#include "testutil.h"
#include "evp_test.h"
-DEFINE_STACK_OF_STRING()
-
#define AAD_NUM 4
typedef struct evp_test_method_st EVP_TEST_METHOD;
}
/* Check that we get the same IV back */
- if (expected->iv != NULL
- && (EVP_CIPHER_flags(expected->cipher) & EVP_CIPH_CUSTOM_IV) == 0
- && !TEST_mem_eq(expected->iv, expected->iv_len,
- EVP_CIPHER_CTX_iv(ctx_base), expected->iv_len)) {
- t->err = "INVALID_IV";
- goto err;
+ if (expected->iv != NULL) {
+ /* Some (e.g., GCM) tests use IVs longer than EVP_MAX_IV_LENGTH. */
+ unsigned char iv[128];
+ if (!TEST_true(EVP_CIPHER_CTX_get_iv_state(ctx_base, iv, sizeof(iv)))
+ || ((EVP_CIPHER_flags(expected->cipher) & EVP_CIPH_CUSTOM_IV) == 0
+ && !TEST_mem_eq(expected->iv, expected->iv_len, iv,
+ expected->iv_len))) {
+ t->err = "INVALID_IV";
+ goto err;
+ }
}
/* Test that the cipher dup functions correctly if it is supported */
OBJ_nid2sn(expected->type), expected->alg);
if (expected->type == EVP_PKEY_CMAC) {
- if (is_cipher_disabled(expected->alg)) {
+ if (expected->alg != NULL && is_cipher_disabled(expected->alg)) {
TEST_info("skipping, PKEY CMAC '%s' is disabled", expected->alg);
t->skip = 1;
t->err = NULL;
t->err = "MAC_KEY_CREATE_ERROR";
goto err;
}
- key = EVP_PKEY_new_CMAC_key(NULL, expected->key, expected->key_len,
- cipher);
+ key = EVP_PKEY_new_CMAC_key_with_libctx(expected->key,
+ expected->key_len,
+ EVP_CIPHER_name(cipher),
+ libctx, NULL);
} else {
key = EVP_PKEY_new_raw_private_key_with_libctx(libctx,
OBJ_nid2sn(expected->type),
goto err;
}
- if (expected->type == EVP_PKEY_HMAC) {
+ if (expected->type == EVP_PKEY_HMAC && expected->alg != NULL) {
if (is_digest_disabled(expected->alg)) {
TEST_info("skipping, HMAC '%s' is disabled", expected->alg);
t->skip = 1;
EVP_PKEY *peer;
if (find_key(&peer, value, public_keys) == 0)
return -1;
- if (EVP_PKEY_derive_set_peer(kdata->ctx, peer) <= 0)
- return -1;
+ if (EVP_PKEY_derive_set_peer(kdata->ctx, peer) <= 0) {
+ t->err = "DERIVE_SET_PEER_ERROR";
+ return 1;
+ }
+ t->err = NULL;
return 1;
}
if (strcmp(keyword, "SharedSecret") == 0)
if (!TEST_ptr(rdata = OPENSSL_zalloc(sizeof(*rdata))))
return 0;
- rand = EVP_RAND_fetch(libctx, "TEST-RAND", NULL);
+ /* TEST-RAND is available in the FIPS provider but not with "fips=yes" */
+ rand = EVP_RAND_fetch(libctx, "TEST-RAND", "-fips");
if (rand == NULL)
goto err;
rdata->parent = EVP_RAND_CTX_new(rand, NULL);
*/
static int pkey_kdf_test_init(EVP_TEST *t, const char *name)
{
- OPENSSL_CTX *save_libctx = NULL;
PKEY_KDF_DATA *kdata = NULL;
- int kdf_nid = OBJ_sn2nid(name);
if (is_kdf_disabled(name)) {
TEST_info("skipping, '%s' is disabled", name);
return 1;
}
- if (kdf_nid == NID_undef)
- kdf_nid = OBJ_ln2nid(name);
-
if (!TEST_ptr(kdata = OPENSSL_zalloc(sizeof(*kdata))))
return 0;
- /*
- * TODO(3.0): This should be using EVP_PKEY_CTX_new_from_name(),
- * but it does not currently since the PKEY_KDF is using legacy paths.
- * Internally it still uses fetches with the legacy path,
- * So for now we hack in the library context.
- */
- save_libctx = OPENSSL_CTX_set0_default(libctx);
- kdata->ctx = EVP_PKEY_CTX_new_id(kdf_nid, NULL);
+
+ kdata->ctx = EVP_PKEY_CTX_new_from_name(libctx, name, NULL);
if (kdata->ctx == NULL
|| EVP_PKEY_derive_init(kdata->ctx) <= 0)
goto err;
- OPENSSL_CTX_set0_default(save_libctx);
t->data = kdata;
return 1;
err:
- OPENSSL_CTX_set0_default(save_libctx);
EVP_PKEY_CTX_free(kdata->ctx);
OPENSSL_free(kdata);
return 0;
*/
static int key_unsupported(void)
{
- long err = ERR_peek_error();
+ long err = ERR_peek_last_error();
if (ERR_GET_LIB(err) == ERR_LIB_EVP
- && (ERR_GET_REASON(err) == EVP_R_UNSUPPORTED_ALGORITHM
- || ERR_GET_REASON(err) == EVP_R_FETCH_FAILED)) {
+ && (ERR_GET_REASON(err) == EVP_R_UNSUPPORTED_ALGORITHM)) {
ERR_clear_error();
return 1;
}
* disabled).
*/
if (ERR_GET_LIB(err) == ERR_LIB_EC
- && ERR_GET_REASON(err) == EC_R_UNKNOWN_GROUP) {
+ && (ERR_GET_REASON(err) == EC_R_UNKNOWN_GROUP
+ || ERR_GET_REASON(err) == EC_R_INVALID_CURVE)) {
ERR_clear_error();
return 1;
}
}
klist = &private_keys;
} else if (strcmp(pp->key, "PublicKey") == 0) {
- pkey = PEM_read_bio_PUBKEY(t->s.key, NULL, 0, NULL);
+ pkey = PEM_read_bio_PUBKEY_ex(t->s.key, NULL, 0, NULL, libctx, NULL);
if (pkey == NULL && !key_unsupported()) {
EVP_PKEY_free(pkey);
TEST_info("Can't read public key %s", pp->value);
}
for (pp++, i = 1; i < (t->s.numpairs - skip_availablein); pp++, i++) {
- if (strcmp(pp->key, "Availablein") == 0) {
+ if (strcmp(pp->key, "Securitycheck") == 0) {
+#if defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
+ TEST_info("skipping, securitycheck is not available: %s:%d",
+ t->s.test_file, t->s.start);
+ t->skip = 1;
+ return 0;
+#endif
+ } else if (strcmp(pp->key, "Availablein") == 0) {
TEST_info("Line %d: 'Availablein' should be the first option",
t->s.curr);
return 0;