From 3a48c7deb652f7bbefcaac5aa582d98ad3545a43 Mon Sep 17 00:00:00 2001 
From: Robert Relyea Date: Fri, 18 Dec 2020 09:24:50 -0800 Subject: [PATCH] Bug 1651411 New tlsfuzzer code can still detect timing issues in RSA operations. This patch defeats Bleichenbacher not by trying to hide the size of the decrypted text, but by hiding whether the decryption succeeded or failed. This is done by generating a fake returned text that's based on the key and the cipher text, so the fake data is always the same for the same key and cipher text. Both the length and the plain text are generated with a prf. Here's the proposed spec the patch codes to: 1. Use SHA-256 to hash the private exponent encoded as a big-endian integer to a string the same length as the public modulus. Keep this value secret. (this is just an optimisation so that the implementation doesn't have to serialise the key over and over again) 2. Check the length of input according to step one of https://tools.ietf.org/html/rfc8017#section-7.2.2 3. When provided with a ciphertext, use SHA-256 HMAC(key=hash_from_step1, text=ciphertext) to generate the key derivation key 4. Use SHA-256 HMAC with key derivation key as the key and a two-byte big-endian iterator concatenated with byte string "length" with the big-endian representation of 2048 (0x0800) as the bit length of the generated string. - Iterate this PRF 8 times to generate a 256 byte string 5. initialise the length of synthetic message to 0 6. split the PRF output into 2 byte strings, convert into big-endian integers, zero-out high-order bits so that they have the same bit length as the octet length of the maximum acceptable message size (k-11), select the last integer that is no larger than (k-11) or remain at 0 if no integer is smaller than (k-11); this selection needs to be performed using side-channel free operators 7.
Use SHA-256 HMAC with key derivation key as the key and a two-byte big-endian iterator concatenated with byte string "message" with the big-endian representation of k*8 - use this PRF to generate k bytes of output (right-truncate last HMAC call if the number of generated bytes is not a multiple of SHA-256 output size) 8. perform the RSA decryption as described in step 2 of section 7.2.2 of rfc8017 9. Verify the EM message padding as described in step 3 of section 7.2.2 of rfc8017, but instead of outputting "decryption error", return the last l bytes of the "message" PRF, when l is the selected synthetic message length using the "length" PRF, make this decision and copy using side-channel free operation
Differential Revision: https://phabricator.services.mozilla.com/D99843
---
.../testvectors/rsa_pkcs1_2048_test-vectors.h | 1270 ++++++++++++++++-
.../testvectors/rsa_pkcs1_3072_test-vectors.h | 1231 +++++++++++++++-
.../testvectors/rsa_pkcs1_4096_test-vectors.h | 527 +++++--
gtests/freebl_gtest/Makefile | 43 +
gtests/freebl_gtest/manifest.mn | 38 +
gtests/freebl_gtest/rsa_unittest.cc | 12 +-
gtests/manifest.mn | 1 +
gtests/pk11_gtest/pk11_rsaencrypt_unittest.cc | 9 +-
gtests/pk11_gtest/pk11_rsaoaep_unittest.cc | 32 +-
lib/freebl/alghmac.c | 72 +-
lib/freebl/alghmac.h | 6 +
lib/freebl/rsapkcs.c | 276 +++-
12 files changed, 3270 insertions(+), 247 deletions(-)
create mode 100644 gtests/freebl_gtest/Makefile
create mode 100644 gtests/freebl_gtest/manifest.mn
diff --git a/gtests/common/testvectors/rsa_pkcs1_2048_test-vectors.h b/gtests/common/testvectors/rsa_pkcs1_2048_test-vectors.h
index a375b943b9..3c93312f57 100644
--- a/gtests/common/testvectors/rsa_pkcs1_2048_test-vectors.h
+++ b/gtests/common/testvectors/rsa_pkcs1_2048_test-vectors.h
@@ -3444,6 +3444,216 @@ static const std::vector priv_key_32{ 0x8c, 0x71, 0x8b, 0xf9, 0x74, 0xf5, 0xb7, 0x3c, 0xcb, 0xd8, 0x08, 0xd1, 0x24, 0x8c, 0x8f, 0x5c, 0xae}; +/* 2048 bit key from Hubert's Bleichenbacher tests */ +static const std::vector priv_key_1b{ + 0x30, 0x82, 0x04, 0xbd, 0x02, 0x01, 0x01, 0x30, 0x0d, 0x06, 0x09, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82, + 0x04, 0xa7, 0x30, 0x82, 0x04, 0xa3, 0x02, 0x01, 0x00, 0x02, 0x82, 0x01, + 0x01, 0x00, 0xc8, 0xcc, 0x83, 0x97, 0x14, 0x09, 0x8d, 0xa5, 0x6c, 0xaa, + 0x23, 0x64, 0x0f, 0x93, 0xdc, 0x89, 0x97, 0xc1, 0x63, 0x72, 0x96, 0x8f, + 0xc1, 0xb0, 0xc6, 0xdf, 0x51, 0x13, 0xc1, 0xc9, 0x4e, 0x8b, 0x21, 0xe4, + 0x8a, 0xd2, 0x29, 0x7e, 0x65, 0x41, 0x90, 0x11, 0xb4, 0xe6, 0xd8, 0xf5, + 0xe7, 0x3b, 0x1b, 0x78, 0xb2, 0x57, 0x40, 0x03, 0x21, 0xd1, 0xef, 0x6b, + 0x60, 0x2d, 0x4e, 0xc8, 0xce, 0x8d, 0x14, 0x1c, 0x94, 0x90, 0x5e, 0xb4, + 0xad, 0x30, 0x66, 0x39, 0xa4, 0x92, 0x06, 0x53, 0x4b, 0x6e, 0x7f, 0x26, + 0x07, 0x42, 0x3e, 0x97, 0xdf, 0xfd, 0x13, 0x3c, 0x88, 0xd7, 0x21, 0x39, + 0x9d, 0xef, 0xbc, 0x7e, 0x96, 0xcc, 0xdc, 0xbd, 0x7f, 0x3a, 0xae, 0x1f, + 0xe8, 0x92, 0x71, 0x2b, 0xfb, 0x49, 0x29, 0x81, 0x7d, 0x51, 0x16, 0x66, + 0x44, 0x0a, 0x1f, 0xac, 0xb7, 0xa2, 0x08, 0xf5, 0xea, 0x16, 0x59, 0x10, + 0xad, 0xd8, 0xa3, 0xf2, 0xd4, 0x97, 0x20, 0x23, 0x60, 0xcc, 0xb6, 0x32, + 0x02, 0x4f, 0x0d, 0x07, 0x16, 0x9c, 0x19, 0x18, 0xf3, 0x16, 0xf7, 0x94, + 0xb1, 0x43, 0xae, 0xf5, 0x4e, 0xc8, 0x75, 0x22, 0xa4, 0xc0, 0x29, 0x78, + 0xf9, 0x68, 0x99, 0x80, 0xbf, 0xfb, 0xf6, 0x49, 0xc3, 0x07, 0xe8, 0x18, + 0x19, 0xbf, 0xf8, 0x84, 0x09, 0x63, 0x8d, 0x48, 0xbd, 0x94, 0xbe, 0x15, + 0x2b, 0x59, 0xff, 0x64, 0x9f, 0xa0, 0xbd, 0x62, 0x9d, 0x0f, 0xfa, 0x18, + 0x13, 0xc3, 0xab, 0xf4, 0xb5, 0x6b, 0xd3, 0xc2, 0xea, 0x54, 0x65, 0xdf, + 0xfa, 0x14, 0x58, 0x92, 0x92, 0xa9, 0xd8, 0xa2, 0x4a, 0xd2, 0x6b, 0xe7, + 0xee, 0x05, 0x10, 0x74, 0x1b, 0x63, 0x82, 0xd4, 0x3c, 0x83, 0xd5, 0xbf, + 0xa4, 0x0a, 0x46, 0x61, 0x3d, 0x06, 
0x2b, 0xe4, 0x45, 0x51, 0x7d, 0xbc, + 0xaf, 0x0c, 0xb4, 0xe1, 0xa7, 0x69, 0x02, 0x03, 0x01, 0x00, 0x01, 0x02, + 0x82, 0x01, 0x00, 0x14, 0x55, 0x01, 0x0e, 0x0f, 0x2d, 0x58, 0x76, 0x63, + 0xa6, 0x66, 0xa6, 0xff, 0x1c, 0xcd, 0xbb, 0xf0, 0xed, 0xd8, 0x10, 0x06, + 0x46, 0xd0, 0x2a, 0x02, 0x39, 0x22, 0x90, 0x89, 0x92, 0xc4, 0xad, 0x39, + 0xe5, 0x56, 0x59, 0x29, 0x72, 0x6e, 0xf6, 0x50, 0x8c, 0x3a, 0x71, 0x15, + 0x8e, 0xf0, 0xb6, 0xff, 0x75, 0x1d, 0x39, 0xd0, 0x75, 0x80, 0xbb, 0x2d, + 0x2f, 0x06, 0x32, 0x10, 0x44, 0x2d, 0x06, 0x03, 0xff, 0x50, 0xdb, 0xbd, + 0x7b, 0x35, 0xfe, 0x2c, 0x9b, 0xb1, 0x9a, 0x47, 0xa1, 0xaf, 0x85, 0xa4, + 0xc2, 0x49, 0x01, 0xe0, 0x2c, 0xa8, 0xb5, 0x8b, 0x79, 0x19, 0xb2, 0x0e, + 0xdf, 0x32, 0xaa, 0xcf, 0xbf, 0x51, 0xad, 0xb4, 0xbc, 0x4b, 0x61, 0xb9, + 0xb7, 0xe9, 0x68, 0xca, 0xa4, 0xd5, 0x70, 0xf7, 0x0e, 0xf1, 0x8d, 0x80, + 0x63, 0x22, 0x88, 0x93, 0xe4, 0x7d, 0x43, 0x9e, 0xfc, 0xa7, 0x93, 0x25, + 0x9b, 0xcf, 0x2c, 0xd1, 0x08, 0xa3, 0xd8, 0x68, 0x8c, 0xdf, 0x07, 0x8e, + 0x7a, 0xc7, 0x99, 0x96, 0x9f, 0x23, 0x39, 0xd2, 0xc1, 0xf5, 0x22, 0xb9, + 0x69, 0x68, 0x46, 0x29, 0xa9, 0x33, 0xba, 0xae, 0xc2, 0x68, 0x16, 0x25, + 0xea, 0xb8, 0x4f, 0x4e, 0x56, 0xf4, 0x44, 0x7e, 0x9d, 0x88, 0xfb, 0x9a, + 0x19, 0x9c, 0xf7, 0x10, 0x23, 0xe0, 0xe2, 0x57, 0xb1, 0x44, 0x41, 0xb3, + 0x3c, 0x84, 0xd3, 0xbc, 0x67, 0xca, 0x80, 0x31, 0xd2, 0x61, 0x26, 0x18, + 0x10, 0x3a, 0x7a, 0x0a, 0x40, 0x84, 0x42, 0x62, 0xf7, 0x5d, 0x88, 0x90, + 0xcd, 0x61, 0x6e, 0x51, 0xf9, 0x03, 0x54, 0x88, 0xfd, 0x6e, 0x09, 0x9d, + 0xe8, 0xff, 0x6d, 0x65, 0xa4, 0xff, 0x11, 0x82, 0x54, 0x80, 0x7c, 0x9f, + 0x58, 0xd2, 0xfb, 0xba, 0x8b, 0xa1, 0x51, 0xdc, 0x8c, 0x68, 0xbe, 0x34, + 0x9c, 0x97, 0x7a, 0x20, 0x4e, 0x04, 0xc1, 0x02, 0x81, 0x81, 0x00, 0xf8, + 0xf5, 0xad, 0x6b, 0xa8, 0x28, 0x93, 0x1b, 0xea, 0x45, 0x9b, 0x8a, 0x3f, + 0x6d, 0xc0, 0x41, 0xd2, 0x34, 0x82, 0x40, 0x9c, 0x25, 0x71, 0xe9, 0x63, + 0xf3, 0x1f, 0x74, 0x86, 0x02, 0xa2, 0x56, 0x37, 0x1b, 0x38, 0x83, 0xed, + 0x45, 0x9e, 0xcf, 0x97, 0x05, 0x26, 
0x45, 0x9e, 0xdd, 0x16, 0xe0, 0x55, + 0x22, 0xf5, 0xa4, 0x5d, 0x94, 0x75, 0x1b, 0x2e, 0xc2, 0xda, 0xf2, 0x72, + 0xc7, 0xf8, 0x81, 0x6a, 0x52, 0xc0, 0x0d, 0x18, 0x08, 0x01, 0x71, 0x63, + 0x4d, 0xa8, 0x99, 0xd7, 0x97, 0x32, 0x22, 0xf5, 0x1b, 0x93, 0x76, 0x30, + 0x54, 0x86, 0x96, 0xa9, 0xf7, 0xd8, 0xc2, 0x4a, 0x59, 0x49, 0x7c, 0x1e, + 0xfc, 0xd4, 0x55, 0xcf, 0xb9, 0x7e, 0xe8, 0x6d, 0x2b, 0x6d, 0x34, 0x97, + 0x2b, 0x33, 0x2f, 0xda, 0x30, 0x3f, 0x04, 0x99, 0x9b, 0x4e, 0xb6, 0xb5, + 0xcc, 0x0b, 0xb3, 0x3e, 0x77, 0x61, 0xdd, 0x02, 0x81, 0x81, 0x00, 0xce, + 0x7a, 0x2e, 0x3b, 0x49, 0xa9, 0x0b, 0x96, 0x33, 0x0a, 0x12, 0xdc, 0x68, + 0x2b, 0xdf, 0xbd, 0xfb, 0xae, 0x8d, 0xd6, 0xdc, 0x03, 0xb6, 0x14, 0x7a, + 0xef, 0xbd, 0x57, 0x57, 0x43, 0xf0, 0xf6, 0xda, 0x4d, 0x86, 0x23, 0x50, + 0x61, 0xb7, 0x1a, 0xfd, 0x9c, 0xad, 0x2d, 0x34, 0x02, 0x5e, 0x56, 0xac, + 0x86, 0xb0, 0xf7, 0x74, 0x3e, 0xb3, 0x5e, 0x1a, 0xcb, 0xca, 0x23, 0x78, + 0x95, 0x42, 0x44, 0x65, 0xb7, 0x06, 0xed, 0x22, 0x17, 0x5e, 0x57, 0x18, + 0xc8, 0xc7, 0x0b, 0x67, 0x03, 0xea, 0x8f, 0x6b, 0x51, 0x0f, 0x94, 0x5b, + 0xe4, 0x8e, 0x5a, 0x36, 0xbb, 0x3c, 0x3c, 0x91, 0x73, 0x2b, 0x58, 0x9d, + 0xfc, 0x05, 0xd7, 0x2d, 0x80, 0x90, 0x31, 0x94, 0x45, 0x2b, 0xda, 0x21, + 0x34, 0x86, 0x47, 0xec, 0x72, 0x94, 0x3f, 0x11, 0xa8, 0x46, 0xe6, 0x2f, + 0xae, 0xbe, 0x8e, 0xb5, 0x36, 0xb0, 0xfd, 0x02, 0x81, 0x80, 0x76, 0xfe, + 0x15, 0xf1, 0x8a, 0xe2, 0x39, 0xcd, 0xf1, 0xdf, 0x6b, 0x44, 0x5c, 0xa4, + 0xbc, 0x6b, 0xb9, 0x68, 0xd7, 0x88, 0xc2, 0x19, 0x33, 0xa4, 0xf5, 0xdc, + 0xd2, 0x80, 0x03, 0x3d, 0x67, 0x12, 0x06, 0x2c, 0xc0, 0x8a, 0x6d, 0xf2, + 0x04, 0xc1, 0xfb, 0xd0, 0xbe, 0x46, 0x30, 0x74, 0x43, 0xe6, 0xdd, 0x4a, + 0x64, 0x56, 0x37, 0x54, 0x29, 0xd4, 0xe0, 0x38, 0xca, 0x25, 0x6f, 0xaf, + 0x1c, 0x9b, 0xde, 0x91, 0xc6, 0xb1, 0x7b, 0x76, 0xf8, 0x19, 0x95, 0xf9, + 0x1c, 0x48, 0xcb, 0xbe, 0xbc, 0x7b, 0xf0, 0xe3, 0x49, 0x4c, 0x08, 0x35, + 0x9e, 0x4e, 0x8c, 0xd6, 0xa5, 0x87, 0xd7, 0xb9, 0x6d, 0x62, 0x21, 0xfd, + 0x7e, 0x0f, 0xb5, 0xc5, 0x57, 0x5f, 
0x08, 0x2e, 0xe5, 0x77, 0x69, 0x79, + 0x80, 0x71, 0xb2, 0xbb, 0xb4, 0xa3, 0x22, 0x38, 0x15, 0x1b, 0x47, 0x31, + 0x4b, 0xb6, 0x54, 0x79, 0x03, 0x11, 0x02, 0x81, 0x81, 0x00, 0x99, 0x88, + 0x48, 0xb0, 0x55, 0x49, 0x9a, 0x10, 0x09, 0xcb, 0xc7, 0xd2, 0x94, 0xb3, + 0x6b, 0x1f, 0xfd, 0xf2, 0x02, 0x0e, 0x6e, 0x73, 0x64, 0x05, 0x3e, 0x94, + 0xde, 0x1a, 0x00, 0x0d, 0xc9, 0x34, 0x05, 0x87, 0xf7, 0xe2, 0x72, 0x76, + 0xf6, 0x8c, 0xdf, 0x60, 0x8d, 0x75, 0x3b, 0x63, 0x37, 0x7b, 0x03, 0xb6, + 0xf4, 0x08, 0x4d, 0x2c, 0x02, 0x7c, 0x4b, 0x38, 0x96, 0x0a, 0x62, 0x33, + 0xba, 0x9e, 0xd9, 0x73, 0x8b, 0x76, 0xf1, 0x0e, 0xa7, 0x5b, 0xe4, 0x56, + 0x07, 0x8b, 0xf7, 0x01, 0xf6, 0x7c, 0xc6, 0xb3, 0xf3, 0xfd, 0xc1, 0x86, + 0xe6, 0x43, 0x36, 0xc7, 0x6b, 0x37, 0x2e, 0x80, 0x91, 0x0e, 0xc8, 0x0b, + 0x0a, 0xdc, 0xc2, 0x3d, 0x02, 0xfb, 0x9a, 0xe1, 0x04, 0x86, 0xa2, 0x82, + 0x48, 0x07, 0x5b, 0x4e, 0xa7, 0xe5, 0x6d, 0xdf, 0xcf, 0x38, 0x82, 0xe4, + 0x51, 0x56, 0x14, 0x71, 0xa2, 0x91, 0x02, 0x81, 0x80, 0x64, 0x3b, 0xf7, + 0x46, 0x42, 0x9f, 0x7d, 0x83, 0x66, 0x7a, 0x06, 0x53, 0x02, 0x13, 0x47, + 0xef, 0xbf, 0xc0, 0x5e, 0x63, 0x51, 0xf8, 0x21, 0xa9, 0xde, 0xbb, 0x60, + 0xe0, 0xec, 0xcd, 0xe5, 0x00, 0x5a, 0xd9, 0xe9, 0xec, 0x31, 0xe5, 0x58, + 0xf7, 0xe9, 0x2c, 0x29, 0x32, 0x8e, 0x74, 0x56, 0x9d, 0x7c, 0xef, 0x7c, + 0x74, 0xca, 0xbc, 0x2b, 0x35, 0x5e, 0xd4, 0x01, 0xa1, 0xa0, 0x91, 0x4b, + 0x4e, 0x3c, 0xbb, 0x06, 0x48, 0x4e, 0x58, 0x19, 0x60, 0x51, 0x16, 0x9e, + 0xd1, 0x4c, 0xaa, 0x2e, 0xfa, 0x6e, 0xa0, 0x44, 0xe0, 0x54, 0xd2, 0x61, + 0x44, 0xcc, 0x16, 0x29, 0xc5, 0x50, 0x10, 0x55, 0x8a, 0x04, 0xe1, 0x33, + 0xf4, 0x4b, 0x7c, 0x24, 0x4d, 0xac, 0x25, 0xbf, 0x91, 0x3c, 0x57, 0xb8, + 0x90, 0xee, 0x49, 0xf5, 0x48, 0x25, 0x9c, 0xd6, 0x34, 0x04, 0xfe, 0xf6, + 0x85, 0x9d, 0xcf, 0x97, 0x5a}; + +/* 2049 bit key from Hubert's Bleichenbacher tests */ +static const std::vector priv_key_2b{ + 0x30, 0x82, 0x04, 0xbf, 0x02, 0x01, 0x01, 0x30, 0x0d, 0x06, 0x09, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 
0x00, 0x04, 0x82, + 0x04, 0xa9, 0x30, 0x82, 0x04, 0xa5, 0x02, 0x01, 0x00, 0x02, 0x82, 0x01, + 0x01, 0x01, 0x55, 0xf8, 0x89, 0x55, 0x6a, 0x17, 0x75, 0xf1, 0xc7, 0xa7, + 0x78, 0x6a, 0x50, 0xb1, 0x8b, 0xc2, 0x8c, 0x9e, 0x98, 0x6e, 0xde, 0x56, + 0x67, 0xca, 0xb3, 0x9b, 0x84, 0x12, 0x4e, 0x90, 0xeb, 0xa7, 0x5c, 0x1d, + 0xb0, 0x83, 0xac, 0x3e, 0x44, 0x3b, 0xba, 0x94, 0xdc, 0x23, 0x56, 0x0f, + 0x75, 0xe3, 0xa8, 0x16, 0x93, 0xa2, 0xa4, 0x3b, 0xdc, 0x74, 0x26, 0xd8, + 0xc4, 0xea, 0xfe, 0x68, 0xc8, 0x5d, 0xe0, 0xfe, 0x75, 0x7f, 0x6e, 0x49, + 0xbb, 0x9e, 0xd4, 0x47, 0xe6, 0x02, 0x43, 0x08, 0x00, 0xdb, 0xb0, 0x4c, + 0xeb, 0x22, 0xe7, 0xfa, 0x57, 0xa1, 0x8d, 0x33, 0x8f, 0xb6, 0x60, 0x26, + 0xcd, 0xb4, 0x67, 0xe7, 0x0c, 0xc0, 0x40, 0xe7, 0xd3, 0x67, 0xef, 0x40, + 0x3c, 0x7b, 0xf1, 0xe3, 0xdf, 0x62, 0x46, 0x50, 0x09, 0x46, 0x31, 0xf2, + 0x1e, 0xaf, 0xd2, 0xfb, 0x5b, 0xc9, 0x15, 0xff, 0x04, 0x37, 0x9a, 0xcd, + 0x11, 0x12, 0xf7, 0x32, 0xc0, 0xb4, 0x66, 0x07, 0xc1, 0x78, 0xd3, 0x8a, + 0x20, 0xf5, 0x2e, 0xda, 0x50, 0x9f, 0x2f, 0x9c, 0x04, 0x05, 0xd5, 0x10, + 0x69, 0xe8, 0x0c, 0xcf, 0x94, 0x15, 0x54, 0xd0, 0x47, 0x04, 0x67, 0x50, + 0x5c, 0x3c, 0xf5, 0x41, 0xea, 0x08, 0x97, 0xdf, 0xc9, 0xf4, 0x00, 0xce, + 0xcb, 0x29, 0x8f, 0xfc, 0x75, 0x33, 0x72, 0xd9, 0xf6, 0x93, 0x3a, 0xf1, + 0x74, 0xcc, 0x40, 0xed, 0x96, 0xd4, 0x67, 0x03, 0x17, 0x33, 0xb9, 0x7f, + 0x8c, 0xdd, 0xd3, 0xf9, 0x2b, 0xc3, 0xa0, 0x3e, 0xa8, 0x57, 0x6c, 0x41, + 0x7f, 0x24, 0x00, 0x7b, 0x5e, 0x4f, 0x75, 0x01, 0x10, 0x5b, 0x54, 0x4d, + 0xe9, 0xfa, 0xdc, 0xdf, 0xfa, 0xdf, 0x98, 0xdf, 0xb4, 0xbb, 0x05, 0xb8, + 0x19, 0x9f, 0x3f, 0x85, 0xac, 0xfd, 0x91, 0xf7, 0xa9, 0xa0, 0x94, 0xb9, + 0xa3, 0x83, 0xf5, 0x04, 0x90, 0x97, 0x02, 0x03, 0x01, 0x00, 0x01, 0x02, + 0x82, 0x01, 0x01, 0x01, 0x19, 0xc2, 0xb3, 0xf5, 0x0a, 0x7a, 0xd6, 0x15, + 0x26, 0x79, 0xd7, 0xff, 0x51, 0x09, 0x58, 0xac, 0x2d, 0x8c, 0xa6, 0xf0, + 0x02, 0x85, 0x92, 0xf3, 0x32, 0xd5, 0x5a, 0x16, 0x73, 0x61, 0x78, 0xa8, + 0xe6, 0x7f, 0x17, 0xe7, 0x05, 0xce, 0x30, 0x0e, 0x3e, 
0x87, 0x54, 0x72, + 0x51, 0x00, 0x60, 0x13, 0xf9, 0x74, 0xd0, 0xa3, 0xdb, 0x49, 0xef, 0x34, + 0x4c, 0xa5, 0xa2, 0x6a, 0x34, 0xc0, 0x45, 0x07, 0x04, 0xd0, 0xe4, 0x22, + 0xe0, 0xce, 0x23, 0xa6, 0x94, 0x25, 0xc1, 0x5f, 0xef, 0xb6, 0xf2, 0x6e, + 0x10, 0x6e, 0xef, 0xf6, 0x4c, 0xc8, 0xb9, 0xd7, 0x44, 0x2e, 0x4d, 0xa4, + 0xe8, 0xc8, 0x50, 0x08, 0xea, 0xeb, 0x36, 0x58, 0x59, 0xa2, 0x29, 0x4f, + 0xa3, 0x93, 0x7b, 0xc2, 0x6b, 0xe5, 0x63, 0x32, 0xe7, 0xd8, 0x1e, 0x2c, + 0x16, 0x0e, 0xf6, 0x35, 0xcc, 0x52, 0x8a, 0xa7, 0xbe, 0x55, 0xe6, 0x33, + 0xa7, 0x23, 0xdb, 0xc1, 0xe1, 0x6b, 0xa2, 0x9e, 0x52, 0xb2, 0x9a, 0xef, + 0x2f, 0x9e, 0x56, 0x54, 0xfd, 0xc0, 0x66, 0x6b, 0xb0, 0xfc, 0x25, 0x4a, + 0xcb, 0xe8, 0x0e, 0x63, 0x87, 0x4f, 0x0f, 0x5f, 0x02, 0x07, 0x82, 0xe3, + 0xc9, 0xdc, 0xfc, 0x25, 0x20, 0xd0, 0xc9, 0xc4, 0xa7, 0xb6, 0x34, 0xe4, + 0x50, 0x3f, 0xbb, 0x49, 0x3e, 0x1a, 0xaf, 0xee, 0xb3, 0xf8, 0x8b, 0xd7, + 0xa1, 0x33, 0x98, 0x72, 0x5d, 0xae, 0x6f, 0xe3, 0x99, 0xe7, 0x75, 0xcd, + 0x5d, 0x4c, 0xf0, 0x9f, 0xc8, 0x38, 0x34, 0x7c, 0x4c, 0x98, 0xda, 0xb1, + 0xa4, 0x88, 0x3c, 0xce, 0x62, 0x05, 0x13, 0x61, 0x5a, 0xfa, 0xa1, 0x0a, + 0x63, 0x36, 0x8e, 0x6d, 0x7b, 0x79, 0xdf, 0x41, 0x66, 0xab, 0x16, 0x27, + 0x39, 0xef, 0x51, 0x5a, 0x44, 0x02, 0xee, 0x1e, 0x06, 0x01, 0xc5, 0xa5, + 0x5b, 0xc7, 0x1d, 0xf0, 0xe3, 0x0e, 0xdf, 0x81, 0x02, 0x81, 0x81, 0x01, + 0x88, 0xf6, 0x93, 0x60, 0xf0, 0x1e, 0x18, 0xd9, 0xa2, 0xde, 0x29, 0x52, + 0x53, 0xd2, 0x52, 0xc3, 0x1e, 0x44, 0x76, 0xce, 0xa5, 0xff, 0x7b, 0xf8, + 0x41, 0x3d, 0xf7, 0xfd, 0xe3, 0x56, 0x52, 0x3c, 0xdc, 0x97, 0x68, 0x05, + 0xf8, 0x4f, 0xc0, 0xdd, 0xec, 0x77, 0x0d, 0xf0, 0x6c, 0xed, 0x06, 0x5c, + 0x81, 0x13, 0x48, 0x75, 0x4b, 0x34, 0x6a, 0xf1, 0x69, 0x75, 0x68, 0x77, + 0xfd, 0x3b, 0x3d, 0x56, 0x86, 0x82, 0xc8, 0x78, 0x7d, 0x0b, 0x31, 0x4e, + 0xf6, 0xac, 0x67, 0xd6, 0x5e, 0x81, 0x33, 0x39, 0x8b, 0x62, 0xa0, 0x83, + 0xc0, 0xf8, 0x76, 0x5c, 0x5a, 0xd4, 0x0d, 0x5a, 0x81, 0xf9, 0xbb, 0xdc, + 0xe2, 0x52, 0x7e, 0xd7, 0xe9, 0x50, 0x08, 0xcb, 0x10, 
0x29, 0xcb, 0x4c, + 0xab, 0xd1, 0xf9, 0xe9, 0xbe, 0xdf, 0xc2, 0x86, 0xc9, 0x65, 0x52, 0x25, + 0x5d, 0xa7, 0xea, 0xb1, 0x92, 0x17, 0x8e, 0xf7, 0x02, 0x81, 0x81, 0x00, + 0xde, 0xc7, 0xcf, 0x11, 0xda, 0xde, 0x83, 0xa4, 0xc4, 0x3d, 0x2f, 0x80, + 0x19, 0x7f, 0x21, 0xfd, 0x5d, 0x46, 0xfd, 0x57, 0xb4, 0x31, 0xf4, 0x4f, + 0xe8, 0x1a, 0x1d, 0xe3, 0x7f, 0x6a, 0x09, 0x1f, 0xfc, 0x04, 0x64, 0xed, + 0x97, 0x1d, 0xc8, 0x50, 0x88, 0x35, 0xad, 0xe6, 0xcc, 0x5f, 0x56, 0x6f, + 0x39, 0x65, 0x61, 0x3a, 0x8b, 0x36, 0x79, 0x8c, 0x92, 0xe6, 0xe2, 0x3f, + 0x52, 0xef, 0x90, 0x7e, 0x95, 0x67, 0xe3, 0x41, 0xbe, 0xbc, 0x53, 0x37, + 0x18, 0x96, 0x25, 0xfb, 0xbe, 0xab, 0x1f, 0x3b, 0x7b, 0x3f, 0x92, 0xff, + 0xb2, 0x68, 0x1e, 0x6e, 0xf5, 0xa7, 0x84, 0xa8, 0xc2, 0xd7, 0x8f, 0x7c, + 0x2d, 0x89, 0xaa, 0xaa, 0x24, 0xd2, 0xce, 0xdb, 0xd0, 0x66, 0x81, 0xcf, + 0xe6, 0x5c, 0x36, 0xc7, 0xbf, 0xa3, 0xc5, 0xba, 0x13, 0x51, 0x62, 0x22, + 0x2e, 0xf5, 0xc2, 0xe9, 0x14, 0xc9, 0x83, 0x61, 0x02, 0x81, 0x80, 0x12, + 0x09, 0x3f, 0x3a, 0x73, 0xca, 0xed, 0xd9, 0x0f, 0x60, 0xa3, 0x04, 0xe4, + 0x54, 0x02, 0xf8, 0x71, 0xab, 0x32, 0xc8, 0xc9, 0x55, 0xb0, 0x9a, 0xf4, + 0x63, 0xa3, 0xbe, 0x43, 0x70, 0xf2, 0xd5, 0x58, 0x4a, 0x9a, 0xbb, 0xab, + 0x69, 0xfd, 0xb0, 0x31, 0xea, 0x44, 0xf9, 0x84, 0x06, 0x5d, 0x04, 0x61, + 0xe8, 0x40, 0xab, 0x21, 0x88, 0x86, 0x60, 0x0e, 0x37, 0x15, 0x54, 0x6c, + 0x8b, 0x0b, 0x85, 0xad, 0x26, 0xd3, 0x8c, 0xb4, 0x30, 0x8f, 0x52, 0xd0, + 0x7f, 0x99, 0x44, 0x7d, 0x91, 0xf0, 0x87, 0xf3, 0x9d, 0xd3, 0x40, 0x38, + 0xdb, 0x2e, 0x93, 0x8e, 0x97, 0xad, 0x05, 0x3a, 0x71, 0xfb, 0xed, 0x67, + 0x75, 0xe1, 0xdc, 0x87, 0x18, 0xe5, 0x4e, 0x6c, 0xaf, 0x7e, 0x65, 0x46, + 0x7d, 0x9c, 0xba, 0xdd, 0xc7, 0xe7, 0x65, 0xc8, 0x58, 0x9e, 0x2c, 0x98, + 0xdf, 0xdc, 0x25, 0xca, 0x4e, 0xca, 0x81, 0x02, 0x81, 0x81, 0x00, 0x8c, + 0xce, 0x61, 0x34, 0x79, 0xcf, 0x96, 0x08, 0xf7, 0xf7, 0x6c, 0x24, 0x5c, + 0xf9, 0x1b, 0xb4, 0x95, 0xd6, 0x1e, 0x9d, 0xe6, 0x48, 0x84, 0x90, 0x54, + 0xb4, 0xdd, 0x1b, 0x43, 0x16, 0xf3, 0xf9, 0x81, 0x42, 
0x0d, 0xc0, 0x95, + 0x78, 0xbf, 0x79, 0x16, 0xfe, 0x46, 0x91, 0xcf, 0xae, 0x9a, 0x64, 0xe6, + 0x34, 0x0b, 0x86, 0x03, 0x23, 0x45, 0x23, 0xf2, 0x5d, 0x77, 0xb6, 0x6a, + 0x66, 0xfc, 0x3e, 0xe5, 0x93, 0xa9, 0xf1, 0x8d, 0xea, 0x5d, 0xf6, 0x3e, + 0xd5, 0xf7, 0xdf, 0xeb, 0x9d, 0x20, 0xba, 0x69, 0xa5, 0xbe, 0xf5, 0x59, + 0xff, 0xb0, 0xec, 0x94, 0xdb, 0x72, 0x5f, 0x6f, 0xf6, 0xea, 0xbb, 0xa3, + 0xd4, 0x95, 0x47, 0xc0, 0xca, 0x74, 0xf0, 0x3e, 0x01, 0xec, 0x1e, 0x49, + 0x0d, 0x13, 0x9a, 0xa0, 0xa7, 0x94, 0x7b, 0x8d, 0x66, 0x2c, 0xce, 0x4a, + 0x3c, 0x0f, 0x1b, 0x5e, 0x86, 0x17, 0x41, 0x02, 0x81, 0x81, 0x00, 0xf9, + 0x95, 0x9b, 0x34, 0xc4, 0xbc, 0xa8, 0xce, 0x48, 0x88, 0x78, 0x1b, 0x31, + 0xb1, 0xe9, 0xb5, 0xd8, 0xad, 0xf5, 0xd0, 0xd3, 0xe3, 0xed, 0x54, 0x5e, + 0x83, 0x67, 0xd3, 0xf8, 0x54, 0x5b, 0xa6, 0x44, 0x32, 0xb8, 0x87, 0x30, + 0x35, 0xef, 0x88, 0x1c, 0x2b, 0xcd, 0xe0, 0x0d, 0x18, 0x09, 0xf9, 0x2c, + 0x40, 0xd8, 0x78, 0x37, 0xb5, 0xc4, 0xf9, 0xac, 0xf4, 0x8b, 0x36, 0xb8, + 0xdc, 0x53, 0xa5, 0x95, 0x61, 0xa4, 0x56, 0x52, 0x34, 0x02, 0xd1, 0xe8, + 0xfa, 0x3a, 0xf3, 0x00, 0xe5, 0x4c, 0x91, 0xb6, 0x3e, 0x6c, 0xee, 0x06, + 0xfe, 0x6d, 0xe6, 0x66, 0xf3, 0x92, 0x95, 0x82, 0xa0, 0x3e, 0x1f, 0x45, + 0x4e, 0x77, 0x89, 0xfb, 0x07, 0x81, 0xa4, 0xd6, 0xfb, 0xb5, 0x26, 0xef, + 0x88, 0x16, 0x21, 0xfd, 0x1e, 0xac, 0xd2, 0x14, 0x66, 0xe4, 0xcd, 0xd9, + 0x8a, 0xed, 0x10, 0xf4, 0xe7, 0x6f, 0x79}; + const RsaDecryptTestVector kRsa2048DecryptWycheproofVectors[] = { // Comment: 
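Review bot: The comments on `priv_key_1b` and `priv_key_2b` give no traceable provenance ("Hubert's Bleichenbacher tests") and do not say why a 2049-bit key is added to the 2048-bit vector file. The second key's modulus INTEGER is 257 bytes with a leading 0x01, so it presumably exists to exercise a modulus whose bit length is not a multiple of 8; that intent should be written next to the key. I would reword the comments along the lines of `/* Test-only 2048-bit key from Hubert's Bleichenbacher tests (see Bug 1651411); never use outside tests */` and `/* Test-only 2049-bit key (257-byte modulus): covers a non-byte-aligned modulus size */`. The names `priv_key_1b`/`priv_key_2b` also read like variants of the existing numbered keys; a name that carries the key size would make the vectors that reference them easier to audit.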
@@ -3704,7 +3914,18 @@ const RsaDecryptTestVector kRsa2048DecryptWycheproofVectors[] = { // Comment: ps is all 0 // tcID: 9 {9, - {0x54, 0x65, 0x73, 0x74}, + // This is a Bleichenbacher synthetic generated result + {0x97, 0x93, 0xdd, 0x1a, 0x05, 0x70, 0x7a, 0xcb, 0xba, 0xf4, 0x2f, 0x86, + 0xa7, 0xbe, 0x25, 0x73, 0xc9, 0xc3, 0x9f, 0xde, 0x4a, 0xc1, 0x82, 0x9d, + 0x9e, 0x14, 0x0e, 0x66, 0x62, 0x7e, 0xb9, 0xbc, 0x10, 0x41, 0x31, 0x85, + 0x0c, 0x5a, 0x02, 0xbd, 0x58, 0x38, 0xb4, 0xd6, 0x34, 0x47, 0x7e, 0x0f, + 0x05, 0xde, 0x98, 0x76, 0x88, 0x5e, 0xc7, 0xfd, 0x9c, 0x12, 0x0f, 0x4e, + 0xbe, 0x40, 0xc9, 0xc3, 0xe0, 0xee, 0x94, 0x6e, 0x47, 0xa2, 0xc2, 0x4c, + 0xa2, 0xd6, 0xc9, 0x7f, 0xc1, 0x70, 0x08, 0x90, 0xce, 0xb2, 0x84, 0xb4, + 0x37, 0x38, 0xdc, 0xb3, 0x8b, 0xa1, 0xff, 0xdd, 0xd1, 0xbb, 0x8c, 0xf1, + 0x02, 0x77, 0x3d, 0x3a, 0xc3, 0xe2, 0x3b, 0x41, 0x58, 0x9d, 0x59, 0x0b, + 0x38, 0x77, 0x43, 0xf7, 0xcf, 0x3b, 0xf2, 0x57, 0xc6, 0x69, 0xae, 0xa4, + 0xea, 0x92, 0x6e, 0x78, 0xe5, 0x95}, {0x6e, 0x0d, 0x50, 0x7f, 0x66, 0xe1, 0x6d, 0x4b, 0x73, 0x73, 0xa5, 0x04, 0xc6, 0xd4, 0x86, 0x92, 0xaa, 0xa5, 0x41, 0xfd, 0xd5, 0x9e, 0xeb, 0x5d, 0x4a, 0x2c, 0xd9, 0x1f, 0x60, 0x00, 0xce, 0x9b, 0x57, 0x34, 0xa2, 0x32, @@ -3728,7 +3949,7 @@ const RsaDecryptTestVector kRsa2048DecryptWycheproofVectors[] = { 0x60, 0x9a, 0xd4, 0x46, 0xde, 0x43, 0xeb, 0xed, 0x16, 0x33, 0x0a, 0xb0, 0x67, 0x16, 0xfa, 0x73}, priv_key_0, - false}, + true}, // Comment: ps is all 1 // tcID: 10 
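Review bot: The new expectation for tcID 9 turns a negative test into a positive one without recording that the ciphertext is still malformed: the plaintext becomes an opaque constant and the result flag flips from `false` to `true`, with only `// This is a Bleichenbacher synthetic generated result` as explanation. The comment should say that decryption is expected to succeed by design and to return the deterministic synthetic message for this key and ciphertext, and it should name how the constant was produced, for example `// Invalid padding (ps is all 0): implicit rejection returns this synthetic message; generated with <generator: TBD>`. If the constants were captured from this implementation rather than from an independent one, the vectors only pin current behaviour and would not catch a wrong PRF derivation. The same applies to the later hunks for tcID 12 through 21; note also that these vectors check output values only, so the constant-time property the commit is about still needs its own test.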
@@ -3791,7 +4012,27 @@ const RsaDecryptTestVector kRsa2048DecryptWycheproofVectors[] = { // Comment: byte 0 of ps is 0 // tcID: 12 {12, - {0x54, 0x65, 0x73, 0x74}, + // This is a Bleichenbacher synthetic generated result + {0x44, 0xe8, 0x82, 0x2f, 0x3a, 0x33, 0x61, 0x68, 0x34, 0xc3, 0x4a, 0x85, + 0x24, 0x74, 0x34, 0x57, 0x08, 0xc6, 0xd9, 0xa2, 0xe6, 0x65, 0xee, 0xe8, + 0xc9, 0x8d, 0xf4, 0x01, 0xb1, 0x7f, 0xb9, 0xfb, 0xbd, 0x2d, 0x34, 0x9e, + 0x76, 0x50, 0x5d, 0xb7, 0xb6, 0x14, 0x5c, 0x22, 0x39, 0x72, 0xc3, 0x82, + 0x0f, 0x6a, 0x3c, 0x68, 0xf0, 0xc9, 0xbd, 0x06, 0x17, 0xc2, 0x71, 0x3c, + 0xec, 0x22, 0x75, 0x79, 0x80, 0x85, 0x03, 0x36, 0x76, 0x90, 0x66, 0x80, + 0xd1, 0x51, 0x56, 0x88, 0x1e, 0xf2, 0xff, 0x43, 0x2e, 0xd9, 0xbe, 0x22, + 0xed, 0x92, 0xb8, 0xcf, 0xe7, 0xdd, 0x9f, 0xf0, 0x27, 0xc3, 0xf4, 0x49, + 0x6f, 0x36, 0x4c, 0x52, 0x2e, 0x04, 0x69, 0x9c, 0xe2, 0xb3, 0xe4, 0xbf, + 0x36, 0xc4, 0xbb, 0xc4, 0xa5, 0x2e, 0x77, 0xf9, 0xaa, 0x2a, 0x07, 0x2b, + 0x7e, 0x74, 0xaa, 0xd7, 0x08, 0xfd, 0x83, 0x82, 0x1c, 0x5f, 0xec, 0xd1, + 0x70, 0xe1, 0xeb, 0x2a, 0xb7, 0xfe, 0xd9, 0xdb, 0x8c, 0x2f, 0xec, 0xfc, + 0x8b, 0x5c, 0xc7, 0xf2, 0x12, 0x39, 0xb7, 0xde, 0x64, 0x68, 0x41, 0xd9, + 0xb2, 0x64, 0x8b, 0xd7, 0x14, 0x12, 0x86, 0xab, 0x57, 0x7b, 0xbd, 0x8d, + 0xd4, 0x13, 0x9f, 0x53, 0x3a, 0x8b, 0xb5, 0x6a, 0x61, 0x8e, 0x50, 0x61, + 0xc9, 0xfa, 0x9d, 0x87, 0xe2, 0x30, 0x1f, 0xa2, 0xe3, 0x81, 0xa2, 0x12, + 0x1a, 0x40, 0x5d, 0x5e, 0xb3, 0xee, 0x39, 0xc4, 0x0c, 0x39, 0xf2, 0xf7, + 0xfa, 0x41, 0xb9, 0x1f, 0x30, 0x5a, 0xe9, 0x7c, 0xab, 0x3e, 0x08, 0x42, + 0x0a, 0xa3, 0x48, 0x06, 0x6e, 0x23, 0xda, 0x48, 0xa0, 0xe1, 0x01, 0x3b, + 0x0e, 0x56}, {0x6a, 0x8b, 0x8c, 0x01, 0x24, 0x7d, 0x9d, 0x4d, 0x1c, 0x3b, 0xba, 0xac, 0x58, 0xe0, 0x77, 0xe3, 0x79, 0x26, 0x85, 0x4d, 0xc8, 0xbd, 0xb5, 0x8f, 0xb7, 0xb9, 0x89, 0x79, 0xba, 0x91, 0x02, 0x93, 0x44, 0x69, 0x83, 0x64, 
@@ -3815,12 +4056,21 @@ const RsaDecryptTestVector kRsa2048DecryptWycheproofVectors[] = { 0x62, 0xca, 0x20, 0xde, 0xe6, 0x20, 0xc0, 0xac, 0xef, 0x14, 0x75, 0xb3, 0x62, 0xee, 0x9b, 0x9f}, priv_key_0, - false}, + true}, // Comment: byte 1 of ps is 0 // tcID: 13 {13, - {0x54, 0x65, 0x73, 0x74}, + // This is a Bleichenbacher synthetic generated result + {0xd7, 0x51, 0x04, 0x03, 0x67, 0x28, 0x32, 0x1a, 0x06, 0xca, 0x69, 0xcf, + 0x3d, 0xc5, 0xce, 0x9e, 0xa1, 0x59, 0x81, 0x91, 0xb9, 0x7e, 0x86, 0x92, + 0xe9, 0x2a, 0x49, 0x93, 0x88, 0x17, 0x32, 0xd1, 0x08, 0xfe, 0xd2, 0x9d, + 0xa1, 0xfe, 0xf5, 0x4f, 0x57, 0x98, 0x6c, 0xca, 0xa8, 0x60, 0xbd, 0xd5, + 0xe5, 0xba, 0xd1, 0x61, 0x5b, 0xef, 0xea, 0x98, 0x95, 0x36, 0x24, 0x86, + 0xd3, 0xb5, 0xee, 0x12, 0xbb, 0x28, 0x02, 0xf2, 0xfc, 0x68, 0xfd, 0x93, + 0xf6, 0x5c, 0x13, 0x95, 0x7a, 0x14, 0xef, 0x6a, 0x65, 0xb8, 0x85, 0xad, + 0xef, 0x29, 0xf5, 0x92, 0x43, 0xed, 0xb2, 0x65, 0xc9, 0xfe, 0x25, 0x55, + 0x69, 0x35, 0x31, 0xab, 0xfb, 0x87, 0x11, 0x55}, {0x84, 0xc1, 0x49, 0xc3, 0x78, 0xf3, 0xf1, 0x2c, 0xe2, 0x02, 0xbb, 0x56, 0x14, 0x56, 0x25, 0x70, 0x57, 0x70, 0x91, 0x14, 0xec, 0xba, 0xa4, 0xc3, 0xa7, 0xdb, 0xfb, 0xcb, 0xfa, 0xf2, 0xfe, 0x9a, 0x19, 0xce, 0xba, 0xbd, @@ -3844,12 +4094,13 @@ const RsaDecryptTestVector kRsa2048DecryptWycheproofVectors[] = { 0xb9, 0x9d, 0xa1, 0xf6, 0xa7, 0xee, 0x0d, 0x93, 0x64, 0xef, 0x71, 0x1e, 0xda, 0x4f, 0x07, 0x93}, priv_key_0, - false}, + true}, // Comment: byte 7 of ps is 0 // tcID: 14 {14, - {0x54, 0x65, 0x73, 0x74}, + // This is a Bleichenbacher synthetic generated result + {0x56, 0xe4, 0x6b, 0xeb, 0x8b, 0x98, 0xc2}, {0x33, 0x07, 0x26, 0x4f, 0x64, 0xd4, 0xca, 0x8b, 0x62, 0xc4, 0xe7, 0xda, 0x4c, 0xac, 0x11, 0x72, 0x62, 0xe5, 0xd3, 0xa3, 0xdb, 0xc1, 0x9a, 0x52, 0x9a, 0xc5, 0x16, 0x7c, 0x19, 0x87, 0xbc, 0xe5, 0x6e, 0x35, 0x87, 0x26, 
@@ -3873,12 +4124,33 @@ const RsaDecryptTestVector kRsa2048DecryptWycheproofVectors[] = { 0x7a, 0x74, 0xc7, 0xca, 0x98, 0x76, 0xf0, 0x8f, 0xd6, 0x4d, 0x1d, 0x5f, 0x19, 0x67, 0x86, 0xbe}, priv_key_0, - false}, + true}, // Comment: ps truncated // tcID: 15 {15, - {0x54, 0x65, 0x73, 0x74}, + // This is a Bleichenbacher synthetic generated result + {0x7e, 0xb6, 0xd0, 0x76, 0xcb, 0x3e, 0x91, 0x1f, 0xd5, 0x11, 0x31, 0x3e, + 0xd6, 0xe8, 0x72, 0x76, 0x0f, 0x33, 0xbb, 0x38, 0xde, 0x69, 0xae, 0x29, + 0xe1, 0xdf, 0x90, 0x94, 0x0c, 0x7a, 0x39, 0x3c, 0x46, 0xb2, 0x05, 0xd0, + 0x54, 0xa9, 0xe8, 0x54, 0x5d, 0xa1, 0x46, 0x86, 0x48, 0xab, 0x9c, 0x64, + 0x4c, 0xb9, 0xb6, 0x14, 0x75, 0x91, 0x03, 0x4b, 0xb1, 0xd2, 0x78, 0xcf, + 0x8c, 0x13, 0xf2, 0x9d, 0xfd, 0x88, 0x7b, 0xf2, 0x08, 0x66, 0x31, 0xde, + 0x6b, 0xce, 0x5a, 0x3a, 0x90, 0x2e, 0xbc, 0xd0, 0x75, 0xcf, 0xfd, 0xac, + 0x7c, 0x64, 0xc2, 0x0d, 0x70, 0x78, 0x0a, 0xc7, 0xa0, 0x1e, 0x51, 0xec, + 0xa2, 0x54, 0x2b, 0x5e, 0xac, 0xd8, 0x7e, 0x62, 0x1c, 0x72, 0x84, 0x9d, + 0x8e, 0xff, 0x75, 0x18, 0x54, 0x5a, 0x71, 0xb0, 0x40, 0xe6, 0x31, 0xeb, + 0x53, 0x68, 0xd8, 0xa9, 0x12, 0xa3, 0x54, 0x20, 0xc2, 0x0e, 0xf2, 0x80, + 0x15, 0x8c, 0x62, 0x96, 0xaa, 0x49, 0xfd, 0x09, 0xf3, 0xa4, 0x86, 0x3d, + 0x71, 0x2a, 0xe7, 0x25, 0x14, 0x8b, 0xa0, 0x25, 0xae, 0x8f, 0xfa, 0x14, + 0x6a, 0x09, 0x37, 0xd4, 0x61, 0x43, 0x1e, 0x11, 0x5e, 0x39, 0xa7, 0xc7, + 0x4d, 0xd0, 0xf4, 0xfc, 0x48, 0xfe, 0x58, 0x8f, 0x6c, 0x18, 0x8b, 0x96, + 0x6a, 0x74, 0x36, 0x8c, 0x4d, 0xbb, 0x60, 0xe3, 0xf5, 0xcc, 0xd5, 0x30, + 0xe1, 0xb2, 0xc3, 0x84, 0x86, 0x66, 0xde, 0x4c, 0x22, 0x04, 0x69, 0x75, + 0x8a, 0xca, 0x95, 0xa9, 0xfe, 0xae, 0xcd, 0x28, 0xbc, 0x3e, 0xf6, 0x4d, + 0x1a, 0xbb, 0x88, 0x5d, 0x96, 0xc9, 0x99, 0x3b, 0xab, 0x60, 0x1d, 0x08, + 0x7e, 0xfb, 0xc6, 0xc8, 0x73, 0xc6, 0x54, 0x7e, 0x5a, 0x86, 0x61, 0x11, + 0x29, 0x75, 0x41, 0x25, 0x31}, {0x16, 0xd5, 0x6b, 0x7a, 0x9e, 0x67, 0x2e, 0x38, 0x70, 0x16, 0xe8, 0xb1, 0xc9, 0xcf, 0xf4, 0x74, 0xd5, 0x60, 0xfa, 0xa8, 0xca, 0x14, 0xa5, 
0x65, 0xfb, 0xa0, 0x86, 0x01, 0x5c, 0x5f, 0x9d, 0x53, 0xb2, 0x05, 0xc4, 0xcc, @@ -3902,12 +4174,22 @@ const RsaDecryptTestVector kRsa2048DecryptWycheproofVectors[] = { 0x7f, 0x01, 0xc7, 0x94, 0x0e, 0xc6, 0x27, 0x58, 0x00, 0x6a, 0x65, 0x28, 0x71, 0xd7, 0x2b, 0x75}, priv_key_0, - false}, + true}, // Comment: ps missing // tcID: 16 {16, - {0x54, 0x65, 0x73, 0x74}, + // This is a Bleichenbacher synthetic generated result + {0xbb, 0x17, 0x37, 0xae, 0x4e, 0xdd, 0x4e, 0x87, 0xc3, 0x61, 0x4f, 0x62, + 0xd7, 0x09, 0xcf, 0x27, 0xc4, 0x45, 0xc6, 0xfc, 0x1c, 0x00, 0x8f, 0x8c, + 0xab, 0xc5, 0x52, 0xdf, 0x0b, 0x5c, 0xac, 0x1a, 0xe8, 0x9a, 0x68, 0xe1, + 0xa7, 0xfc, 0xae, 0xe2, 0x48, 0xfe, 0xc5, 0x0c, 0x8e, 0x16, 0x4b, 0x86, + 0x7c, 0x0d, 0xe4, 0xda, 0x2c, 0x40, 0xf1, 0x80, 0xe0, 0x75, 0xb9, 0xb2, + 0x5b, 0x45, 0x56, 0x45, 0x10, 0x00, 0x0c, 0xb7, 0xda, 0x28, 0x96, 0xdf, + 0xc0, 0xb3, 0x54, 0x91, 0xa5, 0x1d, 0xb2, 0x34, 0xc0, 0x1e, 0xdd, 0xa0, + 0xec, 0xb3, 0x00, 0x69, 0x4c, 0xec, 0xdb, 0xa7, 0xb6, 0x4c, 0x9f, 0x8a, + 0xc4, 0xb1, 0x4b, 0xaa, 0x32, 0x7a, 0xa5, 0x42, 0xd2, 0x20, 0x45, 0xec, + 0x61, 0xcc, 0x0c, 0x01, 0xa3, 0xd4, 0xa5, 0x97, 0x04, 0x46}, {0x25, 0xf6, 0x7b, 0xc6, 0xc1, 0x32, 0x0a, 0x13, 0xfa, 0x91, 0xa2, 0x3d, 0x4d, 0x18, 0x01, 0xcc, 0x73, 0x59, 0x41, 0x61, 0xa7, 0xf3, 0x44, 0xff, 0xa1, 0x95, 0xd6, 0xdd, 0x18, 0x94, 0xc1, 0xe3, 0x9d, 0x6c, 0xd8, 0x18, 
@@ -3931,12 +4213,22 @@ const RsaDecryptTestVector kRsa2048DecryptWycheproofVectors[] = { 0xc2, 0xb9, 0x2e, 0x64, 0xdd, 0xa8, 0xe7, 0x39, 0x97, 0x19, 0xa1, 0x3b, 0x81, 0x82, 0xc7, 0x39}, priv_key_0, - false}, + true}, // Comment: Block type = 0 // tcID: 17 {17, - {0x54, 0x65, 0x73, 0x74}, + // This is a Bleichenbacher synthetic generated result + {0x0f, 0xa1, 0x46, 0x17, 0x1e, 0xdc, 0xaa, 0xd5, 0x8d, 0xce, 0x5c, 0x6b, + 0x76, 0x4b, 0x93, 0xbd, 0x87, 0xf7, 0x48, 0x0b, 0xd1, 0x41, 0x07, 0xde, + 0xda, 0x64, 0x35, 0x80, 0xfa, 0x8f, 0x6d, 0xa0, 0x56, 0x34, 0xc3, 0x0f, + 0x4a, 0x4c, 0x5d, 0x7b, 0xdb, 0x25, 0x0d, 0x19, 0xc3, 0x3b, 0xe4, 0x7c, + 0x77, 0xaf, 0x6e, 0x53, 0xe2, 0xd9, 0x4e, 0xd5, 0x15, 0x94, 0x4f, 0xe1, + 0x94, 0x43, 0x7e, 0xf1, 0x3f, 0x0d, 0x8f, 0x0e, 0x34, 0x5c, 0xd0, 0x43, + 0xe2, 0x86, 0x17, 0x54, 0x9f, 0xce, 0x19, 0x7a, 0x54, 0xef, 0x1b, 0xb9, + 0x1d, 0x2d, 0x6f, 0xda, 0x3d, 0x4b, 0x9b, 0xa9, 0x9e, 0x24, 0xbd, 0x8c, + 0x66, 0x7b, 0xc8, 0x5f, 0xb2, 0xb3, 0x5c, 0xd3, 0xd2, 0xe8, 0xcc, 0x6f, + 0x66, 0x6c, 0xb5}, {0x37, 0x1e, 0x28, 0x17, 0x30, 0xbb, 0xc2, 0x89, 0xcd, 0x77, 0xa6, 0x4a, 0xb4, 0x9b, 0x37, 0x0e, 0xd7, 0x90, 0x0c, 0x48, 0xf5, 0x62, 0x56, 0x15, 0xff, 0x28, 0xbe, 0xee, 0xea, 0xbc, 0x86, 0x0b, 0x46, 0x73, 0xab, 0x16, 
@@ -3960,12 +4252,32 @@ const RsaDecryptTestVector kRsa2048DecryptWycheproofVectors[] = { 0x50, 0x08, 0xc2, 0xd9, 0x10, 0x0e, 0xd0, 0x8c, 0xaa, 0x88, 0xbd, 0xc1, 0x1a, 0xea, 0x04, 0xdf}, priv_key_0, - false}, + true}, // Comment: Block type = 1 // tcID: 18 {18, - {0x54, 0x65, 0x73, 0x74}, + // This is a Bleichenbacher synthetic generated result + {0xa1, 0x3b, 0x3a, 0x52, 0x0f, 0xbf, 0xeb, 0xff, 0x1b, 0x23, 0x4f, 0xb5, + 0x11, 0xe3, 0x02, 0xf0, 0x33, 0x36, 0xc1, 0x14, 0x8f, 0x87, 0x3d, 0xd4, + 0x98, 0x64, 0x90, 0x3b, 0x6e, 0x6c, 0xc5, 0xba, 0x66, 0x1c, 0x27, 0x59, + 0x31, 0x9a, 0xc3, 0x88, 0xe0, 0x58, 0xaf, 0xf6, 0xef, 0x85, 0xd9, 0x75, + 0xdd, 0x49, 0xe7, 0x14, 0x6f, 0xa4, 0xea, 0xa8, 0x81, 0xe7, 0x81, 0x5e, + 0x22, 0xf0, 0xa8, 0x16, 0x30, 0x0b, 0xbb, 0x87, 0xd7, 0x9d, 0x52, 0x68, + 0x3e, 0xe2, 0xb9, 0x5a, 0x37, 0xfe, 0x27, 0xd6, 0xce, 0x7e, 0x74, 0x52, + 0x2e, 0x9d, 0x0d, 0x87, 0x8a, 0x2a, 0xed, 0xc0, 0xeb, 0xc2, 0x8d, 0xba, + 0xf0, 0x73, 0xbe, 0x91, 0x0a, 0x3b, 0xc9, 0x7b, 0x87, 0x2c, 0x6e, 0x38, + 0x35, 0x66, 0x47, 0x65, 0x9c, 0x50, 0x72, 0xcb, 0xc1, 0xaf, 0xa1, 0x1e, + 0x69, 0xab, 0x24, 0xd6, 0x9a, 0x95, 0x40, 0x49, 0xca, 0x7b, 0x48, 0x9b, + 0xe9, 0xb2, 0xc6, 0x4b, 0x66, 0xf9, 0x97, 0x84, 0xba, 0x57, 0xf4, 0x55, + 0x5e, 0x2c, 0x55, 0x1a, 0xe8, 0xc9, 0xb2, 0x6b, 0x1c, 0x25, 0x20, 0x63, + 0x61, 0x40, 0xa8, 0xb4, 0x76, 0xc3, 0x85, 0xaf, 0x07, 0x40, 0xd0, 0xf8, + 0x9c, 0x86, 0xd4, 0xde, 0x25, 0x51, 0x61, 0x31, 0xcb, 0xc9, 0x42, 0x7f, + 0xcd, 0xcf, 0x6c, 0x30, 0xc5, 0x10, 0xc3, 0xf4, 0x3f, 0x9b, 0xfe, 0x27, + 0x10, 0xda, 0xf2, 0x74, 0x70, 0xce, 0xf9, 0x87, 0x95, 0x4c, 0x14, 0xc9, + 0x42, 0x37, 0x6d, 0x0e, 0x95, 0x4d, 0x86, 0xf3, 0xa1, 0x54, 0x32, 0x94, + 0xc8, 0xf6, 0x3a, 0xa1, 0xa9, 0xc9, 0x44, 0x01, 0x17, 0x92, 0xea, 0x81, + 0x4a, 0xa6}, {0x92, 0x21, 0x0e, 0x5b, 0xbf, 0x24, 0xd2, 0xcd, 0x95, 0x27, 0xf6, 0xe2, 0x4f, 0xfa, 0xfa, 0xfd, 0xfe, 0xe2, 0x42, 0xb1, 0x46, 0x53, 0x9f, 0x37, 0x31, 0x71, 0x5f, 0xff, 0x42, 0x09, 0x2c, 0xc8, 0xf5, 0xa1, 0xa4, 0x91, 
@@ -3989,12 +4301,22 @@ const RsaDecryptTestVector kRsa2048DecryptWycheproofVectors[] = { 0x6b, 0x1a, 0xcc, 0x67, 0xa5, 0x6e, 0xc3, 0x79, 0xbb, 0xa0, 0x3a, 0x8b, 0xe9, 0x1d, 0xc0, 0xcd}, priv_key_0, - false}, + true}, // Comment: Block type = 0xff // tcID: 19 {19, - {0x54, 0x65, 0x73, 0x74}, + // This is a Bleichenbacher synthetic generated result + {0x60, 0x05, 0x55, 0x0d, 0x8e, 0xad, 0x7e, 0x73, 0xb0, 0x47, 0x8a, 0xa3, + 0xd8, 0x5e, 0x4b, 0xa0, 0xa4, 0x9c, 0x24, 0x62, 0x5a, 0x37, 0xf5, 0x91, + 0x16, 0x3a, 0x93, 0x40, 0x91, 0x9c, 0x85, 0x45, 0xf7, 0xa5, 0xf1, 0x6a, + 0xd6, 0xda, 0x70, 0x6b, 0x4d, 0x58, 0x81, 0x93, 0xac, 0xfb, 0x28, 0xc7, + 0x48, 0x03, 0xea, 0x9c, 0xb7, 0xce, 0x93, 0xe5, 0xf6, 0x8c, 0x14, 0x72, + 0x27, 0x9c, 0xe7, 0x32, 0xea, 0x8a, 0xea, 0x7d, 0x10, 0xd0, 0xcb, 0x24, + 0xab, 0x36, 0x02, 0x11, 0xe5, 0xcf, 0x7d, 0xcb, 0xc0, 0xec, 0x04, 0xe8, + 0xef, 0xe8, 0x04, 0x19, 0x39, 0x32, 0x07, 0x70, 0x3c, 0x19, 0xcd, 0x21, + 0x19, 0x15, 0x95, 0x86, 0xdd, 0xcb, 0xf2, 0xa5, 0x79, 0x2d, 0xe4, 0xa2, + 0x9b, 0x07, 0xab, 0x7a, 0x6c, 0x1c, 0x65, 0x0a}, {0x6d, 0xbc, 0x27, 0xd3, 0x33, 0x71, 0xf8, 0xcb, 0x3c, 0x3a, 0x54, 0x18, 0x5a, 0x68, 0x7a, 0x66, 0xee, 0xa8, 0x11, 0x4f, 0x26, 0xcd, 0x23, 0x46, 0x17, 0xb2, 0xf5, 0x67, 0xd6, 0x01, 0x3e, 0x22, 0x2f, 0x33, 0xd7, 0xfe, 
@@ -4018,12 +4340,27 @@ const RsaDecryptTestVector kRsa2048DecryptWycheproofVectors[] = { 0xc1, 0xbb, 0x25, 0x28, 0x6d, 0x9c, 0xe2, 0x02, 0x17, 0x6f, 0x39, 0x5e, 0x29, 0xf9, 0x21, 0x36}, priv_key_0, - false}, + true}, // Comment: First byte is not zero // tcID: 20 {20, - {0x54, 0x65, 0x73, 0x74}, + // This is a Bleichenbacher synthetic generated result + {0xee, 0xdb, 0x97, 0x9a, 0x9d, 0x20, 0xb0, 0x25, 0x90, 0xb9, 0x29, 0xc8, + 0x30, 0x40, 0x9d, 0x54, 0x55, 0xf7, 0xf0, 0x8d, 0x90, 0x99, 0x38, 0x2b, + 0x29, 0x46, 0x3e, 0x26, 0x48, 0x59, 0x1a, 0xc5, 0x12, 0x0e, 0x83, 0x1f, + 0x64, 0x61, 0x62, 0x04, 0x2c, 0x5c, 0x40, 0x7d, 0x49, 0x04, 0x47, 0xb4, + 0xfe, 0x90, 0x75, 0x13, 0x81, 0x22, 0x07, 0x3b, 0xe1, 0x2d, 0x33, 0x1f, + 0xa1, 0x46, 0x3a, 0x7a, 0x5a, 0x60, 0x03, 0x9a, 0x8e, 0x44, 0x93, 0x30, + 0x20, 0xc3, 0x33, 0x15, 0x69, 0x96, 0x57, 0xe8, 0x00, 0x18, 0x45, 0xd1, + 0x54, 0x41, 0x72, 0xc5, 0xde, 0x76, 0x79, 0xcf, 0x56, 0x26, 0x76, 0x49, + 0xc0, 0xa6, 0xa0, 0x1b, 0x9b, 0xc1, 0x69, 0x4e, 0x47, 0x95, 0x16, 0x17, + 0x70, 0x1d, 0xdc, 0x27, 0x04, 0x9d, 0x00, 0x14, 0x66, 0x36, 0xdd, 0xc2, + 0xe8, 0x72, 0xb7, 0x10, 0xb3, 0x6f, 0x02, 0x2f, 0x87, 0x4c, 0xd4, 0x76, + 0xc8, 0x42, 0x3b, 0x67, 0x86, 0xd4, 0x6e, 0xdf, 0xb2, 0xc2, 0xcc, 0x61, + 0xdd, 0xff, 0x93, 0xd6, 0x5f, 0xd6, 0xe8, 0xb9, 0x5c, 0xe9, 0xf4, 0x81, + 0x90, 0x20, 0xa9, 0xa2, 0xed, 0x3c, 0x9a, 0xc3, 0x49, 0x6c, 0x7a, 0xe8, + 0x2d, 0xdd, 0xb7, 0xf7, 0xbd, 0xc8}, {0x79, 0x4a, 0xb7, 0x24, 0xae, 0xb1, 0x76, 0xc4, 0x41, 0x5a, 0x59, 0x7e, 0x9d, 0x69, 0xcb, 0x56, 0x7c, 0xec, 0xe4, 0x47, 0x9e, 0x6e, 0x4c, 0x9c, 0x19, 0x53, 0x0b, 0x08, 0x77, 0xb5, 0x37, 0x19, 0xd7, 0xf6, 0x31, 0x8b, 
@@ -4047,12 +4384,31 @@ const RsaDecryptTestVector kRsa2048DecryptWycheproofVectors[] = { 0xd0, 0x36, 0x06, 0xe6, 0xf7, 0x5c, 0xb5, 0x85, 0x44, 0x43, 0xea, 0xa3, 0x63, 0x61, 0x41, 0x16}, priv_key_0, - false}, + true}, // Comment: First byte is not zero // tcID: 21 {21, - {0x54, 0x65, 0x73, 0x74}, + // This is a Bleichenbacher synthetic generated result + {0x0e, 0x16, 0xc7, 0x0b, 0x13, 0x1b, 0xc2, 0x77, 0x6b, 0xf7, 0xcd, 0xdd, + 0xa5, 0xce, 0x15, 0x45, 0x10, 0xd1, 0xe9, 0x0c, 0x65, 0x07, 0x20, 0x1e, + 0x69, 0x4a, 0x96, 0xff, 0x8d, 0x78, 0x30, 0xf9, 0x47, 0x73, 0x4b, 0x0d, + 0x6e, 0x7b, 0xe7, 0x15, 0x2e, 0xf0, 0x25, 0xbd, 0x40, 0x83, 0x18, 0xa1, + 0x20, 0x97, 0x55, 0x68, 0x0f, 0x54, 0x28, 0x48, 0x69, 0x19, 0xb0, 0xf8, + 0x52, 0xb7, 0xc9, 0x0d, 0x3a, 0xe7, 0x92, 0x31, 0x97, 0xfc, 0x1b, 0x3f, + 0xc7, 0x5f, 0x0f, 0x78, 0xf9, 0xd2, 0x80, 0x2b, 0x32, 0x57, 0xbe, 0x5c, + 0x09, 0x5c, 0xb3, 0x31, 0x7e, 0x9f, 0xe6, 0xc1, 0xf1, 0xa9, 0x1a, 0xa2, + 0x6d, 0x01, 0x7c, 0x8e, 0x58, 0x24, 0x5f, 0x68, 0x25, 0xfa, 0xf7, 0xa8, + 0x97, 0x8e, 0x9c, 0x2b, 0xc4, 0x39, 0x00, 0x7c, 0xa8, 0x44, 0xcb, 0xde, + 0x93, 0x8a, 0x23, 0xf5, 0xdc, 0xc8, 0xa6, 0x6e, 0x67, 0xb3, 0x89, 0xd2, + 0xed, 0xb7, 0x06, 0x01, 0xe7, 0x4e, 0x57, 0x83, 0x1f, 0x9b, 0x36, 0x2d, + 0xff, 0x2b, 0x31, 0x22, 0xdb, 0x72, 0xda, 0x75, 0x4a, 0x14, 0xc5, 0xca, + 0xa9, 0x13, 0xe9, 0x29, 0x56, 0x28, 0x16, 0xc6, 0xb3, 0x24, 0x69, 0x5f, + 0x1c, 0xef, 0x9a, 0x6d, 0xc9, 0x1d, 0xff, 0x58, 0xb3, 0xa5, 0xd9, 0xea, + 0xfb, 0x72, 0xb5, 0xd5, 0x91, 0x17, 0xcd, 0x21, 0x48, 0x67, 0xd4, 0xf4, + 0x70, 0xfd, 0xdf, 0xc5, 0x66, 0xf5, 0x84, 0x19, 0x3d, 0x38, 0xb8, 0xcc, + 0xc1, 0xb6, 0x03, 0xc1, 0x34, 0xf3, 0xd6, 0xdd, 0xd8, 0x1f, 0x87, 0xab, + 0x3a, 0x69, 0x4c, 0x9a, 0x3a, 0xee, 0xc3, 0xe6, 0x90}, {0x8c, 0x7b, 0x80, 0x18, 0x88, 0x18, 0xf6, 0x3e, 0x6a, 0x01, 0x10, 0xcf, 0x94, 0xa1, 0x69, 0xc7, 0x8a, 0x0d, 0xb7, 0x59, 0x17, 0xca, 0xaf, 0x47, 0x40, 0x5e, 0x83, 0x84, 0xb7, 0x9a, 0x8f, 0x40, 0xde, 0x94, 0xf2, 0x8f, 
@@ -4076,12 +4432,31 @@ const RsaDecryptTestVector kRsa2048DecryptWycheproofVectors[] = { 0x73, 0x75, 0x99, 0x8e, 0x5a, 0x03, 0xaf, 0x0e, 0xc8, 0xaa, 0x92, 0x27, 0x6b, 0xd5, 0x1b, 0x21}, priv_key_0, - false}, + true}, // Comment: signature padding // tcID: 22 {22, - {0x54, 0x65, 0x73, 0x74}, + // This is a Bleichenbacher synthetic generated result + {0x72, 0x01, 0x1d, 0x4c, 0xc4, 0xf8, 0x00, 0x09, 0x58, 0x28, 0x9a, 0xb8, + 0x48, 0x47, 0x86, 0xe5, 0x6a, 0xb9, 0x12, 0xc7, 0x79, 0x3a, 0x06, 0x5a, + 0x76, 0x75, 0xfa, 0x09, 0xf2, 0x65, 0x06, 0x2b, 0x04, 0x2a, 0x87, 0x3c, + 0xe1, 0x5b, 0x08, 0xb5, 0xc2, 0x2d, 0xe8, 0x64, 0x1d, 0xac, 0xde, 0xfd, + 0x89, 0x0a, 0xcd, 0x09, 0x61, 0xd8, 0xab, 0x2a, 0xf0, 0xc7, 0x4e, 0xfb, + 0xed, 0xc5, 0xa0, 0xf5, 0xa3, 0xfe, 0xba, 0xb1, 0x71, 0x29, 0x65, 0xbb, + 0x5d, 0x83, 0x5a, 0x51, 0x5f, 0xb0, 0x1b, 0xa1, 0x09, 0x77, 0x5f, 0x69, + 0x1b, 0x71, 0x96, 0x1e, 0xb9, 0xac, 0x46, 0x56, 0x5c, 0xc8, 0xa0, 0x59, + 0x08, 0x1f, 0x17, 0x7e, 0x19, 0x67, 0xf9, 0xe0, 0x09, 0x87, 0x82, 0x23, + 0xb0, 0x79, 0x50, 0xd5, 0xfb, 0xbd, 0xa7, 0x5a, 0x85, 0x53, 0x0a, 0xb6, + 0x93, 0x68, 0xc1, 0x9f, 0xab, 0x1c, 0x6f, 0xe9, 0xd2, 0x9f, 0x76, 0x03, + 0x5b, 0xca, 0x30, 0x86, 0x9c, 0x8b, 0xa1, 0x7f, 0xa8, 0xf0, 0xa7, 0x9b, + 0x3c, 0xbf, 0x5f, 0x78, 0xf3, 0x26, 0xed, 0xf5, 0x7a, 0xe7, 0x06, 0x07, + 0xf4, 0xce, 0x34, 0xcd, 0xbe, 0x63, 0x09, 0x36, 0x25, 0x0b, 0x5b, 0x58, + 0x69, 0xc1, 0xe9, 0x47, 0x8c, 0x0a, 0x6c, 0xde, 0xa5, 0x78, 0x9d, 0x65, + 0x71, 0xb1, 0xed, 0x9b, 0x11, 0x5b, 0xeb, 0x4a, 0xa4, 0xb6, 0xdc, 0x18, + 0x56, 0xdf, 0xd1, 0xbc, 0xa1, 0xec, 0xac, 0xcd, 0x27, 0x0f, 0x4a, 0x73, + 0xca, 0x35, 0xf4, 0x1a, 0x85, 0x4d, 0x5e, 0xa0, 0xaf, 0xe1, 0xe6, 0x73, + 0x19, 0x3a, 0xed, 0x83, 0xca, 0x08, 0xf1, 0x86, 0x5a, 0x36, 0x31, 0x03}, {0x34, 0xbc, 0x8b, 0x1a, 0x46, 0x46, 0xf2, 0xdb, 0x8b, 0x10, 0xfd, 0xae, 0x22, 0xd6, 0xb5, 0xcb, 0x30, 0x02, 0x29, 0x11, 0x40, 0x15, 0xf2, 0x52, 0x93, 0xd4, 0xb2, 0x8e, 0x8f, 0x58, 0x78, 0x3e, 0x1c, 0x5e, 0x68, 0x94, 
@@ -4105,12 +4480,26 @@ const RsaDecryptTestVector kRsa2048DecryptWycheproofVectors[] = { 0x6e, 0xdb, 0x96, 0x85, 0x2a, 0x32, 0xc9, 0x63, 0x2c, 0x2e, 0x6e, 0x4b, 0x9a, 0x6f, 0x88, 0x1e}, priv_key_0, - false}, + true}, // Comment: no zero after padding // tcID: 23 {23, - {0x54, 0x65, 0x73, 0x74}, + // This is a Bleichenbacher synthetic generated result + {0x23, 0x12, 0x21, 0x07, 0xd3, 0x02, 0x52, 0xeb, 0x4c, 0x82, 0x74, 0xaa, + 0x02, 0x95, 0x99, 0xeb, 0xbc, 0x20, 0x32, 0xe7, 0x9b, 0xc1, 0x56, 0xf7, + 0x45, 0xfc, 0xd4, 0xb7, 0xaa, 0x67, 0x6f, 0x54, 0xf2, 0x09, 0x36, 0xed, + 0xf5, 0x27, 0xc1, 0xc3, 0xf9, 0x98, 0xad, 0x15, 0x2f, 0xb3, 0x99, 0x3d, + 0x0b, 0xfc, 0x91, 0xc0, 0x93, 0xdd, 0x3c, 0x7b, 0x76, 0x2e, 0xee, 0x84, + 0xab, 0x9a, 0xe4, 0x4f, 0x41, 0x9f, 0xe3, 0xc4, 0x66, 0xef, 0x15, 0x53, + 0x5e, 0x7b, 0x8a, 0x98, 0x2d, 0xd9, 0x5e, 0x14, 0x41, 0xfe, 0xc5, 0x1e, + 0x8a, 0x7a, 0x54, 0x65, 0xb8, 0xc4, 0x53, 0x3b, 0x1a, 0xca, 0xbc, 0xae, + 0xda, 0x0b, 0x34, 0xa1, 0x68, 0x07, 0xfa, 0x5b, 0x0e, 0x80, 0x09, 0x97, + 0xd6, 0x62, 0x14, 0x5e, 0xb0, 0xc0, 0xd4, 0xb1, 0x7f, 0x9f, 0xb6, 0x17, + 0xf0, 0x41, 0xa0, 0x5c, 0x38, 0xb2, 0xbe, 0xaf, 0xa0, 0xfe, 0x01, 0x7c, + 0xc0, 0x5d, 0x09, 0x89, 0x41, 0x8f, 0xfc, 0xf5, 0x2f, 0xdf, 0x00, 0x4f, + 0xf1, 0x27, 0xc1, 0x94, 0x15, 0xb8, 0x55, 0x65, 0x03, 0x9c, 0x2c, 0xb8, + 0xfa, 0xa8, 0xfc, 0xdc}, {0x46, 0x29, 0x02, 0x7b, 0xfd, 0xd6, 0xc3, 0x3a, 0xbd, 0xa0, 0x30, 0xf0, 0xcb, 0x3a, 0xc1, 0xb5, 0x5b, 0xdd, 0xdd, 0xd1, 0x12, 0x92, 0x52, 0x0f, 0x14, 0x22, 0x48, 0xbb, 0xd1, 0xef, 0xad, 0x14, 0xad, 0xcb, 0x7e, 0xc5, 
@@ -4134,12 +4523,29 @@ const RsaDecryptTestVector kRsa2048DecryptWycheproofVectors[] = { 0xb4, 0x16, 0x09, 0x5c, 0x6f, 0xf9, 0x6f, 0x6d, 0xe0, 0xd9, 0x12, 0x3d, 0xd9, 0xce, 0x6d, 0x31}, priv_key_0, - false}, + true}, // Comment: no padding // tcID: 24 {24, - {0x54, 0x65, 0x73, 0x74}, + // This is a Bleichenbacher synthetic generated result + {0xc4, 0x59, 0x75, 0xe3, 0x07, 0x51, 0xd5, 0x1b, 0x4a, 0x81, 0x93, 0x86, + 0xcc, 0x9f, 0x2a, 0x90, 0x20, 0xac, 0x1e, 0x07, 0x84, 0x4a, 0x19, 0xba, + 0x86, 0x92, 0x0d, 0xd9, 0xe7, 0x3e, 0x2d, 0x45, 0xb8, 0x16, 0x4a, 0xf0, + 0x84, 0x05, 0x46, 0x3f, 0xce, 0x7d, 0x63, 0x61, 0x8d, 0x15, 0xdc, 0x07, + 0xb8, 0x08, 0x70, 0xe8, 0x87, 0xe5, 0xc8, 0xbc, 0xec, 0xfd, 0x37, 0x85, + 0x5a, 0xee, 0x81, 0x81, 0x90, 0x58, 0x07, 0xf6, 0xbb, 0x30, 0x2e, 0xa4, + 0x15, 0xc9, 0x97, 0xfb, 0x6c, 0x39, 0x08, 0x6d, 0x39, 0xde, 0x08, 0xfb, + 0xee, 0x88, 0xbf, 0x8c, 0x04, 0x6a, 0xe8, 0x49, 0x41, 0x8d, 0xd1, 0x6c, + 0xfb, 0x1e, 0xe2, 0x23, 0x60, 0xbc, 0x87, 0xab, 0xba, 0xb9, 0x0d, 0x31, + 0x46, 0xe6, 0x00, 0xb5, 0x56, 0x29, 0xbf, 0x30, 0xf3, 0x6d, 0xe9, 0x71, + 0x09, 0x23, 0xb0, 0xeb, 0x93, 0xb1, 0xf6, 0x29, 0x8e, 0x55, 0x15, 0x33, + 0x13, 0xdf, 0xf7, 0xa3, 0x10, 0x34, 0x40, 0x40, 0x3f, 0xf5, 0xe7, 0x05, + 0xfe, 0xb9, 0xf4, 0xf2, 0x91, 0xae, 0x27, 0x85, 0x17, 0xd5, 0x3c, 0xb3, + 0x63, 0x8c, 0xed, 0x27, 0x95, 0x70, 0x58, 0x56, 0x62, 0xe7, 0xd6, 0xf7, + 0x97, 0x96, 0x83, 0x9b, 0xf0, 0x4f, 0x5e, 0x1b, 0x96, 0x2f, 0x69, 0x68, + 0x4a, 0x3e, 0xe8, 0x2b, 0x93, 0xdb, 0x14, 0x04, 0x31, 0x58, 0xa0, 0x2c, + 0x0c, 0x82, 0xcb, 0x9d, 0x8d, 0xf8, 0xfd, 0xd5, 0xea}, {0x91, 0x0a, 0xd4, 0x0a, 0xe0, 0xd8, 0xaf, 0x15, 0x1f, 0x51, 0x23, 0x54, 0xe1, 0xcf, 0x12, 0xaf, 0x7c, 0x48, 0x51, 0xcf, 0xf0, 0xb6, 0x59, 0x02, 0x6e, 0x90, 0xa9, 0xec, 0x4d, 0xea, 0x6c, 0x1e, 0x4b, 0x2b, 0x33, 0xcb, 
@@ -4163,12 +4569,29 @@ const RsaDecryptTestVector kRsa2048DecryptWycheproofVectors[] = { 0xba, 0x4b, 0x81, 0x6a, 0x23, 0x28, 0xee, 0xe9, 0x85, 0x3f, 0xa6, 0x99, 0x4e, 0xc3, 0x13, 0xd8}, priv_key_0, - false}, + true}, // Comment: m = 2 // tcID: 25 {25, - {0x54, 0x65, 0x73, 0x74}, + // This is a Bleichenbacher synthetic generated result + {0x9e, 0x7c, 0xf0, 0xec, 0x30, 0x99, 0xfa, 0x06, 0x92, 0xbf, 0xd1, 0xef, + 0x09, 0x46, 0xd0, 0x40, 0x06, 0xe3, 0xdb, 0x42, 0xcb, 0x9f, 0x14, 0x17, + 0x04, 0x5e, 0x23, 0x98, 0x6a, 0x95, 0x4c, 0xca, 0xb3, 0xa1, 0x8c, 0xcc, + 0x6d, 0x93, 0x03, 0x67, 0x50, 0xab, 0x6b, 0x1b, 0x61, 0xc7, 0x46, 0xe3, + 0x30, 0x0c, 0x75, 0x98, 0xc7, 0xe9, 0xd5, 0x28, 0x22, 0xe0, 0xd2, 0x30, + 0x2d, 0xa7, 0xea, 0xfb, 0x87, 0xa8, 0x4e, 0x5c, 0x9a, 0xf5, 0x74, 0xde, + 0xe3, 0x34, 0xcb, 0x7d, 0xfb, 0xd5, 0xe6, 0xc1, 0x00, 0x6a, 0xa5, 0x15, + 0xc0, 0x42, 0x59, 0xeb, 0x3d, 0x06, 0xa1, 0xa9, 0x48, 0x85, 0x2c, 0x7f, + 0xd1, 0x26, 0xd1, 0x5e, 0x80, 0xe3, 0x2d, 0x7f, 0xc8, 0xee, 0xd9, 0x41, + 0x85, 0xb3, 0x20, 0x95, 0xe3, 0x7f, 0x2f, 0x6a, 0x56, 0x41, 0x23, 0xce, + 0x05, 0x2f, 0xb3, 0x5c, 0x52, 0xc7, 0x08, 0xd7, 0x3c, 0x3d, 0x6f, 0x4f, + 0x4c, 0xa5, 0x9d, 0x91, 0xf4, 0x63, 0x01, 0x51, 0x17, 0x33, 0x3d, 0xb5, + 0xf7, 0x01, 0x44, 0x4c, 0x08, 0x6f, 0x1e, 0xd0, 0x5a, 0xca, 0x05, 0x89, + 0xe4, 0xa1, 0x64, 0x33, 0xad, 0x00, 0x90, 0x38, 0x12, 0xb3, 0xd0, 0xae, + 0x13, 0x28, 0x9a, 0xab, 0xca, 0xdc, 0x31, 0xab, 0x6e, 0x00, 0x1c, 0x8b, + 0x5c, 0x03, 0x09, 0x1b, 0xc7, 0x89, 0x9a, 0xed, 0x0a, 0x78, 0x1b, 0x0a, + 0xba, 0xfe, 0x57, 0x22, 0x6a, 0x24, 0xe1, 0xb5, 0xa4, 0x75, 0xda}, {0x62, 0x94, 0xdd, 0xf0, 0xfc, 0xd1, 0x37, 0x39, 0x0c, 0xb2, 0x19, 0x3e, 0x05, 0x0b, 0x5f, 0x61, 0xbf, 0x01, 0x83, 0x97, 0x29, 0x12, 0xdc, 0xa8, 0x8d, 0xdc, 0xef, 0x7d, 0x54, 0x38, 0x86, 0x65, 0xa7, 0xff, 0x9b, 0xe1, 
@@ -4192,12 +4615,13 @@ const RsaDecryptTestVector kRsa2048DecryptWycheproofVectors[] = { 0x74, 0xca, 0xca, 0x09, 0x95, 0xca, 0x3e, 0x57, 0x64, 0x28, 0xf6, 0x51, 0xe1, 0xcf, 0x37, 0x64}, priv_key_0, - false}, + true}, // Comment: m = n-2 // tcID: 26 {26, - {0x54, 0x65, 0x73, 0x74}, + // This is a Bleichenbacher synthetic generated result + {0x6a, 0xbd, 0xa8, 0xd0, 0x70, 0xf3, 0xae, 0x3e, 0x17, 0x5b, 0xb7}, {0x50, 0xbc, 0x2c, 0x3a, 0xd0, 0x7b, 0xaf, 0x0b, 0xb9, 0x03, 0x7b, 0x70, 0x4b, 0x4e, 0x81, 0xc9, 0x70, 0x03, 0xc7, 0xce, 0x64, 0x4a, 0xc8, 0xed, 0x0c, 0x52, 0xef, 0x9b, 0x1d, 0x7f, 0x82, 0x56, 0x95, 0xf4, 0x4a, 0x46, 
@@ -4221,12 +4645,27 @@ const RsaDecryptTestVector kRsa2048DecryptWycheproofVectors[] = { 0x80, 0xa8, 0x5c, 0x13, 0x02, 0xfe, 0x01, 0xb3, 0x3d, 0x01, 0xfd, 0x3c, 0x61, 0xfb, 0xa0, 0xe9}, priv_key_0, - false}, + true}, // Comment: c = 0 // tcID: 27 {27, - {0x54, 0x65, 0x73, 0x74}, + // This is a Bleichenbacher synthetic generated result + {0xfc, 0xd3, 0x37, 0xc9, 0x64, 0x1f, 0xb9, 0x1d, 0x66, 0x0d, 0xb0, 0x8d, + 0x19, 0xb2, 0x47, 0x7e, 0x31, 0xd3, 0xf1, 0xd5, 0x69, 0x8b, 0x7f, 0xa3, + 0x04, 0xa5, 0x92, 0x73, 0xe9, 0xea, 0xfe, 0x53, 0x88, 0xfe, 0xa0, 0xa0, + 0x60, 0x4d, 0x7e, 0x03, 0x02, 0xce, 0xf4, 0x62, 0xb8, 0x27, 0x5c, 0x74, + 0xa3, 0xdb, 0xb1, 0xf8, 0x0f, 0x44, 0x96, 0xc9, 0xf2, 0x48, 0x0d, 0x4e, + 0x03, 0x89, 0x3a, 0x1a, 0x0b, 0xcd, 0xf0, 0x75, 0x04, 0xef, 0x3b, 0x3e, + 0x22, 0xb9, 0x25, 0x16, 0x0c, 0xc1, 0x45, 0xf6, 0x98, 0xee, 0xfc, 0x4b, + 0x82, 0xa7, 0x23, 0x3b, 0x8b, 0x46, 0x27, 0x0e, 0xd1, 0x2b, 0x35, 0x31, + 0x5c, 0x3b, 0x4c, 0x93, 0x79, 0x4f, 0xf1, 0xa9, 0x7d, 0x94, 0xb2, 0xaa, + 0x9a, 0x15, 0x2d, 0x58, 0x79, 0x87, 0x50, 0x7c, 0xb0, 0xea, 0x05, 0xa3, + 0xf0, 0xdf, 0x71, 0x73, 0xe7, 0x4d, 0xb4, 0x06, 0x9e, 0x59, 0xe3, 0x61, + 0x14, 0x52, 0xa8, 0x9b, 0xbb, 0x79, 0xe7, 0xe2, 0xef, 0x60, 0x34, 0x32, + 0xd3, 0x5c, 0xfb, 0xa4, 0x2a, 0xd0, 0xcc, 0x96, 0x34, 0x73, 0x1f, 0x04, + 0x8f, 0x4a, 0xf0, 0x93, 0xa2, 0xe7, 0xe6, 0x14, 0xce, 0xdf, 0xa9, 0x2d, + 0x61, 0x05, 0x1e, 0x91, 0xbb, 0x3d, 0x05, 0x37, 0x90}, {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
@@ -4250,12 +4689,29 @@ const RsaDecryptTestVector kRsa2048DecryptWycheproofVectors[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, priv_key_0, - false}, + true}, // Comment: c = 1 // tcID: 28 {28, - {0x54, 0x65, 0x73, 0x74}, + // This is a Bleichenbacher synthetic generated result + {0x70, 0xbb, 0x62, 0xae, 0x7b, 0x3c, 0x55, 0x94, 0xa6, 0x57, 0x2f, 0x55, + 0x08, 0x4b, 0x6f, 0x50, 0xa6, 0x77, 0x74, 0x7c, 0x60, 0x73, 0xe2, 0xb3, + 0x2b, 0xa9, 0x1b, 0x67, 0x3c, 0x93, 0x1d, 0x21, 0x17, 0x1a, 0xcf, 0x3e, + 0x65, 0xf2, 0xdb, 0xca, 0xc8, 0xac, 0xb0, 0x7f, 0xfe, 0xde, 0xf5, 0x4c, + 0xef, 0xc6, 0x1a, 0x44, 0xda, 0x88, 0x50, 0xf6, 0xbf, 0x42, 0x0c, 0xf5, + 0xbf, 0x96, 0xcc, 0x35, 0x84, 0x0b, 0x26, 0xd2, 0x6c, 0xbd, 0x8b, 0x92, + 0xa8, 0x9e, 0xdf, 0x23, 0xdf, 0xbc, 0x69, 0xc7, 0x5e, 0x69, 0x30, 0xca, + 0x4a, 0xe2, 0x94, 0x90, 0x26, 0x82, 0x57, 0x7c, 0xe6, 0x88, 0xe8, 0x8f, + 0xf3, 0xa2, 0x04, 0xc2, 0xa4, 0xdd, 0x45, 0x01, 0x4e, 0x31, 0x4d, 0xea, + 0x1e, 0xcf, 0xc8, 0xc5, 0xb1, 0x1d, 0x0c, 0x59, 0x27, 0xa0, 0xd3, 0x92, + 0x41, 0x6b, 0xee, 0x34, 0xcc, 0x7d, 0xfb, 0x5c, 0x3f, 0xc6, 0x74, 0x09, + 0x6e, 0xc9, 0xe8, 0x15, 0xad, 0xa3, 0x63, 0x15, 0x0a, 0x78, 0xe1, 0xe7, + 0xf4, 0x52, 0xe4, 0x2f, 0xb8, 0x21, 0x65, 0x44, 0xba, 0x02, 0x6f, 0xca, + 0xf1, 0x59, 0x4b, 0xdb, 0x63, 0x73, 0x51, 0x64, 0xe9, 0x2c, 0x14, 0x9b, + 0xe6, 0xae, 0xfd, 0xdb, 0xe0, 0x79, 0x8e, 0x07, 0x37, 0x1e, 0x39, 0xde, + 0x23, 0x0b, 0xc5, 0x18, 0x9e, 0x42, 0x58, 0xa2, 0xf4, 0x64, 0x64, 0xa9, + 0xca, 0xde, 0x6b, 0x61}, {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
@@ -4279,12 +4735,20 @@ const RsaDecryptTestVector kRsa2048DecryptWycheproofVectors[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}, priv_key_0, - false}, + true}, // Comment: c = n-1 // tcID: 29 {29, - {0x54, 0x65, 0x73, 0x74}, + // This is a Bleichenbacher synthetic generated result + {0xff, 0xdc, 0x34, 0xe8, 0x0e, 0x24, 0x05, 0xda, 0xc7, 0x1b, 0xd0, + 0xee, 0x39, 0xfd, 0xfa, 0x65, 0x49, 0xc5, 0x82, 0x46, 0xac, 0x0d, + 0x34, 0x03, 0xe3, 0x79, 0x68, 0x8b, 0x30, 0xce, 0x4a, 0x51, 0xe5, + 0x3b, 0x88, 0x24, 0xb0, 0x9b, 0x5e, 0xdd, 0x7d, 0xbb, 0xc4, 0xfb, + 0xbf, 0x9d, 0xca, 0xbe, 0x3f, 0x29, 0x90, 0x39, 0x43, 0xaa, 0xf1, + 0x8d, 0xf5, 0xb4, 0xce, 0xe5, 0xed, 0x58, 0xc3, 0x8f, 0x4f, 0x38, + 0x07, 0x2c, 0x85, 0x4d, 0x3c, 0xe2, 0x57, 0x2b, 0x2d, 0xcf, 0xcd, + 0x84, 0x1f, 0xa4, 0x7f, 0xc5, 0x97, 0x60, 0x7a, 0x1d}, {0xb3, 0x51, 0x0a, 0x2b, 0xcd, 0x4c, 0xe6, 0x44, 0xc5, 0xb5, 0x94, 0xae, 0x50, 0x59, 0xe1, 0x2b, 0x2f, 0x05, 0x4b, 0x65, 0x8d, 0x5d, 0xa5, 0x95, 0x9a, 0x2f, 0xdf, 0x18, 0x71, 0xb8, 0x08, 0xbc, 0x3d, 0xf3, 0xe6, 0x28, @@ -4308,7 +4772,7 @@ const RsaDecryptTestVector kRsa2048DecryptWycheproofVectors[] = { 0xf5, 0x73, 0x26, 0x1c, 0x98, 0xc8, 0x40, 0x0a, 0xa1, 0x2a, 0xf3, 0x8e, 0x43, 0xca, 0xd8, 0x4c}, priv_key_0, - false}, + true}, // Comment: ciphertext is empty // tcID: 30 
@@ -5671,6 +6135,736 @@ const RsaDecryptTestVector kRsa2048DecryptWycheproofVectors[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, priv_key_32, + true}, + + // Hubert Bleichenbacher vectors. + // test 1 positive test. + // tcId: 66 + {66, + // lorem ipsum dolor sit amet + {0x6c, 0x6f, 0x72, 0x65, 0x6d, 0x20, 0x69, 0x70, 0x73, + 0x75, 0x6d, 0x20, 0x64, 0x6f, 0x6c, 0x6f, 0x72, 0x20, + 0x73, 0x69, 0x74, 0x20, 0x61, 0x6d, 0x65, 0x74}, + {0x8b, 0xfe, 0x26, 0x4e, 0x85, 0xd3, 0xbd, 0xea, 0xa6, 0xb8, 0x85, 0x1b, + 0x8e, 0x3b, 0x95, 0x6e, 0xe3, 0xd2, 0x26, 0xfd, 0x3f, 0x69, 0x06, 0x3a, + 0x86, 0x88, 0x01, 0x73, 0xa2, 0x73, 0xd9, 0xf2, 0x83, 0xb2, 0xee, 0xbd, + 0xd1, 0xed, 0x35, 0xf7, 0xe0, 0x2d, 0x91, 0xc5, 0x71, 0x98, 0x1b, 0x67, + 0x37, 0xd5, 0x32, 0x0b, 0xd8, 0x39, 0x6b, 0x0f, 0x3a, 0xd5, 0xb0, 0x19, + 0xda, 0xec, 0x1b, 0x0a, 0xab, 0x3c, 0xbb, 0xc0, 0x26, 0x39, 0x5f, 0x4f, + 0xd1, 0x4f, 0x13, 0x67, 0x3f, 0x2d, 0xfc, 0x81, 0xf9, 0xb6, 0x60, 0xec, + 0x26, 0xac, 0x38, 0x1e, 0x6d, 0xb3, 0x29, 0x9b, 0x4e, 0x46, 0x0b, 0x43, + 0xfa, 0xb9, 0x95, 0x5d, 0xf2, 0xb3, 0xcf, 0xaa, 0x20, 0xe9, 0x00, 0xe1, + 0x9c, 0x85, 0x62, 0x38, 0xfd, 0x37, 0x18, 0x99, 0xc2, 0xbf, 0x2c, 0xe8, + 0xc8, 0x68, 0xb7, 0x67, 0x54, 0xe5, 0xdb, 0x3b, 0x03, 0x65, 0x33, 0xfd, + 0x60, 0x37, 0x46, 0xbe, 0x13, 0xc1, 0x0d, 0x4e, 0x3e, 0x60, 0x22, 0xeb, + 0xc9, 0x05, 0xd2, 0x0c, 0x2a, 0x7f, 0x32, 0xb2, 0x15, 0xa4, 0xcd, 0x53, + 0xb3, 0xf4, 0x4c, 0xa1, 0xc3, 0x27, 0xd2, 0xc2, 0xb6, 0x51, 0x14, 0x58, + 0x21, 0xc0, 0x83, 0x96, 0xc8, 0x90, 0x71, 0xf6, 0x65, 0x34, 0x9c, 0x25, + 0xe4, 0x4d, 0x27, 0x33, 0xcd, 0x93, 0x05, 0x98, 0x5c, 0xee, 0xf6, 0x43, + 0x0c, 0x3c, 0xf5, 0x7a, 0xf5, 0xfa, 0x22, 0x40, 0x89, 0x22, 0x12, 0x18, + 0xfa, 0x34, 0x73, 0x7c, 0x79, 0xc4, 0x46, 0xd2, 0x8a, 0x94, 0xc4, 0x1c, + 0x96, 0xe4, 0xe9, 0x2a, 0xc5, 0x3f, 0xbc, 0xf3, 0x84, 0xde, 0xa8, 0x41, + 0x9e, 0xa0, 0x89, 0xf8, 0x78, 0x44, 0x45, 0xa4, 0x92, 0xc8, 0x12, 0xeb, + 0x0d, 0x40, 0x94, 0x67, 
0xf7, 0x5a, 0xfd, 0x7d, 0x4d, 0x10, 0x78, 0x88, + 0x62, 0x05, 0xa0, 0x66}, + priv_key_1b, + true}, + + // Invalid Empty Message + {67, + {}, + {0x20, 0xaa, 0xa8, 0xad, 0xbb, 0xc5, 0x93, 0xa9, 0x24, 0xba, 0x1c, 0x5c, + 0x79, 0x90, 0xb5, 0xc2, 0x24, 0x2a, 0xe4, 0xb9, 0x9d, 0x0f, 0xe6, 0x36, + 0xa1, 0x9a, 0x4c, 0xf7, 0x54, 0xed, 0xbc, 0xee, 0x77, 0x4e, 0x47, 0x2f, + 0xe0, 0x28, 0x16, 0x0e, 0xd4, 0x26, 0x34, 0xf8, 0x86, 0x49, 0x00, 0xcb, + 0x51, 0x40, 0x06, 0xda, 0x64, 0x2c, 0xae, 0x6a, 0xe8, 0xc7, 0xd0, 0x87, + 0xca, 0xeb, 0xcf, 0xa6, 0xda, 0xd1, 0x55, 0x13, 0x01, 0xe1, 0x30, 0x34, + 0x49, 0x89, 0xa1, 0xd4, 0x62, 0xd4, 0x16, 0x45, 0x05, 0xf6, 0x39, 0x39, + 0x33, 0x45, 0x0c, 0x67, 0xbc, 0x6d, 0x39, 0xd8, 0xf5, 0x16, 0x09, 0x07, + 0xca, 0xbc, 0x25, 0x1b, 0x73, 0x79, 0x25, 0xa1, 0xcf, 0x21, 0xe5, 0xc6, + 0xaa, 0x57, 0x81, 0xb7, 0x76, 0x9f, 0x6a, 0x2a, 0x58, 0x3d, 0x97, 0xcc, + 0xe0, 0x08, 0xc0, 0xf8, 0xb6, 0xad, 0xd5, 0xf0, 0xb2, 0xbd, 0x80, 0xbe, + 0xe6, 0x02, 0x37, 0xaa, 0x39, 0xbb, 0x20, 0x71, 0x9f, 0xe7, 0x57, 0x49, + 0xf4, 0xbc, 0x4e, 0x42, 0x46, 0x6e, 0xf5, 0xa8, 0x61, 0xae, 0x3a, 0x92, + 0x39, 0x5c, 0x7d, 0x85, 0x8d, 0x43, 0x0b, 0xfe, 0x38, 0x04, 0x0f, 0x44, + 0x5e, 0xa9, 0x3f, 0xa2, 0x95, 0x8b, 0x50, 0x35, 0x39, 0x80, 0x0f, 0xfa, + 0x5c, 0xe5, 0xf8, 0xcf, 0x51, 0xfa, 0x81, 0x71, 0xa9, 0x1f, 0x36, 0xcb, + 0x4f, 0x45, 0x75, 0xe8, 0xde, 0x6b, 0x4d, 0x3f, 0x09, 0x6e, 0xe1, 0x40, + 0xb9, 0x38, 0xfd, 0x2f, 0x50, 0xee, 0x13, 0xf0, 0xd0, 0x50, 0x22, 0x2e, + 0x2a, 0x72, 0xb0, 0xa3, 0x06, 0x9f, 0xf3, 0xa6, 0x73, 0x8e, 0x82, 0xc8, + 0x70, 0x90, 0xca, 0xa5, 0xae, 0xd4, 0xfc, 0xbe, 0x88, 0x2c, 0x49, 0x64, + 0x6a, 0xa2, 0x50, 0xb9, 0x8f, 0x12, 0xf8, 0x3c, 0x8d, 0x52, 0x81, 0x13, + 0x61, 0x4a, 0x29, 0xe7}, + priv_key_1b, + true}, + + // Invalid Max Nessage + {68, + {0x22, 0xd8, 0x50, 0x13, 0x7b, 0x9e, 0xeb, 0xe0, 0x92, 0xb2, 0x4f, 0x60, + 0x2d, 0xc5, 0xbb, 0x79, 0x18, 0xc1, 0x6b, 0xd8, 0x9d, 0xdb, 0xf2, 0x04, + 0x67, 0xb1, 0x19, 0xd2, 0x05, 0xf9, 0xc2, 0xe4, 0xbd, 0x7d, 0x25, 
0x92, + 0xcf, 0x1e, 0x53, 0x21, 0x06, 0xe0, 0xf3, 0x35, 0x57, 0x56, 0x59, 0x23, + 0xc7, 0x3a, 0x02, 0xd4, 0xf0, 0x9c, 0x0c, 0x22, 0xbe, 0xa8, 0x91, 0x48, + 0x18, 0x3e, 0x60, 0x31, 0x7f, 0x70, 0x28, 0xb3, 0xaa, 0x1f, 0x26, 0x1f, + 0x91, 0xc9, 0x79, 0x39, 0x31, 0x01, 0xd7, 0xe1, 0x5f, 0x40, 0x67, 0xe6, + 0x39, 0x79, 0xb3, 0x27, 0x51, 0x65, 0x8e, 0xf7, 0x69, 0x61, 0x0f, 0xe9, + 0x7c, 0xf9, 0xce, 0xf3, 0x27, 0x8b, 0x31, 0x17, 0xd3, 0x84, 0x05, 0x1c, + 0x3b, 0x1d, 0x82, 0xc2, 0x51, 0xc2, 0x30, 0x54, 0x18, 0xc8, 0xf6, 0x84, + 0x05, 0x30, 0xe6, 0x31, 0xaa, 0xd6, 0x3e, 0x70, 0xe2, 0x0e, 0x02, 0x5b, + 0xcd, 0x8e, 0xfb, 0x54, 0xc9, 0x2e, 0xc6, 0xd3, 0xb1, 0x06, 0xa2, 0xf8, + 0xe6, 0x4e, 0xef, 0xf7, 0xd3, 0x84, 0x95, 0xb0, 0xfc, 0x50, 0xc9, 0x71, + 0x38, 0xaf, 0x4b, 0x1c, 0x0a, 0x67, 0xa1, 0xc4, 0xe2, 0x7b, 0x07, 0x7b, + 0x84, 0x39, 0x33, 0x2e, 0xdf, 0xa8, 0x60, 0x8d, 0xfe, 0xae, 0x65, 0x3c, + 0xd6, 0xa6, 0x28, 0xac, 0x55, 0x03, 0x95, 0xf7, 0xe7, 0x43, 0x90, 0xe4, + 0x2c, 0x11, 0x68, 0x22, 0x34, 0x87, 0x09, 0x25, 0xee, 0xaa, 0x1f, 0xa7, + 0x1b, 0x76, 0xcf, 0x1f, 0x2e, 0xe3, 0xbd, 0xa6, 0x9f, 0x67, 0x17, 0x03, + 0x3f, 0xf8, 0xb7, 0xc9, 0x5c, 0x97, 0x99, 0xe7, 0xa3, 0xbe, 0xa5, 0xe7, + 0xe4, 0xa1, 0xc3, 0x59, 0x77, 0x2f, 0xb6, 0xb1, 0xc6, 0xe6, 0xc5, 0x16, + 0x66, 0x1d, 0xfe, 0x30, 0xc3}, + {0x48, 0xcc, 0xea, 0xb1, 0x0f, 0x39, 0xa4, 0xdb, 0x32, 0xf6, 0x00, 0x74, + 0xfe, 0xea, 0x47, 0x3c, 0xbc, 0xdb, 0x7a, 0xcc, 0xf9, 0x2e, 0x15, 0x04, + 0x17, 0xf7, 0x6b, 0x44, 0x75, 0x6b, 0x19, 0x0e, 0x84, 0x3e, 0x79, 0xec, + 0x12, 0xaa, 0x85, 0x08, 0x3a, 0x21, 0xf5, 0x43, 0x7e, 0x7b, 0xad, 0x0a, + 0x60, 0x48, 0x2e, 0x60, 0x11, 0x98, 0xf9, 0xd8, 0x69, 0x23, 0x23, 0x9c, + 0x87, 0x86, 0xee, 0x72, 0x82, 0x85, 0xaf, 0xd0, 0x93, 0x7f, 0x7d, 0xde, + 0x12, 0x71, 0x7f, 0x28, 0x38, 0x98, 0x43, 0xd7, 0x37, 0x59, 0x12, 0xb0, + 0x7b, 0x99, 0x1f, 0x4f, 0xdb, 0x01, 0x90, 0xfc, 0xed, 0x8b, 0xa6, 0x65, + 0x31, 0x43, 0x67, 0xe8, 0xc5, 0xf9, 0xd2, 0x98, 0x1d, 0x0f, 0x51, 0x28, + 0xfe, 0xeb, 0x46, 0xcb, 0x50, 
0xfc, 0x23, 0x7e, 0x64, 0x43, 0x8a, 0x86, + 0xdf, 0x19, 0x8d, 0xd0, 0x20, 0x93, 0x64, 0xae, 0x3a, 0x84, 0x2d, 0x77, + 0x53, 0x2b, 0x66, 0xb7, 0xef, 0x26, 0x3b, 0x83, 0xb1, 0x54, 0x1e, 0xd6, + 0x71, 0xb1, 0x20, 0xdf, 0xd6, 0x60, 0x46, 0x2e, 0x21, 0x07, 0xa4, 0xee, + 0x7b, 0x96, 0x4e, 0x73, 0x4a, 0x7b, 0xd6, 0x8d, 0x90, 0xdd, 0xa6, 0x17, + 0x70, 0x65, 0x8a, 0x3c, 0x24, 0x29, 0x48, 0x53, 0x2d, 0xa3, 0x26, 0x48, + 0x68, 0x7e, 0x03, 0x18, 0x28, 0x64, 0x73, 0xf6, 0x75, 0xb4, 0x12, 0xd6, + 0x46, 0x8f, 0x01, 0x3f, 0x14, 0xd7, 0x60, 0xa3, 0x58, 0xdf, 0xca, 0xd3, + 0xcd, 0xa2, 0xaf, 0xee, 0xc5, 0xe2, 0x68, 0xa3, 0x7d, 0x25, 0x0c, 0x37, + 0xf7, 0x22, 0xf4, 0x68, 0xa7, 0x0d, 0xfd, 0x92, 0xd7, 0x29, 0x4c, 0x3c, + 0x1e, 0xe1, 0xe7, 0xf8, 0x84, 0x3b, 0x7d, 0x16, 0xf9, 0xf3, 0x7e, 0xf3, + 0x57, 0x48, 0xc3, 0xae, 0x93, 0xaa, 0x15, 0x5c, 0xdc, 0xdf, 0xeb, 0x4e, + 0x78, 0x56, 0x73, 0x03}, + priv_key_1b, + true}, + + // invalid the last value from the PRF is 246, which is longer than the max + // allowed length: 245, so it needs to select second to last: 2 + {69, + {0x0f, 0x9b}, + {0x14, 0x39, 0xe0, 0x8c, 0x3f, 0x84, 0xc1, 0xa7, 0xfe, 0xc7, 0x4c, 0xe0, + 0x76, 0x14, 0xb2, 0x0e, 0x01, 0xf6, 0xfa, 0x4e, 0x8c, 0x2a, 0x6c, 0xff, + 0xdc, 0x35, 0x20, 0xd8, 0x88, 0x9e, 0x5d, 0x9a, 0x95, 0x0c, 0x64, 0x25, + 0x79, 0x8f, 0x85, 0xd4, 0xbe, 0x38, 0xd3, 0x00, 0xea, 0x56, 0x95, 0xf1, + 0x3e, 0xcd, 0x4c, 0xb3, 0x89, 0xd1, 0xff, 0x5b, 0x82, 0x48, 0x4b, 0x49, + 0x4d, 0x62, 0x80, 0xab, 0x7f, 0xa7, 0x8e, 0x64, 0x59, 0x33, 0x98, 0x1c, + 0xb9, 0x34, 0xcc, 0xe8, 0xbf, 0xcd, 0x11, 0x4c, 0xc0, 0xe6, 0x81, 0x1e, + 0xef, 0xa4, 0x7a, 0xae, 0x20, 0xaf, 0x63, 0x8a, 0x1c, 0xd1, 0x63, 0xd2, + 0xd3, 0x36, 0x61, 0x86, 0xd0, 0xa0, 0x7d, 0xf0, 0xc8, 0x1f, 0x6c, 0x9f, + 0x31, 0x71, 0xcf, 0x35, 0x61, 0x47, 0x2e, 0x98, 0xa6, 0x00, 0x6b, 0xf7, + 0x5d, 0xdb, 0x45, 0x7b, 0xed, 0x03, 0x6d, 0xcc, 0xe1, 0x99, 0x36, 0x9d, + 0xe7, 0xd9, 0x4e, 0xf2, 0xc6, 0x8e, 0x84, 0x67, 0xee, 0x06, 0x04, 0xee, + 0xa2, 0xb3, 0x00, 0x94, 0x79, 
0x16, 0x2a, 0x78, 0x91, 0xba, 0x5c, 0x40, + 0xca, 0xb1, 0x7f, 0x49, 0xe1, 0xc4, 0x38, 0xcb, 0x6e, 0xae, 0xa4, 0xf7, + 0x6c, 0xe2, 0x3c, 0xce, 0x0e, 0x48, 0x3f, 0xf0, 0xe9, 0x6f, 0xa7, 0x90, + 0xea, 0x15, 0xbe, 0x67, 0x67, 0x18, 0x14, 0x34, 0x2d, 0x0a, 0x23, 0xf4, + 0xa2, 0x02, 0x62, 0xb6, 0x18, 0x2e, 0x72, 0xf3, 0xa6, 0x7c, 0xd2, 0x89, + 0x71, 0x15, 0x03, 0xc8, 0x55, 0x16, 0xa9, 0xed, 0x22, 0x54, 0x22, 0xf9, + 0x8b, 0x11, 0x6f, 0x1a, 0xb0, 0x80, 0xa8, 0x0a, 0xbd, 0x6f, 0x02, 0x16, + 0xdf, 0x88, 0xd8, 0xcf, 0xd6, 0x7c, 0x13, 0x92, 0x43, 0xbe, 0x8d, 0xd7, + 0x85, 0x02, 0xa7, 0xaa, 0xf6, 0xbc, 0x99, 0xd7, 0xda, 0x71, 0xbc, 0xdf, + 0x62, 0x7e, 0x73, 0x54}, + priv_key_1b, + true}, + // Invalid: the last three numbers from prf are: 2, 247, 255, so we need to + // pick 2, the third one from the end + {70, + {0x4f, 0x02}, + {0x16, 0x90, 0xeb, 0xcc, 0xee, 0xce, 0x2c, 0xe0, 0x24, 0xf3, 0x82, 0xe4, + 0x67, 0xcf, 0x85, 0x10, 0xe7, 0x45, 0x14, 0x12, 0x09, 0x37, 0x97, 0x85, + 0x76, 0xca, 0xf6, 0x84, 0xd4, 0xa0, 0x2a, 0xd5, 0x69, 0xe8, 0xd7, 0x6c, + 0xbe, 0x36, 0x5a, 0x06, 0x0e, 0x00, 0x77, 0x9d, 0xe2, 0xf0, 0x86, 0x5c, + 0xcf, 0x0d, 0x92, 0x3d, 0xe3, 0xb4, 0x78, 0x3a, 0x4e, 0x2c, 0x74, 0xf4, + 0x22, 0xe2, 0xf3, 0x26, 0x08, 0x6c, 0x39, 0x0b, 0x65, 0x8b, 0xa4, 0x7f, + 0x31, 0xab, 0x01, 0x3a, 0xa8, 0x0f, 0x46, 0x8c, 0x71, 0x25, 0x6e, 0x5f, + 0xa5, 0x67, 0x9b, 0x24, 0xe8, 0x3c, 0xd8, 0x2c, 0x3d, 0x1e, 0x05, 0xe3, + 0x98, 0x20, 0x81, 0x55, 0xde, 0x22, 0x12, 0x99, 0x3c, 0xd2, 0xb8, 0xba, + 0xb6, 0x98, 0x7c, 0xf4, 0xcc, 0x12, 0x93, 0xf1, 0x99, 0x09, 0x21, 0x94, + 0x39, 0xd7, 0x41, 0x27, 0x54, 0x5e, 0x9e, 0xd8, 0xa7, 0x06, 0x96, 0x1b, + 0x8e, 0xe2, 0x11, 0x9f, 0x6b, 0xfa, 0xca, 0xfb, 0xef, 0x91, 0xb7, 0x5a, + 0x78, 0x9b, 0xa6, 0x5b, 0x8b, 0x83, 0x3b, 0xc6, 0x14, 0x9c, 0xf4, 0x9b, + 0x5c, 0x4d, 0x2c, 0x63, 0x59, 0xf6, 0x28, 0x08, 0x65, 0x9b, 0xa6, 0x54, + 0x1e, 0x1c, 0xd2, 0x4b, 0xf7, 0xf7, 0x41, 0x04, 0x86, 0xb5, 0x10, 0x3f, + 0x6c, 0x0e, 0xa2, 0x93, 0x34, 0xea, 0x6f, 0x49, 0x75, 0xb1, 
0x73, 0x87, + 0x47, 0x4f, 0xe9, 0x20, 0x71, 0x0e, 0xa6, 0x15, 0x68, 0xd7, 0xb7, 0xc0, + 0xa7, 0x91, 0x6a, 0xcf, 0x21, 0x66, 0x5a, 0xd5, 0xa3, 0x1c, 0x4e, 0xab, + 0xcd, 0xe4, 0x4f, 0x8f, 0xb6, 0x12, 0x0d, 0x84, 0x57, 0xaf, 0xa1, 0xf3, + 0xc8, 0x5d, 0x51, 0x7c, 0xda, 0x36, 0x4a, 0xf6, 0x20, 0x11, 0x3a, 0xe5, + 0xa3, 0xc5, 0x2a, 0x04, 0x88, 0x21, 0x73, 0x19, 0x22, 0x73, 0x73, 0x07, + 0xf7, 0x7a, 0x10, 0x81}, + priv_key_1b, + true}, + + // ciphertext that generates a fake 11 byte plaintext, but decrypts + // to real 11 byte long plaintext + {71, + // lorem ipsum + {0x6c, 0x6f, 0x72, 0x65, 0x6d, 0x20, 0x69, 0x70, 0x73, 0x75, 0x6d}, + {0x62, 0x13, 0x63, 0x45, 0x93, 0x33, 0x2c, 0x48, 0x5c, 0xef, 0x78, 0x3e, + 0xa2, 0x84, 0x6e, 0x3d, 0x6e, 0x8b, 0x0e, 0x00, 0x5c, 0xd8, 0x29, 0x3e, + 0xae, 0xbb, 0xaa, 0x50, 0x79, 0x71, 0x2f, 0xd6, 0x81, 0x57, 0x9b, 0xdf, + 0xbb, 0xda, 0x13, 0x8a, 0xe4, 0xd9, 0xd9, 0x52, 0x91, 0x7a, 0x03, 0xc9, + 0x23, 0x98, 0xec, 0x0c, 0xb2, 0xbb, 0x0c, 0x6b, 0x5a, 0x8d, 0x55, 0x06, + 0x1f, 0xed, 0x0d, 0x0d, 0x8d, 0x72, 0x47, 0x35, 0x63, 0x15, 0x26, 0x48, + 0xcf, 0xe6, 0x40, 0xb3, 0x35, 0xdc, 0x95, 0x33, 0x1c, 0x21, 0xcb, 0x13, + 0x3a, 0x91, 0x79, 0x0f, 0xa9, 0x3a, 0xe4, 0x44, 0x97, 0xc1, 0x28, 0x70, + 0x89, 0x70, 0xd2, 0xbe, 0xeb, 0x77, 0xe8, 0x72, 0x1b, 0x06, 0x1b, 0x1c, + 0x44, 0x03, 0x41, 0x43, 0x73, 0x4a, 0x77, 0xbe, 0x82, 0x20, 0x87, 0x74, + 0x15, 0xa6, 0xdb, 0xa0, 0x73, 0xc3, 0x87, 0x16, 0x05, 0x38, 0x05, 0x42, + 0xa9, 0xf2, 0x52, 0x52, 0xa4, 0xba, 0xbe, 0x83, 0x31, 0xcd, 0xd5, 0x3c, + 0xf8, 0x28, 0x42, 0x3f, 0x3c, 0xc7, 0x0b, 0x56, 0x06, 0x24, 0xd0, 0x58, + 0x1f, 0xb1, 0x26, 0xb2, 0xed, 0x4f, 0x4e, 0xd3, 0x58, 0xf0, 0xeb, 0x80, + 0x65, 0xcf, 0x17, 0x63, 0x99, 0xac, 0x1a, 0x84, 0x6a, 0x31, 0x05, 0x5f, + 0x9a, 0xe8, 0xc9, 0xc2, 0x4a, 0x1b, 0xa0, 0x50, 0xbc, 0x20, 0x84, 0x21, + 0x25, 0xbc, 0x17, 0x53, 0x15, 0x8f, 0x80, 0x65, 0xf3, 0xad, 0xb9, 0xcc, + 0x16, 0xbf, 0xdf, 0x83, 0x81, 0x6b, 0xdf, 0x38, 0xb6, 0x24, 0xf1, 0x20, + 0x22, 0xc5, 0xa6, 0xfb, 0xfe, 
0x29, 0xbc, 0x91, 0x54, 0x2b, 0xe8, 0xc0, + 0x20, 0x8a, 0x77, 0x0b, 0xcd, 0x67, 0x7d, 0xc5, 0x97, 0xf5, 0x55, 0x7d, + 0xc2, 0xce, 0x28, 0xa1, 0x1b, 0xf3, 0xe3, 0x85, 0x7f, 0x15, 0x87, 0x17, + 0xa3, 0x3f, 0x65, 0x92}, + priv_key_1b, + true}, + + // ciphertext that starts with a null byte, decrypts to real 11 byte + // long plaintext + {72, + // lorem ipsum + {0x6c, 0x6f, 0x72, 0x65, 0x6d, 0x20, 0x69, 0x70, 0x73, 0x75, 0x6d}, + {0x00, 0xa2, 0xe8, 0xf1, 0x14, 0xea, 0x8d, 0x05, 0xd1, 0x2d, 0xc8, 0x43, + 0xe3, 0xcc, 0x3b, 0x2e, 0xdc, 0x82, 0x29, 0xff, 0x2a, 0x02, 0x8b, 0xda, + 0x29, 0xba, 0x9d, 0x55, 0xe3, 0xcd, 0x02, 0x91, 0x19, 0x02, 0xfe, 0xf1, + 0xf4, 0x2a, 0x07, 0x5b, 0xf0, 0x5e, 0x80, 0x16, 0xe8, 0x56, 0x72, 0x13, + 0xd6, 0xf2, 0x60, 0xfa, 0x49, 0xe3, 0x60, 0x77, 0x9d, 0xd8, 0x1a, 0xee, + 0xa3, 0xe0, 0x4c, 0x2c, 0xb5, 0x67, 0xe0, 0xd7, 0x2b, 0x98, 0xbf, 0x75, + 0x40, 0x14, 0x56, 0x1b, 0x75, 0x11, 0xe0, 0x83, 0xd2, 0x0e, 0x0b, 0xfb, + 0x9c, 0xd2, 0x3f, 0x8a, 0x0d, 0x3c, 0x88, 0x90, 0x0c, 0x49, 0xd2, 0xfc, + 0xd5, 0x84, 0x3f, 0xf0, 0x76, 0x56, 0x07, 0xb2, 0x02, 0x6f, 0x28, 0x20, + 0x2a, 0x87, 0xaa, 0x94, 0x67, 0x8a, 0xed, 0x22, 0xa0, 0xc2, 0x07, 0x24, + 0x54, 0x13, 0x94, 0xcd, 0x8f, 0x44, 0xe3, 0x73, 0xeb, 0xa1, 0xd2, 0xba, + 0xe9, 0x8f, 0x51, 0x6c, 0x1e, 0x2b, 0xa3, 0xd8, 0x68, 0x52, 0xd0, 0x64, + 0xf8, 0x56, 0xb1, 0xda, 0xf2, 0x47, 0x95, 0xe7, 0x67, 0xa2, 0xb9, 0x03, + 0x96, 0xe5, 0x07, 0x43, 0xe3, 0x15, 0x06, 0x64, 0xaf, 0xab, 0x13, 0x1f, + 0xe4, 0x0e, 0xa4, 0x05, 0xdc, 0xf5, 0x72, 0xdd, 0x10, 0x79, 0xaf, 0x1d, + 0x3f, 0x03, 0x92, 0xcc, 0xad, 0xcc, 0xa0, 0xa1, 0x27, 0x40, 0xdb, 0xb2, + 0x13, 0xb9, 0x25, 0xca, 0x2a, 0x06, 0xb1, 0xbc, 0x13, 0x83, 0xe8, 0x3a, + 0x65, 0x8c, 0x82, 0xba, 0x2e, 0x74, 0x27, 0x34, 0x23, 0x79, 0x08, 0x4d, + 0x5f, 0x66, 0xb5, 0x44, 0x57, 0x9f, 0x07, 0x66, 0x4c, 0xb2, 0x6e, 0xdd, + 0x4f, 0x10, 0xfd, 0x91, 0x3f, 0xdb, 0xc0, 0xde, 0x05, 0xef, 0x88, 0x7d, + 0x4d, 0x1e, 0xc1, 0xac, 0x95, 0x65, 0x23, 0x97, 0xea, 0x7f, 0xd4, 0xe4, + 0x75, 0x9f, 
0xda, 0x8b}, + priv_key_1b, + true}, + + // ciphertext that starts with two null bytes, decrypts to real 11 byte + // long plaintext + {73, + // lorem ipsum + {0x6c, 0x6f, 0x72, 0x65, 0x6d, 0x20, 0x69, 0x70, 0x73, 0x75, 0x6d}, + {0x00, 0x00, 0x1f, 0x71, 0x87, 0x9b, 0x42, 0x61, 0x27, 0xf7, 0xde, 0xad, + 0x62, 0x1f, 0x73, 0x80, 0xa7, 0x09, 0x8c, 0xf7, 0xd2, 0x21, 0x73, 0xaa, + 0x27, 0x99, 0x1b, 0x14, 0x3c, 0x46, 0xd5, 0x33, 0x83, 0xc2, 0x09, 0xbd, + 0x0c, 0x9c, 0x00, 0xd8, 0x40, 0x78, 0x03, 0x7e, 0x71, 0x5f, 0x6b, 0x98, + 0xc6, 0x50, 0x05, 0xa7, 0x71, 0x20, 0x07, 0x05, 0x22, 0xed, 0xe5, 0x1d, + 0x47, 0x2c, 0x87, 0xef, 0x94, 0xb9, 0x4e, 0xad, 0x4c, 0x54, 0x28, 0xee, + 0x10, 0x8a, 0x34, 0x55, 0x61, 0x65, 0x83, 0x01, 0x91, 0x1e, 0xc5, 0xa8, + 0xf7, 0xdd, 0x43, 0xed, 0x4a, 0x39, 0x57, 0xfd, 0x29, 0xfb, 0x02, 0xa3, + 0x52, 0x9b, 0xf6, 0x3f, 0x80, 0x40, 0xd3, 0x95, 0x34, 0x90, 0x93, 0x9b, + 0xd8, 0xf7, 0x8b, 0x2a, 0x34, 0x04, 0xb6, 0xfb, 0x5f, 0xf7, 0x0a, 0x4b, + 0xfd, 0xaa, 0xc5, 0xc5, 0x41, 0xd6, 0xbc, 0xce, 0x49, 0xc9, 0x77, 0x8c, + 0xc3, 0x90, 0xbe, 0x24, 0xcb, 0xef, 0x1d, 0x1e, 0xca, 0x7e, 0x87, 0x04, + 0x57, 0x24, 0x1d, 0x3f, 0xf7, 0x2c, 0xa4, 0x4f, 0x9f, 0x56, 0xbd, 0xf3, + 0x1a, 0x89, 0x0f, 0xa5, 0xeb, 0x3a, 0x91, 0x07, 0xb6, 0x03, 0xcc, 0xc9, + 0xd0, 0x6a, 0x5d, 0xd9, 0x11, 0xa6, 0x64, 0xc8, 0x2b, 0x6a, 0xbd, 0x4f, + 0xe0, 0x36, 0xf8, 0xdb, 0x8d, 0x5a, 0x07, 0x0c, 0x2d, 0x86, 0x38, 0x6a, + 0xe1, 0x8d, 0x97, 0xad, 0xc1, 0x84, 0x76, 0x40, 0xc2, 0x11, 0xd9, 0x1f, + 0xf5, 0xc3, 0x38, 0x75, 0x74, 0xa2, 0x6f, 0x8e, 0xf2, 0x7c, 0xa7, 0xf4, + 0x8d, 0x2d, 0xd1, 0xf0, 0xc7, 0xf1, 0x4b, 0x81, 0xcc, 0x9d, 0x33, 0xee, + 0x68, 0x53, 0x03, 0x1d, 0x3e, 0xcf, 0x10, 0xa9, 0x14, 0xff, 0xd9, 0x09, + 0x47, 0x90, 0x9c, 0x80, 0x11, 0xfd, 0x30, 0x24, 0x92, 0x19, 0x34, 0x8e, + 0xbf, 0xf7, 0x6b, 0xfc}, + priv_key_1b, + true}, + + // valid ciphertext that generates a zero length fake plaintext + {74, + // lorem ipsum + {0x6c, 0x6f, 0x72, 0x65, 0x6d, 0x20, 0x69, 0x70, 0x73, 0x75, 0x6d}, + 
{0xb5, 0xe4, 0x93, 0x08, 0xf6, 0xe9, 0x59, 0x00, 0x14, 0xff, 0xaf, 0xfc, + 0x5b, 0x85, 0x60, 0x75, 0x57, 0x39, 0xdd, 0x50, 0x1f, 0x1d, 0x4e, 0x92, + 0x27, 0xa7, 0xd2, 0x91, 0x40, 0x8c, 0xf4, 0xb7, 0x53, 0xf2, 0x92, 0x32, + 0x2f, 0xf8, 0xbe, 0xad, 0x61, 0x3b, 0xf2, 0xca, 0xa1, 0x81, 0xb2, 0x21, + 0xbc, 0x38, 0xca, 0xf6, 0x39, 0x2d, 0xea, 0xfb, 0x28, 0xeb, 0x21, 0xad, + 0x60, 0x93, 0x08, 0x41, 0xed, 0x02, 0xfd, 0x62, 0x25, 0xcc, 0x9c, 0x46, + 0x34, 0x09, 0xad, 0xbe, 0x7d, 0x8f, 0x32, 0x44, 0x02, 0x12, 0xfb, 0xe3, + 0x88, 0x1c, 0x51, 0x37, 0x5b, 0xb0, 0x95, 0x65, 0xef, 0xb2, 0x2e, 0x62, + 0xb0, 0x71, 0x47, 0x2f, 0xb3, 0x86, 0x76, 0xe5, 0xb4, 0xe2, 0x3a, 0x06, + 0x17, 0xdb, 0x5d, 0x14, 0xd9, 0x35, 0x19, 0xac, 0x00, 0x07, 0xa3, 0x0a, + 0x9c, 0x82, 0x2e, 0xb3, 0x1c, 0x38, 0xb5, 0x7f, 0xcb, 0x1b, 0xe2, 0x96, + 0x08, 0xfc, 0xf1, 0xca, 0x2a, 0xbd, 0xca, 0xf5, 0xd5, 0x75, 0x2b, 0xbc, + 0x2b, 0x5a, 0xc7, 0xdb, 0xa5, 0xaf, 0xcf, 0xf4, 0xa5, 0x64, 0x1d, 0xa3, + 0x60, 0xdd, 0x01, 0xf7, 0x11, 0x25, 0x39, 0xb1, 0xed, 0x46, 0xcd, 0xb5, + 0x50, 0xa3, 0xb1, 0x00, 0x65, 0x59, 0xb9, 0xfe, 0x18, 0x91, 0x03, 0x0e, + 0xc8, 0x0f, 0x07, 0x27, 0xc4, 0x24, 0x01, 0xdd, 0xd6, 0xcb, 0xb5, 0xe3, + 0xc8, 0x0f, 0x31, 0x2d, 0xf6, 0xec, 0x89, 0x39, 0x4c, 0x5a, 0x71, 0x18, + 0xf5, 0x73, 0x10, 0x5e, 0x7a, 0xb0, 0x0f, 0xe5, 0x78, 0x33, 0xc1, 0x26, + 0x14, 0x1b, 0x50, 0xa9, 0x35, 0x22, 0x48, 0x42, 0xad, 0xdf, 0xb4, 0x79, + 0xf7, 0x51, 0x60, 0x65, 0x9b, 0xa2, 0x88, 0x77, 0xb5, 0x12, 0xbb, 0x9a, + 0x93, 0x08, 0x4a, 0xd8, 0xbe, 0xc5, 0x40, 0xf9, 0x26, 0x40, 0xf6, 0x3a, + 0x11, 0xa0, 0x10, 0xe0}, + priv_key_1b, + true}, + + // valid ciphertext that generates a 245 byte long fake plaintext + {75, + // lorem ipsum + {0x6c, 0x6f, 0x72, 0x65, 0x6d, 0x20, 0x69, 0x70, 0x73, 0x75, 0x6d}, + {0x1e, 0xa0, 0xb5, 0x0c, 0xa6, 0x52, 0x03, 0xd0, 0xa0, 0x92, 0x80, 0xd3, + 0x97, 0x04, 0xb2, 0x4f, 0xe6, 0xe4, 0x78, 0x00, 0x18, 0x9d, 0xb5, 0x03, + 0x3f, 0x20, 0x27, 0x61, 0xa7, 0x8b, 0xaf, 0xb2, 0x70, 0xc5, 0xe2, 0x5a, + 0xbd, 
0x1f, 0x7e, 0xcc, 0x6e, 0x7a, 0xbc, 0x4f, 0x26, 0xd1, 0xb0, 0xcd, + 0x9b, 0x8c, 0x64, 0x8d, 0x52, 0x94, 0x16, 0xee, 0x64, 0xcc, 0xbd, 0xd7, + 0xaa, 0x72, 0xa7, 0x71, 0xd0, 0x35, 0x32, 0x62, 0xb5, 0x43, 0xf0, 0xe4, + 0x36, 0x07, 0x6f, 0x40, 0xa1, 0x09, 0x5f, 0x5c, 0x7d, 0xfd, 0x10, 0xdc, + 0xf0, 0x05, 0x9c, 0xcb, 0x30, 0xe9, 0x2d, 0xfa, 0x5e, 0x01, 0x56, 0x61, + 0x82, 0x15, 0xf1, 0xc3, 0xff, 0x3a, 0xa9, 0x97, 0xa9, 0xd9, 0x99, 0xe5, + 0x06, 0x92, 0x4f, 0x52, 0x89, 0xe3, 0xac, 0x72, 0xe5, 0xe2, 0x08, 0x6c, + 0xc7, 0xb4, 0x99, 0xd7, 0x15, 0x83, 0xed, 0x56, 0x10, 0x28, 0x67, 0x11, + 0x55, 0xdb, 0x40, 0x05, 0xbe, 0xe0, 0x18, 0x00, 0xa7, 0xcd, 0xbd, 0xae, + 0x78, 0x1d, 0xd3, 0x21, 0x99, 0xb8, 0x91, 0x4b, 0x5d, 0x40, 0x11, 0xdd, + 0x6f, 0xf1, 0x1c, 0xd2, 0x6d, 0x46, 0xaa, 0xd5, 0x49, 0x34, 0xd2, 0x93, + 0xb0, 0xbc, 0x40, 0x3d, 0xd2, 0x11, 0xbf, 0x13, 0xb5, 0xa5, 0xc6, 0x83, + 0x6a, 0x5e, 0x76, 0x99, 0x30, 0xf4, 0x37, 0xff, 0xd8, 0x63, 0x4f, 0xb7, + 0x37, 0x17, 0x76, 0xf4, 0xbc, 0x88, 0xfa, 0x6c, 0x27, 0x1d, 0x8a, 0xa6, + 0x01, 0x3d, 0xf8, 0x9a, 0xe6, 0x47, 0x01, 0x54, 0x49, 0x7c, 0x4a, 0xc8, + 0x61, 0xbe, 0x2a, 0x1c, 0x65, 0xeb, 0xff, 0xec, 0x13, 0x9b, 0xf7, 0xaa, + 0xba, 0x3a, 0x81, 0xc7, 0xc5, 0xcd, 0xd8, 0x4d, 0xa9, 0xaf, 0x5d, 0x3e, + 0xdf, 0xb9, 0x57, 0x84, 0x80, 0x74, 0x68, 0x6b, 0x58, 0x37, 0xec, 0xbc, + 0xb6, 0xa4, 0x1c, 0x50}, + priv_key_1b, + true}, + + // a random ciphertext that generates a fake 11 byte plaintext + // and fails padding check + {76, + {0xaf, 0x9a, 0xc7, 0x01, 0x91, 0xc9, 0x24, 0x13, 0xcb, 0x9f, 0x2d}, + {0x5f, 0x02, 0xf4, 0xb1, 0xf4, 0x69, 0x35, 0xc7, 0x42, 0xeb, 0xe6, 0x2b, + 0x6f, 0x05, 0xaa, 0x0a, 0x32, 0x86, 0xaa, 0xb9, 0x1a, 0x49, 0xb3, 0x47, + 0x80, 0xad, 0xde, 0x64, 0x10, 0xab, 0x46, 0xf7, 0x38, 0x6e, 0x05, 0x74, + 0x83, 0x31, 0x86, 0x4a, 0xc9, 0x8e, 0x1d, 0xa6, 0x36, 0x86, 0xe4, 0xba, + 0xbe, 0x3a, 0x19, 0xed, 0x40, 0xa7, 0xf5, 0xce, 0xef, 0xb8, 0x91, 0x79, + 0x59, 0x6a, 0xab, 0x07, 0xab, 0x10, 0x15, 0xe0, 0x3b, 0x8f, 0x82, 0x50, + 
0x84, 0xda, 0xb0, 0x28, 0xb6, 0x73, 0x12, 0x88, 0xf2, 0xe5, 0x11, 0xa4, + 0xb3, 0x14, 0xb6, 0xea, 0x39, 0x97, 0xd2, 0xe8, 0xfe, 0x28, 0x25, 0xce, + 0xf8, 0x89, 0x7c, 0xbb, 0xdf, 0xb6, 0xc9, 0x39, 0xd4, 0x41, 0xd6, 0xe0, + 0x49, 0x48, 0x41, 0x4b, 0xb6, 0x9e, 0x68, 0x29, 0x27, 0xef, 0x85, 0x76, + 0xc9, 0xa7, 0x09, 0x0d, 0x4a, 0xad, 0x0e, 0x74, 0xc5, 0x20, 0xd6, 0xd5, + 0xce, 0x63, 0xa1, 0x54, 0x72, 0x0f, 0x00, 0xb7, 0x6d, 0xe8, 0xcc, 0x55, + 0x0b, 0x1a, 0xa1, 0x4f, 0x01, 0x6d, 0x63, 0xa7, 0xb6, 0xd6, 0xea, 0xa1, + 0xf7, 0xdb, 0xe9, 0xe5, 0x02, 0x00, 0xd3, 0x15, 0x9b, 0x3d, 0x09, 0x9c, + 0x90, 0x01, 0x16, 0xbf, 0x4e, 0xba, 0x3b, 0x94, 0x20, 0x4f, 0x18, 0xb1, + 0x31, 0x7b, 0x07, 0x52, 0x97, 0x51, 0xab, 0xf6, 0x4a, 0x26, 0xb0, 0xa0, + 0xbf, 0x1c, 0x8c, 0xe7, 0x57, 0x33, 0x3b, 0x3d, 0x67, 0x32, 0x11, 0xb6, + 0x7c, 0xc0, 0x65, 0x3f, 0x2f, 0xe2, 0x62, 0x0d, 0x57, 0xc8, 0xb6, 0xee, + 0x57, 0x4a, 0x03, 0x23, 0xa1, 0x67, 0xea, 0xb1, 0x10, 0x6d, 0x9b, 0xc7, + 0xfd, 0x90, 0xd4, 0x15, 0xbe, 0x5f, 0x1e, 0x98, 0x91, 0xa0, 0xe6, 0xc7, + 0x09, 0xf4, 0xfc, 0x04, 0x04, 0xe8, 0x22, 0x6f, 0x84, 0x77, 0xb4, 0xe9, + 0x39, 0xb3, 0x6e, 0xb2}, + priv_key_1b, + true}, + + // an otherwise correct plaintext, but with wrong first byte + // (0x01 instead of 0x00), generates a random 11 byte long plaintext + {77, + {0xa1, 0xf8, 0xc9, 0x25, 0x5c, 0x35, 0xcf, 0xba, 0x40, 0x3c, 0xcc}, + {0x9b, 0x2e, 0xc9, 0xc0, 0xc9, 0x17, 0xc9, 0x8f, 0x1a, 0xd3, 0xd0, 0x11, + 0x9a, 0xec, 0x6b, 0xe5, 0x1a, 0xe3, 0x10, 0x6e, 0x9a, 0xf1, 0x91, 0x4d, + 0x48, 0x60, 0x0a, 0xb6, 0xa2, 0xc0, 0xc0, 0xc8, 0xae, 0x02, 0xa2, 0xdc, + 0x30, 0x39, 0x90, 0x6f, 0xf3, 0xaa, 0xc9, 0x04, 0xaf, 0x32, 0xec, 0x79, + 0x8f, 0xd6, 0x5f, 0x3a, 0xd1, 0xaf, 0xa2, 0xe6, 0x94, 0x00, 0xe7, 0xc1, + 0xde, 0x81, 0xf5, 0x72, 0x8f, 0x3b, 0x32, 0x91, 0xf3, 0x82, 0x63, 0xbc, + 0x7a, 0x90, 0xa0, 0x56, 0x3e, 0x43, 0xce, 0x7a, 0x0d, 0x4e, 0xe9, 0xc0, + 0xd8, 0xa7, 0x16, 0x62, 0x1c, 0xa5, 0xd3, 0xd0, 0x81, 0x18, 0x87, 0x69, + 0xce, 0x1b, 0x13, 0x1a, 0xf7, 
0xd3, 0x5b, 0x13, 0xde, 0xa9, 0x91, 0x53, + 0x57, 0x9c, 0x86, 0xdb, 0x31, 0xfe, 0x07, 0xd5, 0xa2, 0xc1, 0x4d, 0x62, + 0x1b, 0x77, 0x85, 0x4e, 0x48, 0xa8, 0xdf, 0x41, 0xb5, 0x79, 0x85, 0x63, + 0xaf, 0x48, 0x9a, 0x29, 0x1e, 0x41, 0x7b, 0x6a, 0x33, 0x4c, 0x63, 0x22, + 0x26, 0x27, 0x37, 0x61, 0x18, 0xc0, 0x2c, 0x53, 0xb6, 0xe8, 0x63, 0x10, + 0xf7, 0x28, 0x73, 0x4f, 0xfc, 0x86, 0xef, 0x9d, 0x7c, 0x8b, 0xf5, 0x6c, + 0x0c, 0x84, 0x1b, 0x24, 0xb8, 0x2b, 0x59, 0xf5, 0x1a, 0xee, 0x45, 0x26, + 0xba, 0x1c, 0x42, 0x68, 0x50, 0x6d, 0x30, 0x1e, 0x4e, 0xbc, 0x49, 0x8c, + 0x6a, 0xeb, 0xb6, 0xfd, 0x52, 0x58, 0xc8, 0x76, 0xbf, 0x90, 0x0b, 0xac, + 0x8c, 0xa4, 0xd3, 0x09, 0xdd, 0x52, 0x2f, 0x6a, 0x63, 0x43, 0x59, 0x9a, + 0x8b, 0xc3, 0x76, 0x0f, 0x42, 0x2c, 0x10, 0xc7, 0x2d, 0x0a, 0xd5, 0x27, + 0xce, 0x4a, 0xf1, 0x87, 0x41, 0x24, 0xac, 0xe3, 0xd9, 0x9b, 0xb7, 0x4d, + 0xb8, 0xd6, 0x9d, 0x25, 0x28, 0xdb, 0x22, 0xc3, 0xa3, 0x76, 0x44, 0x64, + 0x0f, 0x95, 0xc0, 0x5f}, + priv_key_1b, + true}, + + // an otherwise correct plaintext, but with wrong second byte + // (0x01 instead of 0x02), generates a random 11 byte long plaintext + {78, + {0xe6, 0xd7, 0x00, 0x30, 0x9c, 0xa0, 0xed, 0x62, 0x45, 0x22, 0x54}, + {0x78, 0x2c, 0x2b, 0x59, 0xa2, 0x1a, 0x51, 0x12, 0x43, 0x82, 0x0a, 0xce, + 0xdd, 0x56, 0x7c, 0x13, 0x6f, 0x6d, 0x30, 0x90, 0xc1, 0x15, 0x23, 0x2a, + 0x82, 0xa5, 0xef, 0xb0, 0xb1, 0x78, 0x28, 0x5f, 0x55, 0xb5, 0xec, 0x2d, + 0x2b, 0xac, 0x96, 0xbf, 0x00, 0xd6, 0x59, 0x2e, 0xa7, 0xcd, 0xc3, 0x34, + 0x16, 0x10, 0xc8, 0xfb, 0x07, 0xe5, 0x27, 0xe5, 0xe2, 0xd2, 0x0c, 0xfa, + 0xf2, 0xc7, 0xf2, 0x3e, 0x37, 0x54, 0x31, 0xf4, 0x5e, 0x99, 0x89, 0x29, + 0xa0, 0x2f, 0x25, 0xfd, 0x95, 0x35, 0x4c, 0x33, 0x83, 0x80, 0x90, 0xbc, + 0xa8, 0x38, 0x50, 0x22, 0x59, 0xe9, 0x2d, 0x86, 0xd5, 0x68, 0xbc, 0x2c, + 0xdb, 0x13, 0x2f, 0xab, 0x2a, 0x39, 0x95, 0x93, 0xca, 0x60, 0xa0, 0x15, + 0xdc, 0x2b, 0xb1, 0xaf, 0xcd, 0x64, 0xfe, 0xf8, 0xa3, 0x83, 0x4e, 0x17, + 0xe5, 0x35, 0x8d, 0x82, 0x29, 0x80, 0xdc, 0x44, 0x6e, 0x84, 
0x5b, 0x3a, + 0xb4, 0x70, 0x2b, 0x1e, 0xe4, 0x1f, 0xe5, 0xdb, 0x71, 0x6d, 0x92, 0x34, + 0x8d, 0x50, 0x91, 0xc1, 0x5d, 0x35, 0xa1, 0x10, 0x55, 0x5a, 0x35, 0xde, + 0xb4, 0x65, 0x0a, 0x5a, 0x1d, 0x2c, 0x98, 0x02, 0x5d, 0x42, 0xd4, 0x54, + 0x4f, 0x8b, 0x32, 0xaa, 0x6a, 0x5e, 0x02, 0xdc, 0x02, 0xde, 0xae, 0xd9, + 0xa7, 0x31, 0x3b, 0x73, 0xb4, 0x9b, 0x0d, 0x47, 0x72, 0xa3, 0x76, 0x8b, + 0x0e, 0xa0, 0xdb, 0x58, 0x46, 0xac, 0xe6, 0x56, 0x9c, 0xae, 0x67, 0x7b, + 0xf6, 0x7f, 0xb0, 0xac, 0xf3, 0xc2, 0x55, 0xdc, 0x01, 0xec, 0x84, 0x00, + 0xc9, 0x63, 0xb6, 0xe4, 0x9b, 0x10, 0x67, 0x72, 0x8b, 0x4e, 0x56, 0x3d, + 0x7e, 0x1e, 0x15, 0x15, 0x66, 0x43, 0x47, 0xb9, 0x2e, 0xe6, 0x4d, 0xb7, + 0xef, 0xb5, 0x45, 0x23, 0x57, 0xa0, 0x2f, 0xff, 0x7f, 0xcb, 0x74, 0x37, + 0xab, 0xc2, 0xe5, 0x79}, + priv_key_1b, + true}, + + // an otherwise correct plaintext, but with wrong second byte + // (0x00 instead of 0x02), and a 0x02 on third position, generates a + // random 11 byte long plaintext + {79, + {0x3d, 0x4a, 0x05, 0x4d, 0x93, 0x58, 0x20, 0x9e, 0x9c, 0xbb, 0xb9}, + {0x17, 0x86, 0x55, 0x0c, 0xe8, 0xd8, 0x43, 0x30, 0x52, 0xe0, 0x1e, 0xcb, + 0xa8, 0xb7, 0x6d, 0x30, 0x19, 0xf1, 0x35, 0x5b, 0x21, 0x2a, 0xc9, 0xd0, + 0xf5, 0x19, 0x1b, 0x02, 0x33, 0x25, 0xa7, 0xe7, 0x71, 0x4b, 0x78, 0x02, + 0xf8, 0xe9, 0xa1, 0x7c, 0x4c, 0xb3, 0xcd, 0x3a, 0x84, 0x04, 0x18, 0x91, + 0x47, 0x1b, 0x10, 0xca, 0x1f, 0xcf, 0xb5, 0xd0, 0x41, 0xd3, 0x4c, 0x82, + 0xe6, 0xd0, 0x01, 0x1c, 0xf4, 0xdc, 0x76, 0xb9, 0x0e, 0x9c, 0x2e, 0x07, + 0x43, 0x59, 0x05, 0x79, 0xd5, 0x5b, 0xcd, 0x78, 0x57, 0x05, 0x71, 0x52, + 0xc4, 0xa8, 0x04, 0x03, 0x61, 0x34, 0x3d, 0x1d, 0x22, 0xba, 0x67, 0x7d, + 0x62, 0xb0, 0x11, 0x40, 0x7c, 0x65, 0x2e, 0x23, 0x4b, 0x1d, 0x66, 0x3a, + 0xf2, 0x5e, 0x23, 0x86, 0x25, 0x1d, 0x74, 0x09, 0x19, 0x0f, 0x19, 0xfc, + 0x8e, 0xc3, 0xf9, 0x37, 0x4f, 0xdf, 0x12, 0x54, 0x63, 0x38, 0x74, 0xce, + 0x2e, 0xc2, 0xbf, 0xf4, 0x0a, 0xd0, 0xcb, 0x47, 0x3f, 0x97, 0x61, 0xec, + 0x7b, 0x68, 0xda, 0x45, 0xa4, 0xbd, 0x5e, 0x33, 0xf5, 
0xd7, 0xda, 0xc9, + 0xb9, 0xa2, 0x08, 0x21, 0xdf, 0x94, 0x06, 0xb6, 0x53, 0xf7, 0x8a, 0x95, + 0xa6, 0xc0, 0xea, 0x0a, 0x4d, 0x57, 0xf8, 0x67, 0xe4, 0xdb, 0x22, 0xc1, + 0x7b, 0xf9, 0xa1, 0x2c, 0x15, 0x0f, 0x80, 0x9a, 0x7b, 0x72, 0xb6, 0xdb, + 0x86, 0xc2, 0x2a, 0x87, 0x32, 0x24, 0x1e, 0xbf, 0x3c, 0x6a, 0x4f, 0x2c, + 0xf8, 0x26, 0x71, 0xd9, 0x17, 0xab, 0xa8, 0xbc, 0x61, 0x05, 0x2b, 0x40, + 0xcc, 0xdd, 0xd7, 0x43, 0xa9, 0x4e, 0xa9, 0xb5, 0x38, 0x17, 0x51, 0x06, + 0x20, 0x19, 0x71, 0xcc, 0xa9, 0xd1, 0x36, 0xd2, 0x50, 0x81, 0x73, 0x9a, + 0xaf, 0x6c, 0xd1, 0x8b, 0x2a, 0xec, 0xf9, 0xad, 0x32, 0x0e, 0xa3, 0xf8, + 0x95, 0x02, 0xf9, 0x55}, + priv_key_1b, + true}, + + // an otherwise correct plaintext, but with a null byte on third + // position (first byte of padding), generates a random 11 byte + // long payload + {80, + {0x1f, 0x03, 0x7d, 0xd7, 0x17, 0xb0, 0x7d, 0x3e, 0x7f, 0x73, 0x59}, + {0x17, 0x95, 0x98, 0x82, 0x38, 0x12, 0xd2, 0xc5, 0x8a, 0x7e, 0xb5, 0x05, + 0x21, 0x15, 0x0a, 0x48, 0xbc, 0xca, 0x8b, 0x4e, 0xb5, 0x34, 0x14, 0x01, + 0x8b, 0x6b, 0xca, 0x19, 0xf4, 0x80, 0x14, 0x56, 0xc5, 0xe3, 0x6a, 0x94, + 0x00, 0x37, 0xac, 0x51, 0x6b, 0x0d, 0x64, 0x12, 0xba, 0x44, 0xec, 0x6b, + 0x4f, 0x26, 0x8a, 0x55, 0xef, 0x1c, 0x5f, 0xfb, 0xf1, 0x8a, 0x2f, 0x4e, + 0x35, 0x22, 0xbb, 0x7b, 0x6e, 0xd8, 0x97, 0x74, 0xb7, 0x9b, 0xff, 0xa2, + 0x2f, 0x7d, 0x31, 0x02, 0x16, 0x55, 0x65, 0x64, 0x2d, 0xe0, 0xd4, 0x3a, + 0x95, 0x5e, 0x96, 0xa1, 0xf2, 0xe8, 0x0e, 0x54, 0x30, 0x67, 0x1d, 0x72, + 0x66, 0xeb, 0x4f, 0x90, 0x5d, 0xc8, 0xff, 0x5e, 0x10, 0x6d, 0xc5, 0x58, + 0x8e, 0x5b, 0x02, 0x89, 0xe4, 0x9a, 0x49, 0x13, 0x94, 0x0e, 0x39, 0x2a, + 0x97, 0x06, 0x26, 0x16, 0xd2, 0xbd, 0xa3, 0x81, 0x55, 0x47, 0x1b, 0x7d, + 0x36, 0x0c, 0xfb, 0x94, 0x68, 0x1c, 0x70, 0x2f, 0x60, 0xed, 0x2d, 0x4d, + 0xe6, 0x14, 0xea, 0x72, 0xbf, 0x1c, 0x53, 0x16, 0x0e, 0x63, 0x17, 0x9f, + 0x6c, 0x5b, 0x89, 0x7b, 0x59, 0x49, 0x2b, 0xee, 0x21, 0x91, 0x08, 0x30, + 0x9f, 0x0b, 0x7b, 0x8c, 0xb2, 0xb1, 0x36, 0xc3, 0x46, 0xa5, 0xe9, 
0x8b, + 0x8b, 0x4b, 0x84, 0x15, 0xfb, 0x1d, 0x71, 0x3b, 0xae, 0x06, 0x79, 0x11, + 0xe3, 0x05, 0x7f, 0x1c, 0x33, 0x5b, 0x4b, 0x7e, 0x39, 0x10, 0x1e, 0xaf, + 0xd5, 0xd2, 0x8f, 0x01, 0x89, 0x03, 0x7e, 0x43, 0x34, 0xf4, 0xfd, 0xb9, + 0x03, 0x84, 0x27, 0xb1, 0xd1, 0x19, 0xa6, 0x70, 0x2a, 0xa8, 0x23, 0x33, + 0x19, 0xcc, 0x97, 0xd4, 0x96, 0xcc, 0x28, 0x9a, 0xe8, 0xc9, 0x56, 0xdd, + 0xc8, 0x40, 0x42, 0x65, 0x9a, 0x2d, 0x43, 0xd6, 0xaa, 0x22, 0xf1, 0x2b, + 0x81, 0xab, 0x88, 0x4e}, + priv_key_1b, + true}, + + // an otherwise correct plaintext, but with a null byte on tenth + // position (eight byte of padding), generates a random 11 byte long + // plaintext + {81, + {0x63, 0xcb, 0x0b, 0xf6, 0x5f, 0xc8, 0x25, 0x5d, 0xd2, 0x9e, 0x17}, + {0xa7, 0xa3, 0x40, 0x67, 0x5a, 0x82, 0xc3, 0x0e, 0x22, 0x21, 0x9a, 0x55, + 0xbc, 0x07, 0xcd, 0xf3, 0x6d, 0x47, 0xd0, 0x18, 0x34, 0xc1, 0x83, 0x4f, + 0x91, 0x7f, 0x18, 0xb5, 0x17, 0x41, 0x9c, 0xe9, 0xde, 0x2a, 0x96, 0x46, + 0x0e, 0x74, 0x50, 0x24, 0x43, 0x64, 0x70, 0xed, 0x85, 0xe9, 0x42, 0x97, + 0xb2, 0x83, 0x53, 0x7d, 0x52, 0x18, 0x9c, 0x40, 0x6a, 0x3f, 0x53, 0x3c, + 0xb4, 0x05, 0xcc, 0x6a, 0x9d, 0xba, 0x46, 0xb4, 0x82, 0xce, 0x98, 0xb6, + 0xe3, 0xdd, 0x52, 0xd8, 0xfc, 0xe2, 0x23, 0x74, 0x25, 0x61, 0x7e, 0x38, + 0xc1, 0x1f, 0xbc, 0x46, 0xb6, 0x18, 0x97, 0xef, 0x20, 0x0d, 0x01, 0xe4, + 0xf2, 0x5f, 0x5f, 0x6c, 0x4c, 0x5b, 0x38, 0xcd, 0x0d, 0xe3, 0x8b, 0xa1, + 0x19, 0x08, 0xb8, 0x65, 0x95, 0xa8, 0x03, 0x6a, 0x08, 0xa4, 0x2a, 0x3d, + 0x05, 0xb7, 0x96, 0x00, 0xa9, 0x7a, 0xc1, 0x8b, 0xa3, 0x68, 0xa0, 0x8d, + 0x6c, 0xf6, 0xcc, 0xb6, 0x24, 0xf6, 0xe8, 0x00, 0x2a, 0xfc, 0x75, 0x59, + 0x9f, 0xba, 0x4d, 0xe3, 0xd4, 0xf3, 0xba, 0x7d, 0x20, 0x83, 0x91, 0xeb, + 0xe8, 0xd2, 0x1f, 0x82, 0x82, 0xb1, 0x8e, 0x2c, 0x10, 0x86, 0x9e, 0xb2, + 0x70, 0x2e, 0x68, 0xf9, 0x17, 0x6b, 0x42, 0xb0, 0xdd, 0xc9, 0xd7, 0x63, + 0xf0, 0xc8, 0x6b, 0xa0, 0xff, 0x92, 0xc9, 0x57, 0xaa, 0xea, 0xb7, 0x6d, + 0x9a, 0xb8, 0xda, 0x52, 0xea, 0x29, 0x7e, 0xc1, 0x1d, 0x92, 0xd7, 0x70, + 0x14, 
0x6f, 0xaa, 0x1b, 0x30, 0x0e, 0x0f, 0x91, 0xef, 0x96, 0x9b, 0x53, + 0xe7, 0xd2, 0x90, 0x7f, 0xfc, 0x98, 0x4e, 0x9a, 0x9c, 0x9d, 0x11, 0xfb, + 0x7d, 0x6c, 0xba, 0x91, 0x97, 0x20, 0x59, 0xb4, 0x65, 0x06, 0xb0, 0x35, + 0xef, 0xec, 0x65, 0x75, 0xc4, 0x6d, 0x71, 0x14, 0xa6, 0xb9, 0x35, 0x86, + 0x48, 0x58, 0x44, 0x5f}, + priv_key_1b, + true}, + + // an otherwise correct plaintext, but with missing zero separator + // decrypts to 11 byte random synthethic plaintext + {82, + {0x6f, 0x09, 0xa0, 0xb6, 0x26, 0x99, 0x33, 0x7c, 0x49, 0x7b, 0x0b}, + {0x3d, 0x1b, 0x97, 0xe7, 0xaa, 0x34, 0xea, 0xf1, 0xf4, 0xfc, 0x17, 0x1c, + 0xeb, 0x11, 0xdc, 0xff, 0xfd, 0x9a, 0x46, 0xa5, 0xb6, 0x96, 0x12, 0x05, + 0xb1, 0x0b, 0x30, 0x28, 0x18, 0xc1, 0xfc, 0xc9, 0xf4, 0xec, 0x78, 0xbf, + 0x18, 0xea, 0x0c, 0xee, 0x7e, 0x9f, 0xa5, 0xb1, 0x6f, 0xb4, 0xc6, 0x11, + 0x46, 0x3b, 0x36, 0x8b, 0x33, 0x12, 0xac, 0x11, 0xcf, 0x9c, 0x06, 0xb7, + 0xcf, 0x72, 0xb5, 0x4e, 0x28, 0x48, 0x48, 0xa5, 0x08, 0xd3, 0xf0, 0x23, + 0x28, 0xc6, 0x2c, 0x29, 0x99, 0xd0, 0xfb, 0x60, 0x92, 0x9f, 0x81, 0x78, + 0x3c, 0x7a, 0x25, 0x68, 0x91, 0xbc, 0x2f, 0xf4, 0xd9, 0x1d, 0xf2, 0xaf, + 0x96, 0xa2, 0x4f, 0xc5, 0x70, 0x1a, 0x18, 0x23, 0xaf, 0x93, 0x9c, 0xe6, + 0xdb, 0xdc, 0x51, 0x06, 0x08, 0xe3, 0xd4, 0x1e, 0xec, 0x17, 0x2a, 0xd2, + 0xd5, 0x1b, 0x9f, 0xc6, 0x1b, 0x42, 0x17, 0xc9, 0x23, 0xca, 0xdc, 0xf5, + 0xba, 0xc3, 0x21, 0x35, 0x5e, 0xf8, 0xbe, 0x5e, 0x5f, 0x09, 0x0c, 0xdc, + 0x2b, 0xd0, 0xc6, 0x97, 0xd9, 0x05, 0x82, 0x47, 0xdb, 0x3a, 0xd6, 0x13, + 0xfd, 0xce, 0x87, 0xd2, 0x95, 0x5a, 0x6d, 0x1c, 0x94, 0x8a, 0x51, 0x60, + 0xf9, 0x3d, 0xa2, 0x1f, 0x73, 0x1d, 0x74, 0x13, 0x7f, 0x5d, 0x1f, 0x53, + 0xa1, 0x92, 0x3a, 0xdb, 0x51, 0x3d, 0x2e, 0x6e, 0x15, 0x89, 0xd4, 0x4c, + 0xc0, 0x79, 0xf4, 0xc6, 0xdd, 0xd4, 0x71, 0xd3, 0x8a, 0xc8, 0x2d, 0x20, + 0xd8, 0xb1, 0xd2, 0x1f, 0x8d, 0x65, 0xf3, 0xb6, 0x90, 0x70, 0x86, 0x80, + 0x9f, 0x41, 0x23, 0xe0, 0x8d, 0x86, 0xfb, 0x38, 0x72, 0x95, 0x85, 0xde, + 0x02, 0x6a, 0x48, 0x5d, 0x8f, 0x0e, 0x70, 0x3f, 
0xd4, 0x77, 0x2f, 0x66, + 0x68, 0xfe, 0xbf, 0x67, 0xdf, 0x94, 0x7b, 0x82, 0x19, 0x5f, 0xa3, 0x86, + 0x7e, 0x3a, 0x30, 0x65}, + priv_key_1b, + true}, + + // + // Bleichenbacher 2049 keys + // malformed plaintext that generates a fake plaintext of length + // specified by 3rd length from the end of PRF output + {83, + {0x42}, + {0x00, 0xb2, 0x6f, 0x64, 0x04, 0xb8, 0x26, 0x49, 0x62, 0x9f, 0x27, 0x04, + 0x49, 0x42, 0x82, 0x44, 0x37, 0x76, 0x92, 0x91, 0x22, 0xe2, 0x79, 0xa9, + 0xcf, 0x30, 0xb0, 0xc6, 0xfe, 0x81, 0x22, 0xa0, 0xa9, 0x04, 0x28, 0x70, + 0xd9, 0x7c, 0xc8, 0xef, 0x65, 0x49, 0x0f, 0xe5, 0x8f, 0x03, 0x1e, 0xb2, + 0x44, 0x23, 0x52, 0x19, 0x1f, 0x5f, 0xbc, 0x31, 0x10, 0x26, 0xb5, 0x14, + 0x7d, 0x32, 0xdf, 0x91, 0x45, 0x99, 0xf3, 0x8b, 0x82, 0x5e, 0xbb, 0x82, + 0x4a, 0xf0, 0xd6, 0x3f, 0x2d, 0x54, 0x1a, 0x24, 0x5c, 0x57, 0x75, 0xd1, + 0xc4, 0xb7, 0x86, 0x30, 0xe4, 0x99, 0x6c, 0xc5, 0xfe, 0x41, 0x3d, 0x38, + 0x45, 0x5a, 0x77, 0x6c, 0xf4, 0xed, 0xcc, 0x0a, 0xa7, 0xfc, 0xcb, 0x31, + 0xc5, 0x84, 0xd6, 0x05, 0x02, 0xed, 0x2b, 0x77, 0x39, 0x8f, 0x53, 0x6e, + 0x13, 0x7f, 0xf7, 0xba, 0x64, 0x30, 0xe9, 0x25, 0x8e, 0x21, 0xc2, 0xdb, + 0x5b, 0x82, 0xf5, 0x38, 0x0f, 0x56, 0x68, 0x76, 0x11, 0x0a, 0xc4, 0xc7, + 0x59, 0x17, 0x89, 0x00, 0xfb, 0xad, 0x7a, 0xb7, 0x0e, 0xa0, 0x7b, 0x1d, + 0xaf, 0x7a, 0x16, 0x39, 0xcb, 0xb4, 0x19, 0x65, 0x43, 0xa6, 0xcb, 0xe8, + 0x27, 0x1f, 0x35, 0xdd, 0xdb, 0x81, 0x20, 0x30, 0x4f, 0x6e, 0xef, 0x83, + 0x05, 0x9e, 0x1c, 0x5c, 0x56, 0x78, 0x71, 0x0f, 0x90, 0x4a, 0x6d, 0x76, + 0x0c, 0x4d, 0x1d, 0x8a, 0xd0, 0x76, 0xbe, 0x17, 0x90, 0x4b, 0x9e, 0x69, + 0x91, 0x00, 0x40, 0xb4, 0x79, 0x14, 0xa0, 0x17, 0x6f, 0xb7, 0xee, 0xa0, + 0xc0, 0x64, 0x44, 0xa6, 0xc4, 0xb8, 0x6d, 0x67, 0x4d, 0x19, 0xa5, 0x56, + 0xa1, 0xde, 0x54, 0x90, 0x37, 0x3c, 0xb0, 0x1c, 0xe3, 0x1b, 0xbd, 0x15, + 0xa5, 0x63, 0x33, 0x62, 0xd3, 0xd2, 0xcd, 0x7d, 0x4a, 0xf1, 0xb4, 0xc5, + 0x12, 0x12, 0x88, 0xb8, 0x94}, + priv_key_2b, + true}, + + // a valid ciphertext that starts with a null byte, 
decrypts to 11 byte + // long value + {84, + // lorem ipsum + {0x6c, 0x6f, 0x72, 0x65, 0x6d, 0x20, 0x69, 0x70, 0x73, 0x75, 0x6d}, + {0x01, 0x33, 0x00, 0xed, 0xbf, 0x0b, 0xb3, 0x57, 0x1e, 0x59, 0x88, 0x9f, + 0x7e, 0xd7, 0x69, 0x70, 0xbf, 0x6d, 0x57, 0xe1, 0xc8, 0x9b, 0xbb, 0x6d, + 0x1c, 0x39, 0x91, 0xd9, 0xdf, 0x8e, 0x65, 0xed, 0x54, 0xb5, 0x56, 0xd9, + 0x28, 0xda, 0x7d, 0x76, 0x8f, 0xac, 0xb3, 0x95, 0xbb, 0xcc, 0x81, 0xe9, + 0xf8, 0x57, 0x3b, 0x45, 0xcf, 0x81, 0x95, 0xdb, 0xd8, 0x5d, 0x83, 0xa5, + 0x92, 0x81, 0xcd, 0xdf, 0x41, 0x63, 0xae, 0xc1, 0x1b, 0x53, 0xb4, 0x14, + 0x00, 0x53, 0xe3, 0xbd, 0x10, 0x9f, 0x78, 0x7a, 0x7c, 0x3c, 0xec, 0x31, + 0xd5, 0x35, 0xaf, 0x1f, 0x50, 0xe0, 0x59, 0x8d, 0x85, 0xd9, 0x6d, 0x91, + 0xea, 0x01, 0x91, 0x3d, 0x07, 0x09, 0x7d, 0x25, 0xaf, 0x99, 0xc6, 0x74, + 0x64, 0xeb, 0xf2, 0xbb, 0x39, 0x6f, 0xb2, 0x8a, 0x92, 0x33, 0xe5, 0x6f, + 0x31, 0xf7, 0xe1, 0x05, 0xd7, 0x1a, 0x23, 0xe9, 0xef, 0x3b, 0x73, 0x6d, + 0x1e, 0x80, 0xe7, 0x13, 0xd1, 0x69, 0x17, 0x13, 0xdf, 0x97, 0x33, 0x47, + 0x79, 0x55, 0x2f, 0xc9, 0x4b, 0x40, 0xdd, 0x73, 0x3c, 0x72, 0x51, 0xbc, + 0x52, 0x2b, 0x67, 0x3d, 0x3e, 0xc9, 0x35, 0x4a, 0xf3, 0xdd, 0x4a, 0xd4, + 0x4f, 0xa7, 0x1c, 0x06, 0x62, 0x21, 0x3a, 0x57, 0xad, 0xa1, 0xd7, 0x51, + 0x49, 0x69, 0x7d, 0x0e, 0xb5, 0x5c, 0x05, 0x3a, 0xae, 0xd5, 0xff, 0xd0, + 0xb8, 0x15, 0x83, 0x2f, 0x45, 0x41, 0x79, 0x51, 0x9d, 0x37, 0x36, 0xfb, + 0x4f, 0xaf, 0x80, 0x84, 0x16, 0x07, 0x1d, 0xb0, 0xd0, 0xf8, 0x01, 0xac, + 0xa8, 0x54, 0x83, 0x11, 0xee, 0x70, 0x8c, 0x13, 0x1f, 0x4b, 0xe6, 0x58, + 0xb1, 0x5f, 0x6b, 0x54, 0x25, 0x68, 0x72, 0xc2, 0x90, 0x3a, 0xc7, 0x08, + 0xbd, 0x43, 0xb0, 0x17, 0xb0, 0x73, 0xb5, 0x70, 0x7b, 0xc8, 0x4c, 0x2c, + 0xd9, 0xda, 0x70, 0xe9, 0x67}, + priv_key_2b, + true}, + + // a valid ciphertext that starts with a null byte, decrypts to 11 byte + // long value + {85, + // lorem ipsum + {0x6c, 0x6f, 0x72, 0x65, 0x6d, 0x20, 0x69, 0x70, 0x73, 0x75, 0x6d}, + {0x00, 0x02, 0xaa, 0xdf, 0x84, 0x6a, 0x32, 0x9f, 0xad, 0xc6, 0x76, 
0x09, + 0x80, 0x30, 0x3d, 0xbd, 0x87, 0xbf, 0xad, 0xfa, 0x78, 0xc2, 0x01, 0x5c, + 0xe4, 0xd6, 0xc5, 0x78, 0x2f, 0xd9, 0xd3, 0xf1, 0x07, 0x8b, 0xd3, 0xc0, + 0xa2, 0xc5, 0xbf, 0xbd, 0xd1, 0xc0, 0x24, 0x55, 0x2e, 0x50, 0x54, 0xd9, + 0x8b, 0x5b, 0xcd, 0xc9, 0x4e, 0x47, 0x6d, 0xd2, 0x80, 0xe6, 0x4d, 0x65, + 0x00, 0x89, 0x32, 0x65, 0x42, 0xce, 0x7c, 0x61, 0xd4, 0xf1, 0xab, 0x40, + 0x00, 0x4c, 0x2e, 0x6a, 0x88, 0xa8, 0x83, 0x61, 0x35, 0x68, 0x55, 0x6a, + 0x10, 0xf3, 0xf9, 0xed, 0xea, 0xb6, 0x7a, 0xe8, 0xdd, 0xdc, 0x1e, 0x6b, + 0x08, 0x31, 0xc2, 0x79, 0x3d, 0x27, 0x15, 0xde, 0x94, 0x3f, 0x7c, 0xe3, + 0x4c, 0x5c, 0x05, 0xd1, 0xb0, 0x9f, 0x14, 0x43, 0x1f, 0xde, 0x56, 0x6d, + 0x17, 0xe7, 0x6c, 0x9f, 0xee, 0xe9, 0x0d, 0x86, 0xa2, 0xc1, 0x58, 0x61, + 0x6e, 0xc8, 0x1d, 0xda, 0x0c, 0x64, 0x2f, 0x58, 0xc0, 0xba, 0x8f, 0xa4, + 0x49, 0x58, 0x43, 0x12, 0x4a, 0x72, 0x35, 0xd4, 0x6f, 0xb4, 0x06, 0x97, + 0x15, 0xa5, 0x1b, 0xf7, 0x10, 0xfd, 0x02, 0x42, 0x59, 0x13, 0x1b, 0xa9, + 0x4d, 0xa7, 0x35, 0x97, 0xac, 0xe4, 0x94, 0x85, 0x6c, 0x94, 0xe7, 0xa3, + 0xec, 0x26, 0x15, 0x45, 0x79, 0x3b, 0x09, 0x90, 0x27, 0x9b, 0x15, 0xfa, + 0x91, 0xc7, 0xfd, 0x13, 0xdb, 0xfb, 0x1d, 0xf2, 0xf2, 0x21, 0xda, 0xb9, + 0xfa, 0x9f, 0x7c, 0x1d, 0x21, 0xe4, 0x8a, 0xa4, 0x9f, 0x6a, 0xae, 0xcb, + 0xab, 0xf5, 0xee, 0x76, 0xdc, 0x6c, 0x2a, 0xf2, 0x31, 0x7f, 0xfb, 0x4e, + 0x30, 0x31, 0x15, 0x38, 0x6a, 0x97, 0xf8, 0x72, 0x9a, 0xfc, 0x3d, 0x0c, + 0x89, 0x41, 0x96, 0x69, 0x23, 0x5f, 0x1a, 0x3a, 0x69, 0x57, 0x0e, 0x08, + 0x36, 0xc7, 0x9f, 0xc1, 0x62}, + priv_key_2b, + true}, + + // a valid ciphertext that starts with two null bytes, decrypts to + // 11 byte long value + {86, + // lorem ipsum + {0x6c, 0x6f, 0x72, 0x65, 0x6d, 0x20, 0x69, 0x70, 0x73, 0x75, 0x6d}, + {0x00, 0x00, 0xf3, 0x6d, 0xa3, 0xb7, 0x2d, 0x8f, 0xf6, 0xde, 0xd7, 0x4e, + 0x7e, 0xfd, 0x08, 0xc0, 0x19, 0x08, 0xf3, 0xf5, 0xf0, 0xde, 0x7b, 0x55, + 0xea, 0xb9, 0x2b, 0x5f, 0x87, 0x51, 0x90, 0x80, 0x9c, 0x39, 0xd4, 0x16, + 0x2e, 0x1e, 0x66, 0x49, 0x61, 0x8f, 0x85, 
0x4f, 0xd8, 0x4a, 0xea, 0xb0, + 0x39, 0x70, 0xd1, 0x6b, 0xb8, 0x14, 0xe9, 0x99, 0x85, 0x2c, 0x06, 0xde, + 0x38, 0xd8, 0x2b, 0x95, 0xc0, 0xf3, 0x2e, 0x2a, 0x7b, 0x57, 0x14, 0x02, + 0x1f, 0xe3, 0x03, 0x38, 0x9b, 0xe9, 0xc0, 0xea, 0xc2, 0x4c, 0x90, 0xa6, + 0xb7, 0x21, 0x0f, 0x92, 0x9d, 0x39, 0x0f, 0xab, 0xf9, 0x03, 0xd4, 0x4e, + 0x04, 0x11, 0x0b, 0xb7, 0xa7, 0xfd, 0x6c, 0x38, 0x3c, 0x27, 0x58, 0x04, + 0x72, 0x1e, 0xfa, 0x6d, 0x7c, 0x93, 0xaa, 0x64, 0xc0, 0xbb, 0x2b, 0x18, + 0xd9, 0x7c, 0x52, 0x20, 0xa8, 0x46, 0xc6, 0x6a, 0x48, 0x95, 0xae, 0x52, + 0xad, 0xdd, 0xbe, 0x2a, 0x99, 0x96, 0x82, 0x5e, 0x01, 0x35, 0x85, 0xad, + 0xce, 0xc4, 0xb3, 0x2b, 0xa6, 0x1d, 0x78, 0x27, 0x37, 0xbd, 0x34, 0x3e, + 0x5f, 0xab, 0xd6, 0x8e, 0x8a, 0x95, 0xb8, 0xb1, 0x34, 0x03, 0x18, 0x55, + 0x98, 0x60, 0x79, 0x2d, 0xd7, 0x0d, 0xff, 0xbe, 0x05, 0xa1, 0x05, 0x2b, + 0x54, 0xcb, 0xfb, 0x48, 0xcf, 0xa7, 0xbb, 0x3c, 0x19, 0xce, 0xa5, 0x20, + 0x76, 0xbd, 0xda, 0xc5, 0xc2, 0x5e, 0xe2, 0x76, 0xf1, 0x53, 0xa6, 0x10, + 0xf6, 0xd0, 0x6e, 0xd6, 0x96, 0xd1, 0x92, 0xd8, 0xae, 0x45, 0x07, 0xff, + 0xae, 0x4e, 0x5b, 0xdd, 0xa1, 0x0a, 0x62, 0x5d, 0x6b, 0x67, 0xf3, 0x2f, + 0x7c, 0xff, 0xcd, 0x48, 0xde, 0xe2, 0x43, 0x1f, 0xe6, 0x6f, 0x61, 0x05, + 0xf9, 0xd1, 0x7e, 0x61, 0x1c, 0xdc, 0xc6, 0x74, 0x86, 0x8e, 0x81, 0x69, + 0x2a, 0x36, 0x0f, 0x40, 0x52}, + priv_key_2b, + true}, + + // a random ciphertext that generates a fake 11 byte plaintext + // and fails the padding check + {87, + {0x11, 0x89, 0xb6, 0xf5, 0x49, 0x8f, 0xd6, 0xdf, 0x53, 0x2b, 0x00}, + {0x00, 0xf9, 0x10, 0x20, 0x08, 0x30, 0xfc, 0x8f, 0xff, 0x47, 0x8e, 0x99, + 0xe1, 0x45, 0xf1, 0x47, 0x4b, 0x31, 0x2e, 0x25, 0x12, 0xd0, 0xf9, 0x0b, + 0x8c, 0xef, 0x77, 0xf8, 0x00, 0x1d, 0x09, 0x86, 0x16, 0x88, 0xc1, 0x56, + 0xd1, 0xcb, 0xaf, 0x8a, 0x89, 0x57, 0xf7, 0xeb, 0xf3, 0x5f, 0x72, 0x44, + 0x66, 0x95, 0x2d, 0x05, 0x24, 0xca, 0xd4, 0x8a, 0xad, 0x4f, 0xba, 0x1e, + 0x45, 0xce, 0x8e, 0xa2, 0x7e, 0x8f, 0x3b, 0xa4, 0x41, 0x31, 0xb7, 0x83, + 0x1b, 0x62, 0xd6, 0x0c, 0x07, 
0x62, 0x66, 0x1f, 0x4c, 0x1d, 0x1a, 0x88, + 0xcd, 0x06, 0x26, 0x3a, 0x25, 0x9a, 0xbf, 0x1b, 0xa9, 0xe6, 0xb0, 0xb1, + 0x72, 0x06, 0x9a, 0xfb, 0x86, 0xa7, 0xe8, 0x83, 0x87, 0x72, 0x6f, 0x8a, + 0xb3, 0xad, 0xb3, 0x0b, 0xfd, 0x6b, 0x3f, 0x6b, 0xe6, 0xd8, 0x5d, 0x5d, + 0xfd, 0x04, 0x4e, 0x7e, 0xf0, 0x52, 0x39, 0x54, 0x74, 0xa9, 0xcb, 0xb1, + 0xc3, 0x66, 0x7a, 0x92, 0x78, 0x0b, 0x43, 0xa2, 0x26, 0x93, 0x01, 0x5a, + 0xf6, 0xc5, 0x13, 0x04, 0x1b, 0xda, 0xf8, 0x7d, 0x43, 0xb2, 0x4d, 0xdd, + 0x24, 0x4e, 0x79, 0x1e, 0xea, 0xea, 0x10, 0x66, 0xe1, 0xf4, 0x91, 0x71, + 0x17, 0xb3, 0xa4, 0x68, 0xe2, 0x2e, 0x0f, 0x73, 0x58, 0x85, 0x2b, 0xb9, + 0x81, 0x24, 0x8d, 0xe4, 0xd7, 0x20, 0xad, 0xd2, 0xd1, 0x5d, 0xcc, 0xba, + 0x62, 0x80, 0x35, 0x59, 0x35, 0xb6, 0x7c, 0x96, 0xf9, 0xdc, 0xb6, 0xc4, + 0x19, 0xcc, 0x38, 0xab, 0x9f, 0x6f, 0xba, 0x2d, 0x64, 0x9e, 0xf2, 0x06, + 0x6e, 0x0c, 0x34, 0xc9, 0xf7, 0x88, 0xae, 0x49, 0xba, 0xbd, 0x90, 0x25, + 0xfa, 0x85, 0xb2, 0x11, 0x13, 0xe5, 0x6c, 0xe4, 0xf4, 0x3a, 0xa1, 0x34, + 0xc5, 0x12, 0xb0, 0x30, 0xdd, 0x7a, 0xc7, 0xce, 0x82, 0xe7, 0x6f, 0x0b, + 0xe9, 0xce, 0x09, 0xeb, 0xca}, + priv_key_2b, + true}, + + // an otherwise correct plaintext, but with wrong first byte + // (0x01 instead of 0x00), generates a random 11 byte long plaintext + {88, + {0xf6, 0xd0, 0xf5, 0xb7, 0x80, 0x82, 0xfe, 0x61, 0xc0, 0x46, 0x74}, + { + 0x00, 0x2c, 0x9d, 0xdc, 0x36, 0xba, 0x4c, 0xf0, 0x03, 0x86, 0x92, 0xb2, + 0xd3, 0xa1, 0xc6, 0x1a, 0x4b, 0xb3, 0x78, 0x6a, 0x97, 0xce, 0x2e, 0x46, + 0xa3, 0xba, 0x74, 0xd0, 0x31, 0x58, 0xae, 0xef, 0x45, 0x6c, 0xe0, 0xf4, + 0xdb, 0x04, 0xdd, 0xa3, 0xfe, 0x06, 0x22, 0x68, 0xa1, 0x71, 0x12, 0x50, + 0xa1, 0x8c, 0x69, 0x77, 0x8a, 0x62, 0x80, 0xd8, 0x8e, 0x13, 0x3a, 0x16, + 0x25, 0x4e, 0x1f, 0x0e, 0x30, 0xce, 0x8d, 0xac, 0x9b, 0x57, 0xd2, 0xe3, + 0x9a, 0x2f, 0x7d, 0x7b, 0xe3, 0xee, 0x4e, 0x08, 0xae, 0xc2, 0xfd, 0xbe, + 0x8d, 0xad, 0xad, 0x7f, 0xdb, 0xf4, 0x42, 0xa2, 0x9a, 0x8f, 0xb4, 0x08, + 0x57, 0x40, 0x7b, 0xf6, 0xbe, 0x35, 0x59, 0x6b, 0x8e, 
0xef, 0xb5, 0xc2, + 0xb3, 0xf5, 0x8b, 0x89, 0x44, 0x52, 0xc2, 0xdc, 0x54, 0xa6, 0x12, 0x3a, + 0x1a, 0x38, 0xd6, 0x42, 0xe2, 0x37, 0x51, 0x74, 0x65, 0x97, 0xe0, 0x8d, + 0x71, 0xac, 0x92, 0x70, 0x4a, 0xdc, 0x17, 0x80, 0x3b, 0x19, 0xe1, 0x31, + 0xb4, 0xd1, 0x92, 0x78, 0x81, 0xf4, 0x3b, 0x02, 0x00, 0xe6, 0xf9, 0x56, + 0x58, 0xf5, 0x59, 0xf9, 0x12, 0xc8, 0x89, 0xb4, 0xcd, 0x51, 0x86, 0x27, + 0x84, 0x36, 0x48, 0x96, 0xcd, 0x6e, 0x86, 0x18, 0xf4, 0x85, 0xa9, 0x92, + 0xf8, 0x29, 0x97, 0xad, 0x6a, 0x09, 0x17, 0xe3, 0x2a, 0xe5, 0x87, 0x2e, + 0xaf, 0x85, 0x00, 0x92, 0xb2, 0xd6, 0xc7, 0x82, 0xad, 0x35, 0xf4, 0x87, + 0xb7, 0x96, 0x82, 0x33, 0x3c, 0x17, 0x50, 0xc6, 0x85, 0xd7, 0xd3, 0x2a, + 0xb3, 0xe1, 0x53, 0x8f, 0x31, 0xdc, 0xaa, 0x5e, 0x7d, 0x5d, 0x28, 0x25, + 0x87, 0x52, 0x42, 0xc8, 0x39, 0x47, 0x30, 0x8d, 0xcf, 0x63, 0xba, 0x4b, + 0xff, 0xf2, 0x03, 0x34, 0xc9, 0xc1, 0x40, 0xc8, 0x37, 0xdb, 0xdb, 0xae, + 0x7a, 0x8d, 0xee, 0x72, 0xff, + }, + priv_key_2b, + true}, + + // an otherwise correct plaintext, but with wrong second byte + // (0x01 instead of 0x02), generates a random 11 byte long plaintext + {89, + {0x1a, 0xb2, 0x87, 0xfc, 0xef, 0x3f, 0xf1, 0x70, 0x67, 0x91, 0x4d}, + {0x00, 0xc5, 0xd7, 0x78, 0x26, 0xc1, 0xab, 0x7a, 0x34, 0xd6, 0x39, 0x0f, + 0x9d, 0x34, 0x2d, 0x5d, 0xbe, 0x84, 0x89, 0x42, 0xe2, 0x61, 0x82, 0x87, + 0x95, 0x2b, 0xa0, 0x35, 0x0d, 0x7d, 0xe6, 0x72, 0x61, 0x12, 0xe9, 0xce, + 0xbc, 0x39, 0x1a, 0x0f, 0xae, 0x18, 0x39, 0xe2, 0xbf, 0x16, 0x82, 0x29, + 0xe3, 0xe0, 0xd7, 0x1d, 0x41, 0x61, 0x80, 0x15, 0x09, 0xf1, 0xf2, 0x8f, + 0x6e, 0x14, 0x87, 0xca, 0x52, 0xdf, 0x05, 0xc4, 0x66, 0xb6, 0xb0, 0xa6, + 0xfb, 0xbe, 0x57, 0xa3, 0x26, 0x8a, 0x97, 0x06, 0x10, 0xec, 0x0b, 0xea, + 0xc3, 0x9e, 0xc0, 0xfa, 0x67, 0xba, 0xbc, 0xe1, 0xef, 0x2a, 0x86, 0xbf, + 0x77, 0x46, 0x6d, 0xc1, 0x27, 0xd7, 0xd0, 0xd2, 0x96, 0x2c, 0x20, 0xe6, + 0x65, 0x93, 0x12, 0x6f, 0x27, 0x68, 0x63, 0xcd, 0x38, 0xdc, 0x63, 0x51, + 0x42, 0x8f, 0x88, 0x4c, 0x13, 0x84, 0xf6, 0x7c, 0xad, 0x0a, 0x0f, 0xfd, + 
0xbc, 0x2a, 0xf1, 0x67, 0x11, 0xfb, 0x68, 0xdc, 0x55, 0x9b, 0x96, 0xb3, + 0x7b, 0x4f, 0x04, 0xcd, 0x13, 0x3f, 0xfc, 0x7d, 0x79, 0xc4, 0x3c, 0x42, + 0xca, 0x49, 0x48, 0xfa, 0x89, 0x5b, 0x9d, 0xae, 0xb8, 0x53, 0x15, 0x0c, + 0x8a, 0x51, 0x69, 0x84, 0x9b, 0x73, 0x0c, 0xc7, 0x7d, 0x68, 0xb0, 0x21, + 0x7d, 0x6c, 0x0e, 0x3d, 0xbf, 0x38, 0xd7, 0x51, 0xa1, 0x99, 0x81, 0x86, + 0x63, 0x34, 0x18, 0x36, 0x7e, 0x75, 0x76, 0x53, 0x05, 0x66, 0xc2, 0x3d, + 0x6d, 0x4e, 0x0d, 0xa9, 0xb0, 0x38, 0xd0, 0xbb, 0x51, 0x69, 0xce, 0x40, + 0x13, 0x3e, 0xa0, 0x76, 0x47, 0x2d, 0x05, 0x50, 0x01, 0xf0, 0x13, 0x56, + 0x45, 0x94, 0x0f, 0xd0, 0x8e, 0xa4, 0x42, 0x69, 0xaf, 0x26, 0x04, 0xc8, + 0xb1, 0xba, 0x22, 0x50, 0x53, 0xd6, 0xdb, 0x9a, 0xb4, 0x35, 0x77, 0x68, + 0x94, 0x01, 0xbd, 0xc0, 0xf3}, + priv_key_2b, true}}; #endif // rsa_pkcs1_2048_vectors_h__ diff --git a/gtests/common/testvectors/rsa_pkcs1_3072_test-vectors.h b/gtests/common/testvectors/rsa_pkcs1_3072_test-vectors.h index b0f1830891..c52cd8c555 100644 --- a/gtests/common/testvectors/rsa_pkcs1_3072_test-vectors.h +++ b/gtests/common/testvectors/rsa_pkcs1_3072_test-vectors.h 
@@ -5028,6 +5028,159 @@ static const std::vector priv_key_65{ 0x3b, 0xcc, 0xfd, 0x41, 0x12, 0xe4, 0xf4, 0x08, 0x43, 0x32, 0x47, 0x03, 0xee, 0xae, 0x57, 0xb3, 0xf5, 0x08, 0x9d}; +/* 3072 bit key from Hubert's Bleichenbacher tests */ +static const std::vector priv_key_3b{ + 0x30, 0x82, 0x06, 0xfe, 0x02, 0x01, 0x00, 0x30, 0x0d, 0x06, 0x09, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82, + 0x06, 0xe8, 0x30, 0x82, 0x06, 0xe4, 0x02, 0x01, 0x00, 0x02, 0x82, 0x01, + 0x81, 0x00, 0xaf, 0xd7, 0x1c, 0xaa, 0xd5, 0xe9, 0xf5, 0xb8, 0xc6, 0xc3, + 0x67, 0x07, 0x0a, 0x47, 0xf1, 0x9d, 0x7e, 0x66, 0xae, 0xde, 0x18, 0xa5, + 0xb2, 0x74, 0x1f, 0xb3, 0xc4, 0xd3, 0x34, 0x34, 0x56, 0x06, 0x92, 0xa2, + 0xd9, 0x09, 0xef, 0x68, 0x88, 0xec, 0x60, 0x2f, 0xf6, 0xb9, 0x3a, 0xf2, + 0x58, 0xee, 0x74, 0x30, 0x3c, 0x30, 0x1a, 0xfc, 0xd4, 0xed, 0xbe, 0xc4, + 0x33, 0x11, 0xdd, 0xc8, 0xdd, 0xbf, 0x00, 0xdd, 0xbb, 0xe3, 0x86, 0xd3, + 0x3b, 0x8d, 0x0e, 0x22, 0xb1, 0xb4, 0x49, 0x36, 0xdc, 0x48, 0x98, 0x71, + 0xb8, 0x52, 0x37, 0xb3, 0x4c, 0xe7, 0x47, 0xad, 0x8f, 0xdb, 0x0c, 0x4e, + 0x4d, 0x1d, 0xaa, 0x7a, 0xad, 0xf0, 0x73, 0x85, 0xc5, 0xc8, 0x73, 0x2c, + 0xcb, 0x7d, 0x5a, 0x49, 0xe2, 0xe5, 0x0c, 0x88, 0x3c, 0x7d, 0x7a, 0xc1, + 0x0e, 0xd6, 0xa7, 0x4d, 0x9a, 0xc9, 0x0d, 0xf9, 0x12, 0x99, 0x05, 0xa1, + 0x7d, 0x4a, 0x08, 0x72, 0x10, 0xfc, 0x78, 0xb6, 0xd0, 0x4b, 0x1e, 0xb9, + 0x69, 0x48, 0x2c, 0x11, 0xa6, 0xee, 0xb7, 0x9c, 0x50, 0xe5, 0xb1, 0x6f, + 0x3f, 0x25, 0x4f, 0x75, 0x71, 0x52, 0x8b, 0x2f, 0x17, 0x16, 0xab, 0x81, + 0x6d, 0x6e, 0xca, 0x07, 0x27, 0xbd, 0xea, 0x98, 0x05, 0x93, 0x29, 0x73, + 0x0e, 0xb8, 0xc3, 0x3c, 0xe7, 0x1d, 0x61, 0xdd, 0x4a, 0xc3, 0x93, 0xb6, + 0x25, 0x6e, 0x07, 0xac, 0x1d, 0x12, 0x4f, 0x02, 0x00, 0xd1, 0xc3, 0xe0, + 0x5a, 0x4c, 0x1b, 0xc7, 0xf1, 0xed, 0x2f, 0xc8, 0x3e, 0x57, 0x19, 0x9c, + 0xfe, 0x59, 0x08, 0xb1, 0x00, 0x87, 0xe2, 0x7f, 0xbd, 0x97, 0xd2, 0xc2, + 0x42, 0x14, 0x61, 0x9c, 0x71, 0x47, 0xc8, 0xfb, 0xef, 0xca, 0x39, 0xbc, + 0x25, 0x67, 0x62, 0xa6, 
0x82, 0x35, 0x31, 0xf7, 0xe2, 0x34, 0xd6, 0x8e, + 0xae, 0x7a, 0x0d, 0x9f, 0xaf, 0x10, 0xdd, 0x15, 0xe9, 0x52, 0x37, 0x80, + 0xc7, 0xd5, 0xae, 0x58, 0x09, 0x4a, 0xd5, 0x25, 0xa9, 0x06, 0x3b, 0x4c, + 0x33, 0xf9, 0x5e, 0x10, 0x06, 0xda, 0x2e, 0xb1, 0x2d, 0x37, 0x43, 0x68, + 0x94, 0x95, 0xc1, 0xf2, 0x02, 0x3e, 0x40, 0x73, 0x53, 0xc5, 0xeb, 0x3e, + 0x4c, 0xa1, 0xc4, 0x8c, 0xff, 0x81, 0xa1, 0x09, 0x00, 0xd1, 0x48, 0x20, + 0xeb, 0x80, 0x1a, 0xf4, 0xf1, 0xa5, 0x96, 0xc4, 0xb9, 0xce, 0x9a, 0x53, + 0x1f, 0xcf, 0x8a, 0x54, 0xd9, 0xff, 0xd7, 0x24, 0x25, 0x8b, 0x6e, 0xec, + 0x20, 0x10, 0x8d, 0xf6, 0xfd, 0xfd, 0x76, 0xd4, 0xae, 0x03, 0xba, 0x7e, + 0xa5, 0x98, 0xdc, 0xb0, 0xe4, 0xa2, 0x80, 0x84, 0x95, 0x87, 0x28, 0x6f, + 0x4d, 0x7f, 0x25, 0x6c, 0xe8, 0x5e, 0x5e, 0xb5, 0x67, 0x9b, 0x1d, 0xac, + 0xc1, 0xf9, 0x09, 0x56, 0x49, 0xb7, 0x2e, 0x5f, 0xa0, 0x72, 0xae, 0xb0, + 0x03, 0x79, 0x02, 0x03, 0x01, 0x00, 0x01, 0x02, 0x82, 0x01, 0x80, 0x25, + 0x17, 0xea, 0xcb, 0x3a, 0xfe, 0xf4, 0xbf, 0xfa, 0xe6, 0x03, 0x98, 0xdf, + 0x99, 0x57, 0xa5, 0xd2, 0xa1, 0x54, 0xa8, 0x33, 0x68, 0xd8, 0xe1, 0x58, + 0x42, 0xb2, 0xf5, 0x9e, 0xe0, 0x9f, 0x79, 0x19, 0x7b, 0xd2, 0xef, 0x1e, + 0x9a, 0xdd, 0xaf, 0x87, 0x86, 0xf6, 0xb4, 0x12, 0x74, 0x47, 0x40, 0x5e, + 0x30, 0x42, 0xb2, 0x1f, 0x2f, 0x50, 0xb7, 0xaa, 0x73, 0x77, 0x16, 0x80, + 0xc3, 0xbb, 0xcb, 0x6c, 0x22, 0x5a, 0x5d, 0x5f, 0xf6, 0xb5, 0x6c, 0x47, + 0x1c, 0x18, 0x82, 0xa0, 0xa3, 0x3b, 0x0a, 0xf1, 0x65, 0xa3, 0xed, 0x6c, + 0x24, 0x9d, 0xc7, 0x78, 0x3e, 0x6b, 0xc7, 0x58, 0xac, 0x37, 0xe6, 0x57, + 0x2d, 0x33, 0xfe, 0x32, 0x50, 0x78, 0xed, 0x95, 0x26, 0x50, 0xf2, 0xeb, + 0x96, 0x04, 0x90, 0x2e, 0xf9, 0x9a, 0x51, 0x1a, 0x11, 0x19, 0xd1, 0x3c, + 0x4f, 0xc9, 0xa4, 0x3a, 0x17, 0x5d, 0xcd, 0xfb, 0xfb, 0x1a, 0x14, 0x00, + 0xfe, 0x17, 0x09, 0x3b, 0x69, 0xcd, 0x3c, 0xdb, 0x89, 0x5f, 0x65, 0x43, + 0x2e, 0xa2, 0x19, 0x5f, 0x90, 0x51, 0x1c, 0x73, 0x36, 0xb5, 0x8a, 0x68, + 0x5d, 0xac, 0xff, 0x2d, 0xaf, 0x4c, 0x5e, 0x92, 0xe5, 0x65, 0xb1, 0x66, + 0x5a, 0xe6, 0x0e, 0x51, 
0x2b, 0xaa, 0x99, 0x65, 0xb8, 0x08, 0xd5, 0xff, + 0x11, 0x9c, 0xeb, 0x7c, 0xd6, 0x92, 0xcb, 0xf9, 0x20, 0x06, 0x7a, 0xfa, + 0xcd, 0x80, 0x9f, 0x66, 0xbe, 0x70, 0x6d, 0xa2, 0x68, 0x10, 0xac, 0x79, + 0x0d, 0xb1, 0x56, 0xc9, 0x48, 0xe6, 0xfe, 0x58, 0x1b, 0xc9, 0x84, 0x91, + 0x57, 0xf4, 0xda, 0x49, 0x3f, 0x3a, 0x64, 0xb0, 0xc6, 0xe1, 0x19, 0xe0, + 0x31, 0xb1, 0x07, 0xf8, 0x43, 0x6c, 0xe2, 0x91, 0x60, 0xb4, 0x58, 0xb8, + 0xf9, 0xf1, 0x09, 0x5f, 0xde, 0xb1, 0x92, 0x63, 0x38, 0x4f, 0xf5, 0x38, + 0x75, 0x57, 0xbc, 0x4f, 0x10, 0xb4, 0x03, 0x4d, 0xe8, 0x41, 0x70, 0x3b, + 0xad, 0x2c, 0x1e, 0x76, 0x9c, 0x23, 0x85, 0x3e, 0xb6, 0x30, 0xa3, 0x6d, + 0x10, 0x61, 0xdd, 0x46, 0xe2, 0xa6, 0xbb, 0xaf, 0x74, 0x3a, 0x97, 0xf0, + 0xb3, 0x2c, 0x36, 0xf5, 0x0c, 0x1a, 0x37, 0x22, 0xde, 0xf3, 0xa3, 0x94, + 0xd9, 0x1c, 0x2e, 0x07, 0x8b, 0xf0, 0x9d, 0x79, 0x5e, 0xcd, 0xe5, 0xe5, + 0x6b, 0x82, 0x02, 0xf9, 0x74, 0x02, 0x6f, 0x75, 0xfc, 0x56, 0xe9, 0xa0, + 0xdd, 0x6a, 0x88, 0xf2, 0xe7, 0xcb, 0x78, 0xef, 0x12, 0x98, 0xcc, 0x6c, + 0x65, 0x20, 0x7c, 0xa4, 0x5b, 0xd3, 0x71, 0x88, 0x80, 0x7b, 0x4f, 0xcd, + 0xb1, 0xe6, 0x0d, 0xd8, 0xe5, 0xb8, 0x56, 0x48, 0xfb, 0x7e, 0xfa, 0x8b, + 0x6f, 0xdd, 0x44, 0x8f, 0x39, 0x74, 0x1a, 0x8d, 0x98, 0x09, 0xfe, 0x16, + 0x3a, 0xf3, 0xde, 0x45, 0xba, 0xc2, 0x4a, 0x5a, 0x84, 0x1c, 0x81, 0x02, + 0x81, 0xc1, 0x00, 0xe4, 0xa3, 0xd8, 0x30, 0xd7, 0x3e, 0x8b, 0x31, 0xc6, + 0x82, 0xe2, 0x74, 0xff, 0xc9, 0xfd, 0x12, 0xac, 0x31, 0x3d, 0x2d, 0xd0, + 0x51, 0x3d, 0x50, 0x57, 0x0d, 0xb7, 0xeb, 0x47, 0x62, 0xfe, 0xa1, 0x93, + 0xe7, 0xbb, 0x54, 0x0b, 0x94, 0xa9, 0x4a, 0x5d, 0xdd, 0x74, 0x2a, 0xcf, + 0x73, 0xf5, 0xde, 0xb9, 0xca, 0xe3, 0x1b, 0xd2, 0x3a, 0xc5, 0x60, 0xbb, + 0x27, 0x94, 0xfd, 0x68, 0x26, 0x1f, 0x82, 0x03, 0xf5, 0x71, 0x92, 0x82, + 0x90, 0x4f, 0x46, 0x1e, 0xac, 0xee, 0x2c, 0xe7, 0xe0, 0xa0, 0x09, 0x7a, + 0xa7, 0xc8, 0xdb, 0xab, 0xd3, 0x3f, 0x1b, 0xf2, 0x69, 0x91, 0x2a, 0x07, + 0x82, 0x71, 0x4f, 0xa9, 0x3b, 0x49, 0xea, 0xc4, 0x36, 0xeb, 0x3d, 0xe7, + 0x34, 0xa7, 0xd6, 0xff, 
0xdf, 0xd8, 0xc2, 0xc1, 0x43, 0x5e, 0x84, 0x3f, + 0xc7, 0x09, 0xf9, 0x04, 0x8e, 0x54, 0x2a, 0x19, 0x7c, 0x48, 0x54, 0x2b, + 0xeb, 0x2b, 0x85, 0xea, 0xd0, 0xf5, 0xe6, 0x4a, 0xa6, 0x3d, 0x0e, 0xc0, + 0x15, 0x2b, 0x3f, 0x85, 0x61, 0x2d, 0xdc, 0xa6, 0xbf, 0xde, 0xab, 0xf3, + 0x17, 0x5d, 0x59, 0x7d, 0x40, 0x56, 0x3e, 0x0e, 0x06, 0x2d, 0x91, 0xcb, + 0x02, 0x88, 0x80, 0x08, 0x2f, 0xe9, 0xf8, 0xf0, 0x91, 0xbd, 0xbd, 0xda, + 0x31, 0x6e, 0xeb, 0x1e, 0x85, 0x8c, 0xa4, 0x4d, 0x2b, 0x02, 0x8a, 0xe9, + 0xcd, 0xe3, 0xa9, 0x02, 0x81, 0xc1, 0x00, 0xc4, 0xe1, 0xcd, 0x0e, 0xcf, + 0x42, 0x98, 0x61, 0x5e, 0x1f, 0x78, 0x9b, 0xa7, 0xde, 0x22, 0xfd, 0x50, + 0x94, 0xaf, 0x4a, 0xd1, 0xac, 0x29, 0x50, 0xee, 0x96, 0x30, 0x38, 0x5a, + 0x20, 0x40, 0x9a, 0x28, 0x0c, 0x65, 0x38, 0xa2, 0xfe, 0xed, 0x03, 0x14, + 0x48, 0xe2, 0x6e, 0x22, 0xd6, 0x70, 0x93, 0xa7, 0x1f, 0x9d, 0xc7, 0x4e, + 0xbd, 0x1a, 0xbc, 0x0e, 0x9c, 0xe8, 0x3d, 0x67, 0x0b, 0x02, 0x76, 0xab, + 0x1c, 0x85, 0xac, 0x73, 0x4d, 0xd8, 0xbf, 0x9c, 0x74, 0xcc, 0x7f, 0xec, + 0xbd, 0x73, 0x2d, 0x1d, 0x75, 0xf8, 0x89, 0xef, 0x46, 0x0a, 0x48, 0x19, + 0xba, 0x5e, 0x1b, 0x01, 0xde, 0x23, 0x32, 0x55, 0x51, 0x81, 0xb7, 0x6f, + 0xa9, 0x65, 0x44, 0x93, 0x19, 0x8a, 0x60, 0x6f, 0x00, 0xca, 0xfd, 0x8a, + 0x93, 0x35, 0x6e, 0x45, 0x6f, 0x22, 0x3b, 0x75, 0x1b, 0xd5, 0xb5, 0xca, + 0x97, 0xae, 0x2b, 0x39, 0xba, 0x77, 0xfb, 0x7c, 0x17, 0x4c, 0x82, 0xec, + 0x02, 0x18, 0x65, 0x60, 0xd5, 0xe2, 0x7b, 0xf1, 0x8a, 0x26, 0x3c, 0xc2, + 0x12, 0xd9, 0xcc, 0x66, 0xb0, 0x1d, 0x1d, 0xa2, 0x67, 0x3f, 0x29, 0x7d, + 0x4c, 0x1b, 0xed, 0x44, 0x5b, 0x4e, 0xfc, 0x5d, 0xb0, 0x61, 0x36, 0xec, + 0xaa, 0xbd, 0x82, 0xcb, 0x54, 0xd0, 0xfc, 0xc4, 0x26, 0x99, 0xd4, 0xd6, + 0x0a, 0x02, 0x27, 0xbf, 0xe0, 0x03, 0x51, 0x02, 0x81, 0xc0, 0x40, 0xf3, + 0x0e, 0x41, 0xe9, 0x93, 0x39, 0xc5, 0x5d, 0x07, 0xe7, 0x3e, 0xa7, 0x3f, + 0x00, 0xe6, 0x22, 0x06, 0x26, 0xc3, 0xf1, 0xee, 0x72, 0x05, 0x75, 0x85, + 0x4f, 0x1e, 0xc5, 0xfb, 0xa8, 0x2b, 0xcc, 0x31, 0x42, 0xf4, 0xc0, 0x09, + 0x6e, 0x01, 0xd3, 0x22, 
0x4a, 0x92, 0xb2, 0xb5, 0xd5, 0x3d, 0x7c, 0xf7, + 0xd6, 0x86, 0x1b, 0xb5, 0x58, 0x46, 0x7f, 0x43, 0xe2, 0x3e, 0x0e, 0x2c, + 0xee, 0x3c, 0x67, 0xd5, 0x7c, 0x7a, 0xcb, 0x1e, 0x25, 0x76, 0xdc, 0xd5, + 0xf1, 0x1e, 0xce, 0x8b, 0xef, 0xca, 0x61, 0x8e, 0x72, 0x2f, 0x7c, 0xe3, + 0x18, 0x85, 0x5e, 0xda, 0x80, 0x43, 0x39, 0x38, 0xe3, 0xe9, 0x66, 0x40, + 0x92, 0x61, 0xdf, 0x75, 0x5e, 0x64, 0x0a, 0x5e, 0xd9, 0xe2, 0xe8, 0x72, + 0xf5, 0x47, 0x75, 0xd1, 0x26, 0x73, 0x59, 0x0e, 0xb8, 0x95, 0x85, 0xa6, + 0xcc, 0xdf, 0xdc, 0xb7, 0x82, 0x70, 0x6e, 0xbd, 0x72, 0x72, 0xab, 0x5e, + 0xca, 0xcb, 0xad, 0x9f, 0x05, 0xaf, 0x3f, 0xff, 0x83, 0x76, 0x9a, 0xf4, + 0x1d, 0x2c, 0x16, 0x2e, 0x61, 0x19, 0xe5, 0x87, 0x58, 0x9c, 0x48, 0x49, + 0x53, 0x76, 0x73, 0x53, 0x6b, 0xf4, 0x83, 0x7f, 0xe7, 0xb8, 0xbf, 0x1a, + 0xa5, 0x53, 0x73, 0x3b, 0x63, 0x74, 0x20, 0x1c, 0x74, 0xce, 0xd3, 0xaf, + 0xca, 0x61, 0x0e, 0x0e, 0xce, 0xbd, 0x19, 0x67, 0xc4, 0x69, 0x02, 0x81, + 0xc1, 0x00, 0xb9, 0x88, 0x4c, 0x14, 0x1b, 0xae, 0x97, 0x28, 0x92, 0x69, + 0x37, 0xdf, 0xff, 0x76, 0x6f, 0x24, 0xa6, 0x0e, 0x27, 0x8e, 0x6b, 0x3e, + 0x41, 0x05, 0x1a, 0x80, 0xff, 0xd9, 0xea, 0xdc, 0x9f, 0xe4, 0x65, 0xbf, + 0x20, 0x98, 0x19, 0xca, 0x00, 0x12, 0x39, 0xc8, 0x61, 0x51, 0x06, 0x95, + 0x6c, 0x2b, 0x48, 0x7f, 0x9b, 0xd0, 0xd9, 0x5b, 0x8d, 0x59, 0x10, 0xb0, + 0x3e, 0x8e, 0xb6, 0x8f, 0x02, 0x78, 0x4f, 0xd1, 0xa6, 0x0a, 0x97, 0xf2, + 0x11, 0x42, 0xa8, 0x2e, 0xcd, 0x13, 0xf4, 0x45, 0xa7, 0xc7, 0x29, 0x0f, + 0x25, 0xf2, 0xde, 0x3f, 0xf3, 0xaa, 0x74, 0x4c, 0x53, 0x28, 0x42, 0x3f, + 0x52, 0x8d, 0xb9, 0x27, 0x01, 0x05, 0x9b, 0x3d, 0x57, 0xc8, 0x22, 0x93, + 0x1b, 0xfa, 0xba, 0x40, 0x56, 0x0a, 0x4d, 0xcf, 0x61, 0xb7, 0x93, 0xc9, + 0x21, 0xca, 0x44, 0x16, 0xc1, 0xf2, 0xf9, 0x82, 0xac, 0xc7, 0xe1, 0x33, + 0xde, 0xa3, 0x68, 0x12, 0x10, 0xb1, 0x03, 0xb5, 0x09, 0xc6, 0x67, 0x55, + 0xc7, 0x83, 0xa3, 0x5f, 0xdb, 0x9e, 0xc0, 0x08, 0xc1, 0xa4, 0x44, 0x54, + 0xcc, 0x6b, 0x43, 0xc2, 0xe6, 0x1b, 0xb4, 0x0e, 0xc7, 0xf6, 0x74, 0xc7, + 0x53, 0x0c, 0xb1, 0x41, 
0x68, 0xab, 0x38, 0xa5, 0xc1, 0xc7, 0x02, 0xd3, + 0xdf, 0xc9, 0x83, 0x13, 0x19, 0x3e, 0x1f, 0xa1, 0xf8, 0xdb, 0xfa, 0x8e, + 0x20, 0xb1, 0x02, 0x81, 0xc1, 0x00, 0xe1, 0x2a, 0x42, 0x01, 0x40, 0x7d, + 0x27, 0x51, 0xc9, 0xae, 0xb4, 0x2c, 0xb1, 0xf9, 0xe6, 0xaf, 0x34, 0xdc, + 0xd4, 0x45, 0x31, 0xa9, 0xae, 0x2a, 0x23, 0xdb, 0x54, 0x92, 0xf3, 0xc2, + 0x22, 0x9f, 0x6e, 0x33, 0xa2, 0x8a, 0x8a, 0x66, 0x40, 0xe4, 0xbf, 0x2f, + 0x1c, 0x6a, 0x23, 0x37, 0x8c, 0x5e, 0x56, 0x15, 0xe0, 0xeb, 0x12, 0xbf, + 0x14, 0xe8, 0x1b, 0xb9, 0x9c, 0x4c, 0xe1, 0x51, 0xb5, 0x4e, 0x61, 0x28, + 0x22, 0xbe, 0xb7, 0xca, 0x9e, 0x41, 0x0a, 0x5a, 0xfd, 0xdb, 0x0c, 0xa6, + 0x21, 0xe5, 0x97, 0x00, 0x2b, 0x9d, 0x1c, 0x81, 0x8c, 0x85, 0x60, 0x2f, + 0x99, 0x45, 0x29, 0x1a, 0x47, 0x50, 0x62, 0xec, 0x6a, 0xf5, 0x3f, 0x4f, + 0x52, 0x07, 0x9a, 0xd8, 0x1a, 0xc5, 0x9a, 0x37, 0xd9, 0xd5, 0xef, 0x70, + 0x08, 0x75, 0xfa, 0x77, 0x42, 0x1d, 0x50, 0x70, 0x6c, 0x74, 0xce, 0x17, + 0x87, 0x28, 0x9c, 0x0f, 0xa0, 0xf9, 0x4b, 0x29, 0xe1, 0xb6, 0x52, 0x49, + 0x69, 0xf9, 0x9d, 0x4e, 0x28, 0x22, 0x2c, 0xef, 0x49, 0x5a, 0x46, 0xed, + 0x21, 0x9e, 0xd0, 0x69, 0xe0, 0x77, 0x11, 0xfd, 0x52, 0xc7, 0x6a, 0x6e, + 0xfc, 0xdc, 0x8a, 0x9d, 0x44, 0x29, 0xe1, 0xd1, 0x4d, 0x9a, 0xc7, 0x20, + 0x46, 0x26, 0x07, 0xec, 0x74, 0x2d, 0xa4, 0x48, 0x07, 0x77, 0x70, 0x64, + 0xd8, 0x9d, 0x2b, 0x74, 0xe4, 0x2b}; + const RsaDecryptTestVector kRsa3072DecryptWycheproofVectors[] = { // Comment: 
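Review bot: The comment on `priv_key_3b` does not say what the bytes encode or that the key is test-only, and an embedded private key in a header is something secret scanners and later readers will stumble over. From the leading bytes this looks like a PKCS#8 PrivateKeyInfo wrapping an RSA key (the rsaEncryption OID is visible), so I would expand the comment to something like `/* 3072-bit RSA test key (PKCS#8 DER) from Hubert's Bleichenbacher tests; public test material, never use outside tests */`. None of the rewritten cases visible in this file reference `priv_key_3b` (they all use `priv_key_33`), so please confirm that the vectors using it are added further down.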
@@ -5379,7 +5532,10 @@ const RsaDecryptTestVector kRsa3072DecryptWycheproofVectors[] = { // Comment: ps is all 0 // tcID: 9 {9, - {0x54, 0x65, 0x73, 0x74}, + // This is a Bleichenbacher synthetic generated result + {0x34, 0xf9, 0xf6, 0x88, 0xfe, 0x27, 0x31, 0x97, 0xf4, + 0xed, 0x30, 0x7a, 0xfb, 0x1b, 0x3c, 0xd7, 0xa3, 0xc6, + 0xf7, 0x6f, 0xe4, 0xde, 0x60, 0x0b, 0x2e, 0x6e}, {0x88, 0xa6, 0x58, 0x47, 0x54, 0xad, 0x31, 0xf2, 0x8a, 0x05, 0x57, 0x5d, 0xd8, 0x09, 0xbe, 0x25, 0x23, 0x1d, 0x07, 0x8d, 0x1c, 0x1e, 0x46, 0xb7, 0x24, 0x0c, 0x1c, 0x40, 0x26, 0x45, 0xb7, 0x10, 0xeb, 0x2d, 0x2b, 0xc1, @@ -5413,7 +5569,7 @@ const RsaDecryptTestVector kRsa3072DecryptWycheproofVectors[] = { 0xd3, 0x67, 0x1b, 0x0c, 0xfd, 0xf7, 0xf0, 0x5b, 0xf0, 0x77, 0x2d, 0xfe, 0x1c, 0x83, 0x0f, 0xf8, 0xf0, 0x91, 0xed, 0x49, 0xe7, 0x3f, 0x60, 0xc8}, priv_key_33, - false}, + true}, // Comment: ps is all 1 // tcID: 10 
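Review bot: Flipping the trailing boolean (presumably the expected-validity flag) from `false` to `true` in the second hunk here makes the malformed-padding ciphertext of tcID 9 look exactly like a valid one in the table; only the `// This is a Bleichenbacher synthetic generated result` comment on the message distinguishes it. I would state the reason next to the flag as well, e.g. `true},  // invalid padding: implicit rejection returns the synthetic message`, so a later vector refresh does not "fix" these back to `false`. The same applies to the hunks for tcID 12 through 21 below. The tcID 22 hunk replaces the expected message without the marker comment at all, as far as it is visible, which leaves it unclear whether that value is synthetic or a real decryption.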
@@ -5496,7 +5652,38 @@ const RsaDecryptTestVector kRsa3072DecryptWycheproofVectors[] = { // Comment: byte 0 of ps is 0 // tcID: 12 {12, - {0x54, 0x65, 0x73, 0x74}, + // This is a Bleichenbacher synthetic generated result + {0x8b, 0x18, 0x5b, 0x57, 0xa2, 0xd6, 0x27, 0x7c, 0xad, 0xa2, 0x86, 0x26, + 0x19, 0x8b, 0x1d, 0x90, 0x82, 0xe9, 0x2b, 0x16, 0x86, 0x7f, 0x75, 0xc2, + 0x5a, 0x27, 0x6d, 0x9e, 0x2f, 0x31, 0xf5, 0x16, 0x82, 0x11, 0x3b, 0x55, + 0xf1, 0xe8, 0x55, 0x70, 0x27, 0x5b, 0xc8, 0x04, 0x2c, 0x43, 0x44, 0x04, + 0x24, 0x21, 0x78, 0xcf, 0x8b, 0x2d, 0xc1, 0xe0, 0x3e, 0xde, 0x80, 0xf3, + 0x02, 0x66, 0xf5, 0xca, 0xa2, 0x6d, 0x94, 0x36, 0xe6, 0x6e, 0xcd, 0xdf, + 0xdf, 0xff, 0x76, 0x65, 0x00, 0xb5, 0xd4, 0x7a, 0x14, 0x2f, 0x54, 0x93, + 0x5f, 0x9a, 0xdc, 0x81, 0x5a, 0xdc, 0x40, 0x60, 0xe5, 0xaf, 0x15, 0x45, + 0xf2, 0x1e, 0xdd, 0x65, 0x1e, 0x5f, 0x5e, 0x07, 0x69, 0x87, 0x2c, 0x31, + 0xe6, 0xa3, 0x31, 0x7b, 0xc4, 0xd3, 0x93, 0x2f, 0xf9, 0xc4, 0xb0, 0xb6, + 0x5c, 0x5e, 0x60, 0x43, 0x76, 0xae, 0xc5, 0xc9, 0x6c, 0xe7, 0x5b, 0x05, + 0x5b, 0x70, 0x1e, 0x83, 0x74, 0x34, 0x04, 0x83, 0xca, 0x0c, 0x0e, 0x89, + 0x88, 0xb5, 0xbc, 0x3c, 0xbf, 0xba, 0xc9, 0xa8, 0xbf, 0x6e, 0x78, 0xbb, + 0x84, 0xbf, 0x48, 0xf5, 0x70, 0x43, 0xe8, 0x5d, 0x76, 0x25, 0x1a, 0x34, + 0x22, 0x28, 0x4d, 0x10, 0x70, 0xf4, 0xb9, 0xad, 0xa8, 0x5f, 0xf6, 0xb8, + 0xd6, 0x9c, 0x39, 0x5d, 0xaf, 0x09, 0xb0, 0x6e, 0x69, 0xff, 0xab, 0x1c, + 0xc7, 0xb7, 0xfb, 0xc0, 0x29, 0x2e, 0xb4, 0xae, 0xd8, 0x87, 0x01, 0xf2, + 0x7f, 0x8b, 0xfb, 0x65, 0x43, 0x4f, 0xc1, 0x15, 0x1c, 0x7d, 0x7e, 0x7c, + 0xe1, 0xc8, 0xfc, 0x27, 0x3e, 0x09, 0xc6, 0x6e, 0xc7, 0xe8, 0x3d, 0x9c, + 0xbf, 0xb1, 0xbf, 0x62, 0xde, 0x58, 0xbe, 0xb5, 0xe7, 0xd3, 0x5e, 0xa6, + 0x39, 0x11, 0x51, 0xa1, 0xb0, 0x06, 0x24, 0x25, 0x65, 0x68, 0xc4, 0x98, + 0x7d, 0x0a, 0x09, 0x46, 0x27, 0xb0, 0x4a, 0xf5, 0x8f, 0xa8, 0x29, 0x09, + 0xdb, 0x5a, 0x7f, 0xd0, 0x44, 0x7e, 0xd9, 0x2e, 0x2d, 0x4d, 0x54, 0xb1, + 0xf4, 0xd9, 0xe6, 0x11, 0x74, 0x6a, 0x49, 0x04, 0xfa, 0x6a, 0x65, 0xa2, + 
0xd0, 0x9a, 0xe2, 0x0b, 0x8a, 0x6c, 0xbf, 0x2f, 0x8e, 0x28, 0x10, 0xa8, + 0xef, 0x2f, 0x6e, 0x43, 0xdf, 0x1b, 0xe7, 0x0a, 0xa2, 0x99, 0x46, 0x11, + 0xf6, 0x4d, 0xac, 0x2c, 0x97, 0x1a, 0xaf, 0xe1, 0x4e, 0xc7, 0xe8, 0xfc, + 0x5e, 0x63, 0xa1, 0x15, 0x5a, 0x98, 0x48, 0xad, 0xa6, 0x99, 0x02, 0x6d, + 0xef, 0xc5, 0xd9, 0x72, 0x20, 0x88, 0xf4, 0xf4, 0xa8, 0x9a, 0x67, 0xb3, + 0x3e, 0x76, 0xec, 0x13, 0x2e, 0xb4, 0x48, 0x4e, 0x97, 0x4c, 0x76, 0x95, + 0x3c, 0xa9, 0x49, 0xcc, 0x4e, 0x73, 0x06, 0x73, 0x67, 0x03}, {0xd7, 0x23, 0xaa, 0xad, 0x7a, 0xed, 0x7f, 0xe2, 0x22, 0x77, 0xd0, 0x57, 0xc7, 0x01, 0x13, 0x53, 0x11, 0x22, 0x78, 0x1e, 0x8e, 0x46, 0xce, 0xcd, 0x03, 0x5a, 0x9d, 0x26, 0xe9, 0x80, 0xa7, 0x71, 0x65, 0x3d, 0x78, 0x0c, 
@@ -5530,12 +5717,43 @@ const RsaDecryptTestVector kRsa3072DecryptWycheproofVectors[] = { 0xd1, 0x6e, 0x05, 0x67, 0x40, 0xbe, 0x32, 0x3d, 0xe0, 0x3d, 0xd0, 0x9d, 0x2b, 0xa3, 0x0c, 0x91, 0x3f, 0x28, 0x9d, 0x31, 0x2d, 0xd5, 0x92, 0x5e}, priv_key_33, - false}, + true}, // Comment: byte 1 of ps is 0 // tcID: 13 {13, - {0x54, 0x65, 0x73, 0x74}, + // This is a Bleichenbacher synthetic generated result + {0x4b, 0x59, 0xa7, 0xcf, 0xcd, 0x10, 0x0f, 0x80, 0xb1, 0x95, 0x76, 0x01, + 0xc3, 0x7e, 0x7f, 0x09, 0xfa, 0x3f, 0x32, 0x6e, 0xff, 0x95, 0x38, 0xbe, + 0xaa, 0x5d, 0xd7, 0x11, 0x13, 0x14, 0xbe, 0x3f, 0x73, 0x6e, 0x40, 0x5e, + 0x41, 0x5f, 0x1e, 0xec, 0x89, 0x7c, 0x0e, 0xbc, 0x36, 0x77, 0x72, 0x78, + 0x65, 0x8e, 0x06, 0xa8, 0x12, 0x8e, 0x5a, 0xc9, 0xe1, 0x77, 0x5a, 0x12, + 0x5d, 0xe6, 0xec, 0xf0, 0x16, 0xe3, 0x14, 0xbd, 0xbc, 0xbb, 0x11, 0x48, + 0xd3, 0xa5, 0x2f, 0xde, 0x76, 0x6d, 0xc8, 0x02, 0xa6, 0x01, 0x31, 0xf9, + 0x7b, 0x6e, 0x11, 0x31, 0xc5, 0x40, 0x6d, 0x4a, 0x78, 0x5a, 0x48, 0xa7, + 0x59, 0x26, 0xc6, 0x87, 0x61, 0x78, 0x89, 0x06, 0xb3, 0xd1, 0xf3, 0x6f, + 0x09, 0xf2, 0xee, 0xfe, 0x7b, 0xfa, 0x8d, 0x7d, 0x03, 0x41, 0x4e, 0x7d, + 0x73, 0xef, 0x64, 0xe4, 0x12, 0x19, 0x1d, 0x53, 0x1c, 0x96, 0x5e, 0xc3, + 0xcc, 0x76, 0xf2, 0x8a, 0xb3, 0xc2, 0x7d, 0xa3, 0xee, 0x74, 0x5f, 0xba, + 0x57, 0xc8, 0x57, 0x4d, 0xec, 0xcc, 0xe0, 0x4c, 0x66, 0x9f, 0x32, 0x1e, + 0xae, 0x07, 0x44, 0x5b, 0xfe, 0x13, 0x42, 0x0b, 0x59, 0x8c, 0x16, 0xd4, + 0x50, 0x25, 0x9b, 0x45, 0x62, 0xa5, 0xf4, 0x5c, 0xb5, 0xab, 0xff, 0xf0, + 0xf6, 0x6e, 0x2b, 0xad, 0x42, 0xd7, 0xc6, 0x21, 0xd0, 0xba, 0x12, 0x08, + 0x48, 0xc5, 0x3c, 0xe1, 0xce, 0x14, 0x0d, 0x9c, 0xca, 0xd9, 0xe7, 0x51, + 0x12, 0x86, 0xbb, 0xd5, 0x2e, 0x64, 0xa1, 0x1f, 0x9c, 0x62, 0xd3, 0x65, + 0xa2, 0x94, 0x7c, 0xb1, 0x0c, 0xa3, 0xe1, 0xff, 0x30, 0x6b, 0x73, 0xfa, + 0x92, 0x79, 0x5c, 0x47, 0xdc, 0x99, 0x30, 0xbe, 0x92, 0x03, 0xcc, 0x64, + 0x43, 0x6b, 0x27, 0x8f, 0xbb, 0x6c, 0xe9, 0xd5, 0x56, 0xd3, 0x84, 0x3c, + 0x83, 0x4c, 0xa6, 0x4d, 0x2a, 0xbd, 0x58, 
0x36, 0xbc, 0x47, 0x19, 0x8b, + 0xfc, 0xfd, 0xdd, 0xa5, 0x30, 0x5f, 0x7a, 0x45, 0xd9, 0x89, 0x31, 0x10, + 0x21, 0x16, 0x08, 0xa3, 0xc6, 0x27, 0xdb, 0x19, 0x26, 0x9c, 0x16, 0xa6, + 0xa8, 0x1d, 0x67, 0x77, 0xbe, 0xba, 0x4c, 0xc9, 0xbe, 0x65, 0x80, 0x4c, + 0xac, 0x2c, 0xa9, 0x7b, 0x11, 0xff, 0x67, 0xb2, 0x76, 0x54, 0x3c, 0xa6, + 0x93, 0xd1, 0x3e, 0xf6, 0x2d, 0x79, 0x7d, 0xab, 0xd6, 0x4d, 0xad, 0xfc, + 0x38, 0xab, 0x46, 0xb5, 0x53, 0xe2, 0x83, 0x05, 0xa2, 0x39, 0x1b, 0x77, + 0xec, 0xfd, 0x3e, 0x88, 0xbb, 0x07, 0xdc, 0xa0, 0x9d, 0xe1, 0xa8, 0xbe, + 0xee, 0xb7, 0x88, 0xaa, 0xd6, 0x24, 0xbc, 0xd8, 0xa7, 0x89, 0x9c, 0x67, + 0xa2, 0x31, 0x35}, {0x5b, 0x68, 0xc3, 0xc4, 0x63, 0xfd, 0x8f, 0xfe, 0xda, 0x06, 0xc0, 0x9f, 0xdd, 0xcc, 0xbc, 0x52, 0x84, 0x01, 0x7f, 0x75, 0x3f, 0xf8, 0x1e, 0x1d, 0xb2, 0x55, 0xec, 0xc8, 0xc3, 0x2b, 0x7c, 0x11, 0xe7, 0xf9, 0x2d, 0xdc, 
@@ -5569,12 +5787,42 @@ const RsaDecryptTestVector kRsa3072DecryptWycheproofVectors[] = { 0xa4, 0x90, 0xbc, 0xdf, 0xd7, 0x00, 0x0f, 0x52, 0x9c, 0x48, 0x60, 0x8c, 0x2e, 0xfd, 0x62, 0x40, 0xed, 0x7e, 0x84, 0xfc, 0x1b, 0x04, 0xf0, 0xcc}, priv_key_33, - false}, + true}, // Comment: byte 7 of ps is 0 // tcID: 14 {14, - {0x54, 0x65, 0x73, 0x74}, + // This is a Bleichenbacher synthetic generated result + {0x25, 0x1c, 0xa3, 0x2f, 0x3c, 0x78, 0xa2, 0x31, 0x6a, 0x98, 0xb2, 0x7c, + 0x9a, 0x82, 0xd4, 0x2d, 0x1b, 0xfb, 0x65, 0x41, 0xde, 0xee, 0x2e, 0x7f, + 0xd3, 0x84, 0x4c, 0x96, 0x91, 0x05, 0x4f, 0xe1, 0x54, 0xb7, 0x01, 0xa5, + 0xd6, 0xa3, 0xf9, 0xe7, 0xd4, 0xdd, 0x83, 0xa8, 0xe4, 0xb0, 0xe0, 0x05, + 0xa7, 0x23, 0x5a, 0x24, 0x2d, 0x6c, 0xd9, 0x39, 0xb1, 0x53, 0x5a, 0x79, + 0xd8, 0xb9, 0x53, 0xee, 0x36, 0x48, 0x3b, 0x5e, 0x0b, 0x24, 0xb8, 0xb0, + 0x1b, 0x57, 0xc5, 0xbc, 0x64, 0x15, 0xe1, 0xec, 0xe2, 0x39, 0x76, 0xe3, + 0xe9, 0x52, 0x0b, 0xcc, 0x98, 0x73, 0xac, 0xae, 0x26, 0x10, 0x7e, 0xf3, + 0x07, 0xfb, 0xdc, 0x0f, 0x89, 0xa5, 0x36, 0x9b, 0xa0, 0x93, 0xab, 0x96, + 0x42, 0x78, 0xd8, 0x6e, 0x4b, 0xc1, 0x33, 0x5e, 0x4c, 0x20, 0x7e, 0xcb, + 0x75, 0x11, 0x87, 0x7e, 0xbc, 0x37, 0x96, 0x76, 0x6a, 0x76, 0x92, 0xef, + 0x5d, 0x4f, 0x27, 0xd8, 0x6b, 0x44, 0xce, 0x87, 0xfc, 0x5f, 0x4b, 0xe9, + 0x86, 0xf4, 0xd0, 0xa3, 0xe3, 0x1a, 0xe2, 0xe2, 0x1e, 0xe5, 0x48, 0x4f, + 0x3b, 0x6f, 0xf2, 0xa3, 0x0e, 0x45, 0xba, 0x42, 0xc1, 0x6b, 0x84, 0x63, + 0x8f, 0x1a, 0xa7, 0x66, 0x42, 0xb2, 0x55, 0xf7, 0x66, 0x28, 0x6f, 0xa4, + 0x53, 0x38, 0xb8, 0x0d, 0x39, 0x33, 0xde, 0x80, 0x3a, 0x0d, 0x20, 0x69, + 0x41, 0x18, 0x3f, 0x0c, 0xd9, 0x3c, 0xdb, 0x80, 0x58, 0x74, 0xfd, 0xef, + 0xac, 0xfc, 0x0a, 0xc2, 0x3e, 0xe2, 0xfc, 0x2d, 0xd9, 0xf0, 0x9e, 0x2f, + 0x61, 0xe2, 0x46, 0x94, 0xbf, 0xd9, 0x31, 0xf9, 0xcd, 0x25, 0xfb, 0x7c, + 0x16, 0x3b, 0xcc, 0x66, 0x11, 0x9b, 0xd9, 0x5a, 0x19, 0xe8, 0x07, 0xf2, + 0xd0, 0x87, 0x57, 0x72, 0x5e, 0xc9, 0x28, 0x23, 0x4f, 0x5c, 0xcd, 0xbb, + 0xb8, 0x99, 0x5d, 0x4f, 0xf3, 0x96, 0xd8, 
0x11, 0x00, 0xf1, 0xae, 0xb4, + 0x12, 0x1b, 0xea, 0xb6, 0xb3, 0xc5, 0x06, 0x2b, 0xff, 0xa3, 0x8f, 0x0b, + 0xc8, 0x31, 0x91, 0x6f, 0xb4, 0xe4, 0xb8, 0xb2, 0x04, 0x2b, 0x9a, 0xf5, + 0xc1, 0x45, 0xe0, 0xe3, 0x16, 0xfe, 0xd2, 0xbf, 0x5c, 0x07, 0xbe, 0x9f, + 0x47, 0x78, 0xc4, 0xbd, 0x6e, 0x9d, 0x17, 0xfb, 0x72, 0x1f, 0x42, 0x16, + 0xc5, 0x5d, 0xd6, 0xbb, 0xd3, 0x5b, 0xef, 0x5f, 0x0d, 0x96, 0xef, 0x78, + 0xce, 0x80, 0xad, 0xe8, 0x3f, 0x48, 0x59, 0x92, 0xe3, 0xe5, 0x6e, 0x02, + 0xba, 0xaf, 0xbd, 0xcc, 0x65, 0x07, 0xda, 0x44, 0x19, 0x3a, 0xc2, 0xac, + 0x26, 0x96, 0x41, 0xa4, 0x13, 0x2c, 0x11, 0xf6, 0xae, 0x8d}, {0x01, 0xaf, 0x89, 0xa4, 0xd3, 0x7a, 0x04, 0x28, 0x0b, 0x78, 0x62, 0x82, 0x61, 0x96, 0x4c, 0xd3, 0xfe, 0x67, 0xd0, 0x62, 0xb7, 0x4c, 0x35, 0xe8, 0x51, 0xf6, 0x8b, 0x9f, 0x8f, 0xaf, 0x74, 0x54, 0xa2, 0x2d, 0xf1, 0xc8, 
@@ -5608,12 +5856,38 @@ const RsaDecryptTestVector kRsa3072DecryptWycheproofVectors[] = { 0x03, 0x56, 0x3c, 0x27, 0x1c, 0x48, 0x50, 0x56, 0x15, 0x3e, 0xfc, 0x36, 0x25, 0x15, 0x92, 0x9e, 0xd6, 0x17, 0x3a, 0x4f, 0xdc, 0xfc, 0xb0, 0xfd}, priv_key_33, - false}, + true}, // Comment: ps truncated // tcID: 15 {15, - {0x54, 0x65, 0x73, 0x74}, + // This is a Bleichenbacher synthetic generated result + {0xdc, 0xcf, 0x39, 0x12, 0xda, 0xf1, 0x52, 0x57, 0xa9, 0xe2, 0xbc, 0xf3, + 0x8b, 0xc6, 0x3c, 0x65, 0x41, 0x38, 0x81, 0x22, 0xdb, 0x4e, 0x97, 0xcc, + 0xe2, 0x46, 0x71, 0x53, 0x4f, 0x28, 0x95, 0x12, 0x28, 0xf5, 0x9e, 0x47, + 0x77, 0x99, 0x24, 0x83, 0xa1, 0xb5, 0xcf, 0x1d, 0x0e, 0x6b, 0xcd, 0x0f, + 0xad, 0xf7, 0x4c, 0xfe, 0x68, 0x95, 0x15, 0xcd, 0xba, 0x0c, 0x15, 0x67, + 0x2b, 0x40, 0x8b, 0x0d, 0xf0, 0x87, 0x70, 0x2d, 0xd4, 0xf0, 0x8d, 0x93, + 0xb5, 0xa1, 0xc2, 0xdc, 0xfc, 0xfa, 0xe9, 0xc3, 0x9f, 0x3f, 0xd5, 0xac, + 0x49, 0x86, 0xed, 0xf2, 0x07, 0x3a, 0xee, 0xbf, 0x63, 0xcc, 0xac, 0xda, + 0x21, 0x8b, 0x29, 0xaa, 0x79, 0x04, 0x37, 0xbb, 0x11, 0x5e, 0x9c, 0xa6, + 0x18, 0x72, 0x62, 0xcd, 0xf5, 0xc4, 0xa9, 0xac, 0xa5, 0x59, 0xc6, 0x51, + 0xe1, 0xec, 0x17, 0x1d, 0x9d, 0xab, 0xf8, 0x21, 0xc8, 0xe6, 0x5a, 0x2d, + 0x9e, 0x36, 0xb8, 0x32, 0x31, 0x20, 0xf1, 0x38, 0xca, 0xa8, 0x5d, 0x6d, + 0x7c, 0x60, 0x90, 0x09, 0x32, 0xcf, 0x08, 0x1b, 0xb4, 0x2b, 0xa9, 0x54, + 0xc9, 0xea, 0xe8, 0xf0, 0x13, 0x2b, 0x2a, 0x4b, 0xad, 0x99, 0x54, 0x82, + 0x93, 0xf5, 0xc1, 0xcb, 0x2c, 0xe3, 0x86, 0x25, 0x26, 0x11, 0x4b, 0xe5, + 0x3d, 0x82, 0xdf, 0xc5, 0x87, 0x4a, 0x6b, 0xd9, 0xe1, 0x99, 0x97, 0x07, + 0x9e, 0x5e, 0x99, 0x8c, 0xef, 0xbb, 0xd5, 0x9b, 0x74, 0x6f, 0x78, 0xd9, + 0xbf, 0xbe, 0x90, 0xa0, 0x26, 0x74, 0xb6, 0x2d, 0x70, 0xfb, 0xbe, 0x97, + 0x11, 0xdd, 0xb3, 0xf0, 0x9a, 0x7f, 0x23, 0xa9, 0x05, 0xf0, 0x31, 0x67, + 0x0c, 0x84, 0x58, 0xe1, 0xf8, 0x8b, 0x99, 0xb0, 0x68, 0xea, 0xb3, 0x1c, + 0x60, 0x9a, 0xe4, 0x61, 0x46, 0x10, 0xe5, 0xab, 0x36, 0xb9, 0xff, 0x55, + 0xf5, 0x36, 0x34, 0x53, 0x5b, 0xd6, 0xb9, 0xb9, 
0x05, 0x13, 0x37, 0x43, + 0xc2, 0x28, 0xac, 0x28, 0x5f, 0x4c, 0x33, 0x80, 0x39, 0xd4, 0x90, 0x64, + 0xa1, 0x05, 0x41, 0xfc, 0xae, 0xe9, 0x16, 0xf5, 0xe3, 0x5a, 0x78, 0x77, + 0xca, 0x52, 0x32, 0xe1, 0x66, 0xf0, 0x73, 0x0c, 0xfa, 0x4d, 0x65, 0xea, + 0x91, 0xeb, 0xc6}, {0x70, 0x0d, 0x40, 0xcf, 0xb0, 0x98, 0x1f, 0x7b, 0x86, 0x26, 0x0e, 0x36, 0x71, 0x2a, 0x46, 0x3d, 0x2d, 0x2f, 0xaf, 0x1f, 0x9d, 0xa3, 0xbf, 0x76, 0x2c, 0x3f, 0x99, 0x33, 0x71, 0xb4, 0x41, 0xd9, 0xe3, 0x74, 0x7f, 0x12, 
@@ -5647,12 +5921,43 @@ const RsaDecryptTestVector kRsa3072DecryptWycheproofVectors[] = { 0xe0, 0x69, 0x93, 0x3a, 0xdd, 0xed, 0x25, 0x0d, 0xaf, 0xd8, 0x09, 0x1d, 0xcc, 0x53, 0xba, 0x08, 0x30, 0x1e, 0x64, 0xd4, 0x9a, 0x49, 0x60, 0xc9}, priv_key_33, - false}, + true}, // Comment: ps missing // tcID: 16 {16, - {0x54, 0x65, 0x73, 0x74}, + // This is a Bleichenbacher synthetic generated result + {0x55, 0x93, 0xd2, 0xbb, 0x19, 0xdd, 0x30, 0x22, 0xb0, 0x69, 0xe5, 0xcc, + 0x40, 0x77, 0x98, 0x4b, 0x55, 0x0a, 0xe3, 0x03, 0x48, 0x80, 0x7e, 0xab, + 0x83, 0x23, 0x51, 0xd9, 0xd7, 0x01, 0x5f, 0x5b, 0x58, 0xc5, 0x3c, 0xc6, + 0x8d, 0xa6, 0x3c, 0xf2, 0x8c, 0xae, 0xa7, 0xf5, 0x60, 0xa5, 0x7c, 0xe4, + 0xc4, 0x4f, 0xda, 0xa3, 0xcd, 0xfb, 0x89, 0x31, 0xf2, 0x49, 0xea, 0xb8, + 0xd3, 0xe0, 0x56, 0x52, 0x64, 0x02, 0x56, 0x71, 0x10, 0xf2, 0x42, 0x6e, + 0x9b, 0x6d, 0x1f, 0xcc, 0x23, 0xb1, 0x25, 0xf6, 0xb8, 0x05, 0x0e, 0xae, + 0xa1, 0x13, 0xbf, 0x5b, 0x35, 0x58, 0x98, 0x52, 0xc2, 0x76, 0xb2, 0x56, + 0x5b, 0xca, 0x2b, 0xca, 0xf7, 0xea, 0x64, 0x55, 0xa0, 0xfa, 0x95, 0x16, + 0x4b, 0x86, 0x2c, 0x66, 0xe0, 0xe9, 0xef, 0x3f, 0xd4, 0x45, 0x68, 0xa2, + 0x4f, 0x63, 0x08, 0xb6, 0x36, 0xe1, 0x29, 0x76, 0xe9, 0x8d, 0xa5, 0xd1, + 0xc3, 0x22, 0x0b, 0xca, 0x78, 0x22, 0x0b, 0x2c, 0xcd, 0x7b, 0x82, 0x05, + 0x72, 0x4d, 0x4a, 0xd5, 0xee, 0x65, 0xb9, 0xe3, 0xf8, 0x10, 0x67, 0x29, + 0xc6, 0xb7, 0xc2, 0x56, 0xce, 0xde, 0xff, 0x23, 0xae, 0x18, 0x78, 0x76, + 0xb4, 0x71, 0x38, 0x6f, 0x1c, 0x71, 0xc0, 0x5d, 0x69, 0x23, 0xf6, 0xae, + 0xc4, 0xe2, 0x0c, 0x8b, 0x48, 0x6b, 0x4e, 0x45, 0xf6, 0xf8, 0xc9, 0xb9, + 0x71, 0x9e, 0xba, 0xee, 0x8a, 0x50, 0x58, 0x14, 0xca, 0xea, 0xea, 0x5d, + 0xe0, 0x6d, 0x3c, 0x83, 0xbd, 0x3d, 0xde, 0x2e, 0xfc, 0xce, 0x55, 0x4a, + 0xe9, 0x39, 0xd4, 0xc3, 0x6a, 0xce, 0x17, 0x38, 0x83, 0x56, 0x7f, 0x3b, + 0x03, 0xd5, 0xca, 0xad, 0xcf, 0x66, 0xfd, 0x02, 0xa9, 0x0a, 0x9f, 0x57, + 0xa6, 0xb4, 0x3b, 0xde, 0x29, 0xf1, 0xe7, 0x6f, 0x25, 0x3e, 0xba, 0x7f, + 0x4a, 0x03, 0xf5, 0x91, 0x0c, 0xa6, 0x8f, 0xe1, 
0xad, 0xfa, 0xac, 0x24, + 0x89, 0x51, 0xd3, 0x49, 0xcf, 0x06, 0x62, 0x3c, 0x7d, 0xb3, 0x23, 0x36, + 0x65, 0xcd, 0x1f, 0x6f, 0x18, 0x90, 0xc5, 0x9e, 0x83, 0xa4, 0x8e, 0x7f, + 0xb9, 0x78, 0x96, 0x4a, 0x2d, 0x63, 0xc3, 0xc7, 0x24, 0x94, 0xee, 0x43, + 0xc0, 0x80, 0x46, 0xe3, 0x68, 0xe8, 0x4e, 0x0d, 0x7e, 0x14, 0xb4, 0xca, + 0x58, 0x7b, 0xf2, 0xd8, 0xc6, 0xc5, 0x3d, 0x7b, 0x2d, 0xab, 0x9b, 0xe4, + 0xb0, 0x08, 0x25, 0xb5, 0x0d, 0x3d, 0x8b, 0x33, 0xc1, 0xa6, 0x8f, 0x07, + 0xcb, 0x2a, 0x56, 0x94, 0xa3, 0x14, 0x89, 0x46, 0x2b, 0xae, 0x4c, 0x90, + 0xd7, 0xf2, 0xcb, 0x13, 0xe6, 0x75, 0x21, 0xf7, 0xd0, 0xef, 0xad, 0x3e, + 0x55, 0x85, 0x55, 0x6c}, {0x5a, 0x76, 0x25, 0x90, 0x27, 0x08, 0x9e, 0xdb, 0x01, 0x9b, 0x04, 0x78, 0x8c, 0xb7, 0x02, 0xe5, 0xe0, 0x6b, 0x13, 0xb9, 0x82, 0x6d, 0x57, 0x35, 0x16, 0x94, 0xd2, 0x0f, 0x59, 0x84, 0xba, 0xdd, 0x49, 0x60, 0xbd, 0xc4, 
@@ -5686,12 +5991,26 @@ const RsaDecryptTestVector kRsa3072DecryptWycheproofVectors[] = { 0xe9, 0x20, 0xe4, 0x94, 0x27, 0xc0, 0x62, 0x3c, 0x01, 0xd4, 0x98, 0xbe, 0xc7, 0xea, 0x2f, 0x19, 0x77, 0xa3, 0xd6, 0xa1, 0xed, 0x79, 0x43, 0xf0}, priv_key_33, - false}, + true}, // Comment: Block type = 0 // tcID: 17 {17, - {0x54, 0x65, 0x73, 0x74}, + // This is a Bleichenbacher synthetic generated result + {0xff, 0xb7, 0xb4, 0x8f, 0x15, 0x83, 0x3f, 0x1e, 0x06, 0x8d, 0xd4, 0x6f, + 0xba, 0x45, 0x6f, 0x45, 0x78, 0xb3, 0x31, 0xa3, 0x01, 0xe3, 0x97, 0xcc, + 0x01, 0xa4, 0x6c, 0x3a, 0x4b, 0x0b, 0xf4, 0x4a, 0x44, 0xa3, 0x8c, 0x7e, + 0x7f, 0x19, 0xe5, 0x5b, 0x0a, 0x65, 0x5b, 0x1e, 0x8e, 0xc5, 0x55, 0x91, + 0x8e, 0x49, 0x82, 0x00, 0x5f, 0x14, 0x81, 0xd1, 0x8c, 0x56, 0xb1, 0x8d, + 0x30, 0x51, 0xe6, 0x29, 0x18, 0x05, 0xeb, 0xec, 0xa6, 0x22, 0x3c, 0xf1, + 0x36, 0x86, 0x4f, 0x2b, 0x61, 0x89, 0xe4, 0xaa, 0xe6, 0xd0, 0x7c, 0x95, + 0xdf, 0xc2, 0x85, 0xb5, 0xe2, 0xb3, 0x5a, 0x4c, 0xa7, 0x05, 0xd3, 0x96, + 0xa8, 0x64, 0x8b, 0x14, 0xc9, 0x38, 0x5b, 0x99, 0x54, 0xe1, 0x6f, 0x7f, + 0xa4, 0xba, 0xb3, 0xaa, 0xd8, 0xe4, 0x5f, 0xe5, 0x7c, 0x62, 0x4e, 0x1d, + 0xcd, 0xc2, 0x8b, 0xb5, 0x15, 0x37, 0x04, 0xfb, 0xdd, 0xb2, 0xee, 0xef, + 0xd3, 0x1d, 0xbb, 0x79, 0x0c, 0x93, 0x10, 0x29, 0xfb, 0xec, 0x41, 0xaf, + 0xea, 0x82, 0x48, 0x47, 0x53, 0xc3, 0x79, 0xfd, 0x18, 0x1a, 0x62, 0xb1, + 0xe7, 0x7c, 0x6b, 0x92, 0x21, 0x03, 0xc1, 0xc6, 0x3e, 0xa1, 0xeb}, {0x09, 0x46, 0x36, 0x1a, 0xcb, 0x9a, 0x12, 0x45, 0x2e, 0x37, 0x0d, 0x04, 0xab, 0xbb, 0x2f, 0x64, 0xde, 0x06, 0x51, 0xce, 0x5d, 0x6e, 0x81, 0x3b, 0x4d, 0x25, 0x64, 0x76, 0x00, 0x3c, 0xfb, 0x17, 0x00, 0x48, 0x28, 0x44, 
@@ -5725,12 +6044,27 @@ const RsaDecryptTestVector kRsa3072DecryptWycheproofVectors[] = { 0xf5, 0x01, 0x6b, 0x77, 0x22, 0x9a, 0x4b, 0x08, 0x1f, 0xa7, 0x71, 0xf2, 0x49, 0x69, 0x5d, 0xa0, 0xbf, 0x14, 0xe7, 0xbe, 0x77, 0x0e, 0xe0, 0x10}, priv_key_33, - false}, + true}, // Comment: Block type = 1 // tcID: 18 {18, - {0x54, 0x65, 0x73, 0x74}, + // This is a Bleichenbacher synthetic generated result + {0x4a, 0x05, 0x15, 0xcf, 0x08, 0xd4, 0x5d, 0xc2, 0x0e, 0x95, 0x89, 0x84, + 0x39, 0x3b, 0x8c, 0x58, 0x46, 0x26, 0x61, 0xea, 0xc2, 0xc6, 0x07, 0x34, + 0x9b, 0x69, 0xa5, 0xda, 0x78, 0x14, 0x61, 0xea, 0x62, 0xf3, 0x3a, 0xe7, + 0x0b, 0x54, 0x37, 0x86, 0xba, 0x32, 0x4a, 0x98, 0xf8, 0x70, 0x34, 0x71, + 0x02, 0xfe, 0xd5, 0x11, 0xf8, 0xfa, 0x19, 0x0f, 0x87, 0x21, 0xfb, 0x5d, + 0x79, 0x4d, 0x2c, 0x7a, 0x15, 0xbe, 0xf0, 0xdb, 0x63, 0x9b, 0x99, 0xbf, + 0xaf, 0x51, 0x27, 0xfa, 0x3f, 0x3a, 0x5f, 0x25, 0x54, 0x83, 0xf0, 0x27, + 0x60, 0x1b, 0x45, 0xc4, 0xa9, 0x5b, 0xe7, 0xc2, 0xb0, 0xdf, 0x3c, 0x16, + 0x17, 0x50, 0x0c, 0x04, 0x97, 0x26, 0x03, 0x99, 0x2a, 0x28, 0xf6, 0xb7, + 0xc3, 0xff, 0xf0, 0xbb, 0xfb, 0x2a, 0xff, 0x8b, 0x70, 0x99, 0xbe, 0x09, + 0x90, 0x1b, 0xb7, 0x02, 0xd4, 0x5d, 0x49, 0x29, 0x63, 0xce, 0x7d, 0xbb, + 0xa6, 0x07, 0xcc, 0xce, 0xc1, 0x16, 0x0a, 0xba, 0x35, 0x2f, 0xd8, 0xb7, + 0x37, 0xae, 0x13, 0x32, 0x39, 0xca, 0xea, 0xab, 0xbc, 0x6e, 0x13, 0xb1, + 0xc4, 0x7b, 0xc0, 0x1a, 0x06, 0x89, 0x65, 0x8c, 0x61, 0xed, 0xe3, 0x3e, + 0x3b, 0x32, 0x85, 0xfc, 0x7d, 0x71, 0xeb, 0xba, 0x08, 0xe4, 0x61, 0x2d}, {0x84, 0x9e, 0xb2, 0x49, 0xb9, 0xb5, 0x90, 0x4f, 0x72, 0x6c, 0xb7, 0xdb, 0x32, 0x4f, 0x55, 0x79, 0xd3, 0x31, 0x89, 0x5b, 0xd3, 0xce, 0x51, 0x38, 0xed, 0xaa, 0x2d, 0x28, 0x33, 0x60, 0xfe, 0xda, 0x0b, 0xd3, 0xeb, 0xd9, 
@@ -5764,12 +6098,37 @@ const RsaDecryptTestVector kRsa3072DecryptWycheproofVectors[] = { 0xc8, 0x3b, 0x20, 0x78, 0x3a, 0xe2, 0x0d, 0x75, 0x51, 0x27, 0xb5, 0x65, 0x42, 0x72, 0xb7, 0x6c, 0x88, 0xfa, 0x36, 0x29, 0x60, 0xf6, 0x64, 0x66}, priv_key_33, - false}, + true}, // Comment: Block type = 0xff // tcID: 19 {19, - {0x54, 0x65, 0x73, 0x74}, + // This is a Bleichenbacher synthetic generated result + {0x2a, 0x53, 0x07, 0x95, 0x8e, 0xeb, 0x98, 0x7c, 0x01, 0xfa, 0x1f, 0x58, + 0x85, 0xab, 0x29, 0x83, 0xee, 0x53, 0x73, 0x0f, 0x74, 0xf5, 0x63, 0x8e, + 0x4d, 0x72, 0x97, 0x54, 0x4b, 0xca, 0x83, 0x84, 0x48, 0x3d, 0x6b, 0xf1, + 0x75, 0xd8, 0x78, 0xba, 0xf9, 0x90, 0x6f, 0xa6, 0x4a, 0xcf, 0x5b, 0xe3, + 0x26, 0x2e, 0x7c, 0xd8, 0x7e, 0x71, 0xf1, 0xa1, 0xce, 0xa4, 0xfe, 0x5b, + 0xcc, 0x1b, 0x23, 0xcf, 0x84, 0x1a, 0xfb, 0x64, 0xb5, 0xd6, 0x68, 0x81, + 0x64, 0xad, 0x75, 0x1e, 0x06, 0x01, 0x2c, 0x82, 0x23, 0x46, 0x63, 0xa7, + 0x06, 0x9b, 0xd9, 0x2d, 0x1a, 0xa9, 0xb5, 0xbc, 0x85, 0x40, 0xe9, 0x60, + 0xa0, 0xcc, 0x1e, 0xc6, 0x2a, 0x7d, 0x20, 0xcc, 0x28, 0x1d, 0x3b, 0x00, + 0x62, 0x85, 0xc7, 0x6f, 0xf4, 0x58, 0x4e, 0x6c, 0x13, 0xd6, 0x65, 0x5c, + 0xe7, 0x4b, 0x1c, 0x46, 0x5e, 0x68, 0xaf, 0x31, 0x2c, 0x00, 0x40, 0xe3, + 0x7b, 0x52, 0x66, 0x48, 0xb5, 0x98, 0x5b, 0x54, 0x56, 0x42, 0xef, 0x77, + 0x6e, 0x35, 0xb2, 0x62, 0xbc, 0xb8, 0x8b, 0xd8, 0x78, 0x8c, 0xe5, 0x07, + 0x37, 0x85, 0x96, 0x2c, 0x92, 0xc8, 0x2e, 0x65, 0x8a, 0x56, 0x73, 0xaa, + 0x70, 0x0f, 0xa0, 0x2c, 0x63, 0x84, 0xff, 0xd9, 0xf4, 0x17, 0x7a, 0xee, + 0x35, 0x7d, 0x8d, 0xfd, 0x78, 0xd4, 0x0b, 0x3a, 0x16, 0xcd, 0x25, 0xde, + 0xa7, 0x18, 0x41, 0x2a, 0x61, 0xc5, 0x63, 0x89, 0xd7, 0xff, 0x53, 0x25, + 0xaa, 0xa6, 0xca, 0x58, 0x6e, 0x1a, 0xe8, 0x5d, 0x3a, 0x60, 0xcb, 0xfd, + 0x2d, 0xe5, 0x28, 0x8e, 0x31, 0x36, 0xcc, 0xe6, 0x76, 0x8f, 0x3d, 0x3b, + 0x12, 0xdd, 0x54, 0x62, 0x9c, 0x8d, 0xd2, 0x04, 0x09, 0x02, 0xc2, 0x4d, + 0xed, 0xa1, 0xcb, 0x5f, 0x0d, 0xe4, 0x18, 0x9e, 0xb6, 0xc3, 0x58, 0x7e, + 0x0d, 0xd4, 0x3e, 0xa5, 0x65, 0x40, 0x45, 
0x24, 0x19, 0x3c, 0x1e, 0x64, + 0x6b, 0xb4, 0xb5, 0x99, 0x24, 0xa1, 0xba, 0x06, 0x30, 0x74, 0xdf, 0xf2, + 0x51, 0x57, 0xd4, 0x54, 0x6e, 0xa2, 0xa2, 0x4a, 0x36, 0x99, 0x47, 0x1d, + 0x71, 0x40}, {0x99, 0xae, 0xa1, 0x5a, 0xfd, 0xe0, 0xb4, 0x0c, 0x12, 0x96, 0x0c, 0xce, 0x59, 0x8c, 0x11, 0xd6, 0x18, 0xb3, 0xe4, 0xa0, 0x50, 0x2e, 0xb9, 0x76, 0x4c, 0xc1, 0x14, 0xee, 0xd7, 0x04, 0x11, 0x3f, 0x0d, 0x13, 0xd9, 0xc1, 
@@ -5803,12 +6162,30 @@ const RsaDecryptTestVector kRsa3072DecryptWycheproofVectors[] = { 0x05, 0x31, 0xcd, 0x10, 0x77, 0xd7, 0xd1, 0x64, 0x6c, 0xd1, 0xa4, 0x58, 0xcb, 0xd4, 0xe8, 0x8a, 0x42, 0xea, 0x2a, 0xb6, 0x29, 0x06, 0xf2, 0xdd}, priv_key_33, - false}, + true}, // Comment: First byte is not zero // tcID: 20 {20, - {0x54, 0x65, 0x73, 0x74}, + // This is a Bleichenbacher synthetic generated result + {0x50, 0x69, 0x02, 0x80, 0xb4, 0x43, 0xb5, 0xdc, 0xf3, 0xd2, 0x8d, 0xc7, + 0xc1, 0xcc, 0xf5, 0x90, 0xeb, 0xbe, 0xb8, 0xd7, 0x03, 0xc4, 0x85, 0x79, + 0x8d, 0xc0, 0xe5, 0x6b, 0xd1, 0x88, 0x36, 0xb4, 0xe8, 0x6f, 0xee, 0x7c, + 0x89, 0x5c, 0xd0, 0xa9, 0x2a, 0x86, 0x40, 0x1e, 0xbc, 0x4b, 0x28, 0xd2, + 0x7a, 0x2b, 0x69, 0x26, 0xce, 0x77, 0x49, 0x02, 0x34, 0x2d, 0x03, 0x19, + 0xe0, 0x92, 0x10, 0x48, 0xde, 0xbd, 0x63, 0xf8, 0xaa, 0x62, 0x04, 0xbe, + 0xab, 0xb8, 0x65, 0x95, 0xfa, 0x1a, 0x1c, 0x0b, 0x05, 0xbd, 0x5c, 0x64, + 0x8b, 0x09, 0x2e, 0x67, 0x53, 0x7c, 0x35, 0x4f, 0x4a, 0x11, 0x91, 0xe0, + 0xd3, 0x95, 0x16, 0xa0, 0x9d, 0x86, 0x7b, 0xcb, 0x1e, 0xaa, 0x26, 0x5c, + 0x93, 0x06, 0x46, 0xee, 0x24, 0xaf, 0x76, 0x32, 0xdc, 0xc4, 0x3f, 0xef, + 0xb4, 0x83, 0xd0, 0xfa, 0x4a, 0x8b, 0xe9, 0x10, 0x3c, 0x24, 0xd8, 0x57, + 0x36, 0x7a, 0x9e, 0xef, 0x44, 0x57, 0x4c, 0x4e, 0x89, 0x7f, 0xf1, 0x39, + 0x8d, 0x98, 0xae, 0x63, 0xfd, 0xe0, 0x2f, 0x81, 0x68, 0x66, 0x7e, 0x78, + 0x6d, 0x6f, 0x38, 0x1e, 0x2f, 0xf2, 0x75, 0x22, 0xda, 0xaa, 0x83, 0x92, + 0x9e, 0x75, 0xbb, 0x4a, 0x8e, 0x57, 0x2f, 0xbe, 0x67, 0xe8, 0x11, 0x63, + 0x65, 0x73, 0xd2, 0x70, 0x0d, 0x1b, 0x87, 0xd6, 0xe8, 0x32, 0x39, 0x41, + 0xb0, 0xa1, 0xbf, 0x68, 0xde, 0xf5, 0x12, 0xda, 0x15, 0x7f, 0x8e, 0x79, + 0x7e, 0x9d, 0xd2, 0xb5, 0x93, 0x35, 0xd2}, {0xa2, 0x25, 0xdb, 0x92, 0xd6, 0x85, 0x3b, 0x70, 0x8d, 0xd7, 0x2c, 0xbf, 0xd0, 0x81, 0xc0, 0x6c, 0xe3, 0xd6, 0xc4, 0x57, 0x9d, 0xef, 0x7e, 0x6b, 0xd8, 0xb4, 0x50, 0x90, 0xcc, 0x0b, 0x9f, 0x51, 0xd4, 0x21, 0x7d, 0x32, 
@@ -5842,12 +6219,17 @@ const RsaDecryptTestVector kRsa3072DecryptWycheproofVectors[] = { 0xce, 0xc7, 0x0d, 0xc0, 0xc3, 0x01, 0x67, 0x93, 0xc4, 0x4a, 0xa9, 0xc8, 0xd9, 0xf7, 0xc9, 0xd3, 0x49, 0x07, 0x52, 0x36, 0x13, 0xd4, 0xbd, 0x84}, priv_key_33, - false}, + true}, // Comment: First byte is not zero // tcID: 21 {21, - {0x54, 0x65, 0x73, 0x74}, + // This is a Bleichenbacher synthetic generated result + {0xab, 0xd7, 0xeb, 0xfb, 0x98, 0x03, 0x02, 0x9f, 0x72, 0x8d, 0x5d, + 0x43, 0x21, 0x1c, 0xeb, 0x07, 0x09, 0x34, 0x2f, 0x6d, 0x79, 0xc6, + 0xa7, 0x45, 0x4c, 0x87, 0x7e, 0xd0, 0x95, 0x42, 0xf9, 0x29, 0x22, + 0x15, 0x59, 0xda, 0x9b, 0x67, 0xdc, 0xec, 0x6c, 0x83, 0x54, 0xb2, + 0xd3, 0x0b, 0x48, 0xfa, 0x7f, 0x7d, 0x34, 0xf8}, {0x85, 0x42, 0x19, 0x77, 0x73, 0x0b, 0x0f, 0x2c, 0xa7, 0xac, 0x9e, 0x69, 0x32, 0x8c, 0x09, 0x85, 0x3d, 0x07, 0xe6, 0x8f, 0x0c, 0x12, 0x39, 0x60, 0x11, 0xa8, 0x8e, 0x1b, 0x3d, 0x0d, 0x86, 0x75, 0xc7, 0x23, 0xc3, 0xc7, 
@@ -5881,12 +6263,32 @@ const RsaDecryptTestVector kRsa3072DecryptWycheproofVectors[] = { 0x8e, 0xe4, 0xdb, 0xcb, 0x86, 0xec, 0x32, 0x6a, 0x54, 0x66, 0x57, 0x52, 0xa9, 0x05, 0x0f, 0x80, 0xb9, 0x0a, 0xc3, 0x4d, 0xd5, 0x1f, 0x1f, 0x11}, priv_key_33, - false}, + true}, // Comment: signature padding // tcID: 22 {22, - {0x54, 0x65, 0x73, 0x74}, + {0xc1, 0x4d, 0x31, 0x46, 0x5b, 0xe0, 0xcd, 0xf4, 0x14, 0xe4, 0xa5, 0xab, + 0x44, 0xf3, 0x5f, 0x0e, 0x6a, 0x22, 0x43, 0x4f, 0x57, 0xb4, 0x5f, 0x94, + 0x0c, 0xdc, 0x33, 0xbe, 0x85, 0x6b, 0x48, 0x71, 0xa6, 0x6e, 0x80, 0xf7, + 0x6b, 0xa7, 0xa5, 0xe8, 0xac, 0x9c, 0x23, 0x56, 0x16, 0x8c, 0x33, 0x60, + 0x2c, 0xee, 0x8f, 0x09, 0xa6, 0xba, 0x07, 0x77, 0x3a, 0xb6, 0xdd, 0xfd, + 0x46, 0xf7, 0x2c, 0x5a, 0xd9, 0xa1, 0x27, 0x68, 0x4c, 0xf4, 0x24, 0x05, + 0xc0, 0x71, 0x1c, 0xd5, 0xdc, 0x60, 0xfa, 0x2d, 0xbe, 0x93, 0xab, 0xd1, + 0xa3, 0xc1, 0x84, 0xa8, 0xb3, 0x55, 0x76, 0x48, 0xb3, 0xdc, 0x7d, 0x4c, + 0x3c, 0xf4, 0x38, 0x1d, 0x06, 0x7b, 0x8f, 0x3e, 0xae, 0xa3, 0xff, 0x42, + 0xc6, 0xa1, 0x86, 0x6d, 0xf6, 0x13, 0x78, 0x97, 0xa4, 0x84, 0x71, 0x9f, + 0xbf, 0xeb, 0x3f, 0xac, 0xbb, 0x32, 0x0d, 0x0f, 0xe6, 0x05, 0x52, 0x41, + 0xfc, 0xa3, 0x34, 0x70, 0x9f, 0xf4, 0xae, 0x87, 0x25, 0x62, 0x99, 0xe5, + 0x76, 0xac, 0x1b, 0x88, 0x17, 0xb7, 0xcb, 0xf8, 0xa0, 0x37, 0x72, 0x51, + 0x72, 0x98, 0xea, 0x7f, 0x45, 0xa4, 0x68, 0xee, 0xba, 0xbf, 0x9f, 0xea, + 0x22, 0x08, 0xad, 0x01, 0xb7, 0x33, 0xa0, 0x33, 0xea, 0x6b, 0xec, 0x33, + 0x2d, 0xbb, 0xfb, 0xff, 0x49, 0x70, 0xde, 0x7c, 0xa8, 0x9f, 0x63, 0x3c, + 0x70, 0x35, 0x43, 0xa7, 0xd8, 0x8c, 0x39, 0x82, 0xf9, 0xbb, 0xcf, 0x6a, + 0x9c, 0x5f, 0x6d, 0xe9, 0x63, 0xf5, 0x32, 0xdb, 0x6e, 0xd8, 0x49, 0xfa, + 0x87, 0xa3, 0x8f, 0x08, 0x41, 0x9b, 0x42, 0xd3, 0x28, 0xc5, 0xa7, 0x33, + 0x76, 0x22, 0x8a, 0x44, 0x4b, 0x91, 0x68, 0xc7, 0xb1, 0xd9, 0x0d, 0x59, + 0x2f, 0xcb, 0x81, 0x63, 0xf6, 0x74, 0x2b, 0x81}, {0x50, 0x9c, 0x69, 0xe8, 0x02, 0xc2, 0xab, 0x81, 0x2f, 0xea, 0x8c, 0x77, 0xf8, 0x9d, 0xd3, 0x21, 0xc0, 0xed, 0xfd, 0x27, 
0x9b, 0x20, 0x0e, 0x93, 0xaa, 0xf4, 0x65, 0x91, 0x88, 0x61, 0x48, 0x72, 0x2b, 0x06, 0x58, 0x4f, @@ -5920,12 +6322,29 @@ const RsaDecryptTestVector kRsa3072DecryptWycheproofVectors[] = { 0x2d, 0x34, 0x9e, 0x54, 0x42, 0x45, 0xca, 0x71, 0x5c, 0xb9, 0x64, 0xf0, 0xbe, 0x18, 0x55, 0x22, 0x9a, 0x9a, 0x6e, 0x9e, 0x6e, 0xa2, 0x0e, 0x63}, priv_key_33, - false}, + true}, // Comment: no zero after padding // tcID: 23 {23, - {0x54, 0x65, 0x73, 0x74}, + // This is a Bleichenbacher synthetic generated result + {0xe5, 0xdb, 0x5e, 0x79, 0xd1, 0x92, 0x5c, 0x09, 0x00, 0x41, 0xee, 0x90, + 0x2b, 0x99, 0xc6, 0xbf, 0x88, 0x31, 0x5f, 0xa5, 0xd6, 0xe4, 0xe6, 0x02, + 0x40, 0x05, 0x87, 0xe2, 0x46, 0xe0, 0x49, 0x6f, 0x63, 0xf2, 0x15, 0x33, + 0x2a, 0x99, 0x6a, 0x93, 0x1a, 0x2f, 0x35, 0x3b, 0x84, 0x18, 0xa5, 0x85, + 0x69, 0xe7, 0x43, 0x1f, 0xe8, 0x8a, 0x7d, 0xde, 0xca, 0xcf, 0x1c, 0xd2, + 0xb0, 0xe3, 0x16, 0x09, 0xfd, 0xf1, 0x33, 0x39, 0x93, 0x96, 0x40, 0xb2, + 0xae, 0x5a, 0x7a, 0x57, 0xf4, 0x65, 0x9d, 0x37, 0x32, 0x7e, 0x54, 0xa8, + 0xe2, 0x8a, 0x85, 0x4a, 0x0e, 0x72, 0xec, 0xa8, 0x5e, 0x9a, 0x49, 0xb7, + 0xd0, 0xff, 0xbc, 0xf6, 0x2a, 0x58, 0xbf, 0x81, 0xcd, 0xf8, 0x0c, 0xca, + 0x3e, 0x21, 0x34, 0x98, 0x95, 0x47, 0xd1, 0x30, 0x8f, 0x8a, 0xb2, 0xd1, + 0xab, 0x72, 0x0c, 0xed, 0xf1, 0x9b, 0x62, 0x05, 0xdc, 0x2e, 0x5e, 0xc1, + 0xd5, 0x6e, 0xac, 0x40, 0x28, 0x5a, 0x15, 0xfd, 0xb7, 0x0c, 0x21, 0x41, + 0xd6, 0x2e, 0x3a, 0x05, 0x35, 0x26, 0x69, 0x7b, 0x4a, 0xdd, 0x21, 0xdf, + 0xfa, 0x60, 0x64, 0xc0, 0xee, 0x92, 0x36, 0x7a, 0x5d, 0x12, 0xbd, 0xe8, + 0x77, 0x85, 0xb5, 0x59, 0x1f, 0x05, 0xf7, 0xbf, 0x20, 0x69, 0x87, 0xcd, + 0x6d, 0x0a, 0x78, 0x51, 0x86, 0x73, 0xde, 0x26, 0x09, 0xf3, 0x86, 0x99, + 0xc3, 0x86, 0x73, 0x4e, 0x29, 0xbe, 0x37, 0xcd, 0x67, 0x99}, {0x9a, 0xc9, 0xda, 0x6b, 0x29, 0xf1, 0xde, 0x85, 0x99, 0xfe, 0x88, 0xbd, 0xb7, 0x01, 0x2c, 0xb0, 0xce, 0x48, 0x17, 0xfb, 0xca, 0xcc, 0x39, 0xb2, 0x73, 0xc5, 0x57, 0xbb, 0x22, 0xd2, 0xc0, 0x19, 0xb8, 0xc5, 0xcd, 0x55, 
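Review bot: tcID 22 (`// Comment: signature padding`) is the only replaced expectation in this run of hunks without the `// This is a Bleichenbacher synthetic generated result` marker; tcID 20, 21 and 23 through 29 all carry it. Its expected bytes also replace `{0x54, 0x65, 0x73, 0x74}`, and the entry presumably fails the encryption-padding check like its neighbours. I would therefore add the same comment line above `{0xc1, 0x4d, 0x31, 0x46, ...`, so it is clear the value is pinned synthetic output rather than a recovered plaintext. If tcID 22 is meant to differ from the others, a short comment saying why would serve the same purpose.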
@@ -5959,12 +6378,20 @@ const RsaDecryptTestVector kRsa3072DecryptWycheproofVectors[] = { 0x24, 0x7e, 0xd9, 0x61, 0xcd, 0xf0, 0x20, 0x5f, 0xa8, 0xaa, 0xde, 0x1f, 0x42, 0xd8, 0x8d, 0xcc, 0xf9, 0x75, 0x19, 0x4e, 0xe0, 0x93, 0x69, 0x72}, priv_key_33, - false}, + true}, // Comment: no padding // tcID: 24 {24, - {0x54, 0x65, 0x73, 0x74}, + // This is a Bleichenbacher synthetic generated result + {0xf8, 0x76, 0xca, 0x14, 0x87, 0xfe, 0xa6, 0x54, 0x9a, 0x0f, 0x2b, 0x8a, + 0x92, 0xe1, 0xf0, 0x86, 0x5c, 0x70, 0x49, 0x0b, 0x8c, 0x15, 0x4f, 0x4e, + 0xd6, 0x31, 0x16, 0x7d, 0x6e, 0x54, 0x44, 0x29, 0x8f, 0xc9, 0x32, 0x3f, + 0x51, 0x0f, 0xe2, 0x71, 0x9f, 0x03, 0x46, 0x69, 0xb5, 0x50, 0xdc, 0xb3, + 0xc1, 0xc0, 0x3c, 0x93, 0x41, 0x5d, 0x1c, 0x2a, 0x1c, 0xa2, 0x6c, 0x1a, + 0xbc, 0xb1, 0x36, 0x02, 0xbb, 0xfd, 0xb0, 0xa9, 0xc1, 0x29, 0x45, 0x41, + 0x26, 0xe4, 0xc5, 0xcc, 0xb1, 0xb3, 0xbd, 0xf7, 0x4a, 0x49, 0x31, 0xc3, + 0xd7, 0x87, 0x52, 0xe5, 0x64, 0x97}, {0x50, 0xe9, 0x74, 0xb2, 0xbf, 0xca, 0x62, 0x3e, 0xdd, 0x2d, 0x79, 0x7e, 0x4e, 0x58, 0x8d, 0xe2, 0x24, 0x78, 0xd5, 0xa8, 0xe5, 0x7c, 0x74, 0xc4, 0x48, 0x44, 0x98, 0x53, 0xba, 0x84, 0xfb, 0x1d, 0x00, 0x73, 0xc1, 0xce, 
@@ -5998,12 +6425,31 @@ const RsaDecryptTestVector kRsa3072DecryptWycheproofVectors[] = { 0x99, 0xd2, 0xcf, 0x38, 0xd3, 0x9d, 0xa3, 0x7f, 0xa1, 0xc7, 0x56, 0x63, 0x6b, 0xfd, 0x57, 0x6e, 0x7d, 0xe0, 0xf2, 0x6a, 0x10, 0x80, 0x30, 0xb5}, priv_key_33, - false}, + true}, // Comment: m = 2 // tcID: 25 {25, - {0x54, 0x65, 0x73, 0x74}, + // This is a Bleichenbacher synthetic generated result + {0x60, 0x24, 0x6b, 0xf3, 0xdb, 0x24, 0x1f, 0xa5, 0x89, 0xa1, 0x16, 0x93, + 0x67, 0xc7, 0x38, 0x07, 0x9a, 0x3d, 0x5d, 0xe2, 0x2d, 0xce, 0xe2, 0x7d, + 0xeb, 0x5e, 0x72, 0x90, 0xb5, 0x22, 0x21, 0xf5, 0xe6, 0xd7, 0xb6, 0x25, + 0xcb, 0x8a, 0x2b, 0xa5, 0x10, 0x82, 0x06, 0x5d, 0xaf, 0xec, 0x99, 0x07, + 0x53, 0xb8, 0x99, 0xb6, 0xc0, 0xe2, 0xe8, 0xb3, 0xc4, 0x8d, 0xec, 0xb8, + 0x56, 0xd6, 0x36, 0xe3, 0xb3, 0x12, 0x2a, 0xc7, 0xaf, 0x54, 0xef, 0xc8, + 0x96, 0x77, 0x13, 0x8f, 0x13, 0x42, 0xa3, 0xdf, 0xd0, 0x24, 0xdc, 0xcd, + 0xdb, 0x46, 0x34, 0xf7, 0x4d, 0x3e, 0xd3, 0x65, 0xa0, 0x90, 0x54, 0xa0, + 0x28, 0x60, 0x0d, 0x2c, 0xb8, 0x36, 0x0b, 0x7c, 0xf0, 0x24, 0xfa, 0x4e, + 0x43, 0x5c, 0xc6, 0xc7, 0xb0, 0xe4, 0xda, 0x54, 0xc9, 0x60, 0xad, 0xae, + 0xbc, 0xb0, 0xd7, 0x80, 0xa7, 0x2e, 0xf3, 0x97, 0x35, 0x19, 0xa4, 0xf5, + 0xf3, 0x76, 0x2e, 0x07, 0x00, 0xc4, 0xad, 0xce, 0x6e, 0xba, 0x94, 0xa9, + 0xee, 0x2e, 0xd4, 0x9b, 0x86, 0xf0, 0xc8, 0xcd, 0x53, 0xfc, 0x8b, 0xe1, + 0xe1, 0x1f, 0xd7, 0x60, 0xa1, 0x5d, 0x6c, 0x4c, 0x65, 0x2f, 0x87, 0x47, + 0x41, 0xfd, 0x66, 0x59, 0x25, 0xa1, 0xd4, 0x71, 0xc6, 0x95, 0xa9, 0xd4, + 0x17, 0x06, 0xa5, 0xe2, 0x3b, 0xce, 0x47, 0xe3, 0x0f, 0xbd, 0xdb, 0x47, + 0xe3, 0x7d, 0x06, 0xac, 0x55, 0x2b, 0x65, 0xd4, 0x99, 0xfd, 0x3a, 0xfb, + 0xba, 0xe5, 0xcb, 0x69, 0x01, 0x12, 0x6f, 0x44, 0x37, 0xa8, 0x0c, 0xbb, + 0xbf, 0xba, 0xdf, 0x98, 0xd0}, {0xab, 0x95, 0x7d, 0x59, 0x86, 0x55, 0x13, 0xc0, 0x59, 0xa7, 0xae, 0x69, 0x14, 0xb3, 0x4e, 0x8e, 0x3e, 0x4a, 0xb9, 0x6c, 0xb6, 0x60, 0x69, 0xe0, 0x14, 0xaa, 0x31, 0x5e, 0x67, 0xb2, 0xad, 0xda, 0xe2, 0xb3, 0xb7, 0x59, 
@@ -6037,12 +6483,38 @@ const RsaDecryptTestVector kRsa3072DecryptWycheproofVectors[] = { 0xdc, 0x71, 0x14, 0x6c, 0x7c, 0xef, 0xa0, 0x77, 0x5c, 0x40, 0x5f, 0x3f, 0xaa, 0xf5, 0x9e, 0x8d, 0x9c, 0xed, 0xbc, 0xca, 0xbf, 0x18, 0x74, 0xbf}, priv_key_33, - false}, + true}, // Comment: m = n-2 // tcID: 26 {26, - {0x54, 0x65, 0x73, 0x74}, + // This is a Bleichenbacher synthetic generated result + {0x03, 0x5b, 0x0a, 0x59, 0xfd, 0xcf, 0x4c, 0x68, 0x4e, 0x8f, 0x03, 0xa5, + 0x06, 0x0a, 0x21, 0x3f, 0x72, 0x92, 0xd7, 0xd9, 0x01, 0x4e, 0xf4, 0xcd, + 0xa7, 0x4b, 0x4d, 0xff, 0xd2, 0x81, 0x1e, 0xce, 0x1f, 0xf4, 0x9a, 0x4c, + 0x91, 0x28, 0xe5, 0xe4, 0x51, 0x20, 0x15, 0xfa, 0x4f, 0x6c, 0xb6, 0xd4, + 0x34, 0xa4, 0x6d, 0x37, 0xfa, 0x30, 0x53, 0x07, 0xc1, 0xf5, 0xa9, 0x3f, + 0xff, 0xe8, 0xd6, 0x22, 0x84, 0x01, 0xab, 0x22, 0x35, 0xfc, 0xbb, 0xa6, + 0xe4, 0x62, 0x93, 0x48, 0xe1, 0xb5, 0x83, 0xd9, 0xff, 0xbc, 0xf8, 0x41, + 0xcf, 0x20, 0xe7, 0x27, 0xbb, 0x92, 0xa9, 0x8a, 0x47, 0x6e, 0xa2, 0x1f, + 0x47, 0x75, 0xbf, 0x66, 0x05, 0xcc, 0x79, 0x3f, 0xe9, 0xc7, 0xd9, 0x0b, + 0xf3, 0x4b, 0xd6, 0xb9, 0xfc, 0x56, 0x16, 0x00, 0x37, 0x9a, 0x00, 0xab, + 0xae, 0xc1, 0x55, 0x6d, 0x32, 0xaa, 0x9d, 0x3a, 0x2a, 0xe5, 0x3c, 0x22, + 0x14, 0x64, 0xe4, 0xcd, 0x96, 0xdc, 0x37, 0x4c, 0xdc, 0xcd, 0xf5, 0x30, + 0xe8, 0xfd, 0x3e, 0xd6, 0x69, 0xa5, 0x5c, 0x52, 0x5c, 0x1d, 0xa1, 0xe6, + 0x7f, 0xc7, 0xf3, 0x98, 0x14, 0xc0, 0x47, 0x89, 0xa5, 0x10, 0xac, 0x20, + 0x44, 0x8d, 0x29, 0xde, 0x7e, 0x67, 0x03, 0xa3, 0xb2, 0x87, 0xb0, 0x66, + 0xb8, 0xfa, 0x43, 0x1f, 0xd6, 0xa9, 0x68, 0xf5, 0x3a, 0xc8, 0x44, 0x20, + 0x76, 0xb3, 0x07, 0x54, 0x82, 0xdc, 0xa4, 0x50, 0x32, 0xfe, 0xc9, 0xe8, + 0x52, 0x6f, 0x22, 0xe0, 0xd6, 0x9e, 0xd0, 0xaf, 0xe3, 0x0b, 0x0a, 0xaf, + 0xfa, 0x8a, 0x1e, 0xe5, 0x42, 0xfd, 0x94, 0x17, 0xf5, 0xe8, 0xca, 0x5c, + 0x12, 0x04, 0x58, 0x18, 0xa5, 0x3c, 0x4d, 0x42, 0xcf, 0x0f, 0xc3, 0x08, + 0x7e, 0x17, 0xff, 0x31, 0x34, 0x90, 0x14, 0x08, 0x58, 0x89, 0xaf, 0x6e, + 0x5c, 0x10, 0x4e, 0x5e, 0xc0, 0xcf, 0x7a, 0x68, 0x6b, 
0xba, 0xe6, 0xb8, + 0x73, 0x4a, 0xe1, 0x1d, 0xdb, 0xa5, 0xa1, 0x97, 0x69, 0x70, 0xcf, 0x56, + 0x4f, 0x16, 0x50, 0xff, 0x6c, 0xac, 0x77, 0x0f, 0x99, 0x6f, 0xbd, 0x14, + 0x25, 0x76, 0x5e, 0x79, 0x29, 0xc7, 0x0c, 0xdd, 0xa6, 0x5d, 0xa9, 0x46, + 0x0e, 0x52, 0xb2, 0x02, 0x96, 0xa6, 0x3c, 0x4c, 0xca, 0xd6, 0xe7, 0x94}, {0x30, 0xf9, 0xfb, 0x26, 0xe0, 0xd9, 0xf9, 0x39, 0x7c, 0x8e, 0x69, 0x3f, 0x90, 0xd8, 0x8e, 0x98, 0xdb, 0xc5, 0xe2, 0x41, 0x23, 0xaf, 0x3e, 0x46, 0xe4, 0xa1, 0x59, 0x1a, 0xed, 0x74, 0x08, 0xc9, 0xb7, 0xcc, 0x9e, 0xf3, 
@@ -6076,12 +6548,44 @@ const RsaDecryptTestVector kRsa3072DecryptWycheproofVectors[] = { 0x34, 0x22, 0xb3, 0x09, 0x05, 0xd0, 0x41, 0x34, 0xfd, 0x53, 0x08, 0x07, 0x55, 0xc0, 0xa4, 0xb5, 0x9c, 0xf2, 0x67, 0x88, 0x56, 0xbf, 0xfb, 0x0c}, priv_key_33, - false}, + true}, // Comment: c = 0 // tcID: 27 {27, - {0x54, 0x65, 0x73, 0x74}, + // This is a Bleichenbacher synthetic generated result + {0x71, 0x7f, 0xee, 0xde, 0x76, 0x08, 0x18, 0xb0, 0x1c, 0x7a, 0x1c, 0x66, + 0x0e, 0x40, 0xdc, 0x23, 0xa8, 0x53, 0xec, 0x41, 0x2a, 0x79, 0x2f, 0x23, + 0xc1, 0x6b, 0x27, 0x00, 0xe2, 0xca, 0xbc, 0xc1, 0x01, 0x59, 0xb6, 0x6c, + 0x66, 0x42, 0x88, 0x38, 0x9e, 0xf5, 0x26, 0x5a, 0xe7, 0x44, 0x9c, 0x22, + 0x0d, 0xb9, 0x86, 0xfb, 0xb4, 0xae, 0xa6, 0xa7, 0xb4, 0xcc, 0xbc, 0x32, + 0x31, 0x26, 0x0b, 0xe6, 0xe2, 0x50, 0xc2, 0x27, 0xdf, 0x63, 0x20, 0x9c, + 0xec, 0x2e, 0x68, 0x25, 0x87, 0x4c, 0xb5, 0x28, 0x3e, 0xef, 0x43, 0x41, + 0x27, 0x7c, 0x14, 0xfb, 0xf2, 0x7b, 0xbd, 0x3d, 0xd9, 0x08, 0x7c, 0xaa, + 0xa3, 0x2c, 0xd3, 0x83, 0xde, 0xac, 0x69, 0xc7, 0x8a, 0xbf, 0x5d, 0xa2, + 0x83, 0x07, 0x0b, 0x07, 0x9c, 0xa3, 0xdb, 0xdb, 0x12, 0x85, 0x95, 0x44, + 0xa6, 0xde, 0x19, 0x2c, 0xf6, 0x78, 0x7a, 0xea, 0xbc, 0xa1, 0x0a, 0xec, + 0xd0, 0x3f, 0x70, 0x2b, 0x71, 0xfe, 0xef, 0x8f, 0xbc, 0x49, 0x09, 0x6b, + 0x47, 0x2c, 0xe0, 0x68, 0xa5, 0x88, 0xfc, 0x40, 0x56, 0xdf, 0xcb, 0xf0, + 0x78, 0x66, 0xff, 0xf7, 0xac, 0xf3, 0x8f, 0xc2, 0x01, 0x4a, 0x63, 0xe2, + 0x70, 0xe3, 0xbb, 0x6b, 0x60, 0x74, 0xde, 0x60, 0xa5, 0xa7, 0xe0, 0x37, + 0x20, 0xcf, 0xb3, 0xcd, 0xbd, 0x2a, 0xb1, 0xd6, 0x58, 0xaf, 0xdd, 0xdf, + 0x09, 0xd7, 0x40, 0x80, 0x4d, 0xbc, 0x8b, 0xb8, 0xd9, 0x07, 0xf6, 0xe0, + 0xe3, 0x8c, 0x81, 0x55, 0x14, 0x75, 0x8a, 0xc5, 0x96, 0xe3, 0xb1, 0x92, + 0x67, 0xfc, 0x5b, 0x44, 0x01, 0xc8, 0xa6, 0x0e, 0xbc, 0xb8, 0x92, 0xae, + 0x55, 0xd7, 0xf0, 0x7a, 0xc9, 0x9e, 0x65, 0x3b, 0xda, 0xdf, 0xc3, 0x4f, + 0x11, 0x06, 0x11, 0x49, 0xae, 0xdf, 0xc0, 0x82, 0x36, 0x13, 0x0f, 0x36, + 0xf0, 0x47, 0xe2, 0xea, 0x8e, 0x78, 0x84, 0x01, 0x7a, 
0xc8, 0x6c, 0x71, + 0x09, 0xda, 0xd7, 0xa3, 0xa3, 0xfc, 0x7f, 0x9d, 0x3e, 0x53, 0x37, 0xe3, + 0x4f, 0x88, 0x43, 0xc1, 0x62, 0x5e, 0xcd, 0xe3, 0xcd, 0x72, 0xb1, 0x46, + 0x44, 0x3f, 0x0d, 0xc6, 0x58, 0xf7, 0xbd, 0xd4, 0x27, 0x8f, 0xc3, 0xcf, + 0xaa, 0x8e, 0x3c, 0x7b, 0x63, 0x87, 0xe0, 0x39, 0x2c, 0x2a, 0xc9, 0x8d, + 0x59, 0xa2, 0xe7, 0x7a, 0x3a, 0x7e, 0xde, 0x66, 0x9e, 0xb5, 0x61, 0x03, + 0x4a, 0x06, 0xa4, 0xec, 0xf8, 0xf6, 0x1d, 0x18, 0xd3, 0xc3, 0x20, 0x86, + 0xcc, 0x4b, 0xf8, 0x75, 0x21, 0x78, 0x42, 0x4e, 0x36, 0x0e, 0x5b, 0xa4, + 0xe6, 0xc7, 0xb8, 0x11, 0xbb, 0xaa, 0xff, 0x14, 0xbd, 0x27, 0x34, 0xd4, + 0xa4, 0x7a, 0xac, 0xef, 0xe1, 0x6f, 0x1d, 0x31, 0xae, 0xa9, 0x50, 0xef, + 0x12}, {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, @@ -6115,12 +6619,14 @@ const RsaDecryptTestVector kRsa3072DecryptWycheproofVectors[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, priv_key_33, - false}, + true}, // Comment: c = 1 // tcID: 28 {28, - {0x54, 0x65, 0x73, 0x74}, + // This is a Bleichenbacher synthetic generated result + {0x4f, 0x7a, 0xe4, 0x9f, 0x5c, 0x41, 0xaf, 0xec, 0x9c, 0xdc, 0xa8, + 0x0e, 0x10, 0x75, 0xec, 0xda, 0xbe, 0x3e, 0x44, 0xb8, 0x76, 0xeb}, {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
@@ -6154,12 +6660,21 @@ const RsaDecryptTestVector kRsa3072DecryptWycheproofVectors[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}, priv_key_33, - false}, + true}, // Comment: c = n-1 // tcID: 29 {29, - {0x54, 0x65, 0x73, 0x74}, + // This is a Bleichenbacher synthetic generated result + {0x3c, 0xe0, 0x96, 0x42, 0x5b, 0x21, 0xc9, 0x4f, 0xc5, 0x53, 0x96, 0xa9, + 0x1a, 0x6a, 0x37, 0xcf, 0x8e, 0x55, 0xac, 0x32, 0x34, 0xee, 0xa9, 0xba, + 0x85, 0x76, 0x10, 0x1f, 0x0c, 0x80, 0x37, 0xf5, 0x5c, 0x0e, 0xe0, 0x3c, + 0xdc, 0xf7, 0xf3, 0xe8, 0x3e, 0xe7, 0x74, 0x70, 0xe6, 0x19, 0x92, 0x75, + 0xc9, 0x76, 0x4c, 0x36, 0x18, 0x47, 0x1b, 0xf6, 0x39, 0x4e, 0xde, 0x9a, + 0x69, 0x0a, 0x46, 0xa6, 0x61, 0xcf, 0x9c, 0xfb, 0x6c, 0xe2, 0xdc, 0xdc, + 0x54, 0x96, 0x40, 0x8c, 0xf4, 0xee, 0x9f, 0x0a, 0xff, 0x10, 0x63, 0x09, + 0xb5, 0xe1, 0xc3, 0x96, 0xbb, 0x92, 0xdd, 0xc3, 0xb6, 0x44, 0xb7, 0xe8, + 0xef, 0xa0, 0x99, 0xd3, 0xe2, 0x1d, 0x7c, 0x4c, 0x04, 0x24, 0x0b, 0x7b}, {0xdc, 0x8f, 0x78, 0x80, 0x67, 0x2f, 0x0c, 0xf9, 0xd6, 0x36, 0x17, 0xa8, 0xa5, 0x8b, 0xdd, 0x27, 0x1a, 0x10, 0x9b, 0xad, 0xda, 0x0f, 0xa8, 0x26, 0xf9, 0x4b, 0x8a, 0x79, 0x55, 0x26, 0xb6, 0xa4, 0x9a, 0x80, 0x56, 0x4c, @@ -6193,7 +6708,7 @@ const RsaDecryptTestVector kRsa3072DecryptWycheproofVectors[] = { 0x10, 0x93, 0xc7, 0x75, 0x82, 0xbf, 0xe1, 0xac, 0x59, 0x93, 0x67, 0x47, 0x00, 0xb6, 0x43, 0x43, 0x39, 0xe0, 0x24, 0x53, 0x15, 0xd8, 0x6f, 0xca}, priv_key_33, - false}, + true}, // Comment: ciphertext is empty // tcID: 30 
@@ -7633,38 +8148,31 @@ const RsaDecryptTestVector kRsa3072DecryptWycheproofVectors[] = { // Comment: edge case for montgomery reduction with special primes // tcID: 56 {56, - {0x62, 0x92, 0x16, 0xbe, 0x33, 0x3c, 0x6a, 0x51, 0x7f, 0xb3, 0x42, 0x7d, - 0x03, 0x94, 0x51, 0x1f, 0xa3, 0xc2, 0x4a, 0x71, 0x11, 0x3f, 0x12, 0x34, - 0xbe, 0xa7, 0xfd, 0x4e, 0x07, 0x28, 0xf6, 0xc6, 0x58, 0x72, 0x41, 0x50, - 0x29, 0xfd, 0x0a, 0xaa, 0xf1, 0xac, 0x7d, 0xae, 0x14, 0xd3, 0x85, 0x03, - 0xdb, 0x27, 0x1d, 0xb4, 0x72, 0xbb, 0xb2, 0x12, 0xbe, 0x45, 0x3c, 0xea, - 0xc6, 0xab, 0x62, 0x2e, 0x75, 0xd5, 0xe3, 0x23, 0xf6, 0x35, 0x3c, 0xe8, - 0xb5, 0xe7, 0x99, 0x3b, 0x6b, 0xe3, 0x9c, 0x30, 0x08, 0x8d, 0x2b, 0x94, - 0xe8, 0x56, 0x33, 0xbe, 0x10, 0x3c, 0xa5, 0xd9, 0xcc, 0xfd, 0xc2, 0x3c, - 0x5a, 0xd2, 0x1a, 0x1a, 0x13, 0xcf, 0x19, 0xc3, 0x90, 0x1f, 0xe8, 0x84, - 0x55, 0x72, 0x60, 0x0c, 0xc7, 0xe5, 0xdf, 0x31, 0x6f, 0x62, 0xe2, 0x23, - 0x7e, 0x22, 0x4b, 0x4e, 0x01, 0xed, 0xb3, 0x2c, 0x81, 0x9f, 0x36, 0x4f, - 0x0c, 0x9f, 0xdc, 0x1f, 0x28, 0xda, 0xd2, 0xb6, 0x92, 0x1c, 0x79, 0x52, - 0xa2, 0x5a, 0x03, 0xe5, 0x9e, 0xf8, 0xd6, 0xc3, 0xa6, 0x1a, 0x54, 0xc4, - 0x6c, 0xfb, 0xad, 0x22, 0xe1, 0x86, 0x20, 0x1e, 0x59, 0xe1, 0x22, 0x01, - 0x8d, 0xc9, 0xbb, 0xc7, 0x44, 0xc5, 0x6c, 0xe6, 0x31, 0xcc, 0x11, 0xf9, - 0x52, 0x3f, 0x79, 0xb4, 0x1f, 0xf7, 0x97, 0x11, 0xee, 0xa6, 0x33, 0x37, - 0xc2, 0x4b, 0xfa, 0x37, 0x91, 0x0f, 0x91, 0x78, 0x3b, 0x78, 0xa4, 0xfe, - 0x22, 0xb8, 0x0e, 0x52, 0xe3, 0xe1, 0x03, 0x4f, 0xcb, 0x33, 0x6d, 0xae, - 0x90, 0x12, 0x24, 0x23, 0x66, 0x92, 0x30, 0xcd, 0x46, 0xfe, 0x54, 0x3c, - 0x1e, 0x0e, 0xd8, 0x09, 0x48, 0xd5, 0x0b, 0x7e, 0xcc, 0xf6, 0xc2, 0x22, - 0xbf, 0xcd, 0xb6, 0x1f, 0x84, 0xc9, 0x20, 0xd2, 0xe4, 0xdc, 0x9d, 0x5e, - 0xaa, 0xa1, 0x41, 0x5b, 0x13, 0xc7, 0x4f, 0x18, 0xb9, 0x41, 0x82, 0x05, - 0x6e, 0x10, 0x35, 0x62, 0xdc, 0x03, 0x32, 0x09, 0x30, 0xc2, 0x02, 0x66, - 0xbd, 0xec, 0xff, 0x56, 0xaa, 0xfb, 0xb5, 0xbd, 0x3a, 0x0a, 0xc6, 0x8b, - 0x66, 0x9b, 0xfe, 0x70, 0xe3, 0x29, 0xeb, 
0xfe, 0x8e, 0xc8, 0x7c, 0xea, - 0x99, 0xff, 0x0b, 0x51, 0xce, 0x7d, 0xd0, 0x69, 0x4f, 0x07, 0x50, 0x98, - 0xa6, 0x77, 0xa4, 0x74, 0x3e, 0x10, 0xd3, 0xe3, 0x7f, 0x1f, 0xab, 0x84, - 0x9d, 0xba, 0x39, 0xa9, 0xc7, 0x39, 0xf1, 0xed, 0x15, 0x0f, 0xe7, 0x95, - 0x2b, 0x35, 0x20, 0x2f, 0xb6, 0x13, 0x8d, 0x24, 0xb2, 0xbf, 0x55, 0xe4, - 0x9b, 0xc7, 0x00, 0x6c, 0xf7, 0x8e, 0xa8, 0x05, 0x13, 0x59, 0x83, 0x10, - 0xc8, 0xb0, 0x21, 0x3b, 0xc8, 0x52, 0x5b, 0x92, 0x9e, 0x58, 0x12, 0x94, - 0xc4, 0x96}, + // This is a Bleichenbacher synthetic generated result + {0x74, 0x81, 0xb5, 0xd5, 0x98, 0xf1, 0xd8, 0x0d, 0x5b, 0x30, 0xae, 0x89, + 0x41, 0x91, 0x27, 0x44, 0x18, 0x76, 0x54, 0xca, 0x56, 0x23, 0x17, 0xc6, + 0x64, 0xdc, 0x2d, 0x0a, 0x4c, 0xe0, 0xdc, 0x3d, 0x0d, 0x05, 0x52, 0x05, + 0x5b, 0xc5, 0x7e, 0xd0, 0x26, 0x36, 0x5e, 0x13, 0xf8, 0x63, 0xa3, 0x7d, + 0x7c, 0x84, 0xbc, 0x90, 0x61, 0x88, 0xd3, 0xe7, 0xd6, 0x3b, 0xf1, 0x54, + 0x58, 0x42, 0xdc, 0xa3, 0x75, 0x51, 0x18, 0xdb, 0xfe, 0x26, 0xc7, 0x8d, + 0x24, 0x0f, 0x67, 0x63, 0x71, 0xab, 0xb4, 0xca, 0x29, 0x9f, 0x27, 0x63, + 0x7a, 0x0a, 0x18, 0xe9, 0xa6, 0x79, 0x10, 0xce, 0x2d, 0x21, 0x76, 0x05, + 0x60, 0x36, 0x04, 0x2f, 0x19, 0x7d, 0xf4, 0x4e, 0xfd, 0x59, 0x41, 0xbc, + 0x05, 0xcf, 0xd2, 0xca, 0xf8, 0xa3, 0xe4, 0x28, 0x34, 0x75, 0x99, 0x94, + 0xee, 0xd4, 0xa5, 0x25, 0x01, 0x8d, 0xd3, 0xb0, 0xc3, 0x24, 0x71, 0x7f, + 0xa2, 0x7c, 0x9e, 0x98, 0x01, 0x99, 0xc1, 0xfa, 0x0f, 0x09, 0xa2, 0xdc, + 0x0c, 0x3d, 0x67, 0x92, 0x27, 0xb7, 0xb0, 0x42, 0xf6, 0x76, 0x55, 0x4c, + 0xff, 0x6f, 0x70, 0x0a, 0x02, 0x6d, 0x58, 0x3c, 0xad, 0x1c, 0x49, 0xe6, + 0x0a, 0x2a, 0xcb, 0x61, 0xc9, 0x5e, 0x8e, 0x23, 0xb4, 0x37, 0xb6, 0x9a, + 0xe8, 0x00, 0x24, 0xb6, 0x95, 0x0c, 0x44, 0x00, 0xa0, 0x34, 0xaf, 0xfa, + 0xe9, 0x16, 0xf1, 0x2c, 0x2e, 0x23, 0xa3, 0xc7, 0xd3, 0x61, 0x31, 0xb7, + 0xfe, 0xfd, 0xab, 0x8f, 0x36, 0xaf, 0x8e, 0xd5, 0xbe, 0x4d, 0x4a, 0xc4, + 0x1c, 0xb6, 0x20, 0x6d, 0x0f, 0x3a, 0x01, 0x04, 0x62, 0x5f, 0x28, 0xb2, + 0xfb, 0x57, 0xa1, 0xd3, 0x31, 0x60, 0x51, 
0xf2, 0x24, 0x2e, 0xf5, 0x3a, + 0x15, 0xef, 0x84, 0x1d, 0x76, 0x17, 0xee, 0xf4, 0xc0, 0x14, 0x88, 0x9a, + 0xde, 0x84, 0x1c, 0xbf, 0x9f, 0x5b, 0x7e, 0x63, 0x92, 0x38, 0x9e, 0xeb, + 0xf0, 0x0c, 0x2c, 0xba, 0xae, 0xe7, 0x33, 0x74, 0x21, 0x70, 0x64, 0x38, + 0x54, 0x22, 0x49}, {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, @@ -7698,7 +8206,7 @@ const RsaDecryptTestVector kRsa3072DecryptWycheproofVectors[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, priv_key_56, - false}, + true}, // Comment: edge case for montgomery reduction with special primes // tcID: 57 
@@ -8212,6 +8720,585 @@ const RsaDecryptTestVector kRsa3072DecryptWycheproofVectors[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, priv_key_65, - true}}; + true}, + + // and invalid ciphertext that generates a synthethic plaintext + // that's zero bytes in length + {66, + {}, + {0x5e, 0x95, 0x6c, 0xd9, 0x65, 0x2f, 0x4a, 0x2e, 0xce, 0x90, 0x29, 0x31, + 0x01, 0x3e, 0x09, 0x66, 0x2b, 0x6a, 0x92, 0x57, 0xad, 0x1e, 0x98, 0x7f, + 0xb7, 0x5f, 0x73, 0xa0, 0x60, 0x6d, 0xf2, 0xa4, 0xb0, 0x47, 0x89, 0x77, + 0x08, 0x20, 0xc2, 0xe0, 0x23, 0x22, 0xc4, 0xe8, 0x26, 0xf7, 0x67, 0xbd, + 0x89, 0x57, 0x34, 0xa0, 0x1e, 0x20, 0x60, 0x9c, 0x3b, 0xe4, 0x51, 0x7a, + 0x7a, 0x2a, 0x58, 0x9e, 0xa1, 0xcd, 0xc1, 0x37, 0xbe, 0xb7, 0x3e, 0xb3, + 0x8d, 0xac, 0x78, 0x1b, 0x52, 0xe8, 0x63, 0xde, 0x96, 0x20, 0xf7, 0x9f, + 0x9b, 0x90, 0xfd, 0x5b, 0x95, 0x36, 0x51, 0xfc, 0xbf, 0xef, 0x4a, 0x9f, + 0x1c, 0xc0, 0x74, 0x21, 0xd5, 0x11, 0xa8, 0x7d, 0xd6, 0x94, 0x2c, 0xaa, + 0xb6, 0xa5, 0xa0, 0xf4, 0xdf, 0x47, 0x3e, 0x62, 0xde, 0xfb, 0x52, 0x9a, + 0x7d, 0xe1, 0x50, 0x9a, 0xb9, 0x9c, 0x59, 0x6e, 0x1d, 0xff, 0x13, 0x20, + 0x40, 0x22, 0x98, 0xd8, 0xbe, 0x73, 0xa8, 0x96, 0xcc, 0x86, 0xc3, 0x8a, + 0xe3, 0xf2, 0xf5, 0x76, 0xe9, 0xea, 0x70, 0xcc, 0x28, 0xad, 0x57, 0x5c, + 0xb0, 0xf8, 0x54, 0xf0, 0xbe, 0x43, 0x18, 0x6b, 0xaa, 0x9c, 0x18, 0xe2, + 0x9c, 0x47, 0xc6, 0xca, 0x77, 0x13, 0x5d, 0xb7, 0x9c, 0x81, 0x12, 0x31, + 0xb7, 0xc1, 0x73, 0x09, 0x55, 0x88, 0x7d, 0x32, 0x1f, 0xdc, 0x06, 0x56, + 0x83, 0x82, 0xb8, 0x66, 0x43, 0xcf, 0x08, 0x9b, 0x10, 0xe3, 0x5a, 0xb2, + 0x3e, 0x82, 0x7d, 0x2e, 0x5a, 0xa7, 0xb4, 0xe9, 0x9f, 0xf2, 0xe9, 0x14, + 0xf3, 0x02, 0x35, 0x18, 0x19, 0xeb, 0x4d, 0x16, 0x93, 0x24, 0x3b, 0x35, + 0xf8, 0xbf, 0x1d, 0x42, 0xd0, 0x8f, 0x8e, 0xc4, 0xac, 0xaf, 0xa3, 0x5f, + 0x74, 0x7a, 0x4a, 0x97, 0x5a, 0x28, 0x64, 0x3e, 0xc6, 0x30, 0xd8, 0xe4, + 0xfa, 0x5b, 0xe5, 0x9d, 0x81, 0x99, 0x56, 0x60, 0xa1, 0x4b, 
0xb6, 0x4c, + 0x1f, 0xea, 0x51, 0x46, 0xd6, 0xb1, 0x1f, 0x92, 0xda, 0x6a, 0x39, 0x56, + 0xdd, 0x5c, 0xb5, 0xe0, 0xd7, 0x47, 0xcf, 0x2e, 0xa2, 0x3f, 0x81, 0x61, + 0x77, 0x69, 0x18, 0x53, 0x36, 0x26, 0x3d, 0x46, 0xef, 0x4c, 0x14, 0x4b, + 0x75, 0x4d, 0xe6, 0x2a, 0x63, 0x37, 0x34, 0x2d, 0x6c, 0x85, 0xa9, 0x5f, + 0x19, 0xf0, 0x15, 0x72, 0x45, 0x46, 0xee, 0x3f, 0xc4, 0x82, 0x3e, 0xca, + 0x60, 0x3d, 0xbc, 0x1d, 0xc0, 0x1c, 0x2d, 0x5e, 0xd5, 0x0b, 0xd7, 0x2d, + 0x8e, 0x96, 0xdf, 0x2d, 0xc0, 0x48, 0xed, 0xde, 0x00, 0x81, 0x28, 0x40, + 0x68, 0x28, 0x3f, 0xc5, 0xe7, 0x3a, 0x61, 0x39, 0x85, 0x1a, 0xbf, 0x2f, + 0x29, 0x97, 0x7d, 0x0b, 0x3d, 0x16, 0x0c, 0x88, 0x3a, 0x42, 0xa3, 0x7e, + 0xfb, 0xa1, 0xbe, 0x05, 0xc1, 0xa0, 0xb1, 0x74, 0x1d, 0x7d, 0xdf, 0x59}, + priv_key_3b, + true}, + + // an invalid ciphertext that generates last length that's one byte + // too long for the key size, so the second to last value needs to get + // used + {67, + {0x56, 0xa3, 0xbe, 0xa0, 0x54, 0xe0, 0x13, 0x38, 0xbe, 0x9b, 0x7d, 0x79, + 0x57, 0x53, 0x9c}, + {0x7d, 0xb0, 0x39, 0x0d, 0x75, 0xfc, 0xf9, 0xd4, 0xc5, 0x9c, 0xf2, 0x7b, + 0x26, 0x41, 0x90, 0xd8, 0x56, 0xda, 0x9a, 0xbd, 0x11, 0xe9, 0x23, 0x34, + 0xd0, 0xe5, 0xf7, 0x10, 0x05, 0xcf, 0xed, 0x86, 0x5a, 0x71, 0x1d, 0xfa, + 0x28, 0xb7, 0x91, 0x18, 0x83, 0x74, 0xb6, 0x19, 0x16, 0xdb, 0xc1, 0x13, + 0x39, 0xbf, 0x14, 0xb0, 0x6f, 0x5f, 0x3f, 0x68, 0xc2, 0x06, 0xc5, 0x60, + 0x73, 0x80, 0xe1, 0x3d, 0xa3, 0x12, 0x9b, 0xfb, 0x74, 0x41, 0x57, 0xe1, + 0x52, 0x7d, 0xd6, 0xfd, 0xf6, 0x65, 0x12, 0x48, 0xb0, 0x28, 0xa4, 0x96, + 0xae, 0x1b, 0x97, 0x70, 0x2d, 0x44, 0x70, 0x60, 0x43, 0xcd, 0xaa, 0x7a, + 0x59, 0xc0, 0xf4, 0x13, 0x67, 0x30, 0x3f, 0x21, 0xf2, 0x68, 0x96, 0x8b, + 0xf3, 0xbd, 0x29, 0x04, 0xdb, 0x3a, 0xe5, 0x23, 0x9b, 0x55, 0xf8, 0xb4, + 0x38, 0xd9, 0x3d, 0x7d, 0xb9, 0xd1, 0x66, 0x6c, 0x07, 0x1c, 0x08, 0x57, + 0xe2, 0xec, 0x37, 0x75, 0x74, 0x63, 0x76, 0x9c, 0x54, 0xe5, 0x1f, 0x05, + 0x2b, 0x2a, 0x71, 0xb0, 0x4c, 0x28, 0x69, 0xe9, 0xe7, 0x04, 0x9a, 0x10, + 
0x37, 0xb8, 0x42, 0x92, 0x06, 0xc9, 0x97, 0x26, 0xf0, 0x72, 0x89, 0xba, + 0xc1, 0x83, 0x63, 0xe7, 0xeb, 0x2a, 0x5b, 0x41, 0x7f, 0x47, 0xc3, 0x7a, + 0x55, 0x09, 0x0c, 0xda, 0x67, 0x65, 0x17, 0xb3, 0x54, 0x9c, 0x87, 0x3f, + 0x2f, 0xe9, 0x5d, 0xa9, 0x68, 0x17, 0x52, 0xec, 0x98, 0x64, 0xb0, 0x69, + 0x08, 0x9a, 0x2e, 0xd2, 0xf3, 0x40, 0xc8, 0xb0, 0x4e, 0xe0, 0x00, 0x79, + 0x05, 0x5a, 0x81, 0x7a, 0x33, 0x55, 0xb4, 0x6a, 0xc7, 0xdc, 0x00, 0xd1, + 0x7f, 0x45, 0x04, 0xcc, 0xfb, 0xcf, 0xca, 0xdb, 0x0c, 0x04, 0xcb, 0x6b, + 0x22, 0x06, 0x9e, 0x17, 0x93, 0x85, 0xae, 0x1e, 0xaf, 0xab, 0xad, 0x55, + 0x21, 0xba, 0xc2, 0xb8, 0xa8, 0xee, 0x1d, 0xff, 0xf5, 0x9a, 0x22, 0xeb, + 0x3f, 0xda, 0xcf, 0xc8, 0x71, 0x75, 0xd1, 0x0d, 0x78, 0x94, 0xcf, 0xd8, + 0x69, 0xd0, 0x56, 0x05, 0x7d, 0xd9, 0x94, 0x4b, 0x86, 0x9c, 0x17, 0x84, + 0xfc, 0xc2, 0x7f, 0x73, 0x1b, 0xc4, 0x61, 0x71, 0xd3, 0x95, 0x70, 0xfb, + 0xff, 0xba, 0xdf, 0x08, 0x2d, 0x33, 0xf6, 0x35, 0x2e, 0xcf, 0x44, 0xac, + 0xa8, 0xd9, 0x47, 0x8e, 0x53, 0xf5, 0xa5, 0xb7, 0xc8, 0x52, 0xb4, 0x01, + 0xe8, 0xf5, 0xf7, 0x4d, 0xa4, 0x9d, 0xa9, 0x1e, 0x65, 0xbd, 0xc9, 0x77, + 0x65, 0xa9, 0x52, 0x3b, 0x7a, 0x08, 0x85, 0xa6, 0xf8, 0xaf, 0xe5, 0x75, + 0x9d, 0x58, 0x00, 0x9f, 0xbf, 0xa8, 0x37, 0x47, 0x2a, 0x96, 0x8e, 0x6a, + 0xe9, 0x20, 0x26, 0xa5, 0xe0, 0x20, 0x2a, 0x39, 0x54, 0x83, 0x09, 0x53, + 0x02, 0xd6, 0xc3, 0x98, 0x5b, 0x5f, 0x58, 0x31, 0xc5, 0x21, 0xa2, 0x71}, + priv_key_3b, + true}, + // an invalid ciphertext that generates a plaintext of maximum size + // for this key size + {68, + {0x7b, 0x03, 0x6f, 0xcd, 0x62, 0x43, 0x90, 0x0e, 0x42, 0x36, 0xc8, 0x94, + 0xe2, 0x46, 0x2c, 0x17, 0x73, 0x8a, 0xcc, 0x87, 0xe0, 0x1a, 0x76, 0xf4, + 0xd9, 0x5c, 0xb9, 0xa3, 0x28, 0xd9, 0xac, 0xde, 0x81, 0x65, 0x02, 0x83, + 0xb8, 0xe8, 0xf6, 0x0a, 0x21, 0x7e, 0x3b, 0xde, 0xe8, 0x35, 0xc7, 0xb2, + 0x22, 0xad, 0x4c, 0x85, 0xd0, 0xac, 0xdb, 0x9a, 0x30, 0x9b, 0xd2, 0xa7, + 0x54, 0x60, 0x9a, 0x65, 0xde, 0xc5, 0x0f, 0x3a, 0xa0, 0x4c, 0x6d, 0x58, + 0x91, 0x03, 0x45, 0x66, 
0xb9, 0x56, 0x3d, 0x42, 0x66, 0x8e, 0xde, 0x1f, + 0x89, 0x92, 0xb1, 0x77, 0x53, 0xa2, 0x13, 0x2e, 0x28, 0x97, 0x05, 0x84, + 0xe2, 0x55, 0xef, 0xc8, 0xb4, 0x5a, 0x41, 0xc5, 0xdb, 0xd7, 0x56, 0x7f, + 0x01, 0x4a, 0xce, 0xc5, 0xfe, 0x6f, 0xdb, 0x6d, 0x48, 0x47, 0x90, 0x36, + 0x0a, 0x91, 0x3e, 0xbb, 0x9d, 0xef, 0xcd, 0x74, 0xff, 0x37, 0x7f, 0x2a, + 0x8b, 0xa4, 0x6d, 0x2e, 0xd8, 0x5f, 0x73, 0x3c, 0x9a, 0x3d, 0xa0, 0x8e, + 0xb5, 0x7e, 0xce, 0xdf, 0xaf, 0xda, 0x80, 0x67, 0x78, 0xf0, 0x3c, 0x66, + 0xb2, 0xc5, 0xd2, 0x87, 0x4c, 0xec, 0x1c, 0x29, 0x1b, 0x2d, 0x49, 0xeb, + 0x19, 0x4c, 0x7b, 0x5d, 0x0d, 0xd2, 0x90, 0x8a, 0xe9, 0x0f, 0x48, 0x43, + 0x26, 0x8a, 0x2c, 0x45, 0x56, 0x30, 0x92, 0xad, 0xe0, 0x8a, 0xcb, 0x6a, + 0xb4, 0x81, 0xa0, 0x81, 0x76, 0x10, 0x2f, 0xc8, 0x03, 0xfb, 0xb2, 0xf8, + 0xad, 0x11, 0xb0, 0xe1, 0x53, 0x1b, 0xd3, 0x7d, 0xf5, 0x43, 0x49, 0x8d, + 0xaf, 0x18, 0x0b, 0x12, 0x01, 0x7f, 0x4d, 0x4d, 0x42, 0x6c, 0xa2, 0x9b, + 0x41, 0x61, 0x07, 0x55, 0x34, 0xbf, 0xb9, 0x14, 0x96, 0x80, 0x88, 0xa9, + 0xd1, 0x37, 0x85, 0xd0, 0xad, 0xc0, 0xe2, 0x58, 0x0d, 0x35, 0x48, 0x49, + 0x4b, 0x2a, 0x9e, 0x91, 0x60, 0x5f, 0x2b, 0x27, 0xe6, 0xcc, 0x70, 0x1c, + 0x79, 0x6f, 0x0d, 0xe7, 0xc6, 0xf4, 0x71, 0xf6, 0xab, 0x6c, 0xb9, 0x27, + 0x2a, 0x1e, 0xd6, 0x37, 0xca, 0x32, 0xa6, 0x0d, 0x11, 0x75, 0x05, 0xd8, + 0x2a, 0xf3, 0xc1, 0x33, 0x61, 0x04, 0xaf, 0xb5, 0x37, 0xd0, 0x1a, 0x8f, + 0x70, 0xb5, 0x10, 0xe1, 0xee, 0xbf, 0x48, 0x69, 0xcb, 0x97, 0x6c, 0x41, + 0x94, 0x73, 0x79, 0x5a, 0x66, 0xc7, 0xf5, 0xe6, 0xe2, 0x0a, 0x80, 0x94, + 0xb1, 0xbb, 0x60, 0x3a, 0x74, 0x33, 0x0c, 0x53, 0x7c, 0x5c, 0x06, 0x98, + 0xc3, 0x15, 0x38, 0xbd, 0x2e, 0x13, 0x8c, 0x12, 0x75, 0xa1, 0xbd, 0xf2, + 0x4c, 0x5f, 0xa8, 0xab, 0x3b, 0x7b, 0x52, 0x63, 0x24, 0xe7, 0x91, 0x8a, + 0x38, 0x2d, 0x13, 0x63, 0xb3, 0xd4, 0x63, 0x76, 0x42, 0x22, 0x15, 0x0e, + 0x04}, + {0x17, 0x15, 0x06, 0x53, 0x22, 0x52, 0x2d, 0xff, 0x85, 0x04, 0x98, 0x00, + 0xf6, 0xa2, 0x9a, 0xb5, 0xf9, 0x8c, 0x46, 0x50, 0x20, 0x46, 0x74, 0x14, + 0xb2, 0xa4, 
0x41, 0x27, 0xfe, 0x94, 0x46, 0xda, 0x47, 0xfa, 0x18, 0x04, + 0x79, 0x00, 0xf9, 0x9a, 0xfe, 0x67, 0xc2, 0xdf, 0x6f, 0x50, 0x16, 0x0b, + 0xb8, 0xe9, 0x0b, 0xff, 0x29, 0x66, 0x10, 0xfd, 0xe6, 0x32, 0xb3, 0x85, + 0x9d, 0x4d, 0x0d, 0x2e, 0x64, 0x4f, 0x23, 0x83, 0x50, 0x28, 0xc4, 0x6c, + 0xca, 0x01, 0xb8, 0x4b, 0x88, 0x23, 0x1d, 0x7e, 0x03, 0x15, 0x4e, 0xde, + 0xc6, 0x62, 0x7b, 0xcb, 0xa2, 0x3d, 0xe7, 0x67, 0x40, 0xd8, 0x39, 0x85, + 0x1f, 0xa1, 0x2d, 0x74, 0xc8, 0xf9, 0x2e, 0x54, 0x0c, 0x73, 0xfe, 0x83, + 0x7b, 0x91, 0xb7, 0xd6, 0x99, 0xb3, 0x11, 0x99, 0x7d, 0x5f, 0x0f, 0x78, + 0x64, 0xc4, 0x86, 0xd4, 0x99, 0xc3, 0xa7, 0x9c, 0x11, 0x1f, 0xaa, 0xac, + 0xbe, 0x47, 0x99, 0x59, 0x7a, 0x25, 0x06, 0x6c, 0x62, 0x00, 0x21, 0x5c, + 0x3d, 0x15, 0x8f, 0x38, 0x17, 0xc1, 0xaa, 0x57, 0xf1, 0x8b, 0xda, 0xad, + 0x0b, 0xe1, 0x65, 0x8d, 0xa9, 0xda, 0x93, 0xf5, 0xcc, 0x6c, 0x3c, 0x4d, + 0xd7, 0x27, 0x88, 0xaf, 0x57, 0xad, 0xbb, 0x6a, 0x0c, 0x26, 0xf4, 0x2d, + 0x32, 0xd9, 0x5b, 0x8a, 0x4f, 0x95, 0xe8, 0xc6, 0xfe, 0xb2, 0xf8, 0xa5, + 0xd5, 0x3b, 0x19, 0xa5, 0x0a, 0x0b, 0x7c, 0xbc, 0x25, 0xe0, 0x55, 0xad, + 0x03, 0xe5, 0xac, 0xe8, 0xf3, 0xf7, 0xdb, 0x13, 0xe5, 0x77, 0x59, 0xf6, + 0x7b, 0x65, 0xd1, 0x43, 0xf0, 0x8c, 0xca, 0x15, 0x99, 0x2c, 0x6b, 0x2a, + 0xae, 0x64, 0x33, 0x90, 0x48, 0x3d, 0xe1, 0x11, 0xc2, 0x98, 0x8d, 0x4e, + 0x76, 0xb4, 0x25, 0x96, 0x26, 0x60, 0x05, 0x10, 0x3c, 0x8d, 0xe6, 0x04, + 0x4f, 0xb7, 0x39, 0x8e, 0xb3, 0xc2, 0x8a, 0x86, 0x4f, 0xa6, 0x72, 0xde, + 0x5f, 0xd8, 0x77, 0x45, 0x10, 0xff, 0x45, 0xe0, 0x59, 0x69, 0xa1, 0x1a, + 0x4c, 0x7d, 0x3f, 0x34, 0x3e, 0x33, 0x11, 0x90, 0xd2, 0xdc, 0xf2, 0x4f, + 0xb9, 0x15, 0x4b, 0xa9, 0x04, 0xdc, 0x94, 0xaf, 0x98, 0xaf, 0xc5, 0x77, + 0x4a, 0x96, 0x17, 0xd0, 0x41, 0x8f, 0xe6, 0xd1, 0x3f, 0x82, 0x45, 0xc7, + 0xd7, 0x62, 0x6c, 0x17, 0x61, 0x38, 0xdd, 0x69, 0x8a, 0x23, 0x54, 0x7c, + 0x25, 0xf2, 0x7c, 0x2b, 0x98, 0xea, 0x4d, 0x8a, 0x45, 0xc7, 0x84, 0x2b, + 0x81, 0x88, 0x8e, 0x4c, 0xc1, 0x4e, 0x5b, 0x72, 0xe9, 0xcf, 0x91, 0xf5, + 0x69, 0x56, 
0xc9, 0x3d, 0xbf, 0x2e, 0x5f, 0x44, 0xa8, 0x28, 0x2a, 0x78, + 0x13, 0x15, 0x7f, 0xc4, 0x81, 0xff, 0x13, 0x71, 0xa0, 0xf6, 0x6b, 0x31, + 0x79, 0x7e, 0x81, 0xeb, 0xdb, 0x09, 0xa6, 0x73, 0xd4, 0xdb, 0x96, 0xd6}, + priv_key_3b, + true}, + + // test_positive_9_bytes_long + {69, + // 'forty two' + {0x66, 0x6f, 0x72, 0x74, 0x79, 0x20, 0x74, 0x77, 0x6f}, + {0x6c, 0x60, 0x84, 0x5a, 0x85, 0x4b, 0x45, 0x71, 0xf6, 0x78, 0x94, 0x1a, + 0xe3, 0x5a, 0x2a, 0xc0, 0x3f, 0x67, 0xc2, 0x1e, 0x21, 0x14, 0x6f, 0x9d, + 0xb1, 0xf2, 0x30, 0x6b, 0xe9, 0xf1, 0x36, 0x45, 0x3b, 0x86, 0xad, 0x55, + 0x64, 0x7d, 0x4f, 0x7b, 0x5c, 0x9e, 0x62, 0x19, 0x7a, 0xaf, 0xf0, 0xc0, + 0xe4, 0x0a, 0x3b, 0x54, 0xc4, 0xcd, 0xe1, 0x4e, 0x77, 0x4b, 0x1c, 0x59, + 0x59, 0xb6, 0xc2, 0xa2, 0x30, 0x28, 0x96, 0xff, 0xae, 0x1f, 0x73, 0xb0, + 0x0b, 0x86, 0x2a, 0x20, 0xff, 0x43, 0x04, 0xfe, 0x06, 0xce, 0xa7, 0xff, + 0x30, 0xec, 0xb3, 0x77, 0x3c, 0xa9, 0xaf, 0x27, 0xa0, 0xb5, 0x45, 0x47, + 0x35, 0x0d, 0x7c, 0x07, 0xdf, 0xb0, 0xa3, 0x96, 0x29, 0xc7, 0xe7, 0x1e, + 0x83, 0xfc, 0x5a, 0xf9, 0xb2, 0xad, 0xba, 0xf8, 0x98, 0xe0, 0x37, 0xf1, + 0xde, 0x69, 0x6a, 0x3f, 0x32, 0x8c, 0xf4, 0x5a, 0xf7, 0xec, 0x9a, 0xff, + 0x71, 0x73, 0x85, 0x40, 0x87, 0xfb, 0x8f, 0xbf, 0x34, 0xbe, 0x98, 0x1e, + 0xfb, 0xd8, 0x49, 0x3f, 0x94, 0x38, 0xd1, 0xb2, 0xba, 0x2a, 0x86, 0xaf, + 0x08, 0x26, 0x62, 0xaa, 0x46, 0xae, 0x9a, 0xdf, 0xbe, 0xc5, 0x1e, 0x5f, + 0x3d, 0x95, 0x50, 0xa4, 0xdd, 0x1d, 0xcb, 0x7c, 0x89, 0x69, 0xc9, 0x58, + 0x7a, 0x6e, 0xdc, 0x82, 0xa8, 0xca, 0xbb, 0xc7, 0x85, 0xc4, 0x0d, 0x9f, + 0xbd, 0x12, 0x06, 0x45, 0x59, 0xfb, 0x76, 0x94, 0x50, 0xac, 0x3e, 0x47, + 0xe8, 0x7b, 0xc0, 0x46, 0x14, 0x81, 0x30, 0xd7, 0xea, 0xa8, 0x43, 0xe4, + 0xb3, 0xcc, 0xef, 0x36, 0x75, 0xd0, 0x63, 0x05, 0x00, 0x80, 0x3c, 0xb7, + 0xff, 0xee, 0x38, 0x82, 0x37, 0x8c, 0x1a, 0x40, 0x4e, 0x85, 0x0c, 0x3e, + 0x20, 0x70, 0x7b, 0xb7, 0x45, 0xe4, 0x2b, 0x13, 0xc1, 0x87, 0x86, 0xc4, + 0x97, 0x60, 0x76, 0xed, 0x9f, 0xa8, 0xfd, 0x0f, 0xf1, 0x5e, 0x57, 0x1b, + 0xef, 0x02, 0xcb, 
0xbe, 0x2f, 0x90, 0xc9, 0x08, 0xac, 0x37, 0x34, 0xa4, + 0x33, 0xb7, 0x3e, 0x77, 0x8d, 0x4d, 0x17, 0xfc, 0xc2, 0x8f, 0x49, 0x18, + 0x5e, 0xbc, 0x6e, 0x85, 0x36, 0xa0, 0x6d, 0x29, 0x32, 0x02, 0xd9, 0x44, + 0x96, 0x45, 0x3b, 0xfd, 0xf1, 0xc2, 0xc7, 0x83, 0x3a, 0x3f, 0x99, 0xfa, + 0x38, 0xca, 0x8a, 0x81, 0xf4, 0x2e, 0xaa, 0x52, 0x9d, 0x60, 0x3b, 0x89, + 0x03, 0x08, 0xa3, 0x19, 0xc0, 0xab, 0x63, 0xa3, 0x5f, 0xf8, 0xeb, 0xac, + 0x96, 0x5f, 0x62, 0x78, 0xf5, 0xa7, 0xe5, 0xd6, 0x22, 0xbe, 0x5d, 0x5f, + 0xe5, 0x5f, 0x0c, 0xa3, 0xec, 0x99, 0x3d, 0x55, 0x43, 0x0d, 0x2b, 0xf5, + 0x9c, 0x5d, 0x3e, 0x86, 0x0e, 0x90, 0xc1, 0x6d, 0x91, 0xa0, 0x45, 0x96, + 0xf6, 0xfd, 0xf6, 0x0d, 0x89, 0xed, 0x95, 0xd8, 0x8c, 0x03, 0x6d, 0xde}, + priv_key_3b, + true}, + + // a valid ciphertext that starts with a null byte and decrypts to + // 9 byte long value + {70, + // 'forty two' + {0x66, 0x6f, 0x72, 0x74, 0x79, 0x20, 0x74, 0x77, 0x6f}, + {0x00, 0xf4, 0xd5, 0x65, 0xa3, 0x28, 0x67, 0x84, 0xdb, 0xb8, 0x53, 0x27, + 0xdb, 0x88, 0x07, 0xae, 0x55, 0x7e, 0xad, 0x22, 0x9f, 0x92, 0xab, 0xa9, + 0x45, 0xce, 0xcd, 0xa5, 0x22, 0x5f, 0x60, 0x6a, 0x7d, 0x61, 0x30, 0xed, + 0xee, 0xb6, 0xf2, 0x67, 0x24, 0xd1, 0xef, 0xf1, 0x11, 0x0f, 0x9e, 0xb1, + 0x8d, 0xc3, 0x24, 0x81, 0x40, 0xee, 0x38, 0x37, 0xe6, 0x68, 0x83, 0x91, + 0xe7, 0x87, 0x96, 0xc5, 0x26, 0x79, 0x13, 0x84, 0xf0, 0x45, 0xe2, 0x1b, + 0x6b, 0x85, 0x3f, 0xb6, 0x34, 0x2a, 0x11, 0xf3, 0x09, 0xeb, 0x77, 0x96, + 0x2f, 0x37, 0xce, 0x23, 0x92, 0x5a, 0xf6, 0x00, 0x84, 0x7f, 0xbd, 0x30, + 0xe6, 0xe0, 0x7e, 0x57, 0xde, 0x50, 0xb6, 0x06, 0xe6, 0xb7, 0xf2, 0x88, + 0xcc, 0x77, 0x7c, 0x1a, 0x68, 0x34, 0xf2, 0x7e, 0x6e, 0xda, 0xce, 0x50, + 0x84, 0x52, 0x12, 0x89, 0x16, 0xee, 0xf7, 0x78, 0x8c, 0x8b, 0xb2, 0x27, + 0xe3, 0x54, 0x8c, 0x6a, 0x76, 0x1c, 0xc4, 0xe9, 0xdd, 0x1a, 0x35, 0x84, + 0x17, 0x6d, 0xc0, 0x53, 0xba, 0x35, 0x00, 0xad, 0xb1, 0xd5, 0xe1, 0x61, + 0x12, 0x91, 0x65, 0x4f, 0x12, 0xdf, 0xc5, 0x72, 0x28, 0x32, 0xf6, 0x35, + 0xdb, 0x30, 0x02, 0xd7, 0x3f, 0x9d, 
0xef, 0xc3, 0x10, 0xac, 0xe6, 0x2c, + 0x63, 0x86, 0x8d, 0x34, 0x16, 0x19, 0xc7, 0xee, 0x15, 0xb2, 0x02, 0x43, + 0xb3, 0x37, 0x1e, 0x05, 0x07, 0x8e, 0x11, 0x21, 0x97, 0x70, 0xc7, 0x01, + 0xd9, 0xf3, 0x41, 0xaf, 0x35, 0xdf, 0x1b, 0xc7, 0x29, 0xde, 0x29, 0x48, + 0x25, 0xff, 0x2e, 0x41, 0x6a, 0xa1, 0x15, 0x26, 0x61, 0x28, 0x52, 0x77, + 0x7e, 0xb1, 0x31, 0xf9, 0xc4, 0x51, 0x51, 0xeb, 0x14, 0x49, 0x80, 0xd7, + 0x06, 0x08, 0xd2, 0xfc, 0x40, 0x43, 0x47, 0x73, 0x68, 0x36, 0x9a, 0xa0, + 0xfe, 0x48, 0x7a, 0x48, 0xbd, 0x57, 0xe6, 0x6b, 0x00, 0xc3, 0xc5, 0x8f, + 0x94, 0x15, 0x49, 0xf5, 0xec, 0x05, 0x0f, 0xca, 0x64, 0x44, 0x9d, 0xeb, + 0xe7, 0xa0, 0xc4, 0xac, 0x51, 0xe5, 0x5c, 0xb7, 0x16, 0x20, 0xa7, 0x03, + 0x12, 0xaa, 0x4b, 0xd8, 0x5f, 0xac, 0x14, 0x10, 0xc9, 0xc7, 0xf9, 0xd6, + 0xec, 0x61, 0x0b, 0x7d, 0x11, 0xbf, 0x8f, 0xae, 0xff, 0xa2, 0x02, 0x55, + 0xd1, 0xa1, 0xbe, 0xad, 0x92, 0x97, 0xd0, 0xaa, 0x87, 0x65, 0xcd, 0x28, + 0x05, 0x84, 0x7d, 0x63, 0x9b, 0xc4, 0x39, 0xf4, 0xa6, 0xc8, 0x96, 0xe2, + 0x00, 0x8f, 0x74, 0x6f, 0x95, 0x90, 0xff, 0x45, 0x96, 0xde, 0x5d, 0xdd, + 0xe0, 0x00, 0xed, 0x66, 0x6c, 0x45, 0x2c, 0x97, 0x80, 0x43, 0xff, 0x42, + 0x98, 0x46, 0x1e, 0xb5, 0xa2, 0x6d, 0x5e, 0x63, 0xd8, 0x21, 0x43, 0x86, + 0x27, 0xf9, 0x12, 0x01, 0x92, 0x4b, 0xf7, 0xf2, 0xae, 0xee, 0x17, 0x27}, + priv_key_3b, + true}, + + // a valid ciphertext that starts with two null bytes and decrypts to + // 9 byte long value + {71, + // 'forty two' + {0x66, 0x6f, 0x72, 0x74, 0x79, 0x20, 0x74, 0x77, 0x6f}, + {0x00, 0x00, 0x1e, 0xc9, 0x7a, 0xc9, 0x81, 0xdf, 0xd9, 0xdc, 0xc7, 0xa7, + 0x38, 0x9f, 0xdf, 0xa9, 0xd3, 0x61, 0x14, 0x1d, 0xac, 0x80, 0xc2, 0x3a, + 0x06, 0x04, 0x10, 0xd4, 0x72, 0xc1, 0x60, 0x94, 0xe6, 0xcd, 0xff, 0xc0, + 0xc3, 0x68, 0x4d, 0x84, 0xaa, 0x40, 0x2d, 0x70, 0x51, 0xdf, 0xcc, 0xb2, + 0xf6, 0xda, 0x33, 0xf6, 0x69, 0x85, 0xd2, 0xa2, 0x59, 0xf5, 0xb7, 0xfb, + 0xf3, 0x9a, 0xc5, 0x37, 0xe9, 0x5c, 0x5b, 0x70, 0x50, 0xeb, 0x18, 0x84, + 0x4a, 0x05, 0x13, 0xab, 0xef, 0x81, 0x2c, 0xc8, 0xe7, 
0x4a, 0x3c, 0x52, + 0x40, 0x00, 0x9e, 0x6e, 0x80, 0x5d, 0xca, 0xdf, 0x53, 0x2b, 0xc1, 0xa2, + 0x70, 0x2d, 0x5a, 0xcc, 0x9e, 0x58, 0x5f, 0xad, 0x5b, 0x89, 0xd4, 0x61, + 0xfc, 0xc1, 0x39, 0x73, 0x51, 0xcd, 0xce, 0x35, 0x17, 0x15, 0x23, 0x75, + 0x8b, 0x17, 0x1d, 0xc0, 0x41, 0xf4, 0x12, 0xe4, 0x29, 0x66, 0xde, 0x7f, + 0x94, 0x85, 0x64, 0x77, 0x35, 0x6d, 0x06, 0xf2, 0xa6, 0xb4, 0x0e, 0x3f, + 0xf0, 0x54, 0x75, 0x62, 0xa4, 0xd9, 0x1b, 0xbf, 0x13, 0x38, 0xe9, 0xe0, + 0x49, 0xfa, 0xcb, 0xee, 0x8b, 0x20, 0x17, 0x11, 0x64, 0x50, 0x54, 0x68, + 0xcd, 0x30, 0x89, 0x97, 0x44, 0x7d, 0x3d, 0xc4, 0xb0, 0xac, 0xb4, 0x9e, + 0x7d, 0x36, 0x8f, 0xed, 0xd8, 0xc7, 0x34, 0x25, 0x1f, 0x30, 0xa8, 0x34, + 0x91, 0xd2, 0x50, 0x6f, 0x3f, 0x87, 0x31, 0x8c, 0xc1, 0x18, 0x82, 0x32, + 0x44, 0xa3, 0x93, 0xdc, 0x7c, 0x5c, 0x73, 0x9a, 0x27, 0x33, 0xd9, 0x3e, + 0x1b, 0x13, 0xdb, 0x68, 0x40, 0xa9, 0x42, 0x99, 0x47, 0x35, 0x7f, 0x47, + 0xb2, 0x3f, 0xbe, 0x39, 0xb7, 0xd2, 0xd6, 0x1e, 0x5e, 0xe2, 0x6f, 0x99, + 0x46, 0xc4, 0x63, 0x2f, 0x6c, 0x46, 0x99, 0xe4, 0x52, 0xf4, 0x12, 0xa2, + 0x66, 0x41, 0xd4, 0x75, 0x11, 0x35, 0x40, 0x07, 0x13, 0xcd, 0x56, 0xec, + 0x66, 0xf0, 0x37, 0x04, 0x23, 0xd5, 0x5d, 0x2a, 0xf7, 0x0f, 0x5e, 0x7a, + 0xd0, 0xad, 0xea, 0x8e, 0x4a, 0x0d, 0x90, 0x4a, 0x01, 0xe4, 0xac, 0x27, + 0x2e, 0xba, 0x4a, 0xf1, 0xa0, 0x29, 0xdd, 0x53, 0xeb, 0x71, 0xf1, 0x15, + 0xbf, 0x31, 0xf7, 0xa6, 0xc8, 0xb1, 0x9a, 0x65, 0x23, 0xad, 0xee, 0xcc, + 0x0d, 0x4c, 0x3c, 0x10, 0x75, 0x75, 0xe3, 0x85, 0x72, 0xa8, 0xf8, 0x47, + 0x4c, 0xca, 0xd1, 0x63, 0xe4, 0x6e, 0x2e, 0x8b, 0x08, 0x11, 0x11, 0x32, + 0xaa, 0x97, 0xa1, 0x6f, 0xb5, 0x88, 0xc9, 0xb7, 0xe3, 0x7b, 0x3b, 0x3d, + 0x74, 0x90, 0x38, 0x1f, 0x3c, 0x55, 0xd1, 0xa9, 0x86, 0x9a, 0x0f, 0xd4, + 0x2c, 0xd8, 0x6f, 0xed, 0x59, 0xec, 0xec, 0x78, 0xcb, 0x6b, 0x2d, 0xfd, + 0x06, 0xa4, 0x97, 0xf5, 0xaf, 0xe3, 0x41, 0x96, 0x91, 0x31, 0x4b, 0xa0}, + priv_key_3b, + true}, + + // test_negative_9_bytes_long + {72, + {0x25, 0x79, 0x06, 0xca, 0x6d, 0xe8, 0x30, 0x77, 0x28}, + 
{0x5c, 0x85, 0x55, 0xf5, 0xce, 0xf6, 0x27, 0xc1, 0x5d, 0x37, 0xf8, 0x5c, + 0x7f, 0x5f, 0xd6, 0xe4, 0x99, 0x26, 0x4e, 0xa4, 0xb8, 0xe3, 0xf9, 0x11, + 0x20, 0x23, 0xae, 0xb7, 0x22, 0xeb, 0x38, 0xd8, 0xea, 0xc2, 0xbe, 0x37, + 0x51, 0xfd, 0x5a, 0x37, 0x85, 0xab, 0x7f, 0x2d, 0x59, 0xfa, 0x37, 0x28, + 0xe5, 0xbe, 0x8c, 0x3d, 0xe7, 0x8a, 0x67, 0x46, 0x4e, 0x30, 0xb2, 0x1e, + 0xe2, 0x3b, 0x54, 0x84, 0xbb, 0x3c, 0xd0, 0x6d, 0x0e, 0x1c, 0x6a, 0xd2, + 0x56, 0x49, 0xc8, 0x51, 0x81, 0x65, 0x65, 0x3e, 0xb8, 0x04, 0x88, 0xbf, + 0xb4, 0x91, 0xb2, 0x0c, 0x04, 0x89, 0x7a, 0x67, 0x72, 0xf6, 0x92, 0x92, + 0x22, 0x2f, 0xc5, 0xef, 0x50, 0xb5, 0xcf, 0x9e, 0xfc, 0x6d, 0x60, 0x42, + 0x6a, 0x44, 0x9b, 0x6c, 0x48, 0x95, 0x69, 0xd4, 0x8c, 0x83, 0x48, 0x8d, + 0xf6, 0x29, 0xd6, 0x95, 0x65, 0x3d, 0x40, 0x9c, 0xe4, 0x9a, 0x79, 0x54, + 0x47, 0xfc, 0xec, 0x2c, 0x58, 0xa1, 0xa6, 0x72, 0xe4, 0xa3, 0x91, 0x40, + 0x1d, 0x42, 0x8b, 0xaa, 0xf7, 0x81, 0x51, 0x6e, 0x11, 0xe3, 0x23, 0xd3, + 0x02, 0xfc, 0xf2, 0x0f, 0x6e, 0xab, 0x2b, 0x2d, 0xbe, 0x53, 0xa4, 0x8c, + 0x98, 0x7e, 0x40, 0x7c, 0x4d, 0x7e, 0x1c, 0xb4, 0x11, 0x31, 0x32, 0x91, + 0x38, 0x31, 0x3d, 0x33, 0x02, 0x04, 0x17, 0x3a, 0x4f, 0x3f, 0xf0, 0x6c, + 0x6f, 0xad, 0xf9, 0x70, 0xf0, 0xed, 0x10, 0x05, 0xd0, 0xb2, 0x7e, 0x35, + 0xc3, 0xd1, 0x16, 0x93, 0xe0, 0x42, 0x9e, 0x27, 0x2d, 0x58, 0x3e, 0x57, + 0xb2, 0xc5, 0x8d, 0x24, 0x31, 0x5c, 0x39, 0x78, 0x56, 0xb3, 0x44, 0x85, + 0xdc, 0xb0, 0x77, 0x66, 0x55, 0x92, 0xb7, 0x47, 0xf8, 0x89, 0xd3, 0x4f, + 0xeb, 0xf2, 0xbe, 0x8f, 0xce, 0x66, 0xc2, 0x65, 0xfd, 0x9f, 0xc3, 0x57, + 0x5a, 0x62, 0x86, 0xa5, 0xce, 0x88, 0xb4, 0xb4, 0x13, 0xa0, 0x8e, 0xfc, + 0x57, 0xa0, 0x7a, 0x8f, 0x57, 0xa9, 0x99, 0x60, 0x5a, 0x83, 0x7b, 0x05, + 0x42, 0x69, 0x5c, 0x0d, 0x18, 0x9e, 0x67, 0x8b, 0x53, 0x66, 0x2e, 0xcf, + 0x7c, 0x3d, 0x37, 0xd9, 0xdb, 0xee, 0xa5, 0x85, 0xee, 0xbf, 0xaf, 0x79, + 0x14, 0x11, 0x18, 0xe0, 0x67, 0x62, 0xc2, 0x38, 0x1f, 0xe2, 0x7c, 0xa6, + 0x28, 0x8e, 0xdd, 0xdc, 0x19, 0xfd, 0x67, 0xcd, 0x64, 0xf1, 0x6b, 0x46, + 
0xe0, 0x6d, 0x8a, 0x59, 0xac, 0x53, 0x0f, 0x22, 0xcd, 0x83, 0xcc, 0x0b, + 0xc4, 0xe3, 0x7f, 0xeb, 0x52, 0x01, 0x5c, 0xbb, 0x22, 0x83, 0x04, 0x3c, + 0xcf, 0x5e, 0x78, 0xa4, 0xeb, 0x71, 0x46, 0x82, 0x7d, 0x7a, 0x46, 0x6b, + 0x66, 0xc8, 0xa4, 0xa4, 0x82, 0x6c, 0x1b, 0xad, 0x68, 0x12, 0x3a, 0x7f, + 0x2d, 0x00, 0xfc, 0x17, 0x36, 0x52, 0x5f, 0xf9, 0x0c, 0x05, 0x8f, 0x56}, + priv_key_3b, + true}, + + // malformed plaintext that generates a fake plaintext of length + // specified by 2nd to last value from PRF + {73, + {0x04, 0x33, 0x83, 0xc9, 0x29, 0x06, 0x03, 0x74, 0xed}, + {0x75, 0x8c, 0x21, 0x5a, 0xa6, 0xac, 0xd6, 0x12, 0x48, 0x06, 0x2b, 0x88, + 0x28, 0x4b, 0xf4, 0x3c, 0x13, 0xcb, 0x3b, 0x3d, 0x02, 0x41, 0x0b, 0xe4, + 0x23, 0x86, 0x07, 0x44, 0x2f, 0x1c, 0x02, 0x16, 0x70, 0x6e, 0x21, 0xa0, + 0x3a, 0x2c, 0x10, 0xeb, 0x62, 0x4a, 0x63, 0x32, 0x2d, 0x85, 0x4d, 0xa1, + 0x95, 0xc0, 0x17, 0xb7, 0x6f, 0xea, 0x83, 0xe2, 0x74, 0xfa, 0x37, 0x18, + 0x34, 0xdc, 0xd2, 0xf3, 0xb7, 0xac, 0xcf, 0x43, 0x3f, 0xc2, 0x12, 0xad, + 0x76, 0xc0, 0xba, 0xc3, 0x66, 0xe1, 0xed, 0x32, 0xe2, 0x5b, 0x27, 0x9f, + 0x94, 0x12, 0x9b, 0xe7, 0xc6, 0x4d, 0x6e, 0x16, 0x2a, 0xdc, 0x08, 0xcc, + 0xeb, 0xc0, 0xcf, 0xe8, 0xe9, 0x26, 0xf0, 0x1c, 0x33, 0xab, 0x9c, 0x06, + 0x5f, 0x0e, 0x0a, 0xc8, 0x3a, 0xe5, 0x13, 0x7a, 0x4c, 0xb6, 0x67, 0x02, + 0x61, 0x5a, 0xd6, 0x8a, 0x35, 0x70, 0x7d, 0x86, 0x76, 0xd2, 0x74, 0x0d, + 0x7c, 0x1a, 0x95, 0x46, 0x80, 0xc8, 0x39, 0x80, 0xe1, 0x97, 0x78, 0xed, + 0x11, 0xee, 0xd3, 0xa7, 0xc2, 0xdb, 0xdf, 0xc4, 0x61, 0xa9, 0xbb, 0xef, + 0x67, 0x1c, 0x1b, 0xc0, 0x0c, 0x88, 0x2d, 0x36, 0x1d, 0x29, 0xd5, 0xf8, + 0x0c, 0x42, 0xbd, 0xf5, 0xef, 0xec, 0x88, 0x6c, 0x34, 0x13, 0x8f, 0x83, + 0x36, 0x9c, 0x69, 0x33, 0xb2, 0xac, 0x4e, 0x93, 0xe7, 0x64, 0x26, 0x53, + 0x51, 0xb4, 0xa0, 0x08, 0x3f, 0x04, 0x0e, 0x14, 0xf5, 0x11, 0xf0, 0x9b, + 0x22, 0xf9, 0x65, 0x66, 0x13, 0x88, 0x64, 0xe4, 0xe6, 0xff, 0x24, 0xda, + 0x48, 0x10, 0x09, 0x5d, 0xa9, 0x8e, 0x05, 0x85, 0x41, 0x09, 0x51, 0x53, + 0x8c, 0xed, 0x2f, 
0x75, 0x7a, 0x27, 0x7f, 0xf8, 0xe1, 0x71, 0x72, 0xf0, + 0x65, 0x72, 0xc9, 0x02, 0x4e, 0xea, 0xe5, 0x03, 0xf1, 0x76, 0xfd, 0x46, + 0xeb, 0x6c, 0x5c, 0xd9, 0xba, 0x07, 0xaf, 0x11, 0xcd, 0xe3, 0x1d, 0xcc, + 0xac, 0x12, 0xeb, 0x3a, 0x42, 0x49, 0xa7, 0xbf, 0xd3, 0xb1, 0x97, 0x97, + 0xad, 0x16, 0x56, 0x98, 0x4b, 0xfc, 0xbf, 0x6f, 0x74, 0xe8, 0xf9, 0x9d, + 0x8f, 0x1a, 0xc4, 0x20, 0x81, 0x1f, 0x3d, 0x16, 0x6d, 0x87, 0xf9, 0x35, + 0xef, 0x15, 0xae, 0x85, 0x8c, 0xf9, 0xe7, 0x2c, 0x8e, 0x2b, 0x54, 0x7b, + 0xf1, 0x6c, 0x3f, 0xb0, 0x9a, 0x8c, 0x9b, 0xf8, 0x8f, 0xd2, 0xe5, 0xd3, + 0x8b, 0xf2, 0x4e, 0xd6, 0x10, 0x89, 0x61, 0x31, 0xa8, 0x4d, 0xf7, 0x6b, + 0x9f, 0x92, 0x0f, 0xe7, 0x6d, 0x71, 0xff, 0xf9, 0x38, 0xe9, 0x19, 0x9f, + 0x3b, 0x8c, 0xd0, 0xc1, 0x1f, 0xd0, 0x20, 0x1f, 0x91, 0x39, 0xd7, 0x67, + 0x3a, 0x87, 0x1a, 0x9e, 0x7d, 0x4a, 0xdc, 0x3b, 0xbe, 0x36, 0x0c, 0x88, + 0x13, 0x61, 0x7c, 0xd6, 0x0a, 0x90, 0x12, 0x8f, 0xbe, 0x34, 0xc9, 0xd5}, + priv_key_3b, + true}, + + // malformed plaintext that generates a fake plaintext of length + // specified by 3rd to last value from PRF + {74, + {0x70, 0x26, 0x3f, 0xa6, 0x05, 0x05, 0x34, 0xb9, 0xe0}, + {0x7b, 0x22, 0xd5, 0xe6, 0x2d, 0x28, 0x79, 0x68, 0xc6, 0x62, 0x21, 0x71, + 0xa1, 0xf7, 0x5d, 0xb4, 0xb0, 0xfd, 0x15, 0xcd, 0xf3, 0x13, 0x4a, 0x18, + 0x95, 0xd2, 0x35, 0xd5, 0x6f, 0x8d, 0x8f, 0xe6, 0x19, 0xf2, 0xbf, 0x48, + 0x68, 0x17, 0x4a, 0x91, 0xd7, 0x60, 0x1a, 0x82, 0x97, 0x5d, 0x22, 0x55, + 0x19, 0x0d, 0x28, 0xb8, 0x69, 0x14, 0x1d, 0x7c, 0x39, 0x5f, 0x0b, 0x8c, + 0x4e, 0x2b, 0xe2, 0xb2, 0xc1, 0xb4, 0xff, 0xc1, 0x2c, 0xe7, 0x49, 0xa6, + 0xf6, 0x80, 0x3d, 0x4c, 0xfe, 0x7f, 0xba, 0x0a, 0x8d, 0x69, 0x49, 0xc0, + 0x41, 0x51, 0xf9, 0x81, 0xc0, 0xd8, 0x45, 0x92, 0xaa, 0x2f, 0xf2, 0x5d, + 0x1b, 0xd3, 0xce, 0x5d, 0x10, 0xcb, 0x03, 0xda, 0xca, 0x6b, 0x49, 0x6c, + 0x6a, 0xd4, 0x0d, 0x30, 0xbf, 0xa8, 0xac, 0xdf, 0xd0, 0x2c, 0xdb, 0x93, + 0x26, 0xc4, 0xbd, 0xd9, 0x3b, 0x94, 0x9c, 0x9d, 0xc4, 0x6c, 0xaa, 0x8f, + 0x0e, 0x5f, 0x42, 0x97, 0x85, 0xbc, 
0xe6, 0x41, 0x36, 0xa4, 0x29, 0xa3, + 0x69, 0x5e, 0xe6, 0x74, 0xb6, 0x47, 0x45, 0x2b, 0xea, 0x1b, 0x0c, 0x6d, + 0xe9, 0xc5, 0xf1, 0xe8, 0x76, 0x0d, 0x5e, 0xf6, 0xd5, 0xa9, 0xcf, 0xff, + 0x40, 0x45, 0x7b, 0x02, 0x3d, 0x3c, 0x23, 0x3c, 0x1d, 0xcb, 0x32, 0x3e, + 0x78, 0x08, 0x10, 0x3e, 0x73, 0x96, 0x3b, 0x2e, 0xaf, 0xc9, 0x28, 0xc9, + 0xee, 0xb0, 0xee, 0x32, 0x94, 0x95, 0x54, 0x15, 0xc1, 0xdd, 0xd9, 0xa1, + 0xbb, 0x7e, 0x13, 0x8f, 0xec, 0xd7, 0x9a, 0x3c, 0xb8, 0x9c, 0x57, 0xbd, + 0x23, 0x05, 0x52, 0x46, 0x24, 0x81, 0x4a, 0xaf, 0x0f, 0xd1, 0xac, 0xbf, + 0x37, 0x9f, 0x7f, 0x5b, 0x39, 0x42, 0x1f, 0x12, 0xf1, 0x15, 0xba, 0x48, + 0x8d, 0x38, 0x05, 0x86, 0x09, 0x5b, 0xb5, 0x3f, 0x17, 0x4f, 0xae, 0x42, + 0x4f, 0xa4, 0xc8, 0xe3, 0xb2, 0x99, 0x70, 0x9c, 0xd3, 0x44, 0xb9, 0xf9, + 0x49, 0xb1, 0xab, 0x57, 0xf1, 0xc6, 0x45, 0xd7, 0xed, 0x3c, 0x8f, 0x81, + 0xd5, 0x59, 0x41, 0x97, 0x35, 0x50, 0x29, 0xfe, 0xe8, 0x96, 0x09, 0x70, + 0xff, 0x59, 0x71, 0x0d, 0xc0, 0xe5, 0xeb, 0x50, 0xea, 0x6f, 0x4c, 0x39, + 0x38, 0xe3, 0xf8, 0x9e, 0xd7, 0x93, 0x30, 0x23, 0xa2, 0xc2, 0xdd, 0xff, + 0xab, 0xa0, 0x7b, 0xe1, 0x47, 0xf6, 0x86, 0x82, 0x8b, 0xd7, 0xd5, 0x20, + 0xf3, 0x00, 0x50, 0x7e, 0xd6, 0xe7, 0x1b, 0xda, 0xee, 0x05, 0x57, 0x0b, + 0x27, 0xbc, 0x92, 0x74, 0x11, 0x08, 0xac, 0x2e, 0xb4, 0x33, 0xf0, 0x28, + 0xe1, 0x38, 0xdd, 0x6d, 0x63, 0x06, 0x7b, 0xc2, 0x06, 0xea, 0x2d, 0x82, + 0x6a, 0x7f, 0x41, 0xc0, 0xd6, 0x13, 0xda, 0xed, 0x02, 0x0f, 0x0f, 0x30, + 0xf4, 0xe2, 0x72, 0xe9, 0x61, 0x8e, 0x0a, 0x8c, 0x39, 0x01, 0x8a, 0x83}, + priv_key_3b, + true}, + + // an otherwise correct plaintext, but with wrong first byte + // (0x01 instead of 0x00), generates a random 9 byte long plaintext + {75, + {0x6d, 0x8d, 0x3a, 0x09, 0x4f, 0xf3, 0xaf, 0xff, 0x4c}, + {0x6d, 0xb8, 0x0a, 0xdb, 0x5f, 0xf0, 0xa7, 0x68, 0xca, 0xf1, 0x37, 0x8e, + 0xcc, 0x38, 0x2a, 0x69, 0x4e, 0x7d, 0x1b, 0xde, 0x2e, 0xff, 0x4b, 0xa1, + 0x2c, 0x48, 0xaa, 0xf7, 0x94, 0xde, 0xd7, 0xa9, 0x94, 0xa5, 0xb2, 0xb5, + 0x7a, 0xce, 0xc2, 0x0d, 0xbe, 
0xc4, 0xae, 0x38, 0x5c, 0x9d, 0xd5, 0x31, + 0x94, 0x5c, 0x0f, 0x19, 0x7a, 0x54, 0x96, 0x90, 0x87, 0x25, 0xfc, 0x99, + 0xd8, 0x86, 0x01, 0xa1, 0x7d, 0x3b, 0xb0, 0xb2, 0xd3, 0x8d, 0x2c, 0x1c, + 0x31, 0x00, 0xf3, 0x99, 0x55, 0xa4, 0xcb, 0x3d, 0xbe, 0xd5, 0xa3, 0x8b, + 0xf9, 0x00, 0xf2, 0x3d, 0x91, 0xe1, 0x73, 0x64, 0x0e, 0x4e, 0xc6, 0x55, + 0xc8, 0x4f, 0xdf, 0xe7, 0x1f, 0xcd, 0xb1, 0x2a, 0x38, 0x61, 0x08, 0xfc, + 0xf7, 0x18, 0xc9, 0xb7, 0xaf, 0x37, 0xd3, 0x97, 0x03, 0xe8, 0x82, 0x43, + 0x62, 0x24, 0xc8, 0x77, 0xa2, 0x23, 0x5e, 0x83, 0x44, 0xfb, 0xa6, 0xc9, + 0x51, 0xeb, 0x7e, 0x2a, 0x4d, 0x1d, 0x1d, 0xe8, 0x1f, 0xb4, 0x63, 0xac, + 0x1b, 0x88, 0x0f, 0x6c, 0xc0, 0xe5, 0x9a, 0xde, 0x05, 0xc8, 0xce, 0x35, + 0x17, 0x9e, 0xcd, 0x09, 0x54, 0x67, 0x31, 0xfc, 0x07, 0xb1, 0x41, 0xd3, + 0xd6, 0xb3, 0x42, 0xa9, 0x7a, 0xe7, 0x47, 0xe6, 0x1a, 0x91, 0x30, 0xf7, + 0x2d, 0x37, 0xac, 0x5a, 0x2c, 0x30, 0x21, 0x5b, 0x6c, 0xbd, 0x66, 0xc7, + 0xdb, 0x89, 0x38, 0x10, 0xdf, 0x58, 0xb4, 0xc4, 0x57, 0xb4, 0xb5, 0x4f, + 0x34, 0x42, 0x82, 0x47, 0xd5, 0x84, 0xe0, 0xfa, 0x71, 0x06, 0x24, 0x46, + 0x21, 0x0d, 0xb0, 0x82, 0x54, 0xfb, 0x9e, 0xad, 0x1b, 0xa1, 0xa3, 0x93, + 0xc7, 0x24, 0xbd, 0x29, 0x1f, 0x0c, 0xf1, 0xa7, 0x14, 0x3f, 0x32, 0xdf, + 0x84, 0x90, 0x51, 0xdc, 0x89, 0x6d, 0x7d, 0x17, 0x6f, 0xef, 0x3b, 0x57, + 0xab, 0x6d, 0xff, 0xd6, 0x26, 0xd0, 0xc3, 0x04, 0x4e, 0x9e, 0xdb, 0x2e, + 0x3d, 0x01, 0x2a, 0xce, 0x20, 0x2d, 0x25, 0x81, 0xdf, 0x01, 0xbe, 0xc7, + 0xe9, 0xaa, 0x07, 0x27, 0xa6, 0x65, 0x0d, 0xd3, 0x73, 0xd3, 0x74, 0xf0, + 0xbc, 0x0f, 0x4a, 0x61, 0x1f, 0x81, 0x39, 0xdf, 0xe9, 0x7d, 0x63, 0xe7, + 0x0c, 0x61, 0x88, 0xf4, 0xdf, 0x5b, 0x67, 0x2e, 0x47, 0xc5, 0x1d, 0x8a, + 0xa5, 0x67, 0x09, 0x72, 0x93, 0xfb, 0xff, 0x12, 0x7c, 0x75, 0xec, 0x69, + 0x0b, 0x43, 0x40, 0x75, 0x78, 0xb7, 0x3c, 0x85, 0x45, 0x17, 0x10, 0xa0, + 0xce, 0xce, 0x58, 0xfd, 0x49, 0x7d, 0x7f, 0x7b, 0xd3, 0x6a, 0x8a, 0x92, + 0x78, 0x3e, 0xf7, 0xdc, 0x62, 0x65, 0xdf, 0xf5, 0x2a, 0xac, 0x8b, 0x70, + 0x34, 0x0b, 0x99, 0x65, 0x08, 
0xd3, 0x92, 0x17, 0xf2, 0x78, 0x3c, 0xe6, + 0xfc, 0x91, 0xa1, 0xcc, 0x94, 0xbb, 0x2a, 0xc4, 0x87, 0xb8, 0x4f, 0x62}, + priv_key_3b, + true}, + + // an otherwise correct plaintext, but with wrong second byte + // (0x01 instead of 0x02), generates a random 9 byte long plaintext + {76, + {0xc6, 0xae, 0x80, 0xff, 0xa8, 0x0b, 0xc1, 0x84, 0xb0}, + {0x41, 0x73, 0x28, 0xc0, 0x34, 0x45, 0x85, 0x63, 0x07, 0x9a, 0x40, 0x24, + 0x81, 0x7d, 0x01, 0x50, 0x34, 0x0c, 0x34, 0xe2, 0x5a, 0xe1, 0x6d, 0xca, + 0xd6, 0x90, 0x62, 0x3f, 0x70, 0x2e, 0x5c, 0x74, 0x8a, 0x6e, 0xbb, 0x34, + 0x19, 0xff, 0x48, 0xf4, 0x86, 0xf8, 0x3b, 0xa9, 0xdf, 0x35, 0xc0, 0x5e, + 0xfb, 0xd7, 0xf4, 0x06, 0x13, 0xf0, 0xfc, 0x99, 0x6c, 0x53, 0x70, 0x6c, + 0x30, 0xdf, 0x6b, 0xba, 0x6d, 0xcd, 0x4a, 0x40, 0x82, 0x5f, 0x96, 0x13, + 0x3f, 0x3c, 0x21, 0x63, 0x8a, 0x34, 0x2b, 0xd4, 0x66, 0x3d, 0xff, 0xbd, + 0x00, 0x73, 0x98, 0x0d, 0xac, 0x47, 0xf8, 0xc1, 0xdd, 0x8e, 0x97, 0xce, + 0x14, 0x12, 0xe4, 0xf9, 0x1f, 0x2a, 0x8a, 0xdb, 0x1a, 0xc2, 0xb1, 0x07, + 0x10, 0x66, 0xef, 0xe8, 0xd7, 0x18, 0xbb, 0xb8, 0x8c, 0xa4, 0xa5, 0x9b, + 0xd6, 0x15, 0x00, 0xe8, 0x26, 0xf2, 0x36, 0x52, 0x55, 0xa4, 0x09, 0xbe, + 0xce, 0x0f, 0x97, 0x2d, 0xf9, 0x7c, 0x3a, 0x55, 0xe0, 0x92, 0x89, 0xef, + 0x5f, 0xa8, 0x15, 0xa2, 0x35, 0x3e, 0xf3, 0x93, 0xfd, 0x1a, 0xec, 0xfc, + 0x88, 0x8d, 0x61, 0x1c, 0x16, 0xae, 0xc5, 0x32, 0xe5, 0x14, 0x8b, 0xe1, + 0x5e, 0xf1, 0xbf, 0x28, 0x34, 0xb8, 0xf7, 0x5b, 0xb2, 0x6d, 0xb0, 0x8b, + 0x66, 0xd2, 0xba, 0xad, 0x64, 0x64, 0xf8, 0x43, 0x9d, 0x19, 0x86, 0xb5, + 0x33, 0x81, 0x33, 0x21, 0xdb, 0xb1, 0x80, 0x08, 0x09, 0x10, 0xf2, 0x33, + 0xbc, 0xc4, 0xdd, 0x78, 0x4f, 0xb2, 0x18, 0x71, 0xae, 0xf4, 0x1b, 0xe0, + 0x8b, 0x7b, 0xfa, 0xd4, 0xec, 0xc3, 0xb6, 0x8f, 0x22, 0x8c, 0xb5, 0x31, + 0x7a, 0xc6, 0xec, 0x12, 0x27, 0xbc, 0x7d, 0x0e, 0x45, 0x20, 0x37, 0xba, + 0x91, 0x8e, 0xe1, 0xda, 0x9f, 0xdb, 0x83, 0x93, 0xae, 0x93, 0xb1, 0xe9, + 0x37, 0xa8, 0xd4, 0x69, 0x1a, 0x17, 0x87, 0x1d, 0x50, 0x92, 0xd2, 0x38, + 0x4b, 0x61, 0x90, 0xa5, 
0x3d, 0xf8, 0x88, 0xf6, 0x5b, 0x95, 0x1b, 0x05, + 0xed, 0x4a, 0xd5, 0x7f, 0xe4, 0xb0, 0xc6, 0xa4, 0x7b, 0x5b, 0x22, 0xf3, + 0x2a, 0x7f, 0x23, 0xc1, 0xa2, 0x34, 0xc9, 0xfe, 0xb5, 0xd8, 0x71, 0x3d, + 0x94, 0x96, 0x86, 0x76, 0x06, 0x80, 0xda, 0x4d, 0xb4, 0x54, 0xf4, 0xac, + 0xad, 0x97, 0x24, 0x70, 0x03, 0x34, 0x72, 0xb9, 0x86, 0x4d, 0x63, 0xe8, + 0xd2, 0x3e, 0xef, 0xc8, 0x7e, 0xbc, 0xf4, 0x64, 0xec, 0xf3, 0x3f, 0x67, + 0xfb, 0xcd, 0xd4, 0x8e, 0xab, 0x38, 0xc5, 0x29, 0x25, 0x86, 0xb3, 0x6a, + 0xef, 0x59, 0x81, 0xed, 0x2f, 0xa0, 0x7b, 0x2f, 0x9e, 0x23, 0xfc, 0x57, + 0xd9, 0xeb, 0x71, 0xbf, 0xff, 0x41, 0x11, 0xc8, 0x57, 0xe9, 0xff, 0xf2, + 0x3c, 0xeb, 0x31, 0xe7, 0x25, 0x92, 0xe7, 0x0c, 0x87, 0x4b, 0x49, 0x36}, + priv_key_3b, + true}, + + // an otherwise correct plaintext, but with wrong third byte + // (0x00 instead of non-zero), generates a random 9 byte long plaintext + {77, + {0xa8, 0xa9, 0x30, 0x1d, 0xaa, 0x01, 0xbb, 0x25, 0xc7}, + {0x85, 0x42, 0xc6, 0x26, 0xfe, 0x53, 0x34, 0x67, 0xac, 0xff, 0xcd, 0x4e, + 0x61, 0x76, 0x92, 0x24, 0x4c, 0x9b, 0x5a, 0x3b, 0xf0, 0xa2, 0x15, 0xc5, + 0xd6, 0x48, 0x91, 0xce, 0xd4, 0xbf, 0x4f, 0x95, 0x91, 0xb4, 0xb2, 0xae, + 0xdf, 0xf9, 0x84, 0x30, 0x57, 0x98, 0x6d, 0x81, 0x63, 0x1b, 0x0a, 0xcb, + 0x37, 0x04, 0xec, 0x21, 0x80, 0xe5, 0x69, 0x6e, 0x8b, 0xd1, 0x5b, 0x21, + 0x7a, 0x0e, 0xc3, 0x6d, 0x20, 0x61, 0xb0, 0xe2, 0x18, 0x2f, 0xaa, 0x3d, + 0x1c, 0x59, 0xbd, 0x3f, 0x90, 0x86, 0xa1, 0x00, 0x77, 0xa3, 0x33, 0x7a, + 0x3f, 0x5d, 0xa5, 0x03, 0xec, 0x37, 0x53, 0x53, 0x5f, 0xfd, 0x25, 0xb8, + 0x37, 0xa1, 0x2f, 0x25, 0x41, 0xaf, 0xef, 0xd0, 0xcf, 0xfb, 0x02, 0x24, + 0xb8, 0xf8, 0x74, 0xe4, 0xbe, 0xd1, 0x39, 0x49, 0xe1, 0x05, 0xc0, 0x75, + 0xed, 0x44, 0xe2, 0x87, 0xc5, 0xae, 0x03, 0xb1, 0x55, 0xe0, 0x6b, 0x90, + 0xed, 0x24, 0x7d, 0x2c, 0x07, 0xf1, 0xef, 0x33, 0x23, 0xe3, 0x50, 0x8c, + 0xce, 0x4e, 0x40, 0x74, 0x60, 0x6c, 0x54, 0x17, 0x2a, 0xd7, 0x4d, 0x12, + 0xf8, 0xc3, 0xa4, 0x7f, 0x65, 0x4a, 0xd6, 0x71, 0x10, 0x4b, 0xf7, 0x68, + 0x1e, 0x5b, 0x06, 
0x18, 0x62, 0x74, 0x7d, 0x9a, 0xfd, 0x37, 0xe0, 0x7d, + 0x8e, 0x0e, 0x22, 0x91, 0xe0, 0x1f, 0x14, 0xa9, 0x5a, 0x1b, 0xb4, 0xcb, + 0xb4, 0x7c, 0x30, 0x4e, 0xf0, 0x67, 0x59, 0x5a, 0x39, 0x47, 0xee, 0x2d, + 0x72, 0x20, 0x67, 0xe3, 0x8a, 0x0f, 0x04, 0x6f, 0x43, 0xec, 0x29, 0xca, + 0xc6, 0xa8, 0x80, 0x1c, 0x6e, 0x3e, 0x9a, 0x23, 0x31, 0xb1, 0xd4, 0x5a, + 0x7a, 0xa2, 0xc6, 0xaf, 0x32, 0x05, 0xbe, 0x38, 0x2d, 0xd0, 0x26, 0xe3, + 0x89, 0x61, 0x4e, 0xe0, 0x95, 0x66, 0x5a, 0x61, 0x1a, 0xb2, 0xe8, 0xdc, + 0xed, 0x2e, 0xe1, 0xc9, 0xd0, 0x8a, 0xc9, 0xde, 0x11, 0xae, 0xf5, 0xb3, + 0x80, 0x3f, 0xc9, 0xa9, 0xce, 0x82, 0x31, 0xec, 0x87, 0xb5, 0xfe, 0xd3, + 0x86, 0xfb, 0x92, 0xee, 0x3d, 0xb9, 0x95, 0xa8, 0x93, 0x07, 0xbc, 0xba, + 0x84, 0x4b, 0xd0, 0xa6, 0x91, 0xc2, 0x9a, 0xe5, 0x12, 0x16, 0xe9, 0x49, + 0xdf, 0xc8, 0x13, 0x13, 0x3c, 0xb0, 0x6a, 0x07, 0x26, 0x5f, 0xd8, 0x07, + 0xbc, 0xb3, 0x37, 0x7f, 0x6a, 0xdb, 0x0a, 0x48, 0x1d, 0x9b, 0x7f, 0x44, + 0x20, 0x03, 0x11, 0x58, 0x95, 0x93, 0x97, 0x73, 0xe6, 0xb9, 0x53, 0x71, + 0xc4, 0xfe, 0xbe, 0xf2, 0x9e, 0xda, 0xe9, 0x46, 0xfa, 0x24, 0x5e, 0x7c, + 0x50, 0x72, 0x9e, 0x2e, 0x55, 0x8c, 0xfa, 0xad, 0x77, 0x3d, 0x1f, 0xd5, + 0xf6, 0x7b, 0x45, 0x7a, 0x6d, 0x9d, 0x17, 0xa8, 0x47, 0xc6, 0xfc, 0xbd, + 0xb1, 0x03, 0xa8, 0x6f, 0x35, 0xf2, 0x28, 0xce, 0xfc, 0x06, 0xce, 0xa0}, + priv_key_3b, + true}, + + // an otherwise correct plaintext, but with wrong tenth byte + // (0x00 instead of non-zero), generates a random 9 byte long plaintext + {78, + {0x6c, 0x71, 0x6f, 0xe0, 0x1d, 0x44, 0x39, 0x80, 0x18}, + {0x44, 0x9d, 0xfa, 0x23, 0x7a, 0x70, 0xa9, 0x9c, 0xb0, 0x35, 0x17, 0x93, + 0xec, 0x86, 0x77, 0x88, 0x20, 0x21, 0xc2, 0xaa, 0x74, 0x35, 0x80, 0xbf, + 0x6a, 0x0e, 0xa6, 0x72, 0x05, 0x5c, 0xff, 0xe8, 0x30, 0x3a, 0xc4, 0x28, + 0x55, 0xb1, 0xd1, 0xf3, 0x37, 0x3a, 0xae, 0x6a, 0xf0, 0x9c, 0xb9, 0x07, + 0x41, 0x80, 0xfc, 0x96, 0x3e, 0x9d, 0x14, 0x78, 0xa4, 0xf9, 0x8b, 0x3b, + 0x48, 0x61, 0xd3, 0xe7, 0xf0, 0xaa, 0x85, 0x60, 0xcf, 0x60, 0x37, 0x11, + 0xf1, 0x39, 
0xdb, 0x77, 0x66, 0x7c, 0xa1, 0x4b, 0xa3, 0xa1, 0xac, 0xde, + 0xdf, 0xca, 0x9e, 0xf4, 0x60, 0x3d, 0x6d, 0x7e, 0xb0, 0x64, 0x5b, 0xfc, + 0x80, 0x53, 0x04, 0xf9, 0xad, 0x9d, 0x77, 0xd3, 0x47, 0x62, 0xce, 0x5c, + 0xd8, 0x4b, 0xd3, 0xec, 0x9d, 0x35, 0xc3, 0x0e, 0x3b, 0xe7, 0x2a, 0x1e, + 0x8d, 0x35, 0x5d, 0x56, 0x74, 0xa1, 0x41, 0xb5, 0x53, 0x06, 0x59, 0xad, + 0x64, 0xeb, 0xb6, 0x08, 0x2e, 0x6f, 0x73, 0xa8, 0x08, 0x32, 0xab, 0x63, + 0x88, 0x91, 0x25, 0x38, 0x91, 0x46, 0x54, 0xd3, 0x46, 0x02, 0xf4, 0xb3, + 0xb1, 0xc7, 0x85, 0x89, 0xb4, 0xa5, 0xd9, 0x64, 0xb2, 0xef, 0xcc, 0xa1, + 0xdc, 0x70, 0x04, 0xc4, 0x1f, 0x6c, 0xaf, 0xcb, 0x5a, 0x71, 0x59, 0xa7, + 0xfc, 0x7c, 0x03, 0x98, 0x60, 0x4d, 0x0e, 0xdb, 0xd4, 0xc8, 0xf4, 0xf0, + 0x40, 0x67, 0xda, 0x6a, 0x15, 0x3a, 0x05, 0xe7, 0xcb, 0xee, 0xa1, 0x3b, + 0x5e, 0xe4, 0x12, 0x40, 0x0e, 0xf7, 0xd4, 0xf3, 0x10, 0x6f, 0x47, 0x98, + 0xda, 0x70, 0x7e, 0xc3, 0x7a, 0x11, 0x28, 0x6d, 0xf2, 0xb7, 0xa2, 0x04, + 0x85, 0x6d, 0x5f, 0xf7, 0x73, 0x61, 0x3f, 0xd1, 0xe4, 0x53, 0xa7, 0x11, + 0x4b, 0x78, 0xe3, 0x47, 0xd3, 0xe8, 0x07, 0x8e, 0x1c, 0xb3, 0x27, 0x6b, + 0x35, 0x62, 0x48, 0x6b, 0xa6, 0x30, 0xbf, 0x71, 0x96, 0x97, 0xe0, 0x07, + 0x3a, 0x12, 0x3c, 0x3e, 0x60, 0xeb, 0xb5, 0xc7, 0xa1, 0xcc, 0xff, 0x42, + 0x79, 0xfa, 0xff, 0xa2, 0x40, 0x2b, 0xc1, 0x10, 0x9f, 0x8d, 0x55, 0x9d, + 0x67, 0x66, 0xe7, 0x35, 0x91, 0x94, 0x3d, 0xfc, 0xf2, 0x5b, 0xa1, 0x0c, + 0x37, 0x62, 0xf0, 0x2a, 0xf8, 0x51, 0x87, 0x79, 0x9b, 0x8b, 0x4b, 0x13, + 0x5c, 0x39, 0x90, 0x79, 0x3a, 0x6f, 0xd3, 0x26, 0x42, 0xf1, 0x55, 0x74, + 0x05, 0xba, 0x55, 0xcc, 0x7c, 0xf7, 0x33, 0x6a, 0x0e, 0x96, 0x70, 0x73, + 0xc5, 0xfa, 0x50, 0x74, 0x3f, 0x9c, 0xc5, 0xe3, 0x01, 0x7c, 0x17, 0x2d, + 0x98, 0x98, 0xd2, 0xaf, 0x83, 0x34, 0x5e, 0x71, 0xb3, 0xe0, 0xc2, 0x2a, + 0xb7, 0x91, 0xea, 0xcb, 0x64, 0x84, 0xa3, 0x2e, 0xc6, 0x0e, 0xbc, 0x22, + 0x6e, 0xc9, 0xde, 0xae, 0xe9, 0x1b, 0x1a, 0x05, 0x60, 0xc2, 0xb5, 0x71}, + priv_key_3b, + true}, + + // an otherwise correct plaintext, but with the null byte 
specifying + // end of padding missing, generates a random 9 byte long plaintext + {79, + {0xaa, 0x2d, 0xe6, 0xcd, 0xe4, 0xe2, 0x44, 0x28, 0x84}, + {0xa7, 0xa5, 0xc9, 0x9e, 0x50, 0xda, 0x48, 0x76, 0x9e, 0xcb, 0x77, 0x9d, + 0x9a, 0xbe, 0x86, 0xef, 0x9e, 0xc8, 0xc3, 0x8c, 0x6f, 0x43, 0xf1, 0x7c, + 0x7f, 0x2d, 0x7a, 0xf6, 0x08, 0xa4, 0xa1, 0xbd, 0x6c, 0xf6, 0x95, 0xb4, + 0x7e, 0x97, 0xc1, 0x91, 0xc6, 0x1f, 0xb5, 0xa2, 0x73, 0x18, 0xd0, 0x2f, + 0x49, 0x5a, 0x17, 0x6b, 0x9f, 0xae, 0x5a, 0x55, 0xb5, 0xd3, 0xfa, 0xbd, + 0x1d, 0x8a, 0xae, 0x49, 0x57, 0xe3, 0x87, 0x9c, 0xb0, 0xc6, 0x0f, 0x03, + 0x77, 0x24, 0xe1, 0x1b, 0xe5, 0xf3, 0x0f, 0x08, 0xfc, 0x51, 0xc0, 0x33, + 0x73, 0x1f, 0x14, 0xb4, 0x4b, 0x41, 0x4d, 0x11, 0x27, 0x8c, 0xd3, 0xdb, + 0xa7, 0xe1, 0xc8, 0xbf, 0xe2, 0x08, 0xd2, 0xb2, 0xbb, 0x7e, 0xc3, 0x63, + 0x66, 0xda, 0xcb, 0x6c, 0x88, 0xb2, 0x4c, 0xd7, 0x9a, 0xb3, 0x94, 0xad, + 0xf1, 0x9d, 0xbb, 0xc2, 0x1d, 0xfa, 0x57, 0x88, 0xba, 0xcb, 0xad, 0xc6, + 0xa6, 0x2f, 0x79, 0xcf, 0x54, 0xfd, 0x8c, 0xf5, 0x85, 0xc6, 0x15, 0xb5, + 0xc0, 0xeb, 0x94, 0xc3, 0x5a, 0xa9, 0xde, 0x25, 0x32, 0x1c, 0x8f, 0xfe, + 0xfb, 0x89, 0x16, 0xbb, 0xaa, 0x26, 0x97, 0xcb, 0x2d, 0xd8, 0x2e, 0xe9, + 0x89, 0x39, 0xdf, 0x9b, 0x67, 0x04, 0xce, 0xe7, 0x77, 0x93, 0xed, 0xd2, + 0xb4, 0x94, 0x7d, 0x82, 0xe0, 0x0e, 0x57, 0x49, 0x66, 0x49, 0x70, 0x73, + 0x6c, 0x59, 0xa8, 0x41, 0x97, 0xbd, 0x72, 0xb5, 0xc7, 0x1e, 0x36, 0xaa, + 0xe2, 0x9c, 0xd3, 0x9a, 0xf6, 0xac, 0x73, 0xa3, 0x68, 0xed, 0xbc, 0x1c, + 0xa7, 0x92, 0xe1, 0x30, 0x9f, 0x44, 0x2a, 0xaf, 0xcd, 0x77, 0xc9, 0x92, + 0xc8, 0x8f, 0x8e, 0x48, 0x63, 0x14, 0x9f, 0x22, 0x16, 0x95, 0xcb, 0x7b, + 0x02, 0x36, 0xe7, 0x5b, 0x23, 0x39, 0xa0, 0x2c, 0x4e, 0xa1, 0x14, 0x85, + 0x43, 0x72, 0xc3, 0x06, 0xb9, 0x41, 0x2d, 0x8e, 0xed, 0xb6, 0x00, 0xa3, + 0x15, 0x32, 0x00, 0x2f, 0x2c, 0xea, 0x07, 0xb4, 0xdf, 0x96, 0x3a, 0x09, + 0x31, 0x85, 0xe4, 0x60, 0x77, 0x32, 0xe4, 0x6d, 0x75, 0x3b, 0x54, 0x09, + 0x74, 0xfb, 0x5a, 0x5c, 0x3f, 0x94, 0x32, 0xdf, 0x22, 0xe8, 0x5b, 0xb1, + 
0x76, 0x11, 0x37, 0x09, 0x66, 0xc5, 0x52, 0x2f, 0xd2, 0x3f, 0x2a, 0xd3, + 0x48, 0x43, 0x41, 0xba, 0x7f, 0xd8, 0x88, 0x5f, 0xc8, 0xe6, 0xd3, 0x79, + 0xa6, 0x11, 0xd1, 0x3a, 0x2a, 0xca, 0x78, 0x4f, 0xba, 0x20, 0x73, 0x20, + 0x8f, 0xaa, 0xd2, 0x13, 0x7b, 0xf1, 0x97, 0x9a, 0x0f, 0xa1, 0x46, 0xc1, + 0x88, 0x0d, 0x43, 0x37, 0xdb, 0x32, 0x74, 0x26, 0x94, 0x93, 0xba, 0xb4, + 0x4a, 0x1b, 0xcd, 0x06, 0x81, 0xf7, 0x22, 0x7f, 0xfd, 0xf5, 0x89, 0xc2, + 0xe9, 0x25, 0xed, 0x9d, 0x36, 0x30, 0x25, 0x09, 0xd1, 0x10, 0x9b, 0xa4}, + priv_key_3b, + true}}; #endif // rsa_pkcs1_3072_vectors_h__ diff --git a/gtests/common/testvectors/rsa_pkcs1_4096_test-vectors.h b/gtests/common/testvectors/rsa_pkcs1_4096_test-vectors.h index 08478859ea..19d61a40ac 100644 --- a/gtests/common/testvectors/rsa_pkcs1_4096_test-vectors.h +++ b/gtests/common/testvectors/rsa_pkcs1_4096_test-vectors.h 
@@ -7061,7 +7061,42 @@ const RsaDecryptTestVector kRsa4096DecryptWycheproofVectors[] = { // Comment: ps is all 0 // tcID: 9 {9, - {0x54, 0x65, 0x73, 0x74}, + // This is a Bleichenbacher synthetic generated result + {0x27, 0xe1, 0x93, 0x04, 0xbd, 0xb4, 0xfe, 0xd3, 0x32, 0xa8, 0xdf, 0x6b, + 0x7f, 0x05, 0x58, 0x70, 0x4a, 0x96, 0x8c, 0xaa, 0x57, 0xf7, 0x31, 0x81, + 0x3c, 0x94, 0x39, 0x9b, 0xc9, 0x38, 0x1e, 0xc8, 0x6d, 0x7d, 0x92, 0x29, + 0x98, 0x5f, 0x46, 0xef, 0xec, 0x15, 0x40, 0x9c, 0x01, 0x58, 0x97, 0xbd, + 0xda, 0xf3, 0xea, 0xf2, 0x20, 0x12, 0x9d, 0x63, 0x6c, 0x2a, 0xd0, 0x1b, + 0xdf, 0xed, 0x28, 0x13, 0xc3, 0xab, 0x83, 0xd2, 0x41, 0xee, 0x0d, 0xb3, + 0x43, 0x8d, 0x11, 0xa1, 0x46, 0x18, 0x49, 0x05, 0x70, 0x6e, 0x77, 0xac, + 0xd1, 0xe4, 0x0b, 0xd4, 0x28, 0x7c, 0x8b, 0x16, 0xe7, 0xec, 0xb2, 0x7e, + 0x6b, 0x38, 0xcc, 0xeb, 0x59, 0x12, 0xb5, 0xf8, 0x36, 0xf7, 0xf9, 0x3b, + 0x42, 0x7a, 0x6e, 0xc5, 0x01, 0xbc, 0x14, 0x8e, 0x2d, 0xea, 0x44, 0xfe, + 0xfd, 0xee, 0xf4, 0xcb, 0xa2, 0x22, 0x88, 0x61, 0xd1, 0x33, 0xc2, 0xc3, + 0x61, 0x9b, 0x1f, 0x0d, 0xcf, 0x82, 0x13, 0x84, 0xd2, 0x4f, 0x60, 0xd8, + 0x16, 0xdc, 0xc8, 0xe8, 0x6c, 0x02, 0x82, 0x43, 0xfa, 0x9d, 0x79, 0x67, + 0xbb, 0x76, 0xa0, 0xae, 0x02, 0x18, 0xc8, 0x66, 0x0d, 0xab, 0x50, 0x7f, + 0xaf, 0x7d, 0x27, 0xf1, 0x48, 0x3d, 0xbb, 0xde, 0x0f, 0xe7, 0x90, 0x8d, + 0x53, 0x5d, 0x41, 0x56, 0xbc, 0xb4, 0x25, 0xb3, 0xba, 0xb8, 0xb4, 0x63, + 0x92, 0x49, 0xcc, 0x8d, 0xe0, 0x3d, 0x75, 0x67, 0xa5, 0xb4, 0x8f, 0x61, + 0x47, 0xc7, 0xa8, 0x65, 0x53, 0x7c, 0x52, 0x69, 0xb2, 0x35, 0x7a, 0xc5, + 0xf5, 0xa9, 0xc7, 0x49, 0x5d, 0xbb, 0x80, 0x9f, 0x35, 0xe6, 0xae, 0xa6, + 0x7e, 0xba, 0x0e, 0x9d, 0xbe, 0xca, 0xbf, 0x8e, 0x2c, 0xa9, 0xa6, 0x13, + 0x95, 0x06, 0x07, 0x73, 0xd3, 0xe0, 0xd0, 0xcf, 0x9b, 0x36, 0x6d, 0x4a, + 0xe5, 0xc2, 0xe7, 0x6a, 0xe0, 0xd7, 0x0b, 0x01, 0xf2, 0xf7, 0xf3, 0x4c, + 0xf1, 0x7b, 0x31, 0x14, 0x10, 0x9b, 0xb4, 0x0e, 0x1a, 0xce, 0x71, 0x3d, + 0xec, 0x0d, 0xee, 0xcc, 0xec, 0xee, 0x18, 0x4e, 0x88, 0xca, 0x80, 0x99, + 0xf2, 
0x88, 0x7a, 0x5f, 0xdc, 0x86, 0x34, 0xdc, 0x93, 0xdb, 0x58, 0x31, + 0x44, 0xfa, 0x2a, 0x7b, 0x36, 0x8e, 0x4a, 0x50, 0x33, 0x7c, 0xba, 0x7a, + 0x85, 0xf3, 0xe5, 0x62, 0xe2, 0xe8, 0x65, 0x70, 0x57, 0xd6, 0x30, 0x6a, + 0x62, 0xdf, 0x07, 0x87, 0x1d, 0x07, 0x92, 0x92, 0x43, 0x65, 0xb2, 0x42, + 0x3a, 0xb3, 0x7e, 0x29, 0x61, 0xcb, 0x64, 0x03, 0x19, 0x3a, 0x88, 0x1a, + 0x35, 0xfa, 0x31, 0xaf, 0x00, 0xa1, 0xeb, 0x38, 0x58, 0xfb, 0xee, 0xe6, + 0x23, 0x17, 0x16, 0x89, 0x71, 0x76, 0xdb, 0x77, 0x34, 0x2b, 0x3e, 0x67, + 0x62, 0x58, 0x35, 0xcb, 0xff, 0xdb, 0x94, 0xd0, 0x2c, 0xaf, 0x9e, 0x75, + 0x11, 0x75, 0xd5, 0xab, 0x1b, 0x2f, 0xb2, 0xaf, 0xd3, 0xfe, 0x8b, 0x23, + 0xad, 0x8e, 0x0b, 0x32, 0x2e, 0x8e, 0xe9, 0xbd, 0x59, 0xc3, 0x1d, 0xbe, + 0xbb, 0xb1, 0x5e, 0x06, 0xe0, 0xa3, 0x9b, 0x00, 0xee, 0xc9, 0xd5, 0xa6}, {0x55, 0x6e, 0xa7, 0xb7, 0xb4, 0xca, 0x2c, 0xee, 0x4c, 0xb4, 0xa3, 0x86, 0x74, 0x4b, 0x99, 0xcc, 0x7f, 0xea, 0x3a, 0xd3, 0x59, 0xca, 0xc1, 0xf0, 0x8f, 0xac, 0x04, 0x17, 0xe0, 0x51, 0xac, 0x35, 0xa7, 0x04, 0xc0, 0x51, @@ -7106,7 +7141,7 @@ const RsaDecryptTestVector kRsa4096DecryptWycheproofVectors[] = { 0xe8, 0x9e, 0x18, 0x99, 0x17, 0x21, 0x5c, 0xc0, 0x13, 0xad, 0xd1, 0xc0, 0x7f, 0x8e, 0xb1, 0xde, 0x06, 0x9c, 0xe0, 0x48}, priv_key_66, - false}, + true}, // Comment: ps is all 1 // tcID: 10 
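Review bot: The new comment `// This is a Bleichenbacher synthetic generated result` on tcID 9 does not say why a vector whose Wycheproof comment is "ps is all 0" now ends in `true` rather than `false`. The same applies to tcIDs 12, 13, 14 and 15 in the hunks at -7211, -7256, -7306 and -7356. If that last field is the only validity marker in `RsaDecryptTestVector` (its declaration is outside this view), the table no longer records which ciphertexts carry malformed padding. I would spell that out on each entry, e.g. `// Invalid padding: decrypt must succeed and return the synthetic message derived from the key and ciphertext (implicit rejection)`. These also look like hand edits to Wycheproof-derived data, so a file-level note that regenerating from upstream would presumably revert them to `{0x54, 0x65, 0x73, 0x74}` / `false` would help. The vectors pin only the returned bytes, so a test comment should state that timing behaviour is checked elsewhere.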
@@ -7211,7 +7246,26 @@ const RsaDecryptTestVector kRsa4096DecryptWycheproofVectors[] = { // Comment: byte 0 of ps is 0 // tcID: 12 {12, - {0x54, 0x65, 0x73, 0x74}, + // This is a Bleichenbacher synthetic generated result + {0x03, 0x7a, 0x7a, 0x13, 0x23, 0x93, 0x4e, 0xd8, 0x3a, 0xaa, 0x79, 0x21, + 0xb1, 0xaf, 0xb1, 0x0d, 0xa9, 0x33, 0x17, 0x1e, 0xe6, 0xcb, 0xe1, 0xd3, + 0x90, 0x3c, 0x5b, 0xff, 0xa7, 0x2d, 0x16, 0xa1, 0xed, 0x1d, 0x21, 0x75, + 0xb2, 0x88, 0x50, 0x5a, 0x28, 0x7b, 0x59, 0x42, 0x5e, 0xdf, 0xc0, 0xe3, + 0x99, 0x3c, 0x6c, 0x1d, 0x4a, 0xa0, 0x26, 0xc8, 0x2b, 0x91, 0xc2, 0x64, + 0xaa, 0xe0, 0xdf, 0x54, 0xbb, 0x11, 0x83, 0x49, 0x8b, 0xd6, 0x8b, 0x47, + 0x57, 0x99, 0x18, 0xf4, 0x0c, 0xec, 0x24, 0x1f, 0x71, 0x1e, 0xb2, 0x5d, + 0xe1, 0x14, 0xa8, 0x74, 0xf7, 0x0f, 0xeb, 0xec, 0x4f, 0x2d, 0x95, 0x5e, + 0x11, 0x6b, 0x43, 0x48, 0xc2, 0x8b, 0x87, 0x1c, 0xa2, 0xba, 0xd1, 0xdf, + 0xf4, 0x12, 0x86, 0x8d, 0x7e, 0xac, 0xf2, 0x1d, 0x70, 0x98, 0x37, 0xec, + 0xd7, 0x88, 0x25, 0x7f, 0x9b, 0xbd, 0xf4, 0xf7, 0x25, 0xb4, 0x09, 0x0a, + 0x64, 0xc6, 0x4e, 0x82, 0x5e, 0x01, 0x21, 0xd0, 0x4c, 0x75, 0xb9, 0x76, + 0xbc, 0xe6, 0x88, 0x57, 0x23, 0x4a, 0x8d, 0x6f, 0x74, 0x46, 0xfc, 0x9d, + 0x6d, 0x71, 0x74, 0x5e, 0xb6, 0x71, 0x51, 0x77, 0x1a, 0x16, 0x3e, 0x39, + 0xe9, 0x3b, 0xa6, 0xfe, 0xd7, 0x38, 0x8e, 0x68, 0x64, 0xf8, 0xb4, 0xf8, + 0x49, 0xd2, 0x89, 0xa9, 0xa1, 0x3e, 0x8f, 0x4e, 0xf9, 0xf2, 0xce, 0xc9, + 0xbc, 0xa2, 0xdc, 0x33, 0x5e, 0x28, 0x22, 0xf6, 0xf8, 0x22, 0xc4, 0x32, + 0x4b, 0xa9, 0x58, 0x5c, 0x28, 0xab, 0x58, 0xf5, 0xe5, 0x56, 0xd7, 0x2d, + 0x4d, 0xc4}, {0x4a, 0x7a, 0x03, 0x20, 0x2b, 0x98, 0x23, 0x09, 0xbc, 0xf2, 0xf9, 0x9d, 0x30, 0xcd, 0x0b, 0xeb, 0xe2, 0x4b, 0x43, 0x80, 0x0e, 0x3b, 0xef, 0x58, 0xab, 0xbc, 0x11, 0xe8, 0x65, 0xec, 0x2b, 0xce, 0xed, 0x4d, 0x25, 0xae, 
@@ -7256,12 +7310,16 @@ const RsaDecryptTestVector kRsa4096DecryptWycheproofVectors[] = { 0x2e, 0x08, 0x4b, 0xb6, 0xa1, 0x5f, 0x07, 0x0d, 0x40, 0x9d, 0xf7, 0xe7, 0xfc, 0x80, 0x2e, 0x0e, 0x6a, 0x98, 0x8a, 0x05}, priv_key_66, - false}, + true}, // Comment: byte 1 of ps is 0 // tcID: 13 {13, - {0x54, 0x65, 0x73, 0x74}, + // This is a Bleichenbacher synthetic generated result + {0x5a, 0x5f, 0x3c, 0xfa, 0xcb, 0x59, 0xe7, 0xaa, 0x7d, 0xad, + 0x3a, 0x79, 0x05, 0x25, 0x9c, 0x38, 0x13, 0x1f, 0x07, 0x10, + 0xdc, 0x75, 0xe5, 0x47, 0x2c, 0x2c, 0x28, 0xc8, 0x62, 0xe9, + 0x05, 0xa4, 0xb3, 0x0e, 0x65, 0x94, 0x64, 0xd8, 0xef, 0x5b}, {0x05, 0x25, 0x6d, 0xdf, 0x55, 0x99, 0x1c, 0xf3, 0xe7, 0x4b, 0x8f, 0xb8, 0xb3, 0x17, 0x2d, 0xb6, 0xe3, 0x27, 0xf1, 0x5c, 0x2c, 0xf1, 0x38, 0x30, 0xfd, 0x16, 0x97, 0x16, 0xf7, 0xe5, 0xe7, 0x17, 0x14, 0x7f, 0x91, 0x60, @@ -7306,12 +7364,15 @@ const RsaDecryptTestVector kRsa4096DecryptWycheproofVectors[] = { 0x51, 0x7e, 0xc2, 0x15, 0x7f, 0x57, 0xf4, 0xa3, 0x6c, 0xbf, 0xad, 0xab, 0x9b, 0xa6, 0xc8, 0x58, 0x9e, 0xb0, 0x33, 0x10}, priv_key_66, - false}, + true}, // Comment: byte 7 of ps is 0 // tcID: 14 {14, - {0x54, 0x65, 0x73, 0x74}, + // This is a Bleichenbacher synthetic generated result + {0x9c, 0x62, 0xf9, 0xf4, 0xc1, 0x35, 0x0b, 0x05, 0x0d, + 0x45, 0x25, 0x86, 0x0b, 0x52, 0xe7, 0x44, 0xc5, 0x53, + 0x31, 0x8f, 0xb1, 0x93, 0xbb, 0x2f, 0x7a}, {0x9e, 0xa6, 0x99, 0x11, 0x24, 0xc0, 0x47, 0x78, 0x8b, 0x4c, 0xe7, 0x68, 0x61, 0x4e, 0xdc, 0x52, 0xcb, 0x1b, 0xf8, 0x88, 0x65, 0xf8, 0x0a, 0x7b, 0x7b, 0xbb, 0xc4, 0x35, 0xc1, 0x38, 0x96, 0x25, 0xa0, 0x85, 0xa5, 0x03, 
@@ -7356,12 +7417,28 @@ const RsaDecryptTestVector kRsa4096DecryptWycheproofVectors[] = { 0x6a, 0x2f, 0xe8, 0x38, 0x6c, 0xdf, 0xe9, 0x97, 0x32, 0x31, 0x60, 0x26, 0xa2, 0xc6, 0x32, 0xaf, 0xe5, 0x08, 0x42, 0x97}, priv_key_66, - false}, + true}, // Comment: ps truncated // tcID: 15 {15, - {0x54, 0x65, 0x73, 0x74}, + // This is a Bleichenbacher synthetic generated result + {0x2f, 0x7f, 0x06, 0x4c, 0xaa, 0xd2, 0xdd, 0x14, 0xbe, 0x16, 0x80, 0xae, + 0x3b, 0x7d, 0x11, 0xca, 0x46, 0x1d, 0xec, 0x4b, 0x20, 0x6e, 0x7d, 0x33, + 0x94, 0x76, 0xb0, 0xc6, 0x9f, 0x7d, 0xb3, 0x27, 0xfc, 0x58, 0x84, 0xff, + 0x02, 0x50, 0x88, 0xd2, 0x34, 0x8c, 0xba, 0x80, 0x74, 0x4d, 0xba, 0xb7, + 0x04, 0x28, 0xaa, 0x56, 0x65, 0x2b, 0x84, 0xfe, 0xd2, 0x82, 0x06, 0xd0, + 0x6a, 0xb6, 0x1e, 0x58, 0x94, 0x3b, 0x6f, 0x68, 0x2c, 0x7c, 0x12, 0x42, + 0x44, 0xe0, 0x1f, 0x7e, 0xca, 0x48, 0x06, 0x07, 0x7b, 0x5d, 0xdd, 0x53, + 0xdd, 0xf3, 0xa2, 0x48, 0x7a, 0xb8, 0x79, 0x16, 0x5c, 0xbe, 0x02, 0x83, + 0xab, 0x1b, 0x7e, 0x1c, 0x10, 0x6b, 0x95, 0x82, 0x90, 0x34, 0x8e, 0xde, + 0x21, 0xbf, 0xdb, 0xbb, 0x3e, 0x5b, 0x26, 0xf7, 0x42, 0x7b, 0x0c, 0x41, + 0x19, 0xc6, 0x2f, 0x94, 0xbc, 0x0d, 0xda, 0x34, 0x8e, 0xfc, 0xb6, 0x56, + 0xf9, 0x66, 0x96, 0xaa, 0x15, 0xcc, 0x99, 0x9b, 0x4b, 0x53, 0xb9, 0xc3, + 0x91, 0xfb, 0x49, 0x3a, 0x4b, 0xdc, 0x9a, 0x2f, 0xe3, 0x9f, 0x85, 0x02, + 0x25, 0x96, 0xbf, 0x7c, 0x45, 0x84, 0xcb, 0x0a, 0x7e, 0x41, 0x99, 0x08, + 0x0a, 0x67, 0x0a, 0x77, 0x74, 0xa9, 0x72, 0xeb, 0xa8, 0x5e, 0x1d, 0xd2, + 0x9e, 0xd5, 0x00, 0x53, 0x77, 0x5d}, {0x14, 0x27, 0xb2, 0x36, 0x4d, 0xed, 0xf9, 0xb3, 0x3b, 0x1c, 0xf7, 0x0f, 0x88, 0x23, 0xb6, 0x0a, 0x26, 0x86, 0x52, 0x0f, 0x90, 0x4e, 0x89, 0x24, 0x7b, 0xc6, 0xb5, 0xb6, 0x82, 0x17, 0x0f, 0xd1, 0x52, 0x55, 0x4f, 0x86, 
@@ -7406,12 +7483,45 @@ const RsaDecryptTestVector kRsa4096DecryptWycheproofVectors[] = { 0x8f, 0x14, 0x2d, 0xf5, 0xf1, 0xcb, 0xbc, 0xf2, 0xa7, 0x13, 0x72, 0x9c, 0x2a, 0x01, 0x17, 0x78, 0x1f, 0x85, 0x09, 0xdf}, priv_key_66, - false}, + true}, // Comment: ps missing // tcID: 16 {16, - {0x54, 0x65, 0x73, 0x74}, + // This is a Bleichenbacher synthetic generated result + {0x77, 0x0a, 0xbf, 0xf4, 0x5b, 0xef, 0x4e, 0x24, 0xb7, 0xf5, 0xd2, 0x10, + 0x18, 0x64, 0x86, 0x86, 0x89, 0x01, 0xb2, 0x1e, 0x48, 0x15, 0x96, 0x2d, + 0x6d, 0xe9, 0xc1, 0x75, 0x95, 0xaa, 0x66, 0xba, 0x63, 0x40, 0xbc, 0xc7, + 0xe0, 0x11, 0x6f, 0x49, 0x77, 0x1d, 0xa6, 0xd7, 0xd9, 0x5c, 0x4f, 0x0b, + 0xb6, 0x35, 0xe9, 0x1f, 0x7f, 0x02, 0xc5, 0x43, 0x8c, 0xfe, 0xad, 0x2a, + 0xa3, 0xa5, 0xca, 0x58, 0x98, 0xac, 0xc5, 0x1b, 0x93, 0x86, 0xb4, 0xb3, + 0x9f, 0xc2, 0x01, 0x5c, 0x93, 0x33, 0x2b, 0x2c, 0x4c, 0x5d, 0xfe, 0x0d, + 0x87, 0x70, 0x55, 0x64, 0xff, 0x48, 0xcc, 0x8d, 0x6d, 0x0b, 0xbe, 0x64, + 0xa1, 0x45, 0x90, 0x5e, 0xd0, 0xc5, 0x69, 0x5a, 0x40, 0x27, 0xb2, 0x5a, + 0x61, 0x0d, 0x64, 0xba, 0xd6, 0xf0, 0xaa, 0xa7, 0x0f, 0x10, 0x01, 0xb6, + 0x3d, 0x57, 0xb3, 0x35, 0xf6, 0x6e, 0xf5, 0xb2, 0x3b, 0xea, 0x38, 0x69, + 0x74, 0x09, 0xca, 0x10, 0x31, 0x08, 0x4a, 0x88, 0x25, 0x58, 0x22, 0x56, + 0x0a, 0x7b, 0x63, 0x37, 0x52, 0x37, 0x6c, 0x30, 0xbc, 0x0b, 0x20, 0x0d, + 0x52, 0x37, 0x7a, 0x94, 0x14, 0x78, 0xa2, 0x44, 0x12, 0x9e, 0x04, 0x5b, + 0x8a, 0x40, 0x77, 0x32, 0xed, 0xbf, 0x1d, 0x68, 0xdf, 0xce, 0x07, 0x3a, + 0xd6, 0x81, 0x2f, 0x5c, 0x90, 0xde, 0xe9, 0xa9, 0xe6, 0x07, 0x9e, 0xa7, + 0xfb, 0xb5, 0x10, 0x00, 0xb9, 0x2e, 0xaa, 0x4f, 0x63, 0x19, 0x1b, 0x16, + 0xbd, 0xbf, 0x20, 0xbe, 0xa5, 0x64, 0xe8, 0x87, 0xcb, 0x71, 0x3f, 0x92, + 0x88, 0xc7, 0x9a, 0x16, 0x3c, 0x88, 0xf1, 0xe3, 0x08, 0x09, 0xff, 0xe3, + 0x89, 0x09, 0xf4, 0xaa, 0x78, 0x0c, 0xa8, 0x54, 0xc6, 0xd1, 0x10, 0xa9, + 0xfa, 0x54, 0x68, 0x3e, 0x53, 0x67, 0xc7, 0x8c, 0x2a, 0x8a, 0x25, 0x73, + 0x65, 0x71, 0x83, 0x79, 0xfc, 0x1b, 0x46, 0x3a, 0x6f, 0x97, 0x8a, 0x01, + 
0xd8, 0x39, 0xcb, 0xd7, 0x5c, 0x49, 0xb2, 0x70, 0x51, 0xc6, 0x45, 0xaf, + 0xc8, 0x3e, 0x51, 0x7a, 0x4b, 0x3d, 0x8d, 0x96, 0x5c, 0x83, 0xec, 0x02, + 0x99, 0x8e, 0x98, 0xce, 0x15, 0x3a, 0xf0, 0xaf, 0x9b, 0x6e, 0xd4, 0xcc, + 0x8f, 0xe0, 0xb9, 0x84, 0x17, 0xed, 0x66, 0x1c, 0x75, 0x5f, 0x4d, 0xeb, + 0xfa, 0xc7, 0x24, 0x63, 0x65, 0x3c, 0x52, 0x0d, 0x4d, 0x6c, 0xc8, 0x5f, + 0x54, 0x2d, 0xec, 0xbe, 0x87, 0xb5, 0xc6, 0x7e, 0x74, 0xcb, 0x87, 0xe4, + 0xc1, 0x9a, 0x59, 0x13, 0x2e, 0x90, 0xb5, 0x79, 0x5f, 0x8c, 0xa1, 0x8b, + 0xa8, 0x0f, 0x50, 0x7f, 0xb9, 0xee, 0x84, 0xb9, 0xaf, 0x80, 0x3b, 0x30, + 0x4d, 0x65, 0x0b, 0x8d, 0x80, 0xaa, 0xb0, 0x35, 0x38, 0x18, 0x45, 0xb8, + 0x09, 0xfe, 0xe3, 0x7c, 0xf7, 0xb2, 0xd9, 0xae, 0x55, 0x74, 0x24, 0x4e, + 0xbe, 0x6a, 0x1a, 0xcf, 0xc3, 0xff, 0x26, 0x36}, {0xa4, 0xdf, 0xae, 0x87, 0x79, 0xa1, 0x1c, 0x42, 0x54, 0xa5, 0x9c, 0x7c, 0x5e, 0xb0, 0x8e, 0x2c, 0xcf, 0x9d, 0x28, 0x69, 0x2c, 0x2d, 0xf4, 0x90, 0x21, 0x84, 0xe6, 0x91, 0x46, 0xc5, 0x77, 0x24, 0xfa, 0x0a, 0x4b, 0x27, 
@@ -7456,12 +7566,22 @@ const RsaDecryptTestVector kRsa4096DecryptWycheproofVectors[] = { 0x58, 0x02, 0xc0, 0xbd, 0x55, 0xed, 0x1a, 0x1b, 0xd8, 0x9a, 0x29, 0x09, 0x2f, 0x1c, 0xe7, 0x50, 0xa2, 0x61, 0xa4, 0xb9}, priv_key_66, - false}, + true}, // Comment: Block type = 0 // tcID: 17 {17, - {0x54, 0x65, 0x73, 0x74}, + // This is a Bleichenbacher synthetic generated result + {0xbb, 0x28, 0xd2, 0x14, 0xe1, 0x25, 0x7a, 0xfe, 0xbc, 0xf6, 0x7e, 0x15, + 0x4f, 0x43, 0x1b, 0x20, 0x30, 0x85, 0x3d, 0x84, 0xfb, 0xb9, 0x22, 0x68, + 0x9d, 0x12, 0x7a, 0xc9, 0x8b, 0x9c, 0xf7, 0x35, 0xbc, 0xe1, 0x01, 0x9c, + 0x5f, 0x83, 0x15, 0xa8, 0x97, 0x20, 0x73, 0x8d, 0x3d, 0x4c, 0xdc, 0xd1, + 0x48, 0xc6, 0x35, 0x60, 0x65, 0xee, 0x41, 0x65, 0xe1, 0x08, 0xcf, 0xbe, + 0x4c, 0xc8, 0x19, 0xe7, 0xf7, 0x4e, 0x4a, 0x3d, 0xa7, 0x00, 0x66, 0x1c, + 0x5b, 0x42, 0xc6, 0x38, 0x78, 0x53, 0xdc, 0xff, 0xc2, 0x60, 0xab, 0x1b, + 0x84, 0xbe, 0x4f, 0x89, 0x17, 0x47, 0x11, 0x7e, 0xb9, 0xca, 0x03, 0x44, + 0x8f, 0xf8, 0xd2, 0x0d, 0x0a, 0x99, 0xdc, 0x71, 0xd2, 0x16, 0x91, 0x6b, + 0x55, 0xb9, 0x24, 0x6a, 0x3a, 0x00, 0x8d, 0x22, 0xaa}, {0x70, 0x7b, 0xba, 0x45, 0xb2, 0xe3, 0x45, 0x89, 0x5f, 0x4d, 0x6e, 0x5f, 0xf7, 0xdd, 0xfd, 0x52, 0x70, 0x35, 0x4f, 0x19, 0x40, 0xb4, 0xc5, 0x18, 0xa6, 0xec, 0x0e, 0x0b, 0x47, 0xd9, 0xb5, 0x2c, 0xfc, 0xac, 0x90, 0x8b, 
@@ -7506,12 +7626,35 @@ const RsaDecryptTestVector kRsa4096DecryptWycheproofVectors[] = { 0xe9, 0x49, 0x23, 0x61, 0xe0, 0x93, 0x63, 0xfc, 0x7e, 0xea, 0x0d, 0x91, 0xff, 0x94, 0x17, 0x00, 0x2b, 0x79, 0xa5, 0x7f}, priv_key_66, - false}, + true}, // Comment: Block type = 1 // tcID: 18 {18, - {0x54, 0x65, 0x73, 0x74}, + // This is a Bleichenbacher synthetic generated result + {0x0a, 0x76, 0xe0, 0x54, 0x71, 0x20, 0x46, 0x74, 0xe5, 0x97, 0x30, 0xaa, + 0xc5, 0x7b, 0x5e, 0xc0, 0xcb, 0x3b, 0xb3, 0xdc, 0x62, 0x28, 0x3a, 0xc0, + 0x68, 0xfe, 0x2e, 0x81, 0x16, 0xbd, 0xcf, 0x3e, 0xf3, 0x22, 0x15, 0x8f, + 0xca, 0xa5, 0xc3, 0xa4, 0xcb, 0x91, 0x47, 0x83, 0x81, 0x2e, 0x19, 0x63, + 0x18, 0x91, 0xf6, 0xa9, 0x31, 0xf2, 0xd2, 0x28, 0x9d, 0x29, 0x51, 0x0f, + 0xa9, 0x86, 0xc0, 0x7d, 0x0e, 0x1a, 0xfb, 0x51, 0x4c, 0xfa, 0x2b, 0xdf, + 0x91, 0x80, 0x6d, 0x55, 0x03, 0xb5, 0x83, 0xbc, 0xb9, 0x4b, 0x8f, 0x49, + 0xba, 0x4e, 0x08, 0x2c, 0x3a, 0x25, 0xc7, 0x3f, 0x9c, 0xe5, 0x17, 0x2c, + 0xff, 0x83, 0x90, 0x92, 0x20, 0x16, 0x5c, 0x37, 0xde, 0xc8, 0xe4, 0x03, + 0x55, 0x45, 0x10, 0x29, 0x41, 0x5b, 0xd3, 0xfd, 0xca, 0x4f, 0x82, 0x31, + 0x8e, 0x94, 0x39, 0xb0, 0x8d, 0x70, 0x56, 0x6f, 0x5d, 0xd0, 0x89, 0xf0, + 0x66, 0xdf, 0xf4, 0x95, 0x80, 0x57, 0xce, 0x3c, 0x4b, 0xa3, 0x93, 0x52, + 0xe8, 0x72, 0xf9, 0x1d, 0x2b, 0xa7, 0x91, 0xcf, 0x2c, 0x1a, 0x62, 0xd0, + 0x1c, 0x4c, 0xa6, 0x90, 0xe8, 0xda, 0xc3, 0xe6, 0x9b, 0x33, 0x4b, 0xcb, + 0xd7, 0x35, 0xc2, 0x94, 0x48, 0x9f, 0xe4, 0x9a, 0x0e, 0x09, 0xd1, 0x85, + 0x17, 0x96, 0x3d, 0xf1, 0xac, 0x46, 0x84, 0xbf, 0x8a, 0x69, 0x78, 0xd7, + 0xcd, 0xce, 0x17, 0xd7, 0xb8, 0xea, 0xd9, 0xa5, 0xbe, 0xf8, 0x44, 0x53, + 0xe0, 0xfa, 0x6b, 0x6f, 0xb2, 0x47, 0xe5, 0xea, 0x97, 0x81, 0x24, 0x4a, + 0x34, 0x14, 0x03, 0x62, 0xf7, 0x3a, 0xf7, 0x00, 0x08, 0x5f, 0xf4, 0x1f, + 0x26, 0x61, 0x6b, 0x7c, 0xa7, 0x6a, 0x86, 0x56, 0x5b, 0x47, 0xf7, 0xc8, + 0x1f, 0xc1, 0xf8, 0x5c, 0xb4, 0xa4, 0x37, 0x5f, 0x11, 0xae, 0xc5, 0xec, + 0xe0, 0x92, 0xcf, 0xcd, 0xe2, 0xec, 0xf2, 0x4c, 0xb3, 0xd2, 0x50, 
0x02, + 0x84, 0x61, 0x8f, 0xfe, 0x97, 0xe6, 0xda, 0x1c}, {0xdf, 0x0e, 0xab, 0x19, 0x82, 0xae, 0x5a, 0xb7, 0x97, 0x65, 0xbb, 0xcc, 0x8d, 0xaa, 0xf4, 0x3d, 0x46, 0x59, 0xe9, 0x0a, 0xee, 0x06, 0x02, 0x68, 0x88, 0x0a, 0x84, 0xe9, 0x41, 0x88, 0x19, 0x40, 0xbf, 0xe1, 0x6a, 0xb9, 
@@ -7556,12 +7699,52 @@ const RsaDecryptTestVector kRsa4096DecryptWycheproofVectors[] = { 0x83, 0xf5, 0x84, 0x5b, 0x59, 0xb7, 0x94, 0x87, 0x2a, 0x76, 0x78, 0xdf, 0x60, 0xd8, 0xb8, 0x3f, 0xc1, 0xd0, 0xe5, 0x97}, priv_key_66, - false}, + true}, // Comment: Block type = 0xff // tcID: 19 {19, - {0x54, 0x65, 0x73, 0x74}, + // This is a Bleichenbacher synthetic generated result + {0xd1, 0x5b, 0xcc, 0xb0, 0x44, 0x5f, 0xc0, 0x58, 0xc9, 0xe9, 0x91, 0xc1, + 0xc1, 0x3e, 0x2c, 0x0d, 0xb5, 0x61, 0x22, 0xab, 0xfe, 0x20, 0xf5, 0x5d, + 0xea, 0xba, 0x92, 0xc9, 0x40, 0x80, 0xb1, 0x4d, 0xf1, 0x2c, 0xed, 0xe3, + 0x65, 0xf2, 0xa3, 0x04, 0xed, 0xd9, 0x30, 0x85, 0x32, 0xed, 0x99, 0x54, + 0xbf, 0xce, 0xfe, 0x99, 0x89, 0x6e, 0x53, 0xd1, 0x9d, 0xa5, 0xe6, 0xc5, + 0x02, 0x00, 0x82, 0x1b, 0x56, 0x9b, 0x3f, 0xe4, 0x10, 0xbf, 0xe7, 0x1c, + 0x7b, 0xc3, 0x34, 0x91, 0x14, 0x2a, 0x10, 0xe5, 0x50, 0x5c, 0x64, 0x35, + 0x4f, 0x01, 0x88, 0xec, 0x8d, 0x24, 0xfa, 0x0f, 0xaf, 0x56, 0xc2, 0x8b, + 0xce, 0x83, 0xfd, 0x12, 0xef, 0xa7, 0x48, 0xe9, 0xc0, 0x53, 0x4c, 0xa2, + 0x64, 0x34, 0x24, 0x95, 0x46, 0x48, 0x8f, 0x20, 0x6e, 0xbb, 0x9c, 0xe4, + 0x38, 0x06, 0x3a, 0xd7, 0x43, 0x1f, 0xb4, 0x4b, 0xc6, 0x38, 0xc4, 0x1b, + 0xb7, 0x33, 0x41, 0x2b, 0x42, 0xf9, 0x1d, 0xf7, 0x8f, 0x4d, 0x01, 0x37, + 0x6e, 0x4d, 0xb5, 0x45, 0xa4, 0xfc, 0xc9, 0x4a, 0xdc, 0x52, 0x0e, 0x1b, + 0xdb, 0xfb, 0x6f, 0xef, 0x2a, 0x96, 0xdf, 0x3f, 0xf9, 0x3f, 0x95, 0x01, + 0x7c, 0xbe, 0xdf, 0xb3, 0x6f, 0xe5, 0xb5, 0x0a, 0x5c, 0xff, 0x1d, 0xb1, + 0x10, 0xfa, 0x1f, 0x03, 0xe3, 0xe6, 0x5a, 0xa2, 0x4b, 0x94, 0xa9, 0x6a, + 0xb1, 0xef, 0xe7, 0xce, 0xc9, 0xb5, 0x4d, 0x1d, 0xf2, 0x6b, 0x69, 0xde, + 0x87, 0x88, 0x21, 0xf1, 0xc0, 0xfc, 0x51, 0x15, 0x2f, 0xd2, 0x4b, 0xae, + 0x58, 0x10, 0xa7, 0xd6, 0xf1, 0xef, 0x86, 0x9b, 0x90, 0xcd, 0xd9, 0x6f, + 0x36, 0x56, 0xcb, 0xb3, 0x1a, 0x91, 0x1a, 0x5e, 0xde, 0xae, 0xca, 0x70, + 0x9d, 0x40, 0x49, 0x98, 0xc2, 0x9f, 0x40, 0x51, 0x5a, 0x6c, 0xf6, 0xc9, + 0x9b, 0xd8, 0xc8, 0xd8, 0xd5, 0x21, 0x8e, 0xa0, 0x1d, 0x3c, 0x5f, 
0xaf, + 0x43, 0xb6, 0x1d, 0xa3, 0x01, 0x2b, 0x42, 0x14, 0xbb, 0x5f, 0x73, 0x3d, + 0xc8, 0x42, 0x89, 0xc2, 0x65, 0xff, 0xa4, 0x50, 0x84, 0xfa, 0x0e, 0x51, + 0x39, 0x17, 0xae, 0xdf, 0xac, 0x81, 0x6b, 0x8a, 0x2e, 0x5f, 0xbf, 0x89, + 0x3d, 0x9c, 0x51, 0x7f, 0xd0, 0xde, 0x13, 0x2f, 0x57, 0x14, 0x85, 0x3b, + 0x81, 0xcc, 0xd7, 0xa1, 0xc8, 0x45, 0xb1, 0xd3, 0x61, 0x0f, 0xf7, 0x66, + 0x77, 0x4e, 0xd6, 0xcc, 0x6a, 0xb7, 0x4d, 0x38, 0x35, 0xab, 0x93, 0x42, + 0x9b, 0x68, 0xed, 0x36, 0x7c, 0x32, 0x79, 0xe5, 0xf7, 0x3c, 0xa3, 0xa1, + 0x3f, 0xff, 0xd5, 0x2a, 0x41, 0x16, 0xba, 0xe3, 0x4d, 0xe5, 0xe5, 0xb8, + 0xac, 0x98, 0xf2, 0xcd, 0x56, 0x3f, 0x0b, 0x24, 0x6d, 0x0c, 0xa9, 0x56, + 0x23, 0x34, 0x71, 0x7d, 0x58, 0x29, 0xe3, 0x55, 0xd8, 0x22, 0xc7, 0xc1, + 0x10, 0x0f, 0xc1, 0x20, 0x72, 0xae, 0x42, 0xd9, 0x46, 0xd0, 0x45, 0xfd, + 0xbe, 0x6f, 0x33, 0xa5, 0x9c, 0xb2, 0x25, 0x40, 0x61, 0xa7, 0x14, 0xf7, + 0x81, 0x13, 0x31, 0x42, 0x85, 0x1a, 0x61, 0x17, 0x9a, 0xdb, 0xc5, 0x21, + 0xf4, 0x42, 0x63, 0xa3, 0x05, 0xaa, 0xdf, 0x1c, 0x8a, 0xb9, 0x30, 0x23, + 0xa4, 0x91, 0x8a, 0xfa, 0x9b, 0x5e, 0x72, 0x92, 0xd6, 0xae, 0x39, 0x64, + 0x5c, 0x73, 0xe5, 0x71, 0x2a, 0x8d, 0xf2, 0x31, 0x32, 0xdd, 0x0f, 0xfa, + 0x45, 0xae, 0xba, 0xb4, 0x30, 0x2d, 0xc6, 0xb5, 0xba, 0x6c, 0xd7, 0xa3, + 0xf3, 0x49, 0x4f, 0xd8, 0x99, 0x51, 0x30, 0x59, 0x8f}, {0xcf, 0x23, 0x55, 0x09, 0xad, 0xc3, 0xf7, 0x06, 0xff, 0x62, 0xe4, 0x22, 0x83, 0xe0, 0xfd, 0xc3, 0x7e, 0x68, 0xd2, 0xa5, 0x4d, 0xa8, 0x7d, 0x5f, 0x89, 0x5b, 0x99, 0x9f, 0x8d, 0xe6, 0x38, 0xbd, 0x3b, 0x11, 0x11, 0x59, 
@@ -7606,12 +7789,47 @@ const RsaDecryptTestVector kRsa4096DecryptWycheproofVectors[] = { 0x71, 0xf3, 0xae, 0x76, 0xf1, 0xc6, 0xe3, 0x2c, 0xee, 0x8a, 0x45, 0x88, 0x00, 0xe0, 0xe4, 0x08, 0x58, 0x31, 0x71, 0xf1}, priv_key_66, - false}, + true}, // Comment: First byte is not zero // tcID: 20 {20, - {0x54, 0x65, 0x73, 0x74}, + // This is a Bleichenbacher synthetic generated result + {0x42, 0x1b, 0x7a, 0x2d, 0x49, 0x34, 0x83, 0x8c, 0xf3, 0xb9, 0xc5, 0x44, + 0x54, 0xaa, 0xe2, 0xa9, 0x7d, 0x53, 0x99, 0xb1, 0x94, 0x79, 0x8e, 0x70, + 0xd1, 0x16, 0x1d, 0x01, 0x4e, 0xe8, 0xf4, 0x56, 0xde, 0xa5, 0x98, 0x2b, + 0x87, 0xe5, 0xd2, 0x76, 0xcb, 0x88, 0x19, 0x54, 0xc1, 0x0a, 0x09, 0xa6, + 0xf8, 0xfc, 0x93, 0xd0, 0x78, 0xb7, 0xf8, 0x65, 0xa9, 0x02, 0x77, 0xe1, + 0x1f, 0x4d, 0x90, 0x6e, 0x61, 0xdb, 0xff, 0x86, 0x51, 0xe1, 0x6f, 0x1b, + 0x60, 0xec, 0x94, 0xd8, 0xed, 0x7f, 0x01, 0xfc, 0x50, 0x30, 0xb6, 0x7d, + 0x70, 0x99, 0xf2, 0x25, 0x95, 0x81, 0x83, 0xe4, 0x4c, 0x22, 0xc3, 0xea, + 0x77, 0x19, 0x66, 0x44, 0x7e, 0x6d, 0x9a, 0xcf, 0x73, 0xfd, 0xab, 0x8e, + 0x6f, 0x30, 0xe0, 0xac, 0x67, 0x65, 0x95, 0x0b, 0xaf, 0xb4, 0x24, 0x46, + 0xec, 0x33, 0xa0, 0x1b, 0x50, 0x81, 0x04, 0x6d, 0x45, 0x8f, 0x90, 0xdb, + 0x41, 0x7f, 0x52, 0x2b, 0xea, 0xd7, 0x78, 0x17, 0xcd, 0x66, 0xa8, 0x48, + 0x90, 0x10, 0x55, 0x11, 0x10, 0xf7, 0xdc, 0xf0, 0x10, 0x6d, 0x3c, 0xac, + 0x33, 0x85, 0x6e, 0x9d, 0xfd, 0x1f, 0x7f, 0xb1, 0xab, 0xaf, 0xb8, 0x84, + 0xb7, 0xad, 0xe2, 0xa8, 0x98, 0x68, 0x92, 0x22, 0xd8, 0x19, 0xa2, 0x1e, + 0xc1, 0x91, 0xc5, 0x6f, 0x35, 0xea, 0x3f, 0xae, 0xa9, 0x71, 0xb5, 0x01, + 0xca, 0xbb, 0xb6, 0x55, 0x65, 0xc9, 0xc9, 0xd1, 0x57, 0x93, 0x50, 0x63, + 0x14, 0xdc, 0xa6, 0x1b, 0x23, 0x58, 0x74, 0x27, 0x31, 0x36, 0xa1, 0xf8, + 0x32, 0x2e, 0xb9, 0x45, 0x73, 0x41, 0xca, 0x03, 0xc8, 0xd6, 0x71, 0xf5, + 0x9a, 0xd2, 0x46, 0x23, 0x01, 0x61, 0xe1, 0xcb, 0xb0, 0xd1, 0x06, 0xbb, + 0x80, 0xc0, 0x68, 0x7e, 0xd5, 0xc5, 0xb9, 0x0f, 0xa3, 0x08, 0xce, 0x74, + 0xce, 0x7a, 0xaa, 0x86, 0xa6, 0x3b, 0x78, 0xe1, 0x4b, 0xde, 
0x8b, 0xa8, + 0xa7, 0x11, 0xae, 0xdf, 0x13, 0x5a, 0xb4, 0xde, 0x1c, 0xde, 0x3d, 0x58, + 0x5a, 0xab, 0xb4, 0x7c, 0x24, 0xe1, 0x05, 0xb0, 0xd1, 0x95, 0x05, 0xbf, + 0x5d, 0xb8, 0xc5, 0x41, 0xb7, 0xc0, 0x20, 0x53, 0xbf, 0xd6, 0x25, 0x7c, + 0xce, 0x98, 0x35, 0x8e, 0xda, 0x38, 0x57, 0xc4, 0x70, 0x85, 0x27, 0xbe, + 0x6c, 0xfa, 0x2b, 0xa8, 0xf0, 0x93, 0x0c, 0x2e, 0xe7, 0xc4, 0xdb, 0xf5, + 0xb5, 0x38, 0x87, 0xc1, 0x58, 0x86, 0x0e, 0xd6, 0xc3, 0x49, 0x5f, 0xd4, + 0x1a, 0xe1, 0x29, 0xfe, 0x7e, 0x90, 0x7f, 0xf7, 0xb1, 0xf5, 0x46, 0x95, + 0x78, 0x55, 0x59, 0x0e, 0xd0, 0x3a, 0xfc, 0xd1, 0xe7, 0x07, 0x8c, 0xb7, + 0x2a, 0xae, 0x8b, 0x8f, 0xde, 0xec, 0xbe, 0x8c, 0x22, 0x93, 0xfd, 0x53, + 0x64, 0xee, 0x9f, 0xb1, 0xef, 0x79, 0x31, 0xaa, 0xbd, 0x39, 0x92, 0xec, + 0x23, 0x88, 0x3f, 0x0d, 0x07, 0x36, 0xd0, 0x1d, 0x6e, 0xb7, 0xf3, 0x01, + 0xc0, 0x4b, 0x3d, 0xe2, 0xe4, 0x9a, 0xa6, 0xaf, 0x18, 0xf8, 0xad, 0xf0, + 0x67, 0xcc, 0xda, 0x5d, 0x75, 0x24, 0x06, 0x9b, 0x7f}, {0x95, 0xe6, 0x86, 0xfa, 0x46, 0x9e, 0x35, 0x57, 0xda, 0x1f, 0x42, 0x7b, 0x01, 0xa3, 0x39, 0xcd, 0x50, 0xb6, 0xae, 0xf7, 0x26, 0x39, 0x5b, 0xab, 0x94, 0xb0, 0x6d, 0x43, 0x7e, 0x2c, 0xa5, 0x46, 0xf0, 0x1a, 0x2f, 0x2e, 
@@ -7656,12 +7874,25 @@ const RsaDecryptTestVector kRsa4096DecryptWycheproofVectors[] = { 0xf2, 0x68, 0xe5, 0x21, 0x0a, 0xac, 0xdc, 0xf1, 0xb3, 0xfd, 0x41, 0xbf, 0xeb, 0x9d, 0xb1, 0x55, 0x0c, 0xed, 0xee, 0x6b}, priv_key_66, - false}, + true}, // Comment: First byte is not zero // tcID: 21 {21, - {0x54, 0x65, 0x73, 0x74}, + // This is a Bleichenbacher synthetic generated result + {0xa4, 0x6b, 0x87, 0xc0, 0x50, 0x3c, 0x0b, 0xc3, 0x7e, 0x30, 0x42, 0xf4, + 0x42, 0x1a, 0xca, 0xa9, 0x75, 0x3f, 0x07, 0x6d, 0xbf, 0xe9, 0x57, 0xc5, + 0xba, 0x9e, 0xba, 0xb4, 0x5e, 0xc2, 0x67, 0x64, 0xf2, 0xe3, 0xf8, 0x25, + 0x59, 0x04, 0xa3, 0x9f, 0xbb, 0xd5, 0xa3, 0x3f, 0xec, 0x28, 0x1d, 0x97, + 0x7e, 0x73, 0x63, 0x3d, 0x08, 0x0b, 0xb1, 0xe9, 0x5f, 0x1b, 0x90, 0x22, + 0x19, 0xed, 0x92, 0x3a, 0x2e, 0xd1, 0x3a, 0x14, 0x56, 0xc2, 0x8c, 0x58, + 0x82, 0x87, 0xbc, 0xb9, 0xe2, 0xb6, 0x2f, 0x90, 0xba, 0x07, 0x67, 0x4f, + 0x41, 0xf9, 0xc7, 0xb0, 0x80, 0xf9, 0x44, 0xa3, 0xb8, 0xa8, 0x88, 0xf9, + 0xbb, 0x9c, 0x6d, 0x00, 0x98, 0xf0, 0x24, 0x08, 0x44, 0xac, 0x68, 0xaa, + 0x9c, 0xa1, 0x27, 0x5d, 0xcf, 0x16, 0x55, 0xb5, 0x11, 0xf2, 0x1c, 0x0a, + 0x66, 0xf3, 0x99, 0x73, 0xa4, 0x2f, 0x54, 0x73, 0x43, 0xfc, 0x1b, 0x79, + 0x37, 0xce, 0x97, 0xa7, 0x7c, 0xac, 0x65, 0x29, 0x02, 0x60, 0x06, 0xcf, + 0x67, 0xeb}, {0x35, 0xbd, 0xd3, 0x34, 0x43, 0xb5, 0x80, 0x35, 0x5f, 0xc6, 0xb7, 0x02, 0x07, 0x14, 0x20, 0xb4, 0x86, 0x46, 0x12, 0xe0, 0x52, 0x67, 0x18, 0x9e, 0x46, 0xbf, 0xe0, 0x97, 0xfb, 0x82, 0xff, 0x1c, 0xee, 0x6f, 0xde, 0x5e, 
@@ -7706,12 +7937,53 @@ const RsaDecryptTestVector kRsa4096DecryptWycheproofVectors[] = { 0x20, 0x06, 0x22, 0x51, 0xe1, 0xa5, 0x70, 0xbe, 0x4a, 0x78, 0xe0, 0xcc, 0x59, 0x49, 0x57, 0x4d, 0xe7, 0x0b, 0xd4, 0x75}, priv_key_66, - false}, + true}, // Comment: signature padding // tcID: 22 {22, - {0x54, 0x65, 0x73, 0x74}, + // This is a Bleichenbacher synthetic generated result + {0xa8, 0xdc, 0x9d, 0xe7, 0xad, 0x8c, 0xc5, 0xee, 0x2c, 0xa7, 0x5b, 0x03, + 0xad, 0x27, 0xde, 0xdc, 0xfb, 0xc2, 0xa2, 0xed, 0x55, 0x3d, 0xe3, 0x63, + 0xa3, 0x73, 0x61, 0xb5, 0xcc, 0x4d, 0xbc, 0xd2, 0x16, 0xf1, 0x9c, 0x89, + 0xb6, 0xbb, 0x5b, 0x0d, 0x11, 0xb9, 0xef, 0xfb, 0x11, 0x13, 0xf7, 0x11, + 0xf7, 0xac, 0x57, 0x86, 0xb9, 0x86, 0x97, 0xea, 0xa5, 0xdb, 0x81, 0xa1, + 0x89, 0x46, 0xc3, 0xf2, 0xde, 0x5e, 0x09, 0xc3, 0x0d, 0xe4, 0x8d, 0x30, + 0x1d, 0xd8, 0xd0, 0xbf, 0x8d, 0xc6, 0x34, 0x77, 0xe2, 0x89, 0x9e, 0x5f, + 0x94, 0xf6, 0x1f, 0xbf, 0xb3, 0x7c, 0x6b, 0x3c, 0xc0, 0x19, 0x59, 0xcc, + 0xcb, 0xb5, 0xc3, 0x11, 0x46, 0x71, 0x48, 0xb3, 0x03, 0xe0, 0x89, 0x61, + 0x51, 0x18, 0x00, 0x03, 0xa6, 0x70, 0xb1, 0xf5, 0xb1, 0xe4, 0x26, 0x57, + 0x34, 0x17, 0x28, 0x54, 0xbc, 0x7a, 0x42, 0xf2, 0x41, 0x7a, 0x6d, 0x22, + 0x46, 0x1d, 0x3d, 0x77, 0xfb, 0x85, 0xf5, 0xf1, 0xdd, 0x1a, 0xbc, 0x29, + 0x6a, 0x8d, 0x73, 0x29, 0x74, 0x6d, 0x0b, 0x77, 0xf7, 0x06, 0xbe, 0xb2, + 0x40, 0xb7, 0x82, 0x90, 0x86, 0x3a, 0xa1, 0xa0, 0x5c, 0x80, 0xd1, 0x89, + 0x4b, 0x26, 0x05, 0xd1, 0x0e, 0xab, 0x4c, 0x67, 0x27, 0x49, 0xd1, 0xbd, + 0x63, 0x82, 0x74, 0x22, 0x4b, 0x75, 0xfa, 0x72, 0x99, 0x09, 0x53, 0xde, + 0xac, 0x75, 0x6a, 0x81, 0x42, 0x88, 0x95, 0xff, 0x2c, 0x34, 0x93, 0x5a, + 0xbe, 0x15, 0xe9, 0x09, 0x7c, 0x77, 0x49, 0x78, 0x27, 0xaf, 0x35, 0xdf, + 0x9a, 0x62, 0xd0, 0xd9, 0xae, 0x3f, 0xc3, 0x8a, 0x6b, 0x56, 0x42, 0x56, + 0x51, 0xea, 0xdd, 0xd2, 0x7e, 0xb4, 0x65, 0xcf, 0xec, 0x1c, 0x4b, 0x66, + 0xa8, 0xb5, 0xf3, 0x6b, 0x1a, 0xfb, 0xba, 0x01, 0x55, 0xec, 0xaf, 0x0a, + 0xb8, 0x8c, 0x99, 0x78, 0x22, 0x0c, 0x63, 0x8e, 0xdd, 0x8c, 0xcc, 
0x84, + 0x78, 0xb2, 0xe1, 0x55, 0x47, 0x16, 0xe7, 0x8f, 0xe0, 0xf8, 0xca, 0xa7, + 0x6f, 0x44, 0xc5, 0x49, 0xc7, 0xed, 0x0a, 0xd7, 0x06, 0x68, 0x1c, 0xa8, + 0x53, 0xf5, 0x9f, 0xbe, 0xf0, 0x29, 0x2f, 0x3d, 0x4a, 0xf1, 0x9a, 0x22, + 0x83, 0x32, 0x11, 0xf3, 0x33, 0x21, 0x35, 0x25, 0xef, 0x15, 0xbb, 0xf2, + 0x3b, 0x0a, 0xf0, 0xd6, 0xfa, 0xea, 0xd4, 0xa3, 0x44, 0x64, 0x31, 0x66, + 0x8c, 0xa7, 0xd6, 0xc0, 0x9e, 0x5c, 0x7e, 0x07, 0x8f, 0x05, 0xe6, 0xd0, + 0xdf, 0x35, 0x44, 0x65, 0xca, 0xcb, 0xad, 0x60, 0x81, 0xe8, 0x22, 0xe1, + 0x75, 0x37, 0x27, 0xe3, 0xcd, 0xc0, 0xd9, 0x6c, 0x56, 0x43, 0xca, 0xd5, + 0xb5, 0x12, 0xec, 0x5e, 0xab, 0xff, 0xa3, 0x5f, 0x98, 0x8d, 0x37, 0x84, + 0x50, 0x98, 0x09, 0xa8, 0x90, 0x15, 0xef, 0x1b, 0x88, 0xbf, 0x82, 0x94, + 0x20, 0xd7, 0x07, 0x14, 0x9e, 0x2a, 0x41, 0x7c, 0x36, 0xe1, 0x27, 0xee, + 0x52, 0x6b, 0xec, 0x0a, 0x6d, 0x81, 0x66, 0x11, 0x3b, 0x2a, 0xe1, 0x2e, + 0x8c, 0x24, 0xee, 0x48, 0x93, 0x21, 0x72, 0xd1, 0xad, 0xa7, 0x43, 0xad, + 0x4f, 0x77, 0xfd, 0x83, 0x63, 0xee, 0x34, 0xa2, 0xca, 0x35, 0x52, 0x80, + 0xc8, 0xa0, 0x64, 0xb6, 0x88, 0x6c, 0xfe, 0xcc, 0x17, 0x84, 0xf1, 0x14, + 0x2e, 0x6a, 0x55, 0xff, 0x85, 0xd2, 0x65, 0xeb, 0x25, 0xf9, 0x79, 0x54, + 0x55, 0x77, 0x9a, 0x04, 0xc7, 0xe3, 0x81, 0x27, 0x87, 0xf8, 0xa5, 0x8b, + 0x84, 0x5e, 0xfe, 0x5e, 0xeb, 0x5c, 0x96, 0x77, 0xef, 0x8f, 0xf3, 0xaf, + 0xff, 0x78, 0xa5, 0x00, 0x07, 0x2c, 0x87, 0x37, 0x5d}, {0xc1, 0xea, 0x62, 0x89, 0x1d, 0xb6, 0x99, 0xa2, 0xa0, 0x8e, 0xa5, 0xd0, 0x11, 0x80, 0xaf, 0xb7, 0x32, 0xb2, 0xb0, 0xce, 0x09, 0xd3, 0xd0, 0xa5, 0x8a, 0x73, 0xbb, 0x2b, 0xf1, 0x4f, 0x6b, 0xb7, 0xad, 0xd6, 0x66, 0x29, 
@@ -7756,12 +8028,27 @@ const RsaDecryptTestVector kRsa4096DecryptWycheproofVectors[] = { 0x03, 0x0c, 0xf4, 0xfb, 0x3e, 0x72, 0xf4, 0x5a, 0xe7, 0xe4, 0xaf, 0x23, 0xec, 0x51, 0x65, 0x29, 0x52, 0x45, 0xda, 0x32}, priv_key_66, - false}, + true}, // Comment: no zero after padding // tcID: 23 {23, - {0x54, 0x65, 0x73, 0x74}, + // This is a Bleichenbacher synthetic generated result + {0x9d, 0x9a, 0x9a, 0x8b, 0x03, 0x17, 0x79, 0xc8, 0x54, 0xa7, 0x1c, 0xbb, + 0x80, 0xa6, 0x31, 0xf6, 0x9f, 0x56, 0x1a, 0x67, 0xcd, 0x5e, 0xb5, 0x7b, + 0xfa, 0xee, 0x51, 0xba, 0xfa, 0x67, 0xf2, 0x7a, 0x18, 0x3b, 0xb7, 0xf5, + 0x0d, 0xd8, 0xed, 0xf3, 0xbd, 0xf6, 0xe2, 0x1d, 0x58, 0x61, 0x93, 0x86, + 0x9e, 0x75, 0x60, 0x3a, 0xb6, 0x4c, 0x73, 0xb0, 0x65, 0x0a, 0x0f, 0xcd, + 0x66, 0x1f, 0x2e, 0x23, 0xfb, 0xc9, 0xd4, 0x7f, 0x95, 0xae, 0x7a, 0xfe, + 0xc3, 0xc6, 0xd9, 0x29, 0x14, 0xda, 0x2f, 0x89, 0x09, 0xab, 0x7c, 0x87, + 0x6a, 0xd5, 0x92, 0x64, 0xf9, 0x77, 0x42, 0x4e, 0x63, 0xdf, 0xb0, 0xac, + 0xdf, 0xf8, 0x3f, 0x8d, 0x38, 0xc5, 0x08, 0x85, 0xa7, 0x03, 0x05, 0x61, + 0x8b, 0x9f, 0x10, 0xdd, 0xcf, 0xad, 0x27, 0x74, 0xa1, 0x1d, 0xfc, 0xf3, + 0xe0, 0xb3, 0xc6, 0x88, 0x5c, 0x94, 0x40, 0x44, 0xba, 0x08, 0xc4, 0x22, + 0xcf, 0xc9, 0x09, 0x55, 0x85, 0x8c, 0xb1, 0x38, 0x8a, 0x2a, 0xc7, 0xf4, + 0xdb, 0x31, 0x33, 0x90, 0xec, 0x77, 0x96, 0x55, 0xc0, 0x91, 0x83, 0xd9, + 0xfa, 0x48, 0x49, 0xc5, 0xe3, 0xf2, 0x08, 0x29, 0xe9, 0x5e, 0x04, 0xf1, + 0xaa, 0x3a, 0x4f, 0x27}, {0x80, 0xbb, 0x96, 0x27, 0xf3, 0x7e, 0xf2, 0xec, 0xcf, 0x2a, 0x82, 0x3f, 0xce, 0x1d, 0x31, 0x73, 0x59, 0xc8, 0x5b, 0x15, 0x4d, 0x49, 0xe7, 0xa4, 0xbf, 0x71, 0x23, 0x54, 0x44, 0x99, 0x36, 0xe1, 0xba, 0xb0, 0x33, 0x2a, 
@@ -7806,12 +8093,32 @@ const RsaDecryptTestVector kRsa4096DecryptWycheproofVectors[] = { 0x8f, 0x50, 0xa8, 0x0e, 0x7d, 0x49, 0xa1, 0x9e, 0xbd, 0x9a, 0xbb, 0x23, 0x9f, 0x6d, 0xee, 0x93, 0xa1, 0x82, 0xbe, 0x92}, priv_key_66, - false}, + true}, // Comment: no padding // tcID: 24 {24, - {0x54, 0x65, 0x73, 0x74}, + // This is a Bleichenbacher synthetic generated result + {0xc6, 0x07, 0xd2, 0x16, 0x2d, 0xe7, 0x23, 0x94, 0x24, 0x69, 0xf1, 0xc8, + 0x08, 0x6a, 0x45, 0x52, 0xa5, 0xa4, 0x09, 0x44, 0x1a, 0xb8, 0x23, 0x3b, + 0xb3, 0x10, 0xec, 0x3b, 0x53, 0x82, 0x8f, 0x12, 0x3b, 0x2d, 0x1a, 0x92, + 0x33, 0x82, 0x7b, 0x03, 0xba, 0x6b, 0xf8, 0xef, 0x74, 0x24, 0xaf, 0x52, + 0xa7, 0x67, 0xc4, 0x41, 0x54, 0x30, 0x16, 0x64, 0xdd, 0xc8, 0xff, 0x22, + 0x09, 0x8f, 0xe1, 0xd5, 0x33, 0x31, 0xf5, 0x9e, 0xc5, 0x7e, 0x06, 0xd2, + 0x45, 0x38, 0xff, 0xad, 0xd2, 0x0c, 0x9e, 0x4c, 0xf9, 0x13, 0xe5, 0xcf, + 0x56, 0x8e, 0xb9, 0xb0, 0xc4, 0xa0, 0x19, 0x5d, 0xa8, 0xcf, 0x81, 0x32, + 0x44, 0x68, 0xf7, 0x04, 0x33, 0x7a, 0x5b, 0xb7, 0xef, 0x49, 0xbb, 0xe2, + 0x7d, 0xaf, 0xd0, 0x15, 0x29, 0x9a, 0xed, 0xa7, 0x79, 0x02, 0x48, 0x62, + 0x52, 0x2c, 0x01, 0x4a, 0x67, 0xd0, 0x9f, 0x38, 0xb6, 0x6f, 0x3e, 0x0a, + 0x98, 0x93, 0x52, 0x78, 0x0e, 0x93, 0x56, 0x7e, 0x80, 0x92, 0x5c, 0x23, + 0xce, 0x72, 0x94, 0x99, 0xbb, 0x2d, 0x4c, 0xdd, 0x83, 0xfc, 0x5d, 0x52, + 0xa8, 0xca, 0xcb, 0x1e, 0x79, 0xd5, 0xb2, 0xaf, 0x9a, 0xde, 0x39, 0x51, + 0x9d, 0x52, 0x25, 0x3f, 0xe0, 0x71, 0xbb, 0x3c, 0x34, 0xe9, 0x59, 0x9a, + 0xb5, 0x81, 0x22, 0x1f, 0x1d, 0x8e, 0xd0, 0x0f, 0xc7, 0x84, 0xe8, 0x90, + 0x8c, 0x6f, 0x01, 0x71, 0x89, 0x02, 0x12, 0x2c, 0x80, 0xa7, 0x78, 0xe5, + 0x9a, 0xc1, 0x26, 0xc2, 0x25, 0xb8, 0xed, 0xec, 0xdf, 0x10, 0xe9, 0x2a, + 0x34, 0xe5, 0x32, 0xc6, 0xe7, 0x5c, 0xb4, 0x41, 0x0d, 0x6d, 0xff, 0xe1, + 0xc4, 0x3c}, {0x91, 0x7f, 0x64, 0x04, 0xf9, 0xaa, 0xd2, 0x8b, 0x2e, 0x68, 0xc5, 0xa6, 0xd8, 0xd8, 0x9d, 0x31, 0xa5, 0xd9, 0x63, 0xf5, 0x5c, 0x5b, 0x30, 0xe2, 0xe2, 0x32, 0x11, 0x82, 0x55, 0x9b, 0x9b, 0x42, 0x3d, 0x5c, 
0xca, 0xe8, @@ -7856,12 +8163,25 @@ const RsaDecryptTestVector kRsa4096DecryptWycheproofVectors[] = { 0x3f, 0x59, 0x45, 0xd2, 0x40, 0xb9, 0xb3, 0xb8, 0x58, 0x02, 0x83, 0x98, 0xb2, 0x71, 0xda, 0xd7, 0x15, 0xe7, 0xc7, 0x9e}, priv_key_66, - false}, + true}, // Comment: m = 2 // tcID: 25 {25, - {0x54, 0x65, 0x73, 0x74}, + // This is a Bleichenbacher synthetic generated result + {0x83, 0x11, 0x9b, 0x47, 0xb1, 0xce, 0xef, 0xa2, 0x99, 0xda, 0xa9, 0xc2, + 0x5f, 0x15, 0x2a, 0x4c, 0x28, 0x66, 0x6c, 0x70, 0x72, 0x7c, 0x71, 0x23, + 0x99, 0x06, 0xcd, 0xc1, 0xe9, 0xf3, 0x93, 0xc0, 0xec, 0x60, 0xfd, 0x2c, + 0x51, 0x10, 0xd7, 0x55, 0x70, 0x62, 0xa3, 0x99, 0x73, 0x59, 0xc4, 0x33, + 0x66, 0x2f, 0x9d, 0x8b, 0x6f, 0x4d, 0x4e, 0x47, 0xa6, 0xd2, 0x9d, 0x51, + 0xa5, 0xcf, 0x59, 0x86, 0x74, 0x31, 0xe8, 0xc2, 0x5a, 0xa3, 0xa4, 0x11, + 0x16, 0x0f, 0x99, 0xf3, 0x4f, 0x8e, 0x82, 0x08, 0xf3, 0x64, 0x46, 0xbb, + 0x0c, 0x8f, 0x7a, 0x58, 0xea, 0x54, 0xb2, 0xc3, 0x11, 0x89, 0xd4, 0xbe, + 0xcb, 0x51, 0xc3, 0x50, 0x72, 0x94, 0xca, 0xbb, 0xcd, 0xaa, 0x87, 0xbf, + 0x7f, 0xa1, 0x11, 0x0b, 0xa9, 0x5b, 0xe4, 0x7c, 0x83, 0x18, 0x76, 0xd8, + 0x43, 0x37, 0x91, 0xc1, 0x90, 0x23, 0x03, 0x67, 0x12, 0x28, 0x73, 0xc4, + 0x7c, 0xeb, 0x33, 0x26, 0x75, 0x8e, 0x1c, 0x29, 0x51, 0xbb, 0xbe, 0xb6, + 0xaa, 0x42, 0xe7, 0x0a, 0x49, 0x68, 0x65}, {0xe1, 0x14, 0xae, 0x9a, 0x71, 0x3e, 0x4c, 0xad, 0xce, 0x8b, 0xdc, 0x80, 0x66, 0x7f, 0x94, 0xaa, 0x59, 0x77, 0x88, 0xd8, 0xff, 0xef, 0x3b, 0xa7, 0x4e, 0xfc, 0xb8, 0xf8, 0xa2, 0x72, 0x20, 0x63, 0x94, 0x72, 0xe1, 0x57, 
@@ -7906,12 +8226,24 @@ const RsaDecryptTestVector kRsa4096DecryptWycheproofVectors[] = { 0x2d, 0x40, 0x86, 0xf1, 0xea, 0x8e, 0x22, 0xab, 0xa3, 0xa9, 0x30, 0x25, 0x88, 0x61, 0xcb, 0x8f, 0x26, 0x85, 0x3d, 0xba}, priv_key_66, - false}, + true}, // Comment: m = n-2 // tcID: 26 {26, - {0x54, 0x65, 0x73, 0x74}, + // This is a Bleichenbacher synthetic generated result + {0x46, 0x9e, 0xf3, 0x79, 0x73, 0x31, 0xba, 0xd6, 0x02, 0x6b, 0xc6, 0x5f, + 0xa5, 0x4a, 0x7a, 0xd7, 0x0b, 0xe3, 0x05, 0xbf, 0x23, 0x93, 0x75, 0xb9, + 0x51, 0x28, 0xf5, 0xca, 0xb2, 0xc7, 0x81, 0x8d, 0xda, 0x54, 0xdd, 0x15, + 0x54, 0x7c, 0xaa, 0x1b, 0x1f, 0x1a, 0xcc, 0x06, 0x00, 0x5d, 0xc8, 0x13, + 0xc6, 0x2f, 0x6c, 0x22, 0x9b, 0x6d, 0xff, 0x45, 0x01, 0xb1, 0xbe, 0x3d, + 0xc2, 0x89, 0x33, 0xec, 0x2c, 0x49, 0x6b, 0xdb, 0x23, 0xa2, 0xb0, 0xf4, + 0xa4, 0x49, 0x5f, 0x12, 0x93, 0x6b, 0x4b, 0x3b, 0x36, 0xd6, 0xef, 0x3b, + 0x00, 0xc8, 0x16, 0xcb, 0x90, 0xfa, 0x62, 0x0c, 0xa3, 0x1e, 0xc0, 0xaa, + 0xf6, 0x84, 0x79, 0x24, 0xc7, 0xc7, 0x87, 0x69, 0x02, 0xd8, 0xd8, 0x51, + 0xa5, 0xcf, 0x57, 0x20, 0xed, 0x92, 0x57, 0xbf, 0x8a, 0x4a, 0x5f, 0x0a, + 0x9b, 0xf0, 0x42, 0x5e, 0x17, 0x38, 0x73, 0x29, 0xb8, 0x8c, 0x6e, 0x69, + 0xa6, 0x2e, 0x67, 0x88, 0x04, 0x73}, {0x14, 0xed, 0x0f, 0x73, 0x5b, 0x91, 0xfd, 0xf6, 0x3c, 0x87, 0x17, 0x71, 0x2b, 0x2e, 0x83, 0x17, 0xa0, 0x51, 0x37, 0xdd, 0x8e, 0x8b, 0x3c, 0x39, 0xfc, 0xe5, 0xa3, 0x43, 0xd6, 0x95, 0xaa, 0xb9, 0x9f, 0x34, 0x0d, 0xea, 
@@ -7956,12 +8288,32 @@ const RsaDecryptTestVector kRsa4096DecryptWycheproofVectors[] = { 0x31, 0xfe, 0x47, 0x44, 0x0d, 0xaf, 0x40, 0xc2, 0x19, 0x2c, 0x7b, 0xce, 0xfc, 0xd8, 0x39, 0x8e, 0x92, 0xc8, 0x12, 0x8b}, priv_key_66, - false}, + true}, // Comment: c = 0 // tcID: 27 {27, - {0x54, 0x65, 0x73, 0x74}, + // This is a Bleichenbacher synthetic generated result + {0xff, 0xc3, 0xee, 0x0f, 0x71, 0x4b, 0xb1, 0x7e, 0x0e, 0x1a, 0x51, 0x99, + 0x32, 0xd8, 0x0f, 0xbf, 0x0a, 0x35, 0x4f, 0xdf, 0xb1, 0x55, 0xfe, 0xe5, + 0x35, 0x9d, 0xb1, 0x84, 0x95, 0x14, 0x79, 0x00, 0xdd, 0x0a, 0xd2, 0x93, + 0xe3, 0xb4, 0x4d, 0x58, 0x0c, 0x36, 0xd7, 0xd3, 0x40, 0x06, 0xeb, 0x3c, + 0x50, 0xf7, 0x88, 0x78, 0x52, 0x88, 0x74, 0xfc, 0xc0, 0x4f, 0x3d, 0x19, + 0xd5, 0x33, 0xbf, 0x11, 0xcb, 0xcf, 0xe7, 0x38, 0xc1, 0x89, 0xa4, 0xc2, + 0xb5, 0xce, 0x33, 0x2a, 0x26, 0xa3, 0xbc, 0x4a, 0x4f, 0xe9, 0xfd, 0x6d, + 0x35, 0x5b, 0xa2, 0x40, 0xf5, 0x88, 0x7c, 0xef, 0xd6, 0x68, 0xa3, 0x9f, + 0x44, 0x28, 0xef, 0x95, 0x6c, 0xc3, 0xb8, 0xe2, 0xfc, 0x21, 0xa2, 0x76, + 0xdb, 0x75, 0x91, 0x67, 0xa7, 0x8a, 0x3d, 0x06, 0x11, 0x23, 0x39, 0xd3, + 0xbd, 0xe5, 0x62, 0xb8, 0x2d, 0xf7, 0x8b, 0x7c, 0x51, 0xd1, 0x31, 0x41, + 0xba, 0x19, 0xa8, 0xa8, 0x83, 0x93, 0xb5, 0x22, 0x3e, 0x95, 0x2d, 0xdf, + 0xe8, 0x63, 0xb5, 0xee, 0x89, 0x19, 0xd0, 0x1d, 0xcf, 0x55, 0x63, 0x7b, + 0x84, 0x49, 0x6a, 0xf6, 0x5b, 0x35, 0xdf, 0xb7, 0x43, 0x75, 0xbf, 0xd9, + 0x3a, 0x7c, 0x56, 0x21, 0x06, 0x59, 0x25, 0x46, 0x6d, 0xd6, 0xf8, 0xb3, + 0x82, 0x0c, 0x66, 0x23, 0xda, 0x37, 0xa6, 0x3f, 0x79, 0x6a, 0xd6, 0x95, + 0xaa, 0xb0, 0x04, 0xff, 0x8e, 0x27, 0xa8, 0x6d, 0x89, 0xd1, 0xf4, 0x8e, + 0xc9, 0x9a, 0xb9, 0x87, 0x82, 0x13, 0xfe, 0x77, 0x1b, 0xd9, 0xdc, 0x80, + 0x48, 0x21, 0x00, 0x5d, 0xa8, 0x3e, 0x3c, 0x28, 0x13, 0x98, 0x2b, 0xf5, + 0x0e, 0x7f, 0x8d, 0x32}, {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, @@ -8006,12 +8358,23 @@ const RsaDecryptTestVector kRsa4096DecryptWycheproofVectors[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, priv_key_66, - false}, + true}, // Comment: c = 1 // tcID: 28 {28, - {0x54, 0x65, 0x73, 0x74}, + // This is a Bleichenbacher synthetic generated result + {0x74, 0xb2, 0x05, 0x5d, 0x73, 0x55, 0x62, 0x2e, 0x93, 0xc7, 0x91, 0xf0, + 0xc3, 0x20, 0x00, 0x25, 0xb9, 0x12, 0x86, 0x16, 0xea, 0x3a, 0x95, 0x2e, + 0x41, 0xa4, 0xd6, 0x68, 0x6b, 0xfb, 0x0c, 0x70, 0xcc, 0x56, 0x80, 0xdf, + 0x7e, 0x7e, 0x22, 0x9f, 0x06, 0x39, 0x08, 0xec, 0xc3, 0x30, 0x07, 0x10, + 0x6f, 0x62, 0x8c, 0x05, 0x59, 0xa6, 0xfd, 0x87, 0xdc, 0xb3, 0xce, 0x7f, + 0x9d, 0xc1, 0xc1, 0x1a, 0xf7, 0xb3, 0x46, 0x9e, 0xac, 0xfe, 0x41, 0x50, + 0x0d, 0x06, 0xf6, 0x27, 0x67, 0x97, 0xde, 0x26, 0xe6, 0x17, 0x01, 0xf8, + 0x6c, 0x41, 0xe0, 0x66, 0xaa, 0xe9, 0x3b, 0x43, 0x61, 0xeb, 0xd0, 0xfd, + 0x0b, 0xab, 0x1c, 0x8e, 0x21, 0x50, 0xff, 0xc1, 0x7f, 0x33, 0xe0, 0x7b, + 0x7f, 0xec, 0xee, 0xa0, 0x86, 0x7a, 0x57, 0x63, 0x42, 0x30, 0xf6, 0xb9, + 0x3c, 0x82, 0x5b, 0x24, 0x65, 0x75, 0x4c, 0xfa}, {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
@@ -8056,12 +8419,38 @@ const RsaDecryptTestVector kRsa4096DecryptWycheproofVectors[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}, priv_key_66, - false}, + true}, // Comment: c = n-1 // tcID: 29 {29, - {0x54, 0x65, 0x73, 0x74}, + // This is a Bleichenbacher synthetic generated result + {0xa2, 0xa6, 0x74, 0x8f, 0x27, 0x2c, 0x28, 0x3c, 0xb4, 0xe3, 0x39, 0x6b, + 0xc4, 0xd6, 0x55, 0x06, 0xbc, 0xdb, 0x8d, 0x25, 0x6a, 0x75, 0x8c, 0x0b, + 0xc0, 0xa5, 0xc9, 0x85, 0xba, 0x71, 0x62, 0x2f, 0x88, 0x9d, 0xd1, 0x1e, + 0x47, 0x03, 0xb5, 0x0e, 0xff, 0x43, 0x90, 0xda, 0xcd, 0x85, 0x7c, 0x30, + 0xad, 0xa1, 0x47, 0x0f, 0xbe, 0x07, 0x6e, 0xcd, 0xbc, 0x60, 0x88, 0xb3, + 0x1a, 0x2b, 0xce, 0x12, 0x30, 0x95, 0xea, 0x46, 0x91, 0x86, 0xee, 0x0f, + 0x8d, 0x39, 0x73, 0xb6, 0xbb, 0x2e, 0x67, 0x87, 0x73, 0x2c, 0x1b, 0x50, + 0x65, 0xa3, 0xbf, 0x32, 0x85, 0x2e, 0x2f, 0x5d, 0xd1, 0x93, 0xa8, 0x9c, + 0xc2, 0xe4, 0x32, 0x07, 0x9d, 0x1c, 0x85, 0xb2, 0x5b, 0x75, 0xd6, 0x52, + 0x9f, 0x64, 0x37, 0x50, 0xa2, 0x8a, 0x78, 0x88, 0x09, 0x0a, 0x19, 0xd5, + 0x6d, 0x33, 0x96, 0x01, 0x4e, 0xd9, 0x64, 0x06, 0xc7, 0xc6, 0x55, 0x51, + 0x4e, 0x93, 0x95, 0x05, 0x9a, 0xb3, 0xee, 0xeb, 0xe5, 0xe1, 0xea, 0xe4, + 0xe1, 0x82, 0x0a, 0xe3, 0xe1, 0x05, 0xd1, 0xf0, 0x9a, 0xe8, 0xc8, 0xe9, + 0xb6, 0x57, 0x78, 0x61, 0x3d, 0x2c, 0x53, 0x9c, 0x8e, 0x57, 0x21, 0x56, + 0xa3, 0x16, 0x26, 0x1a, 0x85, 0x9c, 0xa9, 0x7d, 0x80, 0x18, 0x80, 0xf4, + 0x0f, 0x60, 0x4d, 0xed, 0xdb, 0xfb, 0x0a, 0x4e, 0x6c, 0xd4, 0x51, 0x5b, + 0x9c, 0xfa, 0xa8, 0xb0, 0xda, 0x6a, 0x29, 0x39, 0xa1, 0x9c, 0xa5, 0xb0, + 0xc2, 0x86, 0xd3, 0xb0, 0x75, 0xa7, 0xaf, 0x9a, 0x2e, 0x38, 0x9a, 0x73, + 0xe3, 0x67, 0xab, 0xf2, 0xd5, 0x60, 0xd9, 0xcc, 0x50, 0x56, 0x58, 0x5d, + 0xce, 0x45, 0x48, 0x81, 0x30, 0x4e, 0x69, 0x45, 0x78, 0x8d, 0x9c, 0xa3, + 0xb1, 0x21, 0xac, 0x26, 0xf7, 0xe3, 0xca, 0xad, 0x8c, 0xb5, 0x8d, 0x64, + 0xbb, 0x6e, 0x4b, 0x75, 0x13, 0xf5, 0x1e, 0x5c, 0x75, 0x29, 0xaf, 0x30, + 
0x23, 0x89, 0x5f, 0x03, 0x19, 0xba, 0xaf, 0x7c, 0x38, 0xd3, 0x64, 0x7c, + 0x9b, 0xbf, 0xa3, 0xce, 0x33, 0x29, 0xcb, 0x9c, 0x87, 0x7e, 0x59, 0xef, + 0x49, 0xe4, 0xde, 0x10, 0x4b, 0x20, 0xbe, 0xa0, 0xc8, 0x37, 0x67, 0x11, + 0xba, 0xa2, 0x7f, 0x6e, 0x0f, 0xb5}, {0xf6, 0x01, 0xbe, 0x0d, 0xcc, 0xd0, 0x4a, 0xa4, 0x0b, 0x12, 0xf3, 0xf1, 0x91, 0xae, 0x17, 0xc1, 0xf9, 0xc8, 0xc0, 0xb6, 0x8e, 0x7a, 0x77, 0xe1, 0x4b, 0xe2, 0x5c, 0x3c, 0x79, 0x07, 0xcb, 0x1d, 0x33, 0xa6, 0xef, 0x41, @@ -8106,7 +8495,7 @@ const RsaDecryptTestVector kRsa4096DecryptWycheproofVectors[] = { 0x5f, 0x3e, 0xce, 0x35, 0xf8, 0x3d, 0x63, 0x6d, 0xbc, 0xd5, 0xab, 0xf4, 0x85, 0x3a, 0x05, 0x1d, 0xb9, 0x4d, 0x50, 0x44}, priv_key_66, - false}, + true}, // Comment: ciphertext is empty // tcID: 30 
@@ -10034,48 +10423,24 @@ const RsaDecryptTestVector kRsa4096DecryptWycheproofVectors[] = { // Comment: edge case for montgomery reduction with special primes // tcID: 57 {57, - {0xe7, 0x6e, 0x5a, 0xfe, 0xd8, 0x6d, 0xf0, 0x19, 0x22, 0x63, 0x29, 0xb0, - 0x40, 0x16, 0xeb, 0x6b, 0x10, 0x1e, 0x9b, 0xcf, 0x2f, 0x7b, 0x34, 0xbe, - 0x04, 0xcf, 0xdb, 0x34, 0x38, 0x98, 0xd4, 0xf8, 0xa7, 0x3b, 0xb5, 0xdf, - 0xa6, 0xb9, 0xf6, 0xbc, 0xf1, 0xb8, 0x34, 0x74, 0xea, 0x1c, 0xf1, 0xc0, - 0x89, 0x13, 0x1d, 0x97, 0x6b, 0x90, 0x64, 0x71, 0x75, 0x49, 0x6a, 0x4c, - 0xf9, 0x4a, 0x75, 0xb0, 0x8a, 0x0b, 0x2f, 0xad, 0xe4, 0x57, 0x92, 0xd6, - 0x5b, 0x7a, 0x98, 0xb1, 0x65, 0x07, 0xc3, 0x3c, 0x10, 0x8a, 0xf2, 0x4b, - 0xde, 0x91, 0xb7, 0xdf, 0x28, 0x8b, 0x89, 0x93, 0x95, 0x1c, 0x34, 0x6e, - 0x25, 0x74, 0x86, 0x7c, 0xdb, 0x1c, 0xd5, 0xdb, 0x39, 0xf0, 0x04, 0x1e, - 0x0d, 0x09, 0x05, 0x43, 0xd5, 0x13, 0x18, 0xed, 0xb5, 0x2f, 0x3b, 0x92, - 0x26, 0x13, 0x48, 0xa2, 0x1b, 0x46, 0x50, 0xcb, 0x56, 0xf0, 0x05, 0xa3, - 0x2a, 0x3e, 0x39, 0xf5, 0x76, 0xc2, 0x47, 0x87, 0x39, 0xf9, 0x7c, 0xed, - 0xf7, 0x30, 0x1c, 0x39, 0xeb, 0xef, 0xbb, 0xe4, 0xd5, 0x10, 0xaa, 0x59, - 0x7f, 0x4b, 0x00, 0x49, 0xf8, 0xa5, 0xe8, 0x8b, 0xe7, 0xb6, 0x6b, 0x97, - 0x79, 0x65, 0x51, 0xdb, 0x30, 0xfb, 0x14, 0x64, 0x9a, 0x4a, 0x2d, 0x9d, - 0xce, 0x4a, 0x69, 0x31, 0x9f, 0x39, 0xe5, 0xab, 0x86, 0xdc, 0xd1, 0x0b, - 0x08, 0xcf, 0xee, 0x31, 0x2a, 0xb1, 0x7d, 0x59, 0xe2, 0x91, 0x8b, 0xe1, - 0x2c, 0xa1, 0x93, 0x9e, 0x44, 0x4c, 0xb2, 0x0d, 0x5a, 0xfa, 0x37, 0xaa, - 0x02, 0xd2, 0x3e, 0x54, 0x11, 0x03, 0xae, 0xd8, 0x0a, 0x76, 0xf2, 0xcc, - 0xff, 0x76, 0x36, 0xaa, 0x1d, 0xf8, 0x79, 0x8c, 0xa5, 0x7f, 0x2d, 0x11, - 0x07, 0x5b, 0x3f, 0xed, 0x23, 0x87, 0x87, 0x3e, 0x41, 0x80, 0xa6, 0xde, - 0x99, 0x14, 0xbd, 0xfa, 0xe3, 0x66, 0xca, 0xf8, 0x90, 0x37, 0x10, 0x5d, - 0x53, 0x21, 0x02, 0xa7, 0x10, 0x02, 0x68, 0xc8, 0x7e, 0x9f, 0x79, 0x19, - 0x86, 0x4c, 0x64, 0x04, 0xd4, 0x9c, 0x30, 0x8f, 0x53, 0xdd, 0x40, 0xc4, - 0xf2, 0xc4, 0x21, 0x6b, 0x5e, 0x0c, 0x13, 
0x1f, 0x1a, 0x97, 0x8b, 0xac, - 0x16, 0xa2, 0xc7, 0xb3, 0xee, 0x62, 0x12, 0xfb, 0x17, 0xe4, 0x2e, 0xe6, - 0x9b, 0x33, 0x94, 0xe2, 0xc0, 0x72, 0x64, 0xda, 0x95, 0x4b, 0x32, 0x2d, - 0xf4, 0x2a, 0xac, 0x99, 0x9e, 0x50, 0x32, 0xba, 0xb4, 0xe2, 0x51, 0x18, - 0x58, 0xc8, 0x30, 0x95, 0x4e, 0x61, 0xcb, 0xa0, 0x87, 0xa0, 0x6c, 0x94, - 0xa9, 0x3e, 0x69, 0x30, 0x81, 0xa7, 0x06, 0xa4, 0xe0, 0xa2, 0xb9, 0xce, - 0xe5, 0xc3, 0x6f, 0x94, 0x18, 0x66, 0xdf, 0xe6, 0xd8, 0x01, 0xe9, 0x66, - 0x0e, 0x8b, 0xab, 0x8d, 0x6f, 0x17, 0x5a, 0x26, 0x37, 0x09, 0xa7, 0xed, - 0x26, 0x6f, 0xd1, 0x35, 0x0e, 0xf8, 0x8b, 0x4a, 0xb9, 0x13, 0xc1, 0x39, - 0x9d, 0x69, 0x3c, 0x8e, 0x79, 0xde, 0xca, 0x2c, 0xe3, 0x5d, 0xee, 0x6a, - 0xc1, 0xab, 0x1c, 0xe6, 0x6f, 0x8f, 0xd1, 0x2b, 0x62, 0xae, 0x98, 0x0e, - 0x2c, 0x8f, 0xf7, 0x52, 0x87, 0xcc, 0x0b, 0x5d, 0xe2, 0xda, 0x59, 0x2b, - 0xbe, 0x36, 0x74, 0x50, 0xab, 0x9c, 0x75, 0xee, 0xca, 0x6e, 0xeb, 0x2d, - 0xcf, 0xd2, 0x9f, 0x74, 0x86, 0x3c, 0xf8, 0xb9, 0x6e, 0x9c, 0x97, 0x9d, - 0xa7, 0xb2, 0x49, 0x82, 0x60, 0x8f, 0xcf, 0xb1, 0xbd, 0x7c, 0x20, 0x64, - 0xd1, 0x52, 0x04, 0xff, 0x67, 0x89, 0x79, 0xae, 0xcf, 0x68, 0x66, 0x0b, - 0x6c, 0x55, 0xaa, 0xbf, 0x06, 0xd4, 0xb3, 0x6d, 0xc2, 0xde, 0xac, 0x17, - 0x2c, 0xba, 0xe6, 0xc7, 0xb6, 0x8d, 0xa1, 0x08, 0xcf, 0x0b}, + // This is a Bleichenbacher synthetic generated result + {0x63, 0x3c, 0x2d, 0x5d, 0xb9, 0x4c, 0x7b, 0x8f, 0xc2, 0x91, 0x1d, 0xe0, + 0xbd, 0x85, 0x7d, 0x5e, 0x9a, 0xd8, 0xe6, 0x67, 0x3c, 0xf9, 0x88, 0x4a, + 0x68, 0x37, 0x92, 0x4f, 0x56, 0xf1, 0xec, 0x7f, 0x8c, 0x2a, 0xd0, 0xdd, + 0x30, 0xd9, 0x6f, 0x7f, 0x6b, 0x0e, 0xe8, 0x8b, 0x65, 0x65, 0x92, 0xba, + 0xa4, 0x38, 0xda, 0x60, 0x5a, 0x61, 0x38, 0x48, 0xd2, 0xda, 0x2a, 0xec, + 0x32, 0x99, 0x39, 0x5f, 0x4b, 0x9c, 0x70, 0xff, 0x63, 0x44, 0x5f, 0x83, + 0x07, 0x1e, 0xae, 0x8a, 0xc7, 0xe9, 0x22, 0x88, 0x6d, 0xeb, 0xca, 0x4c, + 0xb4, 0xf1, 0xfc, 0x05, 0x6d, 0x75, 0x7b, 0x4a, 0x04, 0x4e, 0xe1, 0xec, + 0x40, 0x26, 0x30, 0xc8, 0x4b, 0x2b, 0xad, 0x52, 0x02, 0x23, 0xd8, 
0xd5, + 0x89, 0x1c, 0x4e, 0x88, 0xb4, 0xe0, 0x0a, 0x0f, 0x0b, 0xef, 0x44, 0x83, + 0x35, 0xda, 0x7d, 0xbc, 0xf8, 0xbb, 0x6d, 0x1c, 0x2a, 0xaf, 0x7f, 0xf2, + 0xe8, 0x22, 0x15, 0xef, 0xc2, 0x39, 0xcd, 0xaa, 0x77, 0xa9, 0x8a, 0x89, + 0x87, 0x8d, 0x37, 0xb7, 0xc0, 0xb9, 0x75, 0x2d, 0x03, 0x2f, 0x33, 0xe5, + 0x8b, 0x46, 0x59, 0xb8, 0x2a, 0x96, 0xc7, 0x21, 0xa6, 0xcb, 0xab, 0x5a, + 0xde, 0x1a, 0x6b, 0xc0, 0x20, 0xf2, 0xd0, 0xc8, 0xb5, 0x5c, 0xd4, 0x7a, + 0xbf, 0xcb, 0xb7, 0x6b, 0x11, 0xf7, 0x89, 0xa3, 0x65, 0xa3, 0x42, 0xce, + 0x59, 0x01, 0x75}, {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, @@ -10120,7 +10485,7 @@ const RsaDecryptTestVector kRsa4096DecryptWycheproofVectors[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}, priv_key_90, - false}, + true}, // Comment: edge case for montgomery reduction with special primes // tcID: 58 diff --git a/gtests/freebl_gtest/Makefile b/gtests/freebl_gtest/Makefile new file mode 100644 index 0000000000..0d547e0803 --- /dev/null +++ b/gtests/freebl_gtest/Makefile 
@@ -0,0 +1,43 @@ +#! gmake +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +####################################################################### +# (1) Include initial platform-independent assignments (MANDATORY). # +####################################################################### + +include manifest.mn + +####################################################################### +# (2) Include "global" configuration information. (OPTIONAL) # +####################################################################### + +include $(CORE_DEPTH)/coreconf/config.mk + +####################################################################### +# (3) Include "component" configuration information. (OPTIONAL) # +####################################################################### + + +####################################################################### +# (4) Include "local" platform-dependent assignments (OPTIONAL). # +####################################################################### + +include ../common/gtest.mk + +####################################################################### +# (5) Execute "global" rules. (OPTIONAL) # +####################################################################### + +include $(CORE_DEPTH)/coreconf/rules.mk + +####################################################################### +# (6) Execute "component" rules. (OPTIONAL) # +####################################################################### + + +####################################################################### +# (7) Execute "local" rules. (OPTIONAL). # +####################################################################### diff --git a/gtests/freebl_gtest/manifest.mn b/gtests/freebl_gtest/manifest.mn new file mode 100644 index 0000000000..08a510bcae --- /dev/null +++ b/gtests/freebl_gtest/manifest.mn 
@@ -0,0 +1,38 @@ +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +CORE_DEPTH = ../.. +DEPTH = ../.. +MODULE = nss + +# we'll need to figure out how to get these symbols linked +# in before we include these tests: +# mpi_unittest.cc +# ghash_unittest.cc +CPPSRCS = \ + dh_unittest.cc \ + ecl_unittest.cc \ + rsa_unittest.cc \ + cmac_unittests.cc \ + $(NULL) + +DEFINES += -DDLL_PREFIX=\"$(DLL_PREFIX)\" -DDLL_SUFFIX=\"$(DLL_SUFFIX)\" + +INCLUDES += -I$(CORE_DEPTH)/gtests/google_test/gtest/include \ + -I$(CORE_DEPTH)/lib/freebl/ecl \ + -I$(CORE_DEPTH)/lib/freebl/mpi \ + -I$(CORE_DEPTH)/lib/freebl \ + -I$(CORE_DEPTH)/gtests/common \ + -I$(CORE_DEPTH)/cpputil + +REQUIRES = nspr nss libdbm gtest cpputil + +PROGRAM = freebl_gtest + +EXTRA_LIBS = $(DIST)/lib/$(LIB_PREFIX)gtest.$(LIB_SUFFIX) \ + $(DIST)/lib/$(LIB_PREFIX)cpputil.$(LIB_SUFFIX) \ + $(DIST)/lib/$(LIB_PREFIX)gtestutil.$(LIB_SUFFIX) \ + $(NULL) + +USE_STATIC_LIBS=1 diff --git a/gtests/freebl_gtest/rsa_unittest.cc b/gtests/freebl_gtest/rsa_unittest.cc index 9a6a9c11fd..cac685c7ec 100644 --- a/gtests/freebl_gtest/rsa_unittest.cc +++ b/gtests/freebl_gtest/rsa_unittest.cc 
@@ -78,18 +78,22 @@ TEST_F(RSATest, DecryptBlockTestErrors) { uint8_t in[256] = {0}; // This should fail because the padding checks will fail. + // however, Bleichenbacher preventions means that failure would be + // a different output. rv = RSA_DecryptBlock(key.get(), out, &outputLen, maxOutputLen, in, sizeof(in)); - EXPECT_EQ(SECFailure, rv); - // outputLen should be maxOutputLen. - EXPECT_EQ(maxOutputLen, outputLen); + EXPECT_EQ(SECSuccess, rv); + // outputLen should <= 256-11=245. + EXPECT_LE(outputLen, 245u); // This should fail because the padding checks will fail. + // however, Bleichenbacher preventions means that failure would be + // a different output. uint8_t out_long[260] = {0}; maxOutputLen = sizeof(out_long); rv = RSA_DecryptBlock(key.get(), out_long, &outputLen, maxOutputLen, in, sizeof(in)); - EXPECT_EQ(SECFailure, rv); + EXPECT_EQ(SECSuccess, rv); // outputLen should <= 256-11=245. EXPECT_LE(outputLen, 245u); // Everything over 256 must be 0 in the output. diff --git a/gtests/manifest.mn b/gtests/manifest.mn index 97c9ef1611..19e50ee6bb 100644 --- a/gtests/manifest.mn +++ b/gtests/manifest.mn @@ -27,6 +27,7 @@ NSS_SRCDIRS = \ certhigh_gtest \ cryptohi_gtest \ der_gtest \ + freebl_gtest \ pk11_gtest \ smime_gtest \ softoken_gtest \ diff --git a/gtests/pk11_gtest/pk11_rsaencrypt_unittest.cc b/gtests/pk11_gtest/pk11_rsaencrypt_unittest.cc index ea31c48cb9..1b312027f3 100644 --- a/gtests/pk11_gtest/pk11_rsaencrypt_unittest.cc +++ b/gtests/pk11_gtest/pk11_rsaencrypt_unittest.cc @@ -13,6 +13,7 @@ #include "nss.h" #include "nss_scoped_ptrs.h" #include "pk11pub.h" +#include "databuffer.h" #include "testvectors/rsa_pkcs1_2048_test-vectors.h" #include "testvectors/rsa_pkcs1_3072_test-vectors.h" 
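Review bot: DecryptBlockTestErrors in gtests/freebl_gtest/rsa_unittest.cc now checks only that a padding failure returns SECSuccess with outputLen <= 245; it never checks that the returned bytes are deterministic for the same key and ciphertext, which is the property the synthetic-message scheme depends on. Decrypting the same all-zero `in` a second time into a fresh buffer and comparing length and bytes against `out_long` would pin that down. The two retained comments still read "This should fail" directly above `EXPECT_EQ(SECSuccess, rv)`, so rewording them to say that invalid padding yields a synthetic message would avoid confusion. The test body starts before and continues after this hunk.

```cpp
  // … unchanged: second RSA_DecryptBlock call into out_long and its checks …
  // Same key and ciphertext must yield the same synthetic plaintext.
  uint8_t out_repeat[260] = {0};
  unsigned int repeatLen = 0;
  rv = RSA_DecryptBlock(key.get(), out_repeat, &repeatLen, sizeof(out_repeat),
                        in, sizeof(in));
  EXPECT_EQ(SECSuccess, rv);
  EXPECT_EQ(outputLen, repeatLen);
  EXPECT_EQ(0, memcmp(out_long, out_repeat, sizeof(out_long)));
```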
@@ -44,13 +45,15 @@ class RsaDecryptWycheproofTest rv = PK11_PrivDecryptPKCS1(priv_key.get(), decrypted.data(), &decrypted_len, decrypted.size(), vec.ct.data(), vec.ct.size()); - // RSA_DecryptBlock returns SECFailure with an empty message. - if (vec.valid && vec.msg.size()) { + if (vec.valid) { EXPECT_EQ(SECSuccess, rv); decrypted.resize(decrypted_len); EXPECT_EQ(vec.msg, decrypted); } else { - EXPECT_EQ(SECFailure, rv); + DataBuffer::SetLogLimit(512); + decrypted.resize(decrypted_len); + EXPECT_EQ(SECFailure, rv) + << "Returned:" << DataBuffer(decrypted.data(), decrypted.size()); } }; }; diff --git a/gtests/pk11_gtest/pk11_rsaoaep_unittest.cc b/gtests/pk11_gtest/pk11_rsaoaep_unittest.cc index 9d329aaafd..2e80e6a384 100644 --- a/gtests/pk11_gtest/pk11_rsaoaep_unittest.cc +++ b/gtests/pk11_gtest/pk11_rsaoaep_unittest.cc 
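Review bot: In the expected-failure branch of RsaDecryptWycheproofTest, `decrypted.resize(decrypted_len)` runs before the status is checked, so when PK11_PrivDecryptPKCS1 returns SECFailure the vector is resized to whatever `decrypted_len` happens to hold. Its declaration is outside the hunk; if it is not initialised, or the call leaves it untouched on failure, the resize uses an indeterminate size. The buffer is only needed for the diagnostic printed on an unexpected success, so the resize can be guarded: `if (rv == SECSuccess) { decrypted.resize(decrypted_len); }`.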
@@ -157,11 +157,32 @@ TEST(Pkcs11RsaOaepTest, TestOaepWrapUnwrap) { PK11SymKey* p_unwrapped_tmp = nullptr; - // This fails because this method is broken and assumes CKM_RSA_PKCS and - // doesn't understand OAEP. + // Extract key's value in order to validate decryption worked. + rv = PK11_ExtractKeyValue(to_wrap.get()); + ASSERT_EQ(rv, SECSuccess); + + // References owned by PKCS#11 layer; no need to scope and free. + SECItem* expectedItem = PK11_GetKeyData(to_wrap.get()); + + // This assumes CKM_RSA_PKCS and doesn't understand OAEP. + // CKM_RSA_PKCS cannot safely return errors, however, as it can lead + // to Blecheinbaucher-like attacks. To solve this there's a new definition + // that generates fake key material based on the message and private key. + // This returned key material will not be the key we were expecting, so + // make sure that's the case: p_unwrapped_tmp = PK11_PubUnwrapSymKey(priv.get(), wrapped.get(), CKM_AES_CBC, CKA_DECRYPT, 16); - ASSERT_EQ(p_unwrapped_tmp, nullptr); + // as long as the wrapped data is legal RSA length of the key + // (which is should be), then CKM_RSA_PKCS should not fail. + ASSERT_NE(p_unwrapped_tmp, nullptr); + ScopedPK11SymKey fakeUnwrapped; + fakeUnwrapped.reset(p_unwrapped_tmp); + rv = PK11_ExtractKeyValue(fakeUnwrapped.get()); + ASSERT_EQ(rv, SECSuccess); + + // References owned by PKCS#11 layer; no need to scope and free. + SECItem* fakeItem = PK11_GetKeyData(fakeUnwrapped.get()); + ASSERT_NE(SECITEM_CompareItem(fakeItem, expectedItem), 0); ScopedPK11SymKey unwrapped; p_unwrapped_tmp = PK11_PubUnwrapSymKeyWithMechanism( 
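Review bot: `ASSERT_NE(p_unwrapped_tmp, nullptr)` in TestOaepWrapUnwrap assumes the synthetic plaintext can always be imported as the requested 16-byte AES key, but the synthetic length is PRF-derived (rsa_GetErrorLength in lib/freebl/rsapkcs.c can select any value below the maximum message length), so it may be shorter than 16 bytes. Whether PK11_PubUnwrapSymKey still returns a key in that case is not visible from this diff; if it does not, and the RSA key is generated per run, this assertion would fail intermittently. A comment explaining why a short synthetic message cannot make the unwrap fail, or a fixed key and ciphertext for this step, would settle it. The test body extends beyond the hunk.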
@@ -171,15 +192,10 @@ TEST(Pkcs11RsaOaepTest, TestOaepWrapUnwrap) { unwrapped.reset(p_unwrapped_tmp); - // Extract key's value in order to validate decryption worked. - rv = PK11_ExtractKeyValue(to_wrap.get()); - ASSERT_EQ(rv, SECSuccess); - rv = PK11_ExtractKeyValue(unwrapped.get()); ASSERT_EQ(rv, SECSuccess); // References owned by PKCS#11 layer; no need to scope and free. - SECItem* expectedItem = PK11_GetKeyData(to_wrap.get()); SECItem* actualItem = PK11_GetKeyData(unwrapped.get()); ASSERT_EQ(SECITEM_CompareItem(actualItem, expectedItem), 0); diff --git a/lib/freebl/alghmac.c b/lib/freebl/alghmac.c index dd8b73c5fa..e879a2a47a 100644 --- a/lib/freebl/alghmac.c +++ b/lib/freebl/alghmac.c @@ -37,27 +37,20 @@ HMAC_Destroy(HMACContext *cx, PRBool freeit) PORT_Free(cx); } -SECStatus -HMAC_Init(HMACContext *cx, const SECHashObject *hash_obj, - const unsigned char *secret, unsigned int secret_len, PRBool isFIPS) +/* just setup the hmac key */ +static SECStatus +hmac_initKey(HMACContext *cx, const unsigned char *secret, + unsigned int secret_len, PRBool isFIPS) { + unsigned int i; unsigned char hashed_secret[HASH_LENGTH_MAX]; /* required by FIPS 198 Section 3 */ - if (isFIPS && secret_len < hash_obj->length / 2) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; - } - if (cx == NULL) { + if (isFIPS && secret_len < cx->hashobj->length / 2) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } - cx->wasAllocated = PR_FALSE; - cx->hashobj = hash_obj; - cx->hash = cx->hashobj->create(); - if (cx->hash == NULL) - goto loser; if (secret_len > cx->hashobj->blocklength) { cx->hashobj->begin(cx->hash); 
@@ -85,6 +78,31 @@ HMAC_Init(HMACContext *cx, const SECHashObject *hash_obj, loser: PORT_Memset(hashed_secret, 0, sizeof hashed_secret); + return SECFailure; +} + +SECStatus +HMAC_Init(HMACContext *cx, const SECHashObject *hash_obj, + const unsigned char *secret, unsigned int secret_len, PRBool isFIPS) +{ + SECStatus rv; + + if (cx == NULL) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + cx->wasAllocated = PR_FALSE; + cx->hashobj = hash_obj; + cx->hash = cx->hashobj->create(); + if (cx->hash == NULL) + goto loser; + + rv = hmac_initKey(cx, secret, secret_len, isFIPS); + if (rv != SECSuccess) + goto loser; + + return rv; +loser: if (cx->hash != NULL) cx->hashobj->destroy(cx->hash, PR_TRUE); return SECFailure; @@ -107,6 +125,34 @@ HMAC_Create(const SECHashObject *hash_obj, const unsigned char *secret, return cx; } +/* this allows us to reuse an existing HMACContext with a new key and + * Hash function */ +SECStatus +HMAC_ReInit(HMACContext *cx, const SECHashObject *hash_obj, + const unsigned char *secret, unsigned int secret_len, PRBool isFIPS) +{ + PRBool wasAllocated; + SECStatus rv; + + /* if we are using the same hash, keep the hash contexts and only + * init the key */ + if ((cx->hashobj == hash_obj) && (cx->hash != NULL)) { + return hmac_initKey(cx, secret, secret_len, isFIPS); + } + /* otherwise we destroy the contents of the context and + * initalize it from scratch. We need to preseve the current state + * of wasAllocated to the final destroy works correctly */ + wasAllocated = cx->wasAllocated; + cx->wasAllocated = PR_FALSE; + HMAC_Destroy(cx, PR_FALSE); + rv = HMAC_Init(cx, hash_obj, secret, secret_len, isFIPS); + if (rv != SECSuccess) { + return rv; + } + cx->wasAllocated = wasAllocated; + return SECSuccess; +} + void HMAC_Begin(HMACContext *cx) { diff --git a/lib/freebl/alghmac.h b/lib/freebl/alghmac.h index 462526ac49..0e0d66a344 100644 --- a/lib/freebl/alghmac.h +++ b/lib/freebl/alghmac.h 
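Review bot: HMAC_ReInit leaves the context inconsistent when its re-initialisation path fails: `cx->wasAllocated` has been forced to PR_FALSE and is restored only after a successful HMAC_Init, although the comment above says it must be preserved for the final destroy. rsa_GetHMACContext in lib/freebl/rsapkcs.c calls `HMAC_Destroy(hmac, PR_TRUE)` after a failed HMAC_ReInit, so that caller would tear down a context whose flag no longer matches how it was allocated. HMAC_Init's `loser` path also destroys `cx->hash` without clearing the pointer, which looks like it could be destroyed a second time by that later HMAC_Destroy (most of HMAC_Destroy is outside the diff, so this needs confirming). Moving `cx->wasAllocated = wasAllocated;` ahead of `if (rv != SECSuccess)` and adding `cx->hash = NULL;` after the destroy in `loser` would cover both. HMAC_ReInit also dereferences `cx` without the NULL check that HMAC_Init performs.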
@@ -30,6 +30,12 @@ SECStatus HMAC_Init(HMACContext *cx, const SECHashObject *hash_obj, const unsigned char *secret, unsigned int secret_len, PRBool isFIPS); +/* like HMAC_Init, except caller passes in an existing context + * previously used by either HMAC_Create or HMAC_Init. */ +SECStatus +HMAC_ReInit(HMACContext *cx, const SECHashObject *hash_obj, + const unsigned char *secret, unsigned int secret_len, PRBool isFIPS); + /* reset HMAC for a fresh round */ extern void HMAC_Begin(HMACContext *cx); diff --git a/lib/freebl/rsapkcs.c b/lib/freebl/rsapkcs.c index 73d40909d4..58ff6eca57 100644 --- a/lib/freebl/rsapkcs.c +++ b/lib/freebl/rsapkcs.c 
@@ -932,7 +932,161 @@ RSA_EncryptBlock(RSAPublicKey *key, return SECFailure; } -/* XXX Doesn't set error code */ +static HMACContext * +rsa_GetHMACContext(const SECHashObject *hash, RSAPrivateKey *key, + const unsigned char *input, unsigned int inputLen) +{ + unsigned char keyHash[HASH_LENGTH_MAX]; + void *hashContext; + HMACContext *hmac = NULL; + unsigned int privKeyLen = key->privateExponent.len; + unsigned int keyLen; + SECStatus rv; + + /* first get the key hash (should store in the key structure) */ + PORT_Memset(keyHash, 0, sizeof(keyHash)); + hashContext = (*hash->create)(); + if (hashContext == NULL) { + return NULL; + } + (*hash->begin)(hashContext); + if (privKeyLen < inputLen) { + int padLen = inputLen - privKeyLen; + while (padLen > sizeof(keyHash)) { + (*hash->update)(hashContext, keyHash, sizeof(keyHash)); + padLen -= sizeof(keyHash); + } + (*hash->update)(hashContext, keyHash, padLen); + } + (*hash->update)(hashContext, key->privateExponent.data, privKeyLen); + (*hash->end)(hashContext, keyHash, &keyLen, sizeof(keyHash)); + (*hash->destroy)(hashContext, PR_TRUE); + + /* now create the hmac key */ + hmac = HMAC_Create(hash, keyHash, keyLen, PR_TRUE); + if (hmac == NULL) { + PORT_Memset(keyHash, 0, sizeof(keyHash)); + return NULL; + } + HMAC_Begin(hmac); + HMAC_Update(hmac, input, inputLen); + rv = HMAC_Finish(hmac, keyHash, &keyLen, sizeof(keyHash)); + if (rv != SECSuccess) { + PORT_Memset(keyHash, 0, sizeof(keyHash)); + HMAC_Destroy(hmac, PR_TRUE); + return NULL; + } + /* Finally set the new key into the hash context. 
We + * reuse the original context allocated above so we don't + * need to allocate and free another one */ + rv = HMAC_ReInit(hmac, hash, keyHash, keyLen, PR_TRUE); + PORT_Memset(keyHash, 0, sizeof(keyHash)); + if (rv != SECSuccess) { + HMAC_Destroy(hmac, PR_TRUE); + return NULL; + } + + return hmac; +} + +static SECStatus +rsa_HMACPrf(HMACContext *hmac, const char *label, int labelLen, + int hashLength, unsigned char *output, int length) +{ + unsigned char iterator[2] = { 0, 0 }; + unsigned char encodedLen[2] = { 0, 0 }; + unsigned char hmacLast[HASH_LENGTH_MAX]; + unsigned int left = length; + unsigned int hashReturn; + SECStatus rv = SECSuccess; + + /* encodedLen is in bits, length is in bytes, thus the shifts + * do an implied multiply by 8 */ + encodedLen[0] = (length >> 5) & 0xff; + encodedLen[1] = (length << 3) & 0xff; + + while (left > hashLength) { + HMAC_Begin(hmac); + HMAC_Update(hmac, iterator, 2); + HMAC_Update(hmac, (const unsigned char *)label, labelLen); + HMAC_Update(hmac, encodedLen, 2); + rv = HMAC_Finish(hmac, output, &hashReturn, hashLength); + if (rv != SECSuccess) { + return rv; + } + iterator[1]++; + if (iterator[1] == 0) + iterator[0]++; + left -= hashLength; + output += hashLength; + } + if (left) { + HMAC_Begin(hmac); + HMAC_Update(hmac, iterator, 2); + HMAC_Update(hmac, (const unsigned char *)label, labelLen); + HMAC_Update(hmac, encodedLen, 2); + rv = HMAC_Finish(hmac, hmacLast, &hashReturn, sizeof(hmacLast)); + if (rv != SECSuccess) { + return rv; + } + PORT_Memcpy(output, hmacLast, left); + PORT_Memset(hmacLast, 0, sizeof(hmacLast)); + } + return rv; +} + +/* This function takes an input number and + * creates the smallest mask which covers + * the whole number. 
Examples: + * 0x81 -> 0xff + * 0x1af -> 0x1ff + * 0x4d1 -> 0x7ff + */ +static int +makeMask16(int len) +{ + // or the high bit in each bit location + len |= (len >> 1); + len |= (len >> 2); + len |= (len >> 4); + len |= (len >> 8); + return len; +} + +#define STRING_AND_LENGTH(s) s, sizeof(s) - 1 +static int +rsa_GetErrorLength(HMACContext *hmac, int hashLen, int maxLegalLen) +{ + unsigned char out[128 * 2]; + unsigned char *outp; + int outLength = 0; + int lengthMask; + SECStatus rv; + + lengthMask = makeMask16(maxLegalLen); + rv = rsa_HMACPrf(hmac, STRING_AND_LENGTH("length"), hashLen, + out, sizeof(out)); + if (rv != SECSuccess) { + return -1; + } + for (outp = out; outp < out + sizeof(out); outp += 2) { + int candidate = outp[0] << 8 | outp[1]; + candidate = candidate & lengthMask; + outLength = PORT_CT_SEL(PORT_CT_LT(candidate, maxLegalLen), + candidate, outLength); + } + PORT_Memset(out, 0, sizeof(out)); + return outLength; +} + +/* + * This function can only fail in environmental cases: Programming errors + * and out of memory situations. It can't fail if the keys are valid and + * the inputs are the proper size. If the actual RSA decryption fails, then + * and generated return value is returned based on the key and input. + * Applications are expected to detect decryption failures based on the fact + * that the decrypted value (usually a key) doesn't validate. The prevents + * Blecheinbaucher style attacks against the key. */ SECStatus RSA_DecryptBlock(RSAPrivateKey *key, unsigned char *output, 
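Review bot: The error returns in rsa_HMACPrf and rsa_GetErrorLength skip the scrubbing that their success paths perform. When HMAC_Finish fails in the tail block of rsa_HMACPrf, the function returns with `hmacLast` possibly holding partial output, and rsa_GetErrorLength returns -1 with `out` uncleared. Both buffers carry PRF output derived from the key-derivation key, so clearing them on every exit matches what the patch already does for `keyHash`: put `PORT_Memset(hmacLast, 0, sizeof(hmacLast));` ahead of that `return rv;` and `PORT_Memset(out, 0, sizeof(out));` ahead of `return -1;`.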
@@ -941,56 +1095,122 @@ RSA_DecryptBlock(RSAPrivateKey *key, const unsigned char *input, unsigned int inputLen) { - PRInt8 rv; + SECStatus rv; + PRUint32 fail; unsigned int modulusLen = rsa_modulusLen(&key->modulus); unsigned int i; unsigned char *buffer = NULL; - unsigned int outLen = 0; - unsigned int copyOutLen = modulusLen - 11; - + unsigned char *errorBuffer = NULL; + unsigned char *bp = NULL; + unsigned char *ep = NULL; + unsigned int outLen = modulusLen; + unsigned int maxLegalLen = modulusLen - 10; + unsigned int errorLength; + const SECHashObject *hashObj; + HMACContext *hmac = NULL; + + /* failures in the top section indicate failures in the environment + * (memory) or the library. OK to return errors in these cases because + * it doesn't provide any oracle information to attackers. */ if (inputLen != modulusLen || modulusLen < 10) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } - if (copyOutLen > maxOutputLen) { - copyOutLen = maxOutputLen; + /* Allocate enough space to decrypt */ + buffer = PORT_ZAlloc(modulusLen); + if (!buffer) { + goto loser; + } + errorBuffer = PORT_ZAlloc(modulusLen); + if (!errorBuffer) { + goto loser; + } + hashObj = HASH_GetRawHashObject(HASH_AlgSHA256); + if (hashObj == NULL) { + goto loser; } - // Allocate enough space to decrypt + copyOutLen to allow copying outLen later. - buffer = PORT_ZAlloc(modulusLen + 1 + copyOutLen); - if (!buffer) { - return SECFailure; + /* calculate the values to return in the error case rather than + * the actual returned values. This data is the same for the + * same input and private key. */ + hmac = rsa_GetHMACContext(hashObj, key, input, inputLen); + if (hmac == NULL) { + goto loser; + } + errorLength = rsa_GetErrorLength(hmac, hashObj->length, maxLegalLen); + if (((int)errorLength) < 0) { + goto loser; + } + /* we always have to generate a full moduluslen error string. 
Otherwise + * we create a timing dependency on errorLength, which could be used to + * determine the difference between errorLength and outputLen and tell + * us that there was a pkcs1 decryption failure */ + rv = rsa_HMACPrf(hmac, STRING_AND_LENGTH("message"), + hashObj->length, errorBuffer, modulusLen); + if (rv != SECSuccess) { + goto loser; } - // rv is 0 if everything is going well and 1 if an error occurs. - rv = RSA_PrivateKeyOp(key, buffer, input) != SECSuccess; - rv |= (buffer[0] != RSA_BLOCK_FIRST_OCTET) | - (buffer[1] != (unsigned char)RSA_BlockPublic); + HMAC_Destroy(hmac, PR_TRUE); + hmac = NULL; + + /* From here on out, we will always return success. If there is + * an error, we will return deterministic output based on the key + * and the input data. */ + rv = RSA_PrivateKeyOp(key, buffer, input); + + fail = PORT_CT_NE(rv, SECSuccess); + fail |= PORT_CT_NE(buffer[0], RSA_BLOCK_FIRST_OCTET) | PORT_CT_NE(buffer[1], RSA_BlockPublic); - // There have to be at least 8 bytes of padding. + /* There have to be at least 8 bytes of padding. */ for (i = 2; i < 10; i++) { - rv |= buffer[i] == RSA_BLOCK_AFTER_PAD_OCTET; + fail |= PORT_CT_EQ(buffer[i], RSA_BLOCK_AFTER_PAD_OCTET); } for (i = 10; i < modulusLen; i++) { unsigned int newLen = modulusLen - i - 1; - unsigned int c = (buffer[i] == RSA_BLOCK_AFTER_PAD_OCTET) & (outLen == 0); - outLen = constantTimeCondition(c, newLen, outLen); + PRUint32 condition = PORT_CT_EQ(buffer[i], RSA_BLOCK_AFTER_PAD_OCTET) & PORT_CT_EQ(outLen, modulusLen); + outLen = PORT_CT_SEL(condition, newLen, outLen); + } + // this can only happen if a zero wasn't found above + fail |= PORT_CT_GE(outLen, modulusLen); + + outLen = PORT_CT_SEL(fail, errorLength, outLen); + + /* index into the correct buffer. 
Do it before we truncate outLen if the + * application was asking for less data than we can return */ + bp = buffer + modulusLen - outLen; + ep = errorBuffer + modulusLen - outLen; + + /* at this point, outLen returns no information about decryption failures, + * no need to hide it's value. maxOutputLen is how much data the + * application is expecting, which is also not sensitive. */ + if (outLen > maxOutputLen) { + outLen = maxOutputLen; } - rv |= outLen == 0; - rv |= outLen > maxOutputLen; - // Note that output is set even if SECFailure is returned. - PORT_Memcpy(output, buffer + modulusLen - outLen, copyOutLen); - *outputLen = constantTimeCondition(outLen > maxOutputLen, maxOutputLen, - outLen); + /* we can't use PORT_Memcpy because caching could create a time dependency + * on the status of fail. */ + for (i = 0; i < outLen; i++) { + output[i] = PORT_CT_SEL(fail, ep[i], bp[i]); + } + + *outputLen = outLen; PORT_Free(buffer); + PORT_Free(errorBuffer); + + return SECSuccess; - for (i = 1; i < sizeof(rv) * 8; i <<= 1) { - rv |= rv << i; +loser: + if (hmac) { + HMAC_Destroy(hmac, PR_TRUE); } - return (SECStatus)rv; + PORT_Free(buffer); + PORT_Free(errorBuffer); + + return SECFailure; } /*
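Review bot: `buffer` holds the raw RSA decryption result and `errorBuffer` the synthetic message, and both are released with plain `PORT_Free` on the success path and in `loser`, so the decrypted block stays in freed heap memory. The rest of the patch clears comparable material (`keyHash`, `hmacLast`, `out`) before it goes out of scope; the equivalent here is `PORT_ZFree(buffer, modulusLen);` and `PORT_ZFree(errorBuffer, modulusLen);` in both places. The header comment could also state that a result longer than maxOutputLen is now truncated and still returns SECSuccess, since the removed code reported that case as a failure. The function's signature starts outside this hunk.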