Test ECDSA signing is non-deterministic.

This is a very very basic sanity check on k generation, but it helps make sure we haven't *completely* disconnected the RNG. Change-Id: If7ae5dd6be3d0866962cd966b8c1ed1cdedffb50 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/45865 Reviewed-by: Adam Langley <agl@google.com>
4 years ago · 8640b412d9
parent bc0a4f1f0f
commit 8640b412d9
1 changed files with 10 additions and 0 deletions
--- a/crypto/fipsmodule/ecdsa/ecdsa_test.cc
+++ b/crypto/fipsmodule/ecdsa/ecdsa_test.cc
@ -66,6 +66,7 @@

 #include "../ec/internal.h"
 #include "../../test/file_test.h"
+#include "../../test/test_util.h"


 static bssl::UniquePtr<BIGNUM> HexToBIGNUM(const char *hex) {
@ -228,6 +229,15 @@ TEST(ECDSATest, BuiltinCurves) {
        ECDSA_sign(0, digest, 20, signature.data(), &sig_len, eckey.get()));
    signature.resize(sig_len);

+    // ECDSA signing should be non-deterministic. This does not verify k is
+    // generated securely but at least checks it was randomized at all.
+    sig_len = ECDSA_size(eckey.get());
+    std::vector<uint8_t> signature2(sig_len);
+    ASSERT_TRUE(
+        ECDSA_sign(0, digest, 20, signature2.data(), &sig_len, eckey.get()));
+    signature2.resize(sig_len);
+    EXPECT_NE(Bytes(signature), Bytes(signature2));
+
    // Verify the signature.
    EXPECT_TRUE(ECDSA_verify(0, digest, 20, signature.data(), signature.size(),
                             eckey.get()));