1/* BEGIN_HEADER */ 2#include "mbedtls/ecdsa.h" 3/* END_HEADER */ 4 5/* BEGIN_DEPENDENCIES 6 * depends_on:MBEDTLS_ECDSA_C 7 * END_DEPENDENCIES 8 */ 9 10/* BEGIN_CASE depends_on:MBEDTLS_CHECK_PARAMS:!MBEDTLS_PARAM_FAILED_ALT */ 11void ecdsa_invalid_param() 12{ 13 mbedtls_ecdsa_context ctx; 14 mbedtls_ecp_keypair key; 15 mbedtls_ecp_group grp; 16 mbedtls_ecp_group_id valid_group = MBEDTLS_ECP_DP_SECP192R1; 17 mbedtls_ecp_point P; 18 mbedtls_md_type_t valid_md = MBEDTLS_MD_SHA256; 19 mbedtls_mpi m; 20 size_t slen; 21 unsigned char buf[42] = { 0 }; 22 23 mbedtls_ecdsa_init(&ctx); 24 mbedtls_ecp_keypair_init(&key); 25 mbedtls_ecp_group_init(&grp); 26 mbedtls_ecp_point_init(&P); 27 mbedtls_mpi_init(&m); 28 29 TEST_INVALID_PARAM(mbedtls_ecdsa_init(NULL)); 30 TEST_VALID_PARAM(mbedtls_ecdsa_free(NULL)); 31 32#if defined(MBEDTLS_ECP_RESTARTABLE) 33 TEST_INVALID_PARAM(mbedtls_ecdsa_restart_init(NULL)); 34 TEST_VALID_PARAM(mbedtls_ecdsa_restart_free(NULL)); 35#endif /* MBEDTLS_ECP_RESTARTABLE */ 36 37 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 38 mbedtls_ecdsa_sign(NULL, &m, &m, &m, 39 buf, sizeof(buf), 40 mbedtls_test_rnd_std_rand, 41 NULL)); 42 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 43 mbedtls_ecdsa_sign(&grp, NULL, &m, &m, 44 buf, sizeof(buf), 45 mbedtls_test_rnd_std_rand, 46 NULL)); 47 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 48 mbedtls_ecdsa_sign(&grp, &m, NULL, &m, 49 buf, sizeof(buf), 50 mbedtls_test_rnd_std_rand, 51 NULL)); 52 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 53 mbedtls_ecdsa_sign(&grp, &m, &m, NULL, 54 buf, sizeof(buf), 55 mbedtls_test_rnd_std_rand, 56 NULL)); 57 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 58 mbedtls_ecdsa_sign(&grp, &m, &m, &m, 59 NULL, sizeof(buf), 60 mbedtls_test_rnd_std_rand, 61 NULL)); 62 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 63 mbedtls_ecdsa_sign(&grp, &m, &m, &m, 64 buf, sizeof(buf), 65 NULL, NULL)); 66 67#if defined(MBEDTLS_ECDSA_DETERMINISTIC) 68 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 69 mbedtls_ecdsa_sign_det_ext(NULL, &m, &m, &m, 70 buf, sizeof(buf), 71 valid_md, 72 mbedtls_test_rnd_std_rand, 73 NULL)); 74 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 75 mbedtls_ecdsa_sign_det_ext(&grp, NULL, &m, &m, 76 buf, sizeof(buf), 77 valid_md, 78 mbedtls_test_rnd_std_rand, 79 NULL)); 80 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 81 mbedtls_ecdsa_sign_det_ext(&grp, &m, NULL, &m, 82 buf, sizeof(buf), 83 valid_md, 84 mbedtls_test_rnd_std_rand, 85 NULL)); 86 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 87 mbedtls_ecdsa_sign_det_ext(&grp, &m, &m, NULL, 88 buf, sizeof(buf), 89 valid_md, 90 mbedtls_test_rnd_std_rand, 91 NULL)); 92 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 93 mbedtls_ecdsa_sign_det_ext(&grp, &m, &m, &m, 94 NULL, sizeof(buf), 95 valid_md, 96 mbedtls_test_rnd_std_rand, 97 NULL)); 98#endif /* MBEDTLS_ECDSA_DETERMINISTIC */ 99 100 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 101 mbedtls_ecdsa_verify(NULL, 102 buf, sizeof(buf), 103 &P, &m, &m)); 104 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 105 mbedtls_ecdsa_verify(&grp, 106 NULL, sizeof(buf), 107 &P, &m, &m)); 108 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 109 mbedtls_ecdsa_verify(&grp, 110 buf, sizeof(buf), 111 NULL, &m, &m)); 112 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 113 mbedtls_ecdsa_verify(&grp, 114 buf, sizeof(buf), 115 &P, NULL, &m)); 116 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 117 mbedtls_ecdsa_verify(&grp, 118 buf, sizeof(buf), 119 &P, &m, NULL)); 120 121 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 122 mbedtls_ecdsa_write_signature(NULL, valid_md, buf, sizeof(buf), 123 buf, &slen, mbedtls_test_rnd_std_rand, 124 NULL)); 125 126 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 127 mbedtls_ecdsa_write_signature(&ctx, valid_md, NULL, sizeof(buf), 128 buf, &slen, mbedtls_test_rnd_std_rand, 129 NULL)); 130 131 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 132 mbedtls_ecdsa_write_signature(&ctx, valid_md, buf, sizeof(buf), 133 NULL, &slen, mbedtls_test_rnd_std_rand, 134 NULL)); 135 136 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 137 mbedtls_ecdsa_write_signature(&ctx, valid_md, buf, sizeof(buf), 138 buf, NULL, mbedtls_test_rnd_std_rand, 139 NULL)); 140 141 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 142 mbedtls_ecdsa_write_signature_restartable(NULL, valid_md, buf, 143 sizeof(buf), buf, &slen, 144 mbedtls_test_rnd_std_rand, 145 NULL, NULL)); 146 147 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 148 mbedtls_ecdsa_write_signature_restartable(&ctx, valid_md, NULL, 149 sizeof(buf), buf, &slen, 150 mbedtls_test_rnd_std_rand, 151 NULL, NULL)); 152 153 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 154 mbedtls_ecdsa_write_signature_restartable(&ctx, valid_md, buf, 155 sizeof(buf), NULL, &slen, 156 mbedtls_test_rnd_std_rand, 157 NULL, NULL)); 158 159 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 160 mbedtls_ecdsa_write_signature_restartable(&ctx, valid_md, buf, 161 sizeof(buf), buf, NULL, 162 mbedtls_test_rnd_std_rand, 163 NULL, NULL)); 164 165 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 166 mbedtls_ecdsa_read_signature(NULL, 167 buf, sizeof(buf), 168 buf, sizeof(buf))); 169 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 170 mbedtls_ecdsa_read_signature(&ctx, 171 NULL, sizeof(buf), 172 buf, sizeof(buf))); 173 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 174 mbedtls_ecdsa_read_signature(&ctx, 175 buf, sizeof(buf), 176 NULL, sizeof(buf))); 177 178 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 179 mbedtls_ecdsa_read_signature_restartable(NULL, 180 buf, sizeof(buf), 181 buf, sizeof(buf), 182 NULL)); 183 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 184 mbedtls_ecdsa_read_signature_restartable(&ctx, 185 NULL, sizeof(buf), 186 buf, sizeof(buf), 187 NULL)); 188 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 189 mbedtls_ecdsa_read_signature_restartable(&ctx, 190 buf, sizeof(buf), 191 NULL, sizeof(buf), 192 NULL)); 193 194 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 195 mbedtls_ecdsa_genkey(NULL, valid_group, 196 mbedtls_test_rnd_std_rand, 197 NULL)); 198 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 199 mbedtls_ecdsa_genkey(&ctx, valid_group, 200 NULL, NULL)); 201 202 203 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 204 mbedtls_ecdsa_from_keypair(NULL, &key)); 205 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 206 mbedtls_ecdsa_from_keypair(&ctx, NULL)); 207 208exit: 209 mbedtls_ecdsa_free(&ctx); 210 mbedtls_ecp_keypair_free(&key); 211 mbedtls_ecp_group_free(&grp); 212 mbedtls_ecp_point_free(&P); 213 mbedtls_mpi_free(&m); 214 215 return; 216} 217/* END_CASE */ 218 219/* BEGIN_CASE */ 220void ecdsa_prim_zero(int id) 221{ 222 mbedtls_ecp_group grp; 223 mbedtls_ecp_point Q; 224 mbedtls_mpi d, r, s; 225 mbedtls_test_rnd_pseudo_info rnd_info; 226 unsigned char buf[MBEDTLS_MD_MAX_SIZE]; 227 228 mbedtls_ecp_group_init(&grp); 229 mbedtls_ecp_point_init(&Q); 230 mbedtls_mpi_init(&d); mbedtls_mpi_init(&r); mbedtls_mpi_init(&s); 231 memset(&rnd_info, 0x00, sizeof(mbedtls_test_rnd_pseudo_info)); 232 memset(buf, 0, sizeof(buf)); 233 234 TEST_ASSERT(mbedtls_ecp_group_load(&grp, id) == 0); 235 TEST_ASSERT(mbedtls_ecp_gen_keypair(&grp, &d, &Q, 236 &mbedtls_test_rnd_pseudo_rand, 237 &rnd_info) == 0); 238 239 TEST_ASSERT(mbedtls_ecdsa_sign(&grp, &r, &s, &d, buf, sizeof(buf), 240 &mbedtls_test_rnd_pseudo_rand, 241 &rnd_info) == 0); 242 TEST_ASSERT(mbedtls_ecdsa_verify(&grp, buf, sizeof(buf), &Q, &r, &s) == 0); 243 244exit: 245 mbedtls_ecp_group_free(&grp); 246 mbedtls_ecp_point_free(&Q); 247 mbedtls_mpi_free(&d); mbedtls_mpi_free(&r); mbedtls_mpi_free(&s); 248} 249/* END_CASE */ 250 251/* BEGIN_CASE */ 252void ecdsa_prim_random(int id) 253{ 254 mbedtls_ecp_group grp; 255 mbedtls_ecp_point Q; 256 mbedtls_mpi d, r, s; 257 mbedtls_test_rnd_pseudo_info rnd_info; 258 unsigned char buf[MBEDTLS_MD_MAX_SIZE]; 259 260 mbedtls_ecp_group_init(&grp); 261 mbedtls_ecp_point_init(&Q); 262 mbedtls_mpi_init(&d); mbedtls_mpi_init(&r); mbedtls_mpi_init(&s); 263 memset(&rnd_info, 0x00, sizeof(mbedtls_test_rnd_pseudo_info)); 264 memset(buf, 0, sizeof(buf)); 265 266 /* prepare material for signature */ 267 TEST_ASSERT(mbedtls_test_rnd_pseudo_rand(&rnd_info, 268 buf, sizeof(buf)) == 0); 269 TEST_ASSERT(mbedtls_ecp_group_load(&grp, id) == 0); 270 TEST_ASSERT(mbedtls_ecp_gen_keypair(&grp, &d, &Q, 271 &mbedtls_test_rnd_pseudo_rand, 272 &rnd_info) == 0); 273 274 TEST_ASSERT(mbedtls_ecdsa_sign(&grp, &r, &s, &d, buf, sizeof(buf), 275 &mbedtls_test_rnd_pseudo_rand, 276 &rnd_info) == 0); 277 TEST_ASSERT(mbedtls_ecdsa_verify(&grp, buf, sizeof(buf), &Q, &r, &s) == 0); 278 279exit: 280 mbedtls_ecp_group_free(&grp); 281 mbedtls_ecp_point_free(&Q); 282 mbedtls_mpi_free(&d); mbedtls_mpi_free(&r); mbedtls_mpi_free(&s); 283} 284/* END_CASE */ 285 286/* BEGIN_CASE */ 287void ecdsa_prim_test_vectors(int id, char *d_str, char *xQ_str, 288 char *yQ_str, data_t *rnd_buf, 289 data_t *hash, char *r_str, char *s_str, 290 int result) 291{ 292 mbedtls_ecp_group grp; 293 mbedtls_ecp_point Q; 294 mbedtls_mpi d, r, s, r_check, s_check, zero; 295 mbedtls_test_rnd_buf_info rnd_info; 296 297 mbedtls_ecp_group_init(&grp); 298 mbedtls_ecp_point_init(&Q); 299 mbedtls_mpi_init(&d); mbedtls_mpi_init(&r); mbedtls_mpi_init(&s); 300 mbedtls_mpi_init(&r_check); mbedtls_mpi_init(&s_check); 301 mbedtls_mpi_init(&zero); 302 303 TEST_ASSERT(mbedtls_ecp_group_load(&grp, id) == 0); 304 TEST_ASSERT(mbedtls_ecp_point_read_string(&Q, 16, xQ_str, yQ_str) == 0); 305 TEST_ASSERT(mbedtls_test_read_mpi(&d, d_str) == 0); 306 TEST_ASSERT(mbedtls_test_read_mpi(&r_check, r_str) == 0); 307 TEST_ASSERT(mbedtls_test_read_mpi(&s_check, s_str) == 0); 308 rnd_info.fallback_f_rng = mbedtls_test_rnd_std_rand; 309 rnd_info.fallback_p_rng = NULL; 310 rnd_info.buf = rnd_buf->x; 311 rnd_info.length = rnd_buf->len; 312 313 /* Fix rnd_buf->x by shifting it left if necessary */ 314 if (grp.nbits % 8 != 0) { 315 unsigned char shift = 8 - (grp.nbits % 8); 316 size_t i; 317 318 for (i = 0; i < rnd_info.length - 1; i++) { 319 rnd_buf->x[i] = rnd_buf->x[i] << shift | rnd_buf->x[i+1] >> (8 - shift); 320 } 321 322 rnd_buf->x[rnd_info.length-1] <<= shift; 323 } 324 325 TEST_ASSERT(mbedtls_ecdsa_sign(&grp, &r, &s, &d, hash->x, hash->len, 326 mbedtls_test_rnd_buffer_rand, &rnd_info) == result); 327 328 if (result == 0) { 329 /* Check we generated the expected values */ 330 TEST_EQUAL(mbedtls_mpi_cmp_mpi(&r, &r_check), 0); 331 TEST_EQUAL(mbedtls_mpi_cmp_mpi(&s, &s_check), 0); 332 333 /* Valid signature */ 334 TEST_EQUAL(mbedtls_ecdsa_verify(&grp, hash->x, hash->len, 335 &Q, &r_check, &s_check), 0); 336 337 /* Invalid signature: wrong public key (G instead of Q) */ 338 TEST_EQUAL(mbedtls_ecdsa_verify(&grp, hash->x, hash->len, 339 &grp.G, &r_check, &s_check), MBEDTLS_ERR_ECP_VERIFY_FAILED); 340 341 /* Invalid signatures: r or s or both one off */ 342 TEST_EQUAL(mbedtls_mpi_sub_int(&r, &r_check, 1), 0); 343 TEST_EQUAL(mbedtls_mpi_add_int(&s, &s_check, 1), 0); 344 345 TEST_EQUAL(mbedtls_ecdsa_verify(&grp, hash->x, hash->len, &Q, 346 &r, &s_check), MBEDTLS_ERR_ECP_VERIFY_FAILED); 347 TEST_EQUAL(mbedtls_ecdsa_verify(&grp, hash->x, hash->len, &Q, 348 &r_check, &s), MBEDTLS_ERR_ECP_VERIFY_FAILED); 349 TEST_EQUAL(mbedtls_ecdsa_verify(&grp, hash->x, hash->len, &Q, 350 &r, &s), MBEDTLS_ERR_ECP_VERIFY_FAILED); 351 352 /* Invalid signatures: r, s or both (CVE-2022-21449) are zero */ 353 TEST_EQUAL(mbedtls_mpi_lset(&zero, 0), 0); 354 355 TEST_EQUAL(mbedtls_ecdsa_verify(&grp, hash->x, hash->len, &Q, 356 &zero, &s_check), MBEDTLS_ERR_ECP_VERIFY_FAILED); 357 TEST_EQUAL(mbedtls_ecdsa_verify(&grp, hash->x, hash->len, &Q, 358 &r_check, &zero), MBEDTLS_ERR_ECP_VERIFY_FAILED); 359 TEST_EQUAL(mbedtls_ecdsa_verify(&grp, hash->x, hash->len, &Q, 360 &zero, &zero), MBEDTLS_ERR_ECP_VERIFY_FAILED); 361 362 /* Invalid signatures: r, s or both are == N */ 363 TEST_EQUAL(mbedtls_ecdsa_verify(&grp, hash->x, hash->len, &Q, 364 &grp.N, &s_check), MBEDTLS_ERR_ECP_VERIFY_FAILED); 365 TEST_EQUAL(mbedtls_ecdsa_verify(&grp, hash->x, hash->len, &Q, 366 &r_check, &grp.N), MBEDTLS_ERR_ECP_VERIFY_FAILED); 367 TEST_EQUAL(mbedtls_ecdsa_verify(&grp, hash->x, hash->len, &Q, 368 &grp.N, &grp.N), MBEDTLS_ERR_ECP_VERIFY_FAILED); 369 370 /* Invalid signatures: r, s or both are negative */ 371 TEST_EQUAL(mbedtls_mpi_sub_mpi(&r, &r_check, &grp.N), 0); 372 TEST_EQUAL(mbedtls_mpi_sub_mpi(&s, &s_check, &grp.N), 0); 373 374 TEST_EQUAL(mbedtls_ecdsa_verify(&grp, hash->x, hash->len, &Q, 375 &r, &s_check), MBEDTLS_ERR_ECP_VERIFY_FAILED); 376 TEST_EQUAL(mbedtls_ecdsa_verify(&grp, hash->x, hash->len, &Q, 377 &r_check, &s), MBEDTLS_ERR_ECP_VERIFY_FAILED); 378 TEST_EQUAL(mbedtls_ecdsa_verify(&grp, hash->x, hash->len, &Q, 379 &r, &s), MBEDTLS_ERR_ECP_VERIFY_FAILED); 380 381 /* Invalid signatures: r or s or both are > N */ 382 TEST_EQUAL(mbedtls_mpi_add_mpi(&r, &r_check, &grp.N), 0); 383 TEST_EQUAL(mbedtls_mpi_add_mpi(&s, &s_check, &grp.N), 0); 384 385 TEST_EQUAL(mbedtls_ecdsa_verify(&grp, hash->x, hash->len, &Q, 386 &r, &s_check), MBEDTLS_ERR_ECP_VERIFY_FAILED); 387 TEST_EQUAL(mbedtls_ecdsa_verify(&grp, hash->x, hash->len, &Q, 388 &r_check, &s), MBEDTLS_ERR_ECP_VERIFY_FAILED); 389 TEST_EQUAL(mbedtls_ecdsa_verify(&grp, hash->x, hash->len, &Q, 390 &r, &s), MBEDTLS_ERR_ECP_VERIFY_FAILED); 391 } 392 393exit: 394 mbedtls_ecp_group_free(&grp); 395 mbedtls_ecp_point_free(&Q); 396 mbedtls_mpi_free(&d); mbedtls_mpi_free(&r); mbedtls_mpi_free(&s); 397 mbedtls_mpi_free(&r_check); mbedtls_mpi_free(&s_check); 398 mbedtls_mpi_free(&zero); 399} 400/* END_CASE */ 401 402/* BEGIN_CASE depends_on:MBEDTLS_ECDSA_DETERMINISTIC */ 403void ecdsa_det_test_vectors(int id, char *d_str, int md_alg, char *msg, 404 char *r_str, char *s_str) 405{ 406 mbedtls_ecp_group grp; 407 mbedtls_mpi d, r, s, r_check, s_check; 408 unsigned char hash[MBEDTLS_MD_MAX_SIZE]; 409 size_t hlen; 410 const mbedtls_md_info_t *md_info; 411 412 mbedtls_ecp_group_init(&grp); 413 mbedtls_mpi_init(&d); mbedtls_mpi_init(&r); mbedtls_mpi_init(&s); 414 mbedtls_mpi_init(&r_check); mbedtls_mpi_init(&s_check); 415 memset(hash, 0, sizeof(hash)); 416 417 TEST_ASSERT(mbedtls_ecp_group_load(&grp, id) == 0); 418 TEST_ASSERT(mbedtls_test_read_mpi(&d, d_str) == 0); 419 TEST_ASSERT(mbedtls_test_read_mpi(&r_check, r_str) == 0); 420 TEST_ASSERT(mbedtls_test_read_mpi(&s_check, s_str) == 0); 421 422 md_info = mbedtls_md_info_from_type(md_alg); 423 TEST_ASSERT(md_info != NULL); 424 hlen = mbedtls_md_get_size(md_info); 425 TEST_ASSERT(mbedtls_md(md_info, (const unsigned char *) msg, 426 strlen(msg), hash) == 0); 427 428 TEST_ASSERT( 429 mbedtls_ecdsa_sign_det_ext(&grp, &r, &s, &d, hash, hlen, 430 md_alg, mbedtls_test_rnd_std_rand, 431 NULL) 432 == 0); 433 434 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&r, &r_check) == 0); 435 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&s, &s_check) == 0); 436 437exit: 438 mbedtls_ecp_group_free(&grp); 439 mbedtls_mpi_free(&d); mbedtls_mpi_free(&r); mbedtls_mpi_free(&s); 440 mbedtls_mpi_free(&r_check); mbedtls_mpi_free(&s_check); 441} 442/* END_CASE */ 443 444/* BEGIN_CASE depends_on:MBEDTLS_SHA256_C */ 445void ecdsa_write_read_zero(int id) 446{ 447 mbedtls_ecdsa_context ctx; 448 mbedtls_test_rnd_pseudo_info rnd_info; 449 unsigned char hash[32]; 450 unsigned char sig[200]; 451 size_t sig_len, i; 452 453 mbedtls_ecdsa_init(&ctx); 454 memset(&rnd_info, 0x00, sizeof(mbedtls_test_rnd_pseudo_info)); 455 memset(hash, 0, sizeof(hash)); 456 memset(sig, 0x2a, sizeof(sig)); 457 458 /* generate signing key */ 459 TEST_ASSERT(mbedtls_ecdsa_genkey(&ctx, id, 460 &mbedtls_test_rnd_pseudo_rand, 461 &rnd_info) == 0); 462 463 /* generate and write signature, then read and verify it */ 464 TEST_ASSERT(mbedtls_ecdsa_write_signature(&ctx, MBEDTLS_MD_SHA256, 465 hash, sizeof(hash), 466 sig, &sig_len, &mbedtls_test_rnd_pseudo_rand, 467 &rnd_info) == 0); 468 TEST_ASSERT(mbedtls_ecdsa_read_signature(&ctx, hash, sizeof(hash), 469 sig, sig_len) == 0); 470 471 /* check we didn't write past the announced length */ 472 for (i = sig_len; i < sizeof(sig); i++) { 473 TEST_ASSERT(sig[i] == 0x2a); 474 } 475 476 /* try verification with invalid length */ 477 TEST_ASSERT(mbedtls_ecdsa_read_signature(&ctx, hash, sizeof(hash), 478 sig, sig_len - 1) != 0); 479 TEST_ASSERT(mbedtls_ecdsa_read_signature(&ctx, hash, sizeof(hash), 480 sig, sig_len + 1) != 0); 481 482 /* try invalid sequence tag */ 483 sig[0]++; 484 TEST_ASSERT(mbedtls_ecdsa_read_signature(&ctx, hash, sizeof(hash), 485 sig, sig_len) != 0); 486 sig[0]--; 487 488 /* try modifying r */ 489 sig[10]++; 490 TEST_ASSERT(mbedtls_ecdsa_read_signature(&ctx, hash, sizeof(hash), 491 sig, sig_len) == MBEDTLS_ERR_ECP_VERIFY_FAILED); 492 sig[10]--; 493 494 /* try modifying s */ 495 sig[sig_len - 1]++; 496 TEST_ASSERT(mbedtls_ecdsa_read_signature(&ctx, hash, sizeof(hash), 497 sig, sig_len) == MBEDTLS_ERR_ECP_VERIFY_FAILED); 498 sig[sig_len - 1]--; 499 500exit: 501 mbedtls_ecdsa_free(&ctx); 502} 503/* END_CASE */ 504 505/* BEGIN_CASE depends_on:MBEDTLS_SHA256_C */ 506void ecdsa_write_read_random(int id) 507{ 508 mbedtls_ecdsa_context ctx; 509 mbedtls_test_rnd_pseudo_info rnd_info; 510 unsigned char hash[32]; 511 unsigned char sig[200]; 512 size_t sig_len, i; 513 514 mbedtls_ecdsa_init(&ctx); 515 memset(&rnd_info, 0x00, sizeof(mbedtls_test_rnd_pseudo_info)); 516 memset(hash, 0, sizeof(hash)); 517 memset(sig, 0x2a, sizeof(sig)); 518 519 /* prepare material for signature */ 520 TEST_ASSERT(mbedtls_test_rnd_pseudo_rand(&rnd_info, 521 hash, sizeof(hash)) == 0); 522 523 /* generate signing key */ 524 TEST_ASSERT(mbedtls_ecdsa_genkey(&ctx, id, 525 &mbedtls_test_rnd_pseudo_rand, 526 &rnd_info) == 0); 527 528 /* generate and write signature, then read and verify it */ 529 TEST_ASSERT(mbedtls_ecdsa_write_signature(&ctx, MBEDTLS_MD_SHA256, 530 hash, sizeof(hash), 531 sig, &sig_len, &mbedtls_test_rnd_pseudo_rand, 532 &rnd_info) == 0); 533 TEST_ASSERT(mbedtls_ecdsa_read_signature(&ctx, hash, sizeof(hash), 534 sig, sig_len) == 0); 535 536 /* check we didn't write past the announced length */ 537 for (i = sig_len; i < sizeof(sig); i++) { 538 TEST_ASSERT(sig[i] == 0x2a); 539 } 540 541 /* try verification with invalid length */ 542 TEST_ASSERT(mbedtls_ecdsa_read_signature(&ctx, hash, sizeof(hash), 543 sig, sig_len - 1) != 0); 544 TEST_ASSERT(mbedtls_ecdsa_read_signature(&ctx, hash, sizeof(hash), 545 sig, sig_len + 1) != 0); 546 547 /* try invalid sequence tag */ 548 sig[0]++; 549 TEST_ASSERT(mbedtls_ecdsa_read_signature(&ctx, hash, sizeof(hash), 550 sig, sig_len) != 0); 551 sig[0]--; 552 553 /* try modifying r */ 554 sig[10]++; 555 TEST_ASSERT(mbedtls_ecdsa_read_signature(&ctx, hash, sizeof(hash), 556 sig, sig_len) == MBEDTLS_ERR_ECP_VERIFY_FAILED); 557 sig[10]--; 558 559 /* try modifying s */ 560 sig[sig_len - 1]++; 561 TEST_ASSERT(mbedtls_ecdsa_read_signature(&ctx, hash, sizeof(hash), 562 sig, sig_len) == MBEDTLS_ERR_ECP_VERIFY_FAILED); 563 sig[sig_len - 1]--; 564 565exit: 566 mbedtls_ecdsa_free(&ctx); 567} 568/* END_CASE */ 569 570/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */ 571void ecdsa_read_restart(int id, data_t *pk, data_t *hash, data_t *sig, 572 int max_ops, int min_restart, int max_restart) 573{ 574 mbedtls_ecdsa_context ctx; 575 mbedtls_ecdsa_restart_ctx rs_ctx; 576 int ret, cnt_restart; 577 578 mbedtls_ecdsa_init(&ctx); 579 mbedtls_ecdsa_restart_init(&rs_ctx); 580 581 TEST_ASSERT(mbedtls_ecp_group_load(&ctx.grp, id) == 0); 582 TEST_ASSERT(mbedtls_ecp_point_read_binary(&ctx.grp, &ctx.Q, 583 pk->x, pk->len) == 0); 584 585 mbedtls_ecp_set_max_ops(max_ops); 586 587 cnt_restart = 0; 588 do { 589 ret = mbedtls_ecdsa_read_signature_restartable(&ctx, 590 hash->x, hash->len, sig->x, sig->len, 591 &rs_ctx); 592 } while (ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restart); 593 594 TEST_ASSERT(ret == 0); 595 TEST_ASSERT(cnt_restart >= min_restart); 596 TEST_ASSERT(cnt_restart <= max_restart); 597 598 /* try modifying r */ 599 600 TEST_ASSERT(sig->len > 10); 601 sig->x[10]++; 602 do { 603 ret = mbedtls_ecdsa_read_signature_restartable(&ctx, 604 hash->x, hash->len, sig->x, sig->len, 605 &rs_ctx); 606 } while (ret == MBEDTLS_ERR_ECP_IN_PROGRESS); 607 TEST_ASSERT(ret == MBEDTLS_ERR_ECP_VERIFY_FAILED); 608 sig->x[10]--; 609 610 /* try modifying s */ 611 sig->x[sig->len - 1]++; 612 do { 613 ret = mbedtls_ecdsa_read_signature_restartable(&ctx, 614 hash->x, hash->len, sig->x, sig->len, 615 &rs_ctx); 616 } while (ret == MBEDTLS_ERR_ECP_IN_PROGRESS); 617 TEST_ASSERT(ret == MBEDTLS_ERR_ECP_VERIFY_FAILED); 618 sig->x[sig->len - 1]--; 619 620 /* Do we leak memory when aborting an operation? 621 * This test only makes sense when we actually restart */ 622 if (min_restart > 0) { 623 ret = mbedtls_ecdsa_read_signature_restartable(&ctx, 624 hash->x, hash->len, sig->x, sig->len, 625 &rs_ctx); 626 TEST_ASSERT(ret == MBEDTLS_ERR_ECP_IN_PROGRESS); 627 } 628 629exit: 630 mbedtls_ecdsa_free(&ctx); 631 mbedtls_ecdsa_restart_free(&rs_ctx); 632} 633/* END_CASE */ 634 635/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE:MBEDTLS_ECDSA_DETERMINISTIC */ 636void ecdsa_write_restart(int id, char *d_str, int md_alg, 637 char *msg, data_t *sig_check, 638 int max_ops, int min_restart, int max_restart) 639{ 640 int ret, cnt_restart; 641 mbedtls_ecdsa_restart_ctx rs_ctx; 642 mbedtls_ecdsa_context ctx; 643 unsigned char hash[MBEDTLS_MD_MAX_SIZE]; 644 unsigned char sig[MBEDTLS_ECDSA_MAX_LEN]; 645 size_t hlen, slen; 646 const mbedtls_md_info_t *md_info; 647 648 mbedtls_ecdsa_restart_init(&rs_ctx); 649 mbedtls_ecdsa_init(&ctx); 650 memset(hash, 0, sizeof(hash)); 651 memset(sig, 0, sizeof(sig)); 652 653 TEST_ASSERT(mbedtls_ecp_group_load(&ctx.grp, id) == 0); 654 TEST_ASSERT(mbedtls_test_read_mpi(&ctx.d, d_str) == 0); 655 656 md_info = mbedtls_md_info_from_type(md_alg); 657 TEST_ASSERT(md_info != NULL); 658 659 hlen = mbedtls_md_get_size(md_info); 660 TEST_ASSERT(mbedtls_md(md_info, 661 (const unsigned char *) msg, strlen(msg), 662 hash) == 0); 663 664 mbedtls_ecp_set_max_ops(max_ops); 665 666 slen = sizeof(sig); 667 cnt_restart = 0; 668 do { 669 ret = mbedtls_ecdsa_write_signature_restartable(&ctx, 670 md_alg, 671 hash, 672 hlen, 673 sig, 674 &slen, 675 NULL, 676 NULL, 677 &rs_ctx); 678 } while (ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restart); 679 680 TEST_ASSERT(ret == 0); 681 TEST_ASSERT(slen == sig_check->len); 682 TEST_ASSERT(memcmp(sig, sig_check->x, slen) == 0); 683 684 TEST_ASSERT(cnt_restart >= min_restart); 685 TEST_ASSERT(cnt_restart <= max_restart); 686 687 /* Do we leak memory when aborting an operation? 688 * This test only makes sense when we actually restart */ 689 if (min_restart > 0) { 690 ret = mbedtls_ecdsa_write_signature_restartable(&ctx, 691 md_alg, 692 hash, 693 hlen, 694 sig, 695 &slen, 696 NULL, 697 NULL, 698 &rs_ctx); 699 TEST_ASSERT(ret == MBEDTLS_ERR_ECP_IN_PROGRESS); 700 } 701 702exit: 703 mbedtls_ecdsa_restart_free(&rs_ctx); 704 mbedtls_ecdsa_free(&ctx); 705} 706/* END_CASE */ 707 708/* BEGIN_CASE */ 709void ecdsa_verify(int grp_id, char *x, char *y, char *r, char *s, data_t *content, int expected) 710{ 711 mbedtls_ecdsa_context ctx; 712 mbedtls_mpi sig_r, sig_s; 713 714 mbedtls_ecdsa_init(&ctx); 715 mbedtls_mpi_init(&sig_r); 716 mbedtls_mpi_init(&sig_s); 717 718 /* Prepare ECP group context */ 719 TEST_EQUAL(mbedtls_ecp_group_load(&ctx.grp, grp_id), 0); 720 721 /* Prepare public key */ 722 TEST_EQUAL(mbedtls_test_read_mpi(&ctx.Q.X, x), 0); 723 TEST_EQUAL(mbedtls_test_read_mpi(&ctx.Q.Y, y), 0); 724 TEST_EQUAL(mbedtls_mpi_lset(&ctx.Q.Z, 1), 0); 725 726 /* Prepare signature R & S */ 727 TEST_EQUAL(mbedtls_test_read_mpi(&sig_r, r), 0); 728 TEST_EQUAL(mbedtls_test_read_mpi(&sig_s, s), 0); 729 730 /* Test whether public key has expected validity */ 731 TEST_EQUAL(mbedtls_ecp_check_pubkey(&ctx.grp, &ctx.Q), 732 expected == MBEDTLS_ERR_ECP_INVALID_KEY ? MBEDTLS_ERR_ECP_INVALID_KEY : 0); 733 734 /* Verification */ 735 int result = mbedtls_ecdsa_verify(&ctx.grp, content->x, content->len, &ctx.Q, &sig_r, &sig_s); 736 737 TEST_EQUAL(result, expected); 738exit: 739 mbedtls_ecdsa_free(&ctx); 740 mbedtls_mpi_free(&sig_r); 741 mbedtls_mpi_free(&sig_s); 742} 743/* END_CASE */ 744