diff --git a/.github/workflows/openssl-version.yml b/.github/workflows/openssl-version.yml
new file mode 100644
index 00000000..2e687db9
--- /dev/null
+++ b/.github/workflows/openssl-version.yml
@@ -0,0 +1,81 @@
+name: OpenSSL Version Tests
+
+# START OF COMMON SECTION
+on:
+ push:
+ branches: [ 'master', 'main', 'release/**' ]
+ pull_request:
+ branches: [ '*' ]
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+ openssl_version_test:
+ name: OpenSSL Version Test
+ runs-on: ubuntu-22.04
+ timeout-minutes: 30
+ strategy:
+ matrix:
+ wolfssl_ref: ['v5.8.2-stable']
+ openssl_ref: [
+ 'openssl-3.0.3',
+ 'openssl-3.0.4',
+ 'openssl-3.0.5',
+ 'openssl-3.0.6',
+ 'openssl-3.0.7',
+ 'openssl-3.0.8',
+ 'openssl-3.0.9',
+ 'openssl-3.0.10',
+ 'openssl-3.0.11',
+ 'openssl-3.0.12',
+ 'openssl-3.0.13',
+ 'openssl-3.0.14',
+ 'openssl-3.0.15',
+ 'openssl-3.0.16',
+ 'openssl-3.0.17',
+ 'openssl-3.1.0',
+ 'openssl-3.1.1',
+ 'openssl-3.1.2',
+ 'openssl-3.1.3',
+ 'openssl-3.1.4',
+ 'openssl-3.1.5',
+ 'openssl-3.1.6',
+ 'openssl-3.1.7',
+ 'openssl-3.1.8',
+ 'openssl-3.2.0',
+ 'openssl-3.2.1',
+ 'openssl-3.2.2',
+ 'openssl-3.2.3',
+ 'openssl-3.2.4',
+ 'openssl-3.2.5',
+ 'openssl-3.3.0',
+ 'openssl-3.3.1',
+ 'openssl-3.3.2',
+ 'openssl-3.3.3',
+ 'openssl-3.3.4',
+ 'openssl-3.4.0',
+ 'openssl-3.4.1',
+ 'openssl-3.4.2',
+ 'openssl-3.5.0',
+ 'openssl-3.5.1']
+ steps:
+ - name: Checkout wolfProvider
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 1
+
+ - name: Build and test wolfProvider
+ run: |
+ OPENSSL_TAG=${{ matrix.openssl_ref }} \
+ WOLFSSL_TAG=${{ matrix.wolfssl_ref }} \
+ ./scripts/build-wolfprovider.sh
+
+ - name: Print errors
+ if: ${{ failure() }}
+ run: |
+ if [ -f test-suite.log ] ; then
+ cat test-suite.log
+ fi
diff --git a/src/wp_kdf_exch.c b/src/wp_kdf_exch.c
index 024ff2e4..40ec2057 100644
--- a/src/wp_kdf_exch.c
+++ b/src/wp_kdf_exch.c
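Review bot: The workflow declares no top-level `permissions:` block, so the job runs with the repository's default GITHUB_TOKEN scope although it only needs to read the checkout; add `permissions:` / `  contents: read` beside `on:` and `concurrency:` in the common section. The checkout step pins `actions/checkout@v4` to a mutable tag; pinning to the action's full commit SHA (tag in a trailing comment) keeps a moved tag from silently changing what pull-request builds execute. The build step passes `OPENSSL_TAG` and `WOLFSSL_TAG` to `./scripts/build-wolfprovider.sh`, which presumably fetches those sources; the script is outside this diff, so whether it pins or verifies what it downloads cannot be confirmed here.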
@@ -221,6 +221,54 @@ static int wp_kdf_set_ctx_params(wp_KdfCtx* ctx, const OSSL_PARAM params[])
 return EVP_KDF_CTX_set_params(ctx->kdfCtx, params);
 }
 
+/**
+ * Get the KDF key exchange parameters.
+ *
+ * @param [in] ctx KDF key exchange context object.
+ * @param [in, out] params Array of parameters.
+ * @return 1 on success.
+ * @return 0 on failure.
+ */
+static int wp_kdf_get_ctx_params(wp_KdfCtx* ctx, OSSL_PARAM params[])
+{
+ int ok = 1;
+
+ WOLFPROV_ENTER(WP_LOG_KDF, "wp_kdf_get_ctx_params");
+
+ if (!wolfssl_prov_is_running()) {
+ ok = 0;
+ }
+ if (ok && !EVP_KDF_CTX_get_params(ctx->kdfCtx, params)) {
+ ok = 0;
+ }
+
+ WOLFPROV_LEAVE(WP_LOG_KDF, __FILE__ ":" WOLFPROV_STRINGIZE(__LINE__), ok);
+ return ok;
+}
+
+/**
+ * Get the list of gettable parameters for a KDF context.
+ *
+ * @param [in] ctx KDF key exchange context object. Unused.
+ * @param [in] provCtx Provider context object.
+ * @param [in] kdfName Name of the KDF.
+ * @return Array of parameters with data type.
+ */
+static const OSSL_PARAM* wp_kdf_gettable_ctx_params(wp_KdfCtx* ctx,
+ WOLFPROV_CTX* provCtx, const char* kdfName)
+{
+ const OSSL_PARAM* params = NULL;
+
+ (void)provCtx;
+ (void)kdfName;
+
+ if (wolfssl_prov_is_running() && ctx != NULL && ctx->kdfCtx != NULL) {
+ params = EVP_KDF_CTX_gettable_params(ctx->kdfCtx);
+ }
+
+ return params;
+}
+
 /**
 * Return an array of supported settable parameters for the HKDF ke context.
 *
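Review bot: `wp_kdf_get_ctx_params` dereferences `ctx->kdfCtx` with no check on `ctx`, while `wp_kdf_gettable_ctx_params`, added in the same hunk, guards `ctx != NULL && ctx->kdfCtx != NULL` before touching it; the two new dispatch entry points should agree, so add `if (ok && (ctx == NULL || ctx->kdfCtx == NULL)) { ok = 0; }` ahead of the `EVP_KDF_CTX_get_params` call (the core presumably never hands a NULL context, but the getter is then at least as defensive as its sibling). The docblock of `wp_kdf_gettable_ctx_params` describes `ctx` as `Unused.` although the function reads `ctx->kdfCtx` to select the returned array; change it to `@param [in] ctx KDF key exchange context object.`, and the same wording is copied into the `wp_hkdf_gettable_ctx_params` and `wp_tls1_prf_gettable_ctx_params` docblocks in the next hunk, which also pass `ctx` through. The gettable helper also lacks the `WOLFPROV_ENTER`/`WOLFPROV_LEAVE` pair the getter uses, a minor logging inconsistency.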
@@ -268,6 +316,32 @@ static const OSSL_PARAM* wp_tls1_prf_settable_ctx_params(wp_KdfCtx* ctx,
 return settable_ctx_params;
 }
 
+/**
+ * Return an array of supported gettable parameters for the HKDF ke context.
+ *
+ * @param [in] ctx KDF key exchange context object. Unused.
+ * @param [in] provCtx Provider context object.
+ * @return Array of parameters with data type.
+ */
+static const OSSL_PARAM* wp_hkdf_gettable_ctx_params(wp_KdfCtx* ctx,
+ WOLFPROV_CTX* provCtx)
+{
+ return wp_kdf_gettable_ctx_params(ctx, provCtx, "HKDF");
+}
+
+/**
+ * Return an array of supported gettable parameters for the TLS1-PRF ke context.
+ *
+ * @param [in] ctx KDF key exchange context object. Unused.
+ * @param [in] provCtx Provider context object.
+ * @return Array of parameters with data type.
+ */
+static const OSSL_PARAM* wp_tls1_prf_gettable_ctx_params(wp_KdfCtx* ctx,
+ WOLFPROV_CTX* provCtx)
+{
+ return wp_kdf_gettable_ctx_params(ctx, provCtx, "TLS1-PRF");
+}
+
 /*
 * HKDF
 */
@@ -292,8 +366,11 @@ const OSSL_DISPATCH wp_hkdf_keyexch_functions[] = {
 { OSSL_FUNC_KEYEXCH_INIT, (DFUNC)wp_kdf_init },
 { OSSL_FUNC_KEYEXCH_DERIVE, (DFUNC)wp_kdf_derive },
 { OSSL_FUNC_KEYEXCH_SET_CTX_PARAMS, (DFUNC)wp_kdf_set_ctx_params },
+ { OSSL_FUNC_KEYEXCH_GET_CTX_PARAMS, (DFUNC)wp_kdf_get_ctx_params },
 { OSSL_FUNC_KEYEXCH_SETTABLE_CTX_PARAMS,
 (DFUNC)wp_hkdf_settable_ctx_params },
+ { OSSL_FUNC_KEYEXCH_GETTABLE_CTX_PARAMS,
+ (DFUNC)wp_hkdf_gettable_ctx_params },
 { 0, NULL }
 };
 
@@ -321,8 +398,11 @@ const OSSL_DISPATCH wp_tls1_prf_keyexch_functions[] = {
 { OSSL_FUNC_KEYEXCH_INIT, (DFUNC)wp_kdf_init },
 { OSSL_FUNC_KEYEXCH_DERIVE, (DFUNC)wp_kdf_derive },
 { OSSL_FUNC_KEYEXCH_SET_CTX_PARAMS, (DFUNC)wp_kdf_set_ctx_params },
+ { OSSL_FUNC_KEYEXCH_GET_CTX_PARAMS, (DFUNC)wp_kdf_get_ctx_params },
 { OSSL_FUNC_KEYEXCH_SETTABLE_CTX_PARAMS,
 (DFUNC)wp_tls1_prf_settable_ctx_params },
+ { OSSL_FUNC_KEYEXCH_GETTABLE_CTX_PARAMS,
+ (DFUNC)wp_tls1_prf_gettable_ctx_params },
 { 0, NULL }
 };
 
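Review bot: The new docblocks for `wp_hkdf_gettable_ctx_params` and `wp_tls1_prf_gettable_ctx_params` reuse the phrase `ke context` from the existing settable-parameter comments, which reads as a truncated word; since these lines are new, write it out as `Return an array of supported gettable parameters for the HKDF key exchange context.` (and likewise for TLS1-PRF). The third argument passed to the shared helper (`"HKDF"`, `"TLS1-PRF"`) is currently discarded by `(void)kdfName` in the earlier hunk, so a one-line note on each wrapper that the name is informational only would save the next reader from looking for a lookup that does not exist.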
diff --git a/test/test_ecc.c b/test/test_ecc.c
index b9b602ed..ea1d0244 100644
--- a/test/test_ecc.c
+++ b/test/test_ecc.c
@@ -1670,8 +1670,10 @@ static int test_ec_pubkey_match_ex(EVP_PKEY *pkey1, EVP_PKEY *pkey2,
 static int test_ec_pubkey_match(EVP_PKEY *pkey1, EVP_PKEY *pkey2)
 {
 int err = 0;
-
+ /* Older versions of OpenSSL use a different format for raw pub key */
+#if OPENSSL_VERSION_NUMBER >= 0x30008000L
 err = test_ec_pubkey_match_ex(pkey1, pkey2, OSSL_PKEY_PARAM_PUB_KEY);
+#endif
 if (err == 0) {
 err = test_ec_pubkey_match_ex(pkey1, pkey2,
 OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY);
@@ -1902,6 +1904,8 @@ static int test_ec_import_priv(void)
 err = 1;
 }
 }
+ /* Older versions of OpenSSL will segfault on this */
+#if OPENSSL_VERSION_NUMBER >= 0x30006000L
 if (err == 0) {
 if (EVP_PKEY_get_octet_string_param(pkey1,
 OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY, NULL, 0, (size_t *)&len) != 0) {
@@ -1914,6 +1918,7 @@ static int test_ec_import_priv(void)
 err = 1;
 }
 }
+#endif
 EVP_PKEY_free(pkey1);
 EVP_PKEY_free(pkey2);
 
diff --git a/test/test_hkdf.c b/test/test_hkdf.c
index 751fd478..9a09814a 100644
--- a/test/test_hkdf.c
+++ b/test/test_hkdf.c
@@ -91,12 +91,12 @@ static int test_hkdf_calc(OSSL_LIB_CTX* libCtx, unsigned char *key, int keyLen,
 return err;
 }
 
-#if OPENSSL_VERSION_NUMBER <= 0x30400000L
-
 static int test_hkdf_double_set_salt(OSSL_LIB_CTX* libCtx, unsigned char *key,
- int keyLen, const EVP_MD *md, int mode)
+ int keyLen, const EVP_MD *md, int mode, int isOssl)
 {
 int err = 0;
+ int ret = 0;
+ static int osslRet = 0;
 EVP_PKEY_CTX *ctx = NULL;
 unsigned char inKey[32] = { 0, };
 unsigned char salt[32] = { 0, };
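Review bot: In `test_ec_pubkey_match` the `#if OPENSSL_VERSION_NUMBER >= 0x30008000L` guard leaves `err` at 0 on older OpenSSL, so the raw `OSSL_PKEY_PARAM_PUB_KEY` comparison is dropped without any trace in the test log and the case passes on the encoded-key check alone. An `#else` branch with `PRINT_MSG("Skipping raw public key comparison on this OpenSSL version");` would keep the log honest about the reduced coverage. The function's body continues past the end of this hunk.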
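Review bot: `static int osslRet` in `test_hkdf_double_set_salt` makes the wolfProvider run's expected value depend on call order: it holds whatever the most recent `isOssl` call stored, across every md/mode combination, and is `0` until the first such call. The declaration deserves a comment stating that contract, e.g. `/* Return of EVP_PKEY_CTX_set1_hkdf_salt(ctx, NULL, 0) observed from the OpenSSL provider; valid only after a call with isOssl set for the same md/mode */`, and the new `isOssl` parameter should be described wherever the function's parameters are documented. The body of test_hkdf_double_set_salt continues beyond this hunk.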
@@ -137,18 +137,17 @@ static int test_hkdf_double_set_salt(OSSL_LIB_CTX* libCtx, unsigned char *key,
 }
 }
 if ((err == 0) && (mode != EVP_PKEY_HKDEF_MODE_EXPAND_ONLY)) {
-#if OPENSSL_VERSION_NUMBER >= 0x30100000L && \
- OPENSSL_VERSION_NUMBER != 0x30200050L && \
- OPENSSL_VERSION_NUMBER != 0x30300040L
- if (EVP_PKEY_CTX_set1_hkdf_salt(ctx, NULL, 0) != 1) {
-#else
- /* In 3.1.x, the following code was added to hkdf_common_set_ctx_params()
- * if (p->data_size != 0 && p->data != NULL) {
- * The above code is not present in 3.2.5 and 3.3.4. */
- if (EVP_PKEY_CTX_set1_hkdf_salt(ctx, NULL, 0) != 0) {
-#endif
- PRINT_MSG("Failed to set HKDF salt to NULL");
- err = 1;
+ ret = EVP_PKEY_CTX_set1_hkdf_salt(ctx, NULL, 0);
+ if (isOssl) {
+ /* Record return value for whatever version of OpenSSL we are
+ * running against as expected result for next call */
+ osslRet = ret;
+ }
+ else {
+ if (ret != osslRet) {
+ PRINT_MSG("Failed to set HKDF salt to NULL");
+ err = 1;
+ }
 }
 }
 if ((err == 0) && (mode != EVP_PKEY_HKDEF_MODE_EXPAND_ONLY)) {
@@ -187,8 +186,6 @@ static int test_hkdf_double_set_salt(OSSL_LIB_CTX* libCtx, unsigned char *key,
 return err;
 }
 
-#endif
-
 static int test_hkdf_md(const EVP_MD *md, int mode)
 {
 int err = 0;
@@ -218,14 +215,13 @@ static int test_hkdf_md(const EVP_MD *md, int mode)
 err = 1;
 }
 
-#if OPENSSL_VERSION_NUMBER <= 0x30400000L
-
 memset(oKey, 0, sizeof(oKey));
 memset(wKey, 0, sizeof(wKey));
 if (err == 0) {
 PRINT_MSG("Calc with OpenSSL");
- err = test_hkdf_double_set_salt(osslLibCtx, oKey, sizeof(oKey), md, mode);
+ err = test_hkdf_double_set_salt(osslLibCtx,
+ oKey, sizeof(oKey), md, mode, 1);
 if (err == 1) {
 PRINT_MSG("FAILED OpenSSL");
 }
 
@@ -233,7 +229,8 @@ static int test_hkdf_md(const EVP_MD *md, int mode)
 
 if (err == 0) {
 PRINT_MSG("Calc with wolfSSL");
- err = test_hkdf_double_set_salt(wpLibCtx, wKey, sizeof(wKey), md, mode);
+ err = test_hkdf_double_set_salt(wpLibCtx,
+ wKey, sizeof(wKey), md, mode, 0);
 if (err == 1) {
 PRINT_MSG("FAILED wolfSSL");
 }
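Review bot: In the `else` branch the message `"Failed to set HKDF salt to NULL"` no longer describes the condition being tested: `ret != osslRet` fires when wolfProvider's return differs from what the OpenSSL provider returned, including the case where OpenSSL reported failure and wolfProvider succeeded. Reword it to what is actually compared, e.g. `PRINT_MSG("HKDF NULL salt result differs from OpenSSL");`. On the `isOssl` path the return is recorded but never checked, so an OpenSSL-side failure of `EVP_PKEY_CTX_set1_hkdf_salt` is not reported here and simply becomes the expectation for the wolfProvider run; that follows from the version-dependent behaviour the removed comment described, but it is worth stating in the comment above `osslRet = ret;` that a failing return is accepted deliberately. The function starts and ends outside this hunk.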
@@ -245,8 +242,6 @@ static int test_hkdf_md(const EVP_MD *md, int mode)
 err = 1;
 }
 
-#endif
-
 return err;
 }
 
diff --git a/test/test_rsa.c b/test/test_rsa.c
index a136c804..2335dc9e 100644
--- a/test/test_rsa.c
+++ b/test/test_rsa.c
@@ -1170,7 +1170,9 @@ int test_rsa_fromdata(void* data)
 static const int selections[] = {
 EVP_PKEY_KEYPAIR,
 EVP_PKEY_PUBLIC_KEY,
+#ifdef EVP_PKEY_PRIVATE_KEY
 EVP_PKEY_PRIVATE_KEY, /* added in 3.0.12 and 3.1.4 */
+#endif
 };
 
 /* Parameter data fields */