xref: /freebsd/crypto/openssl/test/ec_internal_test.c (revision e0c4386e7e71d93b0edc0c8fa156263fc4a8b0b6)
1 /*
2  * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 /*
11  * Low level APIs are deprecated for public use, but still ok for internal use.
12  */
13 #include "internal/deprecated.h"
14 
15 #include "internal/nelem.h"
16 #include "testutil.h"
17 #include <openssl/ec.h>
18 #include "ec_local.h"
19 #include <openssl/objects.h>
20 
21 static size_t crv_len = 0;
22 static EC_builtin_curve *curves = NULL;
23 
24 /* sanity checks field_inv function pointer in EC_METHOD */
group_field_tests(const EC_GROUP * group,BN_CTX * ctx)25 static int group_field_tests(const EC_GROUP *group, BN_CTX *ctx)
26 {
27     BIGNUM *a = NULL, *b = NULL, *c = NULL;
28     int ret = 0;
29 
30     if (group->meth->field_inv == NULL || group->meth->field_mul == NULL)
31         return 1;
32 
33     BN_CTX_start(ctx);
34     a = BN_CTX_get(ctx);
35     b = BN_CTX_get(ctx);
36     if (!TEST_ptr(c = BN_CTX_get(ctx))
37         /* 1/1 = 1 */
38         || !TEST_true(group->meth->field_inv(group, b, BN_value_one(), ctx))
39         || !TEST_true(BN_is_one(b))
40         /* (1/a)*a = 1 */
41         || !TEST_true(BN_rand(a, BN_num_bits(group->field) - 1,
42                               BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))
43         || !TEST_true(group->meth->field_inv(group, b, a, ctx))
44         || (group->meth->field_encode &&
45             !TEST_true(group->meth->field_encode(group, a, a, ctx)))
46         || (group->meth->field_encode &&
47             !TEST_true(group->meth->field_encode(group, b, b, ctx)))
48         || !TEST_true(group->meth->field_mul(group, c, a, b, ctx))
49         || (group->meth->field_decode &&
50             !TEST_true(group->meth->field_decode(group, c, c, ctx)))
51         || !TEST_true(BN_is_one(c)))
52         goto err;
53 
54     /* 1/0 = error */
55     BN_zero(a);
56     if (!TEST_false(group->meth->field_inv(group, b, a, ctx))
57         || !TEST_true(ERR_GET_LIB(ERR_peek_last_error()) == ERR_LIB_EC)
58         || !TEST_true(ERR_GET_REASON(ERR_peek_last_error()) ==
59                       EC_R_CANNOT_INVERT)
60         /* 1/p = error */
61         || !TEST_false(group->meth->field_inv(group, b, group->field, ctx))
62         || !TEST_true(ERR_GET_LIB(ERR_peek_last_error()) == ERR_LIB_EC)
63         || !TEST_true(ERR_GET_REASON(ERR_peek_last_error()) ==
64                       EC_R_CANNOT_INVERT))
65         goto err;
66 
67     ERR_clear_error();
68     ret = 1;
69  err:
70     BN_CTX_end(ctx);
71     return ret;
72 }
73 
74 /* wrapper for group_field_tests for explicit curve params and EC_METHOD */
field_tests(const EC_METHOD * meth,const unsigned char * params,int len)75 static int field_tests(const EC_METHOD *meth, const unsigned char *params,
76                        int len)
77 {
78     BN_CTX *ctx = NULL;
79     BIGNUM *p = NULL, *a = NULL, *b = NULL;
80     EC_GROUP *group = NULL;
81     int ret = 0;
82 
83     if (!TEST_ptr(ctx = BN_CTX_new()))
84         return 0;
85 
86     BN_CTX_start(ctx);
87     p = BN_CTX_get(ctx);
88     a = BN_CTX_get(ctx);
89     if (!TEST_ptr(b = BN_CTX_get(ctx))
90         || !TEST_ptr(group = EC_GROUP_new(meth))
91         || !TEST_true(BN_bin2bn(params, len, p))
92         || !TEST_true(BN_bin2bn(params + len, len, a))
93         || !TEST_true(BN_bin2bn(params + 2 * len, len, b))
94         || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
95         || !group_field_tests(group, ctx))
96         goto err;
97     ret = 1;
98 
99  err:
100     BN_CTX_end(ctx);
101     BN_CTX_free(ctx);
102     if (group != NULL)
103         EC_GROUP_free(group);
104     return ret;
105 }
106 
107 /* NIST prime curve P-256 */
108 static const unsigned char params_p256[] = {
109     /* p */
110     0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
111     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
112     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
113     /* a */
114     0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
115     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
116     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC,
117     /* b */
118     0x5A, 0xC6, 0x35, 0xD8, 0xAA, 0x3A, 0x93, 0xE7, 0xB3, 0xEB, 0xBD, 0x55,
119     0x76, 0x98, 0x86, 0xBC, 0x65, 0x1D, 0x06, 0xB0, 0xCC, 0x53, 0xB0, 0xF6,
120     0x3B, 0xCE, 0x3C, 0x3E, 0x27, 0xD2, 0x60, 0x4B
121 };
122 
123 #ifndef OPENSSL_NO_EC2M
124 /* NIST binary curve B-283 */
125 static const unsigned char params_b283[] = {
126     /* p */
127     0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
128     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
129     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0xA1,
130     /* a */
131     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
132     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
133     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
134     /* b */
135     0x02, 0x7B, 0x68, 0x0A, 0xC8, 0xB8, 0x59, 0x6D, 0xA5, 0xA4, 0xAF, 0x8A,
136     0x19, 0xA0, 0x30, 0x3F, 0xCA, 0x97, 0xFD, 0x76, 0x45, 0x30, 0x9F, 0xA2,
137     0xA5, 0x81, 0x48, 0x5A, 0xF6, 0x26, 0x3E, 0x31, 0x3B, 0x79, 0xA2, 0xF5
138 };
139 #endif
140 
141 /* test EC_GFp_simple_method directly */
field_tests_ecp_simple(void)142 static int field_tests_ecp_simple(void)
143 {
144     TEST_info("Testing EC_GFp_simple_method()\n");
145     return field_tests(EC_GFp_simple_method(), params_p256,
146                        sizeof(params_p256) / 3);
147 }
148 
149 /* test EC_GFp_mont_method directly */
field_tests_ecp_mont(void)150 static int field_tests_ecp_mont(void)
151 {
152     TEST_info("Testing EC_GFp_mont_method()\n");
153     return field_tests(EC_GFp_mont_method(), params_p256,
154                        sizeof(params_p256) / 3);
155 }
156 
157 #ifndef OPENSSL_NO_EC2M
158 /* test EC_GF2m_simple_method directly */
field_tests_ec2_simple(void)159 static int field_tests_ec2_simple(void)
160 {
161     TEST_info("Testing EC_GF2m_simple_method()\n");
162     return field_tests(EC_GF2m_simple_method(), params_b283,
163                        sizeof(params_b283) / 3);
164 }
165 #endif
166 
167 /* test default method for a named curve */
field_tests_default(int n)168 static int field_tests_default(int n)
169 {
170     BN_CTX *ctx = NULL;
171     EC_GROUP *group = NULL;
172     int nid = curves[n].nid;
173     int ret = 0;
174 
175     TEST_info("Testing curve %s\n", OBJ_nid2sn(nid));
176 
177     if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))
178         || !TEST_ptr(ctx = BN_CTX_new())
179         || !group_field_tests(group, ctx))
180         goto err;
181 
182     ret = 1;
183  err:
184     if (group != NULL)
185         EC_GROUP_free(group);
186     if (ctx != NULL)
187         BN_CTX_free(ctx);
188     return ret;
189 }
190 
191 #ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
192 /*
193  * Tests a point known to cause an incorrect underflow in an old version of
194  * ecp_nist521.c
195  */
underflow_test(void)196 static int underflow_test(void)
197 {
198     BN_CTX *ctx = NULL;
199     EC_GROUP *grp = NULL;
200     EC_POINT *P = NULL, *Q = NULL, *R = NULL;
201     BIGNUM *x1 = NULL, *y1 = NULL, *z1 = NULL, *x2 = NULL, *y2 = NULL;
202     BIGNUM *k = NULL;
203     int testresult = 0;
204     const char *x1str =
205         "1534f0077fffffe87e9adcfe000000000000000000003e05a21d2400002e031b1f4"
206         "b80000c6fafa4f3c1288798d624a247b5e2ffffffffffffffefe099241900004";
207     const char *p521m1 =
208         "1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
209         "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe";
210 
211     ctx = BN_CTX_new();
212     if (!TEST_ptr(ctx))
213         return 0;
214 
215     BN_CTX_start(ctx);
216     x1 = BN_CTX_get(ctx);
217     y1 = BN_CTX_get(ctx);
218     z1 = BN_CTX_get(ctx);
219     x2 = BN_CTX_get(ctx);
220     y2 = BN_CTX_get(ctx);
221     k = BN_CTX_get(ctx);
222     if (!TEST_ptr(k))
223         goto err;
224 
225     grp = EC_GROUP_new_by_curve_name(NID_secp521r1);
226     P = EC_POINT_new(grp);
227     Q = EC_POINT_new(grp);
228     R = EC_POINT_new(grp);
229     if (!TEST_ptr(grp) || !TEST_ptr(P) || !TEST_ptr(Q) || !TEST_ptr(R))
230         goto err;
231 
232     if (!TEST_int_gt(BN_hex2bn(&x1, x1str), 0)
233             || !TEST_int_gt(BN_hex2bn(&y1, p521m1), 0)
234             || !TEST_int_gt(BN_hex2bn(&z1, p521m1), 0)
235             || !TEST_int_gt(BN_hex2bn(&k, "02"), 0)
236             || !TEST_true(ossl_ec_GFp_simple_set_Jprojective_coordinates_GFp(grp, P, x1,
237                                                                              y1, z1, ctx))
238             || !TEST_true(EC_POINT_mul(grp, Q, NULL, P, k, ctx))
239             || !TEST_true(EC_POINT_get_affine_coordinates(grp, Q, x1, y1, ctx))
240             || !TEST_true(EC_POINT_dbl(grp, R, P, ctx))
241             || !TEST_true(EC_POINT_get_affine_coordinates(grp, R, x2, y2, ctx)))
242         goto err;
243 
244     if (!TEST_int_eq(BN_cmp(x1, x2), 0)
245             || !TEST_int_eq(BN_cmp(y1, y2), 0))
246         goto err;
247 
248     testresult = 1;
249 
250  err:
251     BN_CTX_end(ctx);
252     EC_POINT_free(P);
253     EC_POINT_free(Q);
254     EC_POINT_free(R);
255     EC_GROUP_free(grp);
256     BN_CTX_free(ctx);
257 
258     return testresult;
259 }
260 #endif
261 
262 /*
263  * Tests behavior of the EC_KEY_set_private_key
264  */
set_private_key(void)265 static int set_private_key(void)
266 {
267     EC_KEY *key = NULL, *aux_key = NULL;
268     int testresult = 0;
269 
270     key = EC_KEY_new_by_curve_name(NID_secp224r1);
271     aux_key = EC_KEY_new_by_curve_name(NID_secp224r1);
272     if (!TEST_ptr(key)
273         || !TEST_ptr(aux_key)
274         || !TEST_int_eq(EC_KEY_generate_key(key), 1)
275         || !TEST_int_eq(EC_KEY_generate_key(aux_key), 1))
276         goto err;
277 
278     /* Test setting a valid private key */
279     if (!TEST_int_eq(EC_KEY_set_private_key(key, aux_key->priv_key), 1))
280         goto err;
281 
282     /* Test compliance with legacy behavior for NULL private keys */
283     if (!TEST_int_eq(EC_KEY_set_private_key(key, NULL), 0)
284         || !TEST_ptr_null(key->priv_key))
285         goto err;
286 
287     testresult = 1;
288 
289  err:
290     EC_KEY_free(key);
291     EC_KEY_free(aux_key);
292     return testresult;
293 }
294 
295 /*
296  * Tests behavior of the decoded_from_explicit_params flag and API
297  */
decoded_flag_test(void)298 static int decoded_flag_test(void)
299 {
300     EC_GROUP *grp;
301     EC_GROUP *grp_copy = NULL;
302     ECPARAMETERS *ecparams = NULL;
303     ECPKPARAMETERS *ecpkparams = NULL;
304     EC_KEY *key = NULL;
305     unsigned char *encodedparams = NULL;
306     const unsigned char *encp;
307     int encodedlen;
308     int testresult = 0;
309 
310     /* Test EC_GROUP_new not setting the flag */
311     grp = EC_GROUP_new(EC_GFp_simple_method());
312     if (!TEST_ptr(grp)
313         || !TEST_int_eq(grp->decoded_from_explicit_params, 0))
314         goto err;
315     EC_GROUP_free(grp);
316 
317     /* Test EC_GROUP_new_by_curve_name not setting the flag */
318     grp = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1);
319     if (!TEST_ptr(grp)
320         || !TEST_int_eq(grp->decoded_from_explicit_params, 0))
321         goto err;
322 
323     /* Test EC_GROUP_new_from_ecparameters not setting the flag */
324     if (!TEST_ptr(ecparams = EC_GROUP_get_ecparameters(grp, NULL))
325         || !TEST_ptr(grp_copy = EC_GROUP_new_from_ecparameters(ecparams))
326         || !TEST_int_eq(grp_copy->decoded_from_explicit_params, 0))
327         goto err;
328     EC_GROUP_free(grp_copy);
329     grp_copy = NULL;
330     ECPARAMETERS_free(ecparams);
331     ecparams = NULL;
332 
333     /* Test EC_GROUP_new_from_ecpkparameters not setting the flag */
334     if (!TEST_int_eq(EC_GROUP_get_asn1_flag(grp), OPENSSL_EC_NAMED_CURVE)
335         || !TEST_ptr(ecpkparams = EC_GROUP_get_ecpkparameters(grp, NULL))
336         || !TEST_ptr(grp_copy = EC_GROUP_new_from_ecpkparameters(ecpkparams))
337         || !TEST_int_eq(grp_copy->decoded_from_explicit_params, 0)
338         || !TEST_ptr(key = EC_KEY_new())
339     /* Test EC_KEY_decoded_from_explicit_params on key without a group */
340         || !TEST_int_eq(EC_KEY_decoded_from_explicit_params(key), -1)
341         || !TEST_int_eq(EC_KEY_set_group(key, grp_copy), 1)
342     /* Test EC_KEY_decoded_from_explicit_params negative case */
343         || !TEST_int_eq(EC_KEY_decoded_from_explicit_params(key), 0))
344         goto err;
345     EC_GROUP_free(grp_copy);
346     grp_copy = NULL;
347     ECPKPARAMETERS_free(ecpkparams);
348     ecpkparams = NULL;
349 
350     /* Test d2i_ECPKParameters with named params not setting the flag */
351     if (!TEST_int_gt(encodedlen = i2d_ECPKParameters(grp, &encodedparams), 0)
352         || !TEST_ptr(encp = encodedparams)
353         || !TEST_ptr(grp_copy = d2i_ECPKParameters(NULL, &encp, encodedlen))
354         || !TEST_int_eq(grp_copy->decoded_from_explicit_params, 0))
355         goto err;
356     EC_GROUP_free(grp_copy);
357     grp_copy = NULL;
358     OPENSSL_free(encodedparams);
359     encodedparams = NULL;
360 
361     /* Asn1 flag stays set to explicit with EC_GROUP_new_from_ecpkparameters */
362     EC_GROUP_set_asn1_flag(grp, OPENSSL_EC_EXPLICIT_CURVE);
363     if (!TEST_ptr(ecpkparams = EC_GROUP_get_ecpkparameters(grp, NULL))
364         || !TEST_ptr(grp_copy = EC_GROUP_new_from_ecpkparameters(ecpkparams))
365         || !TEST_int_eq(EC_GROUP_get_asn1_flag(grp_copy), OPENSSL_EC_EXPLICIT_CURVE)
366         || !TEST_int_eq(grp_copy->decoded_from_explicit_params, 0))
367         goto err;
368     EC_GROUP_free(grp_copy);
369     grp_copy = NULL;
370 
371     /* Test d2i_ECPKParameters with explicit params setting the flag */
372     if (!TEST_int_gt(encodedlen = i2d_ECPKParameters(grp, &encodedparams), 0)
373         || !TEST_ptr(encp = encodedparams)
374         || !TEST_ptr(grp_copy = d2i_ECPKParameters(NULL, &encp, encodedlen))
375         || !TEST_int_eq(EC_GROUP_get_asn1_flag(grp_copy), OPENSSL_EC_EXPLICIT_CURVE)
376         || !TEST_int_eq(grp_copy->decoded_from_explicit_params, 1)
377         || !TEST_int_eq(EC_KEY_set_group(key, grp_copy), 1)
378     /* Test EC_KEY_decoded_from_explicit_params positive case */
379         || !TEST_int_eq(EC_KEY_decoded_from_explicit_params(key), 1))
380         goto err;
381 
382     testresult = 1;
383 
384  err:
385     EC_KEY_free(key);
386     EC_GROUP_free(grp);
387     EC_GROUP_free(grp_copy);
388     ECPARAMETERS_free(ecparams);
389     ECPKPARAMETERS_free(ecpkparams);
390     OPENSSL_free(encodedparams);
391 
392     return testresult;
393 }
394 
395 static
ecpkparams_i2d2i_test(int n)396 int ecpkparams_i2d2i_test(int n)
397 {
398     EC_GROUP *g1 = NULL, *g2 = NULL;
399     FILE *fp = NULL;
400     int nid = curves[n].nid;
401     int testresult = 0;
402 
403     /* create group */
404     if (!TEST_ptr(g1 = EC_GROUP_new_by_curve_name(nid)))
405         goto end;
406 
407     /* encode params to file */
408     if (!TEST_ptr(fp = fopen("params.der", "wb"))
409             || !TEST_true(i2d_ECPKParameters_fp(fp, g1)))
410         goto end;
411 
412     /* flush and close file */
413     if (!TEST_int_eq(fclose(fp), 0)) {
414         fp = NULL;
415         goto end;
416     }
417     fp = NULL;
418 
419     /* decode params from file */
420     if (!TEST_ptr(fp = fopen("params.der", "rb"))
421             || !TEST_ptr(g2 = d2i_ECPKParameters_fp(fp, NULL)))
422         goto end;
423 
424     testresult = 1; /* PASS */
425 
426 end:
427     if (fp != NULL)
428         fclose(fp);
429 
430     EC_GROUP_free(g1);
431     EC_GROUP_free(g2);
432 
433     return testresult;
434 }
435 
setup_tests(void)436 int setup_tests(void)
437 {
438     crv_len = EC_get_builtin_curves(NULL, 0);
439     if (!TEST_ptr(curves = OPENSSL_malloc(sizeof(*curves) * crv_len))
440         || !TEST_true(EC_get_builtin_curves(curves, crv_len)))
441         return 0;
442 
443     ADD_TEST(field_tests_ecp_simple);
444     ADD_TEST(field_tests_ecp_mont);
445 #ifndef OPENSSL_NO_EC2M
446     ADD_TEST(field_tests_ec2_simple);
447 #endif
448     ADD_ALL_TESTS(field_tests_default, crv_len);
449 #ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
450     ADD_TEST(underflow_test);
451 #endif
452     ADD_TEST(set_private_key);
453     ADD_TEST(decoded_flag_test);
454     ADD_ALL_TESTS(ecpkparams_i2d2i_test, crv_len);
455 
456     return 1;
457 }
458 
cleanup_tests(void)459 void cleanup_tests(void)
460 {
461     OPENSSL_free(curves);
462 }
463