diff --git a/CMakeLists.txt b/CMakeLists.txt index b13a79432..fe44d22e3 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -2705,6 +2705,13 @@ if(WOLFSSL_EXAMPLES) tests/api/test_ossl_x509_str.c tests/api/test_ossl_x509_lu.c tests/api/test_ossl_pem.c + tests/api/test_ossl_rand.c + tests/api/test_ossl_obj.c + tests/api/test_ossl_p7p12.c + tests/api/test_evp_digest.c + tests/api/test_evp_cipher.c + tests/api/test_evp_pkey.c + tests/api/test_certman.c tests/api/test_tls13.c tests/srp.c tests/suites.c diff --git a/tests/api.c b/tests/api.c index 5f8406b20..b5a7f8fcd 100644 --- a/tests/api.c +++ b/tests/api.c @@ -240,6 +240,13 @@ #include #include #include +#include +#include +#include +#include +#include +#include +#include #include #if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_TLS) && \ @@ -249,12 +256,6 @@ #define HAVE_SSL_MEMIO_TESTS_DEPENDENCIES #endif -#if !defined(NO_RSA) && !defined(NO_SHA) && !defined(NO_FILESYSTEM) && \ - !defined(NO_CERTS) && \ - (!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)) - #define HAVE_CERT_CHAIN_VALIDATION -#endif - #if defined(WOLFSSL_STATIC_MEMORY) && !defined(WOLFCRYPT_ONLY) #if (defined(HAVE_ECC) && !defined(ALT_ECC_SIZE)) || defined(SESSION_CERTS) #ifdef OPENSSL_EXTRA @@ -2783,2053 +2784,6 @@ static int test_wolfSSL_CTX_load_system_CA_certs(void) return res; } -#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_TLS) -static int test_cm_load_ca_buffer(const byte* cert_buf, size_t cert_sz, - int file_type) -{ - int ret; - WOLFSSL_CERT_MANAGER* cm; - - cm = wolfSSL_CertManagerNew(); - if (cm == NULL) { - fprintf(stderr, "test_cm_load_ca failed\n"); - return -1; - } - - ret = wolfSSL_CertManagerLoadCABuffer(cm, cert_buf, (sword32)cert_sz, file_type); - - wolfSSL_CertManagerFree(cm); - - return ret; -} - -static int test_cm_load_ca_file(const char* ca_cert_file) -{ - int ret = 0; - byte* cert_buf = NULL; - size_t cert_sz = 0; -#if defined(WOLFSSL_PEM_TO_DER) - DerBuffer* pDer = NULL; -#endif - - ret = load_file(ca_cert_file, &cert_buf, &cert_sz); - if (ret == 0) { - /* normal test */ - ret = test_cm_load_ca_buffer(cert_buf, cert_sz, CERT_FILETYPE); - - if (ret == WOLFSSL_SUCCESS) { - /* test including null terminator in length */ - byte* tmp = (byte*)realloc(cert_buf, cert_sz+1); - if (tmp == NULL) { - ret = MEMORY_E; - } - else { - cert_buf = tmp; - cert_buf[cert_sz] = '\0'; - ret = test_cm_load_ca_buffer(cert_buf, cert_sz+1, - CERT_FILETYPE); - } - - } - - #if defined(WOLFSSL_PEM_TO_DER) - if (ret == WOLFSSL_SUCCESS) { - /* test loading DER */ - ret = wc_PemToDer(cert_buf, (sword32)cert_sz, CA_TYPE, &pDer, - NULL, NULL, NULL); - if (ret == 0 && pDer != NULL) { - ret = test_cm_load_ca_buffer(pDer->buffer, pDer->length, - WOLFSSL_FILETYPE_ASN1); - - wc_FreeDer(&pDer); - } - } - #endif - - } - free(cert_buf); - - return ret; -} - -static int test_cm_load_ca_buffer_ex(const byte* cert_buf, size_t cert_sz, - int file_type, word32 flags) -{ - int ret; - WOLFSSL_CERT_MANAGER* cm; - - cm = wolfSSL_CertManagerNew(); - if (cm == NULL) { - fprintf(stderr, "test_cm_load_ca failed\n"); - return -1; - } - - ret = wolfSSL_CertManagerLoadCABuffer_ex(cm, cert_buf, (sword32)cert_sz, file_type, - 0, flags); - - wolfSSL_CertManagerFree(cm); - - return ret; -} - -static int test_cm_load_ca_file_ex(const char* ca_cert_file, word32 flags) -{ - int ret = 0; - byte* cert_buf = NULL; - size_t cert_sz = 0; -#if defined(WOLFSSL_PEM_TO_DER) - DerBuffer* pDer = NULL; -#endif - - ret = load_file(ca_cert_file, &cert_buf, &cert_sz); - if (ret == 0) { - /* normal test */ - ret = test_cm_load_ca_buffer_ex(cert_buf, cert_sz, - CERT_FILETYPE, flags); - - if (ret == WOLFSSL_SUCCESS) { - /* test including null terminator in length */ - byte* tmp = (byte*)realloc(cert_buf, cert_sz+1); - if (tmp == NULL) { - ret = MEMORY_E; - } - else { - cert_buf = tmp; - cert_buf[cert_sz] = '\0'; - ret = test_cm_load_ca_buffer_ex(cert_buf, cert_sz+1, - CERT_FILETYPE, flags); - } - - } - - #if defined(WOLFSSL_PEM_TO_DER) - if (ret == WOLFSSL_SUCCESS) { - /* test loading DER */ - ret = wc_PemToDer(cert_buf, (sword32)cert_sz, CA_TYPE, &pDer, - NULL, NULL, NULL); - if (ret == 0 && pDer != NULL) { - ret = test_cm_load_ca_buffer_ex(pDer->buffer, pDer->length, - WOLFSSL_FILETYPE_ASN1, flags); - - wc_FreeDer(&pDer); - } - } - #endif - - } - free(cert_buf); - - return ret; -} - -#endif /* !NO_FILESYSTEM && !NO_CERTS */ - -static int test_wolfSSL_CertManagerAPI(void) -{ - EXPECT_DECLS; -#ifndef NO_CERTS - WOLFSSL_CERT_MANAGER* cm = NULL; - unsigned char c = 0; - - ExpectNotNull(cm = wolfSSL_CertManagerNew_ex(NULL)); - - wolfSSL_CertManagerFree(NULL); - ExpectIntEQ(wolfSSL_CertManager_up_ref(NULL), 0); - ExpectIntEQ(wolfSSL_CertManagerUnloadCAs(NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); -#ifdef WOLFSSL_TRUST_PEER_CERT - ExpectIntEQ(wolfSSL_CertManagerUnload_trust_peers(NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); -#endif - - ExpectIntEQ(wolfSSL_CertManagerLoadCABuffer_ex(NULL, &c, 1, - WOLFSSL_FILETYPE_ASN1, 0, 0), WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); - -#if !defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH) - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(NULL, NULL, -1, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, NULL, -1, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(NULL, &c, -1, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(NULL, NULL, 1, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(NULL, &c, 1, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, NULL, 1, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, &c, -1, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, &c, 1, -1), - WC_NO_ERR_TRACE(WOLFSSL_BAD_FILETYPE)); -#endif - -#if !defined(NO_FILESYSTEM) - { - #ifdef WOLFSSL_PEM_TO_DER - const char* ca_cert = "./certs/ca-cert.pem"; - #if !defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH) - const char* ca_cert_der = "./certs/ca-cert.der"; - #endif - #else - const char* ca_cert = "./certs/ca-cert.der"; - #endif - const char* ca_path = "./certs"; - - #if !defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH) - ExpectIntEQ(wolfSSL_CertManagerVerify(NULL, NULL, -1), - WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerVerify(cm, NULL, WOLFSSL_FILETYPE_ASN1), - WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerVerify(NULL, ca_cert, - WOLFSSL_FILETYPE_PEM), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerVerify(cm, ca_cert, -1), - WC_NO_ERR_TRACE(WOLFSSL_BAD_FILETYPE)); -#ifdef WOLFSSL_PEM_TO_DER - ExpectIntEQ(wolfSSL_CertManagerVerify(cm, ca_cert_der, - WOLFSSL_FILETYPE_PEM), WC_NO_ERR_TRACE(ASN_NO_PEM_HEADER)); -#endif - ExpectIntEQ(wolfSSL_CertManagerVerify(cm, "no-file", - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(WOLFSSL_BAD_FILE)); - #endif - - ExpectIntEQ(wolfSSL_CertManagerLoadCA(NULL, NULL, NULL), - WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); - ExpectIntEQ(wolfSSL_CertManagerLoadCA(NULL, ca_cert, NULL), - WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); - ExpectIntEQ(wolfSSL_CertManagerLoadCA(NULL, NULL, ca_path), - WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); - ExpectIntEQ(wolfSSL_CertManagerLoadCA(NULL, ca_cert, ca_path), - WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); - } -#endif - -#ifdef OPENSSL_COMPATIBLE_DEFAULTS - ExpectIntEQ(wolfSSL_CertManagerEnableCRL(cm, 0), 1); -#elif !defined(HAVE_CRL) - ExpectIntEQ(wolfSSL_CertManagerEnableCRL(cm, 0), WC_NO_ERR_TRACE(NOT_COMPILED_IN)); -#endif - - ExpectIntEQ(wolfSSL_CertManagerDisableCRL(NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerDisableCRL(cm), 1); -#ifdef HAVE_CRL - /* Test APIs when CRL is disabled. */ -#ifdef HAVE_CRL_IO - ExpectIntEQ(wolfSSL_CertManagerSetCRL_IOCb(cm, NULL), 1); -#endif - ExpectIntEQ(wolfSSL_CertManagerCheckCRL(cm, server_cert_der_2048, - sizeof_server_cert_der_2048), 1); - ExpectIntEQ(wolfSSL_CertManagerFreeCRL(cm), 1); -#endif - - /* OCSP */ - ExpectIntEQ(wolfSSL_CertManagerEnableOCSP(NULL, 0), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerDisableOCSP(NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerEnableOCSPStapling(NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerDisableOCSPStapling(NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerEnableOCSPMustStaple(NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerDisableOCSPMustStaple(NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); -#if !defined(HAVE_CERTIFICATE_STATUS_REQUEST) && \ - !defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) - ExpectIntEQ(wolfSSL_CertManagerDisableOCSPStapling(cm), WC_NO_ERR_TRACE(NOT_COMPILED_IN)); - ExpectIntEQ(wolfSSL_CertManagerEnableOCSPMustStaple(cm), WC_NO_ERR_TRACE(NOT_COMPILED_IN)); - ExpectIntEQ(wolfSSL_CertManagerDisableOCSPMustStaple(cm), WC_NO_ERR_TRACE(NOT_COMPILED_IN)); -#endif - -#ifdef HAVE_OCSP - ExpectIntEQ(wolfSSL_CertManagerCheckOCSP(NULL, NULL, -1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerCheckOCSP(cm, NULL, -1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerCheckOCSP(NULL, &c, -1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerCheckOCSP(NULL, NULL, 1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerCheckOCSP(NULL, &c, 1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerCheckOCSP(cm, NULL, 1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerCheckOCSP(cm, &c, -1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - - ExpectIntEQ(wolfSSL_CertManagerCheckOCSPResponse(NULL, NULL, 0, - NULL, NULL, NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerCheckOCSPResponse(cm, NULL, 1, - NULL, NULL, NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerCheckOCSPResponse(NULL, &c, 1, - NULL, NULL, NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - - ExpectIntEQ(wolfSSL_CertManagerSetOCSPOverrideURL(NULL, NULL), - WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerSetOCSPOverrideURL(NULL, ""), - WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerSetOCSPOverrideURL(cm, NULL), 1); - - ExpectIntEQ(wolfSSL_CertManagerSetOCSP_Cb(NULL, NULL, NULL, NULL), - WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerSetOCSP_Cb(cm, NULL, NULL, NULL), 1); - - ExpectIntEQ(wolfSSL_CertManagerDisableOCSP(cm), 1); - /* Test APIs when OCSP is disabled. */ - ExpectIntEQ(wolfSSL_CertManagerCheckOCSPResponse(cm, &c, 1, - NULL, NULL, NULL, NULL), 1); - ExpectIntEQ(wolfSSL_CertManagerCheckOCSP(cm, &c, 1), 1); - -#endif - - ExpectIntEQ(wolfSSL_CertManager_up_ref(cm), 1); - if (EXPECT_SUCCESS()) { - wolfSSL_CertManagerFree(cm); - } - wolfSSL_CertManagerFree(cm); - cm = NULL; - - ExpectNotNull(cm = wolfSSL_CertManagerNew_ex(NULL)); - -#ifdef HAVE_OCSP - ExpectIntEQ(wolfSSL_CertManagerEnableOCSP(cm, WOLFSSL_OCSP_URL_OVERRIDE | - WOLFSSL_OCSP_CHECKALL), 1); -#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) || \ - defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) - ExpectIntEQ(wolfSSL_CertManagerEnableOCSPStapling(cm), 1); - ExpectIntEQ(wolfSSL_CertManagerEnableOCSPStapling(cm), 1); - ExpectIntEQ(wolfSSL_CertManagerDisableOCSPStapling(cm), 1); - ExpectIntEQ(wolfSSL_CertManagerEnableOCSPStapling(cm), 1); - ExpectIntEQ(wolfSSL_CertManagerEnableOCSPMustStaple(cm), 1); - ExpectIntEQ(wolfSSL_CertManagerDisableOCSPMustStaple(cm), 1); -#endif - - ExpectIntEQ(wolfSSL_CertManagerSetOCSPOverrideURL(cm, ""), 1); - ExpectIntEQ(wolfSSL_CertManagerSetOCSPOverrideURL(cm, ""), 1); -#endif - -#ifdef WOLFSSL_TRUST_PEER_CERT - ExpectIntEQ(wolfSSL_CertManagerUnload_trust_peers(cm), 1); -#endif - wolfSSL_CertManagerFree(cm); -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_CertManagerLoadCABuffer(void) -{ - EXPECT_DECLS; -#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_TLS) -#if defined(WOLFSSL_PEM_TO_DER) - const char* ca_cert = "./certs/ca-cert.pem"; - const char* ca_expired_cert = "./certs/test/expired/expired-ca.pem"; -#else - const char* ca_cert = "./certs/ca-cert.der"; - const char* ca_expired_cert = "./certs/test/expired/expired-ca.der"; -#endif - int ret; - - ExpectIntLE(ret = test_cm_load_ca_file(ca_cert), 1); -#if defined(NO_WOLFSSL_CLIENT) && defined(NO_WOLFSSL_SERVER) - ExpectIntEQ(ret, WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); -#elif defined(NO_RSA) - ExpectIntEQ(ret, WC_NO_ERR_TRACE(ASN_UNKNOWN_OID_E)); -#else - ExpectIntEQ(ret, WOLFSSL_SUCCESS); -#endif - - ExpectIntLE(ret = test_cm_load_ca_file(ca_expired_cert), 1); -#if defined(NO_WOLFSSL_CLIENT) && defined(NO_WOLFSSL_SERVER) - ExpectIntEQ(ret, WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); -#elif defined(NO_RSA) - ExpectIntEQ(ret, WC_NO_ERR_TRACE(ASN_UNKNOWN_OID_E)); -#elif !(WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS & WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY) && \ - !defined(NO_ASN_TIME) - ExpectIntEQ(ret, WC_NO_ERR_TRACE(ASN_AFTER_DATE_E)); -#else - ExpectIntEQ(ret, WOLFSSL_SUCCESS); -#endif -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_CertManagerLoadCABuffer_ex(void) -{ - EXPECT_DECLS; -#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_TLS) -#if defined(WOLFSSL_PEM_TO_DER) - const char* ca_cert = "./certs/ca-cert.pem"; - const char* ca_expired_cert = "./certs/test/expired/expired-ca.pem"; -#else - const char* ca_cert = "./certs/ca-cert.der"; - const char* ca_expired_cert = "./certs/test/expired/expired-ca.der"; -#endif - int ret; - - ExpectIntLE(ret = test_cm_load_ca_file_ex(ca_cert, WOLFSSL_LOAD_FLAG_NONE), - 1); -#if defined(NO_WOLFSSL_CLIENT) && defined(NO_WOLFSSL_SERVER) - ExpectIntEQ(ret, WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); -#elif defined(NO_RSA) - ExpectIntEQ(ret, WC_NO_ERR_TRACE(ASN_UNKNOWN_OID_E)); -#else - ExpectIntEQ(ret, WOLFSSL_SUCCESS); -#endif - - ExpectIntLE(ret = test_cm_load_ca_file_ex(ca_expired_cert, - WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY), 1); -#if defined(NO_WOLFSSL_CLIENT) && defined(NO_WOLFSSL_SERVER) - ExpectIntEQ(ret, WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); -#elif defined(NO_RSA) - ExpectIntEQ(ret, WC_NO_ERR_TRACE(ASN_UNKNOWN_OID_E)); -#elif !(WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS & WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY) && \ - !defined(NO_ASN_TIME) && defined(WOLFSSL_TRUST_PEER_CERT) && \ - defined(OPENSSL_COMPATIBLE_DEFAULTS) - ExpectIntEQ(ret, WC_NO_ERR_TRACE(ASN_AFTER_DATE_E)); -#else - ExpectIntEQ(ret, WOLFSSL_SUCCESS); -#endif - -#endif - - return EXPECT_RESULT(); -} - -static int test_wolfSSL_CertManagerLoadCABufferType(void) -{ - EXPECT_DECLS; -#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_TLS) && \ - !defined(NO_RSA) && !defined(NO_SHA256) && \ - !defined(WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION) -#if defined(WOLFSSL_PEM_TO_DER) - const char* ca_cert = "./certs/ca-cert.pem"; - const char* int1_cert = "./certs/intermediate/ca-int-cert.pem"; - const char* int2_cert = "./certs/intermediate/ca-int2-cert.pem"; - const char* client_cert = "./certs/intermediate/client-int-cert.pem"; -#else - const char* ca_cert = "./certs/ca-cert.der"; - const char* int1_cert = "./certs/intermediate/ca-int-cert.der"; - const char* int2_cert = "./certs/intermediate/ca-int2-cert.der"; - const char* client_cert = "./certs/intermediate/client-int-cert.der"; -#endif - byte* ca_cert_buf = NULL; - byte* int1_cert_buf = NULL; - byte* int2_cert_buf = NULL; - byte* client_cert_buf = NULL; - size_t ca_cert_sz = 0; - size_t int1_cert_sz = 0; - size_t int2_cert_sz = 0; - size_t client_cert_sz = 0; - WOLFSSL_CERT_MANAGER* cm = NULL; - - ExpectNotNull(cm = wolfSSL_CertManagerNew()); - ExpectIntEQ(load_file(ca_cert, &ca_cert_buf, &ca_cert_sz), 0); - ExpectIntEQ(load_file(int1_cert, &int1_cert_buf, &int1_cert_sz), 0); - ExpectIntEQ(load_file(int2_cert, &int2_cert_buf, &int2_cert_sz), 0); - ExpectIntEQ(load_file(client_cert, &client_cert_buf, &client_cert_sz), 0); - - ExpectIntNE(wolfSSL_CertManagerLoadCABufferType(cm, ca_cert_buf, - (sword32)ca_cert_sz, CERT_FILETYPE, 0, - WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, 0), WOLFSSL_SUCCESS); - ExpectIntNE(wolfSSL_CertManagerLoadCABufferType(cm, ca_cert_buf, - (sword32)ca_cert_sz, CERT_FILETYPE, 0, - WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, 5), WOLFSSL_SUCCESS); - - ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, ca_cert_buf, - (sword32)ca_cert_sz, CERT_FILETYPE, 0, - WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_USER_CA), - WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int1_cert_buf, - int1_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, int1_cert_buf, - (sword32)int1_cert_sz, CERT_FILETYPE, 0, - WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_USER_INTER), - WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf, - int2_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, int2_cert_buf, - (sword32)int2_cert_sz, CERT_FILETYPE, 0, - WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_USER_INTER), - WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf, - client_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, client_cert_buf, - (sword32)client_cert_sz, CERT_FILETYPE, 0, - WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_USER_INTER), - WOLFSSL_SUCCESS); - - ExpectIntEQ(wolfSSL_CertManagerUnloadTypeCerts(cm, WOLFSSL_USER_INTER), - WOLFSSL_SUCCESS); - - /* Intermediate certs have been unloaded, but CA cert is still - loaded. Expect first level intermediate to verify, rest to fail. */ - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int1_cert_buf, - int1_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); - ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf, - int2_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); - ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf, - client_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); - - ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, int1_cert_buf, - (sword32)int1_cert_sz, CERT_FILETYPE, 0, - WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_TEMP_CA), - WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf, - int2_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, int2_cert_buf, - (sword32)int2_cert_sz, CERT_FILETYPE, 0, - WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_CHAIN_CA), - WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf, - client_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, client_cert_buf, - (sword32)client_cert_sz, CERT_FILETYPE, 0, - WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_USER_INTER), - WOLFSSL_SUCCESS); - - ExpectIntEQ(wolfSSL_CertManagerUnloadTypeCerts(cm, WOLFSSL_USER_INTER), - WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int1_cert_buf, - int1_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf, - int2_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf, - client_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); - - ExpectIntEQ(wolfSSL_CertManagerUnloadTypeCerts(cm, WOLFSSL_CHAIN_CA), - WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int1_cert_buf, - int1_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf, - int2_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); - ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf, - client_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); - - ExpectIntEQ(wolfSSL_CertManagerUnloadTypeCerts(cm, WOLFSSL_TEMP_CA), - WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int1_cert_buf, - int1_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); - ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf, - int2_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); - ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf, - client_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); - - ExpectIntEQ(wolfSSL_CertManagerUnloadTypeCerts(cm, WOLFSSL_USER_CA), - WOLFSSL_SUCCESS); - ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, int1_cert_buf, - int1_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); - ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf, - int2_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); - ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf, - client_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); - - if (cm) - wolfSSL_CertManagerFree(cm); - if (ca_cert_buf) - free(ca_cert_buf); - if (int1_cert_buf) - free(int1_cert_buf); - if (int2_cert_buf) - free(int2_cert_buf); - if (client_cert_buf) - free(client_cert_buf); -#endif - - return EXPECT_RESULT(); -} - -static int test_wolfSSL_CertManagerGetCerts(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_ALL) && !defined(NO_CERTS) && \ - !defined(NO_FILESYSTEM) && !defined(NO_RSA) && \ - defined(WOLFSSL_SIGNER_DER_CERT) - WOLFSSL_CERT_MANAGER* cm = NULL; - WOLFSSL_STACK* sk = NULL; - X509* x509 = NULL; - X509* cert1 = NULL; - FILE* file1 = NULL; -#ifdef DEBUG_WOLFSSL_VERBOSE - WOLFSSL_BIO* bio = NULL; -#endif - int i = 0; - int ret = 0; - const byte* der = NULL; - int derSz = 0; - - ExpectNotNull(file1 = fopen("./certs/ca-cert.pem", "rb")); - - ExpectNotNull(cert1 = wolfSSL_PEM_read_X509(file1, NULL, NULL, NULL)); - if (file1 != NULL) { - fclose(file1); - } - - ExpectNull(sk = wolfSSL_CertManagerGetCerts(NULL)); - ExpectNotNull(cm = wolfSSL_CertManagerNew_ex(NULL)); - ExpectNull(sk = wolfSSL_CertManagerGetCerts(cm)); - - ExpectNotNull(der = wolfSSL_X509_get_der(cert1, &derSz)); -#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) - /* Check that ASN_SELF_SIGNED_E is returned for a self-signed cert for QT - * and full OpenSSL compatibility */ - ExpectIntEQ(ret = wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_SELF_SIGNED_E)); -#else - ExpectIntEQ(ret = wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NO_SIGNER_E)); -#endif - - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CertManagerLoadCA(cm, - "./certs/ca-cert.pem", NULL)); - - ExpectNotNull(sk = wolfSSL_CertManagerGetCerts(cm)); - - for (i = 0; EXPECT_SUCCESS() && i < sk_X509_num(sk); i++) { - ExpectNotNull(x509 = sk_X509_value(sk, i)); - ExpectIntEQ(0, wolfSSL_X509_cmp(x509, cert1)); - -#ifdef DEBUG_WOLFSSL_VERBOSE - bio = BIO_new(wolfSSL_BIO_s_file()); - if (bio != NULL) { - BIO_set_fp(bio, stderr, BIO_NOCLOSE); - X509_print(bio, x509); - BIO_free(bio); - } -#endif /* DEBUG_WOLFSSL_VERBOSE */ - } - wolfSSL_X509_free(cert1); - sk_X509_pop_free(sk, NULL); - wolfSSL_CertManagerFree(cm); -#endif /* defined(OPENSSL_ALL) && !defined(NO_CERTS) && \ - !defined(NO_FILESYSTEM) && !defined(NO_RSA) && \ - defined(WOLFSSL_SIGNER_DER_CERT) */ - - return EXPECT_RESULT(); -} - -static int test_wolfSSL_CertManagerSetVerify(void) -{ - EXPECT_DECLS; -#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_TLS) && \ - !defined(NO_WOLFSSL_CM_VERIFY) && !defined(NO_RSA) && \ - (!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)) - WOLFSSL_CERT_MANAGER* cm = NULL; - int tmp = myVerifyAction; -#ifdef WOLFSSL_PEM_TO_DER - const char* ca_cert = "./certs/ca-cert.pem"; - const char* expiredCert = "./certs/test/expired/expired-cert.pem"; -#else - const char* ca_cert = "./certs/ca-cert.der"; - const char* expiredCert = "./certs/test/expired/expired-cert.der"; -#endif - - wolfSSL_CertManagerSetVerify(NULL, NULL); - wolfSSL_CertManagerSetVerify(NULL, myVerify); - - ExpectNotNull(cm = wolfSSL_CertManagerNew()); - - wolfSSL_CertManagerSetVerify(cm, myVerify); - -#if defined(NO_WOLFSSL_CLIENT) && defined(NO_WOLFSSL_SERVER) - ExpectIntEQ(wolfSSL_CertManagerLoadCA(cm, ca_cert, NULL), -1); -#else - ExpectIntEQ(wolfSSL_CertManagerLoadCA(cm, ca_cert, NULL), - WOLFSSL_SUCCESS); -#endif - /* Use the test CB that always accepts certs */ - myVerifyAction = VERIFY_OVERRIDE_ERROR; - - ExpectIntEQ(wolfSSL_CertManagerVerify(cm, expiredCert, - CERT_FILETYPE), WOLFSSL_SUCCESS); - -#ifdef WOLFSSL_ALWAYS_VERIFY_CB - { - const char* verifyCert = "./certs/server-cert.der"; - /* Use the test CB that always fails certs */ - myVerifyAction = VERIFY_FORCE_FAIL; - - ExpectIntEQ(wolfSSL_CertManagerVerify(cm, verifyCert, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(VERIFY_CERT_ERROR)); - } -#endif - - wolfSSL_CertManagerFree(cm); - myVerifyAction = tmp; -#endif - - return EXPECT_RESULT(); -} - - -static int test_wolfSSL_CertManagerNameConstraint(void) -{ - EXPECT_DECLS; -#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \ - !defined(NO_WOLFSSL_CM_VERIFY) && !defined(NO_RSA) && \ - defined(OPENSSL_EXTRA) && defined(WOLFSSL_CERT_GEN) && \ - defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_ALT_NAMES) && \ - !defined(NO_SHA256) - WOLFSSL_CERT_MANAGER* cm = NULL; - WOLFSSL_EVP_PKEY *priv = NULL; - WOLFSSL_X509_NAME* name = NULL; - const char* ca_cert = "./certs/test/cert-ext-nc.der"; - const char* server_cert = "./certs/test/server-goodcn.pem"; - int i = 0; - static const byte extNameConsOid[] = {85, 29, 30}; - - RsaKey key; - WC_RNG rng; - byte *der = NULL; - int derSz = 0; - word32 idx = 0; - byte *pt; - WOLFSSL_X509 *x509 = NULL; - WOLFSSL_X509 *ca = NULL; - - wc_InitRng(&rng); - - /* load in CA private key for signing */ - ExpectIntEQ(wc_InitRsaKey_ex(&key, HEAP_HINT, testDevId), 0); - ExpectIntEQ(wc_RsaPrivateKeyDecode(server_key_der_2048, &idx, &key, - sizeof_server_key_der_2048), 0); - - /* get ca certificate then alter it */ - ExpectNotNull(der = - (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER)); - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(ca_cert, - WOLFSSL_FILETYPE_ASN1)); - ExpectNotNull(pt = (byte*)wolfSSL_X509_get_tbs(x509, &derSz)); - if (EXPECT_SUCCESS() && (der != NULL)) { - XMEMCPY(der, pt, (size_t)derSz); - - /* find the name constraint extension and alter it */ - pt = der; - for (i = 0; i < derSz - 3; i++) { - if (XMEMCMP(pt, extNameConsOid, 3) == 0) { - pt += 3; - break; - } - pt++; - } - ExpectIntNE(i, derSz - 3); /* did not find OID if this case is hit */ - - /* go to the length value and set it to 0 */ - while (i < derSz && *pt != 0x81) { - pt++; - i++; - } - ExpectIntNE(i, derSz); /* did not place to alter */ - pt++; - *pt = 0x00; - } - - /* resign the altered certificate */ - ExpectIntGT((derSz = wc_SignCert(derSz, CTC_SHA256wRSA, der, - FOURK_BUF, &key, NULL, &rng)), 0); - - ExpectNotNull(cm = wolfSSL_CertManagerNew()); - ExpectIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_PARSE_E)); - wolfSSL_CertManagerFree(cm); - - XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wolfSSL_X509_free(x509); - wc_FreeRsaKey(&key); - wc_FreeRng(&rng); - - /* add email alt name to satisfy constraint */ - pt = (byte*)server_key_der_2048; - ExpectNotNull(priv = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL, - (const unsigned char**)&pt, sizeof_server_key_der_2048)); - - ExpectNotNull(cm = wolfSSL_CertManagerNew()); - ExpectNotNull(ca = wolfSSL_X509_load_certificate_file(ca_cert, - WOLFSSL_FILETYPE_ASN1)); - - ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(ca, &derSz))); - DEBUG_WRITE_DER(der, derSz, "ca.der"); - - ExpectIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); - - /* Good cert test with proper alt email name */ - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, - WOLFSSL_FILETYPE_PEM)); - ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); - ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); - name = NULL; - - ExpectNotNull(name = X509_NAME_new()); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, - (byte*)"US", 2, -1, 0), SSL_SUCCESS); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8, - (byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "emailAddress", MBSTRING_UTF8, - (byte*)"support@info.wolfssl.com", 24, -1, 0), SSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); - X509_NAME_free(name); - name = NULL; - - wolfSSL_X509_add_altname(x509, "wolfssl@info.wolfssl.com", ASN_RFC822_TYPE); - - ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); - DEBUG_WRITE_CERT_X509(x509, "good-cert.pem"); - - ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); - wolfSSL_X509_free(x509); - x509 = NULL; - - - /* Cert with bad alt name list */ - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, - WOLFSSL_FILETYPE_PEM)); - ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); - ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); - name = NULL; - - ExpectNotNull(name = X509_NAME_new()); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, - (byte*)"US", 2, -1, 0), SSL_SUCCESS); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8, - (byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "emailAddress", MBSTRING_UTF8, - (byte*)"support@info.wolfssl.com", 24, -1, 0), SSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); - X509_NAME_free(name); - - wolfSSL_X509_add_altname(x509, "wolfssl@info.com", ASN_RFC822_TYPE); - wolfSSL_X509_add_altname(x509, "wolfssl@info.wolfssl.com", ASN_RFC822_TYPE); - - ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); - DEBUG_WRITE_CERT_X509(x509, "bad-cert.pem"); - - ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E)); - - wolfSSL_CertManagerFree(cm); - wolfSSL_X509_free(x509); - wolfSSL_X509_free(ca); - wolfSSL_EVP_PKEY_free(priv); -#endif - - return EXPECT_RESULT(); -} - - -static int test_wolfSSL_CertManagerNameConstraint2(void) -{ - EXPECT_DECLS; -#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \ - !defined(NO_WOLFSSL_CM_VERIFY) && !defined(NO_RSA) && \ - defined(OPENSSL_EXTRA) && defined(WOLFSSL_CERT_GEN) && \ - defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_ALT_NAMES) - const char* ca_cert = "./certs/test/cert-ext-ndir.der"; - const char* ca_cert2 = "./certs/test/cert-ext-ndir-exc.der"; - const char* server_cert = "./certs/server-cert.pem"; - WOLFSSL_CERT_MANAGER* cm = NULL; - WOLFSSL_X509 *x509 = NULL; - WOLFSSL_X509 *ca = NULL; - - const unsigned char *der = NULL; - const unsigned char *pt; - WOLFSSL_EVP_PKEY *priv = NULL; - WOLFSSL_X509_NAME* name = NULL; - int derSz = 0; - - /* C=US*/ - char altName[] = { - 0x30, 0x0D, 0x31, 0x0B, 0x30, 0x09, - 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53 - }; - - /* C=ID */ - char altNameFail[] = { - 0x30, 0x0D, 0x31, 0x0B, 0x30, 0x09, - 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x49, 0x44 - }; - - /* C=US ST=California*/ - char altNameExc[] = { - 0x30, 0x22, - 0x31, 0x0B, - 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, - 0x31, 0x13, - 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x0A, - 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61 - }; - /* load in CA private key for signing */ - pt = ca_key_der_2048; - ExpectNotNull(priv = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL, &pt, - sizeof_ca_key_der_2048)); - - ExpectNotNull(cm = wolfSSL_CertManagerNew()); - ExpectNotNull(ca = wolfSSL_X509_load_certificate_file(ca_cert, - WOLFSSL_FILETYPE_ASN1)); - ExpectNotNull((der = wolfSSL_X509_get_der(ca, &derSz))); - ExpectIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); - - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, - WOLFSSL_FILETYPE_PEM)); - ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); - ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); -#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_256) - wolfSSL_X509_sign(x509, priv, EVP_sha3_256()); -#else - wolfSSL_X509_sign(x509, priv, EVP_sha256()); -#endif - ExpectNotNull((der = wolfSSL_X509_get_der(x509, &derSz))); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); - - /* Test no name case. */ - ExpectIntEQ(wolfSSL_X509_add_altname_ex(x509, NULL, 0, ASN_DIR_TYPE), - WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_add_altname(x509, "", ASN_DIR_TYPE), - WOLFSSL_SUCCESS); - /* IP not supported. */ - ExpectIntEQ(wolfSSL_X509_add_altname(x509, "127.0.0.1", ASN_IP_TYPE), - WOLFSSL_FAILURE); - - /* add in matching DIR alt name and resign */ - wolfSSL_X509_add_altname_ex(x509, altName, sizeof(altName), ASN_DIR_TYPE); -#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_256) - wolfSSL_X509_sign(x509, priv, EVP_sha3_256()); -#else - wolfSSL_X509_sign(x509, priv, EVP_sha256()); -#endif - - ExpectNotNull((der = wolfSSL_X509_get_der(x509, &derSz))); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); - wolfSSL_X509_free(x509); - x509 = NULL; - - /* check verify fail */ - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, - WOLFSSL_FILETYPE_PEM)); - ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); - ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); - - /* add in miss matching DIR alt name and resign */ - wolfSSL_X509_add_altname_ex(x509, altNameFail, sizeof(altNameFail), - ASN_DIR_TYPE); - -#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_256) - wolfSSL_X509_sign(x509, priv, EVP_sha3_256()); -#else - wolfSSL_X509_sign(x509, priv, EVP_sha256()); -#endif - ExpectNotNull((der = wolfSSL_X509_get_der(x509, &derSz))); -#ifndef WOLFSSL_NO_ASN_STRICT - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E)); -#else - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); -#endif - - /* check that it still fails if one bad altname and one good altname is in - * the certificate */ - wolfSSL_X509_free(x509); - x509 = NULL; - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, - WOLFSSL_FILETYPE_PEM)); - ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); - ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); - wolfSSL_X509_add_altname_ex(x509, altName, sizeof(altName), ASN_DIR_TYPE); - wolfSSL_X509_add_altname_ex(x509, altNameFail, sizeof(altNameFail), - ASN_DIR_TYPE); - -#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_256) - wolfSSL_X509_sign(x509, priv, EVP_sha3_256()); -#else - wolfSSL_X509_sign(x509, priv, EVP_sha256()); -#endif - ExpectNotNull((der = wolfSSL_X509_get_der(x509, &derSz))); -#ifndef WOLFSSL_NO_ASN_STRICT - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E)); -#else - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); -#endif - - /* check it fails with switching position of bad altname */ - wolfSSL_X509_free(x509); - x509 = NULL; - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, - WOLFSSL_FILETYPE_PEM)); - ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); - ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); - wolfSSL_X509_add_altname_ex(x509, altNameFail, sizeof(altNameFail), - ASN_DIR_TYPE); - wolfSSL_X509_add_altname_ex(x509, altName, sizeof(altName), ASN_DIR_TYPE); - -#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_256) - wolfSSL_X509_sign(x509, priv, EVP_sha3_256()); -#else - wolfSSL_X509_sign(x509, priv, EVP_sha256()); -#endif - ExpectNotNull((der = wolfSSL_X509_get_der(x509, &derSz))); -#ifndef WOLFSSL_NO_ASN_STRICT - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E)); -#else - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); -#endif - wolfSSL_CertManagerFree(cm); - - wolfSSL_X509_free(x509); - x509 = NULL; - wolfSSL_X509_free(ca); - ca = NULL; - - /* now test with excluded name constraint */ - ExpectNotNull(cm = wolfSSL_CertManagerNew()); - ExpectNotNull(ca = wolfSSL_X509_load_certificate_file(ca_cert2, - WOLFSSL_FILETYPE_ASN1)); - ExpectNotNull((der = wolfSSL_X509_get_der(ca, &derSz))); - ExpectIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); - - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, - WOLFSSL_FILETYPE_PEM)); - wolfSSL_X509_add_altname_ex(x509, altNameExc, sizeof(altNameExc), - ASN_DIR_TYPE); - ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); - ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); - -#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_256) - wolfSSL_X509_sign(x509, priv, EVP_sha3_256()); -#else - wolfSSL_X509_sign(x509, priv, EVP_sha256()); -#endif - ExpectNotNull((der = wolfSSL_X509_get_der(x509, &derSz))); -#ifndef WOLFSSL_NO_ASN_STRICT - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E)); -#else - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); -#endif - wolfSSL_CertManagerFree(cm); - wolfSSL_X509_free(x509); - wolfSSL_X509_free(ca); - wolfSSL_EVP_PKEY_free(priv); -#endif - - return EXPECT_RESULT(); -} - -static int test_wolfSSL_CertManagerNameConstraint3(void) -{ - EXPECT_DECLS; -#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \ - !defined(NO_WOLFSSL_CM_VERIFY) && !defined(NO_RSA) && \ - defined(OPENSSL_EXTRA) && defined(WOLFSSL_CERT_GEN) && \ - defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_ALT_NAMES) && \ - !defined(NO_SHA256) - WOLFSSL_CERT_MANAGER* cm = NULL; - WOLFSSL_EVP_PKEY *priv = NULL; - WOLFSSL_X509_NAME* name = NULL; - const char* ca_cert = "./certs/test/cert-ext-mnc.der"; - const char* server_cert = "./certs/test/server-goodcn.pem"; - - byte *der = NULL; - int derSz = 0; - byte *pt; - WOLFSSL_X509 *x509 = NULL; - WOLFSSL_X509 *ca = NULL; - - pt = (byte*)server_key_der_2048; - ExpectNotNull(priv = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL, - (const unsigned char**)&pt, sizeof_server_key_der_2048)); - - ExpectNotNull(cm = wolfSSL_CertManagerNew()); - ExpectNotNull(ca = wolfSSL_X509_load_certificate_file(ca_cert, - WOLFSSL_FILETYPE_ASN1)); - ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(ca, &derSz))); - DEBUG_WRITE_DER(der, derSz, "ca.der"); - - ExpectIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); - - /* check satisfying .wolfssl.com constraint passes */ - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, - WOLFSSL_FILETYPE_PEM)); - ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); - ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); - name = NULL; - - ExpectNotNull(name = X509_NAME_new()); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, - (byte*)"US", 2, -1, 0), SSL_SUCCESS); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8, - (byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "emailAddress", MBSTRING_UTF8, - (byte*)"support@info.wolfssl.com", 24, -1, 0), SSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); - X509_NAME_free(name); - name = NULL; - - wolfSSL_X509_add_altname(x509, "wolfssl@info.wolfssl.com", ASN_RFC822_TYPE); - - ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); - DEBUG_WRITE_CERT_X509(x509, "good-1st-constraint-cert.pem"); - - ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); - wolfSSL_X509_free(x509); - x509 = NULL; - - /* check satisfying .random.com constraint passes */ - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, - WOLFSSL_FILETYPE_PEM)); - ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); - ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); - name = NULL; - - ExpectNotNull(name = X509_NAME_new()); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, - (byte*)"US", 2, -1, 0), SSL_SUCCESS); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8, - (byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "emailAddress", MBSTRING_UTF8, - (byte*)"support@info.example.com", 24, -1, 0), SSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); - X509_NAME_free(name); - name = NULL; - - wolfSSL_X509_add_altname(x509, "wolfssl@info.example.com", ASN_RFC822_TYPE); - - ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); - DEBUG_WRITE_CERT_X509(x509, "good-2nd-constraint-cert.pem"); - - ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); - wolfSSL_X509_free(x509); - x509 = NULL; - - /* check fail case when neither constraint is matched */ - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, - WOLFSSL_FILETYPE_PEM)); - ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); - ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); - name = NULL; - - ExpectNotNull(name = X509_NAME_new()); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, - (byte*)"US", 2, -1, 0), SSL_SUCCESS); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8, - (byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "emailAddress", MBSTRING_UTF8, - (byte*)"support@info.com", 16, -1, 0), SSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); - X509_NAME_free(name); - - wolfSSL_X509_add_altname(x509, "wolfssl@info.com", ASN_RFC822_TYPE); - - ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); - DEBUG_WRITE_CERT_X509(x509, "bad-cert.pem"); - - ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E)); - - wolfSSL_CertManagerFree(cm); - wolfSSL_X509_free(x509); - wolfSSL_X509_free(ca); - wolfSSL_EVP_PKEY_free(priv); -#endif - - return EXPECT_RESULT(); -} - -static int test_wolfSSL_CertManagerNameConstraint4(void) -{ - EXPECT_DECLS; -#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \ - !defined(NO_WOLFSSL_CM_VERIFY) && !defined(NO_RSA) && \ - defined(OPENSSL_EXTRA) && defined(WOLFSSL_CERT_GEN) && \ - defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_ALT_NAMES) && \ - !defined(NO_SHA256) - WOLFSSL_CERT_MANAGER* cm = NULL; - WOLFSSL_EVP_PKEY *priv = NULL; - WOLFSSL_X509_NAME* name = NULL; - const char* ca_cert = "./certs/test/cert-ext-ncdns.der"; - const char* server_cert = "./certs/test/server-goodcn.pem"; - - byte *der = NULL; - int derSz; - byte *pt; - WOLFSSL_X509 *x509 = NULL; - WOLFSSL_X509 *ca = NULL; - - pt = (byte*)server_key_der_2048; - ExpectNotNull(priv = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL, - (const unsigned char**)&pt, sizeof_server_key_der_2048)); - - ExpectNotNull(cm = wolfSSL_CertManagerNew()); - ExpectNotNull(ca = wolfSSL_X509_load_certificate_file(ca_cert, - WOLFSSL_FILETYPE_ASN1)); - ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(ca, &derSz))); - DEBUG_WRITE_DER(der, derSz, "ca.der"); - - ExpectIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); - - /* check satisfying wolfssl.com constraint passes */ - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, - WOLFSSL_FILETYPE_PEM)); - ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); - ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); - name = NULL; - - ExpectNotNull(name = X509_NAME_new()); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, - (byte*)"US", 2, -1, 0), SSL_SUCCESS); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8, - (byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); - X509_NAME_free(name); - name = NULL; - - wolfSSL_X509_add_altname(x509, "www.wolfssl.com", ASN_DNS_TYPE); - ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); - DEBUG_WRITE_CERT_X509(x509, "good-1st-constraint-cert.pem"); - - ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); - wolfSSL_X509_free(x509); - x509 = NULL; - - /* check satisfying example.com constraint passes */ - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, - WOLFSSL_FILETYPE_PEM)); - ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); - ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); - name = NULL; - - ExpectNotNull(name = X509_NAME_new()); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, - (byte*)"US", 2, -1, 0), SSL_SUCCESS); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8, - (byte*)"example.com", 11, -1, 0), SSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); - X509_NAME_free(name); - name = NULL; - - wolfSSL_X509_add_altname(x509, "www.example.com", ASN_DNS_TYPE); - ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); - DEBUG_WRITE_CERT_X509(x509, "good-2nd-constraint-cert.pem"); - - ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); - wolfSSL_X509_free(x509); - x509 = NULL; - - /* check satisfying wolfssl.com constraint passes with list of DNS's */ - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, - WOLFSSL_FILETYPE_PEM)); - ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); - ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); - name = NULL; - - ExpectNotNull(name = X509_NAME_new()); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, - (byte*)"US", 2, -1, 0), SSL_SUCCESS); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8, - (byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); - X509_NAME_free(name); - name = NULL; - - wolfSSL_X509_add_altname(x509, "www.wolfssl.com", ASN_DNS_TYPE); - wolfSSL_X509_add_altname(x509, "www.info.wolfssl.com", ASN_DNS_TYPE); - wolfSSL_X509_add_altname(x509, "extra.wolfssl.com", ASN_DNS_TYPE); - ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); - DEBUG_WRITE_CERT_X509(x509, "good-multiple-constraint-cert.pem"); - - ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); - wolfSSL_X509_free(x509); - x509 = NULL; - - /* check fail when one DNS in the list is bad */ - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, - WOLFSSL_FILETYPE_PEM)); - ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); - ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); - name = NULL; - - ExpectNotNull(name = X509_NAME_new()); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, - (byte*)"US", 2, -1, 0), SSL_SUCCESS); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8, - (byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); - X509_NAME_free(name); - name = NULL; - - wolfSSL_X509_add_altname(x509, "www.wolfssl.com", ASN_DNS_TYPE); - wolfSSL_X509_add_altname(x509, "www.nomatch.com", ASN_DNS_TYPE); - wolfSSL_X509_add_altname(x509, "www.info.wolfssl.com", ASN_DNS_TYPE); - ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); - DEBUG_WRITE_CERT_X509(x509, "bad-multiple-constraint-cert.pem"); - - ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E)); - wolfSSL_X509_free(x509); - x509 = NULL; - - /* check fail case when neither constraint is matched */ - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, - WOLFSSL_FILETYPE_PEM)); - ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); - ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); - name = NULL; - - ExpectNotNull(name = X509_NAME_new()); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, - (byte*)"US", 2, -1, 0), SSL_SUCCESS); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8, - (byte*)"common", 6, -1, 0), SSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); - X509_NAME_free(name); - - wolfSSL_X509_add_altname(x509, "www.random.com", ASN_DNS_TYPE); - ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); - DEBUG_WRITE_CERT_X509(x509, "bad-cert.pem"); - - ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E)); - - wolfSSL_CertManagerFree(cm); - wolfSSL_X509_free(x509); - wolfSSL_X509_free(ca); - wolfSSL_EVP_PKEY_free(priv); -#endif - - return EXPECT_RESULT(); -} - -static int test_wolfSSL_CertManagerNameConstraint5(void) -{ - EXPECT_DECLS; -#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \ - !defined(NO_WOLFSSL_CM_VERIFY) && !defined(NO_RSA) && \ - defined(OPENSSL_EXTRA) && defined(WOLFSSL_CERT_GEN) && \ - defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_ALT_NAMES) && \ - !defined(NO_SHA256) - WOLFSSL_CERT_MANAGER* cm = NULL; - WOLFSSL_EVP_PKEY *priv = NULL; - WOLFSSL_X509_NAME* name = NULL; - const char* ca_cert = "./certs/test/cert-ext-ncmixed.der"; - const char* server_cert = "./certs/test/server-goodcn.pem"; - - byte *der = NULL; - int derSz; - byte *pt; - WOLFSSL_X509 *x509 = NULL; - WOLFSSL_X509 *ca = NULL; - - pt = (byte*)server_key_der_2048; - ExpectNotNull(priv = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL, - (const unsigned char**)&pt, sizeof_server_key_der_2048)); - - ExpectNotNull(cm = wolfSSL_CertManagerNew()); - ExpectNotNull(ca = wolfSSL_X509_load_certificate_file(ca_cert, - WOLFSSL_FILETYPE_ASN1)); - ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(ca, &derSz))); - DEBUG_WRITE_DER(der, derSz, "ca.der"); - - ExpectIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); - - /* check satisfying wolfssl.com constraint passes */ - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, - WOLFSSL_FILETYPE_PEM)); - ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); - ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); - name = NULL; - - ExpectNotNull(name = X509_NAME_new()); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, - (byte*)"US", 2, -1, 0), SSL_SUCCESS); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8, - (byte*)"example", 7, -1, 0), SSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); - X509_NAME_free(name); - name = NULL; - - wolfSSL_X509_add_altname(x509, "good.example", ASN_DNS_TYPE); - wolfSSL_X509_add_altname(x509, "facts@into.wolfssl.com", ASN_RFC822_TYPE); - ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); - DEBUG_WRITE_CERT_X509(x509, "good-cert.pem"); - - ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); - wolfSSL_X509_free(x509); - x509 = NULL; - - /* fail with DNS check because of common name */ - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, - WOLFSSL_FILETYPE_PEM)); - ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); - ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); - name = NULL; - - ExpectNotNull(name = X509_NAME_new()); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, - (byte*)"US", 2, -1, 0), SSL_SUCCESS); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8, - (byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); - X509_NAME_free(name); - name = NULL; - - wolfSSL_X509_add_altname(x509, "example", ASN_DNS_TYPE); - wolfSSL_X509_add_altname(x509, "facts@wolfssl.com", ASN_RFC822_TYPE); - ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); - DEBUG_WRITE_CERT_X509(x509, "bad-cn-cert.pem"); - - ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E)); - wolfSSL_X509_free(x509); - x509 = NULL; - - /* fail on permitted DNS name constraint */ - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, - WOLFSSL_FILETYPE_PEM)); - ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); - ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); - name = NULL; - - ExpectNotNull(name = X509_NAME_new()); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, - (byte*)"US", 2, -1, 0), SSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); - X509_NAME_free(name); - name = NULL; - - wolfSSL_X509_add_altname(x509, "www.example", ASN_DNS_TYPE); - wolfSSL_X509_add_altname(x509, "www.wolfssl", ASN_DNS_TYPE); - wolfSSL_X509_add_altname(x509, "info@wolfssl.com", ASN_RFC822_TYPE); - ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); - DEBUG_WRITE_CERT_X509(x509, "bad-1st-constraint-cert.pem"); - - ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E)); - wolfSSL_X509_free(x509); - x509 = NULL; - - /* fail on permitted email name constraint */ - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, - WOLFSSL_FILETYPE_PEM)); - ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); - ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); - name = NULL; - - ExpectNotNull(name = X509_NAME_new()); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, - (byte*)"US", 2, -1, 0), SSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); - X509_NAME_free(name); - name = NULL; - - wolfSSL_X509_add_altname(x509, "example", ASN_DNS_TYPE); - wolfSSL_X509_add_altname(x509, "info@wolfssl.com", ASN_RFC822_TYPE); - wolfSSL_X509_add_altname(x509, "info@example.com", ASN_RFC822_TYPE); - ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); - DEBUG_WRITE_CERT_X509(x509, "bad-2nd-constraint-cert.pem"); - - ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E)); - wolfSSL_X509_free(x509); - x509 = NULL; - - /* success with empty email name */ - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, - WOLFSSL_FILETYPE_PEM)); - ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); - ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); - name = NULL; - - ExpectNotNull(name = X509_NAME_new()); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, - (byte*)"US", 2, -1, 0), SSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); - X509_NAME_free(name); - - wolfSSL_X509_add_altname(x509, "example", ASN_DNS_TYPE); - ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); - DEBUG_WRITE_CERT_X509(x509, "good-missing-constraint-cert.pem"); - - ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); - wolfSSL_X509_free(x509); - - wolfSSL_CertManagerFree(cm); - wolfSSL_X509_free(ca); - wolfSSL_EVP_PKEY_free(priv); -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_CRL_duplicate_extensions(void) -{ - EXPECT_DECLS; -#if defined(WOLFSSL_ASN_TEMPLATE) && !defined(NO_CERTS) && \ - defined(HAVE_CRL) && !defined(NO_RSA) && !defined(WOLFSSL_NO_ASN_STRICT) && \ - (defined(WC_ASN_RUNTIME_DATE_CHECK_CONTROL) || defined(NO_ASN_TIME_CHECK)) - const unsigned char crl_duplicate_akd[] = - "-----BEGIN X509 CRL-----\n" - "MIICCDCB8QIBATANBgkqhkiG9w0BAQsFADB5MQswCQYDVQQGEwJVUzETMBEGA1UE\n" - "CAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzETMBEGA1UECgwK\n" - "TXkgQ29tcGFueTETMBEGA1UEAwwKTXkgUm9vdCBDQTETMBEGA1UECwwKTXkgUm9v\n" - "dCBDQRcNMjQwOTAxMDAwMDAwWhcNMjUxMjAxMDAwMDAwWqBEMEIwHwYDVR0jBBgw\n" - "FoAU72ng99Ud5pns3G3Q9+K5XGRxgzUwHwYDVR0jBBgwFoAU72ng99Ud5pns3G3Q\n" - "9+K5XGRxgzUwDQYJKoZIhvcNAQELBQADggEBAIFVw4jrS4taSXR/9gPzqGrqFeHr\n" - "IXCnFtHJTLxqa8vUOAqSwqysvNpepVKioMVoGrLjFMjANjWQqTEiMROAnLfJ/+L8\n" - "FHZkV/mZwOKAXMhIC9MrJzifxBICwmvD028qnwQm09EP8z4ICZptD6wPdRTDzduc\n" - "KBuAX+zn8pNrJgyrheRKpPgno9KsbCzK4D/RIt1sTK2M3vVOtY+vpsN70QYUXvQ4\n" - "r2RZac3omlT43x5lddPxIlcouQpwWcVvr/K+Va770MRrjn88PBrJmvsEw/QYVBXp\n" - "Gxv2b78HFDacba80sMIm8ltRdqUCa5qIc6OATsz7izCQXEbkTEeESrcK1MA=\n" - "-----END X509 CRL-----\n"; - - WOLFSSL_CERT_MANAGER* cm = NULL; - int ret; - - (void)wc_AsnSetSkipDateCheck(1); - - cm = wolfSSL_CertManagerNew(); - ExpectNotNull(cm); - - /* Test loading CRL with duplicate extensions */ - WOLFSSL_MSG("Testing CRL with duplicate Authority Key Identifier extensions"); - ret = wolfSSL_CertManagerLoadCRLBuffer(cm, crl_duplicate_akd, - sizeof(crl_duplicate_akd), - WOLFSSL_FILETYPE_PEM); - ExpectIntEQ(ret, ASN_PARSE_E); - - wolfSSL_CertManagerFree(cm); - - (void)wc_AsnSetSkipDateCheck(0); -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_CertManagerCRL(void) -{ - EXPECT_DECLS; -#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && defined(HAVE_CRL) && \ - !defined(NO_RSA) - const char* ca_cert = "./certs/ca-cert.pem"; - const char* crl1 = "./certs/crl/crl.pem"; - const char* crl2 = "./certs/crl/crl2.pem"; -#ifdef WC_RSA_PSS - const char* crl_rsapss = "./certs/crl/crl_rsapss.pem"; - const char* ca_rsapss = "./certs/rsapss/ca-rsapss.pem"; -#endif - /* ./certs/crl/crl.der */ - const unsigned char crl_buff[] = { - 0x30, 0x82, 0x02, 0x04, 0x30, 0x81, 0xED, 0x02, - 0x01, 0x01, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, - 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, - 0x00, 0x30, 0x81, 0x94, 0x31, 0x0B, 0x30, 0x09, - 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, - 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, - 0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74, - 0x61, 0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E, 0x06, - 0x03, 0x55, 0x04, 0x07, 0x0C, 0x07, 0x42, 0x6F, - 0x7A, 0x65, 0x6D, 0x61, 0x6E, 0x31, 0x11, 0x30, - 0x0F, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x08, - 0x53, 0x61, 0x77, 0x74, 0x6F, 0x6F, 0x74, 0x68, - 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, - 0x0B, 0x0C, 0x0A, 0x43, 0x6F, 0x6E, 0x73, 0x75, - 0x6C, 0x74, 0x69, 0x6E, 0x67, 0x31, 0x18, 0x30, - 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, - 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, - 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, - 0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, - 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, - 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, - 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, - 0x17, 0x0D, 0x32, 0x34, 0x30, 0x31, 0x30, 0x39, - 0x30, 0x30, 0x33, 0x34, 0x33, 0x30, 0x5A, 0x17, - 0x0D, 0x32, 0x36, 0x31, 0x30, 0x30, 0x35, 0x30, - 0x30, 0x33, 0x34, 0x33, 0x30, 0x5A, 0x30, 0x14, - 0x30, 0x12, 0x02, 0x01, 0x02, 0x17, 0x0D, 0x32, - 0x34, 0x30, 0x31, 0x30, 0x39, 0x30, 0x30, 0x33, - 0x34, 0x33, 0x30, 0x5A, 0xA0, 0x0E, 0x30, 0x0C, - 0x30, 0x0A, 0x06, 0x03, 0x55, 0x1D, 0x14, 0x04, - 0x03, 0x02, 0x01, 0x02, 0x30, 0x0D, 0x06, 0x09, - 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, - 0x0B, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, - 0xB3, 0x6F, 0xED, 0x72, 0xD2, 0x73, 0x6A, 0x77, - 0xBF, 0x3A, 0x55, 0xBC, 0x54, 0x18, 0x6A, 0x71, - 0xBC, 0x6A, 0xCC, 0xCD, 0x5D, 0x90, 0xF5, 0x64, - 0x8D, 0x1B, 0xF0, 0xE0, 0x48, 0x7B, 0xF2, 0x7B, - 0x06, 0x86, 0x53, 0x63, 0x9B, 0xD8, 0x24, 0x15, - 0x10, 0xB1, 0x19, 0x96, 0x9B, 0xD2, 0x75, 0xA8, - 0x25, 0xA2, 0x35, 0xA9, 0x14, 0xD6, 0xD5, 0x5E, - 0x53, 0xE3, 0x34, 0x9D, 0xF2, 0x8B, 0x07, 0x19, - 0x9B, 0x1F, 0xF1, 0x02, 0x0F, 0x04, 0x46, 0xE8, - 0xB8, 0xB6, 0xF2, 0x8D, 0xC7, 0xC0, 0x15, 0x3E, - 0x3E, 0x8E, 0x96, 0x73, 0x15, 0x1E, 0x62, 0xF6, - 0x4E, 0x2A, 0xF7, 0xAA, 0xA0, 0x91, 0x80, 0x12, - 0x7F, 0x81, 0x0C, 0x65, 0xCC, 0x38, 0xBE, 0x58, - 0x6C, 0x14, 0xA5, 0x21, 0xA1, 0x8D, 0xF7, 0x8A, - 0xB9, 0x24, 0xF4, 0x2D, 0xCA, 0xC0, 0x67, 0x43, - 0x0B, 0xC8, 0x1C, 0xB4, 0x7D, 0x12, 0x7F, 0xA2, - 0x1B, 0x19, 0x0E, 0x94, 0xCF, 0x7B, 0x9F, 0x75, - 0xA0, 0x08, 0x9A, 0x67, 0x3F, 0x87, 0x89, 0x3E, - 0xF8, 0x58, 0xA5, 0x8A, 0x1B, 0x2D, 0xDA, 0x9B, - 0xD0, 0x1B, 0x18, 0x92, 0xC3, 0xD2, 0x6A, 0xD7, - 0x1C, 0xFC, 0x45, 0x69, 0x77, 0xC3, 0x57, 0x65, - 0x75, 0x99, 0x9E, 0x47, 0x2A, 0x20, 0x25, 0xEF, - 0x90, 0xF2, 0x5F, 0x3B, 0x7D, 0x9C, 0x7D, 0x00, - 0xEA, 0x92, 0x54, 0xEB, 0x0B, 0xE7, 0x17, 0xAF, - 0x24, 0x1A, 0xF9, 0x7C, 0x83, 0x50, 0x68, 0x1D, - 0xDC, 0x5B, 0x60, 0x12, 0xA7, 0x52, 0x78, 0xD9, - 0xA9, 0xB0, 0x1F, 0x59, 0x48, 0x36, 0xC7, 0xA6, - 0x97, 0x34, 0xC7, 0x87, 0x3F, 0xAE, 0xFD, 0xA9, - 0x56, 0x5D, 0x48, 0xCC, 0x89, 0x7A, 0x79, 0x60, - 0x8F, 0x9B, 0x2B, 0x63, 0x3C, 0xB3, 0x04, 0x1D, - 0x5F, 0xF7, 0x20, 0xD2, 0xFD, 0xF2, 0x51, 0xB1, - 0x96, 0x93, 0x13, 0x5B, 0xAB, 0x74, 0x82, 0x8B - }; - - WOLFSSL_CERT_MANAGER* cm = NULL; - - ExpectNotNull(cm = wolfSSL_CertManagerNew()); - - ExpectIntEQ(wolfSSL_CertManagerEnableCRL(NULL, 0), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerEnableCRL(cm, WOLFSSL_CRL_CHECKALL), 1); - ExpectIntEQ(wolfSSL_CertManagerEnableCRL(cm, WOLFSSL_CRL_CHECK), 1); - ExpectIntEQ(wolfSSL_CertManagerEnableCRL(cm, - WOLFSSL_CRL_CHECK | WOLFSSL_CRL_CHECKALL), 1); - ExpectIntEQ(wolfSSL_CertManagerEnableCRL(cm, 16), 1); - ExpectIntEQ(wolfSSL_CertManagerEnableCRL(cm, WOLFSSL_CRL_CHECKALL), 1); - - ExpectIntEQ(wolfSSL_CertManagerCheckCRL(NULL, NULL, -1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerCheckCRL(cm, NULL, -1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerCheckCRL(NULL, server_cert_der_2048, -1), - WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerCheckCRL(NULL, NULL, 1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerCheckCRL(NULL, server_cert_der_2048, 1), - WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerCheckCRL(cm, NULL, 1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerCheckCRL(cm, server_cert_der_2048, -1), - WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerCheckCRL(cm, server_cert_der_2048, - sizeof_server_cert_der_2048), WC_NO_ERR_TRACE(ASN_NO_SIGNER_E)); - - ExpectIntEQ(wolfSSL_CertManagerSetCRL_Cb(NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerSetCRL_Cb(cm, NULL), 1); -#ifdef HAVE_CRL_IO - ExpectIntEQ(wolfSSL_CertManagerSetCRL_IOCb(NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerSetCRL_IOCb(cm, NULL), 1); -#endif - -#ifndef NO_FILESYSTEM - ExpectIntEQ(wolfSSL_CertManagerLoadCRL(NULL, NULL, WOLFSSL_FILETYPE_ASN1, - 0), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerLoadCRL(cm, NULL, WOLFSSL_FILETYPE_ASN1, - 0), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - /* -1 seen as !WOLFSSL_FILETYPE_PEM */ - ExpectIntEQ(wolfSSL_CertManagerLoadCRL(cm, "./certs/crl", -1, 0), 1); - - ExpectIntEQ(wolfSSL_CertManagerLoadCRLFile(NULL, NULL, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerLoadCRLFile(cm, NULL, WOLFSSL_FILETYPE_ASN1), - WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - /* -1 seen as !WOLFSSL_FILETYPE_PEM */ - ExpectIntEQ(wolfSSL_CertManagerLoadCRLFile(cm, "./certs/crl/crl.pem", -1), - WC_NO_ERR_TRACE(ASN_PARSE_E)); -#endif - - ExpectIntEQ(wolfSSL_CertManagerLoadCRLBuffer(NULL, NULL, -1, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerLoadCRLBuffer(cm, NULL, -1, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerLoadCRLBuffer(NULL, crl_buff, -1, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerLoadCRLBuffer(NULL, NULL, 1, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerLoadCRLBuffer(NULL, crl_buff, 1, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerLoadCRLBuffer(cm, NULL, 1, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerLoadCRLBuffer(cm, crl_buff, -1, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - - ExpectIntEQ(wolfSSL_CertManagerFreeCRL(NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - DoExpectIntEQ(wolfSSL_CertManagerFreeCRL(cm), 1); - - ExpectIntEQ(WOLFSSL_SUCCESS, - wolfSSL_CertManagerLoadCA(cm, ca_cert, NULL)); - ExpectIntEQ(WOLFSSL_SUCCESS, - wolfSSL_CertManagerLoadCRL(cm, crl1, WOLFSSL_FILETYPE_PEM, 0)); - ExpectIntEQ(WOLFSSL_SUCCESS, - wolfSSL_CertManagerLoadCRL(cm, crl2, WOLFSSL_FILETYPE_PEM, 0)); - wolfSSL_CertManagerFreeCRL(cm); - -#ifndef WOLFSSL_CRL_ALLOW_MISSING_CDP - ExpectIntEQ(WOLFSSL_SUCCESS, - wolfSSL_CertManagerLoadCRL(cm, crl1, WOLFSSL_FILETYPE_PEM, 0)); - ExpectIntEQ(WOLFSSL_SUCCESS, - wolfSSL_CertManagerLoadCA(cm, ca_cert, NULL)); - ExpectIntEQ(wolfSSL_CertManagerCheckCRL(cm, server_cert_der_2048, - sizeof_server_cert_der_2048), WC_NO_ERR_TRACE(CRL_MISSING)); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, server_cert_der_2048, - sizeof_server_cert_der_2048, WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(CRL_MISSING)); -#endif /* !WOLFSSL_CRL_ALLOW_MISSING_CDP */ - - ExpectIntEQ(wolfSSL_CertManagerLoadCRLBuffer(cm, crl_buff, sizeof(crl_buff), - WOLFSSL_FILETYPE_ASN1), 1); - -#if !defined(NO_FILESYSTEM) && defined(WC_RSA_PSS) - /* loading should fail without the CA set */ - ExpectIntEQ(wolfSSL_CertManagerLoadCRLFile(cm, crl_rsapss, - WOLFSSL_FILETYPE_PEM), WC_NO_ERR_TRACE(ASN_CRL_NO_SIGNER_E)); - - /* now successfully load the RSA-PSS crl once loading in it's CA */ - ExpectIntEQ(WOLFSSL_SUCCESS, - wolfSSL_CertManagerLoadCA(cm, ca_rsapss, NULL)); - ExpectIntEQ(wolfSSL_CertManagerLoadCRLFile(cm, crl_rsapss, - WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS); -#endif - - wolfSSL_CertManagerFree(cm); -#endif - - return EXPECT_RESULT(); -} - -static int test_wolfSSL_CertManagerCheckOCSPResponse(void) -{ - EXPECT_DECLS; -#if defined(HAVE_OCSP) && !defined(NO_RSA) && !defined(NO_SHA) -/* Need one of these for wolfSSL_OCSP_REQUEST_new. */ -#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || \ - defined(WOLFSSL_HAPROXY) || defined(WOLFSSL_APACHE_HTTPD) || \ - defined(HAVE_LIGHTY) - WOLFSSL_CERT_MANAGER* cm = NULL; - /* Raw OCSP response bytes captured using the following setup: - * - Run responder with - * openssl ocsp -port 9999 -ndays 9999 - * -index certs/ocsp/index-intermediate1-ca-issued-certs.txt - * -rsigner certs/ocsp/ocsp-responder-cert.pem - * -rkey certs/ocsp/ocsp-responder-key.pem - * -CA certs/ocsp/intermediate1-ca-cert.pem - * - Run client with - * openssl ocsp -host 127.0.0.1:9999 -respout resp.out - * -issuer certs/ocsp/intermediate1-ca-cert.pem - * -cert certs/ocsp/server1-cert.pem - * -CAfile certs/ocsp/root-ca-cert.pem -noverify - * - Select the response packet in Wireshark, and export it using - * "File->Export Packet Dissection->As "C" Arrays". Select "Selected - * packets only". After importing into the editor, remove the initial - * ~148 bytes of header, ending with the Content-Length and the \r\n\r\n. - */ - static const byte response[] = { - 0x30, 0x82, 0x07, 0x40, /* ....0..@ */ - 0x0a, 0x01, 0x00, 0xa0, 0x82, 0x07, 0x39, 0x30, /* ......90 */ - 0x82, 0x07, 0x35, 0x06, 0x09, 0x2b, 0x06, 0x01, /* ..5..+.. */ - 0x05, 0x05, 0x07, 0x30, 0x01, 0x01, 0x04, 0x82, /* ...0.... */ - 0x07, 0x26, 0x30, 0x82, 0x07, 0x22, 0x30, 0x82, /* .&0.."0. */ - 0x01, 0x40, 0xa1, 0x81, 0xa1, 0x30, 0x81, 0x9e, /* .@...0.. */ - 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, /* 1.0...U. */ - 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, /* ...US1.0 */ - 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, /* ...U.... */ - 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, /* Washingt */ - 0x6f, 0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, /* on1.0... */ - 0x55, 0x04, 0x07, 0x0c, 0x07, 0x53, 0x65, 0x61, /* U....Sea */ - 0x74, 0x74, 0x6c, 0x65, 0x31, 0x10, 0x30, 0x0e, /* ttle1.0. */ - 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x07, 0x77, /* ..U....w */ - 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x31, 0x14, /* olfSSL1. */ - 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, /* 0...U... */ - 0x0b, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, /* .Enginee */ - 0x72, 0x69, 0x6e, 0x67, 0x31, 0x1f, 0x30, 0x1d, /* ring1.0. */ - 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x16, 0x77, /* ..U....w */ - 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x20, 0x4f, /* olfSSL O */ - 0x43, 0x53, 0x50, 0x20, 0x52, 0x65, 0x73, 0x70, /* CSP Resp */ - 0x6f, 0x6e, 0x64, 0x65, 0x72, 0x31, 0x1f, 0x30, /* onder1.0 */ - 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, /* ...*.H.. */ - 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, /* ......in */ - 0x66, 0x6f, 0x40, 0x77, 0x6f, 0x6c, 0x66, 0x73, /* fo@wolfs */ - 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x18, 0x0f, /* sl.com.. */ - 0x32, 0x30, 0x32, 0x34, 0x31, 0x32, 0x32, 0x30, /* 20241220 */ - 0x31, 0x37, 0x30, 0x37, 0x30, 0x34, 0x5a, 0x30, /* 170704Z0 */ - 0x64, 0x30, 0x62, 0x30, 0x3a, 0x30, 0x09, 0x06, /* d0b0:0.. */ - 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, /* .+...... */ - 0x04, 0x14, 0x71, 0x4d, 0x82, 0x23, 0x40, 0x59, /* ..qM.#@Y */ - 0xc0, 0x96, 0xa1, 0x37, 0x43, 0xfa, 0x31, 0xdb, /* ...7C.1. */ - 0xba, 0xb1, 0x43, 0x18, 0xda, 0x04, 0x04, 0x14, /* ..C..... */ - 0x83, 0xc6, 0x3a, 0x89, 0x2c, 0x81, 0xf4, 0x02, /* ..:.,... */ - 0xd7, 0x9d, 0x4c, 0xe2, 0x2a, 0xc0, 0x71, 0x82, /* ..L.*.q. */ - 0x64, 0x44, 0xda, 0x0e, 0x02, 0x01, 0x05, 0x80, /* dD...... */ - 0x00, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x34, 0x31, /* ...20241 */ - 0x32, 0x32, 0x30, 0x31, 0x37, 0x30, 0x37, 0x30, /* 22017070 */ - 0x34, 0x5a, 0xa0, 0x11, 0x18, 0x0f, 0x32, 0x30, /* 4Z....20 */ - 0x35, 0x32, 0x30, 0x35, 0x30, 0x36, 0x31, 0x37, /* 52050617 */ - 0x30, 0x37, 0x30, 0x34, 0x5a, 0xa1, 0x23, 0x30, /* 0704Z.#0 */ - 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2b, 0x06, 0x01, /* !0...+.. */ - 0x05, 0x05, 0x07, 0x30, 0x01, 0x02, 0x04, 0x12, /* ...0.... */ - 0x04, 0x10, 0x12, 0x7c, 0x27, 0xbd, 0x22, 0x28, /* ...|'."( */ - 0x5e, 0x62, 0x81, 0xed, 0x6d, 0x2c, 0x2d, 0x59, /* ^b..m,-Y */ - 0x42, 0xd7, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, /* B.0...*. */ - 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, /* H....... */ - 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x6c, 0xce, /* ......l. */ - 0xa8, 0xe8, 0xfe, 0xaf, 0x33, 0xe2, 0xce, 0x4e, /* ....3..N */ - 0x63, 0x8d, 0x61, 0x16, 0x0f, 0x70, 0xb2, 0x0c, /* c.a..p.. */ - 0x9a, 0xe3, 0x01, 0xd5, 0xca, 0xe5, 0x9b, 0x70, /* .......p */ - 0x81, 0x6f, 0x94, 0x09, 0xe8, 0x88, 0x98, 0x1a, /* .o...... */ - 0x67, 0xa0, 0xc2, 0xe7, 0x8f, 0x9b, 0x5f, 0x13, /* g....._. */ - 0x17, 0x8d, 0x93, 0x8c, 0x31, 0x61, 0x7d, 0x72, /* ....1a}r */ - 0x34, 0xbd, 0x21, 0x48, 0xca, 0xb2, 0xc9, 0xae, /* 4.!H.... */ - 0x28, 0x5f, 0x97, 0x19, 0xcb, 0xdf, 0xed, 0xd4, /* (_...... */ - 0x6e, 0x89, 0x30, 0x89, 0x11, 0xd1, 0x05, 0x08, /* n.0..... */ - 0x81, 0xe9, 0xa7, 0xba, 0xf7, 0x16, 0x0c, 0xbe, /* ........ */ - 0x48, 0x2e, 0xc0, 0x05, 0xac, 0x90, 0xc2, 0x35, /* H......5 */ - 0xce, 0x6c, 0x94, 0x5d, 0x2b, 0xad, 0x4f, 0x19, /* .l.]+.O. */ - 0xea, 0x7b, 0xd9, 0x4f, 0x49, 0x20, 0x8d, 0x98, /* .{.OI .. */ - 0xa9, 0xe4, 0x53, 0x6d, 0xca, 0x34, 0xdb, 0x4a, /* ..Sm.4.J */ - 0x28, 0xb3, 0x33, 0xfb, 0xfd, 0xcc, 0x4b, 0xfa, /* (.3...K. */ - 0xdb, 0x70, 0xe1, 0x96, 0xc8, 0xd4, 0xf1, 0x85, /* .p...... */ - 0x99, 0xaf, 0x06, 0xeb, 0xfd, 0x96, 0x21, 0x86, /* ......!. */ - 0x81, 0xee, 0xcf, 0xd2, 0xf4, 0x83, 0xc9, 0x1d, /* ........ */ - 0x8f, 0x42, 0xd1, 0xc1, 0xbc, 0x50, 0x0a, 0xfb, /* .B...P.. */ - 0x95, 0x39, 0x4c, 0x36, 0xa8, 0xfe, 0x2b, 0x8e, /* .9L6..+. */ - 0xc5, 0xb5, 0xe0, 0xab, 0xdb, 0xc0, 0xbf, 0x1d, /* ........ */ - 0x35, 0x4d, 0xc0, 0x52, 0xfb, 0x08, 0x04, 0x4c, /* 5M.R...L */ - 0x98, 0xf0, 0xb5, 0x5b, 0xff, 0x99, 0x74, 0xce, /* ...[..t. */ - 0xb7, 0xc9, 0xe3, 0xe5, 0x70, 0x2e, 0xd3, 0x1d, /* ....p... */ - 0x46, 0x38, 0xf9, 0x51, 0x17, 0x73, 0xd1, 0x08, /* F8.Q.s.. */ - 0x8d, 0x3d, 0x12, 0x47, 0xd0, 0x66, 0x77, 0xaf, /* .=.G.fw. */ - 0xfd, 0x4c, 0x75, 0x1f, 0xe9, 0x6c, 0xf4, 0x5a, /* .Lu..l.Z */ - 0xde, 0xec, 0x37, 0xc7, 0xc4, 0x0a, 0xbe, 0x91, /* ..7..... */ - 0xbc, 0x05, 0x08, 0x86, 0x47, 0x30, 0x2a, 0xc6, /* ....G0*. */ - 0x85, 0x4b, 0x55, 0x6c, 0xef, 0xdf, 0x2d, 0x5a, /* .KUl..-Z */ - 0xf7, 0x5b, 0xb5, 0xba, 0xed, 0x38, 0xb0, 0xcb, /* .[...8.. */ - 0xeb, 0x7e, 0x84, 0x3a, 0x69, 0x2c, 0xa0, 0x82, /* .~.:i,.. */ - 0x04, 0xc6, 0x30, 0x82, 0x04, 0xc2, 0x30, 0x82, /* ..0...0. */ - 0x04, 0xbe, 0x30, 0x82, 0x03, 0xa6, 0xa0, 0x03, /* ..0..... */ - 0x02, 0x01, 0x02, 0x02, 0x01, 0x04, 0x30, 0x0d, /* ......0. */ - 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, /* ..*.H... */ - 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x81, 0x97, /* .....0.. */ - 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, /* 1.0...U. */ - 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, /* ...US1.0 */ - 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, /* ...U.... */ - 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, /* Washingt */ - 0x6f, 0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, /* on1.0... */ - 0x55, 0x04, 0x07, 0x0c, 0x07, 0x53, 0x65, 0x61, /* U....Sea */ - 0x74, 0x74, 0x6c, 0x65, 0x31, 0x10, 0x30, 0x0e, /* ttle1.0. */ - 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x07, 0x77, /* ..U....w */ - 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x31, 0x14, /* olfSSL1. */ - 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, /* 0...U... */ - 0x0b, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, /* .Enginee */ - 0x72, 0x69, 0x6e, 0x67, 0x31, 0x18, 0x30, 0x16, /* ring1.0. */ - 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x77, /* ..U....w */ - 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x20, 0x72, /* olfSSL r */ - 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x41, 0x31, 0x1f, /* oot CA1. */ - 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, /* 0...*.H. */ - 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, /* .......i */ - 0x6e, 0x66, 0x6f, 0x40, 0x77, 0x6f, 0x6c, 0x66, /* nfo@wolf */ - 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x30, /* ssl.com0 */ - 0x1e, 0x17, 0x0d, 0x32, 0x34, 0x31, 0x32, 0x31, /* ...24121 */ - 0x38, 0x32, 0x31, 0x32, 0x35, 0x33, 0x31, 0x5a, /* 8212531Z */ - 0x17, 0x0d, 0x32, 0x37, 0x30, 0x39, 0x31, 0x34, /* ..270914 */ - 0x32, 0x31, 0x32, 0x35, 0x33, 0x31, 0x5a, 0x30, /* 212531Z0 */ - 0x81, 0x9e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, /* ..1.0... */ - 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, /* U....US1 */ - 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, /* .0...U.. */ - 0x0c, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, /* ..Washin */ - 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30, 0x0e, /* gton1.0. */ - 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x07, 0x53, /* ..U....S */ - 0x65, 0x61, 0x74, 0x74, 0x6c, 0x65, 0x31, 0x10, /* eattle1. */ - 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, /* 0...U... */ - 0x07, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, /* .wolfSSL */ - 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, /* 1.0...U. */ - 0x0b, 0x0c, 0x0b, 0x45, 0x6e, 0x67, 0x69, 0x6e, /* ...Engin */ - 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x31, 0x1f, /* eering1. */ - 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, /* 0...U... */ - 0x16, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, /* .wolfSSL */ - 0x20, 0x4f, 0x43, 0x53, 0x50, 0x20, 0x52, 0x65, /* OCSP Re */ - 0x73, 0x70, 0x6f, 0x6e, 0x64, 0x65, 0x72, 0x31, /* sponder1 */ - 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, /* .0...*.H */ - 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, /* ........ */ - 0x69, 0x6e, 0x66, 0x6f, 0x40, 0x77, 0x6f, 0x6c, /* info@wol */ - 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, /* fssl.com */ - 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, /* 0.."0... */ - 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, /* *.H..... */ - 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, /* ........ */ - 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, /* 0....... */ - 0x00, 0xb8, 0xba, 0x23, 0xb4, 0xf6, 0xc3, 0x7b, /* ...#...{ */ - 0x14, 0xc3, 0xa4, 0xf5, 0x1d, 0x61, 0xa1, 0xf5, /* .....a.. */ - 0x1e, 0x63, 0xb9, 0x85, 0x23, 0x34, 0x50, 0x6d, /* .c..#4Pm */ - 0xf8, 0x7c, 0xa2, 0x8a, 0x04, 0x8b, 0xd5, 0x75, /* .|.....u */ - 0x5c, 0x2d, 0xf7, 0x63, 0x88, 0xd1, 0x07, 0x7a, /* \-.c...z */ - 0xea, 0x0b, 0x45, 0x35, 0x2b, 0xeb, 0x1f, 0xb1, /* ..E5+... */ - 0x22, 0xb4, 0x94, 0x41, 0x38, 0xe2, 0x9d, 0x74, /* "..A8..t */ - 0xd6, 0x8b, 0x30, 0x22, 0x10, 0x51, 0xc5, 0xdb, /* ..0".Q.. */ - 0xca, 0x3f, 0x46, 0x2b, 0xfe, 0xe5, 0x5a, 0x3f, /* .?F+..Z? */ - 0x41, 0x74, 0x67, 0x75, 0x95, 0xa9, 0x94, 0xd5, /* Atgu.... */ - 0xc3, 0xee, 0x42, 0xf8, 0x8d, 0xeb, 0x92, 0x95, /* ..B..... */ - 0xe1, 0xd9, 0x65, 0xb7, 0x43, 0xc4, 0x18, 0xde, /* ..e.C... */ - 0x16, 0x80, 0x90, 0xce, 0x24, 0x35, 0x21, 0xc4, /* ....$5!. */ - 0x55, 0xac, 0x5a, 0x51, 0xe0, 0x2e, 0x2d, 0xb3, /* U.ZQ..-. */ - 0x0a, 0x5a, 0x4f, 0x4a, 0x73, 0x31, 0x50, 0xee, /* .ZOJs1P. */ - 0x4a, 0x16, 0xbd, 0x39, 0x8b, 0xad, 0x05, 0x48, /* J..9...H */ - 0x87, 0xb1, 0x99, 0xe2, 0x10, 0xa7, 0x06, 0x72, /* .......r */ - 0x67, 0xca, 0x5c, 0xd1, 0x97, 0xbd, 0xc8, 0xf1, /* g.\..... */ - 0x76, 0xf8, 0xe0, 0x4a, 0xec, 0xbc, 0x93, 0xf4, /* v..J.... */ - 0x66, 0x4c, 0x28, 0x71, 0xd1, 0xd8, 0x66, 0x03, /* fL(q..f. */ - 0xb4, 0x90, 0x30, 0xbb, 0x17, 0xb0, 0xfe, 0x97, /* ..0..... */ - 0xf5, 0x1e, 0xe8, 0xc7, 0x5d, 0x9b, 0x8b, 0x11, /* ....]... */ - 0x19, 0x12, 0x3c, 0xab, 0x82, 0x71, 0x78, 0xff, /* ..<..qx. */ - 0xae, 0x3f, 0x32, 0xb2, 0x08, 0x71, 0xb2, 0x1b, /* .?2..q.. */ - 0x8c, 0x27, 0xac, 0x11, 0xb8, 0xd8, 0x43, 0x49, /* .'....CI */ - 0xcf, 0xb0, 0x70, 0xb1, 0xf0, 0x8c, 0xae, 0xda, /* ..p..... */ - 0x24, 0x87, 0x17, 0x3b, 0xd8, 0x04, 0x65, 0x6c, /* $..;..el */ - 0x00, 0x76, 0x50, 0xef, 0x15, 0x08, 0xd7, 0xb4, /* .vP..... */ - 0x73, 0x68, 0x26, 0x14, 0x87, 0x95, 0xc3, 0x5f, /* sh&...._ */ - 0x6e, 0x61, 0xb8, 0x87, 0x84, 0xfa, 0x80, 0x1a, /* na...... */ - 0x0a, 0x8b, 0x98, 0xf3, 0xe3, 0xff, 0x4e, 0x44, /* ......ND */ - 0x1c, 0x65, 0x74, 0x7c, 0x71, 0x54, 0x65, 0xe5, /* .et|qTe. */ - 0x39, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, /* 9....... */ - 0x01, 0x0a, 0x30, 0x82, 0x01, 0x06, 0x30, 0x09, /* ..0...0. */ - 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, /* ..U....0 */ - 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, /* .0...U.. */ - 0x04, 0x16, 0x04, 0x14, 0x32, 0x67, 0xe1, 0xb1, /* ....2g.. */ - 0x79, 0xd2, 0x81, 0xfc, 0x9f, 0x23, 0x0c, 0x70, /* y....#.p */ - 0x40, 0x50, 0xb5, 0x46, 0x56, 0xb8, 0x30, 0x36, /* @P.FV.06 */ - 0x30, 0x81, 0xc4, 0x06, 0x03, 0x55, 0x1d, 0x23, /* 0....U.# */ - 0x04, 0x81, 0xbc, 0x30, 0x81, 0xb9, 0x80, 0x14, /* ...0.... */ - 0x73, 0xb0, 0x1c, 0xa4, 0x2f, 0x82, 0xcb, 0xcf, /* s.../... */ - 0x47, 0xa5, 0x38, 0xd7, 0xb0, 0x04, 0x82, 0x3a, /* G.8....: */ - 0x7e, 0x72, 0x15, 0x21, 0xa1, 0x81, 0x9d, 0xa4, /* ~r.!.... */ - 0x81, 0x9a, 0x30, 0x81, 0x97, 0x31, 0x0b, 0x30, /* ..0..1.0 */ - 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, /* ...U.... */ - 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, /* US1.0... */ - 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x57, 0x61, 0x73, /* U....Was */ - 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, /* hington1 */ - 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, /* .0...U.. */ - 0x0c, 0x07, 0x53, 0x65, 0x61, 0x74, 0x74, 0x6c, /* ..Seattl */ - 0x65, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, /* e1.0...U */ - 0x04, 0x0a, 0x0c, 0x07, 0x77, 0x6f, 0x6c, 0x66, /* ....wolf */ - 0x53, 0x53, 0x4c, 0x31, 0x14, 0x30, 0x12, 0x06, /* SSL1.0.. */ - 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x0b, 0x45, 0x6e, /* .U....En */ - 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, /* gineerin */ - 0x67, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, /* g1.0...U */ - 0x04, 0x03, 0x0c, 0x0f, 0x77, 0x6f, 0x6c, 0x66, /* ....wolf */ - 0x53, 0x53, 0x4c, 0x20, 0x72, 0x6f, 0x6f, 0x74, /* SSL root */ - 0x20, 0x43, 0x41, 0x31, 0x1f, 0x30, 0x1d, 0x06, /* CA1.0.. */ - 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, /* .*.H.... */ - 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, /* ....info */ - 0x40, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, /* @wolfssl */ - 0x2e, 0x63, 0x6f, 0x6d, 0x82, 0x01, 0x63, 0x30, /* .com..c0 */ - 0x13, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x04, 0x0c, /* ...U.%.. */ - 0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, /* 0...+... */ - 0x05, 0x07, 0x03, 0x09, 0x30, 0x0d, 0x06, 0x09, /* ....0... */ - 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, /* *.H..... */ - 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, /* ........ */ - 0x4d, 0xa2, 0xd8, 0x55, 0xe0, 0x2b, 0xf4, 0xad, /* M..U.+.. */ - 0x65, 0xe2, 0x92, 0x35, 0xcb, 0x60, 0xa0, 0xa2, /* e..5.`.. */ - 0x6b, 0xa6, 0x88, 0xc1, 0x86, 0x58, 0x57, 0x37, /* k....XW7 */ - 0xbd, 0x2e, 0x28, 0x6e, 0x1c, 0x56, 0x2a, 0x35, /* ..(n.V*5 */ - 0xde, 0xff, 0x3e, 0x8e, 0x3d, 0x47, 0x21, 0x1a, /* ..>.=G!. */ - 0xe9, 0xd3, 0xc6, 0xb4, 0xe2, 0xcb, 0x3e, 0xc6, /* ......>. */ - 0xaf, 0x9b, 0xef, 0x23, 0x88, 0x56, 0x95, 0x73, /* ...#.V.s */ - 0x2e, 0xb3, 0xed, 0xc5, 0x11, 0x4b, 0x69, 0xf7, /* .....Ki. */ - 0x13, 0x3a, 0x05, 0xe1, 0xaf, 0xba, 0xc9, 0x59, /* .:.....Y */ - 0xfd, 0xe2, 0xa0, 0x81, 0xa0, 0x4c, 0x0c, 0x2c, /* .....L., */ - 0xcb, 0x57, 0xad, 0x96, 0x3a, 0x8c, 0x32, 0xa6, /* .W..:.2. */ - 0x4a, 0xf8, 0x72, 0xb8, 0xec, 0xb3, 0x26, 0x69, /* J.r...&i */ - 0xd6, 0x6a, 0x4c, 0x4c, 0x78, 0x18, 0x3c, 0xca, /* .jLLx.<. */ - 0x19, 0xf1, 0xb5, 0x8e, 0x23, 0x81, 0x5b, 0x27, /* ....#.[' */ - 0x90, 0xe0, 0x5c, 0x2b, 0x17, 0x4d, 0x78, 0x99, /* ..\+.Mx. */ - 0x6b, 0x25, 0xbd, 0x2f, 0xae, 0x1b, 0xaa, 0xce, /* k%./.... */ - 0x84, 0xb9, 0x44, 0x21, 0x46, 0xc0, 0x34, 0x6b, /* ..D!F.4k */ - 0x5b, 0xb9, 0x1b, 0xca, 0x5c, 0x60, 0xf1, 0xef, /* [...\`.. */ - 0xe6, 0x66, 0xbc, 0x84, 0x63, 0x56, 0x50, 0x7d, /* .f..cVP} */ - 0xbb, 0x2c, 0x2f, 0x7b, 0x47, 0xb4, 0xfd, 0x58, /* .,/{G..X */ - 0x77, 0x87, 0xee, 0x27, 0x20, 0x96, 0x72, 0x8e, /* w..' .r. */ - 0x4c, 0x7e, 0x4f, 0x93, 0xeb, 0x5f, 0x8f, 0x9c, /* L~O.._.. */ - 0x1e, 0x59, 0x7a, 0x96, 0xaa, 0x53, 0x77, 0x22, /* .Yz..Sw" */ - 0x41, 0xd8, 0xd3, 0xf9, 0x89, 0x8f, 0xe8, 0x9d, /* A....... */ - 0x65, 0xbd, 0x0c, 0x71, 0x3c, 0xbb, 0xa3, 0x07, /* e..q<... */ - 0xbf, 0xfb, 0xa8, 0xd1, 0x18, 0x0a, 0xb4, 0xc4, /* ........ */ - 0xf7, 0x83, 0xb3, 0x86, 0x2b, 0xf0, 0x5b, 0x05, /* ....+.[. */ - 0x28, 0xc1, 0x01, 0x31, 0x73, 0x5c, 0x2b, 0xbd, /* (..1s\+. */ - 0x60, 0x97, 0xa3, 0x36, 0x82, 0x96, 0xd7, 0x83, /* `..6.... */ - 0xdf, 0x75, 0xee, 0x29, 0x42, 0x97, 0x86, 0x41, /* .u.)B..A */ - 0x55, 0xb9, 0x70, 0x87, 0xd5, 0x02, 0x85, 0x13, /* U.p..... */ - 0x41, 0xf8, 0x25, 0x05, 0xab, 0x6a, 0xaa, 0x57 /* A.%..j.W */ - }; - OcspEntry entry[1]; - CertStatus status[1]; - OcspRequest* request = NULL; -#ifndef NO_FILESYSTEM - const char* ca_cert = "./certs/ca-cert.pem"; -#endif - - byte serial[] = {0x05}; - byte issuerHash[] = {0x71, 0x4d, 0x82, 0x23, 0x40, 0x59, 0xc0, 0x96, 0xa1, 0x37, 0x43, 0xfa, 0x31, 0xdb, 0xba, 0xb1, 0x43, 0x18, 0xda, 0x04}; - byte issuerKeyHash[] = {0x83, 0xc6, 0x3a, 0x89, 0x2c, 0x81, 0xf4, 0x02, 0xd7, 0x9d, 0x4c, 0xe2, 0x2a, 0xc0, 0x71, 0x82, 0x64, 0x44, 0xda, 0x0e}; - - - XMEMSET(entry, 0, sizeof(OcspEntry)); - XMEMSET(status, 0, sizeof(CertStatus)); - - ExpectNotNull(request = wolfSSL_OCSP_REQUEST_new()); - ExpectNotNull(request->serial = (byte*)XMALLOC(sizeof(serial), NULL, - DYNAMIC_TYPE_OCSP_REQUEST)); - - if ((request != NULL) && (request->serial != NULL)) { - request->serialSz = sizeof(serial); - XMEMCPY(request->serial, serial, sizeof(serial)); - XMEMCPY(request->issuerHash, issuerHash, sizeof(issuerHash)); - XMEMCPY(request->issuerKeyHash, issuerKeyHash, sizeof(issuerKeyHash)); - } - - ExpectNotNull(cm = wolfSSL_CertManagerNew_ex(NULL)); - ExpectIntEQ(wolfSSL_CertManagerEnableOCSP(cm, 0), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_CertManagerLoadCA(cm, - "./certs/ocsp/intermediate1-ca-cert.pem", NULL), WOLFSSL_SUCCESS); - - /* Response should be valid. */ - ExpectIntEQ(wolfSSL_CertManagerCheckOCSPResponse(cm, (byte *)response, - sizeof(response), NULL, status, entry, request), WOLFSSL_SUCCESS); - - /* Flip a byte in the request serial number, response should be invalid - * now. */ - if ((request != NULL) && (request->serial != NULL)) - request->serial[0] ^= request->serial[0]; - ExpectIntNE(wolfSSL_CertManagerCheckOCSPResponse(cm, (byte *)response, - sizeof(response), NULL, status, entry, request), WOLFSSL_SUCCESS); - -#ifndef NO_FILESYSTEM - ExpectIntEQ(wolfSSL_CertManagerCheckOCSP(cm, server_cert_der_2048, - sizeof(server_cert_der_2048)), WC_NO_ERR_TRACE(ASN_NO_SIGNER_E)); - ExpectIntEQ(WOLFSSL_SUCCESS, - wolfSSL_CertManagerLoadCA(cm, ca_cert, NULL)); - ExpectIntEQ(wolfSSL_CertManagerCheckOCSP(cm, server_cert_der_2048, - sizeof(server_cert_der_2048)), 1); -#endif - - wolfSSL_OCSP_REQUEST_free(request); - wolfSSL_CertManagerFree(cm); -#endif /* OPENSSL_ALL || WOLFSSL_NGINX || WOLFSSL_HAPROXY || - * WOLFSSL_APACHE_HTTPD || HAVE_LIGHTY */ -#endif /* HAVE_OCSP */ - return EXPECT_RESULT(); -} - static int test_wolfSSL_CheckOCSPResponse(void) { EXPECT_DECLS; @@ -5183,103 +3137,6 @@ static int test_wolfSSL_CertRsaPss(void) #endif /* HAVE_CERT_CHAIN_VALIDATION */ -/* Test RSA-PSS digital signature creation and verification */ -static int test_wc_RsaPSS_DigitalSignVerify(void) -{ - EXPECT_DECLS; - - /* Early FIPS did not support PSS. */ -#if (!defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && \ - (HAVE_FIPS_VERSION > 2))) && \ - (!defined(HAVE_SELFTEST) || (defined(HAVE_SELFTEST_VERSION) && \ - (HAVE_SELFTEST_VERSION > 2))) && \ - !defined(NO_RSA) && defined(WC_RSA_PSS) && defined(OPENSSL_EXTRA) && \ - defined(WOLFSSL_KEY_GEN) && defined(WC_RSA_NO_PADDING) && \ - !defined(NO_SHA256) - - /* Test digest */ - const unsigned char test_digest[32] = { - 0x08, 0x09, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, - 0x06, 0x07, 0x08, 0x09, 0x00, 0x01, 0x02, 0x03, - 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x00, 0x01, - 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09 - }; - const unsigned int digest_len = sizeof(test_digest); - - /* Variables for RSA key generation and signature operations */ - EVP_PKEY_CTX *pkctx = NULL; - EVP_PKEY *pkey = NULL; - EVP_PKEY_CTX *sign_ctx = NULL; - EVP_PKEY_CTX *verify_ctx = NULL; - unsigned char signature[256+MAX_DER_DIGEST_ASN_SZ] = {0}; - size_t signature_len = sizeof(signature); - int modulus_bits = 2048; - - /* Generate RSA key pair to avoid file dependencies */ - ExpectNotNull(pkctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL)); - ExpectIntEQ(EVP_PKEY_keygen_init(pkctx), 1); - ExpectIntEQ(EVP_PKEY_CTX_set_rsa_keygen_bits(pkctx, modulus_bits), 1); - ExpectIntEQ(EVP_PKEY_keygen(pkctx, &pkey), 1); - - /* Create signing context */ - ExpectNotNull(sign_ctx = EVP_PKEY_CTX_new(pkey, NULL)); - ExpectIntEQ(EVP_PKEY_sign_init(sign_ctx), 1); - - /* Configure RSA-PSS parameters for signing. */ - ExpectIntEQ(EVP_PKEY_CTX_set_rsa_padding(sign_ctx, RSA_PKCS1_PSS_PADDING), - 1); - /* Default salt length matched hash so use 32 for SHA256 */ - ExpectIntEQ(EVP_PKEY_CTX_set_rsa_pss_saltlen(sign_ctx, 32), 1); - ExpectIntEQ(EVP_PKEY_CTX_set_rsa_mgf1_md(sign_ctx, EVP_sha256()), 1); - ExpectIntEQ(EVP_PKEY_CTX_set_signature_md(sign_ctx, EVP_sha256()), 1); - - /* Create the digital signature */ - ExpectIntEQ(EVP_PKEY_sign(sign_ctx, signature, &signature_len, test_digest, - digest_len), 1); - ExpectIntGT((int)signature_len, 0); - - /* Create verification context */ - ExpectNotNull(verify_ctx = EVP_PKEY_CTX_new(pkey, NULL)); - ExpectIntEQ(EVP_PKEY_verify_init(verify_ctx), 1); - - /* Configure RSA-PSS parameters for verification */ - ExpectIntEQ(EVP_PKEY_CTX_set_rsa_padding(verify_ctx, RSA_PKCS1_PSS_PADDING), - 1); - ExpectIntEQ(EVP_PKEY_CTX_set_rsa_pss_saltlen(verify_ctx, 32), 1); - ExpectIntEQ(EVP_PKEY_CTX_set_rsa_mgf1_md(verify_ctx, EVP_sha256()), 1); - ExpectIntEQ(EVP_PKEY_CTX_set_signature_md(verify_ctx, EVP_sha256()), 1); - - /* Verify the digital signature */ - ExpectIntEQ(EVP_PKEY_verify(verify_ctx, signature, signature_len, - test_digest, digest_len), 1); - - /* Test with wrong digest to ensure verification fails (negative test) */ - { - const unsigned char wrong_digest[32] = { - 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, - 0x09, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, - 0x07, 0x08, 0x09, 0x00, 0x01, 0x02, 0x03, 0x04, - 0x05, 0x06, 0x07, 0x08, 0x09, 0x00, 0x01, 0x02 - }; - ExpectIntNE(EVP_PKEY_verify(verify_ctx, signature, signature_len, - wrong_digest, digest_len), 1); - } - - /* Clean up */ - if (verify_ctx) - EVP_PKEY_CTX_free(verify_ctx); - if (sign_ctx) - EVP_PKEY_CTX_free(sign_ctx); - if (pkey) - EVP_PKEY_free(pkey); - if (pkctx) - EVP_PKEY_CTX_free(pkctx); - -#endif - - return EXPECT_RESULT(); -} - static int test_wolfSSL_CTX_load_verify_locations_ex(void) { EXPECT_DECLS; @@ -6346,938 +4203,6 @@ static int test_wolfSSL_SetMinVersion(void) #include -/*----------------------------------------------------------------------------* - | EVP - *----------------------------------------------------------------------------*/ - -static int test_wolfSSL_EVP_PKEY_print_public(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_BIO) - WOLFSSL_BIO* rbio = NULL; - WOLFSSL_BIO* wbio = NULL; - WOLFSSL_EVP_PKEY* pkey = NULL; - char line[256] = { 0 }; - char line1[256] = { 0 }; - int i = 0; - - /* test error cases */ - ExpectIntEQ( EVP_PKEY_print_public(NULL,NULL,0,NULL),0L); - - /* - * test RSA public key print - * in this test, pass '3' for indent - */ -#if !defined(NO_RSA) && defined(USE_CERT_BUFFERS_1024) - - ExpectNotNull(rbio = BIO_new_mem_buf( client_keypub_der_1024, - sizeof_client_keypub_der_1024)); - - ExpectNotNull(wolfSSL_d2i_PUBKEY_bio(rbio, &pkey)); - - ExpectNotNull(wbio = BIO_new(BIO_s_mem())); - - ExpectIntEQ(EVP_PKEY_print_public(wbio, pkey,3,NULL),1); - - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); - strcpy(line1, " RSA Public-Key: (1024 bit)\n"); - ExpectIntEQ(XSTRNCMP(line, line1, XSTRLEN(line1)), 0); - - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); - strcpy(line1, " Modulus:\n"); - ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); - - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); - strcpy(line1, " 00:bc:73:0e:a8:49:f3:74:a2:a9:ef:18:a5:da:55:\n"); - ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); - - - /* skip to the end of modulus element*/ - for (i = 0; i < 8 ;i++) { - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); - } - - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); - strcpy(line1, " Exponent: 65537 (0x010001)\n"); - ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); - - - /* should reach EOF */ - ExpectIntLE(BIO_gets(wbio, line, sizeof(line)), 0); - - EVP_PKEY_free(pkey); - pkey = NULL; - BIO_free(rbio); - BIO_free(wbio); - rbio = NULL; - wbio = NULL; - -#endif /* !NO_RSA && USE_CERT_BUFFERS_1024*/ - - /* - * test DSA public key print - */ -#if !defined(NO_DSA) && defined(USE_CERT_BUFFERS_2048) - ExpectNotNull(rbio = BIO_new_mem_buf( dsa_pub_key_der_2048, - sizeof_dsa_pub_key_der_2048)); - - ExpectNotNull(wolfSSL_d2i_PUBKEY_bio(rbio, &pkey)); - - ExpectNotNull(wbio = BIO_new(BIO_s_mem())); - - ExpectIntEQ(EVP_PKEY_print_public(wbio, pkey,0,NULL),1); - - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); - strcpy(line1, "DSA Public-Key: (2048 bit)\n"); - ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); - - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); - strcpy(line1, "pub:\n"); - ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); - - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); - strcpy(line1, - " 00:C2:35:2D:EC:83:83:6C:73:13:9E:52:7C:74:C8:\n"); - ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); - - /* skip to the end of pub element*/ - for (i = 0; i < 17 ;i++) { - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); - } - - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); - strcpy(line1, "P:\n"); - ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); - - /* skip to the end of P element*/ - for (i = 0; i < 18 ;i++) { - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); - } - - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); - strcpy(line1, "Q:\n"); - ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); - - /* skip to the end of Q element*/ - for (i = 0; i < 3 ;i++) { - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); - } - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); - strcpy(line1, "G:\n"); - ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); - - /* skip to the end of G element*/ - for (i = 0; i < 18 ;i++) { - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); - } - /* should reach EOF */ - ExpectIntLE(BIO_gets(wbio, line, sizeof(line)), 0); - - EVP_PKEY_free(pkey); - pkey = NULL; - BIO_free(rbio); - BIO_free(wbio); - rbio = NULL; - wbio = NULL; - -#endif /* !NO_DSA && USE_CERT_BUFFERS_2048 */ - - /* - * test ECC public key print - */ -#if defined(HAVE_ECC) && defined(USE_CERT_BUFFERS_256) - - ExpectNotNull(rbio = BIO_new_mem_buf( ecc_clikeypub_der_256, - sizeof_ecc_clikeypub_der_256)); - - ExpectNotNull(wolfSSL_d2i_PUBKEY_bio(rbio, &pkey)); - - ExpectNotNull(wbio = BIO_new(BIO_s_mem())); - - ExpectIntEQ(EVP_PKEY_print_public(wbio, pkey,0,NULL),1); - - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); - ExpectStrEQ(line, "Public-Key: (256 bit)\n"); - - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); - strcpy(line1, "pub:\n"); - ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); - - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); - strcpy(line1, - " 04:55:BF:F4:0F:44:50:9A:3D:CE:9B:B7:F0:C5:4D:\n"); - ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); - - /* skip to the end of pub element*/ - for (i = 0; i < 4 ;i++) { - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); - } - - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); - strcpy(line1, "ASN1 OID: prime256v1\n"); - ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); - - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); - strcpy(line1, "NIST CURVE: P-256\n"); - ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); - - - /* should reach EOF */ - ExpectIntLE(BIO_gets(wbio, line, sizeof(line)), 0); - - EVP_PKEY_free(pkey); - pkey = NULL; - BIO_free(rbio); - BIO_free(wbio); - rbio = NULL; - wbio = NULL; - -#endif /* HAVE_ECC && USE_CERT_BUFFERS_256 */ - - /* - * test DH public key print - */ -#if defined(WOLFSSL_DH_EXTRA) && defined(USE_CERT_BUFFERS_2048) - - ExpectNotNull(rbio = BIO_new_mem_buf( dh_pub_key_der_2048, - sizeof_dh_pub_key_der_2048)); - - ExpectNotNull(wolfSSL_d2i_PUBKEY_bio(rbio, &pkey)); - - ExpectNotNull(wbio = BIO_new(BIO_s_mem())); - - ExpectIntEQ(EVP_PKEY_print_public(wbio, pkey,0,NULL), 1); - - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); - strcpy(line1, "DH Public-Key: (2048 bit)\n"); - ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); - - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); - strcpy(line1, "public-key:\n"); - ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); - - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); - strcpy(line1, - " 34:41:BF:E9:F2:11:BF:05:DB:B2:72:A8:29:CC:BD:\n"); - ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); - - /* skip to the end of public-key element*/ - for (i = 0; i < 17 ;i++) { - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); - } - - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); - strcpy(line1, "prime:\n"); - ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); - - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); - strcpy(line1, - " 00:D3:B2:99:84:5C:0A:4C:E7:37:CC:FC:18:37:01:\n"); - ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); - - /* skip to the end of prime element*/ - for (i = 0; i < 17 ;i++) { - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); - } - - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); - strcpy(line1, "generator: 2 (0x02)\n"); - ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); - - /* should reach EOF */ - ExpectIntLE(BIO_gets(wbio, line, sizeof(line)), 0); - - EVP_PKEY_free(pkey); - pkey = NULL; - BIO_free(rbio); - BIO_free(wbio); - rbio = NULL; - wbio = NULL; - -#endif /* WOLFSSL_DH_EXTRA && USE_CERT_BUFFERS_2048 */ - - /* to prevent "unused variable" warning */ - (void)pkey; - (void)wbio; - (void)rbio; - (void)line; - (void)line1; - (void)i; -#endif /* OPENSSL_EXTRA */ - return EXPECT_RESULT(); -} -/* Test functions for base64 encode/decode */ -static int test_wolfSSL_EVP_ENCODE_CTX_new(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && \ -( defined(WOLFSSL_BASE64_ENCODE) || defined(WOLFSSL_BASE64_DECODE)) - EVP_ENCODE_CTX* ctx = NULL; - - ExpectNotNull(ctx = EVP_ENCODE_CTX_new()); - ExpectIntEQ(ctx->remaining,0); - ExpectIntEQ(ctx->data[0],0); - ExpectIntEQ(ctx->data[sizeof(ctx->data) -1],0); - EVP_ENCODE_CTX_free(ctx); -#endif /* OPENSSL_EXTRA && (WOLFSSL_BASE64_ENCODE || WOLFSSL_BASE64_DECODE) */ - return EXPECT_RESULT(); -} -static int test_wolfSSL_EVP_ENCODE_CTX_free(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && \ -( defined(WOLFSSL_BASE64_ENCODE) || defined(WOLFSSL_BASE64_DECODE)) - EVP_ENCODE_CTX* ctx = NULL; - - ExpectNotNull(ctx = EVP_ENCODE_CTX_new()); - EVP_ENCODE_CTX_free(ctx); -#endif /* OPENSSL_EXTRA && (WOLFSSL_BASE64_ENCODE || WOLFSSL_BASE64_DECODE) */ - return EXPECT_RESULT(); -} - -static int test_wolfSSL_EVP_EncodeInit(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_BASE64_ENCODE) - EVP_ENCODE_CTX* ctx = NULL; - - ExpectNotNull(ctx = EVP_ENCODE_CTX_new()); - ExpectIntEQ(ctx->remaining, 0); - ExpectIntEQ(ctx->data[0], 0); - ExpectIntEQ(ctx->data[sizeof(ctx->data) -1], 0); - - if (ctx != NULL) { - /* make ctx dirty */ - ctx->remaining = 10; - XMEMSET(ctx->data, 0x77, sizeof(ctx->data)); - } - - EVP_EncodeInit(ctx); - - ExpectIntEQ(ctx->remaining, 0); - ExpectIntEQ(ctx->data[0], 0); - ExpectIntEQ(ctx->data[sizeof(ctx->data) -1], 0); - - EVP_ENCODE_CTX_free(ctx); -#endif /* OPENSSL_EXTRA && WOLFSSL_BASE64_ENCODE*/ - return EXPECT_RESULT(); -} -static int test_wolfSSL_EVP_EncodeUpdate(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_BASE64_ENCODE) - int outl; - int total; - - const unsigned char plain0[] = {"Th"}; - const unsigned char plain1[] = {"This is a base64 encodeing test."}; - const unsigned char plain2[] = {"This is additional data."}; - - const unsigned char encBlock0[] = {"VGg="}; - const unsigned char enc0[] = {"VGg=\n"}; - /* expected encoded result for the first output 64 chars plus trailing LF*/ - const unsigned char enc1[] = {"VGhpcyBpcyBhIGJhc2U2NCBlbmNvZGVpbmcgdGVzdC5UaGlzIGlzIGFkZGl0aW9u\n"}; - - const unsigned char enc2[] = - {"VGhpcyBpcyBhIGJhc2U2NCBlbmNvZGVpbmcgdGVzdC5UaGlzIGlzIGFkZGl0aW9u\nYWwgZGF0YS4=\n"}; - - unsigned char encOutBuff[300]; - - EVP_ENCODE_CTX* ctx = NULL; - - ExpectNotNull(ctx = EVP_ENCODE_CTX_new()); - - EVP_EncodeInit(ctx); - - /* illegal parameter test */ - ExpectIntEQ( - EVP_EncodeUpdate( - NULL, /* pass NULL as ctx */ - encOutBuff, - &outl, - plain1, - sizeof(plain1)-1), - 0 /* expected result code 0: fail */ - ); - - ExpectIntEQ( - EVP_EncodeUpdate( - ctx, - NULL, /* pass NULL as out buff */ - &outl, - plain1, - sizeof(plain1)-1), - 0 /* expected result code 0: fail */ - ); - - ExpectIntEQ( - EVP_EncodeUpdate( - ctx, - encOutBuff, - NULL, /* pass NULL as outl */ - plain1, - sizeof(plain1)-1), - 0 /* expected result code 0: fail */ - ); - - ExpectIntEQ( - EVP_EncodeUpdate( - ctx, - encOutBuff, - &outl, - NULL, /* pass NULL as in */ - sizeof(plain1)-1), - 0 /* expected result code 0: fail */ - ); - - ExpectIntEQ(EVP_EncodeBlock(NULL, NULL, 0), -1); - - /* meaningless parameter test */ - - ExpectIntEQ( - EVP_EncodeUpdate( - ctx, - encOutBuff, - &outl, - plain1, - 0), /* pass zero input */ - 1 /* expected result code 1: success */ - ); - - /* very small data encoding test */ - - EVP_EncodeInit(ctx); - - ExpectIntEQ( - EVP_EncodeUpdate( - ctx, - encOutBuff, - &outl, - plain0, - sizeof(plain0)-1), - 1 /* expected result code 1: success */ - ); - ExpectIntEQ(outl,0); - - if (EXPECT_SUCCESS()) { - EVP_EncodeFinal( - ctx, - encOutBuff + outl, - &outl); - } - - ExpectIntEQ( outl, sizeof(enc0)-1); - ExpectIntEQ( - XSTRNCMP( - (const char*)encOutBuff, - (const char*)enc0,sizeof(enc0) ), - 0); - - XMEMSET( encOutBuff,0, sizeof(encOutBuff)); - ExpectIntEQ(EVP_EncodeBlock(encOutBuff, plain0, sizeof(plain0)-1), - sizeof(encBlock0)-1); - ExpectStrEQ(encOutBuff, encBlock0); - - /* pass small size( < 48bytes ) input, then make sure they are not - * encoded and just stored in ctx - */ - - EVP_EncodeInit(ctx); - - total = 0; - outl = 0; - XMEMSET( encOutBuff,0, sizeof(encOutBuff)); - - ExpectIntEQ( - EVP_EncodeUpdate( - ctx, - encOutBuff, /* buffer for output */ - &outl, /* size of output */ - plain1, /* input */ - sizeof(plain1)-1), /* size of input */ - 1); /* expected result code 1:success */ - - total += outl; - - ExpectIntEQ(outl, 0); /* no output expected */ - ExpectIntEQ(ctx->remaining, sizeof(plain1) -1); - ExpectTrue( - XSTRNCMP((const char*)(ctx->data), - (const char*)plain1, - ctx->remaining) ==0 ); - ExpectTrue(encOutBuff[0] == 0); - - /* call wolfSSL_EVP_EncodeUpdate again to make it encode - * the stored data and the new input together - */ - ExpectIntEQ( - EVP_EncodeUpdate( - ctx, - encOutBuff + outl, /* buffer for output */ - &outl, /* size of output */ - plain2, /* additional input */ - sizeof(plain2) -1), /* size of additional input */ - 1); /* expected result code 1:success */ - - total += outl; - - ExpectIntNE(outl, 0); /* some output is expected this time*/ - ExpectIntEQ(outl, BASE64_ENCODE_RESULT_BLOCK_SIZE +1); /* 64 bytes and LF */ - ExpectIntEQ( - XSTRNCMP((const char*)encOutBuff,(const char*)enc1,sizeof(enc1) ),0); - - /* call wolfSSL_EVP_EncodeFinal to flush all the unprocessed input */ - EVP_EncodeFinal( - ctx, - encOutBuff + outl, - &outl); - - total += outl; - - ExpectIntNE(total,0); - ExpectIntNE(outl,0); - ExpectIntEQ(XSTRNCMP( - (const char*)encOutBuff,(const char*)enc2,sizeof(enc2) ),0); - - /* test with illeagal parameters */ - outl = 1; - EVP_EncodeFinal(NULL, encOutBuff + outl, &outl); - ExpectIntEQ(outl, 0); - outl = 1; - EVP_EncodeFinal(ctx, NULL, &outl); - ExpectIntEQ(outl, 0); - EVP_EncodeFinal(ctx, encOutBuff + outl, NULL); - EVP_EncodeFinal(NULL, NULL, NULL); - - EVP_ENCODE_CTX_free(ctx); -#endif /* OPENSSL_EXTRA && WOLFSSL_BASE64_ENCODE*/ - return EXPECT_RESULT(); -} -static int test_wolfSSL_EVP_EncodeFinal(void) -{ - int res = TEST_SKIPPED; -#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_BASE64_ENCODE) - /* tests for wolfSSL_EVP_EncodeFinal are included in - * test_wolfSSL_EVP_EncodeUpdate - */ - res = TEST_SUCCESS; -#endif /* OPENSSL_EXTRA && WOLFSSL_BASE64_ENCODE*/ - return res; -} - - -static int test_wolfSSL_EVP_DecodeInit(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_BASE64_DECODE) - EVP_ENCODE_CTX* ctx = NULL; - - ExpectNotNull( ctx = EVP_ENCODE_CTX_new()); - ExpectIntEQ( ctx->remaining,0); - ExpectIntEQ( ctx->data[0],0); - ExpectIntEQ( ctx->data[sizeof(ctx->data) -1],0); - - if (ctx != NULL) { - /* make ctx dirty */ - ctx->remaining = 10; - XMEMSET( ctx->data, 0x77, sizeof(ctx->data)); - } - - EVP_DecodeInit(ctx); - - ExpectIntEQ( ctx->remaining,0); - ExpectIntEQ( ctx->data[0],0); - ExpectIntEQ( ctx->data[sizeof(ctx->data) -1],0); - - EVP_ENCODE_CTX_free(ctx); -#endif /* OPENSSL && WOLFSSL_BASE_DECODE */ - return EXPECT_RESULT(); -} -static int test_wolfSSL_EVP_DecodeUpdate(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_BASE64_DECODE) - int outl; - unsigned char decOutBuff[300]; - - EVP_ENCODE_CTX* ctx = NULL; - - static const unsigned char enc1[] = - {"VGhpcyBpcyBhIGJhc2U2NCBkZWNvZGluZyB0ZXN0Lg==\n"}; -/* const unsigned char plain1[] = - {"This is a base64 decoding test."} */ - - ExpectNotNull(ctx = EVP_ENCODE_CTX_new()); - - EVP_DecodeInit(ctx); - - /* illegal parameter tests */ - - /* pass NULL as ctx */ - ExpectIntEQ( - EVP_DecodeUpdate( - NULL, /* pass NULL as ctx */ - decOutBuff, - &outl, - enc1, - sizeof(enc1)-1), - -1 /* expected result code -1: fail */ - ); - ExpectIntEQ( outl, 0); - - /* pass NULL as output */ - ExpectIntEQ( - EVP_DecodeUpdate( - ctx, - NULL, /* pass NULL as out buff */ - &outl, - enc1, - sizeof(enc1)-1), - -1 /* expected result code -1: fail */ - ); - ExpectIntEQ( outl, 0); - - /* pass NULL as outl */ - ExpectIntEQ( - EVP_DecodeUpdate( - ctx, - decOutBuff, - NULL, /* pass NULL as outl */ - enc1, - sizeof(enc1)-1), - -1 /* expected result code -1: fail */ - ); - - /* pass NULL as input */ - ExpectIntEQ( - EVP_DecodeUpdate( - ctx, - decOutBuff, - &outl, - NULL, /* pass NULL as in */ - sizeof(enc1)-1), - -1 /* expected result code -1: fail */ - ); - ExpectIntEQ( outl, 0); - - ExpectIntEQ(EVP_DecodeBlock(NULL, NULL, 0), -1); - - /* pass zero length input */ - - ExpectIntEQ( - EVP_DecodeUpdate( - ctx, - decOutBuff, - &outl, - enc1, - 0), /* pass zero as input len */ - 1 /* expected result code 1: success */ - ); - - /* decode correct base64 string */ - - { - static const unsigned char enc2[] = - {"VGhpcyBpcyBhIGJhc2U2NCBkZWNvZGluZyB0ZXN0Lg==\n"}; - static const unsigned char plain2[] = - {"This is a base64 decoding test."}; - - EVP_EncodeInit(ctx); - - ExpectIntEQ( - EVP_DecodeUpdate( - ctx, - decOutBuff, - &outl, - enc2, - sizeof(enc2)-1), - 0 /* expected result code 0: success */ - ); - - ExpectIntEQ(outl,sizeof(plain2) -1); - - ExpectIntEQ( - EVP_DecodeFinal( - ctx, - decOutBuff + outl, - &outl), - 1 /* expected result code 1: success */ - ); - ExpectIntEQ(outl, 0); /* expected DecodeFinal output no data */ - - ExpectIntEQ(XSTRNCMP( (const char*)plain2,(const char*)decOutBuff, - sizeof(plain2) -1 ),0); - ExpectIntEQ(EVP_DecodeBlock(decOutBuff, enc2, sizeof(enc2)), - sizeof(plain2)-1); - ExpectIntEQ(XSTRNCMP( (const char*)plain2,(const char*)decOutBuff, - sizeof(plain2) -1 ),0); - } - - /* decode correct base64 string which does not have '\n' in its last*/ - - { - static const unsigned char enc3[] = - {"VGhpcyBpcyBhIGJhc2U2NCBkZWNvZGluZyB0ZXN0Lg=="}; /* 44 chars */ - static const unsigned char plain3[] = - {"This is a base64 decoding test."}; /* 31 chars */ - - EVP_EncodeInit(ctx); - - ExpectIntEQ( - EVP_DecodeUpdate( - ctx, - decOutBuff, - &outl, - enc3, - sizeof(enc3)-1), - 0 /* expected result code 0: success */ - ); - - ExpectIntEQ(outl,sizeof(plain3)-1); /* 31 chars should be output */ - - ExpectIntEQ(XSTRNCMP( (const char*)plain3,(const char*)decOutBuff, - sizeof(plain3) -1 ),0); - - ExpectIntEQ( - EVP_DecodeFinal( - ctx, - decOutBuff + outl, - &outl), - 1 /* expected result code 1: success */ - ); - - ExpectIntEQ(outl,0 ); - - ExpectIntEQ(EVP_DecodeBlock(decOutBuff, enc3, sizeof(enc3)-1), - sizeof(plain3)-1); - ExpectIntEQ(XSTRNCMP( (const char*)plain3,(const char*)decOutBuff, - sizeof(plain3) -1 ),0); - } - - /* decode string which has a padding char ('=') in the illegal position*/ - - { - static const unsigned char enc4[] = - {"VGhpcyBpcyBhIGJhc2U2N=CBkZWNvZGluZyB0ZXN0Lg==\n"}; - - EVP_EncodeInit(ctx); - - ExpectIntEQ( - EVP_DecodeUpdate( - ctx, - decOutBuff, - &outl, - enc4, - sizeof(enc4)-1), - -1 /* expected result code -1: error */ - ); - ExpectIntEQ(outl,0); - ExpectIntEQ(EVP_DecodeBlock(decOutBuff, enc4, sizeof(enc4)-1), -1); - } - - /* small data decode test */ - - { - static const unsigned char enc00[] = {"VG"}; - static const unsigned char enc01[] = {"g=\n"}; - static const unsigned char plain4[] = {"Th"}; - - EVP_EncodeInit(ctx); - - ExpectIntEQ( - EVP_DecodeUpdate( - ctx, - decOutBuff, - &outl, - enc00, - sizeof(enc00)-1), - 1 /* expected result code 1: success */ - ); - ExpectIntEQ(outl,0); - - ExpectIntEQ( - EVP_DecodeUpdate( - ctx, - decOutBuff + outl, - &outl, - enc01, - sizeof(enc01)-1), - 0 /* expected result code 0: success */ - ); - - ExpectIntEQ(outl,sizeof(plain4)-1); - - /* test with illegal parameters */ - ExpectIntEQ(EVP_DecodeFinal(NULL,decOutBuff + outl,&outl), -1); - ExpectIntEQ(EVP_DecodeFinal(ctx,NULL,&outl), -1); - ExpectIntEQ(EVP_DecodeFinal(ctx,decOutBuff + outl, NULL), -1); - ExpectIntEQ(EVP_DecodeFinal(NULL,NULL, NULL), -1); - - if (EXPECT_SUCCESS()) { - EVP_DecodeFinal( - ctx, - decOutBuff + outl, - &outl); - } - - ExpectIntEQ( outl, 0); - ExpectIntEQ( - XSTRNCMP( - (const char*)decOutBuff, - (const char*)plain4,sizeof(plain4)-1 ), - 0); - } - - EVP_ENCODE_CTX_free(ctx); -#endif /* OPENSSL && WOLFSSL_BASE_DECODE */ - return EXPECT_RESULT(); -} -static int test_wolfSSL_EVP_DecodeFinal(void) -{ - int res = TEST_SKIPPED; -#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_BASE64_DECODE) - /* tests for wolfSSL_EVP_DecodeFinal are included in - * test_wolfSSL_EVP_DecodeUpdate - */ - res = TEST_SUCCESS; -#endif /* OPENSSL && WOLFSSL_BASE_DECODE */ - return res; -} - -/* Test function for wolfSSL_EVP_get_cipherbynid. - */ - -#ifdef OPENSSL_EXTRA -static int test_wolfSSL_EVP_get_cipherbynid(void) -{ - EXPECT_DECLS; -#ifndef NO_AES - const WOLFSSL_EVP_CIPHER* c; - - c = wolfSSL_EVP_get_cipherbynid(419); - #if (defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT)) && \ - defined(WOLFSSL_AES_128) - ExpectNotNull(c); - ExpectNotNull(XSTRCMP("EVP_AES_128_CBC", c)); - #else - ExpectNull(c); - #endif - - c = wolfSSL_EVP_get_cipherbynid(423); - #if (defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT)) && \ - defined(WOLFSSL_AES_192) - ExpectNotNull(c); - ExpectNotNull(XSTRCMP("EVP_AES_192_CBC", c)); - #else - ExpectNull(c); - #endif - - c = wolfSSL_EVP_get_cipherbynid(427); - #if (defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT)) && \ - defined(WOLFSSL_AES_256) - ExpectNotNull(c); - ExpectNotNull(XSTRCMP("EVP_AES_256_CBC", c)); - #else - ExpectNull(c); - #endif - - c = wolfSSL_EVP_get_cipherbynid(904); - #if defined(WOLFSSL_AES_COUNTER) && defined(WOLFSSL_AES_128) - ExpectNotNull(c); - ExpectNotNull(XSTRCMP("EVP_AES_128_CTR", c)); - #else - ExpectNull(c); - #endif - - c = wolfSSL_EVP_get_cipherbynid(905); - #if defined(WOLFSSL_AES_COUNTER) && defined(WOLFSSL_AES_192) - ExpectNotNull(c); - ExpectNotNull(XSTRCMP("EVP_AES_192_CTR", c)); - #else - ExpectNull(c); - #endif - - c = wolfSSL_EVP_get_cipherbynid(906); - #if defined(WOLFSSL_AES_COUNTER) && defined(WOLFSSL_AES_256) - ExpectNotNull(c); - ExpectNotNull(XSTRCMP("EVP_AES_256_CTR", c)); - #else - ExpectNull(c); - #endif - - c = wolfSSL_EVP_get_cipherbynid(418); - #if defined(HAVE_AES_ECB) && defined(WOLFSSL_AES_128) - ExpectNotNull(c); - ExpectNotNull(XSTRCMP("EVP_AES_128_ECB", c)); - #else - ExpectNull(c); - #endif - - c = wolfSSL_EVP_get_cipherbynid(422); - #if defined(HAVE_AES_ECB) && defined(WOLFSSL_AES_192) - ExpectNotNull(c); - ExpectNotNull(XSTRCMP("EVP_AES_192_ECB", c)); - #else - ExpectNull(c); - #endif - - c = wolfSSL_EVP_get_cipherbynid(426); - #if defined(HAVE_AES_ECB) && defined(WOLFSSL_AES_256) - ExpectNotNull(c); - ExpectNotNull(XSTRCMP("EVP_AES_256_ECB", c)); - #else - ExpectNull(c); - #endif -#endif /* !NO_AES */ - -#ifndef NO_DES3 - ExpectNotNull(XSTRCMP("EVP_DES_CBC", wolfSSL_EVP_get_cipherbynid(31))); -#ifdef WOLFSSL_DES_ECB - ExpectNotNull(XSTRCMP("EVP_DES_ECB", wolfSSL_EVP_get_cipherbynid(29))); -#endif - ExpectNotNull(XSTRCMP("EVP_DES_EDE3_CBC", wolfSSL_EVP_get_cipherbynid(44))); -#ifdef WOLFSSL_DES_ECB - ExpectNotNull(XSTRCMP("EVP_DES_EDE3_ECB", wolfSSL_EVP_get_cipherbynid(33))); -#endif -#endif /* !NO_DES3 */ - -#if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) - ExpectNotNull(XSTRCMP("EVP_CHACHA20_POLY13O5", EVP_get_cipherbynid(1018))); -#endif - - /* test for nid is out of range */ - ExpectNull(wolfSSL_EVP_get_cipherbynid(1)); - - return EXPECT_RESULT(); -} - -static int test_wolfSSL_EVP_CIPHER_CTX(void) -{ - EXPECT_DECLS; -#if !defined(NO_AES) && defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_128) - EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new(); - const EVP_CIPHER *init = EVP_aes_128_cbc(); - const EVP_CIPHER *test; - byte key[AES_BLOCK_SIZE] = {0}; - byte iv[AES_BLOCK_SIZE] = {0}; - - ExpectNotNull(ctx); - wolfSSL_EVP_CIPHER_CTX_init(ctx); - ExpectIntEQ(EVP_CipherInit(ctx, init, key, iv, 1), WOLFSSL_SUCCESS); - test = EVP_CIPHER_CTX_cipher(ctx); - ExpectTrue(init == test); - ExpectIntEQ(EVP_CIPHER_nid(test), NID_aes_128_cbc); - - ExpectIntEQ(EVP_CIPHER_CTX_reset(ctx), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_CIPHER_CTX_reset(NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - - EVP_CIPHER_CTX_free(ctx); - /* test EVP_CIPHER_CTX_cleanup with NULL */ - ExpectIntEQ(EVP_CIPHER_CTX_cleanup(NULL), WOLFSSL_SUCCESS); -#endif /* !NO_AES && HAVE_AES_CBC && WOLFSSL_AES_128 */ - return EXPECT_RESULT(); -} -#endif /* OPENSSL_EXTRA */ /*----------------------------------------------------------------------------* | IO @@ -13038,410 +9963,6 @@ static int test_tls_bad_legacy_version(void) | X509 Tests *----------------------------------------------------------------------------*/ -/* Testing functions dealing with PKCS12 parsing out X509 certs */ -static int test_wolfSSL_PKCS12(void) -{ - EXPECT_DECLS; - /* .p12 file is encrypted with DES3 */ -#ifndef HAVE_FIPS /* Password used in cert "wolfSSL test" is only 12-bytes - * (96-bit) FIPS mode requires Minimum of 14-byte (112-bit) - * Password Key - */ -#if defined(OPENSSL_EXTRA) && !defined(NO_DES3) && !defined(NO_FILESYSTEM) && \ - !defined(NO_STDIO_FILESYSTEM) && !defined(NO_TLS) && \ - !defined(NO_ASN) && !defined(NO_PWDBASED) && !defined(NO_RSA) && \ - !defined(NO_SHA) && defined(HAVE_PKCS12) && !defined(NO_BIO) && \ - defined(WOLFSSL_AES_256) - byte buf[6000]; - char file[] = "./certs/test-servercert.p12"; - char order[] = "./certs/ecc-rsa-server.p12"; -#ifdef WC_RC2 - char rc2p12[] = "./certs/test-servercert-rc2.p12"; -#endif - char pass[] = "a password"; - const char goodPsw[] = "wolfSSL test"; - const char badPsw[] = "bad"; -#ifdef HAVE_ECC - WOLFSSL_X509_NAME *subject = NULL; - WOLFSSL_X509 *x509 = NULL; -#endif - XFILE f = XBADFILE; - int bytes = 0, ret = 0, goodPswLen = 0, badPswLen = 0; - WOLFSSL_BIO *bio = NULL; - WOLFSSL_EVP_PKEY *pkey = NULL; - WC_PKCS12 *pkcs12 = NULL; - WC_PKCS12 *pkcs12_2 = NULL; - WOLFSSL_X509 *cert = NULL; - WOLFSSL_X509 *tmp = NULL; - WOLF_STACK_OF(WOLFSSL_X509) *ca = NULL; -#if (defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO) || defined(WOLFSSL_HAPROXY) \ - || defined(WOLFSSL_NGINX)) && defined(SESSION_CERTS) - WOLFSSL_CTX *ctx = NULL; - WOLFSSL *ssl = NULL; - WOLF_STACK_OF(WOLFSSL_X509) *tmp_ca = NULL; -#endif - - ExpectTrue((f = XFOPEN(file, "rb")) != XBADFILE); - ExpectIntGT(bytes = (int)XFREAD(buf, 1, sizeof(buf), f), 0); - if (f != XBADFILE) { - XFCLOSE(f); - f = XBADFILE; - } - - goodPswLen = (int)XSTRLEN(goodPsw); - badPswLen = (int)XSTRLEN(badPsw); - - ExpectNotNull(bio = wolfSSL_BIO_new(wolfSSL_BIO_s_mem())); - - ExpectIntEQ(BIO_write(bio, buf, bytes), bytes); /* d2i consumes BIO */ - ExpectNotNull(d2i_PKCS12_bio(bio, &pkcs12)); - ExpectNotNull(pkcs12); - BIO_free(bio); - bio = NULL; - - /* check verify MAC directly */ - ExpectIntEQ(ret = PKCS12_verify_mac(pkcs12, goodPsw, goodPswLen), 1); - - /* check verify MAC fail case directly */ - ExpectIntEQ(ret = PKCS12_verify_mac(pkcs12, badPsw, badPswLen), 0); - - /* check verify MAC fail case */ - ExpectIntEQ(ret = PKCS12_parse(pkcs12, "bad", &pkey, &cert, NULL), 0); - ExpectNull(pkey); - ExpectNull(cert); - - /* check parse with no extra certs kept */ - ExpectIntEQ(ret = PKCS12_parse(pkcs12, "wolfSSL test", &pkey, &cert, NULL), - 1); - ExpectNotNull(pkey); - ExpectNotNull(cert); - - wolfSSL_EVP_PKEY_free(pkey); - pkey = NULL; - wolfSSL_X509_free(cert); - cert = NULL; - - /* check parse with extra certs kept */ - ExpectIntEQ(ret = PKCS12_parse(pkcs12, "wolfSSL test", &pkey, &cert, &ca), - 1); - ExpectNotNull(pkey); - ExpectNotNull(cert); - ExpectNotNull(ca); - -#if (defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO) || defined(WOLFSSL_HAPROXY) \ - || defined(WOLFSSL_NGINX)) && defined(SESSION_CERTS) - - /* Check that SSL_CTX_set0_chain correctly sets the certChain buffer */ -#if !defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER) -#if !defined(NO_WOLFSSL_CLIENT) && defined(SESSION_CERTS) - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); -#else - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); -#endif - /* Copy stack structure */ - ExpectNotNull(tmp_ca = X509_chain_up_ref(ca)); - ExpectIntEQ(SSL_CTX_set0_chain(ctx, tmp_ca), 1); - /* CTX now owns the tmp_ca stack structure */ - tmp_ca = NULL; - ExpectIntEQ(wolfSSL_CTX_get_extra_chain_certs(ctx, &tmp_ca), 1); - ExpectNotNull(tmp_ca); - ExpectIntEQ(sk_X509_num(tmp_ca), sk_X509_num(ca)); - /* Check that the main cert is also set */ - ExpectNotNull(SSL_CTX_get0_certificate(ctx)); - ExpectNotNull(ssl = SSL_new(ctx)); - ExpectNotNull(SSL_get_certificate(ssl)); - SSL_free(ssl); - SSL_CTX_free(ctx); - ctx = NULL; -#endif -#endif /* !NO_WOLFSSL_CLIENT || !NO_WOLFSSL_SERVER */ - /* should be 2 other certs on stack */ - ExpectNotNull(tmp = sk_X509_pop(ca)); - X509_free(tmp); - ExpectNotNull(tmp = sk_X509_pop(ca)); - X509_free(tmp); - ExpectNull(sk_X509_pop(ca)); - - EVP_PKEY_free(pkey); - pkey = NULL; - X509_free(cert); - cert = NULL; - sk_X509_pop_free(ca, X509_free); - ca = NULL; - - /* check PKCS12_create */ - ExpectNull(PKCS12_create(pass, NULL, NULL, NULL, NULL, -1, -1, -1, -1,0)); - ExpectIntEQ(PKCS12_parse(pkcs12, "wolfSSL test", &pkey, &cert, &ca), - SSL_SUCCESS); - ExpectNotNull((pkcs12_2 = PKCS12_create(pass, NULL, pkey, cert, ca, - -1, -1, 100, -1, 0))); - EVP_PKEY_free(pkey); - pkey = NULL; - X509_free(cert); - cert = NULL; - sk_X509_pop_free(ca, NULL); - ca = NULL; - - ExpectIntEQ(PKCS12_parse(pkcs12_2, "a password", &pkey, &cert, &ca), - SSL_SUCCESS); - PKCS12_free(pkcs12_2); - pkcs12_2 = NULL; - ExpectNotNull((pkcs12_2 = PKCS12_create(pass, NULL, pkey, cert, ca, - NID_pbe_WithSHA1And3_Key_TripleDES_CBC, - NID_pbe_WithSHA1And3_Key_TripleDES_CBC, - 2000, 1, 0))); - EVP_PKEY_free(pkey); - pkey = NULL; - X509_free(cert); - cert = NULL; - sk_X509_pop_free(ca, NULL); - ca = NULL; - - /* convert to DER then back and parse */ - ExpectNotNull(bio = BIO_new(BIO_s_mem())); - ExpectIntEQ(i2d_PKCS12_bio(bio, pkcs12_2), SSL_SUCCESS); - PKCS12_free(pkcs12_2); - pkcs12_2 = NULL; - - ExpectNotNull(pkcs12_2 = d2i_PKCS12_bio(bio, NULL)); - BIO_free(bio); - bio = NULL; - ExpectIntEQ(PKCS12_parse(pkcs12_2, "a password", &pkey, &cert, &ca), - SSL_SUCCESS); - - /* should be 2 other certs on stack */ - ExpectNotNull(tmp = sk_X509_pop(ca)); - X509_free(tmp); - ExpectNotNull(tmp = sk_X509_pop(ca)); - X509_free(tmp); - ExpectNull(sk_X509_pop(ca)); - - -#ifndef NO_RC4 - PKCS12_free(pkcs12_2); - pkcs12_2 = NULL; - ExpectNotNull((pkcs12_2 = PKCS12_create(pass, NULL, pkey, cert, NULL, - NID_pbe_WithSHA1And128BitRC4, - NID_pbe_WithSHA1And128BitRC4, - 2000, 1, 0))); - EVP_PKEY_free(pkey); - pkey = NULL; - X509_free(cert); - cert = NULL; - sk_X509_pop_free(ca, NULL); - ca = NULL; - - ExpectIntEQ(PKCS12_parse(pkcs12_2, "a password", &pkey, &cert, &ca), - SSL_SUCCESS); - -#endif /* NO_RC4 */ - - EVP_PKEY_free(pkey); - pkey = NULL; - X509_free(cert); - cert = NULL; - PKCS12_free(pkcs12); - pkcs12 = NULL; - PKCS12_free(pkcs12_2); - pkcs12_2 = NULL; - sk_X509_pop_free(ca, NULL); - ca = NULL; - -#ifdef HAVE_ECC - /* test order of parsing */ - ExpectTrue((f = XFOPEN(order, "rb")) != XBADFILE); - ExpectIntGT(bytes = (int)XFREAD(buf, 1, sizeof(buf), f), 0); - if (f != XBADFILE) { - XFCLOSE(f); - f = XBADFILE; - } - - ExpectNotNull(bio = BIO_new_mem_buf((void*)buf, bytes)); - ExpectNotNull(pkcs12 = d2i_PKCS12_bio(bio, NULL)); - ExpectIntEQ((ret = PKCS12_parse(pkcs12, "", &pkey, &cert, &ca)), - WOLFSSL_SUCCESS); - - /* check use of pkey after parse */ -#if (defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO) || defined(WOLFSSL_HAPROXY) \ - || defined(WOLFSSL_NGINX)) && defined(SESSION_CERTS) -#if !defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER) -#if !defined(NO_WOLFSSL_CLIENT) && defined(SESSION_CERTS) - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); -#else - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); -#endif - ExpectIntEQ(SSL_CTX_use_PrivateKey(ctx, pkey), WOLFSSL_SUCCESS); - SSL_CTX_free(ctx); -#endif /* !NO_WOLFSSL_CLIENT || !NO_WOLFSSL_SERVER */ -#endif - - ExpectNotNull(pkey); - ExpectNotNull(cert); - ExpectNotNull(ca); - - /* compare subject lines of certificates */ - ExpectNotNull(subject = wolfSSL_X509_get_subject_name(cert)); - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(eccRsaCertFile, - SSL_FILETYPE_PEM)); - ExpectIntEQ(wolfSSL_X509_NAME_cmp((const WOLFSSL_X509_NAME*)subject, - (const WOLFSSL_X509_NAME*)wolfSSL_X509_get_subject_name(x509)), 0); - X509_free(x509); - x509 = NULL; - - /* test expected fail case */ - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(eccCertFile, - SSL_FILETYPE_PEM)); - ExpectIntNE(wolfSSL_X509_NAME_cmp((const WOLFSSL_X509_NAME*)subject, - (const WOLFSSL_X509_NAME*)wolfSSL_X509_get_subject_name(x509)), 0); - X509_free(x509); - x509 = NULL; - X509_free(cert); - cert = NULL; - - /* get subject line from ca stack */ - ExpectNotNull(cert = sk_X509_pop(ca)); - ExpectNotNull(subject = wolfSSL_X509_get_subject_name(cert)); - - /* compare subject from certificate in ca to expected */ - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(eccCertFile, - SSL_FILETYPE_PEM)); - ExpectIntEQ(wolfSSL_X509_NAME_cmp((const WOLFSSL_X509_NAME*)subject, - (const WOLFSSL_X509_NAME*)wolfSSL_X509_get_subject_name(x509)), 0); - - /* modify case and compare subject from certificate in ca to expected. - * The first bit of the name is: - * /C=US/ST=Washington - * So we'll change subject->name[1] to 'c' (lower case) */ - if (subject != NULL) { - subject->name[1] = 'c'; - ExpectIntEQ(wolfSSL_X509_NAME_cmp((const WOLFSSL_X509_NAME*)subject, - (const WOLFSSL_X509_NAME*)wolfSSL_X509_get_subject_name(x509)), 0); - } - - EVP_PKEY_free(pkey); - pkey = NULL; - X509_free(x509); - x509 = NULL; - X509_free(cert); - cert = NULL; - BIO_free(bio); - bio = NULL; - PKCS12_free(pkcs12); - pkcs12 = NULL; - sk_X509_pop_free(ca, NULL); /* TEST d2i_PKCS12_fp */ - ca = NULL; - - /* test order of parsing */ - ExpectTrue((f = XFOPEN(file, "rb")) != XBADFILE); - ExpectNotNull(pkcs12 = d2i_PKCS12_fp(f, NULL)); - if (f != XBADFILE) { - XFCLOSE(f); - f = XBADFILE; - } - - /* check verify MAC fail case */ - ExpectIntEQ(ret = PKCS12_parse(pkcs12, "bad", &pkey, &cert, NULL), 0); - ExpectNull(pkey); - ExpectNull(cert); - - /* check parse with no extra certs kept */ - ExpectIntEQ(ret = PKCS12_parse(pkcs12, "wolfSSL test", &pkey, &cert, NULL), - 1); - ExpectNotNull(pkey); - ExpectNotNull(cert); - - wolfSSL_EVP_PKEY_free(pkey); - pkey = NULL; - wolfSSL_X509_free(cert); - cert = NULL; - - /* check parse with extra certs kept */ - ExpectIntEQ(ret = PKCS12_parse(pkcs12, "wolfSSL test", &pkey, &cert, &ca), - 1); - ExpectNotNull(pkey); - ExpectNotNull(cert); - ExpectNotNull(ca); - - wolfSSL_EVP_PKEY_free(pkey); - pkey = NULL; - wolfSSL_X509_free(cert); - cert = NULL; - sk_X509_pop_free(ca, NULL); - ca = NULL; - - PKCS12_free(pkcs12); - pkcs12 = NULL; -#endif /* HAVE_ECC */ - -#ifdef WC_RC2 - /* test PKCS#12 with RC2 encryption */ - ExpectTrue((f = XFOPEN(rc2p12, "rb")) != XBADFILE); - ExpectIntGT(bytes = (int)XFREAD(buf, 1, sizeof(buf), f), 0); - if (f != XBADFILE) { - XFCLOSE(f); - f = XBADFILE; - } - - ExpectNotNull(bio = BIO_new_mem_buf((void*)buf, bytes)); - ExpectNotNull(pkcs12 = d2i_PKCS12_bio(bio, NULL)); - - /* check verify MAC fail case */ - ExpectIntEQ(ret = PKCS12_parse(pkcs12, "bad", &pkey, &cert, NULL), 0); - ExpectNull(pkey); - ExpectNull(cert); - - /* check parse with not extra certs kept */ - ExpectIntEQ(ret = PKCS12_parse(pkcs12, "wolfSSL test", &pkey, &cert, NULL), - WOLFSSL_SUCCESS); - ExpectNotNull(pkey); - ExpectNotNull(cert); - - wolfSSL_EVP_PKEY_free(pkey); - pkey = NULL; - wolfSSL_X509_free(cert); - cert = NULL; - - /* check parse with extra certs kept */ - ExpectIntEQ(ret = PKCS12_parse(pkcs12, "wolfSSL test", &pkey, &cert, &ca), - WOLFSSL_SUCCESS); - ExpectNotNull(pkey); - ExpectNotNull(cert); - ExpectNotNull(ca); - - wolfSSL_EVP_PKEY_free(pkey); - wolfSSL_X509_free(cert); - sk_X509_pop_free(ca, NULL); - - BIO_free(bio); - bio = NULL; - PKCS12_free(pkcs12); - pkcs12 = NULL; -#endif /* WC_RC2 */ - - /* Test i2d_PKCS12_bio */ - ExpectTrue((f = XFOPEN(file, "rb")) != XBADFILE); - ExpectNotNull(pkcs12 = d2i_PKCS12_fp(f, NULL)); - if (f != XBADFILE) - XFCLOSE(f); - - ExpectNotNull(bio = BIO_new(BIO_s_mem())); - - ExpectIntEQ(ret = i2d_PKCS12_bio(bio, pkcs12), 1); - - ExpectIntEQ(ret = i2d_PKCS12_bio(NULL, pkcs12), 0); - - ExpectIntEQ(ret = i2d_PKCS12_bio(bio, NULL), 0); - - PKCS12_free(pkcs12); - BIO_free(bio); - - (void)order; -#endif /* OPENSSL_EXTRA */ -#endif /* HAVE_FIPS */ - return EXPECT_RESULT(); -} - - #if !defined(NO_FILESYSTEM) && !defined(NO_ASN) && defined(HAVE_PKCS8) && \ defined(WOLFSSL_ENCRYPTED_KEYS) && !defined(NO_DES3) && !defined(NO_PWDBASED) && \ (!defined(NO_RSA) || defined(HAVE_ECC)) && !defined(NO_MD5) @@ -16161,754 +12682,6 @@ static int test_wolfSSL_ctrl(void) } -static int test_wolfSSL_EVP_PKEY_new_mac_key(void) -{ - EXPECT_DECLS; -#ifdef OPENSSL_EXTRA - static const unsigned char pw[] = "password"; - static const int pwSz = sizeof(pw) - 1; - size_t checkPwSz = 0; - const unsigned char* checkPw = NULL; - WOLFSSL_EVP_PKEY* key = NULL; - - ExpectNull(key = wolfSSL_EVP_PKEY_new_mac_key(0, NULL, pw, pwSz)); - ExpectNull(key = wolfSSL_EVP_PKEY_new_mac_key(0, NULL, NULL, pwSz)); - - ExpectNotNull(key = wolfSSL_EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, pw, - pwSz)); - if (key != NULL) { - ExpectIntEQ(key->type, EVP_PKEY_HMAC); - ExpectIntEQ(key->save_type, EVP_PKEY_HMAC); - ExpectIntEQ(key->pkey_sz, pwSz); - ExpectIntEQ(XMEMCMP(key->pkey.ptr, pw, pwSz), 0); - } - ExpectNotNull(checkPw = wolfSSL_EVP_PKEY_get0_hmac(key, &checkPwSz)); - ExpectIntEQ((int)checkPwSz, pwSz); - ExpectIntEQ(XMEMCMP(checkPw, pw, pwSz), 0); - wolfSSL_EVP_PKEY_free(key); - key = NULL; - - ExpectNotNull(key = wolfSSL_EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, pw, - 0)); - ExpectIntEQ(key->pkey_sz, 0); - if (EXPECT_SUCCESS()) { - /* Allocation for key->pkey.ptr may fail - OK key len is 0 */ - checkPw = wolfSSL_EVP_PKEY_get0_hmac(key, &checkPwSz); - } - ExpectTrue((checkPwSz == 0) || (checkPw != NULL)); - ExpectIntEQ((int)checkPwSz, 0); - wolfSSL_EVP_PKEY_free(key); - key = NULL; - - ExpectNotNull(key = wolfSSL_EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, NULL, - 0)); - ExpectIntEQ(key->pkey_sz, 0); - if (EXPECT_SUCCESS()) { - /* Allocation for key->pkey.ptr may fail - OK key len is 0 */ - checkPw = wolfSSL_EVP_PKEY_get0_hmac(key, &checkPwSz); - } - ExpectTrue((checkPwSz == 0) || (checkPw != NULL)); - ExpectIntEQ((int)checkPwSz, 0); - wolfSSL_EVP_PKEY_free(key); - key = NULL; -#endif /* OPENSSL_EXTRA */ - return EXPECT_RESULT(); -} - - -static int test_wolfSSL_EVP_PKEY_new_CMAC_key(void) -{ - EXPECT_DECLS; -#ifdef OPENSSL_EXTRA -#if defined(WOLFSSL_CMAC) && !defined(NO_AES) && \ - defined(WOLFSSL_AES_DIRECT) && defined(WOLFSSL_AES_128) - const char *priv = "ABCDEFGHIJKLMNOP"; - const WOLFSSL_EVP_CIPHER* cipher = EVP_aes_128_cbc(); - WOLFSSL_EVP_PKEY* key = NULL; - - ExpectNull(key = wolfSSL_EVP_PKEY_new_CMAC_key( - NULL, NULL, AES_128_KEY_SIZE, cipher)); - ExpectNull(key = wolfSSL_EVP_PKEY_new_CMAC_key( - NULL, (const unsigned char *)priv, 0, cipher)); - ExpectNull(key = wolfSSL_EVP_PKEY_new_CMAC_key( - NULL, (const unsigned char *)priv, AES_128_KEY_SIZE, NULL)); - - ExpectNotNull(key = wolfSSL_EVP_PKEY_new_CMAC_key( - NULL, (const unsigned char *)priv, AES_128_KEY_SIZE, cipher)); - wolfSSL_EVP_PKEY_free(key); -#endif /* WOLFSSL_CMAC && !NO_AES && WOLFSSL_AES_DIRECT && WOLFSSL_AES_128 */ -#endif /* OPENSSL_EXTRA */ - return EXPECT_RESULT(); -} - -static int test_wolfSSL_EVP_Digest(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_SHA256) && !defined(NO_PWDBASED) - const char* in = "abc"; - int inLen = (int)XSTRLEN(in); - byte out[WC_SHA256_DIGEST_SIZE]; - unsigned int outLen; - const char* expOut = - "\xBA\x78\x16\xBF\x8F\x01\xCF\xEA\x41\x41\x40\xDE\x5D\xAE\x22" - "\x23\xB0\x03\x61\xA3\x96\x17\x7A\x9C\xB4\x10\xFF\x61\xF2\x00" - "\x15\xAD"; - - ExpectIntEQ(wolfSSL_EVP_Digest((unsigned char*)in, inLen, out, &outLen, - "SHA256", NULL), 1); - ExpectIntEQ(outLen, WC_SHA256_DIGEST_SIZE); - ExpectIntEQ(XMEMCMP(out, expOut, WC_SHA256_DIGEST_SIZE), 0); -#endif /* OPEN_EXTRA && ! NO_SHA256 */ - return EXPECT_RESULT(); -} - -static int test_wolfSSL_EVP_Digest_all(void) -{ - EXPECT_DECLS; -#ifdef OPENSSL_EXTRA - const char* digests[] = { -#ifndef NO_MD5 - "MD5", -#endif -#ifndef NO_SHA - "SHA", -#endif -#ifdef WOLFSSL_SHA224 - "SHA224", -#endif -#ifndef NO_SHA256 - "SHA256", -#endif -#ifdef WOLFSSL_SHA384 - "SHA384", -#endif -#ifdef WOLFSSL_SHA512 - "SHA512", -#endif -#if defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_224) - "SHA512-224", -#endif -#if defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_256) - "SHA512-256", -#endif -#ifdef WOLFSSL_SHA3 -#ifndef WOLFSSL_NOSHA3_224 - "SHA3-224", -#endif -#ifndef WOLFSSL_NOSHA3_256 - "SHA3-256", -#endif - "SHA3-384", -#ifndef WOLFSSL_NOSHA3_512 - "SHA3-512", -#endif -#endif /* WOLFSSL_SHA3 */ - NULL - }; - const char** d; - const unsigned char in[] = "abc"; - int inLen = XSTR_SIZEOF(in); - byte out[WC_MAX_DIGEST_SIZE]; - unsigned int outLen; - - for (d = digests; *d != NULL; d++) { - ExpectIntEQ(EVP_Digest(in, inLen, out, &outLen, *d, NULL), 1); - ExpectIntGT(outLen, 0); - ExpectIntEQ(EVP_MD_size(*d), outLen); - } -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_EVP_MD_size(void) -{ - EXPECT_DECLS; -#ifdef OPENSSL_EXTRA - WOLFSSL_EVP_MD_CTX mdCtx; - -#ifdef WOLFSSL_SHA3 -#ifndef WOLFSSL_NOSHA3_224 - wolfSSL_EVP_MD_CTX_init(&mdCtx); - - ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA3-224"), 1); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA3_224_DIGEST_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA3_224_BLOCK_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); -#endif -#ifndef WOLFSSL_NOSHA3_256 - wolfSSL_EVP_MD_CTX_init(&mdCtx); - - ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA3-256"), 1); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA3_256_DIGEST_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA3_256_BLOCK_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); -#endif - wolfSSL_EVP_MD_CTX_init(&mdCtx); - - ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA3-384"), 1); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA3_384_DIGEST_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA3_384_BLOCK_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); -#ifndef WOLFSSL_NOSHA3_512 - wolfSSL_EVP_MD_CTX_init(&mdCtx); - - ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA3-512"), 1); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA3_512_DIGEST_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA3_512_BLOCK_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); -#endif -#endif /* WOLFSSL_SHA3 */ - -#ifndef NO_SHA256 - wolfSSL_EVP_MD_CTX_init(&mdCtx); - - ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA256"), 1); - ExpectIntEQ(wolfSSL_EVP_MD_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), - WC_SHA256_DIGEST_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_block_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), - WC_SHA256_BLOCK_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA256_DIGEST_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA256_BLOCK_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); - -#endif - -#ifndef NO_MD5 - wolfSSL_EVP_MD_CTX_init(&mdCtx); - - ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "MD5"), 1); - ExpectIntEQ(wolfSSL_EVP_MD_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), - WC_MD5_DIGEST_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_block_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), - WC_MD5_BLOCK_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_MD5_DIGEST_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_MD5_BLOCK_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); - -#endif - -#ifdef WOLFSSL_SHA224 - wolfSSL_EVP_MD_CTX_init(&mdCtx); - - ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA224"), 1); - ExpectIntEQ(wolfSSL_EVP_MD_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), - WC_SHA224_DIGEST_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_block_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), - WC_SHA224_BLOCK_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA224_DIGEST_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA224_BLOCK_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); - -#endif - -#ifdef WOLFSSL_SHA384 - wolfSSL_EVP_MD_CTX_init(&mdCtx); - - ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA384"), 1); - ExpectIntEQ(wolfSSL_EVP_MD_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), - WC_SHA384_DIGEST_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_block_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), - WC_SHA384_BLOCK_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA384_DIGEST_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA384_BLOCK_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); - -#endif - -#ifdef WOLFSSL_SHA512 - wolfSSL_EVP_MD_CTX_init(&mdCtx); - - ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA512"), 1); - ExpectIntEQ(wolfSSL_EVP_MD_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), - WC_SHA512_DIGEST_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_block_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), - WC_SHA512_BLOCK_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA512_DIGEST_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA512_BLOCK_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); - -#endif - -#ifndef NO_SHA - wolfSSL_EVP_MD_CTX_init(&mdCtx); - - ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA"), 1); - ExpectIntEQ(wolfSSL_EVP_MD_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), - WC_SHA_DIGEST_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_block_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), - WC_SHA_BLOCK_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA_DIGEST_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA_BLOCK_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); - - wolfSSL_EVP_MD_CTX_init(&mdCtx); - - ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA1"), 1); - ExpectIntEQ(wolfSSL_EVP_MD_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), - WC_SHA_DIGEST_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_block_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), - WC_SHA_BLOCK_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA_DIGEST_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA_BLOCK_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); -#endif - /* error case */ - wolfSSL_EVP_MD_CTX_init(&mdCtx); - - ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, ""), 0); - ExpectIntEQ(wolfSSL_EVP_MD_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), 0); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), 0); - /* Cleanup is valid on uninit'ed struct */ - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); -#endif /* OPENSSL_EXTRA */ - return EXPECT_RESULT(); -} - -static int test_wolfSSL_EVP_MD_pkey_type(void) -{ - EXPECT_DECLS; -#ifdef OPENSSL_EXTRA - const WOLFSSL_EVP_MD* md; - -#ifndef NO_MD5 - ExpectNotNull(md = EVP_md5()); - ExpectIntEQ(EVP_MD_pkey_type(md), NID_md5WithRSAEncryption); -#endif -#ifndef NO_SHA - ExpectNotNull(md = EVP_sha1()); - ExpectIntEQ(EVP_MD_pkey_type(md), NID_sha1WithRSAEncryption); -#endif -#ifdef WOLFSSL_SHA224 - ExpectNotNull(md = EVP_sha224()); - ExpectIntEQ(EVP_MD_pkey_type(md), NID_sha224WithRSAEncryption); -#endif - ExpectNotNull(md = EVP_sha256()); - ExpectIntEQ(EVP_MD_pkey_type(md), NID_sha256WithRSAEncryption); -#ifdef WOLFSSL_SHA384 - ExpectNotNull(md = EVP_sha384()); - ExpectIntEQ(EVP_MD_pkey_type(md), NID_sha384WithRSAEncryption); -#endif -#ifdef WOLFSSL_SHA512 - ExpectNotNull(md = EVP_sha512()); - ExpectIntEQ(EVP_MD_pkey_type(md), NID_sha512WithRSAEncryption); -#endif -#endif - return EXPECT_RESULT(); -} - -#ifdef OPENSSL_EXTRA -static int test_hmac_signing(const WOLFSSL_EVP_MD *type, const byte* testKey, - size_t testKeySz, const char* testData, size_t testDataSz, - const byte* testResult, size_t testResultSz) -{ - EXPECT_DECLS; - unsigned char check[WC_MAX_DIGEST_SIZE]; - size_t checkSz = 0; - WOLFSSL_EVP_PKEY* key = NULL; - WOLFSSL_EVP_MD_CTX mdCtx; - - ExpectNotNull(key = wolfSSL_EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, - testKey, (int)testKeySz)); - wolfSSL_EVP_MD_CTX_init(&mdCtx); - ExpectIntEQ(wolfSSL_EVP_DigestSignInit(&mdCtx, NULL, type, NULL, key), 1); - ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData, - (unsigned int)testDataSz), 1); - checkSz = sizeof(check); - ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, NULL, &checkSz), 1); - ExpectIntEQ((int)checkSz, (int)testResultSz); - checkSz = sizeof(check); - ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); - ExpectIntEQ((int)checkSz,(int)testResultSz); - ExpectIntEQ(XMEMCMP(testResult, check, testResultSz), 0); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); - - ExpectIntEQ(wolfSSL_EVP_DigestVerifyInit(&mdCtx, NULL, type, NULL, key), 1); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData, - (unsigned int)testDataSz), 1); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyFinal(&mdCtx, testResult, checkSz), 1); - - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); - wolfSSL_EVP_MD_CTX_init(&mdCtx); - ExpectIntEQ(wolfSSL_EVP_DigestSignInit(&mdCtx, NULL, type, NULL, key), 1); - ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData, 4), 1); - checkSz = sizeof(check); - ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, NULL, &checkSz), 1); - ExpectIntEQ((int)checkSz, (int)testResultSz); - checkSz = sizeof(check); - ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); - ExpectIntEQ((int)checkSz,(int)testResultSz); - ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData + 4, - (unsigned int)testDataSz - 4), 1); - checkSz = sizeof(check); - ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); - ExpectIntEQ((int)checkSz,(int)testResultSz); - ExpectIntEQ(XMEMCMP(testResult, check, testResultSz), 0); - - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyInit(&mdCtx, NULL, type, NULL, key), 1); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData, 4), 1); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData + 4, - (unsigned int)testDataSz - 4), 1); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyFinal(&mdCtx, testResult, checkSz), 1); - - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); - - wolfSSL_EVP_PKEY_free(key); - - return EXPECT_RESULT(); -} -#endif - -static int test_wolfSSL_EVP_MD_hmac_signing(void) -{ - EXPECT_DECLS; -#ifdef OPENSSL_EXTRA - static const unsigned char testKey[] = - { - 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, - 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, - 0x0b, 0x0b, 0x0b, 0x0b - }; - static const char testData[] = "Hi There"; -#ifdef WOLFSSL_SHA224 - static const unsigned char testResultSha224[] = - { - 0x89, 0x6f, 0xb1, 0x12, 0x8a, 0xbb, 0xdf, 0x19, - 0x68, 0x32, 0x10, 0x7c, 0xd4, 0x9d, 0xf3, 0x3f, - 0x47, 0xb4, 0xb1, 0x16, 0x99, 0x12, 0xba, 0x4f, - 0x53, 0x68, 0x4b, 0x22 - }; -#endif -#ifndef NO_SHA256 - static const unsigned char testResultSha256[] = - { - 0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, - 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, - 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, - 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7 - }; -#endif -#ifdef WOLFSSL_SHA384 - static const unsigned char testResultSha384[] = - { - 0xaf, 0xd0, 0x39, 0x44, 0xd8, 0x48, 0x95, 0x62, - 0x6b, 0x08, 0x25, 0xf4, 0xab, 0x46, 0x90, 0x7f, - 0x15, 0xf9, 0xda, 0xdb, 0xe4, 0x10, 0x1e, 0xc6, - 0x82, 0xaa, 0x03, 0x4c, 0x7c, 0xeb, 0xc5, 0x9c, - 0xfa, 0xea, 0x9e, 0xa9, 0x07, 0x6e, 0xde, 0x7f, - 0x4a, 0xf1, 0x52, 0xe8, 0xb2, 0xfa, 0x9c, 0xb6 - }; -#endif -#ifdef WOLFSSL_SHA512 - static const unsigned char testResultSha512[] = - { - 0x87, 0xaa, 0x7c, 0xde, 0xa5, 0xef, 0x61, 0x9d, - 0x4f, 0xf0, 0xb4, 0x24, 0x1a, 0x1d, 0x6c, 0xb0, - 0x23, 0x79, 0xf4, 0xe2, 0xce, 0x4e, 0xc2, 0x78, - 0x7a, 0xd0, 0xb3, 0x05, 0x45, 0xe1, 0x7c, 0xde, - 0xda, 0xa8, 0x33, 0xb7, 0xd6, 0xb8, 0xa7, 0x02, - 0x03, 0x8b, 0x27, 0x4e, 0xae, 0xa3, 0xf4, 0xe4, - 0xbe, 0x9d, 0x91, 0x4e, 0xeb, 0x61, 0xf1, 0x70, - 0x2e, 0x69, 0x6c, 0x20, 0x3a, 0x12, 0x68, 0x54 - }; -#endif -#ifdef WOLFSSL_SHA3 - #ifndef WOLFSSL_NOSHA3_224 - static const unsigned char testResultSha3_224[] = - { - 0x3b, 0x16, 0x54, 0x6b, 0xbc, 0x7b, 0xe2, 0x70, - 0x6a, 0x03, 0x1d, 0xca, 0xfd, 0x56, 0x37, 0x3d, - 0x98, 0x84, 0x36, 0x76, 0x41, 0xd8, 0xc5, 0x9a, - 0xf3, 0xc8, 0x60, 0xf7 - }; - #endif - #ifndef WOLFSSL_NOSHA3_256 - static const unsigned char testResultSha3_256[] = - { - 0xba, 0x85, 0x19, 0x23, 0x10, 0xdf, 0xfa, 0x96, - 0xe2, 0xa3, 0xa4, 0x0e, 0x69, 0x77, 0x43, 0x51, - 0x14, 0x0b, 0xb7, 0x18, 0x5e, 0x12, 0x02, 0xcd, - 0xcc, 0x91, 0x75, 0x89, 0xf9, 0x5e, 0x16, 0xbb - }; - #endif - #ifndef WOLFSSL_NOSHA3_384 - static const unsigned char testResultSha3_384[] = - { - 0x68, 0xd2, 0xdc, 0xf7, 0xfd, 0x4d, 0xdd, 0x0a, - 0x22, 0x40, 0xc8, 0xa4, 0x37, 0x30, 0x5f, 0x61, - 0xfb, 0x73, 0x34, 0xcf, 0xb5, 0xd0, 0x22, 0x6e, - 0x1b, 0xc2, 0x7d, 0xc1, 0x0a, 0x2e, 0x72, 0x3a, - 0x20, 0xd3, 0x70, 0xb4, 0x77, 0x43, 0x13, 0x0e, - 0x26, 0xac, 0x7e, 0x3d, 0x53, 0x28, 0x86, 0xbd - }; - #endif - #ifndef WOLFSSL_NOSHA3_512 - static const unsigned char testResultSha3_512[] = - { - 0xeb, 0x3f, 0xbd, 0x4b, 0x2e, 0xaa, 0xb8, 0xf5, - 0xc5, 0x04, 0xbd, 0x3a, 0x41, 0x46, 0x5a, 0xac, - 0xec, 0x15, 0x77, 0x0a, 0x7c, 0xab, 0xac, 0x53, - 0x1e, 0x48, 0x2f, 0x86, 0x0b, 0x5e, 0xc7, 0xba, - 0x47, 0xcc, 0xb2, 0xc6, 0xf2, 0xaf, 0xce, 0x8f, - 0x88, 0xd2, 0x2b, 0x6d, 0xc6, 0x13, 0x80, 0xf2, - 0x3a, 0x66, 0x8f, 0xd3, 0x88, 0x8b, 0xb8, 0x05, - 0x37, 0xc0, 0xa0, 0xb8, 0x64, 0x07, 0x68, 0x9e - }; - #endif -#endif - -#ifndef NO_SHA256 - ExpectIntEQ(test_hmac_signing(wolfSSL_EVP_sha256(), testKey, - sizeof(testKey), testData, XSTRLEN(testData), testResultSha256, - sizeof(testResultSha256)), TEST_SUCCESS); -#endif -#ifdef WOLFSSL_SHA224 - ExpectIntEQ(test_hmac_signing(wolfSSL_EVP_sha224(), testKey, - sizeof(testKey), testData, XSTRLEN(testData), testResultSha224, - sizeof(testResultSha224)), TEST_SUCCESS); -#endif -#ifdef WOLFSSL_SHA384 - ExpectIntEQ(test_hmac_signing(wolfSSL_EVP_sha384(), testKey, - sizeof(testKey), testData, XSTRLEN(testData), testResultSha384, - sizeof(testResultSha384)), TEST_SUCCESS); -#endif -#ifdef WOLFSSL_SHA512 - ExpectIntEQ(test_hmac_signing(wolfSSL_EVP_sha512(), testKey, - sizeof(testKey), testData, XSTRLEN(testData), testResultSha512, - sizeof(testResultSha512)), TEST_SUCCESS); -#endif -#ifdef WOLFSSL_SHA3 - #ifndef WOLFSSL_NOSHA3_224 - ExpectIntEQ(test_hmac_signing(wolfSSL_EVP_sha3_224(), testKey, - sizeof(testKey), testData, XSTRLEN(testData), testResultSha3_224, - sizeof(testResultSha3_224)), TEST_SUCCESS); - #endif - #ifndef WOLFSSL_NOSHA3_256 - ExpectIntEQ(test_hmac_signing(wolfSSL_EVP_sha3_256(), testKey, - sizeof(testKey), testData, XSTRLEN(testData), testResultSha3_256, - sizeof(testResultSha3_256)), TEST_SUCCESS); - #endif - #ifndef WOLFSSL_NOSHA3_384 - ExpectIntEQ(test_hmac_signing(wolfSSL_EVP_sha3_384(), testKey, - sizeof(testKey), testData, XSTRLEN(testData), testResultSha3_384, - sizeof(testResultSha3_384)), TEST_SUCCESS); - #endif - #ifndef WOLFSSL_NOSHA3_512 - ExpectIntEQ(test_hmac_signing(wolfSSL_EVP_sha3_512(), testKey, - sizeof(testKey), testData, XSTRLEN(testData), testResultSha3_512, - sizeof(testResultSha3_512)), TEST_SUCCESS); - #endif -#endif -#endif /* OPENSSL_EXTRA */ - return EXPECT_RESULT(); -} - - -static int test_wolfSSL_EVP_MD_rsa_signing(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && defined(USE_CERT_BUFFERS_2048) - WOLFSSL_EVP_PKEY* privKey = NULL; - WOLFSSL_EVP_PKEY* pubKey = NULL; - WOLFSSL_EVP_PKEY_CTX* keyCtx = NULL; - const char testData[] = "Hi There"; - WOLFSSL_EVP_MD_CTX mdCtx; - WOLFSSL_EVP_MD_CTX mdCtxCopy; - int ret; - size_t checkSz = -1; - int sz = 2048 / 8; - const unsigned char* cp; - const unsigned char* p; - unsigned char check[2048/8]; - size_t i; - int paddings[] = { - RSA_PKCS1_PADDING, -#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && defined(WC_RSA_PSS) - RSA_PKCS1_PSS_PADDING, -#endif - }; - - - cp = client_key_der_2048; - ExpectNotNull((privKey = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL, &cp, - sizeof_client_key_der_2048))); - p = client_keypub_der_2048; - ExpectNotNull((pubKey = wolfSSL_d2i_PUBKEY(NULL, &p, - sizeof_client_keypub_der_2048))); - - wolfSSL_EVP_MD_CTX_init(&mdCtx); - wolfSSL_EVP_MD_CTX_init(&mdCtxCopy); - ExpectIntEQ(wolfSSL_EVP_DigestSignInit(&mdCtx, NULL, wolfSSL_EVP_sha256(), - NULL, privKey), 1); - ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData, - (unsigned int)XSTRLEN(testData)), 1); - checkSz = sizeof(check); - ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, NULL, &checkSz), 1); - ExpectIntEQ((int)checkSz, sz); - checkSz = sizeof(check); - ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); - ExpectIntEQ((int)checkSz,sz); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_copy_ex(&mdCtxCopy, &mdCtx), 1); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_copy_ex(&mdCtxCopy, &mdCtx), 1); - ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtxCopy); - ExpectIntEQ(ret, 1); - ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); - ExpectIntEQ(ret, 1); - - wolfSSL_EVP_MD_CTX_init(&mdCtx); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyInit(&mdCtx, NULL, wolfSSL_EVP_sha256(), - NULL, pubKey), 1); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData, - (unsigned int)XSTRLEN(testData)), - 1); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyFinal(&mdCtx, check, checkSz), 1); - ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); - ExpectIntEQ(ret, 1); - - wolfSSL_EVP_MD_CTX_init(&mdCtx); - ExpectIntEQ(wolfSSL_EVP_DigestSignInit(&mdCtx, NULL, wolfSSL_EVP_sha256(), - NULL, privKey), 1); - ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData, 4), 1); - checkSz = sizeof(check); - ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, NULL, &checkSz), 1); - ExpectIntEQ((int)checkSz, sz); - checkSz = sizeof(check); - ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); - ExpectIntEQ((int)checkSz, sz); - ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData + 4, - (unsigned int)XSTRLEN(testData) - 4), 1); - checkSz = sizeof(check); - ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); - ExpectIntEQ((int)checkSz, sz); - ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); - ExpectIntEQ(ret, 1); - - wolfSSL_EVP_MD_CTX_init(&mdCtx); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyInit(&mdCtx, NULL, wolfSSL_EVP_sha256(), - NULL, pubKey), 1); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData, 4), 1); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData + 4, - (unsigned int)XSTRLEN(testData) - 4), - 1); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyFinal(&mdCtx, check, checkSz), 1); - ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); - ExpectIntEQ(ret, 1); - - /* Check all signing padding types */ - for (i = 0; i < sizeof(paddings)/sizeof(int); i++) { - wolfSSL_EVP_MD_CTX_init(&mdCtx); - ExpectIntEQ(wolfSSL_EVP_DigestSignInit(&mdCtx, &keyCtx, - wolfSSL_EVP_sha256(), NULL, privKey), 1); - ExpectIntEQ(wolfSSL_EVP_PKEY_CTX_set_rsa_padding(keyCtx, - paddings[i]), 1); - ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData, - (unsigned int)XSTRLEN(testData)), 1); - checkSz = sizeof(check); - ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, NULL, &checkSz), 1); - ExpectIntEQ((int)checkSz, sz); - checkSz = sizeof(check); - ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); - ExpectIntEQ((int)checkSz,sz); - ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); - ExpectIntEQ(ret, 1); - - wolfSSL_EVP_MD_CTX_init(&mdCtx); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyInit(&mdCtx, &keyCtx, - wolfSSL_EVP_sha256(), NULL, pubKey), 1); - ExpectIntEQ(wolfSSL_EVP_PKEY_CTX_set_rsa_padding(keyCtx, - paddings[i]), 1); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData, - (unsigned int)XSTRLEN(testData)), 1); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyFinal(&mdCtx, check, checkSz), 1); - ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); - ExpectIntEQ(ret, 1); - } - - wolfSSL_EVP_PKEY_free(pubKey); - wolfSSL_EVP_PKEY_free(privKey); -#endif - return EXPECT_RESULT(); -} - - -static int test_wolfSSL_EVP_MD_ecc_signing(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && defined(HAVE_ECC) && defined(USE_CERT_BUFFERS_256) - WOLFSSL_EVP_PKEY* privKey = NULL; - WOLFSSL_EVP_PKEY* pubKey = NULL; - const char testData[] = "Hi There"; - WOLFSSL_EVP_MD_CTX mdCtx; - int ret; - const unsigned char* cp; - const unsigned char* p; - unsigned char check[2048/8]; - size_t checkSz = sizeof(check); - - XMEMSET(check, 0, sizeof(check)); - - cp = ecc_clikey_der_256; - ExpectNotNull(privKey = wolfSSL_d2i_PrivateKey(EVP_PKEY_EC, NULL, &cp, - sizeof_ecc_clikey_der_256)); - p = ecc_clikeypub_der_256; - ExpectNotNull((pubKey = wolfSSL_d2i_PUBKEY(NULL, &p, - sizeof_ecc_clikeypub_der_256))); - - wolfSSL_EVP_MD_CTX_init(&mdCtx); - ExpectIntEQ(wolfSSL_EVP_DigestSignInit(&mdCtx, NULL, wolfSSL_EVP_sha256(), - NULL, privKey), 1); - ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData, - (unsigned int)XSTRLEN(testData)), 1); - checkSz = sizeof(check); - ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, NULL, &checkSz), 1); - checkSz = sizeof(check); - ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); - ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); - ExpectIntEQ(ret, 1); - - wolfSSL_EVP_MD_CTX_init(&mdCtx); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyInit(&mdCtx, NULL, wolfSSL_EVP_sha256(), - NULL, pubKey), 1); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData, - (unsigned int)XSTRLEN(testData)), - 1); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyFinal(&mdCtx, check, checkSz), 1); - ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); - ExpectIntEQ(ret, 1); - - wolfSSL_EVP_MD_CTX_init(&mdCtx); - ExpectIntEQ(wolfSSL_EVP_DigestSignInit(&mdCtx, NULL, wolfSSL_EVP_sha256(), - NULL, privKey), 1); - ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData, 4), 1); - checkSz = sizeof(check); - ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, NULL, &checkSz), 1); - checkSz = sizeof(check); - ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); - ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData + 4, - (unsigned int)XSTRLEN(testData) - 4), 1); - checkSz = sizeof(check); - ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); - ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); - ExpectIntEQ(ret, 1); - - wolfSSL_EVP_MD_CTX_init(&mdCtx); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyInit(&mdCtx, NULL, wolfSSL_EVP_sha256(), - NULL, pubKey), 1); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData, 4), 1); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData + 4, - (unsigned int)XSTRLEN(testData) - 4), - 1); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyFinal(&mdCtx, check, checkSz), 1); - ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); - ExpectIntEQ(ret, 1); - - wolfSSL_EVP_PKEY_free(pubKey); - wolfSSL_EVP_PKEY_free(privKey); -#endif - return EXPECT_RESULT(); -} - - static int test_wolfSSL_CTX_add_extra_chain_cert(void) { EXPECT_DECLS; @@ -17093,80 +12866,6 @@ static int test_wolfSSL_ERR_peek_last_error_line(void) } #endif /* !NO_WOLFSSL_CLIENT && !NO_WOLFSSL_SERVER */ -static int test_wolfSSL_PKCS7_certs(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_ALL) && !defined(NO_CERTS) && !defined(NO_BIO) && \ - !defined(NO_FILESYSTEM) && !defined(NO_RSA) && defined(HAVE_PKCS7) - STACK_OF(X509)* sk = NULL; - STACK_OF(X509_INFO)* info_sk = NULL; - PKCS7 *p7 = NULL; - BIO* bio = NULL; - const byte* p = NULL; - int buflen = 0; - int i; - - /* Test twice. Once with d2i and once without to test - * that everything is free'd correctly. */ - for (i = 0; i < 2; i++) { - ExpectNotNull(p7 = PKCS7_new()); - if (p7 != NULL) { - p7->version = 1; - #ifdef NO_SHA - p7->hashOID = SHA256h; - #else - p7->hashOID = SHAh; - #endif - } - ExpectNotNull(bio = BIO_new(BIO_s_file())); - ExpectIntGT(BIO_read_filename(bio, svrCertFile), 0); - ExpectNotNull(info_sk = PEM_X509_INFO_read_bio(bio, NULL, NULL, NULL)); - ExpectIntEQ(sk_X509_INFO_num(info_sk), 2); - ExpectNotNull(sk = sk_X509_new_null()); - while (EXPECT_SUCCESS() && (sk_X509_INFO_num(info_sk) > 0)) { - X509_INFO* info = NULL; - ExpectNotNull(info = sk_X509_INFO_shift(info_sk)); - if (EXPECT_SUCCESS() && info != NULL) { - ExpectIntGT(sk_X509_push(sk, info->x509), 0); - info->x509 = NULL; - } - X509_INFO_free(info); - } - sk_X509_INFO_pop_free(info_sk, X509_INFO_free); - info_sk = NULL; - BIO_free(bio); - bio = NULL; - ExpectNotNull(bio = BIO_new(BIO_s_mem())); - ExpectIntEQ(wolfSSL_PKCS7_encode_certs(p7, sk, bio), 1); - if ((sk != NULL) && ((p7 == NULL) || (bio == NULL))) { - sk_X509_pop_free(sk, X509_free); - } - sk = NULL; - ExpectIntGT((buflen = BIO_get_mem_data(bio, &p)), 0); - - if (i == 0) { - PKCS7_free(p7); - p7 = NULL; - ExpectNotNull(d2i_PKCS7(&p7, &p, buflen)); - if (p7 != NULL) { - /* Reset certs to force wolfSSL_PKCS7_to_stack to regenerate - * them */ - ((WOLFSSL_PKCS7*)p7)->certs = NULL; - } - /* PKCS7_free free's the certs */ - ExpectNotNull(wolfSSL_PKCS7_to_stack(p7)); - } - - BIO_free(bio); - bio = NULL; - PKCS7_free(p7); - p7 = NULL; - } -#endif /* defined(OPENSSL_ALL) && !defined(NO_CERTS) && \ - !defined(NO_FILESYSTEM) && !defined(NO_RSA) && defined(HAVE_PKCS7) */ - return EXPECT_RESULT(); -} - static int test_wolfSSL_CTX_get0_set1_param(void) { EXPECT_DECLS; @@ -18839,289 +14538,6 @@ static int test_wolfSSL_set_tlsext_status_type(void) return EXPECT_RESULT(); } -#ifndef NO_BIO - -#if defined(OPENSSL_EXTRA) -static long bioCallback(BIO *bio, int cmd, const char* argp, int argi, - long argl, long ret) -{ - (void)bio; - (void)cmd; - (void)argp; - (void)argi; - (void)argl; - return ret; -} -#endif - - -static int test_wolfSSL_BIO(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) - const unsigned char* p = NULL; - byte buff[20]; - BIO* bio1 = NULL; - BIO* bio2 = NULL; - BIO* bio3 = NULL; - char* bufPt = NULL; - int i; - - for (i = 0; i < 20; i++) { - buff[i] = i; - } - /* test BIO_free with NULL */ - ExpectIntEQ(BIO_free(NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - - /* Creating and testing type BIO_s_bio */ - ExpectNotNull(bio1 = BIO_new(BIO_s_bio())); - ExpectNotNull(bio2 = BIO_new(BIO_s_bio())); - ExpectNotNull(bio3 = BIO_new(BIO_s_bio())); - - /* read/write before set up */ - ExpectIntEQ(BIO_read(bio1, buff, 2), WOLFSSL_BIO_UNSET); - ExpectIntEQ(BIO_write(bio1, buff, 2), WOLFSSL_BIO_UNSET); - - ExpectIntEQ(BIO_set_nbio(bio1, 1), 1); - ExpectIntEQ(BIO_set_write_buf_size(bio1, 20), WOLFSSL_SUCCESS); - ExpectIntEQ(BIO_set_write_buf_size(bio2, 8), WOLFSSL_SUCCESS); - ExpectIntEQ(BIO_make_bio_pair(bio1, bio2), WOLFSSL_SUCCESS); - - ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 10), 10); - ExpectNotNull(XMEMCPY(bufPt, buff, 10)); - ExpectIntEQ(BIO_write(bio1, buff + 10, 10), 10); - /* write buffer full */ - ExpectIntEQ(BIO_write(bio1, buff, 10), WOLFSSL_BIO_ERROR); - ExpectIntEQ(BIO_flush(bio1), WOLFSSL_SUCCESS); - ExpectIntEQ((int)BIO_ctrl_pending(bio1), 0); - - /* write the other direction with pair */ - ExpectIntEQ((int)BIO_nwrite(bio2, &bufPt, 10), 8); - ExpectNotNull(XMEMCPY(bufPt, buff, 8)); - ExpectIntEQ(BIO_write(bio2, buff, 10), WOLFSSL_BIO_ERROR); - - /* try read */ - ExpectIntEQ((int)BIO_ctrl_pending(bio1), 8); - ExpectIntEQ((int)BIO_ctrl_pending(bio2), 20); - - /* try read using ctrl function */ - ExpectIntEQ((int)BIO_ctrl(bio1, BIO_CTRL_WPENDING, 0, NULL), 8); - ExpectIntEQ((int)BIO_ctrl(bio1, BIO_CTRL_PENDING, 0, NULL), 8); - ExpectIntEQ((int)BIO_ctrl(bio2, BIO_CTRL_WPENDING, 0, NULL), 20); - ExpectIntEQ((int)BIO_ctrl(bio2, BIO_CTRL_PENDING, 0, NULL), 20); - - ExpectIntEQ(BIO_nread(bio2, &bufPt, (int)BIO_ctrl_pending(bio2)), 20); - for (i = 0; i < 20; i++) { - ExpectIntEQ((int)bufPt[i], i); - } - ExpectIntEQ(BIO_nread(bio2, &bufPt, 1), 0); - ExpectIntEQ(BIO_nread(bio1, &bufPt, (int)BIO_ctrl_pending(bio1)), 8); - for (i = 0; i < 8; i++) { - ExpectIntEQ((int)bufPt[i], i); - } - ExpectIntEQ(BIO_nread(bio1, &bufPt, 1), 0); - ExpectIntEQ(BIO_ctrl_reset_read_request(bio1), 1); - - /* new pair */ - ExpectIntEQ(BIO_make_bio_pair(bio1, bio3), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - BIO_free(bio2); /* free bio2 and automatically remove from pair */ - bio2 = NULL; - ExpectIntEQ(BIO_make_bio_pair(bio1, bio3), WOLFSSL_SUCCESS); - ExpectIntEQ((int)BIO_ctrl_pending(bio3), 0); - ExpectIntEQ(BIO_nread(bio3, &bufPt, 10), 0); - - /* test wrap around... */ - ExpectIntEQ(BIO_reset(bio1), 1); - ExpectIntEQ(BIO_reset(bio3), 1); - - /* fill write buffer, read only small amount then write again */ - ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 20), 20); - ExpectNotNull(XMEMCPY(bufPt, buff, 20)); - ExpectIntEQ(BIO_nread(bio3, &bufPt, 4), 4); - for (i = 0; i < 4; i++) { - ExpectIntEQ(bufPt[i], i); - } - - /* try writing over read index */ - ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 5), 4); - ExpectNotNull(XMEMSET(bufPt, 0, 4)); - ExpectIntEQ((int)BIO_ctrl_pending(bio3), 20); - - /* read and write 0 bytes */ - ExpectIntEQ(BIO_nread(bio3, &bufPt, 0), 0); - ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 0), 0); - - /* should read only to end of write buffer then need to read again */ - ExpectIntEQ(BIO_nread(bio3, &bufPt, 20), 16); - for (i = 0; i < 16; i++) { - ExpectIntEQ(bufPt[i], buff[4 + i]); - } - - ExpectIntEQ(BIO_nread(bio3, NULL, 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(BIO_nread0(bio3, &bufPt), 4); - for (i = 0; i < 4; i++) { - ExpectIntEQ(bufPt[i], 0); - } - - /* read index should not have advanced with nread0 */ - ExpectIntEQ(BIO_nread(bio3, &bufPt, 5), 4); - for (i = 0; i < 4; i++) { - ExpectIntEQ(bufPt[i], 0); - } - - /* write and fill up buffer checking reset of index state */ - ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 20), 20); - ExpectNotNull(XMEMCPY(bufPt, buff, 20)); - - /* test reset on data in bio1 write buffer */ - ExpectIntEQ(BIO_reset(bio1), 1); - ExpectIntEQ((int)BIO_ctrl_pending(bio3), 0); - ExpectIntEQ(BIO_nread(bio3, &bufPt, 3), 0); - ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 20), 20); - ExpectIntEQ((int)BIO_ctrl(bio1, BIO_CTRL_INFO, 0, &p), 20); - ExpectNotNull(p); - ExpectNotNull(XMEMCPY(bufPt, buff, 20)); - ExpectIntEQ(BIO_nread(bio3, &bufPt, 6), 6); - for (i = 0; i < 6; i++) { - ExpectIntEQ(bufPt[i], i); - } - - /* test case of writing twice with offset read index */ - ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 3), 3); - ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 4), 3); /* try overwriting */ - ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 4), WOLFSSL_BIO_ERROR); - ExpectIntEQ(BIO_nread(bio3, &bufPt, 0), 0); - ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 4), WOLFSSL_BIO_ERROR); - ExpectIntEQ(BIO_nread(bio3, &bufPt, 1), 1); - ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 4), 1); - ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 4), WOLFSSL_BIO_ERROR); - - BIO_free(bio1); - bio1 = NULL; - BIO_free(bio3); - bio3 = NULL; - - #if defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO) - { - BIO* bioA = NULL; - BIO* bioB = NULL; - ExpectIntEQ(BIO_new_bio_pair(NULL, 256, NULL, 256), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(BIO_new_bio_pair(&bioA, 256, &bioB, 256), WOLFSSL_SUCCESS); - BIO_free(bioA); - bioA = NULL; - BIO_free(bioB); - bioB = NULL; - } - #endif /* OPENSSL_ALL || WOLFSSL_ASIO */ - - /* BIOs with file pointers */ - #if !defined(NO_FILESYSTEM) - { - XFILE f1 = XBADFILE; - XFILE f2 = XBADFILE; - BIO* f_bio1 = NULL; - BIO* f_bio2 = NULL; - unsigned char cert[300]; - char testFile[] = "tests/bio_write_test.txt"; - char msg[] = "bio_write_test.txt contains the first 300 bytes of certs/server-cert.pem\ncreated by tests/unit.test\n\n"; - - ExpectNotNull(f_bio1 = BIO_new(BIO_s_file())); - ExpectNotNull(f_bio2 = BIO_new(BIO_s_file())); - - /* Failure due to wrong BIO type */ - ExpectIntEQ((int)BIO_set_mem_eof_return(f_bio1, -1), 0); - ExpectIntEQ((int)BIO_set_mem_eof_return(NULL, -1), 0); - - ExpectTrue((f1 = XFOPEN(svrCertFile, "rb+")) != XBADFILE); - ExpectIntEQ((int)BIO_set_fp(f_bio1, f1, BIO_CLOSE), WOLFSSL_SUCCESS); - ExpectIntEQ(BIO_write_filename(f_bio2, testFile), - WOLFSSL_SUCCESS); - - ExpectIntEQ(BIO_read(f_bio1, cert, sizeof(cert)), sizeof(cert)); - ExpectIntEQ(BIO_tell(f_bio1),sizeof(cert)); - ExpectIntEQ(BIO_write(f_bio2, msg, sizeof(msg)), sizeof(msg)); - ExpectIntEQ(BIO_tell(f_bio2),sizeof(msg)); - ExpectIntEQ(BIO_write(f_bio2, cert, sizeof(cert)), sizeof(cert)); - ExpectIntEQ(BIO_tell(f_bio2),sizeof(cert) + sizeof(msg)); - - ExpectIntEQ((int)BIO_get_fp(f_bio2, &f2), WOLFSSL_SUCCESS); - ExpectIntEQ(BIO_reset(f_bio2), 1); - ExpectIntEQ(BIO_tell(NULL),-1); - ExpectIntEQ(BIO_tell(f_bio2),0); - ExpectIntEQ(BIO_seek(f_bio2, 4), 0); - ExpectIntEQ(BIO_tell(f_bio2),4); - - BIO_free(f_bio1); - f_bio1 = NULL; - BIO_free(f_bio2); - f_bio2 = NULL; - - ExpectNotNull(f_bio1 = BIO_new_file(svrCertFile, "rb+")); - ExpectIntEQ((int)BIO_set_mem_eof_return(f_bio1, -1), 0); - ExpectIntEQ(BIO_read(f_bio1, cert, sizeof(cert)), sizeof(cert)); - BIO_free(f_bio1); - f_bio1 = NULL; - } - #endif /* !defined(NO_FILESYSTEM) */ - - /* BIO info callback */ - { - const char* testArg = "test"; - BIO* cb_bio = NULL; - ExpectNotNull(cb_bio = BIO_new(BIO_s_mem())); - - BIO_set_callback(cb_bio, bioCallback); - ExpectNotNull(BIO_get_callback(cb_bio)); - BIO_set_callback(cb_bio, NULL); - ExpectNull(BIO_get_callback(cb_bio)); - - BIO_set_callback_arg(cb_bio, (char*)testArg); - ExpectStrEQ(BIO_get_callback_arg(cb_bio), testArg); - ExpectNull(BIO_get_callback_arg(NULL)); - - BIO_free(cb_bio); - cb_bio = NULL; - } - - /* BIO_vfree */ - ExpectNotNull(bio1 = BIO_new(BIO_s_bio())); - BIO_vfree(NULL); - BIO_vfree(bio1); -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_BIO_BIO_ring_read(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_ALL) - BIO* bio1 = NULL; - BIO* bio2 = NULL; - byte data[50]; - byte tmp[50]; - - XMEMSET(data, 42, sizeof(data)); - - - ExpectIntEQ(BIO_new_bio_pair(&bio1, sizeof(data), &bio2, sizeof(data)), - SSL_SUCCESS); - - ExpectIntEQ(BIO_write(bio1, data, 40), 40); - ExpectIntEQ(BIO_read(bio1, tmp, 20), -1); - ExpectIntEQ(BIO_read(bio2, tmp, 20), 20); - ExpectBufEQ(tmp, data, 20); - ExpectIntEQ(BIO_write(bio1, data, 20), 20); - ExpectIntEQ(BIO_read(bio2, tmp, 40), 40); - ExpectBufEQ(tmp, data, 40); - - BIO_free(bio1); - BIO_free(bio2); -#endif - return EXPECT_RESULT(); -} - -#endif /* !NO_BIO */ - static int test_wolfSSL_a2i_IPADDRESS(void) { @@ -19351,304 +14767,6 @@ static int test_wolfSSL_BUF(void) return EXPECT_RESULT(); } -#if defined(OPENSSL_EXTRA) && !defined(WOLFSSL_NO_OPENSSL_RAND_CB) -static int stub_rand_seed(const void *buf, int num) -{ - (void)buf; - (void)num; - - return 123; -} - -static int stub_rand_bytes(unsigned char *buf, int num) -{ - (void)buf; - (void)num; - - return 456; -} - -static byte* was_stub_rand_cleanup_called(void) -{ - static byte was_called = 0; - - return &was_called; -} - -static void stub_rand_cleanup(void) -{ - byte* was_called = was_stub_rand_cleanup_called(); - - *was_called = 1; - - return; -} - -static byte* was_stub_rand_add_called(void) -{ - static byte was_called = 0; - - return &was_called; -} - -static int stub_rand_add(const void *buf, int num, double entropy) -{ - byte* was_called = was_stub_rand_add_called(); - - (void)buf; - (void)num; - (void)entropy; - - *was_called = 1; - - return 0; -} - -static int stub_rand_pseudo_bytes(unsigned char *buf, int num) -{ - (void)buf; - (void)num; - - return 9876; -} - -static int stub_rand_status(void) -{ - return 5432; -} -#endif /* OPENSSL_EXTRA && !WOLFSSL_NO_OPENSSL_RAND_CB */ - -static int test_wolfSSL_RAND_set_rand_method(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(WOLFSSL_NO_OPENSSL_RAND_CB) - RAND_METHOD rand_methods = {NULL, NULL, NULL, NULL, NULL, NULL}; - unsigned char* buf = NULL; - int num = 0; - double entropy = 0; - int ret; - byte* was_cleanup_called = was_stub_rand_cleanup_called(); - byte* was_add_called = was_stub_rand_add_called(); - - ExpectNotNull(buf = (byte*)XMALLOC(32 * sizeof(byte), NULL, - DYNAMIC_TYPE_TMP_BUFFER)); - - ExpectIntNE(wolfSSL_RAND_status(), 5432); - ExpectIntEQ(*was_cleanup_called, 0); - RAND_cleanup(); - ExpectIntEQ(*was_cleanup_called, 0); - - - rand_methods.seed = &stub_rand_seed; - rand_methods.bytes = &stub_rand_bytes; - rand_methods.cleanup = &stub_rand_cleanup; - rand_methods.add = &stub_rand_add; - rand_methods.pseudorand = &stub_rand_pseudo_bytes; - rand_methods.status = &stub_rand_status; - - ExpectIntEQ(RAND_set_rand_method(&rand_methods), WOLFSSL_SUCCESS); - ExpectIntEQ(RAND_seed(buf, num), 123); - ExpectIntEQ(RAND_bytes(buf, num), 456); - ExpectIntEQ(RAND_pseudo_bytes(buf, num), 9876); - ExpectIntEQ(RAND_status(), 5432); - - ExpectIntEQ(*was_add_called, 0); - /* The function pointer for RAND_add returns int, but RAND_add itself - * returns void. */ - RAND_add(buf, num, entropy); - ExpectIntEQ(*was_add_called, 1); - was_add_called = 0; - ExpectIntEQ(*was_cleanup_called, 0); - RAND_cleanup(); - ExpectIntEQ(*was_cleanup_called, 1); - *was_cleanup_called = 0; - - - ret = RAND_set_rand_method(NULL); - ExpectIntEQ(ret, WOLFSSL_SUCCESS); - ExpectIntNE(RAND_status(), 5432); - ExpectIntEQ(*was_cleanup_called, 0); - RAND_cleanup(); - ExpectIntEQ(*was_cleanup_called, 0); - - RAND_set_rand_method(NULL); - - XFREE(buf, NULL, DYNAMIC_TYPE_TMP_BUFFER); -#endif /* OPENSSL_EXTRA && !WOLFSSL_NO_OPENSSL_RAND_CB */ - return EXPECT_RESULT(); -} - -static int test_wolfSSL_RAND_bytes(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) - const int size1 = RNG_MAX_BLOCK_LEN; /* in bytes */ - const int size2 = RNG_MAX_BLOCK_LEN + 1; /* in bytes */ - const int size3 = RNG_MAX_BLOCK_LEN * 2; /* in bytes */ - const int size4 = RNG_MAX_BLOCK_LEN * 4; /* in bytes */ - int max_bufsize; - byte *my_buf = NULL; -#if defined(OPENSSL_EXTRA) && defined(HAVE_GETPID) && !defined(__MINGW64__) && \ - !defined(__MINGW32__) - byte seed[16] = {0}; - byte randbuf[8] = {0}; - int pipefds[2] = {0}; - pid_t pid = 0; -#endif - - /* sanity check */ - ExpectIntEQ(RAND_bytes(NULL, 16), 0); - ExpectIntEQ(RAND_bytes(NULL, 0), 0); - - max_bufsize = size4; - - ExpectNotNull(my_buf = (byte*)XMALLOC(max_bufsize * sizeof(byte), HEAP_HINT, - DYNAMIC_TYPE_TMP_BUFFER)); - - ExpectIntEQ(RAND_bytes(my_buf, 0), 1); - ExpectIntEQ(RAND_bytes(my_buf, -1), 0); - - ExpectNotNull(XMEMSET(my_buf, 0, max_bufsize)); - ExpectIntEQ(RAND_bytes(my_buf, size1), 1); - ExpectIntEQ(RAND_bytes(my_buf, size2), 1); - ExpectIntEQ(RAND_bytes(my_buf, size3), 1); - ExpectIntEQ(RAND_bytes(my_buf, size4), 1); - XFREE(my_buf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - -#if defined(OPENSSL_EXTRA) && defined(HAVE_GETPID) && !defined(__MINGW64__) && \ - !defined(__MINGW32__) - XMEMSET(seed, 0, sizeof(seed)); - RAND_cleanup(); - - /* No global methods set. */ - ExpectIntEQ(RAND_seed(seed, sizeof(seed)), 1); - - ExpectIntEQ(pipe(pipefds), 0); - pid = fork(); - ExpectIntGE(pid, 0); - if (pid == 0) { - ssize_t n_written = 0; - - /* Child process. */ - close(pipefds[0]); - RAND_bytes(randbuf, sizeof(randbuf)); - n_written = write(pipefds[1], randbuf, sizeof(randbuf)); - close(pipefds[1]); - exit(n_written == sizeof(randbuf) ? 0 : 1); - } - else { - /* Parent process. */ - byte childrand[8] = {0}; - int waitstatus = 0; - - close(pipefds[1]); - ExpectIntEQ(RAND_bytes(randbuf, sizeof(randbuf)), 1); - ExpectIntEQ(read(pipefds[0], childrand, sizeof(childrand)), - sizeof(childrand)); - #ifdef WOLFSSL_NO_GETPID - ExpectBufEQ(randbuf, childrand, sizeof(randbuf)); - #else - ExpectBufNE(randbuf, childrand, sizeof(randbuf)); - #endif - close(pipefds[0]); - waitpid(pid, &waitstatus, 0); - } - RAND_cleanup(); -#endif -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_RAND(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) - byte seed[16]; - - XMEMSET(seed, 0, sizeof(seed)); - - /* No global methods set. */ - ExpectIntEQ(RAND_seed(seed, sizeof(seed)), 1); - ExpectIntEQ(RAND_poll(), 1); - RAND_cleanup(); - - ExpectIntEQ(RAND_egd(NULL), -1); -#ifndef NO_FILESYSTEM - { - char fname[100]; - - ExpectNotNull(RAND_file_name(fname, (sizeof(fname) - 1))); - ExpectIntEQ(RAND_write_file(NULL), 0); - } -#endif -#endif - return EXPECT_RESULT(); -} - - -#if defined(WC_RNG_SEED_CB) && defined(OPENSSL_EXTRA) -static int wc_DummyGenerateSeed(OS_Seed* os, byte* output, word32 sz) -{ - word32 i; - for (i = 0; i < sz; i++ ) - output[i] = (byte)i; - - (void)os; - - return 0; -} -#endif /* WC_RNG_SEED_CB */ - - -static int test_wolfSSL_RAND_poll(void) -{ - EXPECT_DECLS; - -#if defined(OPENSSL_EXTRA) - byte seed[16]; - byte rand1[16]; -#ifdef WC_RNG_SEED_CB - byte rand2[16]; -#endif - - XMEMSET(seed, 0, sizeof(seed)); - ExpectIntEQ(RAND_seed(seed, sizeof(seed)), 1); - ExpectIntEQ(RAND_poll(), 1); - ExpectIntEQ(RAND_bytes(rand1, 16), 1); - RAND_cleanup(); - -#ifdef WC_RNG_SEED_CB - /* Test with custom seed and poll */ - wc_SetSeed_Cb(wc_DummyGenerateSeed); - - ExpectIntEQ(RAND_seed(seed, sizeof(seed)), 1); - ExpectIntEQ(RAND_bytes(rand1, 16), 1); - RAND_cleanup(); - - /* test that the same value is generated twice with dummy seed function */ - ExpectIntEQ(RAND_seed(seed, sizeof(seed)), 1); - ExpectIntEQ(RAND_bytes(rand2, 16), 1); - ExpectIntEQ(XMEMCMP(rand1, rand2, 16), 0); - RAND_cleanup(); - - /* test that doing a poll is reseeding RNG */ - ExpectIntEQ(RAND_seed(seed, sizeof(seed)), 1); - ExpectIntEQ(RAND_poll(), 1); - ExpectIntEQ(RAND_bytes(rand2, 16), 1); - ExpectIntNE(XMEMCMP(rand1, rand2, 16), 0); - - /* reset the seed function used */ - wc_SetSeed_Cb(WC_GENERATE_SEED_DEFAULT); -#endif - RAND_cleanup(); - - ExpectIntEQ(RAND_egd(NULL), -1); -#endif - - return EXPECT_RESULT(); -} - - static int test_wolfSSL_PKCS8_Compat(void) { EXPECT_DECLS; @@ -20328,311 +15446,6 @@ static int test_wolfSSL_GetLoggingCb(void) #endif /* !NO_BIO */ -static int test_wolfSSL_OBJ(void) -{ -/* Password "wolfSSL test" is only 12 (96-bit) too short for testing in FIPS - * mode - */ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_SHA256) && !defined(NO_ASN) && \ - !defined(HAVE_FIPS) && !defined(NO_SHA) && defined(WOLFSSL_CERT_EXT) && \ - defined(WOLFSSL_CERT_GEN) && !defined(NO_BIO) && \ - !defined(NO_FILESYSTEM) && !defined(NO_STDIO_FILESYSTEM) - ASN1_OBJECT *obj = NULL; - ASN1_OBJECT *obj2 = NULL; - char buf[50]; - - XFILE fp = XBADFILE; - X509 *x509 = NULL; - X509_NAME *x509Name = NULL; - X509_NAME_ENTRY *x509NameEntry = NULL; - ASN1_OBJECT *asn1Name = NULL; - int numNames = 0; - BIO *bio = NULL; - int nid; - int i, j; - const char *f[] = { - #ifndef NO_RSA - "./certs/ca-cert.der", - #endif - #ifdef HAVE_ECC - "./certs/ca-ecc-cert.der", - "./certs/ca-ecc384-cert.der", - #endif - NULL}; - ASN1_OBJECT *field_name_obj = NULL; - int lastpos = -1; - int tmp = -1; - ASN1_STRING *asn1 = NULL; - unsigned char *buf_dyn = NULL; - - ExpectIntEQ(OBJ_obj2txt(buf, (int)sizeof(buf), obj, 1), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectNotNull(obj = OBJ_nid2obj(NID_any_policy)); - ExpectIntEQ(OBJ_obj2nid(obj), NID_any_policy); - ExpectIntEQ(OBJ_obj2txt(buf, (int)sizeof(buf), obj, 1), 11); - ExpectIntGT(OBJ_obj2txt(buf, (int)sizeof(buf), obj, 0), 0); - ASN1_OBJECT_free(obj); - obj = NULL; - - ExpectNotNull(obj = OBJ_nid2obj(NID_sha256)); - ExpectIntEQ(OBJ_obj2nid(obj), NID_sha256); - ExpectIntEQ(OBJ_obj2txt(buf, (int)sizeof(buf), obj, 1), 22); -#ifdef WOLFSSL_CERT_EXT - ExpectIntEQ(OBJ_txt2nid(buf), NID_sha256); -#endif - ExpectIntGT(OBJ_obj2txt(buf, (int)sizeof(buf), obj, 0), 0); - ExpectNotNull(obj2 = OBJ_dup(obj)); - ExpectIntEQ(OBJ_cmp(obj, obj2), 0); - ASN1_OBJECT_free(obj); - obj = NULL; - ASN1_OBJECT_free(obj2); - obj2 = NULL; - - for (i = 0; f[i] != NULL; i++) - { - ExpectTrue((fp = XFOPEN(f[i], "rb")) != XBADFILE); - ExpectNotNull(x509 = d2i_X509_fp(fp, NULL)); - if (fp != XBADFILE) { - XFCLOSE(fp); - fp = XBADFILE; - } - ExpectNotNull(x509Name = X509_get_issuer_name(x509)); - ExpectIntNE((numNames = X509_NAME_entry_count(x509Name)), 0); - - /* Get the Common Name by using OBJ_txt2obj */ - ExpectNotNull(field_name_obj = OBJ_txt2obj("CN", 0)); - ExpectIntEQ(X509_NAME_get_index_by_OBJ(NULL, NULL, 99), - WOLFSSL_FATAL_ERROR); - ExpectIntEQ(X509_NAME_get_index_by_OBJ(x509Name, NULL, 99), - WOLFSSL_FATAL_ERROR); - ExpectIntEQ(X509_NAME_get_index_by_OBJ(NULL, field_name_obj, 99), - WOLFSSL_FATAL_ERROR); - ExpectIntEQ(X509_NAME_get_index_by_OBJ(x509Name, field_name_obj, 99), - WOLFSSL_FATAL_ERROR); - ExpectIntEQ(X509_NAME_get_index_by_OBJ(x509Name, NULL, 0), - WOLFSSL_FATAL_ERROR); - do - { - lastpos = tmp; - tmp = X509_NAME_get_index_by_OBJ(x509Name, field_name_obj, lastpos); - } while (tmp > -1); - ExpectIntNE(lastpos, -1); - ASN1_OBJECT_free(field_name_obj); - field_name_obj = NULL; - ExpectNotNull(x509NameEntry = X509_NAME_get_entry(x509Name, lastpos)); - ExpectNotNull(asn1 = X509_NAME_ENTRY_get_data(x509NameEntry)); - ExpectIntGE(ASN1_STRING_to_UTF8(&buf_dyn, asn1), 0); - /* - * All Common Names should be www.wolfssl.com - * This makes testing easier as we can test for the expected value. - */ - ExpectStrEQ((char*)buf_dyn, "www.wolfssl.com"); - OPENSSL_free(buf_dyn); - buf_dyn = NULL; - bio = BIO_new(BIO_s_mem()); - ExpectTrue(bio != NULL); - for (j = 0; j < numNames; j++) - { - ExpectNotNull(x509NameEntry = X509_NAME_get_entry(x509Name, j)); - ExpectNotNull(asn1Name = X509_NAME_ENTRY_get_object(x509NameEntry)); - ExpectTrue((nid = OBJ_obj2nid(asn1Name)) > 0); - } - BIO_free(bio); - bio = NULL; - X509_free(x509); - x509 = NULL; - - } - -#ifdef HAVE_PKCS12 - { - PKCS12 *p12 = NULL; - int boolRet; - EVP_PKEY *pkey = NULL; - const char *p12_f[] = { - /* bundle uses AES-CBC 256 and PKCS7 key uses DES3 */ - #if !defined(NO_DES3) && defined(WOLFSSL_AES_256) && !defined(NO_RSA) - "./certs/test-servercert.p12", - #endif - NULL - }; - - for (i = 0; p12_f[i] != NULL; i++) - { - ExpectTrue((fp = XFOPEN(p12_f[i], "rb")) != XBADFILE); - ExpectNotNull(p12 = d2i_PKCS12_fp(fp, NULL)); - if (fp != XBADFILE) { - XFCLOSE(fp); - fp = XBADFILE; - } - ExpectTrue((boolRet = PKCS12_parse(p12, "wolfSSL test", - &pkey, &x509, NULL)) > 0); - wc_PKCS12_free(p12); - p12 = NULL; - EVP_PKEY_free(pkey); - x509Name = X509_get_issuer_name(x509); - ExpectNotNull(x509Name); - ExpectIntNE((numNames = X509_NAME_entry_count(x509Name)), 0); - ExpectTrue((bio = BIO_new(BIO_s_mem())) != NULL); - for (j = 0; j < numNames; j++) - { - ExpectNotNull(x509NameEntry = X509_NAME_get_entry(x509Name, j)); - ExpectNotNull(asn1Name = - X509_NAME_ENTRY_get_object(x509NameEntry)); - ExpectTrue((nid = OBJ_obj2nid(asn1Name)) > 0); - } - BIO_free(bio); - bio = NULL; - X509_free(x509); - x509 = NULL; - } - } -#endif /* HAVE_PKCS12 */ -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_OBJ_cmp(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_SHA256) - ASN1_OBJECT *obj = NULL; - ASN1_OBJECT *obj2 = NULL; - - ExpectNotNull(obj = OBJ_nid2obj(NID_any_policy)); - ExpectNotNull(obj2 = OBJ_nid2obj(NID_sha256)); - - ExpectIntEQ(OBJ_cmp(NULL, NULL), WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); - ExpectIntEQ(OBJ_cmp(obj, NULL), WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); - ExpectIntEQ(OBJ_cmp(NULL, obj2), WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); - ExpectIntEQ(OBJ_cmp(obj, obj2), WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); - ExpectIntEQ(OBJ_cmp(obj, obj), 0); - ExpectIntEQ(OBJ_cmp(obj2, obj2), 0); - - ASN1_OBJECT_free(obj); - ASN1_OBJECT_free(obj2); -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_OBJ_txt2nid(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \ - defined(WOLFSSL_APACHE_HTTPD) - int i; - static const struct { - const char* sn; - const char* ln; - const char* oid; - int nid; - } testVals[] = { -#ifdef WOLFSSL_APACHE_HTTPD - { "tlsfeature", "TLS Feature", "1.3.6.1.5.5.7.1.24", NID_tlsfeature }, - { "id-on-dnsSRV", "SRVName", "1.3.6.1.5.5.7.8.7", - NID_id_on_dnsSRV }, - { "msUPN", "Microsoft User Principal Name", - "1.3.6.1.4.1.311.20.2.3", NID_ms_upn }, -#endif - { NULL, NULL, NULL, NID_undef } - }; - - /* Invalid cases */ - ExpectIntEQ(OBJ_txt2nid(NULL), NID_undef); - ExpectIntEQ(OBJ_txt2nid("Bad name"), NID_undef); - - /* Valid cases */ - for (i = 0; testVals[i].sn != NULL; i++) { - ExpectIntEQ(OBJ_txt2nid(testVals[i].sn), testVals[i].nid); - ExpectIntEQ(OBJ_txt2nid(testVals[i].ln), testVals[i].nid); - ExpectIntEQ(OBJ_txt2nid(testVals[i].oid), testVals[i].nid); - } -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_OBJ_txt2obj(void) -{ - EXPECT_DECLS; -#if defined(WOLFSSL_APACHE_HTTPD) || (defined(OPENSSL_EXTRA) && \ - defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_CERT_GEN)) - int i; - char buf[50]; - ASN1_OBJECT* obj = NULL; - static const struct { - const char* oidStr; - const char* sn; - const char* ln; - } objs_list[] = { - #if defined(WOLFSSL_APACHE_HTTPD) - { "1.3.6.1.5.5.7.1.24", "tlsfeature", "TLS Feature" }, - { "1.3.6.1.5.5.7.8.7", "id-on-dnsSRV", "SRVName" }, - #endif - { "2.5.29.19", "basicConstraints", "X509v3 Basic Constraints"}, - { NULL, NULL, NULL } - }; - static const struct { - const char* numeric; - const char* name; - } objs_named[] = { - /* In dictionary but not in normal list. */ - { "1.3.6.1.5.5.7.3.8", "Time Stamping" }, - /* Made up OID. */ - { "1.3.5.7", "1.3.5.7" }, - { NULL, NULL } - }; - - ExpectNull(obj = OBJ_txt2obj("Bad name", 0)); - ASN1_OBJECT_free(obj); - obj = NULL; - ExpectNull(obj = OBJ_txt2obj(NULL, 0)); - ASN1_OBJECT_free(obj); - obj = NULL; - - for (i = 0; objs_list[i].oidStr != NULL; i++) { - /* Test numerical value of oid (oidStr) */ - ExpectNotNull(obj = OBJ_txt2obj(objs_list[i].oidStr, 1)); - /* Convert object back to text to confirm oid is correct */ - wolfSSL_OBJ_obj2txt(buf, (int)sizeof(buf), obj, 1); - ExpectIntEQ(XSTRNCMP(buf, objs_list[i].oidStr, (int)XSTRLEN(buf)), 0); - ASN1_OBJECT_free(obj); - obj = NULL; - XMEMSET(buf, 0, sizeof(buf)); - - /* Test short name (sn) */ - ExpectNull(obj = OBJ_txt2obj(objs_list[i].sn, 1)); - ExpectNotNull(obj = OBJ_txt2obj(objs_list[i].sn, 0)); - /* Convert object back to text to confirm oid is correct */ - wolfSSL_OBJ_obj2txt(buf, (int)sizeof(buf), obj, 1); - ExpectIntEQ(XSTRNCMP(buf, objs_list[i].oidStr, (int)XSTRLEN(buf)), 0); - ASN1_OBJECT_free(obj); - obj = NULL; - XMEMSET(buf, 0, sizeof(buf)); - - /* Test long name (ln) - should fail when no_name = 1 */ - ExpectNull(obj = OBJ_txt2obj(objs_list[i].ln, 1)); - ExpectNotNull(obj = OBJ_txt2obj(objs_list[i].ln, 0)); - /* Convert object back to text to confirm oid is correct */ - wolfSSL_OBJ_obj2txt(buf, (int)sizeof(buf), obj, 1); - ExpectIntEQ(XSTRNCMP(buf, objs_list[i].oidStr, (int)XSTRLEN(buf)), 0); - ASN1_OBJECT_free(obj); - obj = NULL; - XMEMSET(buf, 0, sizeof(buf)); - } - - for (i = 0; objs_named[i].numeric != NULL; i++) { - ExpectNotNull(obj = OBJ_txt2obj(objs_named[i].numeric, 1)); - wolfSSL_OBJ_obj2txt(buf, (int)sizeof(buf), obj, 0); - ExpectIntEQ(XSTRNCMP(buf, objs_named[i].name, (int)XSTRLEN(buf)), 0); - wolfSSL_OBJ_obj2txt(buf, (int)sizeof(buf), obj, 1); - ExpectIntEQ(XSTRNCMP(buf, objs_named[i].numeric, (int)XSTRLEN(buf)), 0); - ASN1_OBJECT_free(obj); - obj = NULL; - } -#endif - return EXPECT_RESULT(); -} - /* Note the lack of wolfSSL_ prefix...this is a compatibility layer test. */ static int test_GENERAL_NAME_set0_othername(void) { @@ -22701,248 +17514,6 @@ static int test_wolfSSL_msg_callback(void) return EXPECT_RESULT(); } -/* test_EVP_Cipher_extra, Extra-test on EVP_CipherUpdate/Final. see also test.c */ -#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)) &&\ - (!defined(NO_AES) && defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_128)) -static void binary_dump(void *ptr, int size) -{ - #ifdef WOLFSSL_EVP_PRINT - int i = 0; - unsigned char *p = (unsigned char *) ptr; - - fprintf(stderr, "{"); - while ((p != NULL) && (i < size)) { - if ((i % 8) == 0) { - fprintf(stderr, "\n"); - fprintf(stderr, " "); - } - fprintf(stderr, "0x%02x, ", p[i]); - i++; - } - fprintf(stderr, "\n};\n"); - #else - (void) ptr; - (void) size; - #endif -} - -static int last_val = 0x0f; - -static int check_result(unsigned char *data, int len) -{ - int i; - - for ( ; len; ) { - last_val = (last_val + 1) % 16; - for (i = 0; i < 16; len--, i++, data++) - if (*data != last_val) { - return -1; - } - } - return 0; -} - -static int r_offset; -static int w_offset; - -static void init_offset(void) -{ - r_offset = 0; - w_offset = 0; -} -static void get_record(unsigned char *data, unsigned char *buf, int len) -{ - XMEMCPY(buf, data+r_offset, len); - r_offset += len; -} - -static void set_record(unsigned char *data, unsigned char *buf, int len) -{ - XMEMCPY(data+w_offset, buf, len); - w_offset += len; -} - -static void set_plain(unsigned char *plain, int rec) -{ - int i, j; - unsigned char *p = plain; - - #define BLOCKSZ 16 - - for (i=0; i<(rec/BLOCKSZ); i++) { - for (j=0; j 0 && keylen != klen) { - ExpectIntNE(EVP_CIPHER_CTX_set_key_length(evp, keylen), 0); - } - ilen = EVP_CIPHER_CTX_iv_length(evp); - if (ilen > 0 && ivlen != ilen) { - ExpectIntNE(EVP_CIPHER_CTX_set_iv_length(evp, ivlen), 0); - } - - ExpectIntNE((ret = EVP_CipherInit(evp, NULL, key, iv, 1)), 0); - - for (j = 0; j 0) - set_record(cipher, outb, outl); - } - - for (i = 0; test_drive[i]; i++) { - last_val = 0x0f; - - ExpectIntNE((ret = EVP_CipherInit(evp, NULL, key, iv, 0)), 0); - - init_offset(); - - for (j = 0; test_drive[i][j]; j++) { - inl = test_drive[i][j]; - get_record(cipher, inb, inl); - - ExpectIntNE((ret = EVP_DecryptUpdate(evp, outb, &outl, inb, inl)), - 0); - - binary_dump(outb, outl); - ExpectIntEQ((ret = check_result(outb, outl)), 0); - ExpectFalse(outl > ((inl/16+1)*16) && outl > 16); - } - - ret = EVP_CipherFinal(evp, outb, &outl); - - binary_dump(outb, outl); - - ret = (((test_drive_len[i] % 16) != 0) && (ret == 0)) || - (((test_drive_len[i] % 16) == 0) && (ret == 1)); - ExpectTrue(ret); - } - - ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_cleanup(evp), WOLFSSL_SUCCESS); - - EVP_CIPHER_CTX_free(evp); - evp = NULL; - - /* Do an extra test to verify correct behavior with empty input. */ - - ExpectNotNull(evp = EVP_CIPHER_CTX_new()); - ExpectIntNE((ret = EVP_CipherInit(evp, type, NULL, iv, 0)), 0); - - ExpectIntEQ(EVP_CIPHER_CTX_nid(evp), NID_aes_128_cbc); - - klen = EVP_CIPHER_CTX_key_length(evp); - if (klen > 0 && keylen != klen) { - ExpectIntNE(EVP_CIPHER_CTX_set_key_length(evp, keylen), 0); - } - ilen = EVP_CIPHER_CTX_iv_length(evp); - if (ilen > 0 && ivlen != ilen) { - ExpectIntNE(EVP_CIPHER_CTX_set_iv_length(evp, ivlen), 0); - } - - ExpectIntNE((ret = EVP_CipherInit(evp, NULL, key, iv, 1)), 0); - - /* outl should be set to 0 after passing NULL, 0 for input args. */ - outl = -1; - ExpectIntNE((ret = EVP_CipherUpdate(evp, outb, &outl, NULL, 0)), 0); - ExpectIntEQ(outl, 0); - - EVP_CIPHER_CTX_free(evp); -#endif /* test_EVP_Cipher */ - return EXPECT_RESULT(); -} - static int test_wolfSSL_X509_SEP(void) { EXPECT_DECLS; @@ -23163,183 +17734,6 @@ static int test_wolfSSL_get_ciphers_compat(void) return EXPECT_RESULT(); } -static int test_wolfSSL_EVP_PKEY_set1_get1_DSA(void) -{ - EXPECT_DECLS; -#if !defined (NO_DSA) && !defined(HAVE_SELFTEST) && defined(WOLFSSL_KEY_GEN) - DSA *dsa = NULL; - DSA *setDsa = NULL; - EVP_PKEY *pkey = NULL; - EVP_PKEY *set1Pkey = NULL; - - SHA_CTX sha; - byte signature[DSA_SIG_SIZE]; - byte hash[WC_SHA_DIGEST_SIZE]; - word32 bytes; - int answer; -#ifdef USE_CERT_BUFFERS_1024 - const unsigned char* dsaKeyDer = dsa_key_der_1024; - int dsaKeySz = sizeof_dsa_key_der_1024; - byte tmp[ONEK_BUF]; - - XMEMSET(tmp, 0, sizeof(tmp)); - XMEMCPY(tmp, dsaKeyDer , dsaKeySz); - bytes = dsaKeySz; -#elif defined(USE_CERT_BUFFERS_2048) - const unsigned char* dsaKeyDer = dsa_key_der_2048; - int dsaKeySz = sizeof_dsa_key_der_2048; - byte tmp[TWOK_BUF]; - - XMEMSET(tmp, 0, sizeof(tmp)); - XMEMCPY(tmp, dsaKeyDer , dsaKeySz); - bytes = (word32)dsaKeySz; -#else - byte tmp[TWOK_BUF]; - const unsigned char* dsaKeyDer = (const unsigned char*)tmp; - int dsaKeySz; - XFILE fp = XBADFILE; - - XMEMSET(tmp, 0, sizeof(tmp)); - ExpectTrue((fp = XFOPEN("./certs/dsa2048.der", "rb")) != XBADFILE); - ExpectIntGT(dsaKeySz = bytes = (word32) XFREAD(tmp, 1, sizeof(tmp), fp), 0); - if (fp != XBADFILE) - XFCLOSE(fp); -#endif /* END USE_CERT_BUFFERS_1024 */ - - /* Create hash to later Sign and Verify */ - ExpectIntEQ(SHA1_Init(&sha), WOLFSSL_SUCCESS); - ExpectIntEQ(SHA1_Update(&sha, tmp, bytes), WOLFSSL_SUCCESS); - ExpectIntEQ(SHA1_Final(hash,&sha), WOLFSSL_SUCCESS); - - /* Initialize pkey with der format dsa key */ - ExpectNotNull(d2i_PrivateKey(EVP_PKEY_DSA, &pkey, &dsaKeyDer, - (long)dsaKeySz)); - - /* Test wolfSSL_EVP_PKEY_get1_DSA */ - /* Should Fail: NULL argument */ - ExpectNull(dsa = EVP_PKEY_get0_DSA(NULL)); - ExpectNull(dsa = EVP_PKEY_get1_DSA(NULL)); - /* Should Pass: Initialized pkey argument */ - ExpectNotNull(dsa = EVP_PKEY_get0_DSA(pkey)); - ExpectNotNull(dsa = EVP_PKEY_get1_DSA(pkey)); - -#ifdef USE_CERT_BUFFERS_1024 - ExpectIntEQ(DSA_bits(dsa), 1024); -#else - ExpectIntEQ(DSA_bits(dsa), 2048); -#endif - - /* Sign */ - ExpectIntEQ(wolfSSL_DSA_do_sign(hash, signature, dsa), WOLFSSL_SUCCESS); - /* Verify. */ - ExpectIntEQ(wolfSSL_DSA_do_verify(hash, signature, dsa, &answer), - WOLFSSL_SUCCESS); - - /* Test wolfSSL_EVP_PKEY_set1_DSA */ - /* Should Fail: set1Pkey not initialized */ - ExpectIntNE(EVP_PKEY_set1_DSA(set1Pkey, dsa), WOLFSSL_SUCCESS); - - /* Initialize set1Pkey */ - set1Pkey = EVP_PKEY_new(); - - /* Should Fail Verify: setDsa not initialized from set1Pkey */ - ExpectIntNE(wolfSSL_DSA_do_verify(hash,signature,setDsa,&answer), - WOLFSSL_SUCCESS); - - /* Should Pass: set dsa into set1Pkey */ - ExpectIntEQ(EVP_PKEY_set1_DSA(set1Pkey, dsa), WOLFSSL_SUCCESS); - - DSA_free(dsa); - DSA_free(setDsa); - EVP_PKEY_free(pkey); - EVP_PKEY_free(set1Pkey); -#endif /* !NO_DSA && !HAVE_SELFTEST && WOLFSSL_KEY_GEN */ - return EXPECT_RESULT(); -} /* END test_EVP_PKEY_set1_get1_DSA */ - -static int test_wolfSSL_EVP_PKEY_set1_get1_EC_KEY (void) -{ - EXPECT_DECLS; -#ifdef HAVE_ECC - WOLFSSL_EC_KEY* ecKey = NULL; - WOLFSSL_EC_KEY* ecGet1 = NULL; - EVP_PKEY* pkey = NULL; - - ExpectNotNull(ecKey = wolfSSL_EC_KEY_new()); - ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); - - /* Test wolfSSL_EVP_PKEY_set1_EC_KEY */ - ExpectIntEQ(wolfSSL_EVP_PKEY_set1_EC_KEY(NULL, ecKey), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_EVP_PKEY_set1_EC_KEY(pkey, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - /* Should fail since ecKey is empty */ - ExpectIntEQ(wolfSSL_EVP_PKEY_set1_EC_KEY(pkey, ecKey), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_EC_KEY_generate_key(ecKey), 1); - ExpectIntEQ(wolfSSL_EVP_PKEY_set1_EC_KEY(pkey, ecKey), WOLFSSL_SUCCESS); - - /* Test wolfSSL_EVP_PKEY_get1_EC_KEY */ - ExpectNull(wolfSSL_EVP_PKEY_get1_EC_KEY(NULL)); - ExpectNotNull(ecGet1 = wolfSSL_EVP_PKEY_get1_EC_KEY(pkey)); - - wolfSSL_EC_KEY_free(ecKey); - wolfSSL_EC_KEY_free(ecGet1); - EVP_PKEY_free(pkey); -#endif /* HAVE_ECC */ - return EXPECT_RESULT(); -} /* END test_EVP_PKEY_set1_get1_EC_KEY */ - -static int test_wolfSSL_EVP_PKEY_set1_get1_DH (void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) || defined(WOLFSSL_OPENSSH) -#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) -#if !defined(NO_DH) && defined(WOLFSSL_DH_EXTRA) && !defined(NO_FILESYSTEM) - DH *dh = NULL; - DH *setDh = NULL; - EVP_PKEY *pkey = NULL; - - XFILE f = XBADFILE; - unsigned char buf[4096]; - const unsigned char* pt = buf; - const char* dh2048 = "./certs/dh2048.der"; - long len = 0; - int code = -1; - - XMEMSET(buf, 0, sizeof(buf)); - - ExpectTrue((f = XFOPEN(dh2048, "rb")) != XBADFILE); - ExpectTrue((len = (long)XFREAD(buf, 1, sizeof(buf), f)) > 0); - if (f != XBADFILE) - XFCLOSE(f); - - /* Load dh2048.der into DH with internal format */ - ExpectNotNull(setDh = wolfSSL_d2i_DHparams(NULL, &pt, len)); - - ExpectIntEQ(wolfSSL_DH_check(setDh, &code), WOLFSSL_SUCCESS); - ExpectIntEQ(code, 0); - code = -1; - - ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); - - /* Set DH into PKEY */ - ExpectIntEQ(wolfSSL_EVP_PKEY_set1_DH(pkey, setDh), WOLFSSL_SUCCESS); - - /* Get DH from PKEY */ - ExpectNotNull(dh = wolfSSL_EVP_PKEY_get1_DH(pkey)); - - ExpectIntEQ(wolfSSL_DH_check(dh, &code), WOLFSSL_SUCCESS); - ExpectIntEQ(code, 0); - - EVP_PKEY_free(pkey); - DH_free(setDh); - setDh = NULL; - DH_free(dh); - dh = NULL; -#endif /* !NO_DH && WOLFSSL_DH_EXTRA && !NO_FILESYSTEM */ -#endif /* !HAVE_FIPS || HAVE_FIPS_VERSION > 2 */ -#endif /* OPENSSL_ALL || WOLFSSL_QT || WOLFSSL_OPENSSH */ - return EXPECT_RESULT(); -} /* END test_EVP_PKEY_set1_get1_DH */ - static int test_wolfSSL_CTX_ctrl(void) { EXPECT_DECLS; @@ -23515,1542 +17909,6 @@ static int test_wolfSSL_CTX_ctrl(void) return EXPECT_RESULT(); } -static int test_wolfSSL_EVP_PKEY_assign(void) -{ - EXPECT_DECLS; -#if !defined(NO_RSA) || !defined(NO_DSA) || defined(HAVE_ECC) - int type; - WOLFSSL_EVP_PKEY* pkey = NULL; -#ifndef NO_RSA - WOLFSSL_RSA* rsa = NULL; -#endif -#ifndef NO_DSA - WOLFSSL_DSA* dsa = NULL; -#endif -#ifdef HAVE_ECC - WOLFSSL_EC_KEY* ecKey = NULL; -#endif - -#ifndef NO_RSA - type = EVP_PKEY_RSA; - ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); - ExpectNotNull(rsa = wolfSSL_RSA_new()); - ExpectIntEQ(wolfSSL_EVP_PKEY_assign(NULL, type, rsa), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, type, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, -1, rsa), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, type, rsa), WOLFSSL_SUCCESS); - if (EXPECT_FAIL()) { - wolfSSL_RSA_free(rsa); - } - wolfSSL_EVP_PKEY_free(pkey); - pkey = NULL; -#endif /* NO_RSA */ - -#ifndef NO_DSA - type = EVP_PKEY_DSA; - ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); - ExpectNotNull(dsa = wolfSSL_DSA_new()); - ExpectIntEQ(wolfSSL_EVP_PKEY_assign(NULL, type, dsa), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, type, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, -1, dsa), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, type, dsa), WOLFSSL_SUCCESS); - if (EXPECT_FAIL()) { - wolfSSL_DSA_free(dsa); - } - wolfSSL_EVP_PKEY_free(pkey); - pkey = NULL; -#endif /* NO_DSA */ - -#ifdef HAVE_ECC - type = EVP_PKEY_EC; - ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); - ExpectNotNull(ecKey = wolfSSL_EC_KEY_new()); - ExpectIntEQ(wolfSSL_EVP_PKEY_assign(NULL, type, ecKey), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, type, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, -1, ecKey), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, type, ecKey), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_EC_KEY_generate_key(ecKey), 1); - ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, type, ecKey), WOLFSSL_SUCCESS); - if (EXPECT_FAIL()) { - wolfSSL_EC_KEY_free(ecKey); - } - wolfSSL_EVP_PKEY_free(pkey); - pkey = NULL; -#endif /* HAVE_ECC */ -#endif /* !NO_RSA || !NO_DSA || HAVE_ECC */ - return EXPECT_RESULT(); -} - -static int test_wolfSSL_EVP_PKEY_assign_DH(void) -{ - EXPECT_DECLS; -#if !defined(NO_DH) && \ - !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2)) - XFILE f = XBADFILE; - unsigned char buf[4096]; - const unsigned char* pt = buf; - const char* params1 = "./certs/dh2048.der"; - long len = 0; - WOLFSSL_DH* dh = NULL; - WOLFSSL_EVP_PKEY* pkey = NULL; - XMEMSET(buf, 0, sizeof(buf)); - - /* Load DH parameters DER. */ - ExpectTrue((f = XFOPEN(params1, "rb")) != XBADFILE); - ExpectTrue((len = (long)XFREAD(buf, 1, sizeof(buf), f)) > 0); - if (f != XBADFILE) - XFCLOSE(f); - - ExpectNotNull(dh = wolfSSL_d2i_DHparams(NULL, &pt, len)); - ExpectIntEQ(DH_generate_key(dh), WOLFSSL_SUCCESS); - - ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); - - /* Bad cases */ - ExpectIntEQ(wolfSSL_EVP_PKEY_assign_DH(NULL, dh), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_EVP_PKEY_assign_DH(pkey, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_EVP_PKEY_assign_DH(NULL, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - - /* Good case */ - ExpectIntEQ(wolfSSL_EVP_PKEY_assign_DH(pkey, dh), WOLFSSL_SUCCESS); - if (EXPECT_FAIL()) { - wolfSSL_DH_free(dh); - } - - EVP_PKEY_free(pkey); -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_EVP_PKEY_base_id(void) -{ - EXPECT_DECLS; - WOLFSSL_EVP_PKEY* pkey = NULL; - - ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); - - ExpectIntEQ(wolfSSL_EVP_PKEY_base_id(NULL), NID_undef); - - ExpectIntEQ(wolfSSL_EVP_PKEY_base_id(pkey), EVP_PKEY_RSA); - - EVP_PKEY_free(pkey); - - return EXPECT_RESULT(); -} -static int test_wolfSSL_EVP_PKEY_id(void) -{ - EXPECT_DECLS; - WOLFSSL_EVP_PKEY* pkey = NULL; - - ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); - - ExpectIntEQ(wolfSSL_EVP_PKEY_id(NULL), 0); - - ExpectIntEQ(wolfSSL_EVP_PKEY_id(pkey), EVP_PKEY_RSA); - - EVP_PKEY_free(pkey); - - return EXPECT_RESULT(); -} - -static int test_wolfSSL_EVP_PKEY_paramgen(void) -{ - EXPECT_DECLS; - /* ECC check taken from ecc.c. It is the condition that defines ECC256 */ -#if defined(OPENSSL_ALL) && !defined(NO_ECC_SECP) && \ - ((!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && \ - ECC_MIN_KEY_SZ <= 256) - EVP_PKEY_CTX* ctx = NULL; - EVP_PKEY* pkey = NULL; - - /* Test error conditions. */ - ExpectIntEQ(EVP_PKEY_paramgen(NULL, &pkey), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectNotNull(ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL)); - ExpectIntEQ(EVP_PKEY_paramgen(ctx, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - -#ifndef NO_RSA - EVP_PKEY_CTX_free(ctx); - /* Parameter generation for RSA not supported yet. */ - ExpectNotNull(ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL)); - ExpectIntEQ(EVP_PKEY_paramgen(ctx, &pkey), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); -#endif - -#ifdef HAVE_ECC - EVP_PKEY_CTX_free(ctx); - ExpectNotNull(ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL)); - ExpectIntEQ(EVP_PKEY_paramgen_init(ctx), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, - NID_X9_62_prime256v1), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_paramgen(ctx, &pkey), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_CTX_set_ec_param_enc(ctx, OPENSSL_EC_NAMED_CURVE), - WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_keygen_init(ctx), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_keygen(ctx, &pkey), WOLFSSL_SUCCESS); -#endif - - EVP_PKEY_CTX_free(ctx); - EVP_PKEY_free(pkey); -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_EVP_PKEY_keygen(void) -{ - EXPECT_DECLS; - WOLFSSL_EVP_PKEY* pkey = NULL; - EVP_PKEY_CTX* ctx = NULL; -#if !defined(NO_DH) && (!defined(HAVE_FIPS) || FIPS_VERSION_GT(2,0)) - WOLFSSL_EVP_PKEY* params = NULL; - DH* dh = NULL; - const BIGNUM* pubkey = NULL; - const BIGNUM* privkey = NULL; - ASN1_INTEGER* asn1int = NULL; - unsigned int length = 0; - byte* derBuffer = NULL; -#endif - - ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); - ExpectNotNull(ctx = EVP_PKEY_CTX_new(pkey, NULL)); - - /* Bad cases */ - ExpectIntEQ(wolfSSL_EVP_PKEY_keygen(NULL, &pkey), 0); - ExpectIntEQ(wolfSSL_EVP_PKEY_keygen(ctx, NULL), 0); - ExpectIntEQ(wolfSSL_EVP_PKEY_keygen(NULL, NULL), 0); - - /* Good case */ - ExpectIntEQ(wolfSSL_EVP_PKEY_keygen(ctx, &pkey), 0); - - EVP_PKEY_CTX_free(ctx); - ctx = NULL; - EVP_PKEY_free(pkey); - pkey = NULL; - -#if !defined(NO_DH) && (!defined(HAVE_FIPS) || FIPS_VERSION_GT(2,0)) - /* Test DH keygen */ - { - ExpectNotNull(params = wolfSSL_EVP_PKEY_new()); - ExpectNotNull(dh = DH_get_2048_256()); - ExpectIntEQ(EVP_PKEY_set1_DH(params, dh), WOLFSSL_SUCCESS); - ExpectNotNull(ctx = EVP_PKEY_CTX_new(params, NULL)); - ExpectIntEQ(EVP_PKEY_keygen_init(ctx), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_keygen(ctx, &pkey), WOLFSSL_SUCCESS); - - DH_free(dh); - dh = NULL; - EVP_PKEY_CTX_free(ctx); - EVP_PKEY_free(params); - - /* try exporting generated key to DER, to verify */ - ExpectNotNull(dh = EVP_PKEY_get1_DH(pkey)); - DH_get0_key(dh, &pubkey, &privkey); - ExpectNotNull(pubkey); - ExpectNotNull(privkey); - ExpectNotNull(asn1int = BN_to_ASN1_INTEGER(pubkey, NULL)); - ExpectIntGT((length = i2d_ASN1_INTEGER(asn1int, &derBuffer)), 0); - - ASN1_INTEGER_free(asn1int); - DH_free(dh); - dh = NULL; - XFREE(derBuffer, NULL, DYNAMIC_TYPE_TMP_BUFFER); - - EVP_PKEY_free(pkey); - } -#endif - - return EXPECT_RESULT(); -} -static int test_wolfSSL_EVP_PKEY_keygen_init(void) -{ - EXPECT_DECLS; - WOLFSSL_EVP_PKEY* pkey = NULL; - EVP_PKEY_CTX *ctx = NULL; - - ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); - ExpectNotNull(ctx = EVP_PKEY_CTX_new(pkey, NULL)); - - ExpectIntEQ(wolfSSL_EVP_PKEY_keygen_init(ctx), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_EVP_PKEY_keygen_init(NULL), WOLFSSL_SUCCESS); - - EVP_PKEY_CTX_free(ctx); - EVP_PKEY_free(pkey); - - return EXPECT_RESULT(); -} -static int test_wolfSSL_EVP_PKEY_missing_parameters(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_ALL) && !defined(NO_WOLFSSL_STUB) - WOLFSSL_EVP_PKEY* pkey = NULL; - - ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); - - ExpectIntEQ(wolfSSL_EVP_PKEY_missing_parameters(pkey), 0); - ExpectIntEQ(wolfSSL_EVP_PKEY_missing_parameters(NULL), 0); - - EVP_PKEY_free(pkey); -#endif - return EXPECT_RESULT(); -} -static int test_wolfSSL_EVP_PKEY_copy_parameters(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_DH) && defined(WOLFSSL_KEY_GEN) && \ - !defined(HAVE_SELFTEST) && (defined(OPENSSL_ALL) || defined(WOLFSSL_QT) || \ - defined(WOLFSSL_OPENSSH)) && defined(WOLFSSL_DH_EXTRA) && \ - !defined(NO_FILESYSTEM) - WOLFSSL_EVP_PKEY* params = NULL; - WOLFSSL_EVP_PKEY* copy = NULL; - DH* dh = NULL; - BIGNUM* p1; - BIGNUM* g1; - BIGNUM* q1; - BIGNUM* p2; - BIGNUM* g2; - BIGNUM* q2; - - /* create DH with DH_get_2048_256 params */ - ExpectNotNull(params = wolfSSL_EVP_PKEY_new()); - ExpectNotNull(dh = DH_get_2048_256()); - ExpectIntEQ(EVP_PKEY_set1_DH(params, dh), WOLFSSL_SUCCESS); - DH_get0_pqg(dh, (const BIGNUM**)&p1, - (const BIGNUM**)&q1, - (const BIGNUM**)&g1); - DH_free(dh); - dh = NULL; - - /* create DH with random generated DH params */ - ExpectNotNull(copy = wolfSSL_EVP_PKEY_new()); - ExpectNotNull(dh = DH_generate_parameters(2048, 2, NULL, NULL)); - ExpectIntEQ(EVP_PKEY_set1_DH(copy, dh), WOLFSSL_SUCCESS); - DH_free(dh); - dh = NULL; - - ExpectIntEQ(EVP_PKEY_copy_parameters(copy, params), WOLFSSL_SUCCESS); - ExpectNotNull(dh = EVP_PKEY_get1_DH(copy)); - ExpectNotNull(dh->p); - ExpectNotNull(dh->g); - ExpectNotNull(dh->q); - DH_get0_pqg(dh, (const BIGNUM**)&p2, - (const BIGNUM**)&q2, - (const BIGNUM**)&g2); - - ExpectIntEQ(BN_cmp(p1, p2), 0); - ExpectIntEQ(BN_cmp(q1, q2), 0); - ExpectIntEQ(BN_cmp(g1, g2), 0); - - DH_free(dh); - dh = NULL; - EVP_PKEY_free(copy); - EVP_PKEY_free(params); -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_EVP_PKEY_CTX_set_rsa_keygen_bits(void) -{ - EXPECT_DECLS; - WOLFSSL_EVP_PKEY* pkey = NULL; - EVP_PKEY_CTX* ctx = NULL; - int bits = 2048; - - ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); - ExpectNotNull(ctx = EVP_PKEY_CTX_new(pkey, NULL)); - - ExpectIntEQ(wolfSSL_EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, bits), - WOLFSSL_SUCCESS); - - EVP_PKEY_CTX_free(ctx); - EVP_PKEY_free(pkey); - - return EXPECT_RESULT(); -} - -static int test_wolfSSL_EVP_CIPHER_CTX_iv_length(void) -{ - EXPECT_DECLS; - /* This is large enough to be used for all key sizes */ - byte key[AES_256_KEY_SIZE] = {0}; - byte iv[AES_BLOCK_SIZE] = {0}; - int i; - int nids[] = { - #ifdef HAVE_AES_CBC - NID_aes_128_cbc, - #endif - #if (!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)) || \ - (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2)) - #ifdef HAVE_AESGCM - NID_aes_128_gcm, - #endif - #endif /* (HAVE_FIPS && !HAVE_SELFTEST) || HAVE_FIPS_VERSION > 2 */ - #ifdef WOLFSSL_AES_COUNTER - NID_aes_128_ctr, - #endif - #ifndef NO_DES3 - NID_des_cbc, - NID_des_ede3_cbc, - #endif - }; - int iv_lengths[] = { - #ifdef HAVE_AES_CBC - AES_BLOCK_SIZE, - #endif - #if (!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)) || \ - (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2)) - #ifdef HAVE_AESGCM - GCM_NONCE_MID_SZ, - #endif - #endif /* (HAVE_FIPS && !HAVE_SELFTEST) || HAVE_FIPS_VERSION > 2 */ - #ifdef WOLFSSL_AES_COUNTER - AES_BLOCK_SIZE, - #endif - #ifndef NO_DES3 - DES_BLOCK_SIZE, - DES_BLOCK_SIZE, - #endif - }; - int nidsLen = (sizeof(nids)/sizeof(int)); - - for (i = 0; i < nidsLen; i++) { - const EVP_CIPHER* init = wolfSSL_EVP_get_cipherbynid(nids[i]); - EVP_CIPHER_CTX* ctx = EVP_CIPHER_CTX_new(); - wolfSSL_EVP_CIPHER_CTX_init(ctx); - - ExpectIntEQ(EVP_CipherInit(ctx, init, key, iv, 1), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_iv_length(ctx), iv_lengths[i]); - - EVP_CIPHER_CTX_free(ctx); - } - - return EXPECT_RESULT(); -} - -static int test_wolfSSL_EVP_CIPHER_CTX_key_length(void) -{ - EXPECT_DECLS; - byte key[AES_256_KEY_SIZE] = {0}; - byte iv[AES_BLOCK_SIZE] = {0}; - int i; - int nids[] = { - #ifdef HAVE_AES_CBC - NID_aes_128_cbc, - #ifdef WOLFSSL_AES_256 - NID_aes_256_cbc, - #endif - #endif - #if (!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)) || \ - (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2)) - #ifdef HAVE_AESGCM - NID_aes_128_gcm, - #ifdef WOLFSSL_AES_256 - NID_aes_256_gcm, - #endif - #endif - #endif /* (HAVE_FIPS && !HAVE_SELFTEST) || HAVE_FIPS_VERSION > 2 */ - #ifdef WOLFSSL_AES_COUNTER - NID_aes_128_ctr, - #ifdef WOLFSSL_AES_256 - NID_aes_256_ctr, - #endif - #endif - #ifndef NO_DES3 - NID_des_cbc, - NID_des_ede3_cbc, - #endif - }; - int key_lengths[] = { - #ifdef HAVE_AES_CBC - AES_128_KEY_SIZE, - #ifdef WOLFSSL_AES_256 - AES_256_KEY_SIZE, - #endif - #endif - #if (!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)) || \ - (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2)) - #ifdef HAVE_AESGCM - AES_128_KEY_SIZE, - #ifdef WOLFSSL_AES_256 - AES_256_KEY_SIZE, - #endif - #endif - #endif /* (HAVE_FIPS && !HAVE_SELFTEST) || HAVE_FIPS_VERSION > 2 */ - #ifdef WOLFSSL_AES_COUNTER - AES_128_KEY_SIZE, - #ifdef WOLFSSL_AES_256 - AES_256_KEY_SIZE, - #endif - #endif - #ifndef NO_DES3 - DES_KEY_SIZE, - DES3_KEY_SIZE, - #endif - }; - int nidsLen = (sizeof(nids)/sizeof(int)); - - for (i = 0; i < nidsLen; i++) { - const EVP_CIPHER *init = wolfSSL_EVP_get_cipherbynid(nids[i]); - EVP_CIPHER_CTX* ctx = EVP_CIPHER_CTX_new(); - wolfSSL_EVP_CIPHER_CTX_init(ctx); - - ExpectIntEQ(EVP_CipherInit(ctx, init, key, iv, 1), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_key_length(ctx), key_lengths[i]); - - ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_set_key_length(ctx, key_lengths[i]), - WOLFSSL_SUCCESS); - - EVP_CIPHER_CTX_free(ctx); - } - - return EXPECT_RESULT(); -} - -static int test_wolfSSL_EVP_CIPHER_CTX_set_iv(void) -{ - EXPECT_DECLS; -#if defined(HAVE_AESGCM) && !defined(NO_DES3) - int ivLen, keyLen; - EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new(); -#ifdef HAVE_AESGCM - byte key[AES_128_KEY_SIZE] = {0}; - byte iv[AES_BLOCK_SIZE] = {0}; - const EVP_CIPHER *init = EVP_aes_128_gcm(); -#else - byte key[DES3_KEY_SIZE] = {0}; - byte iv[DES_BLOCK_SIZE] = {0}; - const EVP_CIPHER *init = EVP_des_ede3_cbc(); -#endif - - wolfSSL_EVP_CIPHER_CTX_init(ctx); - ExpectIntEQ(EVP_CipherInit(ctx, init, key, iv, 1), WOLFSSL_SUCCESS); - - ivLen = wolfSSL_EVP_CIPHER_CTX_iv_length(ctx); - keyLen = wolfSSL_EVP_CIPHER_CTX_key_length(ctx); - - /* Bad cases */ - ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_set_iv(NULL, iv, ivLen), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_set_iv(ctx, NULL, ivLen), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_set_iv(ctx, iv, 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_set_iv(NULL, NULL, 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_set_iv(ctx, iv, keyLen), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - - /* Good case */ - ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_set_iv(ctx, iv, ivLen), 1); - - EVP_CIPHER_CTX_free(ctx); -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_EVP_PKEY_CTX_new_id(void) -{ - EXPECT_DECLS; - WOLFSSL_ENGINE* e = NULL; - int id = 0; - EVP_PKEY_CTX *ctx = NULL; - - ExpectNotNull(ctx = wolfSSL_EVP_PKEY_CTX_new_id(id, e)); - - EVP_PKEY_CTX_free(ctx); - - return EXPECT_RESULT(); -} - -static int test_wolfSSL_EVP_rc4(void) -{ - EXPECT_DECLS; -#if !defined(NO_RC4) - ExpectNotNull(wolfSSL_EVP_rc4()); -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_EVP_enc_null(void) -{ - EXPECT_DECLS; - ExpectNotNull(wolfSSL_EVP_enc_null()); - return EXPECT_RESULT(); -} -static int test_wolfSSL_EVP_rc2_cbc(void) - -{ - EXPECT_DECLS; -#if defined(WOLFSSL_QT) && !defined(NO_WOLFSSL_STUB) - ExpectNull(wolfSSL_EVP_rc2_cbc()); -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_EVP_mdc2(void) -{ - EXPECT_DECLS; -#if !defined(NO_WOLFSSL_STUB) - ExpectNull(wolfSSL_EVP_mdc2()); -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_EVP_md4(void) -{ - EXPECT_DECLS; -#if !defined(NO_MD4) - ExpectNotNull(wolfSSL_EVP_md4()); -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_EVP_aes_256_gcm(void) -{ - EXPECT_DECLS; -#if defined(HAVE_AESGCM) && defined(WOLFSSL_AES_256) - ExpectNotNull(wolfSSL_EVP_aes_256_gcm()); -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_EVP_aes_192_gcm(void) -{ - EXPECT_DECLS; -#if defined(HAVE_AESGCM) && defined(WOLFSSL_AES_192) - ExpectNotNull(wolfSSL_EVP_aes_192_gcm()); -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_EVP_aes_256_ccm(void) -{ - EXPECT_DECLS; -#if defined(HAVE_AESCCM) && defined(WOLFSSL_AES_256) - ExpectNotNull(wolfSSL_EVP_aes_256_ccm()); -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_EVP_aes_192_ccm(void) -{ - EXPECT_DECLS; -#if defined(HAVE_AESCCM) && defined(WOLFSSL_AES_192) - ExpectNotNull(wolfSSL_EVP_aes_192_ccm()); -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_EVP_aes_128_ccm(void) -{ - EXPECT_DECLS; -#if defined(HAVE_AESCCM) && defined(WOLFSSL_AES_128) - ExpectNotNull(wolfSSL_EVP_aes_128_ccm()); -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_EVP_ripemd160(void) -{ - EXPECT_DECLS; -#if !defined(NO_WOLFSSL_STUB) - ExpectNull(wolfSSL_EVP_ripemd160()); -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_EVP_get_digestbynid(void) -{ - EXPECT_DECLS; - -#ifndef NO_MD5 - ExpectNotNull(wolfSSL_EVP_get_digestbynid(NID_md5)); -#endif -#ifndef NO_SHA - ExpectNotNull(wolfSSL_EVP_get_digestbynid(NID_sha1)); -#endif -#ifndef NO_SHA256 - ExpectNotNull(wolfSSL_EVP_get_digestbynid(NID_sha256)); -#endif - ExpectNull(wolfSSL_EVP_get_digestbynid(0)); - - return EXPECT_RESULT(); -} - -static int test_wolfSSL_EVP_MD_nid(void) -{ - EXPECT_DECLS; - -#ifndef NO_MD5 - ExpectIntEQ(EVP_MD_nid(EVP_md5()), NID_md5); -#endif -#ifndef NO_SHA - ExpectIntEQ(EVP_MD_nid(EVP_sha1()), NID_sha1); -#endif -#ifndef NO_SHA256 - ExpectIntEQ(EVP_MD_nid(EVP_sha256()), NID_sha256); -#endif - ExpectIntEQ(EVP_MD_nid(NULL), NID_undef); - - return EXPECT_RESULT(); -} - -static int test_wolfSSL_EVP_PKEY_get0_EC_KEY(void) -{ - EXPECT_DECLS; -#if defined(HAVE_ECC) - WOLFSSL_EVP_PKEY* pkey = NULL; - - ExpectNull(EVP_PKEY_get0_EC_KEY(NULL)); - - ExpectNotNull(pkey = EVP_PKEY_new()); - ExpectNull(EVP_PKEY_get0_EC_KEY(pkey)); - EVP_PKEY_free(pkey); -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_EVP_X_STATE(void) -{ - EXPECT_DECLS; -#if !defined(NO_DES3) && !defined(NO_RC4) - byte key[DES3_KEY_SIZE] = {0}; - byte iv[DES_IV_SIZE] = {0}; - EVP_CIPHER_CTX *ctx = NULL; - const EVP_CIPHER *init = NULL; - - /* Bad test cases */ - ExpectNotNull(ctx = EVP_CIPHER_CTX_new()); - ExpectNotNull(init = EVP_des_ede3_cbc()); - - wolfSSL_EVP_CIPHER_CTX_init(ctx); - ExpectIntEQ(EVP_CipherInit(ctx, init, key, iv, 1), WOLFSSL_SUCCESS); - - ExpectNull(wolfSSL_EVP_X_STATE(NULL)); - ExpectNull(wolfSSL_EVP_X_STATE(ctx)); - EVP_CIPHER_CTX_free(ctx); - ctx = NULL; - - /* Good test case */ - ExpectNotNull(ctx = EVP_CIPHER_CTX_new()); - ExpectNotNull(init = wolfSSL_EVP_rc4()); - - wolfSSL_EVP_CIPHER_CTX_init(ctx); - ExpectIntEQ(EVP_CipherInit(ctx, init, key, iv, 1), WOLFSSL_SUCCESS); - - ExpectNotNull(wolfSSL_EVP_X_STATE(ctx)); - EVP_CIPHER_CTX_free(ctx); -#endif - return EXPECT_RESULT(); -} -static int test_wolfSSL_EVP_X_STATE_LEN(void) -{ - EXPECT_DECLS; -#if !defined(NO_DES3) && !defined(NO_RC4) - byte key[DES3_KEY_SIZE] = {0}; - byte iv[DES_IV_SIZE] = {0}; - EVP_CIPHER_CTX *ctx = NULL; - const EVP_CIPHER *init = NULL; - - /* Bad test cases */ - ExpectNotNull(ctx = EVP_CIPHER_CTX_new()); - ExpectNotNull(init = EVP_des_ede3_cbc()); - - wolfSSL_EVP_CIPHER_CTX_init(ctx); - ExpectIntEQ(EVP_CipherInit(ctx, init, key, iv, 1), WOLFSSL_SUCCESS); - - ExpectIntEQ(wolfSSL_EVP_X_STATE_LEN(NULL), 0); - ExpectIntEQ(wolfSSL_EVP_X_STATE_LEN(ctx), 0); - EVP_CIPHER_CTX_free(ctx); - ctx = NULL; - - /* Good test case */ - ExpectNotNull(ctx = EVP_CIPHER_CTX_new()); - ExpectNotNull(init = wolfSSL_EVP_rc4()); - - wolfSSL_EVP_CIPHER_CTX_init(ctx); - ExpectIntEQ(EVP_CipherInit(ctx, init, key, iv, 1), WOLFSSL_SUCCESS); - - ExpectIntEQ(wolfSSL_EVP_X_STATE_LEN(ctx), sizeof(Arc4)); - EVP_CIPHER_CTX_free(ctx); -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_EVP_CIPHER_block_size(void) -{ - EXPECT_DECLS; -#if defined(HAVE_AES_CBC) || defined(HAVE_AESGCM) || \ - defined(WOLFSSL_AES_COUNTER) || defined(HAVE_AES_ECB) || \ - defined(WOLFSSL_AES_OFB) || !defined(NO_RC4) || \ - (defined(HAVE_CHACHA) && defined(HAVE_POLY1305)) - -#ifdef HAVE_AES_CBC - #ifdef WOLFSSL_AES_128 - ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_128_cbc()), AES_BLOCK_SIZE); - #endif - #ifdef WOLFSSL_AES_192 - ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_192_cbc()), AES_BLOCK_SIZE); - #endif - #ifdef WOLFSSL_AES_256 - ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_256_cbc()), AES_BLOCK_SIZE); - #endif -#endif - -#ifdef HAVE_AESGCM - #ifdef WOLFSSL_AES_128 - ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_128_gcm()), 1); - #endif - #ifdef WOLFSSL_AES_192 - ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_192_gcm()), 1); - #endif - #ifdef WOLFSSL_AES_256 - ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_256_gcm()), 1); - #endif -#endif - -#ifdef HAVE_AESCCM - #ifdef WOLFSSL_AES_128 - ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_128_ccm()), 1); - #endif - #ifdef WOLFSSL_AES_192 - ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_192_ccm()), 1); - #endif - #ifdef WOLFSSL_AES_256 - ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_256_ccm()), 1); - #endif -#endif - -#ifdef WOLFSSL_AES_COUNTER - #ifdef WOLFSSL_AES_128 - ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_128_ctr()), 1); - #endif - #ifdef WOLFSSL_AES_192 - ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_192_ctr()), 1); - #endif - #ifdef WOLFSSL_AES_256 - ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_256_ctr()), 1); - #endif -#endif - -#ifdef HAVE_AES_ECB - #ifdef WOLFSSL_AES_128 - ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_128_ecb()), AES_BLOCK_SIZE); - #endif - #ifdef WOLFSSL_AES_192 - ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_192_ecb()), AES_BLOCK_SIZE); - #endif - #ifdef WOLFSSL_AES_256 - ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_256_ecb()), AES_BLOCK_SIZE); - #endif -#endif - -#ifdef WOLFSSL_AES_OFB - #ifdef WOLFSSL_AES_128 - ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_128_ofb()), 1); - #endif - #ifdef WOLFSSL_AES_192 - ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_192_ofb()), 1); - #endif - #ifdef WOLFSSL_AES_256 - ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_256_ofb()), 1); - #endif -#endif - -#ifndef NO_RC4 - ExpectIntEQ(EVP_CIPHER_block_size(wolfSSL_EVP_rc4()), 1); -#endif - -#if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) - ExpectIntEQ(EVP_CIPHER_block_size(wolfSSL_EVP_chacha20_poly1305()), 1); -#endif -#endif - -#ifdef WOLFSSL_SM4_ECB - ExpectIntEQ(EVP_CIPHER_block_size(EVP_sm4_ecb()), SM4_BLOCK_SIZE); -#endif -#ifdef WOLFSSL_SM4_CBC - ExpectIntEQ(EVP_CIPHER_block_size(EVP_sm4_cbc()), SM4_BLOCK_SIZE); -#endif -#ifdef WOLFSSL_SM4_CTR - ExpectIntEQ(EVP_CIPHER_block_size(EVP_sm4_ctr()), 1); -#endif -#ifdef WOLFSSL_SM4_GCM - ExpectIntEQ(EVP_CIPHER_block_size(EVP_sm4_gcm()), 1); -#endif -#ifdef WOLFSSL_SM4_CCM - ExpectIntEQ(EVP_CIPHER_block_size(EVP_sm4_ccm()), 1); -#endif - - return EXPECT_RESULT(); -} - -static int test_wolfSSL_EVP_CIPHER_iv_length(void) -{ - EXPECT_DECLS; - int nids[] = { - #if defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT) - #ifdef WOLFSSL_AES_128 - NID_aes_128_cbc, - #endif - #ifdef WOLFSSL_AES_192 - NID_aes_192_cbc, - #endif - #ifdef WOLFSSL_AES_256 - NID_aes_256_cbc, - #endif - #endif /* HAVE_AES_CBC || WOLFSSL_AES_DIRECT */ - #if (!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)) || \ - (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2)) - #ifdef HAVE_AESGCM - #ifdef WOLFSSL_AES_128 - NID_aes_128_gcm, - #endif - #ifdef WOLFSSL_AES_192 - NID_aes_192_gcm, - #endif - #ifdef WOLFSSL_AES_256 - NID_aes_256_gcm, - #endif - #endif /* HAVE_AESGCM */ - #endif /* (HAVE_FIPS && !HAVE_SELFTEST) || HAVE_FIPS_VERSION > 2 */ - #ifdef WOLFSSL_AES_COUNTER - #ifdef WOLFSSL_AES_128 - NID_aes_128_ctr, - #endif - #ifdef WOLFSSL_AES_192 - NID_aes_192_ctr, - #endif - #ifdef WOLFSSL_AES_256 - NID_aes_256_ctr, - #endif - #endif - #ifndef NO_DES3 - NID_des_cbc, - NID_des_ede3_cbc, - #endif - #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) - NID_chacha20_poly1305, - #endif - }; - int iv_lengths[] = { - #if defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT) - #ifdef WOLFSSL_AES_128 - AES_BLOCK_SIZE, - #endif - #ifdef WOLFSSL_AES_192 - AES_BLOCK_SIZE, - #endif - #ifdef WOLFSSL_AES_256 - AES_BLOCK_SIZE, - #endif - #endif /* HAVE_AES_CBC || WOLFSSL_AES_DIRECT */ - #if (!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)) || \ - (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2)) - #ifdef HAVE_AESGCM - #ifdef WOLFSSL_AES_128 - GCM_NONCE_MID_SZ, - #endif - #ifdef WOLFSSL_AES_192 - GCM_NONCE_MID_SZ, - #endif - #ifdef WOLFSSL_AES_256 - GCM_NONCE_MID_SZ, - #endif - #endif /* HAVE_AESGCM */ - #endif /* (HAVE_FIPS && !HAVE_SELFTEST) || HAVE_FIPS_VERSION > 2 */ - #ifdef WOLFSSL_AES_COUNTER - #ifdef WOLFSSL_AES_128 - AES_BLOCK_SIZE, - #endif - #ifdef WOLFSSL_AES_192 - AES_BLOCK_SIZE, - #endif - #ifdef WOLFSSL_AES_256 - AES_BLOCK_SIZE, - #endif - #endif - #ifndef NO_DES3 - DES_BLOCK_SIZE, - DES_BLOCK_SIZE, - #endif - #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) - CHACHA20_POLY1305_AEAD_IV_SIZE, - #endif - }; - int i; - int nidsLen = (sizeof(nids)/sizeof(int)); - - for (i = 0; i < nidsLen; i++) { - const EVP_CIPHER *c = EVP_get_cipherbynid(nids[i]); - ExpectIntEQ(EVP_CIPHER_iv_length(c), iv_lengths[i]); - } - - return EXPECT_RESULT(); -} - -static int test_wolfSSL_EVP_SignInit_ex(void) -{ - EXPECT_DECLS; - WOLFSSL_EVP_MD_CTX mdCtx; - WOLFSSL_ENGINE* e = 0; - const EVP_MD* md = EVP_sha256(); - - wolfSSL_EVP_MD_CTX_init(&mdCtx); - ExpectIntEQ(wolfSSL_EVP_SignInit_ex(&mdCtx, md, e), WOLFSSL_SUCCESS); - - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); - - return EXPECT_RESULT(); -} - -static int test_wolfSSL_EVP_DigestFinalXOF(void) -{ - EXPECT_DECLS; -#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE256) && defined(OPENSSL_ALL) - WOLFSSL_EVP_MD_CTX mdCtx; - unsigned char shake[256]; - unsigned char zeros[10]; - unsigned char data[] = "Test data"; - unsigned int sz; - - XMEMSET(zeros, 0, sizeof(zeros)); - wolfSSL_EVP_MD_CTX_init(&mdCtx); - ExpectIntEQ(EVP_DigestInit(&mdCtx, EVP_shake256()), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_MD_flags(EVP_shake256()), EVP_MD_FLAG_XOF); - ExpectIntEQ(EVP_MD_flags(EVP_sha3_256()), 0); - ExpectIntEQ(EVP_DigestUpdate(&mdCtx, data, 1), WOLFSSL_SUCCESS); - XMEMSET(shake, 0, sizeof(shake)); - ExpectIntEQ(EVP_DigestFinalXOF(&mdCtx, shake, 10), WOLFSSL_SUCCESS); - - /* make sure was only size of 10 */ - ExpectIntEQ(XMEMCMP(&shake[11], zeros, 10), 0); - ExpectIntEQ(EVP_MD_CTX_cleanup(&mdCtx), WOLFSSL_SUCCESS); - - wolfSSL_EVP_MD_CTX_init(&mdCtx); - ExpectIntEQ(EVP_DigestInit(&mdCtx, EVP_shake256()), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_DigestUpdate(&mdCtx, data, 1), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_DigestFinal(&mdCtx, shake, &sz), WOLFSSL_SUCCESS); - ExpectIntEQ(sz, 32); - ExpectIntEQ(EVP_MD_CTX_cleanup(&mdCtx), WOLFSSL_SUCCESS); - - #if defined(WOLFSSL_SHAKE128) - wolfSSL_EVP_MD_CTX_init(&mdCtx); - ExpectIntEQ(EVP_DigestInit(&mdCtx, EVP_shake128()), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_DigestUpdate(&mdCtx, data, 1), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_DigestFinal(&mdCtx, shake, &sz), WOLFSSL_SUCCESS); - ExpectIntEQ(sz, 16); - ExpectIntEQ(EVP_MD_CTX_cleanup(&mdCtx), WOLFSSL_SUCCESS); - #endif -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_EVP_DigestFinal_ex(void) -{ - EXPECT_DECLS; -#if !defined(NO_SHA256) - WOLFSSL_EVP_MD_CTX mdCtx; - unsigned int s = 0; - unsigned char md[WC_SHA256_DIGEST_SIZE]; - unsigned char md2[WC_SHA256_DIGEST_SIZE]; - - /* Bad Case */ -#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && \ - (HAVE_FIPS_VERSION > 2)) - wolfSSL_EVP_MD_CTX_init(&mdCtx); - ExpectIntEQ(wolfSSL_EVP_DigestFinal_ex(&mdCtx, md, &s), 0); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); - -#else - wolfSSL_EVP_MD_CTX_init(&mdCtx); - ExpectIntEQ(wolfSSL_EVP_DigestFinal_ex(&mdCtx, md, &s), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), WOLFSSL_SUCCESS); - -#endif - - /* Good Case */ - wolfSSL_EVP_MD_CTX_init(&mdCtx); - ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, EVP_sha256()), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_EVP_DigestFinal_ex(&mdCtx, md2, &s), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), WOLFSSL_SUCCESS); -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_QT_EVP_PKEY_CTX_free(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) - EVP_PKEY* pkey = NULL; - EVP_PKEY_CTX* ctx = NULL; - - ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); - ExpectNotNull(ctx = EVP_PKEY_CTX_new(pkey, NULL)); - -#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000L - /* void */ - EVP_PKEY_CTX_free(ctx); -#else - /* int */ - ExpectIntEQ(EVP_PKEY_CTX_free(ctx), WOLFSSL_SUCCESS); -#endif - - EVP_PKEY_free(pkey); -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_EVP_PKEY_param_check(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) -#if !defined(NO_DH) && defined(WOLFSSL_DH_EXTRA) && !defined(NO_FILESYSTEM) - - DH *dh = NULL; - DH *setDh = NULL; - EVP_PKEY *pkey = NULL; - EVP_PKEY_CTX* ctx = NULL; - - FILE* f = NULL; - unsigned char buf[512]; - const unsigned char* pt = buf; - const char* dh2048 = "./certs/dh2048.der"; - long len = 0; - int code = -1; - - XMEMSET(buf, 0, sizeof(buf)); - - ExpectTrue((f = XFOPEN(dh2048, "rb")) != XBADFILE); - ExpectTrue((len = (long)XFREAD(buf, 1, sizeof(buf), f)) > 0); - if (f != XBADFILE) - XFCLOSE(f); - - /* Load dh2048.der into DH with internal format */ - ExpectNotNull(setDh = d2i_DHparams(NULL, &pt, len)); - ExpectIntEQ(DH_check(setDh, &code), WOLFSSL_SUCCESS); - ExpectIntEQ(code, 0); - code = -1; - - pkey = wolfSSL_EVP_PKEY_new(); - /* Set DH into PKEY */ - ExpectIntEQ(EVP_PKEY_set1_DH(pkey, setDh), WOLFSSL_SUCCESS); - /* create ctx from pkey */ - ExpectNotNull(ctx = EVP_PKEY_CTX_new(pkey, NULL)); - ExpectIntEQ(EVP_PKEY_param_check(ctx), 1/* valid */); - - /* TODO: more invalid cases */ - ExpectIntEQ(EVP_PKEY_param_check(NULL), 0); - - EVP_PKEY_CTX_free(ctx); - EVP_PKEY_free(pkey); - DH_free(setDh); - setDh = NULL; - DH_free(dh); - dh = NULL; -#endif -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_EVP_BytesToKey(void) -{ - EXPECT_DECLS; -#if !defined(NO_AES) && defined(HAVE_AES_CBC) - byte key[AES_BLOCK_SIZE] = {0}; - byte iv[AES_BLOCK_SIZE] = {0}; - int count = 0; - const EVP_MD* md = EVP_sha256(); - const EVP_CIPHER *type; - const unsigned char *salt = (unsigned char *)"salt1234"; - int sz = 5; - const byte data[] = { - 0x48,0x65,0x6c,0x6c,0x6f,0x20,0x57,0x6f, - 0x72,0x6c,0x64 - }; - - type = wolfSSL_EVP_get_cipherbynid(NID_aes_128_cbc); - - /* Bad cases */ - ExpectIntEQ(EVP_BytesToKey(NULL, md, salt, data, sz, count, key, iv), - 0); - ExpectIntEQ(EVP_BytesToKey(type, md, salt, NULL, sz, count, key, iv), - 16); - md = "2"; - ExpectIntEQ(EVP_BytesToKey(type, md, salt, data, sz, count, key, iv), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - - /* Good case */ - md = EVP_sha256(); - ExpectIntEQ(EVP_BytesToKey(type, md, salt, data, sz, count, key, iv), - 16); -#endif - return EXPECT_RESULT(); -} - -static int test_evp_cipher_aes_gcm(void) -{ - EXPECT_DECLS; -#if defined(HAVE_AESGCM) && ((!defined(HAVE_FIPS) && \ - !defined(HAVE_SELFTEST)) || (defined(HAVE_FIPS_VERSION) && \ - (HAVE_FIPS_VERSION >= 2))) && defined(WOLFSSL_AES_256) - /* - * This test checks data at various points in the encrypt/decrypt process - * against known values produced using the same test with OpenSSL. This - * interop testing is critical for verifying the correctness of our - * EVP_Cipher implementation with AES-GCM. Specifically, this test exercises - * a flow supported by OpenSSL that uses the control command - * EVP_CTRL_GCM_IV_GEN to increment the IV between cipher operations without - * the need to call EVP_CipherInit. OpenSSH uses this flow, for example. We - * had a bug with OpenSSH where wolfSSL OpenSSH servers could only talk to - * wolfSSL OpenSSH clients because there was a bug in this flow that - * happened to "cancel out" if both sides of the connection had the bug. - */ - enum { - NUM_ENCRYPTIONS = 3, - AAD_SIZE = 4 - }; - static const byte plainText1[] = { - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, - 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, - 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23 - }; - static const byte plainText2[] = { - 0x42, 0x49, 0x3b, 0x27, 0x03, 0x35, 0x59, 0x14, 0x41, 0x47, 0x37, 0x14, - 0x0e, 0x34, 0x0d, 0x28, 0x63, 0x09, 0x0a, 0x5b, 0x22, 0x57, 0x42, 0x22, - 0x0f, 0x5c, 0x1e, 0x53, 0x45, 0x15, 0x62, 0x08, 0x60, 0x43, 0x50, 0x2c - }; - static const byte plainText3[] = { - 0x36, 0x0d, 0x2b, 0x09, 0x4a, 0x56, 0x3b, 0x4c, 0x21, 0x22, 0x58, 0x0e, - 0x5b, 0x57, 0x10 - }; - static const byte* plainTexts[NUM_ENCRYPTIONS] = { - plainText1, - plainText2, - plainText3 - }; - static const int plainTextSzs[NUM_ENCRYPTIONS] = { - sizeof(plainText1), - sizeof(plainText2), - sizeof(plainText3) - }; - static const byte aad1[AAD_SIZE] = { - 0x00, 0x00, 0x00, 0x01 - }; - static const byte aad2[AAD_SIZE] = { - 0x00, 0x00, 0x00, 0x10 - }; - static const byte aad3[AAD_SIZE] = { - 0x00, 0x00, 0x01, 0x00 - }; - static const byte* aads[NUM_ENCRYPTIONS] = { - aad1, - aad2, - aad3 - }; - const byte iv[GCM_NONCE_MID_SZ] = { - 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF - }; - byte currentIv[GCM_NONCE_MID_SZ]; - const byte key[] = { - 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, - 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, - 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f - }; - const byte expIvs[NUM_ENCRYPTIONS][GCM_NONCE_MID_SZ] = { - { - 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, - 0xEF - }, - { - 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, - 0xF0 - }, - { - 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, - 0xF1 - } - }; - const byte expTags[NUM_ENCRYPTIONS][AES_BLOCK_SIZE] = { - { - 0x65, 0x4F, 0xF7, 0xA0, 0xBB, 0x7B, 0x90, 0xB7, 0x9C, 0xC8, 0x14, - 0x3D, 0x32, 0x18, 0x34, 0xA9 - }, - { - 0x50, 0x3A, 0x13, 0x8D, 0x91, 0x1D, 0xEC, 0xBB, 0xBA, 0x5B, 0x57, - 0xA2, 0xFD, 0x2D, 0x6B, 0x7F - }, - { - 0x3B, 0xED, 0x18, 0x9C, 0xB3, 0xE3, 0x61, 0x1E, 0x11, 0xEB, 0x13, - 0x5B, 0xEC, 0x52, 0x49, 0x32, - } - }; - static const byte expCipherText1[] = { - 0xCB, 0x93, 0x4F, 0xC8, 0x22, 0xE2, 0xC0, 0x35, 0xAA, 0x6B, 0x41, 0x15, - 0x17, 0x30, 0x2F, 0x97, 0x20, 0x74, 0x39, 0x28, 0xF8, 0xEB, 0xC5, 0x51, - 0x7B, 0xD9, 0x8A, 0x36, 0xB8, 0xDA, 0x24, 0x80, 0xE7, 0x9E, 0x09, 0xDE - }; - static const byte expCipherText2[] = { - 0xF9, 0x32, 0xE1, 0x87, 0x37, 0x0F, 0x04, 0xC1, 0xB5, 0x59, 0xF0, 0x45, - 0x3A, 0x0D, 0xA0, 0x26, 0xFF, 0xA6, 0x8D, 0x38, 0xFE, 0xB8, 0xE5, 0xC2, - 0x2A, 0x98, 0x4A, 0x54, 0x8F, 0x1F, 0xD6, 0x13, 0x03, 0xB2, 0x1B, 0xC0 - }; - static const byte expCipherText3[] = { - 0xD0, 0x37, 0x59, 0x1C, 0x2F, 0x85, 0x39, 0x4D, 0xED, 0xC2, 0x32, 0x5B, - 0x80, 0x5E, 0x6B, - }; - static const byte* expCipherTexts[NUM_ENCRYPTIONS] = { - expCipherText1, - expCipherText2, - expCipherText3 - }; - byte* cipherText = NULL; - byte* calcPlainText = NULL; - byte tag[AES_BLOCK_SIZE]; - EVP_CIPHER_CTX* encCtx = NULL; - EVP_CIPHER_CTX* decCtx = NULL; - int i, j, outl; - - /****************************************************/ - for (i = 0; i < 3; ++i) { - ExpectNotNull(encCtx = EVP_CIPHER_CTX_new()); - ExpectNotNull(decCtx = EVP_CIPHER_CTX_new()); - - /* First iteration, set key before IV. */ - if (i == 0) { - ExpectIntEQ(EVP_CipherInit(encCtx, EVP_aes_256_gcm(), key, NULL, 1), - SSL_SUCCESS); - - /* - * The call to EVP_CipherInit below (with NULL key) should clear the - * authIvGenEnable flag set by EVP_CTRL_GCM_SET_IV_FIXED. As such, a - * subsequent EVP_CTRL_GCM_IV_GEN should fail. This matches OpenSSL - * behavior. - */ - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(encCtx, EVP_CTRL_GCM_SET_IV_FIXED, -1, - (void*)iv), SSL_SUCCESS); - ExpectIntEQ(EVP_CipherInit(encCtx, NULL, NULL, iv, 1), - SSL_SUCCESS); - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(encCtx, EVP_CTRL_GCM_IV_GEN, -1, - currentIv), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - - ExpectIntEQ(EVP_CipherInit(decCtx, EVP_aes_256_gcm(), key, NULL, 0), - SSL_SUCCESS); - ExpectIntEQ(EVP_CipherInit(decCtx, NULL, NULL, iv, 0), - SSL_SUCCESS); - } - /* Second iteration, IV before key. */ - else { - ExpectIntEQ(EVP_CipherInit(encCtx, EVP_aes_256_gcm(), NULL, iv, 1), - SSL_SUCCESS); - ExpectIntEQ(EVP_CipherInit(encCtx, NULL, key, NULL, 1), - SSL_SUCCESS); - ExpectIntEQ(EVP_CipherInit(decCtx, EVP_aes_256_gcm(), NULL, iv, 0), - SSL_SUCCESS); - ExpectIntEQ(EVP_CipherInit(decCtx, NULL, key, NULL, 0), - SSL_SUCCESS); - } - - /* - * EVP_CTRL_GCM_IV_GEN should fail if EVP_CTRL_GCM_SET_IV_FIXED hasn't - * been issued first. - */ - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(encCtx, EVP_CTRL_GCM_IV_GEN, -1, - currentIv), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(encCtx, EVP_CTRL_GCM_SET_IV_FIXED, -1, - (void*)iv), SSL_SUCCESS); - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(decCtx, EVP_CTRL_GCM_SET_IV_FIXED, -1, - (void*)iv), SSL_SUCCESS); - - for (j = 0; j < NUM_ENCRYPTIONS; ++j) { - /*************** Encrypt ***************/ - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(encCtx, EVP_CTRL_GCM_IV_GEN, -1, - currentIv), SSL_SUCCESS); - /* Check current IV against expected. */ - ExpectIntEQ(XMEMCMP(currentIv, expIvs[j], GCM_NONCE_MID_SZ), 0); - - /* Add AAD. */ - if (i == 2) { - /* Test streaming API. */ - ExpectIntEQ(EVP_CipherUpdate(encCtx, NULL, &outl, aads[j], - AAD_SIZE), SSL_SUCCESS); - } - else { - ExpectIntEQ(EVP_Cipher(encCtx, NULL, (byte *)aads[j], AAD_SIZE), - AAD_SIZE); - } - - ExpectNotNull(cipherText = (byte*)XMALLOC(plainTextSzs[j], NULL, - DYNAMIC_TYPE_TMP_BUFFER)); - - /* Encrypt plaintext. */ - if (i == 2) { - ExpectIntEQ(EVP_CipherUpdate(encCtx, cipherText, &outl, - plainTexts[j], plainTextSzs[j]), - SSL_SUCCESS); - } - else { - ExpectIntEQ(EVP_Cipher(encCtx, cipherText, (byte *)plainTexts[j], - plainTextSzs[j]), plainTextSzs[j]); - } - - if (i == 2) { - ExpectIntEQ(EVP_CipherFinal(encCtx, cipherText, &outl), - SSL_SUCCESS); - } - else { - /* - * Calling EVP_Cipher with NULL input and output for AES-GCM is - * akin to calling EVP_CipherFinal. - */ - ExpectIntGE(EVP_Cipher(encCtx, NULL, NULL, 0), 0); - } - - /* Check ciphertext against expected. */ - ExpectIntEQ(XMEMCMP(cipherText, expCipherTexts[j], plainTextSzs[j]), - 0); - - /* Get and check tag against expected. */ - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(encCtx, EVP_CTRL_GCM_GET_TAG, - sizeof(tag), tag), SSL_SUCCESS); - ExpectIntEQ(XMEMCMP(tag, expTags[j], sizeof(tag)), 0); - - /*************** Decrypt ***************/ - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(decCtx, EVP_CTRL_GCM_IV_GEN, -1, - currentIv), SSL_SUCCESS); - /* Check current IV against expected. */ - ExpectIntEQ(XMEMCMP(currentIv, expIvs[j], GCM_NONCE_MID_SZ), 0); - - /* Add AAD. */ - if (i == 2) { - /* Test streaming API. */ - ExpectIntEQ(EVP_CipherUpdate(decCtx, NULL, &outl, aads[j], - AAD_SIZE), SSL_SUCCESS); - } - else { - ExpectIntEQ(EVP_Cipher(decCtx, NULL, (byte *)aads[j], AAD_SIZE), - AAD_SIZE); - } - - /* Set expected tag. */ - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(decCtx, EVP_CTRL_GCM_SET_TAG, - sizeof(tag), tag), SSL_SUCCESS); - - /* Decrypt ciphertext. */ - ExpectNotNull(calcPlainText = (byte*)XMALLOC(plainTextSzs[j], NULL, - DYNAMIC_TYPE_TMP_BUFFER)); - if (i == 2) { - ExpectIntEQ(EVP_CipherUpdate(decCtx, calcPlainText, &outl, - cipherText, plainTextSzs[j]), - SSL_SUCCESS); - } - else { - /* This first EVP_Cipher call will check the tag, too. */ - ExpectIntEQ(EVP_Cipher(decCtx, calcPlainText, cipherText, - plainTextSzs[j]), plainTextSzs[j]); - } - - if (i == 2) { - ExpectIntEQ(EVP_CipherFinal(decCtx, calcPlainText, &outl), - SSL_SUCCESS); - } - else { - ExpectIntGE(EVP_Cipher(decCtx, NULL, NULL, 0), 0); - } - - /* Check plaintext against expected. */ - ExpectIntEQ(XMEMCMP(calcPlainText, plainTexts[j], plainTextSzs[j]), - 0); - - XFREE(cipherText, NULL, DYNAMIC_TYPE_TMP_BUFFER); - cipherText = NULL; - XFREE(calcPlainText, NULL, DYNAMIC_TYPE_TMP_BUFFER); - calcPlainText = NULL; - } - - EVP_CIPHER_CTX_free(encCtx); - encCtx = NULL; - EVP_CIPHER_CTX_free(decCtx); - decCtx = NULL; - } -#endif - return EXPECT_RESULT(); -} -static int test_wolfSSL_OBJ_ln(void) -{ - EXPECT_DECLS; - const int nid_set[] = { - NID_commonName, - NID_serialNumber, - NID_countryName, - NID_localityName, - NID_stateOrProvinceName, - NID_organizationName, - NID_organizationalUnitName, - NID_domainComponent, - NID_businessCategory, - NID_jurisdictionCountryName, - NID_jurisdictionStateOrProvinceName, - NID_emailAddress - }; - const char* ln_set[] = { - "commonName", - "serialNumber", - "countryName", - "localityName", - "stateOrProvinceName", - "organizationName", - "organizationalUnitName", - "domainComponent", - "businessCategory", - "jurisdictionCountryName", - "jurisdictionStateOrProvinceName", - "emailAddress", - }; - size_t i = 0, maxIdx = sizeof(ln_set)/sizeof(char*); - - ExpectIntEQ(OBJ_ln2nid(NULL), NID_undef); - -#ifdef HAVE_ECC -#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) - { - EC_builtin_curve r[27]; - size_t nCurves = sizeof(r) / sizeof(r[0]); - nCurves = EC_get_builtin_curves(r, nCurves); - - for (i = 0; i < nCurves; i++) { - /* skip ECC_CURVE_INVALID */ - if (r[i].nid != ECC_CURVE_INVALID) { - ExpectIntEQ(OBJ_ln2nid(r[i].comment), r[i].nid); - ExpectStrEQ(OBJ_nid2ln(r[i].nid), r[i].comment); - } - } - } -#endif -#endif - - for (i = 0; i < maxIdx; i++) { - ExpectIntEQ(OBJ_ln2nid(ln_set[i]), nid_set[i]); - ExpectStrEQ(OBJ_nid2ln(nid_set[i]), ln_set[i]); - } - - return EXPECT_RESULT(); -} - -static int test_wolfSSL_OBJ_sn(void) -{ - EXPECT_DECLS; - int i = 0, maxIdx = 7; - const int nid_set[] = {NID_commonName,NID_countryName,NID_localityName, - NID_stateOrProvinceName,NID_organizationName, - NID_organizationalUnitName,NID_emailAddress}; - const char* sn_open_set[] = {"CN","C","L","ST","O","OU","emailAddress"}; - - ExpectIntEQ(wolfSSL_OBJ_sn2nid(NULL), NID_undef); - for (i = 0; i < maxIdx; i++) { - ExpectIntEQ(wolfSSL_OBJ_sn2nid(sn_open_set[i]), nid_set[i]); - ExpectStrEQ(wolfSSL_OBJ_nid2sn(nid_set[i]), sn_open_set[i]); - } - - return EXPECT_RESULT(); -} - #if !defined(NO_BIO) static word32 TXT_DB_hash(const WOLFSSL_STRING *s) { @@ -25146,24 +18004,6 @@ static int test_wolfSSL_NCONF(void) } #endif /* OPENSSL_ALL */ -static int test_wolfSSL_EVP_PKEY_up_ref(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_ALL) - EVP_PKEY* pkey; - - pkey = EVP_PKEY_new(); - ExpectNotNull(pkey); - ExpectIntEQ(EVP_PKEY_up_ref(NULL), 0); - ExpectIntEQ(EVP_PKEY_up_ref(pkey), 1); - EVP_PKEY_free(pkey); - ExpectIntEQ(EVP_PKEY_up_ref(pkey), 1); - EVP_PKEY_free(pkey); - EVP_PKEY_free(pkey); -#endif - return EXPECT_RESULT(); -} - static int test_wolfSSL_d2i_and_i2d_PublicKey(void) { EXPECT_DECLS; @@ -25983,155 +18823,6 @@ static int test_wolfSSL_OCSP_REQ_CTX(void) return EXPECT_RESULT(); } -static int test_wolfSSL_EVP_PKEY_derive(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) || defined(WOLFSSL_OPENSSH) -#if (!defined(NO_DH) && defined(WOLFSSL_DH_EXTRA)) || defined(HAVE_ECC) - EVP_PKEY_CTX *ctx = NULL; - unsigned char *skey = NULL; - size_t skeylen; - EVP_PKEY *pkey = NULL; - EVP_PKEY *peerkey = NULL; - const unsigned char* key; - -#if !defined(NO_DH) && defined(WOLFSSL_DH_EXTRA) - /* DH */ - key = dh_key_der_2048; - ExpectNotNull((pkey = d2i_PrivateKey(EVP_PKEY_DH, NULL, &key, - sizeof_dh_key_der_2048))); - ExpectIntEQ(DH_generate_key(EVP_PKEY_get0_DH(pkey)), 1); - key = dh_key_der_2048; - ExpectNotNull((peerkey = d2i_PrivateKey(EVP_PKEY_DH, NULL, &key, - sizeof_dh_key_der_2048))); - ExpectIntEQ(DH_generate_key(EVP_PKEY_get0_DH(peerkey)), 1); - ExpectNotNull(ctx = EVP_PKEY_CTX_new(pkey, NULL)); - ExpectIntEQ(EVP_PKEY_derive_init(ctx), 1); - ExpectIntEQ(EVP_PKEY_derive_set_peer(ctx, peerkey), 1); - ExpectIntEQ(EVP_PKEY_derive(ctx, NULL, &skeylen), 1); - ExpectNotNull(skey = (unsigned char*)XMALLOC(skeylen, NULL, - DYNAMIC_TYPE_OPENSSL)); - ExpectIntEQ(EVP_PKEY_derive(ctx, skey, &skeylen), 1); - - EVP_PKEY_CTX_free(ctx); - ctx = NULL; - EVP_PKEY_free(peerkey); - peerkey = NULL; - EVP_PKEY_free(pkey); - pkey = NULL; - XFREE(skey, NULL, DYNAMIC_TYPE_OPENSSL); - skey = NULL; -#endif - -#ifdef HAVE_ECC - /* ECDH */ - key = ecc_clikey_der_256; - ExpectNotNull((pkey = d2i_PrivateKey(EVP_PKEY_EC, NULL, &key, - sizeof_ecc_clikey_der_256))); - key = ecc_clikeypub_der_256; - ExpectNotNull((peerkey = d2i_PUBKEY(NULL, &key, - sizeof_ecc_clikeypub_der_256))); - ExpectNotNull(ctx = EVP_PKEY_CTX_new(pkey, NULL)); - ExpectIntEQ(EVP_PKEY_derive_init(ctx), 1); - ExpectIntEQ(EVP_PKEY_derive_set_peer(ctx, peerkey), 1); - ExpectIntEQ(EVP_PKEY_derive(ctx, NULL, &skeylen), 1); - ExpectNotNull(skey = (unsigned char*)XMALLOC(skeylen, NULL, - DYNAMIC_TYPE_OPENSSL)); - ExpectIntEQ(EVP_PKEY_derive(ctx, skey, &skeylen), 1); - - EVP_PKEY_CTX_free(ctx); - EVP_PKEY_free(peerkey); - EVP_PKEY_free(pkey); - XFREE(skey, NULL, DYNAMIC_TYPE_OPENSSL); -#endif /* HAVE_ECC */ -#endif /* (!NO_DH && WOLFSSL_DH_EXTRA) || HAVE_ECC */ -#endif /* OPENSSL_ALL || WOLFSSL_QT || WOLFSSL_OPENSSH */ - return EXPECT_RESULT(); -} - -static int test_wolfSSL_EVP_PBE_scrypt(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && defined(HAVE_SCRYPT) && defined(HAVE_PBKDF2) && \ - (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 5)) -#if !defined(NO_PWDBASED) && !defined(NO_SHA256) - int ret; - - const char pwd[] = {'p','a','s','s','w','o','r','d'}; - int pwdlen = sizeof(pwd); - const byte salt[] = {'N','a','C','l'}; - int saltlen = sizeof(salt); - byte key[80]; - word64 numOvr32 = (word64)INT32_MAX + 1; - - /* expected derived key for N:16, r:1, p:1 */ - const byte expectedKey[] = { - 0xAE, 0xC6, 0xB7, 0x48, 0x3E, 0xD2, 0x6E, 0x08, 0x80, 0x2B, - 0x41, 0xF4, 0x03, 0x20, 0x86, 0xA0, 0xE8, 0x86, 0xBE, 0x7A, - 0xC4, 0x8F, 0xCF, 0xD9, 0x2F, 0xF0, 0xCE, 0xF8, 0x10, 0x97, - 0x52, 0xF4, 0xAC, 0x74, 0xB0, 0x77, 0x26, 0x32, 0x56, 0xA6, - 0x5A, 0x99, 0x70, 0x1B, 0x7A, 0x30, 0x4D, 0x46, 0x61, 0x1C, - 0x8A, 0xA3, 0x91, 0xE7, 0x99, 0xCE, 0x10, 0xA2, 0x77, 0x53, - 0xE7, 0xE9, 0xC0, 0x9A}; - - /* N r p mx key keylen */ - ret = EVP_PBE_scrypt(pwd, pwdlen, salt, saltlen, 0, 1, 1, 0, key, 64); - ExpectIntEQ(ret, 0); /* N must be greater than 1 */ - - ret = EVP_PBE_scrypt(pwd, pwdlen, salt, saltlen, 3, 1, 1, 0, key, 64); - ExpectIntEQ(ret, 0); /* N must be power of 2 */ - - ret = EVP_PBE_scrypt(pwd, pwdlen, salt, saltlen, 2, 0, 1, 0, key, 64); - ExpectIntEQ(ret, 0); /* r must be greater than 0 */ - - ret = EVP_PBE_scrypt(pwd, pwdlen, salt, saltlen, 2, 1, 0, 0, key, 64); - ExpectIntEQ(ret, 0); /* p must be greater than 0 */ - - ret = EVP_PBE_scrypt(pwd, pwdlen, salt, saltlen, 2, 1, 1, 0, key, 0); - ExpectIntEQ(ret, 0); /* keylen must be greater than 0 */ - - ret = EVP_PBE_scrypt(pwd, pwdlen, salt, saltlen, 2, 9, 1, 0, key, 64); - ExpectIntEQ(ret, 0); /* r must be smaller than 9 */ - - ret = EVP_PBE_scrypt(pwd, pwdlen, salt, saltlen, 2, 1, 1, 0, NULL, 64); - ExpectIntEQ(ret, 1); /* should succeed if key is NULL */ - - ret = EVP_PBE_scrypt(pwd, pwdlen, salt, saltlen, 2, 1, 1, 0, key, 64); - ExpectIntEQ(ret, 1); /* should succeed */ - - ret = EVP_PBE_scrypt(pwd, pwdlen, salt, saltlen, 2, numOvr32, 1, 0, - key, 64); - ExpectIntEQ(ret, 0); /* should fail since r is greater than INT32_MAC */ - - ret = EVP_PBE_scrypt(pwd, pwdlen, salt, saltlen, 2, 1, numOvr32, 0, - key, 64); - ExpectIntEQ(ret, 0); /* should fail since p is greater than INT32_MAC */ - - ret = EVP_PBE_scrypt(pwd, pwdlen, NULL, 0, 2, 1, 1, 0, key, 64); - ExpectIntEQ(ret, 1); /* should succeed even if salt is NULL */ - - ret = EVP_PBE_scrypt(pwd, pwdlen, NULL, 4, 2, 1, 1, 0, key, 64); - ExpectIntEQ(ret, 0); /* if salt is NULL, saltlen must be 0, otherwise fail*/ - - ret = EVP_PBE_scrypt(NULL, 0, salt, saltlen, 2, 1, 1, 0, key, 64); - ExpectIntEQ(ret, 1); /* should succeed if pwd is NULL and pwdlen is 0*/ - - ret = EVP_PBE_scrypt(NULL, 4, salt, saltlen, 2, 1, 1, 0, key, 64); - ExpectIntEQ(ret, 0); /* if pwd is NULL, pwdlen must be 0 */ - - ret = EVP_PBE_scrypt(NULL, 0, NULL, 0, 2, 1, 1, 0, key, 64); - ExpectIntEQ(ret, 1); /* should succeed even both pwd and salt are NULL */ - - ret = EVP_PBE_scrypt(pwd, pwdlen, salt, saltlen, 16, 1, 1, 0, key, 64); - ExpectIntEQ(ret, 1); - - ret = XMEMCMP(expectedKey, key, sizeof(expectedKey)); - ExpectIntEQ(ret, 0); /* derived key must be the same as expected-key */ -#endif /* !NO_PWDBASED && !NO_SHA256 */ -#endif /* OPENSSL_EXTRA && HAVE_SCRYPT && HAVE_PBKDF2 */ - return EXPECT_RESULT(); -} - static int test_no_op_functions(void) { EXPECT_DECLS; @@ -26920,511 +19611,6 @@ static int test_MakeCertWithCaFalse(void) return EXPECT_RESULT(); } -static int test_wolfSSL_EVP_PKEY_encrypt(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN) - WOLFSSL_RSA* rsa = NULL; - WOLFSSL_EVP_PKEY* pkey = NULL; - WOLFSSL_EVP_PKEY_CTX* ctx = NULL; - const char* in = "What is easy to do is easy not to do."; - size_t inlen = XSTRLEN(in); - size_t outEncLen = 0; - byte* outEnc = NULL; - byte* outDec = NULL; - size_t outDecLen = 0; - size_t rsaKeySz = 2048/8; /* Bytes */ -#if !defined(HAVE_FIPS) && defined(WC_RSA_NO_PADDING) - byte* inTmp = NULL; - byte* outEncTmp = NULL; - byte* outDecTmp = NULL; -#endif - - ExpectNotNull(outEnc = (byte*)XMALLOC(rsaKeySz, HEAP_HINT, - DYNAMIC_TYPE_TMP_BUFFER)); - if (outEnc != NULL) { - XMEMSET(outEnc, 0, rsaKeySz); - } - ExpectNotNull(outDec = (byte*)XMALLOC(rsaKeySz, HEAP_HINT, - DYNAMIC_TYPE_TMP_BUFFER)); - if (outDec != NULL) { - XMEMSET(outDec, 0, rsaKeySz); - } - - ExpectNotNull(rsa = RSA_generate_key(2048, 3, NULL, NULL)); - ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); - ExpectIntEQ(EVP_PKEY_assign_RSA(pkey, rsa), WOLFSSL_SUCCESS); - if (EXPECT_FAIL()) { - RSA_free(rsa); - } - ExpectNotNull(ctx = EVP_PKEY_CTX_new(pkey, NULL)); - ExpectIntEQ(EVP_PKEY_encrypt_init(ctx), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING), - WOLFSSL_SUCCESS); - - /* Test pkey references count is decremented. pkey shouldn't be destroyed - since ctx uses it.*/ - ExpectIntEQ(pkey->ref.count, 2); - EVP_PKEY_free(pkey); - ExpectIntEQ(pkey->ref.count, 1); - - /* Encrypt data */ - /* Check that we can get the required output buffer length by passing in a - * NULL output buffer. */ - ExpectIntEQ(EVP_PKEY_encrypt(ctx, NULL, &outEncLen, - (const unsigned char*)in, inlen), WOLFSSL_SUCCESS); - ExpectIntEQ(rsaKeySz, outEncLen); - /* Now do the actual encryption. */ - ExpectIntEQ(EVP_PKEY_encrypt(ctx, outEnc, &outEncLen, - (const unsigned char*)in, inlen), WOLFSSL_SUCCESS); - - /* Decrypt data */ - ExpectIntEQ(EVP_PKEY_decrypt_init(ctx), WOLFSSL_SUCCESS); - /* Check that we can get the required output buffer length by passing in a - * NULL output buffer. */ - ExpectIntEQ(EVP_PKEY_decrypt(ctx, NULL, &outDecLen, outEnc, outEncLen), - WOLFSSL_SUCCESS); - ExpectIntEQ(rsaKeySz, outDecLen); - /* Now do the actual decryption. */ - ExpectIntEQ(EVP_PKEY_decrypt(ctx, outDec, &outDecLen, outEnc, outEncLen), - WOLFSSL_SUCCESS); - - ExpectIntEQ(XMEMCMP(in, outDec, outDecLen), 0); - -#if !defined(HAVE_FIPS) && defined(WC_RSA_NO_PADDING) - /* The input length must be the same size as the RSA key.*/ - ExpectNotNull(inTmp = (byte*)XMALLOC(rsaKeySz, HEAP_HINT, - DYNAMIC_TYPE_TMP_BUFFER)); - if (inTmp != NULL) { - XMEMSET(inTmp, 9, rsaKeySz); - } - ExpectNotNull(outEncTmp = (byte*)XMALLOC(rsaKeySz, HEAP_HINT, - DYNAMIC_TYPE_TMP_BUFFER)); - if (outEncTmp != NULL) { - XMEMSET(outEncTmp, 0, rsaKeySz); - } - ExpectNotNull(outDecTmp = (byte*)XMALLOC(rsaKeySz, HEAP_HINT, - DYNAMIC_TYPE_TMP_BUFFER)); - if (outDecTmp != NULL) { - XMEMSET(outDecTmp, 0, rsaKeySz); - } - ExpectIntEQ(EVP_PKEY_encrypt_init(ctx), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_NO_PADDING), - WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_encrypt(ctx, outEncTmp, &outEncLen, inTmp, rsaKeySz), - WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_decrypt_init(ctx), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_decrypt(ctx, outDecTmp, &outDecLen, outEncTmp, - outEncLen), WOLFSSL_SUCCESS); - ExpectIntEQ(XMEMCMP(inTmp, outDecTmp, outDecLen), 0); -#endif - EVP_PKEY_CTX_free(ctx); - XFREE(outEnc, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(outDec, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); -#if !defined(HAVE_FIPS) && defined(WC_RSA_NO_PADDING) - XFREE(inTmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(outEncTmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(outDecTmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); -#endif -#endif - return EXPECT_RESULT(); -} - -#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN) && \ - !defined(HAVE_SELFTEST) -#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) - #ifndef TEST_WOLFSSL_EVP_PKEY_SIGN_VERIFY - #define TEST_WOLFSSL_EVP_PKEY_SIGN_VERIFY - #endif -#endif -#endif -#if defined(OPENSSL_EXTRA) -#if !defined (NO_DSA) && !defined(HAVE_SELFTEST) && defined(WOLFSSL_KEY_GEN) - #ifndef TEST_WOLFSSL_EVP_PKEY_SIGN_VERIFY - #define TEST_WOLFSSL_EVP_PKEY_SIGN_VERIFY - #endif -#endif -#endif -#if defined(OPENSSL_EXTRA) && defined(HAVE_ECC) -#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) - #ifndef TEST_WOLFSSL_EVP_PKEY_SIGN_VERIFY - #define TEST_WOLFSSL_EVP_PKEY_SIGN_VERIFY - #endif -#endif -#endif - -#ifdef TEST_WOLFSSL_EVP_PKEY_SIGN_VERIFY -static int test_wolfSSL_EVP_PKEY_sign_verify(int keyType) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) -#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN) && \ - !defined(HAVE_SELFTEST) -#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) - WOLFSSL_RSA* rsa = NULL; -#endif -#endif -#if !defined (NO_DSA) && !defined(HAVE_SELFTEST) && defined(WOLFSSL_KEY_GEN) - WOLFSSL_DSA* dsa = NULL; -#endif /* !NO_DSA && !HAVE_SELFTEST && WOLFSSL_KEY_GEN */ -#if defined(OPENSSL_EXTRA) && defined(HAVE_ECC) -#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) - WOLFSSL_EC_KEY* ecKey = NULL; -#endif -#endif - WOLFSSL_EVP_PKEY* pkey = NULL; - WOLFSSL_EVP_PKEY_CTX* ctx = NULL; - WOLFSSL_EVP_PKEY_CTX* ctx_verify = NULL; - const char* in = "What is easy to do is easy not to do."; - size_t inlen = XSTRLEN(in); - byte hash[SHA256_DIGEST_LENGTH] = {0}; - byte zero[SHA256_DIGEST_LENGTH] = {0}; - SHA256_CTX c; - byte* sig = NULL; - byte* sigVerify = NULL; - size_t siglen; - size_t siglenOnlyLen; - size_t keySz = 2048/8; /* Bytes */ - - ExpectNotNull(sig = - (byte*)XMALLOC(keySz, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER)); - ExpectNotNull(sigVerify = - (byte*)XMALLOC(keySz, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER)); - - siglen = keySz; - ExpectNotNull(XMEMSET(sig, 0, keySz)); - ExpectNotNull(XMEMSET(sigVerify, 0, keySz)); - - /* Generate hash */ - SHA256_Init(&c); - SHA256_Update(&c, in, inlen); - SHA256_Final(hash, &c); -#ifdef WOLFSSL_SMALL_STACK_CACHE - /* workaround for small stack cache case */ - wc_Sha256Free((wc_Sha256*)&c); -#endif - - /* Generate key */ - ExpectNotNull(pkey = EVP_PKEY_new()); - switch (keyType) { - case EVP_PKEY_RSA: -#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN) && \ - !defined(HAVE_SELFTEST) -#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) - { - ExpectNotNull(rsa = RSA_generate_key(2048, 3, NULL, NULL)); - ExpectIntEQ(EVP_PKEY_assign_RSA(pkey, rsa), WOLFSSL_SUCCESS); - } -#endif -#endif - break; - case EVP_PKEY_DSA: -#if !defined (NO_DSA) && !defined(HAVE_SELFTEST) && defined(WOLFSSL_KEY_GEN) - ExpectNotNull(dsa = DSA_new()); - ExpectIntEQ(DSA_generate_parameters_ex(dsa, 2048, - NULL, 0, NULL, NULL, NULL), 1); - ExpectIntEQ(DSA_generate_key(dsa), 1); - ExpectIntEQ(EVP_PKEY_set1_DSA(pkey, dsa), WOLFSSL_SUCCESS); -#endif /* !NO_DSA && !HAVE_SELFTEST && WOLFSSL_KEY_GEN */ - break; - case EVP_PKEY_EC: -#if defined(OPENSSL_EXTRA) && defined(HAVE_ECC) -#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) - { - ExpectNotNull(ecKey = EC_KEY_new()); - ExpectIntEQ(EC_KEY_generate_key(ecKey), 1); - ExpectIntEQ( - EVP_PKEY_assign_EC_KEY(pkey, ecKey), WOLFSSL_SUCCESS); - if (EXPECT_FAIL()) { - EC_KEY_free(ecKey); - } - } -#endif -#endif - break; - } - ExpectNotNull(ctx = EVP_PKEY_CTX_new(pkey, NULL)); - ExpectIntEQ(EVP_PKEY_sign_init(ctx), WOLFSSL_SUCCESS); -#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN) && \ - !defined(HAVE_SELFTEST) -#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) - if (keyType == EVP_PKEY_RSA) - ExpectIntEQ(EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING), - WOLFSSL_SUCCESS); -#endif -#endif - - /* Check returning only length */ - ExpectIntEQ(EVP_PKEY_sign(ctx, NULL, &siglenOnlyLen, hash, - SHA256_DIGEST_LENGTH), WOLFSSL_SUCCESS); - ExpectIntGT(siglenOnlyLen, 0); - /* Sign data */ - ExpectIntEQ(EVP_PKEY_sign(ctx, sig, &siglen, hash, - SHA256_DIGEST_LENGTH), WOLFSSL_SUCCESS); - ExpectIntGE(siglenOnlyLen, siglen); - - /* Verify signature */ - ExpectNotNull(ctx_verify = EVP_PKEY_CTX_new(pkey, NULL)); - ExpectIntEQ(EVP_PKEY_verify_init(ctx_verify), WOLFSSL_SUCCESS); -#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN) && \ - !defined(HAVE_SELFTEST) -#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) - if (keyType == EVP_PKEY_RSA) - ExpectIntEQ( - EVP_PKEY_CTX_set_rsa_padding(ctx_verify, RSA_PKCS1_PADDING), - WOLFSSL_SUCCESS); -#endif -#endif - ExpectIntEQ(EVP_PKEY_verify( - ctx_verify, sig, siglen, hash, SHA256_DIGEST_LENGTH), - WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_verify( - ctx_verify, sig, siglen, zero, SHA256_DIGEST_LENGTH), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - -#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN) && \ - !defined(HAVE_SELFTEST) -#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) - if (keyType == EVP_PKEY_RSA) { - #if defined(WC_RSA_NO_PADDING) || defined(WC_RSA_DIRECT) - /* Try RSA sign/verify with no padding. */ - ExpectIntEQ(EVP_PKEY_sign_init(ctx), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_NO_PADDING), - WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_sign(ctx, sigVerify, &siglen, sig, - siglen), WOLFSSL_SUCCESS); - ExpectIntGE(siglenOnlyLen, siglen); - ExpectIntEQ(EVP_PKEY_verify_init(ctx_verify), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_CTX_set_rsa_padding(ctx_verify, - RSA_NO_PADDING), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_verify(ctx_verify, sigVerify, siglen, sig, - siglen), WOLFSSL_SUCCESS); - #endif - - /* Wrong padding schemes. */ - ExpectIntEQ(EVP_PKEY_sign_init(ctx), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_CTX_set_rsa_padding(ctx, - RSA_PKCS1_OAEP_PADDING), WOLFSSL_SUCCESS); - ExpectIntNE(EVP_PKEY_sign(ctx, sigVerify, &siglen, sig, - siglen), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_verify_init(ctx_verify), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_CTX_set_rsa_padding(ctx_verify, - RSA_PKCS1_OAEP_PADDING), WOLFSSL_SUCCESS); - ExpectIntNE(EVP_PKEY_verify(ctx_verify, sigVerify, siglen, sig, - siglen), WOLFSSL_SUCCESS); - - ExpectIntEQ(EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING), - WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_CTX_set_rsa_padding(ctx_verify, - RSA_PKCS1_PADDING), WOLFSSL_SUCCESS); - } -#endif -#endif - - /* error cases */ - siglen = keySz; /* Reset because sig size may vary slightly */ - ExpectIntNE(EVP_PKEY_sign_init(NULL), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_sign_init(ctx), WOLFSSL_SUCCESS); - ExpectIntNE(EVP_PKEY_sign(NULL, sig, &siglen, (byte*)in, inlen), - WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_sign(ctx, sig, &siglen, (byte*)in, inlen), - WOLFSSL_SUCCESS); - - EVP_PKEY_free(pkey); - pkey = NULL; -#if !defined (NO_DSA) && !defined(HAVE_SELFTEST) && defined(WOLFSSL_KEY_GEN) - DSA_free(dsa); - dsa = NULL; -#endif /* !NO_DSA && !HAVE_SELFTEST && WOLFSSL_KEY_GEN */ - EVP_PKEY_CTX_free(ctx_verify); - ctx_verify = NULL; - EVP_PKEY_CTX_free(ctx); - ctx = NULL; - - XFREE(sig, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(sigVerify, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); -#endif /* OPENSSL_EXTRA */ - return EXPECT_RESULT(); -} -#endif - -static int test_wolfSSL_EVP_PKEY_sign_verify_rsa(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN) && \ - !defined(HAVE_SELFTEST) -#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) - ExpectIntEQ(test_wolfSSL_EVP_PKEY_sign_verify(EVP_PKEY_RSA), TEST_SUCCESS); -#endif -#endif - return EXPECT_RESULT(); -} -static int test_wolfSSL_EVP_PKEY_sign_verify_dsa(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) -#if !defined (NO_DSA) && !defined(HAVE_SELFTEST) && defined(WOLFSSL_KEY_GEN) - ExpectIntEQ(test_wolfSSL_EVP_PKEY_sign_verify(EVP_PKEY_DSA), TEST_SUCCESS); -#endif -#endif - return EXPECT_RESULT(); -} -static int test_wolfSSL_EVP_PKEY_sign_verify_ec(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && defined(HAVE_ECC) -#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) - ExpectIntEQ(test_wolfSSL_EVP_PKEY_sign_verify(EVP_PKEY_EC), TEST_SUCCESS); -#endif -#endif - return EXPECT_RESULT(); -} - -static int test_EVP_PKEY_rsa(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) - WOLFSSL_RSA* rsa = NULL; - WOLFSSL_EVP_PKEY* pkey = NULL; - - ExpectNotNull(rsa = wolfSSL_RSA_new()); - ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); - ExpectIntEQ(EVP_PKEY_assign_RSA(NULL, rsa), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(EVP_PKEY_assign_RSA(pkey, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(EVP_PKEY_assign_RSA(pkey, rsa), WOLFSSL_SUCCESS); - if (EXPECT_FAIL()) { - wolfSSL_RSA_free(rsa); - } - ExpectPtrEq(EVP_PKEY_get0_RSA(pkey), rsa); - wolfSSL_EVP_PKEY_free(pkey); -#endif - return EXPECT_RESULT(); -} - -static int test_EVP_PKEY_ec(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && defined(HAVE_ECC) -#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) - WOLFSSL_EC_KEY* ecKey = NULL; - WOLFSSL_EVP_PKEY* pkey = NULL; - - ExpectNotNull(ecKey = wolfSSL_EC_KEY_new()); - ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); - ExpectIntEQ(EVP_PKEY_assign_EC_KEY(NULL, ecKey), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(EVP_PKEY_assign_EC_KEY(pkey, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - /* Should fail since ecKey is empty */ - ExpectIntEQ(EVP_PKEY_assign_EC_KEY(pkey, ecKey), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_EC_KEY_generate_key(ecKey), 1); - ExpectIntEQ(EVP_PKEY_assign_EC_KEY(pkey, ecKey), WOLFSSL_SUCCESS); - if (EXPECT_FAIL()) { - wolfSSL_EC_KEY_free(ecKey); - } - wolfSSL_EVP_PKEY_free(pkey); -#endif -#endif - return EXPECT_RESULT(); -} - -static int test_EVP_PKEY_cmp(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) - EVP_PKEY *a = NULL; - EVP_PKEY *b = NULL; - const unsigned char *in; - -#if !defined(NO_RSA) && defined(USE_CERT_BUFFERS_2048) - in = client_key_der_2048; - ExpectNotNull(a = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL, - &in, (long)sizeof_client_key_der_2048)); - in = client_key_der_2048; - ExpectNotNull(b = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL, - &in, (long)sizeof_client_key_der_2048)); - - /* Test success case RSA */ -#if defined(WOLFSSL_ERROR_CODE_OPENSSL) - ExpectIntEQ(EVP_PKEY_cmp(a, b), 1); -#else - ExpectIntEQ(EVP_PKEY_cmp(a, b), 0); -#endif /* WOLFSSL_ERROR_CODE_OPENSSL */ - - EVP_PKEY_free(b); - b = NULL; - EVP_PKEY_free(a); - a = NULL; -#endif - -#if defined(HAVE_ECC) && defined(USE_CERT_BUFFERS_256) - in = ecc_clikey_der_256; - ExpectNotNull(a = wolfSSL_d2i_PrivateKey(EVP_PKEY_EC, NULL, - &in, (long)sizeof_ecc_clikey_der_256)); - in = ecc_clikey_der_256; - ExpectNotNull(b = wolfSSL_d2i_PrivateKey(EVP_PKEY_EC, NULL, - &in, (long)sizeof_ecc_clikey_der_256)); - - /* Test success case ECC */ -#if defined(WOLFSSL_ERROR_CODE_OPENSSL) - ExpectIntEQ(EVP_PKEY_cmp(a, b), 1); -#else - ExpectIntEQ(EVP_PKEY_cmp(a, b), 0); -#endif /* WOLFSSL_ERROR_CODE_OPENSSL */ - - EVP_PKEY_free(b); - b = NULL; - EVP_PKEY_free(a); - a = NULL; -#endif - - /* Test failure cases */ -#if !defined(NO_RSA) && defined(USE_CERT_BUFFERS_2048) && \ - defined(HAVE_ECC) && defined(USE_CERT_BUFFERS_256) - - in = client_key_der_2048; - ExpectNotNull(a = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL, - &in, (long)sizeof_client_key_der_2048)); - in = ecc_clikey_der_256; - ExpectNotNull(b = wolfSSL_d2i_PrivateKey(EVP_PKEY_EC, NULL, - &in, (long)sizeof_ecc_clikey_der_256)); - -#if defined(WOLFSSL_ERROR_CODE_OPENSSL) - ExpectIntEQ(EVP_PKEY_cmp(a, b), -1); -#else - ExpectIntNE(EVP_PKEY_cmp(a, b), 0); -#endif /* WOLFSSL_ERROR_CODE_OPENSSL */ - EVP_PKEY_free(b); - b = NULL; - EVP_PKEY_free(a); - a = NULL; -#endif - - /* invalid or empty failure cases */ - a = EVP_PKEY_new(); - b = EVP_PKEY_new(); -#if defined(WOLFSSL_ERROR_CODE_OPENSSL) - ExpectIntEQ(EVP_PKEY_cmp(NULL, NULL), 0); - ExpectIntEQ(EVP_PKEY_cmp(a, NULL), 0); - ExpectIntEQ(EVP_PKEY_cmp(NULL, b), 0); -#ifdef NO_RSA - /* Type check will fail since RSA is the default EVP key type */ - ExpectIntEQ(EVP_PKEY_cmp(a, b), -2); -#else - ExpectIntEQ(EVP_PKEY_cmp(a, b), 0); -#endif -#else - ExpectIntNE(EVP_PKEY_cmp(NULL, NULL), 0); - ExpectIntNE(EVP_PKEY_cmp(a, NULL), 0); - ExpectIntNE(EVP_PKEY_cmp(NULL, b), 0); - ExpectIntNE(EVP_PKEY_cmp(a, b), 0); -#endif - EVP_PKEY_free(b); - EVP_PKEY_free(a); - - (void)in; -#endif - return EXPECT_RESULT(); -} - static int test_ERR_load_crypto_strings(void) { #if defined(OPENSSL_ALL) @@ -28033,817 +20219,6 @@ static int test_wolfSSL_X509_REQ_print(void) return EXPECT_RESULT(); } -static int test_wolfssl_PKCS7(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_ALL) && defined(HAVE_PKCS7) && !defined(NO_BIO) && \ - !defined(NO_RSA) - PKCS7* pkcs7 = NULL; - byte data[FOURK_BUF]; - word32 len = sizeof(data); - const byte* p = data; - byte content[] = "Test data to encode."; -#if !defined(NO_RSA) & defined(USE_CERT_BUFFERS_2048) - BIO* bio = NULL; - byte key[sizeof(client_key_der_2048)]; - word32 keySz = (word32)sizeof(key); - byte* out = NULL; -#endif - - ExpectIntGT((len = (word32)CreatePKCS7SignedData(data, (int)len, content, - (word32)sizeof(content), 0, 0, 0, RSA_TYPE)), 0); - - ExpectNull(pkcs7 = d2i_PKCS7(NULL, NULL, (int)len)); - ExpectNull(pkcs7 = d2i_PKCS7(NULL, &p, 0)); - ExpectNotNull(pkcs7 = d2i_PKCS7(NULL, &p, (int)len)); - ExpectIntEQ(wolfSSL_PKCS7_verify(NULL, NULL, NULL, NULL, NULL, - PKCS7_NOVERIFY), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - PKCS7_free(pkcs7); - pkcs7 = NULL; - - /* fail case, without PKCS7_NOVERIFY */ - p = data; - ExpectNotNull(pkcs7 = d2i_PKCS7(NULL, &p, (int)len)); - ExpectIntEQ(wolfSSL_PKCS7_verify(pkcs7, NULL, NULL, NULL, NULL, - 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - PKCS7_free(pkcs7); - pkcs7 = NULL; - - /* success case, with PKCS7_NOVERIFY */ - p = data; - ExpectNotNull(pkcs7 = d2i_PKCS7(NULL, &p, (int)len)); - ExpectIntEQ(wolfSSL_PKCS7_verify(pkcs7, NULL, NULL, NULL, NULL, - PKCS7_NOVERIFY), WOLFSSL_SUCCESS); - -#if !defined(NO_RSA) & defined(USE_CERT_BUFFERS_2048) - /* test i2d */ - XMEMCPY(key, client_key_der_2048, keySz); - if (pkcs7 != NULL) { - pkcs7->privateKey = key; - pkcs7->privateKeySz = (word32)sizeof(key); - pkcs7->encryptOID = RSAk; - #ifdef NO_SHA - pkcs7->hashOID = SHA256h; - #else - pkcs7->hashOID = SHAh; - #endif - } - ExpectNotNull(bio = BIO_new(BIO_s_mem())); - ExpectIntEQ(i2d_PKCS7_bio(bio, pkcs7), 1); -#ifndef NO_ASN_TIME - ExpectIntEQ(i2d_PKCS7(pkcs7, &out), 655); -#else - ExpectIntEQ(i2d_PKCS7(pkcs7, &out), 625); -#endif - XFREE(out, NULL, DYNAMIC_TYPE_TMP_BUFFER); - BIO_free(bio); -#endif - - PKCS7_free(NULL); - PKCS7_free(pkcs7); -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_PKCS7_sign(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_ALL) && defined(HAVE_PKCS7) && !defined(NO_BIO) && \ - !defined(NO_FILESYSTEM) && !defined(NO_RSA) - - PKCS7* p7 = NULL; - PKCS7* p7Ver = NULL; - byte* out = NULL; - byte* tmpPtr = NULL; - int outLen = 0; - int flags = 0; - byte data[] = "Test data to encode."; - - const char* cert = "./certs/server-cert.pem"; - const char* key = "./certs/server-key.pem"; - const char* ca = "./certs/ca-cert.pem"; - - WOLFSSL_BIO* certBio = NULL; - WOLFSSL_BIO* keyBio = NULL; - WOLFSSL_BIO* caBio = NULL; - WOLFSSL_BIO* inBio = NULL; - X509* signCert = NULL; - EVP_PKEY* signKey = NULL; - X509* caCert = NULL; - X509_STORE* store = NULL; -#ifndef NO_PKCS7_STREAM - int z; - int ret; -#endif /* !NO_PKCS7_STREAM */ - - /* read signer cert/key into BIO */ - ExpectNotNull(certBio = BIO_new_file(cert, "r")); - ExpectNotNull(keyBio = BIO_new_file(key, "r")); - ExpectNotNull(signCert = PEM_read_bio_X509(certBio, NULL, 0, NULL)); - ExpectNotNull(signKey = PEM_read_bio_PrivateKey(keyBio, NULL, 0, NULL)); - - /* read CA cert into store (for verify) */ - ExpectNotNull(caBio = BIO_new_file(ca, "r")); - ExpectNotNull(caCert = PEM_read_bio_X509(caBio, NULL, 0, NULL)); - ExpectNotNull(store = X509_STORE_new()); - ExpectIntEQ(X509_STORE_add_cert(store, caCert), 1); - - /* data to be signed into BIO */ - ExpectNotNull(inBio = BIO_new(BIO_s_mem())); - ExpectIntGT(BIO_write(inBio, data, sizeof(data)), 0); - - /* PKCS7_sign, bad args: signer NULL */ - ExpectNull(p7 = PKCS7_sign(NULL, signKey, NULL, inBio, 0)); - /* PKCS7_sign, bad args: signer key NULL */ - ExpectNull(p7 = PKCS7_sign(signCert, NULL, NULL, inBio, 0)); - /* PKCS7_sign, bad args: in data NULL without PKCS7_STREAM */ - ExpectNull(p7 = PKCS7_sign(signCert, signKey, NULL, NULL, 0)); - /* PKCS7_sign, bad args: PKCS7_NOCERTS flag not supported */ - ExpectNull(p7 = PKCS7_sign(signCert, signKey, NULL, inBio, PKCS7_NOCERTS)); - /* PKCS7_sign, bad args: PKCS7_PARTIAL flag not supported */ - ExpectNull(p7 = PKCS7_sign(signCert, signKey, NULL, inBio, PKCS7_PARTIAL)); - - /* TEST SUCCESS: Not detached, not streaming, not MIME */ - { - flags = PKCS7_BINARY; - ExpectNotNull(p7 = PKCS7_sign(signCert, signKey, NULL, inBio, flags)); - ExpectIntGT((outLen = i2d_PKCS7(p7, &out)), 0); - - /* verify with d2i_PKCS7 */ - tmpPtr = out; - ExpectNotNull(p7Ver = d2i_PKCS7(NULL, (const byte**)&tmpPtr, outLen)); - ExpectIntEQ(PKCS7_verify(p7Ver, NULL, store, NULL, NULL, flags), 1); - PKCS7_free(p7Ver); - p7Ver = NULL; - - /* verify with wc_PKCS7_VerifySignedData */ - ExpectNotNull(p7Ver = wc_PKCS7_New(HEAP_HINT, testDevId)); - ExpectIntEQ(wc_PKCS7_Init(p7Ver, HEAP_HINT, INVALID_DEVID), 0); - ExpectIntEQ(wc_PKCS7_VerifySignedData(p7Ver, out, (word32)outLen), 0); - - #ifndef NO_PKCS7_STREAM - /* verify with wc_PKCS7_VerifySignedData streaming */ - wc_PKCS7_Free(p7Ver); - p7Ver = NULL; - ExpectNotNull(p7Ver = wc_PKCS7_New(HEAP_HINT, testDevId)); - ExpectIntEQ(wc_PKCS7_Init(p7Ver, HEAP_HINT, INVALID_DEVID), 0); - /* test for streaming */ - ret = -1; - for (z = 0; z < outLen && ret != 0; z++) { - ret = wc_PKCS7_VerifySignedData(p7Ver, out + z, 1); - if (ret < 0){ - ExpectIntEQ(ret, WC_NO_ERR_TRACE(WC_PKCS7_WANT_READ_E)); - } - } - ExpectIntEQ(ret, 0); - #endif /* !NO_PKCS7_STREAM */ - - /* compare the signer found to expected signer */ - ExpectIntNE(p7Ver->verifyCertSz, 0); - tmpPtr = NULL; - ExpectIntEQ(i2d_X509(signCert, &tmpPtr), p7Ver->verifyCertSz); - ExpectIntEQ(XMEMCMP(tmpPtr, p7Ver->verifyCert, p7Ver->verifyCertSz), 0); - XFREE(tmpPtr, NULL, DYNAMIC_TYPE_OPENSSL); - tmpPtr = NULL; - - wc_PKCS7_Free(p7Ver); - p7Ver = NULL; - - ExpectNotNull(out); - XFREE(out, NULL, DYNAMIC_TYPE_TMP_BUFFER); - out = NULL; - PKCS7_free(p7); - p7 = NULL; - } - - /* TEST SUCCESS: Not detached, streaming, not MIME. Also bad arg - * tests for PKCS7_final() while we have a PKCS7 pointer to use */ - { - /* re-populate input BIO, may have been consumed */ - BIO_free(inBio); - inBio = NULL; - ExpectNotNull(inBio = BIO_new(BIO_s_mem())); - ExpectIntGT(BIO_write(inBio, data, sizeof(data)), 0); - - flags = PKCS7_BINARY | PKCS7_STREAM; - ExpectNotNull(p7 = PKCS7_sign(signCert, signKey, NULL, inBio, flags)); - ExpectIntEQ(PKCS7_final(p7, inBio, flags), 1); - ExpectIntGT((outLen = i2d_PKCS7(p7, &out)), 0); - - /* PKCS7_final, bad args: PKCS7 null */ - ExpectIntEQ(PKCS7_final(NULL, inBio, 0), 0); - /* PKCS7_final, bad args: PKCS7 null */ - ExpectIntEQ(PKCS7_final(p7, NULL, 0), 0); - - tmpPtr = out; - ExpectNotNull(p7Ver = d2i_PKCS7(NULL, (const byte**)&tmpPtr, outLen)); - ExpectIntEQ(PKCS7_verify(p7Ver, NULL, store, NULL, NULL, flags), 1); - PKCS7_free(p7Ver); - p7Ver = NULL; - - ExpectNotNull(out); - XFREE(out, NULL, DYNAMIC_TYPE_TMP_BUFFER); - out = NULL; - PKCS7_free(p7); - p7 = NULL; - } - - /* TEST SUCCESS: Detached, not streaming, not MIME */ - { - /* re-populate input BIO, may have been consumed */ - BIO_free(inBio); - inBio = NULL; - ExpectNotNull(inBio = BIO_new(BIO_s_mem())); - ExpectIntGT(BIO_write(inBio, data, sizeof(data)), 0); - - flags = PKCS7_BINARY | PKCS7_DETACHED; - ExpectNotNull(p7 = PKCS7_sign(signCert, signKey, NULL, inBio, flags)); - ExpectIntGT((outLen = i2d_PKCS7(p7, &out)), 0); - ExpectNotNull(out); - - /* verify with wolfCrypt, d2i_PKCS7 does not support detached content */ - ExpectNotNull(p7Ver = wc_PKCS7_New(HEAP_HINT, testDevId)); - if (p7Ver != NULL) { - p7Ver->content = data; - p7Ver->contentSz = sizeof(data); - } - ExpectIntEQ(wc_PKCS7_VerifySignedData(p7Ver, out, (word32)outLen), 0); - wc_PKCS7_Free(p7Ver); - p7Ver = NULL; - - #ifndef NO_PKCS7_STREAM - /* verify with wc_PKCS7_VerifySignedData streaming */ - ExpectNotNull(p7Ver = wc_PKCS7_New(HEAP_HINT, testDevId)); - if (p7Ver != NULL) { - p7Ver->content = data; - p7Ver->contentSz = sizeof(data); - } - /* test for streaming */ - if (EXPECT_SUCCESS()) { - ret = -1; - for (z = 0; z < outLen && ret != 0; z++) { - ret = wc_PKCS7_VerifySignedData(p7Ver, out + z, 1); - if (ret < 0){ - ExpectIntEQ(ret, WC_NO_ERR_TRACE(WC_PKCS7_WANT_READ_E)); - } - } - ExpectIntEQ(ret, 0); - } - wc_PKCS7_Free(p7Ver); - p7Ver = NULL; - #endif /* !NO_PKCS7_STREAM */ - - /* verify expected failure (NULL return) from d2i_PKCS7, it does not - * yet support detached content */ - tmpPtr = out; - ExpectNull(p7Ver = d2i_PKCS7(NULL, (const byte**)&tmpPtr, outLen)); - PKCS7_free(p7Ver); - p7Ver = NULL; - - XFREE(out, NULL, DYNAMIC_TYPE_TMP_BUFFER); - out = NULL; - PKCS7_free(p7); - p7 = NULL; - } - - /* TEST SUCCESS: Detached, streaming, not MIME */ - { - /* re-populate input BIO, may have been consumed */ - BIO_free(inBio); - inBio = NULL; - ExpectNotNull(inBio = BIO_new(BIO_s_mem())); - ExpectIntGT(BIO_write(inBio, data, sizeof(data)), 0); - - flags = PKCS7_BINARY | PKCS7_DETACHED | PKCS7_STREAM; - ExpectNotNull(p7 = PKCS7_sign(signCert, signKey, NULL, inBio, flags)); - ExpectIntEQ(PKCS7_final(p7, inBio, flags), 1); - ExpectIntGT((outLen = i2d_PKCS7(p7, &out)), 0); - - /* verify with wolfCrypt, d2i_PKCS7 does not support detached content */ - ExpectNotNull(p7Ver = wc_PKCS7_New(HEAP_HINT, testDevId)); - if (p7Ver != NULL) { - p7Ver->content = data; - p7Ver->contentSz = sizeof(data); - } - ExpectIntEQ(wc_PKCS7_VerifySignedData(p7Ver, out, (word32)outLen), 0); - wc_PKCS7_Free(p7Ver); - p7Ver = NULL; - - ExpectNotNull(out); - - #ifndef NO_PKCS7_STREAM - /* verify with wc_PKCS7_VerifySignedData streaming */ - ExpectNotNull(p7Ver = wc_PKCS7_New(HEAP_HINT, testDevId)); - if (p7Ver != NULL) { - p7Ver->content = data; - p7Ver->contentSz = sizeof(data); - } - /* test for streaming */ - if (EXPECT_SUCCESS()) { - ret = -1; - for (z = 0; z < outLen && ret != 0; z++) { - ret = wc_PKCS7_VerifySignedData(p7Ver, out + z, 1); - if (ret < 0){ - ExpectIntEQ(ret, WC_NO_ERR_TRACE(WC_PKCS7_WANT_READ_E)); - } - } - ExpectIntEQ(ret, 0); - } - wc_PKCS7_Free(p7Ver); - p7Ver = NULL; - #endif /* !NO_PKCS7_STREAM */ - - XFREE(out, NULL, DYNAMIC_TYPE_TMP_BUFFER); - PKCS7_free(p7); - p7 = NULL; - } - - X509_STORE_free(store); - X509_free(caCert); - X509_free(signCert); - EVP_PKEY_free(signKey); - BIO_free(inBio); - BIO_free(keyBio); - BIO_free(certBio); - BIO_free(caBio); -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_PKCS7_SIGNED_new(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_ALL) && defined(HAVE_PKCS7) - PKCS7_SIGNED* pkcs7 = NULL; - - ExpectNotNull(pkcs7 = PKCS7_SIGNED_new()); - ExpectIntEQ(pkcs7->contentOID, SIGNED_DATA); - - PKCS7_SIGNED_free(pkcs7); -#endif - return EXPECT_RESULT(); -} - -#ifndef NO_BIO - -static int test_wolfSSL_PEM_write_bio_encryptedKey(void) -{ - EXPECT_DECLS; -#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)) && \ - defined(WOLFSSL_KEY_GEN) && !defined(NO_RSA) && \ - defined(WOLFSSL_ENCRYPTED_KEYS) && \ - (defined(WOLFSSL_PEM_TO_DER) || defined(WOLFSSL_DER_TO_PEM)) && \ - !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \ - !defined(NO_DES3) - RSA* rsaKey = NULL; - RSA* retKey = NULL; - const EVP_CIPHER *cipher = NULL; - BIO* bio = NULL; - BIO* retbio = NULL; - byte* out; - const char* password = "wolfssl"; - word32 passwordSz =(word32)XSTRLEN((char*)password); - int membufSz = 0; - -#if defined(USE_CERT_BUFFERS_2048) - const byte* key = client_key_der_2048; - word32 keySz = sizeof_client_key_der_2048; -#elif defined(USE_CERT_BUFFERS_1024) - const byte* key = client_key_der_1024; - word32 keySz = sizeof_client_key_der_1024; -#endif - /* Import Rsa Key */ - ExpectNotNull(rsaKey = wolfSSL_RSA_new()); - ExpectIntEQ(wolfSSL_RSA_LoadDer_ex(rsaKey, key, keySz, - WOLFSSL_RSA_LOAD_PRIVATE), 1); - - ExpectNotNull(cipher = EVP_des_ede3_cbc()); - ExpectNotNull(bio = BIO_new(BIO_s_mem())); - ExpectIntEQ(PEM_write_bio_RSAPrivateKey(bio, rsaKey, cipher, - (byte*)password, passwordSz, NULL, NULL), 1); - ExpectIntGT((membufSz = BIO_get_mem_data(bio, &out)), 0); - ExpectNotNull(retbio = BIO_new_mem_buf(out, membufSz)); - ExpectNotNull((retKey = PEM_read_bio_RSAPrivateKey(retbio, NULL, - NULL, (void*)password))); - if (bio != NULL) { - BIO_free(bio); - } - if (retbio != NULL) { - BIO_free(retbio); - } - if (retKey != NULL) { - RSA_free(retKey); - } - if (rsaKey != NULL) { - RSA_free(rsaKey); - } -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_PEM_write_bio_PKCS7(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_ALL) && defined(HAVE_PKCS7) && !defined(NO_FILESYSTEM) - PKCS7* pkcs7 = NULL; - BIO* bio = NULL; - const byte* cert_buf = NULL; - int ret = 0; - WC_RNG rng; - const byte data[] = { /* Hello World */ - 0x48,0x65,0x6c,0x6c,0x6f,0x20,0x57,0x6f, - 0x72,0x6c,0x64 - }; -#ifndef NO_RSA - #if defined(USE_CERT_BUFFERS_2048) - byte key[sizeof(client_key_der_2048)]; - byte cert[sizeof(client_cert_der_2048)]; - word32 keySz = (word32)sizeof(key); - word32 certSz = (word32)sizeof(cert); - XMEMSET(key, 0, keySz); - XMEMSET(cert, 0, certSz); - XMEMCPY(key, client_key_der_2048, keySz); - XMEMCPY(cert, client_cert_der_2048, certSz); - #elif defined(USE_CERT_BUFFERS_1024) - byte key[sizeof_client_key_der_1024]; - byte cert[sizeof(sizeof_client_cert_der_1024)]; - word32 keySz = (word32)sizeof(key); - word32 certSz = (word32)sizeof(cert); - XMEMSET(key, 0, keySz); - XMEMSET(cert, 0, certSz); - XMEMCPY(key, client_key_der_1024, keySz); - XMEMCPY(cert, client_cert_der_1024, certSz); - #else - unsigned char cert[ONEK_BUF]; - unsigned char key[ONEK_BUF]; - XFILE fp = XBADFILE; - int certSz; - int keySz; - - ExpectTrue((fp = XFOPEN("./certs/1024/client-cert.der", "rb")) != - XBADFILE); - ExpectIntGT(certSz = (int)XFREAD(cert, 1, sizeof_client_cert_der_1024, - fp), 0); - if (fp != XBADFILE) { - XFCLOSE(fp); - fp = XBADFILE; - } - - ExpectTrue((fp = XFOPEN("./certs/1024/client-key.der", "rb")) != - XBADFILE); - ExpectIntGT(keySz = (int)XFREAD(key, 1, sizeof_client_key_der_1024, fp), - 0); - if (fp != XBADFILE) { - XFCLOSE(fp); - fp = XBADFILE; - } - #endif -#elif defined(HAVE_ECC) - #if defined(USE_CERT_BUFFERS_256) - unsigned char cert[sizeof(cliecc_cert_der_256)]; - unsigned char key[sizeof(ecc_clikey_der_256)]; - int certSz = (int)sizeof(cert); - int keySz = (int)sizeof(key); - XMEMSET(cert, 0, certSz); - XMEMSET(key, 0, keySz); - XMEMCPY(cert, cliecc_cert_der_256, sizeof_cliecc_cert_der_256); - XMEMCPY(key, ecc_clikey_der_256, sizeof_ecc_clikey_der_256); - #else - unsigned char cert[ONEK_BUF]; - unsigned char key[ONEK_BUF]; - XFILE fp = XBADFILE; - int certSz, keySz; - - ExpectTrue((fp = XFOPEN("./certs/client-ecc-cert.der", "rb")) != - XBADFILE); - ExpectIntGT(certSz = (int)XFREAD(cert, 1, sizeof_cliecc_cert_der_256, - fp), 0); - if (fp != XBADFILE) { - XFCLOSE(fp); - fp = XBADFILE; - } - - ExpectTrue((fp = XFOPEN("./certs/client-ecc-key.der", "rb")) != - XBADFILE); - ExpectIntGT(keySz = (int)XFREAD(key, 1, sizeof_ecc_clikey_der_256, fp), - 0); - if (fp != XBADFILE) { - XFCLOSE(fp); - fp = XBADFILE; - } - #endif -#else - #error PKCS7 requires ECC or RSA -#endif - - ExpectNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, testDevId)); - /* initialize with DER encoded cert */ - ExpectIntEQ(wc_PKCS7_InitWithCert(pkcs7, (byte*)cert, (word32)certSz), 0); - - /* init rng */ - XMEMSET(&rng, 0, sizeof(WC_RNG)); - ExpectIntEQ(wc_InitRng(&rng), 0); - - if (pkcs7 != NULL) { - pkcs7->rng = &rng; - pkcs7->content = (byte*)data; /* not used for ex */ - pkcs7->contentSz = (word32)sizeof(data); - pkcs7->contentOID = SIGNED_DATA; - pkcs7->privateKey = key; - pkcs7->privateKeySz = (word32)sizeof(key); - pkcs7->encryptOID = RSAk; - #ifdef NO_SHA - pkcs7->hashOID = SHA256h; - #else - pkcs7->hashOID = SHAh; - #endif - pkcs7->signedAttribs = NULL; - pkcs7->signedAttribsSz = 0; - } - - ExpectNotNull(bio = BIO_new(BIO_s_mem())); - /* Write PKCS#7 PEM to BIO, the function converts the DER to PEM cert*/ - ExpectIntEQ(PEM_write_bio_PKCS7(bio, pkcs7), WOLFSSL_SUCCESS); - - /* Read PKCS#7 PEM from BIO */ - ret = wolfSSL_BIO_get_mem_data(bio, &cert_buf); - ExpectIntGE(ret, 0); - - BIO_free(bio); - wc_PKCS7_Free(pkcs7); - wc_FreeRng(&rng); -#endif - return EXPECT_RESULT(); -} - -#ifdef HAVE_SMIME -/* // NOLINTBEGIN(clang-analyzer-unix.Stream) */ -static int test_wolfSSL_SMIME_read_PKCS7(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_ALL) && defined(HAVE_PKCS7) && !defined(NO_FILESYSTEM) && \ - !defined(NO_RSA) - PKCS7* pkcs7 = NULL; - BIO* bio = NULL; - BIO* bcont = NULL; - BIO* out = NULL; - const byte* outBuf = NULL; - int outBufLen = 0; - static const char contTypeText[] = "Content-Type: text/plain\r\n\r\n"; - XFILE smimeTestFile = XBADFILE; - - ExpectTrue((smimeTestFile = XFOPEN("./certs/test/smime-test.p7s", "rb")) != - XBADFILE); - - /* smime-test.p7s */ - bio = wolfSSL_BIO_new(wolfSSL_BIO_s_file()); - ExpectNotNull(bio); - ExpectIntEQ(wolfSSL_BIO_set_fp(bio, smimeTestFile, BIO_CLOSE), SSL_SUCCESS); - pkcs7 = wolfSSL_SMIME_read_PKCS7(bio, &bcont); - ExpectNotNull(pkcs7); - ExpectIntEQ(wolfSSL_PKCS7_verify(pkcs7, NULL, NULL, bcont, NULL, - PKCS7_NOVERIFY), SSL_SUCCESS); - if (smimeTestFile != XBADFILE) { - XFCLOSE(smimeTestFile); - smimeTestFile = XBADFILE; - } - if (bcont) BIO_free(bcont); - bcont = NULL; - wolfSSL_PKCS7_free(pkcs7); - pkcs7 = NULL; - - /* smime-test-multipart.p7s */ - smimeTestFile = XFOPEN("./certs/test/smime-test-multipart.p7s", "rb"); - ExpectFalse(smimeTestFile == XBADFILE); - ExpectIntEQ(wolfSSL_BIO_set_fp(bio, smimeTestFile, BIO_CLOSE), SSL_SUCCESS); - pkcs7 = wolfSSL_SMIME_read_PKCS7(bio, &bcont); - ExpectNotNull(pkcs7); - ExpectIntEQ(wolfSSL_PKCS7_verify(pkcs7, NULL, NULL, bcont, NULL, - PKCS7_NOVERIFY), SSL_SUCCESS); - if (smimeTestFile != XBADFILE) { - XFCLOSE(smimeTestFile); - smimeTestFile = XBADFILE; - } - if (bcont) BIO_free(bcont); - bcont = NULL; - wolfSSL_PKCS7_free(pkcs7); - pkcs7 = NULL; - - /* smime-test-multipart-badsig.p7s */ - smimeTestFile = XFOPEN("./certs/test/smime-test-multipart-badsig.p7s", - "rb"); - ExpectFalse(smimeTestFile == XBADFILE); - ExpectIntEQ(wolfSSL_BIO_set_fp(bio, smimeTestFile, BIO_CLOSE), SSL_SUCCESS); - pkcs7 = wolfSSL_SMIME_read_PKCS7(bio, &bcont); - ExpectNotNull(pkcs7); /* can read in the unverified smime bundle */ - ExpectIntEQ(wolfSSL_PKCS7_verify(pkcs7, NULL, NULL, bcont, NULL, - PKCS7_NOVERIFY), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - if (smimeTestFile != XBADFILE) { - XFCLOSE(smimeTestFile); - smimeTestFile = XBADFILE; - } - if (bcont) BIO_free(bcont); - bcont = NULL; - wolfSSL_PKCS7_free(pkcs7); - pkcs7 = NULL; - - /* smime-test-canon.p7s */ - smimeTestFile = XFOPEN("./certs/test/smime-test-canon.p7s", "rb"); - ExpectFalse(smimeTestFile == XBADFILE); - ExpectIntEQ(wolfSSL_BIO_set_fp(bio, smimeTestFile, BIO_CLOSE), SSL_SUCCESS); - pkcs7 = wolfSSL_SMIME_read_PKCS7(bio, &bcont); - ExpectNotNull(pkcs7); - ExpectIntEQ(wolfSSL_PKCS7_verify(pkcs7, NULL, NULL, bcont, NULL, - PKCS7_NOVERIFY), SSL_SUCCESS); - if (smimeTestFile != XBADFILE) { - XFCLOSE(smimeTestFile); - smimeTestFile = XBADFILE; - } - if (bcont) BIO_free(bcont); - bcont = NULL; - wolfSSL_PKCS7_free(pkcs7); - pkcs7 = NULL; - - /* Test PKCS7_TEXT, PKCS7_verify() should remove Content-Type: text/plain */ - smimeTestFile = XFOPEN("./certs/test/smime-test-canon.p7s", "rb"); - ExpectFalse(smimeTestFile == XBADFILE); - ExpectIntEQ(wolfSSL_BIO_set_fp(bio, smimeTestFile, BIO_CLOSE), SSL_SUCCESS); - pkcs7 = wolfSSL_SMIME_read_PKCS7(bio, &bcont); - ExpectNotNull(pkcs7); - out = wolfSSL_BIO_new(BIO_s_mem()); - ExpectNotNull(out); - ExpectIntEQ(wolfSSL_PKCS7_verify(pkcs7, NULL, NULL, bcont, out, - PKCS7_NOVERIFY | PKCS7_TEXT), SSL_SUCCESS); - ExpectIntGT((outBufLen = BIO_get_mem_data(out, &outBuf)), 0); - /* Content-Type should not show up at beginning of output buffer */ - ExpectIntGT(outBufLen, XSTRLEN(contTypeText)); - ExpectIntGT(XMEMCMP(outBuf, contTypeText, XSTRLEN(contTypeText)), 0); - - BIO_free(out); - BIO_free(bio); - if (bcont) BIO_free(bcont); - wolfSSL_PKCS7_free(pkcs7); -#endif - return EXPECT_RESULT(); -} -/* // NOLINTEND(clang-analyzer-unix.Stream) */ - -static int test_wolfSSL_SMIME_write_PKCS7(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_ALL) && defined(HAVE_PKCS7) && !defined(NO_RSA) - PKCS7* p7 = NULL; - PKCS7* p7Ver = NULL; - int flags = 0; - byte data[] = "Test data to encode."; - - const char* cert = "./certs/server-cert.pem"; - const char* key = "./certs/server-key.pem"; - const char* ca = "./certs/ca-cert.pem"; - - WOLFSSL_BIO* certBio = NULL; - WOLFSSL_BIO* keyBio = NULL; - WOLFSSL_BIO* caBio = NULL; - WOLFSSL_BIO* inBio = NULL; - WOLFSSL_BIO* outBio = NULL; - WOLFSSL_BIO* content = NULL; - X509* signCert = NULL; - EVP_PKEY* signKey = NULL; - X509* caCert = NULL; - X509_STORE* store = NULL; - - /* read signer cert/key into BIO */ - ExpectNotNull(certBio = BIO_new_file(cert, "r")); - ExpectNotNull(keyBio = BIO_new_file(key, "r")); - ExpectNotNull(signCert = PEM_read_bio_X509(certBio, NULL, 0, NULL)); - ExpectNotNull(signKey = PEM_read_bio_PrivateKey(keyBio, NULL, 0, NULL)); - - /* read CA cert into store (for verify) */ - ExpectNotNull(caBio = BIO_new_file(ca, "r")); - ExpectNotNull(caCert = PEM_read_bio_X509(caBio, NULL, 0, NULL)); - ExpectNotNull(store = X509_STORE_new()); - ExpectIntEQ(X509_STORE_add_cert(store, caCert), 1); - - - /* generate and verify SMIME: not detached */ - { - ExpectNotNull(inBio = BIO_new(BIO_s_mem())); - ExpectIntGT(BIO_write(inBio, data, sizeof(data)), 0); - - flags = PKCS7_STREAM; - ExpectNotNull(p7 = PKCS7_sign(signCert, signKey, NULL, inBio, flags)); - ExpectNotNull(outBio = BIO_new(BIO_s_mem())); - ExpectIntEQ(SMIME_write_PKCS7(outBio, p7, inBio, flags), 1); - - /* bad arg: out NULL */ - ExpectIntEQ(SMIME_write_PKCS7(NULL, p7, inBio, flags), 0); - /* bad arg: pkcs7 NULL */ - ExpectIntEQ(SMIME_write_PKCS7(outBio, NULL, inBio, flags), 0); - - ExpectNotNull(p7Ver = SMIME_read_PKCS7(outBio, &content)); - ExpectIntEQ(PKCS7_verify(p7Ver, NULL, store, NULL, NULL, flags), 1); - - BIO_free(content); - content = NULL; - BIO_free(inBio); - inBio = NULL; - BIO_free(outBio); - outBio = NULL; - PKCS7_free(p7Ver); - p7Ver = NULL; - PKCS7_free(p7); - p7 = NULL; - } - - /* generate and verify SMIME: not detached, add Content-Type */ - { - ExpectNotNull(inBio = BIO_new(BIO_s_mem())); - ExpectIntGT(BIO_write(inBio, data, sizeof(data)), 0); - - flags = PKCS7_STREAM | PKCS7_TEXT; - ExpectNotNull(p7 = PKCS7_sign(signCert, signKey, NULL, inBio, flags)); - ExpectNotNull(outBio = BIO_new(BIO_s_mem())); - ExpectIntEQ(SMIME_write_PKCS7(outBio, p7, inBio, flags), 1); - - ExpectNotNull(p7Ver = SMIME_read_PKCS7(outBio, &content)); - ExpectIntEQ(PKCS7_verify(p7Ver, NULL, store, NULL, NULL, flags), 1); - - BIO_free(content); - content = NULL; - BIO_free(inBio); - inBio = NULL; - BIO_free(outBio); - outBio = NULL; - PKCS7_free(p7Ver); - p7Ver = NULL; - PKCS7_free(p7); - p7 = NULL; - } - - /* generate and verify SMIME: detached */ - { - ExpectNotNull(inBio = BIO_new(BIO_s_mem())); - ExpectIntGT(BIO_write(inBio, data, sizeof(data)), 0); - - flags = PKCS7_DETACHED | PKCS7_STREAM; - ExpectNotNull(p7 = PKCS7_sign(signCert, signKey, NULL, inBio, flags)); - ExpectNotNull(outBio = BIO_new(BIO_s_mem())); - ExpectIntEQ(SMIME_write_PKCS7(outBio, p7, inBio, flags), 1); - - ExpectNotNull(p7Ver = SMIME_read_PKCS7(outBio, &content)); - ExpectIntEQ(PKCS7_verify(p7Ver, NULL, store, content, NULL, flags), 1); - - BIO_free(content); - content = NULL; - BIO_free(inBio); - inBio = NULL; - BIO_free(outBio); - outBio = NULL; - PKCS7_free(p7Ver); - p7Ver = NULL; - PKCS7_free(p7); - p7 = NULL; - } - - /* generate and verify SMIME: PKCS7_TEXT to add Content-Type header */ - { - ExpectNotNull(inBio = BIO_new(BIO_s_mem())); - ExpectIntGT(BIO_write(inBio, data, sizeof(data)), 0); - - flags = PKCS7_STREAM | PKCS7_DETACHED | PKCS7_TEXT; - ExpectNotNull(p7 = PKCS7_sign(signCert, signKey, NULL, inBio, flags)); - ExpectNotNull(outBio = BIO_new(BIO_s_mem())); - ExpectIntEQ(SMIME_write_PKCS7(outBio, p7, inBio, flags), 1); - - ExpectNotNull(p7Ver = SMIME_read_PKCS7(outBio, &content)); - ExpectIntEQ(PKCS7_verify(p7Ver, NULL, store, content, NULL, flags), 1); - - BIO_free(content); - content = NULL; - BIO_free(inBio); - inBio = NULL; - BIO_free(outBio); - outBio = NULL; - PKCS7_free(p7Ver); - p7Ver = NULL; - PKCS7_free(p7); - p7 = NULL; - } - - X509_STORE_free(store); - X509_free(caCert); - X509_free(signCert); - EVP_PKEY_free(signKey); - BIO_free(keyBio); - BIO_free(certBio); - BIO_free(caBio); -#endif - return EXPECT_RESULT(); -} -#endif /* HAVE_SMIME */ -#endif /* !NO_BIO */ - - /*----------------------------------------------------------------------------* | Certificate Failure Checks *----------------------------------------------------------------------------*/ @@ -29573,1436 +20948,6 @@ static int test_wolfSSL_PEM_read(void) return EXPECT_RESULT(); } -static int test_wolfssl_EVP_aes_gcm_AAD_2_parts(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_AES) && defined(HAVE_AESGCM) && \ - !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS) - const byte iv[12] = { 0 }; - const byte key[16] = { 0 }; - const byte cleartext[16] = { 0 }; - const byte aad[] = { - 0x01, 0x10, 0x00, 0x2a, 0x08, 0x00, 0x04, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, - 0x00, 0x00, 0xdc, 0x4d, 0xad, 0x6b, 0x06, 0x93, - 0x4f - }; - byte out1Part[16]; - byte outTag1Part[16]; - byte out2Part[16]; - byte outTag2Part[16]; - byte decryptBuf[16]; - int len = 0; - int tlen; - EVP_CIPHER_CTX* ctx = NULL; - - /* ENCRYPT */ - /* Send AAD and data in 1 part */ - ExpectNotNull(ctx = EVP_CIPHER_CTX_new()); - tlen = 0; - ExpectIntEQ(EVP_EncryptInit_ex(ctx, EVP_aes_128_gcm(), NULL, NULL, NULL), - 1); - ExpectIntEQ(EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv), 1); - ExpectIntEQ(EVP_EncryptUpdate(ctx, NULL, &len, aad, sizeof(aad)), 1); - ExpectIntEQ(EVP_EncryptUpdate(ctx, out1Part, &len, cleartext, - sizeof(cleartext)), 1); - tlen += len; - ExpectIntEQ(EVP_EncryptFinal_ex(ctx, out1Part, &len), 1); - tlen += len; - ExpectIntEQ(tlen, sizeof(cleartext)); - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, 16, - outTag1Part), 1); - EVP_CIPHER_CTX_free(ctx); - ctx = NULL; - - /* DECRYPT */ - /* Send AAD and data in 1 part */ - ExpectNotNull(ctx = EVP_CIPHER_CTX_new()); - tlen = 0; - ExpectIntEQ(EVP_DecryptInit_ex(ctx, EVP_aes_128_gcm(), NULL, NULL, NULL), - 1); - ExpectIntEQ(EVP_DecryptInit_ex(ctx, NULL, NULL, key, iv), 1); - ExpectIntEQ(EVP_DecryptUpdate(ctx, NULL, &len, aad, sizeof(aad)), 1); - ExpectIntEQ(EVP_DecryptUpdate(ctx, decryptBuf, &len, out1Part, - sizeof(cleartext)), 1); - tlen += len; - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, 16, - outTag1Part), 1); - ExpectIntEQ(EVP_DecryptFinal_ex(ctx, decryptBuf, &len), 1); - tlen += len; - ExpectIntEQ(tlen, sizeof(cleartext)); - EVP_CIPHER_CTX_free(ctx); - ctx = NULL; - - ExpectIntEQ(XMEMCMP(decryptBuf, cleartext, len), 0); - - /* ENCRYPT */ - /* Send AAD and data in 2 parts */ - ExpectNotNull(ctx = EVP_CIPHER_CTX_new()); - tlen = 0; - ExpectIntEQ(EVP_EncryptInit_ex(ctx, EVP_aes_128_gcm(), NULL, NULL, NULL), - 1); - ExpectIntEQ(EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv), 1); - ExpectIntEQ(EVP_EncryptUpdate(ctx, NULL, &len, aad, 1), 1); - ExpectIntEQ(EVP_EncryptUpdate(ctx, NULL, &len, aad + 1, sizeof(aad) - 1), - 1); - ExpectIntEQ(EVP_EncryptUpdate(ctx, out2Part, &len, cleartext, 1), 1); - tlen += len; - ExpectIntEQ(EVP_EncryptUpdate(ctx, out2Part + tlen, &len, cleartext + 1, - sizeof(cleartext) - 1), 1); - tlen += len; - ExpectIntEQ(EVP_EncryptFinal_ex(ctx, out2Part + tlen, &len), 1); - tlen += len; - ExpectIntEQ(tlen, sizeof(cleartext)); - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, 16, - outTag2Part), 1); - - ExpectIntEQ(XMEMCMP(out1Part, out2Part, sizeof(out1Part)), 0); - ExpectIntEQ(XMEMCMP(outTag1Part, outTag2Part, sizeof(outTag1Part)), 0); - EVP_CIPHER_CTX_free(ctx); - ctx = NULL; - - /* DECRYPT */ - /* Send AAD and data in 2 parts */ - ExpectNotNull(ctx = EVP_CIPHER_CTX_new()); - tlen = 0; - ExpectIntEQ(EVP_DecryptInit_ex(ctx, EVP_aes_128_gcm(), NULL, NULL, NULL), - 1); - ExpectIntEQ(EVP_DecryptInit_ex(ctx, NULL, NULL, key, iv), 1); - ExpectIntEQ(EVP_DecryptUpdate(ctx, NULL, &len, aad, 1), 1); - ExpectIntEQ(EVP_DecryptUpdate(ctx, NULL, &len, aad + 1, sizeof(aad) - 1), - 1); - ExpectIntEQ(EVP_DecryptUpdate(ctx, decryptBuf, &len, out1Part, 1), 1); - tlen += len; - ExpectIntEQ(EVP_DecryptUpdate(ctx, decryptBuf + tlen, &len, out1Part + 1, - sizeof(cleartext) - 1), 1); - tlen += len; - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, 16, - outTag1Part), 1); - ExpectIntEQ(EVP_DecryptFinal_ex(ctx, decryptBuf + tlen, &len), 1); - tlen += len; - ExpectIntEQ(tlen, sizeof(cleartext)); - - ExpectIntEQ(XMEMCMP(decryptBuf, cleartext, len), 0); - - /* Test AAD reuse */ - EVP_CIPHER_CTX_free(ctx); -#endif - return EXPECT_RESULT(); -} - -static int test_wolfssl_EVP_aes_gcm_zeroLen(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_AES) && defined(HAVE_AESGCM) && \ - !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS) && defined(WOLFSSL_AES_256) - /* Zero length plain text */ - byte key[] = { - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 - }; /* align */ - byte iv[] = { - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 - }; /* align */ - byte plaintxt[1]; - int ivSz = 12; - int plaintxtSz = 0; - unsigned char tag[16]; - unsigned char tag_kat[] = { - 0x53,0x0f,0x8a,0xfb,0xc7,0x45,0x36,0xb9, - 0xa9,0x63,0xb4,0xf1,0xc4,0xcb,0x73,0x8b - }; - - byte ciphertxt[AES_BLOCK_SIZE * 4] = {0}; - byte decryptedtxt[AES_BLOCK_SIZE * 4] = {0}; - int ciphertxtSz = 0; - int decryptedtxtSz = 0; - int len = 0; - - EVP_CIPHER_CTX *en = EVP_CIPHER_CTX_new(); - EVP_CIPHER_CTX *de = EVP_CIPHER_CTX_new(); - - ExpectIntEQ(1, EVP_EncryptInit_ex(en, EVP_aes_256_gcm(), NULL, key, iv)); - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(en, EVP_CTRL_GCM_SET_IVLEN, ivSz, NULL)); - ExpectIntEQ(1, EVP_EncryptUpdate(en, ciphertxt, &ciphertxtSz , plaintxt, - plaintxtSz)); - ExpectIntEQ(1, EVP_EncryptFinal_ex(en, ciphertxt, &len)); - ciphertxtSz += len; - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(en, EVP_CTRL_GCM_GET_TAG, 16, tag)); - ExpectIntEQ(1, EVP_CIPHER_CTX_cleanup(en)); - - ExpectIntEQ(0, ciphertxtSz); - ExpectIntEQ(0, XMEMCMP(tag, tag_kat, sizeof(tag))); - - EVP_CIPHER_CTX_init(de); - ExpectIntEQ(1, EVP_DecryptInit_ex(de, EVP_aes_256_gcm(), NULL, key, iv)); - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(de, EVP_CTRL_GCM_SET_IVLEN, ivSz, NULL)); - ExpectIntEQ(1, EVP_DecryptUpdate(de, NULL, &len, ciphertxt, len)); - decryptedtxtSz = len; - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(de, EVP_CTRL_GCM_SET_TAG, 16, tag)); - ExpectIntEQ(1, EVP_DecryptFinal_ex(de, decryptedtxt, &len)); - decryptedtxtSz += len; - ExpectIntEQ(0, decryptedtxtSz); - - EVP_CIPHER_CTX_free(en); - EVP_CIPHER_CTX_free(de); -#endif - return EXPECT_RESULT(); -} - -static int test_wolfssl_EVP_aes_gcm(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_AES) && defined(HAVE_AESGCM) && \ - !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS) - /* A 256 bit key, AES_128 will use the first 128 bit*/ - byte *key = (byte*)"01234567890123456789012345678901"; - /* A 128 bit IV */ - byte *iv = (byte*)"0123456789012345"; - int ivSz = AES_BLOCK_SIZE; - /* Message to be encrypted */ - byte *plaintxt = (byte*)"for things to change you have to change"; - /* Additional non-confidential data */ - byte *aad = (byte*)"Don't spend major time on minor things."; - - unsigned char tag[AES_BLOCK_SIZE] = {0}; - int plaintxtSz = (int)XSTRLEN((char*)plaintxt); - int aadSz = (int)XSTRLEN((char*)aad); - byte ciphertxt[AES_BLOCK_SIZE * 4] = {0}; - byte decryptedtxt[AES_BLOCK_SIZE * 4] = {0}; - int ciphertxtSz = 0; - int decryptedtxtSz = 0; - int len = 0; - int i = 0; - EVP_CIPHER_CTX en[2]; - EVP_CIPHER_CTX de[2]; - - for (i = 0; i < 2; i++) { - EVP_CIPHER_CTX_init(&en[i]); - if (i == 0) { - /* Default uses 96-bits IV length */ -#ifdef WOLFSSL_AES_128 - ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aes_128_gcm(), NULL, - key, iv)); -#elif defined(WOLFSSL_AES_192) - ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aes_192_gcm(), NULL, - key, iv)); -#elif defined(WOLFSSL_AES_256) - ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aes_256_gcm(), NULL, - key, iv)); -#endif - } - else { -#ifdef WOLFSSL_AES_128 - ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aes_128_gcm(), NULL, - NULL, NULL)); -#elif defined(WOLFSSL_AES_192) - ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aes_192_gcm(), NULL, - NULL, NULL)); -#elif defined(WOLFSSL_AES_256) - ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aes_256_gcm(), NULL, - NULL, NULL)); -#endif - /* non-default must to set the IV length first */ - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&en[i], EVP_CTRL_GCM_SET_IVLEN, - ivSz, NULL)); - ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], NULL, NULL, key, iv)); - } - ExpectIntEQ(1, EVP_EncryptUpdate(&en[i], NULL, &len, aad, aadSz)); - ExpectIntEQ(1, EVP_EncryptUpdate(&en[i], ciphertxt, &len, plaintxt, - plaintxtSz)); - ciphertxtSz = len; - ExpectIntEQ(1, EVP_EncryptFinal_ex(&en[i], ciphertxt, &len)); - ciphertxtSz += len; - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&en[i], EVP_CTRL_GCM_GET_TAG, - AES_BLOCK_SIZE, tag)); - wolfSSL_EVP_CIPHER_CTX_cleanup(&en[i]); - - EVP_CIPHER_CTX_init(&de[i]); - if (i == 0) { - /* Default uses 96-bits IV length */ -#ifdef WOLFSSL_AES_128 - ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_128_gcm(), NULL, - key, iv)); -#elif defined(WOLFSSL_AES_192) - ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_192_gcm(), NULL, - key, iv)); -#elif defined(WOLFSSL_AES_256) - ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_256_gcm(), NULL, - key, iv)); -#endif - } - else { -#ifdef WOLFSSL_AES_128 - ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_128_gcm(), NULL, - NULL, NULL)); -#elif defined(WOLFSSL_AES_192) - ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_192_gcm(), NULL, - NULL, NULL)); -#elif defined(WOLFSSL_AES_256) - ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_256_gcm(), NULL, - NULL, NULL)); -#endif - /* non-default must to set the IV length first */ - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_GCM_SET_IVLEN, - ivSz, NULL)); - ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], NULL, NULL, key, iv)); - - } - ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], NULL, &len, aad, aadSz)); - ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], decryptedtxt, &len, ciphertxt, - ciphertxtSz)); - decryptedtxtSz = len; - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_GCM_SET_TAG, - AES_BLOCK_SIZE, tag)); - ExpectIntEQ(1, EVP_DecryptFinal_ex(&de[i], decryptedtxt, &len)); - decryptedtxtSz += len; - ExpectIntEQ(ciphertxtSz, decryptedtxtSz); - ExpectIntEQ(0, XMEMCMP(plaintxt, decryptedtxt, decryptedtxtSz)); - - /* modify tag*/ - if (i == 0) { - /* Default uses 96-bits IV length */ -#ifdef WOLFSSL_AES_128 - ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_128_gcm(), NULL, - key, iv)); -#elif defined(WOLFSSL_AES_192) - ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_192_gcm(), NULL, - key, iv)); -#elif defined(WOLFSSL_AES_256) - ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_256_gcm(), NULL, - key, iv)); -#endif - } - else { -#ifdef WOLFSSL_AES_128 - ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_128_gcm(), NULL, - NULL, NULL)); -#elif defined(WOLFSSL_AES_192) - ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_192_gcm(), NULL, - NULL, NULL)); -#elif defined(WOLFSSL_AES_256) - ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_256_gcm(), NULL, - NULL, NULL)); -#endif - /* non-default must to set the IV length first */ - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_GCM_SET_IVLEN, - ivSz, NULL)); - ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], NULL, NULL, key, iv)); - - } - tag[AES_BLOCK_SIZE-1]+=0xBB; - ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], NULL, &len, aad, aadSz)); - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_GCM_SET_TAG, - AES_BLOCK_SIZE, tag)); - /* fail due to wrong tag */ - ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], decryptedtxt, &len, ciphertxt, - ciphertxtSz)); - ExpectIntEQ(0, EVP_DecryptFinal_ex(&de[i], decryptedtxt, &len)); - ExpectIntEQ(0, len); - - wolfSSL_EVP_CIPHER_CTX_cleanup(&de[i]); - } -#endif /* OPENSSL_EXTRA && !NO_AES && HAVE_AESGCM */ - return EXPECT_RESULT(); -} - -static int test_wolfssl_EVP_aria_gcm(void) -{ - int res = TEST_SKIPPED; -#if defined(OPENSSL_EXTRA) && defined(HAVE_ARIA) && \ - !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS) - - /* A 256 bit key, AES_128 will use the first 128 bit*/ - byte *key = (byte*)"01234567890123456789012345678901"; - /* A 128 bit IV */ - byte *iv = (byte*)"0123456789012345"; - int ivSz = ARIA_BLOCK_SIZE; - /* Message to be encrypted */ - const int plaintxtSz = 40; - byte plaintxt[WC_ARIA_GCM_GET_CIPHERTEXT_SIZE(plaintxtSz)]; - XMEMCPY(plaintxt,"for things to change you have to change",plaintxtSz); - /* Additional non-confidential data */ - byte *aad = (byte*)"Don't spend major time on minor things."; - - unsigned char tag[ARIA_BLOCK_SIZE] = {0}; - int aadSz = (int)XSTRLEN((char*)aad); - byte ciphertxt[WC_ARIA_GCM_GET_CIPHERTEXT_SIZE(plaintxtSz)]; - byte decryptedtxt[plaintxtSz]; - int ciphertxtSz = 0; - int decryptedtxtSz = 0; - int len = 0; - int i = 0; - #define TEST_ARIA_GCM_COUNT 6 - EVP_CIPHER_CTX en[TEST_ARIA_GCM_COUNT]; - EVP_CIPHER_CTX de[TEST_ARIA_GCM_COUNT]; - - for (i = 0; i < TEST_ARIA_GCM_COUNT; i++) { - - EVP_CIPHER_CTX_init(&en[i]); - switch (i) { - case 0: - /* Default uses 96-bits IV length */ - AssertIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aria_128_gcm(), NULL, key, iv)); - break; - case 1: - /* Default uses 96-bits IV length */ - AssertIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aria_192_gcm(), NULL, key, iv)); - break; - case 2: - /* Default uses 96-bits IV length */ - AssertIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aria_256_gcm(), NULL, key, iv)); - break; - case 3: - AssertIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aria_128_gcm(), NULL, NULL, NULL)); - /* non-default must to set the IV length first */ - AssertIntEQ(1, EVP_CIPHER_CTX_ctrl(&en[i], EVP_CTRL_GCM_SET_IVLEN, ivSz, NULL)); - AssertIntEQ(1, EVP_EncryptInit_ex(&en[i], NULL, NULL, key, iv)); - break; - case 4: - AssertIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aria_192_gcm(), NULL, NULL, NULL)); - /* non-default must to set the IV length first */ - AssertIntEQ(1, EVP_CIPHER_CTX_ctrl(&en[i], EVP_CTRL_GCM_SET_IVLEN, ivSz, NULL)); - AssertIntEQ(1, EVP_EncryptInit_ex(&en[i], NULL, NULL, key, iv)); - break; - case 5: - AssertIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aria_256_gcm(), NULL, NULL, NULL)); - /* non-default must to set the IV length first */ - AssertIntEQ(1, EVP_CIPHER_CTX_ctrl(&en[i], EVP_CTRL_GCM_SET_IVLEN, ivSz, NULL)); - AssertIntEQ(1, EVP_EncryptInit_ex(&en[i], NULL, NULL, key, iv)); - break; - } - XMEMSET(ciphertxt,0,sizeof(ciphertxt)); - AssertIntEQ(1, EVP_EncryptUpdate(&en[i], NULL, &len, aad, aadSz)); - AssertIntEQ(1, EVP_EncryptUpdate(&en[i], ciphertxt, &len, plaintxt, plaintxtSz)); - ciphertxtSz = len; - AssertIntEQ(1, EVP_EncryptFinal_ex(&en[i], ciphertxt, &len)); - AssertIntNE(0, XMEMCMP(plaintxt, ciphertxt, plaintxtSz)); - ciphertxtSz += len; - AssertIntEQ(1, EVP_CIPHER_CTX_ctrl(&en[i], EVP_CTRL_GCM_GET_TAG, ARIA_BLOCK_SIZE, tag)); - AssertIntEQ(wolfSSL_EVP_CIPHER_CTX_cleanup(&en[i]), 1); - - EVP_CIPHER_CTX_init(&de[i]); - switch (i) { - case 0: - /* Default uses 96-bits IV length */ - AssertIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aria_128_gcm(), NULL, key, iv)); - break; - case 1: - /* Default uses 96-bits IV length */ - AssertIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aria_192_gcm(), NULL, key, iv)); - break; - case 2: - /* Default uses 96-bits IV length */ - AssertIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aria_256_gcm(), NULL, key, iv)); - break; - case 3: - AssertIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aria_128_gcm(), NULL, NULL, NULL)); - /* non-default must to set the IV length first */ - AssertIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_GCM_SET_IVLEN, ivSz, NULL)); - AssertIntEQ(1, EVP_DecryptInit_ex(&de[i], NULL, NULL, key, iv)); - break; - case 4: - AssertIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aria_192_gcm(), NULL, NULL, NULL)); - /* non-default must to set the IV length first */ - AssertIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_GCM_SET_IVLEN, ivSz, NULL)); - AssertIntEQ(1, EVP_DecryptInit_ex(&de[i], NULL, NULL, key, iv)); - break; - case 5: - AssertIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aria_256_gcm(), NULL, NULL, NULL)); - /* non-default must to set the IV length first */ - AssertIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_GCM_SET_IVLEN, ivSz, NULL)); - AssertIntEQ(1, EVP_DecryptInit_ex(&de[i], NULL, NULL, key, iv)); - break; - } - XMEMSET(decryptedtxt,0,sizeof(decryptedtxt)); - AssertIntEQ(1, EVP_DecryptUpdate(&de[i], NULL, &len, aad, aadSz)); - AssertIntEQ(1, EVP_DecryptUpdate(&de[i], decryptedtxt, &len, ciphertxt, ciphertxtSz)); - decryptedtxtSz = len; - AssertIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_GCM_SET_TAG, ARIA_BLOCK_SIZE, tag)); - AssertIntEQ(1, EVP_DecryptFinal_ex(&de[i], decryptedtxt, &len)); - decryptedtxtSz += len; - AssertIntEQ(plaintxtSz, decryptedtxtSz); - AssertIntEQ(0, XMEMCMP(plaintxt, decryptedtxt, decryptedtxtSz)); - - XMEMSET(decryptedtxt,0,sizeof(decryptedtxt)); - /* modify tag*/ - tag[AES_BLOCK_SIZE-1]+=0xBB; - AssertIntEQ(1, EVP_DecryptUpdate(&de[i], NULL, &len, aad, aadSz)); - AssertIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_GCM_SET_TAG, ARIA_BLOCK_SIZE, tag)); - /* fail due to wrong tag */ - AssertIntEQ(1, EVP_DecryptUpdate(&de[i], decryptedtxt, &len, ciphertxt, ciphertxtSz)); - AssertIntEQ(0, EVP_DecryptFinal_ex(&de[i], decryptedtxt, &len)); - AssertIntEQ(0, len); - AssertIntEQ(wolfSSL_EVP_CIPHER_CTX_cleanup(&de[i]), 1); - } - - res = TEST_RES_CHECK(1); -#endif /* OPENSSL_EXTRA && !NO_AES && HAVE_AESGCM */ - return res; -} - -static int test_wolfssl_EVP_aes_ccm_zeroLen(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_AES) && defined(HAVE_AESCCM) && \ - !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS) && defined(WOLFSSL_AES_256) - /* Zero length plain text */ - byte key[] = { - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 - }; /* align */ - byte iv[] = { - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 - }; /* align */ - byte plaintxt[1]; - int ivSz = 12; - int plaintxtSz = 0; - unsigned char tag[16]; - - byte ciphertxt[AES_BLOCK_SIZE * 4] = {0}; - byte decryptedtxt[AES_BLOCK_SIZE * 4] = {0}; - int ciphertxtSz = 0; - int decryptedtxtSz = 0; - int len = 0; - - EVP_CIPHER_CTX *en = EVP_CIPHER_CTX_new(); - EVP_CIPHER_CTX *de = EVP_CIPHER_CTX_new(); - - ExpectIntEQ(1, EVP_EncryptInit_ex(en, EVP_aes_256_ccm(), NULL, key, iv)); - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(en, EVP_CTRL_CCM_SET_IVLEN, ivSz, NULL)); - ExpectIntEQ(1, EVP_EncryptUpdate(en, ciphertxt, &ciphertxtSz , plaintxt, - plaintxtSz)); - ExpectIntEQ(1, EVP_EncryptFinal_ex(en, ciphertxt, &len)); - ciphertxtSz += len; - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(en, EVP_CTRL_CCM_GET_TAG, 16, tag)); - ExpectIntEQ(1, EVP_CIPHER_CTX_cleanup(en)); - - ExpectIntEQ(0, ciphertxtSz); - - EVP_CIPHER_CTX_init(de); - ExpectIntEQ(1, EVP_DecryptInit_ex(de, EVP_aes_256_ccm(), NULL, key, iv)); - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(de, EVP_CTRL_CCM_SET_IVLEN, ivSz, NULL)); - ExpectIntEQ(1, EVP_DecryptUpdate(de, NULL, &len, ciphertxt, len)); - decryptedtxtSz = len; - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(de, EVP_CTRL_CCM_SET_TAG, 16, tag)); - ExpectIntEQ(1, EVP_DecryptFinal_ex(de, decryptedtxt, &len)); - decryptedtxtSz += len; - ExpectIntEQ(0, decryptedtxtSz); - - EVP_CIPHER_CTX_free(en); - EVP_CIPHER_CTX_free(de); -#endif - return EXPECT_RESULT(); -} - -static int test_wolfssl_EVP_aes_ccm(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_AES) && defined(HAVE_AESCCM) && \ - !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS) - /* A 256 bit key, AES_128 will use the first 128 bit*/ - byte *key = (byte*)"01234567890123456789012345678901"; - /* A 128 bit IV */ - byte *iv = (byte*)"0123456789012"; - int ivSz = (int)XSTRLEN((char*)iv); - /* Message to be encrypted */ - byte *plaintxt = (byte*)"for things to change you have to change"; - /* Additional non-confidential data */ - byte *aad = (byte*)"Don't spend major time on minor things."; - - unsigned char tag[AES_BLOCK_SIZE] = {0}; - int plaintxtSz = (int)XSTRLEN((char*)plaintxt); - int aadSz = (int)XSTRLEN((char*)aad); - byte ciphertxt[AES_BLOCK_SIZE * 4] = {0}; - byte decryptedtxt[AES_BLOCK_SIZE * 4] = {0}; - int ciphertxtSz = 0; - int decryptedtxtSz = 0; - int len = 0; - int i = 0; - int ret; - EVP_CIPHER_CTX en[2]; - EVP_CIPHER_CTX de[2]; - - for (i = 0; i < 2; i++) { - EVP_CIPHER_CTX_init(&en[i]); - - if (i == 0) { - /* Default uses 96-bits IV length */ -#ifdef WOLFSSL_AES_128 - ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aes_128_ccm(), NULL, - key, iv)); -#elif defined(WOLFSSL_AES_192) - ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aes_192_ccm(), NULL, - key, iv)); -#elif defined(WOLFSSL_AES_256) - ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aes_256_ccm(), NULL, - key, iv)); -#endif - } - else { -#ifdef WOLFSSL_AES_128 - ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aes_128_ccm(), NULL, - NULL, NULL)); -#elif defined(WOLFSSL_AES_192) - ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aes_192_ccm(), NULL, - NULL, NULL)); -#elif defined(WOLFSSL_AES_256) - ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aes_256_ccm(), NULL, - NULL, NULL)); -#endif - /* non-default must to set the IV length first */ - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&en[i], EVP_CTRL_CCM_SET_IVLEN, - ivSz, NULL)); - ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], NULL, NULL, key, iv)); - } - ExpectIntEQ(1, EVP_EncryptUpdate(&en[i], NULL, &len, aad, aadSz)); - ExpectIntEQ(1, EVP_EncryptUpdate(&en[i], ciphertxt, &len, plaintxt, - plaintxtSz)); - ciphertxtSz = len; - ExpectIntEQ(1, EVP_EncryptFinal_ex(&en[i], ciphertxt, &len)); - ciphertxtSz += len; - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&en[i], EVP_CTRL_CCM_GET_TAG, - AES_BLOCK_SIZE, tag)); - ret = wolfSSL_EVP_CIPHER_CTX_cleanup(&en[i]); - ExpectIntEQ(ret, 1); - - EVP_CIPHER_CTX_init(&de[i]); - if (i == 0) { - /* Default uses 96-bits IV length */ -#ifdef WOLFSSL_AES_128 - ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_128_ccm(), NULL, - key, iv)); -#elif defined(WOLFSSL_AES_192) - ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_192_ccm(), NULL, - key, iv)); -#elif defined(WOLFSSL_AES_256) - ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_256_ccm(), NULL, - key, iv)); -#endif - } - else { -#ifdef WOLFSSL_AES_128 - ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_128_ccm(), NULL, - NULL, NULL)); -#elif defined(WOLFSSL_AES_192) - ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_192_ccm(), NULL, - NULL, NULL)); -#elif defined(WOLFSSL_AES_256) - ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_256_ccm(), NULL, - NULL, NULL)); -#endif - /* non-default must to set the IV length first */ - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_CCM_SET_IVLEN, - ivSz, NULL)); - ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], NULL, NULL, key, iv)); - - } - ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], NULL, &len, aad, aadSz)); - ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], decryptedtxt, &len, ciphertxt, - ciphertxtSz)); - decryptedtxtSz = len; - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_CCM_SET_TAG, - AES_BLOCK_SIZE, tag)); - ExpectIntEQ(1, EVP_DecryptFinal_ex(&de[i], decryptedtxt, &len)); - decryptedtxtSz += len; - ExpectIntEQ(ciphertxtSz, decryptedtxtSz); - ExpectIntEQ(0, XMEMCMP(plaintxt, decryptedtxt, decryptedtxtSz)); - - /* modify tag*/ - tag[AES_BLOCK_SIZE-1]+=0xBB; - ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], NULL, &len, aad, aadSz)); - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_CCM_SET_TAG, - AES_BLOCK_SIZE, tag)); - /* fail due to wrong tag */ - ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], decryptedtxt, &len, ciphertxt, - ciphertxtSz)); - ExpectIntEQ(0, EVP_DecryptFinal_ex(&de[i], decryptedtxt, &len)); - ExpectIntEQ(0, len); - ret = wolfSSL_EVP_CIPHER_CTX_cleanup(&de[i]); - ExpectIntEQ(ret, 1); - } -#endif /* OPENSSL_EXTRA && !NO_AES && HAVE_AESCCM */ - return EXPECT_RESULT(); -} - -static int test_wolfssl_EVP_chacha20_poly1305(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && defined(HAVE_CHACHA) && defined(HAVE_POLY1305) - byte key[CHACHA20_POLY1305_AEAD_KEYSIZE]; - byte iv [CHACHA20_POLY1305_AEAD_IV_SIZE]; - byte plainText[] = {0xDE, 0xAD, 0xBE, 0xEF}; - byte aad[] = {0xAA, 0XBB, 0xCC, 0xDD, 0xEE, 0xFF}; - byte cipherText[sizeof(plainText)]; - byte decryptedText[sizeof(plainText)]; - byte tag[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE]; - EVP_CIPHER_CTX* ctx = NULL; - int outSz; - - XMEMSET(key, 0, sizeof(key)); - XMEMSET(iv, 0, sizeof(iv)); - - /* Encrypt. */ - ExpectNotNull((ctx = EVP_CIPHER_CTX_new())); - ExpectIntEQ(EVP_EncryptInit_ex(ctx, EVP_chacha20_poly1305(), NULL, NULL, - NULL), WOLFSSL_SUCCESS); - /* Invalid IV length. */ - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, - CHACHA20_POLY1305_AEAD_IV_SIZE-1, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - /* Valid IV length. */ - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, - CHACHA20_POLY1305_AEAD_IV_SIZE, NULL), WOLFSSL_SUCCESS); - /* Invalid tag length. */ - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, - CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE-1, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - /* Valid tag length. */ - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, - CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE, NULL), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_EncryptUpdate(ctx, NULL, &outSz, aad, sizeof(aad)), - WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, sizeof(aad)); - ExpectIntEQ(EVP_EncryptUpdate(ctx, cipherText, &outSz, plainText, - sizeof(plainText)), WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, sizeof(plainText)); - ExpectIntEQ(EVP_EncryptFinal_ex(ctx, cipherText, &outSz), WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, 0); - /* Invalid tag length. */ - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, - CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE-1, tag), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - /* Valid tag length. */ - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, - CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE, tag), WOLFSSL_SUCCESS); - EVP_CIPHER_CTX_free(ctx); - ctx = NULL; - - /* Decrypt. */ - ExpectNotNull((ctx = EVP_CIPHER_CTX_new())); - ExpectIntEQ(EVP_DecryptInit_ex(ctx, EVP_chacha20_poly1305(), NULL, NULL, - NULL), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, - CHACHA20_POLY1305_AEAD_IV_SIZE, NULL), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, - CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE, tag), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_DecryptInit_ex(ctx, NULL, NULL, key, iv), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_DecryptUpdate(ctx, NULL, &outSz, aad, sizeof(aad)), - WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, sizeof(aad)); - ExpectIntEQ(EVP_DecryptUpdate(ctx, decryptedText, &outSz, cipherText, - sizeof(cipherText)), WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, sizeof(cipherText)); - ExpectIntEQ(EVP_DecryptFinal_ex(ctx, decryptedText, &outSz), - WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, 0); - EVP_CIPHER_CTX_free(ctx); - ctx = NULL; - - /* Test partial Inits. CipherInit() allow setting of key and iv - * in separate calls. */ - ExpectNotNull((ctx = EVP_CIPHER_CTX_new())); - ExpectIntEQ(wolfSSL_EVP_CipherInit(ctx, EVP_chacha20_poly1305(), - key, NULL, 1), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_EVP_CipherInit(ctx, NULL, NULL, iv, 1), - WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_EVP_CipherUpdate(ctx, NULL, &outSz, - aad, sizeof(aad)), WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, sizeof(aad)); - ExpectIntEQ(EVP_DecryptUpdate(ctx, decryptedText, &outSz, cipherText, - sizeof(cipherText)), WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, sizeof(cipherText)); - ExpectIntEQ(EVP_DecryptFinal_ex(ctx, decryptedText, &outSz), - WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, 0); - EVP_CIPHER_CTX_free(ctx); -#endif - return EXPECT_RESULT(); -} - -static int test_wolfssl_EVP_chacha20(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && defined(HAVE_CHACHA) - byte key[CHACHA_MAX_KEY_SZ]; - byte iv [WOLFSSL_EVP_CHACHA_IV_BYTES]; - byte plainText[] = {0xDE, 0xAD, 0xBE, 0xEF}; - byte cipherText[sizeof(plainText)]; - byte decryptedText[sizeof(plainText)]; - EVP_CIPHER_CTX* ctx = NULL; - int outSz; - - XMEMSET(key, 0, sizeof(key)); - XMEMSET(iv, 0, sizeof(iv)); - /* Encrypt. */ - ExpectNotNull((ctx = EVP_CIPHER_CTX_new())); - ExpectIntEQ(EVP_EncryptInit_ex(ctx, EVP_chacha20(), NULL, NULL, - NULL), WOLFSSL_SUCCESS); - /* Any tag length must fail - not an AEAD cipher. */ - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, - 16, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_EncryptUpdate(ctx, cipherText, &outSz, plainText, - sizeof(plainText)), WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, sizeof(plainText)); - ExpectIntEQ(EVP_EncryptFinal_ex(ctx, cipherText, &outSz), WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, 0); - EVP_CIPHER_CTX_free(ctx); - ctx = NULL; - - /* Decrypt. */ - ExpectNotNull((ctx = EVP_CIPHER_CTX_new())); - ExpectIntEQ(EVP_DecryptInit_ex(ctx, EVP_chacha20(), NULL, NULL, - NULL), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_DecryptInit_ex(ctx, NULL, NULL, key, iv), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_DecryptUpdate(ctx, decryptedText, &outSz, cipherText, - sizeof(cipherText)), WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, sizeof(cipherText)); - ExpectIntEQ(EVP_DecryptFinal_ex(ctx, decryptedText, &outSz), - WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, 0); - EVP_CIPHER_CTX_free(ctx); - ctx = NULL; - - /* Test partial Inits. CipherInit() allow setting of key and iv - * in separate calls. */ - ExpectNotNull((ctx = EVP_CIPHER_CTX_new())); - ExpectIntEQ(wolfSSL_EVP_CipherInit(ctx, EVP_chacha20(), - key, NULL, 1), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_EVP_CipherInit(ctx, NULL, NULL, iv, 1), - WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_DecryptUpdate(ctx, decryptedText, &outSz, cipherText, - sizeof(cipherText)), WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, sizeof(cipherText)); - ExpectIntEQ(EVP_DecryptFinal_ex(ctx, decryptedText, &outSz), - WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, 0); - EVP_CIPHER_CTX_free(ctx); -#endif - return EXPECT_RESULT(); -} - -static int test_wolfssl_EVP_sm4_ecb(void) -{ - int res = TEST_SKIPPED; -#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_SM4_ECB) - EXPECT_DECLS; - byte key[SM4_KEY_SIZE]; - byte plainText[SM4_BLOCK_SIZE] = { - 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF, - 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF - }; - byte cipherText[sizeof(plainText) + SM4_BLOCK_SIZE]; - byte decryptedText[sizeof(plainText) + SM4_BLOCK_SIZE]; - EVP_CIPHER_CTX* ctx; - int outSz; - - XMEMSET(key, 0, sizeof(key)); - - /* Encrypt. */ - ExpectNotNull((ctx = EVP_CIPHER_CTX_new())); - ExpectIntEQ(EVP_EncryptInit_ex(ctx, EVP_sm4_ecb(), NULL, NULL, NULL), - WOLFSSL_SUCCESS); - /* Any tag length must fail - not an AEAD cipher. */ - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, 16, NULL), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(EVP_EncryptInit_ex(ctx, NULL, NULL, key, NULL), - WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_EncryptUpdate(ctx, cipherText, &outSz, plainText, - sizeof(plainText)), WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, sizeof(plainText)); - ExpectIntEQ(EVP_EncryptFinal_ex(ctx, cipherText + outSz, &outSz), - WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, SM4_BLOCK_SIZE); - ExpectBufNE(cipherText, plainText, sizeof(plainText)); - EVP_CIPHER_CTX_free(ctx); - - /* Decrypt. */ - ExpectNotNull((ctx = EVP_CIPHER_CTX_new())); - ExpectIntEQ(EVP_DecryptInit_ex(ctx, EVP_sm4_ecb(), NULL, NULL, NULL), - WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_DecryptInit_ex(ctx, NULL, NULL, key, NULL), - WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_DecryptUpdate(ctx, decryptedText, &outSz, cipherText, - sizeof(cipherText)), WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, sizeof(plainText)); - ExpectIntEQ(EVP_DecryptFinal_ex(ctx, decryptedText + outSz, &outSz), - WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, 0); - ExpectBufEQ(decryptedText, plainText, sizeof(plainText)); - EVP_CIPHER_CTX_free(ctx); - - res = EXPECT_RESULT(); -#endif - return res; -} - -static int test_wolfssl_EVP_sm4_cbc(void) -{ - int res = TEST_SKIPPED; -#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_SM4_CBC) - EXPECT_DECLS; - byte key[SM4_KEY_SIZE]; - byte iv[SM4_BLOCK_SIZE]; - byte plainText[SM4_BLOCK_SIZE] = { - 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF, - 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF - }; - byte cipherText[sizeof(plainText) + SM4_BLOCK_SIZE]; - byte decryptedText[sizeof(plainText) + SM4_BLOCK_SIZE]; - EVP_CIPHER_CTX* ctx; - int outSz; - - XMEMSET(key, 0, sizeof(key)); - XMEMSET(iv, 0, sizeof(iv)); - - /* Encrypt. */ - ExpectNotNull((ctx = EVP_CIPHER_CTX_new())); - ExpectIntEQ(EVP_EncryptInit_ex(ctx, EVP_sm4_cbc(), NULL, NULL, NULL), - WOLFSSL_SUCCESS); - /* Any tag length must fail - not an AEAD cipher. */ - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, 16, NULL), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_EncryptUpdate(ctx, cipherText, &outSz, plainText, - sizeof(plainText)), WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, sizeof(plainText)); - ExpectIntEQ(EVP_EncryptFinal_ex(ctx, cipherText + outSz, &outSz), - WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, SM4_BLOCK_SIZE); - ExpectBufNE(cipherText, plainText, sizeof(plainText)); - EVP_CIPHER_CTX_free(ctx); - - /* Decrypt. */ - ExpectNotNull((ctx = EVP_CIPHER_CTX_new())); - ExpectIntEQ(EVP_DecryptInit_ex(ctx, EVP_sm4_cbc(), NULL, NULL, NULL), - WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_DecryptInit_ex(ctx, NULL, NULL, key, iv), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_DecryptUpdate(ctx, decryptedText, &outSz, cipherText, - sizeof(cipherText)), WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, sizeof(plainText)); - ExpectIntEQ(EVP_DecryptFinal_ex(ctx, decryptedText + outSz, &outSz), - WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, 0); - ExpectBufEQ(decryptedText, plainText, sizeof(plainText)); - EVP_CIPHER_CTX_free(ctx); - - /* Test partial Inits. CipherInit() allow setting of key and iv - * in separate calls. */ - ExpectNotNull((ctx = EVP_CIPHER_CTX_new())); - ExpectIntEQ(wolfSSL_EVP_CipherInit(ctx, EVP_sm4_cbc(), key, NULL, 0), - WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_EVP_CipherInit(ctx, NULL, NULL, iv, 0), - WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_DecryptUpdate(ctx, decryptedText, &outSz, cipherText, - sizeof(cipherText)), WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, sizeof(plainText)); - ExpectIntEQ(EVP_DecryptFinal_ex(ctx, decryptedText + outSz, &outSz), - WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, 0); - ExpectBufEQ(decryptedText, plainText, sizeof(plainText)); - EVP_CIPHER_CTX_free(ctx); - - res = EXPECT_RESULT(); -#endif - return res; -} - -static int test_wolfssl_EVP_sm4_ctr(void) -{ - int res = TEST_SKIPPED; -#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_SM4_CTR) - EXPECT_DECLS; - byte key[SM4_KEY_SIZE]; - byte iv[SM4_BLOCK_SIZE]; - byte plainText[] = {0xDE, 0xAD, 0xBE, 0xEF}; - byte cipherText[sizeof(plainText)]; - byte decryptedText[sizeof(plainText)]; - EVP_CIPHER_CTX* ctx; - int outSz; - - XMEMSET(key, 0, sizeof(key)); - XMEMSET(iv, 0, sizeof(iv)); - - /* Encrypt. */ - ExpectNotNull((ctx = EVP_CIPHER_CTX_new())); - ExpectIntEQ(EVP_EncryptInit_ex(ctx, EVP_sm4_ctr(), NULL, NULL, NULL), - WOLFSSL_SUCCESS); - /* Any tag length must fail - not an AEAD cipher. */ - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, 16, NULL), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_EncryptUpdate(ctx, cipherText, &outSz, plainText, - sizeof(plainText)), WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, sizeof(plainText)); - ExpectIntEQ(EVP_EncryptFinal_ex(ctx, cipherText, &outSz), WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, 0); - ExpectBufNE(cipherText, plainText, sizeof(plainText)); - EVP_CIPHER_CTX_free(ctx); - - /* Decrypt. */ - ExpectNotNull((ctx = EVP_CIPHER_CTX_new())); - ExpectIntEQ(EVP_DecryptInit_ex(ctx, EVP_sm4_ctr(), NULL, NULL, NULL), - WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_DecryptInit_ex(ctx, NULL, NULL, key, iv), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_DecryptUpdate(ctx, decryptedText, &outSz, cipherText, - sizeof(cipherText)), WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, sizeof(cipherText)); - ExpectIntEQ(EVP_DecryptFinal_ex(ctx, decryptedText, &outSz), - WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, 0); - ExpectBufEQ(decryptedText, plainText, sizeof(plainText)); - EVP_CIPHER_CTX_free(ctx); - - /* Test partial Inits. CipherInit() allow setting of key and iv - * in separate calls. */ - ExpectNotNull((ctx = EVP_CIPHER_CTX_new())); - ExpectIntEQ(wolfSSL_EVP_CipherInit(ctx, EVP_sm4_ctr(), key, NULL, 1), - WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_EVP_CipherInit(ctx, NULL, NULL, iv, 1), - WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_DecryptUpdate(ctx, decryptedText, &outSz, cipherText, - sizeof(cipherText)), WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, sizeof(cipherText)); - ExpectIntEQ(EVP_DecryptFinal_ex(ctx, decryptedText, &outSz), - WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, 0); - ExpectBufEQ(decryptedText, plainText, sizeof(plainText)); - EVP_CIPHER_CTX_free(ctx); - - res = EXPECT_RESULT(); -#endif - return res; -} - -static int test_wolfssl_EVP_sm4_gcm_zeroLen(void) -{ - int res = TEST_SKIPPED; -#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_SM4_GCM) - /* Zero length plain text */ - EXPECT_DECLS; - byte key[] = { - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 - }; /* align */ - byte iv[] = { - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 - }; /* align */ - byte plaintxt[1]; - int ivSz = 12; - int plaintxtSz = 0; - unsigned char tag[16]; - unsigned char tag_kat[16] = { - 0x23,0x2f,0x0c,0xfe,0x30,0x8b,0x49,0xea, - 0x6f,0xc8,0x82,0x29,0xb5,0xdc,0x85,0x8d - }; - - byte ciphertxt[SM4_BLOCK_SIZE * 4] = {0}; - byte decryptedtxt[SM4_BLOCK_SIZE * 4] = {0}; - int ciphertxtSz = 0; - int decryptedtxtSz = 0; - int len = 0; - - EVP_CIPHER_CTX *en = EVP_CIPHER_CTX_new(); - EVP_CIPHER_CTX *de = EVP_CIPHER_CTX_new(); - - ExpectIntEQ(1, EVP_EncryptInit_ex(en, EVP_sm4_gcm(), NULL, key, iv)); - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(en, EVP_CTRL_GCM_SET_IVLEN, ivSz, NULL)); - ExpectIntEQ(1, EVP_EncryptUpdate(en, ciphertxt, &ciphertxtSz , plaintxt, - plaintxtSz)); - ExpectIntEQ(1, EVP_EncryptFinal_ex(en, ciphertxt, &len)); - ciphertxtSz += len; - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(en, EVP_CTRL_GCM_GET_TAG, 16, tag)); - ExpectIntEQ(1, EVP_CIPHER_CTX_cleanup(en)); - - ExpectIntEQ(0, ciphertxtSz); - ExpectIntEQ(0, XMEMCMP(tag, tag_kat, sizeof(tag))); - - EVP_CIPHER_CTX_init(de); - ExpectIntEQ(1, EVP_DecryptInit_ex(de, EVP_sm4_gcm(), NULL, key, iv)); - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(de, EVP_CTRL_GCM_SET_IVLEN, ivSz, NULL)); - ExpectIntEQ(1, EVP_DecryptUpdate(de, NULL, &len, ciphertxt, len)); - decryptedtxtSz = len; - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(de, EVP_CTRL_GCM_SET_TAG, 16, tag)); - ExpectIntEQ(1, EVP_DecryptFinal_ex(de, decryptedtxt, &len)); - decryptedtxtSz += len; - ExpectIntEQ(0, decryptedtxtSz); - - EVP_CIPHER_CTX_free(en); - EVP_CIPHER_CTX_free(de); - - res = EXPECT_RESULT(); -#endif /* OPENSSL_EXTRA && WOLFSSL_SM4_GCM */ - return res; -} - -static int test_wolfssl_EVP_sm4_gcm(void) -{ - int res = TEST_SKIPPED; -#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_SM4_GCM) - EXPECT_DECLS; - byte *key = (byte*)"0123456789012345"; - /* A 128 bit IV */ - byte *iv = (byte*)"0123456789012345"; - int ivSz = SM4_BLOCK_SIZE; - /* Message to be encrypted */ - byte *plaintxt = (byte*)"for things to change you have to change"; - /* Additional non-confidential data */ - byte *aad = (byte*)"Don't spend major time on minor things."; - - unsigned char tag[SM4_BLOCK_SIZE] = {0}; - int plaintxtSz = (int)XSTRLEN((char*)plaintxt); - int aadSz = (int)XSTRLEN((char*)aad); - byte ciphertxt[SM4_BLOCK_SIZE * 4] = {0}; - byte decryptedtxt[SM4_BLOCK_SIZE * 4] = {0}; - int ciphertxtSz = 0; - int decryptedtxtSz = 0; - int len = 0; - int i = 0; - EVP_CIPHER_CTX en[2]; - EVP_CIPHER_CTX de[2]; - - for (i = 0; i < 2; i++) { - EVP_CIPHER_CTX_init(&en[i]); - - if (i == 0) { - /* Default uses 96-bits IV length */ - ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_sm4_gcm(), NULL, key, - iv)); - } - else { - ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_sm4_gcm(), NULL, NULL, - NULL)); - /* non-default must to set the IV length first */ - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&en[i], EVP_CTRL_GCM_SET_IVLEN, - ivSz, NULL)); - ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], NULL, NULL, key, iv)); - } - ExpectIntEQ(1, EVP_EncryptUpdate(&en[i], NULL, &len, aad, aadSz)); - ExpectIntEQ(1, EVP_EncryptUpdate(&en[i], ciphertxt, &len, plaintxt, - plaintxtSz)); - ciphertxtSz = len; - ExpectIntEQ(1, EVP_EncryptFinal_ex(&en[i], ciphertxt, &len)); - ciphertxtSz += len; - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&en[i], EVP_CTRL_GCM_GET_TAG, - SM4_BLOCK_SIZE, tag)); - ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_cleanup(&en[i]), 1); - - EVP_CIPHER_CTX_init(&de[i]); - if (i == 0) { - /* Default uses 96-bits IV length */ - ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_sm4_gcm(), NULL, key, - iv)); - } - else { - ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_sm4_gcm(), NULL, NULL, - NULL)); - /* non-default must to set the IV length first */ - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_GCM_SET_IVLEN, - ivSz, NULL)); - ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], NULL, NULL, key, iv)); - - } - ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], NULL, &len, aad, aadSz)); - ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], decryptedtxt, &len, ciphertxt, - ciphertxtSz)); - decryptedtxtSz = len; - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_GCM_SET_TAG, - SM4_BLOCK_SIZE, tag)); - ExpectIntEQ(1, EVP_DecryptFinal_ex(&de[i], decryptedtxt, &len)); - decryptedtxtSz += len; - ExpectIntEQ(ciphertxtSz, decryptedtxtSz); - ExpectIntEQ(0, XMEMCMP(plaintxt, decryptedtxt, decryptedtxtSz)); - - /* modify tag*/ - tag[SM4_BLOCK_SIZE-1]+=0xBB; - ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], NULL, &len, aad, aadSz)); - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_GCM_SET_TAG, - SM4_BLOCK_SIZE, tag)); - /* fail due to wrong tag */ - ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], decryptedtxt, &len, ciphertxt, - ciphertxtSz)); - ExpectIntEQ(0, EVP_DecryptFinal_ex(&de[i], decryptedtxt, &len)); - ExpectIntEQ(0, len); - ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_cleanup(&de[i]), 1); - } - - res = EXPECT_RESULT(); -#endif /* OPENSSL_EXTRA && WOLFSSL_SM4_GCM */ - return res; -} - -static int test_wolfssl_EVP_sm4_ccm_zeroLen(void) -{ - int res = TEST_SKIPPED; -#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_SM4_CCM) - /* Zero length plain text */ - EXPECT_DECLS; - byte key[] = { - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 - }; /* align */ - byte iv[] = { - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 - }; /* align */ - byte plaintxt[1]; - int ivSz = 12; - int plaintxtSz = 0; - unsigned char tag[16]; - - byte ciphertxt[SM4_BLOCK_SIZE * 4] = {0}; - byte decryptedtxt[SM4_BLOCK_SIZE * 4] = {0}; - int ciphertxtSz = 0; - int decryptedtxtSz = 0; - int len = 0; - - EVP_CIPHER_CTX *en = EVP_CIPHER_CTX_new(); - EVP_CIPHER_CTX *de = EVP_CIPHER_CTX_new(); - - ExpectIntEQ(1, EVP_EncryptInit_ex(en, EVP_sm4_ccm(), NULL, key, iv)); - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(en, EVP_CTRL_CCM_SET_IVLEN, ivSz, NULL)); - ExpectIntEQ(1, EVP_EncryptUpdate(en, ciphertxt, &ciphertxtSz , plaintxt, - plaintxtSz)); - ExpectIntEQ(1, EVP_EncryptFinal_ex(en, ciphertxt, &len)); - ciphertxtSz += len; - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(en, EVP_CTRL_CCM_GET_TAG, 16, tag)); - ExpectIntEQ(1, EVP_CIPHER_CTX_cleanup(en)); - - ExpectIntEQ(0, ciphertxtSz); - - EVP_CIPHER_CTX_init(de); - ExpectIntEQ(1, EVP_DecryptInit_ex(de, EVP_sm4_ccm(), NULL, key, iv)); - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(de, EVP_CTRL_CCM_SET_IVLEN, ivSz, NULL)); - ExpectIntEQ(1, EVP_DecryptUpdate(de, NULL, &len, ciphertxt, len)); - decryptedtxtSz = len; - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(de, EVP_CTRL_CCM_SET_TAG, 16, tag)); - ExpectIntEQ(1, EVP_DecryptFinal_ex(de, decryptedtxt, &len)); - decryptedtxtSz += len; - ExpectIntEQ(0, decryptedtxtSz); - - EVP_CIPHER_CTX_free(en); - EVP_CIPHER_CTX_free(de); - - res = EXPECT_RESULT(); -#endif /* OPENSSL_EXTRA && WOLFSSL_SM4_CCM */ - return res; -} - -static int test_wolfssl_EVP_sm4_ccm(void) -{ - int res = TEST_SKIPPED; -#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_SM4_CCM) - EXPECT_DECLS; - byte *key = (byte*)"0123456789012345"; - byte *iv = (byte*)"0123456789012"; - int ivSz = (int)XSTRLEN((char*)iv); - /* Message to be encrypted */ - byte *plaintxt = (byte*)"for things to change you have to change"; - /* Additional non-confidential data */ - byte *aad = (byte*)"Don't spend major time on minor things."; - - unsigned char tag[SM4_BLOCK_SIZE] = {0}; - int plaintxtSz = (int)XSTRLEN((char*)plaintxt); - int aadSz = (int)XSTRLEN((char*)aad); - byte ciphertxt[SM4_BLOCK_SIZE * 4] = {0}; - byte decryptedtxt[SM4_BLOCK_SIZE * 4] = {0}; - int ciphertxtSz = 0; - int decryptedtxtSz = 0; - int len = 0; - int i = 0; - EVP_CIPHER_CTX en[2]; - EVP_CIPHER_CTX de[2]; - - for (i = 0; i < 2; i++) { - EVP_CIPHER_CTX_init(&en[i]); - - if (i == 0) { - /* Default uses 96-bits IV length */ - ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_sm4_ccm(), NULL, key, - iv)); - } - else { - ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_sm4_ccm(), NULL, NULL, - NULL)); - /* non-default must to set the IV length first */ - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&en[i], EVP_CTRL_CCM_SET_IVLEN, - ivSz, NULL)); - ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], NULL, NULL, key, iv)); - } - ExpectIntEQ(1, EVP_EncryptUpdate(&en[i], NULL, &len, aad, aadSz)); - ExpectIntEQ(1, EVP_EncryptUpdate(&en[i], ciphertxt, &len, plaintxt, - plaintxtSz)); - ciphertxtSz = len; - ExpectIntEQ(1, EVP_EncryptFinal_ex(&en[i], ciphertxt, &len)); - ciphertxtSz += len; - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&en[i], EVP_CTRL_CCM_GET_TAG, - SM4_BLOCK_SIZE, tag)); - ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_cleanup(&en[i]), 1); - - EVP_CIPHER_CTX_init(&de[i]); - if (i == 0) { - /* Default uses 96-bits IV length */ - ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_sm4_ccm(), NULL, key, - iv)); - } - else { - ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_sm4_ccm(), NULL, NULL, - NULL)); - /* non-default must to set the IV length first */ - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_CCM_SET_IVLEN, - ivSz, NULL)); - ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], NULL, NULL, key, iv)); - - } - ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], NULL, &len, aad, aadSz)); - ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], decryptedtxt, &len, ciphertxt, - ciphertxtSz)); - decryptedtxtSz = len; - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_CCM_SET_TAG, - SM4_BLOCK_SIZE, tag)); - ExpectIntEQ(1, EVP_DecryptFinal_ex(&de[i], decryptedtxt, &len)); - decryptedtxtSz += len; - ExpectIntEQ(ciphertxtSz, decryptedtxtSz); - ExpectIntEQ(0, XMEMCMP(plaintxt, decryptedtxt, decryptedtxtSz)); - - /* modify tag*/ - tag[SM4_BLOCK_SIZE-1]+=0xBB; - ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], NULL, &len, aad, aadSz)); - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_CCM_SET_TAG, - SM4_BLOCK_SIZE, tag)); - /* fail due to wrong tag */ - ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], decryptedtxt, &len, ciphertxt, - ciphertxtSz)); - ExpectIntEQ(0, EVP_DecryptFinal_ex(&de[i], decryptedtxt, &len)); - ExpectIntEQ(0, len); - ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_cleanup(&de[i]), 1); - } - - res = EXPECT_RESULT(); -#endif /* OPENSSL_EXTRA && WOLFSSL_SM4_CCM */ - return res; -} - -static int test_wolfSSL_EVP_PKEY_hkdf(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && defined(HAVE_HKDF) - EVP_PKEY_CTX* ctx = NULL; - byte salt[] = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, - 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F}; - byte key[] = {0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, - 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F}; - byte info[] = {0X01, 0x02, 0x03, 0x04, 0x05}; - byte info2[] = {0X06, 0x07, 0x08, 0x09, 0x0A}; - byte outKey[34]; - size_t outKeySz = sizeof(outKey); - /* These expected outputs were gathered by running the same test below using - * OpenSSL. */ - const byte extractAndExpand[] = { - 0x8B, 0xEB, 0x90, 0xA9, 0x04, 0xFF, 0x05, 0x10, 0xE4, 0xB5, 0xB1, 0x10, - 0x31, 0x34, 0xFF, 0x07, 0x5B, 0xE3, 0xC6, 0x93, 0xD4, 0xF8, 0xC7, 0xEE, - 0x96, 0xDA, 0x78, 0x7A, 0xE2, 0x9A, 0x2D, 0x05, 0x4B, 0xF6 - }; - const byte extractOnly[] = { - 0xE7, 0x6B, 0x9E, 0x0F, 0xE4, 0x02, 0x1D, 0x62, 0xEA, 0x97, 0x74, 0x5E, - 0xF4, 0x3C, 0x65, 0x4D, 0xC1, 0x46, 0x98, 0xAA, 0x79, 0x9A, 0xCB, 0x9C, - 0xCC, 0x3E, 0x7F, 0x2A, 0x2B, 0x41, 0xA1, 0x9E - }; - const byte expandOnly[] = { - 0xFF, 0x29, 0x29, 0x56, 0x9E, 0xA7, 0x66, 0x02, 0xDB, 0x4F, 0xDB, 0x53, - 0x7D, 0x21, 0x67, 0x52, 0xC3, 0x0E, 0xF3, 0xFC, 0x71, 0xCE, 0x67, 0x2B, - 0xEA, 0x3B, 0xE9, 0xFC, 0xDD, 0xC8, 0xCC, 0xB7, 0x42, 0x74 - }; - const byte extractAndExpandAddInfo[] = { - 0x5A, 0x74, 0x79, 0x83, 0xA3, 0xA4, 0x2E, 0xB7, 0xD4, 0x08, 0xC2, 0x6A, - 0x2F, 0xA5, 0xE3, 0x4E, 0xF1, 0xF4, 0x87, 0x3E, 0xA6, 0xC7, 0x88, 0x45, - 0xD7, 0xE2, 0x15, 0xBC, 0xB8, 0x10, 0xEF, 0x6C, 0x4D, 0x7A - }; - - ExpectNotNull((ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL))); - ExpectIntEQ(EVP_PKEY_derive_init(ctx), WOLFSSL_SUCCESS); - /* NULL ctx. */ - ExpectIntEQ(EVP_PKEY_CTX_set_hkdf_md(NULL, EVP_sha256()), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - /* NULL md. */ - ExpectIntEQ(EVP_PKEY_CTX_set_hkdf_md(ctx, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(EVP_PKEY_CTX_set_hkdf_md(ctx, EVP_sha256()), WOLFSSL_SUCCESS); - /* NULL ctx. */ - ExpectIntEQ(EVP_PKEY_CTX_set1_hkdf_salt(NULL, salt, sizeof(salt)), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - /* NULL salt is ok. */ - ExpectIntEQ(EVP_PKEY_CTX_set1_hkdf_salt(ctx, NULL, sizeof(salt)), - WOLFSSL_SUCCESS); - /* Salt length <= 0. */ - /* Length 0 salt is ok. */ - ExpectIntEQ(EVP_PKEY_CTX_set1_hkdf_salt(ctx, salt, 0), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_CTX_set1_hkdf_salt(ctx, salt, -1), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(EVP_PKEY_CTX_set1_hkdf_salt(ctx, salt, sizeof(salt)), - WOLFSSL_SUCCESS); - /* NULL ctx. */ - ExpectIntEQ(EVP_PKEY_CTX_set1_hkdf_key(NULL, key, sizeof(key)), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - /* NULL key. */ - ExpectIntEQ(EVP_PKEY_CTX_set1_hkdf_key(ctx, NULL, sizeof(key)), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - /* Key length <= 0 */ - ExpectIntEQ(EVP_PKEY_CTX_set1_hkdf_key(ctx, key, 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(EVP_PKEY_CTX_set1_hkdf_key(ctx, key, -1), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(EVP_PKEY_CTX_set1_hkdf_key(ctx, key, sizeof(key)), - WOLFSSL_SUCCESS); - /* NULL ctx. */ - ExpectIntEQ(EVP_PKEY_CTX_add1_hkdf_info(NULL, info, sizeof(info)), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - /* NULL info is ok. */ - ExpectIntEQ(EVP_PKEY_CTX_add1_hkdf_info(ctx, NULL, sizeof(info)), - WOLFSSL_SUCCESS); - /* Info length <= 0 */ - /* Length 0 info is ok. */ - ExpectIntEQ(EVP_PKEY_CTX_add1_hkdf_info(ctx, info, 0), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_CTX_add1_hkdf_info(ctx, info, -1), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(EVP_PKEY_CTX_add1_hkdf_info(ctx, info, sizeof(info)), - WOLFSSL_SUCCESS); - /* NULL ctx. */ - ExpectIntEQ(EVP_PKEY_CTX_hkdf_mode(NULL, EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - /* Extract and expand (default). */ - ExpectIntEQ(EVP_PKEY_derive(ctx, outKey, &outKeySz), WOLFSSL_SUCCESS); - ExpectIntEQ(outKeySz, sizeof(extractAndExpand)); - ExpectIntEQ(XMEMCMP(outKey, extractAndExpand, outKeySz), 0); - /* Extract only. */ - ExpectIntEQ(EVP_PKEY_CTX_hkdf_mode(ctx, EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY), - WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_derive(ctx, outKey, &outKeySz), WOLFSSL_SUCCESS); - ExpectIntEQ(outKeySz, sizeof(extractOnly)); - ExpectIntEQ(XMEMCMP(outKey, extractOnly, outKeySz), 0); - outKeySz = sizeof(outKey); - /* Expand only. */ - ExpectIntEQ(EVP_PKEY_CTX_hkdf_mode(ctx, EVP_PKEY_HKDEF_MODE_EXPAND_ONLY), - WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_derive(ctx, outKey, &outKeySz), WOLFSSL_SUCCESS); - ExpectIntEQ(outKeySz, sizeof(expandOnly)); - ExpectIntEQ(XMEMCMP(outKey, expandOnly, outKeySz), 0); - outKeySz = sizeof(outKey); - /* Extract and expand with appended additional info. */ - ExpectIntEQ(EVP_PKEY_CTX_add1_hkdf_info(ctx, info2, sizeof(info2)), - WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_CTX_hkdf_mode(ctx, - EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_derive(ctx, outKey, &outKeySz), WOLFSSL_SUCCESS); - ExpectIntEQ(outKeySz, sizeof(extractAndExpandAddInfo)); - ExpectIntEQ(XMEMCMP(outKey, extractAndExpandAddInfo, outKeySz), 0); - - EVP_PKEY_CTX_free(ctx); -#endif /* OPENSSL_EXTRA && HAVE_HKDF */ - return EXPECT_RESULT(); -} - static int test_wolfSSL_dup_CA_list(void) { int res = TEST_SKIPPED; @@ -32755,253 +22700,6 @@ static int test_wolfSSL_dtls_stateless(void) #endif /* WOLFSSL_DTLS13 && WOLFSSL_SEND_HRR_COOKIE && * HAVE_IO_TESTS_DEPENDENCIES && !SINGLE_THREADED */ -#ifdef HAVE_CERT_CHAIN_VALIDATION -#ifndef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION -#ifdef WOLFSSL_PEM_TO_DER -#ifndef NO_SHA256 -static int load_ca_into_cm(WOLFSSL_CERT_MANAGER* cm, char* certA) -{ - int ret; - - if ((ret = wolfSSL_CertManagerLoadCA(cm, certA, 0)) != WOLFSSL_SUCCESS) { - fprintf(stderr, "loading cert %s failed\n", certA); - fprintf(stderr, "Error: (%d): %s\n", ret, - wolfSSL_ERR_reason_error_string((word32)ret)); - return -1; - } - - return 0; -} - -static int verify_cert_with_cm(WOLFSSL_CERT_MANAGER* cm, char* certA) -{ - int ret; - if ((ret = wolfSSL_CertManagerVerify(cm, certA, CERT_FILETYPE)) - != WOLFSSL_SUCCESS) { - fprintf(stderr, "could not verify the cert: %s\n", certA); - fprintf(stderr, "Error: (%d): %s\n", ret, - wolfSSL_ERR_reason_error_string((word32)ret)); - return -1; - } - else { - fprintf(stderr, "successfully verified: %s\n", certA); - } - - return 0; -} -#define LOAD_ONE_CA(a, b, c, d) \ - do { \ - (a) = load_ca_into_cm(c, d); \ - if ((a) != 0) \ - return (b); \ - else \ - (b)--; \ - } while(0) - -#define VERIFY_ONE_CERT(a, b, c, d) \ - do { \ - (a) = verify_cert_with_cm(c, d);\ - if ((a) != 0) \ - return (b); \ - else \ - (b)--; \ - } while(0) - -static int test_chainG(WOLFSSL_CERT_MANAGER* cm) -{ - int ret; - int i = -1; - /* Chain G is a valid chain per RFC 5280 section 4.2.1.9 */ - char chainGArr[9][50] = {"certs/ca-cert.pem", - "certs/test-pathlen/chainG-ICA7-pathlen100.pem", - "certs/test-pathlen/chainG-ICA6-pathlen10.pem", - "certs/test-pathlen/chainG-ICA5-pathlen20.pem", - "certs/test-pathlen/chainG-ICA4-pathlen5.pem", - "certs/test-pathlen/chainG-ICA3-pathlen99.pem", - "certs/test-pathlen/chainG-ICA2-pathlen1.pem", - "certs/test-pathlen/chainG-ICA1-pathlen0.pem", - "certs/test-pathlen/chainG-entity.pem"}; - - LOAD_ONE_CA(ret, i, cm, chainGArr[0]); /* if failure, i = -1 here */ - LOAD_ONE_CA(ret, i, cm, chainGArr[1]); /* if failure, i = -2 here */ - LOAD_ONE_CA(ret, i, cm, chainGArr[2]); /* if failure, i = -3 here */ - LOAD_ONE_CA(ret, i, cm, chainGArr[3]); /* if failure, i = -4 here */ - LOAD_ONE_CA(ret, i, cm, chainGArr[4]); /* if failure, i = -5 here */ - LOAD_ONE_CA(ret, i, cm, chainGArr[5]); /* if failure, i = -6 here */ - LOAD_ONE_CA(ret, i, cm, chainGArr[6]); /* if failure, i = -7 here */ - LOAD_ONE_CA(ret, i, cm, chainGArr[7]); /* if failure, i = -8 here */ - VERIFY_ONE_CERT(ret, i, cm, chainGArr[1]); /* if failure, i = -9 here */ - VERIFY_ONE_CERT(ret, i, cm, chainGArr[2]); /* if failure, i = -10 here */ - VERIFY_ONE_CERT(ret, i, cm, chainGArr[3]); /* if failure, i = -11 here */ - VERIFY_ONE_CERT(ret, i, cm, chainGArr[4]); /* if failure, i = -12 here */ - VERIFY_ONE_CERT(ret, i, cm, chainGArr[5]); /* if failure, i = -13 here */ - VERIFY_ONE_CERT(ret, i, cm, chainGArr[6]); /* if failure, i = -14 here */ - VERIFY_ONE_CERT(ret, i, cm, chainGArr[7]); /* if failure, i = -15 here */ - VERIFY_ONE_CERT(ret, i, cm, chainGArr[8]); /* if failure, i = -16 here */ - - /* test validating the entity twice, should have no effect on pathLen since - * entity/leaf cert */ - VERIFY_ONE_CERT(ret, i, cm, chainGArr[8]); /* if failure, i = -17 here */ - - return ret; -} - -static int test_chainH(WOLFSSL_CERT_MANAGER* cm) -{ - int ret; - int i = -1; - /* Chain H is NOT a valid chain per RFC5280 section 4.2.1.9: - * ICA4-pathlen of 2 signing ICA3-pathlen of 2 (reduce max path len to 2) - * ICA3-pathlen of 2 signing ICA2-pathlen of 2 (reduce max path len to 1) - * ICA2-pathlen of 2 signing ICA1-pathlen of 0 (reduce max path len to 0) - * ICA1-pathlen of 0 signing entity (pathlen is already 0, ERROR) - * Test should successfully verify ICA4, ICA3, ICA2 and then fail on ICA1 - */ - char chainHArr[6][50] = {"certs/ca-cert.pem", - "certs/test-pathlen/chainH-ICA4-pathlen2.pem", - "certs/test-pathlen/chainH-ICA3-pathlen2.pem", - "certs/test-pathlen/chainH-ICA2-pathlen2.pem", - "certs/test-pathlen/chainH-ICA1-pathlen0.pem", - "certs/test-pathlen/chainH-entity.pem"}; - - LOAD_ONE_CA(ret, i, cm, chainHArr[0]); /* if failure, i = -1 here */ - LOAD_ONE_CA(ret, i, cm, chainHArr[1]); /* if failure, i = -2 here */ - LOAD_ONE_CA(ret, i, cm, chainHArr[2]); /* if failure, i = -3 here */ - LOAD_ONE_CA(ret, i, cm, chainHArr[3]); /* if failure, i = -4 here */ - LOAD_ONE_CA(ret, i, cm, chainHArr[4]); /* if failure, i = -5 here */ - VERIFY_ONE_CERT(ret, i, cm, chainHArr[1]); /* if failure, i = -6 here */ - VERIFY_ONE_CERT(ret, i, cm, chainHArr[2]); /* if failure, i = -7 here */ - VERIFY_ONE_CERT(ret, i, cm, chainHArr[3]); /* if failure, i = -8 here */ - VERIFY_ONE_CERT(ret, i, cm, chainHArr[4]); /* if failure, i = -9 here */ - VERIFY_ONE_CERT(ret, i, cm, chainHArr[5]); /* if failure, i = -10 here */ - - return ret; -} - -static int test_chainI(WOLFSSL_CERT_MANAGER* cm) -{ - int ret; - int i = -1; - /* Chain I is a valid chain per RFC5280 section 4.2.1.9: - * ICA3-pathlen of 2 signing ICA2 without a pathlen (reduce maxPathLen to 2) - * ICA2-no_pathlen signing ICA1-no_pathlen (reduce maxPathLen to 1) - * ICA1-no_pathlen signing entity (reduce maxPathLen to 0) - * Test should successfully verify ICA4, ICA3, ICA2 and then fail on ICA1 - */ - char chainIArr[5][50] = {"certs/ca-cert.pem", - "certs/test-pathlen/chainI-ICA3-pathlen2.pem", - "certs/test-pathlen/chainI-ICA2-no_pathlen.pem", - "certs/test-pathlen/chainI-ICA1-no_pathlen.pem", - "certs/test-pathlen/chainI-entity.pem"}; - - LOAD_ONE_CA(ret, i, cm, chainIArr[0]); /* if failure, i = -1 here */ - LOAD_ONE_CA(ret, i, cm, chainIArr[1]); /* if failure, i = -2 here */ - LOAD_ONE_CA(ret, i, cm, chainIArr[2]); /* if failure, i = -3 here */ - LOAD_ONE_CA(ret, i, cm, chainIArr[3]); /* if failure, i = -4 here */ - VERIFY_ONE_CERT(ret, i, cm, chainIArr[1]); /* if failure, i = -5 here */ - VERIFY_ONE_CERT(ret, i, cm, chainIArr[2]); /* if failure, i = -6 here */ - VERIFY_ONE_CERT(ret, i, cm, chainIArr[3]); /* if failure, i = -7 here */ - VERIFY_ONE_CERT(ret, i, cm, chainIArr[4]); /* if failure, i = -8 here */ - - return ret; -} - -static int test_chainJ(WOLFSSL_CERT_MANAGER* cm) -{ - int ret; - int i = -1; - /* Chain J is NOT a valid chain per RFC5280 section 4.2.1.9: - * ICA4-pathlen of 2 signing ICA3 without a pathlen (reduce maxPathLen to 2) - * ICA3-pathlen of 2 signing ICA2 without a pathlen (reduce maxPathLen to 1) - * ICA2-no_pathlen signing ICA1-no_pathlen (reduce maxPathLen to 0) - * ICA1-no_pathlen signing entity (ERROR, pathlen zero and non-leaf cert) - */ - char chainJArr[6][50] = {"certs/ca-cert.pem", - "certs/test-pathlen/chainJ-ICA4-pathlen2.pem", - "certs/test-pathlen/chainJ-ICA3-no_pathlen.pem", - "certs/test-pathlen/chainJ-ICA2-no_pathlen.pem", - "certs/test-pathlen/chainJ-ICA1-no_pathlen.pem", - "certs/test-pathlen/chainJ-entity.pem"}; - - LOAD_ONE_CA(ret, i, cm, chainJArr[0]); /* if failure, i = -1 here */ - LOAD_ONE_CA(ret, i, cm, chainJArr[1]); /* if failure, i = -2 here */ - LOAD_ONE_CA(ret, i, cm, chainJArr[2]); /* if failure, i = -3 here */ - LOAD_ONE_CA(ret, i, cm, chainJArr[3]); /* if failure, i = -4 here */ - LOAD_ONE_CA(ret, i, cm, chainJArr[4]); /* if failure, i = -5 here */ - VERIFY_ONE_CERT(ret, i, cm, chainJArr[1]); /* if failure, i = -6 here */ - VERIFY_ONE_CERT(ret, i, cm, chainJArr[2]); /* if failure, i = -7 here */ - VERIFY_ONE_CERT(ret, i, cm, chainJArr[3]); /* if failure, i = -8 here */ - VERIFY_ONE_CERT(ret, i, cm, chainJArr[4]); /* if failure, i = -9 here */ - VERIFY_ONE_CERT(ret, i, cm, chainJArr[5]); /* if failure, i = -10 here */ - - return ret; -} -#endif - -static int test_various_pathlen_chains(void) -{ - EXPECT_DECLS; -#ifndef NO_SHA256 - WOLFSSL_CERT_MANAGER* cm = NULL; - - /* Test chain G (large chain with varying pathLens) */ - ExpectNotNull(cm = wolfSSL_CertManagerNew()); -#if defined(NO_WOLFSSL_CLIENT) && defined(NO_WOLFSSL_SERVER) - ExpectIntEQ(test_chainG(cm), -1); -#else - ExpectIntEQ(test_chainG(cm), 0); -#endif /* NO_WOLFSSL_CLIENT && NO_WOLFSSL_SERVER */ - ExpectIntEQ(wolfSSL_CertManagerUnloadCAs(cm), WOLFSSL_SUCCESS); - wolfSSL_CertManagerFree(cm); - /* end test chain G */ - - /* Test chain H (5 chain with same pathLens) */ - ExpectNotNull(cm = wolfSSL_CertManagerNew()); - ExpectIntLT(test_chainH(cm), 0); - ExpectIntEQ(wolfSSL_CertManagerUnloadCAs(cm), WOLFSSL_SUCCESS); - wolfSSL_CertManagerFree(cm); - - ExpectNotNull(cm = wolfSSL_CertManagerNew()); - ExpectIntEQ(wolfSSL_CertManagerUnloadCAs(cm), WOLFSSL_SUCCESS); - wolfSSL_CertManagerFree(cm); - /* end test chain H */ - - /* Test chain I (only first ICA has pathLen set and it's set to 2, - * followed by 2 ICA's, should pass) */ - ExpectNotNull(cm = wolfSSL_CertManagerNew()); -#if defined(NO_WOLFSSL_CLIENT) && defined(NO_WOLFSSL_SERVER) - ExpectIntEQ(test_chainI(cm), -1); -#else - ExpectIntEQ(test_chainI(cm), 0); -#endif /* NO_WOLFSSL_CLIENT && NO_WOLFSSL_SERVER */ - ExpectIntEQ(wolfSSL_CertManagerUnloadCAs(cm), WOLFSSL_SUCCESS); - wolfSSL_CertManagerFree(cm); - cm = NULL; - - ExpectNotNull(cm = wolfSSL_CertManagerNew()); - ExpectIntEQ(wolfSSL_CertManagerUnloadCAs(cm), WOLFSSL_SUCCESS); - wolfSSL_CertManagerFree(cm); - cm = NULL; - - /* Test chain J (Again only first ICA has pathLen set and it's set to 2, - * this time followed by 3 ICA's, should fail */ - ExpectNotNull(cm = wolfSSL_CertManagerNew()); - ExpectIntLT(test_chainJ(cm), 0); - ExpectIntEQ(wolfSSL_CertManagerUnloadCAs(cm), WOLFSSL_SUCCESS); - wolfSSL_CertManagerFree(cm); - cm = NULL; - - ExpectNotNull(cm = wolfSSL_CertManagerNew()); - ExpectIntEQ(wolfSSL_CertManagerUnloadCAs(cm), WOLFSSL_SUCCESS); - wolfSSL_CertManagerFree(cm); -#endif - - return EXPECT_RESULT(); -} -#endif -#endif -#endif /* !NO_RSA && !NO_SHA && !NO_FILESYSTEM && !NO_CERTS */ - #if defined(HAVE_KEYING_MATERIAL) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) static int test_export_keying_material_cb(WOLFSSL_CTX *ctx, WOLFSSL *ssl) { @@ -34859,243 +24557,6 @@ static int test_wolfSSL_ERR_strings(void) return EXPECT_RESULT(); } -static int test_wolfSSL_EVP_shake128(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_SHA3) && \ - defined(WOLFSSL_SHAKE128) - const EVP_MD* md = NULL; - - ExpectNotNull(md = EVP_shake128()); - ExpectIntEQ(XSTRNCMP(md, "SHAKE128", XSTRLEN("SHAKE128")), 0); -#endif - - return EXPECT_RESULT(); -} - -static int test_wolfSSL_EVP_shake256(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_SHA3) && \ - defined(WOLFSSL_SHAKE256) - const EVP_MD* md = NULL; - - ExpectNotNull(md = EVP_shake256()); - ExpectIntEQ(XSTRNCMP(md, "SHAKE256", XSTRLEN("SHAKE256")), 0); -#endif - - return EXPECT_RESULT(); -} - -/* - * Testing EVP digest API with SM3 - */ -static int test_wolfSSL_EVP_sm3(void) -{ - int res = TEST_SKIPPED; -#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_SM3) - EXPECT_DECLS; - const EVP_MD* md = NULL; - EVP_MD_CTX* mdCtx = NULL; - byte data[WC_SM3_BLOCK_SIZE * 4]; - byte hash[WC_SM3_DIGEST_SIZE]; - byte calcHash[WC_SM3_DIGEST_SIZE]; - byte expHash[WC_SM3_DIGEST_SIZE] = { - 0x38, 0x48, 0x15, 0xa7, 0x0e, 0xae, 0x0b, 0x27, - 0x5c, 0xde, 0x9d, 0xa5, 0xd1, 0xa4, 0x30, 0xa1, - 0xca, 0xd4, 0x54, 0x58, 0x44, 0xa2, 0x96, 0x1b, - 0xd7, 0x14, 0x80, 0x3f, 0x80, 0x1a, 0x07, 0xb6 - }; - word32 chunk; - word32 i; - unsigned int sz; - int ret; - - XMEMSET(data, 0, sizeof(data)); - - md = EVP_sm3(); - ExpectTrue(md != NULL); - ExpectIntEQ(XSTRNCMP(md, "SM3", XSTRLEN("SM3")), 0); - mdCtx = EVP_MD_CTX_new(); - ExpectTrue(mdCtx != NULL); - - /* Invalid Parameters */ - ExpectIntEQ(EVP_DigestInit(NULL, md), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - /* Valid Parameters */ - ExpectIntEQ(EVP_DigestInit(mdCtx, md), WOLFSSL_SUCCESS); - - ExpectIntEQ(EVP_DigestUpdate(NULL, NULL, 1), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(EVP_DigestUpdate(mdCtx, NULL, 1), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(EVP_DigestUpdate(NULL, data, 1), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - - /* Valid Parameters */ - ExpectIntEQ(EVP_DigestUpdate(mdCtx, NULL, 0), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_DigestUpdate(mdCtx, data, 1), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_DigestUpdate(mdCtx, data, 1), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_DigestUpdate(mdCtx, data, WC_SM3_BLOCK_SIZE), - WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_DigestUpdate(mdCtx, data, WC_SM3_BLOCK_SIZE - 2), - WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_DigestUpdate(mdCtx, data, WC_SM3_BLOCK_SIZE * 2), - WOLFSSL_SUCCESS); - /* Ensure too many bytes for lengths. */ - ExpectIntEQ(EVP_DigestUpdate(mdCtx, data, WC_SM3_PAD_SIZE), - WOLFSSL_SUCCESS); - - /* Invalid Parameters */ - ExpectIntEQ(EVP_DigestFinal(NULL, NULL, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(EVP_DigestFinal(mdCtx, NULL, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(EVP_DigestFinal(NULL, hash, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(EVP_DigestFinal(NULL, hash, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(EVP_DigestFinal(mdCtx, NULL, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - - /* Valid Parameters */ - ExpectIntEQ(EVP_DigestFinal(mdCtx, hash, NULL), WOLFSSL_SUCCESS); - ExpectBufEQ(hash, expHash, WC_SM3_DIGEST_SIZE); - - /* Chunk tests. */ - ExpectIntEQ(EVP_DigestUpdate(mdCtx, data, sizeof(data)), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_DigestFinal(mdCtx, calcHash, &sz), WOLFSSL_SUCCESS); - ExpectIntEQ(sz, WC_SM3_DIGEST_SIZE); - for (chunk = 1; chunk <= WC_SM3_BLOCK_SIZE + 1; chunk++) { - for (i = 0; i + chunk <= (word32)sizeof(data); i += chunk) { - ExpectIntEQ(EVP_DigestUpdate(mdCtx, data + i, chunk), - WOLFSSL_SUCCESS); - } - if (i < (word32)sizeof(data)) { - ExpectIntEQ(EVP_DigestUpdate(mdCtx, data + i, - (word32)sizeof(data) - i), WOLFSSL_SUCCESS); - } - ExpectIntEQ(EVP_DigestFinal(mdCtx, hash, NULL), WOLFSSL_SUCCESS); - ExpectBufEQ(hash, calcHash, WC_SM3_DIGEST_SIZE); - } - - /* Not testing when the low 32-bit length overflows. */ - - ret = EVP_MD_CTX_cleanup(mdCtx); - ExpectIntEQ(ret, WOLFSSL_SUCCESS); - wolfSSL_EVP_MD_CTX_free(mdCtx); - - res = EXPECT_RESULT(); -#endif - return res; -} /* END test_EVP_sm3 */ - -static int test_EVP_blake2(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && (defined(HAVE_BLAKE2) || defined(HAVE_BLAKE2S)) - const EVP_MD* md = NULL; - (void)md; - -#if defined(HAVE_BLAKE2) - ExpectNotNull(md = EVP_blake2b512()); - ExpectIntEQ(XSTRNCMP(md, "BLAKE2b512", XSTRLEN("BLAKE2b512")), 0); -#endif - -#if defined(HAVE_BLAKE2S) - ExpectNotNull(md = EVP_blake2s256()); - ExpectIntEQ(XSTRNCMP(md, "BLAKE2s256", XSTRLEN("BLAKE2s256")), 0); -#endif -#endif - - return EXPECT_RESULT(); -} - -#if defined(OPENSSL_EXTRA) -static void list_md_fn(const EVP_MD* m, const char* from, - const char* to, void* arg) -{ - const char* mn; - BIO *bio; - - (void) from; - (void) to; - (void) arg; - (void) mn; - (void) bio; - - if (!m) { - /* alias */ - AssertNull(m); - AssertNotNull(to); - } - else { - AssertNotNull(m); - AssertNull(to); - } - - AssertNotNull(from); - -#if !defined(NO_FILESYSTEM) && defined(DEBUG_WOLFSSL_VERBOSE) - mn = EVP_get_digestbyname(from); - /* print to stderr */ - AssertNotNull(arg); - - bio = BIO_new(BIO_s_file()); - BIO_set_fp(bio, arg, BIO_NOCLOSE); - BIO_printf(bio, "Use %s message digest algorithm\n", mn); - BIO_free(bio); -#endif -} -#endif - -static int test_EVP_MD_do_all(void) -{ - int res = TEST_SKIPPED; -#if defined(OPENSSL_EXTRA) - EVP_MD_do_all(NULL, stderr); - - EVP_MD_do_all(list_md_fn, stderr); - - res = TEST_SUCCESS; -#endif - - return res; -} - -#if defined(OPENSSL_EXTRA) -static void obj_name_t(const OBJ_NAME* nm, void* arg) -{ - (void)arg; - (void)nm; - - AssertIntGT(nm->type, OBJ_NAME_TYPE_UNDEF); - -#if !defined(NO_FILESYSTEM) && defined(DEBUG_WOLFSSL_VERBOSE) - /* print to stderr */ - AssertNotNull(arg); - - BIO *bio = BIO_new(BIO_s_file()); - BIO_set_fp(bio, arg, BIO_NOCLOSE); - BIO_printf(bio, "%s\n", nm); - BIO_free(bio); -#endif -} - -#endif -static int test_OBJ_NAME_do_all(void) -{ - int res = TEST_SKIPPED; -#if defined(OPENSSL_EXTRA) - - OBJ_NAME_do_all(OBJ_NAME_TYPE_MD_METH, NULL, NULL); - - OBJ_NAME_do_all(OBJ_NAME_TYPE_CIPHER_METH, NULL, stderr); - - OBJ_NAME_do_all(OBJ_NAME_TYPE_MD_METH, obj_name_t, stderr); - OBJ_NAME_do_all(OBJ_NAME_TYPE_PKEY_METH, obj_name_t, stderr); - OBJ_NAME_do_all(OBJ_NAME_TYPE_COMP_METH, obj_name_t, stderr); - OBJ_NAME_do_all(OBJ_NAME_TYPE_NUM, obj_name_t, stderr); - OBJ_NAME_do_all(OBJ_NAME_TYPE_UNDEF, obj_name_t, stderr); - OBJ_NAME_do_all(OBJ_NAME_TYPE_CIPHER_METH, obj_name_t, stderr); - OBJ_NAME_do_all(-1, obj_name_t, stderr); - - res = TEST_SUCCESS; -#endif - - return res; -} static int test_SSL_CIPHER_get_xxx(void) { @@ -41619,11 +31080,6 @@ TEST_CASE testCases[] = { TEST_DECL(test_wolfSSL_lhash), -#ifndef NO_BIO - TEST_DECL(test_wolfSSL_BIO), - TEST_DECL(test_wolfSSL_BIO_BIO_ring_read), -#endif - TEST_DECL(test_wolfSSL_certs), TEST_DECL(test_wolfSSL_X509_ext_d2i), @@ -41631,90 +31087,11 @@ TEST_CASE testCases[] = { TEST_SSL_PEM_DECLS, /* EVP API testing */ - TEST_DECL(test_wolfSSL_EVP_ENCODE_CTX_new), - TEST_DECL(test_wolfSSL_EVP_ENCODE_CTX_free), - TEST_DECL(test_wolfSSL_EVP_EncodeInit), - TEST_DECL(test_wolfSSL_EVP_EncodeUpdate), - TEST_DECL(test_wolfSSL_EVP_CipherUpdate_Null), - TEST_DECL(test_wolfSSL_EVP_CIPHER_type_string), - TEST_DECL(test_wolfSSL_EVP_EncodeFinal), - TEST_DECL(test_wolfSSL_EVP_DecodeInit), - TEST_DECL(test_wolfSSL_EVP_DecodeUpdate), - TEST_DECL(test_wolfSSL_EVP_DecodeFinal), + TEST_EVP_ENC_DECLS, + TEST_EVP_DIGEST_DECLS, + TEST_EVP_CIPHER_DECLS, + TEST_EVP_PKEY_DECLS, - TEST_DECL(test_wolfSSL_EVP_shake128), - TEST_DECL(test_wolfSSL_EVP_shake256), - TEST_DECL(test_wolfSSL_EVP_sm3), - TEST_DECL(test_EVP_blake2), -#ifdef OPENSSL_ALL - TEST_DECL(test_wolfSSL_EVP_md4), - TEST_DECL(test_wolfSSL_EVP_ripemd160), - TEST_DECL(test_wolfSSL_EVP_get_digestbynid), - TEST_DECL(test_wolfSSL_EVP_MD_nid), - - TEST_DECL(test_wolfSSL_EVP_DigestFinal_ex), - TEST_DECL(test_wolfSSL_EVP_DigestFinalXOF), -#endif - - TEST_DECL(test_EVP_MD_do_all), - TEST_DECL(test_wolfSSL_EVP_MD_size), - TEST_DECL(test_wolfSSL_EVP_MD_pkey_type), - TEST_DECL(test_wolfSSL_EVP_Digest), - TEST_DECL(test_wolfSSL_EVP_Digest_all), - TEST_DECL(test_wolfSSL_EVP_MD_hmac_signing), - TEST_DECL(test_wolfSSL_EVP_MD_rsa_signing), - TEST_DECL(test_wolfSSL_EVP_MD_ecc_signing), - - TEST_DECL(test_wolfssl_EVP_aes_gcm), - TEST_DECL(test_wolfssl_EVP_aes_gcm_AAD_2_parts), - TEST_DECL(test_wolfssl_EVP_aes_gcm_zeroLen), - TEST_DECL(test_wolfssl_EVP_aes_ccm), - TEST_DECL(test_wolfssl_EVP_aes_ccm_zeroLen), - TEST_DECL(test_wolfssl_EVP_chacha20), - TEST_DECL(test_wolfssl_EVP_chacha20_poly1305), - TEST_DECL(test_wolfssl_EVP_sm4_ecb), - TEST_DECL(test_wolfssl_EVP_sm4_cbc), - TEST_DECL(test_wolfssl_EVP_sm4_ctr), - TEST_DECL(test_wolfssl_EVP_sm4_gcm_zeroLen), - TEST_DECL(test_wolfssl_EVP_sm4_gcm), - TEST_DECL(test_wolfssl_EVP_sm4_ccm_zeroLen), - TEST_DECL(test_wolfssl_EVP_sm4_ccm), -#ifdef OPENSSL_ALL - TEST_DECL(test_wolfSSL_EVP_aes_256_gcm), - TEST_DECL(test_wolfSSL_EVP_aes_192_gcm), - TEST_DECL(test_wolfSSL_EVP_aes_256_ccm), - TEST_DECL(test_wolfSSL_EVP_aes_192_ccm), - TEST_DECL(test_wolfSSL_EVP_aes_128_ccm), - TEST_DECL(test_wolfSSL_EVP_rc4), - TEST_DECL(test_wolfSSL_EVP_enc_null), - TEST_DECL(test_wolfSSL_EVP_rc2_cbc), - TEST_DECL(test_wolfSSL_EVP_mdc2), - - TEST_DECL(test_evp_cipher_aes_gcm), -#endif - TEST_DECL(test_wolfssl_EVP_aria_gcm), - TEST_DECL(test_wolfSSL_EVP_Cipher_extra), -#ifdef OPENSSL_EXTRA - TEST_DECL(test_wolfSSL_EVP_get_cipherbynid), - TEST_DECL(test_wolfSSL_EVP_CIPHER_CTX), -#endif -#ifdef OPENSSL_ALL - TEST_DECL(test_wolfSSL_EVP_CIPHER_CTX_iv_length), - TEST_DECL(test_wolfSSL_EVP_CIPHER_CTX_key_length), - TEST_DECL(test_wolfSSL_EVP_CIPHER_CTX_set_iv), - TEST_DECL(test_wolfSSL_EVP_CIPHER_block_size), - TEST_DECL(test_wolfSSL_EVP_CIPHER_iv_length), - TEST_DECL(test_wolfSSL_EVP_X_STATE), - TEST_DECL(test_wolfSSL_EVP_X_STATE_LEN), - TEST_DECL(test_wolfSSL_EVP_BytesToKey), -#endif - - TEST_DECL(test_wolfSSL_EVP_PKEY_print_public), - TEST_DECL(test_wolfSSL_EVP_PKEY_new_mac_key), - TEST_DECL(test_wolfSSL_EVP_PKEY_new_CMAC_key), - TEST_DECL(test_wolfSSL_EVP_PKEY_up_ref), - TEST_DECL(test_wolfSSL_EVP_PKEY_hkdf), - TEST_DECL(test_wolfSSL_EVP_PKEY_derive), TEST_DECL(test_wolfSSL_d2i_and_i2d_PublicKey), TEST_DECL(test_wolfSSL_d2i_and_i2d_PublicKey_ecc), #ifndef NO_BIO @@ -41727,43 +31104,9 @@ TEST_CASE testCases[] = { #ifndef NO_BIO TEST_DECL(test_wolfSSL_d2i_PrivateKeys_bio), #endif /* !NO_BIO */ -#endif -#ifdef OPENSSL_ALL - TEST_DECL(test_wolfSSL_EVP_PKEY_set1_get1_DSA), - TEST_DECL(test_wolfSSL_EVP_PKEY_set1_get1_EC_KEY), - TEST_DECL(test_wolfSSL_EVP_PKEY_set1_get1_DH), - TEST_DECL(test_wolfSSL_EVP_PKEY_assign), - TEST_DECL(test_wolfSSL_EVP_PKEY_assign_DH), - TEST_DECL(test_wolfSSL_EVP_PKEY_base_id), - TEST_DECL(test_wolfSSL_EVP_PKEY_id), - TEST_DECL(test_wolfSSL_EVP_PKEY_paramgen), - TEST_DECL(test_wolfSSL_EVP_PKEY_keygen), - TEST_DECL(test_wolfSSL_EVP_PKEY_keygen_init), - TEST_DECL(test_wolfSSL_EVP_PKEY_missing_parameters), - TEST_DECL(test_wolfSSL_EVP_PKEY_copy_parameters), - TEST_DECL(test_wolfSSL_EVP_PKEY_CTX_set_rsa_keygen_bits), - TEST_DECL(test_wolfSSL_EVP_PKEY_CTX_new_id), - TEST_DECL(test_wolfSSL_EVP_PKEY_get0_EC_KEY), #endif - TEST_DECL(test_EVP_PKEY_rsa), - TEST_DECL(test_wc_RsaPSS_DigitalSignVerify), - TEST_DECL(test_EVP_PKEY_ec), - TEST_DECL(test_wolfSSL_EVP_PKEY_encrypt), - TEST_DECL(test_wolfSSL_EVP_PKEY_sign_verify_rsa), - TEST_DECL(test_wolfSSL_EVP_PKEY_sign_verify_dsa), - TEST_DECL(test_wolfSSL_EVP_PKEY_sign_verify_ec), - TEST_DECL(test_EVP_PKEY_cmp), -#ifdef OPENSSL_ALL - TEST_DECL(test_wolfSSL_EVP_SignInit_ex), - TEST_DECL(test_wolfSSL_EVP_PKEY_param_check), - TEST_DECL(test_wolfSSL_QT_EVP_PKEY_CTX_free), -#endif - - TEST_DECL(test_wolfSSL_EVP_PBE_scrypt), - - TEST_DECL(test_wolfSSL_CTX_add_extra_chain_cert), #if !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) TEST_DECL(test_wolfSSL_ERR_peek_last_error_line), #endif @@ -41821,10 +31164,7 @@ TEST_CASE testCases[] = { TEST_DECL(test_wolfSSL_X509_REQ_print), /* RAND compatibility API */ - TEST_DECL(test_wolfSSL_RAND_set_rand_method), - TEST_DECL(test_wolfSSL_RAND_bytes), - TEST_DECL(test_wolfSSL_RAND), - TEST_DECL(test_wolfSSL_RAND_poll), + TEST_OSSL_RAND_DECLS, /* BN compatibility API */ TEST_OSSL_ASN1_BN_DECLS, @@ -41837,21 +31177,10 @@ TEST_CASE testCases[] = { TEST_DECL(test_wolfSSL_PKCS8_d2i), /* OpenSSL PKCS7 API test */ - TEST_DECL(test_wolfssl_PKCS7), - TEST_DECL(test_wolfSSL_PKCS7_certs), - TEST_DECL(test_wolfSSL_PKCS7_sign), - TEST_DECL(test_wolfSSL_PKCS7_SIGNED_new), -#ifndef NO_BIO - TEST_DECL(test_wolfSSL_PEM_write_bio_PKCS7), - TEST_DECL(test_wolfSSL_PEM_write_bio_encryptedKey), -#ifdef HAVE_SMIME - TEST_DECL(test_wolfSSL_SMIME_read_PKCS7), - TEST_DECL(test_wolfSSL_SMIME_write_PKCS7), -#endif /* HAVE_SMIME */ -#endif /* !NO_BIO */ - + TEST_OSSL_PKCS7_DECLS, + TEST_OSSL_SMIME_DECLS, /* OpenSSL PKCS12 API test */ - TEST_DECL(test_wolfSSL_PKCS12), + TEST_OSSL_PKCS12_DECLS, /* Can't memory test as callbacks use Assert. */ TEST_DECL(test_error_queue_per_thread), @@ -41861,15 +31190,7 @@ TEST_CASE testCases[] = { TEST_DECL(test_wolfSSL_ERR_print_errors), #endif - TEST_DECL(test_OBJ_NAME_do_all), - TEST_DECL(test_wolfSSL_OBJ), - TEST_DECL(test_wolfSSL_OBJ_cmp), - TEST_DECL(test_wolfSSL_OBJ_txt2nid), - TEST_DECL(test_wolfSSL_OBJ_txt2obj), -#ifdef OPENSSL_ALL - TEST_DECL(test_wolfSSL_OBJ_ln), - TEST_DECL(test_wolfSSL_OBJ_sn), -#endif + TEST_OSSL_OBJ_DECLS, #ifndef NO_BIO TEST_OSSL_BIO_DECLS, @@ -41963,26 +31284,9 @@ TEST_CASE testCases[] = { /********************************* * CertManager API tests *********************************/ + TEST_CERTMAN_DECLS, - TEST_DECL(test_wolfSSL_CertManagerAPI), - TEST_DECL(test_wolfSSL_CertManagerLoadCABuffer), - TEST_DECL(test_wolfSSL_CertManagerLoadCABuffer_ex), - TEST_DECL(test_wolfSSL_CertManagerLoadCABufferType), - TEST_DECL(test_wolfSSL_CertManagerGetCerts), - TEST_DECL(test_wolfSSL_CertManagerSetVerify), - TEST_DECL(test_wolfSSL_CertManagerNameConstraint), - TEST_DECL(test_wolfSSL_CertManagerNameConstraint2), - TEST_DECL(test_wolfSSL_CertManagerNameConstraint3), - TEST_DECL(test_wolfSSL_CertManagerNameConstraint4), - TEST_DECL(test_wolfSSL_CertManagerNameConstraint5), - TEST_DECL(test_wolfSSL_CertManagerCRL), - TEST_DECL(test_wolfSSL_CRL_duplicate_extensions), - TEST_DECL(test_wolfSSL_CertManagerCheckOCSPResponse), TEST_DECL(test_wolfSSL_CheckOCSPResponse), -#if defined(HAVE_CERT_CHAIN_VALIDATION) && !defined(WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION) && \ - defined(WOLFSSL_PEM_TO_DER) - TEST_DECL(test_various_pathlen_chains), -#endif /********************************* * SSL/TLS API tests @@ -42075,6 +31379,7 @@ TEST_CASE testCases[] = { TEST_DECL(test_wolfSSL_CTX_load_verify_locations), /* Large number of memory allocations. */ TEST_DECL(test_wolfSSL_CTX_load_system_CA_certs), + TEST_DECL(test_wolfSSL_CTX_add_extra_chain_cert), #if defined(HAVE_CERT_CHAIN_VALIDATION) && \ !defined(WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION) diff --git a/tests/api/api.h b/tests/api/api.h index 125ec273d..fa14484c9 100644 --- a/tests/api/api.h +++ b/tests/api/api.h @@ -52,6 +52,11 @@ #define FOURK_BUF 4096 #endif +#if !defined(NO_RSA) && !defined(NO_SHA) && !defined(NO_FILESYSTEM) && \ + !defined(NO_CERTS) && \ + (!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)) + #define HAVE_CERT_CHAIN_VALIDATION +#endif #ifndef NO_RSA #define GEN_BUF 294 diff --git a/tests/api/include.am b/tests/api/include.am index 79d15c0ef..59091b081 100644 --- a/tests/api/include.am +++ b/tests/api/include.am @@ -93,6 +93,16 @@ tests_unit_test_SOURCES += tests/api/test_ossl_x509_str.c tests_unit_test_SOURCES += tests/api/test_ossl_x509_lu.c # SSL PEM tests_unit_test_SOURCES += tests/api/test_ossl_pem.c +# SSL Random +tests_unit_test_SOURCES += tests/api/test_ossl_rand.c +tests_unit_test_SOURCES += tests/api/test_ossl_obj.c +tests_unit_test_SOURCES += tests/api/test_ossl_p7p12.c +# EVP APIs +tests_unit_test_SOURCES += tests/api/test_evp_digest.c +tests_unit_test_SOURCES += tests/api/test_evp_cipher.c +tests_unit_test_SOURCES += tests/api/test_evp_pkey.c +# CertificateManager +tests_unit_test_SOURCES += tests/api/test_certman.c # TLS 1.3 specific tests_unit_test_SOURCES += tests/api/test_tls13.c endif @@ -174,5 +184,12 @@ EXTRA_DIST += tests/api/test_ossl_x509_info.h EXTRA_DIST += tests/api/test_ossl_x509_str.h EXTRA_DIST += tests/api/test_ossl_x509_lu.h EXTRA_DIST += tests/api/test_ossl_pem.h +EXTRA_DIST += tests/api/test_ossl_rand.h +EXTRA_DIST += tests/api/test_ossl_obj.h +EXTRA_DIST += tests/api/test_ossl_p7p12.h +EXTRA_DIST += tests/api/test_evp_digest.h +EXTRA_DIST += tests/api/test_evp_cipher.h +EXTRA_DIST += tests/api/test_evp_pkey.h +EXTRA_DIST += tests/api/test_certman.h EXTRA_DIST += tests/api/test_tls13.h diff --git a/tests/api/test_certman.c b/tests/api/test_certman.c new file mode 100644 index 000000000..a2ff33373 --- /dev/null +++ b/tests/api/test_certman.c @@ -0,0 +1,2370 @@ +/* test_certman.c + * + * Copyright (C) 2006-2025 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +#include + +#ifdef NO_INLINE + #include +#else + #define WOLFSSL_MISC_INCLUDED + #include +#endif + +#include +#include +#include +#include +#include + +int test_wolfSSL_CertManagerAPI(void) +{ + EXPECT_DECLS; +#ifndef NO_CERTS + WOLFSSL_CERT_MANAGER* cm = NULL; + unsigned char c = 0; + + ExpectNotNull(cm = wolfSSL_CertManagerNew_ex(NULL)); + + wolfSSL_CertManagerFree(NULL); + ExpectIntEQ(wolfSSL_CertManager_up_ref(NULL), 0); + ExpectIntEQ(wolfSSL_CertManagerUnloadCAs(NULL), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); +#ifdef WOLFSSL_TRUST_PEER_CERT + ExpectIntEQ(wolfSSL_CertManagerUnload_trust_peers(NULL), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); +#endif + + ExpectIntEQ(wolfSSL_CertManagerLoadCABuffer_ex(NULL, &c, 1, + WOLFSSL_FILETYPE_ASN1, 0, 0), WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); + +#if !defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH) + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(NULL, NULL, -1, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, NULL, -1, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(NULL, &c, -1, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(NULL, NULL, 1, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(NULL, &c, 1, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, NULL, 1, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, &c, -1, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, &c, 1, -1), + WC_NO_ERR_TRACE(WOLFSSL_BAD_FILETYPE)); +#endif + +#if !defined(NO_FILESYSTEM) + { + #ifdef WOLFSSL_PEM_TO_DER + const char* ca_cert = "./certs/ca-cert.pem"; + #if !defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH) + const char* ca_cert_der = "./certs/ca-cert.der"; + #endif + #else + const char* ca_cert = "./certs/ca-cert.der"; + #endif + const char* ca_path = "./certs"; + + #if !defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH) + ExpectIntEQ(wolfSSL_CertManagerVerify(NULL, NULL, -1), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerVerify(cm, NULL, WOLFSSL_FILETYPE_ASN1), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerVerify(NULL, ca_cert, + WOLFSSL_FILETYPE_PEM), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerVerify(cm, ca_cert, -1), + WC_NO_ERR_TRACE(WOLFSSL_BAD_FILETYPE)); +#ifdef WOLFSSL_PEM_TO_DER + ExpectIntEQ(wolfSSL_CertManagerVerify(cm, ca_cert_der, + WOLFSSL_FILETYPE_PEM), WC_NO_ERR_TRACE(ASN_NO_PEM_HEADER)); +#endif + ExpectIntEQ(wolfSSL_CertManagerVerify(cm, "no-file", + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(WOLFSSL_BAD_FILE)); + #endif + + ExpectIntEQ(wolfSSL_CertManagerLoadCA(NULL, NULL, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); + ExpectIntEQ(wolfSSL_CertManagerLoadCA(NULL, ca_cert, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); + ExpectIntEQ(wolfSSL_CertManagerLoadCA(NULL, NULL, ca_path), + WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); + ExpectIntEQ(wolfSSL_CertManagerLoadCA(NULL, ca_cert, ca_path), + WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); + } +#endif + +#ifdef OPENSSL_COMPATIBLE_DEFAULTS + ExpectIntEQ(wolfSSL_CertManagerEnableCRL(cm, 0), 1); +#elif !defined(HAVE_CRL) + ExpectIntEQ(wolfSSL_CertManagerEnableCRL(cm, 0), + WC_NO_ERR_TRACE(NOT_COMPILED_IN)); +#endif + + ExpectIntEQ(wolfSSL_CertManagerDisableCRL(NULL), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerDisableCRL(cm), 1); +#ifdef HAVE_CRL + /* Test APIs when CRL is disabled. */ +#ifdef HAVE_CRL_IO + ExpectIntEQ(wolfSSL_CertManagerSetCRL_IOCb(cm, NULL), 1); +#endif + ExpectIntEQ(wolfSSL_CertManagerCheckCRL(cm, server_cert_der_2048, + sizeof_server_cert_der_2048), 1); + ExpectIntEQ(wolfSSL_CertManagerFreeCRL(cm), 1); +#endif + + /* OCSP */ + ExpectIntEQ(wolfSSL_CertManagerEnableOCSP(NULL, 0), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerDisableOCSP(NULL), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerEnableOCSPStapling(NULL), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerDisableOCSPStapling(NULL), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerEnableOCSPMustStaple(NULL), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerDisableOCSPMustStaple(NULL), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); +#if !defined(HAVE_CERTIFICATE_STATUS_REQUEST) && \ + !defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) + ExpectIntEQ(wolfSSL_CertManagerDisableOCSPStapling(cm), + WC_NO_ERR_TRACE(NOT_COMPILED_IN)); + ExpectIntEQ(wolfSSL_CertManagerEnableOCSPMustStaple(cm), + WC_NO_ERR_TRACE(NOT_COMPILED_IN)); + ExpectIntEQ(wolfSSL_CertManagerDisableOCSPMustStaple(cm), + WC_NO_ERR_TRACE(NOT_COMPILED_IN)); +#endif + +#ifdef HAVE_OCSP + ExpectIntEQ(wolfSSL_CertManagerCheckOCSP(NULL, NULL, -1), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerCheckOCSP(cm, NULL, -1), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerCheckOCSP(NULL, &c, -1), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerCheckOCSP(NULL, NULL, 1), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerCheckOCSP(NULL, &c, 1), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerCheckOCSP(cm, NULL, 1), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerCheckOCSP(cm, &c, -1), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + + ExpectIntEQ(wolfSSL_CertManagerCheckOCSPResponse(NULL, NULL, 0, + NULL, NULL, NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerCheckOCSPResponse(cm, NULL, 1, + NULL, NULL, NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerCheckOCSPResponse(NULL, &c, 1, + NULL, NULL, NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + + ExpectIntEQ(wolfSSL_CertManagerSetOCSPOverrideURL(NULL, NULL), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerSetOCSPOverrideURL(NULL, ""), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerSetOCSPOverrideURL(cm, NULL), 1); + + ExpectIntEQ(wolfSSL_CertManagerSetOCSP_Cb(NULL, NULL, NULL, NULL), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerSetOCSP_Cb(cm, NULL, NULL, NULL), 1); + + ExpectIntEQ(wolfSSL_CertManagerDisableOCSP(cm), 1); + /* Test APIs when OCSP is disabled. */ + ExpectIntEQ(wolfSSL_CertManagerCheckOCSPResponse(cm, &c, 1, + NULL, NULL, NULL, NULL), 1); + ExpectIntEQ(wolfSSL_CertManagerCheckOCSP(cm, &c, 1), 1); + +#endif + + ExpectIntEQ(wolfSSL_CertManager_up_ref(cm), 1); + if (EXPECT_SUCCESS()) { + wolfSSL_CertManagerFree(cm); + } + wolfSSL_CertManagerFree(cm); + cm = NULL; + + ExpectNotNull(cm = wolfSSL_CertManagerNew_ex(NULL)); + +#ifdef HAVE_OCSP + ExpectIntEQ(wolfSSL_CertManagerEnableOCSP(cm, WOLFSSL_OCSP_URL_OVERRIDE | + WOLFSSL_OCSP_CHECKALL), 1); +#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) || \ + defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) + ExpectIntEQ(wolfSSL_CertManagerEnableOCSPStapling(cm), 1); + ExpectIntEQ(wolfSSL_CertManagerEnableOCSPStapling(cm), 1); + ExpectIntEQ(wolfSSL_CertManagerDisableOCSPStapling(cm), 1); + ExpectIntEQ(wolfSSL_CertManagerEnableOCSPStapling(cm), 1); + ExpectIntEQ(wolfSSL_CertManagerEnableOCSPMustStaple(cm), 1); + ExpectIntEQ(wolfSSL_CertManagerDisableOCSPMustStaple(cm), 1); +#endif + + ExpectIntEQ(wolfSSL_CertManagerSetOCSPOverrideURL(cm, ""), 1); + ExpectIntEQ(wolfSSL_CertManagerSetOCSPOverrideURL(cm, ""), 1); +#endif + +#ifdef WOLFSSL_TRUST_PEER_CERT + ExpectIntEQ(wolfSSL_CertManagerUnload_trust_peers(cm), 1); +#endif + wolfSSL_CertManagerFree(cm); +#endif + return EXPECT_RESULT(); +} + +#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_TLS) +static int test_cm_load_ca_buffer(const byte* cert_buf, size_t cert_sz, + int file_type) +{ + int ret; + WOLFSSL_CERT_MANAGER* cm; + + cm = wolfSSL_CertManagerNew(); + if (cm == NULL) { + fprintf(stderr, "test_cm_load_ca failed\n"); + return -1; + } + + ret = wolfSSL_CertManagerLoadCABuffer(cm, cert_buf, (sword32)cert_sz, + file_type); + + wolfSSL_CertManagerFree(cm); + + return ret; +} + +static int test_cm_load_ca_file(const char* ca_cert_file) +{ + int ret = 0; + byte* cert_buf = NULL; + size_t cert_sz = 0; +#if defined(WOLFSSL_PEM_TO_DER) + DerBuffer* pDer = NULL; +#endif + + ret = load_file(ca_cert_file, &cert_buf, &cert_sz); + if (ret == 0) { + /* normal test */ + ret = test_cm_load_ca_buffer(cert_buf, cert_sz, CERT_FILETYPE); + + if (ret == WOLFSSL_SUCCESS) { + /* test including null terminator in length */ + byte* tmp = (byte*)realloc(cert_buf, cert_sz+1); + if (tmp == NULL) { + ret = MEMORY_E; + } + else { + cert_buf = tmp; + cert_buf[cert_sz] = '\0'; + ret = test_cm_load_ca_buffer(cert_buf, cert_sz+1, + CERT_FILETYPE); + } + + } + + #if defined(WOLFSSL_PEM_TO_DER) + if (ret == WOLFSSL_SUCCESS) { + /* test loading DER */ + ret = wc_PemToDer(cert_buf, (sword32)cert_sz, CA_TYPE, &pDer, + NULL, NULL, NULL); + if (ret == 0 && pDer != NULL) { + ret = test_cm_load_ca_buffer(pDer->buffer, pDer->length, + WOLFSSL_FILETYPE_ASN1); + + wc_FreeDer(&pDer); + } + } + #endif + + } + free(cert_buf); + + return ret; +} + +static int test_cm_load_ca_buffer_ex(const byte* cert_buf, size_t cert_sz, + int file_type, word32 flags) +{ + int ret; + WOLFSSL_CERT_MANAGER* cm; + + cm = wolfSSL_CertManagerNew(); + if (cm == NULL) { + fprintf(stderr, "test_cm_load_ca failed\n"); + return -1; + } + + ret = wolfSSL_CertManagerLoadCABuffer_ex(cm, cert_buf, (sword32)cert_sz, + file_type, 0, flags); + + wolfSSL_CertManagerFree(cm); + + return ret; +} + +static int test_cm_load_ca_file_ex(const char* ca_cert_file, word32 flags) +{ + int ret = 0; + byte* cert_buf = NULL; + size_t cert_sz = 0; +#if defined(WOLFSSL_PEM_TO_DER) + DerBuffer* pDer = NULL; +#endif + + ret = load_file(ca_cert_file, &cert_buf, &cert_sz); + if (ret == 0) { + /* normal test */ + ret = test_cm_load_ca_buffer_ex(cert_buf, cert_sz, + CERT_FILETYPE, flags); + + if (ret == WOLFSSL_SUCCESS) { + /* test including null terminator in length */ + byte* tmp = (byte*)realloc(cert_buf, cert_sz+1); + if (tmp == NULL) { + ret = MEMORY_E; + } + else { + cert_buf = tmp; + cert_buf[cert_sz] = '\0'; + ret = test_cm_load_ca_buffer_ex(cert_buf, cert_sz+1, + CERT_FILETYPE, flags); + } + + } + + #if defined(WOLFSSL_PEM_TO_DER) + if (ret == WOLFSSL_SUCCESS) { + /* test loading DER */ + ret = wc_PemToDer(cert_buf, (sword32)cert_sz, CA_TYPE, &pDer, + NULL, NULL, NULL); + if (ret == 0 && pDer != NULL) { + ret = test_cm_load_ca_buffer_ex(pDer->buffer, pDer->length, + WOLFSSL_FILETYPE_ASN1, flags); + + wc_FreeDer(&pDer); + } + } + #endif + + } + free(cert_buf); + + return ret; +} + +#endif /* !NO_FILESYSTEM && !NO_CERTS */ + +int test_wolfSSL_CertManagerLoadCABuffer(void) +{ + EXPECT_DECLS; +#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_TLS) +#if defined(WOLFSSL_PEM_TO_DER) + const char* ca_cert = "./certs/ca-cert.pem"; + const char* ca_expired_cert = "./certs/test/expired/expired-ca.pem"; +#else + const char* ca_cert = "./certs/ca-cert.der"; + const char* ca_expired_cert = "./certs/test/expired/expired-ca.der"; +#endif + int ret; + + ExpectIntLE(ret = test_cm_load_ca_file(ca_cert), 1); +#if defined(NO_WOLFSSL_CLIENT) && defined(NO_WOLFSSL_SERVER) + ExpectIntEQ(ret, WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); +#elif defined(NO_RSA) + ExpectIntEQ(ret, WC_NO_ERR_TRACE(ASN_UNKNOWN_OID_E)); +#else + ExpectIntEQ(ret, WOLFSSL_SUCCESS); +#endif + + ExpectIntLE(ret = test_cm_load_ca_file(ca_expired_cert), 1); +#if defined(NO_WOLFSSL_CLIENT) && defined(NO_WOLFSSL_SERVER) + ExpectIntEQ(ret, WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); +#elif defined(NO_RSA) + ExpectIntEQ(ret, WC_NO_ERR_TRACE(ASN_UNKNOWN_OID_E)); +#elif !(WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS && \ + WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY) && !defined(NO_ASN_TIME) + ExpectIntEQ(ret, WC_NO_ERR_TRACE(ASN_AFTER_DATE_E)); +#else + ExpectIntEQ(ret, WOLFSSL_SUCCESS); +#endif +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_CertManagerLoadCABuffer_ex(void) +{ + EXPECT_DECLS; +#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_TLS) +#if defined(WOLFSSL_PEM_TO_DER) + const char* ca_cert = "./certs/ca-cert.pem"; + const char* ca_expired_cert = "./certs/test/expired/expired-ca.pem"; +#else + const char* ca_cert = "./certs/ca-cert.der"; + const char* ca_expired_cert = "./certs/test/expired/expired-ca.der"; +#endif + int ret; + + ExpectIntLE(ret = test_cm_load_ca_file_ex(ca_cert, WOLFSSL_LOAD_FLAG_NONE), + 1); +#if defined(NO_WOLFSSL_CLIENT) && defined(NO_WOLFSSL_SERVER) + ExpectIntEQ(ret, WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); +#elif defined(NO_RSA) + ExpectIntEQ(ret, WC_NO_ERR_TRACE(ASN_UNKNOWN_OID_E)); +#else + ExpectIntEQ(ret, WOLFSSL_SUCCESS); +#endif + + ExpectIntLE(ret = test_cm_load_ca_file_ex(ca_expired_cert, + WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY), 1); +#if defined(NO_WOLFSSL_CLIENT) && defined(NO_WOLFSSL_SERVER) + ExpectIntEQ(ret, WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); +#elif defined(NO_RSA) + ExpectIntEQ(ret, WC_NO_ERR_TRACE(ASN_UNKNOWN_OID_E)); +#elif !(WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS && \ + WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY) && !defined(NO_ASN_TIME) && \ + defined(WOLFSSL_TRUST_PEER_CERT) && defined(OPENSSL_COMPATIBLE_DEFAULTS) + ExpectIntEQ(ret, WC_NO_ERR_TRACE(ASN_AFTER_DATE_E)); +#else + ExpectIntEQ(ret, WOLFSSL_SUCCESS); +#endif + +#endif + + return EXPECT_RESULT(); +} + +int test_wolfSSL_CertManagerLoadCABufferType(void) +{ + EXPECT_DECLS; +#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_TLS) && \ + !defined(NO_RSA) && !defined(NO_SHA256) && \ + !defined(WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION) +#if defined(WOLFSSL_PEM_TO_DER) + const char* ca_cert = "./certs/ca-cert.pem"; + const char* int1_cert = "./certs/intermediate/ca-int-cert.pem"; + const char* int2_cert = "./certs/intermediate/ca-int2-cert.pem"; + const char* client_cert = "./certs/intermediate/client-int-cert.pem"; +#else + const char* ca_cert = "./certs/ca-cert.der"; + const char* int1_cert = "./certs/intermediate/ca-int-cert.der"; + const char* int2_cert = "./certs/intermediate/ca-int2-cert.der"; + const char* client_cert = "./certs/intermediate/client-int-cert.der"; +#endif + byte* ca_cert_buf = NULL; + byte* int1_cert_buf = NULL; + byte* int2_cert_buf = NULL; + byte* client_cert_buf = NULL; + size_t ca_cert_sz = 0; + size_t int1_cert_sz = 0; + size_t int2_cert_sz = 0; + size_t client_cert_sz = 0; + WOLFSSL_CERT_MANAGER* cm = NULL; + + ExpectNotNull(cm = wolfSSL_CertManagerNew()); + ExpectIntEQ(load_file(ca_cert, &ca_cert_buf, &ca_cert_sz), 0); + ExpectIntEQ(load_file(int1_cert, &int1_cert_buf, &int1_cert_sz), 0); + ExpectIntEQ(load_file(int2_cert, &int2_cert_buf, &int2_cert_sz), 0); + ExpectIntEQ(load_file(client_cert, &client_cert_buf, &client_cert_sz), 0); + + ExpectIntNE(wolfSSL_CertManagerLoadCABufferType(cm, ca_cert_buf, + (sword32)ca_cert_sz, CERT_FILETYPE, 0, + WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, 0), WOLFSSL_SUCCESS); + ExpectIntNE(wolfSSL_CertManagerLoadCABufferType(cm, ca_cert_buf, + (sword32)ca_cert_sz, CERT_FILETYPE, 0, + WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, 5), WOLFSSL_SUCCESS); + + ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, ca_cert_buf, + (sword32)ca_cert_sz, CERT_FILETYPE, 0, + WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_USER_CA), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int1_cert_buf, + int1_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, int1_cert_buf, + (sword32)int1_cert_sz, CERT_FILETYPE, 0, + WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_USER_INTER), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf, + int2_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, int2_cert_buf, + (sword32)int2_cert_sz, CERT_FILETYPE, 0, + WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_USER_INTER), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf, + client_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, client_cert_buf, + (sword32)client_cert_sz, CERT_FILETYPE, 0, + WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_USER_INTER), + WOLFSSL_SUCCESS); + + ExpectIntEQ(wolfSSL_CertManagerUnloadTypeCerts(cm, WOLFSSL_USER_INTER), + WOLFSSL_SUCCESS); + + /* Intermediate certs have been unloaded, but CA cert is still + loaded. Expect first level intermediate to verify, rest to fail. */ + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int1_cert_buf, + int1_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); + ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf, + int2_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); + ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf, + client_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); + + ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, int1_cert_buf, + (sword32)int1_cert_sz, CERT_FILETYPE, 0, + WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_TEMP_CA), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf, + int2_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, int2_cert_buf, + (sword32)int2_cert_sz, CERT_FILETYPE, 0, + WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_CHAIN_CA), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf, + client_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, client_cert_buf, + (sword32)client_cert_sz, CERT_FILETYPE, 0, + WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_USER_INTER), + WOLFSSL_SUCCESS); + + ExpectIntEQ(wolfSSL_CertManagerUnloadTypeCerts(cm, WOLFSSL_USER_INTER), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int1_cert_buf, + int1_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf, + int2_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf, + client_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); + + ExpectIntEQ(wolfSSL_CertManagerUnloadTypeCerts(cm, WOLFSSL_CHAIN_CA), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int1_cert_buf, + int1_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf, + int2_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); + ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf, + client_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); + + ExpectIntEQ(wolfSSL_CertManagerUnloadTypeCerts(cm, WOLFSSL_TEMP_CA), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int1_cert_buf, + int1_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); + ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf, + int2_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); + ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf, + client_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); + + ExpectIntEQ(wolfSSL_CertManagerUnloadTypeCerts(cm, WOLFSSL_USER_CA), + WOLFSSL_SUCCESS); + ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, int1_cert_buf, + int1_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); + ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf, + int2_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); + ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf, + client_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); + + if (cm) + wolfSSL_CertManagerFree(cm); + if (ca_cert_buf) + free(ca_cert_buf); + if (int1_cert_buf) + free(int1_cert_buf); + if (int2_cert_buf) + free(int2_cert_buf); + if (client_cert_buf) + free(client_cert_buf); +#endif + + return EXPECT_RESULT(); +} + +int test_wolfSSL_CertManagerGetCerts(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_ALL) && !defined(NO_CERTS) && \ + !defined(NO_FILESYSTEM) && !defined(NO_RSA) && \ + defined(WOLFSSL_SIGNER_DER_CERT) + WOLFSSL_CERT_MANAGER* cm = NULL; + WOLFSSL_STACK* sk = NULL; + X509* x509 = NULL; + X509* cert1 = NULL; + FILE* file1 = NULL; +#ifdef DEBUG_WOLFSSL_VERBOSE + WOLFSSL_BIO* bio = NULL; +#endif + int i = 0; + int ret = 0; + const byte* der = NULL; + int derSz = 0; + + ExpectNotNull(file1 = fopen("./certs/ca-cert.pem", "rb")); + + ExpectNotNull(cert1 = wolfSSL_PEM_read_X509(file1, NULL, NULL, NULL)); + if (file1 != NULL) { + fclose(file1); + } + + ExpectNull(sk = wolfSSL_CertManagerGetCerts(NULL)); + ExpectNotNull(cm = wolfSSL_CertManagerNew_ex(NULL)); + ExpectNull(sk = wolfSSL_CertManagerGetCerts(cm)); + + ExpectNotNull(der = wolfSSL_X509_get_der(cert1, &derSz)); +#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) + /* Check that ASN_SELF_SIGNED_E is returned for a self-signed cert for QT + * and full OpenSSL compatibility */ + ExpectIntEQ(ret = wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_SELF_SIGNED_E)); +#else + ExpectIntEQ(ret = wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NO_SIGNER_E)); +#endif + + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CertManagerLoadCA(cm, + "./certs/ca-cert.pem", NULL)); + + ExpectNotNull(sk = wolfSSL_CertManagerGetCerts(cm)); + + for (i = 0; EXPECT_SUCCESS() && i < sk_X509_num(sk); i++) { + ExpectNotNull(x509 = sk_X509_value(sk, i)); + ExpectIntEQ(0, wolfSSL_X509_cmp(x509, cert1)); + +#ifdef DEBUG_WOLFSSL_VERBOSE + bio = BIO_new(wolfSSL_BIO_s_file()); + if (bio != NULL) { + BIO_set_fp(bio, stderr, BIO_NOCLOSE); + X509_print(bio, x509); + BIO_free(bio); + } +#endif /* DEBUG_WOLFSSL_VERBOSE */ + } + wolfSSL_X509_free(cert1); + sk_X509_pop_free(sk, NULL); + wolfSSL_CertManagerFree(cm); +#endif /* defined(OPENSSL_ALL) && !defined(NO_CERTS) && \ + !defined(NO_FILESYSTEM) && !defined(NO_RSA) && \ + defined(WOLFSSL_SIGNER_DER_CERT) */ + + return EXPECT_RESULT(); +} + +int test_wolfSSL_CertManagerSetVerify(void) +{ + EXPECT_DECLS; +#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_TLS) && \ + !defined(NO_WOLFSSL_CM_VERIFY) && !defined(NO_RSA) && \ + (!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)) + WOLFSSL_CERT_MANAGER* cm = NULL; + int tmp = myVerifyAction; +#ifdef WOLFSSL_PEM_TO_DER + const char* ca_cert = "./certs/ca-cert.pem"; + const char* expiredCert = "./certs/test/expired/expired-cert.pem"; +#else + const char* ca_cert = "./certs/ca-cert.der"; + const char* expiredCert = "./certs/test/expired/expired-cert.der"; +#endif + + wolfSSL_CertManagerSetVerify(NULL, NULL); + wolfSSL_CertManagerSetVerify(NULL, myVerify); + + ExpectNotNull(cm = wolfSSL_CertManagerNew()); + + wolfSSL_CertManagerSetVerify(cm, myVerify); + +#if defined(NO_WOLFSSL_CLIENT) && defined(NO_WOLFSSL_SERVER) + ExpectIntEQ(wolfSSL_CertManagerLoadCA(cm, ca_cert, NULL), -1); +#else + ExpectIntEQ(wolfSSL_CertManagerLoadCA(cm, ca_cert, NULL), + WOLFSSL_SUCCESS); +#endif + /* Use the test CB that always accepts certs */ + myVerifyAction = VERIFY_OVERRIDE_ERROR; + + ExpectIntEQ(wolfSSL_CertManagerVerify(cm, expiredCert, + CERT_FILETYPE), WOLFSSL_SUCCESS); + +#ifdef WOLFSSL_ALWAYS_VERIFY_CB + { + const char* verifyCert = "./certs/server-cert.der"; + /* Use the test CB that always fails certs */ + myVerifyAction = VERIFY_FORCE_FAIL; + + ExpectIntEQ(wolfSSL_CertManagerVerify(cm, verifyCert, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(VERIFY_CERT_ERROR)); + } +#endif + + wolfSSL_CertManagerFree(cm); + myVerifyAction = tmp; +#endif + + return EXPECT_RESULT(); +} + +int test_wolfSSL_CertManagerNameConstraint(void) +{ + EXPECT_DECLS; +#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \ + !defined(NO_WOLFSSL_CM_VERIFY) && !defined(NO_RSA) && \ + defined(OPENSSL_EXTRA) && defined(WOLFSSL_CERT_GEN) && \ + defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_ALT_NAMES) && \ + !defined(NO_SHA256) + WOLFSSL_CERT_MANAGER* cm = NULL; + WOLFSSL_EVP_PKEY *priv = NULL; + WOLFSSL_X509_NAME* name = NULL; + const char* ca_cert = "./certs/test/cert-ext-nc.der"; + const char* server_cert = "./certs/test/server-goodcn.pem"; + int i = 0; + static const byte extNameConsOid[] = {85, 29, 30}; + + RsaKey key; + WC_RNG rng; + byte *der = NULL; + int derSz = 0; + word32 idx = 0; + byte *pt; + WOLFSSL_X509 *x509 = NULL; + WOLFSSL_X509 *ca = NULL; + + wc_InitRng(&rng); + + /* load in CA private key for signing */ + ExpectIntEQ(wc_InitRsaKey_ex(&key, HEAP_HINT, testDevId), 0); + ExpectIntEQ(wc_RsaPrivateKeyDecode(server_key_der_2048, &idx, &key, + sizeof_server_key_der_2048), 0); + + /* get ca certificate then alter it */ + ExpectNotNull(der = + (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER)); + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(ca_cert, + WOLFSSL_FILETYPE_ASN1)); + ExpectNotNull(pt = (byte*)wolfSSL_X509_get_tbs(x509, &derSz)); + if (EXPECT_SUCCESS() && (der != NULL)) { + XMEMCPY(der, pt, (size_t)derSz); + + /* find the name constraint extension and alter it */ + pt = der; + for (i = 0; i < derSz - 3; i++) { + if (XMEMCMP(pt, extNameConsOid, 3) == 0) { + pt += 3; + break; + } + pt++; + } + ExpectIntNE(i, derSz - 3); /* did not find OID if this case is hit */ + + /* go to the length value and set it to 0 */ + while (i < derSz && *pt != 0x81) { + pt++; + i++; + } + ExpectIntNE(i, derSz); /* did not place to alter */ + pt++; + *pt = 0x00; + } + + /* resign the altered certificate */ + ExpectIntGT((derSz = wc_SignCert(derSz, CTC_SHA256wRSA, der, + FOURK_BUF, &key, NULL, &rng)), 0); + + ExpectNotNull(cm = wolfSSL_CertManagerNew()); + ExpectIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_PARSE_E)); + wolfSSL_CertManagerFree(cm); + + XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + wolfSSL_X509_free(x509); + wc_FreeRsaKey(&key); + wc_FreeRng(&rng); + + /* add email alt name to satisfy constraint */ + pt = (byte*)server_key_der_2048; + ExpectNotNull(priv = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL, + (const unsigned char**)&pt, sizeof_server_key_der_2048)); + + ExpectNotNull(cm = wolfSSL_CertManagerNew()); + ExpectNotNull(ca = wolfSSL_X509_load_certificate_file(ca_cert, + WOLFSSL_FILETYPE_ASN1)); + + ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(ca, &derSz))); + DEBUG_WRITE_DER(der, derSz, "ca.der"); + + ExpectIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); + + /* Good cert test with proper alt email name */ + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, + WOLFSSL_FILETYPE_PEM)); + ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); + ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); + name = NULL; + + ExpectNotNull(name = X509_NAME_new()); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, + (byte*)"US", 2, -1, 0), SSL_SUCCESS); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8, + (byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "emailAddress", MBSTRING_UTF8, + (byte*)"support@info.wolfssl.com", 24, -1, 0), SSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); + X509_NAME_free(name); + name = NULL; + + wolfSSL_X509_add_altname(x509, "wolfssl@info.wolfssl.com", ASN_RFC822_TYPE); + + ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); + DEBUG_WRITE_CERT_X509(x509, "good-cert.pem"); + + ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); + wolfSSL_X509_free(x509); + x509 = NULL; + + + /* Cert with bad alt name list */ + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, + WOLFSSL_FILETYPE_PEM)); + ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); + ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); + name = NULL; + + ExpectNotNull(name = X509_NAME_new()); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, + (byte*)"US", 2, -1, 0), SSL_SUCCESS); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8, + (byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "emailAddress", MBSTRING_UTF8, + (byte*)"support@info.wolfssl.com", 24, -1, 0), SSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); + X509_NAME_free(name); + + wolfSSL_X509_add_altname(x509, "wolfssl@info.com", ASN_RFC822_TYPE); + wolfSSL_X509_add_altname(x509, "wolfssl@info.wolfssl.com", ASN_RFC822_TYPE); + + ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); + DEBUG_WRITE_CERT_X509(x509, "bad-cert.pem"); + + ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E)); + + wolfSSL_CertManagerFree(cm); + wolfSSL_X509_free(x509); + wolfSSL_X509_free(ca); + wolfSSL_EVP_PKEY_free(priv); +#endif + + return EXPECT_RESULT(); +} + +int test_wolfSSL_CertManagerNameConstraint2(void) +{ + EXPECT_DECLS; +#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \ + !defined(NO_WOLFSSL_CM_VERIFY) && !defined(NO_RSA) && \ + defined(OPENSSL_EXTRA) && defined(WOLFSSL_CERT_GEN) && \ + defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_ALT_NAMES) + const char* ca_cert = "./certs/test/cert-ext-ndir.der"; + const char* ca_cert2 = "./certs/test/cert-ext-ndir-exc.der"; + const char* server_cert = "./certs/server-cert.pem"; + WOLFSSL_CERT_MANAGER* cm = NULL; + WOLFSSL_X509 *x509 = NULL; + WOLFSSL_X509 *ca = NULL; + + const unsigned char *der = NULL; + const unsigned char *pt; + WOLFSSL_EVP_PKEY *priv = NULL; + WOLFSSL_X509_NAME* name = NULL; + int derSz = 0; + + /* C=US*/ + char altName[] = { + 0x30, 0x0D, 0x31, 0x0B, 0x30, 0x09, + 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53 + }; + + /* C=ID */ + char altNameFail[] = { + 0x30, 0x0D, 0x31, 0x0B, 0x30, 0x09, + 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x49, 0x44 + }; + + /* C=US ST=California*/ + char altNameExc[] = { + 0x30, 0x22, + 0x31, 0x0B, + 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, + 0x31, 0x13, + 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x0A, + 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61 + }; + /* load in CA private key for signing */ + pt = ca_key_der_2048; + ExpectNotNull(priv = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL, &pt, + sizeof_ca_key_der_2048)); + + ExpectNotNull(cm = wolfSSL_CertManagerNew()); + ExpectNotNull(ca = wolfSSL_X509_load_certificate_file(ca_cert, + WOLFSSL_FILETYPE_ASN1)); + ExpectNotNull((der = wolfSSL_X509_get_der(ca, &derSz))); + ExpectIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); + + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, + WOLFSSL_FILETYPE_PEM)); + ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); + ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); +#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_256) + wolfSSL_X509_sign(x509, priv, EVP_sha3_256()); +#else + wolfSSL_X509_sign(x509, priv, EVP_sha256()); +#endif + ExpectNotNull((der = wolfSSL_X509_get_der(x509, &derSz))); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); + + /* Test no name case. */ + ExpectIntEQ(wolfSSL_X509_add_altname_ex(x509, NULL, 0, ASN_DIR_TYPE), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_add_altname(x509, "", ASN_DIR_TYPE), + WOLFSSL_SUCCESS); + /* IP not supported. */ + ExpectIntEQ(wolfSSL_X509_add_altname(x509, "127.0.0.1", ASN_IP_TYPE), + WOLFSSL_FAILURE); + + /* add in matching DIR alt name and resign */ + wolfSSL_X509_add_altname_ex(x509, altName, sizeof(altName), ASN_DIR_TYPE); +#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_256) + wolfSSL_X509_sign(x509, priv, EVP_sha3_256()); +#else + wolfSSL_X509_sign(x509, priv, EVP_sha256()); +#endif + + ExpectNotNull((der = wolfSSL_X509_get_der(x509, &derSz))); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); + wolfSSL_X509_free(x509); + x509 = NULL; + + /* check verify fail */ + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, + WOLFSSL_FILETYPE_PEM)); + ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); + ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); + + /* add in miss matching DIR alt name and resign */ + wolfSSL_X509_add_altname_ex(x509, altNameFail, sizeof(altNameFail), + ASN_DIR_TYPE); + +#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_256) + wolfSSL_X509_sign(x509, priv, EVP_sha3_256()); +#else + wolfSSL_X509_sign(x509, priv, EVP_sha256()); +#endif + ExpectNotNull((der = wolfSSL_X509_get_der(x509, &derSz))); +#ifndef WOLFSSL_NO_ASN_STRICT + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E)); +#else + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); +#endif + + /* check that it still fails if one bad altname and one good altname is in + * the certificate */ + wolfSSL_X509_free(x509); + x509 = NULL; + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, + WOLFSSL_FILETYPE_PEM)); + ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); + ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); + wolfSSL_X509_add_altname_ex(x509, altName, sizeof(altName), ASN_DIR_TYPE); + wolfSSL_X509_add_altname_ex(x509, altNameFail, sizeof(altNameFail), + ASN_DIR_TYPE); + +#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_256) + wolfSSL_X509_sign(x509, priv, EVP_sha3_256()); +#else + wolfSSL_X509_sign(x509, priv, EVP_sha256()); +#endif + ExpectNotNull((der = wolfSSL_X509_get_der(x509, &derSz))); +#ifndef WOLFSSL_NO_ASN_STRICT + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E)); +#else + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); +#endif + + /* check it fails with switching position of bad altname */ + wolfSSL_X509_free(x509); + x509 = NULL; + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, + WOLFSSL_FILETYPE_PEM)); + ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); + ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); + wolfSSL_X509_add_altname_ex(x509, altNameFail, sizeof(altNameFail), + ASN_DIR_TYPE); + wolfSSL_X509_add_altname_ex(x509, altName, sizeof(altName), ASN_DIR_TYPE); + +#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_256) + wolfSSL_X509_sign(x509, priv, EVP_sha3_256()); +#else + wolfSSL_X509_sign(x509, priv, EVP_sha256()); +#endif + ExpectNotNull((der = wolfSSL_X509_get_der(x509, &derSz))); +#ifndef WOLFSSL_NO_ASN_STRICT + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E)); +#else + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); +#endif + wolfSSL_CertManagerFree(cm); + + wolfSSL_X509_free(x509); + x509 = NULL; + wolfSSL_X509_free(ca); + ca = NULL; + + /* now test with excluded name constraint */ + ExpectNotNull(cm = wolfSSL_CertManagerNew()); + ExpectNotNull(ca = wolfSSL_X509_load_certificate_file(ca_cert2, + WOLFSSL_FILETYPE_ASN1)); + ExpectNotNull((der = wolfSSL_X509_get_der(ca, &derSz))); + ExpectIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); + + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, + WOLFSSL_FILETYPE_PEM)); + wolfSSL_X509_add_altname_ex(x509, altNameExc, sizeof(altNameExc), + ASN_DIR_TYPE); + ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); + ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); + +#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_256) + wolfSSL_X509_sign(x509, priv, EVP_sha3_256()); +#else + wolfSSL_X509_sign(x509, priv, EVP_sha256()); +#endif + ExpectNotNull((der = wolfSSL_X509_get_der(x509, &derSz))); +#ifndef WOLFSSL_NO_ASN_STRICT + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E)); +#else + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); +#endif + wolfSSL_CertManagerFree(cm); + wolfSSL_X509_free(x509); + wolfSSL_X509_free(ca); + wolfSSL_EVP_PKEY_free(priv); +#endif + + return EXPECT_RESULT(); +} + +int test_wolfSSL_CertManagerNameConstraint3(void) +{ + EXPECT_DECLS; +#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \ + !defined(NO_WOLFSSL_CM_VERIFY) && !defined(NO_RSA) && \ + defined(OPENSSL_EXTRA) && defined(WOLFSSL_CERT_GEN) && \ + defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_ALT_NAMES) && \ + !defined(NO_SHA256) + WOLFSSL_CERT_MANAGER* cm = NULL; + WOLFSSL_EVP_PKEY *priv = NULL; + WOLFSSL_X509_NAME* name = NULL; + const char* ca_cert = "./certs/test/cert-ext-mnc.der"; + const char* server_cert = "./certs/test/server-goodcn.pem"; + + byte *der = NULL; + int derSz = 0; + byte *pt; + WOLFSSL_X509 *x509 = NULL; + WOLFSSL_X509 *ca = NULL; + + pt = (byte*)server_key_der_2048; + ExpectNotNull(priv = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL, + (const unsigned char**)&pt, sizeof_server_key_der_2048)); + + ExpectNotNull(cm = wolfSSL_CertManagerNew()); + ExpectNotNull(ca = wolfSSL_X509_load_certificate_file(ca_cert, + WOLFSSL_FILETYPE_ASN1)); + ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(ca, &derSz))); + DEBUG_WRITE_DER(der, derSz, "ca.der"); + + ExpectIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); + + /* check satisfying .wolfssl.com constraint passes */ + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, + WOLFSSL_FILETYPE_PEM)); + ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); + ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); + name = NULL; + + ExpectNotNull(name = X509_NAME_new()); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, + (byte*)"US", 2, -1, 0), SSL_SUCCESS); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8, + (byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "emailAddress", MBSTRING_UTF8, + (byte*)"support@info.wolfssl.com", 24, -1, 0), SSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); + X509_NAME_free(name); + name = NULL; + + wolfSSL_X509_add_altname(x509, "wolfssl@info.wolfssl.com", ASN_RFC822_TYPE); + + ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); + DEBUG_WRITE_CERT_X509(x509, "good-1st-constraint-cert.pem"); + + ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); + wolfSSL_X509_free(x509); + x509 = NULL; + + /* check satisfying .random.com constraint passes */ + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, + WOLFSSL_FILETYPE_PEM)); + ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); + ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); + name = NULL; + + ExpectNotNull(name = X509_NAME_new()); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, + (byte*)"US", 2, -1, 0), SSL_SUCCESS); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8, + (byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "emailAddress", MBSTRING_UTF8, + (byte*)"support@info.example.com", 24, -1, 0), SSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); + X509_NAME_free(name); + name = NULL; + + wolfSSL_X509_add_altname(x509, "wolfssl@info.example.com", ASN_RFC822_TYPE); + + ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); + DEBUG_WRITE_CERT_X509(x509, "good-2nd-constraint-cert.pem"); + + ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); + wolfSSL_X509_free(x509); + x509 = NULL; + + /* check fail case when neither constraint is matched */ + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, + WOLFSSL_FILETYPE_PEM)); + ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); + ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); + name = NULL; + + ExpectNotNull(name = X509_NAME_new()); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, + (byte*)"US", 2, -1, 0), SSL_SUCCESS); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8, + (byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "emailAddress", MBSTRING_UTF8, + (byte*)"support@info.com", 16, -1, 0), SSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); + X509_NAME_free(name); + + wolfSSL_X509_add_altname(x509, "wolfssl@info.com", ASN_RFC822_TYPE); + + ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); + DEBUG_WRITE_CERT_X509(x509, "bad-cert.pem"); + + ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E)); + + wolfSSL_CertManagerFree(cm); + wolfSSL_X509_free(x509); + wolfSSL_X509_free(ca); + wolfSSL_EVP_PKEY_free(priv); +#endif + + return EXPECT_RESULT(); +} + +int test_wolfSSL_CertManagerNameConstraint4(void) +{ + EXPECT_DECLS; +#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \ + !defined(NO_WOLFSSL_CM_VERIFY) && !defined(NO_RSA) && \ + defined(OPENSSL_EXTRA) && defined(WOLFSSL_CERT_GEN) && \ + defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_ALT_NAMES) && \ + !defined(NO_SHA256) + WOLFSSL_CERT_MANAGER* cm = NULL; + WOLFSSL_EVP_PKEY *priv = NULL; + WOLFSSL_X509_NAME* name = NULL; + const char* ca_cert = "./certs/test/cert-ext-ncdns.der"; + const char* server_cert = "./certs/test/server-goodcn.pem"; + + byte *der = NULL; + int derSz; + byte *pt; + WOLFSSL_X509 *x509 = NULL; + WOLFSSL_X509 *ca = NULL; + + pt = (byte*)server_key_der_2048; + ExpectNotNull(priv = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL, + (const unsigned char**)&pt, sizeof_server_key_der_2048)); + + ExpectNotNull(cm = wolfSSL_CertManagerNew()); + ExpectNotNull(ca = wolfSSL_X509_load_certificate_file(ca_cert, + WOLFSSL_FILETYPE_ASN1)); + ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(ca, &derSz))); + DEBUG_WRITE_DER(der, derSz, "ca.der"); + + ExpectIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); + + /* check satisfying wolfssl.com constraint passes */ + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, + WOLFSSL_FILETYPE_PEM)); + ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); + ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); + name = NULL; + + ExpectNotNull(name = X509_NAME_new()); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, + (byte*)"US", 2, -1, 0), SSL_SUCCESS); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8, + (byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); + X509_NAME_free(name); + name = NULL; + + wolfSSL_X509_add_altname(x509, "www.wolfssl.com", ASN_DNS_TYPE); + ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); + DEBUG_WRITE_CERT_X509(x509, "good-1st-constraint-cert.pem"); + + ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); + wolfSSL_X509_free(x509); + x509 = NULL; + + /* check satisfying example.com constraint passes */ + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, + WOLFSSL_FILETYPE_PEM)); + ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); + ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); + name = NULL; + + ExpectNotNull(name = X509_NAME_new()); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, + (byte*)"US", 2, -1, 0), SSL_SUCCESS); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8, + (byte*)"example.com", 11, -1, 0), SSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); + X509_NAME_free(name); + name = NULL; + + wolfSSL_X509_add_altname(x509, "www.example.com", ASN_DNS_TYPE); + ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); + DEBUG_WRITE_CERT_X509(x509, "good-2nd-constraint-cert.pem"); + + ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); + wolfSSL_X509_free(x509); + x509 = NULL; + + /* check satisfying wolfssl.com constraint passes with list of DNS's */ + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, + WOLFSSL_FILETYPE_PEM)); + ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); + ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); + name = NULL; + + ExpectNotNull(name = X509_NAME_new()); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, + (byte*)"US", 2, -1, 0), SSL_SUCCESS); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8, + (byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); + X509_NAME_free(name); + name = NULL; + + wolfSSL_X509_add_altname(x509, "www.wolfssl.com", ASN_DNS_TYPE); + wolfSSL_X509_add_altname(x509, "www.info.wolfssl.com", ASN_DNS_TYPE); + wolfSSL_X509_add_altname(x509, "extra.wolfssl.com", ASN_DNS_TYPE); + ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); + DEBUG_WRITE_CERT_X509(x509, "good-multiple-constraint-cert.pem"); + + ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); + wolfSSL_X509_free(x509); + x509 = NULL; + + /* check fail when one DNS in the list is bad */ + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, + WOLFSSL_FILETYPE_PEM)); + ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); + ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); + name = NULL; + + ExpectNotNull(name = X509_NAME_new()); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, + (byte*)"US", 2, -1, 0), SSL_SUCCESS); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8, + (byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); + X509_NAME_free(name); + name = NULL; + + wolfSSL_X509_add_altname(x509, "www.wolfssl.com", ASN_DNS_TYPE); + wolfSSL_X509_add_altname(x509, "www.nomatch.com", ASN_DNS_TYPE); + wolfSSL_X509_add_altname(x509, "www.info.wolfssl.com", ASN_DNS_TYPE); + ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); + DEBUG_WRITE_CERT_X509(x509, "bad-multiple-constraint-cert.pem"); + + ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E)); + wolfSSL_X509_free(x509); + x509 = NULL; + + /* check fail case when neither constraint is matched */ + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, + WOLFSSL_FILETYPE_PEM)); + ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); + ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); + name = NULL; + + ExpectNotNull(name = X509_NAME_new()); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, + (byte*)"US", 2, -1, 0), SSL_SUCCESS); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8, + (byte*)"common", 6, -1, 0), SSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); + X509_NAME_free(name); + + wolfSSL_X509_add_altname(x509, "www.random.com", ASN_DNS_TYPE); + ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); + DEBUG_WRITE_CERT_X509(x509, "bad-cert.pem"); + + ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E)); + + wolfSSL_CertManagerFree(cm); + wolfSSL_X509_free(x509); + wolfSSL_X509_free(ca); + wolfSSL_EVP_PKEY_free(priv); +#endif + + return EXPECT_RESULT(); +} + +int test_wolfSSL_CertManagerNameConstraint5(void) +{ + EXPECT_DECLS; +#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \ + !defined(NO_WOLFSSL_CM_VERIFY) && !defined(NO_RSA) && \ + defined(OPENSSL_EXTRA) && defined(WOLFSSL_CERT_GEN) && \ + defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_ALT_NAMES) && \ + !defined(NO_SHA256) + WOLFSSL_CERT_MANAGER* cm = NULL; + WOLFSSL_EVP_PKEY *priv = NULL; + WOLFSSL_X509_NAME* name = NULL; + const char* ca_cert = "./certs/test/cert-ext-ncmixed.der"; + const char* server_cert = "./certs/test/server-goodcn.pem"; + + byte *der = NULL; + int derSz; + byte *pt; + WOLFSSL_X509 *x509 = NULL; + WOLFSSL_X509 *ca = NULL; + + pt = (byte*)server_key_der_2048; + ExpectNotNull(priv = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL, + (const unsigned char**)&pt, sizeof_server_key_der_2048)); + + ExpectNotNull(cm = wolfSSL_CertManagerNew()); + ExpectNotNull(ca = wolfSSL_X509_load_certificate_file(ca_cert, + WOLFSSL_FILETYPE_ASN1)); + ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(ca, &derSz))); + DEBUG_WRITE_DER(der, derSz, "ca.der"); + + ExpectIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); + + /* check satisfying wolfssl.com constraint passes */ + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, + WOLFSSL_FILETYPE_PEM)); + ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); + ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); + name = NULL; + + ExpectNotNull(name = X509_NAME_new()); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, + (byte*)"US", 2, -1, 0), SSL_SUCCESS); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8, + (byte*)"example", 7, -1, 0), SSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); + X509_NAME_free(name); + name = NULL; + + wolfSSL_X509_add_altname(x509, "good.example", ASN_DNS_TYPE); + wolfSSL_X509_add_altname(x509, "facts@into.wolfssl.com", ASN_RFC822_TYPE); + ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); + DEBUG_WRITE_CERT_X509(x509, "good-cert.pem"); + + ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); + wolfSSL_X509_free(x509); + x509 = NULL; + + /* fail with DNS check because of common name */ + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, + WOLFSSL_FILETYPE_PEM)); + ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); + ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); + name = NULL; + + ExpectNotNull(name = X509_NAME_new()); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, + (byte*)"US", 2, -1, 0), SSL_SUCCESS); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8, + (byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); + X509_NAME_free(name); + name = NULL; + + wolfSSL_X509_add_altname(x509, "example", ASN_DNS_TYPE); + wolfSSL_X509_add_altname(x509, "facts@wolfssl.com", ASN_RFC822_TYPE); + ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); + DEBUG_WRITE_CERT_X509(x509, "bad-cn-cert.pem"); + + ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E)); + wolfSSL_X509_free(x509); + x509 = NULL; + + /* fail on permitted DNS name constraint */ + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, + WOLFSSL_FILETYPE_PEM)); + ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); + ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); + name = NULL; + + ExpectNotNull(name = X509_NAME_new()); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, + (byte*)"US", 2, -1, 0), SSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); + X509_NAME_free(name); + name = NULL; + + wolfSSL_X509_add_altname(x509, "www.example", ASN_DNS_TYPE); + wolfSSL_X509_add_altname(x509, "www.wolfssl", ASN_DNS_TYPE); + wolfSSL_X509_add_altname(x509, "info@wolfssl.com", ASN_RFC822_TYPE); + ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); + DEBUG_WRITE_CERT_X509(x509, "bad-1st-constraint-cert.pem"); + + ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E)); + wolfSSL_X509_free(x509); + x509 = NULL; + + /* fail on permitted email name constraint */ + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, + WOLFSSL_FILETYPE_PEM)); + ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); + ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); + name = NULL; + + ExpectNotNull(name = X509_NAME_new()); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, + (byte*)"US", 2, -1, 0), SSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); + X509_NAME_free(name); + name = NULL; + + wolfSSL_X509_add_altname(x509, "example", ASN_DNS_TYPE); + wolfSSL_X509_add_altname(x509, "info@wolfssl.com", ASN_RFC822_TYPE); + wolfSSL_X509_add_altname(x509, "info@example.com", ASN_RFC822_TYPE); + ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); + DEBUG_WRITE_CERT_X509(x509, "bad-2nd-constraint-cert.pem"); + + ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E)); + wolfSSL_X509_free(x509); + x509 = NULL; + + /* success with empty email name */ + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, + WOLFSSL_FILETYPE_PEM)); + ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); + ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); + name = NULL; + + ExpectNotNull(name = X509_NAME_new()); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, + (byte*)"US", 2, -1, 0), SSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); + X509_NAME_free(name); + + wolfSSL_X509_add_altname(x509, "example", ASN_DNS_TYPE); + ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); + DEBUG_WRITE_CERT_X509(x509, "good-missing-constraint-cert.pem"); + + ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); + wolfSSL_X509_free(x509); + + wolfSSL_CertManagerFree(cm); + wolfSSL_X509_free(ca); + wolfSSL_EVP_PKEY_free(priv); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_CertManagerCRL(void) +{ + EXPECT_DECLS; +#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && defined(HAVE_CRL) && \ + !defined(NO_RSA) + const char* ca_cert = "./certs/ca-cert.pem"; + const char* crl1 = "./certs/crl/crl.pem"; + const char* crl2 = "./certs/crl/crl2.pem"; +#ifdef WC_RSA_PSS + const char* crl_rsapss = "./certs/crl/crl_rsapss.pem"; + const char* ca_rsapss = "./certs/rsapss/ca-rsapss.pem"; +#endif + /* ./certs/crl/crl.der */ + const unsigned char crl_buff[] = { + 0x30, 0x82, 0x02, 0x04, 0x30, 0x81, 0xED, 0x02, + 0x01, 0x01, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, + 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, + 0x00, 0x30, 0x81, 0x94, 0x31, 0x0B, 0x30, 0x09, + 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, + 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, + 0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74, + 0x61, 0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E, 0x06, + 0x03, 0x55, 0x04, 0x07, 0x0C, 0x07, 0x42, 0x6F, + 0x7A, 0x65, 0x6D, 0x61, 0x6E, 0x31, 0x11, 0x30, + 0x0F, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x08, + 0x53, 0x61, 0x77, 0x74, 0x6F, 0x6F, 0x74, 0x68, + 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, + 0x0B, 0x0C, 0x0A, 0x43, 0x6F, 0x6E, 0x73, 0x75, + 0x6C, 0x74, 0x69, 0x6E, 0x67, 0x31, 0x18, 0x30, + 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, + 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, + 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, + 0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, + 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, + 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, + 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, + 0x17, 0x0D, 0x32, 0x34, 0x30, 0x31, 0x30, 0x39, + 0x30, 0x30, 0x33, 0x34, 0x33, 0x30, 0x5A, 0x17, + 0x0D, 0x32, 0x36, 0x31, 0x30, 0x30, 0x35, 0x30, + 0x30, 0x33, 0x34, 0x33, 0x30, 0x5A, 0x30, 0x14, + 0x30, 0x12, 0x02, 0x01, 0x02, 0x17, 0x0D, 0x32, + 0x34, 0x30, 0x31, 0x30, 0x39, 0x30, 0x30, 0x33, + 0x34, 0x33, 0x30, 0x5A, 0xA0, 0x0E, 0x30, 0x0C, + 0x30, 0x0A, 0x06, 0x03, 0x55, 0x1D, 0x14, 0x04, + 0x03, 0x02, 0x01, 0x02, 0x30, 0x0D, 0x06, 0x09, + 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, + 0x0B, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, + 0xB3, 0x6F, 0xED, 0x72, 0xD2, 0x73, 0x6A, 0x77, + 0xBF, 0x3A, 0x55, 0xBC, 0x54, 0x18, 0x6A, 0x71, + 0xBC, 0x6A, 0xCC, 0xCD, 0x5D, 0x90, 0xF5, 0x64, + 0x8D, 0x1B, 0xF0, 0xE0, 0x48, 0x7B, 0xF2, 0x7B, + 0x06, 0x86, 0x53, 0x63, 0x9B, 0xD8, 0x24, 0x15, + 0x10, 0xB1, 0x19, 0x96, 0x9B, 0xD2, 0x75, 0xA8, + 0x25, 0xA2, 0x35, 0xA9, 0x14, 0xD6, 0xD5, 0x5E, + 0x53, 0xE3, 0x34, 0x9D, 0xF2, 0x8B, 0x07, 0x19, + 0x9B, 0x1F, 0xF1, 0x02, 0x0F, 0x04, 0x46, 0xE8, + 0xB8, 0xB6, 0xF2, 0x8D, 0xC7, 0xC0, 0x15, 0x3E, + 0x3E, 0x8E, 0x96, 0x73, 0x15, 0x1E, 0x62, 0xF6, + 0x4E, 0x2A, 0xF7, 0xAA, 0xA0, 0x91, 0x80, 0x12, + 0x7F, 0x81, 0x0C, 0x65, 0xCC, 0x38, 0xBE, 0x58, + 0x6C, 0x14, 0xA5, 0x21, 0xA1, 0x8D, 0xF7, 0x8A, + 0xB9, 0x24, 0xF4, 0x2D, 0xCA, 0xC0, 0x67, 0x43, + 0x0B, 0xC8, 0x1C, 0xB4, 0x7D, 0x12, 0x7F, 0xA2, + 0x1B, 0x19, 0x0E, 0x94, 0xCF, 0x7B, 0x9F, 0x75, + 0xA0, 0x08, 0x9A, 0x67, 0x3F, 0x87, 0x89, 0x3E, + 0xF8, 0x58, 0xA5, 0x8A, 0x1B, 0x2D, 0xDA, 0x9B, + 0xD0, 0x1B, 0x18, 0x92, 0xC3, 0xD2, 0x6A, 0xD7, + 0x1C, 0xFC, 0x45, 0x69, 0x77, 0xC3, 0x57, 0x65, + 0x75, 0x99, 0x9E, 0x47, 0x2A, 0x20, 0x25, 0xEF, + 0x90, 0xF2, 0x5F, 0x3B, 0x7D, 0x9C, 0x7D, 0x00, + 0xEA, 0x92, 0x54, 0xEB, 0x0B, 0xE7, 0x17, 0xAF, + 0x24, 0x1A, 0xF9, 0x7C, 0x83, 0x50, 0x68, 0x1D, + 0xDC, 0x5B, 0x60, 0x12, 0xA7, 0x52, 0x78, 0xD9, + 0xA9, 0xB0, 0x1F, 0x59, 0x48, 0x36, 0xC7, 0xA6, + 0x97, 0x34, 0xC7, 0x87, 0x3F, 0xAE, 0xFD, 0xA9, + 0x56, 0x5D, 0x48, 0xCC, 0x89, 0x7A, 0x79, 0x60, + 0x8F, 0x9B, 0x2B, 0x63, 0x3C, 0xB3, 0x04, 0x1D, + 0x5F, 0xF7, 0x20, 0xD2, 0xFD, 0xF2, 0x51, 0xB1, + 0x96, 0x93, 0x13, 0x5B, 0xAB, 0x74, 0x82, 0x8B + }; + + WOLFSSL_CERT_MANAGER* cm = NULL; + + ExpectNotNull(cm = wolfSSL_CertManagerNew()); + + ExpectIntEQ(wolfSSL_CertManagerEnableCRL(NULL, 0), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerEnableCRL(cm, WOLFSSL_CRL_CHECKALL), 1); + ExpectIntEQ(wolfSSL_CertManagerEnableCRL(cm, WOLFSSL_CRL_CHECK), 1); + ExpectIntEQ(wolfSSL_CertManagerEnableCRL(cm, + WOLFSSL_CRL_CHECK | WOLFSSL_CRL_CHECKALL), 1); + ExpectIntEQ(wolfSSL_CertManagerEnableCRL(cm, 16), 1); + ExpectIntEQ(wolfSSL_CertManagerEnableCRL(cm, WOLFSSL_CRL_CHECKALL), 1); + + ExpectIntEQ(wolfSSL_CertManagerCheckCRL(NULL, NULL, -1), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerCheckCRL(cm, NULL, -1), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerCheckCRL(NULL, server_cert_der_2048, -1), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerCheckCRL(NULL, NULL, 1), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerCheckCRL(NULL, server_cert_der_2048, 1), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerCheckCRL(cm, NULL, 1), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerCheckCRL(cm, server_cert_der_2048, -1), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerCheckCRL(cm, server_cert_der_2048, + sizeof_server_cert_der_2048), WC_NO_ERR_TRACE(ASN_NO_SIGNER_E)); + + ExpectIntEQ(wolfSSL_CertManagerSetCRL_Cb(NULL, NULL), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerSetCRL_Cb(cm, NULL), 1); +#ifdef HAVE_CRL_IO + ExpectIntEQ(wolfSSL_CertManagerSetCRL_IOCb(NULL, NULL), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerSetCRL_IOCb(cm, NULL), 1); +#endif + +#ifndef NO_FILESYSTEM + ExpectIntEQ(wolfSSL_CertManagerLoadCRL(NULL, NULL, WOLFSSL_FILETYPE_ASN1, + 0), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerLoadCRL(cm, NULL, WOLFSSL_FILETYPE_ASN1, + 0), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + /* -1 seen as !WOLFSSL_FILETYPE_PEM */ + ExpectIntEQ(wolfSSL_CertManagerLoadCRL(cm, "./certs/crl", -1, 0), 1); + + ExpectIntEQ(wolfSSL_CertManagerLoadCRLFile(NULL, NULL, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerLoadCRLFile(cm, NULL, WOLFSSL_FILETYPE_ASN1), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + /* -1 seen as !WOLFSSL_FILETYPE_PEM */ + ExpectIntEQ(wolfSSL_CertManagerLoadCRLFile(cm, "./certs/crl/crl.pem", -1), + WC_NO_ERR_TRACE(ASN_PARSE_E)); +#endif + + ExpectIntEQ(wolfSSL_CertManagerLoadCRLBuffer(NULL, NULL, -1, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerLoadCRLBuffer(cm, NULL, -1, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerLoadCRLBuffer(NULL, crl_buff, -1, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerLoadCRLBuffer(NULL, NULL, 1, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerLoadCRLBuffer(NULL, crl_buff, 1, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerLoadCRLBuffer(cm, NULL, 1, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerLoadCRLBuffer(cm, crl_buff, -1, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + + ExpectIntEQ(wolfSSL_CertManagerFreeCRL(NULL), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + DoExpectIntEQ(wolfSSL_CertManagerFreeCRL(cm), 1); + + ExpectIntEQ(WOLFSSL_SUCCESS, + wolfSSL_CertManagerLoadCA(cm, ca_cert, NULL)); + ExpectIntEQ(WOLFSSL_SUCCESS, + wolfSSL_CertManagerLoadCRL(cm, crl1, WOLFSSL_FILETYPE_PEM, 0)); + ExpectIntEQ(WOLFSSL_SUCCESS, + wolfSSL_CertManagerLoadCRL(cm, crl2, WOLFSSL_FILETYPE_PEM, 0)); + wolfSSL_CertManagerFreeCRL(cm); + +#ifndef WOLFSSL_CRL_ALLOW_MISSING_CDP + ExpectIntEQ(WOLFSSL_SUCCESS, + wolfSSL_CertManagerLoadCRL(cm, crl1, WOLFSSL_FILETYPE_PEM, 0)); + ExpectIntEQ(WOLFSSL_SUCCESS, + wolfSSL_CertManagerLoadCA(cm, ca_cert, NULL)); + ExpectIntEQ(wolfSSL_CertManagerCheckCRL(cm, server_cert_der_2048, + sizeof_server_cert_der_2048), WC_NO_ERR_TRACE(CRL_MISSING)); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, server_cert_der_2048, + sizeof_server_cert_der_2048, WOLFSSL_FILETYPE_ASN1), + WC_NO_ERR_TRACE(CRL_MISSING)); +#endif /* !WOLFSSL_CRL_ALLOW_MISSING_CDP */ + + ExpectIntEQ(wolfSSL_CertManagerLoadCRLBuffer(cm, crl_buff, sizeof(crl_buff), + WOLFSSL_FILETYPE_ASN1), 1); + +#if !defined(NO_FILESYSTEM) && defined(WC_RSA_PSS) + /* loading should fail without the CA set */ + ExpectIntEQ(wolfSSL_CertManagerLoadCRLFile(cm, crl_rsapss, + WOLFSSL_FILETYPE_PEM), WC_NO_ERR_TRACE(ASN_CRL_NO_SIGNER_E)); + + /* now successfully load the RSA-PSS crl once loading in it's CA */ + ExpectIntEQ(WOLFSSL_SUCCESS, + wolfSSL_CertManagerLoadCA(cm, ca_rsapss, NULL)); + ExpectIntEQ(wolfSSL_CertManagerLoadCRLFile(cm, crl_rsapss, + WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS); +#endif + + wolfSSL_CertManagerFree(cm); +#endif + + return EXPECT_RESULT(); +} + +int test_wolfSSL_CRL_duplicate_extensions(void) +{ + EXPECT_DECLS; +#if defined(WOLFSSL_ASN_TEMPLATE) && !defined(NO_CERTS) && \ + defined(HAVE_CRL) && !defined(NO_RSA) && \ + !defined(WOLFSSL_NO_ASN_STRICT) && \ + (defined(WC_ASN_RUNTIME_DATE_CHECK_CONTROL) || defined(NO_ASN_TIME_CHECK)) + const unsigned char crl_duplicate_akd[] = + "-----BEGIN X509 CRL-----\n" + "MIICCDCB8QIBATANBgkqhkiG9w0BAQsFADB5MQswCQYDVQQGEwJVUzETMBEGA1UE\n" + "CAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzETMBEGA1UECgwK\n" + "TXkgQ29tcGFueTETMBEGA1UEAwwKTXkgUm9vdCBDQTETMBEGA1UECwwKTXkgUm9v\n" + "dCBDQRcNMjQwOTAxMDAwMDAwWhcNMjUxMjAxMDAwMDAwWqBEMEIwHwYDVR0jBBgw\n" + "FoAU72ng99Ud5pns3G3Q9+K5XGRxgzUwHwYDVR0jBBgwFoAU72ng99Ud5pns3G3Q\n" + "9+K5XGRxgzUwDQYJKoZIhvcNAQELBQADggEBAIFVw4jrS4taSXR/9gPzqGrqFeHr\n" + "IXCnFtHJTLxqa8vUOAqSwqysvNpepVKioMVoGrLjFMjANjWQqTEiMROAnLfJ/+L8\n" + "FHZkV/mZwOKAXMhIC9MrJzifxBICwmvD028qnwQm09EP8z4ICZptD6wPdRTDzduc\n" + "KBuAX+zn8pNrJgyrheRKpPgno9KsbCzK4D/RIt1sTK2M3vVOtY+vpsN70QYUXvQ4\n" + "r2RZac3omlT43x5lddPxIlcouQpwWcVvr/K+Va770MRrjn88PBrJmvsEw/QYVBXp\n" + "Gxv2b78HFDacba80sMIm8ltRdqUCa5qIc6OATsz7izCQXEbkTEeESrcK1MA=\n" + "-----END X509 CRL-----\n"; + + WOLFSSL_CERT_MANAGER* cm = NULL; + int ret; + + (void)wc_AsnSetSkipDateCheck(1); + + cm = wolfSSL_CertManagerNew(); + ExpectNotNull(cm); + + /* Test loading CRL with duplicate extensions */ + WOLFSSL_MSG("Testing CRL with duplicate Authority Key Identifier " + "extensions"); + ret = wolfSSL_CertManagerLoadCRLBuffer(cm, crl_duplicate_akd, + sizeof(crl_duplicate_akd), + WOLFSSL_FILETYPE_PEM); + ExpectIntEQ(ret, ASN_PARSE_E); + + wolfSSL_CertManagerFree(cm); + + (void)wc_AsnSetSkipDateCheck(0); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_CertManagerCheckOCSPResponse(void) +{ + EXPECT_DECLS; +#if defined(HAVE_OCSP) && !defined(NO_RSA) && !defined(NO_SHA) +/* Need one of these for wolfSSL_OCSP_REQUEST_new. */ +#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || \ + defined(WOLFSSL_HAPROXY) || defined(WOLFSSL_APACHE_HTTPD) || \ + defined(HAVE_LIGHTY) + WOLFSSL_CERT_MANAGER* cm = NULL; + /* Raw OCSP response bytes captured using the following setup: + * - Run responder with + * openssl ocsp -port 9999 -ndays 9999 + * -index certs/ocsp/index-intermediate1-ca-issued-certs.txt + * -rsigner certs/ocsp/ocsp-responder-cert.pem + * -rkey certs/ocsp/ocsp-responder-key.pem + * -CA certs/ocsp/intermediate1-ca-cert.pem + * - Run client with + * openssl ocsp -host 127.0.0.1:9999 -respout resp.out + * -issuer certs/ocsp/intermediate1-ca-cert.pem + * -cert certs/ocsp/server1-cert.pem + * -CAfile certs/ocsp/root-ca-cert.pem -noverify + * - Select the response packet in Wireshark, and export it using + * "File->Export Packet Dissection->As "C" Arrays". Select "Selected + * packets only". After importing into the editor, remove the initial + * ~148 bytes of header, ending with the Content-Length and the \r\n\r\n. + */ + static const byte response[] = { + 0x30, 0x82, 0x07, 0x40, /* ....0..@ */ + 0x0a, 0x01, 0x00, 0xa0, 0x82, 0x07, 0x39, 0x30, /* ......90 */ + 0x82, 0x07, 0x35, 0x06, 0x09, 0x2b, 0x06, 0x01, /* ..5..+.. */ + 0x05, 0x05, 0x07, 0x30, 0x01, 0x01, 0x04, 0x82, /* ...0.... */ + 0x07, 0x26, 0x30, 0x82, 0x07, 0x22, 0x30, 0x82, /* .&0.."0. */ + 0x01, 0x40, 0xa1, 0x81, 0xa1, 0x30, 0x81, 0x9e, /* .@...0.. */ + 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, /* 1.0...U. */ + 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, /* ...US1.0 */ + 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, /* ...U.... */ + 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, /* Washingt */ + 0x6f, 0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, /* on1.0... */ + 0x55, 0x04, 0x07, 0x0c, 0x07, 0x53, 0x65, 0x61, /* U....Sea */ + 0x74, 0x74, 0x6c, 0x65, 0x31, 0x10, 0x30, 0x0e, /* ttle1.0. */ + 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x07, 0x77, /* ..U....w */ + 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x31, 0x14, /* olfSSL1. */ + 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, /* 0...U... */ + 0x0b, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, /* .Enginee */ + 0x72, 0x69, 0x6e, 0x67, 0x31, 0x1f, 0x30, 0x1d, /* ring1.0. */ + 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x16, 0x77, /* ..U....w */ + 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x20, 0x4f, /* olfSSL O */ + 0x43, 0x53, 0x50, 0x20, 0x52, 0x65, 0x73, 0x70, /* CSP Resp */ + 0x6f, 0x6e, 0x64, 0x65, 0x72, 0x31, 0x1f, 0x30, /* onder1.0 */ + 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, /* ...*.H.. */ + 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, /* ......in */ + 0x66, 0x6f, 0x40, 0x77, 0x6f, 0x6c, 0x66, 0x73, /* fo@wolfs */ + 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x18, 0x0f, /* sl.com.. */ + 0x32, 0x30, 0x32, 0x34, 0x31, 0x32, 0x32, 0x30, /* 20241220 */ + 0x31, 0x37, 0x30, 0x37, 0x30, 0x34, 0x5a, 0x30, /* 170704Z0 */ + 0x64, 0x30, 0x62, 0x30, 0x3a, 0x30, 0x09, 0x06, /* d0b0:0.. */ + 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, /* .+...... */ + 0x04, 0x14, 0x71, 0x4d, 0x82, 0x23, 0x40, 0x59, /* ..qM.#@Y */ + 0xc0, 0x96, 0xa1, 0x37, 0x43, 0xfa, 0x31, 0xdb, /* ...7C.1. */ + 0xba, 0xb1, 0x43, 0x18, 0xda, 0x04, 0x04, 0x14, /* ..C..... */ + 0x83, 0xc6, 0x3a, 0x89, 0x2c, 0x81, 0xf4, 0x02, /* ..:.,... */ + 0xd7, 0x9d, 0x4c, 0xe2, 0x2a, 0xc0, 0x71, 0x82, /* ..L.*.q. */ + 0x64, 0x44, 0xda, 0x0e, 0x02, 0x01, 0x05, 0x80, /* dD...... */ + 0x00, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x34, 0x31, /* ...20241 */ + 0x32, 0x32, 0x30, 0x31, 0x37, 0x30, 0x37, 0x30, /* 22017070 */ + 0x34, 0x5a, 0xa0, 0x11, 0x18, 0x0f, 0x32, 0x30, /* 4Z....20 */ + 0x35, 0x32, 0x30, 0x35, 0x30, 0x36, 0x31, 0x37, /* 52050617 */ + 0x30, 0x37, 0x30, 0x34, 0x5a, 0xa1, 0x23, 0x30, /* 0704Z.#0 */ + 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2b, 0x06, 0x01, /* !0...+.. */ + 0x05, 0x05, 0x07, 0x30, 0x01, 0x02, 0x04, 0x12, /* ...0.... */ + 0x04, 0x10, 0x12, 0x7c, 0x27, 0xbd, 0x22, 0x28, /* ...|'."( */ + 0x5e, 0x62, 0x81, 0xed, 0x6d, 0x2c, 0x2d, 0x59, /* ^b..m,-Y */ + 0x42, 0xd7, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, /* B.0...*. */ + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, /* H....... */ + 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x6c, 0xce, /* ......l. */ + 0xa8, 0xe8, 0xfe, 0xaf, 0x33, 0xe2, 0xce, 0x4e, /* ....3..N */ + 0x63, 0x8d, 0x61, 0x16, 0x0f, 0x70, 0xb2, 0x0c, /* c.a..p.. */ + 0x9a, 0xe3, 0x01, 0xd5, 0xca, 0xe5, 0x9b, 0x70, /* .......p */ + 0x81, 0x6f, 0x94, 0x09, 0xe8, 0x88, 0x98, 0x1a, /* .o...... */ + 0x67, 0xa0, 0xc2, 0xe7, 0x8f, 0x9b, 0x5f, 0x13, /* g....._. */ + 0x17, 0x8d, 0x93, 0x8c, 0x31, 0x61, 0x7d, 0x72, /* ....1a}r */ + 0x34, 0xbd, 0x21, 0x48, 0xca, 0xb2, 0xc9, 0xae, /* 4.!H.... */ + 0x28, 0x5f, 0x97, 0x19, 0xcb, 0xdf, 0xed, 0xd4, /* (_...... */ + 0x6e, 0x89, 0x30, 0x89, 0x11, 0xd1, 0x05, 0x08, /* n.0..... */ + 0x81, 0xe9, 0xa7, 0xba, 0xf7, 0x16, 0x0c, 0xbe, /* ........ */ + 0x48, 0x2e, 0xc0, 0x05, 0xac, 0x90, 0xc2, 0x35, /* H......5 */ + 0xce, 0x6c, 0x94, 0x5d, 0x2b, 0xad, 0x4f, 0x19, /* .l.]+.O. */ + 0xea, 0x7b, 0xd9, 0x4f, 0x49, 0x20, 0x8d, 0x98, /* .{.OI .. */ + 0xa9, 0xe4, 0x53, 0x6d, 0xca, 0x34, 0xdb, 0x4a, /* ..Sm.4.J */ + 0x28, 0xb3, 0x33, 0xfb, 0xfd, 0xcc, 0x4b, 0xfa, /* (.3...K. */ + 0xdb, 0x70, 0xe1, 0x96, 0xc8, 0xd4, 0xf1, 0x85, /* .p...... */ + 0x99, 0xaf, 0x06, 0xeb, 0xfd, 0x96, 0x21, 0x86, /* ......!. */ + 0x81, 0xee, 0xcf, 0xd2, 0xf4, 0x83, 0xc9, 0x1d, /* ........ */ + 0x8f, 0x42, 0xd1, 0xc1, 0xbc, 0x50, 0x0a, 0xfb, /* .B...P.. */ + 0x95, 0x39, 0x4c, 0x36, 0xa8, 0xfe, 0x2b, 0x8e, /* .9L6..+. */ + 0xc5, 0xb5, 0xe0, 0xab, 0xdb, 0xc0, 0xbf, 0x1d, /* ........ */ + 0x35, 0x4d, 0xc0, 0x52, 0xfb, 0x08, 0x04, 0x4c, /* 5M.R...L */ + 0x98, 0xf0, 0xb5, 0x5b, 0xff, 0x99, 0x74, 0xce, /* ...[..t. */ + 0xb7, 0xc9, 0xe3, 0xe5, 0x70, 0x2e, 0xd3, 0x1d, /* ....p... */ + 0x46, 0x38, 0xf9, 0x51, 0x17, 0x73, 0xd1, 0x08, /* F8.Q.s.. */ + 0x8d, 0x3d, 0x12, 0x47, 0xd0, 0x66, 0x77, 0xaf, /* .=.G.fw. */ + 0xfd, 0x4c, 0x75, 0x1f, 0xe9, 0x6c, 0xf4, 0x5a, /* .Lu..l.Z */ + 0xde, 0xec, 0x37, 0xc7, 0xc4, 0x0a, 0xbe, 0x91, /* ..7..... */ + 0xbc, 0x05, 0x08, 0x86, 0x47, 0x30, 0x2a, 0xc6, /* ....G0*. */ + 0x85, 0x4b, 0x55, 0x6c, 0xef, 0xdf, 0x2d, 0x5a, /* .KUl..-Z */ + 0xf7, 0x5b, 0xb5, 0xba, 0xed, 0x38, 0xb0, 0xcb, /* .[...8.. */ + 0xeb, 0x7e, 0x84, 0x3a, 0x69, 0x2c, 0xa0, 0x82, /* .~.:i,.. */ + 0x04, 0xc6, 0x30, 0x82, 0x04, 0xc2, 0x30, 0x82, /* ..0...0. */ + 0x04, 0xbe, 0x30, 0x82, 0x03, 0xa6, 0xa0, 0x03, /* ..0..... */ + 0x02, 0x01, 0x02, 0x02, 0x01, 0x04, 0x30, 0x0d, /* ......0. */ + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, /* ..*.H... */ + 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x81, 0x97, /* .....0.. */ + 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, /* 1.0...U. */ + 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, /* ...US1.0 */ + 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, /* ...U.... */ + 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, /* Washingt */ + 0x6f, 0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, /* on1.0... */ + 0x55, 0x04, 0x07, 0x0c, 0x07, 0x53, 0x65, 0x61, /* U....Sea */ + 0x74, 0x74, 0x6c, 0x65, 0x31, 0x10, 0x30, 0x0e, /* ttle1.0. */ + 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x07, 0x77, /* ..U....w */ + 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x31, 0x14, /* olfSSL1. */ + 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, /* 0...U... */ + 0x0b, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, /* .Enginee */ + 0x72, 0x69, 0x6e, 0x67, 0x31, 0x18, 0x30, 0x16, /* ring1.0. */ + 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x77, /* ..U....w */ + 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x20, 0x72, /* olfSSL r */ + 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x41, 0x31, 0x1f, /* oot CA1. */ + 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, /* 0...*.H. */ + 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, /* .......i */ + 0x6e, 0x66, 0x6f, 0x40, 0x77, 0x6f, 0x6c, 0x66, /* nfo@wolf */ + 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x30, /* ssl.com0 */ + 0x1e, 0x17, 0x0d, 0x32, 0x34, 0x31, 0x32, 0x31, /* ...24121 */ + 0x38, 0x32, 0x31, 0x32, 0x35, 0x33, 0x31, 0x5a, /* 8212531Z */ + 0x17, 0x0d, 0x32, 0x37, 0x30, 0x39, 0x31, 0x34, /* ..270914 */ + 0x32, 0x31, 0x32, 0x35, 0x33, 0x31, 0x5a, 0x30, /* 212531Z0 */ + 0x81, 0x9e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, /* ..1.0... */ + 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, /* U....US1 */ + 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, /* .0...U.. */ + 0x0c, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, /* ..Washin */ + 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30, 0x0e, /* gton1.0. */ + 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x07, 0x53, /* ..U....S */ + 0x65, 0x61, 0x74, 0x74, 0x6c, 0x65, 0x31, 0x10, /* eattle1. */ + 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, /* 0...U... */ + 0x07, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, /* .wolfSSL */ + 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, /* 1.0...U. */ + 0x0b, 0x0c, 0x0b, 0x45, 0x6e, 0x67, 0x69, 0x6e, /* ...Engin */ + 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x31, 0x1f, /* eering1. */ + 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, /* 0...U... */ + 0x16, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, /* .wolfSSL */ + 0x20, 0x4f, 0x43, 0x53, 0x50, 0x20, 0x52, 0x65, /* OCSP Re */ + 0x73, 0x70, 0x6f, 0x6e, 0x64, 0x65, 0x72, 0x31, /* sponder1 */ + 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, /* .0...*.H */ + 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, /* ........ */ + 0x69, 0x6e, 0x66, 0x6f, 0x40, 0x77, 0x6f, 0x6c, /* info@wol */ + 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, /* fssl.com */ + 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, /* 0.."0... */ + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, /* *.H..... */ + 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, /* ........ */ + 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, /* 0....... */ + 0x00, 0xb8, 0xba, 0x23, 0xb4, 0xf6, 0xc3, 0x7b, /* ...#...{ */ + 0x14, 0xc3, 0xa4, 0xf5, 0x1d, 0x61, 0xa1, 0xf5, /* .....a.. */ + 0x1e, 0x63, 0xb9, 0x85, 0x23, 0x34, 0x50, 0x6d, /* .c..#4Pm */ + 0xf8, 0x7c, 0xa2, 0x8a, 0x04, 0x8b, 0xd5, 0x75, /* .|.....u */ + 0x5c, 0x2d, 0xf7, 0x63, 0x88, 0xd1, 0x07, 0x7a, /* \-.c...z */ + 0xea, 0x0b, 0x45, 0x35, 0x2b, 0xeb, 0x1f, 0xb1, /* ..E5+... */ + 0x22, 0xb4, 0x94, 0x41, 0x38, 0xe2, 0x9d, 0x74, /* "..A8..t */ + 0xd6, 0x8b, 0x30, 0x22, 0x10, 0x51, 0xc5, 0xdb, /* ..0".Q.. */ + 0xca, 0x3f, 0x46, 0x2b, 0xfe, 0xe5, 0x5a, 0x3f, /* .?F+..Z? */ + 0x41, 0x74, 0x67, 0x75, 0x95, 0xa9, 0x94, 0xd5, /* Atgu.... */ + 0xc3, 0xee, 0x42, 0xf8, 0x8d, 0xeb, 0x92, 0x95, /* ..B..... */ + 0xe1, 0xd9, 0x65, 0xb7, 0x43, 0xc4, 0x18, 0xde, /* ..e.C... */ + 0x16, 0x80, 0x90, 0xce, 0x24, 0x35, 0x21, 0xc4, /* ....$5!. */ + 0x55, 0xac, 0x5a, 0x51, 0xe0, 0x2e, 0x2d, 0xb3, /* U.ZQ..-. */ + 0x0a, 0x5a, 0x4f, 0x4a, 0x73, 0x31, 0x50, 0xee, /* .ZOJs1P. */ + 0x4a, 0x16, 0xbd, 0x39, 0x8b, 0xad, 0x05, 0x48, /* J..9...H */ + 0x87, 0xb1, 0x99, 0xe2, 0x10, 0xa7, 0x06, 0x72, /* .......r */ + 0x67, 0xca, 0x5c, 0xd1, 0x97, 0xbd, 0xc8, 0xf1, /* g.\..... */ + 0x76, 0xf8, 0xe0, 0x4a, 0xec, 0xbc, 0x93, 0xf4, /* v..J.... */ + 0x66, 0x4c, 0x28, 0x71, 0xd1, 0xd8, 0x66, 0x03, /* fL(q..f. */ + 0xb4, 0x90, 0x30, 0xbb, 0x17, 0xb0, 0xfe, 0x97, /* ..0..... */ + 0xf5, 0x1e, 0xe8, 0xc7, 0x5d, 0x9b, 0x8b, 0x11, /* ....]... */ + 0x19, 0x12, 0x3c, 0xab, 0x82, 0x71, 0x78, 0xff, /* ..<..qx. */ + 0xae, 0x3f, 0x32, 0xb2, 0x08, 0x71, 0xb2, 0x1b, /* .?2..q.. */ + 0x8c, 0x27, 0xac, 0x11, 0xb8, 0xd8, 0x43, 0x49, /* .'....CI */ + 0xcf, 0xb0, 0x70, 0xb1, 0xf0, 0x8c, 0xae, 0xda, /* ..p..... */ + 0x24, 0x87, 0x17, 0x3b, 0xd8, 0x04, 0x65, 0x6c, /* $..;..el */ + 0x00, 0x76, 0x50, 0xef, 0x15, 0x08, 0xd7, 0xb4, /* .vP..... */ + 0x73, 0x68, 0x26, 0x14, 0x87, 0x95, 0xc3, 0x5f, /* sh&...._ */ + 0x6e, 0x61, 0xb8, 0x87, 0x84, 0xfa, 0x80, 0x1a, /* na...... */ + 0x0a, 0x8b, 0x98, 0xf3, 0xe3, 0xff, 0x4e, 0x44, /* ......ND */ + 0x1c, 0x65, 0x74, 0x7c, 0x71, 0x54, 0x65, 0xe5, /* .et|qTe. */ + 0x39, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, /* 9....... */ + 0x01, 0x0a, 0x30, 0x82, 0x01, 0x06, 0x30, 0x09, /* ..0...0. */ + 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, /* ..U....0 */ + 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, /* .0...U.. */ + 0x04, 0x16, 0x04, 0x14, 0x32, 0x67, 0xe1, 0xb1, /* ....2g.. */ + 0x79, 0xd2, 0x81, 0xfc, 0x9f, 0x23, 0x0c, 0x70, /* y....#.p */ + 0x40, 0x50, 0xb5, 0x46, 0x56, 0xb8, 0x30, 0x36, /* @P.FV.06 */ + 0x30, 0x81, 0xc4, 0x06, 0x03, 0x55, 0x1d, 0x23, /* 0....U.# */ + 0x04, 0x81, 0xbc, 0x30, 0x81, 0xb9, 0x80, 0x14, /* ...0.... */ + 0x73, 0xb0, 0x1c, 0xa4, 0x2f, 0x82, 0xcb, 0xcf, /* s.../... */ + 0x47, 0xa5, 0x38, 0xd7, 0xb0, 0x04, 0x82, 0x3a, /* G.8....: */ + 0x7e, 0x72, 0x15, 0x21, 0xa1, 0x81, 0x9d, 0xa4, /* ~r.!.... */ + 0x81, 0x9a, 0x30, 0x81, 0x97, 0x31, 0x0b, 0x30, /* ..0..1.0 */ + 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, /* ...U.... */ + 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, /* US1.0... */ + 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x57, 0x61, 0x73, /* U....Was */ + 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, /* hington1 */ + 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, /* .0...U.. */ + 0x0c, 0x07, 0x53, 0x65, 0x61, 0x74, 0x74, 0x6c, /* ..Seattl */ + 0x65, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, /* e1.0...U */ + 0x04, 0x0a, 0x0c, 0x07, 0x77, 0x6f, 0x6c, 0x66, /* ....wolf */ + 0x53, 0x53, 0x4c, 0x31, 0x14, 0x30, 0x12, 0x06, /* SSL1.0.. */ + 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x0b, 0x45, 0x6e, /* .U....En */ + 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, /* gineerin */ + 0x67, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, /* g1.0...U */ + 0x04, 0x03, 0x0c, 0x0f, 0x77, 0x6f, 0x6c, 0x66, /* ....wolf */ + 0x53, 0x53, 0x4c, 0x20, 0x72, 0x6f, 0x6f, 0x74, /* SSL root */ + 0x20, 0x43, 0x41, 0x31, 0x1f, 0x30, 0x1d, 0x06, /* CA1.0.. */ + 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, /* .*.H.... */ + 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, /* ....info */ + 0x40, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, /* @wolfssl */ + 0x2e, 0x63, 0x6f, 0x6d, 0x82, 0x01, 0x63, 0x30, /* .com..c0 */ + 0x13, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x04, 0x0c, /* ...U.%.. */ + 0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, /* 0...+... */ + 0x05, 0x07, 0x03, 0x09, 0x30, 0x0d, 0x06, 0x09, /* ....0... */ + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, /* *.H..... */ + 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, /* ........ */ + 0x4d, 0xa2, 0xd8, 0x55, 0xe0, 0x2b, 0xf4, 0xad, /* M..U.+.. */ + 0x65, 0xe2, 0x92, 0x35, 0xcb, 0x60, 0xa0, 0xa2, /* e..5.`.. */ + 0x6b, 0xa6, 0x88, 0xc1, 0x86, 0x58, 0x57, 0x37, /* k....XW7 */ + 0xbd, 0x2e, 0x28, 0x6e, 0x1c, 0x56, 0x2a, 0x35, /* ..(n.V*5 */ + 0xde, 0xff, 0x3e, 0x8e, 0x3d, 0x47, 0x21, 0x1a, /* ..>.=G!. */ + 0xe9, 0xd3, 0xc6, 0xb4, 0xe2, 0xcb, 0x3e, 0xc6, /* ......>. */ + 0xaf, 0x9b, 0xef, 0x23, 0x88, 0x56, 0x95, 0x73, /* ...#.V.s */ + 0x2e, 0xb3, 0xed, 0xc5, 0x11, 0x4b, 0x69, 0xf7, /* .....Ki. */ + 0x13, 0x3a, 0x05, 0xe1, 0xaf, 0xba, 0xc9, 0x59, /* .:.....Y */ + 0xfd, 0xe2, 0xa0, 0x81, 0xa0, 0x4c, 0x0c, 0x2c, /* .....L., */ + 0xcb, 0x57, 0xad, 0x96, 0x3a, 0x8c, 0x32, 0xa6, /* .W..:.2. */ + 0x4a, 0xf8, 0x72, 0xb8, 0xec, 0xb3, 0x26, 0x69, /* J.r...&i */ + 0xd6, 0x6a, 0x4c, 0x4c, 0x78, 0x18, 0x3c, 0xca, /* .jLLx.<. */ + 0x19, 0xf1, 0xb5, 0x8e, 0x23, 0x81, 0x5b, 0x27, /* ....#.[' */ + 0x90, 0xe0, 0x5c, 0x2b, 0x17, 0x4d, 0x78, 0x99, /* ..\+.Mx. */ + 0x6b, 0x25, 0xbd, 0x2f, 0xae, 0x1b, 0xaa, 0xce, /* k%./.... */ + 0x84, 0xb9, 0x44, 0x21, 0x46, 0xc0, 0x34, 0x6b, /* ..D!F.4k */ + 0x5b, 0xb9, 0x1b, 0xca, 0x5c, 0x60, 0xf1, 0xef, /* [...\`.. */ + 0xe6, 0x66, 0xbc, 0x84, 0x63, 0x56, 0x50, 0x7d, /* .f..cVP} */ + 0xbb, 0x2c, 0x2f, 0x7b, 0x47, 0xb4, 0xfd, 0x58, /* .,/{G..X */ + 0x77, 0x87, 0xee, 0x27, 0x20, 0x96, 0x72, 0x8e, /* w..' .r. */ + 0x4c, 0x7e, 0x4f, 0x93, 0xeb, 0x5f, 0x8f, 0x9c, /* L~O.._.. */ + 0x1e, 0x59, 0x7a, 0x96, 0xaa, 0x53, 0x77, 0x22, /* .Yz..Sw" */ + 0x41, 0xd8, 0xd3, 0xf9, 0x89, 0x8f, 0xe8, 0x9d, /* A....... */ + 0x65, 0xbd, 0x0c, 0x71, 0x3c, 0xbb, 0xa3, 0x07, /* e..q<... */ + 0xbf, 0xfb, 0xa8, 0xd1, 0x18, 0x0a, 0xb4, 0xc4, /* ........ */ + 0xf7, 0x83, 0xb3, 0x86, 0x2b, 0xf0, 0x5b, 0x05, /* ....+.[. */ + 0x28, 0xc1, 0x01, 0x31, 0x73, 0x5c, 0x2b, 0xbd, /* (..1s\+. */ + 0x60, 0x97, 0xa3, 0x36, 0x82, 0x96, 0xd7, 0x83, /* `..6.... */ + 0xdf, 0x75, 0xee, 0x29, 0x42, 0x97, 0x86, 0x41, /* .u.)B..A */ + 0x55, 0xb9, 0x70, 0x87, 0xd5, 0x02, 0x85, 0x13, /* U.p..... */ + 0x41, 0xf8, 0x25, 0x05, 0xab, 0x6a, 0xaa, 0x57 /* A.%..j.W */ + }; + OcspEntry entry[1]; + CertStatus status[1]; + OcspRequest* request = NULL; +#ifndef NO_FILESYSTEM + const char* ca_cert = "./certs/ca-cert.pem"; +#endif + + byte serial[] = {0x05}; + byte issuerHash[] = { + 0x71, 0x4d, 0x82, 0x23, 0x40, 0x59, 0xc0, 0x96, + 0xa1, 0x37, 0x43, 0xfa, 0x31, 0xdb, 0xba, 0xb1, + 0x43, 0x18, 0xda, 0x04 + }; + byte issuerKeyHash[] = { + 0x83, 0xc6, 0x3a, 0x89, 0x2c, 0x81, 0xf4, 0x02, + 0xd7, 0x9d, 0x4c, 0xe2, 0x2a, 0xc0, 0x71, 0x82, + 0x64, 0x44, 0xda, 0x0e + }; + + + XMEMSET(entry, 0, sizeof(OcspEntry)); + XMEMSET(status, 0, sizeof(CertStatus)); + + ExpectNotNull(request = wolfSSL_OCSP_REQUEST_new()); + ExpectNotNull(request->serial = (byte*)XMALLOC(sizeof(serial), NULL, + DYNAMIC_TYPE_OCSP_REQUEST)); + + if ((request != NULL) && (request->serial != NULL)) { + request->serialSz = sizeof(serial); + XMEMCPY(request->serial, serial, sizeof(serial)); + XMEMCPY(request->issuerHash, issuerHash, sizeof(issuerHash)); + XMEMCPY(request->issuerKeyHash, issuerKeyHash, sizeof(issuerKeyHash)); + } + + ExpectNotNull(cm = wolfSSL_CertManagerNew_ex(NULL)); + ExpectIntEQ(wolfSSL_CertManagerEnableOCSP(cm, 0), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CertManagerLoadCA(cm, + "./certs/ocsp/intermediate1-ca-cert.pem", NULL), WOLFSSL_SUCCESS); + + /* Response should be valid. */ + ExpectIntEQ(wolfSSL_CertManagerCheckOCSPResponse(cm, (byte *)response, + sizeof(response), NULL, status, entry, request), WOLFSSL_SUCCESS); + + /* Flip a byte in the request serial number, response should be invalid + * now. */ + if ((request != NULL) && (request->serial != NULL)) + request->serial[0] ^= request->serial[0]; + ExpectIntNE(wolfSSL_CertManagerCheckOCSPResponse(cm, (byte *)response, + sizeof(response), NULL, status, entry, request), WOLFSSL_SUCCESS); + +#ifndef NO_FILESYSTEM + ExpectIntEQ(wolfSSL_CertManagerCheckOCSP(cm, server_cert_der_2048, + sizeof(server_cert_der_2048)), WC_NO_ERR_TRACE(ASN_NO_SIGNER_E)); + ExpectIntEQ(WOLFSSL_SUCCESS, + wolfSSL_CertManagerLoadCA(cm, ca_cert, NULL)); + ExpectIntEQ(wolfSSL_CertManagerCheckOCSP(cm, server_cert_der_2048, + sizeof(server_cert_der_2048)), 1); +#endif + + wolfSSL_OCSP_REQUEST_free(request); + wolfSSL_CertManagerFree(cm); +#endif /* OPENSSL_ALL || WOLFSSL_NGINX || WOLFSSL_HAPROXY || + * WOLFSSL_APACHE_HTTPD || HAVE_LIGHTY */ +#endif /* HAVE_OCSP */ + return EXPECT_RESULT(); +} + +#ifdef HAVE_CERT_CHAIN_VALIDATION +#ifndef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION +#ifdef WOLFSSL_PEM_TO_DER +#ifndef NO_SHA256 +static int load_ca_into_cm(WOLFSSL_CERT_MANAGER* cm, char* certA) +{ + int ret; + + if ((ret = wolfSSL_CertManagerLoadCA(cm, certA, 0)) != WOLFSSL_SUCCESS) { + fprintf(stderr, "loading cert %s failed\n", certA); + fprintf(stderr, "Error: (%d): %s\n", ret, + wolfSSL_ERR_reason_error_string((word32)ret)); + return -1; + } + + return 0; +} + +static int verify_cert_with_cm(WOLFSSL_CERT_MANAGER* cm, char* certA) +{ + int ret; + if ((ret = wolfSSL_CertManagerVerify(cm, certA, CERT_FILETYPE)) + != WOLFSSL_SUCCESS) { + fprintf(stderr, "could not verify the cert: %s\n", certA); + fprintf(stderr, "Error: (%d): %s\n", ret, + wolfSSL_ERR_reason_error_string((word32)ret)); + return -1; + } + else { + fprintf(stderr, "successfully verified: %s\n", certA); + } + + return 0; +} +#define LOAD_ONE_CA(a, b, c, d) \ + do { \ + (a) = load_ca_into_cm(c, d); \ + if ((a) != 0) \ + return (b); \ + else \ + (b)--; \ + } while(0) + +#define VERIFY_ONE_CERT(a, b, c, d) \ + do { \ + (a) = verify_cert_with_cm(c, d);\ + if ((a) != 0) \ + return (b); \ + else \ + (b)--; \ + } while(0) + +static int test_chainG(WOLFSSL_CERT_MANAGER* cm) +{ + int ret; + int i = -1; + /* Chain G is a valid chain per RFC 5280 section 4.2.1.9 */ + char chainGArr[9][50] = {"certs/ca-cert.pem", + "certs/test-pathlen/chainG-ICA7-pathlen100.pem", + "certs/test-pathlen/chainG-ICA6-pathlen10.pem", + "certs/test-pathlen/chainG-ICA5-pathlen20.pem", + "certs/test-pathlen/chainG-ICA4-pathlen5.pem", + "certs/test-pathlen/chainG-ICA3-pathlen99.pem", + "certs/test-pathlen/chainG-ICA2-pathlen1.pem", + "certs/test-pathlen/chainG-ICA1-pathlen0.pem", + "certs/test-pathlen/chainG-entity.pem"}; + + LOAD_ONE_CA(ret, i, cm, chainGArr[0]); /* if failure, i = -1 here */ + LOAD_ONE_CA(ret, i, cm, chainGArr[1]); /* if failure, i = -2 here */ + LOAD_ONE_CA(ret, i, cm, chainGArr[2]); /* if failure, i = -3 here */ + LOAD_ONE_CA(ret, i, cm, chainGArr[3]); /* if failure, i = -4 here */ + LOAD_ONE_CA(ret, i, cm, chainGArr[4]); /* if failure, i = -5 here */ + LOAD_ONE_CA(ret, i, cm, chainGArr[5]); /* if failure, i = -6 here */ + LOAD_ONE_CA(ret, i, cm, chainGArr[6]); /* if failure, i = -7 here */ + LOAD_ONE_CA(ret, i, cm, chainGArr[7]); /* if failure, i = -8 here */ + VERIFY_ONE_CERT(ret, i, cm, chainGArr[1]); /* if failure, i = -9 here */ + VERIFY_ONE_CERT(ret, i, cm, chainGArr[2]); /* if failure, i = -10 here */ + VERIFY_ONE_CERT(ret, i, cm, chainGArr[3]); /* if failure, i = -11 here */ + VERIFY_ONE_CERT(ret, i, cm, chainGArr[4]); /* if failure, i = -12 here */ + VERIFY_ONE_CERT(ret, i, cm, chainGArr[5]); /* if failure, i = -13 here */ + VERIFY_ONE_CERT(ret, i, cm, chainGArr[6]); /* if failure, i = -14 here */ + VERIFY_ONE_CERT(ret, i, cm, chainGArr[7]); /* if failure, i = -15 here */ + VERIFY_ONE_CERT(ret, i, cm, chainGArr[8]); /* if failure, i = -16 here */ + + /* test validating the entity twice, should have no effect on pathLen since + * entity/leaf cert */ + VERIFY_ONE_CERT(ret, i, cm, chainGArr[8]); /* if failure, i = -17 here */ + + return ret; +} + +static int test_chainH(WOLFSSL_CERT_MANAGER* cm) +{ + int ret; + int i = -1; + /* Chain H is NOT a valid chain per RFC5280 section 4.2.1.9: + * ICA4-pathlen of 2 signing ICA3-pathlen of 2 (reduce max path len to 2) + * ICA3-pathlen of 2 signing ICA2-pathlen of 2 (reduce max path len to 1) + * ICA2-pathlen of 2 signing ICA1-pathlen of 0 (reduce max path len to 0) + * ICA1-pathlen of 0 signing entity (pathlen is already 0, ERROR) + * Test should successfully verify ICA4, ICA3, ICA2 and then fail on ICA1 + */ + char chainHArr[6][50] = {"certs/ca-cert.pem", + "certs/test-pathlen/chainH-ICA4-pathlen2.pem", + "certs/test-pathlen/chainH-ICA3-pathlen2.pem", + "certs/test-pathlen/chainH-ICA2-pathlen2.pem", + "certs/test-pathlen/chainH-ICA1-pathlen0.pem", + "certs/test-pathlen/chainH-entity.pem"}; + + LOAD_ONE_CA(ret, i, cm, chainHArr[0]); /* if failure, i = -1 here */ + LOAD_ONE_CA(ret, i, cm, chainHArr[1]); /* if failure, i = -2 here */ + LOAD_ONE_CA(ret, i, cm, chainHArr[2]); /* if failure, i = -3 here */ + LOAD_ONE_CA(ret, i, cm, chainHArr[3]); /* if failure, i = -4 here */ + LOAD_ONE_CA(ret, i, cm, chainHArr[4]); /* if failure, i = -5 here */ + VERIFY_ONE_CERT(ret, i, cm, chainHArr[1]); /* if failure, i = -6 here */ + VERIFY_ONE_CERT(ret, i, cm, chainHArr[2]); /* if failure, i = -7 here */ + VERIFY_ONE_CERT(ret, i, cm, chainHArr[3]); /* if failure, i = -8 here */ + VERIFY_ONE_CERT(ret, i, cm, chainHArr[4]); /* if failure, i = -9 here */ + VERIFY_ONE_CERT(ret, i, cm, chainHArr[5]); /* if failure, i = -10 here */ + + return ret; +} + +static int test_chainI(WOLFSSL_CERT_MANAGER* cm) +{ + int ret; + int i = -1; + /* Chain I is a valid chain per RFC5280 section 4.2.1.9: + * ICA3-pathlen of 2 signing ICA2 without a pathlen (reduce maxPathLen to 2) + * ICA2-no_pathlen signing ICA1-no_pathlen (reduce maxPathLen to 1) + * ICA1-no_pathlen signing entity (reduce maxPathLen to 0) + * Test should successfully verify ICA4, ICA3, ICA2 and then fail on ICA1 + */ + char chainIArr[5][50] = {"certs/ca-cert.pem", + "certs/test-pathlen/chainI-ICA3-pathlen2.pem", + "certs/test-pathlen/chainI-ICA2-no_pathlen.pem", + "certs/test-pathlen/chainI-ICA1-no_pathlen.pem", + "certs/test-pathlen/chainI-entity.pem"}; + + LOAD_ONE_CA(ret, i, cm, chainIArr[0]); /* if failure, i = -1 here */ + LOAD_ONE_CA(ret, i, cm, chainIArr[1]); /* if failure, i = -2 here */ + LOAD_ONE_CA(ret, i, cm, chainIArr[2]); /* if failure, i = -3 here */ + LOAD_ONE_CA(ret, i, cm, chainIArr[3]); /* if failure, i = -4 here */ + VERIFY_ONE_CERT(ret, i, cm, chainIArr[1]); /* if failure, i = -5 here */ + VERIFY_ONE_CERT(ret, i, cm, chainIArr[2]); /* if failure, i = -6 here */ + VERIFY_ONE_CERT(ret, i, cm, chainIArr[3]); /* if failure, i = -7 here */ + VERIFY_ONE_CERT(ret, i, cm, chainIArr[4]); /* if failure, i = -8 here */ + + return ret; +} + +static int test_chainJ(WOLFSSL_CERT_MANAGER* cm) +{ + int ret; + int i = -1; + /* Chain J is NOT a valid chain per RFC5280 section 4.2.1.9: + * ICA4-pathlen of 2 signing ICA3 without a pathlen (reduce maxPathLen to 2) + * ICA3-pathlen of 2 signing ICA2 without a pathlen (reduce maxPathLen to 1) + * ICA2-no_pathlen signing ICA1-no_pathlen (reduce maxPathLen to 0) + * ICA1-no_pathlen signing entity (ERROR, pathlen zero and non-leaf cert) + */ + char chainJArr[6][50] = {"certs/ca-cert.pem", + "certs/test-pathlen/chainJ-ICA4-pathlen2.pem", + "certs/test-pathlen/chainJ-ICA3-no_pathlen.pem", + "certs/test-pathlen/chainJ-ICA2-no_pathlen.pem", + "certs/test-pathlen/chainJ-ICA1-no_pathlen.pem", + "certs/test-pathlen/chainJ-entity.pem"}; + + LOAD_ONE_CA(ret, i, cm, chainJArr[0]); /* if failure, i = -1 here */ + LOAD_ONE_CA(ret, i, cm, chainJArr[1]); /* if failure, i = -2 here */ + LOAD_ONE_CA(ret, i, cm, chainJArr[2]); /* if failure, i = -3 here */ + LOAD_ONE_CA(ret, i, cm, chainJArr[3]); /* if failure, i = -4 here */ + LOAD_ONE_CA(ret, i, cm, chainJArr[4]); /* if failure, i = -5 here */ + VERIFY_ONE_CERT(ret, i, cm, chainJArr[1]); /* if failure, i = -6 here */ + VERIFY_ONE_CERT(ret, i, cm, chainJArr[2]); /* if failure, i = -7 here */ + VERIFY_ONE_CERT(ret, i, cm, chainJArr[3]); /* if failure, i = -8 here */ + VERIFY_ONE_CERT(ret, i, cm, chainJArr[4]); /* if failure, i = -9 here */ + VERIFY_ONE_CERT(ret, i, cm, chainJArr[5]); /* if failure, i = -10 here */ + + return ret; +} +#endif +#endif +#endif +#endif + +int test_various_pathlen_chains(void) +{ + EXPECT_DECLS; +#if defined(WOLFSSL_PEM_TO_DER) && defined(HAVE_CERT_CHAIN_VALIDATION) && \ + !defined(WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION) +#ifndef NO_SHA256 + WOLFSSL_CERT_MANAGER* cm = NULL; + + /* Test chain G (large chain with varying pathLens) */ + ExpectNotNull(cm = wolfSSL_CertManagerNew()); +#if defined(NO_WOLFSSL_CLIENT) && defined(NO_WOLFSSL_SERVER) + ExpectIntEQ(test_chainG(cm), -1); +#else + ExpectIntEQ(test_chainG(cm), 0); +#endif /* NO_WOLFSSL_CLIENT && NO_WOLFSSL_SERVER */ + ExpectIntEQ(wolfSSL_CertManagerUnloadCAs(cm), WOLFSSL_SUCCESS); + wolfSSL_CertManagerFree(cm); + /* end test chain G */ + + /* Test chain H (5 chain with same pathLens) */ + ExpectNotNull(cm = wolfSSL_CertManagerNew()); + ExpectIntLT(test_chainH(cm), 0); + ExpectIntEQ(wolfSSL_CertManagerUnloadCAs(cm), WOLFSSL_SUCCESS); + wolfSSL_CertManagerFree(cm); + + ExpectNotNull(cm = wolfSSL_CertManagerNew()); + ExpectIntEQ(wolfSSL_CertManagerUnloadCAs(cm), WOLFSSL_SUCCESS); + wolfSSL_CertManagerFree(cm); + /* end test chain H */ + + /* Test chain I (only first ICA has pathLen set and it's set to 2, + * followed by 2 ICA's, should pass) */ + ExpectNotNull(cm = wolfSSL_CertManagerNew()); +#if defined(NO_WOLFSSL_CLIENT) && defined(NO_WOLFSSL_SERVER) + ExpectIntEQ(test_chainI(cm), -1); +#else + ExpectIntEQ(test_chainI(cm), 0); +#endif /* NO_WOLFSSL_CLIENT && NO_WOLFSSL_SERVER */ + ExpectIntEQ(wolfSSL_CertManagerUnloadCAs(cm), WOLFSSL_SUCCESS); + wolfSSL_CertManagerFree(cm); + cm = NULL; + + ExpectNotNull(cm = wolfSSL_CertManagerNew()); + ExpectIntEQ(wolfSSL_CertManagerUnloadCAs(cm), WOLFSSL_SUCCESS); + wolfSSL_CertManagerFree(cm); + cm = NULL; + + /* Test chain J (Again only first ICA has pathLen set and it's set to 2, + * this time followed by 3 ICA's, should fail */ + ExpectNotNull(cm = wolfSSL_CertManagerNew()); + ExpectIntLT(test_chainJ(cm), 0); + ExpectIntEQ(wolfSSL_CertManagerUnloadCAs(cm), WOLFSSL_SUCCESS); + wolfSSL_CertManagerFree(cm); + cm = NULL; + + ExpectNotNull(cm = wolfSSL_CertManagerNew()); + ExpectIntEQ(wolfSSL_CertManagerUnloadCAs(cm), WOLFSSL_SUCCESS); + wolfSSL_CertManagerFree(cm); +#endif +#endif + return EXPECT_RESULT(); +} + diff --git a/tests/api/test_certman.h b/tests/api/test_certman.h new file mode 100644 index 000000000..e278b76a1 --- /dev/null +++ b/tests/api/test_certman.h @@ -0,0 +1,61 @@ +/* test_certman.h + * + * Copyright (C) 2006-2025 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +#ifndef WOLFCRYPT_TEST_CERTMAN_H +#define WOLFCRYPT_TEST_CERTMAN_H + +#include + +int test_wolfSSL_CertManagerAPI(void); +int test_wolfSSL_CertManagerLoadCABuffer(void); +int test_wolfSSL_CertManagerLoadCABuffer_ex(void); +int test_wolfSSL_CertManagerLoadCABufferType(void); +int test_wolfSSL_CertManagerGetCerts(void); +int test_wolfSSL_CertManagerSetVerify(void); +int test_wolfSSL_CertManagerNameConstraint(void); +int test_wolfSSL_CertManagerNameConstraint2(void); +int test_wolfSSL_CertManagerNameConstraint3(void); +int test_wolfSSL_CertManagerNameConstraint4(void); +int test_wolfSSL_CertManagerNameConstraint5(void); +int test_wolfSSL_CertManagerCRL(void); +int test_wolfSSL_CRL_duplicate_extensions(void); +int test_wolfSSL_CertManagerCheckOCSPResponse(void); +int test_various_pathlen_chains(void); + +#define TEST_CERTMAN_DECLS \ + TEST_DECL_GROUP("certman", test_wolfSSL_CertManagerAPI), \ + TEST_DECL_GROUP("certman", test_wolfSSL_CertManagerLoadCABuffer), \ + TEST_DECL_GROUP("certman", test_wolfSSL_CertManagerLoadCABuffer_ex), \ + TEST_DECL_GROUP("certman", test_wolfSSL_CertManagerLoadCABufferType), \ + TEST_DECL_GROUP("certman", test_wolfSSL_CertManagerGetCerts), \ + TEST_DECL_GROUP("certman", test_wolfSSL_CertManagerSetVerify), \ + TEST_DECL_GROUP("certman", test_wolfSSL_CertManagerNameConstraint), \ + TEST_DECL_GROUP("certman", test_wolfSSL_CertManagerNameConstraint2), \ + TEST_DECL_GROUP("certman", test_wolfSSL_CertManagerNameConstraint3), \ + TEST_DECL_GROUP("certman", test_wolfSSL_CertManagerNameConstraint4), \ + TEST_DECL_GROUP("certman", test_wolfSSL_CertManagerNameConstraint5), \ + TEST_DECL_GROUP("certman", test_wolfSSL_CertManagerCRL), \ + TEST_DECL_GROUP("certman", test_wolfSSL_CRL_duplicate_extensions), \ + TEST_DECL_GROUP("certman", test_wolfSSL_CertManagerCheckOCSPResponse), \ + TEST_DECL_GROUP("certman", test_various_pathlen_chains) + +#endif /* WOLFCRYPT_TEST_CERTMAN_H */ + diff --git a/tests/api/test_evp.c b/tests/api/test_evp.c index 43166aab2..8c768eb87 100644 --- a/tests/api/test_evp.c +++ b/tests/api/test_evp.c @@ -26,75 +26,546 @@ #include #include -/* Test for NULL_CIPHER_TYPE in wolfSSL_EVP_CipherUpdate() */ -int test_wolfSSL_EVP_CipherUpdate_Null(void) +/* Test functions for base64 encode/decode */ +int test_wolfSSL_EVP_ENCODE_CTX_new(void) { EXPECT_DECLS; -#ifdef OPENSSL_EXTRA - WOLFSSL_EVP_CIPHER_CTX* ctx; - const char* testData = "Test NULL cipher data"; - unsigned char output[100]; - int outputLen = 0; - int testDataLen = (int)XSTRLEN(testData); +#if defined(OPENSSL_EXTRA) && \ +( defined(WOLFSSL_BASE64_ENCODE) || defined(WOLFSSL_BASE64_DECODE)) + EVP_ENCODE_CTX* ctx = NULL; - /* Create and initialize the cipher context */ - ctx = wolfSSL_EVP_CIPHER_CTX_new(); - ExpectNotNull(ctx); - - /* Initialize with NULL cipher */ - ExpectIntEQ(wolfSSL_EVP_CipherInit_ex(ctx, wolfSSL_EVP_enc_null(), - NULL, NULL, NULL, 1), WOLFSSL_SUCCESS); - - /* Test encryption (which should just copy the data) */ - ExpectIntEQ(wolfSSL_EVP_CipherUpdate(ctx, output, &outputLen, - (const unsigned char*)testData, - testDataLen), WOLFSSL_SUCCESS); - - /* Verify output length matches input length */ - ExpectIntEQ(outputLen, testDataLen); - - /* Verify output data matches input data (no encryption occurred) */ - ExpectIntEQ(XMEMCMP(output, testData, testDataLen), 0); - - /* Clean up */ - wolfSSL_EVP_CIPHER_CTX_free(ctx); -#endif /* OPENSSL_EXTRA */ + ExpectNotNull(ctx = EVP_ENCODE_CTX_new()); + ExpectIntEQ(ctx->remaining,0); + ExpectIntEQ(ctx->data[0],0); + ExpectIntEQ(ctx->data[sizeof(ctx->data) -1],0); + EVP_ENCODE_CTX_free(ctx); +#endif /* OPENSSL_EXTRA && (WOLFSSL_BASE64_ENCODE || WOLFSSL_BASE64_DECODE) */ + return EXPECT_RESULT(); +} +int test_wolfSSL_EVP_ENCODE_CTX_free(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && \ +( defined(WOLFSSL_BASE64_ENCODE) || defined(WOLFSSL_BASE64_DECODE)) + EVP_ENCODE_CTX* ctx = NULL; + ExpectNotNull(ctx = EVP_ENCODE_CTX_new()); + EVP_ENCODE_CTX_free(ctx); +#endif /* OPENSSL_EXTRA && (WOLFSSL_BASE64_ENCODE || WOLFSSL_BASE64_DECODE) */ return EXPECT_RESULT(); } -/* Test for wolfSSL_EVP_CIPHER_type_string() */ -int test_wolfSSL_EVP_CIPHER_type_string(void) +int test_wolfSSL_EVP_EncodeInit(void) { EXPECT_DECLS; -#ifdef OPENSSL_EXTRA - const char* cipherStr; +#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_BASE64_ENCODE) + EVP_ENCODE_CTX* ctx = NULL; - /* Test with valid cipher types */ -#ifdef HAVE_AES_CBC - #ifdef WOLFSSL_AES_128 - cipherStr = wolfSSL_EVP_CIPHER_type_string(WC_AES_128_CBC_TYPE); - ExpectNotNull(cipherStr); - ExpectStrEQ(cipherStr, "AES-128-CBC"); - #endif -#endif + ExpectNotNull(ctx = EVP_ENCODE_CTX_new()); + ExpectIntEQ(ctx->remaining, 0); + ExpectIntEQ(ctx->data[0], 0); + ExpectIntEQ(ctx->data[sizeof(ctx->data) -1], 0); -#ifndef NO_DES3 - cipherStr = wolfSSL_EVP_CIPHER_type_string(WC_DES_CBC_TYPE); - ExpectNotNull(cipherStr); - ExpectStrEQ(cipherStr, "DES-CBC"); -#endif + if (ctx != NULL) { + /* make ctx dirty */ + ctx->remaining = 10; + XMEMSET(ctx->data, 0x77, sizeof(ctx->data)); + } - /* Test with NULL cipher type */ - cipherStr = wolfSSL_EVP_CIPHER_type_string(WC_NULL_CIPHER_TYPE); - ExpectNotNull(cipherStr); - ExpectStrEQ(cipherStr, "NULL"); + EVP_EncodeInit(ctx); - /* Test with invalid cipher type */ - cipherStr = wolfSSL_EVP_CIPHER_type_string(0xFFFF); - ExpectNull(cipherStr); -#endif /* OPENSSL_EXTRA */ + ExpectIntEQ(ctx->remaining, 0); + ExpectIntEQ(ctx->data[0], 0); + ExpectIntEQ(ctx->data[sizeof(ctx->data) -1], 0); + EVP_ENCODE_CTX_free(ctx); +#endif /* OPENSSL_EXTRA && WOLFSSL_BASE64_ENCODE*/ return EXPECT_RESULT(); } +int test_wolfSSL_EVP_EncodeUpdate(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_BASE64_ENCODE) + int outl; + int total; + + const unsigned char plain0[] = {"Th"}; + const unsigned char plain1[] = {"This is a base64 encodeing test."}; + const unsigned char plain2[] = {"This is additional data."}; + + const unsigned char encBlock0[] = {"VGg="}; + const unsigned char enc0[] = {"VGg=\n"}; + /* expected encoded result for the first output 64 chars plus trailing LF*/ + const unsigned char enc1[] = { + "VGhpcyBpcyBhIGJhc2U2NCBlbmNvZGVpbmcgdGVzdC5UaGlzIGlzIGFkZGl0aW9u\n" + }; + + const unsigned char enc2[] = { + "VGhpcyBpcyBhIGJhc2U2NCBlbmNvZGVpbmcgdGVzdC5UaGlzIGlzIGFkZGl0aW9u\n" + "YWwgZGF0YS4=\n" + }; + + unsigned char encOutBuff[300]; + + EVP_ENCODE_CTX* ctx = NULL; + + ExpectNotNull(ctx = EVP_ENCODE_CTX_new()); + + EVP_EncodeInit(ctx); + + /* illegal parameter test */ + ExpectIntEQ( + EVP_EncodeUpdate( + NULL, /* pass NULL as ctx */ + encOutBuff, + &outl, + plain1, + sizeof(plain1)-1), + 0 /* expected result code 0: fail */ + ); + + ExpectIntEQ( + EVP_EncodeUpdate( + ctx, + NULL, /* pass NULL as out buff */ + &outl, + plain1, + sizeof(plain1)-1), + 0 /* expected result code 0: fail */ + ); + + ExpectIntEQ( + EVP_EncodeUpdate( + ctx, + encOutBuff, + NULL, /* pass NULL as outl */ + plain1, + sizeof(plain1)-1), + 0 /* expected result code 0: fail */ + ); + + ExpectIntEQ( + EVP_EncodeUpdate( + ctx, + encOutBuff, + &outl, + NULL, /* pass NULL as in */ + sizeof(plain1)-1), + 0 /* expected result code 0: fail */ + ); + + ExpectIntEQ(EVP_EncodeBlock(NULL, NULL, 0), -1); + + /* meaningless parameter test */ + + ExpectIntEQ( + EVP_EncodeUpdate( + ctx, + encOutBuff, + &outl, + plain1, + 0), /* pass zero input */ + 1 /* expected result code 1: success */ + ); + + /* very small data encoding test */ + + EVP_EncodeInit(ctx); + + ExpectIntEQ( + EVP_EncodeUpdate( + ctx, + encOutBuff, + &outl, + plain0, + sizeof(plain0)-1), + 1 /* expected result code 1: success */ + ); + ExpectIntEQ(outl,0); + + if (EXPECT_SUCCESS()) { + EVP_EncodeFinal( + ctx, + encOutBuff + outl, + &outl); + } + + ExpectIntEQ( outl, sizeof(enc0)-1); + ExpectIntEQ( + XSTRNCMP( + (const char*)encOutBuff, + (const char*)enc0,sizeof(enc0) ), + 0); + + XMEMSET( encOutBuff,0, sizeof(encOutBuff)); + ExpectIntEQ(EVP_EncodeBlock(encOutBuff, plain0, sizeof(plain0)-1), + sizeof(encBlock0)-1); + ExpectStrEQ(encOutBuff, encBlock0); + + /* pass small size( < 48bytes ) input, then make sure they are not + * encoded and just stored in ctx + */ + + EVP_EncodeInit(ctx); + + total = 0; + outl = 0; + XMEMSET( encOutBuff,0, sizeof(encOutBuff)); + + ExpectIntEQ( + EVP_EncodeUpdate( + ctx, + encOutBuff, /* buffer for output */ + &outl, /* size of output */ + plain1, /* input */ + sizeof(plain1)-1), /* size of input */ + 1); /* expected result code 1:success */ + + total += outl; + + ExpectIntEQ(outl, 0); /* no output expected */ + ExpectIntEQ(ctx->remaining, sizeof(plain1) -1); + ExpectTrue( + XSTRNCMP((const char*)(ctx->data), + (const char*)plain1, + ctx->remaining) ==0 ); + ExpectTrue(encOutBuff[0] == 0); + + /* call wolfSSL_EVP_EncodeUpdate again to make it encode + * the stored data and the new input together + */ + ExpectIntEQ( + EVP_EncodeUpdate( + ctx, + encOutBuff + outl, /* buffer for output */ + &outl, /* size of output */ + plain2, /* additional input */ + sizeof(plain2) -1), /* size of additional input */ + 1); /* expected result code 1:success */ + + total += outl; + + ExpectIntNE(outl, 0); /* some output is expected this time*/ + ExpectIntEQ(outl, BASE64_ENCODE_RESULT_BLOCK_SIZE +1); /* 64 bytes and LF */ + ExpectIntEQ( + XSTRNCMP((const char*)encOutBuff,(const char*)enc1,sizeof(enc1) ),0); + + /* call wolfSSL_EVP_EncodeFinal to flush all the unprocessed input */ + EVP_EncodeFinal( + ctx, + encOutBuff + outl, + &outl); + + total += outl; + + ExpectIntNE(total,0); + ExpectIntNE(outl,0); + ExpectIntEQ(XSTRNCMP( + (const char*)encOutBuff,(const char*)enc2,sizeof(enc2) ),0); + + /* test with illeagal parameters */ + outl = 1; + EVP_EncodeFinal(NULL, encOutBuff + outl, &outl); + ExpectIntEQ(outl, 0); + outl = 1; + EVP_EncodeFinal(ctx, NULL, &outl); + ExpectIntEQ(outl, 0); + EVP_EncodeFinal(ctx, encOutBuff + outl, NULL); + EVP_EncodeFinal(NULL, NULL, NULL); + + EVP_ENCODE_CTX_free(ctx); +#endif /* OPENSSL_EXTRA && WOLFSSL_BASE64_ENCODE*/ + return EXPECT_RESULT(); +} +int test_wolfSSL_EVP_EncodeFinal(void) +{ + int res = TEST_SKIPPED; +#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_BASE64_ENCODE) + /* tests for wolfSSL_EVP_EncodeFinal are included in + * test_wolfSSL_EVP_EncodeUpdate + */ + res = TEST_SUCCESS; +#endif /* OPENSSL_EXTRA && WOLFSSL_BASE64_ENCODE*/ + return res; +} + + +int test_wolfSSL_EVP_DecodeInit(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_BASE64_DECODE) + EVP_ENCODE_CTX* ctx = NULL; + + ExpectNotNull( ctx = EVP_ENCODE_CTX_new()); + ExpectIntEQ( ctx->remaining,0); + ExpectIntEQ( ctx->data[0],0); + ExpectIntEQ( ctx->data[sizeof(ctx->data) -1],0); + + if (ctx != NULL) { + /* make ctx dirty */ + ctx->remaining = 10; + XMEMSET( ctx->data, 0x77, sizeof(ctx->data)); + } + + EVP_DecodeInit(ctx); + + ExpectIntEQ( ctx->remaining,0); + ExpectIntEQ( ctx->data[0],0); + ExpectIntEQ( ctx->data[sizeof(ctx->data) -1],0); + + EVP_ENCODE_CTX_free(ctx); +#endif /* OPENSSL && WOLFSSL_BASE_DECODE */ + return EXPECT_RESULT(); +} +int test_wolfSSL_EVP_DecodeUpdate(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_BASE64_DECODE) + int outl; + unsigned char decOutBuff[300]; + + EVP_ENCODE_CTX* ctx = NULL; + + static const unsigned char enc1[] = + {"VGhpcyBpcyBhIGJhc2U2NCBkZWNvZGluZyB0ZXN0Lg==\n"}; +/* const unsigned char plain1[] = + {"This is a base64 decoding test."} */ + + ExpectNotNull(ctx = EVP_ENCODE_CTX_new()); + + EVP_DecodeInit(ctx); + + /* illegal parameter tests */ + + /* pass NULL as ctx */ + ExpectIntEQ( + EVP_DecodeUpdate( + NULL, /* pass NULL as ctx */ + decOutBuff, + &outl, + enc1, + sizeof(enc1)-1), + -1 /* expected result code -1: fail */ + ); + ExpectIntEQ( outl, 0); + + /* pass NULL as output */ + ExpectIntEQ( + EVP_DecodeUpdate( + ctx, + NULL, /* pass NULL as out buff */ + &outl, + enc1, + sizeof(enc1)-1), + -1 /* expected result code -1: fail */ + ); + ExpectIntEQ( outl, 0); + + /* pass NULL as outl */ + ExpectIntEQ( + EVP_DecodeUpdate( + ctx, + decOutBuff, + NULL, /* pass NULL as outl */ + enc1, + sizeof(enc1)-1), + -1 /* expected result code -1: fail */ + ); + + /* pass NULL as input */ + ExpectIntEQ( + EVP_DecodeUpdate( + ctx, + decOutBuff, + &outl, + NULL, /* pass NULL as in */ + sizeof(enc1)-1), + -1 /* expected result code -1: fail */ + ); + ExpectIntEQ( outl, 0); + + ExpectIntEQ(EVP_DecodeBlock(NULL, NULL, 0), -1); + + /* pass zero length input */ + + ExpectIntEQ( + EVP_DecodeUpdate( + ctx, + decOutBuff, + &outl, + enc1, + 0), /* pass zero as input len */ + 1 /* expected result code 1: success */ + ); + + /* decode correct base64 string */ + + { + static const unsigned char enc2[] = + {"VGhpcyBpcyBhIGJhc2U2NCBkZWNvZGluZyB0ZXN0Lg==\n"}; + static const unsigned char plain2[] = + {"This is a base64 decoding test."}; + + EVP_EncodeInit(ctx); + + ExpectIntEQ( + EVP_DecodeUpdate( + ctx, + decOutBuff, + &outl, + enc2, + sizeof(enc2)-1), + 0 /* expected result code 0: success */ + ); + + ExpectIntEQ(outl,sizeof(plain2) -1); + + ExpectIntEQ( + EVP_DecodeFinal( + ctx, + decOutBuff + outl, + &outl), + 1 /* expected result code 1: success */ + ); + ExpectIntEQ(outl, 0); /* expected DecodeFinal output no data */ + + ExpectIntEQ(XSTRNCMP( (const char*)plain2,(const char*)decOutBuff, + sizeof(plain2) -1 ),0); + ExpectIntEQ(EVP_DecodeBlock(decOutBuff, enc2, sizeof(enc2)), + sizeof(plain2)-1); + ExpectIntEQ(XSTRNCMP( (const char*)plain2,(const char*)decOutBuff, + sizeof(plain2) -1 ),0); + } + + /* decode correct base64 string which does not have '\n' in its last*/ + + { + static const unsigned char enc3[] = + {"VGhpcyBpcyBhIGJhc2U2NCBkZWNvZGluZyB0ZXN0Lg=="}; /* 44 chars */ + static const unsigned char plain3[] = + {"This is a base64 decoding test."}; /* 31 chars */ + + EVP_EncodeInit(ctx); + + ExpectIntEQ( + EVP_DecodeUpdate( + ctx, + decOutBuff, + &outl, + enc3, + sizeof(enc3)-1), + 0 /* expected result code 0: success */ + ); + + ExpectIntEQ(outl,sizeof(plain3)-1); /* 31 chars should be output */ + + ExpectIntEQ(XSTRNCMP( (const char*)plain3,(const char*)decOutBuff, + sizeof(plain3) -1 ),0); + + ExpectIntEQ( + EVP_DecodeFinal( + ctx, + decOutBuff + outl, + &outl), + 1 /* expected result code 1: success */ + ); + + ExpectIntEQ(outl,0 ); + + ExpectIntEQ(EVP_DecodeBlock(decOutBuff, enc3, sizeof(enc3)-1), + sizeof(plain3)-1); + ExpectIntEQ(XSTRNCMP( (const char*)plain3,(const char*)decOutBuff, + sizeof(plain3) -1 ),0); + } + + /* decode string which has a padding char ('=') in the illegal position*/ + + { + static const unsigned char enc4[] = + {"VGhpcyBpcyBhIGJhc2U2N=CBkZWNvZGluZyB0ZXN0Lg==\n"}; + + EVP_EncodeInit(ctx); + + ExpectIntEQ( + EVP_DecodeUpdate( + ctx, + decOutBuff, + &outl, + enc4, + sizeof(enc4)-1), + -1 /* expected result code -1: error */ + ); + ExpectIntEQ(outl,0); + ExpectIntEQ(EVP_DecodeBlock(decOutBuff, enc4, sizeof(enc4)-1), -1); + } + + /* small data decode test */ + + { + static const unsigned char enc00[] = {"VG"}; + static const unsigned char enc01[] = {"g=\n"}; + static const unsigned char plain4[] = {"Th"}; + + EVP_EncodeInit(ctx); + + ExpectIntEQ( + EVP_DecodeUpdate( + ctx, + decOutBuff, + &outl, + enc00, + sizeof(enc00)-1), + 1 /* expected result code 1: success */ + ); + ExpectIntEQ(outl,0); + + ExpectIntEQ( + EVP_DecodeUpdate( + ctx, + decOutBuff + outl, + &outl, + enc01, + sizeof(enc01)-1), + 0 /* expected result code 0: success */ + ); + + ExpectIntEQ(outl,sizeof(plain4)-1); + + /* test with illegal parameters */ + ExpectIntEQ(EVP_DecodeFinal(NULL,decOutBuff + outl,&outl), -1); + ExpectIntEQ(EVP_DecodeFinal(ctx,NULL,&outl), -1); + ExpectIntEQ(EVP_DecodeFinal(ctx,decOutBuff + outl, NULL), -1); + ExpectIntEQ(EVP_DecodeFinal(NULL,NULL, NULL), -1); + + if (EXPECT_SUCCESS()) { + EVP_DecodeFinal( + ctx, + decOutBuff + outl, + &outl); + } + + ExpectIntEQ( outl, 0); + ExpectIntEQ( + XSTRNCMP( + (const char*)decOutBuff, + (const char*)plain4,sizeof(plain4)-1 ), + 0); + } + + EVP_ENCODE_CTX_free(ctx); +#endif /* OPENSSL && WOLFSSL_BASE_DECODE */ + return EXPECT_RESULT(); +} +int test_wolfSSL_EVP_DecodeFinal(void) +{ + int res = TEST_SKIPPED; +#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_BASE64_DECODE) + /* tests for wolfSSL_EVP_DecodeFinal are included in + * test_wolfSSL_EVP_DecodeUpdate + */ + res = TEST_SUCCESS; +#endif /* OPENSSL && WOLFSSL_BASE_DECODE */ + return res; +} + diff --git a/tests/api/test_evp.h b/tests/api/test_evp.h index 013ac50aa..a24609903 100644 --- a/tests/api/test_evp.h +++ b/tests/api/test_evp.h @@ -22,7 +22,25 @@ #ifndef WOLFSSL_TEST_EVP_H #define WOLFSSL_TEST_EVP_H -int test_wolfSSL_EVP_CipherUpdate_Null(void); -int test_wolfSSL_EVP_CIPHER_type_string(void); +#include + +int test_wolfSSL_EVP_ENCODE_CTX_new(void); +int test_wolfSSL_EVP_ENCODE_CTX_free(void); +int test_wolfSSL_EVP_EncodeInit(void); +int test_wolfSSL_EVP_EncodeUpdate(void); +int test_wolfSSL_EVP_EncodeFinal(void); +int test_wolfSSL_EVP_DecodeInit(void); +int test_wolfSSL_EVP_DecodeUpdate(void); +int test_wolfSSL_EVP_DecodeFinal(void); + +#define TEST_EVP_ENC_DECLS \ + TEST_DECL_GROUP("evp_enc", test_wolfSSL_EVP_ENCODE_CTX_new), \ + TEST_DECL_GROUP("evp_enc", test_wolfSSL_EVP_ENCODE_CTX_free), \ + TEST_DECL_GROUP("evp_enc", test_wolfSSL_EVP_EncodeInit), \ + TEST_DECL_GROUP("evp_enc", test_wolfSSL_EVP_EncodeUpdate), \ + TEST_DECL_GROUP("evp_enc", test_wolfSSL_EVP_EncodeFinal), \ + TEST_DECL_GROUP("evp_enc", test_wolfSSL_EVP_DecodeInit), \ + TEST_DECL_GROUP("evp_enc", test_wolfSSL_EVP_DecodeUpdate), \ + TEST_DECL_GROUP("evp_enc", test_wolfSSL_EVP_DecodeFinal) #endif /* WOLFSSL_TEST_EVP_H */ diff --git a/tests/api/test_evp_cipher.c b/tests/api/test_evp_cipher.c new file mode 100644 index 000000000..99fae5a65 --- /dev/null +++ b/tests/api/test_evp_cipher.c @@ -0,0 +1,2704 @@ +/* test_evp_cipher.c + * + * Copyright (C) 2006-2025 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +#include + +#ifdef NO_INLINE + #include +#else + #define WOLFSSL_MISC_INCLUDED + #include +#endif + +#include +#include +#include +#if defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION == 2) + #include +#endif + + +int test_wolfSSL_EVP_CIPHER_CTX(void) +{ + EXPECT_DECLS; +#if !defined(NO_AES) && defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_128) && \ + defined(OPENSSL_EXTRA) + EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new(); + const EVP_CIPHER *init = EVP_aes_128_cbc(); + const EVP_CIPHER *test; + byte key[AES_BLOCK_SIZE] = {0}; + byte iv[AES_BLOCK_SIZE] = {0}; + + ExpectNotNull(ctx); + wolfSSL_EVP_CIPHER_CTX_init(ctx); + ExpectIntEQ(EVP_CipherInit(ctx, init, key, iv, 1), WOLFSSL_SUCCESS); + test = EVP_CIPHER_CTX_cipher(ctx); + ExpectTrue(init == test); + ExpectIntEQ(EVP_CIPHER_nid(test), NID_aes_128_cbc); + + ExpectIntEQ(EVP_CIPHER_CTX_reset(ctx), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_CIPHER_CTX_reset(NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + + EVP_CIPHER_CTX_free(ctx); + /* test EVP_CIPHER_CTX_cleanup with NULL */ + ExpectIntEQ(EVP_CIPHER_CTX_cleanup(NULL), WOLFSSL_SUCCESS); +#endif /* !NO_AES && HAVE_AES_CBC && WOLFSSL_AES_128 && OPENSSL_EXTRA */ + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_CIPHER_CTX_iv_length(void) +{ + EXPECT_DECLS; +#ifdef OPENSSL_ALL + /* This is large enough to be used for all key sizes */ + byte key[AES_256_KEY_SIZE] = {0}; + byte iv[AES_BLOCK_SIZE] = {0}; + int i; + int nids[] = { + #ifdef HAVE_AES_CBC + NID_aes_128_cbc, + #endif + #if (!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2)) + #ifdef HAVE_AESGCM + NID_aes_128_gcm, + #endif + #endif /* (HAVE_FIPS && !HAVE_SELFTEST) || HAVE_FIPS_VERSION > 2 */ + #ifdef WOLFSSL_AES_COUNTER + NID_aes_128_ctr, + #endif + #ifndef NO_DES3 + NID_des_cbc, + NID_des_ede3_cbc, + #endif + }; + int iv_lengths[] = { + #ifdef HAVE_AES_CBC + AES_BLOCK_SIZE, + #endif + #if (!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2)) + #ifdef HAVE_AESGCM + GCM_NONCE_MID_SZ, + #endif + #endif /* (HAVE_FIPS && !HAVE_SELFTEST) || HAVE_FIPS_VERSION > 2 */ + #ifdef WOLFSSL_AES_COUNTER + AES_BLOCK_SIZE, + #endif + #ifndef NO_DES3 + DES_BLOCK_SIZE, + DES_BLOCK_SIZE, + #endif + }; + int nidsLen = (sizeof(nids)/sizeof(int)); + + for (i = 0; i < nidsLen; i++) { + const EVP_CIPHER* init = wolfSSL_EVP_get_cipherbynid(nids[i]); + EVP_CIPHER_CTX* ctx = EVP_CIPHER_CTX_new(); + wolfSSL_EVP_CIPHER_CTX_init(ctx); + + ExpectIntEQ(EVP_CipherInit(ctx, init, key, iv, 1), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_iv_length(ctx), iv_lengths[i]); + + EVP_CIPHER_CTX_free(ctx); + } +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_CIPHER_CTX_key_length(void) +{ + EXPECT_DECLS; +#ifdef OPENSSL_ALL + byte key[AES_256_KEY_SIZE] = {0}; + byte iv[AES_BLOCK_SIZE] = {0}; + int i; + int nids[] = { + #ifdef HAVE_AES_CBC + NID_aes_128_cbc, + #ifdef WOLFSSL_AES_256 + NID_aes_256_cbc, + #endif + #endif + #if (!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2)) + #ifdef HAVE_AESGCM + NID_aes_128_gcm, + #ifdef WOLFSSL_AES_256 + NID_aes_256_gcm, + #endif + #endif + #endif /* (HAVE_FIPS && !HAVE_SELFTEST) || HAVE_FIPS_VERSION > 2 */ + #ifdef WOLFSSL_AES_COUNTER + NID_aes_128_ctr, + #ifdef WOLFSSL_AES_256 + NID_aes_256_ctr, + #endif + #endif + #ifndef NO_DES3 + NID_des_cbc, + NID_des_ede3_cbc, + #endif + }; + int key_lengths[] = { + #ifdef HAVE_AES_CBC + AES_128_KEY_SIZE, + #ifdef WOLFSSL_AES_256 + AES_256_KEY_SIZE, + #endif + #endif + #if (!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2)) + #ifdef HAVE_AESGCM + AES_128_KEY_SIZE, + #ifdef WOLFSSL_AES_256 + AES_256_KEY_SIZE, + #endif + #endif + #endif /* (HAVE_FIPS && !HAVE_SELFTEST) || HAVE_FIPS_VERSION > 2 */ + #ifdef WOLFSSL_AES_COUNTER + AES_128_KEY_SIZE, + #ifdef WOLFSSL_AES_256 + AES_256_KEY_SIZE, + #endif + #endif + #ifndef NO_DES3 + DES_KEY_SIZE, + DES3_KEY_SIZE, + #endif + }; + int nidsLen = (sizeof(nids)/sizeof(int)); + + for (i = 0; i < nidsLen; i++) { + const EVP_CIPHER *init = wolfSSL_EVP_get_cipherbynid(nids[i]); + EVP_CIPHER_CTX* ctx = EVP_CIPHER_CTX_new(); + wolfSSL_EVP_CIPHER_CTX_init(ctx); + + ExpectIntEQ(EVP_CipherInit(ctx, init, key, iv, 1), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_key_length(ctx), key_lengths[i]); + + ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_set_key_length(ctx, key_lengths[i]), + WOLFSSL_SUCCESS); + + EVP_CIPHER_CTX_free(ctx); + } +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_CIPHER_CTX_set_iv(void) +{ + EXPECT_DECLS; +#if defined(HAVE_AESGCM) && !defined(NO_DES3) && defined(OPENSSL_ALL) + int ivLen, keyLen; + EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new(); +#ifdef HAVE_AESGCM + byte key[AES_128_KEY_SIZE] = {0}; + byte iv[AES_BLOCK_SIZE] = {0}; + const EVP_CIPHER *init = EVP_aes_128_gcm(); +#else + byte key[DES3_KEY_SIZE] = {0}; + byte iv[DES_BLOCK_SIZE] = {0}; + const EVP_CIPHER *init = EVP_des_ede3_cbc(); +#endif + + wolfSSL_EVP_CIPHER_CTX_init(ctx); + ExpectIntEQ(EVP_CipherInit(ctx, init, key, iv, 1), WOLFSSL_SUCCESS); + + ivLen = wolfSSL_EVP_CIPHER_CTX_iv_length(ctx); + keyLen = wolfSSL_EVP_CIPHER_CTX_key_length(ctx); + + /* Bad cases */ + ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_set_iv(NULL, iv, ivLen), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_set_iv(ctx, NULL, ivLen), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_set_iv(ctx, iv, 0), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_set_iv(NULL, NULL, 0), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_set_iv(ctx, iv, keyLen), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + + /* Good case */ + ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_set_iv(ctx, iv, ivLen), 1); + + EVP_CIPHER_CTX_free(ctx); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_get_cipherbynid(void) +{ + EXPECT_DECLS; +#ifdef OPENSSL_EXTRA +#ifndef NO_AES + const WOLFSSL_EVP_CIPHER* c; + + c = wolfSSL_EVP_get_cipherbynid(419); + #if (defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT)) && \ + defined(WOLFSSL_AES_128) + ExpectNotNull(c); + ExpectNotNull(XSTRCMP("EVP_AES_128_CBC", c)); + #else + ExpectNull(c); + #endif + + c = wolfSSL_EVP_get_cipherbynid(423); + #if (defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT)) && \ + defined(WOLFSSL_AES_192) + ExpectNotNull(c); + ExpectNotNull(XSTRCMP("EVP_AES_192_CBC", c)); + #else + ExpectNull(c); + #endif + + c = wolfSSL_EVP_get_cipherbynid(427); + #if (defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT)) && \ + defined(WOLFSSL_AES_256) + ExpectNotNull(c); + ExpectNotNull(XSTRCMP("EVP_AES_256_CBC", c)); + #else + ExpectNull(c); + #endif + + c = wolfSSL_EVP_get_cipherbynid(904); + #if defined(WOLFSSL_AES_COUNTER) && defined(WOLFSSL_AES_128) + ExpectNotNull(c); + ExpectNotNull(XSTRCMP("EVP_AES_128_CTR", c)); + #else + ExpectNull(c); + #endif + + c = wolfSSL_EVP_get_cipherbynid(905); + #if defined(WOLFSSL_AES_COUNTER) && defined(WOLFSSL_AES_192) + ExpectNotNull(c); + ExpectNotNull(XSTRCMP("EVP_AES_192_CTR", c)); + #else + ExpectNull(c); + #endif + + c = wolfSSL_EVP_get_cipherbynid(906); + #if defined(WOLFSSL_AES_COUNTER) && defined(WOLFSSL_AES_256) + ExpectNotNull(c); + ExpectNotNull(XSTRCMP("EVP_AES_256_CTR", c)); + #else + ExpectNull(c); + #endif + + c = wolfSSL_EVP_get_cipherbynid(418); + #if defined(HAVE_AES_ECB) && defined(WOLFSSL_AES_128) + ExpectNotNull(c); + ExpectNotNull(XSTRCMP("EVP_AES_128_ECB", c)); + #else + ExpectNull(c); + #endif + + c = wolfSSL_EVP_get_cipherbynid(422); + #if defined(HAVE_AES_ECB) && defined(WOLFSSL_AES_192) + ExpectNotNull(c); + ExpectNotNull(XSTRCMP("EVP_AES_192_ECB", c)); + #else + ExpectNull(c); + #endif + + c = wolfSSL_EVP_get_cipherbynid(426); + #if defined(HAVE_AES_ECB) && defined(WOLFSSL_AES_256) + ExpectNotNull(c); + ExpectNotNull(XSTRCMP("EVP_AES_256_ECB", c)); + #else + ExpectNull(c); + #endif +#endif /* !NO_AES */ + +#ifndef NO_DES3 + ExpectNotNull(XSTRCMP("EVP_DES_CBC", wolfSSL_EVP_get_cipherbynid(31))); +#ifdef WOLFSSL_DES_ECB + ExpectNotNull(XSTRCMP("EVP_DES_ECB", wolfSSL_EVP_get_cipherbynid(29))); +#endif + ExpectNotNull(XSTRCMP("EVP_DES_EDE3_CBC", wolfSSL_EVP_get_cipherbynid(44))); +#ifdef WOLFSSL_DES_ECB + ExpectNotNull(XSTRCMP("EVP_DES_EDE3_ECB", wolfSSL_EVP_get_cipherbynid(33))); +#endif +#endif /* !NO_DES3 */ + +#if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) + ExpectNotNull(XSTRCMP("EVP_CHACHA20_POLY13O5", EVP_get_cipherbynid(1018))); +#endif + + /* test for nid is out of range */ + ExpectNull(wolfSSL_EVP_get_cipherbynid(1)); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_CIPHER_block_size(void) +{ + EXPECT_DECLS; +#ifdef OPENSSL_ALL +#ifdef HAVE_AES_CBC + #ifdef WOLFSSL_AES_128 + ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_128_cbc()), AES_BLOCK_SIZE); + #endif + #ifdef WOLFSSL_AES_192 + ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_192_cbc()), AES_BLOCK_SIZE); + #endif + #ifdef WOLFSSL_AES_256 + ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_256_cbc()), AES_BLOCK_SIZE); + #endif +#endif + +#ifdef HAVE_AESGCM + #ifdef WOLFSSL_AES_128 + ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_128_gcm()), 1); + #endif + #ifdef WOLFSSL_AES_192 + ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_192_gcm()), 1); + #endif + #ifdef WOLFSSL_AES_256 + ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_256_gcm()), 1); + #endif +#endif + +#ifdef HAVE_AESCCM + #ifdef WOLFSSL_AES_128 + ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_128_ccm()), 1); + #endif + #ifdef WOLFSSL_AES_192 + ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_192_ccm()), 1); + #endif + #ifdef WOLFSSL_AES_256 + ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_256_ccm()), 1); + #endif +#endif + +#ifdef WOLFSSL_AES_COUNTER + #ifdef WOLFSSL_AES_128 + ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_128_ctr()), 1); + #endif + #ifdef WOLFSSL_AES_192 + ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_192_ctr()), 1); + #endif + #ifdef WOLFSSL_AES_256 + ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_256_ctr()), 1); + #endif +#endif + +#ifdef HAVE_AES_ECB + #ifdef WOLFSSL_AES_128 + ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_128_ecb()), AES_BLOCK_SIZE); + #endif + #ifdef WOLFSSL_AES_192 + ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_192_ecb()), AES_BLOCK_SIZE); + #endif + #ifdef WOLFSSL_AES_256 + ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_256_ecb()), AES_BLOCK_SIZE); + #endif +#endif + +#ifdef WOLFSSL_AES_OFB + #ifdef WOLFSSL_AES_128 + ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_128_ofb()), 1); + #endif + #ifdef WOLFSSL_AES_192 + ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_192_ofb()), 1); + #endif + #ifdef WOLFSSL_AES_256 + ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_256_ofb()), 1); + #endif +#endif + +#ifndef NO_RC4 + ExpectIntEQ(EVP_CIPHER_block_size(wolfSSL_EVP_rc4()), 1); +#endif + +#if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) + ExpectIntEQ(EVP_CIPHER_block_size(wolfSSL_EVP_chacha20_poly1305()), 1); +#endif + +#ifdef WOLFSSL_SM4_ECB + ExpectIntEQ(EVP_CIPHER_block_size(EVP_sm4_ecb()), SM4_BLOCK_SIZE); +#endif +#ifdef WOLFSSL_SM4_CBC + ExpectIntEQ(EVP_CIPHER_block_size(EVP_sm4_cbc()), SM4_BLOCK_SIZE); +#endif +#ifdef WOLFSSL_SM4_CTR + ExpectIntEQ(EVP_CIPHER_block_size(EVP_sm4_ctr()), 1); +#endif +#ifdef WOLFSSL_SM4_GCM + ExpectIntEQ(EVP_CIPHER_block_size(EVP_sm4_gcm()), 1); +#endif +#ifdef WOLFSSL_SM4_CCM + ExpectIntEQ(EVP_CIPHER_block_size(EVP_sm4_ccm()), 1); +#endif +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_CIPHER_iv_length(void) +{ + EXPECT_DECLS; +#ifdef OPENSSL_ALL + int nids[] = { + #if defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT) + #ifdef WOLFSSL_AES_128 + NID_aes_128_cbc, + #endif + #ifdef WOLFSSL_AES_192 + NID_aes_192_cbc, + #endif + #ifdef WOLFSSL_AES_256 + NID_aes_256_cbc, + #endif + #endif /* HAVE_AES_CBC || WOLFSSL_AES_DIRECT */ + #if (!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2)) + #ifdef HAVE_AESGCM + #ifdef WOLFSSL_AES_128 + NID_aes_128_gcm, + #endif + #ifdef WOLFSSL_AES_192 + NID_aes_192_gcm, + #endif + #ifdef WOLFSSL_AES_256 + NID_aes_256_gcm, + #endif + #endif /* HAVE_AESGCM */ + #endif /* (HAVE_FIPS && !HAVE_SELFTEST) || HAVE_FIPS_VERSION > 2 */ + #ifdef WOLFSSL_AES_COUNTER + #ifdef WOLFSSL_AES_128 + NID_aes_128_ctr, + #endif + #ifdef WOLFSSL_AES_192 + NID_aes_192_ctr, + #endif + #ifdef WOLFSSL_AES_256 + NID_aes_256_ctr, + #endif + #endif + #ifndef NO_DES3 + NID_des_cbc, + NID_des_ede3_cbc, + #endif + #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) + NID_chacha20_poly1305, + #endif + }; + int iv_lengths[] = { + #if defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT) + #ifdef WOLFSSL_AES_128 + AES_BLOCK_SIZE, + #endif + #ifdef WOLFSSL_AES_192 + AES_BLOCK_SIZE, + #endif + #ifdef WOLFSSL_AES_256 + AES_BLOCK_SIZE, + #endif + #endif /* HAVE_AES_CBC || WOLFSSL_AES_DIRECT */ + #if (!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2)) + #ifdef HAVE_AESGCM + #ifdef WOLFSSL_AES_128 + GCM_NONCE_MID_SZ, + #endif + #ifdef WOLFSSL_AES_192 + GCM_NONCE_MID_SZ, + #endif + #ifdef WOLFSSL_AES_256 + GCM_NONCE_MID_SZ, + #endif + #endif /* HAVE_AESGCM */ + #endif /* (HAVE_FIPS && !HAVE_SELFTEST) || HAVE_FIPS_VERSION > 2 */ + #ifdef WOLFSSL_AES_COUNTER + #ifdef WOLFSSL_AES_128 + AES_BLOCK_SIZE, + #endif + #ifdef WOLFSSL_AES_192 + AES_BLOCK_SIZE, + #endif + #ifdef WOLFSSL_AES_256 + AES_BLOCK_SIZE, + #endif + #endif + #ifndef NO_DES3 + DES_BLOCK_SIZE, + DES_BLOCK_SIZE, + #endif + #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) + CHACHA20_POLY1305_AEAD_IV_SIZE, + #endif + }; + int i; + int nidsLen = (sizeof(nids)/sizeof(int)); + + for (i = 0; i < nidsLen; i++) { + const EVP_CIPHER *c = EVP_get_cipherbynid(nids[i]); + ExpectIntEQ(EVP_CIPHER_iv_length(c), iv_lengths[i]); + } +#endif + return EXPECT_RESULT(); +} + +/* Test for NULL_CIPHER_TYPE in wolfSSL_EVP_CipherUpdate() */ +int test_wolfSSL_EVP_CipherUpdate_Null(void) +{ + EXPECT_DECLS; +#ifdef OPENSSL_EXTRA + WOLFSSL_EVP_CIPHER_CTX* ctx; + const char* testData = "Test NULL cipher data"; + unsigned char output[100]; + int outputLen = 0; + int testDataLen = (int)XSTRLEN(testData); + + /* Create and initialize the cipher context */ + ctx = wolfSSL_EVP_CIPHER_CTX_new(); + ExpectNotNull(ctx); + + /* Initialize with NULL cipher */ + ExpectIntEQ(wolfSSL_EVP_CipherInit_ex(ctx, wolfSSL_EVP_enc_null(), + NULL, NULL, NULL, 1), WOLFSSL_SUCCESS); + + /* Test encryption (which should just copy the data) */ + ExpectIntEQ(wolfSSL_EVP_CipherUpdate(ctx, output, &outputLen, + (const unsigned char*)testData, + testDataLen), WOLFSSL_SUCCESS); + + /* Verify output length matches input length */ + ExpectIntEQ(outputLen, testDataLen); + + /* Verify output data matches input data (no encryption occurred) */ + ExpectIntEQ(XMEMCMP(output, testData, testDataLen), 0); + + /* Clean up */ + wolfSSL_EVP_CIPHER_CTX_free(ctx); +#endif /* OPENSSL_EXTRA */ + + return EXPECT_RESULT(); +} + +/* Test for wolfSSL_EVP_CIPHER_type_string() */ +int test_wolfSSL_EVP_CIPHER_type_string(void) +{ + EXPECT_DECLS; +#ifdef OPENSSL_EXTRA + const char* cipherStr; + + /* Test with valid cipher types */ +#ifdef HAVE_AES_CBC + #ifdef WOLFSSL_AES_128 + cipherStr = wolfSSL_EVP_CIPHER_type_string(WC_AES_128_CBC_TYPE); + ExpectNotNull(cipherStr); + ExpectStrEQ(cipherStr, "AES-128-CBC"); + #endif +#endif + +#ifndef NO_DES3 + cipherStr = wolfSSL_EVP_CIPHER_type_string(WC_DES_CBC_TYPE); + ExpectNotNull(cipherStr); + ExpectStrEQ(cipherStr, "DES-CBC"); +#endif + + /* Test with NULL cipher type */ + cipherStr = wolfSSL_EVP_CIPHER_type_string(WC_NULL_CIPHER_TYPE); + ExpectNotNull(cipherStr); + ExpectStrEQ(cipherStr, "NULL"); + + /* Test with invalid cipher type */ + cipherStr = wolfSSL_EVP_CIPHER_type_string(0xFFFF); + ExpectNull(cipherStr); +#endif /* OPENSSL_EXTRA */ + + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_BytesToKey(void) +{ + EXPECT_DECLS; +#if !defined(NO_AES) && defined(HAVE_AES_CBC) && defined(OPENSSL_ALL) + byte key[AES_BLOCK_SIZE] = {0}; + byte iv[AES_BLOCK_SIZE] = {0}; + int count = 0; + const EVP_MD* md = EVP_sha256(); + const EVP_CIPHER *type; + const unsigned char *salt = (unsigned char *)"salt1234"; + int sz = 5; + const byte data[] = { + 0x48,0x65,0x6c,0x6c,0x6f,0x20,0x57,0x6f, + 0x72,0x6c,0x64 + }; + + type = wolfSSL_EVP_get_cipherbynid(NID_aes_128_cbc); + + /* Bad cases */ + ExpectIntEQ(EVP_BytesToKey(NULL, md, salt, data, sz, count, key, iv), + 0); + ExpectIntEQ(EVP_BytesToKey(type, md, salt, NULL, sz, count, key, iv), + 16); + md = "2"; + ExpectIntEQ(EVP_BytesToKey(type, md, salt, data, sz, count, key, iv), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + + /* Good case */ + md = EVP_sha256(); + ExpectIntEQ(EVP_BytesToKey(type, md, salt, data, sz, count, key, iv), + 16); +#endif + return EXPECT_RESULT(); +} + +#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)) &&\ + (!defined(NO_AES) && defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_128)) +static void binary_dump(void *ptr, int size) +{ + #ifdef WOLFSSL_EVP_PRINT + int i = 0; + unsigned char *p = (unsigned char *) ptr; + + fprintf(stderr, "{"); + while ((p != NULL) && (i < size)) { + if ((i % 8) == 0) { + fprintf(stderr, "\n"); + fprintf(stderr, " "); + } + fprintf(stderr, "0x%02x, ", p[i]); + i++; + } + fprintf(stderr, "\n};\n"); + #else + (void) ptr; + (void) size; + #endif +} + +static int last_val = 0x0f; + +static int check_result(unsigned char *data, int len) +{ + int i; + + for ( ; len; ) { + last_val = (last_val + 1) % 16; + for (i = 0; i < 16; len--, i++, data++) + if (*data != last_val) { + return -1; + } + } + return 0; +} + +static int r_offset; +static int w_offset; + +static void init_offset(void) +{ + r_offset = 0; + w_offset = 0; +} + +static void get_record(unsigned char *data, unsigned char *buf, int len) +{ + XMEMCPY(buf, data+r_offset, len); + r_offset += len; +} + +static void set_record(unsigned char *data, unsigned char *buf, int len) +{ + XMEMCPY(data+w_offset, buf, len); + w_offset += len; +} + +static void set_plain(unsigned char *plain, int rec) +{ + int i, j; + unsigned char *p = plain; + + #define BLOCKSZ 16 + + for (i=0; i<(rec/BLOCKSZ); i++) { + for (j=0; j 0 && keylen != klen) { + ExpectIntNE(EVP_CIPHER_CTX_set_key_length(evp, keylen), 0); + } + ilen = EVP_CIPHER_CTX_iv_length(evp); + if (ilen > 0 && ivlen != ilen) { + ExpectIntNE(EVP_CIPHER_CTX_set_iv_length(evp, ivlen), 0); + } + + ExpectIntNE((ret = EVP_CipherInit(evp, NULL, key, iv, 1)), 0); + + for (j = 0; j 0) + set_record(cipher, outb, outl); + } + + for (i = 0; test_drive[i]; i++) { + last_val = 0x0f; + + ExpectIntNE((ret = EVP_CipherInit(evp, NULL, key, iv, 0)), 0); + + init_offset(); + + for (j = 0; test_drive[i][j]; j++) { + inl = test_drive[i][j]; + get_record(cipher, inb, inl); + + ExpectIntNE((ret = EVP_DecryptUpdate(evp, outb, &outl, inb, inl)), + 0); + + binary_dump(outb, outl); + ExpectIntEQ((ret = check_result(outb, outl)), 0); + ExpectFalse(outl > ((inl/16+1)*16) && outl > 16); + } + + ret = EVP_CipherFinal(evp, outb, &outl); + + binary_dump(outb, outl); + + ret = (((test_drive_len[i] % 16) != 0) && (ret == 0)) || + (((test_drive_len[i] % 16) == 0) && (ret == 1)); + ExpectTrue(ret); + } + + ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_cleanup(evp), WOLFSSL_SUCCESS); + + EVP_CIPHER_CTX_free(evp); + evp = NULL; + + /* Do an extra test to verify correct behavior with empty input. */ + + ExpectNotNull(evp = EVP_CIPHER_CTX_new()); + ExpectIntNE((ret = EVP_CipherInit(evp, type, NULL, iv, 0)), 0); + + ExpectIntEQ(EVP_CIPHER_CTX_nid(evp), NID_aes_128_cbc); + + klen = EVP_CIPHER_CTX_key_length(evp); + if (klen > 0 && keylen != klen) { + ExpectIntNE(EVP_CIPHER_CTX_set_key_length(evp, keylen), 0); + } + ilen = EVP_CIPHER_CTX_iv_length(evp); + if (ilen > 0 && ivlen != ilen) { + ExpectIntNE(EVP_CIPHER_CTX_set_iv_length(evp, ivlen), 0); + } + + ExpectIntNE((ret = EVP_CipherInit(evp, NULL, key, iv, 1)), 0); + + /* outl should be set to 0 after passing NULL, 0 for input args. */ + outl = -1; + ExpectIntNE((ret = EVP_CipherUpdate(evp, outb, &outl, NULL, 0)), 0); + ExpectIntEQ(outl, 0); + + EVP_CIPHER_CTX_free(evp); +#endif /* test_EVP_Cipher */ + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_X_STATE(void) +{ + EXPECT_DECLS; +#if !defined(NO_DES3) && !defined(NO_RC4) && defined(OPENSSL_ALL) + byte key[DES3_KEY_SIZE] = {0}; + byte iv[DES_IV_SIZE] = {0}; + EVP_CIPHER_CTX *ctx = NULL; + const EVP_CIPHER *init = NULL; + + /* Bad test cases */ + ExpectNotNull(ctx = EVP_CIPHER_CTX_new()); + ExpectNotNull(init = EVP_des_ede3_cbc()); + + wolfSSL_EVP_CIPHER_CTX_init(ctx); + ExpectIntEQ(EVP_CipherInit(ctx, init, key, iv, 1), WOLFSSL_SUCCESS); + + ExpectNull(wolfSSL_EVP_X_STATE(NULL)); + ExpectNull(wolfSSL_EVP_X_STATE(ctx)); + EVP_CIPHER_CTX_free(ctx); + ctx = NULL; + + /* Good test case */ + ExpectNotNull(ctx = EVP_CIPHER_CTX_new()); + ExpectNotNull(init = wolfSSL_EVP_rc4()); + + wolfSSL_EVP_CIPHER_CTX_init(ctx); + ExpectIntEQ(EVP_CipherInit(ctx, init, key, iv, 1), WOLFSSL_SUCCESS); + + ExpectNotNull(wolfSSL_EVP_X_STATE(ctx)); + EVP_CIPHER_CTX_free(ctx); +#endif + return EXPECT_RESULT(); +} +int test_wolfSSL_EVP_X_STATE_LEN(void) +{ + EXPECT_DECLS; +#if !defined(NO_DES3) && !defined(NO_RC4) && defined(OPENSSL_ALL) + byte key[DES3_KEY_SIZE] = {0}; + byte iv[DES_IV_SIZE] = {0}; + EVP_CIPHER_CTX *ctx = NULL; + const EVP_CIPHER *init = NULL; + + /* Bad test cases */ + ExpectNotNull(ctx = EVP_CIPHER_CTX_new()); + ExpectNotNull(init = EVP_des_ede3_cbc()); + + wolfSSL_EVP_CIPHER_CTX_init(ctx); + ExpectIntEQ(EVP_CipherInit(ctx, init, key, iv, 1), WOLFSSL_SUCCESS); + + ExpectIntEQ(wolfSSL_EVP_X_STATE_LEN(NULL), 0); + ExpectIntEQ(wolfSSL_EVP_X_STATE_LEN(ctx), 0); + EVP_CIPHER_CTX_free(ctx); + ctx = NULL; + + /* Good test case */ + ExpectNotNull(ctx = EVP_CIPHER_CTX_new()); + ExpectNotNull(init = wolfSSL_EVP_rc4()); + + wolfSSL_EVP_CIPHER_CTX_init(ctx); + ExpectIntEQ(EVP_CipherInit(ctx, init, key, iv, 1), WOLFSSL_SUCCESS); + + ExpectIntEQ(wolfSSL_EVP_X_STATE_LEN(ctx), sizeof(Arc4)); + EVP_CIPHER_CTX_free(ctx); +#endif + return EXPECT_RESULT(); +} + + +int test_wolfSSL_EVP_aes_256_gcm(void) +{ + EXPECT_DECLS; +#if defined(HAVE_AESGCM) && defined(WOLFSSL_AES_256) && defined(OPENSSL_ALL) + ExpectNotNull(wolfSSL_EVP_aes_256_gcm()); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_aes_192_gcm(void) +{ + EXPECT_DECLS; +#if defined(HAVE_AESGCM) && defined(WOLFSSL_AES_192) && defined(OPENSSL_ALL) + ExpectNotNull(wolfSSL_EVP_aes_192_gcm()); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_aes_128_gcm(void) +{ + EXPECT_DECLS; +#if defined(HAVE_AESGCM) && defined(WOLFSSL_AES_128) && defined(OPENSSL_ALL) + ExpectNotNull(wolfSSL_EVP_aes_128_gcm()); +#endif + return EXPECT_RESULT(); +} + +int test_evp_cipher_aes_gcm(void) +{ + EXPECT_DECLS; +#if defined(HAVE_AESGCM) && defined(OPENSSL_ALL) && ((!defined(HAVE_FIPS) && \ + !defined(HAVE_SELFTEST)) || (defined(HAVE_FIPS_VERSION) && \ + (HAVE_FIPS_VERSION >= 2))) && defined(WOLFSSL_AES_256) + /* + * This test checks data at various points in the encrypt/decrypt process + * against known values produced using the same test with OpenSSL. This + * interop testing is critical for verifying the correctness of our + * EVP_Cipher implementation with AES-GCM. Specifically, this test exercises + * a flow supported by OpenSSL that uses the control command + * EVP_CTRL_GCM_IV_GEN to increment the IV between cipher operations without + * the need to call EVP_CipherInit. OpenSSH uses this flow, for example. We + * had a bug with OpenSSH where wolfSSL OpenSSH servers could only talk to + * wolfSSL OpenSSH clients because there was a bug in this flow that + * happened to "cancel out" if both sides of the connection had the bug. + */ + enum { + NUM_ENCRYPTIONS = 3, + AAD_SIZE = 4 + }; + static const byte plainText1[] = { + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, + 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, + 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23 + }; + static const byte plainText2[] = { + 0x42, 0x49, 0x3b, 0x27, 0x03, 0x35, 0x59, 0x14, 0x41, 0x47, 0x37, 0x14, + 0x0e, 0x34, 0x0d, 0x28, 0x63, 0x09, 0x0a, 0x5b, 0x22, 0x57, 0x42, 0x22, + 0x0f, 0x5c, 0x1e, 0x53, 0x45, 0x15, 0x62, 0x08, 0x60, 0x43, 0x50, 0x2c + }; + static const byte plainText3[] = { + 0x36, 0x0d, 0x2b, 0x09, 0x4a, 0x56, 0x3b, 0x4c, 0x21, 0x22, 0x58, 0x0e, + 0x5b, 0x57, 0x10 + }; + static const byte* plainTexts[NUM_ENCRYPTIONS] = { + plainText1, + plainText2, + plainText3 + }; + static const int plainTextSzs[NUM_ENCRYPTIONS] = { + sizeof(plainText1), + sizeof(plainText2), + sizeof(plainText3) + }; + static const byte aad1[AAD_SIZE] = { + 0x00, 0x00, 0x00, 0x01 + }; + static const byte aad2[AAD_SIZE] = { + 0x00, 0x00, 0x00, 0x10 + }; + static const byte aad3[AAD_SIZE] = { + 0x00, 0x00, 0x01, 0x00 + }; + static const byte* aads[NUM_ENCRYPTIONS] = { + aad1, + aad2, + aad3 + }; + const byte iv[GCM_NONCE_MID_SZ] = { + 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF + }; + byte currentIv[GCM_NONCE_MID_SZ]; + const byte key[] = { + 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, + 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, + 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f + }; + const byte expIvs[NUM_ENCRYPTIONS][GCM_NONCE_MID_SZ] = { + { + 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, + 0xEF + }, + { + 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, + 0xF0 + }, + { + 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, + 0xF1 + } + }; + const byte expTags[NUM_ENCRYPTIONS][AES_BLOCK_SIZE] = { + { + 0x65, 0x4F, 0xF7, 0xA0, 0xBB, 0x7B, 0x90, 0xB7, 0x9C, 0xC8, 0x14, + 0x3D, 0x32, 0x18, 0x34, 0xA9 + }, + { + 0x50, 0x3A, 0x13, 0x8D, 0x91, 0x1D, 0xEC, 0xBB, 0xBA, 0x5B, 0x57, + 0xA2, 0xFD, 0x2D, 0x6B, 0x7F + }, + { + 0x3B, 0xED, 0x18, 0x9C, 0xB3, 0xE3, 0x61, 0x1E, 0x11, 0xEB, 0x13, + 0x5B, 0xEC, 0x52, 0x49, 0x32, + } + }; + static const byte expCipherText1[] = { + 0xCB, 0x93, 0x4F, 0xC8, 0x22, 0xE2, 0xC0, 0x35, 0xAA, 0x6B, 0x41, 0x15, + 0x17, 0x30, 0x2F, 0x97, 0x20, 0x74, 0x39, 0x28, 0xF8, 0xEB, 0xC5, 0x51, + 0x7B, 0xD9, 0x8A, 0x36, 0xB8, 0xDA, 0x24, 0x80, 0xE7, 0x9E, 0x09, 0xDE + }; + static const byte expCipherText2[] = { + 0xF9, 0x32, 0xE1, 0x87, 0x37, 0x0F, 0x04, 0xC1, 0xB5, 0x59, 0xF0, 0x45, + 0x3A, 0x0D, 0xA0, 0x26, 0xFF, 0xA6, 0x8D, 0x38, 0xFE, 0xB8, 0xE5, 0xC2, + 0x2A, 0x98, 0x4A, 0x54, 0x8F, 0x1F, 0xD6, 0x13, 0x03, 0xB2, 0x1B, 0xC0 + }; + static const byte expCipherText3[] = { + 0xD0, 0x37, 0x59, 0x1C, 0x2F, 0x85, 0x39, 0x4D, 0xED, 0xC2, 0x32, 0x5B, + 0x80, 0x5E, 0x6B, + }; + static const byte* expCipherTexts[NUM_ENCRYPTIONS] = { + expCipherText1, + expCipherText2, + expCipherText3 + }; + byte* cipherText = NULL; + byte* calcPlainText = NULL; + byte tag[AES_BLOCK_SIZE]; + EVP_CIPHER_CTX* encCtx = NULL; + EVP_CIPHER_CTX* decCtx = NULL; + int i, j, outl; + + /****************************************************/ + for (i = 0; i < 3; ++i) { + ExpectNotNull(encCtx = EVP_CIPHER_CTX_new()); + ExpectNotNull(decCtx = EVP_CIPHER_CTX_new()); + + /* First iteration, set key before IV. */ + if (i == 0) { + ExpectIntEQ(EVP_CipherInit(encCtx, EVP_aes_256_gcm(), key, NULL, 1), + SSL_SUCCESS); + + /* + * The call to EVP_CipherInit below (with NULL key) should clear the + * authIvGenEnable flag set by EVP_CTRL_GCM_SET_IV_FIXED. As such, a + * subsequent EVP_CTRL_GCM_IV_GEN should fail. This matches OpenSSL + * behavior. + */ + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(encCtx, EVP_CTRL_GCM_SET_IV_FIXED, + -1, (void*)iv), SSL_SUCCESS); + ExpectIntEQ(EVP_CipherInit(encCtx, NULL, NULL, iv, 1), + SSL_SUCCESS); + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(encCtx, EVP_CTRL_GCM_IV_GEN, -1, + currentIv), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + + ExpectIntEQ(EVP_CipherInit(decCtx, EVP_aes_256_gcm(), key, NULL, 0), + SSL_SUCCESS); + ExpectIntEQ(EVP_CipherInit(decCtx, NULL, NULL, iv, 0), + SSL_SUCCESS); + } + /* Second iteration, IV before key. */ + else { + ExpectIntEQ(EVP_CipherInit(encCtx, EVP_aes_256_gcm(), NULL, iv, 1), + SSL_SUCCESS); + ExpectIntEQ(EVP_CipherInit(encCtx, NULL, key, NULL, 1), + SSL_SUCCESS); + ExpectIntEQ(EVP_CipherInit(decCtx, EVP_aes_256_gcm(), NULL, iv, 0), + SSL_SUCCESS); + ExpectIntEQ(EVP_CipherInit(decCtx, NULL, key, NULL, 0), + SSL_SUCCESS); + } + + /* + * EVP_CTRL_GCM_IV_GEN should fail if EVP_CTRL_GCM_SET_IV_FIXED hasn't + * been issued first. + */ + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(encCtx, EVP_CTRL_GCM_IV_GEN, -1, + currentIv), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(encCtx, EVP_CTRL_GCM_SET_IV_FIXED, -1, + (void*)iv), SSL_SUCCESS); + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(decCtx, EVP_CTRL_GCM_SET_IV_FIXED, -1, + (void*)iv), SSL_SUCCESS); + + for (j = 0; j < NUM_ENCRYPTIONS; ++j) { + /*************** Encrypt ***************/ + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(encCtx, EVP_CTRL_GCM_IV_GEN, -1, + currentIv), SSL_SUCCESS); + /* Check current IV against expected. */ + ExpectIntEQ(XMEMCMP(currentIv, expIvs[j], GCM_NONCE_MID_SZ), 0); + + /* Add AAD. */ + if (i == 2) { + /* Test streaming API. */ + ExpectIntEQ(EVP_CipherUpdate(encCtx, NULL, &outl, aads[j], + AAD_SIZE), SSL_SUCCESS); + } + else { + ExpectIntEQ(EVP_Cipher(encCtx, NULL, (byte *)aads[j], AAD_SIZE), + AAD_SIZE); + } + + ExpectNotNull(cipherText = (byte*)XMALLOC(plainTextSzs[j], NULL, + DYNAMIC_TYPE_TMP_BUFFER)); + + /* Encrypt plaintext. */ + if (i == 2) { + ExpectIntEQ(EVP_CipherUpdate(encCtx, cipherText, &outl, + plainTexts[j], plainTextSzs[j]), + SSL_SUCCESS); + } + else { + ExpectIntEQ(EVP_Cipher(encCtx, cipherText, + (byte *)plainTexts[j], plainTextSzs[j]), + plainTextSzs[j]); + } + + if (i == 2) { + ExpectIntEQ(EVP_CipherFinal(encCtx, cipherText, &outl), + SSL_SUCCESS); + } + else { + /* + * Calling EVP_Cipher with NULL input and output for AES-GCM is + * akin to calling EVP_CipherFinal. + */ + ExpectIntGE(EVP_Cipher(encCtx, NULL, NULL, 0), 0); + } + + /* Check ciphertext against expected. */ + ExpectIntEQ(XMEMCMP(cipherText, expCipherTexts[j], plainTextSzs[j]), + 0); + + /* Get and check tag against expected. */ + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(encCtx, EVP_CTRL_GCM_GET_TAG, + sizeof(tag), tag), SSL_SUCCESS); + ExpectIntEQ(XMEMCMP(tag, expTags[j], sizeof(tag)), 0); + + /*************** Decrypt ***************/ + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(decCtx, EVP_CTRL_GCM_IV_GEN, -1, + currentIv), SSL_SUCCESS); + /* Check current IV against expected. */ + ExpectIntEQ(XMEMCMP(currentIv, expIvs[j], GCM_NONCE_MID_SZ), 0); + + /* Add AAD. */ + if (i == 2) { + /* Test streaming API. */ + ExpectIntEQ(EVP_CipherUpdate(decCtx, NULL, &outl, aads[j], + AAD_SIZE), SSL_SUCCESS); + } + else { + ExpectIntEQ(EVP_Cipher(decCtx, NULL, (byte *)aads[j], AAD_SIZE), + AAD_SIZE); + } + + /* Set expected tag. */ + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(decCtx, EVP_CTRL_GCM_SET_TAG, + sizeof(tag), tag), SSL_SUCCESS); + + /* Decrypt ciphertext. */ + ExpectNotNull(calcPlainText = (byte*)XMALLOC(plainTextSzs[j], NULL, + DYNAMIC_TYPE_TMP_BUFFER)); + if (i == 2) { + ExpectIntEQ(EVP_CipherUpdate(decCtx, calcPlainText, &outl, + cipherText, plainTextSzs[j]), + SSL_SUCCESS); + } + else { + /* This first EVP_Cipher call will check the tag, too. */ + ExpectIntEQ(EVP_Cipher(decCtx, calcPlainText, cipherText, + plainTextSzs[j]), plainTextSzs[j]); + } + + if (i == 2) { + ExpectIntEQ(EVP_CipherFinal(decCtx, calcPlainText, &outl), + SSL_SUCCESS); + } + else { + ExpectIntGE(EVP_Cipher(decCtx, NULL, NULL, 0), 0); + } + + /* Check plaintext against expected. */ + ExpectIntEQ(XMEMCMP(calcPlainText, plainTexts[j], plainTextSzs[j]), + 0); + + XFREE(cipherText, NULL, DYNAMIC_TYPE_TMP_BUFFER); + cipherText = NULL; + XFREE(calcPlainText, NULL, DYNAMIC_TYPE_TMP_BUFFER); + calcPlainText = NULL; + } + + EVP_CIPHER_CTX_free(encCtx); + encCtx = NULL; + EVP_CIPHER_CTX_free(decCtx); + decCtx = NULL; + } +#endif + return EXPECT_RESULT(); +} + +int test_wolfssl_EVP_aes_gcm(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_AES) && defined(HAVE_AESGCM) && \ + !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS) + /* A 256 bit key, AES_128 will use the first 128 bit*/ + byte *key = (byte*)"01234567890123456789012345678901"; + /* A 128 bit IV */ + byte *iv = (byte*)"0123456789012345"; + int ivSz = AES_BLOCK_SIZE; + /* Message to be encrypted */ + byte *plaintxt = (byte*)"for things to change you have to change"; + /* Additional non-confidential data */ + byte *aad = (byte*)"Don't spend major time on minor things."; + + unsigned char tag[AES_BLOCK_SIZE] = {0}; + int plaintxtSz = (int)XSTRLEN((char*)plaintxt); + int aadSz = (int)XSTRLEN((char*)aad); + byte ciphertxt[AES_BLOCK_SIZE * 4] = {0}; + byte decryptedtxt[AES_BLOCK_SIZE * 4] = {0}; + int ciphertxtSz = 0; + int decryptedtxtSz = 0; + int len = 0; + int i = 0; + EVP_CIPHER_CTX en[2]; + EVP_CIPHER_CTX de[2]; + + for (i = 0; i < 2; i++) { + EVP_CIPHER_CTX_init(&en[i]); + if (i == 0) { + /* Default uses 96-bits IV length */ +#ifdef WOLFSSL_AES_128 + ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aes_128_gcm(), NULL, + key, iv)); +#elif defined(WOLFSSL_AES_192) + ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aes_192_gcm(), NULL, + key, iv)); +#elif defined(WOLFSSL_AES_256) + ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aes_256_gcm(), NULL, + key, iv)); +#endif + } + else { +#ifdef WOLFSSL_AES_128 + ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aes_128_gcm(), NULL, + NULL, NULL)); +#elif defined(WOLFSSL_AES_192) + ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aes_192_gcm(), NULL, + NULL, NULL)); +#elif defined(WOLFSSL_AES_256) + ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aes_256_gcm(), NULL, + NULL, NULL)); +#endif + /* non-default must to set the IV length first */ + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&en[i], EVP_CTRL_GCM_SET_IVLEN, + ivSz, NULL)); + ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], NULL, NULL, key, iv)); + } + ExpectIntEQ(1, EVP_EncryptUpdate(&en[i], NULL, &len, aad, aadSz)); + ExpectIntEQ(1, EVP_EncryptUpdate(&en[i], ciphertxt, &len, plaintxt, + plaintxtSz)); + ciphertxtSz = len; + ExpectIntEQ(1, EVP_EncryptFinal_ex(&en[i], ciphertxt, &len)); + ciphertxtSz += len; + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&en[i], EVP_CTRL_GCM_GET_TAG, + AES_BLOCK_SIZE, tag)); + wolfSSL_EVP_CIPHER_CTX_cleanup(&en[i]); + + EVP_CIPHER_CTX_init(&de[i]); + if (i == 0) { + /* Default uses 96-bits IV length */ +#ifdef WOLFSSL_AES_128 + ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_128_gcm(), NULL, + key, iv)); +#elif defined(WOLFSSL_AES_192) + ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_192_gcm(), NULL, + key, iv)); +#elif defined(WOLFSSL_AES_256) + ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_256_gcm(), NULL, + key, iv)); +#endif + } + else { +#ifdef WOLFSSL_AES_128 + ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_128_gcm(), NULL, + NULL, NULL)); +#elif defined(WOLFSSL_AES_192) + ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_192_gcm(), NULL, + NULL, NULL)); +#elif defined(WOLFSSL_AES_256) + ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_256_gcm(), NULL, + NULL, NULL)); +#endif + /* non-default must to set the IV length first */ + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_GCM_SET_IVLEN, + ivSz, NULL)); + ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], NULL, NULL, key, iv)); + + } + ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], NULL, &len, aad, aadSz)); + ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], decryptedtxt, &len, ciphertxt, + ciphertxtSz)); + decryptedtxtSz = len; + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_GCM_SET_TAG, + AES_BLOCK_SIZE, tag)); + ExpectIntEQ(1, EVP_DecryptFinal_ex(&de[i], decryptedtxt, &len)); + decryptedtxtSz += len; + ExpectIntEQ(ciphertxtSz, decryptedtxtSz); + ExpectIntEQ(0, XMEMCMP(plaintxt, decryptedtxt, decryptedtxtSz)); + + /* modify tag*/ + if (i == 0) { + /* Default uses 96-bits IV length */ +#ifdef WOLFSSL_AES_128 + ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_128_gcm(), NULL, + key, iv)); +#elif defined(WOLFSSL_AES_192) + ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_192_gcm(), NULL, + key, iv)); +#elif defined(WOLFSSL_AES_256) + ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_256_gcm(), NULL, + key, iv)); +#endif + } + else { +#ifdef WOLFSSL_AES_128 + ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_128_gcm(), NULL, + NULL, NULL)); +#elif defined(WOLFSSL_AES_192) + ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_192_gcm(), NULL, + NULL, NULL)); +#elif defined(WOLFSSL_AES_256) + ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_256_gcm(), NULL, + NULL, NULL)); +#endif + /* non-default must to set the IV length first */ + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_GCM_SET_IVLEN, + ivSz, NULL)); + ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], NULL, NULL, key, iv)); + + } + tag[AES_BLOCK_SIZE-1]+=0xBB; + ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], NULL, &len, aad, aadSz)); + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_GCM_SET_TAG, + AES_BLOCK_SIZE, tag)); + /* fail due to wrong tag */ + ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], decryptedtxt, &len, ciphertxt, + ciphertxtSz)); + ExpectIntEQ(0, EVP_DecryptFinal_ex(&de[i], decryptedtxt, &len)); + ExpectIntEQ(0, len); + + wolfSSL_EVP_CIPHER_CTX_cleanup(&de[i]); + } +#endif /* OPENSSL_EXTRA && !NO_AES && HAVE_AESGCM */ + return EXPECT_RESULT(); +} + +int test_wolfssl_EVP_aes_gcm_AAD_2_parts(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_AES) && defined(HAVE_AESGCM) && \ + !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS) + const byte iv[12] = { 0 }; + const byte key[16] = { 0 }; + const byte cleartext[16] = { 0 }; + const byte aad[] = { + 0x01, 0x10, 0x00, 0x2a, 0x08, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, + 0x00, 0x00, 0xdc, 0x4d, 0xad, 0x6b, 0x06, 0x93, + 0x4f + }; + byte out1Part[16]; + byte outTag1Part[16]; + byte out2Part[16]; + byte outTag2Part[16]; + byte decryptBuf[16]; + int len = 0; + int tlen; + EVP_CIPHER_CTX* ctx = NULL; + + /* ENCRYPT */ + /* Send AAD and data in 1 part */ + ExpectNotNull(ctx = EVP_CIPHER_CTX_new()); + tlen = 0; + ExpectIntEQ(EVP_EncryptInit_ex(ctx, EVP_aes_128_gcm(), NULL, NULL, NULL), + 1); + ExpectIntEQ(EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv), 1); + ExpectIntEQ(EVP_EncryptUpdate(ctx, NULL, &len, aad, sizeof(aad)), 1); + ExpectIntEQ(EVP_EncryptUpdate(ctx, out1Part, &len, cleartext, + sizeof(cleartext)), 1); + tlen += len; + ExpectIntEQ(EVP_EncryptFinal_ex(ctx, out1Part, &len), 1); + tlen += len; + ExpectIntEQ(tlen, sizeof(cleartext)); + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, 16, + outTag1Part), 1); + EVP_CIPHER_CTX_free(ctx); + ctx = NULL; + + /* DECRYPT */ + /* Send AAD and data in 1 part */ + ExpectNotNull(ctx = EVP_CIPHER_CTX_new()); + tlen = 0; + ExpectIntEQ(EVP_DecryptInit_ex(ctx, EVP_aes_128_gcm(), NULL, NULL, NULL), + 1); + ExpectIntEQ(EVP_DecryptInit_ex(ctx, NULL, NULL, key, iv), 1); + ExpectIntEQ(EVP_DecryptUpdate(ctx, NULL, &len, aad, sizeof(aad)), 1); + ExpectIntEQ(EVP_DecryptUpdate(ctx, decryptBuf, &len, out1Part, + sizeof(cleartext)), 1); + tlen += len; + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, 16, + outTag1Part), 1); + ExpectIntEQ(EVP_DecryptFinal_ex(ctx, decryptBuf, &len), 1); + tlen += len; + ExpectIntEQ(tlen, sizeof(cleartext)); + EVP_CIPHER_CTX_free(ctx); + ctx = NULL; + + ExpectIntEQ(XMEMCMP(decryptBuf, cleartext, len), 0); + + /* ENCRYPT */ + /* Send AAD and data in 2 parts */ + ExpectNotNull(ctx = EVP_CIPHER_CTX_new()); + tlen = 0; + ExpectIntEQ(EVP_EncryptInit_ex(ctx, EVP_aes_128_gcm(), NULL, NULL, NULL), + 1); + ExpectIntEQ(EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv), 1); + ExpectIntEQ(EVP_EncryptUpdate(ctx, NULL, &len, aad, 1), 1); + ExpectIntEQ(EVP_EncryptUpdate(ctx, NULL, &len, aad + 1, sizeof(aad) - 1), + 1); + ExpectIntEQ(EVP_EncryptUpdate(ctx, out2Part, &len, cleartext, 1), 1); + tlen += len; + ExpectIntEQ(EVP_EncryptUpdate(ctx, out2Part + tlen, &len, cleartext + 1, + sizeof(cleartext) - 1), 1); + tlen += len; + ExpectIntEQ(EVP_EncryptFinal_ex(ctx, out2Part + tlen, &len), 1); + tlen += len; + ExpectIntEQ(tlen, sizeof(cleartext)); + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, 16, + outTag2Part), 1); + + ExpectIntEQ(XMEMCMP(out1Part, out2Part, sizeof(out1Part)), 0); + ExpectIntEQ(XMEMCMP(outTag1Part, outTag2Part, sizeof(outTag1Part)), 0); + EVP_CIPHER_CTX_free(ctx); + ctx = NULL; + + /* DECRYPT */ + /* Send AAD and data in 2 parts */ + ExpectNotNull(ctx = EVP_CIPHER_CTX_new()); + tlen = 0; + ExpectIntEQ(EVP_DecryptInit_ex(ctx, EVP_aes_128_gcm(), NULL, NULL, NULL), + 1); + ExpectIntEQ(EVP_DecryptInit_ex(ctx, NULL, NULL, key, iv), 1); + ExpectIntEQ(EVP_DecryptUpdate(ctx, NULL, &len, aad, 1), 1); + ExpectIntEQ(EVP_DecryptUpdate(ctx, NULL, &len, aad + 1, sizeof(aad) - 1), + 1); + ExpectIntEQ(EVP_DecryptUpdate(ctx, decryptBuf, &len, out1Part, 1), 1); + tlen += len; + ExpectIntEQ(EVP_DecryptUpdate(ctx, decryptBuf + tlen, &len, out1Part + 1, + sizeof(cleartext) - 1), 1); + tlen += len; + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, 16, + outTag1Part), 1); + ExpectIntEQ(EVP_DecryptFinal_ex(ctx, decryptBuf + tlen, &len), 1); + tlen += len; + ExpectIntEQ(tlen, sizeof(cleartext)); + + ExpectIntEQ(XMEMCMP(decryptBuf, cleartext, len), 0); + + /* Test AAD reuse */ + EVP_CIPHER_CTX_free(ctx); +#endif + return EXPECT_RESULT(); +} + +int test_wolfssl_EVP_aes_gcm_zeroLen(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_AES) && defined(HAVE_AESGCM) && \ + !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS) && defined(WOLFSSL_AES_256) + /* Zero length plain text */ + byte key[] = { + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 + }; /* align */ + byte iv[] = { + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 + }; /* align */ + byte plaintxt[1]; + int ivSz = 12; + int plaintxtSz = 0; + unsigned char tag[16]; + unsigned char tag_kat[] = { + 0x53,0x0f,0x8a,0xfb,0xc7,0x45,0x36,0xb9, + 0xa9,0x63,0xb4,0xf1,0xc4,0xcb,0x73,0x8b + }; + + byte ciphertxt[AES_BLOCK_SIZE * 4] = {0}; + byte decryptedtxt[AES_BLOCK_SIZE * 4] = {0}; + int ciphertxtSz = 0; + int decryptedtxtSz = 0; + int len = 0; + + EVP_CIPHER_CTX *en = EVP_CIPHER_CTX_new(); + EVP_CIPHER_CTX *de = EVP_CIPHER_CTX_new(); + + ExpectIntEQ(1, EVP_EncryptInit_ex(en, EVP_aes_256_gcm(), NULL, key, iv)); + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(en, EVP_CTRL_GCM_SET_IVLEN, ivSz, NULL)); + ExpectIntEQ(1, EVP_EncryptUpdate(en, ciphertxt, &ciphertxtSz , plaintxt, + plaintxtSz)); + ExpectIntEQ(1, EVP_EncryptFinal_ex(en, ciphertxt, &len)); + ciphertxtSz += len; + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(en, EVP_CTRL_GCM_GET_TAG, 16, tag)); + ExpectIntEQ(1, EVP_CIPHER_CTX_cleanup(en)); + + ExpectIntEQ(0, ciphertxtSz); + ExpectIntEQ(0, XMEMCMP(tag, tag_kat, sizeof(tag))); + + EVP_CIPHER_CTX_init(de); + ExpectIntEQ(1, EVP_DecryptInit_ex(de, EVP_aes_256_gcm(), NULL, key, iv)); + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(de, EVP_CTRL_GCM_SET_IVLEN, ivSz, NULL)); + ExpectIntEQ(1, EVP_DecryptUpdate(de, NULL, &len, ciphertxt, len)); + decryptedtxtSz = len; + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(de, EVP_CTRL_GCM_SET_TAG, 16, tag)); + ExpectIntEQ(1, EVP_DecryptFinal_ex(de, decryptedtxt, &len)); + decryptedtxtSz += len; + ExpectIntEQ(0, decryptedtxtSz); + + EVP_CIPHER_CTX_free(en); + EVP_CIPHER_CTX_free(de); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_aes_256_ccm(void) +{ + EXPECT_DECLS; +#if defined(HAVE_AESCCM) && defined(WOLFSSL_AES_256) && defined(OPENSSL_ALL) + ExpectNotNull(wolfSSL_EVP_aes_256_ccm()); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_aes_192_ccm(void) +{ + EXPECT_DECLS; +#if defined(HAVE_AESCCM) && defined(WOLFSSL_AES_192) && defined(OPENSSL_ALL) + ExpectNotNull(wolfSSL_EVP_aes_192_ccm()); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_aes_128_ccm(void) +{ + EXPECT_DECLS; +#if defined(HAVE_AESCCM) && defined(WOLFSSL_AES_128) && defined(OPENSSL_ALL) + ExpectNotNull(wolfSSL_EVP_aes_128_ccm()); +#endif + return EXPECT_RESULT(); +} + +int test_wolfssl_EVP_aes_ccm(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_AES) && defined(HAVE_AESCCM) && \ + !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS) + /* A 256 bit key, AES_128 will use the first 128 bit*/ + byte *key = (byte*)"01234567890123456789012345678901"; + /* A 128 bit IV */ + byte *iv = (byte*)"0123456789012"; + int ivSz = (int)XSTRLEN((char*)iv); + /* Message to be encrypted */ + byte *plaintxt = (byte*)"for things to change you have to change"; + /* Additional non-confidential data */ + byte *aad = (byte*)"Don't spend major time on minor things."; + + unsigned char tag[AES_BLOCK_SIZE] = {0}; + int plaintxtSz = (int)XSTRLEN((char*)plaintxt); + int aadSz = (int)XSTRLEN((char*)aad); + byte ciphertxt[AES_BLOCK_SIZE * 4] = {0}; + byte decryptedtxt[AES_BLOCK_SIZE * 4] = {0}; + int ciphertxtSz = 0; + int decryptedtxtSz = 0; + int len = 0; + int i = 0; + int ret; + EVP_CIPHER_CTX en[2]; + EVP_CIPHER_CTX de[2]; + + for (i = 0; i < 2; i++) { + EVP_CIPHER_CTX_init(&en[i]); + + if (i == 0) { + /* Default uses 96-bits IV length */ +#ifdef WOLFSSL_AES_128 + ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aes_128_ccm(), NULL, + key, iv)); +#elif defined(WOLFSSL_AES_192) + ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aes_192_ccm(), NULL, + key, iv)); +#elif defined(WOLFSSL_AES_256) + ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aes_256_ccm(), NULL, + key, iv)); +#endif + } + else { +#ifdef WOLFSSL_AES_128 + ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aes_128_ccm(), NULL, + NULL, NULL)); +#elif defined(WOLFSSL_AES_192) + ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aes_192_ccm(), NULL, + NULL, NULL)); +#elif defined(WOLFSSL_AES_256) + ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aes_256_ccm(), NULL, + NULL, NULL)); +#endif + /* non-default must to set the IV length first */ + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&en[i], EVP_CTRL_CCM_SET_IVLEN, + ivSz, NULL)); + ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], NULL, NULL, key, iv)); + } + ExpectIntEQ(1, EVP_EncryptUpdate(&en[i], NULL, &len, aad, aadSz)); + ExpectIntEQ(1, EVP_EncryptUpdate(&en[i], ciphertxt, &len, plaintxt, + plaintxtSz)); + ciphertxtSz = len; + ExpectIntEQ(1, EVP_EncryptFinal_ex(&en[i], ciphertxt, &len)); + ciphertxtSz += len; + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&en[i], EVP_CTRL_CCM_GET_TAG, + AES_BLOCK_SIZE, tag)); + ret = wolfSSL_EVP_CIPHER_CTX_cleanup(&en[i]); + ExpectIntEQ(ret, 1); + + EVP_CIPHER_CTX_init(&de[i]); + if (i == 0) { + /* Default uses 96-bits IV length */ +#ifdef WOLFSSL_AES_128 + ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_128_ccm(), NULL, + key, iv)); +#elif defined(WOLFSSL_AES_192) + ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_192_ccm(), NULL, + key, iv)); +#elif defined(WOLFSSL_AES_256) + ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_256_ccm(), NULL, + key, iv)); +#endif + } + else { +#ifdef WOLFSSL_AES_128 + ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_128_ccm(), NULL, + NULL, NULL)); +#elif defined(WOLFSSL_AES_192) + ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_192_ccm(), NULL, + NULL, NULL)); +#elif defined(WOLFSSL_AES_256) + ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_256_ccm(), NULL, + NULL, NULL)); +#endif + /* non-default must to set the IV length first */ + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_CCM_SET_IVLEN, + ivSz, NULL)); + ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], NULL, NULL, key, iv)); + + } + ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], NULL, &len, aad, aadSz)); + ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], decryptedtxt, &len, ciphertxt, + ciphertxtSz)); + decryptedtxtSz = len; + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_CCM_SET_TAG, + AES_BLOCK_SIZE, tag)); + ExpectIntEQ(1, EVP_DecryptFinal_ex(&de[i], decryptedtxt, &len)); + decryptedtxtSz += len; + ExpectIntEQ(ciphertxtSz, decryptedtxtSz); + ExpectIntEQ(0, XMEMCMP(plaintxt, decryptedtxt, decryptedtxtSz)); + + /* modify tag*/ + tag[AES_BLOCK_SIZE-1]+=0xBB; + ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], NULL, &len, aad, aadSz)); + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_CCM_SET_TAG, + AES_BLOCK_SIZE, tag)); + /* fail due to wrong tag */ + ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], decryptedtxt, &len, ciphertxt, + ciphertxtSz)); + ExpectIntEQ(0, EVP_DecryptFinal_ex(&de[i], decryptedtxt, &len)); + ExpectIntEQ(0, len); + ret = wolfSSL_EVP_CIPHER_CTX_cleanup(&de[i]); + ExpectIntEQ(ret, 1); + } +#endif /* OPENSSL_EXTRA && !NO_AES && HAVE_AESCCM */ + return EXPECT_RESULT(); +} + +int test_wolfssl_EVP_aes_ccm_zeroLen(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_AES) && defined(HAVE_AESCCM) && \ + !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS) && defined(WOLFSSL_AES_256) + /* Zero length plain text */ + byte key[] = { + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 + }; /* align */ + byte iv[] = { + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 + }; /* align */ + byte plaintxt[1]; + int ivSz = 12; + int plaintxtSz = 0; + unsigned char tag[16]; + + byte ciphertxt[AES_BLOCK_SIZE * 4] = {0}; + byte decryptedtxt[AES_BLOCK_SIZE * 4] = {0}; + int ciphertxtSz = 0; + int decryptedtxtSz = 0; + int len = 0; + + EVP_CIPHER_CTX *en = EVP_CIPHER_CTX_new(); + EVP_CIPHER_CTX *de = EVP_CIPHER_CTX_new(); + + ExpectIntEQ(1, EVP_EncryptInit_ex(en, EVP_aes_256_ccm(), NULL, key, iv)); + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(en, EVP_CTRL_CCM_SET_IVLEN, ivSz, NULL)); + ExpectIntEQ(1, EVP_EncryptUpdate(en, ciphertxt, &ciphertxtSz , plaintxt, + plaintxtSz)); + ExpectIntEQ(1, EVP_EncryptFinal_ex(en, ciphertxt, &len)); + ciphertxtSz += len; + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(en, EVP_CTRL_CCM_GET_TAG, 16, tag)); + ExpectIntEQ(1, EVP_CIPHER_CTX_cleanup(en)); + + ExpectIntEQ(0, ciphertxtSz); + + EVP_CIPHER_CTX_init(de); + ExpectIntEQ(1, EVP_DecryptInit_ex(de, EVP_aes_256_ccm(), NULL, key, iv)); + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(de, EVP_CTRL_CCM_SET_IVLEN, ivSz, NULL)); + ExpectIntEQ(1, EVP_DecryptUpdate(de, NULL, &len, ciphertxt, len)); + decryptedtxtSz = len; + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(de, EVP_CTRL_CCM_SET_TAG, 16, tag)); + ExpectIntEQ(1, EVP_DecryptFinal_ex(de, decryptedtxt, &len)); + decryptedtxtSz += len; + ExpectIntEQ(0, decryptedtxtSz); + + EVP_CIPHER_CTX_free(en); + EVP_CIPHER_CTX_free(de); +#endif + return EXPECT_RESULT(); +} + +int test_wolfssl_EVP_chacha20(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && defined(HAVE_CHACHA) + byte key[CHACHA_MAX_KEY_SZ]; + byte iv [WOLFSSL_EVP_CHACHA_IV_BYTES]; + byte plainText[] = {0xDE, 0xAD, 0xBE, 0xEF}; + byte cipherText[sizeof(plainText)]; + byte decryptedText[sizeof(plainText)]; + EVP_CIPHER_CTX* ctx = NULL; + int outSz; + + XMEMSET(key, 0, sizeof(key)); + XMEMSET(iv, 0, sizeof(iv)); + /* Encrypt. */ + ExpectNotNull((ctx = EVP_CIPHER_CTX_new())); + ExpectIntEQ(EVP_EncryptInit_ex(ctx, EVP_chacha20(), NULL, NULL, + NULL), WOLFSSL_SUCCESS); + /* Any tag length must fail - not an AEAD cipher. */ + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, + 16, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_EncryptUpdate(ctx, cipherText, &outSz, plainText, + sizeof(plainText)), WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, sizeof(plainText)); + ExpectIntEQ(EVP_EncryptFinal_ex(ctx, cipherText, &outSz), WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, 0); + EVP_CIPHER_CTX_free(ctx); + ctx = NULL; + + /* Decrypt. */ + ExpectNotNull((ctx = EVP_CIPHER_CTX_new())); + ExpectIntEQ(EVP_DecryptInit_ex(ctx, EVP_chacha20(), NULL, NULL, + NULL), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_DecryptInit_ex(ctx, NULL, NULL, key, iv), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_DecryptUpdate(ctx, decryptedText, &outSz, cipherText, + sizeof(cipherText)), WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, sizeof(cipherText)); + ExpectIntEQ(EVP_DecryptFinal_ex(ctx, decryptedText, &outSz), + WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, 0); + EVP_CIPHER_CTX_free(ctx); + ctx = NULL; + + /* Test partial Inits. CipherInit() allow setting of key and iv + * in separate calls. */ + ExpectNotNull((ctx = EVP_CIPHER_CTX_new())); + ExpectIntEQ(wolfSSL_EVP_CipherInit(ctx, EVP_chacha20(), + key, NULL, 1), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_EVP_CipherInit(ctx, NULL, NULL, iv, 1), + WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_DecryptUpdate(ctx, decryptedText, &outSz, cipherText, + sizeof(cipherText)), WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, sizeof(cipherText)); + ExpectIntEQ(EVP_DecryptFinal_ex(ctx, decryptedText, &outSz), + WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, 0); + EVP_CIPHER_CTX_free(ctx); +#endif + return EXPECT_RESULT(); +} + +int test_wolfssl_EVP_chacha20_poly1305(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && defined(HAVE_CHACHA) && defined(HAVE_POLY1305) + byte key[CHACHA20_POLY1305_AEAD_KEYSIZE]; + byte iv [CHACHA20_POLY1305_AEAD_IV_SIZE]; + byte plainText[] = {0xDE, 0xAD, 0xBE, 0xEF}; + byte aad[] = {0xAA, 0XBB, 0xCC, 0xDD, 0xEE, 0xFF}; + byte cipherText[sizeof(plainText)]; + byte decryptedText[sizeof(plainText)]; + byte tag[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE]; + EVP_CIPHER_CTX* ctx = NULL; + int outSz; + + XMEMSET(key, 0, sizeof(key)); + XMEMSET(iv, 0, sizeof(iv)); + + /* Encrypt. */ + ExpectNotNull((ctx = EVP_CIPHER_CTX_new())); + ExpectIntEQ(EVP_EncryptInit_ex(ctx, EVP_chacha20_poly1305(), NULL, NULL, + NULL), WOLFSSL_SUCCESS); + /* Invalid IV length. */ + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, + CHACHA20_POLY1305_AEAD_IV_SIZE-1, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + /* Valid IV length. */ + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, + CHACHA20_POLY1305_AEAD_IV_SIZE, NULL), WOLFSSL_SUCCESS); + /* Invalid tag length. */ + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, + CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE-1, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + /* Valid tag length. */ + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, + CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE, NULL), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_EncryptUpdate(ctx, NULL, &outSz, aad, sizeof(aad)), + WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, sizeof(aad)); + ExpectIntEQ(EVP_EncryptUpdate(ctx, cipherText, &outSz, plainText, + sizeof(plainText)), WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, sizeof(plainText)); + ExpectIntEQ(EVP_EncryptFinal_ex(ctx, cipherText, &outSz), WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, 0); + /* Invalid tag length. */ + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, + CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE-1, tag), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + /* Valid tag length. */ + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, + CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE, tag), WOLFSSL_SUCCESS); + EVP_CIPHER_CTX_free(ctx); + ctx = NULL; + + /* Decrypt. */ + ExpectNotNull((ctx = EVP_CIPHER_CTX_new())); + ExpectIntEQ(EVP_DecryptInit_ex(ctx, EVP_chacha20_poly1305(), NULL, NULL, + NULL), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, + CHACHA20_POLY1305_AEAD_IV_SIZE, NULL), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, + CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE, tag), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_DecryptInit_ex(ctx, NULL, NULL, key, iv), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_DecryptUpdate(ctx, NULL, &outSz, aad, sizeof(aad)), + WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, sizeof(aad)); + ExpectIntEQ(EVP_DecryptUpdate(ctx, decryptedText, &outSz, cipherText, + sizeof(cipherText)), WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, sizeof(cipherText)); + ExpectIntEQ(EVP_DecryptFinal_ex(ctx, decryptedText, &outSz), + WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, 0); + EVP_CIPHER_CTX_free(ctx); + ctx = NULL; + + /* Test partial Inits. CipherInit() allow setting of key and iv + * in separate calls. */ + ExpectNotNull((ctx = EVP_CIPHER_CTX_new())); + ExpectIntEQ(wolfSSL_EVP_CipherInit(ctx, EVP_chacha20_poly1305(), + key, NULL, 1), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_EVP_CipherInit(ctx, NULL, NULL, iv, 1), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_EVP_CipherUpdate(ctx, NULL, &outSz, + aad, sizeof(aad)), WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, sizeof(aad)); + ExpectIntEQ(outSz, sizeof(aad)); + ExpectIntEQ(EVP_DecryptUpdate(ctx, decryptedText, &outSz, cipherText, + sizeof(cipherText)), WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, sizeof(cipherText)); + ExpectIntEQ(EVP_DecryptFinal_ex(ctx, decryptedText, &outSz), + WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, 0); + EVP_CIPHER_CTX_free(ctx); +#endif + return EXPECT_RESULT(); +} + +int test_wolfssl_EVP_aria_gcm(void) +{ + int res = TEST_SKIPPED; +#if defined(OPENSSL_EXTRA) && defined(HAVE_ARIA) && \ + !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS) + + /* A 256 bit key, AES_128 will use the first 128 bit*/ + byte *key = (byte*)"01234567890123456789012345678901"; + /* A 128 bit IV */ + byte *iv = (byte*)"0123456789012345"; + int ivSz = ARIA_BLOCK_SIZE; + /* Message to be encrypted */ + const int plaintxtSz = 40; + byte plaintxt[WC_ARIA_GCM_GET_CIPHERTEXT_SIZE(plaintxtSz)]; + XMEMCPY(plaintxt,"for things to change you have to change",plaintxtSz); + /* Additional non-confidential data */ + byte *aad = (byte*)"Don't spend major time on minor things."; + + unsigned char tag[ARIA_BLOCK_SIZE] = {0}; + int aadSz = (int)XSTRLEN((char*)aad); + byte ciphertxt[WC_ARIA_GCM_GET_CIPHERTEXT_SIZE(plaintxtSz)]; + byte decryptedtxt[plaintxtSz]; + int ciphertxtSz = 0; + int decryptedtxtSz = 0; + int len = 0; + int i = 0; + #define TEST_ARIA_GCM_COUNT 6 + EVP_CIPHER_CTX en[TEST_ARIA_GCM_COUNT]; + EVP_CIPHER_CTX de[TEST_ARIA_GCM_COUNT]; + + for (i = 0; i < TEST_ARIA_GCM_COUNT; i++) { + + EVP_CIPHER_CTX_init(&en[i]); + switch (i) { + case 0: + /* Default uses 96-bits IV length */ + AssertIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aria_128_gcm(), + NULL, key, iv)); + break; + case 1: + /* Default uses 96-bits IV length */ + AssertIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aria_192_gcm(), + NULL, key, iv)); + break; + case 2: + /* Default uses 96-bits IV length */ + AssertIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aria_256_gcm(), + NULL, key, iv)); + break; + case 3: + AssertIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aria_128_gcm(), + NULL, NULL, NULL)); + /* non-default must to set the IV length first */ + AssertIntEQ(1, EVP_CIPHER_CTX_ctrl(&en[i], + EVP_CTRL_GCM_SET_IVLEN, ivSz, NULL)); + AssertIntEQ(1, EVP_EncryptInit_ex(&en[i], NULL, NULL, key, iv)); + break; + case 4: + AssertIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aria_192_gcm(), + NULL, NULL, NULL)); + /* non-default must to set the IV length first */ + AssertIntEQ(1, EVP_CIPHER_CTX_ctrl(&en[i], + EVP_CTRL_GCM_SET_IVLEN, ivSz, NULL)); + AssertIntEQ(1, EVP_EncryptInit_ex(&en[i], NULL, NULL, key, iv)); + break; + case 5: + AssertIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aria_256_gcm(), + NULL, NULL, NULL)); + /* non-default must to set the IV length first */ + AssertIntEQ(1, EVP_CIPHER_CTX_ctrl(&en[i], + EVP_CTRL_GCM_SET_IVLEN, ivSz, NULL)); + AssertIntEQ(1, EVP_EncryptInit_ex(&en[i], NULL, NULL, key, iv)); + break; + } + XMEMSET(ciphertxt,0,sizeof(ciphertxt)); + AssertIntEQ(1, EVP_EncryptUpdate(&en[i], NULL, &len, aad, aadSz)); + AssertIntEQ(1, EVP_EncryptUpdate(&en[i], ciphertxt, &len, plaintxt, + plaintxtSz)); + ciphertxtSz = len; + AssertIntEQ(1, EVP_EncryptFinal_ex(&en[i], ciphertxt, &len)); + AssertIntNE(0, XMEMCMP(plaintxt, ciphertxt, plaintxtSz)); + ciphertxtSz += len; + AssertIntEQ(1, EVP_CIPHER_CTX_ctrl(&en[i], EVP_CTRL_GCM_GET_TAG, + ARIA_BLOCK_SIZE, tag)); + AssertIntEQ(wolfSSL_EVP_CIPHER_CTX_cleanup(&en[i]), 1); + + EVP_CIPHER_CTX_init(&de[i]); + switch (i) { + case 0: + /* Default uses 96-bits IV length */ + AssertIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aria_128_gcm(), + NULL, key, iv)); + break; + case 1: + /* Default uses 96-bits IV length */ + AssertIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aria_192_gcm(), + NULL, key, iv)); + break; + case 2: + /* Default uses 96-bits IV length */ + AssertIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aria_256_gcm(), + NULL, key, iv)); + break; + case 3: + AssertIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aria_128_gcm(), + NULL, NULL, NULL)); + /* non-default must to set the IV length first */ + AssertIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], + EVP_CTRL_GCM_SET_IVLEN, ivSz, NULL)); + AssertIntEQ(1, EVP_DecryptInit_ex(&de[i], NULL, NULL, key, iv)); + break; + case 4: + AssertIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aria_192_gcm(), + NULL, NULL, NULL)); + /* non-default must to set the IV length first */ + AssertIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], + EVP_CTRL_GCM_SET_IVLEN, ivSz, NULL)); + AssertIntEQ(1, EVP_DecryptInit_ex(&de[i], NULL, NULL, key, iv)); + break; + case 5: + AssertIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aria_256_gcm(), + NULL, NULL, NULL)); + /* non-default must to set the IV length first */ + AssertIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], + EVP_CTRL_GCM_SET_IVLEN, ivSz, NULL)); + AssertIntEQ(1, EVP_DecryptInit_ex(&de[i], NULL, NULL, key, iv)); + break; + } + XMEMSET(decryptedtxt,0,sizeof(decryptedtxt)); + AssertIntEQ(1, EVP_DecryptUpdate(&de[i], NULL, &len, aad, aadSz)); + AssertIntEQ(1, EVP_DecryptUpdate(&de[i], decryptedtxt, &len, ciphertxt, + ciphertxtSz)); + decryptedtxtSz = len; + AssertIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_GCM_SET_TAG, + ARIA_BLOCK_SIZE, tag)); + AssertIntEQ(1, EVP_DecryptFinal_ex(&de[i], decryptedtxt, &len)); + decryptedtxtSz += len; + AssertIntEQ(plaintxtSz, decryptedtxtSz); + AssertIntEQ(0, XMEMCMP(plaintxt, decryptedtxt, decryptedtxtSz)); + + XMEMSET(decryptedtxt,0,sizeof(decryptedtxt)); + /* modify tag*/ + tag[AES_BLOCK_SIZE-1]+=0xBB; + AssertIntEQ(1, EVP_DecryptUpdate(&de[i], NULL, &len, aad, aadSz)); + AssertIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_GCM_SET_TAG, + ARIA_BLOCK_SIZE, tag)); + /* fail due to wrong tag */ + AssertIntEQ(1, EVP_DecryptUpdate(&de[i], decryptedtxt, &len, ciphertxt, + ciphertxtSz)); + AssertIntEQ(0, EVP_DecryptFinal_ex(&de[i], decryptedtxt, &len)); + AssertIntEQ(0, len); + AssertIntEQ(wolfSSL_EVP_CIPHER_CTX_cleanup(&de[i]), 1); + } + + res = TEST_RES_CHECK(1); +#endif /* OPENSSL_EXTRA && !NO_AES && HAVE_AESGCM */ + return res; +} + +int test_wolfssl_EVP_sm4_ecb(void) +{ + int res = TEST_SKIPPED; +#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_SM4_ECB) + EXPECT_DECLS; + byte key[SM4_KEY_SIZE]; + byte plainText[SM4_BLOCK_SIZE] = { + 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF, + 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF + }; + byte cipherText[sizeof(plainText) + SM4_BLOCK_SIZE]; + byte decryptedText[sizeof(plainText) + SM4_BLOCK_SIZE]; + EVP_CIPHER_CTX* ctx; + int outSz; + + XMEMSET(key, 0, sizeof(key)); + + /* Encrypt. */ + ExpectNotNull((ctx = EVP_CIPHER_CTX_new())); + ExpectIntEQ(EVP_EncryptInit_ex(ctx, EVP_sm4_ecb(), NULL, NULL, NULL), + WOLFSSL_SUCCESS); + /* Any tag length must fail - not an AEAD cipher. */ + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, 16, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(EVP_EncryptInit_ex(ctx, NULL, NULL, key, NULL), + WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_EncryptUpdate(ctx, cipherText, &outSz, plainText, + sizeof(plainText)), WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, sizeof(plainText)); + ExpectIntEQ(EVP_EncryptFinal_ex(ctx, cipherText + outSz, &outSz), + WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, SM4_BLOCK_SIZE); + ExpectBufNE(cipherText, plainText, sizeof(plainText)); + EVP_CIPHER_CTX_free(ctx); + + /* Decrypt. */ + ExpectNotNull((ctx = EVP_CIPHER_CTX_new())); + ExpectIntEQ(EVP_DecryptInit_ex(ctx, EVP_sm4_ecb(), NULL, NULL, NULL), + WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_DecryptInit_ex(ctx, NULL, NULL, key, NULL), + WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_DecryptUpdate(ctx, decryptedText, &outSz, cipherText, + sizeof(cipherText)), WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, sizeof(plainText)); + ExpectIntEQ(EVP_DecryptFinal_ex(ctx, decryptedText + outSz, &outSz), + WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, 0); + ExpectBufEQ(decryptedText, plainText, sizeof(plainText)); + EVP_CIPHER_CTX_free(ctx); + + res = EXPECT_RESULT(); +#endif + return res; +} + +int test_wolfssl_EVP_sm4_cbc(void) +{ + int res = TEST_SKIPPED; +#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_SM4_CBC) + EXPECT_DECLS; + byte key[SM4_KEY_SIZE]; + byte iv[SM4_BLOCK_SIZE]; + byte plainText[SM4_BLOCK_SIZE] = { + 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF, + 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF + }; + byte cipherText[sizeof(plainText) + SM4_BLOCK_SIZE]; + byte decryptedText[sizeof(plainText) + SM4_BLOCK_SIZE]; + EVP_CIPHER_CTX* ctx; + int outSz; + + XMEMSET(key, 0, sizeof(key)); + XMEMSET(iv, 0, sizeof(iv)); + + /* Encrypt. */ + ExpectNotNull((ctx = EVP_CIPHER_CTX_new())); + ExpectIntEQ(EVP_EncryptInit_ex(ctx, EVP_sm4_cbc(), NULL, NULL, NULL), + WOLFSSL_SUCCESS); + /* Any tag length must fail - not an AEAD cipher. */ + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, 16, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_EncryptUpdate(ctx, cipherText, &outSz, plainText, + sizeof(plainText)), WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, sizeof(plainText)); + ExpectIntEQ(EVP_EncryptFinal_ex(ctx, cipherText + outSz, &outSz), + WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, SM4_BLOCK_SIZE); + ExpectBufNE(cipherText, plainText, sizeof(plainText)); + EVP_CIPHER_CTX_free(ctx); + + /* Decrypt. */ + ExpectNotNull((ctx = EVP_CIPHER_CTX_new())); + ExpectIntEQ(EVP_DecryptInit_ex(ctx, EVP_sm4_cbc(), NULL, NULL, NULL), + WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_DecryptInit_ex(ctx, NULL, NULL, key, iv), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_DecryptUpdate(ctx, decryptedText, &outSz, cipherText, + sizeof(cipherText)), WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, sizeof(plainText)); + ExpectIntEQ(EVP_DecryptFinal_ex(ctx, decryptedText + outSz, &outSz), + WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, 0); + ExpectBufEQ(decryptedText, plainText, sizeof(plainText)); + EVP_CIPHER_CTX_free(ctx); + + /* Test partial Inits. CipherInit() allow setting of key and iv + * in separate calls. */ + ExpectNotNull((ctx = EVP_CIPHER_CTX_new())); + ExpectIntEQ(wolfSSL_EVP_CipherInit(ctx, EVP_sm4_cbc(), key, NULL, 0), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_EVP_CipherInit(ctx, NULL, NULL, iv, 0), + WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_DecryptUpdate(ctx, decryptedText, &outSz, cipherText, + sizeof(cipherText)), WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, sizeof(plainText)); + ExpectIntEQ(EVP_DecryptFinal_ex(ctx, decryptedText + outSz, &outSz), + WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, 0); + ExpectBufEQ(decryptedText, plainText, sizeof(plainText)); + EVP_CIPHER_CTX_free(ctx); + + res = EXPECT_RESULT(); +#endif + return res; +} + +int test_wolfssl_EVP_sm4_ctr(void) +{ + int res = TEST_SKIPPED; +#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_SM4_CTR) + EXPECT_DECLS; + byte key[SM4_KEY_SIZE]; + byte iv[SM4_BLOCK_SIZE]; + byte plainText[] = {0xDE, 0xAD, 0xBE, 0xEF}; + byte cipherText[sizeof(plainText)]; + byte decryptedText[sizeof(plainText)]; + EVP_CIPHER_CTX* ctx; + int outSz; + + XMEMSET(key, 0, sizeof(key)); + XMEMSET(iv, 0, sizeof(iv)); + + /* Encrypt. */ + ExpectNotNull((ctx = EVP_CIPHER_CTX_new())); + ExpectIntEQ(EVP_EncryptInit_ex(ctx, EVP_sm4_ctr(), NULL, NULL, NULL), + WOLFSSL_SUCCESS); + /* Any tag length must fail - not an AEAD cipher. */ + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, 16, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_EncryptUpdate(ctx, cipherText, &outSz, plainText, + sizeof(plainText)), WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, sizeof(plainText)); + ExpectIntEQ(EVP_EncryptFinal_ex(ctx, cipherText, &outSz), WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, 0); + ExpectBufNE(cipherText, plainText, sizeof(plainText)); + EVP_CIPHER_CTX_free(ctx); + + /* Decrypt. */ + ExpectNotNull((ctx = EVP_CIPHER_CTX_new())); + ExpectIntEQ(EVP_DecryptInit_ex(ctx, EVP_sm4_ctr(), NULL, NULL, NULL), + WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_DecryptInit_ex(ctx, NULL, NULL, key, iv), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_DecryptUpdate(ctx, decryptedText, &outSz, cipherText, + sizeof(cipherText)), WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, sizeof(cipherText)); + ExpectIntEQ(EVP_DecryptFinal_ex(ctx, decryptedText, &outSz), + WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, 0); + ExpectBufEQ(decryptedText, plainText, sizeof(plainText)); + EVP_CIPHER_CTX_free(ctx); + + /* Test partial Inits. CipherInit() allow setting of key and iv + * in separate calls. */ + ExpectNotNull((ctx = EVP_CIPHER_CTX_new())); + ExpectIntEQ(wolfSSL_EVP_CipherInit(ctx, EVP_sm4_ctr(), key, NULL, 1), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_EVP_CipherInit(ctx, NULL, NULL, iv, 1), + WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_DecryptUpdate(ctx, decryptedText, &outSz, cipherText, + sizeof(cipherText)), WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, sizeof(cipherText)); + ExpectIntEQ(EVP_DecryptFinal_ex(ctx, decryptedText, &outSz), + WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, 0); + ExpectBufEQ(decryptedText, plainText, sizeof(plainText)); + EVP_CIPHER_CTX_free(ctx); + + res = EXPECT_RESULT(); +#endif + return res; +} + +int test_wolfssl_EVP_sm4_gcm_zeroLen(void) +{ + int res = TEST_SKIPPED; +#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_SM4_GCM) + /* Zero length plain text */ + EXPECT_DECLS; + byte key[] = { + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 + }; /* align */ + byte iv[] = { + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 + }; /* align */ + byte plaintxt[1]; + int ivSz = 12; + int plaintxtSz = 0; + unsigned char tag[16]; + unsigned char tag_kat[16] = { + 0x23,0x2f,0x0c,0xfe,0x30,0x8b,0x49,0xea, + 0x6f,0xc8,0x82,0x29,0xb5,0xdc,0x85,0x8d + }; + + byte ciphertxt[SM4_BLOCK_SIZE * 4] = {0}; + byte decryptedtxt[SM4_BLOCK_SIZE * 4] = {0}; + int ciphertxtSz = 0; + int decryptedtxtSz = 0; + int len = 0; + + EVP_CIPHER_CTX *en = EVP_CIPHER_CTX_new(); + EVP_CIPHER_CTX *de = EVP_CIPHER_CTX_new(); + + ExpectIntEQ(1, EVP_EncryptInit_ex(en, EVP_sm4_gcm(), NULL, key, iv)); + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(en, EVP_CTRL_GCM_SET_IVLEN, ivSz, NULL)); + ExpectIntEQ(1, EVP_EncryptUpdate(en, ciphertxt, &ciphertxtSz , plaintxt, + plaintxtSz)); + ExpectIntEQ(1, EVP_EncryptFinal_ex(en, ciphertxt, &len)); + ciphertxtSz += len; + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(en, EVP_CTRL_GCM_GET_TAG, 16, tag)); + ExpectIntEQ(1, EVP_CIPHER_CTX_cleanup(en)); + + ExpectIntEQ(0, ciphertxtSz); + ExpectIntEQ(0, XMEMCMP(tag, tag_kat, sizeof(tag))); + + EVP_CIPHER_CTX_init(de); + ExpectIntEQ(1, EVP_DecryptInit_ex(de, EVP_sm4_gcm(), NULL, key, iv)); + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(de, EVP_CTRL_GCM_SET_IVLEN, ivSz, NULL)); + ExpectIntEQ(1, EVP_DecryptUpdate(de, NULL, &len, ciphertxt, len)); + decryptedtxtSz = len; + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(de, EVP_CTRL_GCM_SET_TAG, 16, tag)); + ExpectIntEQ(1, EVP_DecryptFinal_ex(de, decryptedtxt, &len)); + decryptedtxtSz += len; + ExpectIntEQ(0, decryptedtxtSz); + + EVP_CIPHER_CTX_free(en); + EVP_CIPHER_CTX_free(de); + + res = EXPECT_RESULT(); +#endif /* OPENSSL_EXTRA && WOLFSSL_SM4_GCM */ + return res; +} + +int test_wolfssl_EVP_sm4_gcm(void) +{ + int res = TEST_SKIPPED; +#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_SM4_GCM) + EXPECT_DECLS; + byte *key = (byte*)"0123456789012345"; + /* A 128 bit IV */ + byte *iv = (byte*)"0123456789012345"; + int ivSz = SM4_BLOCK_SIZE; + /* Message to be encrypted */ + byte *plaintxt = (byte*)"for things to change you have to change"; + /* Additional non-confidential data */ + byte *aad = (byte*)"Don't spend major time on minor things."; + + unsigned char tag[SM4_BLOCK_SIZE] = {0}; + int plaintxtSz = (int)XSTRLEN((char*)plaintxt); + int aadSz = (int)XSTRLEN((char*)aad); + byte ciphertxt[SM4_BLOCK_SIZE * 4] = {0}; + byte decryptedtxt[SM4_BLOCK_SIZE * 4] = {0}; + int ciphertxtSz = 0; + int decryptedtxtSz = 0; + int len = 0; + int i = 0; + EVP_CIPHER_CTX en[2]; + EVP_CIPHER_CTX de[2]; + + for (i = 0; i < 2; i++) { + EVP_CIPHER_CTX_init(&en[i]); + + if (i == 0) { + /* Default uses 96-bits IV length */ + ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_sm4_gcm(), NULL, key, + iv)); + } + else { + ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_sm4_gcm(), NULL, NULL, + NULL)); + /* non-default must to set the IV length first */ + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&en[i], EVP_CTRL_GCM_SET_IVLEN, + ivSz, NULL)); + ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], NULL, NULL, key, iv)); + } + ExpectIntEQ(1, EVP_EncryptUpdate(&en[i], NULL, &len, aad, aadSz)); + ExpectIntEQ(1, EVP_EncryptUpdate(&en[i], ciphertxt, &len, plaintxt, + plaintxtSz)); + ciphertxtSz = len; + ExpectIntEQ(1, EVP_EncryptFinal_ex(&en[i], ciphertxt, &len)); + ciphertxtSz += len; + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&en[i], EVP_CTRL_GCM_GET_TAG, + SM4_BLOCK_SIZE, tag)); + ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_cleanup(&en[i]), 1); + + EVP_CIPHER_CTX_init(&de[i]); + if (i == 0) { + /* Default uses 96-bits IV length */ + ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_sm4_gcm(), NULL, key, + iv)); + } + else { + ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_sm4_gcm(), NULL, NULL, + NULL)); + /* non-default must to set the IV length first */ + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_GCM_SET_IVLEN, + ivSz, NULL)); + ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], NULL, NULL, key, iv)); + + } + ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], NULL, &len, aad, aadSz)); + ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], decryptedtxt, &len, ciphertxt, + ciphertxtSz)); + decryptedtxtSz = len; + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_GCM_SET_TAG, + SM4_BLOCK_SIZE, tag)); + ExpectIntEQ(1, EVP_DecryptFinal_ex(&de[i], decryptedtxt, &len)); + decryptedtxtSz += len; + ExpectIntEQ(ciphertxtSz, decryptedtxtSz); + ExpectIntEQ(0, XMEMCMP(plaintxt, decryptedtxt, decryptedtxtSz)); + + /* modify tag*/ + tag[SM4_BLOCK_SIZE-1]+=0xBB; + ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], NULL, &len, aad, aadSz)); + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_GCM_SET_TAG, + SM4_BLOCK_SIZE, tag)); + /* fail due to wrong tag */ + ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], decryptedtxt, &len, ciphertxt, + ciphertxtSz)); + ExpectIntEQ(0, EVP_DecryptFinal_ex(&de[i], decryptedtxt, &len)); + ExpectIntEQ(0, len); + ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_cleanup(&de[i]), 1); + } + + res = EXPECT_RESULT(); +#endif /* OPENSSL_EXTRA && WOLFSSL_SM4_GCM */ + return res; +} + +int test_wolfssl_EVP_sm4_ccm_zeroLen(void) +{ + int res = TEST_SKIPPED; +#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_SM4_CCM) + /* Zero length plain text */ + EXPECT_DECLS; + byte key[] = { + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 + }; /* align */ + byte iv[] = { + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 + }; /* align */ + byte plaintxt[1]; + int ivSz = 12; + int plaintxtSz = 0; + unsigned char tag[16]; + + byte ciphertxt[SM4_BLOCK_SIZE * 4] = {0}; + byte decryptedtxt[SM4_BLOCK_SIZE * 4] = {0}; + int ciphertxtSz = 0; + int decryptedtxtSz = 0; + int len = 0; + + EVP_CIPHER_CTX *en = EVP_CIPHER_CTX_new(); + EVP_CIPHER_CTX *de = EVP_CIPHER_CTX_new(); + + ExpectIntEQ(1, EVP_EncryptInit_ex(en, EVP_sm4_ccm(), NULL, key, iv)); + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(en, EVP_CTRL_CCM_SET_IVLEN, ivSz, NULL)); + ExpectIntEQ(1, EVP_EncryptUpdate(en, ciphertxt, &ciphertxtSz , plaintxt, + plaintxtSz)); + ExpectIntEQ(1, EVP_EncryptFinal_ex(en, ciphertxt, &len)); + ciphertxtSz += len; + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(en, EVP_CTRL_CCM_GET_TAG, 16, tag)); + ExpectIntEQ(1, EVP_CIPHER_CTX_cleanup(en)); + + ExpectIntEQ(0, ciphertxtSz); + + EVP_CIPHER_CTX_init(de); + ExpectIntEQ(1, EVP_DecryptInit_ex(de, EVP_sm4_ccm(), NULL, key, iv)); + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(de, EVP_CTRL_CCM_SET_IVLEN, ivSz, NULL)); + ExpectIntEQ(1, EVP_DecryptUpdate(de, NULL, &len, ciphertxt, len)); + decryptedtxtSz = len; + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(de, EVP_CTRL_CCM_SET_TAG, 16, tag)); + ExpectIntEQ(1, EVP_DecryptFinal_ex(de, decryptedtxt, &len)); + decryptedtxtSz += len; + ExpectIntEQ(0, decryptedtxtSz); + + EVP_CIPHER_CTX_free(en); + EVP_CIPHER_CTX_free(de); + + res = EXPECT_RESULT(); +#endif /* OPENSSL_EXTRA && WOLFSSL_SM4_CCM */ + return res; +} + +int test_wolfssl_EVP_sm4_ccm(void) +{ + int res = TEST_SKIPPED; +#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_SM4_CCM) + EXPECT_DECLS; + byte *key = (byte*)"0123456789012345"; + byte *iv = (byte*)"0123456789012"; + int ivSz = (int)XSTRLEN((char*)iv); + /* Message to be encrypted */ + byte *plaintxt = (byte*)"for things to change you have to change"; + /* Additional non-confidential data */ + byte *aad = (byte*)"Don't spend major time on minor things."; + + unsigned char tag[SM4_BLOCK_SIZE] = {0}; + int plaintxtSz = (int)XSTRLEN((char*)plaintxt); + int aadSz = (int)XSTRLEN((char*)aad); + byte ciphertxt[SM4_BLOCK_SIZE * 4] = {0}; + byte decryptedtxt[SM4_BLOCK_SIZE * 4] = {0}; + int ciphertxtSz = 0; + int decryptedtxtSz = 0; + int len = 0; + int i = 0; + EVP_CIPHER_CTX en[2]; + EVP_CIPHER_CTX de[2]; + + for (i = 0; i < 2; i++) { + EVP_CIPHER_CTX_init(&en[i]); + + if (i == 0) { + /* Default uses 96-bits IV length */ + ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_sm4_ccm(), NULL, key, + iv)); + } + else { + ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_sm4_ccm(), NULL, NULL, + NULL)); + /* non-default must to set the IV length first */ + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&en[i], EVP_CTRL_CCM_SET_IVLEN, + ivSz, NULL)); + ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], NULL, NULL, key, iv)); + } + ExpectIntEQ(1, EVP_EncryptUpdate(&en[i], NULL, &len, aad, aadSz)); + ExpectIntEQ(1, EVP_EncryptUpdate(&en[i], ciphertxt, &len, plaintxt, + plaintxtSz)); + ciphertxtSz = len; + ExpectIntEQ(1, EVP_EncryptFinal_ex(&en[i], ciphertxt, &len)); + ciphertxtSz += len; + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&en[i], EVP_CTRL_CCM_GET_TAG, + SM4_BLOCK_SIZE, tag)); + ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_cleanup(&en[i]), 1); + + EVP_CIPHER_CTX_init(&de[i]); + if (i == 0) { + /* Default uses 96-bits IV length */ + ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_sm4_ccm(), NULL, key, + iv)); + } + else { + ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_sm4_ccm(), NULL, NULL, + NULL)); + /* non-default must to set the IV length first */ + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_CCM_SET_IVLEN, + ivSz, NULL)); + ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], NULL, NULL, key, iv)); + + } + ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], NULL, &len, aad, aadSz)); + ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], decryptedtxt, &len, ciphertxt, + ciphertxtSz)); + decryptedtxtSz = len; + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_CCM_SET_TAG, + SM4_BLOCK_SIZE, tag)); + ExpectIntEQ(1, EVP_DecryptFinal_ex(&de[i], decryptedtxt, &len)); + decryptedtxtSz += len; + ExpectIntEQ(ciphertxtSz, decryptedtxtSz); + ExpectIntEQ(0, XMEMCMP(plaintxt, decryptedtxt, decryptedtxtSz)); + + /* modify tag*/ + tag[SM4_BLOCK_SIZE-1]+=0xBB; + ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], NULL, &len, aad, aadSz)); + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_CCM_SET_TAG, + SM4_BLOCK_SIZE, tag)); + /* fail due to wrong tag */ + ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], decryptedtxt, &len, ciphertxt, + ciphertxtSz)); + ExpectIntEQ(0, EVP_DecryptFinal_ex(&de[i], decryptedtxt, &len)); + ExpectIntEQ(0, len); + ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_cleanup(&de[i]), 1); + } + + res = EXPECT_RESULT(); +#endif /* OPENSSL_EXTRA && WOLFSSL_SM4_CCM */ + return res; +} + + +int test_wolfSSL_EVP_rc4(void) +{ + EXPECT_DECLS; +#if !defined(NO_RC4) && defined(OPENSSL_ALL) + ExpectNotNull(wolfSSL_EVP_rc4()); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_enc_null(void) +{ + EXPECT_DECLS; +#ifdef OPENSSL_ALL + ExpectNotNull(wolfSSL_EVP_enc_null()); +#endif + return EXPECT_RESULT(); +} +int test_wolfSSL_EVP_rc2_cbc(void) + +{ + EXPECT_DECLS; +#if defined(WOLFSSL_QT) && !defined(NO_WOLFSSL_STUB) + ExpectNull(wolfSSL_EVP_rc2_cbc()); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_mdc2(void) +{ + EXPECT_DECLS; +#if !defined(NO_WOLFSSL_STUB) && defined(OPENSSL_ALL) + ExpectNull(wolfSSL_EVP_mdc2()); +#endif + return EXPECT_RESULT(); +} + diff --git a/tests/api/test_evp_cipher.h b/tests/api/test_evp_cipher.h new file mode 100644 index 000000000..eef58ed12 --- /dev/null +++ b/tests/api/test_evp_cipher.h @@ -0,0 +1,108 @@ +/* test_evp_cipher.h + * + * Copyright (C) 2006-2025 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +#ifndef WOLFCRYPT_TEST_EVP_CIPHER_H +#define WOLFCRYPT_TEST_EVP_CIPHER_H + +#include + +int test_wolfSSL_EVP_CIPHER_CTX(void); +int test_wolfSSL_EVP_CIPHER_CTX_iv_length(void); +int test_wolfSSL_EVP_CIPHER_CTX_key_length(void); +int test_wolfSSL_EVP_CIPHER_CTX_set_iv(void); +int test_wolfSSL_EVP_get_cipherbynid(void); +int test_wolfSSL_EVP_CIPHER_block_size(void); +int test_wolfSSL_EVP_CIPHER_iv_length(void); +int test_wolfSSL_EVP_CipherUpdate_Null(void); +int test_wolfSSL_EVP_CIPHER_type_string(void); +int test_wolfSSL_EVP_BytesToKey(void); +int test_wolfSSL_EVP_Cipher_extra(void); +int test_wolfSSL_EVP_X_STATE(void); +int test_wolfSSL_EVP_X_STATE_LEN(void); +int test_wolfSSL_EVP_aes_256_gcm(void); +int test_wolfSSL_EVP_aes_192_gcm(void); +int test_wolfSSL_EVP_aes_128_gcm(void); +int test_evp_cipher_aes_gcm(void); +int test_wolfssl_EVP_aes_gcm(void); +int test_wolfssl_EVP_aes_gcm_AAD_2_parts(void); +int test_wolfssl_EVP_aes_gcm_zeroLen(void); +int test_wolfSSL_EVP_aes_256_ccm(void); +int test_wolfSSL_EVP_aes_192_ccm(void); +int test_wolfSSL_EVP_aes_128_ccm(void); +int test_wolfssl_EVP_aes_ccm(void); +int test_wolfssl_EVP_aes_ccm_zeroLen(void); +int test_wolfssl_EVP_chacha20(void); +int test_wolfssl_EVP_chacha20_poly1305(void); +int test_wolfssl_EVP_aria_gcm(void); +int test_wolfssl_EVP_sm4_ecb(void); +int test_wolfssl_EVP_sm4_cbc(void); +int test_wolfssl_EVP_sm4_ctr(void); +int test_wolfssl_EVP_sm4_gcm_zeroLen(void); +int test_wolfssl_EVP_sm4_gcm(void); +int test_wolfssl_EVP_sm4_ccm_zeroLen(void); +int test_wolfssl_EVP_sm4_ccm(void); +int test_wolfSSL_EVP_rc4(void); +int test_wolfSSL_EVP_enc_null(void); +int test_wolfSSL_EVP_rc2_cbc(void); +int test_wolfSSL_EVP_mdc2(void); + +#define TEST_EVP_CIPHER_DECLS \ + TEST_DECL_GROUP("evp_cipher", test_wolfSSL_EVP_CIPHER_CTX), \ + TEST_DECL_GROUP("evp_cipher", test_wolfSSL_EVP_CIPHER_CTX_iv_length), \ + TEST_DECL_GROUP("evp_cipher", test_wolfSSL_EVP_CIPHER_CTX_key_length), \ + TEST_DECL_GROUP("evp_cipher", test_wolfSSL_EVP_CIPHER_CTX_set_iv), \ + TEST_DECL_GROUP("evp_cipher", test_wolfSSL_EVP_get_cipherbynid), \ + TEST_DECL_GROUP("evp_cipher", test_wolfSSL_EVP_CIPHER_block_size), \ + TEST_DECL_GROUP("evp_cipher", test_wolfSSL_EVP_CIPHER_iv_length), \ + TEST_DECL_GROUP("evp_cipher", test_wolfSSL_EVP_CipherUpdate_Null), \ + TEST_DECL_GROUP("evp_cipher", test_wolfSSL_EVP_CIPHER_type_string), \ + TEST_DECL_GROUP("evp_cipher", test_wolfSSL_EVP_BytesToKey), \ + TEST_DECL_GROUP("evp_cipher", test_wolfSSL_EVP_Cipher_extra), \ + TEST_DECL_GROUP("evp_cipher", test_wolfSSL_EVP_X_STATE), \ + TEST_DECL_GROUP("evp_cipher", test_wolfSSL_EVP_X_STATE_LEN), \ + TEST_DECL_GROUP("evp_cipher", test_wolfSSL_EVP_aes_256_gcm), \ + TEST_DECL_GROUP("evp_cipher", test_wolfSSL_EVP_aes_192_gcm), \ + TEST_DECL_GROUP("evp_cipher", test_wolfSSL_EVP_aes_128_gcm), \ + TEST_DECL_GROUP("evp_cipher", test_evp_cipher_aes_gcm), \ + TEST_DECL_GROUP("evp_cipher", test_wolfssl_EVP_aes_gcm), \ + TEST_DECL_GROUP("evp_cipher", test_wolfssl_EVP_aes_gcm_AAD_2_parts), \ + TEST_DECL_GROUP("evp_cipher", test_wolfssl_EVP_aes_gcm_zeroLen), \ + TEST_DECL_GROUP("evp_cipher", test_wolfSSL_EVP_aes_256_ccm), \ + TEST_DECL_GROUP("evp_cipher", test_wolfSSL_EVP_aes_192_ccm), \ + TEST_DECL_GROUP("evp_cipher", test_wolfSSL_EVP_aes_128_ccm), \ + TEST_DECL_GROUP("evp_cipher", test_wolfssl_EVP_aes_ccm), \ + TEST_DECL_GROUP("evp_cipher", test_wolfssl_EVP_aes_ccm_zeroLen), \ + TEST_DECL_GROUP("evp_cipher", test_wolfssl_EVP_chacha20), \ + TEST_DECL_GROUP("evp_cipher", test_wolfssl_EVP_chacha20_poly1305), \ + TEST_DECL_GROUP("evp_cipher", test_wolfssl_EVP_aria_gcm), \ + TEST_DECL_GROUP("evp_cipher", test_wolfssl_EVP_sm4_ecb), \ + TEST_DECL_GROUP("evp_cipher", test_wolfssl_EVP_sm4_cbc), \ + TEST_DECL_GROUP("evp_cipher", test_wolfssl_EVP_sm4_ctr), \ + TEST_DECL_GROUP("evp_cipher", test_wolfssl_EVP_sm4_gcm_zeroLen), \ + TEST_DECL_GROUP("evp_cipher", test_wolfssl_EVP_sm4_gcm), \ + TEST_DECL_GROUP("evp_cipher", test_wolfssl_EVP_sm4_ccm_zeroLen), \ + TEST_DECL_GROUP("evp_cipher", test_wolfssl_EVP_sm4_ccm), \ + TEST_DECL_GROUP("evp_cipher", test_wolfSSL_EVP_rc4), \ + TEST_DECL_GROUP("evp_cipher", test_wolfSSL_EVP_enc_null), \ + TEST_DECL_GROUP("evp_cipher", test_wolfSSL_EVP_rc2_cbc), \ + TEST_DECL_GROUP("evp_cipher", test_wolfSSL_EVP_mdc2) + +#endif /* WOLFCRYPT_TEST_EVP_CIPHER_H */ diff --git a/tests/api/test_evp_digest.c b/tests/api/test_evp_digest.c new file mode 100644 index 000000000..798175ef3 --- /dev/null +++ b/tests/api/test_evp_digest.c @@ -0,0 +1,589 @@ +/* test_evp_digest.c + * + * Copyright (C) 2006-2025 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +#include + +#ifdef NO_INLINE + #include +#else + #define WOLFSSL_MISC_INCLUDED + #include +#endif + +#include +#include +#include + +int test_wolfSSL_EVP_shake128(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_SHA3) && \ + defined(WOLFSSL_SHAKE128) + const EVP_MD* md = NULL; + + ExpectNotNull(md = EVP_shake128()); + ExpectIntEQ(XSTRNCMP(md, "SHAKE128", XSTRLEN("SHAKE128")), 0); +#endif + + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_shake256(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_SHA3) && \ + defined(WOLFSSL_SHAKE256) + const EVP_MD* md = NULL; + + ExpectNotNull(md = EVP_shake256()); + ExpectIntEQ(XSTRNCMP(md, "SHAKE256", XSTRLEN("SHAKE256")), 0); +#endif + + return EXPECT_RESULT(); +} + +/* + * Testing EVP digest API with SM3 + */ +int test_wolfSSL_EVP_sm3(void) +{ + int res = TEST_SKIPPED; +#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_SM3) + EXPECT_DECLS; + const EVP_MD* md = NULL; + EVP_MD_CTX* mdCtx = NULL; + byte data[WC_SM3_BLOCK_SIZE * 4]; + byte hash[WC_SM3_DIGEST_SIZE]; + byte calcHash[WC_SM3_DIGEST_SIZE]; + byte expHash[WC_SM3_DIGEST_SIZE] = { + 0x38, 0x48, 0x15, 0xa7, 0x0e, 0xae, 0x0b, 0x27, + 0x5c, 0xde, 0x9d, 0xa5, 0xd1, 0xa4, 0x30, 0xa1, + 0xca, 0xd4, 0x54, 0x58, 0x44, 0xa2, 0x96, 0x1b, + 0xd7, 0x14, 0x80, 0x3f, 0x80, 0x1a, 0x07, 0xb6 + }; + word32 chunk; + word32 i; + unsigned int sz; + int ret; + + XMEMSET(data, 0, sizeof(data)); + + md = EVP_sm3(); + ExpectTrue(md != NULL); + ExpectIntEQ(XSTRNCMP(md, "SM3", XSTRLEN("SM3")), 0); + mdCtx = EVP_MD_CTX_new(); + ExpectTrue(mdCtx != NULL); + + /* Invalid Parameters */ + ExpectIntEQ(EVP_DigestInit(NULL, md), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + /* Valid Parameters */ + ExpectIntEQ(EVP_DigestInit(mdCtx, md), WOLFSSL_SUCCESS); + + ExpectIntEQ(EVP_DigestUpdate(NULL, NULL, 1), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(EVP_DigestUpdate(mdCtx, NULL, 1), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(EVP_DigestUpdate(NULL, data, 1), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + + /* Valid Parameters */ + ExpectIntEQ(EVP_DigestUpdate(mdCtx, NULL, 0), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_DigestUpdate(mdCtx, data, 1), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_DigestUpdate(mdCtx, data, 1), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_DigestUpdate(mdCtx, data, WC_SM3_BLOCK_SIZE), + WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_DigestUpdate(mdCtx, data, WC_SM3_BLOCK_SIZE - 2), + WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_DigestUpdate(mdCtx, data, WC_SM3_BLOCK_SIZE * 2), + WOLFSSL_SUCCESS); + /* Ensure too many bytes for lengths. */ + ExpectIntEQ(EVP_DigestUpdate(mdCtx, data, WC_SM3_PAD_SIZE), + WOLFSSL_SUCCESS); + + /* Invalid Parameters */ + ExpectIntEQ(EVP_DigestFinal(NULL, NULL, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(EVP_DigestFinal(mdCtx, NULL, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(EVP_DigestFinal(NULL, hash, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(EVP_DigestFinal(NULL, hash, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(EVP_DigestFinal(mdCtx, NULL, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + + /* Valid Parameters */ + ExpectIntEQ(EVP_DigestFinal(mdCtx, hash, NULL), WOLFSSL_SUCCESS); + ExpectBufEQ(hash, expHash, WC_SM3_DIGEST_SIZE); + + /* Chunk tests. */ + ExpectIntEQ(EVP_DigestUpdate(mdCtx, data, sizeof(data)), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_DigestFinal(mdCtx, calcHash, &sz), WOLFSSL_SUCCESS); + ExpectIntEQ(sz, WC_SM3_DIGEST_SIZE); + for (chunk = 1; chunk <= WC_SM3_BLOCK_SIZE + 1; chunk++) { + for (i = 0; i + chunk <= (word32)sizeof(data); i += chunk) { + for (i = 0; i + chunk <= (word32)sizeof(data); i += chunk) { + ExpectIntEQ(EVP_DigestUpdate(mdCtx, data + i, chunk), + WOLFSSL_SUCCESS); + } + if (i < (word32)sizeof(data)) { + ExpectIntEQ(EVP_DigestUpdate(mdCtx, data + i, + (word32)sizeof(data) - i), WOLFSSL_SUCCESS); + } + ExpectIntEQ(EVP_DigestFinal(mdCtx, hash, NULL), WOLFSSL_SUCCESS); + ExpectBufEQ(hash, calcHash, WC_SM3_DIGEST_SIZE); + } + + /* Not testing when the low 32-bit length overflows. */ + + ret = EVP_MD_CTX_cleanup(mdCtx); + ExpectIntEQ(ret, WOLFSSL_SUCCESS); + wolfSSL_EVP_MD_CTX_free(mdCtx); + + res = EXPECT_RESULT(); +#endif + return res; +} /* END test_EVP_sm3 */ + +int test_EVP_blake2(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && (defined(HAVE_BLAKE2) || defined(HAVE_BLAKE2S)) + const EVP_MD* md = NULL; + (void)md; + +#if defined(HAVE_BLAKE2) + ExpectNotNull(md = EVP_blake2b512()); + ExpectIntEQ(XSTRNCMP(md, "BLAKE2b512", XSTRLEN("BLAKE2b512")), 0); +#endif + +#if defined(HAVE_BLAKE2S) + ExpectNotNull(md = EVP_blake2s256()); + ExpectIntEQ(XSTRNCMP(md, "BLAKE2s256", XSTRLEN("BLAKE2s256")), 0); +#endif +#endif + + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_md4(void) +{ + EXPECT_DECLS; +#if !defined(NO_MD4) && defined(OPENSSL_ALL) + ExpectNotNull(wolfSSL_EVP_md4()); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_ripemd160(void) +{ + EXPECT_DECLS; +#if !defined(NO_WOLFSSL_STUB) && defined(OPENSSL_ALL) + ExpectNull(wolfSSL_EVP_ripemd160()); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_get_digestbynid(void) +{ + EXPECT_DECLS; +#ifdef OPENSSL_ALL +#ifndef NO_MD5 + ExpectNotNull(wolfSSL_EVP_get_digestbynid(NID_md5)); +#endif +#ifndef NO_SHA + ExpectNotNull(wolfSSL_EVP_get_digestbynid(NID_sha1)); +#endif +#ifndef NO_SHA256 + ExpectNotNull(wolfSSL_EVP_get_digestbynid(NID_sha256)); +#endif + ExpectNull(wolfSSL_EVP_get_digestbynid(0)); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_Digest(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_SHA256) && !defined(NO_PWDBASED) + const char* in = "abc"; + int inLen = (int)XSTRLEN(in); + byte out[WC_SHA256_DIGEST_SIZE]; + unsigned int outLen; + const char* expOut = + "\xBA\x78\x16\xBF\x8F\x01\xCF\xEA\x41\x41\x40\xDE\x5D\xAE\x22" + "\x23\xB0\x03\x61\xA3\x96\x17\x7A\x9C\xB4\x10\xFF\x61\xF2\x00" + "\x15\xAD"; + + ExpectIntEQ(wolfSSL_EVP_Digest((unsigned char*)in, inLen, out, &outLen, + "SHA256", NULL), 1); + ExpectIntEQ(outLen, WC_SHA256_DIGEST_SIZE); + ExpectIntEQ(XMEMCMP(out, expOut, WC_SHA256_DIGEST_SIZE), 0); +#endif /* OPEN_EXTRA && ! NO_SHA256 */ + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_Digest_all(void) +{ + EXPECT_DECLS; +#ifdef OPENSSL_EXTRA + const char* digests[] = { +#ifndef NO_MD5 + "MD5", +#endif +#ifndef NO_SHA + "SHA", +#endif +#ifdef WOLFSSL_SHA224 + "SHA224", +#endif +#ifndef NO_SHA256 + "SHA256", +#endif +#ifdef WOLFSSL_SHA384 + "SHA384", +#endif +#ifdef WOLFSSL_SHA512 + "SHA512", +#endif +#if defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_224) + "SHA512-224", +#endif +#if defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_256) + "SHA512-256", +#endif +#ifdef WOLFSSL_SHA3 +#ifndef WOLFSSL_NOSHA3_224 + "SHA3-224", +#endif +#ifndef WOLFSSL_NOSHA3_256 + "SHA3-256", +#endif + "SHA3-384", +#ifndef WOLFSSL_NOSHA3_512 + "SHA3-512", +#endif +#endif /* WOLFSSL_SHA3 */ + NULL + }; + const char** d; + const unsigned char in[] = "abc"; + int inLen = XSTR_SIZEOF(in); + byte out[WC_MAX_DIGEST_SIZE]; + unsigned int outLen; + + for (d = digests; *d != NULL; d++) { + ExpectIntEQ(EVP_Digest(in, inLen, out, &outLen, *d, NULL), 1); + ExpectIntGT(outLen, 0); + ExpectIntEQ(EVP_MD_size(*d), outLen); + } +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_DigestFinal_ex(void) +{ + EXPECT_DECLS; +#if !defined(NO_SHA256) && defined(OPENSSL_ALL) + WOLFSSL_EVP_MD_CTX mdCtx; + unsigned int s = 0; + unsigned char md[WC_SHA256_DIGEST_SIZE]; + unsigned char md2[WC_SHA256_DIGEST_SIZE]; + + /* Bad Case */ +#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && \ + (HAVE_FIPS_VERSION > 2)) + wolfSSL_EVP_MD_CTX_init(&mdCtx); + ExpectIntEQ(wolfSSL_EVP_DigestFinal_ex(&mdCtx, md, &s), 0); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); + +#else + wolfSSL_EVP_MD_CTX_init(&mdCtx); + ExpectIntEQ(wolfSSL_EVP_DigestFinal_ex(&mdCtx, md, &s), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), WOLFSSL_SUCCESS); + +#endif + + /* Good Case */ + wolfSSL_EVP_MD_CTX_init(&mdCtx); + ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, EVP_sha256()), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_EVP_DigestFinal_ex(&mdCtx, md2, &s), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), WOLFSSL_SUCCESS); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_DigestFinalXOF(void) +{ + EXPECT_DECLS; +#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE256) && defined(OPENSSL_ALL) + WOLFSSL_EVP_MD_CTX mdCtx; + unsigned char shake[256]; + unsigned char zeros[10]; + unsigned char data[] = "Test data"; + unsigned int sz; + + XMEMSET(zeros, 0, sizeof(zeros)); + wolfSSL_EVP_MD_CTX_init(&mdCtx); + ExpectIntEQ(EVP_DigestInit(&mdCtx, EVP_shake256()), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_MD_flags(EVP_shake256()), EVP_MD_FLAG_XOF); + ExpectIntEQ(EVP_MD_flags(EVP_sha3_256()), 0); + ExpectIntEQ(EVP_DigestUpdate(&mdCtx, data, 1), WOLFSSL_SUCCESS); + XMEMSET(shake, 0, sizeof(shake)); + ExpectIntEQ(EVP_DigestFinalXOF(&mdCtx, shake, 10), WOLFSSL_SUCCESS); + + /* make sure was only size of 10 */ + ExpectIntEQ(XMEMCMP(&shake[11], zeros, 10), 0); + ExpectIntEQ(EVP_MD_CTX_cleanup(&mdCtx), WOLFSSL_SUCCESS); + + wolfSSL_EVP_MD_CTX_init(&mdCtx); + ExpectIntEQ(EVP_DigestInit(&mdCtx, EVP_shake256()), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_DigestUpdate(&mdCtx, data, 1), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_DigestFinal(&mdCtx, shake, &sz), WOLFSSL_SUCCESS); + ExpectIntEQ(sz, 32); + ExpectIntEQ(EVP_MD_CTX_cleanup(&mdCtx), WOLFSSL_SUCCESS); + + #if defined(WOLFSSL_SHAKE128) + wolfSSL_EVP_MD_CTX_init(&mdCtx); + ExpectIntEQ(EVP_DigestInit(&mdCtx, EVP_shake128()), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_DigestUpdate(&mdCtx, data, 1), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_DigestFinal(&mdCtx, shake, &sz), WOLFSSL_SUCCESS); + ExpectIntEQ(sz, 16); + ExpectIntEQ(EVP_MD_CTX_cleanup(&mdCtx), WOLFSSL_SUCCESS); + #endif +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_MD_nid(void) +{ + EXPECT_DECLS; +#ifdef OPENSSL_ALL +#ifndef NO_MD5 + ExpectIntEQ(EVP_MD_nid(EVP_md5()), NID_md5); +#endif +#ifndef NO_SHA + ExpectIntEQ(EVP_MD_nid(EVP_sha1()), NID_sha1); +#endif +#ifndef NO_SHA256 + ExpectIntEQ(EVP_MD_nid(EVP_sha256()), NID_sha256); +#endif + ExpectIntEQ(EVP_MD_nid(NULL), NID_undef); +#endif + return EXPECT_RESULT(); +} + +#if defined(OPENSSL_EXTRA) +static void list_md_fn(const EVP_MD* m, const char* from, + const char* to, void* arg) +{ + const char* mn; + BIO *bio; + + (void) from; + (void) to; + (void) arg; + (void) mn; + (void) bio; + + if (!m) { + /* alias */ + AssertNull(m); + AssertNotNull(to); + } + else { + AssertNotNull(m); + AssertNull(to); + } + + AssertNotNull(from); + +#if !defined(NO_FILESYSTEM) && defined(DEBUG_WOLFSSL_VERBOSE) + mn = EVP_get_digestbyname(from); + /* print to stderr */ + AssertNotNull(arg); + + bio = BIO_new(BIO_s_file()); + BIO_set_fp(bio, arg, BIO_NOCLOSE); + BIO_printf(bio, "Use %s message digest algorithm\n", mn); + BIO_free(bio); +#endif +} +#endif + +int test_EVP_MD_do_all(void) +{ + int res = TEST_SKIPPED; +#if defined(OPENSSL_EXTRA) + EVP_MD_do_all(NULL, stderr); + + EVP_MD_do_all(list_md_fn, stderr); + + res = TEST_SUCCESS; +#endif + + return res; +} + +int test_wolfSSL_EVP_MD_size(void) +{ + EXPECT_DECLS; +#ifdef OPENSSL_EXTRA + WOLFSSL_EVP_MD_CTX mdCtx; + +#ifdef WOLFSSL_SHA3 +#ifndef WOLFSSL_NOSHA3_224 + wolfSSL_EVP_MD_CTX_init(&mdCtx); + + ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA3-224"), 1); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA3_224_DIGEST_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA3_224_BLOCK_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); +#endif +#ifndef WOLFSSL_NOSHA3_256 + wolfSSL_EVP_MD_CTX_init(&mdCtx); + + ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA3-256"), 1); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA3_256_DIGEST_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA3_256_BLOCK_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); +#endif + wolfSSL_EVP_MD_CTX_init(&mdCtx); + + ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA3-384"), 1); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA3_384_DIGEST_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA3_384_BLOCK_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); +#ifndef WOLFSSL_NOSHA3_512 + wolfSSL_EVP_MD_CTX_init(&mdCtx); + + ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA3-512"), 1); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA3_512_DIGEST_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA3_512_BLOCK_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); +#endif +#endif /* WOLFSSL_SHA3 */ + +#ifndef NO_SHA256 + wolfSSL_EVP_MD_CTX_init(&mdCtx); + + ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA256"), 1); + ExpectIntEQ(wolfSSL_EVP_MD_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), + WC_SHA256_DIGEST_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_block_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), + WC_SHA256_BLOCK_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA256_DIGEST_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA256_BLOCK_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); + +#endif + +#ifndef NO_MD5 + wolfSSL_EVP_MD_CTX_init(&mdCtx); + + ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "MD5"), 1); + ExpectIntEQ(wolfSSL_EVP_MD_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), + WC_MD5_DIGEST_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_block_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), + WC_MD5_BLOCK_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_MD5_DIGEST_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_MD5_BLOCK_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); + +#endif + +#ifdef WOLFSSL_SHA224 + wolfSSL_EVP_MD_CTX_init(&mdCtx); + + ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA224"), 1); + ExpectIntEQ(wolfSSL_EVP_MD_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), + WC_SHA224_DIGEST_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_block_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), + WC_SHA224_BLOCK_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA224_DIGEST_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA224_BLOCK_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); + +#endif + +#ifdef WOLFSSL_SHA384 + wolfSSL_EVP_MD_CTX_init(&mdCtx); + + ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA384"), 1); + ExpectIntEQ(wolfSSL_EVP_MD_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), + WC_SHA384_DIGEST_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_block_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), + WC_SHA384_BLOCK_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA384_DIGEST_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA384_BLOCK_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); + +#endif + +#ifdef WOLFSSL_SHA512 + wolfSSL_EVP_MD_CTX_init(&mdCtx); + + ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA512"), 1); + ExpectIntEQ(wolfSSL_EVP_MD_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), + WC_SHA512_DIGEST_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_block_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), + WC_SHA512_BLOCK_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA512_DIGEST_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA512_BLOCK_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); + +#endif + +#ifndef NO_SHA + wolfSSL_EVP_MD_CTX_init(&mdCtx); + + ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA"), 1); + ExpectIntEQ(wolfSSL_EVP_MD_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), + WC_SHA_DIGEST_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_block_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), + WC_SHA_BLOCK_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA_DIGEST_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA_BLOCK_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); + + wolfSSL_EVP_MD_CTX_init(&mdCtx); + + ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA1"), 1); + ExpectIntEQ(wolfSSL_EVP_MD_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), + WC_SHA_DIGEST_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_block_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), + WC_SHA_BLOCK_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA_DIGEST_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA_BLOCK_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); +#endif + /* error case */ + wolfSSL_EVP_MD_CTX_init(&mdCtx); + + ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, ""), 0); + ExpectIntEQ(wolfSSL_EVP_MD_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), 0); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), 0); + /* Cleanup is valid on uninit'ed struct */ + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); +#endif /* OPENSSL_EXTRA */ + return EXPECT_RESULT(); +} + diff --git a/tests/api/test_evp_digest.h b/tests/api/test_evp_digest.h new file mode 100644 index 000000000..e6989139e --- /dev/null +++ b/tests/api/test_evp_digest.h @@ -0,0 +1,58 @@ +/* test_evp_digest.h + * + * Copyright (C) 2006-2025 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +#ifndef WOLFCRYPT_TEST_EVP_DIGEST_H +#define WOLFCRYPT_TEST_EVP_DIGEST_H + +#include + +int test_wolfSSL_EVP_shake128(void); +int test_wolfSSL_EVP_shake256(void); +int test_wolfSSL_EVP_sm3(void); +int test_EVP_blake2(void); +int test_wolfSSL_EVP_md4(void); +int test_wolfSSL_EVP_ripemd160(void); +int test_wolfSSL_EVP_get_digestbynid(void); +int test_wolfSSL_EVP_Digest(void); +int test_wolfSSL_EVP_Digest_all(void); +int test_wolfSSL_EVP_DigestFinal_ex(void); +int test_wolfSSL_EVP_DigestFinalXOF(void); +int test_wolfSSL_EVP_MD_nid(void); +int test_EVP_MD_do_all(void); +int test_wolfSSL_EVP_MD_size(void); + +#define TEST_EVP_DIGEST_DECLS \ + TEST_DECL_GROUP("evp_digest", test_wolfSSL_EVP_shake128), \ + TEST_DECL_GROUP("evp_digest", test_wolfSSL_EVP_shake256), \ + TEST_DECL_GROUP("evp_digest", test_wolfSSL_EVP_sm3), \ + TEST_DECL_GROUP("evp_digest", test_EVP_blake2), \ + TEST_DECL_GROUP("evp_digest", test_wolfSSL_EVP_md4), \ + TEST_DECL_GROUP("evp_digest", test_wolfSSL_EVP_ripemd160), \ + TEST_DECL_GROUP("evp_digest", test_wolfSSL_EVP_get_digestbynid), \ + TEST_DECL_GROUP("evp_digest", test_wolfSSL_EVP_Digest), \ + TEST_DECL_GROUP("evp_digest", test_wolfSSL_EVP_Digest_all), \ + TEST_DECL_GROUP("evp_digest", test_wolfSSL_EVP_DigestFinal_ex), \ + TEST_DECL_GROUP("evp_digest", test_wolfSSL_EVP_DigestFinalXOF), \ + TEST_DECL_GROUP("evp_digest", test_wolfSSL_EVP_MD_nid), \ + TEST_DECL_GROUP("evp_digest", test_EVP_MD_do_all), \ + TEST_DECL_GROUP("evp_digest", test_wolfSSL_EVP_MD_size) + +#endif /* WOLFCRYPT_TEST_EVP_DIGEST_H */ diff --git a/tests/api/test_evp_pkey.c b/tests/api/test_evp_pkey.c new file mode 100644 index 000000000..35f1c720b --- /dev/null +++ b/tests/api/test_evp_pkey.c @@ -0,0 +1,2359 @@ +/* test_evp_pkey.c + * + * Copyright (C) 2006-2025 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +#include + +#ifdef NO_INLINE + #include +#else + #define WOLFSSL_MISC_INCLUDED + #include +#endif + +#include +#include +#include +#include + + +int test_wolfSSL_EVP_PKEY_CTX_new_id(void) +{ + EXPECT_DECLS; +#ifdef OPENSSL_ALL + WOLFSSL_ENGINE* e = NULL; + int id = 0; + EVP_PKEY_CTX *ctx = NULL; + + ExpectNotNull(ctx = wolfSSL_EVP_PKEY_CTX_new_id(id, e)); + + EVP_PKEY_CTX_free(ctx); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_PKEY_CTX_set_rsa_keygen_bits(void) +{ + EXPECT_DECLS; +#ifdef OPENSSL_ALL + WOLFSSL_EVP_PKEY* pkey = NULL; + EVP_PKEY_CTX* ctx = NULL; + int bits = 2048; + + ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); + ExpectNotNull(ctx = EVP_PKEY_CTX_new(pkey, NULL)); + + ExpectIntEQ(wolfSSL_EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, bits), + WOLFSSL_SUCCESS); + + EVP_PKEY_CTX_free(ctx); + EVP_PKEY_free(pkey); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_QT_EVP_PKEY_CTX_free(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && defined(OPENSSL_ALL) + EVP_PKEY* pkey = NULL; + EVP_PKEY_CTX* ctx = NULL; + + ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); + ExpectNotNull(ctx = EVP_PKEY_CTX_new(pkey, NULL)); + +#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000L + /* void */ + EVP_PKEY_CTX_free(ctx); +#else + /* int */ + ExpectIntEQ(EVP_PKEY_CTX_free(ctx), WOLFSSL_SUCCESS); +#endif + + EVP_PKEY_free(pkey); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_PKEY_up_ref(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_ALL) + EVP_PKEY* pkey; + + pkey = EVP_PKEY_new(); + ExpectNotNull(pkey); + ExpectIntEQ(EVP_PKEY_up_ref(NULL), 0); + ExpectIntEQ(EVP_PKEY_up_ref(pkey), 1); + EVP_PKEY_free(pkey); + ExpectIntEQ(EVP_PKEY_up_ref(pkey), 1); + EVP_PKEY_free(pkey); + EVP_PKEY_free(pkey); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_PKEY_base_id(void) +{ + EXPECT_DECLS; +#ifdef OPENSSL_ALL + WOLFSSL_EVP_PKEY* pkey = NULL; + + ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); + + ExpectIntEQ(wolfSSL_EVP_PKEY_base_id(NULL), NID_undef); + + ExpectIntEQ(wolfSSL_EVP_PKEY_base_id(pkey), EVP_PKEY_RSA); + + EVP_PKEY_free(pkey); +#endif + return EXPECT_RESULT(); +} +int test_wolfSSL_EVP_PKEY_id(void) +{ + EXPECT_DECLS; +#ifdef OPENSSL_ALL + WOLFSSL_EVP_PKEY* pkey = NULL; + + ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); + + ExpectIntEQ(wolfSSL_EVP_PKEY_id(NULL), 0); + + ExpectIntEQ(wolfSSL_EVP_PKEY_id(pkey), EVP_PKEY_RSA); + + EVP_PKEY_free(pkey); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_MD_pkey_type(void) +{ + EXPECT_DECLS; +#ifdef OPENSSL_EXTRA + const WOLFSSL_EVP_MD* md; + +#ifndef NO_MD5 + ExpectNotNull(md = EVP_md5()); + ExpectIntEQ(EVP_MD_pkey_type(md), NID_md5WithRSAEncryption); +#endif +#ifndef NO_SHA + ExpectNotNull(md = EVP_sha1()); + ExpectIntEQ(EVP_MD_pkey_type(md), NID_sha1WithRSAEncryption); +#endif +#ifdef WOLFSSL_SHA224 + ExpectNotNull(md = EVP_sha224()); + ExpectIntEQ(EVP_MD_pkey_type(md), NID_sha224WithRSAEncryption); +#endif + ExpectNotNull(md = EVP_sha256()); + ExpectIntEQ(EVP_MD_pkey_type(md), NID_sha256WithRSAEncryption); +#ifdef WOLFSSL_SHA384 + ExpectNotNull(md = EVP_sha384()); + ExpectIntEQ(EVP_MD_pkey_type(md), NID_sha384WithRSAEncryption); +#endif +#ifdef WOLFSSL_SHA512 + ExpectNotNull(md = EVP_sha512()); + ExpectIntEQ(EVP_MD_pkey_type(md), NID_sha512WithRSAEncryption); +#endif +#endif + return EXPECT_RESULT(); +} + +#ifdef OPENSSL_EXTRA +static int test_hmac_signing(const WOLFSSL_EVP_MD *type, const byte* testKey, + size_t testKeySz, const char* testData, size_t testDataSz, + const byte* testResult, size_t testResultSz) +{ + EXPECT_DECLS; + unsigned char check[WC_MAX_DIGEST_SIZE]; + size_t checkSz = 0; + WOLFSSL_EVP_PKEY* key = NULL; + WOLFSSL_EVP_MD_CTX mdCtx; + + ExpectNotNull(key = wolfSSL_EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, + testKey, (int)testKeySz)); + wolfSSL_EVP_MD_CTX_init(&mdCtx); + ExpectIntEQ(wolfSSL_EVP_DigestSignInit(&mdCtx, NULL, type, NULL, key), 1); + ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData, + (unsigned int)testDataSz), 1); + checkSz = sizeof(check); + ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, NULL, &checkSz), 1); + ExpectIntEQ((int)checkSz, (int)testResultSz); + checkSz = sizeof(check); + ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); + ExpectIntEQ((int)checkSz,(int)testResultSz); + ExpectIntEQ(XMEMCMP(testResult, check, testResultSz), 0); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); + + ExpectIntEQ(wolfSSL_EVP_DigestVerifyInit(&mdCtx, NULL, type, NULL, key), 1); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData, + (unsigned int)testDataSz), 1); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyFinal(&mdCtx, testResult, checkSz), 1); + + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); + wolfSSL_EVP_MD_CTX_init(&mdCtx); + ExpectIntEQ(wolfSSL_EVP_DigestSignInit(&mdCtx, NULL, type, NULL, key), 1); + ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData, 4), 1); + checkSz = sizeof(check); + ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, NULL, &checkSz), 1); + ExpectIntEQ((int)checkSz, (int)testResultSz); + checkSz = sizeof(check); + ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); + ExpectIntEQ((int)checkSz,(int)testResultSz); + ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData + 4, + (unsigned int)testDataSz - 4), 1); + checkSz = sizeof(check); + ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); + ExpectIntEQ((int)checkSz,(int)testResultSz); + ExpectIntEQ(XMEMCMP(testResult, check, testResultSz), 0); + + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyInit(&mdCtx, NULL, type, NULL, key), 1); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData, 4), 1); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData + 4, + (unsigned int)testDataSz - 4), 1); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyFinal(&mdCtx, testResult, checkSz), 1); + + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); + + wolfSSL_EVP_PKEY_free(key); + + return EXPECT_RESULT(); +} +#endif + +int test_wolfSSL_EVP_MD_hmac_signing(void) +{ + EXPECT_DECLS; +#ifdef OPENSSL_EXTRA + static const unsigned char testKey[] = + { + 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, + 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, + 0x0b, 0x0b, 0x0b, 0x0b + }; + static const char testData[] = "Hi There"; +#ifdef WOLFSSL_SHA224 + static const unsigned char testResultSha224[] = + { + 0x89, 0x6f, 0xb1, 0x12, 0x8a, 0xbb, 0xdf, 0x19, + 0x68, 0x32, 0x10, 0x7c, 0xd4, 0x9d, 0xf3, 0x3f, + 0x47, 0xb4, 0xb1, 0x16, 0x99, 0x12, 0xba, 0x4f, + 0x53, 0x68, 0x4b, 0x22 + }; +#endif +#ifndef NO_SHA256 + static const unsigned char testResultSha256[] = + { + 0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, + 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, + 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, + 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7 + }; +#endif +#ifdef WOLFSSL_SHA384 + static const unsigned char testResultSha384[] = + { + 0xaf, 0xd0, 0x39, 0x44, 0xd8, 0x48, 0x95, 0x62, + 0x6b, 0x08, 0x25, 0xf4, 0xab, 0x46, 0x90, 0x7f, + 0x15, 0xf9, 0xda, 0xdb, 0xe4, 0x10, 0x1e, 0xc6, + 0x82, 0xaa, 0x03, 0x4c, 0x7c, 0xeb, 0xc5, 0x9c, + 0xfa, 0xea, 0x9e, 0xa9, 0x07, 0x6e, 0xde, 0x7f, + 0x4a, 0xf1, 0x52, 0xe8, 0xb2, 0xfa, 0x9c, 0xb6 + }; +#endif +#ifdef WOLFSSL_SHA512 + static const unsigned char testResultSha512[] = + { + 0x87, 0xaa, 0x7c, 0xde, 0xa5, 0xef, 0x61, 0x9d, + 0x4f, 0xf0, 0xb4, 0x24, 0x1a, 0x1d, 0x6c, 0xb0, + 0x23, 0x79, 0xf4, 0xe2, 0xce, 0x4e, 0xc2, 0x78, + 0x7a, 0xd0, 0xb3, 0x05, 0x45, 0xe1, 0x7c, 0xde, + 0xda, 0xa8, 0x33, 0xb7, 0xd6, 0xb8, 0xa7, 0x02, + 0x03, 0x8b, 0x27, 0x4e, 0xae, 0xa3, 0xf4, 0xe4, + 0xbe, 0x9d, 0x91, 0x4e, 0xeb, 0x61, 0xf1, 0x70, + 0x2e, 0x69, 0x6c, 0x20, 0x3a, 0x12, 0x68, 0x54 + }; +#endif +#ifdef WOLFSSL_SHA3 + #ifndef WOLFSSL_NOSHA3_224 + static const unsigned char testResultSha3_224[] = + { + 0x3b, 0x16, 0x54, 0x6b, 0xbc, 0x7b, 0xe2, 0x70, + 0x6a, 0x03, 0x1d, 0xca, 0xfd, 0x56, 0x37, 0x3d, + 0x98, 0x84, 0x36, 0x76, 0x41, 0xd8, 0xc5, 0x9a, + 0xf3, 0xc8, 0x60, 0xf7 + }; + #endif + #ifndef WOLFSSL_NOSHA3_256 + static const unsigned char testResultSha3_256[] = + { + 0xba, 0x85, 0x19, 0x23, 0x10, 0xdf, 0xfa, 0x96, + 0xe2, 0xa3, 0xa4, 0x0e, 0x69, 0x77, 0x43, 0x51, + 0x14, 0x0b, 0xb7, 0x18, 0x5e, 0x12, 0x02, 0xcd, + 0xcc, 0x91, 0x75, 0x89, 0xf9, 0x5e, 0x16, 0xbb + }; + #endif + #ifndef WOLFSSL_NOSHA3_384 + static const unsigned char testResultSha3_384[] = + { + 0x68, 0xd2, 0xdc, 0xf7, 0xfd, 0x4d, 0xdd, 0x0a, + 0x22, 0x40, 0xc8, 0xa4, 0x37, 0x30, 0x5f, 0x61, + 0xfb, 0x73, 0x34, 0xcf, 0xb5, 0xd0, 0x22, 0x6e, + 0x1b, 0xc2, 0x7d, 0xc1, 0x0a, 0x2e, 0x72, 0x3a, + 0x20, 0xd3, 0x70, 0xb4, 0x77, 0x43, 0x13, 0x0e, + 0x26, 0xac, 0x7e, 0x3d, 0x53, 0x28, 0x86, 0xbd + }; + #endif + #ifndef WOLFSSL_NOSHA3_512 + static const unsigned char testResultSha3_512[] = + { + 0xeb, 0x3f, 0xbd, 0x4b, 0x2e, 0xaa, 0xb8, 0xf5, + 0xc5, 0x04, 0xbd, 0x3a, 0x41, 0x46, 0x5a, 0xac, + 0xec, 0x15, 0x77, 0x0a, 0x7c, 0xab, 0xac, 0x53, + 0x1e, 0x48, 0x2f, 0x86, 0x0b, 0x5e, 0xc7, 0xba, + 0x47, 0xcc, 0xb2, 0xc6, 0xf2, 0xaf, 0xce, 0x8f, + 0x88, 0xd2, 0x2b, 0x6d, 0xc6, 0x13, 0x80, 0xf2, + 0x3a, 0x66, 0x8f, 0xd3, 0x88, 0x8b, 0xb8, 0x05, + 0x37, 0xc0, 0xa0, 0xb8, 0x64, 0x07, 0x68, 0x9e + }; + #endif +#endif + +#ifndef NO_SHA256 + ExpectIntEQ(test_hmac_signing(wolfSSL_EVP_sha256(), testKey, + sizeof(testKey), testData, XSTRLEN(testData), testResultSha256, + sizeof(testResultSha256)), TEST_SUCCESS); +#endif +#ifdef WOLFSSL_SHA224 + ExpectIntEQ(test_hmac_signing(wolfSSL_EVP_sha224(), testKey, + sizeof(testKey), testData, XSTRLEN(testData), testResultSha224, + sizeof(testResultSha224)), TEST_SUCCESS); +#endif +#ifdef WOLFSSL_SHA384 + ExpectIntEQ(test_hmac_signing(wolfSSL_EVP_sha384(), testKey, + sizeof(testKey), testData, XSTRLEN(testData), testResultSha384, + sizeof(testResultSha384)), TEST_SUCCESS); +#endif +#ifdef WOLFSSL_SHA512 + ExpectIntEQ(test_hmac_signing(wolfSSL_EVP_sha512(), testKey, + sizeof(testKey), testData, XSTRLEN(testData), testResultSha512, + sizeof(testResultSha512)), TEST_SUCCESS); +#endif +#ifdef WOLFSSL_SHA3 + #ifndef WOLFSSL_NOSHA3_224 + ExpectIntEQ(test_hmac_signing(wolfSSL_EVP_sha3_224(), testKey, + sizeof(testKey), testData, XSTRLEN(testData), testResultSha3_224, + sizeof(testResultSha3_224)), TEST_SUCCESS); + #endif + #ifndef WOLFSSL_NOSHA3_256 + ExpectIntEQ(test_hmac_signing(wolfSSL_EVP_sha3_256(), testKey, + sizeof(testKey), testData, XSTRLEN(testData), testResultSha3_256, + sizeof(testResultSha3_256)), TEST_SUCCESS); + #endif + #ifndef WOLFSSL_NOSHA3_384 + ExpectIntEQ(test_hmac_signing(wolfSSL_EVP_sha3_384(), testKey, + sizeof(testKey), testData, XSTRLEN(testData), testResultSha3_384, + sizeof(testResultSha3_384)), TEST_SUCCESS); + #endif + #ifndef WOLFSSL_NOSHA3_512 + ExpectIntEQ(test_hmac_signing(wolfSSL_EVP_sha3_512(), testKey, + sizeof(testKey), testData, XSTRLEN(testData), testResultSha3_512, + sizeof(testResultSha3_512)), TEST_SUCCESS); + #endif +#endif +#endif /* OPENSSL_EXTRA */ + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_PKEY_new_mac_key(void) +{ + EXPECT_DECLS; +#ifdef OPENSSL_EXTRA + static const unsigned char pw[] = "password"; + static const int pwSz = sizeof(pw) - 1; + size_t checkPwSz = 0; + const unsigned char* checkPw = NULL; + WOLFSSL_EVP_PKEY* key = NULL; + + ExpectNull(key = wolfSSL_EVP_PKEY_new_mac_key(0, NULL, pw, pwSz)); + ExpectNull(key = wolfSSL_EVP_PKEY_new_mac_key(0, NULL, NULL, pwSz)); + + ExpectNotNull(key = wolfSSL_EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, pw, + pwSz)); + if (key != NULL) { + ExpectIntEQ(key->type, EVP_PKEY_HMAC); + ExpectIntEQ(key->save_type, EVP_PKEY_HMAC); + ExpectIntEQ(key->pkey_sz, pwSz); + ExpectIntEQ(XMEMCMP(key->pkey.ptr, pw, pwSz), 0); + } + ExpectNotNull(checkPw = wolfSSL_EVP_PKEY_get0_hmac(key, &checkPwSz)); + ExpectIntEQ((int)checkPwSz, pwSz); + ExpectIntEQ(XMEMCMP(checkPw, pw, pwSz), 0); + wolfSSL_EVP_PKEY_free(key); + key = NULL; + + ExpectNotNull(key = wolfSSL_EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, pw, + 0)); + ExpectIntEQ(key->pkey_sz, 0); + if (EXPECT_SUCCESS()) { + /* Allocation for key->pkey.ptr may fail - OK key len is 0 */ + checkPw = wolfSSL_EVP_PKEY_get0_hmac(key, &checkPwSz); + } + ExpectTrue((checkPwSz == 0) || (checkPw != NULL)); + ExpectIntEQ((int)checkPwSz, 0); + wolfSSL_EVP_PKEY_free(key); + key = NULL; + + ExpectNotNull(key = wolfSSL_EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, NULL, + 0)); + ExpectIntEQ(key->pkey_sz, 0); + if (EXPECT_SUCCESS()) { + /* Allocation for key->pkey.ptr may fail - OK key len is 0 */ + checkPw = wolfSSL_EVP_PKEY_get0_hmac(key, &checkPwSz); + } + ExpectTrue((checkPwSz == 0) || (checkPw != NULL)); + ExpectIntEQ((int)checkPwSz, 0); + wolfSSL_EVP_PKEY_free(key); + key = NULL; +#endif /* OPENSSL_EXTRA */ + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_PKEY_hkdf(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && defined(HAVE_HKDF) + EVP_PKEY_CTX* ctx = NULL; + byte salt[] = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F}; + byte key[] = {0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, + 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F}; + byte info[] = {0X01, 0x02, 0x03, 0x04, 0x05}; + byte info2[] = {0X06, 0x07, 0x08, 0x09, 0x0A}; + byte outKey[34]; + size_t outKeySz = sizeof(outKey); + /* These expected outputs were gathered by running the same test below using + * OpenSSL. */ + const byte extractAndExpand[] = { + 0x8B, 0xEB, 0x90, 0xA9, 0x04, 0xFF, 0x05, 0x10, 0xE4, 0xB5, 0xB1, 0x10, + 0x31, 0x34, 0xFF, 0x07, 0x5B, 0xE3, 0xC6, 0x93, 0xD4, 0xF8, 0xC7, 0xEE, + 0x96, 0xDA, 0x78, 0x7A, 0xE2, 0x9A, 0x2D, 0x05, 0x4B, 0xF6 + }; + const byte extractOnly[] = { + 0xE7, 0x6B, 0x9E, 0x0F, 0xE4, 0x02, 0x1D, 0x62, 0xEA, 0x97, 0x74, 0x5E, + 0xF4, 0x3C, 0x65, 0x4D, 0xC1, 0x46, 0x98, 0xAA, 0x79, 0x9A, 0xCB, 0x9C, + 0xCC, 0x3E, 0x7F, 0x2A, 0x2B, 0x41, 0xA1, 0x9E + }; + const byte expandOnly[] = { + 0xFF, 0x29, 0x29, 0x56, 0x9E, 0xA7, 0x66, 0x02, 0xDB, 0x4F, 0xDB, 0x53, + 0x7D, 0x21, 0x67, 0x52, 0xC3, 0x0E, 0xF3, 0xFC, 0x71, 0xCE, 0x67, 0x2B, + 0xEA, 0x3B, 0xE9, 0xFC, 0xDD, 0xC8, 0xCC, 0xB7, 0x42, 0x74 + }; + const byte extractAndExpandAddInfo[] = { + 0x5A, 0x74, 0x79, 0x83, 0xA3, 0xA4, 0x2E, 0xB7, 0xD4, 0x08, 0xC2, 0x6A, + 0x2F, 0xA5, 0xE3, 0x4E, 0xF1, 0xF4, 0x87, 0x3E, 0xA6, 0xC7, 0x88, 0x45, + 0xD7, 0xE2, 0x15, 0xBC, 0xB8, 0x10, 0xEF, 0x6C, 0x4D, 0x7A + }; + + ExpectNotNull((ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL))); + ExpectIntEQ(EVP_PKEY_derive_init(ctx), WOLFSSL_SUCCESS); + /* NULL ctx. */ + ExpectIntEQ(EVP_PKEY_CTX_set_hkdf_md(NULL, EVP_sha256()), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + /* NULL md. */ + ExpectIntEQ(EVP_PKEY_CTX_set_hkdf_md(ctx, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(EVP_PKEY_CTX_set_hkdf_md(ctx, EVP_sha256()), WOLFSSL_SUCCESS); + /* NULL ctx. */ + ExpectIntEQ(EVP_PKEY_CTX_set1_hkdf_salt(NULL, salt, sizeof(salt)), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + /* NULL salt is ok. */ + ExpectIntEQ(EVP_PKEY_CTX_set1_hkdf_salt(ctx, NULL, sizeof(salt)), + WOLFSSL_SUCCESS); + /* Salt length <= 0. */ + /* Length 0 salt is ok. */ + ExpectIntEQ(EVP_PKEY_CTX_set1_hkdf_salt(ctx, salt, 0), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_CTX_set1_hkdf_salt(ctx, salt, -1), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(EVP_PKEY_CTX_set1_hkdf_salt(ctx, salt, sizeof(salt)), + WOLFSSL_SUCCESS); + /* NULL ctx. */ + ExpectIntEQ(EVP_PKEY_CTX_set1_hkdf_key(NULL, key, sizeof(key)), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + /* NULL key. */ + ExpectIntEQ(EVP_PKEY_CTX_set1_hkdf_key(ctx, NULL, sizeof(key)), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + /* Key length <= 0 */ + ExpectIntEQ(EVP_PKEY_CTX_set1_hkdf_key(ctx, key, 0), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(EVP_PKEY_CTX_set1_hkdf_key(ctx, key, -1), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(EVP_PKEY_CTX_set1_hkdf_key(ctx, key, sizeof(key)), + WOLFSSL_SUCCESS); + /* NULL ctx. */ + ExpectIntEQ(EVP_PKEY_CTX_add1_hkdf_info(NULL, info, sizeof(info)), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + /* NULL info is ok. */ + ExpectIntEQ(EVP_PKEY_CTX_add1_hkdf_info(ctx, NULL, sizeof(info)), + WOLFSSL_SUCCESS); + /* Info length <= 0 */ + /* Length 0 info is ok. */ + ExpectIntEQ(EVP_PKEY_CTX_add1_hkdf_info(ctx, info, 0), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_CTX_add1_hkdf_info(ctx, info, -1), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(EVP_PKEY_CTX_add1_hkdf_info(ctx, info, sizeof(info)), + WOLFSSL_SUCCESS); + /* NULL ctx. */ + ExpectIntEQ(EVP_PKEY_CTX_hkdf_mode(NULL, EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + /* Extract and expand (default). */ + ExpectIntEQ(EVP_PKEY_derive(ctx, outKey, &outKeySz), WOLFSSL_SUCCESS); + ExpectIntEQ(outKeySz, sizeof(extractAndExpand)); + ExpectIntEQ(XMEMCMP(outKey, extractAndExpand, outKeySz), 0); + /* Extract only. */ + ExpectIntEQ(EVP_PKEY_CTX_hkdf_mode(ctx, EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY), + WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_derive(ctx, outKey, &outKeySz), WOLFSSL_SUCCESS); + ExpectIntEQ(outKeySz, sizeof(extractOnly)); + ExpectIntEQ(XMEMCMP(outKey, extractOnly, outKeySz), 0); + outKeySz = sizeof(outKey); + /* Expand only. */ + ExpectIntEQ(EVP_PKEY_CTX_hkdf_mode(ctx, EVP_PKEY_HKDEF_MODE_EXPAND_ONLY), + WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_derive(ctx, outKey, &outKeySz), WOLFSSL_SUCCESS); + ExpectIntEQ(outKeySz, sizeof(expandOnly)); + ExpectIntEQ(XMEMCMP(outKey, expandOnly, outKeySz), 0); + outKeySz = sizeof(outKey); + /* Extract and expand with appended additional info. */ + ExpectIntEQ(EVP_PKEY_CTX_add1_hkdf_info(ctx, info2, sizeof(info2)), + WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_CTX_hkdf_mode(ctx, + EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_derive(ctx, outKey, &outKeySz), WOLFSSL_SUCCESS); + ExpectIntEQ(outKeySz, sizeof(extractAndExpandAddInfo)); + ExpectIntEQ(XMEMCMP(outKey, extractAndExpandAddInfo, outKeySz), 0); + + EVP_PKEY_CTX_free(ctx); +#endif /* OPENSSL_EXTRA && HAVE_HKDF */ + return EXPECT_RESULT(); +} + + +int test_wolfSSL_EVP_PBE_scrypt(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && defined(HAVE_SCRYPT) && defined(HAVE_PBKDF2) && \ + (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 5)) +#if !defined(NO_PWDBASED) && !defined(NO_SHA256) + int ret; + + const char pwd[] = {'p','a','s','s','w','o','r','d'}; + int pwdlen = sizeof(pwd); + const byte salt[] = {'N','a','C','l'}; + int saltlen = sizeof(salt); + byte key[80]; + word64 numOvr32 = (word64)INT32_MAX + 1; + + /* expected derived key for N:16, r:1, p:1 */ + const byte expectedKey[] = { + 0xAE, 0xC6, 0xB7, 0x48, 0x3E, 0xD2, 0x6E, 0x08, 0x80, 0x2B, + 0x41, 0xF4, 0x03, 0x20, 0x86, 0xA0, 0xE8, 0x86, 0xBE, 0x7A, + 0xC4, 0x8F, 0xCF, 0xD9, 0x2F, 0xF0, 0xCE, 0xF8, 0x10, 0x97, + 0x52, 0xF4, 0xAC, 0x74, 0xB0, 0x77, 0x26, 0x32, 0x56, 0xA6, + 0x5A, 0x99, 0x70, 0x1B, 0x7A, 0x30, 0x4D, 0x46, 0x61, 0x1C, + 0x8A, 0xA3, 0x91, 0xE7, 0x99, 0xCE, 0x10, 0xA2, 0x77, 0x53, + 0xE7, 0xE9, 0xC0, 0x9A}; + + /* N r p mx key keylen */ + ret = EVP_PBE_scrypt(pwd, pwdlen, salt, saltlen, 0, 1, 1, 0, key, 64); + ExpectIntEQ(ret, 0); /* N must be greater than 1 */ + + ret = EVP_PBE_scrypt(pwd, pwdlen, salt, saltlen, 3, 1, 1, 0, key, 64); + ExpectIntEQ(ret, 0); /* N must be power of 2 */ + + ret = EVP_PBE_scrypt(pwd, pwdlen, salt, saltlen, 2, 0, 1, 0, key, 64); + ExpectIntEQ(ret, 0); /* r must be greater than 0 */ + + ret = EVP_PBE_scrypt(pwd, pwdlen, salt, saltlen, 2, 1, 0, 0, key, 64); + ExpectIntEQ(ret, 0); /* p must be greater than 0 */ + + ret = EVP_PBE_scrypt(pwd, pwdlen, salt, saltlen, 2, 1, 1, 0, key, 0); + ExpectIntEQ(ret, 0); /* keylen must be greater than 0 */ + + ret = EVP_PBE_scrypt(pwd, pwdlen, salt, saltlen, 2, 9, 1, 0, key, 64); + ExpectIntEQ(ret, 0); /* r must be smaller than 9 */ + + ret = EVP_PBE_scrypt(pwd, pwdlen, salt, saltlen, 2, 1, 1, 0, NULL, 64); + ExpectIntEQ(ret, 1); /* should succeed if key is NULL */ + + ret = EVP_PBE_scrypt(pwd, pwdlen, salt, saltlen, 2, 1, 1, 0, key, 64); + ExpectIntEQ(ret, 1); /* should succeed */ + + ret = EVP_PBE_scrypt(pwd, pwdlen, salt, saltlen, 2, numOvr32, 1, 0, + key, 64); + ExpectIntEQ(ret, 0); /* should fail since r is greater than INT32_MAC */ + + ret = EVP_PBE_scrypt(pwd, pwdlen, salt, saltlen, 2, 1, numOvr32, 0, + key, 64); + ExpectIntEQ(ret, 0); /* should fail since p is greater than INT32_MAC */ + + ret = EVP_PBE_scrypt(pwd, pwdlen, NULL, 0, 2, 1, 1, 0, key, 64); + ExpectIntEQ(ret, 1); /* should succeed even if salt is NULL */ + + ret = EVP_PBE_scrypt(pwd, pwdlen, NULL, 4, 2, 1, 1, 0, key, 64); + ExpectIntEQ(ret, 0); /* if salt is NULL, saltlen must be 0, otherwise fail*/ + + ret = EVP_PBE_scrypt(NULL, 0, salt, saltlen, 2, 1, 1, 0, key, 64); + ExpectIntEQ(ret, 1); /* should succeed if pwd is NULL and pwdlen is 0*/ + + ret = EVP_PBE_scrypt(NULL, 4, salt, saltlen, 2, 1, 1, 0, key, 64); + ExpectIntEQ(ret, 0); /* if pwd is NULL, pwdlen must be 0 */ + + ret = EVP_PBE_scrypt(NULL, 0, NULL, 0, 2, 1, 1, 0, key, 64); + ExpectIntEQ(ret, 1); /* should succeed even both pwd and salt are NULL */ + + ret = EVP_PBE_scrypt(pwd, pwdlen, salt, saltlen, 16, 1, 1, 0, key, 64); + ExpectIntEQ(ret, 1); + + ret = XMEMCMP(expectedKey, key, sizeof(expectedKey)); + ExpectIntEQ(ret, 0); /* derived key must be the same as expected-key */ +#endif /* !NO_PWDBASED && !NO_SHA256 */ +#endif /* OPENSSL_EXTRA && HAVE_SCRYPT && HAVE_PBKDF2 */ + return EXPECT_RESULT(); +} + +int test_EVP_PKEY_cmp(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) + EVP_PKEY *a = NULL; + EVP_PKEY *b = NULL; + const unsigned char *in; + +#if !defined(NO_RSA) && defined(USE_CERT_BUFFERS_2048) + in = client_key_der_2048; + ExpectNotNull(a = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL, + &in, (long)sizeof_client_key_der_2048)); + in = client_key_der_2048; + ExpectNotNull(b = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL, + &in, (long)sizeof_client_key_der_2048)); + + /* Test success case RSA */ +#if defined(WOLFSSL_ERROR_CODE_OPENSSL) + ExpectIntEQ(EVP_PKEY_cmp(a, b), 1); +#else + ExpectIntEQ(EVP_PKEY_cmp(a, b), 0); +#endif /* WOLFSSL_ERROR_CODE_OPENSSL */ + + EVP_PKEY_free(b); + b = NULL; + EVP_PKEY_free(a); + a = NULL; +#endif + +#if defined(HAVE_ECC) && defined(USE_CERT_BUFFERS_256) + in = ecc_clikey_der_256; + ExpectNotNull(a = wolfSSL_d2i_PrivateKey(EVP_PKEY_EC, NULL, + &in, (long)sizeof_ecc_clikey_der_256)); + in = ecc_clikey_der_256; + ExpectNotNull(b = wolfSSL_d2i_PrivateKey(EVP_PKEY_EC, NULL, + &in, (long)sizeof_ecc_clikey_der_256)); + + /* Test success case ECC */ +#if defined(WOLFSSL_ERROR_CODE_OPENSSL) + ExpectIntEQ(EVP_PKEY_cmp(a, b), 1); +#else + ExpectIntEQ(EVP_PKEY_cmp(a, b), 0); +#endif /* WOLFSSL_ERROR_CODE_OPENSSL */ + + EVP_PKEY_free(b); + b = NULL; + EVP_PKEY_free(a); + a = NULL; +#endif + + /* Test failure cases */ +#if !defined(NO_RSA) && defined(USE_CERT_BUFFERS_2048) && \ + defined(HAVE_ECC) && defined(USE_CERT_BUFFERS_256) + + in = client_key_der_2048; + ExpectNotNull(a = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL, + &in, (long)sizeof_client_key_der_2048)); + in = ecc_clikey_der_256; + ExpectNotNull(b = wolfSSL_d2i_PrivateKey(EVP_PKEY_EC, NULL, + &in, (long)sizeof_ecc_clikey_der_256)); + +#if defined(WOLFSSL_ERROR_CODE_OPENSSL) + ExpectIntEQ(EVP_PKEY_cmp(a, b), -1); +#else + ExpectIntNE(EVP_PKEY_cmp(a, b), 0); +#endif /* WOLFSSL_ERROR_CODE_OPENSSL */ + EVP_PKEY_free(b); + b = NULL; + EVP_PKEY_free(a); + a = NULL; +#endif + + /* invalid or empty failure cases */ + a = EVP_PKEY_new(); + b = EVP_PKEY_new(); +#if defined(WOLFSSL_ERROR_CODE_OPENSSL) + ExpectIntEQ(EVP_PKEY_cmp(NULL, NULL), 0); + ExpectIntEQ(EVP_PKEY_cmp(a, NULL), 0); + ExpectIntEQ(EVP_PKEY_cmp(NULL, b), 0); +#ifdef NO_RSA + /* Type check will fail since RSA is the default EVP key type */ + ExpectIntEQ(EVP_PKEY_cmp(a, b), -2); +#else + ExpectIntEQ(EVP_PKEY_cmp(a, b), 0); +#endif +#else + ExpectIntNE(EVP_PKEY_cmp(NULL, NULL), 0); + ExpectIntNE(EVP_PKEY_cmp(a, NULL), 0); + ExpectIntNE(EVP_PKEY_cmp(NULL, b), 0); + ExpectIntNE(EVP_PKEY_cmp(a, b), 0); +#endif + EVP_PKEY_free(b); + EVP_PKEY_free(a); + + (void)in; +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_PKEY_set1_get1_DSA(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_ALL) && !defined (NO_DSA) && !defined(HAVE_SELFTEST) && \ + defined(WOLFSSL_KEY_GEN) + DSA *dsa = NULL; + DSA *setDsa = NULL; + EVP_PKEY *pkey = NULL; + EVP_PKEY *set1Pkey = NULL; + + SHA_CTX sha; + byte signature[DSA_SIG_SIZE]; + byte hash[WC_SHA_DIGEST_SIZE]; + word32 bytes; + int answer; +#ifdef USE_CERT_BUFFERS_1024 + const unsigned char* dsaKeyDer = dsa_key_der_1024; + int dsaKeySz = sizeof_dsa_key_der_1024; + byte tmp[ONEK_BUF]; + + XMEMSET(tmp, 0, sizeof(tmp)); + XMEMCPY(tmp, dsaKeyDer , dsaKeySz); + bytes = dsaKeySz; +#elif defined(USE_CERT_BUFFERS_2048) + const unsigned char* dsaKeyDer = dsa_key_der_2048; + int dsaKeySz = sizeof_dsa_key_der_2048; + byte tmp[TWOK_BUF]; + + XMEMSET(tmp, 0, sizeof(tmp)); + XMEMCPY(tmp, dsaKeyDer , dsaKeySz); + bytes = (word32)dsaKeySz; +#else + byte tmp[TWOK_BUF]; + const unsigned char* dsaKeyDer = (const unsigned char*)tmp; + int dsaKeySz; + XFILE fp = XBADFILE; + + XMEMSET(tmp, 0, sizeof(tmp)); + ExpectTrue((fp = XFOPEN("./certs/dsa2048.der", "rb")) != XBADFILE); + ExpectIntGT(dsaKeySz = bytes = (word32) XFREAD(tmp, 1, sizeof(tmp), fp), 0); + if (fp != XBADFILE) + XFCLOSE(fp); +#endif /* END USE_CERT_BUFFERS_1024 */ + + /* Create hash to later Sign and Verify */ + ExpectIntEQ(SHA1_Init(&sha), WOLFSSL_SUCCESS); + ExpectIntEQ(SHA1_Update(&sha, tmp, bytes), WOLFSSL_SUCCESS); + ExpectIntEQ(SHA1_Final(hash,&sha), WOLFSSL_SUCCESS); + + /* Initialize pkey with der format dsa key */ + ExpectNotNull(d2i_PrivateKey(EVP_PKEY_DSA, &pkey, &dsaKeyDer, + (long)dsaKeySz)); + + /* Test wolfSSL_EVP_PKEY_get1_DSA */ + /* Should Fail: NULL argument */ + ExpectNull(dsa = EVP_PKEY_get0_DSA(NULL)); + ExpectNull(dsa = EVP_PKEY_get1_DSA(NULL)); + /* Should Pass: Initialized pkey argument */ + ExpectNotNull(dsa = EVP_PKEY_get0_DSA(pkey)); + ExpectNotNull(dsa = EVP_PKEY_get1_DSA(pkey)); + +#ifdef USE_CERT_BUFFERS_1024 + ExpectIntEQ(DSA_bits(dsa), 1024); +#else + ExpectIntEQ(DSA_bits(dsa), 2048); +#endif + + /* Sign */ + ExpectIntEQ(wolfSSL_DSA_do_sign(hash, signature, dsa), WOLFSSL_SUCCESS); + /* Verify. */ + ExpectIntEQ(wolfSSL_DSA_do_verify(hash, signature, dsa, &answer), + WOLFSSL_SUCCESS); + + /* Test wolfSSL_EVP_PKEY_set1_DSA */ + /* Should Fail: set1Pkey not initialized */ + ExpectIntNE(EVP_PKEY_set1_DSA(set1Pkey, dsa), WOLFSSL_SUCCESS); + + /* Initialize set1Pkey */ + set1Pkey = EVP_PKEY_new(); + + /* Should Fail Verify: setDsa not initialized from set1Pkey */ + ExpectIntNE(wolfSSL_DSA_do_verify(hash,signature,setDsa,&answer), + WOLFSSL_SUCCESS); + + /* Should Pass: set dsa into set1Pkey */ + ExpectIntEQ(EVP_PKEY_set1_DSA(set1Pkey, dsa), WOLFSSL_SUCCESS); + + DSA_free(dsa); + DSA_free(setDsa); + EVP_PKEY_free(pkey); + EVP_PKEY_free(set1Pkey); +#endif /* OPENSSL_ALL && !NO_DSA && !HAVE_SELFTEST && WOLFSSL_KEY_GEN */ + return EXPECT_RESULT(); +} /* END test_EVP_PKEY_set1_get1_DSA */ + +int test_wolfSSL_EVP_PKEY_set1_get1_EC_KEY(void) +{ + EXPECT_DECLS; +#if defined(HAVE_ECC) && defined(OPENSSL_ALL) + WOLFSSL_EC_KEY* ecKey = NULL; + WOLFSSL_EC_KEY* ecGet1 = NULL; + EVP_PKEY* pkey = NULL; + + ExpectNotNull(ecKey = wolfSSL_EC_KEY_new()); + ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); + + /* Test wolfSSL_EVP_PKEY_set1_EC_KEY */ + ExpectIntEQ(wolfSSL_EVP_PKEY_set1_EC_KEY(NULL, ecKey), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EVP_PKEY_set1_EC_KEY(pkey, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + /* Should fail since ecKey is empty */ + ExpectIntEQ(wolfSSL_EVP_PKEY_set1_EC_KEY(pkey, ecKey), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EC_KEY_generate_key(ecKey), 1); + ExpectIntEQ(wolfSSL_EVP_PKEY_set1_EC_KEY(pkey, ecKey), WOLFSSL_SUCCESS); + + /* Test wolfSSL_EVP_PKEY_get1_EC_KEY */ + ExpectNull(wolfSSL_EVP_PKEY_get1_EC_KEY(NULL)); + ExpectNotNull(ecGet1 = wolfSSL_EVP_PKEY_get1_EC_KEY(pkey)); + + wolfSSL_EC_KEY_free(ecKey); + wolfSSL_EC_KEY_free(ecGet1); + EVP_PKEY_free(pkey); +#endif /* HAVE_ECC && OPENSSL_ALL */ + return EXPECT_RESULT(); +} /* END test_EVP_PKEY_set1_get1_EC_KEY */ + +int test_wolfSSL_EVP_PKEY_get0_EC_KEY(void) +{ + EXPECT_DECLS; +#if defined(HAVE_ECC) && defined(OPENSSL_ALL) + WOLFSSL_EVP_PKEY* pkey = NULL; + + ExpectNull(EVP_PKEY_get0_EC_KEY(NULL)); + + ExpectNotNull(pkey = EVP_PKEY_new()); + ExpectNull(EVP_PKEY_get0_EC_KEY(pkey)); + EVP_PKEY_free(pkey); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_PKEY_set1_get1_DH(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) +#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) +#if !defined(NO_DH) && defined(WOLFSSL_DH_EXTRA) && !defined(NO_FILESYSTEM) + DH *dh = NULL; + DH *setDh = NULL; + EVP_PKEY *pkey = NULL; + + XFILE f = XBADFILE; + unsigned char buf[4096]; + const unsigned char* pt = buf; + const char* dh2048 = "./certs/dh2048.der"; + long len = 0; + int code = -1; + + XMEMSET(buf, 0, sizeof(buf)); + + ExpectTrue((f = XFOPEN(dh2048, "rb")) != XBADFILE); + ExpectTrue((len = (long)XFREAD(buf, 1, sizeof(buf), f)) > 0); + if (f != XBADFILE) + XFCLOSE(f); + + /* Load dh2048.der into DH with internal format */ + ExpectNotNull(setDh = wolfSSL_d2i_DHparams(NULL, &pt, len)); + + ExpectIntEQ(wolfSSL_DH_check(setDh, &code), WOLFSSL_SUCCESS); + ExpectIntEQ(code, 0); + code = -1; + + ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); + + /* Set DH into PKEY */ + ExpectIntEQ(wolfSSL_EVP_PKEY_set1_DH(pkey, setDh), WOLFSSL_SUCCESS); + + /* Get DH from PKEY */ + ExpectNotNull(dh = wolfSSL_EVP_PKEY_get1_DH(pkey)); + + ExpectIntEQ(wolfSSL_DH_check(dh, &code), WOLFSSL_SUCCESS); + ExpectIntEQ(code, 0); + + EVP_PKEY_free(pkey); + DH_free(setDh); + setDh = NULL; + DH_free(dh); + dh = NULL; +#endif /* !NO_DH && WOLFSSL_DH_EXTRA && !NO_FILESYSTEM */ +#endif /* !HAVE_FIPS || HAVE_FIPS_VERSION > 2 */ +#endif /* OPENSSL_ALL || WOLFSSL_QT || WOLFSSL_OPENSSH */ + return EXPECT_RESULT(); +} /* END test_EVP_PKEY_set1_get1_DH */ + +int test_wolfSSL_EVP_PKEY_assign(void) +{ + EXPECT_DECLS; +#if (!defined(NO_RSA) || !defined(NO_DSA) || defined(HAVE_ECC)) && \ + defined(OPENSSL_ALL) + int type; + WOLFSSL_EVP_PKEY* pkey = NULL; +#ifndef NO_RSA + WOLFSSL_RSA* rsa = NULL; +#endif +#ifndef NO_DSA + WOLFSSL_DSA* dsa = NULL; +#endif +#ifdef HAVE_ECC + WOLFSSL_EC_KEY* ecKey = NULL; +#endif + +#ifndef NO_RSA + type = EVP_PKEY_RSA; + ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); + ExpectNotNull(rsa = wolfSSL_RSA_new()); + ExpectIntEQ(wolfSSL_EVP_PKEY_assign(NULL, type, rsa), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, type, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, -1, rsa), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, type, rsa), WOLFSSL_SUCCESS); + if (EXPECT_FAIL()) { + wolfSSL_RSA_free(rsa); + } + wolfSSL_EVP_PKEY_free(pkey); + pkey = NULL; +#endif /* NO_RSA */ + +#ifndef NO_DSA + type = EVP_PKEY_DSA; + ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); + ExpectNotNull(dsa = wolfSSL_DSA_new()); + ExpectIntEQ(wolfSSL_EVP_PKEY_assign(NULL, type, dsa), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, type, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, -1, dsa), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, type, dsa), WOLFSSL_SUCCESS); + if (EXPECT_FAIL()) { + wolfSSL_DSA_free(dsa); + } + wolfSSL_EVP_PKEY_free(pkey); + pkey = NULL; +#endif /* NO_DSA */ + +#ifdef HAVE_ECC + type = EVP_PKEY_EC; + ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); + ExpectNotNull(ecKey = wolfSSL_EC_KEY_new()); + ExpectIntEQ(wolfSSL_EVP_PKEY_assign(NULL, type, ecKey), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, type, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, -1, ecKey), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, type, ecKey), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EC_KEY_generate_key(ecKey), 1); + ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, type, ecKey), WOLFSSL_SUCCESS); + if (EXPECT_FAIL()) { + wolfSSL_EC_KEY_free(ecKey); + } + wolfSSL_EVP_PKEY_free(pkey); + pkey = NULL; +#endif /* HAVE_ECC */ +#endif /* (!NO_RSA || !NO_DSA || HAVE_ECC) && OPENSSL_ALL */ + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_PKEY_assign_DH(void) +{ + EXPECT_DECLS; +#if !defined(NO_DH) && defined(OPENSSL_ALL) && (!defined(HAVE_FIPS) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2))) + XFILE f = XBADFILE; + unsigned char buf[4096]; + const unsigned char* pt = buf; + const char* params1 = "./certs/dh2048.der"; + long len = 0; + WOLFSSL_DH* dh = NULL; + WOLFSSL_EVP_PKEY* pkey = NULL; + XMEMSET(buf, 0, sizeof(buf)); + + /* Load DH parameters DER. */ + ExpectTrue((f = XFOPEN(params1, "rb")) != XBADFILE); + ExpectTrue((len = (long)XFREAD(buf, 1, sizeof(buf), f)) > 0); + if (f != XBADFILE) + XFCLOSE(f); + + ExpectNotNull(dh = wolfSSL_d2i_DHparams(NULL, &pt, len)); + ExpectIntEQ(DH_generate_key(dh), WOLFSSL_SUCCESS); + + ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); + + /* Bad cases */ + ExpectIntEQ(wolfSSL_EVP_PKEY_assign_DH(NULL, dh), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EVP_PKEY_assign_DH(pkey, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EVP_PKEY_assign_DH(NULL, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + + /* Good case */ + ExpectIntEQ(wolfSSL_EVP_PKEY_assign_DH(pkey, dh), WOLFSSL_SUCCESS); + if (EXPECT_FAIL()) { + wolfSSL_DH_free(dh); + } + + EVP_PKEY_free(pkey); +#endif + return EXPECT_RESULT(); +} + +int test_EVP_PKEY_rsa(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) + WOLFSSL_RSA* rsa = NULL; + WOLFSSL_EVP_PKEY* pkey = NULL; + + ExpectNotNull(rsa = wolfSSL_RSA_new()); + ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); + ExpectIntEQ(EVP_PKEY_assign_RSA(NULL, rsa), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(EVP_PKEY_assign_RSA(pkey, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(EVP_PKEY_assign_RSA(pkey, rsa), WOLFSSL_SUCCESS); + if (EXPECT_FAIL()) { + wolfSSL_RSA_free(rsa); + } + ExpectPtrEq(EVP_PKEY_get0_RSA(pkey), rsa); + wolfSSL_EVP_PKEY_free(pkey); +#endif + return EXPECT_RESULT(); +} + +int test_EVP_PKEY_ec(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && defined(HAVE_ECC) +#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) + WOLFSSL_EC_KEY* ecKey = NULL; + WOLFSSL_EVP_PKEY* pkey = NULL; + + ExpectNotNull(ecKey = wolfSSL_EC_KEY_new()); + ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); + ExpectIntEQ(EVP_PKEY_assign_EC_KEY(NULL, ecKey), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(EVP_PKEY_assign_EC_KEY(pkey, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + /* Should fail since ecKey is empty */ + ExpectIntEQ(EVP_PKEY_assign_EC_KEY(pkey, ecKey), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EC_KEY_generate_key(ecKey), 1); + ExpectIntEQ(EVP_PKEY_assign_EC_KEY(pkey, ecKey), WOLFSSL_SUCCESS); + if (EXPECT_FAIL()) { + wolfSSL_EC_KEY_free(ecKey); + } + wolfSSL_EVP_PKEY_free(pkey); +#endif +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_PKEY_missing_parameters(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_ALL) && !defined(NO_WOLFSSL_STUB) + WOLFSSL_EVP_PKEY* pkey = NULL; + + ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); + + ExpectIntEQ(wolfSSL_EVP_PKEY_missing_parameters(pkey), 0); + ExpectIntEQ(wolfSSL_EVP_PKEY_missing_parameters(NULL), 0); + + EVP_PKEY_free(pkey); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_PKEY_copy_parameters(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_DH) && defined(WOLFSSL_KEY_GEN) && \ + !defined(HAVE_SELFTEST) && defined(WOLFSSL_DH_EXTRA) && \ + (defined(OPENSSL_ALL) || defined(WOLFSSL_QT)) && !defined(NO_FILESYSTEM) + WOLFSSL_EVP_PKEY* params = NULL; + WOLFSSL_EVP_PKEY* copy = NULL; + DH* dh = NULL; + BIGNUM* p1; + BIGNUM* g1; + BIGNUM* q1; + BIGNUM* p2; + BIGNUM* g2; + BIGNUM* q2; + + /* create DH with DH_get_2048_256 params */ + ExpectNotNull(params = wolfSSL_EVP_PKEY_new()); + ExpectNotNull(dh = DH_get_2048_256()); + ExpectIntEQ(EVP_PKEY_set1_DH(params, dh), WOLFSSL_SUCCESS); + DH_get0_pqg(dh, (const BIGNUM**)&p1, + (const BIGNUM**)&q1, + (const BIGNUM**)&g1); + DH_free(dh); + dh = NULL; + + /* create DH with random generated DH params */ + ExpectNotNull(copy = wolfSSL_EVP_PKEY_new()); + ExpectNotNull(dh = DH_generate_parameters(2048, 2, NULL, NULL)); + ExpectIntEQ(EVP_PKEY_set1_DH(copy, dh), WOLFSSL_SUCCESS); + DH_free(dh); + dh = NULL; + + ExpectIntEQ(EVP_PKEY_copy_parameters(copy, params), WOLFSSL_SUCCESS); + ExpectNotNull(dh = EVP_PKEY_get1_DH(copy)); + ExpectNotNull(dh->p); + ExpectNotNull(dh->g); + ExpectNotNull(dh->q); + DH_get0_pqg(dh, (const BIGNUM**)&p2, + (const BIGNUM**)&q2, + (const BIGNUM**)&g2); + + ExpectIntEQ(BN_cmp(p1, p2), 0); + ExpectIntEQ(BN_cmp(q1, q2), 0); + ExpectIntEQ(BN_cmp(g1, g2), 0); + + DH_free(dh); + dh = NULL; + EVP_PKEY_free(copy); + EVP_PKEY_free(params); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_PKEY_paramgen(void) +{ + EXPECT_DECLS; + /* ECC check taken from ecc.c. It is the condition that defines ECC256 */ +#if defined(OPENSSL_ALL) && !defined(NO_ECC_SECP) && \ + ((!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && \ + ECC_MIN_KEY_SZ <= 256) + EVP_PKEY_CTX* ctx = NULL; + EVP_PKEY* pkey = NULL; + + /* Test error conditions. */ + ExpectIntEQ(EVP_PKEY_paramgen(NULL, &pkey), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectNotNull(ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL)); + ExpectIntEQ(EVP_PKEY_paramgen(ctx, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + +#ifndef NO_RSA + EVP_PKEY_CTX_free(ctx); + /* Parameter generation for RSA not supported yet. */ + ExpectNotNull(ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL)); + ExpectIntEQ(EVP_PKEY_paramgen(ctx, &pkey), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); +#endif + +#ifdef HAVE_ECC + EVP_PKEY_CTX_free(ctx); + ExpectNotNull(ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL)); + ExpectIntEQ(EVP_PKEY_paramgen_init(ctx), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, + NID_X9_62_prime256v1), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_paramgen(ctx, &pkey), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_CTX_set_ec_param_enc(ctx, OPENSSL_EC_NAMED_CURVE), + WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_keygen_init(ctx), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_keygen(ctx, &pkey), WOLFSSL_SUCCESS); +#endif + + EVP_PKEY_CTX_free(ctx); + EVP_PKEY_free(pkey); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_PKEY_param_check(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) +#if !defined(NO_DH) && defined(WOLFSSL_DH_EXTRA) && !defined(NO_FILESYSTEM) + + DH *dh = NULL; + DH *setDh = NULL; + EVP_PKEY *pkey = NULL; + EVP_PKEY_CTX* ctx = NULL; + + FILE* f = NULL; + unsigned char buf[512]; + const unsigned char* pt = buf; + const char* dh2048 = "./certs/dh2048.der"; + long len = 0; + int code = -1; + + XMEMSET(buf, 0, sizeof(buf)); + + ExpectTrue((f = XFOPEN(dh2048, "rb")) != XBADFILE); + ExpectTrue((len = (long)XFREAD(buf, 1, sizeof(buf), f)) > 0); + if (f != XBADFILE) + XFCLOSE(f); + + /* Load dh2048.der into DH with internal format */ + ExpectNotNull(setDh = d2i_DHparams(NULL, &pt, len)); + ExpectIntEQ(DH_check(setDh, &code), WOLFSSL_SUCCESS); + ExpectIntEQ(code, 0); + code = -1; + + pkey = wolfSSL_EVP_PKEY_new(); + /* Set DH into PKEY */ + ExpectIntEQ(EVP_PKEY_set1_DH(pkey, setDh), WOLFSSL_SUCCESS); + /* create ctx from pkey */ + ExpectNotNull(ctx = EVP_PKEY_CTX_new(pkey, NULL)); + ExpectIntEQ(EVP_PKEY_param_check(ctx), 1/* valid */); + + /* TODO: more invalid cases */ + ExpectIntEQ(EVP_PKEY_param_check(NULL), 0); + + EVP_PKEY_CTX_free(ctx); + EVP_PKEY_free(pkey); + DH_free(setDh); + setDh = NULL; + DH_free(dh); + dh = NULL; +#endif +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_PKEY_keygen_init(void) +{ + EXPECT_DECLS; +#ifdef OPENSSL_ALL + WOLFSSL_EVP_PKEY* pkey = NULL; + EVP_PKEY_CTX *ctx = NULL; + + ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); + ExpectNotNull(ctx = EVP_PKEY_CTX_new(pkey, NULL)); + + ExpectIntEQ(wolfSSL_EVP_PKEY_keygen_init(ctx), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_EVP_PKEY_keygen_init(NULL), WOLFSSL_SUCCESS); + + EVP_PKEY_CTX_free(ctx); + EVP_PKEY_free(pkey); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_PKEY_keygen(void) +{ + EXPECT_DECLS; +#ifdef OPENSSL_ALL + WOLFSSL_EVP_PKEY* pkey = NULL; + EVP_PKEY_CTX* ctx = NULL; +#if !defined(NO_DH) && (!defined(HAVE_FIPS) || FIPS_VERSION_GT(2,0)) + WOLFSSL_EVP_PKEY* params = NULL; + DH* dh = NULL; + const BIGNUM* pubkey = NULL; + const BIGNUM* privkey = NULL; + ASN1_INTEGER* asn1int = NULL; + unsigned int length = 0; + byte* derBuffer = NULL; +#endif + + ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); + ExpectNotNull(ctx = EVP_PKEY_CTX_new(pkey, NULL)); + + /* Bad cases */ + ExpectIntEQ(wolfSSL_EVP_PKEY_keygen(NULL, &pkey), 0); + ExpectIntEQ(wolfSSL_EVP_PKEY_keygen(ctx, NULL), 0); + ExpectIntEQ(wolfSSL_EVP_PKEY_keygen(NULL, NULL), 0); + + /* Good case */ + ExpectIntEQ(wolfSSL_EVP_PKEY_keygen(ctx, &pkey), 0); + + EVP_PKEY_CTX_free(ctx); + ctx = NULL; + EVP_PKEY_free(pkey); + pkey = NULL; + +#if !defined(NO_DH) && (!defined(HAVE_FIPS) || FIPS_VERSION_GT(2,0)) + /* Test DH keygen */ + { + ExpectNotNull(params = wolfSSL_EVP_PKEY_new()); + ExpectNotNull(dh = DH_get_2048_256()); + ExpectIntEQ(EVP_PKEY_set1_DH(params, dh), WOLFSSL_SUCCESS); + ExpectNotNull(ctx = EVP_PKEY_CTX_new(params, NULL)); + ExpectIntEQ(EVP_PKEY_keygen_init(ctx), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_keygen(ctx, &pkey), WOLFSSL_SUCCESS); + + DH_free(dh); + dh = NULL; + EVP_PKEY_CTX_free(ctx); + EVP_PKEY_free(params); + + /* try exporting generated key to DER, to verify */ + ExpectNotNull(dh = EVP_PKEY_get1_DH(pkey)); + DH_get0_key(dh, &pubkey, &privkey); + ExpectNotNull(pubkey); + ExpectNotNull(privkey); + ExpectNotNull(asn1int = BN_to_ASN1_INTEGER(pubkey, NULL)); + ExpectIntGT((length = i2d_ASN1_INTEGER(asn1int, &derBuffer)), 0); + + ASN1_INTEGER_free(asn1int); + DH_free(dh); + dh = NULL; + XFREE(derBuffer, NULL, DYNAMIC_TYPE_TMP_BUFFER); + + EVP_PKEY_free(pkey); + } +#endif +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_SignInit_ex(void) +{ + EXPECT_DECLS; +#ifdef OPENSSL_ALL + WOLFSSL_EVP_MD_CTX mdCtx; + WOLFSSL_ENGINE* e = 0; + const EVP_MD* md = EVP_sha256(); + + wolfSSL_EVP_MD_CTX_init(&mdCtx); + ExpectIntEQ(wolfSSL_EVP_SignInit_ex(&mdCtx, md, e), WOLFSSL_SUCCESS); + + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); +#endif + return EXPECT_RESULT(); +} + +#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN) && \ + !defined(HAVE_SELFTEST) +#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) + #ifndef TEST_WOLFSSL_EVP_PKEY_SIGN_VERIFY + #define TEST_WOLFSSL_EVP_PKEY_SIGN_VERIFY + #endif +#endif +#endif +#if defined(OPENSSL_EXTRA) +#if !defined (NO_DSA) && !defined(HAVE_SELFTEST) && defined(WOLFSSL_KEY_GEN) + #ifndef TEST_WOLFSSL_EVP_PKEY_SIGN_VERIFY + #define TEST_WOLFSSL_EVP_PKEY_SIGN_VERIFY + #endif +#endif +#endif +#if defined(OPENSSL_EXTRA) && defined(HAVE_ECC) +#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) + #ifndef TEST_WOLFSSL_EVP_PKEY_SIGN_VERIFY + #define TEST_WOLFSSL_EVP_PKEY_SIGN_VERIFY + #endif +#endif +#endif + +#ifdef TEST_WOLFSSL_EVP_PKEY_SIGN_VERIFY +static int test_wolfSSL_EVP_PKEY_sign_verify(int keyType) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) +#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN) && \ + !defined(HAVE_SELFTEST) +#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) + WOLFSSL_RSA* rsa = NULL; +#endif +#endif +#if !defined (NO_DSA) && !defined(HAVE_SELFTEST) && defined(WOLFSSL_KEY_GEN) + WOLFSSL_DSA* dsa = NULL; +#endif /* !NO_DSA && !HAVE_SELFTEST && WOLFSSL_KEY_GEN */ +#if defined(OPENSSL_EXTRA) && defined(HAVE_ECC) +#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) + WOLFSSL_EC_KEY* ecKey = NULL; +#endif +#endif + WOLFSSL_EVP_PKEY* pkey = NULL; + WOLFSSL_EVP_PKEY_CTX* ctx = NULL; + WOLFSSL_EVP_PKEY_CTX* ctx_verify = NULL; + const char* in = "What is easy to do is easy not to do."; + size_t inlen = XSTRLEN(in); + byte hash[SHA256_DIGEST_LENGTH] = {0}; + byte zero[SHA256_DIGEST_LENGTH] = {0}; + SHA256_CTX c; + byte* sig = NULL; + byte* sigVerify = NULL; + size_t siglen; + size_t siglenOnlyLen; + size_t keySz = 2048/8; /* Bytes */ + + ExpectNotNull(sig = + (byte*)XMALLOC(keySz, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER)); + ExpectNotNull(sigVerify = + (byte*)XMALLOC(keySz, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER)); + + siglen = keySz; + ExpectNotNull(XMEMSET(sig, 0, keySz)); + ExpectNotNull(XMEMSET(sigVerify, 0, keySz)); + + /* Generate hash */ + SHA256_Init(&c); + SHA256_Update(&c, in, inlen); + SHA256_Final(hash, &c); +#ifdef WOLFSSL_SMALL_STACK_CACHE + /* workaround for small stack cache case */ + wc_Sha256Free((wc_Sha256*)&c); +#endif + + /* Generate key */ + ExpectNotNull(pkey = EVP_PKEY_new()); + switch (keyType) { + case EVP_PKEY_RSA: +#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN) && \ + !defined(HAVE_SELFTEST) +#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) + { + ExpectNotNull(rsa = RSA_generate_key(2048, 3, NULL, NULL)); + ExpectIntEQ(EVP_PKEY_assign_RSA(pkey, rsa), WOLFSSL_SUCCESS); + } +#endif +#endif + break; + case EVP_PKEY_DSA: +#if !defined (NO_DSA) && !defined(HAVE_SELFTEST) && defined(WOLFSSL_KEY_GEN) + ExpectNotNull(dsa = DSA_new()); + ExpectIntEQ(DSA_generate_parameters_ex(dsa, 2048, + NULL, 0, NULL, NULL, NULL), 1); + ExpectIntEQ(DSA_generate_key(dsa), 1); + ExpectIntEQ(EVP_PKEY_set1_DSA(pkey, dsa), WOLFSSL_SUCCESS); +#endif /* !NO_DSA && !HAVE_SELFTEST && WOLFSSL_KEY_GEN */ + break; + case EVP_PKEY_EC: +#if defined(OPENSSL_EXTRA) && defined(HAVE_ECC) +#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) + { + ExpectNotNull(ecKey = EC_KEY_new()); + ExpectIntEQ(EC_KEY_generate_key(ecKey), 1); + ExpectIntEQ( + EVP_PKEY_assign_EC_KEY(pkey, ecKey), WOLFSSL_SUCCESS); + if (EXPECT_FAIL()) { + EC_KEY_free(ecKey); + } + } +#endif +#endif + break; + } + ExpectNotNull(ctx = EVP_PKEY_CTX_new(pkey, NULL)); + ExpectIntEQ(EVP_PKEY_sign_init(ctx), WOLFSSL_SUCCESS); +#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN) && \ + !defined(HAVE_SELFTEST) +#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) + if (keyType == EVP_PKEY_RSA) + ExpectIntEQ(EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING), + WOLFSSL_SUCCESS); +#endif +#endif + + /* Check returning only length */ + ExpectIntEQ(EVP_PKEY_sign(ctx, NULL, &siglenOnlyLen, hash, + SHA256_DIGEST_LENGTH), WOLFSSL_SUCCESS); + ExpectIntGT(siglenOnlyLen, 0); + /* Sign data */ + ExpectIntEQ(EVP_PKEY_sign(ctx, sig, &siglen, hash, + SHA256_DIGEST_LENGTH), WOLFSSL_SUCCESS); + ExpectIntGE(siglenOnlyLen, siglen); + + /* Verify signature */ + ExpectNotNull(ctx_verify = EVP_PKEY_CTX_new(pkey, NULL)); + ExpectIntEQ(EVP_PKEY_verify_init(ctx_verify), WOLFSSL_SUCCESS); +#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN) && \ + !defined(HAVE_SELFTEST) +#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) + if (keyType == EVP_PKEY_RSA) + ExpectIntEQ( + EVP_PKEY_CTX_set_rsa_padding(ctx_verify, RSA_PKCS1_PADDING), + WOLFSSL_SUCCESS); +#endif +#endif + ExpectIntEQ(EVP_PKEY_verify( + ctx_verify, sig, siglen, hash, SHA256_DIGEST_LENGTH), + WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_verify( + ctx_verify, sig, siglen, zero, SHA256_DIGEST_LENGTH), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + +#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN) && \ + !defined(HAVE_SELFTEST) +#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) + if (keyType == EVP_PKEY_RSA) { + #if defined(WC_RSA_NO_PADDING) || defined(WC_RSA_DIRECT) + /* Try RSA sign/verify with no padding. */ + ExpectIntEQ(EVP_PKEY_sign_init(ctx), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_NO_PADDING), + WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_sign(ctx, sigVerify, &siglen, sig, + siglen), WOLFSSL_SUCCESS); + ExpectIntGE(siglenOnlyLen, siglen); + ExpectIntEQ(EVP_PKEY_verify_init(ctx_verify), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_CTX_set_rsa_padding(ctx_verify, + RSA_NO_PADDING), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_verify(ctx_verify, sigVerify, siglen, sig, + siglen), WOLFSSL_SUCCESS); + #endif + + /* Wrong padding schemes. */ + ExpectIntEQ(EVP_PKEY_sign_init(ctx), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_CTX_set_rsa_padding(ctx, + RSA_PKCS1_OAEP_PADDING), WOLFSSL_SUCCESS); + ExpectIntNE(EVP_PKEY_sign(ctx, sigVerify, &siglen, sig, + siglen), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_verify_init(ctx_verify), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_CTX_set_rsa_padding(ctx_verify, + RSA_PKCS1_OAEP_PADDING), WOLFSSL_SUCCESS); + ExpectIntNE(EVP_PKEY_verify(ctx_verify, sigVerify, siglen, sig, + siglen), WOLFSSL_SUCCESS); + + ExpectIntEQ(EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING), + WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_CTX_set_rsa_padding(ctx_verify, + RSA_PKCS1_PADDING), WOLFSSL_SUCCESS); + } +#endif +#endif + + /* error cases */ + siglen = keySz; /* Reset because sig size may vary slightly */ + ExpectIntNE(EVP_PKEY_sign_init(NULL), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_sign_init(ctx), WOLFSSL_SUCCESS); + ExpectIntNE(EVP_PKEY_sign(NULL, sig, &siglen, (byte*)in, inlen), + WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_sign(ctx, sig, &siglen, (byte*)in, inlen), + WOLFSSL_SUCCESS); + + EVP_PKEY_free(pkey); + pkey = NULL; +#if !defined (NO_DSA) && !defined(HAVE_SELFTEST) && defined(WOLFSSL_KEY_GEN) + DSA_free(dsa); + dsa = NULL; +#endif /* !NO_DSA && !HAVE_SELFTEST && WOLFSSL_KEY_GEN */ + EVP_PKEY_CTX_free(ctx_verify); + ctx_verify = NULL; + EVP_PKEY_CTX_free(ctx); + ctx = NULL; + + XFREE(sig, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(sigVerify, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); +#endif /* OPENSSL_EXTRA */ + return EXPECT_RESULT(); +} +#endif + +int test_wolfSSL_EVP_PKEY_sign_verify_rsa(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN) && \ + !defined(HAVE_SELFTEST) +#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) + ExpectIntEQ(test_wolfSSL_EVP_PKEY_sign_verify(EVP_PKEY_RSA), TEST_SUCCESS); +#endif +#endif + return EXPECT_RESULT(); +} +int test_wolfSSL_EVP_PKEY_sign_verify_dsa(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) +#if !defined (NO_DSA) && !defined(HAVE_SELFTEST) && defined(WOLFSSL_KEY_GEN) + ExpectIntEQ(test_wolfSSL_EVP_PKEY_sign_verify(EVP_PKEY_DSA), TEST_SUCCESS); +#endif +#endif + return EXPECT_RESULT(); +} +int test_wolfSSL_EVP_PKEY_sign_verify_ec(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && defined(HAVE_ECC) +#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) + ExpectIntEQ(test_wolfSSL_EVP_PKEY_sign_verify(EVP_PKEY_EC), TEST_SUCCESS); +#endif +#endif + return EXPECT_RESULT(); +} + + +int test_wolfSSL_EVP_MD_rsa_signing(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && defined(USE_CERT_BUFFERS_2048) + WOLFSSL_EVP_PKEY* privKey = NULL; + WOLFSSL_EVP_PKEY* pubKey = NULL; + WOLFSSL_EVP_PKEY_CTX* keyCtx = NULL; + const char testData[] = "Hi There"; + WOLFSSL_EVP_MD_CTX mdCtx; + WOLFSSL_EVP_MD_CTX mdCtxCopy; + int ret; + size_t checkSz = -1; + int sz = 2048 / 8; + const unsigned char* cp; + const unsigned char* p; + unsigned char check[2048/8]; + size_t i; + int paddings[] = { + RSA_PKCS1_PADDING, +#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && defined(WC_RSA_PSS) + RSA_PKCS1_PSS_PADDING, +#endif + }; + + + cp = client_key_der_2048; + ExpectNotNull((privKey = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL, &cp, + sizeof_client_key_der_2048))); + p = client_keypub_der_2048; + ExpectNotNull((pubKey = wolfSSL_d2i_PUBKEY(NULL, &p, + sizeof_client_keypub_der_2048))); + + wolfSSL_EVP_MD_CTX_init(&mdCtx); + wolfSSL_EVP_MD_CTX_init(&mdCtxCopy); + ExpectIntEQ(wolfSSL_EVP_DigestSignInit(&mdCtx, NULL, wolfSSL_EVP_sha256(), + NULL, privKey), 1); + ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData, + (unsigned int)XSTRLEN(testData)), 1); + checkSz = sizeof(check); + ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, NULL, &checkSz), 1); + ExpectIntEQ((int)checkSz, sz); + checkSz = sizeof(check); + ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); + ExpectIntEQ((int)checkSz,sz); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_copy_ex(&mdCtxCopy, &mdCtx), 1); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_copy_ex(&mdCtxCopy, &mdCtx), 1); + ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtxCopy); + ExpectIntEQ(ret, 1); + ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); + ExpectIntEQ(ret, 1); + + wolfSSL_EVP_MD_CTX_init(&mdCtx); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyInit(&mdCtx, NULL, wolfSSL_EVP_sha256(), + NULL, pubKey), 1); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData, + (unsigned int)XSTRLEN(testData)), + 1); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyFinal(&mdCtx, check, checkSz), 1); + ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); + ExpectIntEQ(ret, 1); + + wolfSSL_EVP_MD_CTX_init(&mdCtx); + ExpectIntEQ(wolfSSL_EVP_DigestSignInit(&mdCtx, NULL, wolfSSL_EVP_sha256(), + NULL, privKey), 1); + ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData, 4), 1); + checkSz = sizeof(check); + ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, NULL, &checkSz), 1); + ExpectIntEQ((int)checkSz, sz); + checkSz = sizeof(check); + ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); + ExpectIntEQ((int)checkSz, sz); + ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData + 4, + (unsigned int)XSTRLEN(testData) - 4), 1); + checkSz = sizeof(check); + ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); + ExpectIntEQ((int)checkSz, sz); + ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); + ExpectIntEQ(ret, 1); + + wolfSSL_EVP_MD_CTX_init(&mdCtx); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyInit(&mdCtx, NULL, wolfSSL_EVP_sha256(), + NULL, pubKey), 1); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData, 4), 1); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData + 4, + (unsigned int)XSTRLEN(testData) - 4), + 1); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyFinal(&mdCtx, check, checkSz), 1); + ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); + ExpectIntEQ(ret, 1); + + /* Check all signing padding types */ + for (i = 0; i < sizeof(paddings)/sizeof(int); i++) { + wolfSSL_EVP_MD_CTX_init(&mdCtx); + ExpectIntEQ(wolfSSL_EVP_DigestSignInit(&mdCtx, &keyCtx, + wolfSSL_EVP_sha256(), NULL, privKey), 1); + ExpectIntEQ(wolfSSL_EVP_PKEY_CTX_set_rsa_padding(keyCtx, + paddings[i]), 1); + ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData, + (unsigned int)XSTRLEN(testData)), 1); + checkSz = sizeof(check); + ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, NULL, &checkSz), 1); + ExpectIntEQ((int)checkSz, sz); + checkSz = sizeof(check); + ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); + ExpectIntEQ((int)checkSz,sz); + ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); + ExpectIntEQ(ret, 1); + + wolfSSL_EVP_MD_CTX_init(&mdCtx); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyInit(&mdCtx, &keyCtx, + wolfSSL_EVP_sha256(), NULL, pubKey), 1); + ExpectIntEQ(wolfSSL_EVP_PKEY_CTX_set_rsa_padding(keyCtx, + paddings[i]), 1); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData, + (unsigned int)XSTRLEN(testData)), 1); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyFinal(&mdCtx, check, checkSz), 1); + ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); + ExpectIntEQ(ret, 1); + } + + wolfSSL_EVP_PKEY_free(pubKey); + wolfSSL_EVP_PKEY_free(privKey); +#endif + return EXPECT_RESULT(); +} + +/* Test RSA-PSS digital signature creation and verification */ +int test_wc_RsaPSS_DigitalSignVerify(void) +{ + EXPECT_DECLS; + + /* Early FIPS did not support PSS. */ +#if (!defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && \ + (HAVE_FIPS_VERSION > 2))) && \ + (!defined(HAVE_SELFTEST) || (defined(HAVE_SELFTEST_VERSION) && \ + (HAVE_SELFTEST_VERSION > 2))) && \ + !defined(NO_RSA) && defined(WC_RSA_PSS) && defined(OPENSSL_EXTRA) && \ + defined(WOLFSSL_KEY_GEN) && defined(WC_RSA_NO_PADDING) && \ + !defined(NO_SHA256) + + /* Test digest */ + const unsigned char test_digest[32] = { + 0x08, 0x09, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, + 0x06, 0x07, 0x08, 0x09, 0x00, 0x01, 0x02, 0x03, + 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x00, 0x01, + 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09 + }; + const unsigned int digest_len = sizeof(test_digest); + + /* Variables for RSA key generation and signature operations */ + EVP_PKEY_CTX *pkctx = NULL; + EVP_PKEY *pkey = NULL; + EVP_PKEY_CTX *sign_ctx = NULL; + EVP_PKEY_CTX *verify_ctx = NULL; + unsigned char signature[256+MAX_DER_DIGEST_ASN_SZ] = {0}; + size_t signature_len = sizeof(signature); + int modulus_bits = 2048; + + /* Generate RSA key pair to avoid file dependencies */ + ExpectNotNull(pkctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL)); + ExpectIntEQ(EVP_PKEY_keygen_init(pkctx), 1); + ExpectIntEQ(EVP_PKEY_CTX_set_rsa_keygen_bits(pkctx, modulus_bits), 1); + ExpectIntEQ(EVP_PKEY_keygen(pkctx, &pkey), 1); + + /* Create signing context */ + ExpectNotNull(sign_ctx = EVP_PKEY_CTX_new(pkey, NULL)); + ExpectIntEQ(EVP_PKEY_sign_init(sign_ctx), 1); + + /* Configure RSA-PSS parameters for signing. */ + ExpectIntEQ(EVP_PKEY_CTX_set_rsa_padding(sign_ctx, RSA_PKCS1_PSS_PADDING), + 1); + /* Default salt length matched hash so use 32 for SHA256 */ + ExpectIntEQ(EVP_PKEY_CTX_set_rsa_pss_saltlen(sign_ctx, 32), 1); + ExpectIntEQ(EVP_PKEY_CTX_set_rsa_mgf1_md(sign_ctx, EVP_sha256()), 1); + ExpectIntEQ(EVP_PKEY_CTX_set_signature_md(sign_ctx, EVP_sha256()), 1); + + /* Create the digital signature */ + ExpectIntEQ(EVP_PKEY_sign(sign_ctx, signature, &signature_len, test_digest, + digest_len), 1); + ExpectIntGT((int)signature_len, 0); + + /* Create verification context */ + ExpectNotNull(verify_ctx = EVP_PKEY_CTX_new(pkey, NULL)); + ExpectIntEQ(EVP_PKEY_verify_init(verify_ctx), 1); + + /* Configure RSA-PSS parameters for verification */ + ExpectIntEQ(EVP_PKEY_CTX_set_rsa_padding(verify_ctx, RSA_PKCS1_PSS_PADDING), + 1); + ExpectIntEQ(EVP_PKEY_CTX_set_rsa_pss_saltlen(verify_ctx, 32), 1); + ExpectIntEQ(EVP_PKEY_CTX_set_rsa_mgf1_md(verify_ctx, EVP_sha256()), 1); + ExpectIntEQ(EVP_PKEY_CTX_set_signature_md(verify_ctx, EVP_sha256()), 1); + + /* Verify the digital signature */ + ExpectIntEQ(EVP_PKEY_verify(verify_ctx, signature, signature_len, + test_digest, digest_len), 1); + + /* Test with wrong digest to ensure verification fails (negative test) */ + { + const unsigned char wrong_digest[32] = { + 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, + 0x09, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, + 0x07, 0x08, 0x09, 0x00, 0x01, 0x02, 0x03, 0x04, + 0x05, 0x06, 0x07, 0x08, 0x09, 0x00, 0x01, 0x02 + }; + ExpectIntNE(EVP_PKEY_verify(verify_ctx, signature, signature_len, + wrong_digest, digest_len), 1); + } + + /* Clean up */ + if (verify_ctx) + EVP_PKEY_CTX_free(verify_ctx); + if (sign_ctx) + EVP_PKEY_CTX_free(sign_ctx); + if (pkey) + EVP_PKEY_free(pkey); + if (pkctx) + EVP_PKEY_CTX_free(pkctx); + +#endif + + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_MD_ecc_signing(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && defined(HAVE_ECC) && defined(USE_CERT_BUFFERS_256) + WOLFSSL_EVP_PKEY* privKey = NULL; + WOLFSSL_EVP_PKEY* pubKey = NULL; + const char testData[] = "Hi There"; + WOLFSSL_EVP_MD_CTX mdCtx; + int ret; + const unsigned char* cp; + const unsigned char* p; + unsigned char check[2048/8]; + size_t checkSz = sizeof(check); + + XMEMSET(check, 0, sizeof(check)); + + cp = ecc_clikey_der_256; + ExpectNotNull(privKey = wolfSSL_d2i_PrivateKey(EVP_PKEY_EC, NULL, &cp, + sizeof_ecc_clikey_der_256)); + p = ecc_clikeypub_der_256; + ExpectNotNull((pubKey = wolfSSL_d2i_PUBKEY(NULL, &p, + sizeof_ecc_clikeypub_der_256))); + + wolfSSL_EVP_MD_CTX_init(&mdCtx); + ExpectIntEQ(wolfSSL_EVP_DigestSignInit(&mdCtx, NULL, wolfSSL_EVP_sha256(), + NULL, privKey), 1); + ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData, + (unsigned int)XSTRLEN(testData)), 1); + checkSz = sizeof(check); + ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, NULL, &checkSz), 1); + checkSz = sizeof(check); + ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); + ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); + ExpectIntEQ(ret, 1); + + wolfSSL_EVP_MD_CTX_init(&mdCtx); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyInit(&mdCtx, NULL, wolfSSL_EVP_sha256(), + NULL, pubKey), 1); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData, + (unsigned int)XSTRLEN(testData)), + 1); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyFinal(&mdCtx, check, checkSz), 1); + ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); + ExpectIntEQ(ret, 1); + + wolfSSL_EVP_MD_CTX_init(&mdCtx); + ExpectIntEQ(wolfSSL_EVP_DigestSignInit(&mdCtx, NULL, wolfSSL_EVP_sha256(), + NULL, privKey), 1); + ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData, 4), 1); + checkSz = sizeof(check); + ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, NULL, &checkSz), 1); + checkSz = sizeof(check); + ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); + ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData + 4, + (unsigned int)XSTRLEN(testData) - 4), 1); + checkSz = sizeof(check); + ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); + ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); + ExpectIntEQ(ret, 1); + + wolfSSL_EVP_MD_CTX_init(&mdCtx); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyInit(&mdCtx, NULL, wolfSSL_EVP_sha256(), + NULL, pubKey), 1); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData, 4), 1); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData + 4, + (unsigned int)XSTRLEN(testData) - 4), + 1); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyFinal(&mdCtx, check, checkSz), 1); + ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); + ExpectIntEQ(ret, 1); + + wolfSSL_EVP_PKEY_free(pubKey); + wolfSSL_EVP_PKEY_free(privKey); +#endif + return EXPECT_RESULT(); +} + + +int test_wolfSSL_EVP_PKEY_encrypt(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN) + WOLFSSL_RSA* rsa = NULL; + WOLFSSL_EVP_PKEY* pkey = NULL; + WOLFSSL_EVP_PKEY_CTX* ctx = NULL; + const char* in = "What is easy to do is easy not to do."; + size_t inlen = XSTRLEN(in); + size_t outEncLen = 0; + byte* outEnc = NULL; + byte* outDec = NULL; + size_t outDecLen = 0; + size_t rsaKeySz = 2048/8; /* Bytes */ +#if !defined(HAVE_FIPS) && defined(WC_RSA_NO_PADDING) + byte* inTmp = NULL; + byte* outEncTmp = NULL; + byte* outDecTmp = NULL; +#endif + + ExpectNotNull(outEnc = (byte*)XMALLOC(rsaKeySz, HEAP_HINT, + DYNAMIC_TYPE_TMP_BUFFER)); + if (outEnc != NULL) { + XMEMSET(outEnc, 0, rsaKeySz); + } + ExpectNotNull(outDec = (byte*)XMALLOC(rsaKeySz, HEAP_HINT, + DYNAMIC_TYPE_TMP_BUFFER)); + if (outDec != NULL) { + XMEMSET(outDec, 0, rsaKeySz); + } + + ExpectNotNull(rsa = RSA_generate_key(2048, 3, NULL, NULL)); + ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); + ExpectIntEQ(EVP_PKEY_assign_RSA(pkey, rsa), WOLFSSL_SUCCESS); + if (EXPECT_FAIL()) { + RSA_free(rsa); + } + ExpectNotNull(ctx = EVP_PKEY_CTX_new(pkey, NULL)); + ExpectIntEQ(EVP_PKEY_encrypt_init(ctx), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING), + WOLFSSL_SUCCESS); + + /* Test pkey references count is decremented. pkey shouldn't be destroyed + since ctx uses it.*/ + ExpectIntEQ(pkey->ref.count, 2); + EVP_PKEY_free(pkey); + ExpectIntEQ(pkey->ref.count, 1); + + /* Encrypt data */ + /* Check that we can get the required output buffer length by passing in a + * NULL output buffer. */ + ExpectIntEQ(EVP_PKEY_encrypt(ctx, NULL, &outEncLen, + (const unsigned char*)in, inlen), WOLFSSL_SUCCESS); + ExpectIntEQ(rsaKeySz, outEncLen); + /* Now do the actual encryption. */ + ExpectIntEQ(EVP_PKEY_encrypt(ctx, outEnc, &outEncLen, + (const unsigned char*)in, inlen), WOLFSSL_SUCCESS); + + /* Decrypt data */ + ExpectIntEQ(EVP_PKEY_decrypt_init(ctx), WOLFSSL_SUCCESS); + /* Check that we can get the required output buffer length by passing in a + * NULL output buffer. */ + ExpectIntEQ(EVP_PKEY_decrypt(ctx, NULL, &outDecLen, outEnc, outEncLen), + WOLFSSL_SUCCESS); + ExpectIntEQ(rsaKeySz, outDecLen); + /* Now do the actual decryption. */ + ExpectIntEQ(EVP_PKEY_decrypt(ctx, outDec, &outDecLen, outEnc, outEncLen), + WOLFSSL_SUCCESS); + + ExpectIntEQ(XMEMCMP(in, outDec, outDecLen), 0); + +#if !defined(HAVE_FIPS) && defined(WC_RSA_NO_PADDING) + /* The input length must be the same size as the RSA key.*/ + ExpectNotNull(inTmp = (byte*)XMALLOC(rsaKeySz, HEAP_HINT, + DYNAMIC_TYPE_TMP_BUFFER)); + if (inTmp != NULL) { + XMEMSET(inTmp, 9, rsaKeySz); + } + ExpectNotNull(outEncTmp = (byte*)XMALLOC(rsaKeySz, HEAP_HINT, + DYNAMIC_TYPE_TMP_BUFFER)); + if (outEncTmp != NULL) { + XMEMSET(outEncTmp, 0, rsaKeySz); + } + ExpectNotNull(outDecTmp = (byte*)XMALLOC(rsaKeySz, HEAP_HINT, + DYNAMIC_TYPE_TMP_BUFFER)); + if (outDecTmp != NULL) { + XMEMSET(outDecTmp, 0, rsaKeySz); + } + ExpectIntEQ(EVP_PKEY_encrypt_init(ctx), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_NO_PADDING), + WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_encrypt(ctx, outEncTmp, &outEncLen, inTmp, rsaKeySz), + WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_decrypt_init(ctx), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_decrypt(ctx, outDecTmp, &outDecLen, outEncTmp, + outEncLen), WOLFSSL_SUCCESS); + ExpectIntEQ(XMEMCMP(inTmp, outDecTmp, outDecLen), 0); +#endif + EVP_PKEY_CTX_free(ctx); + XFREE(outEnc, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(outDec, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); +#if !defined(HAVE_FIPS) && defined(WC_RSA_NO_PADDING) + XFREE(inTmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(outEncTmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(outDecTmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); +#endif +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_PKEY_derive(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) || defined(WOLFSSL_OPENSSH) +#if (!defined(NO_DH) && defined(WOLFSSL_DH_EXTRA)) || defined(HAVE_ECC) + EVP_PKEY_CTX *ctx = NULL; + unsigned char *skey = NULL; + size_t skeylen; + EVP_PKEY *pkey = NULL; + EVP_PKEY *peerkey = NULL; + const unsigned char* key; + +#if !defined(NO_DH) && defined(WOLFSSL_DH_EXTRA) + /* DH */ + key = dh_key_der_2048; + ExpectNotNull((pkey = d2i_PrivateKey(EVP_PKEY_DH, NULL, &key, + sizeof_dh_key_der_2048))); + ExpectIntEQ(DH_generate_key(EVP_PKEY_get0_DH(pkey)), 1); + key = dh_key_der_2048; + ExpectNotNull((peerkey = d2i_PrivateKey(EVP_PKEY_DH, NULL, &key, + sizeof_dh_key_der_2048))); + ExpectIntEQ(DH_generate_key(EVP_PKEY_get0_DH(peerkey)), 1); + ExpectNotNull(ctx = EVP_PKEY_CTX_new(pkey, NULL)); + ExpectIntEQ(EVP_PKEY_derive_init(ctx), 1); + ExpectIntEQ(EVP_PKEY_derive_set_peer(ctx, peerkey), 1); + ExpectIntEQ(EVP_PKEY_derive(ctx, NULL, &skeylen), 1); + ExpectNotNull(skey = (unsigned char*)XMALLOC(skeylen, NULL, + DYNAMIC_TYPE_OPENSSL)); + ExpectIntEQ(EVP_PKEY_derive(ctx, skey, &skeylen), 1); + + EVP_PKEY_CTX_free(ctx); + ctx = NULL; + EVP_PKEY_free(peerkey); + peerkey = NULL; + EVP_PKEY_free(pkey); + pkey = NULL; + XFREE(skey, NULL, DYNAMIC_TYPE_OPENSSL); + skey = NULL; +#endif + +#ifdef HAVE_ECC + /* ECDH */ + key = ecc_clikey_der_256; + ExpectNotNull((pkey = d2i_PrivateKey(EVP_PKEY_EC, NULL, &key, + sizeof_ecc_clikey_der_256))); + key = ecc_clikeypub_der_256; + ExpectNotNull((peerkey = d2i_PUBKEY(NULL, &key, + sizeof_ecc_clikeypub_der_256))); + ExpectNotNull(ctx = EVP_PKEY_CTX_new(pkey, NULL)); + ExpectIntEQ(EVP_PKEY_derive_init(ctx), 1); + ExpectIntEQ(EVP_PKEY_derive_set_peer(ctx, peerkey), 1); + ExpectIntEQ(EVP_PKEY_derive(ctx, NULL, &skeylen), 1); + ExpectNotNull(skey = (unsigned char*)XMALLOC(skeylen, NULL, + DYNAMIC_TYPE_OPENSSL)); + ExpectIntEQ(EVP_PKEY_derive(ctx, skey, &skeylen), 1); + + EVP_PKEY_CTX_free(ctx); + EVP_PKEY_free(peerkey); + EVP_PKEY_free(pkey); + XFREE(skey, NULL, DYNAMIC_TYPE_OPENSSL); +#endif /* HAVE_ECC */ +#endif /* (!NO_DH && WOLFSSL_DH_EXTRA) || HAVE_ECC */ +#endif /* OPENSSL_ALL || WOLFSSL_QT || WOLFSSL_OPENSSH */ + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_PKEY_print_public(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_BIO) + WOLFSSL_BIO* rbio = NULL; + WOLFSSL_BIO* wbio = NULL; + WOLFSSL_EVP_PKEY* pkey = NULL; + char line[256] = { 0 }; + char line1[256] = { 0 }; + int i = 0; + + /* test error cases */ + ExpectIntEQ( EVP_PKEY_print_public(NULL,NULL,0,NULL),0L); + + /* + * test RSA public key print + * in this test, pass '3' for indent + */ +#if !defined(NO_RSA) && defined(USE_CERT_BUFFERS_1024) + + ExpectNotNull(rbio = BIO_new_mem_buf( client_keypub_der_1024, + sizeof_client_keypub_der_1024)); + + ExpectNotNull(wolfSSL_d2i_PUBKEY_bio(rbio, &pkey)); + + ExpectNotNull(wbio = BIO_new(BIO_s_mem())); + + ExpectIntEQ(EVP_PKEY_print_public(wbio, pkey,3,NULL),1); + + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + strcpy(line1, " RSA Public-Key: (1024 bit)\n"); + ExpectIntEQ(XSTRNCMP(line, line1, XSTRLEN(line1)), 0); + + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + strcpy(line1, " Modulus:\n"); + ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); + + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + strcpy(line1, " 00:bc:73:0e:a8:49:f3:74:a2:a9:ef:18:a5:da:55:\n"); + ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); + + /* skip to the end of modulus element*/ + for (i = 0; i < 8 ;i++) { + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + } + + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + strcpy(line1, " Exponent: 65537 (0x010001)\n"); + ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); + + + /* should reach EOF */ + ExpectIntLE(BIO_gets(wbio, line, sizeof(line)), 0); + + EVP_PKEY_free(pkey); + pkey = NULL; + BIO_free(rbio); + BIO_free(wbio); + rbio = NULL; + wbio = NULL; + +#endif /* !NO_RSA && USE_CERT_BUFFERS_1024*/ + + /* + * test DSA public key print + */ +#if !defined(NO_DSA) && defined(USE_CERT_BUFFERS_2048) + ExpectNotNull(rbio = BIO_new_mem_buf( dsa_pub_key_der_2048, + sizeof_dsa_pub_key_der_2048)); + + ExpectNotNull(wolfSSL_d2i_PUBKEY_bio(rbio, &pkey)); + + ExpectNotNull(wbio = BIO_new(BIO_s_mem())); + + ExpectIntEQ(EVP_PKEY_print_public(wbio, pkey,0,NULL),1); + + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + strcpy(line1, "DSA Public-Key: (2048 bit)\n"); + ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); + + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + strcpy(line1, "pub:\n"); + ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); + + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + strcpy(line1, + " 00:C2:35:2D:EC:83:83:6C:73:13:9E:52:7C:74:C8:\n"); + ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); + + /* skip to the end of pub element*/ + for (i = 0; i < 17 ;i++) { + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + } + + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + strcpy(line1, "P:\n"); + ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); + + /* skip to the end of P element*/ + for (i = 0; i < 18 ;i++) { + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + } + + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + strcpy(line1, "Q:\n"); + ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); + + /* skip to the end of Q element*/ + for (i = 0; i < 3 ;i++) { + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + } + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + strcpy(line1, "G:\n"); + ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); + + /* skip to the end of G element*/ + for (i = 0; i < 18 ;i++) { + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + } + /* should reach EOF */ + ExpectIntLE(BIO_gets(wbio, line, sizeof(line)), 0); + + EVP_PKEY_free(pkey); + pkey = NULL; + BIO_free(rbio); + BIO_free(wbio); + rbio = NULL; + wbio = NULL; + +#endif /* !NO_DSA && USE_CERT_BUFFERS_2048 */ + + /* + * test ECC public key print + */ +#if defined(HAVE_ECC) && defined(USE_CERT_BUFFERS_256) + + ExpectNotNull(rbio = BIO_new_mem_buf( ecc_clikeypub_der_256, + sizeof_ecc_clikeypub_der_256)); + + ExpectNotNull(wolfSSL_d2i_PUBKEY_bio(rbio, &pkey)); + + ExpectNotNull(wbio = BIO_new(BIO_s_mem())); + + ExpectIntEQ(EVP_PKEY_print_public(wbio, pkey,0,NULL),1); + + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + ExpectStrEQ(line, "Public-Key: (256 bit)\n"); + + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + strcpy(line1, "pub:\n"); + ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); + + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + strcpy(line1, + " 04:55:BF:F4:0F:44:50:9A:3D:CE:9B:B7:F0:C5:4D:\n"); + ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); + + /* skip to the end of pub element*/ + for (i = 0; i < 4 ;i++) { + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + } + + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + strcpy(line1, "ASN1 OID: prime256v1\n"); + ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); + + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + strcpy(line1, "NIST CURVE: P-256\n"); + ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); + + + /* should reach EOF */ + ExpectIntLE(BIO_gets(wbio, line, sizeof(line)), 0); + + EVP_PKEY_free(pkey); + pkey = NULL; + BIO_free(rbio); + BIO_free(wbio); + rbio = NULL; + wbio = NULL; + +#endif /* HAVE_ECC && USE_CERT_BUFFERS_256 */ + + /* + * test DH public key print + */ +#if defined(WOLFSSL_DH_EXTRA) && defined(USE_CERT_BUFFERS_2048) + + ExpectNotNull(rbio = BIO_new_mem_buf( dh_pub_key_der_2048, + sizeof_dh_pub_key_der_2048)); + + ExpectNotNull(wolfSSL_d2i_PUBKEY_bio(rbio, &pkey)); + + ExpectNotNull(wbio = BIO_new(BIO_s_mem())); + + ExpectIntEQ(EVP_PKEY_print_public(wbio, pkey,0,NULL), 1); + + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + strcpy(line1, "DH Public-Key: (2048 bit)\n"); + ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); + + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + strcpy(line1, "public-key:\n"); + ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); + + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + strcpy(line1, + " 34:41:BF:E9:F2:11:BF:05:DB:B2:72:A8:29:CC:BD:\n"); + ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); + + /* skip to the end of public-key element*/ + for (i = 0; i < 17 ;i++) { + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + } + + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + strcpy(line1, "prime:\n"); + ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); + + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + strcpy(line1, + " 00:D3:B2:99:84:5C:0A:4C:E7:37:CC:FC:18:37:01:\n"); + ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); + + /* skip to the end of prime element*/ + for (i = 0; i < 17 ;i++) { + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + } + + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + strcpy(line1, "generator: 2 (0x02)\n"); + ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); + + /* should reach EOF */ + ExpectIntLE(BIO_gets(wbio, line, sizeof(line)), 0); + + EVP_PKEY_free(pkey); + pkey = NULL; + BIO_free(rbio); + BIO_free(wbio); + rbio = NULL; + wbio = NULL; + +#endif /* WOLFSSL_DH_EXTRA && USE_CERT_BUFFERS_2048 */ + + /* to prevent "unused variable" warning */ + (void)pkey; + (void)wbio; + (void)rbio; + (void)line; + (void)line1; + (void)i; +#endif /* OPENSSL_EXTRA */ + return EXPECT_RESULT(); +} + diff --git a/tests/api/test_evp_pkey.h b/tests/api/test_evp_pkey.h new file mode 100644 index 000000000..222a19ea5 --- /dev/null +++ b/tests/api/test_evp_pkey.h @@ -0,0 +1,102 @@ +/* test_evp_pkey.h + * + * Copyright (C) 2006-2025 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +#ifndef WOLFCRYPT_TEST_EVP_PKEY_H +#define WOLFCRYPT_TEST_EVP_PKEY_H + +#include + +int test_wolfSSL_EVP_PKEY_CTX_new_id(void); +int test_wolfSSL_EVP_PKEY_CTX_set_rsa_keygen_bits(void); +int test_wolfSSL_QT_EVP_PKEY_CTX_free(void); +int test_wolfSSL_EVP_PKEY_up_ref(void); +int test_wolfSSL_EVP_PKEY_base_id(void); +int test_wolfSSL_EVP_PKEY_id(void); +int test_wolfSSL_EVP_MD_pkey_type(void); +int test_wolfSSL_EVP_MD_hmac_signing(void); +int test_wolfSSL_EVP_PKEY_new_mac_key(void); +int test_wolfSSL_EVP_PKEY_hkdf(void); +int test_wolfSSL_EVP_PBE_scrypt(void); +int test_EVP_PKEY_cmp(void); +int test_wolfSSL_EVP_PKEY_set1_get1_DSA(void); +int test_wolfSSL_EVP_PKEY_set1_get1_EC_KEY (void); +int test_wolfSSL_EVP_PKEY_get0_EC_KEY(void); +int test_wolfSSL_EVP_PKEY_set1_get1_DH (void); +int test_wolfSSL_EVP_PKEY_assign(void); +int test_wolfSSL_EVP_PKEY_assign_DH(void); +int test_EVP_PKEY_rsa(void); +int test_EVP_PKEY_ec(void); +int test_wolfSSL_EVP_PKEY_missing_parameters(void); +int test_wolfSSL_EVP_PKEY_copy_parameters(void); +int test_wolfSSL_EVP_PKEY_paramgen(void); +int test_wolfSSL_EVP_PKEY_param_check(void); +int test_wolfSSL_EVP_PKEY_keygen_init(void); +int test_wolfSSL_EVP_PKEY_keygen(void); +int test_wolfSSL_EVP_SignInit_ex(void); +int test_wolfSSL_EVP_PKEY_sign_verify_rsa(void); +int test_wolfSSL_EVP_PKEY_sign_verify_dsa(void); +int test_wolfSSL_EVP_PKEY_sign_verify_ec(void); +int test_wolfSSL_EVP_MD_rsa_signing(void); +int test_wc_RsaPSS_DigitalSignVerify(void); +int test_wolfSSL_EVP_MD_ecc_signing(void); +int test_wolfSSL_EVP_PKEY_encrypt(void); +int test_wolfSSL_EVP_PKEY_derive(void); +int test_wolfSSL_EVP_PKEY_print_public(void); + +#define TEST_EVP_PKEY_DECLS \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_PKEY_CTX_new_id), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_PKEY_CTX_set_rsa_keygen_bits),\ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_QT_EVP_PKEY_CTX_free), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_PKEY_up_ref), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_PKEY_base_id), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_PKEY_id), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_MD_pkey_type), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_MD_hmac_signing), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_PKEY_new_mac_key), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_PKEY_hkdf), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_PBE_scrypt), \ + TEST_DECL_GROUP("evp_pkey", test_EVP_PKEY_cmp), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_PKEY_set1_get1_DSA), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_PKEY_set1_get1_EC_KEY), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_PKEY_get0_EC_KEY), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_PKEY_set1_get1_DH), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_PKEY_assign), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_PKEY_assign_DH), \ + TEST_DECL_GROUP("evp_pkey", test_EVP_PKEY_rsa), \ + TEST_DECL_GROUP("evp_pkey", test_EVP_PKEY_ec), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_PKEY_missing_parameters), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_PKEY_copy_parameters), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_PKEY_paramgen), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_PKEY_param_check), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_PKEY_keygen_init), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_PKEY_keygen), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_SignInit_ex), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_PKEY_sign_verify_rsa), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_PKEY_sign_verify_dsa), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_PKEY_sign_verify_ec), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_MD_rsa_signing), \ + TEST_DECL_GROUP("evp_pkey", test_wc_RsaPSS_DigitalSignVerify), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_MD_ecc_signing), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_PKEY_encrypt), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_PKEY_derive), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_PKEY_print_public) + +#endif /* WOLFCRYPT_TEST_EVP_PKEY_H */ diff --git a/tests/api/test_ossl_asn1.c b/tests/api/test_ossl_asn1.c index b046fd4c3..f91cd0c6a 100644 --- a/tests/api/test_ossl_asn1.c +++ b/tests/api/test_ossl_asn1.c @@ -1195,7 +1195,8 @@ int test_wolfSSL_ASN1_STRING_to_UTF8(void) ExpectNotNull(e = wolfSSL_X509_NAME_get_entry(subject, idx)); ExpectNotNull(a = wolfSSL_X509_NAME_ENTRY_get_data(e)); ExpectIntEQ((len = wolfSSL_ASN1_STRING_to_UTF8(&actual_output, a)), 15); - ExpectIntEQ(strncmp((const char*)actual_output, targetOutput, (size_t)len), 0); + ExpectIntEQ(strncmp((const char*)actual_output, targetOutput, (size_t)len), + 0); a = NULL; /* wolfSSL_ASN1_STRING_to_UTF8(NULL, valid) */ @@ -1269,9 +1270,12 @@ int test_wolfSSL_ASN1_STRING_canon(void) ExpectNotNull(canon = ASN1_STRING_new()); /* Invalid parameter testing. */ - ExpectIntEQ(wolfSSL_ASN1_STRING_canon(NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_ASN1_STRING_canon(canon, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_ASN1_STRING_canon(NULL, orig), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_ASN1_STRING_canon(NULL, NULL), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_ASN1_STRING_canon(canon, NULL), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_ASN1_STRING_canon(NULL, orig), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); ExpectIntEQ(wolfSSL_ASN1_STRING_canon(canon, orig), 1); ExpectIntEQ(ASN1_STRING_cmp(orig, canon), 0); @@ -1622,9 +1626,12 @@ int test_wolfSSL_ASN1_GENERALIZEDTIME_print(void) ExpectIntEQ(wolfSSL_ASN1_TIME_set_string(gtime, "20180504123500Z"), 1); /* Invalid parameters testing. */ - ExpectIntEQ(wolfSSL_ASN1_GENERALIZEDTIME_print(NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_ASN1_GENERALIZEDTIME_print(bio, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_ASN1_GENERALIZEDTIME_print(NULL, gtime), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_ASN1_GENERALIZEDTIME_print(NULL, NULL), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_ASN1_GENERALIZEDTIME_print(bio, NULL), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_ASN1_GENERALIZEDTIME_print(NULL, gtime), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); ExpectIntEQ(wolfSSL_ASN1_GENERALIZEDTIME_print(bio, gtime), 1); ExpectIntEQ(BIO_read(bio, buf, sizeof(buf)), 20); diff --git a/tests/api/test_ossl_bio.c b/tests/api/test_ossl_bio.c index cedf9f918..2fdc792cc 100644 --- a/tests/api/test_ossl_bio.c +++ b/tests/api/test_ossl_bio.c @@ -58,7 +58,8 @@ int test_wolfSSL_BIO_gets(void) /* try with bad args */ ExpectNull(bio = BIO_new_mem_buf(NULL, sizeof(msg))); #ifdef OPENSSL_ALL - ExpectIntEQ(BIO_set_mem_buf(bio, NULL, BIO_NOCLOSE), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(BIO_set_mem_buf(bio, NULL, BIO_NOCLOSE), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); #endif /* try with real msg */ @@ -594,7 +595,8 @@ int test_wolfSSL_BIO_tls(void) int test_wolfSSL_BIO_datagram(void) { EXPECT_DECLS; -#if !defined(NO_BIO) && defined(WOLFSSL_DTLS) && defined(WOLFSSL_HAVE_BIO_ADDR) && defined(OPENSSL_EXTRA) +#if !defined(NO_BIO) && defined(WOLFSSL_DTLS) && \ + defined(WOLFSSL_HAVE_BIO_ADDR) && defined(OPENSSL_EXTRA) int ret; SOCKET_T fd1 = SOCKET_INVALID, fd2 = SOCKET_INVALID; WOLFSSL_BIO *bio1 = NULL, *bio2 = NULL; @@ -636,7 +638,8 @@ int test_wolfSSL_BIO_datagram(void) sin1.sin_port = 0; slen = (socklen_t)sizeof(sin1); ExpectIntEQ(bind(fd1, (const struct sockaddr *)&sin1, slen), 0); - ExpectIntEQ(setsockopt(fd1, SOL_SOCKET, SO_RCVTIMEO, (const char *)&timeout, sizeof(timeout)), 0); + ExpectIntEQ(setsockopt(fd1, SOL_SOCKET, SO_RCVTIMEO, + (const char *)&timeout, sizeof(timeout)), 0); ExpectIntEQ(getsockname(fd1, (struct sockaddr *)&sin1, &slen), 0); } @@ -646,7 +649,8 @@ int test_wolfSSL_BIO_datagram(void) sin2.sin_port = 0; slen = (socklen_t)sizeof(sin2); ExpectIntEQ(bind(fd2, (const struct sockaddr *)&sin2, slen), 0); - ExpectIntEQ(setsockopt(fd2, SOL_SOCKET, SO_RCVTIMEO, (const char *)&timeout, sizeof(timeout)), 0); + ExpectIntEQ(setsockopt(fd2, SOL_SOCKET, SO_RCVTIMEO, + (const char *)&timeout, sizeof(timeout)), 0); ExpectIntEQ(getsockname(fd2, (struct sockaddr *)&sin2, &slen), 0); } @@ -661,15 +665,19 @@ int test_wolfSSL_BIO_datagram(void) } if (EXPECT_SUCCESS()) { - /* for OpenSSL compatibility, direct copying of sockaddrs into BIO_ADDRs must work right. */ + /* for OpenSSL compatibility, direct copying of sockaddrs into BIO_ADDRs + * must work right. */ XMEMCPY(&bio_addr2->sa_in, &sin2, sizeof(sin2)); - ExpectIntEQ((int)wolfSSL_BIO_ctrl(bio1, BIO_CTRL_DGRAM_SET_PEER, 0, bio_addr2), WOLFSSL_SUCCESS); + ExpectIntEQ((int)wolfSSL_BIO_ctrl(bio1, BIO_CTRL_DGRAM_SET_PEER, 0, + bio_addr2), WOLFSSL_SUCCESS); wolfSSL_BIO_ADDR_clear(bio_addr2); } test_msg_recvd[0] = 0; - ExpectIntEQ(wolfSSL_BIO_write(bio1, test_msg, sizeof(test_msg)), (int)sizeof(test_msg)); - ExpectIntEQ(wolfSSL_BIO_read(bio2, test_msg_recvd, sizeof(test_msg_recvd)), (int)sizeof(test_msg)); + ExpectIntEQ(wolfSSL_BIO_write(bio1, test_msg, sizeof(test_msg)), + (int)sizeof(test_msg)); + ExpectIntEQ(wolfSSL_BIO_read(bio2, test_msg_recvd, sizeof(test_msg_recvd)), + (int)sizeof(test_msg)); ExpectIntEQ(XMEMCMP(test_msg_recvd, test_msg, sizeof(test_msg)), 0); #ifdef WOLFSSL_BIO_HAVE_FLOW_STATS @@ -682,58 +690,76 @@ int test_wolfSSL_BIO_datagram(void) */ test_msg_recvd[0] = 0; - ExpectIntEQ(wolfSSL_BIO_write(bio2, test_msg, sizeof(test_msg)), (int)sizeof(test_msg)); - ExpectIntEQ(wolfSSL_BIO_read(bio1, test_msg_recvd, sizeof(test_msg_recvd)), (int)sizeof(test_msg)); + ExpectIntEQ(wolfSSL_BIO_write(bio2, test_msg, sizeof(test_msg)), + (int)sizeof(test_msg)); + ExpectIntEQ(wolfSSL_BIO_read(bio1, test_msg_recvd, sizeof(test_msg_recvd)), + (int)sizeof(test_msg)); ExpectIntEQ(XMEMCMP(test_msg_recvd, test_msg, sizeof(test_msg)), 0); - ExpectIntEQ(wolfSSL_BIO_read(bio1, test_msg_recvd, sizeof(test_msg_recvd)), WOLFSSL_BIO_ERROR); + ExpectIntEQ(wolfSSL_BIO_read(bio1, test_msg_recvd, sizeof(test_msg_recvd)), + WOLFSSL_BIO_ERROR); ExpectIntNE(BIO_should_retry(bio1), 0); - ExpectIntEQ(wolfSSL_BIO_read(bio2, test_msg_recvd, sizeof(test_msg_recvd)), WOLFSSL_BIO_ERROR); + ExpectIntEQ(wolfSSL_BIO_read(bio2, test_msg_recvd, sizeof(test_msg_recvd)), + WOLFSSL_BIO_ERROR); ExpectIntNE(BIO_should_retry(bio2), 0); /* now "connect" the sockets. */ - ExpectIntEQ(connect(fd1, (const struct sockaddr *)&sin2, (socklen_t)sizeof(sin2)), 0); - ExpectIntEQ(connect(fd2, (const struct sockaddr *)&sin1, (socklen_t)sizeof(sin1)), 0); + ExpectIntEQ(connect(fd1, (const struct sockaddr *)&sin2, + (socklen_t)sizeof(sin2)), 0); + ExpectIntEQ(connect(fd2, (const struct sockaddr *)&sin1, + (socklen_t)sizeof(sin1)), 0); if (EXPECT_SUCCESS()) { XMEMCPY(&bio_addr2->sa_in, &sin2, sizeof(sin2)); - ExpectIntEQ((int)wolfSSL_BIO_ctrl(bio1, BIO_CTRL_DGRAM_SET_CONNECTED, 0, bio_addr2), WOLFSSL_SUCCESS); + ExpectIntEQ((int)wolfSSL_BIO_ctrl(bio1, BIO_CTRL_DGRAM_SET_CONNECTED, 0, + bio_addr2), WOLFSSL_SUCCESS); wolfSSL_BIO_ADDR_clear(bio_addr2); } if (EXPECT_SUCCESS()) { XMEMCPY(&bio_addr1->sa_in, &sin1, sizeof(sin1)); - ExpectIntEQ((int)wolfSSL_BIO_ctrl(bio2, BIO_CTRL_DGRAM_SET_CONNECTED, 0, bio_addr1), WOLFSSL_SUCCESS); + ExpectIntEQ((int)wolfSSL_BIO_ctrl(bio2, BIO_CTRL_DGRAM_SET_CONNECTED, 0, + bio_addr1), WOLFSSL_SUCCESS); wolfSSL_BIO_ADDR_clear(bio_addr1); } test_msg_recvd[0] = 0; - ExpectIntEQ(wolfSSL_BIO_write(bio2, test_msg, sizeof(test_msg)), (int)sizeof(test_msg)); - ExpectIntEQ(wolfSSL_BIO_read(bio1, test_msg_recvd, sizeof(test_msg_recvd)), (int)sizeof(test_msg)); + ExpectIntEQ(wolfSSL_BIO_write(bio2, test_msg, sizeof(test_msg)), + (int)sizeof(test_msg)); + ExpectIntEQ(wolfSSL_BIO_read(bio1, test_msg_recvd, sizeof(test_msg_recvd)), + (int)sizeof(test_msg)); ExpectIntEQ(XMEMCMP(test_msg_recvd, test_msg, sizeof(test_msg)), 0); test_msg_recvd[0] = 0; - ExpectIntEQ(wolfSSL_BIO_write(bio1, test_msg, sizeof(test_msg)), (int)sizeof(test_msg)); - ExpectIntEQ(wolfSSL_BIO_read(bio2, test_msg_recvd, sizeof(test_msg_recvd)), (int)sizeof(test_msg)); + ExpectIntEQ(wolfSSL_BIO_write(bio1, test_msg, sizeof(test_msg)), + (int)sizeof(test_msg)); + ExpectIntEQ(wolfSSL_BIO_read(bio2, test_msg_recvd, sizeof(test_msg_recvd)), + (int)sizeof(test_msg)); ExpectIntEQ(XMEMCMP(test_msg_recvd, test_msg, sizeof(test_msg)), 0); #ifdef __linux__ /* now "disconnect" the sockets and attempt transmits expected to fail. */ sin1.sin_family = AF_UNSPEC; - ExpectIntEQ(connect(fd1, (const struct sockaddr *)&sin1, (socklen_t)sizeof(sin1)), 0); - ExpectIntEQ(connect(fd2, (const struct sockaddr *)&sin1, (socklen_t)sizeof(sin1)), 0); + ExpectIntEQ(connect(fd1, (const struct sockaddr *)&sin1, + (socklen_t)sizeof(sin1)), 0); + ExpectIntEQ(connect(fd2, (const struct sockaddr *)&sin1, + (socklen_t)sizeof(sin1)), 0); sin1.sin_family = AF_INET; - ExpectIntEQ((int)wolfSSL_BIO_ctrl(bio1, BIO_CTRL_DGRAM_SET_CONNECTED, 0, NULL), WOLFSSL_SUCCESS); - ExpectIntEQ((int)wolfSSL_BIO_ctrl(bio2, BIO_CTRL_DGRAM_SET_CONNECTED, 0, NULL), WOLFSSL_SUCCESS); + ExpectIntEQ((int)wolfSSL_BIO_ctrl(bio1, BIO_CTRL_DGRAM_SET_CONNECTED, 0, + NULL), WOLFSSL_SUCCESS); + ExpectIntEQ((int)wolfSSL_BIO_ctrl(bio2, BIO_CTRL_DGRAM_SET_CONNECTED, 0, + NULL), WOLFSSL_SUCCESS); if (EXPECT_SUCCESS()) { - sin2.sin_addr.s_addr = htonl(0xc0a8c0a8); /* 192.168.192.168 -- invalid for loopback interface. */ + /* 192.168.192.168 -- invalid for loopback interface. */ + sin2.sin_addr.s_addr = htonl(0xc0a8c0a8); XMEMCPY(&bio_addr2->sa_in, &sin2, sizeof(sin2)); - ExpectIntEQ((int)wolfSSL_BIO_ctrl(bio1, BIO_CTRL_DGRAM_SET_PEER, 0, bio_addr2), WOLFSSL_SUCCESS); + ExpectIntEQ((int)wolfSSL_BIO_ctrl(bio1, BIO_CTRL_DGRAM_SET_PEER, 0, + bio_addr2), WOLFSSL_SUCCESS); wolfSSL_BIO_ADDR_clear(bio_addr2); } @@ -796,7 +822,8 @@ static THREAD_RETURN WOLFSSL_THREAD test_wolfSSL_BIO_accept_client(void* args) (void)args; - AssertIntGT(snprintf(connectAddr, sizeof(connectAddr), "%s:%d", wolfSSLIP, wolfSSLPort), 0); + AssertIntGT(snprintf(connectAddr, sizeof(connectAddr), "%s:%d", wolfSSLIP, + wolfSSLPort), 0); clientBio = BIO_new_connect(connectAddr); AssertNotNull(clientBio); AssertIntEQ(BIO_do_connect(clientBio), 1); @@ -804,7 +831,8 @@ static THREAD_RETURN WOLFSSL_THREAD test_wolfSSL_BIO_accept_client(void* args) AssertNotNull(ctx); sslClient = SSL_new(ctx); AssertNotNull(sslClient); - AssertIntEQ(wolfSSL_CTX_load_verify_locations(ctx, caCertFile, 0), WOLFSSL_SUCCESS); + AssertIntEQ(wolfSSL_CTX_load_verify_locations(ctx, caCertFile, 0), + WOLFSSL_SUCCESS); SSL_set_bio(sslClient, clientBio, clientBio); AssertIntEQ(SSL_connect(sslClient), 1); @@ -1156,5 +1184,287 @@ int test_wolfSSL_BIO_get_len(void) return EXPECT_RESULT(); } +#if defined(OPENSSL_EXTRA) && !defined(NO_BIO) +static long bioCallback(BIO *bio, int cmd, const char* argp, int argi, + long argl, long ret) +{ + (void)bio; + (void)cmd; + (void)argp; + (void)argi; + (void)argl; + return ret; +} +#endif + +int test_wolfSSL_BIO(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_BIO) + const unsigned char* p = NULL; + byte buff[20]; + BIO* bio1 = NULL; + BIO* bio2 = NULL; + BIO* bio3 = NULL; + char* bufPt = NULL; + int i; + + for (i = 0; i < 20; i++) { + buff[i] = i; + } + /* test BIO_free with NULL */ + ExpectIntEQ(BIO_free(NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + + /* Creating and testing type BIO_s_bio */ + ExpectNotNull(bio1 = BIO_new(BIO_s_bio())); + ExpectNotNull(bio2 = BIO_new(BIO_s_bio())); + ExpectNotNull(bio3 = BIO_new(BIO_s_bio())); + + /* read/write before set up */ + ExpectIntEQ(BIO_read(bio1, buff, 2), WOLFSSL_BIO_UNSET); + ExpectIntEQ(BIO_write(bio1, buff, 2), WOLFSSL_BIO_UNSET); + + ExpectIntEQ(BIO_set_nbio(bio1, 1), 1); + ExpectIntEQ(BIO_set_write_buf_size(bio1, 20), WOLFSSL_SUCCESS); + ExpectIntEQ(BIO_set_write_buf_size(bio2, 8), WOLFSSL_SUCCESS); + ExpectIntEQ(BIO_make_bio_pair(bio1, bio2), WOLFSSL_SUCCESS); + + ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 10), 10); + ExpectNotNull(XMEMCPY(bufPt, buff, 10)); + ExpectIntEQ(BIO_write(bio1, buff + 10, 10), 10); + /* write buffer full */ + ExpectIntEQ(BIO_write(bio1, buff, 10), WOLFSSL_BIO_ERROR); + ExpectIntEQ(BIO_flush(bio1), WOLFSSL_SUCCESS); + ExpectIntEQ((int)BIO_ctrl_pending(bio1), 0); + + /* write the other direction with pair */ + ExpectIntEQ((int)BIO_nwrite(bio2, &bufPt, 10), 8); + ExpectNotNull(XMEMCPY(bufPt, buff, 8)); + ExpectIntEQ(BIO_write(bio2, buff, 10), WOLFSSL_BIO_ERROR); + + /* try read */ + ExpectIntEQ((int)BIO_ctrl_pending(bio1), 8); + ExpectIntEQ((int)BIO_ctrl_pending(bio2), 20); + + /* try read using ctrl function */ + ExpectIntEQ((int)BIO_ctrl(bio1, BIO_CTRL_WPENDING, 0, NULL), 8); + ExpectIntEQ((int)BIO_ctrl(bio1, BIO_CTRL_PENDING, 0, NULL), 8); + ExpectIntEQ((int)BIO_ctrl(bio2, BIO_CTRL_WPENDING, 0, NULL), 20); + ExpectIntEQ((int)BIO_ctrl(bio2, BIO_CTRL_PENDING, 0, NULL), 20); + + ExpectIntEQ(BIO_nread(bio2, &bufPt, (int)BIO_ctrl_pending(bio2)), 20); + for (i = 0; i < 20; i++) { + ExpectIntEQ((int)bufPt[i], i); + } + ExpectIntEQ(BIO_nread(bio2, &bufPt, 1), 0); + ExpectIntEQ(BIO_nread(bio1, &bufPt, (int)BIO_ctrl_pending(bio1)), 8); + for (i = 0; i < 8; i++) { + ExpectIntEQ((int)bufPt[i], i); + } + ExpectIntEQ(BIO_nread(bio1, &bufPt, 1), 0); + ExpectIntEQ(BIO_ctrl_reset_read_request(bio1), 1); + + /* new pair */ + ExpectIntEQ(BIO_make_bio_pair(bio1, bio3), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + BIO_free(bio2); /* free bio2 and automatically remove from pair */ + bio2 = NULL; + ExpectIntEQ(BIO_make_bio_pair(bio1, bio3), WOLFSSL_SUCCESS); + ExpectIntEQ((int)BIO_ctrl_pending(bio3), 0); + ExpectIntEQ(BIO_nread(bio3, &bufPt, 10), 0); + + /* test wrap around... */ + ExpectIntEQ(BIO_reset(bio1), 1); + ExpectIntEQ(BIO_reset(bio3), 1); + + /* fill write buffer, read only small amount then write again */ + ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 20), 20); + ExpectNotNull(XMEMCPY(bufPt, buff, 20)); + ExpectIntEQ(BIO_nread(bio3, &bufPt, 4), 4); + for (i = 0; i < 4; i++) { + ExpectIntEQ(bufPt[i], i); + } + + /* try writing over read index */ + ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 5), 4); + ExpectNotNull(XMEMSET(bufPt, 0, 4)); + ExpectIntEQ((int)BIO_ctrl_pending(bio3), 20); + + /* read and write 0 bytes */ + ExpectIntEQ(BIO_nread(bio3, &bufPt, 0), 0); + ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 0), 0); + + /* should read only to end of write buffer then need to read again */ + ExpectIntEQ(BIO_nread(bio3, &bufPt, 20), 16); + for (i = 0; i < 16; i++) { + ExpectIntEQ(bufPt[i], buff[4 + i]); + } + + ExpectIntEQ(BIO_nread(bio3, NULL, 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(BIO_nread0(bio3, &bufPt), 4); + for (i = 0; i < 4; i++) { + ExpectIntEQ(bufPt[i], 0); + } + + /* read index should not have advanced with nread0 */ + ExpectIntEQ(BIO_nread(bio3, &bufPt, 5), 4); + for (i = 0; i < 4; i++) { + ExpectIntEQ(bufPt[i], 0); + } + + /* write and fill up buffer checking reset of index state */ + ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 20), 20); + ExpectNotNull(XMEMCPY(bufPt, buff, 20)); + + /* test reset on data in bio1 write buffer */ + ExpectIntEQ(BIO_reset(bio1), 1); + ExpectIntEQ((int)BIO_ctrl_pending(bio3), 0); + ExpectIntEQ(BIO_nread(bio3, &bufPt, 3), 0); + ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 20), 20); + ExpectIntEQ((int)BIO_ctrl(bio1, BIO_CTRL_INFO, 0, &p), 20); + ExpectNotNull(p); + ExpectNotNull(XMEMCPY(bufPt, buff, 20)); + ExpectIntEQ(BIO_nread(bio3, &bufPt, 6), 6); + for (i = 0; i < 6; i++) { + ExpectIntEQ(bufPt[i], i); + } + + /* test case of writing twice with offset read index */ + ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 3), 3); + ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 4), 3); /* try overwriting */ + ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 4), WOLFSSL_BIO_ERROR); + ExpectIntEQ(BIO_nread(bio3, &bufPt, 0), 0); + ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 4), WOLFSSL_BIO_ERROR); + ExpectIntEQ(BIO_nread(bio3, &bufPt, 1), 1); + ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 4), 1); + ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 4), WOLFSSL_BIO_ERROR); + + BIO_free(bio1); + bio1 = NULL; + BIO_free(bio3); + bio3 = NULL; + + #if defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO) + { + BIO* bioA = NULL; + BIO* bioB = NULL; + ExpectIntEQ(BIO_new_bio_pair(NULL, 256, NULL, 256), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(BIO_new_bio_pair(&bioA, 256, &bioB, 256), WOLFSSL_SUCCESS); + BIO_free(bioA); + bioA = NULL; + BIO_free(bioB); + bioB = NULL; + } + #endif /* OPENSSL_ALL || WOLFSSL_ASIO */ + + /* BIOs with file pointers */ + #if !defined(NO_FILESYSTEM) + { + XFILE f1 = XBADFILE; + XFILE f2 = XBADFILE; + BIO* f_bio1 = NULL; + BIO* f_bio2 = NULL; + unsigned char cert[300]; + char testFile[] = "tests/bio_write_test.txt"; + char msg[] = "bio_write_test.txt contains the first 300 bytes of " + "certs/server-cert.pem\n" + "created by tests/unit.test\n\n"; + + ExpectNotNull(f_bio1 = BIO_new(BIO_s_file())); + ExpectNotNull(f_bio2 = BIO_new(BIO_s_file())); + + /* Failure due to wrong BIO type */ + ExpectIntEQ((int)BIO_set_mem_eof_return(f_bio1, -1), 0); + ExpectIntEQ((int)BIO_set_mem_eof_return(NULL, -1), 0); + + ExpectTrue((f1 = XFOPEN(svrCertFile, "rb+")) != XBADFILE); + ExpectIntEQ((int)BIO_set_fp(f_bio1, f1, BIO_CLOSE), WOLFSSL_SUCCESS); + ExpectIntEQ(BIO_write_filename(f_bio2, testFile), + WOLFSSL_SUCCESS); + + ExpectIntEQ(BIO_read(f_bio1, cert, sizeof(cert)), sizeof(cert)); + ExpectIntEQ(BIO_tell(f_bio1),sizeof(cert)); + ExpectIntEQ(BIO_write(f_bio2, msg, sizeof(msg)), sizeof(msg)); + ExpectIntEQ(BIO_tell(f_bio2),sizeof(msg)); + ExpectIntEQ(BIO_write(f_bio2, cert, sizeof(cert)), sizeof(cert)); + ExpectIntEQ(BIO_tell(f_bio2),sizeof(cert) + sizeof(msg)); + + ExpectIntEQ((int)BIO_get_fp(f_bio2, &f2), WOLFSSL_SUCCESS); + ExpectIntEQ(BIO_reset(f_bio2), 1); + ExpectIntEQ(BIO_tell(NULL),-1); + ExpectIntEQ(BIO_tell(f_bio2),0); + ExpectIntEQ(BIO_seek(f_bio2, 4), 0); + ExpectIntEQ(BIO_tell(f_bio2),4); + + BIO_free(f_bio1); + f_bio1 = NULL; + BIO_free(f_bio2); + f_bio2 = NULL; + + ExpectNotNull(f_bio1 = BIO_new_file(svrCertFile, "rb+")); + ExpectIntEQ((int)BIO_set_mem_eof_return(f_bio1, -1), 0); + ExpectIntEQ(BIO_read(f_bio1, cert, sizeof(cert)), sizeof(cert)); + BIO_free(f_bio1); + f_bio1 = NULL; + } + #endif /* !defined(NO_FILESYSTEM) */ + + /* BIO info callback */ + { + const char* testArg = "test"; + BIO* cb_bio = NULL; + ExpectNotNull(cb_bio = BIO_new(BIO_s_mem())); + + BIO_set_callback(cb_bio, bioCallback); + ExpectNotNull(BIO_get_callback(cb_bio)); + BIO_set_callback(cb_bio, NULL); + ExpectNull(BIO_get_callback(cb_bio)); + + BIO_set_callback_arg(cb_bio, (char*)testArg); + ExpectStrEQ(BIO_get_callback_arg(cb_bio), testArg); + ExpectNull(BIO_get_callback_arg(NULL)); + + BIO_free(cb_bio); + cb_bio = NULL; + } + + /* BIO_vfree */ + ExpectNotNull(bio1 = BIO_new(BIO_s_bio())); + BIO_vfree(NULL); + BIO_vfree(bio1); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_BIO_BIO_ring_read(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_ALL) && !defined(NO_BIO) + BIO* bio1 = NULL; + BIO* bio2 = NULL; + byte data[50]; + byte tmp[50]; + + XMEMSET(data, 42, sizeof(data)); + + + ExpectIntEQ(BIO_new_bio_pair(&bio1, sizeof(data), &bio2, sizeof(data)), + SSL_SUCCESS); + + ExpectIntEQ(BIO_write(bio1, data, 40), 40); + ExpectIntEQ(BIO_read(bio1, tmp, 20), -1); + ExpectIntEQ(BIO_read(bio2, tmp, 20), 20); + ExpectBufEQ(tmp, data, 20); + ExpectIntEQ(BIO_write(bio1, data, 20), 20); + ExpectIntEQ(BIO_read(bio2, tmp, 40), 40); + ExpectBufEQ(tmp, data, 40); + + BIO_free(bio1); + BIO_free(bio2); +#endif + return EXPECT_RESULT(); +} + #endif /* !NO_BIO */ diff --git a/tests/api/test_ossl_bio.h b/tests/api/test_ossl_bio.h index 8bcbc743f..aff38a9bb 100644 --- a/tests/api/test_ossl_bio.h +++ b/tests/api/test_ossl_bio.h @@ -40,6 +40,8 @@ int test_wolfSSL_BIO_f_md(void); int test_wolfSSL_BIO_up_ref(void); int test_wolfSSL_BIO_reset(void); int test_wolfSSL_BIO_get_len(void); +int test_wolfSSL_BIO(void); +int test_wolfSSL_BIO_BIO_ring_read(void); #define TEST_OSSL_BIO_DECLS \ TEST_DECL_GROUP("ossl_bio", test_wolfSSL_BIO_gets), \ @@ -52,7 +54,9 @@ int test_wolfSSL_BIO_get_len(void); TEST_DECL_GROUP("ossl_bio", test_wolfSSL_BIO_f_md), \ TEST_DECL_GROUP("ossl_bio", test_wolfSSL_BIO_up_ref), \ TEST_DECL_GROUP("ossl_bio", test_wolfSSL_BIO_reset), \ - TEST_DECL_GROUP("ossl_bio", test_wolfSSL_BIO_get_len) + TEST_DECL_GROUP("ossl_bio", test_wolfSSL_BIO_get_len), \ + TEST_DECL_GROUP("ossl_bio", test_wolfSSL_BIO), \ + TEST_DECL_GROUP("ossl_bio", test_wolfSSL_BIO_BIO_ring_read) #define TEST_OSSL_BIO_TLS_DECLS \ TEST_DECL_GROUP("ossl_bio_tls", test_wolfSSL_BIO_connect), \ diff --git a/tests/api/test_ossl_bn.c b/tests/api/test_ossl_bn.c index 176772eec..be0841a39 100644 --- a/tests/api/test_ossl_bn.c +++ b/tests/api/test_ossl_bn.c @@ -217,14 +217,16 @@ int test_wolfSSL_BN_init(void) ExpectIntEQ(BN_set_word(&cv, 5), SSL_SUCCESS); /* a^b mod c = */ - ExpectIntEQ(BN_mod_exp(&dv, NULL, &bv, &cv, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(BN_mod_exp(&dv, NULL, &bv, &cv, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); ExpectIntEQ(BN_mod_exp(&dv, ap, &bv, &cv, NULL), WOLFSSL_SUCCESS); /* check result 3^2 mod 5 */ ExpectIntEQ(BN_get_word(&dv), 4); /* a*b mod c = */ - ExpectIntEQ(BN_mod_mul(&dv, NULL, &bv, &cv, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(BN_mod_mul(&dv, NULL, &bv, &cv, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); ExpectIntEQ(BN_mod_mul(&dv, ap, &bv, &cv, NULL), SSL_SUCCESS); /* check result 3*2 mod 5 */ @@ -1027,7 +1029,8 @@ int test_wolfSSL_BN_prime(void) EXPECT_DECLS; #if defined(OPENSSL_EXTRA) && !defined(NO_ASN) && \ !defined(OPENSSL_EXTRA_NO_BN) && !defined(WOLFSSL_SP_MATH) -#if defined(WOLFSSL_KEY_GEN) && (!defined(NO_RSA) || !defined(NO_DH) || !defined(NO_DSA)) +#if defined(WOLFSSL_KEY_GEN) && (!defined(NO_RSA) || !defined(NO_DH) || \ + !defined(NO_DSA)) BIGNUM* a = NULL; BIGNUM* add = NULL; BIGNUM* rem = NULL; diff --git a/tests/api/test_ossl_dgst.c b/tests/api/test_ossl_dgst.c index 8bc6c467e..bce1f6229 100644 --- a/tests/api/test_ossl_dgst.c +++ b/tests/api/test_ossl_dgst.c @@ -161,8 +161,10 @@ int test_wolfSSL_MD5_Transform(void) ExpectIntEQ(MD5_Transform(NULL, (const byte*)&input1), 0); ExpectIntEQ(MD5_Transform(&md5.compat, NULL), 0); ExpectIntEQ(wc_Md5Transform(NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wc_Md5Transform(NULL, (const byte*)&input1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wc_Md5Transform(&md5.native, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wc_Md5Transform(NULL, (const byte*)&input1), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wc_Md5Transform(&md5.native, NULL), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); /* Init MD5 CTX */ ExpectIntEQ(wolfSSL_MD5_Init(&md5.compat), 1); @@ -359,8 +361,10 @@ int test_wolfSSL_SHA_Transform(void) ExpectIntEQ(SHA1_Transform(NULL, (const byte*)&input1), 0); ExpectIntEQ(SHA1_Transform(&sha.compat, NULL), 0); ExpectIntEQ(wc_ShaTransform(NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wc_ShaTransform(NULL, (const byte*)&input1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wc_ShaTransform(&sha.native, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wc_ShaTransform(NULL, (const byte*)&input1), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wc_ShaTransform(&sha.native, NULL), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); /* Init SHA CTX */ ExpectIntEQ(SHA_Init(&sha.compat), 1); @@ -500,8 +504,10 @@ int test_wolfSSL_SHA256_Transform(void) ExpectIntEQ(SHA256_Transform(NULL, (const byte*)&input1), 0); ExpectIntEQ(SHA256_Transform(&sha256.compat, NULL), 0); ExpectIntEQ(wc_Sha256Transform(NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wc_Sha256Transform(NULL, (const byte*)&input1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wc_Sha256Transform(&sha256.native, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wc_Sha256Transform(NULL, (const byte*)&input1), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wc_Sha256Transform(&sha256.native, NULL), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); /* Init SHA256 CTX */ ExpectIntEQ(SHA256_Init(&sha256.compat), 1); @@ -574,8 +580,10 @@ int test_wolfSSL_SHA512_Transform(void) ExpectIntEQ(SHA512_Transform(NULL, (const byte*)&input1), 0); ExpectIntEQ(SHA512_Transform(&sha512.compat, NULL), 0); ExpectIntEQ(wc_Sha512Transform(NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wc_Sha512Transform(NULL, (const byte*)&input1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wc_Sha512Transform(&sha512.native, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wc_Sha512Transform(NULL, (const byte*)&input1), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wc_Sha512Transform(&sha512.native, NULL), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); /* Init SHA512 CTX */ ExpectIntEQ(wolfSSL_SHA512_Init(&sha512.compat), 1); @@ -584,8 +592,8 @@ int test_wolfSSL_SHA512_Transform(void) sLen = (word32)XSTRLEN((char*)input1); XMEMCPY(local, input1, sLen); ExpectIntEQ(SHA512_Transform(&sha512.compat, (const byte*)&local[0]), 1); - ExpectIntEQ(XMEMCMP(sha512.native.digest, output1, - WC_SHA512_DIGEST_SIZE), 0); + ExpectIntEQ(XMEMCMP(sha512.native.digest, output1, WC_SHA512_DIGEST_SIZE), + 0); ExpectIntEQ(SHA512_Final(local, &sha512.compat), 1); /* frees resources */ /* Init SHA512 CTX */ @@ -594,8 +602,8 @@ int test_wolfSSL_SHA512_Transform(void) XMEMSET(local, 0, WC_SHA512_BLOCK_SIZE); XMEMCPY(local, input2, sLen); ExpectIntEQ(SHA512_Transform(&sha512.compat, (const byte*)&local[0]), 1); - ExpectIntEQ(XMEMCMP(sha512.native.digest, output2, - WC_SHA512_DIGEST_SIZE), 0); + ExpectIntEQ(XMEMCMP(sha512.native.digest, output2, WC_SHA512_DIGEST_SIZE), + 0); ExpectIntEQ(SHA512_Final(local, &sha512.compat), 1); /* frees resources */ (void)input1; @@ -643,10 +651,12 @@ int test_wolfSSL_SHA512_224_Transform(void) ExpectIntEQ(SHA512_224_Transform(NULL, NULL), 0); ExpectIntEQ(SHA512_224_Transform(NULL, (const byte*)&input1), 0); ExpectIntEQ(SHA512_224_Transform(&sha512.compat, NULL), 0); - ExpectIntEQ(wc_Sha512_224Transform(NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wc_Sha512_224Transform(NULL, NULL), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); ExpectIntEQ(wc_Sha512_224Transform(NULL, (const byte*)&input1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wc_Sha512_224Transform(&sha512.native, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wc_Sha512_224Transform(&sha512.native, NULL), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); /* Init SHA512 CTX */ ExpectIntEQ(wolfSSL_SHA512_224_Init(&sha512.compat), 1); @@ -716,10 +726,12 @@ int test_wolfSSL_SHA512_256_Transform(void) ExpectIntEQ(SHA512_256_Transform(NULL, NULL), 0); ExpectIntEQ(SHA512_256_Transform(NULL, (const byte*)&input1), 0); ExpectIntEQ(SHA512_256_Transform(&sha512.compat, NULL), 0); - ExpectIntEQ(wc_Sha512_256Transform(NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wc_Sha512_256Transform(NULL, NULL), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); ExpectIntEQ(wc_Sha512_256Transform(NULL, (const byte*)&input1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wc_Sha512_256Transform(&sha512.native, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wc_Sha512_256Transform(&sha512.native, NULL), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); /* Init SHA512 CTX */ ExpectIntEQ(wolfSSL_SHA512_256_Init(&sha512.compat), 1); diff --git a/tests/api/test_ossl_ec.c b/tests/api/test_ossl_ec.c index dd5bf28cb..cf314a448 100644 --- a/tests/api/test_ossl_ec.c +++ b/tests/api/test_ossl_ec.c @@ -1345,12 +1345,15 @@ int test_wolfSSL_EC_KEY_print_fp(void) EC_KEY* key = NULL; /* Bad file pointer. */ - ExpectIntEQ(wolfSSL_EC_KEY_print_fp(NULL, key, 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EC_KEY_print_fp(NULL, key, 0), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); /* NULL key. */ - ExpectIntEQ(wolfSSL_EC_KEY_print_fp(stderr, NULL, 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EC_KEY_print_fp(stderr, NULL, 0), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); ExpectNotNull((key = wolfSSL_EC_KEY_new_by_curve_name(NID_secp224r1))); /* Negative indent. */ - ExpectIntEQ(wolfSSL_EC_KEY_print_fp(stderr, key, -1), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EC_KEY_print_fp(stderr, key, -1), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); ExpectIntEQ(wolfSSL_EC_KEY_print_fp(stderr, key, 4), WOLFSSL_SUCCESS); ExpectIntEQ(wolfSSL_EC_KEY_generate_key(key), WOLFSSL_SUCCESS); diff --git a/tests/api/test_ossl_obj.c b/tests/api/test_ossl_obj.c new file mode 100644 index 000000000..e6dc3f025 --- /dev/null +++ b/tests/api/test_ossl_obj.c @@ -0,0 +1,465 @@ +/* test_ossl_obj.c + * + * Copyright (C) 2006-2025 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +#include + +#ifdef NO_INLINE + #include +#else + #define WOLFSSL_MISC_INCLUDED + #include +#endif + +#include +#include +#include +#include + +#if defined(OPENSSL_EXTRA) +static void obj_name_t(const OBJ_NAME* nm, void* arg) +{ + (void)arg; + (void)nm; + + AssertIntGT(nm->type, OBJ_NAME_TYPE_UNDEF); + +#if !defined(NO_FILESYSTEM) && defined(DEBUG_WOLFSSL_VERBOSE) + /* print to stderr */ + AssertNotNull(arg); + + BIO *bio = BIO_new(BIO_s_file()); + BIO_set_fp(bio, arg, BIO_NOCLOSE); + BIO_printf(bio, "%s\n", nm); + BIO_free(bio); +#endif +} + +#endif +int test_OBJ_NAME_do_all(void) +{ + int res = TEST_SKIPPED; +#if defined(OPENSSL_EXTRA) + + OBJ_NAME_do_all(OBJ_NAME_TYPE_MD_METH, NULL, NULL); + + OBJ_NAME_do_all(OBJ_NAME_TYPE_CIPHER_METH, NULL, stderr); + + OBJ_NAME_do_all(OBJ_NAME_TYPE_MD_METH, obj_name_t, stderr); + OBJ_NAME_do_all(OBJ_NAME_TYPE_PKEY_METH, obj_name_t, stderr); + OBJ_NAME_do_all(OBJ_NAME_TYPE_COMP_METH, obj_name_t, stderr); + OBJ_NAME_do_all(OBJ_NAME_TYPE_NUM, obj_name_t, stderr); + OBJ_NAME_do_all(OBJ_NAME_TYPE_UNDEF, obj_name_t, stderr); + OBJ_NAME_do_all(OBJ_NAME_TYPE_CIPHER_METH, obj_name_t, stderr); + OBJ_NAME_do_all(-1, obj_name_t, stderr); + + res = TEST_SUCCESS; +#endif + + return res; +} + +int test_wolfSSL_OBJ(void) +{ +/* Password "wolfSSL test" is only 12 (96-bit) too short for testing in FIPS + * mode + */ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_SHA256) && !defined(NO_ASN) && \ + !defined(HAVE_FIPS) && !defined(NO_SHA) && defined(WOLFSSL_CERT_EXT) && \ + defined(WOLFSSL_CERT_GEN) && !defined(NO_BIO) && \ + !defined(NO_FILESYSTEM) && !defined(NO_STDIO_FILESYSTEM) + ASN1_OBJECT *obj = NULL; + ASN1_OBJECT *obj2 = NULL; + char buf[50]; + + XFILE fp = XBADFILE; + X509 *x509 = NULL; + X509_NAME *x509Name = NULL; + X509_NAME_ENTRY *x509NameEntry = NULL; + ASN1_OBJECT *asn1Name = NULL; + int numNames = 0; + BIO *bio = NULL; + int nid; + int i, j; + const char *f[] = { + #ifndef NO_RSA + "./certs/ca-cert.der", + #endif + #ifdef HAVE_ECC + "./certs/ca-ecc-cert.der", + "./certs/ca-ecc384-cert.der", + #endif + NULL}; + ASN1_OBJECT *field_name_obj = NULL; + int lastpos = -1; + int tmp = -1; + ASN1_STRING *asn1 = NULL; + unsigned char *buf_dyn = NULL; + + ExpectIntEQ(OBJ_obj2txt(buf, (int)sizeof(buf), obj, 1), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectNotNull(obj = OBJ_nid2obj(NID_any_policy)); + ExpectIntEQ(OBJ_obj2nid(obj), NID_any_policy); + ExpectIntEQ(OBJ_obj2txt(buf, (int)sizeof(buf), obj, 1), 11); + ExpectIntGT(OBJ_obj2txt(buf, (int)sizeof(buf), obj, 0), 0); + ASN1_OBJECT_free(obj); + obj = NULL; + + ExpectNotNull(obj = OBJ_nid2obj(NID_sha256)); + ExpectIntEQ(OBJ_obj2nid(obj), NID_sha256); + ExpectIntEQ(OBJ_obj2txt(buf, (int)sizeof(buf), obj, 1), 22); +#ifdef WOLFSSL_CERT_EXT + ExpectIntEQ(OBJ_txt2nid(buf), NID_sha256); +#endif + ExpectIntGT(OBJ_obj2txt(buf, (int)sizeof(buf), obj, 0), 0); + ExpectNotNull(obj2 = OBJ_dup(obj)); + ExpectIntEQ(OBJ_cmp(obj, obj2), 0); + ASN1_OBJECT_free(obj); + obj = NULL; + ASN1_OBJECT_free(obj2); + obj2 = NULL; + + for (i = 0; f[i] != NULL; i++) + { + ExpectTrue((fp = XFOPEN(f[i], "rb")) != XBADFILE); + ExpectNotNull(x509 = d2i_X509_fp(fp, NULL)); + if (fp != XBADFILE) { + XFCLOSE(fp); + fp = XBADFILE; + } + ExpectNotNull(x509Name = X509_get_issuer_name(x509)); + ExpectIntNE((numNames = X509_NAME_entry_count(x509Name)), 0); + + /* Get the Common Name by using OBJ_txt2obj */ + ExpectNotNull(field_name_obj = OBJ_txt2obj("CN", 0)); + ExpectIntEQ(X509_NAME_get_index_by_OBJ(NULL, NULL, 99), + WOLFSSL_FATAL_ERROR); + ExpectIntEQ(X509_NAME_get_index_by_OBJ(x509Name, NULL, 99), + WOLFSSL_FATAL_ERROR); + ExpectIntEQ(X509_NAME_get_index_by_OBJ(NULL, field_name_obj, 99), + WOLFSSL_FATAL_ERROR); + ExpectIntEQ(X509_NAME_get_index_by_OBJ(x509Name, field_name_obj, 99), + WOLFSSL_FATAL_ERROR); + ExpectIntEQ(X509_NAME_get_index_by_OBJ(x509Name, NULL, 0), + WOLFSSL_FATAL_ERROR); + do + { + lastpos = tmp; + tmp = X509_NAME_get_index_by_OBJ(x509Name, field_name_obj, lastpos); + } while (tmp > -1); + ExpectIntNE(lastpos, -1); + ASN1_OBJECT_free(field_name_obj); + field_name_obj = NULL; + ExpectNotNull(x509NameEntry = X509_NAME_get_entry(x509Name, lastpos)); + ExpectNotNull(asn1 = X509_NAME_ENTRY_get_data(x509NameEntry)); + ExpectIntGE(ASN1_STRING_to_UTF8(&buf_dyn, asn1), 0); + /* + * All Common Names should be www.wolfssl.com + * This makes testing easier as we can test for the expected value. + */ + ExpectStrEQ((char*)buf_dyn, "www.wolfssl.com"); + OPENSSL_free(buf_dyn); + buf_dyn = NULL; + bio = BIO_new(BIO_s_mem()); + ExpectTrue(bio != NULL); + for (j = 0; j < numNames; j++) + { + ExpectNotNull(x509NameEntry = X509_NAME_get_entry(x509Name, j)); + ExpectNotNull(asn1Name = X509_NAME_ENTRY_get_object(x509NameEntry)); + ExpectTrue((nid = OBJ_obj2nid(asn1Name)) > 0); + } + BIO_free(bio); + bio = NULL; + X509_free(x509); + x509 = NULL; + + } + +#ifdef HAVE_PKCS12 + { + PKCS12 *p12 = NULL; + int boolRet; + EVP_PKEY *pkey = NULL; + const char *p12_f[] = { + /* bundle uses AES-CBC 256 and PKCS7 key uses DES3 */ + #if !defined(NO_DES3) && defined(WOLFSSL_AES_256) && !defined(NO_RSA) + "./certs/test-servercert.p12", + #endif + NULL + }; + + for (i = 0; p12_f[i] != NULL; i++) + { + ExpectTrue((fp = XFOPEN(p12_f[i], "rb")) != XBADFILE); + ExpectNotNull(p12 = d2i_PKCS12_fp(fp, NULL)); + if (fp != XBADFILE) { + XFCLOSE(fp); + fp = XBADFILE; + } + ExpectTrue((boolRet = PKCS12_parse(p12, "wolfSSL test", + &pkey, &x509, NULL)) > 0); + wc_PKCS12_free(p12); + p12 = NULL; + EVP_PKEY_free(pkey); + x509Name = X509_get_issuer_name(x509); + ExpectNotNull(x509Name); + ExpectIntNE((numNames = X509_NAME_entry_count(x509Name)), 0); + ExpectTrue((bio = BIO_new(BIO_s_mem())) != NULL); + for (j = 0; j < numNames; j++) + { + ExpectNotNull(x509NameEntry = X509_NAME_get_entry(x509Name, j)); + ExpectNotNull(asn1Name = + X509_NAME_ENTRY_get_object(x509NameEntry)); + ExpectTrue((nid = OBJ_obj2nid(asn1Name)) > 0); + } + BIO_free(bio); + bio = NULL; + X509_free(x509); + x509 = NULL; + } + } +#endif /* HAVE_PKCS12 */ +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_OBJ_cmp(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_SHA256) + ASN1_OBJECT *obj = NULL; + ASN1_OBJECT *obj2 = NULL; + + ExpectNotNull(obj = OBJ_nid2obj(NID_any_policy)); + ExpectNotNull(obj2 = OBJ_nid2obj(NID_sha256)); + + ExpectIntEQ(OBJ_cmp(NULL, NULL), WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); + ExpectIntEQ(OBJ_cmp(obj, NULL), WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); + ExpectIntEQ(OBJ_cmp(NULL, obj2), WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); + ExpectIntEQ(OBJ_cmp(obj, obj2), WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); + ExpectIntEQ(OBJ_cmp(obj, obj), 0); + ExpectIntEQ(OBJ_cmp(obj2, obj2), 0); + + ASN1_OBJECT_free(obj); + ASN1_OBJECT_free(obj2); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_OBJ_txt2nid(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \ + defined(WOLFSSL_APACHE_HTTPD) + int i; + static const struct { + const char* sn; + const char* ln; + const char* oid; + int nid; + } testVals[] = { +#ifdef WOLFSSL_APACHE_HTTPD + { "tlsfeature", "TLS Feature", "1.3.6.1.5.5.7.1.24", NID_tlsfeature }, + { "id-on-dnsSRV", "SRVName", "1.3.6.1.5.5.7.8.7", + NID_id_on_dnsSRV }, + { "msUPN", "Microsoft User Principal Name", + "1.3.6.1.4.1.311.20.2.3", NID_ms_upn }, +#endif + { NULL, NULL, NULL, NID_undef } + }; + + /* Invalid cases */ + ExpectIntEQ(OBJ_txt2nid(NULL), NID_undef); + ExpectIntEQ(OBJ_txt2nid("Bad name"), NID_undef); + + /* Valid cases */ + for (i = 0; testVals[i].sn != NULL; i++) { + ExpectIntEQ(OBJ_txt2nid(testVals[i].sn), testVals[i].nid); + ExpectIntEQ(OBJ_txt2nid(testVals[i].ln), testVals[i].nid); + ExpectIntEQ(OBJ_txt2nid(testVals[i].oid), testVals[i].nid); + } +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_OBJ_txt2obj(void) +{ + EXPECT_DECLS; +#if defined(WOLFSSL_APACHE_HTTPD) || (defined(OPENSSL_EXTRA) && \ + defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_CERT_GEN)) + int i; + char buf[50]; + ASN1_OBJECT* obj = NULL; + static const struct { + const char* oidStr; + const char* sn; + const char* ln; + } objs_list[] = { + #if defined(WOLFSSL_APACHE_HTTPD) + { "1.3.6.1.5.5.7.1.24", "tlsfeature", "TLS Feature" }, + { "1.3.6.1.5.5.7.8.7", "id-on-dnsSRV", "SRVName" }, + #endif + { "2.5.29.19", "basicConstraints", "X509v3 Basic Constraints"}, + { NULL, NULL, NULL } + }; + static const struct { + const char* numeric; + const char* name; + } objs_named[] = { + /* In dictionary but not in normal list. */ + { "1.3.6.1.5.5.7.3.8", "Time Stamping" }, + /* Made up OID. */ + { "1.3.5.7", "1.3.5.7" }, + { NULL, NULL } + }; + + ExpectNull(obj = OBJ_txt2obj("Bad name", 0)); + ASN1_OBJECT_free(obj); + obj = NULL; + ExpectNull(obj = OBJ_txt2obj(NULL, 0)); + ASN1_OBJECT_free(obj); + obj = NULL; + + for (i = 0; objs_list[i].oidStr != NULL; i++) { + /* Test numerical value of oid (oidStr) */ + ExpectNotNull(obj = OBJ_txt2obj(objs_list[i].oidStr, 1)); + /* Convert object back to text to confirm oid is correct */ + wolfSSL_OBJ_obj2txt(buf, (int)sizeof(buf), obj, 1); + ExpectIntEQ(XSTRNCMP(buf, objs_list[i].oidStr, (int)XSTRLEN(buf)), 0); + ASN1_OBJECT_free(obj); + obj = NULL; + XMEMSET(buf, 0, sizeof(buf)); + + /* Test short name (sn) */ + ExpectNull(obj = OBJ_txt2obj(objs_list[i].sn, 1)); + ExpectNotNull(obj = OBJ_txt2obj(objs_list[i].sn, 0)); + /* Convert object back to text to confirm oid is correct */ + wolfSSL_OBJ_obj2txt(buf, (int)sizeof(buf), obj, 1); + ExpectIntEQ(XSTRNCMP(buf, objs_list[i].oidStr, (int)XSTRLEN(buf)), 0); + ASN1_OBJECT_free(obj); + obj = NULL; + XMEMSET(buf, 0, sizeof(buf)); + + /* Test long name (ln) - should fail when no_name = 1 */ + ExpectNull(obj = OBJ_txt2obj(objs_list[i].ln, 1)); + ExpectNotNull(obj = OBJ_txt2obj(objs_list[i].ln, 0)); + /* Convert object back to text to confirm oid is correct */ + wolfSSL_OBJ_obj2txt(buf, (int)sizeof(buf), obj, 1); + ExpectIntEQ(XSTRNCMP(buf, objs_list[i].oidStr, (int)XSTRLEN(buf)), 0); + ASN1_OBJECT_free(obj); + obj = NULL; + XMEMSET(buf, 0, sizeof(buf)); + } + + for (i = 0; objs_named[i].numeric != NULL; i++) { + ExpectNotNull(obj = OBJ_txt2obj(objs_named[i].numeric, 1)); + wolfSSL_OBJ_obj2txt(buf, (int)sizeof(buf), obj, 0); + ExpectIntEQ(XSTRNCMP(buf, objs_named[i].name, (int)XSTRLEN(buf)), 0); + wolfSSL_OBJ_obj2txt(buf, (int)sizeof(buf), obj, 1); + ExpectIntEQ(XSTRNCMP(buf, objs_named[i].numeric, (int)XSTRLEN(buf)), 0); + ASN1_OBJECT_free(obj); + obj = NULL; + } +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_OBJ_ln(void) +{ + EXPECT_DECLS; +#ifdef OPENSSL_ALL + const int nid_set[] = { + NID_commonName, + NID_serialNumber, + NID_countryName, + NID_localityName, + NID_stateOrProvinceName, + NID_organizationName, + NID_organizationalUnitName, + NID_domainComponent, + NID_businessCategory, + NID_jurisdictionCountryName, + NID_jurisdictionStateOrProvinceName, + NID_emailAddress + }; + const char* ln_set[] = { + "commonName", + "serialNumber", + "countryName", + "localityName", + "stateOrProvinceName", + "organizationName", + "organizationalUnitName", + "domainComponent", + "businessCategory", + "jurisdictionCountryName", + "jurisdictionStateOrProvinceName", + "emailAddress", + }; + size_t i = 0, maxIdx = sizeof(ln_set)/sizeof(char*); + + ExpectIntEQ(OBJ_ln2nid(NULL), NID_undef); + +#ifdef HAVE_ECC +#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) + { + EC_builtin_curve r[27]; + size_t nCurves = sizeof(r) / sizeof(r[0]); + nCurves = EC_get_builtin_curves(r, nCurves); + + for (i = 0; i < nCurves; i++) { + /* skip ECC_CURVE_INVALID */ + if (r[i].nid != ECC_CURVE_INVALID) { + ExpectIntEQ(OBJ_ln2nid(r[i].comment), r[i].nid); + ExpectStrEQ(OBJ_nid2ln(r[i].nid), r[i].comment); + } + } + } +#endif +#endif + + for (i = 0; i < maxIdx; i++) { + ExpectIntEQ(OBJ_ln2nid(ln_set[i]), nid_set[i]); + ExpectStrEQ(OBJ_nid2ln(nid_set[i]), ln_set[i]); + } +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_OBJ_sn(void) +{ + EXPECT_DECLS; +#ifdef OPENSSL_ALL + int i = 0, maxIdx = 7; + const int nid_set[] = {NID_commonName,NID_countryName,NID_localityName, + NID_stateOrProvinceName,NID_organizationName, + NID_organizationalUnitName,NID_emailAddress}; + const char* sn_open_set[] = {"CN","C","L","ST","O","OU","emailAddress"}; + + ExpectIntEQ(wolfSSL_OBJ_sn2nid(NULL), NID_undef); + for (i = 0; i < maxIdx; i++) { + ExpectIntEQ(wolfSSL_OBJ_sn2nid(sn_open_set[i]), nid_set[i]); + ExpectStrEQ(wolfSSL_OBJ_nid2sn(nid_set[i]), sn_open_set[i]); + } +#endif + return EXPECT_RESULT(); +} + diff --git a/tests/api/test_ossl_obj.h b/tests/api/test_ossl_obj.h new file mode 100644 index 000000000..c780e664d --- /dev/null +++ b/tests/api/test_ossl_obj.h @@ -0,0 +1,45 @@ +/* test_ossl_obj.h + * + * Copyright (C) 2006-2025 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +#ifndef WOLFCRYPT_TEST_OSSL_OBJ_H +#define WOLFCRYPT_TEST_OSSL_OBJ_H + +#include + +int test_OBJ_NAME_do_all(void); +int test_wolfSSL_OBJ(void); +int test_wolfSSL_OBJ_cmp(void); +int test_wolfSSL_OBJ_txt2nid(void); +int test_wolfSSL_OBJ_txt2obj(void); +int test_wolfSSL_OBJ_ln(void); +int test_wolfSSL_OBJ_sn(void); + +#define TEST_OSSL_OBJ_DECLS \ + TEST_DECL_GROUP("ossl_obj", test_OBJ_NAME_do_all), \ + TEST_DECL_GROUP("ossl_obj", test_wolfSSL_OBJ), \ + TEST_DECL_GROUP("ossl_obj", test_wolfSSL_OBJ_cmp), \ + TEST_DECL_GROUP("ossl_obj", test_wolfSSL_OBJ_txt2nid), \ + TEST_DECL_GROUP("ossl_obj", test_wolfSSL_OBJ_txt2obj), \ + TEST_DECL_GROUP("ossl_obj", test_wolfSSL_OBJ_ln), \ + TEST_DECL_GROUP("ossl_obj", test_wolfSSL_OBJ_sn) + +#endif /* WOLFCRYPT_TEST_OSSL_OBJ_H */ + diff --git a/tests/api/test_ossl_p7p12.c b/tests/api/test_ossl_p7p12.c new file mode 100644 index 000000000..6611cf831 --- /dev/null +++ b/tests/api/test_ossl_p7p12.c @@ -0,0 +1,1321 @@ +/* test_ossl_p7p12.c + * + * Copyright (C) 2006-2025 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +#include + +#ifdef NO_INLINE + #include +#else + #define WOLFSSL_MISC_INCLUDED + #include +#endif + +#include +#include +#include +#include +#include +#include + +int test_wolfssl_PKCS7(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_ALL) && defined(HAVE_PKCS7) && !defined(NO_BIO) && \ + !defined(NO_RSA) + PKCS7* pkcs7 = NULL; + byte data[FOURK_BUF]; + word32 len = sizeof(data); + const byte* p = data; + byte content[] = "Test data to encode."; +#if !defined(NO_RSA) & defined(USE_CERT_BUFFERS_2048) + BIO* bio = NULL; + byte key[sizeof(client_key_der_2048)]; + word32 keySz = (word32)sizeof(key); + byte* out = NULL; +#endif + + ExpectIntGT((len = (word32)CreatePKCS7SignedData(data, (int)len, content, + (word32)sizeof(content), 0, 0, 0, RSA_TYPE)), 0); + + ExpectNull(pkcs7 = d2i_PKCS7(NULL, NULL, (int)len)); + ExpectNull(pkcs7 = d2i_PKCS7(NULL, &p, 0)); + ExpectNotNull(pkcs7 = d2i_PKCS7(NULL, &p, (int)len)); + ExpectIntEQ(wolfSSL_PKCS7_verify(NULL, NULL, NULL, NULL, NULL, + PKCS7_NOVERIFY), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + PKCS7_free(pkcs7); + pkcs7 = NULL; + + /* fail case, without PKCS7_NOVERIFY */ + p = data; + ExpectNotNull(pkcs7 = d2i_PKCS7(NULL, &p, (int)len)); + ExpectIntEQ(wolfSSL_PKCS7_verify(pkcs7, NULL, NULL, NULL, NULL, + 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + PKCS7_free(pkcs7); + pkcs7 = NULL; + + /* success case, with PKCS7_NOVERIFY */ + p = data; + ExpectNotNull(pkcs7 = d2i_PKCS7(NULL, &p, (int)len)); + ExpectIntEQ(wolfSSL_PKCS7_verify(pkcs7, NULL, NULL, NULL, NULL, + PKCS7_NOVERIFY), WOLFSSL_SUCCESS); + +#if !defined(NO_RSA) & defined(USE_CERT_BUFFERS_2048) + /* test i2d */ + XMEMCPY(key, client_key_der_2048, keySz); + if (pkcs7 != NULL) { + pkcs7->privateKey = key; + pkcs7->privateKeySz = (word32)sizeof(key); + pkcs7->encryptOID = RSAk; + #ifdef NO_SHA + pkcs7->hashOID = SHA256h; + #else + pkcs7->hashOID = SHAh; + #endif + } + ExpectNotNull(bio = BIO_new(BIO_s_mem())); + ExpectIntEQ(i2d_PKCS7_bio(bio, pkcs7), 1); +#ifndef NO_ASN_TIME + ExpectIntEQ(i2d_PKCS7(pkcs7, &out), 655); +#else + ExpectIntEQ(i2d_PKCS7(pkcs7, &out), 625); +#endif + XFREE(out, NULL, DYNAMIC_TYPE_TMP_BUFFER); + BIO_free(bio); +#endif + + PKCS7_free(NULL); + PKCS7_free(pkcs7); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_PKCS7_certs(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_ALL) && !defined(NO_CERTS) && !defined(NO_BIO) && \ + !defined(NO_FILESYSTEM) && !defined(NO_RSA) && defined(HAVE_PKCS7) + STACK_OF(X509)* sk = NULL; + STACK_OF(X509_INFO)* info_sk = NULL; + PKCS7 *p7 = NULL; + BIO* bio = NULL; + const byte* p = NULL; + int buflen = 0; + int i; + + /* Test twice. Once with d2i and once without to test + * that everything is free'd correctly. */ + for (i = 0; i < 2; i++) { + ExpectNotNull(p7 = PKCS7_new()); + if (p7 != NULL) { + p7->version = 1; + #ifdef NO_SHA + p7->hashOID = SHA256h; + #else + p7->hashOID = SHAh; + #endif + } + ExpectNotNull(bio = BIO_new(BIO_s_file())); + ExpectIntGT(BIO_read_filename(bio, svrCertFile), 0); + ExpectNotNull(info_sk = PEM_X509_INFO_read_bio(bio, NULL, NULL, NULL)); + ExpectIntEQ(sk_X509_INFO_num(info_sk), 2); + ExpectNotNull(sk = sk_X509_new_null()); + while (EXPECT_SUCCESS() && (sk_X509_INFO_num(info_sk) > 0)) { + X509_INFO* info = NULL; + ExpectNotNull(info = sk_X509_INFO_shift(info_sk)); + if (EXPECT_SUCCESS() && info != NULL) { + ExpectIntGT(sk_X509_push(sk, info->x509), 0); + info->x509 = NULL; + } + X509_INFO_free(info); + } + sk_X509_INFO_pop_free(info_sk, X509_INFO_free); + info_sk = NULL; + BIO_free(bio); + bio = NULL; + ExpectNotNull(bio = BIO_new(BIO_s_mem())); + ExpectIntEQ(wolfSSL_PKCS7_encode_certs(p7, sk, bio), 1); + if ((sk != NULL) && ((p7 == NULL) || (bio == NULL))) { + sk_X509_pop_free(sk, X509_free); + } + sk = NULL; + ExpectIntGT((buflen = BIO_get_mem_data(bio, &p)), 0); + + if (i == 0) { + PKCS7_free(p7); + p7 = NULL; + ExpectNotNull(d2i_PKCS7(&p7, &p, buflen)); + if (p7 != NULL) { + /* Reset certs to force wolfSSL_PKCS7_to_stack to regenerate + * them */ + ((WOLFSSL_PKCS7*)p7)->certs = NULL; + } + /* PKCS7_free free's the certs */ + ExpectNotNull(wolfSSL_PKCS7_to_stack(p7)); + } + + BIO_free(bio); + bio = NULL; + PKCS7_free(p7); + p7 = NULL; + } +#endif /* defined(OPENSSL_ALL) && !defined(NO_CERTS) && \ + !defined(NO_FILESYSTEM) && !defined(NO_RSA) && defined(HAVE_PKCS7) */ + return EXPECT_RESULT(); +} + +int test_wolfSSL_PKCS7_sign(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_ALL) && defined(HAVE_PKCS7) && !defined(NO_BIO) && \ + !defined(NO_FILESYSTEM) && !defined(NO_RSA) + + PKCS7* p7 = NULL; + PKCS7* p7Ver = NULL; + byte* out = NULL; + byte* tmpPtr = NULL; + int outLen = 0; + int flags = 0; + byte data[] = "Test data to encode."; + + const char* cert = "./certs/server-cert.pem"; + const char* key = "./certs/server-key.pem"; + const char* ca = "./certs/ca-cert.pem"; + + WOLFSSL_BIO* certBio = NULL; + WOLFSSL_BIO* keyBio = NULL; + WOLFSSL_BIO* caBio = NULL; + WOLFSSL_BIO* inBio = NULL; + X509* signCert = NULL; + EVP_PKEY* signKey = NULL; + X509* caCert = NULL; + X509_STORE* store = NULL; +#ifndef NO_PKCS7_STREAM + int z; + int ret; +#endif /* !NO_PKCS7_STREAM */ + + /* read signer cert/key into BIO */ + ExpectNotNull(certBio = BIO_new_file(cert, "r")); + ExpectNotNull(keyBio = BIO_new_file(key, "r")); + ExpectNotNull(signCert = PEM_read_bio_X509(certBio, NULL, 0, NULL)); + ExpectNotNull(signKey = PEM_read_bio_PrivateKey(keyBio, NULL, 0, NULL)); + + /* read CA cert into store (for verify) */ + ExpectNotNull(caBio = BIO_new_file(ca, "r")); + ExpectNotNull(caCert = PEM_read_bio_X509(caBio, NULL, 0, NULL)); + ExpectNotNull(store = X509_STORE_new()); + ExpectIntEQ(X509_STORE_add_cert(store, caCert), 1); + + /* data to be signed into BIO */ + ExpectNotNull(inBio = BIO_new(BIO_s_mem())); + ExpectIntGT(BIO_write(inBio, data, sizeof(data)), 0); + + /* PKCS7_sign, bad args: signer NULL */ + ExpectNull(p7 = PKCS7_sign(NULL, signKey, NULL, inBio, 0)); + /* PKCS7_sign, bad args: signer key NULL */ + ExpectNull(p7 = PKCS7_sign(signCert, NULL, NULL, inBio, 0)); + /* PKCS7_sign, bad args: in data NULL without PKCS7_STREAM */ + ExpectNull(p7 = PKCS7_sign(signCert, signKey, NULL, NULL, 0)); + /* PKCS7_sign, bad args: PKCS7_NOCERTS flag not supported */ + ExpectNull(p7 = PKCS7_sign(signCert, signKey, NULL, inBio, PKCS7_NOCERTS)); + /* PKCS7_sign, bad args: PKCS7_PARTIAL flag not supported */ + ExpectNull(p7 = PKCS7_sign(signCert, signKey, NULL, inBio, PKCS7_PARTIAL)); + + /* TEST SUCCESS: Not detached, not streaming, not MIME */ + { + flags = PKCS7_BINARY; + ExpectNotNull(p7 = PKCS7_sign(signCert, signKey, NULL, inBio, flags)); + ExpectIntGT((outLen = i2d_PKCS7(p7, &out)), 0); + + /* verify with d2i_PKCS7 */ + tmpPtr = out; + ExpectNotNull(p7Ver = d2i_PKCS7(NULL, (const byte**)&tmpPtr, outLen)); + ExpectIntEQ(PKCS7_verify(p7Ver, NULL, store, NULL, NULL, flags), 1); + PKCS7_free(p7Ver); + p7Ver = NULL; + + /* verify with wc_PKCS7_VerifySignedData */ + ExpectNotNull(p7Ver = wc_PKCS7_New(HEAP_HINT, testDevId)); + ExpectIntEQ(wc_PKCS7_Init(p7Ver, HEAP_HINT, INVALID_DEVID), 0); + ExpectIntEQ(wc_PKCS7_VerifySignedData(p7Ver, out, (word32)outLen), 0); + + #ifndef NO_PKCS7_STREAM + /* verify with wc_PKCS7_VerifySignedData streaming */ + wc_PKCS7_Free(p7Ver); + p7Ver = NULL; + ExpectNotNull(p7Ver = wc_PKCS7_New(HEAP_HINT, testDevId)); + ExpectIntEQ(wc_PKCS7_Init(p7Ver, HEAP_HINT, INVALID_DEVID), 0); + /* test for streaming */ + ret = -1; + for (z = 0; z < outLen && ret != 0; z++) { + ret = wc_PKCS7_VerifySignedData(p7Ver, out + z, 1); + if (ret < 0){ + ExpectIntEQ(ret, WC_NO_ERR_TRACE(WC_PKCS7_WANT_READ_E)); + } + } + ExpectIntEQ(ret, 0); + #endif /* !NO_PKCS7_STREAM */ + + /* compare the signer found to expected signer */ + ExpectIntNE(p7Ver->verifyCertSz, 0); + tmpPtr = NULL; + ExpectIntEQ(i2d_X509(signCert, &tmpPtr), p7Ver->verifyCertSz); + ExpectIntEQ(XMEMCMP(tmpPtr, p7Ver->verifyCert, p7Ver->verifyCertSz), 0); + XFREE(tmpPtr, NULL, DYNAMIC_TYPE_OPENSSL); + tmpPtr = NULL; + + wc_PKCS7_Free(p7Ver); + p7Ver = NULL; + + ExpectNotNull(out); + XFREE(out, NULL, DYNAMIC_TYPE_TMP_BUFFER); + out = NULL; + PKCS7_free(p7); + p7 = NULL; + } + + /* TEST SUCCESS: Not detached, streaming, not MIME. Also bad arg + * tests for PKCS7_final() while we have a PKCS7 pointer to use */ + { + /* re-populate input BIO, may have been consumed */ + BIO_free(inBio); + inBio = NULL; + ExpectNotNull(inBio = BIO_new(BIO_s_mem())); + ExpectIntGT(BIO_write(inBio, data, sizeof(data)), 0); + + flags = PKCS7_BINARY | PKCS7_STREAM; + ExpectNotNull(p7 = PKCS7_sign(signCert, signKey, NULL, inBio, flags)); + ExpectIntEQ(PKCS7_final(p7, inBio, flags), 1); + ExpectIntGT((outLen = i2d_PKCS7(p7, &out)), 0); + + /* PKCS7_final, bad args: PKCS7 null */ + ExpectIntEQ(PKCS7_final(NULL, inBio, 0), 0); + /* PKCS7_final, bad args: PKCS7 null */ + ExpectIntEQ(PKCS7_final(p7, NULL, 0), 0); + + tmpPtr = out; + ExpectNotNull(p7Ver = d2i_PKCS7(NULL, (const byte**)&tmpPtr, outLen)); + ExpectIntEQ(PKCS7_verify(p7Ver, NULL, store, NULL, NULL, flags), 1); + PKCS7_free(p7Ver); + p7Ver = NULL; + + ExpectNotNull(out); + XFREE(out, NULL, DYNAMIC_TYPE_TMP_BUFFER); + out = NULL; + PKCS7_free(p7); + p7 = NULL; + } + + /* TEST SUCCESS: Detached, not streaming, not MIME */ + { + /* re-populate input BIO, may have been consumed */ + BIO_free(inBio); + inBio = NULL; + ExpectNotNull(inBio = BIO_new(BIO_s_mem())); + ExpectIntGT(BIO_write(inBio, data, sizeof(data)), 0); + + flags = PKCS7_BINARY | PKCS7_DETACHED; + ExpectNotNull(p7 = PKCS7_sign(signCert, signKey, NULL, inBio, flags)); + ExpectIntGT((outLen = i2d_PKCS7(p7, &out)), 0); + ExpectNotNull(out); + + /* verify with wolfCrypt, d2i_PKCS7 does not support detached content */ + ExpectNotNull(p7Ver = wc_PKCS7_New(HEAP_HINT, testDevId)); + if (p7Ver != NULL) { + p7Ver->content = data; + p7Ver->contentSz = sizeof(data); + } + ExpectIntEQ(wc_PKCS7_VerifySignedData(p7Ver, out, (word32)outLen), 0); + wc_PKCS7_Free(p7Ver); + p7Ver = NULL; + + #ifndef NO_PKCS7_STREAM + /* verify with wc_PKCS7_VerifySignedData streaming */ + ExpectNotNull(p7Ver = wc_PKCS7_New(HEAP_HINT, testDevId)); + if (p7Ver != NULL) { + p7Ver->content = data; + p7Ver->contentSz = sizeof(data); + } + /* test for streaming */ + if (EXPECT_SUCCESS()) { + ret = -1; + for (z = 0; z < outLen && ret != 0; z++) { + ret = wc_PKCS7_VerifySignedData(p7Ver, out + z, 1); + if (ret < 0){ + ExpectIntEQ(ret, WC_NO_ERR_TRACE(WC_PKCS7_WANT_READ_E)); + } + } + ExpectIntEQ(ret, 0); + } + wc_PKCS7_Free(p7Ver); + p7Ver = NULL; + #endif /* !NO_PKCS7_STREAM */ + + /* verify expected failure (NULL return) from d2i_PKCS7, it does not + * yet support detached content */ + tmpPtr = out; + ExpectNull(p7Ver = d2i_PKCS7(NULL, (const byte**)&tmpPtr, outLen)); + PKCS7_free(p7Ver); + p7Ver = NULL; + + XFREE(out, NULL, DYNAMIC_TYPE_TMP_BUFFER); + out = NULL; + PKCS7_free(p7); + p7 = NULL; + } + + /* TEST SUCCESS: Detached, streaming, not MIME */ + { + /* re-populate input BIO, may have been consumed */ + BIO_free(inBio); + inBio = NULL; + ExpectNotNull(inBio = BIO_new(BIO_s_mem())); + ExpectIntGT(BIO_write(inBio, data, sizeof(data)), 0); + + flags = PKCS7_BINARY | PKCS7_DETACHED | PKCS7_STREAM; + ExpectNotNull(p7 = PKCS7_sign(signCert, signKey, NULL, inBio, flags)); + ExpectIntEQ(PKCS7_final(p7, inBio, flags), 1); + ExpectIntGT((outLen = i2d_PKCS7(p7, &out)), 0); + + /* verify with wolfCrypt, d2i_PKCS7 does not support detached content */ + ExpectNotNull(p7Ver = wc_PKCS7_New(HEAP_HINT, testDevId)); + if (p7Ver != NULL) { + p7Ver->content = data; + p7Ver->contentSz = sizeof(data); + } + ExpectIntEQ(wc_PKCS7_VerifySignedData(p7Ver, out, (word32)outLen), 0); + wc_PKCS7_Free(p7Ver); + p7Ver = NULL; + + ExpectNotNull(out); + + #ifndef NO_PKCS7_STREAM + /* verify with wc_PKCS7_VerifySignedData streaming */ + ExpectNotNull(p7Ver = wc_PKCS7_New(HEAP_HINT, testDevId)); + if (p7Ver != NULL) { + p7Ver->content = data; + p7Ver->contentSz = sizeof(data); + } + /* test for streaming */ + if (EXPECT_SUCCESS()) { + ret = -1; + for (z = 0; z < outLen && ret != 0; z++) { + ret = wc_PKCS7_VerifySignedData(p7Ver, out + z, 1); + if (ret < 0){ + ExpectIntEQ(ret, WC_NO_ERR_TRACE(WC_PKCS7_WANT_READ_E)); + } + } + ExpectIntEQ(ret, 0); + } + wc_PKCS7_Free(p7Ver); + p7Ver = NULL; + #endif /* !NO_PKCS7_STREAM */ + + XFREE(out, NULL, DYNAMIC_TYPE_TMP_BUFFER); + PKCS7_free(p7); + p7 = NULL; + } + + X509_STORE_free(store); + X509_free(caCert); + X509_free(signCert); + EVP_PKEY_free(signKey); + BIO_free(inBio); + BIO_free(keyBio); + BIO_free(certBio); + BIO_free(caBio); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_PKCS7_SIGNED_new(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_ALL) && defined(HAVE_PKCS7) + PKCS7_SIGNED* pkcs7 = NULL; + + ExpectNotNull(pkcs7 = PKCS7_SIGNED_new()); + ExpectIntEQ(pkcs7->contentOID, SIGNED_DATA); + + PKCS7_SIGNED_free(pkcs7); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_PEM_write_bio_PKCS7(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_ALL) && defined(HAVE_PKCS7) && !defined(NO_FILESYSTEM) && \ + !defined(NO_BIO) + PKCS7* pkcs7 = NULL; + BIO* bio = NULL; + const byte* cert_buf = NULL; + int ret = 0; + WC_RNG rng; + const byte data[] = { /* Hello World */ + 0x48,0x65,0x6c,0x6c,0x6f,0x20,0x57,0x6f, + 0x72,0x6c,0x64 + }; +#ifndef NO_RSA + #if defined(USE_CERT_BUFFERS_2048) + byte key[sizeof(client_key_der_2048)]; + byte cert[sizeof(client_cert_der_2048)]; + word32 keySz = (word32)sizeof(key); + word32 certSz = (word32)sizeof(cert); + XMEMSET(key, 0, keySz); + XMEMSET(cert, 0, certSz); + XMEMCPY(key, client_key_der_2048, keySz); + XMEMCPY(cert, client_cert_der_2048, certSz); + #elif defined(USE_CERT_BUFFERS_1024) + byte key[sizeof_client_key_der_1024]; + byte cert[sizeof(sizeof_client_cert_der_1024)]; + word32 keySz = (word32)sizeof(key); + word32 certSz = (word32)sizeof(cert); + XMEMSET(key, 0, keySz); + XMEMSET(cert, 0, certSz); + XMEMCPY(key, client_key_der_1024, keySz); + XMEMCPY(cert, client_cert_der_1024, certSz); + #else + unsigned char cert[ONEK_BUF]; + unsigned char key[ONEK_BUF]; + XFILE fp = XBADFILE; + int certSz; + int keySz; + + ExpectTrue((fp = XFOPEN("./certs/1024/client-cert.der", "rb")) != + XBADFILE); + ExpectIntGT(certSz = (int)XFREAD(cert, 1, sizeof_client_cert_der_1024, + fp), 0); + if (fp != XBADFILE) { + XFCLOSE(fp); + fp = XBADFILE; + } + + ExpectTrue((fp = XFOPEN("./certs/1024/client-key.der", "rb")) != + XBADFILE); + ExpectIntGT(keySz = (int)XFREAD(key, 1, sizeof_client_key_der_1024, fp), + 0); + if (fp != XBADFILE) { + XFCLOSE(fp); + fp = XBADFILE; + } + #endif +#elif defined(HAVE_ECC) + #if defined(USE_CERT_BUFFERS_256) + unsigned char cert[sizeof(cliecc_cert_der_256)]; + unsigned char key[sizeof(ecc_clikey_der_256)]; + int certSz = (int)sizeof(cert); + int keySz = (int)sizeof(key); + XMEMSET(cert, 0, certSz); + XMEMSET(key, 0, keySz); + XMEMCPY(cert, cliecc_cert_der_256, sizeof_cliecc_cert_der_256); + XMEMCPY(key, ecc_clikey_der_256, sizeof_ecc_clikey_der_256); + #else + unsigned char cert[ONEK_BUF]; + unsigned char key[ONEK_BUF]; + XFILE fp = XBADFILE; + int certSz, keySz; + + ExpectTrue((fp = XFOPEN("./certs/client-ecc-cert.der", "rb")) != + XBADFILE); + ExpectIntGT(certSz = (int)XFREAD(cert, 1, sizeof_cliecc_cert_der_256, + fp), 0); + if (fp != XBADFILE) { + XFCLOSE(fp); + fp = XBADFILE; + } + + ExpectTrue((fp = XFOPEN("./certs/client-ecc-key.der", "rb")) != + XBADFILE); + ExpectIntGT(keySz = (int)XFREAD(key, 1, sizeof_ecc_clikey_der_256, fp), + 0); + if (fp != XBADFILE) { + XFCLOSE(fp); + fp = XBADFILE; + } + #endif +#else + #error PKCS7 requires ECC or RSA +#endif + + ExpectNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, testDevId)); + /* initialize with DER encoded cert */ + ExpectIntEQ(wc_PKCS7_InitWithCert(pkcs7, (byte*)cert, (word32)certSz), 0); + + /* init rng */ + XMEMSET(&rng, 0, sizeof(WC_RNG)); + ExpectIntEQ(wc_InitRng(&rng), 0); + + if (pkcs7 != NULL) { + pkcs7->rng = &rng; + pkcs7->content = (byte*)data; /* not used for ex */ + pkcs7->contentSz = (word32)sizeof(data); + pkcs7->contentOID = SIGNED_DATA; + pkcs7->privateKey = key; + pkcs7->privateKeySz = (word32)sizeof(key); + pkcs7->encryptOID = RSAk; + #ifdef NO_SHA + pkcs7->hashOID = SHA256h; + #else + pkcs7->hashOID = SHAh; + #endif + pkcs7->signedAttribs = NULL; + pkcs7->signedAttribsSz = 0; + } + + ExpectNotNull(bio = BIO_new(BIO_s_mem())); + /* Write PKCS#7 PEM to BIO, the function converts the DER to PEM cert*/ + ExpectIntEQ(PEM_write_bio_PKCS7(bio, pkcs7), WOLFSSL_SUCCESS); + + /* Read PKCS#7 PEM from BIO */ + ret = wolfSSL_BIO_get_mem_data(bio, &cert_buf); + ExpectIntGE(ret, 0); + + BIO_free(bio); + wc_PKCS7_Free(pkcs7); + wc_FreeRng(&rng); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_PEM_write_bio_encryptedKey(void) +{ + EXPECT_DECLS; +#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)) && \ + defined(WOLFSSL_KEY_GEN) && !defined(NO_RSA) && \ + defined(WOLFSSL_ENCRYPTED_KEYS) && \ + (defined(WOLFSSL_PEM_TO_DER) || defined(WOLFSSL_DER_TO_PEM)) && \ + !defined(NO_FILESYSTEM) && !defined(NO_BIO) && !defined(NO_CERTS) && \ + !defined(NO_DES3) + RSA* rsaKey = NULL; + RSA* retKey = NULL; + const EVP_CIPHER *cipher = NULL; + BIO* bio = NULL; + BIO* retbio = NULL; + byte* out; + const char* password = "wolfssl"; + word32 passwordSz =(word32)XSTRLEN((char*)password); + int membufSz = 0; + +#if defined(USE_CERT_BUFFERS_2048) + const byte* key = client_key_der_2048; + word32 keySz = sizeof_client_key_der_2048; +#elif defined(USE_CERT_BUFFERS_1024) + const byte* key = client_key_der_1024; + word32 keySz = sizeof_client_key_der_1024; +#endif + /* Import Rsa Key */ + ExpectNotNull(rsaKey = wolfSSL_RSA_new()); + ExpectIntEQ(wolfSSL_RSA_LoadDer_ex(rsaKey, key, keySz, + WOLFSSL_RSA_LOAD_PRIVATE), 1); + + ExpectNotNull(cipher = EVP_des_ede3_cbc()); + ExpectNotNull(bio = BIO_new(BIO_s_mem())); + ExpectIntEQ(PEM_write_bio_RSAPrivateKey(bio, rsaKey, cipher, + (byte*)password, passwordSz, NULL, NULL), 1); + ExpectIntGT((membufSz = BIO_get_mem_data(bio, &out)), 0); + ExpectNotNull(retbio = BIO_new_mem_buf(out, membufSz)); + ExpectNotNull((retKey = PEM_read_bio_RSAPrivateKey(retbio, NULL, + NULL, (void*)password))); + if (bio != NULL) { + BIO_free(bio); + } + if (retbio != NULL) { + BIO_free(retbio); + } + if (retKey != NULL) { + RSA_free(retKey); + } + if (rsaKey != NULL) { + RSA_free(rsaKey); + } +#endif + return EXPECT_RESULT(); +} + +/* // NOLINTBEGIN(clang-analyzer-unix.Stream) */ +int test_wolfSSL_SMIME_read_PKCS7(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_ALL) && defined(HAVE_PKCS7) && !defined(NO_FILESYSTEM) && \ + !defined(NO_RSA) && !defined(NO_BIO) && defined(HAVE_SMIME) + PKCS7* pkcs7 = NULL; + BIO* bio = NULL; + BIO* bcont = NULL; + BIO* out = NULL; + const byte* outBuf = NULL; + int outBufLen = 0; + static const char contTypeText[] = "Content-Type: text/plain\r\n\r\n"; + XFILE smimeTestFile = XBADFILE; + + ExpectTrue((smimeTestFile = XFOPEN("./certs/test/smime-test.p7s", "rb")) != + XBADFILE); + + /* smime-test.p7s */ + bio = wolfSSL_BIO_new(wolfSSL_BIO_s_file()); + ExpectNotNull(bio); + ExpectIntEQ(wolfSSL_BIO_set_fp(bio, smimeTestFile, BIO_CLOSE), SSL_SUCCESS); + pkcs7 = wolfSSL_SMIME_read_PKCS7(bio, &bcont); + ExpectNotNull(pkcs7); + ExpectIntEQ(wolfSSL_PKCS7_verify(pkcs7, NULL, NULL, bcont, NULL, + PKCS7_NOVERIFY), SSL_SUCCESS); + if (smimeTestFile != XBADFILE) { + XFCLOSE(smimeTestFile); + smimeTestFile = XBADFILE; + } + if (bcont) BIO_free(bcont); + bcont = NULL; + wolfSSL_PKCS7_free(pkcs7); + pkcs7 = NULL; + + /* smime-test-multipart.p7s */ + smimeTestFile = XFOPEN("./certs/test/smime-test-multipart.p7s", "rb"); + ExpectFalse(smimeTestFile == XBADFILE); + ExpectIntEQ(wolfSSL_BIO_set_fp(bio, smimeTestFile, BIO_CLOSE), SSL_SUCCESS); + pkcs7 = wolfSSL_SMIME_read_PKCS7(bio, &bcont); + ExpectNotNull(pkcs7); + ExpectIntEQ(wolfSSL_PKCS7_verify(pkcs7, NULL, NULL, bcont, NULL, + PKCS7_NOVERIFY), SSL_SUCCESS); + if (smimeTestFile != XBADFILE) { + XFCLOSE(smimeTestFile); + smimeTestFile = XBADFILE; + } + if (bcont) BIO_free(bcont); + bcont = NULL; + wolfSSL_PKCS7_free(pkcs7); + pkcs7 = NULL; + + /* smime-test-multipart-badsig.p7s */ + smimeTestFile = XFOPEN("./certs/test/smime-test-multipart-badsig.p7s", + "rb"); + ExpectFalse(smimeTestFile == XBADFILE); + ExpectIntEQ(wolfSSL_BIO_set_fp(bio, smimeTestFile, BIO_CLOSE), SSL_SUCCESS); + pkcs7 = wolfSSL_SMIME_read_PKCS7(bio, &bcont); + ExpectNotNull(pkcs7); /* can read in the unverified smime bundle */ + ExpectIntEQ(wolfSSL_PKCS7_verify(pkcs7, NULL, NULL, bcont, NULL, + PKCS7_NOVERIFY), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + if (smimeTestFile != XBADFILE) { + XFCLOSE(smimeTestFile); + smimeTestFile = XBADFILE; + } + if (bcont) BIO_free(bcont); + bcont = NULL; + wolfSSL_PKCS7_free(pkcs7); + pkcs7 = NULL; + + /* smime-test-canon.p7s */ + smimeTestFile = XFOPEN("./certs/test/smime-test-canon.p7s", "rb"); + ExpectFalse(smimeTestFile == XBADFILE); + ExpectIntEQ(wolfSSL_BIO_set_fp(bio, smimeTestFile, BIO_CLOSE), SSL_SUCCESS); + pkcs7 = wolfSSL_SMIME_read_PKCS7(bio, &bcont); + ExpectNotNull(pkcs7); + ExpectIntEQ(wolfSSL_PKCS7_verify(pkcs7, NULL, NULL, bcont, NULL, + PKCS7_NOVERIFY), SSL_SUCCESS); + if (smimeTestFile != XBADFILE) { + XFCLOSE(smimeTestFile); + smimeTestFile = XBADFILE; + } + if (bcont) BIO_free(bcont); + bcont = NULL; + wolfSSL_PKCS7_free(pkcs7); + pkcs7 = NULL; + + /* Test PKCS7_TEXT, PKCS7_verify() should remove Content-Type: text/plain */ + smimeTestFile = XFOPEN("./certs/test/smime-test-canon.p7s", "rb"); + ExpectFalse(smimeTestFile == XBADFILE); + ExpectIntEQ(wolfSSL_BIO_set_fp(bio, smimeTestFile, BIO_CLOSE), SSL_SUCCESS); + pkcs7 = wolfSSL_SMIME_read_PKCS7(bio, &bcont); + ExpectNotNull(pkcs7); + out = wolfSSL_BIO_new(BIO_s_mem()); + ExpectNotNull(out); + ExpectIntEQ(wolfSSL_PKCS7_verify(pkcs7, NULL, NULL, bcont, out, + PKCS7_NOVERIFY | PKCS7_TEXT), SSL_SUCCESS); + ExpectIntGT((outBufLen = BIO_get_mem_data(out, &outBuf)), 0); + /* Content-Type should not show up at beginning of output buffer */ + ExpectIntGT(outBufLen, XSTRLEN(contTypeText)); + ExpectIntGT(XMEMCMP(outBuf, contTypeText, XSTRLEN(contTypeText)), 0); + + BIO_free(out); + BIO_free(bio); + if (bcont) BIO_free(bcont); + wolfSSL_PKCS7_free(pkcs7); +#endif + return EXPECT_RESULT(); +} +/* // NOLINTEND(clang-analyzer-unix.Stream) */ + +int test_wolfSSL_SMIME_write_PKCS7(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_ALL) && defined(HAVE_PKCS7) && !defined(NO_RSA) && \ + !defined(NO_BIO) && defined(HAVE_SMIME) + PKCS7* p7 = NULL; + PKCS7* p7Ver = NULL; + int flags = 0; + byte data[] = "Test data to encode."; + + const char* cert = "./certs/server-cert.pem"; + const char* key = "./certs/server-key.pem"; + const char* ca = "./certs/ca-cert.pem"; + + WOLFSSL_BIO* certBio = NULL; + WOLFSSL_BIO* keyBio = NULL; + WOLFSSL_BIO* caBio = NULL; + WOLFSSL_BIO* inBio = NULL; + WOLFSSL_BIO* outBio = NULL; + WOLFSSL_BIO* content = NULL; + X509* signCert = NULL; + EVP_PKEY* signKey = NULL; + X509* caCert = NULL; + X509_STORE* store = NULL; + + /* read signer cert/key into BIO */ + ExpectNotNull(certBio = BIO_new_file(cert, "r")); + ExpectNotNull(keyBio = BIO_new_file(key, "r")); + ExpectNotNull(signCert = PEM_read_bio_X509(certBio, NULL, 0, NULL)); + ExpectNotNull(signKey = PEM_read_bio_PrivateKey(keyBio, NULL, 0, NULL)); + + /* read CA cert into store (for verify) */ + ExpectNotNull(caBio = BIO_new_file(ca, "r")); + ExpectNotNull(caCert = PEM_read_bio_X509(caBio, NULL, 0, NULL)); + ExpectNotNull(store = X509_STORE_new()); + ExpectIntEQ(X509_STORE_add_cert(store, caCert), 1); + + + /* generate and verify SMIME: not detached */ + { + ExpectNotNull(inBio = BIO_new(BIO_s_mem())); + ExpectIntGT(BIO_write(inBio, data, sizeof(data)), 0); + + flags = PKCS7_STREAM; + ExpectNotNull(p7 = PKCS7_sign(signCert, signKey, NULL, inBio, flags)); + ExpectNotNull(outBio = BIO_new(BIO_s_mem())); + ExpectIntEQ(SMIME_write_PKCS7(outBio, p7, inBio, flags), 1); + + /* bad arg: out NULL */ + ExpectIntEQ(SMIME_write_PKCS7(NULL, p7, inBio, flags), 0); + /* bad arg: pkcs7 NULL */ + ExpectIntEQ(SMIME_write_PKCS7(outBio, NULL, inBio, flags), 0); + + ExpectNotNull(p7Ver = SMIME_read_PKCS7(outBio, &content)); + ExpectIntEQ(PKCS7_verify(p7Ver, NULL, store, NULL, NULL, flags), 1); + + BIO_free(content); + content = NULL; + BIO_free(inBio); + inBio = NULL; + BIO_free(outBio); + outBio = NULL; + PKCS7_free(p7Ver); + p7Ver = NULL; + PKCS7_free(p7); + p7 = NULL; + } + + /* generate and verify SMIME: not detached, add Content-Type */ + { + ExpectNotNull(inBio = BIO_new(BIO_s_mem())); + ExpectIntGT(BIO_write(inBio, data, sizeof(data)), 0); + + flags = PKCS7_STREAM | PKCS7_TEXT; + ExpectNotNull(p7 = PKCS7_sign(signCert, signKey, NULL, inBio, flags)); + ExpectNotNull(outBio = BIO_new(BIO_s_mem())); + ExpectIntEQ(SMIME_write_PKCS7(outBio, p7, inBio, flags), 1); + + ExpectNotNull(p7Ver = SMIME_read_PKCS7(outBio, &content)); + ExpectIntEQ(PKCS7_verify(p7Ver, NULL, store, NULL, NULL, flags), 1); + + BIO_free(content); + content = NULL; + BIO_free(inBio); + inBio = NULL; + BIO_free(outBio); + outBio = NULL; + PKCS7_free(p7Ver); + p7Ver = NULL; + PKCS7_free(p7); + p7 = NULL; + } + + /* generate and verify SMIME: detached */ + { + ExpectNotNull(inBio = BIO_new(BIO_s_mem())); + ExpectIntGT(BIO_write(inBio, data, sizeof(data)), 0); + + flags = PKCS7_DETACHED | PKCS7_STREAM; + ExpectNotNull(p7 = PKCS7_sign(signCert, signKey, NULL, inBio, flags)); + ExpectNotNull(outBio = BIO_new(BIO_s_mem())); + ExpectIntEQ(SMIME_write_PKCS7(outBio, p7, inBio, flags), 1); + + ExpectNotNull(p7Ver = SMIME_read_PKCS7(outBio, &content)); + ExpectIntEQ(PKCS7_verify(p7Ver, NULL, store, content, NULL, flags), 1); + + BIO_free(content); + content = NULL; + BIO_free(inBio); + inBio = NULL; + BIO_free(outBio); + outBio = NULL; + PKCS7_free(p7Ver); + p7Ver = NULL; + PKCS7_free(p7); + p7 = NULL; + } + + /* generate and verify SMIME: PKCS7_TEXT to add Content-Type header */ + { + ExpectNotNull(inBio = BIO_new(BIO_s_mem())); + ExpectIntGT(BIO_write(inBio, data, sizeof(data)), 0); + + flags = PKCS7_STREAM | PKCS7_DETACHED | PKCS7_TEXT; + ExpectNotNull(p7 = PKCS7_sign(signCert, signKey, NULL, inBio, flags)); + ExpectNotNull(outBio = BIO_new(BIO_s_mem())); + ExpectIntEQ(SMIME_write_PKCS7(outBio, p7, inBio, flags), 1); + + ExpectNotNull(p7Ver = SMIME_read_PKCS7(outBio, &content)); + ExpectIntEQ(PKCS7_verify(p7Ver, NULL, store, content, NULL, flags), 1); + + BIO_free(content); + content = NULL; + BIO_free(inBio); + inBio = NULL; + BIO_free(outBio); + outBio = NULL; + PKCS7_free(p7Ver); + p7Ver = NULL; + PKCS7_free(p7); + p7 = NULL; + } + + X509_STORE_free(store); + X509_free(caCert); + X509_free(signCert); + EVP_PKEY_free(signKey); + BIO_free(keyBio); + BIO_free(certBio); + BIO_free(caBio); +#endif + return EXPECT_RESULT(); +} + +/* Testing functions dealing with PKCS12 parsing out X509 certs */ +int test_wolfSSL_PKCS12(void) +{ + EXPECT_DECLS; + /* .p12 file is encrypted with DES3 */ +#ifndef HAVE_FIPS /* Password used in cert "wolfSSL test" is only 12-bytes + * (96-bit) FIPS mode requires Minimum of 14-byte (112-bit) + * Password Key + */ +#if defined(OPENSSL_EXTRA) && !defined(NO_DES3) && !defined(NO_FILESYSTEM) && \ + !defined(NO_STDIO_FILESYSTEM) && !defined(NO_TLS) && \ + !defined(NO_ASN) && !defined(NO_PWDBASED) && !defined(NO_RSA) && \ + !defined(NO_SHA) && defined(HAVE_PKCS12) && !defined(NO_BIO) && \ + defined(WOLFSSL_AES_256) + byte buf[6000]; + char file[] = "./certs/test-servercert.p12"; + char order[] = "./certs/ecc-rsa-server.p12"; +#ifdef WC_RC2 + char rc2p12[] = "./certs/test-servercert-rc2.p12"; +#endif + char pass[] = "a password"; + const char goodPsw[] = "wolfSSL test"; + const char badPsw[] = "bad"; +#ifdef HAVE_ECC + WOLFSSL_X509_NAME *subject = NULL; + WOLFSSL_X509 *x509 = NULL; +#endif + XFILE f = XBADFILE; + int bytes = 0, ret = 0, goodPswLen = 0, badPswLen = 0; + WOLFSSL_BIO *bio = NULL; + WOLFSSL_EVP_PKEY *pkey = NULL; + WC_PKCS12 *pkcs12 = NULL; + WC_PKCS12 *pkcs12_2 = NULL; + WOLFSSL_X509 *cert = NULL; + WOLFSSL_X509 *tmp = NULL; + WOLF_STACK_OF(WOLFSSL_X509) *ca = NULL; +#if (defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO) || defined(WOLFSSL_HAPROXY) \ + || defined(WOLFSSL_NGINX)) && defined(SESSION_CERTS) + WOLFSSL_CTX *ctx = NULL; + WOLFSSL *ssl = NULL; + WOLF_STACK_OF(WOLFSSL_X509) *tmp_ca = NULL; +#endif + + ExpectTrue((f = XFOPEN(file, "rb")) != XBADFILE); + ExpectIntGT(bytes = (int)XFREAD(buf, 1, sizeof(buf), f), 0); + if (f != XBADFILE) { + XFCLOSE(f); + f = XBADFILE; + } + + goodPswLen = (int)XSTRLEN(goodPsw); + badPswLen = (int)XSTRLEN(badPsw); + + ExpectNotNull(bio = wolfSSL_BIO_new(wolfSSL_BIO_s_mem())); + + ExpectIntEQ(BIO_write(bio, buf, bytes), bytes); /* d2i consumes BIO */ + ExpectNotNull(d2i_PKCS12_bio(bio, &pkcs12)); + ExpectNotNull(pkcs12); + BIO_free(bio); + bio = NULL; + + /* check verify MAC directly */ + ExpectIntEQ(ret = PKCS12_verify_mac(pkcs12, goodPsw, goodPswLen), 1); + + /* check verify MAC fail case directly */ + ExpectIntEQ(ret = PKCS12_verify_mac(pkcs12, badPsw, badPswLen), 0); + + /* check verify MAC fail case */ + ExpectIntEQ(ret = PKCS12_parse(pkcs12, "bad", &pkey, &cert, NULL), 0); + ExpectNull(pkey); + ExpectNull(cert); + + /* check parse with no extra certs kept */ + ExpectIntEQ(ret = PKCS12_parse(pkcs12, "wolfSSL test", &pkey, &cert, NULL), + 1); + ExpectNotNull(pkey); + ExpectNotNull(cert); + + wolfSSL_EVP_PKEY_free(pkey); + pkey = NULL; + wolfSSL_X509_free(cert); + cert = NULL; + + /* check parse with extra certs kept */ + ExpectIntEQ(ret = PKCS12_parse(pkcs12, "wolfSSL test", &pkey, &cert, &ca), + 1); + ExpectNotNull(pkey); + ExpectNotNull(cert); + ExpectNotNull(ca); + +#if (defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO) || defined(WOLFSSL_HAPROXY) \ + || defined(WOLFSSL_NGINX)) && defined(SESSION_CERTS) + + /* Check that SSL_CTX_set0_chain correctly sets the certChain buffer */ +#if !defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER) +#if !defined(NO_WOLFSSL_CLIENT) && defined(SESSION_CERTS) + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); +#else + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); +#endif + /* Copy stack structure */ + ExpectNotNull(tmp_ca = X509_chain_up_ref(ca)); + ExpectIntEQ(SSL_CTX_set0_chain(ctx, tmp_ca), 1); + /* CTX now owns the tmp_ca stack structure */ + tmp_ca = NULL; + ExpectIntEQ(wolfSSL_CTX_get_extra_chain_certs(ctx, &tmp_ca), 1); + ExpectNotNull(tmp_ca); + ExpectIntEQ(sk_X509_num(tmp_ca), sk_X509_num(ca)); + /* Check that the main cert is also set */ + ExpectNotNull(SSL_CTX_get0_certificate(ctx)); + ExpectNotNull(ssl = SSL_new(ctx)); + ExpectNotNull(SSL_get_certificate(ssl)); + SSL_free(ssl); + SSL_CTX_free(ctx); + ctx = NULL; +#endif +#endif /* !NO_WOLFSSL_CLIENT || !NO_WOLFSSL_SERVER */ + /* should be 2 other certs on stack */ + ExpectNotNull(tmp = sk_X509_pop(ca)); + X509_free(tmp); + ExpectNotNull(tmp = sk_X509_pop(ca)); + X509_free(tmp); + ExpectNull(sk_X509_pop(ca)); + + EVP_PKEY_free(pkey); + pkey = NULL; + X509_free(cert); + cert = NULL; + sk_X509_pop_free(ca, X509_free); + ca = NULL; + + /* check PKCS12_create */ + ExpectNull(PKCS12_create(pass, NULL, NULL, NULL, NULL, -1, -1, -1, -1,0)); + ExpectIntEQ(PKCS12_parse(pkcs12, "wolfSSL test", &pkey, &cert, &ca), + SSL_SUCCESS); + ExpectNotNull((pkcs12_2 = PKCS12_create(pass, NULL, pkey, cert, ca, + -1, -1, 100, -1, 0))); + EVP_PKEY_free(pkey); + pkey = NULL; + X509_free(cert); + cert = NULL; + sk_X509_pop_free(ca, NULL); + ca = NULL; + + ExpectIntEQ(PKCS12_parse(pkcs12_2, "a password", &pkey, &cert, &ca), + SSL_SUCCESS); + PKCS12_free(pkcs12_2); + pkcs12_2 = NULL; + ExpectNotNull((pkcs12_2 = PKCS12_create(pass, NULL, pkey, cert, ca, + NID_pbe_WithSHA1And3_Key_TripleDES_CBC, + NID_pbe_WithSHA1And3_Key_TripleDES_CBC, + 2000, 1, 0))); + EVP_PKEY_free(pkey); + pkey = NULL; + X509_free(cert); + cert = NULL; + sk_X509_pop_free(ca, NULL); + ca = NULL; + + /* convert to DER then back and parse */ + ExpectNotNull(bio = BIO_new(BIO_s_mem())); + ExpectIntEQ(i2d_PKCS12_bio(bio, pkcs12_2), SSL_SUCCESS); + PKCS12_free(pkcs12_2); + pkcs12_2 = NULL; + + ExpectNotNull(pkcs12_2 = d2i_PKCS12_bio(bio, NULL)); + BIO_free(bio); + bio = NULL; + ExpectIntEQ(PKCS12_parse(pkcs12_2, "a password", &pkey, &cert, &ca), + SSL_SUCCESS); + + /* should be 2 other certs on stack */ + ExpectNotNull(tmp = sk_X509_pop(ca)); + X509_free(tmp); + ExpectNotNull(tmp = sk_X509_pop(ca)); + X509_free(tmp); + ExpectNull(sk_X509_pop(ca)); + + +#ifndef NO_RC4 + PKCS12_free(pkcs12_2); + pkcs12_2 = NULL; + ExpectNotNull((pkcs12_2 = PKCS12_create(pass, NULL, pkey, cert, NULL, + NID_pbe_WithSHA1And128BitRC4, + NID_pbe_WithSHA1And128BitRC4, + 2000, 1, 0))); + EVP_PKEY_free(pkey); + pkey = NULL; + X509_free(cert); + cert = NULL; + sk_X509_pop_free(ca, NULL); + ca = NULL; + + ExpectIntEQ(PKCS12_parse(pkcs12_2, "a password", &pkey, &cert, &ca), + SSL_SUCCESS); + +#endif /* NO_RC4 */ + + EVP_PKEY_free(pkey); + pkey = NULL; + X509_free(cert); + cert = NULL; + PKCS12_free(pkcs12); + pkcs12 = NULL; + PKCS12_free(pkcs12_2); + pkcs12_2 = NULL; + sk_X509_pop_free(ca, NULL); + ca = NULL; + +#ifdef HAVE_ECC + /* test order of parsing */ + ExpectTrue((f = XFOPEN(order, "rb")) != XBADFILE); + ExpectIntGT(bytes = (int)XFREAD(buf, 1, sizeof(buf), f), 0); + if (f != XBADFILE) { + XFCLOSE(f); + f = XBADFILE; + } + + ExpectNotNull(bio = BIO_new_mem_buf((void*)buf, bytes)); + ExpectNotNull(pkcs12 = d2i_PKCS12_bio(bio, NULL)); + ExpectIntEQ((ret = PKCS12_parse(pkcs12, "", &pkey, &cert, &ca)), + WOLFSSL_SUCCESS); + + /* check use of pkey after parse */ +#if (defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO) || defined(WOLFSSL_HAPROXY) \ + || defined(WOLFSSL_NGINX)) && defined(SESSION_CERTS) +#if !defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER) +#if !defined(NO_WOLFSSL_CLIENT) && defined(SESSION_CERTS) + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); +#else + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); +#endif + ExpectIntEQ(SSL_CTX_use_PrivateKey(ctx, pkey), WOLFSSL_SUCCESS); + SSL_CTX_free(ctx); +#endif /* !NO_WOLFSSL_CLIENT || !NO_WOLFSSL_SERVER */ +#endif + + ExpectNotNull(pkey); + ExpectNotNull(cert); + ExpectNotNull(ca); + + /* compare subject lines of certificates */ + ExpectNotNull(subject = wolfSSL_X509_get_subject_name(cert)); + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(eccRsaCertFile, + SSL_FILETYPE_PEM)); + ExpectIntEQ(wolfSSL_X509_NAME_cmp((const WOLFSSL_X509_NAME*)subject, + (const WOLFSSL_X509_NAME*)wolfSSL_X509_get_subject_name(x509)), 0); + X509_free(x509); + x509 = NULL; + + /* test expected fail case */ + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(eccCertFile, + SSL_FILETYPE_PEM)); + ExpectIntNE(wolfSSL_X509_NAME_cmp((const WOLFSSL_X509_NAME*)subject, + (const WOLFSSL_X509_NAME*)wolfSSL_X509_get_subject_name(x509)), 0); + X509_free(x509); + x509 = NULL; + X509_free(cert); + cert = NULL; + + /* get subject line from ca stack */ + ExpectNotNull(cert = sk_X509_pop(ca)); + ExpectNotNull(subject = wolfSSL_X509_get_subject_name(cert)); + + /* compare subject from certificate in ca to expected */ + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(eccCertFile, + SSL_FILETYPE_PEM)); + ExpectIntEQ(wolfSSL_X509_NAME_cmp((const WOLFSSL_X509_NAME*)subject, + (const WOLFSSL_X509_NAME*)wolfSSL_X509_get_subject_name(x509)), 0); + + /* modify case and compare subject from certificate in ca to expected. + * The first bit of the name is: + * /C=US/ST=Washington + * So we'll change subject->name[1] to 'c' (lower case) */ + if (subject != NULL) { + subject->name[1] = 'c'; + ExpectIntEQ(wolfSSL_X509_NAME_cmp((const WOLFSSL_X509_NAME*)subject, + (const WOLFSSL_X509_NAME*)wolfSSL_X509_get_subject_name(x509)), 0); + } + + EVP_PKEY_free(pkey); + pkey = NULL; + X509_free(x509); + x509 = NULL; + X509_free(cert); + cert = NULL; + BIO_free(bio); + bio = NULL; + PKCS12_free(pkcs12); + pkcs12 = NULL; + sk_X509_pop_free(ca, NULL); /* TEST d2i_PKCS12_fp */ + ca = NULL; + + /* test order of parsing */ + ExpectTrue((f = XFOPEN(file, "rb")) != XBADFILE); + ExpectNotNull(pkcs12 = d2i_PKCS12_fp(f, NULL)); + if (f != XBADFILE) { + XFCLOSE(f); + f = XBADFILE; + } + + /* check verify MAC fail case */ + ExpectIntEQ(ret = PKCS12_parse(pkcs12, "bad", &pkey, &cert, NULL), 0); + ExpectNull(pkey); + ExpectNull(cert); + + /* check parse with no extra certs kept */ + ExpectIntEQ(ret = PKCS12_parse(pkcs12, "wolfSSL test", &pkey, &cert, NULL), + 1); + ExpectNotNull(pkey); + ExpectNotNull(cert); + + wolfSSL_EVP_PKEY_free(pkey); + pkey = NULL; + wolfSSL_X509_free(cert); + cert = NULL; + + /* check parse with extra certs kept */ + ExpectIntEQ(ret = PKCS12_parse(pkcs12, "wolfSSL test", &pkey, &cert, &ca), + 1); + ExpectNotNull(pkey); + ExpectNotNull(cert); + ExpectNotNull(ca); + + wolfSSL_EVP_PKEY_free(pkey); + pkey = NULL; + wolfSSL_X509_free(cert); + cert = NULL; + sk_X509_pop_free(ca, NULL); + ca = NULL; + + PKCS12_free(pkcs12); + pkcs12 = NULL; +#endif /* HAVE_ECC */ + +#ifdef WC_RC2 + /* test PKCS#12 with RC2 encryption */ + ExpectTrue((f = XFOPEN(rc2p12, "rb")) != XBADFILE); + ExpectIntGT(bytes = (int)XFREAD(buf, 1, sizeof(buf), f), 0); + if (f != XBADFILE) { + XFCLOSE(f); + f = XBADFILE; + } + + ExpectNotNull(bio = BIO_new_mem_buf((void*)buf, bytes)); + ExpectNotNull(pkcs12 = d2i_PKCS12_bio(bio, NULL)); + + /* check verify MAC fail case */ + ExpectIntEQ(ret = PKCS12_parse(pkcs12, "bad", &pkey, &cert, NULL), 0); + ExpectNull(pkey); + ExpectNull(cert); + + /* check parse with not extra certs kept */ + ExpectIntEQ(ret = PKCS12_parse(pkcs12, "wolfSSL test", &pkey, &cert, NULL), + WOLFSSL_SUCCESS); + ExpectNotNull(pkey); + ExpectNotNull(cert); + + wolfSSL_EVP_PKEY_free(pkey); + pkey = NULL; + wolfSSL_X509_free(cert); + cert = NULL; + + /* check parse with extra certs kept */ + ExpectIntEQ(ret = PKCS12_parse(pkcs12, "wolfSSL test", &pkey, &cert, &ca), + WOLFSSL_SUCCESS); + ExpectNotNull(pkey); + ExpectNotNull(cert); + ExpectNotNull(ca); + + wolfSSL_EVP_PKEY_free(pkey); + wolfSSL_X509_free(cert); + sk_X509_pop_free(ca, NULL); + + BIO_free(bio); + bio = NULL; + PKCS12_free(pkcs12); + pkcs12 = NULL; +#endif /* WC_RC2 */ + + /* Test i2d_PKCS12_bio */ + ExpectTrue((f = XFOPEN(file, "rb")) != XBADFILE); + ExpectNotNull(pkcs12 = d2i_PKCS12_fp(f, NULL)); + if (f != XBADFILE) + XFCLOSE(f); + + ExpectNotNull(bio = BIO_new(BIO_s_mem())); + + ExpectIntEQ(ret = i2d_PKCS12_bio(bio, pkcs12), 1); + + ExpectIntEQ(ret = i2d_PKCS12_bio(NULL, pkcs12), 0); + + ExpectIntEQ(ret = i2d_PKCS12_bio(bio, NULL), 0); + + PKCS12_free(pkcs12); + BIO_free(bio); + + (void)order; +#endif /* OPENSSL_EXTRA */ +#endif /* HAVE_FIPS */ + return EXPECT_RESULT(); +} + diff --git a/tests/api/test_ossl_p7p12.h b/tests/api/test_ossl_p7p12.h new file mode 100644 index 000000000..32863c1ae --- /dev/null +++ b/tests/api/test_ossl_p7p12.h @@ -0,0 +1,54 @@ +/* test_ossl_p7p12.h + * + * Copyright (C) 2006-2025 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +#ifndef WOLFCRYPT_TEST_OSSL_P7P12_H +#define WOLFCRYPT_TEST_OSSL_P7P12_H + +#include + +int test_wolfssl_PKCS7(void); +int test_wolfSSL_PKCS7_certs(void); +int test_wolfSSL_PKCS7_sign(void); +int test_wolfSSL_PKCS7_SIGNED_new(void); +int test_wolfSSL_PEM_write_bio_PKCS7(void); +int test_wolfSSL_PEM_write_bio_encryptedKey(void); +int test_wolfSSL_SMIME_read_PKCS7(void); +int test_wolfSSL_SMIME_write_PKCS7(void); +int test_wolfSSL_PKCS12(void); + +#define TEST_OSSL_PKCS7_DECLS \ + TEST_DECL_GROUP("ossl_p7", test_wolfssl_PKCS7), \ + TEST_DECL_GROUP("ossl_p7", test_wolfSSL_PKCS7_certs), \ + TEST_DECL_GROUP("ossl_p7", test_wolfSSL_PKCS7_sign), \ + TEST_DECL_GROUP("ossl_p7", test_wolfSSL_PKCS7_SIGNED_new), \ + TEST_DECL_GROUP("ossl_p7", test_wolfSSL_PEM_write_bio_PKCS7), \ + TEST_DECL_GROUP("ossl_p7", test_wolfSSL_PEM_write_bio_encryptedKey), \ + TEST_DECL_GROUP("ossl_p7", test_wolfSSL_RAND_poll) + +#define TEST_OSSL_SMIME_DECLS \ + TEST_DECL_GROUP("ossl_smime", test_wolfSSL_SMIME_read_PKCS7), \ + TEST_DECL_GROUP("ossl_smime", test_wolfSSL_SMIME_write_PKCS7) + +#define TEST_OSSL_PKCS12_DECLS \ + TEST_DECL_GROUP("ossl_p12", test_wolfSSL_PKCS12) + +#endif /* WOLFCRYPT_TEST_OSSL_P7P12_H */ + diff --git a/tests/api/test_ossl_rand.c b/tests/api/test_ossl_rand.c new file mode 100644 index 000000000..a5b028145 --- /dev/null +++ b/tests/api/test_ossl_rand.c @@ -0,0 +1,340 @@ +/* test_ossl_rand.c + * + * Copyright (C) 2006-2025 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +#include + +#if defined(__linux__) || defined(__FreeBSD__) +#include +#include +#endif + +#ifdef NO_INLINE + #include +#else + #define WOLFSSL_MISC_INCLUDED + #include +#endif + +#include +#ifdef OPENSSL_EXTRA + #include +#endif +#include +#include + + +#if defined(OPENSSL_EXTRA) && !defined(WOLFSSL_NO_OPENSSL_RAND_CB) +static int stub_rand_seed(const void *buf, int num) +{ + (void)buf; + (void)num; + + return 123; +} + +static int stub_rand_bytes(unsigned char *buf, int num) +{ + (void)buf; + (void)num; + + return 456; +} + +static byte* was_stub_rand_cleanup_called(void) +{ + static byte was_called = 0; + + return &was_called; +} + +static void stub_rand_cleanup(void) +{ + byte* was_called = was_stub_rand_cleanup_called(); + + *was_called = 1; + + return; +} + +static byte* was_stub_rand_add_called(void) +{ + static byte was_called = 0; + + return &was_called; +} + +static int stub_rand_add(const void *buf, int num, double entropy) +{ + byte* was_called = was_stub_rand_add_called(); + + (void)buf; + (void)num; + (void)entropy; + + *was_called = 1; + + return 0; +} + +static int stub_rand_pseudo_bytes(unsigned char *buf, int num) +{ + (void)buf; + (void)num; + + return 9876; +} + +static int stub_rand_status(void) +{ + return 5432; +} +#endif /* OPENSSL_EXTRA && !WOLFSSL_NO_OPENSSL_RAND_CB */ + +int test_wolfSSL_RAND_set_rand_method(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(WOLFSSL_NO_OPENSSL_RAND_CB) + RAND_METHOD rand_methods = {NULL, NULL, NULL, NULL, NULL, NULL}; + unsigned char* buf = NULL; + int num = 0; + double entropy = 0; + int ret; + byte* was_cleanup_called = was_stub_rand_cleanup_called(); + byte* was_add_called = was_stub_rand_add_called(); + + ExpectNotNull(buf = (byte*)XMALLOC(32 * sizeof(byte), NULL, + DYNAMIC_TYPE_TMP_BUFFER)); + + ExpectIntNE(wolfSSL_RAND_status(), 5432); + ExpectIntEQ(*was_cleanup_called, 0); + RAND_cleanup(); + ExpectIntEQ(*was_cleanup_called, 0); + + + rand_methods.seed = &stub_rand_seed; + rand_methods.bytes = &stub_rand_bytes; + rand_methods.cleanup = &stub_rand_cleanup; + rand_methods.add = &stub_rand_add; + rand_methods.pseudorand = &stub_rand_pseudo_bytes; + rand_methods.status = &stub_rand_status; + + ExpectIntEQ(RAND_set_rand_method(&rand_methods), WOLFSSL_SUCCESS); + ExpectIntEQ(RAND_seed(buf, num), 123); + ExpectIntEQ(RAND_bytes(buf, num), 456); + ExpectIntEQ(RAND_pseudo_bytes(buf, num), 9876); + ExpectIntEQ(RAND_status(), 5432); + + ExpectIntEQ(*was_add_called, 0); + /* The function pointer for RAND_add returns int, but RAND_add itself + * returns void. */ + RAND_add(buf, num, entropy); + ExpectIntEQ(*was_add_called, 1); + was_add_called = 0; + ExpectIntEQ(*was_cleanup_called, 0); + RAND_cleanup(); + ExpectIntEQ(*was_cleanup_called, 1); + *was_cleanup_called = 0; + + + ret = RAND_set_rand_method(NULL); + ExpectIntEQ(ret, WOLFSSL_SUCCESS); + ExpectIntNE(RAND_status(), 5432); + ExpectIntEQ(*was_cleanup_called, 0); + RAND_cleanup(); + ExpectIntEQ(*was_cleanup_called, 0); + + RAND_set_rand_method(NULL); + + XFREE(buf, NULL, DYNAMIC_TYPE_TMP_BUFFER); +#endif /* OPENSSL_EXTRA && !WOLFSSL_NO_OPENSSL_RAND_CB */ + return EXPECT_RESULT(); +} + +int test_wolfSSL_RAND_bytes(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) + const int size1 = RNG_MAX_BLOCK_LEN; /* in bytes */ + const int size2 = RNG_MAX_BLOCK_LEN + 1; /* in bytes */ + const int size3 = RNG_MAX_BLOCK_LEN * 2; /* in bytes */ + const int size4 = RNG_MAX_BLOCK_LEN * 4; /* in bytes */ + int max_bufsize; + byte *my_buf = NULL; +#if defined(OPENSSL_EXTRA) && defined(HAVE_GETPID) && !defined(__MINGW64__) && \ + !defined(__MINGW32__) + byte seed[16] = {0}; + byte randbuf[8] = {0}; + int pipefds[2] = {0}; + pid_t pid = 0; +#endif + + /* sanity check */ + ExpectIntEQ(RAND_bytes(NULL, 16), 0); + ExpectIntEQ(RAND_bytes(NULL, 0), 0); + + max_bufsize = size4; + + ExpectNotNull(my_buf = (byte*)XMALLOC(max_bufsize * sizeof(byte), HEAP_HINT, + DYNAMIC_TYPE_TMP_BUFFER)); + + ExpectIntEQ(RAND_bytes(my_buf, 0), 1); + ExpectIntEQ(RAND_bytes(my_buf, -1), 0); + + ExpectNotNull(XMEMSET(my_buf, 0, max_bufsize)); + ExpectIntEQ(RAND_bytes(my_buf, size1), 1); + ExpectIntEQ(RAND_bytes(my_buf, size2), 1); + ExpectIntEQ(RAND_bytes(my_buf, size3), 1); + ExpectIntEQ(RAND_bytes(my_buf, size4), 1); + XFREE(my_buf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + +#if defined(OPENSSL_EXTRA) && defined(HAVE_GETPID) && !defined(__MINGW64__) && \ + !defined(__MINGW32__) + XMEMSET(seed, 0, sizeof(seed)); + RAND_cleanup(); + + /* No global methods set. */ + ExpectIntEQ(RAND_seed(seed, sizeof(seed)), 1); + + ExpectIntEQ(pipe(pipefds), 0); + pid = fork(); + ExpectIntGE(pid, 0); + if (pid == 0) { + ssize_t n_written = 0; + + /* Child process. */ + close(pipefds[0]); + RAND_bytes(randbuf, sizeof(randbuf)); + n_written = write(pipefds[1], randbuf, sizeof(randbuf)); + close(pipefds[1]); + exit(n_written == sizeof(randbuf) ? 0 : 1); + } + else { + /* Parent process. */ + byte childrand[8] = {0}; + int waitstatus = 0; + + close(pipefds[1]); + ExpectIntEQ(RAND_bytes(randbuf, sizeof(randbuf)), 1); + ExpectIntEQ(read(pipefds[0], childrand, sizeof(childrand)), + sizeof(childrand)); + #ifdef WOLFSSL_NO_GETPID + ExpectBufEQ(randbuf, childrand, sizeof(randbuf)); + #else + ExpectBufNE(randbuf, childrand, sizeof(randbuf)); + #endif + close(pipefds[0]); + waitpid(pid, &waitstatus, 0); + } + RAND_cleanup(); +#endif +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_RAND(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) + byte seed[16]; + + XMEMSET(seed, 0, sizeof(seed)); + + /* No global methods set. */ + ExpectIntEQ(RAND_seed(seed, sizeof(seed)), 1); + ExpectIntEQ(RAND_poll(), 1); + RAND_cleanup(); + + ExpectIntEQ(RAND_egd(NULL), -1); +#ifndef NO_FILESYSTEM + { + char fname[100]; + + ExpectNotNull(RAND_file_name(fname, (sizeof(fname) - 1))); + ExpectIntEQ(RAND_write_file(NULL), 0); + } +#endif +#endif + return EXPECT_RESULT(); +} + + +#if defined(WC_RNG_SEED_CB) && defined(OPENSSL_EXTRA) +static int wc_DummyGenerateSeed(OS_Seed* os, byte* output, word32 sz) +{ + word32 i; + for (i = 0; i < sz; i++ ) + output[i] = (byte)i; + + (void)os; + + return 0; +} +#endif /* WC_RNG_SEED_CB */ + + +int test_wolfSSL_RAND_poll(void) +{ + EXPECT_DECLS; + +#if defined(OPENSSL_EXTRA) + byte seed[16]; + byte rand1[16]; +#ifdef WC_RNG_SEED_CB + byte rand2[16]; +#endif + + XMEMSET(seed, 0, sizeof(seed)); + ExpectIntEQ(RAND_seed(seed, sizeof(seed)), 1); + ExpectIntEQ(RAND_poll(), 1); + ExpectIntEQ(RAND_bytes(rand1, 16), 1); + RAND_cleanup(); + +#ifdef WC_RNG_SEED_CB + /* Test with custom seed and poll */ + wc_SetSeed_Cb(wc_DummyGenerateSeed); + + ExpectIntEQ(RAND_seed(seed, sizeof(seed)), 1); + ExpectIntEQ(RAND_bytes(rand1, 16), 1); + RAND_cleanup(); + + /* test that the same value is generated twice with dummy seed function */ + ExpectIntEQ(RAND_seed(seed, sizeof(seed)), 1); + ExpectIntEQ(RAND_bytes(rand2, 16), 1); + ExpectIntEQ(XMEMCMP(rand1, rand2, 16), 0); + RAND_cleanup(); + + /* test that doing a poll is reseeding RNG */ + ExpectIntEQ(RAND_seed(seed, sizeof(seed)), 1); + ExpectIntEQ(RAND_poll(), 1); + ExpectIntEQ(RAND_bytes(rand2, 16), 1); + ExpectIntNE(XMEMCMP(rand1, rand2, 16), 0); + + /* reset the seed function used */ + wc_SetSeed_Cb(WC_GENERATE_SEED_DEFAULT); +#endif + RAND_cleanup(); + + ExpectIntEQ(RAND_egd(NULL), -1); +#endif + + return EXPECT_RESULT(); +} + diff --git a/tests/api/test_ossl_rand.h b/tests/api/test_ossl_rand.h new file mode 100644 index 000000000..4f10956aa --- /dev/null +++ b/tests/api/test_ossl_rand.h @@ -0,0 +1,39 @@ +/* test_ossl_rand.h + * + * Copyright (C) 2006-2025 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +#ifndef WOLFCRYPT_TEST_OSSL_RAND_H +#define WOLFCRYPT_TEST_OSSL_RAND_H + +#include + +int test_wolfSSL_RAND_set_rand_method(void); +int test_wolfSSL_RAND_bytes(void); +int test_wolfSSL_RAND(void); +int test_wolfSSL_RAND_poll(void); + +#define TEST_OSSL_RAND_DECLS \ + TEST_DECL_GROUP("ossl_rand", test_wolfSSL_RAND_set_rand_method), \ + TEST_DECL_GROUP("ossl_rand", test_wolfSSL_RAND_bytes), \ + TEST_DECL_GROUP("ossl_rand", test_wolfSSL_RAND), \ + TEST_DECL_GROUP("ossl_rand", test_wolfSSL_RAND_poll) + +#endif /* WOLFCRYPT_TEST_OSSL_RAND_H */ + diff --git a/tests/api/test_ossl_rsa.c b/tests/api/test_ossl_rsa.c index 1947ad7ee..7adbe126a 100644 --- a/tests/api/test_ossl_rsa.c +++ b/tests/api/test_ossl_rsa.c @@ -1470,8 +1470,10 @@ int test_wolfSSL_RSA_To_Der(void) rsa = NULL; ExpectNotNull(wolfSSL_d2i_RSAPrivateKey(&rsa, &der, privDerSz)); - ExpectIntEQ(wolfSSL_RSA_To_Der(NULL, &outDer, 0, HEAP_HINT), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_RSA_To_Der(rsa, &outDer, 2, HEAP_HINT), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_RSA_To_Der(NULL, &outDer, 0, HEAP_HINT), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_RSA_To_Der(rsa, &outDer, 2, HEAP_HINT), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); ExpectIntEQ(wolfSSL_RSA_To_Der(rsa, NULL, 0, HEAP_HINT), privDerSz); outDer = out; @@ -1491,14 +1493,17 @@ int test_wolfSSL_RSA_To_Der(void) RSA_free(rsa); ExpectNotNull(rsa = RSA_new()); - ExpectIntEQ(wolfSSL_RSA_To_Der(rsa, &outDer, 0, HEAP_HINT), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_RSA_To_Der(rsa, &outDer, 1, HEAP_HINT), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_RSA_To_Der(rsa, &outDer, 0, HEAP_HINT), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_RSA_To_Der(rsa, &outDer, 1, HEAP_HINT), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); RSA_free(rsa); der = pubDer; rsa = NULL; ExpectNotNull(wolfSSL_d2i_RSAPublicKey(&rsa, &der, pubDerSz)); - ExpectIntEQ(wolfSSL_RSA_To_Der(rsa, &outDer, 0, HEAP_HINT), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_RSA_To_Der(rsa, &outDer, 0, HEAP_HINT), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); RSA_free(rsa); #endif #endif