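/* BEGIN_HEADER */
#include "mbedtls/ecdsa.h"
/* END_HEADER */

/* BEGIN_DEPENDENCIES
 * depends_on:MBEDTLS_ECDSA_C
 * END_DEPENDENCIES
 */

/* BEGIN_CASE */
void ecdsa_prim_zero(int id)
{
    /* Sign an all-zero MBEDTLS_MD_MAX_SIZE-byte buffer with a freshly
     * generated key pair on curve `id`, then check that the signature
     * verifies against the matching public key. */
    mbedtls_ecp_group grp;
    mbedtls_ecp_point Q;
    mbedtls_mpi d, r, s;
    mbedtls_test_rnd_pseudo_info rnd_info;
    unsigned char buf[MBEDTLS_MD_MAX_SIZE];

    mbedtls_ecp_group_init(&grp);
    mbedtls_ecp_point_init(&Q);
    mbedtls_mpi_init(&d); mbedtls_mpi_init(&r); mbedtls_mpi_init(&s);
    memset(&rnd_info, 0x00, sizeof(rnd_info));
    memset(buf, 0, sizeof(buf));

    TEST_ASSERT(mbedtls_ecp_group_load(&grp, id) == 0);
    TEST_ASSERT(mbedtls_ecp_gen_keypair(&grp, &d, &Q,
                                        &mbedtls_test_rnd_pseudo_rand,
                                        &rnd_info) == 0);

    TEST_ASSERT(mbedtls_ecdsa_sign(&grp, &r, &s, &d, buf, sizeof(buf),
                                   &mbedtls_test_rnd_pseudo_rand,
                                   &rnd_info) == 0);
    TEST_ASSERT(mbedtls_ecdsa_verify(&grp, buf, sizeof(buf), &Q, &r, &s) == 0);

exit:
    mbedtls_ecp_group_free(&grp);
    mbedtls_ecp_point_free(&Q);
    mbedtls_mpi_free(&d); mbedtls_mpi_free(&r); mbedtls_mpi_free(&s);
}
/* END_CASE */

/* BEGIN_CASE */
void ecdsa_prim_random(int id)
{
    /* Same round trip as ecdsa_prim_zero, but the buffer being signed is
     * first filled from the test pseudo-random generator. */
    mbedtls_ecp_group grp;
    mbedtls_ecp_point Q;
    mbedtls_mpi d, r, s;
    mbedtls_test_rnd_pseudo_info rnd_info;
    unsigned char buf[MBEDTLS_MD_MAX_SIZE];

    mbedtls_ecp_group_init(&grp);
    mbedtls_ecp_point_init(&Q);
    mbedtls_mpi_init(&d); mbedtls_mpi_init(&r); mbedtls_mpi_init(&s);
    memset(&rnd_info, 0x00, sizeof(rnd_info));
    memset(buf, 0, sizeof(buf));

    /* prepare material for signature */
    TEST_ASSERT(mbedtls_test_rnd_pseudo_rand(&rnd_info,
                                             buf, sizeof(buf)) == 0);
    TEST_ASSERT(mbedtls_ecp_group_load(&grp, id) == 0);
    TEST_ASSERT(mbedtls_ecp_gen_keypair(&grp, &d, &Q,
                                        &mbedtls_test_rnd_pseudo_rand,
                                        &rnd_info) == 0);

    TEST_ASSERT(mbedtls_ecdsa_sign(&grp, &r, &s, &d, buf, sizeof(buf),
                                   &mbedtls_test_rnd_pseudo_rand,
                                   &rnd_info) == 0);
    TEST_ASSERT(mbedtls_ecdsa_verify(&grp, buf, sizeof(buf), &Q, &r, &s) == 0);

exit:
    mbedtls_ecp_group_free(&grp);
    mbedtls_ecp_point_free(&Q);
    mbedtls_mpi_free(&d); mbedtls_mpi_free(&r); mbedtls_mpi_free(&s);
}
/* END_CASE */

/* BEGIN_CASE */
void ecdsa_prim_test_vectors(int id, char *d_str, char *xQ_str,
                             char *yQ_str, data_t *rnd_buf,
                             data_t *hash, char *r_str, char *s_str,
                             int result)
{
    /* Known-answer test for the ECDSA primitives.
     *
     * Signs `hash` with private key `d_str`, feeding `rnd_buf` to the signer
     * as its random source, and expects mbedtls_ecdsa_sign() to return
     * `result`. When `result` is 0 the produced (r, s) must equal
     * (r_str, s_str), that pair must verify against the public key
     * (xQ_str, yQ_str), and a series of tampered or out-of-range signatures
     * must all be rejected with MBEDTLS_ERR_ECP_VERIFY_FAILED.
     *
     * Note: rnd_buf->x is modified in place when the curve's bit size is not
     * a multiple of 8. */
    mbedtls_ecp_group grp;
    mbedtls_ecp_point Q;
    mbedtls_mpi d, r, s, r_check, s_check, zero;
    mbedtls_test_rnd_buf_info rnd_info;

    mbedtls_ecp_group_init(&grp);
    mbedtls_ecp_point_init(&Q);
    mbedtls_mpi_init(&d); mbedtls_mpi_init(&r); mbedtls_mpi_init(&s);
    mbedtls_mpi_init(&r_check); mbedtls_mpi_init(&s_check);
    mbedtls_mpi_init(&zero);

    TEST_ASSERT(mbedtls_ecp_group_load(&grp, id) == 0);
    TEST_ASSERT(mbedtls_ecp_point_read_string(&Q, 16, xQ_str, yQ_str) == 0);
    TEST_ASSERT(mbedtls_test_read_mpi(&d, d_str) == 0);
    TEST_ASSERT(mbedtls_test_read_mpi(&r_check, r_str) == 0);
    TEST_ASSERT(mbedtls_test_read_mpi(&s_check, s_str) == 0);
    rnd_info.fallback_f_rng = mbedtls_test_rnd_std_rand;
    rnd_info.fallback_p_rng = NULL;
    rnd_info.buf = rnd_buf->x;
    rnd_info.length = rnd_buf->len;

    /* Fix rnd_buf->x by shifting it left if necessary.
     * NOTE(review): presumably this compensates for the library trimming its
     * random output down to grp.nbits bits - confirm against the signer.
     * The length check keeps an empty rnd_buf from wrapping `length - 1`
     * around to SIZE_MAX and walking off the buffer. */
    if (grp.nbits % 8 != 0 && rnd_info.length > 0) {
        unsigned char shift = 8 - (grp.nbits % 8);
        size_t i;

        for (i = 0; i < rnd_info.length - 1; i++) {
            rnd_buf->x[i] = rnd_buf->x[i] << shift | rnd_buf->x[i+1] >> (8 - shift);
        }

        rnd_buf->x[rnd_info.length-1] <<= shift;
    }

    TEST_ASSERT(mbedtls_ecdsa_sign(&grp, &r, &s, &d, hash->x, hash->len,
                                   mbedtls_test_rnd_buffer_rand, &rnd_info) == result);

    if (result == 0) {
        /* Check we generated the expected values */
        TEST_EQUAL(mbedtls_mpi_cmp_mpi(&r, &r_check), 0);
        TEST_EQUAL(mbedtls_mpi_cmp_mpi(&s, &s_check), 0);

        /* Valid signature */
        TEST_EQUAL(mbedtls_ecdsa_verify(&grp, hash->x, hash->len,
                                        &Q, &r_check, &s_check), 0);

        /* Invalid signature: wrong public key (G instead of Q) */
        TEST_EQUAL(mbedtls_ecdsa_verify(&grp, hash->x, hash->len,
                                        &grp.G, &r_check, &s_check), MBEDTLS_ERR_ECP_VERIFY_FAILED);

        /* Invalid signatures: r or s or both one off */
        TEST_EQUAL(mbedtls_mpi_sub_int(&r, &r_check, 1), 0);
        TEST_EQUAL(mbedtls_mpi_add_int(&s, &s_check, 1), 0);

        TEST_EQUAL(mbedtls_ecdsa_verify(&grp, hash->x, hash->len, &Q,
                                        &r, &s_check), MBEDTLS_ERR_ECP_VERIFY_FAILED);
        TEST_EQUAL(mbedtls_ecdsa_verify(&grp, hash->x, hash->len, &Q,
                                        &r_check, &s), MBEDTLS_ERR_ECP_VERIFY_FAILED);
        TEST_EQUAL(mbedtls_ecdsa_verify(&grp, hash->x, hash->len, &Q,
                                        &r, &s), MBEDTLS_ERR_ECP_VERIFY_FAILED);

        /* Invalid signatures: r, s or both (CVE-2022-21449) are zero.
         * A verifier that skips the 1 <= r, s < N range check can accept an
         * all-zero signature for any message and key, so every combination
         * is pinned here as a regression guard. */
        TEST_EQUAL(mbedtls_mpi_lset(&zero, 0), 0);

        TEST_EQUAL(mbedtls_ecdsa_verify(&grp, hash->x, hash->len, &Q,
                                        &zero, &s_check), MBEDTLS_ERR_ECP_VERIFY_FAILED);
        TEST_EQUAL(mbedtls_ecdsa_verify(&grp, hash->x, hash->len, &Q,
                                        &r_check, &zero), MBEDTLS_ERR_ECP_VERIFY_FAILED);
        TEST_EQUAL(mbedtls_ecdsa_verify(&grp, hash->x, hash->len, &Q,
                                        &zero, &zero), MBEDTLS_ERR_ECP_VERIFY_FAILED);

        /* Invalid signatures: r, s or both are == N */
        TEST_EQUAL(mbedtls_ecdsa_verify(&grp, hash->x, hash->len, &Q,
                                        &grp.N, &s_check), MBEDTLS_ERR_ECP_VERIFY_FAILED);
        TEST_EQUAL(mbedtls_ecdsa_verify(&grp, hash->x, hash->len, &Q,
                                        &r_check, &grp.N), MBEDTLS_ERR_ECP_VERIFY_FAILED);
        TEST_EQUAL(mbedtls_ecdsa_verify(&grp, hash->x, hash->len, &Q,
                                        &grp.N, &grp.N), MBEDTLS_ERR_ECP_VERIFY_FAILED);

        /* Invalid signatures: r, s or both are negative */
        TEST_EQUAL(mbedtls_mpi_sub_mpi(&r, &r_check, &grp.N), 0);
        TEST_EQUAL(mbedtls_mpi_sub_mpi(&s, &s_check, &grp.N), 0);

        TEST_EQUAL(mbedtls_ecdsa_verify(&grp, hash->x, hash->len, &Q,
                                        &r, &s_check), MBEDTLS_ERR_ECP_VERIFY_FAILED);
        TEST_EQUAL(mbedtls_ecdsa_verify(&grp, hash->x, hash->len, &Q,
                                        &r_check, &s), MBEDTLS_ERR_ECP_VERIFY_FAILED);
        TEST_EQUAL(mbedtls_ecdsa_verify(&grp, hash->x, hash->len, &Q,
                                        &r, &s), MBEDTLS_ERR_ECP_VERIFY_FAILED);

        /* Invalid signatures: r or s or both are > N */
        TEST_EQUAL(mbedtls_mpi_add_mpi(&r, &r_check, &grp.N), 0);
        TEST_EQUAL(mbedtls_mpi_add_mpi(&s, &s_check, &grp.N), 0);

        TEST_EQUAL(mbedtls_ecdsa_verify(&grp, hash->x, hash->len, &Q,
                                        &r, &s_check), MBEDTLS_ERR_ECP_VERIFY_FAILED);
        TEST_EQUAL(mbedtls_ecdsa_verify(&grp, hash->x, hash->len, &Q,
                                        &r_check, &s), MBEDTLS_ERR_ECP_VERIFY_FAILED);
        TEST_EQUAL(mbedtls_ecdsa_verify(&grp, hash->x, hash->len, &Q,
                                        &r, &s), MBEDTLS_ERR_ECP_VERIFY_FAILED);
    }

exit:
    mbedtls_ecp_group_free(&grp);
    mbedtls_ecp_point_free(&Q);
    mbedtls_mpi_free(&d); mbedtls_mpi_free(&r); mbedtls_mpi_free(&s);
    mbedtls_mpi_free(&r_check); mbedtls_mpi_free(&s_check);
    mbedtls_mpi_free(&zero);
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_ECDSA_DETERMINISTIC */
void ecdsa_det_test_vectors(int id, char *d_str, int md_alg, data_t *hash,
                            char *r_str, char *s_str)
{
    /* Known-answer test for deterministic ECDSA: sign `hash` with private
     * key `d_str` using digest `md_alg` and require the produced (r, s) to
     * equal (r_str, s_str). */
    mbedtls_ecp_group grp;
    mbedtls_mpi d, r, s, r_check, s_check;

    /* Initialize every object freed at the exit label before any step that
     * may jump there. NOTE(review): MD_PSA_INIT() is defined outside this
     * file; if it can bail out to the exit label like the TEST_* macros do,
     * the cleanup would otherwise run on uninitialized contexts. */
    mbedtls_ecp_group_init(&grp);
    mbedtls_mpi_init(&d); mbedtls_mpi_init(&r); mbedtls_mpi_init(&s);
    mbedtls_mpi_init(&r_check); mbedtls_mpi_init(&s_check);

    MD_PSA_INIT();

    TEST_ASSERT(mbedtls_ecp_group_load(&grp, id) == 0);
    TEST_ASSERT(mbedtls_test_read_mpi(&d, d_str) == 0);
    TEST_ASSERT(mbedtls_test_read_mpi(&r_check, r_str) == 0);
    TEST_ASSERT(mbedtls_test_read_mpi(&s_check, s_str) == 0);

    TEST_ASSERT(
        mbedtls_ecdsa_sign_det_ext(&grp, &r, &s, &d,
                                   hash->x, hash->len, md_alg,
                                   mbedtls_test_rnd_std_rand,
                                   NULL)
        == 0);

    TEST_ASSERT(mbedtls_mpi_cmp_mpi(&r, &r_check) == 0);
    TEST_ASSERT(mbedtls_mpi_cmp_mpi(&s, &s_check) == 0);

exit:
    mbedtls_ecp_group_free(&grp);
    mbedtls_mpi_free(&d); mbedtls_mpi_free(&r); mbedtls_mpi_free(&s);
    mbedtls_mpi_free(&r_check); mbedtls_mpi_free(&s_check);
    MD_PSA_DONE();
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_MD_CAN_SHA256 */
void ecdsa_write_read_zero(int id)
{
    /* Round-trip an encoded signature over an all-zero 32-byte hash:
     * write it, read it back, check that nothing was written past the
     * reported length, then check that a wrong length, a corrupted sequence
     * tag and corrupted r / s values are all rejected. */
    mbedtls_ecdsa_context ctx;
    mbedtls_test_rnd_pseudo_info rnd_info;
    unsigned char hash[32];
    unsigned char sig[200];
    size_t sig_len, i;

    /* Initialize ctx before MD_PSA_INIT() so that the cleanup code never
     * sees an uninitialized context. NOTE(review): assumes MD_PSA_INIT()
     * may jump to the exit label on failure - confirm. */
    mbedtls_ecdsa_init(&ctx);
    memset(&rnd_info, 0x00, sizeof(rnd_info));
    memset(hash, 0, sizeof(hash));
    /* Fill the output buffer with a sentinel byte to detect overwrites. */
    memset(sig, 0x2a, sizeof(sig));

    MD_PSA_INIT();

    /* generate signing key */
    TEST_ASSERT(mbedtls_ecdsa_genkey(&ctx, id,
                                     &mbedtls_test_rnd_pseudo_rand,
                                     &rnd_info) == 0);

    /* generate and write signature, then read and verify it */
    TEST_ASSERT(mbedtls_ecdsa_write_signature(&ctx, MBEDTLS_MD_SHA256,
                                              hash, sizeof(hash),
                                              sig, sizeof(sig), &sig_len,
                                              &mbedtls_test_rnd_pseudo_rand,
                                              &rnd_info) == 0);
    TEST_ASSERT(mbedtls_ecdsa_read_signature(&ctx, hash, sizeof(hash),
                                             sig, sig_len) == 0);

    /* check we didn't write past the announced length */
    for (i = sig_len; i < sizeof(sig); i++) {
        TEST_ASSERT(sig[i] == 0x2a);
    }

    /* try verification with invalid length */
    TEST_ASSERT(mbedtls_ecdsa_read_signature(&ctx, hash, sizeof(hash),
                                             sig, sig_len - 1) != 0);
    TEST_ASSERT(mbedtls_ecdsa_read_signature(&ctx, hash, sizeof(hash),
                                             sig, sig_len + 1) != 0);

    /* try invalid sequence tag */
    sig[0]++;
    TEST_ASSERT(mbedtls_ecdsa_read_signature(&ctx, hash, sizeof(hash),
                                             sig, sig_len) != 0);
    sig[0]--;

    /* try modifying r; byte 10 must lie inside the signature for the
     * tampering to be meaningful (same guard as ecdsa_read_restart) */
    TEST_ASSERT(sig_len > 10);
    sig[10]++;
    TEST_ASSERT(mbedtls_ecdsa_read_signature(&ctx, hash, sizeof(hash),
                                             sig, sig_len) == MBEDTLS_ERR_ECP_VERIFY_FAILED);
    sig[10]--;

    /* try modifying s */
    sig[sig_len - 1]++;
    TEST_ASSERT(mbedtls_ecdsa_read_signature(&ctx, hash, sizeof(hash),
                                             sig, sig_len) == MBEDTLS_ERR_ECP_VERIFY_FAILED);
    sig[sig_len - 1]--;

exit:
    mbedtls_ecdsa_free(&ctx);
    MD_PSA_DONE();
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_MD_CAN_SHA256 */
void ecdsa_write_read_random(int id)
{
    /* Same checks as ecdsa_write_read_zero, but the 32-byte hash is filled
     * from the test pseudo-random generator before signing. */
    mbedtls_ecdsa_context ctx;
    mbedtls_test_rnd_pseudo_info rnd_info;
    unsigned char hash[32];
    unsigned char sig[200];
    size_t sig_len, i;

    /* Initialize ctx before MD_PSA_INIT() so that the cleanup code never
     * sees an uninitialized context. NOTE(review): assumes MD_PSA_INIT()
     * may jump to the exit label on failure - confirm. */
    mbedtls_ecdsa_init(&ctx);
    memset(&rnd_info, 0x00, sizeof(rnd_info));
    memset(hash, 0, sizeof(hash));
    /* Fill the output buffer with a sentinel byte to detect overwrites. */
    memset(sig, 0x2a, sizeof(sig));

    MD_PSA_INIT();

    /* prepare material for signature */
    TEST_ASSERT(mbedtls_test_rnd_pseudo_rand(&rnd_info,
                                             hash, sizeof(hash)) == 0);

    /* generate signing key */
    TEST_ASSERT(mbedtls_ecdsa_genkey(&ctx, id,
                                     &mbedtls_test_rnd_pseudo_rand,
                                     &rnd_info) == 0);

    /* generate and write signature, then read and verify it */
    TEST_ASSERT(mbedtls_ecdsa_write_signature(&ctx, MBEDTLS_MD_SHA256,
                                              hash, sizeof(hash),
                                              sig, sizeof(sig), &sig_len,
                                              &mbedtls_test_rnd_pseudo_rand,
                                              &rnd_info) == 0);
    TEST_ASSERT(mbedtls_ecdsa_read_signature(&ctx, hash, sizeof(hash),
                                             sig, sig_len) == 0);

    /* check we didn't write past the announced length */
    for (i = sig_len; i < sizeof(sig); i++) {
        TEST_ASSERT(sig[i] == 0x2a);
    }

    /* try verification with invalid length */
    TEST_ASSERT(mbedtls_ecdsa_read_signature(&ctx, hash, sizeof(hash),
                                             sig, sig_len - 1) != 0);
    TEST_ASSERT(mbedtls_ecdsa_read_signature(&ctx, hash, sizeof(hash),
                                             sig, sig_len + 1) != 0);

    /* try invalid sequence tag */
    sig[0]++;
    TEST_ASSERT(mbedtls_ecdsa_read_signature(&ctx, hash, sizeof(hash),
                                             sig, sig_len) != 0);
    sig[0]--;

    /* try modifying r; byte 10 must lie inside the signature for the
     * tampering to be meaningful (same guard as ecdsa_read_restart) */
    TEST_ASSERT(sig_len > 10);
    sig[10]++;
    TEST_ASSERT(mbedtls_ecdsa_read_signature(&ctx, hash, sizeof(hash),
                                             sig, sig_len) == MBEDTLS_ERR_ECP_VERIFY_FAILED);
    sig[10]--;

    /* try modifying s */
    sig[sig_len - 1]++;
    TEST_ASSERT(mbedtls_ecdsa_read_signature(&ctx, hash, sizeof(hash),
                                             sig, sig_len) == MBEDTLS_ERR_ECP_VERIFY_FAILED);
    sig[sig_len - 1]--;

exit:
    mbedtls_ecdsa_free(&ctx);
    MD_PSA_DONE();
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
void ecdsa_read_restart(int id, data_t *pk, data_t *hash, data_t *sig,
                        int max_ops, int min_restart, int max_restart)
{
    /* Restartable verification test.
     *
     * Verifies `sig` over `hash` with public key `pk` under an operation
     * budget of `max_ops`, re-calling the verifier until it stops returning
     * MBEDTLS_ERR_ECP_IN_PROGRESS. The number of restarts must fall within
     * [min_restart, max_restart]. Tampered r and s values must still end in
     * MBEDTLS_ERR_ECP_VERIFY_FAILED, and finally an operation is started and
     * abandoned so that the cleanup code frees a context that is still
     * mid-operation. */
    mbedtls_ecdsa_context ctx;
    mbedtls_ecdsa_restart_ctx rs_ctx;
    int ret, cnt_restart;

    mbedtls_ecdsa_init(&ctx);
    mbedtls_ecdsa_restart_init(&rs_ctx);

    TEST_ASSERT(mbedtls_ecp_group_load(&ctx.grp, id) == 0);
    TEST_ASSERT(mbedtls_ecp_point_read_binary(&ctx.grp, &ctx.Q,
                                              pk->x, pk->len) == 0);

    mbedtls_ecp_set_max_ops(max_ops);

    /* The increment is evaluated only when the call reported IN_PROGRESS,
     * so cnt_restart counts how many times the operation was resumed. */
    cnt_restart = 0;
    do {
        ret = mbedtls_ecdsa_read_signature_restartable(&ctx,
                                                       hash->x, hash->len, sig->x, sig->len,
                                                       &rs_ctx);
    } while (ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restart);

    TEST_ASSERT(ret == 0);
    TEST_ASSERT(cnt_restart >= min_restart);
    TEST_ASSERT(cnt_restart <= max_restart);

    /* try modifying r */

    /* Guard the fixed offset below against a short test vector. */
    TEST_ASSERT(sig->len > 10);
    sig->x[10]++;
    do {
        ret = mbedtls_ecdsa_read_signature_restartable(&ctx,
                                                       hash->x, hash->len, sig->x, sig->len,
                                                       &rs_ctx);
    } while (ret == MBEDTLS_ERR_ECP_IN_PROGRESS);
    TEST_ASSERT(ret == MBEDTLS_ERR_ECP_VERIFY_FAILED);
    sig->x[10]--;

    /* try modifying s */
    sig->x[sig->len - 1]++;
    do {
        ret = mbedtls_ecdsa_read_signature_restartable(&ctx,
                                                       hash->x, hash->len, sig->x, sig->len,
                                                       &rs_ctx);
    } while (ret == MBEDTLS_ERR_ECP_IN_PROGRESS);
    TEST_ASSERT(ret == MBEDTLS_ERR_ECP_VERIFY_FAILED);
    sig->x[sig->len - 1]--;

    /* Do we leak memory when aborting an operation?
     * This test only makes sense when we actually restart */
    if (min_restart > 0) {
        ret = mbedtls_ecdsa_read_signature_restartable(&ctx,
                                                       hash->x, hash->len, sig->x, sig->len,
                                                       &rs_ctx);
        TEST_ASSERT(ret == MBEDTLS_ERR_ECP_IN_PROGRESS);
    }

exit:
    mbedtls_ecdsa_free(&ctx);
    mbedtls_ecdsa_restart_free(&rs_ctx);
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE:MBEDTLS_ECDSA_DETERMINISTIC */
void ecdsa_write_restart(int id, char *d_str, int md_alg,
                         data_t *hash, data_t *sig_check,
                         int max_ops, int min_restart, int max_restart)
{
    /* Restartable signing test.
     *
     * Signs `hash` with private key `d_str` and digest `md_alg` under an
     * operation budget of `max_ops`, re-calling the signer until it stops
     * returning MBEDTLS_ERR_ECP_IN_PROGRESS. The encoded signature must
     * match `sig_check` byte for byte and the number of restarts must fall
     * within [min_restart, max_restart]. Finally an operation is started and
     * abandoned so that the cleanup code frees a context that is still
     * mid-operation. */
    int ret, cnt_restart;
    mbedtls_ecdsa_restart_ctx rs_ctx;
    mbedtls_ecdsa_context ctx;
    unsigned char sig[MBEDTLS_ECDSA_MAX_LEN];
    size_t slen;

    /* Initialize both contexts before MD_PSA_INIT() so that the cleanup
     * code never sees uninitialized contexts. NOTE(review): assumes
     * MD_PSA_INIT() may jump to the exit label on failure - confirm. */
    mbedtls_ecdsa_restart_init(&rs_ctx);
    mbedtls_ecdsa_init(&ctx);
    memset(sig, 0, sizeof(sig));

    MD_PSA_INIT();

    TEST_ASSERT(mbedtls_ecp_group_load(&ctx.grp, id) == 0);
    TEST_ASSERT(mbedtls_test_read_mpi(&ctx.d, d_str) == 0);

    mbedtls_ecp_set_max_ops(max_ops);

    /* The increment is evaluated only when the call reported IN_PROGRESS,
     * so cnt_restart counts how many times the operation was resumed. */
    slen = sizeof(sig);
    cnt_restart = 0;
    do {
        ret = mbedtls_ecdsa_write_signature_restartable(&ctx,
                                                        md_alg,
                                                        hash->x,
                                                        hash->len,
                                                        sig,
                                                        sizeof(sig),
                                                        &slen,
                                                        mbedtls_test_rnd_std_rand,
                                                        NULL,
                                                        &rs_ctx);
    } while (ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restart);

    TEST_ASSERT(ret == 0);
    /* Compare lengths first so memcmp never reads past sig_check->x. */
    TEST_ASSERT(slen == sig_check->len);
    TEST_ASSERT(memcmp(sig, sig_check->x, slen) == 0);

    TEST_ASSERT(cnt_restart >= min_restart);
    TEST_ASSERT(cnt_restart <= max_restart);

    /* Do we leak memory when aborting an operation?
     * This test only makes sense when we actually restart */
    if (min_restart > 0) {
        ret = mbedtls_ecdsa_write_signature_restartable(&ctx,
                                                        md_alg,
                                                        hash->x,
                                                        hash->len,
                                                        sig,
                                                        sizeof(sig),
                                                        &slen,
                                                        mbedtls_test_rnd_std_rand,
                                                        NULL,
                                                        &rs_ctx);
        TEST_ASSERT(ret == MBEDTLS_ERR_ECP_IN_PROGRESS);
    }

exit:
    mbedtls_ecdsa_restart_free(&rs_ctx);
    mbedtls_ecdsa_free(&ctx);
    MD_PSA_DONE();
}
/* END_CASE */

/* BEGIN_CASE */
void ecdsa_verify(int grp_id, char *x, char *y, char *r, char *s, data_t *content, int expected)
{
    /* Verify the signature (r, s) over `content` with the public key (x, y)
     * on curve `grp_id` and require the verifier to return `expected`.
     *
     * The public key is also checked on its own: it must be reported as
     * invalid exactly when `expected` is MBEDTLS_ERR_ECP_INVALID_KEY. */
    mbedtls_ecdsa_context ctx;
    mbedtls_mpi sig_r, sig_s;
    /* Declared up front so that no jump to the exit label skips over an
     * initialized declaration. */
    int result;

    mbedtls_ecdsa_init(&ctx);
    mbedtls_mpi_init(&sig_r);
    mbedtls_mpi_init(&sig_s);

    /* Prepare ECP group context */
    TEST_EQUAL(mbedtls_ecp_group_load(&ctx.grp, grp_id), 0);

    /* Prepare public key */
    TEST_EQUAL(mbedtls_test_read_mpi(&ctx.Q.X, x), 0);
    TEST_EQUAL(mbedtls_test_read_mpi(&ctx.Q.Y, y), 0);
    TEST_EQUAL(mbedtls_mpi_lset(&ctx.Q.Z, 1), 0);

    /* Prepare signature R & S */
    TEST_EQUAL(mbedtls_test_read_mpi(&sig_r, r), 0);
    TEST_EQUAL(mbedtls_test_read_mpi(&sig_s, s), 0);

    /* Test whether public key has expected validity */
    TEST_EQUAL(mbedtls_ecp_check_pubkey(&ctx.grp, &ctx.Q),
               expected == MBEDTLS_ERR_ECP_INVALID_KEY ? MBEDTLS_ERR_ECP_INVALID_KEY : 0);

    /* Verification */
    result = mbedtls_ecdsa_verify(&ctx.grp, content->x, content->len, &ctx.Q, &sig_r, &sig_s);

    TEST_EQUAL(result, expected);
exit:
    mbedtls_ecdsa_free(&ctx);
    mbedtls_mpi_free(&sig_r);
    mbedtls_mpi_free(&sig_s);
}
/* END_CASE */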