]>
Commit | Line | Data |
---|---|---|
2b32b281 | 1 | /* |
b0edda11 | 2 | * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved. |
aa8f3d76 | 3 | * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved |
4d94ae00 | 4 | * |
909f1a2e | 5 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
440e5d80 RS |
6 | * this file except in compliance with the License. You can obtain a copy |
7 | * in the file LICENSE in the source distribution or at | |
8 | * https://www.openssl.org/source/license.html | |
4d94ae00 | 9 | */ |
440e5d80 | 10 | |
10bf4fc2 | 11 | #include <openssl/opensslconf.h> /* To see if OPENSSL_NO_EC is defined */ |
b770a80f | 12 | #include "testutil.h" |
3b6aa36c | 13 | |
a69de3f2 | 14 | #ifndef OPENSSL_NO_EC |
4d94ae00 | 15 | |
0f113f3e MC |
16 | # include <openssl/evp.h> |
17 | # include <openssl/bn.h> | |
fb29bb59 | 18 | # include <openssl/ec.h> |
0f113f3e | 19 | # include <openssl/rand.h> |
1a31d801 BB |
20 | # include "internal/nelem.h" |
21 | # include "ecdsatest.h" | |
690ecff7 | 22 | |
2b32b281 | 23 | /* functions to change the RAND_METHOD */ |
b66411f6 | 24 | static int fbytes(unsigned char *buf, int num); |
2b32b281 | 25 | |
df2ee0e2 BL |
26 | static RAND_METHOD fake_rand; |
27 | static const RAND_METHOD *old_rand; | |
1a31d801 BB |
28 | static int use_fake = 0; |
29 | static const char *numbers[2]; | |
30 | static size_t crv_len = 0; | |
31 | static EC_builtin_curve *curves = NULL; | |
2b32b281 | 32 | |
b66411f6 | 33 | static int change_rand(void) |
0f113f3e MC |
34 | { |
35 | /* save old rand method */ | |
b66411f6 | 36 | if (!TEST_ptr(old_rand = RAND_get_rand_method())) |
0f113f3e MC |
37 | return 0; |
38 | ||
b66411f6 | 39 | fake_rand = *old_rand; |
0f113f3e MC |
40 | /* use own random function */ |
41 | fake_rand.bytes = fbytes; | |
0f113f3e | 42 | /* set new RAND_METHOD */ |
b66411f6 | 43 | if (!TEST_true(RAND_set_rand_method(&fake_rand))) |
0f113f3e MC |
44 | return 0; |
45 | return 1; | |
46 | } | |
2b32b281 | 47 | |
b66411f6 | 48 | static int restore_rand(void) |
0f113f3e | 49 | { |
b66411f6 | 50 | if (!TEST_true(RAND_set_rand_method(old_rand))) |
0f113f3e | 51 | return 0; |
b66411f6 | 52 | return 1; |
0f113f3e | 53 | } |
4d94ae00 | 54 | |
b66411f6 | 55 | static int fbytes(unsigned char *buf, int num) |
0f113f3e | 56 | { |
b66411f6 | 57 | int ret = 0; |
1a31d801 | 58 | static int fbytes_counter = 0; |
0f113f3e MC |
59 | BIGNUM *tmp = NULL; |
60 | ||
61 | if (use_fake == 0) | |
62 | return old_rand->bytes(buf, num); | |
63 | ||
64 | use_fake = 0; | |
65 | ||
1a31d801 BB |
66 | if (!TEST_ptr(tmp = BN_new()) |
67 | || !TEST_int_lt(fbytes_counter, OSSL_NELEM(numbers)) | |
68 | || !TEST_true(BN_hex2bn(&tmp, numbers[fbytes_counter])) | |
69 | /* tmp might need leading zeros so pad it out */ | |
70 | || !TEST_int_le(BN_num_bytes(tmp), num) | |
71 | || !TEST_true(BN_bn2binpad(tmp, buf, num))) | |
72 | goto err; | |
73 | ||
74 | fbytes_counter = (fbytes_counter + 1) % OSSL_NELEM(numbers); | |
75 | ret = 1; | |
76 | err: | |
0f113f3e MC |
77 | BN_free(tmp); |
78 | return ret; | |
79 | } | |
2b32b281 | 80 | |
1a31d801 BB |
81 | /*- |
82 | * This function hijacks the RNG to feed it the chosen ECDSA key and nonce. | |
83 | * The ECDSA KATs are from: | |
84 | * - the X9.62 draft (4) | |
85 | * - NIST CAVP (720) | |
86 | * | |
87 | * It uses the low-level ECDSA_sign_setup instead of EVP to control the RNG. | |
88 | * NB: This is not how applications should use ECDSA; this is only for testing. | |
89 | * | |
90 | * Tests the library can successfully: | |
91 | * - generate public keys that matches those KATs | |
92 | * - create ECDSA signatures that match those KATs | |
93 | * - accept those signatures as valid | |
94 | */ | |
95 | static int x9_62_tests(int n) | |
0f113f3e | 96 | { |
1a31d801 BB |
97 | int nid, md_nid, ret = 0; |
98 | const char *r_in = NULL, *s_in = NULL, *tbs = NULL; | |
99 | unsigned char *pbuf = NULL, *qbuf = NULL, *message = NULL; | |
100 | unsigned char digest[EVP_MAX_MD_SIZE]; | |
0f113f3e | 101 | unsigned int dgst_len = 0; |
1a31d801 BB |
102 | long q_len, msg_len = 0; |
103 | size_t p_len; | |
104 | EVP_MD_CTX *mctx = NULL; | |
0f113f3e MC |
105 | EC_KEY *key = NULL; |
106 | ECDSA_SIG *signature = NULL; | |
107 | BIGNUM *r = NULL, *s = NULL; | |
108 | BIGNUM *kinv = NULL, *rp = NULL; | |
1a31d801 BB |
109 | const BIGNUM *sig_r = NULL, *sig_s = NULL; |
110 | ||
111 | nid = ecdsa_cavs_kats[n].nid; | |
112 | md_nid = ecdsa_cavs_kats[n].md_nid; | |
113 | r_in = ecdsa_cavs_kats[n].r; | |
114 | s_in = ecdsa_cavs_kats[n].s; | |
115 | tbs = ecdsa_cavs_kats[n].msg; | |
116 | numbers[0] = ecdsa_cavs_kats[n].d; | |
117 | numbers[1] = ecdsa_cavs_kats[n].k; | |
118 | ||
119 | TEST_info("ECDSA KATs for curve %s", OBJ_nid2sn(nid)); | |
120 | ||
10c25644 SL |
121 | #ifdef FIPS_MODE |
122 | if (EC_curve_nid2nist(nid) == NULL) | |
123 | return TEST_skip("skip non approved curves"); | |
124 | #endif /* FIPS_MODE */ | |
125 | ||
1a31d801 BB |
126 | if (!TEST_ptr(mctx = EVP_MD_CTX_new()) |
127 | /* get the message digest */ | |
128 | || !TEST_ptr(message = OPENSSL_hexstr2buf(tbs, &msg_len)) | |
129 | || !TEST_true(EVP_DigestInit_ex(mctx, EVP_get_digestbynid(md_nid), NULL)) | |
130 | || !TEST_true(EVP_DigestUpdate(mctx, message, msg_len)) | |
131 | || !TEST_true(EVP_DigestFinal_ex(mctx, digest, &dgst_len)) | |
132 | /* create the key */ | |
133 | || !TEST_ptr(key = EC_KEY_new_by_curve_name(nid)) | |
134 | /* load KAT variables */ | |
135 | || !TEST_ptr(r = BN_new()) | |
136 | || !TEST_ptr(s = BN_new()) | |
137 | || !TEST_true(BN_hex2bn(&r, r_in)) | |
138 | || !TEST_true(BN_hex2bn(&s, s_in)) | |
139 | /* swap the RNG source */ | |
140 | || !TEST_true(change_rand())) | |
141 | goto err; | |
142 | ||
143 | /* public key must match KAT */ | |
0f113f3e | 144 | use_fake = 1; |
1a31d801 BB |
145 | if (!TEST_true(EC_KEY_generate_key(key)) |
146 | || !TEST_true(p_len = EC_KEY_key2buf(key, POINT_CONVERSION_UNCOMPRESSED, | |
147 | &pbuf, NULL)) | |
148 | || !TEST_ptr(qbuf = OPENSSL_hexstr2buf(ecdsa_cavs_kats[n].Q, &q_len)) | |
149 | || !TEST_int_eq(q_len, p_len) | |
150 | || !TEST_mem_eq(qbuf, q_len, pbuf, p_len)) | |
151 | goto err; | |
152 | ||
153 | /* create the signature via ECDSA_sign_setup to avoid use of ECDSA nonces */ | |
0f113f3e | 154 | use_fake = 1; |
1a31d801 BB |
155 | if (!TEST_true(ECDSA_sign_setup(key, NULL, &kinv, &rp)) |
156 | || !TEST_ptr(signature = ECDSA_do_sign_ex(digest, dgst_len, | |
157 | kinv, rp, key)) | |
158 | /* verify the signature */ | |
159 | || !TEST_int_eq(ECDSA_do_verify(digest, dgst_len, signature, key), 1)) | |
160 | goto err; | |
b66411f6 | 161 | |
0f113f3e | 162 | /* compare the created signature with the expected signature */ |
9267c11b | 163 | ECDSA_SIG_get0(signature, &sig_r, &sig_s); |
dc352c19 | 164 | if (!TEST_BN_eq(sig_r, r) |
1a31d801 BB |
165 | || !TEST_BN_eq(sig_s, s)) |
166 | goto err; | |
0f113f3e | 167 | |
0f113f3e | 168 | ret = 1; |
b66411f6 | 169 | |
1a31d801 BB |
170 | err: |
171 | /* restore the RNG source */ | |
172 | if (!TEST_true(restore_rand())) | |
173 | ret = 0; | |
174 | ||
175 | OPENSSL_free(message); | |
176 | OPENSSL_free(pbuf); | |
177 | OPENSSL_free(qbuf); | |
8fdc3734 | 178 | EC_KEY_free(key); |
25aaa98a | 179 | ECDSA_SIG_free(signature); |
23a1d5e9 RS |
180 | BN_free(r); |
181 | BN_free(s); | |
1a31d801 | 182 | EVP_MD_CTX_free(mctx); |
23a1d5e9 RS |
183 | BN_clear_free(kinv); |
184 | BN_clear_free(rp); | |
0f113f3e MC |
185 | return ret; |
186 | } | |
4d94ae00 | 187 | |
1a31d801 BB |
188 | /*- |
189 | * Positive and negative ECDSA testing through EVP interface: | |
190 | * - EVP_DigestSign (this is the one-shot version) | |
191 | * - EVP_DigestVerify | |
192 | * | |
193 | * Tests the library can successfully: | |
194 | * - create a key | |
195 | * - create a signature | |
196 | * - accept that signature | |
197 | * - reject that signature with a different public key | |
198 | * - reject that signature if its length is not correct | |
199 | * - reject that signature after modifying the message | |
200 | * - accept that signature after un-modifying the message | |
201 | * - reject that signature after modifying the signature | |
202 | * - accept that signature after un-modifying the signature | |
203 | */ | |
204 | static int test_builtin(int n) | |
0f113f3e | 205 | { |
1a31d801 BB |
206 | EC_KEY *eckey_neg = NULL, *eckey = NULL; |
207 | unsigned char dirt, offset, tbs[128]; | |
208 | unsigned char *sig = NULL; | |
209 | EVP_PKEY *pkey_neg = NULL, *pkey = NULL; | |
210 | EVP_MD_CTX *mctx = NULL; | |
211 | size_t sig_len; | |
0f113f3e | 212 | int nid, ret = 0; |
68ad17e8 | 213 | int temp; |
0f113f3e | 214 | |
1a31d801 | 215 | nid = curves[n].nid; |
0f113f3e | 216 | |
1a31d801 BB |
217 | /* skip built-in curves where ord(G) is not prime */ |
218 | if (nid == NID_ipsec4 || nid == NID_ipsec3) { | |
219 | TEST_info("skipped: ECDSA unsupported for curve %s", OBJ_nid2sn(nid)); | |
220 | return 1; | |
0f113f3e MC |
221 | } |
222 | ||
1a31d801 BB |
223 | TEST_info("testing ECDSA for curve %s", OBJ_nid2sn(nid)); |
224 | ||
225 | if (!TEST_ptr(mctx = EVP_MD_CTX_new()) | |
226 | /* get some random message data */ | |
227 | || !TEST_true(RAND_bytes(tbs, sizeof(tbs))) | |
228 | /* real key */ | |
229 | || !TEST_ptr(eckey = EC_KEY_new_by_curve_name(nid)) | |
230 | || !TEST_true(EC_KEY_generate_key(eckey)) | |
231 | || !TEST_ptr(pkey = EVP_PKEY_new()) | |
232 | || !TEST_true(EVP_PKEY_assign_EC_KEY(pkey, eckey)) | |
233 | /* fake key for negative testing */ | |
234 | || !TEST_ptr(eckey_neg = EC_KEY_new_by_curve_name(nid)) | |
235 | || !TEST_true(EC_KEY_generate_key(eckey_neg)) | |
236 | || !TEST_ptr(pkey_neg = EVP_PKEY_new()) | |
237 | || !TEST_true(EVP_PKEY_assign_EC_KEY(pkey_neg, eckey_neg))) | |
238 | goto err; | |
239 | ||
68ad17e8 | 240 | temp = ECDSA_size(eckey); |
1a31d801 | 241 | |
68ad17e8 P |
242 | if (!TEST_int_ge(temp, 0) |
243 | || !TEST_ptr(sig = OPENSSL_malloc(sig_len = (size_t)temp)) | |
1a31d801 BB |
244 | /* create a signature */ |
245 | || !TEST_true(EVP_DigestSignInit(mctx, NULL, NULL, NULL, pkey)) | |
246 | || !TEST_true(EVP_DigestSign(mctx, sig, &sig_len, tbs, sizeof(tbs))) | |
247 | || !TEST_int_le(sig_len, ECDSA_size(eckey)) | |
248 | /* negative test, verify with wrong key, 0 return */ | |
249 | || !TEST_true(EVP_MD_CTX_reset(mctx)) | |
250 | || !TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey_neg)) | |
251 | || !TEST_int_eq(EVP_DigestVerify(mctx, sig, sig_len, tbs, sizeof(tbs)), 0) | |
252 | /* negative test, verify with wrong signature length, -1 return */ | |
253 | || !TEST_true(EVP_MD_CTX_reset(mctx)) | |
254 | || !TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey)) | |
255 | || !TEST_int_eq(EVP_DigestVerify(mctx, sig, sig_len - 1, tbs, sizeof(tbs)), -1) | |
256 | /* positive test, verify with correct key, 1 return */ | |
257 | || !TEST_true(EVP_MD_CTX_reset(mctx)) | |
258 | || !TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey)) | |
259 | || !TEST_int_eq(EVP_DigestVerify(mctx, sig, sig_len, tbs, sizeof(tbs)), 1)) | |
260 | goto err; | |
261 | ||
262 | /* muck with the message, test it fails with 0 return */ | |
263 | tbs[0] ^= 1; | |
264 | if (!TEST_true(EVP_MD_CTX_reset(mctx)) | |
265 | || !TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey)) | |
266 | || !TEST_int_eq(EVP_DigestVerify(mctx, sig, sig_len, tbs, sizeof(tbs)), 0)) | |
267 | goto err; | |
268 | /* un-muck and test it verifies */ | |
269 | tbs[0] ^= 1; | |
270 | if (!TEST_true(EVP_MD_CTX_reset(mctx)) | |
271 | || !TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey)) | |
272 | || !TEST_int_eq(EVP_DigestVerify(mctx, sig, sig_len, tbs, sizeof(tbs)), 1)) | |
273 | goto err; | |
274 | ||
275 | /*- | |
276 | * Muck with the ECDSA signature. The DER encoding is one of: | |
277 | * - 30 LL 02 .. | |
278 | * - 30 81 LL 02 .. | |
279 | * | |
280 | * - Sometimes this mucks with the high level DER sequence wrapper: | |
281 | * in that case, DER-parsing of the whole signature should fail. | |
282 | * | |
283 | * - Sometimes this mucks with the DER-encoding of ECDSA.r: | |
284 | * in that case, DER-parsing of ECDSA.r should fail. | |
285 | * | |
286 | * - Sometimes this mucks with the DER-encoding of ECDSA.s: | |
287 | * in that case, DER-parsing of ECDSA.s should fail. | |
288 | * | |
289 | * - Sometimes this mucks with ECDSA.r: | |
290 | * in that case, the signature verification should fail. | |
291 | * | |
292 | * - Sometimes this mucks with ECDSA.s: | |
293 | * in that case, the signature verification should fail. | |
294 | * | |
295 | * The usual case is changing the integer value of ECDSA.r or ECDSA.s. | |
296 | * Because the ratio of DER overhead to signature bytes is small. | |
297 | * So most of the time it will be one of the last two cases. | |
298 | * | |
299 | * In any case, EVP_PKEY_verify should not return 1 for valid. | |
300 | */ | |
301 | offset = tbs[0] % sig_len; | |
302 | dirt = tbs[1] ? tbs[1] : 1; | |
303 | sig[offset] ^= dirt; | |
304 | if (!TEST_true(EVP_MD_CTX_reset(mctx)) | |
305 | || !TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey)) | |
306 | || !TEST_int_ne(EVP_DigestVerify(mctx, sig, sig_len, tbs, sizeof(tbs)), 1)) | |
307 | goto err; | |
308 | /* un-muck and test it verifies */ | |
309 | sig[offset] ^= dirt; | |
310 | if (!TEST_true(EVP_MD_CTX_reset(mctx)) | |
311 | || !TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey)) | |
312 | || !TEST_int_eq(EVP_DigestVerify(mctx, sig, sig_len, tbs, sizeof(tbs)), 1)) | |
313 | goto err; | |
0f113f3e | 314 | |
1a31d801 BB |
315 | ret = 1; |
316 | err: | |
317 | EVP_PKEY_free(pkey); | |
318 | EVP_PKEY_free(pkey_neg); | |
319 | EVP_MD_CTX_free(mctx); | |
320 | OPENSSL_free(sig); | |
0f113f3e MC |
321 | return ret; |
322 | } | |
1297ef99 | 323 | #endif |
4d94ae00 | 324 | |
ad887416 | 325 | int setup_tests(void) |
0f113f3e | 326 | { |
a69de3f2 P |
327 | #ifdef OPENSSL_NO_EC |
328 | TEST_note("Elliptic curves are disabled."); | |
329 | #else | |
1a31d801 BB |
330 | /* get a list of all internal curves */ |
331 | crv_len = EC_get_builtin_curves(NULL, 0); | |
332 | if (!TEST_ptr(curves = OPENSSL_malloc(sizeof(*curves) * crv_len)) | |
333 | || !TEST_true(EC_get_builtin_curves(curves, crv_len))) | |
334 | return 0; | |
335 | ADD_ALL_TESTS(test_builtin, crv_len); | |
336 | ADD_ALL_TESTS(x9_62_tests, OSSL_NELEM(ecdsa_cavs_kats)); | |
a69de3f2 | 337 | #endif |
ad887416 | 338 | return 1; |
0f113f3e | 339 | } |
1a31d801 BB |
340 | |
341 | void cleanup_tests(void) | |
342 | { | |
343 | #ifndef OPENSSL_NO_EC | |
344 | OPENSSL_free(curves); | |
345 | #endif | |
346 | } |