From 947ff113d29ec9755d4e1fd60bfb67674872f23d Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Fri, 18 Feb 2011 17:25:00 +0000 Subject: [PATCH] add ECDSA POST --- crypto/fips_err.h | 1 + fips/ecdsa/Makefile | 4 +- fips/ecdsa/fips_ecdsa_selftest.c | 71 ++++++++++++++++++++++++++++++++ fips/fips.c | 1 + fips/fips.h | 3 ++ fips/fips_test_suite.c | 3 ++ 6 files changed, 81 insertions(+), 2 deletions(-) create mode 100644 fips/ecdsa/fips_ecdsa_selftest.c diff --git a/crypto/fips_err.h b/crypto/fips_err.h index de2f0d5254..683a69cf52 100644 --- a/crypto/fips_err.h +++ b/crypto/fips_err.h @@ -90,6 +90,7 @@ static ERR_STRING_DATA FIPS_str_functs[]= {ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES_GCM), "FIPS_selftest_aes_gcm"}, {ERR_FUNC(FIPS_F_FIPS_SELFTEST_DES), "FIPS_selftest_des"}, {ERR_FUNC(FIPS_F_FIPS_SELFTEST_DSA), "FIPS_selftest_dsa"}, +{ERR_FUNC(FIPS_F_FIPS_SELFTEST_ECDSA), "FIPS_selftest_ecdsa"}, {ERR_FUNC(FIPS_F_FIPS_SELFTEST_HMAC), "FIPS_selftest_hmac"}, {ERR_FUNC(FIPS_F_FIPS_SELFTEST_RNG), "FIPS_selftest_rng"}, {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA1), "FIPS_selftest_sha1"}, diff --git a/fips/ecdsa/Makefile b/fips/ecdsa/Makefile index 77948d08e3..5e03694bba 100644 --- a/fips/ecdsa/Makefile +++ b/fips/ecdsa/Makefile @@ -22,8 +22,8 @@ TEST= fips_ecdsavs.c APPS= LIB=$(TOP)/libcrypto.a -LIBSRC= fips_ecdsa_lib.c fips_ecdsa_sign.c -LIBOBJ= fips_ecdsa_lib.o fips_ecdsa_sign.o +LIBSRC= fips_ecdsa_lib.c fips_ecdsa_sign.c fips_ecdsa_selftest.c +LIBOBJ= fips_ecdsa_lib.o fips_ecdsa_sign.o fips_ecdsa_selftest.o SRC= $(LIBSRC) diff --git a/fips/ecdsa/fips_ecdsa_selftest.c b/fips/ecdsa/fips_ecdsa_selftest.c new file mode 100644 index 0000000000..50e0a8b710 --- /dev/null +++ b/fips/ecdsa/fips_ecdsa_selftest.c @@ -0,0 +1,71 @@ +/* fips/ecdsa/fips_ecdsa_selftest.c */ + +#define OPENSSL_FIPSAPI + +#include +#include +#include +#include +#include +#include +#include +#include + +#ifdef OPENSSL_FIPS + +static const unsigned char str1[]="12345678901234567890"; + +static int corrupt_ecdsa = 0; + +void FIPS_corrupt_ecdsa() + { + corrupt_ecdsa = 1; + } + +int FIPS_selftest_ecdsa() + { + EC_KEY *ec=NULL; + int ret = 0; + EVP_MD_CTX mctx; + ECDSA_SIG *esig = NULL; + + FIPS_md_ctx_init(&mctx); + + ec = EC_KEY_new_by_curve_name(NID_secp384r1); + + if(ec == NULL) + goto err; + + EC_KEY_generate_key(ec); + + if (!FIPS_digestinit(&mctx, EVP_sha512())) + goto err; + if (!FIPS_digestupdate(&mctx, str1, 20)) + goto err; + esig = FIPS_ecdsa_sign_ctx(ec, &mctx); + if (!esig) + goto err; + + if (corrupt_ecdsa) + BN_add_word(esig->r, 1); + + if (!FIPS_digestinit(&mctx, EVP_sha512())) + goto err; + if (!FIPS_digestupdate(&mctx, str1, 20)) + goto err; + if (FIPS_ecdsa_verify_ctx(ec, &mctx, esig) != 1) + goto err; + + ret = 1; + + err: + FIPS_md_ctx_cleanup(&mctx); + if (ec) + EC_KEY_free(ec); + if (esig) + FIPS_ecdsa_sig_free(esig); + if (ret == 0) + FIPSerr(FIPS_F_FIPS_SELFTEST_ECDSA,FIPS_R_SELFTEST_FAILED); + return ret; + } +#endif diff --git a/fips/fips.c b/fips/fips.c index 4b66537342..86adc6be51 100644 --- a/fips/fips.c +++ b/fips/fips.c @@ -178,6 +178,7 @@ int FIPS_selftest(void) && FIPS_selftest_aes_gcm() && FIPS_selftest_des() && FIPS_selftest_rsa() + && FIPS_selftest_ecdsa() && FIPS_selftest_dsa(); } diff --git a/fips/fips.h b/fips/fips.h index dab9bbe45d..4cfb985efa 100644 --- a/fips/fips.h +++ b/fips/fips.h @@ -86,6 +86,8 @@ int FIPS_selftest_rsa(void); void FIPS_corrupt_dsa(void); void FIPS_corrupt_dsa_keygen(void); int FIPS_selftest_dsa(void); +int FIPS_selftest_ecdsa(void); +void FIPS_corrupt_ecdsa(void); void FIPS_corrupt_ec_keygen(void); void FIPS_corrupt_rng(void); void FIPS_rng_stick(void); @@ -195,6 +197,7 @@ void ERR_load_FIPS_strings(void); #define FIPS_F_FIPS_SELFTEST_AES_GCM 130 #define FIPS_F_FIPS_SELFTEST_DES 111 #define FIPS_F_FIPS_SELFTEST_DSA 112 +#define FIPS_F_FIPS_SELFTEST_ECDSA 131 #define FIPS_F_FIPS_SELFTEST_HMAC 113 #define FIPS_F_FIPS_SELFTEST_RNG 114 #define FIPS_F_FIPS_SELFTEST_SHA1 115 diff --git a/fips/fips_test_suite.c b/fips/fips_test_suite.c index 12970abe58..1d88b0d00c 100644 --- a/fips/fips_test_suite.c +++ b/fips/fips_test_suite.c @@ -490,6 +490,9 @@ int main(int argc,char **argv) } else if (!strcmp(argv[1], "dsa")) { FIPS_corrupt_dsa(); printf("DSA key generation and signature validation with corrupted KAT...\n"); + } else if (!strcmp(argv[1], "ecdsa")) { + FIPS_corrupt_ecdsa(); + printf("ECDSA key generation and signature validation with corrupted KAT...\n"); } else if (!strcmp(argv[1], "rsa")) { FIPS_corrupt_rsa(); printf("RSA key generation and signature validation with corrupted KAT...\n"); -- 2.25.1