2 * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright (c) 2018-2020, Oracle and/or its affiliates. All rights reserved.
5 * Licensed under the Apache License 2.0 (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
11 /* Tests of the EVP_KDF_CTX APIs */
16 #include <openssl/evp.h>
17 #include <openssl/kdf.h>
18 #include <openssl/core_names.h>
19 #include "internal/numbers.h"
23 static EVP_KDF_CTX *get_kdfbyname_libctx(OSSL_LIB_CTX *libctx, const char *name)
25 EVP_KDF *kdf = EVP_KDF_fetch(libctx, name, NULL);
26 EVP_KDF_CTX *kctx = EVP_KDF_CTX_new(kdf);
32 static EVP_KDF_CTX *get_kdfbyname(const char *name)
34 return get_kdfbyname_libctx(NULL, name);
37 static OSSL_PARAM *construct_tls1_prf_params(const char *digest, const char *secret,
40 OSSL_PARAM *params = OPENSSL_malloc(sizeof(OSSL_PARAM) * 4);
41 OSSL_PARAM *p = params;
46 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
48 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SECRET,
49 (unsigned char *)secret,
51 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED,
52 (unsigned char *)seed,
54 *p = OSSL_PARAM_construct_end();
59 static int test_kdf_tls1_prf(void)
62 EVP_KDF_CTX *kctx = NULL;
63 unsigned char out[16];
65 static const unsigned char expected[sizeof(out)] = {
66 0x8e, 0x4d, 0x93, 0x25, 0x30, 0xd7, 0x65, 0xa0,
67 0xaa, 0xe9, 0x74, 0xc3, 0x04, 0x73, 0x5e, 0xcc
70 params = construct_tls1_prf_params("sha256", "secret", "seed");
72 ret = TEST_ptr(params)
73 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
74 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
75 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
77 EVP_KDF_CTX_free(kctx);
82 static int test_kdf_tls1_prf_invalid_digest(void)
85 EVP_KDF_CTX *kctx = NULL;
88 params = construct_tls1_prf_params("blah", "secret", "seed");
90 ret = TEST_ptr(params)
91 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
92 && TEST_false(EVP_KDF_CTX_set_params(kctx, params));
94 EVP_KDF_CTX_free(kctx);
99 static int test_kdf_tls1_prf_zero_output_size(void)
102 EVP_KDF_CTX *kctx = NULL;
103 unsigned char out[16];
106 params = construct_tls1_prf_params("sha256", "secret", "seed");
108 /* Negative test - derive should fail */
109 ret = TEST_ptr(params)
110 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
111 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
112 && TEST_int_eq(EVP_KDF_derive(kctx, out, 0, NULL), 0);
114 EVP_KDF_CTX_free(kctx);
115 OPENSSL_free(params);
119 static int test_kdf_tls1_prf_empty_secret(void)
122 EVP_KDF_CTX *kctx = NULL;
123 unsigned char out[16];
126 params = construct_tls1_prf_params("sha256", "", "seed");
128 ret = TEST_ptr(params)
129 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
130 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0);
132 EVP_KDF_CTX_free(kctx);
133 OPENSSL_free(params);
137 static int test_kdf_tls1_prf_1byte_secret(void)
140 EVP_KDF_CTX *kctx = NULL;
141 unsigned char out[16];
144 params = construct_tls1_prf_params("sha256", "1", "seed");
146 ret = TEST_ptr(params)
147 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
148 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0);
150 EVP_KDF_CTX_free(kctx);
151 OPENSSL_free(params);
155 static int test_kdf_tls1_prf_empty_seed(void)
158 EVP_KDF_CTX *kctx = NULL;
159 unsigned char out[16];
162 params = construct_tls1_prf_params("sha256", "secret", "");
164 /* Negative test - derive should fail */
165 ret = TEST_ptr(params)
166 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
167 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
168 && TEST_int_eq(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0);
170 EVP_KDF_CTX_free(kctx);
171 OPENSSL_free(params);
175 static int test_kdf_tls1_prf_1byte_seed(void)
178 EVP_KDF_CTX *kctx = NULL;
179 unsigned char out[16];
182 params = construct_tls1_prf_params("sha256", "secret", "1");
184 ret = TEST_ptr(params)
185 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
186 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0);
188 EVP_KDF_CTX_free(kctx);
189 OPENSSL_free(params);
193 static OSSL_PARAM *construct_hkdf_params(char *digest, char *key,
194 size_t keylen, char *salt, char *info)
196 OSSL_PARAM *params = OPENSSL_malloc(sizeof(OSSL_PARAM) * 5);
197 OSSL_PARAM *p = params;
203 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
205 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
207 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
208 (unsigned char *)key, keylen);
210 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO,
213 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MODE,
215 *p = OSSL_PARAM_construct_end();
220 static int test_kdf_hkdf(void)
223 EVP_KDF_CTX *kctx = NULL;
224 unsigned char out[10];
226 static const unsigned char expected[sizeof(out)] = {
227 0x2a, 0xc4, 0x36, 0x9f, 0x52, 0x59, 0x96, 0xf8, 0xde, 0x13
230 params = construct_hkdf_params("sha256", "secret", 6, "salt", "label");
232 ret = TEST_ptr(params)
233 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))
234 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
235 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
237 EVP_KDF_CTX_free(kctx);
238 OPENSSL_free(params);
242 static int do_kdf_hkdf_gettables(int expand_only, int has_digest)
247 OSSL_PARAM params_get[2];
248 const OSSL_PARAM *gettables, *p;
249 EVP_KDF_CTX *kctx = NULL;
251 if (!TEST_ptr(params = construct_hkdf_params(
252 has_digest ? "sha256" : NULL,
254 expand_only ? NULL : "label"))
255 || !TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))
256 || !TEST_true(EVP_KDF_CTX_set_params(kctx, params)))
259 /* Check OSSL_KDF_PARAM_SIZE is gettable */
260 if (!TEST_ptr(gettables = EVP_KDF_CTX_gettable_params(kctx))
261 || !TEST_ptr(p = OSSL_PARAM_locate_const(gettables, OSSL_KDF_PARAM_SIZE)))
264 /* Get OSSL_KDF_PARAM_SIZE as a size_t */
265 params_get[0] = OSSL_PARAM_construct_size_t(OSSL_KDF_PARAM_SIZE, &sz);
266 params_get[1] = OSSL_PARAM_construct_end();
268 if (!TEST_int_eq(EVP_KDF_CTX_get_params(kctx, params_get), 1)
269 || !TEST_size_t_eq(sz, expand_only ? SHA256_DIGEST_LENGTH : SIZE_MAX))
272 if (!TEST_int_eq(EVP_KDF_CTX_get_params(kctx, params_get), 0))
276 /* Get params returns -2 if an unsupported parameter is requested */
277 params_get[0] = OSSL_PARAM_construct_end();
278 if (!TEST_int_eq(EVP_KDF_CTX_get_params(kctx, params_get), -2))
282 EVP_KDF_CTX_free(kctx);
283 OPENSSL_free(params);
287 static int test_kdf_hkdf_gettables(void)
289 return do_kdf_hkdf_gettables(0, 1);
292 static int test_kdf_hkdf_gettables_expandonly(void)
294 return do_kdf_hkdf_gettables(1, 1);
297 static int test_kdf_hkdf_gettables_no_digest(void)
299 return do_kdf_hkdf_gettables(1, 0);
302 static int test_kdf_hkdf_invalid_digest(void)
305 EVP_KDF_CTX *kctx = NULL;
308 params = construct_hkdf_params("blah", "secret", 6, "salt", "label");
310 ret = TEST_ptr(params)
311 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))
312 && TEST_false(EVP_KDF_CTX_set_params(kctx, params));
314 EVP_KDF_CTX_free(kctx);
315 OPENSSL_free(params);
319 static int test_kdf_hkdf_derive_set_params_fail(void)
322 EVP_KDF_CTX *kctx = NULL;
323 OSSL_PARAM params[2];
324 unsigned char out[10];
326 if (!TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF)))
329 * Set the wrong type for the digest so that it causes a failure
330 * inside kdf_hkdf_derive() when kdf_hkdf_set_ctx_params() is called
332 params[0] = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_DIGEST, &i);
333 params[1] = OSSL_PARAM_construct_end();
334 if (!TEST_int_eq(EVP_KDF_derive(kctx, out, sizeof(out), params), 0))
338 EVP_KDF_CTX_free(kctx);
342 static int test_kdf_hkdf_set_invalid_mode(void)
344 int ret = 0, bad_mode = 100;
345 EVP_KDF_CTX *kctx = NULL;
346 OSSL_PARAM params[2];
348 if (!TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF)))
350 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MODE,
352 params[1] = OSSL_PARAM_construct_end();
353 if (!TEST_int_eq(EVP_KDF_CTX_set_params(kctx, params), 0))
356 params[0] = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_MODE, &bad_mode);
357 if (!TEST_int_eq(EVP_KDF_CTX_set_params(kctx, params), 0))
362 EVP_KDF_CTX_free(kctx);
366 static int do_kdf_hkdf_set_invalid_param(const char *key, int type)
369 EVP_KDF_CTX *kctx = NULL;
370 OSSL_PARAM params[2];
371 unsigned char buf[2];
373 if (!TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF)))
375 /* Set the wrong type for the key so that it causes a failure */
376 if (type == OSSL_PARAM_UTF8_STRING)
377 params[0] = OSSL_PARAM_construct_utf8_string(key, "BAD", 0);
379 params[0] = OSSL_PARAM_construct_octet_string(key, buf, sizeof(buf));
380 params[1] = OSSL_PARAM_construct_end();
381 if (!TEST_int_eq(EVP_KDF_CTX_set_params(kctx, params), 0))
386 EVP_KDF_CTX_free(kctx);
390 static int test_kdf_hkdf_set_ctx_param_fail(void)
392 return do_kdf_hkdf_set_invalid_param(OSSL_KDF_PARAM_MODE,
393 OSSL_PARAM_OCTET_STRING)
394 && do_kdf_hkdf_set_invalid_param(OSSL_KDF_PARAM_KEY,
395 OSSL_PARAM_UTF8_STRING)
396 && do_kdf_hkdf_set_invalid_param(OSSL_KDF_PARAM_SALT,
397 OSSL_PARAM_UTF8_STRING)
398 && do_kdf_hkdf_set_invalid_param(OSSL_KDF_PARAM_INFO,
399 OSSL_PARAM_UTF8_STRING);
402 static int test_kdf_hkdf_zero_output_size(void)
405 EVP_KDF_CTX *kctx = NULL;
406 unsigned char out[10];
409 params = construct_hkdf_params("sha256", "secret", 6, "salt", "label");
411 /* Negative test - derive should fail */
412 ret = TEST_ptr(params)
413 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))
414 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
415 && TEST_int_eq(EVP_KDF_derive(kctx, out, 0, NULL), 0);
417 EVP_KDF_CTX_free(kctx);
418 OPENSSL_free(params);
422 static int test_kdf_hkdf_empty_key(void)
425 EVP_KDF_CTX *kctx = NULL;
426 unsigned char out[10];
429 params = construct_hkdf_params("sha256", "", 0, "salt", "label");
431 ret = TEST_ptr(params)
432 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))
433 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0);
435 EVP_KDF_CTX_free(kctx);
436 OPENSSL_free(params);
440 static int test_kdf_hkdf_1byte_key(void)
443 EVP_KDF_CTX *kctx = NULL;
444 unsigned char out[10];
447 params = construct_hkdf_params("sha256", "1", 1, "salt", "label");
449 ret = TEST_ptr(params)
450 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))
451 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0);
453 EVP_KDF_CTX_free(kctx);
454 OPENSSL_free(params);
458 static int test_kdf_hkdf_empty_salt(void)
461 EVP_KDF_CTX *kctx = NULL;
462 unsigned char out[10];
465 params = construct_hkdf_params("sha256", "secret", 6, "", "label");
467 ret = TEST_ptr(params)
468 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))
469 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0);
471 EVP_KDF_CTX_free(kctx);
472 OPENSSL_free(params);
476 static OSSL_PARAM *construct_pbkdf1_params(char *pass, char *digest, char *salt,
479 OSSL_PARAM *params = OPENSSL_malloc(sizeof(OSSL_PARAM) * 5);
480 OSSL_PARAM *p = params;
485 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PASSWORD,
486 (unsigned char *)pass, strlen(pass));
487 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
488 (unsigned char *)salt, strlen(salt));
489 *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_ITER, iter);
490 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
492 *p = OSSL_PARAM_construct_end();
497 static int test_kdf_pbkdf1(void)
500 EVP_KDF_CTX *kctx = NULL;
501 unsigned char out[25];
502 unsigned int iterations = 4096;
503 OSSL_LIB_CTX *libctx = NULL;
504 OSSL_PARAM *params = NULL;
505 OSSL_PROVIDER *legacyprov = NULL;
506 OSSL_PROVIDER *defprov = NULL;
507 const unsigned char expected[sizeof(out)] = {
508 0xfb, 0x83, 0x4d, 0x36, 0x6d, 0xbc, 0x53, 0x87, 0x35, 0x1b, 0x34, 0x75,
509 0x95, 0x88, 0x32, 0x4f, 0x3e, 0x82, 0x81, 0x01, 0x21, 0x93, 0x64, 0x00,
513 if (!TEST_ptr(libctx = OSSL_LIB_CTX_new()))
516 /* PBKDF1 only available in the legacy provider */
517 legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
518 if (legacyprov == NULL) {
519 OSSL_LIB_CTX_free(libctx);
520 return TEST_skip("PBKDF1 only available in legacy provider");
523 if (!TEST_ptr(defprov = OSSL_PROVIDER_load(libctx, "default")))
526 params = construct_pbkdf1_params("passwordPASSWORDpassword", "sha256",
527 "saltSALTsaltSALTsaltSALTsaltSALTsalt",
530 if (!TEST_ptr(params)
531 || !TEST_ptr(kctx = get_kdfbyname_libctx(libctx, OSSL_KDF_NAME_PBKDF1))
532 || !TEST_true(EVP_KDF_CTX_set_params(kctx, params))
533 || !TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0)
534 || !TEST_mem_eq(out, sizeof(out), expected, sizeof(expected)))
539 EVP_KDF_CTX_free(kctx);
540 OPENSSL_free(params);
541 OSSL_PROVIDER_unload(defprov);
542 OSSL_PROVIDER_unload(legacyprov);
543 OSSL_LIB_CTX_free(libctx);
547 static int test_kdf_pbkdf1_key_too_long(void)
550 EVP_KDF_CTX *kctx = NULL;
551 unsigned char out[EVP_MAX_MD_SIZE + 1];
552 unsigned int iterations = 4096;
553 OSSL_LIB_CTX *libctx = NULL;
554 OSSL_PARAM *params = NULL;
555 OSSL_PROVIDER *legacyprov = NULL;
556 OSSL_PROVIDER *defprov = NULL;
558 if (!TEST_ptr(libctx = OSSL_LIB_CTX_new()))
561 /* PBKDF1 only available in the legacy provider */
562 legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
563 if (legacyprov == NULL) {
564 OSSL_LIB_CTX_free(libctx);
565 return TEST_skip("PBKDF1 only available in legacy provider");
568 if (!TEST_ptr(defprov = OSSL_PROVIDER_load(libctx, "default")))
571 params = construct_pbkdf1_params("passwordPASSWORDpassword", "sha256",
572 "saltSALTsaltSALTsaltSALTsaltSALTsalt",
576 * This is the same test sequence as test_kdf_pbkdf1, but we expect
577 * failure here as the requested key size is longer than the digest
580 if (!TEST_ptr(params)
581 || !TEST_ptr(kctx = get_kdfbyname_libctx(libctx, OSSL_KDF_NAME_PBKDF1))
582 || !TEST_true(EVP_KDF_CTX_set_params(kctx, params))
583 || !TEST_int_eq(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0))
588 EVP_KDF_CTX_free(kctx);
589 OPENSSL_free(params);
590 OSSL_PROVIDER_unload(defprov);
591 OSSL_PROVIDER_unload(legacyprov);
592 OSSL_LIB_CTX_free(libctx);
596 static OSSL_PARAM *construct_pbkdf2_params(char *pass, char *digest, char *salt,
597 unsigned int *iter, int *mode)
599 OSSL_PARAM *params = OPENSSL_malloc(sizeof(OSSL_PARAM) * 6);
600 OSSL_PARAM *p = params;
605 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PASSWORD,
606 (unsigned char *)pass, strlen(pass));
607 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
608 (unsigned char *)salt, strlen(salt));
609 *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_ITER, iter);
610 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
612 *p++ = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_PKCS5, mode);
613 *p = OSSL_PARAM_construct_end();
618 static int test_kdf_pbkdf2(void)
621 EVP_KDF_CTX *kctx = NULL;
622 unsigned char out[25];
623 unsigned int iterations = 4096;
626 const unsigned char expected[sizeof(out)] = {
627 0x34, 0x8c, 0x89, 0xdb, 0xcb, 0xd3, 0x2b, 0x2f,
628 0x32, 0xd8, 0x14, 0xb8, 0x11, 0x6e, 0x84, 0xcf,
629 0x2b, 0x17, 0x34, 0x7e, 0xbc, 0x18, 0x00, 0x18,
633 params = construct_pbkdf2_params("passwordPASSWORDpassword", "sha256",
634 "saltSALTsaltSALTsaltSALTsaltSALTsalt",
637 if (!TEST_ptr(params)
638 || !TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
639 || !TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
640 || !TEST_mem_eq(out, sizeof(out), expected, sizeof(expected)))
645 EVP_KDF_CTX_free(kctx);
646 OPENSSL_free(params);
650 static int test_kdf_pbkdf2_small_output(void)
653 EVP_KDF_CTX *kctx = NULL;
654 unsigned char out[25];
655 unsigned int iterations = 4096;
659 params = construct_pbkdf2_params("passwordPASSWORDpassword", "sha256",
660 "saltSALTsaltSALTsaltSALTsaltSALTsalt",
663 if (!TEST_ptr(params)
664 || !TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
665 || !TEST_true(EVP_KDF_CTX_set_params(kctx, params))
666 /* A key length that is too small should fail */
667 || !TEST_int_eq(EVP_KDF_derive(kctx, out, 112 / 8 - 1, NULL), 0))
672 EVP_KDF_CTX_free(kctx);
673 OPENSSL_free(params);
677 static int test_kdf_pbkdf2_large_output(void)
680 EVP_KDF_CTX *kctx = NULL;
681 unsigned char out[25];
683 unsigned int iterations = 4096;
687 if (sizeof(len) > 32)
690 params = construct_pbkdf2_params("passwordPASSWORDpassword", "sha256",
691 "saltSALTsaltSALTsaltSALTsaltSALTsalt",
694 if (!TEST_ptr(params)
695 || !TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
696 /* A key length that is too large should fail */
697 || !TEST_true(EVP_KDF_CTX_set_params(kctx, params))
698 || (len != 0 && !TEST_int_eq(EVP_KDF_derive(kctx, out, len, NULL), 0)))
703 EVP_KDF_CTX_free(kctx);
704 OPENSSL_free(params);
708 static int test_kdf_pbkdf2_small_salt(void)
711 EVP_KDF_CTX *kctx = NULL;
712 unsigned int iterations = 4096;
716 params = construct_pbkdf2_params("passwordPASSWORDpassword", "sha256",
720 if (!TEST_ptr(params)
721 || !TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
722 /* A salt that is too small should fail */
723 || !TEST_false(EVP_KDF_CTX_set_params(kctx, params)))
728 EVP_KDF_CTX_free(kctx);
729 OPENSSL_free(params);
733 static int test_kdf_pbkdf2_small_iterations(void)
736 EVP_KDF_CTX *kctx = NULL;
737 unsigned int iterations = 1;
741 params = construct_pbkdf2_params("passwordPASSWORDpassword", "sha256",
742 "saltSALTsaltSALTsaltSALTsaltSALTsalt",
745 if (!TEST_ptr(params)
746 || !TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
747 /* An iteration count that is too small should fail */
748 || !TEST_false(EVP_KDF_CTX_set_params(kctx, params)))
753 EVP_KDF_CTX_free(kctx);
754 OPENSSL_free(params);
758 static int test_kdf_pbkdf2_small_salt_pkcs5(void)
761 EVP_KDF_CTX *kctx = NULL;
762 unsigned char out[25];
763 unsigned int iterations = 4096;
766 OSSL_PARAM mode_params[2];
768 params = construct_pbkdf2_params("passwordPASSWORDpassword", "sha256",
772 if (!TEST_ptr(params)
773 || !TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
774 /* A salt that is too small should pass in pkcs5 mode */
775 || !TEST_true(EVP_KDF_CTX_set_params(kctx, params))
776 || !TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0))
780 mode_params[0] = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_PKCS5, &mode);
781 mode_params[1] = OSSL_PARAM_construct_end();
783 /* If the "pkcs5" mode is disabled then the derive will now fail */
784 if (!TEST_true(EVP_KDF_CTX_set_params(kctx, mode_params))
785 || !TEST_int_eq(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0))
790 EVP_KDF_CTX_free(kctx);
791 OPENSSL_free(params);
795 static int test_kdf_pbkdf2_small_iterations_pkcs5(void)
798 EVP_KDF_CTX *kctx = NULL;
799 unsigned char out[25];
800 unsigned int iterations = 1;
803 OSSL_PARAM mode_params[2];
805 params = construct_pbkdf2_params("passwordPASSWORDpassword", "sha256",
806 "saltSALTsaltSALTsaltSALTsaltSALTsalt",
809 if (!TEST_ptr(params)
810 || !TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
811 /* An iteration count that is too small will pass in pkcs5 mode */
812 || !TEST_true(EVP_KDF_CTX_set_params(kctx, params))
813 || !TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0))
817 mode_params[0] = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_PKCS5, &mode);
818 mode_params[1] = OSSL_PARAM_construct_end();
820 /* If the "pkcs5" mode is disabled then the derive will now fail */
821 if (!TEST_true(EVP_KDF_CTX_set_params(kctx, mode_params))
822 || !TEST_int_eq(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0))
827 EVP_KDF_CTX_free(kctx);
828 OPENSSL_free(params);
832 static int test_kdf_pbkdf2_invalid_digest(void)
835 EVP_KDF_CTX *kctx = NULL;
836 unsigned int iterations = 4096;
840 params = construct_pbkdf2_params("passwordPASSWORDpassword", "blah",
841 "saltSALTsaltSALTsaltSALTsaltSALTsalt",
844 if (!TEST_ptr(params)
845 || !TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
846 /* Unknown digest should fail */
847 || !TEST_false(EVP_KDF_CTX_set_params(kctx, params)))
852 EVP_KDF_CTX_free(kctx);
853 OPENSSL_free(params);
857 #ifndef OPENSSL_NO_SCRYPT
858 static int test_kdf_scrypt(void)
862 OSSL_PARAM params[7], *p = params;
863 unsigned char out[64];
864 unsigned int nu = 1024, ru = 8, pu = 16, maxmem = 16;
865 static const unsigned char expected[sizeof(out)] = {
866 0xfd, 0xba, 0xbe, 0x1c, 0x9d, 0x34, 0x72, 0x00,
867 0x78, 0x56, 0xe7, 0x19, 0x0d, 0x01, 0xe9, 0xfe,
868 0x7c, 0x6a, 0xd7, 0xcb, 0xc8, 0x23, 0x78, 0x30,
869 0xe7, 0x73, 0x76, 0x63, 0x4b, 0x37, 0x31, 0x62,
870 0x2e, 0xaf, 0x30, 0xd9, 0x2e, 0x22, 0xa3, 0x88,
871 0x6f, 0xf1, 0x09, 0x27, 0x9d, 0x98, 0x30, 0xda,
872 0xc7, 0x27, 0xaf, 0xb9, 0x4a, 0x83, 0xee, 0x6d,
873 0x83, 0x60, 0xcb, 0xdf, 0xa2, 0xcc, 0x06, 0x40
876 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PASSWORD,
877 (char *)"password", 8);
878 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
880 *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_SCRYPT_N, &nu);
881 *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_SCRYPT_R, &ru);
882 *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_SCRYPT_P, &pu);
883 *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_SCRYPT_MAXMEM, &maxmem);
884 *p = OSSL_PARAM_construct_end();
887 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SCRYPT))
888 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
890 && TEST_int_le(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0)*/
891 && TEST_true(OSSL_PARAM_set_uint(p - 1, 10 * 1024 * 1024))
892 && TEST_true(EVP_KDF_CTX_set_params(kctx, p - 1))
893 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0)
894 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
896 EVP_KDF_CTX_free(kctx);
899 #endif /* OPENSSL_NO_SCRYPT */
901 static int test_kdf_ss_hash(void)
905 OSSL_PARAM params[4], *p = params;
906 unsigned char out[14];
907 static unsigned char z[] = {
908 0x6d,0xbd,0xc2,0x3f,0x04,0x54,0x88,0xe4,0x06,0x27,0x57,0xb0,0x6b,0x9e,
909 0xba,0xe1,0x83,0xfc,0x5a,0x59,0x46,0xd8,0x0d,0xb9,0x3f,0xec,0x6f,0x62,
910 0xec,0x07,0xe3,0x72,0x7f,0x01,0x26,0xae,0xd1,0x2c,0xe4,0xb2,0x62,0xf4,
911 0x7d,0x48,0xd5,0x42,0x87,0xf8,0x1d,0x47,0x4c,0x7c,0x3b,0x18,0x50,0xe9
913 static unsigned char other[] = {
914 0xa1,0xb2,0xc3,0xd4,0xe5,0x43,0x41,0x56,0x53,0x69,0x64,0x3c,0x83,0x2e,
915 0x98,0x49,0xdc,0xdb,0xa7,0x1e,0x9a,0x31,0x39,0xe6,0x06,0xe0,0x95,0xde,
916 0x3c,0x26,0x4a,0x66,0xe9,0x8a,0x16,0x58,0x54,0xcd,0x07,0x98,0x9b,0x1e,
917 0xe0,0xec,0x3f,0x8d,0xbe
919 static const unsigned char expected[sizeof(out)] = {
920 0xa4,0x62,0xde,0x16,0xa8,0x9d,0xe8,0x46,0x6e,0xf5,0x46,0x0b,0x47,0xb8
923 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
924 (char *)"sha224", 0);
925 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z, sizeof(z));
926 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, other,
928 *p = OSSL_PARAM_construct_end();
931 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SSKDF))
932 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
933 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
935 EVP_KDF_CTX_free(kctx);
939 static int test_kdf_x963(void)
943 OSSL_PARAM params[4], *p = params;
944 unsigned char out[1024 / 8];
946 * Test data from https://csrc.nist.gov/CSRC/media/Projects/
947 * Cryptographic-Algorithm-Validation-Program/documents/components/
948 * 800-135testvectors/ansx963_2001.zip
950 static unsigned char z[] = {
951 0x00, 0xaa, 0x5b, 0xb7, 0x9b, 0x33, 0xe3, 0x89, 0xfa, 0x58, 0xce, 0xad,
952 0xc0, 0x47, 0x19, 0x7f, 0x14, 0xe7, 0x37, 0x12, 0xf4, 0x52, 0xca, 0xa9,
953 0xfc, 0x4c, 0x9a, 0xdb, 0x36, 0x93, 0x48, 0xb8, 0x15, 0x07, 0x39, 0x2f,
954 0x1a, 0x86, 0xdd, 0xfd, 0xb7, 0xc4, 0xff, 0x82, 0x31, 0xc4, 0xbd, 0x0f,
955 0x44, 0xe4, 0x4a, 0x1b, 0x55, 0xb1, 0x40, 0x47, 0x47, 0xa9, 0xe2, 0xe7,
956 0x53, 0xf5, 0x5e, 0xf0, 0x5a, 0x2d
958 static unsigned char shared[] = {
959 0xe3, 0xb5, 0xb4, 0xc1, 0xb0, 0xd5, 0xcf, 0x1d, 0x2b, 0x3a, 0x2f, 0x99,
960 0x37, 0x89, 0x5d, 0x31
962 static const unsigned char expected[sizeof(out)] = {
963 0x44, 0x63, 0xf8, 0x69, 0xf3, 0xcc, 0x18, 0x76, 0x9b, 0x52, 0x26, 0x4b,
964 0x01, 0x12, 0xb5, 0x85, 0x8f, 0x7a, 0xd3, 0x2a, 0x5a, 0x2d, 0x96, 0xd8,
965 0xcf, 0xfa, 0xbf, 0x7f, 0xa7, 0x33, 0x63, 0x3d, 0x6e, 0x4d, 0xd2, 0xa5,
966 0x99, 0xac, 0xce, 0xb3, 0xea, 0x54, 0xa6, 0x21, 0x7c, 0xe0, 0xb5, 0x0e,
967 0xef, 0x4f, 0x6b, 0x40, 0xa5, 0xc3, 0x02, 0x50, 0xa5, 0xa8, 0xee, 0xee,
968 0x20, 0x80, 0x02, 0x26, 0x70, 0x89, 0xdb, 0xf3, 0x51, 0xf3, 0xf5, 0x02,
969 0x2a, 0xa9, 0x63, 0x8b, 0xf1, 0xee, 0x41, 0x9d, 0xea, 0x9c, 0x4f, 0xf7,
970 0x45, 0xa2, 0x5a, 0xc2, 0x7b, 0xda, 0x33, 0xca, 0x08, 0xbd, 0x56, 0xdd,
971 0x1a, 0x59, 0xb4, 0x10, 0x6c, 0xf2, 0xdb, 0xbc, 0x0a, 0xb2, 0xaa, 0x8e,
972 0x2e, 0xfa, 0x7b, 0x17, 0x90, 0x2d, 0x34, 0x27, 0x69, 0x51, 0xce, 0xcc,
973 0xab, 0x87, 0xf9, 0x66, 0x1c, 0x3e, 0x88, 0x16
976 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
977 (char *)"sha512", 0);
978 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z, sizeof(z));
979 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, shared,
981 *p = OSSL_PARAM_construct_end();
984 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_X963KDF))
985 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
986 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
988 EVP_KDF_CTX_free(kctx);
992 #if !defined(OPENSSL_NO_CMAC) && !defined(OPENSSL_NO_CAMELLIA)
994 * KBKDF test vectors from RFC 6803 (Camellia Encryption for Kerberos 5)
997 static int test_kdf_kbkdf_6803_128(void)
1001 OSSL_PARAM params[7];
1002 static unsigned char input_key[] = {
1003 0x57, 0xD0, 0x29, 0x72, 0x98, 0xFF, 0xD9, 0xD3,
1004 0x5D, 0xE5, 0xA4, 0x7F, 0xB4, 0xBD, 0xE2, 0x4B,
1006 static unsigned char constants[][5] = {
1007 { 0x00, 0x00, 0x00, 0x02, 0x99 },
1008 { 0x00, 0x00, 0x00, 0x02, 0xaa },
1009 { 0x00, 0x00, 0x00, 0x02, 0x55 },
1011 static unsigned char outputs[][16] = {
1012 {0xD1, 0x55, 0x77, 0x5A, 0x20, 0x9D, 0x05, 0xF0,
1013 0x2B, 0x38, 0xD4, 0x2A, 0x38, 0x9E, 0x5A, 0x56},
1014 {0x64, 0xDF, 0x83, 0xF8, 0x5A, 0x53, 0x2F, 0x17,
1015 0x57, 0x7D, 0x8C, 0x37, 0x03, 0x57, 0x96, 0xAB},
1016 {0x3E, 0x4F, 0xBD, 0xF3, 0x0F, 0xB8, 0x25, 0x9C,
1017 0x42, 0x5C, 0xB6, 0xC9, 0x6F, 0x1F, 0x46, 0x35}
1019 static unsigned char iv[16] = { 0 };
1020 unsigned char result[16] = { 0 };
1022 for (i = 0; i < 3; i++) {
1024 params[p++] = OSSL_PARAM_construct_utf8_string(
1025 OSSL_KDF_PARAM_CIPHER, "CAMELLIA-128-CBC", 0);
1026 params[p++] = OSSL_PARAM_construct_utf8_string(
1027 OSSL_KDF_PARAM_MAC, "CMAC", 0);
1028 params[p++] = OSSL_PARAM_construct_utf8_string(
1029 OSSL_KDF_PARAM_MODE, "FEEDBACK", 0);
1030 params[p++] = OSSL_PARAM_construct_octet_string(
1031 OSSL_KDF_PARAM_KEY, input_key, sizeof(input_key));
1032 params[p++] = OSSL_PARAM_construct_octet_string(
1033 OSSL_KDF_PARAM_SALT, constants[i], sizeof(constants[i]));
1034 params[p++] = OSSL_PARAM_construct_octet_string(
1035 OSSL_KDF_PARAM_SEED, iv, sizeof(iv));
1036 params[p] = OSSL_PARAM_construct_end();
1038 kctx = get_kdfbyname("KBKDF");
1039 ret = TEST_ptr(kctx)
1040 && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result),
1042 && TEST_mem_eq(result, sizeof(result), outputs[i],
1043 sizeof(outputs[i]));
1044 EVP_KDF_CTX_free(kctx);
1052 static int test_kdf_kbkdf_6803_256(void)
1056 OSSL_PARAM params[7];
1057 static unsigned char input_key[] = {
1058 0xB9, 0xD6, 0x82, 0x8B, 0x20, 0x56, 0xB7, 0xBE,
1059 0x65, 0x6D, 0x88, 0xA1, 0x23, 0xB1, 0xFA, 0xC6,
1060 0x82, 0x14, 0xAC, 0x2B, 0x72, 0x7E, 0xCF, 0x5F,
1061 0x69, 0xAF, 0xE0, 0xC4, 0xDF, 0x2A, 0x6D, 0x2C,
1063 static unsigned char constants[][5] = {
1064 { 0x00, 0x00, 0x00, 0x02, 0x99 },
1065 { 0x00, 0x00, 0x00, 0x02, 0xaa },
1066 { 0x00, 0x00, 0x00, 0x02, 0x55 },
1068 static unsigned char outputs[][32] = {
1069 {0xE4, 0x67, 0xF9, 0xA9, 0x55, 0x2B, 0xC7, 0xD3,
1070 0x15, 0x5A, 0x62, 0x20, 0xAF, 0x9C, 0x19, 0x22,
1071 0x0E, 0xEE, 0xD4, 0xFF, 0x78, 0xB0, 0xD1, 0xE6,
1072 0xA1, 0x54, 0x49, 0x91, 0x46, 0x1A, 0x9E, 0x50,
1074 {0x41, 0x2A, 0xEF, 0xC3, 0x62, 0xA7, 0x28, 0x5F,
1075 0xC3, 0x96, 0x6C, 0x6A, 0x51, 0x81, 0xE7, 0x60,
1076 0x5A, 0xE6, 0x75, 0x23, 0x5B, 0x6D, 0x54, 0x9F,
1077 0xBF, 0xC9, 0xAB, 0x66, 0x30, 0xA4, 0xC6, 0x04,
1079 {0xFA, 0x62, 0x4F, 0xA0, 0xE5, 0x23, 0x99, 0x3F,
1080 0xA3, 0x88, 0xAE, 0xFD, 0xC6, 0x7E, 0x67, 0xEB,
1081 0xCD, 0x8C, 0x08, 0xE8, 0xA0, 0x24, 0x6B, 0x1D,
1082 0x73, 0xB0, 0xD1, 0xDD, 0x9F, 0xC5, 0x82, 0xB0,
1085 static unsigned char iv[16] = { 0 };
1086 unsigned char result[32] = { 0 };
1088 for (i = 0; i < 3; i++) {
1090 params[p++] = OSSL_PARAM_construct_utf8_string(
1091 OSSL_KDF_PARAM_CIPHER, "CAMELLIA-256-CBC", 0);
1092 params[p++] = OSSL_PARAM_construct_utf8_string(
1093 OSSL_KDF_PARAM_MAC, "CMAC", 0);
1094 params[p++] = OSSL_PARAM_construct_utf8_string(
1095 OSSL_KDF_PARAM_MODE, "FEEDBACK", 0);
1096 params[p++] = OSSL_PARAM_construct_octet_string(
1097 OSSL_KDF_PARAM_KEY, input_key, sizeof(input_key));
1098 params[p++] = OSSL_PARAM_construct_octet_string(
1099 OSSL_KDF_PARAM_SALT, constants[i], sizeof(constants[i]));
1100 params[p++] = OSSL_PARAM_construct_octet_string(
1101 OSSL_KDF_PARAM_SEED, iv, sizeof(iv));
1102 params[p] = OSSL_PARAM_construct_end();
1104 kctx = get_kdfbyname("KBKDF");
1105 ret = TEST_ptr(kctx)
1106 && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result),
1108 && TEST_mem_eq(result, sizeof(result), outputs[i],
1109 sizeof(outputs[i]));
1110 EVP_KDF_CTX_free(kctx);
1119 static OSSL_PARAM *construct_kbkdf_params(char *digest, char *mac, unsigned char *key,
1120 size_t keylen, char *salt, char *info, int *r)
1122 OSSL_PARAM *params = OPENSSL_malloc(sizeof(OSSL_PARAM) * 8);
1123 OSSL_PARAM *p = params;
1128 *p++ = OSSL_PARAM_construct_utf8_string(
1129 OSSL_KDF_PARAM_DIGEST, digest, 0);
1130 *p++ = OSSL_PARAM_construct_utf8_string(
1131 OSSL_KDF_PARAM_MAC, mac, 0);
1132 *p++ = OSSL_PARAM_construct_utf8_string(
1133 OSSL_KDF_PARAM_MODE, "COUNTER", 0);
1134 *p++ = OSSL_PARAM_construct_octet_string(
1135 OSSL_KDF_PARAM_KEY, key, keylen);
1136 *p++ = OSSL_PARAM_construct_octet_string(
1137 OSSL_KDF_PARAM_SALT, salt, strlen(salt));
1138 *p++ = OSSL_PARAM_construct_octet_string(
1139 OSSL_KDF_PARAM_INFO, info, strlen(info));
1140 *p++ = OSSL_PARAM_construct_int(
1141 OSSL_KDF_PARAM_KBKDF_R, r);
1142 *p = OSSL_PARAM_construct_end();
1147 static int test_kdf_kbkdf_invalid_digest(void)
1153 static unsigned char key[] = {0x01};
1156 params = construct_kbkdf_params("blah", "HMAC", key, 1, "prf", "test", &r);
1157 if (!TEST_ptr(params))
1160 /* Negative test case - set_params should fail */
1161 kctx = get_kdfbyname("KBKDF");
1162 ret = TEST_ptr(kctx)
1163 && TEST_false(EVP_KDF_CTX_set_params(kctx, params));
1165 EVP_KDF_CTX_free(kctx);
1166 OPENSSL_free(params);
1170 static int test_kdf_kbkdf_invalid_mac(void)
1176 static unsigned char key[] = {0x01};
1179 params = construct_kbkdf_params("sha256", "blah", key, 1, "prf", "test", &r);
1180 if (!TEST_ptr(params))
1183 /* Negative test case - set_params should fail */
1184 kctx = get_kdfbyname("KBKDF");
1185 ret = TEST_ptr(kctx)
1186 && TEST_false(EVP_KDF_CTX_set_params(kctx, params));
1188 EVP_KDF_CTX_free(kctx);
1189 OPENSSL_free(params);
1193 static int test_kdf_kbkdf_invalid_r(void)
1199 static unsigned char key[] = {0x01};
1202 params = construct_kbkdf_params("sha256", "HMAC", key, 1, "prf", "test", &r);
1203 if (!TEST_ptr(params))
1206 /* Negative test case - derive should fail */
1207 kctx = get_kdfbyname("KBKDF");
1208 ret = TEST_ptr(kctx)
1209 && TEST_false(EVP_KDF_CTX_set_params(kctx, params));
1211 EVP_KDF_CTX_free(kctx);
1212 OPENSSL_free(params);
1217 static int test_kdf_kbkdf_empty_key(void)
1223 static unsigned char key[] = {0x01};
1224 unsigned char result[32] = { 0 };
1227 params = construct_kbkdf_params("sha256", "HMAC", key, 0, "prf", "test", &r);
1228 if (!TEST_ptr(params))
1231 /* Negative test case - derive should fail */
1232 kctx = get_kdfbyname("KBKDF");
1233 ret = TEST_ptr(kctx)
1234 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
1235 && TEST_int_eq(EVP_KDF_derive(kctx, result, sizeof(result), NULL), 0);
1237 EVP_KDF_CTX_free(kctx);
1238 OPENSSL_free(params);
1242 static int test_kdf_kbkdf_1byte_key(void)
1248 static unsigned char key[] = {0x01};
1249 unsigned char result[32] = { 0 };
1252 params = construct_kbkdf_params("sha256", "HMAC", key, 1, "prf", "test", &r);
1253 if (!TEST_ptr(params))
1256 kctx = get_kdfbyname("KBKDF");
1257 ret = TEST_ptr(kctx)
1258 && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result), params), 0);
1260 EVP_KDF_CTX_free(kctx);
1261 OPENSSL_free(params);
1265 static int test_kdf_kbkdf_zero_output_size(void)
1271 static unsigned char key[] = {0x01};
1272 unsigned char result[32] = { 0 };
1275 params = construct_kbkdf_params("sha256", "HMAC", key, 1, "prf", "test", &r);
1276 if (!TEST_ptr(params))
1279 /* Negative test case - derive should fail */
1280 kctx = get_kdfbyname("KBKDF");
1281 ret = TEST_ptr(kctx)
1282 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
1283 && TEST_int_eq(EVP_KDF_derive(kctx, result, 0, NULL), 0);
1285 EVP_KDF_CTX_free(kctx);
1286 OPENSSL_free(params);
1290 /* Two test vectors from RFC 8009 (AES Encryption with HMAC-SHA2 for Kerberos
1292 static int test_kdf_kbkdf_8009_prf1(void)
1296 OSSL_PARAM params[6];
1297 char *label = "prf", *digest = "sha256", *prf_input = "test",
1299 static unsigned char input_key[] = {
1300 0x37, 0x05, 0xD9, 0x60, 0x80, 0xC1, 0x77, 0x28,
1301 0xA0, 0xE8, 0x00, 0xEA, 0xB6, 0xE0, 0xD2, 0x3C,
1303 static unsigned char output[] = {
1304 0x9D, 0x18, 0x86, 0x16, 0xF6, 0x38, 0x52, 0xFE,
1305 0x86, 0x91, 0x5B, 0xB8, 0x40, 0xB4, 0xA8, 0x86,
1306 0xFF, 0x3E, 0x6B, 0xB0, 0xF8, 0x19, 0xB4, 0x9B,
1307 0x89, 0x33, 0x93, 0xD3, 0x93, 0x85, 0x42, 0x95,
1309 unsigned char result[sizeof(output)] = { 0 };
1311 params[i++] = OSSL_PARAM_construct_utf8_string(
1312 OSSL_KDF_PARAM_DIGEST, digest, 0);
1313 params[i++] = OSSL_PARAM_construct_utf8_string(
1314 OSSL_KDF_PARAM_MAC, mac, 0);
1315 params[i++] = OSSL_PARAM_construct_octet_string(
1316 OSSL_KDF_PARAM_KEY, input_key, sizeof(input_key));
1317 params[i++] = OSSL_PARAM_construct_octet_string(
1318 OSSL_KDF_PARAM_SALT, label, strlen(label));
1319 params[i++] = OSSL_PARAM_construct_octet_string(
1320 OSSL_KDF_PARAM_INFO, prf_input, strlen(prf_input));
1321 params[i] = OSSL_PARAM_construct_end();
1323 kctx = get_kdfbyname("KBKDF");
1324 ret = TEST_ptr(kctx)
1325 && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result), params), 0)
1326 && TEST_mem_eq(result, sizeof(result), output, sizeof(output));
1328 EVP_KDF_CTX_free(kctx);
1332 static int test_kdf_kbkdf_8009_prf2(void)
1336 OSSL_PARAM params[6];
1337 char *label = "prf", *digest = "sha384", *prf_input = "test",
1339 static unsigned char input_key[] = {
1340 0x6D, 0x40, 0x4D, 0x37, 0xFA, 0xF7, 0x9F, 0x9D,
1341 0xF0, 0xD3, 0x35, 0x68, 0xD3, 0x20, 0x66, 0x98,
1342 0x00, 0xEB, 0x48, 0x36, 0x47, 0x2E, 0xA8, 0xA0,
1343 0x26, 0xD1, 0x6B, 0x71, 0x82, 0x46, 0x0C, 0x52,
1345 static unsigned char output[] = {
1346 0x98, 0x01, 0xF6, 0x9A, 0x36, 0x8C, 0x2B, 0xF6,
1347 0x75, 0xE5, 0x95, 0x21, 0xE1, 0x77, 0xD9, 0xA0,
1348 0x7F, 0x67, 0xEF, 0xE1, 0xCF, 0xDE, 0x8D, 0x3C,
1349 0x8D, 0x6F, 0x6A, 0x02, 0x56, 0xE3, 0xB1, 0x7D,
1350 0xB3, 0xC1, 0xB6, 0x2A, 0xD1, 0xB8, 0x55, 0x33,
1351 0x60, 0xD1, 0x73, 0x67, 0xEB, 0x15, 0x14, 0xD2,
1353 unsigned char result[sizeof(output)] = { 0 };
1355 params[i++] = OSSL_PARAM_construct_utf8_string(
1356 OSSL_KDF_PARAM_DIGEST, digest, 0);
1357 params[i++] = OSSL_PARAM_construct_utf8_string(
1358 OSSL_KDF_PARAM_MAC, mac, 0);
1359 params[i++] = OSSL_PARAM_construct_octet_string(
1360 OSSL_KDF_PARAM_KEY, input_key, sizeof(input_key));
1361 params[i++] = OSSL_PARAM_construct_octet_string(
1362 OSSL_KDF_PARAM_SALT, label, strlen(label));
1363 params[i++] = OSSL_PARAM_construct_octet_string(
1364 OSSL_KDF_PARAM_INFO, prf_input, strlen(prf_input));
1365 params[i] = OSSL_PARAM_construct_end();
1367 kctx = get_kdfbyname("KBKDF");
1368 ret = TEST_ptr(kctx)
1369 && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result), params), 0)
1370 && TEST_mem_eq(result, sizeof(result), output, sizeof(output));
1372 EVP_KDF_CTX_free(kctx);
1376 #if !defined(OPENSSL_NO_CMAC)
1378 * Test vector taken from
1379 * https://csrc.nist.gov/CSRC/media/Projects/
1380 * Cryptographic-Algorithm-Validation-Program/documents/KBKDF800-108/CounterMode.zip
1382 static int test_kdf_kbkdf_fixedinfo(void)
1386 OSSL_PARAM params[8], *p = params;
1387 static char *cipher = "AES128";
1388 static char *mac = "CMAC";
1389 static char *mode = "COUNTER";
1391 int use_separator = 0;
1393 static unsigned char input_key[] = {
1394 0xc1, 0x0b, 0x15, 0x2e, 0x8c, 0x97, 0xb7, 0x7e,
1395 0x18, 0x70, 0x4e, 0x0f, 0x0b, 0xd3, 0x83, 0x05,
1397 static unsigned char fixed_input[] = {
1398 0x98, 0xcd, 0x4c, 0xbb, 0xbe, 0xbe, 0x15, 0xd1,
1399 0x7d, 0xc8, 0x6e, 0x6d, 0xba, 0xd8, 0x00, 0xa2,
1400 0xdc, 0xbd, 0x64, 0xf7, 0xc7, 0xad, 0x0e, 0x78,
1401 0xe9, 0xcf, 0x94, 0xff, 0xdb, 0xa8, 0x9d, 0x03,
1402 0xe9, 0x7e, 0xad, 0xf6, 0xc4, 0xf7, 0xb8, 0x06,
1403 0xca, 0xf5, 0x2a, 0xa3, 0x8f, 0x09, 0xd0, 0xeb,
1404 0x71, 0xd7, 0x1f, 0x49, 0x7b, 0xcc, 0x69, 0x06,
1405 0xb4, 0x8d, 0x36, 0xc4,
1408 static unsigned char output[] = {
1409 0x26, 0xfa, 0xf6, 0x19, 0x08, 0xad, 0x9e, 0xe8,
1410 0x81, 0xb8, 0x30, 0x5c, 0x22, 0x1d, 0xb5, 0x3f,
1412 unsigned char result[sizeof(output)] = { 0 };
1414 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_CIPHER, cipher, 0);
1415 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MAC, mac, 0);
1416 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MODE, mode, 0);
1417 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, input_key,
1419 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO,
1420 fixed_input, sizeof(fixed_input));
1421 *p++ = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_KBKDF_USE_L, &use_l);
1422 *p++ = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_KBKDF_USE_SEPARATOR,
1424 *p = OSSL_PARAM_construct_end();
1426 kctx = get_kdfbyname("KBKDF");
1427 ret = TEST_ptr(kctx)
1428 && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result), params), 0)
1429 && TEST_mem_eq(result, sizeof(result), output, sizeof(output));
1431 EVP_KDF_CTX_free(kctx);
1434 #endif /* OPENSSL_NO_CMAC */
1436 static int test_kdf_kbkdf_kmac(void)
1440 OSSL_PARAM params[5], *p = params;
1441 static char *mac = "KMAC256";
1443 static unsigned char input_key[] = {
1444 0xDD, 0x81, 0xEF, 0xC8, 0x2C, 0xDD, 0xEC, 0x51,
1445 0xC4, 0x09, 0xBD, 0x8C, 0xCB, 0xAF, 0x94, 0xF6,
1446 0x5F, 0xFA, 0x7B, 0x92, 0xF1, 0x11, 0xF9, 0x40,
1447 0x2B, 0x0D, 0x6A, 0xE0, 0x5E, 0x44, 0x92, 0x34,
1448 0xF0, 0x3B, 0xBA, 0xF5, 0x4F, 0xEF, 0x19, 0x45,
1451 static unsigned char context[] = {
1452 0x81, 0xA1, 0xFE, 0x39, 0x91, 0xEE, 0x3F, 0xD3,
1453 0x90, 0x4E, 0x82, 0xE6, 0x13, 0x20, 0xEC, 0x6B,
1454 0x6E, 0x14, 0x0B, 0xBA, 0x95, 0x5D, 0x0B, 0x52,
1455 0x8E, 0x27, 0x67, 0xB3, 0xE0, 0x77, 0x05, 0x15,
1456 0xBD, 0x78, 0xF6, 0xE8, 0x8A, 0x7D, 0x9B, 0x08,
1457 0x20, 0x0F, 0xE9, 0x8D, 0xD6, 0x24, 0x67, 0xE2,
1458 0xCC, 0x6D, 0x42, 0xE6, 0x60, 0x50, 0x20, 0x77,
1459 0x89, 0x89, 0xB7, 0x2D, 0xF7, 0x5F, 0xE2, 0x79,
1460 0xDB, 0x58, 0x0B, 0x7B, 0x02, 0xB9, 0xD9, 0xB0,
1461 0xFA, 0x6B, 0x0B, 0xB6, 0xD4, 0x95, 0xDB, 0x46,
1462 0x55, 0x5F, 0x12, 0xC3, 0xF0, 0xE0, 0x6E, 0xC8,
1463 0xF4, 0xF8, 0xA1, 0x64, 0x2E, 0x96, 0x74, 0x2B,
1464 0xC6, 0xBD, 0x22, 0xB1, 0x6A, 0xBC, 0x41, 0xDF,
1465 0x30, 0x32, 0xC7, 0xCE, 0x18, 0x14, 0x70, 0x2A,
1466 0xED, 0xE5, 0xC4, 0x6B, 0x8A, 0xA8, 0x36, 0xFD,
1467 0x0A, 0x76, 0x38, 0x44, 0x98, 0x0A, 0xE3, 0xC2,
1468 0x3A, 0x24, 0xCB, 0x45, 0xBF, 0xC9, 0x2C, 0x19,
1469 0xCB, 0x9D, 0x6C, 0x27, 0xDE, 0x78, 0x3E, 0x2C,
1470 0x3D, 0x39, 0x6E, 0x11, 0x59, 0xAE, 0x4F, 0x91,
1471 0x03, 0xE2, 0x7B, 0x97, 0xD6, 0x0C, 0x7D, 0x9D,
1472 0x5A, 0xA5, 0x47, 0x57, 0x41, 0xAD, 0x64, 0x5B,
1473 0xF7, 0x1D, 0x1A, 0xDA, 0x3A, 0x39, 0xDF, 0x85,
1474 0x0D, 0x0F, 0x50, 0x15, 0xA7, 0x3D, 0x68, 0x81,
1475 0x7B, 0x0D, 0xF2, 0x24, 0x24, 0x23, 0x37, 0xE5,
1476 0x77, 0xA6, 0x61, 0xBE, 0xFE, 0x4B, 0x3B, 0x8E,
1477 0x4F, 0x15, 0x4F, 0xC1, 0x30, 0xCB, 0x9E, 0xF5,
1478 0x06, 0x9F, 0xBB, 0x0E, 0xF2, 0xF4, 0x43, 0xBB,
1479 0x64, 0x45, 0xA3, 0x7D, 0x3B, 0xB4, 0x70, 0x47,
1480 0xDF, 0x4A, 0xA5, 0xD9, 0x2F, 0xE6, 0x25, 0xC8,
1481 0x1D, 0x43, 0x0A, 0xEA, 0xF9, 0xCC, 0xC7, 0x1F,
1482 0x8A, 0x2D, 0xD8, 0x95, 0x6B, 0x16, 0x30, 0x1D,
1483 0x80, 0x90, 0xA4, 0x23, 0x14, 0x59, 0xD1, 0x5A,
1484 0x00, 0x48, 0x8D, 0xF7, 0xEA, 0x29, 0x23, 0xDF,
1485 0x35, 0x26, 0x25, 0x22, 0x12, 0xC4, 0x4C, 0x09,
1486 0x69, 0xB8, 0xD6, 0x0C, 0x0E, 0x71, 0x90, 0x6C,
1487 0x42, 0x90, 0x02, 0x53, 0xC5, 0x5A, 0xEF, 0x42,
1488 0x66, 0x1D, 0xAF, 0x45, 0xD5, 0x31, 0xD7, 0x61,
1489 0x3A, 0xE6, 0x06, 0xFB, 0x83, 0x72, 0xAD, 0x82,
1490 0xE3, 0x6A, 0x7E, 0x03, 0x9B, 0x37, 0x77, 0xAF,
1491 0x8D, 0x63, 0x28, 0xC2, 0x8A, 0x5E, 0xC6, 0x3B,
1492 0x22, 0xA8, 0x94, 0xC0, 0x46, 0x2F, 0x73, 0xE7,
1493 0xBB, 0x72, 0x44, 0x85, 0x20, 0x1D, 0xD0, 0x6A,
1494 0x52, 0x8C, 0xB1, 0x8B, 0x96, 0x11, 0xEB, 0xFB,
1495 0xDD, 0xF5, 0x74, 0x49, 0x19, 0x93, 0xD3, 0x7F,
1496 0x6C, 0x27, 0x19, 0x54, 0xDD, 0x00, 0x0F, 0x95,
1497 0xF6, 0x14, 0x15, 0x87, 0x32, 0x54, 0xA5, 0x02,
1498 0xAD, 0x41, 0x55, 0x5E, 0xDD, 0x32, 0x62, 0x3B,
1499 0xFC, 0x71, 0xC1, 0x56, 0xC4, 0x6A, 0xFC, 0xD0,
1500 0xF9, 0x77, 0xDA, 0xC5, 0x20, 0x7D, 0xAC, 0xA8,
1501 0xEB, 0x8F, 0xBE, 0xF9, 0x4D, 0xE8, 0x6D, 0x9E,
1502 0x4C, 0x39, 0xB3, 0x15, 0x63, 0xCD, 0xF6, 0x46,
1503 0xEC, 0x3A, 0xD2, 0x89, 0xA9, 0xFA, 0x24, 0xB4,
1504 0x0E, 0x62, 0x6F, 0x9F, 0xF3, 0xF1, 0x3C, 0x61,
1505 0x57, 0xB9, 0x2C, 0xD4, 0x78, 0x4F, 0x76, 0xCF,
1506 0xFB, 0x6A, 0x51, 0xE8, 0x1E, 0x0A, 0x33, 0x69,
1507 0x16, 0xCD, 0xB7, 0x5C, 0xDF, 0x03, 0x62, 0x17,
1508 0x63, 0x37, 0x49, 0xC3, 0xB7, 0x68, 0x09, 0x9E,
1509 0x22, 0xD2, 0x20, 0x96, 0x37, 0x0D, 0x13, 0xA4,
1510 0x96, 0xB1, 0x8D, 0x0B, 0x12, 0x87, 0xEB, 0x57,
1511 0x25, 0x27, 0x08, 0xFC, 0x90, 0x5E, 0x33, 0x77,
1512 0x50, 0x63, 0xE1, 0x8C, 0xF4, 0x0C, 0x80, 0x89,
1513 0x76, 0x63, 0x70, 0x0A, 0x61, 0x59, 0x90, 0x1F,
1514 0xC9, 0x47, 0xBA, 0x12, 0x7B, 0xB2, 0x7A, 0x44,
1515 0xC3, 0x3D, 0xD0, 0x38, 0xF1, 0x7F, 0x02, 0x92
1517 static unsigned char label[] = {
1518 0xA5, 0xDE, 0x2A, 0x0A, 0xF0, 0xDA, 0x59, 0x04,
1519 0xCC, 0xFF, 0x50, 0xD3, 0xA5, 0xD2, 0xDE, 0xA3,
1520 0x33, 0xC0, 0x27, 0xED, 0xDC, 0x6A, 0x54, 0x54,
1521 0x95, 0x78, 0x74, 0x0D, 0xE7, 0xB7, 0x92, 0xD6,
1522 0x64, 0xD5, 0xFB, 0x1F, 0x0F, 0x87, 0xFD, 0x65,
1523 0x79, 0x8B, 0x81, 0x83, 0x95, 0x40, 0x7A, 0x19,
1524 0x8D, 0xCA, 0xE0, 0x4A, 0x93, 0xA8
1526 static unsigned char output[] = {
1527 0xB5, 0x61, 0xE3, 0x7D, 0x06, 0xD5, 0x34, 0x80,
1528 0x74, 0x61, 0x16, 0x08, 0x6F, 0x89, 0x6F, 0xB1,
1529 0x43, 0xAF, 0x61, 0x28, 0x93, 0xD8, 0xDF, 0xF6,
1530 0xB6, 0x23, 0x43, 0x68, 0xE4, 0x84, 0xF3, 0xED,
1531 0x50, 0xB6, 0x81, 0x6D, 0x50, 0xF4, 0xAF, 0xF2,
1532 0xA5, 0x50, 0x7E, 0x25, 0xBF, 0x05, 0xBE, 0xE7,
1533 0x07, 0xB0, 0x95, 0xC3, 0x04, 0x38, 0xB4, 0xF9,
1534 0xC1, 0x1E, 0x96, 0x08, 0xF4, 0xC9, 0x05, 0x54,
1535 0x4A, 0xB6, 0x81, 0x92, 0x5B, 0x34, 0x8A, 0x45,
1536 0xDD, 0x7D, 0x98, 0x51, 0x1F, 0xD9, 0x90, 0x23,
1537 0x59, 0x97, 0xA2, 0x4E, 0x43, 0x49, 0xEB, 0x4E,
1538 0x86, 0xEC, 0x20, 0x3C, 0x31, 0xFF, 0x49, 0x55,
1539 0x49, 0xF5, 0xF5, 0x16, 0x79, 0xD9, 0x1C, 0x8E,
1540 0x6E, 0xB3, 0x1C, 0xAF, 0xC8, 0xAB, 0x3A, 0x5A,
1541 0xCE, 0xB1, 0xBD, 0x59, 0x69, 0xEE, 0xC0, 0x28,
1542 0x3E, 0x94, 0xD2, 0xCC, 0x91, 0x93, 0x73, 0x6A,
1543 0xD6, 0xB6, 0xC1, 0x42, 0x97, 0xB1, 0x13, 0xCF,
1544 0xF9, 0x55, 0x35, 0x50, 0xFC, 0x86, 0x75, 0x98,
1545 0x9F, 0xFC, 0x96, 0xB1, 0x43, 0x41, 0x8F, 0xFC,
1546 0x31, 0x09, 0x3B, 0x35, 0x22, 0x7B, 0x01, 0x96,
1547 0xA7, 0xF0, 0x78, 0x7B, 0x57, 0x00, 0xF2, 0xE5,
1548 0x92, 0x36, 0xCE, 0x64, 0xFD, 0x65, 0x09, 0xD8,
1549 0xBC, 0x5C, 0x82, 0x5C, 0x4C, 0x62, 0x5B, 0xCE,
1550 0x09, 0xB6, 0xCF, 0x4D, 0xAD, 0x8E, 0xDD, 0x96,
1551 0xB0, 0xCA, 0x52, 0xC1, 0xF4, 0x17, 0x0E, 0x2D,
1552 0x4E, 0xC3, 0xF9, 0x89, 0x1A, 0x24, 0x3D, 0x01,
1553 0xC8, 0x05, 0xBF, 0x7D, 0x2A, 0x46, 0xCD, 0x9A,
1554 0x66, 0xEE, 0x05, 0x78, 0x88, 0x2A, 0xEF, 0x37,
1555 0x9E, 0x72, 0x55, 0xDA, 0x82, 0x7A, 0x9B, 0xE8,
1556 0xF7, 0xA6, 0x74, 0xB8, 0x74, 0x39, 0x03, 0xE8,
1557 0xB9, 0x1F, 0x97, 0x78, 0xB9, 0xD9, 0x37, 0x16,
1558 0xFD, 0x2F, 0x31, 0xDE, 0xCC, 0x06, 0xD6, 0x5A,
1559 0xEB, 0xD1, 0xBB, 0x84, 0x30, 0x16, 0x81, 0xB0,
1560 0x7E, 0x04, 0x8C, 0x06, 0x67, 0xD1, 0x8A, 0x07,
1561 0x33, 0x76, 0x42, 0x8E, 0x87, 0xAB, 0x90, 0x6F,
1562 0x08, 0xED, 0x8D, 0xE8, 0xD0, 0x20, 0x00, 0x7E,
1563 0x3C, 0x4D, 0xA4, 0x40, 0x37, 0x13, 0x0F, 0x00,
1564 0x0C, 0xB7, 0x26, 0x03, 0x93, 0xD0, 0xBB, 0x08,
1565 0xD3, 0xCC, 0xA9, 0x28, 0xC2
1567 unsigned char result[sizeof(output)] = { 0 };
1569 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MAC, mac, 0);
1570 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
1571 input_key, sizeof(input_key));
1572 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO,
1573 context, sizeof(context));
1574 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
1575 label, sizeof(label));
1576 *p = OSSL_PARAM_construct_end();
1578 kctx = get_kdfbyname("KBKDF");
1579 ret = TEST_ptr(kctx)
1580 && TEST_size_t_eq(EVP_KDF_CTX_get_kdf_size(kctx), SIZE_MAX)
1581 && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result), params), 0)
1582 && TEST_mem_eq(result, sizeof(result), output, sizeof(output));
1584 EVP_KDF_CTX_free(kctx);
1588 static int test_kdf_ss_hmac(void)
1592 OSSL_PARAM params[6], *p = params;
1593 unsigned char out[16];
1594 static unsigned char z[] = {
1595 0xb7,0x4a,0x14,0x9a,0x16,0x15,0x46,0xf8,0xc2,0x0b,0x06,0xac,0x4e,0xd4
1597 static unsigned char other[] = {
1598 0x34,0x8a,0x37,0xa2,0x7e,0xf1,0x28,0x2f,0x5f,0x02,0x0d,0xcc
1600 static unsigned char salt[] = {
1601 0x36,0x38,0x27,0x1c,0xcd,0x68,0xa2,0x5d,0xc2,0x4e,0xcd,0xdd,0x39,0xef,
1604 static const unsigned char expected[sizeof(out)] = {
1605 0x44,0xf6,0x76,0xe8,0x5c,0x1b,0x1a,0x8b,0xbc,0x3d,0x31,0x92,0x18,0x63,
1609 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MAC,
1610 (char *)OSSL_MAC_NAME_HMAC, 0);
1611 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
1612 (char *)"sha256", 0);
1613 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z, sizeof(z));
1614 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, other,
1616 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT, salt,
1618 *p = OSSL_PARAM_construct_end();
1621 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SSKDF))
1622 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
1623 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
1625 EVP_KDF_CTX_free(kctx);
1629 static int test_kdf_ss_kmac(void)
1633 OSSL_PARAM params[7], *p = params;
1634 unsigned char out[64];
1635 size_t mac_size = 20;
1636 static unsigned char z[] = {
1637 0xb7,0x4a,0x14,0x9a,0x16,0x15,0x46,0xf8,0xc2,0x0b,0x06,0xac,0x4e,0xd4
1639 static unsigned char other[] = {
1640 0x34,0x8a,0x37,0xa2,0x7e,0xf1,0x28,0x2f,0x5f,0x02,0x0d,0xcc
1642 static unsigned char salt[] = {
1643 0x36,0x38,0x27,0x1c,0xcd,0x68,0xa2,0x5d,0xc2,0x4e,0xcd,0xdd,0x39,0xef,
1646 static const unsigned char expected[sizeof(out)] = {
1647 0xe9,0xc1,0x84,0x53,0xa0,0x62,0xb5,0x3b,0xdb,0xfc,0xbb,0x5a,0x34,0xbd,
1648 0xb8,0xe5,0xe7,0x07,0xee,0xbb,0x5d,0xd1,0x34,0x42,0x43,0xd8,0xcf,0xc2,
1649 0xc2,0xe6,0x33,0x2f,0x91,0xbd,0xa5,0x86,0xf3,0x7d,0xe4,0x8a,0x65,0xd4,
1650 0xc5,0x14,0xfd,0xef,0xaa,0x1e,0x67,0x54,0xf3,0x73,0xd2,0x38,0xe1,0x95,
1651 0xae,0x15,0x7e,0x1d,0xe8,0x14,0x98,0x03
1654 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MAC,
1655 (char *)OSSL_MAC_NAME_KMAC128, 0);
1656 /* The digest parameter is not needed here and should be ignored */
1657 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
1658 (char *)"SHA256", 0);
1659 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z, sizeof(z));
1660 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, other,
1662 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT, salt,
1664 *p++ = OSSL_PARAM_construct_size_t(OSSL_KDF_PARAM_MAC_SIZE, &mac_size);
1665 *p = OSSL_PARAM_construct_end();
1668 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SSKDF))
1669 && TEST_size_t_eq(EVP_KDF_CTX_get_kdf_size(kctx), 0)
1670 && TEST_int_eq(EVP_KDF_CTX_set_params(kctx, params), 1)
1671 /* The bug fix for KMAC returning SIZE_MAX was added in 3.0.8 */
1672 && (fips_provider_version_lt(NULL, 3, 0, 8)
1673 || TEST_size_t_eq(EVP_KDF_CTX_get_kdf_size(kctx), SIZE_MAX))
1674 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0)
1675 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
1677 EVP_KDF_CTX_free(kctx);
1681 static int test_kdf_sshkdf(void)
1685 OSSL_PARAM params[6], *p = params;
1686 char kdftype = EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV;
1687 unsigned char out[8];
1688 /* Test data from NIST CAVS 14.1 test vectors */
1689 static unsigned char key[] = {
1690 0x00, 0x00, 0x00, 0x81, 0x00, 0x87, 0x5c, 0x55, 0x1c, 0xef, 0x52, 0x6a,
1691 0x4a, 0x8b, 0xe1, 0xa7, 0xdf, 0x27, 0xe9, 0xed, 0x35, 0x4b, 0xac, 0x9a,
1692 0xfb, 0x71, 0xf5, 0x3d, 0xba, 0xe9, 0x05, 0x67, 0x9d, 0x14, 0xf9, 0xfa,
1693 0xf2, 0x46, 0x9c, 0x53, 0x45, 0x7c, 0xf8, 0x0a, 0x36, 0x6b, 0xe2, 0x78,
1694 0x96, 0x5b, 0xa6, 0x25, 0x52, 0x76, 0xca, 0x2d, 0x9f, 0x4a, 0x97, 0xd2,
1695 0x71, 0xf7, 0x1e, 0x50, 0xd8, 0xa9, 0xec, 0x46, 0x25, 0x3a, 0x6a, 0x90,
1696 0x6a, 0xc2, 0xc5, 0xe4, 0xf4, 0x8b, 0x27, 0xa6, 0x3c, 0xe0, 0x8d, 0x80,
1697 0x39, 0x0a, 0x49, 0x2a, 0xa4, 0x3b, 0xad, 0x9d, 0x88, 0x2c, 0xca, 0xc2,
1698 0x3d, 0xac, 0x88, 0xbc, 0xad, 0xa4, 0xb4, 0xd4, 0x26, 0xa3, 0x62, 0x08,
1699 0x3d, 0xab, 0x65, 0x69, 0xc5, 0x4c, 0x22, 0x4d, 0xd2, 0xd8, 0x76, 0x43,
1700 0xaa, 0x22, 0x76, 0x93, 0xe1, 0x41, 0xad, 0x16, 0x30, 0xce, 0x13, 0x14,
1703 static unsigned char xcghash[] = {
1704 0x0e, 0x68, 0x3f, 0xc8, 0xa9, 0xed, 0x7c, 0x2f, 0xf0, 0x2d, 0xef, 0x23,
1705 0xb2, 0x74, 0x5e, 0xbc, 0x99, 0xb2, 0x67, 0xda, 0xa8, 0x6a, 0x4a, 0xa7,
1706 0x69, 0x72, 0x39, 0x08, 0x82, 0x53, 0xf6, 0x42
1708 static unsigned char sessid[] = {
1709 0x0e, 0x68, 0x3f, 0xc8, 0xa9, 0xed, 0x7c, 0x2f, 0xf0, 0x2d, 0xef, 0x23,
1710 0xb2, 0x74, 0x5e, 0xbc, 0x99, 0xb2, 0x67, 0xda, 0xa8, 0x6a, 0x4a, 0xa7,
1711 0x69, 0x72, 0x39, 0x08, 0x82, 0x53, 0xf6, 0x42
1713 static const unsigned char expected[sizeof(out)] = {
1714 0x41, 0xff, 0x2e, 0xad, 0x16, 0x83, 0xf1, 0xe6
1717 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
1718 (char *)"sha256", 0);
1719 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, key,
1721 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SSHKDF_XCGHASH,
1722 xcghash, sizeof(xcghash));
1723 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SSHKDF_SESSION_ID,
1724 sessid, sizeof(sessid));
1725 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_SSHKDF_TYPE,
1726 &kdftype, sizeof(kdftype));
1727 *p = OSSL_PARAM_construct_end();
1730 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SSHKDF))
1731 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
1732 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
1734 EVP_KDF_CTX_free(kctx);
1738 static int test_kdfs_same(EVP_KDF *kdf1, EVP_KDF *kdf2)
1740 /* Fast path in case the two are the same algorithm pointer */
1744 * Compare their names and providers instead.
1745 * This is necessary in a non-caching build (or a cache flush during fetch)
1746 * because without the algorithm in the cache, fetching it a second time
1747 * will result in a different pointer.
1749 return TEST_ptr_eq(EVP_KDF_get0_provider(kdf1), EVP_KDF_get0_provider(kdf2))
1750 && TEST_str_eq(EVP_KDF_get0_name(kdf1), EVP_KDF_get0_name(kdf2));
1753 static int test_kdf_get_kdf(void)
1755 EVP_KDF *kdf1 = NULL, *kdf2 = NULL;
1759 if (!TEST_ptr(obj = OBJ_nid2obj(NID_id_pbkdf2))
1760 || !TEST_ptr(kdf1 = EVP_KDF_fetch(NULL, OSSL_KDF_NAME_PBKDF2, NULL))
1761 || !TEST_ptr(kdf2 = EVP_KDF_fetch(NULL, OBJ_nid2sn(OBJ_obj2nid(obj)),
1763 || !test_kdfs_same(kdf1, kdf2))
1770 if (!TEST_ptr(kdf1 = EVP_KDF_fetch(NULL, SN_tls1_prf, NULL))
1771 || !TEST_ptr(kdf2 = EVP_KDF_fetch(NULL, LN_tls1_prf, NULL))
1772 || !test_kdfs_same(kdf1, kdf2))
1774 /* kdf1 is re-used below, so don't free it here */
1778 if (!TEST_ptr(kdf2 = EVP_KDF_fetch(NULL, OBJ_nid2sn(NID_tls1_prf), NULL))
1779 || !test_kdfs_same(kdf1, kdf2))
1789 #if !defined(OPENSSL_NO_CMS) && !defined(OPENSSL_NO_DES)
1790 static int test_kdf_x942_asn1(void)
1793 EVP_KDF_CTX *kctx = NULL;
1794 OSSL_PARAM params[4], *p = params;
1795 const char *cek_alg = SN_id_smime_alg_CMS3DESwrap;
1796 unsigned char out[24];
1797 /* RFC2631 Section 2.1.6 Test data */
1798 static unsigned char z[] = {
1799 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,
1800 0x0e,0x0f,0x10,0x11,0x12,0x13
1802 static const unsigned char expected[sizeof(out)] = {
1803 0xa0,0x96,0x61,0x39,0x23,0x76,0xf7,0x04,
1804 0x4d,0x90,0x52,0xa3,0x97,0x88,0x32,0x46,
1805 0xb6,0x7f,0x5f,0x1e,0xf6,0x3e,0xb5,0xfb
1808 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
1810 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z,
1812 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_CEK_ALG,
1813 (char *)cek_alg, 0);
1814 *p = OSSL_PARAM_construct_end();
1817 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_X942KDF_ASN1))
1818 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
1819 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
1821 EVP_KDF_CTX_free(kctx);
1824 #endif /* OPENSSL_NO_CMS */
1826 static int test_kdf_krb5kdf(void)
1830 OSSL_PARAM params[4], *p = params;
1831 unsigned char out[16];
1832 static unsigned char key[] = {
1833 0x42, 0x26, 0x3C, 0x6E, 0x89, 0xF4, 0xFC, 0x28,
1834 0xB8, 0xDF, 0x68, 0xEE, 0x09, 0x79, 0x9F, 0x15
1836 static unsigned char constant[] = {
1837 0x00, 0x00, 0x00, 0x02, 0x99
1839 static const unsigned char expected[sizeof(out)] = {
1840 0x34, 0x28, 0x0A, 0x38, 0x2B, 0xC9, 0x27, 0x69,
1841 0xB2, 0xDA, 0x2F, 0x9E, 0xF0, 0x66, 0x85, 0x4B
1844 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_CIPHER,
1845 (char *)"AES-128-CBC", 0);
1846 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, key,
1848 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_CONSTANT,
1849 constant, sizeof(constant));
1850 *p = OSSL_PARAM_construct_end();
1853 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_KRB5KDF))
1854 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
1855 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
1857 EVP_KDF_CTX_free(kctx);
1861 static int test_kdf_hmac_drbg_settables(void)
1863 int ret = 0, i = 0, j = 0;
1864 EVP_KDF_CTX *kctx = NULL;
1865 const OSSL_PARAM *settableparams;
1866 OSSL_PARAM params[5];
1867 static const unsigned char ent[32] = { 0 };
1868 unsigned char out[32];
1869 char digestname[32];
1871 EVP_MD *shake256 = NULL;
1873 /* Test there are settables */
1874 if (!TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HMACDRBGKDF))
1875 || !TEST_ptr(settableparams = EVP_KDF_CTX_settable_params(kctx)))
1878 /* Fail if no params have been set when doing a derive */
1879 if (!TEST_int_le(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0))
1882 /* Fail if we pass the wrong type for params */
1883 params[1] = OSSL_PARAM_construct_end();
1884 for (i = 0; settableparams[i].key != NULL; ++i) {
1885 /* Skip "properties" key since it returns 1 unless the digest is also set */
1886 if (OPENSSL_strcasecmp(settableparams[i].key,
1887 OSSL_KDF_PARAM_PROPERTIES) != 0) {
1888 TEST_note("Testing set int into %s fails", settableparams[i].key);
1889 params[0] = OSSL_PARAM_construct_int(settableparams[i].key, &j);
1890 if (!TEST_int_le(EVP_KDF_CTX_set_params(kctx, params), 0))
1894 /* Test that we can set values multiple times */
1895 params[0] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_HMACDRBG_ENTROPY,
1896 (char *)ent, sizeof(ent));
1897 params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_HMACDRBG_NONCE,
1898 (char *)ent, sizeof(ent));
1899 params[2] = OSSL_PARAM_construct_utf8_string(OSSL_ALG_PARAM_DIGEST, "SHA256",
1901 params[3] = OSSL_PARAM_construct_utf8_string(OSSL_ALG_PARAM_PROPERTIES, "",
1903 params[4] = OSSL_PARAM_construct_end();
1904 if (!TEST_int_eq(EVP_KDF_CTX_set_params(kctx, params), 1))
1906 if (!TEST_int_eq(EVP_KDF_CTX_set_params(kctx, params), 1))
1908 /* Test we can retrieve values back */
1909 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_ALG_PARAM_DIGEST,
1910 digestname, sizeof(digestname));
1911 params[1] = OSSL_PARAM_construct_utf8_string(OSSL_ALG_PARAM_MAC,
1912 macname, sizeof(macname));
1913 params[2] = OSSL_PARAM_construct_end();
1914 if (!TEST_int_eq(EVP_KDF_CTX_get_params(kctx, params), 1)
1915 || !TEST_mem_eq(digestname, params[0].return_size, "SHA2-256", 8)
1916 || !TEST_mem_eq(macname, params[1].return_size, "HMAC", 4))
1919 /* Test the derive */
1920 if (!TEST_int_eq(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 1))
1923 /* test that XOF digests are not allowed */
1924 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_ALG_PARAM_DIGEST,
1926 params[1] = OSSL_PARAM_construct_end();
1927 if (!TEST_int_le(EVP_KDF_CTX_set_params(kctx, params), 0))
1932 EVP_MD_free(shake256);
1933 EVP_KDF_CTX_free(kctx);
1937 static int test_kdf_hmac_drbg_gettables(void)
1939 int ret = 0, i, j = 0;
1940 EVP_KDF_CTX *kctx = NULL;
1941 const OSSL_PARAM *gettableparams;
1942 OSSL_PARAM params[3];
1945 /* Test there are gettables */
1946 if (!TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HMACDRBGKDF))
1947 || !TEST_ptr(gettableparams = EVP_KDF_CTX_gettable_params(kctx)))
1949 /* Fail if we pass the wrong type for params */
1950 params[1] = OSSL_PARAM_construct_end();
1951 for (i = 0; gettableparams[i].key != NULL; ++i) {
1952 params[0] = OSSL_PARAM_construct_int(gettableparams[i].key, &j);
1953 if (!TEST_int_le(EVP_KDF_CTX_get_params(kctx, params), 0))
1956 /* fail to get params if they are not set yet */
1957 for (i = 0; gettableparams[i].key != NULL; ++i) {
1958 params[0] = OSSL_PARAM_construct_utf8_string(gettableparams[i].key,
1960 if (!TEST_int_le(EVP_KDF_CTX_get_params(kctx, params), 0))
1965 EVP_KDF_CTX_free(kctx);
1969 int setup_tests(void)
1971 ADD_TEST(test_kdf_pbkdf1);
1972 ADD_TEST(test_kdf_pbkdf1_key_too_long);
1973 #if !defined(OPENSSL_NO_CMAC) && !defined(OPENSSL_NO_CAMELLIA)
1974 ADD_TEST(test_kdf_kbkdf_6803_128);
1975 ADD_TEST(test_kdf_kbkdf_6803_256);
1977 ADD_TEST(test_kdf_kbkdf_invalid_digest);
1978 ADD_TEST(test_kdf_kbkdf_invalid_mac);
1979 ADD_TEST(test_kdf_kbkdf_invalid_r);
1980 ADD_TEST(test_kdf_kbkdf_zero_output_size);
1981 ADD_TEST(test_kdf_kbkdf_empty_key);
1982 ADD_TEST(test_kdf_kbkdf_1byte_key);
1983 ADD_TEST(test_kdf_kbkdf_8009_prf1);
1984 ADD_TEST(test_kdf_kbkdf_8009_prf2);
1985 #if !defined(OPENSSL_NO_CMAC)
1986 ADD_TEST(test_kdf_kbkdf_fixedinfo);
1988 if (fips_provider_version_ge(NULL, 3, 1, 0))
1989 ADD_TEST(test_kdf_kbkdf_kmac);
1990 ADD_TEST(test_kdf_get_kdf);
1991 ADD_TEST(test_kdf_tls1_prf);
1992 ADD_TEST(test_kdf_tls1_prf_invalid_digest);
1993 ADD_TEST(test_kdf_tls1_prf_zero_output_size);
1994 ADD_TEST(test_kdf_tls1_prf_empty_secret);
1995 ADD_TEST(test_kdf_tls1_prf_1byte_secret);
1996 ADD_TEST(test_kdf_tls1_prf_empty_seed);
1997 ADD_TEST(test_kdf_tls1_prf_1byte_seed);
1998 ADD_TEST(test_kdf_hkdf);
1999 ADD_TEST(test_kdf_hkdf_invalid_digest);
2000 ADD_TEST(test_kdf_hkdf_zero_output_size);
2001 ADD_TEST(test_kdf_hkdf_empty_key);
2002 ADD_TEST(test_kdf_hkdf_1byte_key);
2003 ADD_TEST(test_kdf_hkdf_empty_salt);
2004 ADD_TEST(test_kdf_hkdf_gettables);
2005 ADD_TEST(test_kdf_hkdf_gettables_expandonly);
2006 ADD_TEST(test_kdf_hkdf_gettables_no_digest);
2007 ADD_TEST(test_kdf_hkdf_derive_set_params_fail);
2008 ADD_TEST(test_kdf_hkdf_set_invalid_mode);
2009 ADD_TEST(test_kdf_hkdf_set_ctx_param_fail);
2010 ADD_TEST(test_kdf_pbkdf2);
2011 ADD_TEST(test_kdf_pbkdf2_small_output);
2012 ADD_TEST(test_kdf_pbkdf2_large_output);
2013 ADD_TEST(test_kdf_pbkdf2_small_salt);
2014 ADD_TEST(test_kdf_pbkdf2_small_iterations);
2015 ADD_TEST(test_kdf_pbkdf2_small_salt_pkcs5);
2016 ADD_TEST(test_kdf_pbkdf2_small_iterations_pkcs5);
2017 ADD_TEST(test_kdf_pbkdf2_invalid_digest);
2018 #ifndef OPENSSL_NO_SCRYPT
2019 ADD_TEST(test_kdf_scrypt);
2021 ADD_TEST(test_kdf_ss_hash);
2022 ADD_TEST(test_kdf_ss_hmac);
2023 ADD_TEST(test_kdf_ss_kmac);
2024 ADD_TEST(test_kdf_sshkdf);
2025 ADD_TEST(test_kdf_x963);
2026 #if !defined(OPENSSL_NO_CMS) && !defined(OPENSSL_NO_DES)
2027 ADD_TEST(test_kdf_x942_asn1);
2029 ADD_TEST(test_kdf_krb5kdf);
2030 ADD_TEST(test_kdf_hmac_drbg_settables);
2031 ADD_TEST(test_kdf_hmac_drbg_gettables);
projects / openssl.git / blob