21a0c270fe8c90f17b20cfcc41b16de0ede27c19
[openssl.git] / test / evp_kdf_test.c
1 /*
2  * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved.
3  * Copyright (c) 2018-2019, Oracle and/or its affiliates.  All rights reserved.
4  *
5  * Licensed under the Apache License 2.0 (the "License").  You may not use
6  * this file except in compliance with the License.  You can obtain a copy
7  * in the file LICENSE in the source distribution or at
8  * https://www.openssl.org/source/license.html
9  */
10
11 /* Tests of the EVP_KDF_CTX APIs */
12
13 #include <stdio.h>
14 #include <string.h>
15
16 #include <openssl/evp.h>
17 #include <openssl/kdf.h>
18 #include <openssl/core_names.h>
19 #include "testutil.h"
20
21 static EVP_KDF_CTX *get_kdfbyname(const char *name)
22 {
23     EVP_KDF *kdf = EVP_KDF_fetch(NULL, name, NULL);
24     EVP_KDF_CTX *kctx = EVP_KDF_CTX_new(kdf);
25
26     EVP_KDF_free(kdf);
27     return kctx;
28 }
29
30 static int test_kdf_tls1_prf(void)
31 {
32     int ret;
33     EVP_KDF_CTX *kctx = NULL;
34     unsigned char out[16];
35     OSSL_PARAM params[4], *p = params;
36     static const unsigned char expected[sizeof(out)] = {
37         0x8e, 0x4d, 0x93, 0x25, 0x30, 0xd7, 0x65, 0xa0,
38         0xaa, 0xe9, 0x74, 0xc3, 0x04, 0x73, 0x5e, 0xcc
39     };
40
41     *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
42                                             (char *)"sha256", sizeof("sha256"));
43     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SECRET,
44                                              (unsigned char *)"secret",
45                                              (size_t)6);
46     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED,
47                                              (unsigned char *)"seed",
48                                              (size_t)4);
49     *p = OSSL_PARAM_construct_end();
50
51     ret =
52         TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
53         && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
54         && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
55         && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
56
57     EVP_KDF_CTX_free(kctx);
58     return ret;
59 }
60
61 static int test_kdf_hkdf(void)
62 {
63     int ret;
64     EVP_KDF_CTX *kctx;
65     unsigned char out[10];
66     OSSL_PARAM params[5], *p = params;
67     static const unsigned char expected[sizeof(out)] = {
68         0x2a, 0xc4, 0x36, 0x9f, 0x52, 0x59, 0x96, 0xf8, 0xde, 0x13
69     };
70
71     *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
72                                             (char *)"sha256", sizeof("sha256"));
73     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
74                                              (unsigned char *)"salt", 4);
75     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
76                                              (unsigned char *)"secret", 6);
77     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO,
78                                              (unsigned char *)"label", 5);
79     *p = OSSL_PARAM_construct_end();
80
81     ret =
82         TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))
83         && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
84         && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
85         && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
86
87     EVP_KDF_CTX_free(kctx);
88     return ret;
89 }
90
91 static int test_kdf_pbkdf2(void)
92 {
93     int ret = 0;
94     EVP_KDF_CTX *kctx;
95     unsigned char out[25];
96     size_t len = 0;
97     unsigned int iterations = 4096;
98     int mode = 0;
99     OSSL_PARAM params[6], *p = params;
100     const unsigned char expected[sizeof(out)] = {
101         0x34, 0x8c, 0x89, 0xdb, 0xcb, 0xd3, 0x2b, 0x2f,
102         0x32, 0xd8, 0x14, 0xb8, 0x11, 0x6e, 0x84, 0xcf,
103         0x2b, 0x17, 0x34, 0x7e, 0xbc, 0x18, 0x00, 0x18,
104         0x1c
105     };
106
107     if (sizeof(len) > 32)
108         len = SIZE_MAX;
109
110     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PASSWORD,
111                                              (unsigned char *)
112                                                 "passwordPASSWORDpassword", 24);
113     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
114                                              (unsigned char *)
115                                                 "saltSALTsaltSALTsaltSALTsaltSALTsalt",
116                                                 36);
117     *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_ITER, &iterations);
118     *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
119                                              (char *)"sha256", 7);
120     *p++ = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_PKCS5, &mode);
121     *p = OSSL_PARAM_construct_end();
122
123     if (!TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
124         || !TEST_true(EVP_KDF_CTX_set_params(kctx, params))
125         || !TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
126         || !TEST_mem_eq(out, sizeof(out), expected, sizeof(expected))
127         || !TEST_true(EVP_KDF_CTX_set_params(kctx, params))
128         /* A key length that is too small should fail */
129         || !TEST_int_eq(EVP_KDF_derive(kctx, out, 112 / 8 - 1), 0)
130         /* A key length that is too large should fail */
131         || (len != 0 && !TEST_int_eq(EVP_KDF_derive(kctx, out, len), 0)))
132         goto err;
133 #if 0
134 /* TODO */
135           /* Salt length less than 128 bits should fail */
136           || TEST_int_eq(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT,
137                                       "123456781234567",
138                                       (size_t)15), 0)
139           /* A small iteration count should fail */
140           || TEST_int_eq(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_ITER, 1), 0)
141           || TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PBKDF2_PKCS5_MODE,
142                                       1), 0)
143           /* Small salts will pass if the "pkcs5" mode is enabled */
144           || TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT,
145                                       "123456781234567",
146                                       (size_t)15), 0)
147           /* A small iteration count will pass if "pkcs5" mode is enabled */
148           || TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_ITER, 1), 0)
149           /*
150            * If the "pkcs5" mode is disabled then the small salt and iter will
151            * fail when the derive gets called.
152            */
153           || TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PBKDF2_PKCS5_MODE,
154                                       0), 0)
155           || TEST_int_eq(EVP_KDF_derive(kctx, out, sizeof(out)), 0);
156 #endif
157     ret = 1;
158 err:
159     EVP_KDF_CTX_free(kctx);
160     return ret;
161 }
162
163 #ifndef OPENSSL_NO_SCRYPT
164 static int test_kdf_scrypt(void)
165 {
166     int ret;
167     EVP_KDF_CTX *kctx;
168     OSSL_PARAM params[7], *p = params;
169     unsigned char out[64];
170     unsigned int nu = 1024, ru = 8, pu = 16, maxmem = 16;
171     static const unsigned char expected[sizeof(out)] = {
172         0xfd, 0xba, 0xbe, 0x1c, 0x9d, 0x34, 0x72, 0x00,
173         0x78, 0x56, 0xe7, 0x19, 0x0d, 0x01, 0xe9, 0xfe,
174         0x7c, 0x6a, 0xd7, 0xcb, 0xc8, 0x23, 0x78, 0x30,
175         0xe7, 0x73, 0x76, 0x63, 0x4b, 0x37, 0x31, 0x62,
176         0x2e, 0xaf, 0x30, 0xd9, 0x2e, 0x22, 0xa3, 0x88,
177         0x6f, 0xf1, 0x09, 0x27, 0x9d, 0x98, 0x30, 0xda,
178         0xc7, 0x27, 0xaf, 0xb9, 0x4a, 0x83, 0xee, 0x6d,
179         0x83, 0x60, 0xcb, 0xdf, 0xa2, 0xcc, 0x06, 0x40
180     };
181
182     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PASSWORD,
183                                              (char *)"password", 8);
184     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
185                                              (char *)"NaCl", 4);
186     *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_SCRYPT_N, &nu);
187     *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_SCRYPT_R, &ru);
188     *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_SCRYPT_P, &pu);
189     *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_SCRYPT_MAXMEM, &maxmem);
190     *p = OSSL_PARAM_construct_end();
191
192     ret =
193         TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SCRYPT))
194         && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
195         /* failure test *//*
196         && TEST_int_le(EVP_KDF_derive(kctx, out, sizeof(out)), 0)*/
197         && TEST_true(OSSL_PARAM_set_uint(p - 1, 10 * 1024 * 1024))
198         && TEST_true(EVP_KDF_CTX_set_params(kctx, p - 1))
199         && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
200         && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
201
202     EVP_KDF_CTX_free(kctx);
203     return ret;
204 }
205 #endif /* OPENSSL_NO_SCRYPT */
206
207 static int test_kdf_ss_hash(void)
208 {
209     int ret;
210     EVP_KDF_CTX *kctx;
211     OSSL_PARAM params[4], *p = params;
212     unsigned char out[14];
213     static unsigned char z[] = {
214         0x6d,0xbd,0xc2,0x3f,0x04,0x54,0x88,0xe4,0x06,0x27,0x57,0xb0,0x6b,0x9e,
215         0xba,0xe1,0x83,0xfc,0x5a,0x59,0x46,0xd8,0x0d,0xb9,0x3f,0xec,0x6f,0x62,
216         0xec,0x07,0xe3,0x72,0x7f,0x01,0x26,0xae,0xd1,0x2c,0xe4,0xb2,0x62,0xf4,
217         0x7d,0x48,0xd5,0x42,0x87,0xf8,0x1d,0x47,0x4c,0x7c,0x3b,0x18,0x50,0xe9
218     };
219     static unsigned char other[] = {
220         0xa1,0xb2,0xc3,0xd4,0xe5,0x43,0x41,0x56,0x53,0x69,0x64,0x3c,0x83,0x2e,
221         0x98,0x49,0xdc,0xdb,0xa7,0x1e,0x9a,0x31,0x39,0xe6,0x06,0xe0,0x95,0xde,
222         0x3c,0x26,0x4a,0x66,0xe9,0x8a,0x16,0x58,0x54,0xcd,0x07,0x98,0x9b,0x1e,
223         0xe0,0xec,0x3f,0x8d,0xbe
224     };
225     static const unsigned char expected[sizeof(out)] = {
226         0xa4,0x62,0xde,0x16,0xa8,0x9d,0xe8,0x46,0x6e,0xf5,0x46,0x0b,0x47,0xb8
227     };
228
229     *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
230                                             (char *)"sha224", sizeof("sha224"));
231     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z, sizeof(z));
232     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, other,
233                                              sizeof(other));
234     *p = OSSL_PARAM_construct_end();
235
236     ret =
237         TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SSKDF))
238         && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
239         && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
240         && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
241
242     EVP_KDF_CTX_free(kctx);
243     return ret;
244 }
245
246 static int test_kdf_x963(void)
247 {
248     int ret;
249     EVP_KDF_CTX *kctx;
250     OSSL_PARAM params[4], *p = params;
251     unsigned char out[1024 / 8];
252     /*
253      * Test data from https://csrc.nist.gov/CSRC/media/Projects/
254      *  Cryptographic-Algorithm-Validation-Program/documents/components/
255      *  800-135testvectors/ansx963_2001.zip
256      */
257     static unsigned char z[] = {
258         0x00, 0xaa, 0x5b, 0xb7, 0x9b, 0x33, 0xe3, 0x89, 0xfa, 0x58, 0xce, 0xad,
259         0xc0, 0x47, 0x19, 0x7f, 0x14, 0xe7, 0x37, 0x12, 0xf4, 0x52, 0xca, 0xa9,
260         0xfc, 0x4c, 0x9a, 0xdb, 0x36, 0x93, 0x48, 0xb8, 0x15, 0x07, 0x39, 0x2f,
261         0x1a, 0x86, 0xdd, 0xfd, 0xb7, 0xc4, 0xff, 0x82, 0x31, 0xc4, 0xbd, 0x0f,
262         0x44, 0xe4, 0x4a, 0x1b, 0x55, 0xb1, 0x40, 0x47, 0x47, 0xa9, 0xe2, 0xe7,
263         0x53, 0xf5, 0x5e, 0xf0, 0x5a, 0x2d
264     };
265     static unsigned char shared[] = {
266         0xe3, 0xb5, 0xb4, 0xc1, 0xb0, 0xd5, 0xcf, 0x1d, 0x2b, 0x3a, 0x2f, 0x99,
267         0x37, 0x89, 0x5d, 0x31
268     };
269     static const unsigned char expected[sizeof(out)] = {
270         0x44, 0x63, 0xf8, 0x69, 0xf3, 0xcc, 0x18, 0x76, 0x9b, 0x52, 0x26, 0x4b,
271         0x01, 0x12, 0xb5, 0x85, 0x8f, 0x7a, 0xd3, 0x2a, 0x5a, 0x2d, 0x96, 0xd8,
272         0xcf, 0xfa, 0xbf, 0x7f, 0xa7, 0x33, 0x63, 0x3d, 0x6e, 0x4d, 0xd2, 0xa5,
273         0x99, 0xac, 0xce, 0xb3, 0xea, 0x54, 0xa6, 0x21, 0x7c, 0xe0, 0xb5, 0x0e,
274         0xef, 0x4f, 0x6b, 0x40, 0xa5, 0xc3, 0x02, 0x50, 0xa5, 0xa8, 0xee, 0xee,
275         0x20, 0x80, 0x02, 0x26, 0x70, 0x89, 0xdb, 0xf3, 0x51, 0xf3, 0xf5, 0x02,
276         0x2a, 0xa9, 0x63, 0x8b, 0xf1, 0xee, 0x41, 0x9d, 0xea, 0x9c, 0x4f, 0xf7,
277         0x45, 0xa2, 0x5a, 0xc2, 0x7b, 0xda, 0x33, 0xca, 0x08, 0xbd, 0x56, 0xdd,
278         0x1a, 0x59, 0xb4, 0x10, 0x6c, 0xf2, 0xdb, 0xbc, 0x0a, 0xb2, 0xaa, 0x8e,
279         0x2e, 0xfa, 0x7b, 0x17, 0x90, 0x2d, 0x34, 0x27, 0x69, 0x51, 0xce, 0xcc,
280         0xab, 0x87, 0xf9, 0x66, 0x1c, 0x3e, 0x88, 0x16
281     };
282
283     *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
284                                             (char *)"sha512", sizeof("sha512"));
285     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z, sizeof(z));
286     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, shared,
287                                              sizeof(shared));
288     *p = OSSL_PARAM_construct_end();
289
290     ret =
291         TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_X963KDF))
292         && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
293         && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
294         && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
295
296     EVP_KDF_CTX_free(kctx);
297     return ret;
298 }
299
300 /*
301  * KBKDF test vectors from RFC 6803 (Camellia Encryption for Kerberos 5)
302  * section 10.
303  */
304 static int test_kdf_kbkdf_6803_128(void)
305 {
306     int ret = 0, i, p;
307     EVP_KDF_CTX *kctx;
308     OSSL_PARAM params[7];
309     static unsigned char input_key[] = {
310         0x57, 0xD0, 0x29, 0x72, 0x98, 0xFF, 0xD9, 0xD3,
311         0x5D, 0xE5, 0xA4, 0x7F, 0xB4, 0xBD, 0xE2, 0x4B,
312     };
313     static unsigned char constants[][5] = {
314         { 0x00, 0x00, 0x00, 0x02, 0x99 },
315         { 0x00, 0x00, 0x00, 0x02, 0xaa },
316         { 0x00, 0x00, 0x00, 0x02, 0x55 },
317     };
318     static unsigned char outputs[][16] = {
319         {0xD1, 0x55, 0x77, 0x5A, 0x20, 0x9D, 0x05, 0xF0,
320          0x2B, 0x38, 0xD4, 0x2A, 0x38, 0x9E, 0x5A, 0x56},
321         {0x64, 0xDF, 0x83, 0xF8, 0x5A, 0x53, 0x2F, 0x17,
322          0x57, 0x7D, 0x8C, 0x37, 0x03, 0x57, 0x96, 0xAB},
323         {0x3E, 0x4F, 0xBD, 0xF3, 0x0F, 0xB8, 0x25, 0x9C,
324          0x42, 0x5C, 0xB6, 0xC9, 0x6F, 0x1F, 0x46, 0x35}
325     };
326     static unsigned char iv[16] = { 0 };
327     unsigned char result[16] = { 0 };
328
329     for (i = 0; i < 3; i++) {
330         p = 0;
331         params[p++] = OSSL_PARAM_construct_utf8_string(
332             OSSL_KDF_PARAM_CIPHER, "CAMELLIA-128-CBC", 0);
333         params[p++] = OSSL_PARAM_construct_utf8_string(
334             OSSL_KDF_PARAM_MAC, "CMAC", 0);
335         params[p++] = OSSL_PARAM_construct_utf8_string(
336             OSSL_KDF_PARAM_MODE, "FEEDBACK", 0);
337         params[p++] = OSSL_PARAM_construct_octet_string(
338             OSSL_KDF_PARAM_KEY, input_key, sizeof(input_key));
339         params[p++] = OSSL_PARAM_construct_octet_string(
340             OSSL_KDF_PARAM_SALT, constants[i], sizeof(constants[i]));
341         params[p++] = OSSL_PARAM_construct_octet_string(
342             OSSL_KDF_PARAM_SEED, iv, sizeof(iv));
343         params[p] = OSSL_PARAM_construct_end();
344
345         kctx = get_kdfbyname("KBKDF");
346         ret = TEST_ptr(kctx)
347             && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
348             && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result)), 0)
349             && TEST_mem_eq(result, sizeof(result), outputs[i],
350                            sizeof(outputs[i]));
351         EVP_KDF_CTX_free(kctx);
352         if (ret != 1)
353             return ret;
354     }
355
356     return ret;
357 }
358
359 static int test_kdf_kbkdf_6803_256(void)
360 {
361     int ret = 0, i, p;
362     EVP_KDF_CTX *kctx;
363     OSSL_PARAM params[7];
364     static unsigned char input_key[] = {
365         0xB9, 0xD6, 0x82, 0x8B, 0x20, 0x56, 0xB7, 0xBE,
366         0x65, 0x6D, 0x88, 0xA1, 0x23, 0xB1, 0xFA, 0xC6,
367         0x82, 0x14, 0xAC, 0x2B, 0x72, 0x7E, 0xCF, 0x5F,
368         0x69, 0xAF, 0xE0, 0xC4, 0xDF, 0x2A, 0x6D, 0x2C,
369     };
370     static unsigned char constants[][5] = {
371         { 0x00, 0x00, 0x00, 0x02, 0x99 },
372         { 0x00, 0x00, 0x00, 0x02, 0xaa },
373         { 0x00, 0x00, 0x00, 0x02, 0x55 },
374     };
375     static unsigned char outputs[][32] = {
376         {0xE4, 0x67, 0xF9, 0xA9, 0x55, 0x2B, 0xC7, 0xD3,
377          0x15, 0x5A, 0x62, 0x20, 0xAF, 0x9C, 0x19, 0x22,
378          0x0E, 0xEE, 0xD4, 0xFF, 0x78, 0xB0, 0xD1, 0xE6,
379          0xA1, 0x54, 0x49, 0x91, 0x46, 0x1A, 0x9E, 0x50,
380         },
381         {0x41, 0x2A, 0xEF, 0xC3, 0x62, 0xA7, 0x28, 0x5F,
382          0xC3, 0x96, 0x6C, 0x6A, 0x51, 0x81, 0xE7, 0x60,
383          0x5A, 0xE6, 0x75, 0x23, 0x5B, 0x6D, 0x54, 0x9F,
384          0xBF, 0xC9, 0xAB, 0x66, 0x30, 0xA4, 0xC6, 0x04,
385         },
386         {0xFA, 0x62, 0x4F, 0xA0, 0xE5, 0x23, 0x99, 0x3F,
387          0xA3, 0x88, 0xAE, 0xFD, 0xC6, 0x7E, 0x67, 0xEB,
388          0xCD, 0x8C, 0x08, 0xE8, 0xA0, 0x24, 0x6B, 0x1D,
389          0x73, 0xB0, 0xD1, 0xDD, 0x9F, 0xC5, 0x82, 0xB0,
390         },
391     };
392     static unsigned char iv[16] = { 0 };
393     unsigned char result[32] = { 0 };
394
395     for (i = 0; i < 3; i++) {
396         p = 0;
397         params[p++] = OSSL_PARAM_construct_utf8_string(
398             OSSL_KDF_PARAM_CIPHER, "CAMELLIA-256-CBC", 0);
399         params[p++] = OSSL_PARAM_construct_utf8_string(
400             OSSL_KDF_PARAM_MAC, "CMAC", 0);
401         params[p++] = OSSL_PARAM_construct_utf8_string(
402             OSSL_KDF_PARAM_MODE, "FEEDBACK", 0);
403         params[p++] = OSSL_PARAM_construct_octet_string(
404             OSSL_KDF_PARAM_KEY, input_key, sizeof(input_key));
405         params[p++] = OSSL_PARAM_construct_octet_string(
406             OSSL_KDF_PARAM_SALT, constants[i], sizeof(constants[i]));
407         params[p++] = OSSL_PARAM_construct_octet_string(
408             OSSL_KDF_PARAM_SEED, iv, sizeof(iv));
409         params[p] = OSSL_PARAM_construct_end();
410
411         kctx = get_kdfbyname("KBKDF");
412         ret = TEST_ptr(kctx)
413             && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
414             && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result)), 0)
415             && TEST_mem_eq(result, sizeof(result), outputs[i],
416                            sizeof(outputs[i]));
417         EVP_KDF_CTX_free(kctx);
418         if (ret != 1)
419             return ret;
420     }
421
422     return ret;
423 }
424
425 /* Two test vectors from RFC 8009 (AES Encryption with HMAC-SHA2 for Kerberos
426  * 5) appendix A. */
427 static int test_kdf_kbkdf_8009_prf1(void)
428 {
429     int ret, i = 0;
430     EVP_KDF_CTX *kctx;
431     OSSL_PARAM params[6];
432     char *label = "prf", *digest = "sha256", *prf_input = "test",
433         *mac = "HMAC";
434     static unsigned char input_key[] = {
435         0x37, 0x05, 0xD9, 0x60, 0x80, 0xC1, 0x77, 0x28,
436         0xA0, 0xE8, 0x00, 0xEA, 0xB6, 0xE0, 0xD2, 0x3C,
437     };
438     static unsigned char output[] = {
439         0x9D, 0x18, 0x86, 0x16, 0xF6, 0x38, 0x52, 0xFE,
440         0x86, 0x91, 0x5B, 0xB8, 0x40, 0xB4, 0xA8, 0x86,
441         0xFF, 0x3E, 0x6B, 0xB0, 0xF8, 0x19, 0xB4, 0x9B,
442         0x89, 0x33, 0x93, 0xD3, 0x93, 0x85, 0x42, 0x95,
443     };
444     unsigned char result[sizeof(output)] = { 0 };
445
446     params[i++] = OSSL_PARAM_construct_utf8_string(
447         OSSL_KDF_PARAM_DIGEST, digest, strlen(digest) + 1);
448     params[i++] = OSSL_PARAM_construct_utf8_string(
449         OSSL_KDF_PARAM_MAC, mac, strlen(mac) + 1);
450     params[i++] = OSSL_PARAM_construct_octet_string(
451         OSSL_KDF_PARAM_KEY, input_key, sizeof(input_key));
452     params[i++] = OSSL_PARAM_construct_octet_string(
453         OSSL_KDF_PARAM_SALT, label, strlen(label));
454     params[i++] = OSSL_PARAM_construct_octet_string(
455         OSSL_KDF_PARAM_INFO, prf_input, strlen(prf_input));
456     params[i] = OSSL_PARAM_construct_end();
457
458     kctx = get_kdfbyname("KBKDF");
459     ret = TEST_ptr(kctx)
460         && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
461         && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result)), 0)
462         && TEST_mem_eq(result, sizeof(result), output, sizeof(output));
463
464     EVP_KDF_CTX_free(kctx);
465     return ret;
466 }
467
468 static int test_kdf_kbkdf_8009_prf2(void)
469 {
470     int ret, i = 0;
471     EVP_KDF_CTX *kctx;
472     OSSL_PARAM params[6];
473     char *label = "prf", *digest = "sha384", *prf_input = "test",
474         *mac = "HMAC";
475     static unsigned char input_key[] = {
476         0x6D, 0x40, 0x4D, 0x37, 0xFA, 0xF7, 0x9F, 0x9D,
477         0xF0, 0xD3, 0x35, 0x68, 0xD3, 0x20, 0x66, 0x98,
478         0x00, 0xEB, 0x48, 0x36, 0x47, 0x2E, 0xA8, 0xA0,
479         0x26, 0xD1, 0x6B, 0x71, 0x82, 0x46, 0x0C, 0x52,
480     };
481     static unsigned char output[] = {
482         0x98, 0x01, 0xF6, 0x9A, 0x36, 0x8C, 0x2B, 0xF6,
483         0x75, 0xE5, 0x95, 0x21, 0xE1, 0x77, 0xD9, 0xA0,
484         0x7F, 0x67, 0xEF, 0xE1, 0xCF, 0xDE, 0x8D, 0x3C,
485         0x8D, 0x6F, 0x6A, 0x02, 0x56, 0xE3, 0xB1, 0x7D,
486         0xB3, 0xC1, 0xB6, 0x2A, 0xD1, 0xB8, 0x55, 0x33,
487         0x60, 0xD1, 0x73, 0x67, 0xEB, 0x15, 0x14, 0xD2,
488     };
489     unsigned char result[sizeof(output)] = { 0 };
490
491     params[i++] = OSSL_PARAM_construct_utf8_string(
492         OSSL_KDF_PARAM_DIGEST, digest, strlen(digest) + 1);
493     params[i++] = OSSL_PARAM_construct_utf8_string(
494         OSSL_KDF_PARAM_MAC, mac, strlen(mac) + 1);
495     params[i++] = OSSL_PARAM_construct_octet_string(
496         OSSL_KDF_PARAM_KEY, input_key, sizeof(input_key));
497     params[i++] = OSSL_PARAM_construct_octet_string(
498         OSSL_KDF_PARAM_SALT, label, strlen(label));
499     params[i++] = OSSL_PARAM_construct_octet_string(
500         OSSL_KDF_PARAM_INFO, prf_input, strlen(prf_input));
501     params[i] = OSSL_PARAM_construct_end();
502
503     kctx = get_kdfbyname("KBKDF");
504     ret = TEST_ptr(kctx)
505         && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
506         && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result)), 0)
507         && TEST_mem_eq(result, sizeof(result), output, sizeof(output));
508
509     EVP_KDF_CTX_free(kctx);
510     return ret;
511 }
512
513 static int test_kdf_ss_hmac(void)
514 {
515     int ret;
516     EVP_KDF_CTX *kctx;
517     OSSL_PARAM params[6], *p = params;
518     unsigned char out[16];
519     static unsigned char z[] = {
520         0xb7,0x4a,0x14,0x9a,0x16,0x15,0x46,0xf8,0xc2,0x0b,0x06,0xac,0x4e,0xd4
521     };
522     static unsigned char other[] = {
523         0x34,0x8a,0x37,0xa2,0x7e,0xf1,0x28,0x2f,0x5f,0x02,0x0d,0xcc
524     };
525     static unsigned char salt[] = {
526         0x36,0x38,0x27,0x1c,0xcd,0x68,0xa2,0x5d,0xc2,0x4e,0xcd,0xdd,0x39,0xef,
527         0x3f,0x89
528     };
529     static const unsigned char expected[sizeof(out)] = {
530         0x44,0xf6,0x76,0xe8,0x5c,0x1b,0x1a,0x8b,0xbc,0x3d,0x31,0x92,0x18,0x63,
531         0x1c,0xa3
532     };
533
534     *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MAC,
535                                             (char *)OSSL_MAC_NAME_HMAC,
536                                             sizeof(OSSL_MAC_NAME_HMAC));
537     *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
538                                             (char *)"sha256", sizeof("sha256"));
539     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z, sizeof(z));
540     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, other,
541                                              sizeof(other));
542     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT, salt,
543                                              sizeof(salt));
544     *p = OSSL_PARAM_construct_end();
545
546     ret =
547         TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SSKDF))
548         && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
549         && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
550         && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
551
552     EVP_KDF_CTX_free(kctx);
553     return ret;
554 }
555
556 static int test_kdf_ss_kmac(void)
557 {
558     int ret;
559     EVP_KDF_CTX *kctx;
560     OSSL_PARAM params[6], *p = params;
561     unsigned char out[64];
562     size_t mac_size = 20;
563     static unsigned char z[] = {
564         0xb7,0x4a,0x14,0x9a,0x16,0x15,0x46,0xf8,0xc2,0x0b,0x06,0xac,0x4e,0xd4
565     };
566     static unsigned char other[] = {
567         0x34,0x8a,0x37,0xa2,0x7e,0xf1,0x28,0x2f,0x5f,0x02,0x0d,0xcc
568     };
569     static unsigned char salt[] = {
570         0x36,0x38,0x27,0x1c,0xcd,0x68,0xa2,0x5d,0xc2,0x4e,0xcd,0xdd,0x39,0xef,
571         0x3f,0x89
572     };
573     static const unsigned char expected[sizeof(out)] = {
574         0xe9,0xc1,0x84,0x53,0xa0,0x62,0xb5,0x3b,0xdb,0xfc,0xbb,0x5a,0x34,0xbd,
575         0xb8,0xe5,0xe7,0x07,0xee,0xbb,0x5d,0xd1,0x34,0x42,0x43,0xd8,0xcf,0xc2,
576         0xc2,0xe6,0x33,0x2f,0x91,0xbd,0xa5,0x86,0xf3,0x7d,0xe4,0x8a,0x65,0xd4,
577         0xc5,0x14,0xfd,0xef,0xaa,0x1e,0x67,0x54,0xf3,0x73,0xd2,0x38,0xe1,0x95,
578         0xae,0x15,0x7e,0x1d,0xe8,0x14,0x98,0x03
579     };
580
581     *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MAC,
582                                             (char *)OSSL_MAC_NAME_KMAC128,
583                                             sizeof(OSSL_MAC_NAME_KMAC128));
584     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z, sizeof(z));
585     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, other,
586                                              sizeof(other));
587     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT, salt,
588                                              sizeof(salt));
589     *p++ = OSSL_PARAM_construct_size_t(OSSL_KDF_PARAM_MAC_SIZE, &mac_size);
590     *p = OSSL_PARAM_construct_end();
591
592     ret =
593         TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SSKDF))
594         && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
595         && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
596         && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
597
598     EVP_KDF_CTX_free(kctx);
599     return ret;
600 }
601
602 static int test_kdf_sshkdf(void)
603 {
604     int ret;
605     EVP_KDF_CTX *kctx;
606     OSSL_PARAM params[6], *p = params;
607     char kdftype = EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV;
608     unsigned char out[8];
609     /* Test data from NIST CAVS 14.1 test vectors */
610     static unsigned char key[] = {
611         0x00, 0x00, 0x00, 0x81, 0x00, 0x87, 0x5c, 0x55, 0x1c, 0xef, 0x52, 0x6a,
612         0x4a, 0x8b, 0xe1, 0xa7, 0xdf, 0x27, 0xe9, 0xed, 0x35, 0x4b, 0xac, 0x9a,
613         0xfb, 0x71, 0xf5, 0x3d, 0xba, 0xe9, 0x05, 0x67, 0x9d, 0x14, 0xf9, 0xfa,
614         0xf2, 0x46, 0x9c, 0x53, 0x45, 0x7c, 0xf8, 0x0a, 0x36, 0x6b, 0xe2, 0x78,
615         0x96, 0x5b, 0xa6, 0x25, 0x52, 0x76, 0xca, 0x2d, 0x9f, 0x4a, 0x97, 0xd2,
616         0x71, 0xf7, 0x1e, 0x50, 0xd8, 0xa9, 0xec, 0x46, 0x25, 0x3a, 0x6a, 0x90,
617         0x6a, 0xc2, 0xc5, 0xe4, 0xf4, 0x8b, 0x27, 0xa6, 0x3c, 0xe0, 0x8d, 0x80,
618         0x39, 0x0a, 0x49, 0x2a, 0xa4, 0x3b, 0xad, 0x9d, 0x88, 0x2c, 0xca, 0xc2,
619         0x3d, 0xac, 0x88, 0xbc, 0xad, 0xa4, 0xb4, 0xd4, 0x26, 0xa3, 0x62, 0x08,
620         0x3d, 0xab, 0x65, 0x69, 0xc5, 0x4c, 0x22, 0x4d, 0xd2, 0xd8, 0x76, 0x43,
621         0xaa, 0x22, 0x76, 0x93, 0xe1, 0x41, 0xad, 0x16, 0x30, 0xce, 0x13, 0x14,
622         0x4e
623     };
624     static unsigned char xcghash[] = {
625         0x0e, 0x68, 0x3f, 0xc8, 0xa9, 0xed, 0x7c, 0x2f, 0xf0, 0x2d, 0xef, 0x23,
626         0xb2, 0x74, 0x5e, 0xbc, 0x99, 0xb2, 0x67, 0xda, 0xa8, 0x6a, 0x4a, 0xa7,
627         0x69, 0x72, 0x39, 0x08, 0x82, 0x53, 0xf6, 0x42
628     };
629     static unsigned char sessid[] = {
630         0x0e, 0x68, 0x3f, 0xc8, 0xa9, 0xed, 0x7c, 0x2f, 0xf0, 0x2d, 0xef, 0x23,
631         0xb2, 0x74, 0x5e, 0xbc, 0x99, 0xb2, 0x67, 0xda, 0xa8, 0x6a, 0x4a, 0xa7,
632         0x69, 0x72, 0x39, 0x08, 0x82, 0x53, 0xf6, 0x42
633     };
634     static const unsigned char expected[sizeof(out)] = {
635         0x41, 0xff, 0x2e, 0xad, 0x16, 0x83, 0xf1, 0xe6
636     };
637
638     *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
639                                             (char *)"sha256", sizeof("sha256"));
640     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, key,
641                                              sizeof(key));
642     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SSHKDF_XCGHASH,
643                                              xcghash, sizeof(xcghash));
644     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SSHKDF_SESSION_ID,
645                                              sessid, sizeof(sessid));
646     *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_SSHKDF_TYPE,
647                                             &kdftype, sizeof(kdftype));
648     *p = OSSL_PARAM_construct_end();
649
650     ret =
651         TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SSHKDF))
652         && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
653         && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
654         && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
655
656     EVP_KDF_CTX_free(kctx);
657     return ret;
658 }
659
660 static int test_kdf_get_kdf(void)
661 {
662     EVP_KDF *kdf1 = NULL, *kdf2 = NULL;
663     ASN1_OBJECT *obj;
664     int ok = 1;
665
666     if (!TEST_ptr(obj = OBJ_nid2obj(NID_id_pbkdf2))
667         || !TEST_ptr(kdf1 = EVP_KDF_fetch(NULL, OSSL_KDF_NAME_PBKDF2, NULL))
668         || !TEST_ptr(kdf2 = EVP_KDF_fetch(NULL, OBJ_nid2sn(OBJ_obj2nid(obj)),
669                                           NULL))
670         || !TEST_ptr_eq(kdf1, kdf2))
671         ok = 0;
672     EVP_KDF_free(kdf1);
673     kdf1 = NULL;
674     EVP_KDF_free(kdf2);
675     kdf2 = NULL;
676
677     if (!TEST_ptr(kdf1 = EVP_KDF_fetch(NULL, SN_tls1_prf, NULL))
678         || !TEST_ptr(kdf2 = EVP_KDF_fetch(NULL, LN_tls1_prf, NULL))
679         || !TEST_ptr_eq(kdf1, kdf2))
680         ok = 0;
681     /* kdf1 is re-used below, so don't free it here */
682     EVP_KDF_free(kdf2);
683     kdf2 = NULL;
684
685     if (!TEST_ptr(kdf2 = EVP_KDF_fetch(NULL, OBJ_nid2sn(NID_tls1_prf), NULL))
686         || !TEST_ptr_eq(kdf1, kdf2))
687         ok = 0;
688     EVP_KDF_free(kdf1);
689     kdf1 = NULL;
690     EVP_KDF_free(kdf2);
691     kdf2 = NULL;
692
693     return ok;
694 }
695
696 #ifndef OPENSSL_NO_CMS
697 static int test_kdf_x942_asn1(void)
698 {
699     int ret;
700     EVP_KDF_CTX *kctx = NULL;
701     OSSL_PARAM params[4], *p = params;
702     const char *cek_alg = SN_id_smime_alg_CMS3DESwrap;
703     unsigned char out[24];
704     /* RFC2631 Section 2.1.6 Test data */
705     static unsigned char z[] = {
706         0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,
707         0x0e,0x0f,0x10,0x11,0x12,0x13
708     };
709     static const unsigned char expected[sizeof(out)] = {
710         0xa0,0x96,0x61,0x39,0x23,0x76,0xf7,0x04,
711         0x4d,0x90,0x52,0xa3,0x97,0x88,0x32,0x46,
712         0xb6,0x7f,0x5f,0x1e,0xf6,0x3e,0xb5,0xfb
713     };
714
715     *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
716                                             (char *)"sha1", sizeof("sha1"));
717     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z,
718                                              sizeof(z));
719     *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_CEK_ALG,
720                                             (char *)cek_alg,
721                                             strlen(cek_alg) + 1);
722     *p = OSSL_PARAM_construct_end();
723
724     ret =
725         TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_X942KDF))
726         && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
727         && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
728         && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
729
730     EVP_KDF_CTX_free(kctx);
731     return ret;
732 }
733 #endif /* OPENSSL_NO_CMS */
734
735 int setup_tests(void)
736 {
737     ADD_TEST(test_kdf_kbkdf_6803_128);
738     ADD_TEST(test_kdf_kbkdf_6803_256);
739     ADD_TEST(test_kdf_kbkdf_8009_prf1);
740     ADD_TEST(test_kdf_kbkdf_8009_prf2);
741     ADD_TEST(test_kdf_get_kdf);
742     ADD_TEST(test_kdf_tls1_prf);
743     ADD_TEST(test_kdf_hkdf);
744     ADD_TEST(test_kdf_pbkdf2);
745 #ifndef OPENSSL_NO_SCRYPT
746     ADD_TEST(test_kdf_scrypt);
747 #endif
748     ADD_TEST(test_kdf_ss_hash);
749     ADD_TEST(test_kdf_ss_hmac);
750     ADD_TEST(test_kdf_ss_kmac);
751     ADD_TEST(test_kdf_sshkdf);
752     ADD_TEST(test_kdf_x963);
753 #ifndef OPENSSL_NO_CMS
754     ADD_TEST(test_kdf_x942_asn1);
755 #endif
756     return 1;
757 }