]>
Commit | Line | Data |
---|---|---|
2b32b281 | 1 | /* |
b0edda11 | 2 | * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved. |
aa8f3d76 | 3 | * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved |
4d94ae00 | 4 | * |
909f1a2e | 5 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
440e5d80 RS |
6 | * this file except in compliance with the License. You can obtain a copy |
7 | * in the file LICENSE in the source distribution or at | |
8 | * https://www.openssl.org/source/license.html | |
4d94ae00 | 9 | */ |
440e5d80 | 10 | |
10bf4fc2 | 11 | #include <openssl/opensslconf.h> /* To see if OPENSSL_NO_EC is defined */ |
b770a80f | 12 | #include "testutil.h" |
3b6aa36c | 13 | |
a69de3f2 | 14 | #ifndef OPENSSL_NO_EC |
4d94ae00 | 15 | |
0f113f3e MC |
16 | # include <openssl/evp.h> |
17 | # include <openssl/bn.h> | |
fb29bb59 | 18 | # include <openssl/ec.h> |
0f113f3e | 19 | # include <openssl/rand.h> |
1a31d801 BB |
20 | # include "internal/nelem.h" |
21 | # include "ecdsatest.h" | |
690ecff7 | 22 | |
2b32b281 | 23 | /* functions to change the RAND_METHOD */ |
b66411f6 | 24 | static int fbytes(unsigned char *buf, int num); |
2b32b281 | 25 | |
df2ee0e2 BL |
26 | static RAND_METHOD fake_rand; |
27 | static const RAND_METHOD *old_rand; | |
1a31d801 BB |
28 | static int use_fake = 0; |
29 | static const char *numbers[2]; | |
30 | static size_t crv_len = 0; | |
31 | static EC_builtin_curve *curves = NULL; | |
2b32b281 | 32 | |
b66411f6 | 33 | static int change_rand(void) |
0f113f3e MC |
34 | { |
35 | /* save old rand method */ | |
b66411f6 | 36 | if (!TEST_ptr(old_rand = RAND_get_rand_method())) |
0f113f3e MC |
37 | return 0; |
38 | ||
b66411f6 | 39 | fake_rand = *old_rand; |
0f113f3e MC |
40 | /* use own random function */ |
41 | fake_rand.bytes = fbytes; | |
0f113f3e | 42 | /* set new RAND_METHOD */ |
b66411f6 | 43 | if (!TEST_true(RAND_set_rand_method(&fake_rand))) |
0f113f3e MC |
44 | return 0; |
45 | return 1; | |
46 | } | |
2b32b281 | 47 | |
b66411f6 | 48 | static int restore_rand(void) |
0f113f3e | 49 | { |
b66411f6 | 50 | if (!TEST_true(RAND_set_rand_method(old_rand))) |
0f113f3e | 51 | return 0; |
b66411f6 | 52 | return 1; |
0f113f3e | 53 | } |
4d94ae00 | 54 | |
b66411f6 | 55 | static int fbytes(unsigned char *buf, int num) |
0f113f3e | 56 | { |
b66411f6 | 57 | int ret = 0; |
1a31d801 | 58 | static int fbytes_counter = 0; |
0f113f3e MC |
59 | BIGNUM *tmp = NULL; |
60 | ||
61 | if (use_fake == 0) | |
62 | return old_rand->bytes(buf, num); | |
63 | ||
64 | use_fake = 0; | |
65 | ||
1a31d801 BB |
66 | if (!TEST_ptr(tmp = BN_new()) |
67 | || !TEST_int_lt(fbytes_counter, OSSL_NELEM(numbers)) | |
68 | || !TEST_true(BN_hex2bn(&tmp, numbers[fbytes_counter])) | |
69 | /* tmp might need leading zeros so pad it out */ | |
70 | || !TEST_int_le(BN_num_bytes(tmp), num) | |
71 | || !TEST_true(BN_bn2binpad(tmp, buf, num))) | |
72 | goto err; | |
73 | ||
74 | fbytes_counter = (fbytes_counter + 1) % OSSL_NELEM(numbers); | |
75 | ret = 1; | |
76 | err: | |
0f113f3e MC |
77 | BN_free(tmp); |
78 | return ret; | |
79 | } | |
2b32b281 | 80 | |
1a31d801 BB |
81 | /*- |
82 | * This function hijacks the RNG to feed it the chosen ECDSA key and nonce. | |
83 | * The ECDSA KATs are from: | |
84 | * - the X9.62 draft (4) | |
85 | * - NIST CAVP (720) | |
86 | * | |
87 | * It uses the low-level ECDSA_sign_setup instead of EVP to control the RNG. | |
88 | * NB: This is not how applications should use ECDSA; this is only for testing. | |
89 | * | |
90 | * Tests the library can successfully: | |
91 | * - generate public keys that matches those KATs | |
92 | * - create ECDSA signatures that match those KATs | |
93 | * - accept those signatures as valid | |
94 | */ | |
95 | static int x9_62_tests(int n) | |
0f113f3e | 96 | { |
1a31d801 BB |
97 | int nid, md_nid, ret = 0; |
98 | const char *r_in = NULL, *s_in = NULL, *tbs = NULL; | |
99 | unsigned char *pbuf = NULL, *qbuf = NULL, *message = NULL; | |
100 | unsigned char digest[EVP_MAX_MD_SIZE]; | |
0f113f3e | 101 | unsigned int dgst_len = 0; |
1a31d801 BB |
102 | long q_len, msg_len = 0; |
103 | size_t p_len; | |
104 | EVP_MD_CTX *mctx = NULL; | |
0f113f3e MC |
105 | EC_KEY *key = NULL; |
106 | ECDSA_SIG *signature = NULL; | |
107 | BIGNUM *r = NULL, *s = NULL; | |
108 | BIGNUM *kinv = NULL, *rp = NULL; | |
1a31d801 BB |
109 | const BIGNUM *sig_r = NULL, *sig_s = NULL; |
110 | ||
111 | nid = ecdsa_cavs_kats[n].nid; | |
112 | md_nid = ecdsa_cavs_kats[n].md_nid; | |
113 | r_in = ecdsa_cavs_kats[n].r; | |
114 | s_in = ecdsa_cavs_kats[n].s; | |
115 | tbs = ecdsa_cavs_kats[n].msg; | |
116 | numbers[0] = ecdsa_cavs_kats[n].d; | |
117 | numbers[1] = ecdsa_cavs_kats[n].k; | |
118 | ||
119 | TEST_info("ECDSA KATs for curve %s", OBJ_nid2sn(nid)); | |
120 | ||
121 | if (!TEST_ptr(mctx = EVP_MD_CTX_new()) | |
122 | /* get the message digest */ | |
123 | || !TEST_ptr(message = OPENSSL_hexstr2buf(tbs, &msg_len)) | |
124 | || !TEST_true(EVP_DigestInit_ex(mctx, EVP_get_digestbynid(md_nid), NULL)) | |
125 | || !TEST_true(EVP_DigestUpdate(mctx, message, msg_len)) | |
126 | || !TEST_true(EVP_DigestFinal_ex(mctx, digest, &dgst_len)) | |
127 | /* create the key */ | |
128 | || !TEST_ptr(key = EC_KEY_new_by_curve_name(nid)) | |
129 | /* load KAT variables */ | |
130 | || !TEST_ptr(r = BN_new()) | |
131 | || !TEST_ptr(s = BN_new()) | |
132 | || !TEST_true(BN_hex2bn(&r, r_in)) | |
133 | || !TEST_true(BN_hex2bn(&s, s_in)) | |
134 | /* swap the RNG source */ | |
135 | || !TEST_true(change_rand())) | |
136 | goto err; | |
137 | ||
138 | /* public key must match KAT */ | |
0f113f3e | 139 | use_fake = 1; |
1a31d801 BB |
140 | if (!TEST_true(EC_KEY_generate_key(key)) |
141 | || !TEST_true(p_len = EC_KEY_key2buf(key, POINT_CONVERSION_UNCOMPRESSED, | |
142 | &pbuf, NULL)) | |
143 | || !TEST_ptr(qbuf = OPENSSL_hexstr2buf(ecdsa_cavs_kats[n].Q, &q_len)) | |
144 | || !TEST_int_eq(q_len, p_len) | |
145 | || !TEST_mem_eq(qbuf, q_len, pbuf, p_len)) | |
146 | goto err; | |
147 | ||
148 | /* create the signature via ECDSA_sign_setup to avoid use of ECDSA nonces */ | |
0f113f3e | 149 | use_fake = 1; |
1a31d801 BB |
150 | if (!TEST_true(ECDSA_sign_setup(key, NULL, &kinv, &rp)) |
151 | || !TEST_ptr(signature = ECDSA_do_sign_ex(digest, dgst_len, | |
152 | kinv, rp, key)) | |
153 | /* verify the signature */ | |
154 | || !TEST_int_eq(ECDSA_do_verify(digest, dgst_len, signature, key), 1)) | |
155 | goto err; | |
b66411f6 | 156 | |
0f113f3e | 157 | /* compare the created signature with the expected signature */ |
9267c11b | 158 | ECDSA_SIG_get0(signature, &sig_r, &sig_s); |
dc352c19 | 159 | if (!TEST_BN_eq(sig_r, r) |
1a31d801 BB |
160 | || !TEST_BN_eq(sig_s, s)) |
161 | goto err; | |
0f113f3e | 162 | |
0f113f3e | 163 | ret = 1; |
b66411f6 | 164 | |
1a31d801 BB |
165 | err: |
166 | /* restore the RNG source */ | |
167 | if (!TEST_true(restore_rand())) | |
168 | ret = 0; | |
169 | ||
170 | OPENSSL_free(message); | |
171 | OPENSSL_free(pbuf); | |
172 | OPENSSL_free(qbuf); | |
8fdc3734 | 173 | EC_KEY_free(key); |
25aaa98a | 174 | ECDSA_SIG_free(signature); |
23a1d5e9 RS |
175 | BN_free(r); |
176 | BN_free(s); | |
1a31d801 | 177 | EVP_MD_CTX_free(mctx); |
23a1d5e9 RS |
178 | BN_clear_free(kinv); |
179 | BN_clear_free(rp); | |
0f113f3e MC |
180 | return ret; |
181 | } | |
4d94ae00 | 182 | |
1a31d801 BB |
183 | /*- |
184 | * Positive and negative ECDSA testing through EVP interface: | |
185 | * - EVP_DigestSign (this is the one-shot version) | |
186 | * - EVP_DigestVerify | |
187 | * | |
188 | * Tests the library can successfully: | |
189 | * - create a key | |
190 | * - create a signature | |
191 | * - accept that signature | |
192 | * - reject that signature with a different public key | |
193 | * - reject that signature if its length is not correct | |
194 | * - reject that signature after modifying the message | |
195 | * - accept that signature after un-modifying the message | |
196 | * - reject that signature after modifying the signature | |
197 | * - accept that signature after un-modifying the signature | |
198 | */ | |
199 | static int test_builtin(int n) | |
0f113f3e | 200 | { |
1a31d801 BB |
201 | EC_KEY *eckey_neg = NULL, *eckey = NULL; |
202 | unsigned char dirt, offset, tbs[128]; | |
203 | unsigned char *sig = NULL; | |
204 | EVP_PKEY *pkey_neg = NULL, *pkey = NULL; | |
205 | EVP_MD_CTX *mctx = NULL; | |
206 | size_t sig_len; | |
0f113f3e | 207 | int nid, ret = 0; |
68ad17e8 | 208 | int temp; |
0f113f3e | 209 | |
1a31d801 | 210 | nid = curves[n].nid; |
0f113f3e | 211 | |
1a31d801 BB |
212 | /* skip built-in curves where ord(G) is not prime */ |
213 | if (nid == NID_ipsec4 || nid == NID_ipsec3) { | |
214 | TEST_info("skipped: ECDSA unsupported for curve %s", OBJ_nid2sn(nid)); | |
215 | return 1; | |
0f113f3e MC |
216 | } |
217 | ||
1a31d801 BB |
218 | TEST_info("testing ECDSA for curve %s", OBJ_nid2sn(nid)); |
219 | ||
220 | if (!TEST_ptr(mctx = EVP_MD_CTX_new()) | |
221 | /* get some random message data */ | |
222 | || !TEST_true(RAND_bytes(tbs, sizeof(tbs))) | |
223 | /* real key */ | |
224 | || !TEST_ptr(eckey = EC_KEY_new_by_curve_name(nid)) | |
225 | || !TEST_true(EC_KEY_generate_key(eckey)) | |
226 | || !TEST_ptr(pkey = EVP_PKEY_new()) | |
227 | || !TEST_true(EVP_PKEY_assign_EC_KEY(pkey, eckey)) | |
228 | /* fake key for negative testing */ | |
229 | || !TEST_ptr(eckey_neg = EC_KEY_new_by_curve_name(nid)) | |
230 | || !TEST_true(EC_KEY_generate_key(eckey_neg)) | |
231 | || !TEST_ptr(pkey_neg = EVP_PKEY_new()) | |
232 | || !TEST_true(EVP_PKEY_assign_EC_KEY(pkey_neg, eckey_neg))) | |
233 | goto err; | |
234 | ||
68ad17e8 | 235 | temp = ECDSA_size(eckey); |
1a31d801 | 236 | |
68ad17e8 P |
237 | if (!TEST_int_ge(temp, 0) |
238 | || !TEST_ptr(sig = OPENSSL_malloc(sig_len = (size_t)temp)) | |
1a31d801 BB |
239 | /* create a signature */ |
240 | || !TEST_true(EVP_DigestSignInit(mctx, NULL, NULL, NULL, pkey)) | |
241 | || !TEST_true(EVP_DigestSign(mctx, sig, &sig_len, tbs, sizeof(tbs))) | |
242 | || !TEST_int_le(sig_len, ECDSA_size(eckey)) | |
243 | /* negative test, verify with wrong key, 0 return */ | |
244 | || !TEST_true(EVP_MD_CTX_reset(mctx)) | |
245 | || !TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey_neg)) | |
246 | || !TEST_int_eq(EVP_DigestVerify(mctx, sig, sig_len, tbs, sizeof(tbs)), 0) | |
247 | /* negative test, verify with wrong signature length, -1 return */ | |
248 | || !TEST_true(EVP_MD_CTX_reset(mctx)) | |
249 | || !TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey)) | |
250 | || !TEST_int_eq(EVP_DigestVerify(mctx, sig, sig_len - 1, tbs, sizeof(tbs)), -1) | |
251 | /* positive test, verify with correct key, 1 return */ | |
252 | || !TEST_true(EVP_MD_CTX_reset(mctx)) | |
253 | || !TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey)) | |
254 | || !TEST_int_eq(EVP_DigestVerify(mctx, sig, sig_len, tbs, sizeof(tbs)), 1)) | |
255 | goto err; | |
256 | ||
257 | /* muck with the message, test it fails with 0 return */ | |
258 | tbs[0] ^= 1; | |
259 | if (!TEST_true(EVP_MD_CTX_reset(mctx)) | |
260 | || !TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey)) | |
261 | || !TEST_int_eq(EVP_DigestVerify(mctx, sig, sig_len, tbs, sizeof(tbs)), 0)) | |
262 | goto err; | |
263 | /* un-muck and test it verifies */ | |
264 | tbs[0] ^= 1; | |
265 | if (!TEST_true(EVP_MD_CTX_reset(mctx)) | |
266 | || !TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey)) | |
267 | || !TEST_int_eq(EVP_DigestVerify(mctx, sig, sig_len, tbs, sizeof(tbs)), 1)) | |
268 | goto err; | |
269 | ||
270 | /*- | |
271 | * Muck with the ECDSA signature. The DER encoding is one of: | |
272 | * - 30 LL 02 .. | |
273 | * - 30 81 LL 02 .. | |
274 | * | |
275 | * - Sometimes this mucks with the high level DER sequence wrapper: | |
276 | * in that case, DER-parsing of the whole signature should fail. | |
277 | * | |
278 | * - Sometimes this mucks with the DER-encoding of ECDSA.r: | |
279 | * in that case, DER-parsing of ECDSA.r should fail. | |
280 | * | |
281 | * - Sometimes this mucks with the DER-encoding of ECDSA.s: | |
282 | * in that case, DER-parsing of ECDSA.s should fail. | |
283 | * | |
284 | * - Sometimes this mucks with ECDSA.r: | |
285 | * in that case, the signature verification should fail. | |
286 | * | |
287 | * - Sometimes this mucks with ECDSA.s: | |
288 | * in that case, the signature verification should fail. | |
289 | * | |
290 | * The usual case is changing the integer value of ECDSA.r or ECDSA.s. | |
291 | * Because the ratio of DER overhead to signature bytes is small. | |
292 | * So most of the time it will be one of the last two cases. | |
293 | * | |
294 | * In any case, EVP_PKEY_verify should not return 1 for valid. | |
295 | */ | |
296 | offset = tbs[0] % sig_len; | |
297 | dirt = tbs[1] ? tbs[1] : 1; | |
298 | sig[offset] ^= dirt; | |
299 | if (!TEST_true(EVP_MD_CTX_reset(mctx)) | |
300 | || !TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey)) | |
301 | || !TEST_int_ne(EVP_DigestVerify(mctx, sig, sig_len, tbs, sizeof(tbs)), 1)) | |
302 | goto err; | |
303 | /* un-muck and test it verifies */ | |
304 | sig[offset] ^= dirt; | |
305 | if (!TEST_true(EVP_MD_CTX_reset(mctx)) | |
306 | || !TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey)) | |
307 | || !TEST_int_eq(EVP_DigestVerify(mctx, sig, sig_len, tbs, sizeof(tbs)), 1)) | |
308 | goto err; | |
0f113f3e | 309 | |
1a31d801 BB |
310 | ret = 1; |
311 | err: | |
312 | EVP_PKEY_free(pkey); | |
313 | EVP_PKEY_free(pkey_neg); | |
314 | EVP_MD_CTX_free(mctx); | |
315 | OPENSSL_free(sig); | |
0f113f3e MC |
316 | return ret; |
317 | } | |
1297ef99 | 318 | #endif |
4d94ae00 | 319 | |
ad887416 | 320 | int setup_tests(void) |
0f113f3e | 321 | { |
a69de3f2 P |
322 | #ifdef OPENSSL_NO_EC |
323 | TEST_note("Elliptic curves are disabled."); | |
324 | #else | |
1a31d801 BB |
325 | /* get a list of all internal curves */ |
326 | crv_len = EC_get_builtin_curves(NULL, 0); | |
327 | if (!TEST_ptr(curves = OPENSSL_malloc(sizeof(*curves) * crv_len)) | |
328 | || !TEST_true(EC_get_builtin_curves(curves, crv_len))) | |
329 | return 0; | |
330 | ADD_ALL_TESTS(test_builtin, crv_len); | |
331 | ADD_ALL_TESTS(x9_62_tests, OSSL_NELEM(ecdsa_cavs_kats)); | |
a69de3f2 | 332 | #endif |
ad887416 | 333 | return 1; |
0f113f3e | 334 | } |
1a31d801 BB |
335 | |
336 | void cleanup_tests(void) | |
337 | { | |
338 | #ifndef OPENSSL_NO_EC | |
339 | OPENSSL_free(curves); | |
340 | #endif | |
341 | } |