aboutsummaryrefslogtreecommitdiff
path: root/tests/suites/test_suite_ecdsa.function
diff options
context:
space:
mode:
Diffstat (limited to 'tests/suites/test_suite_ecdsa.function')
-rw-r--r--tests/suites/test_suite_ecdsa.function505
1 files changed, 505 insertions, 0 deletions
diff --git a/tests/suites/test_suite_ecdsa.function b/tests/suites/test_suite_ecdsa.function
new file mode 100644
index 000000000..0e2ac92c7
--- /dev/null
+++ b/tests/suites/test_suite_ecdsa.function
@@ -0,0 +1,505 @@
+/* BEGIN_HEADER */
+#include "mbedtls/ecdsa.h"
+#include "hash_info.h"
+#include "mbedtls/legacy_or_psa.h"
+#if ( defined(MBEDTLS_ECDSA_DETERMINISTIC) && defined(MBEDTLS_SHA256_C) ) || \
+ ( !defined(MBEDTLS_ECDSA_DETERMINISTIC) && defined(MBEDTLS_HAS_ALG_SHA_256_VIA_LOWLEVEL_OR_PSA) )
+#define MBEDTLS_HAS_ALG_SHA_256_VIA_MD_IF_DETERMINISTIC
+#endif
+/* END_HEADER */
+
+/* BEGIN_DEPENDENCIES
+ * depends_on:MBEDTLS_ECDSA_C
+ * END_DEPENDENCIES
+ */
+
+/* BEGIN_CASE */
+void ecdsa_prim_zero( int id )
+{
+ mbedtls_ecp_group grp;
+ mbedtls_ecp_point Q;
+ mbedtls_mpi d, r, s;
+ mbedtls_test_rnd_pseudo_info rnd_info;
+ unsigned char buf[MBEDTLS_HASH_MAX_SIZE];
+
+ mbedtls_ecp_group_init( &grp );
+ mbedtls_ecp_point_init( &Q );
+ mbedtls_mpi_init( &d ); mbedtls_mpi_init( &r ); mbedtls_mpi_init( &s );
+ memset( &rnd_info, 0x00, sizeof( mbedtls_test_rnd_pseudo_info ) );
+ memset( buf, 0, sizeof( buf ) );
+
+ TEST_ASSERT( mbedtls_ecp_group_load( &grp, id ) == 0 );
+ TEST_ASSERT( mbedtls_ecp_gen_keypair( &grp, &d, &Q,
+ &mbedtls_test_rnd_pseudo_rand,
+ &rnd_info ) == 0 );
+
+ TEST_ASSERT( mbedtls_ecdsa_sign( &grp, &r, &s, &d, buf, sizeof( buf ),
+ &mbedtls_test_rnd_pseudo_rand,
+ &rnd_info ) == 0 );
+ TEST_ASSERT( mbedtls_ecdsa_verify( &grp, buf, sizeof( buf ), &Q, &r, &s ) == 0 );
+
+exit:
+ mbedtls_ecp_group_free( &grp );
+ mbedtls_ecp_point_free( &Q );
+ mbedtls_mpi_free( &d ); mbedtls_mpi_free( &r ); mbedtls_mpi_free( &s );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void ecdsa_prim_random( int id )
+{
+ mbedtls_ecp_group grp;
+ mbedtls_ecp_point Q;
+ mbedtls_mpi d, r, s;
+ mbedtls_test_rnd_pseudo_info rnd_info;
+ unsigned char buf[MBEDTLS_HASH_MAX_SIZE];
+
+ mbedtls_ecp_group_init( &grp );
+ mbedtls_ecp_point_init( &Q );
+ mbedtls_mpi_init( &d ); mbedtls_mpi_init( &r ); mbedtls_mpi_init( &s );
+ memset( &rnd_info, 0x00, sizeof( mbedtls_test_rnd_pseudo_info ) );
+ memset( buf, 0, sizeof( buf ) );
+
+ /* prepare material for signature */
+ TEST_ASSERT( mbedtls_test_rnd_pseudo_rand( &rnd_info,
+ buf, sizeof( buf ) ) == 0 );
+ TEST_ASSERT( mbedtls_ecp_group_load( &grp, id ) == 0 );
+ TEST_ASSERT( mbedtls_ecp_gen_keypair( &grp, &d, &Q,
+ &mbedtls_test_rnd_pseudo_rand,
+ &rnd_info ) == 0 );
+
+ TEST_ASSERT( mbedtls_ecdsa_sign( &grp, &r, &s, &d, buf, sizeof( buf ),
+ &mbedtls_test_rnd_pseudo_rand,
+ &rnd_info ) == 0 );
+ TEST_ASSERT( mbedtls_ecdsa_verify( &grp, buf, sizeof( buf ), &Q, &r, &s ) == 0 );
+
+exit:
+ mbedtls_ecp_group_free( &grp );
+ mbedtls_ecp_point_free( &Q );
+ mbedtls_mpi_free( &d ); mbedtls_mpi_free( &r ); mbedtls_mpi_free( &s );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void ecdsa_prim_test_vectors( int id, char * d_str, char * xQ_str,
+ char * yQ_str, data_t * rnd_buf,
+ data_t * hash, char * r_str, char * s_str,
+ int result )
+{
+ mbedtls_ecp_group grp;
+ mbedtls_ecp_point Q;
+ mbedtls_mpi d, r, s, r_check, s_check, zero;
+ mbedtls_test_rnd_buf_info rnd_info;
+
+ mbedtls_ecp_group_init( &grp );
+ mbedtls_ecp_point_init( &Q );
+ mbedtls_mpi_init( &d ); mbedtls_mpi_init( &r ); mbedtls_mpi_init( &s );
+ mbedtls_mpi_init( &r_check ); mbedtls_mpi_init( &s_check );
+ mbedtls_mpi_init( &zero );
+
+ TEST_ASSERT( mbedtls_ecp_group_load( &grp, id ) == 0 );
+ TEST_ASSERT( mbedtls_ecp_point_read_string( &Q, 16, xQ_str, yQ_str ) == 0 );
+ TEST_ASSERT( mbedtls_test_read_mpi( &d, d_str ) == 0 );
+ TEST_ASSERT( mbedtls_test_read_mpi( &r_check, r_str ) == 0 );
+ TEST_ASSERT( mbedtls_test_read_mpi( &s_check, s_str ) == 0 );
+ rnd_info.fallback_f_rng = mbedtls_test_rnd_std_rand;
+ rnd_info.fallback_p_rng = NULL;
+ rnd_info.buf = rnd_buf->x;
+ rnd_info.length = rnd_buf->len;
+
+ /* Fix rnd_buf->x by shifting it left if necessary */
+ if( grp.nbits % 8 != 0 )
+ {
+ unsigned char shift = 8 - ( grp.nbits % 8 );
+ size_t i;
+
+ for( i = 0; i < rnd_info.length - 1; i++ )
+ rnd_buf->x[i] = rnd_buf->x[i] << shift | rnd_buf->x[i+1] >> ( 8 - shift );
+
+ rnd_buf->x[rnd_info.length-1] <<= shift;
+ }
+
+ TEST_ASSERT( mbedtls_ecdsa_sign( &grp, &r, &s, &d, hash->x, hash->len,
+ mbedtls_test_rnd_buffer_rand, &rnd_info ) == result );
+
+ if ( result == 0)
+ {
+ /* Check we generated the expected values */
+ TEST_EQUAL( mbedtls_mpi_cmp_mpi( &r, &r_check ), 0 );
+ TEST_EQUAL( mbedtls_mpi_cmp_mpi( &s, &s_check ), 0 );
+
+ /* Valid signature */
+ TEST_EQUAL( mbedtls_ecdsa_verify( &grp, hash->x, hash->len,
+ &Q, &r_check, &s_check ), 0 );
+
+ /* Invalid signature: wrong public key (G instead of Q) */
+ TEST_EQUAL( mbedtls_ecdsa_verify( &grp, hash->x, hash->len,
+ &grp.G, &r_check, &s_check ), MBEDTLS_ERR_ECP_VERIFY_FAILED );
+
+ /* Invalid signatures: r or s or both one off */
+ TEST_EQUAL( mbedtls_mpi_sub_int( &r, &r_check, 1 ), 0 );
+ TEST_EQUAL( mbedtls_mpi_add_int( &s, &s_check, 1 ), 0 );
+
+ TEST_EQUAL( mbedtls_ecdsa_verify( &grp, hash->x, hash->len, &Q,
+ &r, &s_check ), MBEDTLS_ERR_ECP_VERIFY_FAILED );
+ TEST_EQUAL( mbedtls_ecdsa_verify( &grp, hash->x, hash->len, &Q,
+ &r_check, &s ), MBEDTLS_ERR_ECP_VERIFY_FAILED );
+ TEST_EQUAL( mbedtls_ecdsa_verify( &grp, hash->x, hash->len, &Q,
+ &r, &s ), MBEDTLS_ERR_ECP_VERIFY_FAILED );
+
+ /* Invalid signatures: r, s or both (CVE-2022-21449) are zero */
+ TEST_EQUAL( mbedtls_mpi_lset( &zero, 0 ), 0 );
+
+ TEST_EQUAL( mbedtls_ecdsa_verify( &grp, hash->x, hash->len, &Q,
+ &zero, &s_check ), MBEDTLS_ERR_ECP_VERIFY_FAILED );
+ TEST_EQUAL( mbedtls_ecdsa_verify( &grp, hash->x, hash->len, &Q,
+ &r_check, &zero ), MBEDTLS_ERR_ECP_VERIFY_FAILED );
+ TEST_EQUAL( mbedtls_ecdsa_verify( &grp, hash->x, hash->len, &Q,
+ &zero, &zero ), MBEDTLS_ERR_ECP_VERIFY_FAILED );
+
+ /* Invalid signatures: r, s or both are == N */
+ TEST_EQUAL( mbedtls_ecdsa_verify( &grp, hash->x, hash->len, &Q,
+ &grp.N, &s_check ), MBEDTLS_ERR_ECP_VERIFY_FAILED );
+ TEST_EQUAL( mbedtls_ecdsa_verify( &grp, hash->x, hash->len, &Q,
+ &r_check, &grp.N ), MBEDTLS_ERR_ECP_VERIFY_FAILED );
+ TEST_EQUAL( mbedtls_ecdsa_verify( &grp, hash->x, hash->len, &Q,
+ &grp.N, &grp.N ), MBEDTLS_ERR_ECP_VERIFY_FAILED );
+
+ /* Invalid signatures: r, s or both are negative */
+ TEST_EQUAL( mbedtls_mpi_sub_mpi( &r, &r_check, &grp.N ), 0 );
+ TEST_EQUAL( mbedtls_mpi_sub_mpi( &s, &s_check, &grp.N ), 0 );
+
+ TEST_EQUAL( mbedtls_ecdsa_verify( &grp, hash->x, hash->len, &Q,
+ &r, &s_check ), MBEDTLS_ERR_ECP_VERIFY_FAILED );
+ TEST_EQUAL( mbedtls_ecdsa_verify( &grp, hash->x, hash->len, &Q,
+ &r_check, &s ), MBEDTLS_ERR_ECP_VERIFY_FAILED );
+ TEST_EQUAL( mbedtls_ecdsa_verify( &grp, hash->x, hash->len, &Q,
+ &r, &s ), MBEDTLS_ERR_ECP_VERIFY_FAILED );
+
+ /* Invalid signatures: r or s or both are > N */
+ TEST_EQUAL( mbedtls_mpi_add_mpi( &r, &r_check, &grp.N ), 0 );
+ TEST_EQUAL( mbedtls_mpi_add_mpi( &s, &s_check, &grp.N ), 0 );
+
+ TEST_EQUAL( mbedtls_ecdsa_verify( &grp, hash->x, hash->len, &Q,
+ &r, &s_check ), MBEDTLS_ERR_ECP_VERIFY_FAILED );
+ TEST_EQUAL( mbedtls_ecdsa_verify( &grp, hash->x, hash->len, &Q,
+ &r_check, &s ), MBEDTLS_ERR_ECP_VERIFY_FAILED );
+ TEST_EQUAL( mbedtls_ecdsa_verify( &grp, hash->x, hash->len, &Q,
+ &r, &s ), MBEDTLS_ERR_ECP_VERIFY_FAILED );
+ }
+
+exit:
+ mbedtls_ecp_group_free( &grp );
+ mbedtls_ecp_point_free( &Q );
+ mbedtls_mpi_free( &d ); mbedtls_mpi_free( &r ); mbedtls_mpi_free( &s );
+ mbedtls_mpi_free( &r_check ); mbedtls_mpi_free( &s_check );
+ mbedtls_mpi_free( &zero );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_ECDSA_DETERMINISTIC */
+void ecdsa_det_test_vectors( int id, char * d_str, int md_alg, data_t * hash,
+ char * r_str, char * s_str )
+{
+ mbedtls_ecp_group grp;
+ mbedtls_mpi d, r, s, r_check, s_check;
+
+ mbedtls_ecp_group_init( &grp );
+ mbedtls_mpi_init( &d ); mbedtls_mpi_init( &r ); mbedtls_mpi_init( &s );
+ mbedtls_mpi_init( &r_check ); mbedtls_mpi_init( &s_check );
+
+ TEST_ASSERT( mbedtls_ecp_group_load( &grp, id ) == 0 );
+ TEST_ASSERT( mbedtls_test_read_mpi( &d, d_str ) == 0 );
+ TEST_ASSERT( mbedtls_test_read_mpi( &r_check, r_str ) == 0 );
+ TEST_ASSERT( mbedtls_test_read_mpi( &s_check, s_str ) == 0 );
+
+ TEST_ASSERT(
+ mbedtls_ecdsa_sign_det_ext( &grp, &r, &s, &d,
+ hash->x, hash->len, md_alg,
+ mbedtls_test_rnd_std_rand,
+ NULL )
+ == 0 );
+
+ TEST_ASSERT( mbedtls_mpi_cmp_mpi( &r, &r_check ) == 0 );
+ TEST_ASSERT( mbedtls_mpi_cmp_mpi( &s, &s_check ) == 0 );
+
+exit:
+ mbedtls_ecp_group_free( &grp );
+ mbedtls_mpi_free( &d ); mbedtls_mpi_free( &r ); mbedtls_mpi_free( &s );
+ mbedtls_mpi_free( &r_check ); mbedtls_mpi_free( &s_check );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_IF_DETERMINISTIC */
+void ecdsa_write_read_zero( int id )
+{
+ mbedtls_ecdsa_context ctx;
+ mbedtls_test_rnd_pseudo_info rnd_info;
+ unsigned char hash[32];
+ unsigned char sig[200];
+ size_t sig_len, i;
+
+ mbedtls_ecdsa_init( &ctx );
+ memset( &rnd_info, 0x00, sizeof( mbedtls_test_rnd_pseudo_info ) );
+ memset( hash, 0, sizeof( hash ) );
+ memset( sig, 0x2a, sizeof( sig ) );
+
+ /* generate signing key */
+ TEST_ASSERT( mbedtls_ecdsa_genkey( &ctx, id,
+ &mbedtls_test_rnd_pseudo_rand,
+ &rnd_info ) == 0 );
+
+ /* generate and write signature, then read and verify it */
+ TEST_ASSERT( mbedtls_ecdsa_write_signature( &ctx, MBEDTLS_MD_SHA256,
+ hash, sizeof( hash ),
+ sig, sizeof( sig ), &sig_len, &mbedtls_test_rnd_pseudo_rand,
+ &rnd_info ) == 0 );
+ TEST_ASSERT( mbedtls_ecdsa_read_signature( &ctx, hash, sizeof( hash ),
+ sig, sig_len ) == 0 );
+
+ /* check we didn't write past the announced length */
+ for( i = sig_len; i < sizeof( sig ); i++ )
+ TEST_ASSERT( sig[i] == 0x2a );
+
+ /* try verification with invalid length */
+ TEST_ASSERT( mbedtls_ecdsa_read_signature( &ctx, hash, sizeof( hash ),
+ sig, sig_len - 1 ) != 0 );
+ TEST_ASSERT( mbedtls_ecdsa_read_signature( &ctx, hash, sizeof( hash ),
+ sig, sig_len + 1 ) != 0 );
+
+ /* try invalid sequence tag */
+ sig[0]++;
+ TEST_ASSERT( mbedtls_ecdsa_read_signature( &ctx, hash, sizeof( hash ),
+ sig, sig_len ) != 0 );
+ sig[0]--;
+
+ /* try modifying r */
+ sig[10]++;
+ TEST_ASSERT( mbedtls_ecdsa_read_signature( &ctx, hash, sizeof( hash ),
+ sig, sig_len ) == MBEDTLS_ERR_ECP_VERIFY_FAILED );
+ sig[10]--;
+
+ /* try modifying s */
+ sig[sig_len - 1]++;
+ TEST_ASSERT( mbedtls_ecdsa_read_signature( &ctx, hash, sizeof( hash ),
+ sig, sig_len ) == MBEDTLS_ERR_ECP_VERIFY_FAILED );
+ sig[sig_len - 1]--;
+
+exit:
+ mbedtls_ecdsa_free( &ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_IF_DETERMINISTIC */
+void ecdsa_write_read_random( int id )
+{
+ mbedtls_ecdsa_context ctx;
+ mbedtls_test_rnd_pseudo_info rnd_info;
+ unsigned char hash[32];
+ unsigned char sig[200];
+ size_t sig_len, i;
+
+ mbedtls_ecdsa_init( &ctx );
+ memset( &rnd_info, 0x00, sizeof( mbedtls_test_rnd_pseudo_info ) );
+ memset( hash, 0, sizeof( hash ) );
+ memset( sig, 0x2a, sizeof( sig ) );
+
+ /* prepare material for signature */
+ TEST_ASSERT( mbedtls_test_rnd_pseudo_rand( &rnd_info,
+ hash, sizeof( hash ) ) == 0 );
+
+ /* generate signing key */
+ TEST_ASSERT( mbedtls_ecdsa_genkey( &ctx, id,
+ &mbedtls_test_rnd_pseudo_rand,
+ &rnd_info ) == 0 );
+
+ /* generate and write signature, then read and verify it */
+ TEST_ASSERT( mbedtls_ecdsa_write_signature( &ctx, MBEDTLS_MD_SHA256,
+ hash, sizeof( hash ),
+ sig, sizeof( sig ), &sig_len, &mbedtls_test_rnd_pseudo_rand,
+ &rnd_info ) == 0 );
+ TEST_ASSERT( mbedtls_ecdsa_read_signature( &ctx, hash, sizeof( hash ),
+ sig, sig_len ) == 0 );
+
+ /* check we didn't write past the announced length */
+ for( i = sig_len; i < sizeof( sig ); i++ )
+ TEST_ASSERT( sig[i] == 0x2a );
+
+ /* try verification with invalid length */
+ TEST_ASSERT( mbedtls_ecdsa_read_signature( &ctx, hash, sizeof( hash ),
+ sig, sig_len - 1 ) != 0 );
+ TEST_ASSERT( mbedtls_ecdsa_read_signature( &ctx, hash, sizeof( hash ),
+ sig, sig_len + 1 ) != 0 );
+
+ /* try invalid sequence tag */
+ sig[0]++;
+ TEST_ASSERT( mbedtls_ecdsa_read_signature( &ctx, hash, sizeof( hash ),
+ sig, sig_len ) != 0 );
+ sig[0]--;
+
+ /* try modifying r */
+ sig[10]++;
+ TEST_ASSERT( mbedtls_ecdsa_read_signature( &ctx, hash, sizeof( hash ),
+ sig, sig_len ) == MBEDTLS_ERR_ECP_VERIFY_FAILED );
+ sig[10]--;
+
+ /* try modifying s */
+ sig[sig_len - 1]++;
+ TEST_ASSERT( mbedtls_ecdsa_read_signature( &ctx, hash, sizeof( hash ),
+ sig, sig_len ) == MBEDTLS_ERR_ECP_VERIFY_FAILED );
+ sig[sig_len - 1]--;
+
+exit:
+ mbedtls_ecdsa_free( &ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
+void ecdsa_read_restart( int id, data_t *pk, data_t *hash, data_t *sig,
+ int max_ops, int min_restart, int max_restart )
+{
+ mbedtls_ecdsa_context ctx;
+ mbedtls_ecdsa_restart_ctx rs_ctx;
+ int ret, cnt_restart;
+
+ mbedtls_ecdsa_init( &ctx );
+ mbedtls_ecdsa_restart_init( &rs_ctx );
+
+ TEST_ASSERT( mbedtls_ecp_group_load( &ctx.grp, id ) == 0 );
+ TEST_ASSERT( mbedtls_ecp_point_read_binary( &ctx.grp, &ctx.Q,
+ pk->x, pk->len ) == 0 );
+
+ mbedtls_ecp_set_max_ops( max_ops );
+
+ cnt_restart = 0;
+ do {
+ ret = mbedtls_ecdsa_read_signature_restartable( &ctx,
+ hash->x, hash->len, sig->x, sig->len, &rs_ctx );
+ } while( ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restart );
+
+ TEST_ASSERT( ret == 0 );
+ TEST_ASSERT( cnt_restart >= min_restart );
+ TEST_ASSERT( cnt_restart <= max_restart );
+
+ /* try modifying r */
+
+ TEST_ASSERT( sig->len > 10 );
+ sig->x[10]++;
+ do {
+ ret = mbedtls_ecdsa_read_signature_restartable( &ctx,
+ hash->x, hash->len, sig->x, sig->len, &rs_ctx );
+ } while( ret == MBEDTLS_ERR_ECP_IN_PROGRESS );
+ TEST_ASSERT( ret == MBEDTLS_ERR_ECP_VERIFY_FAILED );
+ sig->x[10]--;
+
+ /* try modifying s */
+ sig->x[sig->len - 1]++;
+ do {
+ ret = mbedtls_ecdsa_read_signature_restartable( &ctx,
+ hash->x, hash->len, sig->x, sig->len, &rs_ctx );
+ } while( ret == MBEDTLS_ERR_ECP_IN_PROGRESS );
+ TEST_ASSERT( ret == MBEDTLS_ERR_ECP_VERIFY_FAILED );
+ sig->x[sig->len - 1]--;
+
+ /* Do we leak memory when aborting an operation?
+ * This test only makes sense when we actually restart */
+ if( min_restart > 0 )
+ {
+ ret = mbedtls_ecdsa_read_signature_restartable( &ctx,
+ hash->x, hash->len, sig->x, sig->len, &rs_ctx );
+ TEST_ASSERT( ret == MBEDTLS_ERR_ECP_IN_PROGRESS );
+ }
+
+exit:
+ mbedtls_ecdsa_free( &ctx );
+ mbedtls_ecdsa_restart_free( &rs_ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE:MBEDTLS_ECDSA_DETERMINISTIC */
+void ecdsa_write_restart( int id, char *d_str, int md_alg,
+ data_t *hash, data_t *sig_check,
+ int max_ops, int min_restart, int max_restart )
+{
+ int ret, cnt_restart;
+ mbedtls_ecdsa_restart_ctx rs_ctx;
+ mbedtls_ecdsa_context ctx;
+ unsigned char sig[MBEDTLS_ECDSA_MAX_LEN];
+ size_t slen;
+
+ mbedtls_ecdsa_restart_init( &rs_ctx );
+ mbedtls_ecdsa_init( &ctx );
+ memset( sig, 0, sizeof( sig ) );
+
+ TEST_ASSERT( mbedtls_ecp_group_load( &ctx.grp, id ) == 0 );
+ TEST_ASSERT( mbedtls_test_read_mpi( &ctx.d, d_str ) == 0 );
+
+ mbedtls_ecp_set_max_ops( max_ops );
+
+ slen = sizeof( sig );
+ cnt_restart = 0;
+ do {
+ ret = mbedtls_ecdsa_write_signature_restartable( &ctx,
+ md_alg, hash->x, hash->len, sig, sizeof( sig ), &slen,
+ mbedtls_test_rnd_std_rand, NULL, &rs_ctx );
+ } while( ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restart );
+
+ TEST_ASSERT( ret == 0 );
+ TEST_ASSERT( slen == sig_check->len );
+ TEST_ASSERT( memcmp( sig, sig_check->x, slen ) == 0 );
+
+ TEST_ASSERT( cnt_restart >= min_restart );
+ TEST_ASSERT( cnt_restart <= max_restart );
+
+ /* Do we leak memory when aborting an operation?
+ * This test only makes sense when we actually restart */
+ if( min_restart > 0 )
+ {
+ ret = mbedtls_ecdsa_write_signature_restartable( &ctx,
+ md_alg, hash->x, hash->len, sig, sizeof( sig ), &slen,
+ mbedtls_test_rnd_std_rand, NULL, &rs_ctx );
+ TEST_ASSERT( ret == MBEDTLS_ERR_ECP_IN_PROGRESS );
+ }
+
+exit:
+ mbedtls_ecdsa_restart_free( &rs_ctx );
+ mbedtls_ecdsa_free( &ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void ecdsa_verify( int grp_id, char * x, char * y, char * r, char * s, data_t * content, int expected )
+{
+ mbedtls_ecdsa_context ctx;
+ mbedtls_mpi sig_r, sig_s;
+
+ mbedtls_ecdsa_init( &ctx );
+ mbedtls_mpi_init( &sig_r );
+ mbedtls_mpi_init( &sig_s );
+
+ /* Prepare ECP group context */
+ TEST_EQUAL( mbedtls_ecp_group_load( &ctx.grp, grp_id ), 0 );
+
+ /* Prepare public key */
+ TEST_EQUAL( mbedtls_test_read_mpi( &ctx.Q.X, x ), 0 );
+ TEST_EQUAL( mbedtls_test_read_mpi( &ctx.Q.Y, y ), 0 );
+ TEST_EQUAL( mbedtls_mpi_lset( &ctx.Q.Z, 1 ), 0 );
+
+ /* Prepare signature R & S */
+ TEST_EQUAL( mbedtls_test_read_mpi( &sig_r, r ), 0 );
+ TEST_EQUAL( mbedtls_test_read_mpi( &sig_s, s ), 0 );
+
+ /* Test whether public key has expected validity */
+ TEST_EQUAL( mbedtls_ecp_check_pubkey( &ctx.grp, &ctx.Q ),
+ expected == MBEDTLS_ERR_ECP_INVALID_KEY ? MBEDTLS_ERR_ECP_INVALID_KEY : 0 );
+
+ /* Verification */
+ int result = mbedtls_ecdsa_verify( &ctx.grp, content->x, content->len, &ctx.Q, &sig_r, &sig_s );
+
+ TEST_EQUAL( result, expected );
+exit:
+ mbedtls_ecdsa_free( &ctx );
+ mbedtls_mpi_free( &sig_r );
+ mbedtls_mpi_free( &sig_s );
+}
+/* END_CASE */
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-14 01:05:12 +0000