From eb402f3cd39bae8689a927fb61499cbee0283a0d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 25 Apr 2017 10:57:30 +0200 Subject: [PATCH] Add test for restartable signature Test relies on deterministic signature as this uses plain sig internally, so if deterministic works, then so does non-deterministic, while the reciprocal is false. (Also, deterministic is enabled by default in config.h.) Test case is taken from a RFC 6979 test vector, just manually converting (r,s) to the encoded signature. --- tests/suites/test_suite_ecdsa.data | 4 ++ tests/suites/test_suite_ecdsa.function | 57 ++++++++++++++++++++++++++ 2 files changed, 61 insertions(+) diff --git a/tests/suites/test_suite_ecdsa.data b/tests/suites/test_suite_ecdsa.data index f2cf214cc..c236c28c6 100644 --- a/tests/suites/test_suite_ecdsa.data +++ b/tests/suites/test_suite_ecdsa.data @@ -265,3 +265,7 @@ ecdsa_read_restart:MBEDTLS_ECP_DP_SECP256R1:"04e8f573412a810c5f81ecd2d251bb94387 ECDSA restartable read-verify: max_ops=250 depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED ecdsa_read_restart:MBEDTLS_ECP_DP_SECP256R1:"04e8f573412a810c5f81ecd2d251bb94387e72f28af70dced90ebe75725c97a6428231069c2b1ef78509a22c59044319f6ed3cb750dfe64c2a282b35967a458ad6":"dee9d4d8b0e40a034602d6e638197998060f6e9f353ae1d10c94cd56476d3c92":"304502210098a5a1392abe29e4b0a4da3fefe9af0f8c32e5b839ab52ba6a05da9c3b7edd0f0220596f0e195ae1e58c1e53e9e7f0f030b274348a8c11232101778d89c4943f5ad2":250:4:64 + +ECDSA restartable sign-write: secp256r1 restart disabled +depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C +ecdsa_write_restart:MBEDTLS_ECP_DP_SECP256R1:"C9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721":MBEDTLS_MD_SHA256:"test":"3045022100f1abb023518351cd71d881567b1ea663ed3efcf6c5132b354f28d3b0b7d383670220019f4113742a2b14bd25926b49c649155f267e60d3814b4c0cc84250e46f0083":0:0:0 diff --git a/tests/suites/test_suite_ecdsa.function b/tests/suites/test_suite_ecdsa.function index d5cb65480..9205627be 100644 --- a/tests/suites/test_suite_ecdsa.function +++ b/tests/suites/test_suite_ecdsa.function @@ -264,3 +264,60 @@ exit: mbedtls_ecdsa_restart_free( &rs_ctx ); } /* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE:MBEDTLS_ECDSA_DETERMINISTIC */ +void ecdsa_write_restart( int id, char *d_str, int md_alg, + char *msg, char *sig_str, + int max_ops, int min_restart, int max_restart ) +{ + int ret, cnt_restart; + mbedtls_ecdsa_restart_ctx rs_ctx; + mbedtls_ecdsa_context ctx; + unsigned char hash[MBEDTLS_MD_MAX_SIZE]; + unsigned char sig[MBEDTLS_ECDSA_MAX_LEN]; + unsigned char sig_check[MBEDTLS_ECDSA_MAX_LEN]; + size_t hlen, slen, slen_check; + const mbedtls_md_info_t *md_info; + + mbedtls_ecdsa_restart_init( &rs_ctx ); + mbedtls_ecdsa_init( &ctx ); + memset( hash, 0, sizeof( hash ) ); + memset( sig, 0, sizeof( sig ) ); + memset( sig_check, 0, sizeof( sig_check ) ); + + TEST_ASSERT( mbedtls_ecp_group_load( &ctx.grp, id ) == 0 ); + TEST_ASSERT( mbedtls_mpi_read_string( &ctx.d, 16, d_str ) == 0 ); + slen_check = unhexify( sig_check, sig_str ); + + md_info = mbedtls_md_info_from_type( md_alg ); + TEST_ASSERT( md_info != NULL ); + + hlen = mbedtls_md_get_size( md_info ); + mbedtls_md( md_info, (const unsigned char *) msg, strlen( msg ), hash ); + + mbedtls_ecp_set_max_ops( max_ops ); + + slen = sizeof( sig ); + cnt_restart = 0; + do { + ret = mbedtls_ecdsa_write_signature_restartable( &ctx, + md_alg, hash, hlen, sig, &slen, NULL, NULL, &rs_ctx ); + } while( ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restart ); + + TEST_ASSERT( ret == 0 ); + TEST_ASSERT( slen == slen_check ); + TEST_ASSERT( memcmp( sig, sig_check, slen ) == 0 ); + + TEST_ASSERT( cnt_restart >= min_restart ); + TEST_ASSERT( cnt_restart <= max_restart ); + + /* do we leak memory when aborting? */ + ret = mbedtls_ecdsa_write_signature_restartable( &ctx, + md_alg, hash, hlen, sig, &slen, NULL, NULL, &rs_ctx ); + TEST_ASSERT( ret == 0 || ret == MBEDTLS_ERR_ECP_IN_PROGRESS ); + +exit: + mbedtls_ecdsa_restart_free( &rs_ctx ); + mbedtls_ecdsa_free( &ctx ); +} +/* END_CASE */