2 * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 * These tests are setup to load null into the default library context.
13 * Any tests are expected to use the created 'libctx' to find algorithms.
14 * The framework runs the tests twice using the 'default' provider or
15 * 'fips' provider as inputs.
19 * DSA/DH low level APIs are deprecated for public use, but still ok for
22 #include "internal/deprecated.h"
24 #include <openssl/evp.h>
25 #include <openssl/provider.h>
26 #include <openssl/dsa.h>
27 #include <openssl/dh.h>
28 #include <openssl/safestack.h>
29 #include <openssl/core_dispatch.h>
30 #include <openssl/core_names.h>
31 #include <openssl/x509.h>
32 #include <openssl/encoder.h>
34 #include "internal/nelem.h"
35 #include "crypto/bn_dh.h" /* _bignum_ffdhe2048_p */
37 static OSSL_LIB_CTX *libctx = NULL;
38 static OSSL_PROVIDER *nullprov = NULL;
39 static OSSL_PROVIDER *libprov = NULL;
40 static STACK_OF(OPENSSL_STRING) *cipher_names = NULL;
42 typedef enum OPTION_choice {
50 const OPTIONS *test_get_options(void)
52 static const OPTIONS test_options[] = {
53 OPT_TEST_OPTIONS_DEFAULT_USAGE,
54 { "config", OPT_CONFIG_FILE, '<',
55 "The configuration file to use for the libctx" },
56 { "provider", OPT_PROVIDER_NAME, 's',
57 "The provider to load (The default value is 'default')" },
64 static const char *getname(int id)
66 const char *name[] = {"p", "q", "g" };
68 if (id >= 0 && id < 3)
74 static int test_evp_cipher_api_safety(void)
77 EVP_CIPHER_CTX *ctx = NULL;
79 ctx = EVP_CIPHER_CTX_new();
85 * Ensure that EVP_CIPHER_get_block_size returns 0
86 * if we haven't initalized the cipher in this context
88 if (!TEST_int_eq(EVP_CIPHER_CTX_get_block_size(ctx), 0))
92 * Ensure that EVP_CIPHER_get_iv_length returns 0
93 * if we haven't initalized the cipher in this context
95 if (!TEST_int_eq(EVP_CIPHER_CTX_get_iv_length(ctx), 0))
100 EVP_CIPHER_CTX_free(ctx);
106 * We're using some DH specific values in this test, so we skip compilation if
107 * we're in a no-dh build.
109 #if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DH)
111 static int test_dsa_param_keygen(int tstid)
115 EVP_PKEY_CTX *gen_ctx = NULL;
116 EVP_PKEY *pkey_parm = NULL;
117 EVP_PKEY *pkey = NULL, *dup_pk = NULL;
119 int pind, qind, gind;
120 BIGNUM *p = NULL, *q = NULL, *g = NULL;
123 * Just grab some fixed dh p, q, g values for testing,
124 * these 'safe primes' should not be used normally for dsa *.
126 static const BIGNUM *bn[] = {
127 &ossl_bignum_dh2048_256_p, &ossl_bignum_dh2048_256_q,
128 &ossl_bignum_dh2048_256_g
132 * These tests are using bad values for p, q, g by reusing the values.
133 * A value of 0 uses p, 1 uses q and 2 uses g.
134 * There are 27 different combinations, with only the 1 valid combination.
137 qind = (tstid / 3) % 3;
139 expected = (pind == 0 && qind == 1 && gind == 2);
141 TEST_note("Testing with (p, q, g) = (%s, %s, %s)\n", getname(pind),
142 getname(qind), getname(gind));
144 if (!TEST_ptr(pkey_parm = EVP_PKEY_new())
145 || !TEST_ptr(dsa = DSA_new())
146 || !TEST_ptr(p = BN_dup(bn[pind]))
147 || !TEST_ptr(q = BN_dup(bn[qind]))
148 || !TEST_ptr(g = BN_dup(bn[gind]))
149 || !TEST_true(DSA_set0_pqg(dsa, p, q, g)))
153 if (!TEST_true(EVP_PKEY_assign_DSA(pkey_parm, dsa)))
157 if (!TEST_ptr(gen_ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey_parm, NULL))
158 || !TEST_int_gt(EVP_PKEY_keygen_init(gen_ctx), 0)
159 || !TEST_int_eq(EVP_PKEY_keygen(gen_ctx, &pkey), expected))
163 if (!TEST_ptr(dup_pk = EVP_PKEY_dup(pkey))
164 || !TEST_int_eq(EVP_PKEY_eq(pkey, dup_pk), 1))
171 EVP_PKEY_free(dup_pk);
172 EVP_PKEY_CTX_free(gen_ctx);
173 EVP_PKEY_free(pkey_parm);
180 #endif /* OPENSSL_NO_DSA */
182 #ifndef OPENSSL_NO_DH
183 static int do_dh_param_keygen(int tstid, const BIGNUM **bn)
187 EVP_PKEY_CTX *gen_ctx = NULL;
188 EVP_PKEY *pkey_parm = NULL;
189 EVP_PKEY *pkey = NULL, *dup_pk = NULL;
191 int pind, qind, gind;
192 BIGNUM *p = NULL, *q = NULL, *g = NULL;
195 * These tests are using bad values for p, q, g by reusing the values.
196 * A value of 0 uses p, 1 uses q and 2 uses g.
197 * There are 27 different combinations, with only the 1 valid combination.
200 qind = (tstid / 3) % 3;
202 expected = (pind == 0 && qind == 1 && gind == 2);
204 TEST_note("Testing with (p, q, g) = (%s, %s, %s)", getname(pind),
205 getname(qind), getname(gind));
207 if (!TEST_ptr(pkey_parm = EVP_PKEY_new())
208 || !TEST_ptr(dh = DH_new())
209 || !TEST_ptr(p = BN_dup(bn[pind]))
210 || !TEST_ptr(q = BN_dup(bn[qind]))
211 || !TEST_ptr(g = BN_dup(bn[gind]))
212 || !TEST_true(DH_set0_pqg(dh, p, q, g)))
216 if (!TEST_true(EVP_PKEY_assign_DH(pkey_parm, dh)))
220 if (!TEST_ptr(gen_ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey_parm, NULL))
221 || !TEST_int_gt(EVP_PKEY_keygen_init(gen_ctx), 0)
222 || !TEST_int_eq(EVP_PKEY_keygen(gen_ctx, &pkey), expected))
226 if (!TEST_ptr(dup_pk = EVP_PKEY_dup(pkey))
227 || !TEST_int_eq(EVP_PKEY_eq(pkey, dup_pk), 1))
234 EVP_PKEY_free(dup_pk);
235 EVP_PKEY_CTX_free(gen_ctx);
236 EVP_PKEY_free(pkey_parm);
245 * Note that we get the fips186-4 path being run for most of these cases since
246 * the internal code will detect that the p, q, g does not match a safe prime
247 * group (Except for when tstid = 5, which sets the correct p, q, g)
249 static int test_dh_safeprime_param_keygen(int tstid)
251 static const BIGNUM *bn[] = {
252 &ossl_bignum_ffdhe2048_p, &ossl_bignum_ffdhe2048_q,
255 return do_dh_param_keygen(tstid, bn);
258 static int dhx_cert_load(void)
264 static const unsigned char dhx_cert[] = {
265 0x30,0x82,0x03,0xff,0x30,0x82,0x02,0xe7,0xa0,0x03,0x02,0x01,0x02,0x02,0x09,0x00,
266 0xdb,0xf5,0x4d,0x22,0xa0,0x7a,0x67,0xa6,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,
267 0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x30,0x44,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,
268 0x04,0x06,0x13,0x02,0x55,0x4b,0x31,0x16,0x30,0x14,0x06,0x03,0x55,0x04,0x0a,0x0c,
269 0x0d,0x4f,0x70,0x65,0x6e,0x53,0x53,0x4c,0x20,0x47,0x72,0x6f,0x75,0x70,0x31,0x1d,
270 0x30,0x1b,0x06,0x03,0x55,0x04,0x03,0x0c,0x14,0x54,0x65,0x73,0x74,0x20,0x53,0x2f,
271 0x4d,0x49,0x4d,0x45,0x20,0x52,0x53,0x41,0x20,0x52,0x6f,0x6f,0x74,0x30,0x1e,0x17,
272 0x0d,0x31,0x33,0x30,0x38,0x30,0x32,0x31,0x34,0x34,0x39,0x32,0x39,0x5a,0x17,0x0d,
273 0x32,0x33,0x30,0x36,0x31,0x31,0x31,0x34,0x34,0x39,0x32,0x39,0x5a,0x30,0x44,0x31,
274 0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x4b,0x31,0x16,0x30,0x14,
275 0x06,0x03,0x55,0x04,0x0a,0x0c,0x0d,0x4f,0x70,0x65,0x6e,0x53,0x53,0x4c,0x20,0x47,
276 0x72,0x6f,0x75,0x70,0x31,0x1d,0x30,0x1b,0x06,0x03,0x55,0x04,0x03,0x0c,0x14,0x54,
277 0x65,0x73,0x74,0x20,0x53,0x2f,0x4d,0x49,0x4d,0x45,0x20,0x45,0x45,0x20,0x44,0x48,
278 0x20,0x23,0x31,0x30,0x82,0x01,0xb6,0x30,0x82,0x01,0x2b,0x06,0x07,0x2a,0x86,0x48,
279 0xce,0x3e,0x02,0x01,0x30,0x82,0x01,0x1e,0x02,0x81,0x81,0x00,0xd4,0x0c,0x4a,0x0c,
280 0x04,0x72,0x71,0x19,0xdf,0x59,0x19,0xc5,0xaf,0x44,0x7f,0xca,0x8e,0x2b,0xf0,0x09,
281 0xf5,0xd3,0x25,0xb1,0x73,0x16,0x55,0x89,0xdf,0xfd,0x07,0xaf,0x19,0xd3,0x7f,0xd0,
282 0x07,0xa2,0xfe,0x3f,0x5a,0xf1,0x01,0xc6,0xf8,0x2b,0xef,0x4e,0x6d,0x03,0x38,0x42,
283 0xa1,0x37,0xd4,0x14,0xb4,0x00,0x4a,0xb1,0x86,0x5a,0x83,0xce,0xb9,0x08,0x0e,0xc1,
284 0x99,0x27,0x47,0x8d,0x0b,0x85,0xa8,0x82,0xed,0xcc,0x0d,0xb9,0xb0,0x32,0x7e,0xdf,
285 0xe8,0xe4,0xf6,0xf6,0xec,0xb3,0xee,0x7a,0x11,0x34,0x65,0x97,0xfc,0x1a,0xb0,0x95,
286 0x4b,0x19,0xb9,0xa6,0x1c,0xd9,0x01,0x32,0xf7,0x35,0x7c,0x2d,0x5d,0xfe,0xc1,0x85,
287 0x70,0x49,0xf8,0xcc,0x99,0xd0,0xbe,0xf1,0x5a,0x78,0xc8,0x03,0x02,0x81,0x80,0x69,
288 0x00,0xfd,0x66,0xf2,0xfc,0x15,0x8b,0x09,0xb8,0xdc,0x4d,0xea,0xaa,0x79,0x55,0xf9,
289 0xdf,0x46,0xa6,0x2f,0xca,0x2d,0x8f,0x59,0x2a,0xad,0x44,0xa3,0xc6,0x18,0x2f,0x95,
290 0xb6,0x16,0x20,0xe3,0xd3,0xd1,0x8f,0x03,0xce,0x71,0x7c,0xef,0x3a,0xc7,0x44,0x39,
291 0x0e,0xe2,0x1f,0xd8,0xd3,0x89,0x2b,0xe7,0x51,0xdc,0x12,0x48,0x4c,0x18,0x4d,0x99,
292 0x12,0x06,0xe4,0x17,0x02,0x03,0x8c,0x24,0x05,0x8e,0xa6,0x85,0xf2,0x69,0x1b,0xe1,
293 0x6a,0xdc,0xe2,0x04,0x3a,0x01,0x9d,0x64,0xbe,0xfe,0x45,0xf9,0x44,0x18,0x71,0xbd,
294 0x2d,0x3e,0x7a,0x6f,0x72,0x7d,0x1a,0x80,0x42,0x57,0xae,0x18,0x6f,0x91,0xd6,0x61,
295 0x03,0x8a,0x1c,0x89,0x73,0xc7,0x56,0x41,0x03,0xd3,0xf8,0xed,0x65,0xe2,0x85,0x02,
296 0x15,0x00,0x89,0x94,0xab,0x10,0x67,0x45,0x41,0xad,0x63,0xc6,0x71,0x40,0x8d,0x6b,
297 0x9e,0x19,0x5b,0xa4,0xc7,0xf5,0x03,0x81,0x84,0x00,0x02,0x81,0x80,0x2f,0x5b,0xde,
298 0x72,0x02,0x36,0x6b,0x00,0x5e,0x24,0x7f,0x14,0x2c,0x18,0x52,0x42,0x97,0x4b,0xdb,
299 0x6e,0x15,0x50,0x3c,0x45,0x3e,0x25,0xf3,0xb7,0xc5,0x6e,0xe5,0x52,0xe7,0xc4,0xfb,
300 0xf4,0xa5,0xf0,0x39,0x12,0x7f,0xbc,0x54,0x1c,0x93,0xb9,0x5e,0xee,0xe9,0x14,0xb0,
301 0xdf,0xfe,0xfc,0x36,0xe4,0xf2,0xaf,0xfb,0x13,0xc8,0xdf,0x18,0x94,0x1d,0x40,0xb9,
302 0x71,0xdd,0x4c,0x9c,0xa7,0x03,0x52,0x02,0xb5,0xed,0x71,0x80,0x3e,0x23,0xda,0x28,
303 0xe5,0xab,0xe7,0x6f,0xf2,0x0a,0x0e,0x00,0x5b,0x7d,0xc6,0x4b,0xd7,0xc7,0xb2,0xc3,
304 0xba,0x62,0x7f,0x70,0x28,0xa0,0x9d,0x71,0x13,0x70,0xd1,0x9f,0x32,0x2f,0x3e,0xd2,
305 0xcd,0x1b,0xa4,0xc6,0x72,0xa0,0x74,0x5d,0x71,0xef,0x03,0x43,0x6e,0xa3,0x60,0x30,
306 0x5e,0x30,0x0c,0x06,0x03,0x55,0x1d,0x13,0x01,0x01,0xff,0x04,0x02,0x30,0x00,0x30,
307 0x0e,0x06,0x03,0x55,0x1d,0x0f,0x01,0x01,0xff,0x04,0x04,0x03,0x02,0x05,0xe0,0x30,
308 0x1d,0x06,0x03,0x55,0x1d,0x0e,0x04,0x16,0x04,0x14,0x0b,0x5a,0x4d,0x5f,0x7d,0x25,
309 0xc7,0xf2,0x9d,0xc1,0xaa,0xb7,0x63,0x82,0x2f,0xfa,0x8f,0x32,0xe7,0xc0,0x30,0x1f,
310 0x06,0x03,0x55,0x1d,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0xdf,0x7e,0x5e,0x88,0x05,
311 0x24,0x33,0x08,0xdd,0x22,0x81,0x02,0x97,0xcc,0x9a,0xb7,0xb1,0x33,0x27,0x30,0x30,
312 0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x03,0x82,
313 0x01,0x01,0x00,0x5a,0xf2,0x63,0xef,0xd3,0x16,0xd7,0xf5,0xaa,0xdd,0x12,0x00,0x36,
314 0x00,0x21,0xa2,0x7b,0x08,0xd6,0x3b,0x9f,0x62,0xac,0x53,0x1f,0xed,0x4c,0xd1,0x15,
315 0x34,0x65,0x71,0xee,0x96,0x07,0xa6,0xef,0xb2,0xde,0xd8,0xbb,0x35,0x6e,0x2c,0xe2,
316 0xd1,0x26,0xef,0x7e,0x94,0xe2,0x88,0x51,0xa4,0x6c,0xaa,0x27,0x2a,0xd3,0xb6,0xc2,
317 0xf7,0xea,0xc3,0x0b,0xa9,0xb5,0x28,0x37,0xa2,0x63,0x08,0xe4,0x88,0xc0,0x1b,0x16,
318 0x1b,0xca,0xfd,0x8a,0x07,0x32,0x29,0xa7,0x53,0xb5,0x2d,0x30,0xe4,0xf5,0x16,0xc3,
319 0xe3,0xc2,0x4c,0x30,0x5d,0x35,0x80,0x1c,0xa2,0xdb,0xe3,0x4b,0x51,0x0d,0x4c,0x60,
320 0x5f,0xb9,0x46,0xac,0xa8,0x46,0xa7,0x32,0xa7,0x9c,0x76,0xf8,0xe9,0xb5,0x19,0xe2,
321 0x0c,0xe1,0x0f,0xc6,0x46,0xe2,0x38,0xa7,0x87,0x72,0x6d,0x6c,0xbc,0x88,0x2f,0x9d,
322 0x2d,0xe5,0xd0,0x7d,0x1e,0xc7,0x5d,0xf8,0x7e,0xb4,0x0b,0xa6,0xf9,0x6c,0xe3,0x7c,
323 0xb2,0x70,0x6e,0x75,0x9b,0x1e,0x63,0xe1,0x4d,0xb2,0x81,0xd3,0x55,0x38,0x94,0x1a,
324 0x7a,0xfa,0xbf,0x01,0x18,0x70,0x2d,0x35,0xd3,0xe3,0x10,0x7a,0x9a,0xa7,0x8f,0xf3,
325 0xbd,0x56,0x55,0x5e,0xd8,0xbd,0x4e,0x16,0x76,0xd0,0x48,0x4c,0xf9,0x51,0x54,0xdf,
326 0x2d,0xb0,0xc9,0xaa,0x5e,0x42,0x38,0x50,0xbf,0x0f,0xc0,0xd9,0x84,0x44,0x4b,0x42,
327 0x24,0xec,0x14,0xa3,0xde,0x11,0xdf,0x58,0x7f,0xc2,0x4d,0xb2,0xd5,0x42,0x78,0x6e,
328 0x52,0x3e,0xad,0xc3,0x5f,0x04,0xc4,0xe6,0x31,0xaa,0x81,0x06,0x8b,0x13,0x4b,0x3c,
332 if (!TEST_ptr(bio = BIO_new_mem_buf(dhx_cert, sizeof(dhx_cert)))
333 || !TEST_ptr(cert = X509_new_ex(libctx, NULL))
334 || !TEST_ptr(d2i_X509_bio(bio, &cert)))
343 #endif /* OPENSSL_NO_DH */
345 static int test_cipher_reinit(int test_id)
347 int ret = 0, diff, ccm, siv, no_null_key;
348 int out1_len = 0, out2_len = 0, out3_len = 0;
349 EVP_CIPHER *cipher = NULL;
350 EVP_CIPHER_CTX *ctx = NULL;
351 unsigned char out1[256];
352 unsigned char out2[256];
353 unsigned char out3[256];
354 unsigned char in[16] = {
355 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
356 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10
358 unsigned char key[64] = {
359 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
360 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
361 0x01, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
362 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
363 0x02, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
364 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
365 0x03, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
366 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
368 unsigned char iv[16] = {
369 0x0f, 0x0e, 0x0d, 0x0c, 0x0b, 0x0a, 0x09, 0x08,
370 0x07, 0x06, 0x05, 0x04, 0x03, 0x02, 0x01, 0x00
372 const char *name = sk_OPENSSL_STRING_value(cipher_names, test_id);
374 if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new()))
377 TEST_note("Fetching %s\n", name);
378 if (!TEST_ptr(cipher = EVP_CIPHER_fetch(libctx, name, NULL)))
381 /* ccm fails on the second update - this matches OpenSSL 1_1_1 behaviour */
382 ccm = (EVP_CIPHER_get_mode(cipher) == EVP_CIPH_CCM_MODE);
384 /* siv cannot be called with NULL key as the iv is irrelevant */
385 siv = (EVP_CIPHER_get_mode(cipher) == EVP_CIPH_SIV_MODE);
388 * Skip init call with a null key for RC4 as the stream cipher does not
389 * handle reinit (1.1.1 behaviour).
391 no_null_key = EVP_CIPHER_is_a(cipher, "RC4")
392 || EVP_CIPHER_is_a(cipher, "RC4-40")
393 || EVP_CIPHER_is_a(cipher, "RC4-HMAC-MD5");
395 /* DES3-WRAP uses random every update - so it will give a different value */
396 diff = EVP_CIPHER_is_a(cipher, "DES3-WRAP");
398 if (!TEST_true(EVP_EncryptInit_ex(ctx, cipher, NULL, key, iv))
399 || !TEST_true(EVP_EncryptUpdate(ctx, out1, &out1_len, in, sizeof(in)))
400 || !TEST_true(EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv))
401 || !TEST_int_eq(EVP_EncryptUpdate(ctx, out2, &out2_len, in, sizeof(in)),
404 && (!TEST_true(EVP_EncryptInit_ex(ctx, NULL, NULL, NULL, iv))
405 || !TEST_int_eq(EVP_EncryptUpdate(ctx, out3, &out3_len, in, sizeof(in)),
406 ccm || siv ? 0 : 1))))
411 if (!TEST_mem_ne(out1, out1_len, out2, out2_len)
412 || !TEST_mem_ne(out1, out1_len, out3, out3_len)
413 || !TEST_mem_ne(out2, out2_len, out3, out3_len))
416 if (!TEST_mem_eq(out1, out1_len, out2, out2_len)
417 || (!siv && !no_null_key && !TEST_mem_eq(out1, out1_len, out3, out3_len)))
423 EVP_CIPHER_free(cipher);
424 EVP_CIPHER_CTX_free(ctx);
429 * This test only uses a partial block (half the block size) of input for each
430 * EVP_EncryptUpdate() in order to test that the second init/update is not using
431 * a leftover buffer from the first init/update.
432 * Note: some ciphers don't need a full block to produce output.
434 static int test_cipher_reinit_partialupdate(int test_id)
437 int out1_len = 0, out2_len = 0, out3_len = 0;
438 EVP_CIPHER *cipher = NULL;
439 EVP_CIPHER_CTX *ctx = NULL;
440 unsigned char out1[256];
441 unsigned char out2[256];
442 unsigned char out3[256];
443 static const unsigned char in[32] = {
444 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
445 0xba, 0xbe, 0xba, 0xbe, 0x00, 0x00, 0xba, 0xbe,
446 0x01, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
447 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
449 static const unsigned char key[64] = {
450 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
451 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
452 0x01, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
453 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
454 0x02, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
455 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
456 0x03, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
457 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
459 static const unsigned char iv[16] = {
460 0x0f, 0x0e, 0x0d, 0x0c, 0x0b, 0x0a, 0x09, 0x08,
461 0x07, 0x06, 0x05, 0x04, 0x03, 0x02, 0x01, 0x00
463 const char *name = sk_OPENSSL_STRING_value(cipher_names, test_id);
465 if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new()))
468 TEST_note("Fetching %s\n", name);
469 if (!TEST_ptr(cipher = EVP_CIPHER_fetch(libctx, name, NULL)))
472 in_len = EVP_CIPHER_get_block_size(cipher);
473 if (!TEST_int_gt(in_len, 0))
478 /* skip any ciphers that don't allow partial updates */
479 if (((EVP_CIPHER_get_flags(cipher)
480 & (EVP_CIPH_FLAG_CTS | EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK)) != 0)
481 || EVP_CIPHER_get_mode(cipher) == EVP_CIPH_CCM_MODE
482 || EVP_CIPHER_get_mode(cipher) == EVP_CIPH_XTS_MODE
483 || EVP_CIPHER_get_mode(cipher) == EVP_CIPH_WRAP_MODE) {
488 if (!TEST_true(EVP_EncryptInit_ex(ctx, cipher, NULL, key, iv))
489 || !TEST_true(EVP_EncryptUpdate(ctx, out1, &out1_len, in, in_len))
490 || !TEST_true(EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv))
491 || !TEST_true(EVP_EncryptUpdate(ctx, out2, &out2_len, in, in_len)))
494 if (EVP_CIPHER_get_iv_length(cipher) != 0)
495 if (!TEST_mem_eq(out1, out1_len, out2, out2_len))
498 if (EVP_CIPHER_get_mode(cipher) != EVP_CIPH_SIV_MODE) {
499 if (!TEST_true(EVP_EncryptInit_ex(ctx, NULL, NULL, NULL, iv))
500 || !TEST_true(EVP_EncryptUpdate(ctx, out3, &out3_len, in, in_len)))
503 if (EVP_CIPHER_get_iv_length(cipher) != 0)
504 if (!TEST_mem_eq(out1, out1_len, out3, out3_len))
509 EVP_CIPHER_free(cipher);
510 EVP_CIPHER_CTX_free(ctx);
515 static int name_cmp(const char * const *a, const char * const *b)
517 return OPENSSL_strcasecmp(*a, *b);
520 static void collect_cipher_names(EVP_CIPHER *cipher, void *cipher_names_list)
522 STACK_OF(OPENSSL_STRING) *names = cipher_names_list;
523 const char *name = EVP_CIPHER_get0_name(cipher);
524 char *namedup = NULL;
526 assert(name != NULL);
527 /* the cipher will be freed after returning, strdup is needed */
528 if ((namedup = OPENSSL_strdup(name)) != NULL
529 && !sk_OPENSSL_STRING_push(names, namedup))
530 OPENSSL_free(namedup);
533 static int rsa_keygen(int bits, EVP_PKEY **pub, EVP_PKEY **priv)
536 unsigned char *pub_der = NULL;
537 const unsigned char *pp = NULL;
539 OSSL_ENCODER_CTX *ectx = NULL;
541 if (!TEST_ptr(*priv = EVP_PKEY_Q_keygen(libctx, NULL, "RSA", bits))
543 OSSL_ENCODER_CTX_new_for_pkey(*priv,
545 "DER", "type-specific",
547 || !TEST_true(OSSL_ENCODER_to_data(ectx, &pub_der, &len)))
550 if (!TEST_ptr(d2i_PublicKey(EVP_PKEY_RSA, pub, &pp, len)))
554 OSSL_ENCODER_CTX_free(ectx);
555 OPENSSL_free(pub_der);
559 static int kem_rsa_gen_recover(void)
562 EVP_PKEY *pub = NULL;
563 EVP_PKEY *priv = NULL;
564 EVP_PKEY_CTX *sctx = NULL, *rctx = NULL, *dctx = NULL;
565 unsigned char secret[256] = { 0, };
566 unsigned char ct[256] = { 0, };
567 unsigned char unwrap[256] = { 0, };
568 size_t ctlen = 0, unwraplen = 0, secretlen = 0;
571 ret = TEST_true(rsa_keygen(bits, &pub, &priv))
572 && TEST_ptr(sctx = EVP_PKEY_CTX_new_from_pkey(libctx, pub, NULL))
573 && TEST_int_eq(EVP_PKEY_encapsulate_init(sctx, NULL), 1)
574 && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(sctx, "RSASVE"), 1)
575 && TEST_ptr(dctx = EVP_PKEY_CTX_dup(sctx))
576 && TEST_int_eq(EVP_PKEY_encapsulate(dctx, NULL, &ctlen, NULL,
578 && TEST_int_eq(ctlen, secretlen)
579 && TEST_int_eq(ctlen, bits / 8)
580 && TEST_int_eq(EVP_PKEY_encapsulate(dctx, ct, &ctlen, secret,
582 && TEST_ptr(rctx = EVP_PKEY_CTX_new_from_pkey(libctx, priv, NULL))
583 && TEST_int_eq(EVP_PKEY_decapsulate_init(rctx, NULL), 1)
584 && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(rctx, "RSASVE"), 1)
585 && TEST_int_eq(EVP_PKEY_decapsulate(rctx, NULL, &unwraplen,
587 && TEST_int_eq(EVP_PKEY_decapsulate(rctx, unwrap, &unwraplen,
589 && TEST_mem_eq(unwrap, unwraplen, secret, secretlen);
592 EVP_PKEY_CTX_free(rctx);
593 EVP_PKEY_CTX_free(dctx);
594 EVP_PKEY_CTX_free(sctx);
598 #ifndef OPENSSL_NO_DES
600 * This test makes sure that EVP_CIPHER_CTX_rand_key() works correctly
601 * For fips mode this code would produce an error if the flag is not set.
603 static int test_cipher_tdes_randkey(void)
606 EVP_CIPHER_CTX *ctx = NULL;
607 EVP_CIPHER *tdes_cipher = NULL, *aes_cipher = NULL;
608 unsigned char key[24] = { 0 };
610 ret = TEST_ptr(aes_cipher = EVP_CIPHER_fetch(libctx, "AES-256-CBC", NULL))
611 && TEST_int_eq(EVP_CIPHER_get_flags(aes_cipher) & EVP_CIPH_RAND_KEY, 0)
612 && TEST_ptr(tdes_cipher = EVP_CIPHER_fetch(libctx, "DES-EDE3-CBC", NULL))
613 && TEST_int_ne(EVP_CIPHER_get_flags(tdes_cipher) & EVP_CIPH_RAND_KEY, 0)
614 && TEST_ptr(ctx = EVP_CIPHER_CTX_new())
615 && TEST_true(EVP_CipherInit_ex(ctx, tdes_cipher, NULL, NULL, NULL, 1))
616 && TEST_int_gt(EVP_CIPHER_CTX_rand_key(ctx, key), 0);
618 EVP_CIPHER_CTX_free(ctx);
619 EVP_CIPHER_free(tdes_cipher);
620 EVP_CIPHER_free(aes_cipher);
623 #endif /* OPENSSL_NO_DES */
625 static int kem_rsa_params(void)
628 EVP_PKEY *pub = NULL;
629 EVP_PKEY *priv = NULL;
630 EVP_PKEY_CTX *pubctx = NULL, *privctx = NULL;
631 unsigned char secret[256] = { 0, };
632 unsigned char ct[256] = { 0, };
633 size_t ctlen = 0, secretlen = 0;
635 ret = TEST_true(rsa_keygen(2048, &pub, &priv))
636 && TEST_ptr(pubctx = EVP_PKEY_CTX_new_from_pkey(libctx, pub, NULL))
637 && TEST_ptr(privctx = EVP_PKEY_CTX_new_from_pkey(libctx, priv, NULL))
638 /* Test setting kem op before the init fails */
639 && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(pubctx, "RSASVE"), -2)
640 /* Test NULL ctx passed */
641 && TEST_int_eq(EVP_PKEY_encapsulate_init(NULL, NULL), 0)
642 && TEST_int_eq(EVP_PKEY_encapsulate(NULL, NULL, NULL, NULL, NULL), 0)
643 && TEST_int_eq(EVP_PKEY_decapsulate_init(NULL, NULL), 0)
644 && TEST_int_eq(EVP_PKEY_decapsulate(NULL, NULL, NULL, NULL, 0), 0)
645 /* Test Invalid operation */
646 && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, NULL, NULL, NULL), -1)
647 && TEST_int_eq(EVP_PKEY_decapsulate(privctx, NULL, NULL, NULL, 0), 0)
648 /* Wrong key component - no secret should be returned on failure */
649 && TEST_int_eq(EVP_PKEY_decapsulate_init(pubctx, NULL), 1)
650 && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(pubctx, "RSASVE"), 1)
651 && TEST_int_eq(EVP_PKEY_decapsulate(pubctx, secret, &secretlen, ct,
653 && TEST_uchar_eq(secret[0], 0)
654 /* Test encapsulate fails if the mode is not set */
655 && TEST_int_eq(EVP_PKEY_encapsulate_init(pubctx, NULL), 1)
656 && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, ct, &ctlen, secret, &secretlen), -2)
657 /* Test setting a bad kem ops fail */
658 && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(pubctx, "RSA"), 0)
659 && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(pubctx, NULL), 0)
660 && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(NULL, "RSASVE"), 0)
661 && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(NULL, NULL), 0)
662 /* Test secretlen is optional */
663 && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(pubctx, "RSASVE"), 1)
664 && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, ct, &ctlen, secret, NULL), 1)
665 && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, &ctlen, NULL, NULL), 1)
666 /* Test outlen is optional */
667 && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, NULL, NULL, &secretlen), 1)
668 && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, ct, NULL, secret, &secretlen), 1)
669 /* test that either len must be set if out is NULL */
670 && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, NULL, NULL, NULL), 0)
671 && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, &ctlen, NULL, NULL), 1)
672 && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, NULL, NULL, &secretlen), 1)
673 && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, &ctlen, NULL, &secretlen), 1)
674 /* Secret buffer should be set if there is an output buffer */
675 && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, ct, &ctlen, NULL, NULL), 0)
676 /* Test that lengths are optional if ct is not NULL */
677 && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, ct, NULL, secret, NULL), 1)
678 /* Pass if secret or secret length are not NULL */
679 && TEST_int_eq(EVP_PKEY_decapsulate_init(privctx, NULL), 1)
680 && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(privctx, "RSASVE"), 1)
681 && TEST_int_eq(EVP_PKEY_decapsulate(privctx, secret, NULL, ct, sizeof(ct)), 1)
682 && TEST_int_eq(EVP_PKEY_decapsulate(privctx, NULL, &secretlen, ct, sizeof(ct)), 1)
683 && TEST_int_eq(secretlen, 256)
684 /* Fail if passed NULL arguments */
685 && TEST_int_eq(EVP_PKEY_decapsulate(privctx, NULL, NULL, ct, sizeof(ct)), 0)
686 && TEST_int_eq(EVP_PKEY_decapsulate(privctx, secret, &secretlen, NULL, 0), 0)
687 && TEST_int_eq(EVP_PKEY_decapsulate(privctx, secret, &secretlen, NULL, sizeof(ct)), 0)
688 && TEST_int_eq(EVP_PKEY_decapsulate(privctx, secret, &secretlen, ct, 0), 0);
692 EVP_PKEY_CTX_free(pubctx);
693 EVP_PKEY_CTX_free(privctx);
697 #ifndef OPENSSL_NO_DH
698 static EVP_PKEY *gen_dh_key(void)
700 EVP_PKEY_CTX *gctx = NULL;
701 EVP_PKEY *pkey = NULL;
702 OSSL_PARAM params[2];
704 params[0] = OSSL_PARAM_construct_utf8_string("group", "ffdhe2048", 0);
705 params[1] = OSSL_PARAM_construct_end();
707 if (!TEST_ptr(gctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL))
708 || !TEST_int_gt(EVP_PKEY_keygen_init(gctx), 0)
709 || !TEST_true(EVP_PKEY_CTX_set_params(gctx, params))
710 || !TEST_true(EVP_PKEY_keygen(gctx, &pkey)))
713 EVP_PKEY_CTX_free(gctx);
717 /* Fail if we try to use a dh key */
718 static int kem_invalid_keytype(void)
721 EVP_PKEY *key = NULL;
722 EVP_PKEY_CTX *sctx = NULL;
724 if (!TEST_ptr(key = gen_dh_key()))
727 if (!TEST_ptr(sctx = EVP_PKEY_CTX_new_from_pkey(libctx, key, NULL)))
729 if (!TEST_int_eq(EVP_PKEY_encapsulate_init(sctx, NULL), -2))
735 EVP_PKEY_CTX_free(sctx);
738 #endif /* OPENSSL_NO_DH */
740 int setup_tests(void)
742 const char *prov_name = "default";
743 char *config_file = NULL;
746 while ((o = opt_next()) != OPT_EOF) {
748 case OPT_PROVIDER_NAME:
749 prov_name = opt_arg();
751 case OPT_CONFIG_FILE:
752 config_file = opt_arg();
762 if (!test_get_libctx(&libctx, &nullprov, config_file, &libprov, prov_name))
765 ADD_TEST(test_evp_cipher_api_safety);
767 #if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DH)
768 ADD_ALL_TESTS(test_dsa_param_keygen, 3 * 3 * 3);
770 #ifndef OPENSSL_NO_DH
771 ADD_ALL_TESTS(test_dh_safeprime_param_keygen, 3 * 3 * 3);
772 ADD_TEST(dhx_cert_load);
775 if (!TEST_ptr(cipher_names = sk_OPENSSL_STRING_new(name_cmp)))
777 EVP_CIPHER_do_all_provided(libctx, collect_cipher_names, cipher_names);
779 ADD_ALL_TESTS(test_cipher_reinit, sk_OPENSSL_STRING_num(cipher_names));
780 ADD_ALL_TESTS(test_cipher_reinit_partialupdate,
781 sk_OPENSSL_STRING_num(cipher_names));
782 ADD_TEST(kem_rsa_gen_recover);
783 ADD_TEST(kem_rsa_params);
784 #ifndef OPENSSL_NO_DH
785 ADD_TEST(kem_invalid_keytype);
787 #ifndef OPENSSL_NO_DES
788 ADD_TEST(test_cipher_tdes_randkey);
793 /* Because OPENSSL_free is a macro, it can't be passed as a function pointer */
794 static void string_free(char *m)
799 void cleanup_tests(void)
801 sk_OPENSSL_STRING_pop_free(cipher_names, string_free);
802 OSSL_PROVIDER_unload(libprov);
803 OSSL_LIB_CTX_free(libctx);
804 OSSL_PROVIDER_unload(nullprov);