[KDF] Add KBKDF implementation for counter-mode HMAC
[openssl.git] / test / evp_kdf_test.c
1 /*
2  * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved.
3  * Copyright (c) 2018-2019, Oracle and/or its affiliates.  All rights reserved.
4  *
5  * Licensed under the Apache License 2.0 (the "License").  You may not use
6  * this file except in compliance with the License.  You can obtain a copy
7  * in the file LICENSE in the source distribution or at
8  * https://www.openssl.org/source/license.html
9  */
10
11 /* Tests of the EVP_KDF_CTX APIs */
12
13 #include <stdio.h>
14 #include <string.h>
15
16 #include <openssl/evp.h>
17 #include <openssl/kdf.h>
18 #include <openssl/core_names.h>
19 #include "testutil.h"
20
21 static EVP_KDF_CTX *get_kdfbyname(const char *name)
22 {
23     EVP_KDF *kdf = EVP_KDF_fetch(NULL, name, NULL);
24     EVP_KDF_CTX *kctx = EVP_KDF_CTX_new(kdf);
25
26     EVP_KDF_free(kdf);
27     return kctx;
28 }
29
30 static int test_kdf_tls1_prf(void)
31 {
32     int ret;
33     EVP_KDF_CTX *kctx = NULL;
34     unsigned char out[16];
35     OSSL_PARAM params[4], *p = params;
36     static const unsigned char expected[sizeof(out)] = {
37         0x8e, 0x4d, 0x93, 0x25, 0x30, 0xd7, 0x65, 0xa0,
38         0xaa, 0xe9, 0x74, 0xc3, 0x04, 0x73, 0x5e, 0xcc
39     };
40
41     *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
42                                             (char *)"sha256", sizeof("sha256"));
43     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SECRET,
44                                              (unsigned char *)"secret",
45                                              (size_t)6);
46     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED,
47                                              (unsigned char *)"seed",
48                                              (size_t)4);
49     *p = OSSL_PARAM_construct_end();
50
51     ret =
52         TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
53         && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
54         && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
55         && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
56
57     EVP_KDF_CTX_free(kctx);
58     return ret;
59 }
60
61 static int test_kdf_hkdf(void)
62 {
63     int ret;
64     EVP_KDF_CTX *kctx;
65     unsigned char out[10];
66     OSSL_PARAM params[5], *p = params;
67     static const unsigned char expected[sizeof(out)] = {
68         0x2a, 0xc4, 0x36, 0x9f, 0x52, 0x59, 0x96, 0xf8, 0xde, 0x13
69     };
70
71     *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
72                                             (char *)"sha256", sizeof("sha256"));
73     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
74                                              (unsigned char *)"salt", 4);
75     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
76                                              (unsigned char *)"secret", 6);
77     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO,
78                                              (unsigned char *)"label", 5);
79     *p = OSSL_PARAM_construct_end();
80
81     ret =
82         TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))
83         && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
84         && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
85         && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
86
87     EVP_KDF_CTX_free(kctx);
88     return ret;
89 }
90
91 static int test_kdf_pbkdf2(void)
92 {
93     int ret = 0;
94     EVP_KDF_CTX *kctx;
95     unsigned char out[25];
96     size_t len = 0;
97     unsigned int iterations = 4096;
98     int mode = 0;
99     OSSL_PARAM params[6], *p = params;
100     const unsigned char expected[sizeof(out)] = {
101         0x34, 0x8c, 0x89, 0xdb, 0xcb, 0xd3, 0x2b, 0x2f,
102         0x32, 0xd8, 0x14, 0xb8, 0x11, 0x6e, 0x84, 0xcf,
103         0x2b, 0x17, 0x34, 0x7e, 0xbc, 0x18, 0x00, 0x18,
104         0x1c
105     };
106
107     if (sizeof(len) > 32)
108         len = SIZE_MAX;
109
110     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PASSWORD,
111                                              (unsigned char *)
112                                                 "passwordPASSWORDpassword", 24);
113     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
114                                              (unsigned char *)
115                                                 "saltSALTsaltSALTsaltSALTsaltSALTsalt",
116                                                 36);
117     *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_ITER, &iterations);
118     *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
119                                              (char *)"sha256", 7);
120     *p++ = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_PKCS5, &mode);
121     *p = OSSL_PARAM_construct_end();
122
123     if (!TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
124         || !TEST_true(EVP_KDF_CTX_set_params(kctx, params))
125         || !TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
126         || !TEST_mem_eq(out, sizeof(out), expected, sizeof(expected))
127         || !TEST_true(EVP_KDF_CTX_set_params(kctx, params))
128         /* A key length that is too small should fail */
129         || !TEST_int_eq(EVP_KDF_derive(kctx, out, 112 / 8 - 1), 0)
130         /* A key length that is too large should fail */
131         || (len != 0 && !TEST_int_eq(EVP_KDF_derive(kctx, out, len), 0)))
132         goto err;
133 #if 0
134 /* TODO */
135           /* Salt length less than 128 bits should fail */
136           || TEST_int_eq(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT,
137                                       "123456781234567",
138                                       (size_t)15), 0)
139           /* A small iteration count should fail */
140           || TEST_int_eq(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_ITER, 1), 0)
141           || TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PBKDF2_PKCS5_MODE,
142                                       1), 0)
143           /* Small salts will pass if the "pkcs5" mode is enabled */
144           || TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT,
145                                       "123456781234567",
146                                       (size_t)15), 0)
147           /* A small iteration count will pass if "pkcs5" mode is enabled */
148           || TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_ITER, 1), 0)
149           /*
150            * If the "pkcs5" mode is disabled then the small salt and iter will
151            * fail when the derive gets called.
152            */
153           || TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PBKDF2_PKCS5_MODE,
154                                       0), 0)
155           || TEST_int_eq(EVP_KDF_derive(kctx, out, sizeof(out)), 0);
156 #endif
157     ret = 1;
158 err:
159     EVP_KDF_CTX_free(kctx);
160     return ret;
161 }
162
163 #ifndef OPENSSL_NO_SCRYPT
164 static int test_kdf_scrypt(void)
165 {
166     int ret;
167     EVP_KDF_CTX *kctx;
168     OSSL_PARAM params[7], *p = params;
169     unsigned char out[64];
170     unsigned int nu = 1024, ru = 8, pu = 16, maxmem = 16;
171     static const unsigned char expected[sizeof(out)] = {
172         0xfd, 0xba, 0xbe, 0x1c, 0x9d, 0x34, 0x72, 0x00,
173         0x78, 0x56, 0xe7, 0x19, 0x0d, 0x01, 0xe9, 0xfe,
174         0x7c, 0x6a, 0xd7, 0xcb, 0xc8, 0x23, 0x78, 0x30,
175         0xe7, 0x73, 0x76, 0x63, 0x4b, 0x37, 0x31, 0x62,
176         0x2e, 0xaf, 0x30, 0xd9, 0x2e, 0x22, 0xa3, 0x88,
177         0x6f, 0xf1, 0x09, 0x27, 0x9d, 0x98, 0x30, 0xda,
178         0xc7, 0x27, 0xaf, 0xb9, 0x4a, 0x83, 0xee, 0x6d,
179         0x83, 0x60, 0xcb, 0xdf, 0xa2, 0xcc, 0x06, 0x40
180     };
181
182     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PASSWORD,
183                                              (char *)"password", 8);
184     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
185                                              (char *)"NaCl", 4);
186     *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_SCRYPT_N, &nu);
187     *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_SCRYPT_R, &ru);
188     *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_SCRYPT_P, &pu);
189     *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_SCRYPT_MAXMEM, &maxmem);
190     *p = OSSL_PARAM_construct_end();
191
192     ret =
193         TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SCRYPT))
194         && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
195         /* failure test *//*
196         && TEST_int_le(EVP_KDF_derive(kctx, out, sizeof(out)), 0)*/
197         && TEST_true(OSSL_PARAM_set_uint(p - 1, 10 * 1024 * 1024))
198         && TEST_true(EVP_KDF_CTX_set_params(kctx, p - 1))
199         && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
200         && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
201
202     EVP_KDF_CTX_free(kctx);
203     return ret;
204 }
205 #endif /* OPENSSL_NO_SCRYPT */
206
207 static int test_kdf_ss_hash(void)
208 {
209     int ret;
210     EVP_KDF_CTX *kctx;
211     OSSL_PARAM params[4], *p = params;
212     unsigned char out[14];
213     static unsigned char z[] = {
214         0x6d,0xbd,0xc2,0x3f,0x04,0x54,0x88,0xe4,0x06,0x27,0x57,0xb0,0x6b,0x9e,
215         0xba,0xe1,0x83,0xfc,0x5a,0x59,0x46,0xd8,0x0d,0xb9,0x3f,0xec,0x6f,0x62,
216         0xec,0x07,0xe3,0x72,0x7f,0x01,0x26,0xae,0xd1,0x2c,0xe4,0xb2,0x62,0xf4,
217         0x7d,0x48,0xd5,0x42,0x87,0xf8,0x1d,0x47,0x4c,0x7c,0x3b,0x18,0x50,0xe9
218     };
219     static unsigned char other[] = {
220         0xa1,0xb2,0xc3,0xd4,0xe5,0x43,0x41,0x56,0x53,0x69,0x64,0x3c,0x83,0x2e,
221         0x98,0x49,0xdc,0xdb,0xa7,0x1e,0x9a,0x31,0x39,0xe6,0x06,0xe0,0x95,0xde,
222         0x3c,0x26,0x4a,0x66,0xe9,0x8a,0x16,0x58,0x54,0xcd,0x07,0x98,0x9b,0x1e,
223         0xe0,0xec,0x3f,0x8d,0xbe
224     };
225     static const unsigned char expected[sizeof(out)] = {
226         0xa4,0x62,0xde,0x16,0xa8,0x9d,0xe8,0x46,0x6e,0xf5,0x46,0x0b,0x47,0xb8
227     };
228
229     *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
230                                             (char *)"sha224", sizeof("sha224"));
231     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z, sizeof(z));
232     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, other,
233                                              sizeof(other));
234     *p = OSSL_PARAM_construct_end();
235
236     ret =
237         TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SSKDF))
238         && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
239         && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
240         && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
241
242     EVP_KDF_CTX_free(kctx);
243     return ret;
244 }
245
246 static int test_kdf_x963(void)
247 {
248     int ret;
249     EVP_KDF_CTX *kctx;
250     OSSL_PARAM params[4], *p = params;
251     unsigned char out[1024 / 8];
252     /*
253      * Test data from https://csrc.nist.gov/CSRC/media/Projects/
254      *  Cryptographic-Algorithm-Validation-Program/documents/components/
255      *  800-135testvectors/ansx963_2001.zip
256      */
257     static unsigned char z[] = {
258         0x00, 0xaa, 0x5b, 0xb7, 0x9b, 0x33, 0xe3, 0x89, 0xfa, 0x58, 0xce, 0xad,
259         0xc0, 0x47, 0x19, 0x7f, 0x14, 0xe7, 0x37, 0x12, 0xf4, 0x52, 0xca, 0xa9,
260         0xfc, 0x4c, 0x9a, 0xdb, 0x36, 0x93, 0x48, 0xb8, 0x15, 0x07, 0x39, 0x2f,
261         0x1a, 0x86, 0xdd, 0xfd, 0xb7, 0xc4, 0xff, 0x82, 0x31, 0xc4, 0xbd, 0x0f,
262         0x44, 0xe4, 0x4a, 0x1b, 0x55, 0xb1, 0x40, 0x47, 0x47, 0xa9, 0xe2, 0xe7,
263         0x53, 0xf5, 0x5e, 0xf0, 0x5a, 0x2d
264     };
265     static unsigned char shared[] = {
266         0xe3, 0xb5, 0xb4, 0xc1, 0xb0, 0xd5, 0xcf, 0x1d, 0x2b, 0x3a, 0x2f, 0x99,
267         0x37, 0x89, 0x5d, 0x31
268     };
269     static const unsigned char expected[sizeof(out)] = {
270         0x44, 0x63, 0xf8, 0x69, 0xf3, 0xcc, 0x18, 0x76, 0x9b, 0x52, 0x26, 0x4b,
271         0x01, 0x12, 0xb5, 0x85, 0x8f, 0x7a, 0xd3, 0x2a, 0x5a, 0x2d, 0x96, 0xd8,
272         0xcf, 0xfa, 0xbf, 0x7f, 0xa7, 0x33, 0x63, 0x3d, 0x6e, 0x4d, 0xd2, 0xa5,
273         0x99, 0xac, 0xce, 0xb3, 0xea, 0x54, 0xa6, 0x21, 0x7c, 0xe0, 0xb5, 0x0e,
274         0xef, 0x4f, 0x6b, 0x40, 0xa5, 0xc3, 0x02, 0x50, 0xa5, 0xa8, 0xee, 0xee,
275         0x20, 0x80, 0x02, 0x26, 0x70, 0x89, 0xdb, 0xf3, 0x51, 0xf3, 0xf5, 0x02,
276         0x2a, 0xa9, 0x63, 0x8b, 0xf1, 0xee, 0x41, 0x9d, 0xea, 0x9c, 0x4f, 0xf7,
277         0x45, 0xa2, 0x5a, 0xc2, 0x7b, 0xda, 0x33, 0xca, 0x08, 0xbd, 0x56, 0xdd,
278         0x1a, 0x59, 0xb4, 0x10, 0x6c, 0xf2, 0xdb, 0xbc, 0x0a, 0xb2, 0xaa, 0x8e,
279         0x2e, 0xfa, 0x7b, 0x17, 0x90, 0x2d, 0x34, 0x27, 0x69, 0x51, 0xce, 0xcc,
280         0xab, 0x87, 0xf9, 0x66, 0x1c, 0x3e, 0x88, 0x16
281     };
282
283     *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
284                                             (char *)"sha512", sizeof("sha512"));
285     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z, sizeof(z));
286     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, shared,
287                                              sizeof(shared));
288     *p = OSSL_PARAM_construct_end();
289
290     ret =
291         TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_X963KDF))
292         && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
293         && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
294         && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
295
296     EVP_KDF_CTX_free(kctx);
297     return ret;
298 }
299
300 /* Two test vectors from RFC 8009 (AES Encryption with HMAC-SHA2 for Kerberos
301  * 5) appendix A. */
302 static int test_kdf_kbkdf_8009_prf1(void)
303 {
304     int ret, i = 0;
305     EVP_KDF_CTX *kctx;
306     OSSL_PARAM params[6];
307     char *label = "prf", *digest = "sha256", *prf_input = "test",
308         *mac = "HMAC";
309     static unsigned char input_key[] = {
310         0x37, 0x05, 0xD9, 0x60, 0x80, 0xC1, 0x77, 0x28,
311         0xA0, 0xE8, 0x00, 0xEA, 0xB6, 0xE0, 0xD2, 0x3C,
312     };
313     static unsigned char output[] = {
314         0x9D, 0x18, 0x86, 0x16, 0xF6, 0x38, 0x52, 0xFE,
315         0x86, 0x91, 0x5B, 0xB8, 0x40, 0xB4, 0xA8, 0x86,
316         0xFF, 0x3E, 0x6B, 0xB0, 0xF8, 0x19, 0xB4, 0x9B,
317         0x89, 0x33, 0x93, 0xD3, 0x93, 0x85, 0x42, 0x95,
318     };
319     unsigned char result[sizeof(output)] = { 0 };
320
321     params[i++] = OSSL_PARAM_construct_utf8_string(
322         OSSL_KDF_PARAM_DIGEST, digest, strlen(digest) + 1);
323     params[i++] = OSSL_PARAM_construct_utf8_string(
324         OSSL_KDF_PARAM_MAC, mac, strlen(mac) + 1);
325     params[i++] = OSSL_PARAM_construct_octet_string(
326         OSSL_KDF_PARAM_KEY, input_key, sizeof(input_key));
327     params[i++] = OSSL_PARAM_construct_octet_string(
328         OSSL_KDF_PARAM_SALT, label, strlen(label));
329     params[i++] = OSSL_PARAM_construct_octet_string(
330         OSSL_KDF_PARAM_INFO, prf_input, strlen(prf_input));
331     params[i] = OSSL_PARAM_construct_end();
332
333     kctx = get_kdfbyname("KBKDF");
334     ret = TEST_ptr(kctx)
335         && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
336         && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result)), 0)
337         && TEST_mem_eq(result, sizeof(result), output, sizeof(output));
338
339     EVP_KDF_CTX_free(kctx);
340     return ret;
341 }
342
343 static int test_kdf_kbkdf_8009_prf2(void)
344 {
345     int ret, i = 0;
346     EVP_KDF_CTX *kctx;
347     OSSL_PARAM params[6];
348     char *label = "prf", *digest = "sha384", *prf_input = "test",
349         *mac = "HMAC";
350     static unsigned char input_key[] = {
351         0x6D, 0x40, 0x4D, 0x37, 0xFA, 0xF7, 0x9F, 0x9D,
352         0xF0, 0xD3, 0x35, 0x68, 0xD3, 0x20, 0x66, 0x98,
353         0x00, 0xEB, 0x48, 0x36, 0x47, 0x2E, 0xA8, 0xA0,
354         0x26, 0xD1, 0x6B, 0x71, 0x82, 0x46, 0x0C, 0x52,
355     };
356     static unsigned char output[] = {
357         0x98, 0x01, 0xF6, 0x9A, 0x36, 0x8C, 0x2B, 0xF6,
358         0x75, 0xE5, 0x95, 0x21, 0xE1, 0x77, 0xD9, 0xA0,
359         0x7F, 0x67, 0xEF, 0xE1, 0xCF, 0xDE, 0x8D, 0x3C,
360         0x8D, 0x6F, 0x6A, 0x02, 0x56, 0xE3, 0xB1, 0x7D,
361         0xB3, 0xC1, 0xB6, 0x2A, 0xD1, 0xB8, 0x55, 0x33,
362         0x60, 0xD1, 0x73, 0x67, 0xEB, 0x15, 0x14, 0xD2,
363     };
364     unsigned char result[sizeof(output)] = { 0 };
365
366     params[i++] = OSSL_PARAM_construct_utf8_string(
367         OSSL_KDF_PARAM_DIGEST, digest, strlen(digest) + 1);
368     params[i++] = OSSL_PARAM_construct_utf8_string(
369         OSSL_KDF_PARAM_MAC, mac, strlen(mac) + 1);
370     params[i++] = OSSL_PARAM_construct_octet_string(
371         OSSL_KDF_PARAM_KEY, input_key, sizeof(input_key));
372     params[i++] = OSSL_PARAM_construct_octet_string(
373         OSSL_KDF_PARAM_SALT, label, strlen(label));
374     params[i++] = OSSL_PARAM_construct_octet_string(
375         OSSL_KDF_PARAM_INFO, prf_input, strlen(prf_input));
376     params[i] = OSSL_PARAM_construct_end();
377
378     kctx = get_kdfbyname("KBKDF");
379     ret = TEST_ptr(kctx)
380         && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
381         && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result)), 0)
382         && TEST_mem_eq(result, sizeof(result), output, sizeof(output));
383
384     EVP_KDF_CTX_free(kctx);
385     return ret;
386 }
387
388 static int test_kdf_ss_hmac(void)
389 {
390     int ret;
391     EVP_KDF_CTX *kctx;
392     OSSL_PARAM params[6], *p = params;
393     unsigned char out[16];
394     static unsigned char z[] = {
395         0xb7,0x4a,0x14,0x9a,0x16,0x15,0x46,0xf8,0xc2,0x0b,0x06,0xac,0x4e,0xd4
396     };
397     static unsigned char other[] = {
398         0x34,0x8a,0x37,0xa2,0x7e,0xf1,0x28,0x2f,0x5f,0x02,0x0d,0xcc
399     };
400     static unsigned char salt[] = {
401         0x36,0x38,0x27,0x1c,0xcd,0x68,0xa2,0x5d,0xc2,0x4e,0xcd,0xdd,0x39,0xef,
402         0x3f,0x89
403     };
404     static const unsigned char expected[sizeof(out)] = {
405         0x44,0xf6,0x76,0xe8,0x5c,0x1b,0x1a,0x8b,0xbc,0x3d,0x31,0x92,0x18,0x63,
406         0x1c,0xa3
407     };
408
409     *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MAC,
410                                             (char *)OSSL_MAC_NAME_HMAC,
411                                             sizeof(OSSL_MAC_NAME_HMAC));
412     *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
413                                             (char *)"sha256", sizeof("sha256"));
414     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z, sizeof(z));
415     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, other,
416                                              sizeof(other));
417     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT, salt,
418                                              sizeof(salt));
419     *p = OSSL_PARAM_construct_end();
420
421     ret =
422         TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SSKDF))
423         && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
424         && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
425         && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
426
427     EVP_KDF_CTX_free(kctx);
428     return ret;
429 }
430
431 static int test_kdf_ss_kmac(void)
432 {
433     int ret;
434     EVP_KDF_CTX *kctx;
435     OSSL_PARAM params[6], *p = params;
436     unsigned char out[64];
437     size_t mac_size = 20;
438     static unsigned char z[] = {
439         0xb7,0x4a,0x14,0x9a,0x16,0x15,0x46,0xf8,0xc2,0x0b,0x06,0xac,0x4e,0xd4
440     };
441     static unsigned char other[] = {
442         0x34,0x8a,0x37,0xa2,0x7e,0xf1,0x28,0x2f,0x5f,0x02,0x0d,0xcc
443     };
444     static unsigned char salt[] = {
445         0x36,0x38,0x27,0x1c,0xcd,0x68,0xa2,0x5d,0xc2,0x4e,0xcd,0xdd,0x39,0xef,
446         0x3f,0x89
447     };
448     static const unsigned char expected[sizeof(out)] = {
449         0xe9,0xc1,0x84,0x53,0xa0,0x62,0xb5,0x3b,0xdb,0xfc,0xbb,0x5a,0x34,0xbd,
450         0xb8,0xe5,0xe7,0x07,0xee,0xbb,0x5d,0xd1,0x34,0x42,0x43,0xd8,0xcf,0xc2,
451         0xc2,0xe6,0x33,0x2f,0x91,0xbd,0xa5,0x86,0xf3,0x7d,0xe4,0x8a,0x65,0xd4,
452         0xc5,0x14,0xfd,0xef,0xaa,0x1e,0x67,0x54,0xf3,0x73,0xd2,0x38,0xe1,0x95,
453         0xae,0x15,0x7e,0x1d,0xe8,0x14,0x98,0x03
454     };
455
456     *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MAC,
457                                             (char *)OSSL_MAC_NAME_KMAC128,
458                                             sizeof(OSSL_MAC_NAME_KMAC128));
459     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z, sizeof(z));
460     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, other,
461                                              sizeof(other));
462     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT, salt,
463                                              sizeof(salt));
464     *p++ = OSSL_PARAM_construct_size_t(OSSL_KDF_PARAM_MAC_SIZE, &mac_size);
465     *p = OSSL_PARAM_construct_end();
466
467     ret =
468         TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SSKDF))
469         && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
470         && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
471         && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
472
473     EVP_KDF_CTX_free(kctx);
474     return ret;
475 }
476
477 static int test_kdf_sshkdf(void)
478 {
479     int ret;
480     EVP_KDF_CTX *kctx;
481     OSSL_PARAM params[6], *p = params;
482     char kdftype = EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV;
483     unsigned char out[8];
484     /* Test data from NIST CAVS 14.1 test vectors */
485     static unsigned char key[] = {
486         0x00, 0x00, 0x00, 0x81, 0x00, 0x87, 0x5c, 0x55, 0x1c, 0xef, 0x52, 0x6a,
487         0x4a, 0x8b, 0xe1, 0xa7, 0xdf, 0x27, 0xe9, 0xed, 0x35, 0x4b, 0xac, 0x9a,
488         0xfb, 0x71, 0xf5, 0x3d, 0xba, 0xe9, 0x05, 0x67, 0x9d, 0x14, 0xf9, 0xfa,
489         0xf2, 0x46, 0x9c, 0x53, 0x45, 0x7c, 0xf8, 0x0a, 0x36, 0x6b, 0xe2, 0x78,
490         0x96, 0x5b, 0xa6, 0x25, 0x52, 0x76, 0xca, 0x2d, 0x9f, 0x4a, 0x97, 0xd2,
491         0x71, 0xf7, 0x1e, 0x50, 0xd8, 0xa9, 0xec, 0x46, 0x25, 0x3a, 0x6a, 0x90,
492         0x6a, 0xc2, 0xc5, 0xe4, 0xf4, 0x8b, 0x27, 0xa6, 0x3c, 0xe0, 0x8d, 0x80,
493         0x39, 0x0a, 0x49, 0x2a, 0xa4, 0x3b, 0xad, 0x9d, 0x88, 0x2c, 0xca, 0xc2,
494         0x3d, 0xac, 0x88, 0xbc, 0xad, 0xa4, 0xb4, 0xd4, 0x26, 0xa3, 0x62, 0x08,
495         0x3d, 0xab, 0x65, 0x69, 0xc5, 0x4c, 0x22, 0x4d, 0xd2, 0xd8, 0x76, 0x43,
496         0xaa, 0x22, 0x76, 0x93, 0xe1, 0x41, 0xad, 0x16, 0x30, 0xce, 0x13, 0x14,
497         0x4e
498     };
499     static unsigned char xcghash[] = {
500         0x0e, 0x68, 0x3f, 0xc8, 0xa9, 0xed, 0x7c, 0x2f, 0xf0, 0x2d, 0xef, 0x23,
501         0xb2, 0x74, 0x5e, 0xbc, 0x99, 0xb2, 0x67, 0xda, 0xa8, 0x6a, 0x4a, 0xa7,
502         0x69, 0x72, 0x39, 0x08, 0x82, 0x53, 0xf6, 0x42
503     };
504     static unsigned char sessid[] = {
505         0x0e, 0x68, 0x3f, 0xc8, 0xa9, 0xed, 0x7c, 0x2f, 0xf0, 0x2d, 0xef, 0x23,
506         0xb2, 0x74, 0x5e, 0xbc, 0x99, 0xb2, 0x67, 0xda, 0xa8, 0x6a, 0x4a, 0xa7,
507         0x69, 0x72, 0x39, 0x08, 0x82, 0x53, 0xf6, 0x42
508     };
509     static const unsigned char expected[sizeof(out)] = {
510         0x41, 0xff, 0x2e, 0xad, 0x16, 0x83, 0xf1, 0xe6
511     };
512
513     *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
514                                             (char *)"sha256", sizeof("sha256"));
515     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, key,
516                                              sizeof(key));
517     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SSHKDF_XCGHASH,
518                                              xcghash, sizeof(xcghash));
519     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SSHKDF_SESSION_ID,
520                                              sessid, sizeof(sessid));
521     *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_SSHKDF_TYPE,
522                                             &kdftype, sizeof(kdftype));
523     *p = OSSL_PARAM_construct_end();
524
525     ret =
526         TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SSHKDF))
527         && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
528         && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
529         && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
530
531     EVP_KDF_CTX_free(kctx);
532     return ret;
533 }
534
535 static int test_kdf_get_kdf(void)
536 {
537     EVP_KDF *kdf1 = NULL, *kdf2 = NULL;
538     ASN1_OBJECT *obj;
539     int ok = 1;
540
541     if (!TEST_ptr(obj = OBJ_nid2obj(NID_id_pbkdf2))
542         || !TEST_ptr(kdf1 = EVP_KDF_fetch(NULL, OSSL_KDF_NAME_PBKDF2, NULL))
543         || !TEST_ptr(kdf2 = EVP_KDF_fetch(NULL, OBJ_nid2sn(OBJ_obj2nid(obj)),
544                                           NULL))
545         || !TEST_ptr_eq(kdf1, kdf2))
546         ok = 0;
547     EVP_KDF_free(kdf1);
548     kdf1 = NULL;
549     EVP_KDF_free(kdf2);
550     kdf2 = NULL;
551
552     if (!TEST_ptr(kdf1 = EVP_KDF_fetch(NULL, SN_tls1_prf, NULL))
553         || !TEST_ptr(kdf2 = EVP_KDF_fetch(NULL, LN_tls1_prf, NULL))
554         || !TEST_ptr_eq(kdf1, kdf2))
555         ok = 0;
556     /* kdf1 is re-used below, so don't free it here */
557     EVP_KDF_free(kdf2);
558     kdf2 = NULL;
559
560     if (!TEST_ptr(kdf2 = EVP_KDF_fetch(NULL, OBJ_nid2sn(NID_tls1_prf), NULL))
561         || !TEST_ptr_eq(kdf1, kdf2))
562         ok = 0;
563     EVP_KDF_free(kdf1);
564     kdf1 = NULL;
565     EVP_KDF_free(kdf2);
566     kdf2 = NULL;
567
568     return ok;
569 }
570
571 #ifndef OPENSSL_NO_CMS
572 static int test_kdf_x942_asn1(void)
573 {
574     int ret;
575     EVP_KDF_CTX *kctx = NULL;
576     OSSL_PARAM params[4], *p = params;
577     const char *cek_alg = SN_id_smime_alg_CMS3DESwrap;
578     unsigned char out[24];
579     /* RFC2631 Section 2.1.6 Test data */
580     static unsigned char z[] = {
581         0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,
582         0x0e,0x0f,0x10,0x11,0x12,0x13
583     };
584     static const unsigned char expected[sizeof(out)] = {
585         0xa0,0x96,0x61,0x39,0x23,0x76,0xf7,0x04,
586         0x4d,0x90,0x52,0xa3,0x97,0x88,0x32,0x46,
587         0xb6,0x7f,0x5f,0x1e,0xf6,0x3e,0xb5,0xfb
588     };
589
590     *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
591                                             (char *)"sha1", sizeof("sha1"));
592     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z,
593                                              sizeof(z));
594     *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_CEK_ALG,
595                                             (char *)cek_alg,
596                                             strlen(cek_alg) + 1);
597     *p = OSSL_PARAM_construct_end();
598
599     ret =
600         TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_X942KDF))
601         && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
602         && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
603         && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
604
605     EVP_KDF_CTX_free(kctx);
606     return ret;
607 }
608 #endif /* OPENSSL_NO_CMS */
609
610 int setup_tests(void)
611 {
612     ADD_TEST(test_kdf_kbkdf_8009_prf1);
613     ADD_TEST(test_kdf_kbkdf_8009_prf2);
614     ADD_TEST(test_kdf_get_kdf);
615     ADD_TEST(test_kdf_tls1_prf);
616     ADD_TEST(test_kdf_hkdf);
617     ADD_TEST(test_kdf_pbkdf2);
618 #ifndef OPENSSL_NO_SCRYPT
619     ADD_TEST(test_kdf_scrypt);
620 #endif
621     ADD_TEST(test_kdf_ss_hash);
622     ADD_TEST(test_kdf_ss_hmac);
623     ADD_TEST(test_kdf_ss_kmac);
624     ADD_TEST(test_kdf_sshkdf);
625     ADD_TEST(test_kdf_x963);
626 #ifndef OPENSSL_NO_CMS
627     ADD_TEST(test_kdf_x942_asn1);
628 #endif
629     return 1;
630 }