Test ECDSA signing is non-deterministic. This is a very very basic sanity check on k generation, but it helps make sure we haven't *completely* disconnected the RNG. Change-Id: If7ae5dd6be3d0866962cd966b8c1ed1cdedffb50 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/45865 Reviewed-by: Adam Langley <agl@google.com>
diff --git a/crypto/fipsmodule/ecdsa/ecdsa_test.cc b/crypto/fipsmodule/ecdsa/ecdsa_test.cc
index 4c95df9..95e26cf 100644
--- a/crypto/fipsmodule/ecdsa/ecdsa_test.cc
+++ b/crypto/fipsmodule/ecdsa/ecdsa_test.cc
@@ -66,6 +66,7 @@ #include "../ec/internal.h" #include "../../test/file_test.h" +#include "../../test/test_util.h" static bssl::UniquePtr<BIGNUM> HexToBIGNUM(const char *hex) { @@ -228,6 +229,15 @@ ECDSA_sign(0, digest, 20, signature.data(), &sig_len, eckey.get())); signature.resize(sig_len); + // ECDSA signing should be non-deterministic. This does not verify k is + // generated securely but at least checks it was randomized at all. + sig_len = ECDSA_size(eckey.get()); + std::vector<uint8_t> signature2(sig_len); + ASSERT_TRUE( + ECDSA_sign(0, digest, 20, signature2.data(), &sig_len, eckey.get())); + signature2.resize(sig_len); + EXPECT_NE(Bytes(signature), Bytes(signature2)); + // Verify the signature. EXPECT_TRUE(ECDSA_verify(0, digest, 20, signature.data(), signature.size(), eckey.get()));
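Review bot: In the second hunk `signature2` is only compared against `signature` and, in the visible lines, never verified, so a second `ECDSA_sign` call that reports success but emits a malformed or invalid signature would still satisfy `EXPECT_NE`. Adding `EXPECT_TRUE(ECDSA_verify(0, digest, 20, signature2.data(), signature2.size(), eckey.get()));` right after the comparison would make the inequality a statement about two valid signatures over the same digest and key. The enclosing test body starts and ends outside the hunk, so `signature2` may be checked further down; if it is not, this is the cheapest place to do it. As the added comment already says, the check only catches a constant or fully deterministic k, so it should not be read as coverage for nonce bias.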