On ARM platforms, when compiling with -O0 with GCC, Clang or armcc5, don't use the optimized assembly for bignum multiplication. This removes the need to pass -fomit-frame-pointer to avoid a build error with -O0. + * Disabled SSLv3 in the default configuration. = mbed TLS 1.3.16 released 2016-01-05 diff --git a/include/polarssl/config.h b/include/polarssl/config.h index 4929aa1a9..8fdf36e84 100644 --- a/include/polarssl/config.h +++ b/include/polarssl/config.h @@ -1012,7 +1012,7 @@ * * Comment this macro to disable support for SSL 3.0 */ -#define POLARSSL_SSL_PROTO_SSL3 +//#define POLARSSL_SSL_PROTO_SSL3 /** * \def POLARSSL_SSL_PROTO_TLS1 diff --git a/tests/compat.sh b/tests/compat.sh index 04af41003..8d057af67 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -45,7 +45,7 @@ else fi # default values for options -MODES="ssl3 tls1 tls1_1 tls1_2" +MODES="tls1 tls1_1 tls1_2" VERIFIES="NO YES" TYPES="ECDSA RSA PSK" FILTER="" diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index dfc0061ca..ae82f7ba7 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh 
@@ -103,6 +103,27 @@ cd tests ./compat.sh cd .. +msg "build: Default + SSLv3 (ASan build)" # ~ 6 min +cleanup +cp "$CONFIG_H" "$CONFIG_BAK" +scripts/config.pl set POLARSSL_SSL_PROTO_SSL3 +CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . +make + +msg "test: SSLv3 - main suites and selftest (ASan build)" # ~ 50s +make test +programs/test/selftest + +msg "build: SSLv3 - compat.sh (ASan build)" # ~ 6 min +cd tests +./compat.sh -m 'ssl3 tls1 tls1_1 tls1_2' +cd .. + +msg "build: SSLv3 - ssl-opt.sh (ASan build)" # ~ 6 min +cd tests +./ssl-opt.sh +cd .. + msg "build: cmake, full config, clang" # ~ 50s cleanup cp "$CONFIG_H" "$CONFIG_BAK" diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index e2efae91c..dcf9bb1c2 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -66,6 +66,13 @@ get_options() { done } +# skip next test if the flag is not enabled in config.h +requires_config_enabled() { + if grep "^#define $1" $CONFIG_H > /dev/null; then :; else + SKIP_NEXT="YES" + fi +} + # skip next test if OpenSSL can't send SSLv2 ClientHello requires_openssl_with_sslv2() { if [ -z "${OPENSSL_HAS_SSL2:-}" ]; then @@ -560,6 +567,7 @@ run_test "Encrypt then MAC: client disabled, server enabled" \ -C "using encrypt then mac" \ -S "using encrypt then mac" +requires_config_enabled POLARSSL_SSL_PROTO_SSL3 run_test "Encrypt then MAC: client SSLv3, server enabled" \ "$P_SRV debug_level=3 min_version=ssl3 \ force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \ @@ -572,6 +580,7 @@ run_test "Encrypt then MAC: client SSLv3, server enabled" \ -C "using encrypt then mac" \ -S "using encrypt then mac" +requires_config_enabled POLARSSL_SSL_PROTO_SSL3 run_test "Encrypt then MAC: client enabled, server SSLv3" \ "$P_SRV debug_level=3 force_version=ssl3 \ force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \ 
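Review bot: The `msg` labels for the two new test steps read `build: SSLv3 - compat.sh (ASan build)` and `build: SSLv3 - ssl-opt.sh (ASan build)` although those steps run tests, while the step right above them correctly uses `test: SSLv3 - main suites and selftest (ASan build)`; `msg "test: SSLv3 - compat.sh (ASan build)"` and `msg "test: SSLv3 - ssl-opt.sh (ASan build)"` keep the log grep-able by phase. The step copies `$CONFIG_H` to `$CONFIG_BAK` before `config.pl set`, so restoration presumably happens in `cleanup`, which is outside this hunk and not verifiable here; a one-line comment `# config.h is restored by cleanup at the start of the next step` would save the next reader the same check.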
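Review bot: `grep "^#define $1"` in the new `requires_config_enabled` matches any macro whose name merely starts with `$1`, so a guard such as `requires_config_enabled POLARSSL_SSL_PROTO_SSL3` would also be satisfied by a longer name sharing that prefix and the test would run instead of being skipped; anchoring the name, `if grep "^#define $1\([[:space:]]\|$\)" $CONFIG_H > /dev/null; then :; else`, removes that ambiguity. The helper also gives no diagnostic when `$CONFIG_H` is unreadable or undefined (its definition is not visible in this hunk), in which case every guarded test is silently skipped rather than failing, and a `[ -r "$CONFIG_H" ] || exit 1` before the grep would make that loud. The sibling `requires_openssl_with_sslv2` directly below follows the same skip-next pattern, so the shape of the helper is consistent with the file.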
@@ -619,6 +628,7 @@ run_test "Extended Master Secret: client disabled, server enabled" \ -C "using extended master secret" \ -S "using extended master secret" +requires_config_enabled POLARSSL_SSL_PROTO_SSL3 run_test "Extended Master Secret: client SSLv3, server enabled" \ "$P_SRV debug_level=3 min_version=ssl3" \ "$P_CLI debug_level=3 force_version=ssl3" \ @@ -630,6 +640,7 @@ run_test "Extended Master Secret: client SSLv3, server enabled" \ -C "using extended master secret" \ -S "using extended master secret" +requires_config_enabled POLARSSL_SSL_PROTO_SSL3 run_test "Extended Master Secret: client enabled, server SSLv3" \ "$P_SRV debug_level=3 force_version=ssl3" \ "$P_CLI debug_level=3 min_version=ssl3" \ @@ -748,6 +759,7 @@ run_test "CBC Record splitting: TLS 1.0, splitting" \ -s "Read from client: 1 bytes read" \ -s "122 bytes read" +requires_config_enabled POLARSSL_SSL_PROTO_SSL3 run_test "CBC Record splitting: SSLv3, splitting" \ "$P_SRV min_version=ssl3" \ "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ @@ -1454,6 +1466,7 @@ run_test "Authentication: client no cert, openssl server optional" \ -c "skip write certificate verify" \ -C "! ssl_handshake returned" +requires_config_enabled POLARSSL_SSL_PROTO_SSL3 run_test "Authentication: client no cert, ssl3" \ "$P_SRV debug_level=3 auth_mode=optional force_version=ssl3" \ "$P_CLI debug_level=3 crt_file=none key_file=none min_version=ssl3" \ @@ -2159,6 +2172,7 @@ run_test "PSK callback: wrong key" \ # Tests for ciphersuites per version +requires_config_enabled POLARSSL_SSL_PROTO_SSL3 run_test "Per-version suites: SSL3" \ "$P_SRV min_version=ssl3 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-RC4-128-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \ "$P_CLI force_version=ssl3" \ 
@@ -2199,6 +2213,7 @@ run_test "ssl_get_bytes_avail: extra data" \ # Tests for small packets +requires_config_enabled POLARSSL_SSL_PROTO_SSL3 run_test "Small packet SSLv3 BlockCipher" \ "$P_SRV min_version=ssl3" \ "$P_CLI request_size=1 force_version=ssl3 \ @@ -2206,6 +2221,7 @@ run_test "Small packet SSLv3 BlockCipher" \ 0 \ -s "Read from client: 1 bytes read" +requires_config_enabled POLARSSL_SSL_PROTO_SSL3 run_test "Small packet SSLv3 StreamCipher" \ "$P_SRV min_version=ssl3 arc4=1" \ "$P_CLI request_size=1 force_version=ssl3 \ @@ -2340,6 +2356,7 @@ run_test "Small packet TLS 1.2 AEAD shorter tag" \ # Test for large packets +requires_config_enabled POLARSSL_SSL_PROTO_SSL3 run_test "Large packet SSLv3 BlockCipher" \ "$P_SRV min_version=ssl3" \ "$P_CLI request_size=16384 force_version=ssl3 recsplit=0 \ @@ -2347,6 +2364,7 @@ run_test "Large packet SSLv3 BlockCipher" \ 0 \ -s "Read from client: 16384 bytes read" +requires_config_enabled POLARSSL_SSL_PROTO_SSL3 run_test "Large packet SSLv3 StreamCipher" \ "$P_SRV min_version=ssl3 arc4=1" \ "$P_CLI request_size=16384 force_version=ssl3 \ From d886c4a419e6282a41c585a85f661a895b6831e4 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Tue, 9 Feb 2016 14:51:35 +0000 Subject: [PATCH 17/32] Included test for integer underflow. --- library/rsa.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/library/rsa.c b/library/rsa.c index 5ab636f52..6f652189f 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -710,8 +710,12 @@ int rsa_rsaes_oaep_decrypt( rsa_context *ctx, */ hlen = md_get_size( md_info ); - md_init( &md_ctx ); - md_init_ctx( &md_ctx, md_info ); + // checking for integer underflow + if( 2 * hlen + 2 > ilen ) + return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); + + mbedtls_md_init( &md_ctx ); + mbedtls_md_setup( &md_ctx, md_info, 0 ); /* Generate lHash */ md( md_info, label, label_len, lhash ); From 532d62f900c6d3fecf0b3e0169f76e1f667d2a1f Mon Sep 17 00:00:00 2001 
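Review bot: This hunk is byte-for-byte the same as PATCH 07/32's (`@@ -710,8 +710,12 @@`, same blob ids `5ab636f52..6f652189f`), and PATCHes 18–25 that follow repeat 08–15 under new commit ids; applied in order after 07–16 the second copy would likely not apply cleanly, since PATCH 09 and 12 have already changed the lines it expects as pre-image, so the exported series appears to contain a duplicated run and should be regenerated without it. The content-level remark from PATCH 07 applies unchanged: `mbedtls_md_init` / `mbedtls_md_setup` do not exist in this 1.3 file and the removed `md_init( &md_ctx )` / `md_init_ctx( &md_ctx, md_info )` lines should be kept. The function starts and ends outside this hunk.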
From: Janos Follath Date: Wed, 10 Feb 2016 16:40:16 +0000 Subject: [PATCH 18/32] Add Changelog entry for current branch --- ChangeLog | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ChangeLog b/ChangeLog index 86e000a22..7d3c5f26d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,6 +6,10 @@ Security * Fix missing padding length check in mbedtls_rsa_rsaes_pkcs1_v15_decrypt required by PKCS1 v2.2 +Security + * Fix a potential integer underflow to buffer overread in + mbedtls_rsa_rsaes_oaep_decrypt + Bugfix * Fix bug in mbedtls_mpi_add_mpi() that caused wrong results when the three arguments where the same (in-place doubling). Found and fixed by Janos From fb9d33047a0632eed2c8092ef615eb12d4982f50 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Thu, 11 Feb 2016 11:08:18 +0000 Subject: [PATCH 19/32] Move underflow test to make time constant --- library/rsa.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/library/rsa.c b/library/rsa.c index 6f652189f..54635001c 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -695,6 +695,12 @@ int rsa_rsaes_oaep_decrypt( rsa_context *ctx, if( md_info == NULL ) return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); + hlen = mbedtls_md_get_size( md_info ); + + // checking for integer underflow + if( 2 * hlen + 2 > ilen ) + return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); + /* * RSA operation */ From 21b967137d0805adba887eaa3702693868d6233b Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Thu, 11 Feb 2016 11:15:44 +0000 Subject: [PATCH 20/32] Extended ChangeLog entry --- ChangeLog | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 7d3c5f26d..9173c3db5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -8,7 +8,8 @@ Security Security * Fix a potential integer underflow to buffer overread in - mbedtls_rsa_rsaes_oaep_decrypt + mbedtls_rsa_rsaes_oaep_decrypt. It is not triggerable remotely in + SSL/TLS. Bugfix * Fix bug in mbedtls_mpi_add_mpi() that caused wrong results when the three 
From c0dfe440c73a71b9c79568a7862071ce61c27a2c Mon Sep 17 00:00:00 2001 From: Simon Butcher Date: Wed, 16 Mar 2016 23:31:03 +0000 Subject: [PATCH 21/32] Fix ChangeLog after merging fix for IOTSSL-628 --- ChangeLog | 2 -- 1 file changed, 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 9173c3db5..e54e74c18 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5,8 +5,6 @@ mbed TLS ChangeLog (Sorted per branch, date) Security * Fix missing padding length check in mbedtls_rsa_rsaes_pkcs1_v15_decrypt required by PKCS1 v2.2 - -Security * Fix a potential integer underflow to buffer overread in mbedtls_rsa_rsaes_oaep_decrypt. It is not triggerable remotely in SSL/TLS. From c7971b51ced6fe87d60e95ad6428c0915e1de970 Mon Sep 17 00:00:00 2001 From: Simon Butcher Date: Thu, 17 Mar 2016 00:57:18 +0000 Subject: [PATCH 22/32] Fix for backprt of IOTSSL-628 Corrections to constand and function names changed between 1.3 and 2.1 --- library/rsa.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/library/rsa.c b/library/rsa.c index 54635001c..1472bd09b 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -695,11 +695,11 @@ int rsa_rsaes_oaep_decrypt( rsa_context *ctx, if( md_info == NULL ) return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); - hlen = mbedtls_md_get_size( md_info ); + hlen = md_get_size( md_info ); // checking for integer underflow if( 2 * hlen + 2 > ilen ) - return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); + return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); /* * RSA operation @@ -720,8 +720,8 @@ int rsa_rsaes_oaep_decrypt( rsa_context *ctx, if( 2 * hlen + 2 > ilen ) return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); - mbedtls_md_init( &md_ctx ); - mbedtls_md_setup( &md_ctx, md_info, 0 ); + md_init( &md_ctx ); + md_init_ctx( &md_ctx, md_info ); /* Generate lHash */ md( md_info, label, label_len, lhash ); From bedc728fedfeb8d5b13cde7cad0bd1c279bfcd7a Mon Sep 17 00:00:00 2001 
From: Janos Follath Date: Wed, 10 Feb 2016 16:25:55 +0000 Subject: [PATCH 23/32] Add Changelog entry for current branch --- ChangeLog | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ChangeLog b/ChangeLog index e54e74c18..aef64c11e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,6 +9,10 @@ Security mbedtls_rsa_rsaes_oaep_decrypt. It is not triggerable remotely in SSL/TLS. +Security + * Fix potential integer overflow to buffer overflow in + mbedtls_rsa_rsaes_pkcs1_v15_encrypt and mbedtls_rsa_rsaes_oaep_encrypt + Bugfix * Fix bug in mbedtls_mpi_add_mpi() that caused wrong results when the three arguments where the same (in-place doubling). Found and fixed by Janos From d95e8d1cb4ac2411d627042e21f07f27511d237c Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Mon, 8 Feb 2016 14:52:29 +0000 Subject: [PATCH 24/32] Included tests for the overflow Conflicts: library/rsa.c --- library/rsa.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/library/rsa.c b/library/rsa.c index 1472bd09b..e8aed73c8 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -519,7 +519,8 @@ int rsa_rsaes_oaep_encrypt( rsa_context *ctx, olen = ctx->len; hlen = md_get_size( md_info ); - if( olen < ilen + 2 * hlen + 2 ) + // first comparison checks for overflow + if( ilen + 2 * hlen + 2 < ilen || olen < ilen + 2 * hlen + 2 ) return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); memset( output, 0, olen ); @@ -585,7 +586,8 @@ int rsa_rsaes_pkcs1_v15_encrypt( rsa_context *ctx, olen = ctx->len; - if( olen < ilen + 11 ) + // first comparison checks for overflow + if( ilen + 11 < ilen || olen < ilen + 11 ) return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); nb_pad = olen - 3 - ilen; From bee781981996df25573453ede2a219625d8a9a81 Mon Sep 17 00:00:00 2001 From: Simon Butcher Date: Thu, 17 Mar 2016 11:03:14 +0000 Subject: [PATCH 25/32] Fix ChangeLog for backport of IOTSSL-621 --- ChangeLog | 2 -- 1 file changed, 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index aef64c11e..9cc7722ac 100644 --- a/ChangeLog 
+++ b/ChangeLog @@ -8,8 +8,6 @@ Security * Fix a potential integer underflow to buffer overread in mbedtls_rsa_rsaes_oaep_decrypt. It is not triggerable remotely in SSL/TLS. - -Security * Fix potential integer overflow to buffer overflow in mbedtls_rsa_rsaes_pkcs1_v15_encrypt and mbedtls_rsa_rsaes_oaep_encrypt From d255c0e4306416b73142c519fbe7baa8eb595809 Mon Sep 17 00:00:00 2001 From: Simon Butcher Date: Sun, 10 Apr 2016 00:03:16 +0100 Subject: [PATCH 26/32] Adds test_suite_pkcs1_v15 to tests/Makefile --- tests/Makefile | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/tests/Makefile b/tests/Makefile index 25b704a5f..307b7e13c 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -75,7 +75,7 @@ APPS = test_suite_aes.ecb$(EXEXT) test_suite_aes.cbc$(EXEXT) \ test_suite_md$(EXEXT) test_suite_mdx$(EXEXT) \ test_suite_memory_buffer_alloc$(EXEXT) \ test_suite_mpi$(EXEXT) test_suite_pbkdf2$(EXEXT) \ - test_suite_pem$(EXEXT) \ + test_suite_pem$(EXEXT) test_suite_pkcs1_v15$(EXEXT) \ test_suite_pkcs1_v21$(EXEXT) test_suite_pkcs5$(EXEXT) \ test_suite_pkparse$(EXEXT) test_suite_pkwrite$(EXEXT) \ test_suite_pk$(EXEXT) \ @@ -367,6 +367,10 @@ test_suite_pem$(EXEXT): test_suite_pem.c $(DEP) echo " CC $<" $(CC) $(LOCAL_CFLAGS) $(CFLAGS) $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ +test_suite_pkcs1_v15$(EXEXT): test_suite_pkcs1_v15.c $(DEP) + echo " CC $<" + $(CC) $(LOCAL_CFLAGS) $(CFLAGS) $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ + test_suite_pkcs1_v21$(EXEXT): test_suite_pkcs1_v21.c $(DEP) echo " CC $<" $(CC) $(LOCAL_CFLAGS) $(CFLAGS) $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ From 8970fd6ab9fee5cb5d21effe2faa232794018c3e Mon Sep 17 00:00:00 2001 
From: Janos Follath Date: Wed, 16 Mar 2016 16:39:41 +0000 Subject: [PATCH 27/32] Add tests to cover PKCS1 v1.5 signature functions. The reported memory leak should have been spotted by make memcheck But it wasn't. Keeping the tests for better coverage. --- tests/suites/test_suite_pkcs1_v15.data | 5 + tests/suites/test_suite_pkcs1_v15.function | 157 +++++++++++++++++++++ 2 files changed, 162 insertions(+) diff --git a/tests/suites/test_suite_pkcs1_v15.data b/tests/suites/test_suite_pkcs1_v15.data index b58aee6d8..f7f0b184e 100644 --- a/tests/suites/test_suite_pkcs1_v15.data +++ b/tests/suites/test_suite_pkcs1_v15.data 
@@ -28,3 +28,8 @@ pkcs1_rsaes_v15_encrypt:1024:16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a RSAES-V15 Decryption Test Vector Padding too short 0 pkcs1_rsaes_v15_decrypt:1024:16:"eecfae81b1b9b3c908810b10a1b5600199eb9f44aef4fda493b81a9e3d84f632124ef0236e5d1e3b7e28fae7aa040a2d5b252176459d1f397541ba2a58fb6599":16:"c97fb1f027f453f6341233eaaad1d9353f6c42d08866b1d05a0f2035028b9d869840b41666b42e92ea0da3b43204b5cfce3352524d0416a5a441e700af461503":16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":16:"11":POLARSSL_MD_SHA1:"a5a384ef64a6acb84293cecc8095232ae595b84c15ec26f35cf5fde88ae7a9aaa717bcb1ecc4de498da81db97425000770817b5dde5eed01ca3745ff5ab894d0fc0921e5a10b081490129d8ccbaa154ad3dd461397af8ec964ef99402d60a7591ee44b8ce1c16ef88fcb2717076c730d88223893bdd8000b23d87d38ab":"aafd12f659cae63489b479e5076ddec2f06cb58f":"72f98d12ddc230484179ec3022d11b3719222daaa0dc016fc3dbd6771a3f2c9fdd0560f86d616dd50ef1fa5b8c7e1fc40b5abf7b845d7795b3a6af02457b97f783360575cde7497bdf9c104650d4e9a8f4034406de1af95ace39bef2b9e979b74d9a2c0a741d8a21221d9afc98992776cad52d73151613dbc10da9bd8038751a":POLARSSL_ERR_RSA_INVALID_PADDING +RSASSA-V15 Signing Test Vector Int 
+pkcs1_rsassa_v15_sign:1024:16:"d17f655bf27c8b16d35462c905cc04a26f37e2a67fa9c0ce0dced472394a0df743fe7f929e378efdb368eddff453cf007af6d948e0ade757371f8a711e278f6b":16:"c6d92b6fee7414d1358ce1546fb62987530b90bd15e0f14963a5e2635adb69347ec0c01b2ab1763fd8ac1a592fb22757463a982425bb97a3a437c5bf86d03f2f":16:"a2ba40ee07e3b2bd2f02ce227f36a195024486e49c19cb41bbbdfbba98b22b0e577c2eeaffa20d883a76e65e394c69d4b3c05a1e8fadda27edb2a42bc000fe888b9b32c22d15add0cd76b3e7936e19955b220dd17d4ea904b1ec102b2e4de7751222aa99151024c7cb41cc5ea21d00eeb41f7c800834d2c6e06bce3bce7ea9a5":16:"010001":POLARSSL_MD_SHA1:POLARSSL_MD_SHA1:"859eef2fd78aca00308bdc471193bf55bf9d78db8f8a672b484634f3c9c26e6478ae10260fe0dd8c082e53a5293af2173cd50c6d5d354febf78b26021c25c02712e78cd4694c9f469777e451e7f8e9e04cd3739c6bbfedae487fb55644e9ca74ff77a53cb729802f6ed4a5ffa8ba159890fc":"e3b5d5d002c1bce50c2b65ef88a188d83bce7e61":"2154f928615e5101fcdeb57bc08fc2f35c3d5996403861ae3efb1d0712f8bb05cc21f7f5f11f62e5b6ea9f0f2b62180e5cbe7ba535032d6ac8068fff7f362f73d2c3bf5eca6062a1723d7cfd5abb6dcf7e405f2dc560ffe6fc37d38bee4dc9e24fe2bece3e3b4a3f032701d3f0947b42930083dd4ad241b3309b514595482d42":0 + +RSASSA-V15 Verification Test Vector Int 
+pkcs1_rsassa_v15_verify:1024:16:"a2ba40ee07e3b2bd2f02ce227f36a195024486e49c19cb41bbbdfbba98b22b0e577c2eeaffa20d883a76e65e394c69d4b3c05a1e8fadda27edb2a42bc000fe888b9b32c22d15add0cd76b3e7936e19955b220dd17d4ea904b1ec102b2e4de7751222aa99151024c7cb41cc5ea21d00eeb41f7c800834d2c6e06bce3bce7ea9a5":16:"010001":POLARSSL_MD_SHA1:POLARSSL_MD_SHA1:"859eef2fd78aca00308bdc471193bf55bf9d78db8f8a672b484634f3c9c26e6478ae10260fe0dd8c082e53a5293af2173cd50c6d5d354febf78b26021c25c02712e78cd4694c9f469777e451e7f8e9e04cd3739c6bbfedae487fb55644e9ca74ff77a53cb729802f6ed4a5ffa8ba159890fc":"e3b5d5d002c1bce50c2b65ef88a188d83bce7e61":"2154f928615e5101fcdeb57bc08fc2f35c3d5996403861ae3efb1d0712f8bb05cc21f7f5f11f62e5b6ea9f0f2b62180e5cbe7ba535032d6ac8068fff7f362f73d2c3bf5eca6062a1723d7cfd5abb6dcf7e405f2dc560ffe6fc37d38bee4dc9e24fe2bece3e3b4a3f032701d3f0947b42930083dd4ad241b3309b514595482d42":0 diff --git a/tests/suites/test_suite_pkcs1_v15.function b/tests/suites/test_suite_pkcs1_v15.function index 2b7d4561b..0323e5a92 100644 --- a/tests/suites/test_suite_pkcs1_v15.function +++ b/tests/suites/test_suite_pkcs1_v15.function 
@@ -108,3 +108,160 @@ exit: } /* END_CASE */ +/* BEGIN_CASE */ +void pkcs1_rsassa_v15_sign( int mod, int radix_P, char *input_P, int radix_Q, + char *input_Q, int radix_N, char *input_N, + int radix_E, char *input_E, int digest, int hash, + char *message_hex_string, char *salt, + char *result_hex_str, int result ) +{ + unsigned char message_str[1000]; + unsigned char hash_result[1000]; + unsigned char output[1000]; + unsigned char output_str[1000]; + unsigned char rnd_buf[1000]; + rsa_context ctx; + mpi P1, Q1, H, G; + size_t msg_len; + rnd_buf_info info; + + info.length = unhexify( rnd_buf, salt ); + info.buf = rnd_buf; + + mpi_init( &P1 ); mpi_init( &Q1 ); mpi_init( &H ); mpi_init( &G ); + rsa_init( &ctx, RSA_PKCS_V15, hash ); + + memset( message_str, 0x00, 1000 ); + memset( hash_result, 0x00, 1000 ); + memset( output, 0x00, 1000 ); + memset( output_str, 0x00, 1000 ); + + ctx.len = mod / 8 + ( ( mod % 8 ) ? 1 : 0 ); + TEST_ASSERT( mpi_read_string( &ctx.P, radix_P, input_P ) == 0 ); + TEST_ASSERT( mpi_read_string( &ctx.Q, radix_Q, input_Q ) == 0 ); + TEST_ASSERT( mpi_read_string( &ctx.N, radix_N, input_N ) == 0 ); + TEST_ASSERT( mpi_read_string( &ctx.E, radix_E, input_E ) == 0 ); + + TEST_ASSERT( mpi_sub_int( &P1, &ctx.P, 1 ) == 0 ); + TEST_ASSERT( mpi_sub_int( &Q1, &ctx.Q, 1 ) == 0 ); + TEST_ASSERT( mpi_mul_mpi( &H, &P1, &Q1 ) == 0 ); + TEST_ASSERT( mpi_gcd( &G, &ctx.E, &H ) == 0 ); + TEST_ASSERT( mpi_inv_mod( &ctx.D , &ctx.E, &H ) == 0 ); + TEST_ASSERT( mpi_mod_mpi( &ctx.DP, &ctx.D, &P1 ) == 0 ); + TEST_ASSERT( mpi_mod_mpi( &ctx.DQ, &ctx.D, &Q1 ) == 0 ); + TEST_ASSERT( mpi_inv_mod( &ctx.QP, &ctx.Q, &ctx.P ) == 0 ); + + TEST_ASSERT( rsa_check_privkey( &ctx ) == 0 ); + + msg_len = unhexify( message_str, message_hex_string ); + + if( md_info_from_type( digest ) != NULL ) + TEST_ASSERT( md( md_info_from_type( digest ), message_str, msg_len, hash_result ) == 0 ); + + TEST_ASSERT( rsa_pkcs1_sign( &ctx, &rnd_buffer_rand, &info, RSA_PRIVATE, digest, 0, hash_result, 
output ) == result ); + if( result == 0 ) + { + hexify( output_str, output, ctx.len); + + TEST_ASSERT( strcasecmp( (char *) output_str, result_hex_str ) == 0 ); + } + +exit: + mpi_free( &P1 ); mpi_free( &Q1 ); mpi_free( &H ); mpi_free( &G ); + rsa_free( &ctx ); +} +/* END_CASE */ + +/* BEGIN_CASE */ +void pkcs1_rsassa_v15_verify( int mod, int radix_N, char *input_N, int radix_E, + char *input_E, int digest, int hash, + char *message_hex_string, char *salt, + char *result_hex_str, int result ) +{ + unsigned char message_str[1000]; + unsigned char hash_result[1000]; + unsigned char result_str[1000]; + rsa_context ctx; + size_t msg_len; + ((void) salt); + + rsa_init( &ctx, RSA_PKCS_V15, hash ); + memset( message_str, 0x00, 1000 ); + memset( hash_result, 0x00, 1000 ); + memset( result_str, 0x00, 1000 ); + + ctx.len = mod / 8 + ( ( mod % 8 ) ? 1 : 0 ); + TEST_ASSERT( mpi_read_string( &ctx.N, radix_N, input_N ) == 0 ); + TEST_ASSERT( mpi_read_string( &ctx.E, radix_E, input_E ) == 0 ); + + TEST_ASSERT( rsa_check_pubkey( &ctx ) == 0 ); + + msg_len = unhexify( message_str, message_hex_string ); + unhexify( result_str, result_hex_str ); + + if( md_info_from_type( digest ) != NULL ) + TEST_ASSERT( md( md_info_from_type( digest ), message_str, msg_len, hash_result ) == 0 ); + + TEST_ASSERT( rsa_pkcs1_verify( &ctx, NULL, NULL, RSA_PUBLIC, digest, 0, hash_result, result_str ) == result ); + +exit: + rsa_free( &ctx ); +} +/* END_CASE */ + +/* BEGIN_CASE */ +void pkcs1_rsassa_v15_verify_ext( int mod, + int radix_N, char *input_N, + int radix_E, char *input_E, + int msg_digest_id, int ctx_hash, + int mgf_hash, int salt_len, + char *message_hex_string, + char *result_hex_str, + int result_simple, + int result_full ) +{ + unsigned char message_str[1000]; + unsigned char hash_result[1000]; + unsigned char result_str[1000]; + rsa_context ctx; + size_t msg_len, hash_len; + + rsa_init( &ctx, RSA_PKCS_V15, ctx_hash ); + memset( message_str, 0x00, 1000 ); + memset( hash_result, 0x00, 1000 
); + memset( result_str, 0x00, 1000 ); + + ctx.len = mod / 8 + ( ( mod % 8 ) ? 1 : 0 ); + TEST_ASSERT( mpi_read_string( &ctx.N, radix_N, input_N ) == 0 ); + TEST_ASSERT( mpi_read_string( &ctx.E, radix_E, input_E ) == 0 ); + + TEST_ASSERT( rsa_check_pubkey( &ctx ) == 0 ); + + msg_len = unhexify( message_str, message_hex_string ); + unhexify( result_str, result_hex_str ); + + if( msg_digest_id != POLARSSL_MD_NONE ) + { + TEST_ASSERT( md( md_info_from_type( msg_digest_id ), + message_str, msg_len, hash_result ) == 0 ); + hash_len = 0; + } + else + { + memcpy( hash_result, message_str, msg_len ); + hash_len = msg_len; + } + + TEST_ASSERT( rsa_pkcs1_verify( &ctx, NULL, NULL, RSA_PUBLIC, + msg_digest_id, hash_len, hash_result, + result_str ) == result_simple ); + + TEST_ASSERT( rsa_rsassa_pss_verify_ext( &ctx, NULL, NULL, RSA_PUBLIC, + msg_digest_id, hash_len, hash_result, + mgf_hash, salt_len, + result_str ) == result_full ); + +exit: + rsa_free( &ctx ); +} +/* END_CASE */ From fa4a88a8ebdaf55ebcf24916a9d5e5a03c5c0967 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Thu, 17 Mar 2016 15:21:39 +0000 Subject: [PATCH 28/32] Fix memory leaks in example programs. --- programs/pkey/rsa_decrypt.c | 8 ++++---- programs/pkey/rsa_encrypt.c | 4 ++-- programs/pkey/rsa_sign.c | 5 +++-- programs/pkey/rsa_verify.c | 6 ++++-- 4 files changed, 13 insertions(+), 10 deletions(-) diff --git a/programs/pkey/rsa_decrypt.c b/programs/pkey/rsa_decrypt.c index dfa475c1a..0ea50074b 100644 --- a/programs/pkey/rsa_decrypt.c +++ b/programs/pkey/rsa_decrypt.c @@ -69,6 +69,8 @@ int main( int argc, char *argv[] ) ((void) argv); memset(result, 0, sizeof( result ) ); + entropy_init( &entropy ); + rsa_init( &rsa, RSA_PKCS_V15, 0 ); ret = 1; if( argc != 1 ) 
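Review bot: Only success vectors (`result` of 0) are added for pkcs1_rsassa_v15_sign and pkcs1_rsassa_v15_verify, so the verify case never exercises the rejection path; a second verify vector with an altered signature or hash and a non-zero expected result would cover the branch that matters for signature checking. pkcs1_rsassa_v15_verify also takes a `salt` argument that it immediately discards with `((void) salt);`, which suggests the data-file column was carried over from the sign case; dropping it from both the .function and .data file keeps the test signature honest. Minor style: the literal `1000` in `memset( message_str, 0x00, 1000 );` and its siblings duplicates the array size and would be safer as `sizeof( message_str )`.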
@@ -79,13 +81,12 @@ int main( int argc, char *argv[] ) polarssl_printf( "\n" ); #endif - goto exit; + return ret; } polarssl_printf( "\n . Seeding the random number generator..." ); fflush( stdout ); - entropy_init( &entropy ); if( ( ret = ctr_drbg_init( &ctr_drbg, entropy_func, &entropy, (const unsigned char *) pers, strlen( pers ) ) ) != 0 ) @@ -104,8 +105,6 @@ int main( int argc, char *argv[] ) goto exit; } - rsa_init( &rsa, RSA_PKCS_V15, 0 ); - if( ( ret = mpi_read_file( &rsa.N , 16, f ) ) != 0 || ( ret = mpi_read_file( &rsa.E , 16, f ) ) != 0 || ( ret = mpi_read_file( &rsa.D , 16, f ) ) != 0 || @@ -171,6 +170,7 @@ int main( int argc, char *argv[] ) exit: ctr_drbg_free( &ctr_drbg ); entropy_free( &entropy ); + rsa_free( &rsa ); #if defined(_WIN32) polarssl_printf( " + Press Enter to exit this program.\n" ); diff --git a/programs/pkey/rsa_encrypt.c b/programs/pkey/rsa_encrypt.c index 683183324..0e9b9e3cb 100644 --- a/programs/pkey/rsa_encrypt.c +++ b/programs/pkey/rsa_encrypt.c @@ -68,6 +68,7 @@ int main( int argc, char *argv[] ) unsigned char buf[512]; const char *pers = "rsa_encrypt"; + rsa_init( &rsa, RSA_PKCS_V15, 0 ); ret = 1; if( argc != 2 ) @@ -104,8 +105,6 @@ int main( int argc, char *argv[] ) goto exit; } - rsa_init( &rsa, RSA_PKCS_V15, 0 ); - if( ( ret = mpi_read_file( &rsa.N, 16, f ) ) != 0 || ( ret = mpi_read_file( &rsa.E, 16, f ) ) != 0 ) { @@ -160,6 +159,7 @@ int main( int argc, char *argv[] ) exit: ctr_drbg_free( &ctr_drbg ); entropy_free( &entropy ); + rsa_free( &rsa ); #if defined(_WIN32) polarssl_printf( " + Press Enter to exit this program.\n" ); diff --git a/programs/pkey/rsa_sign.c b/programs/pkey/rsa_sign.c index c9bdd3afe..a3162f263 100644 --- a/programs/pkey/rsa_sign.c +++ b/programs/pkey/rsa_sign.c @@ -67,6 +67,7 @@ int main( int argc, char *argv[] ) unsigned char buf[POLARSSL_MPI_MAX_SIZE]; char filename[512]; + rsa_init( &rsa, RSA_PKCS_V15, 0 ); ret = 1; if( argc != 2 ) 
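Review bot: In rsa_decrypt.c the usage-error path now does `return ret;` instead of `goto exit;`, but the first hunk of this file hoisted `entropy_init( &entropy );` and `rsa_init( &rsa, RSA_PKCS_V15, 0 );` above the `argc` check, so the early return skips the `entropy_free`/`rsa_free` calls that the `exit:` hunk relies on. Keeping `goto exit;` there, or running the two init calls only after the argument check, avoids leaving initialised contexts behind on that path. The other three programs hoist `rsa_init` the same way; whether their usage paths reach `exit:` is not visible in these hunks, and main's body runs outside them.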
@@ -91,8 +92,6 @@ int main( int argc, char *argv[] ) goto exit; } - rsa_init( &rsa, RSA_PKCS_V15, 0 ); - if( ( ret = mpi_read_file( &rsa.N , 16, f ) ) != 0 || ( ret = mpi_read_file( &rsa.E , 16, f ) ) != 0 || ( ret = mpi_read_file( &rsa.D , 16, f ) ) != 0 || @@ -160,6 +159,8 @@ int main( int argc, char *argv[] ) exit: + rsa_free( &rsa ); + #if defined(_WIN32) polarssl_printf( " + Press Enter to exit this program.\n" ); fflush( stdout ); getchar(); diff --git a/programs/pkey/rsa_verify.c b/programs/pkey/rsa_verify.c index 4011df6a2..ece1588df 100644 --- a/programs/pkey/rsa_verify.c +++ b/programs/pkey/rsa_verify.c @@ -66,7 +66,9 @@ int main( int argc, char *argv[] ) unsigned char buf[POLARSSL_MPI_MAX_SIZE]; char filename[512]; + rsa_init( &rsa, RSA_PKCS_V15, 0 ); ret = 1; + if( argc != 2 ) { polarssl_printf( "usage: rsa_verify \n" ); @@ -88,8 +90,6 @@ int main( int argc, char *argv[] ) goto exit; } - rsa_init( &rsa, RSA_PKCS_V15, 0 ); - if( ( ret = mpi_read_file( &rsa.N, 16, f ) ) != 0 || ( ret = mpi_read_file( &rsa.E, 16, f ) ) != 0 ) { @@ -152,6 +152,8 @@ int main( int argc, char *argv[] ) exit: + rsa_free( &rsa ); + #if defined(_WIN32) polarssl_printf( " + Press Enter to exit this program.\n" ); fflush( stdout ); getchar(); From de62b6e3968151dcb207387c41c9ff15539809f3 Mon Sep 17 00:00:00 2001 From: Simon Butcher Date: Tue, 12 Apr 2016 17:36:34 +0100 Subject: [PATCH 29/32] Fixes error and exit paths in rsa sample programs --- programs/pkey/rsa_decrypt.c | 60 +++++++++++++++++++++---------------- programs/pkey/rsa_encrypt.c | 49 ++++++++++++++++++------------ 2 files changed, 64 insertions(+), 45 deletions(-) diff --git a/programs/pkey/rsa_decrypt.c b/programs/pkey/rsa_decrypt.c index 0ea50074b..292092c3c 100644 --- a/programs/pkey/rsa_decrypt.c +++ b/programs/pkey/rsa_decrypt.c @@ -31,6 +31,7 @@ #else #include #define polarssl_printf printf +#define polarssl_exit exit #endif #if defined(POLARSSL_BIGNUM_C) && defined(POLARSSL_RSA_C) && \ 
@@ -58,7 +59,7 @@ int main( void ) int main( int argc, char *argv[] ) { FILE *f; - int ret, c; + int return_val, exit_val, c; size_t i; rsa_context rsa; entropy_context entropy; @@ -69,9 +70,7 @@ int main( int argc, char *argv[] ) ((void) argv); memset(result, 0, sizeof( result ) ); - entropy_init( &entropy ); - rsa_init( &rsa, RSA_PKCS_V15, 0 ); - ret = 1; + exit_val = 0; if( argc != 1 ) { @@ -81,17 +80,23 @@ int main( int argc, char *argv[] ) polarssl_printf( "\n" ); #endif - return ret; + polarssl_exit( 1 ); } polarssl_printf( "\n . Seeding the random number generator..." ); fflush( stdout ); - if( ( ret = ctr_drbg_init( &ctr_drbg, entropy_func, &entropy, + entropy_init( &entropy ); + rsa_init( &rsa, RSA_PKCS_V15, 0 ); + + return_val = ctr_drbg_init( &ctr_drbg, entropy_func, &entropy, (const unsigned char *) pers, - strlen( pers ) ) ) != 0 ) + strlen( pers ) ); + if( return_val != 0 ) { - polarssl_printf( " failed\n ! ctr_drbg_init returned %d\n", ret ); + exit_val = 1; + polarssl_printf( " failed\n ! ctr_drbg_init returned %d\n", + return_val ); goto exit; } 
@@ -100,21 +105,24 @@ int main( int argc, char *argv[] ) if( ( f = fopen( "rsa_priv.txt", "rb" ) ) == NULL ) { + exit_val = 1; polarssl_printf( " failed\n ! Could not open rsa_priv.txt\n" \ " ! Please run rsa_genkey first\n\n" ); goto exit; } - if( ( ret = mpi_read_file( &rsa.N , 16, f ) ) != 0 || - ( ret = mpi_read_file( &rsa.E , 16, f ) ) != 0 || - ( ret = mpi_read_file( &rsa.D , 16, f ) ) != 0 || - ( ret = mpi_read_file( &rsa.P , 16, f ) ) != 0 || - ( ret = mpi_read_file( &rsa.Q , 16, f ) ) != 0 || - ( ret = mpi_read_file( &rsa.DP, 16, f ) ) != 0 || - ( ret = mpi_read_file( &rsa.DQ, 16, f ) ) != 0 || - ( ret = mpi_read_file( &rsa.QP, 16, f ) ) != 0 ) + if( ( return_val = mpi_read_file( &rsa.N , 16, f ) ) != 0 || + ( return_val = mpi_read_file( &rsa.E , 16, f ) ) != 0 || + ( return_val = mpi_read_file( &rsa.D , 16, f ) ) != 0 || + ( return_val = mpi_read_file( &rsa.P , 16, f ) ) != 0 || + ( return_val = mpi_read_file( &rsa.Q , 16, f ) ) != 0 || + ( return_val = mpi_read_file( &rsa.DP, 16, f ) ) != 0 || + ( return_val = mpi_read_file( &rsa.DQ, 16, f ) ) != 0 || + ( return_val = mpi_read_file( &rsa.QP, 16, f ) ) != 0 ) { - polarssl_printf( " failed\n ! mpi_read_file returned %d\n\n", ret ); + exit_val = 1; + polarssl_printf( " failed\n ! mpi_read_file returned %d\n\n", + return_val ); goto exit; } @@ -125,10 +133,9 @@ int main( int argc, char *argv[] ) /* * Extract the RSA encrypted value from the text file */ - ret = 1; - if( ( f = fopen( "result-enc.txt", "rb" ) ) == NULL ) { + exit_val = 1; polarssl_printf( "\n ! Could not open %s\n\n", "result-enc.txt" ); goto exit; } @@ -143,6 +150,7 @@ int main( int argc, char *argv[] ) if( i != rsa.len ) { + exit_val = 1; polarssl_printf( "\n ! Invalid RSA signature format\n\n" ); goto exit; } 
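Review bot: The `mpi_read_file` failure branch sets `exit_val = 1;` and jumps to `exit:` while `f`, opened on `rsa_priv.txt` a few lines above, is still open, so the rewritten error path leaks the handle; the `exit:` block shown in a later hunk frees the DRBG and entropy contexts but has no `fclose`. Adding `fclose( f );` before that `goto exit;` closes it on the failure path. The same pattern appears in rsa_encrypt.c's `rsa_pub.txt`/`mpi_read_file` hunk. Whether the success path closes `f` is outside these hunks.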
@@ -153,11 +161,13 @@ int main( int argc, char *argv[] ) polarssl_printf( "\n . Decrypting the encrypted data" ); fflush( stdout ); - if( ( ret = rsa_pkcs1_decrypt( &rsa, ctr_drbg_random, &ctr_drbg, - RSA_PRIVATE, &i, buf, result, - 1024 ) ) != 0 ) + if( ( return_val = rsa_pkcs1_decrypt( &rsa, ctr_drbg_random, &ctr_drbg, + RSA_PRIVATE, &i, buf, result, + 1024 ) ) != 0 ) { - polarssl_printf( " failed\n ! rsa_pkcs1_decrypt returned %d\n\n", ret ); + exit_val = 1; + polarssl_printf( " failed\n ! rsa_pkcs1_decrypt returned %d\n\n", + return_val ); goto exit; } @@ -165,8 +175,6 @@ int main( int argc, char *argv[] ) polarssl_printf( "The decrypted result is: '%s'\n\n", result ); - ret = 0; - exit: ctr_drbg_free( &ctr_drbg ); entropy_free( &entropy ); @@ -177,6 +185,6 @@ exit: fflush( stdout ); getchar(); #endif - return( ret ); + return( exit_val ); } #endif /* POLARSSL_BIGNUM_C && POLARSSL_RSA_C && POLARSSL_FS_IO */ diff --git a/programs/pkey/rsa_encrypt.c b/programs/pkey/rsa_encrypt.c index 0e9b9e3cb..1d35462bd 100644 --- a/programs/pkey/rsa_encrypt.c +++ b/programs/pkey/rsa_encrypt.c @@ -32,6 +32,7 @@ #include #define polarssl_fprintf fprintf #define polarssl_printf printf +#define polarssl_exit exit #endif #if defined(POLARSSL_BIGNUM_C) && defined(POLARSSL_RSA_C) && \ @@ -59,7 +60,7 @@ int main( void ) int main( int argc, char *argv[] ) { FILE *f; - int ret; + int return_val, exit_val; size_t i; rsa_context rsa; entropy_context entropy; @@ -68,8 +69,7 @@ int main( int argc, char *argv[] ) unsigned char buf[512]; const char *pers = "rsa_encrypt"; - rsa_init( &rsa, RSA_PKCS_V15, 0 ); - ret = 1; + exit_val = 0; if( argc != 2 ) { 
@@ -79,18 +79,24 @@ int main( int argc, char *argv[] ) polarssl_printf( "\n" ); #endif - goto exit; + polarssl_exit( 1 ); } polarssl_printf( "\n . Seeding the random number generator..." ); fflush( stdout ); entropy_init( &entropy ); - if( ( ret = ctr_drbg_init( &ctr_drbg, entropy_func, &entropy, - (const unsigned char *) pers, - strlen( pers ) ) ) != 0 ) + rsa_init( &rsa, RSA_PKCS_V15, 0 ); + + return_val = ctr_drbg_init( &ctr_drbg, entropy_func, &entropy, + (const unsigned char *) pers, + strlen( pers ) ); + + if( return_val != 0 ) { - polarssl_printf( " failed\n ! ctr_drbg_init returned %d\n", ret ); + exit_val = 1; + polarssl_printf( " failed\n ! ctr_drbg_init returned %d\n", + return_val ); goto exit; } @@ -99,16 +105,18 @@ int main( int argc, char *argv[] ) if( ( f = fopen( "rsa_pub.txt", "rb" ) ) == NULL ) { - ret = 1; + exit_val = 1; polarssl_printf( " failed\n ! Could not open rsa_pub.txt\n" \ - " ! Please run rsa_genkey first\n\n" ); + " ! Please run rsa_genkey first\n\n" ); goto exit; } - if( ( ret = mpi_read_file( &rsa.N, 16, f ) ) != 0 || - ( ret = mpi_read_file( &rsa.E, 16, f ) ) != 0 ) + if( ( return_val = mpi_read_file( &rsa.N, 16, f ) ) != 0 || + ( return_val = mpi_read_file( &rsa.E, 16, f ) ) != 0 ) { - polarssl_printf( " failed\n ! mpi_read_file returned %d\n\n", ret ); + exit_val = 1; + polarssl_printf( " failed\n ! mpi_read_file returned %d\n\n", + return_val ); goto exit; } @@ -118,6 +126,7 @@ int main( int argc, char *argv[] ) if( strlen( argv[1] ) > 100 ) { + exit_val = 1; polarssl_printf( " Input data larger than 100 characters.\n\n" ); goto exit; } 
@@ -130,11 +139,13 @@ int main( int argc, char *argv[] ) polarssl_printf( "\n . Generating the RSA encrypted value" ); fflush( stdout ); - if( ( ret = rsa_pkcs1_encrypt( &rsa, ctr_drbg_random, &ctr_drbg, - RSA_PUBLIC, strlen( argv[1] ), - input, buf ) ) != 0 ) + if( ( return_val = rsa_pkcs1_encrypt( &rsa, ctr_drbg_random, &ctr_drbg, + RSA_PUBLIC, strlen( argv[1] ), + input, buf ) ) != 0 ) { - polarssl_printf( " failed\n ! rsa_pkcs1_encrypt returned %d\n\n", ret ); + exit_val = 1; + polarssl_printf( " failed\n ! rsa_pkcs1_encrypt returned %d\n\n", + return_val ); goto exit; } @@ -143,7 +154,7 @@ int main( int argc, char *argv[] ) */ if( ( f = fopen( "result-enc.txt", "wb+" ) ) == NULL ) { - ret = 1; + exit_val = 1; polarssl_printf( " failed\n ! Could not create %s\n\n", "result-enc.txt" ); goto exit; } @@ -166,7 +177,7 @@ exit: fflush( stdout ); getchar(); #endif - return( ret ); + return( exit_val ); } #endif /* POLARSSL_BIGNUM_C && POLARSSL_RSA_C && POLARSSL_ENTROPY_C && POLARSSL_FS_IO && POLARSSL_CTR_DRBG_C */ From 8435f9e8ec9f80225354b02341e8eb305006b036 Mon Sep 17 00:00:00 2001 From: Simon Butcher Date: Wed, 13 Apr 2016 01:38:54 +0100 Subject: [PATCH 30/32] Add missing stdlib.h header to rsa sample programs --- programs/pkey/rsa_decrypt.c | 1 + programs/pkey/rsa_encrypt.c | 1 + 2 files changed, 2 insertions(+) diff --git a/programs/pkey/rsa_decrypt.c b/programs/pkey/rsa_decrypt.c index 292092c3c..5d182677f 100644 --- a/programs/pkey/rsa_decrypt.c +++ b/programs/pkey/rsa_decrypt.c @@ -30,6 +30,7 @@ #include "polarssl/platform.h" #else #include +#include #define polarssl_printf printf #define polarssl_exit exit #endif diff --git a/programs/pkey/rsa_encrypt.c b/programs/pkey/rsa_encrypt.c index 1d35462bd..9154875c4 100644 --- a/programs/pkey/rsa_encrypt.c +++ b/programs/pkey/rsa_encrypt.c @@ -30,6 +30,7 @@ #include "polarssl/platform.h" #else #include +#include #define polarssl_fprintf fprintf #define polarssl_printf printf #define polarssl_exit exit 
From f20ab8941fe806d4b9dc110ed55bad265e462466 Mon Sep 17 00:00:00 2001 From: Simon Butcher Date: Wed, 13 Apr 2016 01:41:49 +0100 Subject: [PATCH 31/32] Add missing config dependencies to PKCS1 V15 tests --- tests/suites/test_suite_pkcs1_v15.function | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/suites/test_suite_pkcs1_v15.function b/tests/suites/test_suite_pkcs1_v15.function index 0323e5a92..b5c43bccd 100644 --- a/tests/suites/test_suite_pkcs1_v15.function +++ b/tests/suites/test_suite_pkcs1_v15.function @@ -209,7 +209,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE */ +/* BEGIN_CASE depends_on:POLARSSL_PKCS1_V15 POLARSSL_PKCS1_V21 */ void pkcs1_rsassa_v15_verify_ext( int mod, int radix_N, char *input_N, int radix_E, char *input_E, From d74aa47380744244c82fdd9a97280adb0a9d0c34 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Mon, 18 Apr 2016 10:12:05 +0100 Subject: [PATCH 32/32] Remove unused code from PKCS1v15 test suite --- tests/suites/test_suite_pkcs1_v15.function | 56 ---------------------- 1 file changed, 56 deletions(-) diff --git a/tests/suites/test_suite_pkcs1_v15.function b/tests/suites/test_suite_pkcs1_v15.function index b5c43bccd..3555f92b7 100644 --- a/tests/suites/test_suite_pkcs1_v15.function +++ b/tests/suites/test_suite_pkcs1_v15.function 
@@ -209,59 +209,3 @@ exit:
 }
 /* END_CASE */
 
-/* BEGIN_CASE depends_on:POLARSSL_PKCS1_V15 POLARSSL_PKCS1_V21 */
-void pkcs1_rsassa_v15_verify_ext( int mod,
- int radix_N, char *input_N,
- int radix_E, char *input_E,
- int msg_digest_id, int ctx_hash,
- int mgf_hash, int salt_len,
- char *message_hex_string,
- char *result_hex_str,
- int result_simple,
- int result_full )
-{
- unsigned char message_str[1000];
- unsigned char hash_result[1000];
- unsigned char result_str[1000];
- rsa_context ctx;
- size_t msg_len, hash_len;
-
- rsa_init( &ctx, RSA_PKCS_V15, ctx_hash );
- memset( message_str, 0x00, 1000 );
- memset( hash_result, 0x00, 1000 );
- memset( result_str, 0x00, 1000 );
-
- ctx.len = mod / 8 + ( ( mod % 8 ) ? 1 : 0 );
- TEST_ASSERT( mpi_read_string( &ctx.N, radix_N, input_N ) == 0 );
- TEST_ASSERT( mpi_read_string( &ctx.E, radix_E, input_E ) == 0 );
-
- TEST_ASSERT( rsa_check_pubkey( &ctx ) == 0 );
-
- msg_len = unhexify( message_str, message_hex_string );
- unhexify( result_str, result_hex_str );
-
- if( msg_digest_id != POLARSSL_MD_NONE )
- {
- TEST_ASSERT( md( md_info_from_type( msg_digest_id ),
- message_str, msg_len, hash_result ) == 0 );
- hash_len = 0;
- }
- else
- {
- memcpy( hash_result, message_str, msg_len );
- hash_len = msg_len;
- }
-
- TEST_ASSERT( rsa_pkcs1_verify( &ctx, NULL, NULL, RSA_PUBLIC,
- msg_digest_id, hash_len, hash_result,
- result_str ) == result_simple );
-
- TEST_ASSERT( rsa_rsassa_pss_verify_ext( &ctx, NULL, NULL, RSA_PUBLIC,
- msg_digest_id, hash_len, hash_result,
- mgf_hash, salt_len,
- result_str ) == result_full );
-
-exit:
- rsa_free( &ctx );
-}
-/* END_CASE */