[thirdparty/openssl.git] / test / evp_kdf_test.c

/*
 * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright (c) 2018-2019, Oracle and/or its affiliates.  All rights reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/* Tests of the EVP_KDF_CTX APIs */

#include <stdio.h>
#include <string.h>

#include <openssl/evp.h>
#include <openssl/kdf.h>
#include "testutil.h"

static int test_kdf_tls1_prf(void)
{
    int ret;
    EVP_KDF_CTX *kctx = NULL;
    const EVP_KDF *kdf;
    unsigned char out[16];
    static const unsigned char expected[sizeof(out)] = {
        0x8e, 0x4d, 0x93, 0x25, 0x30, 0xd7, 0x65, 0xa0,
        0xaa, 0xe9, 0x74, 0xc3, 0x04, 0x73, 0x5e, 0xcc
    };

    ret =
        TEST_ptr(kdf = EVP_get_kdfbyname(SN_tls1_prf))
        && TEST_ptr(kctx = EVP_KDF_CTX_new(kdf))
        && TEST_ptr_eq(EVP_KDF_CTX_kdf(kctx), kdf)
        && TEST_str_eq(EVP_KDF_name(kdf), SN_tls1_prf)
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()), 0)
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_TLS_SECRET,
                                    "secret", (size_t)6), 0)
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_ADD_TLS_SEED, "seed",
                                    (size_t)4), 0)
        && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
        && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));

    EVP_KDF_CTX_free(kctx);
    return ret;
}

static int test_kdf_hkdf(void)
{
    int ret;
    EVP_KDF_CTX *kctx;
    unsigned char out[10];
    static const unsigned char expected[sizeof(out)] = {
        0x2a, 0xc4, 0x36, 0x9f, 0x52, 0x59, 0x96, 0xf8, 0xde, 0x13
    };

    ret =
        TEST_ptr(kctx = EVP_KDF_CTX_new_id(EVP_KDF_HKDF))
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()), 0)
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "salt",
                                    (size_t)4), 0)
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, "secret",
                                    (size_t)6), 0)
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_ADD_HKDF_INFO, "label",
                                    (size_t)5), 0)
        && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
        && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));

    EVP_KDF_CTX_free(kctx);
    return ret;
}

static int test_kdf_pbkdf2(void)
{
    int ret;
    EVP_KDF_CTX *kctx;
    unsigned char out[25];
    size_t len = 0;
    const unsigned char expected[sizeof(out)] = {
        0x34, 0x8c, 0x89, 0xdb, 0xcb, 0xd3, 0x2b, 0x2f,
        0x32, 0xd8, 0x14, 0xb8, 0x11, 0x6e, 0x84, 0xcf,
        0x2b, 0x17, 0x34, 0x7e, 0xbc, 0x18, 0x00, 0x18,
        0x1c
    };

    if (sizeof(len) > 32)
        len = SIZE_MAX;

    ret = TEST_ptr(kctx = EVP_KDF_CTX_new_id(EVP_KDF_PBKDF2))
          && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS,
                                      "passwordPASSWORDpassword",
                                      (size_t)24), 0)
          && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT,
                                      "saltSALTsaltSALTsaltSALTsaltSALTsalt",
                                      (size_t)36), 0)
          && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_ITER, 4096), 0)
          && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()),
                         0)
          && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PBKDF2_PKCS5_MODE,
                                            0), 0)
          && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
          && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected))
          /* A key length that is too small should fail */
          && TEST_int_eq(EVP_KDF_derive(kctx, out, 112 / 8 - 1), 0)
          /* A key length that is too large should fail */
          && (len == 0 || TEST_int_eq(EVP_KDF_derive(kctx, out, len), 0))
          /* Salt length less than 128 bits should fail */
          && TEST_int_eq(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT,
                                      "123456781234567",
                                      (size_t)15), 0)
          /* A small iteration count should fail */
          && TEST_int_eq(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_ITER, 1), 0)
          && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PBKDF2_PKCS5_MODE,
                                      1), 0)
          /* Small salts will pass if the "pkcs5" mode is enabled */
          && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT,
                                      "123456781234567",
                                      (size_t)15), 0)
          /* A small iteration count will pass if "pkcs5" mode is enabled */
          && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_ITER, 1), 0)
          /*
           * If the "pkcs5" mode is disabled then the small salt and iter will
           * fail when the derive gets called.
           */
          && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PBKDF2_PKCS5_MODE,
                                      0), 0)
          && TEST_int_eq(EVP_KDF_derive(kctx, out, sizeof(out)), 0);

    EVP_KDF_CTX_free(kctx);
    return ret;
}

#ifndef OPENSSL_NO_SCRYPT
static int test_kdf_scrypt(void)
{
    int ret;
    EVP_KDF_CTX *kctx;
    unsigned char out[64];
    static const unsigned char expected[sizeof(out)] = {
        0xfd, 0xba, 0xbe, 0x1c, 0x9d, 0x34, 0x72, 0x00,
        0x78, 0x56, 0xe7, 0x19, 0x0d, 0x01, 0xe9, 0xfe,
        0x7c, 0x6a, 0xd7, 0xcb, 0xc8, 0x23, 0x78, 0x30,
        0xe7, 0x73, 0x76, 0x63, 0x4b, 0x37, 0x31, 0x62,
        0x2e, 0xaf, 0x30, 0xd9, 0x2e, 0x22, 0xa3, 0x88,
        0x6f, 0xf1, 0x09, 0x27, 0x9d, 0x98, 0x30, 0xda,
        0xc7, 0x27, 0xaf, 0xb9, 0x4a, 0x83, 0xee, 0x6d,
        0x83, 0x60, 0xcb, 0xdf, 0xa2, 0xcc, 0x06, 0x40
    };

    ret =
        TEST_ptr(kctx = EVP_KDF_CTX_new_id(EVP_KDF_SCRYPT))
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, "password",
                                    (size_t)8), 0)
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "NaCl",
                                    (size_t)4), 0)
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_N,
                                    (uint64_t)1024), 0)
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_R,
                                    (uint32_t)8), 0)
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_P,
                                    (uint32_t)16), 0)
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MAXMEM_BYTES,
                                    (uint64_t)16), 0)
        /* failure test */
        && TEST_int_le(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MAXMEM_BYTES,
                                    (uint64_t)(10 * 1024 * 1024)), 0)
        && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
        && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));

    EVP_KDF_CTX_free(kctx);
    return ret;
}
#endif /* OPENSSL_NO_SCRYPT */

static int test_kdf_ss_hash(void)
{
    int ret;
    EVP_KDF_CTX *kctx = NULL;
    unsigned char out[14];
    static const unsigned char z[] = {
        0x6d,0xbd,0xc2,0x3f,0x04,0x54,0x88,0xe4,0x06,0x27,0x57,0xb0,0x6b,0x9e,
        0xba,0xe1,0x83,0xfc,0x5a,0x59,0x46,0xd8,0x0d,0xb9,0x3f,0xec,0x6f,0x62,
        0xec,0x07,0xe3,0x72,0x7f,0x01,0x26,0xae,0xd1,0x2c,0xe4,0xb2,0x62,0xf4,
        0x7d,0x48,0xd5,0x42,0x87,0xf8,0x1d,0x47,0x4c,0x7c,0x3b,0x18,0x50,0xe9
    };
    static const unsigned char other[] = {
        0xa1,0xb2,0xc3,0xd4,0xe5,0x43,0x41,0x56,0x53,0x69,0x64,0x3c,0x83,0x2e,
        0x98,0x49,0xdc,0xdb,0xa7,0x1e,0x9a,0x31,0x39,0xe6,0x06,0xe0,0x95,0xde,
        0x3c,0x26,0x4a,0x66,0xe9,0x8a,0x16,0x58,0x54,0xcd,0x07,0x98,0x9b,0x1e,
        0xe0,0xec,0x3f,0x8d,0xbe
    };
    static const unsigned char expected[sizeof(out)] = {
        0xa4,0x62,0xde,0x16,0xa8,0x9d,0xe8,0x46,0x6e,0xf5,0x46,0x0b,0x47,0xb8
    };

    ret =
        TEST_ptr(kctx = EVP_KDF_CTX_new_id(EVP_KDF_SS))
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha224()), 0)
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, z, sizeof(z)), 0)
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSKDF_INFO, other,
                                    sizeof(other)), 0)
        && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
        && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));

    EVP_KDF_CTX_free(kctx);
    return ret;
}

static int test_kdf_x963(void)
{
    int ret;
    EVP_KDF_CTX *kctx = NULL;
    unsigned char out[1024 / 8];
    /*
     * Test data from https://csrc.nist.gov/CSRC/media/Projects/
     *  Cryptographic-Algorithm-Validation-Program/documents/components/
     *  800-135testvectors/ansx963_2001.zip
     */
    static const unsigned char z[] = {
        0x00, 0xaa, 0x5b, 0xb7, 0x9b, 0x33, 0xe3, 0x89, 0xfa, 0x58, 0xce, 0xad,
        0xc0, 0x47, 0x19, 0x7f, 0x14, 0xe7, 0x37, 0x12, 0xf4, 0x52, 0xca, 0xa9,
        0xfc, 0x4c, 0x9a, 0xdb, 0x36, 0x93, 0x48, 0xb8, 0x15, 0x07, 0x39, 0x2f,
        0x1a, 0x86, 0xdd, 0xfd, 0xb7, 0xc4, 0xff, 0x82, 0x31, 0xc4, 0xbd, 0x0f,
        0x44, 0xe4, 0x4a, 0x1b, 0x55, 0xb1, 0x40, 0x47, 0x47, 0xa9, 0xe2, 0xe7,
        0x53, 0xf5, 0x5e, 0xf0, 0x5a, 0x2d
    };
    static const unsigned char shared[] = {
        0xe3, 0xb5, 0xb4, 0xc1, 0xb0, 0xd5, 0xcf, 0x1d, 0x2b, 0x3a, 0x2f, 0x99,
        0x37, 0x89, 0x5d, 0x31
    };
    static const unsigned char expected[sizeof(out)] = {
        0x44, 0x63, 0xf8, 0x69, 0xf3, 0xcc, 0x18, 0x76, 0x9b, 0x52, 0x26, 0x4b,
        0x01, 0x12, 0xb5, 0x85, 0x8f, 0x7a, 0xd3, 0x2a, 0x5a, 0x2d, 0x96, 0xd8,
        0xcf, 0xfa, 0xbf, 0x7f, 0xa7, 0x33, 0x63, 0x3d, 0x6e, 0x4d, 0xd2, 0xa5,
        0x99, 0xac, 0xce, 0xb3, 0xea, 0x54, 0xa6, 0x21, 0x7c, 0xe0, 0xb5, 0x0e,
        0xef, 0x4f, 0x6b, 0x40, 0xa5, 0xc3, 0x02, 0x50, 0xa5, 0xa8, 0xee, 0xee,
        0x20, 0x80, 0x02, 0x26, 0x70, 0x89, 0xdb, 0xf3, 0x51, 0xf3, 0xf5, 0x02,
        0x2a, 0xa9, 0x63, 0x8b, 0xf1, 0xee, 0x41, 0x9d, 0xea, 0x9c, 0x4f, 0xf7,
        0x45, 0xa2, 0x5a, 0xc2, 0x7b, 0xda, 0x33, 0xca, 0x08, 0xbd, 0x56, 0xdd,
        0x1a, 0x59, 0xb4, 0x10, 0x6c, 0xf2, 0xdb, 0xbc, 0x0a, 0xb2, 0xaa, 0x8e,
        0x2e, 0xfa, 0x7b, 0x17, 0x90, 0x2d, 0x34, 0x27, 0x69, 0x51, 0xce, 0xcc,
        0xab, 0x87, 0xf9, 0x66, 0x1c, 0x3e, 0x88, 0x16
    };

    ret =
        TEST_ptr(kctx = EVP_KDF_CTX_new_id(EVP_KDF_X963))
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha512()), 0)
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, z, sizeof(z)), 0)
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SHARED_INFO, shared,
                                    sizeof(shared)), 0)
        && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
        && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));

    EVP_KDF_CTX_free(kctx);
    return ret;
}

static int test_kdf_ss_hmac(void)
{
    int ret;
    EVP_KDF_CTX *kctx;
    const EVP_MAC *mac;
    unsigned char out[16];
    static const unsigned char z[] = {
        0xb7,0x4a,0x14,0x9a,0x16,0x15,0x46,0xf8,0xc2,0x0b,0x06,0xac,0x4e,0xd4
    };
    static const unsigned char other[] = {
        0x34,0x8a,0x37,0xa2,0x7e,0xf1,0x28,0x2f,0x5f,0x02,0x0d,0xcc
    };
    static const unsigned char salt[] = {
        0x36,0x38,0x27,0x1c,0xcd,0x68,0xa2,0x5d,0xc2,0x4e,0xcd,0xdd,0x39,0xef,
        0x3f,0x89
    };
    static const unsigned char expected[sizeof(out)] = {
        0x44,0xf6,0x76,0xe8,0x5c,0x1b,0x1a,0x8b,0xbc,0x3d,0x31,0x92,0x18,0x63,
        0x1c,0xa3
    };

    ret =
        TEST_ptr(kctx = EVP_KDF_CTX_new_id(EVP_KDF_SS))
        && TEST_ptr(mac = EVP_get_macbyname("HMAC"))
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MAC, mac), 0)
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD,  EVP_sha256()), 0)
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, z, sizeof(z)), 0)
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSKDF_INFO, other,
                                    sizeof(other)), 0)
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, salt,
                                    sizeof(salt)), 0)
        && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
        && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));

    EVP_KDF_CTX_free(kctx);
    return ret;
}

static int test_kdf_ss_kmac(void)
{
    int ret;
    EVP_KDF_CTX *kctx;
    unsigned char out[64];
    const EVP_MAC *mac;
    static const unsigned char z[] = {
        0xb7,0x4a,0x14,0x9a,0x16,0x15,0x46,0xf8,0xc2,0x0b,0x06,0xac,0x4e,0xd4
    };
    static const unsigned char other[] = {
        0x34,0x8a,0x37,0xa2,0x7e,0xf1,0x28,0x2f,0x5f,0x02,0x0d,0xcc
    };
    static const unsigned char salt[] = {
        0x36,0x38,0x27,0x1c,0xcd,0x68,0xa2,0x5d,0xc2,0x4e,0xcd,0xdd,0x39,0xef,
        0x3f,0x89
    };
    static const unsigned char expected[sizeof(out)] = {
        0xe9,0xc1,0x84,0x53,0xa0,0x62,0xb5,0x3b,0xdb,0xfc,0xbb,0x5a,0x34,0xbd,
        0xb8,0xe5,0xe7,0x07,0xee,0xbb,0x5d,0xd1,0x34,0x42,0x43,0xd8,0xcf,0xc2,
        0xc2,0xe6,0x33,0x2f,0x91,0xbd,0xa5,0x86,0xf3,0x7d,0xe4,0x8a,0x65,0xd4,
        0xc5,0x14,0xfd,0xef,0xaa,0x1e,0x67,0x54,0xf3,0x73,0xd2,0x38,0xe1,0x95,
        0xae,0x15,0x7e,0x1d,0xe8,0x14,0x98,0x03
    };

    ret =
        TEST_ptr(kctx = EVP_KDF_CTX_new_id(EVP_KDF_SS))
        && TEST_ptr(mac = EVP_get_macbyname("KMAC128"))
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MAC, mac), 0)
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, z,
                                    sizeof(z)), 0)
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSKDF_INFO, other,
                                    sizeof(other)), 0)
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, salt,
                                    sizeof(salt)), 0)
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MAC_SIZE,
                                    (size_t)20), 0)
        && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
        && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));

    EVP_KDF_CTX_free(kctx);
    return ret;
}

static int test_kdf_sshkdf(void)
{
    int ret;
    EVP_KDF_CTX *kctx;
    unsigned char out[8];
    /* Test data from NIST CAVS 14.1 test vectors */
    static const unsigned char key[] = {
        0x00, 0x00, 0x00, 0x81, 0x00, 0x87, 0x5c, 0x55, 0x1c, 0xef, 0x52, 0x6a,
        0x4a, 0x8b, 0xe1, 0xa7, 0xdf, 0x27, 0xe9, 0xed, 0x35, 0x4b, 0xac, 0x9a,
        0xfb, 0x71, 0xf5, 0x3d, 0xba, 0xe9, 0x05, 0x67, 0x9d, 0x14, 0xf9, 0xfa,
        0xf2, 0x46, 0x9c, 0x53, 0x45, 0x7c, 0xf8, 0x0a, 0x36, 0x6b, 0xe2, 0x78,
        0x96, 0x5b, 0xa6, 0x25, 0x52, 0x76, 0xca, 0x2d, 0x9f, 0x4a, 0x97, 0xd2,
        0x71, 0xf7, 0x1e, 0x50, 0xd8, 0xa9, 0xec, 0x46, 0x25, 0x3a, 0x6a, 0x90,
        0x6a, 0xc2, 0xc5, 0xe4, 0xf4, 0x8b, 0x27, 0xa6, 0x3c, 0xe0, 0x8d, 0x80,
        0x39, 0x0a, 0x49, 0x2a, 0xa4, 0x3b, 0xad, 0x9d, 0x88, 0x2c, 0xca, 0xc2,
        0x3d, 0xac, 0x88, 0xbc, 0xad, 0xa4, 0xb4, 0xd4, 0x26, 0xa3, 0x62, 0x08,
        0x3d, 0xab, 0x65, 0x69, 0xc5, 0x4c, 0x22, 0x4d, 0xd2, 0xd8, 0x76, 0x43,
        0xaa, 0x22, 0x76, 0x93, 0xe1, 0x41, 0xad, 0x16, 0x30, 0xce, 0x13, 0x14,
        0x4e
    };
    static const unsigned char xcghash[] = {
        0x0e, 0x68, 0x3f, 0xc8, 0xa9, 0xed, 0x7c, 0x2f, 0xf0, 0x2d, 0xef, 0x23,
        0xb2, 0x74, 0x5e, 0xbc, 0x99, 0xb2, 0x67, 0xda, 0xa8, 0x6a, 0x4a, 0xa7,
        0x69, 0x72, 0x39, 0x08, 0x82, 0x53, 0xf6, 0x42
    };
    static const unsigned char sessid[] = {
        0x0e, 0x68, 0x3f, 0xc8, 0xa9, 0xed, 0x7c, 0x2f, 0xf0, 0x2d, 0xef, 0x23,
        0xb2, 0x74, 0x5e, 0xbc, 0x99, 0xb2, 0x67, 0xda, 0xa8, 0x6a, 0x4a, 0xa7,
        0x69, 0x72, 0x39, 0x08, 0x82, 0x53, 0xf6, 0x42
    };
    static const unsigned char expected[sizeof(out)] = {
        0x41, 0xff, 0x2e, 0xad, 0x16, 0x83, 0xf1, 0xe6
    };

    ret =
        TEST_ptr(kctx = EVP_KDF_CTX_new_id(EVP_KDF_SSHKDF))
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()), 0)
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, key,
                                    sizeof(key)), 0)
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSHKDF_XCGHASH,
                                    xcghash, sizeof(xcghash)), 0)
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID,
                                    sessid, sizeof(sessid)), 0)
        && TEST_int_gt(
                EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSHKDF_TYPE,
                            (int)EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV), 0)
        && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
        && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));

    EVP_KDF_CTX_free(kctx);
    return ret;
}

static int test_kdf_get_kdf(void)
{
    const EVP_KDF *kdf1, *kdf2;
    ASN1_OBJECT *obj;

    return
        TEST_ptr(obj = OBJ_nid2obj(NID_id_pbkdf2))
        && TEST_ptr(kdf1 = EVP_get_kdfbyname(LN_id_pbkdf2))
        && TEST_ptr(kdf2 = EVP_get_kdfbyobj(obj))
        && TEST_ptr_eq(kdf1, kdf2)
        && TEST_ptr(kdf1 = EVP_get_kdfbyname(SN_tls1_prf))
        && TEST_ptr(kdf2 = EVP_get_kdfbyname(LN_tls1_prf))
        && TEST_ptr_eq(kdf1, kdf2)
        && TEST_ptr(kdf2 = EVP_get_kdfbynid(NID_tls1_prf))
        && TEST_ptr_eq(kdf1, kdf2);
}

#ifndef OPENSSL_NO_CMS
static int test_kdf_x942_asn1(void)
{
    int ret;
    EVP_KDF_CTX *kctx = NULL;
    unsigned char out[24];
    /* RFC2631 Section 2.1.6 Test data */
    static const unsigned char z[] = {
        0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,
        0x0e,0x0f,0x10,0x11,0x12,0x13
    };
    static const unsigned char expected[sizeof(out)] = {
        0xa0,0x96,0x61,0x39,0x23,0x76,0xf7,0x04,
        0x4d,0x90,0x52,0xa3,0x97,0x88,0x32,0x46,
        0xb6,0x7f,0x5f,0x1e,0xf6,0x3e,0xb5,0xfb
    };

    ret =
        TEST_ptr(kctx = EVP_KDF_CTX_new_id(EVP_KDF_X942))
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha1()), 0)
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, z, sizeof(z)), 0)
        && TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_CEK_ALG,
                                    SN_id_smime_alg_CMS3DESwrap), 0)
        && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
        && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));

    EVP_KDF_CTX_free(kctx);
    return ret;
}
#endif /* OPENSSL_NO_CMS */

int setup_tests(void)
{
    ADD_TEST(test_kdf_get_kdf);
    ADD_TEST(test_kdf_tls1_prf);
    ADD_TEST(test_kdf_hkdf);
    ADD_TEST(test_kdf_pbkdf2);
#ifndef OPENSSL_NO_SCRYPT
    ADD_TEST(test_kdf_scrypt);
#endif
    ADD_TEST(test_kdf_ss_hash);
    ADD_TEST(test_kdf_ss_hmac);
    ADD_TEST(test_kdf_ss_kmac);
    ADD_TEST(test_kdf_sshkdf);
    ADD_TEST(test_kdf_x963);
#ifndef OPENSSL_NO_CMS
    ADD_TEST(test_kdf_x942_asn1);
#endif
    return 1;
}
Commit	Line	Data
5a285add DM	1	/*
	2	* Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved.
	3	* Copyright (c) 2018-2019, Oracle and/or its affiliates. All rights reserved.
	4	*
	5	* Licensed under the Apache License 2.0 (the "License"). You may not use
	6	* this file except in compliance with the License. You can obtain a copy
	7	* in the file LICENSE in the source distribution or at
	8	* https://www.openssl.org/source/license.html
	9	*/
	10
	11	/* Tests of the EVP_KDF_CTX APIs */
	12
	13	#include <stdio.h>
	14	#include <string.h>
	15
	16	#include <openssl/evp.h>
	17	#include <openssl/kdf.h>
	18	#include "testutil.h"
	19
	20	static int test_kdf_tls1_prf(void)
	21	{
a3c62426	22	int ret;
d2ba8123 SL	23	EVP_KDF_CTX *kctx = NULL;
d2ba8123 SL	24	const EVP_KDF *kdf;
5a285add	25	unsigned char out[16];
8bbeaaa4	26	static const unsigned char expected[sizeof(out)] = {
a3c62426 SL	27	0x8e, 0x4d, 0x93, 0x25, 0x30, 0xd7, 0x65, 0xa0,
	28	0xaa, 0xe9, 0x74, 0xc3, 0x04, 0x73, 0x5e, 0xcc
	29	};
5a285add	30
d2ba8123 SL	31	ret =
	32	TEST_ptr(kdf = EVP_get_kdfbyname(SN_tls1_prf))
	33	&& TEST_ptr(kctx = EVP_KDF_CTX_new(kdf))
	34	&& TEST_ptr_eq(EVP_KDF_CTX_kdf(kctx), kdf)
	35	&& TEST_str_eq(EVP_KDF_name(kdf), SN_tls1_prf)
	36	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()), 0)
	37	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_TLS_SECRET,
	38	"secret", (size_t)6), 0)
	39	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_ADD_TLS_SEED, "seed",
	40	(size_t)4), 0)
	41	&& TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
	42	&& TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
5a285add	43
5a285add DM	44	EVP_KDF_CTX_free(kctx);
	45	return ret;
	46	}
	47
	48	static int test_kdf_hkdf(void)
	49	{
a3c62426	50	int ret;
5a285add DM	51	EVP_KDF_CTX *kctx;
5a285add DM	52	unsigned char out[10];
8bbeaaa4	53	static const unsigned char expected[sizeof(out)] = {
a3c62426 SL	54	0x2a, 0xc4, 0x36, 0x9f, 0x52, 0x59, 0x96, 0xf8, 0xde, 0x13
a3c62426 SL	55	};
5a285add	56
d2ba8123 SL	57	ret =
	58	TEST_ptr(kctx = EVP_KDF_CTX_new_id(EVP_KDF_HKDF))
	59	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()), 0)
	60	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "salt",
	61	(size_t)4), 0)
	62	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, "secret",
	63	(size_t)6), 0)
	64	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_ADD_HKDF_INFO, "label",
	65	(size_t)5), 0)
	66	&& TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
	67	&& TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
5a285add	68
5a285add DM	69	EVP_KDF_CTX_free(kctx);
	70	return ret;
	71	}
	72
	73	static int test_kdf_pbkdf2(void)
	74	{
a3c62426	75	int ret;
5a285add	76	EVP_KDF_CTX *kctx;
f0efeea2 SL	77	unsigned char out[25];
	78	size_t len = 0;
	79	const unsigned char expected[sizeof(out)] = {
	80	0x34, 0x8c, 0x89, 0xdb, 0xcb, 0xd3, 0x2b, 0x2f,
	81	0x32, 0xd8, 0x14, 0xb8, 0x11, 0x6e, 0x84, 0xcf,
	82	0x2b, 0x17, 0x34, 0x7e, 0xbc, 0x18, 0x00, 0x18,
	83	0x1c
a3c62426	84	};
5a285add	85
f0efeea2 SL	86	if (sizeof(len) > 32)
	87	len = SIZE_MAX;
	88
	89	ret = TEST_ptr(kctx = EVP_KDF_CTX_new_id(EVP_KDF_PBKDF2))
	90	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS,
	91	"passwordPASSWORDpassword",
	92	(size_t)24), 0)
	93	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT,
	94	"saltSALTsaltSALTsaltSALTsaltSALTsalt",
	95	(size_t)36), 0)
	96	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_ITER, 4096), 0)
	97	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()),
	98	0)
	99	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PBKDF2_PKCS5_MODE,
	100	0), 0)
	101	&& TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
	102	&& TEST_mem_eq(out, sizeof(out), expected, sizeof(expected))
	103	/* A key length that is too small should fail */
	104	&& TEST_int_eq(EVP_KDF_derive(kctx, out, 112 / 8 - 1), 0)
	105	/* A key length that is too large should fail */
	106	&& (len == 0 \|\| TEST_int_eq(EVP_KDF_derive(kctx, out, len), 0))
	107	/* Salt length less than 128 bits should fail */
	108	&& TEST_int_eq(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT,
	109	"123456781234567",
	110	(size_t)15), 0)
	111	/* A small iteration count should fail */
	112	&& TEST_int_eq(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_ITER, 1), 0)
	113	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PBKDF2_PKCS5_MODE,
	114	1), 0)
	115	/* Small salts will pass if the "pkcs5" mode is enabled */
	116	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT,
	117	"123456781234567",
	118	(size_t)15), 0)
	119	/* A small iteration count will pass if "pkcs5" mode is enabled */
	120	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_ITER, 1), 0)
	121	/*
	122	* If the "pkcs5" mode is disabled then the small salt and iter will
	123	* fail when the derive gets called.
	124	*/
	125	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PBKDF2_PKCS5_MODE,
	126	0), 0)
	127	&& TEST_int_eq(EVP_KDF_derive(kctx, out, sizeof(out)), 0);
5a285add	128
5a285add DM	129	EVP_KDF_CTX_free(kctx);
	130	return ret;
	131	}
	132
	133	#ifndef OPENSSL_NO_SCRYPT
	134	static int test_kdf_scrypt(void)
	135	{
a3c62426	136	int ret;
5a285add DM	137	EVP_KDF_CTX *kctx;
5a285add DM	138	unsigned char out[64];
8bbeaaa4	139	static const unsigned char expected[sizeof(out)] = {
a3c62426 SL	140	0xfd, 0xba, 0xbe, 0x1c, 0x9d, 0x34, 0x72, 0x00,
	141	0x78, 0x56, 0xe7, 0x19, 0x0d, 0x01, 0xe9, 0xfe,
	142	0x7c, 0x6a, 0xd7, 0xcb, 0xc8, 0x23, 0x78, 0x30,
	143	0xe7, 0x73, 0x76, 0x63, 0x4b, 0x37, 0x31, 0x62,
	144	0x2e, 0xaf, 0x30, 0xd9, 0x2e, 0x22, 0xa3, 0x88,
	145	0x6f, 0xf1, 0x09, 0x27, 0x9d, 0x98, 0x30, 0xda,
	146	0xc7, 0x27, 0xaf, 0xb9, 0x4a, 0x83, 0xee, 0x6d,
	147	0x83, 0x60, 0xcb, 0xdf, 0xa2, 0xcc, 0x06, 0x40
	148	};
5a285add	149
d2ba8123 SL	150	ret =
	151	TEST_ptr(kctx = EVP_KDF_CTX_new_id(EVP_KDF_SCRYPT))
	152	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, "password",
	153	(size_t)8), 0)
	154	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "NaCl",
	155	(size_t)4), 0)
	156	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_N,
	157	(uint64_t)1024), 0)
	158	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_R,
	159	(uint32_t)8), 0)
	160	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_P,
	161	(uint32_t)16), 0)
	162	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MAXMEM_BYTES,
	163	(uint64_t)16), 0)
	164	/* failure test */
	165	&& TEST_int_le(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
	166	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MAXMEM_BYTES,
	167	(uint64_t)(10 * 1024 * 1024)), 0)
	168	&& TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
	169	&& TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
5a285add	170
5a285add DM	171	EVP_KDF_CTX_free(kctx);
	172	return ret;
	173	}
a3c62426	174	#endif /* OPENSSL_NO_SCRYPT */
5a285add	175
9537fe57 SL	176	static int test_kdf_ss_hash(void)
9537fe57 SL	177	{
a3c62426 SL	178	int ret;
a3c62426 SL	179	EVP_KDF_CTX *kctx = NULL;
8bbeaaa4 SL	180	unsigned char out[14];
8bbeaaa4 SL	181	static const unsigned char z[] = {
9537fe57 SL	182	0x6d,0xbd,0xc2,0x3f,0x04,0x54,0x88,0xe4,0x06,0x27,0x57,0xb0,0x6b,0x9e,
	183	0xba,0xe1,0x83,0xfc,0x5a,0x59,0x46,0xd8,0x0d,0xb9,0x3f,0xec,0x6f,0x62,
	184	0xec,0x07,0xe3,0x72,0x7f,0x01,0x26,0xae,0xd1,0x2c,0xe4,0xb2,0x62,0xf4,
	185	0x7d,0x48,0xd5,0x42,0x87,0xf8,0x1d,0x47,0x4c,0x7c,0x3b,0x18,0x50,0xe9
	186	};
8bbeaaa4	187	static const unsigned char other[] = {
9537fe57 SL	188	0xa1,0xb2,0xc3,0xd4,0xe5,0x43,0x41,0x56,0x53,0x69,0x64,0x3c,0x83,0x2e,
	189	0x98,0x49,0xdc,0xdb,0xa7,0x1e,0x9a,0x31,0x39,0xe6,0x06,0xe0,0x95,0xde,
	190	0x3c,0x26,0x4a,0x66,0xe9,0x8a,0x16,0x58,0x54,0xcd,0x07,0x98,0x9b,0x1e,
	191	0xe0,0xec,0x3f,0x8d,0xbe
	192	};
8bbeaaa4	193	static const unsigned char expected[sizeof(out)] = {
9537fe57 SL	194	0xa4,0x62,0xde,0x16,0xa8,0x9d,0xe8,0x46,0x6e,0xf5,0x46,0x0b,0x47,0xb8
9537fe57 SL	195	};
9537fe57	196
d2ba8123 SL	197	ret =
	198	TEST_ptr(kctx = EVP_KDF_CTX_new_id(EVP_KDF_SS))
	199	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha224()), 0)
	200	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, z, sizeof(z)), 0)
	201	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSKDF_INFO, other,
	202	sizeof(other)), 0)
	203	&& TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
	204	&& TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
9537fe57 SL	205
9537fe57 SL	206	EVP_KDF_CTX_free(kctx);
a3c62426	207	return ret;
9537fe57 SL	208	}
9537fe57 SL	209
8bbeaaa4 SL	210	static int test_kdf_x963(void)
	211	{
	212	int ret;
	213	EVP_KDF_CTX *kctx = NULL;
	214	unsigned char out[1024 / 8];
	215	/*
	216	* Test data from https://csrc.nist.gov/CSRC/media/Projects/
	217	* Cryptographic-Algorithm-Validation-Program/documents/components/
	218	* 800-135testvectors/ansx963_2001.zip
	219	*/
	220	static const unsigned char z[] = {
	221	0x00, 0xaa, 0x5b, 0xb7, 0x9b, 0x33, 0xe3, 0x89, 0xfa, 0x58, 0xce, 0xad,
	222	0xc0, 0x47, 0x19, 0x7f, 0x14, 0xe7, 0x37, 0x12, 0xf4, 0x52, 0xca, 0xa9,
	223	0xfc, 0x4c, 0x9a, 0xdb, 0x36, 0x93, 0x48, 0xb8, 0x15, 0x07, 0x39, 0x2f,
	224	0x1a, 0x86, 0xdd, 0xfd, 0xb7, 0xc4, 0xff, 0x82, 0x31, 0xc4, 0xbd, 0x0f,
	225	0x44, 0xe4, 0x4a, 0x1b, 0x55, 0xb1, 0x40, 0x47, 0x47, 0xa9, 0xe2, 0xe7,
	226	0x53, 0xf5, 0x5e, 0xf0, 0x5a, 0x2d
	227	};
	228	static const unsigned char shared[] = {
	229	0xe3, 0xb5, 0xb4, 0xc1, 0xb0, 0xd5, 0xcf, 0x1d, 0x2b, 0x3a, 0x2f, 0x99,
	230	0x37, 0x89, 0x5d, 0x31
	231	};
	232	static const unsigned char expected[sizeof(out)] = {
	233	0x44, 0x63, 0xf8, 0x69, 0xf3, 0xcc, 0x18, 0x76, 0x9b, 0x52, 0x26, 0x4b,
	234	0x01, 0x12, 0xb5, 0x85, 0x8f, 0x7a, 0xd3, 0x2a, 0x5a, 0x2d, 0x96, 0xd8,
	235	0xcf, 0xfa, 0xbf, 0x7f, 0xa7, 0x33, 0x63, 0x3d, 0x6e, 0x4d, 0xd2, 0xa5,
	236	0x99, 0xac, 0xce, 0xb3, 0xea, 0x54, 0xa6, 0x21, 0x7c, 0xe0, 0xb5, 0x0e,
	237	0xef, 0x4f, 0x6b, 0x40, 0xa5, 0xc3, 0x02, 0x50, 0xa5, 0xa8, 0xee, 0xee,
	238	0x20, 0x80, 0x02, 0x26, 0x70, 0x89, 0xdb, 0xf3, 0x51, 0xf3, 0xf5, 0x02,
	239	0x2a, 0xa9, 0x63, 0x8b, 0xf1, 0xee, 0x41, 0x9d, 0xea, 0x9c, 0x4f, 0xf7,
	240	0x45, 0xa2, 0x5a, 0xc2, 0x7b, 0xda, 0x33, 0xca, 0x08, 0xbd, 0x56, 0xdd,
	241	0x1a, 0x59, 0xb4, 0x10, 0x6c, 0xf2, 0xdb, 0xbc, 0x0a, 0xb2, 0xaa, 0x8e,
	242	0x2e, 0xfa, 0x7b, 0x17, 0x90, 0x2d, 0x34, 0x27, 0x69, 0x51, 0xce, 0xcc,
	243	0xab, 0x87, 0xf9, 0x66, 0x1c, 0x3e, 0x88, 0x16
	244	};
	245
	246	ret =
	247	TEST_ptr(kctx = EVP_KDF_CTX_new_id(EVP_KDF_X963))
	248	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha512()), 0)
	249	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, z, sizeof(z)), 0)
	250	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SHARED_INFO, shared,
	251	sizeof(shared)), 0)
	252	&& TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
	253	&& TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
	254
	255	EVP_KDF_CTX_free(kctx);
	256	return ret;
	257	}
	258
9537fe57 SL	259	static int test_kdf_ss_hmac(void)
9537fe57 SL	260	{
a3c62426	261	int ret;
9537fe57 SL	262	EVP_KDF_CTX *kctx;
9537fe57 SL	263	const EVP_MAC *mac;
8bbeaaa4 SL	264	unsigned char out[16];
8bbeaaa4 SL	265	static const unsigned char z[] = {
9537fe57 SL	266	0xb7,0x4a,0x14,0x9a,0x16,0x15,0x46,0xf8,0xc2,0x0b,0x06,0xac,0x4e,0xd4
9537fe57 SL	267	};
8bbeaaa4	268	static const unsigned char other[] = {
9537fe57 SL	269	0x34,0x8a,0x37,0xa2,0x7e,0xf1,0x28,0x2f,0x5f,0x02,0x0d,0xcc
9537fe57 SL	270	};
8bbeaaa4	271	static const unsigned char salt[] = {
9537fe57 SL	272	0x36,0x38,0x27,0x1c,0xcd,0x68,0xa2,0x5d,0xc2,0x4e,0xcd,0xdd,0x39,0xef,
	273	0x3f,0x89
	274	};
8bbeaaa4	275	static const unsigned char expected[sizeof(out)] = {
9537fe57 SL	276	0x44,0xf6,0x76,0xe8,0x5c,0x1b,0x1a,0x8b,0xbc,0x3d,0x31,0x92,0x18,0x63,
	277	0x1c,0xa3
	278	};
9537fe57	279
d2ba8123 SL	280	ret =
	281	TEST_ptr(kctx = EVP_KDF_CTX_new_id(EVP_KDF_SS))
	282	&& TEST_ptr(mac = EVP_get_macbyname("HMAC"))
	283	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MAC, mac), 0)
	284	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()), 0)
	285	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, z, sizeof(z)), 0)
	286	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSKDF_INFO, other,
	287	sizeof(other)), 0)
	288	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, salt,
	289	sizeof(salt)), 0)
	290	&& TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
	291	&& TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
9537fe57 SL	292
9537fe57 SL	293	EVP_KDF_CTX_free(kctx);
a3c62426	294	return ret;
9537fe57 SL	295	}
	296
	297	static int test_kdf_ss_kmac(void)
	298	{
a3c62426	299	int ret;
9537fe57 SL	300	EVP_KDF_CTX *kctx;
	301	unsigned char out[64];
	302	const EVP_MAC *mac;
8bbeaaa4	303	static const unsigned char z[] = {
9537fe57 SL	304	0xb7,0x4a,0x14,0x9a,0x16,0x15,0x46,0xf8,0xc2,0x0b,0x06,0xac,0x4e,0xd4
9537fe57 SL	305	};
8bbeaaa4	306	static const unsigned char other[] = {
9537fe57 SL	307	0x34,0x8a,0x37,0xa2,0x7e,0xf1,0x28,0x2f,0x5f,0x02,0x0d,0xcc
9537fe57 SL	308	};
8bbeaaa4	309	static const unsigned char salt[] = {
9537fe57 SL	310	0x36,0x38,0x27,0x1c,0xcd,0x68,0xa2,0x5d,0xc2,0x4e,0xcd,0xdd,0x39,0xef,
	311	0x3f,0x89
	312	};
8bbeaaa4	313	static const unsigned char expected[sizeof(out)] = {
9537fe57 SL	314	0xe9,0xc1,0x84,0x53,0xa0,0x62,0xb5,0x3b,0xdb,0xfc,0xbb,0x5a,0x34,0xbd,
	315	0xb8,0xe5,0xe7,0x07,0xee,0xbb,0x5d,0xd1,0x34,0x42,0x43,0xd8,0xcf,0xc2,
	316	0xc2,0xe6,0x33,0x2f,0x91,0xbd,0xa5,0x86,0xf3,0x7d,0xe4,0x8a,0x65,0xd4,
	317	0xc5,0x14,0xfd,0xef,0xaa,0x1e,0x67,0x54,0xf3,0x73,0xd2,0x38,0xe1,0x95,
	318	0xae,0x15,0x7e,0x1d,0xe8,0x14,0x98,0x03
	319	};
	320
d2ba8123 SL	321	ret =
	322	TEST_ptr(kctx = EVP_KDF_CTX_new_id(EVP_KDF_SS))
	323	&& TEST_ptr(mac = EVP_get_macbyname("KMAC128"))
	324	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MAC, mac), 0)
	325	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, z,
	326	sizeof(z)), 0)
	327	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSKDF_INFO, other,
	328	sizeof(other)), 0)
	329	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, salt,
	330	sizeof(salt)), 0)
	331	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MAC_SIZE,
	332	(size_t)20), 0)
	333	&& TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
	334	&& TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
9537fe57 SL	335
9537fe57 SL	336	EVP_KDF_CTX_free(kctx);
a3c62426	337	return ret;
9537fe57 SL	338	}
9537fe57 SL	339
87d9955e SS	340	static int test_kdf_sshkdf(void)
	341	{
	342	int ret;
	343	EVP_KDF_CTX *kctx;
	344	unsigned char out[8];
	345	/* Test data from NIST CAVS 14.1 test vectors */
8bbeaaa4	346	static const unsigned char key[] = {
87d9955e SS	347	0x00, 0x00, 0x00, 0x81, 0x00, 0x87, 0x5c, 0x55, 0x1c, 0xef, 0x52, 0x6a,
	348	0x4a, 0x8b, 0xe1, 0xa7, 0xdf, 0x27, 0xe9, 0xed, 0x35, 0x4b, 0xac, 0x9a,
	349	0xfb, 0x71, 0xf5, 0x3d, 0xba, 0xe9, 0x05, 0x67, 0x9d, 0x14, 0xf9, 0xfa,
	350	0xf2, 0x46, 0x9c, 0x53, 0x45, 0x7c, 0xf8, 0x0a, 0x36, 0x6b, 0xe2, 0x78,
	351	0x96, 0x5b, 0xa6, 0x25, 0x52, 0x76, 0xca, 0x2d, 0x9f, 0x4a, 0x97, 0xd2,
	352	0x71, 0xf7, 0x1e, 0x50, 0xd8, 0xa9, 0xec, 0x46, 0x25, 0x3a, 0x6a, 0x90,
	353	0x6a, 0xc2, 0xc5, 0xe4, 0xf4, 0x8b, 0x27, 0xa6, 0x3c, 0xe0, 0x8d, 0x80,
	354	0x39, 0x0a, 0x49, 0x2a, 0xa4, 0x3b, 0xad, 0x9d, 0x88, 0x2c, 0xca, 0xc2,
	355	0x3d, 0xac, 0x88, 0xbc, 0xad, 0xa4, 0xb4, 0xd4, 0x26, 0xa3, 0x62, 0x08,
	356	0x3d, 0xab, 0x65, 0x69, 0xc5, 0x4c, 0x22, 0x4d, 0xd2, 0xd8, 0x76, 0x43,
	357	0xaa, 0x22, 0x76, 0x93, 0xe1, 0x41, 0xad, 0x16, 0x30, 0xce, 0x13, 0x14,
	358	0x4e
	359	};
8bbeaaa4	360	static const unsigned char xcghash[] = {
87d9955e SS	361	0x0e, 0x68, 0x3f, 0xc8, 0xa9, 0xed, 0x7c, 0x2f, 0xf0, 0x2d, 0xef, 0x23,
	362	0xb2, 0x74, 0x5e, 0xbc, 0x99, 0xb2, 0x67, 0xda, 0xa8, 0x6a, 0x4a, 0xa7,
	363	0x69, 0x72, 0x39, 0x08, 0x82, 0x53, 0xf6, 0x42
	364	};
8bbeaaa4	365	static const unsigned char sessid[] = {
87d9955e SS	366	0x0e, 0x68, 0x3f, 0xc8, 0xa9, 0xed, 0x7c, 0x2f, 0xf0, 0x2d, 0xef, 0x23,
	367	0xb2, 0x74, 0x5e, 0xbc, 0x99, 0xb2, 0x67, 0xda, 0xa8, 0x6a, 0x4a, 0xa7,
	368	0x69, 0x72, 0x39, 0x08, 0x82, 0x53, 0xf6, 0x42
	369	};
8bbeaaa4	370	static const unsigned char expected[sizeof(out)] = {
87d9955e SS	371	0x41, 0xff, 0x2e, 0xad, 0x16, 0x83, 0xf1, 0xe6
	372	};
	373
d2ba8123 SL	374	ret =
	375	TEST_ptr(kctx = EVP_KDF_CTX_new_id(EVP_KDF_SSHKDF))
	376	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()), 0)
	377	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, key,
	378	sizeof(key)), 0)
	379	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSHKDF_XCGHASH,
	380	xcghash, sizeof(xcghash)), 0)
	381	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID,
	382	sessid, sizeof(sessid)), 0)
	383	&& TEST_int_gt(
87d9955e	384	EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSHKDF_TYPE,
d2ba8123 SL	385	(int)EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV), 0)
	386	&& TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
	387	&& TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
87d9955e SS	388
	389	EVP_KDF_CTX_free(kctx);
	390	return ret;
	391	}
	392
d2ba8123 SL	393	static int test_kdf_get_kdf(void)
	394	{
	395	const EVP_KDF kdf1, kdf2;
	396	ASN1_OBJECT *obj;
	397
	398	return
	399	TEST_ptr(obj = OBJ_nid2obj(NID_id_pbkdf2))
	400	&& TEST_ptr(kdf1 = EVP_get_kdfbyname(LN_id_pbkdf2))
	401	&& TEST_ptr(kdf2 = EVP_get_kdfbyobj(obj))
	402	&& TEST_ptr_eq(kdf1, kdf2)
	403	&& TEST_ptr(kdf1 = EVP_get_kdfbyname(SN_tls1_prf))
	404	&& TEST_ptr(kdf2 = EVP_get_kdfbyname(LN_tls1_prf))
	405	&& TEST_ptr_eq(kdf1, kdf2)
	406	&& TEST_ptr(kdf2 = EVP_get_kdfbynid(NID_tls1_prf))
	407	&& TEST_ptr_eq(kdf1, kdf2);
	408	}
	409
1aec7716 SL	410	#ifndef OPENSSL_NO_CMS
	411	static int test_kdf_x942_asn1(void)
	412	{
	413	int ret;
	414	EVP_KDF_CTX *kctx = NULL;
	415	unsigned char out[24];
	416	/* RFC2631 Section 2.1.6 Test data */
	417	static const unsigned char z[] = {
	418	0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,
	419	0x0e,0x0f,0x10,0x11,0x12,0x13
	420	};
	421	static const unsigned char expected[sizeof(out)] = {
	422	0xa0,0x96,0x61,0x39,0x23,0x76,0xf7,0x04,
	423	0x4d,0x90,0x52,0xa3,0x97,0x88,0x32,0x46,
	424	0xb6,0x7f,0x5f,0x1e,0xf6,0x3e,0xb5,0xfb
	425	};
	426
	427	ret =
	428	TEST_ptr(kctx = EVP_KDF_CTX_new_id(EVP_KDF_X942))
	429	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha1()), 0)
	430	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, z, sizeof(z)), 0)
	431	&& TEST_int_gt(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_CEK_ALG,
	432	SN_id_smime_alg_CMS3DESwrap), 0)
	433	&& TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
	434	&& TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
	435
	436	EVP_KDF_CTX_free(kctx);
	437	return ret;
	438	}
	439	#endif /* OPENSSL_NO_CMS */
	440
5a285add DM	441	int setup_tests(void)
5a285add DM	442	{
d2ba8123	443	ADD_TEST(test_kdf_get_kdf);
5a285add DM	444	ADD_TEST(test_kdf_tls1_prf);
	445	ADD_TEST(test_kdf_hkdf);
	446	ADD_TEST(test_kdf_pbkdf2);
	447	#ifndef OPENSSL_NO_SCRYPT
	448	ADD_TEST(test_kdf_scrypt);
	449	#endif
9537fe57 SL	450	ADD_TEST(test_kdf_ss_hash);
	451	ADD_TEST(test_kdf_ss_hmac);
	452	ADD_TEST(test_kdf_ss_kmac);
87d9955e	453	ADD_TEST(test_kdf_sshkdf);
8bbeaaa4	454	ADD_TEST(test_kdf_x963);
1aec7716 SL	455	#ifndef OPENSSL_NO_CMS
	456	ADD_TEST(test_kdf_x942_asn1);
	457	#endif
5a285add DM	458	return 1;
5a285add DM	459	}