2 * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright (c) 2018-2019, Oracle and/or its affiliates. All rights reserved.
5 * Licensed under the Apache License 2.0 (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
11 /* Tests of the EVP_KDF_CTX APIs */
16 #include <openssl/evp.h>
17 #include <openssl/kdf.h>
20 static int test_kdf_tls1_prf(void)
23 EVP_KDF_CTX *kctx = NULL;
25 unsigned char out[16];
26 static const unsigned char expected[sizeof(out)] = {
27 0x8e, 0x4d, 0x93, 0x25, 0x30, 0xd7, 0x65, 0xa0,
28 0xaa, 0xe9, 0x74, 0xc3, 0x04, 0x73, 0x5e, 0xcc
32 TEST_ptr(kdf = EVP_get_kdfbyname(SN_tls1_prf))
33 && TEST_ptr(kctx = EVP_KDF_CTX_new(kdf))
34 && TEST_ptr_eq(EVP_KDF_CTX_kdf(kctx), kdf)
35 && TEST_str_eq(EVP_KDF_name(kdf), SN_tls1_prf)
36 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()), 0)
37 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_TLS_SECRET,
38 "secret", (size_t)6), 0)
39 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_ADD_TLS_SEED, "seed",
41 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
42 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
44 EVP_KDF_CTX_free(kctx);
48 static int test_kdf_hkdf(void)
52 unsigned char out[10];
53 static const unsigned char expected[sizeof(out)] = {
54 0x2a, 0xc4, 0x36, 0x9f, 0x52, 0x59, 0x96, 0xf8, 0xde, 0x13
58 TEST_ptr(kctx = EVP_KDF_CTX_new_id(EVP_KDF_HKDF))
59 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()), 0)
60 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "salt",
62 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, "secret",
64 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_ADD_HKDF_INFO, "label",
66 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
67 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
69 EVP_KDF_CTX_free(kctx);
73 static int test_kdf_pbkdf2(void)
77 unsigned char out[32];
78 static const unsigned char expected[sizeof(out)] = {
79 0xae, 0x4d, 0x0c, 0x95, 0xaf, 0x6b, 0x46, 0xd3,
80 0x2d, 0x0a, 0xdf, 0xf9, 0x28, 0xf0, 0x6d, 0xd0,
81 0x2a, 0x30, 0x3f, 0x8e, 0xf3, 0xc2, 0x51, 0xdf,
82 0xd6, 0xe2, 0xd8, 0x5a, 0x95, 0x47, 0x4c, 0x43
86 TEST_ptr(kctx = EVP_KDF_CTX_new_id(EVP_KDF_PBKDF2))
87 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, "password",
89 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "salt",
91 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_ITER, 2), 0)
92 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()), 0)
93 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
94 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
96 EVP_KDF_CTX_free(kctx);
100 #ifndef OPENSSL_NO_SCRYPT
101 static int test_kdf_scrypt(void)
105 unsigned char out[64];
106 static const unsigned char expected[sizeof(out)] = {
107 0xfd, 0xba, 0xbe, 0x1c, 0x9d, 0x34, 0x72, 0x00,
108 0x78, 0x56, 0xe7, 0x19, 0x0d, 0x01, 0xe9, 0xfe,
109 0x7c, 0x6a, 0xd7, 0xcb, 0xc8, 0x23, 0x78, 0x30,
110 0xe7, 0x73, 0x76, 0x63, 0x4b, 0x37, 0x31, 0x62,
111 0x2e, 0xaf, 0x30, 0xd9, 0x2e, 0x22, 0xa3, 0x88,
112 0x6f, 0xf1, 0x09, 0x27, 0x9d, 0x98, 0x30, 0xda,
113 0xc7, 0x27, 0xaf, 0xb9, 0x4a, 0x83, 0xee, 0x6d,
114 0x83, 0x60, 0xcb, 0xdf, 0xa2, 0xcc, 0x06, 0x40
118 TEST_ptr(kctx = EVP_KDF_CTX_new_id(EVP_KDF_SCRYPT))
119 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, "password",
121 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "NaCl",
123 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_N,
125 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_R,
127 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_P,
129 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MAXMEM_BYTES,
132 && TEST_int_le(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
133 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MAXMEM_BYTES,
134 (uint64_t)(10 * 1024 * 1024)), 0)
135 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
136 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
138 EVP_KDF_CTX_free(kctx);
141 #endif /* OPENSSL_NO_SCRYPT */
143 static int test_kdf_ss_hash(void)
146 EVP_KDF_CTX *kctx = NULL;
147 unsigned char out[14];
148 static const unsigned char z[] = {
149 0x6d,0xbd,0xc2,0x3f,0x04,0x54,0x88,0xe4,0x06,0x27,0x57,0xb0,0x6b,0x9e,
150 0xba,0xe1,0x83,0xfc,0x5a,0x59,0x46,0xd8,0x0d,0xb9,0x3f,0xec,0x6f,0x62,
151 0xec,0x07,0xe3,0x72,0x7f,0x01,0x26,0xae,0xd1,0x2c,0xe4,0xb2,0x62,0xf4,
152 0x7d,0x48,0xd5,0x42,0x87,0xf8,0x1d,0x47,0x4c,0x7c,0x3b,0x18,0x50,0xe9
154 static const unsigned char other[] = {
155 0xa1,0xb2,0xc3,0xd4,0xe5,0x43,0x41,0x56,0x53,0x69,0x64,0x3c,0x83,0x2e,
156 0x98,0x49,0xdc,0xdb,0xa7,0x1e,0x9a,0x31,0x39,0xe6,0x06,0xe0,0x95,0xde,
157 0x3c,0x26,0x4a,0x66,0xe9,0x8a,0x16,0x58,0x54,0xcd,0x07,0x98,0x9b,0x1e,
158 0xe0,0xec,0x3f,0x8d,0xbe
160 static const unsigned char expected[sizeof(out)] = {
161 0xa4,0x62,0xde,0x16,0xa8,0x9d,0xe8,0x46,0x6e,0xf5,0x46,0x0b,0x47,0xb8
165 TEST_ptr(kctx = EVP_KDF_CTX_new_id(EVP_KDF_SS))
166 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha224()), 0)
167 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, z, sizeof(z)), 0)
168 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSKDF_INFO, other,
170 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
171 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
173 EVP_KDF_CTX_free(kctx);
177 static int test_kdf_x963(void)
180 EVP_KDF_CTX *kctx = NULL;
181 unsigned char out[1024 / 8];
183 * Test data from https://csrc.nist.gov/CSRC/media/Projects/
184 * Cryptographic-Algorithm-Validation-Program/documents/components/
185 * 800-135testvectors/ansx963_2001.zip
187 static const unsigned char z[] = {
188 0x00, 0xaa, 0x5b, 0xb7, 0x9b, 0x33, 0xe3, 0x89, 0xfa, 0x58, 0xce, 0xad,
189 0xc0, 0x47, 0x19, 0x7f, 0x14, 0xe7, 0x37, 0x12, 0xf4, 0x52, 0xca, 0xa9,
190 0xfc, 0x4c, 0x9a, 0xdb, 0x36, 0x93, 0x48, 0xb8, 0x15, 0x07, 0x39, 0x2f,
191 0x1a, 0x86, 0xdd, 0xfd, 0xb7, 0xc4, 0xff, 0x82, 0x31, 0xc4, 0xbd, 0x0f,
192 0x44, 0xe4, 0x4a, 0x1b, 0x55, 0xb1, 0x40, 0x47, 0x47, 0xa9, 0xe2, 0xe7,
193 0x53, 0xf5, 0x5e, 0xf0, 0x5a, 0x2d
195 static const unsigned char shared[] = {
196 0xe3, 0xb5, 0xb4, 0xc1, 0xb0, 0xd5, 0xcf, 0x1d, 0x2b, 0x3a, 0x2f, 0x99,
197 0x37, 0x89, 0x5d, 0x31
199 static const unsigned char expected[sizeof(out)] = {
200 0x44, 0x63, 0xf8, 0x69, 0xf3, 0xcc, 0x18, 0x76, 0x9b, 0x52, 0x26, 0x4b,
201 0x01, 0x12, 0xb5, 0x85, 0x8f, 0x7a, 0xd3, 0x2a, 0x5a, 0x2d, 0x96, 0xd8,
202 0xcf, 0xfa, 0xbf, 0x7f, 0xa7, 0x33, 0x63, 0x3d, 0x6e, 0x4d, 0xd2, 0xa5,
203 0x99, 0xac, 0xce, 0xb3, 0xea, 0x54, 0xa6, 0x21, 0x7c, 0xe0, 0xb5, 0x0e,
204 0xef, 0x4f, 0x6b, 0x40, 0xa5, 0xc3, 0x02, 0x50, 0xa5, 0xa8, 0xee, 0xee,
205 0x20, 0x80, 0x02, 0x26, 0x70, 0x89, 0xdb, 0xf3, 0x51, 0xf3, 0xf5, 0x02,
206 0x2a, 0xa9, 0x63, 0x8b, 0xf1, 0xee, 0x41, 0x9d, 0xea, 0x9c, 0x4f, 0xf7,
207 0x45, 0xa2, 0x5a, 0xc2, 0x7b, 0xda, 0x33, 0xca, 0x08, 0xbd, 0x56, 0xdd,
208 0x1a, 0x59, 0xb4, 0x10, 0x6c, 0xf2, 0xdb, 0xbc, 0x0a, 0xb2, 0xaa, 0x8e,
209 0x2e, 0xfa, 0x7b, 0x17, 0x90, 0x2d, 0x34, 0x27, 0x69, 0x51, 0xce, 0xcc,
210 0xab, 0x87, 0xf9, 0x66, 0x1c, 0x3e, 0x88, 0x16
214 TEST_ptr(kctx = EVP_KDF_CTX_new_id(EVP_KDF_X963))
215 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha512()), 0)
216 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, z, sizeof(z)), 0)
217 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SHARED_INFO, shared,
219 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
220 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
222 EVP_KDF_CTX_free(kctx);
226 static int test_kdf_ss_hmac(void)
231 unsigned char out[16];
232 static const unsigned char z[] = {
233 0xb7,0x4a,0x14,0x9a,0x16,0x15,0x46,0xf8,0xc2,0x0b,0x06,0xac,0x4e,0xd4
235 static const unsigned char other[] = {
236 0x34,0x8a,0x37,0xa2,0x7e,0xf1,0x28,0x2f,0x5f,0x02,0x0d,0xcc
238 static const unsigned char salt[] = {
239 0x36,0x38,0x27,0x1c,0xcd,0x68,0xa2,0x5d,0xc2,0x4e,0xcd,0xdd,0x39,0xef,
242 static const unsigned char expected[sizeof(out)] = {
243 0x44,0xf6,0x76,0xe8,0x5c,0x1b,0x1a,0x8b,0xbc,0x3d,0x31,0x92,0x18,0x63,
248 TEST_ptr(kctx = EVP_KDF_CTX_new_id(EVP_KDF_SS))
249 && TEST_ptr(mac = EVP_get_macbyname("HMAC"))
250 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MAC, mac), 0)
251 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()), 0)
252 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, z, sizeof(z)), 0)
253 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSKDF_INFO, other,
255 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, salt,
257 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
258 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
260 EVP_KDF_CTX_free(kctx);
264 static int test_kdf_ss_kmac(void)
268 unsigned char out[64];
270 static const unsigned char z[] = {
271 0xb7,0x4a,0x14,0x9a,0x16,0x15,0x46,0xf8,0xc2,0x0b,0x06,0xac,0x4e,0xd4
273 static const unsigned char other[] = {
274 0x34,0x8a,0x37,0xa2,0x7e,0xf1,0x28,0x2f,0x5f,0x02,0x0d,0xcc
276 static const unsigned char salt[] = {
277 0x36,0x38,0x27,0x1c,0xcd,0x68,0xa2,0x5d,0xc2,0x4e,0xcd,0xdd,0x39,0xef,
280 static const unsigned char expected[sizeof(out)] = {
281 0xe9,0xc1,0x84,0x53,0xa0,0x62,0xb5,0x3b,0xdb,0xfc,0xbb,0x5a,0x34,0xbd,
282 0xb8,0xe5,0xe7,0x07,0xee,0xbb,0x5d,0xd1,0x34,0x42,0x43,0xd8,0xcf,0xc2,
283 0xc2,0xe6,0x33,0x2f,0x91,0xbd,0xa5,0x86,0xf3,0x7d,0xe4,0x8a,0x65,0xd4,
284 0xc5,0x14,0xfd,0xef,0xaa,0x1e,0x67,0x54,0xf3,0x73,0xd2,0x38,0xe1,0x95,
285 0xae,0x15,0x7e,0x1d,0xe8,0x14,0x98,0x03
289 TEST_ptr(kctx = EVP_KDF_CTX_new_id(EVP_KDF_SS))
290 && TEST_ptr(mac = EVP_get_macbyname("KMAC128"))
291 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MAC, mac), 0)
292 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, z,
294 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSKDF_INFO, other,
296 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, salt,
298 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MAC_SIZE,
300 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
301 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
303 EVP_KDF_CTX_free(kctx);
307 static int test_kdf_sshkdf(void)
311 unsigned char out[8];
312 /* Test data from NIST CAVS 14.1 test vectors */
313 static const unsigned char key[] = {
314 0x00, 0x00, 0x00, 0x81, 0x00, 0x87, 0x5c, 0x55, 0x1c, 0xef, 0x52, 0x6a,
315 0x4a, 0x8b, 0xe1, 0xa7, 0xdf, 0x27, 0xe9, 0xed, 0x35, 0x4b, 0xac, 0x9a,
316 0xfb, 0x71, 0xf5, 0x3d, 0xba, 0xe9, 0x05, 0x67, 0x9d, 0x14, 0xf9, 0xfa,
317 0xf2, 0x46, 0x9c, 0x53, 0x45, 0x7c, 0xf8, 0x0a, 0x36, 0x6b, 0xe2, 0x78,
318 0x96, 0x5b, 0xa6, 0x25, 0x52, 0x76, 0xca, 0x2d, 0x9f, 0x4a, 0x97, 0xd2,
319 0x71, 0xf7, 0x1e, 0x50, 0xd8, 0xa9, 0xec, 0x46, 0x25, 0x3a, 0x6a, 0x90,
320 0x6a, 0xc2, 0xc5, 0xe4, 0xf4, 0x8b, 0x27, 0xa6, 0x3c, 0xe0, 0x8d, 0x80,
321 0x39, 0x0a, 0x49, 0x2a, 0xa4, 0x3b, 0xad, 0x9d, 0x88, 0x2c, 0xca, 0xc2,
322 0x3d, 0xac, 0x88, 0xbc, 0xad, 0xa4, 0xb4, 0xd4, 0x26, 0xa3, 0x62, 0x08,
323 0x3d, 0xab, 0x65, 0x69, 0xc5, 0x4c, 0x22, 0x4d, 0xd2, 0xd8, 0x76, 0x43,
324 0xaa, 0x22, 0x76, 0x93, 0xe1, 0x41, 0xad, 0x16, 0x30, 0xce, 0x13, 0x14,
327 static const unsigned char xcghash[] = {
328 0x0e, 0x68, 0x3f, 0xc8, 0xa9, 0xed, 0x7c, 0x2f, 0xf0, 0x2d, 0xef, 0x23,
329 0xb2, 0x74, 0x5e, 0xbc, 0x99, 0xb2, 0x67, 0xda, 0xa8, 0x6a, 0x4a, 0xa7,
330 0x69, 0x72, 0x39, 0x08, 0x82, 0x53, 0xf6, 0x42
332 static const unsigned char sessid[] = {
333 0x0e, 0x68, 0x3f, 0xc8, 0xa9, 0xed, 0x7c, 0x2f, 0xf0, 0x2d, 0xef, 0x23,
334 0xb2, 0x74, 0x5e, 0xbc, 0x99, 0xb2, 0x67, 0xda, 0xa8, 0x6a, 0x4a, 0xa7,
335 0x69, 0x72, 0x39, 0x08, 0x82, 0x53, 0xf6, 0x42
337 static const unsigned char expected[sizeof(out)] = {
338 0x41, 0xff, 0x2e, 0xad, 0x16, 0x83, 0xf1, 0xe6
342 TEST_ptr(kctx = EVP_KDF_CTX_new_id(EVP_KDF_SSHKDF))
343 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()), 0)
344 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, key,
346 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSHKDF_XCGHASH,
347 xcghash, sizeof(xcghash)), 0)
348 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID,
349 sessid, sizeof(sessid)), 0)
351 EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSHKDF_TYPE,
352 (int)EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV), 0)
353 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
354 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
356 EVP_KDF_CTX_free(kctx);
360 static int test_kdf_get_kdf(void)
362 const EVP_KDF *kdf1, *kdf2;
366 TEST_ptr(obj = OBJ_nid2obj(NID_id_pbkdf2))
367 && TEST_ptr(kdf1 = EVP_get_kdfbyname(LN_id_pbkdf2))
368 && TEST_ptr(kdf2 = EVP_get_kdfbyobj(obj))
369 && TEST_ptr_eq(kdf1, kdf2)
370 && TEST_ptr(kdf1 = EVP_get_kdfbyname(SN_tls1_prf))
371 && TEST_ptr(kdf2 = EVP_get_kdfbyname(LN_tls1_prf))
372 && TEST_ptr_eq(kdf1, kdf2)
373 && TEST_ptr(kdf2 = EVP_get_kdfbynid(NID_tls1_prf))
374 && TEST_ptr_eq(kdf1, kdf2);
377 int setup_tests(void)
379 ADD_TEST(test_kdf_get_kdf);
380 ADD_TEST(test_kdf_tls1_prf);
381 ADD_TEST(test_kdf_hkdf);
382 ADD_TEST(test_kdf_pbkdf2);
383 #ifndef OPENSSL_NO_SCRYPT
384 ADD_TEST(test_kdf_scrypt);
386 ADD_TEST(test_kdf_ss_hash);
387 ADD_TEST(test_kdf_ss_hmac);
388 ADD_TEST(test_kdf_ss_kmac);
389 ADD_TEST(test_kdf_sshkdf);
390 ADD_TEST(test_kdf_x963);