xref: /freebsd/contrib/wpa/src/crypto/crypto_module_tests.c (revision a90b9d0159070121c221b966469c3e36d912bf82)
1 /*
2  * crypto module tests
3  * Copyright (c) 2014-2015, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "utils/includes.h"
10 
11 #include "utils/common.h"
12 #include "utils/module_tests.h"
13 #include "crypto/aes_siv.h"
14 #include "crypto/aes_wrap.h"
15 #include "crypto/aes.h"
16 #include "crypto/ms_funcs.h"
17 #include "crypto/crypto.h"
18 #include "crypto/sha1.h"
19 #include "crypto/sha256.h"
20 #include "crypto/sha384.h"
21 
22 
test_siv(void)23 static int test_siv(void)
24 {
25 #ifdef CONFIG_MESH
26 	/* RFC 5297, A.1. Deterministic Authenticated Encryption Example */
27 	u8 key[] = {
28 		0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
29 		0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
30 		0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
31 		0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff
32 	};
33 	u8 ad[] = {
34 		0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
35 		0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
36 		0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27
37 	};
38 	u8 plaintext[] = {
39 		0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88,
40 		0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee
41 	};
42 	u8 iv_c[] = {
43 		0x85, 0x63, 0x2d, 0x07, 0xc6, 0xe8, 0xf3, 0x7f,
44 		0x95, 0x0a, 0xcd, 0x32, 0x0a, 0x2e, 0xcc, 0x93,
45 		0x40, 0xc0, 0x2b, 0x96, 0x90, 0xc4, 0xdc, 0x04,
46 		0xda, 0xef, 0x7f, 0x6a, 0xfe, 0x5c
47 	};
48 	/* RFC 5297, A.2. Nonce-Based Authenticated Encryption Example */
49 	u8 key_2[] = {
50 		0x7f, 0x7e, 0x7d, 0x7c, 0x7b, 0x7a, 0x79, 0x78,
51 		0x77, 0x76, 0x75, 0x74, 0x73, 0x72, 0x71, 0x70,
52 		0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
53 		0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f
54 	};
55 	u8 ad1_2[] = {
56 		0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
57 		0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
58 		0xde, 0xad, 0xda, 0xda, 0xde, 0xad, 0xda, 0xda,
59 		0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99, 0x88,
60 		0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11, 0x00
61 	};
62 	u8 ad2_2[] = {
63 		0x10, 0x20, 0x30, 0x40, 0x50, 0x60, 0x70, 0x80,
64 		0x90, 0xa0
65 	};
66 	u8 nonce_2[] = {
67 		0x09, 0xf9, 0x11, 0x02, 0x9d, 0x74, 0xe3, 0x5b,
68 		0xd8, 0x41, 0x56, 0xc5, 0x63, 0x56, 0x88, 0xc0
69 	};
70 	u8 plaintext_2[] = {
71 		0x74, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20,
72 		0x73, 0x6f, 0x6d, 0x65, 0x20, 0x70, 0x6c, 0x61,
73 		0x69, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x20, 0x74,
74 		0x6f, 0x20, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70,
75 		0x74, 0x20, 0x75, 0x73, 0x69, 0x6e, 0x67, 0x20,
76 		0x53, 0x49, 0x56, 0x2d, 0x41, 0x45, 0x53
77 	};
78 	u8 iv_c_2[] = {
79 		0x7b, 0xdb, 0x6e, 0x3b, 0x43, 0x26, 0x67, 0xeb,
80 		0x06, 0xf4, 0xd1, 0x4b, 0xff, 0x2f, 0xbd, 0x0f,
81 		0xcb, 0x90, 0x0f, 0x2f, 0xdd, 0xbe, 0x40, 0x43,
82 		0x26, 0x60, 0x19, 0x65, 0xc8, 0x89, 0xbf, 0x17,
83 		0xdb, 0xa7, 0x7c, 0xeb, 0x09, 0x4f, 0xa6, 0x63,
84 		0xb7, 0xa3, 0xf7, 0x48, 0xba, 0x8a, 0xf8, 0x29,
85 		0xea, 0x64, 0xad, 0x54, 0x4a, 0x27, 0x2e, 0x9c,
86 		0x48, 0x5b, 0x62, 0xa3, 0xfd, 0x5c, 0x0d
87 	};
88 	u8 out[2 * AES_BLOCK_SIZE + sizeof(plaintext_2)];
89 	const u8 *addr[3];
90 	size_t len[3];
91 
92 	/* RFC 5297, A.1. Deterministic Authenticated Encryption Example */
93 	addr[0] = ad;
94 	len[0] = sizeof(ad);
95 
96 	if (aes_siv_encrypt(key, sizeof(key), plaintext, sizeof(plaintext),
97 			    1, addr, len, out)) {
98 		wpa_printf(MSG_ERROR, "AES-SIV mode encryption failed");
99 		return 1;
100 	}
101 	if (os_memcmp(out, iv_c, sizeof(iv_c)) != 0) {
102 		wpa_printf(MSG_ERROR,
103 			   "AES-SIV mode encryption returned invalid cipher text");
104 		return 1;
105 	}
106 
107 	if (aes_siv_decrypt(key, sizeof(key), iv_c, sizeof(iv_c),
108 			    1, addr, len, out)) {
109 		wpa_printf(MSG_ERROR, "AES-SIV mode decryption failed");
110 		return 1;
111 	}
112 	if (os_memcmp(out, plaintext, sizeof(plaintext)) != 0) {
113 		wpa_printf(MSG_ERROR,
114 			   "AES-SIV mode decryption returned invalid plain text");
115 		return 1;
116 	}
117 
118 	/* RFC 5297, A.2. Nonce-Based Authenticated Encryption Example */
119 	addr[0] = ad1_2;
120 	len[0] = sizeof(ad1_2);
121 	addr[1] = ad2_2;
122 	len[1] = sizeof(ad2_2);
123 	addr[2] = nonce_2;
124 	len[2] = sizeof(nonce_2);
125 
126 	if (aes_siv_encrypt(key_2, sizeof(key_2),
127 			    plaintext_2, sizeof(plaintext_2),
128 			    3, addr, len, out)) {
129 		wpa_printf(MSG_ERROR, "AES-SIV mode encryption failed");
130 		return 1;
131 	}
132 	if (os_memcmp(out, iv_c_2, sizeof(iv_c_2)) != 0) {
133 		wpa_printf(MSG_ERROR,
134 			   "AES-SIV mode encryption returned invalid cipher text");
135 		return 1;
136 	}
137 
138 	if (aes_siv_decrypt(key_2, sizeof(key_2), iv_c_2, sizeof(iv_c_2),
139 			    3, addr, len, out)) {
140 		wpa_printf(MSG_ERROR, "AES-SIV mode decryption failed");
141 		return 1;
142 	}
143 	if (os_memcmp(out, plaintext_2, sizeof(plaintext_2)) != 0) {
144 		wpa_printf(MSG_ERROR,
145 			   "AES-SIV mode decryption returned invalid plain text");
146 		return 1;
147 	}
148 
149 	wpa_printf(MSG_INFO, "AES-SIV test cases passed");
150 #endif /* CONFIG_MESH */
151 
152 	return 0;
153 }
154 
155 
156 /* OMAC1 AES-128 test vectors from
157  * http://csrc.nist.gov/CryptoToolkit/modes/proposedmodes/omac/omac-ad.pdf
158  * which are same as the examples from NIST SP800-38B
159  * http://csrc.nist.gov/CryptoToolkit/modes/800-38_Series_Publications/SP800-38B.pdf
160  */
161 
162 struct omac1_test_vector {
163 	u8 k[16];
164 	u8 msg[64];
165 	int msg_len;
166 	u8 tag[16];
167 };
168 
169 static const struct omac1_test_vector omac1_test_vectors[] =
170 {
171 	{
172 		{ 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
173 		  0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c },
174 		{ },
175 		0,
176 		{ 0xbb, 0x1d, 0x69, 0x29, 0xe9, 0x59, 0x37, 0x28,
177 		  0x7f, 0xa3, 0x7d, 0x12, 0x9b, 0x75, 0x67, 0x46 }
178 	},
179 	{
180 		{ 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
181 		  0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c },
182 		{ 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
183 		  0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a},
184 		16,
185 		{ 0x07, 0x0a, 0x16, 0xb4, 0x6b, 0x4d, 0x41, 0x44,
186 		  0xf7, 0x9b, 0xdd, 0x9d, 0xd0, 0x4a, 0x28, 0x7c }
187 	},
188 	{
189 		{ 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
190 		  0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c },
191 		{ 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
192 		  0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
193 		  0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
194 		  0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
195 		  0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11 },
196 		40,
197 		{ 0xdf, 0xa6, 0x67, 0x47, 0xde, 0x9a, 0xe6, 0x30,
198 		  0x30, 0xca, 0x32, 0x61, 0x14, 0x97, 0xc8, 0x27 }
199 	},
200 	{
201 		{ 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
202 		  0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c },
203 		{ 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
204 		  0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
205 		  0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
206 		  0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
207 		  0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11,
208 		  0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef,
209 		  0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17,
210 		  0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10 },
211 		64,
212 		{ 0x51, 0xf0, 0xbe, 0xbf, 0x7e, 0x3b, 0x9d, 0x92,
213 		  0xfc, 0x49, 0x74, 0x17, 0x79, 0x36, 0x3c, 0xfe }
214 	},
215 };
216 
217 
test_omac1_vector(const struct omac1_test_vector * tv,unsigned int i)218 static int test_omac1_vector(const struct omac1_test_vector *tv,
219 			     unsigned int i)
220 {
221 	u8 key[] = {
222 		0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
223 		0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c
224 	};
225 	u8 msg[] = { 0x12, 0x34, 0x56 };
226 	u8 result[24], result2[24];
227 	const u8 *addr[3];
228 	size_t len[3];
229 
230 	if (omac1_aes_128(tv->k, tv->msg, tv->msg_len, result) ||
231 	    os_memcmp(result, tv->tag, 16) != 0) {
232 		wpa_printf(MSG_ERROR, "OMAC1-AES-128 test vector %u failed", i);
233 		return 1;
234 	}
235 
236 	if (tv->msg_len > 1) {
237 
238 		addr[0] = tv->msg;
239 		len[0] = 1;
240 		addr[1] = tv->msg + 1;
241 		len[1] = tv->msg_len - 1;
242 
243 		if (omac1_aes_128_vector(tv->k, 2, addr, len, result) ||
244 		    os_memcmp(result, tv->tag, 16) != 0) {
245 			wpa_printf(MSG_ERROR,
246 				   "OMAC1-AES-128(vector) test vector %u failed",
247 				   i);
248 			return 1;
249 		}
250 
251 		addr[0] = tv->msg;
252 		len[0] = tv->msg_len - 2;
253 		addr[1] = tv->msg + tv->msg_len - 2;
254 		len[1] = 1;
255 		addr[2] = tv->msg + tv->msg_len - 1;
256 		len[2] = 1;
257 
258 		if (omac1_aes_128_vector(tv->k, 3, addr, len, result) ||
259 		    os_memcmp(result, tv->tag, 16) != 0) {
260 			wpa_printf(MSG_ERROR,
261 				   "OMAC1-AES-128(vector2) test vector %u failed",
262 				   i);
263 			return 1;
264 		}
265 	}
266 
267 	addr[0] = &msg[0];
268 	len[0] = 1;
269 	addr[1] = &msg[1];
270 	len[1] = 1;
271 	addr[2] = &msg[2];
272 	len[2] = 1;
273 	if (omac1_aes_128(key, msg, sizeof(msg), result) ||
274 	    omac1_aes_128_vector(key, 3, addr, len, result2) ||
275 	    os_memcmp(result, result2, 16) != 0) {
276 		wpa_printf(MSG_ERROR, "OMAC1-AES-128 short test mismatch");
277 		return 1;
278 	}
279 
280 	return 0;
281 }
282 
283 
test_omac1(void)284 static int test_omac1(void)
285 {
286 	unsigned int i;
287 
288 	for (i = 0; i < ARRAY_SIZE(omac1_test_vectors); i++) {
289 		if (test_omac1_vector(&omac1_test_vectors[i], i))
290 			return 1;
291 	}
292 
293 	wpa_printf(MSG_INFO, "OMAC1-AES-128 test cases passed");
294 
295 	return 0;
296 }
297 
298 
test_eax(void)299 static int test_eax(void)
300 {
301 #ifdef EAP_PSK
302 	u8 msg[] = { 0xF7, 0xFB };
303 	u8 key[] = { 0x91, 0x94, 0x5D, 0x3F, 0x4D, 0xCB, 0xEE, 0x0B,
304 		     0xF4, 0x5E, 0xF5, 0x22, 0x55, 0xF0, 0x95, 0xA4 };
305 	u8 nonce[] = { 0xBE, 0xCA, 0xF0, 0x43, 0xB0, 0xA2, 0x3D, 0x84,
306 		       0x31, 0x94, 0xBA, 0x97, 0x2C, 0x66, 0xDE, 0xBD };
307 	u8 hdr[] = { 0xFA, 0x3B, 0xFD, 0x48, 0x06, 0xEB, 0x53, 0xFA };
308 	u8 cipher[] = { 0x19, 0xDD, 0x5C, 0x4C, 0x93, 0x31, 0x04, 0x9D,
309 			0x0B, 0xDA, 0xB0, 0x27, 0x74, 0x08, 0xF6, 0x79,
310 			0x67, 0xE5 };
311 	u8 data[sizeof(msg)], tag[AES_BLOCK_SIZE];
312 
313 	os_memcpy(data, msg, sizeof(msg));
314 	if (aes_128_eax_encrypt(key, nonce, sizeof(nonce), hdr, sizeof(hdr),
315 				data, sizeof(data), tag)) {
316 		wpa_printf(MSG_ERROR, "AES-128 EAX mode encryption failed");
317 		return 1;
318 	}
319 	if (os_memcmp(data, cipher, sizeof(data)) != 0) {
320 		wpa_printf(MSG_ERROR,
321 			   "AES-128 EAX mode encryption returned invalid cipher text");
322 		return 1;
323 	}
324 	if (os_memcmp(tag, cipher + sizeof(data), AES_BLOCK_SIZE) != 0) {
325 		wpa_printf(MSG_ERROR,
326 			   "AES-128 EAX mode encryption returned invalid tag");
327 		return 1;
328 	}
329 
330 	if (aes_128_eax_decrypt(key, nonce, sizeof(nonce), hdr, sizeof(hdr),
331 				data, sizeof(data), tag)) {
332 		wpa_printf(MSG_ERROR, "AES-128 EAX mode decryption failed");
333 		return 1;
334 	}
335 	if (os_memcmp(data, msg, sizeof(data)) != 0) {
336 		wpa_printf(MSG_ERROR,
337 			   "AES-128 EAX mode decryption returned invalid plain text");
338 		return 1;
339 	}
340 
341 	wpa_printf(MSG_INFO, "AES-128 EAX mode test cases passed");
342 #endif /* EAP_PSK */
343 
344 	return 0;
345 }
346 
347 
test_cbc(void)348 static int test_cbc(void)
349 {
350 	struct cbc_test_vector {
351 		u8 key[16];
352 		u8 iv[16];
353 		u8 plain[32];
354 		u8 cipher[32];
355 		size_t len;
356 	} vectors[] = {
357 		{
358 			{ 0x06, 0xa9, 0x21, 0x40, 0x36, 0xb8, 0xa1, 0x5b,
359 			  0x51, 0x2e, 0x03, 0xd5, 0x34, 0x12, 0x00, 0x06 },
360 			{ 0x3d, 0xaf, 0xba, 0x42, 0x9d, 0x9e, 0xb4, 0x30,
361 			  0xb4, 0x22, 0xda, 0x80, 0x2c, 0x9f, 0xac, 0x41 },
362 			"Single block msg",
363 			{ 0xe3, 0x53, 0x77, 0x9c, 0x10, 0x79, 0xae, 0xb8,
364 			  0x27, 0x08, 0x94, 0x2d, 0xbe, 0x77, 0x18, 0x1a },
365 			16
366 		},
367 		{
368 			{ 0xc2, 0x86, 0x69, 0x6d, 0x88, 0x7c, 0x9a, 0xa0,
369 			  0x61, 0x1b, 0xbb, 0x3e, 0x20, 0x25, 0xa4, 0x5a },
370 			{ 0x56, 0x2e, 0x17, 0x99, 0x6d, 0x09, 0x3d, 0x28,
371 			  0xdd, 0xb3, 0xba, 0x69, 0x5a, 0x2e, 0x6f, 0x58 },
372 			{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
373 			  0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
374 			  0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
375 			  0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f },
376 			{ 0xd2, 0x96, 0xcd, 0x94, 0xc2, 0xcc, 0xcf, 0x8a,
377 			  0x3a, 0x86, 0x30, 0x28, 0xb5, 0xe1, 0xdc, 0x0a,
378 			  0x75, 0x86, 0x60, 0x2d, 0x25, 0x3c, 0xff, 0xf9,
379 			  0x1b, 0x82, 0x66, 0xbe, 0xa6, 0xd6, 0x1a, 0xb1 },
380 			32
381 		}
382 	};
383 	int ret = 0;
384 	u8 *buf;
385 	unsigned int i;
386 
387 	for (i = 0; i < ARRAY_SIZE(vectors); i++) {
388 		struct cbc_test_vector *tv = &vectors[i];
389 
390 		buf = os_malloc(tv->len);
391 		if (buf == NULL) {
392 			ret++;
393 			break;
394 		}
395 
396 		os_memcpy(buf, tv->plain, tv->len);
397 		if (aes_128_cbc_encrypt(tv->key, tv->iv, buf, tv->len) ||
398 		    os_memcmp(buf, tv->cipher, tv->len) != 0) {
399 			wpa_printf(MSG_ERROR, "AES-CBC encrypt %d failed", i);
400 			ret++;
401 		}
402 
403 		os_memcpy(buf, tv->cipher, tv->len);
404 		if (aes_128_cbc_decrypt(tv->key, tv->iv, buf, tv->len) ||
405 		    os_memcmp(buf, tv->plain, tv->len) != 0) {
406 			wpa_printf(MSG_ERROR, "AES-CBC decrypt %d failed", i);
407 			ret++;
408 		}
409 
410 		os_free(buf);
411 	}
412 
413 	return ret;
414 }
415 
416 
test_ecb(void)417 static int test_ecb(void)
418 {
419 #ifdef EAP_PSK
420 	struct ecb_test_vector {
421 		char *key;
422 		char *plaintext;
423 		char *ciphertext;
424 	} vectors[] = {
425 		/* CAVS 11.1 - ECBGFSbox128.rsp */
426 		{
427 			"00000000000000000000000000000000",
428 			"f34481ec3cc627bacd5dc3fb08f273e6",
429 			"0336763e966d92595a567cc9ce537f5e"
430 		},
431 		{
432 			"00000000000000000000000000000000",
433 			"9798c4640bad75c7c3227db910174e72",
434 			"a9a1631bf4996954ebc093957b234589"
435 		},
436 		{
437 			"00000000000000000000000000000000",
438 			"96ab5c2ff612d9dfaae8c31f30c42168",
439 			"ff4f8391a6a40ca5b25d23bedd44a597"
440 		},
441 		{
442 			"00000000000000000000000000000000",
443 			"6a118a874519e64e9963798a503f1d35",
444 			"dc43be40be0e53712f7e2bf5ca707209"
445 		},
446 		{
447 			"00000000000000000000000000000000",
448 			"cb9fceec81286ca3e989bd979b0cb284",
449 			"92beedab1895a94faa69b632e5cc47ce"
450 		},
451 		{
452 			"00000000000000000000000000000000",
453 			"b26aeb1874e47ca8358ff22378f09144",
454 			"459264f4798f6a78bacb89c15ed3d601"
455 		},
456 		{
457 			"00000000000000000000000000000000",
458 			"58c8e00b2631686d54eab84b91f0aca1",
459 			"08a4e2efec8a8e3312ca7460b9040bbf"
460 		},
461 		/* CAVS 11.1 - ECBKeySbox128.rsp */
462 		{
463 			"10a58869d74be5a374cf867cfb473859",
464 			"00000000000000000000000000000000",
465 			"6d251e6944b051e04eaa6fb4dbf78465"
466 		},
467 		{
468 			"caea65cdbb75e9169ecd22ebe6e54675",
469 			"00000000000000000000000000000000",
470 			"6e29201190152df4ee058139def610bb",
471 		}
472 	};
473 	int ret = 0;
474 	unsigned int i;
475 	u8 key[16], plain[16], cipher[16], out[16];
476 
477 	for (i = 0; i < ARRAY_SIZE(vectors); i++) {
478 		struct ecb_test_vector *tv = &vectors[i];
479 
480 		if (hexstr2bin(tv->key, key, sizeof(key)) ||
481 		    hexstr2bin(tv->plaintext, plain, sizeof(plain)) ||
482 		    hexstr2bin(tv->ciphertext, cipher, sizeof(cipher))) {
483 			wpa_printf(MSG_ERROR, "Invalid AES-ECB test vector %u",
484 				   i);
485 			ret++;
486 			continue;
487 		}
488 
489 		if (aes_128_encrypt_block(key, plain, out) < 0 ||
490 		    os_memcmp(out, cipher, 16) != 0) {
491 			wpa_printf(MSG_ERROR, "AES-ECB encrypt %u failed", i);
492 			ret++;
493 		}
494 	}
495 
496 	if (!ret)
497 		wpa_printf(MSG_INFO, "AES ECB mode test cases passed");
498 
499 	return ret;
500 #endif /* EAP_PSK */
501 
502 	return 0;
503 }
504 
505 
test_key_wrap(void)506 static int test_key_wrap(void)
507 {
508 	int ret = 0;
509 
510 	/* RFC 3394 - Test vector 4.1 */
511 	u8 kek41[] = {
512 		0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
513 		0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
514 	};
515 	u8 plain41[] = {
516 		0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
517 		0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff
518 	};
519 	u8 crypt41[] = {
520 		0x1F, 0xA6, 0x8B, 0x0A, 0x81, 0x12, 0xB4, 0x47,
521 		0xAE, 0xF3, 0x4B, 0xD8, 0xFB, 0x5A, 0x7B, 0x82,
522 		0x9D, 0x3E, 0x86, 0x23, 0x71, 0xD2, 0xCF, 0xE5
523 	};
524 #ifndef CONFIG_BORINGSSL
525 	/* RFC 3394 - Test vector 4.2 */
526 	u8 kek42[] = {
527 		0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
528 		0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
529 		0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17
530 	};
531 	u8 plain42[] = {
532 		0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
533 		0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff
534 	};
535 	u8 crypt42[] = {
536 		0x96, 0x77, 0x8B, 0x25, 0xAE, 0x6C, 0xA4, 0x35,
537 		0xF9, 0x2B, 0x5B, 0x97, 0xC0, 0x50, 0xAE, 0xD2,
538 		0x46, 0x8A, 0xB8, 0xA1, 0x7A, 0xD8, 0x4E, 0x5D
539 	};
540 #endif /* CONFIG_BORINGSSL */
541 	/* RFC 3394 - Test vector 4.3 */
542 	u8 kek43[] = {
543 		0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
544 		0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
545 		0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
546 		0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F
547 	};
548 	u8 plain43[] = {
549 		0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
550 		0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff
551 	};
552 	u8 crypt43[] = {
553 		0x64, 0xE8, 0xC3, 0xF9, 0xCE, 0x0F, 0x5B, 0xA2,
554 		0x63, 0xE9, 0x77, 0x79, 0x05, 0x81, 0x8A, 0x2A,
555 		0x93, 0xC8, 0x19, 0x1E, 0x7D, 0x6E, 0x8A, 0xE7,
556 	};
557 #ifndef CONFIG_BORINGSSL
558 	/* RFC 3394 - Test vector 4.4 */
559 	u8 kek44[] = {
560 		0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
561 		0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
562 		0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17
563 	};
564 	u8 plain44[] = {
565 		0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
566 		0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
567 		0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07
568 	};
569 	u8 crypt44[] = {
570 		0x03, 0x1D, 0x33, 0x26, 0x4E, 0x15, 0xD3, 0x32,
571 		0x68, 0xF2, 0x4E, 0xC2, 0x60, 0x74, 0x3E, 0xDC,
572 		0xE1, 0xC6, 0xC7, 0xDD, 0xEE, 0x72, 0x5A, 0x93,
573 		0x6B, 0xA8, 0x14, 0x91, 0x5C, 0x67, 0x62, 0xD2
574 	};
575 #endif /* CONFIG_BORINGSSL */
576 	/* RFC 3394 - Test vector 4.5 */
577 	u8 kek45[] = {
578 		0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
579 		0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
580 		0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
581 		0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F
582 	};
583 	u8 plain45[] = {
584 		0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
585 		0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
586 		0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07
587 	};
588 	u8 crypt45[] = {
589 		0xA8, 0xF9, 0xBC, 0x16, 0x12, 0xC6, 0x8B, 0x3F,
590 		0xF6, 0xE6, 0xF4, 0xFB, 0xE3, 0x0E, 0x71, 0xE4,
591 		0x76, 0x9C, 0x8B, 0x80, 0xA3, 0x2C, 0xB8, 0x95,
592 		0x8C, 0xD5, 0xD1, 0x7D, 0x6B, 0x25, 0x4D, 0xA1,
593 	};
594 	/* RFC 3394 - Test vector 4.6 */
595 	u8 kek46[] = {
596 		0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
597 		0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
598 		0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
599 		0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F
600 	};
601 	u8 plain46[] = {
602 		0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
603 		0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF,
604 		0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
605 		0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
606 	};
607 	u8 crypt46[] = {
608 		0x28, 0xC9, 0xF4, 0x04, 0xC4, 0xB8, 0x10, 0xF4,
609 		0xCB, 0xCC, 0xB3, 0x5C, 0xFB, 0x87, 0xF8, 0x26,
610 		0x3F, 0x57, 0x86, 0xE2, 0xD8, 0x0E, 0xD3, 0x26,
611 		0xCB, 0xC7, 0xF0, 0xE7, 0x1A, 0x99, 0xF4, 0x3B,
612 		0xFB, 0x98, 0x8B, 0x9B, 0x7A, 0x02, 0xDD, 0x21
613 	};
614 	u8 result[40];
615 
616 	wpa_printf(MSG_INFO, "RFC 3394 - Test vector 4.1");
617 	if (aes_wrap(kek41, sizeof(kek41), sizeof(plain41) / 8, plain41,
618 		     result)) {
619 		wpa_printf(MSG_ERROR, "AES-WRAP-128 reported failure");
620 		ret++;
621 	}
622 	if (os_memcmp(result, crypt41, sizeof(crypt41)) != 0) {
623 		wpa_printf(MSG_ERROR, "AES-WRAP-128 failed");
624 		ret++;
625 	}
626 	if (aes_unwrap(kek41, sizeof(kek41), sizeof(plain41) / 8, crypt41,
627 		       result)) {
628 		wpa_printf(MSG_ERROR, "AES-UNWRAP-128 reported failure");
629 		ret++;
630 	}
631 	if (os_memcmp(result, plain41, sizeof(plain41)) != 0) {
632 		wpa_printf(MSG_ERROR, "AES-UNWRAP-128 failed");
633 		ret++;
634 	}
635 
636 #ifndef CONFIG_BORINGSSL
637 	wpa_printf(MSG_INFO, "RFC 3394 - Test vector 4.2");
638 	if (aes_wrap(kek42, sizeof(kek42), sizeof(plain42) / 8, plain42,
639 		     result)) {
640 		wpa_printf(MSG_ERROR, "AES-WRAP-192 reported failure");
641 		ret++;
642 	}
643 	if (os_memcmp(result, crypt42, sizeof(crypt42)) != 0) {
644 		wpa_printf(MSG_ERROR, "AES-WRAP-192 failed");
645 		ret++;
646 	}
647 	if (aes_unwrap(kek42, sizeof(kek42), sizeof(plain42) / 8, crypt42,
648 		       result)) {
649 		wpa_printf(MSG_ERROR, "AES-UNWRAP-192 reported failure");
650 		ret++;
651 	}
652 	if (os_memcmp(result, plain42, sizeof(plain42)) != 0) {
653 		wpa_printf(MSG_ERROR, "AES-UNWRAP-192 failed");
654 		ret++;
655 	}
656 #endif /* CONFIG_BORINGSSL */
657 
658 	wpa_printf(MSG_INFO, "RFC 3394 - Test vector 4.3");
659 	if (aes_wrap(kek43, sizeof(kek43), sizeof(plain43) / 8, plain43,
660 		     result)) {
661 		wpa_printf(MSG_ERROR, "AES-WRAP-256 reported failure");
662 		ret++;
663 	}
664 	if (os_memcmp(result, crypt43, sizeof(crypt43)) != 0) {
665 		wpa_printf(MSG_ERROR, "AES-WRAP-256 failed");
666 		ret++;
667 	}
668 	if (aes_unwrap(kek43, sizeof(kek43), sizeof(plain43) / 8, crypt43,
669 		       result)) {
670 		wpa_printf(MSG_ERROR, "AES-UNWRAP-256 reported failure");
671 		ret++;
672 	}
673 	if (os_memcmp(result, plain43, sizeof(plain43)) != 0) {
674 		wpa_printf(MSG_ERROR, "AES-UNWRAP-256 failed");
675 		ret++;
676 	}
677 
678 #ifndef CONFIG_BORINGSSL
679 	wpa_printf(MSG_INFO, "RFC 3394 - Test vector 4.4");
680 	if (aes_wrap(kek44, sizeof(kek44), sizeof(plain44) / 8, plain44,
681 		     result)) {
682 		wpa_printf(MSG_ERROR, "AES-WRAP-192 reported failure");
683 		ret++;
684 	}
685 	if (os_memcmp(result, crypt44, sizeof(crypt44)) != 0) {
686 		wpa_printf(MSG_ERROR, "AES-WRAP-192 failed");
687 		ret++;
688 	}
689 	if (aes_unwrap(kek44, sizeof(kek44), sizeof(plain44) / 8, crypt44,
690 		       result)) {
691 		wpa_printf(MSG_ERROR, "AES-UNWRAP-192 reported failure");
692 		ret++;
693 	}
694 	if (os_memcmp(result, plain44, sizeof(plain44)) != 0) {
695 		wpa_printf(MSG_ERROR, "AES-UNWRAP-192 failed");
696 		ret++;
697 	}
698 #endif /* CONFIG_BORINGSSL */
699 
700 	wpa_printf(MSG_INFO, "RFC 3394 - Test vector 4.5");
701 	if (aes_wrap(kek45, sizeof(kek45), sizeof(plain45) / 8, plain45,
702 		     result)) {
703 		wpa_printf(MSG_ERROR, "AES-WRAP-256 reported failure");
704 		ret++;
705 	}
706 	if (os_memcmp(result, crypt45, sizeof(crypt45)) != 0) {
707 		wpa_printf(MSG_ERROR, "AES-WRAP-256 failed");
708 		ret++;
709 	}
710 	if (aes_unwrap(kek45, sizeof(kek45), sizeof(plain45) / 8, crypt45,
711 		       result)) {
712 		wpa_printf(MSG_ERROR, "AES-UNWRAP-256 reported failure");
713 		ret++;
714 	}
715 	if (os_memcmp(result, plain45, sizeof(plain45)) != 0) {
716 		wpa_printf(MSG_ERROR, "AES-UNWRAP-256 failed");
717 		ret++;
718 	}
719 
720 	wpa_printf(MSG_INFO, "RFC 3394 - Test vector 4.6");
721 	if (aes_wrap(kek46, sizeof(kek46), sizeof(plain46) / 8, plain46,
722 		     result)) {
723 		wpa_printf(MSG_ERROR, "AES-WRAP-256 reported failure");
724 		ret++;
725 	}
726 	if (os_memcmp(result, crypt46, sizeof(crypt46)) != 0) {
727 		wpa_printf(MSG_ERROR, "AES-WRAP-256 failed");
728 		ret++;
729 	}
730 	if (aes_unwrap(kek46, sizeof(kek46), sizeof(plain46) / 8, crypt46,
731 		       result)) {
732 		wpa_printf(MSG_ERROR, "AES-UNWRAP-256 reported failure");
733 		ret++;
734 	}
735 	if (os_memcmp(result, plain46, sizeof(plain46)) != 0) {
736 		wpa_printf(MSG_ERROR, "AES-UNWRAP-256 failed");
737 		ret++;
738 	}
739 
740 	if (!ret)
741 		wpa_printf(MSG_INFO, "AES key wrap/unwrap test cases passed");
742 
743 	return ret;
744 }
745 
746 
test_aes_ctr(void)747 static int test_aes_ctr(void)
748 {
749 	int res = 0;
750 
751 #if defined(CONFIG_MESH) || defined(CONFIG_PSK)
752 	/* CTR-AES*.Encrypt test vectors from NIST SP 800-38a */
753 	const u8 key128[] = {
754 		0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
755 		0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c
756 	};
757 	const u8 counter128[] = {
758 		0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
759 		0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff
760 	};
761 	const u8 plain128[] = {
762 		0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
763 		0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
764 		0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
765 		0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
766 		0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11,
767 		0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef,
768 		0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17,
769 		0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10
770 	};
771 	const u8 cipher128[] = {
772 		0x87, 0x4d, 0x61, 0x91, 0xb6, 0x20, 0xe3, 0x26,
773 		0x1b, 0xef, 0x68, 0x64, 0x99, 0x0d, 0xb6, 0xce,
774 		0x98, 0x06, 0xf6, 0x6b, 0x79, 0x70, 0xfd, 0xff,
775 		0x86, 0x17, 0x18, 0x7b, 0xb9, 0xff, 0xfd, 0xff,
776 		0x5a, 0xe4, 0xdf, 0x3e, 0xdb, 0xd5, 0xd3, 0x5e,
777 		0x5b, 0x4f, 0x09, 0x02, 0x0d, 0xb0, 0x3e, 0xab,
778 		0x1e, 0x03, 0x1d, 0xda, 0x2f, 0xbe, 0x03, 0xd1,
779 		0x79, 0x21, 0x70, 0xa0, 0xf3, 0x00, 0x9c, 0xee
780 	};
781 	const u8 key192[] = {
782 		0x8e, 0x73, 0xb0, 0xf7, 0xda, 0x0e, 0x64, 0x52,
783 		0xc8, 0x10, 0xf3, 0x2b, 0x80, 0x90, 0x79, 0xe5,
784 		0x62, 0xf8, 0xea, 0xd2, 0x52, 0x2c, 0x6b, 0x7b
785 	};
786 	const u8 counter192[] = {
787 		0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
788 		0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff
789 	};
790 	const u8 plain192[] = {
791 		0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
792 		0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
793 		0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
794 		0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
795 		0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11,
796 		0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef,
797 		0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17,
798 		0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10
799 	};
800 	const u8 cipher192[] = {
801 		0x1a, 0xbc, 0x93, 0x24, 0x17, 0x52, 0x1c, 0xa2,
802 		0x4f, 0x2b, 0x04, 0x59, 0xfe, 0x7e, 0x6e, 0x0b,
803 		0x09, 0x03, 0x39, 0xec, 0x0a, 0xa6, 0xfa, 0xef,
804 		0xd5, 0xcc, 0xc2, 0xc6, 0xf4, 0xce, 0x8e, 0x94,
805 		0x1e, 0x36, 0xb2, 0x6b, 0xd1, 0xeb, 0xc6, 0x70,
806 		0xd1, 0xbd, 0x1d, 0x66, 0x56, 0x20, 0xab, 0xf7,
807 		0x4f, 0x78, 0xa7, 0xf6, 0xd2, 0x98, 0x09, 0x58,
808 		0x5a, 0x97, 0xda, 0xec, 0x58, 0xc6, 0xb0, 0x50
809 	};
810 	const u8 key256[] = {
811 		0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe,
812 		0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81,
813 		0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, 0x08, 0xd7,
814 		0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4
815 	};
816 	const u8 counter256[] = {
817 		0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
818 		0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff
819 	};
820 	const u8 plain256[] = {
821 		0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
822 		0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
823 		0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
824 		0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
825 		0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11,
826 		0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef,
827 		0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17,
828 		0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10
829 	};
830 	const u8 cipher256[] = {
831 		0x60, 0x1e, 0xc3, 0x13, 0x77, 0x57, 0x89, 0xa5,
832 		0xb7, 0xa7, 0xf5, 0x04, 0xbb, 0xf3, 0xd2, 0x28,
833 		0xf4, 0x43, 0xe3, 0xca, 0x4d, 0x62, 0xb5, 0x9a,
834 		0xca, 0x84, 0xe9, 0x90, 0xca, 0xca, 0xf5, 0xc5,
835 		0x2b, 0x09, 0x30, 0xda, 0xa2, 0x3d, 0xe9, 0x4c,
836 		0xe8, 0x70, 0x17, 0xba, 0x2d, 0x84, 0x98, 0x8d,
837 		0xdf, 0xc9, 0xc5, 0x8d, 0xb6, 0x7a, 0xad, 0xa6,
838 		0x13, 0xc2, 0xdd, 0x08, 0x45, 0x79, 0x41, 0xa6
839 	};
840 	size_t len;
841 	u8 *tmp;
842 
843 	wpa_printf(MSG_DEBUG, "CTR-AES128.Encrypt");
844 	len = sizeof(plain128);
845 	tmp = os_malloc(len);
846 	if (!tmp)
847 		return -1;
848 	os_memcpy(tmp, plain128, len);
849 	if (aes_ctr_encrypt(key128, sizeof(key128), counter128, tmp, len) < 0) {
850 		wpa_printf(MSG_ERROR, "aes_ctr_encrypt() failed");
851 		res = -1;
852 	} else if (os_memcmp(tmp, cipher128, len) != 0) {
853 		wpa_printf(MSG_ERROR,
854 			   "CTR-AES128.Encrypt test vector did not match");
855 		res = -1;
856 	}
857 	os_free(tmp);
858 
859 	wpa_printf(MSG_DEBUG, "CTR-AES192.Encrypt");
860 	len = sizeof(plain192);
861 	tmp = os_malloc(len);
862 	if (!tmp)
863 		return -1;
864 	os_memcpy(tmp, plain192, len);
865 	if (aes_ctr_encrypt(key192, sizeof(key192), counter192, tmp, len) < 0) {
866 		wpa_printf(MSG_ERROR, "aes_ctr_encrypt() failed");
867 		res = -1;
868 	} else if (os_memcmp(tmp, cipher192, len) != 0) {
869 		wpa_printf(MSG_ERROR,
870 			   "CTR-AES192.Encrypt test vector did not match");
871 		res = -1;
872 	}
873 	os_free(tmp);
874 
875 	wpa_printf(MSG_DEBUG, "CTR-AES256.Encrypt");
876 	len = sizeof(plain256);
877 	tmp = os_malloc(len);
878 	if (!tmp)
879 		return -1;
880 	os_memcpy(tmp, plain256, len);
881 	if (aes_ctr_encrypt(key256, sizeof(key256), counter256, tmp, len) < 0) {
882 		wpa_printf(MSG_ERROR, "aes_ctr_encrypt() failed");
883 		res = -1;
884 	} else if (os_memcmp(tmp, cipher256, len) != 0) {
885 		wpa_printf(MSG_ERROR,
886 			   "CTR-AES256.Encrypt test vector did not match");
887 		res = -1;
888 	}
889 	os_free(tmp);
890 #endif
891 
892 	return res;
893 }
894 
895 
test_md5(void)896 static int test_md5(void)
897 {
898 #ifndef CONFIG_FIPS
899 	struct {
900 		char *data;
901 		char *hash;
902 	} tests[] = {
903 		{
904 			"",
905 			"\xd4\x1d\x8c\xd9\x8f\x00\xb2\x04"
906 			"\xe9\x80\x09\x98\xec\xf8\x42\x7e"
907 		},
908 		{
909 			"a",
910 			"\x0c\xc1\x75\xb9\xc0\xf1\xb6\xa8"
911 			"\x31\xc3\x99\xe2\x69\x77\x26\x61"
912 		},
913 		{
914 			"abc",
915 			"\x90\x01\x50\x98\x3c\xd2\x4f\xb0"
916 			"\xd6\x96\x3f\x7d\x28\xe1\x7f\x72"
917 		},
918 		{
919 			"message digest",
920 			"\xf9\x6b\x69\x7d\x7c\xb7\x93\x8d"
921 			"\x52\x5a\x2f\x31\xaa\xf1\x61\xd0"
922 		},
923 		{
924 			"abcdefghijklmnopqrstuvwxyz",
925 			"\xc3\xfc\xd3\xd7\x61\x92\xe4\x00"
926 			"\x7d\xfb\x49\x6c\xca\x67\xe1\x3b"
927 		},
928 		{
929 			"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
930 			"0123456789",
931 			"\xd1\x74\xab\x98\xd2\x77\xd9\xf5"
932 			"\xa5\x61\x1c\x2c\x9f\x41\x9d\x9f"
933 		},
934 		{
935 			"12345678901234567890123456789012345678901234567890"
936 			"123456789012345678901234567890",
937 			"\x57\xed\xf4\xa2\x2b\xe3\xc9\x55"
938 			"\xac\x49\xda\x2e\x21\x07\xb6\x7a"
939 		}
940 	};
941 	unsigned int i;
942 	u8 hash[16];
943 	const u8 *addr[2];
944 	size_t len[2];
945 	int errors = 0;
946 
947 	for (i = 0; i < ARRAY_SIZE(tests); i++) {
948 		wpa_printf(MSG_INFO, "MD5 test case %d", i);
949 
950 		addr[0] = (u8 *) tests[i].data;
951 		len[0] = strlen(tests[i].data);
952 		if (md5_vector(1, addr, len, hash) < 0 ||
953 		    os_memcmp(hash, tests[i].hash, 16) != 0) {
954 			wpa_printf(MSG_INFO, " FAIL");
955 			errors++;
956 		} else
957 			wpa_printf(MSG_INFO, " OK");
958 
959 		if (len[0]) {
960 			addr[0] = (u8 *) tests[i].data;
961 			len[0] = strlen(tests[i].data);
962 			addr[1] = (u8 *) tests[i].data + 1;
963 			len[1] = strlen(tests[i].data) - 1;
964 			if (md5_vector(1, addr, len, hash) < 0 ||
965 			    os_memcmp(hash, tests[i].hash, 16) != 0) {
966 				wpa_printf(MSG_INFO, " FAIL");
967 				errors++;
968 			} else
969 				wpa_printf(MSG_INFO, " OK");
970 		}
971 	}
972 
973 	if (!errors)
974 		wpa_printf(MSG_INFO, "MD5 test cases passed");
975 
976 	return errors;
977 #else /* CONFIG_FIPS */
978 	wpa_printf(MSG_INFO, "MD5 test cases skipped due to CONFIG_FIPS");
979 	return 0;
980 #endif /* CONFIG_FIPS */
981 }
982 
983 
test_eap_fast(void)984 static int test_eap_fast(void)
985 {
986 #ifdef EAP_FAST
987 	/* RFC 4851, Appendix B.1 */
988 	const u8 pac_key[] = {
989 		0x0B, 0x97, 0x39, 0x0F, 0x37, 0x51, 0x78, 0x09,
990 		0x81, 0x1E, 0xFD, 0x9C, 0x6E, 0x65, 0x94, 0x2B,
991 		0x63, 0x2C, 0xE9, 0x53, 0x89, 0x38, 0x08, 0xBA,
992 		0x36, 0x0B, 0x03, 0x7C, 0xD1, 0x85, 0xE4, 0x14
993 	};
994 	const u8 seed[] = {
995 		0x3F, 0xFB, 0x11, 0xC4, 0x6C, 0xBF, 0xA5, 0x7A,
996 		0x54, 0x40, 0xDA, 0xE8, 0x22, 0xD3, 0x11, 0xD3,
997 		0xF7, 0x6D, 0xE4, 0x1D, 0xD9, 0x33, 0xE5, 0x93,
998 		0x70, 0x97, 0xEB, 0xA9, 0xB3, 0x66, 0xF4, 0x2A,
999 		0x00, 0x00, 0x00, 0x02, 0x6A, 0x66, 0x43, 0x2A,
1000 		0x8D, 0x14, 0x43, 0x2C, 0xEC, 0x58, 0x2D, 0x2F,
1001 		0xC7, 0x9C, 0x33, 0x64, 0xBA, 0x04, 0xAD, 0x3A,
1002 		0x52, 0x54, 0xD6, 0xA5, 0x79, 0xAD, 0x1E, 0x00
1003 	};
1004 	const u8 master_secret[] = {
1005 		0x4A, 0x1A, 0x51, 0x2C, 0x01, 0x60, 0xBC, 0x02,
1006 		0x3C, 0xCF, 0xBC, 0x83, 0x3F, 0x03, 0xBC, 0x64,
1007 		0x88, 0xC1, 0x31, 0x2F, 0x0B, 0xA9, 0xA2, 0x77,
1008 		0x16, 0xA8, 0xD8, 0xE8, 0xBD, 0xC9, 0xD2, 0x29,
1009 		0x38, 0x4B, 0x7A, 0x85, 0xBE, 0x16, 0x4D, 0x27,
1010 		0x33, 0xD5, 0x24, 0x79, 0x87, 0xB1, 0xC5, 0xA2
1011 	};
1012 #ifndef CONFIG_FIPS
1013 	const u8 key_block[] = {
1014 		0x59, 0x59, 0xBE, 0x8E, 0x41, 0x3A, 0x77, 0x74,
1015 		0x8B, 0xB2, 0xE5, 0xD3, 0x60, 0xAC, 0x4D, 0x35,
1016 		0xDF, 0xFB, 0xC8, 0x1E, 0x9C, 0x24, 0x9C, 0x8B,
1017 		0x0E, 0xC3, 0x1D, 0x72, 0xC8, 0x84, 0x9D, 0x57,
1018 		0x48, 0x51, 0x2E, 0x45, 0x97, 0x6C, 0x88, 0x70,
1019 		0xBE, 0x5F, 0x01, 0xD3, 0x64, 0xE7, 0x4C, 0xBB,
1020 		0x11, 0x24, 0xE3, 0x49, 0xE2, 0x3B, 0xCD, 0xEF,
1021 		0x7A, 0xB3, 0x05, 0x39, 0x5D, 0x64, 0x8A, 0x44,
1022 		0x11, 0xB6, 0x69, 0x88, 0x34, 0x2E, 0x8E, 0x29,
1023 		0xD6, 0x4B, 0x7D, 0x72, 0x17, 0x59, 0x28, 0x05,
1024 		0xAF, 0xF9, 0xB7, 0xFF, 0x66, 0x6D, 0xA1, 0x96,
1025 		0x8F, 0x0B, 0x5E, 0x06, 0x46, 0x7A, 0x44, 0x84,
1026 		0x64, 0xC1, 0xC8, 0x0C, 0x96, 0x44, 0x09, 0x98,
1027 		0xFF, 0x92, 0xA8, 0xB4, 0xC6, 0x42, 0x28, 0x71
1028 	};
1029 #endif /* CONFIG_FIPS */
1030 	const u8 sks[] = {
1031 		0xD6, 0x4B, 0x7D, 0x72, 0x17, 0x59, 0x28, 0x05,
1032 		0xAF, 0xF9, 0xB7, 0xFF, 0x66, 0x6D, 0xA1, 0x96,
1033 		0x8F, 0x0B, 0x5E, 0x06, 0x46, 0x7A, 0x44, 0x84,
1034 		0x64, 0xC1, 0xC8, 0x0C, 0x96, 0x44, 0x09, 0x98,
1035 		0xFF, 0x92, 0xA8, 0xB4, 0xC6, 0x42, 0x28, 0x71
1036 	};
1037 	const u8 isk[] = {
1038 		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1039 		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1040 		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1041 		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
1042 	};
1043 	const u8 imck[] = {
1044 		0x16, 0x15, 0x3C, 0x3F, 0x21, 0x55, 0xEF, 0xD9,
1045 		0x7F, 0x34, 0xAE, 0xC8, 0x1A, 0x4E, 0x66, 0x80,
1046 		0x4C, 0xC3, 0x76, 0xF2, 0x8A, 0xA9, 0x6F, 0x96,
1047 		0xC2, 0x54, 0x5F, 0x8C, 0xAB, 0x65, 0x02, 0xE1,
1048 		0x18, 0x40, 0x7B, 0x56, 0xBE, 0xEA, 0xA7, 0xC5,
1049 		0x76, 0x5D, 0x8F, 0x0B, 0xC5, 0x07, 0xC6, 0xB9,
1050 		0x04, 0xD0, 0x69, 0x56, 0x72, 0x8B, 0x6B, 0xB8,
1051 		0x15, 0xEC, 0x57, 0x7B
1052 	};
1053 	const u8 msk[] = {
1054 		0x4D, 0x83, 0xA9, 0xBE, 0x6F, 0x8A, 0x74, 0xED,
1055 		0x6A, 0x02, 0x66, 0x0A, 0x63, 0x4D, 0x2C, 0x33,
1056 		0xC2, 0xDA, 0x60, 0x15, 0xC6, 0x37, 0x04, 0x51,
1057 		0x90, 0x38, 0x63, 0xDA, 0x54, 0x3E, 0x14, 0xB9,
1058 		0x27, 0x99, 0x18, 0x1E, 0x07, 0xBF, 0x0F, 0x5A,
1059 		0x5E, 0x3C, 0x32, 0x93, 0x80, 0x8C, 0x6C, 0x49,
1060 		0x67, 0xED, 0x24, 0xFE, 0x45, 0x40, 0xA0, 0x59,
1061 		0x5E, 0x37, 0xC2, 0xE9, 0xD0, 0x5D, 0x0A, 0xE3
1062 	};
1063 	const u8 emsk[] = {
1064 		0x3A, 0xD4, 0xAB, 0xDB, 0x76, 0xB2, 0x7F, 0x3B,
1065 		0xEA, 0x32, 0x2C, 0x2B, 0x74, 0xF4, 0x28, 0x55,
1066 		0xEF, 0x2D, 0xBA, 0x78, 0xC9, 0x57, 0x2F, 0x0D,
1067 		0x06, 0xCD, 0x51, 0x7C, 0x20, 0x93, 0x98, 0xA9,
1068 		0x76, 0xEA, 0x70, 0x21, 0xD7, 0x0E, 0x25, 0x54,
1069 		0x97, 0xED, 0xB2, 0x8A, 0xF6, 0xED, 0xFD, 0x0A,
1070 		0x2A, 0xE7, 0xA1, 0x58, 0x90, 0x10, 0x50, 0x44,
1071 		0xB3, 0x82, 0x85, 0xDB, 0x06, 0x14, 0xD2, 0xF9
1072 	};
1073 	/* RFC 4851, Appendix B.2 */
1074 	u8 tlv[] = {
1075 		0x80, 0x0C, 0x00, 0x38, 0x00, 0x01, 0x01, 0x00,
1076 		0xD8, 0x6A, 0x8C, 0x68, 0x3C, 0x32, 0x31, 0xA8,
1077 		0x56, 0x63, 0xB6, 0x40, 0x21, 0xFE, 0x21, 0x14,
1078 		0x4E, 0xE7, 0x54, 0x20, 0x79, 0x2D, 0x42, 0x62,
1079 		0xC9, 0xBF, 0x53, 0x7F, 0x54, 0xFD, 0xAC, 0x58,
1080 		0x43, 0x24, 0x6E, 0x30, 0x92, 0x17, 0x6D, 0xCF,
1081 		0xE6, 0xE0, 0x69, 0xEB, 0x33, 0x61, 0x6A, 0xCC,
1082 		0x05, 0xC5, 0x5B, 0xB7
1083 	};
1084 	const u8 compound_mac[] = {
1085 		0x43, 0x24, 0x6E, 0x30, 0x92, 0x17, 0x6D, 0xCF,
1086 		0xE6, 0xE0, 0x69, 0xEB, 0x33, 0x61, 0x6A, 0xCC,
1087 		0x05, 0xC5, 0x5B, 0xB7
1088 	};
1089 	u8 buf[512];
1090 	const u8 *simck, *cmk;
1091 	int errors = 0;
1092 
1093 	wpa_printf(MSG_INFO, "EAP-FAST test cases");
1094 
1095 	wpa_printf(MSG_INFO, "- T-PRF (SHA1) test case / master_secret");
1096 	if (sha1_t_prf(pac_key, sizeof(pac_key),
1097 		       "PAC to master secret label hash",
1098 		       seed, sizeof(seed), buf, sizeof(master_secret)) < 0 ||
1099 	    os_memcmp(master_secret, buf, sizeof(master_secret)) != 0) {
1100 		wpa_printf(MSG_INFO, "T-PRF test - FAILED!");
1101 		errors++;
1102 	}
1103 
1104 #ifndef CONFIG_FIPS
1105 	wpa_printf(MSG_INFO, "- PRF (TLS, SHA1/MD5) test case / key_block");
1106 	if (tls_prf_sha1_md5(master_secret, sizeof(master_secret),
1107 			     "key expansion", seed, sizeof(seed),
1108 			     buf, sizeof(key_block)) ||
1109 	    os_memcmp(key_block, buf, sizeof(key_block)) != 0) {
1110 		wpa_printf(MSG_INFO, "PRF test - FAILED!");
1111 		errors++;
1112 	}
1113 #endif /* CONFIG_FIPS */
1114 
1115 	wpa_printf(MSG_INFO, "- T-PRF (SHA1) test case / IMCK");
1116 	if (sha1_t_prf(sks, sizeof(sks), "Inner Methods Compound Keys",
1117 		       isk, sizeof(isk), buf, sizeof(imck)) < 0 ||
1118 	    os_memcmp(imck, buf, sizeof(imck)) != 0) {
1119 		wpa_printf(MSG_INFO, "T-PRF test - FAILED!");
1120 		errors++;
1121 	}
1122 
1123 	simck = imck;
1124 	cmk = imck + 40;
1125 
1126 	wpa_printf(MSG_INFO, "- T-PRF (SHA1) test case / MSK");
1127 	if (sha1_t_prf(simck, 40, "Session Key Generating Function",
1128 		       (u8 *) "", 0, buf, sizeof(msk)) < 0 ||
1129 	    os_memcmp(msk, buf, sizeof(msk)) != 0) {
1130 		wpa_printf(MSG_INFO, "T-PRF test - FAILED!");
1131 		errors++;
1132 	}
1133 
1134 	wpa_printf(MSG_INFO, "- T-PRF (SHA1) test case / EMSK");
1135 	if (sha1_t_prf(simck, 40, "Extended Session Key Generating Function",
1136 		       (u8 *) "", 0, buf, sizeof(msk)) < 0 ||
1137 	    os_memcmp(emsk, buf, sizeof(emsk)) != 0) {
1138 		wpa_printf(MSG_INFO, "T-PRF test - FAILED!");
1139 		errors++;
1140 	}
1141 
1142 	wpa_printf(MSG_INFO, "- Compound MAC test case");
1143 	os_memset(tlv + sizeof(tlv) - 20, 0, 20);
1144 	if (hmac_sha1(cmk, 20, tlv, sizeof(tlv), tlv + sizeof(tlv) - 20) < 0 ||
1145 	    os_memcmp(tlv + sizeof(tlv) - 20, compound_mac,
1146 		      sizeof(compound_mac)) != 0) {
1147 		wpa_printf(MSG_INFO, "Compound MAC test - FAILED!");
1148 		errors++;
1149 	}
1150 
1151 	return errors;
1152 #else /* EAP_FAST */
1153 	return 0;
1154 #endif /* EAP_FAST */
1155 }
1156 
1157 
1158 static const u8 key0[] =
1159 {
1160 	0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
1161 	0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
1162 	0x0b, 0x0b, 0x0b, 0x0b
1163 };
1164 static const u8 data0[] = "Hi There";
1165 static const u8 prf0[] =
1166 {
1167 	0xbc, 0xd4, 0xc6, 0x50, 0xb3, 0x0b, 0x96, 0x84,
1168 	0x95, 0x18, 0x29, 0xe0, 0xd7, 0x5f, 0x9d, 0x54,
1169 	0xb8, 0x62, 0x17, 0x5e, 0xd9, 0xf0, 0x06, 0x06,
1170 	0xe1, 0x7d, 0x8d, 0xa3, 0x54, 0x02, 0xff, 0xee,
1171 	0x75, 0xdf, 0x78, 0xc3, 0xd3, 0x1e, 0x0f, 0x88,
1172 	0x9f, 0x01, 0x21, 0x20, 0xc0, 0x86, 0x2b, 0xeb,
1173 	0x67, 0x75, 0x3e, 0x74, 0x39, 0xae, 0x24, 0x2e,
1174 	0xdb, 0x83, 0x73, 0x69, 0x83, 0x56, 0xcf, 0x5a
1175 };
1176 
1177 static const u8 key1[] = "Jefe";
1178 static const u8 data1[] = "what do ya want for nothing?";
1179 static const u8 prf1[] =
1180 {
1181 	0x51, 0xf4, 0xde, 0x5b, 0x33, 0xf2, 0x49, 0xad,
1182 	0xf8, 0x1a, 0xeb, 0x71, 0x3a, 0x3c, 0x20, 0xf4,
1183 	0xfe, 0x63, 0x14, 0x46, 0xfa, 0xbd, 0xfa, 0x58,
1184 	0x24, 0x47, 0x59, 0xae, 0x58, 0xef, 0x90, 0x09,
1185 	0xa9, 0x9a, 0xbf, 0x4e, 0xac, 0x2c, 0xa5, 0xfa,
1186 	0x87, 0xe6, 0x92, 0xc4, 0x40, 0xeb, 0x40, 0x02,
1187 	0x3e, 0x7b, 0xab, 0xb2, 0x06, 0xd6, 0x1d, 0xe7,
1188 	0xb9, 0x2f, 0x41, 0x52, 0x90, 0x92, 0xb8, 0xfc
1189 };
1190 
1191 
1192 static const u8 key2[] =
1193 {
1194 	0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1195 	0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1196 	0xaa, 0xaa, 0xaa, 0xaa
1197 };
1198 static const u8 data2[] =
1199 {
1200 	0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
1201 	0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
1202 	0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
1203 	0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
1204 	0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
1205 	0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
1206 	0xdd, 0xdd
1207 };
1208 static const u8 prf2[] =
1209 {
1210 	0xe1, 0xac, 0x54, 0x6e, 0xc4, 0xcb, 0x63, 0x6f,
1211 	0x99, 0x76, 0x48, 0x7b, 0xe5, 0xc8, 0x6b, 0xe1,
1212 	0x7a, 0x02, 0x52, 0xca, 0x5d, 0x8d, 0x8d, 0xf1,
1213 	0x2c, 0xfb, 0x04, 0x73, 0x52, 0x52, 0x49, 0xce,
1214 	0x9d, 0xd8, 0xd1, 0x77, 0xea, 0xd7, 0x10, 0xbc,
1215 	0x9b, 0x59, 0x05, 0x47, 0x23, 0x91, 0x07, 0xae,
1216 	0xf7, 0xb4, 0xab, 0xd4, 0x3d, 0x87, 0xf0, 0xa6,
1217 	0x8f, 0x1c, 0xbd, 0x9e, 0x2b, 0x6f, 0x76, 0x07
1218 };
1219 
1220 
1221 struct passphrase_test {
1222 	char *passphrase;
1223 	char *ssid;
1224 	char psk[32];
1225 };
1226 
1227 static const struct passphrase_test passphrase_tests[] =
1228 {
1229 	{
1230 		"password",
1231 		"IEEE",
1232 		{
1233 			0xf4, 0x2c, 0x6f, 0xc5, 0x2d, 0xf0, 0xeb, 0xef,
1234 			0x9e, 0xbb, 0x4b, 0x90, 0xb3, 0x8a, 0x5f, 0x90,
1235 			0x2e, 0x83, 0xfe, 0x1b, 0x13, 0x5a, 0x70, 0xe2,
1236 			0x3a, 0xed, 0x76, 0x2e, 0x97, 0x10, 0xa1, 0x2e
1237 		}
1238 	},
1239 	{
1240 		"ThisIsAPassword",
1241 		"ThisIsASSID",
1242 		{
1243 			0x0d, 0xc0, 0xd6, 0xeb, 0x90, 0x55, 0x5e, 0xd6,
1244 			0x41, 0x97, 0x56, 0xb9, 0xa1, 0x5e, 0xc3, 0xe3,
1245 			0x20, 0x9b, 0x63, 0xdf, 0x70, 0x7d, 0xd5, 0x08,
1246 			0xd1, 0x45, 0x81, 0xf8, 0x98, 0x27, 0x21, 0xaf
1247 		}
1248 	},
1249 	{
1250 		"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
1251 		"ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ",
1252 		{
1253 			0xbe, 0xcb, 0x93, 0x86, 0x6b, 0xb8, 0xc3, 0x83,
1254 			0x2c, 0xb7, 0x77, 0xc2, 0xf5, 0x59, 0x80, 0x7c,
1255 			0x8c, 0x59, 0xaf, 0xcb, 0x6e, 0xae, 0x73, 0x48,
1256 			0x85, 0x00, 0x13, 0x00, 0xa9, 0x81, 0xcc, 0x62
1257 		}
1258 	},
1259 };
1260 
1261 #define NUM_PASSPHRASE_TESTS ARRAY_SIZE(passphrase_tests)
1262 
1263 
1264 struct rfc6070_test {
1265 	char *p;
1266 	char *s;
1267 	int c;
1268 	char dk[32];
1269 	size_t dk_len;
1270 };
1271 
1272 static const struct rfc6070_test rfc6070_tests[] =
1273 {
1274 	{
1275 		"password",
1276 		"salt",
1277 		1,
1278 		{
1279 			0x0c, 0x60, 0xc8, 0x0f, 0x96, 0x1f, 0x0e, 0x71,
1280 			0xf3, 0xa9, 0xb5, 0x24, 0xaf, 0x60, 0x12, 0x06,
1281 			0x2f, 0xe0, 0x37, 0xa6
1282 		},
1283 		20
1284 	},
1285 	{
1286 		"password",
1287 		"salt",
1288 		2,
1289 		{
1290 			0xea, 0x6c, 0x01, 0x4d, 0xc7, 0x2d, 0x6f, 0x8c,
1291 			0xcd, 0x1e, 0xd9, 0x2a, 0xce, 0x1d, 0x41, 0xf0,
1292 			0xd8, 0xde, 0x89, 0x57
1293 		},
1294 		20
1295 	},
1296 	{
1297 		"password",
1298 		"salt",
1299 		4096,
1300 		{
1301 			0x4b, 0x00, 0x79, 0x01, 0xb7, 0x65, 0x48, 0x9a,
1302 			0xbe, 0xad, 0x49, 0xd9, 0x26, 0xf7, 0x21, 0xd0,
1303 			0x65, 0xa4, 0x29, 0xc1
1304 		},
1305 		20
1306 	},
1307 #if 0 /* This takes quite long to derive.. */
1308 	{
1309 		"password",
1310 		"salt",
1311 		16777216,
1312 		{
1313 			0xee, 0xfe, 0x3d, 0x61, 0xcd, 0x4d, 0xa4, 0xe4,
1314 			0xe9, 0x94, 0x5b, 0x3d, 0x6b, 0xa2, 0x15, 0x8c,
1315 			0x26, 0x34, 0xe9, 0x84
1316 		},
1317 		20
1318 	},
1319 #endif
1320 	{
1321 		"passwordPASSWORDpassword",
1322 		"saltSALTsaltSALTsaltSALTsaltSALTsalt",
1323 		4096,
1324 		{
1325 			0x3d, 0x2e, 0xec, 0x4f, 0xe4, 0x1c, 0x84, 0x9b,
1326 			0x80, 0xc8, 0xd8, 0x36, 0x62, 0xc0, 0xe4, 0x4a,
1327 			0x8b, 0x29, 0x1a, 0x96, 0x4c, 0xf2, 0xf0, 0x70,
1328 			0x38
1329 		},
1330 		25
1331 	},
1332 #if 0 /* \0 not currently supported in passphrase parameters.. */
1333 	{
1334 		"pass\0word",
1335 		"sa\0lt",
1336 		4096,
1337 		{
1338 			0x56, 0xfa, 0x6a, 0xa7, 0x55, 0x48, 0x09, 0x9d,
1339 			0xcc, 0x37, 0xd7, 0xf0, 0x34, 0x25, 0xe0, 0xc3
1340 		},
1341 		16
1342 	},
1343 #endif
1344 };
1345 
1346 #define NUM_RFC6070_TESTS ARRAY_SIZE(rfc6070_tests)
1347 
1348 
test_sha1(void)1349 static int test_sha1(void)
1350 {
1351 	u8 res[512];
1352 	int ret = 0;
1353 	unsigned int i;
1354 
1355 	wpa_printf(MSG_INFO, "PRF-SHA1 test cases:");
1356 
1357 	if (sha1_prf(key0, sizeof(key0), "prefix", data0, sizeof(data0) - 1,
1358 		     res, sizeof(prf0)) == 0 &&
1359 	    os_memcmp(res, prf0, sizeof(prf0)) == 0)
1360 		wpa_printf(MSG_INFO, "Test case 0 - OK");
1361 	else {
1362 		wpa_printf(MSG_INFO, "Test case 0 - FAILED!");
1363 		ret++;
1364 	}
1365 
1366 	if (sha1_prf(key1, sizeof(key1) - 1, "prefix", data1, sizeof(data1) - 1,
1367 		     res, sizeof(prf1)) == 0 &&
1368 	    os_memcmp(res, prf1, sizeof(prf1)) == 0)
1369 		wpa_printf(MSG_INFO, "Test case 1 - OK");
1370 	else {
1371 		wpa_printf(MSG_INFO, "Test case 1 - FAILED!");
1372 		ret++;
1373 	}
1374 
1375 	if (sha1_prf(key2, sizeof(key2), "prefix", data2, sizeof(data2),
1376 		     res, sizeof(prf2)) == 0 &&
1377 	    os_memcmp(res, prf2, sizeof(prf2)) == 0)
1378 		wpa_printf(MSG_INFO, "Test case 2 - OK");
1379 	else {
1380 		wpa_printf(MSG_INFO, "Test case 2 - FAILED!");
1381 		ret++;
1382 	}
1383 
1384 	ret += test_eap_fast();
1385 
1386 	wpa_printf(MSG_INFO, "PBKDF2-SHA1 Passphrase test cases:");
1387 	for (i = 0; i < NUM_PASSPHRASE_TESTS; i++) {
1388 		u8 psk[32];
1389 		const struct passphrase_test *test = &passphrase_tests[i];
1390 
1391 		if (pbkdf2_sha1(test->passphrase,
1392 				(const u8 *) test->ssid, strlen(test->ssid),
1393 				4096, psk, 32) == 0 &&
1394 		    os_memcmp(psk, test->psk, 32) == 0)
1395 			wpa_printf(MSG_INFO, "Test case %d - OK", i);
1396 		else {
1397 			wpa_printf(MSG_INFO, "Test case %d - FAILED!", i);
1398 			ret++;
1399 		}
1400 	}
1401 
1402 	wpa_printf(MSG_INFO, "PBKDF2-SHA1 test cases (RFC 6070):");
1403 	for (i = 0; i < NUM_RFC6070_TESTS; i++) {
1404 		u8 dk[25];
1405 		const struct rfc6070_test *test = &rfc6070_tests[i];
1406 
1407 		if (pbkdf2_sha1(test->p, (const u8 *) test->s, strlen(test->s),
1408 				test->c, dk, test->dk_len) == 0 &&
1409 		    os_memcmp(dk, test->dk, test->dk_len) == 0)
1410 			wpa_printf(MSG_INFO, "Test case %d - OK", i);
1411 		else {
1412 			wpa_printf(MSG_INFO, "Test case %d - FAILED!", i);
1413 			ret++;
1414 		}
1415 	}
1416 
1417 	if (!ret)
1418 		wpa_printf(MSG_INFO, "SHA1 test cases passed");
1419 	return ret;
1420 }
1421 
1422 
1423 static const struct {
1424 	char *data;
1425 	u8 hash[32];
1426 } tests[] = {
1427 	{
1428 		"abc",
1429 		{
1430 			0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea,
1431 			0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23,
1432 			0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c,
1433 			0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad
1434 		}
1435 	},
1436 	{
1437 		"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
1438 		{
1439 			0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8,
1440 			0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39,
1441 			0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67,
1442 			0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1
1443 		}
1444 	}
1445 };
1446 
1447 static const struct hmac_test {
1448 	u8 key[150];
1449 	size_t key_len;
1450 	u8 data[160];
1451 	size_t data_len;
1452 	u8 hash[32]; /* HMAC-SHA-256 */
1453 	u8 hash384[48]; /* HMAC-SHA-384 */
1454 } hmac_tests[] = {
1455 	/* draft-ietf-ipsec-ciph-sha-256-01.txt; RFC 4231 */
1456 	{
1457 		{
1458 			0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
1459 			0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
1460 			0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
1461 			0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20
1462 		},
1463 		32,
1464 		"abc", 3,
1465 		{
1466 			0xa2, 0x1b, 0x1f, 0x5d, 0x4c, 0xf4, 0xf7, 0x3a,
1467 			0x4d, 0xd9, 0x39, 0x75, 0x0f, 0x7a, 0x06, 0x6a,
1468 			0x7f, 0x98, 0xcc, 0x13, 0x1c, 0xb1, 0x6a, 0x66,
1469 			0x92, 0x75, 0x90, 0x21, 0xcf, 0xab, 0x81, 0x81
1470 		},
1471 		{ }
1472 	},
1473 	{
1474 		{
1475 			0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
1476 			0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
1477 			0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
1478 			0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20
1479 		},
1480 		32,
1481 		"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
1482 		56,
1483 		{
1484 			0x10, 0x4f, 0xdc, 0x12, 0x57, 0x32, 0x8f, 0x08,
1485 			0x18, 0x4b, 0xa7, 0x31, 0x31, 0xc5, 0x3c, 0xae,
1486 			0xe6, 0x98, 0xe3, 0x61, 0x19, 0x42, 0x11, 0x49,
1487 			0xea, 0x8c, 0x71, 0x24, 0x56, 0x69, 0x7d, 0x30
1488 		},
1489 		{ }
1490 	},
1491 	{
1492 		{
1493 			0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
1494 			0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
1495 			0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
1496 			0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20
1497 		},
1498 		32,
1499 		"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
1500 		"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
1501 		112,
1502 		{
1503 			0x47, 0x03, 0x05, 0xfc, 0x7e, 0x40, 0xfe, 0x34,
1504 			0xd3, 0xee, 0xb3, 0xe7, 0x73, 0xd9, 0x5a, 0xab,
1505 			0x73, 0xac, 0xf0, 0xfd, 0x06, 0x04, 0x47, 0xa5,
1506 			0xeb, 0x45, 0x95, 0xbf, 0x33, 0xa9, 0xd1, 0xa3
1507 		},
1508 		{ }
1509 	},
1510 	{
1511 		{
1512 			0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
1513 			0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
1514 			0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
1515 			0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b
1516 		},
1517 		32,
1518 		"Hi There",
1519 		8,
1520 		{
1521 			0x19, 0x8a, 0x60, 0x7e, 0xb4, 0x4b, 0xfb, 0xc6,
1522 			0x99, 0x03, 0xa0, 0xf1, 0xcf, 0x2b, 0xbd, 0xc5,
1523 			0xba, 0x0a, 0xa3, 0xf3, 0xd9, 0xae, 0x3c, 0x1c,
1524 			0x7a, 0x3b, 0x16, 0x96, 0xa0, 0xb6, 0x8c, 0xf7
1525 		},
1526 		{ }
1527 	},
1528 	{ /* RFC 4231 - Test Case 1 */
1529 		{
1530 			0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
1531 			0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
1532 			0x0b, 0x0b, 0x0b, 0x0b
1533 		},
1534 		20,
1535 		"Hi There",
1536 		8,
1537 		{
1538 			0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53,
1539 			0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b,
1540 			0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7,
1541 			0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7
1542 		},
1543 		{
1544 			0xaf, 0xd0, 0x39, 0x44, 0xd8, 0x48, 0x95, 0x62,
1545 			0x6b, 0x08, 0x25, 0xf4, 0xab, 0x46, 0x90, 0x7f,
1546 			0x15, 0xf9, 0xda, 0xdb, 0xe4, 0x10, 0x1e, 0xc6,
1547 			0x82, 0xaa, 0x03, 0x4c, 0x7c, 0xeb, 0xc5, 0x9c,
1548 			0xfa, 0xea, 0x9e, 0xa9, 0x07, 0x6e, 0xde, 0x7f,
1549 			0x4a, 0xf1, 0x52, 0xe8, 0xb2, 0xfa, 0x9c, 0xb6
1550 		}
1551 	},
1552 	{ /* RFC 4231 - Test Case 2 */
1553 		"Jefe",
1554 		4,
1555 		"what do ya want for nothing?",
1556 		28,
1557 		{
1558 			0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e,
1559 			0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7,
1560 			0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83,
1561 			0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43
1562 		},
1563 		{
1564 			0xaf, 0x45, 0xd2, 0xe3, 0x76, 0x48, 0x40, 0x31,
1565 			0x61, 0x7f, 0x78, 0xd2, 0xb5, 0x8a, 0x6b, 0x1b,
1566 			0x9c, 0x7e, 0xf4, 0x64, 0xf5, 0xa0, 0x1b, 0x47,
1567 			0xe4, 0x2e, 0xc3, 0x73, 0x63, 0x22, 0x44, 0x5e,
1568 			0x8e, 0x22, 0x40, 0xca, 0x5e, 0x69, 0xe2, 0xc7,
1569 			0x8b, 0x32, 0x39, 0xec, 0xfa, 0xb2, 0x16, 0x49
1570 		}
1571 	},
1572 	{
1573 		{
1574 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1575 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1576 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1577 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa
1578 		},
1579 		32,
1580 		{
1581 			0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
1582 			0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
1583 			0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
1584 			0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
1585 			0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
1586 			0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
1587 			0xdd, 0xdd
1588 		},
1589 		50,
1590 		{
1591 			0xcd, 0xcb, 0x12, 0x20, 0xd1, 0xec, 0xcc, 0xea,
1592 			0x91, 0xe5, 0x3a, 0xba, 0x30, 0x92, 0xf9, 0x62,
1593 			0xe5, 0x49, 0xfe, 0x6c, 0xe9, 0xed, 0x7f, 0xdc,
1594 			0x43, 0x19, 0x1f, 0xbd, 0xe4, 0x5c, 0x30, 0xb0
1595 		},
1596 		{ }
1597 	},
1598 	{ /* RFC 4231 - Test Case 3 */
1599 		{
1600 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1601 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1602 			0xaa, 0xaa, 0xaa, 0xaa
1603 		},
1604 		20,
1605 		{
1606 			0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
1607 			0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
1608 			0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
1609 			0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
1610 			0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
1611 			0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
1612 			0xdd, 0xdd
1613 		},
1614 		50,
1615 		{
1616 			0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46,
1617 			0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7,
1618 			0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22,
1619 			0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe
1620 		},
1621 		{
1622 			0x88, 0x06, 0x26, 0x08, 0xd3, 0xe6, 0xad, 0x8a,
1623 			0x0a, 0xa2, 0xac, 0xe0, 0x14, 0xc8, 0xa8, 0x6f,
1624 			0x0a, 0xa6, 0x35, 0xd9, 0x47, 0xac, 0x9f, 0xeb,
1625 			0xe8, 0x3e, 0xf4, 0xe5, 0x59, 0x66, 0x14, 0x4b,
1626 			0x2a, 0x5a, 0xb3, 0x9d, 0xc1, 0x38, 0x14, 0xb9,
1627 			0x4e, 0x3a, 0xb6, 0xe1, 0x01, 0xa3, 0x4f, 0x27
1628 		}
1629 	},
1630 	{
1631 		{
1632 			0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
1633 			0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
1634 			0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
1635 			0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
1636 			0x21, 0x22, 0x23, 0x24, 0x25
1637 		},
1638 		37,
1639 		{
1640 			0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
1641 			0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
1642 			0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
1643 			0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
1644 			0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
1645 			0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
1646 			0xcd, 0xcd
1647 		},
1648 		50,
1649 		{
1650 			0xd4, 0x63, 0x3c, 0x17, 0xf6, 0xfb, 0x8d, 0x74,
1651 			0x4c, 0x66, 0xde, 0xe0, 0xf8, 0xf0, 0x74, 0x55,
1652 			0x6e, 0xc4, 0xaf, 0x55, 0xef, 0x07, 0x99, 0x85,
1653 			0x41, 0x46, 0x8e, 0xb4, 0x9b, 0xd2, 0xe9, 0x17
1654 		},
1655 		{ }
1656 	},
1657 	{ /* RFC 4231 - Test Case 4 */
1658 		{
1659 			0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
1660 			0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
1661 			0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
1662 			0x19,
1663 		},
1664 		25,
1665 		{
1666 			0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
1667 			0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
1668 			0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
1669 			0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
1670 			0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
1671 			0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
1672 			0xcd, 0xcd
1673 		},
1674 		50,
1675 		{
1676 			0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e,
1677 			0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a,
1678 			0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07,
1679 			0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b
1680 		},
1681 		{
1682 			0x3e, 0x8a, 0x69, 0xb7, 0x78, 0x3c, 0x25, 0x85,
1683 			0x19, 0x33, 0xab, 0x62, 0x90, 0xaf, 0x6c, 0xa7,
1684 			0x7a, 0x99, 0x81, 0x48, 0x08, 0x50, 0x00, 0x9c,
1685 			0xc5, 0x57, 0x7c, 0x6e, 0x1f, 0x57, 0x3b, 0x4e,
1686 			0x68, 0x01, 0xdd, 0x23, 0xc4, 0xa7, 0xd6, 0x79,
1687 			0xcc, 0xf8, 0xa3, 0x86, 0xc6, 0x74, 0xcf, 0xfb
1688 		}
1689 	},
1690 	{
1691 		{
1692 			0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c,
1693 			0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c,
1694 			0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c,
1695 			0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c
1696 		},
1697 		32,
1698 		"Test With Truncation",
1699 		20,
1700 		{
1701 			0x75, 0x46, 0xaf, 0x01, 0x84, 0x1f, 0xc0, 0x9b,
1702 			0x1a, 0xb9, 0xc3, 0x74, 0x9a, 0x5f, 0x1c, 0x17,
1703 			0xd4, 0xf5, 0x89, 0x66, 0x8a, 0x58, 0x7b, 0x27,
1704 			0x00, 0xa9, 0xc9, 0x7c, 0x11, 0x93, 0xcf, 0x42
1705 		},
1706 		{ }
1707 	},
1708 	{
1709 		{
1710 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1711 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1712 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1713 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1714 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1715 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1716 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1717 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1718 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1719 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa
1720 		},
1721 		80,
1722 		"Test Using Larger Than Block-Size Key - Hash Key First",
1723 		54,
1724 		{
1725 			0x69, 0x53, 0x02, 0x5e, 0xd9, 0x6f, 0x0c, 0x09,
1726 			0xf8, 0x0a, 0x96, 0xf7, 0x8e, 0x65, 0x38, 0xdb,
1727 			0xe2, 0xe7, 0xb8, 0x20, 0xe3, 0xdd, 0x97, 0x0e,
1728 			0x7d, 0xdd, 0x39, 0x09, 0x1b, 0x32, 0x35, 0x2f
1729 		},
1730 		{ }
1731 	},
1732 	{ /* RFC 4231 - Test Case 6 */
1733 		{
1734 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1735 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1736 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1737 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1738 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1739 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1740 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1741 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1742 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1743 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1744 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1745 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1746 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1747 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1748 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1749 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1750 			0xaa, 0xaa, 0xaa
1751 		},
1752 		131,
1753 		"Test Using Larger Than Block-Size Key - Hash Key First",
1754 		54,
1755 		{
1756 			0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f,
1757 			0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f,
1758 			0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14,
1759 			0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54
1760 		},
1761 		{
1762 			0x4e, 0xce, 0x08, 0x44, 0x85, 0x81, 0x3e, 0x90,
1763 			0x88, 0xd2, 0xc6, 0x3a, 0x04, 0x1b, 0xc5, 0xb4,
1764 			0x4f, 0x9e, 0xf1, 0x01, 0x2a, 0x2b, 0x58, 0x8f,
1765 			0x3c, 0xd1, 0x1f, 0x05, 0x03, 0x3a, 0xc4, 0xc6,
1766 			0x0c, 0x2e, 0xf6, 0xab, 0x40, 0x30, 0xfe, 0x82,
1767 			0x96, 0x24, 0x8d, 0xf1, 0x63, 0xf4, 0x49, 0x52
1768 		}
1769 	},
1770 	{
1771 		{
1772 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1773 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1774 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1775 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1776 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1777 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1778 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1779 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1780 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1781 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa
1782 		},
1783 		80,
1784 		"Test Using Larger Than Block-Size Key and Larger Than One "
1785 		"Block-Size Data",
1786 		73,
1787 		{
1788 			0x63, 0x55, 0xac, 0x22, 0xe8, 0x90, 0xd0, 0xa3,
1789 			0xc8, 0x48, 0x1a, 0x5c, 0xa4, 0x82, 0x5b, 0xc8,
1790 			0x84, 0xd3, 0xe7, 0xa1, 0xff, 0x98, 0xa2, 0xfc,
1791 			0x2a, 0xc7, 0xd8, 0xe0, 0x64, 0xc3, 0xb2, 0xe6
1792 		},
1793 		{ }
1794 	},
1795 	{ /* RFC 4231 - Test Case 7 */
1796 		{
1797 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1798 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1799 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1800 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1801 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1802 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1803 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1804 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1805 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1806 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1807 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1808 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1809 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1810 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1811 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1812 			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1813 			0xaa, 0xaa, 0xaa
1814 		},
1815 		131,
1816 		"This is a test using a larger than block-size key and a larger than block-size data. The key needs to be hashed before being used by the HMAC algorithm.",
1817 		152,
1818 		{
1819 			0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb,
1820 			0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44,
1821 			0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93,
1822 			0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2
1823 		},
1824 		{
1825 			0x66, 0x17, 0x17, 0x8e, 0x94, 0x1f, 0x02, 0x0d,
1826 			0x35, 0x1e, 0x2f, 0x25, 0x4e, 0x8f, 0xd3, 0x2c,
1827 			0x60, 0x24, 0x20, 0xfe, 0xb0, 0xb8, 0xfb, 0x9a,
1828 			0xdc, 0xce, 0xbb, 0x82, 0x46, 0x1e, 0x99, 0xc5,
1829 			0xa6, 0x78, 0xcc, 0x31, 0xe7, 0x99, 0x17, 0x6d,
1830 			0x38, 0x60, 0xe6, 0x11, 0x0c, 0x46, 0x52, 0x3e
1831 		}
1832 	}
1833 };
1834 
1835 
test_sha256(void)1836 static int test_sha256(void)
1837 {
1838 	unsigned int i;
1839 	u8 hash[32];
1840 	const u8 *addr[2];
1841 	size_t len[2];
1842 	int errors = 0;
1843 	u8 *key;
1844 
1845 	for (i = 0; i < ARRAY_SIZE(tests); i++) {
1846 		wpa_printf(MSG_INFO, "SHA256 test case %d:", i + 1);
1847 
1848 		addr[0] = (u8 *) tests[i].data;
1849 		len[0] = strlen(tests[i].data);
1850 		sha256_vector(1, addr, len, hash);
1851 		if (memcmp(hash, tests[i].hash, 32) != 0) {
1852 			wpa_printf(MSG_INFO, " FAIL");
1853 			errors++;
1854 		} else
1855 			wpa_printf(MSG_INFO, " OK");
1856 
1857 		if (len[0]) {
1858 			addr[0] = (u8 *) tests[i].data;
1859 			len[0] = 1;
1860 			addr[1] = (u8 *) tests[i].data + 1;
1861 			len[1] = strlen(tests[i].data) - 1;
1862 			sha256_vector(2, addr, len, hash);
1863 			if (memcmp(hash, tests[i].hash, 32) != 0) {
1864 				wpa_printf(MSG_INFO, " FAIL");
1865 				errors++;
1866 			} else
1867 				wpa_printf(MSG_INFO, " OK");
1868 		}
1869 	}
1870 
1871 	for (i = 0; i < ARRAY_SIZE(hmac_tests); i++) {
1872 		const struct hmac_test *t = &hmac_tests[i];
1873 
1874 		wpa_printf(MSG_INFO, "HMAC-SHA256 test case %d:", i + 1);
1875 
1876 		if (hmac_sha256(t->key, t->key_len, t->data, t->data_len,
1877 				hash) < 0 ||
1878 		    os_memcmp(hash, t->hash, 32) != 0) {
1879 			wpa_printf(MSG_INFO, " FAIL");
1880 			errors++;
1881 		} else
1882 			wpa_printf(MSG_INFO, " OK");
1883 
1884 		addr[0] = t->data;
1885 		len[0] = t->data_len;
1886 		if (hmac_sha256_vector(t->key, t->key_len, 1, addr, len,
1887 				       hash) < 0 ||
1888 		    os_memcmp(hash, t->hash, 32) != 0) {
1889 			wpa_printf(MSG_INFO, " FAIL");
1890 			errors++;
1891 		} else
1892 			wpa_printf(MSG_INFO, " OK");
1893 
1894 		if (len[0]) {
1895 			addr[0] = t->data;
1896 			len[0] = 1;
1897 			addr[1] = t->data + 1;
1898 			len[1] = t->data_len - 1;
1899 			if (hmac_sha256_vector(t->key, t->key_len, 2, addr, len,
1900 					       hash) < 0 ||
1901 			    os_memcmp(hash, t->hash, 32) != 0) {
1902 				wpa_printf(MSG_INFO, " FAIL");
1903 				errors++;
1904 			} else
1905 				wpa_printf(MSG_INFO, " OK");
1906 		}
1907 	}
1908 
1909 	wpa_printf(MSG_INFO, "Test IEEE 802.11r KDF");
1910 	sha256_prf((u8 *) "abc", 3, "KDF test", (u8 *) "data", 4,
1911 		   hash, sizeof(hash));
1912 	/* TODO: add proper test case for this */
1913 
1914 	key = os_malloc(8161);
1915 	if (key) {
1916 #ifdef CONFIG_HMAC_SHA256_KDF
1917 		int res;
1918 
1919 		res = hmac_sha256_kdf((u8 *) "secret", 6, "label",
1920 				      (u8 *) "seed", 4, key, 8160);
1921 		if (res) {
1922 			wpa_printf(MSG_INFO,
1923 				   "Unexpected hmac_sha256_kdf(outlen=8160) failure");
1924 			errors++;
1925 		}
1926 
1927 		res = hmac_sha256_kdf((u8 *) "secret", 6, "label",
1928 				      (u8 *) "seed", 4, key, 8161);
1929 		if (res == 0) {
1930 			wpa_printf(MSG_INFO,
1931 				   "Unexpected hmac_sha256_kdf(outlen=8161) success");
1932 			errors++;
1933 		}
1934 #endif /* CONFIG_HMAC_SHA256_KDF */
1935 
1936 		os_free(key);
1937 	}
1938 
1939 	if (!errors)
1940 		wpa_printf(MSG_INFO, "SHA256 test cases passed");
1941 	return errors;
1942 }
1943 
1944 
test_sha384(void)1945 static int test_sha384(void)
1946 {
1947 #ifdef CONFIG_SHA384
1948 	unsigned int i;
1949 	u8 hash[48];
1950 	const u8 *addr[2];
1951 	size_t len[2];
1952 	int errors = 0;
1953 	const char *data = "hello";
1954 	const u8 hash_res[] = {
1955 		0x59, 0xe1, 0x74, 0x87, 0x77, 0x44, 0x8c, 0x69,
1956 		0xde, 0x6b, 0x80, 0x0d, 0x7a, 0x33, 0xbb, 0xfb,
1957 		0x9f, 0xf1, 0xb4, 0x63, 0xe4, 0x43, 0x54, 0xc3,
1958 		0x55, 0x3b, 0xcd, 0xb9, 0xc6, 0x66, 0xfa, 0x90,
1959 		0x12, 0x5a, 0x3c, 0x79, 0xf9, 0x03, 0x97, 0xbd,
1960 		0xf5, 0xf6, 0xa1, 0x3d, 0xe8, 0x28, 0x68, 0x4f
1961 	};
1962 
1963 	addr[0] = (const u8 *) data;
1964 	len[0] = 5;
1965 	if (sha384_vector(1, addr, len, hash) < 0 ||
1966 	    os_memcmp(hash, hash_res, 48) != 0) {
1967 		wpa_printf(MSG_INFO, "SHA384 test case 1: FAIL");
1968 		errors++;
1969 	} else {
1970 		wpa_printf(MSG_INFO, "SHA384 test case 1: OK");
1971 	}
1972 
1973 	addr[0] = (const u8 *) data;
1974 	len[0] = 4;
1975 	addr[1] = (const u8 *) data + 4;
1976 	len[1] = 1;
1977 	if (sha384_vector(2, addr, len, hash) < 0 ||
1978 	    os_memcmp(hash, hash_res, 48) != 0) {
1979 		wpa_printf(MSG_INFO, "SHA384 test case 2: FAIL");
1980 		errors++;
1981 	} else {
1982 		wpa_printf(MSG_INFO, "SHA384 test case 2: OK");
1983 	}
1984 
1985 	for (i = 0; i < ARRAY_SIZE(hmac_tests); i++) {
1986 		const struct hmac_test *t = &hmac_tests[i];
1987 
1988 		if (t->hash384[0] == 0 && t->hash384[1] == 0 &&
1989 		    t->hash384[2] == 0 && t->hash384[3] == 0)
1990 			continue;
1991 		wpa_printf(MSG_INFO, "HMAC-SHA384 test case %d:", i + 1);
1992 
1993 		if (hmac_sha384(t->key, t->key_len, t->data, t->data_len,
1994 				hash) < 0 ||
1995 		    os_memcmp(hash, t->hash384, 48) != 0) {
1996 			wpa_printf(MSG_INFO, " FAIL");
1997 			errors++;
1998 		} else
1999 			wpa_printf(MSG_INFO, " OK");
2000 
2001 		addr[0] = t->data;
2002 		len[0] = t->data_len;
2003 		if (hmac_sha384_vector(t->key, t->key_len, 1, addr, len,
2004 				       hash) < 0 ||
2005 		    os_memcmp(hash, t->hash384, 48) != 0) {
2006 			wpa_printf(MSG_INFO, " FAIL");
2007 			errors++;
2008 		} else
2009 			wpa_printf(MSG_INFO, " OK");
2010 
2011 		if (len[0]) {
2012 			addr[0] = t->data;
2013 			len[0] = 1;
2014 			addr[1] = t->data + 1;
2015 			len[1] = t->data_len - 1;
2016 			if (hmac_sha384_vector(t->key, t->key_len, 2, addr, len,
2017 					       hash) < 0 ||
2018 			    os_memcmp(hash, t->hash384, 48) != 0) {
2019 				wpa_printf(MSG_INFO, " FAIL");
2020 				errors++;
2021 			} else
2022 				wpa_printf(MSG_INFO, " OK");
2023 		}
2024 	}
2025 
2026 	if (!errors)
2027 		wpa_printf(MSG_INFO, "SHA384 test cases passed");
2028 	return errors;
2029 #else /* CONFIG_SHA384 */
2030 	return 0;
2031 #endif /* CONFIG_SHA384 */
2032 }
2033 
2034 
test_fips186_2_prf(void)2035 static int test_fips186_2_prf(void)
2036 {
2037 	/* http://csrc.nist.gov/encryption/dss/Examples-1024bit.pdf */
2038 	u8 xkey[] = {
2039 		0xbd, 0x02, 0x9b, 0xbe, 0x7f, 0x51, 0x96, 0x0b,
2040 		0xcf, 0x9e, 0xdb, 0x2b, 0x61, 0xf0, 0x6f, 0x0f,
2041 		0xeb, 0x5a, 0x38, 0xb6
2042 	};
2043 	u8 w[] = {
2044 		0x20, 0x70, 0xb3, 0x22, 0x3d, 0xba, 0x37, 0x2f,
2045 		0xde, 0x1c, 0x0f, 0xfc, 0x7b, 0x2e, 0x3b, 0x49,
2046 		0x8b, 0x26, 0x06, 0x14, 0x3c, 0x6c, 0x18, 0xba,
2047 		0xcb, 0x0f, 0x6c, 0x55, 0xba, 0xbb, 0x13, 0x78,
2048 		0x8e, 0x20, 0xd7, 0x37, 0xa3, 0x27, 0x51, 0x16
2049 	};
2050 	u8 buf[40];
2051 
2052 	wpa_printf(MSG_INFO,
2053 		   "Testing EAP-SIM PRF (FIPS 186-2 + change notice 1)");
2054 	if (fips186_2_prf(xkey, sizeof(xkey), buf, sizeof(buf)) < 0 ||
2055 	    os_memcmp(w, buf, sizeof(w)) != 0) {
2056 		wpa_printf(MSG_INFO, "fips186_2_prf failed");
2057 		return 1;
2058 	}
2059 
2060 	return 0;
2061 }
2062 
2063 
test_extract_expand_hkdf(void)2064 static int test_extract_expand_hkdf(void)
2065 {
2066 	u8 prk[SHA256_MAC_LEN];
2067 	u8 okm[82];
2068 
2069 	/* RFC 5869, A.1 */
2070 	u8 ikm1[22] = {
2071 		0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
2072 		0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
2073 		0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b
2074 	};
2075 	u8 salt1[13] = {
2076 		0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
2077 		0x08, 0x09, 0x0a, 0x0b, 0x0c
2078 	};
2079 	u8 info1[10] = {
2080 		0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
2081 		0xf8, 0xf9
2082 	};
2083 	u8 prk1[32] = {
2084 		0x07, 0x77, 0x09, 0x36, 0x2c, 0x2e, 0x32, 0xdf,
2085 		0x0d, 0xdc, 0x3f, 0x0d, 0xc4, 0x7b, 0xba, 0x63,
2086 		0x90, 0xb6, 0xc7, 0x3b, 0xb5, 0x0f, 0x9c, 0x31,
2087 		0x22, 0xec, 0x84, 0x4a, 0xd7, 0xc2, 0xb3, 0xe5
2088 	};
2089 	u8 okm1[42] = {
2090 		0x3c, 0xb2, 0x5f, 0x25, 0xfa, 0xac, 0xd5, 0x7a,
2091 		0x90, 0x43, 0x4f, 0x64, 0xd0, 0x36, 0x2f, 0x2a,
2092 		0x2d, 0x2d, 0x0a, 0x90, 0xcf, 0x1a, 0x5a, 0x4c,
2093 		0x5d, 0xb0, 0x2d, 0x56, 0xec, 0xc4, 0xc5, 0xbf,
2094 		0x34, 0x00, 0x72, 0x08, 0xd5, 0xb8, 0x87, 0x18,
2095 		0x58, 0x65
2096 	};
2097 
2098 	/* RFC 5869, A.2 */
2099 	u8 ikm2[80] = {
2100 		0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
2101 		0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
2102 		0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
2103 		0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
2104 		0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
2105 		0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
2106 		0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
2107 		0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f,
2108 		0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
2109 		0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f
2110 	};
2111 	u8 salt2[80] = {
2112 		0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
2113 		0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
2114 		0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77,
2115 		0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f,
2116 		0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
2117 		0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
2118 		0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
2119 		0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f,
2120 		0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7,
2121 		0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf
2122 	};
2123 	u8 info2[80] = {
2124 		0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7,
2125 		0xb8, 0xb9, 0xba, 0xbb, 0xbc, 0xbd, 0xbe, 0xbf,
2126 		0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7,
2127 		0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf,
2128 		0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7,
2129 		0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf,
2130 		0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7,
2131 		0xe8, 0xe9, 0xea, 0xeb, 0xec, 0xed, 0xee, 0xef,
2132 		0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
2133 		0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff
2134 	};
2135 	u8 prk2[32] = {
2136 		0x06, 0xa6, 0xb8, 0x8c, 0x58, 0x53, 0x36, 0x1a,
2137 		0x06, 0x10, 0x4c, 0x9c, 0xeb, 0x35, 0xb4, 0x5c,
2138 		0xef, 0x76, 0x00, 0x14, 0x90, 0x46, 0x71, 0x01,
2139 		0x4a, 0x19, 0x3f, 0x40, 0xc1, 0x5f, 0xc2, 0x44
2140 	};
2141 	u8 okm2[82] = {
2142 		0xb1, 0x1e, 0x39, 0x8d, 0xc8, 0x03, 0x27, 0xa1,
2143 		0xc8, 0xe7, 0xf7, 0x8c, 0x59, 0x6a, 0x49, 0x34,
2144 		0x4f, 0x01, 0x2e, 0xda, 0x2d, 0x4e, 0xfa, 0xd8,
2145 		0xa0, 0x50, 0xcc, 0x4c, 0x19, 0xaf, 0xa9, 0x7c,
2146 		0x59, 0x04, 0x5a, 0x99, 0xca, 0xc7, 0x82, 0x72,
2147 		0x71, 0xcb, 0x41, 0xc6, 0x5e, 0x59, 0x0e, 0x09,
2148 		0xda, 0x32, 0x75, 0x60, 0x0c, 0x2f, 0x09, 0xb8,
2149 		0x36, 0x77, 0x93, 0xa9, 0xac, 0xa3, 0xdb, 0x71,
2150 		0xcc, 0x30, 0xc5, 0x81, 0x79, 0xec, 0x3e, 0x87,
2151 		0xc1, 0x4c, 0x01, 0xd5, 0xc1, 0xf3, 0x43, 0x4f,
2152 		0x1d, 0x87
2153 	};
2154 
2155 	wpa_printf(MSG_INFO, "Testing Extract-and-Expand HKDF (RFC 5869)");
2156 
2157 	wpa_printf(MSG_INFO, "RFC 5869 - Test Case 1");
2158 	if (hmac_sha256(salt1, sizeof(salt1), ikm1, sizeof(ikm1), prk) < 0)
2159 		return -1;
2160 	if (os_memcmp(prk, prk1, SHA256_MAC_LEN) != 0) {
2161 		wpa_printf(MSG_INFO, "HKDF-Extract mismatch in PRK");
2162 		return -1;
2163 	}
2164 	if (hmac_sha256_kdf(prk1, sizeof(prk1), NULL, info1, sizeof(info1),
2165 			    okm, sizeof(okm1)) < 0)
2166 		return -1;
2167 	if (os_memcmp(okm, okm1, sizeof(okm1)) != 0) {
2168 		wpa_printf(MSG_INFO, "HKDF-Expand mismatch in OKM");
2169 		return -1;
2170 	}
2171 
2172 	wpa_printf(MSG_INFO, "RFC 5869 - Test Case 2");
2173 	if (hmac_sha256(salt2, sizeof(salt2), ikm2, sizeof(ikm2), prk) < 0)
2174 		return -1;
2175 	if (os_memcmp(prk, prk2, SHA256_MAC_LEN) != 0) {
2176 		wpa_printf(MSG_INFO, "HKDF-Extract mismatch in PRK");
2177 		return -1;
2178 	}
2179 	if (hmac_sha256_kdf(prk2, sizeof(prk2), NULL, info2, sizeof(info2),
2180 			    okm, sizeof(okm2)) < 0)
2181 		return -1;
2182 	if (os_memcmp(okm, okm2, sizeof(okm2)) != 0) {
2183 		wpa_printf(MSG_INFO, "HKDF-Expand mismatch in OKM");
2184 		return -1;
2185 	}
2186 
2187 	wpa_printf(MSG_INFO, "Extract-and-Expand HKDF test cases passed");
2188 
2189 	return 0;
2190 }
2191 
2192 
2193 #ifdef CONFIG_DPP3
2194 
2195 static const struct hpke_test {
2196 	const char *name;
2197 	enum hpke_mode mode;
2198 	enum hpke_kem_id kem_id;
2199 	enum hpke_kdf_id kdf_id;
2200 	enum hpke_aead_id aead_id;
2201 	const char *info;
2202 	int sk_r_group;
2203 	const char *pk_r;
2204 	const char *sk_r;
2205 	const char *enc;
2206 	const char *pt;
2207 	const char *aad;
2208 	const char *ct;
2209 } hpke_tests[] = {
2210 	{
2211 		.name = "A.3. DHKEM(P-256, HKDF-SHA256), HKDF-SHA256, AES-128-GCM",
2212 		.mode = HPKE_MODE_BASE,
2213 		.kem_id = HPKE_DHKEM_P256_HKDF_SHA256,
2214 		.kdf_id = HPKE_KDF_HKDF_SHA256,
2215 		.aead_id = HPKE_AEAD_AES_128_GCM,
2216 		.info = "4f6465206f6e2061204772656369616e2055726e",
2217 		.sk_r_group = 19,
2218 		.pk_r = "04fe8c19ce0905191ebc298a9245792531f26f0cece2460639e8bc39cb7f706a826a779b4cf969b8a0e539c7f62fb3d30ad6aa8f80e30f1d128aafd68a2ce72ea0",
2219 		.sk_r = "f3ce7fdae57e1a310d87f1ebbde6f328be0a99cdbcadf4d6589cf29de4b8ffd2",
2220 		.enc = "04a92719c6195d5085104f469a8b9814d5838ff72b60501e2c4466e5e67b325ac98536d7b61a1af4b78e5b7f951c0900be863c403ce65c9bfcb9382657222d18c4",
2221 		.pt = "4265617574792069732074727574682c20747275746820626561757479",
2222 		.aad = "436f756e742d30",
2223 		.ct = "5ad590bb8baa577f8619db35a36311226a896e7342a6d836d8b7bcd2f20b6c7f9076ac232e3ab2523f39513434",
2224 	},
2225 	{
2226 		.name = "A.4. DHKEM(P-256, HKDF-SHA256), HKDF-SHA512, AES-128-GCM",
2227 		.mode = HPKE_MODE_BASE,
2228 		.kem_id = HPKE_DHKEM_P256_HKDF_SHA256,
2229 		.kdf_id = HPKE_KDF_HKDF_SHA512,
2230 		.aead_id = HPKE_AEAD_AES_128_GCM,
2231 		.info = "4f6465206f6e2061204772656369616e2055726e",
2232 		.sk_r_group = 19,
2233 		.pk_r = "04085aa5b665dc3826f9650ccbcc471be268c8ada866422f739e2d531d4a8818a9466bc6b449357096232919ec4fe9070ccbac4aac30f4a1a53efcf7af90610edd",
2234 		.sk_r = "3ac8530ad1b01885960fab38cf3cdc4f7aef121eaa239f222623614b4079fb38",
2235 		.enc = "0493ed86735bdfb978cc055c98b45695ad7ce61ce748f4dd63c525a3b8d53a15565c6897888070070c1579db1f86aaa56deb8297e64db7e8924e72866f9a472580",
2236 		.pt = "4265617574792069732074727574682c20747275746820626561757479",
2237 		.aad = "436f756e742d30",
2238 		.ct = "d3cf4984931484a080f74c1bb2a6782700dc1fef9abe8442e44a6f09044c88907200b332003543754eb51917ba",
2239 	},
2240 	{
2241 		.name = "A.6. DHKEM(P-521, HKDF-SHA512), HKDF-SHA512, AES-256-GCM",
2242 		.mode = HPKE_MODE_BASE,
2243 		.kem_id = HPKE_DHKEM_P521_HKDF_SHA512,
2244 		.kdf_id = HPKE_KDF_HKDF_SHA512,
2245 		.aead_id = HPKE_AEAD_AES_256_GCM,
2246 		.info = "4f6465206f6e2061204772656369616e2055726e",
2247 		.sk_r_group = 21,
2248 		.pk_r = "0401b45498c1714e2dce167d3caf162e45e0642afc7ed435df7902ccae0e84ba0f7d373f646b7738bbbdca11ed91bdeae3cdcba3301f2457be452f271fa6837580e661012af49583a62e48d44bed350c7118c0d8dc861c238c72a2bda17f64704f464b57338e7f40b60959480c0e58e6559b190d81663ed816e523b6b6a418f66d2451ec64",
2249 		.sk_r = "01462680369ae375e4b3791070a7458ed527842f6a98a79ff5e0d4cbde83c27196a3916956655523a6a2556a7af62c5cadabe2ef9da3760bb21e005202f7b2462847",
2250 		.enc = "040138b385ca16bb0d5fa0c0665fbbd7e69e3ee29f63991d3e9b5fa740aab8900aaeed46ed73a49055758425a0ce36507c54b29cc5b85a5cee6bae0cf1c21f2731ece2013dc3fb7c8d21654bb161b463962ca19e8c654ff24c94dd2898de12051f1ed0692237fb02b2f8d1dc1c73e9b366b529eb436e98a996ee522aef863dd5739d2f29b0",
2251 		.pt = "4265617574792069732074727574682c20747275746820626561757479",
2252 		.aad = "436f756e742d30",
2253 		.ct = "170f8beddfe949b75ef9c387e201baf4132fa7374593dfafa90768788b7b2b200aafcc6d80ea4c795a7c5b841a",
2254 	},
2255 	{ /* self-generated test vector for P-384 */
2256 		.name = "custom DHKEM(P-384, HKDF-SHA384), HKDF-SHA384, AES-256-GCM",
2257 		.mode = HPKE_MODE_BASE,
2258 		.kem_id = HPKE_DHKEM_P384_HKDF_SHA384,
2259 		.kdf_id = HPKE_KDF_HKDF_SHA384,
2260 		.aead_id = HPKE_AEAD_AES_256_GCM,
2261 		.info = "4f6465206f6e2061204772656369616e2055726e",
2262 		.sk_r_group = 20,
2263 		.pk_r = "049c0e4dcbbb3c80715cafaa1839d0bc3c3adcc95eb8062f84175f9c3cec115e6b799061c65a0605907785c25b3571564706a8ba6a204452b38c7c205db17d328f2353df05d5f1c568e7503331178c36c2d37bbed48401295407face3f8dae5ed8",
2264 		.sk_r = "cabffb07d20ffcfdaa043e1de49e1654659e0f0aba5de56523e8b73dc80c579a9e5c89ed3810ec21c4bafcf74ad2a245",
2265 		.enc = "04b30bea96d0e51582033b02a4d676d0464a5eb2d858be86cda1c4e6f8b2aa9fb80f5365483f781b1b3a8b3b8efd50b0f7bca16f06d0435fa3da1d671ea0a318b40fe170a074923c651e5dc824966b7b98d0e36bdf932875dae7130369a793cecc",
2266 		.pt = "4265617574792069732074727574682c20747275746820626561757479",
2267 		.aad = "436f756e742d30",
2268 		.ct = "ae7feccfea0f8fcd620d15369a28db8701cdc90d55c20efff6296bd441697b0da34671d1f3c4864183e86d27fc",
2269 	},
2270 	{ /* self-generated test vector for BP-256 */
2271 		.name = "custom PB-256 using DHKEM(P-256, HKDF-SHA256), HKDF-SHA256, AES-128-GCM",
2272 		.mode = HPKE_MODE_BASE,
2273 		.kem_id = HPKE_DHKEM_P256_HKDF_SHA256,
2274 		.kdf_id = HPKE_KDF_HKDF_SHA256,
2275 		.aead_id = HPKE_AEAD_AES_128_GCM,
2276 		.info = "4f6465206f6e2061204772656369616e2055726e",
2277 		.sk_r_group = 28,
2278 		.pk_r = "04a2cb9c4cae90cdc1c27516e9f84b6b166e4b1dcc517286268239ddb0bf74cca6390fed092ac4423ab2192b8bb41a4824d908d2053b93fc813830bebac5ce19b9",
2279 		.sk_r = "11d9db41c4341166ca52f5a1775595c0bdb4934350daeb7bce659c4b7a40e314",
2280 		.enc = "047a25e309c7ee50ec27f13d44734a3ccd8c703e3affcc728513df416511ef9bf02f5e7750e7415de8b5f306ebd3fc88ea9b9368523eb1733a8d82c1a877e5a0f4",
2281 		.pt = "4265617574792069732074727574682c20747275746820626561757479",
2282 		.aad = "436f756e742d30",
2283 		.ct = "17c84b3f07f6ffe08ff2be45c709ea782229504aa5b2253876725c6c39f8d8c992304fc5877994f79d6c10d462",
2284 	},
2285 	{ /* self-generated test vector for BP-384 */
2286 		.name = "custom PB-384 using DHKEM(P-384, HKDF-SHA384), HKDF-SHA384, AES-256-GCM",
2287 		.mode = HPKE_MODE_BASE,
2288 		.kem_id = HPKE_DHKEM_P384_HKDF_SHA384,
2289 		.kdf_id = HPKE_KDF_HKDF_SHA384,
2290 		.aead_id = HPKE_AEAD_AES_256_GCM,
2291 		.info = "4f6465206f6e2061204772656369616e2055726e",
2292 		.sk_r_group = 29,
2293 		.pk_r = "041f4199ad28835908079c45d165d55630098be53eb4beede9921f5b2204fa396111f99ac54c56411f7cb2c43ec18d8e604d895027228cf975f5a4b598f189d8fb03e3fefe020258c40d4d1b15fd7587d209925d67a41f9659a8ed6f662fb441e4",
2294 		.sk_r = "7017cf8a5a9a81ad4e0d755ccbea27a378b787561f8d5662639850805fefcbaab6b9a15729872abb7dc53d19a6cf77e4",
2295 		.enc = "0415d49dedc5bc1ffe9f8de9022c266bb605ec6cd7b77b6ce68974095398856f8aefa4b7abbfbd496b99a2dda3a9c65f1a71b9d40255aa1c7c4205a8b4ef611b96ed29fd2d7b0cde4c0e82058805e6276025cc4fc606f6e5771c31bd9704e9ba0b",
2296 		.pt = "4265617574792069732074727574682c20747275746820626561757479",
2297 		.aad = "436f756e742d30",
2298 		.ct = "5f5e9f82bedadec0e9b01a1b304cb48b05c0d6d397b1c8a95ed541218ec54f634a41cbc4066910a409e47b254e",
2299 	},
2300 	{ /* self-generated test vector for BP-512 */
2301 		.name = "custom PB-512 using DHKEM(P-521, HKDF-SHA512), HKDF-SHA512, AES-256-GCM",
2302 		.mode = HPKE_MODE_BASE,
2303 		.kem_id = HPKE_DHKEM_P521_HKDF_SHA512,
2304 		.kdf_id = HPKE_KDF_HKDF_SHA512,
2305 		.aead_id = HPKE_AEAD_AES_256_GCM,
2306 		.info = "4f6465206f6e2061204772656369616e2055726e",
2307 		.sk_r_group = 30,
2308 		.pk_r = "049e81046a531365a3b5215ac37e7b38f5fa34f86c4eb2e03113b197390a26c555bb007596e131c2541f336eb24a45f44283b5b53fedddfa5642675602fdec17d34120a35efffb44952e32dee7732f2f3245c3314269996b610703a63fb8555a75ca5092690a1125ae8712c1e31fd77aee42bd052e71f9f9459814d6f4065bcea0",
2309 		.sk_r = "483b6882608182b296843fa7dfffbdd61ed0372574d4aa32a035c8e33a493927aaf00d42bd9124ebe4df26010b38124668c02b35a749e74845d565734310cfe9",
2310 		.enc = "04158d18473aeb3b283d3345b1a87d3de2b192ff9e41b5a98f91daacfb24be72e698cbc04c33078681e507bf346c0ea70c927083a22ca9ea027f420067ee42285b798d95fea51002d097ce28371883202bfd300fb64943669e32c6f1a348087368bb480b757892ebd199a9389978c92cbc44076626d705a771fbbd90c030a6767e",
2311 		.pt = "4265617574792069732074727574682c20747275746820626561757479",
2312 		.aad = "436f756e742d30",
2313 		.ct = "033d91c4514857da5b833635180c1acc09f175cbf44777a7b71e177705cfd17437b1c85d671dd767bb4fe20e2e",
2314 	},
2315 };
2316 
2317 
run_hpke_test(const struct hpke_test * test)2318 static int run_hpke_test(const struct hpke_test *test)
2319 {
2320 	struct wpabuf *info, *pk_r, *sk_r, *enc, *pt, *aad, *ct;
2321 	struct wpabuf *res_pt = NULL, *enc_ct = NULL, *res_ct = NULL;
2322 	struct crypto_ec_key *own_priv = NULL, *peer_pub = NULL;
2323 	int res = -1;
2324 	size_t coord_len;
2325 
2326 	wpa_printf(MSG_INFO, "- %s", test->name);
2327 
2328 	info = wpabuf_parse_bin(test->info);
2329 	pk_r = wpabuf_parse_bin(test->pk_r);
2330 	sk_r = wpabuf_parse_bin(test->sk_r);
2331 	enc = wpabuf_parse_bin(test->enc);
2332 	pt = wpabuf_parse_bin(test->pt);
2333 	aad = wpabuf_parse_bin(test->aad);
2334 	ct = wpabuf_parse_bin(test->ct);
2335 	if (!info || !pk_r || !sk_r || !enc || !pt || !aad || !ct) {
2336 		wpa_printf(MSG_ERROR, "Could not parse test data");
2337 		goto fail;
2338 	}
2339 
2340 	/* Receiver - decryption against the test vector */
2341 
2342 	enc_ct = wpabuf_concat(enc, ct);
2343 	enc = NULL;
2344 	ct = NULL;
2345 	if (!enc_ct)
2346 		goto fail;
2347 
2348 	own_priv = crypto_ec_key_set_priv(test->sk_r_group, wpabuf_head(sk_r),
2349 					  wpabuf_len(sk_r));
2350 	if (!own_priv) {
2351 		wpa_printf(MSG_ERROR,
2352 			   "HPKE base open - failed to set private key");
2353 		goto fail;
2354 	}
2355 
2356 	res_pt = hpke_base_open(test->kem_id, test->kdf_id, test->aead_id,
2357 				own_priv,
2358 				wpabuf_head(info), wpabuf_len(info),
2359 				wpabuf_head(aad), wpabuf_len(aad),
2360 				wpabuf_head(enc_ct), wpabuf_len(enc_ct));
2361 	if (!res_pt) {
2362 		wpa_printf(MSG_ERROR, "HPKE base open - failed to decrypt");
2363 		wpa_hexdump_buf(MSG_INFO, "pt", res_pt);
2364 		goto fail;
2365 	}
2366 	if (wpabuf_len(res_pt) != wpabuf_len(pt) ||
2367 	    os_memcmp(wpabuf_head(res_pt), wpabuf_head(pt),
2368 		      wpabuf_len(pt)) != 0) {
2369 		wpa_printf(MSG_ERROR,
2370 			   "HPKE base open - failed - decryption mismatch");
2371 		goto fail;
2372 	}
2373 
2374 	/* Sender - encryption (randomized algorithm) */
2375 
2376 	if (test->sk_r_group == 19)
2377 		coord_len = 32;
2378 	else if (test->sk_r_group == 20)
2379 		coord_len = 48;
2380 	else if (test->sk_r_group == 21)
2381 		coord_len = 66;
2382 	else if (test->sk_r_group == 28)
2383 		coord_len = 32;
2384 	else if (test->sk_r_group == 29)
2385 		coord_len = 48;
2386 	else if (test->sk_r_group == 30)
2387 		coord_len = 64;
2388 	else
2389 		goto fail;
2390 	if (wpabuf_len(pk_r) != 1 + 2 * coord_len) {
2391 		wpa_printf(MSG_ERROR, "Unexpected pkR length (%zu != %zu)",
2392 			   wpabuf_len(pk_r), 1 + 2 * coord_len);
2393 		goto fail;
2394 	}
2395 	peer_pub = crypto_ec_key_set_pub(test->sk_r_group,
2396 					 wpabuf_head_u8(pk_r) + 1,
2397 					 wpabuf_head_u8(pk_r) + 1 + coord_len,
2398 					 coord_len);
2399 	if (!peer_pub) {
2400 		wpa_printf(MSG_ERROR,
2401 			   "HPKE base open - failed to set public key");
2402 		goto fail;
2403 	}
2404 
2405 	res_ct = hpke_base_seal(test->kem_id, test->kdf_id, test->aead_id,
2406 				peer_pub,
2407 				wpabuf_head(info), wpabuf_len(info),
2408 				wpabuf_head(aad), wpabuf_len(aad),
2409 				wpabuf_head(pt), wpabuf_len(pt));
2410 	if (!res_ct) {
2411 		wpa_printf(MSG_ERROR, "HPKE base open - failed to encrypt");
2412 		goto fail;
2413 	}
2414 
2415 	/* Receiver - decryption (to verify own encryption) */
2416 
2417 	wpabuf_free(res_pt);
2418 	res_pt = hpke_base_open(test->kem_id, test->kdf_id, test->aead_id,
2419 				own_priv,
2420 				wpabuf_head(info), wpabuf_len(info),
2421 				wpabuf_head(aad), wpabuf_len(aad),
2422 				wpabuf_head(res_ct), wpabuf_len(res_ct));
2423 	if (!res_pt) {
2424 		wpa_printf(MSG_ERROR, "HPKE base open - failed to decrypt own encrypted version");
2425 		goto fail;
2426 	}
2427 	if (wpabuf_len(res_pt) != wpabuf_len(pt) ||
2428 	    os_memcmp(wpabuf_head(res_pt), wpabuf_head(pt),
2429 		      wpabuf_len(pt)) != 0) {
2430 		wpa_printf(MSG_ERROR,
2431 			   "HPKE base open - failed - decryption mismatch for own encrypted version");
2432 		wpa_hexdump_buf(MSG_INFO, "pt", res_pt);
2433 		goto fail;
2434 	}
2435 
2436 	res = 0;
2437 fail:
2438 	wpabuf_free(info);
2439 	wpabuf_free(pk_r);
2440 	wpabuf_free(sk_r);
2441 	wpabuf_free(enc);
2442 	wpabuf_free(pt);
2443 	wpabuf_free(aad);
2444 	wpabuf_free(ct);
2445 	wpabuf_free(enc_ct);
2446 	wpabuf_free(res_pt);
2447 	wpabuf_free(res_ct);
2448 	crypto_ec_key_deinit(own_priv);
2449 	crypto_ec_key_deinit(peer_pub);
2450 	return res;
2451 }
2452 
2453 #endif /* CONFIG_DPP3 */
2454 
2455 
test_hpke(void)2456 static int test_hpke(void)
2457 {
2458 #ifdef CONFIG_DPP3
2459 	unsigned int i;
2460 
2461 	wpa_printf(MSG_INFO, "RFC 9180 - HPKE");
2462 	for (i = 0; i < ARRAY_SIZE(hpke_tests); i++) {
2463 		if (run_hpke_test(&hpke_tests[i]) < 0)
2464 			return -1;
2465 	}
2466 
2467 	wpa_printf(MSG_INFO, "HPKE base open test cases passed");
2468 #endif /* CONFIG_DPP3 */
2469 	return 0;
2470 }
2471 
2472 
test_ms_funcs(void)2473 static int test_ms_funcs(void)
2474 {
2475 #ifndef CONFIG_FIPS
2476 	/* Test vector from RFC2759 example */
2477 	char *username = "User";
2478 	char *password = "clientPass";
2479 	u8 auth_challenge[] = {
2480 		0x5B, 0x5D, 0x7C, 0x7D, 0x7B, 0x3F, 0x2F, 0x3E,
2481 		0x3C, 0x2C, 0x60, 0x21, 0x32, 0x26, 0x26, 0x28
2482 	};
2483 	u8 peer_challenge[] = {
2484 		0x21, 0x40, 0x23, 0x24, 0x25, 0x5E, 0x26, 0x2A,
2485 		0x28, 0x29, 0x5F, 0x2B, 0x3A, 0x33, 0x7C, 0x7E
2486 	};
2487 	u8 password_hash[] = {
2488 		0x44, 0xEB, 0xBA, 0x8D, 0x53, 0x12, 0xB8, 0xD6,
2489 		0x11, 0x47, 0x44, 0x11, 0xF5, 0x69, 0x89, 0xAE
2490 	};
2491 	u8 nt_response[] = {
2492 		0x82, 0x30, 0x9E, 0xCD, 0x8D, 0x70, 0x8B, 0x5E,
2493 		0xA0, 0x8F, 0xAA, 0x39, 0x81, 0xCD, 0x83, 0x54,
2494 		0x42, 0x33, 0x11, 0x4A, 0x3D, 0x85, 0xD6, 0xDF
2495 	};
2496 	u8 password_hash_hash[] = {
2497 		0x41, 0xC0, 0x0C, 0x58, 0x4B, 0xD2, 0xD9, 0x1C,
2498 		0x40, 0x17, 0xA2, 0xA1, 0x2F, 0xA5, 0x9F, 0x3F
2499 	};
2500 	u8 authenticator_response[] = {
2501 		0x40, 0x7A, 0x55, 0x89, 0x11, 0x5F, 0xD0, 0xD6,
2502 		0x20, 0x9F, 0x51, 0x0F, 0xE9, 0xC0, 0x45, 0x66,
2503 		0x93, 0x2C, 0xDA, 0x56
2504 	};
2505 	u8 master_key[] = {
2506 		0xFD, 0xEC, 0xE3, 0x71, 0x7A, 0x8C, 0x83, 0x8C,
2507 		0xB3, 0x88, 0xE5, 0x27, 0xAE, 0x3C, 0xDD, 0x31
2508 	};
2509 	u8 send_start_key[] = {
2510 		0x8B, 0x7C, 0xDC, 0x14, 0x9B, 0x99, 0x3A, 0x1B,
2511 		0xA1, 0x18, 0xCB, 0x15, 0x3F, 0x56, 0xDC, 0xCB
2512 	};
2513 	u8 buf[32];
2514 	int errors = 0;
2515 
2516 	if (nt_password_hash((u8 *) password, os_strlen(password), buf) ||
2517 	    os_memcmp(password_hash, buf, sizeof(password_hash)) != 0) {
2518 		wpa_printf(MSG_ERROR, "nt_password_hash failed");
2519 		errors++;
2520 	}
2521 
2522 	if (generate_nt_response(auth_challenge, peer_challenge,
2523 				 (u8 *) username, os_strlen(username),
2524 				 (u8 *) password, os_strlen(password), buf) ||
2525 	    os_memcmp(nt_response, buf, sizeof(nt_response)) != 0) {
2526 		wpa_printf(MSG_ERROR, "generate_nt_response failed");
2527 		errors++;
2528 	}
2529 
2530 	if (hash_nt_password_hash(password_hash, buf) ||
2531 	    os_memcmp(password_hash_hash, buf,
2532 		      sizeof(password_hash_hash)) != 0) {
2533 		wpa_printf(MSG_ERROR, "hash_nt_password_hash failed");
2534 		errors++;
2535 	}
2536 
2537 	if (generate_authenticator_response((u8 *) password,
2538 					    os_strlen(password),
2539 					    peer_challenge, auth_challenge,
2540 					    (u8 *) username,
2541 					    os_strlen(username),
2542 					    nt_response, buf) ||
2543 	    os_memcmp(authenticator_response, buf,
2544 		      sizeof(authenticator_response)) != 0) {
2545 		wpa_printf(MSG_ERROR, "generate_authenticator_response failed");
2546 		errors++;
2547 	}
2548 
2549 	if (get_master_key(password_hash_hash, nt_response, buf) ||
2550 	    os_memcmp(master_key, buf, sizeof(master_key)) != 0) {
2551 		wpa_printf(MSG_ERROR, "get_master_key failed");
2552 		errors++;
2553 	}
2554 
2555 	if (get_asymetric_start_key(master_key, buf, sizeof(send_start_key),
2556 				    1, 1) ||
2557 	    os_memcmp(send_start_key, buf, sizeof(send_start_key)) != 0) {
2558 		wpa_printf(MSG_ERROR, "get_asymetric_start_key failed");
2559 		errors++;
2560 	}
2561 
2562 	if (errors)
2563 		wpa_printf(MSG_ERROR, "ms_funcs: %d errors", errors);
2564 	else
2565 		wpa_printf(MSG_INFO, "ms_funcs test cases passed");
2566 
2567 	return errors;
2568 #else /* CONFIG_FIPS */
2569 	wpa_printf(MSG_INFO, "ms_funcs test cases skipped due to CONFIG_FIPS");
2570 	return 0;
2571 #endif /* CONFIG_FIPS */
2572 }
2573 
2574 
crypto_module_tests(void)2575 int crypto_module_tests(void)
2576 {
2577 	int ret = 0;
2578 
2579 	wpa_printf(MSG_INFO, "crypto module tests");
2580 	if (test_siv() ||
2581 	    test_omac1() ||
2582 	    test_eax() ||
2583 	    test_cbc() ||
2584 	    test_ecb() ||
2585 	    test_key_wrap() ||
2586 	    test_aes_ctr() ||
2587 	    test_md5() ||
2588 	    test_sha1() ||
2589 	    test_sha256() ||
2590 	    test_sha384() ||
2591 	    test_fips186_2_prf() ||
2592 	    test_extract_expand_hkdf() ||
2593 	    test_hpke() ||
2594 	    test_ms_funcs())
2595 		ret = -1;
2596 
2597 	return ret;
2598 }
2599