Test ECDSA signing is non-deterministic.
This is a very very basic sanity check on k generation, but it helps
make sure we haven't *completely* disconnected the RNG.
Change-Id: If7ae5dd6be3d0866962cd966b8c1ed1cdedffb50
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/45865
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/crypto/fipsmodule/ecdsa/ecdsa_test.cc b/crypto/fipsmodule/ecdsa/ecdsa_test.cc
index 4c95df9..95e26cf 100644
--- a/crypto/fipsmodule/ecdsa/ecdsa_test.cc
+++ b/crypto/fipsmodule/ecdsa/ecdsa_test.cc
@@ -66,6 +66,7 @@
#include "../ec/internal.h"
#include "../../test/file_test.h"
+#include "../../test/test_util.h"
static bssl::UniquePtr<BIGNUM> HexToBIGNUM(const char *hex) {
@@ -228,6 +229,15 @@
ECDSA_sign(0, digest, 20, signature.data(), &sig_len, eckey.get()));
signature.resize(sig_len);
+ // ECDSA signing should be non-deterministic. This does not verify k is
+ // generated securely but at least checks it was randomized at all.
+ sig_len = ECDSA_size(eckey.get());
+ std::vector<uint8_t> signature2(sig_len);
+ ASSERT_TRUE(
+ ECDSA_sign(0, digest, 20, signature2.data(), &sig_len, eckey.get()));
+ signature2.resize(sig_len);
+ EXPECT_NE(Bytes(signature), Bytes(signature2));
+
// Verify the signature.
EXPECT_TRUE(ECDSA_verify(0, digest, 20, signature.data(), signature.size(),
eckey.get()));