Test RSA oaep in fips mode

Added RSA oaep test that uses the pkeyutl application.
Added an openssl application option to support loading a (fips) provider via the '-config' option.
Added openssl application related environment variable 'OPENSSL_TEST_LIBCTX' (for testing purposes only),
that creates a non default library context.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11948)

6 files changed, 104 insertions, 17 deletions

diff --git a/apps/include/apps.h b/apps/include/apps.h
index 87d1b47..9a76dcd 100644
--- a/apps/include/apps.h
+++ b/apps/include/apps.h
@@ -65,6 +65,7 @@ CONF *app_load_config_bio(BIO *in, const char *filename);
 CONF *app_load_config(const char *filename);
 CONF *app_load_config_quiet(const char *filename);
 int app_load_modules(const CONF *config);
+CONF *app_load_config_modules(const char *configfile);
 void unbuffer(FILE *fp);
 void wait_for_async(SSL *s);
 # if defined(OPENSSL_SYS_MSDOS)
@@ -290,9 +291,12 @@ typedef struct verify_options_st {
 
 extern VERIFY_CB_ARGS verify_args;
 
+OPENSSL_CTX *app_create_libctx(void);
+OPENSSL_CTX *app_get0_libctx(void);
 OSSL_PARAM *app_params_new_from_opts(STACK_OF(OPENSSL_STRING) *opts,
                                      const OSSL_PARAM *paramdefs);
 void app_params_free(OSSL_PARAM *params);
+int app_provider_load(OPENSSL_CTX *libctx, const char *provider_name);
 void app_providers_cleanup(void);
 
 #endif
diff --git a/apps/include/opt.h b/apps/include/opt.h
index 5afbad1..ad629c0 100644
--- a/apps/include/opt.h
+++ b/apps/include/opt.h
@@ -273,6 +273,9 @@
         OPT_PROV_PROVIDER, OPT_PROV_PROVIDER_PATH, \
         OPT_PROV__LAST
 
+# define OPT_CONFIG_OPTION \
+        { "config", OPT_CONFIG, '<', "Load a configuration file (this may load modules)" }
+
 # define OPT_PROV_OPTIONS \
         OPT_SECTION("Provider"), \
         { "provider_path", OPT_PROV_PROVIDER_PATH, 's', "Provider load path (must be before 'provider' argument if required)" }, \
diff --git a/apps/lib/app_provider.c b/apps/lib/app_provider.c
index ca24328..60645e2 100644
--- a/apps/lib/app_provider.c
+++ b/apps/lib/app_provider.c
@@ -8,6 +8,7 @@
  */
 
 #include "apps.h"
+#include <string.h>
 #include <openssl/err.h>
 #include <openssl/provider.h>
 #include <openssl/safestack.h>
@@ -21,14 +22,19 @@ enum prov_range { OPT_PROV_ENUM };
 
 static STACK_OF(OSSL_PROVIDER) *app_providers = NULL;
 
-static int opt_provider_load(const char *provider)
+static void provider_free(OSSL_PROVIDER *prov)
+{
+    OSSL_PROVIDER_unload(prov);
+}
+
+int app_provider_load(OPENSSL_CTX *libctx, const char *provider_name)
 {
     OSSL_PROVIDER *prov;
 
-    prov = OSSL_PROVIDER_load(NULL, provider);
+    prov = OSSL_PROVIDER_load(libctx, provider_name);
     if (prov == NULL) {
         opt_printf_stderr("%s: unable to load provider %s\n",
-                          opt_getprog(), provider);
+                          opt_getprog(), provider_name);
         return 0;
     }
     if (app_providers == NULL)
@@ -41,11 +47,6 @@ static int opt_provider_load(const char *provider)
     return 1;
 }
 
-static void provider_free(OSSL_PROVIDER *prov)
-{
-    OSSL_PROVIDER_unload(prov);
-}
-
 void app_providers_cleanup(void)
 {
     sk_OSSL_PROVIDER_pop_free(app_providers, provider_free);
@@ -56,7 +57,7 @@ static int opt_provider_path(const char *path)
 {
     if (path != NULL && *path == '\0')
         path = NULL;
-    return OSSL_PROVIDER_set_default_search_path(NULL, path);
+    return OSSL_PROVIDER_set_default_search_path(app_get0_libctx(), path);
 }
 
 int opt_provider(int opt)
@@ -66,7 +67,7 @@ int opt_provider(int opt)
     case OPT_PROV__LAST:
         return 1;
     case OPT_PROV_PROVIDER:
-        return opt_provider_load(opt_arg());
+        return app_provider_load(app_get0_libctx(), opt_arg());
     case OPT_PROV_PROVIDER_PATH:
         return opt_provider_path(opt_arg());
     }
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index 777e4fe..ba40e9b 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -78,6 +78,8 @@ typedef struct {
     unsigned long mask;
 } NAME_EX_TBL;
 
+static OPENSSL_CTX *app_libctx = NULL;
+
 static int set_table_opts(unsigned long *flags, const char *arg,
                           const NAME_EX_TBL * in_tbl);
 static int set_multi_opts(unsigned long *flags, const char *arg,
@@ -335,13 +337,37 @@ static char *app_get_pass(const char *arg, int keepbio)
     return OPENSSL_strdup(tpass);
 }
 
+OPENSSL_CTX *app_get0_libctx(void)
+{
+    return app_libctx;
+}
+
+OPENSSL_CTX *app_create_libctx(void)
+{
+    /*
+     * Load the NULL provider into the default library context and create a
+     * library context which will then be used for any OPT_PROV options.
+     */
+    if (app_libctx == NULL) {
+
+        if (!app_provider_load(NULL, "null")) {
+            BIO_puts(bio_err, "Failed to create null provider\n");
+            return NULL;
+        }
+        app_libctx = OPENSSL_CTX_new();
+    }
+    if (app_libctx == NULL)
+        BIO_puts(bio_err, "Failed to create library context\n");
+    return app_libctx;
+}
+
 CONF *app_load_config_bio(BIO *in, const char *filename)
 {
     long errorline = -1;
     CONF *conf;
     int i;
 
-    conf = NCONF_new(NULL);
+    conf = NCONF_new_with_libctx(app_libctx, NULL);
     i = NCONF_load_bio(conf, in, &errorline);
     if (i > 0)
         return conf;
@@ -357,6 +383,7 @@ CONF *app_load_config_bio(BIO *in, const char *filename)
     else
         BIO_printf(bio_err, "config input");
 
+    CONF_modules_load(conf, NULL, 0);
     NCONF_free(conf);
     return NULL;
 }
@@ -434,6 +461,23 @@ int add_oid_section(CONF *conf)
     return 1;
 }
 
+CONF *app_load_config_modules(const char *configfile)
+{
+    CONF *conf = NULL;
+
+    if (configfile != NULL) {
+        BIO_printf(bio_err, "Using configuration from %s\n", configfile);
+
+        if ((conf = app_load_config(configfile)) == NULL)
+            return NULL;
+        if (configfile != default_config_file && !app_load_modules(conf)) {
+            NCONF_free(conf);
+            conf = NULL;
+        }
+    }
+    return conf;
+}
+
 X509 *load_cert_pass(const char *uri, int maybe_stdin,
                      const char *pass, const char *desc)
 {
diff --git a/apps/openssl.c b/apps/openssl.c
index a1b4443..6b2c2b9 100644
--- a/apps/openssl.c
+++ b/apps/openssl.c
@@ -58,6 +58,7 @@ static void warn_deprecated(const FUNCTION *fp)
 
 static int apps_startup(void)
 {
+    const char *use_libctx = NULL;
 #ifdef SIGPIPE
     signal(SIGPIPE, SIG_IGN);
 #endif
@@ -69,11 +70,26 @@ static int apps_startup(void)
 
     setup_ui_method();
 
+    /*
+     * NOTE: This is an undocumented feature required for testing only.
+     * There are no guarantees that it will exist in future builds.
+     */
+    use_libctx = getenv("OPENSSL_TEST_LIBCTX");
+    if (use_libctx != NULL) {
+        /* Set this to "1" to create a global libctx */
+        if (strcmp(use_libctx, "1") == 0) {
+            if (app_create_libctx() == NULL)
+                return 0;
+        }
+    }
+
     return 1;
 }
 
 static void apps_shutdown(void)
 {
+    app_providers_cleanup();
+    OPENSSL_CTX_free(app_get0_libctx());
     destroy_ui_method();
 }
 
@@ -273,7 +289,6 @@ int main(int argc, char *argv[])
         : do_cmd(prog, 1, help_argv);
 
  end:
-    app_providers_cleanup();
     OPENSSL_free(default_config_file);
     lh_FUNCTION_free(prog);
     OPENSSL_free(arg.argv);
diff --git a/apps/pkeyutl.c b/apps/pkeyutl.c
index 231547e..4de2a56 100644
--- a/apps/pkeyutl.c
+++ b/apps/pkeyutl.c
@@ -25,7 +25,8 @@ DEFINE_STACK_OF_STRING()
 static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
                               const char *keyfile, int keyform, int key_type,
                               char *passinarg, int pkey_op, ENGINE *e,
-                              const int impl, int rawin, EVP_PKEY **ppkey);
+                              const int impl, int rawin, EVP_PKEY **ppkey,
+                              OPENSSL_CTX *libctx, const char *propq);
 
 static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file,
                       ENGINE *e);
@@ -47,6 +48,7 @@ typedef enum OPTION_choice {
     OPT_DERIVE, OPT_SIGFILE, OPT_INKEY, OPT_PEERKEY, OPT_PASSIN,
     OPT_PEERFORM, OPT_KEYFORM, OPT_PKEYOPT, OPT_PKEYOPT_PASSIN, OPT_KDF,
     OPT_KDFLEN, OPT_R_ENUM, OPT_PROV_ENUM,
+    OPT_CONFIG,
     OPT_RAWIN, OPT_DIGEST
 } OPTION_CHOICE;
 
@@ -63,6 +65,7 @@ const OPTIONS pkeyutl_options[] = {
     {"encrypt", OPT_ENCRYPT, '-', "Encrypt input data with public key"},
     {"decrypt", OPT_DECRYPT, '-', "Decrypt input data with private key"},
     {"derive", OPT_DERIVE, '-', "Derive shared secret"},
+    OPT_CONFIG_OPTION,
 
     OPT_SECTION("Input"),
     {"in", OPT_IN, '<', "Input file - default stdin"},
@@ -100,6 +103,7 @@ const OPTIONS pkeyutl_options[] = {
 
 int pkeyutl_main(int argc, char **argv)
 {
+    CONF *conf = NULL;
     BIO *in = NULL, *out = NULL;
     ENGINE *e = NULL;
     EVP_PKEY_CTX *ctx = NULL;
@@ -122,6 +126,8 @@ int pkeyutl_main(int argc, char **argv)
     int rawin = 0;
     const EVP_MD *md = NULL;
     int filesize = -1;
+    OPENSSL_CTX *libctx = app_get0_libctx();
+    const char *propq = NULL;
 
     prog = opt_init(argc, argv, pkeyutl_options);
     while ((o = opt_next()) != OPT_EOF) {
@@ -168,6 +174,11 @@ int pkeyutl_main(int argc, char **argv)
             if (!opt_rand(o))
                 goto end;
             break;
+        case OPT_CONFIG:
+            conf = app_load_config_modules(opt_arg());
+            if (conf == NULL)
+                goto end;
+            break;
         case OPT_PROV_CASES:
             if (!opt_provider(o))
                 goto end;
@@ -281,7 +292,8 @@ int pkeyutl_main(int argc, char **argv)
         goto opthelp;
     }
     ctx = init_ctx(kdfalg, &keysize, inkey, keyform, key_type,
-                   passinarg, pkey_op, e, engine_impl, rawin, &pkey);
+                   passinarg, pkey_op, e, engine_impl, rawin, &pkey,
+                   libctx, propq);
     if (ctx == NULL) {
         BIO_printf(bio_err, "%s: Error initializing context\n", prog);
         ERR_print_errors(bio_err);
@@ -484,6 +496,7 @@ int pkeyutl_main(int argc, char **argv)
     OPENSSL_free(sig);
     sk_OPENSSL_STRING_free(pkeyopts);
     sk_OPENSSL_STRING_free(pkeyopts_passin);
+    NCONF_free(conf);
     return ret;
 }
 
@@ -491,7 +504,8 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
                               const char *keyfile, int keyform, int key_type,
                               char *passinarg, int pkey_op, ENGINE *e,
                               const int engine_impl, int rawin,
-                              EVP_PKEY **ppkey)
+                              EVP_PKEY **ppkey,
+                              OPENSSL_CTX *libctx, const char *propq)
 {
     EVP_PKEY *pkey = NULL;
     EVP_PKEY_CTX *ctx = NULL;
@@ -547,13 +561,19 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
                 goto end;
             }
         }
-        ctx = EVP_PKEY_CTX_new_id(kdfnid, impl);
+        if (impl != NULL)
+            ctx = EVP_PKEY_CTX_new_id(kdfnid, impl);
+        else
+            ctx = EVP_PKEY_CTX_new_from_name(libctx, kdfalg, propq);
     } else {
         if (pkey == NULL)
             goto end;
 
         *pkeysize = EVP_PKEY_size(pkey);
-        ctx = EVP_PKEY_CTX_new(pkey, impl);
+        if (impl != NULL)
+            ctx = EVP_PKEY_CTX_new(pkey, impl);
+        else
+            ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, propq);
         if (ppkey != NULL)
             *ppkey = pkey;
         EVP_PKEY_free(pkey);