1 /* $OpenBSD: ecdsatest.c,v 1.7 2021/11/18 15:12:59 tb Exp $ */ 2 /* 3 * Written by Nils Larsch for the OpenSSL project. 4 */ 5 /* ==================================================================== 6 * Copyright (c) 2000-2005 The OpenSSL Project. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in 17 * the documentation and/or other materials provided with the 18 * distribution. 19 * 20 * 3. All advertising materials mentioning features or use of this 21 * software must display the following acknowledgment: 22 * "This product includes software developed by the OpenSSL Project 23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 24 * 25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 26 * endorse or promote products derived from this software without 27 * prior written permission. For written permission, please contact 28 * licensing@OpenSSL.org. 29 * 30 * 5. Products derived from this software may not be called "OpenSSL" 31 * nor may "OpenSSL" appear in their names without prior written 32 * permission of the OpenSSL Project. 33 * 34 * 6. Redistributions of any form whatsoever must retain the following 35 * acknowledgment: 36 * "This product includes software developed by the OpenSSL Project 37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 38 * 39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 50 * OF THE POSSIBILITY OF SUCH DAMAGE. 51 * ==================================================================== 52 * 53 * This product includes cryptographic software written by Eric Young 54 * (eay@cryptsoft.com). This product includes software written by Tim 55 * Hudson (tjh@cryptsoft.com). 56 * 57 */ 58 /* ==================================================================== 59 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 60 * 61 * Portions of the attached software ("Contribution") are developed by 62 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. 63 * 64 * The Contribution is licensed pursuant to the OpenSSL open source 65 * license provided above. 66 * 67 * The elliptic curve binary polynomial software is originally written by 68 * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories. 69 * 70 */ 71 72 #include <stdio.h> 73 #include <stdlib.h> 74 #include <string.h> 75 76 #include <openssl/crypto.h> 77 #include <openssl/bio.h> 78 #include <openssl/evp.h> 79 #include <openssl/bn.h> 80 #include <openssl/ecdsa.h> 81 #ifndef OPENSSL_NO_ENGINE 82 #include <openssl/engine.h> 83 #endif 84 #include <openssl/err.h> 85 86 /* declaration of the test functions */ 87 int x9_62_test_internal(BIO *out, int nid, const char *r, const char *s); 88 int test_builtin(BIO *); 89 90 /* some tests from the X9.62 draft */ 91 int 92 x9_62_test_internal(BIO *out, int nid, const char *r_in, const char *s_in) 93 { 94 int ret = 0; 95 const char message[] = "abc"; 96 unsigned char digest[20]; 97 unsigned int dgst_len = 0; 98 EVP_MD_CTX *md_ctx = NULL; 99 EC_KEY *key = NULL; 100 ECDSA_SIG *signature = NULL; 101 BIGNUM *r = NULL, *s = NULL; 102 103 if ((md_ctx = EVP_MD_CTX_new()) == NULL) 104 goto x962_int_err; 105 /* get the message digest */ 106 EVP_DigestInit(md_ctx, EVP_ecdsa()); 107 EVP_DigestUpdate(md_ctx, (const void*)message, 3); 108 EVP_DigestFinal(md_ctx, digest, &dgst_len); 109 110 BIO_printf(out, "testing %s: ", OBJ_nid2sn(nid)); 111 /* create the key */ 112 if ((key = EC_KEY_new_by_curve_name(nid)) == NULL) 113 goto x962_int_err; 114 if (!EC_KEY_generate_key(key)) 115 goto x962_int_err; 116 BIO_printf(out, "."); 117 (void)BIO_flush(out); 118 /* create the signature */ 119 signature = ECDSA_do_sign(digest, 20, key); 120 if (signature == NULL) 121 goto x962_int_err; 122 BIO_printf(out, "."); 123 (void)BIO_flush(out); 124 /* compare the created signature with the expected signature */ 125 if ((r = BN_new()) == NULL || (s = BN_new()) == NULL) 126 goto x962_int_err; 127 if (!BN_dec2bn(&r, r_in) || 128 !BN_dec2bn(&s, s_in)) 129 goto x962_int_err; 130 if (BN_cmp(signature->r ,r) || BN_cmp(signature->s, s)) 131 goto x962_int_err; 132 BIO_printf(out, "."); 133 (void)BIO_flush(out); 134 /* verify the signature */ 135 if (ECDSA_do_verify(digest, 20, signature, key) != 1) 136 goto x962_int_err; 137 BIO_printf(out, "."); 138 (void)BIO_flush(out); 139 140 BIO_printf(out, " ok\n"); 141 ret = 1; 142 x962_int_err: 143 if (!ret) 144 BIO_printf(out, " failed\n"); 145 if (key) 146 EC_KEY_free(key); 147 if (signature) 148 ECDSA_SIG_free(signature); 149 if (r) 150 BN_free(r); 151 if (s) 152 BN_free(s); 153 EVP_MD_CTX_free(md_ctx); 154 return ret; 155 } 156 157 int 158 test_builtin(BIO *out) 159 { 160 EC_builtin_curve *curves = NULL; 161 size_t num_curves = 0, n = 0; 162 EC_KEY *eckey = NULL, *wrong_eckey = NULL; 163 EC_GROUP *group; 164 ECDSA_SIG *ecdsa_sig = NULL; 165 unsigned char digest[20], wrong_digest[20]; 166 unsigned char *signature = NULL; 167 const unsigned char *sig_ptr; 168 unsigned char *sig_ptr2; 169 unsigned char *raw_buf = NULL; 170 unsigned int sig_len, degree, r_len, s_len, bn_len, buf_len; 171 int nid, ret = 0; 172 173 /* fill digest values with some random data */ 174 arc4random_buf(digest, 20); 175 arc4random_buf(wrong_digest, 20); 176 177 /* create and verify a ecdsa signature with every available curve */ 178 BIO_printf(out, "\ntesting ECDSA_sign() and ECDSA_verify() " 179 "with some internal curves:\n"); 180 181 /* get a list of all internal curves */ 182 num_curves = EC_get_builtin_curves(NULL, 0); 183 184 curves = reallocarray(NULL, sizeof(EC_builtin_curve), num_curves); 185 186 if (curves == NULL) { 187 BIO_printf(out, "reallocarray error\n"); 188 goto builtin_err; 189 } 190 191 if (!EC_get_builtin_curves(curves, num_curves)) { 192 BIO_printf(out, "unable to get internal curves\n"); 193 goto builtin_err; 194 } 195 196 /* now create and verify a signature for every curve */ 197 for (n = 0; n < num_curves; n++) { 198 unsigned char dirt, offset; 199 200 nid = curves[n].nid; 201 if (nid == NID_ipsec4) 202 continue; 203 /* create new ecdsa key (== EC_KEY) */ 204 if ((eckey = EC_KEY_new()) == NULL) 205 goto builtin_err; 206 group = EC_GROUP_new_by_curve_name(nid); 207 if (group == NULL) 208 goto builtin_err; 209 if (EC_KEY_set_group(eckey, group) == 0) 210 goto builtin_err; 211 EC_GROUP_free(group); 212 degree = EC_GROUP_get_degree(EC_KEY_get0_group(eckey)); 213 if (degree < 160) { 214 /* drop the curve */ 215 EC_KEY_free(eckey); 216 eckey = NULL; 217 continue; 218 } 219 BIO_printf(out, "%s: ", OBJ_nid2sn(nid)); 220 /* create key */ 221 if (!EC_KEY_generate_key(eckey)) { 222 BIO_printf(out, " failed\n"); 223 goto builtin_err; 224 } 225 /* create second key */ 226 if ((wrong_eckey = EC_KEY_new()) == NULL) 227 goto builtin_err; 228 group = EC_GROUP_new_by_curve_name(nid); 229 if (group == NULL) 230 goto builtin_err; 231 if (EC_KEY_set_group(wrong_eckey, group) == 0) 232 goto builtin_err; 233 EC_GROUP_free(group); 234 if (!EC_KEY_generate_key(wrong_eckey)) { 235 BIO_printf(out, " failed\n"); 236 goto builtin_err; 237 } 238 239 BIO_printf(out, "."); 240 (void)BIO_flush(out); 241 /* check key */ 242 if (!EC_KEY_check_key(eckey)) { 243 BIO_printf(out, " failed\n"); 244 goto builtin_err; 245 } 246 BIO_printf(out, "."); 247 (void)BIO_flush(out); 248 /* create signature */ 249 sig_len = ECDSA_size(eckey); 250 if ((signature = malloc(sig_len)) == NULL) 251 goto builtin_err; 252 if (!ECDSA_sign(0, digest, 20, signature, &sig_len, eckey)) { 253 BIO_printf(out, " failed\n"); 254 goto builtin_err; 255 } 256 BIO_printf(out, "."); 257 (void)BIO_flush(out); 258 /* verify signature */ 259 if (ECDSA_verify(0, digest, 20, signature, sig_len, 260 eckey) != 1) { 261 BIO_printf(out, " failed\n"); 262 goto builtin_err; 263 } 264 BIO_printf(out, "."); 265 (void)BIO_flush(out); 266 /* verify signature with the wrong key */ 267 if (ECDSA_verify(0, digest, 20, signature, sig_len, 268 wrong_eckey) == 1) { 269 BIO_printf(out, " failed\n"); 270 goto builtin_err; 271 } 272 BIO_printf(out, "."); 273 (void)BIO_flush(out); 274 /* wrong digest */ 275 if (ECDSA_verify(0, wrong_digest, 20, signature, sig_len, 276 eckey) == 1) { 277 BIO_printf(out, " failed\n"); 278 goto builtin_err; 279 } 280 BIO_printf(out, "."); 281 (void)BIO_flush(out); 282 /* wrong length */ 283 if (ECDSA_verify(0, digest, 20, signature, sig_len - 1, 284 eckey) == 1) { 285 BIO_printf(out, " failed\n"); 286 goto builtin_err; 287 } 288 BIO_printf(out, "."); 289 (void)BIO_flush(out); 290 291 /* 292 * Modify a single byte of the signature: to ensure we don't 293 * garble the ASN1 structure, we read the raw signature and 294 * modify a byte in one of the bignums directly. 295 */ 296 sig_ptr = signature; 297 if ((ecdsa_sig = d2i_ECDSA_SIG(NULL, &sig_ptr, 298 sig_len)) == NULL) { 299 BIO_printf(out, " failed\n"); 300 goto builtin_err; 301 } 302 303 /* Store the two BIGNUMs in raw_buf. */ 304 r_len = BN_num_bytes(ecdsa_sig->r); 305 s_len = BN_num_bytes(ecdsa_sig->s); 306 bn_len = (degree + 7) / 8; 307 if ((r_len > bn_len) || (s_len > bn_len)) { 308 BIO_printf(out, " failed\n"); 309 goto builtin_err; 310 } 311 buf_len = 2 * bn_len; 312 if ((raw_buf = calloc(1, buf_len)) == NULL) 313 goto builtin_err; 314 BN_bn2bin(ecdsa_sig->r, raw_buf + bn_len - r_len); 315 BN_bn2bin(ecdsa_sig->s, raw_buf + buf_len - s_len); 316 317 /* Modify a single byte in the buffer. */ 318 offset = raw_buf[10] % buf_len; 319 dirt = raw_buf[11] ? raw_buf[11] : 1; 320 raw_buf[offset] ^= dirt; 321 /* Now read the BIGNUMs back in from raw_buf. */ 322 if ((BN_bin2bn(raw_buf, bn_len, ecdsa_sig->r) == NULL) || 323 (BN_bin2bn(raw_buf + bn_len, bn_len, ecdsa_sig->s) == NULL)) 324 goto builtin_err; 325 326 sig_ptr2 = signature; 327 sig_len = i2d_ECDSA_SIG(ecdsa_sig, &sig_ptr2); 328 if (ECDSA_verify(0, digest, 20, signature, sig_len, 329 eckey) == 1) { 330 BIO_printf(out, " failed\n"); 331 goto builtin_err; 332 } 333 /* Sanity check: undo the modification and verify signature. */ 334 raw_buf[offset] ^= dirt; 335 if ((BN_bin2bn(raw_buf, bn_len, ecdsa_sig->r) == NULL) || 336 (BN_bin2bn(raw_buf + bn_len, bn_len, ecdsa_sig->s) == NULL)) 337 goto builtin_err; 338 339 sig_ptr2 = signature; 340 sig_len = i2d_ECDSA_SIG(ecdsa_sig, &sig_ptr2); 341 if (ECDSA_verify(0, digest, 20, signature, sig_len, 342 eckey) != 1) { 343 BIO_printf(out, " failed\n"); 344 goto builtin_err; 345 } 346 BIO_printf(out, "."); 347 (void)BIO_flush(out); 348 349 BIO_printf(out, " ok\n"); 350 /* cleanup */ 351 /* clean bogus errors */ 352 ERR_clear_error(); 353 free(signature); 354 signature = NULL; 355 EC_KEY_free(eckey); 356 eckey = NULL; 357 EC_KEY_free(wrong_eckey); 358 wrong_eckey = NULL; 359 ECDSA_SIG_free(ecdsa_sig); 360 ecdsa_sig = NULL; 361 free(raw_buf); 362 raw_buf = NULL; 363 } 364 365 ret = 1; 366 builtin_err: 367 EC_KEY_free(eckey); 368 EC_KEY_free(wrong_eckey); 369 ECDSA_SIG_free(ecdsa_sig); 370 free(signature); 371 free(raw_buf); 372 free(curves); 373 374 return ret; 375 } 376 377 int 378 main(void) 379 { 380 int ret = 1; 381 BIO *out; 382 383 out = BIO_new_fp(stdout, BIO_NOCLOSE); 384 385 ERR_load_crypto_strings(); 386 387 /* the tests */ 388 if (!test_builtin(out)) 389 goto err; 390 391 ret = 0; 392 err: 393 if (ret) 394 BIO_printf(out, "\nECDSA test failed\n"); 395 else 396 BIO_printf(out, "\nECDSA test passed\n"); 397 if (ret) 398 ERR_print_errors(out); 399 CRYPTO_cleanup_all_ex_data(); 400 ERR_remove_thread_state(NULL); 401 ERR_free_strings(); 402 CRYPTO_mem_leaks(out); 403 if (out != NULL) 404 BIO_free(out); 405 return ret; 406 } 407