]>
Commit | Line | Data |
---|---|---|
2b32b281 | 1 | /* |
8020d79b | 2 | * Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved. |
aa8f3d76 | 3 | * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved |
4d94ae00 | 4 | * |
909f1a2e | 5 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
440e5d80 RS |
6 | * this file except in compliance with the License. You can obtain a copy |
7 | * in the file LICENSE in the source distribution or at | |
8 | * https://www.openssl.org/source/license.html | |
4d94ae00 | 9 | */ |
440e5d80 | 10 | |
579422c8 P |
11 | /* |
12 | * Low level APIs are deprecated for public use, but still ok for internal use. | |
13 | */ | |
14 | #include "internal/deprecated.h" | |
15 | ||
10bf4fc2 | 16 | #include <openssl/opensslconf.h> /* To see if OPENSSL_NO_EC is defined */ |
b770a80f | 17 | #include "testutil.h" |
3b6aa36c | 18 | |
a69de3f2 | 19 | #ifndef OPENSSL_NO_EC |
4d94ae00 | 20 | |
0f113f3e MC |
21 | # include <openssl/evp.h> |
22 | # include <openssl/bn.h> | |
fb29bb59 | 23 | # include <openssl/ec.h> |
0f113f3e | 24 | # include <openssl/rand.h> |
1a31d801 BB |
25 | # include "internal/nelem.h" |
26 | # include "ecdsatest.h" | |
690ecff7 | 27 | |
fccdb61a P |
28 | static fake_random_generate_cb fbytes; |
29 | ||
1a31d801 BB |
30 | static const char *numbers[2]; |
31 | static size_t crv_len = 0; | |
32 | static EC_builtin_curve *curves = NULL; | |
332a245c | 33 | static OSSL_PROVIDER *fake_rand = NULL; |
2b32b281 | 34 | |
fccdb61a P |
35 | static int fbytes(unsigned char *buf, size_t num, ossl_unused const char *name, |
36 | EVP_RAND_CTX *ctx) | |
0f113f3e | 37 | { |
b66411f6 | 38 | int ret = 0; |
1a31d801 | 39 | static int fbytes_counter = 0; |
0f113f3e MC |
40 | BIGNUM *tmp = NULL; |
41 | ||
fccdb61a | 42 | fake_rand_set_callback(ctx, NULL); |
0f113f3e | 43 | |
1a31d801 BB |
44 | if (!TEST_ptr(tmp = BN_new()) |
45 | || !TEST_int_lt(fbytes_counter, OSSL_NELEM(numbers)) | |
46 | || !TEST_true(BN_hex2bn(&tmp, numbers[fbytes_counter])) | |
47 | /* tmp might need leading zeros so pad it out */ | |
48 | || !TEST_int_le(BN_num_bytes(tmp), num) | |
49 | || !TEST_true(BN_bn2binpad(tmp, buf, num))) | |
50 | goto err; | |
51 | ||
52 | fbytes_counter = (fbytes_counter + 1) % OSSL_NELEM(numbers); | |
53 | ret = 1; | |
54 | err: | |
0f113f3e MC |
55 | BN_free(tmp); |
56 | return ret; | |
57 | } | |
2b32b281 | 58 | |
1a31d801 BB |
59 | /*- |
60 | * This function hijacks the RNG to feed it the chosen ECDSA key and nonce. | |
61 | * The ECDSA KATs are from: | |
62 | * - the X9.62 draft (4) | |
63 | * - NIST CAVP (720) | |
64 | * | |
65 | * It uses the low-level ECDSA_sign_setup instead of EVP to control the RNG. | |
66 | * NB: This is not how applications should use ECDSA; this is only for testing. | |
67 | * | |
68 | * Tests the library can successfully: | |
69 | * - generate public keys that matches those KATs | |
70 | * - create ECDSA signatures that match those KATs | |
71 | * - accept those signatures as valid | |
72 | */ | |
73 | static int x9_62_tests(int n) | |
0f113f3e | 74 | { |
1a31d801 BB |
75 | int nid, md_nid, ret = 0; |
76 | const char *r_in = NULL, *s_in = NULL, *tbs = NULL; | |
77 | unsigned char *pbuf = NULL, *qbuf = NULL, *message = NULL; | |
78 | unsigned char digest[EVP_MAX_MD_SIZE]; | |
0f113f3e | 79 | unsigned int dgst_len = 0; |
1a31d801 BB |
80 | long q_len, msg_len = 0; |
81 | size_t p_len; | |
82 | EVP_MD_CTX *mctx = NULL; | |
0f113f3e MC |
83 | EC_KEY *key = NULL; |
84 | ECDSA_SIG *signature = NULL; | |
85 | BIGNUM *r = NULL, *s = NULL; | |
86 | BIGNUM *kinv = NULL, *rp = NULL; | |
1a31d801 BB |
87 | const BIGNUM *sig_r = NULL, *sig_s = NULL; |
88 | ||
89 | nid = ecdsa_cavs_kats[n].nid; | |
90 | md_nid = ecdsa_cavs_kats[n].md_nid; | |
91 | r_in = ecdsa_cavs_kats[n].r; | |
92 | s_in = ecdsa_cavs_kats[n].s; | |
93 | tbs = ecdsa_cavs_kats[n].msg; | |
94 | numbers[0] = ecdsa_cavs_kats[n].d; | |
95 | numbers[1] = ecdsa_cavs_kats[n].k; | |
96 | ||
97 | TEST_info("ECDSA KATs for curve %s", OBJ_nid2sn(nid)); | |
98 | ||
f844f9eb | 99 | #ifdef FIPS_MODULE |
10c25644 SL |
100 | if (EC_curve_nid2nist(nid) == NULL) |
101 | return TEST_skip("skip non approved curves"); | |
f844f9eb | 102 | #endif /* FIPS_MODULE */ |
10c25644 | 103 | |
1a31d801 BB |
104 | if (!TEST_ptr(mctx = EVP_MD_CTX_new()) |
105 | /* get the message digest */ | |
106 | || !TEST_ptr(message = OPENSSL_hexstr2buf(tbs, &msg_len)) | |
107 | || !TEST_true(EVP_DigestInit_ex(mctx, EVP_get_digestbynid(md_nid), NULL)) | |
108 | || !TEST_true(EVP_DigestUpdate(mctx, message, msg_len)) | |
109 | || !TEST_true(EVP_DigestFinal_ex(mctx, digest, &dgst_len)) | |
110 | /* create the key */ | |
111 | || !TEST_ptr(key = EC_KEY_new_by_curve_name(nid)) | |
112 | /* load KAT variables */ | |
113 | || !TEST_ptr(r = BN_new()) | |
114 | || !TEST_ptr(s = BN_new()) | |
115 | || !TEST_true(BN_hex2bn(&r, r_in)) | |
332a245c | 116 | || !TEST_true(BN_hex2bn(&s, s_in))) |
1a31d801 BB |
117 | goto err; |
118 | ||
119 | /* public key must match KAT */ | |
fccdb61a | 120 | fake_rand_set_callback(RAND_get0_private(NULL), &fbytes); |
1a31d801 BB |
121 | if (!TEST_true(EC_KEY_generate_key(key)) |
122 | || !TEST_true(p_len = EC_KEY_key2buf(key, POINT_CONVERSION_UNCOMPRESSED, | |
123 | &pbuf, NULL)) | |
124 | || !TEST_ptr(qbuf = OPENSSL_hexstr2buf(ecdsa_cavs_kats[n].Q, &q_len)) | |
125 | || !TEST_int_eq(q_len, p_len) | |
126 | || !TEST_mem_eq(qbuf, q_len, pbuf, p_len)) | |
127 | goto err; | |
128 | ||
129 | /* create the signature via ECDSA_sign_setup to avoid use of ECDSA nonces */ | |
fccdb61a | 130 | fake_rand_set_callback(RAND_get0_private(NULL), &fbytes); |
1a31d801 BB |
131 | if (!TEST_true(ECDSA_sign_setup(key, NULL, &kinv, &rp)) |
132 | || !TEST_ptr(signature = ECDSA_do_sign_ex(digest, dgst_len, | |
133 | kinv, rp, key)) | |
134 | /* verify the signature */ | |
135 | || !TEST_int_eq(ECDSA_do_verify(digest, dgst_len, signature, key), 1)) | |
136 | goto err; | |
b66411f6 | 137 | |
0f113f3e | 138 | /* compare the created signature with the expected signature */ |
9267c11b | 139 | ECDSA_SIG_get0(signature, &sig_r, &sig_s); |
dc352c19 | 140 | if (!TEST_BN_eq(sig_r, r) |
1a31d801 BB |
141 | || !TEST_BN_eq(sig_s, s)) |
142 | goto err; | |
0f113f3e | 143 | |
0f113f3e | 144 | ret = 1; |
b66411f6 | 145 | |
1a31d801 | 146 | err: |
1a31d801 BB |
147 | OPENSSL_free(message); |
148 | OPENSSL_free(pbuf); | |
149 | OPENSSL_free(qbuf); | |
8fdc3734 | 150 | EC_KEY_free(key); |
25aaa98a | 151 | ECDSA_SIG_free(signature); |
23a1d5e9 RS |
152 | BN_free(r); |
153 | BN_free(s); | |
1a31d801 | 154 | EVP_MD_CTX_free(mctx); |
23a1d5e9 RS |
155 | BN_clear_free(kinv); |
156 | BN_clear_free(rp); | |
0f113f3e MC |
157 | return ret; |
158 | } | |
4d94ae00 | 159 | |
1a31d801 BB |
160 | /*- |
161 | * Positive and negative ECDSA testing through EVP interface: | |
162 | * - EVP_DigestSign (this is the one-shot version) | |
163 | * - EVP_DigestVerify | |
164 | * | |
165 | * Tests the library can successfully: | |
166 | * - create a key | |
167 | * - create a signature | |
168 | * - accept that signature | |
169 | * - reject that signature with a different public key | |
170 | * - reject that signature if its length is not correct | |
171 | * - reject that signature after modifying the message | |
172 | * - accept that signature after un-modifying the message | |
173 | * - reject that signature after modifying the signature | |
174 | * - accept that signature after un-modifying the signature | |
175 | */ | |
3995de2c RL |
176 | static int set_sm2_id(EVP_MD_CTX *mctx, EVP_PKEY *pkey) |
177 | { | |
178 | /* With the SM2 key type, the SM2 ID is mandatory */ | |
179 | static const char sm2_id[] = { 1, 2, 3, 4, 'l', 'e', 't', 't', 'e', 'r' }; | |
180 | EVP_PKEY_CTX *pctx; | |
181 | ||
fda127be | 182 | if (!TEST_ptr(pctx = EVP_MD_CTX_pkey_ctx(mctx)) |
3995de2c RL |
183 | || !TEST_int_gt(EVP_PKEY_CTX_set1_id(pctx, sm2_id, sizeof(sm2_id)), 0)) |
184 | return 0; | |
3995de2c RL |
185 | return 1; |
186 | } | |
187 | ||
188 | static int test_builtin(int n, int as) | |
0f113f3e | 189 | { |
1a31d801 BB |
190 | EC_KEY *eckey_neg = NULL, *eckey = NULL; |
191 | unsigned char dirt, offset, tbs[128]; | |
192 | unsigned char *sig = NULL; | |
2145ba5e | 193 | EVP_PKEY *pkey_neg = NULL, *pkey = NULL, *dup_pk = NULL; |
1a31d801 BB |
194 | EVP_MD_CTX *mctx = NULL; |
195 | size_t sig_len; | |
0f113f3e | 196 | int nid, ret = 0; |
68ad17e8 | 197 | int temp; |
0f113f3e | 198 | |
1a31d801 | 199 | nid = curves[n].nid; |
0f113f3e | 200 | |
1a31d801 BB |
201 | /* skip built-in curves where ord(G) is not prime */ |
202 | if (nid == NID_ipsec4 || nid == NID_ipsec3) { | |
203 | TEST_info("skipped: ECDSA unsupported for curve %s", OBJ_nid2sn(nid)); | |
204 | return 1; | |
0f113f3e MC |
205 | } |
206 | ||
7ee511d0 PY |
207 | /* |
208 | * skip SM2 curve if 'as' is equal to EVP_PKEY_EC or, skip all curves | |
209 | * except SM2 curve if 'as' is equal to EVP_PKEY_SM2 | |
210 | */ | |
211 | if (nid == NID_sm2 && as == EVP_PKEY_EC) { | |
212 | TEST_info("skipped: EC key type unsupported for curve %s", | |
213 | OBJ_nid2sn(nid)); | |
214 | return 1; | |
215 | } else if (nid != NID_sm2 && as == EVP_PKEY_SM2) { | |
216 | TEST_info("skipped: SM2 key type unsupported for curve %s", | |
217 | OBJ_nid2sn(nid)); | |
218 | return 1; | |
219 | } | |
220 | ||
3995de2c RL |
221 | TEST_info("testing ECDSA for curve %s as %s key type", OBJ_nid2sn(nid), |
222 | as == EVP_PKEY_EC ? "EC" : "SM2"); | |
1a31d801 BB |
223 | |
224 | if (!TEST_ptr(mctx = EVP_MD_CTX_new()) | |
225 | /* get some random message data */ | |
226 | || !TEST_true(RAND_bytes(tbs, sizeof(tbs))) | |
227 | /* real key */ | |
228 | || !TEST_ptr(eckey = EC_KEY_new_by_curve_name(nid)) | |
229 | || !TEST_true(EC_KEY_generate_key(eckey)) | |
230 | || !TEST_ptr(pkey = EVP_PKEY_new()) | |
231 | || !TEST_true(EVP_PKEY_assign_EC_KEY(pkey, eckey)) | |
232 | /* fake key for negative testing */ | |
233 | || !TEST_ptr(eckey_neg = EC_KEY_new_by_curve_name(nid)) | |
234 | || !TEST_true(EC_KEY_generate_key(eckey_neg)) | |
235 | || !TEST_ptr(pkey_neg = EVP_PKEY_new()) | |
4bb73d54 | 236 | || !TEST_false(EVP_PKEY_assign_EC_KEY(pkey_neg, NULL)) |
1a31d801 BB |
237 | || !TEST_true(EVP_PKEY_assign_EC_KEY(pkey_neg, eckey_neg))) |
238 | goto err; | |
239 | ||
2145ba5e TM |
240 | if (!TEST_ptr(dup_pk = EVP_PKEY_dup(pkey)) |
241 | || !TEST_int_eq(EVP_PKEY_eq(pkey, dup_pk), 1)) | |
242 | goto err; | |
243 | ||
68ad17e8 | 244 | temp = ECDSA_size(eckey); |
1a31d801 | 245 | |
3995de2c RL |
246 | /* |
247 | * |as| indicates how we want to treat the key, i.e. what sort of | |
248 | * computation we want to do with it. The two choices are the key | |
249 | * types EVP_PKEY_EC and EVP_PKEY_SM2. It's perfectly possible to | |
250 | * switch back and forth between those two key types, regardless of | |
251 | * curve, even though the default is to have EVP_PKEY_SM2 for the | |
252 | * SM2 curve and EVP_PKEY_EC for all other curves. | |
253 | */ | |
254 | if (!TEST_true(EVP_PKEY_set_alias_type(pkey, as)) | |
255 | || !TEST_true(EVP_PKEY_set_alias_type(pkey_neg, as))) | |
256 | goto err; | |
257 | ||
68ad17e8 P |
258 | if (!TEST_int_ge(temp, 0) |
259 | || !TEST_ptr(sig = OPENSSL_malloc(sig_len = (size_t)temp)) | |
1a31d801 BB |
260 | /* create a signature */ |
261 | || !TEST_true(EVP_DigestSignInit(mctx, NULL, NULL, NULL, pkey)) | |
fda127be | 262 | || (as == EVP_PKEY_SM2 && !set_sm2_id(mctx, pkey)) |
1a31d801 BB |
263 | || !TEST_true(EVP_DigestSign(mctx, sig, &sig_len, tbs, sizeof(tbs))) |
264 | || !TEST_int_le(sig_len, ECDSA_size(eckey)) | |
1a31d801 | 265 | || !TEST_true(EVP_MD_CTX_reset(mctx)) |
3995de2c | 266 | /* negative test, verify with wrong key, 0 return */ |
1a31d801 | 267 | || !TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey_neg)) |
fda127be | 268 | || (as == EVP_PKEY_SM2 && !set_sm2_id(mctx, pkey_neg)) |
1a31d801 | 269 | || !TEST_int_eq(EVP_DigestVerify(mctx, sig, sig_len, tbs, sizeof(tbs)), 0) |
1a31d801 | 270 | || !TEST_true(EVP_MD_CTX_reset(mctx)) |
3995de2c | 271 | /* negative test, verify with wrong signature length, -1 return */ |
1a31d801 | 272 | || !TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey)) |
fda127be | 273 | || (as == EVP_PKEY_SM2 && !set_sm2_id(mctx, pkey)) |
1a31d801 | 274 | || !TEST_int_eq(EVP_DigestVerify(mctx, sig, sig_len - 1, tbs, sizeof(tbs)), -1) |
1a31d801 | 275 | || !TEST_true(EVP_MD_CTX_reset(mctx)) |
3995de2c | 276 | /* positive test, verify with correct key, 1 return */ |
1a31d801 | 277 | || !TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey)) |
fda127be | 278 | || (as == EVP_PKEY_SM2 && !set_sm2_id(mctx, pkey)) |
3995de2c | 279 | || !TEST_int_eq(EVP_DigestVerify(mctx, sig, sig_len, tbs, sizeof(tbs)), 1) |
3995de2c | 280 | || !TEST_true(EVP_MD_CTX_reset(mctx))) |
1a31d801 BB |
281 | goto err; |
282 | ||
283 | /* muck with the message, test it fails with 0 return */ | |
284 | tbs[0] ^= 1; | |
fda127be RL |
285 | if (!TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey)) |
286 | || (as == EVP_PKEY_SM2 && !set_sm2_id(mctx, pkey)) | |
3995de2c | 287 | || !TEST_int_eq(EVP_DigestVerify(mctx, sig, sig_len, tbs, sizeof(tbs)), 0) |
3995de2c | 288 | || !TEST_true(EVP_MD_CTX_reset(mctx))) |
1a31d801 BB |
289 | goto err; |
290 | /* un-muck and test it verifies */ | |
291 | tbs[0] ^= 1; | |
fda127be RL |
292 | if (!TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey)) |
293 | || (as == EVP_PKEY_SM2 && !set_sm2_id(mctx, pkey)) | |
3995de2c | 294 | || !TEST_int_eq(EVP_DigestVerify(mctx, sig, sig_len, tbs, sizeof(tbs)), 1) |
3995de2c | 295 | || !TEST_true(EVP_MD_CTX_reset(mctx))) |
1a31d801 BB |
296 | goto err; |
297 | ||
298 | /*- | |
299 | * Muck with the ECDSA signature. The DER encoding is one of: | |
300 | * - 30 LL 02 .. | |
301 | * - 30 81 LL 02 .. | |
302 | * | |
303 | * - Sometimes this mucks with the high level DER sequence wrapper: | |
304 | * in that case, DER-parsing of the whole signature should fail. | |
305 | * | |
306 | * - Sometimes this mucks with the DER-encoding of ECDSA.r: | |
307 | * in that case, DER-parsing of ECDSA.r should fail. | |
308 | * | |
309 | * - Sometimes this mucks with the DER-encoding of ECDSA.s: | |
310 | * in that case, DER-parsing of ECDSA.s should fail. | |
311 | * | |
312 | * - Sometimes this mucks with ECDSA.r: | |
313 | * in that case, the signature verification should fail. | |
314 | * | |
315 | * - Sometimes this mucks with ECDSA.s: | |
316 | * in that case, the signature verification should fail. | |
317 | * | |
318 | * The usual case is changing the integer value of ECDSA.r or ECDSA.s. | |
319 | * Because the ratio of DER overhead to signature bytes is small. | |
320 | * So most of the time it will be one of the last two cases. | |
321 | * | |
322 | * In any case, EVP_PKEY_verify should not return 1 for valid. | |
323 | */ | |
324 | offset = tbs[0] % sig_len; | |
325 | dirt = tbs[1] ? tbs[1] : 1; | |
326 | sig[offset] ^= dirt; | |
fda127be RL |
327 | if (!TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey)) |
328 | || (as == EVP_PKEY_SM2 && !set_sm2_id(mctx, pkey)) | |
3995de2c | 329 | || !TEST_int_ne(EVP_DigestVerify(mctx, sig, sig_len, tbs, sizeof(tbs)), 1) |
3995de2c | 330 | || !TEST_true(EVP_MD_CTX_reset(mctx))) |
1a31d801 BB |
331 | goto err; |
332 | /* un-muck and test it verifies */ | |
333 | sig[offset] ^= dirt; | |
fda127be RL |
334 | if (!TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey)) |
335 | || (as == EVP_PKEY_SM2 && !set_sm2_id(mctx, pkey)) | |
3995de2c | 336 | || !TEST_int_eq(EVP_DigestVerify(mctx, sig, sig_len, tbs, sizeof(tbs)), 1) |
3995de2c | 337 | || !TEST_true(EVP_MD_CTX_reset(mctx))) |
1a31d801 | 338 | goto err; |
0f113f3e | 339 | |
1a31d801 BB |
340 | ret = 1; |
341 | err: | |
342 | EVP_PKEY_free(pkey); | |
343 | EVP_PKEY_free(pkey_neg); | |
2145ba5e | 344 | EVP_PKEY_free(dup_pk); |
1a31d801 BB |
345 | EVP_MD_CTX_free(mctx); |
346 | OPENSSL_free(sig); | |
0f113f3e MC |
347 | return ret; |
348 | } | |
3995de2c RL |
349 | |
350 | static int test_builtin_as_ec(int n) | |
351 | { | |
352 | return test_builtin(n, EVP_PKEY_EC); | |
353 | } | |
354 | ||
9afaa8d6 | 355 | # ifndef OPENSSL_NO_SM2 |
3995de2c RL |
356 | static int test_builtin_as_sm2(int n) |
357 | { | |
358 | return test_builtin(n, EVP_PKEY_SM2); | |
359 | } | |
9afaa8d6 MC |
360 | # endif |
361 | #endif /* OPENSSL_NO_EC */ | |
4d94ae00 | 362 | |
ad887416 | 363 | int setup_tests(void) |
0f113f3e | 364 | { |
a69de3f2 P |
365 | #ifdef OPENSSL_NO_EC |
366 | TEST_note("Elliptic curves are disabled."); | |
367 | #else | |
332a245c P |
368 | fake_rand = fake_rand_start(NULL); |
369 | if (fake_rand == NULL) | |
370 | return 0; | |
371 | ||
1a31d801 BB |
372 | /* get a list of all internal curves */ |
373 | crv_len = EC_get_builtin_curves(NULL, 0); | |
374 | if (!TEST_ptr(curves = OPENSSL_malloc(sizeof(*curves) * crv_len)) | |
332a245c P |
375 | || !TEST_true(EC_get_builtin_curves(curves, crv_len))) { |
376 | fake_rand_finish(fake_rand); | |
1a31d801 | 377 | return 0; |
332a245c | 378 | } |
3995de2c | 379 | ADD_ALL_TESTS(test_builtin_as_ec, crv_len); |
9afaa8d6 | 380 | # ifndef OPENSSL_NO_SM2 |
3995de2c | 381 | ADD_ALL_TESTS(test_builtin_as_sm2, crv_len); |
9afaa8d6 | 382 | # endif |
1a31d801 | 383 | ADD_ALL_TESTS(x9_62_tests, OSSL_NELEM(ecdsa_cavs_kats)); |
a69de3f2 | 384 | #endif |
ad887416 | 385 | return 1; |
0f113f3e | 386 | } |
1a31d801 BB |
387 | |
388 | void cleanup_tests(void) | |
389 | { | |
390 | #ifndef OPENSSL_NO_EC | |
332a245c | 391 | fake_rand_finish(fake_rand); |
1a31d801 BB |
392 | OPENSSL_free(curves); |
393 | #endif | |
394 | } |