randombit / botan / 12939727421

coverage: 91.212% (+0.01%) from 91.202%
12939727421

push

github

web-flow 
Merge pull request #4582 from randombit/jack/fake-pms-match-expected

In PK_Decryptor::decrypt_or_random return a fake PMS matching expected content bytes

93618 of 102638 relevant lines covered (91.21%)

11596786.31 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

92.49
/src/tests/test_rsa.cpp
1 
/*
2 
* (C) 2014,2015 Jack Lloyd
3 
*
4 
* Botan is released under the Simplified BSD License (see license.txt)
5 
*/
6 









7



#include "test_rng.h"










8



#include "tests.h"










9












10



#if defined(BOTAN_HAS_RSA)










11



   #include "test_pubkey.h"










12



   #include <botan/rsa.h>










13



#endif










14












15



namespace Botan_Tests {










16












17



namespace {










18












19



#if defined(BOTAN_HAS_RSA)










20












21



std::unique_ptr<Botan::Private_Key> load_rsa_private_key(const VarMap& vars) {




555





22



   const BigInt p = vars.get_req_bn("P");




555





23



   const BigInt q = vars.get_req_bn("Q");




555





24



   const BigInt e = vars.get_req_bn("E");




555





25












26



   return std::make_unique<Botan::RSA_PrivateKey>(p, q, e);




555





27



}




1,665





28












29



std::unique_ptr<Botan::Public_Key> load_rsa_public_key(const VarMap& vars) {




568





30



   const BigInt n = vars.get_req_bn("N");




568





31



   const BigInt e = vars.get_req_bn("E");




568





32












33



   return std::make_unique<Botan::RSA_PublicKey>(n, e);




1,136





34



}




1,136





35












36



class RSA_ES_KAT_Tests final : public PK_Encryption_Decryption_Test {










37



   public:










38



      RSA_ES_KAT_Tests() : PK_Encryption_Decryption_Test("RSA", "pubkey/rsaes.vec", "E,P,Q,Msg,Ciphertext", "Nonce") {}




2





39












40



      std::unique_ptr<Botan::Private_Key> load_private_key(const VarMap& vars) override {




188





41



         return load_rsa_private_key(vars);




188





42



      }










43



};










44












45



class RSA_Decryption_KAT_Tests final : public PK_Decryption_Test {










46



   public:










47



      RSA_Decryption_KAT_Tests() : PK_Decryption_Test("RSA", "pubkey/rsa_decrypt.vec", "E,P,Q,Ciphertext,Msg") {}




2





48












49



      bool clear_between_callbacks() const override { return false; }




25





50












51



      std::unique_ptr<Botan::Private_Key> load_private_key(const VarMap& vars) override {




25





52



         return load_rsa_private_key(vars);




25





53



      }










54



};










55












56



class RSA_KEM_Tests final : public PK_KEM_Test {










57



   public:










58



      RSA_KEM_Tests() : PK_KEM_Test("RSA", "pubkey/rsa_kem.vec", "E,P,Q,R,C0,KDF,K") {}




2





59












60



      std::unique_ptr<Botan::Private_Key> load_private_key(const VarMap& vars) override {




10





61



         return load_rsa_private_key(vars);




10





62



      }










63



};










64












65



class RSA_Signature_KAT_Tests final : public PK_Signature_Generation_Test {










66



   public:










67



      RSA_Signature_KAT_Tests() :




1





68



            PK_Signature_Generation_Test("RSA", "pubkey/rsa_sig.vec", "E,P,Q,Msg,Signature", "Nonce") {}




2





69












70



      std::string default_padding(const VarMap& /*unused*/) const override { return "Raw"; }




×







71












72



      std::unique_ptr<Botan::Private_Key> load_private_key(const VarMap& vars) override {




172





73



         return load_rsa_private_key(vars);




172





74



      }










75



};










76












77



class RSA_PSS_KAT_Tests final : public PK_Signature_Generation_Test {










78



   public:










79



      RSA_PSS_KAT_Tests() :




1





80



            PK_Signature_Generation_Test("RSA", "pubkey/rsa_pss.vec", "P,Q,E,Hash,Nonce,Msg,Signature", "") {}




2





81












82



      std::string default_padding(const VarMap& vars) const override {




80





83



         const std::string hash_name = vars.get_req_str("Hash");




80





84



         const size_t salt_size = vars.get_req_bin("Nonce").size();




160





85



         return "PSSR(" + hash_name + ",MGF1," + std::to_string(salt_size) + ")";




240





86



      }




80





87












88



      bool clear_between_callbacks() const override { return false; }




80





89












90



      std::unique_ptr<Botan::Private_Key> load_private_key(const VarMap& vars) override {




80





91



         return load_rsa_private_key(vars);




80





92



      }










93



};










94












95



class RSA_PSS_Raw_KAT_Tests final : public PK_Signature_Generation_Test {










96



   public:










97



      RSA_PSS_Raw_KAT_Tests() :




1





98



            PK_Signature_Generation_Test("RSA", "pubkey/rsa_pss_raw.vec", "P,Q,E,Hash,Nonce,Msg,Signature", "") {}




2





99












100



      std::string default_padding(const VarMap& vars) const override {




80





101



         const std::string hash_name = vars.get_req_str("Hash");




80





102



         const size_t salt_size = vars.get_req_bin("Nonce").size();




160





103



         return "PSSR_Raw(" + hash_name + ",MGF1," + std::to_string(salt_size) + ")";




240





104



      }




80





105












106



      bool clear_between_callbacks() const override { return false; }




80





107












108



      std::unique_ptr<Botan::Private_Key> load_private_key(const VarMap& vars) override {




80





109



         return load_rsa_private_key(vars);




80





110



      }










111



};










112












113



class RSA_Signature_Verify_Tests final : public PK_Signature_Verification_Test {










114



   public:










115



      RSA_Signature_Verify_Tests() :




1





116



            PK_Signature_Verification_Test("RSA", "pubkey/rsa_verify.vec", "E,N,Msg,Signature") {}




2





117












118



      std::string default_padding(const VarMap& /*unused*/) const override { return "Raw"; }




×







119












120



      std::unique_ptr<Botan::Public_Key> load_public_key(const VarMap& vars) override {




202





121



         return load_rsa_public_key(vars);




202





122



      }










123



};










124












125



class RSA_Signature_Verify_Invalid_Tests final : public PK_Signature_NonVerification_Test {










126



   public:










127



      RSA_Signature_Verify_Invalid_Tests() :




1





128



            PK_Signature_NonVerification_Test("RSA", "pubkey/rsa_invalid.vec", "E,N,Msg,InvalidSignature") {}




2





129












130



      std::string default_padding(const VarMap& /*unused*/) const override { return "Raw"; }




×







131












132



      std::unique_ptr<Botan::Public_Key> load_public_key(const VarMap& vars) override {




366





133



         return load_rsa_public_key(vars);




366





134



      }










135



};










136












137



class RSA_Keygen_Tests final : public PK_Key_Generation_Test {




×







138



   public:










139



      std::vector<std::string> keygen_params() const override { return {"1024", "1280"}; }




1





140












141



      std::unique_ptr<Botan::Public_Key> public_key_from_raw(std::string_view /* keygen_params */,




×







142



                                                             std::string_view /* provider */,










143



                                                             std::span<const uint8_t> /* raw_pk */) const override {










144



         // RSA does not implement raw public key encoding










145



         return nullptr;




×







146



      }










147












148



      std::string algo_name() const override { return "RSA"; }




2





149



};










150












151



class RSA_Keygen_Stability_Tests final : public PK_Key_Generation_Stability_Test {










152



   public:










153



      RSA_Keygen_Stability_Tests() : PK_Key_Generation_Stability_Test("RSA", "pubkey/rsa_keygen.vec") {}




2





154



};










155












156



class RSA_Keygen_Bad_RNG_Test final : public Test {




×







157



   public:










158



      std::vector<Test::Result> run() override {




1





159



         Test::Result result("RSA keygen with bad RNG");




1





160












161



         /*










162



         We don't need to count requests here; actually this test










163



         is relying on the fact that the Request_Counting_RNG outputs










164



         repeating 808080...










165



         */










166



         Request_Counting_RNG rng;




1





167












168



         try {




1





169



            Botan::RSA_PrivateKey rsa(rng, 1024);




1





170



            result.test_failure("Generated a key with a bad RNG");




×







171



         } catch(Botan::Internal_Error& e) {




1





172



            result.test_success("Key generation with bad RNG failed");




1





173



            result.test_eq("Expected message", e.what(), "Internal error: RNG failure during RSA key generation");




1





174



         }




1





175












176



         return {result};




2





177



      }




2





178



};










179












180



class RSA_Blinding_Tests final : public Test {




×







181



   public:










182



      std::vector<Test::Result> run() override {




1





183



         Test::Result result("RSA blinding");




1





184












185



         /* This test makes only sense with the base provider, else skip it. */










186



         if(provider_filter({"base"}).empty()) {




1





187



            result.note_missing("base provider");




×







188



            return std::vector<Test::Result>{result};




×







189



         }










190












191



   #if defined(BOTAN_HAS_EMSA_RAW) || defined(BOTAN_HAS_EME_RAW)










192



         Botan::RSA_PrivateKey rsa(this->rng(), 1024);




1





193



         Botan::Null_RNG null_rng;




1





194



   #endif










195












196



   #if defined(BOTAN_HAS_EMSA_RAW)










197












198



         /*










199



         * The blinder chooses a new starting point BOTAN_BLINDING_REINIT_INTERVAL










200



         * so sign several times that with a single key.










201



         *










202



         * Very small values (padding/hashing disabled, only low byte set on input)










203



         * are used as an additional test on the blinders.










204



         */










205












206



         Botan::PK_Signer signer(




1





207



            rsa, this->rng(), "Raw", Botan::Signature_Format::Standard, "base");  // don't try this at home




1





208



         Botan::PK_Verifier verifier(rsa, "Raw", Botan::Signature_Format::Standard, "base");




1





209












210



         for(size_t i = 1; i <= BOTAN_BLINDING_REINIT_INTERVAL * 6; ++i) {




385





211



            std::vector<uint8_t> input(16);




384





212



            input[input.size() - 1] = static_cast<uint8_t>(i | 1);




384





213












214



            signer.update(input);




384





215












216



            // assert RNG is not called in this situation










217



            std::vector<uint8_t> signature = signer.signature(null_rng);




384





218












219



            result.test_eq("Signature verifies", verifier.verify_message(input, signature), true);




768





220



         }




768





221



   #endif










222












223



   #if defined(BOTAN_HAS_EME_RAW)










224












225



         /*










226



         * The blinder chooses a new starting point BOTAN_BLINDING_REINIT_INTERVAL










227



         * so decrypt several times that with a single key.










228



         *










229



         * Very small values (padding/hashing disabled, only low byte set on input)










230



         * are used as an additional test on the blinders.










231



         */










232












233



         Botan::PK_Encryptor_EME encryptor(rsa, this->rng(), "Raw", "base");  // don't try this at home




1





234












235



         /*










236



         Test blinding reinit interval










237












238



         Seed Fixed_Output_RNG only with enough bytes for the initial










239



         blinder initialization plus the exponent blinding bits which










240



         is 2*64 bits per operation.










241



         */










242



         const size_t rng_bytes = rsa.get_n().bytes() + (2 * 8 * BOTAN_BLINDING_REINIT_INTERVAL);




1





243












244



         Fixed_Output_RNG fixed_rng(this->rng(), rng_bytes);




1





245



         Botan::PK_Decryptor_EME decryptor(rsa, fixed_rng, "Raw", "base");




1





246












247



         for(size_t i = 1; i <= BOTAN_BLINDING_REINIT_INTERVAL; ++i) {




65





248



            std::vector<uint8_t> input(16);




64





249



            input[input.size() - 1] = static_cast<uint8_t>(i);




64





250












251



            std::vector<uint8_t> ciphertext = encryptor.encrypt(input, null_rng);




64





252












253



            std::vector<uint8_t> plaintext = Botan::unlock(decryptor.decrypt(ciphertext));




64





254



            plaintext.insert(plaintext.begin(), input.size() - 1, 0);




64





255












256



            result.test_eq("Successful decryption", plaintext, input);




128





257



         }




192





258












259



         result.test_eq("RNG is no longer seeded", fixed_rng.is_seeded(), false);




1





260












261



         // one more decryption should trigger a blinder reinitialization










262



         result.test_throws("RSA blinding reinit",




2





263



                            "Test error Fixed output RNG ran out of bytes, test bug?",










264



                            [&decryptor, &encryptor, &null_rng]() {




1





265



                               std::vector<uint8_t> ciphertext =




1





266



                                  encryptor.encrypt(std::vector<uint8_t>(16, 5), null_rng);




1





267



                               decryptor.decrypt(ciphertext);




1





268



                            });




×







269












270



   #endif










271












272



         return std::vector<Test::Result>{result};




2





273



      }




2





274



};










275












276



class RSA_DecryptOrRandom_Tests : public Test {




×







277



   public:










278



      std::vector<Test::Result> run() override {




1





279



         const std::vector<std::string> padding_schemes = {




1





280



   #if defined(BOTAN_HAS_EME_PKCS1)










281



            "PKCS1v15",










282



   #endif










283



   #if defined(BOTAN_HAS_EME_OAEP)










284



            "OAEP(SHA-256)",










285



   #endif










286



         };




1





287












288



         constexpr size_t bits = 1024;




1





289












290



         auto private_key = Botan::RSA_PrivateKey(rng(), bits);




1





291












292



         std::vector<Test::Result> results;




1





293



         for(const auto& padding : padding_schemes) {




3





294



            Test::Result result("RSA decrypt_or_random " + padding);




2





295



            test_decrypt_or_random(result, padding, private_key, rng());




2





296



            results.push_back(result);




2





297



         }




2





298



         return results;




1





299



      }




1





300












301



   private:










302



      static void test_decrypt_or_random(Test::Result& result,




2





303



                                         std::string_view padding,










304



                                         Botan::Private_Key& private_key,










305



                                         Botan::RandomNumberGenerator& rng) {










306



         constexpr size_t trials = 100;




2





307



         constexpr size_t pt_len = 32;




2





308












309



         auto public_key = private_key.public_key();




2





310



         const auto msg = rng.random_vec(pt_len);




2





311












312



         Botan::PK_Encryptor_EME enc(*public_key, rng, padding);




2





313



         const auto ctext = enc.encrypt(msg, rng);




2





314












315



         Botan::PK_Decryptor_EME dec(private_key, rng, padding);




2





316












317



         for(size_t i = 0; i != trials; ++i) {




202





318



            auto bad_ctext = mutate_vec(ctext, rng, false, 1);




200





319












320



            auto rec = dec.decrypt_or_random(bad_ctext.data(), bad_ctext.size(), pt_len, rng);




200





321












322



            result.test_eq("Returns a ciphertext of expected length", rec.size(), pt_len);




400





323



         }




400





324












325



         // Test decrypt_or_random with content check happy path










326



         for(size_t i = 1; i != pt_len; ++i) {




64





327



            const size_t req_bytes = i;




62





328












329



            std::vector<uint8_t> required_contents(req_bytes);




62





330



            std::vector<uint8_t> required_offsets(req_bytes);




62





331












332



            for(size_t j = 0; j != req_bytes; ++j) {




1,054





333



               uint8_t idx = rng.next_byte() % pt_len;




992





334



               required_contents[j] = msg[idx];




992





335



               required_offsets[j] = idx;




992





336



            }










337












338



            auto rec = dec.decrypt_or_random(




62





339



               ctext.data(), ctext.size(), pt_len, rng, required_contents.data(), required_offsets.data(), req_bytes);




62





340












341



            result.test_eq("Returned the expected message", rec, msg);




124





342



         }




186





343












344



         // Test decrypt_or_random with content check error path










345



         for(size_t i = 1; i != pt_len; ++i) {




64





346



            const size_t req_bytes = i;




62





347












348



            std::vector<uint8_t> required_contents(req_bytes);




62





349



            std::vector<uint8_t> required_offsets(req_bytes);




62





350












351



            size_t corrupted = Test::random_index(rng, req_bytes);




62





352



            uint8_t corruption = rng.next_nonzero_byte();




62





353












354



            for(size_t j = 0; j != req_bytes; ++j) {




1,054





355



               uint8_t idx = rng.next_byte() % pt_len;




992





356



               required_offsets[j] = idx;




992





357












358



               if(idx == corrupted) {




992





359



                  required_contents[j] = msg[idx] ^ corruption;




39





360



               } else {










361



                  required_contents[j] = msg[idx];




953





362



               }










363



            }










364












365



            auto rec = dec.decrypt_or_random(




62





366



               ctext.data(), ctext.size(), pt_len, rng, required_contents.data(), required_offsets.data(), req_bytes);




62





367












368



            result.test_ne("Returned random message", rec, ctext);




124





369












370



            for(size_t j = 0; j != req_bytes; ++j) {




1,054





371



               result.confirm("Random message satisfies stated content requirements",




1,984





372



                              rec[required_offsets[j]] == required_contents[j]);




992





373



            }










374



         }




186





375



      }




8





376



};










377












378



BOTAN_REGISTER_TEST("pubkey", "rsa_encrypt", RSA_ES_KAT_Tests);










379



BOTAN_REGISTER_TEST("pubkey", "rsa_decrypt", RSA_Decryption_KAT_Tests);










380



BOTAN_REGISTER_TEST("pubkey", "rsa_sign", RSA_Signature_KAT_Tests);










381



BOTAN_REGISTER_TEST("pubkey", "rsa_pss", RSA_PSS_KAT_Tests);










382



BOTAN_REGISTER_TEST("pubkey", "rsa_pss_raw", RSA_PSS_Raw_KAT_Tests);










383



BOTAN_REGISTER_TEST("pubkey", "rsa_verify", RSA_Signature_Verify_Tests);










384



BOTAN_REGISTER_TEST("pubkey", "rsa_verify_invalid", RSA_Signature_Verify_Invalid_Tests);










385



BOTAN_REGISTER_TEST("pubkey", "rsa_kem", RSA_KEM_Tests);










386



BOTAN_REGISTER_TEST("pubkey", "rsa_keygen", RSA_Keygen_Tests);










387



BOTAN_REGISTER_TEST("pubkey", "rsa_keygen_stability", RSA_Keygen_Stability_Tests);










388



BOTAN_REGISTER_TEST("pubkey", "rsa_keygen_badrng", RSA_Keygen_Bad_RNG_Test);










389



BOTAN_REGISTER_TEST("pubkey", "rsa_blinding", RSA_Blinding_Tests);










390



BOTAN_REGISTER_TEST("pubkey", "rsa_decrypt_or_random", RSA_DecryptOrRandom_Tests);










391












392



#endif










393












394



}  // namespace










395












396



}  // namespace Botan_Tests
























    

  • 

    •