Add EVP_KDF-X942 to the fips module
[openssl.git] / test / evp_kdf_test.c
1 /*
2  * Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved.
3  * Copyright (c) 2018-2020, Oracle and/or its affiliates.  All rights reserved.
4  *
5  * Licensed under the Apache License 2.0 (the "License").  You may not use
6  * this file except in compliance with the License.  You can obtain a copy
7  * in the file LICENSE in the source distribution or at
8  * https://www.openssl.org/source/license.html
9  */
10
11 /* Tests of the EVP_KDF_CTX APIs */
12
13 #include <stdio.h>
14 #include <string.h>
15
16 #include <openssl/evp.h>
17 #include <openssl/kdf.h>
18 #include <openssl/core_names.h>
19 #include "testutil.h"
20
21 static EVP_KDF_CTX *get_kdfbyname(const char *name)
22 {
23     EVP_KDF *kdf = EVP_KDF_fetch(NULL, name, NULL);
24     EVP_KDF_CTX *kctx = EVP_KDF_CTX_new(kdf);
25
26     EVP_KDF_free(kdf);
27     return kctx;
28 }
29
30 static OSSL_PARAM *construct_tls1_prf_params(const char *digest, const char *secret,
31     const char *seed)
32 {
33     OSSL_PARAM *params = OPENSSL_malloc(sizeof(OSSL_PARAM) * 4);
34     OSSL_PARAM *p = params;
35
36     *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
37                                             (char *)digest, 0);
38     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SECRET,
39                                              (unsigned char *)secret,
40                                              strlen(secret));
41     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED,
42                                              (unsigned char *)seed,
43                                              strlen(seed));
44     *p = OSSL_PARAM_construct_end();
45
46     return params;
47 }
48
49 static int test_kdf_tls1_prf(void)
50 {
51     int ret;
52     EVP_KDF_CTX *kctx = NULL;
53     unsigned char out[16];
54     OSSL_PARAM *params;
55     static const unsigned char expected[sizeof(out)] = {
56         0x8e, 0x4d, 0x93, 0x25, 0x30, 0xd7, 0x65, 0xa0,
57         0xaa, 0xe9, 0x74, 0xc3, 0x04, 0x73, 0x5e, 0xcc
58     };
59
60     params = construct_tls1_prf_params("sha256", "secret", "seed");
61
62     ret =
63         TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
64         && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
65         && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
66         && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
67
68     EVP_KDF_CTX_free(kctx);
69     OPENSSL_free(params);
70     return ret;
71 }
72
73 static int test_kdf_tls1_prf_invalid_digest(void)
74 {
75     int ret;
76     EVP_KDF_CTX *kctx = NULL;
77     OSSL_PARAM *params;
78
79     params = construct_tls1_prf_params("blah", "secret", "seed");
80
81     ret =
82         TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
83         && TEST_false(EVP_KDF_CTX_set_params(kctx, params));
84
85     EVP_KDF_CTX_free(kctx);
86     OPENSSL_free(params);
87     return ret;
88 }
89
90 static int test_kdf_tls1_prf_zero_output_size(void)
91 {
92     int ret;
93     EVP_KDF_CTX *kctx = NULL;
94     unsigned char out[16];
95     OSSL_PARAM *params;
96
97     params = construct_tls1_prf_params("sha256", "secret", "seed");
98
99     /* Negative test - derive should fail */
100     ret =
101         TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
102         && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
103         && TEST_int_eq(EVP_KDF_derive(kctx, out, 0), 0);
104
105     EVP_KDF_CTX_free(kctx);
106     OPENSSL_free(params);
107     return ret;
108 }
109
110 static int test_kdf_tls1_prf_empty_secret(void)
111 {
112     int ret;
113     EVP_KDF_CTX *kctx = NULL;
114     unsigned char out[16];
115     OSSL_PARAM *params;
116
117     params = construct_tls1_prf_params("sha256", "", "seed");
118
119     ret =
120         TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
121         && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
122         && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0);
123
124     EVP_KDF_CTX_free(kctx);
125     OPENSSL_free(params);
126     return ret;
127 }
128
129 static int test_kdf_tls1_prf_1byte_secret(void)
130 {
131     int ret;
132     EVP_KDF_CTX *kctx = NULL;
133     unsigned char out[16];
134     OSSL_PARAM *params;
135
136     params = construct_tls1_prf_params("sha256", "1", "seed");
137
138     ret =
139         TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
140         && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
141         && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0);
142
143     EVP_KDF_CTX_free(kctx);
144     OPENSSL_free(params);
145     return ret;
146 }
147
148 static int test_kdf_tls1_prf_empty_seed(void)
149 {
150     int ret;
151     EVP_KDF_CTX *kctx = NULL;
152     unsigned char out[16];
153     OSSL_PARAM *params;
154
155     params = construct_tls1_prf_params("sha256", "secret", "");
156
157     /* Negative test - derive should fail */
158     ret =
159         TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
160         && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
161         && TEST_int_eq(EVP_KDF_derive(kctx, out, sizeof(out)), 0);
162
163     EVP_KDF_CTX_free(kctx);
164     OPENSSL_free(params);
165     return ret;
166 }
167
168 static int test_kdf_tls1_prf_1byte_seed(void)
169 {
170     int ret;
171     EVP_KDF_CTX *kctx = NULL;
172     unsigned char out[16];
173     OSSL_PARAM *params;
174
175     params = construct_tls1_prf_params("sha256", "secret", "1");
176
177     ret =
178         TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
179         && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
180         && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0);
181
182     EVP_KDF_CTX_free(kctx);
183     OPENSSL_free(params);
184     return ret;
185 }
186
187 static OSSL_PARAM *construct_hkdf_params(char *digest, char *key,
188     size_t keylen, char *salt, char *info)
189 {
190     OSSL_PARAM *params = OPENSSL_malloc(sizeof(OSSL_PARAM) * 5);
191     OSSL_PARAM *p = params;
192
193     *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
194                                             digest, 0);
195     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
196                                              salt, strlen(salt));
197     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
198                                              (unsigned char *)key, keylen);
199     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO,
200                                              info, strlen(info));
201     *p = OSSL_PARAM_construct_end();
202
203     return params;
204 }
205
206 static int test_kdf_hkdf(void)
207 {
208     int ret;
209     EVP_KDF_CTX *kctx;
210     unsigned char out[10];
211     OSSL_PARAM *params;
212     static const unsigned char expected[sizeof(out)] = {
213         0x2a, 0xc4, 0x36, 0x9f, 0x52, 0x59, 0x96, 0xf8, 0xde, 0x13
214     };
215
216     params = construct_hkdf_params("sha256", "secret", 6, "salt", "label");
217
218     ret =
219         TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))
220         && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
221         && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
222         && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
223
224     EVP_KDF_CTX_free(kctx);
225     OPENSSL_free(params);
226     return ret;
227 }
228
229 static int test_kdf_hkdf_invalid_digest(void)
230 {
231     int ret;
232     EVP_KDF_CTX *kctx;
233     OSSL_PARAM *params;
234
235     params = construct_hkdf_params("blah", "secret", 6, "salt", "label");
236
237     ret =
238         TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))
239         && TEST_false(EVP_KDF_CTX_set_params(kctx, params));
240
241     EVP_KDF_CTX_free(kctx);
242     OPENSSL_free(params);
243     return ret;
244 }
245
246 static int test_kdf_hkdf_zero_output_size(void)
247 {
248     int ret;
249     EVP_KDF_CTX *kctx;
250     unsigned char out[10];
251     OSSL_PARAM *params;
252
253     params = construct_hkdf_params("sha256", "secret", 6, "salt", "label");
254
255     /* Negative test - derive should fail */
256     ret =
257         TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))
258         && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
259         && TEST_int_eq(EVP_KDF_derive(kctx, out, 0), 0);
260
261     EVP_KDF_CTX_free(kctx);
262     OPENSSL_free(params);
263     return ret;
264 }
265
266 static int test_kdf_hkdf_empty_key(void)
267 {
268     int ret;
269     EVP_KDF_CTX *kctx;
270     unsigned char out[10];
271     OSSL_PARAM *params;
272
273     params = construct_hkdf_params("sha256", "", 0, "salt", "label");
274
275     ret =
276         TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))
277         && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
278         && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0);
279
280     EVP_KDF_CTX_free(kctx);
281     OPENSSL_free(params);
282     return ret;
283 }
284
285 static int test_kdf_hkdf_1byte_key(void)
286 {
287     int ret;
288     EVP_KDF_CTX *kctx;
289     unsigned char out[10];
290     OSSL_PARAM *params;
291
292     params = construct_hkdf_params("sha256", "1", 1, "salt", "label");
293
294     ret =
295         TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))
296         && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
297         && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0);
298
299     EVP_KDF_CTX_free(kctx);
300     OPENSSL_free(params);
301     return ret;
302 }
303
304 static int test_kdf_hkdf_empty_salt(void)
305 {
306     int ret;
307     EVP_KDF_CTX *kctx;
308     unsigned char out[10];
309     OSSL_PARAM *params;
310
311     params = construct_hkdf_params("sha256", "secret", 6, "", "label");
312
313     ret =
314         TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))
315         && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
316         && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0);
317
318     EVP_KDF_CTX_free(kctx);
319     OPENSSL_free(params);
320     return ret;
321 }
322
323 static OSSL_PARAM *construct_pbkdf2_params(char *pass, char *digest, char *salt,
324     unsigned int *iter, int *mode)
325 {
326     OSSL_PARAM *params = OPENSSL_malloc(sizeof(OSSL_PARAM) * 6);
327     OSSL_PARAM *p = params;
328
329     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PASSWORD,
330                                              (unsigned char *)pass, strlen(pass));
331     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
332                                              (unsigned char *)salt, strlen(salt));
333     *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_ITER, iter);
334     *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
335                                              digest, 0);
336     *p++ = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_PKCS5, mode);
337     *p = OSSL_PARAM_construct_end();
338
339     return params;
340 }
341
342 static int test_kdf_pbkdf2(void)
343 {
344     int ret = 0;
345     EVP_KDF_CTX *kctx;
346     unsigned char out[25];
347     unsigned int iterations = 4096;
348     int mode = 0;
349     OSSL_PARAM *params;
350     const unsigned char expected[sizeof(out)] = {
351         0x34, 0x8c, 0x89, 0xdb, 0xcb, 0xd3, 0x2b, 0x2f,
352         0x32, 0xd8, 0x14, 0xb8, 0x11, 0x6e, 0x84, 0xcf,
353         0x2b, 0x17, 0x34, 0x7e, 0xbc, 0x18, 0x00, 0x18,
354         0x1c
355     };
356
357     params = construct_pbkdf2_params("passwordPASSWORDpassword", "sha256",
358                                      "saltSALTsaltSALTsaltSALTsaltSALTsalt",
359                                      &iterations, &mode);
360
361     if (!TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
362         || !TEST_true(EVP_KDF_CTX_set_params(kctx, params))
363         || !TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
364         || !TEST_mem_eq(out, sizeof(out), expected, sizeof(expected)))
365         goto err;
366
367     ret = 1;
368 err:
369     EVP_KDF_CTX_free(kctx);
370     OPENSSL_free(params);
371     return ret;
372 }
373
374 static int test_kdf_pbkdf2_small_output(void)
375 {
376     int ret = 0;
377     EVP_KDF_CTX *kctx;
378     unsigned char out[25];
379     unsigned int iterations = 4096;
380     int mode = 0;
381     OSSL_PARAM *params;
382
383     params = construct_pbkdf2_params("passwordPASSWORDpassword", "sha256",
384                                      "saltSALTsaltSALTsaltSALTsaltSALTsalt",
385                                      &iterations, &mode);
386
387     if (!TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
388         || !TEST_true(EVP_KDF_CTX_set_params(kctx, params))
389         /* A key length that is too small should fail */
390         || !TEST_int_eq(EVP_KDF_derive(kctx, out, 112 / 8 - 1), 0))
391         goto err;
392
393     ret = 1;
394 err:
395     EVP_KDF_CTX_free(kctx);
396     OPENSSL_free(params);
397     return ret;
398 }
399
400 static int test_kdf_pbkdf2_large_output(void)
401 {
402     int ret = 0;
403     EVP_KDF_CTX *kctx;
404     unsigned char out[25];
405     size_t len = 0;
406     unsigned int iterations = 4096;
407     int mode = 0;
408     OSSL_PARAM *params;
409
410     if (sizeof(len) > 32)
411         len = SIZE_MAX;
412
413     params = construct_pbkdf2_params("passwordPASSWORDpassword", "sha256",
414                                      "saltSALTsaltSALTsaltSALTsaltSALTsalt",
415                                      &iterations, &mode);
416
417     if (!TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
418         || !TEST_true(EVP_KDF_CTX_set_params(kctx, params))
419         /* A key length that is too large should fail */
420         || (len != 0 && !TEST_int_eq(EVP_KDF_derive(kctx, out, len), 0)))
421         goto err;
422
423     ret = 1;
424 err:
425     EVP_KDF_CTX_free(kctx);
426     OPENSSL_free(params);
427     return ret;
428 }
429
430 static int test_kdf_pbkdf2_small_salt(void)
431 {
432     int ret = 0;
433     EVP_KDF_CTX *kctx;
434     unsigned int iterations = 4096;
435     int mode = 0;
436     OSSL_PARAM *params;
437
438     params = construct_pbkdf2_params("passwordPASSWORDpassword", "sha256",
439                                      "saltSALT",
440                                      &iterations, &mode);
441
442     if (!TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
443         /* A salt that is too small should fail */
444         || !TEST_false(EVP_KDF_CTX_set_params(kctx, params)))
445         goto err;
446
447     ret = 1;
448 err:
449     EVP_KDF_CTX_free(kctx);
450     OPENSSL_free(params);
451     return ret;
452 }
453
454 static int test_kdf_pbkdf2_small_iterations(void)
455 {
456     int ret = 0;
457     EVP_KDF_CTX *kctx;
458     unsigned int iterations = 1;
459     int mode = 0;
460     OSSL_PARAM *params;
461
462     params = construct_pbkdf2_params("passwordPASSWORDpassword", "sha256",
463                                      "saltSALTsaltSALTsaltSALTsaltSALTsalt",
464                                      &iterations, &mode);
465
466     if (!TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
467         /* An iteration count that is too small should fail */
468         || !TEST_false(EVP_KDF_CTX_set_params(kctx, params)))
469         goto err;
470
471     ret = 1;
472 err:
473     EVP_KDF_CTX_free(kctx);
474     OPENSSL_free(params);
475     return ret;
476 }
477
478 static int test_kdf_pbkdf2_small_salt_pkcs5(void)
479 {
480     int ret = 0;
481     EVP_KDF_CTX *kctx;
482     unsigned char out[25];
483     unsigned int iterations = 4096;
484     int mode = 1;
485     OSSL_PARAM *params;
486     OSSL_PARAM mode_params[2];
487
488     params = construct_pbkdf2_params("passwordPASSWORDpassword", "sha256",
489                                      "saltSALT",
490                                      &iterations, &mode);
491
492     if (!TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
493         /* A salt that is too small should pass in pkcs5 mode */
494         || !TEST_true(EVP_KDF_CTX_set_params(kctx, params))
495         || !TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0))
496         goto err;
497
498     mode = 0;
499     mode_params[0] = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_PKCS5, &mode);
500     mode_params[1] = OSSL_PARAM_construct_end();
501
502     /* If the "pkcs5" mode is disabled then the derive will now fail */
503     if (!TEST_true(EVP_KDF_CTX_set_params(kctx, mode_params))
504         || !TEST_int_eq(EVP_KDF_derive(kctx, out, sizeof(out)), 0))
505         goto err;
506
507     ret = 1;
508 err:
509     EVP_KDF_CTX_free(kctx);
510     OPENSSL_free(params);
511     return ret;
512 }
513
514 static int test_kdf_pbkdf2_small_iterations_pkcs5(void)
515 {
516     int ret = 0;
517     EVP_KDF_CTX *kctx;
518     unsigned char out[25];
519     unsigned int iterations = 1;
520     int mode = 1;
521     OSSL_PARAM *params;
522     OSSL_PARAM mode_params[2];
523
524     params = construct_pbkdf2_params("passwordPASSWORDpassword", "sha256",
525                                      "saltSALTsaltSALTsaltSALTsaltSALTsalt",
526                                      &iterations, &mode);
527
528     if (!TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
529         /* An iteration count that is too small will pass in pkcs5 mode */
530         || !TEST_true(EVP_KDF_CTX_set_params(kctx, params))
531         || !TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0))
532         goto err;
533
534     mode = 0;
535     mode_params[0] = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_PKCS5, &mode);
536     mode_params[1] = OSSL_PARAM_construct_end();
537
538     /* If the "pkcs5" mode is disabled then the derive will now fail */
539     if (!TEST_true(EVP_KDF_CTX_set_params(kctx, mode_params))
540         || !TEST_int_eq(EVP_KDF_derive(kctx, out, sizeof(out)), 0))
541         goto err;
542
543     ret = 1;
544 err:
545     EVP_KDF_CTX_free(kctx);
546     OPENSSL_free(params);
547     return ret;
548 }
549
550 static int test_kdf_pbkdf2_invalid_digest(void)
551 {
552     int ret = 0;
553     EVP_KDF_CTX *kctx;
554     unsigned int iterations = 4096;
555     int mode = 0;
556     OSSL_PARAM *params;
557
558     params = construct_pbkdf2_params("passwordPASSWORDpassword", "blah",
559                                      "saltSALTsaltSALTsaltSALTsaltSALTsalt",
560                                      &iterations, &mode);
561
562     if (!TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
563         /* Unknown digest should fail */
564         || !TEST_false(EVP_KDF_CTX_set_params(kctx, params)))
565         goto err;
566
567     ret = 1;
568 err:
569     EVP_KDF_CTX_free(kctx);
570     OPENSSL_free(params);
571     return ret;
572 }
573
574 #ifndef OPENSSL_NO_SCRYPT
575 static int test_kdf_scrypt(void)
576 {
577     int ret;
578     EVP_KDF_CTX *kctx;
579     OSSL_PARAM params[7], *p = params;
580     unsigned char out[64];
581     unsigned int nu = 1024, ru = 8, pu = 16, maxmem = 16;
582     static const unsigned char expected[sizeof(out)] = {
583         0xfd, 0xba, 0xbe, 0x1c, 0x9d, 0x34, 0x72, 0x00,
584         0x78, 0x56, 0xe7, 0x19, 0x0d, 0x01, 0xe9, 0xfe,
585         0x7c, 0x6a, 0xd7, 0xcb, 0xc8, 0x23, 0x78, 0x30,
586         0xe7, 0x73, 0x76, 0x63, 0x4b, 0x37, 0x31, 0x62,
587         0x2e, 0xaf, 0x30, 0xd9, 0x2e, 0x22, 0xa3, 0x88,
588         0x6f, 0xf1, 0x09, 0x27, 0x9d, 0x98, 0x30, 0xda,
589         0xc7, 0x27, 0xaf, 0xb9, 0x4a, 0x83, 0xee, 0x6d,
590         0x83, 0x60, 0xcb, 0xdf, 0xa2, 0xcc, 0x06, 0x40
591     };
592
593     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PASSWORD,
594                                              (char *)"password", 8);
595     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
596                                              (char *)"NaCl", 4);
597     *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_SCRYPT_N, &nu);
598     *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_SCRYPT_R, &ru);
599     *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_SCRYPT_P, &pu);
600     *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_SCRYPT_MAXMEM, &maxmem);
601     *p = OSSL_PARAM_construct_end();
602
603     ret =
604         TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SCRYPT))
605         && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
606         /* failure test *//*
607         && TEST_int_le(EVP_KDF_derive(kctx, out, sizeof(out)), 0)*/
608         && TEST_true(OSSL_PARAM_set_uint(p - 1, 10 * 1024 * 1024))
609         && TEST_true(EVP_KDF_CTX_set_params(kctx, p - 1))
610         && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
611         && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
612
613     EVP_KDF_CTX_free(kctx);
614     return ret;
615 }
616 #endif /* OPENSSL_NO_SCRYPT */
617
618 static int test_kdf_ss_hash(void)
619 {
620     int ret;
621     EVP_KDF_CTX *kctx;
622     OSSL_PARAM params[4], *p = params;
623     unsigned char out[14];
624     static unsigned char z[] = {
625         0x6d,0xbd,0xc2,0x3f,0x04,0x54,0x88,0xe4,0x06,0x27,0x57,0xb0,0x6b,0x9e,
626         0xba,0xe1,0x83,0xfc,0x5a,0x59,0x46,0xd8,0x0d,0xb9,0x3f,0xec,0x6f,0x62,
627         0xec,0x07,0xe3,0x72,0x7f,0x01,0x26,0xae,0xd1,0x2c,0xe4,0xb2,0x62,0xf4,
628         0x7d,0x48,0xd5,0x42,0x87,0xf8,0x1d,0x47,0x4c,0x7c,0x3b,0x18,0x50,0xe9
629     };
630     static unsigned char other[] = {
631         0xa1,0xb2,0xc3,0xd4,0xe5,0x43,0x41,0x56,0x53,0x69,0x64,0x3c,0x83,0x2e,
632         0x98,0x49,0xdc,0xdb,0xa7,0x1e,0x9a,0x31,0x39,0xe6,0x06,0xe0,0x95,0xde,
633         0x3c,0x26,0x4a,0x66,0xe9,0x8a,0x16,0x58,0x54,0xcd,0x07,0x98,0x9b,0x1e,
634         0xe0,0xec,0x3f,0x8d,0xbe
635     };
636     static const unsigned char expected[sizeof(out)] = {
637         0xa4,0x62,0xde,0x16,0xa8,0x9d,0xe8,0x46,0x6e,0xf5,0x46,0x0b,0x47,0xb8
638     };
639
640     *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
641                                             (char *)"sha224", sizeof("sha224"));
642     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z, sizeof(z));
643     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, other,
644                                              sizeof(other));
645     *p = OSSL_PARAM_construct_end();
646
647     ret =
648         TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SSKDF))
649         && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
650         && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
651         && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
652
653     EVP_KDF_CTX_free(kctx);
654     return ret;
655 }
656
657 static int test_kdf_x963(void)
658 {
659     int ret;
660     EVP_KDF_CTX *kctx;
661     OSSL_PARAM params[4], *p = params;
662     unsigned char out[1024 / 8];
663     /*
664      * Test data from https://csrc.nist.gov/CSRC/media/Projects/
665      *  Cryptographic-Algorithm-Validation-Program/documents/components/
666      *  800-135testvectors/ansx963_2001.zip
667      */
668     static unsigned char z[] = {
669         0x00, 0xaa, 0x5b, 0xb7, 0x9b, 0x33, 0xe3, 0x89, 0xfa, 0x58, 0xce, 0xad,
670         0xc0, 0x47, 0x19, 0x7f, 0x14, 0xe7, 0x37, 0x12, 0xf4, 0x52, 0xca, 0xa9,
671         0xfc, 0x4c, 0x9a, 0xdb, 0x36, 0x93, 0x48, 0xb8, 0x15, 0x07, 0x39, 0x2f,
672         0x1a, 0x86, 0xdd, 0xfd, 0xb7, 0xc4, 0xff, 0x82, 0x31, 0xc4, 0xbd, 0x0f,
673         0x44, 0xe4, 0x4a, 0x1b, 0x55, 0xb1, 0x40, 0x47, 0x47, 0xa9, 0xe2, 0xe7,
674         0x53, 0xf5, 0x5e, 0xf0, 0x5a, 0x2d
675     };
676     static unsigned char shared[] = {
677         0xe3, 0xb5, 0xb4, 0xc1, 0xb0, 0xd5, 0xcf, 0x1d, 0x2b, 0x3a, 0x2f, 0x99,
678         0x37, 0x89, 0x5d, 0x31
679     };
680     static const unsigned char expected[sizeof(out)] = {
681         0x44, 0x63, 0xf8, 0x69, 0xf3, 0xcc, 0x18, 0x76, 0x9b, 0x52, 0x26, 0x4b,
682         0x01, 0x12, 0xb5, 0x85, 0x8f, 0x7a, 0xd3, 0x2a, 0x5a, 0x2d, 0x96, 0xd8,
683         0xcf, 0xfa, 0xbf, 0x7f, 0xa7, 0x33, 0x63, 0x3d, 0x6e, 0x4d, 0xd2, 0xa5,
684         0x99, 0xac, 0xce, 0xb3, 0xea, 0x54, 0xa6, 0x21, 0x7c, 0xe0, 0xb5, 0x0e,
685         0xef, 0x4f, 0x6b, 0x40, 0xa5, 0xc3, 0x02, 0x50, 0xa5, 0xa8, 0xee, 0xee,
686         0x20, 0x80, 0x02, 0x26, 0x70, 0x89, 0xdb, 0xf3, 0x51, 0xf3, 0xf5, 0x02,
687         0x2a, 0xa9, 0x63, 0x8b, 0xf1, 0xee, 0x41, 0x9d, 0xea, 0x9c, 0x4f, 0xf7,
688         0x45, 0xa2, 0x5a, 0xc2, 0x7b, 0xda, 0x33, 0xca, 0x08, 0xbd, 0x56, 0xdd,
689         0x1a, 0x59, 0xb4, 0x10, 0x6c, 0xf2, 0xdb, 0xbc, 0x0a, 0xb2, 0xaa, 0x8e,
690         0x2e, 0xfa, 0x7b, 0x17, 0x90, 0x2d, 0x34, 0x27, 0x69, 0x51, 0xce, 0xcc,
691         0xab, 0x87, 0xf9, 0x66, 0x1c, 0x3e, 0x88, 0x16
692     };
693
694     *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
695                                             (char *)"sha512", sizeof("sha512"));
696     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z, sizeof(z));
697     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, shared,
698                                              sizeof(shared));
699     *p = OSSL_PARAM_construct_end();
700
701     ret =
702         TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_X963KDF))
703         && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
704         && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
705         && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
706
707     EVP_KDF_CTX_free(kctx);
708     return ret;
709 }
710
711 #if !defined(OPENSSL_NO_CMAC) && !defined(OPENSSL_NO_CAMELLIA)
712 /*
713  * KBKDF test vectors from RFC 6803 (Camellia Encryption for Kerberos 5)
714  * section 10.
715  */
716 static int test_kdf_kbkdf_6803_128(void)
717 {
718     int ret = 0, i, p;
719     EVP_KDF_CTX *kctx;
720     OSSL_PARAM params[7];
721     static unsigned char input_key[] = {
722         0x57, 0xD0, 0x29, 0x72, 0x98, 0xFF, 0xD9, 0xD3,
723         0x5D, 0xE5, 0xA4, 0x7F, 0xB4, 0xBD, 0xE2, 0x4B,
724     };
725     static unsigned char constants[][5] = {
726         { 0x00, 0x00, 0x00, 0x02, 0x99 },
727         { 0x00, 0x00, 0x00, 0x02, 0xaa },
728         { 0x00, 0x00, 0x00, 0x02, 0x55 },
729     };
730     static unsigned char outputs[][16] = {
731         {0xD1, 0x55, 0x77, 0x5A, 0x20, 0x9D, 0x05, 0xF0,
732          0x2B, 0x38, 0xD4, 0x2A, 0x38, 0x9E, 0x5A, 0x56},
733         {0x64, 0xDF, 0x83, 0xF8, 0x5A, 0x53, 0x2F, 0x17,
734          0x57, 0x7D, 0x8C, 0x37, 0x03, 0x57, 0x96, 0xAB},
735         {0x3E, 0x4F, 0xBD, 0xF3, 0x0F, 0xB8, 0x25, 0x9C,
736          0x42, 0x5C, 0xB6, 0xC9, 0x6F, 0x1F, 0x46, 0x35}
737     };
738     static unsigned char iv[16] = { 0 };
739     unsigned char result[16] = { 0 };
740
741     for (i = 0; i < 3; i++) {
742         p = 0;
743         params[p++] = OSSL_PARAM_construct_utf8_string(
744             OSSL_KDF_PARAM_CIPHER, "CAMELLIA-128-CBC", 0);
745         params[p++] = OSSL_PARAM_construct_utf8_string(
746             OSSL_KDF_PARAM_MAC, "CMAC", 0);
747         params[p++] = OSSL_PARAM_construct_utf8_string(
748             OSSL_KDF_PARAM_MODE, "FEEDBACK", 0);
749         params[p++] = OSSL_PARAM_construct_octet_string(
750             OSSL_KDF_PARAM_KEY, input_key, sizeof(input_key));
751         params[p++] = OSSL_PARAM_construct_octet_string(
752             OSSL_KDF_PARAM_SALT, constants[i], sizeof(constants[i]));
753         params[p++] = OSSL_PARAM_construct_octet_string(
754             OSSL_KDF_PARAM_SEED, iv, sizeof(iv));
755         params[p] = OSSL_PARAM_construct_end();
756
757         kctx = get_kdfbyname("KBKDF");
758         ret = TEST_ptr(kctx)
759             && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
760             && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result)), 0)
761             && TEST_mem_eq(result, sizeof(result), outputs[i],
762                            sizeof(outputs[i]));
763         EVP_KDF_CTX_free(kctx);
764         if (ret != 1)
765             return ret;
766     }
767
768     return ret;
769 }
770
771 static int test_kdf_kbkdf_6803_256(void)
772 {
773     int ret = 0, i, p;
774     EVP_KDF_CTX *kctx;
775     OSSL_PARAM params[7];
776     static unsigned char input_key[] = {
777         0xB9, 0xD6, 0x82, 0x8B, 0x20, 0x56, 0xB7, 0xBE,
778         0x65, 0x6D, 0x88, 0xA1, 0x23, 0xB1, 0xFA, 0xC6,
779         0x82, 0x14, 0xAC, 0x2B, 0x72, 0x7E, 0xCF, 0x5F,
780         0x69, 0xAF, 0xE0, 0xC4, 0xDF, 0x2A, 0x6D, 0x2C,
781     };
782     static unsigned char constants[][5] = {
783         { 0x00, 0x00, 0x00, 0x02, 0x99 },
784         { 0x00, 0x00, 0x00, 0x02, 0xaa },
785         { 0x00, 0x00, 0x00, 0x02, 0x55 },
786     };
787     static unsigned char outputs[][32] = {
788         {0xE4, 0x67, 0xF9, 0xA9, 0x55, 0x2B, 0xC7, 0xD3,
789          0x15, 0x5A, 0x62, 0x20, 0xAF, 0x9C, 0x19, 0x22,
790          0x0E, 0xEE, 0xD4, 0xFF, 0x78, 0xB0, 0xD1, 0xE6,
791          0xA1, 0x54, 0x49, 0x91, 0x46, 0x1A, 0x9E, 0x50,
792         },
793         {0x41, 0x2A, 0xEF, 0xC3, 0x62, 0xA7, 0x28, 0x5F,
794          0xC3, 0x96, 0x6C, 0x6A, 0x51, 0x81, 0xE7, 0x60,
795          0x5A, 0xE6, 0x75, 0x23, 0x5B, 0x6D, 0x54, 0x9F,
796          0xBF, 0xC9, 0xAB, 0x66, 0x30, 0xA4, 0xC6, 0x04,
797         },
798         {0xFA, 0x62, 0x4F, 0xA0, 0xE5, 0x23, 0x99, 0x3F,
799          0xA3, 0x88, 0xAE, 0xFD, 0xC6, 0x7E, 0x67, 0xEB,
800          0xCD, 0x8C, 0x08, 0xE8, 0xA0, 0x24, 0x6B, 0x1D,
801          0x73, 0xB0, 0xD1, 0xDD, 0x9F, 0xC5, 0x82, 0xB0,
802         },
803     };
804     static unsigned char iv[16] = { 0 };
805     unsigned char result[32] = { 0 };
806
807     for (i = 0; i < 3; i++) {
808         p = 0;
809         params[p++] = OSSL_PARAM_construct_utf8_string(
810             OSSL_KDF_PARAM_CIPHER, "CAMELLIA-256-CBC", 0);
811         params[p++] = OSSL_PARAM_construct_utf8_string(
812             OSSL_KDF_PARAM_MAC, "CMAC", 0);
813         params[p++] = OSSL_PARAM_construct_utf8_string(
814             OSSL_KDF_PARAM_MODE, "FEEDBACK", 0);
815         params[p++] = OSSL_PARAM_construct_octet_string(
816             OSSL_KDF_PARAM_KEY, input_key, sizeof(input_key));
817         params[p++] = OSSL_PARAM_construct_octet_string(
818             OSSL_KDF_PARAM_SALT, constants[i], sizeof(constants[i]));
819         params[p++] = OSSL_PARAM_construct_octet_string(
820             OSSL_KDF_PARAM_SEED, iv, sizeof(iv));
821         params[p] = OSSL_PARAM_construct_end();
822
823         kctx = get_kdfbyname("KBKDF");
824         ret = TEST_ptr(kctx)
825             && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
826             && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result)), 0)
827             && TEST_mem_eq(result, sizeof(result), outputs[i],
828                            sizeof(outputs[i]));
829         EVP_KDF_CTX_free(kctx);
830         if (ret != 1)
831             return ret;
832     }
833
834     return ret;
835 }
836 #endif
837
838 static OSSL_PARAM *construct_kbkdf_params(char *digest, char *mac, unsigned char *key,
839     size_t keylen, char *salt, char *info)
840 {
841     OSSL_PARAM *params = OPENSSL_malloc(sizeof(OSSL_PARAM) * 7);
842     OSSL_PARAM *p = params;
843
844     *p++ = OSSL_PARAM_construct_utf8_string(
845         OSSL_KDF_PARAM_DIGEST, digest, 0);
846     *p++ = OSSL_PARAM_construct_utf8_string(
847         OSSL_KDF_PARAM_MAC, mac, 0);
848     *p++ = OSSL_PARAM_construct_utf8_string(
849         OSSL_KDF_PARAM_MODE, "COUNTER", 0);
850     *p++ = OSSL_PARAM_construct_octet_string(
851         OSSL_KDF_PARAM_KEY, key, keylen);
852     *p++ = OSSL_PARAM_construct_octet_string(
853         OSSL_KDF_PARAM_SALT, salt, strlen(salt));
854     *p++ = OSSL_PARAM_construct_octet_string(
855         OSSL_KDF_PARAM_INFO, info, strlen(info));
856     *p = OSSL_PARAM_construct_end();
857
858     return params;
859 }
860
861 static int test_kdf_kbkdf_invalid_digest(void)
862 {
863     int ret;
864     EVP_KDF_CTX *kctx;
865     OSSL_PARAM *params;
866
867     static unsigned char key[] = {0x01};
868
869     params = construct_kbkdf_params("blah", "HMAC", key, 1, "prf", "test");
870
871     /* Negative test case - set_params should fail */
872     kctx = get_kdfbyname("KBKDF");
873     ret = TEST_ptr(kctx)
874         && TEST_false(EVP_KDF_CTX_set_params(kctx, params));
875
876     EVP_KDF_CTX_free(kctx);
877     OPENSSL_free(params);
878     return ret;
879 }
880
881 static int test_kdf_kbkdf_invalid_mac(void)
882 {
883     int ret;
884     EVP_KDF_CTX *kctx;
885     OSSL_PARAM *params;
886
887     static unsigned char key[] = {0x01};
888
889     params = construct_kbkdf_params("sha256", "blah", key, 1, "prf", "test");
890
891     /* Negative test case - set_params should fail */
892     kctx = get_kdfbyname("KBKDF");
893     ret = TEST_ptr(kctx)
894         && TEST_false(EVP_KDF_CTX_set_params(kctx, params));
895
896     EVP_KDF_CTX_free(kctx);
897     OPENSSL_free(params);
898     return ret;
899 }
900
901 static int test_kdf_kbkdf_empty_key(void)
902 {
903     int ret;
904     EVP_KDF_CTX *kctx;
905     OSSL_PARAM *params;
906
907     static unsigned char key[] = {0x01};
908     unsigned char result[32] = { 0 };
909
910     params = construct_kbkdf_params("sha256", "HMAC", key, 0, "prf", "test");
911
912     /* Negative test case - derive should fail */
913     kctx = get_kdfbyname("KBKDF");
914     ret = TEST_ptr(kctx)
915         && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
916         && TEST_int_eq(EVP_KDF_derive(kctx, result, sizeof(result)), 0);
917
918     EVP_KDF_CTX_free(kctx);
919     OPENSSL_free(params);
920     return ret;
921 }
922
923 static int test_kdf_kbkdf_1byte_key(void)
924 {
925     int ret;
926     EVP_KDF_CTX *kctx;
927     OSSL_PARAM *params;
928
929     static unsigned char key[] = {0x01};
930     unsigned char result[32] = { 0 };
931
932     params = construct_kbkdf_params("sha256", "HMAC", key, 1, "prf", "test");
933
934     kctx = get_kdfbyname("KBKDF");
935     ret = TEST_ptr(kctx)
936         && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
937         && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result)), 0);
938
939     EVP_KDF_CTX_free(kctx);
940     OPENSSL_free(params);
941     return ret;
942 }
943
944 static int test_kdf_kbkdf_zero_output_size(void)
945 {
946     int ret;
947     EVP_KDF_CTX *kctx;
948     OSSL_PARAM *params;
949
950     static unsigned char key[] = {0x01};
951     unsigned char result[32] = { 0 };
952
953     params = construct_kbkdf_params("sha256", "HMAC", key, 1, "prf", "test");
954
955     /* Negative test case - derive should fail */
956     kctx = get_kdfbyname("KBKDF");
957     ret = TEST_ptr(kctx)
958         && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
959         && TEST_int_eq(EVP_KDF_derive(kctx, result, 0), 0);
960
961     EVP_KDF_CTX_free(kctx);
962     OPENSSL_free(params);
963     return ret;
964 }
965
966 /* Two test vectors from RFC 8009 (AES Encryption with HMAC-SHA2 for Kerberos
967  * 5) appendix A. */
968 static int test_kdf_kbkdf_8009_prf1(void)
969 {
970     int ret, i = 0;
971     EVP_KDF_CTX *kctx;
972     OSSL_PARAM params[6];
973     char *label = "prf", *digest = "sha256", *prf_input = "test",
974         *mac = "HMAC";
975     static unsigned char input_key[] = {
976         0x37, 0x05, 0xD9, 0x60, 0x80, 0xC1, 0x77, 0x28,
977         0xA0, 0xE8, 0x00, 0xEA, 0xB6, 0xE0, 0xD2, 0x3C,
978     };
979     static unsigned char output[] = {
980         0x9D, 0x18, 0x86, 0x16, 0xF6, 0x38, 0x52, 0xFE,
981         0x86, 0x91, 0x5B, 0xB8, 0x40, 0xB4, 0xA8, 0x86,
982         0xFF, 0x3E, 0x6B, 0xB0, 0xF8, 0x19, 0xB4, 0x9B,
983         0x89, 0x33, 0x93, 0xD3, 0x93, 0x85, 0x42, 0x95,
984     };
985     unsigned char result[sizeof(output)] = { 0 };
986
987     params[i++] = OSSL_PARAM_construct_utf8_string(
988         OSSL_KDF_PARAM_DIGEST, digest, 0);
989     params[i++] = OSSL_PARAM_construct_utf8_string(
990         OSSL_KDF_PARAM_MAC, mac, 0);
991     params[i++] = OSSL_PARAM_construct_octet_string(
992         OSSL_KDF_PARAM_KEY, input_key, sizeof(input_key));
993     params[i++] = OSSL_PARAM_construct_octet_string(
994         OSSL_KDF_PARAM_SALT, label, strlen(label));
995     params[i++] = OSSL_PARAM_construct_octet_string(
996         OSSL_KDF_PARAM_INFO, prf_input, strlen(prf_input));
997     params[i] = OSSL_PARAM_construct_end();
998
999     kctx = get_kdfbyname("KBKDF");
1000     ret = TEST_ptr(kctx)
1001         && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
1002         && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result)), 0)
1003         && TEST_mem_eq(result, sizeof(result), output, sizeof(output));
1004
1005     EVP_KDF_CTX_free(kctx);
1006     return ret;
1007 }
1008
1009 static int test_kdf_kbkdf_8009_prf2(void)
1010 {
1011     int ret, i = 0;
1012     EVP_KDF_CTX *kctx;
1013     OSSL_PARAM params[6];
1014     char *label = "prf", *digest = "sha384", *prf_input = "test",
1015         *mac = "HMAC";
1016     static unsigned char input_key[] = {
1017         0x6D, 0x40, 0x4D, 0x37, 0xFA, 0xF7, 0x9F, 0x9D,
1018         0xF0, 0xD3, 0x35, 0x68, 0xD3, 0x20, 0x66, 0x98,
1019         0x00, 0xEB, 0x48, 0x36, 0x47, 0x2E, 0xA8, 0xA0,
1020         0x26, 0xD1, 0x6B, 0x71, 0x82, 0x46, 0x0C, 0x52,
1021     };
1022     static unsigned char output[] = {
1023         0x98, 0x01, 0xF6, 0x9A, 0x36, 0x8C, 0x2B, 0xF6,
1024         0x75, 0xE5, 0x95, 0x21, 0xE1, 0x77, 0xD9, 0xA0,
1025         0x7F, 0x67, 0xEF, 0xE1, 0xCF, 0xDE, 0x8D, 0x3C,
1026         0x8D, 0x6F, 0x6A, 0x02, 0x56, 0xE3, 0xB1, 0x7D,
1027         0xB3, 0xC1, 0xB6, 0x2A, 0xD1, 0xB8, 0x55, 0x33,
1028         0x60, 0xD1, 0x73, 0x67, 0xEB, 0x15, 0x14, 0xD2,
1029     };
1030     unsigned char result[sizeof(output)] = { 0 };
1031
1032     params[i++] = OSSL_PARAM_construct_utf8_string(
1033         OSSL_KDF_PARAM_DIGEST, digest, 0);
1034     params[i++] = OSSL_PARAM_construct_utf8_string(
1035         OSSL_KDF_PARAM_MAC, mac, 0);
1036     params[i++] = OSSL_PARAM_construct_octet_string(
1037         OSSL_KDF_PARAM_KEY, input_key, sizeof(input_key));
1038     params[i++] = OSSL_PARAM_construct_octet_string(
1039         OSSL_KDF_PARAM_SALT, label, strlen(label));
1040     params[i++] = OSSL_PARAM_construct_octet_string(
1041         OSSL_KDF_PARAM_INFO, prf_input, strlen(prf_input));
1042     params[i] = OSSL_PARAM_construct_end();
1043
1044     kctx = get_kdfbyname("KBKDF");
1045     ret = TEST_ptr(kctx)
1046         && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
1047         && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result)), 0)
1048         && TEST_mem_eq(result, sizeof(result), output, sizeof(output));
1049
1050     EVP_KDF_CTX_free(kctx);
1051     return ret;
1052 }
1053
1054 #if !defined(OPENSSL_NO_CMAC)
1055 /*
1056  * Test vector taken from
1057  * https://csrc.nist.gov/CSRC/media/Projects/
1058  *    Cryptographic-Algorithm-Validation-Program/documents/KBKDF800-108/CounterMode.zip
1059  *    Note: Only 32 bit counter is supported ([RLEN=32_BITS])
1060  */
1061 static int test_kdf_kbkdf_fixedinfo(void)
1062 {
1063     int ret;
1064     EVP_KDF_CTX *kctx;
1065     OSSL_PARAM params[8], *p = params;
1066     static char *cipher = "AES128";
1067     static char *mac = "CMAC";
1068     static char *mode = "COUNTER";
1069     int use_l = 0;
1070     int use_separator = 0;
1071
1072     static unsigned char input_key[] = {
1073         0xc1, 0x0b, 0x15, 0x2e, 0x8c, 0x97, 0xb7, 0x7e,
1074         0x18, 0x70, 0x4e, 0x0f, 0x0b, 0xd3, 0x83, 0x05,
1075     };
1076     static unsigned char fixed_input[] = {
1077         0x98, 0xcd, 0x4c, 0xbb, 0xbe, 0xbe, 0x15, 0xd1,
1078         0x7d, 0xc8, 0x6e, 0x6d, 0xba, 0xd8, 0x00, 0xa2,
1079         0xdc, 0xbd, 0x64, 0xf7, 0xc7, 0xad, 0x0e, 0x78,
1080         0xe9, 0xcf, 0x94, 0xff, 0xdb, 0xa8, 0x9d, 0x03,
1081         0xe9, 0x7e, 0xad, 0xf6, 0xc4, 0xf7, 0xb8, 0x06,
1082         0xca, 0xf5, 0x2a, 0xa3, 0x8f, 0x09, 0xd0, 0xeb,
1083         0x71, 0xd7, 0x1f, 0x49, 0x7b, 0xcc, 0x69, 0x06,
1084         0xb4, 0x8d, 0x36, 0xc4,
1085
1086     };
1087     static unsigned char output[] = {
1088         0x26, 0xfa, 0xf6, 0x19, 0x08, 0xad, 0x9e, 0xe8,
1089         0x81, 0xb8, 0x30, 0x5c, 0x22, 0x1d, 0xb5, 0x3f,
1090     };
1091     unsigned char result[sizeof(output)] = { 0 };
1092
1093     *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_CIPHER, cipher, 0);
1094     *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MAC, mac, 0);
1095     *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MODE, mode, 0);
1096     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, input_key,
1097                                              sizeof(input_key));
1098     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO,
1099                                              fixed_input, sizeof(fixed_input));
1100     *p++ = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_KBKDF_USE_L, &use_l);
1101     *p++ = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_KBKDF_USE_SEPARATOR,
1102                                     &use_separator);
1103     *p = OSSL_PARAM_construct_end();
1104
1105     kctx = get_kdfbyname("KBKDF");
1106     ret = TEST_ptr(kctx)
1107         && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
1108         && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result)), 0)
1109         && TEST_mem_eq(result, sizeof(result), output, sizeof(output));
1110
1111     EVP_KDF_CTX_free(kctx);
1112     return ret;
1113 }
1114 #endif /* OPENSSL_NO_CMAC */
1115
1116 static int test_kdf_ss_hmac(void)
1117 {
1118     int ret;
1119     EVP_KDF_CTX *kctx;
1120     OSSL_PARAM params[6], *p = params;
1121     unsigned char out[16];
1122     static unsigned char z[] = {
1123         0xb7,0x4a,0x14,0x9a,0x16,0x15,0x46,0xf8,0xc2,0x0b,0x06,0xac,0x4e,0xd4
1124     };
1125     static unsigned char other[] = {
1126         0x34,0x8a,0x37,0xa2,0x7e,0xf1,0x28,0x2f,0x5f,0x02,0x0d,0xcc
1127     };
1128     static unsigned char salt[] = {
1129         0x36,0x38,0x27,0x1c,0xcd,0x68,0xa2,0x5d,0xc2,0x4e,0xcd,0xdd,0x39,0xef,
1130         0x3f,0x89
1131     };
1132     static const unsigned char expected[sizeof(out)] = {
1133         0x44,0xf6,0x76,0xe8,0x5c,0x1b,0x1a,0x8b,0xbc,0x3d,0x31,0x92,0x18,0x63,
1134         0x1c,0xa3
1135     };
1136
1137     *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MAC,
1138                                             (char *)OSSL_MAC_NAME_HMAC,
1139                                             sizeof(OSSL_MAC_NAME_HMAC));
1140     *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
1141                                             (char *)"sha256", sizeof("sha256"));
1142     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z, sizeof(z));
1143     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, other,
1144                                              sizeof(other));
1145     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT, salt,
1146                                              sizeof(salt));
1147     *p = OSSL_PARAM_construct_end();
1148
1149     ret =
1150         TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SSKDF))
1151         && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
1152         && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
1153         && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
1154
1155     EVP_KDF_CTX_free(kctx);
1156     return ret;
1157 }
1158
1159 static int test_kdf_ss_kmac(void)
1160 {
1161     int ret;
1162     EVP_KDF_CTX *kctx;
1163     OSSL_PARAM params[6], *p = params;
1164     unsigned char out[64];
1165     size_t mac_size = 20;
1166     static unsigned char z[] = {
1167         0xb7,0x4a,0x14,0x9a,0x16,0x15,0x46,0xf8,0xc2,0x0b,0x06,0xac,0x4e,0xd4
1168     };
1169     static unsigned char other[] = {
1170         0x34,0x8a,0x37,0xa2,0x7e,0xf1,0x28,0x2f,0x5f,0x02,0x0d,0xcc
1171     };
1172     static unsigned char salt[] = {
1173         0x36,0x38,0x27,0x1c,0xcd,0x68,0xa2,0x5d,0xc2,0x4e,0xcd,0xdd,0x39,0xef,
1174         0x3f,0x89
1175     };
1176     static const unsigned char expected[sizeof(out)] = {
1177         0xe9,0xc1,0x84,0x53,0xa0,0x62,0xb5,0x3b,0xdb,0xfc,0xbb,0x5a,0x34,0xbd,
1178         0xb8,0xe5,0xe7,0x07,0xee,0xbb,0x5d,0xd1,0x34,0x42,0x43,0xd8,0xcf,0xc2,
1179         0xc2,0xe6,0x33,0x2f,0x91,0xbd,0xa5,0x86,0xf3,0x7d,0xe4,0x8a,0x65,0xd4,
1180         0xc5,0x14,0xfd,0xef,0xaa,0x1e,0x67,0x54,0xf3,0x73,0xd2,0x38,0xe1,0x95,
1181         0xae,0x15,0x7e,0x1d,0xe8,0x14,0x98,0x03
1182     };
1183
1184     *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MAC,
1185                                             (char *)OSSL_MAC_NAME_KMAC128,
1186                                             sizeof(OSSL_MAC_NAME_KMAC128));
1187     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z, sizeof(z));
1188     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, other,
1189                                              sizeof(other));
1190     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT, salt,
1191                                              sizeof(salt));
1192     *p++ = OSSL_PARAM_construct_size_t(OSSL_KDF_PARAM_MAC_SIZE, &mac_size);
1193     *p = OSSL_PARAM_construct_end();
1194
1195     ret =
1196         TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SSKDF))
1197         && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
1198         && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
1199         && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
1200
1201     EVP_KDF_CTX_free(kctx);
1202     return ret;
1203 }
1204
1205 static int test_kdf_sshkdf(void)
1206 {
1207     int ret;
1208     EVP_KDF_CTX *kctx;
1209     OSSL_PARAM params[6], *p = params;
1210     char kdftype = EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV;
1211     unsigned char out[8];
1212     /* Test data from NIST CAVS 14.1 test vectors */
1213     static unsigned char key[] = {
1214         0x00, 0x00, 0x00, 0x81, 0x00, 0x87, 0x5c, 0x55, 0x1c, 0xef, 0x52, 0x6a,
1215         0x4a, 0x8b, 0xe1, 0xa7, 0xdf, 0x27, 0xe9, 0xed, 0x35, 0x4b, 0xac, 0x9a,
1216         0xfb, 0x71, 0xf5, 0x3d, 0xba, 0xe9, 0x05, 0x67, 0x9d, 0x14, 0xf9, 0xfa,
1217         0xf2, 0x46, 0x9c, 0x53, 0x45, 0x7c, 0xf8, 0x0a, 0x36, 0x6b, 0xe2, 0x78,
1218         0x96, 0x5b, 0xa6, 0x25, 0x52, 0x76, 0xca, 0x2d, 0x9f, 0x4a, 0x97, 0xd2,
1219         0x71, 0xf7, 0x1e, 0x50, 0xd8, 0xa9, 0xec, 0x46, 0x25, 0x3a, 0x6a, 0x90,
1220         0x6a, 0xc2, 0xc5, 0xe4, 0xf4, 0x8b, 0x27, 0xa6, 0x3c, 0xe0, 0x8d, 0x80,
1221         0x39, 0x0a, 0x49, 0x2a, 0xa4, 0x3b, 0xad, 0x9d, 0x88, 0x2c, 0xca, 0xc2,
1222         0x3d, 0xac, 0x88, 0xbc, 0xad, 0xa4, 0xb4, 0xd4, 0x26, 0xa3, 0x62, 0x08,
1223         0x3d, 0xab, 0x65, 0x69, 0xc5, 0x4c, 0x22, 0x4d, 0xd2, 0xd8, 0x76, 0x43,
1224         0xaa, 0x22, 0x76, 0x93, 0xe1, 0x41, 0xad, 0x16, 0x30, 0xce, 0x13, 0x14,
1225         0x4e
1226     };
1227     static unsigned char xcghash[] = {
1228         0x0e, 0x68, 0x3f, 0xc8, 0xa9, 0xed, 0x7c, 0x2f, 0xf0, 0x2d, 0xef, 0x23,
1229         0xb2, 0x74, 0x5e, 0xbc, 0x99, 0xb2, 0x67, 0xda, 0xa8, 0x6a, 0x4a, 0xa7,
1230         0x69, 0x72, 0x39, 0x08, 0x82, 0x53, 0xf6, 0x42
1231     };
1232     static unsigned char sessid[] = {
1233         0x0e, 0x68, 0x3f, 0xc8, 0xa9, 0xed, 0x7c, 0x2f, 0xf0, 0x2d, 0xef, 0x23,
1234         0xb2, 0x74, 0x5e, 0xbc, 0x99, 0xb2, 0x67, 0xda, 0xa8, 0x6a, 0x4a, 0xa7,
1235         0x69, 0x72, 0x39, 0x08, 0x82, 0x53, 0xf6, 0x42
1236     };
1237     static const unsigned char expected[sizeof(out)] = {
1238         0x41, 0xff, 0x2e, 0xad, 0x16, 0x83, 0xf1, 0xe6
1239     };
1240
1241     *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
1242                                             (char *)"sha256", sizeof("sha256"));
1243     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, key,
1244                                              sizeof(key));
1245     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SSHKDF_XCGHASH,
1246                                              xcghash, sizeof(xcghash));
1247     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SSHKDF_SESSION_ID,
1248                                              sessid, sizeof(sessid));
1249     *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_SSHKDF_TYPE,
1250                                             &kdftype, sizeof(kdftype));
1251     *p = OSSL_PARAM_construct_end();
1252
1253     ret =
1254         TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SSHKDF))
1255         && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
1256         && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
1257         && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
1258
1259     EVP_KDF_CTX_free(kctx);
1260     return ret;
1261 }
1262
1263 static int test_kdf_get_kdf(void)
1264 {
1265     EVP_KDF *kdf1 = NULL, *kdf2 = NULL;
1266     ASN1_OBJECT *obj;
1267     int ok = 1;
1268
1269     if (!TEST_ptr(obj = OBJ_nid2obj(NID_id_pbkdf2))
1270         || !TEST_ptr(kdf1 = EVP_KDF_fetch(NULL, OSSL_KDF_NAME_PBKDF2, NULL))
1271         || !TEST_ptr(kdf2 = EVP_KDF_fetch(NULL, OBJ_nid2sn(OBJ_obj2nid(obj)),
1272                                           NULL))
1273         || !TEST_ptr_eq(kdf1, kdf2))
1274         ok = 0;
1275     EVP_KDF_free(kdf1);
1276     kdf1 = NULL;
1277     EVP_KDF_free(kdf2);
1278     kdf2 = NULL;
1279
1280     if (!TEST_ptr(kdf1 = EVP_KDF_fetch(NULL, SN_tls1_prf, NULL))
1281         || !TEST_ptr(kdf2 = EVP_KDF_fetch(NULL, LN_tls1_prf, NULL))
1282         || !TEST_ptr_eq(kdf1, kdf2))
1283         ok = 0;
1284     /* kdf1 is re-used below, so don't free it here */
1285     EVP_KDF_free(kdf2);
1286     kdf2 = NULL;
1287
1288     if (!TEST_ptr(kdf2 = EVP_KDF_fetch(NULL, OBJ_nid2sn(NID_tls1_prf), NULL))
1289         || !TEST_ptr_eq(kdf1, kdf2))
1290         ok = 0;
1291     EVP_KDF_free(kdf1);
1292     kdf1 = NULL;
1293     EVP_KDF_free(kdf2);
1294     kdf2 = NULL;
1295
1296     return ok;
1297 }
1298
1299 #ifndef OPENSSL_NO_CMS
1300 static int test_kdf_x942_asn1(void)
1301 {
1302     int ret;
1303     EVP_KDF_CTX *kctx = NULL;
1304     OSSL_PARAM params[4], *p = params;
1305     const char *cek_alg = SN_id_smime_alg_CMS3DESwrap;
1306     unsigned char out[24];
1307     /* RFC2631 Section 2.1.6 Test data */
1308     static unsigned char z[] = {
1309         0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,
1310         0x0e,0x0f,0x10,0x11,0x12,0x13
1311     };
1312     static const unsigned char expected[sizeof(out)] = {
1313         0xa0,0x96,0x61,0x39,0x23,0x76,0xf7,0x04,
1314         0x4d,0x90,0x52,0xa3,0x97,0x88,0x32,0x46,
1315         0xb6,0x7f,0x5f,0x1e,0xf6,0x3e,0xb5,0xfb
1316     };
1317
1318     *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
1319                                             (char *)"sha1", 0);
1320     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z,
1321                                              sizeof(z));
1322     *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_CEK_ALG,
1323                                             (char *)cek_alg, 0);
1324     *p = OSSL_PARAM_construct_end();
1325
1326     ret =
1327         TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_X942KDF_ASN1))
1328         && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
1329         && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
1330         && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
1331
1332     EVP_KDF_CTX_free(kctx);
1333     return ret;
1334 }
1335 #endif /* OPENSSL_NO_CMS */
1336
1337 static int test_kdf_krb5kdf(void)
1338 {
1339     int ret;
1340     EVP_KDF_CTX *kctx;
1341     OSSL_PARAM params[4], *p = params;
1342     unsigned char out[16];
1343     static unsigned char key[] = {
1344         0x42, 0x26, 0x3C, 0x6E, 0x89, 0xF4, 0xFC, 0x28,
1345         0xB8, 0xDF, 0x68, 0xEE, 0x09, 0x79, 0x9F, 0x15
1346     };
1347     static unsigned char constant[] = {
1348         0x00, 0x00, 0x00, 0x02, 0x99
1349     };
1350     static const unsigned char expected[sizeof(out)] = {
1351         0x34, 0x28, 0x0A, 0x38, 0x2B, 0xC9, 0x27, 0x69,
1352         0xB2, 0xDA, 0x2F, 0x9E, 0xF0, 0x66, 0x85, 0x4B
1353     };
1354
1355     *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_CIPHER,
1356                                             (char *)"AES-128-CBC",
1357                                             sizeof("AES-128-CBC"));
1358     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, key,
1359                                              sizeof(key));
1360     *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_CONSTANT,
1361                                              constant, sizeof(constant));
1362     *p = OSSL_PARAM_construct_end();
1363
1364     ret =
1365         TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_KRB5KDF))
1366         && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
1367         && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
1368         && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
1369
1370     EVP_KDF_CTX_free(kctx);
1371     return ret;
1372 }
1373
1374 int setup_tests(void)
1375 {
1376 #if !defined(OPENSSL_NO_CMAC) && !defined(OPENSSL_NO_CAMELLIA)
1377     ADD_TEST(test_kdf_kbkdf_6803_128);
1378     ADD_TEST(test_kdf_kbkdf_6803_256);
1379 #endif
1380     ADD_TEST(test_kdf_kbkdf_invalid_digest);
1381     ADD_TEST(test_kdf_kbkdf_invalid_mac);
1382     ADD_TEST(test_kdf_kbkdf_zero_output_size);
1383     ADD_TEST(test_kdf_kbkdf_empty_key);
1384     ADD_TEST(test_kdf_kbkdf_1byte_key);
1385     ADD_TEST(test_kdf_kbkdf_8009_prf1);
1386     ADD_TEST(test_kdf_kbkdf_8009_prf2);
1387 #if !defined(OPENSSL_NO_CMAC)
1388     ADD_TEST(test_kdf_kbkdf_fixedinfo);
1389 #endif
1390     ADD_TEST(test_kdf_get_kdf);
1391     ADD_TEST(test_kdf_tls1_prf);
1392     ADD_TEST(test_kdf_tls1_prf_invalid_digest);
1393     ADD_TEST(test_kdf_tls1_prf_zero_output_size);
1394     ADD_TEST(test_kdf_tls1_prf_empty_secret);
1395     ADD_TEST(test_kdf_tls1_prf_1byte_secret);
1396     ADD_TEST(test_kdf_tls1_prf_empty_seed);
1397     ADD_TEST(test_kdf_tls1_prf_1byte_seed);
1398     ADD_TEST(test_kdf_hkdf);
1399     ADD_TEST(test_kdf_hkdf_invalid_digest);
1400     ADD_TEST(test_kdf_hkdf_zero_output_size);
1401     ADD_TEST(test_kdf_hkdf_empty_key);
1402     ADD_TEST(test_kdf_hkdf_1byte_key);
1403     ADD_TEST(test_kdf_hkdf_empty_salt);
1404     ADD_TEST(test_kdf_pbkdf2);
1405     ADD_TEST(test_kdf_pbkdf2_small_output);
1406     ADD_TEST(test_kdf_pbkdf2_large_output);
1407     ADD_TEST(test_kdf_pbkdf2_small_salt);
1408     ADD_TEST(test_kdf_pbkdf2_small_iterations);
1409     ADD_TEST(test_kdf_pbkdf2_small_salt_pkcs5);
1410     ADD_TEST(test_kdf_pbkdf2_small_iterations_pkcs5);
1411     ADD_TEST(test_kdf_pbkdf2_invalid_digest);
1412 #ifndef OPENSSL_NO_SCRYPT
1413     ADD_TEST(test_kdf_scrypt);
1414 #endif
1415     ADD_TEST(test_kdf_ss_hash);
1416     ADD_TEST(test_kdf_ss_hmac);
1417     ADD_TEST(test_kdf_ss_kmac);
1418     ADD_TEST(test_kdf_sshkdf);
1419     ADD_TEST(test_kdf_x963);
1420 #ifndef OPENSSL_NO_CMS
1421     ADD_TEST(test_kdf_x942_asn1);
1422 #endif
1423     ADD_TEST(test_kdf_krb5kdf);
1424     return 1;
1425 }