Merge branch 'feature/testRsaPkcs1' into develop

This closes #48
This commit is contained in:
Steffen Jaeckel 2014-08-28 13:35:13 +02:00
commit 78e367895a
33 changed files with 37532 additions and 49 deletions

View File

@ -24,6 +24,10 @@ int main(void)
printf("\nmodes_test...."); fflush(stdout); x = modes_test(); printf(x ? "failed" : "passed");if (x) exit(EXIT_FAILURE);
printf("\nder_test......"); fflush(stdout); x = der_tests(); printf(x ? "failed" : "passed");if (x) exit(EXIT_FAILURE);
printf("\npkcs_1_test..."); fflush(stdout); x = pkcs_1_test(); printf(x ? "failed" : "passed");if (x) exit(EXIT_FAILURE);
printf("\npkcs_1_pss_test...."); fflush(stdout); x = pkcs_1_pss_test(); printf(x ? "failed" : "passed");if (x) exit(EXIT_FAILURE);
printf("\npkcs_1_oaep_test...."); fflush(stdout); x = pkcs_1_oaep_test(); printf(x ? "failed" : "passed");if (x) exit(EXIT_FAILURE);
printf("\npkcs_1_emsa_test...."); fflush(stdout); x = pkcs_1_emsa_test(); printf(x ? "failed" : "passed");if (x) exit(EXIT_FAILURE);
printf("\npkcs_1_eme_test...."); fflush(stdout); x = pkcs_1_eme_test(); printf(x ? "failed" : "passed");if (x) exit(EXIT_FAILURE);
printf("\nrsa_test......"); fflush(stdout); x = rsa_test(); printf(x ? "failed" : "passed");if (x) exit(EXIT_FAILURE);
printf("\ndh_test......."); fflush(stdout); x = dh_test(); printf(x ? "failed" : "passed");if (x) exit(EXIT_FAILURE);
printf("\necc_test......"); fflush(stdout); x = ecc_tests(); printf(x ? "failed" : "passed");if (x) exit(EXIT_FAILURE);

View File

@ -0,0 +1,11 @@
default: regen
clean:
rm -f *.c
regen:
python rt.py pss-vect.txt pss > pss-vect.c
python rt.py oaep-vect.txt oaep > oaep-vect.c
python rt.py pkcs1v15sign-vectors.txt emsa > pkcs1v15sign-vectors.c
python rt.py pkcs1v15crypt-vectors.txt eme > pkcs1v15crypt-vectors.c

View File

@ -0,0 +1,369 @@
# =================================
# WORKED-OUT EXAMPLE FOR RSAES-OAEP
# =================================
#
# This file gives an example of the process of
# encrypting and decrypting a message with
# RSAES-OAEP as specified in PKCS #1 v2.1.
#
# The message is a bit string of length 128,
# while the size of the modulus in the public
# key is 1024 bits. The second representation
# of the private key is used, which means that
# CRT is applied in the decryption process.
#
# The underlying hash function is SHA-1; the
# mask generation function is MGF1 with SHA-1
# as specified in PKCS #1 v2.1.
#
# This file also contains a demonstration of
# the RSADP decryption primitive with CRT.
# Finally, DER encodings of the RSA keys are
# given at the end of the file.
#
#
# Integers are represented by strings of octets
# with the leftmost octet being the most
# significant octet. For example,
#
# 9,202,000 = (0x)8c 69 50.
#
# =============================================
# ------------------------------
# Components of the RSA Key Pair
# ------------------------------
# RSA modulus n:
bb f8 2f 09 06 82 ce 9c 23 38 ac 2b 9d a8 71 f7
36 8d 07 ee d4 10 43 a4 40 d6 b6 f0 74 54 f5 1f
b8 df ba af 03 5c 02 ab 61 ea 48 ce eb 6f cd 48
76 ed 52 0d 60 e1 ec 46 19 71 9d 8a 5b 8b 80 7f
af b8 e0 a3 df c7 37 72 3e e6 b4 b7 d9 3a 25 84
ee 6a 64 9d 06 09 53 74 88 34 b2 45 45 98 39 4e
e0 aa b1 2d 7b 61 a5 1f 52 7a 9a 41 f6 c1 68 7f
e2 53 72 98 ca 2a 8f 59 46 f8 e5 fd 09 1d bd cb
# RSA public exponent e:
(0x)11
# Prime p:
ee cf ae 81 b1 b9 b3 c9 08 81 0b 10 a1 b5 60 01
99 eb 9f 44 ae f4 fd a4 93 b8 1a 9e 3d 84 f6 32
12 4e f0 23 6e 5d 1e 3b 7e 28 fa e7 aa 04 0a 2d
5b 25 21 76 45 9d 1f 39 75 41 ba 2a 58 fb 65 99
# Prime q:
c9 7f b1 f0 27 f4 53 f6 34 12 33 ea aa d1 d9 35
3f 6c 42 d0 88 66 b1 d0 5a 0f 20 35 02 8b 9d 86
98 40 b4 16 66 b4 2e 92 ea 0d a3 b4 32 04 b5 cf
ce 33 52 52 4d 04 16 a5 a4 41 e7 00 af 46 15 03
# p's CRT exponent dP:
54 49 4c a6 3e ba 03 37 e4 e2 40 23 fc d6 9a 5a
eb 07 dd dc 01 83 a4 d0 ac 9b 54 b0 51 f2 b1 3e
d9 49 09 75 ea b7 74 14 ff 59 c1 f7 69 2e 9a 2e
20 2b 38 fc 91 0a 47 41 74 ad c9 3c 1f 67 c9 81
# q's CRT exponent dQ:
47 1e 02 90 ff 0a f0 75 03 51 b7 f8 78 86 4c a9
61 ad bd 3a 8a 7e 99 1c 5c 05 56 a9 4c 31 46 a7
f9 80 3f 8f 6f 8a e3 42 e9 31 fd 8a e4 7a 22 0d
1b 99 a4 95 84 98 07 fe 39 f9 24 5a 98 36 da 3d
# CRT coefficient qInv:
b0 6c 4f da bb 63 01 19 8d 26 5b db ae 94 23 b3
80 f2 71 f7 34 53 88 50 93 07 7f cd 39 e2 11 9f
c9 86 32 15 4f 58 83 b1 67 a9 67 bf 40 2b 4e 9e
2e 0f 96 56 e6 98 ea 36 66 ed fb 25 79 80 39 f7
# ----------------------------------
# Step-by-step RSAES-OAEP Encryption
# ----------------------------------
# Message M to be encrypted:
d4 36 e9 95 69 fd 32 a7 c8 a0 5b bc 90 d3 2c 49
# Label L:
(the empty string)
# lHash = Hash(L)
# DB = lHash || Padding || M
# seed = random string of octets
# dbMask = MGF(seed, length(DB))
# maskedDB = DB xor dbMask
# seedMask = MGF(maskedDB, length(seed))
# maskedSeed = seed xor seedMask
# EM = 0x00 || maskedSeed || maskedDB
# lHash:
da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90
af d8 07 09
# DB:
da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90
af d8 07 09 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 01 d4 36 e9 95 69
fd 32 a7 c8 a0 5b bc 90 d3 2c 49
# seed:
aa fd 12 f6 59 ca e6 34 89 b4 79 e5 07 6d de c2
f0 6c b5 8f
# dbMask:
06 e1 de b2 36 9a a5 a5 c7 07 d8 2c 8e 4e 93 24
8a c7 83 de e0 b2 c0 46 26 f5 af f9 3e dc fb 25
c9 c2 b3 ff 8a e1 0e 83 9a 2d db 4c dc fe 4f f4
77 28 b4 a1 b7 c1 36 2b aa d2 9a b4 8d 28 69 d5
02 41 21 43 58 11 59 1b e3 92 f9 82 fb 3e 87 d0
95 ae b4 04 48 db 97 2f 3a c1 4e af f4 9c 8c 3b
7c fc 95 1a 51 ec d1 dd e6 12 64
# maskedDB:
dc d8 7d 5c 68 f1 ee a8 f5 52 67 c3 1b 2e 8b b4
25 1f 84 d7 e0 b2 c0 46 26 f5 af f9 3e dc fb 25
c9 c2 b3 ff 8a e1 0e 83 9a 2d db 4c dc fe 4f f4
77 28 b4 a1 b7 c1 36 2b aa d2 9a b4 8d 28 69 d5
02 41 21 43 58 11 59 1b e3 92 f9 82 fb 3e 87 d0
95 ae b4 04 48 db 97 2f 3a c1 4f 7b c2 75 19 52
81 ce 32 d2 f1 b7 6d 4d 35 3e 2d
# seedMask:
41 87 0b 5a b0 29 e6 57 d9 57 50 b5 4c 28 3c 08
72 5d be a9
# maskedSeed:
eb 7a 19 ac e9 e3 00 63 50 e3 29 50 4b 45 e2 ca
82 31 0b 26
# EM = 00 || maskedSeed || maskedDB:
00 eb 7a 19 ac e9 e3 00 63 50 e3 29 50 4b 45 e2
ca 82 31 0b 26 dc d8 7d 5c 68 f1 ee a8 f5 52 67
c3 1b 2e 8b b4 25 1f 84 d7 e0 b2 c0 46 26 f5 af
f9 3e dc fb 25 c9 c2 b3 ff 8a e1 0e 83 9a 2d db
4c dc fe 4f f4 77 28 b4 a1 b7 c1 36 2b aa d2 9a
b4 8d 28 69 d5 02 41 21 43 58 11 59 1b e3 92 f9
82 fb 3e 87 d0 95 ae b4 04 48 db 97 2f 3a c1 4f
7b c2 75 19 52 81 ce 32 d2 f1 b7 6d 4d 35 3e 2d
# Ciphertext, the RSA encryption of EM:
12 53 e0 4d c0 a5 39 7b b4 4a 7a b8 7e 9b f2 a0
39 a3 3d 1e 99 6f c8 2a 94 cc d3 00 74 c9 5d f7
63 72 20 17 06 9e 52 68 da 5d 1c 0b 4f 87 2c f6
53 c1 1d f8 23 14 a6 79 68 df ea e2 8d ef 04 bb
6d 84 b1 c3 1d 65 4a 19 70 e5 78 3b d6 eb 96 a0
24 c2 ca 2f 4a 90 fe 9f 2e f5 c9 c1 40 e5 bb 48
da 95 36 ad 87 00 c8 4f c9 13 0a de a7 4e 55 8d
51 a7 4d df 85 d8 b5 0d e9 68 38 d6 06 3e 09 55
# --------------------------------------------
# Step-by-step RSAES-OAEP Decryption Using CRT
# --------------------------------------------
# c = the integer value of C above
# m1 = c^dP mod p = (c mod p)^dP mod p
# m2 = c^dQ mod q = (c mod q)^dQ mod q
# h = (m1-m2)*qInv mod p
# m = m2 + q*h = the integer value of EM above
# c mod p:
de 63 d4 72 35 66 fa a7 59 bf e4 08 82 1d d5 25
72 ec 92 85 4d df 87 a2 b6 64 d4 4d aa 37 ca 34
6a 05 20 3d 82 ff 2d e8 e3 6c ec 1d 34 f9 8e b6
05 e2 a7 d2 6d e7 af 36 9c e4 ec ae 14 e3 56 33
# c mod q:
a2 d9 24 de d9 c3 6d 62 3e d9 a6 5b 5d 86 2c fb
ec 8b 19 9c 64 27 9c 54 14 e6 41 19 6e f1 c9 3c
50 7a 9b 52 13 88 1a ad 05 b4 cc fa 02 8a c1 ec
61 42 09 74 bf 16 25 83 6b 0b 7d 05 fb b7 53 36
# m1:
89 6c a2 6c d7 e4 87 1c 7f c9 68 a8 ed ea 11 e2
71 82 4f 0e 03 65 52 17 94 f1 e9 e9 43 b4 a4 4b
57 c9 e3 95 a1 46 74 78 f5 26 49 6b 4b b9 1f 1c
ba ea 90 0f fc 60 2c f0 c6 63 6e ba 84 fc 9f f7
# m2:
4e bb 22 75 85 f0 c1 31 2d ca 19 e0 b5 41 db 14
99 fb f1 4e 27 0e 69 8e 23 9a 8c 27 a9 6c da 9a
74 09 74 de 93 7b 5c 9c 93 ea d9 46 2c 65 75 02
1a 23 d4 64 99 dc 9f 6b 35 89 75 59 60 8f 19 be
# h:
01 2b 2b 24 15 0e 76 e1 59 bd 8d db 42 76 e0 7b
fa c1 88 e0 8d 60 47 cf 0e fb 8a e2 ae bd f2 51
c4 0e bc 23 dc fd 4a 34 42 43 94 ad a9 2c fc be
1b 2e ff bb 60 fd fb 03 35 9a 95 36 8d 98 09 25
# m:
00 eb 7a 19 ac e9 e3 00 63 50 e3 29 50 4b 45 e2
ca 82 31 0b 26 dc d8 7d 5c 68 f1 ee a8 f5 52 67
c3 1b 2e 8b b4 25 1f 84 d7 e0 b2 c0 46 26 f5 af
f9 3e dc fb 25 c9 c2 b3 ff 8a e1 0e 83 9a 2d db
4c dc fe 4f f4 77 28 b4 a1 b7 c1 36 2b aa d2 9a
b4 8d 28 69 d5 02 41 21 43 58 11 59 1b e3 92 f9
82 fb 3e 87 d0 95 ae b4 04 48 db 97 2f 3a c1 4f
7b c2 75 19 52 81 ce 32 d2 f1 b7 6d 4d 35 3e 2d
# The intermediate values in the remaining
# decryption process are the same as during
# RSAES-OAEP encryption of M.
# =============================================
# ========================
# DER Encoding of RSA Keys
# ========================
# ------------
# RSAPublicKey
# ------------
30 81 87
# modulus
02 81 81
00 bb f8 2f 09 06 82 ce
9c 23 38 ac 2b 9d a8 71
f7 36 8d 07 ee d4 10 43
a4 40 d6 b6 f0 74 54 f5
1f b8 df ba af 03 5c 02
ab 61 ea 48 ce eb 6f cd
48 76 ed 52 0d 60 e1 ec
46 19 71 9d 8a 5b 8b 80
7f af b8 e0 a3 df c7 37
72 3e e6 b4 b7 d9 3a 25
84 ee 6a 64 9d 06 09 53
74 88 34 b2 45 45 98 39
4e e0 aa b1 2d 7b 61 a5
1f 52 7a 9a 41 f6 c1 68
7f e2 53 72 98 ca 2a 8f
59 46 f8 e5 fd 09 1d bd
cb
# publicExponent
02 01
11
# -------------
# RSAPrivateKey
# -------------
30 82 02 5b
# version
02 01
00
# modulus
02 81 81
00 bb f8 2f 09 06 82 ce
9c 23 38 ac 2b 9d a8 71
f7 36 8d 07 ee d4 10 43
a4 40 d6 b6 f0 74 54 f5
1f b8 df ba af 03 5c 02
ab 61 ea 48 ce eb 6f cd
48 76 ed 52 0d 60 e1 ec
46 19 71 9d 8a 5b 8b 80
7f af b8 e0 a3 df c7 37
72 3e e6 b4 b7 d9 3a 25
84 ee 6a 64 9d 06 09 53
74 88 34 b2 45 45 98 39
4e e0 aa b1 2d 7b 61 a5
1f 52 7a 9a 41 f6 c1 68
7f e2 53 72 98 ca 2a 8f
59 46 f8 e5 fd 09 1d bd
cb
# publicExponent
02 01
11
# privateExponent
02 81 81
00 a5 da fc 53 41 fa f2
89 c4 b9 88 db 30 c1 cd
f8 3f 31 25 1e 06 68 b4
27 84 81 38 01 57 96 41
b2 94 10 b3 c7 99 8d 6b
c4 65 74 5e 5c 39 26 69
d6 87 0d a2 c0 82 a9 39
e3 7f dc b8 2e c9 3e da
c9 7f f3 ad 59 50 ac cf
bc 11 1c 76 f1 a9 52 94
44 e5 6a af 68 c5 6c 09
2c d3 8d c3 be f5 d2 0a
93 99 26 ed 4f 74 a1 3e
dd fb e1 a1 ce cc 48 94
af 94 28 c2 b7 b8 88 3f
e4 46 3a 4b c8 5b 1c b3
c1
# prime1
02 41
00 ee cf ae 81 b1 b9 b3
c9 08 81 0b 10 a1 b5 60
01 99 eb 9f 44 ae f4 fd
a4 93 b8 1a 9e 3d 84 f6
32 12 4e f0 23 6e 5d 1e
3b 7e 28 fa e7 aa 04 0a
2d 5b 25 21 76 45 9d 1f
39 75 41 ba 2a 58 fb 65
99
# prime2
02 41
00 c9 7f b1 f0 27 f4 53
f6 34 12 33 ea aa d1 d9
35 3f 6c 42 d0 88 66 b1
d0 5a 0f 20 35 02 8b 9d
86 98 40 b4 16 66 b4 2e
92 ea 0d a3 b4 32 04 b5
cf ce 33 52 52 4d 04 16
a5 a4 41 e7 00 af 46 15
03
# exponent1
02 40
54 49 4c a6 3e ba 03 37
e4 e2 40 23 fc d6 9a 5a
eb 07 dd dc 01 83 a4 d0
ac 9b 54 b0 51 f2 b1 3e
d9 49 09 75 ea b7 74 14
ff 59 c1 f7 69 2e 9a 2e
20 2b 38 fc 91 0a 47 41
74 ad c9 3c 1f 67 c9 81
# exponent2
02 40
47 1e 02 90 ff 0a f0 75
03 51 b7 f8 78 86 4c a9
61 ad bd 3a 8a 7e 99 1c
5c 05 56 a9 4c 31 46 a7
f9 80 3f 8f 6f 8a e3 42
e9 31 fd 8a e4 7a 22 0d
1b 99 a4 95 84 98 07 fe
39 f9 24 5a 98 36 da 3d
# coefficient
02 41
00 b0 6c 4f da bb 63 01
19 8d 26 5b db ae 94 23
b3 80 f2 71 f7 34 53 88
50 93 07 7f cd 39 e2 11
9f c9 86 32 15 4f 58 83
b1 67 a9 67 bf 40 2b 4e
9e 2e 0f 96 56 e6 98 ea
36 66 ed fb 25 79 80 39
f7
# ------------------------
# PrivateKeyInfo (PKCS #8)
# ------------------------
30 82 02 75
# version
02 01
00
# privateKeyAlgorithmIdentifier
30 0d
06 09
2a 86 48 86 f7 0d 01 01 01
# parameters
05 00
# privateKey = RSAPrivateKey encoding
04 82 02 5f
# DER encoding of RSAPrivateKey structure
30 82 02 5b ... 79 80 39 f7
# =============================================

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

162
notes/rsa-testvectors/pss-int.txt Executable file
View File

@ -0,0 +1,162 @@
# =================================
# WORKED-OUT EXAMPLE FOR RSASSA-PSS
# =================================
#
# This file gives an example of the process of
# signing a message with RSASSA-PSS as
# specified in PKCS #1 v2.1.
#
# The message is an octet string of length 114,
# while the size of the modulus in the public
# key is 1024 bits. The message is signed via a
# random salt of length 20 octets
#
# The underlying hash function in the EMSA-PSS
# encoding method is SHA-1; the mask generation
# function is MGF1 with SHA-1 as specified in
# PKCS #1 v2.1.
#
# Integers are represented by strings of octets
# with the leftmost octet being the most
# significant octet. For example,
#
# 9,202,000 = (0x)8c 69 50.
#
# =============================================
# ------------------------------
# Components of the RSA Key Pair
# ------------------------------
# RSA modulus n:
a2 ba 40 ee 07 e3 b2 bd 2f 02 ce 22 7f 36 a1 95
02 44 86 e4 9c 19 cb 41 bb bd fb ba 98 b2 2b 0e
57 7c 2e ea ff a2 0d 88 3a 76 e6 5e 39 4c 69 d4
b3 c0 5a 1e 8f ad da 27 ed b2 a4 2b c0 00 fe 88
8b 9b 32 c2 2d 15 ad d0 cd 76 b3 e7 93 6e 19 95
5b 22 0d d1 7d 4e a9 04 b1 ec 10 2b 2e 4d e7 75
12 22 aa 99 15 10 24 c7 cb 41 cc 5e a2 1d 00 ee
b4 1f 7c 80 08 34 d2 c6 e0 6b ce 3b ce 7e a9 a5
# RSA public exponent e:
01 00 01
# Prime p:
d1 7f 65 5b f2 7c 8b 16 d3 54 62 c9 05 cc 04 a2
6f 37 e2 a6 7f a9 c0 ce 0d ce d4 72 39 4a 0d f7
43 fe 7f 92 9e 37 8e fd b3 68 ed df f4 53 cf 00
7a f6 d9 48 e0 ad e7 57 37 1f 8a 71 1e 27 8f 6b
# Prime q:
c6 d9 2b 6f ee 74 14 d1 35 8c e1 54 6f b6 29 87
53 0b 90 bd 15 e0 f1 49 63 a5 e2 63 5a db 69 34
7e c0 c0 1b 2a b1 76 3f d8 ac 1a 59 2f b2 27 57
46 3a 98 24 25 bb 97 a3 a4 37 c5 bf 86 d0 3f 2f
# p's CRT exponent dP:
9d 0d bf 83 e5 ce 9e 4b 17 54 dc d5 cd 05 bc b7
b5 5f 15 08 33 0e a4 9f 14 d4 e8 89 55 0f 82 56
cb 5f 80 6d ff 34 b1 7a da 44 20 88 53 57 7d 08
e4 26 28 90 ac f7 52 46 1c ea 05 54 76 01 bc 4f
# q's CRT exponent dQ:
12 91 a5 24 c6 b7 c0 59 e9 0e 46 dc 83 b2 17 1e
b3 fa 98 81 8f d1 79 b6 c8 bf 6c ec aa 47 63 03
ab f2 83 fe 05 76 9c fc 49 57 88 fe 5b 1d df de
9e 88 4a 3c d5 e9 36 b7 e9 55 eb f9 7e b5 63 b1
# CRT coefficient qInv:
a6 3f 1d a3 8b 95 0c 9a d1 c6 7c e0 d6 77 ec 29
14 cd 7d 40 06 2d f4 2a 67 eb 19 8a 17 6f 97 42
aa c7 c5 fe a1 4f 22 97 66 2b 84 81 2c 4d ef c4
9a 80 25 ab 43 82 28 6b e4 c0 37 88 dd 01 d6 9f
# ---------------------------------
# Step-by-step RSASSA-PSS Signature
# ---------------------------------
# Message M to be signed:
85 9e ef 2f d7 8a ca 00 30 8b dc 47 11 93 bf 55
bf 9d 78 db 8f 8a 67 2b 48 46 34 f3 c9 c2 6e 64
78 ae 10 26 0f e0 dd 8c 08 2e 53 a5 29 3a f2 17
3c d5 0c 6d 5d 35 4f eb f7 8b 26 02 1c 25 c0 27
12 e7 8c d4 69 4c 9f 46 97 77 e4 51 e7 f8 e9 e0
4c d3 73 9c 6b bf ed ae 48 7f b5 56 44 e9 ca 74
ff 77 a5 3c b7 29 80 2f 6e d4 a5 ff a8 ba 15 98
90 fc
# mHash = Hash(M)
# salt = random string of octets
# M' = Padding || mHash || salt
# H = Hash(M')
# DB = Padding || salt
# dbMask = MGF(H, length(DB))
# maskedDB = DB xor dbMask (leftmost bit set to
# zero)
# EM = maskedDB || H || 0xbc
# mHash:
37 b6 6a e0 44 58 43 35 3d 47 ec b0 b4 fd 14 c1
10 e6 2d 6a
# salt:
e3 b5 d5 d0 02 c1 bc e5 0c 2b 65 ef 88 a1 88 d8
3b ce 7e 61
# M':
00 00 00 00 00 00 00 00 37 b6 6a e0 44 58 43 35
3d 47 ec b0 b4 fd 14 c1 10 e6 2d 6a e3 b5 d5 d0
02 c1 bc e5 0c 2b 65 ef 88 a1 88 d8 3b ce 7e 61
# H:
df 1a 89 6f 9d 8b c8 16 d9 7c d7 a2 c4 3b ad 54
6f be 8c fe
# DB:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 01 e3 b5 d5 d0 02 c1 bc e5 0c
2b 65 ef 88 a1 88 d8 3b ce 7e 61
# dbMask:
66 e4 67 2e 83 6a d1 21 ba 24 4b ed 65 76 b8 67
d9 a4 47 c2 8a 6e 66 a5 b8 7d ee 7f bc 7e 65 af
50 57 f8 6f ae 89 84 d9 ba 7f 96 9a d6 fe 02 a4
d7 5f 74 45 fe fd d8 5b 6d 3a 47 7c 28 d2 4b a1
e3 75 6f 79 2d d1 dc e8 ca 94 44 0e cb 52 79 ec
d3 18 3a 31 1f c8 97 39 a9 66 43 13 6e 8b 0f 46
5e 87 a4 53 5c d4 c5 9b 10 02 8d
# maskedDB:
66 e4 67 2e 83 6a d1 21 ba 24 4b ed 65 76 b8 67
d9 a4 47 c2 8a 6e 66 a5 b8 7d ee 7f bc 7e 65 af
50 57 f8 6f ae 89 84 d9 ba 7f 96 9a d6 fe 02 a4
d7 5f 74 45 fe fd d8 5b 6d 3a 47 7c 28 d2 4b a1
e3 75 6f 79 2d d1 dc e8 ca 94 44 0e cb 52 79 ec
d3 18 3a 31 1f c8 96 da 1c b3 93 11 af 37 ea 4a
75 e2 4b db fd 5c 1d a0 de 7c ec
# Encoded message EM:
66 e4 67 2e 83 6a d1 21 ba 24 4b ed 65 76 b8 67
d9 a4 47 c2 8a 6e 66 a5 b8 7d ee 7f bc 7e 65 af
50 57 f8 6f ae 89 84 d9 ba 7f 96 9a d6 fe 02 a4
d7 5f 74 45 fe fd d8 5b 6d 3a 47 7c 28 d2 4b a1
e3 75 6f 79 2d d1 dc e8 ca 94 44 0e cb 52 79 ec
d3 18 3a 31 1f c8 96 da 1c b3 93 11 af 37 ea 4a
75 e2 4b db fd 5c 1d a0 de 7c ec df 1a 89 6f 9d
8b c8 16 d9 7c d7 a2 c4 3b ad 54 6f be 8c fe bc
# Signature S, the RSA decryption of EM:
8d aa 62 7d 3d e7 59 5d 63 05 6c 7e c6 59 e5 44
06 f1 06 10 12 8b aa e8 21 c8 b2 a0 f3 93 6d 54
dc 3b dc e4 66 89 f6 b7 95 1b b1 8e 84 05 42 76
97 18 d5 71 5d 21 0d 85 ef bb 59 61 92 03 2c 42
be 4c 29 97 2c 85 62 75 eb 6d 5a 45 f0 5f 51 87
6f c6 74 3d ed dd 28 ca ec 9b b3 0e a9 9e 02 c3
48 82 69 60 4f e4 97 f7 4c cd 7c 7f ca 16 71 89
71 23 cb d3 0d ef 5d 54 a2 b5 53 6a d9 0a 74 7e
# =============================================

File diff suppressed because it is too large Load Diff

2581
notes/rsa-testvectors/pss-vect.txt Executable file

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,22 @@
====================
pkcs-1v2-1-vec.zip
====================
This directory contains test vectors for RSAES-OAEP and
RSASSA-PSS as defined in PKCS #1 v2.1.
The files:
readme.txt This file.
oaep-vect.txt Test vectors for RSAES-OAEP encryption.
oaep-int.txt Intermediate values for RSAES-OAEP
encryption and RSA decryption with CRT.
Also, DER-encoded RSAPrivateKey and
RSAPublicKey types.
pss-vect.txt Test vectors for RSASSA-PSS signing.
pss-int.txt Intermediate values for RSASSA-PSS
signing.

253
notes/rsa-testvectors/rt.py Executable file
View File

@ -0,0 +1,253 @@
#!/usr/bin/env python
import sys
import os
import hashlib
def md5_for_file(path, block_size=256*128):
'''
Block size directly depends on the block size of your filesystem
to avoid performances issues
Here I have blocks of 4096 octets (Default NTFS)
'''
md5 = hashlib.md5()
with open(path,'rb') as f:
for chunk in iter(lambda: f.read(block_size), b''):
md5.update(chunk)
f.close()
return md5.hexdigest()
def read_until_ends(f, s):
while True:
l = f.readline()
if l.strip().endswith(s):
break
return l
def read_until_start(f, s):
while True:
l = f.readline()
if l.startswith(s):
break
return l
def read_hex(f):
t = []
while True:
l = f.readline()
if l.strip() == '':
break
t.extend(l.strip().split(' '))
return t
class NamedData(object):
def __init__(self, name, data):
self.name = name
self.data = data
def __str__(self):
return " /* {0} */\n {1},\n {{ {2} }}\n".format(self.name, len(self.data), ', '.join('0x' + x for x in self.data))
def read_part(f, s):
name = read_until_start(f, s).strip().lstrip('# ').rstrip(':')
data = read_hex(f)
e = NamedData(name, data)
return e
class RsaKey(object):
def __init__(self, n, e, d, p, q, dP, dQ, qInv):
self.n = n
self.e = e
self.d = d
self.p = p
self.q = q
self.dP = dP
self.dQ = dQ
self.qInv = qInv
def __str__(self):
return "{{\n{0},\n{1},\n{2},\n{3},\n{4},\n{5},\n{6},\n{7}\n}}\n".format(self.n, self.e, self.d, self.p, self.q, self.dP, self.dQ, self.qInv)
def read_key(f):
if ftype.version == 1:
read_until_start(f, '# Private key')
n = read_part(f, ftype.n)
e = read_part(f, ftype.e)
d = read_part(f, ftype.d)
p = read_part(f, ftype.p)
q = read_part(f, ftype.q)
dP = read_part(f, ftype.dP)
dQ = read_part(f, ftype.dQ)
qInv = read_part(f, ftype.qInv)
k = RsaKey(n, e, d, p, q, dP, dQ, qInv)
return k
class Data(object):
def __init__(self, name, obj1, obj2, obj3):
self.name = name
self.obj1 = obj1
self.obj2 = obj2
self.obj3 = obj3
def __str__(self):
if self.obj3 == None:
return "{{\n \"{0}\",\n{1},\n{2}\n}}\n,".format(self.name, self.obj1, self.obj2)
else:
return "{{\n \"{0}\",\n{1},\n{2},\n{3}\n}}\n,".format(self.name, self.obj1, self.obj2, self.obj3)
def read_data(f):
name = read_until_start(f, ftype.o).strip().lstrip('# ')
obj1 = read_part(f, ftype.o1)
obj2 = read_part(f, ftype.o2)
if ftype.name == 'emsa':
obj3 = None
else:
obj3 = read_part(f, ftype.o3)
s = Data(name, obj1, obj2, obj3)
return s
class Example(object):
def __init__(self, name, key, data):
self.name = name
self.key = key
self.data = data
def __str__(self):
res = "{{\n \"{0}\",\n{1},\n{{".format(self.name, str(self.key))
for idx, d in enumerate(self.data, 1):
if idx == 2:
res += '#ifdef LTC_TEST_EXT\n'
res += str(d) + '\n'
if idx == ftype.numcases:
res += '#endif /* LTC_TEST_EXT */\n'
res += '}\n},'
return res
def read_example(f):
name = read_until_start(f, '# Example').strip().lstrip('# ')
key = read_key(f)
l = read_until_start(f, ftype.sod)
d = []
while l.strip().startswith(ftype.sod):
if ftype.version == 1:
f.seek(-len(l), os.SEEK_CUR)
data = read_data(f)
d.append(data)
l = read_until_start(f, '#')
e = Example(name, key, d)
f.seek(-len(l), os.SEEK_CUR)
return e
class PkcsType(object):
def __init__(self, name):
if name == 'pss':
self.o = '# RSASSA-PSS Signature Example'
self.o1 = '# Message to be signed'
self.o2 = '# Salt'
self.o3 = '# Signature'
elif name == 'oaep':
self.o = '# RSAES-OAEP Encryption Example'
self.o1 = '# Message to be encrypted'
self.o2 = '# Seed'
self.o3 = '# Encryption'
elif name == 'emsa':
self.o = '# PKCS#1 v1.5 Signature Example'
self.o1 = '# Message to be signed'
self.o2 = '# Signature'
elif name == 'eme':
self.o = '# PKCS#1 v1.5 Encryption Example'
self.o1 = '# Message'
self.o2 = '# Seed'
self.o3 = '# Encryption'
else:
raise ValueError('Type unknown: ' + name)
if name == 'pss' or name == 'oaep':
self.version = 2
self.numcases = 6
self.n = '# RSA modulus n'
self.e = '# RSA public exponent e'
self.d = '# RSA private exponent d'
self.p = '# Prime p'
self.q = '# Prime q'
self.dP = '# p\'s CRT exponent dP'
self.dQ = '# q\'s CRT exponent dQ'
self.qInv = '# CRT coefficient qInv'
self.sod = '# --------------------------------'
elif name == 'emsa' or name == 'eme':
self.version = 1
self.numcases = 20
self.n = '# Modulus'
self.e = '# Public exponent'
self.d = '# Exponent'
self.p = '# Prime 1'
self.q = '# Prime 2'
self.dP = '# Prime exponent 1'
self.dQ = '# Prime exponent 2'
self.qInv = '# Coefficient'
self.sod = self.o
self.name = name
ftype = PkcsType(sys.argv[2])
print('/* Generated from file: %s\n * with md5 hash: %s\n */\n' % (sys.argv[1], md5_for_file(sys.argv[1])))
print('''
typedef struct rsaKey {
int n_l;
unsigned char n[256];
int e_l;
unsigned char e[256];
int d_l;
unsigned char d[256];
int p_l;
unsigned char p[256];
int q_l;
unsigned char q[256];
int dP_l;
unsigned char dP[256];
int dQ_l;
unsigned char dQ[256];
int qInv_l;
unsigned char qInv[256];
} rsaKey_t;
typedef struct rsaData {
const char* name;
int o1_l;
unsigned char o1[256];
int o2_l;
unsigned char o2[256];''')
if ftype.name != 'emsa':
print(''' int o3_l;
unsigned char o3[256];''')
print('''} rsaData_t;
typedef struct testcase {
const char* name;
rsaKey_t rsa;
#ifdef LTC_TEST_EXT
rsaData_t data[%d];
#else
rsaData_t data[1];
#endif /* LTC_TEST_EXT */
} testcase_t;
testcase_t testcases_%s[] =
{''' % (ftype.numcases, sys.argv[2]))
with open(sys.argv[1], 'rb') as f:
ex = []
while read_until_ends(f, '============================================='):
if f.tell() == os.path.getsize(sys.argv[1]):
break
e = read_example(f)
ex.append(e)
for i in ex:
print(i)
f.close()
print('};\n')

View File

@ -51,11 +51,12 @@ int pkcs_1_pss_decode(const unsigned char *msghash, unsigned long msghashlen,
}
hLen = hash_descriptor[hash_idx].hashsize;
modulus_bitlen--;
modulus_len = (modulus_bitlen>>3) + (modulus_bitlen & 7 ? 1 : 0);
/* check sizes */
if ((saltlen > modulus_len) ||
(modulus_len < hLen + saltlen + 2) || (siglen != modulus_len)) {
(modulus_len < hLen + saltlen + 2)) {
return CRYPT_PK_INVALID_SIZE;
}
@ -95,8 +96,9 @@ int pkcs_1_pss_decode(const unsigned char *msghash, unsigned long msghashlen,
XMEMCPY(hash, sig + x, hLen);
x += hLen;
/* check the MSB */
if ((sig[0] & ~(0xFF >> ((modulus_len<<3) - (modulus_bitlen-1)))) != 0) {
if ((sig[0] & ~(0xFF >> ((modulus_len<<3) - (modulus_bitlen)))) != 0) {
err = CRYPT_INVALID_PACKET;
goto LBL_ERR;
}
@ -112,7 +114,7 @@ int pkcs_1_pss_decode(const unsigned char *msghash, unsigned long msghashlen,
}
/* now clear the first byte [make sure smaller than modulus] */
DB[0] &= 0xFF >> ((modulus_len<<3) - (modulus_bitlen-1));
DB[0] &= 0xFF >> ((modulus_len<<3) - (modulus_bitlen));
/* DB = PS || 0x01 || salt, PS == modulus_len - saltlen - hLen - 2 zero bytes */

View File

@ -54,6 +54,7 @@ int pkcs_1_pss_encode(const unsigned char *msghash, unsigned long msghashlen,
}
hLen = hash_descriptor[hash_idx].hashsize;
modulus_bitlen--;
modulus_len = (modulus_bitlen>>3) + (modulus_bitlen & 7 ? 1 : 0);
/* check sizes */
@ -147,7 +148,7 @@ int pkcs_1_pss_encode(const unsigned char *msghash, unsigned long msghashlen,
out[y] = 0xBC;
/* now clear the 8*modulus_len - modulus_bitlen most significant bits */
out[0] &= 0xFF >> ((modulus_len<<3) - (modulus_bitlen-1));
out[0] &= 0xFF >> ((modulus_len<<3) - modulus_bitlen);
/* store output size */
*outlen = modulus_len;

View File

@ -65,9 +65,8 @@ int pkcs_1_v1_5_decode(const unsigned char *msg,
}
ps_len = i++ - 2;
if ((i >= modulus_len) || (ps_len < 8)) {
/* There was no octet with hexadecimal value 0x00 to separate ps from m,
* or the length of ps is less than 8 octets.
if (i >= modulus_len) {
/* There was no octet with hexadecimal value 0x00 to separate ps from m.
*/
result = CRYPT_INVALID_PACKET;
goto bail;
@ -87,6 +86,14 @@ int pkcs_1_v1_5_decode(const unsigned char *msg,
ps_len = i - 2;
}
if (ps_len < 8)
{
/* The length of ps is less than 8 octets.
*/
result = CRYPT_INVALID_PACKET;
goto bail;
}
if (*outlen < (msglen - (2 + ps_len + 1))) {
*outlen = msglen - (2 + ps_len + 1);
result = CRYPT_BUFFER_OVERFLOW;

View File

@ -76,7 +76,7 @@ int rsa_exptmod(const unsigned char *in, unsigned long inlen,
if (which == PK_PRIVATE) {
#ifdef LTC_RSA_BLINDING
/* do blinding */
err = mp_rand(rnd, mp_count_bits(key->N));
err = mp_rand(rnd, mp_get_digit_count(key->N));
if (err != CRYPT_OK) {
goto error;
}

View File

@ -92,11 +92,18 @@ int rsa_verify_hash_ex(const unsigned char *sig, unsigned long siglen,
if (padding == LTC_PKCS_1_PSS) {
/* PSS decode and verify it */
if(modulus_bitlen%8 == 1){
err = pkcs_1_pss_decode(hash, hashlen, tmpbuf+1, x-1, saltlen, hash_idx, modulus_bitlen, stat);
}
else{
err = pkcs_1_pss_decode(hash, hashlen, tmpbuf, x, saltlen, hash_idx, modulus_bitlen, stat);
}
} else {
/* PKCS #1 v1.5 decode it */
unsigned char *out;
unsigned long outlen, loid[16];
unsigned long outlen, loid[16], reallen;
int decoded;
ltc_asn1_list digestinfo[2], siginfo[2];
@ -138,8 +145,14 @@ int rsa_verify_hash_ex(const unsigned char *sig, unsigned long siglen,
goto bail_2;
}
if ((err = der_length_sequence(siginfo, 2, &reallen)) != CRYPT_OK) {
XFREE(out);
goto bail_2;
}
/* test OID */
if ((digestinfo[0].size == hash_descriptor[hash_idx].OIDlen) &&
if ((reallen == outlen) &&
(digestinfo[0].size == hash_descriptor[hash_idx].OIDlen) &&
(XMEMCMP(digestinfo[0].data, hash_descriptor[hash_idx].OID, sizeof(unsigned long) * hash_descriptor[hash_idx].OIDlen) == 0) &&
(siginfo[1].size == hashlen) &&
(XMEMCMP(siginfo[1].data, hash, hashlen) == 0)) {

View File

@ -5,9 +5,10 @@ ifndef RANLIB
RANLIB=ranlib
endif
OBJECTS = base64_test.o cipher_hash_test.o der_tests.o \
OBJECTS = base64_test.o cipher_hash_test.o der_tests.o no_prng.o \
dsa_test.o ecc_test.o mac_test.o misc_test.o modes_test.o pkcs_1_test.o rsa_test.o \
store_test.o test_driver.o x86_prof.o katja_test.o dh_test.o
store_test.o test_driver.o x86_prof.o katja_test.o dh_test.o \
pkcs_1_pss_test.o pkcs_1_oaep_test.o pkcs_1_emsa_test.o pkcs_1_eme_test.o
ifndef LIBTEST_S
LIBTEST_S=libtomcrypt_prof.a

View File

@ -1,9 +1,10 @@
CFLAGS += -I../src/headers -I./
CC?=icc
OBJECTS = base64_test.o cipher_hash_test.o der_tests.o \
OBJECTS = base64_test.o cipher_hash_test.o der_tests.o no_prng.o \
dsa_test.o ecc_test.o mac_test.o modes_test.o pkcs_1_test.o rsa_test.o \
store_test.o test_driver.o x86_prof.o katja_test.o dh_test.o misc_test.o
store_test.o test_driver.o x86_prof.o katja_test.o dh_test.o misc_test.o \
pkcs_1_pss_test.o pkcs_1_oaep_test.o pkcs_1_emsa_test.o pkcs_1_eme_test.o
ifndef LIBTEST_S
LIBTEST_S = libtomcrypt_prof.a

View File

@ -4,9 +4,10 @@
CFLAGS = $(CFLAGS_OPTS) -W -I../src/headers -I. -Wall -W
OBJECTS = base64_test.o cipher_hash_test.o der_tests.o \
OBJECTS = base64_test.o cipher_hash_test.o der_tests.o no_prng.o \
dsa_test.o ecc_test.o mac_test.o misc_test.o modes_test.o pkcs_1_test.o rsa_test.o \
store_test.o test_driver.o x86_prof.o katja_test.o dh_test.o
store_test.o test_driver.o x86_prof.o katja_test.o dh_test.o pkcs_1_pss_test.o \
pkcs_1_oaep_test.o pkcs_1_emsa_test.o pkcs_1_eme_test.o
default: $(LIBTEST_S)

View File

@ -1,9 +1,10 @@
CFLAGS = /I../src/headers/ /I./ /Ox /DWIN32 /DLTC_SOURCE /W3 /Fo$@
OBJECTS=base64_test.obj cipher_hash_test.obj der_tests.obj \
OBJECTS=base64_test.obj cipher_hash_test.obj der_tests.obj no_prng.obj \
dsa_test.obj ecc_test.obj mac_test.obj modes_test.obj pkcs_1_test.obj \
rsa_test.obj store_test.obj test_driver.obj x86_prof.obj katja_test.obj \
dh_test.obj misc_test.obj
dh_test.obj misc_test.obj pkcs_1_pss_test.obj pkcs_1_oaep_test.obj \
pkcs_1_emsa_test.obj pkcs_1_eme_test.obj
tomcrypt_prof.lib: $(OBJECTS)
lib /out:tomcrypt_prof.lib $(OBJECTS)

View File

@ -6,9 +6,10 @@ LTCOMPILE = $(LT) --mode=compile --tag=CC $(CC)
CFLAGS += -I../src/headers -I./ -Wall -Wsign-compare -W -Wshadow -Wno-unused-parameter
OBJECTS = base64_test.o cipher_hash_test.o der_tests.o \
OBJECTS = base64_test.o cipher_hash_test.o der_tests.o no_prng.o \
dsa_test.o ecc_test.o mac_test.o modes_test.o pkcs_1_test.o rsa_test.o \
store_test.o test_driver.o x86_prof.o katja_test.o dh_test.o misc_test.o
store_test.o test_driver.o x86_prof.o katja_test.o dh_test.o misc_test.o \
pkcs_1_pss_test.o pkcs_1_oaep_test.o pkcs_1_emsa_test.o pkcs_1_eme_test.o
ifndef LIBTEST
LIBTEST=libtomcrypt_prof.la

148
testprof/no_prng.c Normal file
View File

@ -0,0 +1,148 @@
/* LibTomCrypt, modular cryptographic library
*
* LibTomCrypt is a library that provides various cryptographic
* algorithms in a highly modular and flexible manner.
*
* The library is free for all purposes without any express
* guarantee it works.
*
* http://libtom.org
*/
#include "tomcrypt.h"
/**
@file no_prng.c
NO PRNG, Steffen Jaeckel
*/
#ifdef LTC_PKCS_1
static unsigned char no_prng_entropy[1024];
static unsigned long no_prng_len = 0;
static unsigned long no_prng_offset = 0;
/**
Start the PRNG
@param prng [out] The PRNG state to initialize
@return CRYPT_OK if successful
*/
int no_prng_start(prng_state *prng)
{
no_prng_len = 0;
no_prng_offset = 0;
return CRYPT_OK;
}
/**
Add entropy to the PRNG state
@param in The data to add
@param inlen Length of the data to add
@param prng PRNG state to update
@return CRYPT_OK if successful
*/
int no_prng_add_entropy(const unsigned char *in, unsigned long inlen, prng_state *prng)
{
LTC_ARGCHK(in != NULL);
LTC_ARGCHK(inlen <= sizeof(no_prng_entropy));
no_prng_len = MIN(inlen, sizeof(no_prng_entropy));
memcpy(no_prng_entropy, in, no_prng_len);
no_prng_offset = 0;
return CRYPT_OK;
}
/**
Make the PRNG ready to read from
@param prng The PRNG to make active
@return CRYPT_OK if successful
*/
int no_prng_ready(prng_state *prng)
{
LTC_ARGCHK(prng != NULL);
return CRYPT_OK;
}
/**
Read from the PRNG
@param out Destination
@param outlen Length of output
@param prng The active PRNG to read from
@return Number of octets read
*/
unsigned long no_prng_read(unsigned char *out, unsigned long outlen, prng_state *prng)
{
LTC_ARGCHK(out != NULL);
outlen = MIN(outlen, no_prng_len - no_prng_offset);
memcpy(out, &no_prng_entropy[no_prng_offset], outlen);
no_prng_offset += outlen;
return outlen;
}
/**
Terminate the PRNG
@param prng The PRNG to terminate
@return CRYPT_OK if successful
*/
int no_prng_done(prng_state *prng)
{
return CRYPT_OK;
}
/**
Export the PRNG state
@param out [out] Destination
@param outlen [in/out] Max size and resulting size of the state
@param prng The PRNG to export
@return CRYPT_OK if successful
*/
int no_prng_export(unsigned char *out, unsigned long *outlen, prng_state *prng)
{
return CRYPT_OK;
}
/**
Import a PRNG state
@param in The PRNG state
@param inlen Size of the state
@param prng The PRNG to import
@return CRYPT_OK if successful
*/
int no_prng_import(const unsigned char *in, unsigned long inlen, prng_state *prng)
{
return CRYPT_OK;
}
/**
PRNG self-test
@return CRYPT_OK if successful, CRYPT_NOP if self-testing has been disabled
*/
int no_prng_test(void)
{
return CRYPT_OK;
}
const struct ltc_prng_descriptor no_prng_desc =
{
"no_prng", 0,
&no_prng_start,
&no_prng_add_entropy,
&no_prng_ready,
&no_prng_read,
&no_prng_done,
&no_prng_export,
&no_prng_import,
&no_prng_test
};
#endif
/* $Source$ */
/* $Revision$ */
/* $Date$ */

View File

@ -0,0 +1,69 @@
#include <tomcrypt_test.h>
#ifdef LTC_PKCS_1
#include "../notes/rsa-testvectors/pkcs1v15crypt-vectors.c"
int pkcs_1_eme_test(void)
{
int prng_idx = register_prng(&no_prng_desc);
int hash_idx = find_hash("sha1");
unsigned int i;
DO(prng_is_valid(prng_idx));
DO(hash_is_valid(hash_idx));
for (i = 0; i < sizeof(testcases_eme)/sizeof(testcases_eme[0]); ++i) {
testcase_t* t = &testcases_eme[i];
rsa_key k, *key = &k;
DOX(mp_init_multi(&key->e, &key->d, &key->N, &key->dQ,
&key->dP, &key->qP, &key->p, &key->q, NULL), t->name);
DOX(mp_read_unsigned_bin(key->e, t->rsa.e, t->rsa.e_l), t->name);
DOX(mp_read_unsigned_bin(key->d, t->rsa.d, t->rsa.d_l), t->name);
DOX(mp_read_unsigned_bin(key->N, t->rsa.n, t->rsa.n_l), t->name);
DOX(mp_read_unsigned_bin(key->dQ, t->rsa.dQ, t->rsa.dQ_l), t->name);
DOX(mp_read_unsigned_bin(key->dP, t->rsa.dP, t->rsa.dP_l), t->name);
DOX(mp_read_unsigned_bin(key->qP, t->rsa.qInv, t->rsa.qInv_l), t->name);
DOX(mp_read_unsigned_bin(key->q, t->rsa.q, t->rsa.q_l), t->name);
DOX(mp_read_unsigned_bin(key->p, t->rsa.p, t->rsa.p_l), t->name);
key->type = PK_PRIVATE;
unsigned int j;
for (j = 0; j < sizeof(t->data)/sizeof(t->data[0]); ++j) {
rsaData_t* s = &t->data[j];
unsigned char buf[256], obuf[256];
unsigned long buflen = sizeof(buf), obuflen = sizeof(obuf);
int stat;
prng_descriptor[prng_idx].add_entropy(s->o2, s->o2_l, NULL);
DOX(rsa_encrypt_key_ex(s->o1, s->o1_l, obuf, &obuflen, NULL, 0, NULL, prng_idx, -1, LTC_PKCS_1_V1_5, key), s->name);
DOX(obuflen == (unsigned long)s->o3_l?CRYPT_OK:CRYPT_FAIL_TESTVECTOR, s->name);
DOX(memcmp(s->o3, obuf, s->o3_l)==0?CRYPT_OK:CRYPT_FAIL_TESTVECTOR, s->name);
DOX(rsa_decrypt_key_ex(obuf, obuflen, buf, &buflen, NULL, 0, -1, LTC_PKCS_1_V1_5, &stat, key), s->name);
DOX(stat == 1?CRYPT_OK:CRYPT_FAIL_TESTVECTOR, s->name);
} /* for */
mp_clear_multi(key->d, key->e, key->N, key->dQ, key->dP, key->qP, key->p, key->q, NULL);
} /* for */
unregister_prng(&no_prng_desc);
return 0;
}
#else
int pkcs_1_eme_test(void)
{
fprintf(stderr, "NOP");
return 0;
}
#endif
/* $Source$ */
/* $Revision$ */
/* $Date$ */

View File

@ -0,0 +1,65 @@
#include <tomcrypt_test.h>
#ifdef LTC_PKCS_1
#include "../notes/rsa-testvectors/pkcs1v15sign-vectors.c"
int pkcs_1_emsa_test(void)
{
int hash_idx = find_hash("sha1");
unsigned int i;
DO(hash_is_valid(hash_idx));
for (i = 0; i < sizeof(testcases_emsa)/sizeof(testcases_emsa[0]); ++i) {
testcase_t* t = &testcases_emsa[i];
rsa_key k, *key = &k;
DOX(mp_init_multi(&key->e, &key->d, &key->N, &key->dQ,
&key->dP, &key->qP, &key->p, &key->q, NULL), t->name);
DOX(mp_read_unsigned_bin(key->e, t->rsa.e, t->rsa.e_l), t->name);
DOX(mp_read_unsigned_bin(key->d, t->rsa.d, t->rsa.d_l), t->name);
DOX(mp_read_unsigned_bin(key->N, t->rsa.n, t->rsa.n_l), t->name);
DOX(mp_read_unsigned_bin(key->dQ, t->rsa.dQ, t->rsa.dQ_l), t->name);
DOX(mp_read_unsigned_bin(key->dP, t->rsa.dP, t->rsa.dP_l), t->name);
DOX(mp_read_unsigned_bin(key->qP, t->rsa.qInv, t->rsa.qInv_l), t->name);
DOX(mp_read_unsigned_bin(key->q, t->rsa.q, t->rsa.q_l), t->name);
DOX(mp_read_unsigned_bin(key->p, t->rsa.p, t->rsa.p_l), t->name);
key->type = PK_PRIVATE;
unsigned int j;
for (j = 0; j < sizeof(t->data)/sizeof(t->data[0]); ++j) {
rsaData_t* s = &t->data[j];
unsigned char buf[20], obuf[256];
unsigned long buflen = sizeof(buf), obuflen = sizeof(obuf);
int stat;
DOX(hash_memory(hash_idx, s->o1, s->o1_l, buf, &buflen), s->name);
DOX(rsa_sign_hash_ex(buf, buflen, obuf, &obuflen, LTC_PKCS_1_V1_5, NULL, -1, hash_idx, 0, key), s->name);
DOX(obuflen == (unsigned long)s->o2_l?CRYPT_OK:CRYPT_FAIL_TESTVECTOR, s->name);
DOX(memcmp(s->o2, obuf, s->o2_l)==0?CRYPT_OK:CRYPT_FAIL_TESTVECTOR, s->name);
DOX(rsa_verify_hash_ex(obuf, obuflen, buf, buflen, LTC_PKCS_1_V1_5, hash_idx, 0, &stat, key), s->name);
DOX(stat == 1?CRYPT_OK:CRYPT_FAIL_TESTVECTOR, s->name);
} /* for */
mp_clear_multi(key->d, key->e, key->N, key->dQ, key->dP, key->qP, key->p, key->q, NULL);
} /* for */
return 0;
}
#else
int pkcs_1_emsa_test(void)
{
fprintf(stderr, "NOP");
return 0;
}
#endif
/* $Source$ */
/* $Revision$ */
/* $Date$ */

View File

@ -0,0 +1,69 @@
#include <tomcrypt_test.h>
#ifdef LTC_PKCS_1
#include "../notes/rsa-testvectors/oaep-vect.c"
int pkcs_1_oaep_test(void)
{
int prng_idx = register_prng(&no_prng_desc);
int hash_idx = find_hash("sha1");
unsigned int i;
DO(prng_is_valid(prng_idx));
DO(hash_is_valid(hash_idx));
for (i = 0; i < sizeof(testcases_oaep)/sizeof(testcases_oaep[0]); ++i) {
testcase_t* t = &testcases_oaep[i];
rsa_key k, *key = &k;
DOX(mp_init_multi(&key->e, &key->d, &key->N, &key->dQ,
&key->dP, &key->qP, &key->p, &key->q, NULL), t->name);
DOX(mp_read_unsigned_bin(key->e, t->rsa.e, t->rsa.e_l), t->name);
DOX(mp_read_unsigned_bin(key->d, t->rsa.d, t->rsa.d_l), t->name);
DOX(mp_read_unsigned_bin(key->N, t->rsa.n, t->rsa.n_l), t->name);
DOX(mp_read_unsigned_bin(key->dQ, t->rsa.dQ, t->rsa.dQ_l), t->name);
DOX(mp_read_unsigned_bin(key->dP, t->rsa.dP, t->rsa.dP_l), t->name);
DOX(mp_read_unsigned_bin(key->qP, t->rsa.qInv, t->rsa.qInv_l), t->name);
DOX(mp_read_unsigned_bin(key->q, t->rsa.q, t->rsa.q_l), t->name);
DOX(mp_read_unsigned_bin(key->p, t->rsa.p, t->rsa.p_l), t->name);
key->type = PK_PRIVATE;
unsigned int j;
for (j = 0; j < sizeof(t->data)/sizeof(t->data[0]); ++j) {
rsaData_t* s = &t->data[j];
unsigned char buf[256], obuf[256];
unsigned long buflen = sizeof(buf), obuflen = sizeof(obuf);
int stat;
prng_descriptor[prng_idx].add_entropy(s->o2, s->o2_l, NULL);
DOX(rsa_encrypt_key(s->o1, s->o1_l, obuf, &obuflen, NULL, 0, NULL, prng_idx, hash_idx, key), s->name);
DOX(obuflen == (unsigned long)s->o3_l?CRYPT_OK:CRYPT_FAIL_TESTVECTOR, s->name);
DOX(memcmp(s->o3, obuf, s->o3_l)==0?CRYPT_OK:CRYPT_FAIL_TESTVECTOR, s->name);
DOX(rsa_decrypt_key(obuf, obuflen, buf, &buflen, NULL, 0, hash_idx, &stat, key), s->name);
DOX(stat == 1?CRYPT_OK:CRYPT_FAIL_TESTVECTOR, s->name);
} /* for */
mp_clear_multi(key->d, key->e, key->N, key->dQ, key->dP, key->qP, key->p, key->q, NULL);
} /* for */
unregister_prng(&no_prng_desc);
return 0;
}
#else
int pkcs_1_oaep_test(void)
{
fprintf(stderr, "NOP");
return 0;
}
#endif
/* $Source$ */
/* $Revision$ */
/* $Date$ */

View File

@ -0,0 +1,70 @@
#include <tomcrypt_test.h>
#ifdef LTC_PKCS_1
#include "../notes/rsa-testvectors/pss-vect.c"
int pkcs_1_pss_test(void)
{
int prng_idx = register_prng(&no_prng_desc);
int hash_idx = find_hash("sha1");
unsigned int i;
DO(prng_is_valid(prng_idx));
DO(hash_is_valid(hash_idx));
for (i = 0; i < sizeof(testcases_pss)/sizeof(testcases_pss[0]); ++i) {
testcase_t* t = &testcases_pss[i];
rsa_key k, *key = &k;
DOX(mp_init_multi(&key->e, &key->d, &key->N, &key->dQ,
&key->dP, &key->qP, &key->p, &key->q, NULL), t->name);
DOX(mp_read_unsigned_bin(key->e, t->rsa.e, t->rsa.e_l), t->name);
DOX(mp_read_unsigned_bin(key->d, t->rsa.d, t->rsa.d_l), t->name);
DOX(mp_read_unsigned_bin(key->N, t->rsa.n, t->rsa.n_l), t->name);
DOX(mp_read_unsigned_bin(key->dQ, t->rsa.dQ, t->rsa.dQ_l), t->name);
DOX(mp_read_unsigned_bin(key->dP, t->rsa.dP, t->rsa.dP_l), t->name);
DOX(mp_read_unsigned_bin(key->qP, t->rsa.qInv, t->rsa.qInv_l), t->name);
DOX(mp_read_unsigned_bin(key->q, t->rsa.q, t->rsa.q_l), t->name);
DOX(mp_read_unsigned_bin(key->p, t->rsa.p, t->rsa.p_l), t->name);
key->type = PK_PRIVATE;
unsigned int j;
for (j = 0; j < sizeof(t->data)/sizeof(t->data[0]); ++j) {
rsaData_t* s = &t->data[j];
unsigned char buf[20], obuf[256];
unsigned long buflen = sizeof(buf), obuflen = sizeof(obuf);
int stat;
prng_descriptor[prng_idx].add_entropy(s->o2, s->o2_l, NULL);
DOX(hash_memory(hash_idx, s->o1, s->o1_l, buf, &buflen), s->name);
DOX(rsa_sign_hash(buf, buflen, obuf, &obuflen, NULL, prng_idx, hash_idx, s->o2_l, key), s->name);
DOX(obuflen == (unsigned long)s->o3_l?CRYPT_OK:CRYPT_FAIL_TESTVECTOR, s->name);
DOX(memcmp(s->o3, obuf, s->o3_l)==0?CRYPT_OK:CRYPT_FAIL_TESTVECTOR, s->name);
DOX(rsa_verify_hash(obuf, obuflen, buf, buflen, hash_idx, s->o2_l, &stat, key), s->name);
DOX(stat == 1?CRYPT_OK:CRYPT_FAIL_TESTVECTOR, s->name);
} /* for */
mp_clear_multi(key->d, key->e, key->N, key->dQ, key->dP, key->qP, key->p, key->q, NULL);
} /* for */
unregister_prng(&no_prng_desc);
return 0;
}
#else
int pkcs_1_pss_test(void)
{
fprintf(stderr, "NOP");
return 0;
}
#endif
/* $Source$ */
/* $Revision$ */
/* $Date$ */

View File

@ -2,6 +2,12 @@
#ifdef LTC_PKCS_1
#ifdef LTC_TEST_REAL_RAND
#define LTC_TEST_RAND_SEED time(NULL)
#else
#define LTC_TEST_RAND_SEED 23
#endif
int pkcs_1_test(void)
{
unsigned char buf[3][128];
@ -18,7 +24,7 @@ int pkcs_1_test(void)
return 1;
}
srand(time(NULL));
srand(LTC_TEST_RAND_SEED);
/* do many tests */
for (x = 0; x < 100; x++) {
zeromem(buf, sizeof(buf));

View File

@ -104,8 +104,8 @@ int rsa_test(void)
{
unsigned char in[1024], out[1024], tmp[1024];
rsa_key key, privKey, pubKey;
int hash_idx, prng_idx, stat, stat2;
unsigned long rsa_msgsize, len, len2, cnt;
int hash_idx, prng_idx, stat, stat2, i;
unsigned long rsa_msgsize, len, len2, len3, cnt, cnt2;
static unsigned char lparam[] = { 0x01, 0x02, 0x03, 0x04 };
if (rsa_compat_test() != 0) {
@ -186,24 +186,9 @@ for (cnt = 0; cnt < len; ) {
return 1;
}
if (len2 != rsa_msgsize || memcmp(tmp, in, rsa_msgsize)) {
unsigned long x;
fprintf(stderr, "\nrsa_decrypt_key mismatch, len %lu (second decrypt)\n", len2);
fprintf(stderr, "Original contents: \n");
for (x = 0; x < rsa_msgsize; ) {
fprintf(stderr, "%02x ", in[x]);
if (!(++x % 16)) {
fprintf(stderr, "\n");
}
}
fprintf(stderr, "\n");
fprintf(stderr, "Output contents: \n");
for (x = 0; x < rsa_msgsize; ) {
fprintf(stderr, "%02x ", out[x]);
if (!(++x % 16)) {
fprintf(stderr, "\n");
}
}
fprintf(stderr, "\n");
print_hex("Original", in, rsa_msgsize);
print_hex("Output", tmp, len2);
return 1;
}
}
@ -232,6 +217,8 @@ for (cnt = 0; cnt < len; ) {
}
if (len2 != rsa_msgsize || memcmp(tmp, in, rsa_msgsize)) {
fprintf(stderr, "rsa_decrypt_key mismatch len %lu", len2);
print_hex("Original", in, rsa_msgsize);
print_hex("Output", tmp, len2);
return 1;
}
}
@ -240,18 +227,26 @@ for (cnt = 0; cnt < len; ) {
for (rsa_msgsize = 1; rsa_msgsize <= 117; rsa_msgsize++) {
len = sizeof(out);
len2 = rsa_msgsize;
/* make a random key/msg */
yarrow_read(in, rsa_msgsize, &yarrow_prng);
DO(rsa_encrypt_key_ex(in, rsa_msgsize, out, &len, NULL, 0, &yarrow_prng, prng_idx, 0, LTC_PKCS_1_V1_5, &key));
len2 = rsa_msgsize;
DO(rsa_decrypt_key_ex(out, len, tmp, &len2, NULL, 0, 0, LTC_PKCS_1_V1_5, &stat, &key));
if (!(stat == 1 && stat2 == 0)) {
if (stat != 1) {
fprintf(stderr, "rsa_decrypt_key_ex failed, %d, %d", stat, stat2);
return 1;
}
if (len2 != rsa_msgsize || memcmp(tmp, in, rsa_msgsize)) {
if (len2 != rsa_msgsize) {
fprintf(stderr, "rsa_decrypt_key_ex mismatch len %lu", len2);
return 1;
}
if (memcmp(tmp, in, rsa_msgsize)) {
fprintf(stderr, "rsa_decrypt_key_ex mismatch data");
print_hex("Original", in, rsa_msgsize);
print_hex("Output", tmp, rsa_msgsize);
return 1;
}
}
/* sign a message (unsalted, lower cholestorol and Atkins approved) now */
@ -281,7 +276,7 @@ for (cnt = 0; cnt < len; ) {
}
/* verify with privKey */
/* change a byte */
/* change byte back to original */
in[0] ^= 1;
DO(rsa_verify_hash(out, len, in, 20, hash_idx, 0, &stat, &privKey));
/* change a byte */
@ -297,7 +292,7 @@ for (cnt = 0; cnt < len; ) {
}
/* verify with pubKey */
/* change a byte */
/* change byte back to original */
in[0] ^= 1;
DO(rsa_verify_hash(out, len, in, 20, hash_idx, 0, &stat, &pubKey));
/* change a byte */
@ -344,6 +339,85 @@ for (cnt = 0; cnt < len; ) {
return 1;
}
/* Testcase for Bleichenbacher attack
*
* (1) Create a valid signature
* (2) Check that it can be verified
* (3) Decrypt the package to fetch plain text
* (4) Forge the structure of PKCS#1-EMSA encoded data
* (4.1) Search for start and end of the padding string
* (4.2) Move the signature to the front of the padding string
* (4.3) Zero the message until the end
* (5) Encrypt the package again
* (6) Profit :)
* For PS lengths < 8: the verification process should fail
* For PS lengths >= 8: the verification process should succeed
* For all PS lengths: the result should not be valid
*/
unsigned char* p = in;
unsigned char* p2 = out;
unsigned char* p3 = tmp;
for (i = 0; i < 9; ++i) {
len = sizeof(in);
len2 = sizeof(out);
cnt = rsa_get_size(&key);
/* (1) */
DO(rsa_sign_hash_ex(p, 20, p2, &len2, LTC_PKCS_1_V1_5, &yarrow_prng, prng_idx, hash_idx, 8, &privKey));
/* (2) */
DOX(rsa_verify_hash_ex(p2, len2, p, 20, LTC_PKCS_1_V1_5, hash_idx, -1, &stat, &pubKey), "should succeed");
DOX(stat == 1?CRYPT_OK:CRYPT_FAIL_TESTVECTOR, "should succeed");
len3 = sizeof(tmp);
/* (3) */
DO(ltc_mp.rsa_me(p2, len2, p3, &len3, PK_PUBLIC, &key));
/* (4) */
#if 0
printf("\nBefore:");
for (cnt = 0; cnt < len3; ++cnt) {
if (cnt%32 == 0)
printf("\n%3lu:", cnt);
printf(" %02x", p3[cnt]);
}
#endif
/* (4.1) */
for (cnt = 0; cnt < len3; ++cnt) {
if (p3[cnt] == 0xff)
break;
}
for (cnt2 = cnt+1; cnt2 < len3; ++cnt2) {
if (p3[cnt2] != 0xff)
break;
}
/* (4.2) */
memmove(&p3[cnt+i], &p3[cnt2], len3-cnt2);
/* (4.3) */
for (cnt = cnt + len3-cnt2+i; cnt < len; ++cnt) {
p3[cnt] = 0;
}
#if 0
printf("\nAfter:");
for (cnt = 0; cnt < len3; ++cnt) {
if (cnt%32 == 0)
printf("\n%3lu:", cnt);
printf(" %02x", p3[cnt]);
}
printf("\n");
#endif
len2 = sizeof(out);
/* (5) */
DO(ltc_mp.rsa_me(p3, len3, p2, &len2, PK_PRIVATE, &key));
len3 = sizeof(tmp);
/* (6) */
if (i < 8)
DOX(rsa_verify_hash_ex(p2, len2, p, 20, LTC_PKCS_1_V1_5, hash_idx, -1, &stat, &pubKey)
== CRYPT_INVALID_PACKET ? CRYPT_OK:CRYPT_INVALID_PACKET, "should fail");
else
DOX(rsa_verify_hash_ex(p2, len2, p, 20, LTC_PKCS_1_V1_5, hash_idx, -1, &stat, &pubKey), "should succeed");
DOX(stat == 0?CRYPT_OK:CRYPT_FAIL_TESTVECTOR, "should fail");
}
/* free the key and return */
rsa_free(&key);
rsa_free(&pubKey);

View File

@ -39,11 +39,11 @@ extern prng_state yarrow_prng;
void run_cmd(int res, int line, char *file, char *cmd, const char *algorithm);
#ifdef LTC_VERBOSE
#define DO(x) do { fprintf(stderr, "%s:\n", #x); run_cmd((x), __LINE__, __FILE__, #x, NULL); } while (0);
#define DOX(x, str) do { fprintf(stderr, "%s - %s:\n", #x, (str)); run_cmd((x), __LINE__, __FILE__, #x, (str)); } while (0);
#define DO(x) do { fprintf(stderr, "%s:\n", #x); run_cmd((x), __LINE__, __FILE__, #x, NULL); } while (0)
#define DOX(x, str) do { fprintf(stderr, "%s - %s:\n", #x, (str)); run_cmd((x), __LINE__, __FILE__, #x, (str)); } while (0)
#else
#define DO(x) do { run_cmd((x), __LINE__, __FILE__, #x, NULL); } while (0);
#define DOX(x, str) do { run_cmd((x), __LINE__, __FILE__, #x, (str)); } while (0);
#define DO(x) do { run_cmd((x), __LINE__, __FILE__, #x, NULL); } while (0)
#define DOX(x, str) do { run_cmd((x), __LINE__, __FILE__, #x, (str)); } while (0)
#endif
/* TESTS */
@ -51,6 +51,10 @@ int cipher_hash_test(void);
int modes_test(void);
int mac_test(void);
int pkcs_1_test(void);
int pkcs_1_pss_test(void);
int pkcs_1_oaep_test(void);
int pkcs_1_emsa_test(void);
int pkcs_1_eme_test(void);
int store_test(void);
int rsa_test(void);
int dh_test(void);
@ -72,6 +76,11 @@ extern struct list {
extern int no_results;
#ifdef LTC_PKCS_1
extern const struct ltc_prng_descriptor no_prng_desc;
#endif
void print_hex(const char* what, const unsigned char* p, const unsigned long l);
int sorter(const void *a, const void *b);
void tally_results(int type);
ulong64 rdtsc (void);

View File

@ -2,6 +2,19 @@
prng_state yarrow_prng;
void print_hex(const char* what, const unsigned char* p, const unsigned long l)
{
unsigned long x;
fprintf(stderr, "%s contents: \n", what);
for (x = 0; x < l; ) {
fprintf(stderr, "%02x ", p[x]);
if (!(++x % 16)) {
fprintf(stderr, "\n");
}
}
fprintf(stderr, "\n");
}
struct list results[100];
int no_results;
int sorter(const void *a, const void *b)