Added RSA oaep test that uses the pkeyutl application.
Added an openssl application option to support loading a (fips) provider via the '-config' option.
Added openssl application related environment variable 'OPENSSL_TEST_LIBCTX' (for testing purposes only),
that creates a non default library context.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11948)
CONF *app_load_config(const char *filename);
CONF *app_load_config_quiet(const char *filename);
int app_load_modules(const CONF *config);
+CONF *app_load_config_modules(const char *configfile);
void unbuffer(FILE *fp);
void wait_for_async(SSL *s);
# if defined(OPENSSL_SYS_MSDOS)
extern VERIFY_CB_ARGS verify_args;
+OPENSSL_CTX *app_create_libctx(void);
+OPENSSL_CTX *app_get0_libctx(void);
OSSL_PARAM *app_params_new_from_opts(STACK_OF(OPENSSL_STRING) *opts,
const OSSL_PARAM *paramdefs);
void app_params_free(OSSL_PARAM *params);
+int app_provider_load(OPENSSL_CTX *libctx, const char *provider_name);
void app_providers_cleanup(void);
#endif
OPT_PROV_PROVIDER, OPT_PROV_PROVIDER_PATH, \
OPT_PROV__LAST
+# define OPT_CONFIG_OPTION \
+ { "config", OPT_CONFIG, '<', "Load a configuration file (this may load modules)" }
+
# define OPT_PROV_OPTIONS \
OPT_SECTION("Provider"), \
{ "provider_path", OPT_PROV_PROVIDER_PATH, 's', "Provider load path (must be before 'provider' argument if required)" }, \
*/
#include "apps.h"
+#include <string.h>
#include <openssl/err.h>
#include <openssl/provider.h>
#include <openssl/safestack.h>
static STACK_OF(OSSL_PROVIDER) *app_providers = NULL;
-static int opt_provider_load(const char *provider)
+static void provider_free(OSSL_PROVIDER *prov)
+{
+ OSSL_PROVIDER_unload(prov);
+}
+
+int app_provider_load(OPENSSL_CTX *libctx, const char *provider_name)
{
OSSL_PROVIDER *prov;
- prov = OSSL_PROVIDER_load(NULL, provider);
+ prov = OSSL_PROVIDER_load(libctx, provider_name);
if (prov == NULL) {
opt_printf_stderr("%s: unable to load provider %s\n",
- opt_getprog(), provider);
+ opt_getprog(), provider_name);
return 0;
}
if (app_providers == NULL)
return 1;
}
-static void provider_free(OSSL_PROVIDER *prov)
-{
- OSSL_PROVIDER_unload(prov);
-}
-
void app_providers_cleanup(void)
{
sk_OSSL_PROVIDER_pop_free(app_providers, provider_free);
{
if (path != NULL && *path == '\0')
path = NULL;
- return OSSL_PROVIDER_set_default_search_path(NULL, path);
+ return OSSL_PROVIDER_set_default_search_path(app_get0_libctx(), path);
}
int opt_provider(int opt)
case OPT_PROV__LAST:
return 1;
case OPT_PROV_PROVIDER:
- return opt_provider_load(opt_arg());
+ return app_provider_load(app_get0_libctx(), opt_arg());
case OPT_PROV_PROVIDER_PATH:
return opt_provider_path(opt_arg());
}
unsigned long mask;
} NAME_EX_TBL;
+static OPENSSL_CTX *app_libctx = NULL;
+
static int set_table_opts(unsigned long *flags, const char *arg,
const NAME_EX_TBL * in_tbl);
static int set_multi_opts(unsigned long *flags, const char *arg,
return OPENSSL_strdup(tpass);
}
+OPENSSL_CTX *app_get0_libctx(void)
+{
+ return app_libctx;
+}
+
+OPENSSL_CTX *app_create_libctx(void)
+{
+ /*
+ * Load the NULL provider into the default library context and create a
+ * library context which will then be used for any OPT_PROV options.
+ */
+ if (app_libctx == NULL) {
+
+ if (!app_provider_load(NULL, "null")) {
+ BIO_puts(bio_err, "Failed to create null provider\n");
+ return NULL;
+ }
+ app_libctx = OPENSSL_CTX_new();
+ }
+ if (app_libctx == NULL)
+ BIO_puts(bio_err, "Failed to create library context\n");
+ return app_libctx;
+}
+
CONF *app_load_config_bio(BIO *in, const char *filename)
{
long errorline = -1;
CONF *conf;
int i;
- conf = NCONF_new(NULL);
+ conf = NCONF_new_with_libctx(app_libctx, NULL);
i = NCONF_load_bio(conf, in, &errorline);
if (i > 0)
return conf;
else
BIO_printf(bio_err, "config input");
+ CONF_modules_load(conf, NULL, 0);
NCONF_free(conf);
return NULL;
}
return 1;
}
+CONF *app_load_config_modules(const char *configfile)
+{
+ CONF *conf = NULL;
+
+ if (configfile != NULL) {
+ BIO_printf(bio_err, "Using configuration from %s\n", configfile);
+
+ if ((conf = app_load_config(configfile)) == NULL)
+ return NULL;
+ if (configfile != default_config_file && !app_load_modules(conf)) {
+ NCONF_free(conf);
+ conf = NULL;
+ }
+ }
+ return conf;
+}
+
X509 *load_cert_pass(const char *uri, int maybe_stdin,
const char *pass, const char *desc)
{
static int apps_startup(void)
{
+ const char *use_libctx = NULL;
#ifdef SIGPIPE
signal(SIGPIPE, SIG_IGN);
#endif
setup_ui_method();
+ /*
+ * NOTE: This is an undocumented feature required for testing only.
+ * There are no guarantees that it will exist in future builds.
+ */
+ use_libctx = getenv("OPENSSL_TEST_LIBCTX");
+ if (use_libctx != NULL) {
+ /* Set this to "1" to create a global libctx */
+ if (strcmp(use_libctx, "1") == 0) {
+ if (app_create_libctx() == NULL)
+ return 0;
+ }
+ }
+
return 1;
}
static void apps_shutdown(void)
{
+ app_providers_cleanup();
+ OPENSSL_CTX_free(app_get0_libctx());
destroy_ui_method();
}
: do_cmd(prog, 1, help_argv);
end:
- app_providers_cleanup();
OPENSSL_free(default_config_file);
lh_FUNCTION_free(prog);
OPENSSL_free(arg.argv);
static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
const char *keyfile, int keyform, int key_type,
char *passinarg, int pkey_op, ENGINE *e,
- const int impl, int rawin, EVP_PKEY **ppkey);
+ const int impl, int rawin, EVP_PKEY **ppkey,
+ OPENSSL_CTX *libctx, const char *propq);
static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file,
ENGINE *e);
OPT_DERIVE, OPT_SIGFILE, OPT_INKEY, OPT_PEERKEY, OPT_PASSIN,
OPT_PEERFORM, OPT_KEYFORM, OPT_PKEYOPT, OPT_PKEYOPT_PASSIN, OPT_KDF,
OPT_KDFLEN, OPT_R_ENUM, OPT_PROV_ENUM,
+ OPT_CONFIG,
OPT_RAWIN, OPT_DIGEST
} OPTION_CHOICE;
{"encrypt", OPT_ENCRYPT, '-', "Encrypt input data with public key"},
{"decrypt", OPT_DECRYPT, '-', "Decrypt input data with private key"},
{"derive", OPT_DERIVE, '-', "Derive shared secret"},
+ OPT_CONFIG_OPTION,
OPT_SECTION("Input"),
{"in", OPT_IN, '<', "Input file - default stdin"},
int pkeyutl_main(int argc, char **argv)
{
+ CONF *conf = NULL;
BIO *in = NULL, *out = NULL;
ENGINE *e = NULL;
EVP_PKEY_CTX *ctx = NULL;
int rawin = 0;
const EVP_MD *md = NULL;
int filesize = -1;
+ OPENSSL_CTX *libctx = app_get0_libctx();
+ const char *propq = NULL;
prog = opt_init(argc, argv, pkeyutl_options);
while ((o = opt_next()) != OPT_EOF) {
if (!opt_rand(o))
goto end;
break;
+ case OPT_CONFIG:
+ conf = app_load_config_modules(opt_arg());
+ if (conf == NULL)
+ goto end;
+ break;
case OPT_PROV_CASES:
if (!opt_provider(o))
goto end;
goto opthelp;
}
ctx = init_ctx(kdfalg, &keysize, inkey, keyform, key_type,
- passinarg, pkey_op, e, engine_impl, rawin, &pkey);
+ passinarg, pkey_op, e, engine_impl, rawin, &pkey,
+ libctx, propq);
if (ctx == NULL) {
BIO_printf(bio_err, "%s: Error initializing context\n", prog);
ERR_print_errors(bio_err);
OPENSSL_free(sig);
sk_OPENSSL_STRING_free(pkeyopts);
sk_OPENSSL_STRING_free(pkeyopts_passin);
+ NCONF_free(conf);
return ret;
}
const char *keyfile, int keyform, int key_type,
char *passinarg, int pkey_op, ENGINE *e,
const int engine_impl, int rawin,
- EVP_PKEY **ppkey)
+ EVP_PKEY **ppkey,
+ OPENSSL_CTX *libctx, const char *propq)
{
EVP_PKEY *pkey = NULL;
EVP_PKEY_CTX *ctx = NULL;
goto end;
}
}
- ctx = EVP_PKEY_CTX_new_id(kdfnid, impl);
+ if (impl != NULL)
+ ctx = EVP_PKEY_CTX_new_id(kdfnid, impl);
+ else
+ ctx = EVP_PKEY_CTX_new_from_name(libctx, kdfalg, propq);
} else {
if (pkey == NULL)
goto end;
*pkeysize = EVP_PKEY_size(pkey);
- ctx = EVP_PKEY_CTX_new(pkey, impl);
+ if (impl != NULL)
+ ctx = EVP_PKEY_CTX_new(pkey, impl);
+ else
+ ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, propq);
if (ppkey != NULL)
*ppkey = pkey;
EVP_PKEY_free(pkey);
[B<-engine_impl>]
{- $OpenSSL::safe::opt_r_synopsis -}
{- $OpenSSL::safe::opt_provider_synopsis -}
+{- $OpenSSL::safe::opt_config_synopsis -}
=for openssl ifdef engine engine_impl
{- $OpenSSL::safe::opt_provider_item -}
+{- $OpenSSL::safe::opt_config_item -}
+
=back
=head1 NOTES
Detailed documentation and use cases for most standard subcommands are available
(e.g., L<openssl-x509(1)>).
-Many commands use an external configuration file for some or all of their
-arguments and have a B<-config> option to specify that file.
-The default name of the file is F<openssl.cnf> in the default certificate
-storage area, which can be determined from the L<openssl-version(1)>
-command.
-The environment variable B<OPENSSL_CONF> can be used to specify
-a different location of the file.
-See L<openssl-env(7)>.
-
The list options B<-standard-commands>, B<-digest-commands>,
and B<-cipher-commands> output a list (one entry per line) of the names
of all standard commands, message digest commands, or cipher commands,
not able to detect pseudo-commands such as B<quit>,
B<list>, or B<no->I<XXX> itself.)
+=head2 Configuration Option
+
+Many commands use an external configuration file for some or all of their
+arguments and have a B<-config> option to specify that file.
+The default name of the file is F<openssl.cnf> in the default certificate
+storage area, which can be determined from the L<openssl-version(1)>
+command. This can be used to load modules.
+The environment variable B<OPENSSL_CONF> can be used to specify
+a different location of the file.
+See L<openssl-env(7)>.
+
=head2 Standard Commands
=over 4
. "\n"
. "See L<openssl(1)/Provider Options>.";
+# Configuration option
+$OpenSSL::safe::opt_config_synopsis = ""
+. "[B<-config> I<configfile>]\n";
+$OpenSSL::safe::opt_config_item = ""
+. "=item B<-config> I<configfile>\n"
+. "\n"
+. "See L<openssl(1)/Configuration Option>.";
+
# Engine option
$OpenSSL::safe::opt_engine_synopsis = "";
$OpenSSL::safe::opt_engine_item = "";
--- /dev/null
+#! /usr/bin/env perl
+# Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+use strict;
+use warnings;
+
+use OpenSSL::Test qw(:DEFAULT data_file bldtop_dir srctop_file srctop_dir bldtop_file);
+use OpenSSL::Test::Utils;
+use File::Compare qw/compare_text/;
+
+BEGIN {
+ setup("test_rsaoaep");
+}
+use lib srctop_dir('Configurations');
+use lib bldtop_dir('.');
+use platform;
+
+my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
+
+plan tests =>
+ ($no_fips ? 0 : 1) # FIPS install test
+ + 9;
+
+my @prov = ( );
+my $provconf = srctop_file("test", "fips.cnf");
+my $provpath = bldtop_dir("providers");
+my $msg_file = data_file("plain_text");
+my $enc1_file = "enc1.bin";
+my $enc2_file = "enc2.bin";
+my $enc3_file = "enc3.bin";
+my $dec1_file = "dec1.txt";
+my $dec2_file = "dec2.txt";
+my $dec3_file = "dec3.txt";
+my $key_file = srctop_file("test", "testrsa.pem");
+
+unless ($no_fips) {
+ @prov = ( "-provider_path", $provpath, "-config", $provconf );
+ my $infile = bldtop_file('providers', platform->dso('fips'));
+
+ ok(run(app(['openssl', 'fipsinstall',
+ '-out', bldtop_file('providers', 'fipsmodule.cnf'),
+ '-module', $infile])),
+ "fipsinstall");
+ $ENV{OPENSSL_TEST_LIBCTX} = "1";
+}
+
+ok(run(app(['openssl', 'pkeyutl',
+ @prov,
+ '-encrypt',
+ '-in', $msg_file,
+ '-inkey', $key_file,
+ '-pkeyopt', 'pad-mode:oaep',
+ '-pkeyopt', 'oaep-label:123',
+ '-pkeyopt', 'digest:sha1',
+ '-pkeyopt', 'mgf1-digest:sha1',
+ '-out', $enc1_file])),
+ "RSA OAEP Encryption");
+
+ok(!run(app(['openssl', 'pkeyutl',
+ @prov,
+ '-encrypt',
+ '-in', $key_file,
+ '-inkey', $key_file,
+ '-pkeyopt', 'pad-mode:oaep',
+ '-pkeyopt', 'oaep-label:123',
+ '-pkeyopt', 'digest:sha256',
+ '-pkeyopt', 'mgf1-digest:sha1'])),
+ "RSA OAEP Encryption should fail if the message is larger than the rsa modulus");
+
+ok(run(app(['openssl', 'pkeyutl',
+ @prov,
+ '-decrypt',
+ '-inkey', $key_file,
+ '-pkeyopt', 'pad-mode:oaep',
+ '-pkeyopt', 'oaep-label:123',
+ '-pkeyopt', 'digest:sha1',
+ '-pkeyopt', 'mgf1-digest:sha1',
+ '-in', $enc1_file,
+ '-out', $dec1_file]))
+ && compare_text($dec1_file, $msg_file) == 0,
+ "RSA OAEP Decryption");
+
+ok(!run(app(['openssl', 'pkeyutl',
+ @prov,
+ '-decrypt',
+ '-inkey', $key_file,
+ '-pkeyopt', 'pad-mode:oaep',
+ '-pkeyopt', 'oaep-label:123',
+ '-pkeyopt', 'digest:sha256',
+ '-pkeyopt', 'mgf1-digest:sha224',
+ '-in', $enc1_file])),
+ "Incorrect digest for RSA OAEP Decryption");
+
+ok(!run(app(['openssl', 'pkeyutl',
+ @prov,
+ '-decrypt',
+ '-inkey', $key_file,
+ '-pkeyopt', 'pad-mode:oaep',
+ '-pkeyopt', 'oaep-label:123',
+ '-pkeyopt', 'digest:sha1',
+ '-pkeyopt', 'mgf1-digest:sha224',
+ '-in', $enc1_file])),
+ "Incorrect mgf1-digest for RSA OAEP Decryption");
+
+ok(run(app(['openssl', 'pkeyutl',
+ @prov,
+ '-encrypt',
+ '-in', $msg_file,
+ '-inkey', $key_file,
+ '-pkeyopt', 'pad-mode:oaep',
+ '-pkeyopt', 'oaep-label:123',
+ '-pkeyopt', 'digest:sha1',
+ '-pkeyopt', 'mgf1-digest:sha1',
+ '-out', $enc2_file]))
+ && compare_text($enc2_file, $enc1_file) != 0,
+ "RSA OAEP Encryption should generate different encrypted data");
+
+ok(run(app(['openssl', 'pkeyutl',
+ @prov,
+ '-decrypt',
+ '-inkey', $key_file,
+ '-pkeyopt', 'pad-mode:oaep',
+ '-pkeyopt', 'oaep-label:123',
+ '-in', $enc2_file,
+ '-out', $dec2_file]))
+ && compare_text($dec2_file, $msg_file) == 0,
+ "RSA OAEP Decryption with default digests");
+
+ok(run(app(['openssl', 'pkeyutl',
+ @prov,
+ '-encrypt',
+ '-in', $msg_file,
+ '-inkey', $key_file,
+ '-pkeyopt', 'pad-mode:oaep',
+ '-pkeyopt', 'oaep-label:123',
+ '-out', $enc3_file])),
+ "RSA OAEP Encryption with default digests");
+
+ok(run(app(['openssl', 'pkeyutl',
+ @prov,
+ '-decrypt',
+ '-inkey', $key_file,
+ '-pkeyopt', 'pad-mode:oaep',
+ '-pkeyopt', 'oaep-label:123',
+ '-pkeyopt', 'digest:sha1',
+ '-pkeyopt', 'mgf1-digest:sha1',
+ '-in', $enc3_file,
+ '-out', $dec3_file]))
+ && compare_text($dec3_file, $msg_file) == 0,
+ "RSA OAEP Decryption with explicit default digests");
--- /dev/null
+Hello world