Fix decoders so that they use the passed in propq.

Fixes #21198

decoder objects were setting propq as NULL.
Added a set_ctx/settable_ctx to all decoders that should supply
a property query parameter to internal functions.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21219)

3 files changed, 137 insertions, 2 deletions

diff --git a/test/build.info b/test/build.info
index 57bf3cea63..d897f726a8 100644
--- a/test/build.info
+++ b/test/build.info
@@ -1071,6 +1071,11 @@ IF[{- !$disabled{tests} -}]
     DEPEND[endecoder_legacy_test]=../libcrypto.a libtestutil.a
   ENDIF
 
+  PROGRAMS{noinst}=decoder_propq_test
+  SOURCE[decoder_propq_test]=decoder_propq_test.c
+  INCLUDE[decoder_propq_test]=.. ../include ../apps/include
+  DEPEND[decoder_propq_test]=../libcrypto.a libtestutil.a
+
   PROGRAMS{noinst}=namemap_internal_test
   SOURCE[namemap_internal_test]=namemap_internal_test.c
   INCLUDE[namemap_internal_test]=.. ../include ../apps/include
diff --git a/test/decoder_propq_test.c b/test/decoder_propq_test.c
new file mode 100644
index 0000000000..aa374da74c
--- /dev/null
+++ b/test/decoder_propq_test.c
@@ -0,0 +1,119 @@
+/*
+ * Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/pem.h>
+#include <openssl/evp.h>
+#include "testutil.h"
+
+static OSSL_LIB_CTX *libctx = NULL;
+static OSSL_PROVIDER *nullprov = NULL;
+static OSSL_PROVIDER *libprov = NULL;
+static const char *filename = NULL;
+static pem_password_cb passcb;
+
+typedef enum OPTION_choice {
+    OPT_ERR = -1,
+    OPT_EOF = 0,
+    OPT_CONFIG_FILE,
+    OPT_PROVIDER_NAME,
+    OPT_TEST_ENUM
+} OPTION_CHOICE;
+
+const OPTIONS *test_get_options(void)
+{
+    static const OPTIONS test_options[] = {
+        OPT_TEST_OPTIONS_WITH_EXTRA_USAGE("file\n"),
+        { "config", OPT_CONFIG_FILE, '<',
+          "The configuration file to use for the libctx" },
+        { "provider", OPT_PROVIDER_NAME, 's',
+          "The provider to load (The default value is 'default')" },
+        { OPT_HELP_STR, 1, '-', "file\tFile to decode.\n" },
+        { NULL }
+    };
+    return test_options;
+}
+
+static int passcb(char *buf, int size, int rwflag, void *userdata)
+{
+    strcpy(buf, "pass");
+    return strlen(buf);
+}
+
+static int test_decode_nonfipsalg(void)
+{
+    int ret = 0;
+    EVP_PKEY *privkey = NULL;
+    BIO *bio = NULL;
+
+    /*
+     * Apply the "fips=true" property to all fetches for the libctx.
+     * We do this to test that we are using the propq override
+     */
+    EVP_default_properties_enable_fips(libctx, 1);
+
+    if (!TEST_ptr(bio = BIO_new_file(filename, "r")))
+        goto err;
+
+    /*
+     * If NULL is passed as the propq here it uses the global property "fips=true",
+     * Which we expect to fail if the decode uses a non FIPS algorithm
+     */
+    if (!TEST_ptr_null(PEM_read_bio_PrivateKey_ex(bio, &privkey, &passcb, NULL, libctx, NULL)))
+        goto err;
+
+    /*
+     * Pass if we override the libctx global prop query to optionally use fips=true
+     * This assumes that the libctx contains the default provider
+     */
+    if (!TEST_ptr_null(PEM_read_bio_PrivateKey_ex(bio, &privkey, &passcb, NULL, libctx, "?fips=true")))
+        goto err;
+
+    ret = 1;
+err:
+    BIO_free(bio);
+    EVP_PKEY_free(privkey);
+    return ret;
+}
+
+int setup_tests(void)
+{
+    const char *prov_name = "default";
+    char *config_file = NULL;
+    OPTION_CHOICE o;
+
+    while ((o = opt_next()) != OPT_EOF) {
+        switch (o) {
+        case OPT_PROVIDER_NAME:
+            prov_name = opt_arg();
+            break;
+        case OPT_CONFIG_FILE:
+            config_file = opt_arg();
+            break;
+        case OPT_TEST_CASES:
+           break;
+        default:
+        case OPT_ERR:
+            return 0;
+        }
+    }
+
+    filename = test_get_argument(0);
+    if (!test_get_libctx(&libctx, &nullprov, config_file, &libprov, prov_name))
+        return 0;
+
+    ADD_TEST(test_decode_nonfipsalg);
+    return 1;
+}
+
+void cleanup_tests(void)
+{
+    OSSL_PROVIDER_unload(libprov);
+    OSSL_LIB_CTX_free(libctx);
+    OSSL_PROVIDER_unload(nullprov);
+}
diff --git a/test/recipes/04-test_encoder_decoder.t b/test/recipes/04-test_encoder_decoder.t
index 19541610a9..817c95ee64 100644
--- a/test/recipes/04-test_encoder_decoder.t
+++ b/test/recipes/04-test_encoder_decoder.t
@@ -25,7 +25,7 @@ my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
 my $rsa_key = srctop_file("test", "certs", "ee-key.pem");
 my $pss_key = srctop_file("test", "certs", "ca-pss-key.pem");
 
-plan tests => ($no_fips ? 0 : 1) + 2;     # FIPS install test + test
+plan tests => ($no_fips ? 0 : 3) + 2;     # FIPS install test + test
 
 my $conf = srctop_file("test", "default.cnf");
 ok(run(test(["endecode_test", "-rsa", $rsa_key,
@@ -47,5 +47,16 @@ unless ($no_fips) {
                                   "-pss", $pss_key,
                                   "-config", $conf,
                                   "-provider", "fips"])));
-}
 
+    my $no_des = disabled("des");
+SKIP: {
+    skip "DES disabled", 2 if disabled("des");
+    ok(run(app([ 'openssl', 'genrsa', '-des3', '-out', 'epki.pem',
+                 '-passout', 'pass:pass' ])),
+       "rsa encrypt using a non fips algorithm");
+
+    my $conf2 = srctop_file("test", "default-and-fips.cnf");
+    ok(run(test(['decoder_propq_test', '-config', $conf2,
+                 '-provider', 'fips', 'epki.pem'])));
+}
+}