1 /* 2 * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 /* 11 12 * These tests are setup to load null into the default library context. 13 * Any tests are expected to use the created 'libctx' to find algorithms. 14 * The framework runs the tests twice using the 'default' provider or 15 * 'fips' provider as inputs. 16 */ 17 18 /* 19 * DSA/DH low level APIs are deprecated for public use, but still ok for 20 * internal use. 21 */ 22 #include "internal/deprecated.h" 23 #include <assert.h> 24 #include <openssl/evp.h> 25 #include <openssl/provider.h> 26 #include <openssl/dsa.h> 27 #include <openssl/dh.h> 28 #include <openssl/safestack.h> 29 #include <openssl/core_dispatch.h> 30 #include <openssl/core_names.h> 31 #include <openssl/x509.h> 32 #include <openssl/encoder.h> 33 #include "testutil.h" 34 #include "internal/nelem.h" 35 #include "crypto/bn_dh.h" /* _bignum_ffdhe2048_p */ 36 37 static OSSL_LIB_CTX *libctx = NULL; 38 static OSSL_PROVIDER *nullprov = NULL; 39 static OSSL_PROVIDER *libprov = NULL; 40 static STACK_OF(OPENSSL_STRING) *cipher_names = NULL; 41 42 typedef enum OPTION_choice { 43 OPT_ERR = -1, 44 OPT_EOF = 0, 45 OPT_CONFIG_FILE, 46 OPT_PROVIDER_NAME, 47 OPT_TEST_ENUM 48 } OPTION_CHOICE; 49 50 const OPTIONS *test_get_options(void) 51 { 52 static const OPTIONS test_options[] = { 53 OPT_TEST_OPTIONS_DEFAULT_USAGE, 54 { "config", OPT_CONFIG_FILE, '<', 55 "The configuration file to use for the libctx" }, 56 { "provider", OPT_PROVIDER_NAME, 's', 57 "The provider to load (The default value is 'default')" }, 58 { NULL } 59 }; 60 return test_options; 61 } 62 63 #ifndef OPENSSL_NO_DH 64 static const char *getname(int id) 65 { 66 const char *name[] = {"p", "q", "g" }; 67 68 if (id >= 0 && id < 3) 69 return name[id]; 70 return "?"; 71 } 72 #endif 73 74 /* 75 * We're using some DH specific values in this test, so we skip compilation if 76 * we're in a no-dh build. 77 */ 78 #if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DH) 79 80 static int test_dsa_param_keygen(int tstid) 81 { 82 int ret = 0; 83 int expected; 84 EVP_PKEY_CTX *gen_ctx = NULL; 85 EVP_PKEY *pkey_parm = NULL; 86 EVP_PKEY *pkey = NULL, *dup_pk = NULL; 87 DSA *dsa = NULL; 88 int pind, qind, gind; 89 BIGNUM *p = NULL, *q = NULL, *g = NULL; 90 91 /* 92 * Just grab some fixed dh p, q, g values for testing, 93 * these 'safe primes' should not be used normally for dsa *. 94 */ 95 static const BIGNUM *bn[] = { 96 &ossl_bignum_dh2048_256_p, &ossl_bignum_dh2048_256_q, 97 &ossl_bignum_dh2048_256_g 98 }; 99 100 /* 101 * These tests are using bad values for p, q, g by reusing the values. 102 * A value of 0 uses p, 1 uses q and 2 uses g. 103 * There are 27 different combinations, with only the 1 valid combination. 104 */ 105 pind = tstid / 9; 106 qind = (tstid / 3) % 3; 107 gind = tstid % 3; 108 expected = (pind == 0 && qind == 1 && gind == 2); 109 110 TEST_note("Testing with (p, q, g) = (%s, %s, %s)\n", getname(pind), 111 getname(qind), getname(gind)); 112 113 if (!TEST_ptr(pkey_parm = EVP_PKEY_new()) 114 || !TEST_ptr(dsa = DSA_new()) 115 || !TEST_ptr(p = BN_dup(bn[pind])) 116 || !TEST_ptr(q = BN_dup(bn[qind])) 117 || !TEST_ptr(g = BN_dup(bn[gind])) 118 || !TEST_true(DSA_set0_pqg(dsa, p, q, g))) 119 goto err; 120 p = q = g = NULL; 121 122 if (!TEST_true(EVP_PKEY_assign_DSA(pkey_parm, dsa))) 123 goto err; 124 dsa = NULL; 125 126 if (!TEST_ptr(gen_ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey_parm, NULL)) 127 || !TEST_int_gt(EVP_PKEY_keygen_init(gen_ctx), 0) 128 || !TEST_int_eq(EVP_PKEY_keygen(gen_ctx, &pkey), expected)) 129 goto err; 130 131 if (expected) { 132 if (!TEST_ptr(dup_pk = EVP_PKEY_dup(pkey)) 133 || !TEST_int_eq(EVP_PKEY_eq(pkey, dup_pk), 1)) 134 goto err; 135 } 136 137 ret = 1; 138 err: 139 EVP_PKEY_free(pkey); 140 EVP_PKEY_free(dup_pk); 141 EVP_PKEY_CTX_free(gen_ctx); 142 EVP_PKEY_free(pkey_parm); 143 DSA_free(dsa); 144 BN_free(g); 145 BN_free(q); 146 BN_free(p); 147 return ret; 148 } 149 #endif /* OPENSSL_NO_DSA */ 150 151 #ifndef OPENSSL_NO_DH 152 static int do_dh_param_keygen(int tstid, const BIGNUM **bn) 153 { 154 int ret = 0; 155 int expected; 156 EVP_PKEY_CTX *gen_ctx = NULL; 157 EVP_PKEY *pkey_parm = NULL; 158 EVP_PKEY *pkey = NULL, *dup_pk = NULL; 159 DH *dh = NULL; 160 int pind, qind, gind; 161 BIGNUM *p = NULL, *q = NULL, *g = NULL; 162 163 /* 164 * These tests are using bad values for p, q, g by reusing the values. 165 * A value of 0 uses p, 1 uses q and 2 uses g. 166 * There are 27 different combinations, with only the 1 valid combination. 167 */ 168 pind = tstid / 9; 169 qind = (tstid / 3) % 3; 170 gind = tstid % 3; 171 expected = (pind == 0 && qind == 1 && gind == 2); 172 173 TEST_note("Testing with (p, q, g) = (%s, %s, %s)", getname(pind), 174 getname(qind), getname(gind)); 175 176 if (!TEST_ptr(pkey_parm = EVP_PKEY_new()) 177 || !TEST_ptr(dh = DH_new()) 178 || !TEST_ptr(p = BN_dup(bn[pind])) 179 || !TEST_ptr(q = BN_dup(bn[qind])) 180 || !TEST_ptr(g = BN_dup(bn[gind])) 181 || !TEST_true(DH_set0_pqg(dh, p, q, g))) 182 goto err; 183 p = q = g = NULL; 184 185 if (!TEST_true(EVP_PKEY_assign_DH(pkey_parm, dh))) 186 goto err; 187 dh = NULL; 188 189 if (!TEST_ptr(gen_ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey_parm, NULL)) 190 || !TEST_int_gt(EVP_PKEY_keygen_init(gen_ctx), 0) 191 || !TEST_int_eq(EVP_PKEY_keygen(gen_ctx, &pkey), expected)) 192 goto err; 193 194 if (expected) { 195 if (!TEST_ptr(dup_pk = EVP_PKEY_dup(pkey)) 196 || !TEST_int_eq(EVP_PKEY_eq(pkey, dup_pk), 1)) 197 goto err; 198 } 199 200 ret = 1; 201 err: 202 EVP_PKEY_free(pkey); 203 EVP_PKEY_free(dup_pk); 204 EVP_PKEY_CTX_free(gen_ctx); 205 EVP_PKEY_free(pkey_parm); 206 DH_free(dh); 207 BN_free(g); 208 BN_free(q); 209 BN_free(p); 210 return ret; 211 } 212 213 /* 214 * Note that we get the fips186-4 path being run for most of these cases since 215 * the internal code will detect that the p, q, g does not match a safe prime 216 * group (Except for when tstid = 5, which sets the correct p, q, g) 217 */ 218 static int test_dh_safeprime_param_keygen(int tstid) 219 { 220 static const BIGNUM *bn[] = { 221 &ossl_bignum_ffdhe2048_p, &ossl_bignum_ffdhe2048_q, 222 &ossl_bignum_const_2 223 }; 224 return do_dh_param_keygen(tstid, bn); 225 } 226 227 static int dhx_cert_load(void) 228 { 229 int ret = 0; 230 X509 *cert = NULL; 231 BIO *bio = NULL; 232 233 static const unsigned char dhx_cert[] = { 234 0x30,0x82,0x03,0xff,0x30,0x82,0x02,0xe7,0xa0,0x03,0x02,0x01,0x02,0x02,0x09,0x00, 235 0xdb,0xf5,0x4d,0x22,0xa0,0x7a,0x67,0xa6,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86, 236 0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x30,0x44,0x31,0x0b,0x30,0x09,0x06,0x03,0x55, 237 0x04,0x06,0x13,0x02,0x55,0x4b,0x31,0x16,0x30,0x14,0x06,0x03,0x55,0x04,0x0a,0x0c, 238 0x0d,0x4f,0x70,0x65,0x6e,0x53,0x53,0x4c,0x20,0x47,0x72,0x6f,0x75,0x70,0x31,0x1d, 239 0x30,0x1b,0x06,0x03,0x55,0x04,0x03,0x0c,0x14,0x54,0x65,0x73,0x74,0x20,0x53,0x2f, 240 0x4d,0x49,0x4d,0x45,0x20,0x52,0x53,0x41,0x20,0x52,0x6f,0x6f,0x74,0x30,0x1e,0x17, 241 0x0d,0x31,0x33,0x30,0x38,0x30,0x32,0x31,0x34,0x34,0x39,0x32,0x39,0x5a,0x17,0x0d, 242 0x32,0x33,0x30,0x36,0x31,0x31,0x31,0x34,0x34,0x39,0x32,0x39,0x5a,0x30,0x44,0x31, 243 0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x4b,0x31,0x16,0x30,0x14, 244 0x06,0x03,0x55,0x04,0x0a,0x0c,0x0d,0x4f,0x70,0x65,0x6e,0x53,0x53,0x4c,0x20,0x47, 245 0x72,0x6f,0x75,0x70,0x31,0x1d,0x30,0x1b,0x06,0x03,0x55,0x04,0x03,0x0c,0x14,0x54, 246 0x65,0x73,0x74,0x20,0x53,0x2f,0x4d,0x49,0x4d,0x45,0x20,0x45,0x45,0x20,0x44,0x48, 247 0x20,0x23,0x31,0x30,0x82,0x01,0xb6,0x30,0x82,0x01,0x2b,0x06,0x07,0x2a,0x86,0x48, 248 0xce,0x3e,0x02,0x01,0x30,0x82,0x01,0x1e,0x02,0x81,0x81,0x00,0xd4,0x0c,0x4a,0x0c, 249 0x04,0x72,0x71,0x19,0xdf,0x59,0x19,0xc5,0xaf,0x44,0x7f,0xca,0x8e,0x2b,0xf0,0x09, 250 0xf5,0xd3,0x25,0xb1,0x73,0x16,0x55,0x89,0xdf,0xfd,0x07,0xaf,0x19,0xd3,0x7f,0xd0, 251 0x07,0xa2,0xfe,0x3f,0x5a,0xf1,0x01,0xc6,0xf8,0x2b,0xef,0x4e,0x6d,0x03,0x38,0x42, 252 0xa1,0x37,0xd4,0x14,0xb4,0x00,0x4a,0xb1,0x86,0x5a,0x83,0xce,0xb9,0x08,0x0e,0xc1, 253 0x99,0x27,0x47,0x8d,0x0b,0x85,0xa8,0x82,0xed,0xcc,0x0d,0xb9,0xb0,0x32,0x7e,0xdf, 254 0xe8,0xe4,0xf6,0xf6,0xec,0xb3,0xee,0x7a,0x11,0x34,0x65,0x97,0xfc,0x1a,0xb0,0x95, 255 0x4b,0x19,0xb9,0xa6,0x1c,0xd9,0x01,0x32,0xf7,0x35,0x7c,0x2d,0x5d,0xfe,0xc1,0x85, 256 0x70,0x49,0xf8,0xcc,0x99,0xd0,0xbe,0xf1,0x5a,0x78,0xc8,0x03,0x02,0x81,0x80,0x69, 257 0x00,0xfd,0x66,0xf2,0xfc,0x15,0x8b,0x09,0xb8,0xdc,0x4d,0xea,0xaa,0x79,0x55,0xf9, 258 0xdf,0x46,0xa6,0x2f,0xca,0x2d,0x8f,0x59,0x2a,0xad,0x44,0xa3,0xc6,0x18,0x2f,0x95, 259 0xb6,0x16,0x20,0xe3,0xd3,0xd1,0x8f,0x03,0xce,0x71,0x7c,0xef,0x3a,0xc7,0x44,0x39, 260 0x0e,0xe2,0x1f,0xd8,0xd3,0x89,0x2b,0xe7,0x51,0xdc,0x12,0x48,0x4c,0x18,0x4d,0x99, 261 0x12,0x06,0xe4,0x17,0x02,0x03,0x8c,0x24,0x05,0x8e,0xa6,0x85,0xf2,0x69,0x1b,0xe1, 262 0x6a,0xdc,0xe2,0x04,0x3a,0x01,0x9d,0x64,0xbe,0xfe,0x45,0xf9,0x44,0x18,0x71,0xbd, 263 0x2d,0x3e,0x7a,0x6f,0x72,0x7d,0x1a,0x80,0x42,0x57,0xae,0x18,0x6f,0x91,0xd6,0x61, 264 0x03,0x8a,0x1c,0x89,0x73,0xc7,0x56,0x41,0x03,0xd3,0xf8,0xed,0x65,0xe2,0x85,0x02, 265 0x15,0x00,0x89,0x94,0xab,0x10,0x67,0x45,0x41,0xad,0x63,0xc6,0x71,0x40,0x8d,0x6b, 266 0x9e,0x19,0x5b,0xa4,0xc7,0xf5,0x03,0x81,0x84,0x00,0x02,0x81,0x80,0x2f,0x5b,0xde, 267 0x72,0x02,0x36,0x6b,0x00,0x5e,0x24,0x7f,0x14,0x2c,0x18,0x52,0x42,0x97,0x4b,0xdb, 268 0x6e,0x15,0x50,0x3c,0x45,0x3e,0x25,0xf3,0xb7,0xc5,0x6e,0xe5,0x52,0xe7,0xc4,0xfb, 269 0xf4,0xa5,0xf0,0x39,0x12,0x7f,0xbc,0x54,0x1c,0x93,0xb9,0x5e,0xee,0xe9,0x14,0xb0, 270 0xdf,0xfe,0xfc,0x36,0xe4,0xf2,0xaf,0xfb,0x13,0xc8,0xdf,0x18,0x94,0x1d,0x40,0xb9, 271 0x71,0xdd,0x4c,0x9c,0xa7,0x03,0x52,0x02,0xb5,0xed,0x71,0x80,0x3e,0x23,0xda,0x28, 272 0xe5,0xab,0xe7,0x6f,0xf2,0x0a,0x0e,0x00,0x5b,0x7d,0xc6,0x4b,0xd7,0xc7,0xb2,0xc3, 273 0xba,0x62,0x7f,0x70,0x28,0xa0,0x9d,0x71,0x13,0x70,0xd1,0x9f,0x32,0x2f,0x3e,0xd2, 274 0xcd,0x1b,0xa4,0xc6,0x72,0xa0,0x74,0x5d,0x71,0xef,0x03,0x43,0x6e,0xa3,0x60,0x30, 275 0x5e,0x30,0x0c,0x06,0x03,0x55,0x1d,0x13,0x01,0x01,0xff,0x04,0x02,0x30,0x00,0x30, 276 0x0e,0x06,0x03,0x55,0x1d,0x0f,0x01,0x01,0xff,0x04,0x04,0x03,0x02,0x05,0xe0,0x30, 277 0x1d,0x06,0x03,0x55,0x1d,0x0e,0x04,0x16,0x04,0x14,0x0b,0x5a,0x4d,0x5f,0x7d,0x25, 278 0xc7,0xf2,0x9d,0xc1,0xaa,0xb7,0x63,0x82,0x2f,0xfa,0x8f,0x32,0xe7,0xc0,0x30,0x1f, 279 0x06,0x03,0x55,0x1d,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0xdf,0x7e,0x5e,0x88,0x05, 280 0x24,0x33,0x08,0xdd,0x22,0x81,0x02,0x97,0xcc,0x9a,0xb7,0xb1,0x33,0x27,0x30,0x30, 281 0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x03,0x82, 282 0x01,0x01,0x00,0x5a,0xf2,0x63,0xef,0xd3,0x16,0xd7,0xf5,0xaa,0xdd,0x12,0x00,0x36, 283 0x00,0x21,0xa2,0x7b,0x08,0xd6,0x3b,0x9f,0x62,0xac,0x53,0x1f,0xed,0x4c,0xd1,0x15, 284 0x34,0x65,0x71,0xee,0x96,0x07,0xa6,0xef,0xb2,0xde,0xd8,0xbb,0x35,0x6e,0x2c,0xe2, 285 0xd1,0x26,0xef,0x7e,0x94,0xe2,0x88,0x51,0xa4,0x6c,0xaa,0x27,0x2a,0xd3,0xb6,0xc2, 286 0xf7,0xea,0xc3,0x0b,0xa9,0xb5,0x28,0x37,0xa2,0x63,0x08,0xe4,0x88,0xc0,0x1b,0x16, 287 0x1b,0xca,0xfd,0x8a,0x07,0x32,0x29,0xa7,0x53,0xb5,0x2d,0x30,0xe4,0xf5,0x16,0xc3, 288 0xe3,0xc2,0x4c,0x30,0x5d,0x35,0x80,0x1c,0xa2,0xdb,0xe3,0x4b,0x51,0x0d,0x4c,0x60, 289 0x5f,0xb9,0x46,0xac,0xa8,0x46,0xa7,0x32,0xa7,0x9c,0x76,0xf8,0xe9,0xb5,0x19,0xe2, 290 0x0c,0xe1,0x0f,0xc6,0x46,0xe2,0x38,0xa7,0x87,0x72,0x6d,0x6c,0xbc,0x88,0x2f,0x9d, 291 0x2d,0xe5,0xd0,0x7d,0x1e,0xc7,0x5d,0xf8,0x7e,0xb4,0x0b,0xa6,0xf9,0x6c,0xe3,0x7c, 292 0xb2,0x70,0x6e,0x75,0x9b,0x1e,0x63,0xe1,0x4d,0xb2,0x81,0xd3,0x55,0x38,0x94,0x1a, 293 0x7a,0xfa,0xbf,0x01,0x18,0x70,0x2d,0x35,0xd3,0xe3,0x10,0x7a,0x9a,0xa7,0x8f,0xf3, 294 0xbd,0x56,0x55,0x5e,0xd8,0xbd,0x4e,0x16,0x76,0xd0,0x48,0x4c,0xf9,0x51,0x54,0xdf, 295 0x2d,0xb0,0xc9,0xaa,0x5e,0x42,0x38,0x50,0xbf,0x0f,0xc0,0xd9,0x84,0x44,0x4b,0x42, 296 0x24,0xec,0x14,0xa3,0xde,0x11,0xdf,0x58,0x7f,0xc2,0x4d,0xb2,0xd5,0x42,0x78,0x6e, 297 0x52,0x3e,0xad,0xc3,0x5f,0x04,0xc4,0xe6,0x31,0xaa,0x81,0x06,0x8b,0x13,0x4b,0x3c, 298 0x0e,0x6a,0xb1 299 }; 300 301 if (!TEST_ptr(bio = BIO_new_mem_buf(dhx_cert, sizeof(dhx_cert))) 302 || !TEST_ptr(cert = X509_new_ex(libctx, NULL)) 303 || !TEST_ptr(d2i_X509_bio(bio, &cert))) 304 goto err; 305 ret = 1; 306 err: 307 X509_free(cert); 308 BIO_free(bio); 309 return ret; 310 } 311 312 #endif /* OPENSSL_NO_DH */ 313 314 static int test_cipher_reinit(int test_id) 315 { 316 int ret = 0, diff, ccm, siv, no_null_key; 317 int out1_len = 0, out2_len = 0, out3_len = 0; 318 EVP_CIPHER *cipher = NULL; 319 EVP_CIPHER_CTX *ctx = NULL; 320 unsigned char out1[256]; 321 unsigned char out2[256]; 322 unsigned char out3[256]; 323 unsigned char in[16] = { 324 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 325 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10 326 }; 327 unsigned char key[64] = { 328 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 329 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 330 0x01, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 331 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 332 0x02, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 333 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 334 0x03, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 335 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 336 }; 337 unsigned char iv[16] = { 338 0x0f, 0x0e, 0x0d, 0x0c, 0x0b, 0x0a, 0x09, 0x08, 339 0x07, 0x06, 0x05, 0x04, 0x03, 0x02, 0x01, 0x00 340 }; 341 const char *name = sk_OPENSSL_STRING_value(cipher_names, test_id); 342 343 if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new())) 344 goto err; 345 346 TEST_note("Fetching %s\n", name); 347 if (!TEST_ptr(cipher = EVP_CIPHER_fetch(libctx, name, NULL))) 348 goto err; 349 350 /* ccm fails on the second update - this matches OpenSSL 1_1_1 behaviour */ 351 ccm = (EVP_CIPHER_get_mode(cipher) == EVP_CIPH_CCM_MODE); 352 353 /* siv cannot be called with NULL key as the iv is irrelevant */ 354 siv = (EVP_CIPHER_get_mode(cipher) == EVP_CIPH_SIV_MODE); 355 356 /* 357 * Skip init call with a null key for RC4 as the stream cipher does not 358 * handle reinit (1.1.1 behaviour). 359 */ 360 no_null_key = EVP_CIPHER_is_a(cipher, "RC4") 361 || EVP_CIPHER_is_a(cipher, "RC4-40") 362 || EVP_CIPHER_is_a(cipher, "RC4-HMAC-MD5"); 363 364 /* DES3-WRAP uses random every update - so it will give a different value */ 365 diff = EVP_CIPHER_is_a(cipher, "DES3-WRAP"); 366 367 if (!TEST_true(EVP_EncryptInit_ex(ctx, cipher, NULL, key, iv)) 368 || !TEST_true(EVP_EncryptUpdate(ctx, out1, &out1_len, in, sizeof(in))) 369 || !TEST_true(EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv)) 370 || !TEST_int_eq(EVP_EncryptUpdate(ctx, out2, &out2_len, in, sizeof(in)), 371 ccm ? 0 : 1) 372 || (!no_null_key 373 && (!TEST_true(EVP_EncryptInit_ex(ctx, NULL, NULL, NULL, iv)) 374 || !TEST_int_eq(EVP_EncryptUpdate(ctx, out3, &out3_len, in, sizeof(in)), 375 ccm || siv ? 0 : 1)))) 376 goto err; 377 378 if (ccm == 0) { 379 if (diff) { 380 if (!TEST_mem_ne(out1, out1_len, out2, out2_len) 381 || !TEST_mem_ne(out1, out1_len, out3, out3_len) 382 || !TEST_mem_ne(out2, out2_len, out3, out3_len)) 383 goto err; 384 } else { 385 if (!TEST_mem_eq(out1, out1_len, out2, out2_len) 386 || (!siv && !no_null_key && !TEST_mem_eq(out1, out1_len, out3, out3_len))) 387 goto err; 388 } 389 } 390 ret = 1; 391 err: 392 EVP_CIPHER_free(cipher); 393 EVP_CIPHER_CTX_free(ctx); 394 return ret; 395 } 396 397 /* 398 * This test only uses a partial block (half the block size) of input for each 399 * EVP_EncryptUpdate() in order to test that the second init/update is not using 400 * a leftover buffer from the first init/update. 401 * Note: some ciphers don't need a full block to produce output. 402 */ 403 static int test_cipher_reinit_partialupdate(int test_id) 404 { 405 int ret = 0, in_len; 406 int out1_len = 0, out2_len = 0, out3_len = 0; 407 EVP_CIPHER *cipher = NULL; 408 EVP_CIPHER_CTX *ctx = NULL; 409 unsigned char out1[256]; 410 unsigned char out2[256]; 411 unsigned char out3[256]; 412 static const unsigned char in[32] = { 413 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 414 0xba, 0xbe, 0xba, 0xbe, 0x00, 0x00, 0xba, 0xbe, 415 0x01, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 416 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 417 }; 418 static const unsigned char key[64] = { 419 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 420 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 421 0x01, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 422 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 423 0x02, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 424 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 425 0x03, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 426 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 427 }; 428 static const unsigned char iv[16] = { 429 0x0f, 0x0e, 0x0d, 0x0c, 0x0b, 0x0a, 0x09, 0x08, 430 0x07, 0x06, 0x05, 0x04, 0x03, 0x02, 0x01, 0x00 431 }; 432 const char *name = sk_OPENSSL_STRING_value(cipher_names, test_id); 433 434 if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new())) 435 goto err; 436 437 TEST_note("Fetching %s\n", name); 438 if (!TEST_ptr(cipher = EVP_CIPHER_fetch(libctx, name, NULL))) 439 goto err; 440 441 in_len = EVP_CIPHER_get_block_size(cipher) / 2; 442 443 /* skip any ciphers that don't allow partial updates */ 444 if (((EVP_CIPHER_get_flags(cipher) 445 & (EVP_CIPH_FLAG_CTS | EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK)) != 0) 446 || EVP_CIPHER_get_mode(cipher) == EVP_CIPH_CCM_MODE 447 || EVP_CIPHER_get_mode(cipher) == EVP_CIPH_XTS_MODE 448 || EVP_CIPHER_get_mode(cipher) == EVP_CIPH_WRAP_MODE) { 449 ret = 1; 450 goto err; 451 } 452 453 if (!TEST_true(EVP_EncryptInit_ex(ctx, cipher, NULL, key, iv)) 454 || !TEST_true(EVP_EncryptUpdate(ctx, out1, &out1_len, in, in_len)) 455 || !TEST_true(EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv)) 456 || !TEST_true(EVP_EncryptUpdate(ctx, out2, &out2_len, in, in_len))) 457 goto err; 458 459 if (!TEST_mem_eq(out1, out1_len, out2, out2_len)) 460 goto err; 461 462 if (EVP_CIPHER_get_mode(cipher) != EVP_CIPH_SIV_MODE) { 463 if (!TEST_true(EVP_EncryptInit_ex(ctx, NULL, NULL, NULL, iv)) 464 || !TEST_true(EVP_EncryptUpdate(ctx, out3, &out3_len, in, in_len))) 465 goto err; 466 467 if (!TEST_mem_eq(out1, out1_len, out3, out3_len)) 468 goto err; 469 } 470 ret = 1; 471 err: 472 EVP_CIPHER_free(cipher); 473 EVP_CIPHER_CTX_free(ctx); 474 return ret; 475 } 476 477 478 static int name_cmp(const char * const *a, const char * const *b) 479 { 480 return OPENSSL_strcasecmp(*a, *b); 481 } 482 483 static void collect_cipher_names(EVP_CIPHER *cipher, void *cipher_names_list) 484 { 485 STACK_OF(OPENSSL_STRING) *names = cipher_names_list; 486 const char *name = EVP_CIPHER_get0_name(cipher); 487 char *namedup = NULL; 488 489 assert(name != NULL); 490 /* the cipher will be freed after returning, strdup is needed */ 491 if ((namedup = OPENSSL_strdup(name)) != NULL 492 && !sk_OPENSSL_STRING_push(names, namedup)) 493 OPENSSL_free(namedup); 494 } 495 496 static int rsa_keygen(int bits, EVP_PKEY **pub, EVP_PKEY **priv) 497 { 498 int ret = 0; 499 unsigned char *pub_der = NULL; 500 const unsigned char *pp = NULL; 501 size_t len = 0; 502 OSSL_ENCODER_CTX *ectx = NULL; 503 504 if (!TEST_ptr(*priv = EVP_PKEY_Q_keygen(libctx, NULL, "RSA", (size_t)bits)) 505 || !TEST_ptr(ectx = 506 OSSL_ENCODER_CTX_new_for_pkey(*priv, 507 EVP_PKEY_PUBLIC_KEY, 508 "DER", "type-specific", 509 NULL)) 510 || !TEST_true(OSSL_ENCODER_to_data(ectx, &pub_der, &len))) 511 goto err; 512 pp = pub_der; 513 if (!TEST_ptr(d2i_PublicKey(EVP_PKEY_RSA, pub, &pp, len))) 514 goto err; 515 ret = 1; 516 err: 517 OSSL_ENCODER_CTX_free(ectx); 518 OPENSSL_free(pub_der); 519 return ret; 520 } 521 522 static int kem_rsa_gen_recover(void) 523 { 524 int ret = 0; 525 EVP_PKEY *pub = NULL; 526 EVP_PKEY *priv = NULL; 527 EVP_PKEY_CTX *sctx = NULL, *rctx = NULL, *dctx = NULL; 528 unsigned char secret[256] = { 0, }; 529 unsigned char ct[256] = { 0, }; 530 unsigned char unwrap[256] = { 0, }; 531 size_t ctlen = 0, unwraplen = 0, secretlen = 0; 532 int bits = 2048; 533 534 ret = TEST_true(rsa_keygen(bits, &pub, &priv)) 535 && TEST_ptr(sctx = EVP_PKEY_CTX_new_from_pkey(libctx, pub, NULL)) 536 && TEST_int_eq(EVP_PKEY_encapsulate_init(sctx, NULL), 1) 537 && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(sctx, "RSASVE"), 1) 538 && TEST_ptr(dctx = EVP_PKEY_CTX_dup(sctx)) 539 /* Test that providing a NULL wrappedlen fails */ 540 && TEST_int_eq(EVP_PKEY_encapsulate(dctx, NULL, NULL, NULL, NULL), 0) 541 && TEST_int_eq(EVP_PKEY_encapsulate(dctx, NULL, &ctlen, NULL, 542 &secretlen), 1) 543 && TEST_int_eq(ctlen, secretlen) 544 && TEST_int_eq(ctlen, bits / 8) 545 && TEST_int_eq(EVP_PKEY_encapsulate(dctx, ct, &ctlen, secret, 546 &secretlen), 1) 547 && TEST_ptr(rctx = EVP_PKEY_CTX_new_from_pkey(libctx, priv, NULL)) 548 && TEST_int_eq(EVP_PKEY_decapsulate_init(rctx, NULL), 1) 549 && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(rctx, "RSASVE"), 1) 550 /* Test that providing a NULL unwrappedlen fails */ 551 && TEST_int_eq(EVP_PKEY_decapsulate(rctx, NULL, NULL, ct, ctlen), 0) 552 && TEST_int_eq(EVP_PKEY_decapsulate(rctx, NULL, &unwraplen, 553 ct, ctlen), 1) 554 && TEST_int_eq(EVP_PKEY_decapsulate(rctx, unwrap, &unwraplen, 555 ct, ctlen), 1) 556 && TEST_mem_eq(unwrap, unwraplen, secret, secretlen); 557 558 /* Test that providing a too short unwrapped/ctlen fails */ 559 if (fips_provider_version_match(libctx, ">=3.4.0")) { 560 ctlen = 1; 561 if (!TEST_int_eq(EVP_PKEY_encapsulate(dctx, ct, &ctlen, secret, 562 &secretlen), 0)) 563 ret = 0; 564 unwraplen = 1; 565 if (!TEST_int_eq(EVP_PKEY_decapsulate(rctx, unwrap, &unwraplen, ct, 566 ctlen), 0)) 567 ret = 0; 568 } 569 570 EVP_PKEY_free(pub); 571 EVP_PKEY_free(priv); 572 EVP_PKEY_CTX_free(rctx); 573 EVP_PKEY_CTX_free(dctx); 574 EVP_PKEY_CTX_free(sctx); 575 return ret; 576 } 577 578 #ifndef OPENSSL_NO_DES 579 /* 580 * This test makes sure that EVP_CIPHER_CTX_rand_key() works correctly 581 * For fips mode this code would produce an error if the flag is not set. 582 */ 583 static int test_cipher_tdes_randkey(void) 584 { 585 int ret; 586 EVP_CIPHER_CTX *ctx = NULL; 587 EVP_CIPHER *tdes_cipher = NULL, *aes_cipher = NULL; 588 unsigned char key[24] = { 0 }; 589 590 ret = TEST_ptr(aes_cipher = EVP_CIPHER_fetch(libctx, "AES-256-CBC", NULL)) 591 && TEST_int_eq(EVP_CIPHER_get_flags(aes_cipher) & EVP_CIPH_RAND_KEY, 0) 592 && TEST_ptr(tdes_cipher = EVP_CIPHER_fetch(libctx, "DES-EDE3-CBC", NULL)) 593 && TEST_int_ne(EVP_CIPHER_get_flags(tdes_cipher) & EVP_CIPH_RAND_KEY, 0) 594 && TEST_ptr(ctx = EVP_CIPHER_CTX_new()) 595 && TEST_true(EVP_CipherInit_ex(ctx, tdes_cipher, NULL, NULL, NULL, 1)) 596 && TEST_int_gt(EVP_CIPHER_CTX_rand_key(ctx, key), 0); 597 598 EVP_CIPHER_CTX_free(ctx); 599 EVP_CIPHER_free(tdes_cipher); 600 EVP_CIPHER_free(aes_cipher); 601 return ret; 602 } 603 #endif /* OPENSSL_NO_DES */ 604 605 static int kem_rsa_params(void) 606 { 607 int ret = 0; 608 EVP_PKEY *pub = NULL; 609 EVP_PKEY *priv = NULL; 610 EVP_PKEY_CTX *pubctx = NULL, *privctx = NULL; 611 unsigned char secret[256] = { 0, }; 612 unsigned char ct[256] = { 0, }; 613 size_t ctlen = 0, secretlen = 0; 614 615 ret = TEST_true(rsa_keygen(2048, &pub, &priv)) 616 && TEST_ptr(pubctx = EVP_PKEY_CTX_new_from_pkey(libctx, pub, NULL)) 617 && TEST_ptr(privctx = EVP_PKEY_CTX_new_from_pkey(libctx, priv, NULL)) 618 /* Test setting kem op before the init fails */ 619 && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(pubctx, "RSASVE"), -2) 620 /* Test NULL ctx passed */ 621 && TEST_int_eq(EVP_PKEY_encapsulate_init(NULL, NULL), 0) 622 && TEST_int_eq(EVP_PKEY_encapsulate(NULL, NULL, NULL, NULL, NULL), 0) 623 && TEST_int_eq(EVP_PKEY_decapsulate_init(NULL, NULL), 0) 624 && TEST_int_eq(EVP_PKEY_decapsulate(NULL, NULL, NULL, NULL, 0), 0) 625 /* Test Invalid operation */ 626 && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, NULL, NULL, NULL), -1) 627 && TEST_int_eq(EVP_PKEY_decapsulate(privctx, NULL, NULL, NULL, 0), 0) 628 /* Wrong key component - no secret should be returned on failure */ 629 && TEST_int_eq(EVP_PKEY_decapsulate_init(pubctx, NULL), 1) 630 && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(pubctx, "RSASVE"), 1) 631 && TEST_int_eq(EVP_PKEY_decapsulate(pubctx, secret, &secretlen, ct, 632 sizeof(ct)), 0) 633 && TEST_uchar_eq(secret[0], 0) 634 /* Test encapsulate fails if the mode is not set */ 635 && TEST_int_eq(EVP_PKEY_encapsulate_init(pubctx, NULL), 1) 636 && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, ct, &ctlen, secret, &secretlen), -2) 637 /* Test setting a bad kem ops fail */ 638 && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(pubctx, "RSA"), 0) 639 && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(pubctx, NULL), 0) 640 && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(NULL, "RSASVE"), 0) 641 && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(NULL, NULL), 0) 642 /* Test secretlen is optional */ 643 && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(pubctx, "RSASVE"), 1) 644 && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, &ctlen, NULL, NULL), 1) 645 && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, ct, &ctlen, secret, NULL), 1) 646 && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, &ctlen, NULL, NULL), 1) 647 /* Test outlen is optional */ 648 && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, NULL, NULL, &secretlen), 1) 649 && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, ct, NULL, secret, &secretlen), 1) 650 /* test that either len must be set if out is NULL */ 651 && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, NULL, NULL, NULL), 0) 652 && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, &ctlen, NULL, NULL), 1) 653 && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, NULL, NULL, &secretlen), 1) 654 && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, &ctlen, NULL, &secretlen), 1) 655 /* Secret buffer should be set if there is an output buffer */ 656 && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, ct, &ctlen, NULL, NULL), 0) 657 /* Test that lengths are optional if ct is not NULL */ 658 && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, ct, NULL, secret, NULL), 1) 659 /* Pass if secret or secret length are not NULL */ 660 && TEST_int_eq(EVP_PKEY_decapsulate_init(privctx, NULL), 1) 661 && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(privctx, "RSASVE"), 1) 662 && TEST_int_eq(EVP_PKEY_decapsulate(privctx, secret, NULL, ct, sizeof(ct)), 1) 663 && TEST_int_eq(EVP_PKEY_decapsulate(privctx, NULL, &secretlen, ct, sizeof(ct)), 1) 664 && TEST_int_eq(secretlen, 256) 665 /* Fail if passed NULL arguments */ 666 && TEST_int_eq(EVP_PKEY_decapsulate(privctx, NULL, NULL, ct, sizeof(ct)), 0) 667 && TEST_int_eq(EVP_PKEY_decapsulate(privctx, secret, &secretlen, NULL, 0), 0) 668 && TEST_int_eq(EVP_PKEY_decapsulate(privctx, secret, &secretlen, NULL, sizeof(ct)), 0) 669 && TEST_int_eq(EVP_PKEY_decapsulate(privctx, secret, &secretlen, ct, 0), 0); 670 671 EVP_PKEY_free(pub); 672 EVP_PKEY_free(priv); 673 EVP_PKEY_CTX_free(pubctx); 674 EVP_PKEY_CTX_free(privctx); 675 return ret; 676 } 677 678 #ifndef OPENSSL_NO_DH 679 static EVP_PKEY *gen_dh_key(void) 680 { 681 EVP_PKEY_CTX *gctx = NULL; 682 EVP_PKEY *pkey = NULL; 683 OSSL_PARAM params[2]; 684 685 params[0] = OSSL_PARAM_construct_utf8_string("group", "ffdhe2048", 0); 686 params[1] = OSSL_PARAM_construct_end(); 687 688 if (!TEST_ptr(gctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL)) 689 || !TEST_int_gt(EVP_PKEY_keygen_init(gctx), 0) 690 || !TEST_true(EVP_PKEY_CTX_set_params(gctx, params)) 691 || !TEST_true(EVP_PKEY_keygen(gctx, &pkey))) 692 goto err; 693 err: 694 EVP_PKEY_CTX_free(gctx); 695 return pkey; 696 } 697 698 /* Fail if we try to use a dh key */ 699 static int kem_invalid_keytype(void) 700 { 701 int ret = 0; 702 EVP_PKEY *key = NULL; 703 EVP_PKEY_CTX *sctx = NULL; 704 705 if (!TEST_ptr(key = gen_dh_key())) 706 goto done; 707 708 if (!TEST_ptr(sctx = EVP_PKEY_CTX_new_from_pkey(libctx, key, NULL))) 709 goto done; 710 if (!TEST_int_eq(EVP_PKEY_encapsulate_init(sctx, NULL), -2)) 711 goto done; 712 713 ret = 1; 714 done: 715 EVP_PKEY_free(key); 716 EVP_PKEY_CTX_free(sctx); 717 return ret; 718 } 719 #endif /* OPENSSL_NO_DH */ 720 721 int setup_tests(void) 722 { 723 const char *prov_name = "default"; 724 char *config_file = NULL; 725 OPTION_CHOICE o; 726 727 while ((o = opt_next()) != OPT_EOF) { 728 switch (o) { 729 case OPT_PROVIDER_NAME: 730 prov_name = opt_arg(); 731 break; 732 case OPT_CONFIG_FILE: 733 config_file = opt_arg(); 734 break; 735 case OPT_TEST_CASES: 736 break; 737 default: 738 case OPT_ERR: 739 return 0; 740 } 741 } 742 743 if (!test_get_libctx(&libctx, &nullprov, config_file, &libprov, prov_name)) 744 return 0; 745 746 #if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DH) 747 ADD_ALL_TESTS(test_dsa_param_keygen, 3 * 3 * 3); 748 #endif 749 #ifndef OPENSSL_NO_DH 750 ADD_ALL_TESTS(test_dh_safeprime_param_keygen, 3 * 3 * 3); 751 ADD_TEST(dhx_cert_load); 752 #endif 753 754 if (!TEST_ptr(cipher_names = sk_OPENSSL_STRING_new(name_cmp))) 755 return 0; 756 EVP_CIPHER_do_all_provided(libctx, collect_cipher_names, cipher_names); 757 758 ADD_ALL_TESTS(test_cipher_reinit, sk_OPENSSL_STRING_num(cipher_names)); 759 ADD_ALL_TESTS(test_cipher_reinit_partialupdate, 760 sk_OPENSSL_STRING_num(cipher_names)); 761 ADD_TEST(kem_rsa_gen_recover); 762 ADD_TEST(kem_rsa_params); 763 #ifndef OPENSSL_NO_DH 764 ADD_TEST(kem_invalid_keytype); 765 #endif 766 #ifndef OPENSSL_NO_DES 767 ADD_TEST(test_cipher_tdes_randkey); 768 #endif 769 return 1; 770 } 771 772 /* Because OPENSSL_free is a macro, it can't be passed as a function pointer */ 773 static void string_free(char *m) 774 { 775 OPENSSL_free(m); 776 } 777 778 void cleanup_tests(void) 779 { 780 sk_OPENSSL_STRING_pop_free(cipher_names, string_free); 781 OSSL_PROVIDER_unload(libprov); 782 OSSL_LIB_CTX_free(libctx); 783 OSSL_PROVIDER_unload(nullprov); 784 } 785