2 * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 * These tests are setup to load null into the default library context.
13 * Any tests are expected to use the created 'libctx' to find algorithms.
14 * The framework runs the tests twice using the 'default' provider or
15 * 'fips' provider as inputs.
19 * DSA/DH low level APIs are deprecated for public use, but still ok for
22 #include "internal/deprecated.h"
24 #include <openssl/evp.h>
25 #include <openssl/provider.h>
26 #include <openssl/dsa.h>
27 #include <openssl/dh.h>
28 #include <openssl/safestack.h>
29 #include <openssl/core_dispatch.h>
30 #include <openssl/core_names.h>
31 #include <openssl/x509.h>
32 #include <openssl/encoder.h>
34 #include "internal/nelem.h"
35 #include "crypto/bn_dh.h" /* _bignum_ffdhe2048_p */
36 #include "../e_os.h" /* strcasecmp */
38 static OSSL_LIB_CTX *libctx = NULL;
39 static OSSL_PROVIDER *nullprov = NULL;
40 static OSSL_PROVIDER *libprov = NULL;
41 static STACK_OF(OPENSSL_STRING) *cipher_names = NULL;
43 typedef enum OPTION_choice {
51 const OPTIONS *test_get_options(void)
53 static const OPTIONS test_options[] = {
54 OPT_TEST_OPTIONS_DEFAULT_USAGE,
55 { "config", OPT_CONFIG_FILE, '<',
56 "The configuration file to use for the libctx" },
57 { "provider", OPT_PROVIDER_NAME, 's',
58 "The provider to load (The default value is 'default')" },
65 static const char *getname(int id)
67 const char *name[] = {"p", "q", "g" };
69 if (id >= 0 && id < 3)
76 * We're using some DH specific values in this test, so we skip compilation if
77 * we're in a no-dh build.
79 #if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DH)
81 static int test_dsa_param_keygen(int tstid)
85 EVP_PKEY_CTX *gen_ctx = NULL;
86 EVP_PKEY *pkey_parm = NULL;
87 EVP_PKEY *pkey = NULL, *dup_pk = NULL;
90 BIGNUM *p = NULL, *q = NULL, *g = NULL;
93 * Just grab some fixed dh p, q, g values for testing,
94 * these 'safe primes' should not be used normally for dsa *.
96 static const BIGNUM *bn[] = {
97 &ossl_bignum_dh2048_256_p, &ossl_bignum_dh2048_256_q,
98 &ossl_bignum_dh2048_256_g
102 * These tests are using bad values for p, q, g by reusing the values.
103 * A value of 0 uses p, 1 uses q and 2 uses g.
104 * There are 27 different combinations, with only the 1 valid combination.
107 qind = (tstid / 3) % 3;
109 expected = (pind == 0 && qind == 1 && gind == 2);
111 TEST_note("Testing with (p, q, g) = (%s, %s, %s)\n", getname(pind),
112 getname(qind), getname(gind));
114 if (!TEST_ptr(pkey_parm = EVP_PKEY_new())
115 || !TEST_ptr(dsa = DSA_new())
116 || !TEST_ptr(p = BN_dup(bn[pind]))
117 || !TEST_ptr(q = BN_dup(bn[qind]))
118 || !TEST_ptr(g = BN_dup(bn[gind]))
119 || !TEST_true(DSA_set0_pqg(dsa, p, q, g)))
123 if (!TEST_true(EVP_PKEY_assign_DSA(pkey_parm, dsa)))
127 if (!TEST_ptr(gen_ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey_parm, NULL))
128 || !TEST_int_gt(EVP_PKEY_keygen_init(gen_ctx), 0)
129 || !TEST_int_eq(EVP_PKEY_keygen(gen_ctx, &pkey), expected))
133 if (!TEST_ptr(dup_pk = EVP_PKEY_dup(pkey))
134 || !TEST_int_eq(EVP_PKEY_eq(pkey, dup_pk), 1))
141 EVP_PKEY_free(dup_pk);
142 EVP_PKEY_CTX_free(gen_ctx);
143 EVP_PKEY_free(pkey_parm);
150 #endif /* OPENSSL_NO_DSA */
152 #ifndef OPENSSL_NO_DH
153 static int do_dh_param_keygen(int tstid, const BIGNUM **bn)
157 EVP_PKEY_CTX *gen_ctx = NULL;
158 EVP_PKEY *pkey_parm = NULL;
159 EVP_PKEY *pkey = NULL, *dup_pk = NULL;
161 int pind, qind, gind;
162 BIGNUM *p = NULL, *q = NULL, *g = NULL;
165 * These tests are using bad values for p, q, g by reusing the values.
166 * A value of 0 uses p, 1 uses q and 2 uses g.
167 * There are 27 different combinations, with only the 1 valid combination.
170 qind = (tstid / 3) % 3;
172 expected = (pind == 0 && qind == 1 && gind == 2);
174 TEST_note("Testing with (p, q, g) = (%s, %s, %s)", getname(pind),
175 getname(qind), getname(gind));
177 if (!TEST_ptr(pkey_parm = EVP_PKEY_new())
178 || !TEST_ptr(dh = DH_new())
179 || !TEST_ptr(p = BN_dup(bn[pind]))
180 || !TEST_ptr(q = BN_dup(bn[qind]))
181 || !TEST_ptr(g = BN_dup(bn[gind]))
182 || !TEST_true(DH_set0_pqg(dh, p, q, g)))
186 if (!TEST_true(EVP_PKEY_assign_DH(pkey_parm, dh)))
190 if (!TEST_ptr(gen_ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey_parm, NULL))
191 || !TEST_int_gt(EVP_PKEY_keygen_init(gen_ctx), 0)
192 || !TEST_int_eq(EVP_PKEY_keygen(gen_ctx, &pkey), expected))
196 if (!TEST_ptr(dup_pk = EVP_PKEY_dup(pkey))
197 || !TEST_int_eq(EVP_PKEY_eq(pkey, dup_pk), 1))
204 EVP_PKEY_free(dup_pk);
205 EVP_PKEY_CTX_free(gen_ctx);
206 EVP_PKEY_free(pkey_parm);
215 * Note that we get the fips186-4 path being run for most of these cases since
216 * the internal code will detect that the p, q, g does not match a safe prime
217 * group (Except for when tstid = 5, which sets the correct p, q, g)
219 static int test_dh_safeprime_param_keygen(int tstid)
221 static const BIGNUM *bn[] = {
222 &ossl_bignum_ffdhe2048_p, &ossl_bignum_ffdhe2048_q,
225 return do_dh_param_keygen(tstid, bn);
228 static int dhx_cert_load(void)
234 static const unsigned char dhx_cert[] = {
235 0x30,0x82,0x03,0xff,0x30,0x82,0x02,0xe7,0xa0,0x03,0x02,0x01,0x02,0x02,0x09,0x00,
236 0xdb,0xf5,0x4d,0x22,0xa0,0x7a,0x67,0xa6,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,
237 0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x30,0x44,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,
238 0x04,0x06,0x13,0x02,0x55,0x4b,0x31,0x16,0x30,0x14,0x06,0x03,0x55,0x04,0x0a,0x0c,
239 0x0d,0x4f,0x70,0x65,0x6e,0x53,0x53,0x4c,0x20,0x47,0x72,0x6f,0x75,0x70,0x31,0x1d,
240 0x30,0x1b,0x06,0x03,0x55,0x04,0x03,0x0c,0x14,0x54,0x65,0x73,0x74,0x20,0x53,0x2f,
241 0x4d,0x49,0x4d,0x45,0x20,0x52,0x53,0x41,0x20,0x52,0x6f,0x6f,0x74,0x30,0x1e,0x17,
242 0x0d,0x31,0x33,0x30,0x38,0x30,0x32,0x31,0x34,0x34,0x39,0x32,0x39,0x5a,0x17,0x0d,
243 0x32,0x33,0x30,0x36,0x31,0x31,0x31,0x34,0x34,0x39,0x32,0x39,0x5a,0x30,0x44,0x31,
244 0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x4b,0x31,0x16,0x30,0x14,
245 0x06,0x03,0x55,0x04,0x0a,0x0c,0x0d,0x4f,0x70,0x65,0x6e,0x53,0x53,0x4c,0x20,0x47,
246 0x72,0x6f,0x75,0x70,0x31,0x1d,0x30,0x1b,0x06,0x03,0x55,0x04,0x03,0x0c,0x14,0x54,
247 0x65,0x73,0x74,0x20,0x53,0x2f,0x4d,0x49,0x4d,0x45,0x20,0x45,0x45,0x20,0x44,0x48,
248 0x20,0x23,0x31,0x30,0x82,0x01,0xb6,0x30,0x82,0x01,0x2b,0x06,0x07,0x2a,0x86,0x48,
249 0xce,0x3e,0x02,0x01,0x30,0x82,0x01,0x1e,0x02,0x81,0x81,0x00,0xd4,0x0c,0x4a,0x0c,
250 0x04,0x72,0x71,0x19,0xdf,0x59,0x19,0xc5,0xaf,0x44,0x7f,0xca,0x8e,0x2b,0xf0,0x09,
251 0xf5,0xd3,0x25,0xb1,0x73,0x16,0x55,0x89,0xdf,0xfd,0x07,0xaf,0x19,0xd3,0x7f,0xd0,
252 0x07,0xa2,0xfe,0x3f,0x5a,0xf1,0x01,0xc6,0xf8,0x2b,0xef,0x4e,0x6d,0x03,0x38,0x42,
253 0xa1,0x37,0xd4,0x14,0xb4,0x00,0x4a,0xb1,0x86,0x5a,0x83,0xce,0xb9,0x08,0x0e,0xc1,
254 0x99,0x27,0x47,0x8d,0x0b,0x85,0xa8,0x82,0xed,0xcc,0x0d,0xb9,0xb0,0x32,0x7e,0xdf,
255 0xe8,0xe4,0xf6,0xf6,0xec,0xb3,0xee,0x7a,0x11,0x34,0x65,0x97,0xfc,0x1a,0xb0,0x95,
256 0x4b,0x19,0xb9,0xa6,0x1c,0xd9,0x01,0x32,0xf7,0x35,0x7c,0x2d,0x5d,0xfe,0xc1,0x85,
257 0x70,0x49,0xf8,0xcc,0x99,0xd0,0xbe,0xf1,0x5a,0x78,0xc8,0x03,0x02,0x81,0x80,0x69,
258 0x00,0xfd,0x66,0xf2,0xfc,0x15,0x8b,0x09,0xb8,0xdc,0x4d,0xea,0xaa,0x79,0x55,0xf9,
259 0xdf,0x46,0xa6,0x2f,0xca,0x2d,0x8f,0x59,0x2a,0xad,0x44,0xa3,0xc6,0x18,0x2f,0x95,
260 0xb6,0x16,0x20,0xe3,0xd3,0xd1,0x8f,0x03,0xce,0x71,0x7c,0xef,0x3a,0xc7,0x44,0x39,
261 0x0e,0xe2,0x1f,0xd8,0xd3,0x89,0x2b,0xe7,0x51,0xdc,0x12,0x48,0x4c,0x18,0x4d,0x99,
262 0x12,0x06,0xe4,0x17,0x02,0x03,0x8c,0x24,0x05,0x8e,0xa6,0x85,0xf2,0x69,0x1b,0xe1,
263 0x6a,0xdc,0xe2,0x04,0x3a,0x01,0x9d,0x64,0xbe,0xfe,0x45,0xf9,0x44,0x18,0x71,0xbd,
264 0x2d,0x3e,0x7a,0x6f,0x72,0x7d,0x1a,0x80,0x42,0x57,0xae,0x18,0x6f,0x91,0xd6,0x61,
265 0x03,0x8a,0x1c,0x89,0x73,0xc7,0x56,0x41,0x03,0xd3,0xf8,0xed,0x65,0xe2,0x85,0x02,
266 0x15,0x00,0x89,0x94,0xab,0x10,0x67,0x45,0x41,0xad,0x63,0xc6,0x71,0x40,0x8d,0x6b,
267 0x9e,0x19,0x5b,0xa4,0xc7,0xf5,0x03,0x81,0x84,0x00,0x02,0x81,0x80,0x2f,0x5b,0xde,
268 0x72,0x02,0x36,0x6b,0x00,0x5e,0x24,0x7f,0x14,0x2c,0x18,0x52,0x42,0x97,0x4b,0xdb,
269 0x6e,0x15,0x50,0x3c,0x45,0x3e,0x25,0xf3,0xb7,0xc5,0x6e,0xe5,0x52,0xe7,0xc4,0xfb,
270 0xf4,0xa5,0xf0,0x39,0x12,0x7f,0xbc,0x54,0x1c,0x93,0xb9,0x5e,0xee,0xe9,0x14,0xb0,
271 0xdf,0xfe,0xfc,0x36,0xe4,0xf2,0xaf,0xfb,0x13,0xc8,0xdf,0x18,0x94,0x1d,0x40,0xb9,
272 0x71,0xdd,0x4c,0x9c,0xa7,0x03,0x52,0x02,0xb5,0xed,0x71,0x80,0x3e,0x23,0xda,0x28,
273 0xe5,0xab,0xe7,0x6f,0xf2,0x0a,0x0e,0x00,0x5b,0x7d,0xc6,0x4b,0xd7,0xc7,0xb2,0xc3,
274 0xba,0x62,0x7f,0x70,0x28,0xa0,0x9d,0x71,0x13,0x70,0xd1,0x9f,0x32,0x2f,0x3e,0xd2,
275 0xcd,0x1b,0xa4,0xc6,0x72,0xa0,0x74,0x5d,0x71,0xef,0x03,0x43,0x6e,0xa3,0x60,0x30,
276 0x5e,0x30,0x0c,0x06,0x03,0x55,0x1d,0x13,0x01,0x01,0xff,0x04,0x02,0x30,0x00,0x30,
277 0x0e,0x06,0x03,0x55,0x1d,0x0f,0x01,0x01,0xff,0x04,0x04,0x03,0x02,0x05,0xe0,0x30,
278 0x1d,0x06,0x03,0x55,0x1d,0x0e,0x04,0x16,0x04,0x14,0x0b,0x5a,0x4d,0x5f,0x7d,0x25,
279 0xc7,0xf2,0x9d,0xc1,0xaa,0xb7,0x63,0x82,0x2f,0xfa,0x8f,0x32,0xe7,0xc0,0x30,0x1f,
280 0x06,0x03,0x55,0x1d,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0xdf,0x7e,0x5e,0x88,0x05,
281 0x24,0x33,0x08,0xdd,0x22,0x81,0x02,0x97,0xcc,0x9a,0xb7,0xb1,0x33,0x27,0x30,0x30,
282 0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x03,0x82,
283 0x01,0x01,0x00,0x5a,0xf2,0x63,0xef,0xd3,0x16,0xd7,0xf5,0xaa,0xdd,0x12,0x00,0x36,
284 0x00,0x21,0xa2,0x7b,0x08,0xd6,0x3b,0x9f,0x62,0xac,0x53,0x1f,0xed,0x4c,0xd1,0x15,
285 0x34,0x65,0x71,0xee,0x96,0x07,0xa6,0xef,0xb2,0xde,0xd8,0xbb,0x35,0x6e,0x2c,0xe2,
286 0xd1,0x26,0xef,0x7e,0x94,0xe2,0x88,0x51,0xa4,0x6c,0xaa,0x27,0x2a,0xd3,0xb6,0xc2,
287 0xf7,0xea,0xc3,0x0b,0xa9,0xb5,0x28,0x37,0xa2,0x63,0x08,0xe4,0x88,0xc0,0x1b,0x16,
288 0x1b,0xca,0xfd,0x8a,0x07,0x32,0x29,0xa7,0x53,0xb5,0x2d,0x30,0xe4,0xf5,0x16,0xc3,
289 0xe3,0xc2,0x4c,0x30,0x5d,0x35,0x80,0x1c,0xa2,0xdb,0xe3,0x4b,0x51,0x0d,0x4c,0x60,
290 0x5f,0xb9,0x46,0xac,0xa8,0x46,0xa7,0x32,0xa7,0x9c,0x76,0xf8,0xe9,0xb5,0x19,0xe2,
291 0x0c,0xe1,0x0f,0xc6,0x46,0xe2,0x38,0xa7,0x87,0x72,0x6d,0x6c,0xbc,0x88,0x2f,0x9d,
292 0x2d,0xe5,0xd0,0x7d,0x1e,0xc7,0x5d,0xf8,0x7e,0xb4,0x0b,0xa6,0xf9,0x6c,0xe3,0x7c,
293 0xb2,0x70,0x6e,0x75,0x9b,0x1e,0x63,0xe1,0x4d,0xb2,0x81,0xd3,0x55,0x38,0x94,0x1a,
294 0x7a,0xfa,0xbf,0x01,0x18,0x70,0x2d,0x35,0xd3,0xe3,0x10,0x7a,0x9a,0xa7,0x8f,0xf3,
295 0xbd,0x56,0x55,0x5e,0xd8,0xbd,0x4e,0x16,0x76,0xd0,0x48,0x4c,0xf9,0x51,0x54,0xdf,
296 0x2d,0xb0,0xc9,0xaa,0x5e,0x42,0x38,0x50,0xbf,0x0f,0xc0,0xd9,0x84,0x44,0x4b,0x42,
297 0x24,0xec,0x14,0xa3,0xde,0x11,0xdf,0x58,0x7f,0xc2,0x4d,0xb2,0xd5,0x42,0x78,0x6e,
298 0x52,0x3e,0xad,0xc3,0x5f,0x04,0xc4,0xe6,0x31,0xaa,0x81,0x06,0x8b,0x13,0x4b,0x3c,
302 if (!TEST_ptr(bio = BIO_new_mem_buf(dhx_cert, sizeof(dhx_cert)))
303 || !TEST_ptr(cert = X509_new_ex(libctx, NULL))
304 || !TEST_ptr(d2i_X509_bio(bio, &cert)))
313 #endif /* OPENSSL_NO_DH */
315 static int test_cipher_reinit(int test_id)
317 int ret = 0, diff, ccm, siv, no_null_key;
318 int out1_len = 0, out2_len = 0, out3_len = 0;
319 EVP_CIPHER *cipher = NULL;
320 EVP_CIPHER_CTX *ctx = NULL;
321 unsigned char out1[256];
322 unsigned char out2[256];
323 unsigned char out3[256];
324 unsigned char in[16] = {
325 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
326 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10
328 unsigned char key[64] = {
329 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
330 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
331 0x01, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
332 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
333 0x02, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
334 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
335 0x03, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
336 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
338 unsigned char iv[16] = {
339 0x0f, 0x0e, 0x0d, 0x0c, 0x0b, 0x0a, 0x09, 0x08,
340 0x07, 0x06, 0x05, 0x04, 0x03, 0x02, 0x01, 0x00
342 const char *name = sk_OPENSSL_STRING_value(cipher_names, test_id);
344 if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new()))
347 TEST_note("Fetching %s\n", name);
348 if (!TEST_ptr(cipher = EVP_CIPHER_fetch(libctx, name, NULL)))
351 /* ccm fails on the second update - this matches OpenSSL 1_1_1 behaviour */
352 ccm = (EVP_CIPHER_get_mode(cipher) == EVP_CIPH_CCM_MODE);
354 /* siv cannot be called with NULL key as the iv is irrelevant */
355 siv = (EVP_CIPHER_get_mode(cipher) == EVP_CIPH_SIV_MODE);
358 * Skip init call with a null key for RC4 as the stream cipher does not
359 * handle reinit (1.1.1 behaviour).
361 no_null_key = EVP_CIPHER_is_a(cipher, "RC4")
362 || EVP_CIPHER_is_a(cipher, "RC4-40")
363 || EVP_CIPHER_is_a(cipher, "RC4-HMAC-MD5");
365 /* DES3-WRAP uses random every update - so it will give a different value */
366 diff = EVP_CIPHER_is_a(cipher, "DES3-WRAP");
368 if (!TEST_true(EVP_EncryptInit_ex(ctx, cipher, NULL, key, iv))
369 || !TEST_true(EVP_EncryptUpdate(ctx, out1, &out1_len, in, sizeof(in)))
370 || !TEST_true(EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv))
371 || !TEST_int_eq(EVP_EncryptUpdate(ctx, out2, &out2_len, in, sizeof(in)),
374 && (!TEST_true(EVP_EncryptInit_ex(ctx, NULL, NULL, NULL, iv))
375 || !TEST_int_eq(EVP_EncryptUpdate(ctx, out3, &out3_len, in, sizeof(in)),
376 ccm || siv ? 0 : 1))))
381 if (!TEST_mem_ne(out1, out1_len, out2, out2_len)
382 || !TEST_mem_ne(out1, out1_len, out3, out3_len)
383 || !TEST_mem_ne(out2, out2_len, out3, out3_len))
386 if (!TEST_mem_eq(out1, out1_len, out2, out2_len)
387 || (!siv && !no_null_key && !TEST_mem_eq(out1, out1_len, out3, out3_len)))
393 EVP_CIPHER_free(cipher);
394 EVP_CIPHER_CTX_free(ctx);
399 * This test only uses a partial block (half the block size) of input for each
400 * EVP_EncryptUpdate() in order to test that the second init/update is not using
401 * a leftover buffer from the first init/update.
402 * Note: some ciphers don't need a full block to produce output.
404 static int test_cipher_reinit_partialupdate(int test_id)
407 int out1_len = 0, out2_len = 0, out3_len = 0;
408 EVP_CIPHER *cipher = NULL;
409 EVP_CIPHER_CTX *ctx = NULL;
410 unsigned char out1[256];
411 unsigned char out2[256];
412 unsigned char out3[256];
413 static const unsigned char in[32] = {
414 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
415 0xba, 0xbe, 0xba, 0xbe, 0x00, 0x00, 0xba, 0xbe,
416 0x01, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
417 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
419 static const unsigned char key[64] = {
420 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
421 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
422 0x01, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
423 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
424 0x02, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
425 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
426 0x03, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
427 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
429 static const unsigned char iv[16] = {
430 0x0f, 0x0e, 0x0d, 0x0c, 0x0b, 0x0a, 0x09, 0x08,
431 0x07, 0x06, 0x05, 0x04, 0x03, 0x02, 0x01, 0x00
433 const char *name = sk_OPENSSL_STRING_value(cipher_names, test_id);
435 if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new()))
438 TEST_note("Fetching %s\n", name);
439 if (!TEST_ptr(cipher = EVP_CIPHER_fetch(libctx, name, NULL)))
442 in_len = EVP_CIPHER_get_block_size(cipher) / 2;
444 /* skip any ciphers that don't allow partial updates */
445 if (((EVP_CIPHER_get_flags(cipher)
446 & (EVP_CIPH_FLAG_CTS | EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK)) != 0)
447 || EVP_CIPHER_get_mode(cipher) == EVP_CIPH_CCM_MODE
448 || EVP_CIPHER_get_mode(cipher) == EVP_CIPH_XTS_MODE
449 || EVP_CIPHER_get_mode(cipher) == EVP_CIPH_WRAP_MODE) {
454 if (!TEST_true(EVP_EncryptInit_ex(ctx, cipher, NULL, key, iv))
455 || !TEST_true(EVP_EncryptUpdate(ctx, out1, &out1_len, in, in_len))
456 || !TEST_true(EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv))
457 || !TEST_true(EVP_EncryptUpdate(ctx, out2, &out2_len, in, in_len)))
460 if (!TEST_mem_eq(out1, out1_len, out2, out2_len))
463 if (EVP_CIPHER_get_mode(cipher) != EVP_CIPH_SIV_MODE) {
464 if (!TEST_true(EVP_EncryptInit_ex(ctx, NULL, NULL, NULL, iv))
465 || !TEST_true(EVP_EncryptUpdate(ctx, out3, &out3_len, in, in_len)))
468 if (!TEST_mem_eq(out1, out1_len, out3, out3_len))
473 EVP_CIPHER_free(cipher);
474 EVP_CIPHER_CTX_free(ctx);
479 static int name_cmp(const char * const *a, const char * const *b)
481 return strcasecmp(*a, *b);
484 static void collect_cipher_names(EVP_CIPHER *cipher, void *cipher_names_list)
486 STACK_OF(OPENSSL_STRING) *names = cipher_names_list;
487 const char *name = EVP_CIPHER_get0_name(cipher);
488 char *namedup = NULL;
490 assert(name != NULL);
491 /* the cipher will be freed after returning, strdup is needed */
492 if ((namedup = OPENSSL_strdup(name)) != NULL
493 && !sk_OPENSSL_STRING_push(names, namedup))
494 OPENSSL_free(namedup);
497 static int rsa_keygen(int bits, EVP_PKEY **pub, EVP_PKEY **priv)
500 unsigned char *pub_der = NULL;
501 const unsigned char *pp = NULL;
503 OSSL_ENCODER_CTX *ectx = NULL;
505 if (!TEST_ptr(*priv = EVP_PKEY_Q_keygen(libctx, NULL, "RSA", bits))
507 OSSL_ENCODER_CTX_new_for_pkey(*priv,
509 "DER", "type-specific",
511 || !TEST_true(OSSL_ENCODER_to_data(ectx, &pub_der, &len)))
514 if (!TEST_ptr(d2i_PublicKey(EVP_PKEY_RSA, pub, &pp, len)))
518 OSSL_ENCODER_CTX_free(ectx);
519 OPENSSL_free(pub_der);
523 static int kem_rsa_gen_recover(void)
526 EVP_PKEY *pub = NULL;
527 EVP_PKEY *priv = NULL;
528 EVP_PKEY_CTX *sctx = NULL, *rctx = NULL;
529 unsigned char secret[256] = { 0, };
530 unsigned char ct[256] = { 0, };
531 unsigned char unwrap[256] = { 0, };
532 size_t ctlen = 0, unwraplen = 0, secretlen = 0;
535 ret = TEST_true(rsa_keygen(bits, &pub, &priv))
536 && TEST_ptr(sctx = EVP_PKEY_CTX_new_from_pkey(libctx, pub, NULL))
537 && TEST_int_eq(EVP_PKEY_encapsulate_init(sctx, NULL), 1)
538 && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(sctx, "RSASVE"), 1)
539 && TEST_int_eq(EVP_PKEY_encapsulate(sctx, NULL, &ctlen, NULL,
541 && TEST_int_eq(ctlen, secretlen)
542 && TEST_int_eq(ctlen, bits / 8)
543 && TEST_int_eq(EVP_PKEY_encapsulate(sctx, ct, &ctlen, secret,
545 && TEST_ptr(rctx = EVP_PKEY_CTX_new_from_pkey(libctx, priv, NULL))
546 && TEST_int_eq(EVP_PKEY_decapsulate_init(rctx, NULL), 1)
547 && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(rctx, "RSASVE"), 1)
548 && TEST_int_eq(EVP_PKEY_decapsulate(rctx, NULL, &unwraplen,
550 && TEST_int_eq(EVP_PKEY_decapsulate(rctx, unwrap, &unwraplen,
552 && TEST_mem_eq(unwrap, unwraplen, secret, secretlen);
555 EVP_PKEY_CTX_free(rctx);
556 EVP_PKEY_CTX_free(sctx);
560 static int kem_rsa_params(void)
563 EVP_PKEY *pub = NULL;
564 EVP_PKEY *priv = NULL;
565 EVP_PKEY_CTX *pubctx = NULL, *privctx = NULL;
566 unsigned char secret[256] = { 0, };
567 unsigned char ct[256] = { 0, };
568 size_t ctlen = 0, secretlen = 0;
570 ret = TEST_true(rsa_keygen(2048, &pub, &priv))
571 && TEST_ptr(pubctx = EVP_PKEY_CTX_new_from_pkey(libctx, pub, NULL))
572 && TEST_ptr(privctx = EVP_PKEY_CTX_new_from_pkey(libctx, priv, NULL))
573 /* Test setting kem op before the init fails */
574 && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(pubctx, "RSASVE"), -2)
575 /* Test NULL ctx passed */
576 && TEST_int_eq(EVP_PKEY_encapsulate_init(NULL, NULL), 0)
577 && TEST_int_eq(EVP_PKEY_encapsulate(NULL, NULL, NULL, NULL, NULL), 0)
578 && TEST_int_eq(EVP_PKEY_decapsulate_init(NULL, NULL), 0)
579 && TEST_int_eq(EVP_PKEY_decapsulate(NULL, NULL, NULL, NULL, 0), 0)
580 /* Test Invalid operation */
581 && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, NULL, NULL, NULL), -1)
582 && TEST_int_eq(EVP_PKEY_decapsulate(privctx, NULL, NULL, NULL, 0), 0)
583 /* Wrong key component - no secret should be returned on failure */
584 && TEST_int_eq(EVP_PKEY_decapsulate_init(pubctx, NULL), 1)
585 && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(pubctx, "RSASVE"), 1)
586 && TEST_int_eq(EVP_PKEY_decapsulate(pubctx, secret, &secretlen, ct,
588 && TEST_uchar_eq(secret[0], 0)
589 /* Test encapsulate fails if the mode is not set */
590 && TEST_int_eq(EVP_PKEY_encapsulate_init(pubctx, NULL), 1)
591 && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, ct, &ctlen, secret, &secretlen), -2)
592 /* Test setting a bad kem ops fail */
593 && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(pubctx, "RSA"), 0)
594 && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(pubctx, NULL), 0)
595 && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(NULL, "RSASVE"), 0)
596 && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(NULL, NULL), 0)
597 /* Test secretlen is optional */
598 && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(pubctx, "RSASVE"), 1)
599 && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, ct, &ctlen, secret, NULL), 1)
600 && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, &ctlen, NULL, NULL), 1)
601 /* Test outlen is optional */
602 && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, NULL, NULL, &secretlen), 1)
603 && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, ct, NULL, secret, &secretlen), 1)
604 /* test that either len must be set if out is NULL */
605 && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, NULL, NULL, NULL), 0)
606 && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, &ctlen, NULL, NULL), 1)
607 && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, NULL, NULL, &secretlen), 1)
608 && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, &ctlen, NULL, &secretlen), 1)
609 /* Secret buffer should be set if there is an output buffer */
610 && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, ct, &ctlen, NULL, NULL), 0)
611 /* Test that lengths are optional if ct is not NULL */
612 && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, ct, NULL, secret, NULL), 1)
613 /* Pass if secret or secret length are not NULL */
614 && TEST_int_eq(EVP_PKEY_decapsulate_init(privctx, NULL), 1)
615 && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(privctx, "RSASVE"), 1)
616 && TEST_int_eq(EVP_PKEY_decapsulate(privctx, secret, NULL, ct, sizeof(ct)), 1)
617 && TEST_int_eq(EVP_PKEY_decapsulate(privctx, NULL, &secretlen, ct, sizeof(ct)), 1)
618 && TEST_int_eq(secretlen, 256)
619 /* Fail if passed NULL arguments */
620 && TEST_int_eq(EVP_PKEY_decapsulate(privctx, NULL, NULL, ct, sizeof(ct)), 0)
621 && TEST_int_eq(EVP_PKEY_decapsulate(privctx, secret, &secretlen, NULL, 0), 0)
622 && TEST_int_eq(EVP_PKEY_decapsulate(privctx, secret, &secretlen, NULL, sizeof(ct)), 0)
623 && TEST_int_eq(EVP_PKEY_decapsulate(privctx, secret, &secretlen, ct, 0), 0);
627 EVP_PKEY_CTX_free(pubctx);
628 EVP_PKEY_CTX_free(privctx);
632 #ifndef OPENSSL_NO_DH
633 static EVP_PKEY *gen_dh_key(void)
635 EVP_PKEY_CTX *gctx = NULL;
636 EVP_PKEY *pkey = NULL;
637 OSSL_PARAM params[2];
639 params[0] = OSSL_PARAM_construct_utf8_string("group", "ffdhe2048", 0);
640 params[1] = OSSL_PARAM_construct_end();
642 if (!TEST_ptr(gctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL))
643 || !TEST_true(EVP_PKEY_keygen_init(gctx))
644 || !TEST_true(EVP_PKEY_CTX_set_params(gctx, params))
645 || !TEST_true(EVP_PKEY_keygen(gctx, &pkey)))
648 EVP_PKEY_CTX_free(gctx);
652 /* Fail if we try to use a dh key */
653 static int kem_invalid_keytype(void)
656 EVP_PKEY *key = NULL;
657 EVP_PKEY_CTX *sctx = NULL;
659 if (!TEST_ptr(key = gen_dh_key()))
662 if (!TEST_ptr(sctx = EVP_PKEY_CTX_new_from_pkey(libctx, key, NULL)))
664 if (!TEST_int_eq(EVP_PKEY_encapsulate_init(sctx, NULL), -2))
670 EVP_PKEY_CTX_free(sctx);
673 #endif /* OPENSSL_NO_DH */
675 int setup_tests(void)
677 const char *prov_name = "default";
678 char *config_file = NULL;
681 while ((o = opt_next()) != OPT_EOF) {
683 case OPT_PROVIDER_NAME:
684 prov_name = opt_arg();
686 case OPT_CONFIG_FILE:
687 config_file = opt_arg();
697 if (!test_get_libctx(&libctx, &nullprov, config_file, &libprov, prov_name))
700 #if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DH)
701 ADD_ALL_TESTS(test_dsa_param_keygen, 3 * 3 * 3);
703 #ifndef OPENSSL_NO_DH
704 ADD_ALL_TESTS(test_dh_safeprime_param_keygen, 3 * 3 * 3);
705 ADD_TEST(dhx_cert_load);
708 if (!TEST_ptr(cipher_names = sk_OPENSSL_STRING_new(name_cmp)))
710 EVP_CIPHER_do_all_provided(libctx, collect_cipher_names, cipher_names);
712 ADD_ALL_TESTS(test_cipher_reinit, sk_OPENSSL_STRING_num(cipher_names));
713 ADD_ALL_TESTS(test_cipher_reinit_partialupdate,
714 sk_OPENSSL_STRING_num(cipher_names));
715 ADD_TEST(kem_rsa_gen_recover);
716 ADD_TEST(kem_rsa_params);
717 #ifndef OPENSSL_NO_DH
718 ADD_TEST(kem_invalid_keytype);
723 /* Because OPENSSL_free is a macro, it can't be passed as a function pointer */
724 static void string_free(char *m)
729 void cleanup_tests(void)
731 sk_OPENSSL_STRING_pop_free(cipher_names, string_free);
732 OSSL_PROVIDER_unload(libprov);
733 OSSL_LIB_CTX_free(libctx);
734 OSSL_PROVIDER_unload(nullprov);