Fix bug in RSA PKCS#1 v1.5 "reversed" operations

2025-03-08 10:09:54 +00:00 · 2014-02-03 11:58:55 +01:00 · 2014-02-03 11:58:55 +01:00 · fbf0915404
parent c4919bc528
commit fbf0915404
3 changed files with 36 additions and 2 deletions
--- a/1
+++ b/1
@ -7,6 +7,7 @@ Features
 Bugfix
   * ecp_gen_keypair() does more tries to prevent failure because of
     statistics
   * Fix buf in RSA PKCS#1 v1.5 "reversed" operations
 = PolarSSL 1.3.4 released on 2014-01-27
 Features
--- a/library/rsa.c
+++ b/library/rsa.c
@ -809,7 +809,7 @@ int rsa_rsaes_pkcs1_v15_decrypt( rsa_context *ctx,
         * (minus one, for the 00 byte) */
        for( i = 0; i < ilen - 3; i++ )
        {
-            pad_done |= ( p[i] == 0xFF );
+            pad_done |= ( p[i] != 0xFF );
            pad_count += ( pad_done == 0 );
        }
--- a/tests/suites/test_suite_rsa.function
+++ b/tests/suites/test_suite_rsa.function
@ -160,6 +160,21 @@ void rsa_pkcs1_sign_raw( char *message_hex_string, char *hash_result_string,
    TEST_ASSERT( strcasecmp( (char *) output_str, result_hex_str ) == 0 );
    /* For PKCS#1 v1.5, there is an alternative way to generate signatures */
    if( padding_mode == RSA_PKCS_V15 )
    {
        memset( output, 0x00, 1000 );
        memset( output_str, 0x00, 1000 );
        TEST_ASSERT( rsa_rsaes_pkcs1_v15_encrypt( &ctx,
                    &rnd_pseudo_rand, &rnd_info, RSA_PRIVATE,
                    hash_len, hash_result, output ) == 0 );
        hexify( output_str, output, ctx.len );
        TEST_ASSERT( strcasecmp( (char *) output_str, result_hex_str ) == 0 );
    }
    mpi_free( &P1 ); mpi_free( &Q1 ); mpi_free( &H ); mpi_free( &G );
    rsa_free( &ctx );
 }
@ -174,13 +189,15 @@ void rsa_pkcs1_verify_raw( char *message_hex_string, char *hash_result_string,
    unsigned char message_str[1000];
    unsigned char hash_result[1000];
    unsigned char result_str[1000];
    unsigned char output[1000];
    rsa_context ctx;
-    size_t hash_len;
+    size_t hash_len, olen;
    rsa_init( &ctx, padding_mode, 0 );
    memset( message_str, 0x00, 1000 );
    memset( hash_result, 0x00, 1000 );
    memset( result_str, 0x00, 1000 );
    memset( output, 0x00, sizeof( output ) );
    ctx.len = mod / 8;
    TEST_ASSERT( mpi_read_string( &ctx.N, radix_N, input_N ) == 0 );
@ -194,6 +211,22 @@ void rsa_pkcs1_verify_raw( char *message_hex_string, char *hash_result_string,
    TEST_ASSERT( rsa_pkcs1_verify( &ctx, NULL, NULL, RSA_PUBLIC, POLARSSL_MD_NONE, hash_len, hash_result, result_str ) == correct );
    /* For PKCS#1 v1.5, there is an alternative way to verify signatures */
    if( padding_mode == RSA_PKCS_V15 )
    {
        int ok;
        TEST_ASSERT( rsa_rsaes_pkcs1_v15_decrypt( &ctx,
                    NULL, NULL, RSA_PUBLIC,
                    &olen, result_str, output, sizeof( output ) ) == 0 );
        ok = olen == hash_len && memcmp( output, hash_result, olen ) == 0;
        if( correct == 0 )
            TEST_ASSERT( ok == 1 );
        else
            TEST_ASSERT( ok == 0 );
    }
    rsa_free( &ctx );
 }
 /* END_CASE */