2
0

ecdsatest.c 15 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423
  1. /*
  2. * Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved.
  3. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  4. *
  5. * Licensed under the Apache License 2.0 (the "License"). You may not use
  6. * this file except in compliance with the License. You can obtain a copy
  7. * in the file LICENSE in the source distribution or at
  8. * https://www.openssl.org/source/license.html
  9. */
  10. /*
  11. * Low level APIs are deprecated for public use, but still ok for internal use.
  12. */
  13. #include "internal/deprecated.h"
  14. #include <openssl/opensslconf.h> /* To see if OPENSSL_NO_EC is defined */
  15. #include "testutil.h"
  16. #ifndef OPENSSL_NO_EC
  17. # include <openssl/evp.h>
  18. # include <openssl/bn.h>
  19. # include <openssl/ec.h>
  20. # include <openssl/rand.h>
  21. # include "internal/nelem.h"
  22. # include "ecdsatest.h"
  23. static fake_random_generate_cb fbytes;
  24. static const char *numbers[2];
  25. static size_t crv_len = 0;
  26. static EC_builtin_curve *curves = NULL;
  27. static OSSL_PROVIDER *fake_rand = NULL;
  28. static int fbytes(unsigned char *buf, size_t num, ossl_unused const char *name,
  29. EVP_RAND_CTX *ctx)
  30. {
  31. int ret = 0;
  32. static int fbytes_counter = 0;
  33. BIGNUM *tmp = NULL;
  34. fake_rand_set_callback(ctx, NULL);
  35. if (!TEST_ptr(tmp = BN_new())
  36. || !TEST_int_lt(fbytes_counter, OSSL_NELEM(numbers))
  37. || !TEST_true(BN_hex2bn(&tmp, numbers[fbytes_counter]))
  38. /* tmp might need leading zeros so pad it out */
  39. || !TEST_int_le(BN_num_bytes(tmp), num)
  40. || !TEST_int_gt(BN_bn2binpad(tmp, buf, num), 0))
  41. goto err;
  42. fbytes_counter = (fbytes_counter + 1) % OSSL_NELEM(numbers);
  43. ret = 1;
  44. err:
  45. BN_free(tmp);
  46. return ret;
  47. }
  48. /*-
  49. * This function hijacks the RNG to feed it the chosen ECDSA key and nonce.
  50. * The ECDSA KATs are from:
  51. * - the X9.62 draft (4)
  52. * - NIST CAVP (720)
  53. *
  54. * It uses the low-level ECDSA_sign_setup instead of EVP to control the RNG.
  55. * NB: This is not how applications should use ECDSA; this is only for testing.
  56. *
  57. * Tests the library can successfully:
  58. * - generate public keys that matches those KATs
  59. * - create ECDSA signatures that match those KATs
  60. * - accept those signatures as valid
  61. */
  62. static int x9_62_tests(int n)
  63. {
  64. int nid, md_nid, ret = 0;
  65. const char *r_in = NULL, *s_in = NULL, *tbs = NULL;
  66. unsigned char *pbuf = NULL, *qbuf = NULL, *message = NULL;
  67. unsigned char digest[EVP_MAX_MD_SIZE];
  68. unsigned int dgst_len = 0;
  69. long q_len, msg_len = 0;
  70. size_t p_len;
  71. EVP_MD_CTX *mctx = NULL;
  72. EC_KEY *key = NULL;
  73. ECDSA_SIG *signature = NULL;
  74. BIGNUM *r = NULL, *s = NULL;
  75. BIGNUM *kinv = NULL, *rp = NULL;
  76. const BIGNUM *sig_r = NULL, *sig_s = NULL;
  77. nid = ecdsa_cavs_kats[n].nid;
  78. md_nid = ecdsa_cavs_kats[n].md_nid;
  79. r_in = ecdsa_cavs_kats[n].r;
  80. s_in = ecdsa_cavs_kats[n].s;
  81. tbs = ecdsa_cavs_kats[n].msg;
  82. numbers[0] = ecdsa_cavs_kats[n].d;
  83. numbers[1] = ecdsa_cavs_kats[n].k;
  84. TEST_info("ECDSA KATs for curve %s", OBJ_nid2sn(nid));
  85. #ifdef FIPS_MODULE
  86. if (EC_curve_nid2nist(nid) == NULL)
  87. return TEST_skip("skip non approved curves");
  88. #endif /* FIPS_MODULE */
  89. if (!TEST_ptr(mctx = EVP_MD_CTX_new())
  90. /* get the message digest */
  91. || !TEST_ptr(message = OPENSSL_hexstr2buf(tbs, &msg_len))
  92. || !TEST_true(EVP_DigestInit_ex(mctx, EVP_get_digestbynid(md_nid), NULL))
  93. || !TEST_true(EVP_DigestUpdate(mctx, message, msg_len))
  94. || !TEST_true(EVP_DigestFinal_ex(mctx, digest, &dgst_len))
  95. /* create the key */
  96. || !TEST_ptr(key = EC_KEY_new_by_curve_name(nid))
  97. /* load KAT variables */
  98. || !TEST_ptr(r = BN_new())
  99. || !TEST_ptr(s = BN_new())
  100. || !TEST_true(BN_hex2bn(&r, r_in))
  101. || !TEST_true(BN_hex2bn(&s, s_in)))
  102. goto err;
  103. /* public key must match KAT */
  104. fake_rand_set_callback(RAND_get0_private(NULL), &fbytes);
  105. if (!TEST_true(EC_KEY_generate_key(key))
  106. || !TEST_true(p_len = EC_KEY_key2buf(key, POINT_CONVERSION_UNCOMPRESSED,
  107. &pbuf, NULL))
  108. || !TEST_ptr(qbuf = OPENSSL_hexstr2buf(ecdsa_cavs_kats[n].Q, &q_len))
  109. || !TEST_int_eq(q_len, p_len)
  110. || !TEST_mem_eq(qbuf, q_len, pbuf, p_len))
  111. goto err;
  112. /* create the signature via ECDSA_sign_setup to avoid use of ECDSA nonces */
  113. fake_rand_set_callback(RAND_get0_private(NULL), &fbytes);
  114. if (!TEST_true(ECDSA_sign_setup(key, NULL, &kinv, &rp))
  115. || !TEST_ptr(signature = ECDSA_do_sign_ex(digest, dgst_len,
  116. kinv, rp, key))
  117. /* verify the signature */
  118. || !TEST_int_eq(ECDSA_do_verify(digest, dgst_len, signature, key), 1))
  119. goto err;
  120. /* compare the created signature with the expected signature */
  121. ECDSA_SIG_get0(signature, &sig_r, &sig_s);
  122. if (!TEST_BN_eq(sig_r, r)
  123. || !TEST_BN_eq(sig_s, s))
  124. goto err;
  125. ret = 1;
  126. err:
  127. OPENSSL_free(message);
  128. OPENSSL_free(pbuf);
  129. OPENSSL_free(qbuf);
  130. EC_KEY_free(key);
  131. ECDSA_SIG_free(signature);
  132. BN_free(r);
  133. BN_free(s);
  134. EVP_MD_CTX_free(mctx);
  135. BN_clear_free(kinv);
  136. BN_clear_free(rp);
  137. return ret;
  138. }
  139. /*-
  140. * Positive and negative ECDSA testing through EVP interface:
  141. * - EVP_DigestSign (this is the one-shot version)
  142. * - EVP_DigestVerify
  143. *
  144. * Tests the library can successfully:
  145. * - create a key
  146. * - create a signature
  147. * - accept that signature
  148. * - reject that signature with a different public key
  149. * - reject that signature if its length is not correct
  150. * - reject that signature after modifying the message
  151. * - accept that signature after un-modifying the message
  152. * - reject that signature after modifying the signature
  153. * - accept that signature after un-modifying the signature
  154. */
  155. static int set_sm2_id(EVP_MD_CTX *mctx, EVP_PKEY *pkey)
  156. {
  157. /* With the SM2 key type, the SM2 ID is mandatory */
  158. static const char sm2_id[] = { 1, 2, 3, 4, 'l', 'e', 't', 't', 'e', 'r' };
  159. EVP_PKEY_CTX *pctx;
  160. if (!TEST_ptr(pctx = EVP_MD_CTX_get_pkey_ctx(mctx))
  161. || !TEST_int_gt(EVP_PKEY_CTX_set1_id(pctx, sm2_id, sizeof(sm2_id)), 0))
  162. return 0;
  163. return 1;
  164. }
  165. static int test_builtin(int n, int as)
  166. {
  167. EC_KEY *eckey_neg = NULL, *eckey = NULL;
  168. unsigned char dirt, offset, tbs[128];
  169. unsigned char *sig = NULL;
  170. EVP_PKEY *pkey_neg = NULL, *pkey = NULL, *dup_pk = NULL;
  171. EVP_MD_CTX *mctx = NULL;
  172. size_t sig_len;
  173. int nid, ret = 0;
  174. int temp;
  175. nid = curves[n].nid;
  176. /* skip built-in curves where ord(G) is not prime */
  177. if (nid == NID_ipsec4 || nid == NID_ipsec3) {
  178. TEST_info("skipped: ECDSA unsupported for curve %s", OBJ_nid2sn(nid));
  179. return 1;
  180. }
  181. /*
  182. * skip SM2 curve if 'as' is equal to EVP_PKEY_EC or, skip all curves
  183. * except SM2 curve if 'as' is equal to EVP_PKEY_SM2
  184. */
  185. if (nid == NID_sm2 && as == EVP_PKEY_EC) {
  186. TEST_info("skipped: EC key type unsupported for curve %s",
  187. OBJ_nid2sn(nid));
  188. return 1;
  189. } else if (nid != NID_sm2 && as == EVP_PKEY_SM2) {
  190. TEST_info("skipped: SM2 key type unsupported for curve %s",
  191. OBJ_nid2sn(nid));
  192. return 1;
  193. }
  194. TEST_info("testing ECDSA for curve %s as %s key type", OBJ_nid2sn(nid),
  195. as == EVP_PKEY_EC ? "EC" : "SM2");
  196. if (!TEST_ptr(mctx = EVP_MD_CTX_new())
  197. /* get some random message data */
  198. || !TEST_int_gt(RAND_bytes(tbs, sizeof(tbs)), 0)
  199. /* real key */
  200. || !TEST_ptr(eckey = EC_KEY_new_by_curve_name(nid))
  201. || !TEST_true(EC_KEY_generate_key(eckey))
  202. || !TEST_ptr(pkey = EVP_PKEY_new())
  203. || !TEST_true(EVP_PKEY_assign_EC_KEY(pkey, eckey))
  204. /* fake key for negative testing */
  205. || !TEST_ptr(eckey_neg = EC_KEY_new_by_curve_name(nid))
  206. || !TEST_true(EC_KEY_generate_key(eckey_neg))
  207. || !TEST_ptr(pkey_neg = EVP_PKEY_new())
  208. || !TEST_false(EVP_PKEY_assign_EC_KEY(pkey_neg, NULL))
  209. || !TEST_true(EVP_PKEY_assign_EC_KEY(pkey_neg, eckey_neg)))
  210. goto err;
  211. if (!TEST_ptr(dup_pk = EVP_PKEY_dup(pkey))
  212. || !TEST_int_eq(EVP_PKEY_eq(pkey, dup_pk), 1))
  213. goto err;
  214. temp = ECDSA_size(eckey);
  215. if (!TEST_int_ge(temp, 0)
  216. || !TEST_ptr(sig = OPENSSL_malloc(sig_len = (size_t)temp))
  217. /* create a signature */
  218. || !TEST_true(EVP_DigestSignInit(mctx, NULL, NULL, NULL, pkey))
  219. || (as == EVP_PKEY_SM2 && !set_sm2_id(mctx, pkey))
  220. || !TEST_true(EVP_DigestSign(mctx, sig, &sig_len, tbs, sizeof(tbs)))
  221. || !TEST_int_le(sig_len, ECDSA_size(eckey))
  222. || !TEST_true(EVP_MD_CTX_reset(mctx))
  223. /* negative test, verify with wrong key, 0 return */
  224. || !TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey_neg))
  225. || (as == EVP_PKEY_SM2 && !set_sm2_id(mctx, pkey_neg))
  226. || !TEST_int_eq(EVP_DigestVerify(mctx, sig, sig_len, tbs, sizeof(tbs)), 0)
  227. || !TEST_true(EVP_MD_CTX_reset(mctx))
  228. /* negative test, verify with wrong signature length, -1 return */
  229. || !TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey))
  230. || (as == EVP_PKEY_SM2 && !set_sm2_id(mctx, pkey))
  231. || !TEST_int_eq(EVP_DigestVerify(mctx, sig, sig_len - 1, tbs, sizeof(tbs)), -1)
  232. || !TEST_true(EVP_MD_CTX_reset(mctx))
  233. /* positive test, verify with correct key, 1 return */
  234. || !TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey))
  235. || (as == EVP_PKEY_SM2 && !set_sm2_id(mctx, pkey))
  236. || !TEST_int_eq(EVP_DigestVerify(mctx, sig, sig_len, tbs, sizeof(tbs)), 1)
  237. || !TEST_true(EVP_MD_CTX_reset(mctx)))
  238. goto err;
  239. /* muck with the message, test it fails with 0 return */
  240. tbs[0] ^= 1;
  241. if (!TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey))
  242. || (as == EVP_PKEY_SM2 && !set_sm2_id(mctx, pkey))
  243. || !TEST_int_eq(EVP_DigestVerify(mctx, sig, sig_len, tbs, sizeof(tbs)), 0)
  244. || !TEST_true(EVP_MD_CTX_reset(mctx)))
  245. goto err;
  246. /* un-muck and test it verifies */
  247. tbs[0] ^= 1;
  248. if (!TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey))
  249. || (as == EVP_PKEY_SM2 && !set_sm2_id(mctx, pkey))
  250. || !TEST_int_eq(EVP_DigestVerify(mctx, sig, sig_len, tbs, sizeof(tbs)), 1)
  251. || !TEST_true(EVP_MD_CTX_reset(mctx)))
  252. goto err;
  253. /*-
  254. * Muck with the ECDSA signature. The DER encoding is one of:
  255. * - 30 LL 02 ..
  256. * - 30 81 LL 02 ..
  257. *
  258. * - Sometimes this mucks with the high level DER sequence wrapper:
  259. * in that case, DER-parsing of the whole signature should fail.
  260. *
  261. * - Sometimes this mucks with the DER-encoding of ECDSA.r:
  262. * in that case, DER-parsing of ECDSA.r should fail.
  263. *
  264. * - Sometimes this mucks with the DER-encoding of ECDSA.s:
  265. * in that case, DER-parsing of ECDSA.s should fail.
  266. *
  267. * - Sometimes this mucks with ECDSA.r:
  268. * in that case, the signature verification should fail.
  269. *
  270. * - Sometimes this mucks with ECDSA.s:
  271. * in that case, the signature verification should fail.
  272. *
  273. * The usual case is changing the integer value of ECDSA.r or ECDSA.s.
  274. * Because the ratio of DER overhead to signature bytes is small.
  275. * So most of the time it will be one of the last two cases.
  276. *
  277. * In any case, EVP_PKEY_verify should not return 1 for valid.
  278. */
  279. offset = tbs[0] % sig_len;
  280. dirt = tbs[1] ? tbs[1] : 1;
  281. sig[offset] ^= dirt;
  282. if (!TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey))
  283. || (as == EVP_PKEY_SM2 && !set_sm2_id(mctx, pkey))
  284. || !TEST_int_ne(EVP_DigestVerify(mctx, sig, sig_len, tbs, sizeof(tbs)), 1)
  285. || !TEST_true(EVP_MD_CTX_reset(mctx)))
  286. goto err;
  287. /* un-muck and test it verifies */
  288. sig[offset] ^= dirt;
  289. if (!TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey))
  290. || (as == EVP_PKEY_SM2 && !set_sm2_id(mctx, pkey))
  291. || !TEST_int_eq(EVP_DigestVerify(mctx, sig, sig_len, tbs, sizeof(tbs)), 1)
  292. || !TEST_true(EVP_MD_CTX_reset(mctx)))
  293. goto err;
  294. ret = 1;
  295. err:
  296. EVP_PKEY_free(pkey);
  297. EVP_PKEY_free(pkey_neg);
  298. EVP_PKEY_free(dup_pk);
  299. EVP_MD_CTX_free(mctx);
  300. OPENSSL_free(sig);
  301. return ret;
  302. }
  303. static int test_builtin_as_ec(int n)
  304. {
  305. return test_builtin(n, EVP_PKEY_EC);
  306. }
  307. # ifndef OPENSSL_NO_SM2
  308. static int test_builtin_as_sm2(int n)
  309. {
  310. return test_builtin(n, EVP_PKEY_SM2);
  311. }
  312. # endif
  313. static int test_ecdsa_sig_NULL(void)
  314. {
  315. int ret;
  316. unsigned int siglen0;
  317. unsigned int siglen;
  318. unsigned char dgst[128] = { 0 };
  319. EC_KEY *eckey = NULL;
  320. unsigned char *sig = NULL;
  321. BIGNUM *kinv = NULL, *rp = NULL;
  322. ret = TEST_ptr(eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1))
  323. && TEST_int_eq(EC_KEY_generate_key(eckey), 1)
  324. && TEST_int_eq(ECDSA_sign(0, dgst, sizeof(dgst), NULL, &siglen0,
  325. eckey), 1)
  326. && TEST_int_gt(siglen0, 0)
  327. && TEST_ptr(sig = OPENSSL_malloc(siglen0))
  328. && TEST_int_eq(ECDSA_sign(0, dgst, sizeof(dgst), sig, &siglen,
  329. eckey), 1)
  330. && TEST_int_gt(siglen, 0)
  331. && TEST_int_le(siglen, siglen0)
  332. && TEST_int_eq(ECDSA_verify(0, dgst, sizeof(dgst), sig, siglen,
  333. eckey), 1)
  334. && TEST_int_eq(ECDSA_sign_setup(eckey, NULL, &kinv, &rp), 1)
  335. && TEST_int_eq(ECDSA_sign_ex(0, dgst, sizeof(dgst), NULL, &siglen,
  336. kinv, rp, eckey), 1)
  337. && TEST_int_gt(siglen, 0)
  338. && TEST_int_le(siglen, siglen0)
  339. && TEST_int_eq(ECDSA_sign_ex(0, dgst, sizeof(dgst), sig, &siglen0,
  340. kinv, rp, eckey), 1)
  341. && TEST_int_eq(siglen, siglen0)
  342. && TEST_int_eq(ECDSA_verify(0, dgst, sizeof(dgst), sig, siglen,
  343. eckey), 1);
  344. EC_KEY_free(eckey);
  345. OPENSSL_free(sig);
  346. BN_free(kinv);
  347. BN_free(rp);
  348. return ret;
  349. }
  350. #endif /* OPENSSL_NO_EC */
  351. int setup_tests(void)
  352. {
  353. #ifdef OPENSSL_NO_EC
  354. TEST_note("Elliptic curves are disabled.");
  355. #else
  356. fake_rand = fake_rand_start(NULL);
  357. if (fake_rand == NULL)
  358. return 0;
  359. /* get a list of all internal curves */
  360. crv_len = EC_get_builtin_curves(NULL, 0);
  361. if (!TEST_ptr(curves = OPENSSL_malloc(sizeof(*curves) * crv_len))
  362. || !TEST_true(EC_get_builtin_curves(curves, crv_len))) {
  363. fake_rand_finish(fake_rand);
  364. return 0;
  365. }
  366. ADD_ALL_TESTS(test_builtin_as_ec, crv_len);
  367. ADD_TEST(test_ecdsa_sig_NULL);
  368. # ifndef OPENSSL_NO_SM2
  369. ADD_ALL_TESTS(test_builtin_as_sm2, crv_len);
  370. # endif
  371. ADD_ALL_TESTS(x9_62_tests, OSSL_NELEM(ecdsa_cavs_kats));
  372. #endif
  373. return 1;
  374. }
  375. void cleanup_tests(void)
  376. {
  377. #ifndef OPENSSL_NO_EC
  378. fake_rand_finish(fake_rand);
  379. OPENSSL_free(curves);
  380. #endif
  381. }