1 /*
2 * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 /*
11
12 * These tests are setup to load null into the default library context.
13 * Any tests are expected to use the created 'libctx' to find algorithms.
14 * The framework runs the tests twice using the 'default' provider or
15 * 'fips' provider as inputs.
16 */
17
18 /*
19 * DSA/DH low level APIs are deprecated for public use, but still ok for
20 * internal use.
21 */
22 #include "internal/deprecated.h"
23 #include <assert.h>
24 #include <openssl/evp.h>
25 #include <openssl/provider.h>
26 #include <openssl/dsa.h>
27 #include <openssl/dh.h>
28 #include <openssl/safestack.h>
29 #include <openssl/core_dispatch.h>
30 #include <openssl/core_names.h>
31 #include <openssl/x509.h>
32 #include <openssl/encoder.h>
33 #include "testutil.h"
34 #include "internal/nelem.h"
35 #include "crypto/bn_dh.h" /* _bignum_ffdhe2048_p */
36 #include "../e_os.h" /* strcasecmp */
37
38 static OSSL_LIB_CTX *libctx = NULL;
39 static OSSL_PROVIDER *nullprov = NULL;
40 static OSSL_PROVIDER *libprov = NULL;
41 static STACK_OF(OPENSSL_STRING) *cipher_names = NULL;
42
43 typedef enum OPTION_choice {
44 OPT_ERR = -1,
45 OPT_EOF = 0,
46 OPT_CONFIG_FILE,
47 OPT_PROVIDER_NAME,
48 OPT_TEST_ENUM
49 } OPTION_CHOICE;
50
test_get_options(void)51 const OPTIONS *test_get_options(void)
52 {
53 static const OPTIONS test_options[] = {
54 OPT_TEST_OPTIONS_DEFAULT_USAGE,
55 { "config", OPT_CONFIG_FILE, '<',
56 "The configuration file to use for the libctx" },
57 { "provider", OPT_PROVIDER_NAME, 's',
58 "The provider to load (The default value is 'default')" },
59 { NULL }
60 };
61 return test_options;
62 }
63
64 #ifndef OPENSSL_NO_DH
getname(int id)65 static const char *getname(int id)
66 {
67 const char *name[] = {"p", "q", "g" };
68
69 if (id >= 0 && id < 3)
70 return name[id];
71 return "?";
72 }
73 #endif
74
75 /*
76 * We're using some DH specific values in this test, so we skip compilation if
77 * we're in a no-dh build.
78 */
79 #if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DH)
80
test_dsa_param_keygen(int tstid)81 static int test_dsa_param_keygen(int tstid)
82 {
83 int ret = 0;
84 int expected;
85 EVP_PKEY_CTX *gen_ctx = NULL;
86 EVP_PKEY *pkey_parm = NULL;
87 EVP_PKEY *pkey = NULL, *dup_pk = NULL;
88 DSA *dsa = NULL;
89 int pind, qind, gind;
90 BIGNUM *p = NULL, *q = NULL, *g = NULL;
91
92 /*
93 * Just grab some fixed dh p, q, g values for testing,
94 * these 'safe primes' should not be used normally for dsa *.
95 */
96 static const BIGNUM *bn[] = {
97 &ossl_bignum_dh2048_256_p, &ossl_bignum_dh2048_256_q,
98 &ossl_bignum_dh2048_256_g
99 };
100
101 /*
102 * These tests are using bad values for p, q, g by reusing the values.
103 * A value of 0 uses p, 1 uses q and 2 uses g.
104 * There are 27 different combinations, with only the 1 valid combination.
105 */
106 pind = tstid / 9;
107 qind = (tstid / 3) % 3;
108 gind = tstid % 3;
109 expected = (pind == 0 && qind == 1 && gind == 2);
110
111 TEST_note("Testing with (p, q, g) = (%s, %s, %s)\n", getname(pind),
112 getname(qind), getname(gind));
113
114 if (!TEST_ptr(pkey_parm = EVP_PKEY_new())
115 || !TEST_ptr(dsa = DSA_new())
116 || !TEST_ptr(p = BN_dup(bn[pind]))
117 || !TEST_ptr(q = BN_dup(bn[qind]))
118 || !TEST_ptr(g = BN_dup(bn[gind]))
119 || !TEST_true(DSA_set0_pqg(dsa, p, q, g)))
120 goto err;
121 p = q = g = NULL;
122
123 if (!TEST_true(EVP_PKEY_assign_DSA(pkey_parm, dsa)))
124 goto err;
125 dsa = NULL;
126
127 if (!TEST_ptr(gen_ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey_parm, NULL))
128 || !TEST_int_gt(EVP_PKEY_keygen_init(gen_ctx), 0)
129 || !TEST_int_eq(EVP_PKEY_keygen(gen_ctx, &pkey), expected))
130 goto err;
131
132 if (expected) {
133 if (!TEST_ptr(dup_pk = EVP_PKEY_dup(pkey))
134 || !TEST_int_eq(EVP_PKEY_eq(pkey, dup_pk), 1))
135 goto err;
136 }
137
138 ret = 1;
139 err:
140 EVP_PKEY_free(pkey);
141 EVP_PKEY_free(dup_pk);
142 EVP_PKEY_CTX_free(gen_ctx);
143 EVP_PKEY_free(pkey_parm);
144 DSA_free(dsa);
145 BN_free(g);
146 BN_free(q);
147 BN_free(p);
148 return ret;
149 }
150 #endif /* OPENSSL_NO_DSA */
151
152 #ifndef OPENSSL_NO_DH
do_dh_param_keygen(int tstid,const BIGNUM ** bn)153 static int do_dh_param_keygen(int tstid, const BIGNUM **bn)
154 {
155 int ret = 0;
156 int expected;
157 EVP_PKEY_CTX *gen_ctx = NULL;
158 EVP_PKEY *pkey_parm = NULL;
159 EVP_PKEY *pkey = NULL, *dup_pk = NULL;
160 DH *dh = NULL;
161 int pind, qind, gind;
162 BIGNUM *p = NULL, *q = NULL, *g = NULL;
163
164 /*
165 * These tests are using bad values for p, q, g by reusing the values.
166 * A value of 0 uses p, 1 uses q and 2 uses g.
167 * There are 27 different combinations, with only the 1 valid combination.
168 */
169 pind = tstid / 9;
170 qind = (tstid / 3) % 3;
171 gind = tstid % 3;
172 expected = (pind == 0 && qind == 1 && gind == 2);
173
174 TEST_note("Testing with (p, q, g) = (%s, %s, %s)", getname(pind),
175 getname(qind), getname(gind));
176
177 if (!TEST_ptr(pkey_parm = EVP_PKEY_new())
178 || !TEST_ptr(dh = DH_new())
179 || !TEST_ptr(p = BN_dup(bn[pind]))
180 || !TEST_ptr(q = BN_dup(bn[qind]))
181 || !TEST_ptr(g = BN_dup(bn[gind]))
182 || !TEST_true(DH_set0_pqg(dh, p, q, g)))
183 goto err;
184 p = q = g = NULL;
185
186 if (!TEST_true(EVP_PKEY_assign_DH(pkey_parm, dh)))
187 goto err;
188 dh = NULL;
189
190 if (!TEST_ptr(gen_ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey_parm, NULL))
191 || !TEST_int_gt(EVP_PKEY_keygen_init(gen_ctx), 0)
192 || !TEST_int_eq(EVP_PKEY_keygen(gen_ctx, &pkey), expected))
193 goto err;
194
195 if (expected) {
196 if (!TEST_ptr(dup_pk = EVP_PKEY_dup(pkey))
197 || !TEST_int_eq(EVP_PKEY_eq(pkey, dup_pk), 1))
198 goto err;
199 }
200
201 ret = 1;
202 err:
203 EVP_PKEY_free(pkey);
204 EVP_PKEY_free(dup_pk);
205 EVP_PKEY_CTX_free(gen_ctx);
206 EVP_PKEY_free(pkey_parm);
207 DH_free(dh);
208 BN_free(g);
209 BN_free(q);
210 BN_free(p);
211 return ret;
212 }
213
214 /*
215 * Note that we get the fips186-4 path being run for most of these cases since
216 * the internal code will detect that the p, q, g does not match a safe prime
217 * group (Except for when tstid = 5, which sets the correct p, q, g)
218 */
test_dh_safeprime_param_keygen(int tstid)219 static int test_dh_safeprime_param_keygen(int tstid)
220 {
221 static const BIGNUM *bn[] = {
222 &ossl_bignum_ffdhe2048_p, &ossl_bignum_ffdhe2048_q,
223 &ossl_bignum_const_2
224 };
225 return do_dh_param_keygen(tstid, bn);
226 }
227
dhx_cert_load(void)228 static int dhx_cert_load(void)
229 {
230 int ret = 0;
231 X509 *cert = NULL;
232 BIO *bio = NULL;
233
234 static const unsigned char dhx_cert[] = {
235 0x30,0x82,0x03,0xff,0x30,0x82,0x02,0xe7,0xa0,0x03,0x02,0x01,0x02,0x02,0x09,0x00,
236 0xdb,0xf5,0x4d,0x22,0xa0,0x7a,0x67,0xa6,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,
237 0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x30,0x44,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,
238 0x04,0x06,0x13,0x02,0x55,0x4b,0x31,0x16,0x30,0x14,0x06,0x03,0x55,0x04,0x0a,0x0c,
239 0x0d,0x4f,0x70,0x65,0x6e,0x53,0x53,0x4c,0x20,0x47,0x72,0x6f,0x75,0x70,0x31,0x1d,
240 0x30,0x1b,0x06,0x03,0x55,0x04,0x03,0x0c,0x14,0x54,0x65,0x73,0x74,0x20,0x53,0x2f,
241 0x4d,0x49,0x4d,0x45,0x20,0x52,0x53,0x41,0x20,0x52,0x6f,0x6f,0x74,0x30,0x1e,0x17,
242 0x0d,0x31,0x33,0x30,0x38,0x30,0x32,0x31,0x34,0x34,0x39,0x32,0x39,0x5a,0x17,0x0d,
243 0x32,0x33,0x30,0x36,0x31,0x31,0x31,0x34,0x34,0x39,0x32,0x39,0x5a,0x30,0x44,0x31,
244 0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x4b,0x31,0x16,0x30,0x14,
245 0x06,0x03,0x55,0x04,0x0a,0x0c,0x0d,0x4f,0x70,0x65,0x6e,0x53,0x53,0x4c,0x20,0x47,
246 0x72,0x6f,0x75,0x70,0x31,0x1d,0x30,0x1b,0x06,0x03,0x55,0x04,0x03,0x0c,0x14,0x54,
247 0x65,0x73,0x74,0x20,0x53,0x2f,0x4d,0x49,0x4d,0x45,0x20,0x45,0x45,0x20,0x44,0x48,
248 0x20,0x23,0x31,0x30,0x82,0x01,0xb6,0x30,0x82,0x01,0x2b,0x06,0x07,0x2a,0x86,0x48,
249 0xce,0x3e,0x02,0x01,0x30,0x82,0x01,0x1e,0x02,0x81,0x81,0x00,0xd4,0x0c,0x4a,0x0c,
250 0x04,0x72,0x71,0x19,0xdf,0x59,0x19,0xc5,0xaf,0x44,0x7f,0xca,0x8e,0x2b,0xf0,0x09,
251 0xf5,0xd3,0x25,0xb1,0x73,0x16,0x55,0x89,0xdf,0xfd,0x07,0xaf,0x19,0xd3,0x7f,0xd0,
252 0x07,0xa2,0xfe,0x3f,0x5a,0xf1,0x01,0xc6,0xf8,0x2b,0xef,0x4e,0x6d,0x03,0x38,0x42,
253 0xa1,0x37,0xd4,0x14,0xb4,0x00,0x4a,0xb1,0x86,0x5a,0x83,0xce,0xb9,0x08,0x0e,0xc1,
254 0x99,0x27,0x47,0x8d,0x0b,0x85,0xa8,0x82,0xed,0xcc,0x0d,0xb9,0xb0,0x32,0x7e,0xdf,
255 0xe8,0xe4,0xf6,0xf6,0xec,0xb3,0xee,0x7a,0x11,0x34,0x65,0x97,0xfc,0x1a,0xb0,0x95,
256 0x4b,0x19,0xb9,0xa6,0x1c,0xd9,0x01,0x32,0xf7,0x35,0x7c,0x2d,0x5d,0xfe,0xc1,0x85,
257 0x70,0x49,0xf8,0xcc,0x99,0xd0,0xbe,0xf1,0x5a,0x78,0xc8,0x03,0x02,0x81,0x80,0x69,
258 0x00,0xfd,0x66,0xf2,0xfc,0x15,0x8b,0x09,0xb8,0xdc,0x4d,0xea,0xaa,0x79,0x55,0xf9,
259 0xdf,0x46,0xa6,0x2f,0xca,0x2d,0x8f,0x59,0x2a,0xad,0x44,0xa3,0xc6,0x18,0x2f,0x95,
260 0xb6,0x16,0x20,0xe3,0xd3,0xd1,0x8f,0x03,0xce,0x71,0x7c,0xef,0x3a,0xc7,0x44,0x39,
261 0x0e,0xe2,0x1f,0xd8,0xd3,0x89,0x2b,0xe7,0x51,0xdc,0x12,0x48,0x4c,0x18,0x4d,0x99,
262 0x12,0x06,0xe4,0x17,0x02,0x03,0x8c,0x24,0x05,0x8e,0xa6,0x85,0xf2,0x69,0x1b,0xe1,
263 0x6a,0xdc,0xe2,0x04,0x3a,0x01,0x9d,0x64,0xbe,0xfe,0x45,0xf9,0x44,0x18,0x71,0xbd,
264 0x2d,0x3e,0x7a,0x6f,0x72,0x7d,0x1a,0x80,0x42,0x57,0xae,0x18,0x6f,0x91,0xd6,0x61,
265 0x03,0x8a,0x1c,0x89,0x73,0xc7,0x56,0x41,0x03,0xd3,0xf8,0xed,0x65,0xe2,0x85,0x02,
266 0x15,0x00,0x89,0x94,0xab,0x10,0x67,0x45,0x41,0xad,0x63,0xc6,0x71,0x40,0x8d,0x6b,
267 0x9e,0x19,0x5b,0xa4,0xc7,0xf5,0x03,0x81,0x84,0x00,0x02,0x81,0x80,0x2f,0x5b,0xde,
268 0x72,0x02,0x36,0x6b,0x00,0x5e,0x24,0x7f,0x14,0x2c,0x18,0x52,0x42,0x97,0x4b,0xdb,
269 0x6e,0x15,0x50,0x3c,0x45,0x3e,0x25,0xf3,0xb7,0xc5,0x6e,0xe5,0x52,0xe7,0xc4,0xfb,
270 0xf4,0xa5,0xf0,0x39,0x12,0x7f,0xbc,0x54,0x1c,0x93,0xb9,0x5e,0xee,0xe9,0x14,0xb0,
271 0xdf,0xfe,0xfc,0x36,0xe4,0xf2,0xaf,0xfb,0x13,0xc8,0xdf,0x18,0x94,0x1d,0x40,0xb9,
272 0x71,0xdd,0x4c,0x9c,0xa7,0x03,0x52,0x02,0xb5,0xed,0x71,0x80,0x3e,0x23,0xda,0x28,
273 0xe5,0xab,0xe7,0x6f,0xf2,0x0a,0x0e,0x00,0x5b,0x7d,0xc6,0x4b,0xd7,0xc7,0xb2,0xc3,
274 0xba,0x62,0x7f,0x70,0x28,0xa0,0x9d,0x71,0x13,0x70,0xd1,0x9f,0x32,0x2f,0x3e,0xd2,
275 0xcd,0x1b,0xa4,0xc6,0x72,0xa0,0x74,0x5d,0x71,0xef,0x03,0x43,0x6e,0xa3,0x60,0x30,
276 0x5e,0x30,0x0c,0x06,0x03,0x55,0x1d,0x13,0x01,0x01,0xff,0x04,0x02,0x30,0x00,0x30,
277 0x0e,0x06,0x03,0x55,0x1d,0x0f,0x01,0x01,0xff,0x04,0x04,0x03,0x02,0x05,0xe0,0x30,
278 0x1d,0x06,0x03,0x55,0x1d,0x0e,0x04,0x16,0x04,0x14,0x0b,0x5a,0x4d,0x5f,0x7d,0x25,
279 0xc7,0xf2,0x9d,0xc1,0xaa,0xb7,0x63,0x82,0x2f,0xfa,0x8f,0x32,0xe7,0xc0,0x30,0x1f,
280 0x06,0x03,0x55,0x1d,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0xdf,0x7e,0x5e,0x88,0x05,
281 0x24,0x33,0x08,0xdd,0x22,0x81,0x02,0x97,0xcc,0x9a,0xb7,0xb1,0x33,0x27,0x30,0x30,
282 0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x03,0x82,
283 0x01,0x01,0x00,0x5a,0xf2,0x63,0xef,0xd3,0x16,0xd7,0xf5,0xaa,0xdd,0x12,0x00,0x36,
284 0x00,0x21,0xa2,0x7b,0x08,0xd6,0x3b,0x9f,0x62,0xac,0x53,0x1f,0xed,0x4c,0xd1,0x15,
285 0x34,0x65,0x71,0xee,0x96,0x07,0xa6,0xef,0xb2,0xde,0xd8,0xbb,0x35,0x6e,0x2c,0xe2,
286 0xd1,0x26,0xef,0x7e,0x94,0xe2,0x88,0x51,0xa4,0x6c,0xaa,0x27,0x2a,0xd3,0xb6,0xc2,
287 0xf7,0xea,0xc3,0x0b,0xa9,0xb5,0x28,0x37,0xa2,0x63,0x08,0xe4,0x88,0xc0,0x1b,0x16,
288 0x1b,0xca,0xfd,0x8a,0x07,0x32,0x29,0xa7,0x53,0xb5,0x2d,0x30,0xe4,0xf5,0x16,0xc3,
289 0xe3,0xc2,0x4c,0x30,0x5d,0x35,0x80,0x1c,0xa2,0xdb,0xe3,0x4b,0x51,0x0d,0x4c,0x60,
290 0x5f,0xb9,0x46,0xac,0xa8,0x46,0xa7,0x32,0xa7,0x9c,0x76,0xf8,0xe9,0xb5,0x19,0xe2,
291 0x0c,0xe1,0x0f,0xc6,0x46,0xe2,0x38,0xa7,0x87,0x72,0x6d,0x6c,0xbc,0x88,0x2f,0x9d,
292 0x2d,0xe5,0xd0,0x7d,0x1e,0xc7,0x5d,0xf8,0x7e,0xb4,0x0b,0xa6,0xf9,0x6c,0xe3,0x7c,
293 0xb2,0x70,0x6e,0x75,0x9b,0x1e,0x63,0xe1,0x4d,0xb2,0x81,0xd3,0x55,0x38,0x94,0x1a,
294 0x7a,0xfa,0xbf,0x01,0x18,0x70,0x2d,0x35,0xd3,0xe3,0x10,0x7a,0x9a,0xa7,0x8f,0xf3,
295 0xbd,0x56,0x55,0x5e,0xd8,0xbd,0x4e,0x16,0x76,0xd0,0x48,0x4c,0xf9,0x51,0x54,0xdf,
296 0x2d,0xb0,0xc9,0xaa,0x5e,0x42,0x38,0x50,0xbf,0x0f,0xc0,0xd9,0x84,0x44,0x4b,0x42,
297 0x24,0xec,0x14,0xa3,0xde,0x11,0xdf,0x58,0x7f,0xc2,0x4d,0xb2,0xd5,0x42,0x78,0x6e,
298 0x52,0x3e,0xad,0xc3,0x5f,0x04,0xc4,0xe6,0x31,0xaa,0x81,0x06,0x8b,0x13,0x4b,0x3c,
299 0x0e,0x6a,0xb1
300 };
301
302 if (!TEST_ptr(bio = BIO_new_mem_buf(dhx_cert, sizeof(dhx_cert)))
303 || !TEST_ptr(cert = X509_new_ex(libctx, NULL))
304 || !TEST_ptr(d2i_X509_bio(bio, &cert)))
305 goto err;
306 ret = 1;
307 err:
308 X509_free(cert);
309 BIO_free(bio);
310 return ret;
311 }
312
313 #endif /* OPENSSL_NO_DH */
314
test_cipher_reinit(int test_id)315 static int test_cipher_reinit(int test_id)
316 {
317 int ret = 0, diff, ccm, siv, no_null_key;
318 int out1_len = 0, out2_len = 0, out3_len = 0;
319 EVP_CIPHER *cipher = NULL;
320 EVP_CIPHER_CTX *ctx = NULL;
321 unsigned char out1[256];
322 unsigned char out2[256];
323 unsigned char out3[256];
324 unsigned char in[16] = {
325 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
326 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10
327 };
328 unsigned char key[64] = {
329 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
330 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
331 0x01, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
332 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
333 0x02, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
334 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
335 0x03, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
336 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
337 };
338 unsigned char iv[16] = {
339 0x0f, 0x0e, 0x0d, 0x0c, 0x0b, 0x0a, 0x09, 0x08,
340 0x07, 0x06, 0x05, 0x04, 0x03, 0x02, 0x01, 0x00
341 };
342 const char *name = sk_OPENSSL_STRING_value(cipher_names, test_id);
343
344 if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new()))
345 goto err;
346
347 TEST_note("Fetching %s\n", name);
348 if (!TEST_ptr(cipher = EVP_CIPHER_fetch(libctx, name, NULL)))
349 goto err;
350
351 /* ccm fails on the second update - this matches OpenSSL 1_1_1 behaviour */
352 ccm = (EVP_CIPHER_get_mode(cipher) == EVP_CIPH_CCM_MODE);
353
354 /* siv cannot be called with NULL key as the iv is irrelevant */
355 siv = (EVP_CIPHER_get_mode(cipher) == EVP_CIPH_SIV_MODE);
356
357 /*
358 * Skip init call with a null key for RC4 as the stream cipher does not
359 * handle reinit (1.1.1 behaviour).
360 */
361 no_null_key = EVP_CIPHER_is_a(cipher, "RC4")
362 || EVP_CIPHER_is_a(cipher, "RC4-40")
363 || EVP_CIPHER_is_a(cipher, "RC4-HMAC-MD5");
364
365 /* DES3-WRAP uses random every update - so it will give a different value */
366 diff = EVP_CIPHER_is_a(cipher, "DES3-WRAP");
367
368 if (!TEST_true(EVP_EncryptInit_ex(ctx, cipher, NULL, key, iv))
369 || !TEST_true(EVP_EncryptUpdate(ctx, out1, &out1_len, in, sizeof(in)))
370 || !TEST_true(EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv))
371 || !TEST_int_eq(EVP_EncryptUpdate(ctx, out2, &out2_len, in, sizeof(in)),
372 ccm ? 0 : 1)
373 || (!no_null_key
374 && (!TEST_true(EVP_EncryptInit_ex(ctx, NULL, NULL, NULL, iv))
375 || !TEST_int_eq(EVP_EncryptUpdate(ctx, out3, &out3_len, in, sizeof(in)),
376 ccm || siv ? 0 : 1))))
377 goto err;
378
379 if (ccm == 0) {
380 if (diff) {
381 if (!TEST_mem_ne(out1, out1_len, out2, out2_len)
382 || !TEST_mem_ne(out1, out1_len, out3, out3_len)
383 || !TEST_mem_ne(out2, out2_len, out3, out3_len))
384 goto err;
385 } else {
386 if (!TEST_mem_eq(out1, out1_len, out2, out2_len)
387 || (!siv && !no_null_key && !TEST_mem_eq(out1, out1_len, out3, out3_len)))
388 goto err;
389 }
390 }
391 ret = 1;
392 err:
393 EVP_CIPHER_free(cipher);
394 EVP_CIPHER_CTX_free(ctx);
395 return ret;
396 }
397
398 /*
399 * This test only uses a partial block (half the block size) of input for each
400 * EVP_EncryptUpdate() in order to test that the second init/update is not using
401 * a leftover buffer from the first init/update.
402 * Note: some ciphers don't need a full block to produce output.
403 */
test_cipher_reinit_partialupdate(int test_id)404 static int test_cipher_reinit_partialupdate(int test_id)
405 {
406 int ret = 0, in_len;
407 int out1_len = 0, out2_len = 0, out3_len = 0;
408 EVP_CIPHER *cipher = NULL;
409 EVP_CIPHER_CTX *ctx = NULL;
410 unsigned char out1[256];
411 unsigned char out2[256];
412 unsigned char out3[256];
413 static const unsigned char in[32] = {
414 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
415 0xba, 0xbe, 0xba, 0xbe, 0x00, 0x00, 0xba, 0xbe,
416 0x01, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
417 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
418 };
419 static const unsigned char key[64] = {
420 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
421 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
422 0x01, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
423 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
424 0x02, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
425 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
426 0x03, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
427 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
428 };
429 static const unsigned char iv[16] = {
430 0x0f, 0x0e, 0x0d, 0x0c, 0x0b, 0x0a, 0x09, 0x08,
431 0x07, 0x06, 0x05, 0x04, 0x03, 0x02, 0x01, 0x00
432 };
433 const char *name = sk_OPENSSL_STRING_value(cipher_names, test_id);
434
435 if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new()))
436 goto err;
437
438 TEST_note("Fetching %s\n", name);
439 if (!TEST_ptr(cipher = EVP_CIPHER_fetch(libctx, name, NULL)))
440 goto err;
441
442 in_len = EVP_CIPHER_get_block_size(cipher) / 2;
443
444 /* skip any ciphers that don't allow partial updates */
445 if (((EVP_CIPHER_get_flags(cipher)
446 & (EVP_CIPH_FLAG_CTS | EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK)) != 0)
447 || EVP_CIPHER_get_mode(cipher) == EVP_CIPH_CCM_MODE
448 || EVP_CIPHER_get_mode(cipher) == EVP_CIPH_XTS_MODE
449 || EVP_CIPHER_get_mode(cipher) == EVP_CIPH_WRAP_MODE) {
450 ret = 1;
451 goto err;
452 }
453
454 if (!TEST_true(EVP_EncryptInit_ex(ctx, cipher, NULL, key, iv))
455 || !TEST_true(EVP_EncryptUpdate(ctx, out1, &out1_len, in, in_len))
456 || !TEST_true(EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv))
457 || !TEST_true(EVP_EncryptUpdate(ctx, out2, &out2_len, in, in_len)))
458 goto err;
459
460 if (!TEST_mem_eq(out1, out1_len, out2, out2_len))
461 goto err;
462
463 if (EVP_CIPHER_get_mode(cipher) != EVP_CIPH_SIV_MODE) {
464 if (!TEST_true(EVP_EncryptInit_ex(ctx, NULL, NULL, NULL, iv))
465 || !TEST_true(EVP_EncryptUpdate(ctx, out3, &out3_len, in, in_len)))
466 goto err;
467
468 if (!TEST_mem_eq(out1, out1_len, out3, out3_len))
469 goto err;
470 }
471 ret = 1;
472 err:
473 EVP_CIPHER_free(cipher);
474 EVP_CIPHER_CTX_free(ctx);
475 return ret;
476 }
477
478
name_cmp(const char * const * a,const char * const * b)479 static int name_cmp(const char * const *a, const char * const *b)
480 {
481 return strcasecmp(*a, *b);
482 }
483
collect_cipher_names(EVP_CIPHER * cipher,void * cipher_names_list)484 static void collect_cipher_names(EVP_CIPHER *cipher, void *cipher_names_list)
485 {
486 STACK_OF(OPENSSL_STRING) *names = cipher_names_list;
487 const char *name = EVP_CIPHER_get0_name(cipher);
488 char *namedup = NULL;
489
490 assert(name != NULL);
491 /* the cipher will be freed after returning, strdup is needed */
492 if ((namedup = OPENSSL_strdup(name)) != NULL
493 && !sk_OPENSSL_STRING_push(names, namedup))
494 OPENSSL_free(namedup);
495 }
496
rsa_keygen(int bits,EVP_PKEY ** pub,EVP_PKEY ** priv)497 static int rsa_keygen(int bits, EVP_PKEY **pub, EVP_PKEY **priv)
498 {
499 int ret = 0;
500 unsigned char *pub_der = NULL;
501 const unsigned char *pp = NULL;
502 size_t len = 0;
503 OSSL_ENCODER_CTX *ectx = NULL;
504
505 if (!TEST_ptr(*priv = EVP_PKEY_Q_keygen(libctx, NULL, "RSA", bits))
506 || !TEST_ptr(ectx =
507 OSSL_ENCODER_CTX_new_for_pkey(*priv,
508 EVP_PKEY_PUBLIC_KEY,
509 "DER", "type-specific",
510 NULL))
511 || !TEST_true(OSSL_ENCODER_to_data(ectx, &pub_der, &len)))
512 goto err;
513 pp = pub_der;
514 if (!TEST_ptr(d2i_PublicKey(EVP_PKEY_RSA, pub, &pp, len)))
515 goto err;
516 ret = 1;
517 err:
518 OSSL_ENCODER_CTX_free(ectx);
519 OPENSSL_free(pub_der);
520 return ret;
521 }
522
kem_rsa_gen_recover(void)523 static int kem_rsa_gen_recover(void)
524 {
525 int ret = 0;
526 EVP_PKEY *pub = NULL;
527 EVP_PKEY *priv = NULL;
528 EVP_PKEY_CTX *sctx = NULL, *rctx = NULL, *dctx = NULL;
529 unsigned char secret[256] = { 0, };
530 unsigned char ct[256] = { 0, };
531 unsigned char unwrap[256] = { 0, };
532 size_t ctlen = 0, unwraplen = 0, secretlen = 0;
533 int bits = 2048;
534
535 ret = TEST_true(rsa_keygen(bits, &pub, &priv))
536 && TEST_ptr(sctx = EVP_PKEY_CTX_new_from_pkey(libctx, pub, NULL))
537 && TEST_int_eq(EVP_PKEY_encapsulate_init(sctx, NULL), 1)
538 && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(sctx, "RSASVE"), 1)
539 && TEST_ptr(dctx = EVP_PKEY_CTX_dup(sctx))
540 && TEST_int_eq(EVP_PKEY_encapsulate(dctx, NULL, &ctlen, NULL,
541 &secretlen), 1)
542 && TEST_int_eq(ctlen, secretlen)
543 && TEST_int_eq(ctlen, bits / 8)
544 && TEST_int_eq(EVP_PKEY_encapsulate(dctx, ct, &ctlen, secret,
545 &secretlen), 1)
546 && TEST_ptr(rctx = EVP_PKEY_CTX_new_from_pkey(libctx, priv, NULL))
547 && TEST_int_eq(EVP_PKEY_decapsulate_init(rctx, NULL), 1)
548 && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(rctx, "RSASVE"), 1)
549 && TEST_int_eq(EVP_PKEY_decapsulate(rctx, NULL, &unwraplen,
550 ct, ctlen), 1)
551 && TEST_int_eq(EVP_PKEY_decapsulate(rctx, unwrap, &unwraplen,
552 ct, ctlen), 1)
553 && TEST_mem_eq(unwrap, unwraplen, secret, secretlen);
554 EVP_PKEY_free(pub);
555 EVP_PKEY_free(priv);
556 EVP_PKEY_CTX_free(rctx);
557 EVP_PKEY_CTX_free(dctx);
558 EVP_PKEY_CTX_free(sctx);
559 return ret;
560 }
561
562 #ifndef OPENSSL_NO_DES
563 /*
564 * This test makes sure that EVP_CIPHER_CTX_rand_key() works correctly
565 * For fips mode this code would produce an error if the flag is not set.
566 */
test_cipher_tdes_randkey(void)567 static int test_cipher_tdes_randkey(void)
568 {
569 int ret;
570 EVP_CIPHER_CTX *ctx = NULL;
571 EVP_CIPHER *tdes_cipher = NULL, *aes_cipher = NULL;
572 unsigned char key[24] = { 0 };
573
574 ret = TEST_ptr(aes_cipher = EVP_CIPHER_fetch(libctx, "AES-256-CBC", NULL))
575 && TEST_int_eq(EVP_CIPHER_get_flags(aes_cipher) & EVP_CIPH_RAND_KEY, 0)
576 && TEST_ptr(tdes_cipher = EVP_CIPHER_fetch(libctx, "DES-EDE3-CBC", NULL))
577 && TEST_int_ne(EVP_CIPHER_get_flags(tdes_cipher) & EVP_CIPH_RAND_KEY, 0)
578 && TEST_ptr(ctx = EVP_CIPHER_CTX_new())
579 && TEST_true(EVP_CipherInit_ex(ctx, tdes_cipher, NULL, NULL, NULL, 1))
580 && TEST_true(EVP_CIPHER_CTX_rand_key(ctx, key));
581
582 EVP_CIPHER_CTX_free(ctx);
583 EVP_CIPHER_free(tdes_cipher);
584 EVP_CIPHER_free(aes_cipher);
585 return ret;
586 }
587 #endif /* OPENSSL_NO_DES */
588
kem_rsa_params(void)589 static int kem_rsa_params(void)
590 {
591 int ret = 0;
592 EVP_PKEY *pub = NULL;
593 EVP_PKEY *priv = NULL;
594 EVP_PKEY_CTX *pubctx = NULL, *privctx = NULL;
595 unsigned char secret[256] = { 0, };
596 unsigned char ct[256] = { 0, };
597 size_t ctlen = 0, secretlen = 0;
598
599 ret = TEST_true(rsa_keygen(2048, &pub, &priv))
600 && TEST_ptr(pubctx = EVP_PKEY_CTX_new_from_pkey(libctx, pub, NULL))
601 && TEST_ptr(privctx = EVP_PKEY_CTX_new_from_pkey(libctx, priv, NULL))
602 /* Test setting kem op before the init fails */
603 && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(pubctx, "RSASVE"), -2)
604 /* Test NULL ctx passed */
605 && TEST_int_eq(EVP_PKEY_encapsulate_init(NULL, NULL), 0)
606 && TEST_int_eq(EVP_PKEY_encapsulate(NULL, NULL, NULL, NULL, NULL), 0)
607 && TEST_int_eq(EVP_PKEY_decapsulate_init(NULL, NULL), 0)
608 && TEST_int_eq(EVP_PKEY_decapsulate(NULL, NULL, NULL, NULL, 0), 0)
609 /* Test Invalid operation */
610 && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, NULL, NULL, NULL), -1)
611 && TEST_int_eq(EVP_PKEY_decapsulate(privctx, NULL, NULL, NULL, 0), 0)
612 /* Wrong key component - no secret should be returned on failure */
613 && TEST_int_eq(EVP_PKEY_decapsulate_init(pubctx, NULL), 1)
614 && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(pubctx, "RSASVE"), 1)
615 && TEST_int_eq(EVP_PKEY_decapsulate(pubctx, secret, &secretlen, ct,
616 sizeof(ct)), 0)
617 && TEST_uchar_eq(secret[0], 0)
618 /* Test encapsulate fails if the mode is not set */
619 && TEST_int_eq(EVP_PKEY_encapsulate_init(pubctx, NULL), 1)
620 && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, ct, &ctlen, secret, &secretlen), -2)
621 /* Test setting a bad kem ops fail */
622 && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(pubctx, "RSA"), 0)
623 && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(pubctx, NULL), 0)
624 && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(NULL, "RSASVE"), 0)
625 && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(NULL, NULL), 0)
626 /* Test secretlen is optional */
627 && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(pubctx, "RSASVE"), 1)
628 && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, ct, &ctlen, secret, NULL), 1)
629 && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, &ctlen, NULL, NULL), 1)
630 /* Test outlen is optional */
631 && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, NULL, NULL, &secretlen), 1)
632 && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, ct, NULL, secret, &secretlen), 1)
633 /* test that either len must be set if out is NULL */
634 && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, NULL, NULL, NULL), 0)
635 && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, &ctlen, NULL, NULL), 1)
636 && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, NULL, NULL, &secretlen), 1)
637 && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, &ctlen, NULL, &secretlen), 1)
638 /* Secret buffer should be set if there is an output buffer */
639 && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, ct, &ctlen, NULL, NULL), 0)
640 /* Test that lengths are optional if ct is not NULL */
641 && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, ct, NULL, secret, NULL), 1)
642 /* Pass if secret or secret length are not NULL */
643 && TEST_int_eq(EVP_PKEY_decapsulate_init(privctx, NULL), 1)
644 && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(privctx, "RSASVE"), 1)
645 && TEST_int_eq(EVP_PKEY_decapsulate(privctx, secret, NULL, ct, sizeof(ct)), 1)
646 && TEST_int_eq(EVP_PKEY_decapsulate(privctx, NULL, &secretlen, ct, sizeof(ct)), 1)
647 && TEST_int_eq(secretlen, 256)
648 /* Fail if passed NULL arguments */
649 && TEST_int_eq(EVP_PKEY_decapsulate(privctx, NULL, NULL, ct, sizeof(ct)), 0)
650 && TEST_int_eq(EVP_PKEY_decapsulate(privctx, secret, &secretlen, NULL, 0), 0)
651 && TEST_int_eq(EVP_PKEY_decapsulate(privctx, secret, &secretlen, NULL, sizeof(ct)), 0)
652 && TEST_int_eq(EVP_PKEY_decapsulate(privctx, secret, &secretlen, ct, 0), 0);
653
654 EVP_PKEY_free(pub);
655 EVP_PKEY_free(priv);
656 EVP_PKEY_CTX_free(pubctx);
657 EVP_PKEY_CTX_free(privctx);
658 return ret;
659 }
660
661 #ifndef OPENSSL_NO_DH
gen_dh_key(void)662 static EVP_PKEY *gen_dh_key(void)
663 {
664 EVP_PKEY_CTX *gctx = NULL;
665 EVP_PKEY *pkey = NULL;
666 OSSL_PARAM params[2];
667
668 params[0] = OSSL_PARAM_construct_utf8_string("group", "ffdhe2048", 0);
669 params[1] = OSSL_PARAM_construct_end();
670
671 if (!TEST_ptr(gctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL))
672 || !TEST_true(EVP_PKEY_keygen_init(gctx))
673 || !TEST_true(EVP_PKEY_CTX_set_params(gctx, params))
674 || !TEST_true(EVP_PKEY_keygen(gctx, &pkey)))
675 goto err;
676 err:
677 EVP_PKEY_CTX_free(gctx);
678 return pkey;
679 }
680
681 /* Fail if we try to use a dh key */
kem_invalid_keytype(void)682 static int kem_invalid_keytype(void)
683 {
684 int ret = 0;
685 EVP_PKEY *key = NULL;
686 EVP_PKEY_CTX *sctx = NULL;
687
688 if (!TEST_ptr(key = gen_dh_key()))
689 goto done;
690
691 if (!TEST_ptr(sctx = EVP_PKEY_CTX_new_from_pkey(libctx, key, NULL)))
692 goto done;
693 if (!TEST_int_eq(EVP_PKEY_encapsulate_init(sctx, NULL), -2))
694 goto done;
695
696 ret = 1;
697 done:
698 EVP_PKEY_free(key);
699 EVP_PKEY_CTX_free(sctx);
700 return ret;
701 }
702 #endif /* OPENSSL_NO_DH */
703
setup_tests(void)704 int setup_tests(void)
705 {
706 const char *prov_name = "default";
707 char *config_file = NULL;
708 OPTION_CHOICE o;
709
710 while ((o = opt_next()) != OPT_EOF) {
711 switch (o) {
712 case OPT_PROVIDER_NAME:
713 prov_name = opt_arg();
714 break;
715 case OPT_CONFIG_FILE:
716 config_file = opt_arg();
717 break;
718 case OPT_TEST_CASES:
719 break;
720 default:
721 case OPT_ERR:
722 return 0;
723 }
724 }
725
726 if (!test_get_libctx(&libctx, &nullprov, config_file, &libprov, prov_name))
727 return 0;
728
729 #if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DH)
730 ADD_ALL_TESTS(test_dsa_param_keygen, 3 * 3 * 3);
731 #endif
732 #ifndef OPENSSL_NO_DH
733 ADD_ALL_TESTS(test_dh_safeprime_param_keygen, 3 * 3 * 3);
734 ADD_TEST(dhx_cert_load);
735 #endif
736
737 if (!TEST_ptr(cipher_names = sk_OPENSSL_STRING_new(name_cmp)))
738 return 0;
739 EVP_CIPHER_do_all_provided(libctx, collect_cipher_names, cipher_names);
740
741 ADD_ALL_TESTS(test_cipher_reinit, sk_OPENSSL_STRING_num(cipher_names));
742 ADD_ALL_TESTS(test_cipher_reinit_partialupdate,
743 sk_OPENSSL_STRING_num(cipher_names));
744 ADD_TEST(kem_rsa_gen_recover);
745 ADD_TEST(kem_rsa_params);
746 #ifndef OPENSSL_NO_DH
747 ADD_TEST(kem_invalid_keytype);
748 #endif
749 #ifndef OPENSSL_NO_DES
750 ADD_TEST(test_cipher_tdes_randkey);
751 #endif
752 return 1;
753 }
754
755 /* Because OPENSSL_free is a macro, it can't be passed as a function pointer */
string_free(char * m)756 static void string_free(char *m)
757 {
758 OPENSSL_free(m);
759 }
760
cleanup_tests(void)761 void cleanup_tests(void)
762 {
763 sk_OPENSSL_STRING_pop_free(cipher_names, string_free);
764 OSSL_PROVIDER_unload(libprov);
765 OSSL_LIB_CTX_free(libctx);
766 OSSL_PROVIDER_unload(nullprov);
767 }
768