X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=test%2Fecdsatest.c;h=ad2f4048a0c9998e985b0f3ece0c7f18c242eb31;hp=d56836f40d345764041f75cae1a15b3603572da5;hb=de4fb434c7f5fe7359dd9f57185bb98845d8e6f1;hpb=7f572e958b13041056f377a62d3219633cfb1e8a diff --git a/test/ecdsatest.c b/test/ecdsatest.c index d56836f40d..ad2f4048a0 100644 --- a/test/ecdsatest.c +++ b/test/ecdsatest.c @@ -1,161 +1,61 @@ -/* crypto/ecdsa/ecdsatest.c */ /* - * Written by Nils Larsch for the OpenSSL project. - */ -/* ==================================================================== - * Copyright (c) 2000-2005 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). + * Copyright 2002-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html */ -/* ==================================================================== - * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. - * - * Portions of the attached software ("Contribution") are developed by - * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. - * - * The Contribution is licensed pursuant to the OpenSSL open source - * license provided above. - * - * The elliptic curve binary polynomial software is originally written by - * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories. - * - */ - -#include -#include -#include #include /* To see if OPENSSL_NO_EC is defined */ +#include "testutil.h" -#ifdef OPENSSL_NO_EC -int main(int argc, char *argv[]) -{ - puts("Elliptic curves are disabled."); - return 0; -} -#else +#ifndef OPENSSL_NO_EC -# include -# include # include # include -# include -# ifndef OPENSSL_NO_ENGINE -# include -# endif -# include +# include # include - -static const char rnd_seed[] = "string to make the random number generator " - "think it has entropy"; - -/* declaration of the test functions */ -int x9_62_tests(BIO *); -int x9_62_test_internal(BIO *out, int nid, const char *r, const char *s); -int test_builtin(BIO *); +# include "internal/nelem.h" +# include "ecdsatest.h" /* functions to change the RAND_METHOD */ -int change_rand(void); -int restore_rand(void); -int fbytes(unsigned char *buf, int num); +static int fbytes(unsigned char *buf, int num); static RAND_METHOD fake_rand; static const RAND_METHOD *old_rand; +static int use_fake = 0; +static const char *numbers[2]; +static size_t crv_len = 0; +static EC_builtin_curve *curves = NULL; -int change_rand(void) +static int change_rand(void) { /* save old rand method */ - if ((old_rand = RAND_get_rand_method()) == NULL) + if (!TEST_ptr(old_rand = RAND_get_rand_method())) return 0; - fake_rand.seed = old_rand->seed; - fake_rand.cleanup = old_rand->cleanup; - fake_rand.add = old_rand->add; - fake_rand.status = old_rand->status; + fake_rand = *old_rand; /* use own random function */ fake_rand.bytes = fbytes; - fake_rand.pseudorand = old_rand->bytes; /* set new RAND_METHOD */ - if (!RAND_set_rand_method(&fake_rand)) + if (!TEST_true(RAND_set_rand_method(&fake_rand))) return 0; return 1; } -int restore_rand(void) +static int restore_rand(void) { - if (!RAND_set_rand_method(old_rand)) + if (!TEST_true(RAND_set_rand_method(old_rand))) return 0; - else - return 1; + return 1; } -static int fbytes_counter = 0, use_fake = 0; -static const char *numbers[8] = { - "651056770906015076056810763456358567190100156695615665659", - "6140507067065001063065065565667405560006161556565665656654", - "8763001015071075675010661307616710783570106710677817767166" - "71676178726717", - "7000000175690566466555057817571571075705015757757057795755" - "55657156756655", - "1275552191113212300012030439187146164646146646466749494799", - "1542725565216523985789236956265265265235675811949404040041", - "1456427555219115346513212300075341203043918714616464614664" - "64667494947990", - "1712787255652165239672857892369562652652652356758119494040" - "40041670216363" -}; - -int fbytes(unsigned char *buf, int num) +static int fbytes(unsigned char *buf, int num) { - int ret; + int ret = 0; + static int fbytes_counter = 0; BIGNUM *tmp = NULL; if (use_fake == 0) @@ -163,390 +63,277 @@ int fbytes(unsigned char *buf, int num) use_fake = 0; - if (fbytes_counter >= 8) - return 0; - tmp = BN_new(); - if (!tmp) - return 0; - if (!BN_dec2bn(&tmp, numbers[fbytes_counter])) { - BN_free(tmp); - return 0; - } - fbytes_counter++; - if (num != BN_num_bytes(tmp) || !BN_bn2bin(tmp, buf)) - ret = 0; - else - ret = 1; + if (!TEST_ptr(tmp = BN_new()) + || !TEST_int_lt(fbytes_counter, OSSL_NELEM(numbers)) + || !TEST_true(BN_hex2bn(&tmp, numbers[fbytes_counter])) + /* tmp might need leading zeros so pad it out */ + || !TEST_int_le(BN_num_bytes(tmp), num) + || !TEST_true(BN_bn2binpad(tmp, buf, num))) + goto err; + + fbytes_counter = (fbytes_counter + 1) % OSSL_NELEM(numbers); + ret = 1; + err: BN_free(tmp); return ret; } -/* some tests from the X9.62 draft */ -int x9_62_test_internal(BIO *out, int nid, const char *r_in, const char *s_in) +/*- + * This function hijacks the RNG to feed it the chosen ECDSA key and nonce. + * The ECDSA KATs are from: + * - the X9.62 draft (4) + * - NIST CAVP (720) + * + * It uses the low-level ECDSA_sign_setup instead of EVP to control the RNG. + * NB: This is not how applications should use ECDSA; this is only for testing. + * + * Tests the library can successfully: + * - generate public keys that matches those KATs + * - create ECDSA signatures that match those KATs + * - accept those signatures as valid + */ +static int x9_62_tests(int n) { - int ret = 0; - const char message[] = "abc"; - unsigned char digest[20]; + int nid, md_nid, ret = 0; + const char *r_in = NULL, *s_in = NULL, *tbs = NULL; + unsigned char *pbuf = NULL, *qbuf = NULL, *message = NULL; + unsigned char digest[EVP_MAX_MD_SIZE]; unsigned int dgst_len = 0; - EVP_MD_CTX md_ctx; + long q_len, msg_len = 0; + size_t p_len; + EVP_MD_CTX *mctx = NULL; EC_KEY *key = NULL; ECDSA_SIG *signature = NULL; BIGNUM *r = NULL, *s = NULL; BIGNUM *kinv = NULL, *rp = NULL; + const BIGNUM *sig_r = NULL, *sig_s = NULL; + + nid = ecdsa_cavs_kats[n].nid; + md_nid = ecdsa_cavs_kats[n].md_nid; + r_in = ecdsa_cavs_kats[n].r; + s_in = ecdsa_cavs_kats[n].s; + tbs = ecdsa_cavs_kats[n].msg; + numbers[0] = ecdsa_cavs_kats[n].d; + numbers[1] = ecdsa_cavs_kats[n].k; + + TEST_info("ECDSA KATs for curve %s", OBJ_nid2sn(nid)); + + if (!TEST_ptr(mctx = EVP_MD_CTX_new()) + /* get the message digest */ + || !TEST_ptr(message = OPENSSL_hexstr2buf(tbs, &msg_len)) + || !TEST_true(EVP_DigestInit_ex(mctx, EVP_get_digestbynid(md_nid), NULL)) + || !TEST_true(EVP_DigestUpdate(mctx, message, msg_len)) + || !TEST_true(EVP_DigestFinal_ex(mctx, digest, &dgst_len)) + /* create the key */ + || !TEST_ptr(key = EC_KEY_new_by_curve_name(nid)) + /* load KAT variables */ + || !TEST_ptr(r = BN_new()) + || !TEST_ptr(s = BN_new()) + || !TEST_true(BN_hex2bn(&r, r_in)) + || !TEST_true(BN_hex2bn(&s, s_in)) + /* swap the RNG source */ + || !TEST_true(change_rand())) + goto err; - EVP_MD_CTX_init(&md_ctx); - /* get the message digest */ - if (!EVP_DigestInit(&md_ctx, EVP_sha1()) - || !EVP_DigestUpdate(&md_ctx, (const void *)message, 3) - || !EVP_DigestFinal(&md_ctx, digest, &dgst_len)) - goto x962_int_err; - - BIO_printf(out, "testing %s: ", OBJ_nid2sn(nid)); - /* create the key */ - if ((key = EC_KEY_new_by_curve_name(nid)) == NULL) - goto x962_int_err; + /* public key must match KAT */ use_fake = 1; - if (!EC_KEY_generate_key(key)) - goto x962_int_err; - BIO_printf(out, "."); - (void)BIO_flush(out); - /* create the signature */ + if (!TEST_true(EC_KEY_generate_key(key)) + || !TEST_true(p_len = EC_KEY_key2buf(key, POINT_CONVERSION_UNCOMPRESSED, + &pbuf, NULL)) + || !TEST_ptr(qbuf = OPENSSL_hexstr2buf(ecdsa_cavs_kats[n].Q, &q_len)) + || !TEST_int_eq(q_len, p_len) + || !TEST_mem_eq(qbuf, q_len, pbuf, p_len)) + goto err; + + /* create the signature via ECDSA_sign_setup to avoid use of ECDSA nonces */ use_fake = 1; - /* Use ECDSA_sign_setup to avoid use of ECDSA nonces */ - if (!ECDSA_sign_setup(key, NULL, &kinv, &rp)) - goto x962_int_err; - signature = ECDSA_do_sign_ex(digest, 20, kinv, rp, key); - if (signature == NULL) - goto x962_int_err; - BIO_printf(out, "."); - (void)BIO_flush(out); + if (!TEST_true(ECDSA_sign_setup(key, NULL, &kinv, &rp)) + || !TEST_ptr(signature = ECDSA_do_sign_ex(digest, dgst_len, + kinv, rp, key)) + /* verify the signature */ + || !TEST_int_eq(ECDSA_do_verify(digest, dgst_len, signature, key), 1)) + goto err; + /* compare the created signature with the expected signature */ - if ((r = BN_new()) == NULL || (s = BN_new()) == NULL) - goto x962_int_err; - if (!BN_dec2bn(&r, r_in) || !BN_dec2bn(&s, s_in)) - goto x962_int_err; - if (BN_cmp(signature->r, r) || BN_cmp(signature->s, s)) - goto x962_int_err; - BIO_printf(out, "."); - (void)BIO_flush(out); - /* verify the signature */ - if (ECDSA_do_verify(digest, 20, signature, key) != 1) - goto x962_int_err; - BIO_printf(out, "."); - (void)BIO_flush(out); - - BIO_printf(out, " ok\n"); + ECDSA_SIG_get0(signature, &sig_r, &sig_s); + if (!TEST_BN_eq(sig_r, r) + || !TEST_BN_eq(sig_s, s)) + goto err; + ret = 1; - x962_int_err: - if (!ret) - BIO_printf(out, " failed\n"); + + err: + /* restore the RNG source */ + if (!TEST_true(restore_rand())) + ret = 0; + + OPENSSL_free(message); + OPENSSL_free(pbuf); + OPENSSL_free(qbuf); EC_KEY_free(key); ECDSA_SIG_free(signature); BN_free(r); BN_free(s); - EVP_MD_CTX_cleanup(&md_ctx); + EVP_MD_CTX_free(mctx); BN_clear_free(kinv); BN_clear_free(rp); return ret; } -int x9_62_tests(BIO *out) -{ - int ret = 0; - - BIO_printf(out, "some tests from X9.62:\n"); - - /* set own rand method */ - if (!change_rand()) - goto x962_err; - - if (!x9_62_test_internal(out, NID_X9_62_prime192v1, - "3342403536405981729393488334694600415596881826869351677613", - "5735822328888155254683894997897571951568553642892029982342")) - goto x962_err; - if (!x9_62_test_internal(out, NID_X9_62_prime239v1, - "3086361431751678114926225473006680188549593787585317781474" - "62058306432176", - "3238135532097973577080787768312505059318910517550078427819" - "78505179448783")) - goto x962_err; -# ifndef OPENSSL_NO_EC2M - if (!x9_62_test_internal(out, NID_X9_62_c2tnb191v1, - "87194383164871543355722284926904419997237591535066528048", - "308992691965804947361541664549085895292153777025772063598")) - goto x962_err; - if (!x9_62_test_internal(out, NID_X9_62_c2tnb239v1, - "2159633321041961198501834003903461262881815148684178964245" - "5876922391552", - "1970303740007316867383349976549972270528498040721988191026" - "49413465737174")) - goto x962_err; -# endif - ret = 1; - x962_err: - if (!restore_rand()) - ret = 0; - return ret; -} - -int test_builtin(BIO *out) +/*- + * Positive and negative ECDSA testing through EVP interface: + * - EVP_DigestSign (this is the one-shot version) + * - EVP_DigestVerify + * + * Tests the library can successfully: + * - create a key + * - create a signature + * - accept that signature + * - reject that signature with a different public key + * - reject that signature if its length is not correct + * - reject that signature after modifying the message + * - accept that signature after un-modifying the message + * - reject that signature after modifying the signature + * - accept that signature after un-modifying the signature + */ +static int test_builtin(int n) { - EC_builtin_curve *curves = NULL; - size_t crv_len = 0, n = 0; - EC_KEY *eckey = NULL, *wrong_eckey = NULL; - EC_GROUP *group; - ECDSA_SIG *ecdsa_sig = NULL; - unsigned char digest[20], wrong_digest[20]; - unsigned char *signature = NULL; - const unsigned char *sig_ptr; - unsigned char *sig_ptr2; - unsigned char *raw_buf = NULL; - unsigned int sig_len, degree, r_len, s_len, bn_len, buf_len; + EC_KEY *eckey_neg = NULL, *eckey = NULL; + unsigned char dirt, offset, tbs[128]; + unsigned char *sig = NULL; + EVP_PKEY *pkey_neg = NULL, *pkey = NULL; + EVP_MD_CTX *mctx = NULL; + size_t sig_len; int nid, ret = 0; - /* fill digest values with some random data */ - if (RAND_bytes(digest, 20) <= 0 || RAND_bytes(wrong_digest, 20) <= 0) { - BIO_printf(out, "ERROR: unable to get random data\n"); - goto builtin_err; - } - - /* - * create and verify a ecdsa signature with every availble curve (with ) - */ - BIO_printf(out, "\ntesting ECDSA_sign() and ECDSA_verify() " - "with some internal curves:\n"); + nid = curves[n].nid; - /* get a list of all internal curves */ - crv_len = EC_get_builtin_curves(NULL, 0); - curves = OPENSSL_malloc(sizeof(*curves) * crv_len); - if (curves == NULL) { - BIO_printf(out, "malloc error\n"); - goto builtin_err; - } - - if (!EC_get_builtin_curves(curves, crv_len)) { - BIO_printf(out, "unable to get internal curves\n"); - goto builtin_err; - } - - /* now create and verify a signature for every curve */ - for (n = 0; n < crv_len; n++) { - unsigned char dirt, offset; - - nid = curves[n].nid; - if (nid == NID_ipsec4) - continue; - /* create new ecdsa key (== EC_KEY) */ - if ((eckey = EC_KEY_new()) == NULL) - goto builtin_err; - group = EC_GROUP_new_by_curve_name(nid); - if (group == NULL) - goto builtin_err; - if (EC_KEY_set_group(eckey, group) == 0) - goto builtin_err; - EC_GROUP_free(group); - degree = EC_GROUP_get_degree(EC_KEY_get0_group(eckey)); - if (degree < 160) { - /* drop the curve */ - EC_KEY_free(eckey); - eckey = NULL; - continue; - } - BIO_printf(out, "%s: ", OBJ_nid2sn(nid)); - /* create key */ - if (!EC_KEY_generate_key(eckey)) { - BIO_printf(out, " failed\n"); - goto builtin_err; - } - /* create second key */ - if ((wrong_eckey = EC_KEY_new()) == NULL) - goto builtin_err; - group = EC_GROUP_new_by_curve_name(nid); - if (group == NULL) - goto builtin_err; - if (EC_KEY_set_group(wrong_eckey, group) == 0) - goto builtin_err; - EC_GROUP_free(group); - if (!EC_KEY_generate_key(wrong_eckey)) { - BIO_printf(out, " failed\n"); - goto builtin_err; - } - - BIO_printf(out, "."); - (void)BIO_flush(out); - /* check key */ - if (!EC_KEY_check_key(eckey)) { - BIO_printf(out, " failed\n"); - goto builtin_err; - } - BIO_printf(out, "."); - (void)BIO_flush(out); - /* create signature */ - sig_len = ECDSA_size(eckey); - if ((signature = OPENSSL_malloc(sig_len)) == NULL) - goto builtin_err; - if (!ECDSA_sign(0, digest, 20, signature, &sig_len, eckey)) { - BIO_printf(out, " failed\n"); - goto builtin_err; - } - BIO_printf(out, "."); - (void)BIO_flush(out); - /* verify signature */ - if (ECDSA_verify(0, digest, 20, signature, sig_len, eckey) != 1) { - BIO_printf(out, " failed\n"); - goto builtin_err; - } - BIO_printf(out, "."); - (void)BIO_flush(out); - /* verify signature with the wrong key */ - if (ECDSA_verify(0, digest, 20, signature, sig_len, wrong_eckey) == 1) { - BIO_printf(out, " failed\n"); - goto builtin_err; - } - BIO_printf(out, "."); - (void)BIO_flush(out); - /* wrong digest */ - if (ECDSA_verify(0, wrong_digest, 20, signature, sig_len, eckey) == 1) { - BIO_printf(out, " failed\n"); - goto builtin_err; - } - BIO_printf(out, "."); - (void)BIO_flush(out); - /* wrong length */ - if (ECDSA_verify(0, digest, 20, signature, sig_len - 1, eckey) == 1) { - BIO_printf(out, " failed\n"); - goto builtin_err; - } - BIO_printf(out, "."); - (void)BIO_flush(out); - - /* - * Modify a single byte of the signature: to ensure we don't garble - * the ASN1 structure, we read the raw signature and modify a byte in - * one of the bignums directly. - */ - sig_ptr = signature; - if ((ecdsa_sig = d2i_ECDSA_SIG(NULL, &sig_ptr, sig_len)) == NULL) { - BIO_printf(out, " failed\n"); - goto builtin_err; - } - - /* Store the two BIGNUMs in raw_buf. */ - r_len = BN_num_bytes(ecdsa_sig->r); - s_len = BN_num_bytes(ecdsa_sig->s); - bn_len = (degree + 7) / 8; - if ((r_len > bn_len) || (s_len > bn_len)) { - BIO_printf(out, " failed\n"); - goto builtin_err; - } - buf_len = 2 * bn_len; - if ((raw_buf = OPENSSL_zalloc(buf_len)) == NULL) - goto builtin_err; - BN_bn2bin(ecdsa_sig->r, raw_buf + bn_len - r_len); - BN_bn2bin(ecdsa_sig->s, raw_buf + buf_len - s_len); - - /* Modify a single byte in the buffer. */ - offset = raw_buf[10] % buf_len; - dirt = raw_buf[11] ? raw_buf[11] : 1; - raw_buf[offset] ^= dirt; - /* Now read the BIGNUMs back in from raw_buf. */ - if ((BN_bin2bn(raw_buf, bn_len, ecdsa_sig->r) == NULL) || - (BN_bin2bn(raw_buf + bn_len, bn_len, ecdsa_sig->s) == NULL)) - goto builtin_err; - - sig_ptr2 = signature; - sig_len = i2d_ECDSA_SIG(ecdsa_sig, &sig_ptr2); - if (ECDSA_verify(0, digest, 20, signature, sig_len, eckey) == 1) { - BIO_printf(out, " failed\n"); - goto builtin_err; - } - /* - * Sanity check: undo the modification and verify signature. - */ - raw_buf[offset] ^= dirt; - if ((BN_bin2bn(raw_buf, bn_len, ecdsa_sig->r) == NULL) || - (BN_bin2bn(raw_buf + bn_len, bn_len, ecdsa_sig->s) == NULL)) - goto builtin_err; - - sig_ptr2 = signature; - sig_len = i2d_ECDSA_SIG(ecdsa_sig, &sig_ptr2); - if (ECDSA_verify(0, digest, 20, signature, sig_len, eckey) != 1) { - BIO_printf(out, " failed\n"); - goto builtin_err; - } - BIO_printf(out, "."); - (void)BIO_flush(out); - - BIO_printf(out, " ok\n"); - /* cleanup */ - /* clean bogus errors */ - ERR_clear_error(); - OPENSSL_free(signature); - signature = NULL; - EC_KEY_free(eckey); - eckey = NULL; - EC_KEY_free(wrong_eckey); - wrong_eckey = NULL; - ECDSA_SIG_free(ecdsa_sig); - ecdsa_sig = NULL; - OPENSSL_free(raw_buf); - raw_buf = NULL; + /* skip built-in curves where ord(G) is not prime */ + if (nid == NID_ipsec4 || nid == NID_ipsec3) { + TEST_info("skipped: ECDSA unsupported for curve %s", OBJ_nid2sn(nid)); + return 1; } - ret = 1; - builtin_err: - EC_KEY_free(eckey); - EC_KEY_free(wrong_eckey); - ECDSA_SIG_free(ecdsa_sig); - OPENSSL_free(signature); - OPENSSL_free(raw_buf); - OPENSSL_free(curves); - - return ret; -} - -int main(void) -{ - int ret = 1; - BIO *out; - - out = BIO_new_fp(stdout, BIO_NOCLOSE | BIO_FP_TEXT); - - /* enable memory leak checking unless explicitly disabled */ - if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL) && - (0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off")))) { - CRYPTO_malloc_debug_init(); - CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL); - } else { - /* OPENSSL_DEBUG_MEMORY=off */ - CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0); - } - CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); + TEST_info("testing ECDSA for curve %s", OBJ_nid2sn(nid)); + + if (!TEST_ptr(mctx = EVP_MD_CTX_new()) + /* get some random message data */ + || !TEST_true(RAND_bytes(tbs, sizeof(tbs))) + /* real key */ + || !TEST_ptr(eckey = EC_KEY_new_by_curve_name(nid)) + || !TEST_true(EC_KEY_generate_key(eckey)) + || !TEST_ptr(pkey = EVP_PKEY_new()) + || !TEST_true(EVP_PKEY_assign_EC_KEY(pkey, eckey)) + /* fake key for negative testing */ + || !TEST_ptr(eckey_neg = EC_KEY_new_by_curve_name(nid)) + || !TEST_true(EC_KEY_generate_key(eckey_neg)) + || !TEST_ptr(pkey_neg = EVP_PKEY_new()) + || !TEST_true(EVP_PKEY_assign_EC_KEY(pkey_neg, eckey_neg))) + goto err; - ERR_load_crypto_strings(); + sig_len = ECDSA_size(eckey); + + if (!TEST_ptr(sig = OPENSSL_malloc(sig_len)) + /* create a signature */ + || !TEST_true(EVP_DigestSignInit(mctx, NULL, NULL, NULL, pkey)) + || !TEST_true(EVP_DigestSign(mctx, sig, &sig_len, tbs, sizeof(tbs))) + || !TEST_int_le(sig_len, ECDSA_size(eckey)) + /* negative test, verify with wrong key, 0 return */ + || !TEST_true(EVP_MD_CTX_reset(mctx)) + || !TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey_neg)) + || !TEST_int_eq(EVP_DigestVerify(mctx, sig, sig_len, tbs, sizeof(tbs)), 0) + /* negative test, verify with wrong signature length, -1 return */ + || !TEST_true(EVP_MD_CTX_reset(mctx)) + || !TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey)) + || !TEST_int_eq(EVP_DigestVerify(mctx, sig, sig_len - 1, tbs, sizeof(tbs)), -1) + /* positive test, verify with correct key, 1 return */ + || !TEST_true(EVP_MD_CTX_reset(mctx)) + || !TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey)) + || !TEST_int_eq(EVP_DigestVerify(mctx, sig, sig_len, tbs, sizeof(tbs)), 1)) + goto err; - /* initialize the prng */ - RAND_seed(rnd_seed, sizeof(rnd_seed)); + /* muck with the message, test it fails with 0 return */ + tbs[0] ^= 1; + if (!TEST_true(EVP_MD_CTX_reset(mctx)) + || !TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey)) + || !TEST_int_eq(EVP_DigestVerify(mctx, sig, sig_len, tbs, sizeof(tbs)), 0)) + goto err; + /* un-muck and test it verifies */ + tbs[0] ^= 1; + if (!TEST_true(EVP_MD_CTX_reset(mctx)) + || !TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey)) + || !TEST_int_eq(EVP_DigestVerify(mctx, sig, sig_len, tbs, sizeof(tbs)), 1)) + goto err; - /* the tests */ - if (!x9_62_tests(out)) + /*- + * Muck with the ECDSA signature. The DER encoding is one of: + * - 30 LL 02 .. + * - 30 81 LL 02 .. + * + * - Sometimes this mucks with the high level DER sequence wrapper: + * in that case, DER-parsing of the whole signature should fail. + * + * - Sometimes this mucks with the DER-encoding of ECDSA.r: + * in that case, DER-parsing of ECDSA.r should fail. + * + * - Sometimes this mucks with the DER-encoding of ECDSA.s: + * in that case, DER-parsing of ECDSA.s should fail. + * + * - Sometimes this mucks with ECDSA.r: + * in that case, the signature verification should fail. + * + * - Sometimes this mucks with ECDSA.s: + * in that case, the signature verification should fail. + * + * The usual case is changing the integer value of ECDSA.r or ECDSA.s. + * Because the ratio of DER overhead to signature bytes is small. + * So most of the time it will be one of the last two cases. + * + * In any case, EVP_PKEY_verify should not return 1 for valid. + */ + offset = tbs[0] % sig_len; + dirt = tbs[1] ? tbs[1] : 1; + sig[offset] ^= dirt; + if (!TEST_true(EVP_MD_CTX_reset(mctx)) + || !TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey)) + || !TEST_int_ne(EVP_DigestVerify(mctx, sig, sig_len, tbs, sizeof(tbs)), 1)) goto err; - if (!test_builtin(out)) + /* un-muck and test it verifies */ + sig[offset] ^= dirt; + if (!TEST_true(EVP_MD_CTX_reset(mctx)) + || !TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey)) + || !TEST_int_eq(EVP_DigestVerify(mctx, sig, sig_len, tbs, sizeof(tbs)), 1)) goto err; - ret = 0; + ret = 1; err: - if (ret) - BIO_printf(out, "\nECDSA test failed\n"); - else - BIO_printf(out, "\nECDSA test passed\n"); - if (ret) - ERR_print_errors(out); - CRYPTO_cleanup_all_ex_data(); - ERR_remove_thread_state(NULL); - ERR_free_strings(); - CRYPTO_mem_leaks(out); - BIO_free(out); + EVP_PKEY_free(pkey); + EVP_PKEY_free(pkey_neg); + EVP_MD_CTX_free(mctx); + OPENSSL_free(sig); return ret; } #endif + +int setup_tests(void) +{ +#ifdef OPENSSL_NO_EC + TEST_note("Elliptic curves are disabled."); +#else + /* get a list of all internal curves */ + crv_len = EC_get_builtin_curves(NULL, 0); + if (!TEST_ptr(curves = OPENSSL_malloc(sizeof(*curves) * crv_len)) + || !TEST_true(EC_get_builtin_curves(curves, crv_len))) + return 0; + ADD_ALL_TESTS(test_builtin, crv_len); + ADD_ALL_TESTS(x9_62_tests, OSSL_NELEM(ecdsa_cavs_kats)); +#endif + return 1; +} + +void cleanup_tests(void) +{ +#ifndef OPENSSL_NO_EC + OPENSSL_free(curves); +#endif +}