2 * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright (c) 2018-2020, Oracle and/or its affiliates. All rights reserved.
5 * Licensed under the Apache License 2.0 (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
11 /* Tests of the EVP_KDF_CTX APIs */
16 #include <openssl/evp.h>
17 #include <openssl/kdf.h>
18 #include <openssl/core_names.h>
19 #include "internal/numbers.h"
23 static EVP_KDF_CTX *get_kdfbyname_libctx(OSSL_LIB_CTX *libctx, const char *name)
25 EVP_KDF *kdf = EVP_KDF_fetch(libctx, name, NULL);
26 EVP_KDF_CTX *kctx = EVP_KDF_CTX_new(kdf);
32 static EVP_KDF_CTX *get_kdfbyname(const char *name)
34 return get_kdfbyname_libctx(NULL, name);
37 static OSSL_PARAM *construct_tls1_prf_params(const char *digest, const char *secret,
40 OSSL_PARAM *params = OPENSSL_malloc(sizeof(OSSL_PARAM) * 4);
41 OSSL_PARAM *p = params;
46 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
48 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SECRET,
49 (unsigned char *)secret,
51 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED,
52 (unsigned char *)seed,
54 *p = OSSL_PARAM_construct_end();
59 static int test_kdf_tls1_prf(void)
62 EVP_KDF_CTX *kctx = NULL;
63 unsigned char out[16];
65 static const unsigned char expected[sizeof(out)] = {
66 0x8e, 0x4d, 0x93, 0x25, 0x30, 0xd7, 0x65, 0xa0,
67 0xaa, 0xe9, 0x74, 0xc3, 0x04, 0x73, 0x5e, 0xcc
70 params = construct_tls1_prf_params("sha256", "secret", "seed");
72 ret = TEST_ptr(params)
73 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
74 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
75 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
77 EVP_KDF_CTX_free(kctx);
82 static int test_kdf_tls1_prf_invalid_digest(void)
85 EVP_KDF_CTX *kctx = NULL;
88 params = construct_tls1_prf_params("blah", "secret", "seed");
90 ret = TEST_ptr(params)
91 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
92 && TEST_false(EVP_KDF_CTX_set_params(kctx, params));
94 EVP_KDF_CTX_free(kctx);
99 static int test_kdf_tls1_prf_zero_output_size(void)
102 EVP_KDF_CTX *kctx = NULL;
103 unsigned char out[16];
106 params = construct_tls1_prf_params("sha256", "secret", "seed");
108 /* Negative test - derive should fail */
109 ret = TEST_ptr(params)
110 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
111 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
112 && TEST_int_eq(EVP_KDF_derive(kctx, out, 0, NULL), 0);
114 EVP_KDF_CTX_free(kctx);
115 OPENSSL_free(params);
119 static int test_kdf_tls1_prf_empty_secret(void)
122 EVP_KDF_CTX *kctx = NULL;
123 unsigned char out[16];
126 params = construct_tls1_prf_params("sha256", "", "seed");
128 ret = TEST_ptr(params)
129 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
130 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0);
132 EVP_KDF_CTX_free(kctx);
133 OPENSSL_free(params);
137 static int test_kdf_tls1_prf_1byte_secret(void)
140 EVP_KDF_CTX *kctx = NULL;
141 unsigned char out[16];
144 params = construct_tls1_prf_params("sha256", "1", "seed");
146 ret = TEST_ptr(params)
147 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
148 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0);
150 EVP_KDF_CTX_free(kctx);
151 OPENSSL_free(params);
155 static int test_kdf_tls1_prf_empty_seed(void)
158 EVP_KDF_CTX *kctx = NULL;
159 unsigned char out[16];
162 params = construct_tls1_prf_params("sha256", "secret", "");
164 /* Negative test - derive should fail */
165 ret = TEST_ptr(params)
166 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
167 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
168 && TEST_int_eq(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0);
170 EVP_KDF_CTX_free(kctx);
171 OPENSSL_free(params);
175 static int test_kdf_tls1_prf_1byte_seed(void)
178 EVP_KDF_CTX *kctx = NULL;
179 unsigned char out[16];
182 params = construct_tls1_prf_params("sha256", "secret", "1");
184 ret = TEST_ptr(params)
185 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
186 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0);
188 EVP_KDF_CTX_free(kctx);
189 OPENSSL_free(params);
193 static OSSL_PARAM *construct_hkdf_params(char *digest, char *key,
194 size_t keylen, char *salt, char *info)
196 OSSL_PARAM *params = OPENSSL_malloc(sizeof(OSSL_PARAM) * 5);
197 OSSL_PARAM *p = params;
202 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
204 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
206 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
207 (unsigned char *)key, keylen);
208 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO,
210 *p = OSSL_PARAM_construct_end();
215 static int test_kdf_hkdf(void)
218 EVP_KDF_CTX *kctx = NULL;
219 unsigned char out[10];
221 static const unsigned char expected[sizeof(out)] = {
222 0x2a, 0xc4, 0x36, 0x9f, 0x52, 0x59, 0x96, 0xf8, 0xde, 0x13
225 params = construct_hkdf_params("sha256", "secret", 6, "salt", "label");
227 ret = TEST_ptr(params)
228 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))
229 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
230 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
232 EVP_KDF_CTX_free(kctx);
233 OPENSSL_free(params);
237 static int test_kdf_hkdf_invalid_digest(void)
240 EVP_KDF_CTX *kctx = NULL;
243 params = construct_hkdf_params("blah", "secret", 6, "salt", "label");
245 ret = TEST_ptr(params)
246 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))
247 && TEST_false(EVP_KDF_CTX_set_params(kctx, params));
249 EVP_KDF_CTX_free(kctx);
250 OPENSSL_free(params);
254 static int test_kdf_hkdf_zero_output_size(void)
257 EVP_KDF_CTX *kctx = NULL;
258 unsigned char out[10];
261 params = construct_hkdf_params("sha256", "secret", 6, "salt", "label");
263 /* Negative test - derive should fail */
264 ret = TEST_ptr(params)
265 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))
266 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
267 && TEST_int_eq(EVP_KDF_derive(kctx, out, 0, NULL), 0);
269 EVP_KDF_CTX_free(kctx);
270 OPENSSL_free(params);
274 static int test_kdf_hkdf_empty_key(void)
277 EVP_KDF_CTX *kctx = NULL;
278 unsigned char out[10];
281 params = construct_hkdf_params("sha256", "", 0, "salt", "label");
283 ret = TEST_ptr(params)
284 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))
285 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0);
287 EVP_KDF_CTX_free(kctx);
288 OPENSSL_free(params);
292 static int test_kdf_hkdf_1byte_key(void)
295 EVP_KDF_CTX *kctx = NULL;
296 unsigned char out[10];
299 params = construct_hkdf_params("sha256", "1", 1, "salt", "label");
301 ret = TEST_ptr(params)
302 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))
303 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0);
305 EVP_KDF_CTX_free(kctx);
306 OPENSSL_free(params);
310 static int test_kdf_hkdf_empty_salt(void)
313 EVP_KDF_CTX *kctx = NULL;
314 unsigned char out[10];
317 params = construct_hkdf_params("sha256", "secret", 6, "", "label");
319 ret = TEST_ptr(params)
320 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))
321 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0);
323 EVP_KDF_CTX_free(kctx);
324 OPENSSL_free(params);
328 static OSSL_PARAM *construct_pbkdf1_params(char *pass, char *digest, char *salt,
331 OSSL_PARAM *params = OPENSSL_malloc(sizeof(OSSL_PARAM) * 5);
332 OSSL_PARAM *p = params;
337 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PASSWORD,
338 (unsigned char *)pass, strlen(pass));
339 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
340 (unsigned char *)salt, strlen(salt));
341 *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_ITER, iter);
342 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
344 *p = OSSL_PARAM_construct_end();
349 static int test_kdf_pbkdf1(void)
352 EVP_KDF_CTX *kctx = NULL;
353 unsigned char out[25];
354 unsigned int iterations = 4096;
355 OSSL_LIB_CTX *libctx = NULL;
356 OSSL_PARAM *params = NULL;
357 OSSL_PROVIDER *prov = NULL;
358 const unsigned char expected[sizeof(out)] = {
359 0xfb, 0x83, 0x4d, 0x36, 0x6d, 0xbc, 0x53, 0x87, 0x35, 0x1b, 0x34, 0x75,
360 0x95, 0x88, 0x32, 0x4f, 0x3e, 0x82, 0x81, 0x01, 0x21, 0x93, 0x64, 0x00,
364 if (!TEST_ptr(libctx = OSSL_LIB_CTX_new()))
367 /* PBKDF1 only available in the legacy provider */
368 prov = OSSL_PROVIDER_load(libctx, "legacy");
370 return TEST_skip("PBKDF1 only available in legacy provider");
372 params = construct_pbkdf1_params("passwordPASSWORDpassword", "sha256",
373 "saltSALTsaltSALTsaltSALTsaltSALTsalt",
376 if (!TEST_ptr(params)
377 || !TEST_ptr(kctx = get_kdfbyname_libctx(libctx, OSSL_KDF_NAME_PBKDF1))
378 || !TEST_true(EVP_KDF_CTX_set_params(kctx, params))
379 || !TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0)
380 || !TEST_mem_eq(out, sizeof(out), expected, sizeof(expected)))
385 EVP_KDF_CTX_free(kctx);
386 OPENSSL_free(params);
387 OSSL_PROVIDER_unload(prov);
388 OSSL_LIB_CTX_free(libctx);
392 static OSSL_PARAM *construct_pbkdf2_params(char *pass, char *digest, char *salt,
393 unsigned int *iter, int *mode)
395 OSSL_PARAM *params = OPENSSL_malloc(sizeof(OSSL_PARAM) * 6);
396 OSSL_PARAM *p = params;
401 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PASSWORD,
402 (unsigned char *)pass, strlen(pass));
403 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
404 (unsigned char *)salt, strlen(salt));
405 *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_ITER, iter);
406 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
408 *p++ = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_PKCS5, mode);
409 *p = OSSL_PARAM_construct_end();
414 static int test_kdf_pbkdf2(void)
417 EVP_KDF_CTX *kctx = NULL;
418 unsigned char out[25];
419 unsigned int iterations = 4096;
422 const unsigned char expected[sizeof(out)] = {
423 0x34, 0x8c, 0x89, 0xdb, 0xcb, 0xd3, 0x2b, 0x2f,
424 0x32, 0xd8, 0x14, 0xb8, 0x11, 0x6e, 0x84, 0xcf,
425 0x2b, 0x17, 0x34, 0x7e, 0xbc, 0x18, 0x00, 0x18,
429 params = construct_pbkdf2_params("passwordPASSWORDpassword", "sha256",
430 "saltSALTsaltSALTsaltSALTsaltSALTsalt",
433 if (!TEST_ptr(params)
434 || !TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
435 || !TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
436 || !TEST_mem_eq(out, sizeof(out), expected, sizeof(expected)))
441 EVP_KDF_CTX_free(kctx);
442 OPENSSL_free(params);
446 static int test_kdf_pbkdf2_small_output(void)
449 EVP_KDF_CTX *kctx = NULL;
450 unsigned char out[25];
451 unsigned int iterations = 4096;
455 params = construct_pbkdf2_params("passwordPASSWORDpassword", "sha256",
456 "saltSALTsaltSALTsaltSALTsaltSALTsalt",
459 if (!TEST_ptr(params)
460 || !TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
461 || !TEST_true(EVP_KDF_CTX_set_params(kctx, params))
462 /* A key length that is too small should fail */
463 || !TEST_int_eq(EVP_KDF_derive(kctx, out, 112 / 8 - 1, NULL), 0))
468 EVP_KDF_CTX_free(kctx);
469 OPENSSL_free(params);
473 static int test_kdf_pbkdf2_large_output(void)
476 EVP_KDF_CTX *kctx = NULL;
477 unsigned char out[25];
479 unsigned int iterations = 4096;
483 if (sizeof(len) > 32)
486 params = construct_pbkdf2_params("passwordPASSWORDpassword", "sha256",
487 "saltSALTsaltSALTsaltSALTsaltSALTsalt",
490 if (!TEST_ptr(params)
491 || !TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
492 /* A key length that is too large should fail */
493 || !TEST_true(EVP_KDF_CTX_set_params(kctx, params))
494 || (len != 0 && !TEST_int_eq(EVP_KDF_derive(kctx, out, len, NULL), 0)))
499 EVP_KDF_CTX_free(kctx);
500 OPENSSL_free(params);
504 static int test_kdf_pbkdf2_small_salt(void)
507 EVP_KDF_CTX *kctx = NULL;
508 unsigned int iterations = 4096;
512 params = construct_pbkdf2_params("passwordPASSWORDpassword", "sha256",
516 if (!TEST_ptr(params)
517 || !TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
518 /* A salt that is too small should fail */
519 || !TEST_false(EVP_KDF_CTX_set_params(kctx, params)))
524 EVP_KDF_CTX_free(kctx);
525 OPENSSL_free(params);
529 static int test_kdf_pbkdf2_small_iterations(void)
532 EVP_KDF_CTX *kctx = NULL;
533 unsigned int iterations = 1;
537 params = construct_pbkdf2_params("passwordPASSWORDpassword", "sha256",
538 "saltSALTsaltSALTsaltSALTsaltSALTsalt",
541 if (!TEST_ptr(params)
542 || !TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
543 /* An iteration count that is too small should fail */
544 || !TEST_false(EVP_KDF_CTX_set_params(kctx, params)))
549 EVP_KDF_CTX_free(kctx);
550 OPENSSL_free(params);
554 static int test_kdf_pbkdf2_small_salt_pkcs5(void)
557 EVP_KDF_CTX *kctx = NULL;
558 unsigned char out[25];
559 unsigned int iterations = 4096;
562 OSSL_PARAM mode_params[2];
564 params = construct_pbkdf2_params("passwordPASSWORDpassword", "sha256",
568 if (!TEST_ptr(params)
569 || !TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
570 /* A salt that is too small should pass in pkcs5 mode */
571 || !TEST_true(EVP_KDF_CTX_set_params(kctx, params))
572 || !TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0))
576 mode_params[0] = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_PKCS5, &mode);
577 mode_params[1] = OSSL_PARAM_construct_end();
579 /* If the "pkcs5" mode is disabled then the derive will now fail */
580 if (!TEST_true(EVP_KDF_CTX_set_params(kctx, mode_params))
581 || !TEST_int_eq(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0))
586 EVP_KDF_CTX_free(kctx);
587 OPENSSL_free(params);
591 static int test_kdf_pbkdf2_small_iterations_pkcs5(void)
594 EVP_KDF_CTX *kctx = NULL;
595 unsigned char out[25];
596 unsigned int iterations = 1;
599 OSSL_PARAM mode_params[2];
601 params = construct_pbkdf2_params("passwordPASSWORDpassword", "sha256",
602 "saltSALTsaltSALTsaltSALTsaltSALTsalt",
605 if (!TEST_ptr(params)
606 || !TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
607 /* An iteration count that is too small will pass in pkcs5 mode */
608 || !TEST_true(EVP_KDF_CTX_set_params(kctx, params))
609 || !TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0))
613 mode_params[0] = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_PKCS5, &mode);
614 mode_params[1] = OSSL_PARAM_construct_end();
616 /* If the "pkcs5" mode is disabled then the derive will now fail */
617 if (!TEST_true(EVP_KDF_CTX_set_params(kctx, mode_params))
618 || !TEST_int_eq(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0))
623 EVP_KDF_CTX_free(kctx);
624 OPENSSL_free(params);
628 static int test_kdf_pbkdf2_invalid_digest(void)
631 EVP_KDF_CTX *kctx = NULL;
632 unsigned int iterations = 4096;
636 params = construct_pbkdf2_params("passwordPASSWORDpassword", "blah",
637 "saltSALTsaltSALTsaltSALTsaltSALTsalt",
640 if (!TEST_ptr(params)
641 || !TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
642 /* Unknown digest should fail */
643 || !TEST_false(EVP_KDF_CTX_set_params(kctx, params)))
648 EVP_KDF_CTX_free(kctx);
649 OPENSSL_free(params);
653 #ifndef OPENSSL_NO_SCRYPT
654 static int test_kdf_scrypt(void)
658 OSSL_PARAM params[7], *p = params;
659 unsigned char out[64];
660 unsigned int nu = 1024, ru = 8, pu = 16, maxmem = 16;
661 static const unsigned char expected[sizeof(out)] = {
662 0xfd, 0xba, 0xbe, 0x1c, 0x9d, 0x34, 0x72, 0x00,
663 0x78, 0x56, 0xe7, 0x19, 0x0d, 0x01, 0xe9, 0xfe,
664 0x7c, 0x6a, 0xd7, 0xcb, 0xc8, 0x23, 0x78, 0x30,
665 0xe7, 0x73, 0x76, 0x63, 0x4b, 0x37, 0x31, 0x62,
666 0x2e, 0xaf, 0x30, 0xd9, 0x2e, 0x22, 0xa3, 0x88,
667 0x6f, 0xf1, 0x09, 0x27, 0x9d, 0x98, 0x30, 0xda,
668 0xc7, 0x27, 0xaf, 0xb9, 0x4a, 0x83, 0xee, 0x6d,
669 0x83, 0x60, 0xcb, 0xdf, 0xa2, 0xcc, 0x06, 0x40
672 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PASSWORD,
673 (char *)"password", 8);
674 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
676 *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_SCRYPT_N, &nu);
677 *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_SCRYPT_R, &ru);
678 *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_SCRYPT_P, &pu);
679 *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_SCRYPT_MAXMEM, &maxmem);
680 *p = OSSL_PARAM_construct_end();
683 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SCRYPT))
684 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
686 && TEST_int_le(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0)*/
687 && TEST_true(OSSL_PARAM_set_uint(p - 1, 10 * 1024 * 1024))
688 && TEST_true(EVP_KDF_CTX_set_params(kctx, p - 1))
689 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0)
690 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
692 EVP_KDF_CTX_free(kctx);
695 #endif /* OPENSSL_NO_SCRYPT */
697 static int test_kdf_ss_hash(void)
701 OSSL_PARAM params[4], *p = params;
702 unsigned char out[14];
703 static unsigned char z[] = {
704 0x6d,0xbd,0xc2,0x3f,0x04,0x54,0x88,0xe4,0x06,0x27,0x57,0xb0,0x6b,0x9e,
705 0xba,0xe1,0x83,0xfc,0x5a,0x59,0x46,0xd8,0x0d,0xb9,0x3f,0xec,0x6f,0x62,
706 0xec,0x07,0xe3,0x72,0x7f,0x01,0x26,0xae,0xd1,0x2c,0xe4,0xb2,0x62,0xf4,
707 0x7d,0x48,0xd5,0x42,0x87,0xf8,0x1d,0x47,0x4c,0x7c,0x3b,0x18,0x50,0xe9
709 static unsigned char other[] = {
710 0xa1,0xb2,0xc3,0xd4,0xe5,0x43,0x41,0x56,0x53,0x69,0x64,0x3c,0x83,0x2e,
711 0x98,0x49,0xdc,0xdb,0xa7,0x1e,0x9a,0x31,0x39,0xe6,0x06,0xe0,0x95,0xde,
712 0x3c,0x26,0x4a,0x66,0xe9,0x8a,0x16,0x58,0x54,0xcd,0x07,0x98,0x9b,0x1e,
713 0xe0,0xec,0x3f,0x8d,0xbe
715 static const unsigned char expected[sizeof(out)] = {
716 0xa4,0x62,0xde,0x16,0xa8,0x9d,0xe8,0x46,0x6e,0xf5,0x46,0x0b,0x47,0xb8
719 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
720 (char *)"sha224", 0);
721 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z, sizeof(z));
722 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, other,
724 *p = OSSL_PARAM_construct_end();
727 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SSKDF))
728 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
729 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
731 EVP_KDF_CTX_free(kctx);
735 static int test_kdf_x963(void)
739 OSSL_PARAM params[4], *p = params;
740 unsigned char out[1024 / 8];
742 * Test data from https://csrc.nist.gov/CSRC/media/Projects/
743 * Cryptographic-Algorithm-Validation-Program/documents/components/
744 * 800-135testvectors/ansx963_2001.zip
746 static unsigned char z[] = {
747 0x00, 0xaa, 0x5b, 0xb7, 0x9b, 0x33, 0xe3, 0x89, 0xfa, 0x58, 0xce, 0xad,
748 0xc0, 0x47, 0x19, 0x7f, 0x14, 0xe7, 0x37, 0x12, 0xf4, 0x52, 0xca, 0xa9,
749 0xfc, 0x4c, 0x9a, 0xdb, 0x36, 0x93, 0x48, 0xb8, 0x15, 0x07, 0x39, 0x2f,
750 0x1a, 0x86, 0xdd, 0xfd, 0xb7, 0xc4, 0xff, 0x82, 0x31, 0xc4, 0xbd, 0x0f,
751 0x44, 0xe4, 0x4a, 0x1b, 0x55, 0xb1, 0x40, 0x47, 0x47, 0xa9, 0xe2, 0xe7,
752 0x53, 0xf5, 0x5e, 0xf0, 0x5a, 0x2d
754 static unsigned char shared[] = {
755 0xe3, 0xb5, 0xb4, 0xc1, 0xb0, 0xd5, 0xcf, 0x1d, 0x2b, 0x3a, 0x2f, 0x99,
756 0x37, 0x89, 0x5d, 0x31
758 static const unsigned char expected[sizeof(out)] = {
759 0x44, 0x63, 0xf8, 0x69, 0xf3, 0xcc, 0x18, 0x76, 0x9b, 0x52, 0x26, 0x4b,
760 0x01, 0x12, 0xb5, 0x85, 0x8f, 0x7a, 0xd3, 0x2a, 0x5a, 0x2d, 0x96, 0xd8,
761 0xcf, 0xfa, 0xbf, 0x7f, 0xa7, 0x33, 0x63, 0x3d, 0x6e, 0x4d, 0xd2, 0xa5,
762 0x99, 0xac, 0xce, 0xb3, 0xea, 0x54, 0xa6, 0x21, 0x7c, 0xe0, 0xb5, 0x0e,
763 0xef, 0x4f, 0x6b, 0x40, 0xa5, 0xc3, 0x02, 0x50, 0xa5, 0xa8, 0xee, 0xee,
764 0x20, 0x80, 0x02, 0x26, 0x70, 0x89, 0xdb, 0xf3, 0x51, 0xf3, 0xf5, 0x02,
765 0x2a, 0xa9, 0x63, 0x8b, 0xf1, 0xee, 0x41, 0x9d, 0xea, 0x9c, 0x4f, 0xf7,
766 0x45, 0xa2, 0x5a, 0xc2, 0x7b, 0xda, 0x33, 0xca, 0x08, 0xbd, 0x56, 0xdd,
767 0x1a, 0x59, 0xb4, 0x10, 0x6c, 0xf2, 0xdb, 0xbc, 0x0a, 0xb2, 0xaa, 0x8e,
768 0x2e, 0xfa, 0x7b, 0x17, 0x90, 0x2d, 0x34, 0x27, 0x69, 0x51, 0xce, 0xcc,
769 0xab, 0x87, 0xf9, 0x66, 0x1c, 0x3e, 0x88, 0x16
772 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
773 (char *)"sha512", 0);
774 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z, sizeof(z));
775 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, shared,
777 *p = OSSL_PARAM_construct_end();
780 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_X963KDF))
781 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
782 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
784 EVP_KDF_CTX_free(kctx);
788 #if !defined(OPENSSL_NO_CMAC) && !defined(OPENSSL_NO_CAMELLIA)
790 * KBKDF test vectors from RFC 6803 (Camellia Encryption for Kerberos 5)
793 static int test_kdf_kbkdf_6803_128(void)
797 OSSL_PARAM params[7];
798 static unsigned char input_key[] = {
799 0x57, 0xD0, 0x29, 0x72, 0x98, 0xFF, 0xD9, 0xD3,
800 0x5D, 0xE5, 0xA4, 0x7F, 0xB4, 0xBD, 0xE2, 0x4B,
802 static unsigned char constants[][5] = {
803 { 0x00, 0x00, 0x00, 0x02, 0x99 },
804 { 0x00, 0x00, 0x00, 0x02, 0xaa },
805 { 0x00, 0x00, 0x00, 0x02, 0x55 },
807 static unsigned char outputs[][16] = {
808 {0xD1, 0x55, 0x77, 0x5A, 0x20, 0x9D, 0x05, 0xF0,
809 0x2B, 0x38, 0xD4, 0x2A, 0x38, 0x9E, 0x5A, 0x56},
810 {0x64, 0xDF, 0x83, 0xF8, 0x5A, 0x53, 0x2F, 0x17,
811 0x57, 0x7D, 0x8C, 0x37, 0x03, 0x57, 0x96, 0xAB},
812 {0x3E, 0x4F, 0xBD, 0xF3, 0x0F, 0xB8, 0x25, 0x9C,
813 0x42, 0x5C, 0xB6, 0xC9, 0x6F, 0x1F, 0x46, 0x35}
815 static unsigned char iv[16] = { 0 };
816 unsigned char result[16] = { 0 };
818 for (i = 0; i < 3; i++) {
820 params[p++] = OSSL_PARAM_construct_utf8_string(
821 OSSL_KDF_PARAM_CIPHER, "CAMELLIA-128-CBC", 0);
822 params[p++] = OSSL_PARAM_construct_utf8_string(
823 OSSL_KDF_PARAM_MAC, "CMAC", 0);
824 params[p++] = OSSL_PARAM_construct_utf8_string(
825 OSSL_KDF_PARAM_MODE, "FEEDBACK", 0);
826 params[p++] = OSSL_PARAM_construct_octet_string(
827 OSSL_KDF_PARAM_KEY, input_key, sizeof(input_key));
828 params[p++] = OSSL_PARAM_construct_octet_string(
829 OSSL_KDF_PARAM_SALT, constants[i], sizeof(constants[i]));
830 params[p++] = OSSL_PARAM_construct_octet_string(
831 OSSL_KDF_PARAM_SEED, iv, sizeof(iv));
832 params[p] = OSSL_PARAM_construct_end();
834 kctx = get_kdfbyname("KBKDF");
836 && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result),
838 && TEST_mem_eq(result, sizeof(result), outputs[i],
840 EVP_KDF_CTX_free(kctx);
848 static int test_kdf_kbkdf_6803_256(void)
852 OSSL_PARAM params[7];
853 static unsigned char input_key[] = {
854 0xB9, 0xD6, 0x82, 0x8B, 0x20, 0x56, 0xB7, 0xBE,
855 0x65, 0x6D, 0x88, 0xA1, 0x23, 0xB1, 0xFA, 0xC6,
856 0x82, 0x14, 0xAC, 0x2B, 0x72, 0x7E, 0xCF, 0x5F,
857 0x69, 0xAF, 0xE0, 0xC4, 0xDF, 0x2A, 0x6D, 0x2C,
859 static unsigned char constants[][5] = {
860 { 0x00, 0x00, 0x00, 0x02, 0x99 },
861 { 0x00, 0x00, 0x00, 0x02, 0xaa },
862 { 0x00, 0x00, 0x00, 0x02, 0x55 },
864 static unsigned char outputs[][32] = {
865 {0xE4, 0x67, 0xF9, 0xA9, 0x55, 0x2B, 0xC7, 0xD3,
866 0x15, 0x5A, 0x62, 0x20, 0xAF, 0x9C, 0x19, 0x22,
867 0x0E, 0xEE, 0xD4, 0xFF, 0x78, 0xB0, 0xD1, 0xE6,
868 0xA1, 0x54, 0x49, 0x91, 0x46, 0x1A, 0x9E, 0x50,
870 {0x41, 0x2A, 0xEF, 0xC3, 0x62, 0xA7, 0x28, 0x5F,
871 0xC3, 0x96, 0x6C, 0x6A, 0x51, 0x81, 0xE7, 0x60,
872 0x5A, 0xE6, 0x75, 0x23, 0x5B, 0x6D, 0x54, 0x9F,
873 0xBF, 0xC9, 0xAB, 0x66, 0x30, 0xA4, 0xC6, 0x04,
875 {0xFA, 0x62, 0x4F, 0xA0, 0xE5, 0x23, 0x99, 0x3F,
876 0xA3, 0x88, 0xAE, 0xFD, 0xC6, 0x7E, 0x67, 0xEB,
877 0xCD, 0x8C, 0x08, 0xE8, 0xA0, 0x24, 0x6B, 0x1D,
878 0x73, 0xB0, 0xD1, 0xDD, 0x9F, 0xC5, 0x82, 0xB0,
881 static unsigned char iv[16] = { 0 };
882 unsigned char result[32] = { 0 };
884 for (i = 0; i < 3; i++) {
886 params[p++] = OSSL_PARAM_construct_utf8_string(
887 OSSL_KDF_PARAM_CIPHER, "CAMELLIA-256-CBC", 0);
888 params[p++] = OSSL_PARAM_construct_utf8_string(
889 OSSL_KDF_PARAM_MAC, "CMAC", 0);
890 params[p++] = OSSL_PARAM_construct_utf8_string(
891 OSSL_KDF_PARAM_MODE, "FEEDBACK", 0);
892 params[p++] = OSSL_PARAM_construct_octet_string(
893 OSSL_KDF_PARAM_KEY, input_key, sizeof(input_key));
894 params[p++] = OSSL_PARAM_construct_octet_string(
895 OSSL_KDF_PARAM_SALT, constants[i], sizeof(constants[i]));
896 params[p++] = OSSL_PARAM_construct_octet_string(
897 OSSL_KDF_PARAM_SEED, iv, sizeof(iv));
898 params[p] = OSSL_PARAM_construct_end();
900 kctx = get_kdfbyname("KBKDF");
902 && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result),
904 && TEST_mem_eq(result, sizeof(result), outputs[i],
906 EVP_KDF_CTX_free(kctx);
915 static OSSL_PARAM *construct_kbkdf_params(char *digest, char *mac, unsigned char *key,
916 size_t keylen, char *salt, char *info)
918 OSSL_PARAM *params = OPENSSL_malloc(sizeof(OSSL_PARAM) * 7);
919 OSSL_PARAM *p = params;
924 *p++ = OSSL_PARAM_construct_utf8_string(
925 OSSL_KDF_PARAM_DIGEST, digest, 0);
926 *p++ = OSSL_PARAM_construct_utf8_string(
927 OSSL_KDF_PARAM_MAC, mac, 0);
928 *p++ = OSSL_PARAM_construct_utf8_string(
929 OSSL_KDF_PARAM_MODE, "COUNTER", 0);
930 *p++ = OSSL_PARAM_construct_octet_string(
931 OSSL_KDF_PARAM_KEY, key, keylen);
932 *p++ = OSSL_PARAM_construct_octet_string(
933 OSSL_KDF_PARAM_SALT, salt, strlen(salt));
934 *p++ = OSSL_PARAM_construct_octet_string(
935 OSSL_KDF_PARAM_INFO, info, strlen(info));
936 *p = OSSL_PARAM_construct_end();
941 static int test_kdf_kbkdf_invalid_digest(void)
947 static unsigned char key[] = {0x01};
949 params = construct_kbkdf_params("blah", "HMAC", key, 1, "prf", "test");
950 if (!TEST_ptr(params))
953 /* Negative test case - set_params should fail */
954 kctx = get_kdfbyname("KBKDF");
956 && TEST_false(EVP_KDF_CTX_set_params(kctx, params));
958 EVP_KDF_CTX_free(kctx);
959 OPENSSL_free(params);
963 static int test_kdf_kbkdf_invalid_mac(void)
969 static unsigned char key[] = {0x01};
971 params = construct_kbkdf_params("sha256", "blah", key, 1, "prf", "test");
972 if (!TEST_ptr(params))
975 /* Negative test case - set_params should fail */
976 kctx = get_kdfbyname("KBKDF");
978 && TEST_false(EVP_KDF_CTX_set_params(kctx, params));
980 EVP_KDF_CTX_free(kctx);
981 OPENSSL_free(params);
985 static int test_kdf_kbkdf_empty_key(void)
991 static unsigned char key[] = {0x01};
992 unsigned char result[32] = { 0 };
994 params = construct_kbkdf_params("sha256", "HMAC", key, 0, "prf", "test");
995 if (!TEST_ptr(params))
998 /* Negative test case - derive should fail */
999 kctx = get_kdfbyname("KBKDF");
1000 ret = TEST_ptr(kctx)
1001 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
1002 && TEST_int_eq(EVP_KDF_derive(kctx, result, sizeof(result), NULL), 0);
1004 EVP_KDF_CTX_free(kctx);
1005 OPENSSL_free(params);
1009 static int test_kdf_kbkdf_1byte_key(void)
1015 static unsigned char key[] = {0x01};
1016 unsigned char result[32] = { 0 };
1018 params = construct_kbkdf_params("sha256", "HMAC", key, 1, "prf", "test");
1019 if (!TEST_ptr(params))
1022 kctx = get_kdfbyname("KBKDF");
1023 ret = TEST_ptr(kctx)
1024 && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result), params), 0);
1026 EVP_KDF_CTX_free(kctx);
1027 OPENSSL_free(params);
1031 static int test_kdf_kbkdf_zero_output_size(void)
1037 static unsigned char key[] = {0x01};
1038 unsigned char result[32] = { 0 };
1040 params = construct_kbkdf_params("sha256", "HMAC", key, 1, "prf", "test");
1041 if (!TEST_ptr(params))
1044 /* Negative test case - derive should fail */
1045 kctx = get_kdfbyname("KBKDF");
1046 ret = TEST_ptr(kctx)
1047 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
1048 && TEST_int_eq(EVP_KDF_derive(kctx, result, 0, NULL), 0);
1050 EVP_KDF_CTX_free(kctx);
1051 OPENSSL_free(params);
1055 /* Two test vectors from RFC 8009 (AES Encryption with HMAC-SHA2 for Kerberos
1057 static int test_kdf_kbkdf_8009_prf1(void)
1061 OSSL_PARAM params[6];
1062 char *label = "prf", *digest = "sha256", *prf_input = "test",
1064 static unsigned char input_key[] = {
1065 0x37, 0x05, 0xD9, 0x60, 0x80, 0xC1, 0x77, 0x28,
1066 0xA0, 0xE8, 0x00, 0xEA, 0xB6, 0xE0, 0xD2, 0x3C,
1068 static unsigned char output[] = {
1069 0x9D, 0x18, 0x86, 0x16, 0xF6, 0x38, 0x52, 0xFE,
1070 0x86, 0x91, 0x5B, 0xB8, 0x40, 0xB4, 0xA8, 0x86,
1071 0xFF, 0x3E, 0x6B, 0xB0, 0xF8, 0x19, 0xB4, 0x9B,
1072 0x89, 0x33, 0x93, 0xD3, 0x93, 0x85, 0x42, 0x95,
1074 unsigned char result[sizeof(output)] = { 0 };
1076 params[i++] = OSSL_PARAM_construct_utf8_string(
1077 OSSL_KDF_PARAM_DIGEST, digest, 0);
1078 params[i++] = OSSL_PARAM_construct_utf8_string(
1079 OSSL_KDF_PARAM_MAC, mac, 0);
1080 params[i++] = OSSL_PARAM_construct_octet_string(
1081 OSSL_KDF_PARAM_KEY, input_key, sizeof(input_key));
1082 params[i++] = OSSL_PARAM_construct_octet_string(
1083 OSSL_KDF_PARAM_SALT, label, strlen(label));
1084 params[i++] = OSSL_PARAM_construct_octet_string(
1085 OSSL_KDF_PARAM_INFO, prf_input, strlen(prf_input));
1086 params[i] = OSSL_PARAM_construct_end();
1088 kctx = get_kdfbyname("KBKDF");
1089 ret = TEST_ptr(kctx)
1090 && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result), params), 0)
1091 && TEST_mem_eq(result, sizeof(result), output, sizeof(output));
1093 EVP_KDF_CTX_free(kctx);
1097 static int test_kdf_kbkdf_8009_prf2(void)
1101 OSSL_PARAM params[6];
1102 char *label = "prf", *digest = "sha384", *prf_input = "test",
1104 static unsigned char input_key[] = {
1105 0x6D, 0x40, 0x4D, 0x37, 0xFA, 0xF7, 0x9F, 0x9D,
1106 0xF0, 0xD3, 0x35, 0x68, 0xD3, 0x20, 0x66, 0x98,
1107 0x00, 0xEB, 0x48, 0x36, 0x47, 0x2E, 0xA8, 0xA0,
1108 0x26, 0xD1, 0x6B, 0x71, 0x82, 0x46, 0x0C, 0x52,
1110 static unsigned char output[] = {
1111 0x98, 0x01, 0xF6, 0x9A, 0x36, 0x8C, 0x2B, 0xF6,
1112 0x75, 0xE5, 0x95, 0x21, 0xE1, 0x77, 0xD9, 0xA0,
1113 0x7F, 0x67, 0xEF, 0xE1, 0xCF, 0xDE, 0x8D, 0x3C,
1114 0x8D, 0x6F, 0x6A, 0x02, 0x56, 0xE3, 0xB1, 0x7D,
1115 0xB3, 0xC1, 0xB6, 0x2A, 0xD1, 0xB8, 0x55, 0x33,
1116 0x60, 0xD1, 0x73, 0x67, 0xEB, 0x15, 0x14, 0xD2,
1118 unsigned char result[sizeof(output)] = { 0 };
1120 params[i++] = OSSL_PARAM_construct_utf8_string(
1121 OSSL_KDF_PARAM_DIGEST, digest, 0);
1122 params[i++] = OSSL_PARAM_construct_utf8_string(
1123 OSSL_KDF_PARAM_MAC, mac, 0);
1124 params[i++] = OSSL_PARAM_construct_octet_string(
1125 OSSL_KDF_PARAM_KEY, input_key, sizeof(input_key));
1126 params[i++] = OSSL_PARAM_construct_octet_string(
1127 OSSL_KDF_PARAM_SALT, label, strlen(label));
1128 params[i++] = OSSL_PARAM_construct_octet_string(
1129 OSSL_KDF_PARAM_INFO, prf_input, strlen(prf_input));
1130 params[i] = OSSL_PARAM_construct_end();
1132 kctx = get_kdfbyname("KBKDF");
1133 ret = TEST_ptr(kctx)
1134 && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result), params), 0)
1135 && TEST_mem_eq(result, sizeof(result), output, sizeof(output));
1137 EVP_KDF_CTX_free(kctx);
1141 #if !defined(OPENSSL_NO_CMAC)
1143 * Test vector taken from
1144 * https://csrc.nist.gov/CSRC/media/Projects/
1145 * Cryptographic-Algorithm-Validation-Program/documents/KBKDF800-108/CounterMode.zip
1146 * Note: Only 32 bit counter is supported ([RLEN=32_BITS])
1148 static int test_kdf_kbkdf_fixedinfo(void)
1152 OSSL_PARAM params[8], *p = params;
1153 static char *cipher = "AES128";
1154 static char *mac = "CMAC";
1155 static char *mode = "COUNTER";
1157 int use_separator = 0;
1159 static unsigned char input_key[] = {
1160 0xc1, 0x0b, 0x15, 0x2e, 0x8c, 0x97, 0xb7, 0x7e,
1161 0x18, 0x70, 0x4e, 0x0f, 0x0b, 0xd3, 0x83, 0x05,
1163 static unsigned char fixed_input[] = {
1164 0x98, 0xcd, 0x4c, 0xbb, 0xbe, 0xbe, 0x15, 0xd1,
1165 0x7d, 0xc8, 0x6e, 0x6d, 0xba, 0xd8, 0x00, 0xa2,
1166 0xdc, 0xbd, 0x64, 0xf7, 0xc7, 0xad, 0x0e, 0x78,
1167 0xe9, 0xcf, 0x94, 0xff, 0xdb, 0xa8, 0x9d, 0x03,
1168 0xe9, 0x7e, 0xad, 0xf6, 0xc4, 0xf7, 0xb8, 0x06,
1169 0xca, 0xf5, 0x2a, 0xa3, 0x8f, 0x09, 0xd0, 0xeb,
1170 0x71, 0xd7, 0x1f, 0x49, 0x7b, 0xcc, 0x69, 0x06,
1171 0xb4, 0x8d, 0x36, 0xc4,
1174 static unsigned char output[] = {
1175 0x26, 0xfa, 0xf6, 0x19, 0x08, 0xad, 0x9e, 0xe8,
1176 0x81, 0xb8, 0x30, 0x5c, 0x22, 0x1d, 0xb5, 0x3f,
1178 unsigned char result[sizeof(output)] = { 0 };
1180 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_CIPHER, cipher, 0);
1181 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MAC, mac, 0);
1182 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MODE, mode, 0);
1183 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, input_key,
1185 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO,
1186 fixed_input, sizeof(fixed_input));
1187 *p++ = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_KBKDF_USE_L, &use_l);
1188 *p++ = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_KBKDF_USE_SEPARATOR,
1190 *p = OSSL_PARAM_construct_end();
1192 kctx = get_kdfbyname("KBKDF");
1193 ret = TEST_ptr(kctx)
1194 && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result), params), 0)
1195 && TEST_mem_eq(result, sizeof(result), output, sizeof(output));
1197 EVP_KDF_CTX_free(kctx);
1200 #endif /* OPENSSL_NO_CMAC */
1202 static int test_kdf_ss_hmac(void)
1206 OSSL_PARAM params[6], *p = params;
1207 unsigned char out[16];
1208 static unsigned char z[] = {
1209 0xb7,0x4a,0x14,0x9a,0x16,0x15,0x46,0xf8,0xc2,0x0b,0x06,0xac,0x4e,0xd4
1211 static unsigned char other[] = {
1212 0x34,0x8a,0x37,0xa2,0x7e,0xf1,0x28,0x2f,0x5f,0x02,0x0d,0xcc
1214 static unsigned char salt[] = {
1215 0x36,0x38,0x27,0x1c,0xcd,0x68,0xa2,0x5d,0xc2,0x4e,0xcd,0xdd,0x39,0xef,
1218 static const unsigned char expected[sizeof(out)] = {
1219 0x44,0xf6,0x76,0xe8,0x5c,0x1b,0x1a,0x8b,0xbc,0x3d,0x31,0x92,0x18,0x63,
1223 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MAC,
1224 (char *)OSSL_MAC_NAME_HMAC, 0);
1225 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
1226 (char *)"sha256", 0);
1227 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z, sizeof(z));
1228 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, other,
1230 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT, salt,
1232 *p = OSSL_PARAM_construct_end();
1235 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SSKDF))
1236 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
1237 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
1239 EVP_KDF_CTX_free(kctx);
1243 static int test_kdf_ss_kmac(void)
1247 OSSL_PARAM params[6], *p = params;
1248 unsigned char out[64];
1249 size_t mac_size = 20;
1250 static unsigned char z[] = {
1251 0xb7,0x4a,0x14,0x9a,0x16,0x15,0x46,0xf8,0xc2,0x0b,0x06,0xac,0x4e,0xd4
1253 static unsigned char other[] = {
1254 0x34,0x8a,0x37,0xa2,0x7e,0xf1,0x28,0x2f,0x5f,0x02,0x0d,0xcc
1256 static unsigned char salt[] = {
1257 0x36,0x38,0x27,0x1c,0xcd,0x68,0xa2,0x5d,0xc2,0x4e,0xcd,0xdd,0x39,0xef,
1260 static const unsigned char expected[sizeof(out)] = {
1261 0xe9,0xc1,0x84,0x53,0xa0,0x62,0xb5,0x3b,0xdb,0xfc,0xbb,0x5a,0x34,0xbd,
1262 0xb8,0xe5,0xe7,0x07,0xee,0xbb,0x5d,0xd1,0x34,0x42,0x43,0xd8,0xcf,0xc2,
1263 0xc2,0xe6,0x33,0x2f,0x91,0xbd,0xa5,0x86,0xf3,0x7d,0xe4,0x8a,0x65,0xd4,
1264 0xc5,0x14,0xfd,0xef,0xaa,0x1e,0x67,0x54,0xf3,0x73,0xd2,0x38,0xe1,0x95,
1265 0xae,0x15,0x7e,0x1d,0xe8,0x14,0x98,0x03
1268 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MAC,
1269 (char *)OSSL_MAC_NAME_KMAC128, 0);
1270 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z, sizeof(z));
1271 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, other,
1273 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT, salt,
1275 *p++ = OSSL_PARAM_construct_size_t(OSSL_KDF_PARAM_MAC_SIZE, &mac_size);
1276 *p = OSSL_PARAM_construct_end();
1279 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SSKDF))
1280 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
1281 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
1283 EVP_KDF_CTX_free(kctx);
1287 static int test_kdf_sshkdf(void)
1291 OSSL_PARAM params[6], *p = params;
1292 char kdftype = EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV;
1293 unsigned char out[8];
1294 /* Test data from NIST CAVS 14.1 test vectors */
1295 static unsigned char key[] = {
1296 0x00, 0x00, 0x00, 0x81, 0x00, 0x87, 0x5c, 0x55, 0x1c, 0xef, 0x52, 0x6a,
1297 0x4a, 0x8b, 0xe1, 0xa7, 0xdf, 0x27, 0xe9, 0xed, 0x35, 0x4b, 0xac, 0x9a,
1298 0xfb, 0x71, 0xf5, 0x3d, 0xba, 0xe9, 0x05, 0x67, 0x9d, 0x14, 0xf9, 0xfa,
1299 0xf2, 0x46, 0x9c, 0x53, 0x45, 0x7c, 0xf8, 0x0a, 0x36, 0x6b, 0xe2, 0x78,
1300 0x96, 0x5b, 0xa6, 0x25, 0x52, 0x76, 0xca, 0x2d, 0x9f, 0x4a, 0x97, 0xd2,
1301 0x71, 0xf7, 0x1e, 0x50, 0xd8, 0xa9, 0xec, 0x46, 0x25, 0x3a, 0x6a, 0x90,
1302 0x6a, 0xc2, 0xc5, 0xe4, 0xf4, 0x8b, 0x27, 0xa6, 0x3c, 0xe0, 0x8d, 0x80,
1303 0x39, 0x0a, 0x49, 0x2a, 0xa4, 0x3b, 0xad, 0x9d, 0x88, 0x2c, 0xca, 0xc2,
1304 0x3d, 0xac, 0x88, 0xbc, 0xad, 0xa4, 0xb4, 0xd4, 0x26, 0xa3, 0x62, 0x08,
1305 0x3d, 0xab, 0x65, 0x69, 0xc5, 0x4c, 0x22, 0x4d, 0xd2, 0xd8, 0x76, 0x43,
1306 0xaa, 0x22, 0x76, 0x93, 0xe1, 0x41, 0xad, 0x16, 0x30, 0xce, 0x13, 0x14,
1309 static unsigned char xcghash[] = {
1310 0x0e, 0x68, 0x3f, 0xc8, 0xa9, 0xed, 0x7c, 0x2f, 0xf0, 0x2d, 0xef, 0x23,
1311 0xb2, 0x74, 0x5e, 0xbc, 0x99, 0xb2, 0x67, 0xda, 0xa8, 0x6a, 0x4a, 0xa7,
1312 0x69, 0x72, 0x39, 0x08, 0x82, 0x53, 0xf6, 0x42
1314 static unsigned char sessid[] = {
1315 0x0e, 0x68, 0x3f, 0xc8, 0xa9, 0xed, 0x7c, 0x2f, 0xf0, 0x2d, 0xef, 0x23,
1316 0xb2, 0x74, 0x5e, 0xbc, 0x99, 0xb2, 0x67, 0xda, 0xa8, 0x6a, 0x4a, 0xa7,
1317 0x69, 0x72, 0x39, 0x08, 0x82, 0x53, 0xf6, 0x42
1319 static const unsigned char expected[sizeof(out)] = {
1320 0x41, 0xff, 0x2e, 0xad, 0x16, 0x83, 0xf1, 0xe6
1323 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
1324 (char *)"sha256", 0);
1325 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, key,
1327 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SSHKDF_XCGHASH,
1328 xcghash, sizeof(xcghash));
1329 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SSHKDF_SESSION_ID,
1330 sessid, sizeof(sessid));
1331 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_SSHKDF_TYPE,
1332 &kdftype, sizeof(kdftype));
1333 *p = OSSL_PARAM_construct_end();
1336 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SSHKDF))
1337 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
1338 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
1340 EVP_KDF_CTX_free(kctx);
1344 static int test_kdfs_same( EVP_KDF *kdf1, EVP_KDF *kdf2)
1346 /* Fast path in case the two are the same algorithm pointer */
1350 * Compare their names and providers instead.
1351 * This is necessary in a non-caching build (or a cache flush during fetch)
1352 * because without the algorithm in the cache, fetching it a second time
1353 * will result in a different pointer.
1355 return TEST_ptr_eq(EVP_KDF_get0_provider(kdf1), EVP_KDF_get0_provider(kdf2))
1356 && TEST_str_eq(EVP_KDF_get0_name(kdf1), EVP_KDF_get0_name(kdf2));
1359 static int test_kdf_get_kdf(void)
1361 EVP_KDF *kdf1 = NULL, *kdf2 = NULL;
1365 if (!TEST_ptr(obj = OBJ_nid2obj(NID_id_pbkdf2))
1366 || !TEST_ptr(kdf1 = EVP_KDF_fetch(NULL, OSSL_KDF_NAME_PBKDF2, NULL))
1367 || !TEST_ptr(kdf2 = EVP_KDF_fetch(NULL, OBJ_nid2sn(OBJ_obj2nid(obj)),
1369 || !test_kdfs_same(kdf1, kdf2))
1376 if (!TEST_ptr(kdf1 = EVP_KDF_fetch(NULL, SN_tls1_prf, NULL))
1377 || !TEST_ptr(kdf2 = EVP_KDF_fetch(NULL, LN_tls1_prf, NULL))
1378 || !test_kdfs_same(kdf1, kdf2))
1380 /* kdf1 is re-used below, so don't free it here */
1384 if (!TEST_ptr(kdf2 = EVP_KDF_fetch(NULL, OBJ_nid2sn(NID_tls1_prf), NULL))
1385 || !test_kdfs_same(kdf1, kdf2))
1395 #if !defined(OPENSSL_NO_CMS) && !defined(OPENSSL_NO_DES)
1396 static int test_kdf_x942_asn1(void)
1399 EVP_KDF_CTX *kctx = NULL;
1400 OSSL_PARAM params[4], *p = params;
1401 const char *cek_alg = SN_id_smime_alg_CMS3DESwrap;
1402 unsigned char out[24];
1403 /* RFC2631 Section 2.1.6 Test data */
1404 static unsigned char z[] = {
1405 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,
1406 0x0e,0x0f,0x10,0x11,0x12,0x13
1408 static const unsigned char expected[sizeof(out)] = {
1409 0xa0,0x96,0x61,0x39,0x23,0x76,0xf7,0x04,
1410 0x4d,0x90,0x52,0xa3,0x97,0x88,0x32,0x46,
1411 0xb6,0x7f,0x5f,0x1e,0xf6,0x3e,0xb5,0xfb
1414 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
1416 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z,
1418 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_CEK_ALG,
1419 (char *)cek_alg, 0);
1420 *p = OSSL_PARAM_construct_end();
1423 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_X942KDF_ASN1))
1424 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
1425 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
1427 EVP_KDF_CTX_free(kctx);
1430 #endif /* OPENSSL_NO_CMS */
1432 static int test_kdf_krb5kdf(void)
1436 OSSL_PARAM params[4], *p = params;
1437 unsigned char out[16];
1438 static unsigned char key[] = {
1439 0x42, 0x26, 0x3C, 0x6E, 0x89, 0xF4, 0xFC, 0x28,
1440 0xB8, 0xDF, 0x68, 0xEE, 0x09, 0x79, 0x9F, 0x15
1442 static unsigned char constant[] = {
1443 0x00, 0x00, 0x00, 0x02, 0x99
1445 static const unsigned char expected[sizeof(out)] = {
1446 0x34, 0x28, 0x0A, 0x38, 0x2B, 0xC9, 0x27, 0x69,
1447 0xB2, 0xDA, 0x2F, 0x9E, 0xF0, 0x66, 0x85, 0x4B
1450 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_CIPHER,
1451 (char *)"AES-128-CBC", 0);
1452 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, key,
1454 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_CONSTANT,
1455 constant, sizeof(constant));
1456 *p = OSSL_PARAM_construct_end();
1459 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_KRB5KDF))
1460 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
1461 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
1463 EVP_KDF_CTX_free(kctx);
1467 int setup_tests(void)
1469 ADD_TEST(test_kdf_pbkdf1);
1470 #if !defined(OPENSSL_NO_CMAC) && !defined(OPENSSL_NO_CAMELLIA)
1471 ADD_TEST(test_kdf_kbkdf_6803_128);
1472 ADD_TEST(test_kdf_kbkdf_6803_256);
1474 ADD_TEST(test_kdf_kbkdf_invalid_digest);
1475 ADD_TEST(test_kdf_kbkdf_invalid_mac);
1476 ADD_TEST(test_kdf_kbkdf_zero_output_size);
1477 ADD_TEST(test_kdf_kbkdf_empty_key);
1478 ADD_TEST(test_kdf_kbkdf_1byte_key);
1479 ADD_TEST(test_kdf_kbkdf_8009_prf1);
1480 ADD_TEST(test_kdf_kbkdf_8009_prf2);
1481 #if !defined(OPENSSL_NO_CMAC)
1482 ADD_TEST(test_kdf_kbkdf_fixedinfo);
1484 ADD_TEST(test_kdf_get_kdf);
1485 ADD_TEST(test_kdf_tls1_prf);
1486 ADD_TEST(test_kdf_tls1_prf_invalid_digest);
1487 ADD_TEST(test_kdf_tls1_prf_zero_output_size);
1488 ADD_TEST(test_kdf_tls1_prf_empty_secret);
1489 ADD_TEST(test_kdf_tls1_prf_1byte_secret);
1490 ADD_TEST(test_kdf_tls1_prf_empty_seed);
1491 ADD_TEST(test_kdf_tls1_prf_1byte_seed);
1492 ADD_TEST(test_kdf_hkdf);
1493 ADD_TEST(test_kdf_hkdf_invalid_digest);
1494 ADD_TEST(test_kdf_hkdf_zero_output_size);
1495 ADD_TEST(test_kdf_hkdf_empty_key);
1496 ADD_TEST(test_kdf_hkdf_1byte_key);
1497 ADD_TEST(test_kdf_hkdf_empty_salt);
1498 ADD_TEST(test_kdf_pbkdf2);
1499 ADD_TEST(test_kdf_pbkdf2_small_output);
1500 ADD_TEST(test_kdf_pbkdf2_large_output);
1501 ADD_TEST(test_kdf_pbkdf2_small_salt);
1502 ADD_TEST(test_kdf_pbkdf2_small_iterations);
1503 ADD_TEST(test_kdf_pbkdf2_small_salt_pkcs5);
1504 ADD_TEST(test_kdf_pbkdf2_small_iterations_pkcs5);
1505 ADD_TEST(test_kdf_pbkdf2_invalid_digest);
1506 #ifndef OPENSSL_NO_SCRYPT
1507 ADD_TEST(test_kdf_scrypt);
1509 ADD_TEST(test_kdf_ss_hash);
1510 ADD_TEST(test_kdf_ss_hmac);
1511 ADD_TEST(test_kdf_ss_kmac);
1512 ADD_TEST(test_kdf_sshkdf);
1513 ADD_TEST(test_kdf_x963);
1514 #if !defined(OPENSSL_NO_CMS) && !defined(OPENSSL_NO_DES)
1515 ADD_TEST(test_kdf_x942_asn1);
1517 ADD_TEST(test_kdf_krb5kdf);