]>
Commit | Line | Data |
---|---|---|
8240d5fa | 1 | /* |
da1c088f | 2 | * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved. |
8240d5fa | 3 | * |
a6ed19dc | 4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
8240d5fa SL |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ | |
9 | ||
d7e498ac RL |
10 | /* |
11 | * RSA low level APIs are deprecated for public use, but still ok for | |
12 | * internal use. | |
13 | */ | |
14 | #include "internal/deprecated.h" | |
15 | ||
8240d5fa SL |
16 | #include <stdio.h> |
17 | #include <string.h> | |
18 | ||
19 | #include "internal/nelem.h" | |
20 | ||
21 | #include <openssl/crypto.h> | |
22 | #include <openssl/err.h> | |
23 | #include <openssl/rand.h> | |
24 | #include <openssl/bn.h> | |
25 | ||
26 | #include "testutil.h" | |
27 | ||
3a1ee3c1 RL |
28 | #include "rsa_local.h" |
29 | #include <openssl/rsa.h> | |
8240d5fa SL |
30 | |
31 | /* taken from RSA2 cavs data */ | |
32 | static const unsigned char cav_e[] = { | |
33 | 0x01,0x00,0x01 | |
34 | }; | |
8240d5fa SL |
35 | static const unsigned char cav_p[] = { |
36 | 0xcf,0x72,0x1b,0x9a,0xfd,0x0d,0x22,0x1a,0x74,0x50,0x97,0x22,0x76,0xd8,0xc0, | |
37 | 0xc2,0xfd,0x08,0x81,0x05,0xdd,0x18,0x21,0x99,0x96,0xd6,0x5c,0x79,0xe3,0x02, | |
38 | 0x81,0xd7,0x0e,0x3f,0x3b,0x34,0xda,0x61,0xc9,0x2d,0x84,0x86,0x62,0x1e,0x3d, | |
39 | 0x5d,0xbf,0x92,0x2e,0xcd,0x35,0x3d,0x6e,0xb9,0x59,0x16,0xc9,0x82,0x50,0x41, | |
40 | 0x30,0x45,0x67,0xaa,0xb7,0xbe,0xec,0xea,0x4b,0x9e,0xa0,0xc3,0x05,0xbc,0x4c, | |
41 | 0x01,0xa5,0x4b,0xbd,0xa4,0x20,0xb5,0x20,0xd5,0x59,0x6f,0x82,0x5c,0x8f,0x4f, | |
42 | 0xe0,0x3a,0x4e,0x7e,0xfe,0x44,0xf3,0x3c,0xc0,0x0e,0x14,0x2b,0x32,0xe6,0x28, | |
43 | 0x8b,0x63,0x87,0x00,0xc3,0x53,0x4a,0x5b,0x71,0x7a,0x5b,0x28,0x40,0xc4,0x18, | |
44 | 0xb6,0x77,0x0b,0xab,0x59,0xa4,0x96,0x7d | |
45 | }; | |
46 | static const unsigned char cav_q[] = { | |
47 | 0xfe,0xab,0xf2,0x7c,0x16,0x4a,0xf0,0x8d,0x31,0xc6,0x0a,0x82,0xe2,0xae,0xbb, | |
48 | 0x03,0x7e,0x7b,0x20,0x4e,0x64,0xb0,0x16,0xad,0x3c,0x01,0x1a,0xd3,0x54,0xbf, | |
49 | 0x2b,0xa4,0x02,0x9e,0xc3,0x0d,0x60,0x3d,0x1f,0xb9,0xc0,0x0d,0xe6,0x97,0x68, | |
50 | 0xbb,0x8c,0x81,0xd5,0xc1,0x54,0x96,0x0f,0x99,0xf0,0xa8,0xa2,0xf3,0xc6,0x8e, | |
51 | 0xec,0xbc,0x31,0x17,0x70,0x98,0x24,0xa3,0x36,0x51,0xa8,0x54,0xc4,0x44,0xdd, | |
52 | 0xf7,0x7e,0xda,0x47,0x4a,0x67,0x44,0x5d,0x4e,0x75,0xf0,0x4d,0x00,0x68,0xe1, | |
53 | 0x4a,0xec,0x1f,0x45,0xf9,0xe6,0xca,0x38,0x95,0x48,0x6f,0xdc,0x9d,0x1b,0xa3, | |
54 | 0x4b,0xfd,0x08,0x4b,0x54,0xcd,0xeb,0x3d,0xef,0x33,0x11,0x6e,0xce,0xe4,0x5d, | |
55 | 0xef,0xa9,0x58,0x5c,0x87,0x4d,0xc8,0xcf | |
56 | }; | |
57 | static const unsigned char cav_n[] = { | |
58 | 0xce,0x5e,0x8d,0x1a,0xa3,0x08,0x7a,0x2d,0xb4,0x49,0x48,0xf0,0x06,0xb6,0xfe, | |
59 | 0xba,0x2f,0x39,0x7c,0x7b,0xe0,0x5d,0x09,0x2d,0x57,0x4e,0x54,0x60,0x9c,0xe5, | |
60 | 0x08,0x4b,0xe1,0x1a,0x73,0xc1,0x5e,0x2f,0xb6,0x46,0xd7,0x81,0xca,0xbc,0x98, | |
61 | 0xd2,0xf9,0xef,0x1c,0x92,0x8c,0x8d,0x99,0x85,0x28,0x52,0xd6,0xd5,0xab,0x70, | |
62 | 0x7e,0x9e,0xa9,0x87,0x82,0xc8,0x95,0x64,0xeb,0xf0,0x6c,0x0f,0x3f,0xe9,0x02, | |
63 | 0x29,0x2e,0x6d,0xa1,0xec,0xbf,0xdc,0x23,0xdf,0x82,0x4f,0xab,0x39,0x8d,0xcc, | |
64 | 0xac,0x21,0x51,0x14,0xf8,0xef,0xec,0x73,0x80,0x86,0xa3,0xcf,0x8f,0xd5,0xcf, | |
65 | 0x22,0x1f,0xcc,0x23,0x2f,0xba,0xcb,0xf6,0x17,0xcd,0x3a,0x1f,0xd9,0x84,0xb9, | |
66 | 0x88,0xa7,0x78,0x0f,0xaa,0xc9,0x04,0x01,0x20,0x72,0x5d,0x2a,0xfe,0x5b,0xdd, | |
67 | 0x16,0x5a,0xed,0x83,0x02,0x96,0x39,0x46,0x37,0x30,0xc1,0x0d,0x87,0xc2,0xc8, | |
68 | 0x33,0x38,0xed,0x35,0x72,0xe5,0x29,0xf8,0x1f,0x23,0x60,0xe1,0x2a,0x5b,0x1d, | |
69 | 0x6b,0x53,0x3f,0x07,0xc4,0xd9,0xbb,0x04,0x0c,0x5c,0x3f,0x0b,0xc4,0xd4,0x61, | |
70 | 0x96,0x94,0xf1,0x0f,0x4a,0x49,0xac,0xde,0xd2,0xe8,0x42,0xb3,0x4a,0x0b,0x64, | |
71 | 0x7a,0x32,0x5f,0x2b,0x5b,0x0f,0x8b,0x8b,0xe0,0x33,0x23,0x34,0x64,0xf8,0xb5, | |
72 | 0x7f,0x69,0x60,0xb8,0x71,0xe9,0xff,0x92,0x42,0xb1,0xf7,0x23,0xa8,0xa7,0x92, | |
73 | 0x04,0x3d,0x6b,0xff,0xf7,0xab,0xbb,0x14,0x1f,0x4c,0x10,0x97,0xd5,0x6b,0x71, | |
74 | 0x12,0xfd,0x93,0xa0,0x4a,0x3b,0x75,0x72,0x40,0x96,0x1c,0x5f,0x40,0x40,0x57, | |
75 | 0x13 | |
76 | }; | |
77 | static const unsigned char cav_d[] = { | |
78 | 0x47,0x47,0x49,0x1d,0x66,0x2a,0x4b,0x68,0xf5,0xd8,0x4a,0x24,0xfd,0x6c,0xbf, | |
79 | 0x56,0xb7,0x70,0xf7,0x9a,0x21,0xc8,0x80,0x9e,0xf4,0x84,0xcd,0x88,0x01,0x28, | |
80 | 0xea,0x50,0xab,0x13,0x63,0xdf,0xea,0x14,0x38,0xb5,0x07,0x42,0x81,0x2f,0xda, | |
81 | 0xe9,0x24,0x02,0x7e,0xaf,0xef,0x74,0x09,0x0e,0x80,0xfa,0xfb,0xd1,0x19,0x41, | |
82 | 0xe5,0xba,0x0f,0x7c,0x0a,0xa4,0x15,0x55,0xa2,0x58,0x8c,0x3a,0x48,0x2c,0xc6, | |
83 | 0xde,0x4a,0x76,0xfb,0x72,0xb6,0x61,0xe6,0xd2,0x10,0x44,0x4c,0x33,0xb8,0xd2, | |
84 | 0x74,0xb1,0x9d,0x3b,0xcd,0x2f,0xb1,0x4f,0xc3,0x98,0xbd,0x83,0xb7,0x7e,0x75, | |
85 | 0xe8,0xa7,0x6a,0xee,0xcc,0x51,0x8c,0x99,0x17,0x67,0x7f,0x27,0xf9,0x0d,0x6a, | |
86 | 0xb7,0xd4,0x80,0x17,0x89,0x39,0x9c,0xf3,0xd7,0x0f,0xdf,0xb0,0x55,0x80,0x1d, | |
87 | 0xaf,0x57,0x2e,0xd0,0xf0,0x4f,0x42,0x69,0x55,0xbc,0x83,0xd6,0x97,0x83,0x7a, | |
88 | 0xe6,0xc6,0x30,0x6d,0x3d,0xb5,0x21,0xa7,0xc4,0x62,0x0a,0x20,0xce,0x5e,0x5a, | |
89 | 0x17,0x98,0xb3,0x6f,0x6b,0x9a,0xeb,0x6b,0xa3,0xc4,0x75,0xd8,0x2b,0xdc,0x5c, | |
90 | 0x6f,0xec,0x5d,0x49,0xac,0xa8,0xa4,0x2f,0xb8,0x8c,0x4f,0x2e,0x46,0x21,0xee, | |
91 | 0x72,0x6a,0x0e,0x22,0x80,0x71,0xc8,0x76,0x40,0x44,0x61,0x16,0xbf,0xa5,0xf8, | |
92 | 0x89,0xc7,0xe9,0x87,0xdf,0xbd,0x2e,0x4b,0x4e,0xc2,0x97,0x53,0xe9,0x49,0x1c, | |
93 | 0x05,0xb0,0x0b,0x9b,0x9f,0x21,0x19,0x41,0xe9,0xf5,0x61,0xd7,0x33,0x2e,0x2c, | |
94 | 0x94,0xb8,0xa8,0x9a,0x3a,0xcc,0x6a,0x24,0x8d,0x19,0x13,0xee,0xb9,0xb0,0x48, | |
95 | 0x61 | |
96 | }; | |
97 | ||
98 | /* helper function */ | |
99 | static BIGNUM *bn_load_new(const unsigned char *data, int sz) | |
100 | { | |
101 | BIGNUM *ret = BN_new(); | |
102 | if (ret != NULL) | |
103 | BN_bin2bn(data, sz, ret); | |
104 | return ret; | |
105 | } | |
106 | ||
254957f7 | 107 | /* Check that small rsa exponents are allowed in non FIPS mode */ |
8240d5fa SL |
108 | static int test_check_public_exponent(void) |
109 | { | |
110 | int ret = 0; | |
111 | BIGNUM *e = NULL; | |
112 | ||
113 | ret = TEST_ptr(e = BN_new()) | |
254957f7 SL |
114 | /* e is too small will fail */ |
115 | && TEST_true(BN_set_word(e, 1)) | |
23b2fc0b | 116 | && TEST_false(ossl_rsa_check_public_exponent(e)) |
8240d5fa SL |
117 | /* e is even will fail */ |
118 | && TEST_true(BN_set_word(e, 65536)) | |
23b2fc0b | 119 | && TEST_false(ossl_rsa_check_public_exponent(e)) |
8240d5fa | 120 | /* e is ok */ |
254957f7 SL |
121 | && TEST_true(BN_set_word(e, 3)) |
122 | && TEST_true(ossl_rsa_check_public_exponent(e)) | |
123 | && TEST_true(BN_set_word(e, 17)) | |
124 | && TEST_true(ossl_rsa_check_public_exponent(e)) | |
8240d5fa | 125 | && TEST_true(BN_set_word(e, 65537)) |
23b2fc0b | 126 | && TEST_true(ossl_rsa_check_public_exponent(e)) |
254957f7 | 127 | /* e = 2^256 + 1 is ok */ |
8240d5fa | 128 | && TEST_true(BN_lshift(e, BN_value_one(), 256)) |
254957f7 | 129 | && TEST_true(BN_add(e, e, BN_value_one())) |
23b2fc0b | 130 | && TEST_true(ossl_rsa_check_public_exponent(e)); |
8240d5fa SL |
131 | BN_free(e); |
132 | return ret; | |
133 | } | |
134 | ||
135 | static int test_check_prime_factor_range(void) | |
136 | { | |
137 | int ret = 0; | |
138 | BN_CTX *ctx = NULL; | |
139 | BIGNUM *p = NULL; | |
140 | BIGNUM *bn_p1 = NULL, *bn_p2 = NULL, *bn_p3 = NULL, *bn_p4 = NULL; | |
141 | /* Some range checks that are larger than 32 bits */ | |
142 | static const unsigned char p1[] = { 0x0B, 0x50, 0x4F, 0x33, 0x3F }; | |
143 | static const unsigned char p2[] = { 0x10, 0x00, 0x00, 0x00, 0x00 }; | |
144 | static const unsigned char p3[] = { 0x0B, 0x50, 0x4F, 0x33, 0x40 }; | |
145 | static const unsigned char p4[] = { 0x0F, 0xFF, 0xFF, 0xFF, 0xFF }; | |
146 | ||
147 | /* (√2)(2^(nbits/2 - 1) <= p <= 2^(nbits/2) - 1 | |
148 | * For 8 bits: 0xB.504F <= p <= 0xF | |
149 | * for 72 bits: 0xB504F333F. <= p <= 0xF_FFFF_FFFF | |
150 | */ | |
151 | ret = TEST_ptr(p = BN_new()) | |
152 | && TEST_ptr(bn_p1 = bn_load_new(p1, sizeof(p1))) | |
153 | && TEST_ptr(bn_p2 = bn_load_new(p2, sizeof(p2))) | |
154 | && TEST_ptr(bn_p3 = bn_load_new(p3, sizeof(p3))) | |
155 | && TEST_ptr(bn_p4 = bn_load_new(p4, sizeof(p4))) | |
156 | && TEST_ptr(ctx = BN_CTX_new()) | |
157 | && TEST_true(BN_set_word(p, 0xA)) | |
23b2fc0b | 158 | && TEST_false(ossl_rsa_check_prime_factor_range(p, 8, ctx)) |
8240d5fa | 159 | && TEST_true(BN_set_word(p, 0x10)) |
23b2fc0b | 160 | && TEST_false(ossl_rsa_check_prime_factor_range(p, 8, ctx)) |
8240d5fa | 161 | && TEST_true(BN_set_word(p, 0xB)) |
23b2fc0b | 162 | && TEST_false(ossl_rsa_check_prime_factor_range(p, 8, ctx)) |
fd4a6e7d | 163 | && TEST_true(BN_set_word(p, 0xC)) |
23b2fc0b | 164 | && TEST_true(ossl_rsa_check_prime_factor_range(p, 8, ctx)) |
8240d5fa | 165 | && TEST_true(BN_set_word(p, 0xF)) |
23b2fc0b P |
166 | && TEST_true(ossl_rsa_check_prime_factor_range(p, 8, ctx)) |
167 | && TEST_false(ossl_rsa_check_prime_factor_range(bn_p1, 72, ctx)) | |
168 | && TEST_false(ossl_rsa_check_prime_factor_range(bn_p2, 72, ctx)) | |
169 | && TEST_true(ossl_rsa_check_prime_factor_range(bn_p3, 72, ctx)) | |
170 | && TEST_true(ossl_rsa_check_prime_factor_range(bn_p4, 72, ctx)); | |
8240d5fa SL |
171 | |
172 | BN_free(bn_p4); | |
173 | BN_free(bn_p3); | |
174 | BN_free(bn_p2); | |
175 | BN_free(bn_p1); | |
176 | BN_free(p); | |
177 | BN_CTX_free(ctx); | |
178 | return ret; | |
179 | } | |
180 | ||
181 | static int test_check_prime_factor(void) | |
182 | { | |
183 | int ret = 0; | |
184 | BN_CTX *ctx = NULL; | |
185 | BIGNUM *p = NULL, *e = NULL; | |
186 | BIGNUM *bn_p1 = NULL, *bn_p2 = NULL, *bn_p3 = NULL; | |
187 | ||
188 | /* Some range checks that are larger than 32 bits */ | |
189 | static const unsigned char p1[] = { 0x0B, 0x50, 0x4f, 0x33, 0x73 }; | |
190 | static const unsigned char p2[] = { 0x0B, 0x50, 0x4f, 0x33, 0x75 }; | |
191 | static const unsigned char p3[] = { 0x0F, 0x50, 0x00, 0x03, 0x75 }; | |
192 | ||
193 | ret = TEST_ptr(p = BN_new()) | |
194 | && TEST_ptr(bn_p1 = bn_load_new(p1, sizeof(p1))) | |
195 | && TEST_ptr(bn_p2 = bn_load_new(p2, sizeof(p2))) | |
196 | && TEST_ptr(bn_p3 = bn_load_new(p3, sizeof(p3))) | |
197 | && TEST_ptr(e = BN_new()) | |
198 | && TEST_ptr(ctx = BN_CTX_new()) | |
199 | /* Fails the prime test */ | |
200 | && TEST_true(BN_set_word(e, 0x1)) | |
23b2fc0b | 201 | && TEST_false(ossl_rsa_check_prime_factor(bn_p1, e, 72, ctx)) |
8240d5fa | 202 | /* p is prime and in range and gcd(p-1, e) = 1 */ |
23b2fc0b | 203 | && TEST_true(ossl_rsa_check_prime_factor(bn_p2, e, 72, ctx)) |
8240d5fa SL |
204 | /* gcd(p-1,e) = 1 test fails */ |
205 | && TEST_true(BN_set_word(e, 0x2)) | |
23b2fc0b | 206 | && TEST_false(ossl_rsa_check_prime_factor(p, e, 72, ctx)) |
8240d5fa SL |
207 | /* p fails the range check */ |
208 | && TEST_true(BN_set_word(e, 0x1)) | |
23b2fc0b | 209 | && TEST_false(ossl_rsa_check_prime_factor(bn_p3, e, 72, ctx)); |
8240d5fa SL |
210 | |
211 | BN_free(bn_p3); | |
212 | BN_free(bn_p2); | |
213 | BN_free(bn_p1); | |
214 | BN_free(e); | |
215 | BN_free(p); | |
216 | BN_CTX_free(ctx); | |
217 | return ret; | |
218 | } | |
219 | ||
d7e498ac | 220 | /* This test uses legacy functions because they can take invalid numbers */ |
8240d5fa SL |
221 | static int test_check_private_exponent(void) |
222 | { | |
223 | int ret = 0; | |
224 | RSA *key = NULL; | |
225 | BN_CTX *ctx = NULL; | |
226 | BIGNUM *p = NULL, *q = NULL, *e = NULL, *d = NULL, *n = NULL; | |
227 | ||
228 | ret = TEST_ptr(key = RSA_new()) | |
229 | && TEST_ptr(ctx = BN_CTX_new()) | |
230 | && TEST_ptr(p = BN_new()) | |
231 | && TEST_ptr(q = BN_new()) | |
8240d5fa SL |
232 | /* lcm(15-1,17-1) = 14*16 / 2 = 112 */ |
233 | && TEST_true(BN_set_word(p, 15)) | |
234 | && TEST_true(BN_set_word(q, 17)) | |
a12864a5 SL |
235 | && TEST_true(RSA_set0_factors(key, p, q)); |
236 | if (!ret) { | |
237 | BN_free(p); | |
238 | BN_free(q); | |
239 | goto end; | |
240 | } | |
241 | ||
242 | ret = TEST_ptr(e = BN_new()) | |
243 | && TEST_ptr(d = BN_new()) | |
244 | && TEST_ptr(n = BN_new()) | |
8240d5fa SL |
245 | && TEST_true(BN_set_word(e, 5)) |
246 | && TEST_true(BN_set_word(d, 157)) | |
247 | && TEST_true(BN_set_word(n, 15*17)) | |
a12864a5 SL |
248 | && TEST_true(RSA_set0_key(key, n, e, d)); |
249 | if (!ret) { | |
250 | BN_free(e); | |
251 | BN_free(d); | |
252 | BN_free(n); | |
253 | goto end; | |
254 | } | |
255 | /* fails since d >= lcm(p-1, q-1) */ | |
23b2fc0b | 256 | ret = TEST_false(ossl_rsa_check_private_exponent(key, 8, ctx)) |
8240d5fa SL |
257 | && TEST_true(BN_set_word(d, 45)) |
258 | /* d is correct size and 1 = e.d mod lcm(p-1, q-1) */ | |
23b2fc0b | 259 | && TEST_true(ossl_rsa_check_private_exponent(key, 8, ctx)) |
8240d5fa | 260 | /* d is too small compared to nbits */ |
23b2fc0b | 261 | && TEST_false(ossl_rsa_check_private_exponent(key, 16, ctx)) |
8240d5fa SL |
262 | /* d is too small compared to nbits */ |
263 | && TEST_true(BN_set_word(d, 16)) | |
23b2fc0b | 264 | && TEST_false(ossl_rsa_check_private_exponent(key, 8, ctx)) |
8240d5fa SL |
265 | /* fail if 1 != e.d mod lcm(p-1, q-1) */ |
266 | && TEST_true(BN_set_word(d, 46)) | |
23b2fc0b | 267 | && TEST_false(ossl_rsa_check_private_exponent(key, 8, ctx)); |
a12864a5 | 268 | end: |
8240d5fa SL |
269 | RSA_free(key); |
270 | BN_CTX_free(ctx); | |
271 | return ret; | |
272 | } | |
273 | ||
274 | static int test_check_crt_components(void) | |
275 | { | |
276 | const int P = 15; | |
277 | const int Q = 17; | |
278 | const int E = 5; | |
279 | const int N = P*Q; | |
280 | const int DP = 3; | |
281 | const int DQ = 13; | |
282 | const int QINV = 8; | |
283 | ||
284 | int ret = 0; | |
285 | RSA *key = NULL; | |
286 | BN_CTX *ctx = NULL; | |
287 | BIGNUM *p = NULL, *q = NULL, *e = NULL; | |
288 | ||
289 | ret = TEST_ptr(key = RSA_new()) | |
290 | && TEST_ptr(ctx = BN_CTX_new()) | |
291 | && TEST_ptr(p = BN_new()) | |
292 | && TEST_ptr(q = BN_new()) | |
293 | && TEST_ptr(e = BN_new()) | |
294 | && TEST_true(BN_set_word(p, P)) | |
295 | && TEST_true(BN_set_word(q, Q)) | |
296 | && TEST_true(BN_set_word(e, E)) | |
a12864a5 SL |
297 | && TEST_true(RSA_set0_factors(key, p, q)); |
298 | if (!ret) { | |
299 | BN_free(p); | |
300 | BN_free(q); | |
301 | goto end; | |
302 | } | |
b1ce6a23 | 303 | |
304 | ret = TEST_int_eq(ossl_rsa_sp800_56b_derive_params_from_pq(key, 8, e, ctx), 1) | |
8240d5fa SL |
305 | && TEST_BN_eq_word(key->n, N) |
306 | && TEST_BN_eq_word(key->dmp1, DP) | |
307 | && TEST_BN_eq_word(key->dmq1, DQ) | |
308 | && TEST_BN_eq_word(key->iqmp, QINV) | |
23b2fc0b | 309 | && TEST_true(ossl_rsa_check_crt_components(key, ctx)) |
8240d5fa SL |
310 | /* (a) 1 < dP < (p – 1). */ |
311 | && TEST_true(BN_set_word(key->dmp1, 1)) | |
23b2fc0b | 312 | && TEST_false(ossl_rsa_check_crt_components(key, ctx)) |
8240d5fa | 313 | && TEST_true(BN_set_word(key->dmp1, P-1)) |
23b2fc0b | 314 | && TEST_false(ossl_rsa_check_crt_components(key, ctx)) |
8240d5fa SL |
315 | && TEST_true(BN_set_word(key->dmp1, DP)) |
316 | /* (b) 1 < dQ < (q - 1). */ | |
317 | && TEST_true(BN_set_word(key->dmq1, 1)) | |
23b2fc0b | 318 | && TEST_false(ossl_rsa_check_crt_components(key, ctx)) |
8240d5fa | 319 | && TEST_true(BN_set_word(key->dmq1, Q-1)) |
23b2fc0b | 320 | && TEST_false(ossl_rsa_check_crt_components(key, ctx)) |
8240d5fa SL |
321 | && TEST_true(BN_set_word(key->dmq1, DQ)) |
322 | /* (c) 1 < qInv < p */ | |
323 | && TEST_true(BN_set_word(key->iqmp, 1)) | |
23b2fc0b | 324 | && TEST_false(ossl_rsa_check_crt_components(key, ctx)) |
8240d5fa | 325 | && TEST_true(BN_set_word(key->iqmp, P)) |
23b2fc0b | 326 | && TEST_false(ossl_rsa_check_crt_components(key, ctx)) |
8240d5fa SL |
327 | && TEST_true(BN_set_word(key->iqmp, QINV)) |
328 | /* (d) 1 = (dP . e) mod (p - 1)*/ | |
329 | && TEST_true(BN_set_word(key->dmp1, DP+1)) | |
23b2fc0b | 330 | && TEST_false(ossl_rsa_check_crt_components(key, ctx)) |
8240d5fa SL |
331 | && TEST_true(BN_set_word(key->dmp1, DP)) |
332 | /* (e) 1 = (dQ . e) mod (q - 1) */ | |
333 | && TEST_true(BN_set_word(key->dmq1, DQ-1)) | |
23b2fc0b | 334 | && TEST_false(ossl_rsa_check_crt_components(key, ctx)) |
8240d5fa SL |
335 | && TEST_true(BN_set_word(key->dmq1, DQ)) |
336 | /* (f) 1 = (qInv . q) mod p */ | |
337 | && TEST_true(BN_set_word(key->iqmp, QINV+1)) | |
23b2fc0b | 338 | && TEST_false(ossl_rsa_check_crt_components(key, ctx)) |
8240d5fa SL |
339 | && TEST_true(BN_set_word(key->iqmp, QINV)) |
340 | /* check defaults are still valid */ | |
23b2fc0b | 341 | && TEST_true(ossl_rsa_check_crt_components(key, ctx)); |
a12864a5 | 342 | end: |
8240d5fa SL |
343 | BN_free(e); |
344 | RSA_free(key); | |
345 | BN_CTX_free(ctx); | |
346 | return ret; | |
347 | } | |
348 | ||
b1ce6a23 | 349 | static const struct derive_from_pq_test { |
350 | int p, q, e; | |
351 | } derive_from_pq_tests[] = { | |
352 | { 15, 17, 6 }, /* Mod_inverse failure */ | |
353 | { 0, 17, 5 }, /* d is too small */ | |
354 | }; | |
355 | ||
356 | static int test_derive_params_from_pq_fail(int tst) | |
357 | { | |
358 | int ret = 0; | |
359 | RSA *key = NULL; | |
360 | BN_CTX *ctx = NULL; | |
361 | BIGNUM *p = NULL, *q = NULL, *e = NULL; | |
362 | ||
363 | ret = TEST_ptr(key = RSA_new()) | |
364 | && TEST_ptr(ctx = BN_CTX_new()) | |
365 | && TEST_ptr(p = BN_new()) | |
366 | && TEST_ptr(q = BN_new()) | |
367 | && TEST_ptr(e = BN_new()) | |
368 | && TEST_true(BN_set_word(p, derive_from_pq_tests[tst].p)) | |
369 | && TEST_true(BN_set_word(q, derive_from_pq_tests[tst].q)) | |
370 | && TEST_true(BN_set_word(e, derive_from_pq_tests[tst].e)) | |
371 | && TEST_true(RSA_set0_factors(key, p, q)); | |
372 | if (!ret) { | |
373 | BN_free(p); | |
374 | BN_free(q); | |
375 | goto end; | |
376 | } | |
377 | ||
378 | ret = TEST_int_le(ossl_rsa_sp800_56b_derive_params_from_pq(key, 8, e, ctx), 0); | |
379 | end: | |
380 | BN_free(e); | |
381 | RSA_free(key); | |
382 | BN_CTX_free(ctx); | |
383 | return ret; | |
384 | } | |
385 | ||
8240d5fa SL |
386 | static int test_pq_diff(void) |
387 | { | |
388 | int ret = 0; | |
389 | BIGNUM *tmp = NULL, *p = NULL, *q = NULL; | |
390 | ||
391 | ret = TEST_ptr(tmp = BN_new()) | |
392 | && TEST_ptr(p = BN_new()) | |
393 | && TEST_ptr(q = BN_new()) | |
394 | /* |1-(2+1)| > 2^1 */ | |
395 | && TEST_true(BN_set_word(p, 1)) | |
396 | && TEST_true(BN_set_word(q, 1+2)) | |
23b2fc0b | 397 | && TEST_false(ossl_rsa_check_pminusq_diff(tmp, p, q, 202)) |
8240d5fa SL |
398 | /* Check |p - q| > 2^(nbits/2 - 100) */ |
399 | && TEST_true(BN_set_word(q, 1+3)) | |
23b2fc0b | 400 | && TEST_true(ossl_rsa_check_pminusq_diff(tmp, p, q, 202)) |
8240d5fa SL |
401 | && TEST_true(BN_set_word(p, 1+3)) |
402 | && TEST_true(BN_set_word(q, 1)) | |
23b2fc0b | 403 | && TEST_true(ossl_rsa_check_pminusq_diff(tmp, p, q, 202)); |
8240d5fa SL |
404 | BN_free(p); |
405 | BN_free(q); | |
406 | BN_free(tmp); | |
407 | return ret; | |
408 | } | |
409 | ||
410 | static int test_invalid_keypair(void) | |
411 | { | |
412 | int ret = 0; | |
413 | RSA *key = NULL; | |
414 | BN_CTX *ctx = NULL; | |
415 | BIGNUM *p = NULL, *q = NULL, *n = NULL, *e = NULL, *d = NULL; | |
416 | ||
417 | ret = TEST_ptr(key = RSA_new()) | |
418 | && TEST_ptr(ctx = BN_CTX_new()) | |
419 | /* NULL parameters */ | |
23b2fc0b | 420 | && TEST_false(ossl_rsa_sp800_56b_check_keypair(key, NULL, -1, 2048)) |
8240d5fa SL |
421 | /* load key */ |
422 | && TEST_ptr(p = bn_load_new(cav_p, sizeof(cav_p))) | |
423 | && TEST_ptr(q = bn_load_new(cav_q, sizeof(cav_q))) | |
a12864a5 SL |
424 | && TEST_true(RSA_set0_factors(key, p, q)); |
425 | if (!ret) { | |
426 | BN_free(p); | |
427 | BN_free(q); | |
428 | goto end; | |
429 | } | |
430 | ||
431 | ret = TEST_ptr(e = bn_load_new(cav_e, sizeof(cav_e))) | |
8240d5fa SL |
432 | && TEST_ptr(n = bn_load_new(cav_n, sizeof(cav_n))) |
433 | && TEST_ptr(d = bn_load_new(cav_d, sizeof(cav_d))) | |
a12864a5 SL |
434 | && TEST_true(RSA_set0_key(key, n, e, d)); |
435 | if (!ret) { | |
436 | BN_free(e); | |
437 | BN_free(n); | |
438 | BN_free(d); | |
439 | goto end; | |
440 | } | |
8240d5fa | 441 | /* bad strength/key size */ |
23b2fc0b P |
442 | ret = TEST_false(ossl_rsa_sp800_56b_check_keypair(key, NULL, 100, 2048)) |
443 | && TEST_false(ossl_rsa_sp800_56b_check_keypair(key, NULL, 112, 1024)) | |
444 | && TEST_false(ossl_rsa_sp800_56b_check_keypair(key, NULL, 128, 2048)) | |
445 | && TEST_false(ossl_rsa_sp800_56b_check_keypair(key, NULL, 140, 3072)) | |
8240d5fa | 446 | /* mismatching exponent */ |
23b2fc0b P |
447 | && TEST_false(ossl_rsa_sp800_56b_check_keypair(key, BN_value_one(), |
448 | -1, 2048)) | |
8240d5fa SL |
449 | /* bad exponent */ |
450 | && TEST_true(BN_add_word(e, 1)) | |
23b2fc0b | 451 | && TEST_false(ossl_rsa_sp800_56b_check_keypair(key, NULL, -1, 2048)) |
8240d5fa SL |
452 | && TEST_true(BN_sub_word(e, 1)) |
453 | ||
454 | /* mismatch between bits and modulus */ | |
23b2fc0b P |
455 | && TEST_false(ossl_rsa_sp800_56b_check_keypair(key, NULL, -1, 3072)) |
456 | && TEST_true(ossl_rsa_sp800_56b_check_keypair(key, e, 112, 2048)) | |
8240d5fa SL |
457 | /* check n == pq failure */ |
458 | && TEST_true(BN_add_word(n, 1)) | |
23b2fc0b | 459 | && TEST_false(ossl_rsa_sp800_56b_check_keypair(key, NULL, -1, 2048)) |
8240d5fa | 460 | && TEST_true(BN_sub_word(n, 1)) |
8b268541 CL |
461 | /* check that validation fails if len(n) is not even */ |
462 | && TEST_true(BN_lshift1(n, n)) | |
463 | && TEST_false(ossl_rsa_sp800_56b_check_keypair(key, NULL, -1, 2049)) | |
464 | && TEST_true(BN_rshift1(n, n)) | |
8240d5fa SL |
465 | /* check p */ |
466 | && TEST_true(BN_sub_word(p, 2)) | |
467 | && TEST_true(BN_mul(n, p, q, ctx)) | |
23b2fc0b | 468 | && TEST_false(ossl_rsa_sp800_56b_check_keypair(key, NULL, -1, 2048)) |
8240d5fa SL |
469 | && TEST_true(BN_add_word(p, 2)) |
470 | && TEST_true(BN_mul(n, p, q, ctx)) | |
471 | /* check q */ | |
472 | && TEST_true(BN_sub_word(q, 2)) | |
473 | && TEST_true(BN_mul(n, p, q, ctx)) | |
23b2fc0b | 474 | && TEST_false(ossl_rsa_sp800_56b_check_keypair(key, NULL, -1, 2048)) |
8240d5fa SL |
475 | && TEST_true(BN_add_word(q, 2)) |
476 | && TEST_true(BN_mul(n, p, q, ctx)); | |
a12864a5 | 477 | end: |
8240d5fa SL |
478 | RSA_free(key); |
479 | BN_CTX_free(ctx); | |
480 | return ret; | |
481 | } | |
482 | ||
8240d5fa SL |
483 | static int keygen_size[] = |
484 | { | |
485 | 2048, 3072 | |
486 | }; | |
487 | ||
488 | static int test_sp80056b_keygen(int id) | |
489 | { | |
490 | RSA *key = NULL; | |
491 | int ret; | |
492 | int sz = keygen_size[id]; | |
493 | ||
494 | ret = TEST_ptr(key = RSA_new()) | |
23b2fc0b P |
495 | && TEST_true(ossl_rsa_sp800_56b_generate_key(key, sz, NULL, NULL)) |
496 | && TEST_true(ossl_rsa_sp800_56b_check_public(key)) | |
497 | && TEST_true(ossl_rsa_sp800_56b_check_private(key)) | |
498 | && TEST_true(ossl_rsa_sp800_56b_check_keypair(key, NULL, -1, sz)); | |
8240d5fa SL |
499 | |
500 | RSA_free(key); | |
501 | return ret; | |
502 | } | |
503 | ||
504 | static int test_check_private_key(void) | |
505 | { | |
506 | int ret = 0; | |
507 | BIGNUM *n = NULL, *d = NULL, *e = NULL; | |
508 | RSA *key = NULL; | |
509 | ||
510 | ret = TEST_ptr(key = RSA_new()) | |
511 | /* check NULL pointers fail */ | |
23b2fc0b | 512 | && TEST_false(ossl_rsa_sp800_56b_check_private(key)) |
8240d5fa SL |
513 | /* load private key */ |
514 | && TEST_ptr(n = bn_load_new(cav_n, sizeof(cav_n))) | |
515 | && TEST_ptr(d = bn_load_new(cav_d, sizeof(cav_d))) | |
516 | && TEST_ptr(e = bn_load_new(cav_e, sizeof(cav_e))) | |
a12864a5 SL |
517 | && TEST_true(RSA_set0_key(key, n, e, d)); |
518 | if (!ret) { | |
519 | BN_free(n); | |
520 | BN_free(e); | |
521 | BN_free(d); | |
522 | goto end; | |
523 | } | |
524 | /* check d is in range */ | |
23b2fc0b | 525 | ret = TEST_true(ossl_rsa_sp800_56b_check_private(key)) |
8240d5fa SL |
526 | /* check d is too low */ |
527 | && TEST_true(BN_set_word(d, 0)) | |
23b2fc0b | 528 | && TEST_false(ossl_rsa_sp800_56b_check_private(key)) |
8240d5fa SL |
529 | /* check d is too high */ |
530 | && TEST_ptr(BN_copy(d, n)) | |
23b2fc0b | 531 | && TEST_false(ossl_rsa_sp800_56b_check_private(key)); |
a12864a5 | 532 | end: |
8240d5fa SL |
533 | RSA_free(key); |
534 | return ret; | |
535 | } | |
536 | ||
537 | static int test_check_public_key(void) | |
538 | { | |
539 | int ret = 0; | |
540 | BIGNUM *n = NULL, *e = NULL; | |
541 | RSA *key = NULL; | |
542 | ||
543 | ret = TEST_ptr(key = RSA_new()) | |
544 | /* check NULL pointers fail */ | |
23b2fc0b | 545 | && TEST_false(ossl_rsa_sp800_56b_check_public(key)) |
8240d5fa SL |
546 | /* load public key */ |
547 | && TEST_ptr(e = bn_load_new(cav_e, sizeof(cav_e))) | |
548 | && TEST_ptr(n = bn_load_new(cav_n, sizeof(cav_n))) | |
a12864a5 SL |
549 | && TEST_true(RSA_set0_key(key, n, e, NULL)); |
550 | if (!ret) { | |
551 | BN_free(e); | |
552 | BN_free(n); | |
553 | goto end; | |
554 | } | |
555 | /* check public key is valid */ | |
23b2fc0b | 556 | ret = TEST_true(ossl_rsa_sp800_56b_check_public(key)) |
8240d5fa SL |
557 | /* check fail if n is even */ |
558 | && TEST_true(BN_add_word(n, 1)) | |
23b2fc0b | 559 | && TEST_false(ossl_rsa_sp800_56b_check_public(key)) |
8240d5fa SL |
560 | && TEST_true(BN_sub_word(n, 1)) |
561 | /* check fail if n is wrong number of bits */ | |
562 | && TEST_true(BN_lshift1(n, n)) | |
23b2fc0b | 563 | && TEST_false(ossl_rsa_sp800_56b_check_public(key)) |
8240d5fa SL |
564 | && TEST_true(BN_rshift1(n, n)) |
565 | /* test odd exponent fails */ | |
566 | && TEST_true(BN_add_word(e, 1)) | |
23b2fc0b | 567 | && TEST_false(ossl_rsa_sp800_56b_check_public(key)) |
8240d5fa SL |
568 | && TEST_true(BN_sub_word(e, 1)) |
569 | /* modulus fails composite check */ | |
570 | && TEST_true(BN_add_word(n, 2)) | |
23b2fc0b | 571 | && TEST_false(ossl_rsa_sp800_56b_check_public(key)); |
a12864a5 | 572 | end: |
8240d5fa SL |
573 | RSA_free(key); |
574 | return ret; | |
575 | } | |
576 | ||
577 | int setup_tests(void) | |
578 | { | |
579 | ADD_TEST(test_check_public_exponent); | |
580 | ADD_TEST(test_check_prime_factor_range); | |
581 | ADD_TEST(test_check_prime_factor); | |
582 | ADD_TEST(test_check_private_exponent); | |
583 | ADD_TEST(test_check_crt_components); | |
b1ce6a23 | 584 | ADD_ALL_TESTS(test_derive_params_from_pq_fail, (int)OSSL_NELEM(derive_from_pq_tests)); |
8240d5fa SL |
585 | ADD_TEST(test_check_private_key); |
586 | ADD_TEST(test_check_public_key); | |
587 | ADD_TEST(test_invalid_keypair); | |
588 | ADD_TEST(test_pq_diff); | |
8240d5fa SL |
589 | ADD_ALL_TESTS(test_sp80056b_keygen, (int)OSSL_NELEM(keygen_size)); |
590 | return 1; | |
591 | } |