xref: /freebsd/crypto/openssl/test/evp_extra_test.c (revision 5b56413d04e608379c9a306373554a8e4d321bc0)
1 /*
2  * Copyright 2015-2024 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 /* We need to use some deprecated APIs */
11 #define OPENSSL_SUPPRESS_DEPRECATED
12 
13 #include <stdio.h>
14 #include <stdlib.h>
15 #include <string.h>
16 #include <openssl/bio.h>
17 #include <openssl/conf.h>
18 #include <openssl/crypto.h>
19 #include <openssl/err.h>
20 #include <openssl/evp.h>
21 #include <openssl/x509.h>
22 #include <openssl/pem.h>
23 #include <openssl/kdf.h>
24 #include <openssl/provider.h>
25 #include <openssl/core_names.h>
26 #include <openssl/params.h>
27 #include <openssl/param_build.h>
28 #include <openssl/dsa.h>
29 #include <openssl/dh.h>
30 #include <openssl/aes.h>
31 #include <openssl/decoder.h>
32 #include <openssl/rsa.h>
33 #include <openssl/engine.h>
34 #include <openssl/proverr.h>
35 #include "testutil.h"
36 #include "internal/nelem.h"
37 #include "internal/sizes.h"
38 #include "crypto/evp.h"
39 
40 #ifdef STATIC_LEGACY
41 OSSL_provider_init_fn ossl_legacy_provider_init;
42 #endif
43 
44 static OSSL_LIB_CTX *testctx = NULL;
45 static char *testpropq = NULL;
46 
47 static OSSL_PROVIDER *nullprov = NULL;
48 static OSSL_PROVIDER *deflprov = NULL;
49 static OSSL_PROVIDER *lgcyprov = NULL;
50 
51 /*
52  * kExampleRSAKeyDER is an RSA private key in ASN.1, DER format. Of course, you
53  * should never use this key anywhere but in an example.
54  */
55 static const unsigned char kExampleRSAKeyDER[] = {
56     0x30, 0x82, 0x02, 0x5c, 0x02, 0x01, 0x00, 0x02, 0x81, 0x81, 0x00, 0xf8,
57     0xb8, 0x6c, 0x83, 0xb4, 0xbc, 0xd9, 0xa8, 0x57, 0xc0, 0xa5, 0xb4, 0x59,
58     0x76, 0x8c, 0x54, 0x1d, 0x79, 0xeb, 0x22, 0x52, 0x04, 0x7e, 0xd3, 0x37,
59     0xeb, 0x41, 0xfd, 0x83, 0xf9, 0xf0, 0xa6, 0x85, 0x15, 0x34, 0x75, 0x71,
60     0x5a, 0x84, 0xa8, 0x3c, 0xd2, 0xef, 0x5a, 0x4e, 0xd3, 0xde, 0x97, 0x8a,
61     0xdd, 0xff, 0xbb, 0xcf, 0x0a, 0xaa, 0x86, 0x92, 0xbe, 0xb8, 0x50, 0xe4,
62     0xcd, 0x6f, 0x80, 0x33, 0x30, 0x76, 0x13, 0x8f, 0xca, 0x7b, 0xdc, 0xec,
63     0x5a, 0xca, 0x63, 0xc7, 0x03, 0x25, 0xef, 0xa8, 0x8a, 0x83, 0x58, 0x76,
64     0x20, 0xfa, 0x16, 0x77, 0xd7, 0x79, 0x92, 0x63, 0x01, 0x48, 0x1a, 0xd8,
65     0x7b, 0x67, 0xf1, 0x52, 0x55, 0x49, 0x4e, 0xd6, 0x6e, 0x4a, 0x5c, 0xd7,
66     0x7a, 0x37, 0x36, 0x0c, 0xde, 0xdd, 0x8f, 0x44, 0xe8, 0xc2, 0xa7, 0x2c,
67     0x2b, 0xb5, 0xaf, 0x64, 0x4b, 0x61, 0x07, 0x02, 0x03, 0x01, 0x00, 0x01,
68     0x02, 0x81, 0x80, 0x74, 0x88, 0x64, 0x3f, 0x69, 0x45, 0x3a, 0x6d, 0xc7,
69     0x7f, 0xb9, 0xa3, 0xc0, 0x6e, 0xec, 0xdc, 0xd4, 0x5a, 0xb5, 0x32, 0x85,
70     0x5f, 0x19, 0xd4, 0xf8, 0xd4, 0x3f, 0x3c, 0xfa, 0xc2, 0xf6, 0x5f, 0xee,
71     0xe6, 0xba, 0x87, 0x74, 0x2e, 0xc7, 0x0c, 0xd4, 0x42, 0xb8, 0x66, 0x85,
72     0x9c, 0x7b, 0x24, 0x61, 0xaa, 0x16, 0x11, 0xf6, 0xb5, 0xb6, 0xa4, 0x0a,
73     0xc9, 0x55, 0x2e, 0x81, 0xa5, 0x47, 0x61, 0xcb, 0x25, 0x8f, 0xc2, 0x15,
74     0x7b, 0x0e, 0x7c, 0x36, 0x9f, 0x3a, 0xda, 0x58, 0x86, 0x1c, 0x5b, 0x83,
75     0x79, 0xe6, 0x2b, 0xcc, 0xe6, 0xfa, 0x2c, 0x61, 0xf2, 0x78, 0x80, 0x1b,
76     0xe2, 0xf3, 0x9d, 0x39, 0x2b, 0x65, 0x57, 0x91, 0x3d, 0x71, 0x99, 0x73,
77     0xa5, 0xc2, 0x79, 0x20, 0x8c, 0x07, 0x4f, 0xe5, 0xb4, 0x60, 0x1f, 0x99,
78     0xa2, 0xb1, 0x4f, 0x0c, 0xef, 0xbc, 0x59, 0x53, 0x00, 0x7d, 0xb1, 0x02,
79     0x41, 0x00, 0xfc, 0x7e, 0x23, 0x65, 0x70, 0xf8, 0xce, 0xd3, 0x40, 0x41,
80     0x80, 0x6a, 0x1d, 0x01, 0xd6, 0x01, 0xff, 0xb6, 0x1b, 0x3d, 0x3d, 0x59,
81     0x09, 0x33, 0x79, 0xc0, 0x4f, 0xde, 0x96, 0x27, 0x4b, 0x18, 0xc6, 0xd9,
82     0x78, 0xf1, 0xf4, 0x35, 0x46, 0xe9, 0x7c, 0x42, 0x7a, 0x5d, 0x9f, 0xef,
83     0x54, 0xb8, 0xf7, 0x9f, 0xc4, 0x33, 0x6c, 0xf3, 0x8c, 0x32, 0x46, 0x87,
84     0x67, 0x30, 0x7b, 0xa7, 0xac, 0xe3, 0x02, 0x41, 0x00, 0xfc, 0x2c, 0xdf,
85     0x0c, 0x0d, 0x88, 0xf5, 0xb1, 0x92, 0xa8, 0x93, 0x47, 0x63, 0x55, 0xf5,
86     0xca, 0x58, 0x43, 0xba, 0x1c, 0xe5, 0x9e, 0xb6, 0x95, 0x05, 0xcd, 0xb5,
87     0x82, 0xdf, 0xeb, 0x04, 0x53, 0x9d, 0xbd, 0xc2, 0x38, 0x16, 0xb3, 0x62,
88     0xdd, 0xa1, 0x46, 0xdb, 0x6d, 0x97, 0x93, 0x9f, 0x8a, 0xc3, 0x9b, 0x64,
89     0x7e, 0x42, 0xe3, 0x32, 0x57, 0x19, 0x1b, 0xd5, 0x6e, 0x85, 0xfa, 0xb8,
90     0x8d, 0x02, 0x41, 0x00, 0xbc, 0x3d, 0xde, 0x6d, 0xd6, 0x97, 0xe8, 0xba,
91     0x9e, 0x81, 0x37, 0x17, 0xe5, 0xa0, 0x64, 0xc9, 0x00, 0xb7, 0xe7, 0xfe,
92     0xf4, 0x29, 0xd9, 0x2e, 0x43, 0x6b, 0x19, 0x20, 0xbd, 0x99, 0x75, 0xe7,
93     0x76, 0xf8, 0xd3, 0xae, 0xaf, 0x7e, 0xb8, 0xeb, 0x81, 0xf4, 0x9d, 0xfe,
94     0x07, 0x2b, 0x0b, 0x63, 0x0b, 0x5a, 0x55, 0x90, 0x71, 0x7d, 0xf1, 0xdb,
95     0xd9, 0xb1, 0x41, 0x41, 0x68, 0x2f, 0x4e, 0x39, 0x02, 0x40, 0x5a, 0x34,
96     0x66, 0xd8, 0xf5, 0xe2, 0x7f, 0x18, 0xb5, 0x00, 0x6e, 0x26, 0x84, 0x27,
97     0x14, 0x93, 0xfb, 0xfc, 0xc6, 0x0f, 0x5e, 0x27, 0xe6, 0xe1, 0xe9, 0xc0,
98     0x8a, 0xe4, 0x34, 0xda, 0xe9, 0xa2, 0x4b, 0x73, 0xbc, 0x8c, 0xb9, 0xba,
99     0x13, 0x6c, 0x7a, 0x2b, 0x51, 0x84, 0xa3, 0x4a, 0xe0, 0x30, 0x10, 0x06,
100     0x7e, 0xed, 0x17, 0x5a, 0x14, 0x00, 0xc9, 0xef, 0x85, 0xea, 0x52, 0x2c,
101     0xbc, 0x65, 0x02, 0x40, 0x51, 0xe3, 0xf2, 0x83, 0x19, 0x9b, 0xc4, 0x1e,
102     0x2f, 0x50, 0x3d, 0xdf, 0x5a, 0xa2, 0x18, 0xca, 0x5f, 0x2e, 0x49, 0xaf,
103     0x6f, 0xcc, 0xfa, 0x65, 0x77, 0x94, 0xb5, 0xa1, 0x0a, 0xa9, 0xd1, 0x8a,
104     0x39, 0x37, 0xf4, 0x0b, 0xa0, 0xd7, 0x82, 0x27, 0x5e, 0xae, 0x17, 0x17,
105     0xa1, 0x1e, 0x54, 0x34, 0xbf, 0x6e, 0xc4, 0x8e, 0x99, 0x5d, 0x08, 0xf1,
106     0x2d, 0x86, 0x9d, 0xa5, 0x20, 0x1b, 0xe5, 0xdf,
107 };
108 
109 /*
110 * kExampleDSAKeyDER is a DSA private key in ASN.1, DER format. Of course, you
111  * should never use this key anywhere but in an example.
112  */
113 #ifndef OPENSSL_NO_DSA
114 static const unsigned char kExampleDSAKeyDER[] = {
115     0x30, 0x82, 0x01, 0xba, 0x02, 0x01, 0x00, 0x02, 0x81, 0x81, 0x00, 0x9a,
116     0x05, 0x6d, 0x33, 0xcd, 0x5d, 0x78, 0xa1, 0xbb, 0xcb, 0x7d, 0x5b, 0x8d,
117     0xb4, 0xcc, 0xbf, 0x03, 0x99, 0x64, 0xde, 0x38, 0x78, 0x06, 0x15, 0x2f,
118     0x86, 0x26, 0x77, 0xf3, 0xb1, 0x85, 0x00, 0xed, 0xfc, 0x28, 0x3a, 0x42,
119     0x4d, 0xab, 0xab, 0xdf, 0xbc, 0x9c, 0x16, 0xd0, 0x22, 0x50, 0xd1, 0x38,
120     0xdd, 0x3f, 0x64, 0x05, 0x9e, 0x68, 0x7a, 0x1e, 0xf1, 0x56, 0xbf, 0x1e,
121     0x2c, 0xc5, 0x97, 0x2a, 0xfe, 0x7a, 0x22, 0xdc, 0x6c, 0x68, 0xb8, 0x2e,
122     0x06, 0xdb, 0x41, 0xca, 0x98, 0xd8, 0x54, 0xc7, 0x64, 0x48, 0x24, 0x04,
123     0x20, 0xbc, 0x59, 0xe3, 0x6b, 0xea, 0x7e, 0xfc, 0x7e, 0xc5, 0x4e, 0xd4,
124     0xd8, 0x3a, 0xed, 0xcd, 0x5d, 0x99, 0xb8, 0x5c, 0xa2, 0x8b, 0xbb, 0x0b,
125     0xac, 0xe6, 0x8e, 0x25, 0x56, 0x22, 0x3a, 0x2d, 0x3a, 0x56, 0x41, 0x14,
126     0x1f, 0x1c, 0x8f, 0x53, 0x46, 0x13, 0x85, 0x02, 0x15, 0x00, 0x98, 0x7e,
127     0x92, 0x81, 0x88, 0xc7, 0x3f, 0x70, 0x49, 0x54, 0xf6, 0x76, 0xb4, 0xa3,
128     0x9e, 0x1d, 0x45, 0x98, 0x32, 0x7f, 0x02, 0x81, 0x80, 0x69, 0x4d, 0xef,
129     0x55, 0xff, 0x4d, 0x59, 0x2c, 0x01, 0xfa, 0x6a, 0x38, 0xe0, 0x70, 0x9f,
130     0x9e, 0x66, 0x8e, 0x3e, 0x8c, 0x52, 0x22, 0x9d, 0x15, 0x7e, 0x3c, 0xef,
131     0x4c, 0x7a, 0x61, 0x26, 0xe0, 0x2b, 0x81, 0x3f, 0xeb, 0xaf, 0x35, 0x38,
132     0x8d, 0xfe, 0xed, 0x46, 0xff, 0x5f, 0x03, 0x9b, 0x81, 0x92, 0xe7, 0x6f,
133     0x76, 0x4f, 0x1d, 0xd9, 0xbb, 0x89, 0xc9, 0x3e, 0xd9, 0x0b, 0xf9, 0xf4,
134     0x78, 0x11, 0x59, 0xc0, 0x1d, 0xcd, 0x0e, 0xa1, 0x6f, 0x15, 0xf1, 0x4d,
135     0xc1, 0xc9, 0x22, 0xed, 0x8d, 0xad, 0x67, 0xc5, 0x4b, 0x95, 0x93, 0x86,
136     0xa6, 0xaf, 0x8a, 0xee, 0x06, 0x89, 0x2f, 0x37, 0x7e, 0x64, 0xaa, 0xf6,
137     0xe7, 0xb1, 0x5a, 0x0a, 0x93, 0x95, 0x5d, 0x3e, 0x53, 0x9a, 0xde, 0x8a,
138     0xc2, 0x95, 0x45, 0x81, 0xbe, 0x5c, 0x2f, 0xc2, 0xb2, 0x92, 0x58, 0x19,
139     0x72, 0x80, 0xe9, 0x79, 0xa1, 0x02, 0x81, 0x80, 0x07, 0xd7, 0x62, 0xff,
140     0xdf, 0x1a, 0x3f, 0xed, 0x32, 0xd4, 0xd4, 0x88, 0x7b, 0x2c, 0x63, 0x7f,
141     0x97, 0xdc, 0x44, 0xd4, 0x84, 0xa2, 0xdd, 0x17, 0x16, 0x85, 0x13, 0xe0,
142     0xac, 0x51, 0x8d, 0x29, 0x1b, 0x75, 0x9a, 0xe4, 0xe3, 0x8a, 0x92, 0x69,
143     0x09, 0x03, 0xc5, 0x68, 0xae, 0x5e, 0x94, 0xfe, 0xc9, 0x92, 0x6c, 0x07,
144     0xb4, 0x1e, 0x64, 0x62, 0x87, 0xc6, 0xa4, 0xfd, 0x0d, 0x5f, 0xe5, 0xf9,
145     0x1b, 0x4f, 0x85, 0x5f, 0xae, 0xf3, 0x11, 0xe5, 0x18, 0xd4, 0x4d, 0x79,
146     0x9f, 0xc4, 0x79, 0x26, 0x04, 0x27, 0xf0, 0x0b, 0xee, 0x2b, 0x86, 0x9f,
147     0x86, 0x61, 0xe6, 0x51, 0xce, 0x04, 0x9b, 0x5d, 0x6b, 0x34, 0x43, 0x8c,
148     0x85, 0x3c, 0xf1, 0x51, 0x9b, 0x08, 0x23, 0x1b, 0xf5, 0x7e, 0x33, 0x12,
149     0xea, 0xab, 0x1f, 0xb7, 0x2d, 0xe2, 0x5f, 0xe6, 0x97, 0x99, 0xb5, 0x45,
150     0x16, 0x5b, 0xc3, 0x41, 0x02, 0x14, 0x61, 0xbf, 0x51, 0x60, 0xcf, 0xc8,
151     0xf1, 0x8c, 0x82, 0x97, 0xf2, 0xf4, 0x19, 0xba, 0x2b, 0xf3, 0x16, 0xbe,
152     0x40, 0x48
153 };
154 #endif
155 
156 /*
157  * kExampleBadRSAKeyDER is an RSA private key in ASN.1, DER format. The private
158  * components are not correct.
159  */
160 static const unsigned char kExampleBadRSAKeyDER[] = {
161     0x30, 0x82, 0x04, 0x27, 0x02, 0x01, 0x00, 0x02, 0x82, 0x01, 0x01, 0x00,
162     0xa6, 0x1a, 0x1e, 0x6e, 0x7b, 0xee, 0xc6, 0x89, 0x66, 0xe7, 0x93, 0xef,
163     0x54, 0x12, 0x68, 0xea, 0xbf, 0x86, 0x2f, 0xdd, 0xd2, 0x79, 0xb8, 0xa9,
164     0x6e, 0x03, 0xc2, 0xa3, 0xb9, 0xa3, 0xe1, 0x4b, 0x2a, 0xb3, 0xf8, 0xb4,
165     0xcd, 0xea, 0xbe, 0x24, 0xa6, 0x57, 0x5b, 0x83, 0x1f, 0x0f, 0xf2, 0xd3,
166     0xb7, 0xac, 0x7e, 0xd6, 0x8e, 0x6e, 0x1e, 0xbf, 0xb8, 0x73, 0x8c, 0x05,
167     0x56, 0xe6, 0x35, 0x1f, 0xe9, 0x04, 0x0b, 0x09, 0x86, 0x7d, 0xf1, 0x26,
168     0x08, 0x99, 0xad, 0x7b, 0xc8, 0x4d, 0x94, 0xb0, 0x0b, 0x8b, 0x38, 0xa0,
169     0x5c, 0x62, 0xa0, 0xab, 0xd3, 0x8f, 0xd4, 0x09, 0x60, 0x72, 0x1e, 0x33,
170     0x50, 0x80, 0x6e, 0x22, 0xa6, 0x77, 0x57, 0x6b, 0x9a, 0x33, 0x21, 0x66,
171     0x87, 0x6e, 0x21, 0x7b, 0xc7, 0x24, 0x0e, 0xd8, 0x13, 0xdf, 0x83, 0xde,
172     0xcd, 0x40, 0x58, 0x1d, 0x84, 0x86, 0xeb, 0xb8, 0x12, 0x4e, 0xd2, 0xfa,
173     0x80, 0x1f, 0xe4, 0xe7, 0x96, 0x29, 0xb8, 0xcc, 0xce, 0x66, 0x6d, 0x53,
174     0xca, 0xb9, 0x5a, 0xd7, 0xf6, 0x84, 0x6c, 0x2d, 0x9a, 0x1a, 0x14, 0x1c,
175     0x4e, 0x93, 0x39, 0xba, 0x74, 0xed, 0xed, 0x87, 0x87, 0x5e, 0x48, 0x75,
176     0x36, 0xf0, 0xbc, 0x34, 0xfb, 0x29, 0xf9, 0x9f, 0x96, 0x5b, 0x0b, 0xa7,
177     0x54, 0x30, 0x51, 0x29, 0x18, 0x5b, 0x7d, 0xac, 0x0f, 0xd6, 0x5f, 0x7c,
178     0xf8, 0x98, 0x8c, 0xd8, 0x86, 0x62, 0xb3, 0xdc, 0xff, 0x0f, 0xff, 0x7a,
179     0xaf, 0x5c, 0x4c, 0x61, 0x49, 0x2e, 0xc8, 0x95, 0x86, 0xc4, 0x0e, 0x87,
180     0xfc, 0x1d, 0xcf, 0x8b, 0x7c, 0x61, 0xf6, 0xd8, 0xd0, 0x69, 0xf6, 0xcd,
181     0x8a, 0x8c, 0xf6, 0x62, 0xa2, 0x56, 0xa9, 0xe3, 0xd1, 0xcf, 0x4d, 0xa0,
182     0xf6, 0x2d, 0x20, 0x0a, 0x04, 0xb7, 0xa2, 0xf7, 0xb5, 0x99, 0x47, 0x18,
183     0x56, 0x85, 0x87, 0xc7, 0x02, 0x03, 0x01, 0x00, 0x01, 0x02, 0x82, 0x01,
184     0x01, 0x00, 0x99, 0x41, 0x38, 0x1a, 0xd0, 0x96, 0x7a, 0xf0, 0x83, 0xd5,
185     0xdf, 0x94, 0xce, 0x89, 0x3d, 0xec, 0x7a, 0x52, 0x21, 0x10, 0x16, 0x06,
186     0xe0, 0xee, 0xd2, 0xe6, 0xfd, 0x4b, 0x7b, 0x19, 0x4d, 0xe1, 0xc0, 0xc0,
187     0xd5, 0x14, 0x5d, 0x79, 0xdd, 0x7e, 0x8b, 0x4b, 0xc6, 0xcf, 0xb0, 0x75,
188     0x52, 0xa3, 0x2d, 0xb1, 0x26, 0x46, 0x68, 0x9c, 0x0a, 0x1a, 0xf2, 0xe1,
189     0x09, 0xac, 0x53, 0x85, 0x8c, 0x36, 0xa9, 0x14, 0x65, 0xea, 0xa0, 0x00,
190     0xcb, 0xe3, 0x3f, 0xc4, 0x2b, 0x61, 0x2e, 0x6b, 0x06, 0x69, 0x77, 0xfd,
191     0x38, 0x7e, 0x1d, 0x3f, 0x92, 0xe7, 0x77, 0x08, 0x19, 0xa7, 0x9d, 0x29,
192     0x2d, 0xdc, 0x42, 0xc6, 0x7c, 0xd7, 0xd3, 0xa8, 0x01, 0x2c, 0xf2, 0xd5,
193     0x82, 0x57, 0xcb, 0x55, 0x3d, 0xe7, 0xaa, 0xd2, 0x06, 0x30, 0x30, 0x05,
194     0xe6, 0xf2, 0x47, 0x86, 0xba, 0xc6, 0x61, 0x64, 0xeb, 0x4f, 0x2a, 0x5e,
195     0x07, 0x29, 0xe0, 0x96, 0xb2, 0x43, 0xff, 0x5f, 0x1a, 0x54, 0x16, 0xcf,
196     0xb5, 0x56, 0x5c, 0xa0, 0x9b, 0x0c, 0xfd, 0xb3, 0xd2, 0xe3, 0x79, 0x1d,
197     0x21, 0xe2, 0xd6, 0x13, 0xc4, 0x74, 0xa6, 0xf5, 0x8e, 0x8e, 0x81, 0xbb,
198     0xb4, 0xad, 0x8a, 0xf0, 0x93, 0x0a, 0xd8, 0x0a, 0x42, 0x36, 0xbc, 0xe5,
199     0x26, 0x2a, 0x0d, 0x5d, 0x57, 0x13, 0xc5, 0x4e, 0x2f, 0x12, 0x0e, 0xef,
200     0xa7, 0x81, 0x1e, 0xc3, 0xa5, 0xdb, 0xc9, 0x24, 0xeb, 0x1a, 0xa1, 0xf9,
201     0xf6, 0xa1, 0x78, 0x98, 0x93, 0x77, 0x42, 0x45, 0x03, 0xe2, 0xc9, 0xa2,
202     0xfe, 0x2d, 0x77, 0xc8, 0xc6, 0xac, 0x9b, 0x98, 0x89, 0x6d, 0x9a, 0xe7,
203     0x61, 0x63, 0xb7, 0xf2, 0xec, 0xd6, 0xb1, 0xa1, 0x6e, 0x0a, 0x1a, 0xff,
204     0xfd, 0x43, 0x28, 0xc3, 0x0c, 0xdc, 0xf2, 0x47, 0x4f, 0x27, 0xaa, 0x99,
205     0x04, 0x8e, 0xac, 0xe8, 0x7c, 0x01, 0x02, 0x04, 0x12, 0x34, 0x56, 0x78,
206     0x02, 0x81, 0x81, 0x00, 0xca, 0x69, 0xe5, 0xbb, 0x3a, 0x90, 0x82, 0xcb,
207     0x82, 0x50, 0x2f, 0x29, 0xe2, 0x76, 0x6a, 0x57, 0x55, 0x45, 0x4e, 0x35,
208     0x18, 0x61, 0xe0, 0x12, 0x70, 0xc0, 0xab, 0xc7, 0x80, 0xa2, 0xd4, 0x46,
209     0x34, 0x03, 0xa0, 0x19, 0x26, 0x23, 0x9e, 0xef, 0x1a, 0xcb, 0x75, 0xd6,
210     0xba, 0x81, 0xf4, 0x7e, 0x52, 0xe5, 0x2a, 0xe8, 0xf1, 0x49, 0x6c, 0x0f,
211     0x1a, 0xa0, 0xf9, 0xc6, 0xe7, 0xec, 0x60, 0xe4, 0xcb, 0x2a, 0xb5, 0x56,
212     0xe9, 0x9c, 0xcd, 0x19, 0x75, 0x92, 0xb1, 0x66, 0xce, 0xc3, 0xd9, 0x3d,
213     0x11, 0xcb, 0xc4, 0x09, 0xce, 0x1e, 0x30, 0xba, 0x2f, 0x60, 0x60, 0x55,
214     0x8d, 0x02, 0xdc, 0x5d, 0xaf, 0xf7, 0x52, 0x31, 0x17, 0x07, 0x53, 0x20,
215     0x33, 0xad, 0x8c, 0xd5, 0x2f, 0x5a, 0xd0, 0x57, 0xd7, 0xd1, 0x80, 0xd6,
216     0x3a, 0x9b, 0x04, 0x4f, 0x35, 0xbf, 0xe7, 0xd5, 0xbc, 0x8f, 0xd4, 0x81,
217     0x02, 0x81, 0x81, 0x00, 0xc0, 0x9f, 0xf8, 0xcd, 0xf7, 0x3f, 0x26, 0x8a,
218     0x3d, 0x4d, 0x2b, 0x0c, 0x01, 0xd0, 0xa2, 0xb4, 0x18, 0xfe, 0xf7, 0x5e,
219     0x2f, 0x06, 0x13, 0xcd, 0x63, 0xaa, 0x12, 0xa9, 0x24, 0x86, 0xe3, 0xf3,
220     0x7b, 0xda, 0x1a, 0x3c, 0xb1, 0x38, 0x80, 0x80, 0xef, 0x64, 0x64, 0xa1,
221     0x9b, 0xfe, 0x76, 0x63, 0x8e, 0x83, 0xd2, 0xd9, 0xb9, 0x86, 0xb0, 0xe6,
222     0xa6, 0x0c, 0x7e, 0xa8, 0x84, 0x90, 0x98, 0x0c, 0x1e, 0xf3, 0x14, 0x77,
223     0xe0, 0x5f, 0x81, 0x08, 0x11, 0x8f, 0xa6, 0x23, 0xc4, 0xba, 0xc0, 0x8a,
224     0xe4, 0xc6, 0xe3, 0x5c, 0xbe, 0xc5, 0xec, 0x2c, 0xb9, 0xd8, 0x8c, 0x4d,
225     0x1a, 0x9d, 0xe7, 0x7c, 0x85, 0x4c, 0x0d, 0x71, 0x4e, 0x72, 0x33, 0x1b,
226     0xfe, 0xa9, 0x17, 0x72, 0x76, 0x56, 0x9d, 0x74, 0x7e, 0x52, 0x67, 0x9a,
227     0x87, 0x9a, 0xdb, 0x30, 0xde, 0xe4, 0x49, 0x28, 0x3b, 0xd2, 0x67, 0xaf,
228     0x02, 0x81, 0x81, 0x00, 0x89, 0x74, 0x9a, 0x8e, 0xa7, 0xb9, 0xa5, 0x28,
229     0xc0, 0x68, 0xe5, 0x6e, 0x63, 0x1c, 0x99, 0x20, 0x8f, 0x86, 0x8e, 0x12,
230     0x9e, 0x69, 0x30, 0xfa, 0x34, 0xd9, 0x92, 0x8d, 0xdb, 0x7c, 0x37, 0xfd,
231     0x28, 0xab, 0x61, 0x98, 0x52, 0x7f, 0x14, 0x1a, 0x39, 0xae, 0xfb, 0x6a,
232     0x03, 0xa3, 0xe6, 0xbd, 0xb6, 0x5b, 0x6b, 0xe5, 0x5e, 0x9d, 0xc6, 0xa5,
233     0x07, 0x27, 0x54, 0x17, 0xd0, 0x3d, 0x84, 0x9b, 0x3a, 0xa0, 0xd9, 0x1e,
234     0x99, 0x6c, 0x63, 0x17, 0xab, 0xf1, 0x1f, 0x49, 0xba, 0x95, 0xe3, 0x3b,
235     0x86, 0x8f, 0x42, 0xa4, 0x89, 0xf5, 0x94, 0x8f, 0x8b, 0x46, 0xbe, 0x84,
236     0xba, 0x4a, 0xbc, 0x0d, 0x5f, 0x46, 0xeb, 0xe8, 0xec, 0x43, 0x8c, 0x1e,
237     0xad, 0x19, 0x69, 0x2f, 0x08, 0x86, 0x7a, 0x3f, 0x7d, 0x0f, 0x07, 0x97,
238     0xf3, 0x9a, 0x7b, 0xb5, 0xb2, 0xc1, 0x8c, 0x95, 0x68, 0x04, 0xa0, 0x81,
239     0x02, 0x81, 0x80, 0x4e, 0xbf, 0x7e, 0x1b, 0xcb, 0x13, 0x61, 0x75, 0x3b,
240     0xdb, 0x59, 0x5f, 0xb1, 0xd4, 0xb8, 0xeb, 0x9e, 0x73, 0xb5, 0xe7, 0xf6,
241     0x89, 0x3d, 0x1c, 0xda, 0xf0, 0x36, 0xff, 0x35, 0xbd, 0x1e, 0x0b, 0x74,
242     0xe3, 0x9e, 0xf0, 0xf2, 0xf7, 0xd7, 0x82, 0xb7, 0x7b, 0x6a, 0x1b, 0x0e,
243     0x30, 0x4a, 0x98, 0x0e, 0xb4, 0xf9, 0x81, 0x07, 0xe4, 0x75, 0x39, 0xe9,
244     0x53, 0xca, 0xbb, 0x5c, 0xaa, 0x93, 0x07, 0x0e, 0xa8, 0x2f, 0xba, 0x98,
245     0x49, 0x30, 0xa7, 0xcc, 0x1a, 0x3c, 0x68, 0x0c, 0xe1, 0xa4, 0xb1, 0x05,
246     0xe6, 0xe0, 0x25, 0x78, 0x58, 0x14, 0x37, 0xf5, 0x1f, 0xe3, 0x22, 0xef,
247     0xa8, 0x0e, 0x22, 0xa0, 0x94, 0x3a, 0xf6, 0xc9, 0x13, 0xe6, 0x06, 0xbf,
248     0x7f, 0x99, 0xc6, 0xcc, 0xd8, 0xc6, 0xbe, 0xd9, 0x2e, 0x24, 0xc7, 0x69,
249     0x8c, 0x95, 0xba, 0xf6, 0x04, 0xb3, 0x0a, 0xf4, 0xcb, 0xf0, 0xce,
250 };
251 
252 /*
253  * kExampleBad2RSAKeyDER is an RSA private key in ASN.1, DER format. All
254  * values are 0.
255  */
256 static const unsigned char kExampleBad2RSAKeyDER[] = {
257     0x30, 0x1b, 0x02, 0x01, 0x00, 0x02, 0x01, 0x00, 0x02, 0x01, 0x00, 0x02,
258     0x01, 0x00, 0x02, 0x01, 0x00, 0x02, 0x01, 0x00, 0x02, 0x01, 0x00, 0x02,
259     0x01, 0x00, 0x02, 0x01, 0x00
260 };
261 
262 static const unsigned char kMsg[] = { 1, 2, 3, 4 };
263 
264 static const unsigned char kSignature[] = {
265     0xa5, 0xf0, 0x8a, 0x47, 0x5d, 0x3c, 0xb3, 0xcc, 0xa9, 0x79, 0xaf, 0x4d,
266     0x8c, 0xae, 0x4c, 0x14, 0xef, 0xc2, 0x0b, 0x34, 0x36, 0xde, 0xf4, 0x3e,
267     0x3d, 0xbb, 0x4a, 0x60, 0x5c, 0xc8, 0x91, 0x28, 0xda, 0xfb, 0x7e, 0x04,
268     0x96, 0x7e, 0x63, 0x13, 0x90, 0xce, 0xb9, 0xb4, 0x62, 0x7a, 0xfd, 0x09,
269     0x3d, 0xc7, 0x67, 0x78, 0x54, 0x04, 0xeb, 0x52, 0x62, 0x6e, 0x24, 0x67,
270     0xb4, 0x40, 0xfc, 0x57, 0x62, 0xc6, 0xf1, 0x67, 0xc1, 0x97, 0x8f, 0x6a,
271     0xa8, 0xae, 0x44, 0x46, 0x5e, 0xab, 0x67, 0x17, 0x53, 0x19, 0x3a, 0xda,
272     0x5a, 0xc8, 0x16, 0x3e, 0x86, 0xd5, 0xc5, 0x71, 0x2f, 0xfc, 0x23, 0x48,
273     0xd9, 0x0b, 0x13, 0xdd, 0x7b, 0x5a, 0x25, 0x79, 0xef, 0xa5, 0x7b, 0x04,
274     0xed, 0x44, 0xf6, 0x18, 0x55, 0xe4, 0x0a, 0xe9, 0x57, 0x79, 0x5d, 0xd7,
275     0x55, 0xa7, 0xab, 0x45, 0x02, 0x97, 0x60, 0x42,
276 };
277 
278 /*
279  * kExampleRSAKeyPKCS8 is kExampleRSAKeyDER encoded in a PKCS #8
280  * PrivateKeyInfo.
281  */
282 static const unsigned char kExampleRSAKeyPKCS8[] = {
283     0x30, 0x82, 0x02, 0x76, 0x02, 0x01, 0x00, 0x30, 0x0d, 0x06, 0x09, 0x2a,
284     0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82,
285     0x02, 0x60, 0x30, 0x82, 0x02, 0x5c, 0x02, 0x01, 0x00, 0x02, 0x81, 0x81,
286     0x00, 0xf8, 0xb8, 0x6c, 0x83, 0xb4, 0xbc, 0xd9, 0xa8, 0x57, 0xc0, 0xa5,
287     0xb4, 0x59, 0x76, 0x8c, 0x54, 0x1d, 0x79, 0xeb, 0x22, 0x52, 0x04, 0x7e,
288     0xd3, 0x37, 0xeb, 0x41, 0xfd, 0x83, 0xf9, 0xf0, 0xa6, 0x85, 0x15, 0x34,
289     0x75, 0x71, 0x5a, 0x84, 0xa8, 0x3c, 0xd2, 0xef, 0x5a, 0x4e, 0xd3, 0xde,
290     0x97, 0x8a, 0xdd, 0xff, 0xbb, 0xcf, 0x0a, 0xaa, 0x86, 0x92, 0xbe, 0xb8,
291     0x50, 0xe4, 0xcd, 0x6f, 0x80, 0x33, 0x30, 0x76, 0x13, 0x8f, 0xca, 0x7b,
292     0xdc, 0xec, 0x5a, 0xca, 0x63, 0xc7, 0x03, 0x25, 0xef, 0xa8, 0x8a, 0x83,
293     0x58, 0x76, 0x20, 0xfa, 0x16, 0x77, 0xd7, 0x79, 0x92, 0x63, 0x01, 0x48,
294     0x1a, 0xd8, 0x7b, 0x67, 0xf1, 0x52, 0x55, 0x49, 0x4e, 0xd6, 0x6e, 0x4a,
295     0x5c, 0xd7, 0x7a, 0x37, 0x36, 0x0c, 0xde, 0xdd, 0x8f, 0x44, 0xe8, 0xc2,
296     0xa7, 0x2c, 0x2b, 0xb5, 0xaf, 0x64, 0x4b, 0x61, 0x07, 0x02, 0x03, 0x01,
297     0x00, 0x01, 0x02, 0x81, 0x80, 0x74, 0x88, 0x64, 0x3f, 0x69, 0x45, 0x3a,
298     0x6d, 0xc7, 0x7f, 0xb9, 0xa3, 0xc0, 0x6e, 0xec, 0xdc, 0xd4, 0x5a, 0xb5,
299     0x32, 0x85, 0x5f, 0x19, 0xd4, 0xf8, 0xd4, 0x3f, 0x3c, 0xfa, 0xc2, 0xf6,
300     0x5f, 0xee, 0xe6, 0xba, 0x87, 0x74, 0x2e, 0xc7, 0x0c, 0xd4, 0x42, 0xb8,
301     0x66, 0x85, 0x9c, 0x7b, 0x24, 0x61, 0xaa, 0x16, 0x11, 0xf6, 0xb5, 0xb6,
302     0xa4, 0x0a, 0xc9, 0x55, 0x2e, 0x81, 0xa5, 0x47, 0x61, 0xcb, 0x25, 0x8f,
303     0xc2, 0x15, 0x7b, 0x0e, 0x7c, 0x36, 0x9f, 0x3a, 0xda, 0x58, 0x86, 0x1c,
304     0x5b, 0x83, 0x79, 0xe6, 0x2b, 0xcc, 0xe6, 0xfa, 0x2c, 0x61, 0xf2, 0x78,
305     0x80, 0x1b, 0xe2, 0xf3, 0x9d, 0x39, 0x2b, 0x65, 0x57, 0x91, 0x3d, 0x71,
306     0x99, 0x73, 0xa5, 0xc2, 0x79, 0x20, 0x8c, 0x07, 0x4f, 0xe5, 0xb4, 0x60,
307     0x1f, 0x99, 0xa2, 0xb1, 0x4f, 0x0c, 0xef, 0xbc, 0x59, 0x53, 0x00, 0x7d,
308     0xb1, 0x02, 0x41, 0x00, 0xfc, 0x7e, 0x23, 0x65, 0x70, 0xf8, 0xce, 0xd3,
309     0x40, 0x41, 0x80, 0x6a, 0x1d, 0x01, 0xd6, 0x01, 0xff, 0xb6, 0x1b, 0x3d,
310     0x3d, 0x59, 0x09, 0x33, 0x79, 0xc0, 0x4f, 0xde, 0x96, 0x27, 0x4b, 0x18,
311     0xc6, 0xd9, 0x78, 0xf1, 0xf4, 0x35, 0x46, 0xe9, 0x7c, 0x42, 0x7a, 0x5d,
312     0x9f, 0xef, 0x54, 0xb8, 0xf7, 0x9f, 0xc4, 0x33, 0x6c, 0xf3, 0x8c, 0x32,
313     0x46, 0x87, 0x67, 0x30, 0x7b, 0xa7, 0xac, 0xe3, 0x02, 0x41, 0x00, 0xfc,
314     0x2c, 0xdf, 0x0c, 0x0d, 0x88, 0xf5, 0xb1, 0x92, 0xa8, 0x93, 0x47, 0x63,
315     0x55, 0xf5, 0xca, 0x58, 0x43, 0xba, 0x1c, 0xe5, 0x9e, 0xb6, 0x95, 0x05,
316     0xcd, 0xb5, 0x82, 0xdf, 0xeb, 0x04, 0x53, 0x9d, 0xbd, 0xc2, 0x38, 0x16,
317     0xb3, 0x62, 0xdd, 0xa1, 0x46, 0xdb, 0x6d, 0x97, 0x93, 0x9f, 0x8a, 0xc3,
318     0x9b, 0x64, 0x7e, 0x42, 0xe3, 0x32, 0x57, 0x19, 0x1b, 0xd5, 0x6e, 0x85,
319     0xfa, 0xb8, 0x8d, 0x02, 0x41, 0x00, 0xbc, 0x3d, 0xde, 0x6d, 0xd6, 0x97,
320     0xe8, 0xba, 0x9e, 0x81, 0x37, 0x17, 0xe5, 0xa0, 0x64, 0xc9, 0x00, 0xb7,
321     0xe7, 0xfe, 0xf4, 0x29, 0xd9, 0x2e, 0x43, 0x6b, 0x19, 0x20, 0xbd, 0x99,
322     0x75, 0xe7, 0x76, 0xf8, 0xd3, 0xae, 0xaf, 0x7e, 0xb8, 0xeb, 0x81, 0xf4,
323     0x9d, 0xfe, 0x07, 0x2b, 0x0b, 0x63, 0x0b, 0x5a, 0x55, 0x90, 0x71, 0x7d,
324     0xf1, 0xdb, 0xd9, 0xb1, 0x41, 0x41, 0x68, 0x2f, 0x4e, 0x39, 0x02, 0x40,
325     0x5a, 0x34, 0x66, 0xd8, 0xf5, 0xe2, 0x7f, 0x18, 0xb5, 0x00, 0x6e, 0x26,
326     0x84, 0x27, 0x14, 0x93, 0xfb, 0xfc, 0xc6, 0x0f, 0x5e, 0x27, 0xe6, 0xe1,
327     0xe9, 0xc0, 0x8a, 0xe4, 0x34, 0xda, 0xe9, 0xa2, 0x4b, 0x73, 0xbc, 0x8c,
328     0xb9, 0xba, 0x13, 0x6c, 0x7a, 0x2b, 0x51, 0x84, 0xa3, 0x4a, 0xe0, 0x30,
329     0x10, 0x06, 0x7e, 0xed, 0x17, 0x5a, 0x14, 0x00, 0xc9, 0xef, 0x85, 0xea,
330     0x52, 0x2c, 0xbc, 0x65, 0x02, 0x40, 0x51, 0xe3, 0xf2, 0x83, 0x19, 0x9b,
331     0xc4, 0x1e, 0x2f, 0x50, 0x3d, 0xdf, 0x5a, 0xa2, 0x18, 0xca, 0x5f, 0x2e,
332     0x49, 0xaf, 0x6f, 0xcc, 0xfa, 0x65, 0x77, 0x94, 0xb5, 0xa1, 0x0a, 0xa9,
333     0xd1, 0x8a, 0x39, 0x37, 0xf4, 0x0b, 0xa0, 0xd7, 0x82, 0x27, 0x5e, 0xae,
334     0x17, 0x17, 0xa1, 0x1e, 0x54, 0x34, 0xbf, 0x6e, 0xc4, 0x8e, 0x99, 0x5d,
335     0x08, 0xf1, 0x2d, 0x86, 0x9d, 0xa5, 0x20, 0x1b, 0xe5, 0xdf,
336 };
337 
338 #ifndef OPENSSL_NO_EC
339 /*
340  * kExampleECKeyDER is a sample EC private key encoded as an ECPrivateKey
341  * structure.
342  */
343 static const unsigned char kExampleECKeyDER[] = {
344     0x30, 0x77, 0x02, 0x01, 0x01, 0x04, 0x20, 0x07, 0x0f, 0x08, 0x72, 0x7a,
345     0xd4, 0xa0, 0x4a, 0x9c, 0xdd, 0x59, 0xc9, 0x4d, 0x89, 0x68, 0x77, 0x08,
346     0xb5, 0x6f, 0xc9, 0x5d, 0x30, 0x77, 0x0e, 0xe8, 0xd1, 0xc9, 0xce, 0x0a,
347     0x8b, 0xb4, 0x6a, 0xa0, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d,
348     0x03, 0x01, 0x07, 0xa1, 0x44, 0x03, 0x42, 0x00, 0x04, 0xe6, 0x2b, 0x69,
349     0xe2, 0xbf, 0x65, 0x9f, 0x97, 0xbe, 0x2f, 0x1e, 0x0d, 0x94, 0x8a, 0x4c,
350     0xd5, 0x97, 0x6b, 0xb7, 0xa9, 0x1e, 0x0d, 0x46, 0xfb, 0xdd, 0xa9, 0xa9,
351     0x1e, 0x9d, 0xdc, 0xba, 0x5a, 0x01, 0xe7, 0xd6, 0x97, 0xa8, 0x0a, 0x18,
352     0xf9, 0xc3, 0xc4, 0xa3, 0x1e, 0x56, 0xe2, 0x7c, 0x83, 0x48, 0xdb, 0x16,
353     0x1a, 0x1c, 0xf5, 0x1d, 0x7e, 0xf1, 0x94, 0x2d, 0x4b, 0xcf, 0x72, 0x22,
354     0xc1,
355 };
356 
357 /*
358  * kExampleBadECKeyDER is a sample EC private key encoded as an ECPrivateKey
359  * structure. The private key is equal to the order and will fail to import
360  */
361 static const unsigned char kExampleBadECKeyDER[] = {
362     0x30, 0x66, 0x02, 0x01, 0x00, 0x30, 0x13, 0x06, 0x07, 0x2A, 0x86, 0x48,
363     0xCE, 0x3D, 0x02, 0x01, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03,
364     0x01, 0x07, 0x04, 0x4C, 0x30, 0x4A, 0x02, 0x01, 0x01, 0x04, 0x20, 0xFF,
365     0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
366     0xFF, 0xFF, 0xFF, 0xBC, 0xE6, 0xFA, 0xAD, 0xA7, 0x17, 0x9E, 0x84, 0xF3,
367     0xB9, 0xCA, 0xC2, 0xFC, 0x63, 0x25, 0x51, 0xA1, 0x23, 0x03, 0x21, 0x00,
368     0x00, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
369     0xFF, 0xFF, 0xFF, 0xFF, 0xBC, 0xE6, 0xFA, 0xAD, 0xA7, 0x17, 0x9E, 0x84,
370     0xF3, 0xB9, 0xCA, 0xC2, 0xFC, 0x63, 0x25, 0x51
371 };
372 
373 /* prime256v1 */
374 static const unsigned char kExampleECPubKeyDER[] = {
375     0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02,
376     0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03,
377     0x42, 0x00, 0x04, 0xba, 0xeb, 0x83, 0xfb, 0x3b, 0xb2, 0xff, 0x30, 0x53,
378     0xdb, 0xce, 0x32, 0xf2, 0xac, 0xae, 0x44, 0x0d, 0x3d, 0x13, 0x53, 0xb8,
379     0xd1, 0x68, 0x55, 0xde, 0x44, 0x46, 0x05, 0xa6, 0xc9, 0xd2, 0x04, 0xb7,
380     0xe3, 0xa2, 0x96, 0xc8, 0xb2, 0x5e, 0x22, 0x03, 0xd7, 0x03, 0x7a, 0x8b,
381     0x13, 0x5c, 0x42, 0x49, 0xc2, 0xab, 0x86, 0xd6, 0xac, 0x6b, 0x93, 0x20,
382     0x56, 0x6a, 0xc6, 0xc8, 0xa5, 0x0b, 0xe5
383 };
384 
385 /*
386  * kExampleBadECPubKeyDER is a sample EC public key with a wrong OID
387  * 1.2.840.10045.2.2 instead of 1.2.840.10045.2.1 - EC Public Key
388  */
389 static const unsigned char kExampleBadECPubKeyDER[] = {
390     0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02,
391     0x02, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03,
392     0x42, 0x00, 0x04, 0xba, 0xeb, 0x83, 0xfb, 0x3b, 0xb2, 0xff, 0x30, 0x53,
393     0xdb, 0xce, 0x32, 0xf2, 0xac, 0xae, 0x44, 0x0d, 0x3d, 0x13, 0x53, 0xb8,
394     0xd1, 0x68, 0x55, 0xde, 0x44, 0x46, 0x05, 0xa6, 0xc9, 0xd2, 0x04, 0xb7,
395     0xe3, 0xa2, 0x96, 0xc8, 0xb2, 0x5e, 0x22, 0x03, 0xd7, 0x03, 0x7a, 0x8b,
396     0x13, 0x5c, 0x42, 0x49, 0xc2, 0xab, 0x86, 0xd6, 0xac, 0x6b, 0x93, 0x20,
397     0x56, 0x6a, 0xc6, 0xc8, 0xa5, 0x0b, 0xe5
398 };
399 
400 static const unsigned char pExampleECParamDER[] = {
401     0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07
402 };
403 
404 static const unsigned char kExampleED25519KeyDER[] = {
405     0x30, 0x2e, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70,
406     0x04, 0x22, 0x04, 0x20, 0xba, 0x7b, 0xba, 0x20, 0x1b, 0x02, 0x75, 0x3a,
407     0xe8, 0x88, 0xfe, 0x00, 0xcd, 0x8b, 0xc6, 0xf4, 0x5c, 0x47, 0x09, 0x46,
408     0x66, 0xe4, 0x72, 0x85, 0x25, 0x26, 0x5e, 0x12, 0x33, 0x48, 0xf6, 0x50
409 };
410 
411 static const unsigned char kExampleED25519PubKeyDER[] = {
412     0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70, 0x03, 0x21, 0x00,
413     0xf5, 0xc5, 0xeb, 0x52, 0x3e, 0x7d, 0x07, 0x86, 0xb2, 0x55, 0x07, 0x45,
414     0xef, 0x5b, 0x7c, 0x20, 0xe8, 0x66, 0x28, 0x30, 0x3c, 0x8a, 0x82, 0x40,
415     0x97, 0xa3, 0x08, 0xdc, 0x65, 0x80, 0x39, 0x29
416 };
417 
418 # ifndef OPENSSL_NO_DEPRECATED_3_0
419 static const unsigned char kExampleX25519KeyDER[] = {
420     0x30, 0x2e, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x6e,
421     0x04, 0x22, 0x04, 0x20, 0xa0, 0x24, 0x3a, 0x31, 0x24, 0xc3, 0x3f, 0xf6,
422     0x7b, 0x96, 0x0b, 0xd4, 0x8f, 0xd1, 0xee, 0x67, 0xf2, 0x9b, 0x88, 0xac,
423     0x50, 0xce, 0x97, 0x36, 0xdd, 0xaf, 0x25, 0xf6, 0x10, 0x34, 0x96, 0x6e
424 };
425 # endif
426 #endif
427 
428 /* kExampleDHKeyDER is a DH private key in ASN.1, DER format. */
429 #ifndef OPENSSL_NO_DEPRECATED_3_0
430 # ifndef OPENSSL_NO_DH
431 static const unsigned char kExampleDHKeyDER[] = {
432     0x30, 0x82, 0x01, 0x21, 0x02, 0x01, 0x00, 0x30, 0x81, 0x95, 0x06, 0x09,
433     0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x03, 0x01, 0x30, 0x81, 0x87,
434     0x02, 0x81, 0x81, 0x00, 0xf7, 0x52, 0xc2, 0x68, 0xcc, 0x66, 0xc4, 0x8d,
435     0x03, 0x3f, 0xfa, 0x9c, 0x52, 0xd0, 0xd8, 0x33, 0xf2, 0xe1, 0xc9, 0x9e,
436     0xb7, 0xe7, 0x6e, 0x90, 0x97, 0xeb, 0x92, 0x91, 0x6a, 0x9a, 0x85, 0x63,
437     0x92, 0x79, 0xab, 0xb6, 0x3d, 0x23, 0x58, 0x5a, 0xe8, 0x45, 0x06, 0x81,
438     0x97, 0x77, 0xe1, 0xcc, 0x34, 0x4e, 0xae, 0x36, 0x80, 0xf2, 0xc4, 0x7f,
439     0x8a, 0x52, 0xb8, 0xdb, 0x58, 0xc8, 0x4b, 0x12, 0x4c, 0xf1, 0x4c, 0x53,
440     0xc1, 0x89, 0x39, 0x8d, 0xb6, 0x06, 0xd8, 0xea, 0x7f, 0x2d, 0x36, 0x53,
441     0x96, 0x29, 0xbe, 0xb6, 0x75, 0xfc, 0xe7, 0xf3, 0x36, 0xd6, 0xf4, 0x8f,
442     0x16, 0xa6, 0xc7, 0xec, 0x7b, 0xce, 0x42, 0x8d, 0x48, 0x2e, 0xb7, 0x74,
443     0x00, 0x11, 0x52, 0x61, 0xb4, 0x19, 0x35, 0xec, 0x5c, 0xe4, 0xbe, 0x34,
444     0xc6, 0x59, 0x64, 0x5e, 0x42, 0x61, 0x70, 0x54, 0xf4, 0xe9, 0x6b, 0x53,
445     0x02, 0x01, 0x02, 0x04, 0x81, 0x83, 0x02, 0x81, 0x80, 0x64, 0xc2, 0xe3,
446     0x09, 0x69, 0x37, 0x3c, 0xd2, 0x4a, 0xba, 0xc3, 0x78, 0x6a, 0x9b, 0x8a,
447     0x2a, 0xdb, 0xe7, 0xe6, 0xc0, 0xfa, 0x3a, 0xbe, 0x39, 0x67, 0xc0, 0xa9,
448     0x2a, 0xf0, 0x0a, 0xc1, 0x53, 0x1c, 0xdb, 0xfa, 0x1a, 0x26, 0x98, 0xb0,
449     0x8c, 0xc6, 0x06, 0x4a, 0xa2, 0x48, 0xd3, 0xa4, 0x3b, 0xbd, 0x05, 0x48,
450     0xea, 0x59, 0xdb, 0x18, 0xa4, 0xca, 0x66, 0xd9, 0x5d, 0xb8, 0x95, 0xd1,
451     0xeb, 0x97, 0x3d, 0x66, 0x97, 0x5c, 0x86, 0x8f, 0x7e, 0x90, 0xd3, 0x43,
452     0xd1, 0xa2, 0x0d, 0xcb, 0xe7, 0xeb, 0x90, 0xea, 0x09, 0x40, 0xb1, 0x6f,
453     0xf7, 0x4c, 0xf2, 0x41, 0x83, 0x1d, 0xd0, 0x76, 0xef, 0xaf, 0x55, 0x6f,
454     0x5d, 0xa9, 0xa3, 0x55, 0x81, 0x2a, 0xd1, 0x5d, 0x9d, 0x22, 0x77, 0x97,
455     0x83, 0xde, 0xad, 0xb6, 0x5d, 0x19, 0xc1, 0x53, 0xec, 0xfb, 0xaf, 0x06,
456     0x2e, 0x87, 0x2a, 0x0b, 0x7a
457 };
458 # endif
459 #endif
460 
461 static const unsigned char kCFBDefaultKey[] = {
462     0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6, 0xAB, 0xF7, 0x15, 0x88,
463     0x09, 0xCF, 0x4F, 0x3C
464 };
465 
466 static const unsigned char kGCMDefaultKey[32] = { 0 };
467 
468 static const unsigned char kGCMResetKey[] = {
469     0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c, 0x6d, 0x6a, 0x8f, 0x94,
470     0x67, 0x30, 0x83, 0x08, 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
471     0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08
472 };
473 
474 static const unsigned char iCFBIV[] = {
475     0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B,
476     0x0C, 0x0D, 0x0E, 0x0F
477 };
478 
479 static const unsigned char iGCMDefaultIV[12] = { 0 };
480 
481 static const unsigned char iGCMResetIV1[] = {
482     0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad
483 };
484 
485 static const unsigned char iGCMResetIV2[] = {
486     0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad, 0xde, 0xca, 0xf8, 0x88
487 };
488 
489 static const unsigned char cfbPlaintext[] = {
490     0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96, 0xE9, 0x3D, 0x7E, 0x11,
491     0x73, 0x93, 0x17, 0x2A
492 };
493 static const unsigned char cfbPlaintext_partial[] = {
494     0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96, 0xE9, 0x3D, 0x7E, 0x11,
495     0x73, 0x93, 0x17, 0x2A, 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
496 };
497 
498 static const unsigned char gcmDefaultPlaintext[16] = { 0 };
499 
500 static const unsigned char gcmResetPlaintext[] = {
501     0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5, 0xa5, 0x59, 0x09, 0xc5,
502     0xaf, 0xf5, 0x26, 0x9a, 0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda,
503     0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72, 0x1c, 0x3c, 0x0c, 0x95,
504     0x95, 0x68, 0x09, 0x53, 0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25,
505     0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57, 0xba, 0x63, 0x7b, 0x39
506 };
507 
508 static const unsigned char cfbCiphertext[] = {
509     0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20, 0x33, 0x34, 0x49, 0xF8,
510     0xE8, 0x3C, 0xFB, 0x4A
511 };
512 
513 static const unsigned char cfbCiphertext_partial[] = {
514     0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20, 0x33, 0x34, 0x49, 0xF8,
515     0xE8, 0x3C, 0xFB, 0x4A, 0x0D, 0x4A, 0x71, 0x82, 0x90, 0xF0, 0x9A, 0x35
516 };
517 
518 static const unsigned char ofbCiphertext_partial[] = {
519     0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20, 0x33, 0x34, 0x49, 0xF8,
520     0xE8, 0x3C, 0xFB, 0x4A, 0xB2, 0x65, 0x64, 0x38, 0x26, 0xD2, 0xBC, 0x09
521 };
522 
523 static const unsigned char gcmDefaultCiphertext[] = {
524     0xce, 0xa7, 0x40, 0x3d, 0x4d, 0x60, 0x6b, 0x6e, 0x07, 0x4e, 0xc5, 0xd3,
525     0xba, 0xf3, 0x9d, 0x18
526 };
527 
528 static const unsigned char gcmResetCiphertext1[] = {
529     0xc3, 0x76, 0x2d, 0xf1, 0xca, 0x78, 0x7d, 0x32, 0xae, 0x47, 0xc1, 0x3b,
530     0xf1, 0x98, 0x44, 0xcb, 0xaf, 0x1a, 0xe1, 0x4d, 0x0b, 0x97, 0x6a, 0xfa,
531     0xc5, 0x2f, 0xf7, 0xd7, 0x9b, 0xba, 0x9d, 0xe0, 0xfe, 0xb5, 0x82, 0xd3,
532     0x39, 0x34, 0xa4, 0xf0, 0x95, 0x4c, 0xc2, 0x36, 0x3b, 0xc7, 0x3f, 0x78,
533     0x62, 0xac, 0x43, 0x0e, 0x64, 0xab, 0xe4, 0x99, 0xf4, 0x7c, 0x9b, 0x1f
534 };
535 
536 static const unsigned char gcmResetCiphertext2[] = {
537     0x52, 0x2d, 0xc1, 0xf0, 0x99, 0x56, 0x7d, 0x07, 0xf4, 0x7f, 0x37, 0xa3,
538     0x2a, 0x84, 0x42, 0x7d, 0x64, 0x3a, 0x8c, 0xdc, 0xbf, 0xe5, 0xc0, 0xc9,
539     0x75, 0x98, 0xa2, 0xbd, 0x25, 0x55, 0xd1, 0xaa, 0x8c, 0xb0, 0x8e, 0x48,
540     0x59, 0x0d, 0xbb, 0x3d, 0xa7, 0xb0, 0x8b, 0x10, 0x56, 0x82, 0x88, 0x38,
541     0xc5, 0xf6, 0x1e, 0x63, 0x93, 0xba, 0x7a, 0x0a, 0xbc, 0xc9, 0xf6, 0x62
542 };
543 
544 static const unsigned char gcmAAD[] = {
545     0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, 0xfe, 0xed, 0xfa, 0xce,
546     0xde, 0xad, 0xbe, 0xef, 0xab, 0xad, 0xda, 0xd2
547 };
548 
549 static const unsigned char gcmDefaultTag[] = {
550     0xd0, 0xd1, 0xc8, 0xa7, 0x99, 0x99, 0x6b, 0xf0, 0x26, 0x5b, 0x98, 0xb5,
551     0xd4, 0x8a, 0xb9, 0x19
552 };
553 
554 static const unsigned char gcmResetTag1[] = {
555     0x3a, 0x33, 0x7d, 0xbf, 0x46, 0xa7, 0x92, 0xc4, 0x5e, 0x45, 0x49, 0x13,
556     0xfe, 0x2e, 0xa8, 0xf2
557 };
558 
559 static const unsigned char gcmResetTag2[] = {
560     0x76, 0xfc, 0x6e, 0xce, 0x0f, 0x4e, 0x17, 0x68, 0xcd, 0xdf, 0x88, 0x53,
561     0xbb, 0x2d, 0x55, 0x1b
562 };
563 
564 typedef struct APK_DATA_st {
565     const unsigned char *kder;
566     size_t size;
567     const char *keytype;
568     int evptype;
569     int check;
570     int pub_check;
571     int param_check;
572     int type; /* 0 for private, 1 for public, 2 for params */
573 } APK_DATA;
574 
575 static APK_DATA keydata[] = {
576     {kExampleRSAKeyDER, sizeof(kExampleRSAKeyDER), "RSA", EVP_PKEY_RSA},
577     {kExampleRSAKeyPKCS8, sizeof(kExampleRSAKeyPKCS8), "RSA", EVP_PKEY_RSA},
578 #ifndef OPENSSL_NO_EC
579     {kExampleECKeyDER, sizeof(kExampleECKeyDER), "EC", EVP_PKEY_EC}
580 #endif
581 };
582 
583 static APK_DATA keycheckdata[] = {
584     {kExampleRSAKeyDER, sizeof(kExampleRSAKeyDER), "RSA", EVP_PKEY_RSA, 1, 1, 1,
585      0},
586     {kExampleBadRSAKeyDER, sizeof(kExampleBadRSAKeyDER), "RSA", EVP_PKEY_RSA,
587      0, 1, 1, 0},
588     {kExampleBad2RSAKeyDER, sizeof(kExampleBad2RSAKeyDER), "RSA", EVP_PKEY_RSA,
589      0, 0, 1 /* Since there are no "params" in an RSA key this passes */, 0},
590 #ifndef OPENSSL_NO_EC
591     {kExampleECKeyDER, sizeof(kExampleECKeyDER), "EC", EVP_PKEY_EC, 1, 1, 1, 0},
592     /* group is also associated in our pub key */
593     {kExampleECPubKeyDER, sizeof(kExampleECPubKeyDER), "EC", EVP_PKEY_EC, 0, 1,
594      1, 1},
595     {pExampleECParamDER, sizeof(pExampleECParamDER), "EC", EVP_PKEY_EC, 0, 0, 1,
596      2},
597     {kExampleED25519KeyDER, sizeof(kExampleED25519KeyDER), "ED25519",
598      EVP_PKEY_ED25519, 1, 1, 1, 0},
599     {kExampleED25519PubKeyDER, sizeof(kExampleED25519PubKeyDER), "ED25519",
600      EVP_PKEY_ED25519, 0, 1, 1, 1},
601 #endif
602 };
603 
604 static EVP_PKEY *load_example_key(const char *keytype,
605                                   const unsigned char *data, size_t data_len)
606 {
607     const unsigned char **pdata = &data;
608     EVP_PKEY *pkey = NULL;
609     OSSL_DECODER_CTX *dctx =
610         OSSL_DECODER_CTX_new_for_pkey(&pkey, "DER", NULL, keytype, 0,
611                                       testctx, testpropq);
612 
613     /* |pkey| will be NULL on error */
614     (void)OSSL_DECODER_from_data(dctx, pdata, &data_len);
615     OSSL_DECODER_CTX_free(dctx);
616     return pkey;
617 }
618 
619 static EVP_PKEY *load_example_rsa_key(void)
620 {
621     return load_example_key("RSA", kExampleRSAKeyDER,
622                             sizeof(kExampleRSAKeyDER));
623 }
624 
625 #ifndef OPENSSL_NO_DSA
626 static EVP_PKEY *load_example_dsa_key(void)
627 {
628     return load_example_key("DSA", kExampleDSAKeyDER,
629                             sizeof(kExampleDSAKeyDER));
630 }
631 #endif
632 
633 #ifndef OPENSSL_NO_EC
634 static EVP_PKEY *load_example_ec_key(void)
635 {
636     return load_example_key("EC", kExampleECKeyDER,
637                             sizeof(kExampleECKeyDER));
638 }
639 #endif
640 
641 #ifndef OPENSSL_NO_DEPRECATED_3_0
642 # ifndef OPENSSL_NO_DH
643 static EVP_PKEY *load_example_dh_key(void)
644 {
645     return load_example_key("DH", kExampleDHKeyDER,
646                             sizeof(kExampleDHKeyDER));
647 }
648 # endif
649 
650 # ifndef OPENSSL_NO_EC
651 static EVP_PKEY *load_example_ed25519_key(void)
652 {
653     return load_example_key("ED25519", kExampleED25519KeyDER,
654                             sizeof(kExampleED25519KeyDER));
655 }
656 
657 static EVP_PKEY *load_example_x25519_key(void)
658 {
659     return load_example_key("X25519", kExampleX25519KeyDER,
660                             sizeof(kExampleX25519KeyDER));
661 }
662 # endif
663 #endif /* OPENSSL_NO_DEPRECATED_3_0 */
664 
665 static EVP_PKEY *load_example_hmac_key(void)
666 {
667     EVP_PKEY *pkey = NULL;
668     unsigned char key[] = {
669         0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
670         0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
671         0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
672     };
673 
674     pkey = EVP_PKEY_new_raw_private_key_ex(testctx, "HMAC",
675                                            NULL, key, sizeof(key));
676     if (!TEST_ptr(pkey))
677         return NULL;
678 
679     return pkey;
680 }
681 
682 static int test_EVP_set_default_properties(void)
683 {
684     OSSL_LIB_CTX *ctx;
685     EVP_MD *md = NULL;
686     int res = 0;
687 
688     if (!TEST_ptr(ctx = OSSL_LIB_CTX_new())
689             || !TEST_ptr(md = EVP_MD_fetch(ctx, "sha256", NULL)))
690         goto err;
691     EVP_MD_free(md);
692     md = NULL;
693 
694     if (!TEST_true(EVP_set_default_properties(ctx, "provider=fizzbang"))
695             || !TEST_ptr_null(md = EVP_MD_fetch(ctx, "sha256", NULL))
696             || !TEST_ptr(md = EVP_MD_fetch(ctx, "sha256", "-provider")))
697         goto err;
698     EVP_MD_free(md);
699     md = NULL;
700 
701     if (!TEST_true(EVP_set_default_properties(ctx, NULL))
702             || !TEST_ptr(md = EVP_MD_fetch(ctx, "sha256", NULL)))
703         goto err;
704     res = 1;
705 err:
706     EVP_MD_free(md);
707     OSSL_LIB_CTX_free(ctx);
708     return res;
709 }
710 
711 #if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_EC)
712 static EVP_PKEY *make_key_fromdata(char *keytype, OSSL_PARAM *params)
713 {
714     EVP_PKEY_CTX *pctx = NULL;
715     EVP_PKEY *tmp_pkey = NULL, *pkey = NULL;
716 
717     if (!TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(testctx, keytype, testpropq)))
718         goto err;
719     if (!TEST_int_gt(EVP_PKEY_fromdata_init(pctx), 0)
720         || !TEST_int_gt(EVP_PKEY_fromdata(pctx, &tmp_pkey, EVP_PKEY_KEYPAIR,
721                                           params), 0))
722         goto err;
723 
724     if (!TEST_ptr(tmp_pkey))
725         goto err;
726 
727     pkey = tmp_pkey;
728     tmp_pkey = NULL;
729  err:
730     EVP_PKEY_free(tmp_pkey);
731     EVP_PKEY_CTX_free(pctx);
732     return pkey;
733 }
734 
735 static int test_selection(EVP_PKEY *pkey, int selection)
736 {
737     int testresult = 0;
738     int ret;
739     BIO *bio = BIO_new(BIO_s_mem());
740 
741     ret = PEM_write_bio_PUBKEY(bio, pkey);
742     if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) {
743         if (!TEST_true(ret))
744             goto err;
745     } else {
746         if (!TEST_false(ret))
747             goto err;
748     }
749     ret = PEM_write_bio_PrivateKey_ex(bio, pkey, NULL, NULL, 0, NULL, NULL,
750                                       testctx, NULL);
751     if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) {
752         if (!TEST_true(ret))
753             goto err;
754     } else {
755         if (!TEST_false(ret))
756             goto err;
757     }
758 
759     testresult = 1;
760  err:
761     BIO_free(bio);
762 
763     return testresult;
764 }
765 #endif /* !OPENSSL_NO_DH || !OPENSSL_NO_DSA || !OPENSSL_NO_EC */
766 
767 /*
768  * Test combinations of private, public, missing and private + public key
769  * params to ensure they are all accepted
770  */
771 #if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_DSA)
772 static int test_EVP_PKEY_ffc_priv_pub(char *keytype)
773 {
774     OSSL_PARAM_BLD *bld = NULL;
775     OSSL_PARAM *params = NULL;
776     EVP_PKEY *just_params = NULL;
777     EVP_PKEY *params_and_priv = NULL;
778     EVP_PKEY *params_and_pub = NULL;
779     EVP_PKEY *params_and_keypair = NULL;
780     BIGNUM *p = NULL, *q = NULL, *g = NULL, *pub = NULL, *priv = NULL;
781     int ret = 0;
782 
783     /*
784      * Setup the parameters for our pkey object. For our purposes they don't
785      * have to actually be *valid* parameters. We just need to set something.
786      */
787     if (!TEST_ptr(p = BN_new())
788         || !TEST_ptr(q = BN_new())
789         || !TEST_ptr(g = BN_new())
790         || !TEST_ptr(pub = BN_new())
791         || !TEST_ptr(priv = BN_new()))
792         goto err;
793 
794     /* Test !priv and !pub */
795     if (!TEST_ptr(bld = OSSL_PARAM_BLD_new())
796         || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_P, p))
797         || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_Q, q))
798         || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_G, g)))
799         goto err;
800     if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))
801         || !TEST_ptr(just_params = make_key_fromdata(keytype, params)))
802         goto err;
803 
804     OSSL_PARAM_free(params);
805     OSSL_PARAM_BLD_free(bld);
806     params = NULL;
807     bld = NULL;
808 
809     if (!test_selection(just_params, OSSL_KEYMGMT_SELECT_ALL_PARAMETERS)
810         || test_selection(just_params, OSSL_KEYMGMT_SELECT_KEYPAIR))
811         goto err;
812 
813     /* Test priv and !pub */
814     if (!TEST_ptr(bld = OSSL_PARAM_BLD_new())
815         || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_P, p))
816         || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_Q, q))
817         || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_G, g))
818         || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PRIV_KEY,
819                                              priv)))
820         goto err;
821     if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))
822         || !TEST_ptr(params_and_priv = make_key_fromdata(keytype, params)))
823         goto err;
824 
825     OSSL_PARAM_free(params);
826     OSSL_PARAM_BLD_free(bld);
827     params = NULL;
828     bld = NULL;
829 
830     if (!test_selection(params_and_priv, OSSL_KEYMGMT_SELECT_PRIVATE_KEY)
831         || test_selection(params_and_priv, OSSL_KEYMGMT_SELECT_PUBLIC_KEY))
832         goto err;
833 
834     /* Test !priv and pub */
835     if (!TEST_ptr(bld = OSSL_PARAM_BLD_new())
836         || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_P, p))
837         || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_Q, q))
838         || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_G, g))
839         || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PUB_KEY,
840                                              pub)))
841         goto err;
842     if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))
843         || !TEST_ptr(params_and_pub = make_key_fromdata(keytype, params)))
844         goto err;
845 
846     OSSL_PARAM_free(params);
847     OSSL_PARAM_BLD_free(bld);
848     params = NULL;
849     bld = NULL;
850 
851     if (!test_selection(params_and_pub, OSSL_KEYMGMT_SELECT_PUBLIC_KEY)
852         || test_selection(params_and_pub, OSSL_KEYMGMT_SELECT_PRIVATE_KEY))
853         goto err;
854 
855     /* Test priv and pub */
856     if (!TEST_ptr(bld = OSSL_PARAM_BLD_new())
857         || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_P, p))
858         || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_Q, q))
859         || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_G, g))
860         || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PUB_KEY,
861                                              pub))
862         || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PRIV_KEY,
863                                              priv)))
864         goto err;
865     if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))
866         || !TEST_ptr(params_and_keypair = make_key_fromdata(keytype, params)))
867         goto err;
868 
869     if (!test_selection(params_and_keypair, EVP_PKEY_KEYPAIR))
870         goto err;
871 
872     ret = 1;
873  err:
874     OSSL_PARAM_free(params);
875     OSSL_PARAM_BLD_free(bld);
876     EVP_PKEY_free(just_params);
877     EVP_PKEY_free(params_and_priv);
878     EVP_PKEY_free(params_and_pub);
879     EVP_PKEY_free(params_and_keypair);
880     BN_free(p);
881     BN_free(q);
882     BN_free(g);
883     BN_free(pub);
884     BN_free(priv);
885 
886     return ret;
887 }
888 #endif /* !OPENSSL_NO_DH || !OPENSSL_NO_DSA */
889 
890 /*
891  * Test combinations of private, public, missing and private + public key
892  * params to ensure they are all accepted for EC keys
893  */
894 #ifndef OPENSSL_NO_EC
895 static unsigned char ec_priv[] = {
896     0xe9, 0x25, 0xf7, 0x66, 0x58, 0xa4, 0xdd, 0x99, 0x61, 0xe7, 0xe8, 0x23,
897     0x85, 0xc2, 0xe8, 0x33, 0x27, 0xc5, 0x5c, 0xeb, 0xdb, 0x43, 0x9f, 0xd5,
898     0xf2, 0x5a, 0x75, 0x55, 0xd0, 0x2e, 0x6d, 0x16
899 };
900 static unsigned char ec_pub[] = {
901     0x04, 0xad, 0x11, 0x90, 0x77, 0x4b, 0x46, 0xee, 0x72, 0x51, 0x15, 0x97,
902     0x4a, 0x6a, 0xa7, 0xaf, 0x59, 0xfa, 0x4b, 0xf2, 0x41, 0xc8, 0x3a, 0x81,
903     0x23, 0xb6, 0x90, 0x04, 0x6c, 0x67, 0x66, 0xd0, 0xdc, 0xf2, 0x15, 0x1d,
904     0x41, 0x61, 0xb7, 0x95, 0x85, 0x38, 0x5a, 0x84, 0x56, 0xe8, 0xb3, 0x0e,
905     0xf5, 0xc6, 0x5d, 0xa4, 0x54, 0x26, 0xb0, 0xf7, 0xa5, 0x4a, 0x33, 0xf1,
906     0x08, 0x09, 0xb8, 0xdb, 0x03
907 };
908 
909 static int test_EC_priv_pub(void)
910 {
911     OSSL_PARAM_BLD *bld = NULL;
912     OSSL_PARAM *params = NULL;
913     EVP_PKEY *just_params = NULL;
914     EVP_PKEY *params_and_priv = NULL;
915     EVP_PKEY *params_and_pub = NULL;
916     EVP_PKEY *params_and_keypair = NULL;
917     BIGNUM *priv = NULL;
918     int ret = 0;
919     unsigned char *encoded = NULL;
920     size_t len = 0;
921     unsigned char buffer[128];
922 
923     /*
924      * Setup the parameters for our pkey object. For our purposes they don't
925      * have to actually be *valid* parameters. We just need to set something.
926      */
927     if (!TEST_ptr(priv = BN_bin2bn(ec_priv, sizeof(ec_priv), NULL)))
928         goto err;
929 
930     /* Test !priv and !pub */
931     if (!TEST_ptr(bld = OSSL_PARAM_BLD_new())
932         || !TEST_true(OSSL_PARAM_BLD_push_utf8_string(bld,
933                                                       OSSL_PKEY_PARAM_GROUP_NAME,
934                                                       "P-256", 0)))
935         goto err;
936     if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))
937         || !TEST_ptr(just_params = make_key_fromdata("EC", params)))
938         goto err;
939 
940     OSSL_PARAM_free(params);
941     OSSL_PARAM_BLD_free(bld);
942     params = NULL;
943     bld = NULL;
944 
945     if (!test_selection(just_params, OSSL_KEYMGMT_SELECT_ALL_PARAMETERS)
946         || test_selection(just_params, OSSL_KEYMGMT_SELECT_KEYPAIR))
947         goto err;
948 
949     /* Test priv and !pub */
950     if (!TEST_ptr(bld = OSSL_PARAM_BLD_new())
951         || !TEST_true(OSSL_PARAM_BLD_push_utf8_string(bld,
952                                                       OSSL_PKEY_PARAM_GROUP_NAME,
953                                                       "P-256", 0))
954         || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PRIV_KEY,
955                                              priv)))
956         goto err;
957     if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))
958         || !TEST_ptr(params_and_priv = make_key_fromdata("EC", params)))
959         goto err;
960 
961     OSSL_PARAM_free(params);
962     OSSL_PARAM_BLD_free(bld);
963     params = NULL;
964     bld = NULL;
965 
966     /*
967      * We indicate only parameters here, in spite of having built a key that
968      * has a private part, because the PEM_write_bio_PrivateKey_ex call is
969      * expected to fail because it does not support exporting a private EC
970      * key without a corresponding public key
971      */
972     if (!test_selection(params_and_priv, OSSL_KEYMGMT_SELECT_ALL_PARAMETERS)
973         || test_selection(params_and_priv, OSSL_KEYMGMT_SELECT_PUBLIC_KEY))
974         goto err;
975 
976     /* Test !priv and pub */
977     if (!TEST_ptr(bld = OSSL_PARAM_BLD_new())
978         || !TEST_true(OSSL_PARAM_BLD_push_utf8_string(bld,
979                                                       OSSL_PKEY_PARAM_GROUP_NAME,
980                                                       "P-256", 0))
981         || !TEST_true(OSSL_PARAM_BLD_push_octet_string(bld,
982                                                        OSSL_PKEY_PARAM_PUB_KEY,
983                                                        ec_pub, sizeof(ec_pub))))
984         goto err;
985     if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))
986         || !TEST_ptr(params_and_pub = make_key_fromdata("EC", params)))
987         goto err;
988 
989     OSSL_PARAM_free(params);
990     OSSL_PARAM_BLD_free(bld);
991     params = NULL;
992     bld = NULL;
993 
994     if (!test_selection(params_and_pub, OSSL_KEYMGMT_SELECT_PUBLIC_KEY)
995         || test_selection(params_and_pub, OSSL_KEYMGMT_SELECT_PRIVATE_KEY))
996         goto err;
997 
998     /* Test priv and pub */
999     if (!TEST_ptr(bld = OSSL_PARAM_BLD_new())
1000         || !TEST_true(OSSL_PARAM_BLD_push_utf8_string(bld,
1001                                                       OSSL_PKEY_PARAM_GROUP_NAME,
1002                                                       "P-256", 0))
1003         || !TEST_true(OSSL_PARAM_BLD_push_octet_string(bld,
1004                                                        OSSL_PKEY_PARAM_PUB_KEY,
1005                                                        ec_pub, sizeof(ec_pub)))
1006         || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PRIV_KEY,
1007                                              priv)))
1008         goto err;
1009     if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))
1010         || !TEST_ptr(params_and_keypair = make_key_fromdata("EC", params)))
1011         goto err;
1012 
1013     if (!test_selection(params_and_keypair, EVP_PKEY_KEYPAIR))
1014         goto err;
1015 
1016     /* Try key equality */
1017     if (!TEST_int_gt(EVP_PKEY_parameters_eq(just_params, just_params), 0)
1018         || !TEST_int_gt(EVP_PKEY_parameters_eq(just_params, params_and_pub),
1019                         0)
1020         || !TEST_int_gt(EVP_PKEY_parameters_eq(just_params, params_and_priv),
1021                         0)
1022         || !TEST_int_gt(EVP_PKEY_parameters_eq(just_params, params_and_keypair),
1023                         0)
1024         || !TEST_int_gt(EVP_PKEY_eq(params_and_pub, params_and_pub), 0)
1025         || !TEST_int_gt(EVP_PKEY_eq(params_and_priv, params_and_priv), 0)
1026         || !TEST_int_gt(EVP_PKEY_eq(params_and_keypair, params_and_pub), 0)
1027         || !TEST_int_gt(EVP_PKEY_eq(params_and_keypair, params_and_priv), 0))
1028         goto err;
1029 
1030     /* Positive and negative testcase for EVP_PKEY_get1_encoded_public_key */
1031     if (!TEST_int_gt(EVP_PKEY_get1_encoded_public_key(params_and_pub, &encoded), 0))
1032         goto err;
1033     OPENSSL_free(encoded);
1034     encoded = NULL;
1035     if (!TEST_int_eq(EVP_PKEY_get1_encoded_public_key(just_params, &encoded), 0)) {
1036         OPENSSL_free(encoded);
1037         encoded = NULL;
1038         goto err;
1039     }
1040 
1041     /* Positive and negative testcase for EVP_PKEY_get_octet_string_param */
1042     if (!TEST_int_eq(EVP_PKEY_get_octet_string_param(params_and_pub,
1043                                                      OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY,
1044                                                      buffer, sizeof(buffer), &len), 1)
1045         || !TEST_int_eq(len, 65))
1046         goto err;
1047 
1048     len = 0;
1049     if (!TEST_int_eq(EVP_PKEY_get_octet_string_param(params_and_pub,
1050                                                      OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY,
1051                                                      NULL, 0, &len), 1)
1052         || !TEST_int_eq(len, 65))
1053         goto err;
1054 
1055     /* too-short buffer len*/
1056     if (!TEST_int_eq(EVP_PKEY_get_octet_string_param(params_and_pub,
1057                                                      OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY,
1058                                                      buffer, 10, &len), 0))
1059         goto err;
1060 
1061     ret = 1;
1062  err:
1063     OSSL_PARAM_free(params);
1064     OSSL_PARAM_BLD_free(bld);
1065     EVP_PKEY_free(just_params);
1066     EVP_PKEY_free(params_and_priv);
1067     EVP_PKEY_free(params_and_pub);
1068     EVP_PKEY_free(params_and_keypair);
1069     BN_free(priv);
1070 
1071     return ret;
1072 }
1073 
1074 /* Test that using a legacy EC key with only a private key in it works */
1075 # ifndef OPENSSL_NO_DEPRECATED_3_0
1076 static int test_EC_priv_only_legacy(void)
1077 {
1078     BIGNUM *priv = NULL;
1079     int ret = 0;
1080     EC_KEY *eckey = NULL;
1081     EVP_PKEY *pkey = NULL, *dup_pk = NULL;
1082     EVP_MD_CTX *ctx = NULL;
1083 
1084     /* Create the low level EC_KEY */
1085     if (!TEST_ptr(priv = BN_bin2bn(ec_priv, sizeof(ec_priv), NULL)))
1086         goto err;
1087 
1088     eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
1089     if (!TEST_ptr(eckey))
1090         goto err;
1091 
1092     if (!TEST_true(EC_KEY_set_private_key(eckey, priv)))
1093         goto err;
1094 
1095     pkey = EVP_PKEY_new();
1096     if (!TEST_ptr(pkey))
1097         goto err;
1098 
1099     if (!TEST_true(EVP_PKEY_assign_EC_KEY(pkey, eckey)))
1100         goto err;
1101     eckey = NULL;
1102 
1103     for (;;) {
1104         ret = 0;
1105         ctx = EVP_MD_CTX_new();
1106         if (!TEST_ptr(ctx))
1107             goto err;
1108 
1109         /*
1110          * The EVP_DigestSignInit function should create the key on the
1111          * provider side which is sufficient for this test.
1112          */
1113         if (!TEST_true(EVP_DigestSignInit_ex(ctx, NULL, NULL, testctx,
1114                                              testpropq, pkey, NULL)))
1115             goto err;
1116         EVP_MD_CTX_free(ctx);
1117         ctx = NULL;
1118 
1119         if (dup_pk != NULL)
1120             break;
1121 
1122         if (!TEST_ptr(dup_pk = EVP_PKEY_dup(pkey)))
1123             goto err;
1124         /* EVP_PKEY_eq() returns -2 with missing public keys */
1125         ret = TEST_int_eq(EVP_PKEY_eq(pkey, dup_pk), -2);
1126         EVP_PKEY_free(pkey);
1127         pkey = dup_pk;
1128         if (!ret)
1129             goto err;
1130     }
1131     ret = 1;
1132 
1133  err:
1134     EVP_MD_CTX_free(ctx);
1135     EVP_PKEY_free(pkey);
1136     EC_KEY_free(eckey);
1137     BN_free(priv);
1138 
1139     return ret;
1140 }
1141 # endif /* OPENSSL_NO_DEPRECATED_3_0 */
1142 #endif /* OPENSSL_NO_EC */
1143 
1144 static int test_EVP_PKEY_sign(int tst)
1145 {
1146     int ret = 0;
1147     EVP_PKEY *pkey = NULL;
1148     unsigned char *sig = NULL;
1149     size_t sig_len = 0, shortsig_len = 1;
1150     EVP_PKEY_CTX *ctx = NULL;
1151     unsigned char tbs[] = {
1152         0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
1153         0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13
1154     };
1155 
1156     if (tst == 0 ) {
1157         if (!TEST_ptr(pkey = load_example_rsa_key()))
1158             goto out;
1159     } else if (tst == 1) {
1160 #ifndef OPENSSL_NO_DSA
1161         if (!TEST_ptr(pkey = load_example_dsa_key()))
1162             goto out;
1163 #else
1164         ret = 1;
1165         goto out;
1166 #endif
1167     } else {
1168 #ifndef OPENSSL_NO_EC
1169         if (!TEST_ptr(pkey = load_example_ec_key()))
1170             goto out;
1171 #else
1172         ret = 1;
1173         goto out;
1174 #endif
1175     }
1176 
1177     ctx = EVP_PKEY_CTX_new_from_pkey(testctx, pkey, NULL);
1178     if (!TEST_ptr(ctx)
1179             || !TEST_int_gt(EVP_PKEY_sign_init(ctx), 0)
1180             || !TEST_int_gt(EVP_PKEY_sign(ctx, NULL, &sig_len, tbs,
1181                                           sizeof(tbs)), 0))
1182         goto out;
1183     sig = OPENSSL_malloc(sig_len);
1184     if (!TEST_ptr(sig)
1185             /* Test sending a signature buffer that is too short is rejected */
1186             || !TEST_int_le(EVP_PKEY_sign(ctx, sig, &shortsig_len, tbs,
1187                                           sizeof(tbs)), 0)
1188             || !TEST_int_gt(EVP_PKEY_sign(ctx, sig, &sig_len, tbs, sizeof(tbs)),
1189                             0)
1190             /* Test the signature round-trips */
1191             || !TEST_int_gt(EVP_PKEY_verify_init(ctx), 0)
1192             || !TEST_int_gt(EVP_PKEY_verify(ctx, sig, sig_len, tbs, sizeof(tbs)),
1193                             0))
1194         goto out;
1195 
1196     ret = 1;
1197  out:
1198     EVP_PKEY_CTX_free(ctx);
1199     OPENSSL_free(sig);
1200     EVP_PKEY_free(pkey);
1201     return ret;
1202 }
1203 
1204 #ifndef OPENSSL_NO_DEPRECATED_3_0
1205 static int test_EVP_PKEY_sign_with_app_method(int tst)
1206 {
1207     int ret = 0;
1208     EVP_PKEY *pkey = NULL;
1209     RSA *rsa = NULL;
1210     RSA_METHOD *rsa_meth = NULL;
1211 #ifndef OPENSSL_NO_DSA
1212     DSA *dsa = NULL;
1213     DSA_METHOD *dsa_meth = NULL;
1214 #endif
1215     unsigned char *sig = NULL;
1216     size_t sig_len = 0, shortsig_len = 1;
1217     EVP_PKEY_CTX *ctx = NULL;
1218     unsigned char tbs[] = {
1219         0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
1220         0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13
1221     };
1222 
1223     if (tst == 0) {
1224         if (!TEST_ptr(pkey = load_example_rsa_key()))
1225             goto out;
1226         if (!TEST_ptr(rsa_meth = RSA_meth_dup(RSA_get_default_method())))
1227             goto out;
1228 
1229         if (!TEST_ptr(rsa = EVP_PKEY_get1_RSA(pkey))
1230             || !TEST_int_gt(RSA_set_method(rsa, rsa_meth), 0)
1231             || !TEST_int_gt(EVP_PKEY_assign_RSA(pkey, rsa), 0))
1232             goto out;
1233         rsa = NULL; /* now owned by the pkey */
1234     } else {
1235 #ifndef OPENSSL_NO_DSA
1236         if (!TEST_ptr(pkey = load_example_dsa_key()))
1237                 goto out;
1238         if (!TEST_ptr(dsa_meth = DSA_meth_dup(DSA_get_default_method())))
1239             goto out;
1240 
1241         if (!TEST_ptr(dsa = EVP_PKEY_get1_DSA(pkey))
1242             || !TEST_int_gt(DSA_set_method(dsa, dsa_meth), 0)
1243             || !TEST_int_gt(EVP_PKEY_assign_DSA(pkey, dsa), 0))
1244             goto out;
1245         dsa = NULL; /* now owned by the pkey */
1246 #else
1247         ret = 1;
1248         goto out;
1249 #endif
1250     }
1251 
1252     ctx = EVP_PKEY_CTX_new_from_pkey(testctx, pkey, NULL);
1253     if (!TEST_ptr(ctx)
1254             || !TEST_int_gt(EVP_PKEY_sign_init(ctx), 0)
1255             || !TEST_int_gt(EVP_PKEY_sign(ctx, NULL, &sig_len, tbs,
1256                                           sizeof(tbs)), 0))
1257         goto out;
1258     sig = OPENSSL_malloc(sig_len);
1259     if (!TEST_ptr(sig)
1260             /* Test sending a signature buffer that is too short is rejected */
1261             || !TEST_int_le(EVP_PKEY_sign(ctx, sig, &shortsig_len, tbs,
1262                                           sizeof(tbs)), 0)
1263             || !TEST_int_gt(EVP_PKEY_sign(ctx, sig, &sig_len, tbs, sizeof(tbs)),
1264                             0)
1265             /* Test the signature round-trips */
1266             || !TEST_int_gt(EVP_PKEY_verify_init(ctx), 0)
1267             || !TEST_int_gt(EVP_PKEY_verify(ctx, sig, sig_len, tbs, sizeof(tbs)),
1268                             0))
1269         goto out;
1270 
1271     ret = 1;
1272  out:
1273     EVP_PKEY_CTX_free(ctx);
1274     OPENSSL_free(sig);
1275     EVP_PKEY_free(pkey);
1276     RSA_free(rsa);
1277     RSA_meth_free(rsa_meth);
1278 #ifndef OPENSSL_NO_DSA
1279     DSA_free(dsa);
1280     DSA_meth_free(dsa_meth);
1281 #endif
1282     return ret;
1283 }
1284 #endif /* !OPENSSL_NO_DEPRECATED_3_0 */
1285 
1286 /*
1287  * n = 0 => test using legacy cipher
1288  * n = 1 => test using fetched cipher
1289  */
1290 static int test_EVP_Enveloped(int n)
1291 {
1292     int ret = 0;
1293     EVP_CIPHER_CTX *ctx = NULL;
1294     EVP_PKEY *keypair = NULL;
1295     unsigned char *kek = NULL;
1296     unsigned char iv[EVP_MAX_IV_LENGTH];
1297     static const unsigned char msg[] = { 1, 2, 3, 4, 5, 6, 7, 8 };
1298     int len, kek_len, ciphertext_len, plaintext_len;
1299     unsigned char ciphertext[32], plaintext[16];
1300     EVP_CIPHER *type = NULL;
1301 
1302     if (nullprov != NULL)
1303         return TEST_skip("Test does not support a non-default library context");
1304 
1305     if (n == 0)
1306         type = (EVP_CIPHER *)EVP_aes_256_cbc();
1307     else if (!TEST_ptr(type = EVP_CIPHER_fetch(testctx, "AES-256-CBC",
1308                                                testpropq)))
1309         goto err;
1310 
1311     if (!TEST_ptr(keypair = load_example_rsa_key())
1312             || !TEST_ptr(kek = OPENSSL_zalloc(EVP_PKEY_get_size(keypair)))
1313             || !TEST_ptr(ctx = EVP_CIPHER_CTX_new())
1314             || !TEST_true(EVP_SealInit(ctx, type, &kek, &kek_len, iv,
1315                                        &keypair, 1))
1316             || !TEST_true(EVP_SealUpdate(ctx, ciphertext, &ciphertext_len,
1317                                          msg, sizeof(msg)))
1318             || !TEST_true(EVP_SealFinal(ctx, ciphertext + ciphertext_len,
1319                                         &len)))
1320         goto err;
1321 
1322     ciphertext_len += len;
1323 
1324     if (!TEST_true(EVP_OpenInit(ctx, type, kek, kek_len, iv, keypair))
1325             || !TEST_true(EVP_OpenUpdate(ctx, plaintext, &plaintext_len,
1326                                          ciphertext, ciphertext_len))
1327             || !TEST_true(EVP_OpenFinal(ctx, plaintext + plaintext_len, &len)))
1328         goto err;
1329 
1330     plaintext_len += len;
1331     if (!TEST_mem_eq(msg, sizeof(msg), plaintext, plaintext_len))
1332         goto err;
1333 
1334     ret = 1;
1335 err:
1336     if (n != 0)
1337         EVP_CIPHER_free(type);
1338     OPENSSL_free(kek);
1339     EVP_PKEY_free(keypair);
1340     EVP_CIPHER_CTX_free(ctx);
1341     return ret;
1342 }
1343 
1344 /*
1345  * Test 0: Standard calls to EVP_DigestSignInit/Update/Final (Implicit fetch digest, RSA)
1346  * Test 1: Standard calls to EVP_DigestSignInit/Update/Final (Implicit fetch digest, DSA)
1347  * Test 2: Standard calls to EVP_DigestSignInit/Update/Final (Implicit fetch digest, HMAC)
1348  * Test 3: Standard calls to EVP_DigestSignInit/Update/Final (Explicit fetch digest, RSA)
1349  * Test 4: Standard calls to EVP_DigestSignInit/Update/Final (Explicit fetch digest, DSA)
1350  * Test 5: Standard calls to EVP_DigestSignInit/Update/Final (Explicit fetch diegst, HMAC)
1351  * Test 6: Use an MD BIO to do the Update calls instead (RSA)
1352  * Test 7: Use an MD BIO to do the Update calls instead (DSA)
1353  * Test 8: Use an MD BIO to do the Update calls instead (HMAC)
1354  * Test 9: Use EVP_DigestSign (Implicit fetch digest, RSA, short sig)
1355  * Test 10: Use EVP_DigestSign (Implicit fetch digest, DSA, short sig)
1356  * Test 11: Use EVP_DigestSign (Implicit fetch digest, HMAC, short sig)
1357  * Test 12: Use EVP_DigestSign (Implicit fetch digest, RSA)
1358  * Test 13: Use EVP_DigestSign (Implicit fetch digest, DSA)
1359  * Test 14: Use EVP_DigestSign (Implicit fetch digest, HMAC)
1360  * Test 15-29: Same as above with reinitialization
1361  */
1362 static int test_EVP_DigestSignInit(int tst)
1363 {
1364     int ret = 0;
1365     EVP_PKEY *pkey = NULL;
1366     unsigned char *sig = NULL, *sig2 = NULL;
1367     size_t sig_len = 0, sig2_len = 0, shortsig_len = 1;
1368     EVP_MD_CTX *md_ctx = NULL, *md_ctx_verify = NULL;
1369     EVP_MD_CTX *a_md_ctx = NULL, *a_md_ctx_verify = NULL;
1370     BIO *mdbio = NULL, *membio = NULL;
1371     size_t written;
1372     const EVP_MD *md;
1373     EVP_MD *mdexp = NULL;
1374     int reinit = 0;
1375 
1376     if (nullprov != NULL)
1377         return TEST_skip("Test does not support a non-default library context");
1378 
1379     if (tst >= 15) {
1380         reinit = 1;
1381         tst -= 15;
1382     }
1383 
1384     if (tst >= 6 && tst <= 8) {
1385         membio = BIO_new(BIO_s_mem());
1386         mdbio = BIO_new(BIO_f_md());
1387         if (!TEST_ptr(membio) || !TEST_ptr(mdbio))
1388             goto out;
1389         BIO_push(mdbio, membio);
1390         if (!TEST_int_gt(BIO_get_md_ctx(mdbio, &md_ctx), 0))
1391             goto out;
1392     } else {
1393         if (!TEST_ptr(a_md_ctx = md_ctx = EVP_MD_CTX_new())
1394                 || !TEST_ptr(a_md_ctx_verify = md_ctx_verify = EVP_MD_CTX_new()))
1395             goto out;
1396     }
1397 
1398     if (tst % 3 == 0) {
1399         if (!TEST_ptr(pkey = load_example_rsa_key()))
1400                 goto out;
1401     } else if (tst % 3 == 1) {
1402 #ifndef OPENSSL_NO_DSA
1403         if (!TEST_ptr(pkey = load_example_dsa_key()))
1404                 goto out;
1405 #else
1406         ret = 1;
1407         goto out;
1408 #endif
1409     } else {
1410         if (!TEST_ptr(pkey = load_example_hmac_key()))
1411                 goto out;
1412     }
1413 
1414     if (tst >= 3 && tst <= 5)
1415         md = mdexp = EVP_MD_fetch(NULL, "SHA256", NULL);
1416     else
1417         md = EVP_sha256();
1418 
1419     if (!TEST_true(EVP_DigestSignInit(md_ctx, NULL, md, NULL, pkey)))
1420         goto out;
1421 
1422     if (reinit && !TEST_true(EVP_DigestSignInit(md_ctx, NULL, NULL, NULL, NULL)))
1423         goto out;
1424 
1425     if (tst >= 6 && tst <= 8) {
1426         if (!BIO_write_ex(mdbio, kMsg, sizeof(kMsg), &written))
1427             goto out;
1428     } else if (tst < 6) {
1429         if (!TEST_true(EVP_DigestSignUpdate(md_ctx, kMsg, sizeof(kMsg))))
1430             goto out;
1431     }
1432 
1433     if (tst >= 9) {
1434         /* Determine the size of the signature. */
1435         if (!TEST_true(EVP_DigestSign(md_ctx, NULL, &sig_len, kMsg,
1436                                       sizeof(kMsg)))
1437                 || !TEST_ptr(sig = OPENSSL_malloc(sig_len)))
1438             goto out;
1439         if (tst <= 11) {
1440             /* Test that supply a short sig buffer fails */
1441             if (!TEST_false(EVP_DigestSign(md_ctx, sig, &shortsig_len, kMsg,
1442                                            sizeof(kMsg))))
1443                 goto out;
1444             /*
1445              * We end here because once EVP_DigestSign() has failed you should
1446              * not call it again without re-initing the ctx
1447              */
1448             ret = 1;
1449             goto out;
1450         }
1451         if (!TEST_true(EVP_DigestSign(md_ctx, sig, &sig_len, kMsg,
1452                                       sizeof(kMsg))))
1453             goto out;
1454     } else {
1455         /* Determine the size of the signature. */
1456         if (!TEST_true(EVP_DigestSignFinal(md_ctx, NULL, &sig_len))
1457                 || !TEST_ptr(sig = OPENSSL_malloc(sig_len))
1458                 /*
1459                     * Trying to create a signature with a deliberately short
1460                     * buffer should fail.
1461                     */
1462                 || !TEST_false(EVP_DigestSignFinal(md_ctx, sig, &shortsig_len))
1463                 || !TEST_true(EVP_DigestSignFinal(md_ctx, sig, &sig_len)))
1464             goto out;
1465     }
1466 
1467     /*
1468      * Ensure that the signature round-trips (Verification isn't supported for
1469      * HMAC via EVP_DigestVerify*)
1470      */
1471     if (tst % 3 != 2) {
1472         if (tst >= 6 && tst <= 8) {
1473             if (!TEST_int_gt(BIO_reset(mdbio), 0)
1474                 || !TEST_int_gt(BIO_get_md_ctx(mdbio, &md_ctx_verify), 0))
1475                 goto out;
1476         }
1477 
1478         if (!TEST_true(EVP_DigestVerifyInit(md_ctx_verify, NULL, md,
1479                                             NULL, pkey)))
1480             goto out;
1481 
1482         if (tst >= 6 && tst <= 8) {
1483             if (!TEST_true(BIO_write_ex(mdbio, kMsg, sizeof(kMsg), &written)))
1484                 goto out;
1485         } else {
1486             if (!TEST_true(EVP_DigestVerifyUpdate(md_ctx_verify, kMsg,
1487                                                   sizeof(kMsg))))
1488                 goto out;
1489         }
1490         if (!TEST_int_gt(EVP_DigestVerifyFinal(md_ctx_verify, sig, sig_len), 0))
1491             goto out;
1492 
1493         /* Multiple calls to EVP_DigestVerifyFinal should work */
1494         if (!TEST_int_gt(EVP_DigestVerifyFinal(md_ctx_verify, sig, sig_len), 0))
1495             goto out;
1496     } else {
1497         /*
1498          * For HMAC a doubled call to DigestSignFinal should produce the same
1499          * value as finalization should not happen.
1500          */
1501         if (!TEST_true(EVP_DigestSignFinal(md_ctx, NULL, &sig2_len))
1502             || !TEST_ptr(sig2 = OPENSSL_malloc(sig2_len))
1503             || !TEST_true(EVP_DigestSignFinal(md_ctx, sig2, &sig2_len)))
1504             goto out;
1505 
1506         if (!TEST_mem_eq(sig, sig_len, sig2, sig2_len))
1507             goto out;
1508     }
1509 
1510     ret = 1;
1511 
1512  out:
1513     BIO_free(membio);
1514     BIO_free(mdbio);
1515     EVP_MD_CTX_free(a_md_ctx);
1516     EVP_MD_CTX_free(a_md_ctx_verify);
1517     EVP_PKEY_free(pkey);
1518     OPENSSL_free(sig);
1519     OPENSSL_free(sig2);
1520     EVP_MD_free(mdexp);
1521 
1522     return ret;
1523 }
1524 
1525 static int test_EVP_DigestVerifyInit(void)
1526 {
1527     int ret = 0;
1528     EVP_PKEY *pkey = NULL;
1529     EVP_MD_CTX *md_ctx = NULL;
1530 
1531     if (nullprov != NULL)
1532         return TEST_skip("Test does not support a non-default library context");
1533 
1534     if (!TEST_ptr(md_ctx = EVP_MD_CTX_new())
1535             || !TEST_ptr(pkey = load_example_rsa_key()))
1536         goto out;
1537 
1538     if (!TEST_true(EVP_DigestVerifyInit(md_ctx, NULL, EVP_sha256(), NULL, pkey))
1539             || !TEST_true(EVP_DigestVerifyUpdate(md_ctx, kMsg, sizeof(kMsg)))
1540             || !TEST_int_gt(EVP_DigestVerifyFinal(md_ctx, kSignature,
1541                                                  sizeof(kSignature)), 0))
1542         goto out;
1543 
1544     /* test with reinitialization */
1545     if (!TEST_true(EVP_DigestVerifyInit(md_ctx, NULL, NULL, NULL, NULL))
1546             || !TEST_true(EVP_DigestVerifyUpdate(md_ctx, kMsg, sizeof(kMsg)))
1547             || !TEST_int_gt(EVP_DigestVerifyFinal(md_ctx, kSignature,
1548                                                  sizeof(kSignature)), 0))
1549         goto out;
1550     ret = 1;
1551 
1552  out:
1553     EVP_MD_CTX_free(md_ctx);
1554     EVP_PKEY_free(pkey);
1555     return ret;
1556 }
1557 
1558 #ifndef OPENSSL_NO_SIPHASH
1559 /* test SIPHASH MAC via EVP_PKEY with non-default parameters and reinit */
1560 static int test_siphash_digestsign(void)
1561 {
1562     unsigned char key[16];
1563     unsigned char buf[8], digest[8];
1564     unsigned char expected[8] = {
1565         0x6d, 0x3e, 0x54, 0xc2, 0x2f, 0xf1, 0xfe, 0xe2
1566     };
1567     EVP_PKEY *pkey = NULL;
1568     EVP_MD_CTX *mdctx = NULL;
1569     EVP_PKEY_CTX *ctx = NULL;
1570     int ret = 0;
1571     size_t len = 8;
1572 
1573     if (nullprov != NULL)
1574         return TEST_skip("Test does not support a non-default library context");
1575 
1576     memset(buf, 0, 8);
1577     memset(key, 1, 16);
1578     if (!TEST_ptr(pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_SIPHASH, NULL,
1579                                                       key, 16)))
1580         goto out;
1581 
1582     if (!TEST_ptr(mdctx = EVP_MD_CTX_create()))
1583         goto out;
1584 
1585     if (!TEST_true(EVP_DigestSignInit(mdctx, &ctx, NULL, NULL, pkey)))
1586         goto out;
1587     if (!TEST_int_eq(EVP_PKEY_CTX_ctrl(ctx, -1, EVP_PKEY_OP_SIGNCTX,
1588                                        EVP_PKEY_CTRL_SET_DIGEST_SIZE,
1589                                        8, NULL), 1))
1590         goto out;
1591     /* reinitialize */
1592     if (!TEST_true(EVP_DigestSignInit(mdctx, NULL, NULL, NULL, NULL)))
1593         goto out;
1594     if (!TEST_true(EVP_DigestSignUpdate(mdctx, buf, 8)))
1595         goto out;
1596     if (!TEST_true(EVP_DigestSignFinal(mdctx, digest, &len)))
1597         goto out;
1598     if (!TEST_mem_eq(digest, len, expected, sizeof(expected)))
1599         goto out;
1600 
1601     ret = 1;
1602  out:
1603     EVP_PKEY_free(pkey);
1604     EVP_MD_CTX_free(mdctx);
1605     return ret;
1606 }
1607 #endif
1608 
1609 /*
1610  * Test corner cases of EVP_DigestInit/Update/Final API call behavior.
1611  */
1612 static int test_EVP_Digest(void)
1613 {
1614     int ret = 0;
1615     EVP_MD_CTX *md_ctx = NULL;
1616     unsigned char md[EVP_MAX_MD_SIZE];
1617     EVP_MD *sha256 = NULL;
1618     EVP_MD *shake256 = NULL;
1619 
1620     if (!TEST_ptr(md_ctx = EVP_MD_CTX_new()))
1621         goto out;
1622 
1623     if (!TEST_ptr(sha256 = EVP_MD_fetch(testctx, "sha256", testpropq))
1624             || !TEST_ptr(shake256 = EVP_MD_fetch(testctx, "shake256", testpropq)))
1625         goto out;
1626 
1627     if (!TEST_true(EVP_DigestInit_ex(md_ctx, sha256, NULL))
1628             || !TEST_true(EVP_DigestUpdate(md_ctx, kMsg, sizeof(kMsg)))
1629             || !TEST_true(EVP_DigestFinal(md_ctx, md, NULL))
1630             /* EVP_DigestFinal resets the EVP_MD_CTX. */
1631             || !TEST_ptr_eq(EVP_MD_CTX_get0_md(md_ctx), NULL))
1632         goto out;
1633 
1634     if (!TEST_true(EVP_DigestInit_ex(md_ctx, sha256, NULL))
1635             || !TEST_true(EVP_DigestUpdate(md_ctx, kMsg, sizeof(kMsg)))
1636             || !TEST_true(EVP_DigestFinal_ex(md_ctx, md, NULL))
1637             /* EVP_DigestFinal_ex does not reset the EVP_MD_CTX. */
1638             || !TEST_ptr(EVP_MD_CTX_get0_md(md_ctx))
1639             /*
1640              * EVP_DigestInit_ex with NULL type should work on
1641              * pre-initialized context.
1642              */
1643             || !TEST_true(EVP_DigestInit_ex(md_ctx, NULL, NULL)))
1644         goto out;
1645 
1646     if (!TEST_true(EVP_DigestInit_ex(md_ctx, shake256, NULL))
1647             || !TEST_true(EVP_DigestUpdate(md_ctx, kMsg, sizeof(kMsg)))
1648             || !TEST_true(EVP_DigestFinalXOF(md_ctx, md, sizeof(md)))
1649             /* EVP_DigestFinalXOF does not reset the EVP_MD_CTX. */
1650             || !TEST_ptr(EVP_MD_CTX_get0_md(md_ctx))
1651             || !TEST_true(EVP_DigestInit_ex(md_ctx, NULL, NULL)))
1652         goto out;
1653     ret = 1;
1654 
1655  out:
1656     EVP_MD_CTX_free(md_ctx);
1657     EVP_MD_free(sha256);
1658     EVP_MD_free(shake256);
1659     return ret;
1660 }
1661 
1662 static int test_EVP_md_null(void)
1663 {
1664     int ret = 0;
1665     EVP_MD_CTX *md_ctx = NULL;
1666     const EVP_MD *md_null = EVP_md_null();
1667     unsigned char md_value[EVP_MAX_MD_SIZE];
1668     unsigned int md_len = sizeof(md_value);
1669 
1670     if (nullprov != NULL)
1671         return TEST_skip("Test does not support a non-default library context");
1672 
1673     if (!TEST_ptr(md_null)
1674         || !TEST_ptr(md_ctx = EVP_MD_CTX_new()))
1675         goto out;
1676 
1677     if (!TEST_true(EVP_DigestInit_ex(md_ctx, md_null, NULL))
1678         || !TEST_true(EVP_DigestUpdate(md_ctx, "test", 4))
1679         || !TEST_true(EVP_DigestFinal_ex(md_ctx, md_value, &md_len)))
1680         goto out;
1681 
1682     if (!TEST_uint_eq(md_len, 0))
1683         goto out;
1684 
1685     ret = 1;
1686  out:
1687     EVP_MD_CTX_free(md_ctx);
1688     return ret;
1689 }
1690 
1691 static int test_d2i_AutoPrivateKey(int i)
1692 {
1693     int ret = 0;
1694     const unsigned char *p;
1695     EVP_PKEY *pkey = NULL;
1696     const APK_DATA *ak = &keydata[i];
1697     const unsigned char *input = ak->kder;
1698     size_t input_len = ak->size;
1699     int expected_id = ak->evptype;
1700 
1701     p = input;
1702     if (!TEST_ptr(pkey = d2i_AutoPrivateKey(NULL, &p, input_len))
1703             || !TEST_ptr_eq(p, input + input_len)
1704             || !TEST_int_eq(EVP_PKEY_get_id(pkey), expected_id))
1705         goto done;
1706 
1707     ret = 1;
1708 
1709  done:
1710     EVP_PKEY_free(pkey);
1711     return ret;
1712 }
1713 
1714 #ifndef OPENSSL_NO_EC
1715 
1716 static const unsigned char ec_public_sect163k1_validxy[] = {
1717     0x30, 0x40, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02,
1718     0x01, 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x01, 0x03, 0x2c, 0x00, 0x04,
1719     0x02, 0x84, 0x58, 0xa6, 0xd4, 0xa0, 0x35, 0x2b, 0xae, 0xf0, 0xc0, 0x69,
1720     0x05, 0xcf, 0x2a, 0x50, 0x33, 0xf9, 0xe3, 0x92, 0x79, 0x02, 0xd1, 0x7b,
1721     0x9f, 0x22, 0x00, 0xf0, 0x3b, 0x0e, 0x5d, 0x2e, 0xb7, 0x23, 0x24, 0xf3,
1722     0x6a, 0xd8, 0x17, 0x65, 0x41, 0x2f
1723 };
1724 
1725 static const unsigned char ec_public_sect163k1_badx[] = {
1726     0x30, 0x40, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02,
1727     0x01, 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x01, 0x03, 0x2c, 0x00, 0x04,
1728     0x0a, 0x84, 0x58, 0xa6, 0xd4, 0xa0, 0x35, 0x2b, 0xae, 0xf0, 0xc0, 0x69,
1729     0x05, 0xcf, 0x2a, 0x50, 0x33, 0xf9, 0xe3, 0x92, 0xb0, 0x02, 0xd1, 0x7b,
1730     0x9f, 0x22, 0x00, 0xf0, 0x3b, 0x0e, 0x5d, 0x2e, 0xb7, 0x23, 0x24, 0xf3,
1731     0x6a, 0xd8, 0x17, 0x65, 0x41, 0x2f
1732 };
1733 
1734 static const unsigned char ec_public_sect163k1_bady[] = {
1735     0x30, 0x40, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02,
1736     0x01, 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x01, 0x03, 0x2c, 0x00, 0x04,
1737     0x02, 0x84, 0x58, 0xa6, 0xd4, 0xa0, 0x35, 0x2b, 0xae, 0xf0, 0xc0, 0x69,
1738     0x05, 0xcf, 0x2a, 0x50, 0x33, 0xf9, 0xe3, 0x92, 0x79, 0x0a, 0xd1, 0x7b,
1739     0x9f, 0x22, 0x00, 0xf0, 0x3b, 0x0e, 0x5d, 0x2e, 0xb7, 0x23, 0x24, 0xf3,
1740     0x6a, 0xd8, 0x17, 0x65, 0x41, 0xe6
1741 };
1742 
1743 static struct ec_der_pub_keys_st {
1744     const unsigned char *der;
1745     size_t len;
1746     int valid;
1747 } ec_der_pub_keys[] = {
1748     { ec_public_sect163k1_validxy, sizeof(ec_public_sect163k1_validxy), 1 },
1749     { ec_public_sect163k1_badx, sizeof(ec_public_sect163k1_badx), 0 },
1750     { ec_public_sect163k1_bady, sizeof(ec_public_sect163k1_bady), 0 },
1751 };
1752 
1753 /*
1754  * Tests the range of the decoded EC char2 public point.
1755  * See ec_GF2m_simple_oct2point().
1756  */
1757 static int test_invalide_ec_char2_pub_range_decode(int id)
1758 {
1759     int ret = 0;
1760     EVP_PKEY *pkey;
1761 
1762     pkey = load_example_key("EC", ec_der_pub_keys[id].der,
1763                             ec_der_pub_keys[id].len);
1764 
1765     ret = (ec_der_pub_keys[id].valid && TEST_ptr(pkey))
1766           || TEST_ptr_null(pkey);
1767     EVP_PKEY_free(pkey);
1768     return ret;
1769 }
1770 
1771 /* Tests loading a bad key in PKCS8 format */
1772 static int test_EVP_PKCS82PKEY(void)
1773 {
1774     int ret = 0;
1775     const unsigned char *derp = kExampleBadECKeyDER;
1776     PKCS8_PRIV_KEY_INFO *p8inf = NULL;
1777     EVP_PKEY *pkey = NULL;
1778 
1779     if (!TEST_ptr(p8inf = d2i_PKCS8_PRIV_KEY_INFO(NULL, &derp,
1780                                               sizeof(kExampleBadECKeyDER))))
1781         goto done;
1782 
1783     if (!TEST_ptr_eq(derp,
1784                      kExampleBadECKeyDER + sizeof(kExampleBadECKeyDER)))
1785         goto done;
1786 
1787     if (!TEST_ptr_null(pkey = EVP_PKCS82PKEY(p8inf)))
1788         goto done;
1789 
1790     ret = 1;
1791 
1792  done:
1793     PKCS8_PRIV_KEY_INFO_free(p8inf);
1794     EVP_PKEY_free(pkey);
1795 
1796     return ret;
1797 }
1798 
1799 #endif
1800 static int test_EVP_PKCS82PKEY_wrong_tag(void)
1801 {
1802     EVP_PKEY *pkey = NULL;
1803     EVP_PKEY *pkey2 = NULL;
1804     BIO *membio = NULL;
1805     char *membuf = NULL;
1806     PKCS8_PRIV_KEY_INFO *p8inf = NULL;
1807     int ok = 0;
1808 
1809     if (testctx != NULL)
1810         /* test not supported with non-default context */
1811         return 1;
1812 
1813     if (!TEST_ptr(membio = BIO_new(BIO_s_mem()))
1814         || !TEST_ptr(pkey = load_example_rsa_key())
1815         || !TEST_int_gt(i2d_PKCS8PrivateKey_bio(membio, pkey, NULL,
1816                                                 NULL, 0, NULL, NULL),
1817                         0)
1818         || !TEST_int_gt(BIO_get_mem_data(membio, &membuf), 0)
1819         || !TEST_ptr(p8inf = d2i_PKCS8_PRIV_KEY_INFO_bio(membio, NULL))
1820         || !TEST_ptr(pkey2 = EVP_PKCS82PKEY(p8inf))
1821         || !TEST_int_eq(ERR_peek_last_error(), 0)) {
1822         goto done;
1823     }
1824 
1825     ok = 1;
1826  done:
1827     EVP_PKEY_free(pkey);
1828     EVP_PKEY_free(pkey2);
1829     PKCS8_PRIV_KEY_INFO_free(p8inf);
1830     BIO_free_all(membio);
1831     return ok;
1832 }
1833 
1834 /* This uses kExampleRSAKeyDER and kExampleRSAKeyPKCS8 to verify encoding */
1835 static int test_privatekey_to_pkcs8(void)
1836 {
1837     EVP_PKEY *pkey = NULL;
1838     BIO *membio = NULL;
1839     char *membuf = NULL;
1840     long membuf_len = 0;
1841     int ok = 0;
1842 
1843     if (!TEST_ptr(membio = BIO_new(BIO_s_mem()))
1844         || !TEST_ptr(pkey = load_example_rsa_key())
1845         || !TEST_int_gt(i2d_PKCS8PrivateKey_bio(membio, pkey, NULL,
1846                                                 NULL, 0, NULL, NULL),
1847                         0)
1848         || !TEST_int_gt(membuf_len = BIO_get_mem_data(membio, &membuf), 0)
1849         || !TEST_ptr(membuf)
1850         || !TEST_mem_eq(membuf, (size_t)membuf_len,
1851                         kExampleRSAKeyPKCS8, sizeof(kExampleRSAKeyPKCS8))
1852         /*
1853          * We try to write PEM as well, just to see that it doesn't err, but
1854          * assume that the result is correct.
1855          */
1856         || !TEST_int_gt(PEM_write_bio_PKCS8PrivateKey(membio, pkey, NULL,
1857                                                       NULL, 0, NULL, NULL),
1858                         0))
1859         goto done;
1860 
1861     ok = 1;
1862  done:
1863     EVP_PKEY_free(pkey);
1864     BIO_free_all(membio);
1865     return ok;
1866 }
1867 
1868 #ifndef OPENSSL_NO_EC
1869 static const struct {
1870     int encoding;
1871     const char *encoding_name;
1872 } ec_encodings[] = {
1873     { OPENSSL_EC_EXPLICIT_CURVE, OSSL_PKEY_EC_ENCODING_EXPLICIT },
1874     { OPENSSL_EC_NAMED_CURVE,    OSSL_PKEY_EC_ENCODING_GROUP }
1875 };
1876 
1877 static int ec_export_get_encoding_cb(const OSSL_PARAM params[], void *arg)
1878 {
1879     const OSSL_PARAM *p;
1880     const char *enc_name = NULL;
1881     int *enc = arg;
1882     size_t i;
1883 
1884     *enc = -1;
1885 
1886     if (!TEST_ptr(p = OSSL_PARAM_locate_const(params,
1887                                               OSSL_PKEY_PARAM_EC_ENCODING))
1888         || !TEST_true(OSSL_PARAM_get_utf8_string_ptr(p, &enc_name)))
1889         return 0;
1890 
1891     for (i = 0; i < OSSL_NELEM(ec_encodings); i++) {
1892         if (OPENSSL_strcasecmp(enc_name, ec_encodings[i].encoding_name) == 0) {
1893             *enc = ec_encodings[i].encoding;
1894             break;
1895         }
1896     }
1897 
1898     return (*enc != -1);
1899 }
1900 
1901 static int test_EC_keygen_with_enc(int idx)
1902 {
1903     EVP_PKEY *params = NULL, *key = NULL;
1904     EVP_PKEY_CTX *pctx = NULL, *kctx = NULL;
1905     int enc;
1906     int ret = 0;
1907 
1908     enc = ec_encodings[idx].encoding;
1909 
1910     /* Create key parameters */
1911     if (!TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(testctx, "EC", NULL))
1912         || !TEST_int_gt(EVP_PKEY_paramgen_init(pctx), 0)
1913         || !TEST_int_gt(EVP_PKEY_CTX_set_group_name(pctx, "P-256"), 0)
1914         || !TEST_int_gt(EVP_PKEY_CTX_set_ec_param_enc(pctx, enc), 0)
1915         || !TEST_true(EVP_PKEY_paramgen(pctx, &params))
1916         || !TEST_ptr(params))
1917         goto done;
1918 
1919     /* Create key */
1920     if (!TEST_ptr(kctx = EVP_PKEY_CTX_new_from_pkey(testctx, params, NULL))
1921         || !TEST_int_gt(EVP_PKEY_keygen_init(kctx), 0)
1922         || !TEST_true(EVP_PKEY_keygen(kctx, &key))
1923         || !TEST_ptr(key))
1924         goto done;
1925 
1926     /* Check that the encoding got all the way into the key */
1927     if (!TEST_true(evp_keymgmt_util_export(key, OSSL_KEYMGMT_SELECT_ALL,
1928                                            ec_export_get_encoding_cb, &enc))
1929         || !TEST_int_eq(enc, ec_encodings[idx].encoding))
1930         goto done;
1931 
1932     ret = 1;
1933  done:
1934     EVP_PKEY_free(key);
1935     EVP_PKEY_free(params);
1936     EVP_PKEY_CTX_free(kctx);
1937     EVP_PKEY_CTX_free(pctx);
1938     return ret;
1939 }
1940 #endif
1941 
1942 #if !defined(OPENSSL_NO_SM2)
1943 
1944 static int test_EVP_SM2_verify(void)
1945 {
1946     const char *pubkey =
1947         "-----BEGIN PUBLIC KEY-----\n"
1948         "MFkwEwYHKoZIzj0CAQYIKoEcz1UBgi0DQgAEp1KLWq1ZE2jmoAnnBJE1LBGxVr18\n"
1949         "YvvqECWCpXfAQ9qUJ+UmthnUPf0iM3SaXKHe6PlLIDyNlWMWb9RUh/yU3g==\n"
1950         "-----END PUBLIC KEY-----\n";
1951 
1952     const char *msg = "message digest";
1953     const char *id = "ALICE123@YAHOO.COM";
1954 
1955     const uint8_t signature[] = {
1956         0x30, 0x44, 0x02, 0x20, 0x5b, 0xdb, 0xab, 0x81, 0x4f, 0xbb,
1957         0x8b, 0x69, 0xb1, 0x05, 0x9c, 0x99, 0x3b, 0xb2, 0x45, 0x06,
1958         0x4a, 0x30, 0x15, 0x59, 0x84, 0xcd, 0xee, 0x30, 0x60, 0x36,
1959         0x57, 0x87, 0xef, 0x5c, 0xd0, 0xbe, 0x02, 0x20, 0x43, 0x8d,
1960         0x1f, 0xc7, 0x77, 0x72, 0x39, 0xbb, 0x72, 0xe1, 0xfd, 0x07,
1961         0x58, 0xd5, 0x82, 0xc8, 0x2d, 0xba, 0x3b, 0x2c, 0x46, 0x24,
1962         0xe3, 0x50, 0xff, 0x04, 0xc7, 0xa0, 0x71, 0x9f, 0xa4, 0x70
1963     };
1964 
1965     int rc = 0;
1966     BIO *bio = NULL;
1967     EVP_PKEY *pkey = NULL;
1968     EVP_MD_CTX *mctx = NULL;
1969     EVP_PKEY_CTX *pctx = NULL;
1970     EVP_MD *sm3 = NULL;
1971 
1972     bio = BIO_new_mem_buf(pubkey, strlen(pubkey));
1973     if (!TEST_true(bio != NULL))
1974         goto done;
1975 
1976     pkey = PEM_read_bio_PUBKEY_ex(bio, NULL, NULL, NULL, testctx, testpropq);
1977     if (!TEST_true(pkey != NULL))
1978         goto done;
1979 
1980     if (!TEST_true(EVP_PKEY_is_a(pkey, "SM2")))
1981         goto done;
1982 
1983     if (!TEST_ptr(mctx = EVP_MD_CTX_new()))
1984         goto done;
1985 
1986     if (!TEST_ptr(pctx = EVP_PKEY_CTX_new_from_pkey(testctx, pkey, testpropq)))
1987         goto done;
1988 
1989     EVP_MD_CTX_set_pkey_ctx(mctx, pctx);
1990 
1991     if (!TEST_ptr(sm3 = EVP_MD_fetch(testctx, "sm3", testpropq)))
1992         goto done;
1993 
1994     if (!TEST_true(EVP_DigestVerifyInit(mctx, NULL, sm3, NULL, pkey)))
1995         goto done;
1996 
1997     if (!TEST_int_gt(EVP_PKEY_CTX_set1_id(pctx, id, strlen(id)), 0))
1998         goto done;
1999 
2000     if (!TEST_true(EVP_DigestVerifyUpdate(mctx, msg, strlen(msg))))
2001         goto done;
2002 
2003     if (!TEST_int_gt(EVP_DigestVerifyFinal(mctx, signature, sizeof(signature)), 0))
2004         goto done;
2005     rc = 1;
2006 
2007  done:
2008     BIO_free(bio);
2009     EVP_PKEY_free(pkey);
2010     EVP_PKEY_CTX_free(pctx);
2011     EVP_MD_CTX_free(mctx);
2012     EVP_MD_free(sm3);
2013     return rc;
2014 }
2015 
2016 static int test_EVP_SM2(void)
2017 {
2018     int ret = 0;
2019     EVP_PKEY *pkey = NULL;
2020     EVP_PKEY *pkeyparams = NULL;
2021     EVP_PKEY_CTX *pctx = NULL;
2022     EVP_PKEY_CTX *kctx = NULL;
2023     EVP_PKEY_CTX *sctx = NULL;
2024     size_t sig_len = 0;
2025     unsigned char *sig = NULL;
2026     EVP_MD_CTX *md_ctx = NULL;
2027     EVP_MD_CTX *md_ctx_verify = NULL;
2028     EVP_PKEY_CTX *cctx = NULL;
2029     EVP_MD *check_md = NULL;
2030 
2031     uint8_t ciphertext[128];
2032     size_t ctext_len = sizeof(ciphertext);
2033 
2034     uint8_t plaintext[8];
2035     size_t ptext_len = sizeof(plaintext);
2036 
2037     uint8_t sm2_id[] = {1, 2, 3, 4, 'l', 'e', 't', 't', 'e', 'r'};
2038 
2039     OSSL_PARAM sparams[2] = {OSSL_PARAM_END, OSSL_PARAM_END};
2040     OSSL_PARAM gparams[2] = {OSSL_PARAM_END, OSSL_PARAM_END};
2041     int i;
2042     char mdname[OSSL_MAX_NAME_SIZE];
2043 
2044     if (!TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(testctx,
2045                                                     "SM2", testpropq)))
2046         goto done;
2047 
2048     if (!TEST_true(EVP_PKEY_paramgen_init(pctx) == 1))
2049         goto done;
2050 
2051     if (!TEST_int_gt(EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, NID_sm2), 0))
2052         goto done;
2053 
2054     if (!TEST_true(EVP_PKEY_paramgen(pctx, &pkeyparams)))
2055         goto done;
2056 
2057     if (!TEST_ptr(kctx = EVP_PKEY_CTX_new_from_pkey(testctx,
2058                                                     pkeyparams, testpropq)))
2059         goto done;
2060 
2061     if (!TEST_int_gt(EVP_PKEY_keygen_init(kctx), 0))
2062         goto done;
2063 
2064     if (!TEST_true(EVP_PKEY_keygen(kctx, &pkey)))
2065         goto done;
2066 
2067     if (!TEST_ptr(md_ctx = EVP_MD_CTX_new()))
2068         goto done;
2069 
2070     if (!TEST_ptr(md_ctx_verify = EVP_MD_CTX_new()))
2071         goto done;
2072 
2073     if (!TEST_ptr(sctx = EVP_PKEY_CTX_new_from_pkey(testctx, pkey, testpropq)))
2074         goto done;
2075 
2076     EVP_MD_CTX_set_pkey_ctx(md_ctx, sctx);
2077     EVP_MD_CTX_set_pkey_ctx(md_ctx_verify, sctx);
2078 
2079     if (!TEST_ptr(check_md = EVP_MD_fetch(testctx, "sm3", testpropq)))
2080         goto done;
2081 
2082     if (!TEST_true(EVP_DigestSignInit(md_ctx, NULL, check_md, NULL, pkey)))
2083         goto done;
2084 
2085     if (!TEST_int_gt(EVP_PKEY_CTX_set1_id(sctx, sm2_id, sizeof(sm2_id)), 0))
2086         goto done;
2087 
2088     if (!TEST_true(EVP_DigestSignUpdate(md_ctx, kMsg, sizeof(kMsg))))
2089         goto done;
2090 
2091     /* Determine the size of the signature. */
2092     if (!TEST_true(EVP_DigestSignFinal(md_ctx, NULL, &sig_len)))
2093         goto done;
2094 
2095     if (!TEST_ptr(sig = OPENSSL_malloc(sig_len)))
2096         goto done;
2097 
2098     if (!TEST_true(EVP_DigestSignFinal(md_ctx, sig, &sig_len)))
2099         goto done;
2100 
2101     /* Ensure that the signature round-trips. */
2102 
2103     if (!TEST_true(EVP_DigestVerifyInit(md_ctx_verify, NULL, check_md, NULL,
2104                                         pkey)))
2105         goto done;
2106 
2107     if (!TEST_int_gt(EVP_PKEY_CTX_set1_id(sctx, sm2_id, sizeof(sm2_id)), 0))
2108         goto done;
2109 
2110     if (!TEST_true(EVP_DigestVerifyUpdate(md_ctx_verify, kMsg, sizeof(kMsg))))
2111         goto done;
2112 
2113     if (!TEST_int_gt(EVP_DigestVerifyFinal(md_ctx_verify, sig, sig_len), 0))
2114         goto done;
2115 
2116     /*
2117      * Try verify again with non-matching 0 length id but ensure that it can
2118      * be set on the context and overrides the previous value.
2119      */
2120 
2121     if (!TEST_true(EVP_DigestVerifyInit(md_ctx_verify, NULL, check_md, NULL,
2122                                         pkey)))
2123         goto done;
2124 
2125     if (!TEST_int_gt(EVP_PKEY_CTX_set1_id(sctx, NULL, 0), 0))
2126         goto done;
2127 
2128     if (!TEST_true(EVP_DigestVerifyUpdate(md_ctx_verify, kMsg, sizeof(kMsg))))
2129         goto done;
2130 
2131     if (!TEST_int_eq(EVP_DigestVerifyFinal(md_ctx_verify, sig, sig_len), 0))
2132         goto done;
2133 
2134     /* now check encryption/decryption */
2135 
2136     gparams[0] = OSSL_PARAM_construct_utf8_string(OSSL_ASYM_CIPHER_PARAM_DIGEST,
2137                                                   mdname, sizeof(mdname));
2138     for (i = 0; i < 2; i++) {
2139         const char *mdnames[] = {
2140 #ifndef OPENSSL_NO_SM3
2141             "SM3",
2142 #else
2143             NULL,
2144 #endif
2145             "SHA2-256" };
2146         EVP_PKEY_CTX_free(cctx);
2147 
2148         if (mdnames[i] == NULL)
2149             continue;
2150 
2151         sparams[0] =
2152             OSSL_PARAM_construct_utf8_string(OSSL_ASYM_CIPHER_PARAM_DIGEST,
2153                                              (char *)mdnames[i], 0);
2154 
2155         if (!TEST_ptr(cctx = EVP_PKEY_CTX_new_from_pkey(testctx,
2156                                                         pkey, testpropq)))
2157             goto done;
2158 
2159         if (!TEST_true(EVP_PKEY_encrypt_init(cctx)))
2160             goto done;
2161 
2162         if (!TEST_true(EVP_PKEY_CTX_set_params(cctx, sparams)))
2163             goto done;
2164 
2165         if (!TEST_true(EVP_PKEY_encrypt(cctx, ciphertext, &ctext_len, kMsg,
2166                                         sizeof(kMsg))))
2167             goto done;
2168 
2169         if (!TEST_int_gt(EVP_PKEY_decrypt_init(cctx), 0))
2170             goto done;
2171 
2172         if (!TEST_true(EVP_PKEY_CTX_set_params(cctx, sparams)))
2173             goto done;
2174 
2175         if (!TEST_int_gt(EVP_PKEY_decrypt(cctx, plaintext, &ptext_len, ciphertext,
2176                                         ctext_len), 0))
2177             goto done;
2178 
2179         if (!TEST_true(EVP_PKEY_CTX_get_params(cctx, gparams)))
2180             goto done;
2181 
2182         /*
2183          * Test we're still using the digest we think we are.
2184          * Because of aliases, the easiest is to fetch the digest and
2185          * check the name with EVP_MD_is_a().
2186          */
2187         EVP_MD_free(check_md);
2188         if (!TEST_ptr(check_md = EVP_MD_fetch(testctx, mdname, testpropq)))
2189             goto done;
2190         if (!TEST_true(EVP_MD_is_a(check_md, mdnames[i]))) {
2191             TEST_info("Fetched md %s isn't %s", mdname, mdnames[i]);
2192             goto done;
2193         }
2194 
2195         if (!TEST_true(ptext_len == sizeof(kMsg)))
2196             goto done;
2197 
2198         if (!TEST_true(memcmp(plaintext, kMsg, sizeof(kMsg)) == 0))
2199             goto done;
2200     }
2201 
2202     ret = 1;
2203 done:
2204     EVP_PKEY_CTX_free(pctx);
2205     EVP_PKEY_CTX_free(kctx);
2206     EVP_PKEY_CTX_free(sctx);
2207     EVP_PKEY_CTX_free(cctx);
2208     EVP_PKEY_free(pkey);
2209     EVP_PKEY_free(pkeyparams);
2210     EVP_MD_CTX_free(md_ctx);
2211     EVP_MD_CTX_free(md_ctx_verify);
2212     EVP_MD_free(check_md);
2213     OPENSSL_free(sig);
2214     return ret;
2215 }
2216 
2217 #endif
2218 
2219 static struct keys_st {
2220     int type;
2221     char *priv;
2222     char *pub;
2223 } keys[] = {
2224     {
2225         EVP_PKEY_HMAC, "0123456789", NULL
2226     },
2227     {
2228         EVP_PKEY_HMAC, "", NULL
2229 #ifndef OPENSSL_NO_POLY1305
2230     }, {
2231         EVP_PKEY_POLY1305, "01234567890123456789012345678901", NULL
2232 #endif
2233 #ifndef OPENSSL_NO_SIPHASH
2234     }, {
2235         EVP_PKEY_SIPHASH, "0123456789012345", NULL
2236 #endif
2237     },
2238 #ifndef OPENSSL_NO_EC
2239     {
2240         EVP_PKEY_X25519, "01234567890123456789012345678901",
2241         "abcdefghijklmnopqrstuvwxyzabcdef"
2242     }, {
2243         EVP_PKEY_ED25519, "01234567890123456789012345678901",
2244         "abcdefghijklmnopqrstuvwxyzabcdef"
2245     }, {
2246         EVP_PKEY_X448,
2247         "01234567890123456789012345678901234567890123456789012345",
2248         "abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcd"
2249     }, {
2250         EVP_PKEY_ED448,
2251         "012345678901234567890123456789012345678901234567890123456",
2252         "abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcde"
2253     }
2254 #endif
2255 };
2256 
2257 static int test_set_get_raw_keys_int(int tst, int pub, int uselibctx)
2258 {
2259     int ret = 0;
2260     unsigned char buf[80];
2261     unsigned char *in;
2262     size_t inlen, len = 0, shortlen = 1;
2263     EVP_PKEY *pkey;
2264 
2265     /* Check if this algorithm supports public keys */
2266     if (pub && keys[tst].pub == NULL)
2267         return 1;
2268 
2269     memset(buf, 0, sizeof(buf));
2270 
2271     if (pub) {
2272 #ifndef OPENSSL_NO_EC
2273         inlen = strlen(keys[tst].pub);
2274         in = (unsigned char *)keys[tst].pub;
2275         if (uselibctx) {
2276             pkey = EVP_PKEY_new_raw_public_key_ex(
2277                         testctx,
2278                         OBJ_nid2sn(keys[tst].type),
2279                         NULL,
2280                         in,
2281                         inlen);
2282         } else {
2283             pkey = EVP_PKEY_new_raw_public_key(keys[tst].type,
2284                                                NULL,
2285                                                in,
2286                                                inlen);
2287         }
2288 #else
2289         return 1;
2290 #endif
2291     } else {
2292         inlen = strlen(keys[tst].priv);
2293         in = (unsigned char *)keys[tst].priv;
2294         if (uselibctx) {
2295             pkey = EVP_PKEY_new_raw_private_key_ex(
2296                         testctx, OBJ_nid2sn(keys[tst].type),
2297                         NULL,
2298                         in,
2299                         inlen);
2300         } else {
2301             pkey = EVP_PKEY_new_raw_private_key(keys[tst].type,
2302                                                 NULL,
2303                                                 in,
2304                                                 inlen);
2305         }
2306     }
2307 
2308     if (!TEST_ptr(pkey)
2309             || !TEST_int_eq(EVP_PKEY_eq(pkey, pkey), 1)
2310             || (!pub && !TEST_true(EVP_PKEY_get_raw_private_key(pkey, NULL, &len)))
2311             || (pub && !TEST_true(EVP_PKEY_get_raw_public_key(pkey, NULL, &len)))
2312             || !TEST_true(len == inlen))
2313         goto done;
2314     if (tst != 1) {
2315         /*
2316          * Test that supplying a buffer that is too small fails. Doesn't apply
2317          * to HMAC with a zero length key
2318          */
2319         if ((!pub && !TEST_false(EVP_PKEY_get_raw_private_key(pkey, buf,
2320                                                                  &shortlen)))
2321                 || (pub && !TEST_false(EVP_PKEY_get_raw_public_key(pkey, buf,
2322                                                                    &shortlen))))
2323             goto done;
2324     }
2325     if ((!pub && !TEST_true(EVP_PKEY_get_raw_private_key(pkey, buf, &len)))
2326             || (pub && !TEST_true(EVP_PKEY_get_raw_public_key(pkey, buf, &len)))
2327             || !TEST_mem_eq(in, inlen, buf, len))
2328         goto done;
2329 
2330     ret = 1;
2331  done:
2332     EVP_PKEY_free(pkey);
2333     return ret;
2334 }
2335 
2336 static int test_set_get_raw_keys(int tst)
2337 {
2338     return (nullprov != NULL || test_set_get_raw_keys_int(tst, 0, 0))
2339            && test_set_get_raw_keys_int(tst, 0, 1)
2340            && (nullprov != NULL || test_set_get_raw_keys_int(tst, 1, 0))
2341            && test_set_get_raw_keys_int(tst, 1, 1);
2342 }
2343 
2344 #ifndef OPENSSL_NO_DEPRECATED_3_0
2345 static int pkey_custom_check(EVP_PKEY *pkey)
2346 {
2347     return 0xbeef;
2348 }
2349 
2350 static int pkey_custom_pub_check(EVP_PKEY *pkey)
2351 {
2352     return 0xbeef;
2353 }
2354 
2355 static int pkey_custom_param_check(EVP_PKEY *pkey)
2356 {
2357     return 0xbeef;
2358 }
2359 
2360 static EVP_PKEY_METHOD *custom_pmeth;
2361 #endif
2362 
2363 static int test_EVP_PKEY_check(int i)
2364 {
2365     int ret = 0;
2366     EVP_PKEY *pkey = NULL;
2367     EVP_PKEY_CTX *ctx = NULL;
2368 #ifndef OPENSSL_NO_DEPRECATED_3_0
2369     EVP_PKEY_CTX *ctx2 = NULL;
2370 #endif
2371     const APK_DATA *ak = &keycheckdata[i];
2372     const unsigned char *input = ak->kder;
2373     size_t input_len = ak->size;
2374     int expected_id = ak->evptype;
2375     int expected_check = ak->check;
2376     int expected_pub_check = ak->pub_check;
2377     int expected_param_check = ak->param_check;
2378     int type = ak->type;
2379 
2380     if (!TEST_ptr(pkey = load_example_key(ak->keytype, input, input_len)))
2381         goto done;
2382     if (type == 0
2383         && !TEST_int_eq(EVP_PKEY_get_id(pkey), expected_id))
2384         goto done;
2385 
2386     if (!TEST_ptr(ctx = EVP_PKEY_CTX_new_from_pkey(testctx, pkey, testpropq)))
2387         goto done;
2388 
2389     if (!TEST_int_eq(EVP_PKEY_check(ctx), expected_check))
2390         goto done;
2391 
2392     if (!TEST_int_eq(EVP_PKEY_public_check(ctx), expected_pub_check))
2393         goto done;
2394 
2395     if (!TEST_int_eq(EVP_PKEY_param_check(ctx), expected_param_check))
2396         goto done;
2397 
2398 #ifndef OPENSSL_NO_DEPRECATED_3_0
2399     ctx2 = EVP_PKEY_CTX_new_id(0xdefaced, NULL);
2400     /* assign the pkey directly, as an internal test */
2401     EVP_PKEY_up_ref(pkey);
2402     ctx2->pkey = pkey;
2403 
2404     if (!TEST_int_eq(EVP_PKEY_check(ctx2), 0xbeef))
2405         goto done;
2406 
2407     if (!TEST_int_eq(EVP_PKEY_public_check(ctx2), 0xbeef))
2408         goto done;
2409 
2410     if (!TEST_int_eq(EVP_PKEY_param_check(ctx2), 0xbeef))
2411         goto done;
2412 #endif
2413 
2414     ret = 1;
2415 
2416  done:
2417     EVP_PKEY_CTX_free(ctx);
2418 #ifndef OPENSSL_NO_DEPRECATED_3_0
2419     EVP_PKEY_CTX_free(ctx2);
2420 #endif
2421     EVP_PKEY_free(pkey);
2422     return ret;
2423 }
2424 
2425 #ifndef OPENSSL_NO_CMAC
2426 static int get_cmac_val(EVP_PKEY *pkey, unsigned char *mac)
2427 {
2428     EVP_MD_CTX *mdctx = EVP_MD_CTX_new();
2429     const char msg[] = "Hello World";
2430     size_t maclen = AES_BLOCK_SIZE;
2431     int ret = 1;
2432 
2433     if (!TEST_ptr(mdctx)
2434             || !TEST_true(EVP_DigestSignInit_ex(mdctx, NULL, NULL, testctx,
2435                                                 testpropq, pkey, NULL))
2436             || !TEST_true(EVP_DigestSignUpdate(mdctx, msg, sizeof(msg)))
2437             || !TEST_true(EVP_DigestSignFinal(mdctx, mac, &maclen))
2438             || !TEST_size_t_eq(maclen, AES_BLOCK_SIZE))
2439         ret = 0;
2440 
2441     EVP_MD_CTX_free(mdctx);
2442 
2443     return ret;
2444 }
2445 static int test_CMAC_keygen(void)
2446 {
2447     static unsigned char key[] = {
2448         0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
2449         0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
2450         0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
2451     };
2452     EVP_PKEY_CTX *kctx = NULL;
2453     int ret = 0;
2454     EVP_PKEY *pkey = NULL;
2455     unsigned char mac[AES_BLOCK_SIZE];
2456 # if !defined(OPENSSL_NO_DEPRECATED_3_0)
2457     unsigned char mac2[AES_BLOCK_SIZE];
2458 # endif
2459 
2460     if (nullprov != NULL)
2461         return TEST_skip("Test does not support a non-default library context");
2462 
2463     /*
2464      * This is a legacy method for CMACs, but should still work.
2465      * This verifies that it works without an ENGINE.
2466      */
2467     kctx = EVP_PKEY_CTX_new_id(EVP_PKEY_CMAC, NULL);
2468 
2469     /* Test a CMAC key created using the "generated" method */
2470     if (!TEST_int_gt(EVP_PKEY_keygen_init(kctx), 0)
2471             || !TEST_int_gt(EVP_PKEY_CTX_ctrl(kctx, -1, EVP_PKEY_OP_KEYGEN,
2472                                             EVP_PKEY_CTRL_CIPHER,
2473                                             0, (void *)EVP_aes_256_ecb()), 0)
2474             || !TEST_int_gt(EVP_PKEY_CTX_ctrl(kctx, -1, EVP_PKEY_OP_KEYGEN,
2475                                             EVP_PKEY_CTRL_SET_MAC_KEY,
2476                                             sizeof(key), (void *)key), 0)
2477             || !TEST_int_gt(EVP_PKEY_keygen(kctx, &pkey), 0)
2478             || !TEST_ptr(pkey)
2479             || !TEST_true(get_cmac_val(pkey, mac)))
2480         goto done;
2481 
2482 # if !defined(OPENSSL_NO_DEPRECATED_3_0)
2483     EVP_PKEY_free(pkey);
2484 
2485     /*
2486      * Test a CMAC key using the direct method, and compare with the mac
2487      * created above.
2488      */
2489     pkey = EVP_PKEY_new_CMAC_key(NULL, key, sizeof(key), EVP_aes_256_ecb());
2490     if (!TEST_ptr(pkey)
2491             || !TEST_true(get_cmac_val(pkey, mac2))
2492             || !TEST_mem_eq(mac, sizeof(mac), mac2, sizeof(mac2)))
2493         goto done;
2494 # endif
2495 
2496     ret = 1;
2497 
2498  done:
2499     EVP_PKEY_free(pkey);
2500     EVP_PKEY_CTX_free(kctx);
2501     return ret;
2502 }
2503 #endif
2504 
2505 static int test_HKDF(void)
2506 {
2507     EVP_PKEY_CTX *pctx;
2508     unsigned char out[20];
2509     size_t outlen;
2510     int i, ret = 0;
2511     unsigned char salt[] = "0123456789";
2512     unsigned char key[] = "012345678901234567890123456789";
2513     unsigned char info[] = "infostring";
2514     const unsigned char expected[] = {
2515         0xe5, 0x07, 0x70, 0x7f, 0xc6, 0x78, 0xd6, 0x54, 0x32, 0x5f, 0x7e, 0xc5,
2516         0x7b, 0x59, 0x3e, 0xd8, 0x03, 0x6b, 0xed, 0xca
2517     };
2518     size_t expectedlen = sizeof(expected);
2519 
2520     if (!TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(testctx, "HKDF", testpropq)))
2521         goto done;
2522 
2523     /* We do this twice to test reuse of the EVP_PKEY_CTX */
2524     for (i = 0; i < 2; i++) {
2525         outlen = sizeof(out);
2526         memset(out, 0, outlen);
2527 
2528         if (!TEST_int_gt(EVP_PKEY_derive_init(pctx), 0)
2529                 || !TEST_int_gt(EVP_PKEY_CTX_set_hkdf_md(pctx, EVP_sha256()), 0)
2530                 || !TEST_int_gt(EVP_PKEY_CTX_set1_hkdf_salt(pctx, salt,
2531                                                             sizeof(salt) - 1), 0)
2532                 || !TEST_int_gt(EVP_PKEY_CTX_set1_hkdf_key(pctx, key,
2533                                                            sizeof(key) - 1), 0)
2534                 || !TEST_int_gt(EVP_PKEY_CTX_add1_hkdf_info(pctx, info,
2535                                                             sizeof(info) - 1), 0)
2536                 || !TEST_int_gt(EVP_PKEY_derive(pctx, out, &outlen), 0)
2537                 || !TEST_mem_eq(out, outlen, expected, expectedlen))
2538             goto done;
2539     }
2540 
2541     ret = 1;
2542 
2543  done:
2544     EVP_PKEY_CTX_free(pctx);
2545 
2546     return ret;
2547 }
2548 
2549 static int test_emptyikm_HKDF(void)
2550 {
2551     EVP_PKEY_CTX *pctx;
2552     unsigned char out[20];
2553     size_t outlen;
2554     int ret = 0;
2555     unsigned char salt[] = "9876543210";
2556     unsigned char key[] = "";
2557     unsigned char info[] = "stringinfo";
2558     const unsigned char expected[] = {
2559         0x68, 0x81, 0xa5, 0x3e, 0x5b, 0x9c, 0x7b, 0x6f, 0x2e, 0xec, 0xc8, 0x47,
2560         0x7c, 0xfa, 0x47, 0x35, 0x66, 0x82, 0x15, 0x30
2561     };
2562     size_t expectedlen = sizeof(expected);
2563 
2564     if (!TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(testctx, "HKDF", testpropq)))
2565         goto done;
2566 
2567     outlen = sizeof(out);
2568     memset(out, 0, outlen);
2569 
2570     if (!TEST_int_gt(EVP_PKEY_derive_init(pctx), 0)
2571             || !TEST_int_gt(EVP_PKEY_CTX_set_hkdf_md(pctx, EVP_sha256()), 0)
2572             || !TEST_int_gt(EVP_PKEY_CTX_set1_hkdf_salt(pctx, salt,
2573                                                         sizeof(salt) - 1), 0)
2574             || !TEST_int_gt(EVP_PKEY_CTX_set1_hkdf_key(pctx, key,
2575                                                        sizeof(key) - 1), 0)
2576             || !TEST_int_gt(EVP_PKEY_CTX_add1_hkdf_info(pctx, info,
2577                                                         sizeof(info) - 1), 0)
2578             || !TEST_int_gt(EVP_PKEY_derive(pctx, out, &outlen), 0)
2579             || !TEST_mem_eq(out, outlen, expected, expectedlen))
2580         goto done;
2581 
2582     ret = 1;
2583 
2584  done:
2585     EVP_PKEY_CTX_free(pctx);
2586 
2587     return ret;
2588 }
2589 
2590 static int test_empty_salt_info_HKDF(void)
2591 {
2592     EVP_PKEY_CTX *pctx;
2593     unsigned char out[20];
2594     size_t outlen;
2595     int ret = 0;
2596     unsigned char salt[] = "";
2597     unsigned char key[] = "012345678901234567890123456789";
2598     unsigned char info[] = "";
2599     const unsigned char expected[] = {
2600 	0x67, 0x12, 0xf9, 0x27, 0x8a, 0x8a, 0x3a, 0x8f, 0x7d, 0x2c, 0xa3, 0x6a,
2601 	0xaa, 0xe9, 0xb3, 0xb9, 0x52, 0x5f, 0xe0, 0x06,
2602     };
2603     size_t expectedlen = sizeof(expected);
2604 
2605     if (!TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(testctx, "HKDF", testpropq)))
2606         goto done;
2607 
2608     outlen = sizeof(out);
2609     memset(out, 0, outlen);
2610 
2611     if (!TEST_int_gt(EVP_PKEY_derive_init(pctx), 0)
2612             || !TEST_int_gt(EVP_PKEY_CTX_set_hkdf_md(pctx, EVP_sha256()), 0)
2613             || !TEST_int_gt(EVP_PKEY_CTX_set1_hkdf_salt(pctx, salt,
2614                                                         sizeof(salt) - 1), 0)
2615             || !TEST_int_gt(EVP_PKEY_CTX_set1_hkdf_key(pctx, key,
2616                                                        sizeof(key) - 1), 0)
2617             || !TEST_int_gt(EVP_PKEY_CTX_add1_hkdf_info(pctx, info,
2618                                                         sizeof(info) - 1), 0)
2619             || !TEST_int_gt(EVP_PKEY_derive(pctx, out, &outlen), 0)
2620             || !TEST_mem_eq(out, outlen, expected, expectedlen))
2621         goto done;
2622 
2623     ret = 1;
2624 
2625  done:
2626     EVP_PKEY_CTX_free(pctx);
2627 
2628     return ret;
2629 }
2630 
2631 #ifndef OPENSSL_NO_EC
2632 static int test_X509_PUBKEY_inplace(void)
2633 {
2634     int ret = 0;
2635     X509_PUBKEY *xp = X509_PUBKEY_new_ex(testctx, testpropq);
2636     const unsigned char *p = kExampleECPubKeyDER;
2637     size_t input_len = sizeof(kExampleECPubKeyDER);
2638 
2639     if (!TEST_ptr(xp))
2640         goto done;
2641     if (!TEST_ptr(d2i_X509_PUBKEY(&xp, &p, input_len)))
2642         goto done;
2643 
2644     if (!TEST_ptr(X509_PUBKEY_get0(xp)))
2645         goto done;
2646 
2647     p = kExampleBadECPubKeyDER;
2648     input_len = sizeof(kExampleBadECPubKeyDER);
2649 
2650     if (!TEST_ptr(xp = d2i_X509_PUBKEY(&xp, &p, input_len)))
2651         goto done;
2652 
2653     if (!TEST_true(X509_PUBKEY_get0(xp) == NULL))
2654         goto done;
2655 
2656     ret = 1;
2657 
2658  done:
2659     X509_PUBKEY_free(xp);
2660     return ret;
2661 }
2662 
2663 static int test_X509_PUBKEY_dup(void)
2664 {
2665     int ret = 0;
2666     X509_PUBKEY *xp = NULL, *xq = NULL;
2667     const unsigned char *p = kExampleECPubKeyDER;
2668     size_t input_len = sizeof(kExampleECPubKeyDER);
2669 
2670     xp = X509_PUBKEY_new_ex(testctx, testpropq);
2671     if (!TEST_ptr(xp)
2672             || !TEST_ptr(d2i_X509_PUBKEY(&xp, &p, input_len))
2673             || !TEST_ptr(xq = X509_PUBKEY_dup(xp))
2674             || !TEST_ptr_ne(xp, xq))
2675         goto done;
2676 
2677     if (!TEST_ptr(X509_PUBKEY_get0(xq))
2678             || !TEST_ptr(X509_PUBKEY_get0(xp))
2679             || !TEST_ptr_ne(X509_PUBKEY_get0(xq), X509_PUBKEY_get0(xp)))
2680         goto done;
2681 
2682     X509_PUBKEY_free(xq);
2683     xq = NULL;
2684     p = kExampleBadECPubKeyDER;
2685     input_len = sizeof(kExampleBadECPubKeyDER);
2686 
2687     if (!TEST_ptr(xp = d2i_X509_PUBKEY(&xp, &p, input_len))
2688             || !TEST_ptr(xq = X509_PUBKEY_dup(xp)))
2689         goto done;
2690 
2691     X509_PUBKEY_free(xp);
2692     xp = NULL;
2693     if (!TEST_true(X509_PUBKEY_get0(xq) == NULL))
2694         goto done;
2695 
2696     ret = 1;
2697 
2698  done:
2699     X509_PUBKEY_free(xp);
2700     X509_PUBKEY_free(xq);
2701     return ret;
2702 }
2703 #endif /* OPENSSL_NO_EC */
2704 
2705 /* Test getting and setting parameters on an EVP_PKEY_CTX */
2706 static int test_EVP_PKEY_CTX_get_set_params(EVP_PKEY *pkey)
2707 {
2708     EVP_MD_CTX *mdctx = NULL;
2709     EVP_PKEY_CTX *ctx = NULL;
2710     const OSSL_PARAM *params;
2711     OSSL_PARAM ourparams[2], *param = ourparams, *param_md;
2712     int ret = 0;
2713     const EVP_MD *md;
2714     char mdname[OSSL_MAX_NAME_SIZE];
2715     char ssl3ms[48];
2716 
2717     /* Initialise a sign operation */
2718     ctx = EVP_PKEY_CTX_new_from_pkey(testctx, pkey, testpropq);
2719     if (!TEST_ptr(ctx)
2720             || !TEST_int_gt(EVP_PKEY_sign_init(ctx), 0))
2721         goto err;
2722 
2723     /*
2724      * We should be able to query the parameters now.
2725      */
2726     params = EVP_PKEY_CTX_settable_params(ctx);
2727     if (!TEST_ptr(params)
2728         || !TEST_ptr(OSSL_PARAM_locate_const(params,
2729                                              OSSL_SIGNATURE_PARAM_DIGEST)))
2730         goto err;
2731 
2732     params = EVP_PKEY_CTX_gettable_params(ctx);
2733     if (!TEST_ptr(params)
2734         || !TEST_ptr(OSSL_PARAM_locate_const(params,
2735                                              OSSL_SIGNATURE_PARAM_ALGORITHM_ID))
2736         || !TEST_ptr(OSSL_PARAM_locate_const(params,
2737                                              OSSL_SIGNATURE_PARAM_DIGEST)))
2738         goto err;
2739 
2740     /*
2741      * Test getting and setting params via EVP_PKEY_CTX_set_params() and
2742      * EVP_PKEY_CTX_get_params()
2743      */
2744     strcpy(mdname, "SHA512");
2745     param_md = param;
2746     *param++ = OSSL_PARAM_construct_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST,
2747                                                 mdname, 0);
2748     *param++ = OSSL_PARAM_construct_end();
2749 
2750     if (!TEST_true(EVP_PKEY_CTX_set_params(ctx, ourparams)))
2751         goto err;
2752 
2753     mdname[0] = '\0';
2754     *param_md = OSSL_PARAM_construct_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST,
2755                                                  mdname, sizeof(mdname));
2756     if (!TEST_true(EVP_PKEY_CTX_get_params(ctx, ourparams))
2757             || !TEST_str_eq(mdname, "SHA512"))
2758         goto err;
2759 
2760     /*
2761      * Test the TEST_PKEY_CTX_set_signature_md() and
2762      * TEST_PKEY_CTX_get_signature_md() functions
2763      */
2764     if (!TEST_int_gt(EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256()), 0)
2765             || !TEST_int_gt(EVP_PKEY_CTX_get_signature_md(ctx, &md), 0)
2766             || !TEST_ptr_eq(md, EVP_sha256()))
2767         goto err;
2768 
2769     /*
2770      * Test getting MD parameters via an associated EVP_PKEY_CTX
2771      */
2772     mdctx = EVP_MD_CTX_new();
2773     if (!TEST_ptr(mdctx)
2774         || !TEST_true(EVP_DigestSignInit_ex(mdctx, NULL, "SHA1", testctx, testpropq,
2775                                             pkey, NULL)))
2776         goto err;
2777 
2778     /*
2779      * We now have an EVP_MD_CTX with an EVP_PKEY_CTX inside it. We should be
2780      * able to obtain the digest's settable parameters from the provider.
2781      */
2782     params = EVP_MD_CTX_settable_params(mdctx);
2783     if (!TEST_ptr(params)
2784             || !TEST_int_eq(strcmp(params[0].key, OSSL_DIGEST_PARAM_SSL3_MS), 0)
2785                /* The final key should be NULL */
2786             || !TEST_ptr_null(params[1].key))
2787         goto err;
2788 
2789     param = ourparams;
2790     memset(ssl3ms, 0, sizeof(ssl3ms));
2791     *param++ = OSSL_PARAM_construct_octet_string(OSSL_DIGEST_PARAM_SSL3_MS,
2792                                                  ssl3ms, sizeof(ssl3ms));
2793     *param++ = OSSL_PARAM_construct_end();
2794 
2795     if (!TEST_true(EVP_MD_CTX_set_params(mdctx, ourparams)))
2796         goto err;
2797 
2798     ret = 1;
2799 
2800  err:
2801     EVP_MD_CTX_free(mdctx);
2802     EVP_PKEY_CTX_free(ctx);
2803 
2804     return ret;
2805 }
2806 
2807 #ifndef OPENSSL_NO_DSA
2808 static int test_DSA_get_set_params(void)
2809 {
2810     OSSL_PARAM_BLD *bld = NULL;
2811     OSSL_PARAM *params = NULL;
2812     BIGNUM *p = NULL, *q = NULL, *g = NULL, *pub = NULL, *priv = NULL;
2813     EVP_PKEY_CTX *pctx = NULL;
2814     EVP_PKEY *pkey = NULL;
2815     int ret = 0;
2816 
2817     /*
2818      * Setup the parameters for our DSA object. For our purposes they don't
2819      * have to actually be *valid* parameters. We just need to set something.
2820      */
2821     if (!TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(testctx, "DSA", NULL))
2822         || !TEST_ptr(bld = OSSL_PARAM_BLD_new())
2823         || !TEST_ptr(p = BN_new())
2824         || !TEST_ptr(q = BN_new())
2825         || !TEST_ptr(g = BN_new())
2826         || !TEST_ptr(pub = BN_new())
2827         || !TEST_ptr(priv = BN_new()))
2828         goto err;
2829     if (!TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_P, p))
2830         || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_Q, q))
2831         || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_G, g))
2832         || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PUB_KEY,
2833                                              pub))
2834         || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PRIV_KEY,
2835                                              priv)))
2836         goto err;
2837     if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld)))
2838         goto err;
2839 
2840     if (!TEST_int_gt(EVP_PKEY_fromdata_init(pctx), 0)
2841         || !TEST_int_gt(EVP_PKEY_fromdata(pctx, &pkey, EVP_PKEY_KEYPAIR,
2842                                           params), 0))
2843         goto err;
2844 
2845     if (!TEST_ptr(pkey))
2846         goto err;
2847 
2848     ret = test_EVP_PKEY_CTX_get_set_params(pkey);
2849 
2850  err:
2851     EVP_PKEY_free(pkey);
2852     EVP_PKEY_CTX_free(pctx);
2853     OSSL_PARAM_free(params);
2854     OSSL_PARAM_BLD_free(bld);
2855     BN_free(p);
2856     BN_free(q);
2857     BN_free(g);
2858     BN_free(pub);
2859     BN_free(priv);
2860 
2861     return ret;
2862 }
2863 
2864 /*
2865  * Test combinations of private, public, missing and private + public key
2866  * params to ensure they are all accepted
2867  */
2868 static int test_DSA_priv_pub(void)
2869 {
2870     return test_EVP_PKEY_ffc_priv_pub("DSA");
2871 }
2872 
2873 #endif /* !OPENSSL_NO_DSA */
2874 
2875 static int test_RSA_get_set_params(void)
2876 {
2877     OSSL_PARAM_BLD *bld = NULL;
2878     OSSL_PARAM *params = NULL;
2879     BIGNUM *n = NULL, *e = NULL, *d = NULL;
2880     EVP_PKEY_CTX *pctx = NULL;
2881     EVP_PKEY *pkey = NULL;
2882     int ret = 0;
2883 
2884     /*
2885      * Setup the parameters for our RSA object. For our purposes they don't
2886      * have to actually be *valid* parameters. We just need to set something.
2887      */
2888     if (!TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(testctx, "RSA", NULL))
2889         || !TEST_ptr(bld = OSSL_PARAM_BLD_new())
2890         || !TEST_ptr(n = BN_new())
2891         || !TEST_ptr(e = BN_new())
2892         || !TEST_ptr(d = BN_new()))
2893         goto err;
2894     if (!TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_N, n))
2895         || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_E, e))
2896         || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_D, d)))
2897         goto err;
2898     if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld)))
2899         goto err;
2900 
2901     if (!TEST_int_gt(EVP_PKEY_fromdata_init(pctx), 0)
2902         || !TEST_int_gt(EVP_PKEY_fromdata(pctx, &pkey, EVP_PKEY_KEYPAIR,
2903                                           params), 0))
2904         goto err;
2905 
2906     if (!TEST_ptr(pkey))
2907         goto err;
2908 
2909     ret = test_EVP_PKEY_CTX_get_set_params(pkey);
2910 
2911  err:
2912     EVP_PKEY_free(pkey);
2913     EVP_PKEY_CTX_free(pctx);
2914     OSSL_PARAM_free(params);
2915     OSSL_PARAM_BLD_free(bld);
2916     BN_free(n);
2917     BN_free(e);
2918     BN_free(d);
2919 
2920     return ret;
2921 }
2922 
2923 static int test_RSA_OAEP_set_get_params(void)
2924 {
2925     int ret = 0;
2926     EVP_PKEY *key = NULL;
2927     EVP_PKEY_CTX *key_ctx = NULL;
2928 
2929     if (nullprov != NULL)
2930         return TEST_skip("Test does not support a non-default library context");
2931 
2932     if (!TEST_ptr(key = load_example_rsa_key())
2933         || !TEST_ptr(key_ctx = EVP_PKEY_CTX_new_from_pkey(0, key, 0)))
2934         goto err;
2935 
2936     {
2937         int padding = RSA_PKCS1_OAEP_PADDING;
2938         OSSL_PARAM params[4];
2939 
2940         params[0] = OSSL_PARAM_construct_int(OSSL_SIGNATURE_PARAM_PAD_MODE, &padding);
2941         params[1] = OSSL_PARAM_construct_utf8_string(OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST,
2942                                                      OSSL_DIGEST_NAME_SHA2_256, 0);
2943         params[2] = OSSL_PARAM_construct_utf8_string(OSSL_ASYM_CIPHER_PARAM_MGF1_DIGEST,
2944                                                      OSSL_DIGEST_NAME_SHA1, 0);
2945         params[3] = OSSL_PARAM_construct_end();
2946 
2947         if (!TEST_int_gt(EVP_PKEY_encrypt_init_ex(key_ctx, params),0))
2948             goto err;
2949     }
2950     {
2951         OSSL_PARAM params[3];
2952         char oaepmd[30] = { '\0' };
2953         char mgf1md[30] = { '\0' };
2954 
2955         params[0] = OSSL_PARAM_construct_utf8_string(OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST,
2956                                                      oaepmd, sizeof(oaepmd));
2957         params[1] = OSSL_PARAM_construct_utf8_string(OSSL_ASYM_CIPHER_PARAM_MGF1_DIGEST,
2958                                                      mgf1md, sizeof(mgf1md));
2959         params[2] = OSSL_PARAM_construct_end();
2960 
2961         if (!TEST_true(EVP_PKEY_CTX_get_params(key_ctx, params)))
2962             goto err;
2963 
2964         if (!TEST_str_eq(oaepmd, OSSL_DIGEST_NAME_SHA2_256)
2965             || !TEST_str_eq(mgf1md, OSSL_DIGEST_NAME_SHA1))
2966             goto err;
2967     }
2968 
2969     ret = 1;
2970 
2971  err:
2972     EVP_PKEY_free(key);
2973     EVP_PKEY_CTX_free(key_ctx);
2974 
2975     return ret;
2976 }
2977 
2978 /* https://github.com/openssl/openssl/issues/21288 */
2979 static int test_RSA_OAEP_set_null_label(void)
2980 {
2981     int ret = 0;
2982     EVP_PKEY *key = NULL;
2983     EVP_PKEY_CTX *key_ctx = NULL;
2984 
2985     if (!TEST_ptr(key = load_example_rsa_key())
2986         || !TEST_ptr(key_ctx = EVP_PKEY_CTX_new_from_pkey(testctx, key, NULL))
2987         || !TEST_true(EVP_PKEY_encrypt_init(key_ctx)))
2988         goto err;
2989 
2990     if (!TEST_true(EVP_PKEY_CTX_set_rsa_padding(key_ctx, RSA_PKCS1_OAEP_PADDING)))
2991         goto err;
2992 
2993     if (!TEST_true(EVP_PKEY_CTX_set0_rsa_oaep_label(key_ctx, OPENSSL_strdup("foo"), 0)))
2994         goto err;
2995 
2996     if (!TEST_true(EVP_PKEY_CTX_set0_rsa_oaep_label(key_ctx, NULL, 0)))
2997         goto err;
2998 
2999     ret = 1;
3000 
3001  err:
3002     EVP_PKEY_free(key);
3003     EVP_PKEY_CTX_free(key_ctx);
3004 
3005     return ret;
3006 }
3007 
3008 #if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3009 static int test_decrypt_null_chunks(void)
3010 {
3011     EVP_CIPHER_CTX* ctx = NULL;
3012     EVP_CIPHER *cipher = NULL;
3013     const unsigned char key[32] = {
3014         0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
3015         0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
3016         0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1
3017     };
3018     unsigned char iv[12] = {
3019         0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b
3020     };
3021     unsigned char msg[] = "It was the best of times, it was the worst of times";
3022     unsigned char ciphertext[80];
3023     unsigned char plaintext[80];
3024     /* We initialise tmp to a non zero value on purpose */
3025     int ctlen, ptlen, tmp = 99;
3026     int ret = 0;
3027     const int enc_offset = 10, dec_offset = 20;
3028 
3029     if (!TEST_ptr(cipher = EVP_CIPHER_fetch(testctx, "ChaCha20-Poly1305", testpropq))
3030             || !TEST_ptr(ctx = EVP_CIPHER_CTX_new())
3031             || !TEST_true(EVP_EncryptInit_ex(ctx, cipher, NULL,
3032                                              key, iv))
3033             || !TEST_true(EVP_EncryptUpdate(ctx, ciphertext, &ctlen, msg,
3034                                             enc_offset))
3035             /* Deliberate add a zero length update */
3036             || !TEST_true(EVP_EncryptUpdate(ctx, ciphertext + ctlen, &tmp, NULL,
3037                                             0))
3038             || !TEST_int_eq(tmp, 0)
3039             || !TEST_true(EVP_EncryptUpdate(ctx, ciphertext + ctlen, &tmp,
3040                                             msg + enc_offset,
3041                                             sizeof(msg) - enc_offset))
3042             || !TEST_int_eq(ctlen += tmp, sizeof(msg))
3043             || !TEST_true(EVP_EncryptFinal(ctx, ciphertext + ctlen, &tmp))
3044             || !TEST_int_eq(tmp, 0))
3045         goto err;
3046 
3047     /* Deliberately initialise tmp to a non zero value */
3048     tmp = 99;
3049     if (!TEST_true(EVP_DecryptInit_ex(ctx, cipher, NULL, key, iv))
3050             || !TEST_true(EVP_DecryptUpdate(ctx, plaintext, &ptlen, ciphertext,
3051                                             dec_offset))
3052             /*
3053              * Deliberately add a zero length update. We also deliberately do
3054              * this at a different offset than for encryption.
3055              */
3056             || !TEST_true(EVP_DecryptUpdate(ctx, plaintext + ptlen, &tmp, NULL,
3057                                             0))
3058             || !TEST_int_eq(tmp, 0)
3059             || !TEST_true(EVP_DecryptUpdate(ctx, plaintext + ptlen, &tmp,
3060                                             ciphertext + dec_offset,
3061                                             ctlen - dec_offset))
3062             || !TEST_int_eq(ptlen += tmp, sizeof(msg))
3063             || !TEST_true(EVP_DecryptFinal(ctx, plaintext + ptlen, &tmp))
3064             || !TEST_int_eq(tmp, 0)
3065             || !TEST_mem_eq(msg, sizeof(msg), plaintext, ptlen))
3066         goto err;
3067 
3068     ret = 1;
3069  err:
3070     EVP_CIPHER_CTX_free(ctx);
3071     EVP_CIPHER_free(cipher);
3072     return ret;
3073 }
3074 #endif /* !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) */
3075 
3076 #ifndef OPENSSL_NO_DH
3077 /*
3078  * Test combinations of private, public, missing and private + public key
3079  * params to ensure they are all accepted
3080  */
3081 static int test_DH_priv_pub(void)
3082 {
3083     return test_EVP_PKEY_ffc_priv_pub("DH");
3084 }
3085 
3086 # ifndef OPENSSL_NO_DEPRECATED_3_0
3087 static int test_EVP_PKEY_set1_DH(void)
3088 {
3089     DH *x942dh = NULL, *noqdh = NULL;
3090     EVP_PKEY *pkey1 = NULL, *pkey2 = NULL;
3091     int ret = 0;
3092     BIGNUM *p, *g = NULL;
3093     BIGNUM *pubkey = NULL;
3094     unsigned char pub[2048 / 8];
3095     size_t len = 0;
3096 
3097     if (!TEST_ptr(p = BN_new())
3098             || !TEST_ptr(g = BN_new())
3099             || !TEST_ptr(pubkey = BN_new())
3100             || !TEST_true(BN_set_word(p, 9999))
3101             || !TEST_true(BN_set_word(g, 2))
3102             || !TEST_true(BN_set_word(pubkey, 4321))
3103             || !TEST_ptr(noqdh = DH_new())
3104             || !TEST_true(DH_set0_pqg(noqdh, p, NULL, g))
3105             || !TEST_true(DH_set0_key(noqdh, pubkey, NULL))
3106             || !TEST_ptr(pubkey = BN_new())
3107             || !TEST_true(BN_set_word(pubkey, 4321)))
3108         goto err;
3109     p = g = NULL;
3110 
3111     x942dh = DH_get_2048_256();
3112     pkey1 = EVP_PKEY_new();
3113     pkey2 = EVP_PKEY_new();
3114     if (!TEST_ptr(x942dh)
3115             || !TEST_ptr(noqdh)
3116             || !TEST_ptr(pkey1)
3117             || !TEST_ptr(pkey2)
3118             || !TEST_true(DH_set0_key(x942dh, pubkey, NULL)))
3119         goto err;
3120     pubkey = NULL;
3121 
3122     if (!TEST_true(EVP_PKEY_set1_DH(pkey1, x942dh))
3123             || !TEST_int_eq(EVP_PKEY_get_id(pkey1), EVP_PKEY_DHX))
3124         goto err;
3125 
3126     if (!TEST_true(EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_PUB_KEY,
3127                                          &pubkey))
3128             || !TEST_ptr(pubkey))
3129         goto err;
3130 
3131     if (!TEST_true(EVP_PKEY_set1_DH(pkey2, noqdh))
3132             || !TEST_int_eq(EVP_PKEY_get_id(pkey2), EVP_PKEY_DH))
3133         goto err;
3134 
3135     if (!TEST_true(EVP_PKEY_get_octet_string_param(pkey2,
3136                                                    OSSL_PKEY_PARAM_PUB_KEY,
3137                                                    pub, sizeof(pub), &len))
3138             || !TEST_size_t_ne(len, 0))
3139         goto err;
3140 
3141     ret = 1;
3142  err:
3143     BN_free(p);
3144     BN_free(g);
3145     BN_free(pubkey);
3146     EVP_PKEY_free(pkey1);
3147     EVP_PKEY_free(pkey2);
3148     DH_free(x942dh);
3149     DH_free(noqdh);
3150 
3151     return ret;
3152 }
3153 # endif /* !OPENSSL_NO_DEPRECATED_3_0 */
3154 #endif /* !OPENSSL_NO_DH */
3155 
3156 /*
3157  * We test what happens with an empty template.  For the sake of this test,
3158  * the template must be ignored, and we know that's the case for RSA keys
3159  * (this might arguably be a misfeature, but that's what we currently do,
3160  * even in provider code, since that's how the legacy RSA implementation
3161  * does things)
3162  */
3163 static int test_keygen_with_empty_template(int n)
3164 {
3165     EVP_PKEY_CTX *ctx = NULL;
3166     EVP_PKEY *pkey = NULL;
3167     EVP_PKEY *tkey = NULL;
3168     int ret = 0;
3169 
3170     if (nullprov != NULL)
3171         return TEST_skip("Test does not support a non-default library context");
3172 
3173     switch (n) {
3174     case 0:
3175         /* We do test with no template at all as well */
3176         if (!TEST_ptr(ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL)))
3177             goto err;
3178         break;
3179     case 1:
3180         /* Here we create an empty RSA key that serves as our template */
3181         if (!TEST_ptr(tkey = EVP_PKEY_new())
3182             || !TEST_true(EVP_PKEY_set_type(tkey, EVP_PKEY_RSA))
3183             || !TEST_ptr(ctx = EVP_PKEY_CTX_new(tkey, NULL)))
3184             goto err;
3185         break;
3186     }
3187 
3188     if (!TEST_int_gt(EVP_PKEY_keygen_init(ctx), 0)
3189         || !TEST_int_gt(EVP_PKEY_keygen(ctx, &pkey), 0))
3190         goto err;
3191 
3192     ret = 1;
3193  err:
3194     EVP_PKEY_CTX_free(ctx);
3195     EVP_PKEY_free(pkey);
3196     EVP_PKEY_free(tkey);
3197     return ret;
3198 }
3199 
3200 /*
3201  * Test that we fail if we attempt to use an algorithm that is not available
3202  * in the current library context (unless we are using an algorithm that
3203  * should be made available via legacy codepaths).
3204  *
3205  * 0:   RSA
3206  * 1:   SM2
3207  */
3208 static int test_pkey_ctx_fail_without_provider(int tst)
3209 {
3210     OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
3211     OSSL_PROVIDER *tmpnullprov = NULL;
3212     EVP_PKEY_CTX *pctx = NULL;
3213     const char *keytype = NULL;
3214     int expect_null = 0;
3215     int ret = 0;
3216 
3217     if (!TEST_ptr(tmpctx))
3218         goto err;
3219 
3220     tmpnullprov = OSSL_PROVIDER_load(tmpctx, "null");
3221     if (!TEST_ptr(tmpnullprov))
3222         goto err;
3223 
3224     /*
3225      * We check for certain algos in the null provider.
3226      * If an algo is expected to have a provider keymgmt, contructing an
3227      * EVP_PKEY_CTX is expected to fail (return NULL).
3228      * Otherwise, if it's expected to have legacy support, contructing an
3229      * EVP_PKEY_CTX is expected to succeed (return non-NULL).
3230      */
3231     switch (tst) {
3232     case 0:
3233         keytype = "RSA";
3234         expect_null = 1;
3235         break;
3236     case 1:
3237         keytype = "SM2";
3238         expect_null = 1;
3239 #ifdef OPENSSL_NO_EC
3240         TEST_info("EC disable, skipping SM2 check...");
3241         goto end;
3242 #endif
3243 #ifdef OPENSSL_NO_SM2
3244         TEST_info("SM2 disable, skipping SM2 check...");
3245         goto end;
3246 #endif
3247         break;
3248     default:
3249         TEST_error("No test for case %d", tst);
3250         goto err;
3251     }
3252 
3253     pctx = EVP_PKEY_CTX_new_from_name(tmpctx, keytype, "");
3254     if (expect_null ? !TEST_ptr_null(pctx) : !TEST_ptr(pctx))
3255         goto err;
3256 
3257 #if defined(OPENSSL_NO_EC) || defined(OPENSSL_NO_SM2)
3258  end:
3259 #endif
3260     ret = 1;
3261 
3262  err:
3263     EVP_PKEY_CTX_free(pctx);
3264     OSSL_PROVIDER_unload(tmpnullprov);
3265     OSSL_LIB_CTX_free(tmpctx);
3266     return ret;
3267 }
3268 
3269 static int test_rand_agglomeration(void)
3270 {
3271     EVP_RAND *rand;
3272     EVP_RAND_CTX *ctx;
3273     OSSL_PARAM params[3], *p = params;
3274     int res;
3275     unsigned int step = 7;
3276     static unsigned char seed[] = "It does not matter how slowly you go "
3277                                   "as long as you do not stop.";
3278     unsigned char out[sizeof(seed)];
3279 
3280     if (!TEST_int_ne(sizeof(seed) % step, 0)
3281             || !TEST_ptr(rand = EVP_RAND_fetch(testctx, "TEST-RAND", testpropq)))
3282         return 0;
3283     ctx = EVP_RAND_CTX_new(rand, NULL);
3284     EVP_RAND_free(rand);
3285     if (!TEST_ptr(ctx))
3286         return 0;
3287 
3288     memset(out, 0, sizeof(out));
3289     *p++ = OSSL_PARAM_construct_octet_string(OSSL_RAND_PARAM_TEST_ENTROPY,
3290                                              seed, sizeof(seed));
3291     *p++ = OSSL_PARAM_construct_uint(OSSL_RAND_PARAM_MAX_REQUEST, &step);
3292     *p = OSSL_PARAM_construct_end();
3293     res = TEST_true(EVP_RAND_CTX_set_params(ctx, params))
3294           && TEST_true(EVP_RAND_generate(ctx, out, sizeof(out), 0, 1, NULL, 0))
3295           && TEST_mem_eq(seed, sizeof(seed), out, sizeof(out));
3296     EVP_RAND_CTX_free(ctx);
3297     return res;
3298 }
3299 
3300 /*
3301  * Test that we correctly return the original or "running" IV after
3302  * an encryption operation.
3303  * Run multiple times for some different relevant algorithms/modes.
3304  */
3305 static int test_evp_iv_aes(int idx)
3306 {
3307     int ret = 0;
3308     EVP_CIPHER_CTX *ctx = NULL;
3309     unsigned char key[16] = {0x4c, 0x43, 0xdb, 0xdd, 0x42, 0x73, 0x47, 0xd1,
3310                              0xe5, 0x62, 0x7d, 0xcd, 0x4d, 0x76, 0x4d, 0x57};
3311     unsigned char init_iv[EVP_MAX_IV_LENGTH] =
3312         {0x57, 0x71, 0x7d, 0xad, 0xdb, 0x9b, 0x98, 0x82,
3313          0x5a, 0x55, 0x91, 0x81, 0x42, 0xa8, 0x89, 0x34};
3314     static const unsigned char msg[] = { 1, 2, 3, 4, 5, 6, 7, 8,
3315                                          9, 10, 11, 12, 13, 14, 15, 16 };
3316     unsigned char ciphertext[32], oiv[16], iv[16];
3317     unsigned char *ref_iv;
3318     unsigned char cbc_state[16] = {0x10, 0x2f, 0x05, 0xcc, 0xc2, 0x55, 0x72, 0xb9,
3319                                    0x88, 0xe6, 0x4a, 0x17, 0x10, 0x74, 0x22, 0x5e};
3320 
3321     unsigned char ofb_state[16] = {0x76, 0xe6, 0x66, 0x61, 0xd0, 0x8a, 0xe4, 0x64,
3322                                    0xdd, 0x66, 0xbf, 0x00, 0xf0, 0xe3, 0x6f, 0xfd};
3323     unsigned char cfb_state[16] = {0x77, 0xe4, 0x65, 0x65, 0xd5, 0x8c, 0xe3, 0x6c,
3324                                    0xd4, 0x6c, 0xb4, 0x0c, 0xfd, 0xed, 0x60, 0xed};
3325     unsigned char gcm_state[12] = {0x57, 0x71, 0x7d, 0xad, 0xdb, 0x9b,
3326                                    0x98, 0x82, 0x5a, 0x55, 0x91, 0x81};
3327     unsigned char ccm_state[7] = {0x57, 0x71, 0x7d, 0xad, 0xdb, 0x9b, 0x98};
3328 #ifndef OPENSSL_NO_OCB
3329     unsigned char ocb_state[12] = {0x57, 0x71, 0x7d, 0xad, 0xdb, 0x9b,
3330                                    0x98, 0x82, 0x5a, 0x55, 0x91, 0x81};
3331 #endif
3332     int len = sizeof(ciphertext);
3333     size_t ivlen, ref_len;
3334     const EVP_CIPHER *type = NULL;
3335     int iv_reset = 0;
3336 
3337     if (nullprov != NULL && idx < 6)
3338         return TEST_skip("Test does not support a non-default library context");
3339 
3340     switch(idx) {
3341     case 0:
3342         type = EVP_aes_128_cbc();
3343         /* FALLTHROUGH */
3344     case 6:
3345         type = (type != NULL) ? type :
3346                                 EVP_CIPHER_fetch(testctx, "aes-128-cbc", testpropq);
3347         ref_iv = cbc_state;
3348         ref_len = sizeof(cbc_state);
3349         iv_reset = 1;
3350         break;
3351     case 1:
3352         type = EVP_aes_128_ofb();
3353         /* FALLTHROUGH */
3354     case 7:
3355         type = (type != NULL) ? type :
3356                                 EVP_CIPHER_fetch(testctx, "aes-128-ofb", testpropq);
3357         ref_iv = ofb_state;
3358         ref_len = sizeof(ofb_state);
3359         iv_reset = 1;
3360         break;
3361     case 2:
3362         type = EVP_aes_128_cfb();
3363         /* FALLTHROUGH */
3364     case 8:
3365         type = (type != NULL) ? type :
3366                                 EVP_CIPHER_fetch(testctx, "aes-128-cfb", testpropq);
3367         ref_iv = cfb_state;
3368         ref_len = sizeof(cfb_state);
3369         iv_reset = 1;
3370         break;
3371     case 3:
3372         type = EVP_aes_128_gcm();
3373         /* FALLTHROUGH */
3374     case 9:
3375         type = (type != NULL) ? type :
3376                                 EVP_CIPHER_fetch(testctx, "aes-128-gcm", testpropq);
3377         ref_iv = gcm_state;
3378         ref_len = sizeof(gcm_state);
3379         break;
3380     case 4:
3381         type = EVP_aes_128_ccm();
3382         /* FALLTHROUGH */
3383     case 10:
3384         type = (type != NULL) ? type :
3385                                 EVP_CIPHER_fetch(testctx, "aes-128-ccm", testpropq);
3386         ref_iv = ccm_state;
3387         ref_len = sizeof(ccm_state);
3388         break;
3389 #ifdef OPENSSL_NO_OCB
3390     case 5:
3391     case 11:
3392         return 1;
3393 #else
3394     case 5:
3395         type = EVP_aes_128_ocb();
3396         /* FALLTHROUGH */
3397     case 11:
3398         type = (type != NULL) ? type :
3399                                 EVP_CIPHER_fetch(testctx, "aes-128-ocb", testpropq);
3400         ref_iv = ocb_state;
3401         ref_len = sizeof(ocb_state);
3402         break;
3403 #endif
3404     default:
3405         return 0;
3406     }
3407 
3408     if (!TEST_ptr(type)
3409             || !TEST_ptr((ctx = EVP_CIPHER_CTX_new()))
3410             || !TEST_true(EVP_EncryptInit_ex(ctx, type, NULL, key, init_iv))
3411             || !TEST_true(EVP_EncryptUpdate(ctx, ciphertext, &len, msg,
3412                           (int)sizeof(msg)))
3413             || !TEST_true(EVP_CIPHER_CTX_get_original_iv(ctx, oiv, sizeof(oiv)))
3414             || !TEST_true(EVP_CIPHER_CTX_get_updated_iv(ctx, iv, sizeof(iv)))
3415             || !TEST_true(EVP_EncryptFinal_ex(ctx, ciphertext, &len)))
3416         goto err;
3417     ivlen = EVP_CIPHER_CTX_get_iv_length(ctx);
3418     if (!TEST_mem_eq(init_iv, ivlen, oiv, ivlen)
3419             || !TEST_mem_eq(ref_iv, ref_len, iv, ivlen))
3420         goto err;
3421 
3422     /* CBC, OFB, and CFB modes: the updated iv must be reset after reinit */
3423     if (!TEST_true(EVP_EncryptInit_ex(ctx, NULL, NULL, NULL, NULL))
3424         || !TEST_true(EVP_CIPHER_CTX_get_updated_iv(ctx, iv, sizeof(iv))))
3425         goto err;
3426     if (iv_reset) {
3427         if (!TEST_mem_eq(init_iv, ivlen, iv, ivlen))
3428             goto err;
3429     } else {
3430         if (!TEST_mem_eq(ref_iv, ivlen, iv, ivlen))
3431             goto err;
3432     }
3433 
3434     ret = 1;
3435 err:
3436     EVP_CIPHER_CTX_free(ctx);
3437     if (idx >= 6)
3438         EVP_CIPHER_free((EVP_CIPHER *)type);
3439     return ret;
3440 }
3441 
3442 #ifndef OPENSSL_NO_DES
3443 static int test_evp_iv_des(int idx)
3444 {
3445     int ret = 0;
3446     EVP_CIPHER_CTX *ctx = NULL;
3447     static const unsigned char key[24] = {
3448         0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
3449         0xf1, 0xe0, 0xd3, 0xc2, 0xb5, 0xa4, 0x97, 0x86,
3450         0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10
3451     };
3452     static const unsigned char init_iv[8] = {
3453         0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10
3454     };
3455     static const unsigned char msg[] = { 1, 2, 3, 4, 5, 6, 7, 8,
3456                                          9, 10, 11, 12, 13, 14, 15, 16 };
3457     unsigned char ciphertext[32], oiv[8], iv[8];
3458     unsigned const char *ref_iv;
3459     static const unsigned char cbc_state_des[8] = {
3460         0x4f, 0xa3, 0x85, 0xcd, 0x8b, 0xf3, 0x06, 0x2a
3461     };
3462     static const unsigned char cbc_state_3des[8] = {
3463         0x35, 0x27, 0x7d, 0x65, 0x6c, 0xfb, 0x50, 0xd9
3464     };
3465     static const unsigned char ofb_state_des[8] = {
3466         0xa7, 0x0d, 0x1d, 0x45, 0xf9, 0x96, 0x3f, 0x2c
3467     };
3468     static const unsigned char ofb_state_3des[8] = {
3469         0xab, 0x16, 0x24, 0xbb, 0x5b, 0xac, 0xed, 0x5e
3470     };
3471     static const unsigned char cfb_state_des[8] = {
3472         0x91, 0xeb, 0x6d, 0x29, 0x4b, 0x08, 0xbd, 0x73
3473     };
3474     static const unsigned char cfb_state_3des[8] = {
3475         0x34, 0xdd, 0xfb, 0x47, 0x33, 0x1c, 0x61, 0xf7
3476     };
3477     int len = sizeof(ciphertext);
3478     size_t ivlen, ref_len;
3479     EVP_CIPHER *type = NULL;
3480 
3481     if (lgcyprov == NULL && idx < 3)
3482         return TEST_skip("Test requires legacy provider to be loaded");
3483 
3484     switch(idx) {
3485     case 0:
3486         type = EVP_CIPHER_fetch(testctx, "des-cbc", testpropq);
3487         ref_iv = cbc_state_des;
3488         ref_len = sizeof(cbc_state_des);
3489         break;
3490     case 1:
3491         type = EVP_CIPHER_fetch(testctx, "des-ofb", testpropq);
3492         ref_iv = ofb_state_des;
3493         ref_len = sizeof(ofb_state_des);
3494         break;
3495     case 2:
3496         type = EVP_CIPHER_fetch(testctx, "des-cfb", testpropq);
3497         ref_iv = cfb_state_des;
3498         ref_len = sizeof(cfb_state_des);
3499         break;
3500     case 3:
3501         type = EVP_CIPHER_fetch(testctx, "des-ede3-cbc", testpropq);
3502         ref_iv = cbc_state_3des;
3503         ref_len = sizeof(cbc_state_3des);
3504         break;
3505     case 4:
3506         type = EVP_CIPHER_fetch(testctx, "des-ede3-ofb", testpropq);
3507         ref_iv = ofb_state_3des;
3508         ref_len = sizeof(ofb_state_3des);
3509         break;
3510     case 5:
3511         type = EVP_CIPHER_fetch(testctx, "des-ede3-cfb", testpropq);
3512         ref_iv = cfb_state_3des;
3513         ref_len = sizeof(cfb_state_3des);
3514         break;
3515     default:
3516         return 0;
3517     }
3518 
3519     if (!TEST_ptr(type)
3520             || !TEST_ptr((ctx = EVP_CIPHER_CTX_new()))
3521             || !TEST_true(EVP_EncryptInit_ex(ctx, type, NULL, key, init_iv))
3522             || !TEST_true(EVP_EncryptUpdate(ctx, ciphertext, &len, msg,
3523                           (int)sizeof(msg)))
3524             || !TEST_true(EVP_CIPHER_CTX_get_original_iv(ctx, oiv, sizeof(oiv)))
3525             || !TEST_true(EVP_CIPHER_CTX_get_updated_iv(ctx, iv, sizeof(iv)))
3526             || !TEST_true(EVP_EncryptFinal_ex(ctx, ciphertext, &len)))
3527         goto err;
3528     ivlen = EVP_CIPHER_CTX_get_iv_length(ctx);
3529     if (!TEST_mem_eq(init_iv, ivlen, oiv, ivlen)
3530             || !TEST_mem_eq(ref_iv, ref_len, iv, ivlen))
3531         goto err;
3532 
3533     if (!TEST_true(EVP_EncryptInit_ex(ctx, NULL, NULL, NULL, NULL))
3534         || !TEST_true(EVP_CIPHER_CTX_get_updated_iv(ctx, iv, sizeof(iv))))
3535         goto err;
3536     if (!TEST_mem_eq(init_iv, ivlen, iv, ivlen))
3537         goto err;
3538 
3539     ret = 1;
3540 err:
3541     EVP_CIPHER_CTX_free(ctx);
3542     EVP_CIPHER_free(type);
3543     return ret;
3544 }
3545 #endif
3546 
3547 #ifndef OPENSSL_NO_BF
3548 static int test_evp_bf_default_keylen(int idx)
3549 {
3550     int ret = 0;
3551     static const char *algos[4] = {
3552         "bf-ecb", "bf-cbc", "bf-cfb", "bf-ofb"
3553     };
3554     int ivlen[4] = { 0, 8, 8, 8 };
3555     EVP_CIPHER *cipher = NULL;
3556 
3557     if (lgcyprov == NULL)
3558         return TEST_skip("Test requires legacy provider to be loaded");
3559 
3560     if (!TEST_ptr(cipher = EVP_CIPHER_fetch(testctx, algos[idx], testpropq))
3561             || !TEST_int_eq(EVP_CIPHER_get_key_length(cipher), 16)
3562             || !TEST_int_eq(EVP_CIPHER_get_iv_length(cipher), ivlen[idx]))
3563         goto err;
3564 
3565     ret = 1;
3566 err:
3567     EVP_CIPHER_free(cipher);
3568     return ret;
3569 }
3570 #endif
3571 
3572 #ifndef OPENSSL_NO_EC
3573 static int ecpub_nids[] = {
3574     NID_brainpoolP256r1, NID_X9_62_prime256v1,
3575     NID_secp384r1, NID_secp521r1,
3576 # ifndef OPENSSL_NO_EC2M
3577     NID_sect233k1, NID_sect233r1, NID_sect283r1,
3578     NID_sect409k1, NID_sect409r1, NID_sect571k1, NID_sect571r1,
3579 # endif
3580     NID_brainpoolP384r1, NID_brainpoolP512r1
3581 };
3582 
3583 static int test_ecpub(int idx)
3584 {
3585     int ret = 0, len, savelen;
3586     int nid;
3587     unsigned char buf[1024];
3588     unsigned char *p;
3589     EVP_PKEY *pkey = NULL;
3590     EVP_PKEY_CTX *ctx = NULL;
3591 # ifndef OPENSSL_NO_DEPRECATED_3_0
3592     const unsigned char *q;
3593     EVP_PKEY *pkey2 = NULL;
3594     EC_KEY *ec = NULL;
3595 # endif
3596 
3597     if (nullprov != NULL)
3598         return TEST_skip("Test does not support a non-default library context");
3599 
3600     nid = ecpub_nids[idx];
3601 
3602     ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
3603     if (!TEST_ptr(ctx)
3604         || !TEST_int_gt(EVP_PKEY_keygen_init(ctx), 0)
3605         || !TEST_int_gt(EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, nid), 0)
3606         || !TEST_true(EVP_PKEY_keygen(ctx, &pkey)))
3607         goto done;
3608     len = i2d_PublicKey(pkey, NULL);
3609     savelen = len;
3610     if (!TEST_int_ge(len, 1)
3611         || !TEST_int_lt(len, 1024))
3612         goto done;
3613     p = buf;
3614     len = i2d_PublicKey(pkey, &p);
3615     if (!TEST_int_ge(len, 1)
3616             || !TEST_int_eq(len, savelen))
3617         goto done;
3618 
3619 # ifndef OPENSSL_NO_DEPRECATED_3_0
3620     /* Now try to decode the just-created DER. */
3621     q = buf;
3622     if (!TEST_ptr((pkey2 = EVP_PKEY_new()))
3623             || !TEST_ptr((ec = EC_KEY_new_by_curve_name(nid)))
3624             || !TEST_true(EVP_PKEY_assign_EC_KEY(pkey2, ec)))
3625         goto done;
3626     /* EC_KEY ownership transferred */
3627     ec = NULL;
3628     if (!TEST_ptr(d2i_PublicKey(EVP_PKEY_EC, &pkey2, &q, savelen)))
3629         goto done;
3630     /* The keys should match. */
3631     if (!TEST_int_eq(EVP_PKEY_eq(pkey, pkey2), 1))
3632         goto done;
3633 # endif
3634 
3635     ret = 1;
3636 
3637  done:
3638     EVP_PKEY_CTX_free(ctx);
3639     EVP_PKEY_free(pkey);
3640 # ifndef OPENSSL_NO_DEPRECATED_3_0
3641     EVP_PKEY_free(pkey2);
3642     EC_KEY_free(ec);
3643 # endif
3644     return ret;
3645 }
3646 #endif
3647 
3648 static int test_EVP_rsa_pss_with_keygen_bits(void)
3649 {
3650     int ret = 0;
3651     EVP_PKEY_CTX *ctx = NULL;
3652     EVP_PKEY *pkey = NULL;
3653     EVP_MD *md;
3654 
3655     md = EVP_MD_fetch(testctx, "sha256", testpropq);
3656     ret = TEST_ptr(md)
3657         && TEST_ptr((ctx = EVP_PKEY_CTX_new_from_name(testctx, "RSA-PSS", testpropq)))
3658         && TEST_int_gt(EVP_PKEY_keygen_init(ctx), 0)
3659         && TEST_int_gt(EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 512), 0)
3660         && TEST_int_gt(EVP_PKEY_CTX_set_rsa_pss_keygen_md(ctx, md), 0)
3661         && TEST_true(EVP_PKEY_keygen(ctx, &pkey));
3662 
3663     EVP_MD_free(md);
3664     EVP_PKEY_free(pkey);
3665     EVP_PKEY_CTX_free(ctx);
3666     return ret;
3667 }
3668 
3669 static int test_EVP_rsa_pss_set_saltlen(void)
3670 {
3671     int ret = 0;
3672     EVP_PKEY *pkey = NULL;
3673     EVP_PKEY_CTX *pkey_ctx = NULL;
3674     EVP_MD *sha256 = NULL;
3675     EVP_MD_CTX *sha256_ctx = NULL;
3676     int saltlen = 9999; /* buggy EVP_PKEY_CTX_get_rsa_pss_saltlen() didn't update this */
3677     const int test_value = 32;
3678 
3679     ret = TEST_ptr(pkey = load_example_rsa_key())
3680         && TEST_ptr(sha256 = EVP_MD_fetch(testctx, "sha256", NULL))
3681         && TEST_ptr(sha256_ctx = EVP_MD_CTX_new())
3682         && TEST_true(EVP_DigestSignInit(sha256_ctx, &pkey_ctx, sha256, NULL, pkey))
3683         && TEST_true(EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING))
3684         && TEST_int_gt(EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx, test_value), 0)
3685         && TEST_int_gt(EVP_PKEY_CTX_get_rsa_pss_saltlen(pkey_ctx, &saltlen), 0)
3686         && TEST_int_eq(saltlen, test_value);
3687 
3688     EVP_MD_CTX_free(sha256_ctx);
3689     EVP_PKEY_free(pkey);
3690     EVP_MD_free(sha256);
3691 
3692     return ret;
3693 }
3694 
3695 static int success = 1;
3696 static void md_names(const char *name, void *vctx)
3697 {
3698     OSSL_LIB_CTX *ctx = (OSSL_LIB_CTX *)vctx;
3699     /* Force a namemap update */
3700     EVP_CIPHER *aes128 = EVP_CIPHER_fetch(ctx, "AES-128-CBC", NULL);
3701 
3702     if (!TEST_ptr(aes128))
3703         success = 0;
3704 
3705     EVP_CIPHER_free(aes128);
3706 }
3707 
3708 /*
3709  * Test that changing the namemap in a user callback works in a names_do_all
3710  * function.
3711  */
3712 static int test_names_do_all(void)
3713 {
3714     /* We use a custom libctx so that we know the state of the namemap */
3715     OSSL_LIB_CTX *ctx = OSSL_LIB_CTX_new();
3716     EVP_MD *sha256 = NULL;
3717     int testresult = 0;
3718 
3719     if (!TEST_ptr(ctx))
3720         goto err;
3721 
3722     sha256 = EVP_MD_fetch(ctx, "SHA2-256", NULL);
3723     if (!TEST_ptr(sha256))
3724         goto err;
3725 
3726     /*
3727      * We loop through all the names for a given digest. This should still work
3728      * even if the namemap changes part way through.
3729      */
3730     if (!TEST_true(EVP_MD_names_do_all(sha256, md_names, ctx)))
3731         goto err;
3732 
3733     if (!TEST_true(success))
3734         goto err;
3735 
3736     testresult = 1;
3737  err:
3738     EVP_MD_free(sha256);
3739     OSSL_LIB_CTX_free(ctx);
3740     return testresult;
3741 }
3742 
3743 typedef struct {
3744     const char *cipher;
3745     const unsigned char *key;
3746     const unsigned char *iv;
3747     const unsigned char *input;
3748     const unsigned char *expected;
3749     const unsigned char *tag;
3750     size_t ivlen; /* 0 if we do not need to set a specific IV len */
3751     size_t inlen;
3752     size_t expectedlen;
3753     size_t taglen;
3754     int keyfirst;
3755     int initenc;
3756     int finalenc;
3757 } EVP_INIT_TEST_st;
3758 
3759 static const EVP_INIT_TEST_st evp_init_tests[] = {
3760     {
3761         "aes-128-cfb", kCFBDefaultKey, iCFBIV, cfbPlaintext,
3762         cfbCiphertext, NULL, 0, sizeof(cfbPlaintext), sizeof(cfbCiphertext),
3763         0, 1, 0, 1
3764     },
3765     {
3766         "aes-256-gcm", kGCMDefaultKey, iGCMDefaultIV, gcmDefaultPlaintext,
3767         gcmDefaultCiphertext, gcmDefaultTag, sizeof(iGCMDefaultIV),
3768         sizeof(gcmDefaultPlaintext), sizeof(gcmDefaultCiphertext),
3769         sizeof(gcmDefaultTag), 1, 0, 1
3770     },
3771     {
3772         "aes-128-cfb", kCFBDefaultKey, iCFBIV, cfbPlaintext,
3773         cfbCiphertext, NULL, 0, sizeof(cfbPlaintext), sizeof(cfbCiphertext),
3774         0, 0, 0, 1
3775     },
3776     {
3777         "aes-256-gcm", kGCMDefaultKey, iGCMDefaultIV, gcmDefaultPlaintext,
3778         gcmDefaultCiphertext, gcmDefaultTag, sizeof(iGCMDefaultIV),
3779         sizeof(gcmDefaultPlaintext), sizeof(gcmDefaultCiphertext),
3780         sizeof(gcmDefaultTag), 0, 0, 1
3781     },
3782     {
3783         "aes-128-cfb", kCFBDefaultKey, iCFBIV, cfbCiphertext,
3784         cfbPlaintext, NULL, 0, sizeof(cfbCiphertext), sizeof(cfbPlaintext),
3785         0, 1, 1, 0
3786     },
3787     {
3788         "aes-256-gcm", kGCMDefaultKey, iGCMDefaultIV, gcmDefaultCiphertext,
3789         gcmDefaultPlaintext, gcmDefaultTag, sizeof(iGCMDefaultIV),
3790         sizeof(gcmDefaultCiphertext), sizeof(gcmDefaultPlaintext),
3791         sizeof(gcmDefaultTag), 1, 1, 0
3792     },
3793     {
3794         "aes-128-cfb", kCFBDefaultKey, iCFBIV, cfbCiphertext,
3795         cfbPlaintext, NULL, 0, sizeof(cfbCiphertext), sizeof(cfbPlaintext),
3796         0, 0, 1, 0
3797     },
3798     {
3799         "aes-256-gcm", kGCMDefaultKey, iGCMDefaultIV, gcmDefaultCiphertext,
3800         gcmDefaultPlaintext, gcmDefaultTag, sizeof(iGCMDefaultIV),
3801         sizeof(gcmDefaultCiphertext), sizeof(gcmDefaultPlaintext),
3802         sizeof(gcmDefaultTag), 0, 1, 0
3803     }
3804 };
3805 
3806 /* use same key, iv and plaintext for cfb and ofb */
3807 static const EVP_INIT_TEST_st evp_reinit_tests[] = {
3808     {
3809         "aes-128-cfb", kCFBDefaultKey, iCFBIV, cfbPlaintext_partial,
3810         cfbCiphertext_partial, NULL, 0, sizeof(cfbPlaintext_partial),
3811         sizeof(cfbCiphertext_partial), 0, 0, 1, 0
3812     },
3813     {
3814         "aes-128-cfb", kCFBDefaultKey, iCFBIV, cfbCiphertext_partial,
3815         cfbPlaintext_partial, NULL, 0, sizeof(cfbCiphertext_partial),
3816         sizeof(cfbPlaintext_partial), 0, 0, 0, 0
3817     },
3818     {
3819         "aes-128-ofb", kCFBDefaultKey, iCFBIV, cfbPlaintext_partial,
3820         ofbCiphertext_partial, NULL, 0, sizeof(cfbPlaintext_partial),
3821         sizeof(ofbCiphertext_partial), 0, 0, 1, 0
3822     },
3823     {
3824         "aes-128-ofb", kCFBDefaultKey, iCFBIV, ofbCiphertext_partial,
3825         cfbPlaintext_partial, NULL, 0, sizeof(ofbCiphertext_partial),
3826         sizeof(cfbPlaintext_partial), 0, 0, 0, 0
3827     },
3828 };
3829 
3830 static int evp_init_seq_set_iv(EVP_CIPHER_CTX *ctx, const EVP_INIT_TEST_st *t)
3831 {
3832     int res = 0;
3833 
3834     if (t->ivlen != 0) {
3835         if (!TEST_int_gt(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, t->ivlen, NULL), 0))
3836             goto err;
3837     }
3838     if (!TEST_true(EVP_CipherInit_ex(ctx, NULL, NULL, NULL, t->iv, -1)))
3839         goto err;
3840     res = 1;
3841  err:
3842     return res;
3843 }
3844 
3845 /*
3846  * Test step-wise cipher initialization via EVP_CipherInit_ex where the
3847  * arguments are given one at a time and a final adjustment to the enc
3848  * parameter sets the correct operation.
3849  */
3850 static int test_evp_init_seq(int idx)
3851 {
3852     int outlen1, outlen2;
3853     int testresult = 0;
3854     unsigned char outbuf[1024];
3855     unsigned char tag[16];
3856     const EVP_INIT_TEST_st *t = &evp_init_tests[idx];
3857     EVP_CIPHER_CTX *ctx = NULL;
3858     EVP_CIPHER *type = NULL;
3859     size_t taglen = sizeof(tag);
3860     char *errmsg = NULL;
3861 
3862     ctx = EVP_CIPHER_CTX_new();
3863     if (ctx == NULL) {
3864         errmsg = "CTX_ALLOC";
3865         goto err;
3866     }
3867     if (!TEST_ptr(type = EVP_CIPHER_fetch(testctx, t->cipher, testpropq))) {
3868         errmsg = "CIPHER_FETCH";
3869         goto err;
3870     }
3871     if (!TEST_true(EVP_CipherInit_ex(ctx, type, NULL, NULL, NULL, t->initenc))) {
3872         errmsg = "EMPTY_ENC_INIT";
3873         goto err;
3874     }
3875     if (!TEST_true(EVP_CIPHER_CTX_set_padding(ctx, 0))) {
3876         errmsg = "PADDING";
3877         goto err;
3878     }
3879     if (t->keyfirst && !TEST_true(EVP_CipherInit_ex(ctx, NULL, NULL, t->key, NULL, -1))) {
3880         errmsg = "KEY_INIT (before iv)";
3881         goto err;
3882     }
3883     if (!evp_init_seq_set_iv(ctx, t)) {
3884         errmsg = "IV_INIT";
3885         goto err;
3886     }
3887     if (t->keyfirst == 0 &&  !TEST_true(EVP_CipherInit_ex(ctx, NULL, NULL, t->key, NULL, -1))) {
3888         errmsg = "KEY_INIT (after iv)";
3889         goto err;
3890     }
3891     if (!TEST_true(EVP_CipherInit_ex(ctx, NULL, NULL, NULL, NULL, t->finalenc))) {
3892         errmsg = "FINAL_ENC_INIT";
3893         goto err;
3894     }
3895     if (!TEST_true(EVP_CipherUpdate(ctx, outbuf, &outlen1, t->input, t->inlen))) {
3896         errmsg = "CIPHER_UPDATE";
3897         goto err;
3898     }
3899     if (t->finalenc == 0 && t->tag != NULL) {
3900         /* Set expected tag */
3901         if (!TEST_int_gt(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG,
3902                                            t->taglen, (void *)t->tag), 0)) {
3903             errmsg = "SET_TAG";
3904             goto err;
3905         }
3906     }
3907     if (!TEST_true(EVP_CipherFinal_ex(ctx, outbuf + outlen1, &outlen2))) {
3908         errmsg = "CIPHER_FINAL";
3909         goto err;
3910     }
3911     if (!TEST_mem_eq(t->expected, t->expectedlen, outbuf, outlen1 + outlen2)) {
3912         errmsg = "WRONG_RESULT";
3913         goto err;
3914     }
3915     if (t->finalenc != 0 && t->tag != NULL) {
3916         if (!TEST_int_gt(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen, tag), 0)) {
3917             errmsg = "GET_TAG";
3918             goto err;
3919         }
3920         if (!TEST_mem_eq(t->tag, t->taglen, tag, taglen)) {
3921             errmsg = "TAG_ERROR";
3922             goto err;
3923         }
3924     }
3925     testresult = 1;
3926  err:
3927     if (errmsg != NULL)
3928         TEST_info("evp_init_test %d: %s", idx, errmsg);
3929     EVP_CIPHER_CTX_free(ctx);
3930     EVP_CIPHER_free(type);
3931     return testresult;
3932 }
3933 
3934 /*
3935  * Test re-initialization of cipher context without changing key or iv.
3936  * The result of both iteration should be the same.
3937  */
3938 static int test_evp_reinit_seq(int idx)
3939 {
3940     int outlen1, outlen2, outlen_final;
3941     int testresult = 0;
3942     unsigned char outbuf1[1024];
3943     unsigned char outbuf2[1024];
3944     const EVP_INIT_TEST_st *t = &evp_reinit_tests[idx];
3945     EVP_CIPHER_CTX *ctx = NULL;
3946     EVP_CIPHER *type = NULL;
3947 
3948     if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new())
3949             || !TEST_ptr(type = EVP_CIPHER_fetch(testctx, t->cipher, testpropq))
3950             /* setup cipher context */
3951             || !TEST_true(EVP_CipherInit_ex2(ctx, type, t->key, t->iv, t->initenc, NULL))
3952             /* first iteration */
3953             || !TEST_true(EVP_CipherUpdate(ctx, outbuf1, &outlen1, t->input, t->inlen))
3954             || !TEST_true(EVP_CipherFinal_ex(ctx, outbuf1, &outlen_final))
3955             /* check test results iteration 1 */
3956             || !TEST_mem_eq(t->expected, t->expectedlen, outbuf1, outlen1 + outlen_final)
3957             /* now re-init the context (same cipher, key and iv) */
3958             || !TEST_true(EVP_CipherInit_ex2(ctx, NULL, NULL, NULL, -1, NULL))
3959             /* second iteration */
3960             || !TEST_true(EVP_CipherUpdate(ctx, outbuf2, &outlen2, t->input, t->inlen))
3961             || !TEST_true(EVP_CipherFinal_ex(ctx, outbuf2, &outlen_final))
3962             /* check test results iteration 2 */
3963             || !TEST_mem_eq(t->expected, t->expectedlen, outbuf2, outlen2 + outlen_final))
3964         goto err;
3965     testresult = 1;
3966  err:
3967     EVP_CIPHER_CTX_free(ctx);
3968     EVP_CIPHER_free(type);
3969     return testresult;
3970 }
3971 
3972 typedef struct {
3973     const unsigned char *input;
3974     const unsigned char *expected;
3975     size_t inlen;
3976     size_t expectedlen;
3977     int enc;
3978 } EVP_RESET_TEST_st;
3979 
3980 static const EVP_RESET_TEST_st evp_reset_tests[] = {
3981     {
3982         cfbPlaintext, cfbCiphertext,
3983         sizeof(cfbPlaintext), sizeof(cfbCiphertext), 1
3984     },
3985     {
3986         cfbCiphertext, cfbPlaintext,
3987         sizeof(cfbCiphertext), sizeof(cfbPlaintext), 0
3988     }
3989 };
3990 
3991 /*
3992  * Test a reset of a cipher via EVP_CipherInit_ex after the cipher has already
3993  * been used.
3994  */
3995 static int test_evp_reset(int idx)
3996 {
3997     const EVP_RESET_TEST_st *t = &evp_reset_tests[idx];
3998     int outlen1, outlen2;
3999     int testresult = 0;
4000     unsigned char outbuf[1024];
4001     EVP_CIPHER_CTX *ctx = NULL;
4002     EVP_CIPHER *type = NULL;
4003     char *errmsg = NULL;
4004 
4005     if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new())) {
4006         errmsg = "CTX_ALLOC";
4007         goto err;
4008     }
4009     if (!TEST_ptr(type = EVP_CIPHER_fetch(testctx, "aes-128-cfb", testpropq))) {
4010         errmsg = "CIPHER_FETCH";
4011         goto err;
4012     }
4013     if (!TEST_true(EVP_CipherInit_ex(ctx, type, NULL, kCFBDefaultKey, iCFBIV, t->enc))) {
4014         errmsg = "CIPHER_INIT";
4015         goto err;
4016     }
4017     if (!TEST_true(EVP_CIPHER_CTX_set_padding(ctx, 0))) {
4018         errmsg = "PADDING";
4019         goto err;
4020     }
4021     if (!TEST_true(EVP_CipherUpdate(ctx, outbuf, &outlen1, t->input, t->inlen))) {
4022         errmsg = "CIPHER_UPDATE";
4023         goto err;
4024     }
4025     if (!TEST_true(EVP_CipherFinal_ex(ctx, outbuf + outlen1, &outlen2))) {
4026         errmsg = "CIPHER_FINAL";
4027         goto err;
4028     }
4029     if (!TEST_mem_eq(t->expected, t->expectedlen, outbuf, outlen1 + outlen2)) {
4030         errmsg = "WRONG_RESULT";
4031         goto err;
4032     }
4033     if (!TEST_true(EVP_CipherInit_ex(ctx, NULL, NULL, NULL, NULL, -1))) {
4034         errmsg = "CIPHER_REINIT";
4035         goto err;
4036     }
4037     if (!TEST_true(EVP_CipherUpdate(ctx, outbuf, &outlen1, t->input, t->inlen))) {
4038         errmsg = "CIPHER_UPDATE (reinit)";
4039         goto err;
4040     }
4041     if (!TEST_true(EVP_CipherFinal_ex(ctx, outbuf + outlen1, &outlen2))) {
4042         errmsg = "CIPHER_FINAL (reinit)";
4043         goto err;
4044     }
4045     if (!TEST_mem_eq(t->expected, t->expectedlen, outbuf, outlen1 + outlen2)) {
4046         errmsg = "WRONG_RESULT (reinit)";
4047         goto err;
4048     }
4049     testresult = 1;
4050  err:
4051     if (errmsg != NULL)
4052         TEST_info("test_evp_reset %d: %s", idx, errmsg);
4053     EVP_CIPHER_CTX_free(ctx);
4054     EVP_CIPHER_free(type);
4055     return testresult;
4056 }
4057 
4058 typedef struct {
4059     const char *cipher;
4060     int enc;
4061 } EVP_UPDATED_IV_TEST_st;
4062 
4063 static const EVP_UPDATED_IV_TEST_st evp_updated_iv_tests[] = {
4064     {
4065         "aes-128-cfb", 1
4066     },
4067     {
4068         "aes-128-cfb", 0
4069     },
4070     {
4071         "aes-128-cfb1", 1
4072     },
4073     {
4074         "aes-128-cfb1", 0
4075     },
4076     {
4077         "aes-128-cfb8", 1
4078     },
4079     {
4080         "aes-128-cfb8", 0
4081     },
4082     {
4083         "aes-128-ofb", 1
4084     },
4085     {
4086         "aes-128-ofb", 0
4087     },
4088     {
4089         "aes-128-ctr", 1
4090     },
4091     {
4092         "aes-128-ctr", 0
4093     },
4094     {
4095         "aes-128-cbc", 1
4096     },
4097     {
4098         "aes-128-cbc", 0
4099     }
4100 };
4101 
4102 /*
4103  * Test that the IV in the context is updated during a crypto operation for CFB
4104  * and OFB.
4105  */
4106 static int test_evp_updated_iv(int idx)
4107 {
4108     const EVP_UPDATED_IV_TEST_st *t = &evp_updated_iv_tests[idx];
4109     int outlen1, outlen2;
4110     int testresult = 0;
4111     unsigned char outbuf[1024];
4112     EVP_CIPHER_CTX *ctx = NULL;
4113     EVP_CIPHER *type = NULL;
4114     unsigned char updated_iv[EVP_MAX_IV_LENGTH];
4115     int iv_len;
4116     char *errmsg = NULL;
4117 
4118     if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new())) {
4119         errmsg = "CTX_ALLOC";
4120         goto err;
4121     }
4122     if ((type = EVP_CIPHER_fetch(testctx, t->cipher, testpropq)) == NULL) {
4123         TEST_info("cipher %s not supported, skipping", t->cipher);
4124         goto ok;
4125     }
4126 
4127     if (!TEST_true(EVP_CipherInit_ex(ctx, type, NULL, kCFBDefaultKey, iCFBIV, t->enc))) {
4128         errmsg = "CIPHER_INIT";
4129         goto err;
4130     }
4131     if (!TEST_true(EVP_CIPHER_CTX_set_padding(ctx, 0))) {
4132         errmsg = "PADDING";
4133         goto err;
4134     }
4135     if (!TEST_true(EVP_CipherUpdate(ctx, outbuf, &outlen1, cfbPlaintext, sizeof(cfbPlaintext)))) {
4136         errmsg = "CIPHER_UPDATE";
4137         goto err;
4138     }
4139     if (!TEST_true(EVP_CIPHER_CTX_get_updated_iv(ctx, updated_iv, sizeof(updated_iv)))) {
4140         errmsg = "CIPHER_CTX_GET_UPDATED_IV";
4141         goto err;
4142     }
4143     if (!TEST_true(iv_len = EVP_CIPHER_CTX_get_iv_length(ctx))) {
4144         errmsg = "CIPHER_CTX_GET_IV_LEN";
4145         goto err;
4146     }
4147     if (!TEST_mem_ne(iCFBIV, sizeof(iCFBIV), updated_iv, iv_len)) {
4148         errmsg = "IV_NOT_UPDATED";
4149         goto err;
4150     }
4151     if (!TEST_true(EVP_CipherFinal_ex(ctx, outbuf + outlen1, &outlen2))) {
4152         errmsg = "CIPHER_FINAL";
4153         goto err;
4154     }
4155  ok:
4156     testresult = 1;
4157  err:
4158     if (errmsg != NULL)
4159         TEST_info("test_evp_updated_iv %d: %s", idx, errmsg);
4160     EVP_CIPHER_CTX_free(ctx);
4161     EVP_CIPHER_free(type);
4162     return testresult;
4163 }
4164 
4165 typedef struct {
4166     const unsigned char *iv1;
4167     const unsigned char *iv2;
4168     const unsigned char *expected1;
4169     const unsigned char *expected2;
4170     const unsigned char *tag1;
4171     const unsigned char *tag2;
4172     size_t ivlen1;
4173     size_t ivlen2;
4174     size_t expectedlen1;
4175     size_t expectedlen2;
4176 } TEST_GCM_IV_REINIT_st;
4177 
4178 static const TEST_GCM_IV_REINIT_st gcm_reinit_tests[] = {
4179     {
4180         iGCMResetIV1, iGCMResetIV2, gcmResetCiphertext1, gcmResetCiphertext2,
4181         gcmResetTag1, gcmResetTag2, sizeof(iGCMResetIV1), sizeof(iGCMResetIV2),
4182         sizeof(gcmResetCiphertext1), sizeof(gcmResetCiphertext2)
4183     },
4184     {
4185         iGCMResetIV2, iGCMResetIV1, gcmResetCiphertext2, gcmResetCiphertext1,
4186         gcmResetTag2, gcmResetTag1, sizeof(iGCMResetIV2), sizeof(iGCMResetIV1),
4187         sizeof(gcmResetCiphertext2), sizeof(gcmResetCiphertext1)
4188     }
4189 };
4190 
4191 static int test_gcm_reinit(int idx)
4192 {
4193     int outlen1, outlen2, outlen3;
4194     int testresult = 0;
4195     unsigned char outbuf[1024];
4196     unsigned char tag[16];
4197     const TEST_GCM_IV_REINIT_st *t = &gcm_reinit_tests[idx];
4198     EVP_CIPHER_CTX *ctx = NULL;
4199     EVP_CIPHER *type = NULL;
4200     size_t taglen = sizeof(tag);
4201     char *errmsg = NULL;
4202 
4203     if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new())) {
4204         errmsg = "CTX_ALLOC";
4205         goto err;
4206     }
4207     if (!TEST_ptr(type = EVP_CIPHER_fetch(testctx, "aes-256-gcm", testpropq))) {
4208         errmsg = "CIPHER_FETCH";
4209         goto err;
4210     }
4211     if (!TEST_true(EVP_CipherInit_ex(ctx, type, NULL, NULL, NULL, 1))) {
4212         errmsg = "ENC_INIT";
4213         goto err;
4214     }
4215     if (!TEST_int_gt(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, t->ivlen1, NULL), 0)) {
4216         errmsg = "SET_IVLEN1";
4217         goto err;
4218     }
4219     if (!TEST_true(EVP_CipherInit_ex(ctx, NULL, NULL, kGCMResetKey, t->iv1, 1))) {
4220         errmsg = "SET_IV1";
4221         goto err;
4222     }
4223     if (!TEST_true(EVP_CipherUpdate(ctx, NULL, &outlen3, gcmAAD, sizeof(gcmAAD)))) {
4224         errmsg = "AAD1";
4225         goto err;
4226     }
4227     EVP_CIPHER_CTX_set_padding(ctx, 0);
4228     if (!TEST_true(EVP_CipherUpdate(ctx, outbuf, &outlen1, gcmResetPlaintext,
4229                                     sizeof(gcmResetPlaintext)))) {
4230         errmsg = "CIPHER_UPDATE1";
4231         goto err;
4232     }
4233     if (!TEST_true(EVP_CipherFinal_ex(ctx, outbuf + outlen1, &outlen2))) {
4234         errmsg = "CIPHER_FINAL1";
4235         goto err;
4236     }
4237     if (!TEST_mem_eq(t->expected1, t->expectedlen1, outbuf, outlen1 + outlen2)) {
4238         errmsg = "WRONG_RESULT1";
4239         goto err;
4240     }
4241     if (!TEST_int_gt(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen, tag), 0)) {
4242         errmsg = "GET_TAG1";
4243         goto err;
4244     }
4245     if (!TEST_mem_eq(t->tag1, taglen, tag, taglen)) {
4246         errmsg = "TAG_ERROR1";
4247         goto err;
4248     }
4249     /* Now reinit */
4250     if (!TEST_int_gt(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, t->ivlen2, NULL), 0)) {
4251         errmsg = "SET_IVLEN2";
4252         goto err;
4253     }
4254     if (!TEST_true(EVP_CipherInit_ex(ctx, NULL, NULL, NULL, t->iv2, -1))) {
4255         errmsg = "SET_IV2";
4256         goto err;
4257     }
4258     if (!TEST_true(EVP_CipherUpdate(ctx, NULL, &outlen3, gcmAAD, sizeof(gcmAAD)))) {
4259         errmsg = "AAD2";
4260         goto err;
4261     }
4262     if (!TEST_true(EVP_CipherUpdate(ctx, outbuf, &outlen1, gcmResetPlaintext,
4263                                     sizeof(gcmResetPlaintext)))) {
4264         errmsg = "CIPHER_UPDATE2";
4265         goto err;
4266     }
4267     if (!TEST_true(EVP_CipherFinal_ex(ctx, outbuf + outlen1, &outlen2))) {
4268         errmsg = "CIPHER_FINAL2";
4269         goto err;
4270     }
4271     if (!TEST_mem_eq(t->expected2, t->expectedlen2, outbuf, outlen1 + outlen2)) {
4272         errmsg = "WRONG_RESULT2";
4273         goto err;
4274     }
4275     if (!TEST_int_gt(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen, tag), 0)) {
4276         errmsg = "GET_TAG2";
4277         goto err;
4278     }
4279     if (!TEST_mem_eq(t->tag2, taglen, tag, taglen)) {
4280         errmsg = "TAG_ERROR2";
4281         goto err;
4282     }
4283     testresult = 1;
4284  err:
4285     if (errmsg != NULL)
4286         TEST_info("evp_init_test %d: %s", idx, errmsg);
4287     EVP_CIPHER_CTX_free(ctx);
4288     EVP_CIPHER_free(type);
4289     return testresult;
4290 }
4291 
4292 static const char *ivlen_change_ciphers[] = {
4293     "AES-256-GCM",
4294 #ifndef OPENSSL_NO_OCB
4295     "AES-256-OCB",
4296 #endif
4297     "AES-256-CCM"
4298 };
4299 
4300 /* Negative test for ivlen change after iv being set */
4301 static int test_ivlen_change(int idx)
4302 {
4303     int outlen;
4304     int res = 0;
4305     unsigned char outbuf[1024];
4306     static const unsigned char iv[] = {
4307          0x57, 0x71, 0x7d, 0xad, 0xdb, 0x9b, 0x98, 0x82,
4308          0x5a, 0x55, 0x91, 0x81, 0x42, 0xa8, 0x89, 0x34
4309     };
4310     EVP_CIPHER_CTX *ctx = NULL;
4311     EVP_CIPHER *ciph = NULL;
4312     OSSL_PARAM params[] = { OSSL_PARAM_END, OSSL_PARAM_END };
4313     size_t ivlen = 13; /* non-default IV length */
4314 
4315     if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new()))
4316         goto err;
4317 
4318     if (!TEST_ptr(ciph = EVP_CIPHER_fetch(testctx, ivlen_change_ciphers[idx],
4319                                           testpropq)))
4320         goto err;
4321 
4322     if (!TEST_true(EVP_CipherInit_ex(ctx, ciph, NULL, kGCMDefaultKey, iv, 1)))
4323         goto err;
4324 
4325     if (!TEST_true(EVP_CipherUpdate(ctx, outbuf, &outlen, gcmDefaultPlaintext,
4326                                     sizeof(gcmDefaultPlaintext))))
4327         goto err;
4328 
4329     params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_AEAD_IVLEN,
4330                                             &ivlen);
4331     if (!TEST_true(EVP_CIPHER_CTX_set_params(ctx, params)))
4332         goto err;
4333 
4334     ERR_set_mark();
4335     if (!TEST_false(EVP_CipherUpdate(ctx, outbuf, &outlen, gcmDefaultPlaintext,
4336                                     sizeof(gcmDefaultPlaintext)))) {
4337         ERR_clear_last_mark();
4338         goto err;
4339     }
4340     ERR_pop_to_mark();
4341 
4342     res = 1;
4343  err:
4344     EVP_CIPHER_CTX_free(ctx);
4345     EVP_CIPHER_free(ciph);
4346     return res;
4347 }
4348 
4349 static const char *keylen_change_ciphers[] = {
4350 #ifndef OPENSSL_NO_BF
4351     "BF-ECB",
4352 #endif
4353 #ifndef OPENSSL_NO_CAST
4354     "CAST5-ECB",
4355 #endif
4356 #ifndef OPENSSL_NO_RC2
4357     "RC2-ECB",
4358 #endif
4359 #ifndef OPENSSL_NO_RC4
4360     "RC4",
4361 #endif
4362 #ifndef OPENSSL_NO_RC5
4363     "RC5-ECB",
4364 #endif
4365     NULL
4366 };
4367 
4368 /* Negative test for keylen change after key was set */
4369 static int test_keylen_change(int idx)
4370 {
4371     int outlen;
4372     int res = 0;
4373     unsigned char outbuf[1024];
4374     static const unsigned char key[] = {
4375          0x57, 0x71, 0x7d, 0xad, 0xdb, 0x9b, 0x98, 0x82,
4376          0x5a, 0x55, 0x91, 0x81, 0x42, 0xa8, 0x89, 0x34
4377     };
4378     EVP_CIPHER_CTX *ctx = NULL;
4379     EVP_CIPHER *ciph = NULL;
4380     OSSL_PARAM params[] = { OSSL_PARAM_END, OSSL_PARAM_END };
4381     size_t keylen = 12; /* non-default key length */
4382 
4383     if (lgcyprov == NULL)
4384         return TEST_skip("Test requires legacy provider to be loaded");
4385 
4386     if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new()))
4387         goto err;
4388 
4389     if (!TEST_ptr(ciph = EVP_CIPHER_fetch(testctx, keylen_change_ciphers[idx],
4390                                           testpropq)))
4391         goto err;
4392 
4393     if (!TEST_true(EVP_CipherInit_ex(ctx, ciph, NULL, key, NULL, 1)))
4394         goto err;
4395 
4396     if (!TEST_true(EVP_CipherUpdate(ctx, outbuf, &outlen, gcmDefaultPlaintext,
4397                                     sizeof(gcmDefaultPlaintext))))
4398         goto err;
4399 
4400     params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_KEYLEN,
4401                                             &keylen);
4402     if (!TEST_true(EVP_CIPHER_CTX_set_params(ctx, params)))
4403         goto err;
4404 
4405     ERR_set_mark();
4406     if (!TEST_false(EVP_CipherUpdate(ctx, outbuf, &outlen, gcmDefaultPlaintext,
4407                                     sizeof(gcmDefaultPlaintext)))) {
4408         ERR_clear_last_mark();
4409         goto err;
4410     }
4411     ERR_pop_to_mark();
4412 
4413     res = 1;
4414  err:
4415     EVP_CIPHER_CTX_free(ctx);
4416     EVP_CIPHER_free(ciph);
4417     return res;
4418 }
4419 
4420 #ifndef OPENSSL_NO_DEPRECATED_3_0
4421 static EVP_PKEY_METHOD *custom_pmeth =  NULL;
4422 static const EVP_PKEY_METHOD *orig_pmeth = NULL;
4423 
4424 # define EVP_PKEY_CTRL_MY_COMMAND 9999
4425 
4426 static int custom_pmeth_init(EVP_PKEY_CTX *ctx)
4427 {
4428     int (*pinit)(EVP_PKEY_CTX *ctx);
4429 
4430     EVP_PKEY_meth_get_init(orig_pmeth, &pinit);
4431     return pinit(ctx);
4432 }
4433 
4434 static void custom_pmeth_cleanup(EVP_PKEY_CTX *ctx)
4435 {
4436     void (*pcleanup)(EVP_PKEY_CTX *ctx);
4437 
4438     EVP_PKEY_meth_get_cleanup(orig_pmeth, &pcleanup);
4439     pcleanup(ctx);
4440 }
4441 
4442 static int custom_pmeth_sign(EVP_PKEY_CTX *ctx, unsigned char *out,
4443                              size_t *outlen, const unsigned char *in,
4444                              size_t inlen)
4445 {
4446     int (*psign)(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
4447                  const unsigned char *tbs, size_t tbslen);
4448 
4449     EVP_PKEY_meth_get_sign(orig_pmeth, NULL, &psign);
4450     return psign(ctx, out, outlen, in, inlen);
4451 }
4452 
4453 static int custom_pmeth_digestsign(EVP_MD_CTX *ctx, unsigned char *sig,
4454                                    size_t *siglen, const unsigned char *tbs,
4455                                    size_t tbslen)
4456 {
4457     int (*pdigestsign)(EVP_MD_CTX *ctx, unsigned char *sig, size_t *siglen,
4458                        const unsigned char *tbs, size_t tbslen);
4459 
4460     EVP_PKEY_meth_get_digestsign(orig_pmeth, &pdigestsign);
4461     return pdigestsign(ctx, sig, siglen, tbs, tbslen);
4462 }
4463 
4464 static int custom_pmeth_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
4465                                size_t *keylen)
4466 {
4467     int (*pderive)(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen);
4468 
4469     EVP_PKEY_meth_get_derive(orig_pmeth, NULL, &pderive);
4470     return pderive(ctx, key, keylen);
4471 }
4472 
4473 static int custom_pmeth_copy(EVP_PKEY_CTX *dst, const EVP_PKEY_CTX *src)
4474 {
4475     int (*pcopy)(EVP_PKEY_CTX *dst, const EVP_PKEY_CTX *src);
4476 
4477     EVP_PKEY_meth_get_copy(orig_pmeth, &pcopy);
4478     return pcopy(dst, src);
4479 }
4480 
4481 static int ctrl_called;
4482 
4483 static int custom_pmeth_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
4484 {
4485     int (*pctrl)(EVP_PKEY_CTX *ctx, int type, int p1, void *p2);
4486 
4487     EVP_PKEY_meth_get_ctrl(orig_pmeth, &pctrl, NULL);
4488 
4489     if (type == EVP_PKEY_CTRL_MY_COMMAND) {
4490         ctrl_called = 1;
4491         return 1;
4492     }
4493 
4494     return pctrl(ctx, type, p1, p2);
4495 }
4496 
4497 static int test_custom_pmeth(int idx)
4498 {
4499     EVP_PKEY_CTX *pctx = NULL;
4500     EVP_MD_CTX *ctx = NULL;
4501     EVP_PKEY *pkey = NULL;
4502     int id, orig_id, orig_flags;
4503     int testresult = 0;
4504     size_t reslen;
4505     unsigned char *res = NULL;
4506     unsigned char msg[] = { 'H', 'e', 'l', 'l', 'o' };
4507     const EVP_MD *md = EVP_sha256();
4508     int doderive = 0;
4509 
4510     ctrl_called = 0;
4511 
4512     /* We call deprecated APIs so this test doesn't support a custom libctx */
4513     if (testctx != NULL)
4514         return 1;
4515 
4516     switch(idx) {
4517     case 0:
4518     case 6:
4519         id = EVP_PKEY_RSA;
4520         pkey = load_example_rsa_key();
4521         break;
4522     case 1:
4523     case 7:
4524 # ifndef OPENSSL_NO_DSA
4525         id = EVP_PKEY_DSA;
4526         pkey = load_example_dsa_key();
4527         break;
4528 # else
4529         return 1;
4530 # endif
4531     case 2:
4532     case 8:
4533 # ifndef OPENSSL_NO_EC
4534         id = EVP_PKEY_EC;
4535         pkey = load_example_ec_key();
4536         break;
4537 # else
4538         return 1;
4539 # endif
4540     case 3:
4541     case 9:
4542 # ifndef OPENSSL_NO_EC
4543         id = EVP_PKEY_ED25519;
4544         md = NULL;
4545         pkey = load_example_ed25519_key();
4546         break;
4547 # else
4548         return 1;
4549 # endif
4550     case 4:
4551     case 10:
4552 # ifndef OPENSSL_NO_DH
4553         id = EVP_PKEY_DH;
4554         doderive = 1;
4555         pkey = load_example_dh_key();
4556         break;
4557 # else
4558         return 1;
4559 # endif
4560     case 5:
4561     case 11:
4562 # ifndef OPENSSL_NO_EC
4563         id = EVP_PKEY_X25519;
4564         doderive = 1;
4565         pkey = load_example_x25519_key();
4566         break;
4567 # else
4568         return 1;
4569 # endif
4570     default:
4571         TEST_error("Should not happen");
4572         goto err;
4573     }
4574 
4575     if (!TEST_ptr(pkey))
4576         goto err;
4577 
4578     if (idx < 6) {
4579         if (!TEST_true(evp_pkey_is_provided(pkey)))
4580             goto err;
4581     } else {
4582         EVP_PKEY *tmp = pkey;
4583 
4584         /* Convert to a legacy key */
4585         pkey = EVP_PKEY_new();
4586         if (!TEST_ptr(pkey)) {
4587             pkey = tmp;
4588             goto err;
4589         }
4590         if (!TEST_true(evp_pkey_copy_downgraded(&pkey, tmp))) {
4591             EVP_PKEY_free(tmp);
4592             goto err;
4593         }
4594         EVP_PKEY_free(tmp);
4595         if (!TEST_true(evp_pkey_is_legacy(pkey)))
4596             goto err;
4597     }
4598 
4599     if (!TEST_ptr(orig_pmeth = EVP_PKEY_meth_find(id))
4600             || !TEST_ptr(pkey))
4601         goto err;
4602 
4603     EVP_PKEY_meth_get0_info(&orig_id, &orig_flags, orig_pmeth);
4604     if (!TEST_int_eq(orig_id, id)
4605             || !TEST_ptr(custom_pmeth = EVP_PKEY_meth_new(id, orig_flags)))
4606         goto err;
4607 
4608     if (id == EVP_PKEY_ED25519) {
4609         EVP_PKEY_meth_set_digestsign(custom_pmeth, custom_pmeth_digestsign);
4610     } if (id == EVP_PKEY_DH || id == EVP_PKEY_X25519) {
4611         EVP_PKEY_meth_set_derive(custom_pmeth, NULL, custom_pmeth_derive);
4612     } else {
4613         EVP_PKEY_meth_set_sign(custom_pmeth, NULL, custom_pmeth_sign);
4614     }
4615     if (id != EVP_PKEY_ED25519 && id != EVP_PKEY_X25519) {
4616         EVP_PKEY_meth_set_init(custom_pmeth, custom_pmeth_init);
4617         EVP_PKEY_meth_set_cleanup(custom_pmeth, custom_pmeth_cleanup);
4618         EVP_PKEY_meth_set_copy(custom_pmeth, custom_pmeth_copy);
4619     }
4620     EVP_PKEY_meth_set_ctrl(custom_pmeth, custom_pmeth_ctrl, NULL);
4621     if (!TEST_true(EVP_PKEY_meth_add0(custom_pmeth)))
4622         goto err;
4623 
4624     if (doderive) {
4625         pctx = EVP_PKEY_CTX_new(pkey, NULL);
4626         if (!TEST_ptr(pctx)
4627                 || !TEST_int_eq(EVP_PKEY_derive_init(pctx), 1)
4628                 || !TEST_int_ge(EVP_PKEY_CTX_ctrl(pctx, -1, -1,
4629                                                 EVP_PKEY_CTRL_MY_COMMAND, 0, NULL),
4630                                 1)
4631                 || !TEST_int_eq(ctrl_called, 1)
4632                 || !TEST_int_ge(EVP_PKEY_derive_set_peer(pctx, pkey), 1)
4633                 || !TEST_int_ge(EVP_PKEY_derive(pctx, NULL, &reslen), 1)
4634                 || !TEST_ptr(res = OPENSSL_malloc(reslen))
4635                 || !TEST_int_ge(EVP_PKEY_derive(pctx, res, &reslen), 1))
4636             goto err;
4637     } else {
4638         ctx = EVP_MD_CTX_new();
4639         reslen = EVP_PKEY_size(pkey);
4640         res = OPENSSL_malloc(reslen);
4641         if (!TEST_ptr(ctx)
4642                 || !TEST_ptr(res)
4643                 || !TEST_true(EVP_DigestSignInit(ctx, &pctx, md, NULL, pkey))
4644                 || !TEST_int_ge(EVP_PKEY_CTX_ctrl(pctx, -1, -1,
4645                                                 EVP_PKEY_CTRL_MY_COMMAND, 0, NULL),
4646                                 1)
4647                 || !TEST_int_eq(ctrl_called, 1))
4648             goto err;
4649 
4650         if (id == EVP_PKEY_ED25519) {
4651             if (!TEST_true(EVP_DigestSign(ctx, res, &reslen, msg, sizeof(msg))))
4652                 goto err;
4653         } else {
4654             if (!TEST_true(EVP_DigestUpdate(ctx, msg, sizeof(msg)))
4655                     || !TEST_true(EVP_DigestSignFinal(ctx, res, &reslen)))
4656                 goto err;
4657         }
4658     }
4659 
4660     testresult = 1;
4661  err:
4662     OPENSSL_free(res);
4663     EVP_MD_CTX_free(ctx);
4664     if (doderive)
4665         EVP_PKEY_CTX_free(pctx);
4666     EVP_PKEY_free(pkey);
4667     EVP_PKEY_meth_remove(custom_pmeth);
4668     EVP_PKEY_meth_free(custom_pmeth);
4669     custom_pmeth = NULL;
4670     return testresult;
4671 }
4672 
4673 static int test_evp_md_cipher_meth(void)
4674 {
4675     EVP_MD *md = EVP_MD_meth_dup(EVP_sha256());
4676     EVP_CIPHER *ciph = EVP_CIPHER_meth_dup(EVP_aes_128_cbc());
4677     int testresult = 0;
4678 
4679     if (!TEST_ptr(md) || !TEST_ptr(ciph))
4680         goto err;
4681 
4682     testresult = 1;
4683 
4684  err:
4685     EVP_MD_meth_free(md);
4686     EVP_CIPHER_meth_free(ciph);
4687 
4688     return testresult;
4689 }
4690 
4691 typedef struct {
4692         int data;
4693 } custom_dgst_ctx;
4694 
4695 static int custom_md_init_called = 0;
4696 static int custom_md_cleanup_called = 0;
4697 
4698 static int custom_md_init(EVP_MD_CTX *ctx)
4699 {
4700     custom_dgst_ctx *p = EVP_MD_CTX_md_data(ctx);
4701 
4702     if (p == NULL)
4703         return 0;
4704 
4705     custom_md_init_called++;
4706     return 1;
4707 }
4708 
4709 static int custom_md_cleanup(EVP_MD_CTX *ctx)
4710 {
4711     custom_dgst_ctx *p = EVP_MD_CTX_md_data(ctx);
4712 
4713     if (p == NULL)
4714         /* Nothing to do */
4715         return 1;
4716 
4717     custom_md_cleanup_called++;
4718     return 1;
4719 }
4720 
4721 static int test_custom_md_meth(void)
4722 {
4723     EVP_MD_CTX *mdctx = NULL;
4724     EVP_MD *tmp = NULL;
4725     char mess[] = "Test Message\n";
4726     unsigned char md_value[EVP_MAX_MD_SIZE];
4727     unsigned int md_len;
4728     int testresult = 0;
4729     int nid;
4730 
4731     /*
4732      * We are testing deprecated functions. We don't support a non-default
4733      * library context in this test.
4734      */
4735     if (testctx != NULL)
4736         return TEST_skip("Non-default libctx");
4737 
4738     custom_md_init_called = custom_md_cleanup_called = 0;
4739 
4740     nid = OBJ_create("1.3.6.1.4.1.16604.998866.1", "custom-md", "custom-md");
4741     if (!TEST_int_ne(nid, NID_undef))
4742         goto err;
4743     tmp = EVP_MD_meth_new(nid, NID_undef);
4744     if (!TEST_ptr(tmp))
4745         goto err;
4746 
4747     if (!TEST_true(EVP_MD_meth_set_init(tmp, custom_md_init))
4748             || !TEST_true(EVP_MD_meth_set_cleanup(tmp, custom_md_cleanup))
4749             || !TEST_true(EVP_MD_meth_set_app_datasize(tmp,
4750                                                        sizeof(custom_dgst_ctx))))
4751         goto err;
4752 
4753     mdctx = EVP_MD_CTX_new();
4754     if (!TEST_ptr(mdctx)
4755                /*
4756                 * Initing our custom md and then initing another md should
4757                 * result in the init and cleanup functions of the custom md
4758                 * being called.
4759                 */
4760             || !TEST_true(EVP_DigestInit_ex(mdctx, tmp, NULL))
4761             || !TEST_true(EVP_DigestInit_ex(mdctx, EVP_sha256(), NULL))
4762             || !TEST_true(EVP_DigestUpdate(mdctx, mess, strlen(mess)))
4763             || !TEST_true(EVP_DigestFinal_ex(mdctx, md_value, &md_len))
4764             || !TEST_int_eq(custom_md_init_called, 1)
4765             || !TEST_int_eq(custom_md_cleanup_called, 1))
4766         goto err;
4767 
4768     testresult = 1;
4769  err:
4770     EVP_MD_CTX_free(mdctx);
4771     EVP_MD_meth_free(tmp);
4772     return testresult;
4773 }
4774 
4775 typedef struct {
4776         int data;
4777 } custom_ciph_ctx;
4778 
4779 static int custom_ciph_init_called = 0;
4780 static int custom_ciph_cleanup_called = 0;
4781 
4782 static int custom_ciph_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
4783                             const unsigned char *iv, int enc)
4784 {
4785     custom_ciph_ctx *p = EVP_CIPHER_CTX_get_cipher_data(ctx);
4786 
4787     if (p == NULL)
4788         return 0;
4789 
4790     custom_ciph_init_called++;
4791     return 1;
4792 }
4793 
4794 static int custom_ciph_cleanup(EVP_CIPHER_CTX *ctx)
4795 {
4796     custom_ciph_ctx *p = EVP_CIPHER_CTX_get_cipher_data(ctx);
4797 
4798     if (p == NULL)
4799         /* Nothing to do */
4800         return 1;
4801 
4802     custom_ciph_cleanup_called++;
4803     return 1;
4804 }
4805 
4806 static int test_custom_ciph_meth(void)
4807 {
4808     EVP_CIPHER_CTX *ciphctx = NULL;
4809     EVP_CIPHER *tmp = NULL;
4810     int testresult = 0;
4811     int nid;
4812 
4813     /*
4814      * We are testing deprecated functions. We don't support a non-default
4815      * library context in this test.
4816      */
4817     if (testctx != NULL)
4818         return TEST_skip("Non-default libctx");
4819 
4820     custom_ciph_init_called = custom_ciph_cleanup_called = 0;
4821 
4822     nid = OBJ_create("1.3.6.1.4.1.16604.998866.2", "custom-ciph", "custom-ciph");
4823     if (!TEST_int_ne(nid, NID_undef))
4824         goto err;
4825     tmp = EVP_CIPHER_meth_new(nid, 16, 16);
4826     if (!TEST_ptr(tmp))
4827         goto err;
4828 
4829     if (!TEST_true(EVP_CIPHER_meth_set_init(tmp, custom_ciph_init))
4830             || !TEST_true(EVP_CIPHER_meth_set_flags(tmp, EVP_CIPH_ALWAYS_CALL_INIT))
4831             || !TEST_true(EVP_CIPHER_meth_set_cleanup(tmp, custom_ciph_cleanup))
4832             || !TEST_true(EVP_CIPHER_meth_set_impl_ctx_size(tmp,
4833                                                             sizeof(custom_ciph_ctx))))
4834         goto err;
4835 
4836     ciphctx = EVP_CIPHER_CTX_new();
4837     if (!TEST_ptr(ciphctx)
4838             /*
4839              * Initing our custom cipher and then initing another cipher
4840              * should result in the init and cleanup functions of the custom
4841              * cipher being called.
4842              */
4843             || !TEST_true(EVP_CipherInit_ex(ciphctx, tmp, NULL, NULL, NULL, 1))
4844             || !TEST_true(EVP_CipherInit_ex(ciphctx, EVP_aes_128_cbc(), NULL,
4845                                             NULL, NULL, 1))
4846             || !TEST_int_eq(custom_ciph_init_called, 1)
4847             || !TEST_int_eq(custom_ciph_cleanup_called, 1))
4848         goto err;
4849 
4850     testresult = 1;
4851  err:
4852     EVP_CIPHER_CTX_free(ciphctx);
4853     EVP_CIPHER_meth_free(tmp);
4854     return testresult;
4855 }
4856 
4857 # ifndef OPENSSL_NO_DYNAMIC_ENGINE
4858 /* Test we can create a signature keys with an associated ENGINE */
4859 static int test_signatures_with_engine(int tst)
4860 {
4861     ENGINE *e;
4862     const char *engine_id = "dasync";
4863     EVP_PKEY *pkey = NULL;
4864     const unsigned char badcmackey[] = { 0x00, 0x01 };
4865     const unsigned char cmackey[] = {
4866         0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
4867         0x0c, 0x0d, 0x0e, 0x0f
4868     };
4869     const unsigned char ed25519key[] = {
4870         0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
4871         0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
4872         0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
4873     };
4874     const unsigned char msg[] = { 0x00, 0x01, 0x02, 0x03 };
4875     int testresult = 0;
4876     EVP_MD_CTX *ctx = NULL;
4877     unsigned char *mac = NULL;
4878     size_t maclen = 0;
4879     int ret;
4880 
4881 #  ifdef OPENSSL_NO_CMAC
4882     /* Skip CMAC tests in a no-cmac build */
4883     if (tst <= 1)
4884         return 1;
4885 #  endif
4886 
4887     if (!TEST_ptr(e = ENGINE_by_id(engine_id)))
4888         return 0;
4889 
4890     if (!TEST_true(ENGINE_init(e))) {
4891         ENGINE_free(e);
4892         return 0;
4893     }
4894 
4895     switch (tst) {
4896     case 0:
4897         pkey = EVP_PKEY_new_CMAC_key(e, cmackey, sizeof(cmackey),
4898                                      EVP_aes_128_cbc());
4899         break;
4900     case 1:
4901         pkey = EVP_PKEY_new_CMAC_key(e, badcmackey, sizeof(badcmackey),
4902                                      EVP_aes_128_cbc());
4903         break;
4904     case 2:
4905         pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_ED25519, e, ed25519key,
4906                                             sizeof(ed25519key));
4907         break;
4908     default:
4909         TEST_error("Invalid test case");
4910         goto err;
4911     }
4912     if (!TEST_ptr(pkey))
4913         goto err;
4914 
4915     if (!TEST_ptr(ctx = EVP_MD_CTX_new()))
4916         goto err;
4917 
4918     ret = EVP_DigestSignInit(ctx, NULL, tst == 2 ? NULL : EVP_sha256(), NULL,
4919                              pkey);
4920     if (tst == 0) {
4921         if (!TEST_true(ret))
4922             goto err;
4923 
4924         if (!TEST_true(EVP_DigestSignUpdate(ctx, msg, sizeof(msg)))
4925                 || !TEST_true(EVP_DigestSignFinal(ctx, NULL, &maclen)))
4926             goto err;
4927 
4928         if (!TEST_ptr(mac = OPENSSL_malloc(maclen)))
4929             goto err;
4930 
4931         if (!TEST_true(EVP_DigestSignFinal(ctx, mac, &maclen)))
4932             goto err;
4933     } else {
4934         /* We used a bad key. We expect a failure here */
4935         if (!TEST_false(ret))
4936             goto err;
4937     }
4938 
4939     testresult = 1;
4940  err:
4941     EVP_MD_CTX_free(ctx);
4942     OPENSSL_free(mac);
4943     EVP_PKEY_free(pkey);
4944     ENGINE_finish(e);
4945     ENGINE_free(e);
4946 
4947     return testresult;
4948 }
4949 
4950 static int test_cipher_with_engine(void)
4951 {
4952     ENGINE *e;
4953     const char *engine_id = "dasync";
4954     const unsigned char keyiv[] = {
4955         0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
4956         0x0c, 0x0d, 0x0e, 0x0f
4957     };
4958     const unsigned char msg[] = { 0x00, 0x01, 0x02, 0x03 };
4959     int testresult = 0;
4960     EVP_CIPHER_CTX *ctx = NULL, *ctx2 = NULL;
4961     unsigned char buf[AES_BLOCK_SIZE];
4962     int len = 0;
4963 
4964     if (!TEST_ptr(e = ENGINE_by_id(engine_id)))
4965         return 0;
4966 
4967     if (!TEST_true(ENGINE_init(e))) {
4968         ENGINE_free(e);
4969         return 0;
4970     }
4971 
4972     if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new())
4973             || !TEST_ptr(ctx2 = EVP_CIPHER_CTX_new()))
4974         goto err;
4975 
4976     if (!TEST_true(EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), e, keyiv, keyiv)))
4977         goto err;
4978 
4979     /* Copy the ctx, and complete the operation with the new ctx */
4980     if (!TEST_true(EVP_CIPHER_CTX_copy(ctx2, ctx)))
4981         goto err;
4982 
4983     if (!TEST_true(EVP_EncryptUpdate(ctx2, buf, &len, msg, sizeof(msg)))
4984             || !TEST_true(EVP_EncryptFinal_ex(ctx2, buf + len, &len)))
4985         goto err;
4986 
4987     testresult = 1;
4988  err:
4989     EVP_CIPHER_CTX_free(ctx);
4990     EVP_CIPHER_CTX_free(ctx2);
4991     ENGINE_finish(e);
4992     ENGINE_free(e);
4993 
4994     return testresult;
4995 }
4996 # endif /* OPENSSL_NO_DYNAMIC_ENGINE */
4997 #endif /* OPENSSL_NO_DEPRECATED_3_0 */
4998 
4999 static int ecxnids[] = {
5000     NID_X25519,
5001     NID_X448,
5002     NID_ED25519,
5003     NID_ED448
5004 };
5005 
5006 /* Test that creating ECX keys with a short private key fails as expected */
5007 static int test_ecx_short_keys(int tst)
5008 {
5009     unsigned char ecxkeydata = 1;
5010     EVP_PKEY *pkey;
5011 
5012 
5013     pkey = EVP_PKEY_new_raw_private_key_ex(testctx, OBJ_nid2sn(ecxnids[tst]),
5014                                            NULL, &ecxkeydata, 1);
5015     if (!TEST_ptr_null(pkey)) {
5016         EVP_PKEY_free(pkey);
5017         return 0;
5018     }
5019 
5020     return 1;
5021 }
5022 
5023 typedef enum OPTION_choice {
5024     OPT_ERR = -1,
5025     OPT_EOF = 0,
5026     OPT_CONTEXT,
5027     OPT_TEST_ENUM
5028 } OPTION_CHOICE;
5029 
5030 const OPTIONS *test_get_options(void)
5031 {
5032     static const OPTIONS options[] = {
5033         OPT_TEST_OPTIONS_DEFAULT_USAGE,
5034         { "context", OPT_CONTEXT, '-', "Explicitly use a non-default library context" },
5035         { NULL }
5036     };
5037     return options;
5038 }
5039 
5040 #ifndef OPENSSL_NO_EC
5041 /* Test that trying to sign with a public key errors out gracefully */
5042 static int test_ecx_not_private_key(int tst)
5043 {
5044     EVP_PKEY *pkey = NULL;
5045 
5046     const unsigned char msg[] = { 0x00, 0x01, 0x02, 0x03 };
5047     int testresult = 0;
5048     EVP_MD_CTX *ctx = NULL;
5049     unsigned char *mac = NULL;
5050     size_t maclen = 0;
5051     unsigned char *pubkey;
5052     size_t pubkeylen;
5053 
5054     switch (keys[tst].type) {
5055     case NID_X25519:
5056     case NID_X448:
5057         return TEST_skip("signing not supported for X25519/X448");
5058     }
5059 
5060     /* Check if this algorithm supports public keys */
5061     if (keys[tst].pub == NULL)
5062         return TEST_skip("no public key present");
5063 
5064     pubkey = (unsigned char *)keys[tst].pub;
5065     pubkeylen = strlen(keys[tst].pub);
5066 
5067     pkey = EVP_PKEY_new_raw_public_key_ex(testctx, OBJ_nid2sn(keys[tst].type),
5068                                           NULL, pubkey, pubkeylen);
5069     if (!TEST_ptr(pkey))
5070         goto err;
5071 
5072     if (!TEST_ptr(ctx = EVP_MD_CTX_new()))
5073         goto err;
5074 
5075     if (EVP_DigestSignInit(ctx, NULL, NULL, NULL, pkey) != 1)
5076         goto check_err;
5077 
5078     if (EVP_DigestSign(ctx, NULL, &maclen, msg, sizeof(msg)) != 1)
5079         goto check_err;
5080 
5081     if (!TEST_ptr(mac = OPENSSL_malloc(maclen)))
5082         goto err;
5083 
5084     if (!TEST_int_eq(EVP_DigestSign(ctx, mac, &maclen, msg, sizeof(msg)), 0))
5085         goto err;
5086 
5087  check_err:
5088     /*
5089      * Currently only EVP_DigestSign will throw PROV_R_NOT_A_PRIVATE_KEY,
5090      * but we relax the check to allow error also thrown by
5091      * EVP_DigestSignInit and EVP_DigestSign.
5092      */
5093     if (ERR_GET_REASON(ERR_peek_error()) == PROV_R_NOT_A_PRIVATE_KEY) {
5094         testresult = 1;
5095         ERR_clear_error();
5096     }
5097 
5098  err:
5099     EVP_MD_CTX_free(ctx);
5100     OPENSSL_free(mac);
5101     EVP_PKEY_free(pkey);
5102 
5103     return testresult;
5104 }
5105 #endif /* OPENSSL_NO_EC */
5106 
5107 static int aes_gcm_encrypt(const unsigned char *gcm_key, size_t gcm_key_s,
5108                            const unsigned char *gcm_iv, size_t gcm_ivlen,
5109                            const unsigned char *gcm_pt, size_t gcm_pt_s,
5110                            const unsigned char *gcm_aad, size_t gcm_aad_s,
5111                            const unsigned char *gcm_ct, size_t gcm_ct_s,
5112                            const unsigned char *gcm_tag, size_t gcm_tag_s)
5113 {
5114     int ret = 0;
5115     EVP_CIPHER_CTX *ctx;
5116     EVP_CIPHER *cipher = NULL;
5117     int outlen, tmplen;
5118     unsigned char outbuf[1024];
5119     unsigned char outtag[16];
5120     OSSL_PARAM params[2] = {
5121         OSSL_PARAM_END, OSSL_PARAM_END
5122     };
5123 
5124     if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new())
5125             || !TEST_ptr(cipher = EVP_CIPHER_fetch(testctx, "AES-256-GCM", "")))
5126         goto err;
5127 
5128     params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_AEAD_IVLEN,
5129                                             &gcm_ivlen);
5130 
5131     if (!TEST_true(EVP_EncryptInit_ex2(ctx, cipher, gcm_key, gcm_iv, params))
5132             || (gcm_aad != NULL
5133                 && !TEST_true(EVP_EncryptUpdate(ctx, NULL, &outlen,
5134                                                 gcm_aad, gcm_aad_s)))
5135             || !TEST_true(EVP_EncryptUpdate(ctx, outbuf, &outlen,
5136                                             gcm_pt, gcm_pt_s))
5137             || !TEST_true(EVP_EncryptFinal_ex(ctx, outbuf, &tmplen)))
5138         goto err;
5139 
5140     params[0] = OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG,
5141                                                   outtag, sizeof(outtag));
5142 
5143     if (!TEST_true(EVP_CIPHER_CTX_get_params(ctx, params))
5144             || !TEST_mem_eq(outbuf, outlen, gcm_ct, gcm_ct_s)
5145             || !TEST_mem_eq(outtag, gcm_tag_s, gcm_tag, gcm_tag_s))
5146         goto err;
5147 
5148     ret = 1;
5149 err:
5150     EVP_CIPHER_free(cipher);
5151     EVP_CIPHER_CTX_free(ctx);
5152 
5153     return ret;
5154 }
5155 
5156 static int aes_gcm_decrypt(const unsigned char *gcm_key, size_t gcm_key_s,
5157                            const unsigned char *gcm_iv, size_t gcm_ivlen,
5158                            const unsigned char *gcm_pt, size_t gcm_pt_s,
5159                            const unsigned char *gcm_aad, size_t gcm_aad_s,
5160                            const unsigned char *gcm_ct, size_t gcm_ct_s,
5161                            const unsigned char *gcm_tag, size_t gcm_tag_s)
5162 {
5163     int ret = 0;
5164     EVP_CIPHER_CTX *ctx;
5165     EVP_CIPHER *cipher = NULL;
5166     int outlen;
5167     unsigned char outbuf[1024];
5168     OSSL_PARAM params[2] = {
5169         OSSL_PARAM_END, OSSL_PARAM_END
5170     };
5171 
5172     if ((ctx = EVP_CIPHER_CTX_new()) == NULL)
5173         goto err;
5174 
5175     if ((cipher = EVP_CIPHER_fetch(testctx, "AES-256-GCM", "")) == NULL)
5176         goto err;
5177 
5178     params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_AEAD_IVLEN,
5179                                             &gcm_ivlen);
5180 
5181     if (!TEST_true(EVP_DecryptInit_ex2(ctx, cipher, gcm_key, gcm_iv, params))
5182             || (gcm_aad != NULL
5183                 && !TEST_true(EVP_DecryptUpdate(ctx, NULL, &outlen,
5184                                                 gcm_aad, gcm_aad_s)))
5185             || !TEST_true(EVP_DecryptUpdate(ctx, outbuf, &outlen,
5186                                             gcm_ct, gcm_ct_s))
5187             || !TEST_mem_eq(outbuf, outlen, gcm_pt, gcm_pt_s))
5188         goto err;
5189 
5190     params[0] = OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG,
5191                                                   (void*)gcm_tag, gcm_tag_s);
5192 
5193     if (!TEST_true(EVP_CIPHER_CTX_set_params(ctx, params))
5194             ||!TEST_true(EVP_DecryptFinal_ex(ctx, outbuf, &outlen)))
5195         goto err;
5196 
5197     ret = 1;
5198 err:
5199     EVP_CIPHER_free(cipher);
5200     EVP_CIPHER_CTX_free(ctx);
5201 
5202     return ret;
5203 }
5204 
5205 static int test_aes_gcm_ivlen_change_cve_2023_5363(void)
5206 {
5207     /* AES-GCM test data obtained from NIST public test vectors */
5208     static const unsigned char gcm_key[] = {
5209         0xd0, 0xc2, 0x67, 0xc1, 0x9f, 0x30, 0xd8, 0x0b, 0x89, 0x14, 0xbb, 0xbf,
5210         0xb7, 0x2f, 0x73, 0xb8, 0xd3, 0xcd, 0x5f, 0x6a, 0x78, 0x70, 0x15, 0x84,
5211         0x8a, 0x7b, 0x30, 0xe3, 0x8f, 0x16, 0xf1, 0x8b,
5212     };
5213     static const unsigned char gcm_iv[] = {
5214         0xb6, 0xdc, 0xda, 0x95, 0xac, 0x99, 0x77, 0x76, 0x25, 0xae, 0x87, 0xf8,
5215         0xa3, 0xa9, 0xdd, 0x64, 0xd7, 0x9b, 0xbd, 0x5f, 0x4a, 0x0e, 0x54, 0xca,
5216         0x1a, 0x9f, 0xa2, 0xe3, 0xf4, 0x5f, 0x5f, 0xc2, 0xce, 0xa7, 0xb6, 0x14,
5217         0x12, 0x6f, 0xf0, 0xaf, 0xfd, 0x3e, 0x17, 0x35, 0x6e, 0xa0, 0x16, 0x09,
5218         0xdd, 0xa1, 0x3f, 0xd8, 0xdd, 0xf3, 0xdf, 0x4f, 0xcb, 0x18, 0x49, 0xb8,
5219         0xb3, 0x69, 0x2c, 0x5d, 0x4f, 0xad, 0x30, 0x91, 0x08, 0xbc, 0xbe, 0x24,
5220         0x01, 0x0f, 0xbe, 0x9c, 0xfb, 0x4f, 0x5d, 0x19, 0x7f, 0x4c, 0x53, 0xb0,
5221         0x95, 0x90, 0xac, 0x7b, 0x1f, 0x7b, 0xa0, 0x99, 0xe1, 0xf3, 0x48, 0x54,
5222         0xd0, 0xfc, 0xa9, 0xcc, 0x91, 0xf8, 0x1f, 0x9b, 0x6c, 0x9a, 0xe0, 0xdc,
5223         0x63, 0xea, 0x7d, 0x2a, 0x4a, 0x7d, 0xa5, 0xed, 0x68, 0x57, 0x27, 0x6b,
5224         0x68, 0xe0, 0xf2, 0xb8, 0x51, 0x50, 0x8d, 0x3d,
5225     };
5226     static const unsigned char gcm_pt[] = {
5227         0xb8, 0xb6, 0x88, 0x36, 0x44, 0xe2, 0x34, 0xdf, 0x24, 0x32, 0x91, 0x07,
5228         0x4f, 0xe3, 0x6f, 0x81,
5229     };
5230     static const unsigned char gcm_ct[] = {
5231         0xff, 0x4f, 0xb3, 0xf3, 0xf9, 0xa2, 0x51, 0xd4, 0x82, 0xc2, 0xbe, 0xf3,
5232         0xe2, 0xd0, 0xec, 0xed,
5233     };
5234     static const unsigned char gcm_tag[] = {
5235         0xbd, 0x06, 0x38, 0x09, 0xf7, 0xe1, 0xc4, 0x72, 0x0e, 0xf2, 0xea, 0x63,
5236         0xdb, 0x99, 0x6c, 0x21,
5237     };
5238 
5239     return aes_gcm_encrypt(gcm_key, sizeof(gcm_key), gcm_iv, sizeof(gcm_iv),
5240                            gcm_pt, sizeof(gcm_pt), NULL, 0,
5241                            gcm_ct, sizeof(gcm_ct), gcm_tag, sizeof(gcm_tag))
5242         && aes_gcm_decrypt(gcm_key, sizeof(gcm_key), gcm_iv, sizeof(gcm_iv),
5243                            gcm_pt, sizeof(gcm_pt), NULL, 0,
5244                            gcm_ct, sizeof(gcm_ct), gcm_tag, sizeof(gcm_tag));
5245 }
5246 
5247 #ifndef OPENSSL_NO_RC4
5248 static int rc4_encrypt(const unsigned char *rc4_key, size_t rc4_key_s,
5249                        const unsigned char *rc4_pt, size_t rc4_pt_s,
5250                        const unsigned char *rc4_ct, size_t rc4_ct_s)
5251 {
5252     int ret = 0;
5253     EVP_CIPHER_CTX *ctx;
5254     EVP_CIPHER *cipher = NULL;
5255     int outlen, tmplen;
5256     unsigned char outbuf[1024];
5257     OSSL_PARAM params[2] = {
5258         OSSL_PARAM_END, OSSL_PARAM_END
5259     };
5260 
5261     if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new())
5262             || !TEST_ptr(cipher = EVP_CIPHER_fetch(testctx, "RC4", "")))
5263         goto err;
5264 
5265     params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_KEYLEN,
5266                                             &rc4_key_s);
5267 
5268     if (!TEST_true(EVP_EncryptInit_ex2(ctx, cipher, rc4_key, NULL, params))
5269             || !TEST_true(EVP_EncryptUpdate(ctx, outbuf, &outlen,
5270                                             rc4_pt, rc4_pt_s))
5271             || !TEST_true(EVP_EncryptFinal_ex(ctx, outbuf, &tmplen)))
5272         goto err;
5273 
5274     if (!TEST_mem_eq(outbuf, outlen, rc4_ct, rc4_ct_s))
5275         goto err;
5276 
5277     ret = 1;
5278 err:
5279     EVP_CIPHER_free(cipher);
5280     EVP_CIPHER_CTX_free(ctx);
5281 
5282     return ret;
5283 }
5284 
5285 static int rc4_decrypt(const unsigned char *rc4_key, size_t rc4_key_s,
5286                        const unsigned char *rc4_pt, size_t rc4_pt_s,
5287                        const unsigned char *rc4_ct, size_t rc4_ct_s)
5288 {
5289     int ret = 0;
5290     EVP_CIPHER_CTX *ctx;
5291     EVP_CIPHER *cipher = NULL;
5292     int outlen;
5293     unsigned char outbuf[1024];
5294     OSSL_PARAM params[2] = {
5295         OSSL_PARAM_END, OSSL_PARAM_END
5296     };
5297 
5298     if ((ctx = EVP_CIPHER_CTX_new()) == NULL)
5299         goto err;
5300 
5301     if ((cipher = EVP_CIPHER_fetch(testctx, "RC4", "")) == NULL)
5302         goto err;
5303 
5304     params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_KEYLEN,
5305                                             &rc4_key_s);
5306 
5307     if (!TEST_true(EVP_DecryptInit_ex2(ctx, cipher, rc4_key, NULL, params))
5308             || !TEST_true(EVP_DecryptUpdate(ctx, outbuf, &outlen,
5309                                             rc4_ct, rc4_ct_s))
5310             || !TEST_mem_eq(outbuf, outlen, rc4_pt, rc4_pt_s))
5311         goto err;
5312 
5313     ret = 1;
5314 err:
5315     EVP_CIPHER_free(cipher);
5316     EVP_CIPHER_CTX_free(ctx);
5317 
5318     return ret;
5319 }
5320 
5321 static int test_aes_rc4_keylen_change_cve_2023_5363(void)
5322 {
5323     /* RC4 test data obtained from RFC 6229 */
5324     static const struct {
5325         unsigned char key[5];
5326         unsigned char padding[11];
5327     } rc4_key = {
5328         {   /* Five bytes of key material */
5329             0x83, 0x32, 0x22, 0x77, 0x2a,
5330         },
5331         {   /* Random padding to 16 bytes */
5332             0x80, 0xad, 0x97, 0xbd, 0xc9, 0x73, 0xdf, 0x8a, 0xaa, 0x32, 0x91
5333         }
5334     };
5335     static const unsigned char rc4_pt[] = {
5336         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5337         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
5338     };
5339     static const unsigned char rc4_ct[] = {
5340         0x80, 0xad, 0x97, 0xbd, 0xc9, 0x73, 0xdf, 0x8a,
5341         0x2e, 0x87, 0x9e, 0x92, 0xa4, 0x97, 0xef, 0xda
5342     };
5343 
5344     if (lgcyprov == NULL)
5345         return TEST_skip("Test requires legacy provider to be loaded");
5346 
5347     return rc4_encrypt(rc4_key.key, sizeof(rc4_key.key),
5348                        rc4_pt, sizeof(rc4_pt), rc4_ct, sizeof(rc4_ct))
5349         && rc4_decrypt(rc4_key.key, sizeof(rc4_key.key),
5350                        rc4_pt, sizeof(rc4_pt), rc4_ct, sizeof(rc4_ct));
5351 }
5352 #endif
5353 
5354 int setup_tests(void)
5355 {
5356     OPTION_CHOICE o;
5357 
5358     while ((o = opt_next()) != OPT_EOF) {
5359         switch (o) {
5360         case OPT_CONTEXT:
5361             /* Set up an alternate library context */
5362             testctx = OSSL_LIB_CTX_new();
5363             if (!TEST_ptr(testctx))
5364                 return 0;
5365 #ifdef STATIC_LEGACY
5366 	    /*
5367 	     * This test is always statically linked against libcrypto. We must not
5368 	     * attempt to load legacy.so that might be dynamically linked against
5369 	     * libcrypto. Instead we use a built-in version of the legacy provider.
5370 	     */
5371 	    if (!OSSL_PROVIDER_add_builtin(testctx, "legacy", ossl_legacy_provider_init))
5372 		return 0;
5373 #endif
5374             /* Swap the libctx to test non-default context only */
5375             nullprov = OSSL_PROVIDER_load(NULL, "null");
5376             deflprov = OSSL_PROVIDER_load(testctx, "default");
5377             lgcyprov = OSSL_PROVIDER_load(testctx, "legacy");
5378             break;
5379         case OPT_TEST_CASES:
5380             break;
5381         default:
5382             return 0;
5383         }
5384     }
5385 
5386     ADD_TEST(test_EVP_set_default_properties);
5387     ADD_ALL_TESTS(test_EVP_DigestSignInit, 30);
5388     ADD_TEST(test_EVP_DigestVerifyInit);
5389 #ifndef OPENSSL_NO_SIPHASH
5390     ADD_TEST(test_siphash_digestsign);
5391 #endif
5392     ADD_TEST(test_EVP_Digest);
5393     ADD_TEST(test_EVP_md_null);
5394     ADD_ALL_TESTS(test_EVP_PKEY_sign, 3);
5395 #ifndef OPENSSL_NO_DEPRECATED_3_0
5396     ADD_ALL_TESTS(test_EVP_PKEY_sign_with_app_method, 2);
5397 #endif
5398     ADD_ALL_TESTS(test_EVP_Enveloped, 2);
5399     ADD_ALL_TESTS(test_d2i_AutoPrivateKey, OSSL_NELEM(keydata));
5400     ADD_TEST(test_privatekey_to_pkcs8);
5401     ADD_TEST(test_EVP_PKCS82PKEY_wrong_tag);
5402 #ifndef OPENSSL_NO_EC
5403     ADD_TEST(test_EVP_PKCS82PKEY);
5404 #endif
5405 #ifndef OPENSSL_NO_EC
5406     ADD_ALL_TESTS(test_EC_keygen_with_enc, OSSL_NELEM(ec_encodings));
5407 #endif
5408 #if !defined(OPENSSL_NO_SM2)
5409     ADD_TEST(test_EVP_SM2);
5410     ADD_TEST(test_EVP_SM2_verify);
5411 #endif
5412     ADD_ALL_TESTS(test_set_get_raw_keys, OSSL_NELEM(keys));
5413 #ifndef OPENSSL_NO_DEPRECATED_3_0
5414     custom_pmeth = EVP_PKEY_meth_new(0xdefaced, 0);
5415     if (!TEST_ptr(custom_pmeth))
5416         return 0;
5417     EVP_PKEY_meth_set_check(custom_pmeth, pkey_custom_check);
5418     EVP_PKEY_meth_set_public_check(custom_pmeth, pkey_custom_pub_check);
5419     EVP_PKEY_meth_set_param_check(custom_pmeth, pkey_custom_param_check);
5420     if (!TEST_int_eq(EVP_PKEY_meth_add0(custom_pmeth), 1))
5421         return 0;
5422 #endif
5423     ADD_ALL_TESTS(test_EVP_PKEY_check, OSSL_NELEM(keycheckdata));
5424 #ifndef OPENSSL_NO_CMAC
5425     ADD_TEST(test_CMAC_keygen);
5426 #endif
5427     ADD_TEST(test_HKDF);
5428     ADD_TEST(test_emptyikm_HKDF);
5429     ADD_TEST(test_empty_salt_info_HKDF);
5430 #ifndef OPENSSL_NO_EC
5431     ADD_TEST(test_X509_PUBKEY_inplace);
5432     ADD_TEST(test_X509_PUBKEY_dup);
5433     ADD_ALL_TESTS(test_invalide_ec_char2_pub_range_decode,
5434                   OSSL_NELEM(ec_der_pub_keys));
5435 #endif
5436 #ifndef OPENSSL_NO_DSA
5437     ADD_TEST(test_DSA_get_set_params);
5438     ADD_TEST(test_DSA_priv_pub);
5439 #endif
5440     ADD_TEST(test_RSA_get_set_params);
5441     ADD_TEST(test_RSA_OAEP_set_get_params);
5442     ADD_TEST(test_RSA_OAEP_set_null_label);
5443 #if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
5444     ADD_TEST(test_decrypt_null_chunks);
5445 #endif
5446 #ifndef OPENSSL_NO_DH
5447     ADD_TEST(test_DH_priv_pub);
5448 # ifndef OPENSSL_NO_DEPRECATED_3_0
5449     ADD_TEST(test_EVP_PKEY_set1_DH);
5450 # endif
5451 #endif
5452 #ifndef OPENSSL_NO_EC
5453     ADD_TEST(test_EC_priv_pub);
5454 # ifndef OPENSSL_NO_DEPRECATED_3_0
5455     ADD_TEST(test_EC_priv_only_legacy);
5456 # endif
5457 #endif
5458     ADD_ALL_TESTS(test_keygen_with_empty_template, 2);
5459     ADD_ALL_TESTS(test_pkey_ctx_fail_without_provider, 2);
5460 
5461     ADD_TEST(test_rand_agglomeration);
5462     ADD_ALL_TESTS(test_evp_iv_aes, 12);
5463 #ifndef OPENSSL_NO_DES
5464     ADD_ALL_TESTS(test_evp_iv_des, 6);
5465 #endif
5466 #ifndef OPENSSL_NO_BF
5467     ADD_ALL_TESTS(test_evp_bf_default_keylen, 4);
5468 #endif
5469     ADD_TEST(test_EVP_rsa_pss_with_keygen_bits);
5470     ADD_TEST(test_EVP_rsa_pss_set_saltlen);
5471 #ifndef OPENSSL_NO_EC
5472     ADD_ALL_TESTS(test_ecpub, OSSL_NELEM(ecpub_nids));
5473 #endif
5474 
5475     ADD_TEST(test_names_do_all);
5476 
5477     ADD_ALL_TESTS(test_evp_init_seq, OSSL_NELEM(evp_init_tests));
5478     ADD_ALL_TESTS(test_evp_reset, OSSL_NELEM(evp_reset_tests));
5479     ADD_ALL_TESTS(test_evp_reinit_seq, OSSL_NELEM(evp_reinit_tests));
5480     ADD_ALL_TESTS(test_gcm_reinit, OSSL_NELEM(gcm_reinit_tests));
5481     ADD_ALL_TESTS(test_evp_updated_iv, OSSL_NELEM(evp_updated_iv_tests));
5482     ADD_ALL_TESTS(test_ivlen_change, OSSL_NELEM(ivlen_change_ciphers));
5483     if (OSSL_NELEM(keylen_change_ciphers) - 1 > 0)
5484         ADD_ALL_TESTS(test_keylen_change, OSSL_NELEM(keylen_change_ciphers) - 1);
5485 
5486 #ifndef OPENSSL_NO_DEPRECATED_3_0
5487     ADD_ALL_TESTS(test_custom_pmeth, 12);
5488     ADD_TEST(test_evp_md_cipher_meth);
5489     ADD_TEST(test_custom_md_meth);
5490     ADD_TEST(test_custom_ciph_meth);
5491 
5492 # ifndef OPENSSL_NO_DYNAMIC_ENGINE
5493     /* Tests only support the default libctx */
5494     if (testctx == NULL) {
5495 #  ifndef OPENSSL_NO_EC
5496         ADD_ALL_TESTS(test_signatures_with_engine, 3);
5497 #  else
5498         ADD_ALL_TESTS(test_signatures_with_engine, 2);
5499 #  endif
5500         ADD_TEST(test_cipher_with_engine);
5501     }
5502 # endif
5503 #endif
5504 
5505     ADD_ALL_TESTS(test_ecx_short_keys, OSSL_NELEM(ecxnids));
5506 
5507 #ifndef OPENSSL_NO_EC
5508     ADD_ALL_TESTS(test_ecx_not_private_key, OSSL_NELEM(keys));
5509 #endif
5510 
5511     /* Test cases for CVE-2023-5363 */
5512     ADD_TEST(test_aes_gcm_ivlen_change_cve_2023_5363);
5513 #ifndef OPENSSL_NO_RC4
5514     ADD_TEST(test_aes_rc4_keylen_change_cve_2023_5363);
5515 #endif
5516 
5517     return 1;
5518 }
5519 
5520 void cleanup_tests(void)
5521 {
5522     OSSL_PROVIDER_unload(nullprov);
5523     OSSL_PROVIDER_unload(deflprov);
5524     OSSL_PROVIDER_unload(lgcyprov);
5525     OSSL_LIB_CTX_free(testctx);
5526 }
5527