2 * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright (c) 2018-2020, Oracle and/or its affiliates. All rights reserved.
5 * Licensed under the Apache License 2.0 (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
11 /* Tests of the EVP_KDF_CTX APIs */
16 #include <openssl/evp.h>
17 #include <openssl/kdf.h>
18 #include <openssl/core_names.h>
19 #include "internal/numbers.h"
23 static EVP_KDF_CTX *get_kdfbyname_libctx(OSSL_LIB_CTX *libctx, const char *name)
25 EVP_KDF *kdf = EVP_KDF_fetch(libctx, name, NULL);
26 EVP_KDF_CTX *kctx = EVP_KDF_CTX_new(kdf);
32 static EVP_KDF_CTX *get_kdfbyname(const char *name)
34 return get_kdfbyname_libctx(NULL, name);
37 static OSSL_PARAM *construct_tls1_prf_params(const char *digest, const char *secret,
40 OSSL_PARAM *params = OPENSSL_malloc(sizeof(OSSL_PARAM) * 4);
41 OSSL_PARAM *p = params;
46 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
48 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SECRET,
49 (unsigned char *)secret,
51 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED,
52 (unsigned char *)seed,
54 *p = OSSL_PARAM_construct_end();
59 static int test_kdf_tls1_prf(void)
62 EVP_KDF_CTX *kctx = NULL;
63 unsigned char out[16];
65 static const unsigned char expected[sizeof(out)] = {
66 0x8e, 0x4d, 0x93, 0x25, 0x30, 0xd7, 0x65, 0xa0,
67 0xaa, 0xe9, 0x74, 0xc3, 0x04, 0x73, 0x5e, 0xcc
70 params = construct_tls1_prf_params("sha256", "secret", "seed");
72 ret = TEST_ptr(params)
73 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
74 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
75 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
77 EVP_KDF_CTX_free(kctx);
82 static int test_kdf_tls1_prf_invalid_digest(void)
85 EVP_KDF_CTX *kctx = NULL;
88 params = construct_tls1_prf_params("blah", "secret", "seed");
90 ret = TEST_ptr(params)
91 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
92 && TEST_false(EVP_KDF_CTX_set_params(kctx, params));
94 EVP_KDF_CTX_free(kctx);
99 static int test_kdf_tls1_prf_zero_output_size(void)
102 EVP_KDF_CTX *kctx = NULL;
103 unsigned char out[16];
106 params = construct_tls1_prf_params("sha256", "secret", "seed");
108 /* Negative test - derive should fail */
109 ret = TEST_ptr(params)
110 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
111 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
112 && TEST_int_eq(EVP_KDF_derive(kctx, out, 0, NULL), 0);
114 EVP_KDF_CTX_free(kctx);
115 OPENSSL_free(params);
119 static int test_kdf_tls1_prf_empty_secret(void)
122 EVP_KDF_CTX *kctx = NULL;
123 unsigned char out[16];
126 params = construct_tls1_prf_params("sha256", "", "seed");
128 ret = TEST_ptr(params)
129 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
130 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0);
132 EVP_KDF_CTX_free(kctx);
133 OPENSSL_free(params);
137 static int test_kdf_tls1_prf_1byte_secret(void)
140 EVP_KDF_CTX *kctx = NULL;
141 unsigned char out[16];
144 params = construct_tls1_prf_params("sha256", "1", "seed");
146 ret = TEST_ptr(params)
147 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
148 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0);
150 EVP_KDF_CTX_free(kctx);
151 OPENSSL_free(params);
155 static int test_kdf_tls1_prf_empty_seed(void)
158 EVP_KDF_CTX *kctx = NULL;
159 unsigned char out[16];
162 params = construct_tls1_prf_params("sha256", "secret", "");
164 /* Negative test - derive should fail */
165 ret = TEST_ptr(params)
166 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
167 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
168 && TEST_int_eq(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0);
170 EVP_KDF_CTX_free(kctx);
171 OPENSSL_free(params);
175 static int test_kdf_tls1_prf_1byte_seed(void)
178 EVP_KDF_CTX *kctx = NULL;
179 unsigned char out[16];
182 params = construct_tls1_prf_params("sha256", "secret", "1");
184 ret = TEST_ptr(params)
185 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
186 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0);
188 EVP_KDF_CTX_free(kctx);
189 OPENSSL_free(params);
193 static OSSL_PARAM *construct_hkdf_params(char *digest, char *key,
194 size_t keylen, char *salt, char *info)
196 OSSL_PARAM *params = OPENSSL_malloc(sizeof(OSSL_PARAM) * 5);
197 OSSL_PARAM *p = params;
203 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
205 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
207 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
208 (unsigned char *)key, keylen);
210 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO,
213 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MODE,
215 *p = OSSL_PARAM_construct_end();
220 static int test_kdf_hkdf(void)
223 EVP_KDF_CTX *kctx = NULL;
224 unsigned char out[10];
226 static const unsigned char expected[sizeof(out)] = {
227 0x2a, 0xc4, 0x36, 0x9f, 0x52, 0x59, 0x96, 0xf8, 0xde, 0x13
230 params = construct_hkdf_params("sha256", "secret", 6, "salt", "label");
232 ret = TEST_ptr(params)
233 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))
234 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
235 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
237 EVP_KDF_CTX_free(kctx);
238 OPENSSL_free(params);
242 static int do_kdf_hkdf_gettables(int expand_only, int has_digest)
247 OSSL_PARAM params_get[2];
248 const OSSL_PARAM *gettables, *p;
249 EVP_KDF_CTX *kctx = NULL;
251 if (!TEST_ptr(params = construct_hkdf_params(
252 has_digest ? "sha256" : NULL,
254 expand_only ? NULL : "label"))
255 || !TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))
256 || !TEST_true(EVP_KDF_CTX_set_params(kctx, params)))
259 /* Check OSSL_KDF_PARAM_SIZE is gettable */
260 if (!TEST_ptr(gettables = EVP_KDF_CTX_gettable_params(kctx))
261 || !TEST_ptr(p = OSSL_PARAM_locate_const(gettables, OSSL_KDF_PARAM_SIZE)))
264 /* Get OSSL_KDF_PARAM_SIZE as a size_t */
265 params_get[0] = OSSL_PARAM_construct_size_t(OSSL_KDF_PARAM_SIZE, &sz);
266 params_get[1] = OSSL_PARAM_construct_end();
268 if (!TEST_int_eq(EVP_KDF_CTX_get_params(kctx, params_get), 1)
269 || !TEST_size_t_eq(sz, expand_only ? SHA256_DIGEST_LENGTH : SIZE_MAX))
272 if (!TEST_int_eq(EVP_KDF_CTX_get_params(kctx, params_get), 0))
276 /* Get params returns -2 if an unsupported parameter is requested */
277 params_get[0] = OSSL_PARAM_construct_end();
278 if (!TEST_int_eq(EVP_KDF_CTX_get_params(kctx, params_get), -2))
282 EVP_KDF_CTX_free(kctx);
283 OPENSSL_free(params);
287 static int test_kdf_hkdf_gettables(void)
289 return do_kdf_hkdf_gettables(0, 1);
292 static int test_kdf_hkdf_gettables_expandonly(void)
294 return do_kdf_hkdf_gettables(1, 1);
297 static int test_kdf_hkdf_gettables_no_digest(void)
299 return do_kdf_hkdf_gettables(1, 0);
302 static int test_kdf_hkdf_invalid_digest(void)
305 EVP_KDF_CTX *kctx = NULL;
308 params = construct_hkdf_params("blah", "secret", 6, "salt", "label");
310 ret = TEST_ptr(params)
311 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))
312 && TEST_false(EVP_KDF_CTX_set_params(kctx, params));
314 EVP_KDF_CTX_free(kctx);
315 OPENSSL_free(params);
319 static int test_kdf_hkdf_derive_set_params_fail(void)
322 EVP_KDF_CTX *kctx = NULL;
323 OSSL_PARAM params[2];
324 unsigned char out[10];
326 if (!TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF)))
329 * Set the wrong type for the digest so that it causes a failure
330 * inside kdf_hkdf_derive() when kdf_hkdf_set_ctx_params() is called
332 params[0] = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_DIGEST, &i);
333 params[1] = OSSL_PARAM_construct_end();
334 if (!TEST_int_eq(EVP_KDF_derive(kctx, out, sizeof(out), params), 0))
338 EVP_KDF_CTX_free(kctx);
342 static int test_kdf_hkdf_set_invalid_mode(void)
344 int ret = 0, bad_mode = 100;
345 EVP_KDF_CTX *kctx = NULL;
346 OSSL_PARAM params[2];
348 if (!TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF)))
350 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MODE,
352 params[1] = OSSL_PARAM_construct_end();
353 if (!TEST_int_eq(EVP_KDF_CTX_set_params(kctx, params), 0))
356 params[0] = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_MODE, &bad_mode);
357 if (!TEST_int_eq(EVP_KDF_CTX_set_params(kctx, params), 0))
362 EVP_KDF_CTX_free(kctx);
366 static int do_kdf_hkdf_set_invalid_param(const char *key, int type)
369 EVP_KDF_CTX *kctx = NULL;
370 OSSL_PARAM params[2];
371 unsigned char buf[2];
373 if (!TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF)))
375 /* Set the wrong type for the key so that it causes a failure */
376 if (type == OSSL_PARAM_UTF8_STRING)
377 params[0] = OSSL_PARAM_construct_utf8_string(key, "BAD", 0);
379 params[0] = OSSL_PARAM_construct_octet_string(key, buf, sizeof(buf));
380 params[1] = OSSL_PARAM_construct_end();
381 if (!TEST_int_eq(EVP_KDF_CTX_set_params(kctx, params), 0))
386 EVP_KDF_CTX_free(kctx);
390 static int test_kdf_hkdf_set_ctx_param_fail(void)
392 return do_kdf_hkdf_set_invalid_param(OSSL_KDF_PARAM_MODE,
393 OSSL_PARAM_OCTET_STRING)
394 && do_kdf_hkdf_set_invalid_param(OSSL_KDF_PARAM_KEY,
395 OSSL_PARAM_UTF8_STRING)
396 && do_kdf_hkdf_set_invalid_param(OSSL_KDF_PARAM_SALT,
397 OSSL_PARAM_UTF8_STRING)
398 && do_kdf_hkdf_set_invalid_param(OSSL_KDF_PARAM_INFO,
399 OSSL_PARAM_UTF8_STRING);
402 static int test_kdf_hkdf_zero_output_size(void)
405 EVP_KDF_CTX *kctx = NULL;
406 unsigned char out[10];
409 params = construct_hkdf_params("sha256", "secret", 6, "salt", "label");
411 /* Negative test - derive should fail */
412 ret = TEST_ptr(params)
413 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))
414 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
415 && TEST_int_eq(EVP_KDF_derive(kctx, out, 0, NULL), 0);
417 EVP_KDF_CTX_free(kctx);
418 OPENSSL_free(params);
422 static int test_kdf_hkdf_empty_key(void)
425 EVP_KDF_CTX *kctx = NULL;
426 unsigned char out[10];
429 params = construct_hkdf_params("sha256", "", 0, "salt", "label");
431 ret = TEST_ptr(params)
432 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))
433 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0);
435 EVP_KDF_CTX_free(kctx);
436 OPENSSL_free(params);
440 static int test_kdf_hkdf_1byte_key(void)
443 EVP_KDF_CTX *kctx = NULL;
444 unsigned char out[10];
447 params = construct_hkdf_params("sha256", "1", 1, "salt", "label");
449 ret = TEST_ptr(params)
450 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))
451 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0);
453 EVP_KDF_CTX_free(kctx);
454 OPENSSL_free(params);
458 static int test_kdf_hkdf_empty_salt(void)
461 EVP_KDF_CTX *kctx = NULL;
462 unsigned char out[10];
465 params = construct_hkdf_params("sha256", "secret", 6, "", "label");
467 ret = TEST_ptr(params)
468 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))
469 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0);
471 EVP_KDF_CTX_free(kctx);
472 OPENSSL_free(params);
476 static OSSL_PARAM *construct_pbkdf1_params(char *pass, char *digest, char *salt,
479 OSSL_PARAM *params = OPENSSL_malloc(sizeof(OSSL_PARAM) * 5);
480 OSSL_PARAM *p = params;
485 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PASSWORD,
486 (unsigned char *)pass, strlen(pass));
487 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
488 (unsigned char *)salt, strlen(salt));
489 *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_ITER, iter);
490 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
492 *p = OSSL_PARAM_construct_end();
497 static int test_kdf_pbkdf1(void)
500 EVP_KDF_CTX *kctx = NULL;
501 unsigned char out[25];
502 unsigned int iterations = 4096;
503 OSSL_LIB_CTX *libctx = NULL;
504 OSSL_PARAM *params = NULL;
505 OSSL_PROVIDER *legacyprov = NULL;
506 OSSL_PROVIDER *defprov = NULL;
507 const unsigned char expected[sizeof(out)] = {
508 0xfb, 0x83, 0x4d, 0x36, 0x6d, 0xbc, 0x53, 0x87, 0x35, 0x1b, 0x34, 0x75,
509 0x95, 0x88, 0x32, 0x4f, 0x3e, 0x82, 0x81, 0x01, 0x21, 0x93, 0x64, 0x00,
513 if (!TEST_ptr(libctx = OSSL_LIB_CTX_new()))
516 /* PBKDF1 only available in the legacy provider */
517 legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
518 if (legacyprov == NULL) {
519 OSSL_LIB_CTX_free(libctx);
520 return TEST_skip("PBKDF1 only available in legacy provider");
523 if (!TEST_ptr(defprov = OSSL_PROVIDER_load(libctx, "default")))
526 params = construct_pbkdf1_params("passwordPASSWORDpassword", "sha256",
527 "saltSALTsaltSALTsaltSALTsaltSALTsalt",
530 if (!TEST_ptr(params)
531 || !TEST_ptr(kctx = get_kdfbyname_libctx(libctx, OSSL_KDF_NAME_PBKDF1))
532 || !TEST_true(EVP_KDF_CTX_set_params(kctx, params))
533 || !TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0)
534 || !TEST_mem_eq(out, sizeof(out), expected, sizeof(expected)))
539 EVP_KDF_CTX_free(kctx);
540 OPENSSL_free(params);
541 OSSL_PROVIDER_unload(defprov);
542 OSSL_PROVIDER_unload(legacyprov);
543 OSSL_LIB_CTX_free(libctx);
547 static OSSL_PARAM *construct_pbkdf2_params(char *pass, char *digest, char *salt,
548 unsigned int *iter, int *mode)
550 OSSL_PARAM *params = OPENSSL_malloc(sizeof(OSSL_PARAM) * 6);
551 OSSL_PARAM *p = params;
556 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PASSWORD,
557 (unsigned char *)pass, strlen(pass));
558 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
559 (unsigned char *)salt, strlen(salt));
560 *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_ITER, iter);
561 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
563 *p++ = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_PKCS5, mode);
564 *p = OSSL_PARAM_construct_end();
569 static int test_kdf_pbkdf2(void)
572 EVP_KDF_CTX *kctx = NULL;
573 unsigned char out[25];
574 unsigned int iterations = 4096;
577 const unsigned char expected[sizeof(out)] = {
578 0x34, 0x8c, 0x89, 0xdb, 0xcb, 0xd3, 0x2b, 0x2f,
579 0x32, 0xd8, 0x14, 0xb8, 0x11, 0x6e, 0x84, 0xcf,
580 0x2b, 0x17, 0x34, 0x7e, 0xbc, 0x18, 0x00, 0x18,
584 params = construct_pbkdf2_params("passwordPASSWORDpassword", "sha256",
585 "saltSALTsaltSALTsaltSALTsaltSALTsalt",
588 if (!TEST_ptr(params)
589 || !TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
590 || !TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
591 || !TEST_mem_eq(out, sizeof(out), expected, sizeof(expected)))
596 EVP_KDF_CTX_free(kctx);
597 OPENSSL_free(params);
601 static int test_kdf_pbkdf2_small_output(void)
604 EVP_KDF_CTX *kctx = NULL;
605 unsigned char out[25];
606 unsigned int iterations = 4096;
610 params = construct_pbkdf2_params("passwordPASSWORDpassword", "sha256",
611 "saltSALTsaltSALTsaltSALTsaltSALTsalt",
614 if (!TEST_ptr(params)
615 || !TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
616 || !TEST_true(EVP_KDF_CTX_set_params(kctx, params))
617 /* A key length that is too small should fail */
618 || !TEST_int_eq(EVP_KDF_derive(kctx, out, 112 / 8 - 1, NULL), 0))
623 EVP_KDF_CTX_free(kctx);
624 OPENSSL_free(params);
628 static int test_kdf_pbkdf2_large_output(void)
631 EVP_KDF_CTX *kctx = NULL;
632 unsigned char out[25];
634 unsigned int iterations = 4096;
638 if (sizeof(len) > 32)
641 params = construct_pbkdf2_params("passwordPASSWORDpassword", "sha256",
642 "saltSALTsaltSALTsaltSALTsaltSALTsalt",
645 if (!TEST_ptr(params)
646 || !TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
647 /* A key length that is too large should fail */
648 || !TEST_true(EVP_KDF_CTX_set_params(kctx, params))
649 || (len != 0 && !TEST_int_eq(EVP_KDF_derive(kctx, out, len, NULL), 0)))
654 EVP_KDF_CTX_free(kctx);
655 OPENSSL_free(params);
659 static int test_kdf_pbkdf2_small_salt(void)
662 EVP_KDF_CTX *kctx = NULL;
663 unsigned int iterations = 4096;
667 params = construct_pbkdf2_params("passwordPASSWORDpassword", "sha256",
671 if (!TEST_ptr(params)
672 || !TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
673 /* A salt that is too small should fail */
674 || !TEST_false(EVP_KDF_CTX_set_params(kctx, params)))
679 EVP_KDF_CTX_free(kctx);
680 OPENSSL_free(params);
684 static int test_kdf_pbkdf2_small_iterations(void)
687 EVP_KDF_CTX *kctx = NULL;
688 unsigned int iterations = 1;
692 params = construct_pbkdf2_params("passwordPASSWORDpassword", "sha256",
693 "saltSALTsaltSALTsaltSALTsaltSALTsalt",
696 if (!TEST_ptr(params)
697 || !TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
698 /* An iteration count that is too small should fail */
699 || !TEST_false(EVP_KDF_CTX_set_params(kctx, params)))
704 EVP_KDF_CTX_free(kctx);
705 OPENSSL_free(params);
709 static int test_kdf_pbkdf2_small_salt_pkcs5(void)
712 EVP_KDF_CTX *kctx = NULL;
713 unsigned char out[25];
714 unsigned int iterations = 4096;
717 OSSL_PARAM mode_params[2];
719 params = construct_pbkdf2_params("passwordPASSWORDpassword", "sha256",
723 if (!TEST_ptr(params)
724 || !TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
725 /* A salt that is too small should pass in pkcs5 mode */
726 || !TEST_true(EVP_KDF_CTX_set_params(kctx, params))
727 || !TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0))
731 mode_params[0] = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_PKCS5, &mode);
732 mode_params[1] = OSSL_PARAM_construct_end();
734 /* If the "pkcs5" mode is disabled then the derive will now fail */
735 if (!TEST_true(EVP_KDF_CTX_set_params(kctx, mode_params))
736 || !TEST_int_eq(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0))
741 EVP_KDF_CTX_free(kctx);
742 OPENSSL_free(params);
746 static int test_kdf_pbkdf2_small_iterations_pkcs5(void)
749 EVP_KDF_CTX *kctx = NULL;
750 unsigned char out[25];
751 unsigned int iterations = 1;
754 OSSL_PARAM mode_params[2];
756 params = construct_pbkdf2_params("passwordPASSWORDpassword", "sha256",
757 "saltSALTsaltSALTsaltSALTsaltSALTsalt",
760 if (!TEST_ptr(params)
761 || !TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
762 /* An iteration count that is too small will pass in pkcs5 mode */
763 || !TEST_true(EVP_KDF_CTX_set_params(kctx, params))
764 || !TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0))
768 mode_params[0] = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_PKCS5, &mode);
769 mode_params[1] = OSSL_PARAM_construct_end();
771 /* If the "pkcs5" mode is disabled then the derive will now fail */
772 if (!TEST_true(EVP_KDF_CTX_set_params(kctx, mode_params))
773 || !TEST_int_eq(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0))
778 EVP_KDF_CTX_free(kctx);
779 OPENSSL_free(params);
783 static int test_kdf_pbkdf2_invalid_digest(void)
786 EVP_KDF_CTX *kctx = NULL;
787 unsigned int iterations = 4096;
791 params = construct_pbkdf2_params("passwordPASSWORDpassword", "blah",
792 "saltSALTsaltSALTsaltSALTsaltSALTsalt",
795 if (!TEST_ptr(params)
796 || !TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
797 /* Unknown digest should fail */
798 || !TEST_false(EVP_KDF_CTX_set_params(kctx, params)))
803 EVP_KDF_CTX_free(kctx);
804 OPENSSL_free(params);
808 #ifndef OPENSSL_NO_SCRYPT
809 static int test_kdf_scrypt(void)
813 OSSL_PARAM params[7], *p = params;
814 unsigned char out[64];
815 unsigned int nu = 1024, ru = 8, pu = 16, maxmem = 16;
816 static const unsigned char expected[sizeof(out)] = {
817 0xfd, 0xba, 0xbe, 0x1c, 0x9d, 0x34, 0x72, 0x00,
818 0x78, 0x56, 0xe7, 0x19, 0x0d, 0x01, 0xe9, 0xfe,
819 0x7c, 0x6a, 0xd7, 0xcb, 0xc8, 0x23, 0x78, 0x30,
820 0xe7, 0x73, 0x76, 0x63, 0x4b, 0x37, 0x31, 0x62,
821 0x2e, 0xaf, 0x30, 0xd9, 0x2e, 0x22, 0xa3, 0x88,
822 0x6f, 0xf1, 0x09, 0x27, 0x9d, 0x98, 0x30, 0xda,
823 0xc7, 0x27, 0xaf, 0xb9, 0x4a, 0x83, 0xee, 0x6d,
824 0x83, 0x60, 0xcb, 0xdf, 0xa2, 0xcc, 0x06, 0x40
827 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PASSWORD,
828 (char *)"password", 8);
829 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
831 *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_SCRYPT_N, &nu);
832 *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_SCRYPT_R, &ru);
833 *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_SCRYPT_P, &pu);
834 *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_SCRYPT_MAXMEM, &maxmem);
835 *p = OSSL_PARAM_construct_end();
838 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SCRYPT))
839 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
841 && TEST_int_le(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0)*/
842 && TEST_true(OSSL_PARAM_set_uint(p - 1, 10 * 1024 * 1024))
843 && TEST_true(EVP_KDF_CTX_set_params(kctx, p - 1))
844 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0)
845 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
847 EVP_KDF_CTX_free(kctx);
850 #endif /* OPENSSL_NO_SCRYPT */
852 static int test_kdf_ss_hash(void)
856 OSSL_PARAM params[4], *p = params;
857 unsigned char out[14];
858 static unsigned char z[] = {
859 0x6d,0xbd,0xc2,0x3f,0x04,0x54,0x88,0xe4,0x06,0x27,0x57,0xb0,0x6b,0x9e,
860 0xba,0xe1,0x83,0xfc,0x5a,0x59,0x46,0xd8,0x0d,0xb9,0x3f,0xec,0x6f,0x62,
861 0xec,0x07,0xe3,0x72,0x7f,0x01,0x26,0xae,0xd1,0x2c,0xe4,0xb2,0x62,0xf4,
862 0x7d,0x48,0xd5,0x42,0x87,0xf8,0x1d,0x47,0x4c,0x7c,0x3b,0x18,0x50,0xe9
864 static unsigned char other[] = {
865 0xa1,0xb2,0xc3,0xd4,0xe5,0x43,0x41,0x56,0x53,0x69,0x64,0x3c,0x83,0x2e,
866 0x98,0x49,0xdc,0xdb,0xa7,0x1e,0x9a,0x31,0x39,0xe6,0x06,0xe0,0x95,0xde,
867 0x3c,0x26,0x4a,0x66,0xe9,0x8a,0x16,0x58,0x54,0xcd,0x07,0x98,0x9b,0x1e,
868 0xe0,0xec,0x3f,0x8d,0xbe
870 static const unsigned char expected[sizeof(out)] = {
871 0xa4,0x62,0xde,0x16,0xa8,0x9d,0xe8,0x46,0x6e,0xf5,0x46,0x0b,0x47,0xb8
874 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
875 (char *)"sha224", 0);
876 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z, sizeof(z));
877 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, other,
879 *p = OSSL_PARAM_construct_end();
882 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SSKDF))
883 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
884 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
886 EVP_KDF_CTX_free(kctx);
890 static int test_kdf_x963(void)
894 OSSL_PARAM params[4], *p = params;
895 unsigned char out[1024 / 8];
897 * Test data from https://csrc.nist.gov/CSRC/media/Projects/
898 * Cryptographic-Algorithm-Validation-Program/documents/components/
899 * 800-135testvectors/ansx963_2001.zip
901 static unsigned char z[] = {
902 0x00, 0xaa, 0x5b, 0xb7, 0x9b, 0x33, 0xe3, 0x89, 0xfa, 0x58, 0xce, 0xad,
903 0xc0, 0x47, 0x19, 0x7f, 0x14, 0xe7, 0x37, 0x12, 0xf4, 0x52, 0xca, 0xa9,
904 0xfc, 0x4c, 0x9a, 0xdb, 0x36, 0x93, 0x48, 0xb8, 0x15, 0x07, 0x39, 0x2f,
905 0x1a, 0x86, 0xdd, 0xfd, 0xb7, 0xc4, 0xff, 0x82, 0x31, 0xc4, 0xbd, 0x0f,
906 0x44, 0xe4, 0x4a, 0x1b, 0x55, 0xb1, 0x40, 0x47, 0x47, 0xa9, 0xe2, 0xe7,
907 0x53, 0xf5, 0x5e, 0xf0, 0x5a, 0x2d
909 static unsigned char shared[] = {
910 0xe3, 0xb5, 0xb4, 0xc1, 0xb0, 0xd5, 0xcf, 0x1d, 0x2b, 0x3a, 0x2f, 0x99,
911 0x37, 0x89, 0x5d, 0x31
913 static const unsigned char expected[sizeof(out)] = {
914 0x44, 0x63, 0xf8, 0x69, 0xf3, 0xcc, 0x18, 0x76, 0x9b, 0x52, 0x26, 0x4b,
915 0x01, 0x12, 0xb5, 0x85, 0x8f, 0x7a, 0xd3, 0x2a, 0x5a, 0x2d, 0x96, 0xd8,
916 0xcf, 0xfa, 0xbf, 0x7f, 0xa7, 0x33, 0x63, 0x3d, 0x6e, 0x4d, 0xd2, 0xa5,
917 0x99, 0xac, 0xce, 0xb3, 0xea, 0x54, 0xa6, 0x21, 0x7c, 0xe0, 0xb5, 0x0e,
918 0xef, 0x4f, 0x6b, 0x40, 0xa5, 0xc3, 0x02, 0x50, 0xa5, 0xa8, 0xee, 0xee,
919 0x20, 0x80, 0x02, 0x26, 0x70, 0x89, 0xdb, 0xf3, 0x51, 0xf3, 0xf5, 0x02,
920 0x2a, 0xa9, 0x63, 0x8b, 0xf1, 0xee, 0x41, 0x9d, 0xea, 0x9c, 0x4f, 0xf7,
921 0x45, 0xa2, 0x5a, 0xc2, 0x7b, 0xda, 0x33, 0xca, 0x08, 0xbd, 0x56, 0xdd,
922 0x1a, 0x59, 0xb4, 0x10, 0x6c, 0xf2, 0xdb, 0xbc, 0x0a, 0xb2, 0xaa, 0x8e,
923 0x2e, 0xfa, 0x7b, 0x17, 0x90, 0x2d, 0x34, 0x27, 0x69, 0x51, 0xce, 0xcc,
924 0xab, 0x87, 0xf9, 0x66, 0x1c, 0x3e, 0x88, 0x16
927 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
928 (char *)"sha512", 0);
929 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z, sizeof(z));
930 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, shared,
932 *p = OSSL_PARAM_construct_end();
935 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_X963KDF))
936 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
937 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
939 EVP_KDF_CTX_free(kctx);
943 #if !defined(OPENSSL_NO_CMAC) && !defined(OPENSSL_NO_CAMELLIA)
945 * KBKDF test vectors from RFC 6803 (Camellia Encryption for Kerberos 5)
948 static int test_kdf_kbkdf_6803_128(void)
952 OSSL_PARAM params[7];
953 static unsigned char input_key[] = {
954 0x57, 0xD0, 0x29, 0x72, 0x98, 0xFF, 0xD9, 0xD3,
955 0x5D, 0xE5, 0xA4, 0x7F, 0xB4, 0xBD, 0xE2, 0x4B,
957 static unsigned char constants[][5] = {
958 { 0x00, 0x00, 0x00, 0x02, 0x99 },
959 { 0x00, 0x00, 0x00, 0x02, 0xaa },
960 { 0x00, 0x00, 0x00, 0x02, 0x55 },
962 static unsigned char outputs[][16] = {
963 {0xD1, 0x55, 0x77, 0x5A, 0x20, 0x9D, 0x05, 0xF0,
964 0x2B, 0x38, 0xD4, 0x2A, 0x38, 0x9E, 0x5A, 0x56},
965 {0x64, 0xDF, 0x83, 0xF8, 0x5A, 0x53, 0x2F, 0x17,
966 0x57, 0x7D, 0x8C, 0x37, 0x03, 0x57, 0x96, 0xAB},
967 {0x3E, 0x4F, 0xBD, 0xF3, 0x0F, 0xB8, 0x25, 0x9C,
968 0x42, 0x5C, 0xB6, 0xC9, 0x6F, 0x1F, 0x46, 0x35}
970 static unsigned char iv[16] = { 0 };
971 unsigned char result[16] = { 0 };
973 for (i = 0; i < 3; i++) {
975 params[p++] = OSSL_PARAM_construct_utf8_string(
976 OSSL_KDF_PARAM_CIPHER, "CAMELLIA-128-CBC", 0);
977 params[p++] = OSSL_PARAM_construct_utf8_string(
978 OSSL_KDF_PARAM_MAC, "CMAC", 0);
979 params[p++] = OSSL_PARAM_construct_utf8_string(
980 OSSL_KDF_PARAM_MODE, "FEEDBACK", 0);
981 params[p++] = OSSL_PARAM_construct_octet_string(
982 OSSL_KDF_PARAM_KEY, input_key, sizeof(input_key));
983 params[p++] = OSSL_PARAM_construct_octet_string(
984 OSSL_KDF_PARAM_SALT, constants[i], sizeof(constants[i]));
985 params[p++] = OSSL_PARAM_construct_octet_string(
986 OSSL_KDF_PARAM_SEED, iv, sizeof(iv));
987 params[p] = OSSL_PARAM_construct_end();
989 kctx = get_kdfbyname("KBKDF");
991 && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result),
993 && TEST_mem_eq(result, sizeof(result), outputs[i],
995 EVP_KDF_CTX_free(kctx);
1003 static int test_kdf_kbkdf_6803_256(void)
1007 OSSL_PARAM params[7];
1008 static unsigned char input_key[] = {
1009 0xB9, 0xD6, 0x82, 0x8B, 0x20, 0x56, 0xB7, 0xBE,
1010 0x65, 0x6D, 0x88, 0xA1, 0x23, 0xB1, 0xFA, 0xC6,
1011 0x82, 0x14, 0xAC, 0x2B, 0x72, 0x7E, 0xCF, 0x5F,
1012 0x69, 0xAF, 0xE0, 0xC4, 0xDF, 0x2A, 0x6D, 0x2C,
1014 static unsigned char constants[][5] = {
1015 { 0x00, 0x00, 0x00, 0x02, 0x99 },
1016 { 0x00, 0x00, 0x00, 0x02, 0xaa },
1017 { 0x00, 0x00, 0x00, 0x02, 0x55 },
1019 static unsigned char outputs[][32] = {
1020 {0xE4, 0x67, 0xF9, 0xA9, 0x55, 0x2B, 0xC7, 0xD3,
1021 0x15, 0x5A, 0x62, 0x20, 0xAF, 0x9C, 0x19, 0x22,
1022 0x0E, 0xEE, 0xD4, 0xFF, 0x78, 0xB0, 0xD1, 0xE6,
1023 0xA1, 0x54, 0x49, 0x91, 0x46, 0x1A, 0x9E, 0x50,
1025 {0x41, 0x2A, 0xEF, 0xC3, 0x62, 0xA7, 0x28, 0x5F,
1026 0xC3, 0x96, 0x6C, 0x6A, 0x51, 0x81, 0xE7, 0x60,
1027 0x5A, 0xE6, 0x75, 0x23, 0x5B, 0x6D, 0x54, 0x9F,
1028 0xBF, 0xC9, 0xAB, 0x66, 0x30, 0xA4, 0xC6, 0x04,
1030 {0xFA, 0x62, 0x4F, 0xA0, 0xE5, 0x23, 0x99, 0x3F,
1031 0xA3, 0x88, 0xAE, 0xFD, 0xC6, 0x7E, 0x67, 0xEB,
1032 0xCD, 0x8C, 0x08, 0xE8, 0xA0, 0x24, 0x6B, 0x1D,
1033 0x73, 0xB0, 0xD1, 0xDD, 0x9F, 0xC5, 0x82, 0xB0,
1036 static unsigned char iv[16] = { 0 };
1037 unsigned char result[32] = { 0 };
1039 for (i = 0; i < 3; i++) {
1041 params[p++] = OSSL_PARAM_construct_utf8_string(
1042 OSSL_KDF_PARAM_CIPHER, "CAMELLIA-256-CBC", 0);
1043 params[p++] = OSSL_PARAM_construct_utf8_string(
1044 OSSL_KDF_PARAM_MAC, "CMAC", 0);
1045 params[p++] = OSSL_PARAM_construct_utf8_string(
1046 OSSL_KDF_PARAM_MODE, "FEEDBACK", 0);
1047 params[p++] = OSSL_PARAM_construct_octet_string(
1048 OSSL_KDF_PARAM_KEY, input_key, sizeof(input_key));
1049 params[p++] = OSSL_PARAM_construct_octet_string(
1050 OSSL_KDF_PARAM_SALT, constants[i], sizeof(constants[i]));
1051 params[p++] = OSSL_PARAM_construct_octet_string(
1052 OSSL_KDF_PARAM_SEED, iv, sizeof(iv));
1053 params[p] = OSSL_PARAM_construct_end();
1055 kctx = get_kdfbyname("KBKDF");
1056 ret = TEST_ptr(kctx)
1057 && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result),
1059 && TEST_mem_eq(result, sizeof(result), outputs[i],
1060 sizeof(outputs[i]));
1061 EVP_KDF_CTX_free(kctx);
1070 static OSSL_PARAM *construct_kbkdf_params(char *digest, char *mac, unsigned char *key,
1071 size_t keylen, char *salt, char *info)
1073 OSSL_PARAM *params = OPENSSL_malloc(sizeof(OSSL_PARAM) * 7);
1074 OSSL_PARAM *p = params;
1079 *p++ = OSSL_PARAM_construct_utf8_string(
1080 OSSL_KDF_PARAM_DIGEST, digest, 0);
1081 *p++ = OSSL_PARAM_construct_utf8_string(
1082 OSSL_KDF_PARAM_MAC, mac, 0);
1083 *p++ = OSSL_PARAM_construct_utf8_string(
1084 OSSL_KDF_PARAM_MODE, "COUNTER", 0);
1085 *p++ = OSSL_PARAM_construct_octet_string(
1086 OSSL_KDF_PARAM_KEY, key, keylen);
1087 *p++ = OSSL_PARAM_construct_octet_string(
1088 OSSL_KDF_PARAM_SALT, salt, strlen(salt));
1089 *p++ = OSSL_PARAM_construct_octet_string(
1090 OSSL_KDF_PARAM_INFO, info, strlen(info));
1091 *p = OSSL_PARAM_construct_end();
1096 static int test_kdf_kbkdf_invalid_digest(void)
1102 static unsigned char key[] = {0x01};
1104 params = construct_kbkdf_params("blah", "HMAC", key, 1, "prf", "test");
1105 if (!TEST_ptr(params))
1108 /* Negative test case - set_params should fail */
1109 kctx = get_kdfbyname("KBKDF");
1110 ret = TEST_ptr(kctx)
1111 && TEST_false(EVP_KDF_CTX_set_params(kctx, params));
1113 EVP_KDF_CTX_free(kctx);
1114 OPENSSL_free(params);
1118 static int test_kdf_kbkdf_invalid_mac(void)
1124 static unsigned char key[] = {0x01};
1126 params = construct_kbkdf_params("sha256", "blah", key, 1, "prf", "test");
1127 if (!TEST_ptr(params))
1130 /* Negative test case - set_params should fail */
1131 kctx = get_kdfbyname("KBKDF");
1132 ret = TEST_ptr(kctx)
1133 && TEST_false(EVP_KDF_CTX_set_params(kctx, params));
1135 EVP_KDF_CTX_free(kctx);
1136 OPENSSL_free(params);
1140 static int test_kdf_kbkdf_empty_key(void)
1146 static unsigned char key[] = {0x01};
1147 unsigned char result[32] = { 0 };
1149 params = construct_kbkdf_params("sha256", "HMAC", key, 0, "prf", "test");
1150 if (!TEST_ptr(params))
1153 /* Negative test case - derive should fail */
1154 kctx = get_kdfbyname("KBKDF");
1155 ret = TEST_ptr(kctx)
1156 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
1157 && TEST_int_eq(EVP_KDF_derive(kctx, result, sizeof(result), NULL), 0);
1159 EVP_KDF_CTX_free(kctx);
1160 OPENSSL_free(params);
1164 static int test_kdf_kbkdf_1byte_key(void)
1170 static unsigned char key[] = {0x01};
1171 unsigned char result[32] = { 0 };
1173 params = construct_kbkdf_params("sha256", "HMAC", key, 1, "prf", "test");
1174 if (!TEST_ptr(params))
1177 kctx = get_kdfbyname("KBKDF");
1178 ret = TEST_ptr(kctx)
1179 && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result), params), 0);
1181 EVP_KDF_CTX_free(kctx);
1182 OPENSSL_free(params);
1186 static int test_kdf_kbkdf_zero_output_size(void)
1192 static unsigned char key[] = {0x01};
1193 unsigned char result[32] = { 0 };
1195 params = construct_kbkdf_params("sha256", "HMAC", key, 1, "prf", "test");
1196 if (!TEST_ptr(params))
1199 /* Negative test case - derive should fail */
1200 kctx = get_kdfbyname("KBKDF");
1201 ret = TEST_ptr(kctx)
1202 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
1203 && TEST_int_eq(EVP_KDF_derive(kctx, result, 0, NULL), 0);
1205 EVP_KDF_CTX_free(kctx);
1206 OPENSSL_free(params);
1210 /* Two test vectors from RFC 8009 (AES Encryption with HMAC-SHA2 for Kerberos
1212 static int test_kdf_kbkdf_8009_prf1(void)
1216 OSSL_PARAM params[6];
1217 char *label = "prf", *digest = "sha256", *prf_input = "test",
1219 static unsigned char input_key[] = {
1220 0x37, 0x05, 0xD9, 0x60, 0x80, 0xC1, 0x77, 0x28,
1221 0xA0, 0xE8, 0x00, 0xEA, 0xB6, 0xE0, 0xD2, 0x3C,
1223 static unsigned char output[] = {
1224 0x9D, 0x18, 0x86, 0x16, 0xF6, 0x38, 0x52, 0xFE,
1225 0x86, 0x91, 0x5B, 0xB8, 0x40, 0xB4, 0xA8, 0x86,
1226 0xFF, 0x3E, 0x6B, 0xB0, 0xF8, 0x19, 0xB4, 0x9B,
1227 0x89, 0x33, 0x93, 0xD3, 0x93, 0x85, 0x42, 0x95,
1229 unsigned char result[sizeof(output)] = { 0 };
1231 params[i++] = OSSL_PARAM_construct_utf8_string(
1232 OSSL_KDF_PARAM_DIGEST, digest, 0);
1233 params[i++] = OSSL_PARAM_construct_utf8_string(
1234 OSSL_KDF_PARAM_MAC, mac, 0);
1235 params[i++] = OSSL_PARAM_construct_octet_string(
1236 OSSL_KDF_PARAM_KEY, input_key, sizeof(input_key));
1237 params[i++] = OSSL_PARAM_construct_octet_string(
1238 OSSL_KDF_PARAM_SALT, label, strlen(label));
1239 params[i++] = OSSL_PARAM_construct_octet_string(
1240 OSSL_KDF_PARAM_INFO, prf_input, strlen(prf_input));
1241 params[i] = OSSL_PARAM_construct_end();
1243 kctx = get_kdfbyname("KBKDF");
1244 ret = TEST_ptr(kctx)
1245 && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result), params), 0)
1246 && TEST_mem_eq(result, sizeof(result), output, sizeof(output));
1248 EVP_KDF_CTX_free(kctx);
1252 static int test_kdf_kbkdf_8009_prf2(void)
1256 OSSL_PARAM params[6];
1257 char *label = "prf", *digest = "sha384", *prf_input = "test",
1259 static unsigned char input_key[] = {
1260 0x6D, 0x40, 0x4D, 0x37, 0xFA, 0xF7, 0x9F, 0x9D,
1261 0xF0, 0xD3, 0x35, 0x68, 0xD3, 0x20, 0x66, 0x98,
1262 0x00, 0xEB, 0x48, 0x36, 0x47, 0x2E, 0xA8, 0xA0,
1263 0x26, 0xD1, 0x6B, 0x71, 0x82, 0x46, 0x0C, 0x52,
1265 static unsigned char output[] = {
1266 0x98, 0x01, 0xF6, 0x9A, 0x36, 0x8C, 0x2B, 0xF6,
1267 0x75, 0xE5, 0x95, 0x21, 0xE1, 0x77, 0xD9, 0xA0,
1268 0x7F, 0x67, 0xEF, 0xE1, 0xCF, 0xDE, 0x8D, 0x3C,
1269 0x8D, 0x6F, 0x6A, 0x02, 0x56, 0xE3, 0xB1, 0x7D,
1270 0xB3, 0xC1, 0xB6, 0x2A, 0xD1, 0xB8, 0x55, 0x33,
1271 0x60, 0xD1, 0x73, 0x67, 0xEB, 0x15, 0x14, 0xD2,
1273 unsigned char result[sizeof(output)] = { 0 };
1275 params[i++] = OSSL_PARAM_construct_utf8_string(
1276 OSSL_KDF_PARAM_DIGEST, digest, 0);
1277 params[i++] = OSSL_PARAM_construct_utf8_string(
1278 OSSL_KDF_PARAM_MAC, mac, 0);
1279 params[i++] = OSSL_PARAM_construct_octet_string(
1280 OSSL_KDF_PARAM_KEY, input_key, sizeof(input_key));
1281 params[i++] = OSSL_PARAM_construct_octet_string(
1282 OSSL_KDF_PARAM_SALT, label, strlen(label));
1283 params[i++] = OSSL_PARAM_construct_octet_string(
1284 OSSL_KDF_PARAM_INFO, prf_input, strlen(prf_input));
1285 params[i] = OSSL_PARAM_construct_end();
1287 kctx = get_kdfbyname("KBKDF");
1288 ret = TEST_ptr(kctx)
1289 && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result), params), 0)
1290 && TEST_mem_eq(result, sizeof(result), output, sizeof(output));
1292 EVP_KDF_CTX_free(kctx);
1296 #if !defined(OPENSSL_NO_CMAC)
1298 * Test vector taken from
1299 * https://csrc.nist.gov/CSRC/media/Projects/
1300 * Cryptographic-Algorithm-Validation-Program/documents/KBKDF800-108/CounterMode.zip
1301 * Note: Only 32 bit counter is supported ([RLEN=32_BITS])
1303 static int test_kdf_kbkdf_fixedinfo(void)
1307 OSSL_PARAM params[8], *p = params;
1308 static char *cipher = "AES128";
1309 static char *mac = "CMAC";
1310 static char *mode = "COUNTER";
1312 int use_separator = 0;
1314 static unsigned char input_key[] = {
1315 0xc1, 0x0b, 0x15, 0x2e, 0x8c, 0x97, 0xb7, 0x7e,
1316 0x18, 0x70, 0x4e, 0x0f, 0x0b, 0xd3, 0x83, 0x05,
1318 static unsigned char fixed_input[] = {
1319 0x98, 0xcd, 0x4c, 0xbb, 0xbe, 0xbe, 0x15, 0xd1,
1320 0x7d, 0xc8, 0x6e, 0x6d, 0xba, 0xd8, 0x00, 0xa2,
1321 0xdc, 0xbd, 0x64, 0xf7, 0xc7, 0xad, 0x0e, 0x78,
1322 0xe9, 0xcf, 0x94, 0xff, 0xdb, 0xa8, 0x9d, 0x03,
1323 0xe9, 0x7e, 0xad, 0xf6, 0xc4, 0xf7, 0xb8, 0x06,
1324 0xca, 0xf5, 0x2a, 0xa3, 0x8f, 0x09, 0xd0, 0xeb,
1325 0x71, 0xd7, 0x1f, 0x49, 0x7b, 0xcc, 0x69, 0x06,
1326 0xb4, 0x8d, 0x36, 0xc4,
1329 static unsigned char output[] = {
1330 0x26, 0xfa, 0xf6, 0x19, 0x08, 0xad, 0x9e, 0xe8,
1331 0x81, 0xb8, 0x30, 0x5c, 0x22, 0x1d, 0xb5, 0x3f,
1333 unsigned char result[sizeof(output)] = { 0 };
1335 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_CIPHER, cipher, 0);
1336 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MAC, mac, 0);
1337 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MODE, mode, 0);
1338 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, input_key,
1340 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO,
1341 fixed_input, sizeof(fixed_input));
1342 *p++ = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_KBKDF_USE_L, &use_l);
1343 *p++ = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_KBKDF_USE_SEPARATOR,
1345 *p = OSSL_PARAM_construct_end();
1347 kctx = get_kdfbyname("KBKDF");
1348 ret = TEST_ptr(kctx)
1349 && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result), params), 0)
1350 && TEST_mem_eq(result, sizeof(result), output, sizeof(output));
1352 EVP_KDF_CTX_free(kctx);
1355 #endif /* OPENSSL_NO_CMAC */
1357 static int test_kdf_ss_hmac(void)
1361 OSSL_PARAM params[6], *p = params;
1362 unsigned char out[16];
1363 static unsigned char z[] = {
1364 0xb7,0x4a,0x14,0x9a,0x16,0x15,0x46,0xf8,0xc2,0x0b,0x06,0xac,0x4e,0xd4
1366 static unsigned char other[] = {
1367 0x34,0x8a,0x37,0xa2,0x7e,0xf1,0x28,0x2f,0x5f,0x02,0x0d,0xcc
1369 static unsigned char salt[] = {
1370 0x36,0x38,0x27,0x1c,0xcd,0x68,0xa2,0x5d,0xc2,0x4e,0xcd,0xdd,0x39,0xef,
1373 static const unsigned char expected[sizeof(out)] = {
1374 0x44,0xf6,0x76,0xe8,0x5c,0x1b,0x1a,0x8b,0xbc,0x3d,0x31,0x92,0x18,0x63,
1378 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MAC,
1379 (char *)OSSL_MAC_NAME_HMAC, 0);
1380 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
1381 (char *)"sha256", 0);
1382 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z, sizeof(z));
1383 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, other,
1385 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT, salt,
1387 *p = OSSL_PARAM_construct_end();
1390 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SSKDF))
1391 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
1392 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
1394 EVP_KDF_CTX_free(kctx);
1398 static int test_kdf_ss_kmac(void)
1402 OSSL_PARAM params[6], *p = params;
1403 unsigned char out[64];
1404 size_t mac_size = 20;
1405 static unsigned char z[] = {
1406 0xb7,0x4a,0x14,0x9a,0x16,0x15,0x46,0xf8,0xc2,0x0b,0x06,0xac,0x4e,0xd4
1408 static unsigned char other[] = {
1409 0x34,0x8a,0x37,0xa2,0x7e,0xf1,0x28,0x2f,0x5f,0x02,0x0d,0xcc
1411 static unsigned char salt[] = {
1412 0x36,0x38,0x27,0x1c,0xcd,0x68,0xa2,0x5d,0xc2,0x4e,0xcd,0xdd,0x39,0xef,
1415 static const unsigned char expected[sizeof(out)] = {
1416 0xe9,0xc1,0x84,0x53,0xa0,0x62,0xb5,0x3b,0xdb,0xfc,0xbb,0x5a,0x34,0xbd,
1417 0xb8,0xe5,0xe7,0x07,0xee,0xbb,0x5d,0xd1,0x34,0x42,0x43,0xd8,0xcf,0xc2,
1418 0xc2,0xe6,0x33,0x2f,0x91,0xbd,0xa5,0x86,0xf3,0x7d,0xe4,0x8a,0x65,0xd4,
1419 0xc5,0x14,0xfd,0xef,0xaa,0x1e,0x67,0x54,0xf3,0x73,0xd2,0x38,0xe1,0x95,
1420 0xae,0x15,0x7e,0x1d,0xe8,0x14,0x98,0x03
1423 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MAC,
1424 (char *)OSSL_MAC_NAME_KMAC128, 0);
1425 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z, sizeof(z));
1426 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, other,
1428 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT, salt,
1430 *p++ = OSSL_PARAM_construct_size_t(OSSL_KDF_PARAM_MAC_SIZE, &mac_size);
1431 *p = OSSL_PARAM_construct_end();
1434 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SSKDF))
1435 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
1436 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
1438 EVP_KDF_CTX_free(kctx);
1442 static int test_kdf_sshkdf(void)
1446 OSSL_PARAM params[6], *p = params;
1447 char kdftype = EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV;
1448 unsigned char out[8];
1449 /* Test data from NIST CAVS 14.1 test vectors */
1450 static unsigned char key[] = {
1451 0x00, 0x00, 0x00, 0x81, 0x00, 0x87, 0x5c, 0x55, 0x1c, 0xef, 0x52, 0x6a,
1452 0x4a, 0x8b, 0xe1, 0xa7, 0xdf, 0x27, 0xe9, 0xed, 0x35, 0x4b, 0xac, 0x9a,
1453 0xfb, 0x71, 0xf5, 0x3d, 0xba, 0xe9, 0x05, 0x67, 0x9d, 0x14, 0xf9, 0xfa,
1454 0xf2, 0x46, 0x9c, 0x53, 0x45, 0x7c, 0xf8, 0x0a, 0x36, 0x6b, 0xe2, 0x78,
1455 0x96, 0x5b, 0xa6, 0x25, 0x52, 0x76, 0xca, 0x2d, 0x9f, 0x4a, 0x97, 0xd2,
1456 0x71, 0xf7, 0x1e, 0x50, 0xd8, 0xa9, 0xec, 0x46, 0x25, 0x3a, 0x6a, 0x90,
1457 0x6a, 0xc2, 0xc5, 0xe4, 0xf4, 0x8b, 0x27, 0xa6, 0x3c, 0xe0, 0x8d, 0x80,
1458 0x39, 0x0a, 0x49, 0x2a, 0xa4, 0x3b, 0xad, 0x9d, 0x88, 0x2c, 0xca, 0xc2,
1459 0x3d, 0xac, 0x88, 0xbc, 0xad, 0xa4, 0xb4, 0xd4, 0x26, 0xa3, 0x62, 0x08,
1460 0x3d, 0xab, 0x65, 0x69, 0xc5, 0x4c, 0x22, 0x4d, 0xd2, 0xd8, 0x76, 0x43,
1461 0xaa, 0x22, 0x76, 0x93, 0xe1, 0x41, 0xad, 0x16, 0x30, 0xce, 0x13, 0x14,
1464 static unsigned char xcghash[] = {
1465 0x0e, 0x68, 0x3f, 0xc8, 0xa9, 0xed, 0x7c, 0x2f, 0xf0, 0x2d, 0xef, 0x23,
1466 0xb2, 0x74, 0x5e, 0xbc, 0x99, 0xb2, 0x67, 0xda, 0xa8, 0x6a, 0x4a, 0xa7,
1467 0x69, 0x72, 0x39, 0x08, 0x82, 0x53, 0xf6, 0x42
1469 static unsigned char sessid[] = {
1470 0x0e, 0x68, 0x3f, 0xc8, 0xa9, 0xed, 0x7c, 0x2f, 0xf0, 0x2d, 0xef, 0x23,
1471 0xb2, 0x74, 0x5e, 0xbc, 0x99, 0xb2, 0x67, 0xda, 0xa8, 0x6a, 0x4a, 0xa7,
1472 0x69, 0x72, 0x39, 0x08, 0x82, 0x53, 0xf6, 0x42
1474 static const unsigned char expected[sizeof(out)] = {
1475 0x41, 0xff, 0x2e, 0xad, 0x16, 0x83, 0xf1, 0xe6
1478 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
1479 (char *)"sha256", 0);
1480 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, key,
1482 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SSHKDF_XCGHASH,
1483 xcghash, sizeof(xcghash));
1484 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SSHKDF_SESSION_ID,
1485 sessid, sizeof(sessid));
1486 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_SSHKDF_TYPE,
1487 &kdftype, sizeof(kdftype));
1488 *p = OSSL_PARAM_construct_end();
1491 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SSHKDF))
1492 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
1493 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
1495 EVP_KDF_CTX_free(kctx);
1499 static int test_kdfs_same( EVP_KDF *kdf1, EVP_KDF *kdf2)
1501 /* Fast path in case the two are the same algorithm pointer */
1505 * Compare their names and providers instead.
1506 * This is necessary in a non-caching build (or a cache flush during fetch)
1507 * because without the algorithm in the cache, fetching it a second time
1508 * will result in a different pointer.
1510 return TEST_ptr_eq(EVP_KDF_get0_provider(kdf1), EVP_KDF_get0_provider(kdf2))
1511 && TEST_str_eq(EVP_KDF_get0_name(kdf1), EVP_KDF_get0_name(kdf2));
1514 static int test_kdf_get_kdf(void)
1516 EVP_KDF *kdf1 = NULL, *kdf2 = NULL;
1520 if (!TEST_ptr(obj = OBJ_nid2obj(NID_id_pbkdf2))
1521 || !TEST_ptr(kdf1 = EVP_KDF_fetch(NULL, OSSL_KDF_NAME_PBKDF2, NULL))
1522 || !TEST_ptr(kdf2 = EVP_KDF_fetch(NULL, OBJ_nid2sn(OBJ_obj2nid(obj)),
1524 || !test_kdfs_same(kdf1, kdf2))
1531 if (!TEST_ptr(kdf1 = EVP_KDF_fetch(NULL, SN_tls1_prf, NULL))
1532 || !TEST_ptr(kdf2 = EVP_KDF_fetch(NULL, LN_tls1_prf, NULL))
1533 || !test_kdfs_same(kdf1, kdf2))
1535 /* kdf1 is re-used below, so don't free it here */
1539 if (!TEST_ptr(kdf2 = EVP_KDF_fetch(NULL, OBJ_nid2sn(NID_tls1_prf), NULL))
1540 || !test_kdfs_same(kdf1, kdf2))
1550 #if !defined(OPENSSL_NO_CMS) && !defined(OPENSSL_NO_DES)
1551 static int test_kdf_x942_asn1(void)
1554 EVP_KDF_CTX *kctx = NULL;
1555 OSSL_PARAM params[4], *p = params;
1556 const char *cek_alg = SN_id_smime_alg_CMS3DESwrap;
1557 unsigned char out[24];
1558 /* RFC2631 Section 2.1.6 Test data */
1559 static unsigned char z[] = {
1560 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,
1561 0x0e,0x0f,0x10,0x11,0x12,0x13
1563 static const unsigned char expected[sizeof(out)] = {
1564 0xa0,0x96,0x61,0x39,0x23,0x76,0xf7,0x04,
1565 0x4d,0x90,0x52,0xa3,0x97,0x88,0x32,0x46,
1566 0xb6,0x7f,0x5f,0x1e,0xf6,0x3e,0xb5,0xfb
1569 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
1571 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z,
1573 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_CEK_ALG,
1574 (char *)cek_alg, 0);
1575 *p = OSSL_PARAM_construct_end();
1578 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_X942KDF_ASN1))
1579 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
1580 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
1582 EVP_KDF_CTX_free(kctx);
1585 #endif /* OPENSSL_NO_CMS */
1587 static int test_kdf_krb5kdf(void)
1591 OSSL_PARAM params[4], *p = params;
1592 unsigned char out[16];
1593 static unsigned char key[] = {
1594 0x42, 0x26, 0x3C, 0x6E, 0x89, 0xF4, 0xFC, 0x28,
1595 0xB8, 0xDF, 0x68, 0xEE, 0x09, 0x79, 0x9F, 0x15
1597 static unsigned char constant[] = {
1598 0x00, 0x00, 0x00, 0x02, 0x99
1600 static const unsigned char expected[sizeof(out)] = {
1601 0x34, 0x28, 0x0A, 0x38, 0x2B, 0xC9, 0x27, 0x69,
1602 0xB2, 0xDA, 0x2F, 0x9E, 0xF0, 0x66, 0x85, 0x4B
1605 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_CIPHER,
1606 (char *)"AES-128-CBC", 0);
1607 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, key,
1609 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_CONSTANT,
1610 constant, sizeof(constant));
1611 *p = OSSL_PARAM_construct_end();
1614 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_KRB5KDF))
1615 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
1616 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
1618 EVP_KDF_CTX_free(kctx);
1622 int setup_tests(void)
1624 ADD_TEST(test_kdf_pbkdf1);
1625 #if !defined(OPENSSL_NO_CMAC) && !defined(OPENSSL_NO_CAMELLIA)
1626 ADD_TEST(test_kdf_kbkdf_6803_128);
1627 ADD_TEST(test_kdf_kbkdf_6803_256);
1629 ADD_TEST(test_kdf_kbkdf_invalid_digest);
1630 ADD_TEST(test_kdf_kbkdf_invalid_mac);
1631 ADD_TEST(test_kdf_kbkdf_zero_output_size);
1632 ADD_TEST(test_kdf_kbkdf_empty_key);
1633 ADD_TEST(test_kdf_kbkdf_1byte_key);
1634 ADD_TEST(test_kdf_kbkdf_8009_prf1);
1635 ADD_TEST(test_kdf_kbkdf_8009_prf2);
1636 #if !defined(OPENSSL_NO_CMAC)
1637 ADD_TEST(test_kdf_kbkdf_fixedinfo);
1639 ADD_TEST(test_kdf_get_kdf);
1640 ADD_TEST(test_kdf_tls1_prf);
1641 ADD_TEST(test_kdf_tls1_prf_invalid_digest);
1642 ADD_TEST(test_kdf_tls1_prf_zero_output_size);
1643 ADD_TEST(test_kdf_tls1_prf_empty_secret);
1644 ADD_TEST(test_kdf_tls1_prf_1byte_secret);
1645 ADD_TEST(test_kdf_tls1_prf_empty_seed);
1646 ADD_TEST(test_kdf_tls1_prf_1byte_seed);
1647 ADD_TEST(test_kdf_hkdf);
1648 ADD_TEST(test_kdf_hkdf_invalid_digest);
1649 ADD_TEST(test_kdf_hkdf_zero_output_size);
1650 ADD_TEST(test_kdf_hkdf_empty_key);
1651 ADD_TEST(test_kdf_hkdf_1byte_key);
1652 ADD_TEST(test_kdf_hkdf_empty_salt);
1653 ADD_TEST(test_kdf_hkdf_gettables);
1654 ADD_TEST(test_kdf_hkdf_gettables_expandonly);
1655 ADD_TEST(test_kdf_hkdf_gettables_no_digest);
1656 ADD_TEST(test_kdf_hkdf_derive_set_params_fail);
1657 ADD_TEST(test_kdf_hkdf_set_invalid_mode);
1658 ADD_TEST(test_kdf_hkdf_set_ctx_param_fail);
1659 ADD_TEST(test_kdf_pbkdf2);
1660 ADD_TEST(test_kdf_pbkdf2_small_output);
1661 ADD_TEST(test_kdf_pbkdf2_large_output);
1662 ADD_TEST(test_kdf_pbkdf2_small_salt);
1663 ADD_TEST(test_kdf_pbkdf2_small_iterations);
1664 ADD_TEST(test_kdf_pbkdf2_small_salt_pkcs5);
1665 ADD_TEST(test_kdf_pbkdf2_small_iterations_pkcs5);
1666 ADD_TEST(test_kdf_pbkdf2_invalid_digest);
1667 #ifndef OPENSSL_NO_SCRYPT
1668 ADD_TEST(test_kdf_scrypt);
1670 ADD_TEST(test_kdf_ss_hash);
1671 ADD_TEST(test_kdf_ss_hmac);
1672 ADD_TEST(test_kdf_ss_kmac);
1673 ADD_TEST(test_kdf_sshkdf);
1674 ADD_TEST(test_kdf_x963);
1675 #if !defined(OPENSSL_NO_CMS) && !defined(OPENSSL_NO_DES)
1676 ADD_TEST(test_kdf_x942_asn1);
1678 ADD_TEST(test_kdf_krb5kdf);