X-Git-Url: https://www.bearssl.org/gitweb//home/git/?p=BearSSL;a=blobdiff_plain;f=test%2Ftest_crypto.c;h=acfabd05791911135bd8a2a6b32718598505f5d4;hp=a5f6246247ffa5eb923f4d5d08df6aebc50f2c9b;hb=491a45337de8dc0a4c100abf33f5c0e187a08afd;hpb=89ea3b1876d6a17a754c1f80c74f5076eccda866 diff --git a/test/test_crypto.c b/test/test_crypto.c index a5f6246..acfabd0 100644 --- a/test/test_crypto.c +++ b/test/test_crypto.c @@ -591,7 +591,7 @@ test_HMAC_CT(const br_hash_class *digest_class, br_hmac_key_init(&kc, digest_class, key, key_len); - for (u = 0; u < 130; u ++) { + for (u = 0; u < 2; u ++) { for (v = 0; v < 130; v ++) { size_t min_len, max_len; size_t w; @@ -1075,21 +1075,43 @@ test_HMAC_DRBG(void) } static void -do_KAT_PRF( - void (*prf)(void *dst, size_t len, - const void *secret, size_t secret_len, - const char *label, const void *seed, size_t seed_len), +do_KAT_PRF(br_tls_prf_impl prf, const char *ssecret, const char *label, const char *sseed, const char *sref) { unsigned char secret[100], seed[100], ref[500], out[500]; size_t secret_len, seed_len, ref_len; + br_tls_prf_seed_chunk chunks[2]; secret_len = hextobin(secret, ssecret); seed_len = hextobin(seed, sseed); ref_len = hextobin(ref, sref); - prf(out, ref_len, secret, secret_len, label, seed, seed_len); - check_equals("TLS PRF KAT", out, ref, ref_len); + + chunks[0].data = seed; + chunks[0].len = seed_len; + prf(out, ref_len, secret, secret_len, label, 1, chunks); + check_equals("TLS PRF KAT 1", out, ref, ref_len); + + chunks[0].data = seed; + chunks[0].len = seed_len; + chunks[1].data = NULL; + chunks[1].len = 0; + prf(out, ref_len, secret, secret_len, label, 2, chunks); + check_equals("TLS PRF KAT 2", out, ref, ref_len); + + chunks[0].data = NULL; + chunks[0].len = 0; + chunks[1].data = seed; + chunks[1].len = seed_len; + prf(out, ref_len, secret, secret_len, label, 2, chunks); + check_equals("TLS PRF KAT 3", out, ref, ref_len); + + chunks[0].data = seed; + chunks[0].len = seed_len >> 1; + chunks[1].data = seed + chunks[0].len; + chunks[1].len = seed_len - chunks[0].len; + prf(out, ref_len, secret, secret_len, label, 2, chunks); + check_equals("TLS PRF KAT 4", out, ref, ref_len); } static void @@ -3133,6 +3155,71 @@ test_AES_generic(char *name, check_equals("KAT CBC AES decrypt (2)", buf, plain, data_len); } + + /* + * We want to check proper IV management for CBC: + * encryption and decryption must properly copy the _last_ + * encrypted block as new IV, for all sizes. + */ + for (u = 1; u <= 35; u ++) { + br_hmac_drbg_context rng; + unsigned char x; + size_t key_len, data_len; + size_t v; + + br_hmac_drbg_init(&rng, &br_sha256_vtable, + "seed for AES/CBC", 16); + x = u; + br_hmac_drbg_update(&rng, &x, 1); + data_len = u << 4; + for (key_len = 16; key_len <= 32; key_len += 16) { + unsigned char key[32]; + unsigned char iv[16], iv1[16], iv2[16]; + unsigned char plain[35 * 16]; + unsigned char tmp1[sizeof plain]; + unsigned char tmp2[sizeof plain]; + br_aes_gen_cbcenc_keys v_ec; + br_aes_gen_cbcdec_keys v_dc; + const br_block_cbcenc_class **ec; + const br_block_cbcdec_class **dc; + + br_hmac_drbg_generate(&rng, key, key_len); + br_hmac_drbg_generate(&rng, iv, sizeof iv); + br_hmac_drbg_generate(&rng, plain, data_len); + + ec = &v_ec.vtable; + ve->init(ec, key, key_len); + memcpy(iv1, iv, sizeof iv); + memcpy(tmp1, plain, data_len); + ve->run(ec, iv1, tmp1, data_len); + check_equals("IV CBC AES (1)", + tmp1 + data_len - 16, iv1, 16); + memcpy(iv2, iv, sizeof iv); + memcpy(tmp2, plain, data_len); + for (v = 0; v < data_len; v += 16) { + ve->run(ec, iv2, tmp2 + v, 16); + } + check_equals("IV CBC AES (2)", + tmp2 + data_len - 16, iv2, 16); + check_equals("IV CBC AES (3)", + tmp1, tmp2, data_len); + + dc = &v_dc.vtable; + vd->init(dc, key, key_len); + memcpy(iv1, iv, sizeof iv); + vd->run(dc, iv1, tmp1, data_len); + check_equals("IV CBC AES (4)", iv1, iv2, 16); + check_equals("IV CBC AES (5)", + tmp1, plain, data_len); + memcpy(iv2, iv, sizeof iv); + for (v = 0; v < data_len; v += 16) { + vd->run(dc, iv2, tmp2 + v, 16); + } + check_equals("IV CBC AES (6)", iv1, iv2, 16); + check_equals("IV CBC AES (7)", + tmp2, plain, data_len); + } + } } if (vc != NULL) { @@ -3157,7 +3244,6 @@ test_AES_generic(char *name, data_len = hextobin(plain, KAT_AES_CTR[u + 2]); hextobin(cipher, KAT_AES_CTR[u + 3]); vc->init(xc, key, key_len); - memcpy(buf, plain, data_len); vc->run(xc, iv, 1, buf, data_len); check_equals("KAT CTR AES (1)", buf, cipher, data_len); @@ -3271,6 +3357,278 @@ test_AES_ct64(void) 1, 1); } +static void +test_AES_x86ni(void) +{ + const br_block_cbcenc_class *x_cbcenc; + const br_block_cbcdec_class *x_cbcdec; + const br_block_ctr_class *x_ctr; + int hcbcenc, hcbcdec, hctr; + + x_cbcenc = br_aes_x86ni_cbcenc_get_vtable(); + x_cbcdec = br_aes_x86ni_cbcdec_get_vtable(); + x_ctr = br_aes_x86ni_ctr_get_vtable(); + hcbcenc = (x_cbcenc != NULL); + hcbcdec = (x_cbcdec != NULL); + hctr = (x_ctr != NULL); + if (hcbcenc != hctr || hcbcdec != hctr) { + fprintf(stderr, "AES_x86ni availability mismatch (%d/%d/%d)\n", + hcbcenc, hcbcdec, hctr); + exit(EXIT_FAILURE); + } + if (hctr) { + test_AES_generic("AES_x86ni", + x_cbcenc, x_cbcdec, x_ctr, 1, 1); + } else { + printf("Test AES_x86ni: UNAVAILABLE\n"); + } +} + +static void +test_AES_pwr8(void) +{ + const br_block_cbcenc_class *x_cbcenc; + const br_block_cbcdec_class *x_cbcdec; + const br_block_ctr_class *x_ctr; + int hcbcenc, hcbcdec, hctr; + + x_cbcenc = br_aes_pwr8_cbcenc_get_vtable(); + x_cbcdec = br_aes_pwr8_cbcdec_get_vtable(); + x_ctr = br_aes_pwr8_ctr_get_vtable(); + hcbcenc = (x_cbcenc != NULL); + hcbcdec = (x_cbcdec != NULL); + hctr = (x_ctr != NULL); + if (hcbcenc != hctr || hcbcdec != hctr) { + fprintf(stderr, "AES_pwr8 availability mismatch (%d/%d/%d)\n", + hcbcenc, hcbcdec, hctr); + exit(EXIT_FAILURE); + } + if (hctr) { + test_AES_generic("AES_pwr8", + x_cbcenc, x_cbcdec, x_ctr, 1, 1); + } else { + printf("Test AES_pwr8: UNAVAILABLE\n"); + } +} + +/* + * Custom CTR + CBC-MAC AES implementation. Can also do CTR-only, and + * CBC-MAC-only. The 'aes_big' implementation (CTR) is used. This is + * meant for comparisons. + * + * If 'ctr' is NULL then no encryption/decryption is done; otherwise, + * CTR encryption/decryption is performed (full-block counter) and the + * 'ctr' array is updated with the new counter value. + * + * If 'cbcmac' is NULL then no CBC-MAC is done; otherwise, CBC-MAC is + * applied on the encrypted data, with 'cbcmac' as IV and destination + * buffer for the output. If 'ctr' is not NULL and 'encrypt' is non-zero, + * then CBC-MAC is computed over the result of CTR processing; otherwise, + * CBC-MAC is computed over the input data itself. + */ +static void +do_aes_ctrcbc(const void *key, size_t key_len, int encrypt, + void *ctr, void *cbcmac, unsigned char *data, size_t len) +{ + br_aes_big_ctr_keys bc; + int i; + + br_aes_big_ctr_init(&bc, key, key_len); + for (i = 0; i < 2; i ++) { + /* + * CBC-MAC is computed on the encrypted data, so in + * first pass if decrypting, second pass if encrypting. + */ + if (cbcmac != NULL + && ((encrypt && i == 1) || (!encrypt && i == 0))) + { + unsigned char zz[16]; + size_t u; + + memcpy(zz, cbcmac, sizeof zz); + for (u = 0; u < len; u += 16) { + unsigned char tmp[16]; + size_t v; + + for (v = 0; v < 16; v ++) { + tmp[v] = zz[v] ^ data[u + v]; + } + memset(zz, 0, sizeof zz); + br_aes_big_ctr_run(&bc, + tmp, br_dec32be(tmp + 12), zz, 16); + } + memcpy(cbcmac, zz, sizeof zz); + } + + /* + * CTR encryption/decryption is done only in the first pass. + * We process data block per block, because the CTR-only + * class uses a 32-bit counter, while the CTR+CBC-MAC + * class uses a 128-bit counter. + */ + if (ctr != NULL && i == 0) { + unsigned char zz[16]; + size_t u; + + memcpy(zz, ctr, sizeof zz); + for (u = 0; u < len; u += 16) { + int i; + + br_aes_big_ctr_run(&bc, + zz, br_dec32be(zz + 12), data + u, 16); + for (i = 15; i >= 0; i --) { + zz[i] = (zz[i] + 1) & 0xFF; + if (zz[i] != 0) { + break; + } + } + } + memcpy(ctr, zz, sizeof zz); + } + } +} + +static void +test_AES_CTRCBC_inner(const char *name, const br_block_ctrcbc_class *vt) +{ + br_hmac_drbg_context rng; + size_t key_len; + + printf("Test AES CTR/CBC-MAC %s: ", name); + fflush(stdout); + + br_hmac_drbg_init(&rng, &br_sha256_vtable, name, strlen(name)); + for (key_len = 16; key_len <= 32; key_len += 8) { + br_aes_gen_ctrcbc_keys bc; + unsigned char key[32]; + size_t data_len; + + br_hmac_drbg_generate(&rng, key, key_len); + vt->init(&bc.vtable, key, key_len); + for (data_len = 0; data_len <= 512; data_len += 16) { + unsigned char plain[512]; + unsigned char data1[sizeof plain]; + unsigned char data2[sizeof plain]; + unsigned char ctr[16], cbcmac[16]; + unsigned char ctr1[16], cbcmac1[16]; + unsigned char ctr2[16], cbcmac2[16]; + int i; + + br_hmac_drbg_generate(&rng, plain, data_len); + + for (i = 0; i <= 16; i ++) { + if (i == 0) { + br_hmac_drbg_generate(&rng, ctr, 16); + } else { + memset(ctr, 0, i - 1); + memset(ctr + i - 1, 0xFF, 17 - i); + } + br_hmac_drbg_generate(&rng, cbcmac, 16); + + memcpy(data1, plain, data_len); + memcpy(ctr1, ctr, 16); + vt->ctr(&bc.vtable, ctr1, data1, data_len); + memcpy(data2, plain, data_len); + memcpy(ctr2, ctr, 16); + do_aes_ctrcbc(key, key_len, 1, + ctr2, NULL, data2, data_len); + check_equals("CTR-only data", + data1, data2, data_len); + check_equals("CTR-only counter", + ctr1, ctr2, 16); + + memcpy(data1, plain, data_len); + memcpy(cbcmac1, cbcmac, 16); + vt->mac(&bc.vtable, cbcmac1, data1, data_len); + memcpy(data2, plain, data_len); + memcpy(cbcmac2, cbcmac, 16); + do_aes_ctrcbc(key, key_len, 1, + NULL, cbcmac2, data2, data_len); + check_equals("CBC-MAC-only", + cbcmac1, cbcmac2, 16); + + memcpy(data1, plain, data_len); + memcpy(ctr1, ctr, 16); + memcpy(cbcmac1, cbcmac, 16); + vt->encrypt(&bc.vtable, + ctr1, cbcmac1, data1, data_len); + memcpy(data2, plain, data_len); + memcpy(ctr2, ctr, 16); + memcpy(cbcmac2, cbcmac, 16); + do_aes_ctrcbc(key, key_len, 1, + ctr2, cbcmac2, data2, data_len); + check_equals("encrypt: combined data", + data1, data2, data_len); + check_equals("encrypt: combined counter", + ctr1, ctr2, 16); + check_equals("encrypt: combined CBC-MAC", + cbcmac1, cbcmac2, 16); + + memcpy(ctr1, ctr, 16); + memcpy(cbcmac1, cbcmac, 16); + vt->decrypt(&bc.vtable, + ctr1, cbcmac1, data1, data_len); + memcpy(ctr2, ctr, 16); + memcpy(cbcmac2, cbcmac, 16); + do_aes_ctrcbc(key, key_len, 0, + ctr2, cbcmac2, data2, data_len); + check_equals("decrypt: combined data", + data1, data2, data_len); + check_equals("decrypt: combined counter", + ctr1, ctr2, 16); + check_equals("decrypt: combined CBC-MAC", + cbcmac1, cbcmac2, 16); + } + + printf("."); + fflush(stdout); + } + + printf(" "); + fflush(stdout); + } + + printf("done.\n"); + fflush(stdout); +} + +static void +test_AES_CTRCBC_big(void) +{ + test_AES_CTRCBC_inner("big", &br_aes_big_ctrcbc_vtable); +} + +static void +test_AES_CTRCBC_small(void) +{ + test_AES_CTRCBC_inner("small", &br_aes_small_ctrcbc_vtable); +} + +static void +test_AES_CTRCBC_ct(void) +{ + test_AES_CTRCBC_inner("ct", &br_aes_ct_ctrcbc_vtable); +} + +static void +test_AES_CTRCBC_ct64(void) +{ + test_AES_CTRCBC_inner("ct64", &br_aes_ct64_ctrcbc_vtable); +} + +static void +test_AES_CTRCBC_x86ni(void) +{ + const br_block_ctrcbc_class *vt; + + vt = br_aes_x86ni_ctrcbc_get_vtable(); + if (vt != NULL) { + test_AES_CTRCBC_inner("x86ni", vt); + } else { + printf("Test AES CTR/CBC-MAC x86ni: UNAVAILABLE\n"); + } +} + /* * DES known-answer tests. Order: plaintext, key, ciphertext. * (mostly from NIST SP 800-20). @@ -4038,12 +4396,16 @@ static const struct { }; static void -test_ChaCha20_ct(void) +test_ChaCha20_generic(const char *name, br_chacha20_run cr) { size_t u; - printf("Test ChaCha20_ct: "); + printf("Test %s: ", name); fflush(stdout); + if (cr == 0) { + printf("UNAVAILABLE\n"); + return; + } for (u = 0; KAT_CHACHA20[u].skey; u ++) { unsigned char key[32], nonce[12], plain[400], cipher[400]; @@ -4059,10 +4421,11 @@ test_ChaCha20_ct(void) for (v = 0; v < len; v ++) { unsigned char tmp[400]; size_t w; + uint32_t cc2; memset(tmp, 0, sizeof tmp); memcpy(tmp, plain, v); - if (br_chacha20_ct_run(key, nonce, cc, tmp, v) + if (cr(key, nonce, cc, tmp, v) != cc + (uint32_t)((v + 63) >> 6)) { fprintf(stderr, "ChaCha20: wrong counter\n"); @@ -4078,7 +4441,21 @@ test_ChaCha20_ct(void) exit(EXIT_FAILURE); } } - br_chacha20_ct_run(key, nonce, cc, tmp, v); + for (w = 0, cc2 = cc; w < v; w += 64, cc2 ++) { + size_t x; + + x = v - w; + if (x > 64) { + x = 64; + } + if (cr(key, nonce, cc2, tmp + w, x) + != (cc2 + 1)) + { + fprintf(stderr, "ChaCha20:" + " wrong counter (2)\n"); + exit(EXIT_FAILURE); + } + } if (memcmp(tmp, plain, v) != 0) { fprintf(stderr, "ChaCha20 KAT fail (2)\n"); exit(EXIT_FAILURE); @@ -4093,6 +4470,18 @@ test_ChaCha20_ct(void) fflush(stdout); } +static void +test_ChaCha20_ct(void) +{ + test_ChaCha20_generic("ChaCha20_ct", &br_chacha20_ct_run); +} + +static void +test_ChaCha20_sse2(void) +{ + test_ChaCha20_generic("ChaCha20_sse2", br_chacha20_sse2_get()); +} + static const struct { const char *splain; const char *saad; @@ -4137,24 +4526,12 @@ test_Poly1305_inner(const char *name, br_poly1305_run ipoly, memcpy(data, plain, len); ipoly(key, nonce, data, len, aad, aad_len, tmp, br_chacha20_ct_run, 1); - if (memcmp(data, cipher, len) != 0) { - fprintf(stderr, "ChaCha20+Poly1305 KAT failed (1)\n"); - exit(EXIT_FAILURE); - } - if (memcmp(tmp, tag, 16) != 0) { - fprintf(stderr, "ChaCha20+Poly1305 KAT failed (2)\n"); - exit(EXIT_FAILURE); - } + check_equals("ChaCha20+Poly1305 KAT (1)", data, cipher, len); + check_equals("ChaCha20+Poly1305 KAT (2)", tmp, tag, 16); ipoly(key, nonce, data, len, aad, aad_len, tmp, br_chacha20_ct_run, 0); - if (memcmp(data, plain, len) != 0) { - fprintf(stderr, "ChaCha20+Poly1305 KAT failed (3)\n"); - exit(EXIT_FAILURE); - } - if (memcmp(tmp, tag, 16) != 0) { - fprintf(stderr, "ChaCha20+Poly1305 KAT failed (4)\n"); - exit(EXIT_FAILURE); - } + check_equals("ChaCha20+Poly1305 KAT (3)", data, plain, len); + check_equals("ChaCha20+Poly1305 KAT (4)", tmp, tag, 16); printf("."); fflush(stdout); @@ -4220,6 +4597,20 @@ test_Poly1305_i15(void) &br_poly1305_ctmul_run); } +static void +test_Poly1305_ctmulq(void) +{ + br_poly1305_run bp; + + bp = br_poly1305_ctmulq_get(); + if (bp == 0) { + printf("Test Poly1305_ctmulq: UNAVAILABLE\n"); + } else { + test_Poly1305_inner("Poly1305_ctmulq", bp, + &br_poly1305_ctmul_run); + } +} + /* * A 1024-bit RSA key, generated with OpenSSL. */ @@ -4329,10 +4720,413 @@ static const br_rsa_private_key RSA_SK = { (void *)RSA_IQ, sizeof RSA_IQ }; +/* + * A 2048-bit RSA key, generated with OpenSSL. + */ +static const unsigned char RSA2048_N[] = { + 0xEA, 0xB1, 0xB0, 0x87, 0x60, 0xE2, 0x69, 0xF5, + 0xC9, 0x3F, 0xCB, 0x4F, 0x9E, 0x7D, 0xD0, 0x56, + 0x54, 0x8F, 0xF5, 0x59, 0x97, 0x04, 0x3F, 0x30, + 0xE1, 0xFB, 0x7B, 0xF5, 0xA0, 0xEB, 0xA7, 0x7B, + 0x29, 0x96, 0x7B, 0x32, 0x48, 0x48, 0xA4, 0x99, + 0x90, 0x92, 0x48, 0xFB, 0xDC, 0xEC, 0x8A, 0x3B, + 0xE0, 0x57, 0x6E, 0xED, 0x1C, 0x5B, 0x78, 0xCF, + 0x07, 0x41, 0x96, 0x4C, 0x2F, 0xA2, 0xD1, 0xC8, + 0xA0, 0x5F, 0xFC, 0x2A, 0x5B, 0x3F, 0xBC, 0xD7, + 0xE6, 0x91, 0xF1, 0x44, 0xD6, 0xD8, 0x41, 0x66, + 0x3E, 0x80, 0xEE, 0x98, 0x73, 0xD5, 0x32, 0x60, + 0x7F, 0xDF, 0xBF, 0xB2, 0x0B, 0xA5, 0xCA, 0x11, + 0x88, 0x1A, 0x0E, 0xA1, 0x61, 0x4C, 0x5A, 0x70, + 0xCE, 0x12, 0xC0, 0x61, 0xF5, 0x50, 0x0E, 0xF6, + 0xC1, 0xC2, 0x88, 0x8B, 0xE5, 0xCE, 0xAE, 0x90, + 0x65, 0x23, 0xA7, 0xAD, 0xCB, 0x04, 0x17, 0x00, + 0xA2, 0xDB, 0xB0, 0x21, 0x49, 0xDD, 0x3C, 0x2E, + 0x8C, 0x47, 0x27, 0xF2, 0x84, 0x51, 0x63, 0xEB, + 0xF8, 0xAF, 0x63, 0xA7, 0x89, 0xE1, 0xF0, 0x2F, + 0xF9, 0x9C, 0x0A, 0x8A, 0xBC, 0x57, 0x05, 0xB0, + 0xEF, 0xA0, 0xDA, 0x67, 0x70, 0xAF, 0x3F, 0xA4, + 0x92, 0xFC, 0x4A, 0xAC, 0xEF, 0x89, 0x41, 0x58, + 0x57, 0x63, 0x0F, 0x6A, 0x89, 0x68, 0x45, 0x4C, + 0x20, 0xF9, 0x7F, 0x50, 0x9D, 0x8C, 0x52, 0xC4, + 0xC1, 0x33, 0xCD, 0x42, 0x35, 0x12, 0xEC, 0x82, + 0xF9, 0xC1, 0xB7, 0x60, 0x7B, 0x52, 0x61, 0xD0, + 0xAE, 0xFD, 0x4B, 0x68, 0xB1, 0x55, 0x0E, 0xAB, + 0x99, 0x24, 0x52, 0x60, 0x8E, 0xDB, 0x90, 0x34, + 0x61, 0xE3, 0x95, 0x7C, 0x34, 0x64, 0x06, 0xCB, + 0x44, 0x17, 0x70, 0x78, 0xC1, 0x1B, 0x87, 0x8F, + 0xCF, 0xB0, 0x7D, 0x93, 0x59, 0x84, 0x49, 0xF5, + 0x55, 0xBB, 0x48, 0xCA, 0xD3, 0x76, 0x1E, 0x7F +}; +static const unsigned char RSA2048_E[] = { + 0x01, 0x00, 0x01 +}; +static const unsigned char RSA2048_P[] = { + 0xF9, 0xA7, 0xB5, 0xC4, 0xE8, 0x52, 0xEC, 0xB1, + 0x33, 0x6A, 0x68, 0x32, 0x63, 0x2D, 0xBA, 0xE5, + 0x61, 0x14, 0x69, 0x82, 0xC8, 0x31, 0x14, 0xD5, + 0xC2, 0x6C, 0x1A, 0xBE, 0xA0, 0x68, 0xA6, 0xC5, + 0xEA, 0x40, 0x59, 0xFB, 0x0A, 0x30, 0x3D, 0xD5, + 0xDD, 0x94, 0xAE, 0x0C, 0x9F, 0xEE, 0x19, 0x0C, + 0xA8, 0xF2, 0x85, 0x27, 0x60, 0xAA, 0xD5, 0x7C, + 0x59, 0x91, 0x1F, 0xAF, 0x5E, 0x00, 0xC8, 0x2D, + 0xCA, 0xB4, 0x70, 0xA1, 0xF8, 0x8C, 0x0A, 0xB3, + 0x08, 0x95, 0x03, 0x9E, 0xA4, 0x6B, 0x9D, 0x55, + 0x47, 0xE0, 0xEC, 0xB3, 0x21, 0x7C, 0xE4, 0x16, + 0x91, 0xE3, 0xD7, 0x1B, 0x3D, 0x81, 0xF1, 0xED, + 0x16, 0xF9, 0x05, 0x0E, 0xA6, 0x9F, 0x37, 0x73, + 0x18, 0x1B, 0x9C, 0x9D, 0x33, 0xAD, 0x25, 0xEF, + 0x3A, 0xC0, 0x4B, 0x34, 0x24, 0xF5, 0xFD, 0x59, + 0xF5, 0x65, 0xE6, 0x92, 0x2A, 0x04, 0x06, 0x3D +}; +static const unsigned char RSA2048_Q[] = { + 0xF0, 0xA8, 0xA4, 0x20, 0xDD, 0xF3, 0x99, 0xE6, + 0x1C, 0xB1, 0x21, 0xE8, 0x66, 0x68, 0x48, 0x00, + 0x04, 0xE3, 0x21, 0xA3, 0xE8, 0xC5, 0xFD, 0x85, + 0x6D, 0x2C, 0x98, 0xE3, 0x36, 0x39, 0x3E, 0x80, + 0xB7, 0x36, 0xA5, 0xA9, 0xBB, 0xEB, 0x1E, 0xB8, + 0xEB, 0x44, 0x65, 0xE8, 0x81, 0x7D, 0xE0, 0x87, + 0xC1, 0x08, 0x94, 0xDD, 0x92, 0x40, 0xF4, 0x8B, + 0x3C, 0xB5, 0xC1, 0xAD, 0x9D, 0x4C, 0x14, 0xCD, + 0xD9, 0x2D, 0xB6, 0xE4, 0x99, 0xB3, 0x71, 0x63, + 0x64, 0xE1, 0x31, 0x7E, 0x34, 0x95, 0x96, 0x52, + 0x85, 0x27, 0xBE, 0x40, 0x10, 0x0A, 0x9E, 0x01, + 0x1C, 0xBB, 0xB2, 0x5B, 0x40, 0x85, 0x65, 0x6E, + 0xA0, 0x88, 0x73, 0xF6, 0x22, 0xCC, 0x23, 0x26, + 0x62, 0xAD, 0x92, 0x57, 0x57, 0xF4, 0xD4, 0xDF, + 0xD9, 0x7C, 0xDE, 0xAD, 0xD2, 0x1F, 0x32, 0x29, + 0xBA, 0xE7, 0xE2, 0x32, 0xA1, 0xA0, 0xBF, 0x6B +}; +static const unsigned char RSA2048_DP[] = { + 0xB2, 0xF9, 0xD7, 0x66, 0xC5, 0x83, 0x05, 0x6A, + 0x77, 0xC8, 0xB5, 0xD0, 0x41, 0xA7, 0xBC, 0x0F, + 0xCB, 0x4B, 0xFD, 0xE4, 0x23, 0x2E, 0x84, 0x98, + 0x46, 0x1C, 0x88, 0x03, 0xD7, 0x2D, 0x8F, 0x39, + 0xDD, 0x98, 0xAA, 0xA9, 0x3D, 0x01, 0x9E, 0xA2, + 0xDE, 0x8A, 0x43, 0x48, 0x8B, 0xB2, 0xFE, 0xC4, + 0x43, 0xAE, 0x31, 0x65, 0x2C, 0x78, 0xEC, 0x39, + 0x8C, 0x60, 0x6C, 0xCD, 0xA4, 0xDF, 0x7C, 0xA2, + 0xCF, 0x6A, 0x12, 0x41, 0x1B, 0xD5, 0x11, 0xAA, + 0x8D, 0xE1, 0x7E, 0x49, 0xD1, 0xE7, 0xD0, 0x50, + 0x1E, 0x0A, 0x92, 0xC6, 0x4C, 0xA0, 0xA3, 0x47, + 0xC6, 0xE9, 0x07, 0x01, 0xE1, 0x53, 0x72, 0x23, + 0x9D, 0x4F, 0x82, 0x9F, 0xA1, 0x36, 0x0D, 0x63, + 0x76, 0x89, 0xFC, 0xF9, 0xF9, 0xDD, 0x0C, 0x8F, + 0xF7, 0x97, 0x79, 0x92, 0x75, 0x58, 0xE0, 0x7B, + 0x08, 0x61, 0x38, 0x2D, 0xDA, 0xEF, 0x2D, 0xA5 +}; +static const unsigned char RSA2048_DQ[] = { + 0x8B, 0x69, 0x56, 0x33, 0x08, 0x00, 0x8F, 0x3D, + 0xC3, 0x8F, 0x45, 0x52, 0x48, 0xC8, 0xCE, 0x34, + 0xDC, 0x9F, 0xEB, 0x23, 0xF5, 0xBB, 0x84, 0x62, + 0xDF, 0xDC, 0xBE, 0xF0, 0x98, 0xBF, 0xCE, 0x9A, + 0x68, 0x08, 0x4B, 0x2D, 0xA9, 0x83, 0xC9, 0xF7, + 0x5B, 0xAA, 0xF2, 0xD2, 0x1E, 0xF9, 0x99, 0xB1, + 0x6A, 0xBC, 0x9A, 0xE8, 0x44, 0x4A, 0x46, 0x9F, + 0xC6, 0x5A, 0x90, 0x49, 0x0F, 0xDF, 0x3C, 0x0A, + 0x07, 0x6E, 0xB9, 0x0D, 0x72, 0x90, 0x85, 0xF6, + 0x0B, 0x41, 0x7D, 0x17, 0x5C, 0x44, 0xEF, 0xA0, + 0xFC, 0x2C, 0x0A, 0xC5, 0x37, 0xC5, 0xBE, 0xC4, + 0x6C, 0x2D, 0xBB, 0x63, 0xAB, 0x5B, 0xDB, 0x67, + 0x9B, 0xAD, 0x90, 0x67, 0x9C, 0xBE, 0xDE, 0xF9, + 0xE4, 0x9E, 0x22, 0x31, 0x60, 0xED, 0x9E, 0xC7, + 0xD2, 0x48, 0xC9, 0x02, 0xAE, 0xBF, 0x8D, 0xA2, + 0xA8, 0xF8, 0x9D, 0x8B, 0xB1, 0x1F, 0xDA, 0xE3 +}; +static const unsigned char RSA2048_IQ[] = { + 0xB5, 0x48, 0xD4, 0x48, 0x5A, 0x33, 0xCD, 0x13, + 0xFE, 0xC6, 0xF7, 0x01, 0x0A, 0x3E, 0x40, 0xA3, + 0x45, 0x94, 0x6F, 0x85, 0xE4, 0x68, 0x66, 0xEC, + 0x69, 0x6A, 0x3E, 0xE0, 0x62, 0x3F, 0x0C, 0xEF, + 0x21, 0xCC, 0xDA, 0xAD, 0x75, 0x98, 0x12, 0xCA, + 0x9E, 0x31, 0xDD, 0x95, 0x0D, 0xBD, 0x55, 0xEB, + 0x92, 0xF7, 0x9E, 0xBD, 0xFC, 0x28, 0x35, 0x96, + 0x31, 0xDC, 0x53, 0x80, 0xA3, 0x57, 0x89, 0x3C, + 0x4A, 0xEC, 0x40, 0x75, 0x13, 0xAC, 0x4F, 0x36, + 0x3A, 0x86, 0x9A, 0xA6, 0x58, 0xC9, 0xED, 0xCB, + 0xD6, 0xBB, 0xB2, 0xD9, 0xAA, 0x04, 0xC4, 0xE8, + 0x47, 0x3E, 0xBD, 0x14, 0x9B, 0x8F, 0x61, 0x70, + 0x69, 0x66, 0x23, 0x62, 0x18, 0xE3, 0x52, 0x98, + 0xE3, 0x22, 0xE9, 0x6F, 0xDA, 0x28, 0x68, 0x08, + 0xB8, 0xB9, 0x8B, 0x97, 0x8B, 0x77, 0x3F, 0xCA, + 0x9D, 0x9D, 0xBE, 0xD5, 0x2D, 0x3E, 0xC2, 0x11 +}; + +static const br_rsa_public_key RSA2048_PK = { + (void *)RSA2048_N, sizeof RSA2048_N, + (void *)RSA2048_E, sizeof RSA2048_E +}; + +static const br_rsa_private_key RSA2048_SK = { + 2048, + (void *)RSA2048_P, sizeof RSA2048_P, + (void *)RSA2048_Q, sizeof RSA2048_Q, + (void *)RSA2048_DP, sizeof RSA2048_DP, + (void *)RSA2048_DQ, sizeof RSA2048_DQ, + (void *)RSA2048_IQ, sizeof RSA2048_IQ +}; + +/* + * A 4096-bit RSA key, generated with OpenSSL. + */ +static const unsigned char RSA4096_N[] = { + 0xAA, 0x17, 0x71, 0xBC, 0x92, 0x3E, 0xB5, 0xBD, + 0x3E, 0x64, 0xCF, 0x03, 0x9B, 0x24, 0x65, 0x33, + 0x5F, 0xB4, 0x47, 0x89, 0xE5, 0x63, 0xE4, 0xA0, + 0x5A, 0x51, 0x95, 0x07, 0x73, 0xEE, 0x00, 0xF6, + 0x3E, 0x31, 0x0E, 0xDA, 0x15, 0xC3, 0xAA, 0x21, + 0x6A, 0xCD, 0xFF, 0x46, 0x6B, 0xDF, 0x0A, 0x7F, + 0x8A, 0xC2, 0x25, 0x19, 0x47, 0x44, 0xD8, 0x52, + 0xC1, 0x56, 0x25, 0x6A, 0xE0, 0xD2, 0x61, 0x11, + 0x2C, 0xF7, 0x73, 0x9F, 0x5F, 0x74, 0xAA, 0xDD, + 0xDE, 0xAF, 0x81, 0xF6, 0x0C, 0x1A, 0x3A, 0xF9, + 0xC5, 0x47, 0x82, 0x75, 0x1D, 0x41, 0xF0, 0xB2, + 0xFD, 0xBA, 0xE2, 0xA4, 0xA1, 0xB8, 0x32, 0x48, + 0x06, 0x0D, 0x29, 0x2F, 0x44, 0x14, 0xF5, 0xAC, + 0x54, 0x83, 0xC4, 0xB6, 0x85, 0x85, 0x9B, 0x1C, + 0x05, 0x61, 0x28, 0x62, 0x24, 0xA8, 0xF0, 0xE6, + 0x80, 0xA7, 0x91, 0xE8, 0xC7, 0x8E, 0x52, 0x17, + 0xBE, 0xAF, 0xC6, 0x0A, 0xA3, 0xFB, 0xD1, 0x04, + 0x15, 0x3B, 0x14, 0x35, 0xA5, 0x41, 0xF5, 0x30, + 0xFE, 0xEF, 0x53, 0xA7, 0x89, 0x91, 0x78, 0x30, + 0xBE, 0x3A, 0xB1, 0x4B, 0x2E, 0x4A, 0x0E, 0x25, + 0x1D, 0xCF, 0x51, 0x54, 0x52, 0xF1, 0x88, 0x85, + 0x36, 0x23, 0xDE, 0xBA, 0x66, 0x25, 0x60, 0x8D, + 0x45, 0xD7, 0xD8, 0x10, 0x41, 0x64, 0xC7, 0x4B, + 0xCE, 0x72, 0x13, 0xD7, 0x20, 0xF8, 0x2A, 0x74, + 0xA5, 0x05, 0xF4, 0x5A, 0x90, 0xF4, 0x9C, 0xE7, + 0xC9, 0xCF, 0x1E, 0xD5, 0x9C, 0xAC, 0xE5, 0x00, + 0x83, 0x73, 0x9F, 0xE7, 0xC6, 0x93, 0xC0, 0x06, + 0xA7, 0xB8, 0xF8, 0x46, 0x90, 0xC8, 0x78, 0x27, + 0x2E, 0xCC, 0xC0, 0x2A, 0x20, 0xC5, 0xFC, 0x63, + 0x22, 0xA1, 0xD6, 0x16, 0xAD, 0x9C, 0xD6, 0xFC, + 0x7A, 0x6E, 0x9C, 0x98, 0x51, 0xEE, 0x6B, 0x6D, + 0x8F, 0xEF, 0xCE, 0x7C, 0x5D, 0x16, 0xB0, 0xCE, + 0x9C, 0xEE, 0x92, 0xCF, 0xB7, 0xEB, 0x41, 0x36, + 0x3A, 0x6C, 0xF2, 0x0D, 0x26, 0x11, 0x2F, 0x6C, + 0x27, 0x62, 0xA2, 0xCC, 0x63, 0x53, 0xBD, 0xFC, + 0x9F, 0xBE, 0x9B, 0xBD, 0xE5, 0xA7, 0xDA, 0xD4, + 0xF8, 0xED, 0x5E, 0x59, 0x2D, 0xAC, 0xCD, 0x13, + 0xEB, 0xE5, 0x9E, 0x39, 0x82, 0x8B, 0xFD, 0xA8, + 0xFB, 0xCB, 0x86, 0x27, 0xC7, 0x4B, 0x4C, 0xD0, + 0xBA, 0x12, 0xD0, 0x76, 0x1A, 0xDB, 0x30, 0xC5, + 0xB3, 0x2C, 0x4C, 0xC5, 0x32, 0x03, 0x05, 0x67, + 0x8D, 0xD0, 0x14, 0x37, 0x59, 0x2B, 0xE3, 0x1C, + 0x25, 0x3E, 0xA5, 0xE4, 0xF1, 0x0D, 0x34, 0xBB, + 0xD5, 0xF6, 0x76, 0x45, 0x5B, 0x0F, 0x1E, 0x07, + 0x0A, 0xBA, 0x9D, 0x71, 0x87, 0xDE, 0x45, 0x50, + 0xE5, 0x0F, 0x32, 0xBB, 0x5C, 0x32, 0x2D, 0x40, + 0xCD, 0x19, 0x95, 0x4E, 0xC5, 0x54, 0x3A, 0x9A, + 0x46, 0x9B, 0x85, 0xFE, 0x53, 0xB7, 0xD8, 0x65, + 0x6D, 0x68, 0x0C, 0xBB, 0xE3, 0x3D, 0x8E, 0x64, + 0xBE, 0x27, 0x15, 0xAB, 0x12, 0x20, 0xD9, 0x84, + 0xF5, 0x02, 0xE4, 0xBB, 0xDD, 0xAB, 0x59, 0x51, + 0xF4, 0xE1, 0x79, 0xBE, 0xB8, 0xA3, 0x8E, 0xD1, + 0x1C, 0xB0, 0xFA, 0x48, 0x76, 0xC2, 0x9D, 0x7A, + 0x01, 0xA5, 0xAF, 0x8C, 0xBA, 0xAA, 0x4C, 0x06, + 0x2B, 0x0A, 0x62, 0xF0, 0x79, 0x5B, 0x42, 0xFC, + 0xF8, 0xBF, 0xD4, 0xDD, 0x62, 0x32, 0xE3, 0xCE, + 0xF1, 0x2C, 0xE6, 0xED, 0xA8, 0x8A, 0x41, 0xA3, + 0xC1, 0x1E, 0x07, 0xB6, 0x43, 0x10, 0x80, 0xB7, + 0xF3, 0xD0, 0x53, 0x2A, 0x9A, 0x98, 0xA7, 0x4F, + 0x9E, 0xA3, 0x3E, 0x1B, 0xDA, 0x93, 0x15, 0xF2, + 0xF4, 0x20, 0xA5, 0xA8, 0x4F, 0x8A, 0xBA, 0xED, + 0xB1, 0x17, 0x6C, 0x0F, 0xD9, 0x8F, 0x38, 0x11, + 0xF3, 0xD9, 0x5E, 0x88, 0xA1, 0xA1, 0x82, 0x8B, + 0x30, 0xD7, 0xC6, 0xCE, 0x4E, 0x30, 0x55, 0x57 +}; +static const unsigned char RSA4096_E[] = { + 0x01, 0x00, 0x01 +}; +static const unsigned char RSA4096_P[] = { + 0xD3, 0x7A, 0x22, 0xD8, 0x9B, 0xBF, 0x42, 0xB4, + 0x53, 0x04, 0x10, 0x6A, 0x84, 0xFD, 0x7C, 0x1D, + 0xF6, 0xF4, 0x10, 0x65, 0xAA, 0xE5, 0xE1, 0x4E, + 0xB4, 0x37, 0xF7, 0xAC, 0xF7, 0xD3, 0xB2, 0x3B, + 0xFE, 0xE7, 0x63, 0x42, 0xE9, 0xF0, 0x3C, 0xE0, + 0x42, 0xB4, 0xBB, 0x09, 0xD0, 0xB2, 0x7C, 0x70, + 0xA4, 0x11, 0x97, 0x90, 0x01, 0xD0, 0x0E, 0x7B, + 0xAF, 0x7D, 0x30, 0x4E, 0x6B, 0x3A, 0xCC, 0x50, + 0x4E, 0xAF, 0x2F, 0xC3, 0xC2, 0x4F, 0x7E, 0xC5, + 0xB3, 0x76, 0x33, 0xFB, 0xA7, 0xB1, 0x96, 0xA5, + 0x46, 0x41, 0xC6, 0xDA, 0x5A, 0xFD, 0x17, 0x0A, + 0x6A, 0x86, 0x54, 0x83, 0xE1, 0x57, 0xE7, 0xAF, + 0x8C, 0x42, 0xE5, 0x39, 0xF2, 0xC7, 0xFC, 0x4A, + 0x3D, 0x3C, 0x94, 0x89, 0xC2, 0xC6, 0x2D, 0x0A, + 0x5F, 0xD0, 0x21, 0x23, 0x5C, 0xC9, 0xC8, 0x44, + 0x8A, 0x96, 0x72, 0x4D, 0x96, 0xC6, 0x17, 0x0C, + 0x36, 0x43, 0x7F, 0xD8, 0xA0, 0x7A, 0x31, 0x7E, + 0xCE, 0x13, 0xE3, 0x13, 0x2E, 0xE0, 0x91, 0xC2, + 0x61, 0x13, 0x16, 0x8D, 0x99, 0xCB, 0xA9, 0x2C, + 0x4D, 0x9D, 0xDD, 0x1D, 0x03, 0xE7, 0xA7, 0x50, + 0xF4, 0x16, 0x43, 0xB1, 0x7F, 0x99, 0x61, 0x3F, + 0xA5, 0x59, 0x91, 0x16, 0xC3, 0x06, 0x63, 0x59, + 0xE9, 0xDA, 0xB5, 0x06, 0x2E, 0x0C, 0xD9, 0xAB, + 0x93, 0x89, 0x12, 0x82, 0xFB, 0x90, 0xD9, 0x30, + 0x60, 0xF7, 0x35, 0x2D, 0x18, 0x78, 0xEB, 0x2B, + 0xA1, 0x06, 0x67, 0x37, 0xDE, 0x72, 0x20, 0xD2, + 0x80, 0xE5, 0x2C, 0xD7, 0x5E, 0xC7, 0x67, 0x2D, + 0x40, 0xE7, 0x7A, 0xCF, 0x4A, 0x69, 0x9D, 0xA7, + 0x90, 0x9F, 0x3B, 0xDF, 0x07, 0x97, 0x64, 0x69, + 0x06, 0x4F, 0xBA, 0xF4, 0xE5, 0xBD, 0x71, 0x60, + 0x36, 0xB7, 0xA3, 0xDE, 0x76, 0xC5, 0x38, 0xD7, + 0x1D, 0x9A, 0xFC, 0x36, 0x3D, 0x3B, 0xDC, 0xCF +}; +static const unsigned char RSA4096_Q[] = { + 0xCD, 0xE6, 0xC6, 0xA6, 0x42, 0x4C, 0x45, 0x65, + 0x8B, 0x85, 0x76, 0xFC, 0x21, 0xB6, 0x57, 0x79, + 0x3C, 0xE4, 0xE3, 0x85, 0x55, 0x2F, 0x59, 0xD3, + 0x3F, 0x74, 0xAF, 0x9F, 0x11, 0x04, 0x10, 0x8B, + 0xF9, 0x5F, 0x4D, 0x25, 0xEE, 0x20, 0xF9, 0x69, + 0x3B, 0x02, 0xB6, 0x43, 0x0D, 0x0C, 0xED, 0x30, + 0x31, 0x57, 0xE7, 0x9A, 0x57, 0x24, 0x6B, 0x4A, + 0x5E, 0xA2, 0xBF, 0xD4, 0x47, 0x7D, 0xFA, 0x78, + 0x51, 0x86, 0x80, 0x68, 0x85, 0x7C, 0x7B, 0x08, + 0x4A, 0x35, 0x24, 0x4F, 0x8B, 0x24, 0x49, 0xF8, + 0x16, 0x06, 0x9C, 0x57, 0x4E, 0x94, 0x4C, 0xBD, + 0x6E, 0x53, 0x52, 0xC9, 0xC1, 0x64, 0x43, 0x22, + 0x1E, 0xDD, 0xEB, 0xAC, 0x90, 0x58, 0xCA, 0xBA, + 0x9C, 0xAC, 0xCF, 0xDD, 0x08, 0x6D, 0xB7, 0x31, + 0xDB, 0x0D, 0x83, 0xE6, 0x50, 0xA6, 0x69, 0xB1, + 0x1C, 0x68, 0x92, 0xB4, 0xB5, 0x76, 0xDE, 0xBD, + 0x4F, 0xA5, 0x30, 0xED, 0x23, 0xFF, 0xE5, 0x80, + 0x21, 0xAB, 0xED, 0xE6, 0xDC, 0x32, 0x3D, 0xF7, + 0x45, 0xB8, 0x19, 0x3D, 0x8E, 0x15, 0x7C, 0xE5, + 0x0D, 0xC8, 0x9B, 0x7D, 0x1F, 0x7C, 0x14, 0x14, + 0x41, 0x09, 0xA7, 0xEB, 0xFB, 0xD9, 0x5F, 0x9A, + 0x94, 0xB6, 0xD5, 0xA0, 0x2C, 0xAF, 0xB5, 0xEF, + 0x5C, 0x5A, 0x8E, 0x34, 0xA1, 0x8F, 0xEB, 0x38, + 0x0F, 0x31, 0x6E, 0x45, 0x21, 0x7A, 0xAA, 0xAF, + 0x6C, 0xB1, 0x8E, 0xB2, 0xB9, 0xD4, 0x1E, 0xEF, + 0x66, 0xD8, 0x4E, 0x3D, 0xF2, 0x0C, 0xF1, 0xBA, + 0xFB, 0xA9, 0x27, 0xD2, 0x45, 0x54, 0x83, 0x4B, + 0x10, 0xC4, 0x9A, 0x32, 0x9C, 0xC7, 0x9A, 0xCF, + 0x4E, 0xBF, 0x07, 0xFC, 0x27, 0xB7, 0x96, 0x1D, + 0xDE, 0x9D, 0xE4, 0x84, 0x68, 0x00, 0x9A, 0x9F, + 0x3D, 0xE6, 0xC7, 0x26, 0x11, 0x48, 0x79, 0xFA, + 0x09, 0x76, 0xC8, 0x25, 0x3A, 0xE4, 0x70, 0xF9 +}; +static const unsigned char RSA4096_DP[] = { + 0x5C, 0xE3, 0x3E, 0xBF, 0x09, 0xD9, 0xFE, 0x80, + 0x9A, 0x1E, 0x24, 0xDF, 0xC4, 0xBE, 0x5A, 0x70, + 0x06, 0xF2, 0xB8, 0xE9, 0x0F, 0x21, 0x9D, 0xCF, + 0x26, 0x15, 0x97, 0x32, 0x60, 0x40, 0x99, 0xFF, + 0x04, 0x3D, 0xBA, 0x39, 0xBF, 0xEB, 0x87, 0xB1, + 0xB1, 0x5B, 0x14, 0xF4, 0x80, 0xB8, 0x85, 0x34, + 0x2C, 0xBC, 0x95, 0x67, 0xE9, 0x83, 0xEB, 0x78, + 0xA4, 0x62, 0x46, 0x7F, 0x8B, 0x55, 0xEE, 0x3C, + 0x2F, 0xF3, 0x7E, 0xF5, 0x6B, 0x39, 0xE3, 0xA3, + 0x0E, 0xEA, 0x92, 0x76, 0xAC, 0xF7, 0xB2, 0x05, + 0xB2, 0x50, 0x5D, 0xF9, 0xB7, 0x11, 0x87, 0xB7, + 0x49, 0x86, 0xEB, 0x44, 0x6A, 0x0C, 0x64, 0x75, + 0x95, 0x14, 0x24, 0xFF, 0x49, 0x06, 0x52, 0x68, + 0x81, 0x71, 0x44, 0x85, 0x26, 0x0A, 0x49, 0xEA, + 0x4E, 0x9F, 0x6A, 0x8E, 0xCF, 0xC8, 0xC9, 0xB0, + 0x61, 0x77, 0x27, 0x89, 0xB0, 0xFA, 0x1D, 0x51, + 0x7D, 0xDC, 0x34, 0x21, 0x80, 0x8B, 0x6B, 0x86, + 0x19, 0x1A, 0x5F, 0x19, 0x23, 0xF3, 0xFB, 0xD1, + 0xF7, 0x35, 0x9D, 0x28, 0x61, 0x2F, 0x35, 0x85, + 0x82, 0x2A, 0x1E, 0xDF, 0x09, 0xC2, 0x0C, 0x99, + 0xE0, 0x3C, 0x8F, 0x4B, 0x3D, 0x92, 0xAF, 0x46, + 0x77, 0x68, 0x59, 0xF4, 0x37, 0x81, 0x6C, 0xCE, + 0x27, 0x8B, 0xAB, 0x0B, 0xA5, 0xDA, 0x7B, 0x19, + 0x83, 0xDA, 0x27, 0x49, 0x65, 0x1A, 0x00, 0x6B, + 0xE1, 0x8B, 0x73, 0xCD, 0xF4, 0xFB, 0xD7, 0xBF, + 0xF8, 0x20, 0x89, 0xE1, 0xDE, 0x51, 0x1E, 0xDD, + 0x97, 0x44, 0x12, 0x68, 0x1E, 0xF7, 0x52, 0xF8, + 0x6B, 0x93, 0xC1, 0x3B, 0x9F, 0xA1, 0xB8, 0x5F, + 0xCB, 0x84, 0x45, 0x95, 0xF7, 0x0D, 0xA6, 0x4B, + 0x03, 0x3C, 0xAE, 0x0F, 0xB7, 0x81, 0x78, 0x75, + 0x1C, 0x53, 0x99, 0x24, 0xB3, 0xE2, 0x78, 0xCE, + 0xF3, 0xF0, 0x09, 0x6C, 0x01, 0x85, 0x73, 0xBD +}; +static const unsigned char RSA4096_DQ[] = { + 0xCD, 0x88, 0xAC, 0x8B, 0x92, 0x6A, 0xA8, 0x6B, + 0x71, 0x16, 0xCD, 0x6B, 0x6A, 0x0B, 0xA6, 0xCD, + 0xF3, 0x27, 0x58, 0xA6, 0xE4, 0x1D, 0xDC, 0x40, + 0xAF, 0x7B, 0x3F, 0x44, 0x3D, 0xAC, 0x1D, 0x08, + 0x5C, 0xE9, 0xF1, 0x0D, 0x07, 0xE4, 0x0A, 0x94, + 0x2C, 0xBF, 0xCC, 0x48, 0xAA, 0x62, 0x58, 0xF2, + 0x5E, 0x8F, 0x2D, 0x36, 0x37, 0xFE, 0xB6, 0xCB, + 0x0A, 0x24, 0xD3, 0xF0, 0x87, 0x5D, 0x0E, 0x05, + 0xC4, 0xFB, 0xCA, 0x7A, 0x8B, 0xA5, 0x72, 0xFB, + 0x17, 0x78, 0x6C, 0xC2, 0xAA, 0x56, 0x93, 0x2F, + 0xFE, 0x6C, 0xA2, 0xEB, 0xD4, 0x18, 0xDD, 0x71, + 0xCB, 0x0B, 0x89, 0xFC, 0xB3, 0xFB, 0xED, 0xB7, + 0xC5, 0xB0, 0x29, 0x6D, 0x9C, 0xB9, 0xC5, 0xC4, + 0xFA, 0x58, 0xD7, 0x36, 0x01, 0x0F, 0xE4, 0x6A, + 0xF4, 0x0B, 0x4D, 0xBB, 0x3E, 0x8E, 0x9F, 0xBA, + 0x98, 0x6D, 0x1A, 0xE5, 0x20, 0xAF, 0x84, 0x30, + 0xDD, 0xAC, 0x3C, 0x66, 0xBC, 0x24, 0xD9, 0x67, + 0x4A, 0x35, 0x61, 0xC9, 0xAD, 0xCC, 0xC9, 0x66, + 0x68, 0x46, 0x19, 0x8C, 0x04, 0xA5, 0x16, 0x83, + 0x5F, 0x7A, 0xFD, 0x1B, 0xAD, 0xAE, 0x22, 0x2D, + 0x05, 0xAF, 0x29, 0xDC, 0xBB, 0x0E, 0x86, 0x0C, + 0xBC, 0x9E, 0xB6, 0x28, 0xA9, 0xF2, 0xCC, 0x5E, + 0x1F, 0x86, 0x95, 0xA5, 0x9C, 0x11, 0x19, 0xF0, + 0x5F, 0xDA, 0x2C, 0x04, 0xFE, 0x22, 0x80, 0xF7, + 0x94, 0x3C, 0xBA, 0x01, 0x56, 0xD6, 0x93, 0xFA, + 0xCE, 0x62, 0xE5, 0xD7, 0x98, 0x23, 0xAB, 0xB9, + 0xC7, 0x35, 0x57, 0xF6, 0xE2, 0x16, 0x36, 0xE9, + 0x5B, 0xD7, 0xA5, 0x45, 0x18, 0x93, 0x77, 0xC9, + 0xB1, 0x05, 0xA8, 0x66, 0xE1, 0x0E, 0xB5, 0xDF, + 0x23, 0x35, 0xE1, 0xC2, 0xFA, 0x3E, 0x80, 0x1A, + 0xAD, 0xA4, 0x0C, 0xEF, 0xC7, 0x18, 0xDE, 0x09, + 0xE6, 0x20, 0x98, 0x31, 0xF1, 0xD3, 0xCF, 0xA1 +}; +static const unsigned char RSA4096_IQ[] = { + 0x76, 0xD7, 0x75, 0xDF, 0xA3, 0x0C, 0x9D, 0x64, + 0x6E, 0x00, 0x82, 0x2E, 0x5C, 0x5E, 0x43, 0xC4, + 0xD2, 0x28, 0xB0, 0xB1, 0xA8, 0xD8, 0x26, 0x91, + 0xA0, 0xF5, 0xC8, 0x69, 0xFF, 0x24, 0x33, 0xAB, + 0x67, 0xC7, 0xA3, 0xAE, 0xBB, 0x17, 0x27, 0x5B, + 0x5A, 0xCD, 0x67, 0xA3, 0x70, 0x91, 0x9E, 0xD5, + 0xF1, 0x97, 0x00, 0x0A, 0x30, 0x64, 0x3D, 0x9B, + 0xBF, 0xB5, 0x8C, 0xAC, 0xC7, 0x20, 0x0A, 0xD2, + 0x76, 0x36, 0x36, 0x5D, 0xE4, 0xAC, 0x5D, 0xBC, + 0x44, 0x32, 0xB0, 0x76, 0x33, 0x40, 0xDD, 0x29, + 0x22, 0xE0, 0xFF, 0x55, 0x4C, 0xCE, 0x3F, 0x43, + 0x34, 0x95, 0x94, 0x7C, 0x22, 0x0D, 0xAB, 0x20, + 0x38, 0x70, 0xC3, 0x4A, 0x19, 0xCF, 0x81, 0xCE, + 0x79, 0x28, 0x6C, 0xC2, 0xA3, 0xB3, 0x48, 0x20, + 0x2D, 0x3E, 0x74, 0x45, 0x2C, 0xAA, 0x9F, 0xA5, + 0xC2, 0xE3, 0x2D, 0x41, 0x95, 0xBD, 0x78, 0xAB, + 0x6A, 0xA8, 0x7A, 0x45, 0x52, 0xE2, 0x66, 0xE7, + 0x6C, 0x38, 0x03, 0xA5, 0xDA, 0xAD, 0x94, 0x3C, + 0x6A, 0xA1, 0xA2, 0xD5, 0xCD, 0xDE, 0x05, 0xCC, + 0x6E, 0x3D, 0x8A, 0xF6, 0x9A, 0xA5, 0x0F, 0xA9, + 0x18, 0xC4, 0xF9, 0x9C, 0x2F, 0xB3, 0xF1, 0x30, + 0x38, 0x60, 0x69, 0x09, 0x67, 0x2C, 0xE9, 0x42, + 0x68, 0x3C, 0x70, 0x32, 0x1A, 0x44, 0x32, 0x02, + 0x82, 0x9F, 0x60, 0xE8, 0xA4, 0x42, 0x74, 0xA2, + 0xA2, 0x5A, 0x99, 0xDC, 0xC8, 0xCA, 0x15, 0x4D, + 0xFF, 0xF1, 0x8A, 0x23, 0xD8, 0xD3, 0xB1, 0x9A, + 0xB4, 0x0B, 0xBB, 0xE8, 0x38, 0x74, 0x0C, 0x52, + 0xC7, 0x8B, 0x63, 0x4C, 0xEA, 0x7D, 0x5F, 0x58, + 0x34, 0x53, 0x3E, 0x23, 0x10, 0xBB, 0x60, 0x6B, + 0x52, 0x9D, 0x89, 0x9F, 0xF0, 0x5F, 0xCE, 0xB3, + 0x9C, 0x0E, 0x75, 0x0F, 0x87, 0xF6, 0x66, 0xA5, + 0x4C, 0x94, 0x84, 0xFE, 0x94, 0xB9, 0x04, 0xB7 +}; + +static const br_rsa_public_key RSA4096_PK = { + (void *)RSA4096_N, sizeof RSA4096_N, + (void *)RSA4096_E, sizeof RSA4096_E +}; + +static const br_rsa_private_key RSA4096_SK = { + 4096, + (void *)RSA4096_P, sizeof RSA4096_P, + (void *)RSA4096_Q, sizeof RSA4096_Q, + (void *)RSA4096_DP, sizeof RSA4096_DP, + (void *)RSA4096_DQ, sizeof RSA4096_DQ, + (void *)RSA4096_IQ, sizeof RSA4096_IQ +}; + static void test_RSA_core(const char *name, br_rsa_public fpub, br_rsa_private fpriv) { - unsigned char t1[128], t2[128], t3[128]; + unsigned char t1[512], t2[512], t3[512]; + size_t len; printf("Test %s: ", name); fflush(stdout); @@ -4340,19 +5134,104 @@ test_RSA_core(const char *name, br_rsa_public fpub, br_rsa_private fpriv) /* * A KAT test (computed with OpenSSL). */ - hextobin(t1, "45A3DC6A106BCD3BD0E48FB579643AA3FF801E5903E80AA9B43A695A8E7F454E93FA208B69995FF7A6D5617C2FEB8E546375A664977A48931842AAE796B5A0D64393DCA35F3490FC157F5BD83B9D58C2F7926E6AE648A2BD96CAB8FCCD3D35BB11424AD47D973FF6D69CA774841AEC45DFAE99CCF79893E7047FDE6CB00AA76D"); + len = hextobin(t1, "45A3DC6A106BCD3BD0E48FB579643AA3FF801E5903E80AA9B43A695A8E7F454E93FA208B69995FF7A6D5617C2FEB8E546375A664977A48931842AAE796B5A0D64393DCA35F3490FC157F5BD83B9D58C2F7926E6AE648A2BD96CAB8FCCD3D35BB11424AD47D973FF6D69CA774841AEC45DFAE99CCF79893E7047FDE6CB00AA76D"); hextobin(t2, "0001FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF003021300906052B0E03021A05000414A94A8FE5CCB19BA61C4C0873D391E987982FBBD3"); - memcpy(t3, t1, sizeof t1); - if (!fpub(t3, sizeof t3, &RSA_PK)) { - fprintf(stderr, "RSA public operation failed\n"); + memcpy(t3, t1, len); + if (!fpub(t3, len, &RSA_PK)) { + fprintf(stderr, "RSA public operation failed (1)\n"); + exit(EXIT_FAILURE); + } + check_equals("KAT RSA pub", t2, t3, len); + if (!fpriv(t3, &RSA_SK)) { + fprintf(stderr, "RSA private operation failed (1)\n"); + exit(EXIT_FAILURE); + } + check_equals("KAT RSA priv (1)", t1, t3, len); + + /* + * Another KAT test, with a (fake) hash value slightly different + * (last byte is 0xD9 instead of 0xD3). + */ + len = hextobin(t1, "32C2DB8B2C73BBCA9960CB3F11FEDEE7B699359EF2EEC3A632E56B7FF3DE2F371E5179BAB03F17E0BB20D2891ACAB679F95DA9B43A01DAAD192FADD25D8ACCF1498EC80F5BBCAC88EA59D60E3BC9D3CE27743981DE42385FFFFF04DD2D716E1A46C04A28ECAF6CD200DAB81083A830D61538D69BB39A183107BD50302AA6BC28"); + hextobin(t2, "0001FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF003021300906052B0E03021A05000414A94A8FE5CCB19BA61C4C0873D391E987982FBBD9"); + memcpy(t3, t1, len); + if (!fpub(t3, len, &RSA_PK)) { + fprintf(stderr, "RSA public operation failed (2)\n"); exit(EXIT_FAILURE); } - check_equals("KAT RSA pub", t2, t3, sizeof t2); + check_equals("KAT RSA pub", t2, t3, len); if (!fpriv(t3, &RSA_SK)) { - fprintf(stderr, "RSA private operation failed\n"); + fprintf(stderr, "RSA private operation failed (2)\n"); + exit(EXIT_FAILURE); + } + check_equals("KAT RSA priv (2)", t1, t3, len); + + /* + * Third KAT vector is invalid, because the encrypted value is + * out of range: instead of x, value is x+n (where n is the + * modulus). Mathematically, this still works, but implementations + * are supposed to reject such cases. + */ + len = hextobin(t1, "F27781B9B3B358583A24F9BA6B34EE98B67A5AE8D8D4FA567BA773EB6B85EF88848680640A1E2F5FD117876E5FB928B64C6EFC7E03632A3F4C941E15657C0C705F3BB8D0B03A0249143674DB1FE6E5406D690BF2DA76EA7FF3AC6FCE12C7801252FAD52D332BE4AB41F9F8CF1728CDF98AB8E8C20E0C350E4F707A6402C01E0B"); + hextobin(t2, "BFB6A62E873F9C8DA0C42E7B59360FB0FFE12549E5E636B048C2086B77A7C051663506A959DF177F15F6B4E544EE723C531152C9C9614F923364704307F13F7F15ACF0C1547D55C029DC9ECCE41D117245F4D270FC34B21FF3AD6AEFE58633281540902F547F79F3461F44D33CCB2D094231ADCC76BE25511B4513BB70491DBC"); + memcpy(t3, t1, len); + if (fpub(t3, len, &RSA_PK)) { + size_t u; + fprintf(stderr, "RSA public operation should have failed" + " (value out of range)\n"); + fprintf(stderr, "x = "); + for (u = 0; u < len; u ++) { + fprintf(stderr, "%02X", t3[u]); + } + fprintf(stderr, "\n"); + exit(EXIT_FAILURE); + } + memcpy(t3, t2, len); + if (fpriv(t3, &RSA_SK)) { + size_t u; + fprintf(stderr, "RSA private operation should have failed" + " (value out of range)\n"); + fprintf(stderr, "x = "); + for (u = 0; u < len; u ++) { + fprintf(stderr, "%02X", t3[u]); + } + fprintf(stderr, "\n"); + exit(EXIT_FAILURE); + } + + /* + * RSA-2048 test vector. + */ + len = hextobin(t1, "B188ED4EF173A30AED3889926E3CF1CE03FE3BAA7AB122B119A8CD529062F235A7B321008FB898894A624B3E6C8C5374950E78FAC86651345FE2ABA0791968284F23B0D794F8DCDDA924518854822CB7FF2AA9F205AACD909BB5EA541534CC00DBC2EF7727B9FE1BAFE6241B931E8BD01E13632E5AF9E94F4A335772B61F24D6F6AA642AEABB173E36F546CB02B19A1E5D4E27E3EB67F2E986E9F084D4BD266543800B1DC96088A05DFA9AFA595398E9A766D41DD8DA4F74F36C9D74867F0BF7BFA8622EE43C79DA0CEAC14B5D39DE074BDB89D84145BC19D8B2D0EA74DBF2DC29E907BF7C7506A2603CD8BC25EFE955D0125EDB2685EF158B020C9FC539242A"); + hextobin(t2, "0001FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF003031300D060960864801650304020105000420A5A0A792A09438811584A68E240C6C89F1FB1C53C0C86E270B942635F4F6B24A"); + memcpy(t3, t1, len); + if (!fpub(t3, len, &RSA2048_PK)) { + fprintf(stderr, "RSA public operation failed (2048)\n"); + exit(EXIT_FAILURE); + } + check_equals("KAT RSA pub", t2, t3, len); + if (!fpriv(t3, &RSA2048_SK)) { + fprintf(stderr, "RSA private operation failed (2048)\n"); exit(EXIT_FAILURE); } - check_equals("KAT RSA priv", t1, t3, sizeof t1); + check_equals("KAT RSA priv (2048)", t1, t3, len); + + /* + * RSA-4096 test vector. + */ + len = hextobin(t1, "7D35B6B4D85252D08A2658C0B04126CC617B0E56B2A782A5FA2722AD05BD49538111682C12DA2C5FA1B9C30FB1AB8DA2C6A49EB4226A4D32290CF091FBB22EC499C7B18192C230B29F957DAF551F1EAD1917BA9E03D757100BD1F96B829708A6188A3927436113BB21E175D436BBB7A90E20162203FFB8F675313DFB21EFDA3EA0C7CC9B605AE7FB47E2DD2A9C4D5F124D7DE1B690AF9ADFEDC6055E0F9D2C9A891FB2501F3055D6DA7E94D51672BA1E86AEB782E4B020F70E0DF5399262909FC5B4770B987F2826EF2099A15F3CD5A0D6FE82E0C85FBA2C53C77305F534A7B0C7EA0D5244E37F1C1318EEF7079995F0642E4AB80EB0ED60DB4955FB652ED372DAC787581054A827C37A25C7B4DE7AE7EF3D099D47D6682ADF02BCC4DE04DDF2920F7124CF5B4955705E4BDB97A0BF341B584797878B4D3795134A9469FB391E4E4988F0AA451027CBC2ED6121FC23B26BF593E3C51DEDD53B62E23050D5B41CA34204679916A87AF1B17873A0867924D0C303942ADA478B769487FCEF861D4B20DCEE6942CCB84184833CDB258167258631C796BC1977D001354E2EE168ABE3B45FC969EA7F22B8E133C57A10FBB25ED19694E89C399CF7723B3C0DF0CC9F57A8ED0959EFC392FB31B8ADAEA969E2DEE8282CB245E5677368F00CCE4BA52C07C16BE7F9889D57191D5B2FE552D72B3415C64C09EE622457766EC809344A1EFE"); + hextobin(t2, "0001FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF003031300D0609608648016503040201050004205B60DD5AD5B3C62E0DA25FD0D8CB26325E1CE32CC9ED234B288235BCCF6ED2C8"); + memcpy(t3, t1, len); + if (!fpub(t3, len, &RSA4096_PK)) { + fprintf(stderr, "RSA public operation failed (4096)\n"); + exit(EXIT_FAILURE); + } + check_equals("KAT RSA pub", t2, t3, len); + if (!fpriv(t3, &RSA4096_SK)) { + fprintf(stderr, "RSA private operation failed (4096)\n"); + exit(EXIT_FAILURE); + } + check_equals("KAT RSA priv (4096)", t1, t3, len); printf("done.\n"); fflush(stdout); @@ -4368,6 +5247,11 @@ test_RSA_sign(const char *name, br_rsa_private fpriv, { unsigned char t1[128], t2[128]; unsigned char hv[20], tmp[20]; + unsigned char rsa_n[128], rsa_e[3], rsa_p[64], rsa_q[64]; + unsigned char rsa_dp[64], rsa_dq[64], rsa_iq[64]; + br_rsa_public_key rsa_pk; + br_rsa_private_key rsa_sk; + unsigned char hv2[64], tmp2[64], sig[128]; br_sha1_context hc; size_t u; @@ -4421,56 +5305,594 @@ test_RSA_sign(const char *name, br_rsa_private fpriv, fflush(stdout); } + /* + * Another KAT test, which historically showed a bug. + */ + rsa_pk.n = rsa_n; + rsa_pk.nlen = hextobin(rsa_n, "E65DAEF196D22C300B3DAE1CE5157EDF821BB6038E419D8D363A8B2DA84A1321042330E6F87A8BD8FE6BA1D2A17031955ED2315CC5FD2397197E238A5E0D2D0AFD25717E814EC4D2BBA887327A3C5B3A450FD8D547BDFCBB0F73B997CA13DD5E7572C4D5BAA764A349BAB2F868ACF4574AE2C7AEC94B77D2EE00A21B6CB175BB"); + rsa_pk.e = rsa_e; + rsa_pk.elen = hextobin(rsa_e, "010001"); + + rsa_sk.n_bitlen = 1024; + rsa_sk.p = rsa_p; + rsa_sk.plen = hextobin(rsa_p, "FF58513DBA4F3F42DFDFD3E6AFB6BD62DE27E06BA3C9D9F9B542CB21228C2AAE67936514161C8FDC1A248A50195CAF22ADC50DA89BFED1B9EEFBB37304241357"); + rsa_sk.q = rsa_q; + rsa_sk.qlen = hextobin(rsa_q, "E6F4F66818B7442297DDEB45E9B3D438E5B57BB5EF86EFF2462AD6B9C10F383517CDD2E7E36EAD4BEBCC57CFE8AA985F7E7B38B96D30FFBE9ED9FE21B1CFB63D"); + rsa_sk.dp = rsa_dp; + rsa_sk.dplen = hextobin(rsa_dp, "6F89517B682D83919F9EF2BDBA955526A1A9C382E139A3A84AC01160B8E9871F458901C7035D988D6931FAE4C01F57350BB89E9DBEFE50F829E6F25CD43B39E3"); + rsa_sk.dq = rsa_dq; + rsa_sk.dqlen = hextobin(rsa_dq, "409E08D2D7176F58BE64B88EB6F4394C31F8B4C412600E821A5FA1F416AFCB6A0F5EE6C33A3E9CFDC0DB4B3640427A9F3D23FC9AE491F0FBC435F98433DB8981"); + rsa_sk.iq = rsa_iq; + rsa_sk.iqlen = hextobin(rsa_iq, "CF333D6AD66D02B4D11C8C23CA669D14D71803ADC3943BE03B1E48F52F385BCFDDFD0F85AD02A984E504FC6612549D4E7867B7D09DD13196BFC3FAA4B57393A9"); + hextobin(sig, "CFB84D161E6DB130736FC6212EBE575571AF341CEF5757C19952A5364C90E3C47549E520E26253DAE70F645F31FA8B5DA9AE282741D3CA4B1CC365B7BD75D6D61D4CFD9AD9EDD17D23E0BA7D9775138DBABC7FF2A57587FE1EA1B51E8F3C68326E26FF89D8CF92BDD4C787D04857DFC3266E6B33B92AA08809929C72642F35C2"); + + hextobin(hv2, "F66C62B38E1CC69C378C0E16574AE5C6443FDFA3E85C6205C00B3231CAA3074EC1481BDC22AB575E6CF3CCD9EDA6B39F83923FC0E6475C799D257545F77233B4"); + if (!fsign(BR_HASH_OID_SHA512, hv2, 64, &rsa_sk, t2)) { + fprintf(stderr, "Signature generation failed (2)\n"); + exit(EXIT_FAILURE); + } + check_equals("Regenerated signature (2)", t2, sig, sizeof t2); + if (!fvrfy(t2, sizeof t2, BR_HASH_OID_SHA512, + sizeof tmp2, &rsa_pk, tmp2)) + { + fprintf(stderr, "Signature verification failed (2)\n"); + exit(EXIT_FAILURE); + } + check_equals("Extracted hash value (2)", hv2, tmp2, sizeof tmp2); + printf(" done.\n"); fflush(stdout); } +/* + * Test vectors from pkcs-1v2-1d2-vec.zip (originally from ftp.rsa.com). + * There are ten RSA keys, and for each RSA key, there are 6 messages, + * each with an explicit seed. + * + * Field order: + * modulus (n) + * public exponent (e) + * first factor (p) + * second factor (q) + * first private exponent (dp) + * second private exponent (dq) + * CRT coefficient (iq) + * cleartext 1 + * seed 1 (20-byte random value) + * ciphertext 1 + * cleartext 2 + * seed 2 (20-byte random value) + * ciphertext 2 + * ... + * cleartext 6 + * seed 6 (20-byte random value) + * ciphertext 6 + * + * This pattern is repeated for all keys. The array stops on a NULL. + */ +static const char *KAT_RSA_OAEP[] = { + /* 1024-bit key, from oeap-int.txt */ + "BBF82F090682CE9C2338AC2B9DA871F7368D07EED41043A440D6B6F07454F51FB8DFBAAF035C02AB61EA48CEEB6FCD4876ED520D60E1EC4619719D8A5B8B807FAFB8E0A3DFC737723EE6B4B7D93A2584EE6A649D060953748834B2454598394EE0AAB12D7B61A51F527A9A41F6C1687FE2537298CA2A8F5946F8E5FD091DBDCB", + "11", + "EECFAE81B1B9B3C908810B10A1B5600199EB9F44AEF4FDA493B81A9E3D84F632124EF0236E5D1E3B7E28FAE7AA040A2D5B252176459D1F397541BA2A58FB6599", + "C97FB1F027F453F6341233EAAAD1D9353F6C42D08866B1D05A0F2035028B9D869840B41666B42E92EA0DA3B43204B5CFCE3352524D0416A5A441E700AF461503", + "54494CA63EBA0337E4E24023FCD69A5AEB07DDDC0183A4D0AC9B54B051F2B13ED9490975EAB77414FF59C1F7692E9A2E202B38FC910A474174ADC93C1F67C981", + "471E0290FF0AF0750351B7F878864CA961ADBD3A8A7E991C5C0556A94C3146A7F9803F8F6F8AE342E931FD8AE47A220D1B99A495849807FE39F9245A9836DA3D", + "B06C4FDABB6301198D265BDBAE9423B380F271F73453885093077FCD39E2119FC98632154F5883B167A967BF402B4E9E2E0F9656E698EA3666EDFB25798039F7", + + /* oaep-int.txt contains only one message, so we repeat it six + times to respect our array format. */ + "D436E99569FD32A7C8A05BBC90D32C49", + "AAFD12F659CAE63489B479E5076DDEC2F06CB58F", + "1253E04DC0A5397BB44A7AB87E9BF2A039A33D1E996FC82A94CCD30074C95DF763722017069E5268DA5D1C0B4F872CF653C11DF82314A67968DFEAE28DEF04BB6D84B1C31D654A1970E5783BD6EB96A024C2CA2F4A90FE9F2EF5C9C140E5BB48DA9536AD8700C84FC9130ADEA74E558D51A74DDF85D8B50DE96838D6063E0955", + + "D436E99569FD32A7C8A05BBC90D32C49", + "AAFD12F659CAE63489B479E5076DDEC2F06CB58F", + "1253E04DC0A5397BB44A7AB87E9BF2A039A33D1E996FC82A94CCD30074C95DF763722017069E5268DA5D1C0B4F872CF653C11DF82314A67968DFEAE28DEF04BB6D84B1C31D654A1970E5783BD6EB96A024C2CA2F4A90FE9F2EF5C9C140E5BB48DA9536AD8700C84FC9130ADEA74E558D51A74DDF85D8B50DE96838D6063E0955", + + "D436E99569FD32A7C8A05BBC90D32C49", + "AAFD12F659CAE63489B479E5076DDEC2F06CB58F", + "1253E04DC0A5397BB44A7AB87E9BF2A039A33D1E996FC82A94CCD30074C95DF763722017069E5268DA5D1C0B4F872CF653C11DF82314A67968DFEAE28DEF04BB6D84B1C31D654A1970E5783BD6EB96A024C2CA2F4A90FE9F2EF5C9C140E5BB48DA9536AD8700C84FC9130ADEA74E558D51A74DDF85D8B50DE96838D6063E0955", + + "D436E99569FD32A7C8A05BBC90D32C49", + "AAFD12F659CAE63489B479E5076DDEC2F06CB58F", + "1253E04DC0A5397BB44A7AB87E9BF2A039A33D1E996FC82A94CCD30074C95DF763722017069E5268DA5D1C0B4F872CF653C11DF82314A67968DFEAE28DEF04BB6D84B1C31D654A1970E5783BD6EB96A024C2CA2F4A90FE9F2EF5C9C140E5BB48DA9536AD8700C84FC9130ADEA74E558D51A74DDF85D8B50DE96838D6063E0955", + + "D436E99569FD32A7C8A05BBC90D32C49", + "AAFD12F659CAE63489B479E5076DDEC2F06CB58F", + "1253E04DC0A5397BB44A7AB87E9BF2A039A33D1E996FC82A94CCD30074C95DF763722017069E5268DA5D1C0B4F872CF653C11DF82314A67968DFEAE28DEF04BB6D84B1C31D654A1970E5783BD6EB96A024C2CA2F4A90FE9F2EF5C9C140E5BB48DA9536AD8700C84FC9130ADEA74E558D51A74DDF85D8B50DE96838D6063E0955", + + "D436E99569FD32A7C8A05BBC90D32C49", + "AAFD12F659CAE63489B479E5076DDEC2F06CB58F", + "1253E04DC0A5397BB44A7AB87E9BF2A039A33D1E996FC82A94CCD30074C95DF763722017069E5268DA5D1C0B4F872CF653C11DF82314A67968DFEAE28DEF04BB6D84B1C31D654A1970E5783BD6EB96A024C2CA2F4A90FE9F2EF5C9C140E5BB48DA9536AD8700C84FC9130ADEA74E558D51A74DDF85D8B50DE96838D6063E0955", + + /* 1024-bit key */ + "A8B3B284AF8EB50B387034A860F146C4919F318763CD6C5598C8AE4811A1E0ABC4C7E0B082D693A5E7FCED675CF4668512772C0CBC64A742C6C630F533C8CC72F62AE833C40BF25842E984BB78BDBF97C0107D55BDB662F5C4E0FAB9845CB5148EF7392DD3AAFF93AE1E6B667BB3D4247616D4F5BA10D4CFD226DE88D39F16FB", + "010001", + "D32737E7267FFE1341B2D5C0D150A81B586FB3132BED2F8D5262864A9CB9F30AF38BE448598D413A172EFB802C21ACF1C11C520C2F26A471DCAD212EAC7CA39D", + "CC8853D1D54DA630FAC004F471F281C7B8982D8224A490EDBEB33D3E3D5CC93C4765703D1DD791642F1F116A0DD852BE2419B2AF72BFE9A030E860B0288B5D77", + "0E12BF1718E9CEF5599BA1C3882FE8046A90874EEFCE8F2CCC20E4F2741FB0A33A3848AEC9C9305FBECBD2D76819967D4671ACC6431E4037968DB37878E695C1", + "95297B0F95A2FA67D00707D609DFD4FC05C89DAFC2EF6D6EA55BEC771EA333734D9251E79082ECDA866EFEF13C459E1A631386B7E354C899F5F112CA85D71583", + "4F456C502493BDC0ED2AB756A3A6ED4D67352A697D4216E93212B127A63D5411CE6FA98D5DBEFD73263E3728142743818166ED7DD63687DD2A8CA1D2F4FBD8E1", + + "6628194E12073DB03BA94CDA9EF9532397D50DBA79B987004AFEFE34", + "18B776EA21069D69776A33E96BAD48E1DDA0A5EF", + "354FE67B4A126D5D35FE36C777791A3F7BA13DEF484E2D3908AFF722FAD468FB21696DE95D0BE911C2D3174F8AFCC201035F7B6D8E69402DE5451618C21A535FA9D7BFC5B8DD9FC243F8CF927DB31322D6E881EAA91A996170E657A05A266426D98C88003F8477C1227094A0D9FA1E8C4024309CE1ECCCB5210035D47AC72E8A", + + "750C4047F547E8E41411856523298AC9BAE245EFAF1397FBE56F9DD5", + "0CC742CE4A9B7F32F951BCB251EFD925FE4FE35F", + "640DB1ACC58E0568FE5407E5F9B701DFF8C3C91E716C536FC7FCEC6CB5B71C1165988D4A279E1577D730FC7A29932E3F00C81515236D8D8E31017A7A09DF4352D904CDEB79AA583ADCC31EA698A4C05283DABA9089BE5491F67C1A4EE48DC74BBBE6643AEF846679B4CB395A352D5ED115912DF696FFE0702932946D71492B44", + + "D94AE0832E6445CE42331CB06D531A82B1DB4BAAD30F746DC916DF24D4E3C2451FFF59A6423EB0E1D02D4FE646CF699DFD818C6E97B051", + "2514DF4695755A67B288EAF4905C36EEC66FD2FD", + "423736ED035F6026AF276C35C0B3741B365E5F76CA091B4E8C29E2F0BEFEE603595AA8322D602D2E625E95EB81B2F1C9724E822ECA76DB8618CF09C5343503A4360835B5903BC637E3879FB05E0EF32685D5AEC5067CD7CC96FE4B2670B6EAC3066B1FCF5686B68589AAFB7D629B02D8F8625CA3833624D4800FB081B1CF94EB", + + "52E650D98E7F2A048B4F86852153B97E01DD316F346A19F67A85", + "C4435A3E1A18A68B6820436290A37CEFB85DB3FB", + "45EAD4CA551E662C9800F1ACA8283B0525E6ABAE30BE4B4ABA762FA40FD3D38E22ABEFC69794F6EBBBC05DDBB11216247D2F412FD0FBA87C6E3ACD888813646FD0E48E785204F9C3F73D6D8239562722DDDD8771FEC48B83A31EE6F592C4CFD4BC88174F3B13A112AAE3B9F7B80E0FC6F7255BA880DC7D8021E22AD6A85F0755", + + "8DA89FD9E5F974A29FEFFB462B49180F6CF9E802", + "B318C42DF3BE0F83FEA823F5A7B47ED5E425A3B5", + "36F6E34D94A8D34DAACBA33A2139D00AD85A9345A86051E73071620056B920E219005855A213A0F23897CDCD731B45257C777FE908202BEFDD0B58386B1244EA0CF539A05D5D10329DA44E13030FD760DCD644CFEF2094D1910D3F433E1C7C6DD18BC1F2DF7F643D662FB9DD37EAD9059190F4FA66CA39E869C4EB449CBDC439", + + "26521050844271", + "E4EC0982C2336F3A677F6A356174EB0CE887ABC2", + "42CEE2617B1ECEA4DB3F4829386FBD61DAFBF038E180D837C96366DF24C097B4AB0FAC6BDF590D821C9F10642E681AD05B8D78B378C0F46CE2FAD63F74E0AD3DF06B075D7EB5F5636F8D403B9059CA761B5C62BB52AA45002EA70BAACE08DED243B9D8CBD62A68ADE265832B56564E43A6FA42ED199A099769742DF1539E8255", + + /* 1025-bit key */ + "01947C7FCE90425F47279E70851F25D5E62316FE8A1DF19371E3E628E260543E4901EF6081F68C0B8141190D2AE8DABA7D1250EC6DB636E944EC3722877C7C1D0A67F14B1694C5F0379451A43E49A32DDE83670B73DA91A1C99BC23B436A60055C610F0BAF99C1A079565B95A3F1526632D1D4DA60F20EDA25E653C4F002766F45", + "010001", + "0159DBDE04A33EF06FB608B80B190F4D3E22BCC13AC8E4A081033ABFA416EDB0B338AA08B57309EA5A5240E7DC6E54378C69414C31D97DDB1F406DB3769CC41A43", + "012B652F30403B38B40995FD6FF41A1ACC8ADA70373236B7202D39B2EE30CFB46DB09511F6F307CC61CC21606C18A75B8A62F822DF031BA0DF0DAFD5506F568BD7", + "436EF508DE736519C2DA4C580D98C82CB7452A3FB5EFADC3B9C7789A1BC6584F795ADDBBD32439C74686552ECB6C2C307A4D3AF7F539EEC157248C7B31F1A255", + "012B15A89F3DFB2B39073E73F02BDD0C1A7B379DD435F05CDDE2EFF9E462948B7CEC62EE9050D5E0816E0785A856B49108DCB75F3683874D1CA6329A19013066FF", + "0270DB17D5914B018D76118B24389A7350EC836B0063A21721236FD8EDB6D89B51E7EEB87B611B7132CB7EA7356C23151C1E7751507C786D9EE1794170A8C8E8", + + "8FF00CAA605C702830634D9A6C3D42C652B58CF1D92FEC570BEEE7", + "8C407B5EC2899E5099C53E8CE793BF94E71B1782", + "0181AF8922B9FCB4D79D92EBE19815992FC0C1439D8BCD491398A0F4AD3A329A5BD9385560DB532683C8B7DA04E4B12AED6AACDF471C34C9CDA891ADDCC2DF3456653AA6382E9AE59B54455257EB099D562BBE10453F2B6D13C59C02E10F1F8ABB5DA0D0570932DACF2D0901DB729D0FEFCC054E70968EA540C81B04BCAEFE720E", + + "2D", + "B600CF3C2E506D7F16778C910D3A8B003EEE61D5", + "018759FF1DF63B2792410562314416A8AEAF2AC634B46F940AB82D64DBF165EEE33011DA749D4BAB6E2FCD18129C9E49277D8453112B429A222A8471B070993998E758861C4D3F6D749D91C4290D332C7A4AB3F7EA35FF3A07D497C955FF0FFC95006B62C6D296810D9BFAB024196C7934012C2DF978EF299ABA239940CBA10245", + + "74FC88C51BC90F77AF9D5E9A4A70133D4B4E0B34DA3C37C7EF8E", + "A73768AEEAA91F9D8C1ED6F9D2B63467F07CCAE3", + "018802BAB04C60325E81C4962311F2BE7C2ADCE93041A00719C88F957575F2C79F1B7BC8CED115C706B311C08A2D986CA3B6A9336B147C29C6F229409DDEC651BD1FDD5A0B7F610C9937FDB4A3A762364B8B3206B4EA485FD098D08F63D4AA8BB2697D027B750C32D7F74EAF5180D2E9B66B17CB2FA55523BC280DA10D14BE2053", + + "A7EB2A5036931D27D4E891326D99692FFADDA9BF7EFD3E34E622C4ADC085F721DFE885072C78A203B151739BE540FA8C153A10F00A", + "9A7B3B0E708BD96F8190ECAB4FB9B2B3805A8156", + "00A4578CBC176318A638FBA7D01DF15746AF44D4F6CD96D7E7C495CBF425B09C649D32BF886DA48FBAF989A2117187CAFB1FB580317690E3CCD446920B7AF82B31DB5804D87D01514ACBFA9156E782F867F6BED9449E0E9A2C09BCECC6AA087636965E34B3EC766F2FE2E43018A2FDDEB140616A0E9D82E5331024EE0652FC7641", + + "2EF2B066F854C33F3BDCBB5994A435E73D6C6C", + "EB3CEBBC4ADC16BB48E88C8AEC0E34AF7F427FD3", + "00EBC5F5FDA77CFDAD3C83641A9025E77D72D8A6FB33A810F5950F8D74C73E8D931E8634D86AB1246256AE07B6005B71B7F2FB98351218331CE69B8FFBDC9DA08BBC9C704F876DEB9DF9FC2EC065CAD87F9090B07ACC17AA7F997B27ACA48806E897F771D95141FE4526D8A5301B678627EFAB707FD40FBEBD6E792A25613E7AEC", + + "8A7FB344C8B6CB2CF2EF1F643F9A3218F6E19BBA89C0", + "4C45CF4D57C98E3D6D2095ADC51C489EB50DFF84", + "010839EC20C27B9052E55BEFB9B77E6FC26E9075D7A54378C646ABDF51E445BD5715DE81789F56F1803D9170764A9E93CB78798694023EE7393CE04BC5D8F8C5A52C171D43837E3ACA62F609EB0AA5FFB0960EF04198DD754F57F7FBE6ABF765CF118B4CA443B23B5AAB266F952326AC4581100644325F8B721ACD5D04FF14EF3A", + + /* 2048-bit key */ + "AE45ED5601CEC6B8CC05F803935C674DDBE0D75C4C09FD7951FC6B0CAEC313A8DF39970C518BFFBA5ED68F3F0D7F22A4029D413F1AE07E4EBE9E4177CE23E7F5404B569E4EE1BDCF3C1FB03EF113802D4F855EB9B5134B5A7C8085ADCAE6FA2FA1417EC3763BE171B0C62B760EDE23C12AD92B980884C641F5A8FAC26BDAD4A03381A22FE1B754885094C82506D4019A535A286AFEB271BB9BA592DE18DCF600C2AEEAE56E02F7CF79FC14CF3BDC7CD84FEBBBF950CA90304B2219A7AA063AEFA2C3C1980E560CD64AFE779585B6107657B957857EFDE6010988AB7DE417FC88D8F384C4E6E72C3F943E0C31C0C4A5CC36F879D8A3AC9D7D59860EAADA6B83BB", + "010001", + "ECF5AECD1E5515FFFACBD75A2816C6EBF49018CDFB4638E185D66A7396B6F8090F8018C7FD95CC34B857DC17F0CC6516BB1346AB4D582CADAD7B4103352387B70338D084047C9D9539B6496204B3DD6EA442499207BEC01F964287FF6336C3984658336846F56E46861881C10233D2176BF15A5E96DDC780BC868AA77D3CE769", + "BC46C464FC6AC4CA783B0EB08A3C841B772F7E9B2F28BABD588AE885E1A0C61E4858A0FB25AC299990F35BE85164C259BA1175CDD7192707135184992B6C29B746DD0D2CABE142835F7D148CC161524B4A09946D48B828473F1CE76B6CB6886C345C03E05F41D51B5C3A90A3F24073C7D74A4FE25D9CF21C75960F3FC3863183", + "C73564571D00FB15D08A3DE9957A50915D7126E9442DACF42BC82E862E5673FF6A008ED4D2E374617DF89F17A160B43B7FDA9CB6B6B74218609815F7D45CA263C159AA32D272D127FAF4BC8CA2D77378E8AEB19B0AD7DA3CB3DE0AE7314980F62B6D4B0A875D1DF03C1BAE39CCD833EF6CD7E2D9528BF084D1F969E794E9F6C1", + "2658B37F6DF9C1030BE1DB68117FA9D87E39EA2B693B7E6D3A2F70947413EEC6142E18FB8DFCB6AC545D7C86A0AD48F8457170F0EFB26BC48126C53EFD1D16920198DC2A1107DC282DB6A80CD3062360BA3FA13F70E4312FF1A6CD6B8FC4CD9C5C3DB17C6D6A57212F73AE29F619327BAD59B153858585BA4E28B60A62A45E49", + "6F38526B3925085534EF3E415A836EDE8B86158A2C7CBFECCB0BD834304FEC683BA8D4F479C433D43416E63269623CEA100776D85AFF401D3FFF610EE65411CE3B1363D63A9709EEDE42647CEA561493D54570A879C18682CD97710B96205EC31117D73B5F36223FADD6E8BA90DD7C0EE61D44E163251E20C7F66EB305117CB8", + + "8BBA6BF82A6C0F86D5F1756E97956870B08953B06B4EB205BC1694EE", + "47E1AB7119FEE56C95EE5EAAD86F40D0AA63BD33", + "53EA5DC08CD260FB3B858567287FA91552C30B2FEBFBA213F0AE87702D068D19BAB07FE574523DFB42139D68C3C5AFEEE0BFE4CB7969CBF382B804D6E61396144E2D0E60741F8993C3014B58B9B1957A8BABCD23AF854F4C356FB1662AA72BFCC7E586559DC4280D160C126785A723EBEEBEFF71F11594440AAEF87D10793A8774A239D4A04C87FE1467B9DAF85208EC6C7255794A96CC29142F9A8BD418E3C1FD67344B0CD0829DF3B2BEC60253196293C6B34D3F75D32F213DD45C6273D505ADF4CCED1057CB758FC26AEEFA441255ED4E64C199EE075E7F16646182FDB464739B68AB5DAFF0E63E9552016824F054BF4D3C8C90A97BB6B6553284EB429FCC", + + "E6AD181F053B58A904F2457510373E57", + "6D17F5B4C1FFAC351D195BF7B09D09F09A4079CF", + "A2B1A430A9D657E2FA1C2BB5ED43FFB25C05A308FE9093C01031795F5874400110828AE58FB9B581CE9DDDD3E549AE04A0985459BDE6C626594E7B05DC4278B2A1465C1368408823C85E96DC66C3A30983C639664FC4569A37FE21E5A195B5776EED2DF8D8D361AF686E750229BBD663F161868A50615E0C337BEC0CA35FEC0BB19C36EB2E0BBCC0582FA1D93AACDB061063F59F2CE1EE43605E5D89ECA183D2ACDFE9F81011022AD3B43A3DD417DAC94B4E11EA81B192966E966B182082E71964607B4F8002F36299844A11F2AE0FAEAC2EAE70F8F4F98088ACDCD0AC556E9FCCC511521908FAD26F04C64201450305778758B0538BF8B5BB144A828E629795", + + "510A2CF60E866FA2340553C94EA39FBC256311E83E94454B4124", + "385387514DECCC7C740DD8CDF9DAEE49A1CBFD54", + "9886C3E6764A8B9A84E84148EBD8C3B1AA8050381A78F668714C16D9CFD2A6EDC56979C535D9DEE3B44B85C18BE8928992371711472216D95DDA98D2EE8347C9B14DFFDFF84AA48D25AC06F7D7E65398AC967B1CE90925F67DCE049B7F812DB0742997A74D44FE81DBE0E7A3FEAF2E5C40AF888D550DDBBE3BC20657A29543F8FC2913B9BD1A61B2AB2256EC409BBD7DC0D17717EA25C43F42ED27DF8738BF4AFC6766FF7AFF0859555EE283920F4C8A63C4A7340CBAFDDC339ECDB4B0515002F96C932B5B79167AF699C0AD3FCCFDF0F44E85A70262BF2E18FE34B850589975E867FF969D48EABF212271546CDC05A69ECB526E52870C836F307BD798780EDE", + + "BCDD190DA3B7D300DF9A06E22CAAE2A75F10C91FF667B7C16BDE8B53064A2649A94045C9", + "5CACA6A0F764161A9684F85D92B6E0EF37CA8B65", + "6318E9FB5C0D05E5307E1683436E903293AC4642358AAA223D7163013ABA87E2DFDA8E60C6860E29A1E92686163EA0B9175F329CA3B131A1EDD3A77759A8B97BAD6A4F8F4396F28CF6F39CA58112E48160D6E203DAA5856F3ACA5FFED577AF499408E3DFD233E3E604DBE34A9C4C9082DE65527CAC6331D29DC80E0508A0FA7122E7F329F6CCA5CFA34D4D1DA417805457E008BEC549E478FF9E12A763C477D15BBB78F5B69BD57830FC2C4ED686D79BC72A95D85F88134C6B0AFE56A8CCFBC855828BB339BD17909CF1D70DE3335AE07039093E606D655365DE6550B872CD6DE1D440EE031B61945F629AD8A353B0D40939E96A3C450D2A8D5EEE9F678093C8", + + "A7DD6C7DC24B46F9DD5F1E91ADA4C3B3DF947E877232A9", + "95BCA9E3859894B3DD869FA7ECD5BBC6401BF3E4", + "75290872CCFD4A4505660D651F56DA6DAA09CA1301D890632F6A992F3D565CEE464AFDED40ED3B5BE9356714EA5AA7655F4A1366C2F17C728F6F2C5A5D1F8E28429BC4E6F8F2CFF8DA8DC0E0A9808E45FD09EA2FA40CB2B6CE6FFFF5C0E159D11B68D90A85F7B84E103B09E682666480C657505C0929259468A314786D74EAB131573CF234BF57DB7D9E66CC6748192E002DC0DEEA930585F0831FDCD9BC33D51F79ED2FFC16BCF4D59812FCEBCAA3F9069B0E445686D644C25CCF63B456EE5FA6FFE96F19CDF751FED9EAF35957754DBF4BFEA5216AA1844DC507CB2D080E722EBA150308C2B5FF1193620F1766ECF4481BAFB943BD292877F2136CA494ABA0", + + "EAF1A73A1B0C4609537DE69CD9228BBCFB9A8CA8C6C3EFAF056FE4A7F4634ED00B7C39EC6922D7B8EA2C04EBAC", + "9F47DDF42E97EEA856A9BDBC714EB3AC22F6EB32", + "2D207A73432A8FB4C03051B3F73B28A61764098DFA34C47A20995F8115AA6816679B557E82DBEE584908C6E69782D7DEB34DBD65AF063D57FCA76A5FD069492FD6068D9984D209350565A62E5C77F23038C12CB10C6634709B547C46F6B4A709BD85CA122D74465EF97762C29763E06DBC7A9E738C78BFCA0102DC5E79D65B973F28240CAAB2E161A78B57D262457ED8195D53E3C7AE9DA021883C6DB7C24AFDD2322EAC972AD3C354C5FCEF1E146C3A0290FB67ADF007066E00428D2CEC18CE58F9328698DEFEF4B2EB5EC76918FDE1C198CBB38B7AFC67626A9AEFEC4322BFD90D2563481C9A221F78C8272C82D1B62AB914E1C69F6AF6EF30CA5260DB4A46", + + NULL +}; + +/* + * Fake RNG that returns exactly the provided bytes. + */ +typedef struct { + const br_prng_class *vtable; + unsigned char buf[128]; + size_t ptr, len; +} rng_oaep_ctx; + +static void rng_oaep_init(rng_oaep_ctx *cc, + const void *params, const void *seed, size_t len); +static void rng_oaep_generate(rng_oaep_ctx *cc, void *dst, size_t len); +static void rng_oaep_update(rng_oaep_ctx *cc, const void *src, size_t len); + +static const br_prng_class rng_oaep_vtable = { + sizeof(rng_oaep_ctx), + (void (*)(const br_prng_class **, + const void *, const void *, size_t))&rng_oaep_init, + (void (*)(const br_prng_class **, + void *, size_t))&rng_oaep_generate, + (void (*)(const br_prng_class **, + const void *, size_t))&rng_oaep_update +}; + static void -test_RSA_i15(void) +rng_oaep_init(rng_oaep_ctx *cc, const void *params, + const void *seed, size_t len) { - test_RSA_core("RSA i15 core", &br_rsa_i15_public, &br_rsa_i15_private); - test_RSA_sign("RSA i15 sign", &br_rsa_i15_private, - &br_rsa_i15_pkcs1_sign, &br_rsa_i15_pkcs1_vrfy); + (void)params; + if (len > sizeof cc->buf) { + fprintf(stderr, "seed is too large (%lu bytes)\n", + (unsigned long)len); + exit(EXIT_FAILURE); + } + cc->vtable = &rng_oaep_vtable; + memcpy(cc->buf, seed, len); + cc->ptr = 0; + cc->len = len; } static void -test_RSA_i31(void) +rng_oaep_generate(rng_oaep_ctx *cc, void *dst, size_t len) { - test_RSA_core("RSA i31 core", &br_rsa_i31_public, &br_rsa_i31_private); - test_RSA_sign("RSA i31 sign", &br_rsa_i31_private, - &br_rsa_i31_pkcs1_sign, &br_rsa_i31_pkcs1_vrfy); + if (len > (cc->len - cc->ptr)) { + fprintf(stderr, "asking for more data than expected\n"); + exit(EXIT_FAILURE); + } + memcpy(dst, cc->buf + cc->ptr, len); + cc->ptr += len; } static void -test_RSA_i32(void) +rng_oaep_update(rng_oaep_ctx *cc, const void *src, size_t len) { - test_RSA_core("RSA i32 core", &br_rsa_i32_public, &br_rsa_i32_private); - test_RSA_sign("RSA i32 sign", &br_rsa_i32_private, - &br_rsa_i32_pkcs1_sign, &br_rsa_i32_pkcs1_vrfy); + (void)cc; + (void)src; + (void)len; + fprintf(stderr, "unexpected update\n"); + exit(EXIT_FAILURE); } -#if 0 static void -test_RSA_signatures(void) +test_RSA_OAEP(const char *name, + br_rsa_oaep_encrypt menc, br_rsa_oaep_decrypt mdec) { - uint32_t n[40], e[2], p[20], q[20], dp[20], dq[20], iq[20], x[40]; - unsigned char hv[20], sig[128]; - unsigned char ref[128], tmp[128]; - br_sha1_context hc; + size_t u; - printf("Test RSA signatures: "); + printf("Test %s: ", name); fflush(stdout); - /* - * Decode RSA key elements. - */ - br_int_decode(n, sizeof n / sizeof n[0], RSA_N, sizeof RSA_N); - br_int_decode(e, sizeof e / sizeof e[0], RSA_E, sizeof RSA_E); - br_int_decode(p, sizeof p / sizeof p[0], RSA_P, sizeof RSA_P); - br_int_decode(q, sizeof q / sizeof q[0], RSA_Q, sizeof RSA_Q); - br_int_decode(dp, sizeof dp / sizeof dp[0], RSA_DP, sizeof RSA_DP); - br_int_decode(dq, sizeof dq / sizeof dq[0], RSA_DQ, sizeof RSA_DQ); - br_int_decode(iq, sizeof iq / sizeof iq[0], RSA_IQ, sizeof RSA_IQ); + u = 0; + while (KAT_RSA_OAEP[u] != NULL) { + unsigned char n[512]; + unsigned char e[8]; + unsigned char p[256]; + unsigned char q[256]; + unsigned char dp[256]; + unsigned char dq[256]; + unsigned char iq[256]; + br_rsa_public_key pk; + br_rsa_private_key sk; + size_t v; + + pk.n = n; + pk.nlen = hextobin(n, KAT_RSA_OAEP[u ++]); + pk.e = e; + pk.elen = hextobin(e, KAT_RSA_OAEP[u ++]); + + for (v = 0; n[v] == 0; v ++); + sk.n_bitlen = BIT_LENGTH(n[v]) + ((pk.nlen - 1 - v) << 3); + sk.p = p; + sk.plen = hextobin(p, KAT_RSA_OAEP[u ++]); + sk.q = q; + sk.qlen = hextobin(q, KAT_RSA_OAEP[u ++]); + sk.dp = dp; + sk.dplen = hextobin(dp, KAT_RSA_OAEP[u ++]); + sk.dq = dq; + sk.dqlen = hextobin(dq, KAT_RSA_OAEP[u ++]); + sk.iq = iq; + sk.iqlen = hextobin(iq, KAT_RSA_OAEP[u ++]); + + for (v = 0; v < 6; v ++) { + unsigned char plain[512], seed[128], cipher[512]; + size_t plain_len, seed_len, cipher_len; + rng_oaep_ctx rng; + unsigned char tmp[513]; + size_t len; + + plain_len = hextobin(plain, KAT_RSA_OAEP[u ++]); + seed_len = hextobin(seed, KAT_RSA_OAEP[u ++]); + cipher_len = hextobin(cipher, KAT_RSA_OAEP[u ++]); + rng_oaep_init(&rng, NULL, seed, seed_len); + + len = menc(&rng.vtable, &br_sha1_vtable, NULL, 0, &pk, + tmp, sizeof tmp, plain, plain_len); + if (len != cipher_len) { + fprintf(stderr, + "wrong encrypted length: %lu vs %lu\n", + (unsigned long)len, + (unsigned long)cipher_len); + } + if (rng.ptr != rng.len) { + fprintf(stderr, "seed not fully consumed\n"); + exit(EXIT_FAILURE); + } + check_equals("KAT RSA/OAEP encrypt", tmp, cipher, len); + + if (mdec(&br_sha1_vtable, NULL, 0, + &sk, tmp, &len) != 1) + { + fprintf(stderr, "decryption failed\n"); + exit(EXIT_FAILURE); + } + if (len != plain_len) { + fprintf(stderr, + "wrong decrypted length: %lu vs %lu\n", + (unsigned long)len, + (unsigned long)plain_len); + } + check_equals("KAT RSA/OAEP decrypt", tmp, plain, len); + + /* + * Try with a different label; it should fail. + */ + memcpy(tmp, cipher, cipher_len); + len = cipher_len; + if (mdec(&br_sha1_vtable, "T", 1, + &sk, tmp, &len) != 0) + { + fprintf(stderr, "decryption should have failed" + " (wrong label)\n"); + exit(EXIT_FAILURE); + } + + /* + * Try with a the wrong length; it should fail. + */ + tmp[0] = 0x00; + memcpy(tmp + 1, cipher, cipher_len); + len = cipher_len + 1; + if (mdec(&br_sha1_vtable, "T", 1, + &sk, tmp, &len) != 0) + { + fprintf(stderr, "decryption should have failed" + " (wrong length)\n"); + exit(EXIT_FAILURE); + } + + printf("."); + fflush(stdout); + } + } + + printf(" done.\n"); + fflush(stdout); +} + +static void +test_RSA_keygen(const char *name, br_rsa_keygen kg, + br_rsa_pkcs1_sign sign, br_rsa_pkcs1_vrfy vrfy) +{ + br_hmac_drbg_context rng; + int i; + + printf("Test %s: ", name); + fflush(stdout); + + br_hmac_drbg_init(&rng, &br_sha256_vtable, "seed for RSA keygen", 19); + + for (i = 0; i < 40; i ++) { + unsigned size; + uint32_t pubexp; + br_rsa_private_key sk; + br_rsa_public_key pk; + unsigned char kbuf_priv[BR_RSA_KBUF_PRIV_SIZE(2048)]; + unsigned char kbuf_pub[BR_RSA_KBUF_PUB_SIZE(2048)]; + uint32_t mod[256]; + uint32_t cc; + size_t u, v; + unsigned char sig[257], hv[32], hv2[sizeof hv]; + unsigned mask1, mask2; + + if (i <= 35) { + size = 1024 + i; + pubexp = 17; + } else { + size = 2048; + pubexp = (i << 1) - 69; + } + + if (!kg(&rng.vtable, + &sk, kbuf_priv, &pk, kbuf_pub, size, pubexp)) + { + fprintf(stderr, "RSA key pair generation failure\n"); + exit(EXIT_FAILURE); + } + + for (u = pk.elen; u > 0; u --) { + if (pk.e[u - 1] != (pubexp & 0xFF)) { + fprintf(stderr, "wrong public exponent\n"); + exit(EXIT_FAILURE); + } + pubexp >>= 8; + } + if (pubexp != 0) { + fprintf(stderr, "truncated public exponent\n"); + exit(EXIT_FAILURE); + } + + memset(mod, 0, sizeof mod); + for (u = 0; u < sk.plen; u ++) { + for (v = 0; v < sk.qlen; v ++) { + mod[u + v] += (uint32_t)sk.p[sk.plen - 1 - u] + * (uint32_t)sk.q[sk.qlen - 1 - v]; + } + } + cc = 0; + for (u = 0; u < sk.plen + sk.qlen; u ++) { + mod[u] += cc; + cc = mod[u] >> 8; + mod[u] &= 0xFF; + } + for (u = 0; u < pk.nlen; u ++) { + if (mod[pk.nlen - 1 - u] != pk.n[u]) { + fprintf(stderr, "wrong modulus\n"); + exit(EXIT_FAILURE); + } + } + if (sk.n_bitlen != size) { + fprintf(stderr, "wrong key size\n"); + exit(EXIT_FAILURE); + } + if (pk.nlen != (size + 7) >> 3) { + fprintf(stderr, "wrong modulus size (bytes)\n"); + exit(EXIT_FAILURE); + } + mask1 = 0x01 << ((size + 7) & 7); + mask2 = 0xFF & -mask1; + if ((pk.n[0] & mask2) != mask1) { + fprintf(stderr, "wrong modulus size (bits)\n"); + exit(EXIT_FAILURE); + } + + rng.vtable->generate(&rng.vtable, hv, sizeof hv); + memset(sig, 0, sizeof sig); + sig[pk.nlen] = 0x00; + if (!sign(BR_HASH_OID_SHA256, hv, sizeof hv, &sk, sig)) { + fprintf(stderr, "signature error\n"); + exit(EXIT_FAILURE); + } + if (sig[pk.nlen] != 0x00) { + fprintf(stderr, "signature length error\n"); + exit(EXIT_FAILURE); + } + if (!vrfy(sig, pk.nlen, BR_HASH_OID_SHA256, sizeof hv, + &pk, hv2)) + { + fprintf(stderr, "signature verification error (1)\n"); + exit(EXIT_FAILURE); + } + if (memcmp(hv, hv2, sizeof hv) != 0) { + fprintf(stderr, "signature verification error (2)\n"); + exit(EXIT_FAILURE); + } + + printf("."); + fflush(stdout); + } + + printf(" done.\n"); + fflush(stdout); +} + +static void +test_RSA_i15(void) +{ + test_RSA_core("RSA i15 core", &br_rsa_i15_public, &br_rsa_i15_private); + test_RSA_sign("RSA i15 sign", &br_rsa_i15_private, + &br_rsa_i15_pkcs1_sign, &br_rsa_i15_pkcs1_vrfy); + test_RSA_OAEP("RSA i15 OAEP", + &br_rsa_i15_oaep_encrypt, &br_rsa_i15_oaep_decrypt); + test_RSA_keygen("RSA i15 keygen", &br_rsa_i15_keygen, + &br_rsa_i15_pkcs1_sign, &br_rsa_i15_pkcs1_vrfy); +} + +static void +test_RSA_i31(void) +{ + test_RSA_core("RSA i31 core", &br_rsa_i31_public, &br_rsa_i31_private); + test_RSA_sign("RSA i31 sign", &br_rsa_i31_private, + &br_rsa_i31_pkcs1_sign, &br_rsa_i31_pkcs1_vrfy); + test_RSA_OAEP("RSA i31 OAEP", + &br_rsa_i31_oaep_encrypt, &br_rsa_i31_oaep_decrypt); + test_RSA_keygen("RSA i31 keygen", &br_rsa_i31_keygen, + &br_rsa_i31_pkcs1_sign, &br_rsa_i31_pkcs1_vrfy); +} + +static void +test_RSA_i32(void) +{ + test_RSA_core("RSA i32 core", &br_rsa_i32_public, &br_rsa_i32_private); + test_RSA_sign("RSA i32 sign", &br_rsa_i32_private, + &br_rsa_i32_pkcs1_sign, &br_rsa_i32_pkcs1_vrfy); + test_RSA_OAEP("RSA i32 OAEP", + &br_rsa_i32_oaep_encrypt, &br_rsa_i32_oaep_decrypt); +} + +static void +test_RSA_i62(void) +{ + br_rsa_public pub; + br_rsa_private priv; + br_rsa_pkcs1_sign sign; + br_rsa_pkcs1_vrfy vrfy; + br_rsa_oaep_encrypt menc; + br_rsa_oaep_decrypt mdec; + br_rsa_keygen kgen; + + pub = br_rsa_i62_public_get(); + priv = br_rsa_i62_private_get(); + sign = br_rsa_i62_pkcs1_sign_get(); + vrfy = br_rsa_i62_pkcs1_vrfy_get(); + menc = br_rsa_i62_oaep_encrypt_get(); + mdec = br_rsa_i62_oaep_decrypt_get(); + kgen = br_rsa_i62_keygen_get(); + if (pub) { + if (!priv || !sign || !vrfy || !menc || !mdec || !kgen) { + fprintf(stderr, "Inconsistent i62 availability\n"); + exit(EXIT_FAILURE); + } + test_RSA_core("RSA i62 core", pub, priv); + test_RSA_sign("RSA i62 sign", priv, sign, vrfy); + test_RSA_OAEP("RSA i62 OAEP", menc, mdec); + test_RSA_keygen("RSA i62 keygen", kgen, sign, vrfy); + } else { + if (priv || sign || vrfy || menc || mdec || kgen) { + fprintf(stderr, "Inconsistent i62 availability\n"); + exit(EXIT_FAILURE); + } + printf("Test RSA i62: UNAVAILABLE\n"); + } +} + +#if 0 +static void +test_RSA_signatures(void) +{ + uint32_t n[40], e[2], p[20], q[20], dp[20], dq[20], iq[20], x[40]; + unsigned char hv[20], sig[128]; + unsigned char ref[128], tmp[128]; + br_sha1_context hc; + + printf("Test RSA signatures: "); + fflush(stdout); + + /* + * Decode RSA key elements. + */ + br_int_decode(n, sizeof n / sizeof n[0], RSA_N, sizeof RSA_N); + br_int_decode(e, sizeof e / sizeof e[0], RSA_E, sizeof RSA_E); + br_int_decode(p, sizeof p / sizeof p[0], RSA_P, sizeof RSA_P); + br_int_decode(q, sizeof q / sizeof q[0], RSA_Q, sizeof RSA_Q); + br_int_decode(dp, sizeof dp / sizeof dp[0], RSA_DP, sizeof RSA_DP); + br_int_decode(dq, sizeof dq / sizeof dq[0], RSA_DQ, sizeof RSA_DQ); + br_int_decode(iq, sizeof iq / sizeof iq[0], RSA_IQ, sizeof RSA_IQ); /* * Decode reference signature (computed with OpenSSL). @@ -4649,6 +6071,31 @@ test_GHASH(const char *name, br_ghash gh) check_equals("KAT GHASH", y, ref, sizeof ref); } + for (u = 0; u <= 1024; u ++) { + unsigned char key[32], iv[12]; + unsigned char buf[1024 + 32]; + unsigned char y0[16], y1[16]; + char tmp[100]; + + memset(key, 0, sizeof key); + memset(iv, 0, sizeof iv); + br_enc32be(key, u); + memset(buf, 0, sizeof buf); + br_chacha20_ct_run(key, iv, 1, buf, sizeof buf); + + memcpy(y0, buf, 16); + br_ghash_ctmul32(y0, buf + 16, buf + 32, u); + memcpy(y1, buf, 16); + gh(y1, buf + 16, buf + 32, u); + sprintf(tmp, "XREF %s (len = %u)", name, (unsigned)u); + check_equals(tmp, y0, y1, 16); + + if ((u & 31) == 0) { + printf("."); + fflush(stdout); + } + } + printf("done.\n"); fflush(stdout); } @@ -4671,6 +6118,834 @@ test_GHASH_ctmul64(void) test_GHASH("GHASH_ctmul64", br_ghash_ctmul64); } +static void +test_GHASH_pclmul(void) +{ + br_ghash gh; + + gh = br_ghash_pclmul_get(); + if (gh == 0) { + printf("Test GHASH_pclmul: UNAVAILABLE\n"); + } else { + test_GHASH("GHASH_pclmul", gh); + } +} + +static void +test_GHASH_pwr8(void) +{ + br_ghash gh; + + gh = br_ghash_pwr8_get(); + if (gh == 0) { + printf("Test GHASH_pwr8: UNAVAILABLE\n"); + } else { + test_GHASH("GHASH_pwr8", gh); + } +} + +/* + * From: http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-revised-spec.pdf + * + * Order: key, plaintext, AAD, IV, ciphertext, tag + */ +static const char *const KAT_GCM[] = { + "00000000000000000000000000000000", + "", + "", + "000000000000000000000000", + "", + "58e2fccefa7e3061367f1d57a4e7455a", + + "00000000000000000000000000000000", + "00000000000000000000000000000000", + "", + "000000000000000000000000", + "0388dace60b6a392f328c2b971b2fe78", + "ab6e47d42cec13bdf53a67b21257bddf", + + "feffe9928665731c6d6a8f9467308308", + "d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255", + "", + "cafebabefacedbaddecaf888", + "42831ec2217774244b7221b784d0d49ce3aa212f2c02a4e035c17e2329aca12e21d514b25466931c7d8f6a5aac84aa051ba30b396a0aac973d58e091473f5985", + "4d5c2af327cd64a62cf35abd2ba6fab4", + + "feffe9928665731c6d6a8f9467308308", + "d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39", + "feedfacedeadbeeffeedfacedeadbeefabaddad2", + "cafebabefacedbaddecaf888", + "42831ec2217774244b7221b784d0d49ce3aa212f2c02a4e035c17e2329aca12e21d514b25466931c7d8f6a5aac84aa051ba30b396a0aac973d58e091", + "5bc94fbc3221a5db94fae95ae7121a47", + + "feffe9928665731c6d6a8f9467308308", + "d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39", + "feedfacedeadbeeffeedfacedeadbeefabaddad2", + "cafebabefacedbad", + "61353b4c2806934a777ff51fa22a4755699b2a714fcdc6f83766e5f97b6c742373806900e49f24b22b097544d4896b424989b5e1ebac0f07c23f4598", + "3612d2e79e3b0785561be14aaca2fccb", + + "feffe9928665731c6d6a8f9467308308", + "d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39", + "feedfacedeadbeeffeedfacedeadbeefabaddad2", + "9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b", + "8ce24998625615b603a033aca13fb894be9112a5c3a211a8ba262a3cca7e2ca701e4a9a4fba43c90ccdcb281d48c7c6fd62875d2aca417034c34aee5", + "619cc5aefffe0bfa462af43c1699d050", + + "000000000000000000000000000000000000000000000000", + "", + "", + "000000000000000000000000", + "", + "cd33b28ac773f74ba00ed1f312572435", + + "000000000000000000000000000000000000000000000000", + "00000000000000000000000000000000", + "", + "000000000000000000000000", + "98e7247c07f0fe411c267e4384b0f600", + "2ff58d80033927ab8ef4d4587514f0fb", + + "feffe9928665731c6d6a8f9467308308feffe9928665731c", + "d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255", + "", + "cafebabefacedbaddecaf888", + "3980ca0b3c00e841eb06fac4872a2757859e1ceaa6efd984628593b40ca1e19c7d773d00c144c525ac619d18c84a3f4718e2448b2fe324d9ccda2710acade256", + "9924a7c8587336bfb118024db8674a14", + + "feffe9928665731c6d6a8f9467308308feffe9928665731c", + "d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39", + "feedfacedeadbeeffeedfacedeadbeefabaddad2", + "cafebabefacedbaddecaf888", + "3980ca0b3c00e841eb06fac4872a2757859e1ceaa6efd984628593b40ca1e19c7d773d00c144c525ac619d18c84a3f4718e2448b2fe324d9ccda2710", + "2519498e80f1478f37ba55bd6d27618c", + + "feffe9928665731c6d6a8f9467308308feffe9928665731c", + "d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39", + "feedfacedeadbeeffeedfacedeadbeefabaddad2", + "cafebabefacedbad", + "0f10f599ae14a154ed24b36e25324db8c566632ef2bbb34f8347280fc4507057fddc29df9a471f75c66541d4d4dad1c9e93a19a58e8b473fa0f062f7", + "65dcc57fcf623a24094fcca40d3533f8", + + "feffe9928665731c6d6a8f9467308308feffe9928665731c", + "d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39", + "feedfacedeadbeeffeedfacedeadbeefabaddad2", + "9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b", + "d27e88681ce3243c4830165a8fdcf9ff1de9a1d8e6b447ef6ef7b79828666e4581e79012af34ddd9e2f037589b292db3e67c036745fa22e7e9b7373b", + "dcf566ff291c25bbb8568fc3d376a6d9", + + "0000000000000000000000000000000000000000000000000000000000000000", + "", + "", + "000000000000000000000000", + "", + "530f8afbc74536b9a963b4f1c4cb738b", + + "0000000000000000000000000000000000000000000000000000000000000000", + "00000000000000000000000000000000", + "", + "000000000000000000000000", + "cea7403d4d606b6e074ec5d3baf39d18", + "d0d1c8a799996bf0265b98b5d48ab919", + + "feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308", + "d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255", + "", + "cafebabefacedbaddecaf888", + "522dc1f099567d07f47f37a32a84427d643a8cdcbfe5c0c97598a2bd2555d1aa8cb08e48590dbb3da7b08b1056828838c5f61e6393ba7a0abcc9f662898015ad", + "b094dac5d93471bdec1a502270e3cc6c", + + "feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308", + "d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39", + "feedfacedeadbeeffeedfacedeadbeefabaddad2", + "cafebabefacedbaddecaf888", + "522dc1f099567d07f47f37a32a84427d643a8cdcbfe5c0c97598a2bd2555d1aa8cb08e48590dbb3da7b08b1056828838c5f61e6393ba7a0abcc9f662", + "76fc6ece0f4e1768cddf8853bb2d551b", + + "feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308", + "d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39", + "feedfacedeadbeeffeedfacedeadbeefabaddad2", + "cafebabefacedbad", + "c3762df1ca787d32ae47c13bf19844cbaf1ae14d0b976afac52ff7d79bba9de0feb582d33934a4f0954cc2363bc73f7862ac430e64abe499f47c9b1f", + "3a337dbf46a792c45e454913fe2ea8f2", + + "feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308", + "d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39", + "feedfacedeadbeeffeedfacedeadbeefabaddad2", + "9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b", + "5a8def2f0c9e53f1f75d7853659e2a20eeb2b22aafde6419a058ab4f6f746bf40fc0c3b780f244452da3ebf1c5d82cdea2418997200ef82e44ae7e3f", + "a44a8266ee1c8eb0c8b5d4cf5ae9f19a", + + NULL +}; + +static void +test_GCM(void) +{ + size_t u; + + printf("Test GCM: "); + fflush(stdout); + + for (u = 0; KAT_GCM[u]; u += 6) { + unsigned char key[32]; + unsigned char plain[100]; + unsigned char aad[100]; + unsigned char iv[100]; + unsigned char cipher[100]; + unsigned char tag[100]; + size_t key_len, plain_len, aad_len, iv_len; + br_aes_ct_ctr_keys bc; + br_gcm_context gc; + unsigned char tmp[100], out[16]; + size_t v, tag_len; + + key_len = hextobin(key, KAT_GCM[u]); + plain_len = hextobin(plain, KAT_GCM[u + 1]); + aad_len = hextobin(aad, KAT_GCM[u + 2]); + iv_len = hextobin(iv, KAT_GCM[u + 3]); + hextobin(cipher, KAT_GCM[u + 4]); + hextobin(tag, KAT_GCM[u + 5]); + + br_aes_ct_ctr_init(&bc, key, key_len); + br_gcm_init(&gc, &bc.vtable, br_ghash_ctmul32); + + memset(tmp, 0x54, sizeof tmp); + + /* + * Basic operation. + */ + memcpy(tmp, plain, plain_len); + br_gcm_reset(&gc, iv, iv_len); + br_gcm_aad_inject(&gc, aad, aad_len); + br_gcm_flip(&gc); + br_gcm_run(&gc, 1, tmp, plain_len); + br_gcm_get_tag(&gc, out); + check_equals("KAT GCM 1", tmp, cipher, plain_len); + check_equals("KAT GCM 2", out, tag, 16); + + br_gcm_reset(&gc, iv, iv_len); + br_gcm_aad_inject(&gc, aad, aad_len); + br_gcm_flip(&gc); + br_gcm_run(&gc, 0, tmp, plain_len); + check_equals("KAT GCM 3", tmp, plain, plain_len); + if (!br_gcm_check_tag(&gc, tag)) { + fprintf(stderr, "Tag not verified (1)\n"); + exit(EXIT_FAILURE); + } + + for (v = plain_len; v < sizeof tmp; v ++) { + if (tmp[v] != 0x54) { + fprintf(stderr, "overflow on data\n"); + exit(EXIT_FAILURE); + } + } + + /* + * Byte-by-byte injection. + */ + br_gcm_reset(&gc, iv, iv_len); + for (v = 0; v < aad_len; v ++) { + br_gcm_aad_inject(&gc, aad + v, 1); + } + br_gcm_flip(&gc); + for (v = 0; v < plain_len; v ++) { + br_gcm_run(&gc, 1, tmp + v, 1); + } + check_equals("KAT GCM 4", tmp, cipher, plain_len); + if (!br_gcm_check_tag(&gc, tag)) { + fprintf(stderr, "Tag not verified (2)\n"); + exit(EXIT_FAILURE); + } + + br_gcm_reset(&gc, iv, iv_len); + for (v = 0; v < aad_len; v ++) { + br_gcm_aad_inject(&gc, aad + v, 1); + } + br_gcm_flip(&gc); + for (v = 0; v < plain_len; v ++) { + br_gcm_run(&gc, 0, tmp + v, 1); + } + br_gcm_get_tag(&gc, out); + check_equals("KAT GCM 5", tmp, plain, plain_len); + check_equals("KAT GCM 6", out, tag, 16); + + /* + * Check that alterations are detected. + */ + for (v = 0; v < aad_len; v ++) { + memcpy(tmp, cipher, plain_len); + br_gcm_reset(&gc, iv, iv_len); + aad[v] ^= 0x04; + br_gcm_aad_inject(&gc, aad, aad_len); + aad[v] ^= 0x04; + br_gcm_flip(&gc); + br_gcm_run(&gc, 0, tmp, plain_len); + check_equals("KAT GCM 7", tmp, plain, plain_len); + if (br_gcm_check_tag(&gc, tag)) { + fprintf(stderr, "Tag should have changed\n"); + exit(EXIT_FAILURE); + } + } + + /* + * Tag truncation. + */ + for (tag_len = 1; tag_len <= 16; tag_len ++) { + memset(out, 0x54, sizeof out); + memcpy(tmp, plain, plain_len); + br_gcm_reset(&gc, iv, iv_len); + br_gcm_aad_inject(&gc, aad, aad_len); + br_gcm_flip(&gc); + br_gcm_run(&gc, 1, tmp, plain_len); + br_gcm_get_tag_trunc(&gc, out, tag_len); + check_equals("KAT GCM 8", out, tag, tag_len); + for (v = tag_len; v < sizeof out; v ++) { + if (out[v] != 0x54) { + fprintf(stderr, "overflow on tag\n"); + exit(EXIT_FAILURE); + } + } + + memcpy(tmp, plain, plain_len); + br_gcm_reset(&gc, iv, iv_len); + br_gcm_aad_inject(&gc, aad, aad_len); + br_gcm_flip(&gc); + br_gcm_run(&gc, 1, tmp, plain_len); + if (!br_gcm_check_tag_trunc(&gc, out, tag_len)) { + fprintf(stderr, "Tag not verified (3)\n"); + exit(EXIT_FAILURE); + } + } + + printf("."); + fflush(stdout); + } + + printf(" done.\n"); + fflush(stdout); +} + +/* + * From "The EAX Mode of Operation (A Two-Pass Authenticated Encryption + * Scheme Optimized for Simplicity and Efficiency)" (Bellare, Rogaway, + * Wagner), presented at FSE 2004. Full article is available at: + * http://web.cs.ucdavis.edu/~rogaway/papers/eax.html + * + * EAX specification concatenates the authentication tag at the end of + * the ciphertext; in our API and the vectors below, the tag is separate. + * + * Order is: plaintext, key, nonce, header, ciphertext, tag. + */ +static const char *const KAT_EAX[] = { + "", + "233952dee4d5ed5f9b9c6d6ff80ff478", + "62ec67f9c3a4a407fcb2a8c49031a8b3", + "6bfb914fd07eae6b", + "", + "e037830e8389f27b025a2d6527e79d01", + + "f7fb", + "91945d3f4dcbee0bf45ef52255f095a4", + "becaf043b0a23d843194ba972c66debd", + "fa3bfd4806eb53fa", + "19dd", + "5c4c9331049d0bdab0277408f67967e5", + + "1a47cb4933", + "01f74ad64077f2e704c0f60ada3dd523", + "70c3db4f0d26368400a10ed05d2bff5e", + "234a3463c1264ac6", + "d851d5bae0", + "3a59f238a23e39199dc9266626c40f80", + + "481c9e39b1", + "d07cf6cbb7f313bdde66b727afd3c5e8", + "8408dfff3c1a2b1292dc199e46b7d617", + "33cce2eabff5a79d", + "632a9d131a", + "d4c168a4225d8e1ff755939974a7bede", + + "40d0c07da5e4", + "35b6d0580005bbc12b0587124557d2c2", + "fdb6b06676eedc5c61d74276e1f8e816", + "aeb96eaebe2970e9", + "071dfe16c675", + "cb0677e536f73afe6a14b74ee49844dd", + + "4de3b35c3fc039245bd1fb7d", + "bd8e6e11475e60b268784c38c62feb22", + "6eac5c93072d8e8513f750935e46da1b", + "d4482d1ca78dce0f", + "835bb4f15d743e350e728414", + "abb8644fd6ccb86947c5e10590210a4f", + + "8b0a79306c9ce7ed99dae4f87f8dd61636", + "7c77d6e813bed5ac98baa417477a2e7d", + "1a8c98dcd73d38393b2bf1569deefc19", + "65d2017990d62528", + "02083e3979da014812f59f11d52630da30", + "137327d10649b0aa6e1c181db617d7f2", + + "1bda122bce8a8dbaf1877d962b8592dd2d56", + "5fff20cafab119ca2fc73549e20f5b0d", + "dde59b97d722156d4d9aff2bc7559826", + "54b9f04e6a09189a", + "2ec47b2c4954a489afc7ba4897edcdae8cc3", + "3b60450599bd02c96382902aef7f832a", + + "6cf36720872b8513f6eab1a8a44438d5ef11", + "a4a4782bcffd3ec5e7ef6d8c34a56123", + "b781fcf2f75fa5a8de97a9ca48e522ec", + "899a175897561d7e", + "0de18fd0fdd91e7af19f1d8ee8733938b1e8", + "e7f6d2231618102fdb7fe55ff1991700", + + "ca40d7446e545ffaed3bd12a740a659ffbbb3ceab7", + "8395fcf1e95bebd697bd010bc766aac3", + "22e7add93cfc6393c57ec0b3c17d6b44", + "126735fcc320d25a", + "cb8920f87a6c75cff39627b56e3ed197c552d295a7", + "cfc46afc253b4652b1af3795b124ab6e", + + NULL +}; + +static void +test_EAX_inner(const char *name, const br_block_ctrcbc_class *vt) +{ + size_t u; + + printf("Test EAX %s: ", name); + fflush(stdout); + + for (u = 0; KAT_EAX[u]; u += 6) { + unsigned char plain[100]; + unsigned char key[32]; + unsigned char nonce[100]; + unsigned char aad[100]; + unsigned char cipher[100]; + unsigned char tag[100]; + size_t plain_len, key_len, nonce_len, aad_len; + br_aes_gen_ctrcbc_keys bc; + br_eax_context ec; + br_eax_state st; + unsigned char tmp[100], out[16]; + size_t v, tag_len; + + plain_len = hextobin(plain, KAT_EAX[u]); + key_len = hextobin(key, KAT_EAX[u + 1]); + nonce_len = hextobin(nonce, KAT_EAX[u + 2]); + aad_len = hextobin(aad, KAT_EAX[u + 3]); + hextobin(cipher, KAT_EAX[u + 4]); + hextobin(tag, KAT_EAX[u + 5]); + + vt->init(&bc.vtable, key, key_len); + br_eax_init(&ec, &bc.vtable); + + memset(tmp, 0x54, sizeof tmp); + + /* + * Basic operation. + */ + memcpy(tmp, plain, plain_len); + br_eax_reset(&ec, nonce, nonce_len); + br_eax_aad_inject(&ec, aad, aad_len); + br_eax_flip(&ec); + br_eax_run(&ec, 1, tmp, plain_len); + br_eax_get_tag(&ec, out); + check_equals("KAT EAX 1", tmp, cipher, plain_len); + check_equals("KAT EAX 2", out, tag, 16); + + br_eax_reset(&ec, nonce, nonce_len); + br_eax_aad_inject(&ec, aad, aad_len); + br_eax_flip(&ec); + br_eax_run(&ec, 0, tmp, plain_len); + check_equals("KAT EAX 3", tmp, plain, plain_len); + if (!br_eax_check_tag(&ec, tag)) { + fprintf(stderr, "Tag not verified (1)\n"); + exit(EXIT_FAILURE); + } + + for (v = plain_len; v < sizeof tmp; v ++) { + if (tmp[v] != 0x54) { + fprintf(stderr, "overflow on data\n"); + exit(EXIT_FAILURE); + } + } + + /* + * Byte-by-byte injection. + */ + br_eax_reset(&ec, nonce, nonce_len); + for (v = 0; v < aad_len; v ++) { + br_eax_aad_inject(&ec, aad + v, 1); + } + br_eax_flip(&ec); + for (v = 0; v < plain_len; v ++) { + br_eax_run(&ec, 1, tmp + v, 1); + } + check_equals("KAT EAX 4", tmp, cipher, plain_len); + if (!br_eax_check_tag(&ec, tag)) { + fprintf(stderr, "Tag not verified (2)\n"); + exit(EXIT_FAILURE); + } + + br_eax_reset(&ec, nonce, nonce_len); + for (v = 0; v < aad_len; v ++) { + br_eax_aad_inject(&ec, aad + v, 1); + } + br_eax_flip(&ec); + for (v = 0; v < plain_len; v ++) { + br_eax_run(&ec, 0, tmp + v, 1); + } + br_eax_get_tag(&ec, out); + check_equals("KAT EAX 5", tmp, plain, plain_len); + check_equals("KAT EAX 6", out, tag, 16); + + /* + * Check that alterations are detected. + */ + for (v = 0; v < aad_len; v ++) { + memcpy(tmp, cipher, plain_len); + br_eax_reset(&ec, nonce, nonce_len); + aad[v] ^= 0x04; + br_eax_aad_inject(&ec, aad, aad_len); + aad[v] ^= 0x04; + br_eax_flip(&ec); + br_eax_run(&ec, 0, tmp, plain_len); + check_equals("KAT EAX 7", tmp, plain, plain_len); + if (br_eax_check_tag(&ec, tag)) { + fprintf(stderr, "Tag should have changed\n"); + exit(EXIT_FAILURE); + } + } + + /* + * Tag truncation. + */ + for (tag_len = 1; tag_len <= 16; tag_len ++) { + memset(out, 0x54, sizeof out); + memcpy(tmp, plain, plain_len); + br_eax_reset(&ec, nonce, nonce_len); + br_eax_aad_inject(&ec, aad, aad_len); + br_eax_flip(&ec); + br_eax_run(&ec, 1, tmp, plain_len); + br_eax_get_tag_trunc(&ec, out, tag_len); + check_equals("KAT EAX 8", out, tag, tag_len); + for (v = tag_len; v < sizeof out; v ++) { + if (out[v] != 0x54) { + fprintf(stderr, "overflow on tag\n"); + exit(EXIT_FAILURE); + } + } + + memcpy(tmp, plain, plain_len); + br_eax_reset(&ec, nonce, nonce_len); + br_eax_aad_inject(&ec, aad, aad_len); + br_eax_flip(&ec); + br_eax_run(&ec, 1, tmp, plain_len); + if (!br_eax_check_tag_trunc(&ec, out, tag_len)) { + fprintf(stderr, "Tag not verified (3)\n"); + exit(EXIT_FAILURE); + } + } + + printf("."); + fflush(stdout); + + /* + * For capture tests, we need the message to be non-empty. + */ + if (plain_len == 0) { + continue; + } + + /* + * Captured state, pre-AAD. This requires the AAD and the + * message to be non-empty. + */ + br_eax_capture(&ec, &st); + + if (aad_len > 0) { + br_eax_reset_pre_aad(&ec, &st, nonce, nonce_len); + br_eax_aad_inject(&ec, aad, aad_len); + br_eax_flip(&ec); + memcpy(tmp, plain, plain_len); + br_eax_run(&ec, 1, tmp, plain_len); + br_eax_get_tag(&ec, out); + check_equals("KAT EAX 9", tmp, cipher, plain_len); + check_equals("KAT EAX 10", out, tag, 16); + + br_eax_reset_pre_aad(&ec, &st, nonce, nonce_len); + br_eax_aad_inject(&ec, aad, aad_len); + br_eax_flip(&ec); + br_eax_run(&ec, 0, tmp, plain_len); + br_eax_get_tag(&ec, out); + check_equals("KAT EAX 11", tmp, plain, plain_len); + check_equals("KAT EAX 12", out, tag, 16); + } + + /* + * Captured state, post-AAD. This requires the message to + * be non-empty. + */ + br_eax_reset(&ec, nonce, nonce_len); + br_eax_aad_inject(&ec, aad, aad_len); + br_eax_flip(&ec); + br_eax_get_aad_mac(&ec, &st); + + br_eax_reset_post_aad(&ec, &st, nonce, nonce_len); + memcpy(tmp, plain, plain_len); + br_eax_run(&ec, 1, tmp, plain_len); + br_eax_get_tag(&ec, out); + check_equals("KAT EAX 13", tmp, cipher, plain_len); + check_equals("KAT EAX 14", out, tag, 16); + + br_eax_reset_post_aad(&ec, &st, nonce, nonce_len); + br_eax_run(&ec, 0, tmp, plain_len); + br_eax_get_tag(&ec, out); + check_equals("KAT EAX 15", tmp, plain, plain_len); + check_equals("KAT EAX 16", out, tag, 16); + + printf("."); + fflush(stdout); + } + + printf(" done.\n"); + fflush(stdout); +} + +static void +test_EAX(void) +{ + const br_block_ctrcbc_class *x_ctrcbc; + + test_EAX_inner("aes_big", &br_aes_big_ctrcbc_vtable); + test_EAX_inner("aes_small", &br_aes_small_ctrcbc_vtable); + test_EAX_inner("aes_ct", &br_aes_ct_ctrcbc_vtable); + test_EAX_inner("aes_ct64", &br_aes_ct64_ctrcbc_vtable); + + x_ctrcbc = br_aes_x86ni_ctrcbc_get_vtable(); + if (x_ctrcbc != NULL) { + test_EAX_inner("aes_x86ni", x_ctrcbc); + } else { + printf("Test EAX aes_x86ni: UNAVAILABLE\n"); + } +} + +/* + * From NIST SP 800-38C, appendix C. + * + * CCM specification concatenates the authentication tag at the end of + * the ciphertext; in our API and the vectors below, the tag is separate. + * + * Order is: key, nonce, aad, plaintext, ciphertext, tag. + */ +static const char *const KAT_CCM[] = { + "404142434445464748494a4b4c4d4e4f", + "10111213141516", + "0001020304050607", + "20212223", + "7162015b", + "4dac255d", + + "404142434445464748494a4b4c4d4e4f", + "1011121314151617", + "000102030405060708090a0b0c0d0e0f", + "202122232425262728292a2b2c2d2e2f", + "d2a1f0e051ea5f62081a7792073d593d", + "1fc64fbfaccd", + + "404142434445464748494a4b4c4d4e4f", + "101112131415161718191a1b", + "000102030405060708090a0b0c0d0e0f10111213", + "202122232425262728292a2b2c2d2e2f3031323334353637", + "e3b201a9f5b71a7a9b1ceaeccd97e70b6176aad9a4428aa5", + "484392fbc1b09951", + + "404142434445464748494a4b4c4d4e4f", + "101112131415161718191a1b1c", + NULL, + "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "69915dad1e84c6376a68c2967e4dab615ae0fd1faec44cc484828529463ccf72", + "b4ac6bec93e8598e7f0dadbcea5b", + + NULL +}; + +static void +test_CCM_inner(const char *name, const br_block_ctrcbc_class *vt) +{ + size_t u; + + printf("Test CCM %s: ", name); + fflush(stdout); + + for (u = 0; KAT_CCM[u]; u += 6) { + unsigned char plain[100]; + unsigned char key[32]; + unsigned char nonce[100]; + unsigned char aad_buf[100], *aad; + unsigned char cipher[100]; + unsigned char tag[100]; + size_t plain_len, key_len, nonce_len, aad_len, tag_len; + br_aes_gen_ctrcbc_keys bc; + br_ccm_context ec; + unsigned char tmp[100], out[16]; + size_t v; + + key_len = hextobin(key, KAT_CCM[u]); + nonce_len = hextobin(nonce, KAT_CCM[u + 1]); + if (KAT_CCM[u + 2] == NULL) { + aad_len = 65536; + aad = malloc(aad_len); + if (aad == NULL) { + fprintf(stderr, "OOM error\n"); + exit(EXIT_FAILURE); + } + for (v = 0; v < 65536; v ++) { + aad[v] = (unsigned char)v; + } + } else { + aad = aad_buf; + aad_len = hextobin(aad, KAT_CCM[u + 2]); + } + plain_len = hextobin(plain, KAT_CCM[u + 3]); + hextobin(cipher, KAT_CCM[u + 4]); + tag_len = hextobin(tag, KAT_CCM[u + 5]); + + vt->init(&bc.vtable, key, key_len); + br_ccm_init(&ec, &bc.vtable); + + memset(tmp, 0x54, sizeof tmp); + + /* + * Basic operation. + */ + memcpy(tmp, plain, plain_len); + if (!br_ccm_reset(&ec, nonce, nonce_len, + aad_len, plain_len, tag_len)) + { + fprintf(stderr, "CCM reset failed\n"); + exit(EXIT_FAILURE); + } + br_ccm_aad_inject(&ec, aad, aad_len); + br_ccm_flip(&ec); + br_ccm_run(&ec, 1, tmp, plain_len); + if (br_ccm_get_tag(&ec, out) != tag_len) { + fprintf(stderr, "CCM returned wrong tag length\n"); + exit(EXIT_FAILURE); + } + check_equals("KAT CCM 1", tmp, cipher, plain_len); + check_equals("KAT CCM 2", out, tag, tag_len); + + br_ccm_reset(&ec, nonce, nonce_len, + aad_len, plain_len, tag_len); + br_ccm_aad_inject(&ec, aad, aad_len); + br_ccm_flip(&ec); + br_ccm_run(&ec, 0, tmp, plain_len); + check_equals("KAT CCM 3", tmp, plain, plain_len); + if (!br_ccm_check_tag(&ec, tag)) { + fprintf(stderr, "Tag not verified (1)\n"); + exit(EXIT_FAILURE); + } + + for (v = plain_len; v < sizeof tmp; v ++) { + if (tmp[v] != 0x54) { + fprintf(stderr, "overflow on data\n"); + exit(EXIT_FAILURE); + } + } + + /* + * Byte-by-byte injection. + */ + br_ccm_reset(&ec, nonce, nonce_len, + aad_len, plain_len, tag_len); + for (v = 0; v < aad_len; v ++) { + br_ccm_aad_inject(&ec, aad + v, 1); + } + br_ccm_flip(&ec); + for (v = 0; v < plain_len; v ++) { + br_ccm_run(&ec, 1, tmp + v, 1); + } + check_equals("KAT CCM 4", tmp, cipher, plain_len); + if (!br_ccm_check_tag(&ec, tag)) { + fprintf(stderr, "Tag not verified (2)\n"); + exit(EXIT_FAILURE); + } + + br_ccm_reset(&ec, nonce, nonce_len, + aad_len, plain_len, tag_len); + for (v = 0; v < aad_len; v ++) { + br_ccm_aad_inject(&ec, aad + v, 1); + } + br_ccm_flip(&ec); + for (v = 0; v < plain_len; v ++) { + br_ccm_run(&ec, 0, tmp + v, 1); + } + br_ccm_get_tag(&ec, out); + check_equals("KAT CCM 5", tmp, plain, plain_len); + check_equals("KAT CCM 6", out, tag, tag_len); + + /* + * Check that alterations are detected. + */ + for (v = 0; v < aad_len; v ++) { + memcpy(tmp, cipher, plain_len); + br_ccm_reset(&ec, nonce, nonce_len, + aad_len, plain_len, tag_len); + aad[v] ^= 0x04; + br_ccm_aad_inject(&ec, aad, aad_len); + aad[v] ^= 0x04; + br_ccm_flip(&ec); + br_ccm_run(&ec, 0, tmp, plain_len); + check_equals("KAT CCM 7", tmp, plain, plain_len); + if (br_ccm_check_tag(&ec, tag)) { + fprintf(stderr, "Tag should have changed\n"); + exit(EXIT_FAILURE); + } + + /* + * When the AAD is really big, we don't want to do + * the complete quadratic operation. + */ + if (v >= 32) { + break; + } + } + + if (aad != aad_buf) { + free(aad); + } + + printf("."); + fflush(stdout); + } + + printf(" done.\n"); + fflush(stdout); +} + +static void +test_CCM(void) +{ + const br_block_ctrcbc_class *x_ctrcbc; + + test_CCM_inner("aes_big", &br_aes_big_ctrcbc_vtable); + test_CCM_inner("aes_small", &br_aes_small_ctrcbc_vtable); + test_CCM_inner("aes_ct", &br_aes_ct_ctrcbc_vtable); + test_CCM_inner("aes_ct64", &br_aes_ct64_ctrcbc_vtable); + + x_ctrcbc = br_aes_x86ni_ctrcbc_get_vtable(); + if (x_ctrcbc != NULL) { + test_CCM_inner("aes_x86ni", x_ctrcbc); + } else { + printf("Test CCM aes_x86ni: UNAVAILABLE\n"); + } +} + static void test_EC_inner(const char *sk, const char *sU, const br_ec_impl *impl, int curve) @@ -4863,6 +7138,39 @@ test_EC_inner(const char *sk, const char *sU, fflush(stdout); } +static void +test_EC_P256_carry_inner(const br_ec_impl *impl, const char *sP, const char *sQ) +{ + unsigned char P[65], Q[sizeof P], k[1]; + size_t plen, qlen; + + plen = hextobin(P, sP); + qlen = hextobin(Q, sQ); + if (plen != sizeof P || qlen != sizeof P) { + fprintf(stderr, "KAT is incorrect\n"); + exit(EXIT_FAILURE); + } + k[0] = 0x10; + if (impl->mul(P, plen, k, 1, BR_EC_secp256r1) != 1) { + fprintf(stderr, "P-256 multiplication failed\n"); + exit(EXIT_FAILURE); + } + check_equals("P256_carry", P, Q, plen); + printf("."); + fflush(stdout); +} + +static void +test_EC_P256_carry(const br_ec_impl *impl) +{ + test_EC_P256_carry_inner(impl, + "0435BAA24B2B6E1B3C88E22A383BD88CC4B9A3166E7BCF94FF6591663AE066B33B821EBA1B4FC8EA609A87EB9A9C9A1CCD5C9F42FA1365306F64D7CAA718B8C978", + "0447752A76CA890328D34E675C4971EC629132D1FC4863EDB61219B72C4E58DC5E9D51E7B293488CFD913C3CF20E438BB65C2BA66A7D09EABB45B55E804260C5EB"); + test_EC_P256_carry_inner(impl, + "04DCAE9D9CE211223602024A6933BD42F77B6BF4EAB9C8915F058C149419FADD2CC9FC0707B270A1B5362BA4D249AFC8AC3DA1EFCA8270176EEACA525B49EE19E6", + "048DAC7B0BE9B3206FCE8B24B6B4AEB122F2A67D13E536B390B6585CA193427E63F222388B5F51D744D6F5D47536D89EEEC89552BCB269E7828019C4410DFE980A"); +} + static void test_EC_KAT(const char *name, const br_ec_impl *impl, uint32_t curve_mask) { @@ -4875,6 +7183,7 @@ test_EC_KAT(const char *name, const br_ec_impl *impl, uint32_t curve_mask) "C9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721", "0460FED4BA255A9D31C961EB74C6356D68C049B8923B61FA6CE669622E60F29FB67903FE1008B8BC99A41AE9E95628BC64F2F1B20C2D7E9F5177A3C294D4462299", impl, BR_EC_secp256r1); + test_EC_P256_carry(impl); } if (curve_mask & ((uint32_t)1 << BR_EC_secp384r1)) { test_EC_inner( @@ -4918,6 +7227,13 @@ test_EC_p256_m15(void) (uint32_t)1 << BR_EC_secp256r1); } +static void +test_EC_p256_m31(void) +{ + test_EC_KAT("EC_p256_m31", &br_ec_p256_m31, + (uint32_t)1 << BR_EC_secp256r1); +} + const struct { const char *scalar; const char *u_in; @@ -5492,6 +7808,108 @@ test_ECDSA_i15(void) fflush(stdout); } +static void +test_modpow_i31(void) +{ + br_hmac_drbg_context hc; + int k; + + printf("Test ModPow/i31: "); + + br_hmac_drbg_init(&hc, &br_sha256_vtable, "seed modpow", 11); + for (k = 10; k <= 500; k ++) { + size_t blen; + unsigned char bm[128], bx[128], bx1[128], bx2[128]; + unsigned char be[128]; + unsigned mask; + uint32_t x1[35], m1[35]; + uint16_t x2[70], m2[70]; + uint32_t tmp1[1000]; + uint16_t tmp2[2000]; + + blen = (k + 7) >> 3; + br_hmac_drbg_generate(&hc, bm, blen); + br_hmac_drbg_generate(&hc, bx, blen); + br_hmac_drbg_generate(&hc, be, blen); + bm[blen - 1] |= 0x01; + mask = 0xFF >> ((int)(blen << 3) - k); + bm[0] &= mask; + bm[0] |= (mask - (mask >> 1)); + bx[0] &= (mask >> 1); + + br_i31_decode(m1, bm, blen); + br_i31_decode_mod(x1, bx, blen, m1); + br_i31_modpow_opt(x1, be, blen, m1, br_i31_ninv31(m1[1]), + tmp1, (sizeof tmp1) / (sizeof tmp1[0])); + br_i31_encode(bx1, blen, x1); + + br_i15_decode(m2, bm, blen); + br_i15_decode_mod(x2, bx, blen, m2); + br_i15_modpow_opt(x2, be, blen, m2, br_i15_ninv15(m2[1]), + tmp2, (sizeof tmp2) / (sizeof tmp2[0])); + br_i15_encode(bx2, blen, x2); + + check_equals("ModPow i31/i15", bx1, bx2, blen); + + printf("."); + fflush(stdout); + } + + printf(" done.\n"); + fflush(stdout); +} + +static void +test_modpow_i62(void) +{ + br_hmac_drbg_context hc; + int k; + + printf("Test ModPow/i62: "); + + br_hmac_drbg_init(&hc, &br_sha256_vtable, "seed modpow", 11); + for (k = 10; k <= 500; k ++) { + size_t blen; + unsigned char bm[128], bx[128], bx1[128], bx2[128]; + unsigned char be[128]; + unsigned mask; + uint32_t x1[35], m1[35]; + uint16_t x2[70], m2[70]; + uint64_t tmp1[500]; + uint16_t tmp2[2000]; + + blen = (k + 7) >> 3; + br_hmac_drbg_generate(&hc, bm, blen); + br_hmac_drbg_generate(&hc, bx, blen); + br_hmac_drbg_generate(&hc, be, blen); + bm[blen - 1] |= 0x01; + mask = 0xFF >> ((int)(blen << 3) - k); + bm[0] &= mask; + bm[0] |= (mask - (mask >> 1)); + bx[0] &= (mask >> 1); + + br_i31_decode(m1, bm, blen); + br_i31_decode_mod(x1, bx, blen, m1); + br_i62_modpow_opt(x1, be, blen, m1, br_i31_ninv31(m1[1]), + tmp1, (sizeof tmp1) / (sizeof tmp1[0])); + br_i31_encode(bx1, blen, x1); + + br_i15_decode(m2, bm, blen); + br_i15_decode_mod(x2, bx, blen, m2); + br_i15_modpow_opt(x2, be, blen, m2, br_i15_ninv15(m2[1]), + tmp2, (sizeof tmp2) / (sizeof tmp2[0])); + br_i15_encode(bx2, blen, x2); + + check_equals("ModPow i62/i15", bx1, bx2, blen); + + printf("."); + fflush(stdout); + } + + printf(" done.\n"); + fflush(stdout); +} + static int eq_name(const char *s1, const char *s2) { @@ -5552,27 +7970,45 @@ static const struct { STU(AES_small), STU(AES_ct), STU(AES_ct64), + STU(AES_pwr8), + STU(AES_x86ni), + STU(AES_CTRCBC_big), + STU(AES_CTRCBC_small), + STU(AES_CTRCBC_ct), + STU(AES_CTRCBC_ct64), + STU(AES_CTRCBC_x86ni), STU(DES_tab), STU(DES_ct), STU(ChaCha20_ct), + STU(ChaCha20_sse2), STU(Poly1305_ctmul), STU(Poly1305_ctmul32), + STU(Poly1305_ctmulq), STU(Poly1305_i15), STU(RSA_i15), STU(RSA_i31), STU(RSA_i32), + STU(RSA_i62), STU(GHASH_ctmul), STU(GHASH_ctmul32), STU(GHASH_ctmul64), + STU(GHASH_pclmul), + STU(GHASH_pwr8), + STU(CCM), + STU(EAX), + STU(GCM), STU(EC_prime_i15), STU(EC_prime_i31), STU(EC_p256_m15), + STU(EC_p256_m31), STU(EC_c25519_i15), STU(EC_c25519_i31), STU(EC_c25519_m15), STU(EC_c25519_m31), STU(ECDSA_i15), STU(ECDSA_i31), + STU(modpow_i31), + STU(modpow_i62), { 0, 0 } };