static int sign_and_verify(int len)
{
/*
* Per FIPS 186-4, the hash is recommended to be the same length as q.
* If the hash is longer than q, the leftmost N bits are used; if the hash
* is shorter, then we left-pad (see appendix C.2.1).
*/
size_t sigLength;
int digestlen = BN_num_bytes(DSA_get0_q(dsakey));
int ok = 0;
unsigned char *dataToSign = OPENSSL_malloc(len);
unsigned char *paddedData = OPENSSL_malloc(digestlen);
unsigned char *signature = NULL;
EVP_PKEY_CTX *ctx = NULL;
EVP_PKEY *pkey = NULL;
if (!TEST_ptr(dataToSign) ||
!TEST_ptr(paddedData) ||
!TEST_int_eq(RAND_bytes(dataToSign, len), 1))
goto end;
memset(paddedData, 0, digestlen);
if (len > digestlen)
memcpy(paddedData, dataToSign, digestlen);
else
memcpy(paddedData + digestlen - len, dataToSign, len);
if (!TEST_ptr(pkey = EVP_PKEY_new()))
goto end;
EVP_PKEY_set1_DSA(pkey, dsakey);
if (!TEST_ptr(ctx = EVP_PKEY_CTX_new(pkey, NULL)))
goto end;
if (!TEST_int_eq(EVP_PKEY_sign_init(ctx), 1))
goto end;
if (EVP_PKEY_sign(ctx, NULL, &sigLength, dataToSign, len) != 1) {
TEST_error("Failed to get signature length, len=%d", len);
goto end;
}
if (!TEST_ptr(signature = OPENSSL_malloc(sigLength)))
goto end;
if (EVP_PKEY_sign(ctx, signature, &sigLength, dataToSign, len) != 1) {
TEST_error("Failed to sign, len=%d", len);
goto end;
}
/* Check that the signature is okay via the EVP interface */
if (!TEST_int_eq(EVP_PKEY_verify_init(ctx), 1))
goto end;
/* ... using the same data we just signed */
if (EVP_PKEY_verify(ctx, signature, sigLength, dataToSign, len) != 1) {
TEST_error("EVP verify with unpadded length %d failed\n", len);
goto end;
}
/* ... padding/truncating the data to the appropriate digest size */
if (EVP_PKEY_verify(ctx, signature, sigLength, paddedData, digestlen) != 1) {
TEST_error("EVP verify with length %d failed\n", len);
goto end;
}
/* Verify again using the raw DSA interface */
if (DSA_verify(0, dataToSign, len, signature, sigLength, dsakey) != 1) {
TEST_error("Verification with unpadded data failed, len=%d", len);
goto end;
}
if (DSA_verify(0, paddedData, digestlen, signature, sigLength, dsakey) != 1) {
TEST_error("verify with length %d failed\n", len);
goto end;
}
ok = 1;
end:
EVP_PKEY_CTX_free(ctx);
EVP_PKEY_free(pkey);
OPENSSL_free(signature);
OPENSSL_free(paddedData);
OPENSSL_free(dataToSign);
return ok;
}
static int test_sec_mem(void)
{
#if defined(OPENSSL_SYS_LINUX) || defined(OPENSSL_SYS_UNIX)
int testresult = 0;
char *p = NULL, *q = NULL, *r = NULL, *s = NULL;
s = OPENSSL_secure_malloc(20);
/* s = non-secure 20 */
if (!TEST_ptr(s)
|| !TEST_false(CRYPTO_secure_allocated(s)))
goto end;
r = OPENSSL_secure_malloc(20);
/* r = non-secure 20, s = non-secure 20 */
if (!TEST_ptr(r)
|| !TEST_true(CRYPTO_secure_malloc_init(4096, 32))
|| !TEST_false(CRYPTO_secure_allocated(r)))
goto end;
p = OPENSSL_secure_malloc(20);
if (!TEST_ptr(p)
/* r = non-secure 20, p = secure 20, s = non-secure 20 */
|| !TEST_true(CRYPTO_secure_allocated(p))
/* 20 secure -> 32-byte minimum allocation unit */
|| !TEST_size_t_eq(CRYPTO_secure_used(), 32))
goto end;
q = OPENSSL_malloc(20);
if (!TEST_ptr(q))
goto end;
/* r = non-secure 20, p = secure 20, q = non-secure 20, s = non-secure 20 */
if (!TEST_false(CRYPTO_secure_allocated(q)))
goto end;
OPENSSL_secure_clear_free(s, 20);
s = OPENSSL_secure_malloc(20);
if (!TEST_ptr(s)
/* r = non-secure 20, p = secure 20, q = non-secure 20, s = secure 20 */
|| !TEST_true(CRYPTO_secure_allocated(s))
/* 2 * 20 secure -> 64 bytes allocated */
|| !TEST_size_t_eq(CRYPTO_secure_used(), 64))
goto end;
OPENSSL_secure_clear_free(p, 20);
p = NULL;
/* 20 secure -> 32 bytes allocated */
if (!TEST_size_t_eq(CRYPTO_secure_used(), 32))
goto end;
OPENSSL_free(q);
q = NULL;
/* should not complete, as secure memory is still allocated */
if (!TEST_false(CRYPTO_secure_malloc_done())
|| !TEST_true(CRYPTO_secure_malloc_initialized()))
goto end;
OPENSSL_secure_free(s);
s = NULL;
/* secure memory should now be 0, so done should complete */
if (!TEST_size_t_eq(CRYPTO_secure_used(), 0)
|| !TEST_true(CRYPTO_secure_malloc_done())
|| !TEST_false(CRYPTO_secure_malloc_initialized()))
goto end;
TEST_info("Possible infinite loop: allocate more than available");
if (!TEST_true(CRYPTO_secure_malloc_init(32768, 16)))
goto end;
TEST_ptr_null(OPENSSL_secure_malloc((size_t)-1));
TEST_true(CRYPTO_secure_malloc_done());
/*
* If init fails, then initialized should be false, if not, this
* could cause an infinite loop secure_malloc, but we don't test it
*/
if (TEST_false(CRYPTO_secure_malloc_init(16, 16)) &&
!TEST_false(CRYPTO_secure_malloc_initialized())) {
TEST_true(CRYPTO_secure_malloc_done());
goto end;
}
/*-
* There was also a possible infinite loop when the number of
* elements was 1<<31, as |int i| was set to that, which is a
* negative number. However, it requires minimum input values:
*
* CRYPTO_secure_malloc_init((size_t)1<<34, (size_t)1<<4);
*
* Which really only works on 64-bit systems, since it took 16 GB
* secure memory arena to trigger the problem. It naturally takes
* corresponding amount of available virtual and physical memory
* for test to be feasible/representative. Since we can't assume
* that every system is equipped with that much memory, the test
* remains disabled. If the reader of this comment really wants
* to make sure that infinite loop is fixed, they can enable the
* code below.
*/
# if 0
/*-
* On Linux and BSD this test has a chance to complete in minimal
* time and with minimum side effects, because mlock is likely to
* fail because of RLIMIT_MEMLOCK, which is customarily [much]
* smaller than 16GB. In other words Linux and BSD users can be
* limited by virtual space alone...
*/
if (sizeof(size_t) > 4) {
TEST_info("Possible infinite loop: 1<<31 limit");
if (TEST_true(CRYPTO_secure_malloc_init((size_t)1<<34, (size_t)1<<4) != 0))
TEST_true(CRYPTO_secure_malloc_done());
}
# endif
/* this can complete - it was not really secure */
testresult = 1;
end:
OPENSSL_secure_free(p);
OPENSSL_free(q);
OPENSSL_secure_free(r);
OPENSSL_secure_free(s);
return testresult;
#else
/* Should fail. */
return TEST_false(CRYPTO_secure_malloc_init(4096, 32));
#endif
}
static int test_builtin(void)
{
EC_builtin_curve *curves = NULL;
size_t crv_len = 0, n = 0;
EC_KEY *eckey = NULL, *wrong_eckey = NULL;
EC_GROUP *group;
ECDSA_SIG *ecdsa_sig = NULL, *modified_sig = NULL;
unsigned char digest[20], wrong_digest[20];
unsigned char *signature = NULL;
const unsigned char *sig_ptr;
unsigned char *sig_ptr2;
unsigned char *raw_buf = NULL;
const BIGNUM *sig_r, *sig_s;
BIGNUM *modified_r = NULL, *modified_s = NULL;
BIGNUM *unmodified_r = NULL, *unmodified_s = NULL;
unsigned int sig_len, degree, r_len, s_len, bn_len, buf_len;
int nid, ret = 0;
/* fill digest values with some random data */
if (!TEST_true(RAND_bytes(digest, 20))
|| !TEST_true(RAND_bytes(wrong_digest, 20)))
goto builtin_err;
/* create and verify a ecdsa signature with every available curve */
/* get a list of all internal curves */
crv_len = EC_get_builtin_curves(NULL, 0);
if (!TEST_ptr(curves = OPENSSL_malloc(sizeof(*curves) * crv_len))
|| !TEST_true(EC_get_builtin_curves(curves, crv_len)))
goto builtin_err;
/* now create and verify a signature for every curve */
for (n = 0; n < crv_len; n++) {
unsigned char dirt, offset;
nid = curves[n].nid;
if (nid == NID_ipsec4 || nid == NID_X25519)
continue;
/* create new ecdsa key (== EC_KEY) */
if (!TEST_ptr(eckey = EC_KEY_new())
|| !TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))
|| !TEST_true(EC_KEY_set_group(eckey, group)))
goto builtin_err;
EC_GROUP_free(group);
degree = EC_GROUP_get_degree(EC_KEY_get0_group(eckey));
if (degree < 160) {
/* drop the curve */
EC_KEY_free(eckey);
eckey = NULL;
continue;
}
TEST_info("testing %s", OBJ_nid2sn(nid));
/* create key */
if (!TEST_true(EC_KEY_generate_key(eckey)))
goto builtin_err;
/* create second key */
if (!TEST_ptr(wrong_eckey = EC_KEY_new())
|| !TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))
|| !TEST_true(EC_KEY_set_group(wrong_eckey, group)))
goto builtin_err;
EC_GROUP_free(group);
if (!TEST_true(EC_KEY_generate_key(wrong_eckey)))
goto builtin_err;
/* check key */
if (!TEST_true(EC_KEY_check_key(eckey)))
goto builtin_err;
/* create signature */
sig_len = ECDSA_size(eckey);
if (!TEST_ptr(signature = OPENSSL_malloc(sig_len))
|| !TEST_true(ECDSA_sign(0, digest, 20, signature, &sig_len,
eckey)))
goto builtin_err;
/* verify signature */
if (!TEST_int_eq(ECDSA_verify(0, digest, 20, signature, sig_len,
eckey), 1))
goto builtin_err;
/* verify signature with the wrong key */
if (!TEST_int_ne(ECDSA_verify(0, digest, 20, signature, sig_len,
wrong_eckey), 1))
goto builtin_err;
/* wrong digest */
if (!TEST_int_ne(ECDSA_verify(0, wrong_digest, 20, signature,
sig_len, eckey), 1))
goto builtin_err;
/* wrong length */
if (!TEST_int_ne(ECDSA_verify(0, digest, 20, signature,
sig_len - 1, eckey), 1))
goto builtin_err;
/*
* Modify a single byte of the signature: to ensure we don't garble
* the ASN1 structure, we read the raw signature and modify a byte in
* one of the bignums directly.
*/
sig_ptr = signature;
if (!TEST_ptr(ecdsa_sig = d2i_ECDSA_SIG(NULL, &sig_ptr, sig_len)))
goto builtin_err;
ECDSA_SIG_get0(ecdsa_sig, &sig_r, &sig_s);
/* Store the two BIGNUMs in raw_buf. */
r_len = BN_num_bytes(sig_r);
s_len = BN_num_bytes(sig_s);
bn_len = (degree + 7) / 8;
if (!TEST_false(r_len > bn_len)
|| !TEST_false(s_len > bn_len))
goto builtin_err;
buf_len = 2 * bn_len;
if (!TEST_ptr(raw_buf = OPENSSL_zalloc(buf_len)))
goto builtin_err;
BN_bn2bin(sig_r, raw_buf + bn_len - r_len);
BN_bn2bin(sig_s, raw_buf + buf_len - s_len);
/* Modify a single byte in the buffer. */
offset = raw_buf[10] % buf_len;
dirt = raw_buf[11] ? raw_buf[11] : 1;
raw_buf[offset] ^= dirt;
/* Now read the BIGNUMs back in from raw_buf. */
if (!TEST_ptr(modified_sig = ECDSA_SIG_new()))
goto builtin_err;
if (!TEST_ptr(modified_r = BN_bin2bn(raw_buf, bn_len, NULL))
|| !TEST_ptr(modified_s = BN_bin2bn(raw_buf + bn_len,
bn_len, NULL))
|| !TEST_true(ECDSA_SIG_set0(modified_sig,
modified_r, modified_s))) {
BN_free(modified_r);
BN_free(modified_s);
goto builtin_err;
}
sig_ptr2 = signature;
sig_len = i2d_ECDSA_SIG(modified_sig, &sig_ptr2);
if (!TEST_false(ECDSA_verify(0, digest, 20, signature, sig_len, eckey)))
goto builtin_err;
/* Sanity check: undo the modification and verify signature. */
raw_buf[offset] ^= dirt;
if (!TEST_ptr(unmodified_r = BN_bin2bn(raw_buf, bn_len, NULL))
|| !TEST_ptr(unmodified_s = BN_bin2bn(raw_buf + bn_len,
bn_len, NULL))
|| !TEST_true(ECDSA_SIG_set0(modified_sig, unmodified_r,
unmodified_s))) {
BN_free(unmodified_r);
BN_free(unmodified_s);
goto builtin_err;
}
sig_ptr2 = signature;
sig_len = i2d_ECDSA_SIG(modified_sig, &sig_ptr2);
if (!TEST_true(ECDSA_verify(0, digest, 20, signature, sig_len, eckey)))
goto builtin_err;
/* cleanup */
ERR_clear_error();
OPENSSL_free(signature);
signature = NULL;
EC_KEY_free(eckey);
eckey = NULL;
EC_KEY_free(wrong_eckey);
wrong_eckey = NULL;
ECDSA_SIG_free(ecdsa_sig);
ecdsa_sig = NULL;
ECDSA_SIG_free(modified_sig);
modified_sig = NULL;
OPENSSL_free(raw_buf);
raw_buf = NULL;
}
ret = 1;
builtin_err:
EC_KEY_free(eckey);
EC_KEY_free(wrong_eckey);
ECDSA_SIG_free(ecdsa_sig);
ECDSA_SIG_free(modified_sig);
OPENSSL_free(signature);
OPENSSL_free(raw_buf);
OPENSSL_free(curves);
return ret;
}
static int test_EVP_PKEY_check(int i)
{
int ret = 0;
const unsigned char *p;
EVP_PKEY *pkey = NULL;
#ifndef OPENSSL_NO_EC
EC_KEY *eckey = NULL;
#endif
EVP_PKEY_CTX *ctx = NULL;
EVP_PKEY_CTX *ctx2 = NULL;
const APK_DATA *ak = &keycheckdata[i];
const unsigned char *input = ak->kder;
size_t input_len = ak->size;
int expected_id = ak->evptype;
int expected_check = ak->check;
int expected_pub_check = ak->pub_check;
int expected_param_check = ak->param_check;
int type = ak->type;
BIO *pubkey = NULL;
p = input;
switch (type) {
case 0:
if (!TEST_ptr(pkey = d2i_AutoPrivateKey(NULL, &p, input_len))
|| !TEST_ptr_eq(p, input + input_len)
|| !TEST_int_eq(EVP_PKEY_id(pkey), expected_id))
goto done;
break;
#ifndef OPENSSL_NO_EC
case 1:
if (!TEST_ptr(pubkey = BIO_new_mem_buf(input, input_len))
|| !TEST_ptr(eckey = d2i_EC_PUBKEY_bio(pubkey, NULL))
|| !TEST_ptr(pkey = EVP_PKEY_new())
|| !TEST_true(EVP_PKEY_assign_EC_KEY(pkey, eckey)))
goto done;
break;
case 2:
if (!TEST_ptr(eckey = d2i_ECParameters(NULL, &p, input_len))
|| !TEST_ptr_eq(p, input + input_len)
|| !TEST_ptr(pkey = EVP_PKEY_new())
|| !TEST_true(EVP_PKEY_assign_EC_KEY(pkey, eckey)))
goto done;
break;
#endif
default:
return 0;
}
if (!TEST_ptr(ctx = EVP_PKEY_CTX_new(pkey, NULL)))
goto done;
if (!TEST_int_eq(EVP_PKEY_check(ctx), expected_check))
goto done;
if (!TEST_int_eq(EVP_PKEY_public_check(ctx), expected_pub_check))
goto done;
if (!TEST_int_eq(EVP_PKEY_param_check(ctx), expected_param_check))
goto done;
ctx2 = EVP_PKEY_CTX_new_id(0xdefaced, NULL);
/* assign the pkey directly, as an internal test */
EVP_PKEY_up_ref(pkey);
ctx2->pkey = pkey;
if (!TEST_int_eq(EVP_PKEY_check(ctx2), 0xbeef))
goto done;
if (!TEST_int_eq(EVP_PKEY_public_check(ctx2), 0xbeef))
goto done;
if (!TEST_int_eq(EVP_PKEY_param_check(ctx2), 0xbeef))
goto done;
ret = 1;
done:
EVP_PKEY_CTX_free(ctx);
EVP_PKEY_CTX_free(ctx2);
EVP_PKEY_free(pkey);
BIO_free(pubkey);
return ret;
}
static int test_table(struct testdata *tbl, int idx)
{
int error = 0;
ASN1_TIME atime;
ASN1_TIME *ptime;
struct testdata *td = &tbl[idx];
int day, sec;
atime.data = (unsigned char*)td->data;
atime.length = strlen((char*)atime.data);
atime.type = td->type;
atime.flags = 0;
if (!TEST_int_eq(ASN1_TIME_check(&atime), td->check_result)) {
TEST_info("ASN1_TIME_check(%s) unexpected result", atime.data);
error = 1;
}
if (td->check_result == 0)
return 1;
if (!TEST_int_eq(ASN1_TIME_cmp_time_t(&atime, td->t), 0)) {
TEST_info("ASN1_TIME_cmp_time_t(%s vs %ld) compare failed", atime.data, (long)td->t);
error = 1;
}
if (!TEST_true(ASN1_TIME_diff(&day, &sec, &atime, &atime))) {
TEST_info("ASN1_TIME_diff(%s) to self failed", atime.data);
error = 1;
}
if (!TEST_int_eq(day, 0) || !TEST_int_eq(sec, 0)) {
TEST_info("ASN1_TIME_diff(%s) to self not equal", atime.data);
error = 1;
}
if (!TEST_true(ASN1_TIME_diff(&day, &sec, >ime, &atime))) {
TEST_info("ASN1_TIME_diff(%s) to baseline failed", atime.data);
error = 1;
} else if (!((td->cmp_result == 0 && TEST_true((day == 0 && sec == 0))) ||
(td->cmp_result == -1 && TEST_true((day < 0 || sec < 0))) ||
(td->cmp_result == 1 && TEST_true((day > 0 || sec > 0))))) {
TEST_info("ASN1_TIME_diff(%s) to baseline bad comparison", atime.data);
error = 1;
}
if (!TEST_int_eq(ASN1_TIME_cmp_time_t(&atime, gtime_t), td->cmp_result)) {
TEST_info("ASN1_TIME_cmp_time_t(%s) to baseline bad comparison", atime.data);
error = 1;
}
ptime = ASN1_TIME_set(NULL, td->t);
if (!TEST_ptr(ptime)) {
TEST_info("ASN1_TIME_set(%ld) failed", (long)td->t);
error = 1;
} else {
int local_error = 0;
if (!TEST_int_eq(ASN1_TIME_cmp_time_t(ptime, td->t), 0)) {
TEST_info("ASN1_TIME_set(%ld) compare failed (%s->%s)",
(long)td->t, td->data, ptime->data);
local_error = error = 1;
}
if (!TEST_int_eq(ptime->type, td->expected_type)) {
TEST_info("ASN1_TIME_set(%ld) unexpected type", (long)td->t);
local_error = error = 1;
}
if (local_error)
TEST_info("ASN1_TIME_set() = %*s", ptime->length, ptime->data);
ASN1_TIME_free(ptime);
}
ptime = ASN1_TIME_new();
if (!TEST_ptr(ptime)) {
TEST_info("ASN1_TIME_new() failed");
error = 1;
} else {
int local_error = 0;
if (!TEST_int_eq(ASN1_TIME_set_string(ptime, td->data), td->check_result)) {
TEST_info("ASN1_TIME_set_string_gmt(%s) failed", td->data);
local_error = error = 1;
}
if (!TEST_int_eq(ASN1_TIME_normalize(ptime), td->check_result)) {
TEST_info("ASN1_TIME_normalize(%s) failed", td->data);
local_error = error = 1;
}
if (!TEST_int_eq(ptime->type, td->expected_type)) {
TEST_info("ASN1_TIME_set_string_gmt(%s) unexpected type", td->data);
local_error = error = 1;
}
day = sec = 0;
if (!TEST_true(ASN1_TIME_diff(&day, &sec, ptime, &atime)) || !TEST_int_eq(day, 0) || !TEST_int_eq(sec, 0)) {
TEST_info("ASN1_TIME_diff(day=%d, sec=%d, %s) after ASN1_TIME_set_string_gmt() failed", day, sec, td->data);
local_error = error = 1;
}
if (!TEST_int_eq(ASN1_TIME_cmp_time_t(ptime, gtime_t), td->cmp_result)) {
TEST_info("ASN1_TIME_cmp_time_t(%s) after ASN1_TIME_set_string_gnt() to baseline bad comparison", td->data);
local_error = error = 1;
}
if (local_error)
TEST_info("ASN1_TIME_set_string_gmt() = %*s", ptime->length, ptime->data);
ASN1_TIME_free(ptime);
}
ptime = ASN1_TIME_new();
if (!TEST_ptr(ptime)) {
TEST_info("ASN1_TIME_new() failed");
error = 1;
} else {
int local_error = 0;
if (!TEST_int_eq(ASN1_TIME_set_string(ptime, td->data), td->check_result)) {
TEST_info("ASN1_TIME_set_string(%s) failed", td->data);
local_error = error = 1;
}
day = sec = 0;
if (!TEST_true(ASN1_TIME_diff(&day, &sec, ptime, &atime)) || !TEST_int_eq(day, 0) || !TEST_int_eq(sec, 0)) {
TEST_info("ASN1_TIME_diff(day=%d, sec=%d, %s) after ASN1_TIME_set_string() failed", day, sec, td->data);
local_error = error = 1;
}
if (!TEST_int_eq(ASN1_TIME_cmp_time_t(ptime, gtime_t), td->cmp_result)) {
TEST_info("ASN1_TIME_cmp_time_t(%s) after ASN1_TIME_set_string() to baseline bad comparison", td->data);
local_error = error = 1;
}
if (local_error)
TEST_info("ASN1_TIME_set_string() = %*s", ptime->length, ptime->data);
ASN1_TIME_free(ptime);
}
if (td->type == V_ASN1_UTCTIME) {
ptime = ASN1_TIME_to_generalizedtime(&atime, NULL);
if (td->convert_result == 1 && !TEST_ptr(ptime)) {
TEST_info("ASN1_TIME_to_generalizedtime(%s) failed", atime.data);
error = 1;
} else if (td->convert_result == 0 && !TEST_ptr_null(ptime)) {
TEST_info("ASN1_TIME_to_generalizedtime(%s) should have failed", atime.data);
error = 1;
}
if (ptime != NULL && !TEST_int_eq(ASN1_TIME_cmp_time_t(ptime, td->t), 0)) {
TEST_info("ASN1_TIME_to_generalizedtime(%s->%s) bad result", atime.data, ptime->data);
error = 1;
}
ASN1_TIME_free(ptime);
}
/* else cannot simply convert GENERALIZEDTIME to UTCTIME */
if (error)
TEST_error("atime=%s", atime.data);
return !error;
}
static int test_param_construct(void)
{
static const char *int_names[] = {
"int", "long", "int32", "int64"
};
static const char *uint_names[] = {
"uint", "ulong", "uint32", "uint64", "size_t"
};
static const unsigned char bn_val[16] = {
0xac, 0x75, 0x22, 0x7d, 0x81, 0x06, 0x7a, 0x23,
0xa6, 0xed, 0x87, 0xc7, 0xab, 0xf4, 0x73, 0x22
};
OSSL_PARAM params[20];
char buf[100], buf2[100], *bufp, *bufp2;
unsigned char ubuf[100];
void *vp, *vpn = NULL, *vp2;
OSSL_PARAM *p;
const OSSL_PARAM *cp;
static const OSSL_PARAM pend = OSSL_PARAM_END;
int i, n = 0, ret = 0;
unsigned int u;
long int l;
unsigned long int ul;
int32_t i32;
uint32_t u32;
int64_t i64;
uint64_t u64;
size_t j, k, s, sz;
double d, d2;
BIGNUM *bn = NULL, *bn2 = NULL;
params[n++] = OSSL_PARAM_construct_int("int", &i, &sz);
params[n++] = OSSL_PARAM_construct_uint("uint", &u, &sz);
params[n++] = OSSL_PARAM_construct_long("long", &l, &sz);
params[n++] = OSSL_PARAM_construct_ulong("ulong", &ul, &sz);
params[n++] = OSSL_PARAM_construct_int32("int32", &i32, &sz);
params[n++] = OSSL_PARAM_construct_int64("int64", &i64, &sz);
params[n++] = OSSL_PARAM_construct_uint32("uint32", &u32, &sz);
params[n++] = OSSL_PARAM_construct_uint64("uint64", &u64, &sz);
params[n++] = OSSL_PARAM_construct_size_t("size_t", &s, &sz);
params[n++] = OSSL_PARAM_construct_double("double", &d, &sz);
params[n++] = OSSL_PARAM_construct_BN("bignum", ubuf, sizeof(ubuf), &sz);
params[n++] = OSSL_PARAM_construct_utf8_string("utf8str", buf, sizeof(buf),
&sz);
params[n++] = OSSL_PARAM_construct_octet_string("octstr", buf, sizeof(buf),
&sz);
params[n++] = OSSL_PARAM_construct_utf8_ptr("utf8ptr", &bufp, &sz);
params[n++] = OSSL_PARAM_construct_octet_ptr("octptr", &vp, &sz);
params[n] = pend;
/* Search failure */
if (!TEST_ptr_null(OSSL_PARAM_locate(params, "fnord")))
goto err;
/* All signed integral types */
for (j = 0; j < OSSL_NELEM(int_names); j++) {
if (!TEST_ptr(cp = OSSL_PARAM_locate(params, int_names[j]))
|| !TEST_true(OSSL_PARAM_set_int32(cp, (int32_t)(3 + j)))
|| !TEST_true(OSSL_PARAM_get_int64(cp, &i64))
|| !TEST_size_t_eq(cp->data_size, sz)
|| !TEST_size_t_eq((size_t)i64, 3 + j)) {
TEST_note("iteration %zu var %s", j + 1, int_names[j]);
goto err;
}
}
/* All unsigned integral types */
for (j = 0; j < OSSL_NELEM(uint_names); j++) {
if (!TEST_ptr(cp = OSSL_PARAM_locate(params, uint_names[j]))
|| !TEST_true(OSSL_PARAM_set_uint32(cp, (uint32_t)(3 + j)))
|| !TEST_true(OSSL_PARAM_get_uint64(cp, &u64))
|| !TEST_size_t_eq(cp->data_size, sz)
|| !TEST_size_t_eq((size_t)u64, 3 + j)) {
TEST_note("iteration %zu var %s", j + 1, uint_names[j]);
goto err;
}
}
/* Real */
if (!TEST_ptr(cp = OSSL_PARAM_locate(params, "double"))
|| !TEST_true(OSSL_PARAM_set_double(cp, 3.14))
|| !TEST_true(OSSL_PARAM_get_double(cp, &d2))
|| !TEST_size_t_eq(sz, sizeof(double))
|| !TEST_double_eq(d, d2))
goto err;
/* UTF8 string */
bufp = NULL;
if (!TEST_ptr(cp = OSSL_PARAM_locate(params, "utf8str"))
|| !TEST_true(OSSL_PARAM_set_utf8_string(cp, "abcdef"))
|| !TEST_size_t_eq(sz, sizeof("abcdef"))
|| !TEST_true(OSSL_PARAM_get_utf8_string(cp, &bufp, 0))
|| !TEST_str_eq(bufp, "abcdef"))
goto err;
OPENSSL_free(bufp);
bufp = buf2;
if (!TEST_true(OSSL_PARAM_get_utf8_string(cp, &bufp, sizeof(buf2)))
|| !TEST_str_eq(buf2, "abcdef"))
goto err;
/* UTF8 pointer */
bufp = buf;
sz = 0;
if (!TEST_ptr(cp = OSSL_PARAM_locate(params, "utf8ptr"))
|| !TEST_true(OSSL_PARAM_set_utf8_ptr(cp, "tuvwxyz"))
|| !TEST_size_t_eq(sz, sizeof("tuvwxyz"))
|| !TEST_str_eq(bufp, "tuvwxyz")
|| !TEST_true(OSSL_PARAM_get_utf8_ptr(cp, (const char **)&bufp2))
|| !TEST_ptr_eq(bufp2, bufp))
goto err;
/* OCTET string */
if (!TEST_ptr(p = locate(params, "octstr"))
|| !TEST_true(OSSL_PARAM_set_octet_string(p, "abcdefghi",
sizeof("abcdefghi")))
|| !TEST_size_t_eq(sz, sizeof("abcdefghi")))
goto err;
/* Match the return size to avoid trailing garbage bytes */
p->data_size = *p->return_size;
if (!TEST_true(OSSL_PARAM_get_octet_string(p, &vpn, 0, &s))
|| !TEST_size_t_eq(s, sizeof("abcdefghi"))
|| !TEST_mem_eq(vpn, sizeof("abcdefghi"),
"abcdefghi", sizeof("abcdefghi")))
goto err;
vp = buf2;
if (!TEST_true(OSSL_PARAM_get_octet_string(p, &vp, sizeof(buf2), &s))
|| !TEST_size_t_eq(s, sizeof("abcdefghi"))
|| !TEST_mem_eq(vp, sizeof("abcdefghi"),
"abcdefghi", sizeof("abcdefghi")))
goto err;
/* OCTET pointer */
vp = &l;
sz = 0;
if (!TEST_ptr(p = locate(params, "octptr"))
|| !TEST_true(OSSL_PARAM_set_octet_ptr(p, &ul, sizeof(ul)))
|| !TEST_size_t_eq(sz, sizeof(ul))
|| !TEST_ptr_eq(vp, &ul))
goto err;
/* Match the return size to avoid trailing garbage bytes */
p->data_size = *p->return_size;
if (!TEST_true(OSSL_PARAM_get_octet_ptr(p, (const void **)&vp2, &k))
|| !TEST_size_t_eq(k, sizeof(ul))
|| !TEST_ptr_eq(vp2, vp))
goto err;
/* BIGNUM */
if (!TEST_ptr(p = locate(params, "bignum"))
|| !TEST_ptr(bn = BN_lebin2bn(bn_val, (int)sizeof(bn_val), NULL))
|| !TEST_true(OSSL_PARAM_set_BN(p, bn))
|| !TEST_size_t_eq(sz, sizeof(bn_val)))
goto err;
/* Match the return size to avoid trailing garbage bytes */
p->data_size = *p->return_size;
if(!TEST_true(OSSL_PARAM_get_BN(p, &bn2))
|| !TEST_BN_eq(bn, bn2))
goto err;
ret = 1;
err:
OPENSSL_free(vpn);
BN_free(bn);
BN_free(bn2);
return ret;
}
static int test_EVP_SM2_verify(void)
{
/* From https://tools.ietf.org/html/draft-shen-sm2-ecdsa-02#appendix-A */
const char *pubkey =
"-----BEGIN PUBLIC KEY-----\n"
"MIIBMzCB7AYHKoZIzj0CATCB4AIBATAsBgcqhkjOPQEBAiEAhULWnkwETxjouSQ1\n"
"v2/33kVyg5FcRVF9ci7biwjx38MwRAQgeHlotPoyw/0kF4Quc7v+/y88hItoMdfg\n"
"7GUiizk35JgEIGPkxtOyOwyEnPhCQUhL/kj2HVmlsWugbm4S0donxSSaBEEEQh3r\n"
"1hti6rZ0ZDTrw8wxXjIiCzut1QvcTE5sFH/t1D0GgFEry7QsB9RzSdIVO3DE5df9\n"
"/L+jbqGoWEG55G4JogIhAIVC1p5MBE8Y6LkkNb9v990pdyBjBIVijVrnTufDLnm3\n"
"AgEBA0IABArkx3mKoPEZRxvuEYJb5GICu3nipYRElel8BP9N8lSKfAJA+I8c1OFj\n"
"Uqc8F7fxbwc1PlOhdtaEqf4Ma7eY6Fc=\n"
"-----END PUBLIC KEY-----\n";
const char *msg = "message digest";
const char *id = "*****@*****.**";
const uint8_t signature[] = {
0x30, 0x44, 0x02, 0x20,
0x40, 0xF1, 0xEC, 0x59, 0xF7, 0x93, 0xD9, 0xF4, 0x9E, 0x09, 0xDC,
0xEF, 0x49, 0x13, 0x0D, 0x41, 0x94, 0xF7, 0x9F, 0xB1, 0xEE, 0xD2,
0xCA, 0xA5, 0x5B, 0xAC, 0xDB, 0x49, 0xC4, 0xE7, 0x55, 0xD1,
0x02, 0x20,
0x6F, 0xC6, 0xDA, 0xC3, 0x2C, 0x5D, 0x5C, 0xF1, 0x0C, 0x77, 0xDF,
0xB2, 0x0F, 0x7C, 0x2E, 0xB6, 0x67, 0xA4, 0x57, 0x87, 0x2F, 0xB0,
0x9E, 0xC5, 0x63, 0x27, 0xA6, 0x7E, 0xC7, 0xDE, 0xEB, 0xE7
};
int rc = 0;
BIO *bio = NULL;
EVP_PKEY *pkey = NULL;
EVP_MD_CTX *mctx = NULL;
EVP_PKEY_CTX *pctx = NULL;
bio = BIO_new_mem_buf(pubkey, strlen(pubkey));
if (!TEST_true(bio != NULL))
goto done;
pkey = PEM_read_bio_PUBKEY(bio, NULL, NULL, NULL);
if (!TEST_true(pkey != NULL))
goto done;
if (!TEST_true(EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2)))
goto done;
if (!TEST_ptr(mctx = EVP_MD_CTX_new()))
goto done;
if (!TEST_ptr(pctx = EVP_PKEY_CTX_new(pkey, NULL)))
goto done;
if (!TEST_int_gt(EVP_PKEY_CTX_set1_id(pctx, (const uint8_t *)id,
strlen(id)), 0))
goto done;
EVP_MD_CTX_set_pkey_ctx(mctx, pctx);
if (!TEST_true(EVP_DigestVerifyInit(mctx, NULL, EVP_sm3(), NULL, pkey)))
goto done;
if (!TEST_true(EVP_DigestVerifyUpdate(mctx, msg, strlen(msg))))
goto done;
if (!TEST_true(EVP_DigestVerifyFinal(mctx, signature, sizeof(signature))))
goto done;
rc = 1;
done:
BIO_free(bio);
EVP_PKEY_free(pkey);
EVP_PKEY_CTX_free(pctx);
EVP_MD_CTX_free(mctx);
return rc;
}
static int test_client_hello(int currtest)
{
SSL_CTX *ctx;
SSL *con = NULL;
BIO *rbio;
BIO *wbio;
long len;
unsigned char *data;
PACKET pkt = {0}, pkt2 = {0}, pkt3 = {0};
char *dummytick = "Hello World!";
unsigned int type = 0;
int testresult = 0;
size_t msglen;
BIO *sessbio = NULL;
SSL_SESSION *sess = NULL;
#ifdef OPENSSL_NO_TLS1_3
if (currtest == TEST_ADD_PADDING_AND_PSK)
return 1;
#endif
/*
* For each test set up an SSL_CTX and SSL and see what ClientHello gets
* produced when we try to connect
*/
ctx = SSL_CTX_new(TLS_method());
if (!TEST_ptr(ctx))
goto end;
switch(currtest) {
case TEST_SET_SESSION_TICK_DATA_VER_NEG:
/* Testing for session tickets <= TLS1.2; not relevant for 1.3 */
if (!TEST_true(SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION)))
goto end;
break;
case TEST_ADD_PADDING_AND_PSK:
case TEST_ADD_PADDING:
case TEST_PADDING_NOT_NEEDED:
SSL_CTX_set_options(ctx, SSL_OP_TLSEXT_PADDING);
/*
* Add lots of ciphersuites so that the ClientHello is at least
* F5_WORKAROUND_MIN_MSG_LEN bytes long - meaning padding will be
* needed. Also add some dummy ALPN protocols in case we still don't
* have enough.
*/
if (currtest == TEST_ADD_PADDING
&& (!TEST_true(SSL_CTX_set_cipher_list(ctx, "ALL"))
|| !TEST_false(SSL_CTX_set_alpn_protos(ctx,
(unsigned char *)alpn_prots,
sizeof(alpn_prots) - 1))))
goto end;
break;
default:
goto end;
}
con = SSL_new(ctx);
if (!TEST_ptr(con))
goto end;
if (currtest == TEST_ADD_PADDING_AND_PSK) {
sessbio = BIO_new_file(sessionfile, "r");
if (!TEST_ptr(sessbio)) {
TEST_info("Unable to open session.pem");
goto end;
}
sess = PEM_read_bio_SSL_SESSION(sessbio, NULL, NULL, NULL);
if (!TEST_ptr(sess)) {
TEST_info("Unable to load SSL_SESSION");
goto end;
}
/*
* We reset the creation time so that we don't discard the session as
* too old.
*/
if (!TEST_true(SSL_SESSION_set_time(sess, time(NULL)))
|| !TEST_true(SSL_set_session(con, sess)))
goto end;
}
rbio = BIO_new(BIO_s_mem());
wbio = BIO_new(BIO_s_mem());
if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
BIO_free(rbio);
BIO_free(wbio);
goto end;
}
SSL_set_bio(con, rbio, wbio);
SSL_set_connect_state(con);
if (currtest == TEST_SET_SESSION_TICK_DATA_VER_NEG) {
if (!TEST_true(SSL_set_session_ticket_ext(con, dummytick,
strlen(dummytick))))
goto end;
}
if (!TEST_int_le(SSL_connect(con), 0)) {
/* This shouldn't succeed because we don't have a server! */
goto end;
}
len = BIO_get_mem_data(wbio, (char **)&data);
if (!TEST_true(PACKET_buf_init(&pkt, data, len))
/* Skip the record header */
|| !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH))
goto end;
msglen = PACKET_remaining(&pkt);
/* Skip the handshake message header */
if (!TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
/* Skip client version and random */
|| !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
+ SSL3_RANDOM_SIZE))
/* Skip session id */
|| !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
/* Skip ciphers */
|| !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
/* Skip compression */
|| !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
/* Extensions len */
|| !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
goto end;
/* Loop through all extensions */
while (PACKET_remaining(&pkt2)) {
if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
|| !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
goto end;
if (type == TLSEXT_TYPE_session_ticket) {
if (currtest == TEST_SET_SESSION_TICK_DATA_VER_NEG) {
if (TEST_true(PACKET_equal(&pkt3, dummytick,
strlen(dummytick)))) {
/* Ticket data is as we expected */
testresult = 1;
}
goto end;
}
}
if (type == TLSEXT_TYPE_padding) {
if (!TEST_false(currtest == TEST_PADDING_NOT_NEEDED))
goto end;
else if (TEST_true(currtest == TEST_ADD_PADDING
|| currtest == TEST_ADD_PADDING_AND_PSK))
testresult = TEST_true(msglen == F5_WORKAROUND_MAX_MSG_LEN);
}
}
if (currtest == TEST_PADDING_NOT_NEEDED)
testresult = 1;
end:
SSL_free(con);
SSL_CTX_free(ctx);
SSL_SESSION_free(sess);
BIO_free(sessbio);
return testresult;
}
int mempacket_test_inject(BIO *bio, const char *in, int inl, int pktnum,
int type)
{
MEMPACKET_TEST_CTX *ctx = BIO_get_data(bio);
MEMPACKET *thispkt, *looppkt, *nextpkt;
int i;
if (ctx == NULL)
return -1;
/* We only allow injection before we've started writing any data */
if (pktnum >= 0) {
if (ctx->noinject)
return -1;
} else {
ctx->noinject = 1;
}
if (!TEST_ptr(thispkt = OPENSSL_malloc(sizeof(*thispkt))))
return -1;
if (!TEST_ptr(thispkt->data = OPENSSL_malloc(inl))) {
mempacket_free(thispkt);
return -1;
}
memcpy(thispkt->data, in, inl);
thispkt->len = inl;
thispkt->num = (pktnum >= 0) ? (unsigned int)pktnum : ctx->lastpkt;
thispkt->type = type;
for(i = 0; (looppkt = sk_MEMPACKET_value(ctx->pkts, i)) != NULL; i++) {
/* Check if we found the right place to insert this packet */
if (looppkt->num > thispkt->num) {
if (sk_MEMPACKET_insert(ctx->pkts, thispkt, i) == 0) {
mempacket_free(thispkt);
return -1;
}
/* If we're doing up front injection then we're done */
if (pktnum >= 0)
return inl;
/*
* We need to do some accounting on lastpkt. We increment it first,
* but it might now equal the value of injected packets, so we need
* to skip over those
*/
ctx->lastpkt++;
do {
i++;
nextpkt = sk_MEMPACKET_value(ctx->pkts, i);
if (nextpkt != NULL && nextpkt->num == ctx->lastpkt)
ctx->lastpkt++;
else
return inl;
} while(1);
} else if (looppkt->num == thispkt->num) {
if (!ctx->noinject) {
/* We injected two packets with the same packet number! */
return -1;
}
ctx->lastpkt++;
thispkt->num++;
}
}
/*
* We didn't find any packets with a packet number equal to or greater than
* this one, so we just add it onto the end
*/
if (!sk_MEMPACKET_push(ctx->pkts, thispkt)) {
mempacket_free(thispkt);
return -1;
}
if (pktnum < 0)
ctx->lastpkt++;
return inl;
}
static int rfc5114_test(void)
{
int i;
DH *dhA = NULL;
DH *dhB = NULL;
unsigned char *Z1 = NULL;
unsigned char *Z2 = NULL;
const rfc5114_td *td = NULL;
BIGNUM *bady = NULL, *priv_key = NULL, *pub_key = NULL;
const BIGNUM *pub_key_tmp;
for (i = 0; i < (int)OSSL_NELEM(rfctd); i++) {
td = rfctd + i;
/* Set up DH structures setting key components */
if (!TEST_ptr(dhA = td->get_param())
|| !TEST_ptr(dhB = td->get_param()))
goto bad_err;
if (!TEST_ptr(priv_key = BN_bin2bn(td->xA, td->xA_len, NULL))
|| !TEST_ptr(pub_key = BN_bin2bn(td->yA, td->yA_len, NULL))
|| !TEST_true(DH_set0_key(dhA, pub_key, priv_key)))
goto bad_err;
if (!TEST_ptr(priv_key = BN_bin2bn(td->xB, td->xB_len, NULL))
|| !TEST_ptr(pub_key = BN_bin2bn(td->yB, td->yB_len, NULL))
|| !TEST_true( DH_set0_key(dhB, pub_key, priv_key)))
goto bad_err;
priv_key = pub_key = NULL;
if (!TEST_uint_eq(td->Z_len, (size_t)DH_size(dhA))
|| !TEST_uint_eq(td->Z_len, (size_t)DH_size(dhB)))
goto err;
if (!TEST_ptr(Z1 = OPENSSL_malloc(DH_size(dhA)))
|| !TEST_ptr(Z2 = OPENSSL_malloc(DH_size(dhB))))
goto bad_err;
/*
* Work out shared secrets using both sides and compare with expected
* values.
*/
DH_get0_key(dhB, &pub_key_tmp, NULL);
if (!TEST_int_ne(DH_compute_key(Z1, pub_key_tmp, dhA), -1))
goto bad_err;
DH_get0_key(dhA, &pub_key_tmp, NULL);
if (!TEST_int_ne(DH_compute_key(Z2, pub_key_tmp, dhB), -1))
goto bad_err;
if (!TEST_mem_eq(Z1, td->Z_len, td->Z, td->Z_len)
|| !TEST_mem_eq(Z2, td->Z_len, td->Z, td->Z_len))
goto err;
DH_free(dhA);
dhA = NULL;
DH_free(dhB);
dhB = NULL;
OPENSSL_free(Z1);
Z1 = NULL;
OPENSSL_free(Z2);
Z2 = NULL;
}
/* Now i == OSSL_NELEM(rfctd) */
/* RFC5114 uses unsafe primes, so now test an invalid y value */
if (!TEST_ptr(dhA = DH_get_2048_224())
|| !TEST_ptr(Z1 = OPENSSL_malloc(DH_size(dhA))))
goto bad_err;
if (!TEST_ptr(bady = BN_bin2bn(dhtest_rfc5114_2048_224_bad_y,
sizeof(dhtest_rfc5114_2048_224_bad_y),
NULL)))
goto bad_err;
if (!DH_generate_key(dhA))
goto bad_err;
if (DH_compute_key(Z1, bady, dhA) != -1) {
/*
* DH_compute_key should fail with -1. If we get here we unexpectedly
* allowed an invalid y value
*/
goto err;
}
/* We'll have a stale error on the queue from the above test so clear it */
ERR_clear_error();
BN_free(bady);
DH_free(dhA);
OPENSSL_free(Z1);
return 1;
bad_err:
BN_free(bady);
DH_free(dhA);
DH_free(dhB);
BN_free(pub_key);
BN_free(priv_key);
OPENSSL_free(Z1);
OPENSSL_free(Z2);
TEST_error("Initialisation error RFC5114 set %d\n", i + 1);
return 0;
err:
BN_free(bady);
DH_free(dhA);
DH_free(dhB);
OPENSSL_free(Z1);
OPENSSL_free(Z2);
TEST_error("Test failed RFC5114 set %d\n", i + 1);
return 0;
}
static int test_handshake_secrets(void)
{
SSL_CTX *ctx = NULL;
SSL *s = NULL;
int ret = 0;
size_t hashsize;
unsigned char out_master_secret[EVP_MAX_MD_SIZE];
size_t master_secret_length;
ctx = SSL_CTX_new(TLS_method());
if (!TEST_ptr(ctx))
goto err;
s = SSL_new(ctx);
if (!TEST_ptr(s ))
goto err;
s->session = SSL_SESSION_new();
if (!TEST_ptr(s->session))
goto err;
if (!TEST_true(tls13_generate_secret(s, ssl_handshake_md(s), NULL, NULL, 0,
(unsigned char *)&s->early_secret))) {
TEST_info("Early secret generation failed");
goto err;
}
if (!TEST_mem_eq(s->early_secret, sizeof(early_secret),
early_secret, sizeof(early_secret))) {
TEST_info("Early secret does not match");
goto err;
}
if (!TEST_true(tls13_generate_handshake_secret(s, ecdhe_secret,
sizeof(ecdhe_secret)))) {
TEST_info("Handshake secret generation failed");
goto err;
}
if (!TEST_mem_eq(s->handshake_secret, sizeof(handshake_secret),
handshake_secret, sizeof(handshake_secret)))
goto err;
hashsize = EVP_MD_size(ssl_handshake_md(s));
if (!TEST_size_t_eq(sizeof(client_hts), hashsize))
goto err;
if (!TEST_size_t_eq(sizeof(client_hts_key), KEYLEN))
goto err;
if (!TEST_size_t_eq(sizeof(client_hts_iv), IVLEN))
goto err;
if (!TEST_true(test_secret(s, s->handshake_secret,
(unsigned char *)client_hts_label,
strlen(client_hts_label), client_hts,
client_hts_key, client_hts_iv))) {
TEST_info("Client handshake secret test failed");
goto err;
}
if (!TEST_size_t_eq(sizeof(server_hts), hashsize))
goto err;
if (!TEST_size_t_eq(sizeof(server_hts_key), KEYLEN))
goto err;
if (!TEST_size_t_eq(sizeof(server_hts_iv), IVLEN))
goto err;
if (!TEST_true(test_secret(s, s->handshake_secret,
(unsigned char *)server_hts_label,
strlen(server_hts_label), server_hts,
server_hts_key, server_hts_iv))) {
TEST_info("Server handshake secret test failed");
goto err;
}
/*
* Ensure the mocked out ssl_handshake_hash() returns the full handshake
* hash.
*/
full_hash = 1;
if (!TEST_true(tls13_generate_master_secret(s, out_master_secret,
s->handshake_secret, hashsize,
&master_secret_length))) {
TEST_info("Master secret generation failed");
goto err;
}
if (!TEST_mem_eq(out_master_secret, master_secret_length,
master_secret, sizeof(master_secret))) {
TEST_info("Master secret does not match");
goto err;
}
if (!TEST_size_t_eq(sizeof(client_ats), hashsize))
goto err;
if (!TEST_size_t_eq(sizeof(client_ats_key), KEYLEN))
goto err;
if (!TEST_size_t_eq(sizeof(client_ats_iv), IVLEN))
goto err;
if (!TEST_true(test_secret(s, out_master_secret,
(unsigned char *)client_ats_label,
strlen(client_ats_label), client_ats,
client_ats_key, client_ats_iv))) {
TEST_info("Client application data secret test failed");
goto err;
}
if (!TEST_size_t_eq(sizeof(server_ats), hashsize))
goto err;
if (!TEST_size_t_eq(sizeof(server_ats_key), KEYLEN))
goto err;
if (!TEST_size_t_eq(sizeof(server_ats_iv), IVLEN))
goto err;
if (!TEST_true(test_secret(s, out_master_secret,
(unsigned char *)server_ats_label,
strlen(server_ats_label), server_ats,
server_ats_key, server_ats_iv))) {
TEST_info("Server application data secret test failed");
goto err;
}
ret = 1;
err:
SSL_free(s);
SSL_CTX_free(ctx);
return ret;
}
static int dh_test(void)
{
BN_GENCB *_cb = NULL;
DH *a = NULL;
DH *b = NULL;
const BIGNUM *ap = NULL, *ag = NULL, *apub_key = NULL;
const BIGNUM *bpub_key = NULL;
BIGNUM *bp = NULL, *bg = NULL;
unsigned char *abuf = NULL;
unsigned char *bbuf = NULL;
int i, alen, blen, aout, bout;
int ret = 0;
RAND_seed(rnd_seed, sizeof rnd_seed);
if (!TEST_ptr(_cb = BN_GENCB_new()))
goto err;
BN_GENCB_set(_cb, &cb, NULL);
if (!TEST_ptr(a = DH_new())
|| !TEST_true(DH_generate_parameters_ex(a, 64,
DH_GENERATOR_5, _cb)))
goto err;
if (!DH_check(a, &i))
goto err;
if (!TEST_false(i & DH_CHECK_P_NOT_PRIME)
|| !TEST_false(i & DH_CHECK_P_NOT_SAFE_PRIME)
|| !TEST_false(i & DH_UNABLE_TO_CHECK_GENERATOR)
|| !TEST_false(i & DH_NOT_SUITABLE_GENERATOR))
goto err;
DH_get0_pqg(a, &ap, NULL, &ag);
if (!TEST_ptr(b = DH_new()))
goto err;
if (!TEST_ptr(bp = BN_dup(ap))
|| !TEST_ptr(bg = BN_dup(ag))
|| !TEST_true(DH_set0_pqg(b, bp, NULL, bg)))
goto err;
bp = bg = NULL;
if (!DH_generate_key(a))
goto err;
DH_get0_key(a, &apub_key, NULL);
if (!DH_generate_key(b))
goto err;
DH_get0_key(b, &bpub_key, NULL);
alen = DH_size(a);
if (!TEST_ptr(abuf = OPENSSL_malloc(alen))
|| !TEST_true((aout = DH_compute_key(abuf, bpub_key, a)) != -1))
goto err;
blen = DH_size(b);
if (!TEST_ptr(bbuf = OPENSSL_malloc(blen))
|| !TEST_true((bout = DH_compute_key(bbuf, apub_key, b)) != -1))
goto err;
if (!TEST_true(aout >= 4)
|| !TEST_mem_eq(abuf, aout, bbuf, bout))
goto err;
ret = 1;
err:
OPENSSL_free(abuf);
OPENSSL_free(bbuf);
DH_free(b);
DH_free(a);
BN_free(bp);
BN_free(bg);
BN_GENCB_free(_cb);
return ret;
}
static int run_srp(const char *username, const char *client_pass,
const char *server_pass)
{
int ret = 0;
BIGNUM *s = NULL;
BIGNUM *v = NULL;
BIGNUM *a = NULL;
BIGNUM *b = NULL;
BIGNUM *u = NULL;
BIGNUM *x = NULL;
BIGNUM *Apub = NULL;
BIGNUM *Bpub = NULL;
BIGNUM *Kclient = NULL;
BIGNUM *Kserver = NULL;
unsigned char rand_tmp[RANDOM_SIZE];
/* use builtin 1024-bit params */
const SRP_gN *GN;
if (!TEST_ptr(GN = SRP_get_default_gN("1024")))
return 0;
/* Set up server's password entry */
if (!TEST_true(SRP_create_verifier_BN(username, server_pass,
&s, &v, GN->N, GN->g)))
goto end;
showbn("N", GN->N);
showbn("g", GN->g);
showbn("Salt", s);
showbn("Verifier", v);
/* Server random */
RAND_bytes(rand_tmp, sizeof(rand_tmp));
b = BN_bin2bn(rand_tmp, sizeof(rand_tmp), NULL);
if (!TEST_BN_ne_zero(b))
goto end;
showbn("b", b);
/* Server's first message */
Bpub = SRP_Calc_B(b, GN->N, GN->g, v);
showbn("B", Bpub);
if (!TEST_true(SRP_Verify_B_mod_N(Bpub, GN->N)))
goto end;
/* Client random */
RAND_bytes(rand_tmp, sizeof(rand_tmp));
a = BN_bin2bn(rand_tmp, sizeof(rand_tmp), NULL);
if (!TEST_BN_ne_zero(a))
goto end;
showbn("a", a);
/* Client's response */
Apub = SRP_Calc_A(a, GN->N, GN->g);
showbn("A", Apub);
if (!TEST_true(SRP_Verify_A_mod_N(Apub, GN->N)))
goto end;
/* Both sides calculate u */
u = SRP_Calc_u(Apub, Bpub, GN->N);
/* Client's key */
x = SRP_Calc_x(s, username, client_pass);
Kclient = SRP_Calc_client_key(GN->N, Bpub, GN->g, x, a, u);
showbn("Client's key", Kclient);
/* Server's key */
Kserver = SRP_Calc_server_key(Apub, v, u, b, GN->N);
showbn("Server's key", Kserver);
if (!TEST_BN_eq(Kclient, Kserver))
goto end;
ret = 1;
end:
BN_clear_free(Kclient);
BN_clear_free(Kserver);
BN_clear_free(x);
BN_free(u);
BN_free(Apub);
BN_clear_free(a);
BN_free(Bpub);
BN_clear_free(b);
BN_free(s);
BN_clear_free(v);
return ret;
}
/* SRP test vectors from RFC5054 */
static int run_srp_kat(void)
{
int ret = 0;
BIGNUM *s = NULL;
BIGNUM *v = NULL;
BIGNUM *a = NULL;
BIGNUM *b = NULL;
BIGNUM *u = NULL;
BIGNUM *x = NULL;
BIGNUM *Apub = NULL;
BIGNUM *Bpub = NULL;
BIGNUM *Kclient = NULL;
BIGNUM *Kserver = NULL;
/* use builtin 1024-bit params */
const SRP_gN *GN;
if (!TEST_ptr(GN = SRP_get_default_gN("1024")))
goto err;
BN_hex2bn(&s, "BEB25379D1A8581EB5A727673A2441EE");
/* Set up server's password entry */
if (!TEST_true(SRP_create_verifier_BN("alice", "password123", &s, &v, GN->N,
GN->g)))
goto err;
if (!TEST_true(check_bn("v", v,
"7E273DE8696FFC4F4E337D05B4B375BEB0DDE1569E8FA00A9886D812"
"9BADA1F1822223CA1A605B530E379BA4729FDC59F105B4787E5186F5"
"C671085A1447B52A48CF1970B4FB6F8400BBF4CEBFBB168152E08AB5"
"EA53D15C1AFF87B2B9DA6E04E058AD51CC72BFC9033B564E26480D78"
"E955A5E29E7AB245DB2BE315E2099AFB")))
goto err;
/* Server random */
BN_hex2bn(&b, "E487CB59D31AC550471E81F00F6928E01DDA08E974A004F49E61F5D1"
"05284D20");
/* Server's first message */
Bpub = SRP_Calc_B(b, GN->N, GN->g, v);
if (!TEST_true(SRP_Verify_B_mod_N(Bpub, GN->N)))
goto err;
if (!TEST_true(check_bn("B", Bpub,
"BD0C61512C692C0CB6D041FA01BB152D4916A1E77AF46AE105393011"
"BAF38964DC46A0670DD125B95A981652236F99D9B681CBF87837EC99"
"6C6DA04453728610D0C6DDB58B318885D7D82C7F8DEB75CE7BD4FBAA"
"37089E6F9C6059F388838E7A00030B331EB76840910440B1B27AAEAE"
"EB4012B7D7665238A8E3FB004B117B58")))
goto err;
/* Client random */
BN_hex2bn(&a, "60975527035CF2AD1989806F0407210BC81EDC04E2762A56AFD529DD"
"DA2D4393");
/* Client's response */
Apub = SRP_Calc_A(a, GN->N, GN->g);
if (!TEST_true(SRP_Verify_A_mod_N(Apub, GN->N)))
goto err;
if (!TEST_true(check_bn("A", Apub,
"61D5E490F6F1B79547B0704C436F523DD0E560F0C64115BB72557EC4"
"4352E8903211C04692272D8B2D1A5358A2CF1B6E0BFCF99F921530EC"
"8E39356179EAE45E42BA92AEACED825171E1E8B9AF6D9C03E1327F44"
"BE087EF06530E69F66615261EEF54073CA11CF5858F0EDFDFE15EFEA"
"B349EF5D76988A3672FAC47B0769447B")))
goto err;
/* Both sides calculate u */
u = SRP_Calc_u(Apub, Bpub, GN->N);
if (!TEST_true(check_bn("u", u,
"CE38B9593487DA98554ED47D70A7AE5F462EF019")))
goto err;
/* Client's key */
x = SRP_Calc_x(s, "alice", "password123");
Kclient = SRP_Calc_client_key(GN->N, Bpub, GN->g, x, a, u);
if (!TEST_true(check_bn("Client's key", Kclient,
"B0DC82BABCF30674AE450C0287745E7990A3381F63B387AAF271A10D"
"233861E359B48220F7C4693C9AE12B0A6F67809F0876E2D013800D6C"
"41BB59B6D5979B5C00A172B4A2A5903A0BDCAF8A709585EB2AFAFA8F"
"3499B200210DCC1F10EB33943CD67FC88A2F39A4BE5BEC4EC0A3212D"
"C346D7E474B29EDE8A469FFECA686E5A")))
goto err;
/* Server's key */
Kserver = SRP_Calc_server_key(Apub, v, u, b, GN->N);
if (!TEST_true(check_bn("Server's key", Kserver,
"B0DC82BABCF30674AE450C0287745E7990A3381F63B387AAF271A10D"
"233861E359B48220F7C4693C9AE12B0A6F67809F0876E2D013800D6C"
"41BB59B6D5979B5C00A172B4A2A5903A0BDCAF8A709585EB2AFAFA8F"
"3499B200210DCC1F10EB33943CD67FC88A2F39A4BE5BEC4EC0A3212D"
"C346D7E474B29EDE8A469FFECA686E5A")))
goto err;
ret = 1;
err:
BN_clear_free(Kclient);
BN_clear_free(Kserver);
BN_clear_free(x);
BN_free(u);
BN_free(Apub);
BN_clear_free(a);
BN_free(Bpub);
BN_clear_free(b);
BN_free(s);
BN_clear_free(v);
return ret;
}
static int test_invalid_keypair(void)
{
int ret = 0;
RSA *key = NULL;
BN_CTX *ctx = NULL;
BIGNUM *p = NULL, *q = NULL, *n = NULL, *e = NULL, *d = NULL;
ret = TEST_ptr(key = RSA_new())
&& TEST_ptr(ctx = BN_CTX_new())
/* NULL parameters */
&& TEST_false(rsa_sp800_56b_check_keypair(key, NULL, -1, 2048))
/* load key */
&& TEST_ptr(p = bn_load_new(cav_p, sizeof(cav_p)))
&& TEST_ptr(q = bn_load_new(cav_q, sizeof(cav_q)))
&& TEST_true(RSA_set0_factors(key, p, q));
if (!ret) {
BN_free(p);
BN_free(q);
goto end;
}
ret = TEST_ptr(e = bn_load_new(cav_e, sizeof(cav_e)))
&& TEST_ptr(n = bn_load_new(cav_n, sizeof(cav_n)))
&& TEST_ptr(d = bn_load_new(cav_d, sizeof(cav_d)))
&& TEST_true(RSA_set0_key(key, n, e, d));
if (!ret) {
BN_free(e);
BN_free(n);
BN_free(d);
goto end;
}
/* bad strength/key size */
ret = TEST_false(rsa_sp800_56b_check_keypair(key, NULL, 100, 2048))
&& TEST_false(rsa_sp800_56b_check_keypair(key, NULL, 112, 1024))
&& TEST_false(rsa_sp800_56b_check_keypair(key, NULL, 128, 2048))
&& TEST_false(rsa_sp800_56b_check_keypair(key, NULL, 140, 3072))
/* mismatching exponent */
&& TEST_false(rsa_sp800_56b_check_keypair(key, BN_value_one(), -1,
2048))
/* bad exponent */
&& TEST_true(BN_add_word(e, 1))
&& TEST_false(rsa_sp800_56b_check_keypair(key, NULL, -1,
2048))
&& TEST_true(BN_sub_word(e, 1))
/* mismatch between bits and modulus */
&& TEST_false(rsa_sp800_56b_check_keypair(key, NULL, -1, 3072))
&& TEST_true(rsa_sp800_56b_check_keypair(key, e, 112, 2048))
/* check n == pq failure */
&& TEST_true(BN_add_word(n, 1))
&& TEST_false(rsa_sp800_56b_check_keypair(key, NULL, -1, 2048))
&& TEST_true(BN_sub_word(n, 1))
/* check p */
&& TEST_true(BN_sub_word(p, 2))
&& TEST_true(BN_mul(n, p, q, ctx))
&& TEST_false(rsa_sp800_56b_check_keypair(key, NULL, -1, 2048))
&& TEST_true(BN_add_word(p, 2))
&& TEST_true(BN_mul(n, p, q, ctx))
/* check q */
&& TEST_true(BN_sub_word(q, 2))
&& TEST_true(BN_mul(n, p, q, ctx))
&& TEST_false(rsa_sp800_56b_check_keypair(key, NULL, -1, 2048))
&& TEST_true(BN_add_word(q, 2))
&& TEST_true(BN_mul(n, p, q, ctx));
end:
RSA_free(key);
BN_CTX_free(ctx);
return ret;
}
static int test_dtls_drop_records(int idx)
{
SSL_CTX *sctx = NULL, *cctx = NULL;
SSL *serverssl = NULL, *clientssl = NULL;
BIO *c_to_s_fbio, *mempackbio;
int testresult = 0;
int epoch = 0;
SSL_SESSION *sess = NULL;
int cli_to_srv_epoch0, cli_to_srv_epoch1, srv_to_cli_epoch0;
if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
DTLS_client_method(),
DTLS1_VERSION, DTLS_MAX_VERSION,
&sctx, &cctx, cert, privkey)))
return 0;
if (idx >= TOTAL_FULL_HAND_RECORDS) {
/* We're going to do a resumption handshake. Get a session first. */
if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
NULL, NULL))
|| !TEST_true(create_ssl_connection(serverssl, clientssl,
SSL_ERROR_NONE))
|| !TEST_ptr(sess = SSL_get1_session(clientssl)))
goto end;
SSL_shutdown(clientssl);
SSL_shutdown(serverssl);
SSL_free(serverssl);
SSL_free(clientssl);
serverssl = clientssl = NULL;
cli_to_srv_epoch0 = CLI_TO_SRV_RESUME_EPOCH_0_RECS;
cli_to_srv_epoch1 = CLI_TO_SRV_RESUME_EPOCH_1_RECS;
srv_to_cli_epoch0 = SRV_TO_CLI_RESUME_EPOCH_0_RECS;
idx -= TOTAL_FULL_HAND_RECORDS;
} else {
cli_to_srv_epoch0 = CLI_TO_SRV_EPOCH_0_RECS;
cli_to_srv_epoch1 = CLI_TO_SRV_EPOCH_1_RECS;
srv_to_cli_epoch0 = SRV_TO_CLI_EPOCH_0_RECS;
}
c_to_s_fbio = BIO_new(bio_f_tls_dump_filter());
if (!TEST_ptr(c_to_s_fbio))
goto end;
/* BIO is freed by create_ssl_connection on error */
if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
NULL, c_to_s_fbio)))
goto end;
if (sess != NULL) {
if (!TEST_true(SSL_set_session(clientssl, sess)))
goto end;
}
DTLS_set_timer_cb(clientssl, timer_cb);
DTLS_set_timer_cb(serverssl, timer_cb);
/* Work out which record to drop based on the test number */
if (idx >= cli_to_srv_epoch0 + cli_to_srv_epoch1) {
mempackbio = SSL_get_wbio(serverssl);
idx -= cli_to_srv_epoch0 + cli_to_srv_epoch1;
if (idx >= srv_to_cli_epoch0) {
epoch = 1;
idx -= srv_to_cli_epoch0;
}
} else {
mempackbio = SSL_get_wbio(clientssl);
if (idx >= cli_to_srv_epoch0) {
epoch = 1;
idx -= cli_to_srv_epoch0;
}
mempackbio = BIO_next(mempackbio);
}
BIO_ctrl(mempackbio, MEMPACKET_CTRL_SET_DROP_EPOCH, epoch, NULL);
BIO_ctrl(mempackbio, MEMPACKET_CTRL_SET_DROP_REC, idx, NULL);
if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
goto end;
if (sess != NULL && !TEST_true(SSL_session_reused(clientssl)))
goto end;
/* If the test did what we planned then it should have dropped a record */
if (!TEST_int_eq((int)BIO_ctrl(mempackbio, MEMPACKET_CTRL_GET_DROP_REC, 0,
NULL), -1))
goto end;
testresult = 1;
end:
SSL_SESSION_free(sess);
SSL_free(serverssl);
SSL_free(clientssl);
SSL_CTX_free(sctx);
SSL_CTX_free(cctx);
return testresult;
}
static int test_x509_check_cert_pkey(void)
{
BIO *bio = NULL;
X509 *x509 = NULL;
X509_REQ *x509_req = NULL;
EVP_PKEY *pkey = NULL;
int ret = 0, type = 0, expected = 0, result = 0;
/*
* we check them first thus if fails we don't need to do
* those PEM parsing operations.
*/
if (strcmp(t, "cert") == 0) {
type = 1;
} else if (strcmp(t, "req") == 0) {
type = 2;
} else {
TEST_error("invalid 'type'");
goto failed;
}
if (strcmp(e, "ok") == 0) {
expected = 1;
} else if (strcmp(e, "failed") == 0) {
expected = 0;
} else {
TEST_error("invalid 'expected'");
goto failed;
}
/* process private key */
if (!TEST_ptr(bio = BIO_new_file(k, "r")))
goto failed;
if (!TEST_ptr(pkey = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL)))
goto failed;
BIO_free(bio);
/* process cert or cert request, use the same local var */
if (!TEST_ptr(bio = BIO_new_file(c, "r")))
goto failed;
switch (type) {
case 1:
x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL);
if (x509 == NULL) {
TEST_error("read PEM x509 failed");
goto failed;
}
result = X509_check_private_key(x509, pkey);
break;
case 2:
x509_req = PEM_read_bio_X509_REQ(bio, NULL, NULL, NULL);
if (x509_req == NULL) {
TEST_error("read PEM x509 req failed");
goto failed;
}
result = X509_REQ_check_private_key(x509_req, pkey);
break;
default:
/* should never be here */
break;
}
if (!TEST_int_eq(result, expected)) {
TEST_error("check private key: expected: %d, got: %d", expected, result);
goto failed;
}
ret = 1;
failed:
BIO_free(bio);
X509_free(x509);
X509_REQ_free(x509_req);
EVP_PKEY_free(pkey);
return ret;
}
static int test_mod_exp(int round)
{
BN_CTX *ctx;
unsigned char c;
int ret = 0;
BIGNUM *r_mont = NULL;
BIGNUM *r_mont_const = NULL;
BIGNUM *r_recp = NULL;
BIGNUM *r_simple = NULL;
BIGNUM *a = NULL;
BIGNUM *b = NULL;
BIGNUM *m = NULL;
if (!TEST_ptr(ctx = BN_CTX_new()))
goto err;
if (!TEST_ptr(r_mont = BN_new())
|| !TEST_ptr(r_mont_const = BN_new())
|| !TEST_ptr(r_recp = BN_new())
|| !TEST_ptr(r_simple = BN_new())
|| !TEST_ptr(a = BN_new())
|| !TEST_ptr(b = BN_new())
|| !TEST_ptr(m = BN_new()))
goto err;
RAND_bytes(&c, 1);
c = (c % BN_BITS) - BN_BITS2;
BN_rand(a, NUM_BITS + c, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY);
RAND_bytes(&c, 1);
c = (c % BN_BITS) - BN_BITS2;
BN_rand(b, NUM_BITS + c, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY);
RAND_bytes(&c, 1);
c = (c % BN_BITS) - BN_BITS2;
BN_rand(m, NUM_BITS + c, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD);
if (!TEST_true(BN_mod(a, a, m, ctx))
|| !TEST_true(BN_mod(b, b, m, ctx))
|| !TEST_true(BN_mod_exp_mont(r_mont, a, b, m, ctx, NULL))
|| !TEST_true(BN_mod_exp_recp(r_recp, a, b, m, ctx))
|| !TEST_true(BN_mod_exp_simple(r_simple, a, b, m, ctx))
|| !TEST_true(BN_mod_exp_mont_consttime(r_mont_const, a, b, m, ctx, NULL)))
goto err;
if (!TEST_BN_eq(r_simple, r_mont)
|| !TEST_BN_eq(r_simple, r_recp)
|| !TEST_BN_eq(r_simple, r_mont_const)) {
if (BN_cmp(r_simple, r_mont) != 0)
TEST_info("simple and mont results differ");
if (BN_cmp(r_simple, r_mont_const) != 0)
TEST_info("simple and mont const time results differ");
if (BN_cmp(r_simple, r_recp) != 0)
TEST_info("simple and recp results differ");
BN_print_var(a);
BN_print_var(b);
BN_print_var(m);
BN_print_var(r_simple);
BN_print_var(r_recp);
BN_print_var(r_mont);
BN_print_var(r_mont_const);
goto err;
}
ret = 1;
err:
BN_free(r_mont);
BN_free(r_mont_const);
BN_free(r_recp);
BN_free(r_simple);
BN_free(a);
BN_free(b);
BN_free(m);
BN_CTX_free(ctx);
return ret;
}
static int test_fatalerr(void)
{
SSL_CTX *sctx = NULL, *cctx = NULL;
SSL *sssl = NULL, *cssl = NULL;
const char *msg = "Dummy";
BIO *wbio = NULL;
int ret = 0, len;
char buf[80];
unsigned char dummyrec[] = {
0x17, 0x03, 0x03, 0x00, 0x05, 'D', 'u', 'm', 'm', 'y'
};
if (!TEST_true(create_ssl_ctx_pair(TLS_method(), TLS_method(),
TLS1_VERSION, 0,
&sctx, &cctx, cert, privkey)))
goto err;
/*
* Deliberately set the cipher lists for client and server to be different
* to force a handshake failure.
*/
if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "AES128-SHA"))
|| !TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-SHA"))
|| !TEST_true(SSL_CTX_set_ciphersuites(sctx,
"TLS_AES_128_GCM_SHA256"))
|| !TEST_true(SSL_CTX_set_ciphersuites(cctx,
"TLS_AES_256_GCM_SHA384"))
|| !TEST_true(create_ssl_objects(sctx, cctx, &sssl, &cssl, NULL,
NULL)))
goto err;
wbio = SSL_get_wbio(cssl);
if (!TEST_ptr(wbio)) {
printf("Unexpected NULL bio received\n");
goto err;
}
/* Connection should fail */
if (!TEST_false(create_ssl_connection(sssl, cssl, SSL_ERROR_NONE)))
goto err;
ERR_clear_error();
/* Inject a plaintext record from client to server */
if (!TEST_int_gt(BIO_write(wbio, dummyrec, sizeof(dummyrec)), 0))
goto err;
/* SSL_read()/SSL_write should fail because of a previous fatal error */
if (!TEST_int_le(len = SSL_read(sssl, buf, sizeof(buf) - 1), 0)) {
buf[len] = '\0';
TEST_error("Unexpected success reading data: %s\n", buf);
goto err;
}
if (!TEST_int_le(SSL_write(sssl, msg, strlen(msg)), 0))
goto err;
ret = 1;
err:
SSL_free(sssl);
SSL_free(cssl);
SSL_CTX_free(sctx);
SSL_CTX_free(cctx);
return ret;
}
/*
* test_mod_exp_zero tests that x**0 mod 1 == 0. It returns zero on success.
*/
static int test_mod_exp_zero(void)
{
BIGNUM *a = NULL, *p = NULL, *m = NULL;
BIGNUM *r = NULL;
BN_ULONG one_word = 1;
BN_CTX *ctx = BN_CTX_new();
int ret = 1, failed = 0;
if (!TEST_ptr(m = BN_new())
|| !TEST_ptr(a = BN_new())
|| !TEST_ptr(p = BN_new())
|| !TEST_ptr(r = BN_new()))
goto err;
BN_one(m);
BN_one(a);
BN_zero(p);
if (!TEST_true(BN_rand(a, 1024, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY)))
goto err;
if (!TEST_true(BN_mod_exp(r, a, p, m, ctx)))
goto err;
if (!TEST_true(a_is_zero_mod_one("BN_mod_exp", r, a)))
failed = 1;
if (!TEST_true(BN_mod_exp_recp(r, a, p, m, ctx)))
goto err;
if (!TEST_true(a_is_zero_mod_one("BN_mod_exp_recp", r, a)))
failed = 1;
if (!TEST_true(BN_mod_exp_simple(r, a, p, m, ctx)))
goto err;
if (!TEST_true(a_is_zero_mod_one("BN_mod_exp_simple", r, a)))
failed = 1;
if (!TEST_true(BN_mod_exp_mont(r, a, p, m, ctx, NULL)))
goto err;
if (!TEST_true(a_is_zero_mod_one("BN_mod_exp_mont", r, a)))
failed = 1;
if (!TEST_true(BN_mod_exp_mont_consttime(r, a, p, m, ctx, NULL)))
goto err;
if (!TEST_true(a_is_zero_mod_one("BN_mod_exp_mont_consttime", r, a)))
failed = 1;
/*
* A different codepath exists for single word multiplication
* in non-constant-time only.
*/
if (!TEST_true(BN_mod_exp_mont_word(r, one_word, p, m, ctx, NULL)))
goto err;
if (!TEST_BN_eq_zero(r)) {
TEST_error("BN_mod_exp_mont_word failed: "
"1 ** 0 mod 1 = r (should be 0)");
BN_print_var(r);
goto err;
}
ret = !failed;
err:
BN_free(r);
BN_free(a);
BN_free(p);
BN_free(m);
BN_CTX_free(ctx);
return ret;
}
static int test_EVP_SM2(void)
{
int ret = 0;
EVP_PKEY *pkey = NULL;
EVP_PKEY *params = NULL;
EVP_PKEY_CTX *pctx = NULL;
EVP_PKEY_CTX *kctx = NULL;
EVP_PKEY_CTX *sctx = NULL;
size_t sig_len = 0;
unsigned char *sig = NULL;
EVP_MD_CTX *md_ctx = NULL;
EVP_MD_CTX *md_ctx_verify = NULL;
EVP_PKEY_CTX *cctx = NULL;
uint8_t ciphertext[128];
size_t ctext_len = sizeof(ciphertext);
uint8_t plaintext[8];
size_t ptext_len = sizeof(plaintext);
uint8_t sm2_id[] = {1, 2, 3, 4, 'l', 'e', 't', 't', 'e', 'r'};
pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
if (!TEST_ptr(pctx))
goto done;
if (!TEST_true(EVP_PKEY_paramgen_init(pctx) == 1))
goto done;
if (!TEST_true(EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, NID_sm2)))
goto done;
if (!TEST_true(EVP_PKEY_paramgen(pctx, ¶ms)))
goto done;
kctx = EVP_PKEY_CTX_new(params, NULL);
if (!TEST_ptr(kctx))
goto done;
if (!TEST_true(EVP_PKEY_keygen_init(kctx)))
goto done;
if (!TEST_true(EVP_PKEY_keygen(kctx, &pkey)))
goto done;
if (!TEST_true(EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2)))
goto done;
if (!TEST_ptr(md_ctx = EVP_MD_CTX_new()))
goto done;
if (!TEST_ptr(md_ctx_verify = EVP_MD_CTX_new()))
goto done;
if (!TEST_ptr(sctx = EVP_PKEY_CTX_new(pkey, NULL)))
goto done;
EVP_MD_CTX_set_pkey_ctx(md_ctx, sctx);
EVP_MD_CTX_set_pkey_ctx(md_ctx_verify, sctx);
if (!TEST_int_gt(EVP_PKEY_CTX_set1_id(sctx, sm2_id, sizeof(sm2_id)), 0))
goto done;
if (!TEST_true(EVP_DigestSignInit(md_ctx, NULL, EVP_sm3(), NULL, pkey)))
goto done;
if(!TEST_true(EVP_DigestSignUpdate(md_ctx, kMsg, sizeof(kMsg))))
goto done;
/* Determine the size of the signature. */
if (!TEST_true(EVP_DigestSignFinal(md_ctx, NULL, &sig_len)))
goto done;
if (!TEST_size_t_eq(sig_len, (size_t)EVP_PKEY_size(pkey)))
goto done;
if (!TEST_ptr(sig = OPENSSL_malloc(sig_len)))
goto done;
if (!TEST_true(EVP_DigestSignFinal(md_ctx, sig, &sig_len)))
goto done;
/* Ensure that the signature round-trips. */
if (!TEST_true(EVP_DigestVerifyInit(md_ctx_verify, NULL, EVP_sm3(), NULL, pkey)))
goto done;
if (!TEST_true(EVP_DigestVerifyUpdate(md_ctx_verify, kMsg, sizeof(kMsg))))
goto done;
if (!TEST_true(EVP_DigestVerifyFinal(md_ctx_verify, sig, sig_len)))
goto done;
/* now check encryption/decryption */
if (!TEST_ptr(cctx = EVP_PKEY_CTX_new(pkey, NULL)))
goto done;
if (!TEST_true(EVP_PKEY_encrypt_init(cctx)))
goto done;
if (!TEST_true(EVP_PKEY_encrypt(cctx, ciphertext, &ctext_len, kMsg, sizeof(kMsg))))
goto done;
if (!TEST_true(EVP_PKEY_decrypt_init(cctx)))
goto done;
if (!TEST_true(EVP_PKEY_decrypt(cctx, plaintext, &ptext_len, ciphertext, ctext_len)))
goto done;
if (!TEST_true(ptext_len == sizeof(kMsg)))
goto done;
if (!TEST_true(memcmp(plaintext, kMsg, sizeof(kMsg)) == 0))
goto done;
ret = 1;
done:
EVP_PKEY_CTX_free(pctx);
EVP_PKEY_CTX_free(kctx);
EVP_PKEY_CTX_free(sctx);
EVP_PKEY_CTX_free(cctx);
EVP_PKEY_free(pkey);
EVP_PKEY_free(params);
EVP_MD_CTX_free(md_ctx);
EVP_MD_CTX_free(md_ctx_verify);
OPENSSL_free(sig);
return ret;
}
static int test_property(void)
{
static const struct {
int nid;
const char *prop;
char *impl;
} impls[] = {
{ 1, "fast=no, colour=green", "a" },
{ 1, "fast, colour=blue", "b" },
{ 1, "", "-" },
{ 9, "sky=blue, furry", "c" },
{ 3, NULL, "d" },
{ 6, "sky.colour=blue, sky=green, old.data", "e" },
};
static struct {
int nid;
const char *prop;
char *expected;
} queries[] = {
{ 1, "fast", "b" },
{ 1, "fast=yes", "b" },
{ 1, "fast=no, colour=green", "a" },
{ 1, "colour=blue, fast", "b" },
{ 1, "colour=blue", "b" },
{ 9, "furry", "c" },
{ 6, "sky.colour=blue", "e" },
{ 6, "old.data", "e" },
{ 9, "furry=yes, sky=blue", "c" },
{ 1, "", "a" },
{ 3, "", "d" },
};
OSSL_METHOD_STORE *store;
size_t i;
int ret = 0;
void *result;
if (!TEST_ptr(store = ossl_method_store_new(NULL))
|| !add_property_names("fast", "colour", "sky", "furry", NULL))
goto err;
for (i = 0; i < OSSL_NELEM(impls); i++)
if (!TEST_true(ossl_method_store_add(store, impls[i].nid, impls[i].prop,
impls[i].impl, NULL))) {
TEST_note("iteration %zd", i + 1);
goto err;
}
for (i = 0; i < OSSL_NELEM(queries); i++) {
OSSL_PROPERTY_LIST *pq = NULL;
if (!TEST_true(ossl_method_store_fetch(store, queries[i].nid,
queries[i].prop, &result))
|| !TEST_str_eq((char *)result, queries[i].expected)) {
TEST_note("iteration %zd", i + 1);
ossl_property_free(pq);
goto err;
}
ossl_property_free(pq);
}
ret = 1;
err:
ossl_method_store_free(store);
return ret;
}
static int test_tls13_encryption(void)
{
SSL_CTX *ctx = NULL;
SSL *s = NULL;
SSL3_RECORD rec;
unsigned char *key = NULL, *iv = NULL, *seq = NULL;
const EVP_CIPHER *ciph = EVP_aes_128_gcm();
int ret = 0;
size_t ivlen, ctr;
/*
* Encrypted TLSv1.3 records always have an outer content type of
* application data, and a record version of TLSv1.2.
*/
rec.data = NULL;
rec.type = SSL3_RT_APPLICATION_DATA;
rec.rec_version = TLS1_2_VERSION;
ctx = SSL_CTX_new(TLS_method());
if (!TEST_ptr(ctx)) {
TEST_info("Failed creating SSL_CTX");
goto err;
}
s = SSL_new(ctx);
if (!TEST_ptr(s)) {
TEST_info("Failed creating SSL");
goto err;
}
s->enc_read_ctx = EVP_CIPHER_CTX_new();
if (!TEST_ptr(s->enc_read_ctx))
goto err;
s->enc_write_ctx = EVP_CIPHER_CTX_new();
if (!TEST_ptr(s->enc_write_ctx))
goto err;
s->s3->tmp.new_cipher = SSL_CIPHER_find(s, TLS13_AES_128_GCM_SHA256_BYTES);
if (!TEST_ptr(s->s3->tmp.new_cipher)) {
TEST_info("Failed to find cipher");
goto err;
}
for (ctr = 0; ctr < OSSL_NELEM(refdata); ctr++) {
/* Load the record */
ivlen = EVP_CIPHER_iv_length(ciph);
if (!load_record(&rec, &refdata[ctr], &key, s->read_iv, ivlen,
RECORD_LAYER_get_read_sequence(&s->rlayer))) {
TEST_error("Failed loading key into EVP_CIPHER_CTX");
goto err;
}
/* Set up the read/write sequences */
memcpy(RECORD_LAYER_get_write_sequence(&s->rlayer),
RECORD_LAYER_get_read_sequence(&s->rlayer), SEQ_NUM_SIZE);
memcpy(s->write_iv, s->read_iv, ivlen);
/* Load the key into the EVP_CIPHER_CTXs */
if (EVP_CipherInit_ex(s->enc_write_ctx, ciph, NULL, key, NULL, 1) <= 0
|| EVP_CipherInit_ex(s->enc_read_ctx, ciph, NULL, key, NULL, 0)
<= 0) {
TEST_error("Failed loading key into EVP_CIPHER_CTX\n");
goto err;
}
/* Encrypt it */
if (!TEST_size_t_eq(tls13_enc(s, &rec, 1, 1), 1)) {
TEST_info("Failed to encrypt record %zu", ctr);
goto err;
}
if (!TEST_true(test_record(&rec, &refdata[ctr], 1))) {
TEST_info("Record %zu encryption test failed", ctr);
goto err;
}
/* Decrypt it */
if (!TEST_int_eq(tls13_enc(s, &rec, 1, 0), 1)) {
TEST_info("Failed to decrypt record %zu", ctr);
goto err;
}
if (!TEST_true(test_record(&rec, &refdata[ctr], 0))) {
TEST_info("Record %zu decryption test failed", ctr);
goto err;
}
OPENSSL_free(rec.data);
OPENSSL_free(key);
OPENSSL_free(iv);
OPENSSL_free(seq);
rec.data = NULL;
key = NULL;
iv = NULL;
seq = NULL;
}
TEST_note("PASS: %zu records tested", ctr);
ret = 1;
err:
OPENSSL_free(rec.data);
OPENSSL_free(key);
OPENSSL_free(iv);
OPENSSL_free(seq);
SSL_free(s);
SSL_CTX_free(ctx);
return ret;
}
/*
* Do a single KAT test. Return 0 on failure.
*/
static int single_kat(DRBG_SELFTEST_DATA *td)
{
RAND_DRBG *drbg = NULL;
TEST_CTX t;
int failures = 0;
unsigned char buff[1024];
/*
* Test without PR: Instantiate DRBG with test entropy, nonce and
* personalisation string.
*/
if (!TEST_ptr(drbg = RAND_DRBG_new(td->nid, td->flags, NULL)))
return 0;
if (!TEST_true(RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
kat_nonce, NULL))
|| !TEST_true(disable_crngt(drbg))) {
failures++;
goto err;
}
memset(&t, 0, sizeof(t));
t.entropy = td->entropy;
t.entropylen = td->entropylen;
t.nonce = td->nonce;
t.noncelen = td->noncelen;
RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
if (!TEST_true(RAND_DRBG_instantiate(drbg, td->pers, td->perslen))
|| !TEST_true(RAND_DRBG_generate(drbg, buff, td->exlen, 0,
td->adin, td->adinlen))
|| !TEST_mem_eq(td->expected, td->exlen, buff, td->exlen))
failures++;
/* Reseed DRBG with test entropy and additional input */
t.entropy = td->entropyreseed;
t.entropylen = td->entropyreseedlen;
if (!TEST_true(RAND_DRBG_reseed(drbg, td->adinreseed, td->adinreseedlen, 0)
|| !TEST_true(RAND_DRBG_generate(drbg, buff, td->kat2len, 0,
td->adin2, td->adin2len))
|| !TEST_mem_eq(td->kat2, td->kat2len, buff, td->kat2len)))
failures++;
uninstantiate(drbg);
/*
* Now test with PR: Instantiate DRBG with test entropy, nonce and
* personalisation string.
*/
if (!TEST_true(RAND_DRBG_set(drbg, td->nid, td->flags))
|| !TEST_true(RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
kat_nonce, NULL)))
failures++;
RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
t.entropy = td->entropy_pr;
t.entropylen = td->entropylen_pr;
t.nonce = td->nonce_pr;
t.noncelen = td->noncelen_pr;
t.entropycnt = 0;
t.noncecnt = 0;
if (!TEST_true(RAND_DRBG_instantiate(drbg, td->pers_pr, td->perslen_pr)))
failures++;
/*
* Now generate with PR: we need to supply entropy as this will
* perform a reseed operation.
*/
t.entropy = td->entropypr_pr;
t.entropylen = td->entropyprlen_pr;
if (!TEST_true(RAND_DRBG_generate(drbg, buff, td->katlen_pr, 1,
td->adin_pr, td->adinlen_pr))
|| !TEST_mem_eq(td->kat_pr, td->katlen_pr, buff, td->katlen_pr))
failures++;
/*
* Now generate again with PR: supply new entropy again.
*/
t.entropy = td->entropyg_pr;
t.entropylen = td->entropyglen_pr;
if (!TEST_true(RAND_DRBG_generate(drbg, buff, td->kat2len_pr, 1,
td->ading_pr, td->adinglen_pr))
|| !TEST_mem_eq(td->kat2_pr, td->kat2len_pr,
buff, td->kat2len_pr))
failures++;
err:
uninstantiate(drbg);
RAND_DRBG_free(drbg);
return failures == 0;
}
static int test_dtls_unprocessed(int testidx)
{
SSL_CTX *sctx = NULL, *cctx = NULL;
SSL *serverssl1 = NULL, *clientssl1 = NULL;
BIO *c_to_s_fbio, *c_to_s_mempacket;
int testresult = 0;
timer_cb_count = 0;
if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
DTLS_client_method(),
DTLS1_VERSION, DTLS_MAX_VERSION,
&sctx, &cctx, cert, privkey)))
return 0;
if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES128-SHA")))
goto end;
c_to_s_fbio = BIO_new(bio_f_tls_dump_filter());
if (!TEST_ptr(c_to_s_fbio))
goto end;
/* BIO is freed by create_ssl_connection on error */
if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
NULL, c_to_s_fbio)))
goto end;
DTLS_set_timer_cb(clientssl1, timer_cb);
if (testidx == 1)
certstatus[RECORD_SEQUENCE] = 0xff;
/*
* Inject a dummy record from the next epoch. In test 0, this should never
* get used because the message sequence number is too big. In test 1 we set
* the record sequence number to be way off in the future. This should not
* have an impact on the record replay protection because the record should
* be dropped before it is marked as arrived
*/
c_to_s_mempacket = SSL_get_wbio(clientssl1);
c_to_s_mempacket = BIO_next(c_to_s_mempacket);
mempacket_test_inject(c_to_s_mempacket, (char *)certstatus,
sizeof(certstatus), 1, INJECT_PACKET_IGNORE_REC_SEQ);
if (!TEST_true(create_ssl_connection(serverssl1, clientssl1,
SSL_ERROR_NONE)))
goto end;
if (timer_cb_count == 0) {
printf("timer_callback was not called.\n");
goto end;
}
testresult = 1;
end:
SSL_free(serverssl1);
SSL_free(clientssl1);
SSL_CTX_free(sctx);
SSL_CTX_free(cctx);
return testresult;
}
/*
* Perform extensive error checking as required by SP800-90.
* Induce several failure modes and check an error condition is set.
*/
static int error_check(DRBG_SELFTEST_DATA *td)
{
static char zero[sizeof(RAND_DRBG)];
RAND_DRBG *drbg = NULL;
TEST_CTX t;
unsigned char buff[1024];
unsigned int reseed_counter_tmp;
int ret = 0;
if (!TEST_ptr(drbg = RAND_DRBG_new(td->nid, td->flags, NULL))
|| !TEST_true(disable_crngt(drbg)))
goto err;
/*
* Personalisation string tests
*/
/* Test detection of too large personlisation string */
if (!init(drbg, td, &t)
|| RAND_DRBG_instantiate(drbg, td->pers, drbg->max_perslen + 1) > 0)
goto err;
/*
* Entropy source tests
*/
/* Test entropy source failure detection: i.e. returns no data */
t.entropylen = 0;
if (TEST_int_le(RAND_DRBG_instantiate(drbg, td->pers, td->perslen), 0))
goto err;
/* Try to generate output from uninstantiated DRBG */
if (!TEST_false(RAND_DRBG_generate(drbg, buff, td->exlen, 0,
td->adin, td->adinlen))
|| !uninstantiate(drbg))
goto err;
/* Test insufficient entropy */
t.entropylen = drbg->min_entropylen - 1;
if (!init(drbg, td, &t)
|| RAND_DRBG_instantiate(drbg, td->pers, td->perslen) > 0
|| !uninstantiate(drbg))
goto err;
/* Test too much entropy */
t.entropylen = drbg->max_entropylen + 1;
if (!init(drbg, td, &t)
|| RAND_DRBG_instantiate(drbg, td->pers, td->perslen) > 0
|| !uninstantiate(drbg))
goto err;
/*
* Nonce tests
*/
/* Test too small nonce */
if (drbg->min_noncelen) {
t.noncelen = drbg->min_noncelen - 1;
if (!init(drbg, td, &t)
|| RAND_DRBG_instantiate(drbg, td->pers, td->perslen) > 0
|| !uninstantiate(drbg))
goto err;
}
/* Test too large nonce */
if (drbg->max_noncelen) {
t.noncelen = drbg->max_noncelen + 1;
if (!init(drbg, td, &t)
|| RAND_DRBG_instantiate(drbg, td->pers, td->perslen) > 0
|| !uninstantiate(drbg))
goto err;
}
/* Instantiate with valid data, Check generation is now OK */
if (!instantiate(drbg, td, &t)
|| !TEST_true(RAND_DRBG_generate(drbg, buff, td->exlen, 0,
td->adin, td->adinlen)))
goto err;
/* Request too much data for one request */
if (!TEST_false(RAND_DRBG_generate(drbg, buff, drbg->max_request + 1, 0,
td->adin, td->adinlen)))
goto err;
/* Try too large additional input */
if (!TEST_false(RAND_DRBG_generate(drbg, buff, td->exlen, 0,
td->adin, drbg->max_adinlen + 1)))
goto err;
/*
* Check prediction resistance request fails if entropy source
* failure.
*/
t.entropylen = 0;
if (TEST_false(RAND_DRBG_generate(drbg, buff, td->exlen, 1,
td->adin, td->adinlen))
|| !uninstantiate(drbg))
goto err;
/* Instantiate again with valid data */
if (!instantiate(drbg, td, &t))
goto err;
reseed_counter_tmp = drbg->reseed_gen_counter;
drbg->reseed_gen_counter = drbg->reseed_interval;
/* Generate output and check entropy has been requested for reseed */
t.entropycnt = 0;
if (!TEST_true(RAND_DRBG_generate(drbg, buff, td->exlen, 0,
td->adin, td->adinlen))
|| !TEST_int_eq(t.entropycnt, 1)
|| !TEST_int_eq(drbg->reseed_gen_counter, reseed_counter_tmp + 1)
|| !uninstantiate(drbg))
goto err;
/*
* Check prediction resistance request fails if entropy source
* failure.
*/
t.entropylen = 0;
if (!TEST_false(RAND_DRBG_generate(drbg, buff, td->exlen, 1,
td->adin, td->adinlen))
|| !uninstantiate(drbg))
goto err;
/* Test reseed counter works */
if (!instantiate(drbg, td, &t))
goto err;
reseed_counter_tmp = drbg->reseed_gen_counter;
drbg->reseed_gen_counter = drbg->reseed_interval;
/* Generate output and check entropy has been requested for reseed */
t.entropycnt = 0;
if (!TEST_true(RAND_DRBG_generate(drbg, buff, td->exlen, 0,
td->adin, td->adinlen))
|| !TEST_int_eq(t.entropycnt, 1)
|| !TEST_int_eq(drbg->reseed_gen_counter, reseed_counter_tmp + 1)
|| !uninstantiate(drbg))
goto err;
/*
* Explicit reseed tests
*/
/* Test explicit reseed with too large additional input */
if (!instantiate(drbg, td, &t)
|| RAND_DRBG_reseed(drbg, td->adin, drbg->max_adinlen + 1, 0) > 0)
goto err;
/* Test explicit reseed with entropy source failure */
t.entropylen = 0;
if (!TEST_int_le(RAND_DRBG_reseed(drbg, td->adin, td->adinlen, 0), 0)
|| !uninstantiate(drbg))
goto err;
/* Test explicit reseed with too much entropy */
if (!instantiate(drbg, td, &t))
goto err;
t.entropylen = drbg->max_entropylen + 1;
if (!TEST_int_le(RAND_DRBG_reseed(drbg, td->adin, td->adinlen, 0), 0)
|| !uninstantiate(drbg))
goto err;
/* Test explicit reseed with too little entropy */
if (!instantiate(drbg, td, &t))
goto err;
t.entropylen = drbg->min_entropylen - 1;
if (!TEST_int_le(RAND_DRBG_reseed(drbg, td->adin, td->adinlen, 0), 0)
|| !uninstantiate(drbg))
goto err;
/* Standard says we have to check uninstantiate really zeroes */
if (!TEST_mem_eq(zero, sizeof(drbg->data), &drbg->data, sizeof(drbg->data)))
goto err;
ret = 1;
err:
uninstantiate(drbg);
RAND_DRBG_free(drbg);
return ret;
}
/* some tests from the X9.62 draft */
static int x9_62_test_internal(int nid, const char *r_in, const char *s_in)
{
int ret = 0;
const char message[] = "abc";
unsigned char digest[20];
unsigned int dgst_len = 0;
EVP_MD_CTX *md_ctx;
EC_KEY *key = NULL;
ECDSA_SIG *signature = NULL;
BIGNUM *r = NULL, *s = NULL;
BIGNUM *kinv = NULL, *rp = NULL;
const BIGNUM *sig_r, *sig_s;
if (!TEST_ptr(md_ctx = EVP_MD_CTX_new()))
goto x962_int_err;
/* get the message digest */
if (!TEST_true(EVP_DigestInit(md_ctx, EVP_sha1()))
|| !TEST_true(EVP_DigestUpdate(md_ctx, (const void *)message, 3))
|| !TEST_true(EVP_DigestFinal(md_ctx, digest, &dgst_len)))
goto x962_int_err;
TEST_info("testing %s", OBJ_nid2sn(nid));
/* create the key */
if (!TEST_ptr(key = EC_KEY_new_by_curve_name(nid)))
goto x962_int_err;
use_fake = 1;
if (!TEST_true(EC_KEY_generate_key(key)))
goto x962_int_err;
/* create the signature */
use_fake = 1;
/* Use ECDSA_sign_setup to avoid use of ECDSA nonces */
if (!TEST_true(ECDSA_sign_setup(key, NULL, &kinv, &rp)))
goto x962_int_err;
if (!TEST_ptr(signature = ECDSA_do_sign_ex(digest, 20, kinv, rp, key)))
goto x962_int_err;
/* compare the created signature with the expected signature */
if (!TEST_ptr(r = BN_new()) || !TEST_ptr(s = BN_new()))
goto x962_int_err;
if (!TEST_true(BN_dec2bn(&r, r_in)) || !TEST_true(BN_dec2bn(&s, s_in)))
goto x962_int_err;
ECDSA_SIG_get0(signature, &sig_r, &sig_s);
if (!TEST_BN_eq(sig_r, r)
|| !TEST_BN_eq(sig_s, s))
goto x962_int_err;
/* verify the signature */
if (!TEST_int_eq(ECDSA_do_verify(digest, 20, signature, key), 1))
goto x962_int_err;
ret = 1;
x962_int_err:
EC_KEY_free(key);
ECDSA_SIG_free(signature);
BN_free(r);
BN_free(s);
EVP_MD_CTX_free(md_ctx);
BN_clear_free(kinv);
BN_clear_free(rp);
return ret;
}
static int test_check_crt_components(void)
{
const int P = 15;
const int Q = 17;
const int E = 5;
const int N = P*Q;
const int DP = 3;
const int DQ = 13;
const int QINV = 8;
int ret = 0;
RSA *key = NULL;
BN_CTX *ctx = NULL;
BIGNUM *p = NULL, *q = NULL, *e = NULL;
ret = TEST_ptr(key = RSA_new())
&& TEST_ptr(ctx = BN_CTX_new())
&& TEST_ptr(p = BN_new())
&& TEST_ptr(q = BN_new())
&& TEST_ptr(e = BN_new())
&& TEST_true(BN_set_word(p, P))
&& TEST_true(BN_set_word(q, Q))
&& TEST_true(BN_set_word(e, E))
&& TEST_true(RSA_set0_factors(key, p, q));
if (!ret) {
BN_free(p);
BN_free(q);
goto end;
}
ret = TEST_true(rsa_sp800_56b_derive_params_from_pq(key, 8, e, ctx))
&& TEST_BN_eq_word(key->n, N)
&& TEST_BN_eq_word(key->dmp1, DP)
&& TEST_BN_eq_word(key->dmq1, DQ)
&& TEST_BN_eq_word(key->iqmp, QINV)
&& TEST_true(rsa_check_crt_components(key, ctx))
/* (a) 1 < dP < (p – 1). */
&& TEST_true(BN_set_word(key->dmp1, 1))
&& TEST_false(rsa_check_crt_components(key, ctx))
&& TEST_true(BN_set_word(key->dmp1, P-1))
&& TEST_false(rsa_check_crt_components(key, ctx))
&& TEST_true(BN_set_word(key->dmp1, DP))
/* (b) 1 < dQ < (q - 1). */
&& TEST_true(BN_set_word(key->dmq1, 1))
&& TEST_false(rsa_check_crt_components(key, ctx))
&& TEST_true(BN_set_word(key->dmq1, Q-1))
&& TEST_false(rsa_check_crt_components(key, ctx))
&& TEST_true(BN_set_word(key->dmq1, DQ))
/* (c) 1 < qInv < p */
&& TEST_true(BN_set_word(key->iqmp, 1))
&& TEST_false(rsa_check_crt_components(key, ctx))
&& TEST_true(BN_set_word(key->iqmp, P))
&& TEST_false(rsa_check_crt_components(key, ctx))
&& TEST_true(BN_set_word(key->iqmp, QINV))
/* (d) 1 = (dP . e) mod (p - 1)*/
&& TEST_true(BN_set_word(key->dmp1, DP+1))
&& TEST_false(rsa_check_crt_components(key, ctx))
&& TEST_true(BN_set_word(key->dmp1, DP))
/* (e) 1 = (dQ . e) mod (q - 1) */
&& TEST_true(BN_set_word(key->dmq1, DQ-1))
&& TEST_false(rsa_check_crt_components(key, ctx))
&& TEST_true(BN_set_word(key->dmq1, DQ))
/* (f) 1 = (qInv . q) mod p */
&& TEST_true(BN_set_word(key->iqmp, QINV+1))
&& TEST_false(rsa_check_crt_components(key, ctx))
&& TEST_true(BN_set_word(key->iqmp, QINV))
/* check defaults are still valid */
&& TEST_true(rsa_check_crt_components(key, ctx));
end:
BN_free(e);
RSA_free(key);
BN_CTX_free(ctx);
return ret;
}
static int test_cipher_name(void)
{
SSL_CTX *ctx = NULL;
SSL *ssl = NULL;
const SSL_CIPHER *c;
STACK_OF(SSL_CIPHER) *sk = NULL;
const char *ciphers = "ALL:eNULL", *p, *q, *r;
int i, id = 0, ret = 0;
/* tests for invalid input */
p = SSL_CIPHER_standard_name(NULL);
if (!TEST_str_eq(p, "(NONE)")) {
TEST_info("test_cipher_name(std) failed: NULL input doesn't return \"(NONE)\"\n");
goto err;
}
p = OPENSSL_cipher_name(NULL);
if (!TEST_str_eq(p, "(NONE)")) {
TEST_info("test_cipher_name(ossl) failed: NULL input doesn't return \"(NONE)\"\n");
goto err;
}
p = OPENSSL_cipher_name("This is not a valid cipher");
if (!TEST_str_eq(p, "(NONE)")) {
TEST_info("test_cipher_name(ossl) failed: invalid input doesn't return \"(NONE)\"\n");
goto err;
}
/* tests for valid input */
ctx = SSL_CTX_new(TLS_server_method());
if (ctx == NULL) {
TEST_info("test_cipher_name failed: internal error\n");
goto err;
}
if (!SSL_CTX_set_cipher_list(ctx, ciphers)) {
TEST_info("test_cipher_name failed: internal error\n");
goto err;
}
ssl = SSL_new(ctx);
if (ssl == NULL) {
TEST_info("test_cipher_name failed: internal error\n");
goto err;
}
sk = SSL_get_ciphers(ssl);
if (sk == NULL) {
TEST_info("test_cipher_name failed: internal error\n");
goto err;
}
for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
c = sk_SSL_CIPHER_value(sk, i);
id = SSL_CIPHER_get_id(c) & 0xFFFF;
if ((id == 0xFF85) || (id == 0xFF87))
/* skip GOST2012-GOST8912-GOST891 and GOST2012-NULL-GOST12 */
continue;
p = SSL_CIPHER_standard_name(c);
q = get_std_name_by_id(id);
if (!TEST_ptr(p)) {
TEST_info("test_cipher_name failed: expected %s, got NULL, cipher %x\n",
q, id);
goto err;
}
/* check if p is a valid standard name */
if (!TEST_str_eq(p, q)) {
TEST_info("test_cipher_name(std) failed: expected %s, got %s, cipher %x\n",
q, p, id);
goto err;
}
/* test OPENSSL_cipher_name */
q = SSL_CIPHER_get_name(c);
r = OPENSSL_cipher_name(p);
if (!TEST_str_eq(r, q)) {
TEST_info("test_cipher_name(ossl) failed: expected %s, got %s, cipher %x\n",
q, r, id);
goto err;
}
}
ret = 1;
err:
SSL_CTX_free(ctx);
SSL_free(ssl);
return ret;
}
/*-
* This function hijacks the RNG to feed it the chosen ECDSA key and nonce.
* The ECDSA KATs are from:
* - the X9.62 draft (4)
* - NIST CAVP (720)
*
* It uses the low-level ECDSA_sign_setup instead of EVP to control the RNG.
* NB: This is not how applications should use ECDSA; this is only for testing.
*
* Tests the library can successfully:
* - generate public keys that matches those KATs
* - create ECDSA signatures that match those KATs
* - accept those signatures as valid
*/
static int x9_62_tests(int n)
{
int nid, md_nid, ret = 0;
const char *r_in = NULL, *s_in = NULL, *tbs = NULL;
unsigned char *pbuf = NULL, *qbuf = NULL, *message = NULL;
unsigned char digest[EVP_MAX_MD_SIZE];
unsigned int dgst_len = 0;
long q_len, msg_len = 0;
size_t p_len;
EVP_MD_CTX *mctx = NULL;
EC_KEY *key = NULL;
ECDSA_SIG *signature = NULL;
BIGNUM *r = NULL, *s = NULL;
BIGNUM *kinv = NULL, *rp = NULL;
const BIGNUM *sig_r = NULL, *sig_s = NULL;
nid = ecdsa_cavs_kats[n].nid;
md_nid = ecdsa_cavs_kats[n].md_nid;
r_in = ecdsa_cavs_kats[n].r;
s_in = ecdsa_cavs_kats[n].s;
tbs = ecdsa_cavs_kats[n].msg;
numbers[0] = ecdsa_cavs_kats[n].d;
numbers[1] = ecdsa_cavs_kats[n].k;
TEST_info("ECDSA KATs for curve %s", OBJ_nid2sn(nid));
if (!TEST_ptr(mctx = EVP_MD_CTX_new())
/* get the message digest */
|| !TEST_ptr(message = OPENSSL_hexstr2buf(tbs, &msg_len))
|| !TEST_true(EVP_DigestInit_ex(mctx, EVP_get_digestbynid(md_nid), NULL))
|| !TEST_true(EVP_DigestUpdate(mctx, message, msg_len))
|| !TEST_true(EVP_DigestFinal_ex(mctx, digest, &dgst_len))
/* create the key */
|| !TEST_ptr(key = EC_KEY_new_by_curve_name(nid))
/* load KAT variables */
|| !TEST_ptr(r = BN_new())
|| !TEST_ptr(s = BN_new())
|| !TEST_true(BN_hex2bn(&r, r_in))
|| !TEST_true(BN_hex2bn(&s, s_in))
/* swap the RNG source */
|| !TEST_true(change_rand()))
goto err;
/* public key must match KAT */
use_fake = 1;
if (!TEST_true(EC_KEY_generate_key(key))
|| !TEST_true(p_len = EC_KEY_key2buf(key, POINT_CONVERSION_UNCOMPRESSED,
&pbuf, NULL))
|| !TEST_ptr(qbuf = OPENSSL_hexstr2buf(ecdsa_cavs_kats[n].Q, &q_len))
|| !TEST_int_eq(q_len, p_len)
|| !TEST_mem_eq(qbuf, q_len, pbuf, p_len))
goto err;
/* create the signature via ECDSA_sign_setup to avoid use of ECDSA nonces */
use_fake = 1;
if (!TEST_true(ECDSA_sign_setup(key, NULL, &kinv, &rp))
|| !TEST_ptr(signature = ECDSA_do_sign_ex(digest, dgst_len,
kinv, rp, key))
/* verify the signature */
|| !TEST_int_eq(ECDSA_do_verify(digest, dgst_len, signature, key), 1))
goto err;
/* compare the created signature with the expected signature */
ECDSA_SIG_get0(signature, &sig_r, &sig_s);
if (!TEST_BN_eq(sig_r, r)
|| !TEST_BN_eq(sig_s, s))
goto err;
ret = 1;
err:
/* restore the RNG source */
if (!TEST_true(restore_rand()))
ret = 0;
OPENSSL_free(message);
OPENSSL_free(pbuf);
OPENSSL_free(qbuf);
EC_KEY_free(key);
ECDSA_SIG_free(signature);
BN_free(r);
BN_free(s);
EVP_MD_CTX_free(mctx);
BN_clear_free(kinv);
BN_clear_free(rp);
return ret;
}
