summaryrefslogtreecommitdiff
path: root/test/ectest.c
Commit message (Collapse)AuthorAgeFilesLines
* New function EC_GROUP_to_params to convert an EC_GROUP to an array of ↵Oliver Mihatsch2023-02-081-0/+113
| | | | | | | | | OSSL_PARAM. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from https://github.com/openssl/openssl/pull/20205)
* Potential null pointer referenceyangyangtiantianlonglong2022-11-021-7/+7
| | | | | | Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19429)
* d2i_PublicKey: Make it work with EC parameters in a provided keyTomas Mraz2021-11-221-0/+42
| | | | | | | Fixes #16989 Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17065)
* Fix tests to check for negative results when calling EVP_PKEY_fromdata_initslontis2021-11-051-5/+5
| | | | | Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16801)
* fix some code with obvious wrong coding stylex20182021-10-281-2/+2
| | | | | | | Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16918)
* Use <> for #include openssl/xxxRich Salz2021-05-271-3/+3
| | | | | | Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15468)
* Test oct2point for hybrid point encoding of (0, y)Theo Buehler2021-05-091-0/+50
| | | | | | Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15108)
* Replace OSSL_PARAM_BLD_free_params() with OSSL_PARAM_free().Shane Lontis2021-04-121-3/+3
| | | | | Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14785)
* Simplify the EVP_PKEY_XXX_fromdata_XX methods.Shane Lontis2021-02-081-5/+8
| | | | | | | | | | | | | | | | | | The existing names such as EVP_PKEY_param_fromdata_settable were a bit confusing since the 'param' referred to key params not OSSL_PARAM. To simplify the interface a 'selection' parameter will be passed instead. The changes are: (1) EVP_PKEY_fromdata_init() replaces both EVP_PKEY_key_fromdata_init() and EVP_PKEY_param_fromdata_init(). (2) EVP_PKEY_fromdata() has an additional selection parameter. (3) EVP_PKEY_fromdata_settable() replaces EVP_PKEY_key_fromdata_settable() and EVP_PKEY_param_fromdata_settable(). EVP_PKEY_fromdata_settable() also uses a selection parameter. Fixes #12989 Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14076)
* Disable the test-ec completely when building with no-ecTomas Mraz2021-01-261-58/+51
| | | | | Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13139)
* Deprecate EC_KEY + Update ec apps to use EVP_PKEYShane Lontis2021-01-261-6/+3
| | | | | | | | | Co-author: Richard Levitte <levitte@openssl.org> Co-author: Tomas Mraz <tmraz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13139)
* Add Explicit EC parameter support to providers.Shane Lontis2020-08-221-1/+223
| | | | | | | | | | This was added for backward compatability. Added EC_GROUP_new_from_params() that supports explicit curve parameters. This fixes the 15-test_genec.t TODO. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12604)
* [test][ectest] Minor touches to custom_generator_testNicola Tuveri2020-07-291-4/+2
| | | | | | | | | | | | Minor changes to `custom_generator_test`: - this is to align to the 1.1.1 version of the test (simplify the code as there is no need to use `EC_GROUP_get_field_type()`) - add comment to explain how the buffer size is computed Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12507)
* [test] Vertically test explicit EC params API patternsNicola Tuveri2020-07-291-1/+280
| | | | | | | | | | | | | | | | | | | | | | | | | | | This commit adds a new test (run on all the built-in curves) to create `EC_GROUP` with **unknown** *explicit parameters*: from a built-in group we create an alternative group from scratch that differs in the generator used. At the `EC_GROUP` layer we perform a basic math check to ensure that the math on the alternative group still makes sense, using comparable results from the origin group. We then create two `EC_KEY` objects on top of this alternative group and run key generation from the `EC_KEY` layer. Then we promote these two `EC_KEY`s to `EVP_PKEY` objects and try to run the derive operation at the highest abstraction layer, comparing results in both directions. Finally, we create provider-native keys using `EVP_PKEY_fromdata` and data derived from the previous objects, we compute an equivalent shared secret from these provider keys, and compare it to the result obtained from the previous steps. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12507)
* [test] ectest: check custom generatorsBilly Brumley2020-07-121-0/+84
| | | | | | Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/12096)
* Move EC_METHOD to internal-onlyBilly Brumley2020-06-021-83/+31
| | | | | | Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11928)
* deprecate EC precomputation functionalityBilly Brumley2020-05-191-9/+10
| | | | | | Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/11851)
* deprecate EC_POINTs_mul functionBilly Brumley2020-05-161-10/+26
| | | | | | Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11807)
* Update copyright yearMatt Caswell2020-04-231-1/+1
| | | | | Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11616)
* [crypto/ec] deprecate Jprojective_coordinates_GFp functionsBilly Brumley2020-04-221-79/+0
| | | | | | Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11527)
* Add self-test for EC_POINT_hex2pointNicola Tuveri2019-11-131-0/+101
| | | | | | | | | Adds tests for each curve to ensure that encodings obtained through EC_POINT_hex2point() can be fed to EC_POINT_point2hex() yielding a point identical to the one from which the encoding is generated. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10329)
* Add BN_check_prime()Kurt Roeckx2019-10-141-7/+7
| | | | | | | | | | Add a new API to test for primes that can't be misused, deprecated the old APIs. Suggested by Jake Massimo and Kenneth Paterson Reviewed-by: Paul Dale <paul.dale@oracle.com> GH: #9272
* [test] ECC: check the bounds for auto computing cofactorBilly Brumley2019-09-091-0/+91
| | | | | | Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/9821)
* Uniform TEST_*() check usage in test/ectest.cNicola Tuveri2019-09-091-13/+13
| | | | | | | | | | | | - Replace a `TEST_true()` with `!TEST_false()` to avoid reporting confusing errors - We tend to use `if (!TEST_foo() || !TEST_bar())` and it's a bit confusing to switch to `if(!(TEST_foo() && TEST_bar()))`: replace it with the more common style Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/9813)
* Fix spacing nit in test/ectest.cNicola Tuveri2019-09-091-1/+1
| | | | | | Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/9813)
* [ec] Match built-in curves on EC_GROUP_new_from_ecparametersNicola Tuveri2019-09-091-0/+267
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Description ----------- Upon `EC_GROUP_new_from_ecparameters()` check if the parameters match any of the built-in curves. If that is the case, return a new `EC_GROUP_new_by_curve_name()` object instead of the explicit parameters `EC_GROUP`. This affects all users of `EC_GROUP_new_from_ecparameters()`: - direct calls to `EC_GROUP_new_from_ecparameters()` - direct calls to `EC_GROUP_new_from_ecpkparameters()` with an explicit parameters argument - ASN.1 parsing of explicit parameters keys (as it eventually ends up calling `EC_GROUP_new_from_ecpkparameters()`) A parsed explicit parameter key will still be marked with the `OPENSSL_EC_EXPLICIT_CURVE` ASN.1 flag on load, so, unless programmatically forced otherwise, if the key is eventually serialized the output will still be encoded with explicit parameters, even if internally it is treated as a named curve `EC_GROUP`. Before this change, creating any `EC_GROUP` object using `EC_GROUP_new_from_ecparameters()`, yielded an object associated with the default generic `EC_METHOD`, but this was never guaranteed in the documentation. After this commit, users of the library that intentionally want to create an `EC_GROUP` object using a specific `EC_METHOD` can still explicitly call `EC_GROUP_new(foo_method)` and then manually set the curve parameters using `EC_GROUP_set_*()`. Motivation ---------- This has obvious performance benefits for the built-in curves with specialized `EC_METHOD`s and subtle but important security benefits: - the specialized methods have better security hardening than the generic implementations - optional fields in the parameter encoding, like the `cofactor`, cannot be leveraged by an attacker to force execution of the less secure code-paths for single point scalar multiplication - in general, this leads to reducing the attack surface Check the manuscript at https://arxiv.org/abs/1909.01785 for an in depth analysis of the issues related to this commit. It should be noted that `libssl` does not allow to negotiate explicit parameters (as per RFC 8422), so it is not directly affected by the consequences of using explicit parameters that this commit fixes. On the other hand, we detected external applications and users in the wild that use explicit parameters by default (and sometimes using 0 as the cofactor value, which is technically not a valid value per the specification, but is tolerated by parsers for wider compatibility given that the field is optional). These external users of `libcrypto` are exposed to these vulnerabilities and their security will benefit from this commit. Related commits --------------- While this commit is beneficial for users using built-in curves and explicit parameters encoding for serialized keys, commit b783beeadf6b80bc431e6f3230b5d5585c87ef87 (and its equivalents for the 1.0.2, 1.1.0 and 1.1.1 stable branches) fixes the consequences of the invalid cofactor values more in general also for other curves (CVE-2019-1547). The following list covers commits in `master` that are related to the vulnerabilities presented in the manuscript motivating this commit: - d2baf88c43 [crypto/rsa] Set the constant-time flag in multi-prime RSA too - 311e903d84 [crypto/asn1] Fix multiple SCA vulnerabilities during RSA key validation. - b783beeadf [crypto/ec] for ECC parameters with NULL or zero cofactor, compute it - 724339ff44 Fix SCA vulnerability when using PVK and MSBLOB key formats Note that the PRs that contributed the listed commits also include other commits providing related testing and documentation, in addition to links to PRs and commits backporting the fixes to the 1.0.2, 1.1.0 and 1.1.1 branches. Responsible Disclosure ---------------------- This and the other issues presented in https://arxiv.org/abs/1909.01785 were reported by Cesar Pereida García, Sohaib ul Hassan, Nicola Tuveri, Iaroslav Gridin, Alejandro Cabrera Aldaya and Billy Bob Brumley from the NISEC group at Tampere University, FINLAND. The OpenSSL Security Team evaluated the security risk for this vulnerability as low, and encouraged to propose fixes using public Pull Requests. _______________________________________________________________________________ Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/9808)
* [test] computing ECC cofactors: regression testBilly Brumley2019-09-071-5/+5
| | | | | | | | | | | | | | | | | | | | | | | This is a forward port from https://github.com/openssl/openssl/pull/9781 for the test logic introduced by https://github.com/openssl/openssl/pull/9727 As @mattcaswell commented (https://github.com/openssl/openssl/pull/9781#discussion_r321621541): > These `TEST_true` calls should be `!TEST_false` because we are > *expecting* a failure. > The difference is that the test framework will print error details if > the test doesn't give the expected answer. > So by using `TEST_true` instead of `!TEST_false` we'll get error > details printed, but the test will succeed anyway. (cherry picked from commit e8aafc891d9bd7fa1cce0401d858ef842f09b49e) Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9797)
* [test] computing ECC cofactors: regression testBilly Brumley2019-09-051-3/+86
| | | | | | Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9827)
* Make the EC code available from inside the FIPS providerMatt Caswell2019-08-061-19/+19
| | | | | Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/9380)
* Temporary workaround for ectest.c for [extended tests]Nicola Tuveri2019-07-311-1/+1
| | | | | | | | | | | | | | | | | [extended tests] This is a temporary workaround for issue #9251, which contains a full discussion of the real problem. As a temporary workaround, we test `EC_GROUP_new_from_ecparameters()` against a curve that does not currently have alternative implementations. The proper fix is dependant on resolution of issue #8615 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/9474)
* EC only uses approved curves in FIPS mode.Shane Lontis2019-06-251-1/+1
| | | | | | | | | | | | | | Once there are buildable fips tests, some tests that are data driven from files will need to be modified to exclude non approved curves in fips mode. These changes were tested by temporarily adding #define FIPS_MODE 1 to all the modified source files. Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/9081)
* Fix no-ec2mMatt Caswell2019-04-231-1/+4
| | | | | Reviewed-by: Paul Yang <yang.yang@baishancloud.com> (Merged from https://github.com/openssl/openssl/pull/8792)
* ec key validation checks updatedShane Lontis2019-04-111-2/+55
| | | | | | Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8564)
* doc fixupsShane Lontis2019-04-111-3/+3
| | | | | | Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8555)
* Separate the lookup testNicola Tuveri2019-04-111-33/+84
| | | | | | | | | | | | | | | | | | | | | | | | This fixes the "verifying the alias" case. Actually, while working on it, I realized that conceptually we were testing the 2 different behaviours of `EC_GROUP_check_named_curve()` at the same time, and actually not in the proper way. I think it's fair to assume that overwriting the curve name for an existing group with `NID_undef` could lead to the unexpected behaviour we were observing and working around. Thus I decided to separate the lookup test in a dedicated simpler test that does what the documentation of `EC_GROUP_check_named_curve()` suggests: the lookup functionality is meant to find a name for a group generated with explicit parameters. In case an alternative alias is returned by the lookup instead of the expected nid, to avoid doing comparisons between `EC_GROUP`s with different `EC_METHOD`s, the workaround is to retrieve the `ECPARAMETERS` of the "alias group" and create a new explicit parameters group to use in `EC_GROUP_cmp()`. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8555)
* EC_GROUP_set_curve() might fail for arbitrary paramsNicola Tuveri2019-04-111-10/+40
| | | | | | | | | | | | | | | | Setting arbitrary `p`, `a` or `b` with `EC_GROUP_set_curve()` might fail for some `EC_GROUP`s, depending on the internal `EC_METHOD` implementation, hence the block of tests verifying that `EC_GROUP_check_named_curve()` fails when any of the curve parameters is changed is modified to run only if the previous `EC_GROUP_set_curve()` call succeeds. `ERR_set_mark()` and `ERR_pop_to_mark()` are used to avoid littering the thread error stack with unrelated errors happened during `EC_GROUP_set_curve()`. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8555)
* added code to validate EC named curve parametersShane Lontis2019-04-111-0/+178
| | | | | | Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8555)
* Fix memory leak in ectestNicola Tuveri2019-03-131-0/+1
| | | | | | | Fixes #8462 Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8466)
* Add a test for underflow in ecp_nistp521.cMatt Caswell2019-03-071-0/+69
| | | | | | | | | The previous commit fixed an underflow that may occur in ecp_nistp521.c. This commit adds a test for that condition. It is heavily based on an original test harness by Billy Brumley. Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/8405)
* Add EC_GROUP_get0_fieldDavid Asraf2019-02-151-0/+38
| | | | | | | | New function to return internal pointer for field. Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8195)
* Following the license change, modify the boilerplates in test/Richard Levitte2018-12-061-1/+1
| | | | | Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7767)
* Use the new non-curve type specific EC functions internallyMatt Caswell2018-07-311-72/+59
| | | | | | | Fixes #6646 Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6815)
* [test] test some important ladder corner casesBilly Brumley2018-07-161-1/+12
| | | | | | | | and catch corner cases better and earlier Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6690)
* enable-ec_nistp_64_gcc_128: Fix function prototype warning [-Wstrict-prototypes]Nicola Tuveri2018-06-221-1/+1
| | | | | | | | | Fix prototype warnings triggered by -Wstrict-prototypes when configuring with `enable-ec_nistp_64_gcc_128` Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/6556)
* Fix explicit EC curve encoding.David Benjamin2018-05-231-5/+76
| | | | | | | | | | | Per SEC 1, the curve coefficients must be padded up to size. See C.2's definition of Curve, C.1's definition of FieldElement, and 2.3.5's definition of how to encode the field elements in http://www.secg.org/sec1-v2.pdf. This comes up for P-521, where b needs a leading zero. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6314)
* Fix a bug in ecp_nistp224.c.David Benjamin2018-04-031-0/+9
| | | | | | | | | | | | | | | | | | | | | | | | | felem_neg does not produce an output within the tight bounds suitable for felem_contract. This affects build configurations which set enable-ec_nistp_64_gcc_128. point_double and point_add, in the non-z*_is_zero cases, tolerate and fix up the wider bounds, so this only affects point_add calls where the other point is infinity. Thus it only affects the final addition in arbitrary-point multiplication, giving the wrong y-coordinate. This is a no-op for ECDH and ECDSA, which only use the x-coordinate of arbitrary-point operations. Note: ecp_nistp521.c has the same issue in that the documented preconditions are violated by the test case. I have not addressed this in this PR. ecp_nistp521.c does not immediately produce the wrong answer; felem_contract there appears to be a bit more tolerant than its documented preconditions. However, I haven't checked the point_add property above holds. ecp_nistp521.c should either get this same fix, to be conservative, or have the bounds analysis and comments reworked for the wider bounds. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5779)
* Update copyright yearMatt Caswell2018-03-201-1/+1
| | | | | Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5689)
* Update tests for TLS Ed448Matt Caswell2018-03-051-6/+0
| | | | | | Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/5470)
* Consistent formatting for sizeof(foo)Rich Salz2017-12-071-6/+6
| | | | | Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4872)
* MSC_VER <= 1200 isn't supported; remove dead codeRich Salz2017-08-271-5/+0
| | | | | | | VisualStudio 6 and earlier aren't supported. Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4263)
View Lorry Controller Status