2 * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright (c) 2018-2019, Oracle and/or its affiliates. All rights reserved.
5 * Licensed under the Apache License 2.0 (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
11 /* Tests of the EVP_KDF_CTX APIs */
16 #include <openssl/evp.h>
17 #include <openssl/kdf.h>
20 static int test_kdf_tls1_prf(void)
23 EVP_KDF_CTX *kctx = NULL;
25 unsigned char out[16];
26 const unsigned char expected[sizeof(out)] = {
27 0x8e, 0x4d, 0x93, 0x25, 0x30, 0xd7, 0x65, 0xa0,
28 0xaa, 0xe9, 0x74, 0xc3, 0x04, 0x73, 0x5e, 0xcc
32 TEST_ptr(kdf = EVP_get_kdfbyname(SN_tls1_prf))
33 && TEST_ptr(kctx = EVP_KDF_CTX_new(kdf))
34 && TEST_ptr_eq(EVP_KDF_CTX_kdf(kctx), kdf)
35 && TEST_str_eq(EVP_KDF_name(kdf), SN_tls1_prf)
36 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()), 0)
37 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_TLS_SECRET,
38 "secret", (size_t)6), 0)
39 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_ADD_TLS_SEED, "seed",
41 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
42 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
44 EVP_KDF_CTX_free(kctx);
48 static int test_kdf_hkdf(void)
52 unsigned char out[10];
53 const unsigned char expected[sizeof(out)] = {
54 0x2a, 0xc4, 0x36, 0x9f, 0x52, 0x59, 0x96, 0xf8, 0xde, 0x13
58 TEST_ptr(kctx = EVP_KDF_CTX_new_id(EVP_KDF_HKDF))
59 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()), 0)
60 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "salt",
62 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, "secret",
64 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_ADD_HKDF_INFO, "label",
66 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
67 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
69 EVP_KDF_CTX_free(kctx);
73 static int test_kdf_pbkdf2(void)
77 unsigned char out[32];
78 const unsigned char expected[sizeof(out)] = {
79 0xae, 0x4d, 0x0c, 0x95, 0xaf, 0x6b, 0x46, 0xd3,
80 0x2d, 0x0a, 0xdf, 0xf9, 0x28, 0xf0, 0x6d, 0xd0,
81 0x2a, 0x30, 0x3f, 0x8e, 0xf3, 0xc2, 0x51, 0xdf,
82 0xd6, 0xe2, 0xd8, 0x5a, 0x95, 0x47, 0x4c, 0x43
86 TEST_ptr(kctx = EVP_KDF_CTX_new_id(EVP_KDF_PBKDF2))
87 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, "password",
89 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "salt",
91 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_ITER, 2), 0)
92 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()), 0)
93 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
94 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
96 EVP_KDF_CTX_free(kctx);
100 #ifndef OPENSSL_NO_SCRYPT
101 static int test_kdf_scrypt(void)
105 unsigned char out[64];
106 const unsigned char expected[sizeof(out)] = {
107 0xfd, 0xba, 0xbe, 0x1c, 0x9d, 0x34, 0x72, 0x00,
108 0x78, 0x56, 0xe7, 0x19, 0x0d, 0x01, 0xe9, 0xfe,
109 0x7c, 0x6a, 0xd7, 0xcb, 0xc8, 0x23, 0x78, 0x30,
110 0xe7, 0x73, 0x76, 0x63, 0x4b, 0x37, 0x31, 0x62,
111 0x2e, 0xaf, 0x30, 0xd9, 0x2e, 0x22, 0xa3, 0x88,
112 0x6f, 0xf1, 0x09, 0x27, 0x9d, 0x98, 0x30, 0xda,
113 0xc7, 0x27, 0xaf, 0xb9, 0x4a, 0x83, 0xee, 0x6d,
114 0x83, 0x60, 0xcb, 0xdf, 0xa2, 0xcc, 0x06, 0x40
118 TEST_ptr(kctx = EVP_KDF_CTX_new_id(EVP_KDF_SCRYPT))
119 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, "password",
121 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "NaCl",
123 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_N,
125 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_R,
127 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_P,
129 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MAXMEM_BYTES,
132 && TEST_int_le(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
133 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MAXMEM_BYTES,
134 (uint64_t)(10 * 1024 * 1024)), 0)
135 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
136 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
138 EVP_KDF_CTX_free(kctx);
141 #endif /* OPENSSL_NO_SCRYPT */
143 static int test_kdf_ss_hash(void)
146 EVP_KDF_CTX *kctx = NULL;
147 const unsigned char z[] = {
148 0x6d,0xbd,0xc2,0x3f,0x04,0x54,0x88,0xe4,0x06,0x27,0x57,0xb0,0x6b,0x9e,
149 0xba,0xe1,0x83,0xfc,0x5a,0x59,0x46,0xd8,0x0d,0xb9,0x3f,0xec,0x6f,0x62,
150 0xec,0x07,0xe3,0x72,0x7f,0x01,0x26,0xae,0xd1,0x2c,0xe4,0xb2,0x62,0xf4,
151 0x7d,0x48,0xd5,0x42,0x87,0xf8,0x1d,0x47,0x4c,0x7c,0x3b,0x18,0x50,0xe9
153 const unsigned char other[] = {
154 0xa1,0xb2,0xc3,0xd4,0xe5,0x43,0x41,0x56,0x53,0x69,0x64,0x3c,0x83,0x2e,
155 0x98,0x49,0xdc,0xdb,0xa7,0x1e,0x9a,0x31,0x39,0xe6,0x06,0xe0,0x95,0xde,
156 0x3c,0x26,0x4a,0x66,0xe9,0x8a,0x16,0x58,0x54,0xcd,0x07,0x98,0x9b,0x1e,
157 0xe0,0xec,0x3f,0x8d,0xbe
159 const unsigned char expected[] = {
160 0xa4,0x62,0xde,0x16,0xa8,0x9d,0xe8,0x46,0x6e,0xf5,0x46,0x0b,0x47,0xb8
162 unsigned char out[14];
165 TEST_ptr(kctx = EVP_KDF_CTX_new_id(EVP_KDF_SS))
166 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha224()), 0)
167 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, z, sizeof(z)), 0)
168 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSKDF_INFO, other,
170 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
171 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
173 EVP_KDF_CTX_free(kctx);
177 static int test_kdf_ss_hmac(void)
183 const unsigned char z[] = {
184 0xb7,0x4a,0x14,0x9a,0x16,0x15,0x46,0xf8,0xc2,0x0b,0x06,0xac,0x4e,0xd4
186 const unsigned char other[] = {
187 0x34,0x8a,0x37,0xa2,0x7e,0xf1,0x28,0x2f,0x5f,0x02,0x0d,0xcc
189 const unsigned char salt[] = {
190 0x36,0x38,0x27,0x1c,0xcd,0x68,0xa2,0x5d,0xc2,0x4e,0xcd,0xdd,0x39,0xef,
193 const unsigned char expected[] = {
194 0x44,0xf6,0x76,0xe8,0x5c,0x1b,0x1a,0x8b,0xbc,0x3d,0x31,0x92,0x18,0x63,
197 unsigned char out[16];
200 TEST_ptr(kctx = EVP_KDF_CTX_new_id(EVP_KDF_SS))
201 && TEST_ptr(mac = EVP_get_macbyname("HMAC"))
202 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MAC, mac), 0)
203 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()), 0)
204 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, z, sizeof(z)), 0)
205 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSKDF_INFO, other,
207 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, salt,
209 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
210 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
212 EVP_KDF_CTX_free(kctx);
216 static int test_kdf_ss_kmac(void)
220 unsigned char out[64];
223 const unsigned char z[] = {
224 0xb7,0x4a,0x14,0x9a,0x16,0x15,0x46,0xf8,0xc2,0x0b,0x06,0xac,0x4e,0xd4
226 const unsigned char other[] = {
227 0x34,0x8a,0x37,0xa2,0x7e,0xf1,0x28,0x2f,0x5f,0x02,0x0d,0xcc
229 const unsigned char salt[] = {
230 0x36,0x38,0x27,0x1c,0xcd,0x68,0xa2,0x5d,0xc2,0x4e,0xcd,0xdd,0x39,0xef,
233 const unsigned char expected[] = {
234 0xe9,0xc1,0x84,0x53,0xa0,0x62,0xb5,0x3b,0xdb,0xfc,0xbb,0x5a,0x34,0xbd,
235 0xb8,0xe5,0xe7,0x07,0xee,0xbb,0x5d,0xd1,0x34,0x42,0x43,0xd8,0xcf,0xc2,
236 0xc2,0xe6,0x33,0x2f,0x91,0xbd,0xa5,0x86,0xf3,0x7d,0xe4,0x8a,0x65,0xd4,
237 0xc5,0x14,0xfd,0xef,0xaa,0x1e,0x67,0x54,0xf3,0x73,0xd2,0x38,0xe1,0x95,
238 0xae,0x15,0x7e,0x1d,0xe8,0x14,0x98,0x03
242 TEST_ptr(kctx = EVP_KDF_CTX_new_id(EVP_KDF_SS))
243 && TEST_ptr(mac = EVP_get_macbyname("KMAC128"))
244 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MAC, mac), 0)
245 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, z,
247 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSKDF_INFO, other,
249 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, salt,
251 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MAC_SIZE,
253 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
254 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
256 EVP_KDF_CTX_free(kctx);
260 static int test_kdf_sshkdf(void)
264 unsigned char out[8];
265 /* Test data from NIST CAVS 14.1 test vectors */
266 const unsigned char key[] = {
267 0x00, 0x00, 0x00, 0x81, 0x00, 0x87, 0x5c, 0x55, 0x1c, 0xef, 0x52, 0x6a,
268 0x4a, 0x8b, 0xe1, 0xa7, 0xdf, 0x27, 0xe9, 0xed, 0x35, 0x4b, 0xac, 0x9a,
269 0xfb, 0x71, 0xf5, 0x3d, 0xba, 0xe9, 0x05, 0x67, 0x9d, 0x14, 0xf9, 0xfa,
270 0xf2, 0x46, 0x9c, 0x53, 0x45, 0x7c, 0xf8, 0x0a, 0x36, 0x6b, 0xe2, 0x78,
271 0x96, 0x5b, 0xa6, 0x25, 0x52, 0x76, 0xca, 0x2d, 0x9f, 0x4a, 0x97, 0xd2,
272 0x71, 0xf7, 0x1e, 0x50, 0xd8, 0xa9, 0xec, 0x46, 0x25, 0x3a, 0x6a, 0x90,
273 0x6a, 0xc2, 0xc5, 0xe4, 0xf4, 0x8b, 0x27, 0xa6, 0x3c, 0xe0, 0x8d, 0x80,
274 0x39, 0x0a, 0x49, 0x2a, 0xa4, 0x3b, 0xad, 0x9d, 0x88, 0x2c, 0xca, 0xc2,
275 0x3d, 0xac, 0x88, 0xbc, 0xad, 0xa4, 0xb4, 0xd4, 0x26, 0xa3, 0x62, 0x08,
276 0x3d, 0xab, 0x65, 0x69, 0xc5, 0x4c, 0x22, 0x4d, 0xd2, 0xd8, 0x76, 0x43,
277 0xaa, 0x22, 0x76, 0x93, 0xe1, 0x41, 0xad, 0x16, 0x30, 0xce, 0x13, 0x14,
280 const unsigned char xcghash[] = {
281 0x0e, 0x68, 0x3f, 0xc8, 0xa9, 0xed, 0x7c, 0x2f, 0xf0, 0x2d, 0xef, 0x23,
282 0xb2, 0x74, 0x5e, 0xbc, 0x99, 0xb2, 0x67, 0xda, 0xa8, 0x6a, 0x4a, 0xa7,
283 0x69, 0x72, 0x39, 0x08, 0x82, 0x53, 0xf6, 0x42
285 const unsigned char sessid[] = {
286 0x0e, 0x68, 0x3f, 0xc8, 0xa9, 0xed, 0x7c, 0x2f, 0xf0, 0x2d, 0xef, 0x23,
287 0xb2, 0x74, 0x5e, 0xbc, 0x99, 0xb2, 0x67, 0xda, 0xa8, 0x6a, 0x4a, 0xa7,
288 0x69, 0x72, 0x39, 0x08, 0x82, 0x53, 0xf6, 0x42
290 const unsigned char expected[sizeof(out)] = {
291 0x41, 0xff, 0x2e, 0xad, 0x16, 0x83, 0xf1, 0xe6
295 TEST_ptr(kctx = EVP_KDF_CTX_new_id(EVP_KDF_SSHKDF))
296 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()), 0)
297 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, key,
299 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSHKDF_XCGHASH,
300 xcghash, sizeof(xcghash)), 0)
301 && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID,
302 sessid, sizeof(sessid)), 0)
304 EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSHKDF_TYPE,
305 (int)EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV), 0)
306 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
307 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
309 EVP_KDF_CTX_free(kctx);
313 static int test_kdf_get_kdf(void)
315 const EVP_KDF *kdf1, *kdf2;
319 TEST_ptr(obj = OBJ_nid2obj(NID_id_pbkdf2))
320 && TEST_ptr(kdf1 = EVP_get_kdfbyname(LN_id_pbkdf2))
321 && TEST_ptr(kdf2 = EVP_get_kdfbyobj(obj))
322 && TEST_ptr_eq(kdf1, kdf2)
323 && TEST_ptr(kdf1 = EVP_get_kdfbyname(SN_tls1_prf))
324 && TEST_ptr(kdf2 = EVP_get_kdfbyname(LN_tls1_prf))
325 && TEST_ptr_eq(kdf1, kdf2)
326 && TEST_ptr(kdf2 = EVP_get_kdfbynid(NID_tls1_prf))
327 && TEST_ptr_eq(kdf1, kdf2);
330 int setup_tests(void)
332 ADD_TEST(test_kdf_get_kdf);
333 ADD_TEST(test_kdf_tls1_prf);
334 ADD_TEST(test_kdf_hkdf);
335 ADD_TEST(test_kdf_pbkdf2);
336 #ifndef OPENSSL_NO_SCRYPT
337 ADD_TEST(test_kdf_scrypt);
339 ADD_TEST(test_kdf_ss_hash);
340 ADD_TEST(test_kdf_ss_hmac);
341 ADD_TEST(test_kdf_ss_kmac);
342 ADD_TEST(test_kdf_sshkdf);