xref: /freebsd/crypto/openssl/test/evp_extra_test.c (revision c57c26179033f64c2011a2d2a904ee3fa62e826a)
1 /*
2  * Copyright 2015-2024 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 /* We need to use some deprecated APIs */
11 #define OPENSSL_SUPPRESS_DEPRECATED
12 
13 #include <stdio.h>
14 #include <stdlib.h>
15 #include <string.h>
16 #include <openssl/bio.h>
17 #include <openssl/conf.h>
18 #include <openssl/crypto.h>
19 #include <openssl/err.h>
20 #include <openssl/evp.h>
21 #include <openssl/x509.h>
22 #include <openssl/pem.h>
23 #include <openssl/kdf.h>
24 #include <openssl/provider.h>
25 #include <openssl/core_names.h>
26 #include <openssl/params.h>
27 #include <openssl/param_build.h>
28 #include <openssl/dsa.h>
29 #include <openssl/dh.h>
30 #include <openssl/aes.h>
31 #include <openssl/decoder.h>
32 #include <openssl/rsa.h>
33 #include <openssl/engine.h>
34 #include <openssl/proverr.h>
35 #include "testutil.h"
36 #include "internal/nelem.h"
37 #include "internal/sizes.h"
38 #include "crypto/evp.h"
39 
40 #ifdef STATIC_LEGACY
41 OSSL_provider_init_fn ossl_legacy_provider_init;
42 #endif
43 
44 static OSSL_LIB_CTX *testctx = NULL;
45 static char *testpropq = NULL;
46 
47 static OSSL_PROVIDER *nullprov = NULL;
48 static OSSL_PROVIDER *deflprov = NULL;
49 static OSSL_PROVIDER *lgcyprov = NULL;
50 
51 /*
52  * kExampleRSAKeyDER is an RSA private key in ASN.1, DER format. Of course, you
53  * should never use this key anywhere but in an example.
54  */
55 static const unsigned char kExampleRSAKeyDER[] = {
56     0x30, 0x82, 0x02, 0x5c, 0x02, 0x01, 0x00, 0x02, 0x81, 0x81, 0x00, 0xf8,
57     0xb8, 0x6c, 0x83, 0xb4, 0xbc, 0xd9, 0xa8, 0x57, 0xc0, 0xa5, 0xb4, 0x59,
58     0x76, 0x8c, 0x54, 0x1d, 0x79, 0xeb, 0x22, 0x52, 0x04, 0x7e, 0xd3, 0x37,
59     0xeb, 0x41, 0xfd, 0x83, 0xf9, 0xf0, 0xa6, 0x85, 0x15, 0x34, 0x75, 0x71,
60     0x5a, 0x84, 0xa8, 0x3c, 0xd2, 0xef, 0x5a, 0x4e, 0xd3, 0xde, 0x97, 0x8a,
61     0xdd, 0xff, 0xbb, 0xcf, 0x0a, 0xaa, 0x86, 0x92, 0xbe, 0xb8, 0x50, 0xe4,
62     0xcd, 0x6f, 0x80, 0x33, 0x30, 0x76, 0x13, 0x8f, 0xca, 0x7b, 0xdc, 0xec,
63     0x5a, 0xca, 0x63, 0xc7, 0x03, 0x25, 0xef, 0xa8, 0x8a, 0x83, 0x58, 0x76,
64     0x20, 0xfa, 0x16, 0x77, 0xd7, 0x79, 0x92, 0x63, 0x01, 0x48, 0x1a, 0xd8,
65     0x7b, 0x67, 0xf1, 0x52, 0x55, 0x49, 0x4e, 0xd6, 0x6e, 0x4a, 0x5c, 0xd7,
66     0x7a, 0x37, 0x36, 0x0c, 0xde, 0xdd, 0x8f, 0x44, 0xe8, 0xc2, 0xa7, 0x2c,
67     0x2b, 0xb5, 0xaf, 0x64, 0x4b, 0x61, 0x07, 0x02, 0x03, 0x01, 0x00, 0x01,
68     0x02, 0x81, 0x80, 0x74, 0x88, 0x64, 0x3f, 0x69, 0x45, 0x3a, 0x6d, 0xc7,
69     0x7f, 0xb9, 0xa3, 0xc0, 0x6e, 0xec, 0xdc, 0xd4, 0x5a, 0xb5, 0x32, 0x85,
70     0x5f, 0x19, 0xd4, 0xf8, 0xd4, 0x3f, 0x3c, 0xfa, 0xc2, 0xf6, 0x5f, 0xee,
71     0xe6, 0xba, 0x87, 0x74, 0x2e, 0xc7, 0x0c, 0xd4, 0x42, 0xb8, 0x66, 0x85,
72     0x9c, 0x7b, 0x24, 0x61, 0xaa, 0x16, 0x11, 0xf6, 0xb5, 0xb6, 0xa4, 0x0a,
73     0xc9, 0x55, 0x2e, 0x81, 0xa5, 0x47, 0x61, 0xcb, 0x25, 0x8f, 0xc2, 0x15,
74     0x7b, 0x0e, 0x7c, 0x36, 0x9f, 0x3a, 0xda, 0x58, 0x86, 0x1c, 0x5b, 0x83,
75     0x79, 0xe6, 0x2b, 0xcc, 0xe6, 0xfa, 0x2c, 0x61, 0xf2, 0x78, 0x80, 0x1b,
76     0xe2, 0xf3, 0x9d, 0x39, 0x2b, 0x65, 0x57, 0x91, 0x3d, 0x71, 0x99, 0x73,
77     0xa5, 0xc2, 0x79, 0x20, 0x8c, 0x07, 0x4f, 0xe5, 0xb4, 0x60, 0x1f, 0x99,
78     0xa2, 0xb1, 0x4f, 0x0c, 0xef, 0xbc, 0x59, 0x53, 0x00, 0x7d, 0xb1, 0x02,
79     0x41, 0x00, 0xfc, 0x7e, 0x23, 0x65, 0x70, 0xf8, 0xce, 0xd3, 0x40, 0x41,
80     0x80, 0x6a, 0x1d, 0x01, 0xd6, 0x01, 0xff, 0xb6, 0x1b, 0x3d, 0x3d, 0x59,
81     0x09, 0x33, 0x79, 0xc0, 0x4f, 0xde, 0x96, 0x27, 0x4b, 0x18, 0xc6, 0xd9,
82     0x78, 0xf1, 0xf4, 0x35, 0x46, 0xe9, 0x7c, 0x42, 0x7a, 0x5d, 0x9f, 0xef,
83     0x54, 0xb8, 0xf7, 0x9f, 0xc4, 0x33, 0x6c, 0xf3, 0x8c, 0x32, 0x46, 0x87,
84     0x67, 0x30, 0x7b, 0xa7, 0xac, 0xe3, 0x02, 0x41, 0x00, 0xfc, 0x2c, 0xdf,
85     0x0c, 0x0d, 0x88, 0xf5, 0xb1, 0x92, 0xa8, 0x93, 0x47, 0x63, 0x55, 0xf5,
86     0xca, 0x58, 0x43, 0xba, 0x1c, 0xe5, 0x9e, 0xb6, 0x95, 0x05, 0xcd, 0xb5,
87     0x82, 0xdf, 0xeb, 0x04, 0x53, 0x9d, 0xbd, 0xc2, 0x38, 0x16, 0xb3, 0x62,
88     0xdd, 0xa1, 0x46, 0xdb, 0x6d, 0x97, 0x93, 0x9f, 0x8a, 0xc3, 0x9b, 0x64,
89     0x7e, 0x42, 0xe3, 0x32, 0x57, 0x19, 0x1b, 0xd5, 0x6e, 0x85, 0xfa, 0xb8,
90     0x8d, 0x02, 0x41, 0x00, 0xbc, 0x3d, 0xde, 0x6d, 0xd6, 0x97, 0xe8, 0xba,
91     0x9e, 0x81, 0x37, 0x17, 0xe5, 0xa0, 0x64, 0xc9, 0x00, 0xb7, 0xe7, 0xfe,
92     0xf4, 0x29, 0xd9, 0x2e, 0x43, 0x6b, 0x19, 0x20, 0xbd, 0x99, 0x75, 0xe7,
93     0x76, 0xf8, 0xd3, 0xae, 0xaf, 0x7e, 0xb8, 0xeb, 0x81, 0xf4, 0x9d, 0xfe,
94     0x07, 0x2b, 0x0b, 0x63, 0x0b, 0x5a, 0x55, 0x90, 0x71, 0x7d, 0xf1, 0xdb,
95     0xd9, 0xb1, 0x41, 0x41, 0x68, 0x2f, 0x4e, 0x39, 0x02, 0x40, 0x5a, 0x34,
96     0x66, 0xd8, 0xf5, 0xe2, 0x7f, 0x18, 0xb5, 0x00, 0x6e, 0x26, 0x84, 0x27,
97     0x14, 0x93, 0xfb, 0xfc, 0xc6, 0x0f, 0x5e, 0x27, 0xe6, 0xe1, 0xe9, 0xc0,
98     0x8a, 0xe4, 0x34, 0xda, 0xe9, 0xa2, 0x4b, 0x73, 0xbc, 0x8c, 0xb9, 0xba,
99     0x13, 0x6c, 0x7a, 0x2b, 0x51, 0x84, 0xa3, 0x4a, 0xe0, 0x30, 0x10, 0x06,
100     0x7e, 0xed, 0x17, 0x5a, 0x14, 0x00, 0xc9, 0xef, 0x85, 0xea, 0x52, 0x2c,
101     0xbc, 0x65, 0x02, 0x40, 0x51, 0xe3, 0xf2, 0x83, 0x19, 0x9b, 0xc4, 0x1e,
102     0x2f, 0x50, 0x3d, 0xdf, 0x5a, 0xa2, 0x18, 0xca, 0x5f, 0x2e, 0x49, 0xaf,
103     0x6f, 0xcc, 0xfa, 0x65, 0x77, 0x94, 0xb5, 0xa1, 0x0a, 0xa9, 0xd1, 0x8a,
104     0x39, 0x37, 0xf4, 0x0b, 0xa0, 0xd7, 0x82, 0x27, 0x5e, 0xae, 0x17, 0x17,
105     0xa1, 0x1e, 0x54, 0x34, 0xbf, 0x6e, 0xc4, 0x8e, 0x99, 0x5d, 0x08, 0xf1,
106     0x2d, 0x86, 0x9d, 0xa5, 0x20, 0x1b, 0xe5, 0xdf,
107 };
108 
109 /*
110 * kExampleDSAKeyDER is a DSA private key in ASN.1, DER format. Of course, you
111  * should never use this key anywhere but in an example.
112  */
113 #ifndef OPENSSL_NO_DSA
114 static const unsigned char kExampleDSAKeyDER[] = {
115     0x30, 0x82, 0x01, 0xba, 0x02, 0x01, 0x00, 0x02, 0x81, 0x81, 0x00, 0x9a,
116     0x05, 0x6d, 0x33, 0xcd, 0x5d, 0x78, 0xa1, 0xbb, 0xcb, 0x7d, 0x5b, 0x8d,
117     0xb4, 0xcc, 0xbf, 0x03, 0x99, 0x64, 0xde, 0x38, 0x78, 0x06, 0x15, 0x2f,
118     0x86, 0x26, 0x77, 0xf3, 0xb1, 0x85, 0x00, 0xed, 0xfc, 0x28, 0x3a, 0x42,
119     0x4d, 0xab, 0xab, 0xdf, 0xbc, 0x9c, 0x16, 0xd0, 0x22, 0x50, 0xd1, 0x38,
120     0xdd, 0x3f, 0x64, 0x05, 0x9e, 0x68, 0x7a, 0x1e, 0xf1, 0x56, 0xbf, 0x1e,
121     0x2c, 0xc5, 0x97, 0x2a, 0xfe, 0x7a, 0x22, 0xdc, 0x6c, 0x68, 0xb8, 0x2e,
122     0x06, 0xdb, 0x41, 0xca, 0x98, 0xd8, 0x54, 0xc7, 0x64, 0x48, 0x24, 0x04,
123     0x20, 0xbc, 0x59, 0xe3, 0x6b, 0xea, 0x7e, 0xfc, 0x7e, 0xc5, 0x4e, 0xd4,
124     0xd8, 0x3a, 0xed, 0xcd, 0x5d, 0x99, 0xb8, 0x5c, 0xa2, 0x8b, 0xbb, 0x0b,
125     0xac, 0xe6, 0x8e, 0x25, 0x56, 0x22, 0x3a, 0x2d, 0x3a, 0x56, 0x41, 0x14,
126     0x1f, 0x1c, 0x8f, 0x53, 0x46, 0x13, 0x85, 0x02, 0x15, 0x00, 0x98, 0x7e,
127     0x92, 0x81, 0x88, 0xc7, 0x3f, 0x70, 0x49, 0x54, 0xf6, 0x76, 0xb4, 0xa3,
128     0x9e, 0x1d, 0x45, 0x98, 0x32, 0x7f, 0x02, 0x81, 0x80, 0x69, 0x4d, 0xef,
129     0x55, 0xff, 0x4d, 0x59, 0x2c, 0x01, 0xfa, 0x6a, 0x38, 0xe0, 0x70, 0x9f,
130     0x9e, 0x66, 0x8e, 0x3e, 0x8c, 0x52, 0x22, 0x9d, 0x15, 0x7e, 0x3c, 0xef,
131     0x4c, 0x7a, 0x61, 0x26, 0xe0, 0x2b, 0x81, 0x3f, 0xeb, 0xaf, 0x35, 0x38,
132     0x8d, 0xfe, 0xed, 0x46, 0xff, 0x5f, 0x03, 0x9b, 0x81, 0x92, 0xe7, 0x6f,
133     0x76, 0x4f, 0x1d, 0xd9, 0xbb, 0x89, 0xc9, 0x3e, 0xd9, 0x0b, 0xf9, 0xf4,
134     0x78, 0x11, 0x59, 0xc0, 0x1d, 0xcd, 0x0e, 0xa1, 0x6f, 0x15, 0xf1, 0x4d,
135     0xc1, 0xc9, 0x22, 0xed, 0x8d, 0xad, 0x67, 0xc5, 0x4b, 0x95, 0x93, 0x86,
136     0xa6, 0xaf, 0x8a, 0xee, 0x06, 0x89, 0x2f, 0x37, 0x7e, 0x64, 0xaa, 0xf6,
137     0xe7, 0xb1, 0x5a, 0x0a, 0x93, 0x95, 0x5d, 0x3e, 0x53, 0x9a, 0xde, 0x8a,
138     0xc2, 0x95, 0x45, 0x81, 0xbe, 0x5c, 0x2f, 0xc2, 0xb2, 0x92, 0x58, 0x19,
139     0x72, 0x80, 0xe9, 0x79, 0xa1, 0x02, 0x81, 0x80, 0x07, 0xd7, 0x62, 0xff,
140     0xdf, 0x1a, 0x3f, 0xed, 0x32, 0xd4, 0xd4, 0x88, 0x7b, 0x2c, 0x63, 0x7f,
141     0x97, 0xdc, 0x44, 0xd4, 0x84, 0xa2, 0xdd, 0x17, 0x16, 0x85, 0x13, 0xe0,
142     0xac, 0x51, 0x8d, 0x29, 0x1b, 0x75, 0x9a, 0xe4, 0xe3, 0x8a, 0x92, 0x69,
143     0x09, 0x03, 0xc5, 0x68, 0xae, 0x5e, 0x94, 0xfe, 0xc9, 0x92, 0x6c, 0x07,
144     0xb4, 0x1e, 0x64, 0x62, 0x87, 0xc6, 0xa4, 0xfd, 0x0d, 0x5f, 0xe5, 0xf9,
145     0x1b, 0x4f, 0x85, 0x5f, 0xae, 0xf3, 0x11, 0xe5, 0x18, 0xd4, 0x4d, 0x79,
146     0x9f, 0xc4, 0x79, 0x26, 0x04, 0x27, 0xf0, 0x0b, 0xee, 0x2b, 0x86, 0x9f,
147     0x86, 0x61, 0xe6, 0x51, 0xce, 0x04, 0x9b, 0x5d, 0x6b, 0x34, 0x43, 0x8c,
148     0x85, 0x3c, 0xf1, 0x51, 0x9b, 0x08, 0x23, 0x1b, 0xf5, 0x7e, 0x33, 0x12,
149     0xea, 0xab, 0x1f, 0xb7, 0x2d, 0xe2, 0x5f, 0xe6, 0x97, 0x99, 0xb5, 0x45,
150     0x16, 0x5b, 0xc3, 0x41, 0x02, 0x14, 0x61, 0xbf, 0x51, 0x60, 0xcf, 0xc8,
151     0xf1, 0x8c, 0x82, 0x97, 0xf2, 0xf4, 0x19, 0xba, 0x2b, 0xf3, 0x16, 0xbe,
152     0x40, 0x48
153 };
154 #endif
155 
156 /*
157  * kExampleBadRSAKeyDER is an RSA private key in ASN.1, DER format. The private
158  * components are not correct.
159  */
160 static const unsigned char kExampleBadRSAKeyDER[] = {
161     0x30, 0x82, 0x04, 0x27, 0x02, 0x01, 0x00, 0x02, 0x82, 0x01, 0x01, 0x00,
162     0xa6, 0x1a, 0x1e, 0x6e, 0x7b, 0xee, 0xc6, 0x89, 0x66, 0xe7, 0x93, 0xef,
163     0x54, 0x12, 0x68, 0xea, 0xbf, 0x86, 0x2f, 0xdd, 0xd2, 0x79, 0xb8, 0xa9,
164     0x6e, 0x03, 0xc2, 0xa3, 0xb9, 0xa3, 0xe1, 0x4b, 0x2a, 0xb3, 0xf8, 0xb4,
165     0xcd, 0xea, 0xbe, 0x24, 0xa6, 0x57, 0x5b, 0x83, 0x1f, 0x0f, 0xf2, 0xd3,
166     0xb7, 0xac, 0x7e, 0xd6, 0x8e, 0x6e, 0x1e, 0xbf, 0xb8, 0x73, 0x8c, 0x05,
167     0x56, 0xe6, 0x35, 0x1f, 0xe9, 0x04, 0x0b, 0x09, 0x86, 0x7d, 0xf1, 0x26,
168     0x08, 0x99, 0xad, 0x7b, 0xc8, 0x4d, 0x94, 0xb0, 0x0b, 0x8b, 0x38, 0xa0,
169     0x5c, 0x62, 0xa0, 0xab, 0xd3, 0x8f, 0xd4, 0x09, 0x60, 0x72, 0x1e, 0x33,
170     0x50, 0x80, 0x6e, 0x22, 0xa6, 0x77, 0x57, 0x6b, 0x9a, 0x33, 0x21, 0x66,
171     0x87, 0x6e, 0x21, 0x7b, 0xc7, 0x24, 0x0e, 0xd8, 0x13, 0xdf, 0x83, 0xde,
172     0xcd, 0x40, 0x58, 0x1d, 0x84, 0x86, 0xeb, 0xb8, 0x12, 0x4e, 0xd2, 0xfa,
173     0x80, 0x1f, 0xe4, 0xe7, 0x96, 0x29, 0xb8, 0xcc, 0xce, 0x66, 0x6d, 0x53,
174     0xca, 0xb9, 0x5a, 0xd7, 0xf6, 0x84, 0x6c, 0x2d, 0x9a, 0x1a, 0x14, 0x1c,
175     0x4e, 0x93, 0x39, 0xba, 0x74, 0xed, 0xed, 0x87, 0x87, 0x5e, 0x48, 0x75,
176     0x36, 0xf0, 0xbc, 0x34, 0xfb, 0x29, 0xf9, 0x9f, 0x96, 0x5b, 0x0b, 0xa7,
177     0x54, 0x30, 0x51, 0x29, 0x18, 0x5b, 0x7d, 0xac, 0x0f, 0xd6, 0x5f, 0x7c,
178     0xf8, 0x98, 0x8c, 0xd8, 0x86, 0x62, 0xb3, 0xdc, 0xff, 0x0f, 0xff, 0x7a,
179     0xaf, 0x5c, 0x4c, 0x61, 0x49, 0x2e, 0xc8, 0x95, 0x86, 0xc4, 0x0e, 0x87,
180     0xfc, 0x1d, 0xcf, 0x8b, 0x7c, 0x61, 0xf6, 0xd8, 0xd0, 0x69, 0xf6, 0xcd,
181     0x8a, 0x8c, 0xf6, 0x62, 0xa2, 0x56, 0xa9, 0xe3, 0xd1, 0xcf, 0x4d, 0xa0,
182     0xf6, 0x2d, 0x20, 0x0a, 0x04, 0xb7, 0xa2, 0xf7, 0xb5, 0x99, 0x47, 0x18,
183     0x56, 0x85, 0x87, 0xc7, 0x02, 0x03, 0x01, 0x00, 0x01, 0x02, 0x82, 0x01,
184     0x01, 0x00, 0x99, 0x41, 0x38, 0x1a, 0xd0, 0x96, 0x7a, 0xf0, 0x83, 0xd5,
185     0xdf, 0x94, 0xce, 0x89, 0x3d, 0xec, 0x7a, 0x52, 0x21, 0x10, 0x16, 0x06,
186     0xe0, 0xee, 0xd2, 0xe6, 0xfd, 0x4b, 0x7b, 0x19, 0x4d, 0xe1, 0xc0, 0xc0,
187     0xd5, 0x14, 0x5d, 0x79, 0xdd, 0x7e, 0x8b, 0x4b, 0xc6, 0xcf, 0xb0, 0x75,
188     0x52, 0xa3, 0x2d, 0xb1, 0x26, 0x46, 0x68, 0x9c, 0x0a, 0x1a, 0xf2, 0xe1,
189     0x09, 0xac, 0x53, 0x85, 0x8c, 0x36, 0xa9, 0x14, 0x65, 0xea, 0xa0, 0x00,
190     0xcb, 0xe3, 0x3f, 0xc4, 0x2b, 0x61, 0x2e, 0x6b, 0x06, 0x69, 0x77, 0xfd,
191     0x38, 0x7e, 0x1d, 0x3f, 0x92, 0xe7, 0x77, 0x08, 0x19, 0xa7, 0x9d, 0x29,
192     0x2d, 0xdc, 0x42, 0xc6, 0x7c, 0xd7, 0xd3, 0xa8, 0x01, 0x2c, 0xf2, 0xd5,
193     0x82, 0x57, 0xcb, 0x55, 0x3d, 0xe7, 0xaa, 0xd2, 0x06, 0x30, 0x30, 0x05,
194     0xe6, 0xf2, 0x47, 0x86, 0xba, 0xc6, 0x61, 0x64, 0xeb, 0x4f, 0x2a, 0x5e,
195     0x07, 0x29, 0xe0, 0x96, 0xb2, 0x43, 0xff, 0x5f, 0x1a, 0x54, 0x16, 0xcf,
196     0xb5, 0x56, 0x5c, 0xa0, 0x9b, 0x0c, 0xfd, 0xb3, 0xd2, 0xe3, 0x79, 0x1d,
197     0x21, 0xe2, 0xd6, 0x13, 0xc4, 0x74, 0xa6, 0xf5, 0x8e, 0x8e, 0x81, 0xbb,
198     0xb4, 0xad, 0x8a, 0xf0, 0x93, 0x0a, 0xd8, 0x0a, 0x42, 0x36, 0xbc, 0xe5,
199     0x26, 0x2a, 0x0d, 0x5d, 0x57, 0x13, 0xc5, 0x4e, 0x2f, 0x12, 0x0e, 0xef,
200     0xa7, 0x81, 0x1e, 0xc3, 0xa5, 0xdb, 0xc9, 0x24, 0xeb, 0x1a, 0xa1, 0xf9,
201     0xf6, 0xa1, 0x78, 0x98, 0x93, 0x77, 0x42, 0x45, 0x03, 0xe2, 0xc9, 0xa2,
202     0xfe, 0x2d, 0x77, 0xc8, 0xc6, 0xac, 0x9b, 0x98, 0x89, 0x6d, 0x9a, 0xe7,
203     0x61, 0x63, 0xb7, 0xf2, 0xec, 0xd6, 0xb1, 0xa1, 0x6e, 0x0a, 0x1a, 0xff,
204     0xfd, 0x43, 0x28, 0xc3, 0x0c, 0xdc, 0xf2, 0x47, 0x4f, 0x27, 0xaa, 0x99,
205     0x04, 0x8e, 0xac, 0xe8, 0x7c, 0x01, 0x02, 0x04, 0x12, 0x34, 0x56, 0x78,
206     0x02, 0x81, 0x81, 0x00, 0xca, 0x69, 0xe5, 0xbb, 0x3a, 0x90, 0x82, 0xcb,
207     0x82, 0x50, 0x2f, 0x29, 0xe2, 0x76, 0x6a, 0x57, 0x55, 0x45, 0x4e, 0x35,
208     0x18, 0x61, 0xe0, 0x12, 0x70, 0xc0, 0xab, 0xc7, 0x80, 0xa2, 0xd4, 0x46,
209     0x34, 0x03, 0xa0, 0x19, 0x26, 0x23, 0x9e, 0xef, 0x1a, 0xcb, 0x75, 0xd6,
210     0xba, 0x81, 0xf4, 0x7e, 0x52, 0xe5, 0x2a, 0xe8, 0xf1, 0x49, 0x6c, 0x0f,
211     0x1a, 0xa0, 0xf9, 0xc6, 0xe7, 0xec, 0x60, 0xe4, 0xcb, 0x2a, 0xb5, 0x56,
212     0xe9, 0x9c, 0xcd, 0x19, 0x75, 0x92, 0xb1, 0x66, 0xce, 0xc3, 0xd9, 0x3d,
213     0x11, 0xcb, 0xc4, 0x09, 0xce, 0x1e, 0x30, 0xba, 0x2f, 0x60, 0x60, 0x55,
214     0x8d, 0x02, 0xdc, 0x5d, 0xaf, 0xf7, 0x52, 0x31, 0x17, 0x07, 0x53, 0x20,
215     0x33, 0xad, 0x8c, 0xd5, 0x2f, 0x5a, 0xd0, 0x57, 0xd7, 0xd1, 0x80, 0xd6,
216     0x3a, 0x9b, 0x04, 0x4f, 0x35, 0xbf, 0xe7, 0xd5, 0xbc, 0x8f, 0xd4, 0x81,
217     0x02, 0x81, 0x81, 0x00, 0xc0, 0x9f, 0xf8, 0xcd, 0xf7, 0x3f, 0x26, 0x8a,
218     0x3d, 0x4d, 0x2b, 0x0c, 0x01, 0xd0, 0xa2, 0xb4, 0x18, 0xfe, 0xf7, 0x5e,
219     0x2f, 0x06, 0x13, 0xcd, 0x63, 0xaa, 0x12, 0xa9, 0x24, 0x86, 0xe3, 0xf3,
220     0x7b, 0xda, 0x1a, 0x3c, 0xb1, 0x38, 0x80, 0x80, 0xef, 0x64, 0x64, 0xa1,
221     0x9b, 0xfe, 0x76, 0x63, 0x8e, 0x83, 0xd2, 0xd9, 0xb9, 0x86, 0xb0, 0xe6,
222     0xa6, 0x0c, 0x7e, 0xa8, 0x84, 0x90, 0x98, 0x0c, 0x1e, 0xf3, 0x14, 0x77,
223     0xe0, 0x5f, 0x81, 0x08, 0x11, 0x8f, 0xa6, 0x23, 0xc4, 0xba, 0xc0, 0x8a,
224     0xe4, 0xc6, 0xe3, 0x5c, 0xbe, 0xc5, 0xec, 0x2c, 0xb9, 0xd8, 0x8c, 0x4d,
225     0x1a, 0x9d, 0xe7, 0x7c, 0x85, 0x4c, 0x0d, 0x71, 0x4e, 0x72, 0x33, 0x1b,
226     0xfe, 0xa9, 0x17, 0x72, 0x76, 0x56, 0x9d, 0x74, 0x7e, 0x52, 0x67, 0x9a,
227     0x87, 0x9a, 0xdb, 0x30, 0xde, 0xe4, 0x49, 0x28, 0x3b, 0xd2, 0x67, 0xaf,
228     0x02, 0x81, 0x81, 0x00, 0x89, 0x74, 0x9a, 0x8e, 0xa7, 0xb9, 0xa5, 0x28,
229     0xc0, 0x68, 0xe5, 0x6e, 0x63, 0x1c, 0x99, 0x20, 0x8f, 0x86, 0x8e, 0x12,
230     0x9e, 0x69, 0x30, 0xfa, 0x34, 0xd9, 0x92, 0x8d, 0xdb, 0x7c, 0x37, 0xfd,
231     0x28, 0xab, 0x61, 0x98, 0x52, 0x7f, 0x14, 0x1a, 0x39, 0xae, 0xfb, 0x6a,
232     0x03, 0xa3, 0xe6, 0xbd, 0xb6, 0x5b, 0x6b, 0xe5, 0x5e, 0x9d, 0xc6, 0xa5,
233     0x07, 0x27, 0x54, 0x17, 0xd0, 0x3d, 0x84, 0x9b, 0x3a, 0xa0, 0xd9, 0x1e,
234     0x99, 0x6c, 0x63, 0x17, 0xab, 0xf1, 0x1f, 0x49, 0xba, 0x95, 0xe3, 0x3b,
235     0x86, 0x8f, 0x42, 0xa4, 0x89, 0xf5, 0x94, 0x8f, 0x8b, 0x46, 0xbe, 0x84,
236     0xba, 0x4a, 0xbc, 0x0d, 0x5f, 0x46, 0xeb, 0xe8, 0xec, 0x43, 0x8c, 0x1e,
237     0xad, 0x19, 0x69, 0x2f, 0x08, 0x86, 0x7a, 0x3f, 0x7d, 0x0f, 0x07, 0x97,
238     0xf3, 0x9a, 0x7b, 0xb5, 0xb2, 0xc1, 0x8c, 0x95, 0x68, 0x04, 0xa0, 0x81,
239     0x02, 0x81, 0x80, 0x4e, 0xbf, 0x7e, 0x1b, 0xcb, 0x13, 0x61, 0x75, 0x3b,
240     0xdb, 0x59, 0x5f, 0xb1, 0xd4, 0xb8, 0xeb, 0x9e, 0x73, 0xb5, 0xe7, 0xf6,
241     0x89, 0x3d, 0x1c, 0xda, 0xf0, 0x36, 0xff, 0x35, 0xbd, 0x1e, 0x0b, 0x74,
242     0xe3, 0x9e, 0xf0, 0xf2, 0xf7, 0xd7, 0x82, 0xb7, 0x7b, 0x6a, 0x1b, 0x0e,
243     0x30, 0x4a, 0x98, 0x0e, 0xb4, 0xf9, 0x81, 0x07, 0xe4, 0x75, 0x39, 0xe9,
244     0x53, 0xca, 0xbb, 0x5c, 0xaa, 0x93, 0x07, 0x0e, 0xa8, 0x2f, 0xba, 0x98,
245     0x49, 0x30, 0xa7, 0xcc, 0x1a, 0x3c, 0x68, 0x0c, 0xe1, 0xa4, 0xb1, 0x05,
246     0xe6, 0xe0, 0x25, 0x78, 0x58, 0x14, 0x37, 0xf5, 0x1f, 0xe3, 0x22, 0xef,
247     0xa8, 0x0e, 0x22, 0xa0, 0x94, 0x3a, 0xf6, 0xc9, 0x13, 0xe6, 0x06, 0xbf,
248     0x7f, 0x99, 0xc6, 0xcc, 0xd8, 0xc6, 0xbe, 0xd9, 0x2e, 0x24, 0xc7, 0x69,
249     0x8c, 0x95, 0xba, 0xf6, 0x04, 0xb3, 0x0a, 0xf4, 0xcb, 0xf0, 0xce,
250 };
251 
252 /*
253  * kExampleBad2RSAKeyDER is an RSA private key in ASN.1, DER format. All
254  * values are 0.
255  */
256 static const unsigned char kExampleBad2RSAKeyDER[] = {
257     0x30, 0x1b, 0x02, 0x01, 0x00, 0x02, 0x01, 0x00, 0x02, 0x01, 0x00, 0x02,
258     0x01, 0x00, 0x02, 0x01, 0x00, 0x02, 0x01, 0x00, 0x02, 0x01, 0x00, 0x02,
259     0x01, 0x00, 0x02, 0x01, 0x00
260 };
261 
262 static const unsigned char kMsg[] = { 1, 2, 3, 4 };
263 
264 static const unsigned char kSignature[] = {
265     0xa5, 0xf0, 0x8a, 0x47, 0x5d, 0x3c, 0xb3, 0xcc, 0xa9, 0x79, 0xaf, 0x4d,
266     0x8c, 0xae, 0x4c, 0x14, 0xef, 0xc2, 0x0b, 0x34, 0x36, 0xde, 0xf4, 0x3e,
267     0x3d, 0xbb, 0x4a, 0x60, 0x5c, 0xc8, 0x91, 0x28, 0xda, 0xfb, 0x7e, 0x04,
268     0x96, 0x7e, 0x63, 0x13, 0x90, 0xce, 0xb9, 0xb4, 0x62, 0x7a, 0xfd, 0x09,
269     0x3d, 0xc7, 0x67, 0x78, 0x54, 0x04, 0xeb, 0x52, 0x62, 0x6e, 0x24, 0x67,
270     0xb4, 0x40, 0xfc, 0x57, 0x62, 0xc6, 0xf1, 0x67, 0xc1, 0x97, 0x8f, 0x6a,
271     0xa8, 0xae, 0x44, 0x46, 0x5e, 0xab, 0x67, 0x17, 0x53, 0x19, 0x3a, 0xda,
272     0x5a, 0xc8, 0x16, 0x3e, 0x86, 0xd5, 0xc5, 0x71, 0x2f, 0xfc, 0x23, 0x48,
273     0xd9, 0x0b, 0x13, 0xdd, 0x7b, 0x5a, 0x25, 0x79, 0xef, 0xa5, 0x7b, 0x04,
274     0xed, 0x44, 0xf6, 0x18, 0x55, 0xe4, 0x0a, 0xe9, 0x57, 0x79, 0x5d, 0xd7,
275     0x55, 0xa7, 0xab, 0x45, 0x02, 0x97, 0x60, 0x42,
276 };
277 
278 /*
279  * kExampleRSAKeyPKCS8 is kExampleRSAKeyDER encoded in a PKCS #8
280  * PrivateKeyInfo.
281  */
282 static const unsigned char kExampleRSAKeyPKCS8[] = {
283     0x30, 0x82, 0x02, 0x76, 0x02, 0x01, 0x00, 0x30, 0x0d, 0x06, 0x09, 0x2a,
284     0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82,
285     0x02, 0x60, 0x30, 0x82, 0x02, 0x5c, 0x02, 0x01, 0x00, 0x02, 0x81, 0x81,
286     0x00, 0xf8, 0xb8, 0x6c, 0x83, 0xb4, 0xbc, 0xd9, 0xa8, 0x57, 0xc0, 0xa5,
287     0xb4, 0x59, 0x76, 0x8c, 0x54, 0x1d, 0x79, 0xeb, 0x22, 0x52, 0x04, 0x7e,
288     0xd3, 0x37, 0xeb, 0x41, 0xfd, 0x83, 0xf9, 0xf0, 0xa6, 0x85, 0x15, 0x34,
289     0x75, 0x71, 0x5a, 0x84, 0xa8, 0x3c, 0xd2, 0xef, 0x5a, 0x4e, 0xd3, 0xde,
290     0x97, 0x8a, 0xdd, 0xff, 0xbb, 0xcf, 0x0a, 0xaa, 0x86, 0x92, 0xbe, 0xb8,
291     0x50, 0xe4, 0xcd, 0x6f, 0x80, 0x33, 0x30, 0x76, 0x13, 0x8f, 0xca, 0x7b,
292     0xdc, 0xec, 0x5a, 0xca, 0x63, 0xc7, 0x03, 0x25, 0xef, 0xa8, 0x8a, 0x83,
293     0x58, 0x76, 0x20, 0xfa, 0x16, 0x77, 0xd7, 0x79, 0x92, 0x63, 0x01, 0x48,
294     0x1a, 0xd8, 0x7b, 0x67, 0xf1, 0x52, 0x55, 0x49, 0x4e, 0xd6, 0x6e, 0x4a,
295     0x5c, 0xd7, 0x7a, 0x37, 0x36, 0x0c, 0xde, 0xdd, 0x8f, 0x44, 0xe8, 0xc2,
296     0xa7, 0x2c, 0x2b, 0xb5, 0xaf, 0x64, 0x4b, 0x61, 0x07, 0x02, 0x03, 0x01,
297     0x00, 0x01, 0x02, 0x81, 0x80, 0x74, 0x88, 0x64, 0x3f, 0x69, 0x45, 0x3a,
298     0x6d, 0xc7, 0x7f, 0xb9, 0xa3, 0xc0, 0x6e, 0xec, 0xdc, 0xd4, 0x5a, 0xb5,
299     0x32, 0x85, 0x5f, 0x19, 0xd4, 0xf8, 0xd4, 0x3f, 0x3c, 0xfa, 0xc2, 0xf6,
300     0x5f, 0xee, 0xe6, 0xba, 0x87, 0x74, 0x2e, 0xc7, 0x0c, 0xd4, 0x42, 0xb8,
301     0x66, 0x85, 0x9c, 0x7b, 0x24, 0x61, 0xaa, 0x16, 0x11, 0xf6, 0xb5, 0xb6,
302     0xa4, 0x0a, 0xc9, 0x55, 0x2e, 0x81, 0xa5, 0x47, 0x61, 0xcb, 0x25, 0x8f,
303     0xc2, 0x15, 0x7b, 0x0e, 0x7c, 0x36, 0x9f, 0x3a, 0xda, 0x58, 0x86, 0x1c,
304     0x5b, 0x83, 0x79, 0xe6, 0x2b, 0xcc, 0xe6, 0xfa, 0x2c, 0x61, 0xf2, 0x78,
305     0x80, 0x1b, 0xe2, 0xf3, 0x9d, 0x39, 0x2b, 0x65, 0x57, 0x91, 0x3d, 0x71,
306     0x99, 0x73, 0xa5, 0xc2, 0x79, 0x20, 0x8c, 0x07, 0x4f, 0xe5, 0xb4, 0x60,
307     0x1f, 0x99, 0xa2, 0xb1, 0x4f, 0x0c, 0xef, 0xbc, 0x59, 0x53, 0x00, 0x7d,
308     0xb1, 0x02, 0x41, 0x00, 0xfc, 0x7e, 0x23, 0x65, 0x70, 0xf8, 0xce, 0xd3,
309     0x40, 0x41, 0x80, 0x6a, 0x1d, 0x01, 0xd6, 0x01, 0xff, 0xb6, 0x1b, 0x3d,
310     0x3d, 0x59, 0x09, 0x33, 0x79, 0xc0, 0x4f, 0xde, 0x96, 0x27, 0x4b, 0x18,
311     0xc6, 0xd9, 0x78, 0xf1, 0xf4, 0x35, 0x46, 0xe9, 0x7c, 0x42, 0x7a, 0x5d,
312     0x9f, 0xef, 0x54, 0xb8, 0xf7, 0x9f, 0xc4, 0x33, 0x6c, 0xf3, 0x8c, 0x32,
313     0x46, 0x87, 0x67, 0x30, 0x7b, 0xa7, 0xac, 0xe3, 0x02, 0x41, 0x00, 0xfc,
314     0x2c, 0xdf, 0x0c, 0x0d, 0x88, 0xf5, 0xb1, 0x92, 0xa8, 0x93, 0x47, 0x63,
315     0x55, 0xf5, 0xca, 0x58, 0x43, 0xba, 0x1c, 0xe5, 0x9e, 0xb6, 0x95, 0x05,
316     0xcd, 0xb5, 0x82, 0xdf, 0xeb, 0x04, 0x53, 0x9d, 0xbd, 0xc2, 0x38, 0x16,
317     0xb3, 0x62, 0xdd, 0xa1, 0x46, 0xdb, 0x6d, 0x97, 0x93, 0x9f, 0x8a, 0xc3,
318     0x9b, 0x64, 0x7e, 0x42, 0xe3, 0x32, 0x57, 0x19, 0x1b, 0xd5, 0x6e, 0x85,
319     0xfa, 0xb8, 0x8d, 0x02, 0x41, 0x00, 0xbc, 0x3d, 0xde, 0x6d, 0xd6, 0x97,
320     0xe8, 0xba, 0x9e, 0x81, 0x37, 0x17, 0xe5, 0xa0, 0x64, 0xc9, 0x00, 0xb7,
321     0xe7, 0xfe, 0xf4, 0x29, 0xd9, 0x2e, 0x43, 0x6b, 0x19, 0x20, 0xbd, 0x99,
322     0x75, 0xe7, 0x76, 0xf8, 0xd3, 0xae, 0xaf, 0x7e, 0xb8, 0xeb, 0x81, 0xf4,
323     0x9d, 0xfe, 0x07, 0x2b, 0x0b, 0x63, 0x0b, 0x5a, 0x55, 0x90, 0x71, 0x7d,
324     0xf1, 0xdb, 0xd9, 0xb1, 0x41, 0x41, 0x68, 0x2f, 0x4e, 0x39, 0x02, 0x40,
325     0x5a, 0x34, 0x66, 0xd8, 0xf5, 0xe2, 0x7f, 0x18, 0xb5, 0x00, 0x6e, 0x26,
326     0x84, 0x27, 0x14, 0x93, 0xfb, 0xfc, 0xc6, 0x0f, 0x5e, 0x27, 0xe6, 0xe1,
327     0xe9, 0xc0, 0x8a, 0xe4, 0x34, 0xda, 0xe9, 0xa2, 0x4b, 0x73, 0xbc, 0x8c,
328     0xb9, 0xba, 0x13, 0x6c, 0x7a, 0x2b, 0x51, 0x84, 0xa3, 0x4a, 0xe0, 0x30,
329     0x10, 0x06, 0x7e, 0xed, 0x17, 0x5a, 0x14, 0x00, 0xc9, 0xef, 0x85, 0xea,
330     0x52, 0x2c, 0xbc, 0x65, 0x02, 0x40, 0x51, 0xe3, 0xf2, 0x83, 0x19, 0x9b,
331     0xc4, 0x1e, 0x2f, 0x50, 0x3d, 0xdf, 0x5a, 0xa2, 0x18, 0xca, 0x5f, 0x2e,
332     0x49, 0xaf, 0x6f, 0xcc, 0xfa, 0x65, 0x77, 0x94, 0xb5, 0xa1, 0x0a, 0xa9,
333     0xd1, 0x8a, 0x39, 0x37, 0xf4, 0x0b, 0xa0, 0xd7, 0x82, 0x27, 0x5e, 0xae,
334     0x17, 0x17, 0xa1, 0x1e, 0x54, 0x34, 0xbf, 0x6e, 0xc4, 0x8e, 0x99, 0x5d,
335     0x08, 0xf1, 0x2d, 0x86, 0x9d, 0xa5, 0x20, 0x1b, 0xe5, 0xdf,
336 };
337 
338 #ifndef OPENSSL_NO_EC
339 /*
340  * kExampleECKeyDER is a sample EC private key encoded as an ECPrivateKey
341  * structure.
342  */
343 static const unsigned char kExampleECKeyDER[] = {
344     0x30, 0x77, 0x02, 0x01, 0x01, 0x04, 0x20, 0x07, 0x0f, 0x08, 0x72, 0x7a,
345     0xd4, 0xa0, 0x4a, 0x9c, 0xdd, 0x59, 0xc9, 0x4d, 0x89, 0x68, 0x77, 0x08,
346     0xb5, 0x6f, 0xc9, 0x5d, 0x30, 0x77, 0x0e, 0xe8, 0xd1, 0xc9, 0xce, 0x0a,
347     0x8b, 0xb4, 0x6a, 0xa0, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d,
348     0x03, 0x01, 0x07, 0xa1, 0x44, 0x03, 0x42, 0x00, 0x04, 0xe6, 0x2b, 0x69,
349     0xe2, 0xbf, 0x65, 0x9f, 0x97, 0xbe, 0x2f, 0x1e, 0x0d, 0x94, 0x8a, 0x4c,
350     0xd5, 0x97, 0x6b, 0xb7, 0xa9, 0x1e, 0x0d, 0x46, 0xfb, 0xdd, 0xa9, 0xa9,
351     0x1e, 0x9d, 0xdc, 0xba, 0x5a, 0x01, 0xe7, 0xd6, 0x97, 0xa8, 0x0a, 0x18,
352     0xf9, 0xc3, 0xc4, 0xa3, 0x1e, 0x56, 0xe2, 0x7c, 0x83, 0x48, 0xdb, 0x16,
353     0x1a, 0x1c, 0xf5, 0x1d, 0x7e, 0xf1, 0x94, 0x2d, 0x4b, 0xcf, 0x72, 0x22,
354     0xc1,
355 };
356 
357 /*
358  * kExampleBadECKeyDER is a sample EC private key encoded as an ECPrivateKey
359  * structure. The private key is equal to the order and will fail to import
360  */
361 static const unsigned char kExampleBadECKeyDER[] = {
362     0x30, 0x66, 0x02, 0x01, 0x00, 0x30, 0x13, 0x06, 0x07, 0x2A, 0x86, 0x48,
363     0xCE, 0x3D, 0x02, 0x01, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03,
364     0x01, 0x07, 0x04, 0x4C, 0x30, 0x4A, 0x02, 0x01, 0x01, 0x04, 0x20, 0xFF,
365     0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
366     0xFF, 0xFF, 0xFF, 0xBC, 0xE6, 0xFA, 0xAD, 0xA7, 0x17, 0x9E, 0x84, 0xF3,
367     0xB9, 0xCA, 0xC2, 0xFC, 0x63, 0x25, 0x51, 0xA1, 0x23, 0x03, 0x21, 0x00,
368     0x00, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
369     0xFF, 0xFF, 0xFF, 0xFF, 0xBC, 0xE6, 0xFA, 0xAD, 0xA7, 0x17, 0x9E, 0x84,
370     0xF3, 0xB9, 0xCA, 0xC2, 0xFC, 0x63, 0x25, 0x51
371 };
372 
373 /* prime256v1 */
374 static const unsigned char kExampleECPubKeyDER[] = {
375     0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02,
376     0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03,
377     0x42, 0x00, 0x04, 0xba, 0xeb, 0x83, 0xfb, 0x3b, 0xb2, 0xff, 0x30, 0x53,
378     0xdb, 0xce, 0x32, 0xf2, 0xac, 0xae, 0x44, 0x0d, 0x3d, 0x13, 0x53, 0xb8,
379     0xd1, 0x68, 0x55, 0xde, 0x44, 0x46, 0x05, 0xa6, 0xc9, 0xd2, 0x04, 0xb7,
380     0xe3, 0xa2, 0x96, 0xc8, 0xb2, 0x5e, 0x22, 0x03, 0xd7, 0x03, 0x7a, 0x8b,
381     0x13, 0x5c, 0x42, 0x49, 0xc2, 0xab, 0x86, 0xd6, 0xac, 0x6b, 0x93, 0x20,
382     0x56, 0x6a, 0xc6, 0xc8, 0xa5, 0x0b, 0xe5
383 };
384 
385 /*
386  * kExampleBadECPubKeyDER is a sample EC public key with a wrong OID
387  * 1.2.840.10045.2.2 instead of 1.2.840.10045.2.1 - EC Public Key
388  */
389 static const unsigned char kExampleBadECPubKeyDER[] = {
390     0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02,
391     0x02, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03,
392     0x42, 0x00, 0x04, 0xba, 0xeb, 0x83, 0xfb, 0x3b, 0xb2, 0xff, 0x30, 0x53,
393     0xdb, 0xce, 0x32, 0xf2, 0xac, 0xae, 0x44, 0x0d, 0x3d, 0x13, 0x53, 0xb8,
394     0xd1, 0x68, 0x55, 0xde, 0x44, 0x46, 0x05, 0xa6, 0xc9, 0xd2, 0x04, 0xb7,
395     0xe3, 0xa2, 0x96, 0xc8, 0xb2, 0x5e, 0x22, 0x03, 0xd7, 0x03, 0x7a, 0x8b,
396     0x13, 0x5c, 0x42, 0x49, 0xc2, 0xab, 0x86, 0xd6, 0xac, 0x6b, 0x93, 0x20,
397     0x56, 0x6a, 0xc6, 0xc8, 0xa5, 0x0b, 0xe5
398 };
399 
400 static const unsigned char pExampleECParamDER[] = {
401     0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07
402 };
403 
404 static const unsigned char kExampleED25519KeyDER[] = {
405     0x30, 0x2e, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70,
406     0x04, 0x22, 0x04, 0x20, 0xba, 0x7b, 0xba, 0x20, 0x1b, 0x02, 0x75, 0x3a,
407     0xe8, 0x88, 0xfe, 0x00, 0xcd, 0x8b, 0xc6, 0xf4, 0x5c, 0x47, 0x09, 0x46,
408     0x66, 0xe4, 0x72, 0x85, 0x25, 0x26, 0x5e, 0x12, 0x33, 0x48, 0xf6, 0x50
409 };
410 
411 static const unsigned char kExampleED25519PubKeyDER[] = {
412     0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70, 0x03, 0x21, 0x00,
413     0xf5, 0xc5, 0xeb, 0x52, 0x3e, 0x7d, 0x07, 0x86, 0xb2, 0x55, 0x07, 0x45,
414     0xef, 0x5b, 0x7c, 0x20, 0xe8, 0x66, 0x28, 0x30, 0x3c, 0x8a, 0x82, 0x40,
415     0x97, 0xa3, 0x08, 0xdc, 0x65, 0x80, 0x39, 0x29
416 };
417 
418 # ifndef OPENSSL_NO_DEPRECATED_3_0
419 static const unsigned char kExampleX25519KeyDER[] = {
420     0x30, 0x2e, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x6e,
421     0x04, 0x22, 0x04, 0x20, 0xa0, 0x24, 0x3a, 0x31, 0x24, 0xc3, 0x3f, 0xf6,
422     0x7b, 0x96, 0x0b, 0xd4, 0x8f, 0xd1, 0xee, 0x67, 0xf2, 0x9b, 0x88, 0xac,
423     0x50, 0xce, 0x97, 0x36, 0xdd, 0xaf, 0x25, 0xf6, 0x10, 0x34, 0x96, 0x6e
424 };
425 # endif
426 #endif
427 
428 /* kExampleDHKeyDER is a DH private key in ASN.1, DER format. */
429 #ifndef OPENSSL_NO_DEPRECATED_3_0
430 # ifndef OPENSSL_NO_DH
431 static const unsigned char kExampleDHKeyDER[] = {
432     0x30, 0x82, 0x01, 0x21, 0x02, 0x01, 0x00, 0x30, 0x81, 0x95, 0x06, 0x09,
433     0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x03, 0x01, 0x30, 0x81, 0x87,
434     0x02, 0x81, 0x81, 0x00, 0xf7, 0x52, 0xc2, 0x68, 0xcc, 0x66, 0xc4, 0x8d,
435     0x03, 0x3f, 0xfa, 0x9c, 0x52, 0xd0, 0xd8, 0x33, 0xf2, 0xe1, 0xc9, 0x9e,
436     0xb7, 0xe7, 0x6e, 0x90, 0x97, 0xeb, 0x92, 0x91, 0x6a, 0x9a, 0x85, 0x63,
437     0x92, 0x79, 0xab, 0xb6, 0x3d, 0x23, 0x58, 0x5a, 0xe8, 0x45, 0x06, 0x81,
438     0x97, 0x77, 0xe1, 0xcc, 0x34, 0x4e, 0xae, 0x36, 0x80, 0xf2, 0xc4, 0x7f,
439     0x8a, 0x52, 0xb8, 0xdb, 0x58, 0xc8, 0x4b, 0x12, 0x4c, 0xf1, 0x4c, 0x53,
440     0xc1, 0x89, 0x39, 0x8d, 0xb6, 0x06, 0xd8, 0xea, 0x7f, 0x2d, 0x36, 0x53,
441     0x96, 0x29, 0xbe, 0xb6, 0x75, 0xfc, 0xe7, 0xf3, 0x36, 0xd6, 0xf4, 0x8f,
442     0x16, 0xa6, 0xc7, 0xec, 0x7b, 0xce, 0x42, 0x8d, 0x48, 0x2e, 0xb7, 0x74,
443     0x00, 0x11, 0x52, 0x61, 0xb4, 0x19, 0x35, 0xec, 0x5c, 0xe4, 0xbe, 0x34,
444     0xc6, 0x59, 0x64, 0x5e, 0x42, 0x61, 0x70, 0x54, 0xf4, 0xe9, 0x6b, 0x53,
445     0x02, 0x01, 0x02, 0x04, 0x81, 0x83, 0x02, 0x81, 0x80, 0x64, 0xc2, 0xe3,
446     0x09, 0x69, 0x37, 0x3c, 0xd2, 0x4a, 0xba, 0xc3, 0x78, 0x6a, 0x9b, 0x8a,
447     0x2a, 0xdb, 0xe7, 0xe6, 0xc0, 0xfa, 0x3a, 0xbe, 0x39, 0x67, 0xc0, 0xa9,
448     0x2a, 0xf0, 0x0a, 0xc1, 0x53, 0x1c, 0xdb, 0xfa, 0x1a, 0x26, 0x98, 0xb0,
449     0x8c, 0xc6, 0x06, 0x4a, 0xa2, 0x48, 0xd3, 0xa4, 0x3b, 0xbd, 0x05, 0x48,
450     0xea, 0x59, 0xdb, 0x18, 0xa4, 0xca, 0x66, 0xd9, 0x5d, 0xb8, 0x95, 0xd1,
451     0xeb, 0x97, 0x3d, 0x66, 0x97, 0x5c, 0x86, 0x8f, 0x7e, 0x90, 0xd3, 0x43,
452     0xd1, 0xa2, 0x0d, 0xcb, 0xe7, 0xeb, 0x90, 0xea, 0x09, 0x40, 0xb1, 0x6f,
453     0xf7, 0x4c, 0xf2, 0x41, 0x83, 0x1d, 0xd0, 0x76, 0xef, 0xaf, 0x55, 0x6f,
454     0x5d, 0xa9, 0xa3, 0x55, 0x81, 0x2a, 0xd1, 0x5d, 0x9d, 0x22, 0x77, 0x97,
455     0x83, 0xde, 0xad, 0xb6, 0x5d, 0x19, 0xc1, 0x53, 0xec, 0xfb, 0xaf, 0x06,
456     0x2e, 0x87, 0x2a, 0x0b, 0x7a
457 };
458 # endif
459 #endif
460 
461 static const unsigned char kCFBDefaultKey[] = {
462     0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6, 0xAB, 0xF7, 0x15, 0x88,
463     0x09, 0xCF, 0x4F, 0x3C
464 };
465 
466 static const unsigned char kGCMDefaultKey[32] = { 0 };
467 
468 static const unsigned char kGCMResetKey[] = {
469     0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c, 0x6d, 0x6a, 0x8f, 0x94,
470     0x67, 0x30, 0x83, 0x08, 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
471     0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08
472 };
473 
474 static const unsigned char iCFBIV[] = {
475     0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B,
476     0x0C, 0x0D, 0x0E, 0x0F
477 };
478 
479 static const unsigned char iGCMDefaultIV[12] = { 0 };
480 
481 static const unsigned char iGCMResetIV1[] = {
482     0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad
483 };
484 
485 static const unsigned char iGCMResetIV2[] = {
486     0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad, 0xde, 0xca, 0xf8, 0x88
487 };
488 
489 static const unsigned char cfbPlaintext[] = {
490     0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96, 0xE9, 0x3D, 0x7E, 0x11,
491     0x73, 0x93, 0x17, 0x2A
492 };
493 static const unsigned char cfbPlaintext_partial[] = {
494     0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96, 0xE9, 0x3D, 0x7E, 0x11,
495     0x73, 0x93, 0x17, 0x2A, 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
496 };
497 
498 static const unsigned char gcmDefaultPlaintext[16] = { 0 };
499 
500 static const unsigned char gcmResetPlaintext[] = {
501     0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5, 0xa5, 0x59, 0x09, 0xc5,
502     0xaf, 0xf5, 0x26, 0x9a, 0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda,
503     0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72, 0x1c, 0x3c, 0x0c, 0x95,
504     0x95, 0x68, 0x09, 0x53, 0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25,
505     0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57, 0xba, 0x63, 0x7b, 0x39
506 };
507 
508 static const unsigned char cfbCiphertext[] = {
509     0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20, 0x33, 0x34, 0x49, 0xF8,
510     0xE8, 0x3C, 0xFB, 0x4A
511 };
512 
513 static const unsigned char cfbCiphertext_partial[] = {
514     0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20, 0x33, 0x34, 0x49, 0xF8,
515     0xE8, 0x3C, 0xFB, 0x4A, 0x0D, 0x4A, 0x71, 0x82, 0x90, 0xF0, 0x9A, 0x35
516 };
517 
518 static const unsigned char ofbCiphertext_partial[] = {
519     0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20, 0x33, 0x34, 0x49, 0xF8,
520     0xE8, 0x3C, 0xFB, 0x4A, 0xB2, 0x65, 0x64, 0x38, 0x26, 0xD2, 0xBC, 0x09
521 };
522 
523 static const unsigned char gcmDefaultCiphertext[] = {
524     0xce, 0xa7, 0x40, 0x3d, 0x4d, 0x60, 0x6b, 0x6e, 0x07, 0x4e, 0xc5, 0xd3,
525     0xba, 0xf3, 0x9d, 0x18
526 };
527 
528 static const unsigned char gcmResetCiphertext1[] = {
529     0xc3, 0x76, 0x2d, 0xf1, 0xca, 0x78, 0x7d, 0x32, 0xae, 0x47, 0xc1, 0x3b,
530     0xf1, 0x98, 0x44, 0xcb, 0xaf, 0x1a, 0xe1, 0x4d, 0x0b, 0x97, 0x6a, 0xfa,
531     0xc5, 0x2f, 0xf7, 0xd7, 0x9b, 0xba, 0x9d, 0xe0, 0xfe, 0xb5, 0x82, 0xd3,
532     0x39, 0x34, 0xa4, 0xf0, 0x95, 0x4c, 0xc2, 0x36, 0x3b, 0xc7, 0x3f, 0x78,
533     0x62, 0xac, 0x43, 0x0e, 0x64, 0xab, 0xe4, 0x99, 0xf4, 0x7c, 0x9b, 0x1f
534 };
535 
536 static const unsigned char gcmResetCiphertext2[] = {
537     0x52, 0x2d, 0xc1, 0xf0, 0x99, 0x56, 0x7d, 0x07, 0xf4, 0x7f, 0x37, 0xa3,
538     0x2a, 0x84, 0x42, 0x7d, 0x64, 0x3a, 0x8c, 0xdc, 0xbf, 0xe5, 0xc0, 0xc9,
539     0x75, 0x98, 0xa2, 0xbd, 0x25, 0x55, 0xd1, 0xaa, 0x8c, 0xb0, 0x8e, 0x48,
540     0x59, 0x0d, 0xbb, 0x3d, 0xa7, 0xb0, 0x8b, 0x10, 0x56, 0x82, 0x88, 0x38,
541     0xc5, 0xf6, 0x1e, 0x63, 0x93, 0xba, 0x7a, 0x0a, 0xbc, 0xc9, 0xf6, 0x62
542 };
543 
544 static const unsigned char gcmAAD[] = {
545     0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, 0xfe, 0xed, 0xfa, 0xce,
546     0xde, 0xad, 0xbe, 0xef, 0xab, 0xad, 0xda, 0xd2
547 };
548 
549 static const unsigned char gcmDefaultTag[] = {
550     0xd0, 0xd1, 0xc8, 0xa7, 0x99, 0x99, 0x6b, 0xf0, 0x26, 0x5b, 0x98, 0xb5,
551     0xd4, 0x8a, 0xb9, 0x19
552 };
553 
554 static const unsigned char gcmResetTag1[] = {
555     0x3a, 0x33, 0x7d, 0xbf, 0x46, 0xa7, 0x92, 0xc4, 0x5e, 0x45, 0x49, 0x13,
556     0xfe, 0x2e, 0xa8, 0xf2
557 };
558 
559 static const unsigned char gcmResetTag2[] = {
560     0x76, 0xfc, 0x6e, 0xce, 0x0f, 0x4e, 0x17, 0x68, 0xcd, 0xdf, 0x88, 0x53,
561     0xbb, 0x2d, 0x55, 0x1b
562 };
563 
564 typedef struct APK_DATA_st {
565     const unsigned char *kder;
566     size_t size;
567     const char *keytype;
568     int evptype;
569     int check;
570     int pub_check;
571     int param_check;
572     int type; /* 0 for private, 1 for public, 2 for params */
573 } APK_DATA;
574 
575 static APK_DATA keydata[] = {
576     {kExampleRSAKeyDER, sizeof(kExampleRSAKeyDER), "RSA", EVP_PKEY_RSA},
577     {kExampleRSAKeyPKCS8, sizeof(kExampleRSAKeyPKCS8), "RSA", EVP_PKEY_RSA},
578 #ifndef OPENSSL_NO_EC
579     {kExampleECKeyDER, sizeof(kExampleECKeyDER), "EC", EVP_PKEY_EC}
580 #endif
581 };
582 
583 static APK_DATA keycheckdata[] = {
584     {kExampleRSAKeyDER, sizeof(kExampleRSAKeyDER), "RSA", EVP_PKEY_RSA, 1, 1, 1,
585      0},
586     {kExampleBadRSAKeyDER, sizeof(kExampleBadRSAKeyDER), "RSA", EVP_PKEY_RSA,
587      0, 1, 1, 0},
588     {kExampleBad2RSAKeyDER, sizeof(kExampleBad2RSAKeyDER), "RSA", EVP_PKEY_RSA,
589      0, 0, 1 /* Since there are no "params" in an RSA key this passes */, 0},
590 #ifndef OPENSSL_NO_EC
591     {kExampleECKeyDER, sizeof(kExampleECKeyDER), "EC", EVP_PKEY_EC, 1, 1, 1, 0},
592     /* group is also associated in our pub key */
593     {kExampleECPubKeyDER, sizeof(kExampleECPubKeyDER), "EC", EVP_PKEY_EC, 0, 1,
594      1, 1},
595     {pExampleECParamDER, sizeof(pExampleECParamDER), "EC", EVP_PKEY_EC, 0, 0, 1,
596      2},
597     {kExampleED25519KeyDER, sizeof(kExampleED25519KeyDER), "ED25519",
598      EVP_PKEY_ED25519, 1, 1, 1, 0},
599     {kExampleED25519PubKeyDER, sizeof(kExampleED25519PubKeyDER), "ED25519",
600      EVP_PKEY_ED25519, 0, 1, 1, 1},
601 #endif
602 };
603 
604 static EVP_PKEY *load_example_key(const char *keytype,
605                                   const unsigned char *data, size_t data_len)
606 {
607     const unsigned char **pdata = &data;
608     EVP_PKEY *pkey = NULL;
609     OSSL_DECODER_CTX *dctx =
610         OSSL_DECODER_CTX_new_for_pkey(&pkey, "DER", NULL, keytype, 0,
611                                       testctx, testpropq);
612 
613     /* |pkey| will be NULL on error */
614     (void)OSSL_DECODER_from_data(dctx, pdata, &data_len);
615     OSSL_DECODER_CTX_free(dctx);
616     return pkey;
617 }
618 
619 static EVP_PKEY *load_example_rsa_key(void)
620 {
621     return load_example_key("RSA", kExampleRSAKeyDER,
622                             sizeof(kExampleRSAKeyDER));
623 }
624 
625 #ifndef OPENSSL_NO_DSA
626 static EVP_PKEY *load_example_dsa_key(void)
627 {
628     return load_example_key("DSA", kExampleDSAKeyDER,
629                             sizeof(kExampleDSAKeyDER));
630 }
631 #endif
632 
633 #ifndef OPENSSL_NO_EC
634 static EVP_PKEY *load_example_ec_key(void)
635 {
636     return load_example_key("EC", kExampleECKeyDER,
637                             sizeof(kExampleECKeyDER));
638 }
639 #endif
640 
641 #ifndef OPENSSL_NO_DEPRECATED_3_0
642 # ifndef OPENSSL_NO_DH
643 static EVP_PKEY *load_example_dh_key(void)
644 {
645     return load_example_key("DH", kExampleDHKeyDER,
646                             sizeof(kExampleDHKeyDER));
647 }
648 # endif
649 
650 # ifndef OPENSSL_NO_EC
651 static EVP_PKEY *load_example_ed25519_key(void)
652 {
653     return load_example_key("ED25519", kExampleED25519KeyDER,
654                             sizeof(kExampleED25519KeyDER));
655 }
656 
657 static EVP_PKEY *load_example_x25519_key(void)
658 {
659     return load_example_key("X25519", kExampleX25519KeyDER,
660                             sizeof(kExampleX25519KeyDER));
661 }
662 # endif
663 #endif /* OPENSSL_NO_DEPRECATED_3_0 */
664 
665 static EVP_PKEY *load_example_hmac_key(void)
666 {
667     EVP_PKEY *pkey = NULL;
668     unsigned char key[] = {
669         0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
670         0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
671         0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
672     };
673 
674     pkey = EVP_PKEY_new_raw_private_key_ex(testctx, "HMAC",
675                                            NULL, key, sizeof(key));
676     if (!TEST_ptr(pkey))
677         return NULL;
678 
679     return pkey;
680 }
681 
682 static int test_EVP_set_default_properties(void)
683 {
684     OSSL_LIB_CTX *ctx;
685     EVP_MD *md = NULL;
686     int res = 0;
687 
688     if (!TEST_ptr(ctx = OSSL_LIB_CTX_new())
689             || !TEST_ptr(md = EVP_MD_fetch(ctx, "sha256", NULL)))
690         goto err;
691     EVP_MD_free(md);
692     md = NULL;
693 
694     if (!TEST_true(EVP_set_default_properties(ctx, "provider=fizzbang"))
695             || !TEST_ptr_null(md = EVP_MD_fetch(ctx, "sha256", NULL))
696             || !TEST_ptr(md = EVP_MD_fetch(ctx, "sha256", "-provider")))
697         goto err;
698     EVP_MD_free(md);
699     md = NULL;
700 
701     if (!TEST_true(EVP_set_default_properties(ctx, NULL))
702             || !TEST_ptr(md = EVP_MD_fetch(ctx, "sha256", NULL)))
703         goto err;
704     res = 1;
705 err:
706     EVP_MD_free(md);
707     OSSL_LIB_CTX_free(ctx);
708     return res;
709 }
710 
711 #if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_EC)
712 static EVP_PKEY *make_key_fromdata(char *keytype, OSSL_PARAM *params)
713 {
714     EVP_PKEY_CTX *pctx = NULL;
715     EVP_PKEY *tmp_pkey = NULL, *pkey = NULL;
716 
717     if (!TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(testctx, keytype, testpropq)))
718         goto err;
719     if (!TEST_int_gt(EVP_PKEY_fromdata_init(pctx), 0)
720         || !TEST_int_gt(EVP_PKEY_fromdata(pctx, &tmp_pkey, EVP_PKEY_KEYPAIR,
721                                           params), 0))
722         goto err;
723 
724     if (!TEST_ptr(tmp_pkey))
725         goto err;
726 
727     pkey = tmp_pkey;
728     tmp_pkey = NULL;
729  err:
730     EVP_PKEY_free(tmp_pkey);
731     EVP_PKEY_CTX_free(pctx);
732     return pkey;
733 }
734 
735 static int test_selection(EVP_PKEY *pkey, int selection)
736 {
737     int testresult = 0;
738     int ret;
739     BIO *bio = BIO_new(BIO_s_mem());
740 
741     ret = PEM_write_bio_PUBKEY(bio, pkey);
742     if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) {
743         if (!TEST_true(ret))
744             goto err;
745     } else {
746         if (!TEST_false(ret))
747             goto err;
748     }
749     ret = PEM_write_bio_PrivateKey_ex(bio, pkey, NULL, NULL, 0, NULL, NULL,
750                                       testctx, NULL);
751     if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) {
752         if (!TEST_true(ret))
753             goto err;
754     } else {
755         if (!TEST_false(ret))
756             goto err;
757     }
758 
759     testresult = 1;
760  err:
761     BIO_free(bio);
762 
763     return testresult;
764 }
765 #endif /* !OPENSSL_NO_DH || !OPENSSL_NO_DSA || !OPENSSL_NO_EC */
766 
767 /*
768  * Test combinations of private, public, missing and private + public key
769  * params to ensure they are all accepted
770  */
771 #if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_DSA)
772 static int test_EVP_PKEY_ffc_priv_pub(char *keytype)
773 {
774     OSSL_PARAM_BLD *bld = NULL;
775     OSSL_PARAM *params = NULL;
776     EVP_PKEY *just_params = NULL;
777     EVP_PKEY *params_and_priv = NULL;
778     EVP_PKEY *params_and_pub = NULL;
779     EVP_PKEY *params_and_keypair = NULL;
780     BIGNUM *p = NULL, *q = NULL, *g = NULL, *pub = NULL, *priv = NULL;
781     int ret = 0;
782 
783     /*
784      * Setup the parameters for our pkey object. For our purposes they don't
785      * have to actually be *valid* parameters. We just need to set something.
786      */
787     if (!TEST_ptr(p = BN_new())
788         || !TEST_ptr(q = BN_new())
789         || !TEST_ptr(g = BN_new())
790         || !TEST_ptr(pub = BN_new())
791         || !TEST_ptr(priv = BN_new()))
792         goto err;
793 
794     /* Test !priv and !pub */
795     if (!TEST_ptr(bld = OSSL_PARAM_BLD_new())
796         || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_P, p))
797         || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_Q, q))
798         || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_G, g)))
799         goto err;
800     if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))
801         || !TEST_ptr(just_params = make_key_fromdata(keytype, params)))
802         goto err;
803 
804     OSSL_PARAM_free(params);
805     OSSL_PARAM_BLD_free(bld);
806     params = NULL;
807     bld = NULL;
808 
809     if (!test_selection(just_params, OSSL_KEYMGMT_SELECT_ALL_PARAMETERS)
810         || test_selection(just_params, OSSL_KEYMGMT_SELECT_KEYPAIR))
811         goto err;
812 
813     /* Test priv and !pub */
814     if (!TEST_ptr(bld = OSSL_PARAM_BLD_new())
815         || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_P, p))
816         || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_Q, q))
817         || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_G, g))
818         || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PRIV_KEY,
819                                              priv)))
820         goto err;
821     if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))
822         || !TEST_ptr(params_and_priv = make_key_fromdata(keytype, params)))
823         goto err;
824 
825     OSSL_PARAM_free(params);
826     OSSL_PARAM_BLD_free(bld);
827     params = NULL;
828     bld = NULL;
829 
830     if (!test_selection(params_and_priv, OSSL_KEYMGMT_SELECT_PRIVATE_KEY)
831         || test_selection(params_and_priv, OSSL_KEYMGMT_SELECT_PUBLIC_KEY))
832         goto err;
833 
834     /* Test !priv and pub */
835     if (!TEST_ptr(bld = OSSL_PARAM_BLD_new())
836         || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_P, p))
837         || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_Q, q))
838         || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_G, g))
839         || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PUB_KEY,
840                                              pub)))
841         goto err;
842     if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))
843         || !TEST_ptr(params_and_pub = make_key_fromdata(keytype, params)))
844         goto err;
845 
846     OSSL_PARAM_free(params);
847     OSSL_PARAM_BLD_free(bld);
848     params = NULL;
849     bld = NULL;
850 
851     if (!test_selection(params_and_pub, OSSL_KEYMGMT_SELECT_PUBLIC_KEY)
852         || test_selection(params_and_pub, OSSL_KEYMGMT_SELECT_PRIVATE_KEY))
853         goto err;
854 
855     /* Test priv and pub */
856     if (!TEST_ptr(bld = OSSL_PARAM_BLD_new())
857         || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_P, p))
858         || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_Q, q))
859         || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_G, g))
860         || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PUB_KEY,
861                                              pub))
862         || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PRIV_KEY,
863                                              priv)))
864         goto err;
865     if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))
866         || !TEST_ptr(params_and_keypair = make_key_fromdata(keytype, params)))
867         goto err;
868 
869     if (!test_selection(params_and_keypair, EVP_PKEY_KEYPAIR))
870         goto err;
871 
872     ret = 1;
873  err:
874     OSSL_PARAM_free(params);
875     OSSL_PARAM_BLD_free(bld);
876     EVP_PKEY_free(just_params);
877     EVP_PKEY_free(params_and_priv);
878     EVP_PKEY_free(params_and_pub);
879     EVP_PKEY_free(params_and_keypair);
880     BN_free(p);
881     BN_free(q);
882     BN_free(g);
883     BN_free(pub);
884     BN_free(priv);
885 
886     return ret;
887 }
888 #endif /* !OPENSSL_NO_DH || !OPENSSL_NO_DSA */
889 
890 /*
891  * Test combinations of private, public, missing and private + public key
892  * params to ensure they are all accepted for EC keys
893  */
894 #ifndef OPENSSL_NO_EC
895 static unsigned char ec_priv[] = {
896     0xe9, 0x25, 0xf7, 0x66, 0x58, 0xa4, 0xdd, 0x99, 0x61, 0xe7, 0xe8, 0x23,
897     0x85, 0xc2, 0xe8, 0x33, 0x27, 0xc5, 0x5c, 0xeb, 0xdb, 0x43, 0x9f, 0xd5,
898     0xf2, 0x5a, 0x75, 0x55, 0xd0, 0x2e, 0x6d, 0x16
899 };
900 static unsigned char ec_pub[] = {
901     0x04, 0xad, 0x11, 0x90, 0x77, 0x4b, 0x46, 0xee, 0x72, 0x51, 0x15, 0x97,
902     0x4a, 0x6a, 0xa7, 0xaf, 0x59, 0xfa, 0x4b, 0xf2, 0x41, 0xc8, 0x3a, 0x81,
903     0x23, 0xb6, 0x90, 0x04, 0x6c, 0x67, 0x66, 0xd0, 0xdc, 0xf2, 0x15, 0x1d,
904     0x41, 0x61, 0xb7, 0x95, 0x85, 0x38, 0x5a, 0x84, 0x56, 0xe8, 0xb3, 0x0e,
905     0xf5, 0xc6, 0x5d, 0xa4, 0x54, 0x26, 0xb0, 0xf7, 0xa5, 0x4a, 0x33, 0xf1,
906     0x08, 0x09, 0xb8, 0xdb, 0x03
907 };
908 
909 static int test_EC_priv_pub(void)
910 {
911     OSSL_PARAM_BLD *bld = NULL;
912     OSSL_PARAM *params = NULL;
913     EVP_PKEY *just_params = NULL;
914     EVP_PKEY *params_and_priv = NULL;
915     EVP_PKEY *params_and_pub = NULL;
916     EVP_PKEY *params_and_keypair = NULL;
917     BIGNUM *priv = NULL;
918     int ret = 0;
919     unsigned char *encoded = NULL;
920     size_t len = 0;
921     unsigned char buffer[128];
922 
923     /*
924      * Setup the parameters for our pkey object. For our purposes they don't
925      * have to actually be *valid* parameters. We just need to set something.
926      */
927     if (!TEST_ptr(priv = BN_bin2bn(ec_priv, sizeof(ec_priv), NULL)))
928         goto err;
929 
930     /* Test !priv and !pub */
931     if (!TEST_ptr(bld = OSSL_PARAM_BLD_new())
932         || !TEST_true(OSSL_PARAM_BLD_push_utf8_string(bld,
933                                                       OSSL_PKEY_PARAM_GROUP_NAME,
934                                                       "P-256", 0)))
935         goto err;
936     if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))
937         || !TEST_ptr(just_params = make_key_fromdata("EC", params)))
938         goto err;
939 
940     OSSL_PARAM_free(params);
941     OSSL_PARAM_BLD_free(bld);
942     params = NULL;
943     bld = NULL;
944 
945     if (!test_selection(just_params, OSSL_KEYMGMT_SELECT_ALL_PARAMETERS)
946         || test_selection(just_params, OSSL_KEYMGMT_SELECT_KEYPAIR))
947         goto err;
948 
949     /* Test priv and !pub */
950     if (!TEST_ptr(bld = OSSL_PARAM_BLD_new())
951         || !TEST_true(OSSL_PARAM_BLD_push_utf8_string(bld,
952                                                       OSSL_PKEY_PARAM_GROUP_NAME,
953                                                       "P-256", 0))
954         || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PRIV_KEY,
955                                              priv)))
956         goto err;
957     if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))
958         || !TEST_ptr(params_and_priv = make_key_fromdata("EC", params)))
959         goto err;
960 
961     OSSL_PARAM_free(params);
962     OSSL_PARAM_BLD_free(bld);
963     params = NULL;
964     bld = NULL;
965 
966     /*
967      * We indicate only parameters here, in spite of having built a key that
968      * has a private part, because the PEM_write_bio_PrivateKey_ex call is
969      * expected to fail because it does not support exporting a private EC
970      * key without a corresponding public key
971      */
972     if (!test_selection(params_and_priv, OSSL_KEYMGMT_SELECT_ALL_PARAMETERS)
973         || test_selection(params_and_priv, OSSL_KEYMGMT_SELECT_PUBLIC_KEY))
974         goto err;
975 
976     /* Test !priv and pub */
977     if (!TEST_ptr(bld = OSSL_PARAM_BLD_new())
978         || !TEST_true(OSSL_PARAM_BLD_push_utf8_string(bld,
979                                                       OSSL_PKEY_PARAM_GROUP_NAME,
980                                                       "P-256", 0))
981         || !TEST_true(OSSL_PARAM_BLD_push_octet_string(bld,
982                                                        OSSL_PKEY_PARAM_PUB_KEY,
983                                                        ec_pub, sizeof(ec_pub))))
984         goto err;
985     if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))
986         || !TEST_ptr(params_and_pub = make_key_fromdata("EC", params)))
987         goto err;
988 
989     OSSL_PARAM_free(params);
990     OSSL_PARAM_BLD_free(bld);
991     params = NULL;
992     bld = NULL;
993 
994     if (!test_selection(params_and_pub, OSSL_KEYMGMT_SELECT_PUBLIC_KEY)
995         || test_selection(params_and_pub, OSSL_KEYMGMT_SELECT_PRIVATE_KEY))
996         goto err;
997 
998     /* Test priv and pub */
999     if (!TEST_ptr(bld = OSSL_PARAM_BLD_new())
1000         || !TEST_true(OSSL_PARAM_BLD_push_utf8_string(bld,
1001                                                       OSSL_PKEY_PARAM_GROUP_NAME,
1002                                                       "P-256", 0))
1003         || !TEST_true(OSSL_PARAM_BLD_push_octet_string(bld,
1004                                                        OSSL_PKEY_PARAM_PUB_KEY,
1005                                                        ec_pub, sizeof(ec_pub)))
1006         || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PRIV_KEY,
1007                                              priv)))
1008         goto err;
1009     if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))
1010         || !TEST_ptr(params_and_keypair = make_key_fromdata("EC", params)))
1011         goto err;
1012 
1013     if (!test_selection(params_and_keypair, EVP_PKEY_KEYPAIR))
1014         goto err;
1015 
1016     /* Try key equality */
1017     if (!TEST_int_gt(EVP_PKEY_parameters_eq(just_params, just_params), 0)
1018         || !TEST_int_gt(EVP_PKEY_parameters_eq(just_params, params_and_pub),
1019                         0)
1020         || !TEST_int_gt(EVP_PKEY_parameters_eq(just_params, params_and_priv),
1021                         0)
1022         || !TEST_int_gt(EVP_PKEY_parameters_eq(just_params, params_and_keypair),
1023                         0)
1024         || !TEST_int_gt(EVP_PKEY_eq(params_and_pub, params_and_pub), 0)
1025         || !TEST_int_gt(EVP_PKEY_eq(params_and_priv, params_and_priv), 0)
1026         || !TEST_int_gt(EVP_PKEY_eq(params_and_keypair, params_and_pub), 0)
1027         || !TEST_int_gt(EVP_PKEY_eq(params_and_keypair, params_and_priv), 0))
1028         goto err;
1029 
1030     /* Positive and negative testcase for EVP_PKEY_get1_encoded_public_key */
1031     if (!TEST_int_gt(EVP_PKEY_get1_encoded_public_key(params_and_pub, &encoded), 0))
1032         goto err;
1033     OPENSSL_free(encoded);
1034     encoded = NULL;
1035     if (!TEST_int_eq(EVP_PKEY_get1_encoded_public_key(just_params, &encoded), 0)) {
1036         OPENSSL_free(encoded);
1037         encoded = NULL;
1038         goto err;
1039     }
1040 
1041     /* Positive and negative testcase for EVP_PKEY_get_octet_string_param */
1042     if (!TEST_int_eq(EVP_PKEY_get_octet_string_param(params_and_pub,
1043                                                      OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY,
1044                                                      buffer, sizeof(buffer), &len), 1)
1045         || !TEST_int_eq(len, 65))
1046         goto err;
1047 
1048     len = 0;
1049     if (!TEST_int_eq(EVP_PKEY_get_octet_string_param(params_and_pub,
1050                                                      OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY,
1051                                                      NULL, 0, &len), 1)
1052         || !TEST_int_eq(len, 65))
1053         goto err;
1054 
1055     /* too-short buffer len*/
1056     if (!TEST_int_eq(EVP_PKEY_get_octet_string_param(params_and_pub,
1057                                                      OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY,
1058                                                      buffer, 10, &len), 0))
1059         goto err;
1060 
1061     ret = 1;
1062  err:
1063     OSSL_PARAM_free(params);
1064     OSSL_PARAM_BLD_free(bld);
1065     EVP_PKEY_free(just_params);
1066     EVP_PKEY_free(params_and_priv);
1067     EVP_PKEY_free(params_and_pub);
1068     EVP_PKEY_free(params_and_keypair);
1069     BN_free(priv);
1070 
1071     return ret;
1072 }
1073 
1074 /* Test that using a legacy EC key with only a private key in it works */
1075 # ifndef OPENSSL_NO_DEPRECATED_3_0
1076 static int test_EC_priv_only_legacy(void)
1077 {
1078     BIGNUM *priv = NULL;
1079     int ret = 0;
1080     EC_KEY *eckey = NULL;
1081     EVP_PKEY *pkey = NULL, *dup_pk = NULL;
1082     EVP_MD_CTX *ctx = NULL;
1083 
1084     /* Create the low level EC_KEY */
1085     if (!TEST_ptr(priv = BN_bin2bn(ec_priv, sizeof(ec_priv), NULL)))
1086         goto err;
1087 
1088     eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
1089     if (!TEST_ptr(eckey))
1090         goto err;
1091 
1092     if (!TEST_true(EC_KEY_set_private_key(eckey, priv)))
1093         goto err;
1094 
1095     pkey = EVP_PKEY_new();
1096     if (!TEST_ptr(pkey))
1097         goto err;
1098 
1099     if (!TEST_true(EVP_PKEY_assign_EC_KEY(pkey, eckey)))
1100         goto err;
1101     eckey = NULL;
1102 
1103     while (dup_pk == NULL) {
1104         ret = 0;
1105         ctx = EVP_MD_CTX_new();
1106         if (!TEST_ptr(ctx))
1107             goto err;
1108 
1109         /*
1110          * The EVP_DigestSignInit function should create the key on the
1111          * provider side which is sufficient for this test.
1112          */
1113         if (!TEST_true(EVP_DigestSignInit_ex(ctx, NULL, NULL, testctx,
1114                                              testpropq, pkey, NULL)))
1115             goto err;
1116         EVP_MD_CTX_free(ctx);
1117         ctx = NULL;
1118 
1119         if (!TEST_ptr(dup_pk = EVP_PKEY_dup(pkey)))
1120             goto err;
1121         /* EVP_PKEY_eq() returns -2 with missing public keys */
1122         ret = TEST_int_eq(EVP_PKEY_eq(pkey, dup_pk), -2);
1123         EVP_PKEY_free(pkey);
1124         pkey = dup_pk;
1125         if (!ret)
1126             goto err;
1127     }
1128 
1129  err:
1130     EVP_MD_CTX_free(ctx);
1131     EVP_PKEY_free(pkey);
1132     EC_KEY_free(eckey);
1133     BN_free(priv);
1134 
1135     return ret;
1136 }
1137 # endif /* OPENSSL_NO_DEPRECATED_3_0 */
1138 #endif /* OPENSSL_NO_EC */
1139 
1140 static int test_EVP_PKEY_sign(int tst)
1141 {
1142     int ret = 0;
1143     EVP_PKEY *pkey = NULL;
1144     unsigned char *sig = NULL;
1145     size_t sig_len = 0, shortsig_len = 1;
1146     EVP_PKEY_CTX *ctx = NULL;
1147     unsigned char tbs[] = {
1148         0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
1149         0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13
1150     };
1151 
1152     if (tst == 0 ) {
1153         if (!TEST_ptr(pkey = load_example_rsa_key()))
1154             goto out;
1155     } else if (tst == 1) {
1156 #ifndef OPENSSL_NO_DSA
1157         if (!TEST_ptr(pkey = load_example_dsa_key()))
1158             goto out;
1159 #else
1160         ret = 1;
1161         goto out;
1162 #endif
1163     } else {
1164 #ifndef OPENSSL_NO_EC
1165         if (!TEST_ptr(pkey = load_example_ec_key()))
1166             goto out;
1167 #else
1168         ret = 1;
1169         goto out;
1170 #endif
1171     }
1172 
1173     ctx = EVP_PKEY_CTX_new_from_pkey(testctx, pkey, NULL);
1174     if (!TEST_ptr(ctx)
1175             || !TEST_int_gt(EVP_PKEY_sign_init(ctx), 0)
1176             || !TEST_int_gt(EVP_PKEY_sign(ctx, NULL, &sig_len, tbs,
1177                                           sizeof(tbs)), 0))
1178         goto out;
1179     sig = OPENSSL_malloc(sig_len);
1180     if (!TEST_ptr(sig)
1181             /* Test sending a signature buffer that is too short is rejected */
1182             || !TEST_int_le(EVP_PKEY_sign(ctx, sig, &shortsig_len, tbs,
1183                                           sizeof(tbs)), 0)
1184             || !TEST_int_gt(EVP_PKEY_sign(ctx, sig, &sig_len, tbs, sizeof(tbs)),
1185                             0)
1186             /* Test the signature round-trips */
1187             || !TEST_int_gt(EVP_PKEY_verify_init(ctx), 0)
1188             || !TEST_int_gt(EVP_PKEY_verify(ctx, sig, sig_len, tbs, sizeof(tbs)),
1189                             0))
1190         goto out;
1191 
1192     ret = 1;
1193  out:
1194     EVP_PKEY_CTX_free(ctx);
1195     OPENSSL_free(sig);
1196     EVP_PKEY_free(pkey);
1197     return ret;
1198 }
1199 
1200 #ifndef OPENSSL_NO_DEPRECATED_3_0
1201 static int test_EVP_PKEY_sign_with_app_method(int tst)
1202 {
1203     int ret = 0;
1204     EVP_PKEY *pkey = NULL;
1205     RSA *rsa = NULL;
1206     RSA_METHOD *rsa_meth = NULL;
1207 #ifndef OPENSSL_NO_DSA
1208     DSA *dsa = NULL;
1209     DSA_METHOD *dsa_meth = NULL;
1210 #endif
1211     unsigned char *sig = NULL;
1212     size_t sig_len = 0, shortsig_len = 1;
1213     EVP_PKEY_CTX *ctx = NULL;
1214     unsigned char tbs[] = {
1215         0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
1216         0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13
1217     };
1218 
1219     if (tst == 0) {
1220         if (!TEST_ptr(pkey = load_example_rsa_key()))
1221             goto out;
1222         if (!TEST_ptr(rsa_meth = RSA_meth_dup(RSA_get_default_method())))
1223             goto out;
1224 
1225         if (!TEST_ptr(rsa = EVP_PKEY_get1_RSA(pkey))
1226             || !TEST_int_gt(RSA_set_method(rsa, rsa_meth), 0)
1227             || !TEST_int_gt(EVP_PKEY_assign_RSA(pkey, rsa), 0))
1228             goto out;
1229         rsa = NULL; /* now owned by the pkey */
1230     } else {
1231 #ifndef OPENSSL_NO_DSA
1232         if (!TEST_ptr(pkey = load_example_dsa_key()))
1233                 goto out;
1234         if (!TEST_ptr(dsa_meth = DSA_meth_dup(DSA_get_default_method())))
1235             goto out;
1236 
1237         if (!TEST_ptr(dsa = EVP_PKEY_get1_DSA(pkey))
1238             || !TEST_int_gt(DSA_set_method(dsa, dsa_meth), 0)
1239             || !TEST_int_gt(EVP_PKEY_assign_DSA(pkey, dsa), 0))
1240             goto out;
1241         dsa = NULL; /* now owned by the pkey */
1242 #else
1243         ret = 1;
1244         goto out;
1245 #endif
1246     }
1247 
1248     ctx = EVP_PKEY_CTX_new_from_pkey(testctx, pkey, NULL);
1249     if (!TEST_ptr(ctx)
1250             || !TEST_int_gt(EVP_PKEY_sign_init(ctx), 0)
1251             || !TEST_int_gt(EVP_PKEY_sign(ctx, NULL, &sig_len, tbs,
1252                                           sizeof(tbs)), 0))
1253         goto out;
1254     sig = OPENSSL_malloc(sig_len);
1255     if (!TEST_ptr(sig)
1256             /* Test sending a signature buffer that is too short is rejected */
1257             || !TEST_int_le(EVP_PKEY_sign(ctx, sig, &shortsig_len, tbs,
1258                                           sizeof(tbs)), 0)
1259             || !TEST_int_gt(EVP_PKEY_sign(ctx, sig, &sig_len, tbs, sizeof(tbs)),
1260                             0)
1261             /* Test the signature round-trips */
1262             || !TEST_int_gt(EVP_PKEY_verify_init(ctx), 0)
1263             || !TEST_int_gt(EVP_PKEY_verify(ctx, sig, sig_len, tbs, sizeof(tbs)),
1264                             0))
1265         goto out;
1266 
1267     ret = 1;
1268  out:
1269     EVP_PKEY_CTX_free(ctx);
1270     OPENSSL_free(sig);
1271     EVP_PKEY_free(pkey);
1272     RSA_free(rsa);
1273     RSA_meth_free(rsa_meth);
1274 #ifndef OPENSSL_NO_DSA
1275     DSA_free(dsa);
1276     DSA_meth_free(dsa_meth);
1277 #endif
1278     return ret;
1279 }
1280 #endif /* !OPENSSL_NO_DEPRECATED_3_0 */
1281 
1282 /*
1283  * n = 0 => test using legacy cipher
1284  * n = 1 => test using fetched cipher
1285  */
1286 static int test_EVP_Enveloped(int n)
1287 {
1288     int ret = 0;
1289     EVP_CIPHER_CTX *ctx = NULL;
1290     EVP_PKEY *keypair = NULL;
1291     unsigned char *kek = NULL;
1292     unsigned char iv[EVP_MAX_IV_LENGTH];
1293     static const unsigned char msg[] = { 1, 2, 3, 4, 5, 6, 7, 8 };
1294     int len, kek_len, ciphertext_len, plaintext_len;
1295     unsigned char ciphertext[32], plaintext[16];
1296     EVP_CIPHER *type = NULL;
1297 
1298     if (nullprov != NULL)
1299         return TEST_skip("Test does not support a non-default library context");
1300 
1301     if (n == 0)
1302         type = (EVP_CIPHER *)EVP_aes_256_cbc();
1303     else if (!TEST_ptr(type = EVP_CIPHER_fetch(testctx, "AES-256-CBC",
1304                                                testpropq)))
1305         goto err;
1306 
1307     if (!TEST_ptr(keypair = load_example_rsa_key())
1308             || !TEST_ptr(kek = OPENSSL_zalloc(EVP_PKEY_get_size(keypair)))
1309             || !TEST_ptr(ctx = EVP_CIPHER_CTX_new())
1310             || !TEST_true(EVP_SealInit(ctx, type, &kek, &kek_len, iv,
1311                                        &keypair, 1))
1312             || !TEST_true(EVP_SealUpdate(ctx, ciphertext, &ciphertext_len,
1313                                          msg, sizeof(msg)))
1314             || !TEST_true(EVP_SealFinal(ctx, ciphertext + ciphertext_len,
1315                                         &len)))
1316         goto err;
1317 
1318     ciphertext_len += len;
1319 
1320     if (!TEST_true(EVP_OpenInit(ctx, type, kek, kek_len, iv, keypair))
1321             || !TEST_true(EVP_OpenUpdate(ctx, plaintext, &plaintext_len,
1322                                          ciphertext, ciphertext_len))
1323             || !TEST_true(EVP_OpenFinal(ctx, plaintext + plaintext_len, &len)))
1324         goto err;
1325 
1326     plaintext_len += len;
1327     if (!TEST_mem_eq(msg, sizeof(msg), plaintext, plaintext_len))
1328         goto err;
1329 
1330     ret = 1;
1331 err:
1332     if (n != 0)
1333         EVP_CIPHER_free(type);
1334     OPENSSL_free(kek);
1335     EVP_PKEY_free(keypair);
1336     EVP_CIPHER_CTX_free(ctx);
1337     return ret;
1338 }
1339 
1340 /*
1341  * Test 0: Standard calls to EVP_DigestSignInit/Update/Final (Implicit fetch digest, RSA)
1342  * Test 1: Standard calls to EVP_DigestSignInit/Update/Final (Implicit fetch digest, DSA)
1343  * Test 2: Standard calls to EVP_DigestSignInit/Update/Final (Implicit fetch digest, HMAC)
1344  * Test 3: Standard calls to EVP_DigestSignInit/Update/Final (Explicit fetch digest, RSA)
1345  * Test 4: Standard calls to EVP_DigestSignInit/Update/Final (Explicit fetch digest, DSA)
1346  * Test 5: Standard calls to EVP_DigestSignInit/Update/Final (Explicit fetch diegst, HMAC)
1347  * Test 6: Use an MD BIO to do the Update calls instead (RSA)
1348  * Test 7: Use an MD BIO to do the Update calls instead (DSA)
1349  * Test 8: Use an MD BIO to do the Update calls instead (HMAC)
1350  * Test 9: Use EVP_DigestSign (Implicit fetch digest, RSA, short sig)
1351  * Test 10: Use EVP_DigestSign (Implicit fetch digest, DSA, short sig)
1352  * Test 11: Use EVP_DigestSign (Implicit fetch digest, HMAC, short sig)
1353  * Test 12: Use EVP_DigestSign (Implicit fetch digest, RSA)
1354  * Test 13: Use EVP_DigestSign (Implicit fetch digest, DSA)
1355  * Test 14: Use EVP_DigestSign (Implicit fetch digest, HMAC)
1356  * Test 15-29: Same as above with reinitialization
1357  */
1358 static int test_EVP_DigestSignInit(int tst)
1359 {
1360     int ret = 0;
1361     EVP_PKEY *pkey = NULL;
1362     unsigned char *sig = NULL, *sig2 = NULL;
1363     size_t sig_len = 0, sig2_len = 0, shortsig_len = 1;
1364     EVP_MD_CTX *md_ctx = NULL, *md_ctx_verify = NULL;
1365     EVP_MD_CTX *a_md_ctx = NULL, *a_md_ctx_verify = NULL;
1366     BIO *mdbio = NULL, *membio = NULL;
1367     size_t written;
1368     const EVP_MD *md;
1369     EVP_MD *mdexp = NULL;
1370     int reinit = 0;
1371 
1372     if (nullprov != NULL)
1373         return TEST_skip("Test does not support a non-default library context");
1374 
1375     if (tst >= 15) {
1376         reinit = 1;
1377         tst -= 15;
1378     }
1379 
1380     if (tst >= 6 && tst <= 8) {
1381         membio = BIO_new(BIO_s_mem());
1382         mdbio = BIO_new(BIO_f_md());
1383         if (!TEST_ptr(membio) || !TEST_ptr(mdbio))
1384             goto out;
1385         BIO_push(mdbio, membio);
1386         if (!TEST_int_gt(BIO_get_md_ctx(mdbio, &md_ctx), 0))
1387             goto out;
1388     } else {
1389         if (!TEST_ptr(a_md_ctx = md_ctx = EVP_MD_CTX_new())
1390                 || !TEST_ptr(a_md_ctx_verify = md_ctx_verify = EVP_MD_CTX_new()))
1391             goto out;
1392     }
1393 
1394     if (tst % 3 == 0) {
1395         if (!TEST_ptr(pkey = load_example_rsa_key()))
1396                 goto out;
1397     } else if (tst % 3 == 1) {
1398 #ifndef OPENSSL_NO_DSA
1399         if (!TEST_ptr(pkey = load_example_dsa_key()))
1400                 goto out;
1401 #else
1402         ret = 1;
1403         goto out;
1404 #endif
1405     } else {
1406         if (!TEST_ptr(pkey = load_example_hmac_key()))
1407                 goto out;
1408     }
1409 
1410     if (tst >= 3 && tst <= 5)
1411         md = mdexp = EVP_MD_fetch(NULL, "SHA256", NULL);
1412     else
1413         md = EVP_sha256();
1414 
1415     if (!TEST_true(EVP_DigestSignInit(md_ctx, NULL, md, NULL, pkey)))
1416         goto out;
1417 
1418     if (reinit && !TEST_true(EVP_DigestSignInit(md_ctx, NULL, NULL, NULL, NULL)))
1419         goto out;
1420 
1421     if (tst >= 6 && tst <= 8) {
1422         if (!BIO_write_ex(mdbio, kMsg, sizeof(kMsg), &written))
1423             goto out;
1424     } else if (tst < 6) {
1425         if (!TEST_true(EVP_DigestSignUpdate(md_ctx, kMsg, sizeof(kMsg))))
1426             goto out;
1427     }
1428 
1429     if (tst >= 9) {
1430         /* Determine the size of the signature. */
1431         if (!TEST_true(EVP_DigestSign(md_ctx, NULL, &sig_len, kMsg,
1432                                       sizeof(kMsg)))
1433                 || !TEST_ptr(sig = OPENSSL_malloc(sig_len)))
1434             goto out;
1435         if (tst <= 11) {
1436             /* Test that supply a short sig buffer fails */
1437             if (!TEST_false(EVP_DigestSign(md_ctx, sig, &shortsig_len, kMsg,
1438                                            sizeof(kMsg))))
1439                 goto out;
1440             /*
1441              * We end here because once EVP_DigestSign() has failed you should
1442              * not call it again without re-initing the ctx
1443              */
1444             ret = 1;
1445             goto out;
1446         }
1447         if (!TEST_true(EVP_DigestSign(md_ctx, sig, &sig_len, kMsg,
1448                                       sizeof(kMsg))))
1449             goto out;
1450     } else {
1451         /* Determine the size of the signature. */
1452         if (!TEST_true(EVP_DigestSignFinal(md_ctx, NULL, &sig_len))
1453                 || !TEST_ptr(sig = OPENSSL_malloc(sig_len))
1454                 /*
1455                     * Trying to create a signature with a deliberately short
1456                     * buffer should fail.
1457                     */
1458                 || !TEST_false(EVP_DigestSignFinal(md_ctx, sig, &shortsig_len))
1459                 || !TEST_true(EVP_DigestSignFinal(md_ctx, sig, &sig_len)))
1460             goto out;
1461     }
1462 
1463     /*
1464      * Ensure that the signature round-trips (Verification isn't supported for
1465      * HMAC via EVP_DigestVerify*)
1466      */
1467     if (tst % 3 != 2) {
1468         if (tst >= 6 && tst <= 8) {
1469             if (!TEST_int_gt(BIO_reset(mdbio), 0)
1470                 || !TEST_int_gt(BIO_get_md_ctx(mdbio, &md_ctx_verify), 0))
1471                 goto out;
1472         }
1473 
1474         if (!TEST_true(EVP_DigestVerifyInit(md_ctx_verify, NULL, md,
1475                                             NULL, pkey)))
1476             goto out;
1477 
1478         if (tst >= 6 && tst <= 8) {
1479             if (!TEST_true(BIO_write_ex(mdbio, kMsg, sizeof(kMsg), &written)))
1480                 goto out;
1481         } else {
1482             if (!TEST_true(EVP_DigestVerifyUpdate(md_ctx_verify, kMsg,
1483                                                   sizeof(kMsg))))
1484                 goto out;
1485         }
1486         if (!TEST_int_gt(EVP_DigestVerifyFinal(md_ctx_verify, sig, sig_len), 0))
1487             goto out;
1488 
1489         /* Multiple calls to EVP_DigestVerifyFinal should work */
1490         if (!TEST_int_gt(EVP_DigestVerifyFinal(md_ctx_verify, sig, sig_len), 0))
1491             goto out;
1492     } else {
1493         /*
1494          * For HMAC a doubled call to DigestSignFinal should produce the same
1495          * value as finalization should not happen.
1496          */
1497         if (!TEST_true(EVP_DigestSignFinal(md_ctx, NULL, &sig2_len))
1498             || !TEST_ptr(sig2 = OPENSSL_malloc(sig2_len))
1499             || !TEST_true(EVP_DigestSignFinal(md_ctx, sig2, &sig2_len)))
1500             goto out;
1501 
1502         if (!TEST_mem_eq(sig, sig_len, sig2, sig2_len))
1503             goto out;
1504     }
1505 
1506     ret = 1;
1507 
1508  out:
1509     BIO_free(membio);
1510     BIO_free(mdbio);
1511     EVP_MD_CTX_free(a_md_ctx);
1512     EVP_MD_CTX_free(a_md_ctx_verify);
1513     EVP_PKEY_free(pkey);
1514     OPENSSL_free(sig);
1515     OPENSSL_free(sig2);
1516     EVP_MD_free(mdexp);
1517 
1518     return ret;
1519 }
1520 
1521 static int test_EVP_DigestVerifyInit(void)
1522 {
1523     int ret = 0;
1524     EVP_PKEY *pkey = NULL;
1525     EVP_MD_CTX *md_ctx = NULL;
1526 
1527     if (nullprov != NULL)
1528         return TEST_skip("Test does not support a non-default library context");
1529 
1530     if (!TEST_ptr(md_ctx = EVP_MD_CTX_new())
1531             || !TEST_ptr(pkey = load_example_rsa_key()))
1532         goto out;
1533 
1534     if (!TEST_true(EVP_DigestVerifyInit(md_ctx, NULL, EVP_sha256(), NULL, pkey))
1535             || !TEST_true(EVP_DigestVerifyUpdate(md_ctx, kMsg, sizeof(kMsg)))
1536             || !TEST_int_gt(EVP_DigestVerifyFinal(md_ctx, kSignature,
1537                                                  sizeof(kSignature)), 0))
1538         goto out;
1539 
1540     /* test with reinitialization */
1541     if (!TEST_true(EVP_DigestVerifyInit(md_ctx, NULL, NULL, NULL, NULL))
1542             || !TEST_true(EVP_DigestVerifyUpdate(md_ctx, kMsg, sizeof(kMsg)))
1543             || !TEST_int_gt(EVP_DigestVerifyFinal(md_ctx, kSignature,
1544                                                  sizeof(kSignature)), 0))
1545         goto out;
1546     ret = 1;
1547 
1548  out:
1549     EVP_MD_CTX_free(md_ctx);
1550     EVP_PKEY_free(pkey);
1551     return ret;
1552 }
1553 
1554 #ifndef OPENSSL_NO_SIPHASH
1555 /* test SIPHASH MAC via EVP_PKEY with non-default parameters and reinit */
1556 static int test_siphash_digestsign(void)
1557 {
1558     unsigned char key[16];
1559     unsigned char buf[8], digest[8];
1560     unsigned char expected[8] = {
1561         0x6d, 0x3e, 0x54, 0xc2, 0x2f, 0xf1, 0xfe, 0xe2
1562     };
1563     EVP_PKEY *pkey = NULL;
1564     EVP_MD_CTX *mdctx = NULL;
1565     EVP_PKEY_CTX *ctx = NULL;
1566     int ret = 0;
1567     size_t len = 8;
1568 
1569     if (nullprov != NULL)
1570         return TEST_skip("Test does not support a non-default library context");
1571 
1572     memset(buf, 0, 8);
1573     memset(key, 1, 16);
1574     if (!TEST_ptr(pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_SIPHASH, NULL,
1575                                                       key, 16)))
1576         goto out;
1577 
1578     if (!TEST_ptr(mdctx = EVP_MD_CTX_create()))
1579         goto out;
1580 
1581     if (!TEST_true(EVP_DigestSignInit(mdctx, &ctx, NULL, NULL, pkey)))
1582         goto out;
1583     if (!TEST_int_eq(EVP_PKEY_CTX_ctrl(ctx, -1, EVP_PKEY_OP_SIGNCTX,
1584                                        EVP_PKEY_CTRL_SET_DIGEST_SIZE,
1585                                        8, NULL), 1))
1586         goto out;
1587     /* reinitialize */
1588     if (!TEST_true(EVP_DigestSignInit(mdctx, NULL, NULL, NULL, NULL)))
1589         goto out;
1590     if (!TEST_true(EVP_DigestSignUpdate(mdctx, buf, 8)))
1591         goto out;
1592     if (!TEST_true(EVP_DigestSignFinal(mdctx, digest, &len)))
1593         goto out;
1594     if (!TEST_mem_eq(digest, len, expected, sizeof(expected)))
1595         goto out;
1596 
1597     ret = 1;
1598  out:
1599     EVP_PKEY_free(pkey);
1600     EVP_MD_CTX_free(mdctx);
1601     return ret;
1602 }
1603 #endif
1604 
1605 /*
1606  * Test corner cases of EVP_DigestInit/Update/Final API call behavior.
1607  */
1608 static int test_EVP_Digest(void)
1609 {
1610     int ret = 0;
1611     EVP_MD_CTX *md_ctx = NULL;
1612     unsigned char md[EVP_MAX_MD_SIZE];
1613     EVP_MD *sha256 = NULL;
1614     EVP_MD *shake256 = NULL;
1615 
1616     if (!TEST_ptr(md_ctx = EVP_MD_CTX_new()))
1617         goto out;
1618 
1619     if (!TEST_ptr(sha256 = EVP_MD_fetch(testctx, "sha256", testpropq))
1620             || !TEST_ptr(shake256 = EVP_MD_fetch(testctx, "shake256", testpropq)))
1621         goto out;
1622 
1623     if (!TEST_true(EVP_DigestInit_ex(md_ctx, sha256, NULL))
1624             || !TEST_true(EVP_DigestUpdate(md_ctx, kMsg, sizeof(kMsg)))
1625             || !TEST_true(EVP_DigestFinal(md_ctx, md, NULL))
1626             /* EVP_DigestFinal resets the EVP_MD_CTX. */
1627             || !TEST_ptr_eq(EVP_MD_CTX_get0_md(md_ctx), NULL))
1628         goto out;
1629 
1630     if (!TEST_true(EVP_DigestInit_ex(md_ctx, sha256, NULL))
1631             || !TEST_true(EVP_DigestUpdate(md_ctx, kMsg, sizeof(kMsg)))
1632             || !TEST_true(EVP_DigestFinal_ex(md_ctx, md, NULL))
1633             /* EVP_DigestFinal_ex does not reset the EVP_MD_CTX. */
1634             || !TEST_ptr(EVP_MD_CTX_get0_md(md_ctx))
1635             /*
1636              * EVP_DigestInit_ex with NULL type should work on
1637              * pre-initialized context.
1638              */
1639             || !TEST_true(EVP_DigestInit_ex(md_ctx, NULL, NULL)))
1640         goto out;
1641 
1642     if (!TEST_true(EVP_DigestInit_ex(md_ctx, shake256, NULL))
1643             || !TEST_true(EVP_DigestUpdate(md_ctx, kMsg, sizeof(kMsg)))
1644             || !TEST_true(EVP_DigestFinalXOF(md_ctx, md, sizeof(md)))
1645             /* EVP_DigestFinalXOF does not reset the EVP_MD_CTX. */
1646             || !TEST_ptr(EVP_MD_CTX_get0_md(md_ctx))
1647             || !TEST_true(EVP_DigestInit_ex(md_ctx, NULL, NULL)))
1648         goto out;
1649     ret = 1;
1650 
1651  out:
1652     EVP_MD_CTX_free(md_ctx);
1653     EVP_MD_free(sha256);
1654     EVP_MD_free(shake256);
1655     return ret;
1656 }
1657 
1658 static int test_EVP_md_null(void)
1659 {
1660     int ret = 0;
1661     EVP_MD_CTX *md_ctx = NULL;
1662     const EVP_MD *md_null = EVP_md_null();
1663     unsigned char md_value[EVP_MAX_MD_SIZE];
1664     unsigned int md_len = sizeof(md_value);
1665 
1666     if (nullprov != NULL)
1667         return TEST_skip("Test does not support a non-default library context");
1668 
1669     if (!TEST_ptr(md_null)
1670         || !TEST_ptr(md_ctx = EVP_MD_CTX_new()))
1671         goto out;
1672 
1673     if (!TEST_true(EVP_DigestInit_ex(md_ctx, md_null, NULL))
1674         || !TEST_true(EVP_DigestUpdate(md_ctx, "test", 4))
1675         || !TEST_true(EVP_DigestFinal_ex(md_ctx, md_value, &md_len)))
1676         goto out;
1677 
1678     if (!TEST_uint_eq(md_len, 0))
1679         goto out;
1680 
1681     ret = 1;
1682  out:
1683     EVP_MD_CTX_free(md_ctx);
1684     return ret;
1685 }
1686 
1687 static int test_d2i_AutoPrivateKey(int i)
1688 {
1689     int ret = 0;
1690     const unsigned char *p;
1691     EVP_PKEY *pkey = NULL;
1692     const APK_DATA *ak = &keydata[i];
1693     const unsigned char *input = ak->kder;
1694     size_t input_len = ak->size;
1695     int expected_id = ak->evptype;
1696 
1697     p = input;
1698     if (!TEST_ptr(pkey = d2i_AutoPrivateKey(NULL, &p, input_len))
1699             || !TEST_ptr_eq(p, input + input_len)
1700             || !TEST_int_eq(EVP_PKEY_get_id(pkey), expected_id))
1701         goto done;
1702 
1703     ret = 1;
1704 
1705  done:
1706     EVP_PKEY_free(pkey);
1707     return ret;
1708 }
1709 
1710 #ifndef OPENSSL_NO_EC
1711 
1712 static const unsigned char ec_public_sect163k1_validxy[] = {
1713     0x30, 0x40, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02,
1714     0x01, 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x01, 0x03, 0x2c, 0x00, 0x04,
1715     0x02, 0x84, 0x58, 0xa6, 0xd4, 0xa0, 0x35, 0x2b, 0xae, 0xf0, 0xc0, 0x69,
1716     0x05, 0xcf, 0x2a, 0x50, 0x33, 0xf9, 0xe3, 0x92, 0x79, 0x02, 0xd1, 0x7b,
1717     0x9f, 0x22, 0x00, 0xf0, 0x3b, 0x0e, 0x5d, 0x2e, 0xb7, 0x23, 0x24, 0xf3,
1718     0x6a, 0xd8, 0x17, 0x65, 0x41, 0x2f
1719 };
1720 
1721 static const unsigned char ec_public_sect163k1_badx[] = {
1722     0x30, 0x40, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02,
1723     0x01, 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x01, 0x03, 0x2c, 0x00, 0x04,
1724     0x0a, 0x84, 0x58, 0xa6, 0xd4, 0xa0, 0x35, 0x2b, 0xae, 0xf0, 0xc0, 0x69,
1725     0x05, 0xcf, 0x2a, 0x50, 0x33, 0xf9, 0xe3, 0x92, 0xb0, 0x02, 0xd1, 0x7b,
1726     0x9f, 0x22, 0x00, 0xf0, 0x3b, 0x0e, 0x5d, 0x2e, 0xb7, 0x23, 0x24, 0xf3,
1727     0x6a, 0xd8, 0x17, 0x65, 0x41, 0x2f
1728 };
1729 
1730 static const unsigned char ec_public_sect163k1_bady[] = {
1731     0x30, 0x40, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02,
1732     0x01, 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x01, 0x03, 0x2c, 0x00, 0x04,
1733     0x02, 0x84, 0x58, 0xa6, 0xd4, 0xa0, 0x35, 0x2b, 0xae, 0xf0, 0xc0, 0x69,
1734     0x05, 0xcf, 0x2a, 0x50, 0x33, 0xf9, 0xe3, 0x92, 0x79, 0x0a, 0xd1, 0x7b,
1735     0x9f, 0x22, 0x00, 0xf0, 0x3b, 0x0e, 0x5d, 0x2e, 0xb7, 0x23, 0x24, 0xf3,
1736     0x6a, 0xd8, 0x17, 0x65, 0x41, 0xe6
1737 };
1738 
1739 static struct ec_der_pub_keys_st {
1740     const unsigned char *der;
1741     size_t len;
1742     int valid;
1743 } ec_der_pub_keys[] = {
1744     { ec_public_sect163k1_validxy, sizeof(ec_public_sect163k1_validxy), 1 },
1745     { ec_public_sect163k1_badx, sizeof(ec_public_sect163k1_badx), 0 },
1746     { ec_public_sect163k1_bady, sizeof(ec_public_sect163k1_bady), 0 },
1747 };
1748 
1749 /*
1750  * Tests the range of the decoded EC char2 public point.
1751  * See ec_GF2m_simple_oct2point().
1752  */
1753 static int test_invalide_ec_char2_pub_range_decode(int id)
1754 {
1755     int ret = 0;
1756     EVP_PKEY *pkey;
1757 
1758     pkey = load_example_key("EC", ec_der_pub_keys[id].der,
1759                             ec_der_pub_keys[id].len);
1760 
1761     ret = (ec_der_pub_keys[id].valid && TEST_ptr(pkey))
1762           || TEST_ptr_null(pkey);
1763     EVP_PKEY_free(pkey);
1764     return ret;
1765 }
1766 
1767 /* Tests loading a bad key in PKCS8 format */
1768 static int test_EVP_PKCS82PKEY(void)
1769 {
1770     int ret = 0;
1771     const unsigned char *derp = kExampleBadECKeyDER;
1772     PKCS8_PRIV_KEY_INFO *p8inf = NULL;
1773     EVP_PKEY *pkey = NULL;
1774 
1775     if (!TEST_ptr(p8inf = d2i_PKCS8_PRIV_KEY_INFO(NULL, &derp,
1776                                               sizeof(kExampleBadECKeyDER))))
1777         goto done;
1778 
1779     if (!TEST_ptr_eq(derp,
1780                      kExampleBadECKeyDER + sizeof(kExampleBadECKeyDER)))
1781         goto done;
1782 
1783     if (!TEST_ptr_null(pkey = EVP_PKCS82PKEY(p8inf)))
1784         goto done;
1785 
1786     ret = 1;
1787 
1788  done:
1789     PKCS8_PRIV_KEY_INFO_free(p8inf);
1790     EVP_PKEY_free(pkey);
1791 
1792     return ret;
1793 }
1794 
1795 #endif
1796 static int test_EVP_PKCS82PKEY_wrong_tag(void)
1797 {
1798     EVP_PKEY *pkey = NULL;
1799     EVP_PKEY *pkey2 = NULL;
1800     BIO *membio = NULL;
1801     char *membuf = NULL;
1802     PKCS8_PRIV_KEY_INFO *p8inf = NULL;
1803     int ok = 0;
1804 
1805     if (testctx != NULL)
1806         /* test not supported with non-default context */
1807         return 1;
1808 
1809     if (!TEST_ptr(membio = BIO_new(BIO_s_mem()))
1810         || !TEST_ptr(pkey = load_example_rsa_key())
1811         || !TEST_int_gt(i2d_PKCS8PrivateKey_bio(membio, pkey, NULL,
1812                                                 NULL, 0, NULL, NULL),
1813                         0)
1814         || !TEST_int_gt(BIO_get_mem_data(membio, &membuf), 0)
1815         || !TEST_ptr(p8inf = d2i_PKCS8_PRIV_KEY_INFO_bio(membio, NULL))
1816         || !TEST_ptr(pkey2 = EVP_PKCS82PKEY(p8inf))
1817         || !TEST_int_eq(ERR_peek_last_error(), 0)) {
1818         goto done;
1819     }
1820 
1821     ok = 1;
1822  done:
1823     EVP_PKEY_free(pkey);
1824     EVP_PKEY_free(pkey2);
1825     PKCS8_PRIV_KEY_INFO_free(p8inf);
1826     BIO_free_all(membio);
1827     return ok;
1828 }
1829 
1830 /* This uses kExampleRSAKeyDER and kExampleRSAKeyPKCS8 to verify encoding */
1831 static int test_privatekey_to_pkcs8(void)
1832 {
1833     EVP_PKEY *pkey = NULL;
1834     BIO *membio = NULL;
1835     char *membuf = NULL;
1836     long membuf_len = 0;
1837     int ok = 0;
1838 
1839     if (!TEST_ptr(membio = BIO_new(BIO_s_mem()))
1840         || !TEST_ptr(pkey = load_example_rsa_key())
1841         || !TEST_int_gt(i2d_PKCS8PrivateKey_bio(membio, pkey, NULL,
1842                                                 NULL, 0, NULL, NULL),
1843                         0)
1844         || !TEST_int_gt(membuf_len = BIO_get_mem_data(membio, &membuf), 0)
1845         || !TEST_ptr(membuf)
1846         || !TEST_mem_eq(membuf, (size_t)membuf_len,
1847                         kExampleRSAKeyPKCS8, sizeof(kExampleRSAKeyPKCS8))
1848         /*
1849          * We try to write PEM as well, just to see that it doesn't err, but
1850          * assume that the result is correct.
1851          */
1852         || !TEST_int_gt(PEM_write_bio_PKCS8PrivateKey(membio, pkey, NULL,
1853                                                       NULL, 0, NULL, NULL),
1854                         0))
1855         goto done;
1856 
1857     ok = 1;
1858  done:
1859     EVP_PKEY_free(pkey);
1860     BIO_free_all(membio);
1861     return ok;
1862 }
1863 
1864 #ifndef OPENSSL_NO_EC
1865 static const struct {
1866     int encoding;
1867     const char *encoding_name;
1868 } ec_encodings[] = {
1869     { OPENSSL_EC_EXPLICIT_CURVE, OSSL_PKEY_EC_ENCODING_EXPLICIT },
1870     { OPENSSL_EC_NAMED_CURVE,    OSSL_PKEY_EC_ENCODING_GROUP }
1871 };
1872 
1873 static int ec_export_get_encoding_cb(const OSSL_PARAM params[], void *arg)
1874 {
1875     const OSSL_PARAM *p;
1876     const char *enc_name = NULL;
1877     int *enc = arg;
1878     size_t i;
1879 
1880     *enc = -1;
1881 
1882     if (!TEST_ptr(p = OSSL_PARAM_locate_const(params,
1883                                               OSSL_PKEY_PARAM_EC_ENCODING))
1884         || !TEST_true(OSSL_PARAM_get_utf8_string_ptr(p, &enc_name)))
1885         return 0;
1886 
1887     for (i = 0; i < OSSL_NELEM(ec_encodings); i++) {
1888         if (OPENSSL_strcasecmp(enc_name, ec_encodings[i].encoding_name) == 0) {
1889             *enc = ec_encodings[i].encoding;
1890             break;
1891         }
1892     }
1893 
1894     return (*enc != -1);
1895 }
1896 
1897 static int test_EC_keygen_with_enc(int idx)
1898 {
1899     EVP_PKEY *params = NULL, *key = NULL;
1900     EVP_PKEY_CTX *pctx = NULL, *kctx = NULL;
1901     int enc;
1902     int ret = 0;
1903 
1904     enc = ec_encodings[idx].encoding;
1905 
1906     /* Create key parameters */
1907     if (!TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(testctx, "EC", NULL))
1908         || !TEST_int_gt(EVP_PKEY_paramgen_init(pctx), 0)
1909         || !TEST_int_gt(EVP_PKEY_CTX_set_group_name(pctx, "P-256"), 0)
1910         || !TEST_int_gt(EVP_PKEY_CTX_set_ec_param_enc(pctx, enc), 0)
1911         || !TEST_true(EVP_PKEY_paramgen(pctx, &params))
1912         || !TEST_ptr(params))
1913         goto done;
1914 
1915     /* Create key */
1916     if (!TEST_ptr(kctx = EVP_PKEY_CTX_new_from_pkey(testctx, params, NULL))
1917         || !TEST_int_gt(EVP_PKEY_keygen_init(kctx), 0)
1918         || !TEST_true(EVP_PKEY_keygen(kctx, &key))
1919         || !TEST_ptr(key))
1920         goto done;
1921 
1922     /* Check that the encoding got all the way into the key */
1923     if (!TEST_true(evp_keymgmt_util_export(key, OSSL_KEYMGMT_SELECT_ALL,
1924                                            ec_export_get_encoding_cb, &enc))
1925         || !TEST_int_eq(enc, ec_encodings[idx].encoding))
1926         goto done;
1927 
1928     ret = 1;
1929  done:
1930     EVP_PKEY_free(key);
1931     EVP_PKEY_free(params);
1932     EVP_PKEY_CTX_free(kctx);
1933     EVP_PKEY_CTX_free(pctx);
1934     return ret;
1935 }
1936 #endif
1937 
1938 #if !defined(OPENSSL_NO_SM2)
1939 
1940 static int test_EVP_SM2_verify(void)
1941 {
1942     const char *pubkey =
1943         "-----BEGIN PUBLIC KEY-----\n"
1944         "MFkwEwYHKoZIzj0CAQYIKoEcz1UBgi0DQgAEp1KLWq1ZE2jmoAnnBJE1LBGxVr18\n"
1945         "YvvqECWCpXfAQ9qUJ+UmthnUPf0iM3SaXKHe6PlLIDyNlWMWb9RUh/yU3g==\n"
1946         "-----END PUBLIC KEY-----\n";
1947 
1948     const char *msg = "message digest";
1949     const char *id = "ALICE123@YAHOO.COM";
1950 
1951     const uint8_t signature[] = {
1952         0x30, 0x44, 0x02, 0x20, 0x5b, 0xdb, 0xab, 0x81, 0x4f, 0xbb,
1953         0x8b, 0x69, 0xb1, 0x05, 0x9c, 0x99, 0x3b, 0xb2, 0x45, 0x06,
1954         0x4a, 0x30, 0x15, 0x59, 0x84, 0xcd, 0xee, 0x30, 0x60, 0x36,
1955         0x57, 0x87, 0xef, 0x5c, 0xd0, 0xbe, 0x02, 0x20, 0x43, 0x8d,
1956         0x1f, 0xc7, 0x77, 0x72, 0x39, 0xbb, 0x72, 0xe1, 0xfd, 0x07,
1957         0x58, 0xd5, 0x82, 0xc8, 0x2d, 0xba, 0x3b, 0x2c, 0x46, 0x24,
1958         0xe3, 0x50, 0xff, 0x04, 0xc7, 0xa0, 0x71, 0x9f, 0xa4, 0x70
1959     };
1960 
1961     int rc = 0;
1962     BIO *bio = NULL;
1963     EVP_PKEY *pkey = NULL;
1964     EVP_MD_CTX *mctx = NULL;
1965     EVP_PKEY_CTX *pctx = NULL;
1966     EVP_MD *sm3 = NULL;
1967 
1968     bio = BIO_new_mem_buf(pubkey, strlen(pubkey));
1969     if (!TEST_true(bio != NULL))
1970         goto done;
1971 
1972     pkey = PEM_read_bio_PUBKEY_ex(bio, NULL, NULL, NULL, testctx, testpropq);
1973     if (!TEST_true(pkey != NULL))
1974         goto done;
1975 
1976     if (!TEST_true(EVP_PKEY_is_a(pkey, "SM2")))
1977         goto done;
1978 
1979     if (!TEST_ptr(mctx = EVP_MD_CTX_new()))
1980         goto done;
1981 
1982     if (!TEST_ptr(pctx = EVP_PKEY_CTX_new_from_pkey(testctx, pkey, testpropq)))
1983         goto done;
1984 
1985     EVP_MD_CTX_set_pkey_ctx(mctx, pctx);
1986 
1987     if (!TEST_ptr(sm3 = EVP_MD_fetch(testctx, "sm3", testpropq)))
1988         goto done;
1989 
1990     if (!TEST_true(EVP_DigestVerifyInit(mctx, NULL, sm3, NULL, pkey)))
1991         goto done;
1992 
1993     if (!TEST_int_gt(EVP_PKEY_CTX_set1_id(pctx, id, strlen(id)), 0))
1994         goto done;
1995 
1996     if (!TEST_true(EVP_DigestVerifyUpdate(mctx, msg, strlen(msg))))
1997         goto done;
1998 
1999     if (!TEST_int_gt(EVP_DigestVerifyFinal(mctx, signature, sizeof(signature)), 0))
2000         goto done;
2001     rc = 1;
2002 
2003  done:
2004     BIO_free(bio);
2005     EVP_PKEY_free(pkey);
2006     EVP_PKEY_CTX_free(pctx);
2007     EVP_MD_CTX_free(mctx);
2008     EVP_MD_free(sm3);
2009     return rc;
2010 }
2011 
2012 static int test_EVP_SM2(void)
2013 {
2014     int ret = 0;
2015     EVP_PKEY *pkey = NULL;
2016     EVP_PKEY *pkeyparams = NULL;
2017     EVP_PKEY_CTX *pctx = NULL;
2018     EVP_PKEY_CTX *kctx = NULL;
2019     EVP_PKEY_CTX *sctx = NULL;
2020     size_t sig_len = 0;
2021     unsigned char *sig = NULL;
2022     EVP_MD_CTX *md_ctx = NULL;
2023     EVP_MD_CTX *md_ctx_verify = NULL;
2024     EVP_PKEY_CTX *cctx = NULL;
2025     EVP_MD *check_md = NULL;
2026 
2027     uint8_t ciphertext[128];
2028     size_t ctext_len = sizeof(ciphertext);
2029 
2030     uint8_t plaintext[8];
2031     size_t ptext_len = sizeof(plaintext);
2032 
2033     uint8_t sm2_id[] = {1, 2, 3, 4, 'l', 'e', 't', 't', 'e', 'r'};
2034 
2035     OSSL_PARAM sparams[2] = {OSSL_PARAM_END, OSSL_PARAM_END};
2036     OSSL_PARAM gparams[2] = {OSSL_PARAM_END, OSSL_PARAM_END};
2037     int i;
2038     char mdname[OSSL_MAX_NAME_SIZE];
2039 
2040     if (!TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(testctx,
2041                                                     "SM2", testpropq)))
2042         goto done;
2043 
2044     if (!TEST_true(EVP_PKEY_paramgen_init(pctx) == 1))
2045         goto done;
2046 
2047     if (!TEST_int_gt(EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, NID_sm2), 0))
2048         goto done;
2049 
2050     if (!TEST_true(EVP_PKEY_paramgen(pctx, &pkeyparams)))
2051         goto done;
2052 
2053     if (!TEST_ptr(kctx = EVP_PKEY_CTX_new_from_pkey(testctx,
2054                                                     pkeyparams, testpropq)))
2055         goto done;
2056 
2057     if (!TEST_int_gt(EVP_PKEY_keygen_init(kctx), 0))
2058         goto done;
2059 
2060     if (!TEST_true(EVP_PKEY_keygen(kctx, &pkey)))
2061         goto done;
2062 
2063     if (!TEST_ptr(md_ctx = EVP_MD_CTX_new()))
2064         goto done;
2065 
2066     if (!TEST_ptr(md_ctx_verify = EVP_MD_CTX_new()))
2067         goto done;
2068 
2069     if (!TEST_ptr(sctx = EVP_PKEY_CTX_new_from_pkey(testctx, pkey, testpropq)))
2070         goto done;
2071 
2072     EVP_MD_CTX_set_pkey_ctx(md_ctx, sctx);
2073     EVP_MD_CTX_set_pkey_ctx(md_ctx_verify, sctx);
2074 
2075     if (!TEST_ptr(check_md = EVP_MD_fetch(testctx, "sm3", testpropq)))
2076         goto done;
2077 
2078     if (!TEST_true(EVP_DigestSignInit(md_ctx, NULL, check_md, NULL, pkey)))
2079         goto done;
2080 
2081     if (!TEST_int_gt(EVP_PKEY_CTX_set1_id(sctx, sm2_id, sizeof(sm2_id)), 0))
2082         goto done;
2083 
2084     if (!TEST_true(EVP_DigestSignUpdate(md_ctx, kMsg, sizeof(kMsg))))
2085         goto done;
2086 
2087     /* Determine the size of the signature. */
2088     if (!TEST_true(EVP_DigestSignFinal(md_ctx, NULL, &sig_len)))
2089         goto done;
2090 
2091     if (!TEST_ptr(sig = OPENSSL_malloc(sig_len)))
2092         goto done;
2093 
2094     if (!TEST_true(EVP_DigestSignFinal(md_ctx, sig, &sig_len)))
2095         goto done;
2096 
2097     /* Ensure that the signature round-trips. */
2098 
2099     if (!TEST_true(EVP_DigestVerifyInit(md_ctx_verify, NULL, check_md, NULL,
2100                                         pkey)))
2101         goto done;
2102 
2103     if (!TEST_int_gt(EVP_PKEY_CTX_set1_id(sctx, sm2_id, sizeof(sm2_id)), 0))
2104         goto done;
2105 
2106     if (!TEST_true(EVP_DigestVerifyUpdate(md_ctx_verify, kMsg, sizeof(kMsg))))
2107         goto done;
2108 
2109     if (!TEST_int_gt(EVP_DigestVerifyFinal(md_ctx_verify, sig, sig_len), 0))
2110         goto done;
2111 
2112     /*
2113      * Try verify again with non-matching 0 length id but ensure that it can
2114      * be set on the context and overrides the previous value.
2115      */
2116 
2117     if (!TEST_true(EVP_DigestVerifyInit(md_ctx_verify, NULL, check_md, NULL,
2118                                         pkey)))
2119         goto done;
2120 
2121     if (!TEST_int_gt(EVP_PKEY_CTX_set1_id(sctx, NULL, 0), 0))
2122         goto done;
2123 
2124     if (!TEST_true(EVP_DigestVerifyUpdate(md_ctx_verify, kMsg, sizeof(kMsg))))
2125         goto done;
2126 
2127     if (!TEST_int_eq(EVP_DigestVerifyFinal(md_ctx_verify, sig, sig_len), 0))
2128         goto done;
2129 
2130     /* now check encryption/decryption */
2131 
2132     gparams[0] = OSSL_PARAM_construct_utf8_string(OSSL_ASYM_CIPHER_PARAM_DIGEST,
2133                                                   mdname, sizeof(mdname));
2134     for (i = 0; i < 2; i++) {
2135         const char *mdnames[] = {
2136 #ifndef OPENSSL_NO_SM3
2137             "SM3",
2138 #else
2139             NULL,
2140 #endif
2141             "SHA2-256" };
2142         EVP_PKEY_CTX_free(cctx);
2143 
2144         if (mdnames[i] == NULL)
2145             continue;
2146 
2147         sparams[0] =
2148             OSSL_PARAM_construct_utf8_string(OSSL_ASYM_CIPHER_PARAM_DIGEST,
2149                                              (char *)mdnames[i], 0);
2150 
2151         if (!TEST_ptr(cctx = EVP_PKEY_CTX_new_from_pkey(testctx,
2152                                                         pkey, testpropq)))
2153             goto done;
2154 
2155         if (!TEST_true(EVP_PKEY_encrypt_init(cctx)))
2156             goto done;
2157 
2158         if (!TEST_true(EVP_PKEY_CTX_set_params(cctx, sparams)))
2159             goto done;
2160 
2161         if (!TEST_true(EVP_PKEY_encrypt(cctx, ciphertext, &ctext_len, kMsg,
2162                                         sizeof(kMsg))))
2163             goto done;
2164 
2165         if (!TEST_int_gt(EVP_PKEY_decrypt_init(cctx), 0))
2166             goto done;
2167 
2168         if (!TEST_true(EVP_PKEY_CTX_set_params(cctx, sparams)))
2169             goto done;
2170 
2171         if (!TEST_int_gt(EVP_PKEY_decrypt(cctx, plaintext, &ptext_len, ciphertext,
2172                                         ctext_len), 0))
2173             goto done;
2174 
2175         if (!TEST_true(EVP_PKEY_CTX_get_params(cctx, gparams)))
2176             goto done;
2177 
2178         /*
2179          * Test we're still using the digest we think we are.
2180          * Because of aliases, the easiest is to fetch the digest and
2181          * check the name with EVP_MD_is_a().
2182          */
2183         EVP_MD_free(check_md);
2184         if (!TEST_ptr(check_md = EVP_MD_fetch(testctx, mdname, testpropq)))
2185             goto done;
2186         if (!TEST_true(EVP_MD_is_a(check_md, mdnames[i]))) {
2187             TEST_info("Fetched md %s isn't %s", mdname, mdnames[i]);
2188             goto done;
2189         }
2190 
2191         if (!TEST_true(ptext_len == sizeof(kMsg)))
2192             goto done;
2193 
2194         if (!TEST_true(memcmp(plaintext, kMsg, sizeof(kMsg)) == 0))
2195             goto done;
2196     }
2197 
2198     ret = 1;
2199 done:
2200     EVP_PKEY_CTX_free(pctx);
2201     EVP_PKEY_CTX_free(kctx);
2202     EVP_PKEY_CTX_free(sctx);
2203     EVP_PKEY_CTX_free(cctx);
2204     EVP_PKEY_free(pkey);
2205     EVP_PKEY_free(pkeyparams);
2206     EVP_MD_CTX_free(md_ctx);
2207     EVP_MD_CTX_free(md_ctx_verify);
2208     EVP_MD_free(check_md);
2209     OPENSSL_free(sig);
2210     return ret;
2211 }
2212 
2213 #endif
2214 
2215 static struct keys_st {
2216     int type;
2217     char *priv;
2218     char *pub;
2219 } keys[] = {
2220     {
2221         EVP_PKEY_HMAC, "0123456789", NULL
2222     },
2223     {
2224         EVP_PKEY_HMAC, "", NULL
2225 #ifndef OPENSSL_NO_POLY1305
2226     }, {
2227         EVP_PKEY_POLY1305, "01234567890123456789012345678901", NULL
2228 #endif
2229 #ifndef OPENSSL_NO_SIPHASH
2230     }, {
2231         EVP_PKEY_SIPHASH, "0123456789012345", NULL
2232 #endif
2233     },
2234 #ifndef OPENSSL_NO_EC
2235     {
2236         EVP_PKEY_X25519, "01234567890123456789012345678901",
2237         "abcdefghijklmnopqrstuvwxyzabcdef"
2238     }, {
2239         EVP_PKEY_ED25519, "01234567890123456789012345678901",
2240         "abcdefghijklmnopqrstuvwxyzabcdef"
2241     }, {
2242         EVP_PKEY_X448,
2243         "01234567890123456789012345678901234567890123456789012345",
2244         "abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcd"
2245     }, {
2246         EVP_PKEY_ED448,
2247         "012345678901234567890123456789012345678901234567890123456",
2248         "abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcde"
2249     }
2250 #endif
2251 };
2252 
2253 static int test_set_get_raw_keys_int(int tst, int pub, int uselibctx)
2254 {
2255     int ret = 0;
2256     unsigned char buf[80];
2257     unsigned char *in;
2258     size_t inlen, len = 0, shortlen = 1;
2259     EVP_PKEY *pkey;
2260 
2261     /* Check if this algorithm supports public keys */
2262     if (pub && keys[tst].pub == NULL)
2263         return 1;
2264 
2265     memset(buf, 0, sizeof(buf));
2266 
2267     if (pub) {
2268 #ifndef OPENSSL_NO_EC
2269         inlen = strlen(keys[tst].pub);
2270         in = (unsigned char *)keys[tst].pub;
2271         if (uselibctx) {
2272             pkey = EVP_PKEY_new_raw_public_key_ex(
2273                         testctx,
2274                         OBJ_nid2sn(keys[tst].type),
2275                         NULL,
2276                         in,
2277                         inlen);
2278         } else {
2279             pkey = EVP_PKEY_new_raw_public_key(keys[tst].type,
2280                                                NULL,
2281                                                in,
2282                                                inlen);
2283         }
2284 #else
2285         return 1;
2286 #endif
2287     } else {
2288         inlen = strlen(keys[tst].priv);
2289         in = (unsigned char *)keys[tst].priv;
2290         if (uselibctx) {
2291             pkey = EVP_PKEY_new_raw_private_key_ex(
2292                         testctx, OBJ_nid2sn(keys[tst].type),
2293                         NULL,
2294                         in,
2295                         inlen);
2296         } else {
2297             pkey = EVP_PKEY_new_raw_private_key(keys[tst].type,
2298                                                 NULL,
2299                                                 in,
2300                                                 inlen);
2301         }
2302     }
2303 
2304     if (!TEST_ptr(pkey)
2305             || !TEST_int_eq(EVP_PKEY_eq(pkey, pkey), 1)
2306             || (!pub && !TEST_true(EVP_PKEY_get_raw_private_key(pkey, NULL, &len)))
2307             || (pub && !TEST_true(EVP_PKEY_get_raw_public_key(pkey, NULL, &len)))
2308             || !TEST_true(len == inlen))
2309         goto done;
2310     if (tst != 1) {
2311         /*
2312          * Test that supplying a buffer that is too small fails. Doesn't apply
2313          * to HMAC with a zero length key
2314          */
2315         if ((!pub && !TEST_false(EVP_PKEY_get_raw_private_key(pkey, buf,
2316                                                                  &shortlen)))
2317                 || (pub && !TEST_false(EVP_PKEY_get_raw_public_key(pkey, buf,
2318                                                                    &shortlen))))
2319             goto done;
2320     }
2321     if ((!pub && !TEST_true(EVP_PKEY_get_raw_private_key(pkey, buf, &len)))
2322             || (pub && !TEST_true(EVP_PKEY_get_raw_public_key(pkey, buf, &len)))
2323             || !TEST_mem_eq(in, inlen, buf, len))
2324         goto done;
2325 
2326     ret = 1;
2327  done:
2328     EVP_PKEY_free(pkey);
2329     return ret;
2330 }
2331 
2332 static int test_set_get_raw_keys(int tst)
2333 {
2334     return (nullprov != NULL || test_set_get_raw_keys_int(tst, 0, 0))
2335            && test_set_get_raw_keys_int(tst, 0, 1)
2336            && (nullprov != NULL || test_set_get_raw_keys_int(tst, 1, 0))
2337            && test_set_get_raw_keys_int(tst, 1, 1);
2338 }
2339 
2340 #ifndef OPENSSL_NO_DEPRECATED_3_0
2341 static int pkey_custom_check(EVP_PKEY *pkey)
2342 {
2343     return 0xbeef;
2344 }
2345 
2346 static int pkey_custom_pub_check(EVP_PKEY *pkey)
2347 {
2348     return 0xbeef;
2349 }
2350 
2351 static int pkey_custom_param_check(EVP_PKEY *pkey)
2352 {
2353     return 0xbeef;
2354 }
2355 
2356 static EVP_PKEY_METHOD *custom_pmeth;
2357 #endif
2358 
2359 static int test_EVP_PKEY_check(int i)
2360 {
2361     int ret = 0;
2362     EVP_PKEY *pkey = NULL;
2363     EVP_PKEY_CTX *ctx = NULL;
2364 #ifndef OPENSSL_NO_DEPRECATED_3_0
2365     EVP_PKEY_CTX *ctx2 = NULL;
2366 #endif
2367     const APK_DATA *ak = &keycheckdata[i];
2368     const unsigned char *input = ak->kder;
2369     size_t input_len = ak->size;
2370     int expected_id = ak->evptype;
2371     int expected_check = ak->check;
2372     int expected_pub_check = ak->pub_check;
2373     int expected_param_check = ak->param_check;
2374     int type = ak->type;
2375 
2376     if (!TEST_ptr(pkey = load_example_key(ak->keytype, input, input_len)))
2377         goto done;
2378     if (type == 0
2379         && !TEST_int_eq(EVP_PKEY_get_id(pkey), expected_id))
2380         goto done;
2381 
2382     if (!TEST_ptr(ctx = EVP_PKEY_CTX_new_from_pkey(testctx, pkey, testpropq)))
2383         goto done;
2384 
2385     if (!TEST_int_eq(EVP_PKEY_check(ctx), expected_check))
2386         goto done;
2387 
2388     if (!TEST_int_eq(EVP_PKEY_public_check(ctx), expected_pub_check))
2389         goto done;
2390 
2391     if (!TEST_int_eq(EVP_PKEY_param_check(ctx), expected_param_check))
2392         goto done;
2393 
2394 #ifndef OPENSSL_NO_DEPRECATED_3_0
2395     ctx2 = EVP_PKEY_CTX_new_id(0xdefaced, NULL);
2396     /* assign the pkey directly, as an internal test */
2397     EVP_PKEY_up_ref(pkey);
2398     ctx2->pkey = pkey;
2399 
2400     if (!TEST_int_eq(EVP_PKEY_check(ctx2), 0xbeef))
2401         goto done;
2402 
2403     if (!TEST_int_eq(EVP_PKEY_public_check(ctx2), 0xbeef))
2404         goto done;
2405 
2406     if (!TEST_int_eq(EVP_PKEY_param_check(ctx2), 0xbeef))
2407         goto done;
2408 #endif
2409 
2410     ret = 1;
2411 
2412  done:
2413     EVP_PKEY_CTX_free(ctx);
2414 #ifndef OPENSSL_NO_DEPRECATED_3_0
2415     EVP_PKEY_CTX_free(ctx2);
2416 #endif
2417     EVP_PKEY_free(pkey);
2418     return ret;
2419 }
2420 
2421 #ifndef OPENSSL_NO_CMAC
2422 static int get_cmac_val(EVP_PKEY *pkey, unsigned char *mac)
2423 {
2424     EVP_MD_CTX *mdctx = EVP_MD_CTX_new();
2425     const char msg[] = "Hello World";
2426     size_t maclen = AES_BLOCK_SIZE;
2427     int ret = 1;
2428 
2429     if (!TEST_ptr(mdctx)
2430             || !TEST_true(EVP_DigestSignInit_ex(mdctx, NULL, NULL, testctx,
2431                                                 testpropq, pkey, NULL))
2432             || !TEST_true(EVP_DigestSignUpdate(mdctx, msg, sizeof(msg)))
2433             || !TEST_true(EVP_DigestSignFinal(mdctx, mac, &maclen))
2434             || !TEST_size_t_eq(maclen, AES_BLOCK_SIZE))
2435         ret = 0;
2436 
2437     EVP_MD_CTX_free(mdctx);
2438 
2439     return ret;
2440 }
2441 static int test_CMAC_keygen(void)
2442 {
2443     static unsigned char key[] = {
2444         0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
2445         0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
2446         0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
2447     };
2448     EVP_PKEY_CTX *kctx = NULL;
2449     int ret = 0;
2450     EVP_PKEY *pkey = NULL;
2451     unsigned char mac[AES_BLOCK_SIZE];
2452 # if !defined(OPENSSL_NO_DEPRECATED_3_0)
2453     unsigned char mac2[AES_BLOCK_SIZE];
2454 # endif
2455 
2456     if (nullprov != NULL)
2457         return TEST_skip("Test does not support a non-default library context");
2458 
2459     /*
2460      * This is a legacy method for CMACs, but should still work.
2461      * This verifies that it works without an ENGINE.
2462      */
2463     kctx = EVP_PKEY_CTX_new_id(EVP_PKEY_CMAC, NULL);
2464 
2465     /* Test a CMAC key created using the "generated" method */
2466     if (!TEST_int_gt(EVP_PKEY_keygen_init(kctx), 0)
2467             || !TEST_int_gt(EVP_PKEY_CTX_ctrl(kctx, -1, EVP_PKEY_OP_KEYGEN,
2468                                             EVP_PKEY_CTRL_CIPHER,
2469                                             0, (void *)EVP_aes_256_ecb()), 0)
2470             || !TEST_int_gt(EVP_PKEY_CTX_ctrl(kctx, -1, EVP_PKEY_OP_KEYGEN,
2471                                             EVP_PKEY_CTRL_SET_MAC_KEY,
2472                                             sizeof(key), (void *)key), 0)
2473             || !TEST_int_gt(EVP_PKEY_keygen(kctx, &pkey), 0)
2474             || !TEST_ptr(pkey)
2475             || !TEST_true(get_cmac_val(pkey, mac)))
2476         goto done;
2477 
2478 # if !defined(OPENSSL_NO_DEPRECATED_3_0)
2479     EVP_PKEY_free(pkey);
2480 
2481     /*
2482      * Test a CMAC key using the direct method, and compare with the mac
2483      * created above.
2484      */
2485     pkey = EVP_PKEY_new_CMAC_key(NULL, key, sizeof(key), EVP_aes_256_ecb());
2486     if (!TEST_ptr(pkey)
2487             || !TEST_true(get_cmac_val(pkey, mac2))
2488             || !TEST_mem_eq(mac, sizeof(mac), mac2, sizeof(mac2)))
2489         goto done;
2490 # endif
2491 
2492     ret = 1;
2493 
2494  done:
2495     EVP_PKEY_free(pkey);
2496     EVP_PKEY_CTX_free(kctx);
2497     return ret;
2498 }
2499 #endif
2500 
2501 static int test_HKDF(void)
2502 {
2503     EVP_PKEY_CTX *pctx;
2504     unsigned char out[20];
2505     size_t outlen;
2506     int i, ret = 0;
2507     unsigned char salt[] = "0123456789";
2508     unsigned char key[] = "012345678901234567890123456789";
2509     unsigned char info[] = "infostring";
2510     const unsigned char expected[] = {
2511         0xe5, 0x07, 0x70, 0x7f, 0xc6, 0x78, 0xd6, 0x54, 0x32, 0x5f, 0x7e, 0xc5,
2512         0x7b, 0x59, 0x3e, 0xd8, 0x03, 0x6b, 0xed, 0xca
2513     };
2514     size_t expectedlen = sizeof(expected);
2515 
2516     if (!TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(testctx, "HKDF", testpropq)))
2517         goto done;
2518 
2519     /* We do this twice to test reuse of the EVP_PKEY_CTX */
2520     for (i = 0; i < 2; i++) {
2521         outlen = sizeof(out);
2522         memset(out, 0, outlen);
2523 
2524         if (!TEST_int_gt(EVP_PKEY_derive_init(pctx), 0)
2525                 || !TEST_int_gt(EVP_PKEY_CTX_set_hkdf_md(pctx, EVP_sha256()), 0)
2526                 || !TEST_int_gt(EVP_PKEY_CTX_set1_hkdf_salt(pctx, salt,
2527                                                             sizeof(salt) - 1), 0)
2528                 || !TEST_int_gt(EVP_PKEY_CTX_set1_hkdf_key(pctx, key,
2529                                                            sizeof(key) - 1), 0)
2530                 || !TEST_int_gt(EVP_PKEY_CTX_add1_hkdf_info(pctx, info,
2531                                                             sizeof(info) - 1), 0)
2532                 || !TEST_int_gt(EVP_PKEY_derive(pctx, out, &outlen), 0)
2533                 || !TEST_mem_eq(out, outlen, expected, expectedlen))
2534             goto done;
2535     }
2536 
2537     ret = 1;
2538 
2539  done:
2540     EVP_PKEY_CTX_free(pctx);
2541 
2542     return ret;
2543 }
2544 
2545 static int test_emptyikm_HKDF(void)
2546 {
2547     EVP_PKEY_CTX *pctx;
2548     unsigned char out[20];
2549     size_t outlen;
2550     int ret = 0;
2551     unsigned char salt[] = "9876543210";
2552     unsigned char key[] = "";
2553     unsigned char info[] = "stringinfo";
2554     const unsigned char expected[] = {
2555         0x68, 0x81, 0xa5, 0x3e, 0x5b, 0x9c, 0x7b, 0x6f, 0x2e, 0xec, 0xc8, 0x47,
2556         0x7c, 0xfa, 0x47, 0x35, 0x66, 0x82, 0x15, 0x30
2557     };
2558     size_t expectedlen = sizeof(expected);
2559 
2560     if (!TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(testctx, "HKDF", testpropq)))
2561         goto done;
2562 
2563     outlen = sizeof(out);
2564     memset(out, 0, outlen);
2565 
2566     if (!TEST_int_gt(EVP_PKEY_derive_init(pctx), 0)
2567             || !TEST_int_gt(EVP_PKEY_CTX_set_hkdf_md(pctx, EVP_sha256()), 0)
2568             || !TEST_int_gt(EVP_PKEY_CTX_set1_hkdf_salt(pctx, salt,
2569                                                         sizeof(salt) - 1), 0)
2570             || !TEST_int_gt(EVP_PKEY_CTX_set1_hkdf_key(pctx, key,
2571                                                        sizeof(key) - 1), 0)
2572             || !TEST_int_gt(EVP_PKEY_CTX_add1_hkdf_info(pctx, info,
2573                                                         sizeof(info) - 1), 0)
2574             || !TEST_int_gt(EVP_PKEY_derive(pctx, out, &outlen), 0)
2575             || !TEST_mem_eq(out, outlen, expected, expectedlen))
2576         goto done;
2577 
2578     ret = 1;
2579 
2580  done:
2581     EVP_PKEY_CTX_free(pctx);
2582 
2583     return ret;
2584 }
2585 
2586 #ifndef OPENSSL_NO_EC
2587 static int test_X509_PUBKEY_inplace(void)
2588 {
2589     int ret = 0;
2590     X509_PUBKEY *xp = X509_PUBKEY_new_ex(testctx, testpropq);
2591     const unsigned char *p = kExampleECPubKeyDER;
2592     size_t input_len = sizeof(kExampleECPubKeyDER);
2593 
2594     if (!TEST_ptr(xp))
2595         goto done;
2596     if (!TEST_ptr(d2i_X509_PUBKEY(&xp, &p, input_len)))
2597         goto done;
2598 
2599     if (!TEST_ptr(X509_PUBKEY_get0(xp)))
2600         goto done;
2601 
2602     p = kExampleBadECPubKeyDER;
2603     input_len = sizeof(kExampleBadECPubKeyDER);
2604 
2605     if (!TEST_ptr(xp = d2i_X509_PUBKEY(&xp, &p, input_len)))
2606         goto done;
2607 
2608     if (!TEST_true(X509_PUBKEY_get0(xp) == NULL))
2609         goto done;
2610 
2611     ret = 1;
2612 
2613  done:
2614     X509_PUBKEY_free(xp);
2615     return ret;
2616 }
2617 
2618 static int test_X509_PUBKEY_dup(void)
2619 {
2620     int ret = 0;
2621     X509_PUBKEY *xp = NULL, *xq = NULL;
2622     const unsigned char *p = kExampleECPubKeyDER;
2623     size_t input_len = sizeof(kExampleECPubKeyDER);
2624 
2625     xp = X509_PUBKEY_new_ex(testctx, testpropq);
2626     if (!TEST_ptr(xp)
2627             || !TEST_ptr(d2i_X509_PUBKEY(&xp, &p, input_len))
2628             || !TEST_ptr(xq = X509_PUBKEY_dup(xp))
2629             || !TEST_ptr_ne(xp, xq))
2630         goto done;
2631 
2632     if (!TEST_ptr(X509_PUBKEY_get0(xq))
2633             || !TEST_ptr(X509_PUBKEY_get0(xp))
2634             || !TEST_ptr_ne(X509_PUBKEY_get0(xq), X509_PUBKEY_get0(xp)))
2635         goto done;
2636 
2637     X509_PUBKEY_free(xq);
2638     xq = NULL;
2639     p = kExampleBadECPubKeyDER;
2640     input_len = sizeof(kExampleBadECPubKeyDER);
2641 
2642     if (!TEST_ptr(xp = d2i_X509_PUBKEY(&xp, &p, input_len))
2643             || !TEST_ptr(xq = X509_PUBKEY_dup(xp)))
2644         goto done;
2645 
2646     X509_PUBKEY_free(xp);
2647     xp = NULL;
2648     if (!TEST_true(X509_PUBKEY_get0(xq) == NULL))
2649         goto done;
2650 
2651     ret = 1;
2652 
2653  done:
2654     X509_PUBKEY_free(xp);
2655     X509_PUBKEY_free(xq);
2656     return ret;
2657 }
2658 #endif /* OPENSSL_NO_EC */
2659 
2660 /* Test getting and setting parameters on an EVP_PKEY_CTX */
2661 static int test_EVP_PKEY_CTX_get_set_params(EVP_PKEY *pkey)
2662 {
2663     EVP_MD_CTX *mdctx = NULL;
2664     EVP_PKEY_CTX *ctx = NULL;
2665     const OSSL_PARAM *params;
2666     OSSL_PARAM ourparams[2], *param = ourparams, *param_md;
2667     int ret = 0;
2668     const EVP_MD *md;
2669     char mdname[OSSL_MAX_NAME_SIZE];
2670     char ssl3ms[48];
2671 
2672     /* Initialise a sign operation */
2673     ctx = EVP_PKEY_CTX_new_from_pkey(testctx, pkey, testpropq);
2674     if (!TEST_ptr(ctx)
2675             || !TEST_int_gt(EVP_PKEY_sign_init(ctx), 0))
2676         goto err;
2677 
2678     /*
2679      * We should be able to query the parameters now.
2680      */
2681     params = EVP_PKEY_CTX_settable_params(ctx);
2682     if (!TEST_ptr(params)
2683         || !TEST_ptr(OSSL_PARAM_locate_const(params,
2684                                              OSSL_SIGNATURE_PARAM_DIGEST)))
2685         goto err;
2686 
2687     params = EVP_PKEY_CTX_gettable_params(ctx);
2688     if (!TEST_ptr(params)
2689         || !TEST_ptr(OSSL_PARAM_locate_const(params,
2690                                              OSSL_SIGNATURE_PARAM_ALGORITHM_ID))
2691         || !TEST_ptr(OSSL_PARAM_locate_const(params,
2692                                              OSSL_SIGNATURE_PARAM_DIGEST)))
2693         goto err;
2694 
2695     /*
2696      * Test getting and setting params via EVP_PKEY_CTX_set_params() and
2697      * EVP_PKEY_CTX_get_params()
2698      */
2699     strcpy(mdname, "SHA512");
2700     param_md = param;
2701     *param++ = OSSL_PARAM_construct_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST,
2702                                                 mdname, 0);
2703     *param++ = OSSL_PARAM_construct_end();
2704 
2705     if (!TEST_true(EVP_PKEY_CTX_set_params(ctx, ourparams)))
2706         goto err;
2707 
2708     mdname[0] = '\0';
2709     *param_md = OSSL_PARAM_construct_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST,
2710                                                  mdname, sizeof(mdname));
2711     if (!TEST_true(EVP_PKEY_CTX_get_params(ctx, ourparams))
2712             || !TEST_str_eq(mdname, "SHA512"))
2713         goto err;
2714 
2715     /*
2716      * Test the TEST_PKEY_CTX_set_signature_md() and
2717      * TEST_PKEY_CTX_get_signature_md() functions
2718      */
2719     if (!TEST_int_gt(EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256()), 0)
2720             || !TEST_int_gt(EVP_PKEY_CTX_get_signature_md(ctx, &md), 0)
2721             || !TEST_ptr_eq(md, EVP_sha256()))
2722         goto err;
2723 
2724     /*
2725      * Test getting MD parameters via an associated EVP_PKEY_CTX
2726      */
2727     mdctx = EVP_MD_CTX_new();
2728     if (!TEST_ptr(mdctx)
2729         || !TEST_true(EVP_DigestSignInit_ex(mdctx, NULL, "SHA1", testctx, testpropq,
2730                                             pkey, NULL)))
2731         goto err;
2732 
2733     /*
2734      * We now have an EVP_MD_CTX with an EVP_PKEY_CTX inside it. We should be
2735      * able to obtain the digest's settable parameters from the provider.
2736      */
2737     params = EVP_MD_CTX_settable_params(mdctx);
2738     if (!TEST_ptr(params)
2739             || !TEST_int_eq(strcmp(params[0].key, OSSL_DIGEST_PARAM_SSL3_MS), 0)
2740                /* The final key should be NULL */
2741             || !TEST_ptr_null(params[1].key))
2742         goto err;
2743 
2744     param = ourparams;
2745     memset(ssl3ms, 0, sizeof(ssl3ms));
2746     *param++ = OSSL_PARAM_construct_octet_string(OSSL_DIGEST_PARAM_SSL3_MS,
2747                                                  ssl3ms, sizeof(ssl3ms));
2748     *param++ = OSSL_PARAM_construct_end();
2749 
2750     if (!TEST_true(EVP_MD_CTX_set_params(mdctx, ourparams)))
2751         goto err;
2752 
2753     ret = 1;
2754 
2755  err:
2756     EVP_MD_CTX_free(mdctx);
2757     EVP_PKEY_CTX_free(ctx);
2758 
2759     return ret;
2760 }
2761 
2762 #ifndef OPENSSL_NO_DSA
2763 static int test_DSA_get_set_params(void)
2764 {
2765     OSSL_PARAM_BLD *bld = NULL;
2766     OSSL_PARAM *params = NULL;
2767     BIGNUM *p = NULL, *q = NULL, *g = NULL, *pub = NULL, *priv = NULL;
2768     EVP_PKEY_CTX *pctx = NULL;
2769     EVP_PKEY *pkey = NULL;
2770     int ret = 0;
2771 
2772     /*
2773      * Setup the parameters for our DSA object. For our purposes they don't
2774      * have to actually be *valid* parameters. We just need to set something.
2775      */
2776     if (!TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(testctx, "DSA", NULL))
2777         || !TEST_ptr(bld = OSSL_PARAM_BLD_new())
2778         || !TEST_ptr(p = BN_new())
2779         || !TEST_ptr(q = BN_new())
2780         || !TEST_ptr(g = BN_new())
2781         || !TEST_ptr(pub = BN_new())
2782         || !TEST_ptr(priv = BN_new()))
2783         goto err;
2784     if (!TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_P, p))
2785         || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_Q, q))
2786         || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_G, g))
2787         || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PUB_KEY,
2788                                              pub))
2789         || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PRIV_KEY,
2790                                              priv)))
2791         goto err;
2792     if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld)))
2793         goto err;
2794 
2795     if (!TEST_int_gt(EVP_PKEY_fromdata_init(pctx), 0)
2796         || !TEST_int_gt(EVP_PKEY_fromdata(pctx, &pkey, EVP_PKEY_KEYPAIR,
2797                                           params), 0))
2798         goto err;
2799 
2800     if (!TEST_ptr(pkey))
2801         goto err;
2802 
2803     ret = test_EVP_PKEY_CTX_get_set_params(pkey);
2804 
2805  err:
2806     EVP_PKEY_free(pkey);
2807     EVP_PKEY_CTX_free(pctx);
2808     OSSL_PARAM_free(params);
2809     OSSL_PARAM_BLD_free(bld);
2810     BN_free(p);
2811     BN_free(q);
2812     BN_free(g);
2813     BN_free(pub);
2814     BN_free(priv);
2815 
2816     return ret;
2817 }
2818 
2819 /*
2820  * Test combinations of private, public, missing and private + public key
2821  * params to ensure they are all accepted
2822  */
2823 static int test_DSA_priv_pub(void)
2824 {
2825     return test_EVP_PKEY_ffc_priv_pub("DSA");
2826 }
2827 
2828 #endif /* !OPENSSL_NO_DSA */
2829 
2830 static int test_RSA_get_set_params(void)
2831 {
2832     OSSL_PARAM_BLD *bld = NULL;
2833     OSSL_PARAM *params = NULL;
2834     BIGNUM *n = NULL, *e = NULL, *d = NULL;
2835     EVP_PKEY_CTX *pctx = NULL;
2836     EVP_PKEY *pkey = NULL;
2837     int ret = 0;
2838 
2839     /*
2840      * Setup the parameters for our RSA object. For our purposes they don't
2841      * have to actually be *valid* parameters. We just need to set something.
2842      */
2843     if (!TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(testctx, "RSA", NULL))
2844         || !TEST_ptr(bld = OSSL_PARAM_BLD_new())
2845         || !TEST_ptr(n = BN_new())
2846         || !TEST_ptr(e = BN_new())
2847         || !TEST_ptr(d = BN_new()))
2848         goto err;
2849     if (!TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_N, n))
2850         || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_E, e))
2851         || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_D, d)))
2852         goto err;
2853     if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld)))
2854         goto err;
2855 
2856     if (!TEST_int_gt(EVP_PKEY_fromdata_init(pctx), 0)
2857         || !TEST_int_gt(EVP_PKEY_fromdata(pctx, &pkey, EVP_PKEY_KEYPAIR,
2858                                           params), 0))
2859         goto err;
2860 
2861     if (!TEST_ptr(pkey))
2862         goto err;
2863 
2864     ret = test_EVP_PKEY_CTX_get_set_params(pkey);
2865 
2866  err:
2867     EVP_PKEY_free(pkey);
2868     EVP_PKEY_CTX_free(pctx);
2869     OSSL_PARAM_free(params);
2870     OSSL_PARAM_BLD_free(bld);
2871     BN_free(n);
2872     BN_free(e);
2873     BN_free(d);
2874 
2875     return ret;
2876 }
2877 
2878 static int test_RSA_OAEP_set_get_params(void)
2879 {
2880     int ret = 0;
2881     EVP_PKEY *key = NULL;
2882     EVP_PKEY_CTX *key_ctx = NULL;
2883 
2884     if (nullprov != NULL)
2885         return TEST_skip("Test does not support a non-default library context");
2886 
2887     if (!TEST_ptr(key = load_example_rsa_key())
2888         || !TEST_ptr(key_ctx = EVP_PKEY_CTX_new_from_pkey(0, key, 0)))
2889         goto err;
2890 
2891     {
2892         int padding = RSA_PKCS1_OAEP_PADDING;
2893         OSSL_PARAM params[4];
2894 
2895         params[0] = OSSL_PARAM_construct_int(OSSL_SIGNATURE_PARAM_PAD_MODE, &padding);
2896         params[1] = OSSL_PARAM_construct_utf8_string(OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST,
2897                                                      OSSL_DIGEST_NAME_SHA2_256, 0);
2898         params[2] = OSSL_PARAM_construct_utf8_string(OSSL_ASYM_CIPHER_PARAM_MGF1_DIGEST,
2899                                                      OSSL_DIGEST_NAME_SHA1, 0);
2900         params[3] = OSSL_PARAM_construct_end();
2901 
2902         if (!TEST_int_gt(EVP_PKEY_encrypt_init_ex(key_ctx, params),0))
2903             goto err;
2904     }
2905     {
2906         OSSL_PARAM params[3];
2907         char oaepmd[30] = { '\0' };
2908         char mgf1md[30] = { '\0' };
2909 
2910         params[0] = OSSL_PARAM_construct_utf8_string(OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST,
2911                                                      oaepmd, sizeof(oaepmd));
2912         params[1] = OSSL_PARAM_construct_utf8_string(OSSL_ASYM_CIPHER_PARAM_MGF1_DIGEST,
2913                                                      mgf1md, sizeof(mgf1md));
2914         params[2] = OSSL_PARAM_construct_end();
2915 
2916         if (!TEST_true(EVP_PKEY_CTX_get_params(key_ctx, params)))
2917             goto err;
2918 
2919         if (!TEST_str_eq(oaepmd, OSSL_DIGEST_NAME_SHA2_256)
2920             || !TEST_str_eq(mgf1md, OSSL_DIGEST_NAME_SHA1))
2921             goto err;
2922     }
2923 
2924     ret = 1;
2925 
2926  err:
2927     EVP_PKEY_free(key);
2928     EVP_PKEY_CTX_free(key_ctx);
2929 
2930     return ret;
2931 }
2932 
2933 /* https://github.com/openssl/openssl/issues/21288 */
2934 static int test_RSA_OAEP_set_null_label(void)
2935 {
2936     int ret = 0;
2937     EVP_PKEY *key = NULL;
2938     EVP_PKEY_CTX *key_ctx = NULL;
2939 
2940     if (!TEST_ptr(key = load_example_rsa_key())
2941         || !TEST_ptr(key_ctx = EVP_PKEY_CTX_new_from_pkey(testctx, key, NULL))
2942         || !TEST_true(EVP_PKEY_encrypt_init(key_ctx)))
2943         goto err;
2944 
2945     if (!TEST_true(EVP_PKEY_CTX_set_rsa_padding(key_ctx, RSA_PKCS1_OAEP_PADDING)))
2946         goto err;
2947 
2948     if (!TEST_true(EVP_PKEY_CTX_set0_rsa_oaep_label(key_ctx, OPENSSL_strdup("foo"), 0)))
2949         goto err;
2950 
2951     if (!TEST_true(EVP_PKEY_CTX_set0_rsa_oaep_label(key_ctx, NULL, 0)))
2952         goto err;
2953 
2954     ret = 1;
2955 
2956  err:
2957     EVP_PKEY_free(key);
2958     EVP_PKEY_CTX_free(key_ctx);
2959 
2960     return ret;
2961 }
2962 
2963 #if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
2964 static int test_decrypt_null_chunks(void)
2965 {
2966     EVP_CIPHER_CTX* ctx = NULL;
2967     EVP_CIPHER *cipher = NULL;
2968     const unsigned char key[32] = {
2969         0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
2970         0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
2971         0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1
2972     };
2973     unsigned char iv[12] = {
2974         0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b
2975     };
2976     unsigned char msg[] = "It was the best of times, it was the worst of times";
2977     unsigned char ciphertext[80];
2978     unsigned char plaintext[80];
2979     /* We initialise tmp to a non zero value on purpose */
2980     int ctlen, ptlen, tmp = 99;
2981     int ret = 0;
2982     const int enc_offset = 10, dec_offset = 20;
2983 
2984     if (!TEST_ptr(cipher = EVP_CIPHER_fetch(testctx, "ChaCha20-Poly1305", testpropq))
2985             || !TEST_ptr(ctx = EVP_CIPHER_CTX_new())
2986             || !TEST_true(EVP_EncryptInit_ex(ctx, cipher, NULL,
2987                                              key, iv))
2988             || !TEST_true(EVP_EncryptUpdate(ctx, ciphertext, &ctlen, msg,
2989                                             enc_offset))
2990             /* Deliberate add a zero length update */
2991             || !TEST_true(EVP_EncryptUpdate(ctx, ciphertext + ctlen, &tmp, NULL,
2992                                             0))
2993             || !TEST_int_eq(tmp, 0)
2994             || !TEST_true(EVP_EncryptUpdate(ctx, ciphertext + ctlen, &tmp,
2995                                             msg + enc_offset,
2996                                             sizeof(msg) - enc_offset))
2997             || !TEST_int_eq(ctlen += tmp, sizeof(msg))
2998             || !TEST_true(EVP_EncryptFinal(ctx, ciphertext + ctlen, &tmp))
2999             || !TEST_int_eq(tmp, 0))
3000         goto err;
3001 
3002     /* Deliberately initialise tmp to a non zero value */
3003     tmp = 99;
3004     if (!TEST_true(EVP_DecryptInit_ex(ctx, cipher, NULL, key, iv))
3005             || !TEST_true(EVP_DecryptUpdate(ctx, plaintext, &ptlen, ciphertext,
3006                                             dec_offset))
3007             /*
3008              * Deliberately add a zero length update. We also deliberately do
3009              * this at a different offset than for encryption.
3010              */
3011             || !TEST_true(EVP_DecryptUpdate(ctx, plaintext + ptlen, &tmp, NULL,
3012                                             0))
3013             || !TEST_int_eq(tmp, 0)
3014             || !TEST_true(EVP_DecryptUpdate(ctx, plaintext + ptlen, &tmp,
3015                                             ciphertext + dec_offset,
3016                                             ctlen - dec_offset))
3017             || !TEST_int_eq(ptlen += tmp, sizeof(msg))
3018             || !TEST_true(EVP_DecryptFinal(ctx, plaintext + ptlen, &tmp))
3019             || !TEST_int_eq(tmp, 0)
3020             || !TEST_mem_eq(msg, sizeof(msg), plaintext, ptlen))
3021         goto err;
3022 
3023     ret = 1;
3024  err:
3025     EVP_CIPHER_CTX_free(ctx);
3026     EVP_CIPHER_free(cipher);
3027     return ret;
3028 }
3029 #endif /* !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) */
3030 
3031 #ifndef OPENSSL_NO_DH
3032 /*
3033  * Test combinations of private, public, missing and private + public key
3034  * params to ensure they are all accepted
3035  */
3036 static int test_DH_priv_pub(void)
3037 {
3038     return test_EVP_PKEY_ffc_priv_pub("DH");
3039 }
3040 
3041 # ifndef OPENSSL_NO_DEPRECATED_3_0
3042 static int test_EVP_PKEY_set1_DH(void)
3043 {
3044     DH *x942dh = NULL, *noqdh = NULL;
3045     EVP_PKEY *pkey1 = NULL, *pkey2 = NULL;
3046     int ret = 0;
3047     BIGNUM *p, *g = NULL;
3048     BIGNUM *pubkey = NULL;
3049     unsigned char pub[2048 / 8];
3050     size_t len = 0;
3051 
3052     if (!TEST_ptr(p = BN_new())
3053             || !TEST_ptr(g = BN_new())
3054             || !TEST_ptr(pubkey = BN_new())
3055             || !TEST_true(BN_set_word(p, 9999))
3056             || !TEST_true(BN_set_word(g, 2))
3057             || !TEST_true(BN_set_word(pubkey, 4321))
3058             || !TEST_ptr(noqdh = DH_new())
3059             || !TEST_true(DH_set0_pqg(noqdh, p, NULL, g))
3060             || !TEST_true(DH_set0_key(noqdh, pubkey, NULL))
3061             || !TEST_ptr(pubkey = BN_new())
3062             || !TEST_true(BN_set_word(pubkey, 4321)))
3063         goto err;
3064     p = g = NULL;
3065 
3066     x942dh = DH_get_2048_256();
3067     pkey1 = EVP_PKEY_new();
3068     pkey2 = EVP_PKEY_new();
3069     if (!TEST_ptr(x942dh)
3070             || !TEST_ptr(noqdh)
3071             || !TEST_ptr(pkey1)
3072             || !TEST_ptr(pkey2)
3073             || !TEST_true(DH_set0_key(x942dh, pubkey, NULL)))
3074         goto err;
3075     pubkey = NULL;
3076 
3077     if (!TEST_true(EVP_PKEY_set1_DH(pkey1, x942dh))
3078             || !TEST_int_eq(EVP_PKEY_get_id(pkey1), EVP_PKEY_DHX))
3079         goto err;
3080 
3081     if (!TEST_true(EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_PUB_KEY,
3082                                          &pubkey))
3083             || !TEST_ptr(pubkey))
3084         goto err;
3085 
3086     if (!TEST_true(EVP_PKEY_set1_DH(pkey2, noqdh))
3087             || !TEST_int_eq(EVP_PKEY_get_id(pkey2), EVP_PKEY_DH))
3088         goto err;
3089 
3090     if (!TEST_true(EVP_PKEY_get_octet_string_param(pkey2,
3091                                                    OSSL_PKEY_PARAM_PUB_KEY,
3092                                                    pub, sizeof(pub), &len))
3093             || !TEST_size_t_ne(len, 0))
3094         goto err;
3095 
3096     ret = 1;
3097  err:
3098     BN_free(p);
3099     BN_free(g);
3100     BN_free(pubkey);
3101     EVP_PKEY_free(pkey1);
3102     EVP_PKEY_free(pkey2);
3103     DH_free(x942dh);
3104     DH_free(noqdh);
3105 
3106     return ret;
3107 }
3108 # endif /* !OPENSSL_NO_DEPRECATED_3_0 */
3109 #endif /* !OPENSSL_NO_DH */
3110 
3111 /*
3112  * We test what happens with an empty template.  For the sake of this test,
3113  * the template must be ignored, and we know that's the case for RSA keys
3114  * (this might arguably be a misfeature, but that's what we currently do,
3115  * even in provider code, since that's how the legacy RSA implementation
3116  * does things)
3117  */
3118 static int test_keygen_with_empty_template(int n)
3119 {
3120     EVP_PKEY_CTX *ctx = NULL;
3121     EVP_PKEY *pkey = NULL;
3122     EVP_PKEY *tkey = NULL;
3123     int ret = 0;
3124 
3125     if (nullprov != NULL)
3126         return TEST_skip("Test does not support a non-default library context");
3127 
3128     switch (n) {
3129     case 0:
3130         /* We do test with no template at all as well */
3131         if (!TEST_ptr(ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL)))
3132             goto err;
3133         break;
3134     case 1:
3135         /* Here we create an empty RSA key that serves as our template */
3136         if (!TEST_ptr(tkey = EVP_PKEY_new())
3137             || !TEST_true(EVP_PKEY_set_type(tkey, EVP_PKEY_RSA))
3138             || !TEST_ptr(ctx = EVP_PKEY_CTX_new(tkey, NULL)))
3139             goto err;
3140         break;
3141     }
3142 
3143     if (!TEST_int_gt(EVP_PKEY_keygen_init(ctx), 0)
3144         || !TEST_int_gt(EVP_PKEY_keygen(ctx, &pkey), 0))
3145         goto err;
3146 
3147     ret = 1;
3148  err:
3149     EVP_PKEY_CTX_free(ctx);
3150     EVP_PKEY_free(pkey);
3151     EVP_PKEY_free(tkey);
3152     return ret;
3153 }
3154 
3155 /*
3156  * Test that we fail if we attempt to use an algorithm that is not available
3157  * in the current library context (unless we are using an algorithm that
3158  * should be made available via legacy codepaths).
3159  *
3160  * 0:   RSA
3161  * 1:   SM2
3162  */
3163 static int test_pkey_ctx_fail_without_provider(int tst)
3164 {
3165     OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
3166     OSSL_PROVIDER *tmpnullprov = NULL;
3167     EVP_PKEY_CTX *pctx = NULL;
3168     const char *keytype = NULL;
3169     int expect_null = 0;
3170     int ret = 0;
3171 
3172     if (!TEST_ptr(tmpctx))
3173         goto err;
3174 
3175     tmpnullprov = OSSL_PROVIDER_load(tmpctx, "null");
3176     if (!TEST_ptr(tmpnullprov))
3177         goto err;
3178 
3179     /*
3180      * We check for certain algos in the null provider.
3181      * If an algo is expected to have a provider keymgmt, contructing an
3182      * EVP_PKEY_CTX is expected to fail (return NULL).
3183      * Otherwise, if it's expected to have legacy support, contructing an
3184      * EVP_PKEY_CTX is expected to succeed (return non-NULL).
3185      */
3186     switch (tst) {
3187     case 0:
3188         keytype = "RSA";
3189         expect_null = 1;
3190         break;
3191     case 1:
3192         keytype = "SM2";
3193         expect_null = 1;
3194 #ifdef OPENSSL_NO_EC
3195         TEST_info("EC disable, skipping SM2 check...");
3196         goto end;
3197 #endif
3198 #ifdef OPENSSL_NO_SM2
3199         TEST_info("SM2 disable, skipping SM2 check...");
3200         goto end;
3201 #endif
3202         break;
3203     default:
3204         TEST_error("No test for case %d", tst);
3205         goto err;
3206     }
3207 
3208     pctx = EVP_PKEY_CTX_new_from_name(tmpctx, keytype, "");
3209     if (expect_null ? !TEST_ptr_null(pctx) : !TEST_ptr(pctx))
3210         goto err;
3211 
3212 #if defined(OPENSSL_NO_EC) || defined(OPENSSL_NO_SM2)
3213  end:
3214 #endif
3215     ret = 1;
3216 
3217  err:
3218     EVP_PKEY_CTX_free(pctx);
3219     OSSL_PROVIDER_unload(tmpnullprov);
3220     OSSL_LIB_CTX_free(tmpctx);
3221     return ret;
3222 }
3223 
3224 static int test_rand_agglomeration(void)
3225 {
3226     EVP_RAND *rand;
3227     EVP_RAND_CTX *ctx;
3228     OSSL_PARAM params[3], *p = params;
3229     int res;
3230     unsigned int step = 7;
3231     static unsigned char seed[] = "It does not matter how slowly you go "
3232                                   "as long as you do not stop.";
3233     unsigned char out[sizeof(seed)];
3234 
3235     if (!TEST_int_ne(sizeof(seed) % step, 0)
3236             || !TEST_ptr(rand = EVP_RAND_fetch(testctx, "TEST-RAND", testpropq)))
3237         return 0;
3238     ctx = EVP_RAND_CTX_new(rand, NULL);
3239     EVP_RAND_free(rand);
3240     if (!TEST_ptr(ctx))
3241         return 0;
3242 
3243     memset(out, 0, sizeof(out));
3244     *p++ = OSSL_PARAM_construct_octet_string(OSSL_RAND_PARAM_TEST_ENTROPY,
3245                                              seed, sizeof(seed));
3246     *p++ = OSSL_PARAM_construct_uint(OSSL_RAND_PARAM_MAX_REQUEST, &step);
3247     *p = OSSL_PARAM_construct_end();
3248     res = TEST_true(EVP_RAND_CTX_set_params(ctx, params))
3249           && TEST_true(EVP_RAND_generate(ctx, out, sizeof(out), 0, 1, NULL, 0))
3250           && TEST_mem_eq(seed, sizeof(seed), out, sizeof(out));
3251     EVP_RAND_CTX_free(ctx);
3252     return res;
3253 }
3254 
3255 /*
3256  * Test that we correctly return the original or "running" IV after
3257  * an encryption operation.
3258  * Run multiple times for some different relevant algorithms/modes.
3259  */
3260 static int test_evp_iv_aes(int idx)
3261 {
3262     int ret = 0;
3263     EVP_CIPHER_CTX *ctx = NULL;
3264     unsigned char key[16] = {0x4c, 0x43, 0xdb, 0xdd, 0x42, 0x73, 0x47, 0xd1,
3265                              0xe5, 0x62, 0x7d, 0xcd, 0x4d, 0x76, 0x4d, 0x57};
3266     unsigned char init_iv[EVP_MAX_IV_LENGTH] =
3267         {0x57, 0x71, 0x7d, 0xad, 0xdb, 0x9b, 0x98, 0x82,
3268          0x5a, 0x55, 0x91, 0x81, 0x42, 0xa8, 0x89, 0x34};
3269     static const unsigned char msg[] = { 1, 2, 3, 4, 5, 6, 7, 8,
3270                                          9, 10, 11, 12, 13, 14, 15, 16 };
3271     unsigned char ciphertext[32], oiv[16], iv[16];
3272     unsigned char *ref_iv;
3273     unsigned char cbc_state[16] = {0x10, 0x2f, 0x05, 0xcc, 0xc2, 0x55, 0x72, 0xb9,
3274                                    0x88, 0xe6, 0x4a, 0x17, 0x10, 0x74, 0x22, 0x5e};
3275 
3276     unsigned char ofb_state[16] = {0x76, 0xe6, 0x66, 0x61, 0xd0, 0x8a, 0xe4, 0x64,
3277                                    0xdd, 0x66, 0xbf, 0x00, 0xf0, 0xe3, 0x6f, 0xfd};
3278     unsigned char cfb_state[16] = {0x77, 0xe4, 0x65, 0x65, 0xd5, 0x8c, 0xe3, 0x6c,
3279                                    0xd4, 0x6c, 0xb4, 0x0c, 0xfd, 0xed, 0x60, 0xed};
3280     unsigned char gcm_state[12] = {0x57, 0x71, 0x7d, 0xad, 0xdb, 0x9b,
3281                                    0x98, 0x82, 0x5a, 0x55, 0x91, 0x81};
3282     unsigned char ccm_state[7] = {0x57, 0x71, 0x7d, 0xad, 0xdb, 0x9b, 0x98};
3283 #ifndef OPENSSL_NO_OCB
3284     unsigned char ocb_state[12] = {0x57, 0x71, 0x7d, 0xad, 0xdb, 0x9b,
3285                                    0x98, 0x82, 0x5a, 0x55, 0x91, 0x81};
3286 #endif
3287     int len = sizeof(ciphertext);
3288     size_t ivlen, ref_len;
3289     const EVP_CIPHER *type = NULL;
3290     int iv_reset = 0;
3291 
3292     if (nullprov != NULL && idx < 6)
3293         return TEST_skip("Test does not support a non-default library context");
3294 
3295     switch(idx) {
3296     case 0:
3297         type = EVP_aes_128_cbc();
3298         /* FALLTHROUGH */
3299     case 6:
3300         type = (type != NULL) ? type :
3301                                 EVP_CIPHER_fetch(testctx, "aes-128-cbc", testpropq);
3302         ref_iv = cbc_state;
3303         ref_len = sizeof(cbc_state);
3304         iv_reset = 1;
3305         break;
3306     case 1:
3307         type = EVP_aes_128_ofb();
3308         /* FALLTHROUGH */
3309     case 7:
3310         type = (type != NULL) ? type :
3311                                 EVP_CIPHER_fetch(testctx, "aes-128-ofb", testpropq);
3312         ref_iv = ofb_state;
3313         ref_len = sizeof(ofb_state);
3314         iv_reset = 1;
3315         break;
3316     case 2:
3317         type = EVP_aes_128_cfb();
3318         /* FALLTHROUGH */
3319     case 8:
3320         type = (type != NULL) ? type :
3321                                 EVP_CIPHER_fetch(testctx, "aes-128-cfb", testpropq);
3322         ref_iv = cfb_state;
3323         ref_len = sizeof(cfb_state);
3324         iv_reset = 1;
3325         break;
3326     case 3:
3327         type = EVP_aes_128_gcm();
3328         /* FALLTHROUGH */
3329     case 9:
3330         type = (type != NULL) ? type :
3331                                 EVP_CIPHER_fetch(testctx, "aes-128-gcm", testpropq);
3332         ref_iv = gcm_state;
3333         ref_len = sizeof(gcm_state);
3334         break;
3335     case 4:
3336         type = EVP_aes_128_ccm();
3337         /* FALLTHROUGH */
3338     case 10:
3339         type = (type != NULL) ? type :
3340                                 EVP_CIPHER_fetch(testctx, "aes-128-ccm", testpropq);
3341         ref_iv = ccm_state;
3342         ref_len = sizeof(ccm_state);
3343         break;
3344 #ifdef OPENSSL_NO_OCB
3345     case 5:
3346     case 11:
3347         return 1;
3348 #else
3349     case 5:
3350         type = EVP_aes_128_ocb();
3351         /* FALLTHROUGH */
3352     case 11:
3353         type = (type != NULL) ? type :
3354                                 EVP_CIPHER_fetch(testctx, "aes-128-ocb", testpropq);
3355         ref_iv = ocb_state;
3356         ref_len = sizeof(ocb_state);
3357         break;
3358 #endif
3359     default:
3360         return 0;
3361     }
3362 
3363     if (!TEST_ptr(type)
3364             || !TEST_ptr((ctx = EVP_CIPHER_CTX_new()))
3365             || !TEST_true(EVP_EncryptInit_ex(ctx, type, NULL, key, init_iv))
3366             || !TEST_true(EVP_EncryptUpdate(ctx, ciphertext, &len, msg,
3367                           (int)sizeof(msg)))
3368             || !TEST_true(EVP_CIPHER_CTX_get_original_iv(ctx, oiv, sizeof(oiv)))
3369             || !TEST_true(EVP_CIPHER_CTX_get_updated_iv(ctx, iv, sizeof(iv)))
3370             || !TEST_true(EVP_EncryptFinal_ex(ctx, ciphertext, &len)))
3371         goto err;
3372     ivlen = EVP_CIPHER_CTX_get_iv_length(ctx);
3373     if (!TEST_mem_eq(init_iv, ivlen, oiv, ivlen)
3374             || !TEST_mem_eq(ref_iv, ref_len, iv, ivlen))
3375         goto err;
3376 
3377     /* CBC, OFB, and CFB modes: the updated iv must be reset after reinit */
3378     if (!TEST_true(EVP_EncryptInit_ex(ctx, NULL, NULL, NULL, NULL))
3379         || !TEST_true(EVP_CIPHER_CTX_get_updated_iv(ctx, iv, sizeof(iv))))
3380         goto err;
3381     if (iv_reset) {
3382         if (!TEST_mem_eq(init_iv, ivlen, iv, ivlen))
3383             goto err;
3384     } else {
3385         if (!TEST_mem_eq(ref_iv, ivlen, iv, ivlen))
3386             goto err;
3387     }
3388 
3389     ret = 1;
3390 err:
3391     EVP_CIPHER_CTX_free(ctx);
3392     if (idx >= 6)
3393         EVP_CIPHER_free((EVP_CIPHER *)type);
3394     return ret;
3395 }
3396 
3397 #ifndef OPENSSL_NO_DES
3398 static int test_evp_iv_des(int idx)
3399 {
3400     int ret = 0;
3401     EVP_CIPHER_CTX *ctx = NULL;
3402     static const unsigned char key[24] = {
3403         0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
3404         0xf1, 0xe0, 0xd3, 0xc2, 0xb5, 0xa4, 0x97, 0x86,
3405         0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10
3406     };
3407     static const unsigned char init_iv[8] = {
3408         0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10
3409     };
3410     static const unsigned char msg[] = { 1, 2, 3, 4, 5, 6, 7, 8,
3411                                          9, 10, 11, 12, 13, 14, 15, 16 };
3412     unsigned char ciphertext[32], oiv[8], iv[8];
3413     unsigned const char *ref_iv;
3414     static const unsigned char cbc_state_des[8] = {
3415         0x4f, 0xa3, 0x85, 0xcd, 0x8b, 0xf3, 0x06, 0x2a
3416     };
3417     static const unsigned char cbc_state_3des[8] = {
3418         0x35, 0x27, 0x7d, 0x65, 0x6c, 0xfb, 0x50, 0xd9
3419     };
3420     static const unsigned char ofb_state_des[8] = {
3421         0xa7, 0x0d, 0x1d, 0x45, 0xf9, 0x96, 0x3f, 0x2c
3422     };
3423     static const unsigned char ofb_state_3des[8] = {
3424         0xab, 0x16, 0x24, 0xbb, 0x5b, 0xac, 0xed, 0x5e
3425     };
3426     static const unsigned char cfb_state_des[8] = {
3427         0x91, 0xeb, 0x6d, 0x29, 0x4b, 0x08, 0xbd, 0x73
3428     };
3429     static const unsigned char cfb_state_3des[8] = {
3430         0x34, 0xdd, 0xfb, 0x47, 0x33, 0x1c, 0x61, 0xf7
3431     };
3432     int len = sizeof(ciphertext);
3433     size_t ivlen, ref_len;
3434     EVP_CIPHER *type = NULL;
3435 
3436     if (lgcyprov == NULL && idx < 3)
3437         return TEST_skip("Test requires legacy provider to be loaded");
3438 
3439     switch(idx) {
3440     case 0:
3441         type = EVP_CIPHER_fetch(testctx, "des-cbc", testpropq);
3442         ref_iv = cbc_state_des;
3443         ref_len = sizeof(cbc_state_des);
3444         break;
3445     case 1:
3446         type = EVP_CIPHER_fetch(testctx, "des-ofb", testpropq);
3447         ref_iv = ofb_state_des;
3448         ref_len = sizeof(ofb_state_des);
3449         break;
3450     case 2:
3451         type = EVP_CIPHER_fetch(testctx, "des-cfb", testpropq);
3452         ref_iv = cfb_state_des;
3453         ref_len = sizeof(cfb_state_des);
3454         break;
3455     case 3:
3456         type = EVP_CIPHER_fetch(testctx, "des-ede3-cbc", testpropq);
3457         ref_iv = cbc_state_3des;
3458         ref_len = sizeof(cbc_state_3des);
3459         break;
3460     case 4:
3461         type = EVP_CIPHER_fetch(testctx, "des-ede3-ofb", testpropq);
3462         ref_iv = ofb_state_3des;
3463         ref_len = sizeof(ofb_state_3des);
3464         break;
3465     case 5:
3466         type = EVP_CIPHER_fetch(testctx, "des-ede3-cfb", testpropq);
3467         ref_iv = cfb_state_3des;
3468         ref_len = sizeof(cfb_state_3des);
3469         break;
3470     default:
3471         return 0;
3472     }
3473 
3474     if (!TEST_ptr(type)
3475             || !TEST_ptr((ctx = EVP_CIPHER_CTX_new()))
3476             || !TEST_true(EVP_EncryptInit_ex(ctx, type, NULL, key, init_iv))
3477             || !TEST_true(EVP_EncryptUpdate(ctx, ciphertext, &len, msg,
3478                           (int)sizeof(msg)))
3479             || !TEST_true(EVP_CIPHER_CTX_get_original_iv(ctx, oiv, sizeof(oiv)))
3480             || !TEST_true(EVP_CIPHER_CTX_get_updated_iv(ctx, iv, sizeof(iv)))
3481             || !TEST_true(EVP_EncryptFinal_ex(ctx, ciphertext, &len)))
3482         goto err;
3483     ivlen = EVP_CIPHER_CTX_get_iv_length(ctx);
3484     if (!TEST_mem_eq(init_iv, ivlen, oiv, ivlen)
3485             || !TEST_mem_eq(ref_iv, ref_len, iv, ivlen))
3486         goto err;
3487 
3488     if (!TEST_true(EVP_EncryptInit_ex(ctx, NULL, NULL, NULL, NULL))
3489         || !TEST_true(EVP_CIPHER_CTX_get_updated_iv(ctx, iv, sizeof(iv))))
3490         goto err;
3491     if (!TEST_mem_eq(init_iv, ivlen, iv, ivlen))
3492         goto err;
3493 
3494     ret = 1;
3495 err:
3496     EVP_CIPHER_CTX_free(ctx);
3497     EVP_CIPHER_free(type);
3498     return ret;
3499 }
3500 #endif
3501 
3502 #ifndef OPENSSL_NO_BF
3503 static int test_evp_bf_default_keylen(int idx)
3504 {
3505     int ret = 0;
3506     static const char *algos[4] = {
3507         "bf-ecb", "bf-cbc", "bf-cfb", "bf-ofb"
3508     };
3509     int ivlen[4] = { 0, 8, 8, 8 };
3510     EVP_CIPHER *cipher = NULL;
3511 
3512     if (lgcyprov == NULL)
3513         return TEST_skip("Test requires legacy provider to be loaded");
3514 
3515     if (!TEST_ptr(cipher = EVP_CIPHER_fetch(testctx, algos[idx], testpropq))
3516             || !TEST_int_eq(EVP_CIPHER_get_key_length(cipher), 16)
3517             || !TEST_int_eq(EVP_CIPHER_get_iv_length(cipher), ivlen[idx]))
3518         goto err;
3519 
3520     ret = 1;
3521 err:
3522     EVP_CIPHER_free(cipher);
3523     return ret;
3524 }
3525 #endif
3526 
3527 #ifndef OPENSSL_NO_EC
3528 static int ecpub_nids[] = {
3529     NID_brainpoolP256r1, NID_X9_62_prime256v1,
3530     NID_secp384r1, NID_secp521r1,
3531 # ifndef OPENSSL_NO_EC2M
3532     NID_sect233k1, NID_sect233r1, NID_sect283r1,
3533     NID_sect409k1, NID_sect409r1, NID_sect571k1, NID_sect571r1,
3534 # endif
3535     NID_brainpoolP384r1, NID_brainpoolP512r1
3536 };
3537 
3538 static int test_ecpub(int idx)
3539 {
3540     int ret = 0, len, savelen;
3541     int nid;
3542     unsigned char buf[1024];
3543     unsigned char *p;
3544     EVP_PKEY *pkey = NULL;
3545     EVP_PKEY_CTX *ctx = NULL;
3546 # ifndef OPENSSL_NO_DEPRECATED_3_0
3547     const unsigned char *q;
3548     EVP_PKEY *pkey2 = NULL;
3549     EC_KEY *ec = NULL;
3550 # endif
3551 
3552     if (nullprov != NULL)
3553         return TEST_skip("Test does not support a non-default library context");
3554 
3555     nid = ecpub_nids[idx];
3556 
3557     ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
3558     if (!TEST_ptr(ctx)
3559         || !TEST_int_gt(EVP_PKEY_keygen_init(ctx), 0)
3560         || !TEST_int_gt(EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, nid), 0)
3561         || !TEST_true(EVP_PKEY_keygen(ctx, &pkey)))
3562         goto done;
3563     len = i2d_PublicKey(pkey, NULL);
3564     savelen = len;
3565     if (!TEST_int_ge(len, 1)
3566         || !TEST_int_lt(len, 1024))
3567         goto done;
3568     p = buf;
3569     len = i2d_PublicKey(pkey, &p);
3570     if (!TEST_int_ge(len, 1)
3571             || !TEST_int_eq(len, savelen))
3572         goto done;
3573 
3574 # ifndef OPENSSL_NO_DEPRECATED_3_0
3575     /* Now try to decode the just-created DER. */
3576     q = buf;
3577     if (!TEST_ptr((pkey2 = EVP_PKEY_new()))
3578             || !TEST_ptr((ec = EC_KEY_new_by_curve_name(nid)))
3579             || !TEST_true(EVP_PKEY_assign_EC_KEY(pkey2, ec)))
3580         goto done;
3581     /* EC_KEY ownership transferred */
3582     ec = NULL;
3583     if (!TEST_ptr(d2i_PublicKey(EVP_PKEY_EC, &pkey2, &q, savelen)))
3584         goto done;
3585     /* The keys should match. */
3586     if (!TEST_int_eq(EVP_PKEY_eq(pkey, pkey2), 1))
3587         goto done;
3588 # endif
3589 
3590     ret = 1;
3591 
3592  done:
3593     EVP_PKEY_CTX_free(ctx);
3594     EVP_PKEY_free(pkey);
3595 # ifndef OPENSSL_NO_DEPRECATED_3_0
3596     EVP_PKEY_free(pkey2);
3597     EC_KEY_free(ec);
3598 # endif
3599     return ret;
3600 }
3601 #endif
3602 
3603 static int test_EVP_rsa_pss_with_keygen_bits(void)
3604 {
3605     int ret = 0;
3606     EVP_PKEY_CTX *ctx = NULL;
3607     EVP_PKEY *pkey = NULL;
3608     EVP_MD *md;
3609 
3610     md = EVP_MD_fetch(testctx, "sha256", testpropq);
3611     ret = TEST_ptr(md)
3612         && TEST_ptr((ctx = EVP_PKEY_CTX_new_from_name(testctx, "RSA-PSS", testpropq)))
3613         && TEST_int_gt(EVP_PKEY_keygen_init(ctx), 0)
3614         && TEST_int_gt(EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 512), 0)
3615         && TEST_int_gt(EVP_PKEY_CTX_set_rsa_pss_keygen_md(ctx, md), 0)
3616         && TEST_true(EVP_PKEY_keygen(ctx, &pkey));
3617 
3618     EVP_MD_free(md);
3619     EVP_PKEY_free(pkey);
3620     EVP_PKEY_CTX_free(ctx);
3621     return ret;
3622 }
3623 
3624 static int test_EVP_rsa_pss_set_saltlen(void)
3625 {
3626     int ret = 0;
3627     EVP_PKEY *pkey = NULL;
3628     EVP_PKEY_CTX *pkey_ctx = NULL;
3629     EVP_MD *sha256 = NULL;
3630     EVP_MD_CTX *sha256_ctx = NULL;
3631     int saltlen = 9999; /* buggy EVP_PKEY_CTX_get_rsa_pss_saltlen() didn't update this */
3632     const int test_value = 32;
3633 
3634     ret = TEST_ptr(pkey = load_example_rsa_key())
3635         && TEST_ptr(sha256 = EVP_MD_fetch(testctx, "sha256", NULL))
3636         && TEST_ptr(sha256_ctx = EVP_MD_CTX_new())
3637         && TEST_true(EVP_DigestSignInit(sha256_ctx, &pkey_ctx, sha256, NULL, pkey))
3638         && TEST_true(EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING))
3639         && TEST_int_gt(EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx, test_value), 0)
3640         && TEST_int_gt(EVP_PKEY_CTX_get_rsa_pss_saltlen(pkey_ctx, &saltlen), 0)
3641         && TEST_int_eq(saltlen, test_value);
3642 
3643     EVP_MD_CTX_free(sha256_ctx);
3644     EVP_PKEY_free(pkey);
3645     EVP_MD_free(sha256);
3646 
3647     return ret;
3648 }
3649 
3650 static int success = 1;
3651 static void md_names(const char *name, void *vctx)
3652 {
3653     OSSL_LIB_CTX *ctx = (OSSL_LIB_CTX *)vctx;
3654     /* Force a namemap update */
3655     EVP_CIPHER *aes128 = EVP_CIPHER_fetch(ctx, "AES-128-CBC", NULL);
3656 
3657     if (!TEST_ptr(aes128))
3658         success = 0;
3659 
3660     EVP_CIPHER_free(aes128);
3661 }
3662 
3663 /*
3664  * Test that changing the namemap in a user callback works in a names_do_all
3665  * function.
3666  */
3667 static int test_names_do_all(void)
3668 {
3669     /* We use a custom libctx so that we know the state of the namemap */
3670     OSSL_LIB_CTX *ctx = OSSL_LIB_CTX_new();
3671     EVP_MD *sha256 = NULL;
3672     int testresult = 0;
3673 
3674     if (!TEST_ptr(ctx))
3675         goto err;
3676 
3677     sha256 = EVP_MD_fetch(ctx, "SHA2-256", NULL);
3678     if (!TEST_ptr(sha256))
3679         goto err;
3680 
3681     /*
3682      * We loop through all the names for a given digest. This should still work
3683      * even if the namemap changes part way through.
3684      */
3685     if (!TEST_true(EVP_MD_names_do_all(sha256, md_names, ctx)))
3686         goto err;
3687 
3688     if (!TEST_true(success))
3689         goto err;
3690 
3691     testresult = 1;
3692  err:
3693     EVP_MD_free(sha256);
3694     OSSL_LIB_CTX_free(ctx);
3695     return testresult;
3696 }
3697 
3698 typedef struct {
3699     const char *cipher;
3700     const unsigned char *key;
3701     const unsigned char *iv;
3702     const unsigned char *input;
3703     const unsigned char *expected;
3704     const unsigned char *tag;
3705     size_t ivlen; /* 0 if we do not need to set a specific IV len */
3706     size_t inlen;
3707     size_t expectedlen;
3708     size_t taglen;
3709     int keyfirst;
3710     int initenc;
3711     int finalenc;
3712 } EVP_INIT_TEST_st;
3713 
3714 static const EVP_INIT_TEST_st evp_init_tests[] = {
3715     {
3716         "aes-128-cfb", kCFBDefaultKey, iCFBIV, cfbPlaintext,
3717         cfbCiphertext, NULL, 0, sizeof(cfbPlaintext), sizeof(cfbCiphertext),
3718         0, 1, 0, 1
3719     },
3720     {
3721         "aes-256-gcm", kGCMDefaultKey, iGCMDefaultIV, gcmDefaultPlaintext,
3722         gcmDefaultCiphertext, gcmDefaultTag, sizeof(iGCMDefaultIV),
3723         sizeof(gcmDefaultPlaintext), sizeof(gcmDefaultCiphertext),
3724         sizeof(gcmDefaultTag), 1, 0, 1
3725     },
3726     {
3727         "aes-128-cfb", kCFBDefaultKey, iCFBIV, cfbPlaintext,
3728         cfbCiphertext, NULL, 0, sizeof(cfbPlaintext), sizeof(cfbCiphertext),
3729         0, 0, 0, 1
3730     },
3731     {
3732         "aes-256-gcm", kGCMDefaultKey, iGCMDefaultIV, gcmDefaultPlaintext,
3733         gcmDefaultCiphertext, gcmDefaultTag, sizeof(iGCMDefaultIV),
3734         sizeof(gcmDefaultPlaintext), sizeof(gcmDefaultCiphertext),
3735         sizeof(gcmDefaultTag), 0, 0, 1
3736     },
3737     {
3738         "aes-128-cfb", kCFBDefaultKey, iCFBIV, cfbCiphertext,
3739         cfbPlaintext, NULL, 0, sizeof(cfbCiphertext), sizeof(cfbPlaintext),
3740         0, 1, 1, 0
3741     },
3742     {
3743         "aes-256-gcm", kGCMDefaultKey, iGCMDefaultIV, gcmDefaultCiphertext,
3744         gcmDefaultPlaintext, gcmDefaultTag, sizeof(iGCMDefaultIV),
3745         sizeof(gcmDefaultCiphertext), sizeof(gcmDefaultPlaintext),
3746         sizeof(gcmDefaultTag), 1, 1, 0
3747     },
3748     {
3749         "aes-128-cfb", kCFBDefaultKey, iCFBIV, cfbCiphertext,
3750         cfbPlaintext, NULL, 0, sizeof(cfbCiphertext), sizeof(cfbPlaintext),
3751         0, 0, 1, 0
3752     },
3753     {
3754         "aes-256-gcm", kGCMDefaultKey, iGCMDefaultIV, gcmDefaultCiphertext,
3755         gcmDefaultPlaintext, gcmDefaultTag, sizeof(iGCMDefaultIV),
3756         sizeof(gcmDefaultCiphertext), sizeof(gcmDefaultPlaintext),
3757         sizeof(gcmDefaultTag), 0, 1, 0
3758     }
3759 };
3760 
3761 /* use same key, iv and plaintext for cfb and ofb */
3762 static const EVP_INIT_TEST_st evp_reinit_tests[] = {
3763     {
3764         "aes-128-cfb", kCFBDefaultKey, iCFBIV, cfbPlaintext_partial,
3765         cfbCiphertext_partial, NULL, 0, sizeof(cfbPlaintext_partial),
3766         sizeof(cfbCiphertext_partial), 0, 0, 1, 0
3767     },
3768     {
3769         "aes-128-cfb", kCFBDefaultKey, iCFBIV, cfbCiphertext_partial,
3770         cfbPlaintext_partial, NULL, 0, sizeof(cfbCiphertext_partial),
3771         sizeof(cfbPlaintext_partial), 0, 0, 0, 0
3772     },
3773     {
3774         "aes-128-ofb", kCFBDefaultKey, iCFBIV, cfbPlaintext_partial,
3775         ofbCiphertext_partial, NULL, 0, sizeof(cfbPlaintext_partial),
3776         sizeof(ofbCiphertext_partial), 0, 0, 1, 0
3777     },
3778     {
3779         "aes-128-ofb", kCFBDefaultKey, iCFBIV, ofbCiphertext_partial,
3780         cfbPlaintext_partial, NULL, 0, sizeof(ofbCiphertext_partial),
3781         sizeof(cfbPlaintext_partial), 0, 0, 0, 0
3782     },
3783 };
3784 
3785 static int evp_init_seq_set_iv(EVP_CIPHER_CTX *ctx, const EVP_INIT_TEST_st *t)
3786 {
3787     int res = 0;
3788 
3789     if (t->ivlen != 0) {
3790         if (!TEST_int_gt(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, t->ivlen, NULL), 0))
3791             goto err;
3792     }
3793     if (!TEST_true(EVP_CipherInit_ex(ctx, NULL, NULL, NULL, t->iv, -1)))
3794         goto err;
3795     res = 1;
3796  err:
3797     return res;
3798 }
3799 
3800 /*
3801  * Test step-wise cipher initialization via EVP_CipherInit_ex where the
3802  * arguments are given one at a time and a final adjustment to the enc
3803  * parameter sets the correct operation.
3804  */
3805 static int test_evp_init_seq(int idx)
3806 {
3807     int outlen1, outlen2;
3808     int testresult = 0;
3809     unsigned char outbuf[1024];
3810     unsigned char tag[16];
3811     const EVP_INIT_TEST_st *t = &evp_init_tests[idx];
3812     EVP_CIPHER_CTX *ctx = NULL;
3813     EVP_CIPHER *type = NULL;
3814     size_t taglen = sizeof(tag);
3815     char *errmsg = NULL;
3816 
3817     ctx = EVP_CIPHER_CTX_new();
3818     if (ctx == NULL) {
3819         errmsg = "CTX_ALLOC";
3820         goto err;
3821     }
3822     if (!TEST_ptr(type = EVP_CIPHER_fetch(testctx, t->cipher, testpropq))) {
3823         errmsg = "CIPHER_FETCH";
3824         goto err;
3825     }
3826     if (!TEST_true(EVP_CipherInit_ex(ctx, type, NULL, NULL, NULL, t->initenc))) {
3827         errmsg = "EMPTY_ENC_INIT";
3828         goto err;
3829     }
3830     if (!TEST_true(EVP_CIPHER_CTX_set_padding(ctx, 0))) {
3831         errmsg = "PADDING";
3832         goto err;
3833     }
3834     if (t->keyfirst && !TEST_true(EVP_CipherInit_ex(ctx, NULL, NULL, t->key, NULL, -1))) {
3835         errmsg = "KEY_INIT (before iv)";
3836         goto err;
3837     }
3838     if (!evp_init_seq_set_iv(ctx, t)) {
3839         errmsg = "IV_INIT";
3840         goto err;
3841     }
3842     if (t->keyfirst == 0 &&  !TEST_true(EVP_CipherInit_ex(ctx, NULL, NULL, t->key, NULL, -1))) {
3843         errmsg = "KEY_INIT (after iv)";
3844         goto err;
3845     }
3846     if (!TEST_true(EVP_CipherInit_ex(ctx, NULL, NULL, NULL, NULL, t->finalenc))) {
3847         errmsg = "FINAL_ENC_INIT";
3848         goto err;
3849     }
3850     if (!TEST_true(EVP_CipherUpdate(ctx, outbuf, &outlen1, t->input, t->inlen))) {
3851         errmsg = "CIPHER_UPDATE";
3852         goto err;
3853     }
3854     if (t->finalenc == 0 && t->tag != NULL) {
3855         /* Set expected tag */
3856         if (!TEST_int_gt(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG,
3857                                            t->taglen, (void *)t->tag), 0)) {
3858             errmsg = "SET_TAG";
3859             goto err;
3860         }
3861     }
3862     if (!TEST_true(EVP_CipherFinal_ex(ctx, outbuf + outlen1, &outlen2))) {
3863         errmsg = "CIPHER_FINAL";
3864         goto err;
3865     }
3866     if (!TEST_mem_eq(t->expected, t->expectedlen, outbuf, outlen1 + outlen2)) {
3867         errmsg = "WRONG_RESULT";
3868         goto err;
3869     }
3870     if (t->finalenc != 0 && t->tag != NULL) {
3871         if (!TEST_int_gt(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen, tag), 0)) {
3872             errmsg = "GET_TAG";
3873             goto err;
3874         }
3875         if (!TEST_mem_eq(t->tag, t->taglen, tag, taglen)) {
3876             errmsg = "TAG_ERROR";
3877             goto err;
3878         }
3879     }
3880     testresult = 1;
3881  err:
3882     if (errmsg != NULL)
3883         TEST_info("evp_init_test %d: %s", idx, errmsg);
3884     EVP_CIPHER_CTX_free(ctx);
3885     EVP_CIPHER_free(type);
3886     return testresult;
3887 }
3888 
3889 /*
3890  * Test re-initialization of cipher context without changing key or iv.
3891  * The result of both iteration should be the same.
3892  */
3893 static int test_evp_reinit_seq(int idx)
3894 {
3895     int outlen1, outlen2, outlen_final;
3896     int testresult = 0;
3897     unsigned char outbuf1[1024];
3898     unsigned char outbuf2[1024];
3899     const EVP_INIT_TEST_st *t = &evp_reinit_tests[idx];
3900     EVP_CIPHER_CTX *ctx = NULL;
3901     EVP_CIPHER *type = NULL;
3902 
3903     if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new())
3904             || !TEST_ptr(type = EVP_CIPHER_fetch(testctx, t->cipher, testpropq))
3905             /* setup cipher context */
3906             || !TEST_true(EVP_CipherInit_ex2(ctx, type, t->key, t->iv, t->initenc, NULL))
3907             /* first iteration */
3908             || !TEST_true(EVP_CipherUpdate(ctx, outbuf1, &outlen1, t->input, t->inlen))
3909             || !TEST_true(EVP_CipherFinal_ex(ctx, outbuf1, &outlen_final))
3910             /* check test results iteration 1 */
3911             || !TEST_mem_eq(t->expected, t->expectedlen, outbuf1, outlen1 + outlen_final)
3912             /* now re-init the context (same cipher, key and iv) */
3913             || !TEST_true(EVP_CipherInit_ex2(ctx, NULL, NULL, NULL, -1, NULL))
3914             /* second iteration */
3915             || !TEST_true(EVP_CipherUpdate(ctx, outbuf2, &outlen2, t->input, t->inlen))
3916             || !TEST_true(EVP_CipherFinal_ex(ctx, outbuf2, &outlen_final))
3917             /* check test results iteration 2 */
3918             || !TEST_mem_eq(t->expected, t->expectedlen, outbuf2, outlen2 + outlen_final))
3919         goto err;
3920     testresult = 1;
3921  err:
3922     EVP_CIPHER_CTX_free(ctx);
3923     EVP_CIPHER_free(type);
3924     return testresult;
3925 }
3926 
3927 typedef struct {
3928     const unsigned char *input;
3929     const unsigned char *expected;
3930     size_t inlen;
3931     size_t expectedlen;
3932     int enc;
3933 } EVP_RESET_TEST_st;
3934 
3935 static const EVP_RESET_TEST_st evp_reset_tests[] = {
3936     {
3937         cfbPlaintext, cfbCiphertext,
3938         sizeof(cfbPlaintext), sizeof(cfbCiphertext), 1
3939     },
3940     {
3941         cfbCiphertext, cfbPlaintext,
3942         sizeof(cfbCiphertext), sizeof(cfbPlaintext), 0
3943     }
3944 };
3945 
3946 /*
3947  * Test a reset of a cipher via EVP_CipherInit_ex after the cipher has already
3948  * been used.
3949  */
3950 static int test_evp_reset(int idx)
3951 {
3952     const EVP_RESET_TEST_st *t = &evp_reset_tests[idx];
3953     int outlen1, outlen2;
3954     int testresult = 0;
3955     unsigned char outbuf[1024];
3956     EVP_CIPHER_CTX *ctx = NULL;
3957     EVP_CIPHER *type = NULL;
3958     char *errmsg = NULL;
3959 
3960     if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new())) {
3961         errmsg = "CTX_ALLOC";
3962         goto err;
3963     }
3964     if (!TEST_ptr(type = EVP_CIPHER_fetch(testctx, "aes-128-cfb", testpropq))) {
3965         errmsg = "CIPHER_FETCH";
3966         goto err;
3967     }
3968     if (!TEST_true(EVP_CipherInit_ex(ctx, type, NULL, kCFBDefaultKey, iCFBIV, t->enc))) {
3969         errmsg = "CIPHER_INIT";
3970         goto err;
3971     }
3972     if (!TEST_true(EVP_CIPHER_CTX_set_padding(ctx, 0))) {
3973         errmsg = "PADDING";
3974         goto err;
3975     }
3976     if (!TEST_true(EVP_CipherUpdate(ctx, outbuf, &outlen1, t->input, t->inlen))) {
3977         errmsg = "CIPHER_UPDATE";
3978         goto err;
3979     }
3980     if (!TEST_true(EVP_CipherFinal_ex(ctx, outbuf + outlen1, &outlen2))) {
3981         errmsg = "CIPHER_FINAL";
3982         goto err;
3983     }
3984     if (!TEST_mem_eq(t->expected, t->expectedlen, outbuf, outlen1 + outlen2)) {
3985         errmsg = "WRONG_RESULT";
3986         goto err;
3987     }
3988     if (!TEST_true(EVP_CipherInit_ex(ctx, NULL, NULL, NULL, NULL, -1))) {
3989         errmsg = "CIPHER_REINIT";
3990         goto err;
3991     }
3992     if (!TEST_true(EVP_CipherUpdate(ctx, outbuf, &outlen1, t->input, t->inlen))) {
3993         errmsg = "CIPHER_UPDATE (reinit)";
3994         goto err;
3995     }
3996     if (!TEST_true(EVP_CipherFinal_ex(ctx, outbuf + outlen1, &outlen2))) {
3997         errmsg = "CIPHER_FINAL (reinit)";
3998         goto err;
3999     }
4000     if (!TEST_mem_eq(t->expected, t->expectedlen, outbuf, outlen1 + outlen2)) {
4001         errmsg = "WRONG_RESULT (reinit)";
4002         goto err;
4003     }
4004     testresult = 1;
4005  err:
4006     if (errmsg != NULL)
4007         TEST_info("test_evp_reset %d: %s", idx, errmsg);
4008     EVP_CIPHER_CTX_free(ctx);
4009     EVP_CIPHER_free(type);
4010     return testresult;
4011 }
4012 
4013 typedef struct {
4014     const char *cipher;
4015     int enc;
4016 } EVP_UPDATED_IV_TEST_st;
4017 
4018 static const EVP_UPDATED_IV_TEST_st evp_updated_iv_tests[] = {
4019     {
4020         "aes-128-cfb", 1
4021     },
4022     {
4023         "aes-128-cfb", 0
4024     },
4025     {
4026         "aes-128-cfb1", 1
4027     },
4028     {
4029         "aes-128-cfb1", 0
4030     },
4031     {
4032         "aes-128-cfb8", 1
4033     },
4034     {
4035         "aes-128-cfb8", 0
4036     },
4037     {
4038         "aes-128-ofb", 1
4039     },
4040     {
4041         "aes-128-ofb", 0
4042     },
4043     {
4044         "aes-128-ctr", 1
4045     },
4046     {
4047         "aes-128-ctr", 0
4048     },
4049     {
4050         "aes-128-cbc", 1
4051     },
4052     {
4053         "aes-128-cbc", 0
4054     }
4055 };
4056 
4057 /*
4058  * Test that the IV in the context is updated during a crypto operation for CFB
4059  * and OFB.
4060  */
4061 static int test_evp_updated_iv(int idx)
4062 {
4063     const EVP_UPDATED_IV_TEST_st *t = &evp_updated_iv_tests[idx];
4064     int outlen1, outlen2;
4065     int testresult = 0;
4066     unsigned char outbuf[1024];
4067     EVP_CIPHER_CTX *ctx = NULL;
4068     EVP_CIPHER *type = NULL;
4069     unsigned char updated_iv[EVP_MAX_IV_LENGTH];
4070     int iv_len;
4071     char *errmsg = NULL;
4072 
4073     if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new())) {
4074         errmsg = "CTX_ALLOC";
4075         goto err;
4076     }
4077     if ((type = EVP_CIPHER_fetch(testctx, t->cipher, testpropq)) == NULL) {
4078         TEST_info("cipher %s not supported, skipping", t->cipher);
4079         goto ok;
4080     }
4081 
4082     if (!TEST_true(EVP_CipherInit_ex(ctx, type, NULL, kCFBDefaultKey, iCFBIV, t->enc))) {
4083         errmsg = "CIPHER_INIT";
4084         goto err;
4085     }
4086     if (!TEST_true(EVP_CIPHER_CTX_set_padding(ctx, 0))) {
4087         errmsg = "PADDING";
4088         goto err;
4089     }
4090     if (!TEST_true(EVP_CipherUpdate(ctx, outbuf, &outlen1, cfbPlaintext, sizeof(cfbPlaintext)))) {
4091         errmsg = "CIPHER_UPDATE";
4092         goto err;
4093     }
4094     if (!TEST_true(EVP_CIPHER_CTX_get_updated_iv(ctx, updated_iv, sizeof(updated_iv)))) {
4095         errmsg = "CIPHER_CTX_GET_UPDATED_IV";
4096         goto err;
4097     }
4098     if (!TEST_true(iv_len = EVP_CIPHER_CTX_get_iv_length(ctx))) {
4099         errmsg = "CIPHER_CTX_GET_IV_LEN";
4100         goto err;
4101     }
4102     if (!TEST_mem_ne(iCFBIV, sizeof(iCFBIV), updated_iv, iv_len)) {
4103         errmsg = "IV_NOT_UPDATED";
4104         goto err;
4105     }
4106     if (!TEST_true(EVP_CipherFinal_ex(ctx, outbuf + outlen1, &outlen2))) {
4107         errmsg = "CIPHER_FINAL";
4108         goto err;
4109     }
4110  ok:
4111     testresult = 1;
4112  err:
4113     if (errmsg != NULL)
4114         TEST_info("test_evp_updated_iv %d: %s", idx, errmsg);
4115     EVP_CIPHER_CTX_free(ctx);
4116     EVP_CIPHER_free(type);
4117     return testresult;
4118 }
4119 
4120 typedef struct {
4121     const unsigned char *iv1;
4122     const unsigned char *iv2;
4123     const unsigned char *expected1;
4124     const unsigned char *expected2;
4125     const unsigned char *tag1;
4126     const unsigned char *tag2;
4127     size_t ivlen1;
4128     size_t ivlen2;
4129     size_t expectedlen1;
4130     size_t expectedlen2;
4131 } TEST_GCM_IV_REINIT_st;
4132 
4133 static const TEST_GCM_IV_REINIT_st gcm_reinit_tests[] = {
4134     {
4135         iGCMResetIV1, iGCMResetIV2, gcmResetCiphertext1, gcmResetCiphertext2,
4136         gcmResetTag1, gcmResetTag2, sizeof(iGCMResetIV1), sizeof(iGCMResetIV2),
4137         sizeof(gcmResetCiphertext1), sizeof(gcmResetCiphertext2)
4138     },
4139     {
4140         iGCMResetIV2, iGCMResetIV1, gcmResetCiphertext2, gcmResetCiphertext1,
4141         gcmResetTag2, gcmResetTag1, sizeof(iGCMResetIV2), sizeof(iGCMResetIV1),
4142         sizeof(gcmResetCiphertext2), sizeof(gcmResetCiphertext1)
4143     }
4144 };
4145 
4146 static int test_gcm_reinit(int idx)
4147 {
4148     int outlen1, outlen2, outlen3;
4149     int testresult = 0;
4150     unsigned char outbuf[1024];
4151     unsigned char tag[16];
4152     const TEST_GCM_IV_REINIT_st *t = &gcm_reinit_tests[idx];
4153     EVP_CIPHER_CTX *ctx = NULL;
4154     EVP_CIPHER *type = NULL;
4155     size_t taglen = sizeof(tag);
4156     char *errmsg = NULL;
4157 
4158     if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new())) {
4159         errmsg = "CTX_ALLOC";
4160         goto err;
4161     }
4162     if (!TEST_ptr(type = EVP_CIPHER_fetch(testctx, "aes-256-gcm", testpropq))) {
4163         errmsg = "CIPHER_FETCH";
4164         goto err;
4165     }
4166     if (!TEST_true(EVP_CipherInit_ex(ctx, type, NULL, NULL, NULL, 1))) {
4167         errmsg = "ENC_INIT";
4168         goto err;
4169     }
4170     if (!TEST_int_gt(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, t->ivlen1, NULL), 0)) {
4171         errmsg = "SET_IVLEN1";
4172         goto err;
4173     }
4174     if (!TEST_true(EVP_CipherInit_ex(ctx, NULL, NULL, kGCMResetKey, t->iv1, 1))) {
4175         errmsg = "SET_IV1";
4176         goto err;
4177     }
4178     if (!TEST_true(EVP_CipherUpdate(ctx, NULL, &outlen3, gcmAAD, sizeof(gcmAAD)))) {
4179         errmsg = "AAD1";
4180         goto err;
4181     }
4182     EVP_CIPHER_CTX_set_padding(ctx, 0);
4183     if (!TEST_true(EVP_CipherUpdate(ctx, outbuf, &outlen1, gcmResetPlaintext,
4184                                     sizeof(gcmResetPlaintext)))) {
4185         errmsg = "CIPHER_UPDATE1";
4186         goto err;
4187     }
4188     if (!TEST_true(EVP_CipherFinal_ex(ctx, outbuf + outlen1, &outlen2))) {
4189         errmsg = "CIPHER_FINAL1";
4190         goto err;
4191     }
4192     if (!TEST_mem_eq(t->expected1, t->expectedlen1, outbuf, outlen1 + outlen2)) {
4193         errmsg = "WRONG_RESULT1";
4194         goto err;
4195     }
4196     if (!TEST_int_gt(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen, tag), 0)) {
4197         errmsg = "GET_TAG1";
4198         goto err;
4199     }
4200     if (!TEST_mem_eq(t->tag1, taglen, tag, taglen)) {
4201         errmsg = "TAG_ERROR1";
4202         goto err;
4203     }
4204     /* Now reinit */
4205     if (!TEST_int_gt(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, t->ivlen2, NULL), 0)) {
4206         errmsg = "SET_IVLEN2";
4207         goto err;
4208     }
4209     if (!TEST_true(EVP_CipherInit_ex(ctx, NULL, NULL, NULL, t->iv2, -1))) {
4210         errmsg = "SET_IV2";
4211         goto err;
4212     }
4213     if (!TEST_true(EVP_CipherUpdate(ctx, NULL, &outlen3, gcmAAD, sizeof(gcmAAD)))) {
4214         errmsg = "AAD2";
4215         goto err;
4216     }
4217     if (!TEST_true(EVP_CipherUpdate(ctx, outbuf, &outlen1, gcmResetPlaintext,
4218                                     sizeof(gcmResetPlaintext)))) {
4219         errmsg = "CIPHER_UPDATE2";
4220         goto err;
4221     }
4222     if (!TEST_true(EVP_CipherFinal_ex(ctx, outbuf + outlen1, &outlen2))) {
4223         errmsg = "CIPHER_FINAL2";
4224         goto err;
4225     }
4226     if (!TEST_mem_eq(t->expected2, t->expectedlen2, outbuf, outlen1 + outlen2)) {
4227         errmsg = "WRONG_RESULT2";
4228         goto err;
4229     }
4230     if (!TEST_int_gt(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen, tag), 0)) {
4231         errmsg = "GET_TAG2";
4232         goto err;
4233     }
4234     if (!TEST_mem_eq(t->tag2, taglen, tag, taglen)) {
4235         errmsg = "TAG_ERROR2";
4236         goto err;
4237     }
4238     testresult = 1;
4239  err:
4240     if (errmsg != NULL)
4241         TEST_info("evp_init_test %d: %s", idx, errmsg);
4242     EVP_CIPHER_CTX_free(ctx);
4243     EVP_CIPHER_free(type);
4244     return testresult;
4245 }
4246 
4247 static const char *ivlen_change_ciphers[] = {
4248     "AES-256-GCM",
4249 #ifndef OPENSSL_NO_OCB
4250     "AES-256-OCB",
4251 #endif
4252     "AES-256-CCM"
4253 };
4254 
4255 /* Negative test for ivlen change after iv being set */
4256 static int test_ivlen_change(int idx)
4257 {
4258     int outlen;
4259     int res = 0;
4260     unsigned char outbuf[1024];
4261     static const unsigned char iv[] = {
4262          0x57, 0x71, 0x7d, 0xad, 0xdb, 0x9b, 0x98, 0x82,
4263          0x5a, 0x55, 0x91, 0x81, 0x42, 0xa8, 0x89, 0x34
4264     };
4265     EVP_CIPHER_CTX *ctx = NULL;
4266     EVP_CIPHER *ciph = NULL;
4267     OSSL_PARAM params[] = { OSSL_PARAM_END, OSSL_PARAM_END };
4268     size_t ivlen = 13; /* non-default IV length */
4269 
4270     if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new()))
4271         goto err;
4272 
4273     if (!TEST_ptr(ciph = EVP_CIPHER_fetch(testctx, ivlen_change_ciphers[idx],
4274                                           testpropq)))
4275         goto err;
4276 
4277     if (!TEST_true(EVP_CipherInit_ex(ctx, ciph, NULL, kGCMDefaultKey, iv, 1)))
4278         goto err;
4279 
4280     if (!TEST_true(EVP_CipherUpdate(ctx, outbuf, &outlen, gcmDefaultPlaintext,
4281                                     sizeof(gcmDefaultPlaintext))))
4282         goto err;
4283 
4284     params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_AEAD_IVLEN,
4285                                             &ivlen);
4286     if (!TEST_true(EVP_CIPHER_CTX_set_params(ctx, params)))
4287         goto err;
4288 
4289     ERR_set_mark();
4290     if (!TEST_false(EVP_CipherUpdate(ctx, outbuf, &outlen, gcmDefaultPlaintext,
4291                                     sizeof(gcmDefaultPlaintext)))) {
4292         ERR_clear_last_mark();
4293         goto err;
4294     }
4295     ERR_pop_to_mark();
4296 
4297     res = 1;
4298  err:
4299     EVP_CIPHER_CTX_free(ctx);
4300     EVP_CIPHER_free(ciph);
4301     return res;
4302 }
4303 
4304 static const char *keylen_change_ciphers[] = {
4305 #ifndef OPENSSL_NO_BF
4306     "BF-ECB",
4307 #endif
4308 #ifndef OPENSSL_NO_CAST
4309     "CAST5-ECB",
4310 #endif
4311 #ifndef OPENSSL_NO_RC2
4312     "RC2-ECB",
4313 #endif
4314 #ifndef OPENSSL_NO_RC4
4315     "RC4",
4316 #endif
4317 #ifndef OPENSSL_NO_RC5
4318     "RC5-ECB",
4319 #endif
4320     NULL
4321 };
4322 
4323 /* Negative test for keylen change after key was set */
4324 static int test_keylen_change(int idx)
4325 {
4326     int outlen;
4327     int res = 0;
4328     unsigned char outbuf[1024];
4329     static const unsigned char key[] = {
4330          0x57, 0x71, 0x7d, 0xad, 0xdb, 0x9b, 0x98, 0x82,
4331          0x5a, 0x55, 0x91, 0x81, 0x42, 0xa8, 0x89, 0x34
4332     };
4333     EVP_CIPHER_CTX *ctx = NULL;
4334     EVP_CIPHER *ciph = NULL;
4335     OSSL_PARAM params[] = { OSSL_PARAM_END, OSSL_PARAM_END };
4336     size_t keylen = 12; /* non-default key length */
4337 
4338     if (lgcyprov == NULL)
4339         return TEST_skip("Test requires legacy provider to be loaded");
4340 
4341     if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new()))
4342         goto err;
4343 
4344     if (!TEST_ptr(ciph = EVP_CIPHER_fetch(testctx, keylen_change_ciphers[idx],
4345                                           testpropq)))
4346         goto err;
4347 
4348     if (!TEST_true(EVP_CipherInit_ex(ctx, ciph, NULL, key, NULL, 1)))
4349         goto err;
4350 
4351     if (!TEST_true(EVP_CipherUpdate(ctx, outbuf, &outlen, gcmDefaultPlaintext,
4352                                     sizeof(gcmDefaultPlaintext))))
4353         goto err;
4354 
4355     params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_KEYLEN,
4356                                             &keylen);
4357     if (!TEST_true(EVP_CIPHER_CTX_set_params(ctx, params)))
4358         goto err;
4359 
4360     ERR_set_mark();
4361     if (!TEST_false(EVP_CipherUpdate(ctx, outbuf, &outlen, gcmDefaultPlaintext,
4362                                     sizeof(gcmDefaultPlaintext)))) {
4363         ERR_clear_last_mark();
4364         goto err;
4365     }
4366     ERR_pop_to_mark();
4367 
4368     res = 1;
4369  err:
4370     EVP_CIPHER_CTX_free(ctx);
4371     EVP_CIPHER_free(ciph);
4372     return res;
4373 }
4374 
4375 #ifndef OPENSSL_NO_DEPRECATED_3_0
4376 static EVP_PKEY_METHOD *custom_pmeth =  NULL;
4377 static const EVP_PKEY_METHOD *orig_pmeth = NULL;
4378 
4379 # define EVP_PKEY_CTRL_MY_COMMAND 9999
4380 
4381 static int custom_pmeth_init(EVP_PKEY_CTX *ctx)
4382 {
4383     int (*pinit)(EVP_PKEY_CTX *ctx);
4384 
4385     EVP_PKEY_meth_get_init(orig_pmeth, &pinit);
4386     return pinit(ctx);
4387 }
4388 
4389 static void custom_pmeth_cleanup(EVP_PKEY_CTX *ctx)
4390 {
4391     void (*pcleanup)(EVP_PKEY_CTX *ctx);
4392 
4393     EVP_PKEY_meth_get_cleanup(orig_pmeth, &pcleanup);
4394     pcleanup(ctx);
4395 }
4396 
4397 static int custom_pmeth_sign(EVP_PKEY_CTX *ctx, unsigned char *out,
4398                              size_t *outlen, const unsigned char *in,
4399                              size_t inlen)
4400 {
4401     int (*psign)(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
4402                  const unsigned char *tbs, size_t tbslen);
4403 
4404     EVP_PKEY_meth_get_sign(orig_pmeth, NULL, &psign);
4405     return psign(ctx, out, outlen, in, inlen);
4406 }
4407 
4408 static int custom_pmeth_digestsign(EVP_MD_CTX *ctx, unsigned char *sig,
4409                                    size_t *siglen, const unsigned char *tbs,
4410                                    size_t tbslen)
4411 {
4412     int (*pdigestsign)(EVP_MD_CTX *ctx, unsigned char *sig, size_t *siglen,
4413                        const unsigned char *tbs, size_t tbslen);
4414 
4415     EVP_PKEY_meth_get_digestsign(orig_pmeth, &pdigestsign);
4416     return pdigestsign(ctx, sig, siglen, tbs, tbslen);
4417 }
4418 
4419 static int custom_pmeth_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
4420                                size_t *keylen)
4421 {
4422     int (*pderive)(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen);
4423 
4424     EVP_PKEY_meth_get_derive(orig_pmeth, NULL, &pderive);
4425     return pderive(ctx, key, keylen);
4426 }
4427 
4428 static int custom_pmeth_copy(EVP_PKEY_CTX *dst, const EVP_PKEY_CTX *src)
4429 {
4430     int (*pcopy)(EVP_PKEY_CTX *dst, const EVP_PKEY_CTX *src);
4431 
4432     EVP_PKEY_meth_get_copy(orig_pmeth, &pcopy);
4433     return pcopy(dst, src);
4434 }
4435 
4436 static int ctrl_called;
4437 
4438 static int custom_pmeth_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
4439 {
4440     int (*pctrl)(EVP_PKEY_CTX *ctx, int type, int p1, void *p2);
4441 
4442     EVP_PKEY_meth_get_ctrl(orig_pmeth, &pctrl, NULL);
4443 
4444     if (type == EVP_PKEY_CTRL_MY_COMMAND) {
4445         ctrl_called = 1;
4446         return 1;
4447     }
4448 
4449     return pctrl(ctx, type, p1, p2);
4450 }
4451 
4452 static int test_custom_pmeth(int idx)
4453 {
4454     EVP_PKEY_CTX *pctx = NULL;
4455     EVP_MD_CTX *ctx = NULL;
4456     EVP_PKEY *pkey = NULL;
4457     int id, orig_id, orig_flags;
4458     int testresult = 0;
4459     size_t reslen;
4460     unsigned char *res = NULL;
4461     unsigned char msg[] = { 'H', 'e', 'l', 'l', 'o' };
4462     const EVP_MD *md = EVP_sha256();
4463     int doderive = 0;
4464 
4465     ctrl_called = 0;
4466 
4467     /* We call deprecated APIs so this test doesn't support a custom libctx */
4468     if (testctx != NULL)
4469         return 1;
4470 
4471     switch(idx) {
4472     case 0:
4473     case 6:
4474         id = EVP_PKEY_RSA;
4475         pkey = load_example_rsa_key();
4476         break;
4477     case 1:
4478     case 7:
4479 # ifndef OPENSSL_NO_DSA
4480         id = EVP_PKEY_DSA;
4481         pkey = load_example_dsa_key();
4482         break;
4483 # else
4484         return 1;
4485 # endif
4486     case 2:
4487     case 8:
4488 # ifndef OPENSSL_NO_EC
4489         id = EVP_PKEY_EC;
4490         pkey = load_example_ec_key();
4491         break;
4492 # else
4493         return 1;
4494 # endif
4495     case 3:
4496     case 9:
4497 # ifndef OPENSSL_NO_EC
4498         id = EVP_PKEY_ED25519;
4499         md = NULL;
4500         pkey = load_example_ed25519_key();
4501         break;
4502 # else
4503         return 1;
4504 # endif
4505     case 4:
4506     case 10:
4507 # ifndef OPENSSL_NO_DH
4508         id = EVP_PKEY_DH;
4509         doderive = 1;
4510         pkey = load_example_dh_key();
4511         break;
4512 # else
4513         return 1;
4514 # endif
4515     case 5:
4516     case 11:
4517 # ifndef OPENSSL_NO_EC
4518         id = EVP_PKEY_X25519;
4519         doderive = 1;
4520         pkey = load_example_x25519_key();
4521         break;
4522 # else
4523         return 1;
4524 # endif
4525     default:
4526         TEST_error("Should not happen");
4527         goto err;
4528     }
4529 
4530     if (!TEST_ptr(pkey))
4531         goto err;
4532 
4533     if (idx < 6) {
4534         if (!TEST_true(evp_pkey_is_provided(pkey)))
4535             goto err;
4536     } else {
4537         EVP_PKEY *tmp = pkey;
4538 
4539         /* Convert to a legacy key */
4540         pkey = EVP_PKEY_new();
4541         if (!TEST_ptr(pkey)) {
4542             pkey = tmp;
4543             goto err;
4544         }
4545         if (!TEST_true(evp_pkey_copy_downgraded(&pkey, tmp))) {
4546             EVP_PKEY_free(tmp);
4547             goto err;
4548         }
4549         EVP_PKEY_free(tmp);
4550         if (!TEST_true(evp_pkey_is_legacy(pkey)))
4551             goto err;
4552     }
4553 
4554     if (!TEST_ptr(orig_pmeth = EVP_PKEY_meth_find(id))
4555             || !TEST_ptr(pkey))
4556         goto err;
4557 
4558     EVP_PKEY_meth_get0_info(&orig_id, &orig_flags, orig_pmeth);
4559     if (!TEST_int_eq(orig_id, id)
4560             || !TEST_ptr(custom_pmeth = EVP_PKEY_meth_new(id, orig_flags)))
4561         goto err;
4562 
4563     if (id == EVP_PKEY_ED25519) {
4564         EVP_PKEY_meth_set_digestsign(custom_pmeth, custom_pmeth_digestsign);
4565     } if (id == EVP_PKEY_DH || id == EVP_PKEY_X25519) {
4566         EVP_PKEY_meth_set_derive(custom_pmeth, NULL, custom_pmeth_derive);
4567     } else {
4568         EVP_PKEY_meth_set_sign(custom_pmeth, NULL, custom_pmeth_sign);
4569     }
4570     if (id != EVP_PKEY_ED25519 && id != EVP_PKEY_X25519) {
4571         EVP_PKEY_meth_set_init(custom_pmeth, custom_pmeth_init);
4572         EVP_PKEY_meth_set_cleanup(custom_pmeth, custom_pmeth_cleanup);
4573         EVP_PKEY_meth_set_copy(custom_pmeth, custom_pmeth_copy);
4574     }
4575     EVP_PKEY_meth_set_ctrl(custom_pmeth, custom_pmeth_ctrl, NULL);
4576     if (!TEST_true(EVP_PKEY_meth_add0(custom_pmeth)))
4577         goto err;
4578 
4579     if (doderive) {
4580         pctx = EVP_PKEY_CTX_new(pkey, NULL);
4581         if (!TEST_ptr(pctx)
4582                 || !TEST_int_eq(EVP_PKEY_derive_init(pctx), 1)
4583                 || !TEST_int_ge(EVP_PKEY_CTX_ctrl(pctx, -1, -1,
4584                                                 EVP_PKEY_CTRL_MY_COMMAND, 0, NULL),
4585                                 1)
4586                 || !TEST_int_eq(ctrl_called, 1)
4587                 || !TEST_int_ge(EVP_PKEY_derive_set_peer(pctx, pkey), 1)
4588                 || !TEST_int_ge(EVP_PKEY_derive(pctx, NULL, &reslen), 1)
4589                 || !TEST_ptr(res = OPENSSL_malloc(reslen))
4590                 || !TEST_int_ge(EVP_PKEY_derive(pctx, res, &reslen), 1))
4591             goto err;
4592     } else {
4593         ctx = EVP_MD_CTX_new();
4594         reslen = EVP_PKEY_size(pkey);
4595         res = OPENSSL_malloc(reslen);
4596         if (!TEST_ptr(ctx)
4597                 || !TEST_ptr(res)
4598                 || !TEST_true(EVP_DigestSignInit(ctx, &pctx, md, NULL, pkey))
4599                 || !TEST_int_ge(EVP_PKEY_CTX_ctrl(pctx, -1, -1,
4600                                                 EVP_PKEY_CTRL_MY_COMMAND, 0, NULL),
4601                                 1)
4602                 || !TEST_int_eq(ctrl_called, 1))
4603             goto err;
4604 
4605         if (id == EVP_PKEY_ED25519) {
4606             if (!TEST_true(EVP_DigestSign(ctx, res, &reslen, msg, sizeof(msg))))
4607                 goto err;
4608         } else {
4609             if (!TEST_true(EVP_DigestUpdate(ctx, msg, sizeof(msg)))
4610                     || !TEST_true(EVP_DigestSignFinal(ctx, res, &reslen)))
4611                 goto err;
4612         }
4613     }
4614 
4615     testresult = 1;
4616  err:
4617     OPENSSL_free(res);
4618     EVP_MD_CTX_free(ctx);
4619     if (doderive)
4620         EVP_PKEY_CTX_free(pctx);
4621     EVP_PKEY_free(pkey);
4622     EVP_PKEY_meth_remove(custom_pmeth);
4623     EVP_PKEY_meth_free(custom_pmeth);
4624     custom_pmeth = NULL;
4625     return testresult;
4626 }
4627 
4628 static int test_evp_md_cipher_meth(void)
4629 {
4630     EVP_MD *md = EVP_MD_meth_dup(EVP_sha256());
4631     EVP_CIPHER *ciph = EVP_CIPHER_meth_dup(EVP_aes_128_cbc());
4632     int testresult = 0;
4633 
4634     if (!TEST_ptr(md) || !TEST_ptr(ciph))
4635         goto err;
4636 
4637     testresult = 1;
4638 
4639  err:
4640     EVP_MD_meth_free(md);
4641     EVP_CIPHER_meth_free(ciph);
4642 
4643     return testresult;
4644 }
4645 
4646 typedef struct {
4647         int data;
4648 } custom_dgst_ctx;
4649 
4650 static int custom_md_init_called = 0;
4651 static int custom_md_cleanup_called = 0;
4652 
4653 static int custom_md_init(EVP_MD_CTX *ctx)
4654 {
4655     custom_dgst_ctx *p = EVP_MD_CTX_md_data(ctx);
4656 
4657     if (p == NULL)
4658         return 0;
4659 
4660     custom_md_init_called++;
4661     return 1;
4662 }
4663 
4664 static int custom_md_cleanup(EVP_MD_CTX *ctx)
4665 {
4666     custom_dgst_ctx *p = EVP_MD_CTX_md_data(ctx);
4667 
4668     if (p == NULL)
4669         /* Nothing to do */
4670         return 1;
4671 
4672     custom_md_cleanup_called++;
4673     return 1;
4674 }
4675 
4676 static int test_custom_md_meth(void)
4677 {
4678     EVP_MD_CTX *mdctx = NULL;
4679     EVP_MD *tmp = NULL;
4680     char mess[] = "Test Message\n";
4681     unsigned char md_value[EVP_MAX_MD_SIZE];
4682     unsigned int md_len;
4683     int testresult = 0;
4684     int nid;
4685 
4686     /*
4687      * We are testing deprecated functions. We don't support a non-default
4688      * library context in this test.
4689      */
4690     if (testctx != NULL)
4691         return TEST_skip("Non-default libctx");
4692 
4693     custom_md_init_called = custom_md_cleanup_called = 0;
4694 
4695     nid = OBJ_create("1.3.6.1.4.1.16604.998866.1", "custom-md", "custom-md");
4696     if (!TEST_int_ne(nid, NID_undef))
4697         goto err;
4698     tmp = EVP_MD_meth_new(nid, NID_undef);
4699     if (!TEST_ptr(tmp))
4700         goto err;
4701 
4702     if (!TEST_true(EVP_MD_meth_set_init(tmp, custom_md_init))
4703             || !TEST_true(EVP_MD_meth_set_cleanup(tmp, custom_md_cleanup))
4704             || !TEST_true(EVP_MD_meth_set_app_datasize(tmp,
4705                                                        sizeof(custom_dgst_ctx))))
4706         goto err;
4707 
4708     mdctx = EVP_MD_CTX_new();
4709     if (!TEST_ptr(mdctx)
4710                /*
4711                 * Initing our custom md and then initing another md should
4712                 * result in the init and cleanup functions of the custom md
4713                 * being called.
4714                 */
4715             || !TEST_true(EVP_DigestInit_ex(mdctx, tmp, NULL))
4716             || !TEST_true(EVP_DigestInit_ex(mdctx, EVP_sha256(), NULL))
4717             || !TEST_true(EVP_DigestUpdate(mdctx, mess, strlen(mess)))
4718             || !TEST_true(EVP_DigestFinal_ex(mdctx, md_value, &md_len))
4719             || !TEST_int_eq(custom_md_init_called, 1)
4720             || !TEST_int_eq(custom_md_cleanup_called, 1))
4721         goto err;
4722 
4723     testresult = 1;
4724  err:
4725     EVP_MD_CTX_free(mdctx);
4726     EVP_MD_meth_free(tmp);
4727     return testresult;
4728 }
4729 
4730 typedef struct {
4731         int data;
4732 } custom_ciph_ctx;
4733 
4734 static int custom_ciph_init_called = 0;
4735 static int custom_ciph_cleanup_called = 0;
4736 
4737 static int custom_ciph_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
4738                             const unsigned char *iv, int enc)
4739 {
4740     custom_ciph_ctx *p = EVP_CIPHER_CTX_get_cipher_data(ctx);
4741 
4742     if (p == NULL)
4743         return 0;
4744 
4745     custom_ciph_init_called++;
4746     return 1;
4747 }
4748 
4749 static int custom_ciph_cleanup(EVP_CIPHER_CTX *ctx)
4750 {
4751     custom_ciph_ctx *p = EVP_CIPHER_CTX_get_cipher_data(ctx);
4752 
4753     if (p == NULL)
4754         /* Nothing to do */
4755         return 1;
4756 
4757     custom_ciph_cleanup_called++;
4758     return 1;
4759 }
4760 
4761 static int test_custom_ciph_meth(void)
4762 {
4763     EVP_CIPHER_CTX *ciphctx = NULL;
4764     EVP_CIPHER *tmp = NULL;
4765     int testresult = 0;
4766     int nid;
4767 
4768     /*
4769      * We are testing deprecated functions. We don't support a non-default
4770      * library context in this test.
4771      */
4772     if (testctx != NULL)
4773         return TEST_skip("Non-default libctx");
4774 
4775     custom_ciph_init_called = custom_ciph_cleanup_called = 0;
4776 
4777     nid = OBJ_create("1.3.6.1.4.1.16604.998866.2", "custom-ciph", "custom-ciph");
4778     if (!TEST_int_ne(nid, NID_undef))
4779         goto err;
4780     tmp = EVP_CIPHER_meth_new(nid, 16, 16);
4781     if (!TEST_ptr(tmp))
4782         goto err;
4783 
4784     if (!TEST_true(EVP_CIPHER_meth_set_init(tmp, custom_ciph_init))
4785             || !TEST_true(EVP_CIPHER_meth_set_flags(tmp, EVP_CIPH_ALWAYS_CALL_INIT))
4786             || !TEST_true(EVP_CIPHER_meth_set_cleanup(tmp, custom_ciph_cleanup))
4787             || !TEST_true(EVP_CIPHER_meth_set_impl_ctx_size(tmp,
4788                                                             sizeof(custom_ciph_ctx))))
4789         goto err;
4790 
4791     ciphctx = EVP_CIPHER_CTX_new();
4792     if (!TEST_ptr(ciphctx)
4793             /*
4794              * Initing our custom cipher and then initing another cipher
4795              * should result in the init and cleanup functions of the custom
4796              * cipher being called.
4797              */
4798             || !TEST_true(EVP_CipherInit_ex(ciphctx, tmp, NULL, NULL, NULL, 1))
4799             || !TEST_true(EVP_CipherInit_ex(ciphctx, EVP_aes_128_cbc(), NULL,
4800                                             NULL, NULL, 1))
4801             || !TEST_int_eq(custom_ciph_init_called, 1)
4802             || !TEST_int_eq(custom_ciph_cleanup_called, 1))
4803         goto err;
4804 
4805     testresult = 1;
4806  err:
4807     EVP_CIPHER_CTX_free(ciphctx);
4808     EVP_CIPHER_meth_free(tmp);
4809     return testresult;
4810 }
4811 
4812 # ifndef OPENSSL_NO_DYNAMIC_ENGINE
4813 /* Test we can create a signature keys with an associated ENGINE */
4814 static int test_signatures_with_engine(int tst)
4815 {
4816     ENGINE *e;
4817     const char *engine_id = "dasync";
4818     EVP_PKEY *pkey = NULL;
4819     const unsigned char badcmackey[] = { 0x00, 0x01 };
4820     const unsigned char cmackey[] = {
4821         0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
4822         0x0c, 0x0d, 0x0e, 0x0f
4823     };
4824     const unsigned char ed25519key[] = {
4825         0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
4826         0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
4827         0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
4828     };
4829     const unsigned char msg[] = { 0x00, 0x01, 0x02, 0x03 };
4830     int testresult = 0;
4831     EVP_MD_CTX *ctx = NULL;
4832     unsigned char *mac = NULL;
4833     size_t maclen = 0;
4834     int ret;
4835 
4836 #  ifdef OPENSSL_NO_CMAC
4837     /* Skip CMAC tests in a no-cmac build */
4838     if (tst <= 1)
4839         return 1;
4840 #  endif
4841 
4842     if (!TEST_ptr(e = ENGINE_by_id(engine_id)))
4843         return 0;
4844 
4845     if (!TEST_true(ENGINE_init(e))) {
4846         ENGINE_free(e);
4847         return 0;
4848     }
4849 
4850     switch (tst) {
4851     case 0:
4852         pkey = EVP_PKEY_new_CMAC_key(e, cmackey, sizeof(cmackey),
4853                                      EVP_aes_128_cbc());
4854         break;
4855     case 1:
4856         pkey = EVP_PKEY_new_CMAC_key(e, badcmackey, sizeof(badcmackey),
4857                                      EVP_aes_128_cbc());
4858         break;
4859     case 2:
4860         pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_ED25519, e, ed25519key,
4861                                             sizeof(ed25519key));
4862         break;
4863     default:
4864         TEST_error("Invalid test case");
4865         goto err;
4866     }
4867     if (!TEST_ptr(pkey))
4868         goto err;
4869 
4870     if (!TEST_ptr(ctx = EVP_MD_CTX_new()))
4871         goto err;
4872 
4873     ret = EVP_DigestSignInit(ctx, NULL, tst == 2 ? NULL : EVP_sha256(), NULL,
4874                              pkey);
4875     if (tst == 0) {
4876         if (!TEST_true(ret))
4877             goto err;
4878 
4879         if (!TEST_true(EVP_DigestSignUpdate(ctx, msg, sizeof(msg)))
4880                 || !TEST_true(EVP_DigestSignFinal(ctx, NULL, &maclen)))
4881             goto err;
4882 
4883         if (!TEST_ptr(mac = OPENSSL_malloc(maclen)))
4884             goto err;
4885 
4886         if (!TEST_true(EVP_DigestSignFinal(ctx, mac, &maclen)))
4887             goto err;
4888     } else {
4889         /* We used a bad key. We expect a failure here */
4890         if (!TEST_false(ret))
4891             goto err;
4892     }
4893 
4894     testresult = 1;
4895  err:
4896     EVP_MD_CTX_free(ctx);
4897     OPENSSL_free(mac);
4898     EVP_PKEY_free(pkey);
4899     ENGINE_finish(e);
4900     ENGINE_free(e);
4901 
4902     return testresult;
4903 }
4904 
4905 static int test_cipher_with_engine(void)
4906 {
4907     ENGINE *e;
4908     const char *engine_id = "dasync";
4909     const unsigned char keyiv[] = {
4910         0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
4911         0x0c, 0x0d, 0x0e, 0x0f
4912     };
4913     const unsigned char msg[] = { 0x00, 0x01, 0x02, 0x03 };
4914     int testresult = 0;
4915     EVP_CIPHER_CTX *ctx = NULL, *ctx2 = NULL;
4916     unsigned char buf[AES_BLOCK_SIZE];
4917     int len = 0;
4918 
4919     if (!TEST_ptr(e = ENGINE_by_id(engine_id)))
4920         return 0;
4921 
4922     if (!TEST_true(ENGINE_init(e))) {
4923         ENGINE_free(e);
4924         return 0;
4925     }
4926 
4927     if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new())
4928             || !TEST_ptr(ctx2 = EVP_CIPHER_CTX_new()))
4929         goto err;
4930 
4931     if (!TEST_true(EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), e, keyiv, keyiv)))
4932         goto err;
4933 
4934     /* Copy the ctx, and complete the operation with the new ctx */
4935     if (!TEST_true(EVP_CIPHER_CTX_copy(ctx2, ctx)))
4936         goto err;
4937 
4938     if (!TEST_true(EVP_EncryptUpdate(ctx2, buf, &len, msg, sizeof(msg)))
4939             || !TEST_true(EVP_EncryptFinal_ex(ctx2, buf + len, &len)))
4940         goto err;
4941 
4942     testresult = 1;
4943  err:
4944     EVP_CIPHER_CTX_free(ctx);
4945     EVP_CIPHER_CTX_free(ctx2);
4946     ENGINE_finish(e);
4947     ENGINE_free(e);
4948 
4949     return testresult;
4950 }
4951 # endif /* OPENSSL_NO_DYNAMIC_ENGINE */
4952 #endif /* OPENSSL_NO_DEPRECATED_3_0 */
4953 
4954 static int ecxnids[] = {
4955     NID_X25519,
4956     NID_X448,
4957     NID_ED25519,
4958     NID_ED448
4959 };
4960 
4961 /* Test that creating ECX keys with a short private key fails as expected */
4962 static int test_ecx_short_keys(int tst)
4963 {
4964     unsigned char ecxkeydata = 1;
4965     EVP_PKEY *pkey;
4966 
4967 
4968     pkey = EVP_PKEY_new_raw_private_key_ex(testctx, OBJ_nid2sn(ecxnids[tst]),
4969                                            NULL, &ecxkeydata, 1);
4970     if (!TEST_ptr_null(pkey)) {
4971         EVP_PKEY_free(pkey);
4972         return 0;
4973     }
4974 
4975     return 1;
4976 }
4977 
4978 typedef enum OPTION_choice {
4979     OPT_ERR = -1,
4980     OPT_EOF = 0,
4981     OPT_CONTEXT,
4982     OPT_TEST_ENUM
4983 } OPTION_CHOICE;
4984 
4985 const OPTIONS *test_get_options(void)
4986 {
4987     static const OPTIONS options[] = {
4988         OPT_TEST_OPTIONS_DEFAULT_USAGE,
4989         { "context", OPT_CONTEXT, '-', "Explicitly use a non-default library context" },
4990         { NULL }
4991     };
4992     return options;
4993 }
4994 
4995 #ifndef OPENSSL_NO_EC
4996 /* Test that trying to sign with a public key errors out gracefully */
4997 static int test_ecx_not_private_key(int tst)
4998 {
4999     EVP_PKEY *pkey = NULL;
5000 
5001     const unsigned char msg[] = { 0x00, 0x01, 0x02, 0x03 };
5002     int testresult = 0;
5003     EVP_MD_CTX *ctx = NULL;
5004     unsigned char *mac = NULL;
5005     size_t maclen = 0;
5006     unsigned char *pubkey;
5007     size_t pubkeylen;
5008 
5009     switch (keys[tst].type) {
5010     case NID_X25519:
5011     case NID_X448:
5012         return TEST_skip("signing not supported for X25519/X448");
5013     }
5014 
5015     /* Check if this algorithm supports public keys */
5016     if (keys[tst].pub == NULL)
5017         return TEST_skip("no public key present");
5018 
5019     pubkey = (unsigned char *)keys[tst].pub;
5020     pubkeylen = strlen(keys[tst].pub);
5021 
5022     pkey = EVP_PKEY_new_raw_public_key_ex(testctx, OBJ_nid2sn(keys[tst].type),
5023                                           NULL, pubkey, pubkeylen);
5024     if (!TEST_ptr(pkey))
5025         goto err;
5026 
5027     if (!TEST_ptr(ctx = EVP_MD_CTX_new()))
5028         goto err;
5029 
5030     if (EVP_DigestSignInit(ctx, NULL, NULL, NULL, pkey) != 1)
5031         goto check_err;
5032 
5033     if (EVP_DigestSign(ctx, NULL, &maclen, msg, sizeof(msg)) != 1)
5034         goto check_err;
5035 
5036     if (!TEST_ptr(mac = OPENSSL_malloc(maclen)))
5037         goto err;
5038 
5039     if (!TEST_int_eq(EVP_DigestSign(ctx, mac, &maclen, msg, sizeof(msg)), 0))
5040         goto err;
5041 
5042  check_err:
5043     /*
5044      * Currently only EVP_DigestSign will throw PROV_R_NOT_A_PRIVATE_KEY,
5045      * but we relax the check to allow error also thrown by
5046      * EVP_DigestSignInit and EVP_DigestSign.
5047      */
5048     if (ERR_GET_REASON(ERR_peek_error()) == PROV_R_NOT_A_PRIVATE_KEY) {
5049         testresult = 1;
5050         ERR_clear_error();
5051     }
5052 
5053  err:
5054     EVP_MD_CTX_free(ctx);
5055     OPENSSL_free(mac);
5056     EVP_PKEY_free(pkey);
5057 
5058     return testresult;
5059 }
5060 #endif /* OPENSSL_NO_EC */
5061 
5062 static int aes_gcm_encrypt(const unsigned char *gcm_key, size_t gcm_key_s,
5063                            const unsigned char *gcm_iv, size_t gcm_ivlen,
5064                            const unsigned char *gcm_pt, size_t gcm_pt_s,
5065                            const unsigned char *gcm_aad, size_t gcm_aad_s,
5066                            const unsigned char *gcm_ct, size_t gcm_ct_s,
5067                            const unsigned char *gcm_tag, size_t gcm_tag_s)
5068 {
5069     int ret = 0;
5070     EVP_CIPHER_CTX *ctx;
5071     EVP_CIPHER *cipher = NULL;
5072     int outlen, tmplen;
5073     unsigned char outbuf[1024];
5074     unsigned char outtag[16];
5075     OSSL_PARAM params[2] = {
5076         OSSL_PARAM_END, OSSL_PARAM_END
5077     };
5078 
5079     if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new())
5080             || !TEST_ptr(cipher = EVP_CIPHER_fetch(testctx, "AES-256-GCM", "")))
5081         goto err;
5082 
5083     params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_AEAD_IVLEN,
5084                                             &gcm_ivlen);
5085 
5086     if (!TEST_true(EVP_EncryptInit_ex2(ctx, cipher, gcm_key, gcm_iv, params))
5087             || (gcm_aad != NULL
5088                 && !TEST_true(EVP_EncryptUpdate(ctx, NULL, &outlen,
5089                                                 gcm_aad, gcm_aad_s)))
5090             || !TEST_true(EVP_EncryptUpdate(ctx, outbuf, &outlen,
5091                                             gcm_pt, gcm_pt_s))
5092             || !TEST_true(EVP_EncryptFinal_ex(ctx, outbuf, &tmplen)))
5093         goto err;
5094 
5095     params[0] = OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG,
5096                                                   outtag, sizeof(outtag));
5097 
5098     if (!TEST_true(EVP_CIPHER_CTX_get_params(ctx, params))
5099             || !TEST_mem_eq(outbuf, outlen, gcm_ct, gcm_ct_s)
5100             || !TEST_mem_eq(outtag, gcm_tag_s, gcm_tag, gcm_tag_s))
5101         goto err;
5102 
5103     ret = 1;
5104 err:
5105     EVP_CIPHER_free(cipher);
5106     EVP_CIPHER_CTX_free(ctx);
5107 
5108     return ret;
5109 }
5110 
5111 static int aes_gcm_decrypt(const unsigned char *gcm_key, size_t gcm_key_s,
5112                            const unsigned char *gcm_iv, size_t gcm_ivlen,
5113                            const unsigned char *gcm_pt, size_t gcm_pt_s,
5114                            const unsigned char *gcm_aad, size_t gcm_aad_s,
5115                            const unsigned char *gcm_ct, size_t gcm_ct_s,
5116                            const unsigned char *gcm_tag, size_t gcm_tag_s)
5117 {
5118     int ret = 0;
5119     EVP_CIPHER_CTX *ctx;
5120     EVP_CIPHER *cipher = NULL;
5121     int outlen;
5122     unsigned char outbuf[1024];
5123     OSSL_PARAM params[2] = {
5124         OSSL_PARAM_END, OSSL_PARAM_END
5125     };
5126 
5127     if ((ctx = EVP_CIPHER_CTX_new()) == NULL)
5128         goto err;
5129 
5130     if ((cipher = EVP_CIPHER_fetch(testctx, "AES-256-GCM", "")) == NULL)
5131         goto err;
5132 
5133     params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_AEAD_IVLEN,
5134                                             &gcm_ivlen);
5135 
5136     if (!TEST_true(EVP_DecryptInit_ex2(ctx, cipher, gcm_key, gcm_iv, params))
5137             || (gcm_aad != NULL
5138                 && !TEST_true(EVP_DecryptUpdate(ctx, NULL, &outlen,
5139                                                 gcm_aad, gcm_aad_s)))
5140             || !TEST_true(EVP_DecryptUpdate(ctx, outbuf, &outlen,
5141                                             gcm_ct, gcm_ct_s))
5142             || !TEST_mem_eq(outbuf, outlen, gcm_pt, gcm_pt_s))
5143         goto err;
5144 
5145     params[0] = OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG,
5146                                                   (void*)gcm_tag, gcm_tag_s);
5147 
5148     if (!TEST_true(EVP_CIPHER_CTX_set_params(ctx, params))
5149             ||!TEST_true(EVP_DecryptFinal_ex(ctx, outbuf, &outlen)))
5150         goto err;
5151 
5152     ret = 1;
5153 err:
5154     EVP_CIPHER_free(cipher);
5155     EVP_CIPHER_CTX_free(ctx);
5156 
5157     return ret;
5158 }
5159 
5160 static int test_aes_gcm_ivlen_change_cve_2023_5363(void)
5161 {
5162     /* AES-GCM test data obtained from NIST public test vectors */
5163     static const unsigned char gcm_key[] = {
5164         0xd0, 0xc2, 0x67, 0xc1, 0x9f, 0x30, 0xd8, 0x0b, 0x89, 0x14, 0xbb, 0xbf,
5165         0xb7, 0x2f, 0x73, 0xb8, 0xd3, 0xcd, 0x5f, 0x6a, 0x78, 0x70, 0x15, 0x84,
5166         0x8a, 0x7b, 0x30, 0xe3, 0x8f, 0x16, 0xf1, 0x8b,
5167     };
5168     static const unsigned char gcm_iv[] = {
5169         0xb6, 0xdc, 0xda, 0x95, 0xac, 0x99, 0x77, 0x76, 0x25, 0xae, 0x87, 0xf8,
5170         0xa3, 0xa9, 0xdd, 0x64, 0xd7, 0x9b, 0xbd, 0x5f, 0x4a, 0x0e, 0x54, 0xca,
5171         0x1a, 0x9f, 0xa2, 0xe3, 0xf4, 0x5f, 0x5f, 0xc2, 0xce, 0xa7, 0xb6, 0x14,
5172         0x12, 0x6f, 0xf0, 0xaf, 0xfd, 0x3e, 0x17, 0x35, 0x6e, 0xa0, 0x16, 0x09,
5173         0xdd, 0xa1, 0x3f, 0xd8, 0xdd, 0xf3, 0xdf, 0x4f, 0xcb, 0x18, 0x49, 0xb8,
5174         0xb3, 0x69, 0x2c, 0x5d, 0x4f, 0xad, 0x30, 0x91, 0x08, 0xbc, 0xbe, 0x24,
5175         0x01, 0x0f, 0xbe, 0x9c, 0xfb, 0x4f, 0x5d, 0x19, 0x7f, 0x4c, 0x53, 0xb0,
5176         0x95, 0x90, 0xac, 0x7b, 0x1f, 0x7b, 0xa0, 0x99, 0xe1, 0xf3, 0x48, 0x54,
5177         0xd0, 0xfc, 0xa9, 0xcc, 0x91, 0xf8, 0x1f, 0x9b, 0x6c, 0x9a, 0xe0, 0xdc,
5178         0x63, 0xea, 0x7d, 0x2a, 0x4a, 0x7d, 0xa5, 0xed, 0x68, 0x57, 0x27, 0x6b,
5179         0x68, 0xe0, 0xf2, 0xb8, 0x51, 0x50, 0x8d, 0x3d,
5180     };
5181     static const unsigned char gcm_pt[] = {
5182         0xb8, 0xb6, 0x88, 0x36, 0x44, 0xe2, 0x34, 0xdf, 0x24, 0x32, 0x91, 0x07,
5183         0x4f, 0xe3, 0x6f, 0x81,
5184     };
5185     static const unsigned char gcm_ct[] = {
5186         0xff, 0x4f, 0xb3, 0xf3, 0xf9, 0xa2, 0x51, 0xd4, 0x82, 0xc2, 0xbe, 0xf3,
5187         0xe2, 0xd0, 0xec, 0xed,
5188     };
5189     static const unsigned char gcm_tag[] = {
5190         0xbd, 0x06, 0x38, 0x09, 0xf7, 0xe1, 0xc4, 0x72, 0x0e, 0xf2, 0xea, 0x63,
5191         0xdb, 0x99, 0x6c, 0x21,
5192     };
5193 
5194     return aes_gcm_encrypt(gcm_key, sizeof(gcm_key), gcm_iv, sizeof(gcm_iv),
5195                            gcm_pt, sizeof(gcm_pt), NULL, 0,
5196                            gcm_ct, sizeof(gcm_ct), gcm_tag, sizeof(gcm_tag))
5197         && aes_gcm_decrypt(gcm_key, sizeof(gcm_key), gcm_iv, sizeof(gcm_iv),
5198                            gcm_pt, sizeof(gcm_pt), NULL, 0,
5199                            gcm_ct, sizeof(gcm_ct), gcm_tag, sizeof(gcm_tag));
5200 }
5201 
5202 #ifndef OPENSSL_NO_RC4
5203 static int rc4_encrypt(const unsigned char *rc4_key, size_t rc4_key_s,
5204                        const unsigned char *rc4_pt, size_t rc4_pt_s,
5205                        const unsigned char *rc4_ct, size_t rc4_ct_s)
5206 {
5207     int ret = 0;
5208     EVP_CIPHER_CTX *ctx;
5209     EVP_CIPHER *cipher = NULL;
5210     int outlen, tmplen;
5211     unsigned char outbuf[1024];
5212     OSSL_PARAM params[2] = {
5213         OSSL_PARAM_END, OSSL_PARAM_END
5214     };
5215 
5216     if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new())
5217             || !TEST_ptr(cipher = EVP_CIPHER_fetch(testctx, "RC4", "")))
5218         goto err;
5219 
5220     params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_KEYLEN,
5221                                             &rc4_key_s);
5222 
5223     if (!TEST_true(EVP_EncryptInit_ex2(ctx, cipher, rc4_key, NULL, params))
5224             || !TEST_true(EVP_EncryptUpdate(ctx, outbuf, &outlen,
5225                                             rc4_pt, rc4_pt_s))
5226             || !TEST_true(EVP_EncryptFinal_ex(ctx, outbuf, &tmplen)))
5227         goto err;
5228 
5229     if (!TEST_mem_eq(outbuf, outlen, rc4_ct, rc4_ct_s))
5230         goto err;
5231 
5232     ret = 1;
5233 err:
5234     EVP_CIPHER_free(cipher);
5235     EVP_CIPHER_CTX_free(ctx);
5236 
5237     return ret;
5238 }
5239 
5240 static int rc4_decrypt(const unsigned char *rc4_key, size_t rc4_key_s,
5241                        const unsigned char *rc4_pt, size_t rc4_pt_s,
5242                        const unsigned char *rc4_ct, size_t rc4_ct_s)
5243 {
5244     int ret = 0;
5245     EVP_CIPHER_CTX *ctx;
5246     EVP_CIPHER *cipher = NULL;
5247     int outlen;
5248     unsigned char outbuf[1024];
5249     OSSL_PARAM params[2] = {
5250         OSSL_PARAM_END, OSSL_PARAM_END
5251     };
5252 
5253     if ((ctx = EVP_CIPHER_CTX_new()) == NULL)
5254         goto err;
5255 
5256     if ((cipher = EVP_CIPHER_fetch(testctx, "RC4", "")) == NULL)
5257         goto err;
5258 
5259     params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_KEYLEN,
5260                                             &rc4_key_s);
5261 
5262     if (!TEST_true(EVP_DecryptInit_ex2(ctx, cipher, rc4_key, NULL, params))
5263             || !TEST_true(EVP_DecryptUpdate(ctx, outbuf, &outlen,
5264                                             rc4_ct, rc4_ct_s))
5265             || !TEST_mem_eq(outbuf, outlen, rc4_pt, rc4_pt_s))
5266         goto err;
5267 
5268     ret = 1;
5269 err:
5270     EVP_CIPHER_free(cipher);
5271     EVP_CIPHER_CTX_free(ctx);
5272 
5273     return ret;
5274 }
5275 
5276 static int test_aes_rc4_keylen_change_cve_2023_5363(void)
5277 {
5278     /* RC4 test data obtained from RFC 6229 */
5279     static const struct {
5280         unsigned char key[5];
5281         unsigned char padding[11];
5282     } rc4_key = {
5283         {   /* Five bytes of key material */
5284             0x83, 0x32, 0x22, 0x77, 0x2a,
5285         },
5286         {   /* Random padding to 16 bytes */
5287             0x80, 0xad, 0x97, 0xbd, 0xc9, 0x73, 0xdf, 0x8a, 0xaa, 0x32, 0x91
5288         }
5289     };
5290     static const unsigned char rc4_pt[] = {
5291         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5292         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
5293     };
5294     static const unsigned char rc4_ct[] = {
5295         0x80, 0xad, 0x97, 0xbd, 0xc9, 0x73, 0xdf, 0x8a,
5296         0x2e, 0x87, 0x9e, 0x92, 0xa4, 0x97, 0xef, 0xda
5297     };
5298 
5299     if (lgcyprov == NULL)
5300         return TEST_skip("Test requires legacy provider to be loaded");
5301 
5302     return rc4_encrypt(rc4_key.key, sizeof(rc4_key.key),
5303                        rc4_pt, sizeof(rc4_pt), rc4_ct, sizeof(rc4_ct))
5304         && rc4_decrypt(rc4_key.key, sizeof(rc4_key.key),
5305                        rc4_pt, sizeof(rc4_pt), rc4_ct, sizeof(rc4_ct));
5306 }
5307 #endif
5308 
5309 int setup_tests(void)
5310 {
5311     OPTION_CHOICE o;
5312 
5313     while ((o = opt_next()) != OPT_EOF) {
5314         switch (o) {
5315         case OPT_CONTEXT:
5316             /* Set up an alternate library context */
5317             testctx = OSSL_LIB_CTX_new();
5318             if (!TEST_ptr(testctx))
5319                 return 0;
5320 #ifdef STATIC_LEGACY
5321 	    /*
5322 	     * This test is always statically linked against libcrypto. We must not
5323 	     * attempt to load legacy.so that might be dynamically linked against
5324 	     * libcrypto. Instead we use a built-in version of the legacy provider.
5325 	     */
5326 	    if (!OSSL_PROVIDER_add_builtin(testctx, "legacy", ossl_legacy_provider_init))
5327 		return 0;
5328 #endif
5329             /* Swap the libctx to test non-default context only */
5330             nullprov = OSSL_PROVIDER_load(NULL, "null");
5331             deflprov = OSSL_PROVIDER_load(testctx, "default");
5332             lgcyprov = OSSL_PROVIDER_load(testctx, "legacy");
5333             break;
5334         case OPT_TEST_CASES:
5335             break;
5336         default:
5337             return 0;
5338         }
5339     }
5340 
5341     ADD_TEST(test_EVP_set_default_properties);
5342     ADD_ALL_TESTS(test_EVP_DigestSignInit, 30);
5343     ADD_TEST(test_EVP_DigestVerifyInit);
5344 #ifndef OPENSSL_NO_SIPHASH
5345     ADD_TEST(test_siphash_digestsign);
5346 #endif
5347     ADD_TEST(test_EVP_Digest);
5348     ADD_TEST(test_EVP_md_null);
5349     ADD_ALL_TESTS(test_EVP_PKEY_sign, 3);
5350 #ifndef OPENSSL_NO_DEPRECATED_3_0
5351     ADD_ALL_TESTS(test_EVP_PKEY_sign_with_app_method, 2);
5352 #endif
5353     ADD_ALL_TESTS(test_EVP_Enveloped, 2);
5354     ADD_ALL_TESTS(test_d2i_AutoPrivateKey, OSSL_NELEM(keydata));
5355     ADD_TEST(test_privatekey_to_pkcs8);
5356     ADD_TEST(test_EVP_PKCS82PKEY_wrong_tag);
5357 #ifndef OPENSSL_NO_EC
5358     ADD_TEST(test_EVP_PKCS82PKEY);
5359 #endif
5360 #ifndef OPENSSL_NO_EC
5361     ADD_ALL_TESTS(test_EC_keygen_with_enc, OSSL_NELEM(ec_encodings));
5362 #endif
5363 #if !defined(OPENSSL_NO_SM2)
5364     ADD_TEST(test_EVP_SM2);
5365     ADD_TEST(test_EVP_SM2_verify);
5366 #endif
5367     ADD_ALL_TESTS(test_set_get_raw_keys, OSSL_NELEM(keys));
5368 #ifndef OPENSSL_NO_DEPRECATED_3_0
5369     custom_pmeth = EVP_PKEY_meth_new(0xdefaced, 0);
5370     if (!TEST_ptr(custom_pmeth))
5371         return 0;
5372     EVP_PKEY_meth_set_check(custom_pmeth, pkey_custom_check);
5373     EVP_PKEY_meth_set_public_check(custom_pmeth, pkey_custom_pub_check);
5374     EVP_PKEY_meth_set_param_check(custom_pmeth, pkey_custom_param_check);
5375     if (!TEST_int_eq(EVP_PKEY_meth_add0(custom_pmeth), 1))
5376         return 0;
5377 #endif
5378     ADD_ALL_TESTS(test_EVP_PKEY_check, OSSL_NELEM(keycheckdata));
5379 #ifndef OPENSSL_NO_CMAC
5380     ADD_TEST(test_CMAC_keygen);
5381 #endif
5382     ADD_TEST(test_HKDF);
5383     ADD_TEST(test_emptyikm_HKDF);
5384 #ifndef OPENSSL_NO_EC
5385     ADD_TEST(test_X509_PUBKEY_inplace);
5386     ADD_TEST(test_X509_PUBKEY_dup);
5387     ADD_ALL_TESTS(test_invalide_ec_char2_pub_range_decode,
5388                   OSSL_NELEM(ec_der_pub_keys));
5389 #endif
5390 #ifndef OPENSSL_NO_DSA
5391     ADD_TEST(test_DSA_get_set_params);
5392     ADD_TEST(test_DSA_priv_pub);
5393 #endif
5394     ADD_TEST(test_RSA_get_set_params);
5395     ADD_TEST(test_RSA_OAEP_set_get_params);
5396     ADD_TEST(test_RSA_OAEP_set_null_label);
5397 #if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
5398     ADD_TEST(test_decrypt_null_chunks);
5399 #endif
5400 #ifndef OPENSSL_NO_DH
5401     ADD_TEST(test_DH_priv_pub);
5402 # ifndef OPENSSL_NO_DEPRECATED_3_0
5403     ADD_TEST(test_EVP_PKEY_set1_DH);
5404 # endif
5405 #endif
5406 #ifndef OPENSSL_NO_EC
5407     ADD_TEST(test_EC_priv_pub);
5408 # ifndef OPENSSL_NO_DEPRECATED_3_0
5409     ADD_TEST(test_EC_priv_only_legacy);
5410 # endif
5411 #endif
5412     ADD_ALL_TESTS(test_keygen_with_empty_template, 2);
5413     ADD_ALL_TESTS(test_pkey_ctx_fail_without_provider, 2);
5414 
5415     ADD_TEST(test_rand_agglomeration);
5416     ADD_ALL_TESTS(test_evp_iv_aes, 12);
5417 #ifndef OPENSSL_NO_DES
5418     ADD_ALL_TESTS(test_evp_iv_des, 6);
5419 #endif
5420 #ifndef OPENSSL_NO_BF
5421     ADD_ALL_TESTS(test_evp_bf_default_keylen, 4);
5422 #endif
5423     ADD_TEST(test_EVP_rsa_pss_with_keygen_bits);
5424     ADD_TEST(test_EVP_rsa_pss_set_saltlen);
5425 #ifndef OPENSSL_NO_EC
5426     ADD_ALL_TESTS(test_ecpub, OSSL_NELEM(ecpub_nids));
5427 #endif
5428 
5429     ADD_TEST(test_names_do_all);
5430 
5431     ADD_ALL_TESTS(test_evp_init_seq, OSSL_NELEM(evp_init_tests));
5432     ADD_ALL_TESTS(test_evp_reset, OSSL_NELEM(evp_reset_tests));
5433     ADD_ALL_TESTS(test_evp_reinit_seq, OSSL_NELEM(evp_reinit_tests));
5434     ADD_ALL_TESTS(test_gcm_reinit, OSSL_NELEM(gcm_reinit_tests));
5435     ADD_ALL_TESTS(test_evp_updated_iv, OSSL_NELEM(evp_updated_iv_tests));
5436     ADD_ALL_TESTS(test_ivlen_change, OSSL_NELEM(ivlen_change_ciphers));
5437     if (OSSL_NELEM(keylen_change_ciphers) - 1 > 0)
5438         ADD_ALL_TESTS(test_keylen_change, OSSL_NELEM(keylen_change_ciphers) - 1);
5439 
5440 #ifndef OPENSSL_NO_DEPRECATED_3_0
5441     ADD_ALL_TESTS(test_custom_pmeth, 12);
5442     ADD_TEST(test_evp_md_cipher_meth);
5443     ADD_TEST(test_custom_md_meth);
5444     ADD_TEST(test_custom_ciph_meth);
5445 
5446 # ifndef OPENSSL_NO_DYNAMIC_ENGINE
5447     /* Tests only support the default libctx */
5448     if (testctx == NULL) {
5449 #  ifndef OPENSSL_NO_EC
5450         ADD_ALL_TESTS(test_signatures_with_engine, 3);
5451 #  else
5452         ADD_ALL_TESTS(test_signatures_with_engine, 2);
5453 #  endif
5454         ADD_TEST(test_cipher_with_engine);
5455     }
5456 # endif
5457 #endif
5458 
5459     ADD_ALL_TESTS(test_ecx_short_keys, OSSL_NELEM(ecxnids));
5460 
5461 #ifndef OPENSSL_NO_EC
5462     ADD_ALL_TESTS(test_ecx_not_private_key, OSSL_NELEM(keys));
5463 #endif
5464 
5465     /* Test cases for CVE-2023-5363 */
5466     ADD_TEST(test_aes_gcm_ivlen_change_cve_2023_5363);
5467 #ifndef OPENSSL_NO_RC4
5468     ADD_TEST(test_aes_rc4_keylen_change_cve_2023_5363);
5469 #endif
5470 
5471     return 1;
5472 }
5473 
5474 void cleanup_tests(void)
5475 {
5476     OSSL_PROVIDER_unload(nullprov);
5477     OSSL_PROVIDER_unload(deflprov);
5478     OSSL_PROVIDER_unload(lgcyprov);
5479     OSSL_LIB_CTX_free(testctx);
5480 }
5481