2 * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright (c) 2018-2020, Oracle and/or its affiliates. All rights reserved.
5 * Licensed under the Apache License 2.0 (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
11 /* Tests of the EVP_KDF_CTX APIs */
16 #include <openssl/evp.h>
17 #include <openssl/kdf.h>
18 #include <openssl/core_names.h>
19 #include "internal/numbers.h"
22 static EVP_KDF_CTX *get_kdfbyname(const char *name)
24 EVP_KDF *kdf = EVP_KDF_fetch(NULL, name, NULL);
25 EVP_KDF_CTX *kctx = EVP_KDF_CTX_new(kdf);
31 static OSSL_PARAM *construct_tls1_prf_params(const char *digest, const char *secret,
34 OSSL_PARAM *params = OPENSSL_malloc(sizeof(OSSL_PARAM) * 4);
35 OSSL_PARAM *p = params;
40 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
42 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SECRET,
43 (unsigned char *)secret,
45 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED,
46 (unsigned char *)seed,
48 *p = OSSL_PARAM_construct_end();
53 static int test_kdf_tls1_prf(void)
56 EVP_KDF_CTX *kctx = NULL;
57 unsigned char out[16];
59 static const unsigned char expected[sizeof(out)] = {
60 0x8e, 0x4d, 0x93, 0x25, 0x30, 0xd7, 0x65, 0xa0,
61 0xaa, 0xe9, 0x74, 0xc3, 0x04, 0x73, 0x5e, 0xcc
64 params = construct_tls1_prf_params("sha256", "secret", "seed");
66 ret = TEST_ptr(params)
67 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
68 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
69 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
71 EVP_KDF_CTX_free(kctx);
76 static int test_kdf_tls1_prf_invalid_digest(void)
79 EVP_KDF_CTX *kctx = NULL;
82 params = construct_tls1_prf_params("blah", "secret", "seed");
84 ret = TEST_ptr(params)
85 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
86 && TEST_false(EVP_KDF_CTX_set_params(kctx, params));
88 EVP_KDF_CTX_free(kctx);
93 static int test_kdf_tls1_prf_zero_output_size(void)
96 EVP_KDF_CTX *kctx = NULL;
97 unsigned char out[16];
100 params = construct_tls1_prf_params("sha256", "secret", "seed");
102 /* Negative test - derive should fail */
103 ret = TEST_ptr(params)
104 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
105 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
106 && TEST_int_eq(EVP_KDF_derive(kctx, out, 0, NULL), 0);
108 EVP_KDF_CTX_free(kctx);
109 OPENSSL_free(params);
113 static int test_kdf_tls1_prf_empty_secret(void)
116 EVP_KDF_CTX *kctx = NULL;
117 unsigned char out[16];
120 params = construct_tls1_prf_params("sha256", "", "seed");
122 ret = TEST_ptr(params)
123 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
124 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0);
126 EVP_KDF_CTX_free(kctx);
127 OPENSSL_free(params);
131 static int test_kdf_tls1_prf_1byte_secret(void)
134 EVP_KDF_CTX *kctx = NULL;
135 unsigned char out[16];
138 params = construct_tls1_prf_params("sha256", "1", "seed");
140 ret = TEST_ptr(params)
141 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
142 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0);
144 EVP_KDF_CTX_free(kctx);
145 OPENSSL_free(params);
149 static int test_kdf_tls1_prf_empty_seed(void)
152 EVP_KDF_CTX *kctx = NULL;
153 unsigned char out[16];
156 params = construct_tls1_prf_params("sha256", "secret", "");
158 /* Negative test - derive should fail */
159 ret = TEST_ptr(params)
160 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
161 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
162 && TEST_int_eq(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0);
164 EVP_KDF_CTX_free(kctx);
165 OPENSSL_free(params);
169 static int test_kdf_tls1_prf_1byte_seed(void)
172 EVP_KDF_CTX *kctx = NULL;
173 unsigned char out[16];
176 params = construct_tls1_prf_params("sha256", "secret", "1");
178 ret = TEST_ptr(params)
179 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
180 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0);
182 EVP_KDF_CTX_free(kctx);
183 OPENSSL_free(params);
187 static OSSL_PARAM *construct_hkdf_params(char *digest, char *key,
188 size_t keylen, char *salt, char *info)
190 OSSL_PARAM *params = OPENSSL_malloc(sizeof(OSSL_PARAM) * 5);
191 OSSL_PARAM *p = params;
196 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
198 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
200 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
201 (unsigned char *)key, keylen);
202 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO,
204 *p = OSSL_PARAM_construct_end();
209 static int test_kdf_hkdf(void)
212 EVP_KDF_CTX *kctx = NULL;
213 unsigned char out[10];
215 static const unsigned char expected[sizeof(out)] = {
216 0x2a, 0xc4, 0x36, 0x9f, 0x52, 0x59, 0x96, 0xf8, 0xde, 0x13
219 params = construct_hkdf_params("sha256", "secret", 6, "salt", "label");
221 ret = TEST_ptr(params)
222 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))
223 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
224 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
226 EVP_KDF_CTX_free(kctx);
227 OPENSSL_free(params);
231 static int test_kdf_hkdf_invalid_digest(void)
234 EVP_KDF_CTX *kctx = NULL;
237 params = construct_hkdf_params("blah", "secret", 6, "salt", "label");
239 ret = TEST_ptr(params)
240 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))
241 && TEST_false(EVP_KDF_CTX_set_params(kctx, params));
243 EVP_KDF_CTX_free(kctx);
244 OPENSSL_free(params);
248 static int test_kdf_hkdf_zero_output_size(void)
251 EVP_KDF_CTX *kctx = NULL;
252 unsigned char out[10];
255 params = construct_hkdf_params("sha256", "secret", 6, "salt", "label");
257 /* Negative test - derive should fail */
258 ret = TEST_ptr(params)
259 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))
260 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
261 && TEST_int_eq(EVP_KDF_derive(kctx, out, 0, NULL), 0);
263 EVP_KDF_CTX_free(kctx);
264 OPENSSL_free(params);
268 static int test_kdf_hkdf_empty_key(void)
271 EVP_KDF_CTX *kctx = NULL;
272 unsigned char out[10];
275 params = construct_hkdf_params("sha256", "", 0, "salt", "label");
277 ret = TEST_ptr(params)
278 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))
279 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0);
281 EVP_KDF_CTX_free(kctx);
282 OPENSSL_free(params);
286 static int test_kdf_hkdf_1byte_key(void)
289 EVP_KDF_CTX *kctx = NULL;
290 unsigned char out[10];
293 params = construct_hkdf_params("sha256", "1", 1, "salt", "label");
295 ret = TEST_ptr(params)
296 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))
297 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0);
299 EVP_KDF_CTX_free(kctx);
300 OPENSSL_free(params);
304 static int test_kdf_hkdf_empty_salt(void)
307 EVP_KDF_CTX *kctx = NULL;
308 unsigned char out[10];
311 params = construct_hkdf_params("sha256", "secret", 6, "", "label");
313 ret = TEST_ptr(params)
314 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))
315 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0);
317 EVP_KDF_CTX_free(kctx);
318 OPENSSL_free(params);
322 static OSSL_PARAM *construct_pbkdf1_params(char *pass, char *digest, char *salt,
325 OSSL_PARAM *params = OPENSSL_malloc(sizeof(OSSL_PARAM) * 5);
326 OSSL_PARAM *p = params;
331 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PASSWORD,
332 (unsigned char *)pass, strlen(pass));
333 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
334 (unsigned char *)salt, strlen(salt));
335 *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_ITER, iter);
336 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
338 *p = OSSL_PARAM_construct_end();
343 static int test_kdf_pbkdf1(void)
346 EVP_KDF_CTX *kctx = NULL;
347 unsigned char out[25];
348 unsigned int iterations = 4096;
350 OSSL_PROVIDER *prov = NULL;
351 const unsigned char expected[sizeof(out)] = {
352 0xfb, 0x83, 0x4d, 0x36, 0x6d, 0xbc, 0x53, 0x87, 0x35, 0x1b, 0x34, 0x75,
353 0x95, 0x88, 0x32, 0x4f, 0x3e, 0x82, 0x81, 0x01, 0x21, 0x93, 0x64, 0x00,
357 /* PBKDF1 only available in the legacy provider */
358 prov = OSSL_PROVIDER_load(NULL, "legacy");
360 return TEST_skip("PBKDF1 only available in legacy provider");
362 params = construct_pbkdf1_params("passwordPASSWORDpassword", "sha256",
363 "saltSALTsaltSALTsaltSALTsaltSALTsalt",
366 if (!TEST_ptr(params)
367 || !TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF1))
368 || !TEST_true(EVP_KDF_CTX_set_params(kctx, params))
369 || !TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0)
370 || !TEST_mem_eq(out, sizeof(out), expected, sizeof(expected)))
375 EVP_KDF_CTX_free(kctx);
376 OPENSSL_free(params);
377 OSSL_PROVIDER_unload(prov);
381 static OSSL_PARAM *construct_pbkdf2_params(char *pass, char *digest, char *salt,
382 unsigned int *iter, int *mode)
384 OSSL_PARAM *params = OPENSSL_malloc(sizeof(OSSL_PARAM) * 6);
385 OSSL_PARAM *p = params;
390 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PASSWORD,
391 (unsigned char *)pass, strlen(pass));
392 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
393 (unsigned char *)salt, strlen(salt));
394 *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_ITER, iter);
395 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
397 *p++ = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_PKCS5, mode);
398 *p = OSSL_PARAM_construct_end();
403 static int test_kdf_pbkdf2(void)
406 EVP_KDF_CTX *kctx = NULL;
407 unsigned char out[25];
408 unsigned int iterations = 4096;
411 const unsigned char expected[sizeof(out)] = {
412 0x34, 0x8c, 0x89, 0xdb, 0xcb, 0xd3, 0x2b, 0x2f,
413 0x32, 0xd8, 0x14, 0xb8, 0x11, 0x6e, 0x84, 0xcf,
414 0x2b, 0x17, 0x34, 0x7e, 0xbc, 0x18, 0x00, 0x18,
418 params = construct_pbkdf2_params("passwordPASSWORDpassword", "sha256",
419 "saltSALTsaltSALTsaltSALTsaltSALTsalt",
422 if (!TEST_ptr(params)
423 || !TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
424 || !TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
425 || !TEST_mem_eq(out, sizeof(out), expected, sizeof(expected)))
430 EVP_KDF_CTX_free(kctx);
431 OPENSSL_free(params);
435 static int test_kdf_pbkdf2_small_output(void)
438 EVP_KDF_CTX *kctx = NULL;
439 unsigned char out[25];
440 unsigned int iterations = 4096;
444 params = construct_pbkdf2_params("passwordPASSWORDpassword", "sha256",
445 "saltSALTsaltSALTsaltSALTsaltSALTsalt",
448 if (!TEST_ptr(params)
449 || !TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
450 || !TEST_true(EVP_KDF_CTX_set_params(kctx, params))
451 /* A key length that is too small should fail */
452 || !TEST_int_eq(EVP_KDF_derive(kctx, out, 112 / 8 - 1, NULL), 0))
457 EVP_KDF_CTX_free(kctx);
458 OPENSSL_free(params);
462 static int test_kdf_pbkdf2_large_output(void)
465 EVP_KDF_CTX *kctx = NULL;
466 unsigned char out[25];
468 unsigned int iterations = 4096;
472 if (sizeof(len) > 32)
475 params = construct_pbkdf2_params("passwordPASSWORDpassword", "sha256",
476 "saltSALTsaltSALTsaltSALTsaltSALTsalt",
479 if (!TEST_ptr(params)
480 || !TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
481 /* A key length that is too large should fail */
482 || !TEST_true(EVP_KDF_CTX_set_params(kctx, params))
483 || (len != 0 && !TEST_int_eq(EVP_KDF_derive(kctx, out, len, NULL), 0)))
488 EVP_KDF_CTX_free(kctx);
489 OPENSSL_free(params);
493 static int test_kdf_pbkdf2_small_salt(void)
496 EVP_KDF_CTX *kctx = NULL;
497 unsigned int iterations = 4096;
501 params = construct_pbkdf2_params("passwordPASSWORDpassword", "sha256",
505 if (!TEST_ptr(params)
506 || !TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
507 /* A salt that is too small should fail */
508 || !TEST_false(EVP_KDF_CTX_set_params(kctx, params)))
513 EVP_KDF_CTX_free(kctx);
514 OPENSSL_free(params);
518 static int test_kdf_pbkdf2_small_iterations(void)
521 EVP_KDF_CTX *kctx = NULL;
522 unsigned int iterations = 1;
526 params = construct_pbkdf2_params("passwordPASSWORDpassword", "sha256",
527 "saltSALTsaltSALTsaltSALTsaltSALTsalt",
530 if (!TEST_ptr(params)
531 || !TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
532 /* An iteration count that is too small should fail */
533 || !TEST_false(EVP_KDF_CTX_set_params(kctx, params)))
538 EVP_KDF_CTX_free(kctx);
539 OPENSSL_free(params);
543 static int test_kdf_pbkdf2_small_salt_pkcs5(void)
546 EVP_KDF_CTX *kctx = NULL;
547 unsigned char out[25];
548 unsigned int iterations = 4096;
551 OSSL_PARAM mode_params[2];
553 params = construct_pbkdf2_params("passwordPASSWORDpassword", "sha256",
557 if (!TEST_ptr(params)
558 || !TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
559 /* A salt that is too small should pass in pkcs5 mode */
560 || !TEST_true(EVP_KDF_CTX_set_params(kctx, params))
561 || !TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0))
565 mode_params[0] = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_PKCS5, &mode);
566 mode_params[1] = OSSL_PARAM_construct_end();
568 /* If the "pkcs5" mode is disabled then the derive will now fail */
569 if (!TEST_true(EVP_KDF_CTX_set_params(kctx, mode_params))
570 || !TEST_int_eq(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0))
575 EVP_KDF_CTX_free(kctx);
576 OPENSSL_free(params);
580 static int test_kdf_pbkdf2_small_iterations_pkcs5(void)
583 EVP_KDF_CTX *kctx = NULL;
584 unsigned char out[25];
585 unsigned int iterations = 1;
588 OSSL_PARAM mode_params[2];
590 params = construct_pbkdf2_params("passwordPASSWORDpassword", "sha256",
591 "saltSALTsaltSALTsaltSALTsaltSALTsalt",
594 if (!TEST_ptr(params)
595 || !TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
596 /* An iteration count that is too small will pass in pkcs5 mode */
597 || !TEST_true(EVP_KDF_CTX_set_params(kctx, params))
598 || !TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0))
602 mode_params[0] = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_PKCS5, &mode);
603 mode_params[1] = OSSL_PARAM_construct_end();
605 /* If the "pkcs5" mode is disabled then the derive will now fail */
606 if (!TEST_true(EVP_KDF_CTX_set_params(kctx, mode_params))
607 || !TEST_int_eq(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0))
612 EVP_KDF_CTX_free(kctx);
613 OPENSSL_free(params);
617 static int test_kdf_pbkdf2_invalid_digest(void)
620 EVP_KDF_CTX *kctx = NULL;
621 unsigned int iterations = 4096;
625 params = construct_pbkdf2_params("passwordPASSWORDpassword", "blah",
626 "saltSALTsaltSALTsaltSALTsaltSALTsalt",
629 if (!TEST_ptr(params)
630 || !TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
631 /* Unknown digest should fail */
632 || !TEST_false(EVP_KDF_CTX_set_params(kctx, params)))
637 EVP_KDF_CTX_free(kctx);
638 OPENSSL_free(params);
642 #ifndef OPENSSL_NO_SCRYPT
643 static int test_kdf_scrypt(void)
647 OSSL_PARAM params[7], *p = params;
648 unsigned char out[64];
649 unsigned int nu = 1024, ru = 8, pu = 16, maxmem = 16;
650 static const unsigned char expected[sizeof(out)] = {
651 0xfd, 0xba, 0xbe, 0x1c, 0x9d, 0x34, 0x72, 0x00,
652 0x78, 0x56, 0xe7, 0x19, 0x0d, 0x01, 0xe9, 0xfe,
653 0x7c, 0x6a, 0xd7, 0xcb, 0xc8, 0x23, 0x78, 0x30,
654 0xe7, 0x73, 0x76, 0x63, 0x4b, 0x37, 0x31, 0x62,
655 0x2e, 0xaf, 0x30, 0xd9, 0x2e, 0x22, 0xa3, 0x88,
656 0x6f, 0xf1, 0x09, 0x27, 0x9d, 0x98, 0x30, 0xda,
657 0xc7, 0x27, 0xaf, 0xb9, 0x4a, 0x83, 0xee, 0x6d,
658 0x83, 0x60, 0xcb, 0xdf, 0xa2, 0xcc, 0x06, 0x40
661 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PASSWORD,
662 (char *)"password", 8);
663 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
665 *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_SCRYPT_N, &nu);
666 *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_SCRYPT_R, &ru);
667 *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_SCRYPT_P, &pu);
668 *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_SCRYPT_MAXMEM, &maxmem);
669 *p = OSSL_PARAM_construct_end();
672 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SCRYPT))
673 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
675 && TEST_int_le(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0)*/
676 && TEST_true(OSSL_PARAM_set_uint(p - 1, 10 * 1024 * 1024))
677 && TEST_true(EVP_KDF_CTX_set_params(kctx, p - 1))
678 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0)
679 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
681 EVP_KDF_CTX_free(kctx);
684 #endif /* OPENSSL_NO_SCRYPT */
686 static int test_kdf_ss_hash(void)
690 OSSL_PARAM params[4], *p = params;
691 unsigned char out[14];
692 static unsigned char z[] = {
693 0x6d,0xbd,0xc2,0x3f,0x04,0x54,0x88,0xe4,0x06,0x27,0x57,0xb0,0x6b,0x9e,
694 0xba,0xe1,0x83,0xfc,0x5a,0x59,0x46,0xd8,0x0d,0xb9,0x3f,0xec,0x6f,0x62,
695 0xec,0x07,0xe3,0x72,0x7f,0x01,0x26,0xae,0xd1,0x2c,0xe4,0xb2,0x62,0xf4,
696 0x7d,0x48,0xd5,0x42,0x87,0xf8,0x1d,0x47,0x4c,0x7c,0x3b,0x18,0x50,0xe9
698 static unsigned char other[] = {
699 0xa1,0xb2,0xc3,0xd4,0xe5,0x43,0x41,0x56,0x53,0x69,0x64,0x3c,0x83,0x2e,
700 0x98,0x49,0xdc,0xdb,0xa7,0x1e,0x9a,0x31,0x39,0xe6,0x06,0xe0,0x95,0xde,
701 0x3c,0x26,0x4a,0x66,0xe9,0x8a,0x16,0x58,0x54,0xcd,0x07,0x98,0x9b,0x1e,
702 0xe0,0xec,0x3f,0x8d,0xbe
704 static const unsigned char expected[sizeof(out)] = {
705 0xa4,0x62,0xde,0x16,0xa8,0x9d,0xe8,0x46,0x6e,0xf5,0x46,0x0b,0x47,0xb8
708 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
709 (char *)"sha224", 0);
710 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z, sizeof(z));
711 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, other,
713 *p = OSSL_PARAM_construct_end();
716 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SSKDF))
717 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
718 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
720 EVP_KDF_CTX_free(kctx);
724 static int test_kdf_x963(void)
728 OSSL_PARAM params[4], *p = params;
729 unsigned char out[1024 / 8];
731 * Test data from https://csrc.nist.gov/CSRC/media/Projects/
732 * Cryptographic-Algorithm-Validation-Program/documents/components/
733 * 800-135testvectors/ansx963_2001.zip
735 static unsigned char z[] = {
736 0x00, 0xaa, 0x5b, 0xb7, 0x9b, 0x33, 0xe3, 0x89, 0xfa, 0x58, 0xce, 0xad,
737 0xc0, 0x47, 0x19, 0x7f, 0x14, 0xe7, 0x37, 0x12, 0xf4, 0x52, 0xca, 0xa9,
738 0xfc, 0x4c, 0x9a, 0xdb, 0x36, 0x93, 0x48, 0xb8, 0x15, 0x07, 0x39, 0x2f,
739 0x1a, 0x86, 0xdd, 0xfd, 0xb7, 0xc4, 0xff, 0x82, 0x31, 0xc4, 0xbd, 0x0f,
740 0x44, 0xe4, 0x4a, 0x1b, 0x55, 0xb1, 0x40, 0x47, 0x47, 0xa9, 0xe2, 0xe7,
741 0x53, 0xf5, 0x5e, 0xf0, 0x5a, 0x2d
743 static unsigned char shared[] = {
744 0xe3, 0xb5, 0xb4, 0xc1, 0xb0, 0xd5, 0xcf, 0x1d, 0x2b, 0x3a, 0x2f, 0x99,
745 0x37, 0x89, 0x5d, 0x31
747 static const unsigned char expected[sizeof(out)] = {
748 0x44, 0x63, 0xf8, 0x69, 0xf3, 0xcc, 0x18, 0x76, 0x9b, 0x52, 0x26, 0x4b,
749 0x01, 0x12, 0xb5, 0x85, 0x8f, 0x7a, 0xd3, 0x2a, 0x5a, 0x2d, 0x96, 0xd8,
750 0xcf, 0xfa, 0xbf, 0x7f, 0xa7, 0x33, 0x63, 0x3d, 0x6e, 0x4d, 0xd2, 0xa5,
751 0x99, 0xac, 0xce, 0xb3, 0xea, 0x54, 0xa6, 0x21, 0x7c, 0xe0, 0xb5, 0x0e,
752 0xef, 0x4f, 0x6b, 0x40, 0xa5, 0xc3, 0x02, 0x50, 0xa5, 0xa8, 0xee, 0xee,
753 0x20, 0x80, 0x02, 0x26, 0x70, 0x89, 0xdb, 0xf3, 0x51, 0xf3, 0xf5, 0x02,
754 0x2a, 0xa9, 0x63, 0x8b, 0xf1, 0xee, 0x41, 0x9d, 0xea, 0x9c, 0x4f, 0xf7,
755 0x45, 0xa2, 0x5a, 0xc2, 0x7b, 0xda, 0x33, 0xca, 0x08, 0xbd, 0x56, 0xdd,
756 0x1a, 0x59, 0xb4, 0x10, 0x6c, 0xf2, 0xdb, 0xbc, 0x0a, 0xb2, 0xaa, 0x8e,
757 0x2e, 0xfa, 0x7b, 0x17, 0x90, 0x2d, 0x34, 0x27, 0x69, 0x51, 0xce, 0xcc,
758 0xab, 0x87, 0xf9, 0x66, 0x1c, 0x3e, 0x88, 0x16
761 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
762 (char *)"sha512", 0);
763 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z, sizeof(z));
764 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, shared,
766 *p = OSSL_PARAM_construct_end();
769 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_X963KDF))
770 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
771 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
773 EVP_KDF_CTX_free(kctx);
777 #if !defined(OPENSSL_NO_CMAC) && !defined(OPENSSL_NO_CAMELLIA)
779 * KBKDF test vectors from RFC 6803 (Camellia Encryption for Kerberos 5)
782 static int test_kdf_kbkdf_6803_128(void)
786 OSSL_PARAM params[7];
787 static unsigned char input_key[] = {
788 0x57, 0xD0, 0x29, 0x72, 0x98, 0xFF, 0xD9, 0xD3,
789 0x5D, 0xE5, 0xA4, 0x7F, 0xB4, 0xBD, 0xE2, 0x4B,
791 static unsigned char constants[][5] = {
792 { 0x00, 0x00, 0x00, 0x02, 0x99 },
793 { 0x00, 0x00, 0x00, 0x02, 0xaa },
794 { 0x00, 0x00, 0x00, 0x02, 0x55 },
796 static unsigned char outputs[][16] = {
797 {0xD1, 0x55, 0x77, 0x5A, 0x20, 0x9D, 0x05, 0xF0,
798 0x2B, 0x38, 0xD4, 0x2A, 0x38, 0x9E, 0x5A, 0x56},
799 {0x64, 0xDF, 0x83, 0xF8, 0x5A, 0x53, 0x2F, 0x17,
800 0x57, 0x7D, 0x8C, 0x37, 0x03, 0x57, 0x96, 0xAB},
801 {0x3E, 0x4F, 0xBD, 0xF3, 0x0F, 0xB8, 0x25, 0x9C,
802 0x42, 0x5C, 0xB6, 0xC9, 0x6F, 0x1F, 0x46, 0x35}
804 static unsigned char iv[16] = { 0 };
805 unsigned char result[16] = { 0 };
807 for (i = 0; i < 3; i++) {
809 params[p++] = OSSL_PARAM_construct_utf8_string(
810 OSSL_KDF_PARAM_CIPHER, "CAMELLIA-128-CBC", 0);
811 params[p++] = OSSL_PARAM_construct_utf8_string(
812 OSSL_KDF_PARAM_MAC, "CMAC", 0);
813 params[p++] = OSSL_PARAM_construct_utf8_string(
814 OSSL_KDF_PARAM_MODE, "FEEDBACK", 0);
815 params[p++] = OSSL_PARAM_construct_octet_string(
816 OSSL_KDF_PARAM_KEY, input_key, sizeof(input_key));
817 params[p++] = OSSL_PARAM_construct_octet_string(
818 OSSL_KDF_PARAM_SALT, constants[i], sizeof(constants[i]));
819 params[p++] = OSSL_PARAM_construct_octet_string(
820 OSSL_KDF_PARAM_SEED, iv, sizeof(iv));
821 params[p] = OSSL_PARAM_construct_end();
823 kctx = get_kdfbyname("KBKDF");
825 && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result),
827 && TEST_mem_eq(result, sizeof(result), outputs[i],
829 EVP_KDF_CTX_free(kctx);
837 static int test_kdf_kbkdf_6803_256(void)
841 OSSL_PARAM params[7];
842 static unsigned char input_key[] = {
843 0xB9, 0xD6, 0x82, 0x8B, 0x20, 0x56, 0xB7, 0xBE,
844 0x65, 0x6D, 0x88, 0xA1, 0x23, 0xB1, 0xFA, 0xC6,
845 0x82, 0x14, 0xAC, 0x2B, 0x72, 0x7E, 0xCF, 0x5F,
846 0x69, 0xAF, 0xE0, 0xC4, 0xDF, 0x2A, 0x6D, 0x2C,
848 static unsigned char constants[][5] = {
849 { 0x00, 0x00, 0x00, 0x02, 0x99 },
850 { 0x00, 0x00, 0x00, 0x02, 0xaa },
851 { 0x00, 0x00, 0x00, 0x02, 0x55 },
853 static unsigned char outputs[][32] = {
854 {0xE4, 0x67, 0xF9, 0xA9, 0x55, 0x2B, 0xC7, 0xD3,
855 0x15, 0x5A, 0x62, 0x20, 0xAF, 0x9C, 0x19, 0x22,
856 0x0E, 0xEE, 0xD4, 0xFF, 0x78, 0xB0, 0xD1, 0xE6,
857 0xA1, 0x54, 0x49, 0x91, 0x46, 0x1A, 0x9E, 0x50,
859 {0x41, 0x2A, 0xEF, 0xC3, 0x62, 0xA7, 0x28, 0x5F,
860 0xC3, 0x96, 0x6C, 0x6A, 0x51, 0x81, 0xE7, 0x60,
861 0x5A, 0xE6, 0x75, 0x23, 0x5B, 0x6D, 0x54, 0x9F,
862 0xBF, 0xC9, 0xAB, 0x66, 0x30, 0xA4, 0xC6, 0x04,
864 {0xFA, 0x62, 0x4F, 0xA0, 0xE5, 0x23, 0x99, 0x3F,
865 0xA3, 0x88, 0xAE, 0xFD, 0xC6, 0x7E, 0x67, 0xEB,
866 0xCD, 0x8C, 0x08, 0xE8, 0xA0, 0x24, 0x6B, 0x1D,
867 0x73, 0xB0, 0xD1, 0xDD, 0x9F, 0xC5, 0x82, 0xB0,
870 static unsigned char iv[16] = { 0 };
871 unsigned char result[32] = { 0 };
873 for (i = 0; i < 3; i++) {
875 params[p++] = OSSL_PARAM_construct_utf8_string(
876 OSSL_KDF_PARAM_CIPHER, "CAMELLIA-256-CBC", 0);
877 params[p++] = OSSL_PARAM_construct_utf8_string(
878 OSSL_KDF_PARAM_MAC, "CMAC", 0);
879 params[p++] = OSSL_PARAM_construct_utf8_string(
880 OSSL_KDF_PARAM_MODE, "FEEDBACK", 0);
881 params[p++] = OSSL_PARAM_construct_octet_string(
882 OSSL_KDF_PARAM_KEY, input_key, sizeof(input_key));
883 params[p++] = OSSL_PARAM_construct_octet_string(
884 OSSL_KDF_PARAM_SALT, constants[i], sizeof(constants[i]));
885 params[p++] = OSSL_PARAM_construct_octet_string(
886 OSSL_KDF_PARAM_SEED, iv, sizeof(iv));
887 params[p] = OSSL_PARAM_construct_end();
889 kctx = get_kdfbyname("KBKDF");
891 && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result),
893 && TEST_mem_eq(result, sizeof(result), outputs[i],
895 EVP_KDF_CTX_free(kctx);
904 static OSSL_PARAM *construct_kbkdf_params(char *digest, char *mac, unsigned char *key,
905 size_t keylen, char *salt, char *info)
907 OSSL_PARAM *params = OPENSSL_malloc(sizeof(OSSL_PARAM) * 7);
908 OSSL_PARAM *p = params;
913 *p++ = OSSL_PARAM_construct_utf8_string(
914 OSSL_KDF_PARAM_DIGEST, digest, 0);
915 *p++ = OSSL_PARAM_construct_utf8_string(
916 OSSL_KDF_PARAM_MAC, mac, 0);
917 *p++ = OSSL_PARAM_construct_utf8_string(
918 OSSL_KDF_PARAM_MODE, "COUNTER", 0);
919 *p++ = OSSL_PARAM_construct_octet_string(
920 OSSL_KDF_PARAM_KEY, key, keylen);
921 *p++ = OSSL_PARAM_construct_octet_string(
922 OSSL_KDF_PARAM_SALT, salt, strlen(salt));
923 *p++ = OSSL_PARAM_construct_octet_string(
924 OSSL_KDF_PARAM_INFO, info, strlen(info));
925 *p = OSSL_PARAM_construct_end();
930 static int test_kdf_kbkdf_invalid_digest(void)
936 static unsigned char key[] = {0x01};
938 params = construct_kbkdf_params("blah", "HMAC", key, 1, "prf", "test");
939 if (!TEST_ptr(params))
942 /* Negative test case - set_params should fail */
943 kctx = get_kdfbyname("KBKDF");
945 && TEST_false(EVP_KDF_CTX_set_params(kctx, params));
947 EVP_KDF_CTX_free(kctx);
948 OPENSSL_free(params);
952 static int test_kdf_kbkdf_invalid_mac(void)
958 static unsigned char key[] = {0x01};
960 params = construct_kbkdf_params("sha256", "blah", key, 1, "prf", "test");
961 if (!TEST_ptr(params))
964 /* Negative test case - set_params should fail */
965 kctx = get_kdfbyname("KBKDF");
967 && TEST_false(EVP_KDF_CTX_set_params(kctx, params));
969 EVP_KDF_CTX_free(kctx);
970 OPENSSL_free(params);
974 static int test_kdf_kbkdf_empty_key(void)
980 static unsigned char key[] = {0x01};
981 unsigned char result[32] = { 0 };
983 params = construct_kbkdf_params("sha256", "HMAC", key, 0, "prf", "test");
984 if (!TEST_ptr(params))
987 /* Negative test case - derive should fail */
988 kctx = get_kdfbyname("KBKDF");
990 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
991 && TEST_int_eq(EVP_KDF_derive(kctx, result, sizeof(result), NULL), 0);
993 EVP_KDF_CTX_free(kctx);
994 OPENSSL_free(params);
998 static int test_kdf_kbkdf_1byte_key(void)
1004 static unsigned char key[] = {0x01};
1005 unsigned char result[32] = { 0 };
1007 params = construct_kbkdf_params("sha256", "HMAC", key, 1, "prf", "test");
1008 if (!TEST_ptr(params))
1011 kctx = get_kdfbyname("KBKDF");
1012 ret = TEST_ptr(kctx)
1013 && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result), params), 0);
1015 EVP_KDF_CTX_free(kctx);
1016 OPENSSL_free(params);
1020 static int test_kdf_kbkdf_zero_output_size(void)
1026 static unsigned char key[] = {0x01};
1027 unsigned char result[32] = { 0 };
1029 params = construct_kbkdf_params("sha256", "HMAC", key, 1, "prf", "test");
1030 if (!TEST_ptr(params))
1033 /* Negative test case - derive should fail */
1034 kctx = get_kdfbyname("KBKDF");
1035 ret = TEST_ptr(kctx)
1036 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
1037 && TEST_int_eq(EVP_KDF_derive(kctx, result, 0, NULL), 0);
1039 EVP_KDF_CTX_free(kctx);
1040 OPENSSL_free(params);
1044 /* Two test vectors from RFC 8009 (AES Encryption with HMAC-SHA2 for Kerberos
1046 static int test_kdf_kbkdf_8009_prf1(void)
1050 OSSL_PARAM params[6];
1051 char *label = "prf", *digest = "sha256", *prf_input = "test",
1053 static unsigned char input_key[] = {
1054 0x37, 0x05, 0xD9, 0x60, 0x80, 0xC1, 0x77, 0x28,
1055 0xA0, 0xE8, 0x00, 0xEA, 0xB6, 0xE0, 0xD2, 0x3C,
1057 static unsigned char output[] = {
1058 0x9D, 0x18, 0x86, 0x16, 0xF6, 0x38, 0x52, 0xFE,
1059 0x86, 0x91, 0x5B, 0xB8, 0x40, 0xB4, 0xA8, 0x86,
1060 0xFF, 0x3E, 0x6B, 0xB0, 0xF8, 0x19, 0xB4, 0x9B,
1061 0x89, 0x33, 0x93, 0xD3, 0x93, 0x85, 0x42, 0x95,
1063 unsigned char result[sizeof(output)] = { 0 };
1065 params[i++] = OSSL_PARAM_construct_utf8_string(
1066 OSSL_KDF_PARAM_DIGEST, digest, 0);
1067 params[i++] = OSSL_PARAM_construct_utf8_string(
1068 OSSL_KDF_PARAM_MAC, mac, 0);
1069 params[i++] = OSSL_PARAM_construct_octet_string(
1070 OSSL_KDF_PARAM_KEY, input_key, sizeof(input_key));
1071 params[i++] = OSSL_PARAM_construct_octet_string(
1072 OSSL_KDF_PARAM_SALT, label, strlen(label));
1073 params[i++] = OSSL_PARAM_construct_octet_string(
1074 OSSL_KDF_PARAM_INFO, prf_input, strlen(prf_input));
1075 params[i] = OSSL_PARAM_construct_end();
1077 kctx = get_kdfbyname("KBKDF");
1078 ret = TEST_ptr(kctx)
1079 && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result), params), 0)
1080 && TEST_mem_eq(result, sizeof(result), output, sizeof(output));
1082 EVP_KDF_CTX_free(kctx);
1086 static int test_kdf_kbkdf_8009_prf2(void)
1090 OSSL_PARAM params[6];
1091 char *label = "prf", *digest = "sha384", *prf_input = "test",
1093 static unsigned char input_key[] = {
1094 0x6D, 0x40, 0x4D, 0x37, 0xFA, 0xF7, 0x9F, 0x9D,
1095 0xF0, 0xD3, 0x35, 0x68, 0xD3, 0x20, 0x66, 0x98,
1096 0x00, 0xEB, 0x48, 0x36, 0x47, 0x2E, 0xA8, 0xA0,
1097 0x26, 0xD1, 0x6B, 0x71, 0x82, 0x46, 0x0C, 0x52,
1099 static unsigned char output[] = {
1100 0x98, 0x01, 0xF6, 0x9A, 0x36, 0x8C, 0x2B, 0xF6,
1101 0x75, 0xE5, 0x95, 0x21, 0xE1, 0x77, 0xD9, 0xA0,
1102 0x7F, 0x67, 0xEF, 0xE1, 0xCF, 0xDE, 0x8D, 0x3C,
1103 0x8D, 0x6F, 0x6A, 0x02, 0x56, 0xE3, 0xB1, 0x7D,
1104 0xB3, 0xC1, 0xB6, 0x2A, 0xD1, 0xB8, 0x55, 0x33,
1105 0x60, 0xD1, 0x73, 0x67, 0xEB, 0x15, 0x14, 0xD2,
1107 unsigned char result[sizeof(output)] = { 0 };
1109 params[i++] = OSSL_PARAM_construct_utf8_string(
1110 OSSL_KDF_PARAM_DIGEST, digest, 0);
1111 params[i++] = OSSL_PARAM_construct_utf8_string(
1112 OSSL_KDF_PARAM_MAC, mac, 0);
1113 params[i++] = OSSL_PARAM_construct_octet_string(
1114 OSSL_KDF_PARAM_KEY, input_key, sizeof(input_key));
1115 params[i++] = OSSL_PARAM_construct_octet_string(
1116 OSSL_KDF_PARAM_SALT, label, strlen(label));
1117 params[i++] = OSSL_PARAM_construct_octet_string(
1118 OSSL_KDF_PARAM_INFO, prf_input, strlen(prf_input));
1119 params[i] = OSSL_PARAM_construct_end();
1121 kctx = get_kdfbyname("KBKDF");
1122 ret = TEST_ptr(kctx)
1123 && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result), params), 0)
1124 && TEST_mem_eq(result, sizeof(result), output, sizeof(output));
1126 EVP_KDF_CTX_free(kctx);
1130 #if !defined(OPENSSL_NO_CMAC)
1132 * Test vector taken from
1133 * https://csrc.nist.gov/CSRC/media/Projects/
1134 * Cryptographic-Algorithm-Validation-Program/documents/KBKDF800-108/CounterMode.zip
1135 * Note: Only 32 bit counter is supported ([RLEN=32_BITS])
1137 static int test_kdf_kbkdf_fixedinfo(void)
1141 OSSL_PARAM params[8], *p = params;
1142 static char *cipher = "AES128";
1143 static char *mac = "CMAC";
1144 static char *mode = "COUNTER";
1146 int use_separator = 0;
1148 static unsigned char input_key[] = {
1149 0xc1, 0x0b, 0x15, 0x2e, 0x8c, 0x97, 0xb7, 0x7e,
1150 0x18, 0x70, 0x4e, 0x0f, 0x0b, 0xd3, 0x83, 0x05,
1152 static unsigned char fixed_input[] = {
1153 0x98, 0xcd, 0x4c, 0xbb, 0xbe, 0xbe, 0x15, 0xd1,
1154 0x7d, 0xc8, 0x6e, 0x6d, 0xba, 0xd8, 0x00, 0xa2,
1155 0xdc, 0xbd, 0x64, 0xf7, 0xc7, 0xad, 0x0e, 0x78,
1156 0xe9, 0xcf, 0x94, 0xff, 0xdb, 0xa8, 0x9d, 0x03,
1157 0xe9, 0x7e, 0xad, 0xf6, 0xc4, 0xf7, 0xb8, 0x06,
1158 0xca, 0xf5, 0x2a, 0xa3, 0x8f, 0x09, 0xd0, 0xeb,
1159 0x71, 0xd7, 0x1f, 0x49, 0x7b, 0xcc, 0x69, 0x06,
1160 0xb4, 0x8d, 0x36, 0xc4,
1163 static unsigned char output[] = {
1164 0x26, 0xfa, 0xf6, 0x19, 0x08, 0xad, 0x9e, 0xe8,
1165 0x81, 0xb8, 0x30, 0x5c, 0x22, 0x1d, 0xb5, 0x3f,
1167 unsigned char result[sizeof(output)] = { 0 };
1169 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_CIPHER, cipher, 0);
1170 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MAC, mac, 0);
1171 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MODE, mode, 0);
1172 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, input_key,
1174 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO,
1175 fixed_input, sizeof(fixed_input));
1176 *p++ = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_KBKDF_USE_L, &use_l);
1177 *p++ = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_KBKDF_USE_SEPARATOR,
1179 *p = OSSL_PARAM_construct_end();
1181 kctx = get_kdfbyname("KBKDF");
1182 ret = TEST_ptr(kctx)
1183 && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result), params), 0)
1184 && TEST_mem_eq(result, sizeof(result), output, sizeof(output));
1186 EVP_KDF_CTX_free(kctx);
1189 #endif /* OPENSSL_NO_CMAC */
1191 static int test_kdf_ss_hmac(void)
1195 OSSL_PARAM params[6], *p = params;
1196 unsigned char out[16];
1197 static unsigned char z[] = {
1198 0xb7,0x4a,0x14,0x9a,0x16,0x15,0x46,0xf8,0xc2,0x0b,0x06,0xac,0x4e,0xd4
1200 static unsigned char other[] = {
1201 0x34,0x8a,0x37,0xa2,0x7e,0xf1,0x28,0x2f,0x5f,0x02,0x0d,0xcc
1203 static unsigned char salt[] = {
1204 0x36,0x38,0x27,0x1c,0xcd,0x68,0xa2,0x5d,0xc2,0x4e,0xcd,0xdd,0x39,0xef,
1207 static const unsigned char expected[sizeof(out)] = {
1208 0x44,0xf6,0x76,0xe8,0x5c,0x1b,0x1a,0x8b,0xbc,0x3d,0x31,0x92,0x18,0x63,
1212 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MAC,
1213 (char *)OSSL_MAC_NAME_HMAC, 0);
1214 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
1215 (char *)"sha256", 0);
1216 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z, sizeof(z));
1217 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, other,
1219 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT, salt,
1221 *p = OSSL_PARAM_construct_end();
1224 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SSKDF))
1225 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
1226 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
1228 EVP_KDF_CTX_free(kctx);
1232 static int test_kdf_ss_kmac(void)
1236 OSSL_PARAM params[6], *p = params;
1237 unsigned char out[64];
1238 size_t mac_size = 20;
1239 static unsigned char z[] = {
1240 0xb7,0x4a,0x14,0x9a,0x16,0x15,0x46,0xf8,0xc2,0x0b,0x06,0xac,0x4e,0xd4
1242 static unsigned char other[] = {
1243 0x34,0x8a,0x37,0xa2,0x7e,0xf1,0x28,0x2f,0x5f,0x02,0x0d,0xcc
1245 static unsigned char salt[] = {
1246 0x36,0x38,0x27,0x1c,0xcd,0x68,0xa2,0x5d,0xc2,0x4e,0xcd,0xdd,0x39,0xef,
1249 static const unsigned char expected[sizeof(out)] = {
1250 0xe9,0xc1,0x84,0x53,0xa0,0x62,0xb5,0x3b,0xdb,0xfc,0xbb,0x5a,0x34,0xbd,
1251 0xb8,0xe5,0xe7,0x07,0xee,0xbb,0x5d,0xd1,0x34,0x42,0x43,0xd8,0xcf,0xc2,
1252 0xc2,0xe6,0x33,0x2f,0x91,0xbd,0xa5,0x86,0xf3,0x7d,0xe4,0x8a,0x65,0xd4,
1253 0xc5,0x14,0xfd,0xef,0xaa,0x1e,0x67,0x54,0xf3,0x73,0xd2,0x38,0xe1,0x95,
1254 0xae,0x15,0x7e,0x1d,0xe8,0x14,0x98,0x03
1257 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MAC,
1258 (char *)OSSL_MAC_NAME_KMAC128, 0);
1259 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z, sizeof(z));
1260 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, other,
1262 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT, salt,
1264 *p++ = OSSL_PARAM_construct_size_t(OSSL_KDF_PARAM_MAC_SIZE, &mac_size);
1265 *p = OSSL_PARAM_construct_end();
1268 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SSKDF))
1269 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
1270 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
1272 EVP_KDF_CTX_free(kctx);
1276 static int test_kdf_sshkdf(void)
1280 OSSL_PARAM params[6], *p = params;
1281 char kdftype = EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV;
1282 unsigned char out[8];
1283 /* Test data from NIST CAVS 14.1 test vectors */
1284 static unsigned char key[] = {
1285 0x00, 0x00, 0x00, 0x81, 0x00, 0x87, 0x5c, 0x55, 0x1c, 0xef, 0x52, 0x6a,
1286 0x4a, 0x8b, 0xe1, 0xa7, 0xdf, 0x27, 0xe9, 0xed, 0x35, 0x4b, 0xac, 0x9a,
1287 0xfb, 0x71, 0xf5, 0x3d, 0xba, 0xe9, 0x05, 0x67, 0x9d, 0x14, 0xf9, 0xfa,
1288 0xf2, 0x46, 0x9c, 0x53, 0x45, 0x7c, 0xf8, 0x0a, 0x36, 0x6b, 0xe2, 0x78,
1289 0x96, 0x5b, 0xa6, 0x25, 0x52, 0x76, 0xca, 0x2d, 0x9f, 0x4a, 0x97, 0xd2,
1290 0x71, 0xf7, 0x1e, 0x50, 0xd8, 0xa9, 0xec, 0x46, 0x25, 0x3a, 0x6a, 0x90,
1291 0x6a, 0xc2, 0xc5, 0xe4, 0xf4, 0x8b, 0x27, 0xa6, 0x3c, 0xe0, 0x8d, 0x80,
1292 0x39, 0x0a, 0x49, 0x2a, 0xa4, 0x3b, 0xad, 0x9d, 0x88, 0x2c, 0xca, 0xc2,
1293 0x3d, 0xac, 0x88, 0xbc, 0xad, 0xa4, 0xb4, 0xd4, 0x26, 0xa3, 0x62, 0x08,
1294 0x3d, 0xab, 0x65, 0x69, 0xc5, 0x4c, 0x22, 0x4d, 0xd2, 0xd8, 0x76, 0x43,
1295 0xaa, 0x22, 0x76, 0x93, 0xe1, 0x41, 0xad, 0x16, 0x30, 0xce, 0x13, 0x14,
1298 static unsigned char xcghash[] = {
1299 0x0e, 0x68, 0x3f, 0xc8, 0xa9, 0xed, 0x7c, 0x2f, 0xf0, 0x2d, 0xef, 0x23,
1300 0xb2, 0x74, 0x5e, 0xbc, 0x99, 0xb2, 0x67, 0xda, 0xa8, 0x6a, 0x4a, 0xa7,
1301 0x69, 0x72, 0x39, 0x08, 0x82, 0x53, 0xf6, 0x42
1303 static unsigned char sessid[] = {
1304 0x0e, 0x68, 0x3f, 0xc8, 0xa9, 0xed, 0x7c, 0x2f, 0xf0, 0x2d, 0xef, 0x23,
1305 0xb2, 0x74, 0x5e, 0xbc, 0x99, 0xb2, 0x67, 0xda, 0xa8, 0x6a, 0x4a, 0xa7,
1306 0x69, 0x72, 0x39, 0x08, 0x82, 0x53, 0xf6, 0x42
1308 static const unsigned char expected[sizeof(out)] = {
1309 0x41, 0xff, 0x2e, 0xad, 0x16, 0x83, 0xf1, 0xe6
1312 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
1313 (char *)"sha256", 0);
1314 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, key,
1316 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SSHKDF_XCGHASH,
1317 xcghash, sizeof(xcghash));
1318 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SSHKDF_SESSION_ID,
1319 sessid, sizeof(sessid));
1320 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_SSHKDF_TYPE,
1321 &kdftype, sizeof(kdftype));
1322 *p = OSSL_PARAM_construct_end();
1325 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SSHKDF))
1326 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
1327 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
1329 EVP_KDF_CTX_free(kctx);
1333 static int test_kdfs_same( EVP_KDF *kdf1, EVP_KDF *kdf2)
1335 /* Fast path in case the two are the same algorithm pointer */
1339 * Compare their names and providers instead.
1340 * This is necessary in a non-caching build (or a cache flush during fetch)
1341 * because without the algorithm in the cache, fetching it a second time
1342 * will result in a different pointer.
1344 return TEST_ptr_eq(EVP_KDF_provider(kdf1), EVP_KDF_provider(kdf2))
1345 && TEST_str_eq(EVP_KDF_name(kdf1), EVP_KDF_name(kdf2));
1348 static int test_kdf_get_kdf(void)
1350 EVP_KDF *kdf1 = NULL, *kdf2 = NULL;
1354 if (!TEST_ptr(obj = OBJ_nid2obj(NID_id_pbkdf2))
1355 || !TEST_ptr(kdf1 = EVP_KDF_fetch(NULL, OSSL_KDF_NAME_PBKDF2, NULL))
1356 || !TEST_ptr(kdf2 = EVP_KDF_fetch(NULL, OBJ_nid2sn(OBJ_obj2nid(obj)),
1358 || !test_kdfs_same(kdf1, kdf2))
1365 if (!TEST_ptr(kdf1 = EVP_KDF_fetch(NULL, SN_tls1_prf, NULL))
1366 || !TEST_ptr(kdf2 = EVP_KDF_fetch(NULL, LN_tls1_prf, NULL))
1367 || !test_kdfs_same(kdf1, kdf2))
1369 /* kdf1 is re-used below, so don't free it here */
1373 if (!TEST_ptr(kdf2 = EVP_KDF_fetch(NULL, OBJ_nid2sn(NID_tls1_prf), NULL))
1374 || !test_kdfs_same(kdf1, kdf2))
1384 #if !defined(OPENSSL_NO_CMS) && !defined(OPENSSL_NO_DES)
1385 static int test_kdf_x942_asn1(void)
1388 EVP_KDF_CTX *kctx = NULL;
1389 OSSL_PARAM params[4], *p = params;
1390 const char *cek_alg = SN_id_smime_alg_CMS3DESwrap;
1391 unsigned char out[24];
1392 /* RFC2631 Section 2.1.6 Test data */
1393 static unsigned char z[] = {
1394 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,
1395 0x0e,0x0f,0x10,0x11,0x12,0x13
1397 static const unsigned char expected[sizeof(out)] = {
1398 0xa0,0x96,0x61,0x39,0x23,0x76,0xf7,0x04,
1399 0x4d,0x90,0x52,0xa3,0x97,0x88,0x32,0x46,
1400 0xb6,0x7f,0x5f,0x1e,0xf6,0x3e,0xb5,0xfb
1403 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
1405 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z,
1407 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_CEK_ALG,
1408 (char *)cek_alg, 0);
1409 *p = OSSL_PARAM_construct_end();
1412 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_X942KDF_ASN1))
1413 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
1414 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
1416 EVP_KDF_CTX_free(kctx);
1419 #endif /* OPENSSL_NO_CMS */
1421 static int test_kdf_krb5kdf(void)
1425 OSSL_PARAM params[4], *p = params;
1426 unsigned char out[16];
1427 static unsigned char key[] = {
1428 0x42, 0x26, 0x3C, 0x6E, 0x89, 0xF4, 0xFC, 0x28,
1429 0xB8, 0xDF, 0x68, 0xEE, 0x09, 0x79, 0x9F, 0x15
1431 static unsigned char constant[] = {
1432 0x00, 0x00, 0x00, 0x02, 0x99
1434 static const unsigned char expected[sizeof(out)] = {
1435 0x34, 0x28, 0x0A, 0x38, 0x2B, 0xC9, 0x27, 0x69,
1436 0xB2, 0xDA, 0x2F, 0x9E, 0xF0, 0x66, 0x85, 0x4B
1439 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_CIPHER,
1440 (char *)"AES-128-CBC", 0);
1441 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, key,
1443 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_CONSTANT,
1444 constant, sizeof(constant));
1445 *p = OSSL_PARAM_construct_end();
1448 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_KRB5KDF))
1449 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
1450 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
1452 EVP_KDF_CTX_free(kctx);
1456 int setup_tests(void)
1458 #if !defined(OPENSSL_NO_CMAC) && !defined(OPENSSL_NO_CAMELLIA)
1459 ADD_TEST(test_kdf_kbkdf_6803_128);
1460 ADD_TEST(test_kdf_kbkdf_6803_256);
1462 ADD_TEST(test_kdf_kbkdf_invalid_digest);
1463 ADD_TEST(test_kdf_kbkdf_invalid_mac);
1464 ADD_TEST(test_kdf_kbkdf_zero_output_size);
1465 ADD_TEST(test_kdf_kbkdf_empty_key);
1466 ADD_TEST(test_kdf_kbkdf_1byte_key);
1467 ADD_TEST(test_kdf_kbkdf_8009_prf1);
1468 ADD_TEST(test_kdf_kbkdf_8009_prf2);
1469 #if !defined(OPENSSL_NO_CMAC)
1470 ADD_TEST(test_kdf_kbkdf_fixedinfo);
1472 ADD_TEST(test_kdf_get_kdf);
1473 ADD_TEST(test_kdf_tls1_prf);
1474 ADD_TEST(test_kdf_tls1_prf_invalid_digest);
1475 ADD_TEST(test_kdf_tls1_prf_zero_output_size);
1476 ADD_TEST(test_kdf_tls1_prf_empty_secret);
1477 ADD_TEST(test_kdf_tls1_prf_1byte_secret);
1478 ADD_TEST(test_kdf_tls1_prf_empty_seed);
1479 ADD_TEST(test_kdf_tls1_prf_1byte_seed);
1480 ADD_TEST(test_kdf_hkdf);
1481 ADD_TEST(test_kdf_hkdf_invalid_digest);
1482 ADD_TEST(test_kdf_hkdf_zero_output_size);
1483 ADD_TEST(test_kdf_hkdf_empty_key);
1484 ADD_TEST(test_kdf_hkdf_1byte_key);
1485 ADD_TEST(test_kdf_hkdf_empty_salt);
1486 ADD_TEST(test_kdf_pbkdf1);
1487 ADD_TEST(test_kdf_pbkdf2);
1488 ADD_TEST(test_kdf_pbkdf2_small_output);
1489 ADD_TEST(test_kdf_pbkdf2_large_output);
1490 ADD_TEST(test_kdf_pbkdf2_small_salt);
1491 ADD_TEST(test_kdf_pbkdf2_small_iterations);
1492 ADD_TEST(test_kdf_pbkdf2_small_salt_pkcs5);
1493 ADD_TEST(test_kdf_pbkdf2_small_iterations_pkcs5);
1494 ADD_TEST(test_kdf_pbkdf2_invalid_digest);
1495 #ifndef OPENSSL_NO_SCRYPT
1496 ADD_TEST(test_kdf_scrypt);
1498 ADD_TEST(test_kdf_ss_hash);
1499 ADD_TEST(test_kdf_ss_hmac);
1500 ADD_TEST(test_kdf_ss_kmac);
1501 ADD_TEST(test_kdf_sshkdf);
1502 ADD_TEST(test_kdf_x963);
1503 #if !defined(OPENSSL_NO_CMS) && !defined(OPENSSL_NO_DES)
1504 ADD_TEST(test_kdf_x942_asn1);
1506 ADD_TEST(test_kdf_krb5kdf);