| /* BEGIN_HEADER */ |
| #include "mbedtls/ecdsa.h" |
| #include "hash_info.h" |
| #include "mbedtls/legacy_or_psa.h" |
| #if (defined(MBEDTLS_ECDSA_DETERMINISTIC) && defined(MBEDTLS_SHA256_C)) || \ |
| (!defined(MBEDTLS_ECDSA_DETERMINISTIC) && defined(MBEDTLS_HAS_ALG_SHA_256_VIA_LOWLEVEL_OR_PSA)) |
| #define MBEDTLS_HAS_ALG_SHA_256_VIA_MD_IF_DETERMINISTIC |
| #endif |
| /* END_HEADER */ |
| |
| /* BEGIN_DEPENDENCIES |
| * depends_on:MBEDTLS_ECDSA_C |
| * END_DEPENDENCIES |
| */ |
| |
| /* BEGIN_CASE */ |
| void ecdsa_prim_zero(int id) |
| { |
| mbedtls_ecp_group grp; |
| mbedtls_ecp_point Q; |
| mbedtls_mpi d, r, s; |
| mbedtls_test_rnd_pseudo_info rnd_info; |
| unsigned char buf[MBEDTLS_HASH_MAX_SIZE]; |
| |
| mbedtls_ecp_group_init(&grp); |
| mbedtls_ecp_point_init(&Q); |
| mbedtls_mpi_init(&d); mbedtls_mpi_init(&r); mbedtls_mpi_init(&s); |
| memset(&rnd_info, 0x00, sizeof(mbedtls_test_rnd_pseudo_info)); |
| memset(buf, 0, sizeof(buf)); |
| |
| TEST_ASSERT(mbedtls_ecp_group_load(&grp, id) == 0); |
| TEST_ASSERT(mbedtls_ecp_gen_keypair(&grp, &d, &Q, |
| &mbedtls_test_rnd_pseudo_rand, |
| &rnd_info) == 0); |
| |
| TEST_ASSERT(mbedtls_ecdsa_sign(&grp, &r, &s, &d, buf, sizeof(buf), |
| &mbedtls_test_rnd_pseudo_rand, |
| &rnd_info) == 0); |
| TEST_ASSERT(mbedtls_ecdsa_verify(&grp, buf, sizeof(buf), &Q, &r, &s) == 0); |
| |
| exit: |
| mbedtls_ecp_group_free(&grp); |
| mbedtls_ecp_point_free(&Q); |
| mbedtls_mpi_free(&d); mbedtls_mpi_free(&r); mbedtls_mpi_free(&s); |
| } |
| /* END_CASE */ |
| |
| /* BEGIN_CASE */ |
| void ecdsa_prim_random(int id) |
| { |
| mbedtls_ecp_group grp; |
| mbedtls_ecp_point Q; |
| mbedtls_mpi d, r, s; |
| mbedtls_test_rnd_pseudo_info rnd_info; |
| unsigned char buf[MBEDTLS_HASH_MAX_SIZE]; |
| |
| mbedtls_ecp_group_init(&grp); |
| mbedtls_ecp_point_init(&Q); |
| mbedtls_mpi_init(&d); mbedtls_mpi_init(&r); mbedtls_mpi_init(&s); |
| memset(&rnd_info, 0x00, sizeof(mbedtls_test_rnd_pseudo_info)); |
| memset(buf, 0, sizeof(buf)); |
| |
| /* prepare material for signature */ |
| TEST_ASSERT(mbedtls_test_rnd_pseudo_rand(&rnd_info, |
| buf, sizeof(buf)) == 0); |
| TEST_ASSERT(mbedtls_ecp_group_load(&grp, id) == 0); |
| TEST_ASSERT(mbedtls_ecp_gen_keypair(&grp, &d, &Q, |
| &mbedtls_test_rnd_pseudo_rand, |
| &rnd_info) == 0); |
| |
| TEST_ASSERT(mbedtls_ecdsa_sign(&grp, &r, &s, &d, buf, sizeof(buf), |
| &mbedtls_test_rnd_pseudo_rand, |
| &rnd_info) == 0); |
| TEST_ASSERT(mbedtls_ecdsa_verify(&grp, buf, sizeof(buf), &Q, &r, &s) == 0); |
| |
| exit: |
| mbedtls_ecp_group_free(&grp); |
| mbedtls_ecp_point_free(&Q); |
| mbedtls_mpi_free(&d); mbedtls_mpi_free(&r); mbedtls_mpi_free(&s); |
| } |
| /* END_CASE */ |
| |
| /* BEGIN_CASE */ |
| void ecdsa_prim_test_vectors(int id, char *d_str, char *xQ_str, |
| char *yQ_str, data_t *rnd_buf, |
| data_t *hash, char *r_str, char *s_str, |
| int result) |
| { |
| mbedtls_ecp_group grp; |
| mbedtls_ecp_point Q; |
| mbedtls_mpi d, r, s, r_check, s_check, zero; |
| mbedtls_test_rnd_buf_info rnd_info; |
| |
| mbedtls_ecp_group_init(&grp); |
| mbedtls_ecp_point_init(&Q); |
| mbedtls_mpi_init(&d); mbedtls_mpi_init(&r); mbedtls_mpi_init(&s); |
| mbedtls_mpi_init(&r_check); mbedtls_mpi_init(&s_check); |
| mbedtls_mpi_init(&zero); |
| |
| TEST_ASSERT(mbedtls_ecp_group_load(&grp, id) == 0); |
| TEST_ASSERT(mbedtls_ecp_point_read_string(&Q, 16, xQ_str, yQ_str) == 0); |
| TEST_ASSERT(mbedtls_test_read_mpi(&d, d_str) == 0); |
| TEST_ASSERT(mbedtls_test_read_mpi(&r_check, r_str) == 0); |
| TEST_ASSERT(mbedtls_test_read_mpi(&s_check, s_str) == 0); |
| rnd_info.fallback_f_rng = mbedtls_test_rnd_std_rand; |
| rnd_info.fallback_p_rng = NULL; |
| rnd_info.buf = rnd_buf->x; |
| rnd_info.length = rnd_buf->len; |
| |
| /* Fix rnd_buf->x by shifting it left if necessary */ |
| if (grp.nbits % 8 != 0) { |
| unsigned char shift = 8 - (grp.nbits % 8); |
| size_t i; |
| |
| for (i = 0; i < rnd_info.length - 1; i++) { |
| rnd_buf->x[i] = rnd_buf->x[i] << shift | rnd_buf->x[i+1] >> (8 - shift); |
| } |
| |
| rnd_buf->x[rnd_info.length-1] <<= shift; |
| } |
| |
| TEST_ASSERT(mbedtls_ecdsa_sign(&grp, &r, &s, &d, hash->x, hash->len, |
| mbedtls_test_rnd_buffer_rand, &rnd_info) == result); |
| |
| if (result == 0) { |
| /* Check we generated the expected values */ |
| TEST_EQUAL(mbedtls_mpi_cmp_mpi(&r, &r_check), 0); |
| TEST_EQUAL(mbedtls_mpi_cmp_mpi(&s, &s_check), 0); |
| |
| /* Valid signature */ |
| TEST_EQUAL(mbedtls_ecdsa_verify(&grp, hash->x, hash->len, |
| &Q, &r_check, &s_check), 0); |
| |
| /* Invalid signature: wrong public key (G instead of Q) */ |
| TEST_EQUAL(mbedtls_ecdsa_verify(&grp, hash->x, hash->len, |
| &grp.G, &r_check, &s_check), MBEDTLS_ERR_ECP_VERIFY_FAILED); |
| |
| /* Invalid signatures: r or s or both one off */ |
| TEST_EQUAL(mbedtls_mpi_sub_int(&r, &r_check, 1), 0); |
| TEST_EQUAL(mbedtls_mpi_add_int(&s, &s_check, 1), 0); |
| |
| TEST_EQUAL(mbedtls_ecdsa_verify(&grp, hash->x, hash->len, &Q, |
| &r, &s_check), MBEDTLS_ERR_ECP_VERIFY_FAILED); |
| TEST_EQUAL(mbedtls_ecdsa_verify(&grp, hash->x, hash->len, &Q, |
| &r_check, &s), MBEDTLS_ERR_ECP_VERIFY_FAILED); |
| TEST_EQUAL(mbedtls_ecdsa_verify(&grp, hash->x, hash->len, &Q, |
| &r, &s), MBEDTLS_ERR_ECP_VERIFY_FAILED); |
| |
| /* Invalid signatures: r, s or both (CVE-2022-21449) are zero */ |
| TEST_EQUAL(mbedtls_mpi_lset(&zero, 0), 0); |
| |
| TEST_EQUAL(mbedtls_ecdsa_verify(&grp, hash->x, hash->len, &Q, |
| &zero, &s_check), MBEDTLS_ERR_ECP_VERIFY_FAILED); |
| TEST_EQUAL(mbedtls_ecdsa_verify(&grp, hash->x, hash->len, &Q, |
| &r_check, &zero), MBEDTLS_ERR_ECP_VERIFY_FAILED); |
| TEST_EQUAL(mbedtls_ecdsa_verify(&grp, hash->x, hash->len, &Q, |
| &zero, &zero), MBEDTLS_ERR_ECP_VERIFY_FAILED); |
| |
| /* Invalid signatures: r, s or both are == N */ |
| TEST_EQUAL(mbedtls_ecdsa_verify(&grp, hash->x, hash->len, &Q, |
| &grp.N, &s_check), MBEDTLS_ERR_ECP_VERIFY_FAILED); |
| TEST_EQUAL(mbedtls_ecdsa_verify(&grp, hash->x, hash->len, &Q, |
| &r_check, &grp.N), MBEDTLS_ERR_ECP_VERIFY_FAILED); |
| TEST_EQUAL(mbedtls_ecdsa_verify(&grp, hash->x, hash->len, &Q, |
| &grp.N, &grp.N), MBEDTLS_ERR_ECP_VERIFY_FAILED); |
| |
| /* Invalid signatures: r, s or both are negative */ |
| TEST_EQUAL(mbedtls_mpi_sub_mpi(&r, &r_check, &grp.N), 0); |
| TEST_EQUAL(mbedtls_mpi_sub_mpi(&s, &s_check, &grp.N), 0); |
| |
| TEST_EQUAL(mbedtls_ecdsa_verify(&grp, hash->x, hash->len, &Q, |
| &r, &s_check), MBEDTLS_ERR_ECP_VERIFY_FAILED); |
| TEST_EQUAL(mbedtls_ecdsa_verify(&grp, hash->x, hash->len, &Q, |
| &r_check, &s), MBEDTLS_ERR_ECP_VERIFY_FAILED); |
| TEST_EQUAL(mbedtls_ecdsa_verify(&grp, hash->x, hash->len, &Q, |
| &r, &s), MBEDTLS_ERR_ECP_VERIFY_FAILED); |
| |
| /* Invalid signatures: r or s or both are > N */ |
| TEST_EQUAL(mbedtls_mpi_add_mpi(&r, &r_check, &grp.N), 0); |
| TEST_EQUAL(mbedtls_mpi_add_mpi(&s, &s_check, &grp.N), 0); |
| |
| TEST_EQUAL(mbedtls_ecdsa_verify(&grp, hash->x, hash->len, &Q, |
| &r, &s_check), MBEDTLS_ERR_ECP_VERIFY_FAILED); |
| TEST_EQUAL(mbedtls_ecdsa_verify(&grp, hash->x, hash->len, &Q, |
| &r_check, &s), MBEDTLS_ERR_ECP_VERIFY_FAILED); |
| TEST_EQUAL(mbedtls_ecdsa_verify(&grp, hash->x, hash->len, &Q, |
| &r, &s), MBEDTLS_ERR_ECP_VERIFY_FAILED); |
| } |
| |
| exit: |
| mbedtls_ecp_group_free(&grp); |
| mbedtls_ecp_point_free(&Q); |
| mbedtls_mpi_free(&d); mbedtls_mpi_free(&r); mbedtls_mpi_free(&s); |
| mbedtls_mpi_free(&r_check); mbedtls_mpi_free(&s_check); |
| mbedtls_mpi_free(&zero); |
| } |
| /* END_CASE */ |
| |
| /* BEGIN_CASE depends_on:MBEDTLS_ECDSA_DETERMINISTIC */ |
| void ecdsa_det_test_vectors(int id, char *d_str, int md_alg, data_t *hash, |
| char *r_str, char *s_str) |
| { |
| mbedtls_ecp_group grp; |
| mbedtls_mpi d, r, s, r_check, s_check; |
| |
| mbedtls_ecp_group_init(&grp); |
| mbedtls_mpi_init(&d); mbedtls_mpi_init(&r); mbedtls_mpi_init(&s); |
| mbedtls_mpi_init(&r_check); mbedtls_mpi_init(&s_check); |
| |
| TEST_ASSERT(mbedtls_ecp_group_load(&grp, id) == 0); |
| TEST_ASSERT(mbedtls_test_read_mpi(&d, d_str) == 0); |
| TEST_ASSERT(mbedtls_test_read_mpi(&r_check, r_str) == 0); |
| TEST_ASSERT(mbedtls_test_read_mpi(&s_check, s_str) == 0); |
| |
| TEST_ASSERT( |
| mbedtls_ecdsa_sign_det_ext(&grp, &r, &s, &d, |
| hash->x, hash->len, md_alg, |
| mbedtls_test_rnd_std_rand, |
| NULL) |
| == 0); |
| |
| TEST_ASSERT(mbedtls_mpi_cmp_mpi(&r, &r_check) == 0); |
| TEST_ASSERT(mbedtls_mpi_cmp_mpi(&s, &s_check) == 0); |
| |
| exit: |
| mbedtls_ecp_group_free(&grp); |
| mbedtls_mpi_free(&d); mbedtls_mpi_free(&r); mbedtls_mpi_free(&s); |
| mbedtls_mpi_free(&r_check); mbedtls_mpi_free(&s_check); |
| } |
| /* END_CASE */ |
| |
| /* BEGIN_CASE depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_IF_DETERMINISTIC */ |
| void ecdsa_write_read_zero(int id) |
| { |
| mbedtls_ecdsa_context ctx; |
| mbedtls_test_rnd_pseudo_info rnd_info; |
| unsigned char hash[32]; |
| unsigned char sig[200]; |
| size_t sig_len, i; |
| |
| mbedtls_ecdsa_init(&ctx); |
| memset(&rnd_info, 0x00, sizeof(mbedtls_test_rnd_pseudo_info)); |
| memset(hash, 0, sizeof(hash)); |
| memset(sig, 0x2a, sizeof(sig)); |
| |
| /* generate signing key */ |
| TEST_ASSERT(mbedtls_ecdsa_genkey(&ctx, id, |
| &mbedtls_test_rnd_pseudo_rand, |
| &rnd_info) == 0); |
| |
| /* generate and write signature, then read and verify it */ |
| TEST_ASSERT(mbedtls_ecdsa_write_signature(&ctx, MBEDTLS_MD_SHA256, |
| hash, sizeof(hash), |
| sig, sizeof(sig), &sig_len, |
| &mbedtls_test_rnd_pseudo_rand, |
| &rnd_info) == 0); |
| TEST_ASSERT(mbedtls_ecdsa_read_signature(&ctx, hash, sizeof(hash), |
| sig, sig_len) == 0); |
| |
| /* check we didn't write past the announced length */ |
| for (i = sig_len; i < sizeof(sig); i++) { |
| TEST_ASSERT(sig[i] == 0x2a); |
| } |
| |
| /* try verification with invalid length */ |
| TEST_ASSERT(mbedtls_ecdsa_read_signature(&ctx, hash, sizeof(hash), |
| sig, sig_len - 1) != 0); |
| TEST_ASSERT(mbedtls_ecdsa_read_signature(&ctx, hash, sizeof(hash), |
| sig, sig_len + 1) != 0); |
| |
| /* try invalid sequence tag */ |
| sig[0]++; |
| TEST_ASSERT(mbedtls_ecdsa_read_signature(&ctx, hash, sizeof(hash), |
| sig, sig_len) != 0); |
| sig[0]--; |
| |
| /* try modifying r */ |
| sig[10]++; |
| TEST_ASSERT(mbedtls_ecdsa_read_signature(&ctx, hash, sizeof(hash), |
| sig, sig_len) == MBEDTLS_ERR_ECP_VERIFY_FAILED); |
| sig[10]--; |
| |
| /* try modifying s */ |
| sig[sig_len - 1]++; |
| TEST_ASSERT(mbedtls_ecdsa_read_signature(&ctx, hash, sizeof(hash), |
| sig, sig_len) == MBEDTLS_ERR_ECP_VERIFY_FAILED); |
| sig[sig_len - 1]--; |
| |
| exit: |
| mbedtls_ecdsa_free(&ctx); |
| } |
| /* END_CASE */ |
| |
| /* BEGIN_CASE depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_IF_DETERMINISTIC */ |
| void ecdsa_write_read_random(int id) |
| { |
| mbedtls_ecdsa_context ctx; |
| mbedtls_test_rnd_pseudo_info rnd_info; |
| unsigned char hash[32]; |
| unsigned char sig[200]; |
| size_t sig_len, i; |
| |
| mbedtls_ecdsa_init(&ctx); |
| memset(&rnd_info, 0x00, sizeof(mbedtls_test_rnd_pseudo_info)); |
| memset(hash, 0, sizeof(hash)); |
| memset(sig, 0x2a, sizeof(sig)); |
| |
| /* prepare material for signature */ |
| TEST_ASSERT(mbedtls_test_rnd_pseudo_rand(&rnd_info, |
| hash, sizeof(hash)) == 0); |
| |
| /* generate signing key */ |
| TEST_ASSERT(mbedtls_ecdsa_genkey(&ctx, id, |
| &mbedtls_test_rnd_pseudo_rand, |
| &rnd_info) == 0); |
| |
| /* generate and write signature, then read and verify it */ |
| TEST_ASSERT(mbedtls_ecdsa_write_signature(&ctx, MBEDTLS_MD_SHA256, |
| hash, sizeof(hash), |
| sig, sizeof(sig), &sig_len, |
| &mbedtls_test_rnd_pseudo_rand, |
| &rnd_info) == 0); |
| TEST_ASSERT(mbedtls_ecdsa_read_signature(&ctx, hash, sizeof(hash), |
| sig, sig_len) == 0); |
| |
| /* check we didn't write past the announced length */ |
| for (i = sig_len; i < sizeof(sig); i++) { |
| TEST_ASSERT(sig[i] == 0x2a); |
| } |
| |
| /* try verification with invalid length */ |
| TEST_ASSERT(mbedtls_ecdsa_read_signature(&ctx, hash, sizeof(hash), |
| sig, sig_len - 1) != 0); |
| TEST_ASSERT(mbedtls_ecdsa_read_signature(&ctx, hash, sizeof(hash), |
| sig, sig_len + 1) != 0); |
| |
| /* try invalid sequence tag */ |
| sig[0]++; |
| TEST_ASSERT(mbedtls_ecdsa_read_signature(&ctx, hash, sizeof(hash), |
| sig, sig_len) != 0); |
| sig[0]--; |
| |
| /* try modifying r */ |
| sig[10]++; |
| TEST_ASSERT(mbedtls_ecdsa_read_signature(&ctx, hash, sizeof(hash), |
| sig, sig_len) == MBEDTLS_ERR_ECP_VERIFY_FAILED); |
| sig[10]--; |
| |
| /* try modifying s */ |
| sig[sig_len - 1]++; |
| TEST_ASSERT(mbedtls_ecdsa_read_signature(&ctx, hash, sizeof(hash), |
| sig, sig_len) == MBEDTLS_ERR_ECP_VERIFY_FAILED); |
| sig[sig_len - 1]--; |
| |
| exit: |
| mbedtls_ecdsa_free(&ctx); |
| } |
| /* END_CASE */ |
| |
| /* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */ |
| void ecdsa_read_restart(int id, data_t *pk, data_t *hash, data_t *sig, |
| int max_ops, int min_restart, int max_restart) |
| { |
| mbedtls_ecdsa_context ctx; |
| mbedtls_ecdsa_restart_ctx rs_ctx; |
| int ret, cnt_restart; |
| |
| mbedtls_ecdsa_init(&ctx); |
| mbedtls_ecdsa_restart_init(&rs_ctx); |
| |
| TEST_ASSERT(mbedtls_ecp_group_load(&ctx.grp, id) == 0); |
| TEST_ASSERT(mbedtls_ecp_point_read_binary(&ctx.grp, &ctx.Q, |
| pk->x, pk->len) == 0); |
| |
| mbedtls_ecp_set_max_ops(max_ops); |
| |
| cnt_restart = 0; |
| do { |
| ret = mbedtls_ecdsa_read_signature_restartable(&ctx, |
| hash->x, hash->len, sig->x, sig->len, |
| &rs_ctx); |
| } while (ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restart); |
| |
| TEST_ASSERT(ret == 0); |
| TEST_ASSERT(cnt_restart >= min_restart); |
| TEST_ASSERT(cnt_restart <= max_restart); |
| |
| /* try modifying r */ |
| |
| TEST_ASSERT(sig->len > 10); |
| sig->x[10]++; |
| do { |
| ret = mbedtls_ecdsa_read_signature_restartable(&ctx, |
| hash->x, hash->len, sig->x, sig->len, |
| &rs_ctx); |
| } while (ret == MBEDTLS_ERR_ECP_IN_PROGRESS); |
| TEST_ASSERT(ret == MBEDTLS_ERR_ECP_VERIFY_FAILED); |
| sig->x[10]--; |
| |
| /* try modifying s */ |
| sig->x[sig->len - 1]++; |
| do { |
| ret = mbedtls_ecdsa_read_signature_restartable(&ctx, |
| hash->x, hash->len, sig->x, sig->len, |
| &rs_ctx); |
| } while (ret == MBEDTLS_ERR_ECP_IN_PROGRESS); |
| TEST_ASSERT(ret == MBEDTLS_ERR_ECP_VERIFY_FAILED); |
| sig->x[sig->len - 1]--; |
| |
| /* Do we leak memory when aborting an operation? |
| * This test only makes sense when we actually restart */ |
| if (min_restart > 0) { |
| ret = mbedtls_ecdsa_read_signature_restartable(&ctx, |
| hash->x, hash->len, sig->x, sig->len, |
| &rs_ctx); |
| TEST_ASSERT(ret == MBEDTLS_ERR_ECP_IN_PROGRESS); |
| } |
| |
| exit: |
| mbedtls_ecdsa_free(&ctx); |
| mbedtls_ecdsa_restart_free(&rs_ctx); |
| } |
| /* END_CASE */ |
| |
| /* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE:MBEDTLS_ECDSA_DETERMINISTIC */ |
| void ecdsa_write_restart(int id, char *d_str, int md_alg, |
| data_t *hash, data_t *sig_check, |
| int max_ops, int min_restart, int max_restart) |
| { |
| int ret, cnt_restart; |
| mbedtls_ecdsa_restart_ctx rs_ctx; |
| mbedtls_ecdsa_context ctx; |
| unsigned char sig[MBEDTLS_ECDSA_MAX_LEN]; |
| size_t slen; |
| |
| mbedtls_ecdsa_restart_init(&rs_ctx); |
| mbedtls_ecdsa_init(&ctx); |
| memset(sig, 0, sizeof(sig)); |
| |
| TEST_ASSERT(mbedtls_ecp_group_load(&ctx.grp, id) == 0); |
| TEST_ASSERT(mbedtls_test_read_mpi(&ctx.d, d_str) == 0); |
| |
| mbedtls_ecp_set_max_ops(max_ops); |
| |
| slen = sizeof(sig); |
| cnt_restart = 0; |
| do { |
| ret = mbedtls_ecdsa_write_signature_restartable(&ctx, |
| md_alg, |
| hash->x, |
| hash->len, |
| sig, |
| sizeof(sig), |
| &slen, |
| mbedtls_test_rnd_std_rand, |
| NULL, |
| &rs_ctx); |
| } while (ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restart); |
| |
| TEST_ASSERT(ret == 0); |
| TEST_ASSERT(slen == sig_check->len); |
| TEST_ASSERT(memcmp(sig, sig_check->x, slen) == 0); |
| |
| TEST_ASSERT(cnt_restart >= min_restart); |
| TEST_ASSERT(cnt_restart <= max_restart); |
| |
| /* Do we leak memory when aborting an operation? |
| * This test only makes sense when we actually restart */ |
| if (min_restart > 0) { |
| ret = mbedtls_ecdsa_write_signature_restartable(&ctx, |
| md_alg, |
| hash->x, |
| hash->len, |
| sig, |
| sizeof(sig), |
| &slen, |
| mbedtls_test_rnd_std_rand, |
| NULL, |
| &rs_ctx); |
| TEST_ASSERT(ret == MBEDTLS_ERR_ECP_IN_PROGRESS); |
| } |
| |
| exit: |
| mbedtls_ecdsa_restart_free(&rs_ctx); |
| mbedtls_ecdsa_free(&ctx); |
| } |
| /* END_CASE */ |
| |
| /* BEGIN_CASE */ |
| void ecdsa_verify(int grp_id, char *x, char *y, char *r, char *s, data_t *content, int expected) |
| { |
| mbedtls_ecdsa_context ctx; |
| mbedtls_mpi sig_r, sig_s; |
| |
| mbedtls_ecdsa_init(&ctx); |
| mbedtls_mpi_init(&sig_r); |
| mbedtls_mpi_init(&sig_s); |
| |
| /* Prepare ECP group context */ |
| TEST_EQUAL(mbedtls_ecp_group_load(&ctx.grp, grp_id), 0); |
| |
| /* Prepare public key */ |
| TEST_EQUAL(mbedtls_test_read_mpi(&ctx.Q.X, x), 0); |
| TEST_EQUAL(mbedtls_test_read_mpi(&ctx.Q.Y, y), 0); |
| TEST_EQUAL(mbedtls_mpi_lset(&ctx.Q.Z, 1), 0); |
| |
| /* Prepare signature R & S */ |
| TEST_EQUAL(mbedtls_test_read_mpi(&sig_r, r), 0); |
| TEST_EQUAL(mbedtls_test_read_mpi(&sig_s, s), 0); |
| |
| /* Test whether public key has expected validity */ |
| TEST_EQUAL(mbedtls_ecp_check_pubkey(&ctx.grp, &ctx.Q), |
| expected == MBEDTLS_ERR_ECP_INVALID_KEY ? MBEDTLS_ERR_ECP_INVALID_KEY : 0); |
| |
| /* Verification */ |
| int result = mbedtls_ecdsa_verify(&ctx.grp, content->x, content->len, &ctx.Q, &sig_r, &sig_s); |
| |
| TEST_EQUAL(result, expected); |
| exit: |
| mbedtls_ecdsa_free(&ctx); |
| mbedtls_mpi_free(&sig_r); |
| mbedtls_mpi_free(&sig_s); |
| } |
| /* END_CASE */ |