[thirdparty/openssl.git] / test / ecdsatest.c

/*
 * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/* ====================================================================
 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
 *
 * Portions of the attached software ("Contribution") are developed by
 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
 *
 * The Contribution is licensed pursuant to the OpenSSL open source
 * license provided above.
 *
 * The elliptic curve binary polynomial software is originally written by
 * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories.
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <openssl/opensslconf.h> /* To see if OPENSSL_NO_EC is defined */

#ifdef OPENSSL_NO_EC
int main(int argc, char *argv[])
{
    puts("Elliptic curves are disabled.");
    return 0;
}
#else

# include <openssl/crypto.h>
# include <openssl/bio.h>
# include <openssl/evp.h>
# include <openssl/bn.h>
# include <openssl/ec.h>
# ifndef OPENSSL_NO_ENGINE
#  include <openssl/engine.h>
# endif
# include <openssl/err.h>
# include <openssl/rand.h>

static const char rnd_seed[] = "string to make the random number generator "
    "think it has entropy";

/* declaration of the test functions */
int x9_62_tests(BIO *);
int x9_62_test_internal(BIO *out, int nid, const char *r, const char *s);
int test_builtin(BIO *);

/* functions to change the RAND_METHOD */
int change_rand(void);
int restore_rand(void);
int fbytes(unsigned char *buf, int num);

static RAND_METHOD fake_rand;
static const RAND_METHOD *old_rand;

int change_rand(void)
{
    /* save old rand method */
    if ((old_rand = RAND_get_rand_method()) == NULL)
        return 0;

    fake_rand.seed = old_rand->seed;
    fake_rand.cleanup = old_rand->cleanup;
    fake_rand.add = old_rand->add;
    fake_rand.status = old_rand->status;
    /* use own random function */
    fake_rand.bytes = fbytes;
    fake_rand.pseudorand = old_rand->bytes;
    /* set new RAND_METHOD */
    if (!RAND_set_rand_method(&fake_rand))
        return 0;
    return 1;
}

int restore_rand(void)
{
    if (!RAND_set_rand_method(old_rand))
        return 0;
    else
        return 1;
}

static int fbytes_counter = 0, use_fake = 0;
static const char *numbers[8] = {
    "651056770906015076056810763456358567190100156695615665659",
    "6140507067065001063065065565667405560006161556565665656654",
    "8763001015071075675010661307616710783570106710677817767166"
        "71676178726717",
    "7000000175690566466555057817571571075705015757757057795755"
        "55657156756655",
    "1275552191113212300012030439187146164646146646466749494799",
    "1542725565216523985789236956265265265235675811949404040041",
    "1456427555219115346513212300075341203043918714616464614664"
        "64667494947990",
    "1712787255652165239672857892369562652652652356758119494040"
        "40041670216363"
};

int fbytes(unsigned char *buf, int num)
{
    int ret;
    BIGNUM *tmp = NULL;

    if (use_fake == 0)
        return old_rand->bytes(buf, num);

    use_fake = 0;

    if (fbytes_counter >= 8)
        return 0;
    tmp = BN_new();
    if (!tmp)
        return 0;
    if (!BN_dec2bn(&tmp, numbers[fbytes_counter])) {
        BN_free(tmp);
        return 0;
    }
    fbytes_counter++;
    if (num != BN_num_bytes(tmp) || !BN_bn2bin(tmp, buf))
        ret = 0;
    else
        ret = 1;
    BN_free(tmp);
    return ret;
}

/* some tests from the X9.62 draft */
int x9_62_test_internal(BIO *out, int nid, const char *r_in, const char *s_in)
{
    int ret = 0;
    const char message[] = "abc";
    unsigned char digest[20];
    unsigned int dgst_len = 0;
    EVP_MD_CTX *md_ctx = EVP_MD_CTX_new();
    EC_KEY *key = NULL;
    ECDSA_SIG *signature = NULL;
    BIGNUM *r = NULL, *s = NULL;
    BIGNUM *kinv = NULL, *rp = NULL;
    const BIGNUM *sig_r, *sig_s;

    if (md_ctx == NULL)
        goto x962_int_err;

    /* get the message digest */
    if (!EVP_DigestInit(md_ctx, EVP_sha1())
        || !EVP_DigestUpdate(md_ctx, (const void *)message, 3)
        || !EVP_DigestFinal(md_ctx, digest, &dgst_len))
        goto x962_int_err;

    BIO_printf(out, "testing %s: ", OBJ_nid2sn(nid));
    /* create the key */
    if ((key = EC_KEY_new_by_curve_name(nid)) == NULL)
        goto x962_int_err;
    use_fake = 1;
    if (!EC_KEY_generate_key(key))
        goto x962_int_err;
    BIO_printf(out, ".");
    (void)BIO_flush(out);
    /* create the signature */
    use_fake = 1;
    /* Use ECDSA_sign_setup to avoid use of ECDSA nonces */
    if (!ECDSA_sign_setup(key, NULL, &kinv, &rp))
        goto x962_int_err;
    signature = ECDSA_do_sign_ex(digest, 20, kinv, rp, key);
    if (signature == NULL)
        goto x962_int_err;
    BIO_printf(out, ".");
    (void)BIO_flush(out);
    /* compare the created signature with the expected signature */
    if ((r = BN_new()) == NULL || (s = BN_new()) == NULL)
        goto x962_int_err;
    if (!BN_dec2bn(&r, r_in) || !BN_dec2bn(&s, s_in))
        goto x962_int_err;
    ECDSA_SIG_get0(signature, &sig_r, &sig_s);
    if (BN_cmp(sig_r, r) || BN_cmp(sig_s, s))
        goto x962_int_err;
    BIO_printf(out, ".");
    (void)BIO_flush(out);
    /* verify the signature */
    if (ECDSA_do_verify(digest, 20, signature, key) != 1)
        goto x962_int_err;
    BIO_printf(out, ".");
    (void)BIO_flush(out);

    BIO_printf(out, " ok\n");
    ret = 1;
 x962_int_err:
    if (!ret)
        BIO_printf(out, " failed\n");
    EC_KEY_free(key);
    ECDSA_SIG_free(signature);
    BN_free(r);
    BN_free(s);
    EVP_MD_CTX_free(md_ctx);
    BN_clear_free(kinv);
    BN_clear_free(rp);
    return ret;
}

int x9_62_tests(BIO *out)
{
    int ret = 0;

    BIO_printf(out, "some tests from X9.62:\n");

    /* set own rand method */
    if (!change_rand())
        goto x962_err;

    if (!x9_62_test_internal(out, NID_X9_62_prime192v1,
                             "3342403536405981729393488334694600415596881826869351677613",
                             "5735822328888155254683894997897571951568553642892029982342"))
        goto x962_err;
    if (!x9_62_test_internal(out, NID_X9_62_prime239v1,
                             "3086361431751678114926225473006680188549593787585317781474"
                             "62058306432176",
                             "3238135532097973577080787768312505059318910517550078427819"
                             "78505179448783"))
        goto x962_err;
# ifndef OPENSSL_NO_EC2M
    if (!x9_62_test_internal(out, NID_X9_62_c2tnb191v1,
                             "87194383164871543355722284926904419997237591535066528048",
                             "308992691965804947361541664549085895292153777025772063598"))
        goto x962_err;
    if (!x9_62_test_internal(out, NID_X9_62_c2tnb239v1,
                             "2159633321041961198501834003903461262881815148684178964245"
                             "5876922391552",
                             "1970303740007316867383349976549972270528498040721988191026"
                             "49413465737174"))
        goto x962_err;
# endif
    ret = 1;
 x962_err:
    if (!restore_rand())
        ret = 0;
    return ret;
}

int test_builtin(BIO *out)
{
    EC_builtin_curve *curves = NULL;
    size_t crv_len = 0, n = 0;
    EC_KEY *eckey = NULL, *wrong_eckey = NULL;
    EC_GROUP *group;
    ECDSA_SIG *ecdsa_sig = NULL, *modified_sig = NULL;
    unsigned char digest[20], wrong_digest[20];
    unsigned char *signature = NULL;
    const unsigned char *sig_ptr;
    unsigned char *sig_ptr2;
    unsigned char *raw_buf = NULL;
    const BIGNUM *sig_r, *sig_s;
    BIGNUM *modified_r = NULL, *modified_s = NULL;
    BIGNUM *unmodified_r = NULL, *unmodified_s = NULL;
    unsigned int sig_len, degree, r_len, s_len, bn_len, buf_len;
    int nid, ret = 0;

    /* fill digest values with some random data */
    if (RAND_bytes(digest, 20) <= 0 || RAND_bytes(wrong_digest, 20) <= 0) {
        BIO_printf(out, "ERROR: unable to get random data\n");
        goto builtin_err;
    }

    /*
     * create and verify a ecdsa signature with every available curve (with )
     */
    BIO_printf(out, "\ntesting ECDSA_sign() and ECDSA_verify() "
               "with some internal curves:\n");

    /* get a list of all internal curves */
    crv_len = EC_get_builtin_curves(NULL, 0);
    curves = OPENSSL_malloc(sizeof(*curves) * crv_len);
    if (curves == NULL) {
        BIO_printf(out, "malloc error\n");
        goto builtin_err;
    }

    if (!EC_get_builtin_curves(curves, crv_len)) {
        BIO_printf(out, "unable to get internal curves\n");
        goto builtin_err;
    }

    /* now create and verify a signature for every curve */
    for (n = 0; n < crv_len; n++) {
        unsigned char dirt, offset;

        nid = curves[n].nid;
        if (nid == NID_ipsec4 || nid == NID_X25519)
            continue;
        /* create new ecdsa key (== EC_KEY) */
        if ((eckey = EC_KEY_new()) == NULL)
            goto builtin_err;
        group = EC_GROUP_new_by_curve_name(nid);
        if (group == NULL)
            goto builtin_err;
        if (EC_KEY_set_group(eckey, group) == 0)
            goto builtin_err;
        EC_GROUP_free(group);
        degree = EC_GROUP_get_degree(EC_KEY_get0_group(eckey));
        if (degree < 160) {
            /* drop the curve */
            EC_KEY_free(eckey);
            eckey = NULL;
            continue;
        }
        BIO_printf(out, "%s: ", OBJ_nid2sn(nid));
        /* create key */
        if (!EC_KEY_generate_key(eckey)) {
            BIO_printf(out, " failed\n");
            goto builtin_err;
        }
        /* create second key */
        if ((wrong_eckey = EC_KEY_new()) == NULL)
            goto builtin_err;
        group = EC_GROUP_new_by_curve_name(nid);
        if (group == NULL)
            goto builtin_err;
        if (EC_KEY_set_group(wrong_eckey, group) == 0)
            goto builtin_err;
        EC_GROUP_free(group);
        if (!EC_KEY_generate_key(wrong_eckey)) {
            BIO_printf(out, " failed\n");
            goto builtin_err;
        }

        BIO_printf(out, ".");
        (void)BIO_flush(out);
        /* check key */
        if (!EC_KEY_check_key(eckey)) {
            BIO_printf(out, " failed\n");
            goto builtin_err;
        }
        BIO_printf(out, ".");
        (void)BIO_flush(out);
        /* create signature */
        sig_len = ECDSA_size(eckey);
        if ((signature = OPENSSL_malloc(sig_len)) == NULL)
            goto builtin_err;
        if (!ECDSA_sign(0, digest, 20, signature, &sig_len, eckey)) {
            BIO_printf(out, " failed\n");
            goto builtin_err;
        }
        BIO_printf(out, ".");
        (void)BIO_flush(out);
        /* verify signature */
        if (ECDSA_verify(0, digest, 20, signature, sig_len, eckey) != 1) {
            BIO_printf(out, " failed\n");
            goto builtin_err;
        }
        BIO_printf(out, ".");
        (void)BIO_flush(out);
        /* verify signature with the wrong key */
        if (ECDSA_verify(0, digest, 20, signature, sig_len, wrong_eckey) == 1) {
            BIO_printf(out, " failed\n");
            goto builtin_err;
        }
        BIO_printf(out, ".");
        (void)BIO_flush(out);
        /* wrong digest */
        if (ECDSA_verify(0, wrong_digest, 20, signature, sig_len, eckey) == 1) {
            BIO_printf(out, " failed\n");
            goto builtin_err;
        }
        BIO_printf(out, ".");
        (void)BIO_flush(out);
        /* wrong length */
        if (ECDSA_verify(0, digest, 20, signature, sig_len - 1, eckey) == 1) {
            BIO_printf(out, " failed\n");
            goto builtin_err;
        }
        BIO_printf(out, ".");
        (void)BIO_flush(out);

        /*
         * Modify a single byte of the signature: to ensure we don't garble
         * the ASN1 structure, we read the raw signature and modify a byte in
         * one of the bignums directly.
         */
        sig_ptr = signature;
        if ((ecdsa_sig = d2i_ECDSA_SIG(NULL, &sig_ptr, sig_len)) == NULL) {
            BIO_printf(out, " failed\n");
            goto builtin_err;
        }

        ECDSA_SIG_get0(ecdsa_sig, &sig_r, &sig_s);

        /* Store the two BIGNUMs in raw_buf. */
        r_len = BN_num_bytes(sig_r);
        s_len = BN_num_bytes(sig_s);
        bn_len = (degree + 7) / 8;
        if ((r_len > bn_len) || (s_len > bn_len)) {
            BIO_printf(out, " failed\n");
            goto builtin_err;
        }
        buf_len = 2 * bn_len;
        if ((raw_buf = OPENSSL_zalloc(buf_len)) == NULL)
            goto builtin_err;
        BN_bn2bin(sig_r, raw_buf + bn_len - r_len);
        BN_bn2bin(sig_s, raw_buf + buf_len - s_len);

        /* Modify a single byte in the buffer. */
        offset = raw_buf[10] % buf_len;
        dirt = raw_buf[11] ? raw_buf[11] : 1;
        raw_buf[offset] ^= dirt;
        /* Now read the BIGNUMs back in from raw_buf. */
        modified_sig = ECDSA_SIG_new();
        if (modified_sig == NULL)
            goto builtin_err;
        if (((modified_r = BN_bin2bn(raw_buf, bn_len, NULL)) == NULL)
            || ((modified_s = BN_bin2bn(raw_buf + bn_len, bn_len, NULL)) == NULL)
            || !ECDSA_SIG_set0(modified_sig, modified_r, modified_s)) {
            BN_free(modified_r);
            BN_free(modified_s);
            goto builtin_err;
        }
        sig_ptr2 = signature;
        sig_len = i2d_ECDSA_SIG(modified_sig, &sig_ptr2);
        if (ECDSA_verify(0, digest, 20, signature, sig_len, eckey) == 1) {
            BIO_printf(out, " failed\n");
            goto builtin_err;
        }
        /*
         * Sanity check: undo the modification and verify signature.
         */
        raw_buf[offset] ^= dirt;
        if (((unmodified_r = BN_bin2bn(raw_buf, bn_len, NULL)) == NULL)
            || ((unmodified_s = BN_bin2bn(raw_buf + bn_len, bn_len, NULL)) == NULL)
            || !ECDSA_SIG_set0(modified_sig, unmodified_r, unmodified_s)) {
            BN_free(unmodified_r);
            BN_free(unmodified_s);
            goto builtin_err;
        }

        sig_ptr2 = signature;
        sig_len = i2d_ECDSA_SIG(modified_sig, &sig_ptr2);
        if (ECDSA_verify(0, digest, 20, signature, sig_len, eckey) != 1) {
            BIO_printf(out, " failed\n");
            goto builtin_err;
        }
        BIO_printf(out, ".");
        (void)BIO_flush(out);

        BIO_printf(out, " ok\n");
        /* cleanup */
        /* clean bogus errors */
        ERR_clear_error();
        OPENSSL_free(signature);
        signature = NULL;
        EC_KEY_free(eckey);
        eckey = NULL;
        EC_KEY_free(wrong_eckey);
        wrong_eckey = NULL;
        ECDSA_SIG_free(ecdsa_sig);
        ecdsa_sig = NULL;
        ECDSA_SIG_free(modified_sig);
        modified_sig = NULL;
        OPENSSL_free(raw_buf);
        raw_buf = NULL;
    }

    ret = 1;
 builtin_err:
    EC_KEY_free(eckey);
    EC_KEY_free(wrong_eckey);
    ECDSA_SIG_free(ecdsa_sig);
    ECDSA_SIG_free(modified_sig);
    OPENSSL_free(signature);
    OPENSSL_free(raw_buf);
    OPENSSL_free(curves);

    return ret;
}

int main(void)
{
    int ret = 1;
    BIO *out;
    char *p;

    out = BIO_new_fp(stdout, BIO_NOCLOSE | BIO_FP_TEXT);

    p = getenv("OPENSSL_DEBUG_MEMORY");
    if (p != NULL && strcmp(p, "on") == 0)
        CRYPTO_set_mem_debug(1);

    /* initialize the prng */
    RAND_seed(rnd_seed, sizeof(rnd_seed));

    /* the tests */
    if (!x9_62_tests(out))
        goto err;
    if (!test_builtin(out))
        goto err;

    ret = 0;
 err:
    if (ret)
        BIO_printf(out, "\nECDSA test failed\n");
    else
        BIO_printf(out, "\nECDSA test passed\n");
    if (ret)
        ERR_print_errors(out);

#ifndef OPENSSL_NO_CRYPTO_MDEBUG
    if (CRYPTO_mem_leaks(out) <= 0)
        ret = 1;
#endif
    BIO_free(out);
    return ret;
}
#endif
Commit	Line	Data
2b32b281	1	/*
440e5d80	2	* Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
4d94ae00	3	*
440e5d80 RS	4	* Licensed under the OpenSSL license (the "License"). You may not use
	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
4d94ae00	8	*/
440e5d80	9
e172d60d BM	10	/* ====================================================================
	11	* Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
	12	*
0f113f3e	13	* Portions of the attached software ("Contribution") are developed by
e172d60d BM	14	* SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
	15	*
	16	* The Contribution is licensed pursuant to the OpenSSL open source
	17	* license provided above.
	18	*
0f113f3e	19	* The elliptic curve binary polynomial software is originally written by
e172d60d BM	20	* Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories.
	21	*
	22	*/
	23
4d94ae00 BM	24	#include <stdio.h>
	25	#include <stdlib.h>
	26	#include <string.h>
4d94ae00	27
10bf4fc2	28	#include <openssl/opensslconf.h> /* To see if OPENSSL_NO_EC is defined */
3b6aa36c	29
10bf4fc2	30	#ifdef OPENSSL_NO_EC
0f113f3e MC	31	int main(int argc, char *argv[])
	32	{
	33	puts("Elliptic curves are disabled.");
	34	return 0;
	35	}
4d94ae00 BM	36	#else
4d94ae00 BM	37
0f113f3e MC	38	# include <openssl/crypto.h>
	39	# include <openssl/bio.h>
	40	# include <openssl/evp.h>
	41	# include <openssl/bn.h>
fb29bb59	42	# include <openssl/ec.h>
0f113f3e MC	43	# ifndef OPENSSL_NO_ENGINE
	44	# include <openssl/engine.h>
	45	# endif
	46	# include <openssl/err.h>
	47	# include <openssl/rand.h>
690ecff7	48
2b32b281	49	static const char rnd_seed[] = "string to make the random number generator "
0f113f3e	50	"think it has entropy";
2b32b281 BM	51
	52	/* declaration of the test functions */
	53	int x9_62_tests(BIO *);
	54	int x9_62_test_internal(BIO out, int nid, const char r, const char *s);
	55	int test_builtin(BIO *);
	56
	57	/* functions to change the RAND_METHOD */
	58	int change_rand(void);
	59	int restore_rand(void);
6343829a	60	int fbytes(unsigned char *buf, int num);
2b32b281	61
df2ee0e2 BL	62	static RAND_METHOD fake_rand;
df2ee0e2 BL	63	static const RAND_METHOD *old_rand;
2b32b281 BM	64
2b32b281 BM	65	int change_rand(void)
0f113f3e MC	66	{
	67	/* save old rand method */
	68	if ((old_rand = RAND_get_rand_method()) == NULL)
	69	return 0;
	70
	71	fake_rand.seed = old_rand->seed;
	72	fake_rand.cleanup = old_rand->cleanup;
	73	fake_rand.add = old_rand->add;
	74	fake_rand.status = old_rand->status;
	75	/* use own random function */
	76	fake_rand.bytes = fbytes;
	77	fake_rand.pseudorand = old_rand->bytes;
	78	/* set new RAND_METHOD */
	79	if (!RAND_set_rand_method(&fake_rand))
	80	return 0;
	81	return 1;
	82	}
2b32b281 BM	83
2b32b281 BM	84	int restore_rand(void)
0f113f3e MC	85	{
	86	if (!RAND_set_rand_method(old_rand))
	87	return 0;
	88	else
	89	return 1;
	90	}
4d94ae00	91
d80399a3	92	static int fbytes_counter = 0, use_fake = 0;
2b32b281	93	static const char *numbers[8] = {
0f113f3e MC	94	"651056770906015076056810763456358567190100156695615665659",
	95	"6140507067065001063065065565667405560006161556565665656654",
	96	"8763001015071075675010661307616710783570106710677817767166"
	97	"71676178726717",
	98	"7000000175690566466555057817571571075705015757757057795755"
	99	"55657156756655",
	100	"1275552191113212300012030439187146164646146646466749494799",
	101	"1542725565216523985789236956265265265235675811949404040041",
	102	"1456427555219115346513212300075341203043918714616464614664"
	103	"64667494947990",
	104	"1712787255652165239672857892369562652652652356758119494040"
	105	"40041670216363"
	106	};
2b32b281	107
6343829a	108	int fbytes(unsigned char *buf, int num)
0f113f3e MC	109	{
	110	int ret;
	111	BIGNUM *tmp = NULL;
	112
	113	if (use_fake == 0)
	114	return old_rand->bytes(buf, num);
	115
	116	use_fake = 0;
	117
	118	if (fbytes_counter >= 8)
	119	return 0;
	120	tmp = BN_new();
	121	if (!tmp)
	122	return 0;
	123	if (!BN_dec2bn(&tmp, numbers[fbytes_counter])) {
	124	BN_free(tmp);
	125	return 0;
	126	}
	127	fbytes_counter++;
	128	if (num != BN_num_bytes(tmp) \|\| !BN_bn2bin(tmp, buf))
	129	ret = 0;
	130	else
	131	ret = 1;
	132	BN_free(tmp);
	133	return ret;
	134	}
2b32b281 BM	135
	136	/* some tests from the X9.62 draft */
	137	int x9_62_test_internal(BIO out, int nid, const char r_in, const char *s_in)
0f113f3e MC	138	{
	139	int ret = 0;
	140	const char message[] = "abc";
	141	unsigned char digest[20];
	142	unsigned int dgst_len = 0;
bfb0641f	143	EVP_MD_CTX *md_ctx = EVP_MD_CTX_new();
0f113f3e MC	144	EC_KEY *key = NULL;
	145	ECDSA_SIG *signature = NULL;
	146	BIGNUM r = NULL, s = NULL;
	147	BIGNUM kinv = NULL, rp = NULL;
9267c11b	148	const BIGNUM sig_r, sig_s;
0f113f3e	149
6e59a892 RL	150	if (md_ctx == NULL)
	151	goto x962_int_err;
	152
0f113f3e	153	/* get the message digest */
6e59a892 RL	154	if (!EVP_DigestInit(md_ctx, EVP_sha1())
	155	\|\| !EVP_DigestUpdate(md_ctx, (const void *)message, 3)
	156	\|\| !EVP_DigestFinal(md_ctx, digest, &dgst_len))
0f113f3e MC	157	goto x962_int_err;
	158
	159	BIO_printf(out, "testing %s: ", OBJ_nid2sn(nid));
	160	/* create the key */
	161	if ((key = EC_KEY_new_by_curve_name(nid)) == NULL)
	162	goto x962_int_err;
	163	use_fake = 1;
	164	if (!EC_KEY_generate_key(key))
	165	goto x962_int_err;
	166	BIO_printf(out, ".");
	167	(void)BIO_flush(out);
	168	/* create the signature */
	169	use_fake = 1;
	170	/* Use ECDSA_sign_setup to avoid use of ECDSA nonces */
	171	if (!ECDSA_sign_setup(key, NULL, &kinv, &rp))
	172	goto x962_int_err;
	173	signature = ECDSA_do_sign_ex(digest, 20, kinv, rp, key);
	174	if (signature == NULL)
	175	goto x962_int_err;
	176	BIO_printf(out, ".");
	177	(void)BIO_flush(out);
	178	/* compare the created signature with the expected signature */
	179	if ((r = BN_new()) == NULL \|\| (s = BN_new()) == NULL)
	180	goto x962_int_err;
	181	if (!BN_dec2bn(&r, r_in) \|\| !BN_dec2bn(&s, s_in))
	182	goto x962_int_err;
9267c11b	183	ECDSA_SIG_get0(signature, &sig_r, &sig_s);
cf70b8f5	184	if (BN_cmp(sig_r, r) \|\| BN_cmp(sig_s, s))
0f113f3e MC	185	goto x962_int_err;
	186	BIO_printf(out, ".");
	187	(void)BIO_flush(out);
	188	/* verify the signature */
	189	if (ECDSA_do_verify(digest, 20, signature, key) != 1)
	190	goto x962_int_err;
	191	BIO_printf(out, ".");
	192	(void)BIO_flush(out);
	193
	194	BIO_printf(out, " ok\n");
	195	ret = 1;
	196	x962_int_err:
	197	if (!ret)
	198	BIO_printf(out, " failed\n");
8fdc3734	199	EC_KEY_free(key);
25aaa98a	200	ECDSA_SIG_free(signature);
23a1d5e9 RS	201	BN_free(r);
23a1d5e9 RS	202	BN_free(s);
bfb0641f	203	EVP_MD_CTX_free(md_ctx);
23a1d5e9 RS	204	BN_clear_free(kinv);
23a1d5e9 RS	205	BN_clear_free(rp);
0f113f3e MC	206	return ret;
0f113f3e MC	207	}
4d94ae00	208
2b32b281	209	int x9_62_tests(BIO *out)
0f113f3e MC	210	{
	211	int ret = 0;
	212
	213	BIO_printf(out, "some tests from X9.62:\n");
	214
	215	/* set own rand method */
	216	if (!change_rand())
	217	goto x962_err;
	218
	219	if (!x9_62_test_internal(out, NID_X9_62_prime192v1,
	220	"3342403536405981729393488334694600415596881826869351677613",
	221	"5735822328888155254683894997897571951568553642892029982342"))
	222	goto x962_err;
	223	if (!x9_62_test_internal(out, NID_X9_62_prime239v1,
	224	"3086361431751678114926225473006680188549593787585317781474"
	225	"62058306432176",
	226	"3238135532097973577080787768312505059318910517550078427819"
	227	"78505179448783"))
	228	goto x962_err;
	229	# ifndef OPENSSL_NO_EC2M
	230	if (!x9_62_test_internal(out, NID_X9_62_c2tnb191v1,
	231	"87194383164871543355722284926904419997237591535066528048",
	232	"308992691965804947361541664549085895292153777025772063598"))
	233	goto x962_err;
	234	if (!x9_62_test_internal(out, NID_X9_62_c2tnb239v1,
	235	"2159633321041961198501834003903461262881815148684178964245"
	236	"5876922391552",
	237	"1970303740007316867383349976549972270528498040721988191026"
	238	"49413465737174"))
	239	goto x962_err;
	240	# endif
	241	ret = 1;
	242	x962_err:
	243	if (!restore_rand())
	244	ret = 0;
	245	return ret;
	246	}
2b32b281 BM	247
2b32b281 BM	248	int test_builtin(BIO *out)
0f113f3e MC	249	{
	250	EC_builtin_curve *curves = NULL;
	251	size_t crv_len = 0, n = 0;
	252	EC_KEY eckey = NULL, wrong_eckey = NULL;
	253	EC_GROUP *group;
9267c11b	254	ECDSA_SIG ecdsa_sig = NULL, modified_sig = NULL;
0f113f3e MC	255	unsigned char digest[20], wrong_digest[20];
	256	unsigned char *signature = NULL;
	257	const unsigned char *sig_ptr;
	258	unsigned char *sig_ptr2;
	259	unsigned char *raw_buf = NULL;
9267c11b EK	260	const BIGNUM sig_r, sig_s;
	261	BIGNUM modified_r = NULL, modified_s = NULL;
	262	BIGNUM unmodified_r = NULL, unmodified_s = NULL;
0f113f3e MC	263	unsigned int sig_len, degree, r_len, s_len, bn_len, buf_len;
	264	int nid, ret = 0;
	265
	266	/* fill digest values with some random data */
266483d2	267	if (RAND_bytes(digest, 20) <= 0 \|\| RAND_bytes(wrong_digest, 20) <= 0) {
0f113f3e MC	268	BIO_printf(out, "ERROR: unable to get random data\n");
	269	goto builtin_err;
	270	}
	271
	272	/*
60250017	273	* create and verify a ecdsa signature with every available curve (with )
0f113f3e MC	274	*/
	275	BIO_printf(out, "\ntesting ECDSA_sign() and ECDSA_verify() "
	276	"with some internal curves:\n");
	277
	278	/* get a list of all internal curves */
	279	crv_len = EC_get_builtin_curves(NULL, 0);
b4faea50	280	curves = OPENSSL_malloc(sizeof(curves) crv_len);
0f113f3e MC	281	if (curves == NULL) {
	282	BIO_printf(out, "malloc error\n");
	283	goto builtin_err;
	284	}
	285
	286	if (!EC_get_builtin_curves(curves, crv_len)) {
	287	BIO_printf(out, "unable to get internal curves\n");
	288	goto builtin_err;
	289	}
	290
	291	/* now create and verify a signature for every curve */
	292	for (n = 0; n < crv_len; n++) {
	293	unsigned char dirt, offset;
	294
	295	nid = curves[n].nid;
4a5bbc4e	296	if (nid == NID_ipsec4 \|\| nid == NID_X25519)
0f113f3e MC	297	continue;
	298	/* create new ecdsa key (== EC_KEY) */
	299	if ((eckey = EC_KEY_new()) == NULL)
	300	goto builtin_err;
	301	group = EC_GROUP_new_by_curve_name(nid);
	302	if (group == NULL)
	303	goto builtin_err;
	304	if (EC_KEY_set_group(eckey, group) == 0)
	305	goto builtin_err;
	306	EC_GROUP_free(group);
	307	degree = EC_GROUP_get_degree(EC_KEY_get0_group(eckey));
8fdc3734	308	if (degree < 160) {
0f113f3e	309	/* drop the curve */
0f113f3e MC	310	EC_KEY_free(eckey);
	311	eckey = NULL;
	312	continue;
	313	}
	314	BIO_printf(out, "%s: ", OBJ_nid2sn(nid));
	315	/* create key */
	316	if (!EC_KEY_generate_key(eckey)) {
	317	BIO_printf(out, " failed\n");
	318	goto builtin_err;
	319	}
	320	/* create second key */
	321	if ((wrong_eckey = EC_KEY_new()) == NULL)
	322	goto builtin_err;
	323	group = EC_GROUP_new_by_curve_name(nid);
	324	if (group == NULL)
	325	goto builtin_err;
	326	if (EC_KEY_set_group(wrong_eckey, group) == 0)
	327	goto builtin_err;
	328	EC_GROUP_free(group);
	329	if (!EC_KEY_generate_key(wrong_eckey)) {
	330	BIO_printf(out, " failed\n");
	331	goto builtin_err;
	332	}
	333
	334	BIO_printf(out, ".");
	335	(void)BIO_flush(out);
	336	/* check key */
	337	if (!EC_KEY_check_key(eckey)) {
	338	BIO_printf(out, " failed\n");
	339	goto builtin_err;
	340	}
	341	BIO_printf(out, ".");
	342	(void)BIO_flush(out);
	343	/* create signature */
	344	sig_len = ECDSA_size(eckey);
	345	if ((signature = OPENSSL_malloc(sig_len)) == NULL)
	346	goto builtin_err;
	347	if (!ECDSA_sign(0, digest, 20, signature, &sig_len, eckey)) {
	348	BIO_printf(out, " failed\n");
	349	goto builtin_err;
	350	}
	351	BIO_printf(out, ".");
	352	(void)BIO_flush(out);
	353	/* verify signature */
	354	if (ECDSA_verify(0, digest, 20, signature, sig_len, eckey) != 1) {
	355	BIO_printf(out, " failed\n");
	356	goto builtin_err;
	357	}
	358	BIO_printf(out, ".");
	359	(void)BIO_flush(out);
	360	/* verify signature with the wrong key */
	361	if (ECDSA_verify(0, digest, 20, signature, sig_len, wrong_eckey) == 1) {
	362	BIO_printf(out, " failed\n");
	363	goto builtin_err;
	364	}
	365	BIO_printf(out, ".");
	366	(void)BIO_flush(out);
	367	/* wrong digest */
	368	if (ECDSA_verify(0, wrong_digest, 20, signature, sig_len, eckey) == 1) {
	369	BIO_printf(out, " failed\n");
	370	goto builtin_err;
	371	}
	372	BIO_printf(out, ".");
	373	(void)BIO_flush(out);
374	/* wrong length */
375	if (ECDSA_verify(0, digest, 20, signature, sig_len - 1, eckey) == 1) {
376	BIO_printf(out, " failed\n");
377	goto builtin_err;
378	}
379	BIO_printf(out, ".");
380	(void)BIO_flush(out);
381
382	/*
383	* Modify a single byte of the signature: to ensure we don't garble
384	* the ASN1 structure, we read the raw signature and modify a byte in
385	* one of the bignums directly.
386	*/
387	sig_ptr = signature;
388	if ((ecdsa_sig = d2i_ECDSA_SIG(NULL, &sig_ptr, sig_len)) == NULL) {
389	BIO_printf(out, " failed\n");
390	goto builtin_err;
391	}
392
9267c11b	393	ECDSA_SIG_get0(ecdsa_sig, &sig_r, &sig_s);
cf70b8f5	394
0f113f3e	395	/* Store the two BIGNUMs in raw_buf. */
cf70b8f5 DSH	396	r_len = BN_num_bytes(sig_r);
cf70b8f5 DSH	397	s_len = BN_num_bytes(sig_s);
0f113f3e MC	398	bn_len = (degree + 7) / 8;
	399	if ((r_len > bn_len) \|\| (s_len > bn_len)) {
	400	BIO_printf(out, " failed\n");
	401	goto builtin_err;
	402	}
	403	buf_len = 2 * bn_len;
b51bce94	404	if ((raw_buf = OPENSSL_zalloc(buf_len)) == NULL)
0f113f3e	405	goto builtin_err;
cf70b8f5 DSH	406	BN_bn2bin(sig_r, raw_buf + bn_len - r_len);
cf70b8f5 DSH	407	BN_bn2bin(sig_s, raw_buf + buf_len - s_len);
0f113f3e MC	408
	409	/* Modify a single byte in the buffer. */
	410	offset = raw_buf[10] % buf_len;
	411	dirt = raw_buf[11] ? raw_buf[11] : 1;
	412	raw_buf[offset] ^= dirt;
	413	/* Now read the BIGNUMs back in from raw_buf. */
9267c11b EK	414	modified_sig = ECDSA_SIG_new();
9267c11b EK	415	if (modified_sig == NULL)
0f113f3e	416	goto builtin_err;
9267c11b EK	417	if (((modified_r = BN_bin2bn(raw_buf, bn_len, NULL)) == NULL)
	418	\|\| ((modified_s = BN_bin2bn(raw_buf + bn_len, bn_len, NULL)) == NULL)
	419	\|\| !ECDSA_SIG_set0(modified_sig, modified_r, modified_s)) {
	420	BN_free(modified_r);
	421	BN_free(modified_s);
	422	goto builtin_err;
	423	}
0f113f3e	424	sig_ptr2 = signature;
9267c11b	425	sig_len = i2d_ECDSA_SIG(modified_sig, &sig_ptr2);
0f113f3e MC	426	if (ECDSA_verify(0, digest, 20, signature, sig_len, eckey) == 1) {
	427	BIO_printf(out, " failed\n");
	428	goto builtin_err;
	429	}
	430	/*
	431	* Sanity check: undo the modification and verify signature.
	432	*/
	433	raw_buf[offset] ^= dirt;
9267c11b EK	434	if (((unmodified_r = BN_bin2bn(raw_buf, bn_len, NULL)) == NULL)
	435	\|\| ((unmodified_s = BN_bin2bn(raw_buf + bn_len, bn_len, NULL)) == NULL)
	436	\|\| !ECDSA_SIG_set0(modified_sig, unmodified_r, unmodified_s)) {
	437	BN_free(unmodified_r);
	438	BN_free(unmodified_s);
0f113f3e	439	goto builtin_err;
9267c11b	440	}
0f113f3e MC	441
0f113f3e MC	442	sig_ptr2 = signature;
9267c11b	443	sig_len = i2d_ECDSA_SIG(modified_sig, &sig_ptr2);
0f113f3e MC	444	if (ECDSA_verify(0, digest, 20, signature, sig_len, eckey) != 1) {
	445	BIO_printf(out, " failed\n");
	446	goto builtin_err;
	447	}
	448	BIO_printf(out, ".");
	449	(void)BIO_flush(out);
	450
	451	BIO_printf(out, " ok\n");
	452	/* cleanup */
	453	/* clean bogus errors */
	454	ERR_clear_error();
	455	OPENSSL_free(signature);
	456	signature = NULL;
	457	EC_KEY_free(eckey);
	458	eckey = NULL;
	459	EC_KEY_free(wrong_eckey);
	460	wrong_eckey = NULL;
	461	ECDSA_SIG_free(ecdsa_sig);
	462	ecdsa_sig = NULL;
9267c11b EK	463	ECDSA_SIG_free(modified_sig);
9267c11b EK	464	modified_sig = NULL;
0f113f3e MC	465	OPENSSL_free(raw_buf);
	466	raw_buf = NULL;
	467	}
	468
	469	ret = 1;
	470	builtin_err:
8fdc3734 RS	471	EC_KEY_free(eckey);
8fdc3734 RS	472	EC_KEY_free(wrong_eckey);
25aaa98a	473	ECDSA_SIG_free(ecdsa_sig);
9267c11b	474	ECDSA_SIG_free(modified_sig);
b548a1f1 RS	475	OPENSSL_free(signature);
	476	OPENSSL_free(raw_buf);
	477	OPENSSL_free(curves);
0f113f3e MC	478
	479	return ret;
	480	}
4d94ae00 BM	481
4d94ae00 BM	482	int main(void)
0f113f3e MC	483	{
	484	int ret = 1;
	485	BIO *out;
bbd86bf5	486	char *p;
0f113f3e	487
0f81f5f7	488	out = BIO_new_fp(stdout, BIO_NOCLOSE \| BIO_FP_TEXT);
0f113f3e	489
bbd86bf5 RS	490	p = getenv("OPENSSL_DEBUG_MEMORY");
	491	if (p != NULL && strcmp(p, "on") == 0)
	492	CRYPTO_set_mem_debug(1);
0f113f3e MC	493
	494	/* initialize the prng */
	495	RAND_seed(rnd_seed, sizeof(rnd_seed));
	496
	497	/* the tests */
	498	if (!x9_62_tests(out))
	499	goto err;
	500	if (!test_builtin(out))
	501	goto err;
	502
	503	ret = 0;
	504	err:
	505	if (ret)
	506	BIO_printf(out, "\nECDSA test failed\n");
	507	else
	508	BIO_printf(out, "\nECDSA test passed\n");
	509	if (ret)
	510	ERR_print_errors(out);
8793f012	511
c2e27310	512	#ifndef OPENSSL_NO_CRYPTO_MDEBUG
541e9565 DSH	513	if (CRYPTO_mem_leaks(out) <= 0)
541e9565 DSH	514	ret = 1;
bbd86bf5	515	#endif
ca3a82c3	516	BIO_free(out);
0f113f3e MC	517	return ret;
0f113f3e MC	518	}
4d94ae00	519	#endif