1 /*
2  * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 /*
11 
12  * These tests are setup to load null into the default library context.
13  * Any tests are expected to use the created 'libctx' to find algorithms.
14  * The framework runs the tests twice using the 'default' provider or
15  * 'fips' provider as inputs.
16  */
17 
18 /*
19  * DSA/DH low level APIs are deprecated for public use, but still ok for
20  * internal use.
21  */
22 #include "internal/deprecated.h"
23 #include <assert.h>
24 #include <openssl/evp.h>
25 #include <openssl/provider.h>
26 #include <openssl/dsa.h>
27 #include <openssl/dh.h>
28 #include <openssl/safestack.h>
29 #include <openssl/core_dispatch.h>
30 #include <openssl/core_names.h>
31 #include <openssl/x509.h>
32 #include <openssl/encoder.h>
33 #include "testutil.h"
34 #include "internal/nelem.h"
35 #include "crypto/bn_dh.h"   /* _bignum_ffdhe2048_p */
36 #include "../e_os.h"        /* strcasecmp */
37 
38 static OSSL_LIB_CTX *libctx = NULL;
39 static OSSL_PROVIDER *nullprov = NULL;
40 static OSSL_PROVIDER *libprov = NULL;
41 static STACK_OF(OPENSSL_STRING) *cipher_names = NULL;
42 
43 typedef enum OPTION_choice {
44     OPT_ERR = -1,
45     OPT_EOF = 0,
46     OPT_CONFIG_FILE,
47     OPT_PROVIDER_NAME,
48     OPT_TEST_ENUM
49 } OPTION_CHOICE;
50 
test_get_options(void)51 const OPTIONS *test_get_options(void)
52 {
53     static const OPTIONS test_options[] = {
54         OPT_TEST_OPTIONS_DEFAULT_USAGE,
55         { "config", OPT_CONFIG_FILE, '<',
56           "The configuration file to use for the libctx" },
57         { "provider", OPT_PROVIDER_NAME, 's',
58           "The provider to load (The default value is 'default')" },
59         { NULL }
60     };
61     return test_options;
62 }
63 
64 #ifndef OPENSSL_NO_DH
getname(int id)65 static const char *getname(int id)
66 {
67     const char *name[] = {"p", "q", "g" };
68 
69     if (id >= 0 && id < 3)
70         return name[id];
71     return "?";
72 }
73 #endif
74 
75 /*
76  * We're using some DH specific values in this test, so we skip compilation if
77  * we're in a no-dh build.
78  */
79 #if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DH)
80 
test_dsa_param_keygen(int tstid)81 static int test_dsa_param_keygen(int tstid)
82 {
83     int ret = 0;
84     int expected;
85     EVP_PKEY_CTX *gen_ctx = NULL;
86     EVP_PKEY *pkey_parm = NULL;
87     EVP_PKEY *pkey = NULL, *dup_pk = NULL;
88     DSA *dsa = NULL;
89     int pind, qind, gind;
90     BIGNUM *p = NULL, *q = NULL, *g = NULL;
91 
92     /*
93      * Just grab some fixed dh p, q, g values for testing,
94      * these 'safe primes' should not be used normally for dsa *.
95      */
96     static const BIGNUM *bn[] = {
97         &ossl_bignum_dh2048_256_p, &ossl_bignum_dh2048_256_q,
98         &ossl_bignum_dh2048_256_g
99     };
100 
101     /*
102      * These tests are using bad values for p, q, g by reusing the values.
103      * A value of 0 uses p, 1 uses q and 2 uses g.
104      * There are 27 different combinations, with only the 1 valid combination.
105      */
106     pind = tstid / 9;
107     qind = (tstid / 3) % 3;
108     gind = tstid % 3;
109     expected  = (pind == 0 && qind == 1 && gind == 2);
110 
111     TEST_note("Testing with (p, q, g) = (%s, %s, %s)\n", getname(pind),
112               getname(qind), getname(gind));
113 
114     if (!TEST_ptr(pkey_parm = EVP_PKEY_new())
115         || !TEST_ptr(dsa = DSA_new())
116         || !TEST_ptr(p = BN_dup(bn[pind]))
117         || !TEST_ptr(q = BN_dup(bn[qind]))
118         || !TEST_ptr(g = BN_dup(bn[gind]))
119         || !TEST_true(DSA_set0_pqg(dsa, p, q, g)))
120         goto err;
121     p = q = g = NULL;
122 
123     if (!TEST_true(EVP_PKEY_assign_DSA(pkey_parm, dsa)))
124         goto err;
125     dsa = NULL;
126 
127     if (!TEST_ptr(gen_ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey_parm, NULL))
128         || !TEST_int_gt(EVP_PKEY_keygen_init(gen_ctx), 0)
129         || !TEST_int_eq(EVP_PKEY_keygen(gen_ctx, &pkey), expected))
130         goto err;
131 
132     if (expected) {
133         if (!TEST_ptr(dup_pk = EVP_PKEY_dup(pkey))
134             || !TEST_int_eq(EVP_PKEY_eq(pkey, dup_pk), 1))
135             goto err;
136     }
137 
138     ret = 1;
139 err:
140     EVP_PKEY_free(pkey);
141     EVP_PKEY_free(dup_pk);
142     EVP_PKEY_CTX_free(gen_ctx);
143     EVP_PKEY_free(pkey_parm);
144     DSA_free(dsa);
145     BN_free(g);
146     BN_free(q);
147     BN_free(p);
148     return ret;
149 }
150 #endif /* OPENSSL_NO_DSA */
151 
152 #ifndef OPENSSL_NO_DH
do_dh_param_keygen(int tstid,const BIGNUM ** bn)153 static int do_dh_param_keygen(int tstid, const BIGNUM **bn)
154 {
155     int ret = 0;
156     int expected;
157     EVP_PKEY_CTX *gen_ctx = NULL;
158     EVP_PKEY *pkey_parm = NULL;
159     EVP_PKEY *pkey = NULL, *dup_pk = NULL;
160     DH *dh = NULL;
161     int pind, qind, gind;
162     BIGNUM *p = NULL, *q = NULL, *g = NULL;
163 
164     /*
165      * These tests are using bad values for p, q, g by reusing the values.
166      * A value of 0 uses p, 1 uses q and 2 uses g.
167      * There are 27 different combinations, with only the 1 valid combination.
168      */
169     pind = tstid / 9;
170     qind = (tstid / 3) % 3;
171     gind = tstid % 3;
172     expected  = (pind == 0 && qind == 1 && gind == 2);
173 
174     TEST_note("Testing with (p, q, g) = (%s, %s, %s)", getname(pind),
175               getname(qind), getname(gind));
176 
177     if (!TEST_ptr(pkey_parm = EVP_PKEY_new())
178         || !TEST_ptr(dh = DH_new())
179         || !TEST_ptr(p = BN_dup(bn[pind]))
180         || !TEST_ptr(q = BN_dup(bn[qind]))
181         || !TEST_ptr(g = BN_dup(bn[gind]))
182         || !TEST_true(DH_set0_pqg(dh, p, q, g)))
183         goto err;
184     p = q = g = NULL;
185 
186     if (!TEST_true(EVP_PKEY_assign_DH(pkey_parm, dh)))
187         goto err;
188     dh = NULL;
189 
190     if (!TEST_ptr(gen_ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey_parm, NULL))
191         || !TEST_int_gt(EVP_PKEY_keygen_init(gen_ctx), 0)
192         || !TEST_int_eq(EVP_PKEY_keygen(gen_ctx, &pkey), expected))
193         goto err;
194 
195     if (expected) {
196         if (!TEST_ptr(dup_pk = EVP_PKEY_dup(pkey))
197             || !TEST_int_eq(EVP_PKEY_eq(pkey, dup_pk), 1))
198             goto err;
199     }
200 
201     ret = 1;
202 err:
203     EVP_PKEY_free(pkey);
204     EVP_PKEY_free(dup_pk);
205     EVP_PKEY_CTX_free(gen_ctx);
206     EVP_PKEY_free(pkey_parm);
207     DH_free(dh);
208     BN_free(g);
209     BN_free(q);
210     BN_free(p);
211     return ret;
212 }
213 
214 /*
215  * Note that we get the fips186-4 path being run for most of these cases since
216  * the internal code will detect that the p, q, g does not match a safe prime
217  * group (Except for when tstid = 5, which sets the correct p, q, g)
218  */
test_dh_safeprime_param_keygen(int tstid)219 static int test_dh_safeprime_param_keygen(int tstid)
220 {
221     static const BIGNUM *bn[] = {
222         &ossl_bignum_ffdhe2048_p,  &ossl_bignum_ffdhe2048_q,
223         &ossl_bignum_const_2
224     };
225     return do_dh_param_keygen(tstid, bn);
226 }
227 
dhx_cert_load(void)228 static int dhx_cert_load(void)
229 {
230     int ret = 0;
231     X509 *cert = NULL;
232     BIO *bio = NULL;
233 
234     static const unsigned char dhx_cert[] = {
235         0x30,0x82,0x03,0xff,0x30,0x82,0x02,0xe7,0xa0,0x03,0x02,0x01,0x02,0x02,0x09,0x00,
236         0xdb,0xf5,0x4d,0x22,0xa0,0x7a,0x67,0xa6,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,
237         0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x30,0x44,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,
238         0x04,0x06,0x13,0x02,0x55,0x4b,0x31,0x16,0x30,0x14,0x06,0x03,0x55,0x04,0x0a,0x0c,
239         0x0d,0x4f,0x70,0x65,0x6e,0x53,0x53,0x4c,0x20,0x47,0x72,0x6f,0x75,0x70,0x31,0x1d,
240         0x30,0x1b,0x06,0x03,0x55,0x04,0x03,0x0c,0x14,0x54,0x65,0x73,0x74,0x20,0x53,0x2f,
241         0x4d,0x49,0x4d,0x45,0x20,0x52,0x53,0x41,0x20,0x52,0x6f,0x6f,0x74,0x30,0x1e,0x17,
242         0x0d,0x31,0x33,0x30,0x38,0x30,0x32,0x31,0x34,0x34,0x39,0x32,0x39,0x5a,0x17,0x0d,
243         0x32,0x33,0x30,0x36,0x31,0x31,0x31,0x34,0x34,0x39,0x32,0x39,0x5a,0x30,0x44,0x31,
244         0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x4b,0x31,0x16,0x30,0x14,
245         0x06,0x03,0x55,0x04,0x0a,0x0c,0x0d,0x4f,0x70,0x65,0x6e,0x53,0x53,0x4c,0x20,0x47,
246         0x72,0x6f,0x75,0x70,0x31,0x1d,0x30,0x1b,0x06,0x03,0x55,0x04,0x03,0x0c,0x14,0x54,
247         0x65,0x73,0x74,0x20,0x53,0x2f,0x4d,0x49,0x4d,0x45,0x20,0x45,0x45,0x20,0x44,0x48,
248         0x20,0x23,0x31,0x30,0x82,0x01,0xb6,0x30,0x82,0x01,0x2b,0x06,0x07,0x2a,0x86,0x48,
249         0xce,0x3e,0x02,0x01,0x30,0x82,0x01,0x1e,0x02,0x81,0x81,0x00,0xd4,0x0c,0x4a,0x0c,
250         0x04,0x72,0x71,0x19,0xdf,0x59,0x19,0xc5,0xaf,0x44,0x7f,0xca,0x8e,0x2b,0xf0,0x09,
251         0xf5,0xd3,0x25,0xb1,0x73,0x16,0x55,0x89,0xdf,0xfd,0x07,0xaf,0x19,0xd3,0x7f,0xd0,
252         0x07,0xa2,0xfe,0x3f,0x5a,0xf1,0x01,0xc6,0xf8,0x2b,0xef,0x4e,0x6d,0x03,0x38,0x42,
253         0xa1,0x37,0xd4,0x14,0xb4,0x00,0x4a,0xb1,0x86,0x5a,0x83,0xce,0xb9,0x08,0x0e,0xc1,
254         0x99,0x27,0x47,0x8d,0x0b,0x85,0xa8,0x82,0xed,0xcc,0x0d,0xb9,0xb0,0x32,0x7e,0xdf,
255         0xe8,0xe4,0xf6,0xf6,0xec,0xb3,0xee,0x7a,0x11,0x34,0x65,0x97,0xfc,0x1a,0xb0,0x95,
256         0x4b,0x19,0xb9,0xa6,0x1c,0xd9,0x01,0x32,0xf7,0x35,0x7c,0x2d,0x5d,0xfe,0xc1,0x85,
257         0x70,0x49,0xf8,0xcc,0x99,0xd0,0xbe,0xf1,0x5a,0x78,0xc8,0x03,0x02,0x81,0x80,0x69,
258         0x00,0xfd,0x66,0xf2,0xfc,0x15,0x8b,0x09,0xb8,0xdc,0x4d,0xea,0xaa,0x79,0x55,0xf9,
259         0xdf,0x46,0xa6,0x2f,0xca,0x2d,0x8f,0x59,0x2a,0xad,0x44,0xa3,0xc6,0x18,0x2f,0x95,
260         0xb6,0x16,0x20,0xe3,0xd3,0xd1,0x8f,0x03,0xce,0x71,0x7c,0xef,0x3a,0xc7,0x44,0x39,
261         0x0e,0xe2,0x1f,0xd8,0xd3,0x89,0x2b,0xe7,0x51,0xdc,0x12,0x48,0x4c,0x18,0x4d,0x99,
262         0x12,0x06,0xe4,0x17,0x02,0x03,0x8c,0x24,0x05,0x8e,0xa6,0x85,0xf2,0x69,0x1b,0xe1,
263         0x6a,0xdc,0xe2,0x04,0x3a,0x01,0x9d,0x64,0xbe,0xfe,0x45,0xf9,0x44,0x18,0x71,0xbd,
264         0x2d,0x3e,0x7a,0x6f,0x72,0x7d,0x1a,0x80,0x42,0x57,0xae,0x18,0x6f,0x91,0xd6,0x61,
265         0x03,0x8a,0x1c,0x89,0x73,0xc7,0x56,0x41,0x03,0xd3,0xf8,0xed,0x65,0xe2,0x85,0x02,
266         0x15,0x00,0x89,0x94,0xab,0x10,0x67,0x45,0x41,0xad,0x63,0xc6,0x71,0x40,0x8d,0x6b,
267         0x9e,0x19,0x5b,0xa4,0xc7,0xf5,0x03,0x81,0x84,0x00,0x02,0x81,0x80,0x2f,0x5b,0xde,
268         0x72,0x02,0x36,0x6b,0x00,0x5e,0x24,0x7f,0x14,0x2c,0x18,0x52,0x42,0x97,0x4b,0xdb,
269         0x6e,0x15,0x50,0x3c,0x45,0x3e,0x25,0xf3,0xb7,0xc5,0x6e,0xe5,0x52,0xe7,0xc4,0xfb,
270         0xf4,0xa5,0xf0,0x39,0x12,0x7f,0xbc,0x54,0x1c,0x93,0xb9,0x5e,0xee,0xe9,0x14,0xb0,
271         0xdf,0xfe,0xfc,0x36,0xe4,0xf2,0xaf,0xfb,0x13,0xc8,0xdf,0x18,0x94,0x1d,0x40,0xb9,
272         0x71,0xdd,0x4c,0x9c,0xa7,0x03,0x52,0x02,0xb5,0xed,0x71,0x80,0x3e,0x23,0xda,0x28,
273         0xe5,0xab,0xe7,0x6f,0xf2,0x0a,0x0e,0x00,0x5b,0x7d,0xc6,0x4b,0xd7,0xc7,0xb2,0xc3,
274         0xba,0x62,0x7f,0x70,0x28,0xa0,0x9d,0x71,0x13,0x70,0xd1,0x9f,0x32,0x2f,0x3e,0xd2,
275         0xcd,0x1b,0xa4,0xc6,0x72,0xa0,0x74,0x5d,0x71,0xef,0x03,0x43,0x6e,0xa3,0x60,0x30,
276         0x5e,0x30,0x0c,0x06,0x03,0x55,0x1d,0x13,0x01,0x01,0xff,0x04,0x02,0x30,0x00,0x30,
277         0x0e,0x06,0x03,0x55,0x1d,0x0f,0x01,0x01,0xff,0x04,0x04,0x03,0x02,0x05,0xe0,0x30,
278         0x1d,0x06,0x03,0x55,0x1d,0x0e,0x04,0x16,0x04,0x14,0x0b,0x5a,0x4d,0x5f,0x7d,0x25,
279         0xc7,0xf2,0x9d,0xc1,0xaa,0xb7,0x63,0x82,0x2f,0xfa,0x8f,0x32,0xe7,0xc0,0x30,0x1f,
280         0x06,0x03,0x55,0x1d,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0xdf,0x7e,0x5e,0x88,0x05,
281         0x24,0x33,0x08,0xdd,0x22,0x81,0x02,0x97,0xcc,0x9a,0xb7,0xb1,0x33,0x27,0x30,0x30,
282         0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x03,0x82,
283         0x01,0x01,0x00,0x5a,0xf2,0x63,0xef,0xd3,0x16,0xd7,0xf5,0xaa,0xdd,0x12,0x00,0x36,
284         0x00,0x21,0xa2,0x7b,0x08,0xd6,0x3b,0x9f,0x62,0xac,0x53,0x1f,0xed,0x4c,0xd1,0x15,
285         0x34,0x65,0x71,0xee,0x96,0x07,0xa6,0xef,0xb2,0xde,0xd8,0xbb,0x35,0x6e,0x2c,0xe2,
286         0xd1,0x26,0xef,0x7e,0x94,0xe2,0x88,0x51,0xa4,0x6c,0xaa,0x27,0x2a,0xd3,0xb6,0xc2,
287         0xf7,0xea,0xc3,0x0b,0xa9,0xb5,0x28,0x37,0xa2,0x63,0x08,0xe4,0x88,0xc0,0x1b,0x16,
288         0x1b,0xca,0xfd,0x8a,0x07,0x32,0x29,0xa7,0x53,0xb5,0x2d,0x30,0xe4,0xf5,0x16,0xc3,
289         0xe3,0xc2,0x4c,0x30,0x5d,0x35,0x80,0x1c,0xa2,0xdb,0xe3,0x4b,0x51,0x0d,0x4c,0x60,
290         0x5f,0xb9,0x46,0xac,0xa8,0x46,0xa7,0x32,0xa7,0x9c,0x76,0xf8,0xe9,0xb5,0x19,0xe2,
291         0x0c,0xe1,0x0f,0xc6,0x46,0xe2,0x38,0xa7,0x87,0x72,0x6d,0x6c,0xbc,0x88,0x2f,0x9d,
292         0x2d,0xe5,0xd0,0x7d,0x1e,0xc7,0x5d,0xf8,0x7e,0xb4,0x0b,0xa6,0xf9,0x6c,0xe3,0x7c,
293         0xb2,0x70,0x6e,0x75,0x9b,0x1e,0x63,0xe1,0x4d,0xb2,0x81,0xd3,0x55,0x38,0x94,0x1a,
294         0x7a,0xfa,0xbf,0x01,0x18,0x70,0x2d,0x35,0xd3,0xe3,0x10,0x7a,0x9a,0xa7,0x8f,0xf3,
295         0xbd,0x56,0x55,0x5e,0xd8,0xbd,0x4e,0x16,0x76,0xd0,0x48,0x4c,0xf9,0x51,0x54,0xdf,
296         0x2d,0xb0,0xc9,0xaa,0x5e,0x42,0x38,0x50,0xbf,0x0f,0xc0,0xd9,0x84,0x44,0x4b,0x42,
297         0x24,0xec,0x14,0xa3,0xde,0x11,0xdf,0x58,0x7f,0xc2,0x4d,0xb2,0xd5,0x42,0x78,0x6e,
298         0x52,0x3e,0xad,0xc3,0x5f,0x04,0xc4,0xe6,0x31,0xaa,0x81,0x06,0x8b,0x13,0x4b,0x3c,
299         0x0e,0x6a,0xb1
300     };
301 
302     if (!TEST_ptr(bio = BIO_new_mem_buf(dhx_cert, sizeof(dhx_cert)))
303         || !TEST_ptr(cert = X509_new_ex(libctx, NULL))
304         || !TEST_ptr(d2i_X509_bio(bio, &cert)))
305         goto err;
306     ret = 1;
307 err:
308     X509_free(cert);
309     BIO_free(bio);
310     return ret;
311 }
312 
313 #endif /* OPENSSL_NO_DH */
314 
test_cipher_reinit(int test_id)315 static int test_cipher_reinit(int test_id)
316 {
317     int ret = 0, diff, ccm, siv, no_null_key;
318     int out1_len = 0, out2_len = 0, out3_len = 0;
319     EVP_CIPHER *cipher = NULL;
320     EVP_CIPHER_CTX *ctx = NULL;
321     unsigned char out1[256];
322     unsigned char out2[256];
323     unsigned char out3[256];
324     unsigned char in[16] = {
325         0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
326         0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10
327     };
328     unsigned char key[64] = {
329         0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
330         0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
331         0x01, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
332         0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
333         0x02, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
334         0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
335         0x03, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
336         0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
337     };
338     unsigned char iv[16] = {
339         0x0f, 0x0e, 0x0d, 0x0c, 0x0b, 0x0a, 0x09, 0x08,
340         0x07, 0x06, 0x05, 0x04, 0x03, 0x02, 0x01, 0x00
341     };
342     const char *name = sk_OPENSSL_STRING_value(cipher_names, test_id);
343 
344     if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new()))
345         goto err;
346 
347     TEST_note("Fetching %s\n", name);
348     if (!TEST_ptr(cipher = EVP_CIPHER_fetch(libctx, name, NULL)))
349         goto err;
350 
351     /* ccm fails on the second update - this matches OpenSSL 1_1_1 behaviour */
352     ccm = (EVP_CIPHER_get_mode(cipher) == EVP_CIPH_CCM_MODE);
353 
354     /* siv cannot be called with NULL key as the iv is irrelevant */
355     siv = (EVP_CIPHER_get_mode(cipher) == EVP_CIPH_SIV_MODE);
356 
357     /*
358      * Skip init call with a null key for RC4 as the stream cipher does not
359      * handle reinit (1.1.1 behaviour).
360      */
361     no_null_key = EVP_CIPHER_is_a(cipher, "RC4")
362                   || EVP_CIPHER_is_a(cipher, "RC4-40")
363                   || EVP_CIPHER_is_a(cipher, "RC4-HMAC-MD5");
364 
365     /* DES3-WRAP uses random every update - so it will give a different value */
366     diff = EVP_CIPHER_is_a(cipher, "DES3-WRAP");
367 
368     if (!TEST_true(EVP_EncryptInit_ex(ctx, cipher, NULL, key, iv))
369         || !TEST_true(EVP_EncryptUpdate(ctx, out1, &out1_len, in, sizeof(in)))
370         || !TEST_true(EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv))
371         || !TEST_int_eq(EVP_EncryptUpdate(ctx, out2, &out2_len, in, sizeof(in)),
372                         ccm ? 0 : 1)
373         || (!no_null_key
374         && (!TEST_true(EVP_EncryptInit_ex(ctx, NULL, NULL, NULL, iv))
375         || !TEST_int_eq(EVP_EncryptUpdate(ctx, out3, &out3_len, in, sizeof(in)),
376                         ccm || siv ? 0 : 1))))
377         goto err;
378 
379     if (ccm == 0) {
380         if (diff) {
381             if (!TEST_mem_ne(out1, out1_len, out2, out2_len)
382                 || !TEST_mem_ne(out1, out1_len, out3, out3_len)
383                 || !TEST_mem_ne(out2, out2_len, out3, out3_len))
384                 goto err;
385         } else {
386             if (!TEST_mem_eq(out1, out1_len, out2, out2_len)
387                 || (!siv && !no_null_key && !TEST_mem_eq(out1, out1_len, out3, out3_len)))
388                 goto err;
389         }
390     }
391     ret = 1;
392 err:
393     EVP_CIPHER_free(cipher);
394     EVP_CIPHER_CTX_free(ctx);
395     return ret;
396 }
397 
398 /*
399  * This test only uses a partial block (half the block size) of input for each
400  * EVP_EncryptUpdate() in order to test that the second init/update is not using
401  * a leftover buffer from the first init/update.
402  * Note: some ciphers don't need a full block to produce output.
403  */
test_cipher_reinit_partialupdate(int test_id)404 static int test_cipher_reinit_partialupdate(int test_id)
405 {
406     int ret = 0, in_len;
407     int out1_len = 0, out2_len = 0, out3_len = 0;
408     EVP_CIPHER *cipher = NULL;
409     EVP_CIPHER_CTX *ctx = NULL;
410     unsigned char out1[256];
411     unsigned char out2[256];
412     unsigned char out3[256];
413     static const unsigned char in[32] = {
414         0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
415         0xba, 0xbe, 0xba, 0xbe, 0x00, 0x00, 0xba, 0xbe,
416         0x01, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
417         0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
418     };
419     static const unsigned char key[64] = {
420         0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
421         0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
422         0x01, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
423         0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
424         0x02, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
425         0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
426         0x03, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
427         0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
428     };
429     static const unsigned char iv[16] = {
430         0x0f, 0x0e, 0x0d, 0x0c, 0x0b, 0x0a, 0x09, 0x08,
431         0x07, 0x06, 0x05, 0x04, 0x03, 0x02, 0x01, 0x00
432     };
433     const char *name = sk_OPENSSL_STRING_value(cipher_names, test_id);
434 
435     if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new()))
436         goto err;
437 
438     TEST_note("Fetching %s\n", name);
439     if (!TEST_ptr(cipher = EVP_CIPHER_fetch(libctx, name, NULL)))
440         goto err;
441 
442     in_len = EVP_CIPHER_get_block_size(cipher) / 2;
443 
444     /* skip any ciphers that don't allow partial updates */
445     if (((EVP_CIPHER_get_flags(cipher)
446           & (EVP_CIPH_FLAG_CTS | EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK)) != 0)
447         || EVP_CIPHER_get_mode(cipher) == EVP_CIPH_CCM_MODE
448         || EVP_CIPHER_get_mode(cipher) == EVP_CIPH_XTS_MODE
449         || EVP_CIPHER_get_mode(cipher) == EVP_CIPH_WRAP_MODE) {
450         ret = 1;
451         goto err;
452     }
453 
454     if (!TEST_true(EVP_EncryptInit_ex(ctx, cipher, NULL, key, iv))
455         || !TEST_true(EVP_EncryptUpdate(ctx, out1, &out1_len, in, in_len))
456         || !TEST_true(EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv))
457         || !TEST_true(EVP_EncryptUpdate(ctx, out2, &out2_len, in, in_len)))
458         goto err;
459 
460     if (!TEST_mem_eq(out1, out1_len, out2, out2_len))
461         goto err;
462 
463     if (EVP_CIPHER_get_mode(cipher) != EVP_CIPH_SIV_MODE) {
464         if (!TEST_true(EVP_EncryptInit_ex(ctx, NULL, NULL, NULL, iv))
465             || !TEST_true(EVP_EncryptUpdate(ctx, out3, &out3_len, in, in_len)))
466             goto err;
467 
468         if (!TEST_mem_eq(out1, out1_len, out3, out3_len))
469             goto err;
470     }
471     ret = 1;
472 err:
473     EVP_CIPHER_free(cipher);
474     EVP_CIPHER_CTX_free(ctx);
475     return ret;
476 }
477 
478 
name_cmp(const char * const * a,const char * const * b)479 static int name_cmp(const char * const *a, const char * const *b)
480 {
481     return strcasecmp(*a, *b);
482 }
483 
collect_cipher_names(EVP_CIPHER * cipher,void * cipher_names_list)484 static void collect_cipher_names(EVP_CIPHER *cipher, void *cipher_names_list)
485 {
486     STACK_OF(OPENSSL_STRING) *names = cipher_names_list;
487     const char *name = EVP_CIPHER_get0_name(cipher);
488     char *namedup = NULL;
489 
490     assert(name != NULL);
491     /* the cipher will be freed after returning, strdup is needed */
492     if ((namedup = OPENSSL_strdup(name)) != NULL
493         && !sk_OPENSSL_STRING_push(names, namedup))
494         OPENSSL_free(namedup);
495 }
496 
rsa_keygen(int bits,EVP_PKEY ** pub,EVP_PKEY ** priv)497 static int rsa_keygen(int bits, EVP_PKEY **pub, EVP_PKEY **priv)
498 {
499     int ret = 0;
500     unsigned char *pub_der = NULL;
501     const unsigned char *pp = NULL;
502     size_t len = 0;
503     OSSL_ENCODER_CTX *ectx = NULL;
504 
505     if (!TEST_ptr(*priv = EVP_PKEY_Q_keygen(libctx, NULL, "RSA", bits))
506         || !TEST_ptr(ectx =
507                      OSSL_ENCODER_CTX_new_for_pkey(*priv,
508                                                    EVP_PKEY_PUBLIC_KEY,
509                                                    "DER", "type-specific",
510                                                    NULL))
511         || !TEST_true(OSSL_ENCODER_to_data(ectx, &pub_der, &len)))
512         goto err;
513     pp = pub_der;
514     if (!TEST_ptr(d2i_PublicKey(EVP_PKEY_RSA, pub, &pp, len)))
515         goto err;
516     ret = 1;
517 err:
518     OSSL_ENCODER_CTX_free(ectx);
519     OPENSSL_free(pub_der);
520     return ret;
521 }
522 
kem_rsa_gen_recover(void)523 static int kem_rsa_gen_recover(void)
524 {
525     int ret = 0;
526     EVP_PKEY *pub = NULL;
527     EVP_PKEY *priv = NULL;
528     EVP_PKEY_CTX *sctx = NULL, *rctx = NULL, *dctx = NULL;
529     unsigned char secret[256] = { 0, };
530     unsigned char ct[256] = { 0, };
531     unsigned char unwrap[256] = { 0, };
532     size_t ctlen = 0, unwraplen = 0, secretlen = 0;
533     int bits = 2048;
534 
535     ret = TEST_true(rsa_keygen(bits, &pub, &priv))
536           && TEST_ptr(sctx = EVP_PKEY_CTX_new_from_pkey(libctx, pub, NULL))
537           && TEST_int_eq(EVP_PKEY_encapsulate_init(sctx, NULL), 1)
538           && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(sctx, "RSASVE"), 1)
539           && TEST_ptr(dctx = EVP_PKEY_CTX_dup(sctx))
540           && TEST_int_eq(EVP_PKEY_encapsulate(dctx, NULL, &ctlen, NULL,
541                                               &secretlen), 1)
542           && TEST_int_eq(ctlen, secretlen)
543           && TEST_int_eq(ctlen, bits / 8)
544           && TEST_int_eq(EVP_PKEY_encapsulate(dctx, ct, &ctlen, secret,
545                                               &secretlen), 1)
546           && TEST_ptr(rctx = EVP_PKEY_CTX_new_from_pkey(libctx, priv, NULL))
547           && TEST_int_eq(EVP_PKEY_decapsulate_init(rctx, NULL), 1)
548           && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(rctx, "RSASVE"), 1)
549           && TEST_int_eq(EVP_PKEY_decapsulate(rctx, NULL, &unwraplen,
550                                               ct, ctlen), 1)
551           && TEST_int_eq(EVP_PKEY_decapsulate(rctx, unwrap, &unwraplen,
552                                               ct, ctlen), 1)
553           && TEST_mem_eq(unwrap, unwraplen, secret, secretlen);
554     EVP_PKEY_free(pub);
555     EVP_PKEY_free(priv);
556     EVP_PKEY_CTX_free(rctx);
557     EVP_PKEY_CTX_free(dctx);
558     EVP_PKEY_CTX_free(sctx);
559     return ret;
560 }
561 
562 #ifndef OPENSSL_NO_DES
563 /*
564  * This test makes sure that EVP_CIPHER_CTX_rand_key() works correctly
565  * For fips mode this code would produce an error if the flag is not set.
566  */
test_cipher_tdes_randkey(void)567 static int test_cipher_tdes_randkey(void)
568 {
569     int ret;
570     EVP_CIPHER_CTX *ctx = NULL;
571     EVP_CIPHER *tdes_cipher = NULL, *aes_cipher = NULL;
572     unsigned char key[24] = { 0 };
573 
574     ret = TEST_ptr(aes_cipher = EVP_CIPHER_fetch(libctx, "AES-256-CBC", NULL))
575           && TEST_int_eq(EVP_CIPHER_get_flags(aes_cipher) & EVP_CIPH_RAND_KEY, 0)
576           && TEST_ptr(tdes_cipher = EVP_CIPHER_fetch(libctx, "DES-EDE3-CBC", NULL))
577           && TEST_int_ne(EVP_CIPHER_get_flags(tdes_cipher) & EVP_CIPH_RAND_KEY, 0)
578           && TEST_ptr(ctx = EVP_CIPHER_CTX_new())
579           && TEST_true(EVP_CipherInit_ex(ctx, tdes_cipher, NULL, NULL, NULL, 1))
580           && TEST_true(EVP_CIPHER_CTX_rand_key(ctx, key));
581 
582     EVP_CIPHER_CTX_free(ctx);
583     EVP_CIPHER_free(tdes_cipher);
584     EVP_CIPHER_free(aes_cipher);
585     return ret;
586 }
587 #endif /* OPENSSL_NO_DES */
588 
kem_rsa_params(void)589 static int kem_rsa_params(void)
590 {
591     int ret = 0;
592     EVP_PKEY *pub = NULL;
593     EVP_PKEY *priv = NULL;
594     EVP_PKEY_CTX *pubctx = NULL, *privctx = NULL;
595     unsigned char secret[256] = { 0, };
596     unsigned char ct[256] = { 0, };
597     size_t ctlen = 0, secretlen = 0;
598 
599     ret = TEST_true(rsa_keygen(2048, &pub, &priv))
600           && TEST_ptr(pubctx = EVP_PKEY_CTX_new_from_pkey(libctx, pub, NULL))
601           && TEST_ptr(privctx = EVP_PKEY_CTX_new_from_pkey(libctx, priv, NULL))
602           /* Test setting kem op before the init fails */
603           && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(pubctx, "RSASVE"), -2)
604           /* Test NULL ctx passed */
605           && TEST_int_eq(EVP_PKEY_encapsulate_init(NULL, NULL), 0)
606           && TEST_int_eq(EVP_PKEY_encapsulate(NULL, NULL, NULL, NULL, NULL), 0)
607           && TEST_int_eq(EVP_PKEY_decapsulate_init(NULL, NULL), 0)
608           && TEST_int_eq(EVP_PKEY_decapsulate(NULL, NULL, NULL, NULL, 0), 0)
609           /* Test Invalid operation */
610           && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, NULL, NULL, NULL), -1)
611           && TEST_int_eq(EVP_PKEY_decapsulate(privctx, NULL, NULL, NULL, 0), 0)
612           /* Wrong key component - no secret should be returned on failure */
613           && TEST_int_eq(EVP_PKEY_decapsulate_init(pubctx, NULL), 1)
614           && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(pubctx, "RSASVE"), 1)
615           && TEST_int_eq(EVP_PKEY_decapsulate(pubctx, secret, &secretlen, ct,
616                                               sizeof(ct)), 0)
617           && TEST_uchar_eq(secret[0], 0)
618           /* Test encapsulate fails if the mode is not set */
619           && TEST_int_eq(EVP_PKEY_encapsulate_init(pubctx, NULL), 1)
620           && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, ct, &ctlen, secret, &secretlen), -2)
621           /* Test setting a bad kem ops fail */
622           && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(pubctx, "RSA"), 0)
623           && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(pubctx,  NULL), 0)
624           && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(NULL,  "RSASVE"), 0)
625           && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(NULL,  NULL), 0)
626           /* Test secretlen is optional */
627           && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(pubctx, "RSASVE"), 1)
628           && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, ct, &ctlen, secret, NULL), 1)
629           && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, &ctlen, NULL, NULL), 1)
630           /* Test outlen is optional */
631           && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, NULL, NULL, &secretlen), 1)
632           && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, ct, NULL, secret, &secretlen), 1)
633           /* test that either len must be set if out is NULL */
634           && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, NULL, NULL, NULL), 0)
635           && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, &ctlen, NULL, NULL), 1)
636           && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, NULL, NULL, &secretlen), 1)
637           && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, &ctlen, NULL, &secretlen), 1)
638           /* Secret buffer should be set if there is an output buffer */
639           && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, ct, &ctlen, NULL, NULL), 0)
640           /* Test that lengths are optional if ct is not NULL */
641           && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, ct, NULL, secret, NULL), 1)
642           /* Pass if secret or secret length are not NULL */
643           && TEST_int_eq(EVP_PKEY_decapsulate_init(privctx, NULL), 1)
644           && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(privctx, "RSASVE"), 1)
645           && TEST_int_eq(EVP_PKEY_decapsulate(privctx, secret, NULL, ct, sizeof(ct)), 1)
646           && TEST_int_eq(EVP_PKEY_decapsulate(privctx, NULL, &secretlen, ct, sizeof(ct)), 1)
647           && TEST_int_eq(secretlen, 256)
648           /* Fail if passed NULL arguments */
649           && TEST_int_eq(EVP_PKEY_decapsulate(privctx, NULL, NULL, ct, sizeof(ct)), 0)
650           && TEST_int_eq(EVP_PKEY_decapsulate(privctx, secret, &secretlen, NULL, 0), 0)
651           && TEST_int_eq(EVP_PKEY_decapsulate(privctx, secret, &secretlen, NULL, sizeof(ct)), 0)
652           && TEST_int_eq(EVP_PKEY_decapsulate(privctx, secret, &secretlen, ct, 0), 0);
653 
654     EVP_PKEY_free(pub);
655     EVP_PKEY_free(priv);
656     EVP_PKEY_CTX_free(pubctx);
657     EVP_PKEY_CTX_free(privctx);
658     return ret;
659 }
660 
661 #ifndef OPENSSL_NO_DH
gen_dh_key(void)662 static EVP_PKEY *gen_dh_key(void)
663 {
664     EVP_PKEY_CTX *gctx = NULL;
665     EVP_PKEY *pkey = NULL;
666     OSSL_PARAM params[2];
667 
668     params[0] = OSSL_PARAM_construct_utf8_string("group", "ffdhe2048", 0);
669     params[1] = OSSL_PARAM_construct_end();
670 
671     if (!TEST_ptr(gctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL))
672         || !TEST_true(EVP_PKEY_keygen_init(gctx))
673         || !TEST_true(EVP_PKEY_CTX_set_params(gctx, params))
674         || !TEST_true(EVP_PKEY_keygen(gctx, &pkey)))
675         goto err;
676 err:
677     EVP_PKEY_CTX_free(gctx);
678     return pkey;
679 }
680 
681 /* Fail if we try to use a dh key */
kem_invalid_keytype(void)682 static int kem_invalid_keytype(void)
683 {
684     int ret = 0;
685     EVP_PKEY *key = NULL;
686     EVP_PKEY_CTX *sctx = NULL;
687 
688     if (!TEST_ptr(key = gen_dh_key()))
689         goto done;
690 
691     if (!TEST_ptr(sctx = EVP_PKEY_CTX_new_from_pkey(libctx, key, NULL)))
692         goto done;
693     if (!TEST_int_eq(EVP_PKEY_encapsulate_init(sctx, NULL), -2))
694         goto done;
695 
696     ret = 1;
697 done:
698     EVP_PKEY_free(key);
699     EVP_PKEY_CTX_free(sctx);
700     return ret;
701 }
702 #endif /* OPENSSL_NO_DH */
703 
setup_tests(void)704 int setup_tests(void)
705 {
706     const char *prov_name = "default";
707     char *config_file = NULL;
708     OPTION_CHOICE o;
709 
710     while ((o = opt_next()) != OPT_EOF) {
711         switch (o) {
712         case OPT_PROVIDER_NAME:
713             prov_name = opt_arg();
714             break;
715         case OPT_CONFIG_FILE:
716             config_file = opt_arg();
717             break;
718         case OPT_TEST_CASES:
719            break;
720         default:
721         case OPT_ERR:
722             return 0;
723         }
724     }
725 
726     if (!test_get_libctx(&libctx, &nullprov, config_file, &libprov, prov_name))
727         return 0;
728 
729 #if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DH)
730     ADD_ALL_TESTS(test_dsa_param_keygen, 3 * 3 * 3);
731 #endif
732 #ifndef OPENSSL_NO_DH
733     ADD_ALL_TESTS(test_dh_safeprime_param_keygen, 3 * 3 * 3);
734     ADD_TEST(dhx_cert_load);
735 #endif
736 
737     if (!TEST_ptr(cipher_names = sk_OPENSSL_STRING_new(name_cmp)))
738         return 0;
739     EVP_CIPHER_do_all_provided(libctx, collect_cipher_names, cipher_names);
740 
741     ADD_ALL_TESTS(test_cipher_reinit, sk_OPENSSL_STRING_num(cipher_names));
742     ADD_ALL_TESTS(test_cipher_reinit_partialupdate,
743                   sk_OPENSSL_STRING_num(cipher_names));
744     ADD_TEST(kem_rsa_gen_recover);
745     ADD_TEST(kem_rsa_params);
746 #ifndef OPENSSL_NO_DH
747     ADD_TEST(kem_invalid_keytype);
748 #endif
749 #ifndef OPENSSL_NO_DES
750     ADD_TEST(test_cipher_tdes_randkey);
751 #endif
752     return 1;
753 }
754 
755 /* Because OPENSSL_free is a macro, it can't be passed as a function pointer */
string_free(char * m)756 static void string_free(char *m)
757 {
758     OPENSSL_free(m);
759 }
760 
cleanup_tests(void)761 void cleanup_tests(void)
762 {
763     sk_OPENSSL_STRING_pop_free(cipher_names, string_free);
764     OSSL_PROVIDER_unload(libprov);
765     OSSL_LIB_CTX_free(libctx);
766     OSSL_PROVIDER_unload(nullprov);
767 }
768