2 * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright (c) 2018-2019, Oracle and/or its affiliates. All rights reserved.
5 * Licensed under the Apache License 2.0 (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
11 /* Tests of the EVP_KDF_CTX APIs */
16 #include <openssl/evp.h>
17 #include <openssl/kdf.h>
18 #include <openssl/core_names.h>
21 static EVP_KDF_CTX *get_kdfbyname(const char *name)
23 EVP_KDF *kdf = EVP_KDF_fetch(NULL, name, NULL);
24 EVP_KDF_CTX *kctx = EVP_KDF_CTX_new(kdf);
30 static int test_kdf_tls1_prf(void)
33 EVP_KDF_CTX *kctx = NULL;
34 unsigned char out[16];
35 OSSL_PARAM params[4], *p = params;
36 static const unsigned char expected[sizeof(out)] = {
37 0x8e, 0x4d, 0x93, 0x25, 0x30, 0xd7, 0x65, 0xa0,
38 0xaa, 0xe9, 0x74, 0xc3, 0x04, 0x73, 0x5e, 0xcc
41 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
42 (char *)"sha256", sizeof("sha256"));
43 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SECRET,
44 (unsigned char *)"secret",
46 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED,
47 (unsigned char *)"seed",
49 *p = OSSL_PARAM_construct_end();
52 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
53 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
54 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
55 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
57 EVP_KDF_CTX_free(kctx);
61 static int test_kdf_hkdf(void)
65 unsigned char out[10];
66 OSSL_PARAM params[5], *p = params;
67 static const unsigned char expected[sizeof(out)] = {
68 0x2a, 0xc4, 0x36, 0x9f, 0x52, 0x59, 0x96, 0xf8, 0xde, 0x13
71 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
72 (char *)"sha256", sizeof("sha256"));
73 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
74 (unsigned char *)"salt", 4);
75 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
76 (unsigned char *)"secret", 6);
77 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO,
78 (unsigned char *)"label", 5);
79 *p = OSSL_PARAM_construct_end();
82 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))
83 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
84 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
85 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
87 EVP_KDF_CTX_free(kctx);
91 static int test_kdf_pbkdf2(void)
95 unsigned char out[25];
97 unsigned int iterations = 4096;
99 OSSL_PARAM params[6], *p = params;
100 const unsigned char expected[sizeof(out)] = {
101 0x34, 0x8c, 0x89, 0xdb, 0xcb, 0xd3, 0x2b, 0x2f,
102 0x32, 0xd8, 0x14, 0xb8, 0x11, 0x6e, 0x84, 0xcf,
103 0x2b, 0x17, 0x34, 0x7e, 0xbc, 0x18, 0x00, 0x18,
107 if (sizeof(len) > 32)
110 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PASSWORD,
112 "passwordPASSWORDpassword", 24);
113 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
115 "saltSALTsaltSALTsaltSALTsaltSALTsalt",
117 *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_ITER, &iterations);
118 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
119 (char *)"sha256", 7);
120 *p++ = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_PKCS5, &mode);
121 *p = OSSL_PARAM_construct_end();
123 if (!TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
124 || !TEST_true(EVP_KDF_CTX_set_params(kctx, params))
125 || !TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
126 || !TEST_mem_eq(out, sizeof(out), expected, sizeof(expected))
127 || !TEST_true(EVP_KDF_CTX_set_params(kctx, params))
128 /* A key length that is too small should fail */
129 || !TEST_int_eq(EVP_KDF_derive(kctx, out, 112 / 8 - 1), 0)
130 /* A key length that is too large should fail */
131 || (len != 0 && !TEST_int_eq(EVP_KDF_derive(kctx, out, len), 0)))
135 /* Salt length less than 128 bits should fail */
136 || TEST_int_eq(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT,
139 /* A small iteration count should fail */
140 || TEST_int_eq(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_ITER, 1), 0)
141 || TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PBKDF2_PKCS5_MODE,
143 /* Small salts will pass if the "pkcs5" mode is enabled */
144 || TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT,
147 /* A small iteration count will pass if "pkcs5" mode is enabled */
148 || TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_ITER, 1), 0)
150 * If the "pkcs5" mode is disabled then the small salt and iter will
151 * fail when the derive gets called.
153 || TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PBKDF2_PKCS5_MODE,
155 || TEST_int_eq(EVP_KDF_derive(kctx, out, sizeof(out)), 0);
159 EVP_KDF_CTX_free(kctx);
163 #ifndef OPENSSL_NO_SCRYPT
164 static int test_kdf_scrypt(void)
168 OSSL_PARAM params[7], *p = params;
169 unsigned char out[64];
170 unsigned int nu = 1024, ru = 8, pu = 16, maxmem = 16;
171 static const unsigned char expected[sizeof(out)] = {
172 0xfd, 0xba, 0xbe, 0x1c, 0x9d, 0x34, 0x72, 0x00,
173 0x78, 0x56, 0xe7, 0x19, 0x0d, 0x01, 0xe9, 0xfe,
174 0x7c, 0x6a, 0xd7, 0xcb, 0xc8, 0x23, 0x78, 0x30,
175 0xe7, 0x73, 0x76, 0x63, 0x4b, 0x37, 0x31, 0x62,
176 0x2e, 0xaf, 0x30, 0xd9, 0x2e, 0x22, 0xa3, 0x88,
177 0x6f, 0xf1, 0x09, 0x27, 0x9d, 0x98, 0x30, 0xda,
178 0xc7, 0x27, 0xaf, 0xb9, 0x4a, 0x83, 0xee, 0x6d,
179 0x83, 0x60, 0xcb, 0xdf, 0xa2, 0xcc, 0x06, 0x40
182 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PASSWORD,
183 (char *)"password", 8);
184 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
186 *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_SCRYPT_N, &nu);
187 *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_SCRYPT_R, &ru);
188 *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_SCRYPT_P, &pu);
189 *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_SCRYPT_MAXMEM, &maxmem);
190 *p = OSSL_PARAM_construct_end();
193 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SCRYPT))
194 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
196 && TEST_int_le(EVP_KDF_derive(kctx, out, sizeof(out)), 0)*/
197 && TEST_true(OSSL_PARAM_set_uint(p - 1, 10 * 1024 * 1024))
198 && TEST_true(EVP_KDF_CTX_set_params(kctx, p - 1))
199 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
200 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
202 EVP_KDF_CTX_free(kctx);
205 #endif /* OPENSSL_NO_SCRYPT */
207 static int test_kdf_ss_hash(void)
211 OSSL_PARAM params[4], *p = params;
212 unsigned char out[14];
213 static unsigned char z[] = {
214 0x6d,0xbd,0xc2,0x3f,0x04,0x54,0x88,0xe4,0x06,0x27,0x57,0xb0,0x6b,0x9e,
215 0xba,0xe1,0x83,0xfc,0x5a,0x59,0x46,0xd8,0x0d,0xb9,0x3f,0xec,0x6f,0x62,
216 0xec,0x07,0xe3,0x72,0x7f,0x01,0x26,0xae,0xd1,0x2c,0xe4,0xb2,0x62,0xf4,
217 0x7d,0x48,0xd5,0x42,0x87,0xf8,0x1d,0x47,0x4c,0x7c,0x3b,0x18,0x50,0xe9
219 static unsigned char other[] = {
220 0xa1,0xb2,0xc3,0xd4,0xe5,0x43,0x41,0x56,0x53,0x69,0x64,0x3c,0x83,0x2e,
221 0x98,0x49,0xdc,0xdb,0xa7,0x1e,0x9a,0x31,0x39,0xe6,0x06,0xe0,0x95,0xde,
222 0x3c,0x26,0x4a,0x66,0xe9,0x8a,0x16,0x58,0x54,0xcd,0x07,0x98,0x9b,0x1e,
223 0xe0,0xec,0x3f,0x8d,0xbe
225 static const unsigned char expected[sizeof(out)] = {
226 0xa4,0x62,0xde,0x16,0xa8,0x9d,0xe8,0x46,0x6e,0xf5,0x46,0x0b,0x47,0xb8
229 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
230 (char *)"sha224", sizeof("sha224"));
231 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z, sizeof(z));
232 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, other,
234 *p = OSSL_PARAM_construct_end();
237 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SSKDF))
238 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
239 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
240 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
242 EVP_KDF_CTX_free(kctx);
246 static int test_kdf_x963(void)
250 OSSL_PARAM params[4], *p = params;
251 unsigned char out[1024 / 8];
253 * Test data from https://csrc.nist.gov/CSRC/media/Projects/
254 * Cryptographic-Algorithm-Validation-Program/documents/components/
255 * 800-135testvectors/ansx963_2001.zip
257 static unsigned char z[] = {
258 0x00, 0xaa, 0x5b, 0xb7, 0x9b, 0x33, 0xe3, 0x89, 0xfa, 0x58, 0xce, 0xad,
259 0xc0, 0x47, 0x19, 0x7f, 0x14, 0xe7, 0x37, 0x12, 0xf4, 0x52, 0xca, 0xa9,
260 0xfc, 0x4c, 0x9a, 0xdb, 0x36, 0x93, 0x48, 0xb8, 0x15, 0x07, 0x39, 0x2f,
261 0x1a, 0x86, 0xdd, 0xfd, 0xb7, 0xc4, 0xff, 0x82, 0x31, 0xc4, 0xbd, 0x0f,
262 0x44, 0xe4, 0x4a, 0x1b, 0x55, 0xb1, 0x40, 0x47, 0x47, 0xa9, 0xe2, 0xe7,
263 0x53, 0xf5, 0x5e, 0xf0, 0x5a, 0x2d
265 static unsigned char shared[] = {
266 0xe3, 0xb5, 0xb4, 0xc1, 0xb0, 0xd5, 0xcf, 0x1d, 0x2b, 0x3a, 0x2f, 0x99,
267 0x37, 0x89, 0x5d, 0x31
269 static const unsigned char expected[sizeof(out)] = {
270 0x44, 0x63, 0xf8, 0x69, 0xf3, 0xcc, 0x18, 0x76, 0x9b, 0x52, 0x26, 0x4b,
271 0x01, 0x12, 0xb5, 0x85, 0x8f, 0x7a, 0xd3, 0x2a, 0x5a, 0x2d, 0x96, 0xd8,
272 0xcf, 0xfa, 0xbf, 0x7f, 0xa7, 0x33, 0x63, 0x3d, 0x6e, 0x4d, 0xd2, 0xa5,
273 0x99, 0xac, 0xce, 0xb3, 0xea, 0x54, 0xa6, 0x21, 0x7c, 0xe0, 0xb5, 0x0e,
274 0xef, 0x4f, 0x6b, 0x40, 0xa5, 0xc3, 0x02, 0x50, 0xa5, 0xa8, 0xee, 0xee,
275 0x20, 0x80, 0x02, 0x26, 0x70, 0x89, 0xdb, 0xf3, 0x51, 0xf3, 0xf5, 0x02,
276 0x2a, 0xa9, 0x63, 0x8b, 0xf1, 0xee, 0x41, 0x9d, 0xea, 0x9c, 0x4f, 0xf7,
277 0x45, 0xa2, 0x5a, 0xc2, 0x7b, 0xda, 0x33, 0xca, 0x08, 0xbd, 0x56, 0xdd,
278 0x1a, 0x59, 0xb4, 0x10, 0x6c, 0xf2, 0xdb, 0xbc, 0x0a, 0xb2, 0xaa, 0x8e,
279 0x2e, 0xfa, 0x7b, 0x17, 0x90, 0x2d, 0x34, 0x27, 0x69, 0x51, 0xce, 0xcc,
280 0xab, 0x87, 0xf9, 0x66, 0x1c, 0x3e, 0x88, 0x16
283 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
284 (char *)"sha512", sizeof("sha512"));
285 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z, sizeof(z));
286 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, shared,
288 *p = OSSL_PARAM_construct_end();
291 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_X963KDF))
292 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
293 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
294 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
296 EVP_KDF_CTX_free(kctx);
301 * KBKDF test vectors from RFC 6803 (Camellia Encryption for Kerberos 5)
304 static int test_kdf_kbkdf_6803_128(void)
308 OSSL_PARAM params[7];
309 static unsigned char input_key[] = {
310 0x57, 0xD0, 0x29, 0x72, 0x98, 0xFF, 0xD9, 0xD3,
311 0x5D, 0xE5, 0xA4, 0x7F, 0xB4, 0xBD, 0xE2, 0x4B,
313 static unsigned char constants[][5] = {
314 { 0x00, 0x00, 0x00, 0x02, 0x99 },
315 { 0x00, 0x00, 0x00, 0x02, 0xaa },
316 { 0x00, 0x00, 0x00, 0x02, 0x55 },
318 static unsigned char outputs[][16] = {
319 {0xD1, 0x55, 0x77, 0x5A, 0x20, 0x9D, 0x05, 0xF0,
320 0x2B, 0x38, 0xD4, 0x2A, 0x38, 0x9E, 0x5A, 0x56},
321 {0x64, 0xDF, 0x83, 0xF8, 0x5A, 0x53, 0x2F, 0x17,
322 0x57, 0x7D, 0x8C, 0x37, 0x03, 0x57, 0x96, 0xAB},
323 {0x3E, 0x4F, 0xBD, 0xF3, 0x0F, 0xB8, 0x25, 0x9C,
324 0x42, 0x5C, 0xB6, 0xC9, 0x6F, 0x1F, 0x46, 0x35}
326 static unsigned char iv[16] = { 0 };
327 unsigned char result[16] = { 0 };
329 for (i = 0; i < 3; i++) {
331 params[p++] = OSSL_PARAM_construct_utf8_string(
332 OSSL_KDF_PARAM_CIPHER, "CAMELLIA-128-CBC", 0);
333 params[p++] = OSSL_PARAM_construct_utf8_string(
334 OSSL_KDF_PARAM_MAC, "CMAC", 0);
335 params[p++] = OSSL_PARAM_construct_utf8_string(
336 OSSL_KDF_PARAM_MODE, "FEEDBACK", 0);
337 params[p++] = OSSL_PARAM_construct_octet_string(
338 OSSL_KDF_PARAM_KEY, input_key, sizeof(input_key));
339 params[p++] = OSSL_PARAM_construct_octet_string(
340 OSSL_KDF_PARAM_SALT, constants[i], sizeof(constants[i]));
341 params[p++] = OSSL_PARAM_construct_octet_string(
342 OSSL_KDF_PARAM_SEED, iv, sizeof(iv));
343 params[p] = OSSL_PARAM_construct_end();
345 kctx = get_kdfbyname("KBKDF");
347 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
348 && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result)), 0)
349 && TEST_mem_eq(result, sizeof(result), outputs[i],
351 EVP_KDF_CTX_free(kctx);
359 static int test_kdf_kbkdf_6803_256(void)
363 OSSL_PARAM params[7];
364 static unsigned char input_key[] = {
365 0xB9, 0xD6, 0x82, 0x8B, 0x20, 0x56, 0xB7, 0xBE,
366 0x65, 0x6D, 0x88, 0xA1, 0x23, 0xB1, 0xFA, 0xC6,
367 0x82, 0x14, 0xAC, 0x2B, 0x72, 0x7E, 0xCF, 0x5F,
368 0x69, 0xAF, 0xE0, 0xC4, 0xDF, 0x2A, 0x6D, 0x2C,
370 static unsigned char constants[][5] = {
371 { 0x00, 0x00, 0x00, 0x02, 0x99 },
372 { 0x00, 0x00, 0x00, 0x02, 0xaa },
373 { 0x00, 0x00, 0x00, 0x02, 0x55 },
375 static unsigned char outputs[][32] = {
376 {0xE4, 0x67, 0xF9, 0xA9, 0x55, 0x2B, 0xC7, 0xD3,
377 0x15, 0x5A, 0x62, 0x20, 0xAF, 0x9C, 0x19, 0x22,
378 0x0E, 0xEE, 0xD4, 0xFF, 0x78, 0xB0, 0xD1, 0xE6,
379 0xA1, 0x54, 0x49, 0x91, 0x46, 0x1A, 0x9E, 0x50,
381 {0x41, 0x2A, 0xEF, 0xC3, 0x62, 0xA7, 0x28, 0x5F,
382 0xC3, 0x96, 0x6C, 0x6A, 0x51, 0x81, 0xE7, 0x60,
383 0x5A, 0xE6, 0x75, 0x23, 0x5B, 0x6D, 0x54, 0x9F,
384 0xBF, 0xC9, 0xAB, 0x66, 0x30, 0xA4, 0xC6, 0x04,
386 {0xFA, 0x62, 0x4F, 0xA0, 0xE5, 0x23, 0x99, 0x3F,
387 0xA3, 0x88, 0xAE, 0xFD, 0xC6, 0x7E, 0x67, 0xEB,
388 0xCD, 0x8C, 0x08, 0xE8, 0xA0, 0x24, 0x6B, 0x1D,
389 0x73, 0xB0, 0xD1, 0xDD, 0x9F, 0xC5, 0x82, 0xB0,
392 static unsigned char iv[16] = { 0 };
393 unsigned char result[32] = { 0 };
395 for (i = 0; i < 3; i++) {
397 params[p++] = OSSL_PARAM_construct_utf8_string(
398 OSSL_KDF_PARAM_CIPHER, "CAMELLIA-256-CBC", 0);
399 params[p++] = OSSL_PARAM_construct_utf8_string(
400 OSSL_KDF_PARAM_MAC, "CMAC", 0);
401 params[p++] = OSSL_PARAM_construct_utf8_string(
402 OSSL_KDF_PARAM_MODE, "FEEDBACK", 0);
403 params[p++] = OSSL_PARAM_construct_octet_string(
404 OSSL_KDF_PARAM_KEY, input_key, sizeof(input_key));
405 params[p++] = OSSL_PARAM_construct_octet_string(
406 OSSL_KDF_PARAM_SALT, constants[i], sizeof(constants[i]));
407 params[p++] = OSSL_PARAM_construct_octet_string(
408 OSSL_KDF_PARAM_SEED, iv, sizeof(iv));
409 params[p] = OSSL_PARAM_construct_end();
411 kctx = get_kdfbyname("KBKDF");
413 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
414 && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result)), 0)
415 && TEST_mem_eq(result, sizeof(result), outputs[i],
417 EVP_KDF_CTX_free(kctx);
425 /* Two test vectors from RFC 8009 (AES Encryption with HMAC-SHA2 for Kerberos
427 static int test_kdf_kbkdf_8009_prf1(void)
431 OSSL_PARAM params[6];
432 char *label = "prf", *digest = "sha256", *prf_input = "test",
434 static unsigned char input_key[] = {
435 0x37, 0x05, 0xD9, 0x60, 0x80, 0xC1, 0x77, 0x28,
436 0xA0, 0xE8, 0x00, 0xEA, 0xB6, 0xE0, 0xD2, 0x3C,
438 static unsigned char output[] = {
439 0x9D, 0x18, 0x86, 0x16, 0xF6, 0x38, 0x52, 0xFE,
440 0x86, 0x91, 0x5B, 0xB8, 0x40, 0xB4, 0xA8, 0x86,
441 0xFF, 0x3E, 0x6B, 0xB0, 0xF8, 0x19, 0xB4, 0x9B,
442 0x89, 0x33, 0x93, 0xD3, 0x93, 0x85, 0x42, 0x95,
444 unsigned char result[sizeof(output)] = { 0 };
446 params[i++] = OSSL_PARAM_construct_utf8_string(
447 OSSL_KDF_PARAM_DIGEST, digest, strlen(digest) + 1);
448 params[i++] = OSSL_PARAM_construct_utf8_string(
449 OSSL_KDF_PARAM_MAC, mac, strlen(mac) + 1);
450 params[i++] = OSSL_PARAM_construct_octet_string(
451 OSSL_KDF_PARAM_KEY, input_key, sizeof(input_key));
452 params[i++] = OSSL_PARAM_construct_octet_string(
453 OSSL_KDF_PARAM_SALT, label, strlen(label));
454 params[i++] = OSSL_PARAM_construct_octet_string(
455 OSSL_KDF_PARAM_INFO, prf_input, strlen(prf_input));
456 params[i] = OSSL_PARAM_construct_end();
458 kctx = get_kdfbyname("KBKDF");
460 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
461 && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result)), 0)
462 && TEST_mem_eq(result, sizeof(result), output, sizeof(output));
464 EVP_KDF_CTX_free(kctx);
468 static int test_kdf_kbkdf_8009_prf2(void)
472 OSSL_PARAM params[6];
473 char *label = "prf", *digest = "sha384", *prf_input = "test",
475 static unsigned char input_key[] = {
476 0x6D, 0x40, 0x4D, 0x37, 0xFA, 0xF7, 0x9F, 0x9D,
477 0xF0, 0xD3, 0x35, 0x68, 0xD3, 0x20, 0x66, 0x98,
478 0x00, 0xEB, 0x48, 0x36, 0x47, 0x2E, 0xA8, 0xA0,
479 0x26, 0xD1, 0x6B, 0x71, 0x82, 0x46, 0x0C, 0x52,
481 static unsigned char output[] = {
482 0x98, 0x01, 0xF6, 0x9A, 0x36, 0x8C, 0x2B, 0xF6,
483 0x75, 0xE5, 0x95, 0x21, 0xE1, 0x77, 0xD9, 0xA0,
484 0x7F, 0x67, 0xEF, 0xE1, 0xCF, 0xDE, 0x8D, 0x3C,
485 0x8D, 0x6F, 0x6A, 0x02, 0x56, 0xE3, 0xB1, 0x7D,
486 0xB3, 0xC1, 0xB6, 0x2A, 0xD1, 0xB8, 0x55, 0x33,
487 0x60, 0xD1, 0x73, 0x67, 0xEB, 0x15, 0x14, 0xD2,
489 unsigned char result[sizeof(output)] = { 0 };
491 params[i++] = OSSL_PARAM_construct_utf8_string(
492 OSSL_KDF_PARAM_DIGEST, digest, strlen(digest) + 1);
493 params[i++] = OSSL_PARAM_construct_utf8_string(
494 OSSL_KDF_PARAM_MAC, mac, strlen(mac) + 1);
495 params[i++] = OSSL_PARAM_construct_octet_string(
496 OSSL_KDF_PARAM_KEY, input_key, sizeof(input_key));
497 params[i++] = OSSL_PARAM_construct_octet_string(
498 OSSL_KDF_PARAM_SALT, label, strlen(label));
499 params[i++] = OSSL_PARAM_construct_octet_string(
500 OSSL_KDF_PARAM_INFO, prf_input, strlen(prf_input));
501 params[i] = OSSL_PARAM_construct_end();
503 kctx = get_kdfbyname("KBKDF");
505 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
506 && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result)), 0)
507 && TEST_mem_eq(result, sizeof(result), output, sizeof(output));
509 EVP_KDF_CTX_free(kctx);
513 static int test_kdf_ss_hmac(void)
517 OSSL_PARAM params[6], *p = params;
518 unsigned char out[16];
519 static unsigned char z[] = {
520 0xb7,0x4a,0x14,0x9a,0x16,0x15,0x46,0xf8,0xc2,0x0b,0x06,0xac,0x4e,0xd4
522 static unsigned char other[] = {
523 0x34,0x8a,0x37,0xa2,0x7e,0xf1,0x28,0x2f,0x5f,0x02,0x0d,0xcc
525 static unsigned char salt[] = {
526 0x36,0x38,0x27,0x1c,0xcd,0x68,0xa2,0x5d,0xc2,0x4e,0xcd,0xdd,0x39,0xef,
529 static const unsigned char expected[sizeof(out)] = {
530 0x44,0xf6,0x76,0xe8,0x5c,0x1b,0x1a,0x8b,0xbc,0x3d,0x31,0x92,0x18,0x63,
534 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MAC,
535 (char *)OSSL_MAC_NAME_HMAC,
536 sizeof(OSSL_MAC_NAME_HMAC));
537 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
538 (char *)"sha256", sizeof("sha256"));
539 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z, sizeof(z));
540 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, other,
542 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT, salt,
544 *p = OSSL_PARAM_construct_end();
547 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SSKDF))
548 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
549 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
550 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
552 EVP_KDF_CTX_free(kctx);
556 static int test_kdf_ss_kmac(void)
560 OSSL_PARAM params[6], *p = params;
561 unsigned char out[64];
562 size_t mac_size = 20;
563 static unsigned char z[] = {
564 0xb7,0x4a,0x14,0x9a,0x16,0x15,0x46,0xf8,0xc2,0x0b,0x06,0xac,0x4e,0xd4
566 static unsigned char other[] = {
567 0x34,0x8a,0x37,0xa2,0x7e,0xf1,0x28,0x2f,0x5f,0x02,0x0d,0xcc
569 static unsigned char salt[] = {
570 0x36,0x38,0x27,0x1c,0xcd,0x68,0xa2,0x5d,0xc2,0x4e,0xcd,0xdd,0x39,0xef,
573 static const unsigned char expected[sizeof(out)] = {
574 0xe9,0xc1,0x84,0x53,0xa0,0x62,0xb5,0x3b,0xdb,0xfc,0xbb,0x5a,0x34,0xbd,
575 0xb8,0xe5,0xe7,0x07,0xee,0xbb,0x5d,0xd1,0x34,0x42,0x43,0xd8,0xcf,0xc2,
576 0xc2,0xe6,0x33,0x2f,0x91,0xbd,0xa5,0x86,0xf3,0x7d,0xe4,0x8a,0x65,0xd4,
577 0xc5,0x14,0xfd,0xef,0xaa,0x1e,0x67,0x54,0xf3,0x73,0xd2,0x38,0xe1,0x95,
578 0xae,0x15,0x7e,0x1d,0xe8,0x14,0x98,0x03
581 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MAC,
582 (char *)OSSL_MAC_NAME_KMAC128,
583 sizeof(OSSL_MAC_NAME_KMAC128));
584 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z, sizeof(z));
585 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, other,
587 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT, salt,
589 *p++ = OSSL_PARAM_construct_size_t(OSSL_KDF_PARAM_MAC_SIZE, &mac_size);
590 *p = OSSL_PARAM_construct_end();
593 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SSKDF))
594 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
595 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
596 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
598 EVP_KDF_CTX_free(kctx);
602 static int test_kdf_sshkdf(void)
606 OSSL_PARAM params[6], *p = params;
607 char kdftype = EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV;
608 unsigned char out[8];
609 /* Test data from NIST CAVS 14.1 test vectors */
610 static unsigned char key[] = {
611 0x00, 0x00, 0x00, 0x81, 0x00, 0x87, 0x5c, 0x55, 0x1c, 0xef, 0x52, 0x6a,
612 0x4a, 0x8b, 0xe1, 0xa7, 0xdf, 0x27, 0xe9, 0xed, 0x35, 0x4b, 0xac, 0x9a,
613 0xfb, 0x71, 0xf5, 0x3d, 0xba, 0xe9, 0x05, 0x67, 0x9d, 0x14, 0xf9, 0xfa,
614 0xf2, 0x46, 0x9c, 0x53, 0x45, 0x7c, 0xf8, 0x0a, 0x36, 0x6b, 0xe2, 0x78,
615 0x96, 0x5b, 0xa6, 0x25, 0x52, 0x76, 0xca, 0x2d, 0x9f, 0x4a, 0x97, 0xd2,
616 0x71, 0xf7, 0x1e, 0x50, 0xd8, 0xa9, 0xec, 0x46, 0x25, 0x3a, 0x6a, 0x90,
617 0x6a, 0xc2, 0xc5, 0xe4, 0xf4, 0x8b, 0x27, 0xa6, 0x3c, 0xe0, 0x8d, 0x80,
618 0x39, 0x0a, 0x49, 0x2a, 0xa4, 0x3b, 0xad, 0x9d, 0x88, 0x2c, 0xca, 0xc2,
619 0x3d, 0xac, 0x88, 0xbc, 0xad, 0xa4, 0xb4, 0xd4, 0x26, 0xa3, 0x62, 0x08,
620 0x3d, 0xab, 0x65, 0x69, 0xc5, 0x4c, 0x22, 0x4d, 0xd2, 0xd8, 0x76, 0x43,
621 0xaa, 0x22, 0x76, 0x93, 0xe1, 0x41, 0xad, 0x16, 0x30, 0xce, 0x13, 0x14,
624 static unsigned char xcghash[] = {
625 0x0e, 0x68, 0x3f, 0xc8, 0xa9, 0xed, 0x7c, 0x2f, 0xf0, 0x2d, 0xef, 0x23,
626 0xb2, 0x74, 0x5e, 0xbc, 0x99, 0xb2, 0x67, 0xda, 0xa8, 0x6a, 0x4a, 0xa7,
627 0x69, 0x72, 0x39, 0x08, 0x82, 0x53, 0xf6, 0x42
629 static unsigned char sessid[] = {
630 0x0e, 0x68, 0x3f, 0xc8, 0xa9, 0xed, 0x7c, 0x2f, 0xf0, 0x2d, 0xef, 0x23,
631 0xb2, 0x74, 0x5e, 0xbc, 0x99, 0xb2, 0x67, 0xda, 0xa8, 0x6a, 0x4a, 0xa7,
632 0x69, 0x72, 0x39, 0x08, 0x82, 0x53, 0xf6, 0x42
634 static const unsigned char expected[sizeof(out)] = {
635 0x41, 0xff, 0x2e, 0xad, 0x16, 0x83, 0xf1, 0xe6
638 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
639 (char *)"sha256", sizeof("sha256"));
640 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, key,
642 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SSHKDF_XCGHASH,
643 xcghash, sizeof(xcghash));
644 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SSHKDF_SESSION_ID,
645 sessid, sizeof(sessid));
646 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_SSHKDF_TYPE,
647 &kdftype, sizeof(kdftype));
648 *p = OSSL_PARAM_construct_end();
651 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SSHKDF))
652 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
653 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
654 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
656 EVP_KDF_CTX_free(kctx);
660 static int test_kdf_get_kdf(void)
662 EVP_KDF *kdf1 = NULL, *kdf2 = NULL;
666 if (!TEST_ptr(obj = OBJ_nid2obj(NID_id_pbkdf2))
667 || !TEST_ptr(kdf1 = EVP_KDF_fetch(NULL, OSSL_KDF_NAME_PBKDF2, NULL))
668 || !TEST_ptr(kdf2 = EVP_KDF_fetch(NULL, OBJ_nid2sn(OBJ_obj2nid(obj)),
670 || !TEST_ptr_eq(kdf1, kdf2))
677 if (!TEST_ptr(kdf1 = EVP_KDF_fetch(NULL, SN_tls1_prf, NULL))
678 || !TEST_ptr(kdf2 = EVP_KDF_fetch(NULL, LN_tls1_prf, NULL))
679 || !TEST_ptr_eq(kdf1, kdf2))
681 /* kdf1 is re-used below, so don't free it here */
685 if (!TEST_ptr(kdf2 = EVP_KDF_fetch(NULL, OBJ_nid2sn(NID_tls1_prf), NULL))
686 || !TEST_ptr_eq(kdf1, kdf2))
696 #ifndef OPENSSL_NO_CMS
697 static int test_kdf_x942_asn1(void)
700 EVP_KDF_CTX *kctx = NULL;
701 OSSL_PARAM params[4], *p = params;
702 const char *cek_alg = SN_id_smime_alg_CMS3DESwrap;
703 unsigned char out[24];
704 /* RFC2631 Section 2.1.6 Test data */
705 static unsigned char z[] = {
706 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,
707 0x0e,0x0f,0x10,0x11,0x12,0x13
709 static const unsigned char expected[sizeof(out)] = {
710 0xa0,0x96,0x61,0x39,0x23,0x76,0xf7,0x04,
711 0x4d,0x90,0x52,0xa3,0x97,0x88,0x32,0x46,
712 0xb6,0x7f,0x5f,0x1e,0xf6,0x3e,0xb5,0xfb
715 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
716 (char *)"sha1", sizeof("sha1"));
717 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z,
719 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_CEK_ALG,
721 strlen(cek_alg) + 1);
722 *p = OSSL_PARAM_construct_end();
725 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_X942KDF))
726 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
727 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
728 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
730 EVP_KDF_CTX_free(kctx);
733 #endif /* OPENSSL_NO_CMS */
735 int setup_tests(void)
737 ADD_TEST(test_kdf_kbkdf_6803_128);
738 ADD_TEST(test_kdf_kbkdf_6803_256);
739 ADD_TEST(test_kdf_kbkdf_8009_prf1);
740 ADD_TEST(test_kdf_kbkdf_8009_prf2);
741 ADD_TEST(test_kdf_get_kdf);
742 ADD_TEST(test_kdf_tls1_prf);
743 ADD_TEST(test_kdf_hkdf);
744 ADD_TEST(test_kdf_pbkdf2);
745 #ifndef OPENSSL_NO_SCRYPT
746 ADD_TEST(test_kdf_scrypt);
748 ADD_TEST(test_kdf_ss_hash);
749 ADD_TEST(test_kdf_ss_hmac);
750 ADD_TEST(test_kdf_ss_kmac);
751 ADD_TEST(test_kdf_sshkdf);
752 ADD_TEST(test_kdf_x963);
753 #ifndef OPENSSL_NO_CMS
754 ADD_TEST(test_kdf_x942_asn1);