2 * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright (c) 2018-2020, Oracle and/or its affiliates. All rights reserved.
5 * Licensed under the Apache License 2.0 (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
11 /* Tests of the EVP_KDF_CTX APIs */
16 #include <openssl/evp.h>
17 #include <openssl/kdf.h>
18 #include <openssl/core_names.h>
19 #include "internal/numbers.h"
23 static EVP_KDF_CTX *get_kdfbyname_libctx(OSSL_LIB_CTX *libctx, const char *name)
25 EVP_KDF *kdf = EVP_KDF_fetch(libctx, name, NULL);
26 EVP_KDF_CTX *kctx = EVP_KDF_CTX_new(kdf);
32 static EVP_KDF_CTX *get_kdfbyname(const char *name)
34 return get_kdfbyname_libctx(NULL, name);
37 static OSSL_PARAM *construct_tls1_prf_params(const char *digest, const char *secret,
40 OSSL_PARAM *params = OPENSSL_malloc(sizeof(OSSL_PARAM) * 4);
41 OSSL_PARAM *p = params;
46 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
48 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SECRET,
49 (unsigned char *)secret,
51 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED,
52 (unsigned char *)seed,
54 *p = OSSL_PARAM_construct_end();
59 static int test_kdf_tls1_prf(void)
62 EVP_KDF_CTX *kctx = NULL;
63 unsigned char out[16];
65 static const unsigned char expected[sizeof(out)] = {
66 0x8e, 0x4d, 0x93, 0x25, 0x30, 0xd7, 0x65, 0xa0,
67 0xaa, 0xe9, 0x74, 0xc3, 0x04, 0x73, 0x5e, 0xcc
70 params = construct_tls1_prf_params("sha256", "secret", "seed");
72 ret = TEST_ptr(params)
73 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
74 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
75 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
77 EVP_KDF_CTX_free(kctx);
82 static int test_kdf_tls1_prf_invalid_digest(void)
85 EVP_KDF_CTX *kctx = NULL;
88 params = construct_tls1_prf_params("blah", "secret", "seed");
90 ret = TEST_ptr(params)
91 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
92 && TEST_false(EVP_KDF_CTX_set_params(kctx, params));
94 EVP_KDF_CTX_free(kctx);
99 static int test_kdf_tls1_prf_zero_output_size(void)
102 EVP_KDF_CTX *kctx = NULL;
103 unsigned char out[16];
106 params = construct_tls1_prf_params("sha256", "secret", "seed");
108 /* Negative test - derive should fail */
109 ret = TEST_ptr(params)
110 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
111 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
112 && TEST_int_eq(EVP_KDF_derive(kctx, out, 0, NULL), 0);
114 EVP_KDF_CTX_free(kctx);
115 OPENSSL_free(params);
119 static int test_kdf_tls1_prf_empty_secret(void)
122 EVP_KDF_CTX *kctx = NULL;
123 unsigned char out[16];
126 params = construct_tls1_prf_params("sha256", "", "seed");
128 ret = TEST_ptr(params)
129 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
130 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0);
132 EVP_KDF_CTX_free(kctx);
133 OPENSSL_free(params);
137 static int test_kdf_tls1_prf_1byte_secret(void)
140 EVP_KDF_CTX *kctx = NULL;
141 unsigned char out[16];
144 params = construct_tls1_prf_params("sha256", "1", "seed");
146 ret = TEST_ptr(params)
147 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
148 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0);
150 EVP_KDF_CTX_free(kctx);
151 OPENSSL_free(params);
155 static int test_kdf_tls1_prf_empty_seed(void)
158 EVP_KDF_CTX *kctx = NULL;
159 unsigned char out[16];
162 params = construct_tls1_prf_params("sha256", "secret", "");
164 /* Negative test - derive should fail */
165 ret = TEST_ptr(params)
166 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
167 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
168 && TEST_int_eq(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0);
170 EVP_KDF_CTX_free(kctx);
171 OPENSSL_free(params);
175 static int test_kdf_tls1_prf_1byte_seed(void)
178 EVP_KDF_CTX *kctx = NULL;
179 unsigned char out[16];
182 params = construct_tls1_prf_params("sha256", "secret", "1");
184 ret = TEST_ptr(params)
185 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
186 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0);
188 EVP_KDF_CTX_free(kctx);
189 OPENSSL_free(params);
193 static OSSL_PARAM *construct_hkdf_params(char *digest, char *key,
194 size_t keylen, char *salt, char *info)
196 OSSL_PARAM *params = OPENSSL_malloc(sizeof(OSSL_PARAM) * 5);
197 OSSL_PARAM *p = params;
203 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
205 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
207 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
208 (unsigned char *)key, keylen);
210 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO,
213 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MODE,
215 *p = OSSL_PARAM_construct_end();
220 static int test_kdf_hkdf(void)
223 EVP_KDF_CTX *kctx = NULL;
224 unsigned char out[10];
226 static const unsigned char expected[sizeof(out)] = {
227 0x2a, 0xc4, 0x36, 0x9f, 0x52, 0x59, 0x96, 0xf8, 0xde, 0x13
230 params = construct_hkdf_params("sha256", "secret", 6, "salt", "label");
232 ret = TEST_ptr(params)
233 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))
234 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
235 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
237 EVP_KDF_CTX_free(kctx);
238 OPENSSL_free(params);
242 static int do_kdf_hkdf_gettables(int expand_only, int has_digest)
247 OSSL_PARAM params_get[2];
248 const OSSL_PARAM *gettables, *p;
249 EVP_KDF_CTX *kctx = NULL;
251 if (!TEST_ptr(params = construct_hkdf_params(
252 has_digest ? "sha256" : NULL,
254 expand_only ? NULL : "label"))
255 || !TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))
256 || !TEST_true(EVP_KDF_CTX_set_params(kctx, params)))
259 /* Check OSSL_KDF_PARAM_SIZE is gettable */
260 if (!TEST_ptr(gettables = EVP_KDF_CTX_gettable_params(kctx))
261 || !TEST_ptr(p = OSSL_PARAM_locate_const(gettables, OSSL_KDF_PARAM_SIZE)))
264 /* Get OSSL_KDF_PARAM_SIZE as a size_t */
265 params_get[0] = OSSL_PARAM_construct_size_t(OSSL_KDF_PARAM_SIZE, &sz);
266 params_get[1] = OSSL_PARAM_construct_end();
268 if (!TEST_int_eq(EVP_KDF_CTX_get_params(kctx, params_get), 1)
269 || !TEST_size_t_eq(sz, expand_only ? SHA256_DIGEST_LENGTH : SIZE_MAX))
272 if (!TEST_int_eq(EVP_KDF_CTX_get_params(kctx, params_get), 0))
276 /* Get params returns -2 if an unsupported parameter is requested */
277 params_get[0] = OSSL_PARAM_construct_end();
278 if (!TEST_int_eq(EVP_KDF_CTX_get_params(kctx, params_get), -2))
282 EVP_KDF_CTX_free(kctx);
283 OPENSSL_free(params);
287 static int test_kdf_hkdf_gettables(void)
289 return do_kdf_hkdf_gettables(0, 1);
292 static int test_kdf_hkdf_gettables_expandonly(void)
294 return do_kdf_hkdf_gettables(1, 1);
297 static int test_kdf_hkdf_gettables_no_digest(void)
299 return do_kdf_hkdf_gettables(1, 0);
302 static int test_kdf_hkdf_invalid_digest(void)
305 EVP_KDF_CTX *kctx = NULL;
308 params = construct_hkdf_params("blah", "secret", 6, "salt", "label");
310 ret = TEST_ptr(params)
311 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))
312 && TEST_false(EVP_KDF_CTX_set_params(kctx, params));
314 EVP_KDF_CTX_free(kctx);
315 OPENSSL_free(params);
319 static int test_kdf_hkdf_derive_set_params_fail(void)
322 EVP_KDF_CTX *kctx = NULL;
323 OSSL_PARAM params[2];
324 unsigned char out[10];
326 if (!TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF)))
329 * Set the wrong type for the digest so that it causes a failure
330 * inside kdf_hkdf_derive() when kdf_hkdf_set_ctx_params() is called
332 params[0] = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_DIGEST, &i);
333 params[1] = OSSL_PARAM_construct_end();
334 if (!TEST_int_eq(EVP_KDF_derive(kctx, out, sizeof(out), params), 0))
338 EVP_KDF_CTX_free(kctx);
342 static int test_kdf_hkdf_set_invalid_mode(void)
344 int ret = 0, bad_mode = 100;
345 EVP_KDF_CTX *kctx = NULL;
346 OSSL_PARAM params[2];
348 if (!TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF)))
350 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MODE,
352 params[1] = OSSL_PARAM_construct_end();
353 if (!TEST_int_eq(EVP_KDF_CTX_set_params(kctx, params), 0))
356 params[0] = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_MODE, &bad_mode);
357 if (!TEST_int_eq(EVP_KDF_CTX_set_params(kctx, params), 0))
362 EVP_KDF_CTX_free(kctx);
366 static int do_kdf_hkdf_set_invalid_param(const char *key, int type)
369 EVP_KDF_CTX *kctx = NULL;
370 OSSL_PARAM params[2];
371 unsigned char buf[2];
373 if (!TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF)))
375 /* Set the wrong type for the key so that it causes a failure */
376 if (type == OSSL_PARAM_UTF8_STRING)
377 params[0] = OSSL_PARAM_construct_utf8_string(key, "BAD", 0);
379 params[0] = OSSL_PARAM_construct_octet_string(key, buf, sizeof(buf));
380 params[1] = OSSL_PARAM_construct_end();
381 if (!TEST_int_eq(EVP_KDF_CTX_set_params(kctx, params), 0))
386 EVP_KDF_CTX_free(kctx);
390 static int test_kdf_hkdf_set_ctx_param_fail(void)
392 return do_kdf_hkdf_set_invalid_param(OSSL_KDF_PARAM_MODE,
393 OSSL_PARAM_OCTET_STRING)
394 && do_kdf_hkdf_set_invalid_param(OSSL_KDF_PARAM_KEY,
395 OSSL_PARAM_UTF8_STRING)
396 && do_kdf_hkdf_set_invalid_param(OSSL_KDF_PARAM_SALT,
397 OSSL_PARAM_UTF8_STRING)
398 && do_kdf_hkdf_set_invalid_param(OSSL_KDF_PARAM_INFO,
399 OSSL_PARAM_UTF8_STRING);
402 static int test_kdf_hkdf_zero_output_size(void)
405 EVP_KDF_CTX *kctx = NULL;
406 unsigned char out[10];
409 params = construct_hkdf_params("sha256", "secret", 6, "salt", "label");
411 /* Negative test - derive should fail */
412 ret = TEST_ptr(params)
413 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))
414 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
415 && TEST_int_eq(EVP_KDF_derive(kctx, out, 0, NULL), 0);
417 EVP_KDF_CTX_free(kctx);
418 OPENSSL_free(params);
422 static int test_kdf_hkdf_empty_key(void)
425 EVP_KDF_CTX *kctx = NULL;
426 unsigned char out[10];
429 params = construct_hkdf_params("sha256", "", 0, "salt", "label");
431 ret = TEST_ptr(params)
432 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))
433 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0);
435 EVP_KDF_CTX_free(kctx);
436 OPENSSL_free(params);
440 static int test_kdf_hkdf_1byte_key(void)
443 EVP_KDF_CTX *kctx = NULL;
444 unsigned char out[10];
447 params = construct_hkdf_params("sha256", "1", 1, "salt", "label");
449 ret = TEST_ptr(params)
450 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))
451 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0);
453 EVP_KDF_CTX_free(kctx);
454 OPENSSL_free(params);
458 static int test_kdf_hkdf_empty_salt(void)
461 EVP_KDF_CTX *kctx = NULL;
462 unsigned char out[10];
465 params = construct_hkdf_params("sha256", "secret", 6, "", "label");
467 ret = TEST_ptr(params)
468 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))
469 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0);
471 EVP_KDF_CTX_free(kctx);
472 OPENSSL_free(params);
476 static OSSL_PARAM *construct_pbkdf1_params(char *pass, char *digest, char *salt,
479 OSSL_PARAM *params = OPENSSL_malloc(sizeof(OSSL_PARAM) * 5);
480 OSSL_PARAM *p = params;
485 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PASSWORD,
486 (unsigned char *)pass, strlen(pass));
487 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
488 (unsigned char *)salt, strlen(salt));
489 *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_ITER, iter);
490 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
492 *p = OSSL_PARAM_construct_end();
497 static int test_kdf_pbkdf1(void)
500 EVP_KDF_CTX *kctx = NULL;
501 unsigned char out[25];
502 unsigned int iterations = 4096;
503 OSSL_LIB_CTX *libctx = NULL;
504 OSSL_PARAM *params = NULL;
505 OSSL_PROVIDER *legacyprov = NULL;
506 OSSL_PROVIDER *defprov = NULL;
507 const unsigned char expected[sizeof(out)] = {
508 0xfb, 0x83, 0x4d, 0x36, 0x6d, 0xbc, 0x53, 0x87, 0x35, 0x1b, 0x34, 0x75,
509 0x95, 0x88, 0x32, 0x4f, 0x3e, 0x82, 0x81, 0x01, 0x21, 0x93, 0x64, 0x00,
513 if (!TEST_ptr(libctx = OSSL_LIB_CTX_new()))
516 /* PBKDF1 only available in the legacy provider */
517 legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
518 if (legacyprov == NULL) {
519 OSSL_LIB_CTX_free(libctx);
520 return TEST_skip("PBKDF1 only available in legacy provider");
523 if (!TEST_ptr(defprov = OSSL_PROVIDER_load(libctx, "default")))
526 params = construct_pbkdf1_params("passwordPASSWORDpassword", "sha256",
527 "saltSALTsaltSALTsaltSALTsaltSALTsalt",
530 if (!TEST_ptr(params)
531 || !TEST_ptr(kctx = get_kdfbyname_libctx(libctx, OSSL_KDF_NAME_PBKDF1))
532 || !TEST_true(EVP_KDF_CTX_set_params(kctx, params))
533 || !TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0)
534 || !TEST_mem_eq(out, sizeof(out), expected, sizeof(expected)))
539 EVP_KDF_CTX_free(kctx);
540 OPENSSL_free(params);
541 OSSL_PROVIDER_unload(defprov);
542 OSSL_PROVIDER_unload(legacyprov);
543 OSSL_LIB_CTX_free(libctx);
547 static OSSL_PARAM *construct_pbkdf2_params(char *pass, char *digest, char *salt,
548 unsigned int *iter, int *mode)
550 OSSL_PARAM *params = OPENSSL_malloc(sizeof(OSSL_PARAM) * 6);
551 OSSL_PARAM *p = params;
556 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PASSWORD,
557 (unsigned char *)pass, strlen(pass));
558 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
559 (unsigned char *)salt, strlen(salt));
560 *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_ITER, iter);
561 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
563 *p++ = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_PKCS5, mode);
564 *p = OSSL_PARAM_construct_end();
569 static int test_kdf_pbkdf2(void)
572 EVP_KDF_CTX *kctx = NULL;
573 unsigned char out[25];
574 unsigned int iterations = 4096;
577 const unsigned char expected[sizeof(out)] = {
578 0x34, 0x8c, 0x89, 0xdb, 0xcb, 0xd3, 0x2b, 0x2f,
579 0x32, 0xd8, 0x14, 0xb8, 0x11, 0x6e, 0x84, 0xcf,
580 0x2b, 0x17, 0x34, 0x7e, 0xbc, 0x18, 0x00, 0x18,
584 params = construct_pbkdf2_params("passwordPASSWORDpassword", "sha256",
585 "saltSALTsaltSALTsaltSALTsaltSALTsalt",
588 if (!TEST_ptr(params)
589 || !TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
590 || !TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
591 || !TEST_mem_eq(out, sizeof(out), expected, sizeof(expected)))
596 EVP_KDF_CTX_free(kctx);
597 OPENSSL_free(params);
601 static int test_kdf_pbkdf2_small_output(void)
604 EVP_KDF_CTX *kctx = NULL;
605 unsigned char out[25];
606 unsigned int iterations = 4096;
610 params = construct_pbkdf2_params("passwordPASSWORDpassword", "sha256",
611 "saltSALTsaltSALTsaltSALTsaltSALTsalt",
614 if (!TEST_ptr(params)
615 || !TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
616 || !TEST_true(EVP_KDF_CTX_set_params(kctx, params))
617 /* A key length that is too small should fail */
618 || !TEST_int_eq(EVP_KDF_derive(kctx, out, 112 / 8 - 1, NULL), 0))
623 EVP_KDF_CTX_free(kctx);
624 OPENSSL_free(params);
628 static int test_kdf_pbkdf2_large_output(void)
631 EVP_KDF_CTX *kctx = NULL;
632 unsigned char out[25];
634 unsigned int iterations = 4096;
638 if (sizeof(len) > 32)
641 params = construct_pbkdf2_params("passwordPASSWORDpassword", "sha256",
642 "saltSALTsaltSALTsaltSALTsaltSALTsalt",
645 if (!TEST_ptr(params)
646 || !TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
647 /* A key length that is too large should fail */
648 || !TEST_true(EVP_KDF_CTX_set_params(kctx, params))
649 || (len != 0 && !TEST_int_eq(EVP_KDF_derive(kctx, out, len, NULL), 0)))
654 EVP_KDF_CTX_free(kctx);
655 OPENSSL_free(params);
659 static int test_kdf_pbkdf2_small_salt(void)
662 EVP_KDF_CTX *kctx = NULL;
663 unsigned int iterations = 4096;
667 params = construct_pbkdf2_params("passwordPASSWORDpassword", "sha256",
671 if (!TEST_ptr(params)
672 || !TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
673 /* A salt that is too small should fail */
674 || !TEST_false(EVP_KDF_CTX_set_params(kctx, params)))
679 EVP_KDF_CTX_free(kctx);
680 OPENSSL_free(params);
684 static int test_kdf_pbkdf2_small_iterations(void)
687 EVP_KDF_CTX *kctx = NULL;
688 unsigned int iterations = 1;
692 params = construct_pbkdf2_params("passwordPASSWORDpassword", "sha256",
693 "saltSALTsaltSALTsaltSALTsaltSALTsalt",
696 if (!TEST_ptr(params)
697 || !TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
698 /* An iteration count that is too small should fail */
699 || !TEST_false(EVP_KDF_CTX_set_params(kctx, params)))
704 EVP_KDF_CTX_free(kctx);
705 OPENSSL_free(params);
709 static int test_kdf_pbkdf2_small_salt_pkcs5(void)
712 EVP_KDF_CTX *kctx = NULL;
713 unsigned char out[25];
714 unsigned int iterations = 4096;
717 OSSL_PARAM mode_params[2];
719 params = construct_pbkdf2_params("passwordPASSWORDpassword", "sha256",
723 if (!TEST_ptr(params)
724 || !TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
725 /* A salt that is too small should pass in pkcs5 mode */
726 || !TEST_true(EVP_KDF_CTX_set_params(kctx, params))
727 || !TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0))
731 mode_params[0] = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_PKCS5, &mode);
732 mode_params[1] = OSSL_PARAM_construct_end();
734 /* If the "pkcs5" mode is disabled then the derive will now fail */
735 if (!TEST_true(EVP_KDF_CTX_set_params(kctx, mode_params))
736 || !TEST_int_eq(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0))
741 EVP_KDF_CTX_free(kctx);
742 OPENSSL_free(params);
746 static int test_kdf_pbkdf2_small_iterations_pkcs5(void)
749 EVP_KDF_CTX *kctx = NULL;
750 unsigned char out[25];
751 unsigned int iterations = 1;
754 OSSL_PARAM mode_params[2];
756 params = construct_pbkdf2_params("passwordPASSWORDpassword", "sha256",
757 "saltSALTsaltSALTsaltSALTsaltSALTsalt",
760 if (!TEST_ptr(params)
761 || !TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
762 /* An iteration count that is too small will pass in pkcs5 mode */
763 || !TEST_true(EVP_KDF_CTX_set_params(kctx, params))
764 || !TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0))
768 mode_params[0] = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_PKCS5, &mode);
769 mode_params[1] = OSSL_PARAM_construct_end();
771 /* If the "pkcs5" mode is disabled then the derive will now fail */
772 if (!TEST_true(EVP_KDF_CTX_set_params(kctx, mode_params))
773 || !TEST_int_eq(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0))
778 EVP_KDF_CTX_free(kctx);
779 OPENSSL_free(params);
783 static int test_kdf_pbkdf2_invalid_digest(void)
786 EVP_KDF_CTX *kctx = NULL;
787 unsigned int iterations = 4096;
791 params = construct_pbkdf2_params("passwordPASSWORDpassword", "blah",
792 "saltSALTsaltSALTsaltSALTsaltSALTsalt",
795 if (!TEST_ptr(params)
796 || !TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
797 /* Unknown digest should fail */
798 || !TEST_false(EVP_KDF_CTX_set_params(kctx, params)))
803 EVP_KDF_CTX_free(kctx);
804 OPENSSL_free(params);
808 #ifndef OPENSSL_NO_SCRYPT
809 static int test_kdf_scrypt(void)
813 OSSL_PARAM params[7], *p = params;
814 unsigned char out[64];
815 unsigned int nu = 1024, ru = 8, pu = 16, maxmem = 16;
816 static const unsigned char expected[sizeof(out)] = {
817 0xfd, 0xba, 0xbe, 0x1c, 0x9d, 0x34, 0x72, 0x00,
818 0x78, 0x56, 0xe7, 0x19, 0x0d, 0x01, 0xe9, 0xfe,
819 0x7c, 0x6a, 0xd7, 0xcb, 0xc8, 0x23, 0x78, 0x30,
820 0xe7, 0x73, 0x76, 0x63, 0x4b, 0x37, 0x31, 0x62,
821 0x2e, 0xaf, 0x30, 0xd9, 0x2e, 0x22, 0xa3, 0x88,
822 0x6f, 0xf1, 0x09, 0x27, 0x9d, 0x98, 0x30, 0xda,
823 0xc7, 0x27, 0xaf, 0xb9, 0x4a, 0x83, 0xee, 0x6d,
824 0x83, 0x60, 0xcb, 0xdf, 0xa2, 0xcc, 0x06, 0x40
827 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PASSWORD,
828 (char *)"password", 8);
829 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
831 *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_SCRYPT_N, &nu);
832 *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_SCRYPT_R, &ru);
833 *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_SCRYPT_P, &pu);
834 *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_SCRYPT_MAXMEM, &maxmem);
835 *p = OSSL_PARAM_construct_end();
838 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SCRYPT))
839 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
841 && TEST_int_le(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0)*/
842 && TEST_true(OSSL_PARAM_set_uint(p - 1, 10 * 1024 * 1024))
843 && TEST_true(EVP_KDF_CTX_set_params(kctx, p - 1))
844 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0)
845 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
847 EVP_KDF_CTX_free(kctx);
850 #endif /* OPENSSL_NO_SCRYPT */
852 static int test_kdf_ss_hash(void)
856 OSSL_PARAM params[4], *p = params;
857 unsigned char out[14];
858 static unsigned char z[] = {
859 0x6d,0xbd,0xc2,0x3f,0x04,0x54,0x88,0xe4,0x06,0x27,0x57,0xb0,0x6b,0x9e,
860 0xba,0xe1,0x83,0xfc,0x5a,0x59,0x46,0xd8,0x0d,0xb9,0x3f,0xec,0x6f,0x62,
861 0xec,0x07,0xe3,0x72,0x7f,0x01,0x26,0xae,0xd1,0x2c,0xe4,0xb2,0x62,0xf4,
862 0x7d,0x48,0xd5,0x42,0x87,0xf8,0x1d,0x47,0x4c,0x7c,0x3b,0x18,0x50,0xe9
864 static unsigned char other[] = {
865 0xa1,0xb2,0xc3,0xd4,0xe5,0x43,0x41,0x56,0x53,0x69,0x64,0x3c,0x83,0x2e,
866 0x98,0x49,0xdc,0xdb,0xa7,0x1e,0x9a,0x31,0x39,0xe6,0x06,0xe0,0x95,0xde,
867 0x3c,0x26,0x4a,0x66,0xe9,0x8a,0x16,0x58,0x54,0xcd,0x07,0x98,0x9b,0x1e,
868 0xe0,0xec,0x3f,0x8d,0xbe
870 static const unsigned char expected[sizeof(out)] = {
871 0xa4,0x62,0xde,0x16,0xa8,0x9d,0xe8,0x46,0x6e,0xf5,0x46,0x0b,0x47,0xb8
874 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
875 (char *)"sha224", 0);
876 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z, sizeof(z));
877 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, other,
879 *p = OSSL_PARAM_construct_end();
882 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SSKDF))
883 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
884 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
886 EVP_KDF_CTX_free(kctx);
890 static int test_kdf_x963(void)
894 OSSL_PARAM params[4], *p = params;
895 unsigned char out[1024 / 8];
897 * Test data from https://csrc.nist.gov/CSRC/media/Projects/
898 * Cryptographic-Algorithm-Validation-Program/documents/components/
899 * 800-135testvectors/ansx963_2001.zip
901 static unsigned char z[] = {
902 0x00, 0xaa, 0x5b, 0xb7, 0x9b, 0x33, 0xe3, 0x89, 0xfa, 0x58, 0xce, 0xad,
903 0xc0, 0x47, 0x19, 0x7f, 0x14, 0xe7, 0x37, 0x12, 0xf4, 0x52, 0xca, 0xa9,
904 0xfc, 0x4c, 0x9a, 0xdb, 0x36, 0x93, 0x48, 0xb8, 0x15, 0x07, 0x39, 0x2f,
905 0x1a, 0x86, 0xdd, 0xfd, 0xb7, 0xc4, 0xff, 0x82, 0x31, 0xc4, 0xbd, 0x0f,
906 0x44, 0xe4, 0x4a, 0x1b, 0x55, 0xb1, 0x40, 0x47, 0x47, 0xa9, 0xe2, 0xe7,
907 0x53, 0xf5, 0x5e, 0xf0, 0x5a, 0x2d
909 static unsigned char shared[] = {
910 0xe3, 0xb5, 0xb4, 0xc1, 0xb0, 0xd5, 0xcf, 0x1d, 0x2b, 0x3a, 0x2f, 0x99,
911 0x37, 0x89, 0x5d, 0x31
913 static const unsigned char expected[sizeof(out)] = {
914 0x44, 0x63, 0xf8, 0x69, 0xf3, 0xcc, 0x18, 0x76, 0x9b, 0x52, 0x26, 0x4b,
915 0x01, 0x12, 0xb5, 0x85, 0x8f, 0x7a, 0xd3, 0x2a, 0x5a, 0x2d, 0x96, 0xd8,
916 0xcf, 0xfa, 0xbf, 0x7f, 0xa7, 0x33, 0x63, 0x3d, 0x6e, 0x4d, 0xd2, 0xa5,
917 0x99, 0xac, 0xce, 0xb3, 0xea, 0x54, 0xa6, 0x21, 0x7c, 0xe0, 0xb5, 0x0e,
918 0xef, 0x4f, 0x6b, 0x40, 0xa5, 0xc3, 0x02, 0x50, 0xa5, 0xa8, 0xee, 0xee,
919 0x20, 0x80, 0x02, 0x26, 0x70, 0x89, 0xdb, 0xf3, 0x51, 0xf3, 0xf5, 0x02,
920 0x2a, 0xa9, 0x63, 0x8b, 0xf1, 0xee, 0x41, 0x9d, 0xea, 0x9c, 0x4f, 0xf7,
921 0x45, 0xa2, 0x5a, 0xc2, 0x7b, 0xda, 0x33, 0xca, 0x08, 0xbd, 0x56, 0xdd,
922 0x1a, 0x59, 0xb4, 0x10, 0x6c, 0xf2, 0xdb, 0xbc, 0x0a, 0xb2, 0xaa, 0x8e,
923 0x2e, 0xfa, 0x7b, 0x17, 0x90, 0x2d, 0x34, 0x27, 0x69, 0x51, 0xce, 0xcc,
924 0xab, 0x87, 0xf9, 0x66, 0x1c, 0x3e, 0x88, 0x16
927 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
928 (char *)"sha512", 0);
929 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z, sizeof(z));
930 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, shared,
932 *p = OSSL_PARAM_construct_end();
935 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_X963KDF))
936 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
937 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
939 EVP_KDF_CTX_free(kctx);
943 #if !defined(OPENSSL_NO_CMAC) && !defined(OPENSSL_NO_CAMELLIA)
945 * KBKDF test vectors from RFC 6803 (Camellia Encryption for Kerberos 5)
948 static int test_kdf_kbkdf_6803_128(void)
952 OSSL_PARAM params[7];
953 static unsigned char input_key[] = {
954 0x57, 0xD0, 0x29, 0x72, 0x98, 0xFF, 0xD9, 0xD3,
955 0x5D, 0xE5, 0xA4, 0x7F, 0xB4, 0xBD, 0xE2, 0x4B,
957 static unsigned char constants[][5] = {
958 { 0x00, 0x00, 0x00, 0x02, 0x99 },
959 { 0x00, 0x00, 0x00, 0x02, 0xaa },
960 { 0x00, 0x00, 0x00, 0x02, 0x55 },
962 static unsigned char outputs[][16] = {
963 {0xD1, 0x55, 0x77, 0x5A, 0x20, 0x9D, 0x05, 0xF0,
964 0x2B, 0x38, 0xD4, 0x2A, 0x38, 0x9E, 0x5A, 0x56},
965 {0x64, 0xDF, 0x83, 0xF8, 0x5A, 0x53, 0x2F, 0x17,
966 0x57, 0x7D, 0x8C, 0x37, 0x03, 0x57, 0x96, 0xAB},
967 {0x3E, 0x4F, 0xBD, 0xF3, 0x0F, 0xB8, 0x25, 0x9C,
968 0x42, 0x5C, 0xB6, 0xC9, 0x6F, 0x1F, 0x46, 0x35}
970 static unsigned char iv[16] = { 0 };
971 unsigned char result[16] = { 0 };
973 for (i = 0; i < 3; i++) {
975 params[p++] = OSSL_PARAM_construct_utf8_string(
976 OSSL_KDF_PARAM_CIPHER, "CAMELLIA-128-CBC", 0);
977 params[p++] = OSSL_PARAM_construct_utf8_string(
978 OSSL_KDF_PARAM_MAC, "CMAC", 0);
979 params[p++] = OSSL_PARAM_construct_utf8_string(
980 OSSL_KDF_PARAM_MODE, "FEEDBACK", 0);
981 params[p++] = OSSL_PARAM_construct_octet_string(
982 OSSL_KDF_PARAM_KEY, input_key, sizeof(input_key));
983 params[p++] = OSSL_PARAM_construct_octet_string(
984 OSSL_KDF_PARAM_SALT, constants[i], sizeof(constants[i]));
985 params[p++] = OSSL_PARAM_construct_octet_string(
986 OSSL_KDF_PARAM_SEED, iv, sizeof(iv));
987 params[p] = OSSL_PARAM_construct_end();
989 kctx = get_kdfbyname("KBKDF");
991 && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result),
993 && TEST_mem_eq(result, sizeof(result), outputs[i],
995 EVP_KDF_CTX_free(kctx);
1003 static int test_kdf_kbkdf_6803_256(void)
1007 OSSL_PARAM params[7];
1008 static unsigned char input_key[] = {
1009 0xB9, 0xD6, 0x82, 0x8B, 0x20, 0x56, 0xB7, 0xBE,
1010 0x65, 0x6D, 0x88, 0xA1, 0x23, 0xB1, 0xFA, 0xC6,
1011 0x82, 0x14, 0xAC, 0x2B, 0x72, 0x7E, 0xCF, 0x5F,
1012 0x69, 0xAF, 0xE0, 0xC4, 0xDF, 0x2A, 0x6D, 0x2C,
1014 static unsigned char constants[][5] = {
1015 { 0x00, 0x00, 0x00, 0x02, 0x99 },
1016 { 0x00, 0x00, 0x00, 0x02, 0xaa },
1017 { 0x00, 0x00, 0x00, 0x02, 0x55 },
1019 static unsigned char outputs[][32] = {
1020 {0xE4, 0x67, 0xF9, 0xA9, 0x55, 0x2B, 0xC7, 0xD3,
1021 0x15, 0x5A, 0x62, 0x20, 0xAF, 0x9C, 0x19, 0x22,
1022 0x0E, 0xEE, 0xD4, 0xFF, 0x78, 0xB0, 0xD1, 0xE6,
1023 0xA1, 0x54, 0x49, 0x91, 0x46, 0x1A, 0x9E, 0x50,
1025 {0x41, 0x2A, 0xEF, 0xC3, 0x62, 0xA7, 0x28, 0x5F,
1026 0xC3, 0x96, 0x6C, 0x6A, 0x51, 0x81, 0xE7, 0x60,
1027 0x5A, 0xE6, 0x75, 0x23, 0x5B, 0x6D, 0x54, 0x9F,
1028 0xBF, 0xC9, 0xAB, 0x66, 0x30, 0xA4, 0xC6, 0x04,
1030 {0xFA, 0x62, 0x4F, 0xA0, 0xE5, 0x23, 0x99, 0x3F,
1031 0xA3, 0x88, 0xAE, 0xFD, 0xC6, 0x7E, 0x67, 0xEB,
1032 0xCD, 0x8C, 0x08, 0xE8, 0xA0, 0x24, 0x6B, 0x1D,
1033 0x73, 0xB0, 0xD1, 0xDD, 0x9F, 0xC5, 0x82, 0xB0,
1036 static unsigned char iv[16] = { 0 };
1037 unsigned char result[32] = { 0 };
1039 for (i = 0; i < 3; i++) {
1041 params[p++] = OSSL_PARAM_construct_utf8_string(
1042 OSSL_KDF_PARAM_CIPHER, "CAMELLIA-256-CBC", 0);
1043 params[p++] = OSSL_PARAM_construct_utf8_string(
1044 OSSL_KDF_PARAM_MAC, "CMAC", 0);
1045 params[p++] = OSSL_PARAM_construct_utf8_string(
1046 OSSL_KDF_PARAM_MODE, "FEEDBACK", 0);
1047 params[p++] = OSSL_PARAM_construct_octet_string(
1048 OSSL_KDF_PARAM_KEY, input_key, sizeof(input_key));
1049 params[p++] = OSSL_PARAM_construct_octet_string(
1050 OSSL_KDF_PARAM_SALT, constants[i], sizeof(constants[i]));
1051 params[p++] = OSSL_PARAM_construct_octet_string(
1052 OSSL_KDF_PARAM_SEED, iv, sizeof(iv));
1053 params[p] = OSSL_PARAM_construct_end();
1055 kctx = get_kdfbyname("KBKDF");
1056 ret = TEST_ptr(kctx)
1057 && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result),
1059 && TEST_mem_eq(result, sizeof(result), outputs[i],
1060 sizeof(outputs[i]));
1061 EVP_KDF_CTX_free(kctx);
1070 static OSSL_PARAM *construct_kbkdf_params(char *digest, char *mac, unsigned char *key,
1071 size_t keylen, char *salt, char *info, int *r)
1073 OSSL_PARAM *params = OPENSSL_malloc(sizeof(OSSL_PARAM) * 8);
1074 OSSL_PARAM *p = params;
1079 *p++ = OSSL_PARAM_construct_utf8_string(
1080 OSSL_KDF_PARAM_DIGEST, digest, 0);
1081 *p++ = OSSL_PARAM_construct_utf8_string(
1082 OSSL_KDF_PARAM_MAC, mac, 0);
1083 *p++ = OSSL_PARAM_construct_utf8_string(
1084 OSSL_KDF_PARAM_MODE, "COUNTER", 0);
1085 *p++ = OSSL_PARAM_construct_octet_string(
1086 OSSL_KDF_PARAM_KEY, key, keylen);
1087 *p++ = OSSL_PARAM_construct_octet_string(
1088 OSSL_KDF_PARAM_SALT, salt, strlen(salt));
1089 *p++ = OSSL_PARAM_construct_octet_string(
1090 OSSL_KDF_PARAM_INFO, info, strlen(info));
1091 *p++ = OSSL_PARAM_construct_int(
1092 OSSL_KDF_PARAM_KBKDF_R, r);
1093 *p = OSSL_PARAM_construct_end();
1098 static int test_kdf_kbkdf_invalid_digest(void)
1104 static unsigned char key[] = {0x01};
1107 params = construct_kbkdf_params("blah", "HMAC", key, 1, "prf", "test", &r);
1108 if (!TEST_ptr(params))
1111 /* Negative test case - set_params should fail */
1112 kctx = get_kdfbyname("KBKDF");
1113 ret = TEST_ptr(kctx)
1114 && TEST_false(EVP_KDF_CTX_set_params(kctx, params));
1116 EVP_KDF_CTX_free(kctx);
1117 OPENSSL_free(params);
1121 static int test_kdf_kbkdf_invalid_mac(void)
1127 static unsigned char key[] = {0x01};
1130 params = construct_kbkdf_params("sha256", "blah", key, 1, "prf", "test", &r);
1131 if (!TEST_ptr(params))
1134 /* Negative test case - set_params should fail */
1135 kctx = get_kdfbyname("KBKDF");
1136 ret = TEST_ptr(kctx)
1137 && TEST_false(EVP_KDF_CTX_set_params(kctx, params));
1139 EVP_KDF_CTX_free(kctx);
1140 OPENSSL_free(params);
1144 static int test_kdf_kbkdf_invalid_r(void)
1150 static unsigned char key[] = {0x01};
1153 params = construct_kbkdf_params("sha256", "HMAC", key, 1, "prf", "test", &r);
1154 if (!TEST_ptr(params))
1157 /* Negative test case - derive should fail */
1158 kctx = get_kdfbyname("KBKDF");
1159 ret = TEST_ptr(kctx)
1160 && TEST_false(EVP_KDF_CTX_set_params(kctx, params));
1162 EVP_KDF_CTX_free(kctx);
1163 OPENSSL_free(params);
1168 static int test_kdf_kbkdf_empty_key(void)
1174 static unsigned char key[] = {0x01};
1175 unsigned char result[32] = { 0 };
1178 params = construct_kbkdf_params("sha256", "HMAC", key, 0, "prf", "test", &r);
1179 if (!TEST_ptr(params))
1182 /* Negative test case - derive should fail */
1183 kctx = get_kdfbyname("KBKDF");
1184 ret = TEST_ptr(kctx)
1185 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
1186 && TEST_int_eq(EVP_KDF_derive(kctx, result, sizeof(result), NULL), 0);
1188 EVP_KDF_CTX_free(kctx);
1189 OPENSSL_free(params);
1193 static int test_kdf_kbkdf_1byte_key(void)
1199 static unsigned char key[] = {0x01};
1200 unsigned char result[32] = { 0 };
1203 params = construct_kbkdf_params("sha256", "HMAC", key, 1, "prf", "test", &r);
1204 if (!TEST_ptr(params))
1207 kctx = get_kdfbyname("KBKDF");
1208 ret = TEST_ptr(kctx)
1209 && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result), params), 0);
1211 EVP_KDF_CTX_free(kctx);
1212 OPENSSL_free(params);
1216 static int test_kdf_kbkdf_zero_output_size(void)
1222 static unsigned char key[] = {0x01};
1223 unsigned char result[32] = { 0 };
1226 params = construct_kbkdf_params("sha256", "HMAC", key, 1, "prf", "test", &r);
1227 if (!TEST_ptr(params))
1230 /* Negative test case - derive should fail */
1231 kctx = get_kdfbyname("KBKDF");
1232 ret = TEST_ptr(kctx)
1233 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
1234 && TEST_int_eq(EVP_KDF_derive(kctx, result, 0, NULL), 0);
1236 EVP_KDF_CTX_free(kctx);
1237 OPENSSL_free(params);
1241 /* Two test vectors from RFC 8009 (AES Encryption with HMAC-SHA2 for Kerberos
1243 static int test_kdf_kbkdf_8009_prf1(void)
1247 OSSL_PARAM params[6];
1248 char *label = "prf", *digest = "sha256", *prf_input = "test",
1250 static unsigned char input_key[] = {
1251 0x37, 0x05, 0xD9, 0x60, 0x80, 0xC1, 0x77, 0x28,
1252 0xA0, 0xE8, 0x00, 0xEA, 0xB6, 0xE0, 0xD2, 0x3C,
1254 static unsigned char output[] = {
1255 0x9D, 0x18, 0x86, 0x16, 0xF6, 0x38, 0x52, 0xFE,
1256 0x86, 0x91, 0x5B, 0xB8, 0x40, 0xB4, 0xA8, 0x86,
1257 0xFF, 0x3E, 0x6B, 0xB0, 0xF8, 0x19, 0xB4, 0x9B,
1258 0x89, 0x33, 0x93, 0xD3, 0x93, 0x85, 0x42, 0x95,
1260 unsigned char result[sizeof(output)] = { 0 };
1262 params[i++] = OSSL_PARAM_construct_utf8_string(
1263 OSSL_KDF_PARAM_DIGEST, digest, 0);
1264 params[i++] = OSSL_PARAM_construct_utf8_string(
1265 OSSL_KDF_PARAM_MAC, mac, 0);
1266 params[i++] = OSSL_PARAM_construct_octet_string(
1267 OSSL_KDF_PARAM_KEY, input_key, sizeof(input_key));
1268 params[i++] = OSSL_PARAM_construct_octet_string(
1269 OSSL_KDF_PARAM_SALT, label, strlen(label));
1270 params[i++] = OSSL_PARAM_construct_octet_string(
1271 OSSL_KDF_PARAM_INFO, prf_input, strlen(prf_input));
1272 params[i] = OSSL_PARAM_construct_end();
1274 kctx = get_kdfbyname("KBKDF");
1275 ret = TEST_ptr(kctx)
1276 && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result), params), 0)
1277 && TEST_mem_eq(result, sizeof(result), output, sizeof(output));
1279 EVP_KDF_CTX_free(kctx);
1283 static int test_kdf_kbkdf_8009_prf2(void)
1287 OSSL_PARAM params[6];
1288 char *label = "prf", *digest = "sha384", *prf_input = "test",
1290 static unsigned char input_key[] = {
1291 0x6D, 0x40, 0x4D, 0x37, 0xFA, 0xF7, 0x9F, 0x9D,
1292 0xF0, 0xD3, 0x35, 0x68, 0xD3, 0x20, 0x66, 0x98,
1293 0x00, 0xEB, 0x48, 0x36, 0x47, 0x2E, 0xA8, 0xA0,
1294 0x26, 0xD1, 0x6B, 0x71, 0x82, 0x46, 0x0C, 0x52,
1296 static unsigned char output[] = {
1297 0x98, 0x01, 0xF6, 0x9A, 0x36, 0x8C, 0x2B, 0xF6,
1298 0x75, 0xE5, 0x95, 0x21, 0xE1, 0x77, 0xD9, 0xA0,
1299 0x7F, 0x67, 0xEF, 0xE1, 0xCF, 0xDE, 0x8D, 0x3C,
1300 0x8D, 0x6F, 0x6A, 0x02, 0x56, 0xE3, 0xB1, 0x7D,
1301 0xB3, 0xC1, 0xB6, 0x2A, 0xD1, 0xB8, 0x55, 0x33,
1302 0x60, 0xD1, 0x73, 0x67, 0xEB, 0x15, 0x14, 0xD2,
1304 unsigned char result[sizeof(output)] = { 0 };
1306 params[i++] = OSSL_PARAM_construct_utf8_string(
1307 OSSL_KDF_PARAM_DIGEST, digest, 0);
1308 params[i++] = OSSL_PARAM_construct_utf8_string(
1309 OSSL_KDF_PARAM_MAC, mac, 0);
1310 params[i++] = OSSL_PARAM_construct_octet_string(
1311 OSSL_KDF_PARAM_KEY, input_key, sizeof(input_key));
1312 params[i++] = OSSL_PARAM_construct_octet_string(
1313 OSSL_KDF_PARAM_SALT, label, strlen(label));
1314 params[i++] = OSSL_PARAM_construct_octet_string(
1315 OSSL_KDF_PARAM_INFO, prf_input, strlen(prf_input));
1316 params[i] = OSSL_PARAM_construct_end();
1318 kctx = get_kdfbyname("KBKDF");
1319 ret = TEST_ptr(kctx)
1320 && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result), params), 0)
1321 && TEST_mem_eq(result, sizeof(result), output, sizeof(output));
1323 EVP_KDF_CTX_free(kctx);
1327 #if !defined(OPENSSL_NO_CMAC)
1329 * Test vector taken from
1330 * https://csrc.nist.gov/CSRC/media/Projects/
1331 * Cryptographic-Algorithm-Validation-Program/documents/KBKDF800-108/CounterMode.zip
1333 static int test_kdf_kbkdf_fixedinfo(void)
1337 OSSL_PARAM params[8], *p = params;
1338 static char *cipher = "AES128";
1339 static char *mac = "CMAC";
1340 static char *mode = "COUNTER";
1342 int use_separator = 0;
1344 static unsigned char input_key[] = {
1345 0xc1, 0x0b, 0x15, 0x2e, 0x8c, 0x97, 0xb7, 0x7e,
1346 0x18, 0x70, 0x4e, 0x0f, 0x0b, 0xd3, 0x83, 0x05,
1348 static unsigned char fixed_input[] = {
1349 0x98, 0xcd, 0x4c, 0xbb, 0xbe, 0xbe, 0x15, 0xd1,
1350 0x7d, 0xc8, 0x6e, 0x6d, 0xba, 0xd8, 0x00, 0xa2,
1351 0xdc, 0xbd, 0x64, 0xf7, 0xc7, 0xad, 0x0e, 0x78,
1352 0xe9, 0xcf, 0x94, 0xff, 0xdb, 0xa8, 0x9d, 0x03,
1353 0xe9, 0x7e, 0xad, 0xf6, 0xc4, 0xf7, 0xb8, 0x06,
1354 0xca, 0xf5, 0x2a, 0xa3, 0x8f, 0x09, 0xd0, 0xeb,
1355 0x71, 0xd7, 0x1f, 0x49, 0x7b, 0xcc, 0x69, 0x06,
1356 0xb4, 0x8d, 0x36, 0xc4,
1359 static unsigned char output[] = {
1360 0x26, 0xfa, 0xf6, 0x19, 0x08, 0xad, 0x9e, 0xe8,
1361 0x81, 0xb8, 0x30, 0x5c, 0x22, 0x1d, 0xb5, 0x3f,
1363 unsigned char result[sizeof(output)] = { 0 };
1365 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_CIPHER, cipher, 0);
1366 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MAC, mac, 0);
1367 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MODE, mode, 0);
1368 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, input_key,
1370 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO,
1371 fixed_input, sizeof(fixed_input));
1372 *p++ = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_KBKDF_USE_L, &use_l);
1373 *p++ = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_KBKDF_USE_SEPARATOR,
1375 *p = OSSL_PARAM_construct_end();
1377 kctx = get_kdfbyname("KBKDF");
1378 ret = TEST_ptr(kctx)
1379 && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result), params), 0)
1380 && TEST_mem_eq(result, sizeof(result), output, sizeof(output));
1382 EVP_KDF_CTX_free(kctx);
1385 #endif /* OPENSSL_NO_CMAC */
1387 static int test_kdf_kbkdf_kmac(void)
1391 OSSL_PARAM params[5], *p = params;
1392 static char *mac = "KMAC256";
1394 static unsigned char input_key[] = {
1395 0xDD, 0x81, 0xEF, 0xC8, 0x2C, 0xDD, 0xEC, 0x51,
1396 0xC4, 0x09, 0xBD, 0x8C, 0xCB, 0xAF, 0x94, 0xF6,
1397 0x5F, 0xFA, 0x7B, 0x92, 0xF1, 0x11, 0xF9, 0x40,
1398 0x2B, 0x0D, 0x6A, 0xE0, 0x5E, 0x44, 0x92, 0x34,
1399 0xF0, 0x3B, 0xBA, 0xF5, 0x4F, 0xEF, 0x19, 0x45,
1402 static unsigned char context[] = {
1403 0x81, 0xA1, 0xFE, 0x39, 0x91, 0xEE, 0x3F, 0xD3,
1404 0x90, 0x4E, 0x82, 0xE6, 0x13, 0x20, 0xEC, 0x6B,
1405 0x6E, 0x14, 0x0B, 0xBA, 0x95, 0x5D, 0x0B, 0x52,
1406 0x8E, 0x27, 0x67, 0xB3, 0xE0, 0x77, 0x05, 0x15,
1407 0xBD, 0x78, 0xF6, 0xE8, 0x8A, 0x7D, 0x9B, 0x08,
1408 0x20, 0x0F, 0xE9, 0x8D, 0xD6, 0x24, 0x67, 0xE2,
1409 0xCC, 0x6D, 0x42, 0xE6, 0x60, 0x50, 0x20, 0x77,
1410 0x89, 0x89, 0xB7, 0x2D, 0xF7, 0x5F, 0xE2, 0x79,
1411 0xDB, 0x58, 0x0B, 0x7B, 0x02, 0xB9, 0xD9, 0xB0,
1412 0xFA, 0x6B, 0x0B, 0xB6, 0xD4, 0x95, 0xDB, 0x46,
1413 0x55, 0x5F, 0x12, 0xC3, 0xF0, 0xE0, 0x6E, 0xC8,
1414 0xF4, 0xF8, 0xA1, 0x64, 0x2E, 0x96, 0x74, 0x2B,
1415 0xC6, 0xBD, 0x22, 0xB1, 0x6A, 0xBC, 0x41, 0xDF,
1416 0x30, 0x32, 0xC7, 0xCE, 0x18, 0x14, 0x70, 0x2A,
1417 0xED, 0xE5, 0xC4, 0x6B, 0x8A, 0xA8, 0x36, 0xFD,
1418 0x0A, 0x76, 0x38, 0x44, 0x98, 0x0A, 0xE3, 0xC2,
1419 0x3A, 0x24, 0xCB, 0x45, 0xBF, 0xC9, 0x2C, 0x19,
1420 0xCB, 0x9D, 0x6C, 0x27, 0xDE, 0x78, 0x3E, 0x2C,
1421 0x3D, 0x39, 0x6E, 0x11, 0x59, 0xAE, 0x4F, 0x91,
1422 0x03, 0xE2, 0x7B, 0x97, 0xD6, 0x0C, 0x7D, 0x9D,
1423 0x5A, 0xA5, 0x47, 0x57, 0x41, 0xAD, 0x64, 0x5B,
1424 0xF7, 0x1D, 0x1A, 0xDA, 0x3A, 0x39, 0xDF, 0x85,
1425 0x0D, 0x0F, 0x50, 0x15, 0xA7, 0x3D, 0x68, 0x81,
1426 0x7B, 0x0D, 0xF2, 0x24, 0x24, 0x23, 0x37, 0xE5,
1427 0x77, 0xA6, 0x61, 0xBE, 0xFE, 0x4B, 0x3B, 0x8E,
1428 0x4F, 0x15, 0x4F, 0xC1, 0x30, 0xCB, 0x9E, 0xF5,
1429 0x06, 0x9F, 0xBB, 0x0E, 0xF2, 0xF4, 0x43, 0xBB,
1430 0x64, 0x45, 0xA3, 0x7D, 0x3B, 0xB4, 0x70, 0x47,
1431 0xDF, 0x4A, 0xA5, 0xD9, 0x2F, 0xE6, 0x25, 0xC8,
1432 0x1D, 0x43, 0x0A, 0xEA, 0xF9, 0xCC, 0xC7, 0x1F,
1433 0x8A, 0x2D, 0xD8, 0x95, 0x6B, 0x16, 0x30, 0x1D,
1434 0x80, 0x90, 0xA4, 0x23, 0x14, 0x59, 0xD1, 0x5A,
1435 0x00, 0x48, 0x8D, 0xF7, 0xEA, 0x29, 0x23, 0xDF,
1436 0x35, 0x26, 0x25, 0x22, 0x12, 0xC4, 0x4C, 0x09,
1437 0x69, 0xB8, 0xD6, 0x0C, 0x0E, 0x71, 0x90, 0x6C,
1438 0x42, 0x90, 0x02, 0x53, 0xC5, 0x5A, 0xEF, 0x42,
1439 0x66, 0x1D, 0xAF, 0x45, 0xD5, 0x31, 0xD7, 0x61,
1440 0x3A, 0xE6, 0x06, 0xFB, 0x83, 0x72, 0xAD, 0x82,
1441 0xE3, 0x6A, 0x7E, 0x03, 0x9B, 0x37, 0x77, 0xAF,
1442 0x8D, 0x63, 0x28, 0xC2, 0x8A, 0x5E, 0xC6, 0x3B,
1443 0x22, 0xA8, 0x94, 0xC0, 0x46, 0x2F, 0x73, 0xE7,
1444 0xBB, 0x72, 0x44, 0x85, 0x20, 0x1D, 0xD0, 0x6A,
1445 0x52, 0x8C, 0xB1, 0x8B, 0x96, 0x11, 0xEB, 0xFB,
1446 0xDD, 0xF5, 0x74, 0x49, 0x19, 0x93, 0xD3, 0x7F,
1447 0x6C, 0x27, 0x19, 0x54, 0xDD, 0x00, 0x0F, 0x95,
1448 0xF6, 0x14, 0x15, 0x87, 0x32, 0x54, 0xA5, 0x02,
1449 0xAD, 0x41, 0x55, 0x5E, 0xDD, 0x32, 0x62, 0x3B,
1450 0xFC, 0x71, 0xC1, 0x56, 0xC4, 0x6A, 0xFC, 0xD0,
1451 0xF9, 0x77, 0xDA, 0xC5, 0x20, 0x7D, 0xAC, 0xA8,
1452 0xEB, 0x8F, 0xBE, 0xF9, 0x4D, 0xE8, 0x6D, 0x9E,
1453 0x4C, 0x39, 0xB3, 0x15, 0x63, 0xCD, 0xF6, 0x46,
1454 0xEC, 0x3A, 0xD2, 0x89, 0xA9, 0xFA, 0x24, 0xB4,
1455 0x0E, 0x62, 0x6F, 0x9F, 0xF3, 0xF1, 0x3C, 0x61,
1456 0x57, 0xB9, 0x2C, 0xD4, 0x78, 0x4F, 0x76, 0xCF,
1457 0xFB, 0x6A, 0x51, 0xE8, 0x1E, 0x0A, 0x33, 0x69,
1458 0x16, 0xCD, 0xB7, 0x5C, 0xDF, 0x03, 0x62, 0x17,
1459 0x63, 0x37, 0x49, 0xC3, 0xB7, 0x68, 0x09, 0x9E,
1460 0x22, 0xD2, 0x20, 0x96, 0x37, 0x0D, 0x13, 0xA4,
1461 0x96, 0xB1, 0x8D, 0x0B, 0x12, 0x87, 0xEB, 0x57,
1462 0x25, 0x27, 0x08, 0xFC, 0x90, 0x5E, 0x33, 0x77,
1463 0x50, 0x63, 0xE1, 0x8C, 0xF4, 0x0C, 0x80, 0x89,
1464 0x76, 0x63, 0x70, 0x0A, 0x61, 0x59, 0x90, 0x1F,
1465 0xC9, 0x47, 0xBA, 0x12, 0x7B, 0xB2, 0x7A, 0x44,
1466 0xC3, 0x3D, 0xD0, 0x38, 0xF1, 0x7F, 0x02, 0x92
1468 static unsigned char label[] = {
1469 0xA5, 0xDE, 0x2A, 0x0A, 0xF0, 0xDA, 0x59, 0x04,
1470 0xCC, 0xFF, 0x50, 0xD3, 0xA5, 0xD2, 0xDE, 0xA3,
1471 0x33, 0xC0, 0x27, 0xED, 0xDC, 0x6A, 0x54, 0x54,
1472 0x95, 0x78, 0x74, 0x0D, 0xE7, 0xB7, 0x92, 0xD6,
1473 0x64, 0xD5, 0xFB, 0x1F, 0x0F, 0x87, 0xFD, 0x65,
1474 0x79, 0x8B, 0x81, 0x83, 0x95, 0x40, 0x7A, 0x19,
1475 0x8D, 0xCA, 0xE0, 0x4A, 0x93, 0xA8
1477 static unsigned char output[] = {
1478 0xB5, 0x61, 0xE3, 0x7D, 0x06, 0xD5, 0x34, 0x80,
1479 0x74, 0x61, 0x16, 0x08, 0x6F, 0x89, 0x6F, 0xB1,
1480 0x43, 0xAF, 0x61, 0x28, 0x93, 0xD8, 0xDF, 0xF6,
1481 0xB6, 0x23, 0x43, 0x68, 0xE4, 0x84, 0xF3, 0xED,
1482 0x50, 0xB6, 0x81, 0x6D, 0x50, 0xF4, 0xAF, 0xF2,
1483 0xA5, 0x50, 0x7E, 0x25, 0xBF, 0x05, 0xBE, 0xE7,
1484 0x07, 0xB0, 0x95, 0xC3, 0x04, 0x38, 0xB4, 0xF9,
1485 0xC1, 0x1E, 0x96, 0x08, 0xF4, 0xC9, 0x05, 0x54,
1486 0x4A, 0xB6, 0x81, 0x92, 0x5B, 0x34, 0x8A, 0x45,
1487 0xDD, 0x7D, 0x98, 0x51, 0x1F, 0xD9, 0x90, 0x23,
1488 0x59, 0x97, 0xA2, 0x4E, 0x43, 0x49, 0xEB, 0x4E,
1489 0x86, 0xEC, 0x20, 0x3C, 0x31, 0xFF, 0x49, 0x55,
1490 0x49, 0xF5, 0xF5, 0x16, 0x79, 0xD9, 0x1C, 0x8E,
1491 0x6E, 0xB3, 0x1C, 0xAF, 0xC8, 0xAB, 0x3A, 0x5A,
1492 0xCE, 0xB1, 0xBD, 0x59, 0x69, 0xEE, 0xC0, 0x28,
1493 0x3E, 0x94, 0xD2, 0xCC, 0x91, 0x93, 0x73, 0x6A,
1494 0xD6, 0xB6, 0xC1, 0x42, 0x97, 0xB1, 0x13, 0xCF,
1495 0xF9, 0x55, 0x35, 0x50, 0xFC, 0x86, 0x75, 0x98,
1496 0x9F, 0xFC, 0x96, 0xB1, 0x43, 0x41, 0x8F, 0xFC,
1497 0x31, 0x09, 0x3B, 0x35, 0x22, 0x7B, 0x01, 0x96,
1498 0xA7, 0xF0, 0x78, 0x7B, 0x57, 0x00, 0xF2, 0xE5,
1499 0x92, 0x36, 0xCE, 0x64, 0xFD, 0x65, 0x09, 0xD8,
1500 0xBC, 0x5C, 0x82, 0x5C, 0x4C, 0x62, 0x5B, 0xCE,
1501 0x09, 0xB6, 0xCF, 0x4D, 0xAD, 0x8E, 0xDD, 0x96,
1502 0xB0, 0xCA, 0x52, 0xC1, 0xF4, 0x17, 0x0E, 0x2D,
1503 0x4E, 0xC3, 0xF9, 0x89, 0x1A, 0x24, 0x3D, 0x01,
1504 0xC8, 0x05, 0xBF, 0x7D, 0x2A, 0x46, 0xCD, 0x9A,
1505 0x66, 0xEE, 0x05, 0x78, 0x88, 0x2A, 0xEF, 0x37,
1506 0x9E, 0x72, 0x55, 0xDA, 0x82, 0x7A, 0x9B, 0xE8,
1507 0xF7, 0xA6, 0x74, 0xB8, 0x74, 0x39, 0x03, 0xE8,
1508 0xB9, 0x1F, 0x97, 0x78, 0xB9, 0xD9, 0x37, 0x16,
1509 0xFD, 0x2F, 0x31, 0xDE, 0xCC, 0x06, 0xD6, 0x5A,
1510 0xEB, 0xD1, 0xBB, 0x84, 0x30, 0x16, 0x81, 0xB0,
1511 0x7E, 0x04, 0x8C, 0x06, 0x67, 0xD1, 0x8A, 0x07,
1512 0x33, 0x76, 0x42, 0x8E, 0x87, 0xAB, 0x90, 0x6F,
1513 0x08, 0xED, 0x8D, 0xE8, 0xD0, 0x20, 0x00, 0x7E,
1514 0x3C, 0x4D, 0xA4, 0x40, 0x37, 0x13, 0x0F, 0x00,
1515 0x0C, 0xB7, 0x26, 0x03, 0x93, 0xD0, 0xBB, 0x08,
1516 0xD3, 0xCC, 0xA9, 0x28, 0xC2
1518 unsigned char result[sizeof(output)] = { 0 };
1520 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MAC, mac, 0);
1521 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
1522 input_key, sizeof(input_key));
1523 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO,
1524 context, sizeof(context));
1525 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
1526 label, sizeof(label));
1527 *p = OSSL_PARAM_construct_end();
1529 kctx = get_kdfbyname("KBKDF");
1530 ret = TEST_ptr(kctx)
1531 && TEST_size_t_eq(EVP_KDF_CTX_get_kdf_size(kctx), SIZE_MAX)
1532 && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result), params), 0)
1533 && TEST_mem_eq(result, sizeof(result), output, sizeof(output));
1535 EVP_KDF_CTX_free(kctx);
1539 static int test_kdf_ss_hmac(void)
1543 OSSL_PARAM params[6], *p = params;
1544 unsigned char out[16];
1545 static unsigned char z[] = {
1546 0xb7,0x4a,0x14,0x9a,0x16,0x15,0x46,0xf8,0xc2,0x0b,0x06,0xac,0x4e,0xd4
1548 static unsigned char other[] = {
1549 0x34,0x8a,0x37,0xa2,0x7e,0xf1,0x28,0x2f,0x5f,0x02,0x0d,0xcc
1551 static unsigned char salt[] = {
1552 0x36,0x38,0x27,0x1c,0xcd,0x68,0xa2,0x5d,0xc2,0x4e,0xcd,0xdd,0x39,0xef,
1555 static const unsigned char expected[sizeof(out)] = {
1556 0x44,0xf6,0x76,0xe8,0x5c,0x1b,0x1a,0x8b,0xbc,0x3d,0x31,0x92,0x18,0x63,
1560 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MAC,
1561 (char *)OSSL_MAC_NAME_HMAC, 0);
1562 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
1563 (char *)"sha256", 0);
1564 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z, sizeof(z));
1565 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, other,
1567 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT, salt,
1569 *p = OSSL_PARAM_construct_end();
1572 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SSKDF))
1573 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
1574 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
1576 EVP_KDF_CTX_free(kctx);
1580 static int test_kdf_ss_kmac(void)
1584 OSSL_PARAM params[7], *p = params;
1585 unsigned char out[64];
1586 size_t mac_size = 20;
1587 static unsigned char z[] = {
1588 0xb7,0x4a,0x14,0x9a,0x16,0x15,0x46,0xf8,0xc2,0x0b,0x06,0xac,0x4e,0xd4
1590 static unsigned char other[] = {
1591 0x34,0x8a,0x37,0xa2,0x7e,0xf1,0x28,0x2f,0x5f,0x02,0x0d,0xcc
1593 static unsigned char salt[] = {
1594 0x36,0x38,0x27,0x1c,0xcd,0x68,0xa2,0x5d,0xc2,0x4e,0xcd,0xdd,0x39,0xef,
1597 static const unsigned char expected[sizeof(out)] = {
1598 0xe9,0xc1,0x84,0x53,0xa0,0x62,0xb5,0x3b,0xdb,0xfc,0xbb,0x5a,0x34,0xbd,
1599 0xb8,0xe5,0xe7,0x07,0xee,0xbb,0x5d,0xd1,0x34,0x42,0x43,0xd8,0xcf,0xc2,
1600 0xc2,0xe6,0x33,0x2f,0x91,0xbd,0xa5,0x86,0xf3,0x7d,0xe4,0x8a,0x65,0xd4,
1601 0xc5,0x14,0xfd,0xef,0xaa,0x1e,0x67,0x54,0xf3,0x73,0xd2,0x38,0xe1,0x95,
1602 0xae,0x15,0x7e,0x1d,0xe8,0x14,0x98,0x03
1605 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MAC,
1606 (char *)OSSL_MAC_NAME_KMAC128, 0);
1607 /* The digest parameter is not needed here and should be ignored */
1608 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
1609 (char *)"SHA256", 0);
1610 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z, sizeof(z));
1611 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, other,
1613 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT, salt,
1615 *p++ = OSSL_PARAM_construct_size_t(OSSL_KDF_PARAM_MAC_SIZE, &mac_size);
1616 *p = OSSL_PARAM_construct_end();
1619 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SSKDF))
1620 && TEST_size_t_eq(EVP_KDF_CTX_get_kdf_size(kctx), 0)
1621 && TEST_int_eq(EVP_KDF_CTX_set_params(kctx, params), 1)
1622 /* The bug fix for KMAC returning SIZE_MAX was added in 3.0.8 */
1623 && (fips_provider_version_lt(NULL, 3, 0, 8)
1624 || TEST_size_t_eq(EVP_KDF_CTX_get_kdf_size(kctx), SIZE_MAX))
1625 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0)
1626 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
1628 EVP_KDF_CTX_free(kctx);
1632 static int test_kdf_sshkdf(void)
1636 OSSL_PARAM params[6], *p = params;
1637 char kdftype = EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV;
1638 unsigned char out[8];
1639 /* Test data from NIST CAVS 14.1 test vectors */
1640 static unsigned char key[] = {
1641 0x00, 0x00, 0x00, 0x81, 0x00, 0x87, 0x5c, 0x55, 0x1c, 0xef, 0x52, 0x6a,
1642 0x4a, 0x8b, 0xe1, 0xa7, 0xdf, 0x27, 0xe9, 0xed, 0x35, 0x4b, 0xac, 0x9a,
1643 0xfb, 0x71, 0xf5, 0x3d, 0xba, 0xe9, 0x05, 0x67, 0x9d, 0x14, 0xf9, 0xfa,
1644 0xf2, 0x46, 0x9c, 0x53, 0x45, 0x7c, 0xf8, 0x0a, 0x36, 0x6b, 0xe2, 0x78,
1645 0x96, 0x5b, 0xa6, 0x25, 0x52, 0x76, 0xca, 0x2d, 0x9f, 0x4a, 0x97, 0xd2,
1646 0x71, 0xf7, 0x1e, 0x50, 0xd8, 0xa9, 0xec, 0x46, 0x25, 0x3a, 0x6a, 0x90,
1647 0x6a, 0xc2, 0xc5, 0xe4, 0xf4, 0x8b, 0x27, 0xa6, 0x3c, 0xe0, 0x8d, 0x80,
1648 0x39, 0x0a, 0x49, 0x2a, 0xa4, 0x3b, 0xad, 0x9d, 0x88, 0x2c, 0xca, 0xc2,
1649 0x3d, 0xac, 0x88, 0xbc, 0xad, 0xa4, 0xb4, 0xd4, 0x26, 0xa3, 0x62, 0x08,
1650 0x3d, 0xab, 0x65, 0x69, 0xc5, 0x4c, 0x22, 0x4d, 0xd2, 0xd8, 0x76, 0x43,
1651 0xaa, 0x22, 0x76, 0x93, 0xe1, 0x41, 0xad, 0x16, 0x30, 0xce, 0x13, 0x14,
1654 static unsigned char xcghash[] = {
1655 0x0e, 0x68, 0x3f, 0xc8, 0xa9, 0xed, 0x7c, 0x2f, 0xf0, 0x2d, 0xef, 0x23,
1656 0xb2, 0x74, 0x5e, 0xbc, 0x99, 0xb2, 0x67, 0xda, 0xa8, 0x6a, 0x4a, 0xa7,
1657 0x69, 0x72, 0x39, 0x08, 0x82, 0x53, 0xf6, 0x42
1659 static unsigned char sessid[] = {
1660 0x0e, 0x68, 0x3f, 0xc8, 0xa9, 0xed, 0x7c, 0x2f, 0xf0, 0x2d, 0xef, 0x23,
1661 0xb2, 0x74, 0x5e, 0xbc, 0x99, 0xb2, 0x67, 0xda, 0xa8, 0x6a, 0x4a, 0xa7,
1662 0x69, 0x72, 0x39, 0x08, 0x82, 0x53, 0xf6, 0x42
1664 static const unsigned char expected[sizeof(out)] = {
1665 0x41, 0xff, 0x2e, 0xad, 0x16, 0x83, 0xf1, 0xe6
1668 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
1669 (char *)"sha256", 0);
1670 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, key,
1672 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SSHKDF_XCGHASH,
1673 xcghash, sizeof(xcghash));
1674 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SSHKDF_SESSION_ID,
1675 sessid, sizeof(sessid));
1676 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_SSHKDF_TYPE,
1677 &kdftype, sizeof(kdftype));
1678 *p = OSSL_PARAM_construct_end();
1681 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SSHKDF))
1682 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
1683 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
1685 EVP_KDF_CTX_free(kctx);
1689 static int test_kdfs_same(EVP_KDF *kdf1, EVP_KDF *kdf2)
1691 /* Fast path in case the two are the same algorithm pointer */
1695 * Compare their names and providers instead.
1696 * This is necessary in a non-caching build (or a cache flush during fetch)
1697 * because without the algorithm in the cache, fetching it a second time
1698 * will result in a different pointer.
1700 return TEST_ptr_eq(EVP_KDF_get0_provider(kdf1), EVP_KDF_get0_provider(kdf2))
1701 && TEST_str_eq(EVP_KDF_get0_name(kdf1), EVP_KDF_get0_name(kdf2));
1704 static int test_kdf_get_kdf(void)
1706 EVP_KDF *kdf1 = NULL, *kdf2 = NULL;
1710 if (!TEST_ptr(obj = OBJ_nid2obj(NID_id_pbkdf2))
1711 || !TEST_ptr(kdf1 = EVP_KDF_fetch(NULL, OSSL_KDF_NAME_PBKDF2, NULL))
1712 || !TEST_ptr(kdf2 = EVP_KDF_fetch(NULL, OBJ_nid2sn(OBJ_obj2nid(obj)),
1714 || !test_kdfs_same(kdf1, kdf2))
1721 if (!TEST_ptr(kdf1 = EVP_KDF_fetch(NULL, SN_tls1_prf, NULL))
1722 || !TEST_ptr(kdf2 = EVP_KDF_fetch(NULL, LN_tls1_prf, NULL))
1723 || !test_kdfs_same(kdf1, kdf2))
1725 /* kdf1 is re-used below, so don't free it here */
1729 if (!TEST_ptr(kdf2 = EVP_KDF_fetch(NULL, OBJ_nid2sn(NID_tls1_prf), NULL))
1730 || !test_kdfs_same(kdf1, kdf2))
1740 #if !defined(OPENSSL_NO_CMS) && !defined(OPENSSL_NO_DES)
1741 static int test_kdf_x942_asn1(void)
1744 EVP_KDF_CTX *kctx = NULL;
1745 OSSL_PARAM params[4], *p = params;
1746 const char *cek_alg = SN_id_smime_alg_CMS3DESwrap;
1747 unsigned char out[24];
1748 /* RFC2631 Section 2.1.6 Test data */
1749 static unsigned char z[] = {
1750 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,
1751 0x0e,0x0f,0x10,0x11,0x12,0x13
1753 static const unsigned char expected[sizeof(out)] = {
1754 0xa0,0x96,0x61,0x39,0x23,0x76,0xf7,0x04,
1755 0x4d,0x90,0x52,0xa3,0x97,0x88,0x32,0x46,
1756 0xb6,0x7f,0x5f,0x1e,0xf6,0x3e,0xb5,0xfb
1759 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
1761 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z,
1763 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_CEK_ALG,
1764 (char *)cek_alg, 0);
1765 *p = OSSL_PARAM_construct_end();
1768 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_X942KDF_ASN1))
1769 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
1770 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
1772 EVP_KDF_CTX_free(kctx);
1775 #endif /* OPENSSL_NO_CMS */
1777 static int test_kdf_krb5kdf(void)
1781 OSSL_PARAM params[4], *p = params;
1782 unsigned char out[16];
1783 static unsigned char key[] = {
1784 0x42, 0x26, 0x3C, 0x6E, 0x89, 0xF4, 0xFC, 0x28,
1785 0xB8, 0xDF, 0x68, 0xEE, 0x09, 0x79, 0x9F, 0x15
1787 static unsigned char constant[] = {
1788 0x00, 0x00, 0x00, 0x02, 0x99
1790 static const unsigned char expected[sizeof(out)] = {
1791 0x34, 0x28, 0x0A, 0x38, 0x2B, 0xC9, 0x27, 0x69,
1792 0xB2, 0xDA, 0x2F, 0x9E, 0xF0, 0x66, 0x85, 0x4B
1795 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_CIPHER,
1796 (char *)"AES-128-CBC", 0);
1797 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, key,
1799 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_CONSTANT,
1800 constant, sizeof(constant));
1801 *p = OSSL_PARAM_construct_end();
1804 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_KRB5KDF))
1805 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
1806 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
1808 EVP_KDF_CTX_free(kctx);
1812 static int test_kdf_hmac_drbg_settables(void)
1814 int ret = 0, i = 0, j = 0;
1815 EVP_KDF_CTX *kctx = NULL;
1816 const OSSL_PARAM *settableparams;
1817 OSSL_PARAM params[5];
1818 static const unsigned char ent[32] = { 0 };
1819 unsigned char out[32];
1820 char digestname[32];
1822 EVP_MD *shake256 = NULL;
1824 /* Test there are settables */
1825 if (!TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HMACDRBGKDF))
1826 || !TEST_ptr(settableparams = EVP_KDF_CTX_settable_params(kctx)))
1829 /* Fail if no params have been set when doing a derive */
1830 if (!TEST_int_le(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0))
1833 /* Fail if we pass the wrong type for params */
1834 params[1] = OSSL_PARAM_construct_end();
1835 for (i = 0; settableparams[i].key != NULL; ++i) {
1836 /* Skip "properties" key since it returns 1 unless the digest is also set */
1837 if (OPENSSL_strcasecmp(settableparams[i].key,
1838 OSSL_KDF_PARAM_PROPERTIES) != 0) {
1839 TEST_note("Testing set int into %s fails", settableparams[i].key);
1840 params[0] = OSSL_PARAM_construct_int(settableparams[i].key, &j);
1841 if (!TEST_int_le(EVP_KDF_CTX_set_params(kctx, params), 0))
1845 /* Test that we can set values multiple times */
1846 params[0] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_HMACDRBG_ENTROPY,
1847 (char *)ent, sizeof(ent));
1848 params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_HMACDRBG_NONCE,
1849 (char *)ent, sizeof(ent));
1850 params[2] = OSSL_PARAM_construct_utf8_string(OSSL_ALG_PARAM_DIGEST, "SHA256",
1852 params[3] = OSSL_PARAM_construct_utf8_string(OSSL_ALG_PARAM_PROPERTIES, "",
1854 params[4] = OSSL_PARAM_construct_end();
1855 if (!TEST_int_eq(EVP_KDF_CTX_set_params(kctx, params), 1))
1857 if (!TEST_int_eq(EVP_KDF_CTX_set_params(kctx, params), 1))
1859 /* Test we can retrieve values back */
1860 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_ALG_PARAM_DIGEST,
1861 digestname, sizeof(digestname));
1862 params[1] = OSSL_PARAM_construct_utf8_string(OSSL_ALG_PARAM_MAC,
1863 macname, sizeof(macname));
1864 params[2] = OSSL_PARAM_construct_end();
1865 if (!TEST_int_eq(EVP_KDF_CTX_get_params(kctx, params), 1)
1866 || !TEST_mem_eq(digestname, params[0].return_size, "SHA2-256", 8)
1867 || !TEST_mem_eq(macname, params[1].return_size, "HMAC", 4))
1870 /* Test the derive */
1871 if (!TEST_int_eq(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 1))
1874 /* test that XOF digests are not allowed */
1875 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_ALG_PARAM_DIGEST,
1877 params[1] = OSSL_PARAM_construct_end();
1878 if (!TEST_int_le(EVP_KDF_CTX_set_params(kctx, params), 0))
1883 EVP_MD_free(shake256);
1884 EVP_KDF_CTX_free(kctx);
1888 static int test_kdf_hmac_drbg_gettables(void)
1890 int ret = 0, i, j = 0;
1891 EVP_KDF_CTX *kctx = NULL;
1892 const OSSL_PARAM *gettableparams;
1893 OSSL_PARAM params[3];
1896 /* Test there are gettables */
1897 if (!TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HMACDRBGKDF))
1898 || !TEST_ptr(gettableparams = EVP_KDF_CTX_gettable_params(kctx)))
1900 /* Fail if we pass the wrong type for params */
1901 params[1] = OSSL_PARAM_construct_end();
1902 for (i = 0; gettableparams[i].key != NULL; ++i) {
1903 params[0] = OSSL_PARAM_construct_int(gettableparams[i].key, &j);
1904 if (!TEST_int_le(EVP_KDF_CTX_get_params(kctx, params), 0))
1907 /* fail to get params if they are not set yet */
1908 for (i = 0; gettableparams[i].key != NULL; ++i) {
1909 params[0] = OSSL_PARAM_construct_utf8_string(gettableparams[i].key,
1911 if (!TEST_int_le(EVP_KDF_CTX_get_params(kctx, params), 0))
1916 EVP_KDF_CTX_free(kctx);
1920 int setup_tests(void)
1922 ADD_TEST(test_kdf_pbkdf1);
1923 #if !defined(OPENSSL_NO_CMAC) && !defined(OPENSSL_NO_CAMELLIA)
1924 ADD_TEST(test_kdf_kbkdf_6803_128);
1925 ADD_TEST(test_kdf_kbkdf_6803_256);
1927 ADD_TEST(test_kdf_kbkdf_invalid_digest);
1928 ADD_TEST(test_kdf_kbkdf_invalid_mac);
1929 ADD_TEST(test_kdf_kbkdf_invalid_r);
1930 ADD_TEST(test_kdf_kbkdf_zero_output_size);
1931 ADD_TEST(test_kdf_kbkdf_empty_key);
1932 ADD_TEST(test_kdf_kbkdf_1byte_key);
1933 ADD_TEST(test_kdf_kbkdf_8009_prf1);
1934 ADD_TEST(test_kdf_kbkdf_8009_prf2);
1935 #if !defined(OPENSSL_NO_CMAC)
1936 ADD_TEST(test_kdf_kbkdf_fixedinfo);
1938 if (fips_provider_version_ge(NULL, 3, 1, 0))
1939 ADD_TEST(test_kdf_kbkdf_kmac);
1940 ADD_TEST(test_kdf_get_kdf);
1941 ADD_TEST(test_kdf_tls1_prf);
1942 ADD_TEST(test_kdf_tls1_prf_invalid_digest);
1943 ADD_TEST(test_kdf_tls1_prf_zero_output_size);
1944 ADD_TEST(test_kdf_tls1_prf_empty_secret);
1945 ADD_TEST(test_kdf_tls1_prf_1byte_secret);
1946 ADD_TEST(test_kdf_tls1_prf_empty_seed);
1947 ADD_TEST(test_kdf_tls1_prf_1byte_seed);
1948 ADD_TEST(test_kdf_hkdf);
1949 ADD_TEST(test_kdf_hkdf_invalid_digest);
1950 ADD_TEST(test_kdf_hkdf_zero_output_size);
1951 ADD_TEST(test_kdf_hkdf_empty_key);
1952 ADD_TEST(test_kdf_hkdf_1byte_key);
1953 ADD_TEST(test_kdf_hkdf_empty_salt);
1954 ADD_TEST(test_kdf_hkdf_gettables);
1955 ADD_TEST(test_kdf_hkdf_gettables_expandonly);
1956 ADD_TEST(test_kdf_hkdf_gettables_no_digest);
1957 ADD_TEST(test_kdf_hkdf_derive_set_params_fail);
1958 ADD_TEST(test_kdf_hkdf_set_invalid_mode);
1959 ADD_TEST(test_kdf_hkdf_set_ctx_param_fail);
1960 ADD_TEST(test_kdf_pbkdf2);
1961 ADD_TEST(test_kdf_pbkdf2_small_output);
1962 ADD_TEST(test_kdf_pbkdf2_large_output);
1963 ADD_TEST(test_kdf_pbkdf2_small_salt);
1964 ADD_TEST(test_kdf_pbkdf2_small_iterations);
1965 ADD_TEST(test_kdf_pbkdf2_small_salt_pkcs5);
1966 ADD_TEST(test_kdf_pbkdf2_small_iterations_pkcs5);
1967 ADD_TEST(test_kdf_pbkdf2_invalid_digest);
1968 #ifndef OPENSSL_NO_SCRYPT
1969 ADD_TEST(test_kdf_scrypt);
1971 ADD_TEST(test_kdf_ss_hash);
1972 ADD_TEST(test_kdf_ss_hmac);
1973 ADD_TEST(test_kdf_ss_kmac);
1974 ADD_TEST(test_kdf_sshkdf);
1975 ADD_TEST(test_kdf_x963);
1976 #if !defined(OPENSSL_NO_CMS) && !defined(OPENSSL_NO_DES)
1977 ADD_TEST(test_kdf_x942_asn1);
1979 ADD_TEST(test_kdf_krb5kdf);
1980 ADD_TEST(test_kdf_hmac_drbg_settables);
1981 ADD_TEST(test_kdf_hmac_drbg_gettables);