1 /*
2 * Copyright 2018-2025 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright (c) 2018-2020, Oracle and/or its affiliates. All rights reserved.
4 *
5 * Licensed under the Apache License 2.0 (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
9 */
10
11 /* Tests of the EVP_KDF_CTX APIs */
12
13 #include <stdio.h>
14 #include <string.h>
15
16 #include <openssl/evp.h>
17 #include <openssl/kdf.h>
18 #include <openssl/core_names.h>
19 #include "internal/numbers.h"
20 #include "testutil.h"
21
22
get_kdfbyname_libctx(OSSL_LIB_CTX * libctx,const char * name)23 static EVP_KDF_CTX *get_kdfbyname_libctx(OSSL_LIB_CTX *libctx, const char *name)
24 {
25 EVP_KDF *kdf = EVP_KDF_fetch(libctx, name, NULL);
26 EVP_KDF_CTX *kctx = EVP_KDF_CTX_new(kdf);
27
28 EVP_KDF_free(kdf);
29 return kctx;
30 }
31
get_kdfbyname(const char * name)32 static EVP_KDF_CTX *get_kdfbyname(const char *name)
33 {
34 return get_kdfbyname_libctx(NULL, name);
35 }
36
construct_tls1_prf_params(const char * digest,const char * secret,const char * seed)37 static OSSL_PARAM *construct_tls1_prf_params(const char *digest, const char *secret,
38 const char *seed)
39 {
40 OSSL_PARAM *params = OPENSSL_malloc(sizeof(OSSL_PARAM) * 4);
41 OSSL_PARAM *p = params;
42
43 if (params == NULL)
44 return NULL;
45
46 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
47 (char *)digest, 0);
48 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SECRET,
49 (unsigned char *)secret,
50 strlen(secret));
51 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED,
52 (unsigned char *)seed,
53 strlen(seed));
54 *p = OSSL_PARAM_construct_end();
55
56 return params;
57 }
58
test_kdf_tls1_prf(void)59 static int test_kdf_tls1_prf(void)
60 {
61 int ret;
62 EVP_KDF_CTX *kctx = NULL;
63 unsigned char out[16];
64 OSSL_PARAM *params;
65 static const unsigned char expected[sizeof(out)] = {
66 0x8e, 0x4d, 0x93, 0x25, 0x30, 0xd7, 0x65, 0xa0,
67 0xaa, 0xe9, 0x74, 0xc3, 0x04, 0x73, 0x5e, 0xcc
68 };
69
70 params = construct_tls1_prf_params("sha256", "secret", "seed");
71
72 ret = TEST_ptr(params)
73 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
74 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
75 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
76
77 EVP_KDF_CTX_free(kctx);
78 OPENSSL_free(params);
79 return ret;
80 }
81
test_kdf_tls1_prf_invalid_digest(void)82 static int test_kdf_tls1_prf_invalid_digest(void)
83 {
84 int ret;
85 EVP_KDF_CTX *kctx = NULL;
86 OSSL_PARAM *params;
87
88 params = construct_tls1_prf_params("blah", "secret", "seed");
89
90 ret = TEST_ptr(params)
91 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
92 && TEST_false(EVP_KDF_CTX_set_params(kctx, params));
93
94 EVP_KDF_CTX_free(kctx);
95 OPENSSL_free(params);
96 return ret;
97 }
98
test_kdf_tls1_prf_zero_output_size(void)99 static int test_kdf_tls1_prf_zero_output_size(void)
100 {
101 int ret;
102 EVP_KDF_CTX *kctx = NULL;
103 unsigned char out[16];
104 OSSL_PARAM *params;
105
106 params = construct_tls1_prf_params("sha256", "secret", "seed");
107
108 /* Negative test - derive should fail */
109 ret = TEST_ptr(params)
110 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
111 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
112 && TEST_int_eq(EVP_KDF_derive(kctx, out, 0, NULL), 0);
113
114 EVP_KDF_CTX_free(kctx);
115 OPENSSL_free(params);
116 return ret;
117 }
118
test_kdf_tls1_prf_empty_secret(void)119 static int test_kdf_tls1_prf_empty_secret(void)
120 {
121 int ret;
122 EVP_KDF_CTX *kctx = NULL;
123 unsigned char out[16];
124 OSSL_PARAM *params;
125
126 params = construct_tls1_prf_params("sha256", "", "seed");
127
128 ret = TEST_ptr(params)
129 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
130 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0);
131
132 EVP_KDF_CTX_free(kctx);
133 OPENSSL_free(params);
134 return ret;
135 }
136
test_kdf_tls1_prf_1byte_secret(void)137 static int test_kdf_tls1_prf_1byte_secret(void)
138 {
139 int ret;
140 EVP_KDF_CTX *kctx = NULL;
141 unsigned char out[16];
142 OSSL_PARAM *params;
143
144 params = construct_tls1_prf_params("sha256", "1", "seed");
145
146 ret = TEST_ptr(params)
147 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
148 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0);
149
150 EVP_KDF_CTX_free(kctx);
151 OPENSSL_free(params);
152 return ret;
153 }
154
test_kdf_tls1_prf_empty_seed(void)155 static int test_kdf_tls1_prf_empty_seed(void)
156 {
157 int ret;
158 EVP_KDF_CTX *kctx = NULL;
159 unsigned char out[16];
160 OSSL_PARAM *params;
161
162 params = construct_tls1_prf_params("sha256", "secret", "");
163
164 /* Negative test - derive should fail */
165 ret = TEST_ptr(params)
166 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
167 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
168 && TEST_int_eq(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0);
169
170 EVP_KDF_CTX_free(kctx);
171 OPENSSL_free(params);
172 return ret;
173 }
174
test_kdf_tls1_prf_1byte_seed(void)175 static int test_kdf_tls1_prf_1byte_seed(void)
176 {
177 int ret;
178 EVP_KDF_CTX *kctx = NULL;
179 unsigned char out[16];
180 OSSL_PARAM *params;
181
182 params = construct_tls1_prf_params("sha256", "secret", "1");
183
184 ret = TEST_ptr(params)
185 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF))
186 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0);
187
188 EVP_KDF_CTX_free(kctx);
189 OPENSSL_free(params);
190 return ret;
191 }
192
construct_hkdf_params(char * digest,char * key,size_t keylen,char * salt,char * info)193 static OSSL_PARAM *construct_hkdf_params(char *digest, char *key,
194 size_t keylen, char *salt, char *info)
195 {
196 OSSL_PARAM *params = OPENSSL_malloc(sizeof(OSSL_PARAM) * 5);
197 OSSL_PARAM *p = params;
198
199 if (params == NULL)
200 return NULL;
201
202 if (digest != NULL)
203 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
204 digest, 0);
205 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
206 salt, strlen(salt));
207 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
208 (unsigned char *)key, keylen);
209 if (info != NULL)
210 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO,
211 info, strlen(info));
212 else
213 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MODE,
214 "EXTRACT_ONLY", 0);
215 *p = OSSL_PARAM_construct_end();
216
217 return params;
218 }
219
test_kdf_hkdf(void)220 static int test_kdf_hkdf(void)
221 {
222 int ret;
223 EVP_KDF_CTX *kctx = NULL;
224 unsigned char out[10];
225 OSSL_PARAM *params;
226 static const unsigned char expected[sizeof(out)] = {
227 0x2a, 0xc4, 0x36, 0x9f, 0x52, 0x59, 0x96, 0xf8, 0xde, 0x13
228 };
229
230 params = construct_hkdf_params("sha256", "secret", 6, "salt", "label");
231
232 ret = TEST_ptr(params)
233 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))
234 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
235 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
236
237 EVP_KDF_CTX_free(kctx);
238 OPENSSL_free(params);
239 return ret;
240 }
241
do_kdf_hkdf_gettables(int expand_only,int has_digest)242 static int do_kdf_hkdf_gettables(int expand_only, int has_digest)
243 {
244 int ret = 0;
245 size_t sz = 0;
246 OSSL_PARAM *params;
247 OSSL_PARAM params_get[2];
248 const OSSL_PARAM *gettables, *p;
249 EVP_KDF_CTX *kctx = NULL;
250
251 if (!TEST_ptr(params = construct_hkdf_params(
252 has_digest ? "sha256" : NULL,
253 "secret", 6, "salt",
254 expand_only ? NULL : "label"))
255 || !TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))
256 || !TEST_true(EVP_KDF_CTX_set_params(kctx, params)))
257 goto err;
258
259 /* Check OSSL_KDF_PARAM_SIZE is gettable */
260 if (!TEST_ptr(gettables = EVP_KDF_CTX_gettable_params(kctx))
261 || !TEST_ptr(p = OSSL_PARAM_locate_const(gettables, OSSL_KDF_PARAM_SIZE)))
262 goto err;
263
264 /* Get OSSL_KDF_PARAM_SIZE as a size_t */
265 params_get[0] = OSSL_PARAM_construct_size_t(OSSL_KDF_PARAM_SIZE, &sz);
266 params_get[1] = OSSL_PARAM_construct_end();
267 if (has_digest) {
268 if (!TEST_int_eq(EVP_KDF_CTX_get_params(kctx, params_get), 1)
269 || !TEST_size_t_eq(sz, expand_only ? SHA256_DIGEST_LENGTH : SIZE_MAX))
270 goto err;
271 } else {
272 if (!TEST_int_eq(EVP_KDF_CTX_get_params(kctx, params_get), 0))
273 goto err;
274 }
275
276 /* Get params returns -2 if an unsupported parameter is requested */
277 params_get[0] = OSSL_PARAM_construct_end();
278 if (!TEST_int_eq(EVP_KDF_CTX_get_params(kctx, params_get), -2))
279 goto err;
280 ret = 1;
281 err:
282 EVP_KDF_CTX_free(kctx);
283 OPENSSL_free(params);
284 return ret;
285 }
286
test_kdf_hkdf_gettables(void)287 static int test_kdf_hkdf_gettables(void)
288 {
289 return do_kdf_hkdf_gettables(0, 1);
290 }
291
test_kdf_hkdf_gettables_expandonly(void)292 static int test_kdf_hkdf_gettables_expandonly(void)
293 {
294 return do_kdf_hkdf_gettables(1, 1);
295 }
296
test_kdf_hkdf_gettables_no_digest(void)297 static int test_kdf_hkdf_gettables_no_digest(void)
298 {
299 return do_kdf_hkdf_gettables(1, 0);
300 }
301
test_kdf_hkdf_invalid_digest(void)302 static int test_kdf_hkdf_invalid_digest(void)
303 {
304 int ret;
305 EVP_KDF_CTX *kctx = NULL;
306 OSSL_PARAM *params;
307
308 params = construct_hkdf_params("blah", "secret", 6, "salt", "label");
309
310 ret = TEST_ptr(params)
311 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))
312 && TEST_false(EVP_KDF_CTX_set_params(kctx, params));
313
314 EVP_KDF_CTX_free(kctx);
315 OPENSSL_free(params);
316 return ret;
317 }
318
test_kdf_hkdf_derive_set_params_fail(void)319 static int test_kdf_hkdf_derive_set_params_fail(void)
320 {
321 int ret = 0, i = 0;
322 EVP_KDF_CTX *kctx = NULL;
323 OSSL_PARAM params[2];
324 unsigned char out[10];
325
326 if (!TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF)))
327 goto end;
328 /*
329 * Set the wrong type for the digest so that it causes a failure
330 * inside kdf_hkdf_derive() when kdf_hkdf_set_ctx_params() is called
331 */
332 params[0] = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_DIGEST, &i);
333 params[1] = OSSL_PARAM_construct_end();
334 if (!TEST_int_eq(EVP_KDF_derive(kctx, out, sizeof(out), params), 0))
335 goto end;
336 ret = 1;
337 end:
338 EVP_KDF_CTX_free(kctx);
339 return ret;
340 }
341
test_kdf_hkdf_set_invalid_mode(void)342 static int test_kdf_hkdf_set_invalid_mode(void)
343 {
344 int ret = 0, bad_mode = 100;
345 EVP_KDF_CTX *kctx = NULL;
346 OSSL_PARAM params[2];
347
348 if (!TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF)))
349 goto end;
350 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MODE,
351 "BADMODE", 0);
352 params[1] = OSSL_PARAM_construct_end();
353 if (!TEST_int_eq(EVP_KDF_CTX_set_params(kctx, params), 0))
354 goto end;
355
356 params[0] = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_MODE, &bad_mode);
357 if (!TEST_int_eq(EVP_KDF_CTX_set_params(kctx, params), 0))
358 goto end;
359
360 ret = 1;
361 end:
362 EVP_KDF_CTX_free(kctx);
363 return ret;
364 }
365
do_kdf_hkdf_set_invalid_param(const char * key,int type)366 static int do_kdf_hkdf_set_invalid_param(const char *key, int type)
367 {
368 int ret = 0;
369 EVP_KDF_CTX *kctx = NULL;
370 OSSL_PARAM params[2];
371 unsigned char buf[2];
372
373 if (!TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF)))
374 goto end;
375 /* Set the wrong type for the key so that it causes a failure */
376 if (type == OSSL_PARAM_UTF8_STRING)
377 params[0] = OSSL_PARAM_construct_utf8_string(key, "BAD", 0);
378 else
379 params[0] = OSSL_PARAM_construct_octet_string(key, buf, sizeof(buf));
380 params[1] = OSSL_PARAM_construct_end();
381 if (!TEST_int_eq(EVP_KDF_CTX_set_params(kctx, params), 0))
382 goto end;
383
384 ret = 1;
385 end:
386 EVP_KDF_CTX_free(kctx);
387 return ret;
388 }
389
test_kdf_hkdf_set_ctx_param_fail(void)390 static int test_kdf_hkdf_set_ctx_param_fail(void)
391 {
392 return do_kdf_hkdf_set_invalid_param(OSSL_KDF_PARAM_MODE,
393 OSSL_PARAM_OCTET_STRING)
394 && do_kdf_hkdf_set_invalid_param(OSSL_KDF_PARAM_KEY,
395 OSSL_PARAM_UTF8_STRING)
396 && do_kdf_hkdf_set_invalid_param(OSSL_KDF_PARAM_SALT,
397 OSSL_PARAM_UTF8_STRING)
398 && do_kdf_hkdf_set_invalid_param(OSSL_KDF_PARAM_INFO,
399 OSSL_PARAM_UTF8_STRING);
400 }
401
test_kdf_hkdf_zero_output_size(void)402 static int test_kdf_hkdf_zero_output_size(void)
403 {
404 int ret;
405 EVP_KDF_CTX *kctx = NULL;
406 unsigned char out[10];
407 OSSL_PARAM *params;
408
409 params = construct_hkdf_params("sha256", "secret", 6, "salt", "label");
410
411 /* Negative test - derive should fail */
412 ret = TEST_ptr(params)
413 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))
414 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
415 && TEST_int_eq(EVP_KDF_derive(kctx, out, 0, NULL), 0);
416
417 EVP_KDF_CTX_free(kctx);
418 OPENSSL_free(params);
419 return ret;
420 }
421
test_kdf_hkdf_empty_key(void)422 static int test_kdf_hkdf_empty_key(void)
423 {
424 int ret;
425 EVP_KDF_CTX *kctx = NULL;
426 unsigned char out[10];
427 OSSL_PARAM *params;
428
429 params = construct_hkdf_params("sha256", "", 0, "salt", "label");
430
431 ret = TEST_ptr(params)
432 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))
433 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0);
434
435 EVP_KDF_CTX_free(kctx);
436 OPENSSL_free(params);
437 return ret;
438 }
439
test_kdf_hkdf_1byte_key(void)440 static int test_kdf_hkdf_1byte_key(void)
441 {
442 int ret;
443 EVP_KDF_CTX *kctx = NULL;
444 unsigned char out[10];
445 OSSL_PARAM *params;
446
447 params = construct_hkdf_params("sha256", "1", 1, "salt", "label");
448
449 ret = TEST_ptr(params)
450 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))
451 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0);
452
453 EVP_KDF_CTX_free(kctx);
454 OPENSSL_free(params);
455 return ret;
456 }
457
test_kdf_hkdf_empty_salt(void)458 static int test_kdf_hkdf_empty_salt(void)
459 {
460 int ret;
461 EVP_KDF_CTX *kctx = NULL;
462 unsigned char out[10];
463 OSSL_PARAM *params;
464
465 params = construct_hkdf_params("sha256", "secret", 6, "", "label");
466
467 ret = TEST_ptr(params)
468 && TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))
469 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0);
470
471 EVP_KDF_CTX_free(kctx);
472 OPENSSL_free(params);
473 return ret;
474 }
475
construct_pbkdf1_params(char * pass,char * digest,char * salt,unsigned int * iter)476 static OSSL_PARAM *construct_pbkdf1_params(char *pass, char *digest, char *salt,
477 unsigned int *iter)
478 {
479 OSSL_PARAM *params = OPENSSL_malloc(sizeof(OSSL_PARAM) * 5);
480 OSSL_PARAM *p = params;
481
482 if (params == NULL)
483 return NULL;
484
485 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PASSWORD,
486 (unsigned char *)pass, strlen(pass));
487 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
488 (unsigned char *)salt, strlen(salt));
489 *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_ITER, iter);
490 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
491 digest, 0);
492 *p = OSSL_PARAM_construct_end();
493
494 return params;
495 }
496
test_kdf_pbkdf1(void)497 static int test_kdf_pbkdf1(void)
498 {
499 int ret = 0;
500 EVP_KDF_CTX *kctx = NULL;
501 unsigned char out[25];
502 unsigned int iterations = 4096;
503 OSSL_LIB_CTX *libctx = NULL;
504 OSSL_PARAM *params = NULL;
505 OSSL_PROVIDER *legacyprov = NULL;
506 OSSL_PROVIDER *defprov = NULL;
507 const unsigned char expected[sizeof(out)] = {
508 0xfb, 0x83, 0x4d, 0x36, 0x6d, 0xbc, 0x53, 0x87, 0x35, 0x1b, 0x34, 0x75,
509 0x95, 0x88, 0x32, 0x4f, 0x3e, 0x82, 0x81, 0x01, 0x21, 0x93, 0x64, 0x00,
510 0xcc
511 };
512
513 if (!TEST_ptr(libctx = OSSL_LIB_CTX_new()))
514 goto err;
515
516 /* PBKDF1 only available in the legacy provider */
517 legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
518 if (legacyprov == NULL) {
519 OSSL_LIB_CTX_free(libctx);
520 return TEST_skip("PBKDF1 only available in legacy provider");
521 }
522
523 if (!TEST_ptr(defprov = OSSL_PROVIDER_load(libctx, "default")))
524 goto err;
525
526 params = construct_pbkdf1_params("passwordPASSWORDpassword", "sha256",
527 "saltSALTsaltSALTsaltSALTsaltSALTsalt",
528 &iterations);
529
530 if (!TEST_ptr(params)
531 || !TEST_ptr(kctx = get_kdfbyname_libctx(libctx, OSSL_KDF_NAME_PBKDF1))
532 || !TEST_true(EVP_KDF_CTX_set_params(kctx, params))
533 || !TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0)
534 || !TEST_mem_eq(out, sizeof(out), expected, sizeof(expected)))
535 goto err;
536
537 ret = 1;
538 err:
539 EVP_KDF_CTX_free(kctx);
540 OPENSSL_free(params);
541 OSSL_PROVIDER_unload(defprov);
542 OSSL_PROVIDER_unload(legacyprov);
543 OSSL_LIB_CTX_free(libctx);
544 return ret;
545 }
546
test_kdf_pbkdf1_key_too_long(void)547 static int test_kdf_pbkdf1_key_too_long(void)
548 {
549 int ret = 0;
550 EVP_KDF_CTX *kctx = NULL;
551 unsigned char out[EVP_MAX_MD_SIZE + 1];
552 unsigned int iterations = 4096;
553 OSSL_LIB_CTX *libctx = NULL;
554 OSSL_PARAM *params = NULL;
555 OSSL_PROVIDER *legacyprov = NULL;
556 OSSL_PROVIDER *defprov = NULL;
557
558 if (!TEST_ptr(libctx = OSSL_LIB_CTX_new()))
559 goto err;
560
561 /* PBKDF1 only available in the legacy provider */
562 legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
563 if (legacyprov == NULL) {
564 OSSL_LIB_CTX_free(libctx);
565 return TEST_skip("PBKDF1 only available in legacy provider");
566 }
567
568 if (!TEST_ptr(defprov = OSSL_PROVIDER_load(libctx, "default")))
569 goto err;
570
571 params = construct_pbkdf1_params("passwordPASSWORDpassword", "sha256",
572 "saltSALTsaltSALTsaltSALTsaltSALTsalt",
573 &iterations);
574
575 /*
576 * This is the same test sequence as test_kdf_pbkdf1, but we expect
577 * failure here as the requested key size is longer than the digest
578 * can provide
579 */
580 if (!TEST_ptr(params)
581 || !TEST_ptr(kctx = get_kdfbyname_libctx(libctx, OSSL_KDF_NAME_PBKDF1))
582 || !TEST_true(EVP_KDF_CTX_set_params(kctx, params))
583 || !TEST_int_eq(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0))
584 goto err;
585
586 ret = 1;
587 err:
588 EVP_KDF_CTX_free(kctx);
589 OPENSSL_free(params);
590 OSSL_PROVIDER_unload(defprov);
591 OSSL_PROVIDER_unload(legacyprov);
592 OSSL_LIB_CTX_free(libctx);
593 return ret;
594 }
595
construct_pbkdf2_params(char * pass,char * digest,char * salt,unsigned int * iter,int * mode)596 static OSSL_PARAM *construct_pbkdf2_params(char *pass, char *digest, char *salt,
597 unsigned int *iter, int *mode)
598 {
599 OSSL_PARAM *params = OPENSSL_malloc(sizeof(OSSL_PARAM) * 6);
600 OSSL_PARAM *p = params;
601
602 if (params == NULL)
603 return NULL;
604
605 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PASSWORD,
606 (unsigned char *)pass, strlen(pass));
607 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
608 (unsigned char *)salt, strlen(salt));
609 *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_ITER, iter);
610 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
611 digest, 0);
612 *p++ = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_PKCS5, mode);
613 *p = OSSL_PARAM_construct_end();
614
615 return params;
616 }
617
test_kdf_pbkdf2(void)618 static int test_kdf_pbkdf2(void)
619 {
620 int ret = 0;
621 EVP_KDF_CTX *kctx = NULL;
622 unsigned char out[25];
623 unsigned int iterations = 4096;
624 int mode = 0;
625 OSSL_PARAM *params;
626 const unsigned char expected[sizeof(out)] = {
627 0x34, 0x8c, 0x89, 0xdb, 0xcb, 0xd3, 0x2b, 0x2f,
628 0x32, 0xd8, 0x14, 0xb8, 0x11, 0x6e, 0x84, 0xcf,
629 0x2b, 0x17, 0x34, 0x7e, 0xbc, 0x18, 0x00, 0x18,
630 0x1c
631 };
632
633 params = construct_pbkdf2_params("passwordPASSWORDpassword", "sha256",
634 "saltSALTsaltSALTsaltSALTsaltSALTsalt",
635 &iterations, &mode);
636
637 if (!TEST_ptr(params)
638 || !TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
639 || !TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
640 || !TEST_mem_eq(out, sizeof(out), expected, sizeof(expected)))
641 goto err;
642
643 ret = 1;
644 err:
645 EVP_KDF_CTX_free(kctx);
646 OPENSSL_free(params);
647 return ret;
648 }
649
test_kdf_pbkdf2_small_output(void)650 static int test_kdf_pbkdf2_small_output(void)
651 {
652 int ret = 0;
653 EVP_KDF_CTX *kctx = NULL;
654 unsigned char out[25];
655 unsigned int iterations = 4096;
656 int mode = 0;
657 OSSL_PARAM *params;
658
659 params = construct_pbkdf2_params("passwordPASSWORDpassword", "sha256",
660 "saltSALTsaltSALTsaltSALTsaltSALTsalt",
661 &iterations, &mode);
662
663 if (!TEST_ptr(params)
664 || !TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
665 || !TEST_true(EVP_KDF_CTX_set_params(kctx, params))
666 /* A key length that is too small should fail */
667 || !TEST_int_eq(EVP_KDF_derive(kctx, out, 112 / 8 - 1, NULL), 0))
668 goto err;
669
670 ret = 1;
671 err:
672 EVP_KDF_CTX_free(kctx);
673 OPENSSL_free(params);
674 return ret;
675 }
676
test_kdf_pbkdf2_large_output(void)677 static int test_kdf_pbkdf2_large_output(void)
678 {
679 int ret = 0;
680 EVP_KDF_CTX *kctx = NULL;
681 unsigned char out[25];
682 size_t len = 0;
683 unsigned int iterations = 4096;
684 int mode = 0;
685 OSSL_PARAM *params;
686
687 if (sizeof(len) > 32)
688 len = SIZE_MAX;
689
690 params = construct_pbkdf2_params("passwordPASSWORDpassword", "sha256",
691 "saltSALTsaltSALTsaltSALTsaltSALTsalt",
692 &iterations, &mode);
693
694 if (!TEST_ptr(params)
695 || !TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
696 /* A key length that is too large should fail */
697 || !TEST_true(EVP_KDF_CTX_set_params(kctx, params))
698 || (len != 0 && !TEST_int_eq(EVP_KDF_derive(kctx, out, len, NULL), 0)))
699 goto err;
700
701 ret = 1;
702 err:
703 EVP_KDF_CTX_free(kctx);
704 OPENSSL_free(params);
705 return ret;
706 }
707
test_kdf_pbkdf2_small_salt(void)708 static int test_kdf_pbkdf2_small_salt(void)
709 {
710 int ret = 0;
711 EVP_KDF_CTX *kctx = NULL;
712 unsigned int iterations = 4096;
713 int mode = 0;
714 OSSL_PARAM *params;
715
716 params = construct_pbkdf2_params("passwordPASSWORDpassword", "sha256",
717 "saltSALT",
718 &iterations, &mode);
719
720 if (!TEST_ptr(params)
721 || !TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
722 /* A salt that is too small should fail */
723 || !TEST_false(EVP_KDF_CTX_set_params(kctx, params)))
724 goto err;
725
726 ret = 1;
727 err:
728 EVP_KDF_CTX_free(kctx);
729 OPENSSL_free(params);
730 return ret;
731 }
732
test_kdf_pbkdf2_small_iterations(void)733 static int test_kdf_pbkdf2_small_iterations(void)
734 {
735 int ret = 0;
736 EVP_KDF_CTX *kctx = NULL;
737 unsigned int iterations = 1;
738 int mode = 0;
739 OSSL_PARAM *params;
740
741 params = construct_pbkdf2_params("passwordPASSWORDpassword", "sha256",
742 "saltSALTsaltSALTsaltSALTsaltSALTsalt",
743 &iterations, &mode);
744
745 if (!TEST_ptr(params)
746 || !TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
747 /* An iteration count that is too small should fail */
748 || !TEST_false(EVP_KDF_CTX_set_params(kctx, params)))
749 goto err;
750
751 ret = 1;
752 err:
753 EVP_KDF_CTX_free(kctx);
754 OPENSSL_free(params);
755 return ret;
756 }
757
test_kdf_pbkdf2_small_salt_pkcs5(void)758 static int test_kdf_pbkdf2_small_salt_pkcs5(void)
759 {
760 int ret = 0;
761 EVP_KDF_CTX *kctx = NULL;
762 unsigned char out[25];
763 unsigned int iterations = 4096;
764 int mode = 1;
765 OSSL_PARAM *params;
766 OSSL_PARAM mode_params[2];
767
768 params = construct_pbkdf2_params("passwordPASSWORDpassword", "sha256",
769 "saltSALT",
770 &iterations, &mode);
771
772 if (!TEST_ptr(params)
773 || !TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
774 /* A salt that is too small should pass in pkcs5 mode */
775 || !TEST_true(EVP_KDF_CTX_set_params(kctx, params))
776 || !TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0))
777 goto err;
778
779 mode = 0;
780 mode_params[0] = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_PKCS5, &mode);
781 mode_params[1] = OSSL_PARAM_construct_end();
782
783 /* If the "pkcs5" mode is disabled then the derive will now fail */
784 if (!TEST_true(EVP_KDF_CTX_set_params(kctx, mode_params))
785 || !TEST_int_eq(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0))
786 goto err;
787
788 ret = 1;
789 err:
790 EVP_KDF_CTX_free(kctx);
791 OPENSSL_free(params);
792 return ret;
793 }
794
test_kdf_pbkdf2_small_iterations_pkcs5(void)795 static int test_kdf_pbkdf2_small_iterations_pkcs5(void)
796 {
797 int ret = 0;
798 EVP_KDF_CTX *kctx = NULL;
799 unsigned char out[25];
800 unsigned int iterations = 1;
801 int mode = 1;
802 OSSL_PARAM *params;
803 OSSL_PARAM mode_params[2];
804
805 params = construct_pbkdf2_params("passwordPASSWORDpassword", "sha256",
806 "saltSALTsaltSALTsaltSALTsaltSALTsalt",
807 &iterations, &mode);
808
809 if (!TEST_ptr(params)
810 || !TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
811 /* An iteration count that is too small will pass in pkcs5 mode */
812 || !TEST_true(EVP_KDF_CTX_set_params(kctx, params))
813 || !TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0))
814 goto err;
815
816 mode = 0;
817 mode_params[0] = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_PKCS5, &mode);
818 mode_params[1] = OSSL_PARAM_construct_end();
819
820 /* If the "pkcs5" mode is disabled then the derive will now fail */
821 if (!TEST_true(EVP_KDF_CTX_set_params(kctx, mode_params))
822 || !TEST_int_eq(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0))
823 goto err;
824
825 ret = 1;
826 err:
827 EVP_KDF_CTX_free(kctx);
828 OPENSSL_free(params);
829 return ret;
830 }
831
test_kdf_pbkdf2_invalid_digest(void)832 static int test_kdf_pbkdf2_invalid_digest(void)
833 {
834 int ret = 0;
835 EVP_KDF_CTX *kctx = NULL;
836 unsigned int iterations = 4096;
837 int mode = 0;
838 OSSL_PARAM *params;
839
840 params = construct_pbkdf2_params("passwordPASSWORDpassword", "blah",
841 "saltSALTsaltSALTsaltSALTsaltSALTsalt",
842 &iterations, &mode);
843
844 if (!TEST_ptr(params)
845 || !TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2))
846 /* Unknown digest should fail */
847 || !TEST_false(EVP_KDF_CTX_set_params(kctx, params)))
848 goto err;
849
850 ret = 1;
851 err:
852 EVP_KDF_CTX_free(kctx);
853 OPENSSL_free(params);
854 return ret;
855 }
856
857 #ifndef OPENSSL_NO_SCRYPT
test_kdf_scrypt(void)858 static int test_kdf_scrypt(void)
859 {
860 int i, ret;
861 EVP_KDF_CTX *kctx;
862 OSSL_PARAM params[7], *p = params;
863 unsigned char out[64];
864 unsigned int nu = 1024, ru = 8, pu = 16, maxmem = 16;
865 static const unsigned char expected[sizeof(out)] = {
866 0xfd, 0xba, 0xbe, 0x1c, 0x9d, 0x34, 0x72, 0x00,
867 0x78, 0x56, 0xe7, 0x19, 0x0d, 0x01, 0xe9, 0xfe,
868 0x7c, 0x6a, 0xd7, 0xcb, 0xc8, 0x23, 0x78, 0x30,
869 0xe7, 0x73, 0x76, 0x63, 0x4b, 0x37, 0x31, 0x62,
870 0x2e, 0xaf, 0x30, 0xd9, 0x2e, 0x22, 0xa3, 0x88,
871 0x6f, 0xf1, 0x09, 0x27, 0x9d, 0x98, 0x30, 0xda,
872 0xc7, 0x27, 0xaf, 0xb9, 0x4a, 0x83, 0xee, 0x6d,
873 0x83, 0x60, 0xcb, 0xdf, 0xa2, 0xcc, 0x06, 0x40
874 };
875
876 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PASSWORD,
877 (char *)"password", 8);
878 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
879 (char *)"NaCl", 4);
880 *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_SCRYPT_N, &nu);
881 *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_SCRYPT_R, &ru);
882 *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_SCRYPT_P, &pu);
883 *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_SCRYPT_MAXMEM, &maxmem);
884 *p = OSSL_PARAM_construct_end();
885
886 ret = TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SCRYPT));
887 for (i = 0; ret && i < 2; ++i) {
888 ret = ret
889 && TEST_true(EVP_KDF_CTX_set_params(kctx, params));
890 if (i == 0)
891 ret = ret
892 && TEST_int_le(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0)
893 && TEST_true(OSSL_PARAM_set_uint(p - 1, 10 * 1024 * 1024))
894 && TEST_true(EVP_KDF_CTX_set_params(kctx, p - 1));
895 ret = ret
896 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0)
897 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
898 if (i == 0)
899 EVP_KDF_CTX_reset(kctx);
900 }
901
902 EVP_KDF_CTX_free(kctx);
903 return ret;
904 }
905 #endif /* OPENSSL_NO_SCRYPT */
906
test_kdf_ss_hash(void)907 static int test_kdf_ss_hash(void)
908 {
909 int ret;
910 EVP_KDF_CTX *kctx;
911 OSSL_PARAM params[4], *p = params;
912 unsigned char out[14];
913 static unsigned char z[] = {
914 0x6d,0xbd,0xc2,0x3f,0x04,0x54,0x88,0xe4,0x06,0x27,0x57,0xb0,0x6b,0x9e,
915 0xba,0xe1,0x83,0xfc,0x5a,0x59,0x46,0xd8,0x0d,0xb9,0x3f,0xec,0x6f,0x62,
916 0xec,0x07,0xe3,0x72,0x7f,0x01,0x26,0xae,0xd1,0x2c,0xe4,0xb2,0x62,0xf4,
917 0x7d,0x48,0xd5,0x42,0x87,0xf8,0x1d,0x47,0x4c,0x7c,0x3b,0x18,0x50,0xe9
918 };
919 static unsigned char other[] = {
920 0xa1,0xb2,0xc3,0xd4,0xe5,0x43,0x41,0x56,0x53,0x69,0x64,0x3c,0x83,0x2e,
921 0x98,0x49,0xdc,0xdb,0xa7,0x1e,0x9a,0x31,0x39,0xe6,0x06,0xe0,0x95,0xde,
922 0x3c,0x26,0x4a,0x66,0xe9,0x8a,0x16,0x58,0x54,0xcd,0x07,0x98,0x9b,0x1e,
923 0xe0,0xec,0x3f,0x8d,0xbe
924 };
925 static const unsigned char expected[sizeof(out)] = {
926 0xa4,0x62,0xde,0x16,0xa8,0x9d,0xe8,0x46,0x6e,0xf5,0x46,0x0b,0x47,0xb8
927 };
928
929 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
930 (char *)"sha224", 0);
931 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z, sizeof(z));
932 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, other,
933 sizeof(other));
934 *p = OSSL_PARAM_construct_end();
935
936 ret =
937 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SSKDF))
938 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
939 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
940
941 EVP_KDF_CTX_free(kctx);
942 return ret;
943 }
944
test_kdf_x963(void)945 static int test_kdf_x963(void)
946 {
947 int ret;
948 EVP_KDF_CTX *kctx;
949 OSSL_PARAM params[4], *p = params;
950 unsigned char out[1024 / 8];
951 /*
952 * Test data from https://csrc.nist.gov/CSRC/media/Projects/
953 * Cryptographic-Algorithm-Validation-Program/documents/components/
954 * 800-135testvectors/ansx963_2001.zip
955 */
956 static unsigned char z[] = {
957 0x00, 0xaa, 0x5b, 0xb7, 0x9b, 0x33, 0xe3, 0x89, 0xfa, 0x58, 0xce, 0xad,
958 0xc0, 0x47, 0x19, 0x7f, 0x14, 0xe7, 0x37, 0x12, 0xf4, 0x52, 0xca, 0xa9,
959 0xfc, 0x4c, 0x9a, 0xdb, 0x36, 0x93, 0x48, 0xb8, 0x15, 0x07, 0x39, 0x2f,
960 0x1a, 0x86, 0xdd, 0xfd, 0xb7, 0xc4, 0xff, 0x82, 0x31, 0xc4, 0xbd, 0x0f,
961 0x44, 0xe4, 0x4a, 0x1b, 0x55, 0xb1, 0x40, 0x47, 0x47, 0xa9, 0xe2, 0xe7,
962 0x53, 0xf5, 0x5e, 0xf0, 0x5a, 0x2d
963 };
964 static unsigned char shared[] = {
965 0xe3, 0xb5, 0xb4, 0xc1, 0xb0, 0xd5, 0xcf, 0x1d, 0x2b, 0x3a, 0x2f, 0x99,
966 0x37, 0x89, 0x5d, 0x31
967 };
968 static const unsigned char expected[sizeof(out)] = {
969 0x44, 0x63, 0xf8, 0x69, 0xf3, 0xcc, 0x18, 0x76, 0x9b, 0x52, 0x26, 0x4b,
970 0x01, 0x12, 0xb5, 0x85, 0x8f, 0x7a, 0xd3, 0x2a, 0x5a, 0x2d, 0x96, 0xd8,
971 0xcf, 0xfa, 0xbf, 0x7f, 0xa7, 0x33, 0x63, 0x3d, 0x6e, 0x4d, 0xd2, 0xa5,
972 0x99, 0xac, 0xce, 0xb3, 0xea, 0x54, 0xa6, 0x21, 0x7c, 0xe0, 0xb5, 0x0e,
973 0xef, 0x4f, 0x6b, 0x40, 0xa5, 0xc3, 0x02, 0x50, 0xa5, 0xa8, 0xee, 0xee,
974 0x20, 0x80, 0x02, 0x26, 0x70, 0x89, 0xdb, 0xf3, 0x51, 0xf3, 0xf5, 0x02,
975 0x2a, 0xa9, 0x63, 0x8b, 0xf1, 0xee, 0x41, 0x9d, 0xea, 0x9c, 0x4f, 0xf7,
976 0x45, 0xa2, 0x5a, 0xc2, 0x7b, 0xda, 0x33, 0xca, 0x08, 0xbd, 0x56, 0xdd,
977 0x1a, 0x59, 0xb4, 0x10, 0x6c, 0xf2, 0xdb, 0xbc, 0x0a, 0xb2, 0xaa, 0x8e,
978 0x2e, 0xfa, 0x7b, 0x17, 0x90, 0x2d, 0x34, 0x27, 0x69, 0x51, 0xce, 0xcc,
979 0xab, 0x87, 0xf9, 0x66, 0x1c, 0x3e, 0x88, 0x16
980 };
981
982 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
983 (char *)"sha512", 0);
984 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z, sizeof(z));
985 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, shared,
986 sizeof(shared));
987 *p = OSSL_PARAM_construct_end();
988
989 ret =
990 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_X963KDF))
991 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
992 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
993
994 EVP_KDF_CTX_free(kctx);
995 return ret;
996 }
997
998 #if !defined(OPENSSL_NO_CMAC) && !defined(OPENSSL_NO_CAMELLIA)
999 /*
1000 * KBKDF test vectors from RFC 6803 (Camellia Encryption for Kerberos 5)
1001 * section 10.
1002 */
test_kdf_kbkdf_6803_128(void)1003 static int test_kdf_kbkdf_6803_128(void)
1004 {
1005 int ret = 0, i, p;
1006 EVP_KDF_CTX *kctx;
1007 OSSL_PARAM params[7];
1008 static unsigned char input_key[] = {
1009 0x57, 0xD0, 0x29, 0x72, 0x98, 0xFF, 0xD9, 0xD3,
1010 0x5D, 0xE5, 0xA4, 0x7F, 0xB4, 0xBD, 0xE2, 0x4B,
1011 };
1012 static unsigned char constants[][5] = {
1013 { 0x00, 0x00, 0x00, 0x02, 0x99 },
1014 { 0x00, 0x00, 0x00, 0x02, 0xaa },
1015 { 0x00, 0x00, 0x00, 0x02, 0x55 },
1016 };
1017 static unsigned char outputs[][16] = {
1018 {0xD1, 0x55, 0x77, 0x5A, 0x20, 0x9D, 0x05, 0xF0,
1019 0x2B, 0x38, 0xD4, 0x2A, 0x38, 0x9E, 0x5A, 0x56},
1020 {0x64, 0xDF, 0x83, 0xF8, 0x5A, 0x53, 0x2F, 0x17,
1021 0x57, 0x7D, 0x8C, 0x37, 0x03, 0x57, 0x96, 0xAB},
1022 {0x3E, 0x4F, 0xBD, 0xF3, 0x0F, 0xB8, 0x25, 0x9C,
1023 0x42, 0x5C, 0xB6, 0xC9, 0x6F, 0x1F, 0x46, 0x35}
1024 };
1025 static unsigned char iv[16] = { 0 };
1026 unsigned char result[16] = { 0 };
1027
1028 for (i = 0; i < 3; i++) {
1029 p = 0;
1030 params[p++] = OSSL_PARAM_construct_utf8_string(
1031 OSSL_KDF_PARAM_CIPHER, "CAMELLIA-128-CBC", 0);
1032 params[p++] = OSSL_PARAM_construct_utf8_string(
1033 OSSL_KDF_PARAM_MAC, "CMAC", 0);
1034 params[p++] = OSSL_PARAM_construct_utf8_string(
1035 OSSL_KDF_PARAM_MODE, "FEEDBACK", 0);
1036 params[p++] = OSSL_PARAM_construct_octet_string(
1037 OSSL_KDF_PARAM_KEY, input_key, sizeof(input_key));
1038 params[p++] = OSSL_PARAM_construct_octet_string(
1039 OSSL_KDF_PARAM_SALT, constants[i], sizeof(constants[i]));
1040 params[p++] = OSSL_PARAM_construct_octet_string(
1041 OSSL_KDF_PARAM_SEED, iv, sizeof(iv));
1042 params[p] = OSSL_PARAM_construct_end();
1043
1044 kctx = get_kdfbyname("KBKDF");
1045 ret = TEST_ptr(kctx)
1046 && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result),
1047 params), 0)
1048 && TEST_mem_eq(result, sizeof(result), outputs[i],
1049 sizeof(outputs[i]));
1050 EVP_KDF_CTX_free(kctx);
1051 if (ret != 1)
1052 return ret;
1053 }
1054
1055 return ret;
1056 }
1057
test_kdf_kbkdf_6803_256(void)1058 static int test_kdf_kbkdf_6803_256(void)
1059 {
1060 int ret = 0, i, p;
1061 EVP_KDF_CTX *kctx;
1062 OSSL_PARAM params[7];
1063 static unsigned char input_key[] = {
1064 0xB9, 0xD6, 0x82, 0x8B, 0x20, 0x56, 0xB7, 0xBE,
1065 0x65, 0x6D, 0x88, 0xA1, 0x23, 0xB1, 0xFA, 0xC6,
1066 0x82, 0x14, 0xAC, 0x2B, 0x72, 0x7E, 0xCF, 0x5F,
1067 0x69, 0xAF, 0xE0, 0xC4, 0xDF, 0x2A, 0x6D, 0x2C,
1068 };
1069 static unsigned char constants[][5] = {
1070 { 0x00, 0x00, 0x00, 0x02, 0x99 },
1071 { 0x00, 0x00, 0x00, 0x02, 0xaa },
1072 { 0x00, 0x00, 0x00, 0x02, 0x55 },
1073 };
1074 static unsigned char outputs[][32] = {
1075 {0xE4, 0x67, 0xF9, 0xA9, 0x55, 0x2B, 0xC7, 0xD3,
1076 0x15, 0x5A, 0x62, 0x20, 0xAF, 0x9C, 0x19, 0x22,
1077 0x0E, 0xEE, 0xD4, 0xFF, 0x78, 0xB0, 0xD1, 0xE6,
1078 0xA1, 0x54, 0x49, 0x91, 0x46, 0x1A, 0x9E, 0x50,
1079 },
1080 {0x41, 0x2A, 0xEF, 0xC3, 0x62, 0xA7, 0x28, 0x5F,
1081 0xC3, 0x96, 0x6C, 0x6A, 0x51, 0x81, 0xE7, 0x60,
1082 0x5A, 0xE6, 0x75, 0x23, 0x5B, 0x6D, 0x54, 0x9F,
1083 0xBF, 0xC9, 0xAB, 0x66, 0x30, 0xA4, 0xC6, 0x04,
1084 },
1085 {0xFA, 0x62, 0x4F, 0xA0, 0xE5, 0x23, 0x99, 0x3F,
1086 0xA3, 0x88, 0xAE, 0xFD, 0xC6, 0x7E, 0x67, 0xEB,
1087 0xCD, 0x8C, 0x08, 0xE8, 0xA0, 0x24, 0x6B, 0x1D,
1088 0x73, 0xB0, 0xD1, 0xDD, 0x9F, 0xC5, 0x82, 0xB0,
1089 },
1090 };
1091 static unsigned char iv[16] = { 0 };
1092 unsigned char result[32] = { 0 };
1093
1094 for (i = 0; i < 3; i++) {
1095 p = 0;
1096 params[p++] = OSSL_PARAM_construct_utf8_string(
1097 OSSL_KDF_PARAM_CIPHER, "CAMELLIA-256-CBC", 0);
1098 params[p++] = OSSL_PARAM_construct_utf8_string(
1099 OSSL_KDF_PARAM_MAC, "CMAC", 0);
1100 params[p++] = OSSL_PARAM_construct_utf8_string(
1101 OSSL_KDF_PARAM_MODE, "FEEDBACK", 0);
1102 params[p++] = OSSL_PARAM_construct_octet_string(
1103 OSSL_KDF_PARAM_KEY, input_key, sizeof(input_key));
1104 params[p++] = OSSL_PARAM_construct_octet_string(
1105 OSSL_KDF_PARAM_SALT, constants[i], sizeof(constants[i]));
1106 params[p++] = OSSL_PARAM_construct_octet_string(
1107 OSSL_KDF_PARAM_SEED, iv, sizeof(iv));
1108 params[p] = OSSL_PARAM_construct_end();
1109
1110 kctx = get_kdfbyname("KBKDF");
1111 ret = TEST_ptr(kctx)
1112 && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result),
1113 params), 0)
1114 && TEST_mem_eq(result, sizeof(result), outputs[i],
1115 sizeof(outputs[i]));
1116 EVP_KDF_CTX_free(kctx);
1117 if (ret != 1)
1118 return ret;
1119 }
1120
1121 return ret;
1122 }
1123 #endif
1124
construct_kbkdf_params(char * digest,char * mac,unsigned char * key,size_t keylen,char * salt,char * info)1125 static OSSL_PARAM *construct_kbkdf_params(char *digest, char *mac, unsigned char *key,
1126 size_t keylen, char *salt, char *info)
1127 {
1128 OSSL_PARAM *params = OPENSSL_malloc(sizeof(OSSL_PARAM) * 7);
1129 OSSL_PARAM *p = params;
1130
1131 if (params == NULL)
1132 return NULL;
1133
1134 *p++ = OSSL_PARAM_construct_utf8_string(
1135 OSSL_KDF_PARAM_DIGEST, digest, 0);
1136 *p++ = OSSL_PARAM_construct_utf8_string(
1137 OSSL_KDF_PARAM_MAC, mac, 0);
1138 *p++ = OSSL_PARAM_construct_utf8_string(
1139 OSSL_KDF_PARAM_MODE, "COUNTER", 0);
1140 *p++ = OSSL_PARAM_construct_octet_string(
1141 OSSL_KDF_PARAM_KEY, key, keylen);
1142 *p++ = OSSL_PARAM_construct_octet_string(
1143 OSSL_KDF_PARAM_SALT, salt, strlen(salt));
1144 *p++ = OSSL_PARAM_construct_octet_string(
1145 OSSL_KDF_PARAM_INFO, info, strlen(info));
1146 *p = OSSL_PARAM_construct_end();
1147
1148 return params;
1149 }
1150
test_kdf_kbkdf_invalid_digest(void)1151 static int test_kdf_kbkdf_invalid_digest(void)
1152 {
1153 int ret;
1154 EVP_KDF_CTX *kctx;
1155 OSSL_PARAM *params;
1156
1157 static unsigned char key[] = {0x01};
1158
1159 params = construct_kbkdf_params("blah", "HMAC", key, 1, "prf", "test");
1160 if (!TEST_ptr(params))
1161 return 0;
1162
1163 /* Negative test case - set_params should fail */
1164 kctx = get_kdfbyname("KBKDF");
1165 ret = TEST_ptr(kctx)
1166 && TEST_false(EVP_KDF_CTX_set_params(kctx, params));
1167
1168 EVP_KDF_CTX_free(kctx);
1169 OPENSSL_free(params);
1170 return ret;
1171 }
1172
test_kdf_kbkdf_invalid_mac(void)1173 static int test_kdf_kbkdf_invalid_mac(void)
1174 {
1175 int ret;
1176 EVP_KDF_CTX *kctx;
1177 OSSL_PARAM *params;
1178
1179 static unsigned char key[] = {0x01};
1180
1181 params = construct_kbkdf_params("sha256", "blah", key, 1, "prf", "test");
1182 if (!TEST_ptr(params))
1183 return 0;
1184
1185 /* Negative test case - set_params should fail */
1186 kctx = get_kdfbyname("KBKDF");
1187 ret = TEST_ptr(kctx)
1188 && TEST_false(EVP_KDF_CTX_set_params(kctx, params));
1189
1190 EVP_KDF_CTX_free(kctx);
1191 OPENSSL_free(params);
1192 return ret;
1193 }
1194
test_kdf_kbkdf_empty_key(void)1195 static int test_kdf_kbkdf_empty_key(void)
1196 {
1197 int ret;
1198 EVP_KDF_CTX *kctx;
1199 OSSL_PARAM *params;
1200
1201 static unsigned char key[] = {0x01};
1202 unsigned char result[32] = { 0 };
1203
1204 params = construct_kbkdf_params("sha256", "HMAC", key, 0, "prf", "test");
1205 if (!TEST_ptr(params))
1206 return 0;
1207
1208 /* Negative test case - derive should fail */
1209 kctx = get_kdfbyname("KBKDF");
1210 ret = TEST_ptr(kctx)
1211 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
1212 && TEST_int_eq(EVP_KDF_derive(kctx, result, sizeof(result), NULL), 0);
1213
1214 EVP_KDF_CTX_free(kctx);
1215 OPENSSL_free(params);
1216 return ret;
1217 }
1218
test_kdf_kbkdf_1byte_key(void)1219 static int test_kdf_kbkdf_1byte_key(void)
1220 {
1221 int ret;
1222 EVP_KDF_CTX *kctx;
1223 OSSL_PARAM *params;
1224
1225 static unsigned char key[] = {0x01};
1226 unsigned char result[32] = { 0 };
1227
1228 params = construct_kbkdf_params("sha256", "HMAC", key, 1, "prf", "test");
1229 if (!TEST_ptr(params))
1230 return 0;
1231
1232 kctx = get_kdfbyname("KBKDF");
1233 ret = TEST_ptr(kctx)
1234 && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result), params), 0);
1235
1236 EVP_KDF_CTX_free(kctx);
1237 OPENSSL_free(params);
1238 return ret;
1239 }
1240
test_kdf_kbkdf_zero_output_size(void)1241 static int test_kdf_kbkdf_zero_output_size(void)
1242 {
1243 int ret;
1244 EVP_KDF_CTX *kctx;
1245 OSSL_PARAM *params;
1246
1247 static unsigned char key[] = {0x01};
1248 unsigned char result[32] = { 0 };
1249
1250 params = construct_kbkdf_params("sha256", "HMAC", key, 1, "prf", "test");
1251 if (!TEST_ptr(params))
1252 return 0;
1253
1254 /* Negative test case - derive should fail */
1255 kctx = get_kdfbyname("KBKDF");
1256 ret = TEST_ptr(kctx)
1257 && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
1258 && TEST_int_eq(EVP_KDF_derive(kctx, result, 0, NULL), 0);
1259
1260 EVP_KDF_CTX_free(kctx);
1261 OPENSSL_free(params);
1262 return ret;
1263 }
1264
1265 /* Two test vectors from RFC 8009 (AES Encryption with HMAC-SHA2 for Kerberos
1266 * 5) appendix A. */
test_kdf_kbkdf_8009_prf1(void)1267 static int test_kdf_kbkdf_8009_prf1(void)
1268 {
1269 int ret, i = 0;
1270 EVP_KDF_CTX *kctx;
1271 OSSL_PARAM params[6];
1272 char *label = "prf", *digest = "sha256", *prf_input = "test",
1273 *mac = "HMAC";
1274 static unsigned char input_key[] = {
1275 0x37, 0x05, 0xD9, 0x60, 0x80, 0xC1, 0x77, 0x28,
1276 0xA0, 0xE8, 0x00, 0xEA, 0xB6, 0xE0, 0xD2, 0x3C,
1277 };
1278 static unsigned char output[] = {
1279 0x9D, 0x18, 0x86, 0x16, 0xF6, 0x38, 0x52, 0xFE,
1280 0x86, 0x91, 0x5B, 0xB8, 0x40, 0xB4, 0xA8, 0x86,
1281 0xFF, 0x3E, 0x6B, 0xB0, 0xF8, 0x19, 0xB4, 0x9B,
1282 0x89, 0x33, 0x93, 0xD3, 0x93, 0x85, 0x42, 0x95,
1283 };
1284 unsigned char result[sizeof(output)] = { 0 };
1285
1286 params[i++] = OSSL_PARAM_construct_utf8_string(
1287 OSSL_KDF_PARAM_DIGEST, digest, 0);
1288 params[i++] = OSSL_PARAM_construct_utf8_string(
1289 OSSL_KDF_PARAM_MAC, mac, 0);
1290 params[i++] = OSSL_PARAM_construct_octet_string(
1291 OSSL_KDF_PARAM_KEY, input_key, sizeof(input_key));
1292 params[i++] = OSSL_PARAM_construct_octet_string(
1293 OSSL_KDF_PARAM_SALT, label, strlen(label));
1294 params[i++] = OSSL_PARAM_construct_octet_string(
1295 OSSL_KDF_PARAM_INFO, prf_input, strlen(prf_input));
1296 params[i] = OSSL_PARAM_construct_end();
1297
1298 kctx = get_kdfbyname("KBKDF");
1299 ret = TEST_ptr(kctx)
1300 && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result), params), 0)
1301 && TEST_mem_eq(result, sizeof(result), output, sizeof(output));
1302
1303 EVP_KDF_CTX_free(kctx);
1304 return ret;
1305 }
1306
test_kdf_kbkdf_8009_prf2(void)1307 static int test_kdf_kbkdf_8009_prf2(void)
1308 {
1309 int ret, i = 0;
1310 EVP_KDF_CTX *kctx;
1311 OSSL_PARAM params[6];
1312 char *label = "prf", *digest = "sha384", *prf_input = "test",
1313 *mac = "HMAC";
1314 static unsigned char input_key[] = {
1315 0x6D, 0x40, 0x4D, 0x37, 0xFA, 0xF7, 0x9F, 0x9D,
1316 0xF0, 0xD3, 0x35, 0x68, 0xD3, 0x20, 0x66, 0x98,
1317 0x00, 0xEB, 0x48, 0x36, 0x47, 0x2E, 0xA8, 0xA0,
1318 0x26, 0xD1, 0x6B, 0x71, 0x82, 0x46, 0x0C, 0x52,
1319 };
1320 static unsigned char output[] = {
1321 0x98, 0x01, 0xF6, 0x9A, 0x36, 0x8C, 0x2B, 0xF6,
1322 0x75, 0xE5, 0x95, 0x21, 0xE1, 0x77, 0xD9, 0xA0,
1323 0x7F, 0x67, 0xEF, 0xE1, 0xCF, 0xDE, 0x8D, 0x3C,
1324 0x8D, 0x6F, 0x6A, 0x02, 0x56, 0xE3, 0xB1, 0x7D,
1325 0xB3, 0xC1, 0xB6, 0x2A, 0xD1, 0xB8, 0x55, 0x33,
1326 0x60, 0xD1, 0x73, 0x67, 0xEB, 0x15, 0x14, 0xD2,
1327 };
1328 unsigned char result[sizeof(output)] = { 0 };
1329
1330 params[i++] = OSSL_PARAM_construct_utf8_string(
1331 OSSL_KDF_PARAM_DIGEST, digest, 0);
1332 params[i++] = OSSL_PARAM_construct_utf8_string(
1333 OSSL_KDF_PARAM_MAC, mac, 0);
1334 params[i++] = OSSL_PARAM_construct_octet_string(
1335 OSSL_KDF_PARAM_KEY, input_key, sizeof(input_key));
1336 params[i++] = OSSL_PARAM_construct_octet_string(
1337 OSSL_KDF_PARAM_SALT, label, strlen(label));
1338 params[i++] = OSSL_PARAM_construct_octet_string(
1339 OSSL_KDF_PARAM_INFO, prf_input, strlen(prf_input));
1340 params[i] = OSSL_PARAM_construct_end();
1341
1342 kctx = get_kdfbyname("KBKDF");
1343 ret = TEST_ptr(kctx)
1344 && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result), params), 0)
1345 && TEST_mem_eq(result, sizeof(result), output, sizeof(output));
1346
1347 EVP_KDF_CTX_free(kctx);
1348 return ret;
1349 }
1350
1351 #if !defined(OPENSSL_NO_CMAC)
1352 /*
1353 * Test vector taken from
1354 * https://csrc.nist.gov/CSRC/media/Projects/
1355 * Cryptographic-Algorithm-Validation-Program/documents/KBKDF800-108/CounterMode.zip
1356 * Note: Only 32 bit counter is supported ([RLEN=32_BITS])
1357 */
test_kdf_kbkdf_fixedinfo(void)1358 static int test_kdf_kbkdf_fixedinfo(void)
1359 {
1360 int ret;
1361 EVP_KDF_CTX *kctx;
1362 OSSL_PARAM params[8], *p = params;
1363 static char *cipher = "AES128";
1364 static char *mac = "CMAC";
1365 static char *mode = "COUNTER";
1366 int use_l = 0;
1367 int use_separator = 0;
1368
1369 static unsigned char input_key[] = {
1370 0xc1, 0x0b, 0x15, 0x2e, 0x8c, 0x97, 0xb7, 0x7e,
1371 0x18, 0x70, 0x4e, 0x0f, 0x0b, 0xd3, 0x83, 0x05,
1372 };
1373 static unsigned char fixed_input[] = {
1374 0x98, 0xcd, 0x4c, 0xbb, 0xbe, 0xbe, 0x15, 0xd1,
1375 0x7d, 0xc8, 0x6e, 0x6d, 0xba, 0xd8, 0x00, 0xa2,
1376 0xdc, 0xbd, 0x64, 0xf7, 0xc7, 0xad, 0x0e, 0x78,
1377 0xe9, 0xcf, 0x94, 0xff, 0xdb, 0xa8, 0x9d, 0x03,
1378 0xe9, 0x7e, 0xad, 0xf6, 0xc4, 0xf7, 0xb8, 0x06,
1379 0xca, 0xf5, 0x2a, 0xa3, 0x8f, 0x09, 0xd0, 0xeb,
1380 0x71, 0xd7, 0x1f, 0x49, 0x7b, 0xcc, 0x69, 0x06,
1381 0xb4, 0x8d, 0x36, 0xc4,
1382
1383 };
1384 static unsigned char output[] = {
1385 0x26, 0xfa, 0xf6, 0x19, 0x08, 0xad, 0x9e, 0xe8,
1386 0x81, 0xb8, 0x30, 0x5c, 0x22, 0x1d, 0xb5, 0x3f,
1387 };
1388 unsigned char result[sizeof(output)] = { 0 };
1389
1390 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_CIPHER, cipher, 0);
1391 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MAC, mac, 0);
1392 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MODE, mode, 0);
1393 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, input_key,
1394 sizeof(input_key));
1395 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO,
1396 fixed_input, sizeof(fixed_input));
1397 *p++ = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_KBKDF_USE_L, &use_l);
1398 *p++ = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_KBKDF_USE_SEPARATOR,
1399 &use_separator);
1400 *p = OSSL_PARAM_construct_end();
1401
1402 kctx = get_kdfbyname("KBKDF");
1403 ret = TEST_ptr(kctx)
1404 && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result), params), 0)
1405 && TEST_mem_eq(result, sizeof(result), output, sizeof(output));
1406
1407 EVP_KDF_CTX_free(kctx);
1408 return ret;
1409 }
1410 #endif /* OPENSSL_NO_CMAC */
1411
test_kdf_ss_hmac(void)1412 static int test_kdf_ss_hmac(void)
1413 {
1414 int ret;
1415 EVP_KDF_CTX *kctx;
1416 OSSL_PARAM params[6], *p = params;
1417 unsigned char out[16];
1418 static unsigned char z[] = {
1419 0xb7,0x4a,0x14,0x9a,0x16,0x15,0x46,0xf8,0xc2,0x0b,0x06,0xac,0x4e,0xd4
1420 };
1421 static unsigned char other[] = {
1422 0x34,0x8a,0x37,0xa2,0x7e,0xf1,0x28,0x2f,0x5f,0x02,0x0d,0xcc
1423 };
1424 static unsigned char salt[] = {
1425 0x36,0x38,0x27,0x1c,0xcd,0x68,0xa2,0x5d,0xc2,0x4e,0xcd,0xdd,0x39,0xef,
1426 0x3f,0x89
1427 };
1428 static const unsigned char expected[sizeof(out)] = {
1429 0x44,0xf6,0x76,0xe8,0x5c,0x1b,0x1a,0x8b,0xbc,0x3d,0x31,0x92,0x18,0x63,
1430 0x1c,0xa3
1431 };
1432
1433 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MAC,
1434 (char *)OSSL_MAC_NAME_HMAC, 0);
1435 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
1436 (char *)"sha256", 0);
1437 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z, sizeof(z));
1438 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, other,
1439 sizeof(other));
1440 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT, salt,
1441 sizeof(salt));
1442 *p = OSSL_PARAM_construct_end();
1443
1444 ret =
1445 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SSKDF))
1446 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
1447 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
1448
1449 EVP_KDF_CTX_free(kctx);
1450 return ret;
1451 }
1452
test_kdf_ss_kmac(void)1453 static int test_kdf_ss_kmac(void)
1454 {
1455 int ret;
1456 EVP_KDF_CTX *kctx;
1457 OSSL_PARAM params[7], *p = params;
1458 unsigned char out[64];
1459 size_t mac_size = 20;
1460 static unsigned char z[] = {
1461 0xb7,0x4a,0x14,0x9a,0x16,0x15,0x46,0xf8,0xc2,0x0b,0x06,0xac,0x4e,0xd4
1462 };
1463 static unsigned char other[] = {
1464 0x34,0x8a,0x37,0xa2,0x7e,0xf1,0x28,0x2f,0x5f,0x02,0x0d,0xcc
1465 };
1466 static unsigned char salt[] = {
1467 0x36,0x38,0x27,0x1c,0xcd,0x68,0xa2,0x5d,0xc2,0x4e,0xcd,0xdd,0x39,0xef,
1468 0x3f,0x89
1469 };
1470 static const unsigned char expected[sizeof(out)] = {
1471 0xe9,0xc1,0x84,0x53,0xa0,0x62,0xb5,0x3b,0xdb,0xfc,0xbb,0x5a,0x34,0xbd,
1472 0xb8,0xe5,0xe7,0x07,0xee,0xbb,0x5d,0xd1,0x34,0x42,0x43,0xd8,0xcf,0xc2,
1473 0xc2,0xe6,0x33,0x2f,0x91,0xbd,0xa5,0x86,0xf3,0x7d,0xe4,0x8a,0x65,0xd4,
1474 0xc5,0x14,0xfd,0xef,0xaa,0x1e,0x67,0x54,0xf3,0x73,0xd2,0x38,0xe1,0x95,
1475 0xae,0x15,0x7e,0x1d,0xe8,0x14,0x98,0x03
1476 };
1477
1478 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MAC,
1479 (char *)OSSL_MAC_NAME_KMAC128, 0);
1480 /* The digest parameter is not needed here and should be ignored */
1481 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
1482 (char *)"SHA256", 0);
1483 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z, sizeof(z));
1484 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, other,
1485 sizeof(other));
1486 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT, salt,
1487 sizeof(salt));
1488 *p++ = OSSL_PARAM_construct_size_t(OSSL_KDF_PARAM_MAC_SIZE, &mac_size);
1489 *p = OSSL_PARAM_construct_end();
1490
1491 ret =
1492 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SSKDF))
1493 && TEST_size_t_eq(EVP_KDF_CTX_get_kdf_size(kctx), 0)
1494 && TEST_int_eq(EVP_KDF_CTX_set_params(kctx, params), 1)
1495 /* The bug fix for KMAC returning SIZE_MAX was added in 3.0.8 */
1496 && (fips_provider_version_lt(NULL, 3, 0, 8)
1497 || TEST_size_t_eq(EVP_KDF_CTX_get_kdf_size(kctx), SIZE_MAX))
1498 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0)
1499 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
1500
1501 EVP_KDF_CTX_free(kctx);
1502 return ret;
1503 }
1504
test_kdf_sshkdf(void)1505 static int test_kdf_sshkdf(void)
1506 {
1507 int ret;
1508 EVP_KDF_CTX *kctx;
1509 OSSL_PARAM params[6], *p = params;
1510 char kdftype = EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV;
1511 unsigned char out[8];
1512 /* Test data from NIST CAVS 14.1 test vectors */
1513 static unsigned char key[] = {
1514 0x00, 0x00, 0x00, 0x81, 0x00, 0x87, 0x5c, 0x55, 0x1c, 0xef, 0x52, 0x6a,
1515 0x4a, 0x8b, 0xe1, 0xa7, 0xdf, 0x27, 0xe9, 0xed, 0x35, 0x4b, 0xac, 0x9a,
1516 0xfb, 0x71, 0xf5, 0x3d, 0xba, 0xe9, 0x05, 0x67, 0x9d, 0x14, 0xf9, 0xfa,
1517 0xf2, 0x46, 0x9c, 0x53, 0x45, 0x7c, 0xf8, 0x0a, 0x36, 0x6b, 0xe2, 0x78,
1518 0x96, 0x5b, 0xa6, 0x25, 0x52, 0x76, 0xca, 0x2d, 0x9f, 0x4a, 0x97, 0xd2,
1519 0x71, 0xf7, 0x1e, 0x50, 0xd8, 0xa9, 0xec, 0x46, 0x25, 0x3a, 0x6a, 0x90,
1520 0x6a, 0xc2, 0xc5, 0xe4, 0xf4, 0x8b, 0x27, 0xa6, 0x3c, 0xe0, 0x8d, 0x80,
1521 0x39, 0x0a, 0x49, 0x2a, 0xa4, 0x3b, 0xad, 0x9d, 0x88, 0x2c, 0xca, 0xc2,
1522 0x3d, 0xac, 0x88, 0xbc, 0xad, 0xa4, 0xb4, 0xd4, 0x26, 0xa3, 0x62, 0x08,
1523 0x3d, 0xab, 0x65, 0x69, 0xc5, 0x4c, 0x22, 0x4d, 0xd2, 0xd8, 0x76, 0x43,
1524 0xaa, 0x22, 0x76, 0x93, 0xe1, 0x41, 0xad, 0x16, 0x30, 0xce, 0x13, 0x14,
1525 0x4e
1526 };
1527 static unsigned char xcghash[] = {
1528 0x0e, 0x68, 0x3f, 0xc8, 0xa9, 0xed, 0x7c, 0x2f, 0xf0, 0x2d, 0xef, 0x23,
1529 0xb2, 0x74, 0x5e, 0xbc, 0x99, 0xb2, 0x67, 0xda, 0xa8, 0x6a, 0x4a, 0xa7,
1530 0x69, 0x72, 0x39, 0x08, 0x82, 0x53, 0xf6, 0x42
1531 };
1532 static unsigned char sessid[] = {
1533 0x0e, 0x68, 0x3f, 0xc8, 0xa9, 0xed, 0x7c, 0x2f, 0xf0, 0x2d, 0xef, 0x23,
1534 0xb2, 0x74, 0x5e, 0xbc, 0x99, 0xb2, 0x67, 0xda, 0xa8, 0x6a, 0x4a, 0xa7,
1535 0x69, 0x72, 0x39, 0x08, 0x82, 0x53, 0xf6, 0x42
1536 };
1537 static const unsigned char expected[sizeof(out)] = {
1538 0x41, 0xff, 0x2e, 0xad, 0x16, 0x83, 0xf1, 0xe6
1539 };
1540
1541 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
1542 (char *)"sha256", 0);
1543 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, key,
1544 sizeof(key));
1545 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SSHKDF_XCGHASH,
1546 xcghash, sizeof(xcghash));
1547 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SSHKDF_SESSION_ID,
1548 sessid, sizeof(sessid));
1549 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_SSHKDF_TYPE,
1550 &kdftype, sizeof(kdftype));
1551 *p = OSSL_PARAM_construct_end();
1552
1553 ret =
1554 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SSHKDF))
1555 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
1556 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
1557
1558 EVP_KDF_CTX_free(kctx);
1559 return ret;
1560 }
1561
test_kdfs_same(EVP_KDF * kdf1,EVP_KDF * kdf2)1562 static int test_kdfs_same( EVP_KDF *kdf1, EVP_KDF *kdf2)
1563 {
1564 /* Fast path in case the two are the same algorithm pointer */
1565 if (kdf1 == kdf2)
1566 return 1;
1567 /*
1568 * Compare their names and providers instead.
1569 * This is necessary in a non-caching build (or a cache flush during fetch)
1570 * because without the algorithm in the cache, fetching it a second time
1571 * will result in a different pointer.
1572 */
1573 return TEST_ptr_eq(EVP_KDF_get0_provider(kdf1), EVP_KDF_get0_provider(kdf2))
1574 && TEST_str_eq(EVP_KDF_get0_name(kdf1), EVP_KDF_get0_name(kdf2));
1575 }
1576
test_kdf_get_kdf(void)1577 static int test_kdf_get_kdf(void)
1578 {
1579 EVP_KDF *kdf1 = NULL, *kdf2 = NULL;
1580 ASN1_OBJECT *obj;
1581 int ok = 1;
1582
1583 if (!TEST_ptr(obj = OBJ_nid2obj(NID_id_pbkdf2))
1584 || !TEST_ptr(kdf1 = EVP_KDF_fetch(NULL, OSSL_KDF_NAME_PBKDF2, NULL))
1585 || !TEST_ptr(kdf2 = EVP_KDF_fetch(NULL, OBJ_nid2sn(OBJ_obj2nid(obj)),
1586 NULL))
1587 || !test_kdfs_same(kdf1, kdf2))
1588 ok = 0;
1589 EVP_KDF_free(kdf1);
1590 kdf1 = NULL;
1591 EVP_KDF_free(kdf2);
1592 kdf2 = NULL;
1593
1594 if (!TEST_ptr(kdf1 = EVP_KDF_fetch(NULL, SN_tls1_prf, NULL))
1595 || !TEST_ptr(kdf2 = EVP_KDF_fetch(NULL, LN_tls1_prf, NULL))
1596 || !test_kdfs_same(kdf1, kdf2))
1597 ok = 0;
1598 /* kdf1 is re-used below, so don't free it here */
1599 EVP_KDF_free(kdf2);
1600 kdf2 = NULL;
1601
1602 if (!TEST_ptr(kdf2 = EVP_KDF_fetch(NULL, OBJ_nid2sn(NID_tls1_prf), NULL))
1603 || !test_kdfs_same(kdf1, kdf2))
1604 ok = 0;
1605 EVP_KDF_free(kdf1);
1606 kdf1 = NULL;
1607 EVP_KDF_free(kdf2);
1608 kdf2 = NULL;
1609
1610 return ok;
1611 }
1612
1613 #if !defined(OPENSSL_NO_CMS) && !defined(OPENSSL_NO_DES)
test_kdf_x942_asn1(void)1614 static int test_kdf_x942_asn1(void)
1615 {
1616 int ret;
1617 EVP_KDF_CTX *kctx = NULL;
1618 OSSL_PARAM params[4], *p = params;
1619 const char *cek_alg = SN_id_smime_alg_CMS3DESwrap;
1620 unsigned char out[24];
1621 /* RFC2631 Section 2.1.6 Test data */
1622 static unsigned char z[] = {
1623 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,
1624 0x0e,0x0f,0x10,0x11,0x12,0x13
1625 };
1626 static const unsigned char expected[sizeof(out)] = {
1627 0xa0,0x96,0x61,0x39,0x23,0x76,0xf7,0x04,
1628 0x4d,0x90,0x52,0xa3,0x97,0x88,0x32,0x46,
1629 0xb6,0x7f,0x5f,0x1e,0xf6,0x3e,0xb5,0xfb
1630 };
1631
1632 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
1633 (char *)"sha1", 0);
1634 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z,
1635 sizeof(z));
1636 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_CEK_ALG,
1637 (char *)cek_alg, 0);
1638 *p = OSSL_PARAM_construct_end();
1639
1640 ret =
1641 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_X942KDF_ASN1))
1642 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
1643 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
1644
1645 EVP_KDF_CTX_free(kctx);
1646 return ret;
1647 }
1648 #endif /* OPENSSL_NO_CMS */
1649
test_kdf_krb5kdf(void)1650 static int test_kdf_krb5kdf(void)
1651 {
1652 int ret;
1653 EVP_KDF_CTX *kctx;
1654 OSSL_PARAM params[4], *p = params;
1655 unsigned char out[16];
1656 static unsigned char key[] = {
1657 0x42, 0x26, 0x3C, 0x6E, 0x89, 0xF4, 0xFC, 0x28,
1658 0xB8, 0xDF, 0x68, 0xEE, 0x09, 0x79, 0x9F, 0x15
1659 };
1660 static unsigned char constant[] = {
1661 0x00, 0x00, 0x00, 0x02, 0x99
1662 };
1663 static const unsigned char expected[sizeof(out)] = {
1664 0x34, 0x28, 0x0A, 0x38, 0x2B, 0xC9, 0x27, 0x69,
1665 0xB2, 0xDA, 0x2F, 0x9E, 0xF0, 0x66, 0x85, 0x4B
1666 };
1667
1668 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_CIPHER,
1669 (char *)"AES-128-CBC", 0);
1670 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, key,
1671 sizeof(key));
1672 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_CONSTANT,
1673 constant, sizeof(constant));
1674 *p = OSSL_PARAM_construct_end();
1675
1676 ret =
1677 TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_KRB5KDF))
1678 && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)
1679 && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
1680
1681 EVP_KDF_CTX_free(kctx);
1682 return ret;
1683 }
1684
setup_tests(void)1685 int setup_tests(void)
1686 {
1687 ADD_TEST(test_kdf_pbkdf1);
1688 ADD_TEST(test_kdf_pbkdf1_key_too_long);
1689 #if !defined(OPENSSL_NO_CMAC) && !defined(OPENSSL_NO_CAMELLIA)
1690 ADD_TEST(test_kdf_kbkdf_6803_128);
1691 ADD_TEST(test_kdf_kbkdf_6803_256);
1692 #endif
1693 ADD_TEST(test_kdf_kbkdf_invalid_digest);
1694 ADD_TEST(test_kdf_kbkdf_invalid_mac);
1695 ADD_TEST(test_kdf_kbkdf_zero_output_size);
1696 ADD_TEST(test_kdf_kbkdf_empty_key);
1697 ADD_TEST(test_kdf_kbkdf_1byte_key);
1698 ADD_TEST(test_kdf_kbkdf_8009_prf1);
1699 ADD_TEST(test_kdf_kbkdf_8009_prf2);
1700 #if !defined(OPENSSL_NO_CMAC)
1701 ADD_TEST(test_kdf_kbkdf_fixedinfo);
1702 #endif
1703 ADD_TEST(test_kdf_get_kdf);
1704 ADD_TEST(test_kdf_tls1_prf);
1705 ADD_TEST(test_kdf_tls1_prf_invalid_digest);
1706 ADD_TEST(test_kdf_tls1_prf_zero_output_size);
1707 ADD_TEST(test_kdf_tls1_prf_empty_secret);
1708 ADD_TEST(test_kdf_tls1_prf_1byte_secret);
1709 ADD_TEST(test_kdf_tls1_prf_empty_seed);
1710 ADD_TEST(test_kdf_tls1_prf_1byte_seed);
1711 ADD_TEST(test_kdf_hkdf);
1712 ADD_TEST(test_kdf_hkdf_invalid_digest);
1713 ADD_TEST(test_kdf_hkdf_zero_output_size);
1714 ADD_TEST(test_kdf_hkdf_empty_key);
1715 ADD_TEST(test_kdf_hkdf_1byte_key);
1716 ADD_TEST(test_kdf_hkdf_empty_salt);
1717 ADD_TEST(test_kdf_hkdf_gettables);
1718 ADD_TEST(test_kdf_hkdf_gettables_expandonly);
1719 ADD_TEST(test_kdf_hkdf_gettables_no_digest);
1720 ADD_TEST(test_kdf_hkdf_derive_set_params_fail);
1721 ADD_TEST(test_kdf_hkdf_set_invalid_mode);
1722 ADD_TEST(test_kdf_hkdf_set_ctx_param_fail);
1723 ADD_TEST(test_kdf_pbkdf2);
1724 ADD_TEST(test_kdf_pbkdf2_small_output);
1725 ADD_TEST(test_kdf_pbkdf2_large_output);
1726 ADD_TEST(test_kdf_pbkdf2_small_salt);
1727 ADD_TEST(test_kdf_pbkdf2_small_iterations);
1728 ADD_TEST(test_kdf_pbkdf2_small_salt_pkcs5);
1729 ADD_TEST(test_kdf_pbkdf2_small_iterations_pkcs5);
1730 ADD_TEST(test_kdf_pbkdf2_invalid_digest);
1731 #ifndef OPENSSL_NO_SCRYPT
1732 ADD_TEST(test_kdf_scrypt);
1733 #endif
1734 ADD_TEST(test_kdf_ss_hash);
1735 ADD_TEST(test_kdf_ss_hmac);
1736 ADD_TEST(test_kdf_ss_kmac);
1737 ADD_TEST(test_kdf_sshkdf);
1738 ADD_TEST(test_kdf_x963);
1739 #if !defined(OPENSSL_NO_CMS) && !defined(OPENSSL_NO_DES)
1740 ADD_TEST(test_kdf_x942_asn1);
1741 #endif
1742 ADD_TEST(test_kdf_krb5kdf);
1743 return 1;
1744 }
1745