From a79c7044dadde2f70e3733a3e99e75a4e55b039c Mon Sep 17 00:00:00 2001 From: Daniele Lacamera Date: Tue, 7 Jul 2026 16:09:23 +0200 Subject: [PATCH] tests: make RsaDecisionCoverage padding-mismatch check deterministic test_wc_RsaDecisionCoverage decrypted an OAEP-SHA256 cipher text as PKCS#1 v1.5 and asserted it must return < 0. That is flaky: v1.5 decrypt-unpadding of the random OAEP plaintext spuriously "succeeds" whenever byte[1] lands on 0x02 with a valid 0x00 separator after >=8 nonzero bytes -- a few-percent-per-run coin flip, and a fresh random key is generated each run. It surfaced as intermittent make-check failures (e.g. "result: 36 >= 0", "140 >= 0") on PR CI. Replace it with a deterministic padding-mismatch: decrypt the (no-label) OAEP cipher text as OAEP with a non-empty label. OAEP authenticates the label via lHash, so a label mismatch fails the integrity check every time, still exercising the padding-mismatch decision branch in rsa.c. Verified locally by looping test_wc_RsaDecisionCoverage 150x in an OAEP+SHA256 build: old assertion failed 2/150, new assertion 0/150. --- tests/api/test_rsa.c | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/tests/api/test_rsa.c b/tests/api/test_rsa.c index acfe49a49c..dcc4850bfc 100644 --- a/tests/api/test_rsa.c +++ b/tests/api/test_rsa.c @@ -1535,11 +1535,18 @@ int test_wc_RsaDecisionCoverage(void) ExpectIntEQ(wc_RsaPrivateDecrypt_ex(cipher, (word32)cipherOutLen, plain, cipherLen, NULL, WC_RSA_OAEP_PAD, WC_HASH_TYPE_SHA256, WC_MGF1SHA256, NULL, 0), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - /* Cipher text is OAEP-SHA256: decoding it as PKCS#1 v1.5 must fail and - * exercise the padding-mismatch decision branch in rsa.c. */ - ExpectIntLT(wc_RsaPrivateDecrypt_ex(cipher, (word32)cipherOutLen, plain, - cipherLen, &key, WC_RSA_PKCSV15_PAD, WC_HASH_TYPE_NONE, 0, NULL, 0), - 0); + /* Cipher text is OAEP-SHA256 with no label. Decrypting it as OAEP with a + * non-empty label makes the recovered lHash mismatch, so OAEP's integrity + * check fails *deterministically* and exercises the padding-mismatch + * decision branch in rsa.c. (Decoding it as PKCS#1 v1.5 was flaky: v1.5 + * unpadding of the random OAEP plaintext spuriously "succeeds" a few + * percent of the time when byte[1] lands on 0x02 with a valid separator.) */ + { + byte wrongLabel[5] = { 'w', 'r', 'o', 'n', 'g' }; + ExpectIntLT(wc_RsaPrivateDecrypt_ex(cipher, (word32)cipherOutLen, plain, + cipherLen, &key, WC_RSA_OAEP_PAD, WC_HASH_TYPE_SHA256, + WC_MGF1SHA256, wrongLabel, sizeof(wrongLabel)), 0); + } /* ---- wc_RsaPrivateDecryptInline_ex argument-check branches ---- */ {