2 * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright (c) 2018-2020, Oracle and/or its affiliates. All rights reserved.
5 * Licensed under the Apache License 2.0 (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
11 /* Tests of the EVP_KDF_CTX APIs */
16 #include <openssl/evp.h>
17 #include <openssl/kdf.h>
18 #include <openssl/core_names.h>
21 static EVP_KDF_CTX *get_kdfbyname(const char *name)
23 EVP_KDF *kdf = EVP_KDF_fetch(NULL, name, NULL);
24 EVP_KDF_CTX *kctx = EVP_KDF_CTX_new(kdf);
30 static OSSL_PARAM *construct_tls1_prf_params(const char *digest, const char *secret,
33 OSSL_PARAM *params = OPENSSL_malloc(sizeof(OSSL_PARAM) * 4);
34 OSSL_PARAM *p = params;
36 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
38 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SECRET,
39 (unsigned char *)secret,
41 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED,
42 (unsigned char *)seed,
44 *p = OSSL_PARAM_construct_end();
49 static int test_kdf_tls1_prf(void)
52 EVP_KDF_CTX *kctx = NULL;
53 unsigned char out[16];
55 static const unsigned char expected[sizeof(out)] = {
56 0x8e, 0x4d, 0x93, 0x25, 0x30, 0xd7, 0x65, 0xa0,
57 0xaa, 0xe9, 0x74, 0xc3, 0x04, 0x73, 0x5e, 0xcc
60 params = construct_tls1_prf_params("sha256", "secret", "seed");
63 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
64 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
65 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
67 EVP_KDF_CTX_free(kctx);
72 static int test_kdf_tls1_prf_invalid_digest(void)
75 EVP_KDF_CTX *kctx = NULL;
78 params = construct_tls1_prf_params("blah", "secret", "seed");
81 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
82 && TEST_false(EVP_KDF_CTX_set_params(kctx, params));
84 EVP_KDF_CTX_free(kctx);
89 static int test_kdf_tls1_prf_zero_output_size(void)
92 EVP_KDF_CTX *kctx = NULL;
93 unsigned char out[16];
96 params = construct_tls1_prf_params("sha256", "secret", "seed");
98 /* Negative test - derive should fail */
100 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
101 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
102 && TEST_int_eq(EVP_KDF_derive(kctx, out, 0, NULL), 0);
104 EVP_KDF_CTX_free(kctx);
105 OPENSSL_free(params);
109 static int test_kdf_tls1_prf_empty_secret(void)
112 EVP_KDF_CTX *kctx = NULL;
113 unsigned char out[16];
116 params = construct_tls1_prf_params("sha256", "", "seed");
119 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
120 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0);
122 EVP_KDF_CTX_free(kctx);
123 OPENSSL_free(params);
127 static int test_kdf_tls1_prf_1byte_secret(void)
130 EVP_KDF_CTX *kctx = NULL;
131 unsigned char out[16];
134 params = construct_tls1_prf_params("sha256", "1", "seed");
137 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
138 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0);
140 EVP_KDF_CTX_free(kctx);
141 OPENSSL_free(params);
145 static int test_kdf_tls1_prf_empty_seed(void)
148 EVP_KDF_CTX *kctx = NULL;
149 unsigned char out[16];
152 params = construct_tls1_prf_params("sha256", "secret", "");
154 /* Negative test - derive should fail */
156 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
157 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
158 && TEST_int_eq(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0);
160 EVP_KDF_CTX_free(kctx);
161 OPENSSL_free(params);
165 static int test_kdf_tls1_prf_1byte_seed(void)
168 EVP_KDF_CTX *kctx = NULL;
169 unsigned char out[16];
172 params = construct_tls1_prf_params("sha256", "secret", "1");
175 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
176 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0);
178 EVP_KDF_CTX_free(kctx);
179 OPENSSL_free(params);
183 static OSSL_PARAM *construct_hkdf_params(char *digest, char *key,
184 size_t keylen, char *salt, char *info)
186 OSSL_PARAM *params = OPENSSL_malloc(sizeof(OSSL_PARAM) * 5);
187 OSSL_PARAM *p = params;
189 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
191 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
193 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
194 (unsigned char *)key, keylen);
195 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO,
197 *p = OSSL_PARAM_construct_end();
202 static int test_kdf_hkdf(void)
206 unsigned char out[10];
208 static const unsigned char expected[sizeof(out)] = {
209 0x2a, 0xc4, 0x36, 0x9f, 0x52, 0x59, 0x96, 0xf8, 0xde, 0x13
212 params = construct_hkdf_params("sha256", "secret", 6, "salt", "label");
215 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))
216 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
217 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
219 EVP_KDF_CTX_free(kctx);
220 OPENSSL_free(params);
224 static int test_kdf_hkdf_invalid_digest(void)
230 params = construct_hkdf_params("blah", "secret", 6, "salt", "label");
233 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))
234 && TEST_false(EVP_KDF_CTX_set_params(kctx, params));
236 EVP_KDF_CTX_free(kctx);
237 OPENSSL_free(params);
241 static int test_kdf_hkdf_zero_output_size(void)
245 unsigned char out[10];
248 params = construct_hkdf_params("sha256", "secret", 6, "salt", "label");
250 /* Negative test - derive should fail */
252 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))
253 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
254 && TEST_int_eq(EVP_KDF_derive(kctx, out, 0, NULL), 0);
256 EVP_KDF_CTX_free(kctx);
257 OPENSSL_free(params);
261 static int test_kdf_hkdf_empty_key(void)
265 unsigned char out[10];
268 params = construct_hkdf_params("sha256", "", 0, "salt", "label");
271 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))
272 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0);
274 EVP_KDF_CTX_free(kctx);
275 OPENSSL_free(params);
279 static int test_kdf_hkdf_1byte_key(void)
283 unsigned char out[10];
286 params = construct_hkdf_params("sha256", "1", 1, "salt", "label");
289 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))
290 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0);
292 EVP_KDF_CTX_free(kctx);
293 OPENSSL_free(params);
297 static int test_kdf_hkdf_empty_salt(void)
301 unsigned char out[10];
304 params = construct_hkdf_params("sha256", "secret", 6, "", "label");
307 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))
308 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0);
310 EVP_KDF_CTX_free(kctx);
311 OPENSSL_free(params);
315 static OSSL_PARAM *construct_pbkdf2_params(char *pass, char *digest, char *salt,
316 unsigned int *iter, int *mode)
318 OSSL_PARAM *params = OPENSSL_malloc(sizeof(OSSL_PARAM) * 6);
319 OSSL_PARAM *p = params;
321 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PASSWORD,
322 (unsigned char *)pass, strlen(pass));
323 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
324 (unsigned char *)salt, strlen(salt));
325 *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_ITER, iter);
326 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
328 *p++ = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_PKCS5, mode);
329 *p = OSSL_PARAM_construct_end();
334 static int test_kdf_pbkdf2(void)
338 unsigned char out[25];
339 unsigned int iterations = 4096;
342 const unsigned char expected[sizeof(out)] = {
343 0x34, 0x8c, 0x89, 0xdb, 0xcb, 0xd3, 0x2b, 0x2f,
344 0x32, 0xd8, 0x14, 0xb8, 0x11, 0x6e, 0x84, 0xcf,
345 0x2b, 0x17, 0x34, 0x7e, 0xbc, 0x18, 0x00, 0x18,
349 params = construct_pbkdf2_params("passwordPASSWORDpassword", "sha256",
350 "saltSALTsaltSALTsaltSALTsaltSALTsalt",
353 if (!TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
354 || !TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
355 || !TEST_mem_eq(out, sizeof(out), expected, sizeof(expected)))
360 EVP_KDF_CTX_free(kctx);
361 OPENSSL_free(params);
365 static int test_kdf_pbkdf2_small_output(void)
369 unsigned char out[25];
370 unsigned int iterations = 4096;
374 params = construct_pbkdf2_params("passwordPASSWORDpassword", "sha256",
375 "saltSALTsaltSALTsaltSALTsaltSALTsalt",
378 if (!TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
379 || !TEST_true(EVP_KDF_CTX_set_params(kctx, params))
380 /* A key length that is too small should fail */
381 || !TEST_int_eq(EVP_KDF_derive(kctx, out, 112 / 8 - 1, NULL), 0))
386 EVP_KDF_CTX_free(kctx);
387 OPENSSL_free(params);
391 static int test_kdf_pbkdf2_large_output(void)
395 unsigned char out[25];
397 unsigned int iterations = 4096;
401 if (sizeof(len) > 32)
404 params = construct_pbkdf2_params("passwordPASSWORDpassword", "sha256",
405 "saltSALTsaltSALTsaltSALTsaltSALTsalt",
408 if (!TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
409 /* A key length that is too large should fail */
410 || !TEST_true(EVP_KDF_CTX_set_params(kctx, params))
411 || (len != 0 && !TEST_int_eq(EVP_KDF_derive(kctx, out, len, NULL), 0)))
416 EVP_KDF_CTX_free(kctx);
417 OPENSSL_free(params);
421 static int test_kdf_pbkdf2_small_salt(void)
425 unsigned int iterations = 4096;
429 params = construct_pbkdf2_params("passwordPASSWORDpassword", "sha256",
433 if (!TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
434 /* A salt that is too small should fail */
435 || !TEST_false(EVP_KDF_CTX_set_params(kctx, params)))
440 EVP_KDF_CTX_free(kctx);
441 OPENSSL_free(params);
445 static int test_kdf_pbkdf2_small_iterations(void)
449 unsigned int iterations = 1;
453 params = construct_pbkdf2_params("passwordPASSWORDpassword", "sha256",
454 "saltSALTsaltSALTsaltSALTsaltSALTsalt",
457 if (!TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
458 /* An iteration count that is too small should fail */
459 || !TEST_false(EVP_KDF_CTX_set_params(kctx, params)))
464 EVP_KDF_CTX_free(kctx);
465 OPENSSL_free(params);
469 static int test_kdf_pbkdf2_small_salt_pkcs5(void)
473 unsigned char out[25];
474 unsigned int iterations = 4096;
477 OSSL_PARAM mode_params[2];
479 params = construct_pbkdf2_params("passwordPASSWORDpassword", "sha256",
483 if (!TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
484 /* A salt that is too small should pass in pkcs5 mode */
485 || !TEST_true(EVP_KDF_CTX_set_params(kctx, params))
486 || !TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0))
490 mode_params[0] = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_PKCS5, &mode);
491 mode_params[1] = OSSL_PARAM_construct_end();
493 /* If the "pkcs5" mode is disabled then the derive will now fail */
494 if (!TEST_true(EVP_KDF_CTX_set_params(kctx, mode_params))
495 || !TEST_int_eq(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0))
500 EVP_KDF_CTX_free(kctx);
501 OPENSSL_free(params);
505 static int test_kdf_pbkdf2_small_iterations_pkcs5(void)
509 unsigned char out[25];
510 unsigned int iterations = 1;
513 OSSL_PARAM mode_params[2];
515 params = construct_pbkdf2_params("passwordPASSWORDpassword", "sha256",
516 "saltSALTsaltSALTsaltSALTsaltSALTsalt",
519 if (!TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
520 /* An iteration count that is too small will pass in pkcs5 mode */
521 || !TEST_true(EVP_KDF_CTX_set_params(kctx, params))
522 || !TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0))
526 mode_params[0] = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_PKCS5, &mode);
527 mode_params[1] = OSSL_PARAM_construct_end();
529 /* If the "pkcs5" mode is disabled then the derive will now fail */
530 if (!TEST_true(EVP_KDF_CTX_set_params(kctx, mode_params))
531 || !TEST_int_eq(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0))
536 EVP_KDF_CTX_free(kctx);
537 OPENSSL_free(params);
541 static int test_kdf_pbkdf2_invalid_digest(void)
545 unsigned int iterations = 4096;
549 params = construct_pbkdf2_params("passwordPASSWORDpassword", "blah",
550 "saltSALTsaltSALTsaltSALTsaltSALTsalt",
553 if (!TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
554 /* Unknown digest should fail */
555 || !TEST_false(EVP_KDF_CTX_set_params(kctx, params)))
560 EVP_KDF_CTX_free(kctx);
561 OPENSSL_free(params);
565 #ifndef OPENSSL_NO_SCRYPT
566 static int test_kdf_scrypt(void)
570 OSSL_PARAM params[7], *p = params;
571 unsigned char out[64];
572 unsigned int nu = 1024, ru = 8, pu = 16, maxmem = 16;
573 static const unsigned char expected[sizeof(out)] = {
574 0xfd, 0xba, 0xbe, 0x1c, 0x9d, 0x34, 0x72, 0x00,
575 0x78, 0x56, 0xe7, 0x19, 0x0d, 0x01, 0xe9, 0xfe,
576 0x7c, 0x6a, 0xd7, 0xcb, 0xc8, 0x23, 0x78, 0x30,
577 0xe7, 0x73, 0x76, 0x63, 0x4b, 0x37, 0x31, 0x62,
578 0x2e, 0xaf, 0x30, 0xd9, 0x2e, 0x22, 0xa3, 0x88,
579 0x6f, 0xf1, 0x09, 0x27, 0x9d, 0x98, 0x30, 0xda,
580 0xc7, 0x27, 0xaf, 0xb9, 0x4a, 0x83, 0xee, 0x6d,
581 0x83, 0x60, 0xcb, 0xdf, 0xa2, 0xcc, 0x06, 0x40
584 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PASSWORD,
585 (char *)"password", 8);
586 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
588 *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_SCRYPT_N, &nu);
589 *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_SCRYPT_R, &ru);
590 *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_SCRYPT_P, &pu);
591 *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_SCRYPT_MAXMEM, &maxmem);
592 *p = OSSL_PARAM_construct_end();
595 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SCRYPT))
596 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
598 && TEST_int_le(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0)*/
599 && TEST_true(OSSL_PARAM_set_uint(p - 1, 10 * 1024 * 1024))
600 && TEST_true(EVP_KDF_CTX_set_params(kctx, p - 1))
601 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0)
602 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
604 EVP_KDF_CTX_free(kctx);
607 #endif /* OPENSSL_NO_SCRYPT */
609 static int test_kdf_ss_hash(void)
613 OSSL_PARAM params[4], *p = params;
614 unsigned char out[14];
615 static unsigned char z[] = {
616 0x6d,0xbd,0xc2,0x3f,0x04,0x54,0x88,0xe4,0x06,0x27,0x57,0xb0,0x6b,0x9e,
617 0xba,0xe1,0x83,0xfc,0x5a,0x59,0x46,0xd8,0x0d,0xb9,0x3f,0xec,0x6f,0x62,
618 0xec,0x07,0xe3,0x72,0x7f,0x01,0x26,0xae,0xd1,0x2c,0xe4,0xb2,0x62,0xf4,
619 0x7d,0x48,0xd5,0x42,0x87,0xf8,0x1d,0x47,0x4c,0x7c,0x3b,0x18,0x50,0xe9
621 static unsigned char other[] = {
622 0xa1,0xb2,0xc3,0xd4,0xe5,0x43,0x41,0x56,0x53,0x69,0x64,0x3c,0x83,0x2e,
623 0x98,0x49,0xdc,0xdb,0xa7,0x1e,0x9a,0x31,0x39,0xe6,0x06,0xe0,0x95,0xde,
624 0x3c,0x26,0x4a,0x66,0xe9,0x8a,0x16,0x58,0x54,0xcd,0x07,0x98,0x9b,0x1e,
625 0xe0,0xec,0x3f,0x8d,0xbe
627 static const unsigned char expected[sizeof(out)] = {
628 0xa4,0x62,0xde,0x16,0xa8,0x9d,0xe8,0x46,0x6e,0xf5,0x46,0x0b,0x47,0xb8
631 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
632 (char *)"sha224", 0);
633 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z, sizeof(z));
634 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, other,
636 *p = OSSL_PARAM_construct_end();
639 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SSKDF))
640 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
641 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
643 EVP_KDF_CTX_free(kctx);
647 static int test_kdf_x963(void)
651 OSSL_PARAM params[4], *p = params;
652 unsigned char out[1024 / 8];
654 * Test data from https://csrc.nist.gov/CSRC/media/Projects/
655 * Cryptographic-Algorithm-Validation-Program/documents/components/
656 * 800-135testvectors/ansx963_2001.zip
658 static unsigned char z[] = {
659 0x00, 0xaa, 0x5b, 0xb7, 0x9b, 0x33, 0xe3, 0x89, 0xfa, 0x58, 0xce, 0xad,
660 0xc0, 0x47, 0x19, 0x7f, 0x14, 0xe7, 0x37, 0x12, 0xf4, 0x52, 0xca, 0xa9,
661 0xfc, 0x4c, 0x9a, 0xdb, 0x36, 0x93, 0x48, 0xb8, 0x15, 0x07, 0x39, 0x2f,
662 0x1a, 0x86, 0xdd, 0xfd, 0xb7, 0xc4, 0xff, 0x82, 0x31, 0xc4, 0xbd, 0x0f,
663 0x44, 0xe4, 0x4a, 0x1b, 0x55, 0xb1, 0x40, 0x47, 0x47, 0xa9, 0xe2, 0xe7,
664 0x53, 0xf5, 0x5e, 0xf0, 0x5a, 0x2d
666 static unsigned char shared[] = {
667 0xe3, 0xb5, 0xb4, 0xc1, 0xb0, 0xd5, 0xcf, 0x1d, 0x2b, 0x3a, 0x2f, 0x99,
668 0x37, 0x89, 0x5d, 0x31
670 static const unsigned char expected[sizeof(out)] = {
671 0x44, 0x63, 0xf8, 0x69, 0xf3, 0xcc, 0x18, 0x76, 0x9b, 0x52, 0x26, 0x4b,
672 0x01, 0x12, 0xb5, 0x85, 0x8f, 0x7a, 0xd3, 0x2a, 0x5a, 0x2d, 0x96, 0xd8,
673 0xcf, 0xfa, 0xbf, 0x7f, 0xa7, 0x33, 0x63, 0x3d, 0x6e, 0x4d, 0xd2, 0xa5,
674 0x99, 0xac, 0xce, 0xb3, 0xea, 0x54, 0xa6, 0x21, 0x7c, 0xe0, 0xb5, 0x0e,
675 0xef, 0x4f, 0x6b, 0x40, 0xa5, 0xc3, 0x02, 0x50, 0xa5, 0xa8, 0xee, 0xee,
676 0x20, 0x80, 0x02, 0x26, 0x70, 0x89, 0xdb, 0xf3, 0x51, 0xf3, 0xf5, 0x02,
677 0x2a, 0xa9, 0x63, 0x8b, 0xf1, 0xee, 0x41, 0x9d, 0xea, 0x9c, 0x4f, 0xf7,
678 0x45, 0xa2, 0x5a, 0xc2, 0x7b, 0xda, 0x33, 0xca, 0x08, 0xbd, 0x56, 0xdd,
679 0x1a, 0x59, 0xb4, 0x10, 0x6c, 0xf2, 0xdb, 0xbc, 0x0a, 0xb2, 0xaa, 0x8e,
680 0x2e, 0xfa, 0x7b, 0x17, 0x90, 0x2d, 0x34, 0x27, 0x69, 0x51, 0xce, 0xcc,
681 0xab, 0x87, 0xf9, 0x66, 0x1c, 0x3e, 0x88, 0x16
684 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
685 (char *)"sha512", 0);
686 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z, sizeof(z));
687 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, shared,
689 *p = OSSL_PARAM_construct_end();
692 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_X963KDF))
693 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
694 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
696 EVP_KDF_CTX_free(kctx);
700 #if !defined(OPENSSL_NO_CMAC) && !defined(OPENSSL_NO_CAMELLIA)
702 * KBKDF test vectors from RFC 6803 (Camellia Encryption for Kerberos 5)
705 static int test_kdf_kbkdf_6803_128(void)
709 OSSL_PARAM params[7];
710 static unsigned char input_key[] = {
711 0x57, 0xD0, 0x29, 0x72, 0x98, 0xFF, 0xD9, 0xD3,
712 0x5D, 0xE5, 0xA4, 0x7F, 0xB4, 0xBD, 0xE2, 0x4B,
714 static unsigned char constants[][5] = {
715 { 0x00, 0x00, 0x00, 0x02, 0x99 },
716 { 0x00, 0x00, 0x00, 0x02, 0xaa },
717 { 0x00, 0x00, 0x00, 0x02, 0x55 },
719 static unsigned char outputs[][16] = {
720 {0xD1, 0x55, 0x77, 0x5A, 0x20, 0x9D, 0x05, 0xF0,
721 0x2B, 0x38, 0xD4, 0x2A, 0x38, 0x9E, 0x5A, 0x56},
722 {0x64, 0xDF, 0x83, 0xF8, 0x5A, 0x53, 0x2F, 0x17,
723 0x57, 0x7D, 0x8C, 0x37, 0x03, 0x57, 0x96, 0xAB},
724 {0x3E, 0x4F, 0xBD, 0xF3, 0x0F, 0xB8, 0x25, 0x9C,
725 0x42, 0x5C, 0xB6, 0xC9, 0x6F, 0x1F, 0x46, 0x35}
727 static unsigned char iv[16] = { 0 };
728 unsigned char result[16] = { 0 };
730 for (i = 0; i < 3; i++) {
732 params[p++] = OSSL_PARAM_construct_utf8_string(
733 OSSL_KDF_PARAM_CIPHER, "CAMELLIA-128-CBC", 0);
734 params[p++] = OSSL_PARAM_construct_utf8_string(
735 OSSL_KDF_PARAM_MAC, "CMAC", 0);
736 params[p++] = OSSL_PARAM_construct_utf8_string(
737 OSSL_KDF_PARAM_MODE, "FEEDBACK", 0);
738 params[p++] = OSSL_PARAM_construct_octet_string(
739 OSSL_KDF_PARAM_KEY, input_key, sizeof(input_key));
740 params[p++] = OSSL_PARAM_construct_octet_string(
741 OSSL_KDF_PARAM_SALT, constants[i], sizeof(constants[i]));
742 params[p++] = OSSL_PARAM_construct_octet_string(
743 OSSL_KDF_PARAM_SEED, iv, sizeof(iv));
744 params[p] = OSSL_PARAM_construct_end();
746 kctx = get_kdfbyname("KBKDF");
748 && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result),
750 && TEST_mem_eq(result, sizeof(result), outputs[i],
752 EVP_KDF_CTX_free(kctx);
760 static int test_kdf_kbkdf_6803_256(void)
764 OSSL_PARAM params[7];
765 static unsigned char input_key[] = {
766 0xB9, 0xD6, 0x82, 0x8B, 0x20, 0x56, 0xB7, 0xBE,
767 0x65, 0x6D, 0x88, 0xA1, 0x23, 0xB1, 0xFA, 0xC6,
768 0x82, 0x14, 0xAC, 0x2B, 0x72, 0x7E, 0xCF, 0x5F,
769 0x69, 0xAF, 0xE0, 0xC4, 0xDF, 0x2A, 0x6D, 0x2C,
771 static unsigned char constants[][5] = {
772 { 0x00, 0x00, 0x00, 0x02, 0x99 },
773 { 0x00, 0x00, 0x00, 0x02, 0xaa },
774 { 0x00, 0x00, 0x00, 0x02, 0x55 },
776 static unsigned char outputs[][32] = {
777 {0xE4, 0x67, 0xF9, 0xA9, 0x55, 0x2B, 0xC7, 0xD3,
778 0x15, 0x5A, 0x62, 0x20, 0xAF, 0x9C, 0x19, 0x22,
779 0x0E, 0xEE, 0xD4, 0xFF, 0x78, 0xB0, 0xD1, 0xE6,
780 0xA1, 0x54, 0x49, 0x91, 0x46, 0x1A, 0x9E, 0x50,
782 {0x41, 0x2A, 0xEF, 0xC3, 0x62, 0xA7, 0x28, 0x5F,
783 0xC3, 0x96, 0x6C, 0x6A, 0x51, 0x81, 0xE7, 0x60,
784 0x5A, 0xE6, 0x75, 0x23, 0x5B, 0x6D, 0x54, 0x9F,
785 0xBF, 0xC9, 0xAB, 0x66, 0x30, 0xA4, 0xC6, 0x04,
787 {0xFA, 0x62, 0x4F, 0xA0, 0xE5, 0x23, 0x99, 0x3F,
788 0xA3, 0x88, 0xAE, 0xFD, 0xC6, 0x7E, 0x67, 0xEB,
789 0xCD, 0x8C, 0x08, 0xE8, 0xA0, 0x24, 0x6B, 0x1D,
790 0x73, 0xB0, 0xD1, 0xDD, 0x9F, 0xC5, 0x82, 0xB0,
793 static unsigned char iv[16] = { 0 };
794 unsigned char result[32] = { 0 };
796 for (i = 0; i < 3; i++) {
798 params[p++] = OSSL_PARAM_construct_utf8_string(
799 OSSL_KDF_PARAM_CIPHER, "CAMELLIA-256-CBC", 0);
800 params[p++] = OSSL_PARAM_construct_utf8_string(
801 OSSL_KDF_PARAM_MAC, "CMAC", 0);
802 params[p++] = OSSL_PARAM_construct_utf8_string(
803 OSSL_KDF_PARAM_MODE, "FEEDBACK", 0);
804 params[p++] = OSSL_PARAM_construct_octet_string(
805 OSSL_KDF_PARAM_KEY, input_key, sizeof(input_key));
806 params[p++] = OSSL_PARAM_construct_octet_string(
807 OSSL_KDF_PARAM_SALT, constants[i], sizeof(constants[i]));
808 params[p++] = OSSL_PARAM_construct_octet_string(
809 OSSL_KDF_PARAM_SEED, iv, sizeof(iv));
810 params[p] = OSSL_PARAM_construct_end();
812 kctx = get_kdfbyname("KBKDF");
814 && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result),
816 && TEST_mem_eq(result, sizeof(result), outputs[i],
818 EVP_KDF_CTX_free(kctx);
827 static OSSL_PARAM *construct_kbkdf_params(char *digest, char *mac, unsigned char *key,
828 size_t keylen, char *salt, char *info)
830 OSSL_PARAM *params = OPENSSL_malloc(sizeof(OSSL_PARAM) * 7);
831 OSSL_PARAM *p = params;
833 *p++ = OSSL_PARAM_construct_utf8_string(
834 OSSL_KDF_PARAM_DIGEST, digest, 0);
835 *p++ = OSSL_PARAM_construct_utf8_string(
836 OSSL_KDF_PARAM_MAC, mac, 0);
837 *p++ = OSSL_PARAM_construct_utf8_string(
838 OSSL_KDF_PARAM_MODE, "COUNTER", 0);
839 *p++ = OSSL_PARAM_construct_octet_string(
840 OSSL_KDF_PARAM_KEY, key, keylen);
841 *p++ = OSSL_PARAM_construct_octet_string(
842 OSSL_KDF_PARAM_SALT, salt, strlen(salt));
843 *p++ = OSSL_PARAM_construct_octet_string(
844 OSSL_KDF_PARAM_INFO, info, strlen(info));
845 *p = OSSL_PARAM_construct_end();
850 static int test_kdf_kbkdf_invalid_digest(void)
856 static unsigned char key[] = {0x01};
858 params = construct_kbkdf_params("blah", "HMAC", key, 1, "prf", "test");
860 /* Negative test case - set_params should fail */
861 kctx = get_kdfbyname("KBKDF");
863 && TEST_false(EVP_KDF_CTX_set_params(kctx, params));
865 EVP_KDF_CTX_free(kctx);
866 OPENSSL_free(params);
870 static int test_kdf_kbkdf_invalid_mac(void)
876 static unsigned char key[] = {0x01};
878 params = construct_kbkdf_params("sha256", "blah", key, 1, "prf", "test");
880 /* Negative test case - set_params should fail */
881 kctx = get_kdfbyname("KBKDF");
883 && TEST_false(EVP_KDF_CTX_set_params(kctx, params));
885 EVP_KDF_CTX_free(kctx);
886 OPENSSL_free(params);
890 static int test_kdf_kbkdf_empty_key(void)
896 static unsigned char key[] = {0x01};
897 unsigned char result[32] = { 0 };
899 params = construct_kbkdf_params("sha256", "HMAC", key, 0, "prf", "test");
901 /* Negative test case - derive should fail */
902 kctx = get_kdfbyname("KBKDF");
904 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
905 && TEST_int_eq(EVP_KDF_derive(kctx, result, sizeof(result), NULL), 0);
907 EVP_KDF_CTX_free(kctx);
908 OPENSSL_free(params);
912 static int test_kdf_kbkdf_1byte_key(void)
918 static unsigned char key[] = {0x01};
919 unsigned char result[32] = { 0 };
921 params = construct_kbkdf_params("sha256", "HMAC", key, 1, "prf", "test");
923 kctx = get_kdfbyname("KBKDF");
925 && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result), params), 0);
927 EVP_KDF_CTX_free(kctx);
928 OPENSSL_free(params);
932 static int test_kdf_kbkdf_zero_output_size(void)
938 static unsigned char key[] = {0x01};
939 unsigned char result[32] = { 0 };
941 params = construct_kbkdf_params("sha256", "HMAC", key, 1, "prf", "test");
943 /* Negative test case - derive should fail */
944 kctx = get_kdfbyname("KBKDF");
946 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
947 && TEST_int_eq(EVP_KDF_derive(kctx, result, 0, NULL), 0);
949 EVP_KDF_CTX_free(kctx);
950 OPENSSL_free(params);
954 /* Two test vectors from RFC 8009 (AES Encryption with HMAC-SHA2 for Kerberos
956 static int test_kdf_kbkdf_8009_prf1(void)
960 OSSL_PARAM params[6];
961 char *label = "prf", *digest = "sha256", *prf_input = "test",
963 static unsigned char input_key[] = {
964 0x37, 0x05, 0xD9, 0x60, 0x80, 0xC1, 0x77, 0x28,
965 0xA0, 0xE8, 0x00, 0xEA, 0xB6, 0xE0, 0xD2, 0x3C,
967 static unsigned char output[] = {
968 0x9D, 0x18, 0x86, 0x16, 0xF6, 0x38, 0x52, 0xFE,
969 0x86, 0x91, 0x5B, 0xB8, 0x40, 0xB4, 0xA8, 0x86,
970 0xFF, 0x3E, 0x6B, 0xB0, 0xF8, 0x19, 0xB4, 0x9B,
971 0x89, 0x33, 0x93, 0xD3, 0x93, 0x85, 0x42, 0x95,
973 unsigned char result[sizeof(output)] = { 0 };
975 params[i++] = OSSL_PARAM_construct_utf8_string(
976 OSSL_KDF_PARAM_DIGEST, digest, 0);
977 params[i++] = OSSL_PARAM_construct_utf8_string(
978 OSSL_KDF_PARAM_MAC, mac, 0);
979 params[i++] = OSSL_PARAM_construct_octet_string(
980 OSSL_KDF_PARAM_KEY, input_key, sizeof(input_key));
981 params[i++] = OSSL_PARAM_construct_octet_string(
982 OSSL_KDF_PARAM_SALT, label, strlen(label));
983 params[i++] = OSSL_PARAM_construct_octet_string(
984 OSSL_KDF_PARAM_INFO, prf_input, strlen(prf_input));
985 params[i] = OSSL_PARAM_construct_end();
987 kctx = get_kdfbyname("KBKDF");
989 && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result), params), 0)
990 && TEST_mem_eq(result, sizeof(result), output, sizeof(output));
992 EVP_KDF_CTX_free(kctx);
996 static int test_kdf_kbkdf_8009_prf2(void)
1000 OSSL_PARAM params[6];
1001 char *label = "prf", *digest = "sha384", *prf_input = "test",
1003 static unsigned char input_key[] = {
1004 0x6D, 0x40, 0x4D, 0x37, 0xFA, 0xF7, 0x9F, 0x9D,
1005 0xF0, 0xD3, 0x35, 0x68, 0xD3, 0x20, 0x66, 0x98,
1006 0x00, 0xEB, 0x48, 0x36, 0x47, 0x2E, 0xA8, 0xA0,
1007 0x26, 0xD1, 0x6B, 0x71, 0x82, 0x46, 0x0C, 0x52,
1009 static unsigned char output[] = {
1010 0x98, 0x01, 0xF6, 0x9A, 0x36, 0x8C, 0x2B, 0xF6,
1011 0x75, 0xE5, 0x95, 0x21, 0xE1, 0x77, 0xD9, 0xA0,
1012 0x7F, 0x67, 0xEF, 0xE1, 0xCF, 0xDE, 0x8D, 0x3C,
1013 0x8D, 0x6F, 0x6A, 0x02, 0x56, 0xE3, 0xB1, 0x7D,
1014 0xB3, 0xC1, 0xB6, 0x2A, 0xD1, 0xB8, 0x55, 0x33,
1015 0x60, 0xD1, 0x73, 0x67, 0xEB, 0x15, 0x14, 0xD2,
1017 unsigned char result[sizeof(output)] = { 0 };
1019 params[i++] = OSSL_PARAM_construct_utf8_string(
1020 OSSL_KDF_PARAM_DIGEST, digest, 0);
1021 params[i++] = OSSL_PARAM_construct_utf8_string(
1022 OSSL_KDF_PARAM_MAC, mac, 0);
1023 params[i++] = OSSL_PARAM_construct_octet_string(
1024 OSSL_KDF_PARAM_KEY, input_key, sizeof(input_key));
1025 params[i++] = OSSL_PARAM_construct_octet_string(
1026 OSSL_KDF_PARAM_SALT, label, strlen(label));
1027 params[i++] = OSSL_PARAM_construct_octet_string(
1028 OSSL_KDF_PARAM_INFO, prf_input, strlen(prf_input));
1029 params[i] = OSSL_PARAM_construct_end();
1031 kctx = get_kdfbyname("KBKDF");
1032 ret = TEST_ptr(kctx)
1033 && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result), params), 0)
1034 && TEST_mem_eq(result, sizeof(result), output, sizeof(output));
1036 EVP_KDF_CTX_free(kctx);
1040 #if !defined(OPENSSL_NO_CMAC)
1042 * Test vector taken from
1043 * https://csrc.nist.gov/CSRC/media/Projects/
1044 * Cryptographic-Algorithm-Validation-Program/documents/KBKDF800-108/CounterMode.zip
1045 * Note: Only 32 bit counter is supported ([RLEN=32_BITS])
1047 static int test_kdf_kbkdf_fixedinfo(void)
1051 OSSL_PARAM params[8], *p = params;
1052 static char *cipher = "AES128";
1053 static char *mac = "CMAC";
1054 static char *mode = "COUNTER";
1056 int use_separator = 0;
1058 static unsigned char input_key[] = {
1059 0xc1, 0x0b, 0x15, 0x2e, 0x8c, 0x97, 0xb7, 0x7e,
1060 0x18, 0x70, 0x4e, 0x0f, 0x0b, 0xd3, 0x83, 0x05,
1062 static unsigned char fixed_input[] = {
1063 0x98, 0xcd, 0x4c, 0xbb, 0xbe, 0xbe, 0x15, 0xd1,
1064 0x7d, 0xc8, 0x6e, 0x6d, 0xba, 0xd8, 0x00, 0xa2,
1065 0xdc, 0xbd, 0x64, 0xf7, 0xc7, 0xad, 0x0e, 0x78,
1066 0xe9, 0xcf, 0x94, 0xff, 0xdb, 0xa8, 0x9d, 0x03,
1067 0xe9, 0x7e, 0xad, 0xf6, 0xc4, 0xf7, 0xb8, 0x06,
1068 0xca, 0xf5, 0x2a, 0xa3, 0x8f, 0x09, 0xd0, 0xeb,
1069 0x71, 0xd7, 0x1f, 0x49, 0x7b, 0xcc, 0x69, 0x06,
1070 0xb4, 0x8d, 0x36, 0xc4,
1073 static unsigned char output[] = {
1074 0x26, 0xfa, 0xf6, 0x19, 0x08, 0xad, 0x9e, 0xe8,
1075 0x81, 0xb8, 0x30, 0x5c, 0x22, 0x1d, 0xb5, 0x3f,
1077 unsigned char result[sizeof(output)] = { 0 };
1079 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_CIPHER, cipher, 0);
1080 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MAC, mac, 0);
1081 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MODE, mode, 0);
1082 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, input_key,
1084 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO,
1085 fixed_input, sizeof(fixed_input));
1086 *p++ = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_KBKDF_USE_L, &use_l);
1087 *p++ = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_KBKDF_USE_SEPARATOR,
1089 *p = OSSL_PARAM_construct_end();
1091 kctx = get_kdfbyname("KBKDF");
1092 ret = TEST_ptr(kctx)
1093 && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result), params), 0)
1094 && TEST_mem_eq(result, sizeof(result), output, sizeof(output));
1096 EVP_KDF_CTX_free(kctx);
1099 #endif /* OPENSSL_NO_CMAC */
1101 static int test_kdf_ss_hmac(void)
1105 OSSL_PARAM params[6], *p = params;
1106 unsigned char out[16];
1107 static unsigned char z[] = {
1108 0xb7,0x4a,0x14,0x9a,0x16,0x15,0x46,0xf8,0xc2,0x0b,0x06,0xac,0x4e,0xd4
1110 static unsigned char other[] = {
1111 0x34,0x8a,0x37,0xa2,0x7e,0xf1,0x28,0x2f,0x5f,0x02,0x0d,0xcc
1113 static unsigned char salt[] = {
1114 0x36,0x38,0x27,0x1c,0xcd,0x68,0xa2,0x5d,0xc2,0x4e,0xcd,0xdd,0x39,0xef,
1117 static const unsigned char expected[sizeof(out)] = {
1118 0x44,0xf6,0x76,0xe8,0x5c,0x1b,0x1a,0x8b,0xbc,0x3d,0x31,0x92,0x18,0x63,
1122 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MAC,
1123 (char *)OSSL_MAC_NAME_HMAC, 0);
1124 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
1125 (char *)"sha256", 0);
1126 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z, sizeof(z));
1127 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, other,
1129 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT, salt,
1131 *p = OSSL_PARAM_construct_end();
1134 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SSKDF))
1135 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
1136 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
1138 EVP_KDF_CTX_free(kctx);
1142 static int test_kdf_ss_kmac(void)
1146 OSSL_PARAM params[6], *p = params;
1147 unsigned char out[64];
1148 size_t mac_size = 20;
1149 static unsigned char z[] = {
1150 0xb7,0x4a,0x14,0x9a,0x16,0x15,0x46,0xf8,0xc2,0x0b,0x06,0xac,0x4e,0xd4
1152 static unsigned char other[] = {
1153 0x34,0x8a,0x37,0xa2,0x7e,0xf1,0x28,0x2f,0x5f,0x02,0x0d,0xcc
1155 static unsigned char salt[] = {
1156 0x36,0x38,0x27,0x1c,0xcd,0x68,0xa2,0x5d,0xc2,0x4e,0xcd,0xdd,0x39,0xef,
1159 static const unsigned char expected[sizeof(out)] = {
1160 0xe9,0xc1,0x84,0x53,0xa0,0x62,0xb5,0x3b,0xdb,0xfc,0xbb,0x5a,0x34,0xbd,
1161 0xb8,0xe5,0xe7,0x07,0xee,0xbb,0x5d,0xd1,0x34,0x42,0x43,0xd8,0xcf,0xc2,
1162 0xc2,0xe6,0x33,0x2f,0x91,0xbd,0xa5,0x86,0xf3,0x7d,0xe4,0x8a,0x65,0xd4,
1163 0xc5,0x14,0xfd,0xef,0xaa,0x1e,0x67,0x54,0xf3,0x73,0xd2,0x38,0xe1,0x95,
1164 0xae,0x15,0x7e,0x1d,0xe8,0x14,0x98,0x03
1167 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MAC,
1168 (char *)OSSL_MAC_NAME_KMAC128, 0);
1169 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z, sizeof(z));
1170 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, other,
1172 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT, salt,
1174 *p++ = OSSL_PARAM_construct_size_t(OSSL_KDF_PARAM_MAC_SIZE, &mac_size);
1175 *p = OSSL_PARAM_construct_end();
1178 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SSKDF))
1179 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
1180 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
1182 EVP_KDF_CTX_free(kctx);
1186 static int test_kdf_sshkdf(void)
1190 OSSL_PARAM params[6], *p = params;
1191 char kdftype = EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV;
1192 unsigned char out[8];
1193 /* Test data from NIST CAVS 14.1 test vectors */
1194 static unsigned char key[] = {
1195 0x00, 0x00, 0x00, 0x81, 0x00, 0x87, 0x5c, 0x55, 0x1c, 0xef, 0x52, 0x6a,
1196 0x4a, 0x8b, 0xe1, 0xa7, 0xdf, 0x27, 0xe9, 0xed, 0x35, 0x4b, 0xac, 0x9a,
1197 0xfb, 0x71, 0xf5, 0x3d, 0xba, 0xe9, 0x05, 0x67, 0x9d, 0x14, 0xf9, 0xfa,
1198 0xf2, 0x46, 0x9c, 0x53, 0x45, 0x7c, 0xf8, 0x0a, 0x36, 0x6b, 0xe2, 0x78,
1199 0x96, 0x5b, 0xa6, 0x25, 0x52, 0x76, 0xca, 0x2d, 0x9f, 0x4a, 0x97, 0xd2,
1200 0x71, 0xf7, 0x1e, 0x50, 0xd8, 0xa9, 0xec, 0x46, 0x25, 0x3a, 0x6a, 0x90,
1201 0x6a, 0xc2, 0xc5, 0xe4, 0xf4, 0x8b, 0x27, 0xa6, 0x3c, 0xe0, 0x8d, 0x80,
1202 0x39, 0x0a, 0x49, 0x2a, 0xa4, 0x3b, 0xad, 0x9d, 0x88, 0x2c, 0xca, 0xc2,
1203 0x3d, 0xac, 0x88, 0xbc, 0xad, 0xa4, 0xb4, 0xd4, 0x26, 0xa3, 0x62, 0x08,
1204 0x3d, 0xab, 0x65, 0x69, 0xc5, 0x4c, 0x22, 0x4d, 0xd2, 0xd8, 0x76, 0x43,
1205 0xaa, 0x22, 0x76, 0x93, 0xe1, 0x41, 0xad, 0x16, 0x30, 0xce, 0x13, 0x14,
1208 static unsigned char xcghash[] = {
1209 0x0e, 0x68, 0x3f, 0xc8, 0xa9, 0xed, 0x7c, 0x2f, 0xf0, 0x2d, 0xef, 0x23,
1210 0xb2, 0x74, 0x5e, 0xbc, 0x99, 0xb2, 0x67, 0xda, 0xa8, 0x6a, 0x4a, 0xa7,
1211 0x69, 0x72, 0x39, 0x08, 0x82, 0x53, 0xf6, 0x42
1213 static unsigned char sessid[] = {
1214 0x0e, 0x68, 0x3f, 0xc8, 0xa9, 0xed, 0x7c, 0x2f, 0xf0, 0x2d, 0xef, 0x23,
1215 0xb2, 0x74, 0x5e, 0xbc, 0x99, 0xb2, 0x67, 0xda, 0xa8, 0x6a, 0x4a, 0xa7,
1216 0x69, 0x72, 0x39, 0x08, 0x82, 0x53, 0xf6, 0x42
1218 static const unsigned char expected[sizeof(out)] = {
1219 0x41, 0xff, 0x2e, 0xad, 0x16, 0x83, 0xf1, 0xe6
1222 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
1223 (char *)"sha256", 0);
1224 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, key,
1226 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SSHKDF_XCGHASH,
1227 xcghash, sizeof(xcghash));
1228 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SSHKDF_SESSION_ID,
1229 sessid, sizeof(sessid));
1230 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_SSHKDF_TYPE,
1231 &kdftype, sizeof(kdftype));
1232 *p = OSSL_PARAM_construct_end();
1235 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SSHKDF))
1236 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
1237 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
1239 EVP_KDF_CTX_free(kctx);
1243 static int test_kdfs_same( EVP_KDF *kdf1, EVP_KDF *kdf2)
1245 /* Fast path in case the two are the same algorithm pointer */
1249 * Compare their names and providers instead.
1250 * This is necessary in a non-caching build (or a cache flush during fetch)
1251 * because without the algorithm in the cache, fetching it a second time
1252 * will result in a different pointer.
1254 return TEST_ptr_eq(EVP_KDF_provider(kdf1), EVP_KDF_provider(kdf2))
1255 && TEST_str_eq(EVP_KDF_name(kdf1), EVP_KDF_name(kdf2));
1258 static int test_kdf_get_kdf(void)
1260 EVP_KDF *kdf1 = NULL, *kdf2 = NULL;
1264 if (!TEST_ptr(obj = OBJ_nid2obj(NID_id_pbkdf2))
1265 || !TEST_ptr(kdf1 = EVP_KDF_fetch(NULL, OSSL_KDF_NAME_PBKDF2, NULL))
1266 || !TEST_ptr(kdf2 = EVP_KDF_fetch(NULL, OBJ_nid2sn(OBJ_obj2nid(obj)),
1268 || !test_kdfs_same(kdf1, kdf2))
1275 if (!TEST_ptr(kdf1 = EVP_KDF_fetch(NULL, SN_tls1_prf, NULL))
1276 || !TEST_ptr(kdf2 = EVP_KDF_fetch(NULL, LN_tls1_prf, NULL))
1277 || !test_kdfs_same(kdf1, kdf2))
1279 /* kdf1 is re-used below, so don't free it here */
1283 if (!TEST_ptr(kdf2 = EVP_KDF_fetch(NULL, OBJ_nid2sn(NID_tls1_prf), NULL))
1284 || !test_kdfs_same(kdf1, kdf2))
1294 #if !defined(OPENSSL_NO_CMS) && !defined(OPENSSL_NO_DES)
1295 static int test_kdf_x942_asn1(void)
1298 EVP_KDF_CTX *kctx = NULL;
1299 OSSL_PARAM params[4], *p = params;
1300 const char *cek_alg = SN_id_smime_alg_CMS3DESwrap;
1301 unsigned char out[24];
1302 /* RFC2631 Section 2.1.6 Test data */
1303 static unsigned char z[] = {
1304 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,
1305 0x0e,0x0f,0x10,0x11,0x12,0x13
1307 static const unsigned char expected[sizeof(out)] = {
1308 0xa0,0x96,0x61,0x39,0x23,0x76,0xf7,0x04,
1309 0x4d,0x90,0x52,0xa3,0x97,0x88,0x32,0x46,
1310 0xb6,0x7f,0x5f,0x1e,0xf6,0x3e,0xb5,0xfb
1313 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
1315 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z,
1317 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_CEK_ALG,
1318 (char *)cek_alg, 0);
1319 *p = OSSL_PARAM_construct_end();
1322 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_X942KDF_ASN1))
1323 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
1324 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
1326 EVP_KDF_CTX_free(kctx);
1329 #endif /* OPENSSL_NO_CMS */
1331 static int test_kdf_krb5kdf(void)
1335 OSSL_PARAM params[4], *p = params;
1336 unsigned char out[16];
1337 static unsigned char key[] = {
1338 0x42, 0x26, 0x3C, 0x6E, 0x89, 0xF4, 0xFC, 0x28,
1339 0xB8, 0xDF, 0x68, 0xEE, 0x09, 0x79, 0x9F, 0x15
1341 static unsigned char constant[] = {
1342 0x00, 0x00, 0x00, 0x02, 0x99
1344 static const unsigned char expected[sizeof(out)] = {
1345 0x34, 0x28, 0x0A, 0x38, 0x2B, 0xC9, 0x27, 0x69,
1346 0xB2, 0xDA, 0x2F, 0x9E, 0xF0, 0x66, 0x85, 0x4B
1349 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_CIPHER,
1350 (char *)"AES-128-CBC", 0);
1351 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, key,
1353 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_CONSTANT,
1354 constant, sizeof(constant));
1355 *p = OSSL_PARAM_construct_end();
1358 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_KRB5KDF))
1359 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
1360 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
1362 EVP_KDF_CTX_free(kctx);
1366 int setup_tests(void)
1368 #if !defined(OPENSSL_NO_CMAC) && !defined(OPENSSL_NO_CAMELLIA)
1369 ADD_TEST(test_kdf_kbkdf_6803_128);
1370 ADD_TEST(test_kdf_kbkdf_6803_256);
1372 ADD_TEST(test_kdf_kbkdf_invalid_digest);
1373 ADD_TEST(test_kdf_kbkdf_invalid_mac);
1374 ADD_TEST(test_kdf_kbkdf_zero_output_size);
1375 ADD_TEST(test_kdf_kbkdf_empty_key);
1376 ADD_TEST(test_kdf_kbkdf_1byte_key);
1377 ADD_TEST(test_kdf_kbkdf_8009_prf1);
1378 ADD_TEST(test_kdf_kbkdf_8009_prf2);
1379 #if !defined(OPENSSL_NO_CMAC)
1380 ADD_TEST(test_kdf_kbkdf_fixedinfo);
1382 ADD_TEST(test_kdf_get_kdf);
1383 ADD_TEST(test_kdf_tls1_prf);
1384 ADD_TEST(test_kdf_tls1_prf_invalid_digest);
1385 ADD_TEST(test_kdf_tls1_prf_zero_output_size);
1386 ADD_TEST(test_kdf_tls1_prf_empty_secret);
1387 ADD_TEST(test_kdf_tls1_prf_1byte_secret);
1388 ADD_TEST(test_kdf_tls1_prf_empty_seed);
1389 ADD_TEST(test_kdf_tls1_prf_1byte_seed);
1390 ADD_TEST(test_kdf_hkdf);
1391 ADD_TEST(test_kdf_hkdf_invalid_digest);
1392 ADD_TEST(test_kdf_hkdf_zero_output_size);
1393 ADD_TEST(test_kdf_hkdf_empty_key);
1394 ADD_TEST(test_kdf_hkdf_1byte_key);
1395 ADD_TEST(test_kdf_hkdf_empty_salt);
1396 ADD_TEST(test_kdf_pbkdf2);
1397 ADD_TEST(test_kdf_pbkdf2_small_output);
1398 ADD_TEST(test_kdf_pbkdf2_large_output);
1399 ADD_TEST(test_kdf_pbkdf2_small_salt);
1400 ADD_TEST(test_kdf_pbkdf2_small_iterations);
1401 ADD_TEST(test_kdf_pbkdf2_small_salt_pkcs5);
1402 ADD_TEST(test_kdf_pbkdf2_small_iterations_pkcs5);
1403 ADD_TEST(test_kdf_pbkdf2_invalid_digest);
1404 #ifndef OPENSSL_NO_SCRYPT
1405 ADD_TEST(test_kdf_scrypt);
1407 ADD_TEST(test_kdf_ss_hash);
1408 ADD_TEST(test_kdf_ss_hmac);
1409 ADD_TEST(test_kdf_ss_kmac);
1410 ADD_TEST(test_kdf_sshkdf);
1411 ADD_TEST(test_kdf_x963);
1412 #if !defined(OPENSSL_NO_CMS) && !defined(OPENSSL_NO_DES)
1413 ADD_TEST(test_kdf_x942_asn1);
1415 ADD_TEST(test_kdf_krb5kdf);