X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=test%2Fecdsatest.c;h=f7d6608f392e922b42ac2a979fa1722b9d5ef9df;hb=765d04c9460a304c8119f57941341a149498b9db;hp=a3234814d47df88abd92664fc2677deaf90f4325;hpb=dc352c193755525292310c8992e3c9b81a556a31;p=oweals%2Fopenssl.git diff --git a/test/ecdsatest.c b/test/ecdsatest.c index a3234814d4..f7d6608f39 100644 --- a/test/ecdsatest.c +++ b/test/ecdsatest.c @@ -1,61 +1,39 @@ /* - * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * - * Licensed under the OpenSSL license (the "License"). You may not use + * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at * https://www.openssl.org/source/license.html */ -/* ==================================================================== - * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. - * - * Portions of the attached software ("Contribution") are developed by - * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. - * - * The Contribution is licensed pursuant to the OpenSSL open source - * license provided above. - * - * The elliptic curve binary polynomial software is originally written by - * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories. - * +/* + * Low level APIs are deprecated for public use, but still ok for internal use. */ - -#include -#include -#include +#include "internal/deprecated.h" #include /* To see if OPENSSL_NO_EC is defined */ +#include "testutil.h" -#ifdef OPENSSL_NO_EC -int main(int argc, char *argv[]) -{ - puts("Elliptic curves are disabled."); - return 0; -} -#else +#ifndef OPENSSL_NO_EC -# include -# include # include # include # include -# ifndef OPENSSL_NO_ENGINE -# include -# endif -# include # include -# include "testutil.h" - -static const char rnd_seed[] = "string to make the random number generator " - "think it has entropy"; - +# include "internal/nelem.h" +# include "ecdsatest.h" /* functions to change the RAND_METHOD */ static int fbytes(unsigned char *buf, int num); static RAND_METHOD fake_rand; static const RAND_METHOD *old_rand; +static int use_fake = 0; +static const char *numbers[2]; +static size_t crv_len = 0; +static EC_builtin_curve *curves = NULL; static int change_rand(void) { @@ -79,25 +57,10 @@ static int restore_rand(void) return 1; } -static int fbytes_counter = 0, use_fake = 0; -static const char *numbers[8] = { - "651056770906015076056810763456358567190100156695615665659", - "6140507067065001063065065565667405560006161556565665656654", - "8763001015071075675010661307616710783570106710677817767166" - "71676178726717", - "7000000175690566466555057817571571075705015757757057795755" - "55657156756655", - "1275552191113212300012030439187146164646146646466749494799", - "1542725565216523985789236956265265265235675811949404040041", - "1456427555219115346513212300075341203043918714616464614664" - "64667494947990", - "1712787255652165239672857892369562652652652356758119494040" - "40041670216363" -}; - static int fbytes(unsigned char *buf, int num) { int ret = 0; + static int fbytes_counter = 0; BIGNUM *tmp = NULL; if (use_fake == 0) @@ -105,320 +68,333 @@ static int fbytes(unsigned char *buf, int num) use_fake = 0; - if (fbytes_counter >= 8) - return 0; - if (!TEST_ptr(tmp = BN_new())) - return 0; - if (!TEST_true(BN_dec2bn(&tmp, numbers[fbytes_counter]))) { - BN_free(tmp); - return 0; - } - fbytes_counter++; - if (TEST_int_eq(BN_num_bytes(tmp), num) - && TEST_true(BN_bn2bin(tmp, buf))) - ret = 1; + if (!TEST_ptr(tmp = BN_new()) + || !TEST_int_lt(fbytes_counter, OSSL_NELEM(numbers)) + || !TEST_true(BN_hex2bn(&tmp, numbers[fbytes_counter])) + /* tmp might need leading zeros so pad it out */ + || !TEST_int_le(BN_num_bytes(tmp), num) + || !TEST_true(BN_bn2binpad(tmp, buf, num))) + goto err; + + fbytes_counter = (fbytes_counter + 1) % OSSL_NELEM(numbers); + ret = 1; + err: BN_free(tmp); return ret; } -/* some tests from the X9.62 draft */ -static int x9_62_test_internal(int nid, const char *r_in, const char *s_in) +/*- + * This function hijacks the RNG to feed it the chosen ECDSA key and nonce. + * The ECDSA KATs are from: + * - the X9.62 draft (4) + * - NIST CAVP (720) + * + * It uses the low-level ECDSA_sign_setup instead of EVP to control the RNG. + * NB: This is not how applications should use ECDSA; this is only for testing. + * + * Tests the library can successfully: + * - generate public keys that matches those KATs + * - create ECDSA signatures that match those KATs + * - accept those signatures as valid + */ +static int x9_62_tests(int n) { - int ret = 0; - const char message[] = "abc"; - unsigned char digest[20]; + int nid, md_nid, ret = 0; + const char *r_in = NULL, *s_in = NULL, *tbs = NULL; + unsigned char *pbuf = NULL, *qbuf = NULL, *message = NULL; + unsigned char digest[EVP_MAX_MD_SIZE]; unsigned int dgst_len = 0; - EVP_MD_CTX *md_ctx; + long q_len, msg_len = 0; + size_t p_len; + EVP_MD_CTX *mctx = NULL; EC_KEY *key = NULL; ECDSA_SIG *signature = NULL; BIGNUM *r = NULL, *s = NULL; BIGNUM *kinv = NULL, *rp = NULL; - const BIGNUM *sig_r, *sig_s; - - if (!TEST_ptr(md_ctx = EVP_MD_CTX_new())) - goto x962_int_err; - - /* get the message digest */ - if (!TEST_true(EVP_DigestInit(md_ctx, EVP_sha1())) - || !TEST_true(EVP_DigestUpdate(md_ctx, (const void *)message, 3)) - || !TEST_true(EVP_DigestFinal(md_ctx, digest, &dgst_len))) - goto x962_int_err; - - TEST_info("testing %s", OBJ_nid2sn(nid)); - - /* create the key */ - if (!TEST_ptr(key = EC_KEY_new_by_curve_name(nid))) - goto x962_int_err; + const BIGNUM *sig_r = NULL, *sig_s = NULL; + + nid = ecdsa_cavs_kats[n].nid; + md_nid = ecdsa_cavs_kats[n].md_nid; + r_in = ecdsa_cavs_kats[n].r; + s_in = ecdsa_cavs_kats[n].s; + tbs = ecdsa_cavs_kats[n].msg; + numbers[0] = ecdsa_cavs_kats[n].d; + numbers[1] = ecdsa_cavs_kats[n].k; + + TEST_info("ECDSA KATs for curve %s", OBJ_nid2sn(nid)); + +#ifdef FIPS_MODULE + if (EC_curve_nid2nist(nid) == NULL) + return TEST_skip("skip non approved curves"); +#endif /* FIPS_MODULE */ + + if (!TEST_ptr(mctx = EVP_MD_CTX_new()) + /* get the message digest */ + || !TEST_ptr(message = OPENSSL_hexstr2buf(tbs, &msg_len)) + || !TEST_true(EVP_DigestInit_ex(mctx, EVP_get_digestbynid(md_nid), NULL)) + || !TEST_true(EVP_DigestUpdate(mctx, message, msg_len)) + || !TEST_true(EVP_DigestFinal_ex(mctx, digest, &dgst_len)) + /* create the key */ + || !TEST_ptr(key = EC_KEY_new_by_curve_name(nid)) + /* load KAT variables */ + || !TEST_ptr(r = BN_new()) + || !TEST_ptr(s = BN_new()) + || !TEST_true(BN_hex2bn(&r, r_in)) + || !TEST_true(BN_hex2bn(&s, s_in)) + /* swap the RNG source */ + || !TEST_true(change_rand())) + goto err; + + /* public key must match KAT */ use_fake = 1; - if (!TEST_true(EC_KEY_generate_key(key))) - goto x962_int_err; - - /* create the signature */ + if (!TEST_true(EC_KEY_generate_key(key)) + || !TEST_true(p_len = EC_KEY_key2buf(key, POINT_CONVERSION_UNCOMPRESSED, + &pbuf, NULL)) + || !TEST_ptr(qbuf = OPENSSL_hexstr2buf(ecdsa_cavs_kats[n].Q, &q_len)) + || !TEST_int_eq(q_len, p_len) + || !TEST_mem_eq(qbuf, q_len, pbuf, p_len)) + goto err; + + /* create the signature via ECDSA_sign_setup to avoid use of ECDSA nonces */ use_fake = 1; - /* Use ECDSA_sign_setup to avoid use of ECDSA nonces */ - if (!TEST_true(ECDSA_sign_setup(key, NULL, &kinv, &rp))) - goto x962_int_err; - if (!TEST_ptr(signature = ECDSA_do_sign_ex(digest, 20, kinv, rp, key))) - goto x962_int_err; + if (!TEST_true(ECDSA_sign_setup(key, NULL, &kinv, &rp)) + || !TEST_ptr(signature = ECDSA_do_sign_ex(digest, dgst_len, + kinv, rp, key)) + /* verify the signature */ + || !TEST_int_eq(ECDSA_do_verify(digest, dgst_len, signature, key), 1)) + goto err; /* compare the created signature with the expected signature */ - if (!TEST_ptr(r = BN_new()) || !TEST_ptr(s = BN_new())) - goto x962_int_err; - if (!TEST_true(BN_dec2bn(&r, r_in)) || !TEST_true(BN_dec2bn(&s, s_in))) - goto x962_int_err; ECDSA_SIG_get0(signature, &sig_r, &sig_s); if (!TEST_BN_eq(sig_r, r) - || !TEST_BN_eq(sig_s, s)) - goto x962_int_err; - - /* verify the signature */ - if (!TEST_int_eq(ECDSA_do_verify(digest, 20, signature, key), 1)) - goto x962_int_err; + || !TEST_BN_eq(sig_s, s)) + goto err; ret = 1; - x962_int_err: + err: + /* restore the RNG source */ + if (!TEST_true(restore_rand())) + ret = 0; + + OPENSSL_free(message); + OPENSSL_free(pbuf); + OPENSSL_free(qbuf); EC_KEY_free(key); ECDSA_SIG_free(signature); BN_free(r); BN_free(s); - EVP_MD_CTX_free(md_ctx); + EVP_MD_CTX_free(mctx); BN_clear_free(kinv); BN_clear_free(rp); return ret; } -static int x9_62_tests() +/*- + * Positive and negative ECDSA testing through EVP interface: + * - EVP_DigestSign (this is the one-shot version) + * - EVP_DigestVerify + * + * Tests the library can successfully: + * - create a key + * - create a signature + * - accept that signature + * - reject that signature with a different public key + * - reject that signature if its length is not correct + * - reject that signature after modifying the message + * - accept that signature after un-modifying the message + * - reject that signature after modifying the signature + * - accept that signature after un-modifying the signature + */ +static int set_sm2_id(EVP_MD_CTX *mctx, EVP_PKEY *pkey) { - int ret = 0; + /* With the SM2 key type, the SM2 ID is mandatory */ + static const char sm2_id[] = { 1, 2, 3, 4, 'l', 'e', 't', 't', 'e', 'r' }; + EVP_PKEY_CTX *pctx; - /* set own rand method */ - if (!change_rand()) - goto x962_err; - - if (!TEST_true(x9_62_test_internal(NID_X9_62_prime192v1, - "3342403536405981729393488334694600415596881826869351677613", - "5735822328888155254683894997897571951568553642892029982342"))) - goto x962_err; - if (!TEST_true(x9_62_test_internal(NID_X9_62_prime239v1, - "3086361431751678114926225473006680188549593787585317781474" - "62058306432176", - "3238135532097973577080787768312505059318910517550078427819" - "78505179448783"))) - goto x962_err; - -# ifndef OPENSSL_NO_EC2M - if (!TEST_true(x9_62_test_internal(NID_X9_62_c2tnb191v1, - "87194383164871543355722284926904419997237591535066528048", - "308992691965804947361541664549085895292153777025772063598"))) - goto x962_err; - if (!TEST_true(x9_62_test_internal(NID_X9_62_c2tnb239v1, - "2159633321041961198501834003903461262881815148684178964245" - "5876922391552", - "1970303740007316867383349976549972270528498040721988191026" - "49413465737174"))) - goto x962_err; -# endif - ret = 1; - - x962_err: - if (!TEST_true(restore_rand())) - ret = 0; - return ret; + if (!TEST_ptr(pctx = EVP_MD_CTX_pkey_ctx(mctx)) + || !TEST_int_gt(EVP_PKEY_CTX_set1_id(pctx, sm2_id, sizeof(sm2_id)), 0)) + return 0; + return 1; } -static int test_builtin(void) +static int test_builtin(int n, int as) { - EC_builtin_curve *curves = NULL; - size_t crv_len = 0, n = 0; - EC_KEY *eckey = NULL, *wrong_eckey = NULL; - EC_GROUP *group; - ECDSA_SIG *ecdsa_sig = NULL, *modified_sig = NULL; - unsigned char digest[20], wrong_digest[20]; - unsigned char *signature = NULL; - const unsigned char *sig_ptr; - unsigned char *sig_ptr2; - unsigned char *raw_buf = NULL; - const BIGNUM *sig_r, *sig_s; - BIGNUM *modified_r = NULL, *modified_s = NULL; - BIGNUM *unmodified_r = NULL, *unmodified_s = NULL; - unsigned int sig_len, degree, r_len, s_len, bn_len, buf_len; + EC_KEY *eckey_neg = NULL, *eckey = NULL; + unsigned char dirt, offset, tbs[128]; + unsigned char *sig = NULL; + EVP_PKEY *pkey_neg = NULL, *pkey = NULL; + EVP_MD_CTX *mctx = NULL; + size_t sig_len; int nid, ret = 0; + int temp; - /* fill digest values with some random data */ - if (!TEST_true(RAND_bytes(digest, 20)) - || !TEST_true(RAND_bytes(wrong_digest, 20))) - goto builtin_err; + nid = curves[n].nid; - /* create and verify a ecdsa signature with every available curve */ - /* get a list of all internal curves */ - crv_len = EC_get_builtin_curves(NULL, 0); - if (!TEST_ptr(curves = OPENSSL_malloc(sizeof(*curves) * crv_len)) - || !TEST_true(EC_get_builtin_curves(curves, crv_len))) - goto builtin_err; - - /* now create and verify a signature for every curve */ - for (n = 0; n < crv_len; n++) { - unsigned char dirt, offset; - - nid = curves[n].nid; - if (nid == NID_ipsec4 || nid == NID_X25519) - continue; - /* create new ecdsa key (== EC_KEY) */ - if (!TEST_ptr(eckey = EC_KEY_new()) - || !TEST_ptr(group = EC_GROUP_new_by_curve_name(nid)) - || !TEST_true(EC_KEY_set_group(eckey, group))) - goto builtin_err; - EC_GROUP_free(group); - degree = EC_GROUP_get_degree(EC_KEY_get0_group(eckey)); - if (degree < 160) { - /* drop the curve */ - EC_KEY_free(eckey); - eckey = NULL; - continue; - } - TEST_info("testing %s", OBJ_nid2sn(nid)); - - /* create key */ - if (!TEST_true(EC_KEY_generate_key(eckey))) - goto builtin_err; - /* create second key */ - if (!TEST_ptr(wrong_eckey = EC_KEY_new()) - || !TEST_ptr(group = EC_GROUP_new_by_curve_name(nid)) - || !TEST_true(EC_KEY_set_group(wrong_eckey, group))) - goto builtin_err; - EC_GROUP_free(group); - if (!TEST_true(EC_KEY_generate_key(wrong_eckey))) - goto builtin_err; - - /* check key */ - if (!TEST_true(EC_KEY_check_key(eckey))) - goto builtin_err; - - /* create signature */ - sig_len = ECDSA_size(eckey); - if (!TEST_ptr(signature = OPENSSL_malloc(sig_len)) - || !TEST_true(ECDSA_sign(0, digest, 20, signature, &sig_len, - eckey))) - goto builtin_err; - - /* verify signature */ - if (!TEST_int_eq(ECDSA_verify(0, digest, 20, signature, sig_len, - eckey), 1)) - goto builtin_err; - - /* verify signature with the wrong key */ - if (!TEST_int_ne(ECDSA_verify(0, digest, 20, signature, sig_len, - wrong_eckey), 1)) - goto builtin_err; - - /* wrong digest */ - if (!TEST_int_ne(ECDSA_verify(0, wrong_digest, 20, signature, - sig_len, eckey), 1)) - goto builtin_err; - - /* wrong length */ - if (!TEST_int_ne(ECDSA_verify(0, digest, 20, signature, - sig_len - 1, eckey), 1)) - goto builtin_err; - - /* - * Modify a single byte of the signature: to ensure we don't garble - * the ASN1 structure, we read the raw signature and modify a byte in - * one of the bignums directly. - */ - sig_ptr = signature; - if (!TEST_ptr(ecdsa_sig = d2i_ECDSA_SIG(NULL, &sig_ptr, sig_len))) - goto builtin_err; - - ECDSA_SIG_get0(ecdsa_sig, &sig_r, &sig_s); - - /* Store the two BIGNUMs in raw_buf. */ - r_len = BN_num_bytes(sig_r); - s_len = BN_num_bytes(sig_s); - bn_len = (degree + 7) / 8; - if (!TEST_false(r_len > bn_len) - || !TEST_false(s_len > bn_len)) - goto builtin_err; - buf_len = 2 * bn_len; - if (!TEST_ptr(raw_buf = OPENSSL_zalloc(buf_len))) - goto builtin_err; - BN_bn2bin(sig_r, raw_buf + bn_len - r_len); - BN_bn2bin(sig_s, raw_buf + buf_len - s_len); - - /* Modify a single byte in the buffer. */ - offset = raw_buf[10] % buf_len; - dirt = raw_buf[11] ? raw_buf[11] : 1; - raw_buf[offset] ^= dirt; - - /* Now read the BIGNUMs back in from raw_buf. */ - if (!TEST_ptr(modified_sig = ECDSA_SIG_new())) - goto builtin_err; - if (!TEST_ptr(modified_r = BN_bin2bn(raw_buf, bn_len, NULL)) - || !TEST_ptr(modified_s = BN_bin2bn(raw_buf + bn_len, - bn_len, NULL)) - || !TEST_true(ECDSA_SIG_set0(modified_sig, - modified_r, modified_s))) { - BN_free(modified_r); - BN_free(modified_s); - goto builtin_err; - } - sig_ptr2 = signature; - sig_len = i2d_ECDSA_SIG(modified_sig, &sig_ptr2); - if (!TEST_false(ECDSA_verify(0, digest, 20, signature, sig_len, eckey))) - goto builtin_err; - - /* Sanity check: undo the modification and verify signature. */ - raw_buf[offset] ^= dirt; - if (!TEST_ptr(unmodified_r = BN_bin2bn(raw_buf, bn_len, NULL)) - || !TEST_ptr(unmodified_s = BN_bin2bn(raw_buf + bn_len, - bn_len, NULL)) - || !TEST_true(ECDSA_SIG_set0(modified_sig, unmodified_r, - unmodified_s))) { - BN_free(unmodified_r); - BN_free(unmodified_s); - goto builtin_err; - } - - sig_ptr2 = signature; - sig_len = i2d_ECDSA_SIG(modified_sig, &sig_ptr2); - if (!TEST_true(ECDSA_verify(0, digest, 20, signature, sig_len, eckey))) - goto builtin_err; - - /* cleanup */ - ERR_clear_error(); - OPENSSL_free(signature); - signature = NULL; - EC_KEY_free(eckey); - eckey = NULL; - EC_KEY_free(wrong_eckey); - wrong_eckey = NULL; - ECDSA_SIG_free(ecdsa_sig); - ecdsa_sig = NULL; - ECDSA_SIG_free(modified_sig); - modified_sig = NULL; - OPENSSL_free(raw_buf); - raw_buf = NULL; + /* skip built-in curves where ord(G) is not prime */ + if (nid == NID_ipsec4 || nid == NID_ipsec3) { + TEST_info("skipped: ECDSA unsupported for curve %s", OBJ_nid2sn(nid)); + return 1; } - ret = 1; - builtin_err: - EC_KEY_free(eckey); - EC_KEY_free(wrong_eckey); - ECDSA_SIG_free(ecdsa_sig); - ECDSA_SIG_free(modified_sig); - OPENSSL_free(signature); - OPENSSL_free(raw_buf); - OPENSSL_free(curves); + TEST_info("testing ECDSA for curve %s as %s key type", OBJ_nid2sn(nid), + as == EVP_PKEY_EC ? "EC" : "SM2"); + + if (!TEST_ptr(mctx = EVP_MD_CTX_new()) + /* get some random message data */ + || !TEST_true(RAND_bytes(tbs, sizeof(tbs))) + /* real key */ + || !TEST_ptr(eckey = EC_KEY_new_by_curve_name(nid)) + || !TEST_true(EC_KEY_generate_key(eckey)) + || !TEST_ptr(pkey = EVP_PKEY_new()) + || !TEST_true(EVP_PKEY_assign_EC_KEY(pkey, eckey)) + /* fake key for negative testing */ + || !TEST_ptr(eckey_neg = EC_KEY_new_by_curve_name(nid)) + || !TEST_true(EC_KEY_generate_key(eckey_neg)) + || !TEST_ptr(pkey_neg = EVP_PKEY_new()) + || !TEST_true(EVP_PKEY_assign_EC_KEY(pkey_neg, eckey_neg))) + goto err; + + temp = ECDSA_size(eckey); + + /* + * |as| indicates how we want to treat the key, i.e. what sort of + * computation we want to do with it. The two choices are the key + * types EVP_PKEY_EC and EVP_PKEY_SM2. It's perfectly possible to + * switch back and forth between those two key types, regardless of + * curve, even though the default is to have EVP_PKEY_SM2 for the + * SM2 curve and EVP_PKEY_EC for all other curves. + */ + if (!TEST_true(EVP_PKEY_set_alias_type(pkey, as)) + || !TEST_true(EVP_PKEY_set_alias_type(pkey_neg, as))) + goto err; + + if (!TEST_int_ge(temp, 0) + || !TEST_ptr(sig = OPENSSL_malloc(sig_len = (size_t)temp)) + /* create a signature */ + || !TEST_true(EVP_DigestSignInit(mctx, NULL, NULL, NULL, pkey)) + || (as == EVP_PKEY_SM2 && !set_sm2_id(mctx, pkey)) + || !TEST_true(EVP_DigestSign(mctx, sig, &sig_len, tbs, sizeof(tbs))) + || !TEST_int_le(sig_len, ECDSA_size(eckey)) + || !TEST_true(EVP_MD_CTX_reset(mctx)) + /* negative test, verify with wrong key, 0 return */ + || !TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey_neg)) + || (as == EVP_PKEY_SM2 && !set_sm2_id(mctx, pkey_neg)) + || !TEST_int_eq(EVP_DigestVerify(mctx, sig, sig_len, tbs, sizeof(tbs)), 0) + || !TEST_true(EVP_MD_CTX_reset(mctx)) + /* negative test, verify with wrong signature length, -1 return */ + || !TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey)) + || (as == EVP_PKEY_SM2 && !set_sm2_id(mctx, pkey)) + || !TEST_int_eq(EVP_DigestVerify(mctx, sig, sig_len - 1, tbs, sizeof(tbs)), -1) + || !TEST_true(EVP_MD_CTX_reset(mctx)) + /* positive test, verify with correct key, 1 return */ + || !TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey)) + || (as == EVP_PKEY_SM2 && !set_sm2_id(mctx, pkey)) + || !TEST_int_eq(EVP_DigestVerify(mctx, sig, sig_len, tbs, sizeof(tbs)), 1) + || !TEST_true(EVP_MD_CTX_reset(mctx))) + goto err; + + /* muck with the message, test it fails with 0 return */ + tbs[0] ^= 1; + if (!TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey)) + || (as == EVP_PKEY_SM2 && !set_sm2_id(mctx, pkey)) + || !TEST_int_eq(EVP_DigestVerify(mctx, sig, sig_len, tbs, sizeof(tbs)), 0) + || !TEST_true(EVP_MD_CTX_reset(mctx))) + goto err; + /* un-muck and test it verifies */ + tbs[0] ^= 1; + if (!TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey)) + || (as == EVP_PKEY_SM2 && !set_sm2_id(mctx, pkey)) + || !TEST_int_eq(EVP_DigestVerify(mctx, sig, sig_len, tbs, sizeof(tbs)), 1) + || !TEST_true(EVP_MD_CTX_reset(mctx))) + goto err; + + /*- + * Muck with the ECDSA signature. The DER encoding is one of: + * - 30 LL 02 .. + * - 30 81 LL 02 .. + * + * - Sometimes this mucks with the high level DER sequence wrapper: + * in that case, DER-parsing of the whole signature should fail. + * + * - Sometimes this mucks with the DER-encoding of ECDSA.r: + * in that case, DER-parsing of ECDSA.r should fail. + * + * - Sometimes this mucks with the DER-encoding of ECDSA.s: + * in that case, DER-parsing of ECDSA.s should fail. + * + * - Sometimes this mucks with ECDSA.r: + * in that case, the signature verification should fail. + * + * - Sometimes this mucks with ECDSA.s: + * in that case, the signature verification should fail. + * + * The usual case is changing the integer value of ECDSA.r or ECDSA.s. + * Because the ratio of DER overhead to signature bytes is small. + * So most of the time it will be one of the last two cases. + * + * In any case, EVP_PKEY_verify should not return 1 for valid. + */ + offset = tbs[0] % sig_len; + dirt = tbs[1] ? tbs[1] : 1; + sig[offset] ^= dirt; + if (!TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey)) + || (as == EVP_PKEY_SM2 && !set_sm2_id(mctx, pkey)) + || !TEST_int_ne(EVP_DigestVerify(mctx, sig, sig_len, tbs, sizeof(tbs)), 1) + || !TEST_true(EVP_MD_CTX_reset(mctx))) + goto err; + /* un-muck and test it verifies */ + sig[offset] ^= dirt; + if (!TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey)) + || (as == EVP_PKEY_SM2 && !set_sm2_id(mctx, pkey)) + || !TEST_int_eq(EVP_DigestVerify(mctx, sig, sig_len, tbs, sizeof(tbs)), 1) + || !TEST_true(EVP_MD_CTX_reset(mctx))) + goto err; + ret = 1; + err: + EVP_PKEY_free(pkey); + EVP_PKEY_free(pkey_neg); + EVP_MD_CTX_free(mctx); + OPENSSL_free(sig); return ret; } -void register_tests(void) +static int test_builtin_as_ec(int n) +{ + return test_builtin(n, EVP_PKEY_EC); +} + +# ifndef OPENSSL_NO_SM2 +static int test_builtin_as_sm2(int n) { - /* initialize the prng */ - RAND_seed(rnd_seed, sizeof(rnd_seed)); - ADD_TEST(x9_62_tests); - ADD_TEST(test_builtin); + return test_builtin(n, EVP_PKEY_SM2); } +# endif +#endif /* OPENSSL_NO_EC */ + +int setup_tests(void) +{ +#ifdef OPENSSL_NO_EC + TEST_note("Elliptic curves are disabled."); +#else + /* get a list of all internal curves */ + crv_len = EC_get_builtin_curves(NULL, 0); + if (!TEST_ptr(curves = OPENSSL_malloc(sizeof(*curves) * crv_len)) + || !TEST_true(EC_get_builtin_curves(curves, crv_len))) + return 0; + ADD_ALL_TESTS(test_builtin_as_ec, crv_len); +# ifndef OPENSSL_NO_SM2 + ADD_ALL_TESTS(test_builtin_as_sm2, crv_len); +# endif + ADD_ALL_TESTS(x9_62_tests, OSSL_NELEM(ecdsa_cavs_kats)); +#endif + return 1; +} + +void cleanup_tests(void) +{ +#ifndef OPENSSL_NO_EC + OPENSSL_free(curves); #endif +}