mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-10 21:40:52 +02:00
tests: make RsaDecisionCoverage padding-mismatch check deterministic
test_wc_RsaDecisionCoverage decrypted an OAEP-SHA256 cipher text as PKCS#1 v1.5 and asserted it must return < 0. That is flaky: v1.5 decrypt-unpadding of the random OAEP plaintext spuriously "succeeds" whenever byte[1] lands on 0x02 with a valid 0x00 separator after >=8 nonzero bytes -- a few-percent-per-run coin flip, and a fresh random key is generated each run. It surfaced as intermittent make-check failures (e.g. "result: 36 >= 0", "140 >= 0") on PR CI. Replace it with a deterministic padding-mismatch: decrypt the (no-label) OAEP cipher text as OAEP with a non-empty label. OAEP authenticates the label via lHash, so a label mismatch fails the integrity check every time, still exercising the padding-mismatch decision branch in rsa.c. Verified locally by looping test_wc_RsaDecisionCoverage 150x in an OAEP+SHA256 build: old assertion failed 2/150, new assertion 0/150.
This commit is contained in:
+12
-5
@@ -1535,11 +1535,18 @@ int test_wc_RsaDecisionCoverage(void)
|
||||
ExpectIntEQ(wc_RsaPrivateDecrypt_ex(cipher, (word32)cipherOutLen, plain,
|
||||
cipherLen, NULL, WC_RSA_OAEP_PAD, WC_HASH_TYPE_SHA256, WC_MGF1SHA256,
|
||||
NULL, 0), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
|
||||
/* Cipher text is OAEP-SHA256: decoding it as PKCS#1 v1.5 must fail and
|
||||
* exercise the padding-mismatch decision branch in rsa.c. */
|
||||
ExpectIntLT(wc_RsaPrivateDecrypt_ex(cipher, (word32)cipherOutLen, plain,
|
||||
cipherLen, &key, WC_RSA_PKCSV15_PAD, WC_HASH_TYPE_NONE, 0, NULL, 0),
|
||||
0);
|
||||
/* Cipher text is OAEP-SHA256 with no label. Decrypting it as OAEP with a
|
||||
* non-empty label makes the recovered lHash mismatch, so OAEP's integrity
|
||||
* check fails *deterministically* and exercises the padding-mismatch
|
||||
* decision branch in rsa.c. (Decoding it as PKCS#1 v1.5 was flaky: v1.5
|
||||
* unpadding of the random OAEP plaintext spuriously "succeeds" a few
|
||||
* percent of the time when byte[1] lands on 0x02 with a valid separator.) */
|
||||
{
|
||||
byte wrongLabel[5] = { 'w', 'r', 'o', 'n', 'g' };
|
||||
ExpectIntLT(wc_RsaPrivateDecrypt_ex(cipher, (word32)cipherOutLen, plain,
|
||||
cipherLen, &key, WC_RSA_OAEP_PAD, WC_HASH_TYPE_SHA256,
|
||||
WC_MGF1SHA256, wrongLabel, sizeof(wrongLabel)), 0);
|
||||
}
|
||||
|
||||
/* ---- wc_RsaPrivateDecryptInline_ex argument-check branches ---- */
|
||||
{
|
||||
|
||||
Reference in New Issue
Block a user