]>
Commit | Line | Data |
---|---|---|
2b32b281 | 1 | /* |
33388b44 | 2 | * Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved. |
aa8f3d76 | 3 | * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved |
4d94ae00 | 4 | * |
909f1a2e | 5 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
440e5d80 RS |
6 | * this file except in compliance with the License. You can obtain a copy |
7 | * in the file LICENSE in the source distribution or at | |
8 | * https://www.openssl.org/source/license.html | |
4d94ae00 | 9 | */ |
440e5d80 | 10 | |
579422c8 P |
11 | /* |
12 | * Low level APIs are deprecated for public use, but still ok for internal use. | |
13 | */ | |
14 | #include "internal/deprecated.h" | |
15 | ||
10bf4fc2 | 16 | #include <openssl/opensslconf.h> /* To see if OPENSSL_NO_EC is defined */ |
b770a80f | 17 | #include "testutil.h" |
3b6aa36c | 18 | |
a69de3f2 | 19 | #ifndef OPENSSL_NO_EC |
4d94ae00 | 20 | |
0f113f3e MC |
21 | # include <openssl/evp.h> |
22 | # include <openssl/bn.h> | |
fb29bb59 | 23 | # include <openssl/ec.h> |
0f113f3e | 24 | # include <openssl/rand.h> |
1a31d801 BB |
25 | # include "internal/nelem.h" |
26 | # include "ecdsatest.h" | |
690ecff7 | 27 | |
2b32b281 | 28 | /* functions to change the RAND_METHOD */ |
b66411f6 | 29 | static int fbytes(unsigned char *buf, int num); |
2b32b281 | 30 | |
df2ee0e2 BL |
31 | static RAND_METHOD fake_rand; |
32 | static const RAND_METHOD *old_rand; | |
1a31d801 BB |
33 | static int use_fake = 0; |
34 | static const char *numbers[2]; | |
35 | static size_t crv_len = 0; | |
36 | static EC_builtin_curve *curves = NULL; | |
2b32b281 | 37 | |
b66411f6 | 38 | static int change_rand(void) |
0f113f3e MC |
39 | { |
40 | /* save old rand method */ | |
b66411f6 | 41 | if (!TEST_ptr(old_rand = RAND_get_rand_method())) |
0f113f3e MC |
42 | return 0; |
43 | ||
b66411f6 | 44 | fake_rand = *old_rand; |
0f113f3e MC |
45 | /* use own random function */ |
46 | fake_rand.bytes = fbytes; | |
0f113f3e | 47 | /* set new RAND_METHOD */ |
b66411f6 | 48 | if (!TEST_true(RAND_set_rand_method(&fake_rand))) |
0f113f3e MC |
49 | return 0; |
50 | return 1; | |
51 | } | |
2b32b281 | 52 | |
b66411f6 | 53 | static int restore_rand(void) |
0f113f3e | 54 | { |
b66411f6 | 55 | if (!TEST_true(RAND_set_rand_method(old_rand))) |
0f113f3e | 56 | return 0; |
b66411f6 | 57 | return 1; |
0f113f3e | 58 | } |
4d94ae00 | 59 | |
b66411f6 | 60 | static int fbytes(unsigned char *buf, int num) |
0f113f3e | 61 | { |
b66411f6 | 62 | int ret = 0; |
1a31d801 | 63 | static int fbytes_counter = 0; |
0f113f3e MC |
64 | BIGNUM *tmp = NULL; |
65 | ||
66 | if (use_fake == 0) | |
67 | return old_rand->bytes(buf, num); | |
68 | ||
69 | use_fake = 0; | |
70 | ||
1a31d801 BB |
71 | if (!TEST_ptr(tmp = BN_new()) |
72 | || !TEST_int_lt(fbytes_counter, OSSL_NELEM(numbers)) | |
73 | || !TEST_true(BN_hex2bn(&tmp, numbers[fbytes_counter])) | |
74 | /* tmp might need leading zeros so pad it out */ | |
75 | || !TEST_int_le(BN_num_bytes(tmp), num) | |
76 | || !TEST_true(BN_bn2binpad(tmp, buf, num))) | |
77 | goto err; | |
78 | ||
79 | fbytes_counter = (fbytes_counter + 1) % OSSL_NELEM(numbers); | |
80 | ret = 1; | |
81 | err: | |
0f113f3e MC |
82 | BN_free(tmp); |
83 | return ret; | |
84 | } | |
2b32b281 | 85 | |
1a31d801 BB |
86 | /*- |
87 | * This function hijacks the RNG to feed it the chosen ECDSA key and nonce. | |
88 | * The ECDSA KATs are from: | |
89 | * - the X9.62 draft (4) | |
90 | * - NIST CAVP (720) | |
91 | * | |
92 | * It uses the low-level ECDSA_sign_setup instead of EVP to control the RNG. | |
93 | * NB: This is not how applications should use ECDSA; this is only for testing. | |
94 | * | |
95 | * Tests the library can successfully: | |
96 | * - generate public keys that matches those KATs | |
97 | * - create ECDSA signatures that match those KATs | |
98 | * - accept those signatures as valid | |
99 | */ | |
100 | static int x9_62_tests(int n) | |
0f113f3e | 101 | { |
1a31d801 BB |
102 | int nid, md_nid, ret = 0; |
103 | const char *r_in = NULL, *s_in = NULL, *tbs = NULL; | |
104 | unsigned char *pbuf = NULL, *qbuf = NULL, *message = NULL; | |
105 | unsigned char digest[EVP_MAX_MD_SIZE]; | |
0f113f3e | 106 | unsigned int dgst_len = 0; |
1a31d801 BB |
107 | long q_len, msg_len = 0; |
108 | size_t p_len; | |
109 | EVP_MD_CTX *mctx = NULL; | |
0f113f3e MC |
110 | EC_KEY *key = NULL; |
111 | ECDSA_SIG *signature = NULL; | |
112 | BIGNUM *r = NULL, *s = NULL; | |
113 | BIGNUM *kinv = NULL, *rp = NULL; | |
1a31d801 BB |
114 | const BIGNUM *sig_r = NULL, *sig_s = NULL; |
115 | ||
116 | nid = ecdsa_cavs_kats[n].nid; | |
117 | md_nid = ecdsa_cavs_kats[n].md_nid; | |
118 | r_in = ecdsa_cavs_kats[n].r; | |
119 | s_in = ecdsa_cavs_kats[n].s; | |
120 | tbs = ecdsa_cavs_kats[n].msg; | |
121 | numbers[0] = ecdsa_cavs_kats[n].d; | |
122 | numbers[1] = ecdsa_cavs_kats[n].k; | |
123 | ||
124 | TEST_info("ECDSA KATs for curve %s", OBJ_nid2sn(nid)); | |
125 | ||
10c25644 SL |
126 | #ifdef FIPS_MODE |
127 | if (EC_curve_nid2nist(nid) == NULL) | |
128 | return TEST_skip("skip non approved curves"); | |
129 | #endif /* FIPS_MODE */ | |
130 | ||
1a31d801 BB |
131 | if (!TEST_ptr(mctx = EVP_MD_CTX_new()) |
132 | /* get the message digest */ | |
133 | || !TEST_ptr(message = OPENSSL_hexstr2buf(tbs, &msg_len)) | |
134 | || !TEST_true(EVP_DigestInit_ex(mctx, EVP_get_digestbynid(md_nid), NULL)) | |
135 | || !TEST_true(EVP_DigestUpdate(mctx, message, msg_len)) | |
136 | || !TEST_true(EVP_DigestFinal_ex(mctx, digest, &dgst_len)) | |
137 | /* create the key */ | |
138 | || !TEST_ptr(key = EC_KEY_new_by_curve_name(nid)) | |
139 | /* load KAT variables */ | |
140 | || !TEST_ptr(r = BN_new()) | |
141 | || !TEST_ptr(s = BN_new()) | |
142 | || !TEST_true(BN_hex2bn(&r, r_in)) | |
143 | || !TEST_true(BN_hex2bn(&s, s_in)) | |
144 | /* swap the RNG source */ | |
145 | || !TEST_true(change_rand())) | |
146 | goto err; | |
147 | ||
148 | /* public key must match KAT */ | |
0f113f3e | 149 | use_fake = 1; |
1a31d801 BB |
150 | if (!TEST_true(EC_KEY_generate_key(key)) |
151 | || !TEST_true(p_len = EC_KEY_key2buf(key, POINT_CONVERSION_UNCOMPRESSED, | |
152 | &pbuf, NULL)) | |
153 | || !TEST_ptr(qbuf = OPENSSL_hexstr2buf(ecdsa_cavs_kats[n].Q, &q_len)) | |
154 | || !TEST_int_eq(q_len, p_len) | |
155 | || !TEST_mem_eq(qbuf, q_len, pbuf, p_len)) | |
156 | goto err; | |
157 | ||
158 | /* create the signature via ECDSA_sign_setup to avoid use of ECDSA nonces */ | |
0f113f3e | 159 | use_fake = 1; |
1a31d801 BB |
160 | if (!TEST_true(ECDSA_sign_setup(key, NULL, &kinv, &rp)) |
161 | || !TEST_ptr(signature = ECDSA_do_sign_ex(digest, dgst_len, | |
162 | kinv, rp, key)) | |
163 | /* verify the signature */ | |
164 | || !TEST_int_eq(ECDSA_do_verify(digest, dgst_len, signature, key), 1)) | |
165 | goto err; | |
b66411f6 | 166 | |
0f113f3e | 167 | /* compare the created signature with the expected signature */ |
9267c11b | 168 | ECDSA_SIG_get0(signature, &sig_r, &sig_s); |
dc352c19 | 169 | if (!TEST_BN_eq(sig_r, r) |
1a31d801 BB |
170 | || !TEST_BN_eq(sig_s, s)) |
171 | goto err; | |
0f113f3e | 172 | |
0f113f3e | 173 | ret = 1; |
b66411f6 | 174 | |
1a31d801 BB |
175 | err: |
176 | /* restore the RNG source */ | |
177 | if (!TEST_true(restore_rand())) | |
178 | ret = 0; | |
179 | ||
180 | OPENSSL_free(message); | |
181 | OPENSSL_free(pbuf); | |
182 | OPENSSL_free(qbuf); | |
8fdc3734 | 183 | EC_KEY_free(key); |
25aaa98a | 184 | ECDSA_SIG_free(signature); |
23a1d5e9 RS |
185 | BN_free(r); |
186 | BN_free(s); | |
1a31d801 | 187 | EVP_MD_CTX_free(mctx); |
23a1d5e9 RS |
188 | BN_clear_free(kinv); |
189 | BN_clear_free(rp); | |
0f113f3e MC |
190 | return ret; |
191 | } | |
4d94ae00 | 192 | |
1a31d801 BB |
193 | /*- |
194 | * Positive and negative ECDSA testing through EVP interface: | |
195 | * - EVP_DigestSign (this is the one-shot version) | |
196 | * - EVP_DigestVerify | |
197 | * | |
198 | * Tests the library can successfully: | |
199 | * - create a key | |
200 | * - create a signature | |
201 | * - accept that signature | |
202 | * - reject that signature with a different public key | |
203 | * - reject that signature if its length is not correct | |
204 | * - reject that signature after modifying the message | |
205 | * - accept that signature after un-modifying the message | |
206 | * - reject that signature after modifying the signature | |
207 | * - accept that signature after un-modifying the signature | |
208 | */ | |
3995de2c RL |
209 | static int set_sm2_id(EVP_MD_CTX *mctx, EVP_PKEY *pkey) |
210 | { | |
211 | /* With the SM2 key type, the SM2 ID is mandatory */ | |
212 | static const char sm2_id[] = { 1, 2, 3, 4, 'l', 'e', 't', 't', 'e', 'r' }; | |
213 | EVP_PKEY_CTX *pctx; | |
214 | ||
fda127be | 215 | if (!TEST_ptr(pctx = EVP_MD_CTX_pkey_ctx(mctx)) |
3995de2c RL |
216 | || !TEST_int_gt(EVP_PKEY_CTX_set1_id(pctx, sm2_id, sizeof(sm2_id)), 0)) |
217 | return 0; | |
3995de2c RL |
218 | return 1; |
219 | } | |
220 | ||
221 | static int test_builtin(int n, int as) | |
0f113f3e | 222 | { |
1a31d801 BB |
223 | EC_KEY *eckey_neg = NULL, *eckey = NULL; |
224 | unsigned char dirt, offset, tbs[128]; | |
225 | unsigned char *sig = NULL; | |
226 | EVP_PKEY *pkey_neg = NULL, *pkey = NULL; | |
227 | EVP_MD_CTX *mctx = NULL; | |
228 | size_t sig_len; | |
0f113f3e | 229 | int nid, ret = 0; |
68ad17e8 | 230 | int temp; |
0f113f3e | 231 | |
1a31d801 | 232 | nid = curves[n].nid; |
0f113f3e | 233 | |
1a31d801 BB |
234 | /* skip built-in curves where ord(G) is not prime */ |
235 | if (nid == NID_ipsec4 || nid == NID_ipsec3) { | |
236 | TEST_info("skipped: ECDSA unsupported for curve %s", OBJ_nid2sn(nid)); | |
237 | return 1; | |
0f113f3e MC |
238 | } |
239 | ||
3995de2c RL |
240 | TEST_info("testing ECDSA for curve %s as %s key type", OBJ_nid2sn(nid), |
241 | as == EVP_PKEY_EC ? "EC" : "SM2"); | |
1a31d801 BB |
242 | |
243 | if (!TEST_ptr(mctx = EVP_MD_CTX_new()) | |
244 | /* get some random message data */ | |
245 | || !TEST_true(RAND_bytes(tbs, sizeof(tbs))) | |
246 | /* real key */ | |
247 | || !TEST_ptr(eckey = EC_KEY_new_by_curve_name(nid)) | |
248 | || !TEST_true(EC_KEY_generate_key(eckey)) | |
249 | || !TEST_ptr(pkey = EVP_PKEY_new()) | |
250 | || !TEST_true(EVP_PKEY_assign_EC_KEY(pkey, eckey)) | |
251 | /* fake key for negative testing */ | |
252 | || !TEST_ptr(eckey_neg = EC_KEY_new_by_curve_name(nid)) | |
253 | || !TEST_true(EC_KEY_generate_key(eckey_neg)) | |
254 | || !TEST_ptr(pkey_neg = EVP_PKEY_new()) | |
255 | || !TEST_true(EVP_PKEY_assign_EC_KEY(pkey_neg, eckey_neg))) | |
256 | goto err; | |
257 | ||
68ad17e8 | 258 | temp = ECDSA_size(eckey); |
1a31d801 | 259 | |
3995de2c RL |
260 | /* |
261 | * |as| indicates how we want to treat the key, i.e. what sort of | |
262 | * computation we want to do with it. The two choices are the key | |
263 | * types EVP_PKEY_EC and EVP_PKEY_SM2. It's perfectly possible to | |
264 | * switch back and forth between those two key types, regardless of | |
265 | * curve, even though the default is to have EVP_PKEY_SM2 for the | |
266 | * SM2 curve and EVP_PKEY_EC for all other curves. | |
267 | */ | |
268 | if (!TEST_true(EVP_PKEY_set_alias_type(pkey, as)) | |
269 | || !TEST_true(EVP_PKEY_set_alias_type(pkey_neg, as))) | |
270 | goto err; | |
271 | ||
68ad17e8 P |
272 | if (!TEST_int_ge(temp, 0) |
273 | || !TEST_ptr(sig = OPENSSL_malloc(sig_len = (size_t)temp)) | |
1a31d801 BB |
274 | /* create a signature */ |
275 | || !TEST_true(EVP_DigestSignInit(mctx, NULL, NULL, NULL, pkey)) | |
fda127be | 276 | || (as == EVP_PKEY_SM2 && !set_sm2_id(mctx, pkey)) |
1a31d801 BB |
277 | || !TEST_true(EVP_DigestSign(mctx, sig, &sig_len, tbs, sizeof(tbs))) |
278 | || !TEST_int_le(sig_len, ECDSA_size(eckey)) | |
1a31d801 | 279 | || !TEST_true(EVP_MD_CTX_reset(mctx)) |
3995de2c | 280 | /* negative test, verify with wrong key, 0 return */ |
1a31d801 | 281 | || !TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey_neg)) |
fda127be | 282 | || (as == EVP_PKEY_SM2 && !set_sm2_id(mctx, pkey_neg)) |
1a31d801 | 283 | || !TEST_int_eq(EVP_DigestVerify(mctx, sig, sig_len, tbs, sizeof(tbs)), 0) |
1a31d801 | 284 | || !TEST_true(EVP_MD_CTX_reset(mctx)) |
3995de2c | 285 | /* negative test, verify with wrong signature length, -1 return */ |
1a31d801 | 286 | || !TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey)) |
fda127be | 287 | || (as == EVP_PKEY_SM2 && !set_sm2_id(mctx, pkey)) |
1a31d801 | 288 | || !TEST_int_eq(EVP_DigestVerify(mctx, sig, sig_len - 1, tbs, sizeof(tbs)), -1) |
1a31d801 | 289 | || !TEST_true(EVP_MD_CTX_reset(mctx)) |
3995de2c | 290 | /* positive test, verify with correct key, 1 return */ |
1a31d801 | 291 | || !TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey)) |
fda127be | 292 | || (as == EVP_PKEY_SM2 && !set_sm2_id(mctx, pkey)) |
3995de2c | 293 | || !TEST_int_eq(EVP_DigestVerify(mctx, sig, sig_len, tbs, sizeof(tbs)), 1) |
3995de2c | 294 | || !TEST_true(EVP_MD_CTX_reset(mctx))) |
1a31d801 BB |
295 | goto err; |
296 | ||
297 | /* muck with the message, test it fails with 0 return */ | |
298 | tbs[0] ^= 1; | |
fda127be RL |
299 | if (!TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey)) |
300 | || (as == EVP_PKEY_SM2 && !set_sm2_id(mctx, pkey)) | |
3995de2c | 301 | || !TEST_int_eq(EVP_DigestVerify(mctx, sig, sig_len, tbs, sizeof(tbs)), 0) |
3995de2c | 302 | || !TEST_true(EVP_MD_CTX_reset(mctx))) |
1a31d801 BB |
303 | goto err; |
304 | /* un-muck and test it verifies */ | |
305 | tbs[0] ^= 1; | |
fda127be RL |
306 | if (!TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey)) |
307 | || (as == EVP_PKEY_SM2 && !set_sm2_id(mctx, pkey)) | |
3995de2c | 308 | || !TEST_int_eq(EVP_DigestVerify(mctx, sig, sig_len, tbs, sizeof(tbs)), 1) |
3995de2c | 309 | || !TEST_true(EVP_MD_CTX_reset(mctx))) |
1a31d801 BB |
310 | goto err; |
311 | ||
312 | /*- | |
313 | * Muck with the ECDSA signature. The DER encoding is one of: | |
314 | * - 30 LL 02 .. | |
315 | * - 30 81 LL 02 .. | |
316 | * | |
317 | * - Sometimes this mucks with the high level DER sequence wrapper: | |
318 | * in that case, DER-parsing of the whole signature should fail. | |
319 | * | |
320 | * - Sometimes this mucks with the DER-encoding of ECDSA.r: | |
321 | * in that case, DER-parsing of ECDSA.r should fail. | |
322 | * | |
323 | * - Sometimes this mucks with the DER-encoding of ECDSA.s: | |
324 | * in that case, DER-parsing of ECDSA.s should fail. | |
325 | * | |
326 | * - Sometimes this mucks with ECDSA.r: | |
327 | * in that case, the signature verification should fail. | |
328 | * | |
329 | * - Sometimes this mucks with ECDSA.s: | |
330 | * in that case, the signature verification should fail. | |
331 | * | |
332 | * The usual case is changing the integer value of ECDSA.r or ECDSA.s. | |
333 | * Because the ratio of DER overhead to signature bytes is small. | |
334 | * So most of the time it will be one of the last two cases. | |
335 | * | |
336 | * In any case, EVP_PKEY_verify should not return 1 for valid. | |
337 | */ | |
338 | offset = tbs[0] % sig_len; | |
339 | dirt = tbs[1] ? tbs[1] : 1; | |
340 | sig[offset] ^= dirt; | |
fda127be RL |
341 | if (!TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey)) |
342 | || (as == EVP_PKEY_SM2 && !set_sm2_id(mctx, pkey)) | |
3995de2c | 343 | || !TEST_int_ne(EVP_DigestVerify(mctx, sig, sig_len, tbs, sizeof(tbs)), 1) |
3995de2c | 344 | || !TEST_true(EVP_MD_CTX_reset(mctx))) |
1a31d801 BB |
345 | goto err; |
346 | /* un-muck and test it verifies */ | |
347 | sig[offset] ^= dirt; | |
fda127be RL |
348 | if (!TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey)) |
349 | || (as == EVP_PKEY_SM2 && !set_sm2_id(mctx, pkey)) | |
3995de2c | 350 | || !TEST_int_eq(EVP_DigestVerify(mctx, sig, sig_len, tbs, sizeof(tbs)), 1) |
3995de2c | 351 | || !TEST_true(EVP_MD_CTX_reset(mctx))) |
1a31d801 | 352 | goto err; |
0f113f3e | 353 | |
1a31d801 BB |
354 | ret = 1; |
355 | err: | |
356 | EVP_PKEY_free(pkey); | |
357 | EVP_PKEY_free(pkey_neg); | |
358 | EVP_MD_CTX_free(mctx); | |
359 | OPENSSL_free(sig); | |
0f113f3e MC |
360 | return ret; |
361 | } | |
3995de2c RL |
362 | |
363 | static int test_builtin_as_ec(int n) | |
364 | { | |
365 | return test_builtin(n, EVP_PKEY_EC); | |
366 | } | |
367 | ||
9afaa8d6 | 368 | # ifndef OPENSSL_NO_SM2 |
3995de2c RL |
369 | static int test_builtin_as_sm2(int n) |
370 | { | |
371 | return test_builtin(n, EVP_PKEY_SM2); | |
372 | } | |
9afaa8d6 MC |
373 | # endif |
374 | #endif /* OPENSSL_NO_EC */ | |
4d94ae00 | 375 | |
ad887416 | 376 | int setup_tests(void) |
0f113f3e | 377 | { |
a69de3f2 P |
378 | #ifdef OPENSSL_NO_EC |
379 | TEST_note("Elliptic curves are disabled."); | |
380 | #else | |
1a31d801 BB |
381 | /* get a list of all internal curves */ |
382 | crv_len = EC_get_builtin_curves(NULL, 0); | |
383 | if (!TEST_ptr(curves = OPENSSL_malloc(sizeof(*curves) * crv_len)) | |
384 | || !TEST_true(EC_get_builtin_curves(curves, crv_len))) | |
385 | return 0; | |
3995de2c | 386 | ADD_ALL_TESTS(test_builtin_as_ec, crv_len); |
9afaa8d6 | 387 | # ifndef OPENSSL_NO_SM2 |
3995de2c | 388 | ADD_ALL_TESTS(test_builtin_as_sm2, crv_len); |
9afaa8d6 | 389 | # endif |
1a31d801 | 390 | ADD_ALL_TESTS(x9_62_tests, OSSL_NELEM(ecdsa_cavs_kats)); |
a69de3f2 | 391 | #endif |
ad887416 | 392 | return 1; |
0f113f3e | 393 | } |
1a31d801 BB |
394 | |
395 | void cleanup_tests(void) | |
396 | { | |
397 | #ifndef OPENSSL_NO_EC | |
398 | OPENSSL_free(curves); | |
399 | #endif | |
400 | } |