mbedtls/tests/suites/test_suite_ecdsa.function

506 lines
19 KiB
C
Raw Normal View History

/* BEGIN_HEADER */
2015-03-09 18:05:11 +01:00
#include "mbedtls/ecdsa.h"
#include "hash_info.h"
#include "mbedtls/legacy_or_psa.h"
#if ( defined(MBEDTLS_ECDSA_DETERMINISTIC) && defined(MBEDTLS_SHA256_C) ) || \
( !defined(MBEDTLS_ECDSA_DETERMINISTIC) && defined(MBEDTLS_HAS_ALG_SHA_256_VIA_LOWLEVEL_OR_PSA) )
#define MBEDTLS_HAS_ALG_SHA_256_VIA_MD_IF_DETERMINISTIC
#endif
/* END_HEADER */
2013-01-26 19:09:07 +01:00
/* BEGIN_DEPENDENCIES
* depends_on:MBEDTLS_ECDSA_C
* END_DEPENDENCIES
*/
2013-01-26 19:09:07 +01:00
/* BEGIN_CASE */
void ecdsa_prim_zero( int id )
{
mbedtls_ecp_group grp;
mbedtls_ecp_point Q;
mbedtls_mpi d, r, s;
mbedtls_test_rnd_pseudo_info rnd_info;
unsigned char buf[MBEDTLS_HASH_MAX_SIZE];
mbedtls_ecp_group_init( &grp );
mbedtls_ecp_point_init( &Q );
mbedtls_mpi_init( &d ); mbedtls_mpi_init( &r ); mbedtls_mpi_init( &s );
memset( &rnd_info, 0x00, sizeof( mbedtls_test_rnd_pseudo_info ) );
memset( buf, 0, sizeof( buf ) );
TEST_ASSERT( mbedtls_ecp_group_load( &grp, id ) == 0 );
TEST_ASSERT( mbedtls_ecp_gen_keypair( &grp, &d, &Q,
&mbedtls_test_rnd_pseudo_rand,
&rnd_info ) == 0 );
TEST_ASSERT( mbedtls_ecdsa_sign( &grp, &r, &s, &d, buf, sizeof( buf ),
&mbedtls_test_rnd_pseudo_rand,
&rnd_info ) == 0 );
TEST_ASSERT( mbedtls_ecdsa_verify( &grp, buf, sizeof( buf ), &Q, &r, &s ) == 0 );
exit:
mbedtls_ecp_group_free( &grp );
mbedtls_ecp_point_free( &Q );
mbedtls_mpi_free( &d ); mbedtls_mpi_free( &r ); mbedtls_mpi_free( &s );
}
/* END_CASE */
/* BEGIN_CASE */
void ecdsa_prim_random( int id )
2013-01-26 19:09:07 +01:00
{
mbedtls_ecp_group grp;
mbedtls_ecp_point Q;
mbedtls_mpi d, r, s;
mbedtls_test_rnd_pseudo_info rnd_info;
unsigned char buf[MBEDTLS_HASH_MAX_SIZE];
2013-01-26 19:09:07 +01:00
mbedtls_ecp_group_init( &grp );
mbedtls_ecp_point_init( &Q );
mbedtls_mpi_init( &d ); mbedtls_mpi_init( &r ); mbedtls_mpi_init( &s );
memset( &rnd_info, 0x00, sizeof( mbedtls_test_rnd_pseudo_info ) );
memset( buf, 0, sizeof( buf ) );
2013-01-26 19:09:07 +01:00
/* prepare material for signature */
TEST_ASSERT( mbedtls_test_rnd_pseudo_rand( &rnd_info,
buf, sizeof( buf ) ) == 0 );
TEST_ASSERT( mbedtls_ecp_group_load( &grp, id ) == 0 );
TEST_ASSERT( mbedtls_ecp_gen_keypair( &grp, &d, &Q,
&mbedtls_test_rnd_pseudo_rand,
&rnd_info ) == 0 );
TEST_ASSERT( mbedtls_ecdsa_sign( &grp, &r, &s, &d, buf, sizeof( buf ),
&mbedtls_test_rnd_pseudo_rand,
&rnd_info ) == 0 );
TEST_ASSERT( mbedtls_ecdsa_verify( &grp, buf, sizeof( buf ), &Q, &r, &s ) == 0 );
2013-01-26 19:09:07 +01:00
exit:
mbedtls_ecp_group_free( &grp );
mbedtls_ecp_point_free( &Q );
mbedtls_mpi_free( &d ); mbedtls_mpi_free( &r ); mbedtls_mpi_free( &s );
2013-01-26 19:09:07 +01:00
}
/* END_CASE */
2013-01-27 08:10:28 +01:00
/* BEGIN_CASE */
2017-05-30 15:23:15 +02:00
void ecdsa_prim_test_vectors( int id, char * d_str, char * xQ_str,
char * yQ_str, data_t * rnd_buf,
data_t * hash, char * r_str, char * s_str,
2017-05-30 15:23:15 +02:00
int result )
2013-01-27 08:10:28 +01:00
{
mbedtls_ecp_group grp;
mbedtls_ecp_point Q;
mbedtls_mpi d, r, s, r_check, s_check, zero;
mbedtls_test_rnd_buf_info rnd_info;
2013-01-27 08:10:28 +01:00
mbedtls_ecp_group_init( &grp );
mbedtls_ecp_point_init( &Q );
mbedtls_mpi_init( &d ); mbedtls_mpi_init( &r ); mbedtls_mpi_init( &s );
mbedtls_mpi_init( &r_check ); mbedtls_mpi_init( &s_check );
mbedtls_mpi_init( &zero );
2013-01-27 08:10:28 +01:00
TEST_ASSERT( mbedtls_ecp_group_load( &grp, id ) == 0 );
TEST_ASSERT( mbedtls_ecp_point_read_string( &Q, 16, xQ_str, yQ_str ) == 0 );
TEST_ASSERT( mbedtls_test_read_mpi( &d, d_str ) == 0 );
TEST_ASSERT( mbedtls_test_read_mpi( &r_check, r_str ) == 0 );
TEST_ASSERT( mbedtls_test_read_mpi( &s_check, s_str ) == 0 );
rnd_info.fallback_f_rng = mbedtls_test_rnd_std_rand;
rnd_info.fallback_p_rng = NULL;
2017-06-09 05:32:58 +02:00
rnd_info.buf = rnd_buf->x;
rnd_info.length = rnd_buf->len;
2017-06-09 05:32:58 +02:00
/* Fix rnd_buf->x by shifting it left if necessary */
if( grp.nbits % 8 != 0 )
{
unsigned char shift = 8 - ( grp.nbits % 8 );
size_t i;
for( i = 0; i < rnd_info.length - 1; i++ )
2017-06-09 05:32:58 +02:00
rnd_buf->x[i] = rnd_buf->x[i] << shift | rnd_buf->x[i+1] >> ( 8 - shift );
2017-06-09 05:32:58 +02:00
rnd_buf->x[rnd_info.length-1] <<= shift;
}
2013-01-27 08:10:28 +01:00
2017-06-09 05:32:58 +02:00
TEST_ASSERT( mbedtls_ecdsa_sign( &grp, &r, &s, &d, hash->x, hash->len,
mbedtls_test_rnd_buffer_rand, &rnd_info ) == result );
2013-01-27 08:10:28 +01:00
if ( result == 0)
{
/* Check we generated the expected values */
TEST_EQUAL( mbedtls_mpi_cmp_mpi( &r, &r_check ), 0 );
TEST_EQUAL( mbedtls_mpi_cmp_mpi( &s, &s_check ), 0 );
/* Valid signature */
TEST_EQUAL( mbedtls_ecdsa_verify( &grp, hash->x, hash->len,
&Q, &r_check, &s_check ), 0 );
/* Invalid signature: wrong public key (G instead of Q) */
TEST_EQUAL( mbedtls_ecdsa_verify( &grp, hash->x, hash->len,
&grp.G, &r_check, &s_check ), MBEDTLS_ERR_ECP_VERIFY_FAILED );
/* Invalid signatures: r or s or both one off */
TEST_EQUAL( mbedtls_mpi_sub_int( &r, &r_check, 1 ), 0 );
TEST_EQUAL( mbedtls_mpi_add_int( &s, &s_check, 1 ), 0 );
TEST_EQUAL( mbedtls_ecdsa_verify( &grp, hash->x, hash->len, &Q,
&r, &s_check ), MBEDTLS_ERR_ECP_VERIFY_FAILED );
TEST_EQUAL( mbedtls_ecdsa_verify( &grp, hash->x, hash->len, &Q,
&r_check, &s ), MBEDTLS_ERR_ECP_VERIFY_FAILED );
TEST_EQUAL( mbedtls_ecdsa_verify( &grp, hash->x, hash->len, &Q,
&r, &s ), MBEDTLS_ERR_ECP_VERIFY_FAILED );
/* Invalid signatures: r, s or both (CVE-2022-21449) are zero */
TEST_EQUAL( mbedtls_mpi_lset( &zero, 0 ), 0 );
TEST_EQUAL( mbedtls_ecdsa_verify( &grp, hash->x, hash->len, &Q,
&zero, &s_check ), MBEDTLS_ERR_ECP_VERIFY_FAILED );
TEST_EQUAL( mbedtls_ecdsa_verify( &grp, hash->x, hash->len, &Q,
&r_check, &zero ), MBEDTLS_ERR_ECP_VERIFY_FAILED );
TEST_EQUAL( mbedtls_ecdsa_verify( &grp, hash->x, hash->len, &Q,
&zero, &zero ), MBEDTLS_ERR_ECP_VERIFY_FAILED );
/* Invalid signatures: r, s or both are == N */
TEST_EQUAL( mbedtls_ecdsa_verify( &grp, hash->x, hash->len, &Q,
&grp.N, &s_check ), MBEDTLS_ERR_ECP_VERIFY_FAILED );
TEST_EQUAL( mbedtls_ecdsa_verify( &grp, hash->x, hash->len, &Q,
&r_check, &grp.N ), MBEDTLS_ERR_ECP_VERIFY_FAILED );
TEST_EQUAL( mbedtls_ecdsa_verify( &grp, hash->x, hash->len, &Q,
&grp.N, &grp.N ), MBEDTLS_ERR_ECP_VERIFY_FAILED );
/* Invalid signatures: r, s or both are negative */
TEST_EQUAL( mbedtls_mpi_sub_mpi( &r, &r_check, &grp.N ), 0 );
TEST_EQUAL( mbedtls_mpi_sub_mpi( &s, &s_check, &grp.N ), 0 );
TEST_EQUAL( mbedtls_ecdsa_verify( &grp, hash->x, hash->len, &Q,
&r, &s_check ), MBEDTLS_ERR_ECP_VERIFY_FAILED );
TEST_EQUAL( mbedtls_ecdsa_verify( &grp, hash->x, hash->len, &Q,
&r_check, &s ), MBEDTLS_ERR_ECP_VERIFY_FAILED );
TEST_EQUAL( mbedtls_ecdsa_verify( &grp, hash->x, hash->len, &Q,
&r, &s ), MBEDTLS_ERR_ECP_VERIFY_FAILED );
/* Invalid signatures: r or s or both are > N */
TEST_EQUAL( mbedtls_mpi_add_mpi( &r, &r_check, &grp.N ), 0 );
TEST_EQUAL( mbedtls_mpi_add_mpi( &s, &s_check, &grp.N ), 0 );
TEST_EQUAL( mbedtls_ecdsa_verify( &grp, hash->x, hash->len, &Q,
&r, &s_check ), MBEDTLS_ERR_ECP_VERIFY_FAILED );
TEST_EQUAL( mbedtls_ecdsa_verify( &grp, hash->x, hash->len, &Q,
&r_check, &s ), MBEDTLS_ERR_ECP_VERIFY_FAILED );
TEST_EQUAL( mbedtls_ecdsa_verify( &grp, hash->x, hash->len, &Q,
&r, &s ), MBEDTLS_ERR_ECP_VERIFY_FAILED );
}
exit:
mbedtls_ecp_group_free( &grp );
mbedtls_ecp_point_free( &Q );
mbedtls_mpi_free( &d ); mbedtls_mpi_free( &r ); mbedtls_mpi_free( &s );
mbedtls_mpi_free( &r_check ); mbedtls_mpi_free( &s_check );
mbedtls_mpi_free( &zero );
2013-01-27 08:10:28 +01:00
}
/* END_CASE */
2013-08-08 13:30:57 +02:00
/* BEGIN_CASE depends_on:MBEDTLS_ECDSA_DETERMINISTIC */
Rm useless use of MD in ECDSA test functions We had a message in the data file, and were computing its hash in the test function. It is more efficient (and simpler when it comes to dependencies) to directly have the message hash in the data file. It was probably this way because some test vectors provide the message for the sake of all-in-one implementation that hash-and-sign at once. But our API gets a hash as the input and signs it. In unit tests, this should be reflected in the signature of the test function, which should take a hash as input. The changes to the .data file were done using the following python script: import hashlib suite = 'ecdsa' functions = { 'ecdsa_det_test_vectors': (3, 4), 'ecdsa_write_restart': (3, 4), } def hash_ctx(s): if s == 'MBEDTLS_MD_MD5': return hashlib.md5() if s == 'MBEDTLS_MD_SHA1': return hashlib.sha1() if s == 'MBEDTLS_MD_SHA224': return hashlib.sha224() if s == 'MBEDTLS_MD_SHA256': return hashlib.sha256() if s == 'MBEDTLS_MD_SHA384': return hashlib.sha384() if s == 'MBEDTLS_MD_SHA512': return hashlib.sha512() def fix(l): parts = l.rstrip().split(":") fun = parts[0] if fun not in functions: return l (alg_idx, msg_idx) = functions[fun] alg_str = parts[alg_idx] if alg_str == "MBEDTLS_MD_NONE": return l h = hash_ctx(alg_str) msg_str = parts[msg_idx][1:-1] h.update(msg_str.encode('ascii')) msg_hash = h.hexdigest() msg_hash_str = '"' + msg_hash.upper() + '"' parts[msg_idx] = msg_hash_str return ":".join(parts) + '\n' filename = 'tests/suites/test_suite_' + suite + '.data' with open(filename) as f: lines = f.readlines() lines = [fix(l) for l in lines] with open(filename, 'w') as f: f.writelines(lines) Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-07-19 16:54:28 +02:00
void ecdsa_det_test_vectors( int id, char * d_str, int md_alg, data_t * hash,
2017-05-30 15:23:15 +02:00
char * r_str, char * s_str )
2014-01-06 14:25:56 +01:00
{
mbedtls_ecp_group grp;
mbedtls_mpi d, r, s, r_check, s_check;
2014-01-06 14:25:56 +01:00
mbedtls_ecp_group_init( &grp );
mbedtls_mpi_init( &d ); mbedtls_mpi_init( &r ); mbedtls_mpi_init( &s );
mbedtls_mpi_init( &r_check ); mbedtls_mpi_init( &s_check );
2014-01-06 14:25:56 +01:00
TEST_ASSERT( mbedtls_ecp_group_load( &grp, id ) == 0 );
TEST_ASSERT( mbedtls_test_read_mpi( &d, d_str ) == 0 );
TEST_ASSERT( mbedtls_test_read_mpi( &r_check, r_str ) == 0 );
TEST_ASSERT( mbedtls_test_read_mpi( &s_check, s_str ) == 0 );
2014-01-06 14:25:56 +01:00
TEST_ASSERT(
Rm useless use of MD in ECDSA test functions We had a message in the data file, and were computing its hash in the test function. It is more efficient (and simpler when it comes to dependencies) to directly have the message hash in the data file. It was probably this way because some test vectors provide the message for the sake of all-in-one implementation that hash-and-sign at once. But our API gets a hash as the input and signs it. In unit tests, this should be reflected in the signature of the test function, which should take a hash as input. The changes to the .data file were done using the following python script: import hashlib suite = 'ecdsa' functions = { 'ecdsa_det_test_vectors': (3, 4), 'ecdsa_write_restart': (3, 4), } def hash_ctx(s): if s == 'MBEDTLS_MD_MD5': return hashlib.md5() if s == 'MBEDTLS_MD_SHA1': return hashlib.sha1() if s == 'MBEDTLS_MD_SHA224': return hashlib.sha224() if s == 'MBEDTLS_MD_SHA256': return hashlib.sha256() if s == 'MBEDTLS_MD_SHA384': return hashlib.sha384() if s == 'MBEDTLS_MD_SHA512': return hashlib.sha512() def fix(l): parts = l.rstrip().split(":") fun = parts[0] if fun not in functions: return l (alg_idx, msg_idx) = functions[fun] alg_str = parts[alg_idx] if alg_str == "MBEDTLS_MD_NONE": return l h = hash_ctx(alg_str) msg_str = parts[msg_idx][1:-1] h.update(msg_str.encode('ascii')) msg_hash = h.hexdigest() msg_hash_str = '"' + msg_hash.upper() + '"' parts[msg_idx] = msg_hash_str return ":".join(parts) + '\n' filename = 'tests/suites/test_suite_' + suite + '.data' with open(filename) as f: lines = f.readlines() lines = [fix(l) for l in lines] with open(filename, 'w') as f: f.writelines(lines) Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-07-19 16:54:28 +02:00
mbedtls_ecdsa_sign_det_ext( &grp, &r, &s, &d,
hash->x, hash->len, md_alg,
mbedtls_test_rnd_std_rand,
NULL )
== 0 );
2014-01-06 14:25:56 +01:00
TEST_ASSERT( mbedtls_mpi_cmp_mpi( &r, &r_check ) == 0 );
TEST_ASSERT( mbedtls_mpi_cmp_mpi( &s, &s_check ) == 0 );
2014-01-06 14:25:56 +01:00
exit:
mbedtls_ecp_group_free( &grp );
mbedtls_mpi_free( &d ); mbedtls_mpi_free( &r ); mbedtls_mpi_free( &s );
mbedtls_mpi_free( &r_check ); mbedtls_mpi_free( &s_check );
2014-01-06 14:25:56 +01:00
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_IF_DETERMINISTIC */
void ecdsa_write_read_zero( int id )
2013-08-08 13:30:57 +02:00
{
mbedtls_ecdsa_context ctx;
mbedtls_test_rnd_pseudo_info rnd_info;
unsigned char hash[32];
2013-08-08 13:30:57 +02:00
unsigned char sig[200];
size_t sig_len, i;
mbedtls_ecdsa_init( &ctx );
memset( &rnd_info, 0x00, sizeof( mbedtls_test_rnd_pseudo_info ) );
2013-08-08 13:30:57 +02:00
memset( hash, 0, sizeof( hash ) );
memset( sig, 0x2a, sizeof( sig ) );
/* generate signing key */
TEST_ASSERT( mbedtls_ecdsa_genkey( &ctx, id,
&mbedtls_test_rnd_pseudo_rand,
&rnd_info ) == 0 );
/* generate and write signature, then read and verify it */
TEST_ASSERT( mbedtls_ecdsa_write_signature( &ctx, MBEDTLS_MD_SHA256,
hash, sizeof( hash ),
sig, sizeof( sig ), &sig_len, &mbedtls_test_rnd_pseudo_rand,
&rnd_info ) == 0 );
TEST_ASSERT( mbedtls_ecdsa_read_signature( &ctx, hash, sizeof( hash ),
sig, sig_len ) == 0 );
/* check we didn't write past the announced length */
for( i = sig_len; i < sizeof( sig ); i++ )
TEST_ASSERT( sig[i] == 0x2a );
/* try verification with invalid length */
TEST_ASSERT( mbedtls_ecdsa_read_signature( &ctx, hash, sizeof( hash ),
sig, sig_len - 1 ) != 0 );
TEST_ASSERT( mbedtls_ecdsa_read_signature( &ctx, hash, sizeof( hash ),
sig, sig_len + 1 ) != 0 );
/* try invalid sequence tag */
sig[0]++;
TEST_ASSERT( mbedtls_ecdsa_read_signature( &ctx, hash, sizeof( hash ),
sig, sig_len ) != 0 );
sig[0]--;
/* try modifying r */
sig[10]++;
TEST_ASSERT( mbedtls_ecdsa_read_signature( &ctx, hash, sizeof( hash ),
sig, sig_len ) == MBEDTLS_ERR_ECP_VERIFY_FAILED );
sig[10]--;
/* try modifying s */
sig[sig_len - 1]++;
TEST_ASSERT( mbedtls_ecdsa_read_signature( &ctx, hash, sizeof( hash ),
sig, sig_len ) == MBEDTLS_ERR_ECP_VERIFY_FAILED );
sig[sig_len - 1]--;
exit:
mbedtls_ecdsa_free( &ctx );
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_IF_DETERMINISTIC */
void ecdsa_write_read_random( int id )
{
mbedtls_ecdsa_context ctx;
mbedtls_test_rnd_pseudo_info rnd_info;
unsigned char hash[32];
unsigned char sig[200];
size_t sig_len, i;
mbedtls_ecdsa_init( &ctx );
memset( &rnd_info, 0x00, sizeof( mbedtls_test_rnd_pseudo_info ) );
memset( hash, 0, sizeof( hash ) );
memset( sig, 0x2a, sizeof( sig ) );
/* prepare material for signature */
TEST_ASSERT( mbedtls_test_rnd_pseudo_rand( &rnd_info,
hash, sizeof( hash ) ) == 0 );
/* generate signing key */
TEST_ASSERT( mbedtls_ecdsa_genkey( &ctx, id,
&mbedtls_test_rnd_pseudo_rand,
&rnd_info ) == 0 );
/* generate and write signature, then read and verify it */
TEST_ASSERT( mbedtls_ecdsa_write_signature( &ctx, MBEDTLS_MD_SHA256,
hash, sizeof( hash ),
sig, sizeof( sig ), &sig_len, &mbedtls_test_rnd_pseudo_rand,
&rnd_info ) == 0 );
TEST_ASSERT( mbedtls_ecdsa_read_signature( &ctx, hash, sizeof( hash ),
sig, sig_len ) == 0 );
/* check we didn't write past the announced length */
for( i = sig_len; i < sizeof( sig ); i++ )
TEST_ASSERT( sig[i] == 0x2a );
/* try verification with invalid length */
TEST_ASSERT( mbedtls_ecdsa_read_signature( &ctx, hash, sizeof( hash ),
sig, sig_len - 1 ) != 0 );
TEST_ASSERT( mbedtls_ecdsa_read_signature( &ctx, hash, sizeof( hash ),
sig, sig_len + 1 ) != 0 );
/* try invalid sequence tag */
sig[0]++;
TEST_ASSERT( mbedtls_ecdsa_read_signature( &ctx, hash, sizeof( hash ),
sig, sig_len ) != 0 );
sig[0]--;
/* try modifying r */
sig[10]++;
TEST_ASSERT( mbedtls_ecdsa_read_signature( &ctx, hash, sizeof( hash ),
sig, sig_len ) == MBEDTLS_ERR_ECP_VERIFY_FAILED );
sig[10]--;
/* try modifying s */
sig[sig_len - 1]++;
TEST_ASSERT( mbedtls_ecdsa_read_signature( &ctx, hash, sizeof( hash ),
sig, sig_len ) == MBEDTLS_ERR_ECP_VERIFY_FAILED );
sig[sig_len - 1]--;
2013-08-08 13:30:57 +02:00
exit:
mbedtls_ecdsa_free( &ctx );
2013-08-08 13:30:57 +02:00
}
/* END_CASE */
2014-01-06 10:27:16 +01:00
/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
void ecdsa_read_restart( int id, data_t *pk, data_t *hash, data_t *sig,
int max_ops, int min_restart, int max_restart )
{
mbedtls_ecdsa_context ctx;
mbedtls_ecdsa_restart_ctx rs_ctx;
int ret, cnt_restart;
mbedtls_ecdsa_init( &ctx );
mbedtls_ecdsa_restart_init( &rs_ctx );
TEST_ASSERT( mbedtls_ecp_group_load( &ctx.grp, id ) == 0 );
TEST_ASSERT( mbedtls_ecp_point_read_binary( &ctx.grp, &ctx.Q,
pk->x, pk->len ) == 0 );
mbedtls_ecp_set_max_ops( max_ops );
cnt_restart = 0;
do {
ret = mbedtls_ecdsa_read_signature_restartable( &ctx,
hash->x, hash->len, sig->x, sig->len, &rs_ctx );
} while( ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restart );
TEST_ASSERT( ret == 0 );
TEST_ASSERT( cnt_restart >= min_restart );
TEST_ASSERT( cnt_restart <= max_restart );
/* try modifying r */
TEST_ASSERT( sig->len > 10 );
sig->x[10]++;
do {
ret = mbedtls_ecdsa_read_signature_restartable( &ctx,
hash->x, hash->len, sig->x, sig->len, &rs_ctx );
} while( ret == MBEDTLS_ERR_ECP_IN_PROGRESS );
TEST_ASSERT( ret == MBEDTLS_ERR_ECP_VERIFY_FAILED );
sig->x[10]--;
/* try modifying s */
sig->x[sig->len - 1]++;
do {
ret = mbedtls_ecdsa_read_signature_restartable( &ctx,
hash->x, hash->len, sig->x, sig->len, &rs_ctx );
} while( ret == MBEDTLS_ERR_ECP_IN_PROGRESS );
TEST_ASSERT( ret == MBEDTLS_ERR_ECP_VERIFY_FAILED );
sig->x[sig->len - 1]--;
/* Do we leak memory when aborting an operation?
* This test only makes sense when we actually restart */
if( min_restart > 0 )
{
ret = mbedtls_ecdsa_read_signature_restartable( &ctx,
hash->x, hash->len, sig->x, sig->len, &rs_ctx );
TEST_ASSERT( ret == MBEDTLS_ERR_ECP_IN_PROGRESS );
}
exit:
mbedtls_ecdsa_free( &ctx );
mbedtls_ecdsa_restart_free( &rs_ctx );
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE:MBEDTLS_ECDSA_DETERMINISTIC */
void ecdsa_write_restart( int id, char *d_str, int md_alg,
Rm useless use of MD in ECDSA test functions We had a message in the data file, and were computing its hash in the test function. It is more efficient (and simpler when it comes to dependencies) to directly have the message hash in the data file. It was probably this way because some test vectors provide the message for the sake of all-in-one implementation that hash-and-sign at once. But our API gets a hash as the input and signs it. In unit tests, this should be reflected in the signature of the test function, which should take a hash as input. The changes to the .data file were done using the following python script: import hashlib suite = 'ecdsa' functions = { 'ecdsa_det_test_vectors': (3, 4), 'ecdsa_write_restart': (3, 4), } def hash_ctx(s): if s == 'MBEDTLS_MD_MD5': return hashlib.md5() if s == 'MBEDTLS_MD_SHA1': return hashlib.sha1() if s == 'MBEDTLS_MD_SHA224': return hashlib.sha224() if s == 'MBEDTLS_MD_SHA256': return hashlib.sha256() if s == 'MBEDTLS_MD_SHA384': return hashlib.sha384() if s == 'MBEDTLS_MD_SHA512': return hashlib.sha512() def fix(l): parts = l.rstrip().split(":") fun = parts[0] if fun not in functions: return l (alg_idx, msg_idx) = functions[fun] alg_str = parts[alg_idx] if alg_str == "MBEDTLS_MD_NONE": return l h = hash_ctx(alg_str) msg_str = parts[msg_idx][1:-1] h.update(msg_str.encode('ascii')) msg_hash = h.hexdigest() msg_hash_str = '"' + msg_hash.upper() + '"' parts[msg_idx] = msg_hash_str return ":".join(parts) + '\n' filename = 'tests/suites/test_suite_' + suite + '.data' with open(filename) as f: lines = f.readlines() lines = [fix(l) for l in lines] with open(filename, 'w') as f: f.writelines(lines) Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-07-19 16:54:28 +02:00
data_t *hash, data_t *sig_check,
int max_ops, int min_restart, int max_restart )
{
int ret, cnt_restart;
mbedtls_ecdsa_restart_ctx rs_ctx;
mbedtls_ecdsa_context ctx;
unsigned char sig[MBEDTLS_ECDSA_MAX_LEN];
Rm useless use of MD in ECDSA test functions We had a message in the data file, and were computing its hash in the test function. It is more efficient (and simpler when it comes to dependencies) to directly have the message hash in the data file. It was probably this way because some test vectors provide the message for the sake of all-in-one implementation that hash-and-sign at once. But our API gets a hash as the input and signs it. In unit tests, this should be reflected in the signature of the test function, which should take a hash as input. The changes to the .data file were done using the following python script: import hashlib suite = 'ecdsa' functions = { 'ecdsa_det_test_vectors': (3, 4), 'ecdsa_write_restart': (3, 4), } def hash_ctx(s): if s == 'MBEDTLS_MD_MD5': return hashlib.md5() if s == 'MBEDTLS_MD_SHA1': return hashlib.sha1() if s == 'MBEDTLS_MD_SHA224': return hashlib.sha224() if s == 'MBEDTLS_MD_SHA256': return hashlib.sha256() if s == 'MBEDTLS_MD_SHA384': return hashlib.sha384() if s == 'MBEDTLS_MD_SHA512': return hashlib.sha512() def fix(l): parts = l.rstrip().split(":") fun = parts[0] if fun not in functions: return l (alg_idx, msg_idx) = functions[fun] alg_str = parts[alg_idx] if alg_str == "MBEDTLS_MD_NONE": return l h = hash_ctx(alg_str) msg_str = parts[msg_idx][1:-1] h.update(msg_str.encode('ascii')) msg_hash = h.hexdigest() msg_hash_str = '"' + msg_hash.upper() + '"' parts[msg_idx] = msg_hash_str return ":".join(parts) + '\n' filename = 'tests/suites/test_suite_' + suite + '.data' with open(filename) as f: lines = f.readlines() lines = [fix(l) for l in lines] with open(filename, 'w') as f: f.writelines(lines) Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-07-19 16:54:28 +02:00
size_t slen;
mbedtls_ecdsa_restart_init( &rs_ctx );
mbedtls_ecdsa_init( &ctx );
memset( sig, 0, sizeof( sig ) );
TEST_ASSERT( mbedtls_ecp_group_load( &ctx.grp, id ) == 0 );
TEST_ASSERT( mbedtls_test_read_mpi( &ctx.d, d_str ) == 0 );
mbedtls_ecp_set_max_ops( max_ops );
slen = sizeof( sig );
cnt_restart = 0;
do {
ret = mbedtls_ecdsa_write_signature_restartable( &ctx,
Rm useless use of MD in ECDSA test functions We had a message in the data file, and were computing its hash in the test function. It is more efficient (and simpler when it comes to dependencies) to directly have the message hash in the data file. It was probably this way because some test vectors provide the message for the sake of all-in-one implementation that hash-and-sign at once. But our API gets a hash as the input and signs it. In unit tests, this should be reflected in the signature of the test function, which should take a hash as input. The changes to the .data file were done using the following python script: import hashlib suite = 'ecdsa' functions = { 'ecdsa_det_test_vectors': (3, 4), 'ecdsa_write_restart': (3, 4), } def hash_ctx(s): if s == 'MBEDTLS_MD_MD5': return hashlib.md5() if s == 'MBEDTLS_MD_SHA1': return hashlib.sha1() if s == 'MBEDTLS_MD_SHA224': return hashlib.sha224() if s == 'MBEDTLS_MD_SHA256': return hashlib.sha256() if s == 'MBEDTLS_MD_SHA384': return hashlib.sha384() if s == 'MBEDTLS_MD_SHA512': return hashlib.sha512() def fix(l): parts = l.rstrip().split(":") fun = parts[0] if fun not in functions: return l (alg_idx, msg_idx) = functions[fun] alg_str = parts[alg_idx] if alg_str == "MBEDTLS_MD_NONE": return l h = hash_ctx(alg_str) msg_str = parts[msg_idx][1:-1] h.update(msg_str.encode('ascii')) msg_hash = h.hexdigest() msg_hash_str = '"' + msg_hash.upper() + '"' parts[msg_idx] = msg_hash_str return ":".join(parts) + '\n' filename = 'tests/suites/test_suite_' + suite + '.data' with open(filename) as f: lines = f.readlines() lines = [fix(l) for l in lines] with open(filename, 'w') as f: f.writelines(lines) Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-07-19 16:54:28 +02:00
md_alg, hash->x, hash->len, sig, sizeof( sig ), &slen,
mbedtls_test_rnd_std_rand, NULL, &rs_ctx );
} while( ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restart );
TEST_ASSERT( ret == 0 );
TEST_ASSERT( slen == sig_check->len );
TEST_ASSERT( memcmp( sig, sig_check->x, slen ) == 0 );
TEST_ASSERT( cnt_restart >= min_restart );
TEST_ASSERT( cnt_restart <= max_restart );
/* Do we leak memory when aborting an operation?
* This test only makes sense when we actually restart */
if( min_restart > 0 )
{
ret = mbedtls_ecdsa_write_signature_restartable( &ctx,
Rm useless use of MD in ECDSA test functions We had a message in the data file, and were computing its hash in the test function. It is more efficient (and simpler when it comes to dependencies) to directly have the message hash in the data file. It was probably this way because some test vectors provide the message for the sake of all-in-one implementation that hash-and-sign at once. But our API gets a hash as the input and signs it. In unit tests, this should be reflected in the signature of the test function, which should take a hash as input. The changes to the .data file were done using the following python script: import hashlib suite = 'ecdsa' functions = { 'ecdsa_det_test_vectors': (3, 4), 'ecdsa_write_restart': (3, 4), } def hash_ctx(s): if s == 'MBEDTLS_MD_MD5': return hashlib.md5() if s == 'MBEDTLS_MD_SHA1': return hashlib.sha1() if s == 'MBEDTLS_MD_SHA224': return hashlib.sha224() if s == 'MBEDTLS_MD_SHA256': return hashlib.sha256() if s == 'MBEDTLS_MD_SHA384': return hashlib.sha384() if s == 'MBEDTLS_MD_SHA512': return hashlib.sha512() def fix(l): parts = l.rstrip().split(":") fun = parts[0] if fun not in functions: return l (alg_idx, msg_idx) = functions[fun] alg_str = parts[alg_idx] if alg_str == "MBEDTLS_MD_NONE": return l h = hash_ctx(alg_str) msg_str = parts[msg_idx][1:-1] h.update(msg_str.encode('ascii')) msg_hash = h.hexdigest() msg_hash_str = '"' + msg_hash.upper() + '"' parts[msg_idx] = msg_hash_str return ":".join(parts) + '\n' filename = 'tests/suites/test_suite_' + suite + '.data' with open(filename) as f: lines = f.readlines() lines = [fix(l) for l in lines] with open(filename, 'w') as f: f.writelines(lines) Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-07-19 16:54:28 +02:00
md_alg, hash->x, hash->len, sig, sizeof( sig ), &slen,
mbedtls_test_rnd_std_rand, NULL, &rs_ctx );
TEST_ASSERT( ret == MBEDTLS_ERR_ECP_IN_PROGRESS );
}
exit:
mbedtls_ecdsa_restart_free( &rs_ctx );
mbedtls_ecdsa_free( &ctx );
}
/* END_CASE */
/* BEGIN_CASE */
void ecdsa_verify( int grp_id, char * x, char * y, char * r, char * s, data_t * content, int expected )
{
mbedtls_ecdsa_context ctx;
mbedtls_mpi sig_r, sig_s;
mbedtls_ecdsa_init( &ctx );
mbedtls_mpi_init( &sig_r );
mbedtls_mpi_init( &sig_s );
/* Prepare ECP group context */
TEST_EQUAL( mbedtls_ecp_group_load( &ctx.grp, grp_id ), 0 );
/* Prepare public key */
TEST_EQUAL( mbedtls_test_read_mpi( &ctx.Q.X, x ), 0 );
TEST_EQUAL( mbedtls_test_read_mpi( &ctx.Q.Y, y ), 0 );
TEST_EQUAL( mbedtls_mpi_lset( &ctx.Q.Z, 1 ), 0 );
/* Prepare signature R & S */
TEST_EQUAL( mbedtls_test_read_mpi( &sig_r, r ), 0 );
TEST_EQUAL( mbedtls_test_read_mpi( &sig_s, s ), 0 );
/* Test whether public key has expected validity */
TEST_EQUAL( mbedtls_ecp_check_pubkey( &ctx.grp, &ctx.Q ),
expected == MBEDTLS_ERR_ECP_INVALID_KEY ? MBEDTLS_ERR_ECP_INVALID_KEY : 0 );
/* Verification */
int result = mbedtls_ecdsa_verify( &ctx.grp, content->x, content->len, &ctx.Q, &sig_r, &sig_s );
TEST_EQUAL( result, expected );
exit:
mbedtls_ecdsa_free( &ctx );
mbedtls_mpi_free( &sig_r );
mbedtls_mpi_free( &sig_s );
}
/* END_CASE */