From: Dariusz Michaluk <d.michaluk@samsung.com>
Date: Thu, 8 May 2025 11:36:51 +0000 (+0200)
Subject: Adjust tests to openssl v3.5
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=refs%2Fheads%2Fyaca;p=platform%2Fcore%2Ftest%2Fsecurity-tests.git

Adjust tests to openssl v3.5

Since openssl v3.2, the RSA_private_decrypt() method used with PKCS#1 padding
doesn't return an error when it detects an error in padding,
instead it returns a pseudo-randomly generated message.
This is a fix for Bleichenbacher attack.

Change-Id: Ifc4a965f98eac908912c2bc34aff6801f766e93d
---

diff --git a/src/yaca/yaca-test-rsa.cpp b/src/yaca/yaca-test-rsa.cpp
index e9af5154..75013e2b 100644
--- a/src/yaca/yaca-test-rsa.cpp
+++ b/src/yaca/yaca-test-rsa.cpp
@@ -189,11 +189,17 @@ void test_rsa_padding(const KeyPair& kp, const PaddingInfo& pi, EncryptionType e
         /*
          * - YACA_PADDING_PKCS1 & YACA_PADDING_PKCS1_SSLV23 are equal
          * - YACA_PADDING_NONE checks only the input length
+         *
+         * Since openssl v3.2, the RSA_private_decrypt() method used with PKCS#1 padding
+         * doesn't return an error when it detects an error in padding,
+         * instead it returns a pseudo-randomly generated message.
+         *
          */
         expected = YACA_ERROR_INVALID_PARAMETER;
         if (p.padding == YACA_PADDING_NONE ||
             (p.padding == YACA_PADDING_PKCS1 && padding == YACA_PADDING_PKCS1_SSLV23) ||
-            (p.padding == YACA_PADDING_PKCS1_SSLV23 && padding == YACA_PADDING_PKCS1))
+            (p.padding == YACA_PADDING_PKCS1_SSLV23 && padding == YACA_PADDING_PKCS1) ||
+            p.padding == YACA_PADDING_PKCS1 || p.padding == YACA_PADDING_PKCS1_SSLV23)
             expected = YACA_ERROR_NONE;
 
         int ret = decrypt(p.padding, dec_key.get(),
@@ -210,8 +216,15 @@ void test_rsa_padding(const KeyPair& kp, const PaddingInfo& pi, EncryptionType e
      * Shortened ciphertext. During encryption without padding OpenSSL allows
      * input of length equal to the key length but during decryption it allows
      * also shorter input. Yaca API does the same.
+     *
+     * Since openssl v3.2, the RSA_private_decrypt() method used with PKCS#1 padding
+     * doesn't return an error when it detects an error in padding,
+     * instead it returns a pseudo-randomly generated message.
+     *
      */
-    if (padding != YACA_PADDING_NONE)
+    if (padding != YACA_PADDING_NONE &&
+        padding != YACA_PADDING_PKCS1 &&
+        padding != YACA_PADDING_PKCS1_SSLV23)
         YACA_INVALID_PARAM(decrypt(padding, dec_key.get(),
                                    ciphertext.get(), ciphertext_len - 1,
                                    &tmp, &plaintext_len));