xref: /openbsd-src/regress/lib/libcrypto/ecdsa/ecdsatest.c (revision 50b7afb2c2c0993b0894d4e34bf857cb13ed9c80) 
1 /* crypto/ecdsa/ecdsatest.c */
2 /*
3  * Written by Nils Larsch for the OpenSSL project.
4  */
5 /* ====================================================================
6  * Copyright (c) 2000-2005 The OpenSSL Project.  All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  *
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in
17  *    the documentation and/or other materials provided with the
18  *    distribution.
19  *
20  * 3. All advertising materials mentioning features or use of this
21  *    software must display the following acknowledgment:
22  *    "This product includes software developed by the OpenSSL Project
23  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24  *
25  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26  *    endorse or promote products derived from this software without
27  *    prior written permission. For written permission, please contact
28  *    licensing@OpenSSL.org.
29  *
30  * 5. Products derived from this software may not be called "OpenSSL"
31  *    nor may "OpenSSL" appear in their names without prior written
32  *    permission of the OpenSSL Project.
33  *
34  * 6. Redistributions of any form whatsoever must retain the following
35  *    acknowledgment:
36  *    "This product includes software developed by the OpenSSL Project
37  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38  *
39  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
43  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50  * OF THE POSSIBILITY OF SUCH DAMAGE.
51  * ====================================================================
52  *
53  * This product includes cryptographic software written by Eric Young
54  * (eay@cryptsoft.com).  This product includes software written by Tim
55  * Hudson (tjh@cryptsoft.com).
56  *
57  */
58 /* ====================================================================
59  * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
60  *
61  * Portions of the attached software ("Contribution") are developed by
62  * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
63  *
64  * The Contribution is licensed pursuant to the OpenSSL open source
65  * license provided above.
66  *
67  * The elliptic curve binary polynomial software is originally written by
68  * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories.
69  *
70  */
71 
72 #include <stdio.h>
73 #include <stdlib.h>
74 #include <string.h>
75 
76 #include <openssl/crypto.h>
77 #include <openssl/bio.h>
78 #include <openssl/evp.h>
79 #include <openssl/bn.h>
80 #include <openssl/ecdsa.h>
81 #ifndef OPENSSL_NO_ENGINE
82 #include <openssl/engine.h>
83 #endif
84 #include <openssl/err.h>
85 #include <openssl/rand.h>
86 
87 /* declaration of the test functions */
88 int x9_62_test_internal(BIO *out, int nid, const char *r, const char *s);
89 int test_builtin(BIO *);
90 
91 /* some tests from the X9.62 draft */
92 int x9_62_test_internal(BIO *out, int nid, const char *r_in, const char *s_in)
93 	{
94 	int	ret = 0;
95 	const char message[] = "abc";
96 	unsigned char digest[20];
97 	unsigned int  dgst_len = 0;
98 	EVP_MD_CTX md_ctx;
99 	EC_KEY    *key = NULL;
100 	ECDSA_SIG *signature = NULL;
101 	BIGNUM    *r = NULL, *s = NULL;
102 
103 	EVP_MD_CTX_init(&md_ctx);
104 	/* get the message digest */
105 	EVP_DigestInit(&md_ctx, EVP_ecdsa());
106 	EVP_DigestUpdate(&md_ctx, (const void*)message, 3);
107 	EVP_DigestFinal(&md_ctx, digest, &dgst_len);
108 
109 	BIO_printf(out, "testing %s: ", OBJ_nid2sn(nid));
110 	/* create the key */
111 	if ((key = EC_KEY_new_by_curve_name(nid)) == NULL)
112 		goto x962_int_err;
113 	if (!EC_KEY_generate_key(key))
114 		goto x962_int_err;
115 	BIO_printf(out, ".");
116 	(void)BIO_flush(out);
117 	/* create the signature */
118 	signature = ECDSA_do_sign(digest, 20, key);
119 	if (signature == NULL)
120 		goto x962_int_err;
121 	BIO_printf(out, ".");
122 	(void)BIO_flush(out);
123 	/* compare the created signature with the expected signature */
124 	if ((r = BN_new()) == NULL || (s = BN_new()) == NULL)
125 		goto x962_int_err;
126 	if (!BN_dec2bn(&r, r_in) ||
127 	    !BN_dec2bn(&s, s_in))
128 		goto x962_int_err;
129 	if (BN_cmp(signature->r ,r) || BN_cmp(signature->s, s))
130 		goto x962_int_err;
131 	BIO_printf(out, ".");
132 	(void)BIO_flush(out);
133 	/* verify the signature */
134 	if (ECDSA_do_verify(digest, 20, signature, key) != 1)
135 		goto x962_int_err;
136 	BIO_printf(out, ".");
137 	(void)BIO_flush(out);
138 
139 	BIO_printf(out, " ok\n");
140 	ret = 1;
141 x962_int_err:
142 	if (!ret)
143 		BIO_printf(out, " failed\n");
144 	if (key)
145 		EC_KEY_free(key);
146 	if (signature)
147 		ECDSA_SIG_free(signature);
148 	if (r)
149 		BN_free(r);
150 	if (s)
151 		BN_free(s);
152 	EVP_MD_CTX_cleanup(&md_ctx);
153 	return ret;
154 	}
155 
156 int test_builtin(BIO *out)
157 	{
158 	EC_builtin_curve *curves = NULL;
159 	size_t		crv_len = 0, n = 0;
160 	EC_KEY		*eckey = NULL, *wrong_eckey = NULL;
161 	EC_GROUP	*group;
162 	ECDSA_SIG	*ecdsa_sig = NULL;
163 	unsigned char	digest[20], wrong_digest[20];
164 	unsigned char	*signature = NULL;
165 	const unsigned char	*sig_ptr;
166 	unsigned char	*sig_ptr2;
167 	unsigned char	*raw_buf = NULL;
168 	unsigned int	sig_len, degree, r_len, s_len, bn_len, buf_len;
169 	int		nid, ret =  0;
170 
171 	/* fill digest values with some random data */
172 	if (!RAND_pseudo_bytes(digest, 20) ||
173 	    !RAND_pseudo_bytes(wrong_digest, 20))
174 		{
175 		BIO_printf(out, "ERROR: unable to get random data\n");
176 		goto builtin_err;
177 		}
178 
179 	/* create and verify a ecdsa signature with every availble curve
180 	 * (with ) */
181 	BIO_printf(out, "\ntesting ECDSA_sign() and ECDSA_verify() "
182 		"with some internal curves:\n");
183 
184 	/* get a list of all internal curves */
185 	crv_len = EC_get_builtin_curves(NULL, 0);
186 
187 	curves = reallocarray(NULL, sizeof(EC_builtin_curve), crv_len);
188 
189 	if (curves == NULL)
190 		{
191 		BIO_printf(out, "malloc error\n");
192 		goto builtin_err;
193 		}
194 
195 	if (!EC_get_builtin_curves(curves, crv_len))
196 		{
197 		BIO_printf(out, "unable to get internal curves\n");
198 		goto builtin_err;
199 		}
200 
201 	/* now create and verify a signature for every curve */
202 	for (n = 0; n < crv_len; n++)
203 		{
204 		unsigned char dirt, offset;
205 
206 		nid = curves[n].nid;
207 		if (nid == NID_ipsec4)
208 			continue;
209 		/* create new ecdsa key (== EC_KEY) */
210 		if ((eckey = EC_KEY_new()) == NULL)
211 			goto builtin_err;
212 		group = EC_GROUP_new_by_curve_name(nid);
213 		if (group == NULL)
214 			goto builtin_err;
215 		if (EC_KEY_set_group(eckey, group) == 0)
216 			goto builtin_err;
217 		EC_GROUP_free(group);
218 		degree = EC_GROUP_get_degree(EC_KEY_get0_group(eckey));
219 		if (degree < 160)
220 			/* drop the curve */
221 			{
222 			EC_KEY_free(eckey);
223 			eckey = NULL;
224 			continue;
225 			}
226 		BIO_printf(out, "%s: ", OBJ_nid2sn(nid));
227 		/* create key */
228 		if (!EC_KEY_generate_key(eckey))
229 			{
230 			BIO_printf(out, " failed\n");
231 			goto builtin_err;
232 			}
233 		/* create second key */
234 		if ((wrong_eckey = EC_KEY_new()) == NULL)
235 			goto builtin_err;
236 		group = EC_GROUP_new_by_curve_name(nid);
237 		if (group == NULL)
238 			goto builtin_err;
239 		if (EC_KEY_set_group(wrong_eckey, group) == 0)
240 			goto builtin_err;
241 		EC_GROUP_free(group);
242 		if (!EC_KEY_generate_key(wrong_eckey))
243 			{
244 			BIO_printf(out, " failed\n");
245 			goto builtin_err;
246 			}
247 
248 		BIO_printf(out, ".");
249 		(void)BIO_flush(out);
250 		/* check key */
251 		if (!EC_KEY_check_key(eckey))
252 			{
253 			BIO_printf(out, " failed\n");
254 			goto builtin_err;
255 			}
256 		BIO_printf(out, ".");
257 		(void)BIO_flush(out);
258 		/* create signature */
259 		sig_len = ECDSA_size(eckey);
260 		if ((signature = malloc(sig_len)) == NULL)
261 			goto builtin_err;
262                 if (!ECDSA_sign(0, digest, 20, signature, &sig_len, eckey))
263 			{
264 			BIO_printf(out, " failed\n");
265 			goto builtin_err;
266 			}
267 		BIO_printf(out, ".");
268 		(void)BIO_flush(out);
269 		/* verify signature */
270 		if (ECDSA_verify(0, digest, 20, signature, sig_len, eckey) != 1)
271 			{
272 			BIO_printf(out, " failed\n");
273 			goto builtin_err;
274 			}
275 		BIO_printf(out, ".");
276 		(void)BIO_flush(out);
277 		/* verify signature with the wrong key */
278 		if (ECDSA_verify(0, digest, 20, signature, sig_len,
279 			wrong_eckey) == 1)
280 			{
281 			BIO_printf(out, " failed\n");
282 			goto builtin_err;
283 			}
284 		BIO_printf(out, ".");
285 		(void)BIO_flush(out);
286 		/* wrong digest */
287 		if (ECDSA_verify(0, wrong_digest, 20, signature, sig_len,
288 			eckey) == 1)
289 			{
290 			BIO_printf(out, " failed\n");
291 			goto builtin_err;
292 			}
293 		BIO_printf(out, ".");
294 		(void)BIO_flush(out);
295 		/* wrong length */
296 		if (ECDSA_verify(0, digest, 20, signature, sig_len - 1,
297 			eckey) == 1)
298 			{
299 			BIO_printf(out, " failed\n");
300 			goto builtin_err;
301 			}
302 		BIO_printf(out, ".");
303 		(void)BIO_flush(out);
304 
305 		/* Modify a single byte of the signature: to ensure we don't
306 		 * garble the ASN1 structure, we read the raw signature and
307 		 * modify a byte in one of the bignums directly. */
308 		sig_ptr = signature;
309 		if ((ecdsa_sig = d2i_ECDSA_SIG(NULL, &sig_ptr, sig_len)) == NULL)
310 			{
311 			BIO_printf(out, " failed\n");
312 			goto builtin_err;
313 			}
314 
315 		/* Store the two BIGNUMs in raw_buf. */
316 		r_len = BN_num_bytes(ecdsa_sig->r);
317 		s_len = BN_num_bytes(ecdsa_sig->s);
318 		bn_len = (degree + 7) / 8;
319 		if ((r_len > bn_len) || (s_len > bn_len))
320 			{
321 			BIO_printf(out, " failed\n");
322 			goto builtin_err;
323 			}
324 		buf_len = 2 * bn_len;
325 		if ((raw_buf = calloc(1, buf_len)) == NULL)
326 			goto builtin_err;
327 		BN_bn2bin(ecdsa_sig->r, raw_buf + bn_len - r_len);
328 		BN_bn2bin(ecdsa_sig->s, raw_buf + buf_len - s_len);
329 
330 		/* Modify a single byte in the buffer. */
331 		offset = raw_buf[10] % buf_len;
332 		dirt   = raw_buf[11] ? raw_buf[11] : 1;
333 		raw_buf[offset] ^= dirt;
334 		/* Now read the BIGNUMs back in from raw_buf. */
335 		if ((BN_bin2bn(raw_buf, bn_len, ecdsa_sig->r) == NULL) ||
336 			(BN_bin2bn(raw_buf + bn_len, bn_len, ecdsa_sig->s) == NULL))
337 			goto builtin_err;
338 
339 		sig_ptr2 = signature;
340 		sig_len = i2d_ECDSA_SIG(ecdsa_sig, &sig_ptr2);
341 		if (ECDSA_verify(0, digest, 20, signature, sig_len, eckey) == 1)
342 			{
343 			BIO_printf(out, " failed\n");
344 			goto builtin_err;
345 			}
346 		/* Sanity check: undo the modification and verify signature. */
347 		raw_buf[offset] ^= dirt;
348 		if ((BN_bin2bn(raw_buf, bn_len, ecdsa_sig->r) == NULL) ||
349 			(BN_bin2bn(raw_buf + bn_len, bn_len, ecdsa_sig->s) == NULL))
350 			goto builtin_err;
351 
352 		sig_ptr2 = signature;
353 		sig_len = i2d_ECDSA_SIG(ecdsa_sig, &sig_ptr2);
354 		if (ECDSA_verify(0, digest, 20, signature, sig_len, eckey) != 1)
355 			{
356 			BIO_printf(out, " failed\n");
357 			goto builtin_err;
358 			}
359 		BIO_printf(out, ".");
360 		(void)BIO_flush(out);
361 
362 		BIO_printf(out, " ok\n");
363 		/* cleanup */
364 		/* clean bogus errors */
365 		ERR_clear_error();
366 		free(signature);
367 		signature = NULL;
368 		EC_KEY_free(eckey);
369 		eckey = NULL;
370 		EC_KEY_free(wrong_eckey);
371 		wrong_eckey = NULL;
372 		ECDSA_SIG_free(ecdsa_sig);
373 		ecdsa_sig = NULL;
374 		free(raw_buf);
375 		raw_buf = NULL;
376 		}
377 
378 	ret = 1;
379 builtin_err:
380 	if (eckey)
381 		EC_KEY_free(eckey);
382 	if (wrong_eckey)
383 		EC_KEY_free(wrong_eckey);
384 	if (ecdsa_sig)
385 		ECDSA_SIG_free(ecdsa_sig);
386 	free(signature);
387 	free(raw_buf);
388 	free(curves);
389 
390 	return ret;
391 	}
392 
393 int main(void)
394 	{
395 	int 	ret = 1;
396 	BIO	*out;
397 
398 	out = BIO_new_fp(stdout, BIO_NOCLOSE);
399 
400 	ERR_load_crypto_strings();
401 
402 	/* the tests */
403 	if (!test_builtin(out)) goto err;
404 
405 	ret = 0;
406 err:
407 	if (ret)
408 		BIO_printf(out, "\nECDSA test failed\n");
409 	else
410 		BIO_printf(out, "\nECDSA test passed\n");
411 	if (ret)
412 		ERR_print_errors(out);
413 	CRYPTO_cleanup_all_ex_data();
414 	ERR_remove_thread_state(NULL);
415 	ERR_free_strings();
416 	CRYPTO_mem_leaks(out);
417 	if (out != NULL)
418 		BIO_free(out);
419 	return ret;
420 	}
421