Exercise EVP_chacha20_poly1305() with in-place decryption

This needs quite a bit of cleanup but let's have some tests rather than
none.

1 files changed, 143 insertions, 2 deletions

diff --git a/src/regress/lib/libcrypto/wycheproof/wycheproof.go b/src/regress/lib/libcrypto/wycheproof/wycheproof.go
index b158c142aa..ddd37030d4 100644
--- a/src/regress/lib/libcrypto/wycheproof/wycheproof.go
+++ b/src/regress/lib/libcrypto/wycheproof/wycheproof.go
@@ -1,7 +1,7 @@
-/* $OpenBSD: wycheproof.go,v 1.159 2023/11/07 21:22:34 tb Exp $ */
+/* $OpenBSD: wycheproof.go,v 1.160 2024/05/22 14:03:24 tb Exp $ */
 /*
  * Copyright (c) 2018,2023 Joel Sing <jsing@openbsd.org>
- * Copyright (c) 2018,2019,2022,2023 Theo Buehler <tb@openbsd.org>
+ * Copyright (c) 2018,2019,2022-2024 Theo Buehler <tb@openbsd.org>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -1215,6 +1215,138 @@ func runChaCha20Poly1305Test(algorithm string, wt *wycheproofTestAead) bool {
         return openSuccess && sealSuccess
 }
 
+func runEvpChaCha20Poly1305Test(ctx *C.EVP_CIPHER_CTX, algorithm string, wt *wycheproofTestAead) bool {
+        var aead *C.EVP_CIPHER
+        switch algorithm {
+        case "CHACHA20-POLY1305":
+                aead = C.EVP_chacha20_poly1305()
+        case "XCHACHA20-POLY1305":
+                return true
+        }
+
+        key, _ := mustDecodeHexString(wt.Key, "key")
+        iv, ivLen := mustDecodeHexString(wt.IV, "iv")
+        aad, aadLen := mustDecodeHexString(wt.AAD, "aad")
+        msg, msgLen := mustDecodeHexString(wt.Msg, "msg")
+
+        ct, err := hex.DecodeString(wt.CT)
+        if err != nil {
+                log.Fatalf("Failed to decode ct %q: %v", wt.CT, err)
+        }
+        tag, err := hex.DecodeString(wt.Tag)
+        if err != nil {
+                log.Fatalf("Failed to decode tag %q: %v", wt.Tag, err)
+        }
+        ctLen, tagLen := len(ct), len(tag)
+
+        if C.EVP_EncryptInit_ex(ctx, aead, nil, nil, nil) != 1 {
+                log.Fatal("Failed to initialize EVP_CIPHER_CTX with cipher")
+        }
+        if C.EVP_CIPHER_CTX_ctrl(ctx, C.EVP_CTRL_AEAD_SET_IVLEN, C.int(ivLen), nil) != 1 {
+                log.Fatal("Failed EVP_CTRL_AEAD_SET_IVLEN")
+        }
+        if C.EVP_EncryptInit_ex(ctx, nil, nil, (*C.uchar)(unsafe.Pointer(&key[0])), nil) != 1 {
+                log.Fatal("Failed EVP_EncryptInit_ex key")
+        }
+        if C.EVP_EncryptInit_ex(ctx, nil, nil, nil, (*C.uchar)(unsafe.Pointer(&iv[0]))) != 1 {
+                log.Fatal("Failed EVP_EncryptInit_ex iv")
+        }
+
+        var len C.int
+
+        if C.EVP_EncryptUpdate(ctx, nil, (*C.int)(unsafe.Pointer(&len)), (*C.uchar)(&aad[0]), (C.int)(aadLen)) != 1 {
+                log.Fatal("Failed EVP_EncryptUpdate aad")
+        }
+
+        sealed := make([]byte, ctLen + tagLen)
+        copy(sealed, msg)
+        if C.EVP_EncryptUpdate(ctx, (*C.uchar)(unsafe.Pointer(&sealed[0])), (*C.int)(unsafe.Pointer(&len)), (*C.uchar)(unsafe.Pointer(&sealed[0])), (C.int)(msgLen)) != 1 {
+                log.Fatal("Failed EVP_EncryptUpdate msg")
+        }
+        outLen := len
+        if C.EVP_EncryptFinal_ex(ctx, (*C.uchar)(unsafe.Pointer(&sealed[outLen])), (*C.int)(unsafe.Pointer(&len))) != 1 {
+                log.Fatal("Failed EVP_EncryptFinal msg")
+        }
+        outLen += len
+        if C.EVP_CIPHER_CTX_ctrl(ctx, C.EVP_CTRL_AEAD_GET_TAG, (C.int)(tagLen), unsafe.Pointer(&sealed[outLen])) != 1 {
+                log.Fatal("Failed EVP_CTRL_AEAD_GET_TAG")
+        }
+        outLen += (C.int)(tagLen)
+
+        if (C.int)(ctLen + tagLen) != outLen {
+                fmt.Printf("%s\n", wt)
+        }
+
+        sealSuccess := false
+        ctMatch := bytes.Equal(ct, sealed[:ctLen])
+        tagMatch := bytes.Equal(tag, sealed[ctLen:])
+        if (ctMatch && tagMatch) == (wt.Result != "invalid") {
+                sealSuccess = true
+        } else  {
+                fmt.Printf("%s - ct match: %t tag match: %t\n", wt, ctMatch, tagMatch)
+        }
+
+        if C.EVP_DecryptInit_ex(ctx, aead, nil, nil, nil) != 1 {
+                log.Fatal("Failed to initialize EVP_CIPHER_CTX with cipher")
+        }
+        if C.EVP_DecryptInit_ex(ctx, nil, nil, (*C.uchar)(unsafe.Pointer(&key[0])), nil) != 1 {
+                log.Fatal("Failed EVP_EncryptInit_ex key")
+        }
+
+        if C.EVP_CIPHER_CTX_ctrl(ctx, C.EVP_CTRL_AEAD_SET_IVLEN, C.int(ivLen), nil) != 1 {
+                log.Fatal("Failed EVP_CTRL_AEAD_SET_IVLEN")
+        }
+        if C.EVP_DecryptInit_ex(ctx, nil, nil, nil, (*C.uchar)(unsafe.Pointer(&iv[0]))) != 1 {
+                log.Fatal("Failed EVP_EncryptInit_ex iv")
+        }
+
+        if C.EVP_CIPHER_CTX_ctrl(ctx, C.EVP_CTRL_AEAD_SET_TAG, (C.int)(tagLen), unsafe.Pointer(&tag[0])) != 1 {
+                log.Fatal("Failed EVP_CTRL_AEAD_SET_TAG")
+        }
+
+        if ctLen == 0 {
+                ct = append(ct, 0)
+        }
+
+        opened := make([]byte, msgLen + tagLen)
+        copy(opened, ct)
+        if msgLen + aadLen == 0 {
+                opened = append(opened, 0)
+        }
+
+        if C.EVP_DecryptUpdate(ctx, nil, (*C.int)(unsafe.Pointer(&len)), (*C.uchar)(unsafe.Pointer(&aad[0])), C.int(aadLen)) != 1 {
+                log.Fatal("Failed EVP_EncryptUpdate msg")
+        }
+
+        if C.EVP_DecryptUpdate(ctx, (*C.uchar)(unsafe.Pointer(&opened[0])), (*C.int)(unsafe.Pointer(&len)), (*C.uchar)(unsafe.Pointer(&opened[0])), (C.int)(ctLen)) != 1 {
+                log.Fatal("Failed EVP_EncryptUpdate msg")
+        }
+        outLen = len
+
+        var ret C.int
+        if wt.Result != "invalid" {
+                ret = 1
+        }
+
+        if C.EVP_DecryptFinal_ex(ctx, (*C.uchar)(unsafe.Pointer(&opened[outLen])), (*C.int)(unsafe.Pointer(&len))) != ret {
+                log.Fatalf("Failed EVP_EncryptFinal msg %s\n", wt)
+        }
+        outLen += len
+
+        openSuccess := true
+        if (C.int)(msgLen) != outLen {
+                openSuccess = false
+                fmt.Printf("%s\n", wt)
+        }
+
+        if wt.Result != "invalid" && !bytes.Equal(opened[:outLen], msg[:msgLen]) {
+                fmt.Printf("failed %s\n", wt)
+                openSuccess = false
+        }
+
+        return sealSuccess && openSuccess
+}
+
 func (wtg *wycheproofTestGroupChaCha) run(algorithm string, variant testVariant) bool {
         // ChaCha20-Poly1305 currently only supports nonces of length 12 (96 bits)
         if algorithm == "CHACHA20-POLY1305" && wtg.IVSize != 96 {
@@ -1223,11 +1355,20 @@ func (wtg *wycheproofTestGroupChaCha) run(algorithm string, variant testVariant)
 
         fmt.Printf("Running %v test group %v with IV size %d, key size %d, tag size %d...\n", algorithm, wtg.Type, wtg.IVSize, wtg.KeySize, wtg.TagSize)
 
+        ctx := C.EVP_CIPHER_CTX_new()
+        if ctx == nil {
+                log.Fatal("EVP_CIPHER_CTX_new() failed")
+        }
+        defer C.EVP_CIPHER_CTX_free(ctx)
+
         success := true
         for _, wt := range wtg.Tests {
                 if !runChaCha20Poly1305Test(algorithm, wt) {
                         success = false
                 }
+                if !runEvpChaCha20Poly1305Test(ctx, algorithm, wt) {
+                        success = false
+                }
         }
         return success
 }