tests: make RsaDecisionCoverage padding-mismatch check deterministic

test_wc_RsaDecisionCoverage decrypted an OAEP-SHA256 cipher text as PKCS#1 v1.5
and asserted it must return < 0. That is flaky: v1.5 decrypt-unpadding of the
random OAEP plaintext spuriously "succeeds" whenever byte[1] lands on 0x02 with
a valid 0x00 separator after >=8 nonzero bytes -- a few-percent-per-run coin
flip, and a fresh random key is generated each run. It surfaced as intermittent
make-check failures (e.g. "result: 36 >= 0", "140 >= 0") on PR CI.

Replace it with a deterministic padding-mismatch: decrypt the (no-label) OAEP
cipher text as OAEP with a non-empty label. OAEP authenticates the label via
lHash, so a label mismatch fails the integrity check every time, still
exercising the padding-mismatch decision branch in rsa.c.

Verified locally by looping test_wc_RsaDecisionCoverage 150x in an
OAEP+SHA256 build: old assertion failed 2/150, new assertion 0/150.
This commit is contained in:
Daniele Lacamera
2026-07-07 16:09:23 +02:00
parent a178b6f50d
commit a79c7044da
+12 -5
View File
@@ -1535,11 +1535,18 @@ int test_wc_RsaDecisionCoverage(void)
ExpectIntEQ(wc_RsaPrivateDecrypt_ex(cipher, (word32)cipherOutLen, plain,
cipherLen, NULL, WC_RSA_OAEP_PAD, WC_HASH_TYPE_SHA256, WC_MGF1SHA256,
NULL, 0), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
/* Cipher text is OAEP-SHA256: decoding it as PKCS#1 v1.5 must fail and
* exercise the padding-mismatch decision branch in rsa.c. */
ExpectIntLT(wc_RsaPrivateDecrypt_ex(cipher, (word32)cipherOutLen, plain,
cipherLen, &key, WC_RSA_PKCSV15_PAD, WC_HASH_TYPE_NONE, 0, NULL, 0),
0);
/* Cipher text is OAEP-SHA256 with no label. Decrypting it as OAEP with a
* non-empty label makes the recovered lHash mismatch, so OAEP's integrity
* check fails *deterministically* and exercises the padding-mismatch
* decision branch in rsa.c. (Decoding it as PKCS#1 v1.5 was flaky: v1.5
* unpadding of the random OAEP plaintext spuriously "succeeds" a few
* percent of the time when byte[1] lands on 0x02 with a valid separator.) */
{
byte wrongLabel[5] = { 'w', 'r', 'o', 'n', 'g' };
ExpectIntLT(wc_RsaPrivateDecrypt_ex(cipher, (word32)cipherOutLen, plain,
cipherLen, &key, WC_RSA_OAEP_PAD, WC_HASH_TYPE_SHA256,
WC_MGF1SHA256, wrongLabel, sizeof(wrongLabel)), 0);
}
/* ---- wc_RsaPrivateDecryptInline_ex argument-check branches ---- */
{