diff options
| author | Enji Cooper <ngie@FreeBSD.org> | 2025-03-06 17:49:50 +0000 |
|---|---|---|
| committer | Enji Cooper <ngie@FreeBSD.org> | 2025-03-06 17:49:50 +0000 |
| commit | 1c34280346af8284acdc0eae39496811d37df25d (patch) | |
| tree | dbe4218057c550b3be955f331fc1198c6cab5f3f /test | |
| parent | 108164cf95d9594884c2dcccba2691335e6f221b (diff) | |
Diffstat (limited to 'test')
| -rw-r--r-- | test/acvp_test.c | 2 | ||||
| -rw-r--r-- | test/build.info | 6 | ||||
| -rw-r--r-- | test/cmactest.c | 8 | ||||
| -rw-r--r-- | test/conf_include_test.c | 2 | ||||
| -rw-r--r-- | test/drbgtest.c | 2 | ||||
| -rw-r--r-- | test/ec_internal_test.c | 51 | ||||
| -rw-r--r-- | test/enginetest.c | 4 | ||||
| -rw-r--r-- | test/evp_kdf_test.c | 28 | ||||
| -rw-r--r-- | test/evp_libctx_test.c | 126 | ||||
| -rw-r--r-- | test/hmactest.c | 12 | ||||
| -rw-r--r-- | test/memleaktest.c | 4 | ||||
| -rw-r--r-- | test/p_test.c | 34 | ||||
| -rw-r--r-- | test/pkcs12_format_test.c | 9 | ||||
| -rw-r--r-- | test/property_test.c | 41 | ||||
| -rw-r--r-- | test/recipes/03-test_fipsinstall.t | 4 | ||||
| -rw-r--r-- | test/recipes/04-test_encoder_decoder.t | 29 | ||||
| -rw-r--r-- | test/recipes/25-test_verify.t | 8 | ||||
| -rw-r--r-- | test/recipes/30-test_evp_data/evpkdf_tls13_kdf.txt | 10 | ||||
| -rw-r--r-- | test/recipes/80-test_cmp_http.t | 4 | ||||
| -rw-r--r-- | test/recipes/80-test_cmp_http_data/test_connection.csv | 4 | ||||
| -rw-r--r-- | test/recipes/80-test_cms.t | 81 | ||||
| -rw-r--r-- | test/sslapitest.c | 5 | ||||
| -rw-r--r-- | test/testutil/tests.c | 3 | ||||
| -rw-r--r-- | test/threadstest.c | 2 |
24 files changed, 348 insertions, 131 deletions
diff --git a/test/acvp_test.c b/test/acvp_test.c index fee880d441b0..eccf9d90a021 100644 --- a/test/acvp_test.c +++ b/test/acvp_test.c @@ -1251,7 +1251,7 @@ static int rsa_decryption_primitive_test(int id) BN_CTX *bn_ctx = NULL; const struct rsa_decrypt_prim_st *tst = &rsa_decrypt_prim_data[id]; - if (!TEST_ptr(pkey = EVP_PKEY_Q_keygen(libctx, NULL, "RSA", 2048)) + if (!TEST_ptr(pkey = EVP_PKEY_Q_keygen(libctx, NULL, "RSA", (size_t)2048)) || !TEST_true(pkey_get_bn_bytes(pkey, OSSL_PKEY_PARAM_RSA_N, &n, &n_len)) || !TEST_true(pkey_get_bn_bytes(pkey, OSSL_PKEY_PARAM_RSA_E, &e, &e_len)) || !TEST_ptr(ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, "")) diff --git a/test/build.info b/test/build.info index 76ff945ab8b3..6089b8c97cf8 100644 --- a/test/build.info +++ b/test/build.info @@ -61,7 +61,7 @@ IF[{- !$disabled{tests} -}] keymgmt_internal_test hexstr_test provider_status_test defltfips_test \ bio_readbuffer_test user_property_test pkcs7_test upcallstest \ provfetchtest prov_config_test rand_test fips_version_test \ - nodefltctxtest + nodefltctxtest bio_pw_callback_test IF[{- !$disabled{'deprecated-3.0'} -}] PROGRAMS{noinst}=enginetest @@ -943,6 +943,10 @@ ENDIF INCLUDE[ssl_ctx_test]=../include ../apps/include DEPEND[ssl_ctx_test]=../libcrypto ../libssl libtestutil.a + SOURCE[bio_pw_callback_test]=bio_pw_callback_test.c + INCLUDE[bio_pw_callback_test]=../include ../apps/include + DEPEND[bio_pw_callback_test]=../libcrypto libtestutil.a + {- use File::Spec::Functions; use File::Basename; diff --git a/test/cmactest.c b/test/cmactest.c index cb2b273b0f4f..72f7a0d9366b 100644 --- a/test/cmactest.c +++ b/test/cmactest.c @@ -196,13 +196,15 @@ err: return ret; } +#define OSSL_HEX_CHARS_PER_BYTE 2 static char *pt(unsigned char *md, unsigned int len) { unsigned int i; - static char buf[80]; + static char buf[81]; - for (i = 0; i < len; i++) - sprintf(&(buf[i * 2]), "%02x", md[i]); + for (i = 0; i < len && (i + 1) * OSSL_HEX_CHARS_PER_BYTE < sizeof(buf); i++) + BIO_snprintf(buf + i * OSSL_HEX_CHARS_PER_BYTE, + OSSL_HEX_CHARS_PER_BYTE + 1, "%02x", md[i]); return buf; } diff --git a/test/conf_include_test.c b/test/conf_include_test.c index 2481a2380b76..f6835d59e79e 100644 --- a/test/conf_include_test.c +++ b/test/conf_include_test.c @@ -158,7 +158,7 @@ static int test_check_overflow(void) char max[(sizeof(long) * 8) / 3 + 3]; char *p; - p = max + sprintf(max, "0%ld", LONG_MAX) - 1; + p = max + BIO_snprintf(max, sizeof(max), "0%ld", LONG_MAX) - 1; setenv("FNORD", max, 1); if (!TEST_true(NCONF_get_number(NULL, "missing", "FNORD", &val)) || !TEST_long_eq(val, LONG_MAX)) diff --git a/test/drbgtest.c b/test/drbgtest.c index b5122b60bdd4..afbc55112529 100644 --- a/test/drbgtest.c +++ b/test/drbgtest.c @@ -423,7 +423,7 @@ static int test_rand_reseed_on_fork(EVP_RAND_CTX *primary, presult[0].pindex = presult[1].pindex = i; - sprintf(presult[0].name, "child %d", i); + BIO_snprintf(presult[0].name, sizeof(presult[0].name), "child %d", i); strcpy(presult[1].name, presult[0].name); /* collect the random output of the children */ diff --git a/test/ec_internal_test.c b/test/ec_internal_test.c index 8c2cd0563169..02cfd4e9d885 100644 --- a/test/ec_internal_test.c +++ b/test/ec_internal_test.c @@ -155,6 +155,56 @@ static int field_tests_ecp_mont(void) } #ifndef OPENSSL_NO_EC2M +/* Test that decoding of invalid GF2m field parameters fails. */ +static int ec2m_field_sanity(void) +{ + int ret = 0; + BN_CTX *ctx = BN_CTX_new(); + BIGNUM *p, *a, *b; + EC_GROUP *group1 = NULL, *group2 = NULL, *group3 = NULL; + + TEST_info("Testing GF2m hardening\n"); + + BN_CTX_start(ctx); + p = BN_CTX_get(ctx); + a = BN_CTX_get(ctx); + if (!TEST_ptr(b = BN_CTX_get(ctx)) + || !TEST_true(BN_one(a)) + || !TEST_true(BN_one(b))) + goto out; + + /* Even pentanomial value should be rejected */ + if (!TEST_true(BN_set_word(p, 0xf2))) + goto out; + if (!TEST_ptr_null(group1 = EC_GROUP_new_curve_GF2m(p, a, b, ctx))) + TEST_error("Zero constant term accepted in GF2m polynomial"); + + /* Odd hexanomial should also be rejected */ + if (!TEST_true(BN_set_word(p, 0xf3))) + goto out; + if (!TEST_ptr_null(group2 = EC_GROUP_new_curve_GF2m(p, a, b, ctx))) + TEST_error("Hexanomial accepted as GF2m polynomial"); + + /* Excessive polynomial degree should also be rejected */ + if (!TEST_true(BN_set_word(p, 0x71)) + || !TEST_true(BN_set_bit(p, OPENSSL_ECC_MAX_FIELD_BITS + 1))) + goto out; + if (!TEST_ptr_null(group3 = EC_GROUP_new_curve_GF2m(p, a, b, ctx))) + TEST_error("GF2m polynomial degree > %d accepted", + OPENSSL_ECC_MAX_FIELD_BITS); + + ret = group1 == NULL && group2 == NULL && group3 == NULL; + + out: + EC_GROUP_free(group1); + EC_GROUP_free(group2); + EC_GROUP_free(group3); + BN_CTX_end(ctx); + BN_CTX_free(ctx); + + return ret; +} + /* test EC_GF2m_simple_method directly */ static int field_tests_ec2_simple(void) { @@ -443,6 +493,7 @@ int setup_tests(void) ADD_TEST(field_tests_ecp_simple); ADD_TEST(field_tests_ecp_mont); #ifndef OPENSSL_NO_EC2M + ADD_TEST(ec2m_field_sanity); ADD_TEST(field_tests_ec2_simple); #endif ADD_ALL_TESTS(field_tests_default, crv_len); diff --git a/test/enginetest.c b/test/enginetest.c index 8ba999b0176b..79ffb2305485 100644 --- a/test/enginetest.c +++ b/test/enginetest.c @@ -147,9 +147,9 @@ static int test_engines(void) TEST_info("About to beef up the engine-type list"); for (loop = 0; loop < NUMTOADD; loop++) { - sprintf(buf, "id%d", loop); + BIO_snprintf(buf, sizeof(buf), "id%d", loop); eid[loop] = OPENSSL_strdup(buf); - sprintf(buf, "Fake engine type %d", loop); + BIO_snprintf(buf, sizeof(buf), "Fake engine type %d", loop); ename[loop] = OPENSSL_strdup(buf); if (!TEST_ptr(block[loop] = ENGINE_new()) || !TEST_true(ENGINE_set_id(block[loop], eid[loop])) diff --git a/test/evp_kdf_test.c b/test/evp_kdf_test.c index 8f35900bdd8b..0ee1aaea6f37 100644 --- a/test/evp_kdf_test.c +++ b/test/evp_kdf_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2018-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2018-2025 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2018-2020, Oracle and/or its affiliates. All rights reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -857,7 +857,7 @@ err: #ifndef OPENSSL_NO_SCRYPT static int test_kdf_scrypt(void) { - int ret; + int i, ret; EVP_KDF_CTX *kctx; OSSL_PARAM params[7], *p = params; unsigned char out[64]; @@ -883,15 +883,21 @@ static int test_kdf_scrypt(void) *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_SCRYPT_MAXMEM, &maxmem); *p = OSSL_PARAM_construct_end(); - ret = - TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SCRYPT)) - && TEST_true(EVP_KDF_CTX_set_params(kctx, params)) - /* failure test *//* - && TEST_int_le(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0)*/ - && TEST_true(OSSL_PARAM_set_uint(p - 1, 10 * 1024 * 1024)) - && TEST_true(EVP_KDF_CTX_set_params(kctx, p - 1)) - && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0) - && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected)); + ret = TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SCRYPT)); + for (i = 0; ret && i < 2; ++i) { + ret = ret + && TEST_true(EVP_KDF_CTX_set_params(kctx, params)); + if (i == 0) + ret = ret + && TEST_int_le(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0) + && TEST_true(OSSL_PARAM_set_uint(p - 1, 10 * 1024 * 1024)) + && TEST_true(EVP_KDF_CTX_set_params(kctx, p - 1)); + ret = ret + && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0) + && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected)); + if (i == 0) + EVP_KDF_CTX_reset(kctx); + } EVP_KDF_CTX_free(kctx); return ret; diff --git a/test/evp_libctx_test.c b/test/evp_libctx_test.c index 2448c35a149f..fd114a118cb2 100644 --- a/test/evp_libctx_test.c +++ b/test/evp_libctx_test.c @@ -501,7 +501,7 @@ static int rsa_keygen(int bits, EVP_PKEY **pub, EVP_PKEY **priv) size_t len = 0; OSSL_ENCODER_CTX *ectx = NULL; - if (!TEST_ptr(*priv = EVP_PKEY_Q_keygen(libctx, NULL, "RSA", bits)) + if (!TEST_ptr(*priv = EVP_PKEY_Q_keygen(libctx, NULL, "RSA", (size_t)bits)) || !TEST_ptr(ectx = OSSL_ENCODER_CTX_new_for_pkey(*priv, EVP_PKEY_PUBLIC_KEY, @@ -536,6 +536,8 @@ static int kem_rsa_gen_recover(void) && TEST_int_eq(EVP_PKEY_encapsulate_init(sctx, NULL), 1) && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(sctx, "RSASVE"), 1) && TEST_ptr(dctx = EVP_PKEY_CTX_dup(sctx)) + /* Test that providing a NULL wrappedlen fails */ + && TEST_int_eq(EVP_PKEY_encapsulate(dctx, NULL, NULL, NULL, NULL), 0) && TEST_int_eq(EVP_PKEY_encapsulate(dctx, NULL, &ctlen, NULL, &secretlen), 1) && TEST_int_eq(ctlen, secretlen) @@ -545,11 +547,26 @@ static int kem_rsa_gen_recover(void) && TEST_ptr(rctx = EVP_PKEY_CTX_new_from_pkey(libctx, priv, NULL)) && TEST_int_eq(EVP_PKEY_decapsulate_init(rctx, NULL), 1) && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(rctx, "RSASVE"), 1) + /* Test that providing a NULL unwrappedlen fails */ + && TEST_int_eq(EVP_PKEY_decapsulate(rctx, NULL, NULL, ct, ctlen), 0) && TEST_int_eq(EVP_PKEY_decapsulate(rctx, NULL, &unwraplen, ct, ctlen), 1) && TEST_int_eq(EVP_PKEY_decapsulate(rctx, unwrap, &unwraplen, ct, ctlen), 1) && TEST_mem_eq(unwrap, unwraplen, secret, secretlen); + + /* Test that providing a too short unwrapped/ctlen fails */ + if (fips_provider_version_match(libctx, ">=3.4.0")) { + ctlen = 1; + if (!TEST_int_eq(EVP_PKEY_encapsulate(dctx, ct, &ctlen, secret, + &secretlen), 0)) + ret = 0; + unwraplen = 1; + if (!TEST_int_eq(EVP_PKEY_decapsulate(rctx, unwrap, &unwraplen, ct, + ctlen), 0)) + ret = 0; + } + EVP_PKEY_free(pub); EVP_PKEY_free(priv); EVP_PKEY_CTX_free(rctx); @@ -596,59 +613,60 @@ static int kem_rsa_params(void) size_t ctlen = 0, secretlen = 0; ret = TEST_true(rsa_keygen(2048, &pub, &priv)) - && TEST_ptr(pubctx = EVP_PKEY_CTX_new_from_pkey(libctx, pub, NULL)) - && TEST_ptr(privctx = EVP_PKEY_CTX_new_from_pkey(libctx, priv, NULL)) - /* Test setting kem op before the init fails */ - && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(pubctx, "RSASVE"), -2) - /* Test NULL ctx passed */ - && TEST_int_eq(EVP_PKEY_encapsulate_init(NULL, NULL), 0) - && TEST_int_eq(EVP_PKEY_encapsulate(NULL, NULL, NULL, NULL, NULL), 0) - && TEST_int_eq(EVP_PKEY_decapsulate_init(NULL, NULL), 0) - && TEST_int_eq(EVP_PKEY_decapsulate(NULL, NULL, NULL, NULL, 0), 0) - /* Test Invalid operation */ - && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, NULL, NULL, NULL), -1) - && TEST_int_eq(EVP_PKEY_decapsulate(privctx, NULL, NULL, NULL, 0), 0) - /* Wrong key component - no secret should be returned on failure */ - && TEST_int_eq(EVP_PKEY_decapsulate_init(pubctx, NULL), 1) - && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(pubctx, "RSASVE"), 1) - && TEST_int_eq(EVP_PKEY_decapsulate(pubctx, secret, &secretlen, ct, - sizeof(ct)), 0) - && TEST_uchar_eq(secret[0], 0) - /* Test encapsulate fails if the mode is not set */ - && TEST_int_eq(EVP_PKEY_encapsulate_init(pubctx, NULL), 1) - && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, ct, &ctlen, secret, &secretlen), -2) - /* Test setting a bad kem ops fail */ - && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(pubctx, "RSA"), 0) - && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(pubctx, NULL), 0) - && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(NULL, "RSASVE"), 0) - && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(NULL, NULL), 0) - /* Test secretlen is optional */ - && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(pubctx, "RSASVE"), 1) - && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, ct, &ctlen, secret, NULL), 1) - && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, &ctlen, NULL, NULL), 1) - /* Test outlen is optional */ - && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, NULL, NULL, &secretlen), 1) - && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, ct, NULL, secret, &secretlen), 1) - /* test that either len must be set if out is NULL */ - && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, NULL, NULL, NULL), 0) - && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, &ctlen, NULL, NULL), 1) - && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, NULL, NULL, &secretlen), 1) - && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, &ctlen, NULL, &secretlen), 1) - /* Secret buffer should be set if there is an output buffer */ - && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, ct, &ctlen, NULL, NULL), 0) - /* Test that lengths are optional if ct is not NULL */ - && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, ct, NULL, secret, NULL), 1) - /* Pass if secret or secret length are not NULL */ - && TEST_int_eq(EVP_PKEY_decapsulate_init(privctx, NULL), 1) - && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(privctx, "RSASVE"), 1) - && TEST_int_eq(EVP_PKEY_decapsulate(privctx, secret, NULL, ct, sizeof(ct)), 1) - && TEST_int_eq(EVP_PKEY_decapsulate(privctx, NULL, &secretlen, ct, sizeof(ct)), 1) - && TEST_int_eq(secretlen, 256) - /* Fail if passed NULL arguments */ - && TEST_int_eq(EVP_PKEY_decapsulate(privctx, NULL, NULL, ct, sizeof(ct)), 0) - && TEST_int_eq(EVP_PKEY_decapsulate(privctx, secret, &secretlen, NULL, 0), 0) - && TEST_int_eq(EVP_PKEY_decapsulate(privctx, secret, &secretlen, NULL, sizeof(ct)), 0) - && TEST_int_eq(EVP_PKEY_decapsulate(privctx, secret, &secretlen, ct, 0), 0); + && TEST_ptr(pubctx = EVP_PKEY_CTX_new_from_pkey(libctx, pub, NULL)) + && TEST_ptr(privctx = EVP_PKEY_CTX_new_from_pkey(libctx, priv, NULL)) + /* Test setting kem op before the init fails */ + && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(pubctx, "RSASVE"), -2) + /* Test NULL ctx passed */ + && TEST_int_eq(EVP_PKEY_encapsulate_init(NULL, NULL), 0) + && TEST_int_eq(EVP_PKEY_encapsulate(NULL, NULL, NULL, NULL, NULL), 0) + && TEST_int_eq(EVP_PKEY_decapsulate_init(NULL, NULL), 0) + && TEST_int_eq(EVP_PKEY_decapsulate(NULL, NULL, NULL, NULL, 0), 0) + /* Test Invalid operation */ + && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, NULL, NULL, NULL), -1) + && TEST_int_eq(EVP_PKEY_decapsulate(privctx, NULL, NULL, NULL, 0), 0) + /* Wrong key component - no secret should be returned on failure */ + && TEST_int_eq(EVP_PKEY_decapsulate_init(pubctx, NULL), 1) + && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(pubctx, "RSASVE"), 1) + && TEST_int_eq(EVP_PKEY_decapsulate(pubctx, secret, &secretlen, ct, + sizeof(ct)), 0) + && TEST_uchar_eq(secret[0], 0) + /* Test encapsulate fails if the mode is not set */ + && TEST_int_eq(EVP_PKEY_encapsulate_init(pubctx, NULL), 1) + && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, ct, &ctlen, secret, &secretlen), -2) + /* Test setting a bad kem ops fail */ + && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(pubctx, "RSA"), 0) + && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(pubctx, NULL), 0) + && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(NULL, "RSASVE"), 0) + && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(NULL, NULL), 0) + /* Test secretlen is optional */ + && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(pubctx, "RSASVE"), 1) + && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, &ctlen, NULL, NULL), 1) + && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, ct, &ctlen, secret, NULL), 1) + && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, &ctlen, NULL, NULL), 1) + /* Test outlen is optional */ + && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, NULL, NULL, &secretlen), 1) + && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, ct, NULL, secret, &secretlen), 1) + /* test that either len must be set if out is NULL */ + && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, NULL, NULL, NULL), 0) + && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, &ctlen, NULL, NULL), 1) + && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, NULL, NULL, &secretlen), 1) + && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, &ctlen, NULL, &secretlen), 1) + /* Secret buffer should be set if there is an output buffer */ + && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, ct, &ctlen, NULL, NULL), 0) + /* Test that lengths are optional if ct is not NULL */ + && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, ct, NULL, secret, NULL), 1) + /* Pass if secret or secret length are not NULL */ + && TEST_int_eq(EVP_PKEY_decapsulate_init(privctx, NULL), 1) + && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(privctx, "RSASVE"), 1) + && TEST_int_eq(EVP_PKEY_decapsulate(privctx, secret, NULL, ct, sizeof(ct)), 1) + && TEST_int_eq(EVP_PKEY_decapsulate(privctx, NULL, &secretlen, ct, sizeof(ct)), 1) + && TEST_int_eq(secretlen, 256) + /* Fail if passed NULL arguments */ + && TEST_int_eq(EVP_PKEY_decapsulate(privctx, NULL, NULL, ct, sizeof(ct)), 0) + && TEST_int_eq(EVP_PKEY_decapsulate(privctx, secret, &secretlen, NULL, 0), 0) + && TEST_int_eq(EVP_PKEY_decapsulate(privctx, secret, &secretlen, NULL, sizeof(ct)), 0) + && TEST_int_eq(EVP_PKEY_decapsulate(privctx, secret, &secretlen, ct, 0), 0); EVP_PKEY_free(pub); EVP_PKEY_free(priv); diff --git a/test/hmactest.c b/test/hmactest.c index 8f5bf32f8708..0a29c58731f6 100644 --- a/test/hmactest.c +++ b/test/hmactest.c @@ -275,19 +275,21 @@ static int test_hmac_copy_uninited(void) return res; } -# ifndef OPENSSL_NO_MD5 +#ifndef OPENSSL_NO_MD5 +# define OSSL_HEX_CHARS_PER_BYTE 2 static char *pt(unsigned char *md, unsigned int len) { unsigned int i; - static char buf[80]; + static char buf[201]; if (md == NULL) return NULL; - for (i = 0; i < len; i++) - sprintf(&(buf[i * 2]), "%02x", md[i]); + for (i = 0; i < len && (i + 1) * OSSL_HEX_CHARS_PER_BYTE < sizeof(buf); i++) + BIO_snprintf(buf + i * OSSL_HEX_CHARS_PER_BYTE, + OSSL_HEX_CHARS_PER_BYTE + 1, "%02x", md[i]); return buf; } -# endif +#endif int setup_tests(void) { diff --git a/test/memleaktest.c b/test/memleaktest.c index 97827b8e9cd3..876168677398 100644 --- a/test/memleaktest.c +++ b/test/memleaktest.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -44,7 +44,7 @@ int main(int argc, char *argv[]) */ int exitcode = EXIT_FAILURE; #endif - char *lost; + char *volatile lost; lost = OPENSSL_malloc(3); if (!TEST_ptr(lost)) diff --git a/test/p_test.c b/test/p_test.c index 80f0784dd9d5..46f990113fb6 100644 --- a/test/p_test.c +++ b/test/p_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -16,6 +16,8 @@ #include <string.h> #include <stdio.h> +#include <stdarg.h> + /* * When built as an object file to link the application with, we get the * init function name through the macro PROVIDER_INIT_FUNCTION_NAME. If @@ -46,6 +48,7 @@ static OSSL_FUNC_core_get_params_fn *c_get_params = NULL; static OSSL_FUNC_core_new_error_fn *c_new_error; static OSSL_FUNC_core_set_error_debug_fn *c_set_error_debug; static OSSL_FUNC_core_vset_error_fn *c_vset_error; +static OSSL_FUNC_BIO_vsnprintf_fn *c_BIO_vsnprintf; /* Tell the core what params we provide and what type they are */ static const OSSL_PARAM p_param_types[] = { @@ -60,6 +63,17 @@ static OSSL_FUNC_provider_get_params_fn p_get_params; static OSSL_FUNC_provider_get_reason_strings_fn p_get_reason_strings; static OSSL_FUNC_provider_teardown_fn p_teardown; +static int local_snprintf(char *buf, size_t n, const char *format, ...) +{ + va_list args; + int ret; + + va_start(args, format); + ret = (*c_BIO_vsnprintf)(buf, n, format, args); + va_end(args); + return ret; +} + static void p_set_error(int lib, int reason, const char *file, int line, const char *func, const char *fmt, ...) { @@ -114,11 +128,11 @@ static int p_get_params(void *provctx, OSSL_PARAM params[]) const char *versionp = *(void **)counter_request[0].data; const char *namep = *(void **)counter_request[1].data; - sprintf(buf, "Hello OpenSSL %.20s, greetings from %s!", - versionp, namep); + local_snprintf(buf, sizeof(buf), "Hello OpenSSL %.20s, greetings from %s!", + versionp, namep); } } else { - sprintf(buf, "Howdy stranger..."); + local_snprintf(buf, sizeof(buf), "Howdy stranger..."); } p->return_size = buf_l = strlen(buf) + 1; @@ -216,12 +230,21 @@ static const OSSL_ITEM *p_get_reason_strings(void *_) return reason_strings; } +static const OSSL_ALGORITHM *p_query(OSSL_PROVIDER *prov, + int operation_id, + int *no_cache) +{ + *no_cache = 1; + return NULL; +} + static const OSSL_DISPATCH p_test_table[] = { { OSSL_FUNC_PROVIDER_GETTABLE_PARAMS, (void (*)(void))p_gettable_params }, { OSSL_FUNC_PROVIDER_GET_PARAMS, (void (*)(void))p_get_params }, { OSSL_FUNC_PROVIDER_GET_REASON_STRINGS, (void (*)(void))p_get_reason_strings}, { OSSL_FUNC_PROVIDER_TEARDOWN, (void (*)(void))p_teardown }, + { OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))p_query }, { 0, NULL } }; @@ -250,6 +273,9 @@ int OSSL_provider_init(const OSSL_CORE_HANDLE *handle, case OSSL_FUNC_CORE_VSET_ERROR: c_vset_error = OSSL_FUNC_core_vset_error(in); break; + case OSSL_FUNC_BIO_VSNPRINTF: + c_BIO_vsnprintf = OSSL_FUNC_BIO_vsnprintf(in); + break; default: /* Just ignore anything we don't understand */ break; diff --git a/test/pkcs12_format_test.c b/test/pkcs12_format_test.c index c142093f72bb..f7ecd7c1e635 100644 --- a/test/pkcs12_format_test.c +++ b/test/pkcs12_format_test.c @@ -358,7 +358,8 @@ static int test_single_key(PKCS12_ENC *enc) char fname[80]; PKCS12_BUILDER *pb; - sprintf(fname, "1key_ciph-%s_iter-%d.p12", OBJ_nid2sn(enc->nid), enc->iter); + BIO_snprintf(fname, sizeof(fname), "1key_ciph-%s_iter-%d.p12", + OBJ_nid2sn(enc->nid), enc->iter); pb = new_pkcs12_builder(fname); @@ -457,7 +458,8 @@ static int test_single_cert_mac(PKCS12_ENC *mac) char fname[80]; PKCS12_BUILDER *pb; - sprintf(fname, "1cert_mac-%s_iter-%d.p12", OBJ_nid2sn(mac->nid), mac->iter); + BIO_snprintf(fname, sizeof(fname), "1cert_mac-%s_iter-%d.p12", + OBJ_nid2sn(mac->nid), mac->iter); pb = new_pkcs12_builder(fname); @@ -617,7 +619,8 @@ static int test_single_secret(PKCS12_ENC *enc) char fname[80]; PKCS12_BUILDER *pb; - sprintf(fname, "1secret_ciph-%s_iter-%d.p12", OBJ_nid2sn(enc->nid), enc->iter); + BIO_snprintf(fname, sizeof(fname), "1secret_ciph-%s_iter-%d.p12", + OBJ_nid2sn(enc->nid), enc->iter); pb = new_pkcs12_builder(fname); custom_nid = get_custom_oid(); diff --git a/test/property_test.c b/test/property_test.c index 88c5342c538e..1f1171ad90a6 100644 --- a/test/property_test.c +++ b/test/property_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -50,30 +50,37 @@ static void down_ref(void *p) static int test_property_string(void) { - OSSL_METHOD_STORE *store; + OSSL_LIB_CTX *ctx; + OSSL_METHOD_STORE *store = NULL; int res = 0; OSSL_PROPERTY_IDX i, j; - if (TEST_ptr(store = ossl_method_store_new(NULL)) - && TEST_int_eq(ossl_property_name(NULL, "fnord", 0), 0) - && TEST_int_ne(ossl_property_name(NULL, "fnord", 1), 0) - && TEST_int_ne(ossl_property_name(NULL, "name", 1), 0) + /*- + * Use our own library context because we depend on ordering from a + * pristine state. + */ + if (TEST_ptr(ctx = OSSL_LIB_CTX_new()) + && TEST_ptr(store = ossl_method_store_new(ctx)) + && TEST_int_eq(ossl_property_name(ctx, "fnord", 0), 0) + && TEST_int_ne(ossl_property_name(ctx, "fnord", 1), 0) + && TEST_int_ne(ossl_property_name(ctx, "name", 1), 0) /* Property value checks */ - && TEST_int_eq(ossl_property_value(NULL, "fnord", 0), 0) - && TEST_int_ne(i = ossl_property_value(NULL, "no", 0), 0) - && TEST_int_ne(j = ossl_property_value(NULL, "yes", 0), 0) + && TEST_int_eq(ossl_property_value(ctx, "fnord", 0), 0) + && TEST_int_ne(i = ossl_property_value(ctx, "no", 0), 0) + && TEST_int_ne(j = ossl_property_value(ctx, "yes", 0), 0) && TEST_int_ne(i, j) - && TEST_int_eq(ossl_property_value(NULL, "yes", 1), j) - && TEST_int_eq(ossl_property_value(NULL, "no", 1), i) - && TEST_int_ne(i = ossl_property_value(NULL, "illuminati", 1), 0) - && TEST_int_eq(j = ossl_property_value(NULL, "fnord", 1), i + 1) - && TEST_int_eq(ossl_property_value(NULL, "fnord", 1), j) + && TEST_int_eq(ossl_property_value(ctx, "yes", 1), j) + && TEST_int_eq(ossl_property_value(ctx, "no", 1), i) + && TEST_int_ne(i = ossl_property_value(ctx, "illuminati", 1), 0) + && TEST_int_eq(j = ossl_property_value(ctx, "fnord", 1), i + 1) + && TEST_int_eq(ossl_property_value(ctx, "fnord", 1), j) /* Check name and values are distinct */ - && TEST_int_eq(ossl_property_value(NULL, "cold", 0), 0) - && TEST_int_ne(ossl_property_name(NULL, "fnord", 0), - ossl_property_value(NULL, "fnord", 0))) + && TEST_int_eq(ossl_property_value(ctx, "cold", 0), 0) + && TEST_int_ne(ossl_property_name(ctx, "fnord", 0), + ossl_property_value(ctx, "fnord", 0))) res = 1; ossl_method_store_free(store); + OSSL_LIB_CTX_free(ctx); return res; } diff --git a/test/recipes/03-test_fipsinstall.t b/test/recipes/03-test_fipsinstall.t index 5f514e231b59..c243b5646d37 100644 --- a/test/recipes/03-test_fipsinstall.t +++ b/test/recipes/03-test_fipsinstall.t @@ -253,6 +253,10 @@ SKIP: { SKIP: { skip "Skipping Asymmetric RSA corruption test because of no rsa in this build", 1 if disabled("rsa"); + run(test(["fips_version_test", "-config", $provconf, "<3.5.0"]), + capture => 1, statusvar => \my $exit); + skip "FIPS provider version is too new for Asymmetric RSA corruption test", 1 + if !$exit; ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile, '-corrupt_desc', 'RSA_Encrypt', '-corrupt_type', 'KAT_AsymmetricCipher'])), diff --git a/test/recipes/04-test_encoder_decoder.t b/test/recipes/04-test_encoder_decoder.t index 19541610a9a9..d5d79f3a5754 100644 --- a/test/recipes/04-test_encoder_decoder.t +++ b/test/recipes/04-test_encoder_decoder.t @@ -25,9 +25,26 @@ my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); my $rsa_key = srctop_file("test", "certs", "ee-key.pem"); my $pss_key = srctop_file("test", "certs", "ca-pss-key.pem"); -plan tests => ($no_fips ? 0 : 1) + 2; # FIPS install test + test +plan tests => ($no_fips ? 0 : 3) + 2; # FIPS install test + test my $conf = srctop_file("test", "default.cnf"); + +# Check if the specified pattern occurs in the given file +# Returns 1 if the pattern is found and 0 if not +sub find_line_file { + my ($key, $file) = @_; + + open(my $in, $file) or return -1; + while (my $line = <$in>) { + if ($line =~ /$key/) { + close($in); + return 1; + } + } + close($in); + return 0; +} + ok(run(test(["endecode_test", "-rsa", $rsa_key, "-pss", $pss_key, "-config", $conf, @@ -47,5 +64,13 @@ unless ($no_fips) { "-pss", $pss_key, "-config", $conf, "-provider", "fips"]))); +SKIP: { + skip "EC disabled", 2 if disabled("ec"); + ok(run(app([ 'openssl', 'genpkey', '-algorithm', 'EC', + '-pkeyopt', 'group:P-256', '-text', + '-config', $conf, '-provider', 'fips', '-out', 'ec.txt' ])), + 'Print a FIPS provider EC private key'); + ok(find_line_file('NIST CURVE: P-256', 'ec.txt') == 1, + 'Printing an FIPS provider EC private key'); +} } - diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t index 818c9ac50dd3..7fa14d9daa8b 100644 --- a/test/recipes/25-test_verify.t +++ b/test/recipes/25-test_verify.t @@ -61,7 +61,7 @@ ok(verify("ee-cert-ocsp-nocheck", "", ["root-cert"], ["ca-cert"]), ok(verify("ee-cert", "sslserver", [qw(sroot-cert)], [qw(ca-cert)]), "accept server purpose"); ok(!verify("ee-cert", "sslserver", [qw(croot-cert)], [qw(ca-cert)]), - "fail client purpose"); + "fail client purpose"); # beware, questionable non-standard EKU check on trust anchor ok(verify("ee-cert", "sslserver", [qw(root+serverAuth)], [qw(ca-cert)]), "accept server trust"); ok(verify("ee-cert", "sslserver", [qw(sroot+serverAuth)], [qw(ca-cert)]), @@ -81,7 +81,7 @@ ok(verify("ee-cert", "sslserver", [qw(root-clientAuth)], [qw(ca-cert)]), ok(verify("ee-cert", "sslserver", [qw(sroot-clientAuth)], [qw(ca-cert)]), "accept client mistrust with server purpose"); ok(!verify("ee-cert", "sslserver", [qw(croot-clientAuth)], [qw(ca-cert)]), - "fail client mistrust with client purpose"); + "fail client mistrust with client purpose"); # beware, questionable non-standard EKU check on trust anchor # Inapplicable trust ok(!verify("ee-cert", "sslserver", [qw(root+clientAuth)], [qw(ca-cert)]), "fail client trust"); @@ -150,7 +150,7 @@ ok(!verify("ee-cert", "sslserver", [qw(root-expired)], [qw(ca-cert)]), ok(verify("ee-cert", "sslserver", [qw(sca-cert)], [], "-partial_chain"), "accept partial chain with server purpose"); ok(!verify("ee-cert", "sslserver", [qw(cca-cert)], [], "-partial_chain"), - "fail partial chain with client purpose"); + "fail partial chain with client purpose"); # beware, questionable non-standard EKU check on trust anchor ok(verify("ee-cert", "sslserver", [qw(ca+serverAuth)], [], "-partial_chain"), "accept server trust partial chain"); ok(verify("ee-cert", "sslserver", [qw(cca+serverAuth)], [], "-partial_chain"), @@ -188,7 +188,7 @@ ok(verify("ee-cert", "sslserver", [qw(root-cert cca+serverAuth)], [qw(ca-cert)]) ok(verify("ee-cert", "sslserver", [qw(root-cert cca+anyEKU)], [qw(ca-cert)]), "accept wildcard trust and client purpose"); ok(!verify("ee-cert", "sslserver", [qw(root-cert cca-cert)], [qw(ca-cert)]), - "fail client purpose"); + "fail client purpose intermediate trusted"); # beware, questionable non-standard EKU check on trust anchor ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-anyEKU)], [qw(ca-cert)]), "fail wildcard mistrust"); ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-serverAuth)], [qw(ca-cert)]), diff --git a/test/recipes/30-test_evp_data/evpkdf_tls13_kdf.txt b/test/recipes/30-test_evp_data/evpkdf_tls13_kdf.txt index 9ad8b9fbd2df..c7e7b4b5bf90 100644 --- a/test/recipes/30-test_evp_data/evpkdf_tls13_kdf.txt +++ b/test/recipes/30-test_evp_data/evpkdf_tls13_kdf.txt @@ -4935,3 +4935,13 @@ Ctrl.mode = mode:EXTRACT_AND_EXPAND Ctrl.digest = digest:SHA256 Result = KDF_CTRL_ERROR +# Test that salt of arbitrary length works +FIPSversion = >=3.4.0 +KDF = TLS13-KDF +Ctrl.mode = mode:EXTRACT_ONLY +Ctrl.digest = digest:SHA2-256 +Ctrl.key = hexkey:f8af6aea2d397baf2948a25b2834200692cff17eee9165e4e27babee9edefd05 +Ctrl.salt = hexsalt:00010203040506070809000102030405060708090001020304050607080900010203040506070809 +Ctrl.prefix = hexprefix:746c73313320 +Ctrl.label = hexlabel:64657269766564 +Output = ef0aa4925ab6f4588759e15dfadcf7602ca7aa39ebb092bd7ab48f6a68c54449 diff --git a/test/recipes/80-test_cmp_http.t b/test/recipes/80-test_cmp_http.t index 0ca547354fc7..c704cc758e91 100644 --- a/test/recipes/80-test_cmp_http.t +++ b/test/recipes/80-test_cmp_http.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2007-2025 The OpenSSL Project Authors. All Rights Reserved. # Copyright Nokia 2007-2019 # Copyright Siemens AG 2015-2019 # @@ -270,7 +270,7 @@ sub start_mock_server { print "Current directory is ".getcwd()."\n"; print "Launching mock server: $cmd\n"; die "Invalid port: $server_port" unless $server_port =~ m/^\d+$/; - my $pid = open($server_fh, "$cmd|") or die "Trying to $cmd"; + my $pid = open($server_fh, "$cmd 2>".result_dir()."/error.txt |") or die "Trying to $cmd"; print "Pid is: $pid\n"; if ($server_port == 0) { # Find out the actual server port diff --git a/test/recipes/80-test_cmp_http_data/test_connection.csv b/test/recipes/80-test_cmp_http_data/test_connection.csv index 33a572a29da1..cc012411ea5f 100644 --- a/test/recipes/80-test_cmp_http_data/test_connection.csv +++ b/test/recipes/80-test_cmp_http_data/test_connection.csv @@ -2,8 +2,8 @@ expected,description, -section,val, -server,val, -proxy,val, -no_proxy,val, -tls ,Message transfer options:,,,,,,,,,,,,,,,,,, ,,,,,,,,,,,,,,,,,,, 1,default config, -section,,,,,,,,BLANK,,,,BLANK,,BLANK,,BLANK, -TBD,Domain name, -section,, -server,_SERVER_CN:_SERVER_PORT,,,,,,,,,,,,,, -TBD,IP address, -section,, -server,_SERVER_IP:_SERVER_PORT,,,,,,,,,,,,,, +1,disabled as not supported by some host IP configurations: server domain name, -section,, -server,localhost:_SERVER_PORT,,,,,,,,,,,,,, +1,disabled as not supported by some host IP configurations: server IPv6 address, -section,, -server,[::1]:_SERVER_PORT,,,,,,,,,,,,,, ,,,,,,,,,,,,,,,,,,, 0,wrong server, -section,, -server,xn--rksmrgs-5wao1o.example.com:_SERVER_PORT,,,,,BLANK,,,, -msg_timeout,1,BLANK,,BLANK, 0,wrong server port, -section,, -server,_SERVER_HOST:99,,,,,BLANK,,,, -msg_timeout,1,BLANK,,BLANK, diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t index 31f9fbd1280a..0e8b0259f1c2 100644 --- a/test/recipes/80-test_cms.t +++ b/test/recipes/80-test_cms.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2025 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -25,6 +25,7 @@ use lib srctop_dir('Configurations'); use lib bldtop_dir('.'); my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); +my $old_fips = 0; plan skip_all => "CMS is not supported by this OpenSSL build" if disabled("cms"); @@ -50,13 +51,17 @@ my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib) $no_rc2 = 1 if disabled("legacy"); -plan tests => 19; +plan tests => 20; ok(run(test(["pkcs7_test"])), "test pkcs7"); unless ($no_fips) { - @config = ( "-config", srctop_file("test", "fips-and-base.cnf") ); + my $provconf = srctop_file("test", "fips-and-base.cnf"); + @config = ( "-config", $provconf ); $provname = 'fips'; + + run(test(["fips_version_test", "-config", $provconf, "<3.4.0"]), + capture => 1, statusvar => $old_fips); } $ENV{OPENSSL_TEST_LIBCTX} = "1"; @@ -394,6 +399,13 @@ my @smime_cms_tests = ( "-out", "{output}.txt" ], \&final_compare ], + + [ "encrypted content test streaming PEM format -noout, 128 bit AES key", + [ "{cmd1}", @prov, "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM", + "-aes128", "-secretkey", "000102030405060708090A0B0C0D0E0F", + "-stream", "-noout" ], + [ "{cmd2}", @prov, "-help" ] + ], ); my @smime_cms_cades_tests = ( @@ -604,6 +616,7 @@ my @smime_cms_param_tests = ( "-stream", "-out", "{output}.cms", "-recip", catfile($smdir, "smec1.pem"), "-aes128", "-keyopt", "ecdh_kdf_md:sha256" ], + sub { my %opts = @_; smimeType_matches("$opts{output}.cms", "enveloped-data"); }, [ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smec1.pem"), "-in", "{output}.cms", "-out", "{output}.txt" ], \&final_compare @@ -613,6 +626,7 @@ my @smime_cms_param_tests = ( [ "{cmd1}", @prov, "-encrypt", "-in", $smcont, "-stream", "-out", "{output}.cms", "-recip", catfile($smdir, "smec1.pem"), "-aes-128-gcm", "-keyopt", "ecdh_kdf_md:sha256" ], + sub { my %opts = @_; smimeType_matches("$opts{output}.cms", "authEnveloped-data"); }, [ "{cmd2}", "-decrypt", "-recip", catfile($smdir, "smec1.pem"), "-in", "{output}.cms", "-out", "{output}.txt" ], \&final_compare @@ -626,18 +640,23 @@ my @smime_cms_param_tests = ( [ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smec2.pem"), "-in", "{output}.cms", "-out", "{output}.txt" ], \&final_compare - ], - - [ "enveloped content test streaming S/MIME format, X9.42 DH", - [ "{cmd1}", @prov, "-encrypt", "-in", $smcont, - "-stream", "-out", "{output}.cms", - "-recip", catfile($smdir, "smdh.pem"), "-aes128" ], - [ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smdh.pem"), - "-in", "{output}.cms", "-out", "{output}.txt" ], - \&final_compare ] ); +if ($no_fips || $old_fips) { + # Only SHA1 supported in dh_cms_encrypt() + push(@smime_cms_param_tests, + [ "enveloped content test streaming S/MIME format, X9.42 DH", + [ "{cmd1}", @prov, "-encrypt", "-in", $smcont, + "-stream", "-out", "{output}.cms", + "-recip", catfile($smdir, "smdh.pem"), "-aes128" ], + [ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smdh.pem"), + "-in", "{output}.cms", "-out", "{output}.txt" ], + \&final_compare + ] + ); +} + my @contenttype_cms_test = ( [ "signed content test - check that content type is added to additional signerinfo, RSA keys", [ "{cmd1}", @prov, "-sign", "-binary", "-nodetach", "-stream", "-in", $smcont, @@ -765,6 +784,28 @@ sub contentType_matches { return scalar(@c); } +# Returns 1 if the smime-type matches the passed parameter, otherwise 0. +sub smimeType_matches { + my ($in, $expected_smime_type) = @_; + + # Read the text file + open(my $fh, '<', $in) or die("open failed for $in : $!"); + local $/; + my $content = <$fh>; + close($fh); + + # Extract the Content-Type line with the smime-type attribute + if ($content =~ /Content-Type:\s*application\/pkcs7-mime.*smime-type=([^\s;]+)/) { + my $smime_type = $1; + + # Compare the extracted smime-type with the expected value + return ($smime_type eq $expected_smime_type) ? 1 : 0; + } + + # If no smime-type is found, return 0 + return 0; +} + sub rsapssSaltlen { my ($in) = @_; my $exit = 0; @@ -986,6 +1027,22 @@ ok(!run(app(['openssl', 'cms', '-verify', ])), "issue#19643"); +# Check that kari encryption with originator does not segfault +with({ exit_checker => sub { return shift == 3; } }, + sub { + SKIP: { + skip "EC is not supported in this build", 1 if $no_ec; + + ok(run(app(['openssl', 'cms', '-encrypt', + '-in', srctop_file("test", "smcont.txt"), '-aes128', + '-recip', catfile($smdir, "smec1.pem"), + '-originator', catfile($smdir, "smec3.pem"), + '-inkey', catfile($smdir, "smec3.pem") + ])), + "Check failure for currently not supported kari encryption with static originator"); + } + }); + # Check that we get the expected failure return code with({ exit_checker => sub { return shift == 6; } }, sub { diff --git a/test/sslapitest.c b/test/sslapitest.c index 97cf0f3ef092..368b15f22b72 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -190,7 +190,7 @@ static int compare_hex_encoded_buffer(const char *hex_encoded, return 1; for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) { - sprintf(hexed, "%02x", raw[i]); + BIO_snprintf(hexed, sizeof(hexed), "%02x", raw[i]); if (!TEST_int_eq(hexed[0], hex_encoded[j]) || !TEST_int_eq(hexed[1], hex_encoded[j + 1])) return 1; @@ -10918,6 +10918,7 @@ static int npn_advert_cb(SSL *ssl, const unsigned char **out, return SSL_TLSEXT_ERR_OK; case 1: + *out = NULL; *outlen = 0; return SSL_TLSEXT_ERR_OK; diff --git a/test/testutil/tests.c b/test/testutil/tests.c index ef7e224cd119..05526870acd3 100644 --- a/test/testutil/tests.c +++ b/test/testutil/tests.c @@ -1,5 +1,5 @@ /* - * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -146,6 +146,7 @@ void test_perror(const char *s) void test_note(const char *fmt, ...) { + test_flush_stdout(); if (fmt != NULL) { va_list ap; diff --git a/test/threadstest.c b/test/threadstest.c index 289565c14b5d..046a9eb80239 100644 --- a/test/threadstest.c +++ b/test/threadstest.c @@ -358,7 +358,7 @@ static void thread_general_worker(void) * Therefore we use an insecure bit length where we can (512). * In the FIPS module though we must use a longer length. */ - pkey = EVP_PKEY_Q_keygen(multi_libctx, NULL, "RSA", isfips ? 2048 : 512); + pkey = EVP_PKEY_Q_keygen(multi_libctx, NULL, "RSA", (size_t)(isfips ? 2048 : 512)); if (!TEST_ptr(pkey)) goto err; |