]>
Commit | Line | Data |
---|---|---|
8240d5fa SL |
1 | /* |
2 | * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved. | |
3 | * | |
4 | * Licensed under the OpenSSL license (the "License"). You may not use | |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ | |
9 | ||
10 | #include <stdio.h> | |
11 | #include <string.h> | |
12 | ||
13 | #include "internal/nelem.h" | |
14 | ||
15 | #include <openssl/crypto.h> | |
16 | #include <openssl/err.h> | |
17 | #include <openssl/rand.h> | |
18 | #include <openssl/bn.h> | |
19 | ||
20 | #include "testutil.h" | |
21 | ||
22 | #ifdef OPENSSL_NO_RSA | |
23 | int setup_tests(void) | |
24 | { | |
25 | /* No tests */ | |
26 | return 1; | |
27 | } | |
28 | #else | |
706457b7 | 29 | # include "rsa_local.h" |
8240d5fa SL |
30 | # include <openssl/rsa.h> |
31 | ||
32 | /* taken from RSA2 cavs data */ | |
33 | static const unsigned char cav_e[] = { | |
34 | 0x01,0x00,0x01 | |
35 | }; | |
36 | static const unsigned char cav_Xp[] = { | |
37 | 0xcf,0x72,0x1b,0x9a,0xfd,0x0d,0x22,0x1a,0x74,0x50,0x97,0x22,0x76,0xd8,0xc0, | |
38 | 0xc2,0xfd,0x08,0x81,0x05,0xdd,0x18,0x21,0x99,0x96,0xd6,0x5c,0x79,0xe3,0x02, | |
39 | 0x81,0xd7,0x0e,0x3f,0x3b,0x34,0xda,0x61,0xc9,0x2d,0x84,0x86,0x62,0x1e,0x3d, | |
40 | 0x5d,0xbf,0x92,0x2e,0xcd,0x35,0x3d,0x6e,0xb9,0x59,0x16,0xc9,0x82,0x50,0x41, | |
41 | 0x30,0x45,0x67,0xaa,0xb7,0xbe,0xec,0xea,0x4b,0x9e,0xa0,0xc3,0x05,0xb3,0x88, | |
42 | 0xd4,0x4c,0xac,0xeb,0xe4,0x03,0xc6,0xca,0xcb,0xd9,0xd3,0x4e,0xf6,0x7f,0x2c, | |
43 | 0x27,0x1e,0x08,0x6c,0xc2,0xd6,0x45,0x1f,0x84,0xe4,0x3c,0x97,0x19,0xde,0xb8, | |
44 | 0x55,0xaf,0x0e,0xcf,0x9e,0xb0,0x9c,0x20,0xd3,0x1f,0xa8,0xd7,0x52,0xc2,0x95, | |
45 | 0x1c,0x80,0x15,0x42,0x4d,0x4f,0x19,0x16 | |
46 | }; | |
47 | static const unsigned char cav_Xp1[] = { | |
48 | 0xac,0x5f,0x7f,0x6e,0x33,0x3e,0x97,0x3a,0xb3,0x17,0x44,0xa9,0x0f,0x7a,0x54, | |
49 | 0x70,0x27,0x06,0x93,0xd5,0x49,0xde,0x91,0x83,0xbc,0x8a,0x7b,0x95 | |
50 | }; | |
51 | static const unsigned char cav_Xp2[] = { | |
52 | 0x0b,0xf6,0xe8,0x79,0x5a,0x81,0xae,0x90,0x1d,0xa4,0x38,0x74,0x9c,0x0e,0x6f, | |
53 | 0xe0,0x03,0xcf,0xc4,0x53,0x16,0x32,0x17,0xf7,0x09,0x5f,0xd9 | |
54 | }; | |
55 | static const unsigned char cav_Xq[] = { | |
56 | 0xfe,0xab,0xf2,0x7c,0x16,0x4a,0xf0,0x8d,0x31,0xc6,0x0a,0x82,0xe2,0xae,0xbb, | |
57 | 0x03,0x7e,0x7b,0x20,0x4e,0x64,0xb0,0x16,0xad,0x3c,0x01,0x1a,0xd3,0x54,0xbf, | |
58 | 0x2b,0xa4,0x02,0x9e,0xc3,0x0d,0x60,0x3d,0x1f,0xb9,0xc0,0x0d,0xe6,0x97,0x68, | |
59 | 0xbb,0x8c,0x81,0xd5,0xc1,0x54,0x96,0x0f,0x99,0xf0,0xa8,0xa2,0xf3,0xc6,0x8e, | |
60 | 0xec,0xbc,0x31,0x17,0x70,0x98,0x24,0xa3,0x36,0x51,0xa8,0x54,0xbd,0x9a,0x89, | |
61 | 0x99,0x6e,0x57,0x5e,0xd0,0x39,0x86,0xc3,0xa3,0x1b,0xc7,0xcf,0xc4,0x4f,0x47, | |
62 | 0x25,0x9e,0x2c,0x79,0xe1,0x2c,0xcc,0xe4,0x63,0xf4,0x02,0x84,0xf8,0xf6,0xa1, | |
63 | 0x5c,0x93,0x14,0xf2,0x68,0x5f,0x3a,0x90,0x2f,0x4e,0x5e,0xf9,0x16,0x05,0xcf, | |
64 | 0x21,0x63,0xca,0xfa,0xb0,0x08,0x02,0xc0 | |
65 | }; | |
66 | static const unsigned char cav_Xq1[] = { | |
67 | 0x9b,0x02,0xd4,0xba,0xf0,0xaa,0x14,0x99,0x6d,0xc0,0xb7,0xa5,0xe1,0xd3,0x70, | |
68 | 0xb6,0x5a,0xa2,0x9b,0x59,0xd5,0x8c,0x1e,0x9f,0x3f,0x9a,0xde,0xeb,0x9e,0x9c, | |
69 | 0x61,0xd6,0x5a,0xe1 | |
70 | }; | |
71 | static const unsigned char cav_Xq2[] = { | |
72 | 0x06,0x81,0x53,0xfd,0xa8,0x7b,0xa3,0x85,0x90,0x15,0x2c,0x97,0xb2,0xa0,0x17, | |
73 | 0x48,0xb0,0x7f,0x0a,0x01,0x6d | |
74 | }; | |
75 | /* expected values */ | |
76 | static const unsigned char cav_p1[] = { | |
77 | 0xac,0x5f,0x7f,0x6e,0x33,0x3e,0x97,0x3a,0xb3,0x17,0x44,0xa9,0x0f,0x7a,0x54, | |
78 | 0x70,0x27,0x06,0x93,0xd5,0x49,0xde,0x91,0x83,0xbc,0x8a,0x7b,0xc3 | |
79 | }; | |
80 | static const unsigned char cav_p2[] = { | |
81 | 0x0b,0xf6,0xe8,0x79,0x5a,0x81,0xae,0x90,0x1d,0xa4,0x38,0x74,0x9c,0x0e,0x6f, | |
82 | 0xe0,0x03,0xcf,0xc4,0x53,0x16,0x32,0x17,0xf7,0x09,0x5f,0xd9 | |
83 | }; | |
84 | static const unsigned char cav_q1[] = { | |
85 | 0x9b,0x02,0xd4,0xba,0xf0,0xaa,0x14,0x99,0x6d,0xc0,0xb7,0xa5,0xe1,0xd3,0x70, | |
86 | 0xb6,0x5a,0xa2,0x9b,0x59,0xd5,0x8c,0x1e,0x9f,0x3f,0x9a,0xde,0xeb,0x9e,0x9c, | |
87 | 0x61,0xd6,0x5d,0x47 | |
88 | }; | |
89 | static const unsigned char cav_q2[] = { | |
90 | 0x06,0x81,0x53,0xfd,0xa8,0x7b,0xa3,0x85,0x90,0x15,0x2c,0x97,0xb2,0xa0,0x17, | |
91 | 0x48,0xb0,0x7f,0x0a,0x01,0x8f | |
92 | }; | |
93 | static const unsigned char cav_p[] = { | |
94 | 0xcf,0x72,0x1b,0x9a,0xfd,0x0d,0x22,0x1a,0x74,0x50,0x97,0x22,0x76,0xd8,0xc0, | |
95 | 0xc2,0xfd,0x08,0x81,0x05,0xdd,0x18,0x21,0x99,0x96,0xd6,0x5c,0x79,0xe3,0x02, | |
96 | 0x81,0xd7,0x0e,0x3f,0x3b,0x34,0xda,0x61,0xc9,0x2d,0x84,0x86,0x62,0x1e,0x3d, | |
97 | 0x5d,0xbf,0x92,0x2e,0xcd,0x35,0x3d,0x6e,0xb9,0x59,0x16,0xc9,0x82,0x50,0x41, | |
98 | 0x30,0x45,0x67,0xaa,0xb7,0xbe,0xec,0xea,0x4b,0x9e,0xa0,0xc3,0x05,0xbc,0x4c, | |
99 | 0x01,0xa5,0x4b,0xbd,0xa4,0x20,0xb5,0x20,0xd5,0x59,0x6f,0x82,0x5c,0x8f,0x4f, | |
100 | 0xe0,0x3a,0x4e,0x7e,0xfe,0x44,0xf3,0x3c,0xc0,0x0e,0x14,0x2b,0x32,0xe6,0x28, | |
101 | 0x8b,0x63,0x87,0x00,0xc3,0x53,0x4a,0x5b,0x71,0x7a,0x5b,0x28,0x40,0xc4,0x18, | |
102 | 0xb6,0x77,0x0b,0xab,0x59,0xa4,0x96,0x7d | |
103 | }; | |
104 | static const unsigned char cav_q[] = { | |
105 | 0xfe,0xab,0xf2,0x7c,0x16,0x4a,0xf0,0x8d,0x31,0xc6,0x0a,0x82,0xe2,0xae,0xbb, | |
106 | 0x03,0x7e,0x7b,0x20,0x4e,0x64,0xb0,0x16,0xad,0x3c,0x01,0x1a,0xd3,0x54,0xbf, | |
107 | 0x2b,0xa4,0x02,0x9e,0xc3,0x0d,0x60,0x3d,0x1f,0xb9,0xc0,0x0d,0xe6,0x97,0x68, | |
108 | 0xbb,0x8c,0x81,0xd5,0xc1,0x54,0x96,0x0f,0x99,0xf0,0xa8,0xa2,0xf3,0xc6,0x8e, | |
109 | 0xec,0xbc,0x31,0x17,0x70,0x98,0x24,0xa3,0x36,0x51,0xa8,0x54,0xc4,0x44,0xdd, | |
110 | 0xf7,0x7e,0xda,0x47,0x4a,0x67,0x44,0x5d,0x4e,0x75,0xf0,0x4d,0x00,0x68,0xe1, | |
111 | 0x4a,0xec,0x1f,0x45,0xf9,0xe6,0xca,0x38,0x95,0x48,0x6f,0xdc,0x9d,0x1b,0xa3, | |
112 | 0x4b,0xfd,0x08,0x4b,0x54,0xcd,0xeb,0x3d,0xef,0x33,0x11,0x6e,0xce,0xe4,0x5d, | |
113 | 0xef,0xa9,0x58,0x5c,0x87,0x4d,0xc8,0xcf | |
114 | }; | |
115 | static const unsigned char cav_n[] = { | |
116 | 0xce,0x5e,0x8d,0x1a,0xa3,0x08,0x7a,0x2d,0xb4,0x49,0x48,0xf0,0x06,0xb6,0xfe, | |
117 | 0xba,0x2f,0x39,0x7c,0x7b,0xe0,0x5d,0x09,0x2d,0x57,0x4e,0x54,0x60,0x9c,0xe5, | |
118 | 0x08,0x4b,0xe1,0x1a,0x73,0xc1,0x5e,0x2f,0xb6,0x46,0xd7,0x81,0xca,0xbc,0x98, | |
119 | 0xd2,0xf9,0xef,0x1c,0x92,0x8c,0x8d,0x99,0x85,0x28,0x52,0xd6,0xd5,0xab,0x70, | |
120 | 0x7e,0x9e,0xa9,0x87,0x82,0xc8,0x95,0x64,0xeb,0xf0,0x6c,0x0f,0x3f,0xe9,0x02, | |
121 | 0x29,0x2e,0x6d,0xa1,0xec,0xbf,0xdc,0x23,0xdf,0x82,0x4f,0xab,0x39,0x8d,0xcc, | |
122 | 0xac,0x21,0x51,0x14,0xf8,0xef,0xec,0x73,0x80,0x86,0xa3,0xcf,0x8f,0xd5,0xcf, | |
123 | 0x22,0x1f,0xcc,0x23,0x2f,0xba,0xcb,0xf6,0x17,0xcd,0x3a,0x1f,0xd9,0x84,0xb9, | |
124 | 0x88,0xa7,0x78,0x0f,0xaa,0xc9,0x04,0x01,0x20,0x72,0x5d,0x2a,0xfe,0x5b,0xdd, | |
125 | 0x16,0x5a,0xed,0x83,0x02,0x96,0x39,0x46,0x37,0x30,0xc1,0x0d,0x87,0xc2,0xc8, | |
126 | 0x33,0x38,0xed,0x35,0x72,0xe5,0x29,0xf8,0x1f,0x23,0x60,0xe1,0x2a,0x5b,0x1d, | |
127 | 0x6b,0x53,0x3f,0x07,0xc4,0xd9,0xbb,0x04,0x0c,0x5c,0x3f,0x0b,0xc4,0xd4,0x61, | |
128 | 0x96,0x94,0xf1,0x0f,0x4a,0x49,0xac,0xde,0xd2,0xe8,0x42,0xb3,0x4a,0x0b,0x64, | |
129 | 0x7a,0x32,0x5f,0x2b,0x5b,0x0f,0x8b,0x8b,0xe0,0x33,0x23,0x34,0x64,0xf8,0xb5, | |
130 | 0x7f,0x69,0x60,0xb8,0x71,0xe9,0xff,0x92,0x42,0xb1,0xf7,0x23,0xa8,0xa7,0x92, | |
131 | 0x04,0x3d,0x6b,0xff,0xf7,0xab,0xbb,0x14,0x1f,0x4c,0x10,0x97,0xd5,0x6b,0x71, | |
132 | 0x12,0xfd,0x93,0xa0,0x4a,0x3b,0x75,0x72,0x40,0x96,0x1c,0x5f,0x40,0x40,0x57, | |
133 | 0x13 | |
134 | }; | |
135 | static const unsigned char cav_d[] = { | |
136 | 0x47,0x47,0x49,0x1d,0x66,0x2a,0x4b,0x68,0xf5,0xd8,0x4a,0x24,0xfd,0x6c,0xbf, | |
137 | 0x56,0xb7,0x70,0xf7,0x9a,0x21,0xc8,0x80,0x9e,0xf4,0x84,0xcd,0x88,0x01,0x28, | |
138 | 0xea,0x50,0xab,0x13,0x63,0xdf,0xea,0x14,0x38,0xb5,0x07,0x42,0x81,0x2f,0xda, | |
139 | 0xe9,0x24,0x02,0x7e,0xaf,0xef,0x74,0x09,0x0e,0x80,0xfa,0xfb,0xd1,0x19,0x41, | |
140 | 0xe5,0xba,0x0f,0x7c,0x0a,0xa4,0x15,0x55,0xa2,0x58,0x8c,0x3a,0x48,0x2c,0xc6, | |
141 | 0xde,0x4a,0x76,0xfb,0x72,0xb6,0x61,0xe6,0xd2,0x10,0x44,0x4c,0x33,0xb8,0xd2, | |
142 | 0x74,0xb1,0x9d,0x3b,0xcd,0x2f,0xb1,0x4f,0xc3,0x98,0xbd,0x83,0xb7,0x7e,0x75, | |
143 | 0xe8,0xa7,0x6a,0xee,0xcc,0x51,0x8c,0x99,0x17,0x67,0x7f,0x27,0xf9,0x0d,0x6a, | |
144 | 0xb7,0xd4,0x80,0x17,0x89,0x39,0x9c,0xf3,0xd7,0x0f,0xdf,0xb0,0x55,0x80,0x1d, | |
145 | 0xaf,0x57,0x2e,0xd0,0xf0,0x4f,0x42,0x69,0x55,0xbc,0x83,0xd6,0x97,0x83,0x7a, | |
146 | 0xe6,0xc6,0x30,0x6d,0x3d,0xb5,0x21,0xa7,0xc4,0x62,0x0a,0x20,0xce,0x5e,0x5a, | |
147 | 0x17,0x98,0xb3,0x6f,0x6b,0x9a,0xeb,0x6b,0xa3,0xc4,0x75,0xd8,0x2b,0xdc,0x5c, | |
148 | 0x6f,0xec,0x5d,0x49,0xac,0xa8,0xa4,0x2f,0xb8,0x8c,0x4f,0x2e,0x46,0x21,0xee, | |
149 | 0x72,0x6a,0x0e,0x22,0x80,0x71,0xc8,0x76,0x40,0x44,0x61,0x16,0xbf,0xa5,0xf8, | |
150 | 0x89,0xc7,0xe9,0x87,0xdf,0xbd,0x2e,0x4b,0x4e,0xc2,0x97,0x53,0xe9,0x49,0x1c, | |
151 | 0x05,0xb0,0x0b,0x9b,0x9f,0x21,0x19,0x41,0xe9,0xf5,0x61,0xd7,0x33,0x2e,0x2c, | |
152 | 0x94,0xb8,0xa8,0x9a,0x3a,0xcc,0x6a,0x24,0x8d,0x19,0x13,0xee,0xb9,0xb0,0x48, | |
153 | 0x61 | |
154 | }; | |
155 | ||
156 | /* helper function */ | |
157 | static BIGNUM *bn_load_new(const unsigned char *data, int sz) | |
158 | { | |
159 | BIGNUM *ret = BN_new(); | |
160 | if (ret != NULL) | |
161 | BN_bin2bn(data, sz, ret); | |
162 | return ret; | |
163 | } | |
164 | ||
165 | /* helper function */ | |
166 | static BIGNUM *bn_load(BN_CTX *ctx, const unsigned char *data, int sz) | |
167 | { | |
168 | BIGNUM *ret = BN_CTX_get(ctx); | |
169 | if (ret != NULL) | |
170 | BN_bin2bn(data, sz, ret); | |
171 | return ret; | |
172 | } | |
173 | ||
174 | static int test_check_public_exponent(void) | |
175 | { | |
176 | int ret = 0; | |
177 | BIGNUM *e = NULL; | |
178 | ||
179 | ret = TEST_ptr(e = BN_new()) | |
180 | /* e is too small */ | |
181 | && TEST_true(BN_set_word(e, 65535)) | |
182 | && TEST_false(rsa_check_public_exponent(e)) | |
183 | /* e is even will fail */ | |
184 | && TEST_true(BN_set_word(e, 65536)) | |
185 | && TEST_false(rsa_check_public_exponent(e)) | |
186 | /* e is ok */ | |
187 | && TEST_true(BN_set_word(e, 65537)) | |
188 | && TEST_true(rsa_check_public_exponent(e)) | |
189 | /* e = 2^256 is too big */ | |
190 | && TEST_true(BN_lshift(e, BN_value_one(), 256)) | |
191 | && TEST_false(rsa_check_public_exponent(e)) | |
192 | /* e = 2^256-1 is odd and in range */ | |
193 | && TEST_true(BN_sub(e, e, BN_value_one())) | |
194 | && TEST_true(rsa_check_public_exponent(e)); | |
195 | BN_free(e); | |
196 | return ret; | |
197 | } | |
198 | ||
199 | static int test_check_prime_factor_range(void) | |
200 | { | |
201 | int ret = 0; | |
202 | BN_CTX *ctx = NULL; | |
203 | BIGNUM *p = NULL; | |
204 | BIGNUM *bn_p1 = NULL, *bn_p2 = NULL, *bn_p3 = NULL, *bn_p4 = NULL; | |
205 | /* Some range checks that are larger than 32 bits */ | |
206 | static const unsigned char p1[] = { 0x0B, 0x50, 0x4F, 0x33, 0x3F }; | |
207 | static const unsigned char p2[] = { 0x10, 0x00, 0x00, 0x00, 0x00 }; | |
208 | static const unsigned char p3[] = { 0x0B, 0x50, 0x4F, 0x33, 0x40 }; | |
209 | static const unsigned char p4[] = { 0x0F, 0xFF, 0xFF, 0xFF, 0xFF }; | |
210 | ||
211 | /* (√2)(2^(nbits/2 - 1) <= p <= 2^(nbits/2) - 1 | |
212 | * For 8 bits: 0xB.504F <= p <= 0xF | |
213 | * for 72 bits: 0xB504F333F. <= p <= 0xF_FFFF_FFFF | |
214 | */ | |
215 | ret = TEST_ptr(p = BN_new()) | |
216 | && TEST_ptr(bn_p1 = bn_load_new(p1, sizeof(p1))) | |
217 | && TEST_ptr(bn_p2 = bn_load_new(p2, sizeof(p2))) | |
218 | && TEST_ptr(bn_p3 = bn_load_new(p3, sizeof(p3))) | |
219 | && TEST_ptr(bn_p4 = bn_load_new(p4, sizeof(p4))) | |
220 | && TEST_ptr(ctx = BN_CTX_new()) | |
221 | && TEST_true(BN_set_word(p, 0xA)) | |
222 | && TEST_false(rsa_check_prime_factor_range(p, 8, ctx)) | |
223 | && TEST_true(BN_set_word(p, 0x10)) | |
224 | && TEST_false(rsa_check_prime_factor_range(p, 8, ctx)) | |
225 | && TEST_true(BN_set_word(p, 0xB)) | |
226 | && TEST_true(rsa_check_prime_factor_range(p, 8, ctx)) | |
227 | && TEST_true(BN_set_word(p, 0xF)) | |
228 | && TEST_true(rsa_check_prime_factor_range(p, 8, ctx)) | |
229 | && TEST_false(rsa_check_prime_factor_range(bn_p1, 72, ctx)) | |
230 | && TEST_false(rsa_check_prime_factor_range(bn_p2, 72, ctx)) | |
231 | && TEST_true(rsa_check_prime_factor_range(bn_p3, 72, ctx)) | |
232 | && TEST_true(rsa_check_prime_factor_range(bn_p4, 72, ctx)); | |
233 | ||
234 | BN_free(bn_p4); | |
235 | BN_free(bn_p3); | |
236 | BN_free(bn_p2); | |
237 | BN_free(bn_p1); | |
238 | BN_free(p); | |
239 | BN_CTX_free(ctx); | |
240 | return ret; | |
241 | } | |
242 | ||
243 | static int test_check_prime_factor(void) | |
244 | { | |
245 | int ret = 0; | |
246 | BN_CTX *ctx = NULL; | |
247 | BIGNUM *p = NULL, *e = NULL; | |
248 | BIGNUM *bn_p1 = NULL, *bn_p2 = NULL, *bn_p3 = NULL; | |
249 | ||
250 | /* Some range checks that are larger than 32 bits */ | |
251 | static const unsigned char p1[] = { 0x0B, 0x50, 0x4f, 0x33, 0x73 }; | |
252 | static const unsigned char p2[] = { 0x0B, 0x50, 0x4f, 0x33, 0x75 }; | |
253 | static const unsigned char p3[] = { 0x0F, 0x50, 0x00, 0x03, 0x75 }; | |
254 | ||
255 | ret = TEST_ptr(p = BN_new()) | |
256 | && TEST_ptr(bn_p1 = bn_load_new(p1, sizeof(p1))) | |
257 | && TEST_ptr(bn_p2 = bn_load_new(p2, sizeof(p2))) | |
258 | && TEST_ptr(bn_p3 = bn_load_new(p3, sizeof(p3))) | |
259 | && TEST_ptr(e = BN_new()) | |
260 | && TEST_ptr(ctx = BN_CTX_new()) | |
261 | /* Fails the prime test */ | |
262 | && TEST_true(BN_set_word(e, 0x1)) | |
263 | && TEST_false(rsa_check_prime_factor(bn_p1, e, 72, ctx)) | |
264 | /* p is prime and in range and gcd(p-1, e) = 1 */ | |
265 | && TEST_true(rsa_check_prime_factor(bn_p2, e, 72, ctx)) | |
266 | /* gcd(p-1,e) = 1 test fails */ | |
267 | && TEST_true(BN_set_word(e, 0x2)) | |
268 | && TEST_false(rsa_check_prime_factor(p, e, 72, ctx)) | |
269 | /* p fails the range check */ | |
270 | && TEST_true(BN_set_word(e, 0x1)) | |
271 | && TEST_false(rsa_check_prime_factor(bn_p3, e, 72, ctx)); | |
272 | ||
273 | BN_free(bn_p3); | |
274 | BN_free(bn_p2); | |
275 | BN_free(bn_p1); | |
276 | BN_free(e); | |
277 | BN_free(p); | |
278 | BN_CTX_free(ctx); | |
279 | return ret; | |
280 | } | |
281 | ||
282 | static int test_check_private_exponent(void) | |
283 | { | |
284 | int ret = 0; | |
285 | RSA *key = NULL; | |
286 | BN_CTX *ctx = NULL; | |
287 | BIGNUM *p = NULL, *q = NULL, *e = NULL, *d = NULL, *n = NULL; | |
288 | ||
289 | ret = TEST_ptr(key = RSA_new()) | |
290 | && TEST_ptr(ctx = BN_CTX_new()) | |
291 | && TEST_ptr(p = BN_new()) | |
292 | && TEST_ptr(q = BN_new()) | |
8240d5fa SL |
293 | /* lcm(15-1,17-1) = 14*16 / 2 = 112 */ |
294 | && TEST_true(BN_set_word(p, 15)) | |
295 | && TEST_true(BN_set_word(q, 17)) | |
a12864a5 SL |
296 | && TEST_true(RSA_set0_factors(key, p, q)); |
297 | if (!ret) { | |
298 | BN_free(p); | |
299 | BN_free(q); | |
300 | goto end; | |
301 | } | |
302 | ||
303 | ret = TEST_ptr(e = BN_new()) | |
304 | && TEST_ptr(d = BN_new()) | |
305 | && TEST_ptr(n = BN_new()) | |
8240d5fa SL |
306 | && TEST_true(BN_set_word(e, 5)) |
307 | && TEST_true(BN_set_word(d, 157)) | |
308 | && TEST_true(BN_set_word(n, 15*17)) | |
a12864a5 SL |
309 | && TEST_true(RSA_set0_key(key, n, e, d)); |
310 | if (!ret) { | |
311 | BN_free(e); | |
312 | BN_free(d); | |
313 | BN_free(n); | |
314 | goto end; | |
315 | } | |
316 | /* fails since d >= lcm(p-1, q-1) */ | |
317 | ret = TEST_false(rsa_check_private_exponent(key, 8, ctx)) | |
8240d5fa SL |
318 | && TEST_true(BN_set_word(d, 45)) |
319 | /* d is correct size and 1 = e.d mod lcm(p-1, q-1) */ | |
320 | && TEST_true(rsa_check_private_exponent(key, 8, ctx)) | |
321 | /* d is too small compared to nbits */ | |
322 | && TEST_false(rsa_check_private_exponent(key, 16, ctx)) | |
323 | /* d is too small compared to nbits */ | |
324 | && TEST_true(BN_set_word(d, 16)) | |
325 | && TEST_false(rsa_check_private_exponent(key, 8, ctx)) | |
326 | /* fail if 1 != e.d mod lcm(p-1, q-1) */ | |
327 | && TEST_true(BN_set_word(d, 46)) | |
328 | && TEST_false(rsa_check_private_exponent(key, 8, ctx)); | |
a12864a5 | 329 | end: |
8240d5fa SL |
330 | RSA_free(key); |
331 | BN_CTX_free(ctx); | |
332 | return ret; | |
333 | } | |
334 | ||
335 | static int test_check_crt_components(void) | |
336 | { | |
337 | const int P = 15; | |
338 | const int Q = 17; | |
339 | const int E = 5; | |
340 | const int N = P*Q; | |
341 | const int DP = 3; | |
342 | const int DQ = 13; | |
343 | const int QINV = 8; | |
344 | ||
345 | int ret = 0; | |
346 | RSA *key = NULL; | |
347 | BN_CTX *ctx = NULL; | |
348 | BIGNUM *p = NULL, *q = NULL, *e = NULL; | |
349 | ||
350 | ret = TEST_ptr(key = RSA_new()) | |
351 | && TEST_ptr(ctx = BN_CTX_new()) | |
352 | && TEST_ptr(p = BN_new()) | |
353 | && TEST_ptr(q = BN_new()) | |
354 | && TEST_ptr(e = BN_new()) | |
355 | && TEST_true(BN_set_word(p, P)) | |
356 | && TEST_true(BN_set_word(q, Q)) | |
357 | && TEST_true(BN_set_word(e, E)) | |
a12864a5 SL |
358 | && TEST_true(RSA_set0_factors(key, p, q)); |
359 | if (!ret) { | |
360 | BN_free(p); | |
361 | BN_free(q); | |
362 | goto end; | |
363 | } | |
364 | ret = TEST_true(rsa_sp800_56b_derive_params_from_pq(key, 8, e, ctx)) | |
8240d5fa SL |
365 | && TEST_BN_eq_word(key->n, N) |
366 | && TEST_BN_eq_word(key->dmp1, DP) | |
367 | && TEST_BN_eq_word(key->dmq1, DQ) | |
368 | && TEST_BN_eq_word(key->iqmp, QINV) | |
369 | && TEST_true(rsa_check_crt_components(key, ctx)) | |
370 | /* (a) 1 < dP < (p – 1). */ | |
371 | && TEST_true(BN_set_word(key->dmp1, 1)) | |
372 | && TEST_false(rsa_check_crt_components(key, ctx)) | |
373 | && TEST_true(BN_set_word(key->dmp1, P-1)) | |
374 | && TEST_false(rsa_check_crt_components(key, ctx)) | |
375 | && TEST_true(BN_set_word(key->dmp1, DP)) | |
376 | /* (b) 1 < dQ < (q - 1). */ | |
377 | && TEST_true(BN_set_word(key->dmq1, 1)) | |
378 | && TEST_false(rsa_check_crt_components(key, ctx)) | |
379 | && TEST_true(BN_set_word(key->dmq1, Q-1)) | |
380 | && TEST_false(rsa_check_crt_components(key, ctx)) | |
381 | && TEST_true(BN_set_word(key->dmq1, DQ)) | |
382 | /* (c) 1 < qInv < p */ | |
383 | && TEST_true(BN_set_word(key->iqmp, 1)) | |
384 | && TEST_false(rsa_check_crt_components(key, ctx)) | |
385 | && TEST_true(BN_set_word(key->iqmp, P)) | |
386 | && TEST_false(rsa_check_crt_components(key, ctx)) | |
387 | && TEST_true(BN_set_word(key->iqmp, QINV)) | |
388 | /* (d) 1 = (dP . e) mod (p - 1)*/ | |
389 | && TEST_true(BN_set_word(key->dmp1, DP+1)) | |
390 | && TEST_false(rsa_check_crt_components(key, ctx)) | |
391 | && TEST_true(BN_set_word(key->dmp1, DP)) | |
392 | /* (e) 1 = (dQ . e) mod (q - 1) */ | |
393 | && TEST_true(BN_set_word(key->dmq1, DQ-1)) | |
394 | && TEST_false(rsa_check_crt_components(key, ctx)) | |
395 | && TEST_true(BN_set_word(key->dmq1, DQ)) | |
396 | /* (f) 1 = (qInv . q) mod p */ | |
397 | && TEST_true(BN_set_word(key->iqmp, QINV+1)) | |
398 | && TEST_false(rsa_check_crt_components(key, ctx)) | |
399 | && TEST_true(BN_set_word(key->iqmp, QINV)) | |
400 | /* check defaults are still valid */ | |
401 | && TEST_true(rsa_check_crt_components(key, ctx)); | |
a12864a5 | 402 | end: |
8240d5fa SL |
403 | BN_free(e); |
404 | RSA_free(key); | |
405 | BN_CTX_free(ctx); | |
406 | return ret; | |
407 | } | |
408 | ||
409 | static int test_pq_diff(void) | |
410 | { | |
411 | int ret = 0; | |
412 | BIGNUM *tmp = NULL, *p = NULL, *q = NULL; | |
413 | ||
414 | ret = TEST_ptr(tmp = BN_new()) | |
415 | && TEST_ptr(p = BN_new()) | |
416 | && TEST_ptr(q = BN_new()) | |
417 | /* |1-(2+1)| > 2^1 */ | |
418 | && TEST_true(BN_set_word(p, 1)) | |
419 | && TEST_true(BN_set_word(q, 1+2)) | |
420 | && TEST_false(rsa_check_pminusq_diff(tmp, p, q, 202)) | |
421 | /* Check |p - q| > 2^(nbits/2 - 100) */ | |
422 | && TEST_true(BN_set_word(q, 1+3)) | |
423 | && TEST_true(rsa_check_pminusq_diff(tmp, p, q, 202)) | |
424 | && TEST_true(BN_set_word(p, 1+3)) | |
425 | && TEST_true(BN_set_word(q, 1)) | |
426 | && TEST_true(rsa_check_pminusq_diff(tmp, p, q, 202)); | |
427 | BN_free(p); | |
428 | BN_free(q); | |
429 | BN_free(tmp); | |
430 | return ret; | |
431 | } | |
432 | ||
433 | static int test_invalid_keypair(void) | |
434 | { | |
435 | int ret = 0; | |
436 | RSA *key = NULL; | |
437 | BN_CTX *ctx = NULL; | |
438 | BIGNUM *p = NULL, *q = NULL, *n = NULL, *e = NULL, *d = NULL; | |
439 | ||
440 | ret = TEST_ptr(key = RSA_new()) | |
441 | && TEST_ptr(ctx = BN_CTX_new()) | |
442 | /* NULL parameters */ | |
443 | && TEST_false(rsa_sp800_56b_check_keypair(key, NULL, -1, 2048)) | |
444 | /* load key */ | |
445 | && TEST_ptr(p = bn_load_new(cav_p, sizeof(cav_p))) | |
446 | && TEST_ptr(q = bn_load_new(cav_q, sizeof(cav_q))) | |
a12864a5 SL |
447 | && TEST_true(RSA_set0_factors(key, p, q)); |
448 | if (!ret) { | |
449 | BN_free(p); | |
450 | BN_free(q); | |
451 | goto end; | |
452 | } | |
453 | ||
454 | ret = TEST_ptr(e = bn_load_new(cav_e, sizeof(cav_e))) | |
8240d5fa SL |
455 | && TEST_ptr(n = bn_load_new(cav_n, sizeof(cav_n))) |
456 | && TEST_ptr(d = bn_load_new(cav_d, sizeof(cav_d))) | |
a12864a5 SL |
457 | && TEST_true(RSA_set0_key(key, n, e, d)); |
458 | if (!ret) { | |
459 | BN_free(e); | |
460 | BN_free(n); | |
461 | BN_free(d); | |
462 | goto end; | |
463 | } | |
8240d5fa | 464 | /* bad strength/key size */ |
a12864a5 | 465 | ret = TEST_false(rsa_sp800_56b_check_keypair(key, NULL, 100, 2048)) |
8240d5fa SL |
466 | && TEST_false(rsa_sp800_56b_check_keypair(key, NULL, 112, 1024)) |
467 | && TEST_false(rsa_sp800_56b_check_keypair(key, NULL, 128, 2048)) | |
468 | && TEST_false(rsa_sp800_56b_check_keypair(key, NULL, 140, 3072)) | |
469 | /* mismatching exponent */ | |
470 | && TEST_false(rsa_sp800_56b_check_keypair(key, BN_value_one(), -1, | |
471 | 2048)) | |
472 | /* bad exponent */ | |
473 | && TEST_true(BN_add_word(e, 1)) | |
474 | && TEST_false(rsa_sp800_56b_check_keypair(key, NULL, -1, | |
475 | 2048)) | |
476 | && TEST_true(BN_sub_word(e, 1)) | |
477 | ||
478 | /* mismatch between bits and modulus */ | |
479 | && TEST_false(rsa_sp800_56b_check_keypair(key, NULL, -1, 3072)) | |
480 | && TEST_true(rsa_sp800_56b_check_keypair(key, e, 112, 2048)) | |
481 | /* check n == pq failure */ | |
482 | && TEST_true(BN_add_word(n, 1)) | |
483 | && TEST_false(rsa_sp800_56b_check_keypair(key, NULL, -1, 2048)) | |
484 | && TEST_true(BN_sub_word(n, 1)) | |
485 | /* check p */ | |
486 | && TEST_true(BN_sub_word(p, 2)) | |
487 | && TEST_true(BN_mul(n, p, q, ctx)) | |
488 | && TEST_false(rsa_sp800_56b_check_keypair(key, NULL, -1, 2048)) | |
489 | && TEST_true(BN_add_word(p, 2)) | |
490 | && TEST_true(BN_mul(n, p, q, ctx)) | |
491 | /* check q */ | |
492 | && TEST_true(BN_sub_word(q, 2)) | |
493 | && TEST_true(BN_mul(n, p, q, ctx)) | |
494 | && TEST_false(rsa_sp800_56b_check_keypair(key, NULL, -1, 2048)) | |
495 | && TEST_true(BN_add_word(q, 2)) | |
496 | && TEST_true(BN_mul(n, p, q, ctx)); | |
a12864a5 | 497 | end: |
8240d5fa SL |
498 | RSA_free(key); |
499 | BN_CTX_free(ctx); | |
500 | return ret; | |
501 | } | |
502 | ||
503 | static int test_fips1864_keygen_kat(void) | |
504 | { | |
505 | int ret = 0; | |
506 | RSA *key = NULL; | |
507 | BN_CTX *ctx = NULL; | |
508 | BIGNUM *e, *Xp, *Xp1, *Xp2, *Xq, *Xq1, *Xq2; | |
509 | BIGNUM *p1, *p2, *q1, *q2; | |
510 | BIGNUM *p1_exp, *p2_exp, *q1_exp, *q2_exp; | |
511 | BIGNUM *p_exp, *q_exp, *n_exp, *d_exp; | |
512 | const BIGNUM *p, *q, *n, *d, *e2; | |
513 | ||
514 | if (!(TEST_ptr(key = RSA_new()) && TEST_ptr(ctx = BN_CTX_new()))) | |
515 | goto err; | |
516 | BN_CTX_start(ctx); | |
517 | ||
518 | e = bn_load(ctx, cav_e, sizeof(cav_e)); | |
519 | Xp = bn_load(ctx, cav_Xp, sizeof(cav_Xp)); | |
520 | Xp1 = bn_load(ctx, cav_Xp1, sizeof(cav_Xp1)); | |
521 | Xp2 = bn_load(ctx, cav_Xp2, sizeof(cav_Xp2)); | |
522 | Xq = bn_load(ctx, cav_Xq, sizeof(cav_Xq)); | |
523 | Xq1 = bn_load(ctx, cav_Xq1, sizeof(cav_Xq1)); | |
524 | Xq2 = bn_load(ctx, cav_Xq2, sizeof(cav_Xq2)); | |
525 | p1_exp = bn_load(ctx, cav_p1, sizeof(cav_p1)); | |
526 | p2_exp = bn_load(ctx, cav_p2, sizeof(cav_p2)); | |
527 | q1_exp = bn_load(ctx, cav_q1, sizeof(cav_q1)); | |
528 | q2_exp = bn_load(ctx, cav_q2, sizeof(cav_q2)); | |
529 | p_exp = bn_load(ctx, cav_p, sizeof(cav_p)); | |
530 | q_exp = bn_load(ctx, cav_q, sizeof(cav_q)); | |
531 | n_exp = bn_load(ctx, cav_n, sizeof(cav_n)); | |
532 | d_exp = bn_load(ctx, cav_d, sizeof(cav_d)); | |
533 | p1 = BN_CTX_get(ctx); | |
534 | p2 = BN_CTX_get(ctx); | |
535 | q1 = BN_CTX_get(ctx); | |
536 | q2 = BN_CTX_get(ctx); | |
537 | ret = TEST_ptr(q2) | |
538 | && TEST_true(rsa_fips186_4_gen_prob_primes(key, p1, p2, NULL, Xp, Xp1, | |
539 | Xp2, q1, q2, NULL, Xq, Xq1, | |
540 | Xq2, 2048, e, ctx, NULL)) | |
541 | && TEST_true(rsa_sp800_56b_derive_params_from_pq(key, 2048, e, ctx)) | |
542 | && TEST_BN_eq(p1_exp, p1) | |
543 | && TEST_BN_eq(p2_exp, p2) | |
544 | && TEST_BN_eq(q1_exp, q1) | |
545 | && TEST_BN_eq(q2_exp, q2); | |
546 | if (!ret) | |
547 | goto err; | |
548 | ||
549 | RSA_get0_key(key, &n, &e2, &d); | |
550 | RSA_get0_factors(key, &p, &q); | |
551 | ret = TEST_BN_eq(e, e2) | |
552 | && TEST_BN_eq(p_exp, p) | |
553 | && TEST_BN_eq(q_exp, q) | |
554 | && TEST_BN_eq(n_exp, n) | |
555 | && TEST_BN_eq(d_exp, d); | |
556 | err: | |
557 | RSA_free(key); | |
558 | BN_CTX_end(ctx); | |
559 | BN_CTX_free(ctx); | |
560 | return ret; | |
561 | } | |
562 | ||
563 | ||
564 | static int keygen_size[] = | |
565 | { | |
566 | 2048, 3072 | |
567 | }; | |
568 | ||
569 | static int test_sp80056b_keygen(int id) | |
570 | { | |
571 | RSA *key = NULL; | |
572 | int ret; | |
573 | int sz = keygen_size[id]; | |
574 | ||
575 | ret = TEST_ptr(key = RSA_new()) | |
576 | && TEST_true(rsa_sp800_56b_generate_key(key, sz, NULL, NULL)) | |
577 | && TEST_true(rsa_sp800_56b_check_public(key)) | |
578 | && TEST_true(rsa_sp800_56b_check_private(key)) | |
579 | && TEST_true(rsa_sp800_56b_check_keypair(key, NULL, -1, sz)); | |
580 | ||
581 | RSA_free(key); | |
582 | return ret; | |
583 | } | |
584 | ||
585 | static int test_check_private_key(void) | |
586 | { | |
587 | int ret = 0; | |
588 | BIGNUM *n = NULL, *d = NULL, *e = NULL; | |
589 | RSA *key = NULL; | |
590 | ||
591 | ret = TEST_ptr(key = RSA_new()) | |
592 | /* check NULL pointers fail */ | |
593 | && TEST_false(rsa_sp800_56b_check_private(key)) | |
594 | /* load private key */ | |
595 | && TEST_ptr(n = bn_load_new(cav_n, sizeof(cav_n))) | |
596 | && TEST_ptr(d = bn_load_new(cav_d, sizeof(cav_d))) | |
597 | && TEST_ptr(e = bn_load_new(cav_e, sizeof(cav_e))) | |
a12864a5 SL |
598 | && TEST_true(RSA_set0_key(key, n, e, d)); |
599 | if (!ret) { | |
600 | BN_free(n); | |
601 | BN_free(e); | |
602 | BN_free(d); | |
603 | goto end; | |
604 | } | |
605 | /* check d is in range */ | |
606 | ret = TEST_true(rsa_sp800_56b_check_private(key)) | |
8240d5fa SL |
607 | /* check d is too low */ |
608 | && TEST_true(BN_set_word(d, 0)) | |
609 | && TEST_false(rsa_sp800_56b_check_private(key)) | |
610 | /* check d is too high */ | |
611 | && TEST_ptr(BN_copy(d, n)) | |
612 | && TEST_false(rsa_sp800_56b_check_private(key)); | |
a12864a5 | 613 | end: |
8240d5fa SL |
614 | RSA_free(key); |
615 | return ret; | |
616 | } | |
617 | ||
618 | static int test_check_public_key(void) | |
619 | { | |
620 | int ret = 0; | |
621 | BIGNUM *n = NULL, *e = NULL; | |
622 | RSA *key = NULL; | |
623 | ||
624 | ret = TEST_ptr(key = RSA_new()) | |
625 | /* check NULL pointers fail */ | |
626 | && TEST_false(rsa_sp800_56b_check_public(key)) | |
627 | /* load public key */ | |
628 | && TEST_ptr(e = bn_load_new(cav_e, sizeof(cav_e))) | |
629 | && TEST_ptr(n = bn_load_new(cav_n, sizeof(cav_n))) | |
a12864a5 SL |
630 | && TEST_true(RSA_set0_key(key, n, e, NULL)); |
631 | if (!ret) { | |
632 | BN_free(e); | |
633 | BN_free(n); | |
634 | goto end; | |
635 | } | |
636 | /* check public key is valid */ | |
637 | ret = TEST_true(rsa_sp800_56b_check_public(key)) | |
8240d5fa SL |
638 | /* check fail if n is even */ |
639 | && TEST_true(BN_add_word(n, 1)) | |
640 | && TEST_false(rsa_sp800_56b_check_public(key)) | |
641 | && TEST_true(BN_sub_word(n, 1)) | |
642 | /* check fail if n is wrong number of bits */ | |
643 | && TEST_true(BN_lshift1(n, n)) | |
644 | && TEST_false(rsa_sp800_56b_check_public(key)) | |
645 | && TEST_true(BN_rshift1(n, n)) | |
646 | /* test odd exponent fails */ | |
647 | && TEST_true(BN_add_word(e, 1)) | |
648 | && TEST_false(rsa_sp800_56b_check_public(key)) | |
649 | && TEST_true(BN_sub_word(e, 1)) | |
650 | /* modulus fails composite check */ | |
651 | && TEST_true(BN_add_word(n, 2)) | |
652 | && TEST_false(rsa_sp800_56b_check_public(key)); | |
a12864a5 | 653 | end: |
8240d5fa SL |
654 | RSA_free(key); |
655 | return ret; | |
656 | } | |
657 | ||
658 | int setup_tests(void) | |
659 | { | |
660 | ADD_TEST(test_check_public_exponent); | |
661 | ADD_TEST(test_check_prime_factor_range); | |
662 | ADD_TEST(test_check_prime_factor); | |
663 | ADD_TEST(test_check_private_exponent); | |
664 | ADD_TEST(test_check_crt_components); | |
665 | ADD_TEST(test_check_private_key); | |
666 | ADD_TEST(test_check_public_key); | |
667 | ADD_TEST(test_invalid_keypair); | |
668 | ADD_TEST(test_pq_diff); | |
669 | ADD_TEST(test_fips1864_keygen_kat); | |
670 | ADD_ALL_TESTS(test_sp80056b_keygen, (int)OSSL_NELEM(keygen_size)); | |
671 | return 1; | |
672 | } | |
673 | #endif |