Add test for restartable signature
Test relies on deterministic signature as this uses plain sig internally, so
if deterministic works, then so does non-deterministic, while the reciprocal
is false. (Also, deterministic is enabled by default in config.h.)
Test case is taken from a RFC 6979 test vector, just manually converting (r,s)
to the encoded signature.
diff --git a/tests/suites/test_suite_ecdsa.data b/tests/suites/test_suite_ecdsa.data
index f2cf214..c236c28 100644
--- a/tests/suites/test_suite_ecdsa.data
+++ b/tests/suites/test_suite_ecdsa.data
@@ -265,3 +265,7 @@
ECDSA restartable read-verify: max_ops=250
depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
ecdsa_read_restart:MBEDTLS_ECP_DP_SECP256R1:"04e8f573412a810c5f81ecd2d251bb94387e72f28af70dced90ebe75725c97a6428231069c2b1ef78509a22c59044319f6ed3cb750dfe64c2a282b35967a458ad6":"dee9d4d8b0e40a034602d6e638197998060f6e9f353ae1d10c94cd56476d3c92":"304502210098a5a1392abe29e4b0a4da3fefe9af0f8c32e5b839ab52ba6a05da9c3b7edd0f0220596f0e195ae1e58c1e53e9e7f0f030b274348a8c11232101778d89c4943f5ad2":250:4:64
+
+ECDSA restartable sign-write: secp256r1 restart disabled
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C
+ecdsa_write_restart:MBEDTLS_ECP_DP_SECP256R1:"C9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721":MBEDTLS_MD_SHA256:"test":"3045022100f1abb023518351cd71d881567b1ea663ed3efcf6c5132b354f28d3b0b7d383670220019f4113742a2b14bd25926b49c649155f267e60d3814b4c0cc84250e46f0083":0:0:0
diff --git a/tests/suites/test_suite_ecdsa.function b/tests/suites/test_suite_ecdsa.function
index d5cb654..9205627 100644
--- a/tests/suites/test_suite_ecdsa.function
+++ b/tests/suites/test_suite_ecdsa.function
@@ -264,3 +264,60 @@
mbedtls_ecdsa_restart_free( &rs_ctx );
}
/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE:MBEDTLS_ECDSA_DETERMINISTIC */
+void ecdsa_write_restart( int id, char *d_str, int md_alg,
+ char *msg, char *sig_str,
+ int max_ops, int min_restart, int max_restart )
+{
+ int ret, cnt_restart;
+ mbedtls_ecdsa_restart_ctx rs_ctx;
+ mbedtls_ecdsa_context ctx;
+ unsigned char hash[MBEDTLS_MD_MAX_SIZE];
+ unsigned char sig[MBEDTLS_ECDSA_MAX_LEN];
+ unsigned char sig_check[MBEDTLS_ECDSA_MAX_LEN];
+ size_t hlen, slen, slen_check;
+ const mbedtls_md_info_t *md_info;
+
+ mbedtls_ecdsa_restart_init( &rs_ctx );
+ mbedtls_ecdsa_init( &ctx );
+ memset( hash, 0, sizeof( hash ) );
+ memset( sig, 0, sizeof( sig ) );
+ memset( sig_check, 0, sizeof( sig_check ) );
+
+ TEST_ASSERT( mbedtls_ecp_group_load( &ctx.grp, id ) == 0 );
+ TEST_ASSERT( mbedtls_mpi_read_string( &ctx.d, 16, d_str ) == 0 );
+ slen_check = unhexify( sig_check, sig_str );
+
+ md_info = mbedtls_md_info_from_type( md_alg );
+ TEST_ASSERT( md_info != NULL );
+
+ hlen = mbedtls_md_get_size( md_info );
+ mbedtls_md( md_info, (const unsigned char *) msg, strlen( msg ), hash );
+
+ mbedtls_ecp_set_max_ops( max_ops );
+
+ slen = sizeof( sig );
+ cnt_restart = 0;
+ do {
+ ret = mbedtls_ecdsa_write_signature_restartable( &ctx,
+ md_alg, hash, hlen, sig, &slen, NULL, NULL, &rs_ctx );
+ } while( ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restart );
+
+ TEST_ASSERT( ret == 0 );
+ TEST_ASSERT( slen == slen_check );
+ TEST_ASSERT( memcmp( sig, sig_check, slen ) == 0 );
+
+ TEST_ASSERT( cnt_restart >= min_restart );
+ TEST_ASSERT( cnt_restart <= max_restart );
+
+ /* do we leak memory when aborting? */
+ ret = mbedtls_ecdsa_write_signature_restartable( &ctx,
+ md_alg, hash, hlen, sig, &slen, NULL, NULL, &rs_ctx );
+ TEST_ASSERT( ret == 0 || ret == MBEDTLS_ERR_ECP_IN_PROGRESS );
+
+exit:
+ mbedtls_ecdsa_restart_free( &rs_ctx );
+ mbedtls_ecdsa_free( &ctx );
+}
+/* END_CASE */