2 * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright (c) 2018-2019, Oracle and/or its affiliates. All rights reserved.
5 * Licensed under the Apache License 2.0 (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
11 /* Tests of the EVP_KDF_CTX APIs */
16 #include <openssl/evp.h>
17 #include <openssl/kdf.h>
18 #include <openssl/core_names.h>
21 static EVP_KDF_CTX *get_kdfbyname(const char *name)
23 EVP_KDF *kdf = EVP_KDF_fetch(NULL, name, NULL);
24 EVP_KDF_CTX *kctx = EVP_KDF_CTX_new(kdf);
30 static int test_kdf_tls1_prf(void)
33 EVP_KDF_CTX *kctx = NULL;
34 unsigned char out[16];
35 OSSL_PARAM params[4], *p = params;
36 static const unsigned char expected[sizeof(out)] = {
37 0x8e, 0x4d, 0x93, 0x25, 0x30, 0xd7, 0x65, 0xa0,
38 0xaa, 0xe9, 0x74, 0xc3, 0x04, 0x73, 0x5e, 0xcc
41 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
42 (char *)"sha256", sizeof("sha256"));
43 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SECRET,
44 (unsigned char *)"secret",
46 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED,
47 (unsigned char *)"seed",
49 *p = OSSL_PARAM_construct_end();
52 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
53 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
54 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
55 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
57 EVP_KDF_CTX_free(kctx);
61 static int test_kdf_hkdf(void)
65 unsigned char out[10];
66 OSSL_PARAM params[5], *p = params;
67 static const unsigned char expected[sizeof(out)] = {
68 0x2a, 0xc4, 0x36, 0x9f, 0x52, 0x59, 0x96, 0xf8, 0xde, 0x13
71 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
72 (char *)"sha256", sizeof("sha256"));
73 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
74 (unsigned char *)"salt", 4);
75 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
76 (unsigned char *)"secret", 6);
77 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO,
78 (unsigned char *)"label", 5);
79 *p = OSSL_PARAM_construct_end();
82 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))
83 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
84 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
85 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
87 EVP_KDF_CTX_free(kctx);
91 static int test_kdf_pbkdf2(void)
95 unsigned char out[25];
97 unsigned int iterations = 4096;
99 OSSL_PARAM params[6], *p = params;
100 const unsigned char expected[sizeof(out)] = {
101 0x34, 0x8c, 0x89, 0xdb, 0xcb, 0xd3, 0x2b, 0x2f,
102 0x32, 0xd8, 0x14, 0xb8, 0x11, 0x6e, 0x84, 0xcf,
103 0x2b, 0x17, 0x34, 0x7e, 0xbc, 0x18, 0x00, 0x18,
107 if (sizeof(len) > 32)
110 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PASSWORD,
112 "passwordPASSWORDpassword", 24);
113 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
115 "saltSALTsaltSALTsaltSALTsaltSALTsalt",
117 *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_ITER, &iterations);
118 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
119 (char *)"sha256", 7);
120 *p++ = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_PKCS5, &mode);
121 *p = OSSL_PARAM_construct_end();
123 if (!TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
124 || !TEST_true(EVP_KDF_CTX_set_params(kctx, params))
125 || !TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
126 || !TEST_mem_eq(out, sizeof(out), expected, sizeof(expected))
127 || !TEST_true(EVP_KDF_CTX_set_params(kctx, params))
128 /* A key length that is too small should fail */
129 || !TEST_int_eq(EVP_KDF_derive(kctx, out, 112 / 8 - 1), 0)
130 /* A key length that is too large should fail */
131 || (len != 0 && !TEST_int_eq(EVP_KDF_derive(kctx, out, len), 0)))
135 /* Salt length less than 128 bits should fail */
136 || TEST_int_eq(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT,
139 /* A small iteration count should fail */
140 || TEST_int_eq(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_ITER, 1), 0)
141 || TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PBKDF2_PKCS5_MODE,
143 /* Small salts will pass if the "pkcs5" mode is enabled */
144 || TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT,
147 /* A small iteration count will pass if "pkcs5" mode is enabled */
148 || TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_ITER, 1), 0)
150 * If the "pkcs5" mode is disabled then the small salt and iter will
151 * fail when the derive gets called.
153 || TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PBKDF2_PKCS5_MODE,
155 || TEST_int_eq(EVP_KDF_derive(kctx, out, sizeof(out)), 0);
159 EVP_KDF_CTX_free(kctx);
163 #ifndef OPENSSL_NO_SCRYPT
164 static int test_kdf_scrypt(void)
168 OSSL_PARAM params[7], *p = params;
169 unsigned char out[64];
170 unsigned int nu = 1024, ru = 8, pu = 16, maxmem = 16;
171 static const unsigned char expected[sizeof(out)] = {
172 0xfd, 0xba, 0xbe, 0x1c, 0x9d, 0x34, 0x72, 0x00,
173 0x78, 0x56, 0xe7, 0x19, 0x0d, 0x01, 0xe9, 0xfe,
174 0x7c, 0x6a, 0xd7, 0xcb, 0xc8, 0x23, 0x78, 0x30,
175 0xe7, 0x73, 0x76, 0x63, 0x4b, 0x37, 0x31, 0x62,
176 0x2e, 0xaf, 0x30, 0xd9, 0x2e, 0x22, 0xa3, 0x88,
177 0x6f, 0xf1, 0x09, 0x27, 0x9d, 0x98, 0x30, 0xda,
178 0xc7, 0x27, 0xaf, 0xb9, 0x4a, 0x83, 0xee, 0x6d,
179 0x83, 0x60, 0xcb, 0xdf, 0xa2, 0xcc, 0x06, 0x40
182 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PASSWORD,
183 (char *)"password", 8);
184 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
186 *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_SCRYPT_N, &nu);
187 *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_SCRYPT_R, &ru);
188 *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_SCRYPT_P, &pu);
189 *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_SCRYPT_MAXMEM, &maxmem);
190 *p = OSSL_PARAM_construct_end();
193 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SCRYPT))
194 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
196 && TEST_int_le(EVP_KDF_derive(kctx, out, sizeof(out)), 0)*/
197 && TEST_true(OSSL_PARAM_set_uint(p - 1, 10 * 1024 * 1024))
198 && TEST_true(EVP_KDF_CTX_set_params(kctx, p - 1))
199 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
200 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
202 EVP_KDF_CTX_free(kctx);
205 #endif /* OPENSSL_NO_SCRYPT */
207 static int test_kdf_ss_hash(void)
211 OSSL_PARAM params[4], *p = params;
212 unsigned char out[14];
213 static unsigned char z[] = {
214 0x6d,0xbd,0xc2,0x3f,0x04,0x54,0x88,0xe4,0x06,0x27,0x57,0xb0,0x6b,0x9e,
215 0xba,0xe1,0x83,0xfc,0x5a,0x59,0x46,0xd8,0x0d,0xb9,0x3f,0xec,0x6f,0x62,
216 0xec,0x07,0xe3,0x72,0x7f,0x01,0x26,0xae,0xd1,0x2c,0xe4,0xb2,0x62,0xf4,
217 0x7d,0x48,0xd5,0x42,0x87,0xf8,0x1d,0x47,0x4c,0x7c,0x3b,0x18,0x50,0xe9
219 static unsigned char other[] = {
220 0xa1,0xb2,0xc3,0xd4,0xe5,0x43,0x41,0x56,0x53,0x69,0x64,0x3c,0x83,0x2e,
221 0x98,0x49,0xdc,0xdb,0xa7,0x1e,0x9a,0x31,0x39,0xe6,0x06,0xe0,0x95,0xde,
222 0x3c,0x26,0x4a,0x66,0xe9,0x8a,0x16,0x58,0x54,0xcd,0x07,0x98,0x9b,0x1e,
223 0xe0,0xec,0x3f,0x8d,0xbe
225 static const unsigned char expected[sizeof(out)] = {
226 0xa4,0x62,0xde,0x16,0xa8,0x9d,0xe8,0x46,0x6e,0xf5,0x46,0x0b,0x47,0xb8
229 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
230 (char *)"sha224", sizeof("sha224"));
231 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z, sizeof(z));
232 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, other,
234 *p = OSSL_PARAM_construct_end();
237 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SSKDF))
238 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
239 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
240 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
242 EVP_KDF_CTX_free(kctx);
246 static int test_kdf_x963(void)
250 OSSL_PARAM params[4], *p = params;
251 unsigned char out[1024 / 8];
253 * Test data from https://csrc.nist.gov/CSRC/media/Projects/
254 * Cryptographic-Algorithm-Validation-Program/documents/components/
255 * 800-135testvectors/ansx963_2001.zip
257 static unsigned char z[] = {
258 0x00, 0xaa, 0x5b, 0xb7, 0x9b, 0x33, 0xe3, 0x89, 0xfa, 0x58, 0xce, 0xad,
259 0xc0, 0x47, 0x19, 0x7f, 0x14, 0xe7, 0x37, 0x12, 0xf4, 0x52, 0xca, 0xa9,
260 0xfc, 0x4c, 0x9a, 0xdb, 0x36, 0x93, 0x48, 0xb8, 0x15, 0x07, 0x39, 0x2f,
261 0x1a, 0x86, 0xdd, 0xfd, 0xb7, 0xc4, 0xff, 0x82, 0x31, 0xc4, 0xbd, 0x0f,
262 0x44, 0xe4, 0x4a, 0x1b, 0x55, 0xb1, 0x40, 0x47, 0x47, 0xa9, 0xe2, 0xe7,
263 0x53, 0xf5, 0x5e, 0xf0, 0x5a, 0x2d
265 static unsigned char shared[] = {
266 0xe3, 0xb5, 0xb4, 0xc1, 0xb0, 0xd5, 0xcf, 0x1d, 0x2b, 0x3a, 0x2f, 0x99,
267 0x37, 0x89, 0x5d, 0x31
269 static const unsigned char expected[sizeof(out)] = {
270 0x44, 0x63, 0xf8, 0x69, 0xf3, 0xcc, 0x18, 0x76, 0x9b, 0x52, 0x26, 0x4b,
271 0x01, 0x12, 0xb5, 0x85, 0x8f, 0x7a, 0xd3, 0x2a, 0x5a, 0x2d, 0x96, 0xd8,
272 0xcf, 0xfa, 0xbf, 0x7f, 0xa7, 0x33, 0x63, 0x3d, 0x6e, 0x4d, 0xd2, 0xa5,
273 0x99, 0xac, 0xce, 0xb3, 0xea, 0x54, 0xa6, 0x21, 0x7c, 0xe0, 0xb5, 0x0e,
274 0xef, 0x4f, 0x6b, 0x40, 0xa5, 0xc3, 0x02, 0x50, 0xa5, 0xa8, 0xee, 0xee,
275 0x20, 0x80, 0x02, 0x26, 0x70, 0x89, 0xdb, 0xf3, 0x51, 0xf3, 0xf5, 0x02,
276 0x2a, 0xa9, 0x63, 0x8b, 0xf1, 0xee, 0x41, 0x9d, 0xea, 0x9c, 0x4f, 0xf7,
277 0x45, 0xa2, 0x5a, 0xc2, 0x7b, 0xda, 0x33, 0xca, 0x08, 0xbd, 0x56, 0xdd,
278 0x1a, 0x59, 0xb4, 0x10, 0x6c, 0xf2, 0xdb, 0xbc, 0x0a, 0xb2, 0xaa, 0x8e,
279 0x2e, 0xfa, 0x7b, 0x17, 0x90, 0x2d, 0x34, 0x27, 0x69, 0x51, 0xce, 0xcc,
280 0xab, 0x87, 0xf9, 0x66, 0x1c, 0x3e, 0x88, 0x16
283 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
284 (char *)"sha512", sizeof("sha512"));
285 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z, sizeof(z));
286 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, shared,
288 *p = OSSL_PARAM_construct_end();
291 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_X963KDF))
292 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
293 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
294 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
296 EVP_KDF_CTX_free(kctx);
300 #if !defined(OPENSSL_NO_CMAC) && !defined(OPENSSL_NO_CAMELLIA)
302 * KBKDF test vectors from RFC 6803 (Camellia Encryption for Kerberos 5)
305 static int test_kdf_kbkdf_6803_128(void)
309 OSSL_PARAM params[7];
310 static unsigned char input_key[] = {
311 0x57, 0xD0, 0x29, 0x72, 0x98, 0xFF, 0xD9, 0xD3,
312 0x5D, 0xE5, 0xA4, 0x7F, 0xB4, 0xBD, 0xE2, 0x4B,
314 static unsigned char constants[][5] = {
315 { 0x00, 0x00, 0x00, 0x02, 0x99 },
316 { 0x00, 0x00, 0x00, 0x02, 0xaa },
317 { 0x00, 0x00, 0x00, 0x02, 0x55 },
319 static unsigned char outputs[][16] = {
320 {0xD1, 0x55, 0x77, 0x5A, 0x20, 0x9D, 0x05, 0xF0,
321 0x2B, 0x38, 0xD4, 0x2A, 0x38, 0x9E, 0x5A, 0x56},
322 {0x64, 0xDF, 0x83, 0xF8, 0x5A, 0x53, 0x2F, 0x17,
323 0x57, 0x7D, 0x8C, 0x37, 0x03, 0x57, 0x96, 0xAB},
324 {0x3E, 0x4F, 0xBD, 0xF3, 0x0F, 0xB8, 0x25, 0x9C,
325 0x42, 0x5C, 0xB6, 0xC9, 0x6F, 0x1F, 0x46, 0x35}
327 static unsigned char iv[16] = { 0 };
328 unsigned char result[16] = { 0 };
330 for (i = 0; i < 3; i++) {
332 params[p++] = OSSL_PARAM_construct_utf8_string(
333 OSSL_KDF_PARAM_CIPHER, "CAMELLIA-128-CBC", 0);
334 params[p++] = OSSL_PARAM_construct_utf8_string(
335 OSSL_KDF_PARAM_MAC, "CMAC", 0);
336 params[p++] = OSSL_PARAM_construct_utf8_string(
337 OSSL_KDF_PARAM_MODE, "FEEDBACK", 0);
338 params[p++] = OSSL_PARAM_construct_octet_string(
339 OSSL_KDF_PARAM_KEY, input_key, sizeof(input_key));
340 params[p++] = OSSL_PARAM_construct_octet_string(
341 OSSL_KDF_PARAM_SALT, constants[i], sizeof(constants[i]));
342 params[p++] = OSSL_PARAM_construct_octet_string(
343 OSSL_KDF_PARAM_SEED, iv, sizeof(iv));
344 params[p] = OSSL_PARAM_construct_end();
346 kctx = get_kdfbyname("KBKDF");
348 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
349 && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result)), 0)
350 && TEST_mem_eq(result, sizeof(result), outputs[i],
352 EVP_KDF_CTX_free(kctx);
360 static int test_kdf_kbkdf_6803_256(void)
364 OSSL_PARAM params[7];
365 static unsigned char input_key[] = {
366 0xB9, 0xD6, 0x82, 0x8B, 0x20, 0x56, 0xB7, 0xBE,
367 0x65, 0x6D, 0x88, 0xA1, 0x23, 0xB1, 0xFA, 0xC6,
368 0x82, 0x14, 0xAC, 0x2B, 0x72, 0x7E, 0xCF, 0x5F,
369 0x69, 0xAF, 0xE0, 0xC4, 0xDF, 0x2A, 0x6D, 0x2C,
371 static unsigned char constants[][5] = {
372 { 0x00, 0x00, 0x00, 0x02, 0x99 },
373 { 0x00, 0x00, 0x00, 0x02, 0xaa },
374 { 0x00, 0x00, 0x00, 0x02, 0x55 },
376 static unsigned char outputs[][32] = {
377 {0xE4, 0x67, 0xF9, 0xA9, 0x55, 0x2B, 0xC7, 0xD3,
378 0x15, 0x5A, 0x62, 0x20, 0xAF, 0x9C, 0x19, 0x22,
379 0x0E, 0xEE, 0xD4, 0xFF, 0x78, 0xB0, 0xD1, 0xE6,
380 0xA1, 0x54, 0x49, 0x91, 0x46, 0x1A, 0x9E, 0x50,
382 {0x41, 0x2A, 0xEF, 0xC3, 0x62, 0xA7, 0x28, 0x5F,
383 0xC3, 0x96, 0x6C, 0x6A, 0x51, 0x81, 0xE7, 0x60,
384 0x5A, 0xE6, 0x75, 0x23, 0x5B, 0x6D, 0x54, 0x9F,
385 0xBF, 0xC9, 0xAB, 0x66, 0x30, 0xA4, 0xC6, 0x04,
387 {0xFA, 0x62, 0x4F, 0xA0, 0xE5, 0x23, 0x99, 0x3F,
388 0xA3, 0x88, 0xAE, 0xFD, 0xC6, 0x7E, 0x67, 0xEB,
389 0xCD, 0x8C, 0x08, 0xE8, 0xA0, 0x24, 0x6B, 0x1D,
390 0x73, 0xB0, 0xD1, 0xDD, 0x9F, 0xC5, 0x82, 0xB0,
393 static unsigned char iv[16] = { 0 };
394 unsigned char result[32] = { 0 };
396 for (i = 0; i < 3; i++) {
398 params[p++] = OSSL_PARAM_construct_utf8_string(
399 OSSL_KDF_PARAM_CIPHER, "CAMELLIA-256-CBC", 0);
400 params[p++] = OSSL_PARAM_construct_utf8_string(
401 OSSL_KDF_PARAM_MAC, "CMAC", 0);
402 params[p++] = OSSL_PARAM_construct_utf8_string(
403 OSSL_KDF_PARAM_MODE, "FEEDBACK", 0);
404 params[p++] = OSSL_PARAM_construct_octet_string(
405 OSSL_KDF_PARAM_KEY, input_key, sizeof(input_key));
406 params[p++] = OSSL_PARAM_construct_octet_string(
407 OSSL_KDF_PARAM_SALT, constants[i], sizeof(constants[i]));
408 params[p++] = OSSL_PARAM_construct_octet_string(
409 OSSL_KDF_PARAM_SEED, iv, sizeof(iv));
410 params[p] = OSSL_PARAM_construct_end();
412 kctx = get_kdfbyname("KBKDF");
414 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
415 && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result)), 0)
416 && TEST_mem_eq(result, sizeof(result), outputs[i],
418 EVP_KDF_CTX_free(kctx);
427 /* Two test vectors from RFC 8009 (AES Encryption with HMAC-SHA2 for Kerberos
429 static int test_kdf_kbkdf_8009_prf1(void)
433 OSSL_PARAM params[6];
434 char *label = "prf", *digest = "sha256", *prf_input = "test",
436 static unsigned char input_key[] = {
437 0x37, 0x05, 0xD9, 0x60, 0x80, 0xC1, 0x77, 0x28,
438 0xA0, 0xE8, 0x00, 0xEA, 0xB6, 0xE0, 0xD2, 0x3C,
440 static unsigned char output[] = {
441 0x9D, 0x18, 0x86, 0x16, 0xF6, 0x38, 0x52, 0xFE,
442 0x86, 0x91, 0x5B, 0xB8, 0x40, 0xB4, 0xA8, 0x86,
443 0xFF, 0x3E, 0x6B, 0xB0, 0xF8, 0x19, 0xB4, 0x9B,
444 0x89, 0x33, 0x93, 0xD3, 0x93, 0x85, 0x42, 0x95,
446 unsigned char result[sizeof(output)] = { 0 };
448 params[i++] = OSSL_PARAM_construct_utf8_string(
449 OSSL_KDF_PARAM_DIGEST, digest, strlen(digest) + 1);
450 params[i++] = OSSL_PARAM_construct_utf8_string(
451 OSSL_KDF_PARAM_MAC, mac, strlen(mac) + 1);
452 params[i++] = OSSL_PARAM_construct_octet_string(
453 OSSL_KDF_PARAM_KEY, input_key, sizeof(input_key));
454 params[i++] = OSSL_PARAM_construct_octet_string(
455 OSSL_KDF_PARAM_SALT, label, strlen(label));
456 params[i++] = OSSL_PARAM_construct_octet_string(
457 OSSL_KDF_PARAM_INFO, prf_input, strlen(prf_input));
458 params[i] = OSSL_PARAM_construct_end();
460 kctx = get_kdfbyname("KBKDF");
462 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
463 && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result)), 0)
464 && TEST_mem_eq(result, sizeof(result), output, sizeof(output));
466 EVP_KDF_CTX_free(kctx);
470 static int test_kdf_kbkdf_8009_prf2(void)
474 OSSL_PARAM params[6];
475 char *label = "prf", *digest = "sha384", *prf_input = "test",
477 static unsigned char input_key[] = {
478 0x6D, 0x40, 0x4D, 0x37, 0xFA, 0xF7, 0x9F, 0x9D,
479 0xF0, 0xD3, 0x35, 0x68, 0xD3, 0x20, 0x66, 0x98,
480 0x00, 0xEB, 0x48, 0x36, 0x47, 0x2E, 0xA8, 0xA0,
481 0x26, 0xD1, 0x6B, 0x71, 0x82, 0x46, 0x0C, 0x52,
483 static unsigned char output[] = {
484 0x98, 0x01, 0xF6, 0x9A, 0x36, 0x8C, 0x2B, 0xF6,
485 0x75, 0xE5, 0x95, 0x21, 0xE1, 0x77, 0xD9, 0xA0,
486 0x7F, 0x67, 0xEF, 0xE1, 0xCF, 0xDE, 0x8D, 0x3C,
487 0x8D, 0x6F, 0x6A, 0x02, 0x56, 0xE3, 0xB1, 0x7D,
488 0xB3, 0xC1, 0xB6, 0x2A, 0xD1, 0xB8, 0x55, 0x33,
489 0x60, 0xD1, 0x73, 0x67, 0xEB, 0x15, 0x14, 0xD2,
491 unsigned char result[sizeof(output)] = { 0 };
493 params[i++] = OSSL_PARAM_construct_utf8_string(
494 OSSL_KDF_PARAM_DIGEST, digest, strlen(digest) + 1);
495 params[i++] = OSSL_PARAM_construct_utf8_string(
496 OSSL_KDF_PARAM_MAC, mac, strlen(mac) + 1);
497 params[i++] = OSSL_PARAM_construct_octet_string(
498 OSSL_KDF_PARAM_KEY, input_key, sizeof(input_key));
499 params[i++] = OSSL_PARAM_construct_octet_string(
500 OSSL_KDF_PARAM_SALT, label, strlen(label));
501 params[i++] = OSSL_PARAM_construct_octet_string(
502 OSSL_KDF_PARAM_INFO, prf_input, strlen(prf_input));
503 params[i] = OSSL_PARAM_construct_end();
505 kctx = get_kdfbyname("KBKDF");
507 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
508 && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result)), 0)
509 && TEST_mem_eq(result, sizeof(result), output, sizeof(output));
511 EVP_KDF_CTX_free(kctx);
515 static int test_kdf_ss_hmac(void)
519 OSSL_PARAM params[6], *p = params;
520 unsigned char out[16];
521 static unsigned char z[] = {
522 0xb7,0x4a,0x14,0x9a,0x16,0x15,0x46,0xf8,0xc2,0x0b,0x06,0xac,0x4e,0xd4
524 static unsigned char other[] = {
525 0x34,0x8a,0x37,0xa2,0x7e,0xf1,0x28,0x2f,0x5f,0x02,0x0d,0xcc
527 static unsigned char salt[] = {
528 0x36,0x38,0x27,0x1c,0xcd,0x68,0xa2,0x5d,0xc2,0x4e,0xcd,0xdd,0x39,0xef,
531 static const unsigned char expected[sizeof(out)] = {
532 0x44,0xf6,0x76,0xe8,0x5c,0x1b,0x1a,0x8b,0xbc,0x3d,0x31,0x92,0x18,0x63,
536 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MAC,
537 (char *)OSSL_MAC_NAME_HMAC,
538 sizeof(OSSL_MAC_NAME_HMAC));
539 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
540 (char *)"sha256", sizeof("sha256"));
541 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z, sizeof(z));
542 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, other,
544 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT, salt,
546 *p = OSSL_PARAM_construct_end();
549 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SSKDF))
550 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
551 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
552 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
554 EVP_KDF_CTX_free(kctx);
558 static int test_kdf_ss_kmac(void)
562 OSSL_PARAM params[6], *p = params;
563 unsigned char out[64];
564 size_t mac_size = 20;
565 static unsigned char z[] = {
566 0xb7,0x4a,0x14,0x9a,0x16,0x15,0x46,0xf8,0xc2,0x0b,0x06,0xac,0x4e,0xd4
568 static unsigned char other[] = {
569 0x34,0x8a,0x37,0xa2,0x7e,0xf1,0x28,0x2f,0x5f,0x02,0x0d,0xcc
571 static unsigned char salt[] = {
572 0x36,0x38,0x27,0x1c,0xcd,0x68,0xa2,0x5d,0xc2,0x4e,0xcd,0xdd,0x39,0xef,
575 static const unsigned char expected[sizeof(out)] = {
576 0xe9,0xc1,0x84,0x53,0xa0,0x62,0xb5,0x3b,0xdb,0xfc,0xbb,0x5a,0x34,0xbd,
577 0xb8,0xe5,0xe7,0x07,0xee,0xbb,0x5d,0xd1,0x34,0x42,0x43,0xd8,0xcf,0xc2,
578 0xc2,0xe6,0x33,0x2f,0x91,0xbd,0xa5,0x86,0xf3,0x7d,0xe4,0x8a,0x65,0xd4,
579 0xc5,0x14,0xfd,0xef,0xaa,0x1e,0x67,0x54,0xf3,0x73,0xd2,0x38,0xe1,0x95,
580 0xae,0x15,0x7e,0x1d,0xe8,0x14,0x98,0x03
583 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MAC,
584 (char *)OSSL_MAC_NAME_KMAC128,
585 sizeof(OSSL_MAC_NAME_KMAC128));
586 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z, sizeof(z));
587 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, other,
589 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT, salt,
591 *p++ = OSSL_PARAM_construct_size_t(OSSL_KDF_PARAM_MAC_SIZE, &mac_size);
592 *p = OSSL_PARAM_construct_end();
595 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SSKDF))
596 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
597 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
598 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
600 EVP_KDF_CTX_free(kctx);
604 static int test_kdf_sshkdf(void)
608 OSSL_PARAM params[6], *p = params;
609 char kdftype = EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV;
610 unsigned char out[8];
611 /* Test data from NIST CAVS 14.1 test vectors */
612 static unsigned char key[] = {
613 0x00, 0x00, 0x00, 0x81, 0x00, 0x87, 0x5c, 0x55, 0x1c, 0xef, 0x52, 0x6a,
614 0x4a, 0x8b, 0xe1, 0xa7, 0xdf, 0x27, 0xe9, 0xed, 0x35, 0x4b, 0xac, 0x9a,
615 0xfb, 0x71, 0xf5, 0x3d, 0xba, 0xe9, 0x05, 0x67, 0x9d, 0x14, 0xf9, 0xfa,
616 0xf2, 0x46, 0x9c, 0x53, 0x45, 0x7c, 0xf8, 0x0a, 0x36, 0x6b, 0xe2, 0x78,
617 0x96, 0x5b, 0xa6, 0x25, 0x52, 0x76, 0xca, 0x2d, 0x9f, 0x4a, 0x97, 0xd2,
618 0x71, 0xf7, 0x1e, 0x50, 0xd8, 0xa9, 0xec, 0x46, 0x25, 0x3a, 0x6a, 0x90,
619 0x6a, 0xc2, 0xc5, 0xe4, 0xf4, 0x8b, 0x27, 0xa6, 0x3c, 0xe0, 0x8d, 0x80,
620 0x39, 0x0a, 0x49, 0x2a, 0xa4, 0x3b, 0xad, 0x9d, 0x88, 0x2c, 0xca, 0xc2,
621 0x3d, 0xac, 0x88, 0xbc, 0xad, 0xa4, 0xb4, 0xd4, 0x26, 0xa3, 0x62, 0x08,
622 0x3d, 0xab, 0x65, 0x69, 0xc5, 0x4c, 0x22, 0x4d, 0xd2, 0xd8, 0x76, 0x43,
623 0xaa, 0x22, 0x76, 0x93, 0xe1, 0x41, 0xad, 0x16, 0x30, 0xce, 0x13, 0x14,
626 static unsigned char xcghash[] = {
627 0x0e, 0x68, 0x3f, 0xc8, 0xa9, 0xed, 0x7c, 0x2f, 0xf0, 0x2d, 0xef, 0x23,
628 0xb2, 0x74, 0x5e, 0xbc, 0x99, 0xb2, 0x67, 0xda, 0xa8, 0x6a, 0x4a, 0xa7,
629 0x69, 0x72, 0x39, 0x08, 0x82, 0x53, 0xf6, 0x42
631 static unsigned char sessid[] = {
632 0x0e, 0x68, 0x3f, 0xc8, 0xa9, 0xed, 0x7c, 0x2f, 0xf0, 0x2d, 0xef, 0x23,
633 0xb2, 0x74, 0x5e, 0xbc, 0x99, 0xb2, 0x67, 0xda, 0xa8, 0x6a, 0x4a, 0xa7,
634 0x69, 0x72, 0x39, 0x08, 0x82, 0x53, 0xf6, 0x42
636 static const unsigned char expected[sizeof(out)] = {
637 0x41, 0xff, 0x2e, 0xad, 0x16, 0x83, 0xf1, 0xe6
640 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
641 (char *)"sha256", sizeof("sha256"));
642 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, key,
644 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SSHKDF_XCGHASH,
645 xcghash, sizeof(xcghash));
646 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SSHKDF_SESSION_ID,
647 sessid, sizeof(sessid));
648 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_SSHKDF_TYPE,
649 &kdftype, sizeof(kdftype));
650 *p = OSSL_PARAM_construct_end();
653 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SSHKDF))
654 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
655 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
656 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
658 EVP_KDF_CTX_free(kctx);
662 static int test_kdf_get_kdf(void)
664 EVP_KDF *kdf1 = NULL, *kdf2 = NULL;
668 if (!TEST_ptr(obj = OBJ_nid2obj(NID_id_pbkdf2))
669 || !TEST_ptr(kdf1 = EVP_KDF_fetch(NULL, OSSL_KDF_NAME_PBKDF2, NULL))
670 || !TEST_ptr(kdf2 = EVP_KDF_fetch(NULL, OBJ_nid2sn(OBJ_obj2nid(obj)),
672 || !TEST_ptr_eq(kdf1, kdf2))
679 if (!TEST_ptr(kdf1 = EVP_KDF_fetch(NULL, SN_tls1_prf, NULL))
680 || !TEST_ptr(kdf2 = EVP_KDF_fetch(NULL, LN_tls1_prf, NULL))
681 || !TEST_ptr_eq(kdf1, kdf2))
683 /* kdf1 is re-used below, so don't free it here */
687 if (!TEST_ptr(kdf2 = EVP_KDF_fetch(NULL, OBJ_nid2sn(NID_tls1_prf), NULL))
688 || !TEST_ptr_eq(kdf1, kdf2))
698 #ifndef OPENSSL_NO_CMS
699 static int test_kdf_x942_asn1(void)
702 EVP_KDF_CTX *kctx = NULL;
703 OSSL_PARAM params[4], *p = params;
704 const char *cek_alg = SN_id_smime_alg_CMS3DESwrap;
705 unsigned char out[24];
706 /* RFC2631 Section 2.1.6 Test data */
707 static unsigned char z[] = {
708 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,
709 0x0e,0x0f,0x10,0x11,0x12,0x13
711 static const unsigned char expected[sizeof(out)] = {
712 0xa0,0x96,0x61,0x39,0x23,0x76,0xf7,0x04,
713 0x4d,0x90,0x52,0xa3,0x97,0x88,0x32,0x46,
714 0xb6,0x7f,0x5f,0x1e,0xf6,0x3e,0xb5,0xfb
717 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
718 (char *)"sha1", sizeof("sha1"));
719 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z,
721 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_CEK_ALG,
723 strlen(cek_alg) + 1);
724 *p = OSSL_PARAM_construct_end();
727 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_X942KDF))
728 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
729 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
730 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
732 EVP_KDF_CTX_free(kctx);
735 #endif /* OPENSSL_NO_CMS */
737 static int test_kdf_krb5kdf(void)
741 OSSL_PARAM params[4], *p = params;
742 unsigned char out[16];
743 static unsigned char key[] = {
744 0x42, 0x26, 0x3C, 0x6E, 0x89, 0xF4, 0xFC, 0x28,
745 0xB8, 0xDF, 0x68, 0xEE, 0x09, 0x79, 0x9F, 0x15
747 static unsigned char constant[] = {
748 0x00, 0x00, 0x00, 0x02, 0x99
750 static const unsigned char expected[sizeof(out)] = {
751 0x34, 0x28, 0x0A, 0x38, 0x2B, 0xC9, 0x27, 0x69,
752 0xB2, 0xDA, 0x2F, 0x9E, 0xF0, 0x66, 0x85, 0x4B
755 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_CIPHER,
756 (char *)"AES-128-CBC",
757 sizeof("AES-128-CBC"));
758 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, key,
760 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_CONSTANT,
761 constant, sizeof(constant));
762 *p = OSSL_PARAM_construct_end();
765 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_KRB5KDF))
766 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
767 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
768 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
770 EVP_KDF_CTX_free(kctx);
774 int setup_tests(void)
776 #if !defined(OPENSSL_NO_CMAC) && !defined(OPENSSL_NO_CAMELLIA)
777 ADD_TEST(test_kdf_kbkdf_6803_128);
778 ADD_TEST(test_kdf_kbkdf_6803_256);
780 ADD_TEST(test_kdf_kbkdf_8009_prf1);
781 ADD_TEST(test_kdf_kbkdf_8009_prf2);
782 ADD_TEST(test_kdf_get_kdf);
783 ADD_TEST(test_kdf_tls1_prf);
784 ADD_TEST(test_kdf_hkdf);
785 ADD_TEST(test_kdf_pbkdf2);
786 #ifndef OPENSSL_NO_SCRYPT
787 ADD_TEST(test_kdf_scrypt);
789 ADD_TEST(test_kdf_ss_hash);
790 ADD_TEST(test_kdf_ss_hmac);
791 ADD_TEST(test_kdf_ss_kmac);
792 ADD_TEST(test_kdf_sshkdf);
793 ADD_TEST(test_kdf_x963);
794 #ifndef OPENSSL_NO_CMS
795 ADD_TEST(test_kdf_x942_asn1);
797 ADD_TEST(test_kdf_krb5kdf);