[thirdparty/openssl.git] / test / evp_kdf_test.c

/*
 * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright (c) 2018-2019, Oracle and/or its affiliates.  All rights reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/* Tests of the EVP_KDF_CTX APIs */

#include <stdio.h>
#include <string.h>

#include <openssl/evp.h>
#include <openssl/kdf.h>
#include "testutil.h"

static int test_kdf_tls1_prf(void)
{
    int ret;
    EVP_KDF_CTX *kctx = NULL;
    const EVP_KDF *kdf;
    unsigned char out[16];
    const unsigned char expected[sizeof(out)] = {
        0x8e, 0x4d, 0x93, 0x25, 0x30, 0xd7, 0x65, 0xa0,
        0xaa, 0xe9, 0x74, 0xc3, 0x04, 0x73, 0x5e, 0xcc
    };

    ret =
        TEST_ptr(kdf = EVP_get_kdfbyname(SN_tls1_prf))
        && TEST_ptr(kctx = EVP_KDF_CTX_new(kdf))
        && TEST_ptr_eq(EVP_KDF_CTX_kdf(kctx), kdf)
        && TEST_str_eq(EVP_KDF_name(kdf), SN_tls1_prf)
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()), 0)
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_TLS_SECRET,
                                    "secret", (size_t)6), 0)
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_ADD_TLS_SEED, "seed",
                                    (size_t)4), 0)
        && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
        && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));

    EVP_KDF_CTX_free(kctx);
    return ret;
}

static int test_kdf_hkdf(void)
{
    int ret;
    EVP_KDF_CTX *kctx;
    unsigned char out[10];
    const unsigned char expected[sizeof(out)] = {
        0x2a, 0xc4, 0x36, 0x9f, 0x52, 0x59, 0x96, 0xf8, 0xde, 0x13
    };

    ret =
        TEST_ptr(kctx = EVP_KDF_CTX_new_id(EVP_KDF_HKDF))
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()), 0)
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "salt",
                                    (size_t)4), 0)
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, "secret",
                                    (size_t)6), 0)
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_ADD_HKDF_INFO, "label",
                                    (size_t)5), 0)
        && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
        && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));

    EVP_KDF_CTX_free(kctx);
    return ret;
}

static int test_kdf_pbkdf2(void)
{
    int ret;
    EVP_KDF_CTX *kctx;
    unsigned char out[32];
    const unsigned char expected[sizeof(out)] = {
        0xae, 0x4d, 0x0c, 0x95, 0xaf, 0x6b, 0x46, 0xd3,
        0x2d, 0x0a, 0xdf, 0xf9, 0x28, 0xf0, 0x6d, 0xd0,
        0x2a, 0x30, 0x3f, 0x8e, 0xf3, 0xc2, 0x51, 0xdf,
        0xd6, 0xe2, 0xd8, 0x5a, 0x95, 0x47, 0x4c, 0x43
    };

    ret =
        TEST_ptr(kctx = EVP_KDF_CTX_new_id(EVP_KDF_PBKDF2))
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, "password",
                                    (size_t)8), 0)
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "salt",
                                    (size_t)4), 0)
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_ITER, 2), 0)
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()), 0)
        && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
        && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));

    EVP_KDF_CTX_free(kctx);
    return ret;
}

#ifndef OPENSSL_NO_SCRYPT
static int test_kdf_scrypt(void)
{
    int ret;
    EVP_KDF_CTX *kctx;
    unsigned char out[64];
    const unsigned char expected[sizeof(out)] = {
        0xfd, 0xba, 0xbe, 0x1c, 0x9d, 0x34, 0x72, 0x00,
        0x78, 0x56, 0xe7, 0x19, 0x0d, 0x01, 0xe9, 0xfe,
        0x7c, 0x6a, 0xd7, 0xcb, 0xc8, 0x23, 0x78, 0x30,
        0xe7, 0x73, 0x76, 0x63, 0x4b, 0x37, 0x31, 0x62,
        0x2e, 0xaf, 0x30, 0xd9, 0x2e, 0x22, 0xa3, 0x88,
        0x6f, 0xf1, 0x09, 0x27, 0x9d, 0x98, 0x30, 0xda,
        0xc7, 0x27, 0xaf, 0xb9, 0x4a, 0x83, 0xee, 0x6d,
        0x83, 0x60, 0xcb, 0xdf, 0xa2, 0xcc, 0x06, 0x40
    };

    ret =
        TEST_ptr(kctx = EVP_KDF_CTX_new_id(EVP_KDF_SCRYPT))
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, "password",
                                    (size_t)8), 0)
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "NaCl",
                                    (size_t)4), 0)
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_N,
                                    (uint64_t)1024), 0)
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_R,
                                    (uint32_t)8), 0)
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_P,
                                    (uint32_t)16), 0)
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MAXMEM_BYTES,
                                    (uint64_t)16), 0)
        /* failure test */
        && TEST_int_le(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MAXMEM_BYTES,
                                    (uint64_t)(10 * 1024 * 1024)), 0)
        && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
        && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));

    EVP_KDF_CTX_free(kctx);
    return ret;
}
#endif /* OPENSSL_NO_SCRYPT */

static int test_kdf_ss_hash(void)
{
    int ret;
    EVP_KDF_CTX *kctx = NULL;
    const unsigned char z[] = {
        0x6d,0xbd,0xc2,0x3f,0x04,0x54,0x88,0xe4,0x06,0x27,0x57,0xb0,0x6b,0x9e,
        0xba,0xe1,0x83,0xfc,0x5a,0x59,0x46,0xd8,0x0d,0xb9,0x3f,0xec,0x6f,0x62,
        0xec,0x07,0xe3,0x72,0x7f,0x01,0x26,0xae,0xd1,0x2c,0xe4,0xb2,0x62,0xf4,
        0x7d,0x48,0xd5,0x42,0x87,0xf8,0x1d,0x47,0x4c,0x7c,0x3b,0x18,0x50,0xe9
    };
    const unsigned char other[] = {
        0xa1,0xb2,0xc3,0xd4,0xe5,0x43,0x41,0x56,0x53,0x69,0x64,0x3c,0x83,0x2e,
        0x98,0x49,0xdc,0xdb,0xa7,0x1e,0x9a,0x31,0x39,0xe6,0x06,0xe0,0x95,0xde,
        0x3c,0x26,0x4a,0x66,0xe9,0x8a,0x16,0x58,0x54,0xcd,0x07,0x98,0x9b,0x1e,
        0xe0,0xec,0x3f,0x8d,0xbe
    };
    const unsigned char expected[] = {
        0xa4,0x62,0xde,0x16,0xa8,0x9d,0xe8,0x46,0x6e,0xf5,0x46,0x0b,0x47,0xb8
    };
    unsigned char out[14];

    ret =
        TEST_ptr(kctx = EVP_KDF_CTX_new_id(EVP_KDF_SS))
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha224()), 0)
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, z, sizeof(z)), 0)
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSKDF_INFO, other,
                                    sizeof(other)), 0)
        && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
        && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));

    EVP_KDF_CTX_free(kctx);
    return ret;
}

static int test_kdf_ss_hmac(void)
{
    int ret;
    EVP_KDF_CTX *kctx;
    const EVP_MAC *mac;

    const unsigned char z[] = {
        0xb7,0x4a,0x14,0x9a,0x16,0x15,0x46,0xf8,0xc2,0x0b,0x06,0xac,0x4e,0xd4
    };
    const unsigned char other[] = {
        0x34,0x8a,0x37,0xa2,0x7e,0xf1,0x28,0x2f,0x5f,0x02,0x0d,0xcc
    };
    const unsigned char salt[] = {
        0x36,0x38,0x27,0x1c,0xcd,0x68,0xa2,0x5d,0xc2,0x4e,0xcd,0xdd,0x39,0xef,
        0x3f,0x89
    };
    const unsigned char expected[] = {
        0x44,0xf6,0x76,0xe8,0x5c,0x1b,0x1a,0x8b,0xbc,0x3d,0x31,0x92,0x18,0x63,
        0x1c,0xa3
    };
    unsigned char out[16];

    ret =
        TEST_ptr(kctx = EVP_KDF_CTX_new_id(EVP_KDF_SS))
        && TEST_ptr(mac = EVP_get_macbyname("HMAC"))
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MAC, mac), 0)
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD,  EVP_sha256()), 0)
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, z, sizeof(z)), 0)
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSKDF_INFO, other,
                                    sizeof(other)), 0)
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, salt,
                                    sizeof(salt)), 0)
        && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
        && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));

    EVP_KDF_CTX_free(kctx);
    return ret;
}

static int test_kdf_ss_kmac(void)
{
    int ret;
    EVP_KDF_CTX *kctx;
    unsigned char out[64];
    const EVP_MAC *mac;

    const unsigned char z[] = {
        0xb7,0x4a,0x14,0x9a,0x16,0x15,0x46,0xf8,0xc2,0x0b,0x06,0xac,0x4e,0xd4
    };
    const unsigned char other[] = {
        0x34,0x8a,0x37,0xa2,0x7e,0xf1,0x28,0x2f,0x5f,0x02,0x0d,0xcc
    };
    const unsigned char salt[] = {
        0x36,0x38,0x27,0x1c,0xcd,0x68,0xa2,0x5d,0xc2,0x4e,0xcd,0xdd,0x39,0xef,
        0x3f,0x89
    };
    const unsigned char expected[] = {
        0xe9,0xc1,0x84,0x53,0xa0,0x62,0xb5,0x3b,0xdb,0xfc,0xbb,0x5a,0x34,0xbd,
        0xb8,0xe5,0xe7,0x07,0xee,0xbb,0x5d,0xd1,0x34,0x42,0x43,0xd8,0xcf,0xc2,
        0xc2,0xe6,0x33,0x2f,0x91,0xbd,0xa5,0x86,0xf3,0x7d,0xe4,0x8a,0x65,0xd4,
        0xc5,0x14,0xfd,0xef,0xaa,0x1e,0x67,0x54,0xf3,0x73,0xd2,0x38,0xe1,0x95,
        0xae,0x15,0x7e,0x1d,0xe8,0x14,0x98,0x03
    };

    ret =
        TEST_ptr(kctx = EVP_KDF_CTX_new_id(EVP_KDF_SS))
        && TEST_ptr(mac = EVP_get_macbyname("KMAC128"))
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MAC, mac), 0)
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, z,
                                    sizeof(z)), 0)
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSKDF_INFO, other,
                                    sizeof(other)), 0)
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, salt,
                                    sizeof(salt)), 0)
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MAC_SIZE,
                                    (size_t)20), 0)
        && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
        && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));

    EVP_KDF_CTX_free(kctx);
    return ret;
}

static int test_kdf_sshkdf(void)
{
    int ret;
    EVP_KDF_CTX *kctx;
    unsigned char out[8];
    /* Test data from NIST CAVS 14.1 test vectors */
    const unsigned char key[] = {
        0x00, 0x00, 0x00, 0x81, 0x00, 0x87, 0x5c, 0x55, 0x1c, 0xef, 0x52, 0x6a,
        0x4a, 0x8b, 0xe1, 0xa7, 0xdf, 0x27, 0xe9, 0xed, 0x35, 0x4b, 0xac, 0x9a,
        0xfb, 0x71, 0xf5, 0x3d, 0xba, 0xe9, 0x05, 0x67, 0x9d, 0x14, 0xf9, 0xfa,
        0xf2, 0x46, 0x9c, 0x53, 0x45, 0x7c, 0xf8, 0x0a, 0x36, 0x6b, 0xe2, 0x78,
        0x96, 0x5b, 0xa6, 0x25, 0x52, 0x76, 0xca, 0x2d, 0x9f, 0x4a, 0x97, 0xd2,
        0x71, 0xf7, 0x1e, 0x50, 0xd8, 0xa9, 0xec, 0x46, 0x25, 0x3a, 0x6a, 0x90,
        0x6a, 0xc2, 0xc5, 0xe4, 0xf4, 0x8b, 0x27, 0xa6, 0x3c, 0xe0, 0x8d, 0x80,
        0x39, 0x0a, 0x49, 0x2a, 0xa4, 0x3b, 0xad, 0x9d, 0x88, 0x2c, 0xca, 0xc2,
        0x3d, 0xac, 0x88, 0xbc, 0xad, 0xa4, 0xb4, 0xd4, 0x26, 0xa3, 0x62, 0x08,
        0x3d, 0xab, 0x65, 0x69, 0xc5, 0x4c, 0x22, 0x4d, 0xd2, 0xd8, 0x76, 0x43,
        0xaa, 0x22, 0x76, 0x93, 0xe1, 0x41, 0xad, 0x16, 0x30, 0xce, 0x13, 0x14,
        0x4e
    };
    const unsigned char xcghash[] = {
        0x0e, 0x68, 0x3f, 0xc8, 0xa9, 0xed, 0x7c, 0x2f, 0xf0, 0x2d, 0xef, 0x23,
        0xb2, 0x74, 0x5e, 0xbc, 0x99, 0xb2, 0x67, 0xda, 0xa8, 0x6a, 0x4a, 0xa7,
        0x69, 0x72, 0x39, 0x08, 0x82, 0x53, 0xf6, 0x42
    };
    const unsigned char sessid[] = {
        0x0e, 0x68, 0x3f, 0xc8, 0xa9, 0xed, 0x7c, 0x2f, 0xf0, 0x2d, 0xef, 0x23,
        0xb2, 0x74, 0x5e, 0xbc, 0x99, 0xb2, 0x67, 0xda, 0xa8, 0x6a, 0x4a, 0xa7,
        0x69, 0x72, 0x39, 0x08, 0x82, 0x53, 0xf6, 0x42
    };
    const unsigned char expected[sizeof(out)] = {
        0x41, 0xff, 0x2e, 0xad, 0x16, 0x83, 0xf1, 0xe6
    };

    ret =
        TEST_ptr(kctx = EVP_KDF_CTX_new_id(EVP_KDF_SSHKDF))
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()), 0)
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, key,
                                    sizeof(key)), 0)
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSHKDF_XCGHASH,
                                    xcghash, sizeof(xcghash)), 0)
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID,
                                    sessid, sizeof(sessid)), 0)
        && TEST_int_gt(
                EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSHKDF_TYPE,
                            (int)EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV), 0)
        && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
        && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));

    EVP_KDF_CTX_free(kctx);
    return ret;
}

static int test_kdf_get_kdf(void)
{
    const EVP_KDF *kdf1, *kdf2;
    ASN1_OBJECT *obj;

    return
        TEST_ptr(obj = OBJ_nid2obj(NID_id_pbkdf2))
        && TEST_ptr(kdf1 = EVP_get_kdfbyname(LN_id_pbkdf2))
        && TEST_ptr(kdf2 = EVP_get_kdfbyobj(obj))
        && TEST_ptr_eq(kdf1, kdf2)
        && TEST_ptr(kdf1 = EVP_get_kdfbyname(SN_tls1_prf))
        && TEST_ptr(kdf2 = EVP_get_kdfbyname(LN_tls1_prf))
        && TEST_ptr_eq(kdf1, kdf2)
        && TEST_ptr(kdf2 = EVP_get_kdfbynid(NID_tls1_prf))
        && TEST_ptr_eq(kdf1, kdf2);
}

int setup_tests(void)
{
    ADD_TEST(test_kdf_get_kdf);
    ADD_TEST(test_kdf_tls1_prf);
    ADD_TEST(test_kdf_hkdf);
    ADD_TEST(test_kdf_pbkdf2);
#ifndef OPENSSL_NO_SCRYPT
    ADD_TEST(test_kdf_scrypt);
#endif
    ADD_TEST(test_kdf_ss_hash);
    ADD_TEST(test_kdf_ss_hmac);
    ADD_TEST(test_kdf_ss_kmac);
    ADD_TEST(test_kdf_sshkdf);
    return 1;
}
Commit	Line	Data
5a285add DM	1	/*
	2	* Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved.
	3	* Copyright (c) 2018-2019, Oracle and/or its affiliates. All rights reserved.
	4	*
	5	* Licensed under the Apache License 2.0 (the "License"). You may not use
	6	* this file except in compliance with the License. You can obtain a copy
	7	* in the file LICENSE in the source distribution or at
	8	* https://www.openssl.org/source/license.html
	9	*/
	10
	11	/* Tests of the EVP_KDF_CTX APIs */
	12
	13	#include <stdio.h>
	14	#include <string.h>
	15
	16	#include <openssl/evp.h>
	17	#include <openssl/kdf.h>
	18	#include "testutil.h"
	19
	20	static int test_kdf_tls1_prf(void)
	21	{
a3c62426	22	int ret;
d2ba8123 SL	23	EVP_KDF_CTX *kctx = NULL;
d2ba8123 SL	24	const EVP_KDF *kdf;
5a285add	25	unsigned char out[16];
a3c62426 SL	26	const unsigned char expected[sizeof(out)] = {
	27	0x8e, 0x4d, 0x93, 0x25, 0x30, 0xd7, 0x65, 0xa0,
	28	0xaa, 0xe9, 0x74, 0xc3, 0x04, 0x73, 0x5e, 0xcc
	29	};
5a285add	30
d2ba8123 SL	31	ret =
	32	TEST_ptr(kdf = EVP_get_kdfbyname(SN_tls1_prf))
	33	&& TEST_ptr(kctx = EVP_KDF_CTX_new(kdf))
	34	&& TEST_ptr_eq(EVP_KDF_CTX_kdf(kctx), kdf)
	35	&& TEST_str_eq(EVP_KDF_name(kdf), SN_tls1_prf)
	36	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()), 0)
	37	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_TLS_SECRET,
	38	"secret", (size_t)6), 0)
	39	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_ADD_TLS_SEED, "seed",
	40	(size_t)4), 0)
	41	&& TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
	42	&& TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
5a285add	43
5a285add DM	44	EVP_KDF_CTX_free(kctx);
	45	return ret;
	46	}
	47
	48	static int test_kdf_hkdf(void)
	49	{
a3c62426	50	int ret;
5a285add DM	51	EVP_KDF_CTX *kctx;
5a285add DM	52	unsigned char out[10];
a3c62426 SL	53	const unsigned char expected[sizeof(out)] = {
	54	0x2a, 0xc4, 0x36, 0x9f, 0x52, 0x59, 0x96, 0xf8, 0xde, 0x13
	55	};
5a285add	56
d2ba8123 SL	57	ret =
	58	TEST_ptr(kctx = EVP_KDF_CTX_new_id(EVP_KDF_HKDF))
	59	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()), 0)
	60	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "salt",
	61	(size_t)4), 0)
	62	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, "secret",
	63	(size_t)6), 0)
	64	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_ADD_HKDF_INFO, "label",
	65	(size_t)5), 0)
	66	&& TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
	67	&& TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
5a285add	68
5a285add DM	69	EVP_KDF_CTX_free(kctx);
	70	return ret;
	71	}
	72
	73	static int test_kdf_pbkdf2(void)
	74	{
a3c62426	75	int ret;
5a285add DM	76	EVP_KDF_CTX *kctx;
5a285add DM	77	unsigned char out[32];
a3c62426 SL	78	const unsigned char expected[sizeof(out)] = {
	79	0xae, 0x4d, 0x0c, 0x95, 0xaf, 0x6b, 0x46, 0xd3,
	80	0x2d, 0x0a, 0xdf, 0xf9, 0x28, 0xf0, 0x6d, 0xd0,
	81	0x2a, 0x30, 0x3f, 0x8e, 0xf3, 0xc2, 0x51, 0xdf,
	82	0xd6, 0xe2, 0xd8, 0x5a, 0x95, 0x47, 0x4c, 0x43
	83	};
5a285add	84
d2ba8123 SL	85	ret =
	86	TEST_ptr(kctx = EVP_KDF_CTX_new_id(EVP_KDF_PBKDF2))
	87	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, "password",
	88	(size_t)8), 0)
	89	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "salt",
	90	(size_t)4), 0)
	91	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_ITER, 2), 0)
	92	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()), 0)
	93	&& TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
	94	&& TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
5a285add	95
5a285add DM	96	EVP_KDF_CTX_free(kctx);
	97	return ret;
	98	}
	99
	100	#ifndef OPENSSL_NO_SCRYPT
	101	static int test_kdf_scrypt(void)
	102	{
a3c62426	103	int ret;
5a285add DM	104	EVP_KDF_CTX *kctx;
5a285add DM	105	unsigned char out[64];
a3c62426 SL	106	const unsigned char expected[sizeof(out)] = {
	107	0xfd, 0xba, 0xbe, 0x1c, 0x9d, 0x34, 0x72, 0x00,
	108	0x78, 0x56, 0xe7, 0x19, 0x0d, 0x01, 0xe9, 0xfe,
	109	0x7c, 0x6a, 0xd7, 0xcb, 0xc8, 0x23, 0x78, 0x30,
	110	0xe7, 0x73, 0x76, 0x63, 0x4b, 0x37, 0x31, 0x62,
	111	0x2e, 0xaf, 0x30, 0xd9, 0x2e, 0x22, 0xa3, 0x88,
	112	0x6f, 0xf1, 0x09, 0x27, 0x9d, 0x98, 0x30, 0xda,
	113	0xc7, 0x27, 0xaf, 0xb9, 0x4a, 0x83, 0xee, 0x6d,
	114	0x83, 0x60, 0xcb, 0xdf, 0xa2, 0xcc, 0x06, 0x40
	115	};
5a285add	116
d2ba8123 SL	117	ret =
	118	TEST_ptr(kctx = EVP_KDF_CTX_new_id(EVP_KDF_SCRYPT))
	119	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, "password",
	120	(size_t)8), 0)
	121	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "NaCl",
	122	(size_t)4), 0)
	123	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_N,
	124	(uint64_t)1024), 0)
	125	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_R,
	126	(uint32_t)8), 0)
	127	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_P,
	128	(uint32_t)16), 0)
	129	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MAXMEM_BYTES,
	130	(uint64_t)16), 0)
	131	/* failure test */
	132	&& TEST_int_le(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
	133	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MAXMEM_BYTES,
	134	(uint64_t)(10 * 1024 * 1024)), 0)
	135	&& TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
	136	&& TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
5a285add	137
5a285add DM	138	EVP_KDF_CTX_free(kctx);
	139	return ret;
	140	}
a3c62426	141	#endif /* OPENSSL_NO_SCRYPT */
5a285add	142
9537fe57 SL	143	static int test_kdf_ss_hash(void)
9537fe57 SL	144	{
a3c62426 SL	145	int ret;
a3c62426 SL	146	EVP_KDF_CTX *kctx = NULL;
9537fe57 SL	147	const unsigned char z[] = {
	148	0x6d,0xbd,0xc2,0x3f,0x04,0x54,0x88,0xe4,0x06,0x27,0x57,0xb0,0x6b,0x9e,
	149	0xba,0xe1,0x83,0xfc,0x5a,0x59,0x46,0xd8,0x0d,0xb9,0x3f,0xec,0x6f,0x62,
	150	0xec,0x07,0xe3,0x72,0x7f,0x01,0x26,0xae,0xd1,0x2c,0xe4,0xb2,0x62,0xf4,
	151	0x7d,0x48,0xd5,0x42,0x87,0xf8,0x1d,0x47,0x4c,0x7c,0x3b,0x18,0x50,0xe9
	152	};
	153	const unsigned char other[] = {
	154	0xa1,0xb2,0xc3,0xd4,0xe5,0x43,0x41,0x56,0x53,0x69,0x64,0x3c,0x83,0x2e,
	155	0x98,0x49,0xdc,0xdb,0xa7,0x1e,0x9a,0x31,0x39,0xe6,0x06,0xe0,0x95,0xde,
	156	0x3c,0x26,0x4a,0x66,0xe9,0x8a,0x16,0x58,0x54,0xcd,0x07,0x98,0x9b,0x1e,
	157	0xe0,0xec,0x3f,0x8d,0xbe
	158	};
	159	const unsigned char expected[] = {
	160	0xa4,0x62,0xde,0x16,0xa8,0x9d,0xe8,0x46,0x6e,0xf5,0x46,0x0b,0x47,0xb8
	161	};
	162	unsigned char out[14];
	163
d2ba8123 SL	164	ret =
	165	TEST_ptr(kctx = EVP_KDF_CTX_new_id(EVP_KDF_SS))
	166	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha224()), 0)
	167	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, z, sizeof(z)), 0)
	168	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSKDF_INFO, other,
	169	sizeof(other)), 0)
	170	&& TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
	171	&& TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
9537fe57 SL	172
9537fe57 SL	173	EVP_KDF_CTX_free(kctx);
a3c62426	174	return ret;
9537fe57 SL	175	}
	176
	177	static int test_kdf_ss_hmac(void)
	178	{
a3c62426	179	int ret;
9537fe57 SL	180	EVP_KDF_CTX *kctx;
	181	const EVP_MAC *mac;
	182
	183	const unsigned char z[] = {
	184	0xb7,0x4a,0x14,0x9a,0x16,0x15,0x46,0xf8,0xc2,0x0b,0x06,0xac,0x4e,0xd4
	185	};
	186	const unsigned char other[] = {
	187	0x34,0x8a,0x37,0xa2,0x7e,0xf1,0x28,0x2f,0x5f,0x02,0x0d,0xcc
	188	};
	189	const unsigned char salt[] = {
	190	0x36,0x38,0x27,0x1c,0xcd,0x68,0xa2,0x5d,0xc2,0x4e,0xcd,0xdd,0x39,0xef,
	191	0x3f,0x89
	192	};
	193	const unsigned char expected[] = {
	194	0x44,0xf6,0x76,0xe8,0x5c,0x1b,0x1a,0x8b,0xbc,0x3d,0x31,0x92,0x18,0x63,
	195	0x1c,0xa3
	196	};
	197	unsigned char out[16];
	198
d2ba8123 SL	199	ret =
	200	TEST_ptr(kctx = EVP_KDF_CTX_new_id(EVP_KDF_SS))
	201	&& TEST_ptr(mac = EVP_get_macbyname("HMAC"))
	202	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MAC, mac), 0)
	203	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()), 0)
	204	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, z, sizeof(z)), 0)
	205	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSKDF_INFO, other,
	206	sizeof(other)), 0)
	207	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, salt,
	208	sizeof(salt)), 0)
	209	&& TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
	210	&& TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
9537fe57 SL	211
9537fe57 SL	212	EVP_KDF_CTX_free(kctx);
a3c62426	213	return ret;
9537fe57 SL	214	}
	215
	216	static int test_kdf_ss_kmac(void)
	217	{
a3c62426	218	int ret;
9537fe57 SL	219	EVP_KDF_CTX *kctx;
	220	unsigned char out[64];
	221	const EVP_MAC *mac;
	222
	223	const unsigned char z[] = {
	224	0xb7,0x4a,0x14,0x9a,0x16,0x15,0x46,0xf8,0xc2,0x0b,0x06,0xac,0x4e,0xd4
	225	};
	226	const unsigned char other[] = {
	227	0x34,0x8a,0x37,0xa2,0x7e,0xf1,0x28,0x2f,0x5f,0x02,0x0d,0xcc
	228	};
	229	const unsigned char salt[] = {
	230	0x36,0x38,0x27,0x1c,0xcd,0x68,0xa2,0x5d,0xc2,0x4e,0xcd,0xdd,0x39,0xef,
	231	0x3f,0x89
	232	};
	233	const unsigned char expected[] = {
	234	0xe9,0xc1,0x84,0x53,0xa0,0x62,0xb5,0x3b,0xdb,0xfc,0xbb,0x5a,0x34,0xbd,
	235	0xb8,0xe5,0xe7,0x07,0xee,0xbb,0x5d,0xd1,0x34,0x42,0x43,0xd8,0xcf,0xc2,
	236	0xc2,0xe6,0x33,0x2f,0x91,0xbd,0xa5,0x86,0xf3,0x7d,0xe4,0x8a,0x65,0xd4,
	237	0xc5,0x14,0xfd,0xef,0xaa,0x1e,0x67,0x54,0xf3,0x73,0xd2,0x38,0xe1,0x95,
	238	0xae,0x15,0x7e,0x1d,0xe8,0x14,0x98,0x03
	239	};
	240
d2ba8123 SL	241	ret =
	242	TEST_ptr(kctx = EVP_KDF_CTX_new_id(EVP_KDF_SS))
	243	&& TEST_ptr(mac = EVP_get_macbyname("KMAC128"))
	244	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MAC, mac), 0)
	245	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, z,
	246	sizeof(z)), 0)
	247	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSKDF_INFO, other,
	248	sizeof(other)), 0)
	249	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, salt,
	250	sizeof(salt)), 0)
	251	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MAC_SIZE,
	252	(size_t)20), 0)
	253	&& TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
	254	&& TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
9537fe57 SL	255
9537fe57 SL	256	EVP_KDF_CTX_free(kctx);
a3c62426	257	return ret;
9537fe57 SL	258	}
9537fe57 SL	259
87d9955e SS	260	static int test_kdf_sshkdf(void)
	261	{
	262	int ret;
	263	EVP_KDF_CTX *kctx;
	264	unsigned char out[8];
	265	/* Test data from NIST CAVS 14.1 test vectors */
	266	const unsigned char key[] = {
	267	0x00, 0x00, 0x00, 0x81, 0x00, 0x87, 0x5c, 0x55, 0x1c, 0xef, 0x52, 0x6a,
	268	0x4a, 0x8b, 0xe1, 0xa7, 0xdf, 0x27, 0xe9, 0xed, 0x35, 0x4b, 0xac, 0x9a,
	269	0xfb, 0x71, 0xf5, 0x3d, 0xba, 0xe9, 0x05, 0x67, 0x9d, 0x14, 0xf9, 0xfa,
	270	0xf2, 0x46, 0x9c, 0x53, 0x45, 0x7c, 0xf8, 0x0a, 0x36, 0x6b, 0xe2, 0x78,
	271	0x96, 0x5b, 0xa6, 0x25, 0x52, 0x76, 0xca, 0x2d, 0x9f, 0x4a, 0x97, 0xd2,
	272	0x71, 0xf7, 0x1e, 0x50, 0xd8, 0xa9, 0xec, 0x46, 0x25, 0x3a, 0x6a, 0x90,
	273	0x6a, 0xc2, 0xc5, 0xe4, 0xf4, 0x8b, 0x27, 0xa6, 0x3c, 0xe0, 0x8d, 0x80,
	274	0x39, 0x0a, 0x49, 0x2a, 0xa4, 0x3b, 0xad, 0x9d, 0x88, 0x2c, 0xca, 0xc2,
	275	0x3d, 0xac, 0x88, 0xbc, 0xad, 0xa4, 0xb4, 0xd4, 0x26, 0xa3, 0x62, 0x08,
	276	0x3d, 0xab, 0x65, 0x69, 0xc5, 0x4c, 0x22, 0x4d, 0xd2, 0xd8, 0x76, 0x43,
	277	0xaa, 0x22, 0x76, 0x93, 0xe1, 0x41, 0xad, 0x16, 0x30, 0xce, 0x13, 0x14,
	278	0x4e
	279	};
	280	const unsigned char xcghash[] = {
	281	0x0e, 0x68, 0x3f, 0xc8, 0xa9, 0xed, 0x7c, 0x2f, 0xf0, 0x2d, 0xef, 0x23,
	282	0xb2, 0x74, 0x5e, 0xbc, 0x99, 0xb2, 0x67, 0xda, 0xa8, 0x6a, 0x4a, 0xa7,
	283	0x69, 0x72, 0x39, 0x08, 0x82, 0x53, 0xf6, 0x42
	284	};
	285	const unsigned char sessid[] = {
	286	0x0e, 0x68, 0x3f, 0xc8, 0xa9, 0xed, 0x7c, 0x2f, 0xf0, 0x2d, 0xef, 0x23,
	287	0xb2, 0x74, 0x5e, 0xbc, 0x99, 0xb2, 0x67, 0xda, 0xa8, 0x6a, 0x4a, 0xa7,
	288	0x69, 0x72, 0x39, 0x08, 0x82, 0x53, 0xf6, 0x42
	289	};
	290	const unsigned char expected[sizeof(out)] = {
	291	0x41, 0xff, 0x2e, 0xad, 0x16, 0x83, 0xf1, 0xe6
	292	};
	293
d2ba8123 SL	294	ret =
	295	TEST_ptr(kctx = EVP_KDF_CTX_new_id(EVP_KDF_SSHKDF))
	296	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()), 0)
	297	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, key,
	298	sizeof(key)), 0)
	299	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSHKDF_XCGHASH,
	300	xcghash, sizeof(xcghash)), 0)
	301	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID,
	302	sessid, sizeof(sessid)), 0)
	303	&& TEST_int_gt(
87d9955e	304	EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSHKDF_TYPE,
d2ba8123 SL	305	(int)EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV), 0)
	306	&& TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
	307	&& TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
87d9955e SS	308
	309	EVP_KDF_CTX_free(kctx);
	310	return ret;
	311	}
	312
d2ba8123 SL	313	static int test_kdf_get_kdf(void)
	314	{
	315	const EVP_KDF kdf1, kdf2;
	316	ASN1_OBJECT *obj;
	317
	318	return
	319	TEST_ptr(obj = OBJ_nid2obj(NID_id_pbkdf2))
	320	&& TEST_ptr(kdf1 = EVP_get_kdfbyname(LN_id_pbkdf2))
	321	&& TEST_ptr(kdf2 = EVP_get_kdfbyobj(obj))
	322	&& TEST_ptr_eq(kdf1, kdf2)
	323	&& TEST_ptr(kdf1 = EVP_get_kdfbyname(SN_tls1_prf))
	324	&& TEST_ptr(kdf2 = EVP_get_kdfbyname(LN_tls1_prf))
	325	&& TEST_ptr_eq(kdf1, kdf2)
	326	&& TEST_ptr(kdf2 = EVP_get_kdfbynid(NID_tls1_prf))
	327	&& TEST_ptr_eq(kdf1, kdf2);
	328	}
	329
5a285add DM	330	int setup_tests(void)
5a285add DM	331	{
d2ba8123	332	ADD_TEST(test_kdf_get_kdf);
5a285add DM	333	ADD_TEST(test_kdf_tls1_prf);
	334	ADD_TEST(test_kdf_hkdf);
	335	ADD_TEST(test_kdf_pbkdf2);
	336	#ifndef OPENSSL_NO_SCRYPT
	337	ADD_TEST(test_kdf_scrypt);
	338	#endif
9537fe57 SL	339	ADD_TEST(test_kdf_ss_hash);
	340	ADD_TEST(test_kdf_ss_hmac);
	341	ADD_TEST(test_kdf_ss_kmac);
87d9955e	342	ADD_TEST(test_kdf_sshkdf);
5a285add DM	343	return 1;
5a285add DM	344	}