lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3173099.iDVlNMTGc2@tachyon.chronox.de>
Date:	Thu, 04 Jun 2015 02:15:15 +0200
From:	Stephan Mueller <smueller@...onox.de>
To:	Tadeusz Struk <tadeusz.struk@...el.com>
Cc:	herbert@...dor.apana.org.au, linux-kernel@...r.kernel.org,
	keescook@...omium.org, jwboyer@...hat.com, richard@....at,
	steved@...hat.com, qat-linux@...el.com, dhowells@...hat.com,
	linux-crypto@...r.kernel.org, james.l.morris@...cle.com,
	jkosina@...e.cz, zohar@...ux.vnet.ibm.com, davem@...emloft.net,
	vgoyal@...hat.com
Subject: Re: [PATCH RFC v3 3/3] crypto: add tests vectors for RSA

Am Mittwoch, 3. Juni 2015, 15:44:24 schrieb Tadeusz Struk:

Hi Tadeusz,

> New test vectors for RSA algorithm.
> 
> Signed-off-by: Tadeusz Struk <tadeusz.struk@...el.com>
> ---
>  crypto/testmgr.c |  151
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++ crypto/testmgr.h |  
> 86 +++++++++++++++++++++++++++++++
>  2 files changed, 237 insertions(+)
> 
> diff --git a/crypto/testmgr.c b/crypto/testmgr.c
> index 717d6f2..54a5412 100644
> --- a/crypto/testmgr.c
> +++ b/crypto/testmgr.c
> @@ -30,6 +30,8 @@
>  #include <linux/string.h>
>  #include <crypto/rng.h>
>  #include <crypto/drbg.h>
> +#include <crypto/public_key.h>
> +#include <crypto/akcipher.h>
> 
>  #include "internal.h"
> 
> @@ -116,6 +118,11 @@ struct drbg_test_suite {
>  	unsigned int count;
>  };
> 
> +struct akcipher_test_suite {
> +	struct akcipher_testvec *vecs;
> +	unsigned int count;
> +};
> +
>  struct alg_test_desc {
>  	const char *alg;
>  	int (*test)(const struct alg_test_desc *desc, const char *driver,
> @@ -130,6 +137,7 @@ struct alg_test_desc {
>  		struct hash_test_suite hash;
>  		struct cprng_test_suite cprng;
>  		struct drbg_test_suite drbg;
> +		struct akcipher_test_suite akcipher;
>  	} suite;
>  };
> 
> @@ -1825,6 +1833,139 @@ static int alg_test_drbg(const struct alg_test_desc
> *desc, const char *driver,
> 
>  }
> 
> +static int do_test_rsa(struct crypto_akcipher *tfm,
> +		       struct akcipher_testvec *vecs)
> +{
> +	struct akcipher_request *req;
> +	struct public_key pkey;
> +	void *outbuf_enc = NULL;
> +	void *outbuf_dec = NULL;
> +	struct tcrypt_result result;
> +	unsigned int out_len = vecs->c_size;
> +	int err = -ENOMEM;
> +
> +	req = akcipher_request_alloc(tfm, GFP_KERNEL);
> +	if (!req)
> +		return err;
> +
> +	pkey.rsa.n = mpi_read_raw_data(vecs->pub_key_n, vecs->pub_key_n_size);
> +	if (!pkey.rsa.n)
> +		goto free_req;
> +
> +	pkey.rsa.e = mpi_read_raw_data(vecs->pub_key_e, vecs->pub_key_e_size);
> +	if (!pkey.rsa.e)
> +		goto free_n;
> +
> +	pkey.rsa.d = mpi_read_raw_data(vecs->sec_key_d, vecs->sec_key_d_size);
> +	if (!pkey.rsa.d)
> +		goto free_e;
> +
> +	outbuf_enc = kzalloc(vecs->c_size, GFP_KERNEL);
> +	if (!outbuf_enc)
> +		goto free_d;
> +
> +	/* Run RSA encrypt - c = m^e mod n;*/
> +	init_completion(&result.completion);
> +	crypto_akcipher_setkey(tfm, &pkey);
> +	akcipher_request_set_crypt(req, vecs->m, outbuf_enc, vecs->m_size,
> +				   out_len, &out_len);
> +	akcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
> +				      tcrypt_complete, &result);
> +	err = wait_async_op(&result, crypto_akcipher_encrypt(req));
> +	if (err) {
> +		pr_err("alg: rsa: encrypt test failed. err %d\n", err);
> +		goto free_all;
> +	}
> +
> +	if (out_len != vecs->c_size) {
> +		err = -EINVAL;
> +		goto free_all;
> +	}
> +

May I ask that the outbuf_enc is memcmp()ed with an expected value? This check 
is required for FIPS 140-2 compliance. Without that memcmp, FIPS 140-2 
validations will not be successful.

> +	outbuf_dec = kzalloc(out_len, GFP_KERNEL);
> +	if (!outbuf_dec) {
> +		err = -ENOMEM;
> +		goto free_all;
> +	}
> +
> +	init_completion(&result.completion);
> +	akcipher_request_set_crypt(req, outbuf_enc, outbuf_dec, vecs->c_size,
> +				   out_len, &out_len);
> +	/* Run RSA decrypt - m = c^d mod n;*/
> +	err = wait_async_op(&result, crypto_akcipher_decrypt(req));
> +	if (err) {
> +		pr_err("alg: rsa: decrypt test failed. err %d\n", err);
> +		goto free_all;
> +	}
> +
> +	if (out_len != vecs->m_size) {
> +		err = -EINVAL;
> +		goto free_all;
> +	}
> +
> +	/* verify that decrypted message is equal to the original msg */
> +	if (memcmp(vecs->m, outbuf_dec, vecs->m_size)) {
> +		pr_err("alg: rsa: encrypt test failed. Invalid output\n");
> +		err = -EINVAL;
> +	}
> +free_all:
> +	kfree(outbuf_dec);
> +	kfree(outbuf_enc);
> +free_d:
> +	mpi_free(pkey.rsa.d);
> +free_e:
> +	mpi_free(pkey.rsa.e);
> +free_n:
> +	mpi_free(pkey.rsa.n);
> +free_req:
> +	akcipher_request_free(req);
> +	return err;
> +}
> +
> +static int test_rsa(struct crypto_akcipher *tfm, struct akcipher_testvec
> *vecs, +		    unsigned int tcount)
> +{
> +	int ret, i;
> +
> +	for (i = 0; i < tcount; i++) {
> +		ret = do_test_rsa(tfm, vecs++);
> +		if (ret) {
> +			pr_err("alg: rsa: test failed on vector %d\n", i + 1);
> +			return ret;
> +		}
> +	}
> +	return 0;
> +}
> +
> +static int test_akcipher(struct crypto_akcipher *tfm, const char *alg,
> +			 struct akcipher_testvec *vecs, unsigned int tcount)
> +{
> +	if (strncmp(alg, "rsa", 3) == 0)
> +		return test_rsa(tfm, vecs, tcount);
> +
> +	return 0;
> +}
> +
> +static int alg_test_akcipher(const struct alg_test_desc *desc,
> +			     const char *driver, u32 type, u32 mask)
> +{
> +	struct crypto_akcipher *tfm;
> +	int err = 0;
> +
> +	tfm = crypto_alloc_akcipher(driver, type | CRYPTO_ALG_INTERNAL, mask);
> +	if (IS_ERR(tfm)) {
> +		printk(KERN_ERR "alg: akcipher: Failed to load transform for 
%s: "
> +		       "%ld\n", driver, PTR_ERR(tfm));
> +		return PTR_ERR(tfm);
> +	}
> +	if (desc->suite.akcipher.vecs)
> +		err = test_akcipher(tfm, desc->alg, desc->suite.akcipher.vecs,
> +				    desc->suite.akcipher.count);
> +
> +	crypto_free_akcipher(tfm);
> +	return err;
> +}
> +
>  static int alg_test_null(const struct alg_test_desc *desc,
>  			     const char *driver, u32 type, u32 mask)
>  {
> @@ -3399,6 +3540,16 @@ static const struct alg_test_desc alg_test_descs[] =
> { }
>  		}
>  	}, {
> +		.alg = "rsa",
> +		.test = alg_test_akcipher,
> +		.fips_allowed = 1,
> +		.suite = {
> +			.akcipher = {
> +				.vecs = rsa_tv_template,
> +				.count = RSA_TEST_VECTORS
> +			}
> +		}
> +	}, {
>  		.alg = "salsa20",
>  		.test = alg_test_skcipher,
>  		.suite = {
> diff --git a/crypto/testmgr.h b/crypto/testmgr.h
> index 6003143..ab68906 100644
> --- a/crypto/testmgr.h
> +++ b/crypto/testmgr.h
> @@ -107,9 +107,95 @@ struct drbg_testvec {
>  	size_t expectedlen;
>  };
> 
> +struct akcipher_testvec {
> +	unsigned char *pub_key_n;
> +	unsigned char *pub_key_e;
> +	unsigned char *sec_key_d;
> +	unsigned char *m;
> +	unsigned int pub_key_n_size;
> +	unsigned int pub_key_e_size;
> +	unsigned int sec_key_d_size;
> +	unsigned int m_size;
> +	unsigned int c_size; /* size of encrypted message */
> +};
> +
>  static char zeroed_string[48];
> 
>  /*
> + * RSA test vectors. Borrowed from openSSL.
> + */
> +#define RSA_TEST_VECTORS	3
> +
> +static struct akcipher_testvec rsa_tv_template [] = {
> +	{
> +	.pub_key_n =
> +	"\x00\xAA\x36\xAB\xCE\x88\xAC\xFD\xFF\x55\x52\x3C\x7F\xC4\x52\x3F"
> +	"\x90\xEF\xA0\x0D\xF3\x77\x4A\x25\x9F\x2E\x62\xB4\xC5\xD9\x9C\xB5"
> +	"\xAD\xB3\x00\xA0\x28\x5E\x53\x01\x93\x0E\x0C\x70\xFB\x68\x76\x93"
> +	"\x9C\xE6\x16\xCE\x62\x4A\x11\xE0\x08\x6D\x34\x1E\xBC\xAC\xA0\xA1"
> +	"\xF5",
> +	.pub_key_e = "\x11",
> +	.sec_key_d =
> +	"\x0A\x03\x37\x48\x62\x64\x87\x69\x5F\x5F\x30\xBC\x38\xB9\x8B\x44"
> +	"\xC2\xCD\x2D\xFF\x43\x40\x98\xCD\x20\xD8\xA1\x38\xD0\x90\xBF\x64"
> +	"\x79\x7C\x3F\xA7\xA2\xCD\xCB\x3C\xD1\xE0\xBD\xBA\x26\x54\xB4\xF9"
> +	"\xDF\x8E\x8A\xE5\x9D\x73\x3D\x9F\x33\xB3\x01\x62\x4A\xFD\x1D\x51",
> +	.m = "\x54\x85\x9b\x34\x2c\x49\xea\x2a",
> +	.pub_key_n_size = 65,
> +	.pub_key_e_size = 1,
> +	.sec_key_d_size = 64,
> +	.m_size = 8,
> +	.c_size = 64,
> +	}, {
> +	.pub_key_n =
> +	"\x00\xA3\x07\x9A\x90\xDF\x0D\xFD\x72\xAC\x09\x0C\xCC\x2A\x78\xB8"
> +	"\x74\x13\x13\x3E\x40\x75\x9C\x98\xFA\xF8\x20\x4F\x35\x8A\x0B\x26"
> +	"\x3C\x67\x70\xE7\x83\xA9\x3B\x69\x71\xB7\x37\x79\xD2\x71\x7B\xE8"
> +	"\x34\x77\xCF",
> +	.pub_key_e = "\x3",
> +	.sec_key_d =
> +	"\x6C\xAF\xBC\x60\x94\xB3\xFE\x4C\x72\xB0\xB3\x32\xC6\xFB\x25\xA2"
> +	"\xB7\x62\x29\x80\x4E\x68\x65\xFC\xA4\x5A\x74\xDF\x0F\x8F\xB8\x41"
> +	"\x3B\x52\xC0\xD0\xE5\x3D\x9B\x59\x0F\xF1\x9B\xE7\x9F\x49\xDD\x21"
> +	"\xE5\xEB",
> +	.m = "\x54\x85\x9b\x34\x2c\x49\xea\x2a",
> +	.pub_key_n_size = 51,
> +	.pub_key_e_size = 1,
> +	.sec_key_d_size = 50,
> +	.m_size = 8,
> +	.c_size = 24,
> +	}, {
> +	.pub_key_n =
> +	"\x00\xBB\xF8\x2F\x09\x06\x82\xCE\x9C\x23\x38\xAC\x2B\x9D\xA8\x71"
> +	"\xF7\x36\x8D\x07\xEE\xD4\x10\x43\xA4\x40\xD6\xB6\xF0\x74\x54\xF5"
> +	"\x1F\xB8\xDF\xBA\xAF\x03\x5C\x02\xAB\x61\xEA\x48\xCE\xEB\x6F\xCD"
> +	"\x48\x76\xED\x52\x0D\x60\xE1\xEC\x46\x19\x71\x9D\x8A\x5B\x8B\x80"
> +	"\x7F\xAF\xB8\xE0\xA3\xDF\xC7\x37\x72\x3E\xE6\xB4\xB7\xD9\x3A\x25"
> +	"\x84\xEE\x6A\x64\x9D\x06\x09\x53\x74\x88\x34\xB2\x45\x45\x98\x39"
> +	"\x4E\xE0\xAA\xB1\x2D\x7B\x61\xA5\x1F\x52\x7A\x9A\x41\xF6\xC1\x68"
> +	"\x7F\xE2\x53\x72\x98\xCA\x2A\x8F\x59\x46\xF8\xE5\xFD\x09\x1D\xBD"
> +	"\xCB",
> +	.pub_key_e = "\x11",
> +	.sec_key_d =
> +	"\x00\xA5\xDA\xFC\x53\x41\xFA\xF2\x89\xC4\xB9\x88\xDB\x30\xC1\xCD"
> +	"\xF8\x3F\x31\x25\x1E\x06\x68\xB4\x27\x84\x81\x38\x01\x57\x96\x41"
> +	"\xB2\x94\x10\xB3\xC7\x99\x8D\x6B\xC4\x65\x74\x5E\x5C\x39\x26\x69"
> +	"\xD6\x87\x0D\xA2\xC0\x82\xA9\x39\xE3\x7F\xDC\xB8\x2E\xC9\x3E\xDA"
> +	"\xC9\x7F\xF3\xAD\x59\x50\xAC\xCF\xBC\x11\x1C\x76\xF1\xA9\x52\x94"
> +	"\x44\xE5\x6A\xAF\x68\xC5\x6C\x09\x2C\xD3\x8D\xC3\xBE\xF5\xD2\x0A"
> +	"\x93\x99\x26\xED\x4F\x74\xA1\x3E\xDD\xFB\xE1\xA1\xCE\xCC\x48\x94"
> +	"\xAF\x94\x28\xC2\xB7\xB8\x88\x3F\xE4\x46\x3A\x4B\xC8\x5B\x1C\xB3"
> +	"\xC1",
> +	.m = "\x54\x85\x9b\x34\x2c\x49\xea\x2a",
> +	.pub_key_n_size = 129,
> +	.pub_key_e_size = 1,
> +	.sec_key_d_size = 129,
> +	.m_size = 8,
> +	.c_size = 128,

Sorry for bringing that one up just now: 512 and 1024 bit test vectors will 
not be helpful for several use cases, including FIPS. I can offer to give you 
2k or 3k vectors. Besides, wouldn't one vector be sufficient?
> +	}
> +};
> +
> +/*
>   * MD4 test vectors from RFC1320
>   */
>  #define MD4_TEST_VECTORS	7
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
> the body of a message to majordomo@...r.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html


-- 
Ciao
Stephan
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ