X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=test%2Fecdsatest.c;h=a62efad1cfdfcf12aebb6194f5b2b8dffca5333c;hb=5235ef44b93306a14d0b6c695b13c64b16e1fdec;hp=95b642b1955dbbaf22a27548de7a8d210fb72b21;hpb=b770a80f6d0b08659cd03f26388b45512adb84f3;p=thirdparty%2Fopenssl.git diff --git a/test/ecdsatest.c b/test/ecdsatest.c index 95b642b195..a62efad1cf 100644 --- a/test/ecdsatest.c +++ b/test/ecdsatest.c @@ -2,37 +2,33 @@ * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * - * Licensed under the OpenSSL license (the "License"). You may not use + * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at * https://www.openssl.org/source/license.html */ -#include -#include -#include - #include /* To see if OPENSSL_NO_EC is defined */ #include "testutil.h" #ifndef OPENSSL_NO_EC -# include -# include # include # include # include -# ifndef OPENSSL_NO_ENGINE -# include -# endif -# include # include +# include "internal/nelem.h" +# include "ecdsatest.h" /* functions to change the RAND_METHOD */ static int fbytes(unsigned char *buf, int num); static RAND_METHOD fake_rand; static const RAND_METHOD *old_rand; +static int use_fake = 0; +static const char *numbers[2]; +static size_t crv_len = 0; +static EC_builtin_curve *curves = NULL; static int change_rand(void) { @@ -56,25 +52,10 @@ static int restore_rand(void) return 1; } -static int fbytes_counter = 0, use_fake = 0; -static const char *numbers[8] = { - "651056770906015076056810763456358567190100156695615665659", - "6140507067065001063065065565667405560006161556565665656654", - "8763001015071075675010661307616710783570106710677817767166" - "71676178726717", - "7000000175690566466555057817571571075705015757757057795755" - "55657156756655", - "1275552191113212300012030439187146164646146646466749494799", - "1542725565216523985789236956265265265235675811949404040041", - "1456427555219115346513212300075341203043918714616464614664" - "64667494947990", - "1712787255652165239672857892369562652652652356758119494040" - "40041670216363" -}; - static int fbytes(unsigned char *buf, int num) { int ret = 0; + static int fbytes_counter = 0; BIGNUM *tmp = NULL; if (use_fake == 0) @@ -82,316 +63,261 @@ static int fbytes(unsigned char *buf, int num) use_fake = 0; - if (fbytes_counter >= 8) - return 0; - if (!TEST_ptr(tmp = BN_new())) - return 0; - if (!TEST_true(BN_dec2bn(&tmp, numbers[fbytes_counter]))) { - BN_free(tmp); - return 0; - } - fbytes_counter++; - if (TEST_int_eq(BN_num_bytes(tmp), num) - && TEST_true(BN_bn2bin(tmp, buf))) - ret = 1; + if (!TEST_ptr(tmp = BN_new()) + || !TEST_int_lt(fbytes_counter, OSSL_NELEM(numbers)) + || !TEST_true(BN_hex2bn(&tmp, numbers[fbytes_counter])) + /* tmp might need leading zeros so pad it out */ + || !TEST_int_le(BN_num_bytes(tmp), num) + || !TEST_true(BN_bn2binpad(tmp, buf, num))) + goto err; + + fbytes_counter = (fbytes_counter + 1) % OSSL_NELEM(numbers); + ret = 1; + err: BN_free(tmp); return ret; } -/* some tests from the X9.62 draft */ -static int x9_62_test_internal(int nid, const char *r_in, const char *s_in) +/*- + * This function hijacks the RNG to feed it the chosen ECDSA key and nonce. + * The ECDSA KATs are from: + * - the X9.62 draft (4) + * - NIST CAVP (720) + * + * It uses the low-level ECDSA_sign_setup instead of EVP to control the RNG. + * NB: This is not how applications should use ECDSA; this is only for testing. + * + * Tests the library can successfully: + * - generate public keys that matches those KATs + * - create ECDSA signatures that match those KATs + * - accept those signatures as valid + */ +static int x9_62_tests(int n) { - int ret = 0; - const char message[] = "abc"; - unsigned char digest[SHA_DIGEST_LENGTH]; + int nid, md_nid, ret = 0; + const char *r_in = NULL, *s_in = NULL, *tbs = NULL; + unsigned char *pbuf = NULL, *qbuf = NULL, *message = NULL; + unsigned char digest[EVP_MAX_MD_SIZE]; unsigned int dgst_len = 0; - EVP_MD_CTX *md_ctx; + long q_len, msg_len = 0; + size_t p_len; + EVP_MD_CTX *mctx = NULL; EC_KEY *key = NULL; ECDSA_SIG *signature = NULL; BIGNUM *r = NULL, *s = NULL; BIGNUM *kinv = NULL, *rp = NULL; - const BIGNUM *sig_r, *sig_s; - - if (!TEST_ptr(md_ctx = EVP_MD_CTX_new())) - goto x962_int_err; - - /* get the message digest */ - if (!TEST_true(EVP_DigestInit(md_ctx, EVP_sha1())) - || !TEST_true(EVP_DigestUpdate(md_ctx, (const void *)message, 3)) - || !TEST_true(EVP_DigestFinal(md_ctx, digest, &dgst_len))) - goto x962_int_err; - - TEST_info("testing %s", OBJ_nid2sn(nid)); - - /* create the key */ - if (!TEST_ptr(key = EC_KEY_new_by_curve_name(nid))) - goto x962_int_err; + const BIGNUM *sig_r = NULL, *sig_s = NULL; + + nid = ecdsa_cavs_kats[n].nid; + md_nid = ecdsa_cavs_kats[n].md_nid; + r_in = ecdsa_cavs_kats[n].r; + s_in = ecdsa_cavs_kats[n].s; + tbs = ecdsa_cavs_kats[n].msg; + numbers[0] = ecdsa_cavs_kats[n].d; + numbers[1] = ecdsa_cavs_kats[n].k; + + TEST_info("ECDSA KATs for curve %s", OBJ_nid2sn(nid)); + +#ifdef FIPS_MODE + if (EC_curve_nid2nist(nid) == NULL) + return TEST_skip("skip non approved curves"); +#endif /* FIPS_MODE */ + + if (!TEST_ptr(mctx = EVP_MD_CTX_new()) + /* get the message digest */ + || !TEST_ptr(message = OPENSSL_hexstr2buf(tbs, &msg_len)) + || !TEST_true(EVP_DigestInit_ex(mctx, EVP_get_digestbynid(md_nid), NULL)) + || !TEST_true(EVP_DigestUpdate(mctx, message, msg_len)) + || !TEST_true(EVP_DigestFinal_ex(mctx, digest, &dgst_len)) + /* create the key */ + || !TEST_ptr(key = EC_KEY_new_by_curve_name(nid)) + /* load KAT variables */ + || !TEST_ptr(r = BN_new()) + || !TEST_ptr(s = BN_new()) + || !TEST_true(BN_hex2bn(&r, r_in)) + || !TEST_true(BN_hex2bn(&s, s_in)) + /* swap the RNG source */ + || !TEST_true(change_rand())) + goto err; + + /* public key must match KAT */ use_fake = 1; - if (!TEST_true(EC_KEY_generate_key(key))) - goto x962_int_err; - - /* create the signature */ + if (!TEST_true(EC_KEY_generate_key(key)) + || !TEST_true(p_len = EC_KEY_key2buf(key, POINT_CONVERSION_UNCOMPRESSED, + &pbuf, NULL)) + || !TEST_ptr(qbuf = OPENSSL_hexstr2buf(ecdsa_cavs_kats[n].Q, &q_len)) + || !TEST_int_eq(q_len, p_len) + || !TEST_mem_eq(qbuf, q_len, pbuf, p_len)) + goto err; + + /* create the signature via ECDSA_sign_setup to avoid use of ECDSA nonces */ use_fake = 1; - /* Use ECDSA_sign_setup to avoid use of ECDSA nonces */ - if (!TEST_true(ECDSA_sign_setup(key, NULL, &kinv, &rp))) - goto x962_int_err; - if (!TEST_ptr(signature = - ECDSA_do_sign_ex(digest, SHA_DIGEST_LENGTH, kinv, rp, key))) - goto x962_int_err; + if (!TEST_true(ECDSA_sign_setup(key, NULL, &kinv, &rp)) + || !TEST_ptr(signature = ECDSA_do_sign_ex(digest, dgst_len, + kinv, rp, key)) + /* verify the signature */ + || !TEST_int_eq(ECDSA_do_verify(digest, dgst_len, signature, key), 1)) + goto err; /* compare the created signature with the expected signature */ - if (!TEST_ptr(r = BN_new()) || !TEST_ptr(s = BN_new())) - goto x962_int_err; - if (!TEST_true(BN_dec2bn(&r, r_in)) || !TEST_true(BN_dec2bn(&s, s_in))) - goto x962_int_err; ECDSA_SIG_get0(signature, &sig_r, &sig_s); if (!TEST_BN_eq(sig_r, r) - || !TEST_BN_eq(sig_s, s)) - goto x962_int_err; - - /* verify the signature */ - if (!TEST_int_eq(ECDSA_do_verify(digest, SHA_DIGEST_LENGTH, - signature, key), 1)) - goto x962_int_err; + || !TEST_BN_eq(sig_s, s)) + goto err; ret = 1; - x962_int_err: + err: + /* restore the RNG source */ + if (!TEST_true(restore_rand())) + ret = 0; + + OPENSSL_free(message); + OPENSSL_free(pbuf); + OPENSSL_free(qbuf); EC_KEY_free(key); ECDSA_SIG_free(signature); BN_free(r); BN_free(s); - EVP_MD_CTX_free(md_ctx); + EVP_MD_CTX_free(mctx); BN_clear_free(kinv); BN_clear_free(rp); return ret; } -static int x9_62_tests(void) -{ - int ret = 0; - - /* set own rand method */ - if (!change_rand()) - goto x962_err; - - if (!TEST_true(x9_62_test_internal(NID_X9_62_prime192v1, - "3342403536405981729393488334694600415596881826869351677613", - "5735822328888155254683894997897571951568553642892029982342"))) - goto x962_err; - if (!TEST_true(x9_62_test_internal(NID_X9_62_prime239v1, - "3086361431751678114926225473006680188549593787585317781474" - "62058306432176", - "3238135532097973577080787768312505059318910517550078427819" - "78505179448783"))) - goto x962_err; - -# ifndef OPENSSL_NO_EC2M - if (!TEST_true(x9_62_test_internal(NID_X9_62_c2tnb191v1, - "87194383164871543355722284926904419997237591535066528048", - "308992691965804947361541664549085895292153777025772063598"))) - goto x962_err; - if (!TEST_true(x9_62_test_internal(NID_X9_62_c2tnb239v1, - "2159633321041961198501834003903461262881815148684178964245" - "5876922391552", - "1970303740007316867383349976549972270528498040721988191026" - "49413465737174"))) - goto x962_err; -# endif - ret = 1; - - x962_err: - if (!TEST_true(restore_rand())) - ret = 0; - return ret; -} - -static int test_builtin(void) +/*- + * Positive and negative ECDSA testing through EVP interface: + * - EVP_DigestSign (this is the one-shot version) + * - EVP_DigestVerify + * + * Tests the library can successfully: + * - create a key + * - create a signature + * - accept that signature + * - reject that signature with a different public key + * - reject that signature if its length is not correct + * - reject that signature after modifying the message + * - accept that signature after un-modifying the message + * - reject that signature after modifying the signature + * - accept that signature after un-modifying the signature + */ +static int test_builtin(int n) { - EC_builtin_curve *curves = NULL; - size_t crv_len = 0, n = 0; - EC_KEY *eckey = NULL, *wrong_eckey = NULL; - EC_GROUP *group; - ECDSA_SIG *ecdsa_sig = NULL, *modified_sig = NULL; - unsigned char digest[SHA512_DIGEST_LENGTH], - wrong_digest[SHA512_DIGEST_LENGTH]; - unsigned char *signature = NULL; - const unsigned char *sig_ptr; - unsigned char *sig_ptr2; - unsigned char *raw_buf = NULL; - const BIGNUM *sig_r, *sig_s; - BIGNUM *modified_r = NULL, *modified_s = NULL; - BIGNUM *unmodified_r = NULL, *unmodified_s = NULL; - unsigned int sig_len, degree, r_len, s_len, bn_len, buf_len; + EC_KEY *eckey_neg = NULL, *eckey = NULL; + unsigned char dirt, offset, tbs[128]; + unsigned char *sig = NULL; + EVP_PKEY *pkey_neg = NULL, *pkey = NULL; + EVP_MD_CTX *mctx = NULL; + size_t sig_len; int nid, ret = 0; + int temp; - /* fill digest values with some random data */ - if (!TEST_true(RAND_bytes(digest, SHA512_DIGEST_LENGTH)) - || !TEST_true(RAND_bytes(wrong_digest, SHA512_DIGEST_LENGTH))) - goto builtin_err; + nid = curves[n].nid; - /* create and verify a ecdsa signature with every available curve */ - /* get a list of all internal curves */ - crv_len = EC_get_builtin_curves(NULL, 0); - if (!TEST_ptr(curves = OPENSSL_malloc(sizeof(*curves) * crv_len)) - || !TEST_true(EC_get_builtin_curves(curves, crv_len))) - goto builtin_err; - - /* now create and verify a signature for every curve */ - for (n = 0; n < crv_len; n++) { - unsigned char dirt, offset; - - nid = curves[n].nid; - if (nid == NID_ipsec4 || nid == NID_ipsec3) - continue; - /* create new ecdsa key (== EC_KEY) */ - if (!TEST_ptr(eckey = EC_KEY_new()) - || !TEST_ptr(group = EC_GROUP_new_by_curve_name(nid)) - || !TEST_true(EC_KEY_set_group(eckey, group))) - goto builtin_err; - EC_GROUP_free(group); - degree = EC_GROUP_get_degree(EC_KEY_get0_group(eckey)); - - TEST_info("testing %s", OBJ_nid2sn(nid)); - - /* create key */ - if (!TEST_true(EC_KEY_generate_key(eckey))) - goto builtin_err; - /* create second key */ - if (!TEST_ptr(wrong_eckey = EC_KEY_new()) - || !TEST_ptr(group = EC_GROUP_new_by_curve_name(nid)) - || !TEST_true(EC_KEY_set_group(wrong_eckey, group))) - goto builtin_err; - EC_GROUP_free(group); - if (!TEST_true(EC_KEY_generate_key(wrong_eckey))) - goto builtin_err; - - /* check key */ - if (!TEST_true(EC_KEY_check_key(eckey))) - goto builtin_err; - - /* create signature */ - sig_len = ECDSA_size(eckey); - if (!TEST_ptr(signature = OPENSSL_malloc(sig_len)) - || !TEST_true(ECDSA_sign(0, digest, SHA512_DIGEST_LENGTH, - signature, &sig_len, eckey))) - goto builtin_err; - - /* verify signature */ - if (!TEST_int_eq(ECDSA_verify(0, digest, SHA512_DIGEST_LENGTH, - signature, sig_len, eckey), - 1)) - goto builtin_err; - - /* verify signature with the wrong key */ - if (!TEST_int_ne(ECDSA_verify(0, digest, SHA512_DIGEST_LENGTH, - signature, sig_len, wrong_eckey), - 1)) - goto builtin_err; - - /* wrong digest */ - if (!TEST_int_ne(ECDSA_verify(0, wrong_digest, SHA512_DIGEST_LENGTH, - signature, sig_len, eckey), - 1)) - goto builtin_err; - - /* wrong length */ - if (!TEST_int_ne(ECDSA_verify(0, digest, SHA512_DIGEST_LENGTH, - signature, sig_len - 1, eckey), - 1)) - goto builtin_err; - - /* - * Modify a single byte of the signature: to ensure we don't garble - * the ASN1 structure, we read the raw signature and modify a byte in - * one of the bignums directly. - */ - sig_ptr = signature; - if (!TEST_ptr(ecdsa_sig = d2i_ECDSA_SIG(NULL, &sig_ptr, sig_len))) - goto builtin_err; - - ECDSA_SIG_get0(ecdsa_sig, &sig_r, &sig_s); - - /* Store the two BIGNUMs in raw_buf. */ - r_len = BN_num_bytes(sig_r); - s_len = BN_num_bytes(sig_s); - bn_len = (degree + 7) / 8; - if (!TEST_false(r_len > bn_len) - || !TEST_false(s_len > bn_len)) - goto builtin_err; - buf_len = 2 * bn_len; - if (!TEST_ptr(raw_buf = OPENSSL_zalloc(buf_len))) - goto builtin_err; - BN_bn2bin(sig_r, raw_buf + bn_len - r_len); - BN_bn2bin(sig_s, raw_buf + buf_len - s_len); - - /* Modify a single byte in the buffer. */ - offset = raw_buf[10] % buf_len; - dirt = raw_buf[11] ? raw_buf[11] : 1; - raw_buf[offset] ^= dirt; - - /* Now read the BIGNUMs back in from raw_buf. */ - if (!TEST_ptr(modified_sig = ECDSA_SIG_new())) - goto builtin_err; - if (!TEST_ptr(modified_r = BN_bin2bn(raw_buf, bn_len, NULL)) - || !TEST_ptr(modified_s = BN_bin2bn(raw_buf + bn_len, - bn_len, NULL)) - || !TEST_true(ECDSA_SIG_set0(modified_sig, - modified_r, modified_s))) { - BN_free(modified_r); - BN_free(modified_s); - goto builtin_err; - } - sig_ptr2 = signature; - sig_len = i2d_ECDSA_SIG(modified_sig, &sig_ptr2); - if (!TEST_false(ECDSA_verify(0, digest, SHA512_DIGEST_LENGTH, - signature, sig_len, eckey))) - goto builtin_err; - - /* Sanity check: undo the modification and verify signature. */ - raw_buf[offset] ^= dirt; - if (!TEST_ptr(unmodified_r = BN_bin2bn(raw_buf, bn_len, NULL)) - || !TEST_ptr(unmodified_s = BN_bin2bn(raw_buf + bn_len, - bn_len, NULL)) - || !TEST_true(ECDSA_SIG_set0(modified_sig, unmodified_r, - unmodified_s))) { - BN_free(unmodified_r); - BN_free(unmodified_s); - goto builtin_err; - } - - sig_ptr2 = signature; - sig_len = i2d_ECDSA_SIG(modified_sig, &sig_ptr2); - if (!TEST_true(ECDSA_verify(0, digest, SHA512_DIGEST_LENGTH, - signature, sig_len, eckey))) - goto builtin_err; - - /* cleanup */ - ERR_clear_error(); - OPENSSL_free(signature); - signature = NULL; - EC_KEY_free(eckey); - eckey = NULL; - EC_KEY_free(wrong_eckey); - wrong_eckey = NULL; - ECDSA_SIG_free(ecdsa_sig); - ecdsa_sig = NULL; - ECDSA_SIG_free(modified_sig); - modified_sig = NULL; - OPENSSL_free(raw_buf); - raw_buf = NULL; + /* skip built-in curves where ord(G) is not prime */ + if (nid == NID_ipsec4 || nid == NID_ipsec3) { + TEST_info("skipped: ECDSA unsupported for curve %s", OBJ_nid2sn(nid)); + return 1; } - ret = 1; - builtin_err: - EC_KEY_free(eckey); - EC_KEY_free(wrong_eckey); - ECDSA_SIG_free(ecdsa_sig); - ECDSA_SIG_free(modified_sig); - OPENSSL_free(signature); - OPENSSL_free(raw_buf); - OPENSSL_free(curves); + TEST_info("testing ECDSA for curve %s", OBJ_nid2sn(nid)); + + if (!TEST_ptr(mctx = EVP_MD_CTX_new()) + /* get some random message data */ + || !TEST_true(RAND_bytes(tbs, sizeof(tbs))) + /* real key */ + || !TEST_ptr(eckey = EC_KEY_new_by_curve_name(nid)) + || !TEST_true(EC_KEY_generate_key(eckey)) + || !TEST_ptr(pkey = EVP_PKEY_new()) + || !TEST_true(EVP_PKEY_assign_EC_KEY(pkey, eckey)) + /* fake key for negative testing */ + || !TEST_ptr(eckey_neg = EC_KEY_new_by_curve_name(nid)) + || !TEST_true(EC_KEY_generate_key(eckey_neg)) + || !TEST_ptr(pkey_neg = EVP_PKEY_new()) + || !TEST_true(EVP_PKEY_assign_EC_KEY(pkey_neg, eckey_neg))) + goto err; + + temp = ECDSA_size(eckey); + + if (!TEST_int_ge(temp, 0) + || !TEST_ptr(sig = OPENSSL_malloc(sig_len = (size_t)temp)) + /* create a signature */ + || !TEST_true(EVP_DigestSignInit(mctx, NULL, NULL, NULL, pkey)) + || !TEST_true(EVP_DigestSign(mctx, sig, &sig_len, tbs, sizeof(tbs))) + || !TEST_int_le(sig_len, ECDSA_size(eckey)) + /* negative test, verify with wrong key, 0 return */ + || !TEST_true(EVP_MD_CTX_reset(mctx)) + || !TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey_neg)) + || !TEST_int_eq(EVP_DigestVerify(mctx, sig, sig_len, tbs, sizeof(tbs)), 0) + /* negative test, verify with wrong signature length, -1 return */ + || !TEST_true(EVP_MD_CTX_reset(mctx)) + || !TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey)) + || !TEST_int_eq(EVP_DigestVerify(mctx, sig, sig_len - 1, tbs, sizeof(tbs)), -1) + /* positive test, verify with correct key, 1 return */ + || !TEST_true(EVP_MD_CTX_reset(mctx)) + || !TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey)) + || !TEST_int_eq(EVP_DigestVerify(mctx, sig, sig_len, tbs, sizeof(tbs)), 1)) + goto err; + + /* muck with the message, test it fails with 0 return */ + tbs[0] ^= 1; + if (!TEST_true(EVP_MD_CTX_reset(mctx)) + || !TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey)) + || !TEST_int_eq(EVP_DigestVerify(mctx, sig, sig_len, tbs, sizeof(tbs)), 0)) + goto err; + /* un-muck and test it verifies */ + tbs[0] ^= 1; + if (!TEST_true(EVP_MD_CTX_reset(mctx)) + || !TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey)) + || !TEST_int_eq(EVP_DigestVerify(mctx, sig, sig_len, tbs, sizeof(tbs)), 1)) + goto err; + + /*- + * Muck with the ECDSA signature. The DER encoding is one of: + * - 30 LL 02 .. + * - 30 81 LL 02 .. + * + * - Sometimes this mucks with the high level DER sequence wrapper: + * in that case, DER-parsing of the whole signature should fail. + * + * - Sometimes this mucks with the DER-encoding of ECDSA.r: + * in that case, DER-parsing of ECDSA.r should fail. + * + * - Sometimes this mucks with the DER-encoding of ECDSA.s: + * in that case, DER-parsing of ECDSA.s should fail. + * + * - Sometimes this mucks with ECDSA.r: + * in that case, the signature verification should fail. + * + * - Sometimes this mucks with ECDSA.s: + * in that case, the signature verification should fail. + * + * The usual case is changing the integer value of ECDSA.r or ECDSA.s. + * Because the ratio of DER overhead to signature bytes is small. + * So most of the time it will be one of the last two cases. + * + * In any case, EVP_PKEY_verify should not return 1 for valid. + */ + offset = tbs[0] % sig_len; + dirt = tbs[1] ? tbs[1] : 1; + sig[offset] ^= dirt; + if (!TEST_true(EVP_MD_CTX_reset(mctx)) + || !TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey)) + || !TEST_int_ne(EVP_DigestVerify(mctx, sig, sig_len, tbs, sizeof(tbs)), 1)) + goto err; + /* un-muck and test it verifies */ + sig[offset] ^= dirt; + if (!TEST_true(EVP_MD_CTX_reset(mctx)) + || !TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey)) + || !TEST_int_eq(EVP_DigestVerify(mctx, sig, sig_len, tbs, sizeof(tbs)), 1)) + goto err; + ret = 1; + err: + EVP_PKEY_free(pkey); + EVP_PKEY_free(pkey_neg); + EVP_MD_CTX_free(mctx); + OPENSSL_free(sig); return ret; } #endif @@ -401,8 +327,20 @@ int setup_tests(void) #ifdef OPENSSL_NO_EC TEST_note("Elliptic curves are disabled."); #else - ADD_TEST(x9_62_tests); - ADD_TEST(test_builtin); + /* get a list of all internal curves */ + crv_len = EC_get_builtin_curves(NULL, 0); + if (!TEST_ptr(curves = OPENSSL_malloc(sizeof(*curves) * crv_len)) + || !TEST_true(EC_get_builtin_curves(curves, crv_len))) + return 0; + ADD_ALL_TESTS(test_builtin, crv_len); + ADD_ALL_TESTS(x9_62_tests, OSSL_NELEM(ecdsa_cavs_kats)); #endif return 1; } + +void cleanup_tests(void) +{ +#ifndef OPENSSL_NO_EC + OPENSSL_free(curves); +#endif +}