From 7bb82f92d94375e7673fe02cb8186595b2c539f2 Mon Sep 17 00:00:00 2001 From: Shane Lontis Date: Sun, 15 Sep 2019 19:55:10 +1000 Subject: Add fips module integrity check Add environment variable for setting CONF .include path Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/9769) --- test/evp_fetch_prov_test.c | 251 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 251 insertions(+) create mode 100644 test/evp_fetch_prov_test.c (limited to 'test/evp_fetch_prov_test.c') diff --git a/test/evp_fetch_prov_test.c b/test/evp_fetch_prov_test.c new file mode 100644 index 0000000000..3fd695e84b --- /dev/null +++ b/test/evp_fetch_prov_test.c @@ -0,0 +1,251 @@ +/* + * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include +#include +#include "testutil.h" + +static char *alg = "digest"; +static int use_default_ctx = 0; +static char *fetch_property = NULL; +static int expected_fetch_result = 1; + +typedef enum OPTION_choice { + OPT_ERR = -1, + OPT_EOF = 0, + OPT_ALG_FETCH_TYPE, + OPT_FETCH_PROPERTY, + OPT_FETCH_FAILURE, + OPT_USE_DEFAULTCTX, + OPT_TEST_ENUM +} OPTION_CHOICE; + +const OPTIONS *test_get_options(void) +{ + static const OPTIONS test_options[] = { + OPT_TEST_OPTIONS_WITH_EXTRA_USAGE("[provname...]\n"), + { "type", OPT_ALG_FETCH_TYPE, 's', "The fetch type to test" }, + { "property", OPT_FETCH_PROPERTY, 's', "The fetch property e.g. fips=yes" }, + { "fetchfail", OPT_FETCH_FAILURE, '-', "fetch is expected to fail" }, + { "defaultctx", OPT_USE_DEFAULTCTX, '-', + "Use the default context if this is set" }, + { OPT_HELP_STR, 1, '-', + "file\tProvider names to explicitly load\n" }, + { NULL } + }; + return test_options; +} + +static int calculate_digest(const EVP_MD *md, const char *msg, size_t len, + const unsigned char *exptd) +{ + unsigned char out[SHA256_DIGEST_LENGTH]; + EVP_MD_CTX *ctx; + int ret = 0; + + if (!TEST_ptr(ctx = EVP_MD_CTX_new()) + || !TEST_true(EVP_DigestInit_ex(ctx, md, NULL)) + || !TEST_true(EVP_DigestUpdate(ctx, msg, len)) + || !TEST_true(EVP_DigestFinal_ex(ctx, out, NULL)) + || !TEST_mem_eq(out, SHA256_DIGEST_LENGTH, exptd, + SHA256_DIGEST_LENGTH) + || !TEST_true(md == EVP_MD_CTX_md(ctx))) + goto err; + + ret = 1; + err: + EVP_MD_CTX_free(ctx); + return ret; +} + +static int load_providers(OPENSSL_CTX **libctx, OSSL_PROVIDER *prov[]) +{ + OPENSSL_CTX *ctx; + int ret = 0; + size_t i; + + ctx = OPENSSL_CTX_new(); + if (!TEST_ptr(ctx)) + goto err; + + if (test_get_argument_count() > 2) + goto err; + + for (i = 0; i < test_get_argument_count(); ++i) { + char *provname = test_get_argument(i); + prov[i] = OSSL_PROVIDER_load(ctx, provname); + if (!TEST_ptr(prov[i])) + goto err; + } + ret = 1; + *libctx = ctx; +err: + return ret; +} + +/* + * Test EVP_MD_fetch() + */ +static int test_EVP_MD_fetch(void) +{ + OPENSSL_CTX *ctx = NULL; + EVP_MD *md = NULL; + OSSL_PROVIDER *prov[2] = {NULL, NULL}; + int ret = 0; + const char testmsg[] = "Hello world"; + const unsigned char exptd[] = { + 0x27, 0x51, 0x8b, 0xa9, 0x68, 0x30, 0x11, 0xf6, 0xb3, 0x96, 0x07, 0x2c, + 0x05, 0xf6, 0x65, 0x6d, 0x04, 0xf5, 0xfb, 0xc3, 0x78, 0x7c, 0xf9, 0x24, + 0x90, 0xec, 0x60, 0x6e, 0x50, 0x92, 0xe3, 0x26 + }; + + if (use_default_ctx == 0 && !load_providers(&ctx, prov)) + goto err; + + /* Implicit fetching of the MD should produce the expected result */ + if (!TEST_true(calculate_digest(EVP_sha256(), testmsg, sizeof(testmsg), + exptd)) + || !TEST_int_eq(EVP_MD_size(EVP_sha256()), SHA256_DIGEST_LENGTH) + || !TEST_int_eq(EVP_MD_block_size(EVP_sha256()), SHA256_CBLOCK)) + goto err; + + /* Fetch the digest from a provider using properties. */ + md = EVP_MD_fetch(ctx, "SHA256", fetch_property); + if (expected_fetch_result != 0) { + if (!TEST_ptr(md) + || !TEST_int_eq(EVP_MD_nid(md), NID_sha256) + || !TEST_true(calculate_digest(md, testmsg, sizeof(testmsg), exptd)) + || !TEST_int_eq(EVP_MD_size(md), SHA256_DIGEST_LENGTH) + || !TEST_int_eq(EVP_MD_block_size(md), SHA256_CBLOCK)) + goto err; + + /* Also test EVP_MD_up_ref() while we're doing this */ + if (!TEST_true(EVP_MD_up_ref(md))) + goto err; + /* Ref count should now be 2. Release first one here */ + EVP_MD_meth_free(md); + } else { + if (!TEST_ptr_null(md)) + goto err; + } + ret = 1; + +err: + EVP_MD_meth_free(md); + OSSL_PROVIDER_unload(prov[0]); + OSSL_PROVIDER_unload(prov[1]); + /* Not normally needed, but we would like to test that + * OPENSSL_thread_stop_ex() behaves as expected. + */ + if (ctx != NULL) { + OPENSSL_thread_stop_ex(ctx); + OPENSSL_CTX_free(ctx); + } + return ret; +} + +static int encrypt_decrypt(const EVP_CIPHER *cipher, const unsigned char *msg, + size_t len) +{ + int ret = 0, ctlen, ptlen; + EVP_CIPHER_CTX *ctx = NULL; + unsigned char key[128 / 8]; + unsigned char ct[64], pt[64]; + + memset(key, 0, sizeof(key)); + if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new()) + || !TEST_true(EVP_CipherInit_ex(ctx, cipher, NULL, key, NULL, 1)) + || !TEST_true(EVP_CipherUpdate(ctx, ct, &ctlen, msg, len)) + || !TEST_true(EVP_CipherFinal_ex(ctx, ct, &ctlen)) + || !TEST_true(EVP_CipherInit_ex(ctx, cipher, NULL, key, NULL, 0)) + || !TEST_true(EVP_CipherUpdate(ctx, pt, &ptlen, ct, ctlen)) + || !TEST_true(EVP_CipherFinal_ex(ctx, pt, &ptlen)) + || !TEST_mem_eq(pt, ptlen, msg, len)) + goto err; + + ret = 1; +err: + EVP_CIPHER_CTX_free(ctx); + return ret; +} + +/* + * Test EVP_CIPHER_fetch() + */ +static int test_EVP_CIPHER_fetch(void) +{ + OPENSSL_CTX *ctx = NULL; + EVP_CIPHER *cipher = NULL; + OSSL_PROVIDER *prov[2] = {NULL, NULL}; + int ret = 0; + const unsigned char testmsg[] = "Hello world"; + + if (use_default_ctx == 0 && !load_providers(&ctx, prov)) + goto err; + + /* Implicit fetching of the cipher should produce the expected result */ + if (!TEST_true(encrypt_decrypt(EVP_aes_128_cbc(), testmsg, sizeof(testmsg)))) + goto err; + + /* Fetch the cipher from a provider using properties. */ + cipher = EVP_CIPHER_fetch(ctx, "AES-128-CBC", fetch_property); + if (expected_fetch_result != 0) { + if (!TEST_ptr(cipher) + || !TEST_true(encrypt_decrypt(cipher, testmsg, sizeof(testmsg)))) { + if (!TEST_true(EVP_CIPHER_up_ref(cipher))) + goto err; + /* Ref count should now be 2. Release first one here */ + EVP_CIPHER_meth_free(cipher); + } + } else { + if (!TEST_ptr_null(cipher)) + goto err; + } + ret = 1; +err: + EVP_CIPHER_meth_free(cipher); + OSSL_PROVIDER_unload(prov[0]); + OSSL_PROVIDER_unload(prov[1]); + OPENSSL_CTX_free(ctx); + return ret; +} + +int setup_tests(void) +{ + OPTION_CHOICE o; + + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_ALG_FETCH_TYPE: + alg = opt_arg(); + break; + case OPT_FETCH_PROPERTY: + fetch_property = opt_arg(); + break; + case OPT_FETCH_FAILURE: + expected_fetch_result = 0; + break; + case OPT_USE_DEFAULTCTX: + use_default_ctx = 1; + break; + case OPT_TEST_CASES: + break; + default: + case OPT_ERR: + return 0; + } + } + if (strcmp(alg, "digest") == 0) + ADD_TEST(test_EVP_MD_fetch); + else + ADD_TEST(test_EVP_CIPHER_fetch); + return 1; +} -- cgit v1.2.1