]>
Commit | Line | Data |
---|---|---|
8240d5fa | 1 | /* |
454afd98 | 2 | * Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved. |
8240d5fa | 3 | * |
a6ed19dc | 4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
8240d5fa SL |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ | |
9 | ||
d7e498ac RL |
10 | /* |
11 | * RSA low level APIs are deprecated for public use, but still ok for | |
12 | * internal use. | |
13 | */ | |
14 | #include "internal/deprecated.h" | |
15 | ||
8240d5fa SL |
16 | #include <stdio.h> |
17 | #include <string.h> | |
18 | ||
19 | #include "internal/nelem.h" | |
20 | ||
21 | #include <openssl/crypto.h> | |
22 | #include <openssl/err.h> | |
23 | #include <openssl/rand.h> | |
24 | #include <openssl/bn.h> | |
25 | ||
26 | #include "testutil.h" | |
27 | ||
28 | #ifdef OPENSSL_NO_RSA | |
29 | int setup_tests(void) | |
30 | { | |
31 | /* No tests */ | |
32 | return 1; | |
33 | } | |
34 | #else | |
706457b7 | 35 | # include "rsa_local.h" |
8240d5fa SL |
36 | # include <openssl/rsa.h> |
37 | ||
38 | /* taken from RSA2 cavs data */ | |
39 | static const unsigned char cav_e[] = { | |
40 | 0x01,0x00,0x01 | |
41 | }; | |
8240d5fa SL |
42 | static const unsigned char cav_p[] = { |
43 | 0xcf,0x72,0x1b,0x9a,0xfd,0x0d,0x22,0x1a,0x74,0x50,0x97,0x22,0x76,0xd8,0xc0, | |
44 | 0xc2,0xfd,0x08,0x81,0x05,0xdd,0x18,0x21,0x99,0x96,0xd6,0x5c,0x79,0xe3,0x02, | |
45 | 0x81,0xd7,0x0e,0x3f,0x3b,0x34,0xda,0x61,0xc9,0x2d,0x84,0x86,0x62,0x1e,0x3d, | |
46 | 0x5d,0xbf,0x92,0x2e,0xcd,0x35,0x3d,0x6e,0xb9,0x59,0x16,0xc9,0x82,0x50,0x41, | |
47 | 0x30,0x45,0x67,0xaa,0xb7,0xbe,0xec,0xea,0x4b,0x9e,0xa0,0xc3,0x05,0xbc,0x4c, | |
48 | 0x01,0xa5,0x4b,0xbd,0xa4,0x20,0xb5,0x20,0xd5,0x59,0x6f,0x82,0x5c,0x8f,0x4f, | |
49 | 0xe0,0x3a,0x4e,0x7e,0xfe,0x44,0xf3,0x3c,0xc0,0x0e,0x14,0x2b,0x32,0xe6,0x28, | |
50 | 0x8b,0x63,0x87,0x00,0xc3,0x53,0x4a,0x5b,0x71,0x7a,0x5b,0x28,0x40,0xc4,0x18, | |
51 | 0xb6,0x77,0x0b,0xab,0x59,0xa4,0x96,0x7d | |
52 | }; | |
53 | static const unsigned char cav_q[] = { | |
54 | 0xfe,0xab,0xf2,0x7c,0x16,0x4a,0xf0,0x8d,0x31,0xc6,0x0a,0x82,0xe2,0xae,0xbb, | |
55 | 0x03,0x7e,0x7b,0x20,0x4e,0x64,0xb0,0x16,0xad,0x3c,0x01,0x1a,0xd3,0x54,0xbf, | |
56 | 0x2b,0xa4,0x02,0x9e,0xc3,0x0d,0x60,0x3d,0x1f,0xb9,0xc0,0x0d,0xe6,0x97,0x68, | |
57 | 0xbb,0x8c,0x81,0xd5,0xc1,0x54,0x96,0x0f,0x99,0xf0,0xa8,0xa2,0xf3,0xc6,0x8e, | |
58 | 0xec,0xbc,0x31,0x17,0x70,0x98,0x24,0xa3,0x36,0x51,0xa8,0x54,0xc4,0x44,0xdd, | |
59 | 0xf7,0x7e,0xda,0x47,0x4a,0x67,0x44,0x5d,0x4e,0x75,0xf0,0x4d,0x00,0x68,0xe1, | |
60 | 0x4a,0xec,0x1f,0x45,0xf9,0xe6,0xca,0x38,0x95,0x48,0x6f,0xdc,0x9d,0x1b,0xa3, | |
61 | 0x4b,0xfd,0x08,0x4b,0x54,0xcd,0xeb,0x3d,0xef,0x33,0x11,0x6e,0xce,0xe4,0x5d, | |
62 | 0xef,0xa9,0x58,0x5c,0x87,0x4d,0xc8,0xcf | |
63 | }; | |
64 | static const unsigned char cav_n[] = { | |
65 | 0xce,0x5e,0x8d,0x1a,0xa3,0x08,0x7a,0x2d,0xb4,0x49,0x48,0xf0,0x06,0xb6,0xfe, | |
66 | 0xba,0x2f,0x39,0x7c,0x7b,0xe0,0x5d,0x09,0x2d,0x57,0x4e,0x54,0x60,0x9c,0xe5, | |
67 | 0x08,0x4b,0xe1,0x1a,0x73,0xc1,0x5e,0x2f,0xb6,0x46,0xd7,0x81,0xca,0xbc,0x98, | |
68 | 0xd2,0xf9,0xef,0x1c,0x92,0x8c,0x8d,0x99,0x85,0x28,0x52,0xd6,0xd5,0xab,0x70, | |
69 | 0x7e,0x9e,0xa9,0x87,0x82,0xc8,0x95,0x64,0xeb,0xf0,0x6c,0x0f,0x3f,0xe9,0x02, | |
70 | 0x29,0x2e,0x6d,0xa1,0xec,0xbf,0xdc,0x23,0xdf,0x82,0x4f,0xab,0x39,0x8d,0xcc, | |
71 | 0xac,0x21,0x51,0x14,0xf8,0xef,0xec,0x73,0x80,0x86,0xa3,0xcf,0x8f,0xd5,0xcf, | |
72 | 0x22,0x1f,0xcc,0x23,0x2f,0xba,0xcb,0xf6,0x17,0xcd,0x3a,0x1f,0xd9,0x84,0xb9, | |
73 | 0x88,0xa7,0x78,0x0f,0xaa,0xc9,0x04,0x01,0x20,0x72,0x5d,0x2a,0xfe,0x5b,0xdd, | |
74 | 0x16,0x5a,0xed,0x83,0x02,0x96,0x39,0x46,0x37,0x30,0xc1,0x0d,0x87,0xc2,0xc8, | |
75 | 0x33,0x38,0xed,0x35,0x72,0xe5,0x29,0xf8,0x1f,0x23,0x60,0xe1,0x2a,0x5b,0x1d, | |
76 | 0x6b,0x53,0x3f,0x07,0xc4,0xd9,0xbb,0x04,0x0c,0x5c,0x3f,0x0b,0xc4,0xd4,0x61, | |
77 | 0x96,0x94,0xf1,0x0f,0x4a,0x49,0xac,0xde,0xd2,0xe8,0x42,0xb3,0x4a,0x0b,0x64, | |
78 | 0x7a,0x32,0x5f,0x2b,0x5b,0x0f,0x8b,0x8b,0xe0,0x33,0x23,0x34,0x64,0xf8,0xb5, | |
79 | 0x7f,0x69,0x60,0xb8,0x71,0xe9,0xff,0x92,0x42,0xb1,0xf7,0x23,0xa8,0xa7,0x92, | |
80 | 0x04,0x3d,0x6b,0xff,0xf7,0xab,0xbb,0x14,0x1f,0x4c,0x10,0x97,0xd5,0x6b,0x71, | |
81 | 0x12,0xfd,0x93,0xa0,0x4a,0x3b,0x75,0x72,0x40,0x96,0x1c,0x5f,0x40,0x40,0x57, | |
82 | 0x13 | |
83 | }; | |
84 | static const unsigned char cav_d[] = { | |
85 | 0x47,0x47,0x49,0x1d,0x66,0x2a,0x4b,0x68,0xf5,0xd8,0x4a,0x24,0xfd,0x6c,0xbf, | |
86 | 0x56,0xb7,0x70,0xf7,0x9a,0x21,0xc8,0x80,0x9e,0xf4,0x84,0xcd,0x88,0x01,0x28, | |
87 | 0xea,0x50,0xab,0x13,0x63,0xdf,0xea,0x14,0x38,0xb5,0x07,0x42,0x81,0x2f,0xda, | |
88 | 0xe9,0x24,0x02,0x7e,0xaf,0xef,0x74,0x09,0x0e,0x80,0xfa,0xfb,0xd1,0x19,0x41, | |
89 | 0xe5,0xba,0x0f,0x7c,0x0a,0xa4,0x15,0x55,0xa2,0x58,0x8c,0x3a,0x48,0x2c,0xc6, | |
90 | 0xde,0x4a,0x76,0xfb,0x72,0xb6,0x61,0xe6,0xd2,0x10,0x44,0x4c,0x33,0xb8,0xd2, | |
91 | 0x74,0xb1,0x9d,0x3b,0xcd,0x2f,0xb1,0x4f,0xc3,0x98,0xbd,0x83,0xb7,0x7e,0x75, | |
92 | 0xe8,0xa7,0x6a,0xee,0xcc,0x51,0x8c,0x99,0x17,0x67,0x7f,0x27,0xf9,0x0d,0x6a, | |
93 | 0xb7,0xd4,0x80,0x17,0x89,0x39,0x9c,0xf3,0xd7,0x0f,0xdf,0xb0,0x55,0x80,0x1d, | |
94 | 0xaf,0x57,0x2e,0xd0,0xf0,0x4f,0x42,0x69,0x55,0xbc,0x83,0xd6,0x97,0x83,0x7a, | |
95 | 0xe6,0xc6,0x30,0x6d,0x3d,0xb5,0x21,0xa7,0xc4,0x62,0x0a,0x20,0xce,0x5e,0x5a, | |
96 | 0x17,0x98,0xb3,0x6f,0x6b,0x9a,0xeb,0x6b,0xa3,0xc4,0x75,0xd8,0x2b,0xdc,0x5c, | |
97 | 0x6f,0xec,0x5d,0x49,0xac,0xa8,0xa4,0x2f,0xb8,0x8c,0x4f,0x2e,0x46,0x21,0xee, | |
98 | 0x72,0x6a,0x0e,0x22,0x80,0x71,0xc8,0x76,0x40,0x44,0x61,0x16,0xbf,0xa5,0xf8, | |
99 | 0x89,0xc7,0xe9,0x87,0xdf,0xbd,0x2e,0x4b,0x4e,0xc2,0x97,0x53,0xe9,0x49,0x1c, | |
100 | 0x05,0xb0,0x0b,0x9b,0x9f,0x21,0x19,0x41,0xe9,0xf5,0x61,0xd7,0x33,0x2e,0x2c, | |
101 | 0x94,0xb8,0xa8,0x9a,0x3a,0xcc,0x6a,0x24,0x8d,0x19,0x13,0xee,0xb9,0xb0,0x48, | |
102 | 0x61 | |
103 | }; | |
104 | ||
105 | /* helper function */ | |
106 | static BIGNUM *bn_load_new(const unsigned char *data, int sz) | |
107 | { | |
108 | BIGNUM *ret = BN_new(); | |
109 | if (ret != NULL) | |
110 | BN_bin2bn(data, sz, ret); | |
111 | return ret; | |
112 | } | |
113 | ||
8240d5fa SL |
114 | static int test_check_public_exponent(void) |
115 | { | |
116 | int ret = 0; | |
117 | BIGNUM *e = NULL; | |
118 | ||
119 | ret = TEST_ptr(e = BN_new()) | |
120 | /* e is too small */ | |
121 | && TEST_true(BN_set_word(e, 65535)) | |
23b2fc0b | 122 | && TEST_false(ossl_rsa_check_public_exponent(e)) |
8240d5fa SL |
123 | /* e is even will fail */ |
124 | && TEST_true(BN_set_word(e, 65536)) | |
23b2fc0b | 125 | && TEST_false(ossl_rsa_check_public_exponent(e)) |
8240d5fa SL |
126 | /* e is ok */ |
127 | && TEST_true(BN_set_word(e, 65537)) | |
23b2fc0b | 128 | && TEST_true(ossl_rsa_check_public_exponent(e)) |
8240d5fa SL |
129 | /* e = 2^256 is too big */ |
130 | && TEST_true(BN_lshift(e, BN_value_one(), 256)) | |
23b2fc0b | 131 | && TEST_false(ossl_rsa_check_public_exponent(e)) |
8240d5fa SL |
132 | /* e = 2^256-1 is odd and in range */ |
133 | && TEST_true(BN_sub(e, e, BN_value_one())) | |
23b2fc0b | 134 | && TEST_true(ossl_rsa_check_public_exponent(e)); |
8240d5fa SL |
135 | BN_free(e); |
136 | return ret; | |
137 | } | |
138 | ||
139 | static int test_check_prime_factor_range(void) | |
140 | { | |
141 | int ret = 0; | |
142 | BN_CTX *ctx = NULL; | |
143 | BIGNUM *p = NULL; | |
144 | BIGNUM *bn_p1 = NULL, *bn_p2 = NULL, *bn_p3 = NULL, *bn_p4 = NULL; | |
145 | /* Some range checks that are larger than 32 bits */ | |
146 | static const unsigned char p1[] = { 0x0B, 0x50, 0x4F, 0x33, 0x3F }; | |
147 | static const unsigned char p2[] = { 0x10, 0x00, 0x00, 0x00, 0x00 }; | |
148 | static const unsigned char p3[] = { 0x0B, 0x50, 0x4F, 0x33, 0x40 }; | |
149 | static const unsigned char p4[] = { 0x0F, 0xFF, 0xFF, 0xFF, 0xFF }; | |
150 | ||
151 | /* (√2)(2^(nbits/2 - 1) <= p <= 2^(nbits/2) - 1 | |
152 | * For 8 bits: 0xB.504F <= p <= 0xF | |
153 | * for 72 bits: 0xB504F333F. <= p <= 0xF_FFFF_FFFF | |
154 | */ | |
155 | ret = TEST_ptr(p = BN_new()) | |
156 | && TEST_ptr(bn_p1 = bn_load_new(p1, sizeof(p1))) | |
157 | && TEST_ptr(bn_p2 = bn_load_new(p2, sizeof(p2))) | |
158 | && TEST_ptr(bn_p3 = bn_load_new(p3, sizeof(p3))) | |
159 | && TEST_ptr(bn_p4 = bn_load_new(p4, sizeof(p4))) | |
160 | && TEST_ptr(ctx = BN_CTX_new()) | |
161 | && TEST_true(BN_set_word(p, 0xA)) | |
23b2fc0b | 162 | && TEST_false(ossl_rsa_check_prime_factor_range(p, 8, ctx)) |
8240d5fa | 163 | && TEST_true(BN_set_word(p, 0x10)) |
23b2fc0b | 164 | && TEST_false(ossl_rsa_check_prime_factor_range(p, 8, ctx)) |
8240d5fa | 165 | && TEST_true(BN_set_word(p, 0xB)) |
23b2fc0b | 166 | && TEST_false(ossl_rsa_check_prime_factor_range(p, 8, ctx)) |
fd4a6e7d | 167 | && TEST_true(BN_set_word(p, 0xC)) |
23b2fc0b | 168 | && TEST_true(ossl_rsa_check_prime_factor_range(p, 8, ctx)) |
8240d5fa | 169 | && TEST_true(BN_set_word(p, 0xF)) |
23b2fc0b P |
170 | && TEST_true(ossl_rsa_check_prime_factor_range(p, 8, ctx)) |
171 | && TEST_false(ossl_rsa_check_prime_factor_range(bn_p1, 72, ctx)) | |
172 | && TEST_false(ossl_rsa_check_prime_factor_range(bn_p2, 72, ctx)) | |
173 | && TEST_true(ossl_rsa_check_prime_factor_range(bn_p3, 72, ctx)) | |
174 | && TEST_true(ossl_rsa_check_prime_factor_range(bn_p4, 72, ctx)); | |
8240d5fa SL |
175 | |
176 | BN_free(bn_p4); | |
177 | BN_free(bn_p3); | |
178 | BN_free(bn_p2); | |
179 | BN_free(bn_p1); | |
180 | BN_free(p); | |
181 | BN_CTX_free(ctx); | |
182 | return ret; | |
183 | } | |
184 | ||
185 | static int test_check_prime_factor(void) | |
186 | { | |
187 | int ret = 0; | |
188 | BN_CTX *ctx = NULL; | |
189 | BIGNUM *p = NULL, *e = NULL; | |
190 | BIGNUM *bn_p1 = NULL, *bn_p2 = NULL, *bn_p3 = NULL; | |
191 | ||
192 | /* Some range checks that are larger than 32 bits */ | |
193 | static const unsigned char p1[] = { 0x0B, 0x50, 0x4f, 0x33, 0x73 }; | |
194 | static const unsigned char p2[] = { 0x0B, 0x50, 0x4f, 0x33, 0x75 }; | |
195 | static const unsigned char p3[] = { 0x0F, 0x50, 0x00, 0x03, 0x75 }; | |
196 | ||
197 | ret = TEST_ptr(p = BN_new()) | |
198 | && TEST_ptr(bn_p1 = bn_load_new(p1, sizeof(p1))) | |
199 | && TEST_ptr(bn_p2 = bn_load_new(p2, sizeof(p2))) | |
200 | && TEST_ptr(bn_p3 = bn_load_new(p3, sizeof(p3))) | |
201 | && TEST_ptr(e = BN_new()) | |
202 | && TEST_ptr(ctx = BN_CTX_new()) | |
203 | /* Fails the prime test */ | |
204 | && TEST_true(BN_set_word(e, 0x1)) | |
23b2fc0b | 205 | && TEST_false(ossl_rsa_check_prime_factor(bn_p1, e, 72, ctx)) |
8240d5fa | 206 | /* p is prime and in range and gcd(p-1, e) = 1 */ |
23b2fc0b | 207 | && TEST_true(ossl_rsa_check_prime_factor(bn_p2, e, 72, ctx)) |
8240d5fa SL |
208 | /* gcd(p-1,e) = 1 test fails */ |
209 | && TEST_true(BN_set_word(e, 0x2)) | |
23b2fc0b | 210 | && TEST_false(ossl_rsa_check_prime_factor(p, e, 72, ctx)) |
8240d5fa SL |
211 | /* p fails the range check */ |
212 | && TEST_true(BN_set_word(e, 0x1)) | |
23b2fc0b | 213 | && TEST_false(ossl_rsa_check_prime_factor(bn_p3, e, 72, ctx)); |
8240d5fa SL |
214 | |
215 | BN_free(bn_p3); | |
216 | BN_free(bn_p2); | |
217 | BN_free(bn_p1); | |
218 | BN_free(e); | |
219 | BN_free(p); | |
220 | BN_CTX_free(ctx); | |
221 | return ret; | |
222 | } | |
223 | ||
d7e498ac | 224 | /* This test uses legacy functions because they can take invalid numbers */ |
8240d5fa SL |
225 | static int test_check_private_exponent(void) |
226 | { | |
227 | int ret = 0; | |
228 | RSA *key = NULL; | |
229 | BN_CTX *ctx = NULL; | |
230 | BIGNUM *p = NULL, *q = NULL, *e = NULL, *d = NULL, *n = NULL; | |
231 | ||
232 | ret = TEST_ptr(key = RSA_new()) | |
233 | && TEST_ptr(ctx = BN_CTX_new()) | |
234 | && TEST_ptr(p = BN_new()) | |
235 | && TEST_ptr(q = BN_new()) | |
8240d5fa SL |
236 | /* lcm(15-1,17-1) = 14*16 / 2 = 112 */ |
237 | && TEST_true(BN_set_word(p, 15)) | |
238 | && TEST_true(BN_set_word(q, 17)) | |
a12864a5 SL |
239 | && TEST_true(RSA_set0_factors(key, p, q)); |
240 | if (!ret) { | |
241 | BN_free(p); | |
242 | BN_free(q); | |
243 | goto end; | |
244 | } | |
245 | ||
246 | ret = TEST_ptr(e = BN_new()) | |
247 | && TEST_ptr(d = BN_new()) | |
248 | && TEST_ptr(n = BN_new()) | |
8240d5fa SL |
249 | && TEST_true(BN_set_word(e, 5)) |
250 | && TEST_true(BN_set_word(d, 157)) | |
251 | && TEST_true(BN_set_word(n, 15*17)) | |
a12864a5 SL |
252 | && TEST_true(RSA_set0_key(key, n, e, d)); |
253 | if (!ret) { | |
254 | BN_free(e); | |
255 | BN_free(d); | |
256 | BN_free(n); | |
257 | goto end; | |
258 | } | |
259 | /* fails since d >= lcm(p-1, q-1) */ | |
23b2fc0b | 260 | ret = TEST_false(ossl_rsa_check_private_exponent(key, 8, ctx)) |
8240d5fa SL |
261 | && TEST_true(BN_set_word(d, 45)) |
262 | /* d is correct size and 1 = e.d mod lcm(p-1, q-1) */ | |
23b2fc0b | 263 | && TEST_true(ossl_rsa_check_private_exponent(key, 8, ctx)) |
8240d5fa | 264 | /* d is too small compared to nbits */ |
23b2fc0b | 265 | && TEST_false(ossl_rsa_check_private_exponent(key, 16, ctx)) |
8240d5fa SL |
266 | /* d is too small compared to nbits */ |
267 | && TEST_true(BN_set_word(d, 16)) | |
23b2fc0b | 268 | && TEST_false(ossl_rsa_check_private_exponent(key, 8, ctx)) |
8240d5fa SL |
269 | /* fail if 1 != e.d mod lcm(p-1, q-1) */ |
270 | && TEST_true(BN_set_word(d, 46)) | |
23b2fc0b | 271 | && TEST_false(ossl_rsa_check_private_exponent(key, 8, ctx)); |
a12864a5 | 272 | end: |
8240d5fa SL |
273 | RSA_free(key); |
274 | BN_CTX_free(ctx); | |
275 | return ret; | |
276 | } | |
277 | ||
278 | static int test_check_crt_components(void) | |
279 | { | |
280 | const int P = 15; | |
281 | const int Q = 17; | |
282 | const int E = 5; | |
283 | const int N = P*Q; | |
284 | const int DP = 3; | |
285 | const int DQ = 13; | |
286 | const int QINV = 8; | |
287 | ||
288 | int ret = 0; | |
289 | RSA *key = NULL; | |
290 | BN_CTX *ctx = NULL; | |
291 | BIGNUM *p = NULL, *q = NULL, *e = NULL; | |
292 | ||
293 | ret = TEST_ptr(key = RSA_new()) | |
294 | && TEST_ptr(ctx = BN_CTX_new()) | |
295 | && TEST_ptr(p = BN_new()) | |
296 | && TEST_ptr(q = BN_new()) | |
297 | && TEST_ptr(e = BN_new()) | |
298 | && TEST_true(BN_set_word(p, P)) | |
299 | && TEST_true(BN_set_word(q, Q)) | |
300 | && TEST_true(BN_set_word(e, E)) | |
a12864a5 SL |
301 | && TEST_true(RSA_set0_factors(key, p, q)); |
302 | if (!ret) { | |
303 | BN_free(p); | |
304 | BN_free(q); | |
305 | goto end; | |
306 | } | |
23b2fc0b | 307 | ret = TEST_true(ossl_rsa_sp800_56b_derive_params_from_pq(key, 8, e, ctx)) |
8240d5fa SL |
308 | && TEST_BN_eq_word(key->n, N) |
309 | && TEST_BN_eq_word(key->dmp1, DP) | |
310 | && TEST_BN_eq_word(key->dmq1, DQ) | |
311 | && TEST_BN_eq_word(key->iqmp, QINV) | |
23b2fc0b | 312 | && TEST_true(ossl_rsa_check_crt_components(key, ctx)) |
8240d5fa SL |
313 | /* (a) 1 < dP < (p – 1). */ |
314 | && TEST_true(BN_set_word(key->dmp1, 1)) | |
23b2fc0b | 315 | && TEST_false(ossl_rsa_check_crt_components(key, ctx)) |
8240d5fa | 316 | && TEST_true(BN_set_word(key->dmp1, P-1)) |
23b2fc0b | 317 | && TEST_false(ossl_rsa_check_crt_components(key, ctx)) |
8240d5fa SL |
318 | && TEST_true(BN_set_word(key->dmp1, DP)) |
319 | /* (b) 1 < dQ < (q - 1). */ | |
320 | && TEST_true(BN_set_word(key->dmq1, 1)) | |
23b2fc0b | 321 | && TEST_false(ossl_rsa_check_crt_components(key, ctx)) |
8240d5fa | 322 | && TEST_true(BN_set_word(key->dmq1, Q-1)) |
23b2fc0b | 323 | && TEST_false(ossl_rsa_check_crt_components(key, ctx)) |
8240d5fa SL |
324 | && TEST_true(BN_set_word(key->dmq1, DQ)) |
325 | /* (c) 1 < qInv < p */ | |
326 | && TEST_true(BN_set_word(key->iqmp, 1)) | |
23b2fc0b | 327 | && TEST_false(ossl_rsa_check_crt_components(key, ctx)) |
8240d5fa | 328 | && TEST_true(BN_set_word(key->iqmp, P)) |
23b2fc0b | 329 | && TEST_false(ossl_rsa_check_crt_components(key, ctx)) |
8240d5fa SL |
330 | && TEST_true(BN_set_word(key->iqmp, QINV)) |
331 | /* (d) 1 = (dP . e) mod (p - 1)*/ | |
332 | && TEST_true(BN_set_word(key->dmp1, DP+1)) | |
23b2fc0b | 333 | && TEST_false(ossl_rsa_check_crt_components(key, ctx)) |
8240d5fa SL |
334 | && TEST_true(BN_set_word(key->dmp1, DP)) |
335 | /* (e) 1 = (dQ . e) mod (q - 1) */ | |
336 | && TEST_true(BN_set_word(key->dmq1, DQ-1)) | |
23b2fc0b | 337 | && TEST_false(ossl_rsa_check_crt_components(key, ctx)) |
8240d5fa SL |
338 | && TEST_true(BN_set_word(key->dmq1, DQ)) |
339 | /* (f) 1 = (qInv . q) mod p */ | |
340 | && TEST_true(BN_set_word(key->iqmp, QINV+1)) | |
23b2fc0b | 341 | && TEST_false(ossl_rsa_check_crt_components(key, ctx)) |
8240d5fa SL |
342 | && TEST_true(BN_set_word(key->iqmp, QINV)) |
343 | /* check defaults are still valid */ | |
23b2fc0b | 344 | && TEST_true(ossl_rsa_check_crt_components(key, ctx)); |
a12864a5 | 345 | end: |
8240d5fa SL |
346 | BN_free(e); |
347 | RSA_free(key); | |
348 | BN_CTX_free(ctx); | |
349 | return ret; | |
350 | } | |
351 | ||
352 | static int test_pq_diff(void) | |
353 | { | |
354 | int ret = 0; | |
355 | BIGNUM *tmp = NULL, *p = NULL, *q = NULL; | |
356 | ||
357 | ret = TEST_ptr(tmp = BN_new()) | |
358 | && TEST_ptr(p = BN_new()) | |
359 | && TEST_ptr(q = BN_new()) | |
360 | /* |1-(2+1)| > 2^1 */ | |
361 | && TEST_true(BN_set_word(p, 1)) | |
362 | && TEST_true(BN_set_word(q, 1+2)) | |
23b2fc0b | 363 | && TEST_false(ossl_rsa_check_pminusq_diff(tmp, p, q, 202)) |
8240d5fa SL |
364 | /* Check |p - q| > 2^(nbits/2 - 100) */ |
365 | && TEST_true(BN_set_word(q, 1+3)) | |
23b2fc0b | 366 | && TEST_true(ossl_rsa_check_pminusq_diff(tmp, p, q, 202)) |
8240d5fa SL |
367 | && TEST_true(BN_set_word(p, 1+3)) |
368 | && TEST_true(BN_set_word(q, 1)) | |
23b2fc0b | 369 | && TEST_true(ossl_rsa_check_pminusq_diff(tmp, p, q, 202)); |
8240d5fa SL |
370 | BN_free(p); |
371 | BN_free(q); | |
372 | BN_free(tmp); | |
373 | return ret; | |
374 | } | |
375 | ||
376 | static int test_invalid_keypair(void) | |
377 | { | |
378 | int ret = 0; | |
379 | RSA *key = NULL; | |
380 | BN_CTX *ctx = NULL; | |
381 | BIGNUM *p = NULL, *q = NULL, *n = NULL, *e = NULL, *d = NULL; | |
382 | ||
383 | ret = TEST_ptr(key = RSA_new()) | |
384 | && TEST_ptr(ctx = BN_CTX_new()) | |
385 | /* NULL parameters */ | |
23b2fc0b | 386 | && TEST_false(ossl_rsa_sp800_56b_check_keypair(key, NULL, -1, 2048)) |
8240d5fa SL |
387 | /* load key */ |
388 | && TEST_ptr(p = bn_load_new(cav_p, sizeof(cav_p))) | |
389 | && TEST_ptr(q = bn_load_new(cav_q, sizeof(cav_q))) | |
a12864a5 SL |
390 | && TEST_true(RSA_set0_factors(key, p, q)); |
391 | if (!ret) { | |
392 | BN_free(p); | |
393 | BN_free(q); | |
394 | goto end; | |
395 | } | |
396 | ||
397 | ret = TEST_ptr(e = bn_load_new(cav_e, sizeof(cav_e))) | |
8240d5fa SL |
398 | && TEST_ptr(n = bn_load_new(cav_n, sizeof(cav_n))) |
399 | && TEST_ptr(d = bn_load_new(cav_d, sizeof(cav_d))) | |
a12864a5 SL |
400 | && TEST_true(RSA_set0_key(key, n, e, d)); |
401 | if (!ret) { | |
402 | BN_free(e); | |
403 | BN_free(n); | |
404 | BN_free(d); | |
405 | goto end; | |
406 | } | |
8240d5fa | 407 | /* bad strength/key size */ |
23b2fc0b P |
408 | ret = TEST_false(ossl_rsa_sp800_56b_check_keypair(key, NULL, 100, 2048)) |
409 | && TEST_false(ossl_rsa_sp800_56b_check_keypair(key, NULL, 112, 1024)) | |
410 | && TEST_false(ossl_rsa_sp800_56b_check_keypair(key, NULL, 128, 2048)) | |
411 | && TEST_false(ossl_rsa_sp800_56b_check_keypair(key, NULL, 140, 3072)) | |
8240d5fa | 412 | /* mismatching exponent */ |
23b2fc0b P |
413 | && TEST_false(ossl_rsa_sp800_56b_check_keypair(key, BN_value_one(), |
414 | -1, 2048)) | |
8240d5fa SL |
415 | /* bad exponent */ |
416 | && TEST_true(BN_add_word(e, 1)) | |
23b2fc0b | 417 | && TEST_false(ossl_rsa_sp800_56b_check_keypair(key, NULL, -1, 2048)) |
8240d5fa SL |
418 | && TEST_true(BN_sub_word(e, 1)) |
419 | ||
420 | /* mismatch between bits and modulus */ | |
23b2fc0b P |
421 | && TEST_false(ossl_rsa_sp800_56b_check_keypair(key, NULL, -1, 3072)) |
422 | && TEST_true(ossl_rsa_sp800_56b_check_keypair(key, e, 112, 2048)) | |
8240d5fa SL |
423 | /* check n == pq failure */ |
424 | && TEST_true(BN_add_word(n, 1)) | |
23b2fc0b | 425 | && TEST_false(ossl_rsa_sp800_56b_check_keypair(key, NULL, -1, 2048)) |
8240d5fa SL |
426 | && TEST_true(BN_sub_word(n, 1)) |
427 | /* check p */ | |
428 | && TEST_true(BN_sub_word(p, 2)) | |
429 | && TEST_true(BN_mul(n, p, q, ctx)) | |
23b2fc0b | 430 | && TEST_false(ossl_rsa_sp800_56b_check_keypair(key, NULL, -1, 2048)) |
8240d5fa SL |
431 | && TEST_true(BN_add_word(p, 2)) |
432 | && TEST_true(BN_mul(n, p, q, ctx)) | |
433 | /* check q */ | |
434 | && TEST_true(BN_sub_word(q, 2)) | |
435 | && TEST_true(BN_mul(n, p, q, ctx)) | |
23b2fc0b | 436 | && TEST_false(ossl_rsa_sp800_56b_check_keypair(key, NULL, -1, 2048)) |
8240d5fa SL |
437 | && TEST_true(BN_add_word(q, 2)) |
438 | && TEST_true(BN_mul(n, p, q, ctx)); | |
a12864a5 | 439 | end: |
8240d5fa SL |
440 | RSA_free(key); |
441 | BN_CTX_free(ctx); | |
442 | return ret; | |
443 | } | |
444 | ||
8240d5fa SL |
445 | static int keygen_size[] = |
446 | { | |
447 | 2048, 3072 | |
448 | }; | |
449 | ||
450 | static int test_sp80056b_keygen(int id) | |
451 | { | |
452 | RSA *key = NULL; | |
453 | int ret; | |
454 | int sz = keygen_size[id]; | |
455 | ||
456 | ret = TEST_ptr(key = RSA_new()) | |
23b2fc0b P |
457 | && TEST_true(ossl_rsa_sp800_56b_generate_key(key, sz, NULL, NULL)) |
458 | && TEST_true(ossl_rsa_sp800_56b_check_public(key)) | |
459 | && TEST_true(ossl_rsa_sp800_56b_check_private(key)) | |
460 | && TEST_true(ossl_rsa_sp800_56b_check_keypair(key, NULL, -1, sz)); | |
8240d5fa SL |
461 | |
462 | RSA_free(key); | |
463 | return ret; | |
464 | } | |
465 | ||
466 | static int test_check_private_key(void) | |
467 | { | |
468 | int ret = 0; | |
469 | BIGNUM *n = NULL, *d = NULL, *e = NULL; | |
470 | RSA *key = NULL; | |
471 | ||
472 | ret = TEST_ptr(key = RSA_new()) | |
473 | /* check NULL pointers fail */ | |
23b2fc0b | 474 | && TEST_false(ossl_rsa_sp800_56b_check_private(key)) |
8240d5fa SL |
475 | /* load private key */ |
476 | && TEST_ptr(n = bn_load_new(cav_n, sizeof(cav_n))) | |
477 | && TEST_ptr(d = bn_load_new(cav_d, sizeof(cav_d))) | |
478 | && TEST_ptr(e = bn_load_new(cav_e, sizeof(cav_e))) | |
a12864a5 SL |
479 | && TEST_true(RSA_set0_key(key, n, e, d)); |
480 | if (!ret) { | |
481 | BN_free(n); | |
482 | BN_free(e); | |
483 | BN_free(d); | |
484 | goto end; | |
485 | } | |
486 | /* check d is in range */ | |
23b2fc0b | 487 | ret = TEST_true(ossl_rsa_sp800_56b_check_private(key)) |
8240d5fa SL |
488 | /* check d is too low */ |
489 | && TEST_true(BN_set_word(d, 0)) | |
23b2fc0b | 490 | && TEST_false(ossl_rsa_sp800_56b_check_private(key)) |
8240d5fa SL |
491 | /* check d is too high */ |
492 | && TEST_ptr(BN_copy(d, n)) | |
23b2fc0b | 493 | && TEST_false(ossl_rsa_sp800_56b_check_private(key)); |
a12864a5 | 494 | end: |
8240d5fa SL |
495 | RSA_free(key); |
496 | return ret; | |
497 | } | |
498 | ||
499 | static int test_check_public_key(void) | |
500 | { | |
501 | int ret = 0; | |
502 | BIGNUM *n = NULL, *e = NULL; | |
503 | RSA *key = NULL; | |
504 | ||
505 | ret = TEST_ptr(key = RSA_new()) | |
506 | /* check NULL pointers fail */ | |
23b2fc0b | 507 | && TEST_false(ossl_rsa_sp800_56b_check_public(key)) |
8240d5fa SL |
508 | /* load public key */ |
509 | && TEST_ptr(e = bn_load_new(cav_e, sizeof(cav_e))) | |
510 | && TEST_ptr(n = bn_load_new(cav_n, sizeof(cav_n))) | |
a12864a5 SL |
511 | && TEST_true(RSA_set0_key(key, n, e, NULL)); |
512 | if (!ret) { | |
513 | BN_free(e); | |
514 | BN_free(n); | |
515 | goto end; | |
516 | } | |
517 | /* check public key is valid */ | |
23b2fc0b | 518 | ret = TEST_true(ossl_rsa_sp800_56b_check_public(key)) |
8240d5fa SL |
519 | /* check fail if n is even */ |
520 | && TEST_true(BN_add_word(n, 1)) | |
23b2fc0b | 521 | && TEST_false(ossl_rsa_sp800_56b_check_public(key)) |
8240d5fa SL |
522 | && TEST_true(BN_sub_word(n, 1)) |
523 | /* check fail if n is wrong number of bits */ | |
524 | && TEST_true(BN_lshift1(n, n)) | |
23b2fc0b | 525 | && TEST_false(ossl_rsa_sp800_56b_check_public(key)) |
8240d5fa SL |
526 | && TEST_true(BN_rshift1(n, n)) |
527 | /* test odd exponent fails */ | |
528 | && TEST_true(BN_add_word(e, 1)) | |
23b2fc0b | 529 | && TEST_false(ossl_rsa_sp800_56b_check_public(key)) |
8240d5fa SL |
530 | && TEST_true(BN_sub_word(e, 1)) |
531 | /* modulus fails composite check */ | |
532 | && TEST_true(BN_add_word(n, 2)) | |
23b2fc0b | 533 | && TEST_false(ossl_rsa_sp800_56b_check_public(key)); |
a12864a5 | 534 | end: |
8240d5fa SL |
535 | RSA_free(key); |
536 | return ret; | |
537 | } | |
538 | ||
539 | int setup_tests(void) | |
540 | { | |
541 | ADD_TEST(test_check_public_exponent); | |
542 | ADD_TEST(test_check_prime_factor_range); | |
543 | ADD_TEST(test_check_prime_factor); | |
544 | ADD_TEST(test_check_private_exponent); | |
545 | ADD_TEST(test_check_crt_components); | |
546 | ADD_TEST(test_check_private_key); | |
547 | ADD_TEST(test_check_public_key); | |
548 | ADD_TEST(test_invalid_keypair); | |
549 | ADD_TEST(test_pq_diff); | |
8240d5fa SL |
550 | ADD_ALL_TESTS(test_sp80056b_keygen, (int)OSSL_NELEM(keygen_size)); |
551 | return 1; | |
552 | } | |
553 | #endif |