diff options
| author | Jiaying Song <jiaying.song.cn@windriver.com> | 2025-08-20 17:13:44 +0800 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2025-08-29 08:33:32 -0700 |
| commit | d6f3ce165174cd09f4af6c055d4974a15d9630ae (patch) | |
| tree | 1cd09bd43d0e5ac4a470954acfd0f7d8e74b3bf7 | |
| parent | 6b05a9736953089e1f900a1c49cca37404737cfd (diff) | |
| download | poky-d6f3ce165174cd09f4af6c055d4974a15d9630ae.tar.gz | |
openssl: fix CVE-2023-50781
A flaw was found in m2crypto. This issue may allow a remote attacker to
decrypt captured messages in TLS servers that use RSA key exchanges,
which may lead to exposure of confidential or sensitive data.
The CVE-2023-50781 in M2Crypto is addressed by modifying OpenSSL because
M2Crypto relies on OpenSSL for its cryptographic operations.The issue
stems from OpenSSL’s RSA PKCS#1 v1.5 padding verification being
vulnerable to Bleichenbacher-type attacks.To mitigate this, OpenSSL
introduced an implicit rejection mechanism in the RSA PKCS#1 v1.5
padding.Therefore, resolving the vulnerability requires changes within
OpenSSL itself to ensure M2Crypto’s security.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-50781
https://github.com/openssl/openssl/pull/13817/commits
https://todo.sr.ht/~mcepl/m2crypto/342?__goaway_challenge=meta-refresh&__goaway_id=45a03d6accb7b343867110db1f7fb334
(From OE-Core rev: d24c4923d6f7a25bdc3ec5d4ac6bee32bb0bae88)
Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
7 files changed, 1806 insertions, 1 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-1.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-1.patch new file mode 100644 index 0000000000..234fe7b8aa --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-1.patch | |||
| @@ -0,0 +1,618 @@ | |||
| 1 | From 24734088e1034392de981151dfe57e3a379ada18 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Hubert Kario <hkario@redhat.com> | ||
| 3 | Date: Tue, 15 Mar 2022 13:58:08 +0100 | ||
| 4 | Subject: [PATCH 1/3] rsa: add implicit rejection in PKCS#1 v1.5 | ||
| 5 | |||
| 6 | The RSA decryption as implemented before required very careful handling | ||
| 7 | of both the exit code returned by OpenSSL and the potentially returned | ||
| 8 | ciphertext. Looking at the recent security vulnerabilities | ||
| 9 | (CVE-2020-25659 and CVE-2020-25657) it is unlikely that most users of | ||
| 10 | OpenSSL do it correctly. | ||
| 11 | |||
| 12 | Given that correct code requires side channel secure programming in | ||
| 13 | application code, we can classify the existing RSA decryption methods | ||
| 14 | as CWE-676, which in turn likely causes CWE-208 and CWE-385 in | ||
| 15 | application code. | ||
| 16 | |||
| 17 | To prevent that, we can use a technique called "implicit rejection". | ||
| 18 | For that we generate a random message to be returned in case the | ||
| 19 | padding check fails. We generate the message based on static secret | ||
| 20 | data (the private exponent) and the provided ciphertext (so that the | ||
| 21 | attacker cannot determine that the returned value is randomly generated | ||
| 22 | instead of result of decryption and de-padding). We return it in case | ||
| 23 | any part of padding check fails. | ||
| 24 | |||
| 25 | The upshot of this approach is that then not only is the length of the | ||
| 26 | returned message useless as the Bleichenbacher oracle, so are the | ||
| 27 | actual bytes of the returned message. So application code doesn't have | ||
| 28 | to perform any operations on the returned message in side-channel free | ||
| 29 | way to remain secure against Bleichenbacher attacks. | ||
| 30 | |||
| 31 | Note: this patch implements a specific algorithm, shared with Mozilla | ||
| 32 | NSS, so that the attacker cannot use one library as an oracle against the | ||
| 33 | other in heterogeneous environments. | ||
| 34 | |||
| 35 | CVE: CVE-2023-50781 | ||
| 36 | |||
| 37 | Upstream-Status: Backport | ||
| 38 | [https://github.com/openssl/openssl/commit/7fc67e0a33102aa47bbaa56533eeecb98c0450f7] | ||
| 39 | |||
| 40 | Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> | ||
| 41 | Reviewed-by: Tim Hudson <tjh@openssl.org> | ||
| 42 | Reviewed-by: Tomas Mraz <tomas@openssl.org> | ||
| 43 | (Merged from https://github.com/openssl/openssl/pull/13817) | ||
| 44 | |||
| 45 | Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com> | ||
| 46 | --- | ||
| 47 | crypto/rsa/rsa_ossl.c | 95 +++++++- | ||
| 48 | crypto/rsa/rsa_pk1.c | 252 ++++++++++++++++++++++ | ||
| 49 | doc/man1/openssl-pkeyutl.pod.in | 5 + | ||
| 50 | doc/man1/openssl-rsautl.pod.in | 5 + | ||
| 51 | doc/man3/EVP_PKEY_CTX_ctrl.pod | 7 + | ||
| 52 | doc/man3/EVP_PKEY_decrypt.pod | 12 ++ | ||
| 53 | doc/man3/RSA_padding_add_PKCS1_type_1.pod | 7 +- | ||
| 54 | doc/man3/RSA_public_encrypt.pod | 11 +- | ||
| 55 | include/crypto/rsa.h | 4 + | ||
| 56 | 9 files changed, 393 insertions(+), 5 deletions(-) | ||
| 57 | |||
| 58 | diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c | ||
| 59 | index 0fc642e777..330302ae55 100644 | ||
| 60 | --- a/crypto/rsa/rsa_ossl.c | ||
| 61 | +++ b/crypto/rsa/rsa_ossl.c | ||
| 62 | @@ -17,6 +17,9 @@ | ||
| 63 | #include "crypto/bn.h" | ||
| 64 | #include "rsa_local.h" | ||
| 65 | #include "internal/constant_time.h" | ||
| 66 | +#include <openssl/evp.h> | ||
| 67 | +#include <openssl/sha.h> | ||
| 68 | +#include <openssl/hmac.h> | ||
| 69 | |||
| 70 | static int rsa_ossl_public_encrypt(int flen, const unsigned char *from, | ||
| 71 | unsigned char *to, RSA *rsa, int padding); | ||
| 72 | @@ -377,8 +380,13 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, | ||
| 73 | BIGNUM *f, *ret; | ||
| 74 | int j, num = 0, r = -1; | ||
| 75 | unsigned char *buf = NULL; | ||
| 76 | + unsigned char d_hash[SHA256_DIGEST_LENGTH] = {0}; | ||
| 77 | + HMAC_CTX *hmac = NULL; | ||
| 78 | + unsigned int md_len = SHA256_DIGEST_LENGTH; | ||
| 79 | + unsigned char kdk[SHA256_DIGEST_LENGTH] = {0}; | ||
| 80 | BN_CTX *ctx = NULL; | ||
| 81 | int local_blinding = 0; | ||
| 82 | + EVP_MD *md = NULL; | ||
| 83 | /* | ||
| 84 | * Used only if the blinding structure is shared. A non-NULL unblind | ||
| 85 | * instructs rsa_blinding_convert() and rsa_blinding_invert() to store | ||
| 86 | @@ -408,6 +416,11 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, | ||
| 87 | goto err; | ||
| 88 | } | ||
| 89 | |||
| 90 | + if (flen < 1) { | ||
| 91 | + ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_SMALL); | ||
| 92 | + goto err; | ||
| 93 | + } | ||
| 94 | + | ||
| 95 | /* make data into a big number */ | ||
| 96 | if (BN_bin2bn(from, (int)flen, f) == NULL) | ||
| 97 | goto err; | ||
| 98 | @@ -472,13 +485,91 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, | ||
| 99 | if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) | ||
| 100 | goto err; | ||
| 101 | |||
| 102 | + /* | ||
| 103 | + * derive the Key Derivation Key from private exponent and public | ||
| 104 | + * ciphertext | ||
| 105 | + */ | ||
| 106 | + if (!(rsa->flags & RSA_FLAG_EXT_PKEY)) { | ||
| 107 | + /* | ||
| 108 | + * because we use d as a handle to rsa->d we need to keep it local and | ||
| 109 | + * free before any further use of rsa->d | ||
| 110 | + */ | ||
| 111 | + BIGNUM *d = BN_new(); | ||
| 112 | + if (d == NULL) { | ||
| 113 | + ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); | ||
| 114 | + goto err; | ||
| 115 | + } | ||
| 116 | + if (rsa->d == NULL) { | ||
| 117 | + ERR_raise(ERR_LIB_RSA, RSA_R_MISSING_PRIVATE_KEY); | ||
| 118 | + BN_free(d); | ||
| 119 | + goto err; | ||
| 120 | + } | ||
| 121 | + BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); | ||
| 122 | + if (BN_bn2binpad(d, buf, num) < 0) { | ||
| 123 | + ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); | ||
| 124 | + BN_free(d); | ||
| 125 | + goto err; | ||
| 126 | + } | ||
| 127 | + BN_free(d); | ||
| 128 | + | ||
| 129 | + /* | ||
| 130 | + * we use hardcoded hash so that migrating between versions that use | ||
| 131 | + * different hash doesn't provide a Bleichenbacher oracle: | ||
| 132 | + * if the attacker can see that different versions return different | ||
| 133 | + * messages for the same ciphertext, they'll know that the message is | ||
| 134 | + * syntethically generated, which means that the padding check failed | ||
| 135 | + */ | ||
| 136 | + md = EVP_MD_fetch(rsa->libctx, "sha256", NULL); | ||
| 137 | + if (md == NULL) { | ||
| 138 | + ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); | ||
| 139 | + goto err; | ||
| 140 | + } | ||
| 141 | + | ||
| 142 | + if (EVP_Digest(buf, num, d_hash, NULL, md, NULL) <= 0) { | ||
| 143 | + ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); | ||
| 144 | + goto err; | ||
| 145 | + } | ||
| 146 | + | ||
| 147 | + hmac = HMAC_CTX_new(); | ||
| 148 | + if (hmac == NULL) { | ||
| 149 | + ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); | ||
| 150 | + goto err; | ||
| 151 | + } | ||
| 152 | + | ||
| 153 | + if (HMAC_Init_ex(hmac, d_hash, sizeof(d_hash), md, NULL) <= 0) { | ||
| 154 | + ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); | ||
| 155 | + goto err; | ||
| 156 | + } | ||
| 157 | + | ||
| 158 | + if (flen < num) { | ||
| 159 | + memset(buf, 0, num - flen); | ||
| 160 | + if (HMAC_Update(hmac, buf, num - flen) <= 0) { | ||
| 161 | + ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); | ||
| 162 | + goto err; | ||
| 163 | + } | ||
| 164 | + } | ||
| 165 | + if (HMAC_Update(hmac, from, flen) <= 0) { | ||
| 166 | + ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); | ||
| 167 | + goto err; | ||
| 168 | + } | ||
| 169 | + | ||
| 170 | + md_len = SHA256_DIGEST_LENGTH; | ||
| 171 | + if (HMAC_Final(hmac, kdk, &md_len) <= 0) { | ||
| 172 | + ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); | ||
| 173 | + goto err; | ||
| 174 | + } | ||
| 175 | + } | ||
| 176 | + | ||
| 177 | j = BN_bn2binpad(ret, buf, num); | ||
| 178 | if (j < 0) | ||
| 179 | goto err; | ||
| 180 | |||
| 181 | switch (padding) { | ||
| 182 | case RSA_PKCS1_PADDING: | ||
| 183 | - r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num); | ||
| 184 | + if (rsa->flags & RSA_FLAG_EXT_PKEY) | ||
| 185 | + r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num); | ||
| 186 | + else | ||
| 187 | + r = ossl_rsa_padding_check_PKCS1_type_2(rsa->libctx, to, num, buf, j, num, kdk); | ||
| 188 | break; | ||
| 189 | case RSA_PKCS1_OAEP_PADDING: | ||
| 190 | r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0); | ||
| 191 | @@ -501,6 +592,8 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, | ||
| 192 | #endif | ||
| 193 | |||
| 194 | err: | ||
| 195 | + HMAC_CTX_free(hmac); | ||
| 196 | + EVP_MD_free(md); | ||
| 197 | BN_CTX_end(ctx); | ||
| 198 | BN_CTX_free(ctx); | ||
| 199 | OPENSSL_clear_free(buf, num); | ||
| 200 | diff --git a/crypto/rsa/rsa_pk1.c b/crypto/rsa/rsa_pk1.c | ||
| 201 | index 51507fc030..5cd2b26879 100644 | ||
| 202 | --- a/crypto/rsa/rsa_pk1.c | ||
| 203 | +++ b/crypto/rsa/rsa_pk1.c | ||
| 204 | @@ -21,10 +21,14 @@ | ||
| 205 | #include <openssl/rand.h> | ||
| 206 | /* Just for the SSL_MAX_MASTER_KEY_LENGTH value */ | ||
| 207 | #include <openssl/prov_ssl.h> | ||
| 208 | +#include <openssl/evp.h> | ||
| 209 | +#include <openssl/sha.h> | ||
| 210 | +#include <openssl/hmac.h> | ||
| 211 | #include "internal/cryptlib.h" | ||
| 212 | #include "crypto/rsa.h" | ||
| 213 | #include "rsa_local.h" | ||
| 214 | |||
| 215 | + | ||
| 216 | int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen, | ||
| 217 | const unsigned char *from, int flen) | ||
| 218 | { | ||
| 219 | @@ -273,6 +277,254 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen, | ||
| 220 | return constant_time_select_int(good, mlen, -1); | ||
| 221 | } | ||
| 222 | |||
| 223 | + | ||
| 224 | +static int ossl_rsa_prf(OSSL_LIB_CTX *ctx, | ||
| 225 | + unsigned char *to, int tlen, | ||
| 226 | + const char *label, int llen, | ||
| 227 | + const unsigned char *kdk, | ||
| 228 | + uint16_t bitlen) | ||
| 229 | +{ | ||
| 230 | + int pos; | ||
| 231 | + int ret = -1; | ||
| 232 | + uint16_t iter = 0; | ||
| 233 | + unsigned char be_iter[sizeof(iter)]; | ||
| 234 | + unsigned char be_bitlen[sizeof(bitlen)]; | ||
| 235 | + HMAC_CTX *hmac = NULL; | ||
| 236 | + EVP_MD *md = NULL; | ||
| 237 | + unsigned char hmac_out[SHA256_DIGEST_LENGTH]; | ||
| 238 | + unsigned int md_len; | ||
| 239 | + | ||
| 240 | + if (tlen * 8 != bitlen) { | ||
| 241 | + ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); | ||
| 242 | + return ret; | ||
| 243 | + } | ||
| 244 | + | ||
| 245 | + be_bitlen[0] = (bitlen >> 8) & 0xff; | ||
| 246 | + be_bitlen[1] = bitlen & 0xff; | ||
| 247 | + | ||
| 248 | + hmac = HMAC_CTX_new(); | ||
| 249 | + if (hmac == NULL) { | ||
| 250 | + ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); | ||
| 251 | + goto err; | ||
| 252 | + } | ||
| 253 | + | ||
| 254 | + /* | ||
| 255 | + * we use hardcoded hash so that migrating between versions that use | ||
| 256 | + * different hash doesn't provide a Bleichenbacher oracle: | ||
| 257 | + * if the attacker can see that different versions return different | ||
| 258 | + * messages for the same ciphertext, they'll know that the message is | ||
| 259 | + * syntethically generated, which means that the padding check failed | ||
| 260 | + */ | ||
| 261 | + md = EVP_MD_fetch(ctx, "sha256", NULL); | ||
| 262 | + if (md == NULL) { | ||
| 263 | + ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); | ||
| 264 | + goto err; | ||
| 265 | + } | ||
| 266 | + | ||
| 267 | + if (HMAC_Init_ex(hmac, kdk, SHA256_DIGEST_LENGTH, md, NULL) <= 0) { | ||
| 268 | + ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); | ||
| 269 | + goto err; | ||
| 270 | + } | ||
| 271 | + | ||
| 272 | + for (pos = 0; pos < tlen; pos += SHA256_DIGEST_LENGTH, iter++) { | ||
| 273 | + if (HMAC_Init_ex(hmac, NULL, 0, NULL, NULL) <= 0) { | ||
| 274 | + ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); | ||
| 275 | + goto err; | ||
| 276 | + } | ||
| 277 | + | ||
| 278 | + be_iter[0] = (iter >> 8) & 0xff; | ||
| 279 | + be_iter[1] = iter & 0xff; | ||
| 280 | + | ||
| 281 | + if (HMAC_Update(hmac, be_iter, sizeof(be_iter)) <= 0) { | ||
| 282 | + ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); | ||
| 283 | + goto err; | ||
| 284 | + } | ||
| 285 | + if (HMAC_Update(hmac, (unsigned char *)label, llen) <= 0) { | ||
| 286 | + ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); | ||
| 287 | + goto err; | ||
| 288 | + } | ||
| 289 | + if (HMAC_Update(hmac, be_bitlen, sizeof(be_bitlen)) <= 0) { | ||
| 290 | + ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); | ||
| 291 | + goto err; | ||
| 292 | + } | ||
| 293 | + | ||
| 294 | + /* | ||
| 295 | + * HMAC_Final requires the output buffer to fit the whole MAC | ||
| 296 | + * value, so we need to use the intermediate buffer for the last | ||
| 297 | + * unaligned block | ||
| 298 | + */ | ||
| 299 | + md_len = SHA256_DIGEST_LENGTH; | ||
| 300 | + if (pos + SHA256_DIGEST_LENGTH > tlen) { | ||
| 301 | + if (HMAC_Final(hmac, hmac_out, &md_len) <= 0) { | ||
| 302 | + ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); | ||
| 303 | + goto err; | ||
| 304 | + } | ||
| 305 | + memcpy(to + pos, hmac_out, tlen - pos); | ||
| 306 | + } else { | ||
| 307 | + if (HMAC_Final(hmac, to + pos, &md_len) <= 0) { | ||
| 308 | + ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); | ||
| 309 | + goto err; | ||
| 310 | + } | ||
| 311 | + } | ||
| 312 | + } | ||
| 313 | + | ||
| 314 | + ret = 0; | ||
| 315 | + | ||
| 316 | +err: | ||
| 317 | + HMAC_CTX_free(hmac); | ||
| 318 | + EVP_MD_free(md); | ||
| 319 | + return ret; | ||
| 320 | +} | ||
| 321 | + | ||
| 322 | +/* | ||
| 323 | + * ossl_rsa_padding_check_PKCS1_type_2() checks and removes the PKCS#1 type 2 | ||
| 324 | + * padding from a decrypted RSA message. Unlike the | ||
| 325 | + * RSA_padding_check_PKCS1_type_2() it will not return an error in case it | ||
| 326 | + * detects a padding error, rather it will return a deterministically generated | ||
| 327 | + * random message. In other words it will perform an implicit rejection | ||
| 328 | + * of an invalid padding. This means that the returned value does not indicate | ||
| 329 | + * if the padding of the encrypted message was correct or not, making | ||
| 330 | + * side channel attacks like the ones described by Bleichenbacher impossible | ||
| 331 | + * without access to the full decrypted value and a brute-force search of | ||
| 332 | + * remaining padding bytes | ||
| 333 | + */ | ||
| 334 | +int ossl_rsa_padding_check_PKCS1_type_2(OSSL_LIB_CTX *ctx, | ||
| 335 | + unsigned char *to, int tlen, | ||
| 336 | + const unsigned char *from, int flen, | ||
| 337 | + int num, unsigned char *kdk) | ||
| 338 | +{ | ||
| 339 | +/* | ||
| 340 | + * We need to generate a random length for the synthethic message, to avoid | ||
| 341 | + * bias towards zero and avoid non-constant timeness of DIV, we prepare | ||
| 342 | + * 128 values to check if they are not too large for the used key size, | ||
| 343 | + * and use 0 in case none of them are small enough, as 2^-128 is a good enough | ||
| 344 | + * safety margin | ||
| 345 | + */ | ||
| 346 | +#define MAX_LEN_GEN_TRIES 128 | ||
| 347 | + unsigned char *synthetic = NULL; | ||
| 348 | + int synthethic_length; | ||
| 349 | + uint16_t len_candidate; | ||
| 350 | + unsigned char candidate_lengths[MAX_LEN_GEN_TRIES * sizeof(len_candidate)]; | ||
| 351 | + uint16_t len_mask; | ||
| 352 | + uint16_t max_sep_offset; | ||
| 353 | + int synth_msg_index = 0; | ||
| 354 | + int ret = -1; | ||
| 355 | + int i, j; | ||
| 356 | + unsigned int good, found_zero_byte; | ||
| 357 | + int zero_index = 0, msg_index; | ||
| 358 | + | ||
| 359 | + /* | ||
| 360 | + * If these checks fail then either the message in publicly invalid, or | ||
| 361 | + * we've been called incorrectly. We can fail immediately. | ||
| 362 | + * Since this code is called only internally by openssl, those are just | ||
| 363 | + * sanity checks | ||
| 364 | + */ | ||
| 365 | + if (num != flen || tlen <= 0 || flen <= 0) { | ||
| 366 | + ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); | ||
| 367 | + return -1; | ||
| 368 | + } | ||
| 369 | + | ||
| 370 | + /* Generate a random message to return in case the padding checks fail */ | ||
| 371 | + synthetic = OPENSSL_malloc(flen); | ||
| 372 | + if (synthetic == NULL) { | ||
| 373 | + ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); | ||
| 374 | + return -1; | ||
| 375 | + } | ||
| 376 | + | ||
| 377 | + if (ossl_rsa_prf(ctx, synthetic, flen, "message", 7, kdk, flen * 8) < 0) | ||
| 378 | + goto err; | ||
| 379 | + | ||
| 380 | + /* decide how long the random message should be */ | ||
| 381 | + if (ossl_rsa_prf(ctx, candidate_lengths, sizeof(candidate_lengths), | ||
| 382 | + "length", 6, kdk, | ||
| 383 | + MAX_LEN_GEN_TRIES * sizeof(len_candidate) * 8) < 0) | ||
| 384 | + goto err; | ||
| 385 | + | ||
| 386 | + /* | ||
| 387 | + * max message size is the size of the modulus size less 2 bytes for | ||
| 388 | + * version and padding type and a minimum of 8 bytes padding | ||
| 389 | + */ | ||
| 390 | + len_mask = max_sep_offset = flen - 2 - 8; | ||
| 391 | + /* | ||
| 392 | + * we want a mask so lets propagate the high bit to all positions less | ||
| 393 | + * significant than it | ||
| 394 | + */ | ||
| 395 | + len_mask |= len_mask >> 1; | ||
| 396 | + len_mask |= len_mask >> 2; | ||
| 397 | + len_mask |= len_mask >> 4; | ||
| 398 | + len_mask |= len_mask >> 8; | ||
| 399 | + | ||
| 400 | + synthethic_length = 0; | ||
| 401 | + for (i = 0; i < MAX_LEN_GEN_TRIES * (int)sizeof(len_candidate); | ||
| 402 | + i += sizeof(len_candidate)) { | ||
| 403 | + len_candidate = (candidate_lengths[i] << 8) | candidate_lengths[i + 1]; | ||
| 404 | + len_candidate &= len_mask; | ||
| 405 | + | ||
| 406 | + synthethic_length = constant_time_select_int( | ||
| 407 | + constant_time_lt(len_candidate, max_sep_offset), | ||
| 408 | + len_candidate, synthethic_length); | ||
| 409 | + } | ||
| 410 | + | ||
| 411 | + synth_msg_index = flen - synthethic_length; | ||
| 412 | + | ||
| 413 | + /* we have alternative message ready, check the real one */ | ||
| 414 | + good = constant_time_is_zero(from[0]); | ||
| 415 | + good &= constant_time_eq(from[1], 2); | ||
| 416 | + | ||
| 417 | + /* then look for the padding|message separator (the first zero byte) */ | ||
| 418 | + found_zero_byte = 0; | ||
| 419 | + for (i = 2; i < flen; i++) { | ||
| 420 | + unsigned int equals0 = constant_time_is_zero(from[i]); | ||
| 421 | + zero_index = constant_time_select_int(~found_zero_byte & equals0, | ||
| 422 | + i, zero_index); | ||
| 423 | + found_zero_byte |= equals0; | ||
| 424 | + } | ||
| 425 | + | ||
| 426 | + /* | ||
| 427 | + * padding must be at least 8 bytes long, and it starts two bytes into | ||
| 428 | + * |from|. If we never found a 0-byte, then |zero_index| is 0 and the check | ||
| 429 | + * also fails. | ||
| 430 | + */ | ||
| 431 | + good &= constant_time_ge(zero_index, 2 + 8); | ||
| 432 | + | ||
| 433 | + /* | ||
| 434 | + * Skip the zero byte. This is incorrect if we never found a zero-byte | ||
| 435 | + * but in this case we also do not copy the message out. | ||
| 436 | + */ | ||
| 437 | + msg_index = zero_index + 1; | ||
| 438 | + | ||
| 439 | + /* | ||
| 440 | + * old code returned an error in case the decrypted message wouldn't fit | ||
| 441 | + * into the |to|, since that would leak information, return the synthethic | ||
| 442 | + * message instead | ||
| 443 | + */ | ||
| 444 | + good &= constant_time_ge(tlen, num - msg_index); | ||
| 445 | + | ||
| 446 | + msg_index = constant_time_select_int(good, msg_index, synth_msg_index); | ||
| 447 | + | ||
| 448 | + /* | ||
| 449 | + * since at this point the |msg_index| does not provide the signal | ||
| 450 | + * indicating if the padding check failed or not, we don't have to worry | ||
| 451 | + * about leaking the length of returned message, we still need to ensure | ||
| 452 | + * that we read contents of both buffers so that cache accesses don't leak | ||
| 453 | + * the value of |good| | ||
| 454 | + */ | ||
| 455 | + for (i = msg_index, j = 0; i < flen && j < tlen; i++, j++) | ||
| 456 | + to[j] = constant_time_select_8(good, from[i], synthetic[i]); | ||
| 457 | + ret = j; | ||
| 458 | + | ||
| 459 | +err: | ||
| 460 | + /* | ||
| 461 | + * the only time ret < 0 is when the ciphertext is publicly invalid | ||
| 462 | + * or we were called with invalid parameters, so we don't have to perform | ||
| 463 | + * a side-channel secure raising of the error | ||
| 464 | + */ | ||
| 465 | + if (ret < 0) | ||
| 466 | + ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); | ||
| 467 | + OPENSSL_free(synthetic); | ||
| 468 | + return ret; | ||
| 469 | +} | ||
| 470 | + | ||
| 471 | /* | ||
| 472 | * ossl_rsa_padding_check_PKCS1_type_2_TLS() checks and removes the PKCS1 type 2 | ||
| 473 | * padding from a decrypted RSA message in a TLS signature. The result is stored | ||
| 474 | diff --git a/doc/man1/openssl-pkeyutl.pod.in b/doc/man1/openssl-pkeyutl.pod.in | ||
| 475 | index 2f6ef0021d..015265a74d 100644 | ||
| 476 | --- a/doc/man1/openssl-pkeyutl.pod.in | ||
| 477 | +++ b/doc/man1/openssl-pkeyutl.pod.in | ||
| 478 | @@ -273,6 +273,11 @@ signed or verified directly instead of using a B<DigestInfo> structure. If a | ||
| 479 | digest is set, then the B<DigestInfo> structure is used and its length | ||
| 480 | must correspond to the digest type. | ||
| 481 | |||
| 482 | +Note, for B<pkcs1> padding, as a protection against Bleichenbacher attack, | ||
| 483 | +the decryption will not fail in case of padding check failures. Use B<none> | ||
| 484 | +and manual inspection of the decrypted message to verify if the decrypted | ||
| 485 | +value has correct PKCS#1 v1.5 padding. | ||
| 486 | + | ||
| 487 | For B<oaep> mode only encryption and decryption is supported. | ||
| 488 | |||
| 489 | For B<x931> if the digest type is set it is used to format the block data | ||
| 490 | diff --git a/doc/man1/openssl-rsautl.pod.in b/doc/man1/openssl-rsautl.pod.in | ||
| 491 | index 0a32fd965b..4c462abc8c 100644 | ||
| 492 | --- a/doc/man1/openssl-rsautl.pod.in | ||
| 493 | +++ b/doc/man1/openssl-rsautl.pod.in | ||
| 494 | @@ -105,6 +105,11 @@ The padding to use: PKCS#1 v1.5 (the default), PKCS#1 OAEP, | ||
| 495 | ANSI X9.31, or no padding, respectively. | ||
| 496 | For signatures, only B<-pkcs> and B<-raw> can be used. | ||
| 497 | |||
| 498 | +Note: because of protection against Bleichenbacher attacks, decryption | ||
| 499 | +using PKCS#1 v1.5 mode will not return errors in case padding check failed. | ||
| 500 | +Use B<-raw> and inspect the returned value manually to check if the | ||
| 501 | +padding is correct. | ||
| 502 | + | ||
| 503 | =item B<-hexdump> | ||
| 504 | |||
| 505 | Hex dump the output data. | ||
| 506 | diff --git a/doc/man3/EVP_PKEY_CTX_ctrl.pod b/doc/man3/EVP_PKEY_CTX_ctrl.pod | ||
| 507 | index 3075eaafd6..e788f38809 100644 | ||
| 508 | --- a/doc/man3/EVP_PKEY_CTX_ctrl.pod | ||
| 509 | +++ b/doc/man3/EVP_PKEY_CTX_ctrl.pod | ||
| 510 | @@ -386,6 +386,13 @@ this behaviour should be tolerated then | ||
| 511 | OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION should be set to the actual | ||
| 512 | negotiated protocol version. Otherwise it should be left unset. | ||
| 513 | |||
| 514 | +Similarly to the B<RSA_PKCS1_WITH_TLS_PADDING> above, since OpenSSL version | ||
| 515 | +3.1.0, the use of B<RSA_PKCS1_PADDING> will return a randomly generated message | ||
| 516 | +instead of padding errors in case padding checks fail. Applications that | ||
| 517 | +want to remain secure while using earlier versions of OpenSSL, still need to | ||
| 518 | +handle both the error code from the RSA decryption operation and the | ||
| 519 | +returned message in a side channel secure manner. | ||
| 520 | + | ||
| 521 | =head2 DSA parameters | ||
| 522 | |||
| 523 | EVP_PKEY_CTX_set_dsa_paramgen_bits() sets the number of bits used for DSA | ||
| 524 | diff --git a/doc/man3/EVP_PKEY_decrypt.pod b/doc/man3/EVP_PKEY_decrypt.pod | ||
| 525 | index b6f9bad5f1..898535a7a2 100644 | ||
| 526 | --- a/doc/man3/EVP_PKEY_decrypt.pod | ||
| 527 | +++ b/doc/man3/EVP_PKEY_decrypt.pod | ||
| 528 | @@ -51,6 +51,18 @@ return 1 for success and 0 or a negative value for failure. In particular a | ||
| 529 | return value of -2 indicates the operation is not supported by the public key | ||
| 530 | algorithm. | ||
| 531 | |||
| 532 | +=head1 WARNINGS | ||
| 533 | + | ||
| 534 | +In OpenSSL versions before 3.1.0, when used in PKCS#1 v1.5 padding, | ||
| 535 | +both the return value from the EVP_PKEY_decrypt() and the B<outlen> provided | ||
| 536 | +information useful in mounting a Bleichenbacher attack against the | ||
| 537 | +used private key. They had to processed in a side-channel free way. | ||
| 538 | + | ||
| 539 | +Since version 3.1.0, the EVP_PKEY_decrypt() method when used with PKCS#1 | ||
| 540 | +v1.5 padding doesn't return an error in case it detects an error in padding, | ||
| 541 | +instead it returns a pseudo-randomly generated message, removing the need | ||
| 542 | +of side-channel secure code from applications using OpenSSL. | ||
| 543 | + | ||
| 544 | =head1 EXAMPLES | ||
| 545 | |||
| 546 | Decrypt data using OAEP (for RSA keys): | ||
| 547 | diff --git a/doc/man3/RSA_padding_add_PKCS1_type_1.pod b/doc/man3/RSA_padding_add_PKCS1_type_1.pod | ||
| 548 | index 9f7025c497..36ae18563f 100644 | ||
| 549 | --- a/doc/man3/RSA_padding_add_PKCS1_type_1.pod | ||
| 550 | +++ b/doc/man3/RSA_padding_add_PKCS1_type_1.pod | ||
| 551 | @@ -121,8 +121,8 @@ L<ERR_get_error(3)>. | ||
| 552 | |||
| 553 | =head1 WARNINGS | ||
| 554 | |||
| 555 | -The result of RSA_padding_check_PKCS1_type_2() is a very sensitive | ||
| 556 | -information which can potentially be used to mount a Bleichenbacher | ||
| 557 | +The result of RSA_padding_check_PKCS1_type_2() is exactly the | ||
| 558 | +information which is used to mount a classical Bleichenbacher | ||
| 559 | padding oracle attack. This is an inherent weakness in the PKCS #1 | ||
| 560 | v1.5 padding design. Prefer PKCS1_OAEP padding. If that is not | ||
| 561 | possible, the result of RSA_padding_check_PKCS1_type_2() should be | ||
| 562 | @@ -137,6 +137,9 @@ as this would create a small timing side channel which could be | ||
| 563 | used to mount a Bleichenbacher attack against any padding mode | ||
| 564 | including PKCS1_OAEP. | ||
| 565 | |||
| 566 | +You should prefer the use of EVP PKEY APIs for PKCS#1 v1.5 decryption | ||
| 567 | +as they implement the necessary workarounds internally. | ||
| 568 | + | ||
| 569 | =head1 SEE ALSO | ||
| 570 | |||
| 571 | L<RSA_public_encrypt(3)>, | ||
| 572 | diff --git a/doc/man3/RSA_public_encrypt.pod b/doc/man3/RSA_public_encrypt.pod | ||
| 573 | index 1d38073aea..bd3f835ac6 100644 | ||
| 574 | --- a/doc/man3/RSA_public_encrypt.pod | ||
| 575 | +++ b/doc/man3/RSA_public_encrypt.pod | ||
| 576 | @@ -52,8 +52,8 @@ Encrypting user data directly with RSA is insecure. | ||
| 577 | |||
| 578 | =back | ||
| 579 | |||
| 580 | -B<flen> must not be more than RSA_size(B<rsa>) - 11 for the PKCS #1 v1.5 | ||
| 581 | -based padding modes, not more than RSA_size(B<rsa>) - 42 for | ||
| 582 | +When encrypting B<flen> must not be more than RSA_size(B<rsa>) - 11 for the | ||
| 583 | +PKCS #1 v1.5 based padding modes, not more than RSA_size(B<rsa>) - 42 for | ||
| 584 | RSA_PKCS1_OAEP_PADDING and exactly RSA_size(B<rsa>) for RSA_NO_PADDING. | ||
| 585 | When a padding mode other than RSA_NO_PADDING is in use, then | ||
| 586 | RSA_public_encrypt() will include some random bytes into the ciphertext | ||
| 587 | @@ -92,6 +92,13 @@ which can potentially be used to mount a Bleichenbacher padding oracle | ||
| 588 | attack. This is an inherent weakness in the PKCS #1 v1.5 padding | ||
| 589 | design. Prefer RSA_PKCS1_OAEP_PADDING. | ||
| 590 | |||
| 591 | +In OpenSSL before version 3.1.0, both the return value and the length of | ||
| 592 | +returned value could be used to mount the Bleichenbacher attack. | ||
| 593 | +Since version 3.1.0, OpenSSL does not return an error in case of padding | ||
| 594 | +checks failed. Instead it generates a random message based on used private | ||
| 595 | +key and provided ciphertext so that application code doesn't have to implement | ||
| 596 | +a side-channel secure error handling. | ||
| 597 | + | ||
| 598 | =head1 CONFORMING TO | ||
| 599 | |||
| 600 | SSL, PKCS #1 v2.0 | ||
| 601 | diff --git a/include/crypto/rsa.h b/include/crypto/rsa.h | ||
| 602 | index 949873d0ee..f267e5d9d1 100644 | ||
| 603 | --- a/include/crypto/rsa.h | ||
| 604 | +++ b/include/crypto/rsa.h | ||
| 605 | @@ -83,6 +83,10 @@ int ossl_rsa_param_decode(RSA *rsa, const X509_ALGOR *alg); | ||
| 606 | RSA *ossl_rsa_key_from_pkcs8(const PKCS8_PRIV_KEY_INFO *p8inf, | ||
| 607 | OSSL_LIB_CTX *libctx, const char *propq); | ||
| 608 | |||
| 609 | +int ossl_rsa_padding_check_PKCS1_type_2(OSSL_LIB_CTX *ctx, | ||
| 610 | + unsigned char *to, int tlen, | ||
| 611 | + const unsigned char *from, int flen, | ||
| 612 | + int num, unsigned char *kdk); | ||
| 613 | int ossl_rsa_padding_check_PKCS1_type_2_TLS(OSSL_LIB_CTX *ctx, unsigned char *to, | ||
| 614 | size_t tlen, | ||
| 615 | const unsigned char *from, | ||
| 616 | -- | ||
| 617 | 2.34.1 | ||
| 618 | |||
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-2.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-2.patch new file mode 100644 index 0000000000..b336d9e850 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-2.patch | |||
| @@ -0,0 +1,358 @@ | |||
| 1 | From e92f0cd3b03e5aca948b03df7e3d02e536700f68 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Hubert Kario <hkario@redhat.com> | ||
| 3 | Date: Thu, 27 Oct 2022 19:16:58 +0200 | ||
| 4 | Subject: [PATCH 2/3] rsa: Add option to disable implicit rejection | ||
| 5 | |||
| 6 | CVE: CVE-2023-50781 | ||
| 7 | |||
| 8 | Upstream-Status: Backport | ||
| 9 | [https://github.com/openssl/openssl/commit/5ab3ec1bb1eaa795d775f5896818cfaa84d33a1a] | ||
| 10 | |||
| 11 | Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> | ||
| 12 | Reviewed-by: Tim Hudson <tjh@openssl.org> | ||
| 13 | Reviewed-by: Tomas Mraz <tomas@openssl.org> | ||
| 14 | (Merged from https://github.com/openssl/openssl/pull/13817) | ||
| 15 | |||
| 16 | Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com> | ||
| 17 | --- | ||
| 18 | crypto/cms/cms_env.c | 7 +++++ | ||
| 19 | crypto/evp/ctrl_params_translate.c | 6 +++++ | ||
| 20 | crypto/rsa/rsa_ossl.c | 16 ++++++++---- | ||
| 21 | crypto/rsa/rsa_pmeth.c | 20 +++++++++++++- | ||
| 22 | doc/man1/openssl-pkeyutl.pod.in | 10 +++++++ | ||
| 23 | doc/man3/EVP_PKEY_CTX_ctrl.pod | 2 ++ | ||
| 24 | doc/man7/provider-asym_cipher.pod | 9 +++++++ | ||
| 25 | include/openssl/core_names.h | 2 ++ | ||
| 26 | include/openssl/rsa.h | 5 ++++ | ||
| 27 | .../implementations/asymciphers/rsa_enc.c | 26 +++++++++++++++++-- | ||
| 28 | 10 files changed, 95 insertions(+), 8 deletions(-) | ||
| 29 | |||
| 30 | diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c | ||
| 31 | index 445a16fb77..49b0289114 100644 | ||
| 32 | --- a/crypto/cms/cms_env.c | ||
| 33 | +++ b/crypto/cms/cms_env.c | ||
| 34 | @@ -581,6 +581,13 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms, | ||
| 35 | if (!ossl_cms_env_asn1_ctrl(ri, 1)) | ||
| 36 | goto err; | ||
| 37 | |||
| 38 | + if (EVP_PKEY_is_a(pkey, "RSA")) | ||
| 39 | + /* upper layer CMS code incorrectly assumes that a successful RSA | ||
| 40 | + * decryption means that the key matches ciphertext (which never | ||
| 41 | + * was the case, implicit rejection or not), so to make it work | ||
| 42 | + * disable implicit rejection for RSA keys */ | ||
| 43 | + EVP_PKEY_CTX_ctrl_str(ktri->pctx, "rsa_pkcs1_implicit_rejection", "0"); | ||
| 44 | + | ||
| 45 | if (EVP_PKEY_decrypt(ktri->pctx, NULL, &eklen, | ||
| 46 | ktri->encryptedKey->data, | ||
| 47 | ktri->encryptedKey->length) <= 0) | ||
| 48 | diff --git a/crypto/evp/ctrl_params_translate.c b/crypto/evp/ctrl_params_translate.c | ||
| 49 | index 44d0895bcf..db7325439a 100644 | ||
| 50 | --- a/crypto/evp/ctrl_params_translate.c | ||
| 51 | +++ b/crypto/evp/ctrl_params_translate.c | ||
| 52 | @@ -2269,6 +2269,12 @@ static const struct translation_st evp_pkey_ctx_translations[] = { | ||
| 53 | EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL, NULL, NULL, | ||
| 54 | OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL, OSSL_PARAM_OCTET_PTR, NULL }, | ||
| 55 | |||
| 56 | + { SET, EVP_PKEY_RSA, 0, EVP_PKEY_OP_TYPE_CRYPT, | ||
| 57 | + EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION, NULL, | ||
| 58 | + "rsa_pkcs1_implicit_rejection", | ||
| 59 | + OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, OSSL_PARAM_UNSIGNED_INTEGER, | ||
| 60 | + NULL }, | ||
| 61 | + | ||
| 62 | { SET, EVP_PKEY_RSA_PSS, 0, EVP_PKEY_OP_TYPE_GEN, | ||
| 63 | EVP_PKEY_CTRL_MD, "rsa_pss_keygen_md", NULL, | ||
| 64 | OSSL_ALG_PARAM_DIGEST, OSSL_PARAM_UTF8_STRING, fix_md }, | ||
| 65 | diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c | ||
| 66 | index 330302ae55..4bdacd5ed9 100644 | ||
| 67 | --- a/crypto/rsa/rsa_ossl.c | ||
| 68 | +++ b/crypto/rsa/rsa_ossl.c | ||
| 69 | @@ -395,6 +395,12 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, | ||
| 70 | BIGNUM *unblind = NULL; | ||
| 71 | BN_BLINDING *blinding = NULL; | ||
| 72 | |||
| 73 | + /* | ||
| 74 | + * we need the value of the private exponent to perform implicit rejection | ||
| 75 | + */ | ||
| 76 | + if ((rsa->flags & RSA_FLAG_EXT_PKEY) && (padding == RSA_PKCS1_PADDING)) | ||
| 77 | + padding = RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING; | ||
| 78 | + | ||
| 79 | if ((ctx = BN_CTX_new_ex(rsa->libctx)) == NULL) | ||
| 80 | goto err; | ||
| 81 | BN_CTX_start(ctx); | ||
| 82 | @@ -489,7 +495,7 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, | ||
| 83 | * derive the Key Derivation Key from private exponent and public | ||
| 84 | * ciphertext | ||
| 85 | */ | ||
| 86 | - if (!(rsa->flags & RSA_FLAG_EXT_PKEY)) { | ||
| 87 | + if (padding == RSA_PKCS1_PADDING) { | ||
| 88 | /* | ||
| 89 | * because we use d as a handle to rsa->d we need to keep it local and | ||
| 90 | * free before any further use of rsa->d | ||
| 91 | @@ -565,11 +571,11 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, | ||
| 92 | goto err; | ||
| 93 | |||
| 94 | switch (padding) { | ||
| 95 | + case RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING: | ||
| 96 | + r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num); | ||
| 97 | + break; | ||
| 98 | case RSA_PKCS1_PADDING: | ||
| 99 | - if (rsa->flags & RSA_FLAG_EXT_PKEY) | ||
| 100 | - r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num); | ||
| 101 | - else | ||
| 102 | - r = ossl_rsa_padding_check_PKCS1_type_2(rsa->libctx, to, num, buf, j, num, kdk); | ||
| 103 | + r = ossl_rsa_padding_check_PKCS1_type_2(rsa->libctx, to, num, buf, j, num, kdk); | ||
| 104 | break; | ||
| 105 | case RSA_PKCS1_OAEP_PADDING: | ||
| 106 | r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0); | ||
| 107 | diff --git a/crypto/rsa/rsa_pmeth.c b/crypto/rsa/rsa_pmeth.c | ||
| 108 | index 0bf5ac098a..81b031f81b 100644 | ||
| 109 | --- a/crypto/rsa/rsa_pmeth.c | ||
| 110 | +++ b/crypto/rsa/rsa_pmeth.c | ||
| 111 | @@ -52,6 +52,8 @@ typedef struct { | ||
| 112 | /* OAEP label */ | ||
| 113 | unsigned char *oaep_label; | ||
| 114 | size_t oaep_labellen; | ||
| 115 | + /* if to use implicit rejection in PKCS#1 v1.5 decryption */ | ||
| 116 | + int implicit_rejection; | ||
| 117 | } RSA_PKEY_CTX; | ||
| 118 | |||
| 119 | /* True if PSS parameters are restricted */ | ||
| 120 | @@ -72,6 +74,7 @@ static int pkey_rsa_init(EVP_PKEY_CTX *ctx) | ||
| 121 | /* Maximum for sign, auto for verify */ | ||
| 122 | rctx->saltlen = RSA_PSS_SALTLEN_AUTO; | ||
| 123 | rctx->min_saltlen = -1; | ||
| 124 | + rctx->implicit_rejection = 1; | ||
| 125 | ctx->data = rctx; | ||
| 126 | ctx->keygen_info = rctx->gentmp; | ||
| 127 | ctx->keygen_info_count = 2; | ||
| 128 | @@ -97,6 +100,7 @@ static int pkey_rsa_copy(EVP_PKEY_CTX *dst, const EVP_PKEY_CTX *src) | ||
| 129 | dctx->md = sctx->md; | ||
| 130 | dctx->mgf1md = sctx->mgf1md; | ||
| 131 | dctx->saltlen = sctx->saltlen; | ||
| 132 | + dctx->implicit_rejection = sctx->implicit_rejection; | ||
| 133 | if (sctx->oaep_label) { | ||
| 134 | OPENSSL_free(dctx->oaep_label); | ||
| 135 | dctx->oaep_label = OPENSSL_memdup(sctx->oaep_label, sctx->oaep_labellen); | ||
| 136 | @@ -347,6 +351,7 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, | ||
| 137 | const unsigned char *in, size_t inlen) | ||
| 138 | { | ||
| 139 | int ret; | ||
| 140 | + int pad_mode; | ||
| 141 | RSA_PKEY_CTX *rctx = ctx->data; | ||
| 142 | /* | ||
| 143 | * Discard const. Its marked as const because this may be a cached copy of | ||
| 144 | @@ -367,7 +372,12 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, | ||
| 145 | rctx->oaep_labellen, | ||
| 146 | rctx->md, rctx->mgf1md); | ||
| 147 | } else { | ||
| 148 | - ret = RSA_private_decrypt(inlen, in, out, rsa, rctx->pad_mode); | ||
| 149 | + if (rctx->pad_mode == RSA_PKCS1_PADDING && | ||
| 150 | + rctx->implicit_rejection == 0) | ||
| 151 | + pad_mode = RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING; | ||
| 152 | + else | ||
| 153 | + pad_mode = rctx->pad_mode; | ||
| 154 | + ret = RSA_private_decrypt(inlen, in, out, rsa, pad_mode); | ||
| 155 | } | ||
| 156 | *outlen = constant_time_select_s(constant_time_msb_s(ret), *outlen, ret); | ||
| 157 | ret = constant_time_select_int(constant_time_msb(ret), ret, 1); | ||
| 158 | @@ -591,6 +601,14 @@ static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) | ||
| 159 | *(unsigned char **)p2 = rctx->oaep_label; | ||
| 160 | return rctx->oaep_labellen; | ||
| 161 | |||
| 162 | + case EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION: | ||
| 163 | + if (rctx->pad_mode != RSA_PKCS1_PADDING) { | ||
| 164 | + ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_PADDING_MODE); | ||
| 165 | + return -2; | ||
| 166 | + } | ||
| 167 | + rctx->implicit_rejection = p1; | ||
| 168 | + return 1; | ||
| 169 | + | ||
| 170 | case EVP_PKEY_CTRL_DIGESTINIT: | ||
| 171 | case EVP_PKEY_CTRL_PKCS7_SIGN: | ||
| 172 | #ifndef OPENSSL_NO_CMS | ||
| 173 | diff --git a/doc/man1/openssl-pkeyutl.pod.in b/doc/man1/openssl-pkeyutl.pod.in | ||
| 174 | index 015265a74d..5e62551d34 100644 | ||
| 175 | --- a/doc/man1/openssl-pkeyutl.pod.in | ||
| 176 | +++ b/doc/man1/openssl-pkeyutl.pod.in | ||
| 177 | @@ -305,6 +305,16 @@ explicitly set in PSS mode then the signing digest is used. | ||
| 178 | Sets the digest used for the OAEP hash function. If not explicitly set then | ||
| 179 | SHA1 is used. | ||
| 180 | |||
| 181 | +=item B<rsa_pkcs1_implicit_rejection:>I<flag> | ||
| 182 | + | ||
| 183 | +Disables (when set to 0) or enables (when set to 1) the use of implicit | ||
| 184 | +rejection with PKCS#1 v1.5 decryption. When enabled (the default), as a | ||
| 185 | +protection against Bleichenbacher attack, the library will generate a | ||
| 186 | +deterministic random plaintext that it will return to the caller in case | ||
| 187 | +of padding check failure. | ||
| 188 | +When disabled, it's the callers' responsibility to handle the returned | ||
| 189 | +errors in a side-channel free manner. | ||
| 190 | + | ||
| 191 | =back | ||
| 192 | |||
| 193 | =head1 RSA-PSS ALGORITHM | ||
| 194 | diff --git a/doc/man3/EVP_PKEY_CTX_ctrl.pod b/doc/man3/EVP_PKEY_CTX_ctrl.pod | ||
| 195 | index e788f38809..3844aa2199 100644 | ||
| 196 | --- a/doc/man3/EVP_PKEY_CTX_ctrl.pod | ||
| 197 | +++ b/doc/man3/EVP_PKEY_CTX_ctrl.pod | ||
| 198 | @@ -392,6 +392,8 @@ instead of padding errors in case padding checks fail. Applications that | ||
| 199 | want to remain secure while using earlier versions of OpenSSL, still need to | ||
| 200 | handle both the error code from the RSA decryption operation and the | ||
| 201 | returned message in a side channel secure manner. | ||
| 202 | +This protection against Bleichenbacher attacks can be disabled by setting | ||
| 203 | +the OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION (an unsigned integer) to 0. | ||
| 204 | |||
| 205 | =head2 DSA parameters | ||
| 206 | |||
| 207 | diff --git a/doc/man7/provider-asym_cipher.pod b/doc/man7/provider-asym_cipher.pod | ||
| 208 | index 0976a263a8..2a8426a6ed 100644 | ||
| 209 | --- a/doc/man7/provider-asym_cipher.pod | ||
| 210 | +++ b/doc/man7/provider-asym_cipher.pod | ||
| 211 | @@ -234,6 +234,15 @@ The TLS protocol version first requested by the client. | ||
| 212 | |||
| 213 | The negotiated TLS protocol version. | ||
| 214 | |||
| 215 | +=item "implicit-rejection" (B<OSSL_PKEY_PARAM_IMPLICIT_REJECTION>) <unsigned integer> | ||
| 216 | + | ||
| 217 | +Gets of sets the use of the implicit rejection mechanism for RSA PKCS#1 v1.5 | ||
| 218 | +decryption. When set (non zero value), the decryption API will return | ||
| 219 | +a deterministically random value if the PKCS#1 v1.5 padding check fails. | ||
| 220 | +This makes explotation of the Bleichenbacher significantly harder, even | ||
| 221 | +if the code using the RSA decryption API is not implemented in side-channel | ||
| 222 | +free manner. Set by default. | ||
| 223 | + | ||
| 224 | =back | ||
| 225 | |||
| 226 | OSSL_FUNC_asym_cipher_gettable_ctx_params() and OSSL_FUNC_asym_cipher_settable_ctx_params() | ||
| 227 | diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h | ||
| 228 | index 6bed5a8a67..5a350b537f 100644 | ||
| 229 | --- a/include/openssl/core_names.h | ||
| 230 | +++ b/include/openssl/core_names.h | ||
| 231 | @@ -292,6 +292,7 @@ extern "C" { | ||
| 232 | #define OSSL_PKEY_PARAM_DIST_ID "distid" | ||
| 233 | #define OSSL_PKEY_PARAM_PUB_KEY "pub" | ||
| 234 | #define OSSL_PKEY_PARAM_PRIV_KEY "priv" | ||
| 235 | +#define OSSL_PKEY_PARAM_IMPLICIT_REJECTION "implicit-rejection" | ||
| 236 | |||
| 237 | /* Diffie-Hellman/DSA Parameters */ | ||
| 238 | #define OSSL_PKEY_PARAM_FFC_P "p" | ||
| 239 | @@ -467,6 +468,7 @@ extern "C" { | ||
| 240 | #define OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL "oaep-label" | ||
| 241 | #define OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION "tls-client-version" | ||
| 242 | #define OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION "tls-negotiated-version" | ||
| 243 | +#define OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION "implicit-rejection" | ||
| 244 | |||
| 245 | /* | ||
| 246 | * Encoder / decoder parameters | ||
| 247 | diff --git a/include/openssl/rsa.h b/include/openssl/rsa.h | ||
| 248 | index a55c9727c6..247f9014e3 100644 | ||
| 249 | --- a/include/openssl/rsa.h | ||
| 250 | +++ b/include/openssl/rsa.h | ||
| 251 | @@ -183,6 +183,8 @@ int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx, unsigned char **label); | ||
| 252 | |||
| 253 | # define EVP_PKEY_CTRL_RSA_KEYGEN_PRIMES (EVP_PKEY_ALG_CTRL + 13) | ||
| 254 | |||
| 255 | +# define EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION (EVP_PKEY_ALG_CTRL + 14) | ||
| 256 | + | ||
| 257 | # define RSA_PKCS1_PADDING 1 | ||
| 258 | # define RSA_NO_PADDING 3 | ||
| 259 | # define RSA_PKCS1_OAEP_PADDING 4 | ||
| 260 | @@ -192,6 +194,9 @@ int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx, unsigned char **label); | ||
| 261 | # define RSA_PKCS1_PSS_PADDING 6 | ||
| 262 | # define RSA_PKCS1_WITH_TLS_PADDING 7 | ||
| 263 | |||
| 264 | +/* internal RSA_ only */ | ||
| 265 | +# define RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING 8 | ||
| 266 | + | ||
| 267 | # define RSA_PKCS1_PADDING_SIZE 11 | ||
| 268 | |||
| 269 | # define RSA_set_app_data(s,arg) RSA_set_ex_data(s,0,arg) | ||
| 270 | diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c | ||
| 271 | index c8921acd6e..11a91e62b1 100644 | ||
| 272 | --- a/providers/implementations/asymciphers/rsa_enc.c | ||
| 273 | +++ b/providers/implementations/asymciphers/rsa_enc.c | ||
| 274 | @@ -75,6 +75,8 @@ typedef struct { | ||
| 275 | /* TLS padding */ | ||
| 276 | unsigned int client_version; | ||
| 277 | unsigned int alt_version; | ||
| 278 | + /* PKCS#1 v1.5 decryption mode */ | ||
| 279 | + unsigned int implicit_rejection; | ||
| 280 | } PROV_RSA_CTX; | ||
| 281 | |||
| 282 | static void *rsa_newctx(void *provctx) | ||
| 283 | @@ -107,6 +109,7 @@ static int rsa_init(void *vprsactx, void *vrsa, const OSSL_PARAM params[], | ||
| 284 | RSA_free(prsactx->rsa); | ||
| 285 | prsactx->rsa = vrsa; | ||
| 286 | prsactx->operation = operation; | ||
| 287 | + prsactx->implicit_rejection = 1; | ||
| 288 | |||
| 289 | switch (RSA_test_flags(prsactx->rsa, RSA_FLAG_TYPE_MASK)) { | ||
| 290 | case RSA_FLAG_TYPE_RSA: | ||
| 291 | @@ -199,6 +202,7 @@ static int rsa_decrypt(void *vprsactx, unsigned char *out, size_t *outlen, | ||
| 292 | { | ||
| 293 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; | ||
| 294 | int ret; | ||
| 295 | + int pad_mode; | ||
| 296 | size_t len = RSA_size(prsactx->rsa); | ||
| 297 | |||
| 298 | if (!ossl_prov_is_running()) | ||
| 299 | @@ -276,8 +280,12 @@ static int rsa_decrypt(void *vprsactx, unsigned char *out, size_t *outlen, | ||
| 300 | } | ||
| 301 | OPENSSL_free(tbuf); | ||
| 302 | } else { | ||
| 303 | - ret = RSA_private_decrypt(inlen, in, out, prsactx->rsa, | ||
| 304 | - prsactx->pad_mode); | ||
| 305 | + if ((prsactx->implicit_rejection == 0) && | ||
| 306 | + (prsactx->pad_mode == RSA_PKCS1_PADDING)) | ||
| 307 | + pad_mode = RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING; | ||
| 308 | + else | ||
| 309 | + pad_mode = prsactx->pad_mode; | ||
| 310 | + ret = RSA_private_decrypt(inlen, in, out, prsactx->rsa, pad_mode); | ||
| 311 | } | ||
| 312 | *outlen = constant_time_select_s(constant_time_msb_s(ret), *outlen, ret); | ||
| 313 | ret = constant_time_select_int(constant_time_msb(ret), 0, 1); | ||
| 314 | @@ -401,6 +409,10 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params) | ||
| 315 | if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->alt_version)) | ||
| 316 | return 0; | ||
| 317 | |||
| 318 | + p = OSSL_PARAM_locate(params, OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION); | ||
| 319 | + if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->implicit_rejection)) | ||
| 320 | + return 0; | ||
| 321 | + | ||
| 322 | return 1; | ||
| 323 | } | ||
| 324 | |||
| 325 | @@ -412,6 +424,7 @@ static const OSSL_PARAM known_gettable_ctx_params[] = { | ||
| 326 | NULL, 0), | ||
| 327 | OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION, NULL), | ||
| 328 | OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL), | ||
| 329 | + OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL), | ||
| 330 | OSSL_PARAM_END | ||
| 331 | }; | ||
| 332 | |||
| 333 | @@ -549,6 +562,14 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) | ||
| 334 | return 0; | ||
| 335 | prsactx->alt_version = alt_version; | ||
| 336 | } | ||
| 337 | + p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION); | ||
| 338 | + if (p != NULL) { | ||
| 339 | + unsigned int implicit_rejection; | ||
| 340 | + | ||
| 341 | + if (!OSSL_PARAM_get_uint(p, &implicit_rejection)) | ||
| 342 | + return 0; | ||
| 343 | + prsactx->implicit_rejection = implicit_rejection; | ||
| 344 | + } | ||
| 345 | |||
| 346 | return 1; | ||
| 347 | } | ||
| 348 | @@ -562,6 +583,7 @@ static const OSSL_PARAM known_settable_ctx_params[] = { | ||
| 349 | OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL, NULL, 0), | ||
| 350 | OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION, NULL), | ||
| 351 | OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL), | ||
| 352 | + OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL), | ||
| 353 | OSSL_PARAM_END | ||
| 354 | }; | ||
| 355 | |||
| 356 | -- | ||
| 357 | 2.34.1 | ||
| 358 | |||
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-3.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-3.patch new file mode 100644 index 0000000000..0a1f63f30a --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-3.patch | |||
| @@ -0,0 +1,41 @@ | |||
| 1 | From ba78f7b0599ba5bfb5032dd2664465c5b13388e3 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Hubert Kario <hkario@redhat.com> | ||
| 3 | Date: Tue, 22 Nov 2022 18:25:49 +0100 | ||
| 4 | Subject: [PATCH 3/3] smime/pkcs7: disable the Bleichenbacher workaround | ||
| 5 | |||
| 6 | CVE: CVE-2023-50781 | ||
| 7 | |||
| 8 | Upstream-Status: Backport | ||
| 9 | [https://github.com/openssl/openssl/commit/056dade341d2589975a3aae71f81c8d7061583c7] | ||
| 10 | |||
| 11 | Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> | ||
| 12 | Reviewed-by: Tim Hudson <tjh@openssl.org> | ||
| 13 | Reviewed-by: Tomas Mraz <tomas@openssl.org> | ||
| 14 | (Merged from https://github.com/openssl/openssl/pull/13817) | ||
| 15 | |||
| 16 | Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com> | ||
| 17 | --- | ||
| 18 | crypto/pkcs7/pk7_doit.c | 7 +++++++ | ||
| 19 | 1 file changed, 7 insertions(+) | ||
| 20 | |||
| 21 | diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c | ||
| 22 | index e9de097da1..6d3124da87 100644 | ||
| 23 | --- a/crypto/pkcs7/pk7_doit.c | ||
| 24 | +++ b/crypto/pkcs7/pk7_doit.c | ||
| 25 | @@ -170,6 +170,13 @@ static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen, | ||
| 26 | if (EVP_PKEY_decrypt_init(pctx) <= 0) | ||
| 27 | goto err; | ||
| 28 | |||
| 29 | + if (EVP_PKEY_is_a(pkey, "RSA")) | ||
| 30 | + /* upper layer pkcs7 code incorrectly assumes that a successful RSA | ||
| 31 | + * decryption means that the key matches ciphertext (which never | ||
| 32 | + * was the case, implicit rejection or not), so to make it work | ||
| 33 | + * disable implicit rejection for RSA keys */ | ||
| 34 | + EVP_PKEY_CTX_ctrl_str(pctx, "rsa_pkcs1_implicit_rejection", "0"); | ||
| 35 | + | ||
| 36 | if (EVP_PKEY_decrypt(pctx, NULL, &eklen, | ||
| 37 | ri->enc_key->data, ri->enc_key->length) <= 0) | ||
| 38 | goto err; | ||
| 39 | -- | ||
| 40 | 2.34.1 | ||
| 41 | |||
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-4.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-4.patch new file mode 100644 index 0000000000..c6dad3cbec --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-4.patch | |||
| @@ -0,0 +1,441 @@ | |||
| 1 | From 8ae4f0e68ebb7435be494b58676827ae91695371 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Hubert Kario <hkario@redhat.com> | ||
| 3 | Date: Tue, 12 Jan 2021 14:58:04 +0100 | ||
| 4 | Subject: [PATCH] rsa: add test vectors for the implicit rejection in RSA | ||
| 5 | PKCS#1 v1.5 | ||
| 6 | |||
| 7 | CVE: CVE-2023-50781 | ||
| 8 | |||
| 9 | Upstream-Status: Backport [https://github.com/openssl/openssl/commit/8ae4f0e68ebb7435be494b58676827ae91695371] | ||
| 10 | |||
| 11 | Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> | ||
| 12 | Reviewed-by: Tim Hudson <tjh@openssl.org> | ||
| 13 | Reviewed-by: Tomas Mraz <tomas@openssl.org> | ||
| 14 | (Merged from https://github.com/openssl/openssl/pull/13817) | ||
| 15 | Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com> | ||
| 16 | --- | ||
| 17 | .../30-test_evp_data/evppkey_rsa_common.txt | 408 ++++++++++++++++++ | ||
| 18 | 1 file changed, 408 insertions(+) | ||
| 19 | |||
| 20 | diff --git a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt | ||
| 21 | index 080c4d02af..1405465098 100644 | ||
| 22 | --- a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt | ||
| 23 | +++ b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt | ||
| 24 | @@ -277,6 +277,414 @@ Derive = RSA-2048 | ||
| 25 | Result = KEYOP_INIT_ERROR | ||
| 26 | Reason = operation not supported for this keytype | ||
| 27 | |||
| 28 | +# Test vectors for the Bleichenbacher workaround | ||
| 29 | + | ||
| 30 | +PrivateKey = RSA-2048-2 | ||
| 31 | +-----BEGIN RSA PRIVATE KEY----- | ||
| 32 | +MIIEowIBAAKCAQEAyMyDlxQJjaVsqiNkD5PciZfBY3KWj8Gwxt9RE8HJTosh5IrS | ||
| 33 | +KX5lQZARtObY9ec7G3iyV0ADIdHva2AtTsjOjRQclJBetK0wZjmkkgZTS25/JgdC | ||
| 34 | +Ppff/RM8iNchOZ3vvH6WzNy9fzquH+iScSv7SSmBfVEWZkQKH6y3ogj16hZZEK3Y | ||
| 35 | +o/LUlyAjYMy2MgJPDQcWnBkY8xb3lLFDrvVOyHUipMApePlomYC/+/ZJwwfoGBm/ | ||
| 36 | ++IQJY41IvZS+FStZ/2SfoL1inQ/6GBPDq/S1a9PC6lRl3/oUWJKSqdiiStJr5+4F | ||
| 37 | +EHQbY4LUPIPVv6QKRmE9BivkRVF9vK8MtOGnaQIDAQABAoIBABRVAQ4PLVh2Y6Zm | ||
| 38 | +pv8czbvw7dgQBkbQKgI5IpCJksStOeVWWSlybvZQjDpxFY7wtv91HTnQdYC7LS8G | ||
| 39 | +MhBELQYD/1DbvXs1/iybsZpHoa+FpMJJAeAsqLWLeRmyDt8yqs+/Ua20vEthubfp | ||
| 40 | +aMqk1XD3DvGNgGMiiJPkfUOe/KeTJZvPLNEIo9hojN8HjnrHmZafIznSwfUiuWlo | ||
| 41 | +RimpM7quwmgWJeq4T05W9ER+nYj7mhmc9xAj4OJXsURBszyE07xnyoAx0mEmGBA6 | ||
| 42 | +egpAhEJi912IkM1hblH5A1SI/W4Jnej/bWWk/xGCVIB8n1jS+7qLoVHcjGi+NJyX | ||
| 43 | +eiBOBMECgYEA+PWta6gokxvqRZuKP23AQdI0gkCcJXHpY/MfdIYColY3GziD7UWe | ||
| 44 | +z5cFJkWe3RbgVSL1pF2UdRsuwtrycsf4gWpSwA0YCAFxY02omdeXMiL1G5N2MFSG | ||
| 45 | +lqn32MJKWUl8HvzUVc+5fuhtK200lyszL9owPwSZm062tcwLsz53Yd0CgYEAznou | ||
| 46 | +O0mpC5YzChLcaCvfvfuujdbcA7YUeu+9V1dD8PbaTYYjUGG3Gv2crS00Al5WrIaw | ||
| 47 | +93Q+s14ay8ojeJVCRGW3Bu0iF15XGMjHC2cD6o9rUQ+UW+SOWja7PDyRcytYnfwF | ||
| 48 | +1y2AkDGURSvaITSGR+xylD8RqEbmL66+jrU2sP0CgYB2/hXxiuI5zfHfa0RcpLxr | ||
| 49 | +uWjXiMIZM6T13NKAAz1nEgYswIpt8gTB+9C+RjB0Q+bdSmRWN1Qp1OA4yiVvrxyb | ||
| 50 | +3pHGsXt2+BmV+RxIy768e/DjSUwINZ5OjNalh9e5bWIh/X4PtcVXXwgu5XdpeYBx | ||
| 51 | +sru0oyI4FRtHMUu2VHkDEQKBgQCZiEiwVUmaEAnLx9KUs2sf/fICDm5zZAU+lN4a | ||
| 52 | +AA3JNAWH9+JydvaM32CNdTtjN3sDtvQITSwCfEs4lgpiM7qe2XOLdvEOp1vkVgeL | ||
| 53 | +9wH2fMaz8/3BhuZDNsdrNy6AkQ7ICwrcwj0C+5rhBIaigkgHW06n5W3fzziC5FFW | ||
| 54 | +FHGikQKBgGQ790ZCn32DZnoGUwITR++/wF5jUfghqd67YODszeUAWtnp7DHlWPfp | ||
| 55 | +LCkyjnRWnXzvfHTKvCs1XtQBoaCRS048uwZITlgZYFEWntFMqi76bqBE4FTSYUTM | ||
| 56 | +FinFUBBVigThM/RLfCRNrCW/kTxXuJDuSfVIJZzWNAT+9oWdz5da | ||
| 57 | +-----END RSA PRIVATE KEY----- | ||
| 58 | + | ||
| 59 | +# corresponding public key | ||
| 60 | +PublicKey = RSA-2048-2-PUBLIC | ||
| 61 | +-----BEGIN PUBLIC KEY----- | ||
| 62 | +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyMyDlxQJjaVsqiNkD5Pc | ||
| 63 | +iZfBY3KWj8Gwxt9RE8HJTosh5IrSKX5lQZARtObY9ec7G3iyV0ADIdHva2AtTsjO | ||
| 64 | +jRQclJBetK0wZjmkkgZTS25/JgdCPpff/RM8iNchOZ3vvH6WzNy9fzquH+iScSv7 | ||
| 65 | +SSmBfVEWZkQKH6y3ogj16hZZEK3Yo/LUlyAjYMy2MgJPDQcWnBkY8xb3lLFDrvVO | ||
| 66 | +yHUipMApePlomYC/+/ZJwwfoGBm/+IQJY41IvZS+FStZ/2SfoL1inQ/6GBPDq/S1 | ||
| 67 | +a9PC6lRl3/oUWJKSqdiiStJr5+4FEHQbY4LUPIPVv6QKRmE9BivkRVF9vK8MtOGn | ||
| 68 | +aQIDAQAB | ||
| 69 | +-----END PUBLIC KEY----- | ||
| 70 | + | ||
| 71 | +PrivPubKeyPair = RSA-2048-2:RSA-2048-2-PUBLIC | ||
| 72 | + | ||
| 73 | +# RSA decrypt | ||
| 74 | + | ||
| 75 | +# a random positive test case | ||
| 76 | +Decrypt = RSA-2048-2 | ||
| 77 | +Input = 8bfe264e85d3bdeaa6b8851b8e3b956ee3d226fd3f69063a86880173a273d9f283b2eebdd1ed35f7e02d91c571981b6737d5320bd8396b0f3ad5b019daec1b0aab3cbbc026395f4fd14f13673f2dfc81f9b660ec26ac381e6db3299b4e460b43fab9955df2b3cfaa20e900e19c856238fd371899c2bf2ce8c868b76754e5db3b036533fd603746be13c10d4e3e6022ebc905d20c2a7f32b215a4cd53b3f44ca1c327d2c2b651145821c08396c89071f665349c25e44d2733cd9305985ceef6430c3cf57af5fa224089221218fa34737c79c446d28a94c41c96e4e92ac53fbcf384dea8419ea089f8784445a492c812eb0d409467f75afd7d4d1078886205a066 | ||
| 78 | +Output = "lorem ipsum dolor sit amet" | ||
| 79 | + | ||
| 80 | +# a random negative test case decrypting to empty | ||
| 81 | +Decrypt = RSA-2048-2 | ||
| 82 | +Input = 20aaa8adbbc593a924ba1c5c7990b5c2242ae4b99d0fe636a19a4cf754edbcee774e472fe028160ed42634f8864900cb514006da642cae6ae8c7d087caebcfa6dad1551301e130344989a1d462d4164505f6393933450c67bc6d39d8f5160907cabc251b737925a1cf21e5c6aa5781b7769f6a2a583d97cce008c0f8b6add5f0b2bd80bee60237aa39bb20719fe75749f4bc4e42466ef5a861ae3a92395c7d858d430bfe38040f445ea93fa2958b503539800ffa5ce5f8cf51fa8171a91f36cb4f4575e8de6b4d3f096ee140b938fd2f50ee13f0d050222e2a72b0a3069ff3a6738e82c87090caa5aed4fcbe882c49646aa250b98f12f83c8d528113614a29e7 | ||
| 83 | +Output = | ||
| 84 | + | ||
| 85 | +# invalid decrypting to max length message | ||
| 86 | +Decrypt = RSA-2048-2 | ||
| 87 | +Input = 48cceab10f39a4db32f60074feea473cbcdb7accf92e150417f76b44756b190e843e79ec12aa85083a21f5437e7bad0a60482e601198f9d86923239c8786ee728285afd0937f7dde12717f28389843d7375912b07b991f4fdb0190fced8ba665314367e8c5f9d2981d0f5128feeb46cb50fc237e64438a86df198dd0209364ae3a842d77532b66b7ef263b83b1541ed671b120dfd660462e2107a4ee7b964e734a7bd68d90dda61770658a3c242948532da32648687e0318286473f675b412d6468f013f14d760a358dfcad3cda2afeec5e268a37d250c37f722f468a70dfd92d7294c3c1ee1e7f8843b7d16f9f37ef35748c3ae93aa155cdcdfeb4e78567303 | ||
| 88 | +Output = 22d850137b9eebe092b24f602dc5bb7918c16bd89ddbf20467b119d205f9c2e4bd7d2592cf1e532106e0f33557565923c73a02d4f09c0c22bea89148183e60317f7028b3aa1f261f91c979393101d7e15f4067e63979b32751658ef769610fe97cf9cef3278b3117d384051c3b1d82c251c2305418c8f6840530e631aad63e70e20e025bcd8efb54c92ec6d3b106a2f8e64eeff7d38495b0fc50c97138af4b1c0a67a1c4e27b077b8439332edfa8608dfeae653cd6a628ac550395f7e74390e42c11682234870925eeaa1fa71b76cf1f2ee3bda69f6717033ff8b7c95c9799e7a3bea5e7e4a1c359772fb6b1c6e6c516661dfe30c3 | ||
| 89 | + | ||
| 90 | +# invalid decrypting to message with length specified by second to last value from PRF | ||
| 91 | +Decrypt = RSA-2048-2 | ||
| 92 | +Input = 1439e08c3f84c1a7fec74ce07614b20e01f6fa4e8c2a6cffdc3520d8889e5d9a950c6425798f85d4be38d300ea5695f13ecd4cb389d1ff5b82484b494d6280ab7fa78e645933981cb934cce8bfcd114cc0e6811eefa47aae20af638a1cd163d2d3366186d0a07df0c81f6c9f3171cf3561472e98a6006bf75ddb457bed036dcce199369de7d94ef2c68e8467ee0604eea2b3009479162a7891ba5c40cab17f49e1c438cb6eaea4f76ce23cce0e483ff0e96fa790ea15be67671814342d0a23f4a20262b6182e72f3a67cd289711503c85516a9ed225422f98b116f1ab080a80abd6f0216df88d8cfd67c139243be8dd78502a7aaf6bc99d7da71bcdf627e7354 | ||
| 93 | +Output = 0f9b | ||
| 94 | + | ||
| 95 | +# invalid decrypting to message with length specified by third to last value from PRF | ||
| 96 | +Decrypt = RSA-2048-2 | ||
| 97 | +Input = 1690ebcceece2ce024f382e467cf8510e74514120937978576caf684d4a02ad569e8d76cbe365a060e00779de2f0865ccf0d923de3b4783a4e2c74f422e2f326086c390b658ba47f31ab013aa80f468c71256e5fa5679b24e83cd82c3d1e05e398208155de2212993cd2b8bab6987cf4cc1293f19909219439d74127545e9ed8a706961b8ee2119f6bfacafbef91b75a789ba65b8b833bc6149cf49b5c4d2c6359f62808659ba6541e1cd24bf7f7410486b5103f6c0ea29334ea6f4975b17387474fe920710ea61568d7b7c0a7916acf21665ad5a31c4eabcde44f8fb6120d8457afa1f3c85d517cda364af620113ae5a3c52a048821731922737307f77a1081 | ||
| 98 | +Output = 4f02 | ||
| 99 | + | ||
| 100 | +# positive test with 11 byte long value | ||
| 101 | +Decrypt = RSA-2048-2 | ||
| 102 | +Input = 6213634593332c485cef783ea2846e3d6e8b0e005cd8293eaebbaa5079712fd681579bdfbbda138ae4d9d952917a03c92398ec0cb2bb0c6b5a8d55061fed0d0d8d72473563152648cfe640b335dc95331c21cb133a91790fa93ae44497c128708970d2beeb77e8721b061b1c44034143734a77be8220877415a6dba073c3871605380542a9f25252a4babe8331cdd53cf828423f3cc70b560624d0581fb126b2ed4f4ed358f0eb8065cf176399ac1a846a31055f9ae8c9c24a1ba050bc20842125bc1753158f8065f3adb9cc16bfdf83816bdf38b624f12022c5a6fbfe29bc91542be8c0208a770bcd677dc597f5557dc2ce28a11bf3e3857f158717a33f6592 | ||
| 103 | +Output = "lorem ipsum" | ||
| 104 | + | ||
| 105 | +# positive test with 11 byte long value and zero padded ciphertext | ||
| 106 | +Decrypt = RSA-2048-2 | ||
| 107 | +Input = 00a2e8f114ea8d05d12dc843e3cc3b2edc8229ff2a028bda29ba9d55e3cd02911902fef1f42a075bf05e8016e8567213d6f260fa49e360779dd81aeea3e04c2cb567e0d72b98bf754014561b7511e083d20e0bfb9cd23f8a0d3c88900c49d2fcd5843ff0765607b2026f28202a87aa94678aed22a0c20724541394cd8f44e373eba1d2bae98f516c1e2ba3d86852d064f856b1daf24795e767a2b90396e50743e3150664afab131fe40ea405dcf572dd1079af1d3f0392ccadcca0a12740dbb213b925ca2a06b1bc1383e83a658c82ba2e7427342379084d5f66b544579f07664cb26edd4f10fd913fdbc0de05ef887d4d1ec1ac95652397ea7fd4e4759fda8b | ||
| 108 | +Output = "lorem ipsum" | ||
| 109 | + | ||
| 110 | +# positive test with 11 byte long value and zero truncated ciphertext | ||
| 111 | +Decrypt = RSA-2048-2 | ||
| 112 | +Input = a2e8f114ea8d05d12dc843e3cc3b2edc8229ff2a028bda29ba9d55e3cd02911902fef1f42a075bf05e8016e8567213d6f260fa49e360779dd81aeea3e04c2cb567e0d72b98bf754014561b7511e083d20e0bfb9cd23f8a0d3c88900c49d2fcd5843ff0765607b2026f28202a87aa94678aed22a0c20724541394cd8f44e373eba1d2bae98f516c1e2ba3d86852d064f856b1daf24795e767a2b90396e50743e3150664afab131fe40ea405dcf572dd1079af1d3f0392ccadcca0a12740dbb213b925ca2a06b1bc1383e83a658c82ba2e7427342379084d5f66b544579f07664cb26edd4f10fd913fdbc0de05ef887d4d1ec1ac95652397ea7fd4e4759fda8b | ||
| 113 | +Output = "lorem ipsum" | ||
| 114 | + | ||
| 115 | +# positive test with 11 byte long value and double zero padded ciphertext | ||
| 116 | +Decrypt = RSA-2048-2 | ||
| 117 | +Input = 00001f71879b426127f7dead621f7380a7098cf7d22173aa27991b143c46d53383c209bd0c9c00d84078037e715f6b98c65005a77120070522ede51d472c87ef94b94ead4c5428ee108a345561658301911ec5a8f7dd43ed4a3957fd29fb02a3529bf63f8040d3953490939bd8f78b2a3404b6fb5ff70a4bfdaac5c541d6bcce49c9778cc390be24cbef1d1eca7e870457241d3ff72ca44f9f56bdf31a890fa5eb3a9107b603ccc9d06a5dd911a664c82b6abd4fe036f8db8d5a070c2d86386ae18d97adc1847640c211d91ff5c3387574a26f8ef27ca7f48d2dd1f0c7f14b81cc9d33ee6853031d3ecf10a914ffd90947909c8011fd30249219348ebff76bfc | ||
| 118 | +Output = "lorem ipsum" | ||
| 119 | + | ||
| 120 | +# positive test with 11 byte long value and double zero truncated ciphertext | ||
| 121 | +Decrypt = RSA-2048-2 | ||
| 122 | +Input = 1f71879b426127f7dead621f7380a7098cf7d22173aa27991b143c46d53383c209bd0c9c00d84078037e715f6b98c65005a77120070522ede51d472c87ef94b94ead4c5428ee108a345561658301911ec5a8f7dd43ed4a3957fd29fb02a3529bf63f8040d3953490939bd8f78b2a3404b6fb5ff70a4bfdaac5c541d6bcce49c9778cc390be24cbef1d1eca7e870457241d3ff72ca44f9f56bdf31a890fa5eb3a9107b603ccc9d06a5dd911a664c82b6abd4fe036f8db8d5a070c2d86386ae18d97adc1847640c211d91ff5c3387574a26f8ef27ca7f48d2dd1f0c7f14b81cc9d33ee6853031d3ecf10a914ffd90947909c8011fd30249219348ebff76bfc | ||
| 123 | +Output = "lorem ipsum" | ||
| 124 | + | ||
| 125 | +# positive that generates a 0 byte long synthethic message internally | ||
| 126 | +Decrypt = RSA-2048-2 | ||
| 127 | +Input = b5e49308f6e9590014ffaffc5b8560755739dd501f1d4e9227a7d291408cf4b753f292322ff8bead613bf2caa181b221bc38caf6392deafb28eb21ad60930841ed02fd6225cc9c463409adbe7d8f32440212fbe3881c51375bb09565efb22e62b071472fb38676e5b4e23a0617db5d14d93519ac0007a30a9c822eb31c38b57fcb1be29608fcf1ca2abdcaf5d5752bbc2b5ac7dba5afcff4a5641da360dd01f7112539b1ed46cdb550a3b1006559b9fe1891030ec80f0727c42401ddd6cbb5e3c80f312df6ec89394c5a7118f573105e7ab00fe57833c126141b50a935224842addfb479f75160659ba28877b512bb9a93084ad8bec540f92640f63a11a010e0 | ||
| 128 | +Output = "lorem ipsum" | ||
| 129 | + | ||
| 130 | +# positive that generates a 245 byte long synthethic message internally | ||
| 131 | +Decrypt = RSA-2048-2 | ||
| 132 | +Input = 1ea0b50ca65203d0a09280d39704b24fe6e47800189db5033f202761a78bafb270c5e25abd1f7ecc6e7abc4f26d1b0cd9b8c648d529416ee64ccbdd7aa72a771d0353262b543f0e436076f40a1095f5c7dfd10dcf0059ccb30e92dfa5e0156618215f1c3ff3aa997a9d999e506924f5289e3ac72e5e2086cc7b499d71583ed561028671155db4005bee01800a7cdbdae781dd32199b8914b5d4011dd6ff11cd26d46aad54934d293b0bc403dd211bf13b5a5c6836a5e769930f437ffd8634fb7371776f4bc88fa6c271d8aa6013df89ae6470154497c4ac861be2a1c65ebffec139bf7aaba3a81c7c5cdd84da9af5d3edfb957848074686b5837ecbcb6a41c50 | ||
| 133 | +Output = "lorem ipsum" | ||
| 134 | + | ||
| 135 | +# a random negative test that generates an 11 byte long message | ||
| 136 | +Decrypt = RSA-2048-2 | ||
| 137 | +Input = 5f02f4b1f46935c742ebe62b6f05aa0a3286aab91a49b34780adde6410ab46f7386e05748331864ac98e1da63686e4babe3a19ed40a7f5ceefb89179596aab07ab1015e03b8f825084dab028b6731288f2e511a4b314b6ea3997d2e8fe2825cef8897cbbdfb6c939d441d6e04948414bb69e682927ef8576c9a7090d4aad0e74c520d6d5ce63a154720f00b76de8cc550b1aa14f016d63a7b6d6eaa1f7dbe9e50200d3159b3d099c900116bf4eba3b94204f18b1317b07529751abf64a26b0a0bf1c8ce757333b3d673211b67cc0653f2fe2620d57c8b6ee574a0323a167eab1106d9bc7fd90d415be5f1e9891a0e6c709f4fc0404e8226f8477b4e939b36eb2 | ||
| 138 | +Output = af9ac70191c92413cb9f2d | ||
| 139 | + | ||
| 140 | +# an otherwise correct plaintext, but with wrong first byte | ||
| 141 | +# (0x01 instead of 0x00), generates a random 11 byte long plaintext | ||
| 142 | +Decrypt = RSA-2048-2 | ||
| 143 | +Input = 9b2ec9c0c917c98f1ad3d0119aec6be51ae3106e9af1914d48600ab6a2c0c0c8ae02a2dc3039906ff3aac904af32ec798fd65f3ad1afa2e69400e7c1de81f5728f3b3291f38263bc7a90a0563e43ce7a0d4ee9c0d8a716621ca5d3d081188769ce1b131af7d35b13dea99153579c86db31fe07d5a2c14d621b77854e48a8df41b5798563af489a291e417b6a334c63222627376118c02c53b6e86310f728734ffc86ef9d7c8bf56c0c841b24b82b59f51aee4526ba1c4268506d301e4ebc498c6aebb6fd5258c876bf900bac8ca4d309dd522f6a6343599a8bc3760f422c10c72d0ad527ce4af1874124ace3d99bb74db8d69d2528db22c3a37644640f95c05f | ||
| 144 | +Output = a1f8c9255c35cfba403ccc | ||
| 145 | + | ||
| 146 | +# an otherwise correct plaintext, but with wrong second byte | ||
| 147 | +# (0x01 instead of 0x02), generates a random 11 byte long plaintext | ||
| 148 | +Decrypt = RSA-2048-2 | ||
| 149 | +Input = 782c2b59a21a511243820acedd567c136f6d3090c115232a82a5efb0b178285f55b5ec2d2bac96bf00d6592ea7cdc3341610c8fb07e527e5e2d20cfaf2c7f23e375431f45e998929a02f25fd95354c33838090bca838502259e92d86d568bc2cdb132fab2a399593ca60a015dc2bb1afcd64fef8a3834e17e5358d822980dc446e845b3ab4702b1ee41fe5db716d92348d5091c15d35a110555a35deb4650a5a1d2c98025d42d4544f8b32aa6a5e02dc02deaed9a7313b73b49b0d4772a3768b0ea0db5846ace6569cae677bf67fb0acf3c255dc01ec8400c963b6e49b1067728b4e563d7e1e1515664347b92ee64db7efb5452357a02fff7fcb7437abc2e579 | ||
| 150 | +Output = e6d700309ca0ed62452254 | ||
| 151 | + | ||
| 152 | +# an invalid ciphertext, with a zero byte in first byte of | ||
| 153 | +# ciphertext, decrypts to a random 11 byte long synthethic | ||
| 154 | +# plaintext | ||
| 155 | +Decrypt = RSA-2048-2 | ||
| 156 | +Input = 0096136621faf36d5290b16bd26295de27f895d1faa51c800dafce73d001d60796cd4e2ac3fa2162131d859cd9da5a0c8a42281d9a63e5f353971b72e36b5722e4ac444d77f892a5443deb3dca49fa732fe855727196e23c26eeac55eeced8267a209ebc0f92f4656d64a6c13f7f7ce544ebeb0f668fe3a6c0f189e4bcd5ea12b73cf63e0c8350ee130dd62f01e5c97a1e13f52fde96a9a1bc9936ce734fdd61f27b18216f1d6de87f49cf4f2ea821fb8efd1f92cdad529baf7e31aff9bff4074f2cad2b4243dd15a711adcf7de900851fbd6bcb53dac399d7c880531d06f25f7002e1aaf1722765865d2c2b902c7736acd27bc6cbd3e38b560e2eecf7d4b576 | ||
| 157 | +Output = ba27b1842e7c21c0e7ef6a | ||
| 158 | + | ||
| 159 | +# an invalid ciphertext, with a zero byte removed from first byte of | ||
| 160 | +# ciphertext, decrypts to a random 11 byte long synthethic | ||
| 161 | +# plaintext | ||
| 162 | +Decrypt = RSA-2048-2 | ||
| 163 | +Input = 96136621faf36d5290b16bd26295de27f895d1faa51c800dafce73d001d60796cd4e2ac3fa2162131d859cd9da5a0c8a42281d9a63e5f353971b72e36b5722e4ac444d77f892a5443deb3dca49fa732fe855727196e23c26eeac55eeced8267a209ebc0f92f4656d64a6c13f7f7ce544ebeb0f668fe3a6c0f189e4bcd5ea12b73cf63e0c8350ee130dd62f01e5c97a1e13f52fde96a9a1bc9936ce734fdd61f27b18216f1d6de87f49cf4f2ea821fb8efd1f92cdad529baf7e31aff9bff4074f2cad2b4243dd15a711adcf7de900851fbd6bcb53dac399d7c880531d06f25f7002e1aaf1722765865d2c2b902c7736acd27bc6cbd3e38b560e2eecf7d4b576 | ||
| 164 | +Output = ba27b1842e7c21c0e7ef6a | ||
| 165 | + | ||
| 166 | +# an invalid ciphertext, with two zero bytes in first bytes of | ||
| 167 | +# ciphertext, decrypts to a random 11 byte long synthethic | ||
| 168 | +# plaintext | ||
| 169 | +Decrypt = RSA-2048-2 | ||
| 170 | +Input = 0000587cccc6b264bdfe0dc2149a988047fa921801f3502ea64624c510c6033d2f427e3f136c26e88ea9f6519e86a542cec96aad1e5e9013c3cc203b6de15a69183050813af5c9ad79703136d4b92f50ce171eefc6aa7988ecf02f319ffc5eafd6ee7a137f8fce64b255bb1b8dd19cfe767d64fdb468b9b2e9e7a0c24dae03239c8c714d3f40b7ee9c4e59ac15b17e4d328f1100756bce17133e8e7493b54e5006c3cbcdacd134130c5132a1edebdbd01a0c41452d16ed7a0788003c34730d0808e7e14c797a21f2b45a8aa1644357fd5e988f99b017d9df37563a354c788dc0e2f9466045622fa3f3e17db63414d27761f57392623a2bef6467501c63e8d645 | ||
| 171 | +Output = d5cf555b1d6151029a429a | ||
| 172 | + | ||
| 173 | +# an invalid ciphertext, with two zero bytes removed from first bytes of | ||
| 174 | +# ciphertext, decrypts to a random 11 byte long synthethic | ||
| 175 | +# plaintext | ||
| 176 | +Decrypt = RSA-2048-2 | ||
| 177 | +Input = 587cccc6b264bdfe0dc2149a988047fa921801f3502ea64624c510c6033d2f427e3f136c26e88ea9f6519e86a542cec96aad1e5e9013c3cc203b6de15a69183050813af5c9ad79703136d4b92f50ce171eefc6aa7988ecf02f319ffc5eafd6ee7a137f8fce64b255bb1b8dd19cfe767d64fdb468b9b2e9e7a0c24dae03239c8c714d3f40b7ee9c4e59ac15b17e4d328f1100756bce17133e8e7493b54e5006c3cbcdacd134130c5132a1edebdbd01a0c41452d16ed7a0788003c34730d0808e7e14c797a21f2b45a8aa1644357fd5e988f99b017d9df37563a354c788dc0e2f9466045622fa3f3e17db63414d27761f57392623a2bef6467501c63e8d645 | ||
| 178 | +Output = d5cf555b1d6151029a429a | ||
| 179 | + | ||
| 180 | +# and invalid ciphertext, otherwise valid but starting with 000002, decrypts | ||
| 181 | +# to random 11 byte long synthethic plaintext | ||
| 182 | +Decrypt = RSA-2048-2 | ||
| 183 | +Input = 1786550ce8d8433052e01ecba8b76d3019f1355b212ac9d0f5191b023325a7e7714b7802f8e9a17c4cb3cd3a84041891471b10ca1fcfb5d041d34c82e6d0011cf4dc76b90e9c2e0743590579d55bcd7857057152c4a8040361343d1d22ba677d62b011407c652e234b1d663af25e2386251d7409190f19fc8ec3f9374fdf1254633874ce2ec2bff40ad0cb473f9761ec7b68da45a4bd5e33f5d7dac9b9a20821df9406b653f78a95a6c0ea0a4d57f867e4db22c17bf9a12c150f809a7b72b6db86c22a8732241ebf3c6a4f2cf82671d917aba8bc61052b40ccddd743a94ea9b538175106201971cca9d136d25081739aaf6cd18b2aecf9ad320ea3f89502f955 | ||
| 184 | +Output = 3d4a054d9358209e9cbbb9 | ||
| 185 | + | ||
| 186 | +# negative test with otherwise valid padding but a zero byte in first byte | ||
| 187 | +# of padding | ||
| 188 | +Decrypt = RSA-2048-2 | ||
| 189 | +Input = 179598823812d2c58a7eb50521150a48bcca8b4eb53414018b6bca19f4801456c5e36a940037ac516b0d6412ba44ec6b4f268a55ef1c5ffbf18a2f4e3522bb7b6ed89774b79bffa22f7d3102165565642de0d43a955e96a1f2e80e5430671d7266eb4f905dc8ff5e106dc5588e5b0289e49a4913940e392a97062616d2bda38155471b7d360cfb94681c702f60ed2d4de614ea72bf1c53160e63179f6c5b897b59492bee219108309f0b7b8cb2b136c346a5e98b8b4b8415fb1d713bae067911e3057f1c335b4b7e39101eafd5d28f0189037e4334f4fdb9038427b1d119a6702aa8233319cc97d496cc289ae8c956ddc84042659a2d43d6aa22f12b81ab884e | ||
| 190 | +Output = 1f037dd717b07d3e7f7359 | ||
| 191 | + | ||
| 192 | +# negative test with otherwise valid padding but a zero byte at the eigth | ||
| 193 | +# byte of padding | ||
| 194 | +Decrypt = RSA-2048-2 | ||
| 195 | +Input = a7a340675a82c30e22219a55bc07cdf36d47d01834c1834f917f18b517419ce9de2a96460e745024436470ed85e94297b283537d52189c406a3f533cb405cc6a9dba46b482ce98b6e3dd52d8fce2237425617e38c11fbc46b61897ef200d01e4f25f5f6c4c5b38cd0de38ba11908b86595a8036a08a42a3d05b79600a97ac18ba368a08d6cf6ccb624f6e8002afc75599fba4de3d4f3ba7d208391ebe8d21f8282b18e2c10869eb2702e68f9176b42b0ddc9d763f0c86ba0ff92c957aaeab76d9ab8da52ea297ec11d92d770146faa1b300e0f91ef969b53e7d2907ffc984e9a9c9d11fb7d6cba91972059b46506b035efec6575c46d7114a6b935864858445f | ||
| 196 | +Output = 63cb0bf65fc8255dd29e17 | ||
| 197 | + | ||
| 198 | +# negative test with an otherwise valid plaintext but with missing separator | ||
| 199 | +# byte | ||
| 200 | +Decrypt = RSA-2048-2 | ||
| 201 | +Input = 3d1b97e7aa34eaf1f4fc171ceb11dcfffd9a46a5b6961205b10b302818c1fcc9f4ec78bf18ea0cee7e9fa5b16fb4c611463b368b3312ac11cf9c06b7cf72b54e284848a508d3f02328c62c2999d0fb60929f81783c7a256891bc2ff4d91df2af96a24fc5701a1823af939ce6dbdc510608e3d41eec172ad2d51b9fc61b4217c923cadcf5bac321355ef8be5e5f090cdc2bd0c697d9058247db3ad613fdce87d2955a6d1c948a5160f93da21f731d74137f5d1f53a1923adb513d2e6e1589d44cc079f4c6ddd471d38ac82d20d8b1d21f8d65f3b6907086809f4123e08d86fb38729585de026a485d8f0e703fd4772f6668febf67df947b82195fa3867e3a3065 | ||
| 202 | +Output = 6f09a0b62699337c497b0b | ||
| 203 | + | ||
| 204 | +# Test vectors for the Bleichenbacher workaround (2049 bit key size) | ||
| 205 | + | ||
| 206 | +PrivateKey = RSA-2049 | ||
| 207 | +-----BEGIN RSA PRIVATE KEY----- | ||
| 208 | +MIIEpQIBAAKCAQEBVfiJVWoXdfHHp3hqULGLwoyemG7eVmfKs5uEEk6Q66dcHbCD | ||
| 209 | +rD5EO7qU3CNWD3XjqBaToqQ73HQm2MTq/mjIXeD+dX9uSbue1EfmAkMIANuwTOsi | ||
| 210 | +5/pXoY0zj7ZgJs20Z+cMwEDn02fvQDx78ePfYkZQCUYx8h6v0vtbyRX/BDeazRES | ||
| 211 | +9zLAtGYHwXjTiiD1LtpQny+cBAXVEGnoDM+UFVTQRwRnUFw89UHqCJffyfQAzssp | ||
| 212 | +j/x1M3LZ9pM68XTMQO2W1GcDFzO5f4zd0/krw6A+qFdsQX8kAHteT3UBEFtUTen6 | ||
| 213 | +3N/635jftLsFuBmfP4Ws/ZH3qaCUuaOD9QSQlwIDAQABAoIBAQEZwrP1CnrWFSZ5 | ||
| 214 | +1/9RCVisLYym8AKFkvMy1VoWc2F4qOZ/F+cFzjAOPodUclEAYBP5dNCj20nvNEyl | ||
| 215 | +omo0wEUHBNDkIuDOI6aUJcFf77bybhBu7/ZMyLnXRC5NpOjIUAjq6zZYWaIpT6OT | ||
| 216 | +e8Jr5WMy59geLBYO9jXMUoqnvlXmM6cj28Hha6KeUrKa7y+eVlT9wGZrsPwlSsvo | ||
| 217 | +DmOHTw9fAgeC48nc/CUg0MnEp7Y05FA/u0k+Gq/us/iL16EzmHJdrm/jmed1zV1M | ||
| 218 | +8J/IODR8TJjasaSIPM5iBRNhWvqhCmM2jm17ed9BZqsWJznvUVpEAu4eBgHFpVvH | ||
| 219 | +HfDjDt+BAoGBAYj2k2DwHhjZot4pUlPSUsMeRHbOpf97+EE99/3jVlI83JdoBfhP | ||
| 220 | +wN3sdw3wbO0GXIETSHVLNGrxaXVod/07PVaGgsh4fQsxTvasZ9ZegTM5i2Kgg8D4 | ||
| 221 | +dlxa1A1agfm73OJSftfpUAjLECnLTKvR+em+38KGyWVSJV2n6rGSF473AoGBAN7H | ||
| 222 | +zxHa3oOkxD0vgBl/If1dRv1XtDH0T+gaHeN/agkf/ARk7ZcdyFCINa3mzF9Wbzll | ||
| 223 | +YTqLNnmMkubiP1LvkH6VZ+NBvrxTNxiWJfu+qx87ez+S/7JoHm71p4SowtePfC2J | ||
| 224 | +qqok0s7b0GaBz+ZcNse/o8W6E1FiIi71wukUyYNhAoGAEgk/OnPK7dkPYKME5FQC | ||
| 225 | ++HGrMsjJVbCa9GOjvkNw8tVYSpq7q2n9sDHqRPmEBl0EYehAqyGIhmAONxVUbIsL | ||
| 226 | +ha0m04y0MI9S0H+ZRH2R8IfzndNAONsuk46XrQU6cfvtZ3Xh3IcY5U5sr35lRn2c | ||
| 227 | +ut3H52XIWJ4smN/cJcpOyoECgYEAjM5hNHnPlgj392wkXPkbtJXWHp3mSISQVLTd | ||
| 228 | +G0MW8/mBQg3AlXi/eRb+RpHPrppk5jQLhgMjRSPyXXe2amb8PuWTqfGN6l32PtX3 | ||
| 229 | +3+udILpppb71Wf+w7JTbcl9v9uq7o9SVR8DKdPA+AeweSQ0TmqCnlHuNZizOSjwP | ||
| 230 | +G16GF0ECgYEA+ZWbNMS8qM5IiHgbMbHptdit9dDT4+1UXoNn0/hUW6ZEMriHMDXv | ||
| 231 | +iBwrzeANGAn5LEDYeDe1xPms9Is2uNxTpZVhpFZSNALR6Po68wDlTJG2PmzuBv5t | ||
| 232 | +5mbzkpWCoD4fRU53ifsHgaTW+7Um74gWIf0erNIUZuTN2YrtEPTnb3k= | ||
| 233 | +-----END RSA PRIVATE KEY----- | ||
| 234 | + | ||
| 235 | +# corresponding public key | ||
| 236 | +PublicKey = RSA-2049-PUBLIC | ||
| 237 | +-----BEGIN PUBLIC KEY----- | ||
| 238 | +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEBVfiJVWoXdfHHp3hqULGL | ||
| 239 | +woyemG7eVmfKs5uEEk6Q66dcHbCDrD5EO7qU3CNWD3XjqBaToqQ73HQm2MTq/mjI | ||
| 240 | +XeD+dX9uSbue1EfmAkMIANuwTOsi5/pXoY0zj7ZgJs20Z+cMwEDn02fvQDx78ePf | ||
| 241 | +YkZQCUYx8h6v0vtbyRX/BDeazRES9zLAtGYHwXjTiiD1LtpQny+cBAXVEGnoDM+U | ||
| 242 | +FVTQRwRnUFw89UHqCJffyfQAzsspj/x1M3LZ9pM68XTMQO2W1GcDFzO5f4zd0/kr | ||
| 243 | +w6A+qFdsQX8kAHteT3UBEFtUTen63N/635jftLsFuBmfP4Ws/ZH3qaCUuaOD9QSQ | ||
| 244 | +lwIDAQAB | ||
| 245 | +-----END PUBLIC KEY----- | ||
| 246 | + | ||
| 247 | +PrivPubKeyPair = RSA-2049:RSA-2049-PUBLIC | ||
| 248 | + | ||
| 249 | +# RSA decrypt | ||
| 250 | + | ||
| 251 | +# malformed that generates length specified by 3rd last value from PRF | ||
| 252 | +Decrypt = RSA-2049 | ||
| 253 | +Input = 00b26f6404b82649629f2704494282443776929122e279a9cf30b0c6fe8122a0a9042870d97cc8ef65490fe58f031eb2442352191f5fbc311026b5147d32df914599f38b825ebb824af0d63f2d541a245c5775d1c4b78630e4996cc5fe413d38455a776cf4edcc0aa7fccb31c584d60502ed2b77398f536e137ff7ba6430e9258e21c2db5b82f5380f566876110ac4c759178900fbad7ab70ea07b1daf7a1639cbb4196543a6cbe8271f35dddb8120304f6eef83059e1c5c5678710f904a6d760c4d1d8ad076be17904b9e69910040b47914a0176fb7eea0c06444a6c4b86d674d19a556a1de5490373cb01ce31bbd15a5633362d3d2cd7d4af1b4c5121288b894 | ||
| 254 | +Output = 42 | ||
| 255 | + | ||
| 256 | +# simple positive test case | ||
| 257 | +Decrypt = RSA-2049 | ||
| 258 | +Input = 013300edbf0bb3571e59889f7ed76970bf6d57e1c89bbb6d1c3991d9df8e65ed54b556d928da7d768facb395bbcc81e9f8573b45cf8195dbd85d83a59281cddf4163aec11b53b4140053e3bd109f787a7c3cec31d535af1f50e0598d85d96d91ea01913d07097d25af99c67464ebf2bb396fb28a9233e56f31f7e105d71a23e9ef3b736d1e80e713d1691713df97334779552fc94b40dd733c7251bc522b673d3ec9354af3dd4ad44fa71c0662213a57ada1d75149697d0eb55c053aaed5ffd0b815832f454179519d3736fb4faf808416071db0d0f801aca8548311ee708c131f4be658b15f6b54256872c2903ac708bd43b017b073b5707bc84c2cd9da70e967 | ||
| 259 | +Output = "lorem ipsum" | ||
| 260 | + | ||
| 261 | +# positive test case with null padded ciphertext | ||
| 262 | +Decrypt = RSA-2049 | ||
| 263 | +Input = 0002aadf846a329fadc6760980303dbd87bfadfa78c2015ce4d6c5782fd9d3f1078bd3c0a2c5bfbdd1c024552e5054d98b5bcdc94e476dd280e64d650089326542ce7c61d4f1ab40004c2e6a88a883613568556a10f3f9edeab67ae8dddc1e6b0831c2793d2715de943f7ce34c5c05d1b09f14431fde566d17e76c9feee90d86a2c158616ec81dda0c642f58c0ba8fa4495843124a7235d46fb4069715a51bf710fd024259131ba94da73597ace494856c94e7a3ec261545793b0990279b15fa91c7fd13dbfb1df2f221dab9fa9f7c1d21e48aa49f6aaecbabf5ee76dc6c2af2317ffb4e303115386a97f8729afc3d0c89419669235f1a3a69570e0836c79fc162 | ||
| 264 | +Output = "lorem ipsum" | ||
| 265 | + | ||
| 266 | +# positive test case with null truncated ciphertext | ||
| 267 | +Decrypt = RSA-2049 | ||
| 268 | +Input = 02aadf846a329fadc6760980303dbd87bfadfa78c2015ce4d6c5782fd9d3f1078bd3c0a2c5bfbdd1c024552e5054d98b5bcdc94e476dd280e64d650089326542ce7c61d4f1ab40004c2e6a88a883613568556a10f3f9edeab67ae8dddc1e6b0831c2793d2715de943f7ce34c5c05d1b09f14431fde566d17e76c9feee90d86a2c158616ec81dda0c642f58c0ba8fa4495843124a7235d46fb4069715a51bf710fd024259131ba94da73597ace494856c94e7a3ec261545793b0990279b15fa91c7fd13dbfb1df2f221dab9fa9f7c1d21e48aa49f6aaecbabf5ee76dc6c2af2317ffb4e303115386a97f8729afc3d0c89419669235f1a3a69570e0836c79fc162 | ||
| 269 | +Output = "lorem ipsum" | ||
| 270 | + | ||
| 271 | +# positive test case with double null padded ciphertext | ||
| 272 | +Decrypt = RSA-2049 | ||
| 273 | +Input = 0000f36da3b72d8ff6ded74e7efd08c01908f3f5f0de7b55eab92b5f875190809c39d4162e1e6649618f854fd84aeab03970d16bb814e999852c06de38d82b95c0f32e2a7b5714021fe303389be9c0eac24c90a6b7210f929d390fabf903d44e04110bb7a7fd6c383c275804721efa6d7c93aa64c0bb2b18d97c5220a846c66a4895ae52adddbe2a9996825e013585adcec4b32ba61d782737bd343e5fabd68e8a95b8b1340318559860792dd70dffbe05a1052b54cbfb48cfa7bb3c19cea52076bddac5c25ee276f153a610f6d06ed696d192d8ae4507ffae4e5bdda10a625d6b67f32f7cffcd48dee2431fe66f6105f9d17e611cdcc674868e81692a360f4052 | ||
| 274 | +Output = "lorem ipsum" | ||
| 275 | + | ||
| 276 | +# positive test case with double null truncated ciphertext | ||
| 277 | +Decrypt = RSA-2049 | ||
| 278 | +Input = f36da3b72d8ff6ded74e7efd08c01908f3f5f0de7b55eab92b5f875190809c39d4162e1e6649618f854fd84aeab03970d16bb814e999852c06de38d82b95c0f32e2a7b5714021fe303389be9c0eac24c90a6b7210f929d390fabf903d44e04110bb7a7fd6c383c275804721efa6d7c93aa64c0bb2b18d97c5220a846c66a4895ae52adddbe2a9996825e013585adcec4b32ba61d782737bd343e5fabd68e8a95b8b1340318559860792dd70dffbe05a1052b54cbfb48cfa7bb3c19cea52076bddac5c25ee276f153a610f6d06ed696d192d8ae4507ffae4e5bdda10a625d6b67f32f7cffcd48dee2431fe66f6105f9d17e611cdcc674868e81692a360f4052 | ||
| 279 | +Output = "lorem ipsum" | ||
| 280 | + | ||
| 281 | +# a random negative test case that generates an 11 byte long message | ||
| 282 | +Decrypt = RSA-2049 | ||
| 283 | +Input = 00f910200830fc8fff478e99e145f1474b312e2512d0f90b8cef77f8001d09861688c156d1cbaf8a8957f7ebf35f724466952d0524cad48aad4fba1e45ce8ea27e8f3ba44131b7831b62d60c0762661f4c1d1a88cd06263a259abf1ba9e6b0b172069afb86a7e88387726f8ab3adb30bfd6b3f6be6d85d5dfd044e7ef052395474a9cbb1c3667a92780b43a22693015af6c513041bdaf87d43b24ddd244e791eeaea1066e1f4917117b3a468e22e0f7358852bb981248de4d720add2d15dccba6280355935b67c96f9dcb6c419cc38ab9f6fba2d649ef2066e0c34c9f788ae49babd9025fa85b21113e56ce4f43aa134c512b030dd7ac7ce82e76f0be9ce09ebca | ||
| 284 | +Output = 1189b6f5498fd6df532b00 | ||
| 285 | + | ||
| 286 | +# otherwise correct plaintext, but with wrong first byte (0x01 instead of 0x00) | ||
| 287 | +Decrypt = RSA-2049 | ||
| 288 | +Input = 002c9ddc36ba4cf0038692b2d3a1c61a4bb3786a97ce2e46a3ba74d03158aeef456ce0f4db04dda3fe062268a1711250a18c69778a6280d88e133a16254e1f0e30ce8dac9b57d2e39a2f7d7be3ee4e08aec2fdbe8dadad7fdbf442a29a8fb40857407bf6be35596b8eefb5c2b3f58b894452c2dc54a6123a1a38d642e23751746597e08d71ac92704adc17803b19e131b4d1927881f43b0200e6f95658f559f912c889b4cd51862784364896cd6e8618f485a992f82997ad6a0917e32ae5872eaf850092b2d6c782ad35f487b79682333c1750c685d7d32ab3e1538f31dcaa5e7d5d2825875242c83947308dcf63ba4bfff20334c9c140c837dbdbae7a8dee72ff | ||
| 289 | +Output = f6d0f5b78082fe61c04674 | ||
| 290 | + | ||
| 291 | +# otherwise correct plaintext, but with wrong second byte (0x01 instead of 0x02) | ||
| 292 | +Decrypt = RSA-2049 | ||
| 293 | +Input = 00c5d77826c1ab7a34d6390f9d342d5dbe848942e2618287952ba0350d7de6726112e9cebc391a0fae1839e2bf168229e3e0d71d4161801509f1f28f6e1487ca52df05c466b6b0a6fbbe57a3268a970610ec0beac39ec0fa67babce1ef2a86bf77466dc127d7d0d2962c20e66593126f276863cd38dc6351428f884c1384f67cad0a0ffdbc2af16711fb68dc559b96b37b4f04cd133ffc7d79c43c42ca4948fa895b9daeb853150c8a5169849b730cc77d68b0217d6c0e3dbf38d751a1998186633418367e7576530566c23d6d4e0da9b038d0bb5169ce40133ea076472d055001f0135645940fd08ea44269af2604c8b1ba225053d6db9ab43577689401bdc0f3 | ||
| 294 | +Output = 1ab287fcef3ff17067914d | ||
| 295 | + | ||
| 296 | +# RSA decrypt with 3072 bit keys | ||
| 297 | +PrivateKey = RSA-3072 | ||
| 298 | +-----BEGIN RSA PRIVATE KEY----- | ||
| 299 | +MIIG5AIBAAKCAYEAr9ccqtXp9bjGw2cHCkfxnX5mrt4YpbJ0H7PE0zQ0VgaSotkJ | ||
| 300 | +72iI7GAv9rk68ljudDA8MBr81O2+xDMR3cjdvwDdu+OG0zuNDiKxtEk23EiYcbhS | ||
| 301 | +N7NM50etj9sMTk0dqnqt8HOFxchzLMt9Wkni5QyIPH16wQ7Wp02ayQ35EpkFoX1K | ||
| 302 | +CHIQ/Hi20EseuWlILBGm7recUOWxbz8lT3VxUosvFxargW1uygcnveqYBZMpcw64 | ||
| 303 | +wzznHWHdSsOTtiVuB6wdEk8CANHD4FpMG8fx7S/IPlcZnP5ZCLEAh+J/vZfSwkIU | ||
| 304 | +YZxxR8j778o5vCVnYqaCNTH34jTWjq56DZ+vEN0V6VI3gMfVrlgJStUlqQY7TDP5 | ||
| 305 | +XhAG2i6xLTdDaJSVwfICPkBzU8XrPkyhxIz/gaEJANFIIOuAGvTxpZbEuc6aUx/P | ||
| 306 | +ilTZ/9ckJYtu7CAQjfb9/XbUrgO6fqWY3LDkooCElYcob01/JWzoXl61Z5sdrMH5 | ||
| 307 | +CVZJty5foHKusAN5AgMBAAECggGAJRfqyzr+9L/65gOY35lXpdKhVKgzaNjhWEKy | ||
| 308 | +9Z7gn3kZe9LvHprdr4eG9rQSdEdAXjBCsh8vULeqc3cWgMO7y2wiWl1f9rVsRxwY | ||
| 309 | +gqCjOwrxZaPtbCSdx3g+a8dYrDfmVy0z/jJQeO2VJlDy65YEkC75mlEaERnRPE/J | ||
| 310 | +pDoXXc37+xoUAP4XCTtpzTzbiV9lQy6iGV+QURxzNrWKaF2s/y2vTF6S5WWxZlrm | ||
| 311 | +DlErqplluAjV/xGc63zWksv5IAZ6+s2An2a+cG2iaBCseQ2xVslI5v5YG8mEkVf0 | ||
| 312 | +2kk/OmSwxuEZ4DGxB/hDbOKRYLRYuPnxCV/esZJjOE/1OHVXvE8QtANN6EFwO60s | ||
| 313 | +HnacI4U+tjCjbRBh3UbipruvdDqX8LMsNvUMGjci3vOjlNkcLgeL8J15Xs3l5WuC | ||
| 314 | +Avl0Am91/FbpoN1qiPLny3jvEpjMbGUgfKRb03GIgHtPzbHmDdjluFZI+376i2/d | ||
| 315 | +RI85dBqNmAn+Fjrz3kW6wkpahByBAoHBAOSj2DDXPosxxoLidP/J/RKsMT0t0FE9 | ||
| 316 | +UFcNt+tHYv6hk+e7VAuUqUpd3XQqz3P13rnK4xvSOsVguyeU/WgmH4ID9XGSgpBP | ||
| 317 | +Rh6s7izn4KAJeqfI26vTPxvyaZEqB4JxT6k7SerENus95zSn1v/f2MLBQ16EP8cJ | ||
| 318 | ++QSOVCoZfEhUK+srherQ9eZKpj0OwBUrP4VhLdymv96r8xddWX1AVj4OBi2RywKI | ||
| 319 | +gAgv6fjwkb292jFu6x6FjKRNKwKK6c3jqQKBwQDE4c0Oz0KYYV4feJun3iL9UJSv | ||
| 320 | +StGsKVDuljA4WiBAmigMZTii/u0DFEjibiLWcJOnH53HTr0avA6c6D1nCwJ2qxyF | ||
| 321 | +rHNN2L+cdMx/7L1zLR11+InvRgpIGbpeGwHeIzJVUYG3b6llRJMZimBvAMr9ipM1 | ||
| 322 | +bkVvIjt1G9W1ypeuKzm6d/t8F0yC7AIYZWDV4nvxiiY8whLZzGawHR2iZz8pfUwb | ||
| 323 | +7URbTvxdsGE27Kq9gstU0PzEJpnU1goCJ7/gA1ECgcBA8w5B6ZM5xV0H5z6nPwDm | ||
| 324 | +IgYmw/HucgV1hU8exfuoK8wxQvTACW4B0yJKkrK11T1899aGG7VYRn9D4j4OLO48 | ||
| 325 | +Z9V8esseJXbc1fEezovvymGOci984xiFXtqAQzk44+lmQJJh33VeZApe2eLocvVH | ||
| 326 | +ddEmc1kOuJWFpszf3LeCcG69cnKrXsrLrZ8Frz//g3aa9B0sFi5hGeWHWJxISVN2 | ||
| 327 | +c1Nr9IN/57i/GqVTcztjdCAcdM7Tr8phDg7OvRlnxGkCgcEAuYhMFBuulyiSaTff | ||
| 328 | +/3ZvJKYOJ45rPkEFGoD/2ercn+RlvyCYGcoAEjnIYVEGlWwrSH+b0NlbjVkQsD6O | ||
| 329 | +to8CeE/RpgqX8hFCqC7NE/RFp8cpDyXy3j/zqnRMUyhCP1KNuScBBZs9V8gikxv6 | ||
| 330 | +ukBWCk3PYbeTySHKRBbB8vmCrMfhM96jaBIQsQO1CcZnVceDo1/bnsAIwaREVMxr | ||
| 331 | +Q8LmG7QOx/Z0x1MMsUFoqzilwccC09/JgxMZPh+h+Nv6jiCxAoHBAOEqQgFAfSdR | ||
| 332 | +ya60LLH55q803NRFMamuKiPbVJLzwiKfbjOiiopmQOS/LxxqIzeMXlYV4OsSvxTo | ||
| 333 | +G7mcTOFRtU5hKCK+t8qeQQpa/dsMpiHllwArnRyBjIVgL5lFKRpHUGLsavU/T1IH | ||
| 334 | +mtgaxZo32dXvcAh1+ndCHVBwbHTOF4conA+g+Usp4bZSSWn5nU4oIizvSVpG7SGe | ||
| 335 | +0GngdxH9Usdqbvzcip1EKeHRTZrHIEYmB+x0LaRIB3dwZNidK3TkKw== | ||
| 336 | +-----END RSA PRIVATE KEY----- | ||
| 337 | + | ||
| 338 | +PublicKey = RSA-3072-PUBLIC | ||
| 339 | +-----BEGIN PUBLIC KEY----- | ||
| 340 | +MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAr9ccqtXp9bjGw2cHCkfx | ||
| 341 | +nX5mrt4YpbJ0H7PE0zQ0VgaSotkJ72iI7GAv9rk68ljudDA8MBr81O2+xDMR3cjd | ||
| 342 | +vwDdu+OG0zuNDiKxtEk23EiYcbhSN7NM50etj9sMTk0dqnqt8HOFxchzLMt9Wkni | ||
| 343 | +5QyIPH16wQ7Wp02ayQ35EpkFoX1KCHIQ/Hi20EseuWlILBGm7recUOWxbz8lT3Vx | ||
| 344 | +UosvFxargW1uygcnveqYBZMpcw64wzznHWHdSsOTtiVuB6wdEk8CANHD4FpMG8fx | ||
| 345 | +7S/IPlcZnP5ZCLEAh+J/vZfSwkIUYZxxR8j778o5vCVnYqaCNTH34jTWjq56DZ+v | ||
| 346 | +EN0V6VI3gMfVrlgJStUlqQY7TDP5XhAG2i6xLTdDaJSVwfICPkBzU8XrPkyhxIz/ | ||
| 347 | +gaEJANFIIOuAGvTxpZbEuc6aUx/PilTZ/9ckJYtu7CAQjfb9/XbUrgO6fqWY3LDk | ||
| 348 | +ooCElYcob01/JWzoXl61Z5sdrMH5CVZJty5foHKusAN5AgMBAAE= | ||
| 349 | +-----END PUBLIC KEY----- | ||
| 350 | + | ||
| 351 | +PrivPubKeyPair = RSA-3072:RSA-3072-PUBLIC | ||
| 352 | + | ||
| 353 | +# a random invalid ciphertext that generates an empty synthethic one | ||
| 354 | +Decrypt = RSA-3072 | ||
| 355 | +Input = 5e956cd9652f4a2ece902931013e09662b6a9257ad1e987fb75f73a0606df2a4b04789770820c2e02322c4e826f767bd895734a01e20609c3be4517a7a2a589ea1cdc137beb73eb38dac781b52e863de9620f79f9b90fd5b953651fcbfef4a9f1cc07421d511a87dd6942caab6a5a0f4df473e62defb529a7de1509ab99c596e1dff1320402298d8be73a896cc86c38ae3f2f576e9ea70cc28ad575cb0f854f0be43186baa9c18e29c47c6ca77135db79c811231b7c1730955887d321fdc06568382b86643cf089b10e35ab23e827d2e5aa7b4e99ff2e914f302351819eb4d1693243b35f8bf1d42d08f8ec4acafa35f747a4a975a28643ec630d8e4fa5be59d81995660a14bb64c1fea5146d6b11f92da6a3956dd5cb5e0d747cf2ea23f81617769185336263d46ef4c144b754de62a6337342d6c85a95f19f015724546ee3fc4823eca603dbc1dc01c2d5ed50bd72d8e96df2dc048edde0081284068283fc5e73a6139851abf2f29977d0b3d160c883a42a37efba1be05c1a0b1741d7ddf59 | ||
| 356 | +Output = | ||
| 357 | + | ||
| 358 | +# a random invalid that has PRF output with a length one byte too long | ||
| 359 | +# in the last value | ||
| 360 | +Decrypt = RSA-3072 | ||
| 361 | +Input = 7db0390d75fcf9d4c59cf27b264190d856da9abd11e92334d0e5f71005cfed865a711dfa28b791188374b61916dbc11339bf14b06f5f3f68c206c5607380e13da3129bfb744157e1527dd6fdf6651248b028a496ae1b97702d44706043cdaa7a59c0f41367303f21f268968bf3bd2904db3ae5239b55f8b438d93d7db9d1666c071c0857e2ec37757463769c54e51f052b2a71b04c2869e9e7049a1037b8429206c99726f07289bac18363e7eb2a5b417f47c37a55090cda676517b3549c873f2fe95da9681752ec9864b069089a2ed2f340c8b04ee00079055a817a3355b46ac7dc00d17f4504ccfbcfcadb0c04cb6b22069e179385ae1eafabad5521bac2b8a8ee1dfff59a22eb3fdacfc87175d10d7894cfd869d056057dd9944b869c1784fcc27f731bc46171d39570fbffbadf082d33f6352ecf44aca8d9478e53f5a5b7c852b401e8f5f74da49da91e65bdc97765a9523b7a0885a6f8afe5759d58009fbfa837472a968e6ae92026a5e0202a395483095302d6c3985b5f5831c521a271 | ||
| 362 | +Output = 56a3bea054e01338be9b7d7957539c | ||
| 363 | + | ||
| 364 | +# a random invalid that generates a synthethic of maximum size | ||
| 365 | +Decrypt = RSA-3072 | ||
| 366 | +Input = 1715065322522dff85049800f6a29ab5f98c465020467414b2a44127fe9446da47fa18047900f99afe67c2df6f50160bb8e90bff296610fde632b3859d4d0d2e644f23835028c46cca01b84b88231d7e03154edec6627bcba23de76740d839851fa12d74c8f92e540c73fe837b91b7d699b311997d5f0f7864c486d499c3a79c111faaacbe4799597a25066c6200215c3d158f3817c1aa57f18bdaad0be1658da9da93f5cc6c3c4dd72788af57adbb6a0c26f42d32d95b8a4f95e8c6feb2f8a5d53b19a50a0b7cbc25e055ad03e5ace8f3f7db13e57759f67b65d143f08cca15992c6b2aae643390483de111c2988d4e76b42596266005103c8de6044fb7398eb3c28a864fa672de5fd8774510ff45e05969a11a4c7d3f343e331190d2dcf24fb9154ba904dc94af98afc5774a9617d0418fe6d13f8245c7d7626c176138dd698a23547c25f27c2b98ea4d8a45c7842b81888e4cc14e5b72e9cf91f56956c93dbf2e5f44a8282a7813157fc481ff1371a0f66b31797e81ebdb09a673d4db96d6 | ||
| 367 | +Output = 7b036fcd6243900e4236c894e2462c17738acc87e01a76f4d95cb9a328d9acde81650283b8e8f60a217e3bdee835c7b222ad4c85d0acdb9a309bd2a754609a65dec50f3aa04c6d5891034566b9563d42668ede1f8992b17753a2132e28970584e255efc8b45a41c5dbd7567f014acec5fe6fdb6d484790360a913ebb9defcd74ff377f2a8ba46d2ed85f733c9a3da08eb57ecedfafda806778f03c66b2c5d2874cec1c291b2d49eb194c7b5d0dd2908ae90f4843268a2c45563092ade08acb6ab481a08176102fc803fbb2f8ad11b0e1531bd37df543498daf180b12017f4d4d426ca29b4161075534bfb914968088a9d13785d0adc0e2580d3548494b2a9e91605f2b27e6cc701c796f0de7c6f471f6ab6cb9272a1ed637ca32a60d117505d82af3c1336104afb537d01a8f70b510e1eebf4869cb976c419473795a66c7f5e6e20a8094b1bb603a74330c537c5c0698c31538bd2e138c1275a1bdf24c5fa8ab3b7b526324e7918a382d1363b3d463764222150e04 | ||
| 368 | + | ||
| 369 | +# a positive test case that decrypts to 9 byte long value | ||
| 370 | +Decrypt = RSA-3072 | ||
| 371 | +Input = 6c60845a854b4571f678941ae35a2ac03f67c21e21146f9db1f2306be9f136453b86ad55647d4f7b5c9e62197aaff0c0e40a3b54c4cde14e774b1c5959b6c2a2302896ffae1f73b00b862a20ff4304fe06cea7ff30ecb3773ca9af27a0b54547350d7c07dfb0a39629c7e71e83fc5af9b2adbaf898e037f1de696a3f328cf45af7ec9aff7173854087fb8fbf34be981efbd8493f9438d1b2ba2a86af082662aa46ae9adfbec51e5f3d9550a4dd1dcb7c8969c9587a6edc82a8cabbc785c40d9fbd12064559fb769450ac3e47e87bc046148130d7eaa843e4b3ccef3675d0630500803cb7ffee3882378c1a404e850c3e20707bb745e42b13c18786c4976076ed9fa8fd0ff15e571bef02cbbe2f90c908ac3734a433b73e778d4d17fcc28f49185ebc6e8536a06d293202d94496453bfdf1c2c7833a3f99fa38ca8a81f42eaa529d603b890308a319c0ab63a35ff8ebac965f6278f5a7e5d622be5d5fe55f0ca3ec993d55430d2bf59c5d3e860e90c16d91a04596f6fdf60d89ed95d88c036dde | ||
| 372 | +Output = "forty two" | ||
| 373 | + | ||
| 374 | +# a positive test case with null padded ciphertext | ||
| 375 | +Decrypt = RSA-3072 | ||
| 376 | +Input = 00f4d565a3286784dbb85327db8807ae557ead229f92aba945cecda5225f606a7d6130edeeb6f26724d1eff1110f9eb18dc3248140ee3837e6688391e78796c526791384f045e21b6b853fb6342a11f309eb77962f37ce23925af600847fbd30e6e07e57de50b606e6b7f288cc777c1a6834f27e6edace508452128916eef7788c8bb227e3548c6a761cc4e9dd1a3584176dc053ba3500adb1d5e1611291654f12dfc5722832f635db3002d73f9defc310ace62c63868d341619c7ee15b20243b3371e05078e11219770c701d9f341af35df1bc729de294825ff2e416aa11526612852777eb131f9c45151eb144980d70608d2fc4043477368369aa0fe487a48bd57e66b00c3c58f941549f5ec050fca64449debe7a0c4ac51e55cb71620a70312aa4bd85fac1410c9c7f9d6ec610b7d11bf8faeffa20255d1a1bead9297d0aa8765cd2805847d639bc439f4a6c896e2008f746f9590ff4596de5ddde000ed666c452c978043ff4298461eb5a26d5e63d821438627f91201924bf7f2aeee1727 | ||
| 377 | +Output = "forty two" | ||
| 378 | + | ||
| 379 | +# a positive test case with null truncated ciphertext | ||
| 380 | +Decrypt = RSA-3072 | ||
| 381 | +Input = f4d565a3286784dbb85327db8807ae557ead229f92aba945cecda5225f606a7d6130edeeb6f26724d1eff1110f9eb18dc3248140ee3837e6688391e78796c526791384f045e21b6b853fb6342a11f309eb77962f37ce23925af600847fbd30e6e07e57de50b606e6b7f288cc777c1a6834f27e6edace508452128916eef7788c8bb227e3548c6a761cc4e9dd1a3584176dc053ba3500adb1d5e1611291654f12dfc5722832f635db3002d73f9defc310ace62c63868d341619c7ee15b20243b3371e05078e11219770c701d9f341af35df1bc729de294825ff2e416aa11526612852777eb131f9c45151eb144980d70608d2fc4043477368369aa0fe487a48bd57e66b00c3c58f941549f5ec050fca64449debe7a0c4ac51e55cb71620a70312aa4bd85fac1410c9c7f9d6ec610b7d11bf8faeffa20255d1a1bead9297d0aa8765cd2805847d639bc439f4a6c896e2008f746f9590ff4596de5ddde000ed666c452c978043ff4298461eb5a26d5e63d821438627f91201924bf7f2aeee1727 | ||
| 382 | +Output = "forty two" | ||
| 383 | + | ||
| 384 | +# a positive test case with double null padded ciphertext | ||
| 385 | +Decrypt = RSA-3072 | ||
| 386 | +Input = 00001ec97ac981dfd9dcc7a7389fdfa9d361141dac80c23a060410d472c16094e6cdffc0c3684d84aa402d7051dfccb2f6da33f66985d2a259f5b7fbf39ac537e95c5b7050eb18844a0513abef812cc8e74a3c5240009e6e805dcadf532bc1a2702d5acc9e585fad5b89d461fcc1397351cdce35171523758b171dc041f412e42966de7f94856477356d06f2a6b40e3ff0547562a4d91bbf1338e9e049facbee8b20171164505468cd308997447d3dc4b0acb49e7d368fedd8c734251f30a83491d2506f3f87318cc118823244a393dc7c5c739a2733d93e1b13db6840a9429947357f47b23fbe39b7d2d61e5ee26f9946c4632f6c4699e452f412a26641d4751135400713cd56ec66f0370423d55d2af70f5e7ad0adea8e4a0d904a01e4ac272eba4af1a029dd53eb71f115bf31f7a6c8b19a6523adeecc0d4c3c107575e38572a8f8474ccad163e46e2e8b08111132aa97a16fb588c9b7e37b3b3d7490381f3c55d1a9869a0fd42cd86fed59ecec78cb6b2dfd06a497f5afe3419691314ba0 | ||
| 387 | +Output = "forty two" | ||
| 388 | + | ||
| 389 | +# a positive test case with double null truncated ciphertext | ||
| 390 | +Decrypt = RSA-3072 | ||
| 391 | +Input = 1ec97ac981dfd9dcc7a7389fdfa9d361141dac80c23a060410d472c16094e6cdffc0c3684d84aa402d7051dfccb2f6da33f66985d2a259f5b7fbf39ac537e95c5b7050eb18844a0513abef812cc8e74a3c5240009e6e805dcadf532bc1a2702d5acc9e585fad5b89d461fcc1397351cdce35171523758b171dc041f412e42966de7f94856477356d06f2a6b40e3ff0547562a4d91bbf1338e9e049facbee8b20171164505468cd308997447d3dc4b0acb49e7d368fedd8c734251f30a83491d2506f3f87318cc118823244a393dc7c5c739a2733d93e1b13db6840a9429947357f47b23fbe39b7d2d61e5ee26f9946c4632f6c4699e452f412a26641d4751135400713cd56ec66f0370423d55d2af70f5e7ad0adea8e4a0d904a01e4ac272eba4af1a029dd53eb71f115bf31f7a6c8b19a6523adeecc0d4c3c107575e38572a8f8474ccad163e46e2e8b08111132aa97a16fb588c9b7e37b3b3d7490381f3c55d1a9869a0fd42cd86fed59ecec78cb6b2dfd06a497f5afe3419691314ba0 | ||
| 392 | +Output = "forty two" | ||
| 393 | + | ||
| 394 | +# a random negative test case that generates a 9 byte long message | ||
| 395 | +Decrypt = RSA-3072 | ||
| 396 | +Input = 5c8555f5cef627c15d37f85c7f5fd6e499264ea4b8e3f9112023aeb722eb38d8eac2be3751fd5a3785ab7f2d59fa3728e5be8c3de78a67464e30b21ee23b5484bb3cd06d0e1c6ad25649c8518165653eb80488bfb491b20c04897a6772f69292222fc5ef50b5cf9efc6d60426a449b6c489569d48c83488df629d695653d409ce49a795447fcec2c58a1a672e4a391401d428baaf781516e11e323d302fcf20f6eab2b2dbe53a48c987e407c4d7e1cb41131329138313d330204173a4f3ff06c6fadf970f0ed1005d0b27e35c3d11693e0429e272d583e57b2c58d24315c397856b34485dcb077665592b747f889d34febf2be8fce66c265fd9fc3575a6286a5ce88b4b413a08efc57a07a8f57a999605a837b0542695c0d189e678b53662ecf7c3d37d9dbeea585eebfaf79141118e06762c2381fe27ca6288edddc19fd67cd64f16b46e06d8a59ac530f22cd83cc0bc4e37feb52015cbb2283043ccf5e78a4eb7146827d7a466b66c8a4a4826c1bad68123a7f2d00fc1736525ff90c058f56 | ||
| 397 | +Output = 257906ca6de8307728 | ||
| 398 | + | ||
| 399 | +# a random negative test case that generates a 9 byte long message based on | ||
| 400 | +# second to last value from PRF | ||
| 401 | +Decrypt = RSA-3072 | ||
| 402 | +Input = 758c215aa6acd61248062b88284bf43c13cb3b3d02410be4238607442f1c0216706e21a03a2c10eb624a63322d854da195c017b76fea83e274fa371834dcd2f3b7accf433fc212ad76c0bac366e1ed32e25b279f94129be7c64d6e162adc08ccebc0cfe8e926f01c33ab9c065f0e0ac83ae5137a4cb66702615ad68a35707d8676d2740d7c1a954680c83980e19778ed11eed3a7c2dbdfc461a9bbef671c1bc00c882d361d29d5f80c42bdf5efec886c34138f83369c6933b2ac4e93e764265351b4a0083f040e14f511f09b22f96566138864e4e6ff24da4810095da98e0585410951538ced2f757a277ff8e17172f06572c9024eeae503f176fd46eb6c5cd9ba07af11cde31dccac12eb3a4249a7bfd3b19797ad1656984bfcbf6f74e8f99d8f1ac420811f3d166d87f935ef15ae858cf9e72c8e2b547bf16c3fb09a8c9bf88fd2e5d38bf24ed610896131a84df76b9f920fe76d71fff938e9199f3b8cd0c11fd0201f9139d7673a871a9e7d4adc3bbe360c8813617cd60a90128fbe34c9d5 | ||
| 403 | +Output = 043383c929060374ed | ||
| 404 | + | ||
| 405 | +# a random negative test that generates message based on 3rd last value from | ||
| 406 | +# PRF | ||
| 407 | +Decrypt = RSA-3072 | ||
| 408 | +Input = 7b22d5e62d287968c6622171a1f75db4b0fd15cdf3134a1895d235d56f8d8fe619f2bf4868174a91d7601a82975d2255190d28b869141d7c395f0b8c4e2be2b2c1b4ffc12ce749a6f6803d4cfe7fba0a8d6949c04151f981c0d84592aa2ff25d1bd3ce5d10cb03daca6b496c6ad40d30bfa8acdfd02cdb9326c4bdd93b949c9dc46caa8f0e5f429785bce64136a429a3695ee674b647452bea1b0c6de9c5f1e8760d5ef6d5a9cfff40457b023d3c233c1dcb323e7808103e73963b2eafc928c9eeb0ee3294955415c1ddd9a1bb7e138fecd79a3cb89c57bd2305524624814aaf0fd1acbf379f7f5b39421f12f115ba488d380586095bb53f174fae424fa4c8e3b299709cd344b9f949b1ab57f1c645d7ed3c8f81d5594197355029fee8960970ff59710dc0e5eb50ea6f4c3938e3f89ed7933023a2c2ddffaba07be147f686828bd7d520f300507ed6e71bdaee05570b27bc92741108ac2eb433f028e138dd6d63067bc206ea2d826a7f41c0d613daed020f0f30f4e272e9618e0a8c39018a83 | ||
| 409 | +Output = 70263fa6050534b9e0 | ||
| 410 | + | ||
| 411 | +# an otherwise valid plaintext, but with wrong first byte (0x01 instead of 0x00) | ||
| 412 | +Decrypt = RSA-3072 | ||
| 413 | +Input = 6db80adb5ff0a768caf1378ecc382a694e7d1bde2eff4ba12c48aaf794ded7a994a5b2b57acec20dbec4ae385c9dd531945c0f197a5496908725fc99d88601a17d3bb0b2d38d2c1c3100f39955a4cb3dbed5a38bf900f23d91e173640e4ec655c84fdfe71fcdb12a386108fcf718c9b7af37d39703e882436224c877a2235e8344fba6c951eb7e2a4d1d1de81fb463ac1b880f6cc0e59ade05c8ce35179ecd09546731fc07b141d3d6b342a97ae747e61a9130f72d37ac5a2c30215b6cbd66c7db893810df58b4c457b4b54f34428247d584e0fa71062446210db08254fb9ead1ba1a393c724bd291f0cf1a7143f32df849051dc896d7d176fef3b57ab6dffd626d0c3044e9edb2e3d012ace202d2581df01bec7e9aa0727a6650dd373d374f0bc0f4a611f8139dfe97d63e70c6188f4df5b672e47c51d8aa567097293fbff127c75ec690b43407578b73c85451710a0cece58fd497d7f7bd36a8a92783ef7dc6265dff52aac8b70340b996508d39217f2783ce6fc91a1cc94bb2ac487b84f62 | ||
| 414 | +Output = 6d8d3a094ff3afff4c | ||
| 415 | + | ||
| 416 | +# an otherwise valid plaintext, but with wrong second byte (0x01 instead of 0x02) | ||
| 417 | +Decrypt = RSA-3072 | ||
| 418 | +Input = 417328c034458563079a4024817d0150340c34e25ae16dcad690623f702e5c748a6ebb3419ff48f486f83ba9df35c05efbd7f40613f0fc996c53706c30df6bba6dcd4a40825f96133f3c21638a342bd4663dffbd0073980dac47f8c1dd8e97ce1412e4f91f2a8adb1ac2b1071066efe8d718bbb88ca4a59bd61500e826f2365255a409bece0f972df97c3a55e09289ef5fa815a2353ef393fd1aecfc888d611c16aec532e5148be15ef1bf2834b8f75bb26db08b66d2baad6464f8439d1986b533813321dbb180080910f233bcc4dd784fb21871aef41be08b7bfad4ecc3b68f228cb5317ac6ec1227bc7d0e452037ba918ee1da9fdb8393ae93b1e937a8d4691a17871d5092d2384b6190a53df888f65b951b05ed4ad57fe4b0c6a47b5b22f32a7f23c1a234c9feb5d8713d949686760680da4db454f4acad972470033472b9864d63e8d23eefc87ebcf464ecf33f67fbcdd48eab38c5292586b36aef5981ed2fa07b2f9e23fc57d9eb71bfff4111c857e9fff23ceb31e72592e70c874b4936 | ||
| 419 | +Output = c6ae80ffa80bc184b0 | ||
| 420 | + | ||
| 421 | +# an otherwise valid plaintext, but with zero byte in first byte of padding | ||
| 422 | +Decrypt = RSA-3072 | ||
| 423 | +Input = 8542c626fe533467acffcd4e617692244c9b5a3bf0a215c5d64891ced4bf4f9591b4b2aedff9843057986d81631b0acb3704ec2180e5696e8bd15b217a0ec36d2061b0e2182faa3d1c59bd3f9086a10077a3337a3f5da503ec3753535ffd25b837a12f2541afefd0cffb0224b8f874e4bed13949e105c075ed44e287c5ae03b155e06b90ed247d2c07f1ef3323e3508cce4e4074606c54172ad74d12f8c3a47f654ad671104bf7681e5b061862747d9afd37e07d8e0e2291e01f14a95a1bb4cbb47c304ef067595a3947ee2d722067e38a0f046f43ec29cac6a8801c6e3e9a2331b1d45a7aa2c6af3205be382dd026e389614ee095665a611ab2e8dced2ee1c9d08ac9de11aef5b3803fc9a9ce8231ec87b5fed386fb92ee3db995a89307bcba844bd0a691c29ae51216e949dfc813133cb06a07265fd807bcb3377f6adb0a481d9b7f442003115895939773e6b95371c4febef29edae946fa245e7c50729e2e558cfaad773d1fd5f67b457a6d9d17a847c6fcbdb103a86f35f228cefc06cea0 | ||
| 424 | +Output = a8a9301daa01bb25c7 | ||
| 425 | + | ||
| 426 | +# an otherwise valid plaintext, but with zero byte in eight byte of padding | ||
| 427 | +Decrypt = RSA-3072 | ||
| 428 | +Input = 449dfa237a70a99cb0351793ec8677882021c2aa743580bf6a0ea672055cffe8303ac42855b1d1f3373aae6af09cb9074180fc963e9d1478a4f98b3b4861d3e7f0aa8560cf603711f139db77667ca14ba3a1acdedfca9ef4603d6d7eb0645bfc805304f9ad9d77d34762ce5cd84bd3ec9d35c30e3be72a1e8d355d5674a141b5530659ad64ebb6082e6f73a80832ab6388912538914654d34602f4b3b1c78589b4a5d964b2efcca1dc7004c41f6cafcb5a7159a7fc7c0398604d0edbd4c8f4f04067da6a153a05e7cbeea13b5ee412400ef7d4f3106f4798da707ec37a11286df2b7a204856d5ff773613fd1e453a7114b78e347d3e8078e1cb3276b3562486ba630bf719697e0073a123c3e60ebb5c7a1ccff4279faffa2402bc1109f8d559d6766e73591943dfcf25ba10c3762f02af85187799b8b4b135c3990793a6fd32642f1557405ba55cc7cf7336a0e967073c5fa50743f9cc5e3017c172d9898d2af83345e71b3e0c22ab791eacb6484a32ec60ebc226ec9deaee91b1a0560c2b571 | ||
| 429 | +Output = 6c716fe01d44398018 | ||
| 430 | + | ||
| 431 | +# an otherwise valid plaintext, but with null separator missing | ||
| 432 | +Decrypt = RSA-3072 | ||
| 433 | +Input = a7a5c99e50da48769ecb779d9abe86ef9ec8c38c6f43f17c7f2d7af608a4a1bd6cf695b47e97c191c61fb5a27318d02f495a176b9fae5a55b5d3fabd1d8aae4957e3879cb0c60f037724e11be5f30f08fc51c033731f14b44b414d11278cd3dba7e1c8bfe208d2b2bb7ec36366dacb6c88b24cd79ab394adf19dbbc21dfa5788bacbadc6a62f79cf54fd8cf585c615b5c0eb94c35aa9de25321c8ffefb8916bbaa2697cb2dd82ee98939df9b6704cee77793edd2b4947d82e00e5749664970736c59a84197bd72b5c71e36aae29cd39af6ac73a368edbc1ca792e1309f442aafcd77c992c88f8e4863149f221695cb7b0236e75b2339a02c4ea114854372c306b9412d8eedb600a31532002f2cea07b4df963a093185e4607732e46d753b540974fb5a5c3f9432df22e85bb17611370966c5522fd23f2ad3484341ba7fd8885fc8e6d379a611d13a2aca784fba2073208faad2137bf1979a0fa146c1880d4337db3274269493bab44a1bcd0681f7227ffdf589c2e925ed9d36302509d1109ba4 | ||
| 434 | +Output = aa2de6cde4e2442884 | ||
| 435 | + | ||
| 436 | # RSA PSS key tests | ||
| 437 | |||
| 438 | # PSS only key, no parameter restrictions | ||
| 439 | -- | ||
| 440 | 2.34.1 | ||
| 441 | |||
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-5.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-5.patch new file mode 100644 index 0000000000..f4650de5de --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-5.patch | |||
| @@ -0,0 +1,284 @@ | |||
| 1 | From c693522a96b6fb2bb4b55a53d86550811bc0d7df Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Hubert Kario <hkario@redhat.com> | ||
| 3 | Date: Thu, 3 Nov 2022 17:45:58 +0100 | ||
| 4 | Subject: [PATCH] rsa: Skip the synthethic plaintext test with old FIPS | ||
| 5 | provider | ||
| 6 | |||
| 7 | since the 3.0.0 FIPS provider doesn't implement the Bleichenbacher | ||
| 8 | workaround, the decryption fails instead of providing a synthetic | ||
| 9 | plaintext, so skip them then | ||
| 10 | |||
| 11 | CVE: CVE-2023-50781 | ||
| 12 | |||
| 13 | Upstream-Status: Backport [https://github.com/openssl/openssl/commit/ddecbef6e389d263b728b7fa30fd3d9ce13feddb] | ||
| 14 | |||
| 15 | Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> | ||
| 16 | Reviewed-by: Tim Hudson <tjh@openssl.org> | ||
| 17 | Reviewed-by: Tomas Mraz <tomas@openssl.org> | ||
| 18 | (Merged from https://github.com/openssl/openssl/pull/13817) | ||
| 19 | Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com> | ||
| 20 | --- | ||
| 21 | .../30-test_evp_data/evppkey_rsa_common.txt | 66 ++++++++++++++++++- | ||
| 22 | 1 file changed, 63 insertions(+), 3 deletions(-) | ||
| 23 | |||
| 24 | diff --git a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt | ||
| 25 | index d569e78..4bd7c72 100644 | ||
| 26 | --- a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt | ||
| 27 | +++ b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt | ||
| 28 | @@ -253,12 +253,12 @@ Decrypt = RSA-2048 | ||
| 29 | Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A78 | ||
| 30 | Output = "Hello World" | ||
| 31 | |||
| 32 | +# The old FIPS provider doesn't include the workaround (#13817) | ||
| 33 | +FIPSversion = >3.0.0 | ||
| 34 | # Corrupted ciphertext | ||
| 35 | -FIPSversion = <3.2.0 | ||
| 36 | Decrypt = RSA-2048 | ||
| 37 | Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A79 | ||
| 38 | -Output = "Hello World" | ||
| 39 | -Result = KEYOP_ERROR | ||
| 40 | +Output = 4cbb988d6a46228379132b0b5f8c249b3860043848c93632fb982c807c7c82fffc7a9ef83f4908f890373ac181ffea6381e103bcaa27e65638b6ecebef38b59ed4226a9d12af675cfcb634d8c40e7a7aff | ||
| 41 | |||
| 42 | # OAEP padding | ||
| 43 | Decrypt = RSA-2048 | ||
| 44 | @@ -330,21 +330,29 @@ Decrypt = RSA-2048-2 | ||
| 45 | Input = 8bfe264e85d3bdeaa6b8851b8e3b956ee3d226fd3f69063a86880173a273d9f283b2eebdd1ed35f7e02d91c571981b6737d5320bd8396b0f3ad5b019daec1b0aab3cbbc026395f4fd14f13673f2dfc81f9b660ec26ac381e6db3299b4e460b43fab9955df2b3cfaa20e900e19c856238fd371899c2bf2ce8c868b76754e5db3b036533fd603746be13c10d4e3e6022ebc905d20c2a7f32b215a4cd53b3f44ca1c327d2c2b651145821c08396c89071f665349c25e44d2733cd9305985ceef6430c3cf57af5fa224089221218fa34737c79c446d28a94c41c96e4e92ac53fbcf384dea8419ea089f8784445a492c812eb0d409467f75afd7d4d1078886205a066 | ||
| 46 | Output = "lorem ipsum dolor sit amet" | ||
| 47 | |||
| 48 | +# The old FIPS provider doesn't include the workaround (#13817) | ||
| 49 | +FIPSversion = >3.0.0 | ||
| 50 | # a random negative test case decrypting to empty | ||
| 51 | Decrypt = RSA-2048-2 | ||
| 52 | Input = 20aaa8adbbc593a924ba1c5c7990b5c2242ae4b99d0fe636a19a4cf754edbcee774e472fe028160ed42634f8864900cb514006da642cae6ae8c7d087caebcfa6dad1551301e130344989a1d462d4164505f6393933450c67bc6d39d8f5160907cabc251b737925a1cf21e5c6aa5781b7769f6a2a583d97cce008c0f8b6add5f0b2bd80bee60237aa39bb20719fe75749f4bc4e42466ef5a861ae3a92395c7d858d430bfe38040f445ea93fa2958b503539800ffa5ce5f8cf51fa8171a91f36cb4f4575e8de6b4d3f096ee140b938fd2f50ee13f0d050222e2a72b0a3069ff3a6738e82c87090caa5aed4fcbe882c49646aa250b98f12f83c8d528113614a29e7 | ||
| 53 | Output = | ||
| 54 | |||
| 55 | +# The old FIPS provider doesn't include the workaround (#13817) | ||
| 56 | +FIPSversion = >3.0.0 | ||
| 57 | # invalid decrypting to max length message | ||
| 58 | Decrypt = RSA-2048-2 | ||
| 59 | Input = 48cceab10f39a4db32f60074feea473cbcdb7accf92e150417f76b44756b190e843e79ec12aa85083a21f5437e7bad0a60482e601198f9d86923239c8786ee728285afd0937f7dde12717f28389843d7375912b07b991f4fdb0190fced8ba665314367e8c5f9d2981d0f5128feeb46cb50fc237e64438a86df198dd0209364ae3a842d77532b66b7ef263b83b1541ed671b120dfd660462e2107a4ee7b964e734a7bd68d90dda61770658a3c242948532da32648687e0318286473f675b412d6468f013f14d760a358dfcad3cda2afeec5e268a37d250c37f722f468a70dfd92d7294c3c1ee1e7f8843b7d16f9f37ef35748c3ae93aa155cdcdfeb4e78567303 | ||
| 60 | Output = 22d850137b9eebe092b24f602dc5bb7918c16bd89ddbf20467b119d205f9c2e4bd7d2592cf1e532106e0f33557565923c73a02d4f09c0c22bea89148183e60317f7028b3aa1f261f91c979393101d7e15f4067e63979b32751658ef769610fe97cf9cef3278b3117d384051c3b1d82c251c2305418c8f6840530e631aad63e70e20e025bcd8efb54c92ec6d3b106a2f8e64eeff7d38495b0fc50c97138af4b1c0a67a1c4e27b077b8439332edfa8608dfeae653cd6a628ac550395f7e74390e42c11682234870925eeaa1fa71b76cf1f2ee3bda69f6717033ff8b7c95c9799e7a3bea5e7e4a1c359772fb6b1c6e6c516661dfe30c3 | ||
| 61 | |||
| 62 | +# The old FIPS provider doesn't include the workaround (#13817) | ||
| 63 | +FIPSversion = >3.0.0 | ||
| 64 | # invalid decrypting to message with length specified by second to last value from PRF | ||
| 65 | Decrypt = RSA-2048-2 | ||
| 66 | Input = 1439e08c3f84c1a7fec74ce07614b20e01f6fa4e8c2a6cffdc3520d8889e5d9a950c6425798f85d4be38d300ea5695f13ecd4cb389d1ff5b82484b494d6280ab7fa78e645933981cb934cce8bfcd114cc0e6811eefa47aae20af638a1cd163d2d3366186d0a07df0c81f6c9f3171cf3561472e98a6006bf75ddb457bed036dcce199369de7d94ef2c68e8467ee0604eea2b3009479162a7891ba5c40cab17f49e1c438cb6eaea4f76ce23cce0e483ff0e96fa790ea15be67671814342d0a23f4a20262b6182e72f3a67cd289711503c85516a9ed225422f98b116f1ab080a80abd6f0216df88d8cfd67c139243be8dd78502a7aaf6bc99d7da71bcdf627e7354 | ||
| 67 | Output = 0f9b | ||
| 68 | |||
| 69 | +# The old FIPS provider doesn't include the workaround (#13817) | ||
| 70 | +FIPSversion = >3.0.0 | ||
| 71 | # invalid decrypting to message with length specified by third to last value from PRF | ||
| 72 | Decrypt = RSA-2048-2 | ||
| 73 | Input = 1690ebcceece2ce024f382e467cf8510e74514120937978576caf684d4a02ad569e8d76cbe365a060e00779de2f0865ccf0d923de3b4783a4e2c74f422e2f326086c390b658ba47f31ab013aa80f468c71256e5fa5679b24e83cd82c3d1e05e398208155de2212993cd2b8bab6987cf4cc1293f19909219439d74127545e9ed8a706961b8ee2119f6bfacafbef91b75a789ba65b8b833bc6149cf49b5c4d2c6359f62808659ba6541e1cd24bf7f7410486b5103f6c0ea29334ea6f4975b17387474fe920710ea61568d7b7c0a7916acf21665ad5a31c4eabcde44f8fb6120d8457afa1f3c85d517cda364af620113ae5a3c52a048821731922737307f77a1081 | ||
| 74 | @@ -385,23 +393,31 @@ Decrypt = RSA-2048-2 | ||
| 75 | Input = 1ea0b50ca65203d0a09280d39704b24fe6e47800189db5033f202761a78bafb270c5e25abd1f7ecc6e7abc4f26d1b0cd9b8c648d529416ee64ccbdd7aa72a771d0353262b543f0e436076f40a1095f5c7dfd10dcf0059ccb30e92dfa5e0156618215f1c3ff3aa997a9d999e506924f5289e3ac72e5e2086cc7b499d71583ed561028671155db4005bee01800a7cdbdae781dd32199b8914b5d4011dd6ff11cd26d46aad54934d293b0bc403dd211bf13b5a5c6836a5e769930f437ffd8634fb7371776f4bc88fa6c271d8aa6013df89ae6470154497c4ac861be2a1c65ebffec139bf7aaba3a81c7c5cdd84da9af5d3edfb957848074686b5837ecbcb6a41c50 | ||
| 76 | Output = "lorem ipsum" | ||
| 77 | |||
| 78 | +# The old FIPS provider doesn't include the workaround (#13817) | ||
| 79 | +FIPSversion = >3.0.0 | ||
| 80 | # a random negative test that generates an 11 byte long message | ||
| 81 | Decrypt = RSA-2048-2 | ||
| 82 | Input = 5f02f4b1f46935c742ebe62b6f05aa0a3286aab91a49b34780adde6410ab46f7386e05748331864ac98e1da63686e4babe3a19ed40a7f5ceefb89179596aab07ab1015e03b8f825084dab028b6731288f2e511a4b314b6ea3997d2e8fe2825cef8897cbbdfb6c939d441d6e04948414bb69e682927ef8576c9a7090d4aad0e74c520d6d5ce63a154720f00b76de8cc550b1aa14f016d63a7b6d6eaa1f7dbe9e50200d3159b3d099c900116bf4eba3b94204f18b1317b07529751abf64a26b0a0bf1c8ce757333b3d673211b67cc0653f2fe2620d57c8b6ee574a0323a167eab1106d9bc7fd90d415be5f1e9891a0e6c709f4fc0404e8226f8477b4e939b36eb2 | ||
| 83 | Output = af9ac70191c92413cb9f2d | ||
| 84 | |||
| 85 | +# The old FIPS provider doesn't include the workaround (#13817) | ||
| 86 | +FIPSversion = >3.0.0 | ||
| 87 | # an otherwise correct plaintext, but with wrong first byte | ||
| 88 | # (0x01 instead of 0x00), generates a random 11 byte long plaintext | ||
| 89 | Decrypt = RSA-2048-2 | ||
| 90 | Input = 9b2ec9c0c917c98f1ad3d0119aec6be51ae3106e9af1914d48600ab6a2c0c0c8ae02a2dc3039906ff3aac904af32ec798fd65f3ad1afa2e69400e7c1de81f5728f3b3291f38263bc7a90a0563e43ce7a0d4ee9c0d8a716621ca5d3d081188769ce1b131af7d35b13dea99153579c86db31fe07d5a2c14d621b77854e48a8df41b5798563af489a291e417b6a334c63222627376118c02c53b6e86310f728734ffc86ef9d7c8bf56c0c841b24b82b59f51aee4526ba1c4268506d301e4ebc498c6aebb6fd5258c876bf900bac8ca4d309dd522f6a6343599a8bc3760f422c10c72d0ad527ce4af1874124ace3d99bb74db8d69d2528db22c3a37644640f95c05f | ||
| 91 | Output = a1f8c9255c35cfba403ccc | ||
| 92 | |||
| 93 | +# The old FIPS provider doesn't include the workaround (#13817) | ||
| 94 | +FIPSversion = >3.0.0 | ||
| 95 | # an otherwise correct plaintext, but with wrong second byte | ||
| 96 | # (0x01 instead of 0x02), generates a random 11 byte long plaintext | ||
| 97 | Decrypt = RSA-2048-2 | ||
| 98 | Input = 782c2b59a21a511243820acedd567c136f6d3090c115232a82a5efb0b178285f55b5ec2d2bac96bf00d6592ea7cdc3341610c8fb07e527e5e2d20cfaf2c7f23e375431f45e998929a02f25fd95354c33838090bca838502259e92d86d568bc2cdb132fab2a399593ca60a015dc2bb1afcd64fef8a3834e17e5358d822980dc446e845b3ab4702b1ee41fe5db716d92348d5091c15d35a110555a35deb4650a5a1d2c98025d42d4544f8b32aa6a5e02dc02deaed9a7313b73b49b0d4772a3768b0ea0db5846ace6569cae677bf67fb0acf3c255dc01ec8400c963b6e49b1067728b4e563d7e1e1515664347b92ee64db7efb5452357a02fff7fcb7437abc2e579 | ||
| 99 | Output = e6d700309ca0ed62452254 | ||
| 100 | |||
| 101 | +# The old FIPS provider doesn't include the workaround (#13817) | ||
| 102 | +FIPSversion = >3.0.0 | ||
| 103 | # an invalid ciphertext, with a zero byte in first byte of | ||
| 104 | # ciphertext, decrypts to a random 11 byte long synthethic | ||
| 105 | # plaintext | ||
| 106 | @@ -409,6 +425,8 @@ Decrypt = RSA-2048-2 | ||
| 107 | Input = 0096136621faf36d5290b16bd26295de27f895d1faa51c800dafce73d001d60796cd4e2ac3fa2162131d859cd9da5a0c8a42281d9a63e5f353971b72e36b5722e4ac444d77f892a5443deb3dca49fa732fe855727196e23c26eeac55eeced8267a209ebc0f92f4656d64a6c13f7f7ce544ebeb0f668fe3a6c0f189e4bcd5ea12b73cf63e0c8350ee130dd62f01e5c97a1e13f52fde96a9a1bc9936ce734fdd61f27b18216f1d6de87f49cf4f2ea821fb8efd1f92cdad529baf7e31aff9bff4074f2cad2b4243dd15a711adcf7de900851fbd6bcb53dac399d7c880531d06f25f7002e1aaf1722765865d2c2b902c7736acd27bc6cbd3e38b560e2eecf7d4b576 | ||
| 108 | Output = ba27b1842e7c21c0e7ef6a | ||
| 109 | |||
| 110 | +# The old FIPS provider doesn't include the workaround (#13817) | ||
| 111 | +FIPSversion = >3.0.0 | ||
| 112 | # an invalid ciphertext, with a zero byte removed from first byte of | ||
| 113 | # ciphertext, decrypts to a random 11 byte long synthethic | ||
| 114 | # plaintext | ||
| 115 | @@ -416,6 +434,8 @@ Decrypt = RSA-2048-2 | ||
| 116 | Input = 96136621faf36d5290b16bd26295de27f895d1faa51c800dafce73d001d60796cd4e2ac3fa2162131d859cd9da5a0c8a42281d9a63e5f353971b72e36b5722e4ac444d77f892a5443deb3dca49fa732fe855727196e23c26eeac55eeced8267a209ebc0f92f4656d64a6c13f7f7ce544ebeb0f668fe3a6c0f189e4bcd5ea12b73cf63e0c8350ee130dd62f01e5c97a1e13f52fde96a9a1bc9936ce734fdd61f27b18216f1d6de87f49cf4f2ea821fb8efd1f92cdad529baf7e31aff9bff4074f2cad2b4243dd15a711adcf7de900851fbd6bcb53dac399d7c880531d06f25f7002e1aaf1722765865d2c2b902c7736acd27bc6cbd3e38b560e2eecf7d4b576 | ||
| 117 | Output = ba27b1842e7c21c0e7ef6a | ||
| 118 | |||
| 119 | +# The old FIPS provider doesn't include the workaround (#13817) | ||
| 120 | +FIPSversion = >3.0.0 | ||
| 121 | # an invalid ciphertext, with two zero bytes in first bytes of | ||
| 122 | # ciphertext, decrypts to a random 11 byte long synthethic | ||
| 123 | # plaintext | ||
| 124 | @@ -423,6 +443,8 @@ Decrypt = RSA-2048-2 | ||
| 125 | Input = 0000587cccc6b264bdfe0dc2149a988047fa921801f3502ea64624c510c6033d2f427e3f136c26e88ea9f6519e86a542cec96aad1e5e9013c3cc203b6de15a69183050813af5c9ad79703136d4b92f50ce171eefc6aa7988ecf02f319ffc5eafd6ee7a137f8fce64b255bb1b8dd19cfe767d64fdb468b9b2e9e7a0c24dae03239c8c714d3f40b7ee9c4e59ac15b17e4d328f1100756bce17133e8e7493b54e5006c3cbcdacd134130c5132a1edebdbd01a0c41452d16ed7a0788003c34730d0808e7e14c797a21f2b45a8aa1644357fd5e988f99b017d9df37563a354c788dc0e2f9466045622fa3f3e17db63414d27761f57392623a2bef6467501c63e8d645 | ||
| 126 | Output = d5cf555b1d6151029a429a | ||
| 127 | |||
| 128 | +# The old FIPS provider doesn't include the workaround (#13817) | ||
| 129 | +FIPSversion = >3.0.0 | ||
| 130 | # an invalid ciphertext, with two zero bytes removed from first bytes of | ||
| 131 | # ciphertext, decrypts to a random 11 byte long synthethic | ||
| 132 | # plaintext | ||
| 133 | @@ -430,24 +452,32 @@ Decrypt = RSA-2048-2 | ||
| 134 | Input = 587cccc6b264bdfe0dc2149a988047fa921801f3502ea64624c510c6033d2f427e3f136c26e88ea9f6519e86a542cec96aad1e5e9013c3cc203b6de15a69183050813af5c9ad79703136d4b92f50ce171eefc6aa7988ecf02f319ffc5eafd6ee7a137f8fce64b255bb1b8dd19cfe767d64fdb468b9b2e9e7a0c24dae03239c8c714d3f40b7ee9c4e59ac15b17e4d328f1100756bce17133e8e7493b54e5006c3cbcdacd134130c5132a1edebdbd01a0c41452d16ed7a0788003c34730d0808e7e14c797a21f2b45a8aa1644357fd5e988f99b017d9df37563a354c788dc0e2f9466045622fa3f3e17db63414d27761f57392623a2bef6467501c63e8d645 | ||
| 135 | Output = d5cf555b1d6151029a429a | ||
| 136 | |||
| 137 | +# The old FIPS provider doesn't include the workaround (#13817) | ||
| 138 | +FIPSversion = >3.0.0 | ||
| 139 | # and invalid ciphertext, otherwise valid but starting with 000002, decrypts | ||
| 140 | # to random 11 byte long synthethic plaintext | ||
| 141 | Decrypt = RSA-2048-2 | ||
| 142 | Input = 1786550ce8d8433052e01ecba8b76d3019f1355b212ac9d0f5191b023325a7e7714b7802f8e9a17c4cb3cd3a84041891471b10ca1fcfb5d041d34c82e6d0011cf4dc76b90e9c2e0743590579d55bcd7857057152c4a8040361343d1d22ba677d62b011407c652e234b1d663af25e2386251d7409190f19fc8ec3f9374fdf1254633874ce2ec2bff40ad0cb473f9761ec7b68da45a4bd5e33f5d7dac9b9a20821df9406b653f78a95a6c0ea0a4d57f867e4db22c17bf9a12c150f809a7b72b6db86c22a8732241ebf3c6a4f2cf82671d917aba8bc61052b40ccddd743a94ea9b538175106201971cca9d136d25081739aaf6cd18b2aecf9ad320ea3f89502f955 | ||
| 143 | Output = 3d4a054d9358209e9cbbb9 | ||
| 144 | |||
| 145 | +# The old FIPS provider doesn't include the workaround (#13817) | ||
| 146 | +FIPSversion = >3.0.0 | ||
| 147 | # negative test with otherwise valid padding but a zero byte in first byte | ||
| 148 | # of padding | ||
| 149 | Decrypt = RSA-2048-2 | ||
| 150 | Input = 179598823812d2c58a7eb50521150a48bcca8b4eb53414018b6bca19f4801456c5e36a940037ac516b0d6412ba44ec6b4f268a55ef1c5ffbf18a2f4e3522bb7b6ed89774b79bffa22f7d3102165565642de0d43a955e96a1f2e80e5430671d7266eb4f905dc8ff5e106dc5588e5b0289e49a4913940e392a97062616d2bda38155471b7d360cfb94681c702f60ed2d4de614ea72bf1c53160e63179f6c5b897b59492bee219108309f0b7b8cb2b136c346a5e98b8b4b8415fb1d713bae067911e3057f1c335b4b7e39101eafd5d28f0189037e4334f4fdb9038427b1d119a6702aa8233319cc97d496cc289ae8c956ddc84042659a2d43d6aa22f12b81ab884e | ||
| 151 | Output = 1f037dd717b07d3e7f7359 | ||
| 152 | |||
| 153 | +# The old FIPS provider doesn't include the workaround (#13817) | ||
| 154 | +FIPSversion = >3.0.0 | ||
| 155 | # negative test with otherwise valid padding but a zero byte at the eigth | ||
| 156 | # byte of padding | ||
| 157 | Decrypt = RSA-2048-2 | ||
| 158 | Input = a7a340675a82c30e22219a55bc07cdf36d47d01834c1834f917f18b517419ce9de2a96460e745024436470ed85e94297b283537d52189c406a3f533cb405cc6a9dba46b482ce98b6e3dd52d8fce2237425617e38c11fbc46b61897ef200d01e4f25f5f6c4c5b38cd0de38ba11908b86595a8036a08a42a3d05b79600a97ac18ba368a08d6cf6ccb624f6e8002afc75599fba4de3d4f3ba7d208391ebe8d21f8282b18e2c10869eb2702e68f9176b42b0ddc9d763f0c86ba0ff92c957aaeab76d9ab8da52ea297ec11d92d770146faa1b300e0f91ef969b53e7d2907ffc984e9a9c9d11fb7d6cba91972059b46506b035efec6575c46d7114a6b935864858445f | ||
| 159 | Output = 63cb0bf65fc8255dd29e17 | ||
| 160 | |||
| 161 | +# The old FIPS provider doesn't include the workaround (#13817) | ||
| 162 | +FIPSversion = >3.0.0 | ||
| 163 | # negative test with an otherwise valid plaintext but with missing separator | ||
| 164 | # byte | ||
| 165 | Decrypt = RSA-2048-2 | ||
| 166 | @@ -501,6 +531,8 @@ PrivPubKeyPair = RSA-2049:RSA-2049-PUBLIC | ||
| 167 | |||
| 168 | # RSA decrypt | ||
| 169 | |||
| 170 | +# The old FIPS provider doesn't include the workaround (#13817) | ||
| 171 | +FIPSversion = >3.0.0 | ||
| 172 | # malformed that generates length specified by 3rd last value from PRF | ||
| 173 | Decrypt = RSA-2049 | ||
| 174 | Input = 00b26f6404b82649629f2704494282443776929122e279a9cf30b0c6fe8122a0a9042870d97cc8ef65490fe58f031eb2442352191f5fbc311026b5147d32df914599f38b825ebb824af0d63f2d541a245c5775d1c4b78630e4996cc5fe413d38455a776cf4edcc0aa7fccb31c584d60502ed2b77398f536e137ff7ba6430e9258e21c2db5b82f5380f566876110ac4c759178900fbad7ab70ea07b1daf7a1639cbb4196543a6cbe8271f35dddb8120304f6eef83059e1c5c5678710f904a6d760c4d1d8ad076be17904b9e69910040b47914a0176fb7eea0c06444a6c4b86d674d19a556a1de5490373cb01ce31bbd15a5633362d3d2cd7d4af1b4c5121288b894 | ||
| 175 | @@ -531,16 +563,22 @@ Decrypt = RSA-2049 | ||
| 176 | Input = f36da3b72d8ff6ded74e7efd08c01908f3f5f0de7b55eab92b5f875190809c39d4162e1e6649618f854fd84aeab03970d16bb814e999852c06de38d82b95c0f32e2a7b5714021fe303389be9c0eac24c90a6b7210f929d390fabf903d44e04110bb7a7fd6c383c275804721efa6d7c93aa64c0bb2b18d97c5220a846c66a4895ae52adddbe2a9996825e013585adcec4b32ba61d782737bd343e5fabd68e8a95b8b1340318559860792dd70dffbe05a1052b54cbfb48cfa7bb3c19cea52076bddac5c25ee276f153a610f6d06ed696d192d8ae4507ffae4e5bdda10a625d6b67f32f7cffcd48dee2431fe66f6105f9d17e611cdcc674868e81692a360f4052 | ||
| 177 | Output = "lorem ipsum" | ||
| 178 | |||
| 179 | +# The old FIPS provider doesn't include the workaround (#13817) | ||
| 180 | +FIPSversion = >3.0.0 | ||
| 181 | # a random negative test case that generates an 11 byte long message | ||
| 182 | Decrypt = RSA-2049 | ||
| 183 | Input = 00f910200830fc8fff478e99e145f1474b312e2512d0f90b8cef77f8001d09861688c156d1cbaf8a8957f7ebf35f724466952d0524cad48aad4fba1e45ce8ea27e8f3ba44131b7831b62d60c0762661f4c1d1a88cd06263a259abf1ba9e6b0b172069afb86a7e88387726f8ab3adb30bfd6b3f6be6d85d5dfd044e7ef052395474a9cbb1c3667a92780b43a22693015af6c513041bdaf87d43b24ddd244e791eeaea1066e1f4917117b3a468e22e0f7358852bb981248de4d720add2d15dccba6280355935b67c96f9dcb6c419cc38ab9f6fba2d649ef2066e0c34c9f788ae49babd9025fa85b21113e56ce4f43aa134c512b030dd7ac7ce82e76f0be9ce09ebca | ||
| 184 | Output = 1189b6f5498fd6df532b00 | ||
| 185 | |||
| 186 | +# The old FIPS provider doesn't include the workaround (#13817) | ||
| 187 | +FIPSversion = >3.0.0 | ||
| 188 | # otherwise correct plaintext, but with wrong first byte (0x01 instead of 0x00) | ||
| 189 | Decrypt = RSA-2049 | ||
| 190 | Input = 002c9ddc36ba4cf0038692b2d3a1c61a4bb3786a97ce2e46a3ba74d03158aeef456ce0f4db04dda3fe062268a1711250a18c69778a6280d88e133a16254e1f0e30ce8dac9b57d2e39a2f7d7be3ee4e08aec2fdbe8dadad7fdbf442a29a8fb40857407bf6be35596b8eefb5c2b3f58b894452c2dc54a6123a1a38d642e23751746597e08d71ac92704adc17803b19e131b4d1927881f43b0200e6f95658f559f912c889b4cd51862784364896cd6e8618f485a992f82997ad6a0917e32ae5872eaf850092b2d6c782ad35f487b79682333c1750c685d7d32ab3e1538f31dcaa5e7d5d2825875242c83947308dcf63ba4bfff20334c9c140c837dbdbae7a8dee72ff | ||
| 191 | Output = f6d0f5b78082fe61c04674 | ||
| 192 | |||
| 193 | +# The old FIPS provider doesn't include the workaround (#13817) | ||
| 194 | +FIPSversion = >3.0.0 | ||
| 195 | # otherwise correct plaintext, but with wrong second byte (0x01 instead of 0x02) | ||
| 196 | Decrypt = RSA-2049 | ||
| 197 | Input = 00c5d77826c1ab7a34d6390f9d342d5dbe848942e2618287952ba0350d7de6726112e9cebc391a0fae1839e2bf168229e3e0d71d4161801509f1f28f6e1487ca52df05c466b6b0a6fbbe57a3268a970610ec0beac39ec0fa67babce1ef2a86bf77466dc127d7d0d2962c20e66593126f276863cd38dc6351428f884c1384f67cad0a0ffdbc2af16711fb68dc559b96b37b4f04cd133ffc7d79c43c42ca4948fa895b9daeb853150c8a5169849b730cc77d68b0217d6c0e3dbf38d751a1998186633418367e7576530566c23d6d4e0da9b038d0bb5169ce40133ea076472d055001f0135645940fd08ea44269af2604c8b1ba225053d6db9ab43577689401bdc0f3 | ||
| 198 | @@ -603,17 +641,23 @@ ooCElYcob01/JWzoXl61Z5sdrMH5CVZJty5foHKusAN5AgMBAAE= | ||
| 199 | |||
| 200 | PrivPubKeyPair = RSA-3072:RSA-3072-PUBLIC | ||
| 201 | |||
| 202 | +# The old FIPS provider doesn't include the workaround (#13817) | ||
| 203 | +FIPSversion = >3.0.0 | ||
| 204 | # a random invalid ciphertext that generates an empty synthethic one | ||
| 205 | Decrypt = RSA-3072 | ||
| 206 | Input = 5e956cd9652f4a2ece902931013e09662b6a9257ad1e987fb75f73a0606df2a4b04789770820c2e02322c4e826f767bd895734a01e20609c3be4517a7a2a589ea1cdc137beb73eb38dac781b52e863de9620f79f9b90fd5b953651fcbfef4a9f1cc07421d511a87dd6942caab6a5a0f4df473e62defb529a7de1509ab99c596e1dff1320402298d8be73a896cc86c38ae3f2f576e9ea70cc28ad575cb0f854f0be43186baa9c18e29c47c6ca77135db79c811231b7c1730955887d321fdc06568382b86643cf089b10e35ab23e827d2e5aa7b4e99ff2e914f302351819eb4d1693243b35f8bf1d42d08f8ec4acafa35f747a4a975a28643ec630d8e4fa5be59d81995660a14bb64c1fea5146d6b11f92da6a3956dd5cb5e0d747cf2ea23f81617769185336263d46ef4c144b754de62a6337342d6c85a95f19f015724546ee3fc4823eca603dbc1dc01c2d5ed50bd72d8e96df2dc048edde0081284068283fc5e73a6139851abf2f29977d0b3d160c883a42a37efba1be05c1a0b1741d7ddf59 | ||
| 207 | Output = | ||
| 208 | |||
| 209 | +# The old FIPS provider doesn't include the workaround (#13817) | ||
| 210 | +FIPSversion = >3.0.0 | ||
| 211 | # a random invalid that has PRF output with a length one byte too long | ||
| 212 | # in the last value | ||
| 213 | Decrypt = RSA-3072 | ||
| 214 | Input = 7db0390d75fcf9d4c59cf27b264190d856da9abd11e92334d0e5f71005cfed865a711dfa28b791188374b61916dbc11339bf14b06f5f3f68c206c5607380e13da3129bfb744157e1527dd6fdf6651248b028a496ae1b97702d44706043cdaa7a59c0f41367303f21f268968bf3bd2904db3ae5239b55f8b438d93d7db9d1666c071c0857e2ec37757463769c54e51f052b2a71b04c2869e9e7049a1037b8429206c99726f07289bac18363e7eb2a5b417f47c37a55090cda676517b3549c873f2fe95da9681752ec9864b069089a2ed2f340c8b04ee00079055a817a3355b46ac7dc00d17f4504ccfbcfcadb0c04cb6b22069e179385ae1eafabad5521bac2b8a8ee1dfff59a22eb3fdacfc87175d10d7894cfd869d056057dd9944b869c1784fcc27f731bc46171d39570fbffbadf082d33f6352ecf44aca8d9478e53f5a5b7c852b401e8f5f74da49da91e65bdc97765a9523b7a0885a6f8afe5759d58009fbfa837472a968e6ae92026a5e0202a395483095302d6c3985b5f5831c521a271 | ||
| 215 | Output = 56a3bea054e01338be9b7d7957539c | ||
| 216 | |||
| 217 | +# The old FIPS provider doesn't include the workaround (#13817) | ||
| 218 | +FIPSversion = >3.0.0 | ||
| 219 | # a random invalid that generates a synthethic of maximum size | ||
| 220 | Decrypt = RSA-3072 | ||
| 221 | Input = 1715065322522dff85049800f6a29ab5f98c465020467414b2a44127fe9446da47fa18047900f99afe67c2df6f50160bb8e90bff296610fde632b3859d4d0d2e644f23835028c46cca01b84b88231d7e03154edec6627bcba23de76740d839851fa12d74c8f92e540c73fe837b91b7d699b311997d5f0f7864c486d499c3a79c111faaacbe4799597a25066c6200215c3d158f3817c1aa57f18bdaad0be1658da9da93f5cc6c3c4dd72788af57adbb6a0c26f42d32d95b8a4f95e8c6feb2f8a5d53b19a50a0b7cbc25e055ad03e5ace8f3f7db13e57759f67b65d143f08cca15992c6b2aae643390483de111c2988d4e76b42596266005103c8de6044fb7398eb3c28a864fa672de5fd8774510ff45e05969a11a4c7d3f343e331190d2dcf24fb9154ba904dc94af98afc5774a9617d0418fe6d13f8245c7d7626c176138dd698a23547c25f27c2b98ea4d8a45c7842b81888e4cc14e5b72e9cf91f56956c93dbf2e5f44a8282a7813157fc481ff1371a0f66b31797e81ebdb09a673d4db96d6 | ||
| 222 | @@ -644,43 +688,59 @@ Decrypt = RSA-3072 | ||
| 223 | Input = 1ec97ac981dfd9dcc7a7389fdfa9d361141dac80c23a060410d472c16094e6cdffc0c3684d84aa402d7051dfccb2f6da33f66985d2a259f5b7fbf39ac537e95c5b7050eb18844a0513abef812cc8e74a3c5240009e6e805dcadf532bc1a2702d5acc9e585fad5b89d461fcc1397351cdce35171523758b171dc041f412e42966de7f94856477356d06f2a6b40e3ff0547562a4d91bbf1338e9e049facbee8b20171164505468cd308997447d3dc4b0acb49e7d368fedd8c734251f30a83491d2506f3f87318cc118823244a393dc7c5c739a2733d93e1b13db6840a9429947357f47b23fbe39b7d2d61e5ee26f9946c4632f6c4699e452f412a26641d4751135400713cd56ec66f0370423d55d2af70f5e7ad0adea8e4a0d904a01e4ac272eba4af1a029dd53eb71f115bf31f7a6c8b19a6523adeecc0d4c3c107575e38572a8f8474ccad163e46e2e8b08111132aa97a16fb588c9b7e37b3b3d7490381f3c55d1a9869a0fd42cd86fed59ecec78cb6b2dfd06a497f5afe3419691314ba0 | ||
| 224 | Output = "forty two" | ||
| 225 | |||
| 226 | +# The old FIPS provider doesn't include the workaround (#13817) | ||
| 227 | +FIPSversion = >3.0.0 | ||
| 228 | # a random negative test case that generates a 9 byte long message | ||
| 229 | Decrypt = RSA-3072 | ||
| 230 | Input = 5c8555f5cef627c15d37f85c7f5fd6e499264ea4b8e3f9112023aeb722eb38d8eac2be3751fd5a3785ab7f2d59fa3728e5be8c3de78a67464e30b21ee23b5484bb3cd06d0e1c6ad25649c8518165653eb80488bfb491b20c04897a6772f69292222fc5ef50b5cf9efc6d60426a449b6c489569d48c83488df629d695653d409ce49a795447fcec2c58a1a672e4a391401d428baaf781516e11e323d302fcf20f6eab2b2dbe53a48c987e407c4d7e1cb41131329138313d330204173a4f3ff06c6fadf970f0ed1005d0b27e35c3d11693e0429e272d583e57b2c58d24315c397856b34485dcb077665592b747f889d34febf2be8fce66c265fd9fc3575a6286a5ce88b4b413a08efc57a07a8f57a999605a837b0542695c0d189e678b53662ecf7c3d37d9dbeea585eebfaf79141118e06762c2381fe27ca6288edddc19fd67cd64f16b46e06d8a59ac530f22cd83cc0bc4e37feb52015cbb2283043ccf5e78a4eb7146827d7a466b66c8a4a4826c1bad68123a7f2d00fc1736525ff90c058f56 | ||
| 231 | Output = 257906ca6de8307728 | ||
| 232 | |||
| 233 | +# The old FIPS provider doesn't include the workaround (#13817) | ||
| 234 | +FIPSversion = >3.0.0 | ||
| 235 | # a random negative test case that generates a 9 byte long message based on | ||
| 236 | # second to last value from PRF | ||
| 237 | Decrypt = RSA-3072 | ||
| 238 | Input = 758c215aa6acd61248062b88284bf43c13cb3b3d02410be4238607442f1c0216706e21a03a2c10eb624a63322d854da195c017b76fea83e274fa371834dcd2f3b7accf433fc212ad76c0bac366e1ed32e25b279f94129be7c64d6e162adc08ccebc0cfe8e926f01c33ab9c065f0e0ac83ae5137a4cb66702615ad68a35707d8676d2740d7c1a954680c83980e19778ed11eed3a7c2dbdfc461a9bbef671c1bc00c882d361d29d5f80c42bdf5efec886c34138f83369c6933b2ac4e93e764265351b4a0083f040e14f511f09b22f96566138864e4e6ff24da4810095da98e0585410951538ced2f757a277ff8e17172f06572c9024eeae503f176fd46eb6c5cd9ba07af11cde31dccac12eb3a4249a7bfd3b19797ad1656984bfcbf6f74e8f99d8f1ac420811f3d166d87f935ef15ae858cf9e72c8e2b547bf16c3fb09a8c9bf88fd2e5d38bf24ed610896131a84df76b9f920fe76d71fff938e9199f3b8cd0c11fd0201f9139d7673a871a9e7d4adc3bbe360c8813617cd60a90128fbe34c9d5 | ||
| 239 | Output = 043383c929060374ed | ||
| 240 | |||
| 241 | +# The old FIPS provider doesn't include the workaround (#13817) | ||
| 242 | +FIPSversion = >3.0.0 | ||
| 243 | # a random negative test that generates message based on 3rd last value from | ||
| 244 | # PRF | ||
| 245 | Decrypt = RSA-3072 | ||
| 246 | Input = 7b22d5e62d287968c6622171a1f75db4b0fd15cdf3134a1895d235d56f8d8fe619f2bf4868174a91d7601a82975d2255190d28b869141d7c395f0b8c4e2be2b2c1b4ffc12ce749a6f6803d4cfe7fba0a8d6949c04151f981c0d84592aa2ff25d1bd3ce5d10cb03daca6b496c6ad40d30bfa8acdfd02cdb9326c4bdd93b949c9dc46caa8f0e5f429785bce64136a429a3695ee674b647452bea1b0c6de9c5f1e8760d5ef6d5a9cfff40457b023d3c233c1dcb323e7808103e73963b2eafc928c9eeb0ee3294955415c1ddd9a1bb7e138fecd79a3cb89c57bd2305524624814aaf0fd1acbf379f7f5b39421f12f115ba488d380586095bb53f174fae424fa4c8e3b299709cd344b9f949b1ab57f1c645d7ed3c8f81d5594197355029fee8960970ff59710dc0e5eb50ea6f4c3938e3f89ed7933023a2c2ddffaba07be147f686828bd7d520f300507ed6e71bdaee05570b27bc92741108ac2eb433f028e138dd6d63067bc206ea2d826a7f41c0d613daed020f0f30f4e272e9618e0a8c39018a83 | ||
| 247 | Output = 70263fa6050534b9e0 | ||
| 248 | |||
| 249 | +# The old FIPS provider doesn't include the workaround (#13817) | ||
| 250 | +FIPSversion = >3.0.0 | ||
| 251 | # an otherwise valid plaintext, but with wrong first byte (0x01 instead of 0x00) | ||
| 252 | Decrypt = RSA-3072 | ||
| 253 | Input = 6db80adb5ff0a768caf1378ecc382a694e7d1bde2eff4ba12c48aaf794ded7a994a5b2b57acec20dbec4ae385c9dd531945c0f197a5496908725fc99d88601a17d3bb0b2d38d2c1c3100f39955a4cb3dbed5a38bf900f23d91e173640e4ec655c84fdfe71fcdb12a386108fcf718c9b7af37d39703e882436224c877a2235e8344fba6c951eb7e2a4d1d1de81fb463ac1b880f6cc0e59ade05c8ce35179ecd09546731fc07b141d3d6b342a97ae747e61a9130f72d37ac5a2c30215b6cbd66c7db893810df58b4c457b4b54f34428247d584e0fa71062446210db08254fb9ead1ba1a393c724bd291f0cf1a7143f32df849051dc896d7d176fef3b57ab6dffd626d0c3044e9edb2e3d012ace202d2581df01bec7e9aa0727a6650dd373d374f0bc0f4a611f8139dfe97d63e70c6188f4df5b672e47c51d8aa567097293fbff127c75ec690b43407578b73c85451710a0cece58fd497d7f7bd36a8a92783ef7dc6265dff52aac8b70340b996508d39217f2783ce6fc91a1cc94bb2ac487b84f62 | ||
| 254 | Output = 6d8d3a094ff3afff4c | ||
| 255 | |||
| 256 | +# The old FIPS provider doesn't include the workaround (#13817) | ||
| 257 | +FIPSversion = >3.0.0 | ||
| 258 | # an otherwise valid plaintext, but with wrong second byte (0x01 instead of 0x02) | ||
| 259 | Decrypt = RSA-3072 | ||
| 260 | Input = 417328c034458563079a4024817d0150340c34e25ae16dcad690623f702e5c748a6ebb3419ff48f486f83ba9df35c05efbd7f40613f0fc996c53706c30df6bba6dcd4a40825f96133f3c21638a342bd4663dffbd0073980dac47f8c1dd8e97ce1412e4f91f2a8adb1ac2b1071066efe8d718bbb88ca4a59bd61500e826f2365255a409bece0f972df97c3a55e09289ef5fa815a2353ef393fd1aecfc888d611c16aec532e5148be15ef1bf2834b8f75bb26db08b66d2baad6464f8439d1986b533813321dbb180080910f233bcc4dd784fb21871aef41be08b7bfad4ecc3b68f228cb5317ac6ec1227bc7d0e452037ba918ee1da9fdb8393ae93b1e937a8d4691a17871d5092d2384b6190a53df888f65b951b05ed4ad57fe4b0c6a47b5b22f32a7f23c1a234c9feb5d8713d949686760680da4db454f4acad972470033472b9864d63e8d23eefc87ebcf464ecf33f67fbcdd48eab38c5292586b36aef5981ed2fa07b2f9e23fc57d9eb71bfff4111c857e9fff23ceb31e72592e70c874b4936 | ||
| 261 | Output = c6ae80ffa80bc184b0 | ||
| 262 | |||
| 263 | +# The old FIPS provider doesn't include the workaround (#13817) | ||
| 264 | +FIPSversion = >3.0.0 | ||
| 265 | # an otherwise valid plaintext, but with zero byte in first byte of padding | ||
| 266 | Decrypt = RSA-3072 | ||
| 267 | Input = 8542c626fe533467acffcd4e617692244c9b5a3bf0a215c5d64891ced4bf4f9591b4b2aedff9843057986d81631b0acb3704ec2180e5696e8bd15b217a0ec36d2061b0e2182faa3d1c59bd3f9086a10077a3337a3f5da503ec3753535ffd25b837a12f2541afefd0cffb0224b8f874e4bed13949e105c075ed44e287c5ae03b155e06b90ed247d2c07f1ef3323e3508cce4e4074606c54172ad74d12f8c3a47f654ad671104bf7681e5b061862747d9afd37e07d8e0e2291e01f14a95a1bb4cbb47c304ef067595a3947ee2d722067e38a0f046f43ec29cac6a8801c6e3e9a2331b1d45a7aa2c6af3205be382dd026e389614ee095665a611ab2e8dced2ee1c9d08ac9de11aef5b3803fc9a9ce8231ec87b5fed386fb92ee3db995a89307bcba844bd0a691c29ae51216e949dfc813133cb06a07265fd807bcb3377f6adb0a481d9b7f442003115895939773e6b95371c4febef29edae946fa245e7c50729e2e558cfaad773d1fd5f67b457a6d9d17a847c6fcbdb103a86f35f228cefc06cea0 | ||
| 268 | Output = a8a9301daa01bb25c7 | ||
| 269 | |||
| 270 | +# The old FIPS provider doesn't include the workaround (#13817) | ||
| 271 | +FIPSversion = >3.0.0 | ||
| 272 | # an otherwise valid plaintext, but with zero byte in eight byte of padding | ||
| 273 | Decrypt = RSA-3072 | ||
| 274 | Input = 449dfa237a70a99cb0351793ec8677882021c2aa743580bf6a0ea672055cffe8303ac42855b1d1f3373aae6af09cb9074180fc963e9d1478a4f98b3b4861d3e7f0aa8560cf603711f139db77667ca14ba3a1acdedfca9ef4603d6d7eb0645bfc805304f9ad9d77d34762ce5cd84bd3ec9d35c30e3be72a1e8d355d5674a141b5530659ad64ebb6082e6f73a80832ab6388912538914654d34602f4b3b1c78589b4a5d964b2efcca1dc7004c41f6cafcb5a7159a7fc7c0398604d0edbd4c8f4f04067da6a153a05e7cbeea13b5ee412400ef7d4f3106f4798da707ec37a11286df2b7a204856d5ff773613fd1e453a7114b78e347d3e8078e1cb3276b3562486ba630bf719697e0073a123c3e60ebb5c7a1ccff4279faffa2402bc1109f8d559d6766e73591943dfcf25ba10c3762f02af85187799b8b4b135c3990793a6fd32642f1557405ba55cc7cf7336a0e967073c5fa50743f9cc5e3017c172d9898d2af83345e71b3e0c22ab791eacb6484a32ec60ebc226ec9deaee91b1a0560c2b571 | ||
| 275 | Output = 6c716fe01d44398018 | ||
| 276 | |||
| 277 | +# The old FIPS provider doesn't include the workaround (#13817) | ||
| 278 | +FIPSversion = >3.0.0 | ||
| 279 | # an otherwise valid plaintext, but with null separator missing | ||
| 280 | Decrypt = RSA-3072 | ||
| 281 | Input = a7a5c99e50da48769ecb779d9abe86ef9ec8c38c6f43f17c7f2d7af608a4a1bd6cf695b47e97c191c61fb5a27318d02f495a176b9fae5a55b5d3fabd1d8aae4957e3879cb0c60f037724e11be5f30f08fc51c033731f14b44b414d11278cd3dba7e1c8bfe208d2b2bb7ec36366dacb6c88b24cd79ab394adf19dbbc21dfa5788bacbadc6a62f79cf54fd8cf585c615b5c0eb94c35aa9de25321c8ffefb8916bbaa2697cb2dd82ee98939df9b6704cee77793edd2b4947d82e00e5749664970736c59a84197bd72b5c71e36aae29cd39af6ac73a368edbc1ca792e1309f442aafcd77c992c88f8e4863149f221695cb7b0236e75b2339a02c4ea114854372c306b9412d8eedb600a31532002f2cea07b4df963a093185e4607732e46d753b540974fb5a5c3f9432df22e85bb17611370966c5522fd23f2ad3484341ba7fd8885fc8e6d379a611d13a2aca784fba2073208faad2137bf1979a0fa146c1880d4337db3274269493bab44a1bcd0681f7227ffdf589c2e925ed9d36302509d1109ba4 | ||
| 282 | -- | ||
| 283 | 2.34.1 | ||
| 284 | |||
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-6.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-6.patch new file mode 100644 index 0000000000..75e1df4bba --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-6.patch | |||
| @@ -0,0 +1,57 @@ | |||
| 1 | From 455db0c94c0b83083ce8b792982c03aa56fc866f Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Hubert Kario <hkario@redhat.com> | ||
| 3 | Date: Tue, 22 Nov 2022 17:42:11 +0100 | ||
| 4 | Subject: [PATCH] rsa: add test for the option to disable implicit rejection | ||
| 5 | |||
| 6 | CVE: CVE-2023-50781 | ||
| 7 | |||
| 8 | Upstream-Status: Backport [https://github.com/openssl/openssl/commit/455db0c94c0b83083ce8b792982c03aa56fc866f] | ||
| 9 | |||
| 10 | Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> | ||
| 11 | Reviewed-by: Tim Hudson <tjh@openssl.org> | ||
| 12 | Reviewed-by: Tomas Mraz <tomas@openssl.org> | ||
| 13 | (Merged from https://github.com/openssl/openssl/pull/13817) | ||
| 14 | Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com> | ||
| 15 | --- | ||
| 16 | .../30-test_evp_data/evppkey_rsa_common.txt | 18 ++++++++++++++++++ | ||
| 17 | 1 file changed, 18 insertions(+) | ||
| 18 | |||
| 19 | diff --git a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt | ||
| 20 | index 0ad654fc60..a3d01eec45 100644 | ||
| 21 | --- a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt | ||
| 22 | +++ b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt | ||
| 23 | @@ -253,6 +253,14 @@ Decrypt = RSA-2048 | ||
| 24 | Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A78 | ||
| 25 | Output = "Hello World" | ||
| 26 | |||
| 27 | +# The old FIPS provider doesn't include the workaround (#13817) | ||
| 28 | +FIPSversion = >3.0.0 | ||
| 29 | +# Note: disable the Bleichenbacher workaround to see if it passes | ||
| 30 | +Decrypt = RSA-2048 | ||
| 31 | +Ctrl = rsa_pkcs1_implicit_rejection:0 | ||
| 32 | +Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A78 | ||
| 33 | +Output = "Hello World" | ||
| 34 | + | ||
| 35 | # The old FIPS provider doesn't include the workaround (#13817) | ||
| 36 | FIPSversion = >3.0.0 | ||
| 37 | # Corrupted ciphertext | ||
| 38 | @@ -261,6 +269,16 @@ Decrypt = RSA-2048 | ||
| 39 | Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A79 | ||
| 40 | Output = 4cbb988d6a46228379132b0b5f8c249b3860043848c93632fb982c807c7c82fffc7a9ef83f4908f890373ac181ffea6381e103bcaa27e65638b6ecebef38b59ed4226a9d12af675cfcb634d8c40e7a7aff | ||
| 41 | |||
| 42 | +# The old FIPS provider doesn't include the workaround (#13817) | ||
| 43 | +FIPSversion = >3.0.0 | ||
| 44 | +# Corrupted ciphertext | ||
| 45 | +# Note: disable the Bleichenbacher workaround to see if it fails | ||
| 46 | +Decrypt = RSA-2048 | ||
| 47 | +Ctrl = rsa_pkcs1_implicit_rejection:0 | ||
| 48 | +Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A79 | ||
| 49 | +Output = "Hello World" | ||
| 50 | +Result = KEYOP_ERROR | ||
| 51 | + | ||
| 52 | # OAEP padding | ||
| 53 | Decrypt = RSA-2048 | ||
| 54 | Ctrl = rsa_padding_mode:oaep | ||
| 55 | -- | ||
| 56 | 2.34.1 | ||
| 57 | |||
diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.17.bb b/meta/recipes-connectivity/openssl/openssl_3.0.17.bb index ee0ab2e498..a50bd2edbf 100644 --- a/meta/recipes-connectivity/openssl/openssl_3.0.17.bb +++ b/meta/recipes-connectivity/openssl/openssl_3.0.17.bb | |||
| @@ -13,7 +13,13 @@ SRC_URI = "https://github.com/openssl/openssl/releases/download/openssl-${PV}/op | |||
| 13 | file://afalg.patch \ | 13 | file://afalg.patch \ |
| 14 | file://0001-Configure-do-not-tweak-mips-cflags.patch \ | 14 | file://0001-Configure-do-not-tweak-mips-cflags.patch \ |
| 15 | file://CVE-2024-41996.patch \ | 15 | file://CVE-2024-41996.patch \ |
| 16 | " | 16 | file://CVE-2023-50781-1.patch \ |
| 17 | file://CVE-2023-50781-2.patch \ | ||
| 18 | file://CVE-2023-50781-3.patch \ | ||
| 19 | file://CVE-2023-50781-4.patch \ | ||
| 20 | file://CVE-2023-50781-5.patch \ | ||
| 21 | file://CVE-2023-50781-6.patch \ | ||
| 22 | " | ||
| 17 | 23 | ||
| 18 | SRC_URI:append:class-nativesdk = " \ | 24 | SRC_URI:append:class-nativesdk = " \ |
| 19 | file://environment.d-openssl.sh \ | 25 | file://environment.d-openssl.sh \ |