xref: /freebsd-10.1-release/contrib/apr-util/test/testcrypto.c

/* Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#include "testutil.h"
#include "apr.h"
#include "apu.h"
#include "apu_errno.h"
#include "apr_pools.h"
#include "apr_dso.h"
#include "apr_crypto.h"
#include "apr_strings.h"

#if APU_HAVE_CRYPTO

#define TEST_STRING "12345"
#define ALIGNED_STRING "123456789012345"

static const apr_crypto_driver_t *get_driver(abts_case *tc, apr_pool_t *pool,
        const char *name, const char *params)
{

    const apr_crypto_driver_t *driver = NULL;
    const apu_err_t *err = NULL;
    apr_status_t rv;

    rv = apr_crypto_init(pool);
    ABTS_ASSERT(tc, "failed to init apr_crypto", rv == APR_SUCCESS);

    rv = apr_crypto_get_driver(&driver, name, params, &err, pool);
    if (APR_SUCCESS != rv && err) {
        ABTS_NOT_IMPL(tc, err->msg);
        return NULL;
    }
    if (APR_ENOTIMPL == rv) {
        ABTS_NOT_IMPL(tc, (char *)driver);
        return NULL;
    }
    ABTS_ASSERT(tc, "failed to apr_crypto_get_driver", rv == APR_SUCCESS);
    ABTS_ASSERT(tc, "apr_crypto_get_driver returned NULL", driver != NULL);
    if (!driver || rv) {
        return NULL;
    }

    return driver;

}

static const apr_crypto_driver_t *get_nss_driver(abts_case *tc,
        apr_pool_t *pool)
{

    /* initialise NSS */
    return get_driver(tc, pool, "nss", "dir=data");

}

static const apr_crypto_driver_t *get_openssl_driver(abts_case *tc,
        apr_pool_t *pool)
{

    return get_driver(tc, pool, "openssl", NULL);

}

static apr_crypto_t *make(abts_case *tc, apr_pool_t *pool,
        const apr_crypto_driver_t *driver)
{

    apr_crypto_t *f = NULL;

    if (!driver) {
        return NULL;
    }

    /* get the context */
    apr_crypto_make(&f, driver, "engine=openssl", pool);
    ABTS_ASSERT(tc, "apr_crypto_make returned NULL", f != NULL);

    return f;

}

static const apr_crypto_key_t *passphrase(abts_case *tc, apr_pool_t *pool,
        const apr_crypto_driver_t *driver, const apr_crypto_t *f,
        apr_crypto_block_key_type_e type, apr_crypto_block_key_mode_e mode,
        int doPad, const char *description)
{

    apr_crypto_key_t *key = NULL;
    const apu_err_t *result = NULL;
    const char *pass = "secret";
    const char *salt = "salt";
    apr_status_t rv;

    if (!f) {
        return NULL;
    }

    /* init the passphrase */
    rv = apr_crypto_passphrase(&key, NULL, pass, strlen(pass),
            (unsigned char *) salt, strlen(salt), type, mode, doPad, 4096, f,
            pool);
    if (APR_ENOCIPHER == rv) {
        apr_crypto_error(&result, f);
        ABTS_NOT_IMPL(tc, apr_psprintf(pool,
                        "skipped: %s %s passphrase return APR_ENOCIPHER: error %d: %s (%s)\n",
                        description, apr_crypto_driver_name(driver), result->rc,
                        result->reason ? result->reason : "", result->msg ? result->msg : ""));
        return NULL;
    }
    else {
        if (APR_SUCCESS != rv) {
            apr_crypto_error(&result, f);
            fprintf(stderr, "passphrase: %s %s native error %d: %s (%s)\n",
                    description, apr_crypto_driver_name(driver), result->rc,
                    result->reason ? result->reason : "",
                    result->msg ? result->msg : "");
        }
        ABTS_ASSERT(tc, "apr_crypto_passphrase returned APR_ENOKEY", rv != APR_ENOKEY);
        ABTS_ASSERT(tc, "apr_crypto_passphrase returned APR_EPADDING", rv != APR_EPADDING);
        ABTS_ASSERT(tc, "apr_crypto_passphrase returned APR_EKEYTYPE", rv != APR_EKEYTYPE);
        ABTS_ASSERT(tc, "failed to apr_crypto_passphrase", rv == APR_SUCCESS);
        ABTS_ASSERT(tc, "apr_crypto_passphrase returned NULL context", key != NULL);
    }
    if (rv) {
        return NULL;
    }
    return key;

}

static unsigned char *encrypt_block(abts_case *tc, apr_pool_t *pool,
        const apr_crypto_driver_t *driver, const apr_crypto_t *f,
        const apr_crypto_key_t *key, const unsigned char *in,
        const apr_size_t inlen, unsigned char **cipherText,
        apr_size_t *cipherTextLen, const unsigned char **iv,
        apr_size_t *blockSize, const char *description)
{

    apr_crypto_block_t *block = NULL;
    const apu_err_t *result = NULL;
    apr_size_t len = 0;
    apr_status_t rv;

    if (!driver || !f || !key || !in) {
        return NULL;
    }

    /* init the encryption */
    rv = apr_crypto_block_encrypt_init(&block, iv, key, blockSize, pool);
    if (APR_ENOTIMPL == rv) {
        ABTS_NOT_IMPL(tc, "apr_crypto_block_encrypt_init returned APR_ENOTIMPL");
    }
    else {
        if (APR_SUCCESS != rv) {
            apr_crypto_error(&result, f);
            fprintf(stderr, "encrypt_init: %s %s native error %d: %s (%s)\n",
                    description, apr_crypto_driver_name(driver), result->rc,
                    result->reason ? result->reason : "",
                    result->msg ? result->msg : "");
        }
        ABTS_ASSERT(tc, "apr_crypto_block_encrypt_init returned APR_ENOKEY", rv != APR_ENOKEY);
        ABTS_ASSERT(tc, "apr_crypto_block_encrypt_init returned APR_ENOIV", rv != APR_ENOIV);
        ABTS_ASSERT(tc, "apr_crypto_block_encrypt_init returned APR_EKEYTYPE", rv != APR_EKEYTYPE);
        ABTS_ASSERT(tc, "apr_crypto_block_encrypt_init returned APR_EKEYLENGTH", rv != APR_EKEYLENGTH);
        ABTS_ASSERT(tc, "failed to apr_crypto_block_encrypt_init", rv == APR_SUCCESS);
        ABTS_ASSERT(tc, "apr_crypto_block_encrypt_init returned NULL context", block != NULL);
    }
    if (!block || rv) {
        return NULL;
    }

    /* encrypt the block */
    rv = apr_crypto_block_encrypt(cipherText, cipherTextLen, in, inlen, block);
    if (APR_SUCCESS != rv) {
        apr_crypto_error(&result, f);
        fprintf(stderr, "encrypt: %s %s native error %d: %s (%s)\n",
                description, apr_crypto_driver_name(driver), result->rc,
                result->reason ? result->reason : "", result->msg ? result->msg
                        : "");
    }
    ABTS_ASSERT(tc, "apr_crypto_block_encrypt returned APR_ECRYPT", rv != APR_ECRYPT);
    ABTS_ASSERT(tc, "failed to apr_crypto_block_encrypt", rv == APR_SUCCESS);
    ABTS_ASSERT(tc, "apr_crypto_block_encrypt failed to allocate buffer", *cipherText != NULL);
    if (rv) {
        return NULL;
    }

    /* finalise the encryption */
    rv = apr_crypto_block_encrypt_finish(*cipherText + *cipherTextLen, &len,
            block);
    if (APR_SUCCESS != rv) {
        apr_crypto_error(&result, f);
        fprintf(stderr, "encrypt_finish: %s %s native error %d: %s (%s)\n",
                description, apr_crypto_driver_name(driver), result->rc,
                result->reason ? result->reason : "", result->msg ? result->msg
                        : "");
    }
    ABTS_ASSERT(tc, "apr_crypto_block_encrypt_finish returned APR_ECRYPT", rv != APR_ECRYPT);
    ABTS_ASSERT(tc, "apr_crypto_block_encrypt_finish returned APR_EPADDING", rv != APR_EPADDING);
    ABTS_ASSERT(tc, "failed to apr_crypto_block_encrypt_finish", rv == APR_SUCCESS);
    *cipherTextLen += len;
    apr_crypto_block_cleanup(block);
    if (rv) {
        return NULL;
    }

    return *cipherText;

}

static unsigned char *decrypt_block(abts_case *tc, apr_pool_t *pool,
        const apr_crypto_driver_t *driver, const apr_crypto_t *f,
        const apr_crypto_key_t *key, unsigned char *cipherText,
        apr_size_t cipherTextLen, unsigned char **plainText,
        apr_size_t *plainTextLen, const unsigned char *iv,
        apr_size_t *blockSize, const char *description)
{

    apr_crypto_block_t *block = NULL;
    const apu_err_t *result = NULL;
    apr_size_t len = 0;
    apr_status_t rv;

    if (!driver || !f || !key || !cipherText) {
        return NULL;
    }

    /* init the decryption */
    rv = apr_crypto_block_decrypt_init(&block, blockSize, iv, key, pool);
    if (APR_ENOTIMPL == rv) {
        ABTS_NOT_IMPL(tc, "apr_crypto_block_decrypt_init returned APR_ENOTIMPL");
    }
    else {
        if (APR_SUCCESS != rv) {
            apr_crypto_error(&result, f);
            fprintf(stderr, "decrypt_init: %s %s native error %d: %s (%s)\n",
                    description, apr_crypto_driver_name(driver), result->rc,
                    result->reason ? result->reason : "",
                    result->msg ? result->msg : "");
        }
        ABTS_ASSERT(tc, "apr_crypto_block_decrypt_init returned APR_ENOKEY", rv != APR_ENOKEY);
        ABTS_ASSERT(tc, "apr_crypto_block_decrypt_init returned APR_ENOIV", rv != APR_ENOIV);
        ABTS_ASSERT(tc, "apr_crypto_block_decrypt_init returned APR_EKEYTYPE", rv != APR_EKEYTYPE);
        ABTS_ASSERT(tc, "apr_crypto_block_decrypt_init returned APR_EKEYLENGTH", rv != APR_EKEYLENGTH);
        ABTS_ASSERT(tc, "failed to apr_crypto_block_decrypt_init", rv == APR_SUCCESS);
        ABTS_ASSERT(tc, "apr_crypto_block_decrypt_init returned NULL context", block != NULL);
    }
    if (!block || rv) {
        return NULL;
    }

    /* decrypt the block */
    rv = apr_crypto_block_decrypt(plainText, plainTextLen, cipherText,
            cipherTextLen, block);
    if (APR_SUCCESS != rv) {
        apr_crypto_error(&result, f);
        fprintf(stderr, "decrypt: %s %s native error %d: %s (%s)\n",
                description, apr_crypto_driver_name(driver), result->rc,
                result->reason ? result->reason : "", result->msg ? result->msg
                        : "");
    }
    ABTS_ASSERT(tc, "apr_crypto_block_decrypt returned APR_ECRYPT", rv != APR_ECRYPT);
    ABTS_ASSERT(tc, "failed to apr_crypto_block_decrypt", rv == APR_SUCCESS);
    ABTS_ASSERT(tc, "apr_crypto_block_decrypt failed to allocate buffer", *plainText != NULL);
    if (rv) {
        return NULL;
    }

    /* finalise the decryption */
    rv = apr_crypto_block_decrypt_finish(*plainText + *plainTextLen, &len,
            block);
    if (APR_SUCCESS != rv) {
        apr_crypto_error(&result, f);
        fprintf(stderr, "decrypt_finish: %s %s native error %d: %s (%s)\n",
                description, apr_crypto_driver_name(driver), result->rc,
                result->reason ? result->reason : "", result->msg ? result->msg
                        : "");
    }
    ABTS_ASSERT(tc, "apr_crypto_block_decrypt_finish returned APR_ECRYPT", rv != APR_ECRYPT);
    ABTS_ASSERT(tc, "apr_crypto_block_decrypt_finish returned APR_EPADDING", rv != APR_EPADDING);
    ABTS_ASSERT(tc, "failed to apr_crypto_block_decrypt_finish", rv == APR_SUCCESS);
    if (rv) {
        return NULL;
    }

    *plainTextLen += len;
    apr_crypto_block_cleanup(block);

    return *plainText;

}

/**
 * Interoperability test.
 *
 * data must point at an array of two driver structures. Data will be encrypted
 * with the first driver, and decrypted with the second.
 *
 * If the two drivers interoperate, the test passes.
 */
static void crypto_block_cross(abts_case *tc, apr_pool_t *pool,
        const apr_crypto_driver_t **drivers,
        const apr_crypto_block_key_type_e type,
        const apr_crypto_block_key_mode_e mode, int doPad,
        const unsigned char *in, apr_size_t inlen, const char *description)
{
    const apr_crypto_driver_t *driver1 = drivers[0];
    const apr_crypto_driver_t *driver2 = drivers[1];
    apr_crypto_t *f1 = NULL;
    apr_crypto_t *f2 = NULL;
    const apr_crypto_key_t *key1 = NULL;
    const apr_crypto_key_t *key2 = NULL;

    unsigned char *cipherText = NULL;
    apr_size_t cipherTextLen = 0;
    unsigned char *plainText = NULL;
    apr_size_t plainTextLen = 0;
    const unsigned char *iv = NULL;
    apr_size_t blockSize = 0;

    f1 = make(tc, pool, driver1);
    f2 = make(tc, pool, driver2);
    key1 = passphrase(tc, pool, driver1, f1, type, mode, doPad, description);
    key2 = passphrase(tc, pool, driver2, f2, type, mode, doPad, description);

    cipherText = encrypt_block(tc, pool, driver1, f1, key1, in, inlen,
            &cipherText, &cipherTextLen, &iv, &blockSize, description);
    plainText = decrypt_block(tc, pool, driver2, f2, key2, cipherText,
            cipherTextLen, &plainText, &plainTextLen, iv, &blockSize,
            description);

    if (cipherText && plainText) {
        if (memcmp(in, plainText, inlen)) {
            fprintf(stderr, "cross mismatch: %s %s/%s\n", description,
                    apr_crypto_driver_name(driver1), apr_crypto_driver_name(
                            driver2));
        }
        ABTS_STR_EQUAL(tc, (char *)in, (char *)plainText);
    }

}

/**
 * Test initialisation.
 */
static void test_crypto_init(abts_case *tc, void *data)
{
    apr_pool_t *pool = NULL;
    apr_status_t rv;

    apr_pool_create(&pool, NULL);

    rv = apr_crypto_init(pool);
    ABTS_ASSERT(tc, "failed to init apr_crypto", rv == APR_SUCCESS);

    apr_pool_destroy(pool);

}

/**
 * Simple test of OpenSSL block crypt.
 */
static void test_crypto_block_openssl(abts_case *tc, void *data)
{
    apr_pool_t *pool = NULL;
    const apr_crypto_driver_t *drivers[] = { NULL, NULL };

    const unsigned char *in = (const unsigned char *) ALIGNED_STRING;
    apr_size_t inlen = sizeof(ALIGNED_STRING);

    apr_pool_create(&pool, NULL);
    drivers[0] = get_openssl_driver(tc, pool);
    drivers[1] = get_openssl_driver(tc, pool);
    crypto_block_cross(tc, pool, drivers, APR_KEY_3DES_192, APR_MODE_CBC, 0,
            in, inlen, "KEY_3DES_192/MODE_CBC");
    crypto_block_cross(tc, pool, drivers, APR_KEY_3DES_192, APR_MODE_ECB, 0,
            in, inlen, "KEY_3DES_192/MODE_ECB");
    crypto_block_cross(tc, pool, drivers, APR_KEY_AES_256, APR_MODE_CBC, 0, in,
            inlen, "KEY_AES_256/MODE_CBC");
    crypto_block_cross(tc, pool, drivers, APR_KEY_AES_256, APR_MODE_ECB, 0, in,
            inlen, "KEY_AES_256/MODE_ECB");
    crypto_block_cross(tc, pool, drivers, APR_KEY_AES_192, APR_MODE_CBC, 0, in,
            inlen, "KEY_AES_192/MODE_CBC");
    crypto_block_cross(tc, pool, drivers, APR_KEY_AES_192, APR_MODE_ECB, 0, in,
            inlen, "KEY_AES_192/MODE_ECB");
    crypto_block_cross(tc, pool, drivers, APR_KEY_AES_128, APR_MODE_CBC, 0, in,
            inlen, "KEY_AES_128/MODE_CBC");
    crypto_block_cross(tc, pool, drivers, APR_KEY_AES_128, APR_MODE_ECB, 0, in,
            inlen, "KEY_AES_128/MODE_ECB");
    apr_pool_destroy(pool);

}

/**
 * Simple test of NSS block crypt.
 */
static void test_crypto_block_nss(abts_case *tc, void *data)
{
    apr_pool_t *pool = NULL;
    const apr_crypto_driver_t *drivers[] = { NULL, NULL };

    const unsigned char *in = (const unsigned char *) ALIGNED_STRING;
    apr_size_t inlen = sizeof(ALIGNED_STRING);

    apr_pool_create(&pool, NULL);
    drivers[0] = get_nss_driver(tc, pool);
    drivers[1] = get_nss_driver(tc, pool);
    crypto_block_cross(tc, pool, drivers, APR_KEY_3DES_192, APR_MODE_CBC, 0,
            in, inlen, "KEY_3DES_192/MODE_CBC");
    /* KEY_3DES_192 / MODE_ECB doesn't work on NSS */
    /* crypto_block_cross(tc, pool, drivers, KEY_3DES_192, MODE_ECB, 0, in, inlen, "KEY_3DES_192/MODE_ECB"); */
    crypto_block_cross(tc, pool, drivers, APR_KEY_AES_256, APR_MODE_CBC, 0, in,
            inlen, "KEY_AES_256/MODE_CBC");
    crypto_block_cross(tc, pool, drivers, APR_KEY_AES_256, APR_MODE_ECB, 0, in,
            inlen, "KEY_AES_256/MODE_ECB");
    crypto_block_cross(tc, pool, drivers, APR_KEY_AES_192, APR_MODE_CBC, 0, in,
            inlen, "KEY_AES_192/MODE_CBC");
    crypto_block_cross(tc, pool, drivers, APR_KEY_AES_192, APR_MODE_ECB, 0, in,
            inlen, "KEY_AES_192/MODE_ECB");
    crypto_block_cross(tc, pool, drivers, APR_KEY_AES_128, APR_MODE_CBC, 0, in,
            inlen, "KEY_AES_128/MODE_CBC");
    crypto_block_cross(tc, pool, drivers, APR_KEY_AES_128, APR_MODE_ECB, 0, in,
            inlen, "KEY_AES_128/MODE_ECB");
    apr_pool_destroy(pool);

}

/**
 * Encrypt NSS, decrypt OpenSSL.
 */
static void test_crypto_block_nss_openssl(abts_case *tc, void *data)
{
    apr_pool_t *pool = NULL;
    const apr_crypto_driver_t *drivers[] = { NULL, NULL };

    const unsigned char *in = (const unsigned char *) ALIGNED_STRING;
    apr_size_t inlen = sizeof(ALIGNED_STRING);

    apr_pool_create(&pool, NULL);
    drivers[0] = get_nss_driver(tc, pool);
    drivers[1] = get_openssl_driver(tc, pool);

    crypto_block_cross(tc, pool, drivers, APR_KEY_3DES_192, APR_MODE_CBC, 0,
            in, inlen, "KEY_3DES_192/MODE_CBC");

    /* KEY_3DES_192 / MODE_ECB doesn't work on NSS */
    /* crypto_block_cross(tc, pool, drivers, KEY_3DES_192, MODE_ECB, 0, in, inlen, "KEY_3DES_192/MODE_ECB"); */
    crypto_block_cross(tc, pool, drivers, APR_KEY_AES_256, APR_MODE_CBC, 0, in,
            inlen, "KEY_AES_256/MODE_CBC");
    crypto_block_cross(tc, pool, drivers, APR_KEY_AES_256, APR_MODE_ECB, 0, in,
            inlen, "KEY_AES_256/MODE_ECB");

    /* all 4 of these tests fail to interoperate - a clue from the xml-security code is that
     * NSS cannot distinguish between the 128 and 192 bit versions of AES. Will need to be
     * investigated.
     */
    /*
     crypto_block_cross(tc, pool, drivers, KEY_AES_192, MODE_CBC, 0, in, inlen, "KEY_AES_192/MODE_CBC");
     crypto_block_cross(tc, pool, drivers, KEY_AES_192, MODE_ECB, 0, in, inlen, "KEY_AES_192/MODE_ECB");
     crypto_block_cross(tc, pool, drivers, KEY_AES_128, MODE_CBC, 0, in, inlen, "KEY_AES_128/MODE_CBC");
     crypto_block_cross(tc, pool, drivers, KEY_AES_128, MODE_ECB, 0, in, inlen, "KEY_AES_128/MODE_ECB");
     */
    apr_pool_destroy(pool);

}

/**
 * Encrypt OpenSSL, decrypt NSS.
 */
static void test_crypto_block_openssl_nss(abts_case *tc, void *data)
{
    apr_pool_t *pool = NULL;
    const apr_crypto_driver_t *drivers[] = { NULL, NULL };

    const unsigned char *in = (const unsigned char *) ALIGNED_STRING;
    apr_size_t inlen = sizeof(ALIGNED_STRING);

    apr_pool_create(&pool, NULL);
    drivers[0] = get_openssl_driver(tc, pool);
    drivers[1] = get_nss_driver(tc, pool);
    crypto_block_cross(tc, pool, drivers, APR_KEY_3DES_192, APR_MODE_CBC, 0,
            in, inlen, "KEY_3DES_192/MODE_CBC");

    /* KEY_3DES_192 / MODE_ECB doesn't work on NSS */
    /* crypto_block_cross(tc, pool, drivers, KEY_3DES_192, MODE_ECB, 0, in, inlen, "KEY_3DES_192/MODE_ECB"); */

    crypto_block_cross(tc, pool, drivers, APR_KEY_AES_256, APR_MODE_CBC, 0, in,
            inlen, "KEY_AES_256/MODE_CBC");
    crypto_block_cross(tc, pool, drivers, APR_KEY_AES_256, APR_MODE_ECB, 0, in,
            inlen, "KEY_AES_256/MODE_ECB");

    /* all 4 of these tests fail to interoperate - a clue from the xml-security code is that
     * NSS cannot distinguish between the 128 and 192 bit versions of AES. Will need to be
     * investigated.
     */
    /*
     crypto_block_cross(tc, pool, drivers, KEY_AES_192, MODE_CBC, 0, in, inlen, "KEY_AES_192/MODE_CBC");
     crypto_block_cross(tc, pool, drivers, KEY_AES_192, MODE_ECB, 0, in, inlen, "KEY_AES_192/MODE_ECB");
     crypto_block_cross(tc, pool, drivers, KEY_AES_128, MODE_CBC, 0, in, inlen, "KEY_AES_128/MODE_CBC");
     crypto_block_cross(tc, pool, drivers, KEY_AES_128, MODE_ECB, 0, in, inlen, "KEY_AES_128/MODE_ECB");
     */
    apr_pool_destroy(pool);

}

/**
 * Simple test of OpenSSL block crypt.
 */
static void test_crypto_block_openssl_pad(abts_case *tc, void *data)
{
    apr_pool_t *pool = NULL;
    const apr_crypto_driver_t *drivers[] = { NULL, NULL };

    const unsigned char *in = (const unsigned char *) TEST_STRING;
    apr_size_t inlen = sizeof(TEST_STRING);

    apr_pool_create(&pool, NULL);
    drivers[0] = get_openssl_driver(tc, pool);
    drivers[1] = get_openssl_driver(tc, pool);

    crypto_block_cross(tc, pool, drivers, APR_KEY_3DES_192, APR_MODE_CBC, 1,
            in, inlen, "KEY_3DES_192/MODE_CBC");
    crypto_block_cross(tc, pool, drivers, APR_KEY_3DES_192, APR_MODE_ECB, 1,
            in, inlen, "KEY_3DES_192/MODE_ECB");
    crypto_block_cross(tc, pool, drivers, APR_KEY_AES_256, APR_MODE_CBC, 1, in,
            inlen, "KEY_AES_256/MODE_CBC");
    crypto_block_cross(tc, pool, drivers, APR_KEY_AES_256, APR_MODE_ECB, 1, in,
            inlen, "KEY_AES_256/MODE_ECB");
    crypto_block_cross(tc, pool, drivers, APR_KEY_AES_192, APR_MODE_CBC, 1, in,
            inlen, "KEY_AES_192/MODE_CBC");
    crypto_block_cross(tc, pool, drivers, APR_KEY_AES_192, APR_MODE_ECB, 1, in,
            inlen, "KEY_AES_192/MODE_ECB");
    crypto_block_cross(tc, pool, drivers, APR_KEY_AES_128, APR_MODE_CBC, 1, in,
            inlen, "KEY_AES_128/MODE_CBC");
    crypto_block_cross(tc, pool, drivers, APR_KEY_AES_128, APR_MODE_ECB, 1, in,
            inlen, "KEY_AES_128/MODE_ECB");

    apr_pool_destroy(pool);

}

/**
 * Simple test of NSS block crypt.
 */
static void test_crypto_block_nss_pad(abts_case *tc, void *data)
{
    apr_pool_t *pool = NULL;
    const apr_crypto_driver_t *drivers[] =
    { NULL, NULL };

    const unsigned char *in = (const unsigned char *) TEST_STRING;
    apr_size_t inlen = sizeof(TEST_STRING);

    apr_pool_create(&pool, NULL);
    drivers[0] = get_nss_driver(tc, pool);
    drivers[1] = get_nss_driver(tc, pool);

    crypto_block_cross(tc, pool, drivers, APR_KEY_3DES_192, APR_MODE_CBC, 1,
            in, inlen, "KEY_3DES_192/MODE_CBC");
    /* KEY_3DES_192 / MODE_ECB doesn't work on NSS */
    /* crypto_block_cross(tc, pool, drivers, KEY_3DES_192, MODE_ECB, 1, in, inlen, "KEY_3DES_192/MODE_ECB"); */

    crypto_block_cross(tc, pool, drivers, APR_KEY_AES_256, APR_MODE_CBC, 1, in,
            inlen, "KEY_AES_256/MODE_CBC");

    /* KEY_AES_256 / MODE_ECB doesn't support padding on NSS */
    /*crypto_block_cross(tc, pool, drivers, KEY_AES_256, MODE_ECB, 1, in, inlen, "KEY_AES_256/MODE_ECB");*/

    crypto_block_cross(tc, pool, drivers, APR_KEY_AES_192, APR_MODE_CBC, 1, in,
            inlen, "KEY_AES_192/MODE_CBC");

    /* KEY_AES_256 / MODE_ECB doesn't support padding on NSS */
    /*crypto_block_cross(tc, pool, drivers, KEY_AES_192, MODE_ECB, 1, in, inlen, "KEY_AES_192/MODE_ECB");*/

    crypto_block_cross(tc, pool, drivers, APR_KEY_AES_128, APR_MODE_CBC, 1, in,
            inlen, "KEY_AES_128/MODE_CBC");

    /* KEY_AES_256 / MODE_ECB doesn't support padding on NSS */
    /*crypto_block_cross(tc, pool, drivers, KEY_AES_128, MODE_ECB, 1, in, inlen, "KEY_AES_128/MODE_ECB");*/

    apr_pool_destroy(pool);

}

/**
 * Encrypt NSS, decrypt OpenSSL.
 */
static void test_crypto_block_nss_openssl_pad(abts_case *tc, void *data)
{
    apr_pool_t *pool = NULL;
    const apr_crypto_driver_t *drivers[] = { NULL, NULL };

    const unsigned char *in = (const unsigned char *) TEST_STRING;
    apr_size_t inlen = sizeof(TEST_STRING);

    apr_pool_create(&pool, NULL);
    drivers[0] = get_nss_driver(tc, pool);
    drivers[1] = get_openssl_driver(tc, pool);

    crypto_block_cross(tc, pool, drivers, APR_KEY_3DES_192, APR_MODE_CBC, 1,
            in, inlen, "KEY_3DES_192/MODE_CBC");

    /* KEY_3DES_192 / MODE_ECB doesn't work on NSS */
    /* crypto_block_cross(tc, pool, drivers, KEY_3DES_192, MODE_ECB, 1, in, inlen, "KEY_3DES_192/MODE_ECB"); */

    crypto_block_cross(tc, pool, drivers, APR_KEY_AES_256, APR_MODE_CBC, 1, in,
            inlen, "KEY_AES_256/MODE_CBC");

    /* KEY_AES_256 / MODE_ECB doesn't support padding on NSS */
    /*crypto_block_cross(tc, pool, drivers, KEY_AES_256, MODE_ECB, 1, in, inlen, "KEY_AES_256/MODE_ECB");*/

    /* all 4 of these tests fail to interoperate - a clue from the xml-security code is that
     * NSS cannot distinguish between the 128 and 192 bit versions of AES. Will need to be
     * investigated.
     */
    /*
     crypto_block_cross(tc, pool, drivers, KEY_AES_192, MODE_CBC, 1, in, inlen, "KEY_AES_192/MODE_CBC");
     crypto_block_cross(tc, pool, drivers, KEY_AES_192, MODE_ECB, 1, in, inlen, "KEY_AES_192/MODE_ECB");
     crypto_block_cross(tc, pool, drivers, KEY_AES_128, MODE_CBC, 1, in, inlen, "KEY_AES_128/MODE_CBC");
     crypto_block_cross(tc, pool, drivers, KEY_AES_128, MODE_ECB, 1, in, inlen, "KEY_AES_128/MODE_ECB");
     */
    apr_pool_destroy(pool);

}

/**
 * Encrypt OpenSSL, decrypt NSS.
 */
static void test_crypto_block_openssl_nss_pad(abts_case *tc, void *data)
{
    apr_pool_t *pool = NULL;
    const apr_crypto_driver_t *drivers[] = { NULL, NULL };

    const unsigned char *in = (const unsigned char *) TEST_STRING;
    apr_size_t inlen = sizeof(TEST_STRING);

    apr_pool_create(&pool, NULL);
    drivers[0] = get_openssl_driver(tc, pool);
    drivers[1] = get_nss_driver(tc, pool);
    crypto_block_cross(tc, pool, drivers, APR_KEY_3DES_192, APR_MODE_CBC, 1,
            in, inlen, "KEY_3DES_192/MODE_CBC");

    /* KEY_3DES_192 / MODE_ECB doesn't work on NSS */
    /* crypto_block_cross(tc, pool, drivers, KEY_3DES_192, MODE_ECB, 1, in, inlen, "KEY_3DES_192/MODE_ECB"); */

    crypto_block_cross(tc, pool, drivers, APR_KEY_AES_256, APR_MODE_CBC, 1, in,
            inlen, "KEY_AES_256/MODE_CBC");

    /* KEY_AES_256 / MODE_ECB doesn't support padding on NSS */
    /*crypto_block_cross(tc, pool, drivers, KEY_AES_256, MODE_ECB, 1, in, inlen, "KEY_AES_256/MODE_ECB");*/

    /* all 4 of these tests fail to interoperate - a clue from the xml-security code is that
     * NSS cannot distinguish between the 128 and 192 bit versions of AES. Will need to be
     * investigated.
     */
    /*
     crypto_block_cross(tc, pool, drivers, KEY_AES_192, MODE_CBC, 1, in, inlen, "KEY_AES_192/MODE_CBC");
     crypto_block_cross(tc, pool, drivers, KEY_AES_192, MODE_ECB, 1, in, inlen, "KEY_AES_192/MODE_ECB");
     crypto_block_cross(tc, pool, drivers, KEY_AES_128, MODE_CBC, 1, in, inlen, "KEY_AES_128/MODE_CBC");
     crypto_block_cross(tc, pool, drivers, KEY_AES_128, MODE_ECB, 1, in, inlen, "KEY_AES_128/MODE_ECB");
     */
    apr_pool_destroy(pool);

}

/**
 * Get Types, OpenSSL.
 */
static void test_crypto_get_block_key_types_openssl(abts_case *tc, void *data)
{
    apr_pool_t *pool = NULL;
    const apr_crypto_driver_t *driver;
    apr_crypto_t *f;
    apr_hash_t *types;
    int *key_3des_192;
    int *key_aes_128;
    int *key_aes_192;
    int *key_aes_256;

    apr_pool_create(&pool, NULL);
    driver = get_openssl_driver(tc, pool);
    if (driver) {

        f = make(tc, pool, driver);
        apr_crypto_get_block_key_types(&types, f);

        key_3des_192 = apr_hash_get(types, "3des192", APR_HASH_KEY_STRING);
        ABTS_PTR_NOTNULL(tc, key_3des_192);
        ABTS_INT_EQUAL(tc, *key_3des_192, APR_KEY_3DES_192);

        key_aes_128 = apr_hash_get(types, "aes128", APR_HASH_KEY_STRING);
        ABTS_PTR_NOTNULL(tc, key_aes_128);
        ABTS_INT_EQUAL(tc, *key_aes_128, APR_KEY_AES_128);

        key_aes_192 = apr_hash_get(types, "aes192", APR_HASH_KEY_STRING);
        ABTS_PTR_NOTNULL(tc, key_aes_192);
        ABTS_INT_EQUAL(tc, *key_aes_192, APR_KEY_AES_192);

        key_aes_256 = apr_hash_get(types, "aes256", APR_HASH_KEY_STRING);
        ABTS_PTR_NOTNULL(tc, key_aes_256);
        ABTS_INT_EQUAL(tc, *key_aes_256, APR_KEY_AES_256);

    }

    apr_pool_destroy(pool);

}

/**
 * Get Types, NSS.
 */
static void test_crypto_get_block_key_types_nss(abts_case *tc, void *data)
{
    apr_pool_t *pool = NULL;
    const apr_crypto_driver_t *driver;
    apr_crypto_t *f;
    apr_hash_t *types;
    int *key_3des_192;
    int *key_aes_128;
    int *key_aes_192;
    int *key_aes_256;

    apr_pool_create(&pool, NULL);
    driver = get_nss_driver(tc, pool);
    if (driver) {

        f = make(tc, pool, driver);
        apr_crypto_get_block_key_types(&types, f);

        key_3des_192 = apr_hash_get(types, "3des192", APR_HASH_KEY_STRING);
        ABTS_PTR_NOTNULL(tc, key_3des_192);
        ABTS_INT_EQUAL(tc, *key_3des_192, APR_KEY_3DES_192);

        key_aes_128 = apr_hash_get(types, "aes128", APR_HASH_KEY_STRING);
        ABTS_PTR_NOTNULL(tc, key_aes_128);
        ABTS_INT_EQUAL(tc, *key_aes_128, APR_KEY_AES_128);

        key_aes_192 = apr_hash_get(types, "aes192", APR_HASH_KEY_STRING);
        ABTS_PTR_NOTNULL(tc, key_aes_192);
        ABTS_INT_EQUAL(tc, *key_aes_192, APR_KEY_AES_192);

        key_aes_256 = apr_hash_get(types, "aes256", APR_HASH_KEY_STRING);
        ABTS_PTR_NOTNULL(tc, key_aes_256);
        ABTS_INT_EQUAL(tc, *key_aes_256, APR_KEY_AES_256);

    }

    apr_pool_destroy(pool);

}

/**
 * Get Modes, OpenSSL.
 */
static void test_crypto_get_block_key_modes_openssl(abts_case *tc, void *data)
{
    apr_pool_t *pool = NULL;
    const apr_crypto_driver_t *driver;
    apr_crypto_t *f;
    apr_hash_t *modes;
    int *mode_ecb;
    int *mode_cbc;

    apr_pool_create(&pool, NULL);
    driver = get_openssl_driver(tc, pool);
    if (driver) {

        f = make(tc, pool, driver);
        apr_crypto_get_block_key_modes(&modes, f);

        mode_ecb = apr_hash_get(modes, "ecb", APR_HASH_KEY_STRING);
        ABTS_PTR_NOTNULL(tc, mode_ecb);
        ABTS_INT_EQUAL(tc, *mode_ecb, APR_MODE_ECB);

        mode_cbc = apr_hash_get(modes, "cbc", APR_HASH_KEY_STRING);
        ABTS_PTR_NOTNULL(tc, mode_cbc);
        ABTS_INT_EQUAL(tc, *mode_cbc, APR_MODE_CBC);

    }

    apr_pool_destroy(pool);

}

/**
 * Get Modes, NSS.
 */
static void test_crypto_get_block_key_modes_nss(abts_case *tc, void *data)
{
    apr_pool_t *pool = NULL;
    const apr_crypto_driver_t *driver;
    apr_crypto_t *f;
    apr_hash_t *modes;
    int *mode_ecb;
    int *mode_cbc;

    apr_pool_create(&pool, NULL);
    driver = get_nss_driver(tc, pool);
    if (driver) {

        f = make(tc, pool, driver);
        apr_crypto_get_block_key_modes(&modes, f);

        mode_ecb = apr_hash_get(modes, "ecb", APR_HASH_KEY_STRING);
        ABTS_PTR_NOTNULL(tc, mode_ecb);
        ABTS_INT_EQUAL(tc, *mode_ecb, APR_MODE_ECB);

        mode_cbc = apr_hash_get(modes, "cbc", APR_HASH_KEY_STRING);
        ABTS_PTR_NOTNULL(tc, mode_cbc);
        ABTS_INT_EQUAL(tc, *mode_cbc, APR_MODE_CBC);

    }

    apr_pool_destroy(pool);

}

abts_suite *testcrypto(abts_suite *suite)
{
    suite = ADD_SUITE(suite);

    /* test simple init and shutdown */
    abts_run_test(suite, test_crypto_init, NULL);

    /* test a simple encrypt / decrypt operation - openssl */
    abts_run_test(suite, test_crypto_block_openssl, NULL);

    /* test a padded encrypt / decrypt operation - openssl */
    abts_run_test(suite, test_crypto_block_openssl_pad, NULL);

    /* test a simple encrypt / decrypt operation - nss */
    abts_run_test(suite, test_crypto_block_nss, NULL);

    /* test a padded encrypt / decrypt operation - nss */
    abts_run_test(suite, test_crypto_block_nss_pad, NULL);

    /* test encrypt nss / decrypt openssl */
    abts_run_test(suite, test_crypto_block_nss_openssl, NULL);

    /* test padded encrypt nss / decrypt openssl */
    abts_run_test(suite, test_crypto_block_nss_openssl_pad, NULL);

    /* test encrypt openssl / decrypt nss */
    abts_run_test(suite, test_crypto_block_openssl_nss, NULL);

    /* test padded encrypt openssl / decrypt nss */
    abts_run_test(suite, test_crypto_block_openssl_nss_pad, NULL);

    /* test block key types openssl */
    abts_run_test(suite, test_crypto_get_block_key_types_openssl, NULL);

    /* test block key types nss */
    abts_run_test(suite, test_crypto_get_block_key_types_nss, NULL);

    /* test block key modes openssl */
    abts_run_test(suite, test_crypto_get_block_key_modes_openssl, NULL);

    /* test block key modes nss */
    abts_run_test(suite, test_crypto_get_block_key_modes_nss, NULL);

    return suite;
}

#else

/**
 * Dummy test suite when crypto is turned off.
 */
abts_suite *testcrypto(abts_suite *suite)
{
    return ADD_SUITE(suite);
}

#endif /* APU_HAVE_CRYPTO */