mirror of
https://github.com/openssl/openssl.git
synced 2024-12-21 06:09:35 +08:00
da1c088f59
Reviewed-by: Richard Levitte <levitte@openssl.org> Release: yes
2000 lines
74 KiB
C
2000 lines
74 KiB
C
/*
|
|
* Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
|
|
*
|
|
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
* this file except in compliance with the License. You can obtain a copy
|
|
* in the file LICENSE in the source distribution or at
|
|
* https://www.openssl.org/source/license.html
|
|
*/
|
|
|
|
#include <openssl/evp.h>
|
|
#include <openssl/core_names.h>
|
|
#include <openssl/rand.h>
|
|
#include <openssl/hpke.h>
|
|
#include "testutil.h"
|
|
|
|
/* a size to use for stack buffers */
|
|
#define OSSL_HPKE_TSTSIZE 512
|
|
|
|
static OSSL_LIB_CTX *testctx = NULL;
|
|
static OSSL_PROVIDER *nullprov = NULL;
|
|
static OSSL_PROVIDER *deflprov = NULL;
|
|
static char *testpropq = "provider=default";
|
|
static int verbose = 0;
|
|
|
|
typedef struct {
|
|
int mode;
|
|
OSSL_HPKE_SUITE suite;
|
|
const unsigned char *ikmE;
|
|
size_t ikmElen;
|
|
const unsigned char *expected_pkEm;
|
|
size_t expected_pkEmlen;
|
|
const unsigned char *ikmR;
|
|
size_t ikmRlen;
|
|
const unsigned char *expected_pkRm;
|
|
size_t expected_pkRmlen;
|
|
const unsigned char *expected_skRm;
|
|
size_t expected_skRmlen;
|
|
const unsigned char *expected_secret;
|
|
size_t expected_secretlen;
|
|
const unsigned char *ksinfo;
|
|
size_t ksinfolen;
|
|
const unsigned char *ikmAuth;
|
|
size_t ikmAuthlen;
|
|
const unsigned char *psk;
|
|
size_t psklen;
|
|
const char *pskid; /* want terminating NUL here */
|
|
} TEST_BASEDATA;
|
|
|
|
typedef struct
|
|
{
|
|
int seq;
|
|
const unsigned char *pt;
|
|
size_t ptlen;
|
|
const unsigned char *aad;
|
|
size_t aadlen;
|
|
const unsigned char *expected_ct;
|
|
size_t expected_ctlen;
|
|
} TEST_AEADDATA;
|
|
|
|
typedef struct
|
|
{
|
|
const unsigned char *context;
|
|
size_t contextlen;
|
|
const unsigned char *expected_secret;
|
|
size_t expected_secretlen;
|
|
} TEST_EXPORTDATA;
|
|
|
|
/**
|
|
* @brief Test that an EVP_PKEY encoded public key matches the supplied buffer
|
|
* @param pkey is the EVP_PKEY we want to check
|
|
* @param pub is the expected public key buffer
|
|
* @param publen is the length of the above
|
|
* @return 1 for good, 0 for bad
|
|
*/
|
|
static int cmpkey(const EVP_PKEY *pkey,
|
|
const unsigned char *pub, size_t publen)
|
|
{
|
|
unsigned char pubbuf[256];
|
|
size_t pubbuflen = 0;
|
|
int erv = 0;
|
|
|
|
if (!TEST_true(publen <= sizeof(pubbuf)))
|
|
return 0;
|
|
erv = EVP_PKEY_get_octet_string_param(pkey,
|
|
OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY,
|
|
pubbuf, sizeof(pubbuf), &pubbuflen);
|
|
if (!TEST_true(erv))
|
|
return 0;
|
|
if (pub != NULL && !TEST_mem_eq(pubbuf, pubbuflen, pub, publen))
|
|
return 0;
|
|
return 1;
|
|
}
|
|
|
|
static int do_testhpke(const TEST_BASEDATA *base,
|
|
const TEST_AEADDATA *aead, size_t aeadsz,
|
|
const TEST_EXPORTDATA *export, size_t exportsz)
|
|
{
|
|
OSSL_LIB_CTX *libctx = testctx;
|
|
const char *propq = testpropq;
|
|
OSSL_HPKE_CTX *sealctx = NULL, *openctx = NULL;
|
|
unsigned char ct[256];
|
|
unsigned char enc[256];
|
|
unsigned char ptout[256];
|
|
size_t ptoutlen = sizeof(ptout);
|
|
size_t enclen = sizeof(enc);
|
|
size_t ctlen = sizeof(ct);
|
|
unsigned char pub[OSSL_HPKE_TSTSIZE];
|
|
size_t publen = sizeof(pub);
|
|
EVP_PKEY *privE = NULL;
|
|
unsigned char authpub[OSSL_HPKE_TSTSIZE];
|
|
size_t authpublen = sizeof(authpub);
|
|
EVP_PKEY *authpriv = NULL;
|
|
unsigned char rpub[OSSL_HPKE_TSTSIZE];
|
|
size_t rpublen = sizeof(pub);
|
|
EVP_PKEY *privR = NULL;
|
|
int ret = 0;
|
|
size_t i;
|
|
uint64_t lastseq = 0;
|
|
|
|
if (!TEST_true(OSSL_HPKE_keygen(base->suite, pub, &publen, &privE,
|
|
base->ikmE, base->ikmElen, libctx, propq)))
|
|
goto end;
|
|
if (!TEST_true(cmpkey(privE, base->expected_pkEm, base->expected_pkEmlen)))
|
|
goto end;
|
|
if (!TEST_ptr(sealctx = OSSL_HPKE_CTX_new(base->mode, base->suite,
|
|
OSSL_HPKE_ROLE_SENDER,
|
|
libctx, propq)))
|
|
goto end;
|
|
if (!TEST_true(OSSL_HPKE_CTX_set1_ikme(sealctx, base->ikmE, base->ikmElen)))
|
|
goto end;
|
|
if (base->mode == OSSL_HPKE_MODE_AUTH
|
|
|| base->mode == OSSL_HPKE_MODE_PSKAUTH) {
|
|
if (!TEST_true(base->ikmAuth != NULL && base->ikmAuthlen > 0))
|
|
goto end;
|
|
if (!TEST_true(OSSL_HPKE_keygen(base->suite,
|
|
authpub, &authpublen, &authpriv,
|
|
base->ikmAuth, base->ikmAuthlen,
|
|
libctx, propq)))
|
|
goto end;
|
|
if (!TEST_true(OSSL_HPKE_CTX_set1_authpriv(sealctx, authpriv)))
|
|
goto end;
|
|
}
|
|
if (!TEST_true(OSSL_HPKE_keygen(base->suite, rpub, &rpublen, &privR,
|
|
base->ikmR, base->ikmRlen, libctx, propq)))
|
|
goto end;
|
|
if (!TEST_true(cmpkey(privR, base->expected_pkRm, base->expected_pkRmlen)))
|
|
goto end;
|
|
if (base->mode == OSSL_HPKE_MODE_PSK
|
|
|| base->mode == OSSL_HPKE_MODE_PSKAUTH) {
|
|
if (!TEST_true(OSSL_HPKE_CTX_set1_psk(sealctx, base->pskid,
|
|
base->psk, base->psklen)))
|
|
goto end;
|
|
}
|
|
if (!TEST_true(OSSL_HPKE_encap(sealctx, enc, &enclen,
|
|
rpub, rpublen,
|
|
base->ksinfo, base->ksinfolen)))
|
|
goto end;
|
|
if (!TEST_true(cmpkey(privE, enc, enclen)))
|
|
goto end;
|
|
for (i = 0; i < aeadsz; ++i) {
|
|
ctlen = sizeof(ct);
|
|
memset(ct, 0, ctlen);
|
|
if (!TEST_true(OSSL_HPKE_seal(sealctx, ct, &ctlen,
|
|
aead[i].aad, aead[i].aadlen,
|
|
aead[i].pt, aead[i].ptlen)))
|
|
goto end;
|
|
if (!TEST_mem_eq(ct, ctlen, aead[i].expected_ct,
|
|
aead[i].expected_ctlen))
|
|
goto end;
|
|
if (!TEST_true(OSSL_HPKE_CTX_get_seq(sealctx, &lastseq)))
|
|
goto end;
|
|
if (lastseq != (uint64_t)(i + 1))
|
|
goto end;
|
|
}
|
|
if (!TEST_ptr(openctx = OSSL_HPKE_CTX_new(base->mode, base->suite,
|
|
OSSL_HPKE_ROLE_RECEIVER,
|
|
libctx, propq)))
|
|
goto end;
|
|
if (base->mode == OSSL_HPKE_MODE_PSK
|
|
|| base->mode == OSSL_HPKE_MODE_PSKAUTH) {
|
|
if (!TEST_true(base->pskid != NULL && base->psk != NULL
|
|
&& base->psklen > 0))
|
|
goto end;
|
|
if (!TEST_true(OSSL_HPKE_CTX_set1_psk(openctx, base->pskid,
|
|
base->psk, base->psklen)))
|
|
goto end;
|
|
}
|
|
if (base->mode == OSSL_HPKE_MODE_AUTH
|
|
|| base->mode == OSSL_HPKE_MODE_PSKAUTH) {
|
|
if (!TEST_true(OSSL_HPKE_CTX_set1_authpub(openctx,
|
|
authpub, authpublen)))
|
|
goto end;
|
|
}
|
|
if (!TEST_true(OSSL_HPKE_decap(openctx, enc, enclen, privR,
|
|
base->ksinfo, base->ksinfolen)))
|
|
goto end;
|
|
for (i = 0; i < aeadsz; ++i) {
|
|
ptoutlen = sizeof(ptout);
|
|
memset(ptout, 0, ptoutlen);
|
|
if (!TEST_true(OSSL_HPKE_open(openctx, ptout, &ptoutlen,
|
|
aead[i].aad, aead[i].aadlen,
|
|
aead[i].expected_ct,
|
|
aead[i].expected_ctlen)))
|
|
goto end;
|
|
if (!TEST_mem_eq(aead[i].pt, aead[i].ptlen, ptout, ptoutlen))
|
|
goto end;
|
|
/* check the sequence is being incremented as expected */
|
|
if (!TEST_true(OSSL_HPKE_CTX_get_seq(openctx, &lastseq)))
|
|
goto end;
|
|
if (lastseq != (uint64_t)(i + 1))
|
|
goto end;
|
|
}
|
|
/* check exporters */
|
|
for (i = 0; i < exportsz; ++i) {
|
|
size_t len = export[i].expected_secretlen;
|
|
unsigned char eval[OSSL_HPKE_TSTSIZE];
|
|
|
|
if (len > sizeof(eval))
|
|
goto end;
|
|
/* export with too long label should fail */
|
|
if (!TEST_false(OSSL_HPKE_export(sealctx, eval, len,
|
|
export[i].context, -1)))
|
|
goto end;
|
|
/* good export call */
|
|
if (!TEST_true(OSSL_HPKE_export(sealctx, eval, len,
|
|
export[i].context,
|
|
export[i].contextlen)))
|
|
goto end;
|
|
if (!TEST_mem_eq(eval, len, export[i].expected_secret,
|
|
export[i].expected_secretlen))
|
|
goto end;
|
|
|
|
/* check seal fails if export only mode */
|
|
if (aeadsz == 0) {
|
|
|
|
if (!TEST_false(OSSL_HPKE_seal(sealctx, ct, &ctlen,
|
|
NULL, 0, ptout, ptoutlen)))
|
|
goto end;
|
|
}
|
|
}
|
|
ret = 1;
|
|
end:
|
|
OSSL_HPKE_CTX_free(sealctx);
|
|
OSSL_HPKE_CTX_free(openctx);
|
|
EVP_PKEY_free(privE);
|
|
EVP_PKEY_free(privR);
|
|
EVP_PKEY_free(authpriv);
|
|
return ret;
|
|
}
|
|
|
|
static const unsigned char pt[] = {
|
|
0x42, 0x65, 0x61, 0x75, 0x74, 0x79, 0x20, 0x69,
|
|
0x73, 0x20, 0x74, 0x72, 0x75, 0x74, 0x68, 0x2c,
|
|
0x20, 0x74, 0x72, 0x75, 0x74, 0x68, 0x20, 0x62,
|
|
0x65, 0x61, 0x75, 0x74, 0x79
|
|
};
|
|
static const unsigned char ksinfo[] = {
|
|
0x4f, 0x64, 0x65, 0x20, 0x6f, 0x6e, 0x20, 0x61,
|
|
0x20, 0x47, 0x72, 0x65, 0x63, 0x69, 0x61, 0x6e,
|
|
0x20, 0x55, 0x72, 0x6e
|
|
};
|
|
#ifndef OPENSSL_NO_ECX
|
|
/*
|
|
* static const char *pskid = "Ennyn Durin aran Moria";
|
|
*/
|
|
static const unsigned char pskid[] = {
|
|
0x45, 0x6e, 0x6e, 0x79, 0x6e, 0x20, 0x44, 0x75,
|
|
0x72, 0x69, 0x6e, 0x20, 0x61, 0x72, 0x61, 0x6e,
|
|
0x20, 0x4d, 0x6f, 0x72, 0x69, 0x61, 0x00
|
|
};
|
|
static const unsigned char psk[] = {
|
|
0x02, 0x47, 0xfd, 0x33, 0xb9, 0x13, 0x76, 0x0f,
|
|
0xa1, 0xfa, 0x51, 0xe1, 0x89, 0x2d, 0x9f, 0x30,
|
|
0x7f, 0xbe, 0x65, 0xeb, 0x17, 0x1e, 0x81, 0x32,
|
|
0xc2, 0xaf, 0x18, 0x55, 0x5a, 0x73, 0x8b, 0x82
|
|
};
|
|
|
|
/* these need to be "outside" the function below to keep check-ansi CI happy */
|
|
static const unsigned char first_ikme[] = {
|
|
0x78, 0x62, 0x8c, 0x35, 0x4e, 0x46, 0xf3, 0xe1,
|
|
0x69, 0xbd, 0x23, 0x1b, 0xe7, 0xb2, 0xff, 0x1c,
|
|
0x77, 0xaa, 0x30, 0x24, 0x60, 0xa2, 0x6d, 0xbf,
|
|
0xa1, 0x55, 0x15, 0x68, 0x4c, 0x00, 0x13, 0x0b
|
|
};
|
|
static const unsigned char first_ikmr[] = {
|
|
0xd4, 0xa0, 0x9d, 0x09, 0xf5, 0x75, 0xfe, 0xf4,
|
|
0x25, 0x90, 0x5d, 0x2a, 0xb3, 0x96, 0xc1, 0x44,
|
|
0x91, 0x41, 0x46, 0x3f, 0x69, 0x8f, 0x8e, 0xfd,
|
|
0xb7, 0xac, 0xcf, 0xaf, 0xf8, 0x99, 0x50, 0x98
|
|
};
|
|
static const unsigned char first_ikmepub[] = {
|
|
0x0a, 0xd0, 0x95, 0x0d, 0x9f, 0xb9, 0x58, 0x8e,
|
|
0x59, 0x69, 0x0b, 0x74, 0xf1, 0x23, 0x7e, 0xcd,
|
|
0xf1, 0xd7, 0x75, 0xcd, 0x60, 0xbe, 0x2e, 0xca,
|
|
0x57, 0xaf, 0x5a, 0x4b, 0x04, 0x71, 0xc9, 0x1b,
|
|
};
|
|
static const unsigned char first_ikmrpub[] = {
|
|
0x9f, 0xed, 0x7e, 0x8c, 0x17, 0x38, 0x75, 0x60,
|
|
0xe9, 0x2c, 0xc6, 0x46, 0x2a, 0x68, 0x04, 0x96,
|
|
0x57, 0x24, 0x6a, 0x09, 0xbf, 0xa8, 0xad, 0xe7,
|
|
0xae, 0xfe, 0x58, 0x96, 0x72, 0x01, 0x63, 0x66
|
|
};
|
|
static const unsigned char first_ikmrpriv[] = {
|
|
0xc5, 0xeb, 0x01, 0xeb, 0x45, 0x7f, 0xe6, 0xc6,
|
|
0xf5, 0x75, 0x77, 0xc5, 0x41, 0x3b, 0x93, 0x15,
|
|
0x50, 0xa1, 0x62, 0xc7, 0x1a, 0x03, 0xac, 0x8d,
|
|
0x19, 0x6b, 0xab, 0xbd, 0x4e, 0x5c, 0xe0, 0xfd
|
|
};
|
|
static const unsigned char first_expected_shared_secret[] = {
|
|
0x72, 0x76, 0x99, 0xf0, 0x09, 0xff, 0xe3, 0xc0,
|
|
0x76, 0x31, 0x50, 0x19, 0xc6, 0x96, 0x48, 0x36,
|
|
0x6b, 0x69, 0x17, 0x14, 0x39, 0xbd, 0x7d, 0xd0,
|
|
0x80, 0x77, 0x43, 0xbd, 0xe7, 0x69, 0x86, 0xcd
|
|
};
|
|
static const unsigned char first_aad0[] = {
|
|
0x43, 0x6f, 0x75, 0x6e, 0x74, 0x2d, 0x30
|
|
};
|
|
static const unsigned char first_ct0[] = {
|
|
0xe5, 0x2c, 0x6f, 0xed, 0x7f, 0x75, 0x8d, 0x0c,
|
|
0xf7, 0x14, 0x56, 0x89, 0xf2, 0x1b, 0xc1, 0xbe,
|
|
0x6e, 0xc9, 0xea, 0x09, 0x7f, 0xef, 0x4e, 0x95,
|
|
0x94, 0x40, 0x01, 0x2f, 0x4f, 0xeb, 0x73, 0xfb,
|
|
0x61, 0x1b, 0x94, 0x61, 0x99, 0xe6, 0x81, 0xf4,
|
|
0xcf, 0xc3, 0x4d, 0xb8, 0xea
|
|
};
|
|
static const unsigned char first_aad1[] = {
|
|
0x43, 0x6f, 0x75, 0x6e, 0x74, 0x2d, 0x31
|
|
};
|
|
static const unsigned char first_ct1[] = {
|
|
0x49, 0xf3, 0xb1, 0x9b, 0x28, 0xa9, 0xea, 0x9f,
|
|
0x43, 0xe8, 0xc7, 0x12, 0x04, 0xc0, 0x0d, 0x4a,
|
|
0x49, 0x0e, 0xe7, 0xf6, 0x13, 0x87, 0xb6, 0x71,
|
|
0x9d, 0xb7, 0x65, 0xe9, 0x48, 0x12, 0x3b, 0x45,
|
|
0xb6, 0x16, 0x33, 0xef, 0x05, 0x9b, 0xa2, 0x2c,
|
|
0xd6, 0x24, 0x37, 0xc8, 0xba
|
|
};
|
|
static const unsigned char first_aad2[] = {
|
|
0x43, 0x6f, 0x75, 0x6e, 0x74, 0x2d, 0x32
|
|
};
|
|
static const unsigned char first_ct2[] = {
|
|
0x25, 0x7c, 0xa6, 0xa0, 0x84, 0x73, 0xdc, 0x85,
|
|
0x1f, 0xde, 0x45, 0xaf, 0xd5, 0x98, 0xcc, 0x83,
|
|
0xe3, 0x26, 0xdd, 0xd0, 0xab, 0xe1, 0xef, 0x23,
|
|
0xba, 0xa3, 0xba, 0xa4, 0xdd, 0x8c, 0xde, 0x99,
|
|
0xfc, 0xe2, 0xc1, 0xe8, 0xce, 0x68, 0x7b, 0x0b,
|
|
0x47, 0xea, 0xd1, 0xad, 0xc9
|
|
};
|
|
static const unsigned char first_export1[] = {
|
|
0xdf, 0xf1, 0x7a, 0xf3, 0x54, 0xc8, 0xb4, 0x16,
|
|
0x73, 0x56, 0x7d, 0xb6, 0x25, 0x9f, 0xd6, 0x02,
|
|
0x99, 0x67, 0xb4, 0xe1, 0xaa, 0xd1, 0x30, 0x23,
|
|
0xc2, 0xae, 0x5d, 0xf8, 0xf4, 0xf4, 0x3b, 0xf6
|
|
};
|
|
static const unsigned char first_context2[] = { 0x00 };
|
|
static const unsigned char first_export2[] = {
|
|
0x6a, 0x84, 0x72, 0x61, 0xd8, 0x20, 0x7f, 0xe5,
|
|
0x96, 0xbe, 0xfb, 0x52, 0x92, 0x84, 0x63, 0x88,
|
|
0x1a, 0xb4, 0x93, 0xda, 0x34, 0x5b, 0x10, 0xe1,
|
|
0xdc, 0xc6, 0x45, 0xe3, 0xb9, 0x4e, 0x2d, 0x95
|
|
};
|
|
static const unsigned char first_context3[] = {
|
|
0x54, 0x65, 0x73, 0x74, 0x43, 0x6f, 0x6e, 0x74,
|
|
0x65, 0x78, 0x74
|
|
};
|
|
static const unsigned char first_export3[] = {
|
|
0x8a, 0xff, 0x52, 0xb4, 0x5a, 0x1b, 0xe3, 0xa7,
|
|
0x34, 0xbc, 0x7a, 0x41, 0xe2, 0x0b, 0x4e, 0x05,
|
|
0x5a, 0xd4, 0xc4, 0xd2, 0x21, 0x04, 0xb0, 0xc2,
|
|
0x02, 0x85, 0xa7, 0xc4, 0x30, 0x24, 0x01, 0xcd
|
|
};
|
|
|
|
static int x25519kdfsha256_hkdfsha256_aes128gcm_psk_test(void)
|
|
{
|
|
const TEST_BASEDATA pskdata = {
|
|
/* "X25519", NULL, "SHA256", "SHA256", "AES-128-GCM", */
|
|
OSSL_HPKE_MODE_PSK,
|
|
{
|
|
OSSL_HPKE_KEM_ID_X25519,
|
|
OSSL_HPKE_KDF_ID_HKDF_SHA256,
|
|
OSSL_HPKE_AEAD_ID_AES_GCM_128
|
|
},
|
|
first_ikme, sizeof(first_ikme),
|
|
first_ikmepub, sizeof(first_ikmepub),
|
|
first_ikmr, sizeof(first_ikmr),
|
|
first_ikmrpub, sizeof(first_ikmrpub),
|
|
first_ikmrpriv, sizeof(first_ikmrpriv),
|
|
first_expected_shared_secret, sizeof(first_expected_shared_secret),
|
|
ksinfo, sizeof(ksinfo),
|
|
NULL, 0, /* No Auth */
|
|
psk, sizeof(psk), (char *) pskid
|
|
};
|
|
const TEST_AEADDATA aeaddata[] = {
|
|
{
|
|
0,
|
|
pt, sizeof(pt),
|
|
first_aad0, sizeof(first_aad0),
|
|
first_ct0, sizeof(first_ct0)
|
|
},
|
|
{
|
|
1,
|
|
pt, sizeof(pt),
|
|
first_aad1, sizeof(first_aad1),
|
|
first_ct1, sizeof(first_ct1)
|
|
},
|
|
{
|
|
2,
|
|
pt, sizeof(pt),
|
|
first_aad2, sizeof(first_aad2),
|
|
first_ct2, sizeof(first_ct2)
|
|
}
|
|
};
|
|
const TEST_EXPORTDATA exportdata[] = {
|
|
{ NULL, 0, first_export1, sizeof(first_export1) },
|
|
{ first_context2, sizeof(first_context2),
|
|
first_export2, sizeof(first_export2) },
|
|
{ first_context3, sizeof(first_context3),
|
|
first_export3, sizeof(first_export3) },
|
|
};
|
|
return do_testhpke(&pskdata, aeaddata, OSSL_NELEM(aeaddata),
|
|
exportdata, OSSL_NELEM(exportdata));
|
|
}
|
|
|
|
static const unsigned char second_ikme[] = {
|
|
0x72, 0x68, 0x60, 0x0d, 0x40, 0x3f, 0xce, 0x43,
|
|
0x15, 0x61, 0xae, 0xf5, 0x83, 0xee, 0x16, 0x13,
|
|
0x52, 0x7c, 0xff, 0x65, 0x5c, 0x13, 0x43, 0xf2,
|
|
0x98, 0x12, 0xe6, 0x67, 0x06, 0xdf, 0x32, 0x34
|
|
};
|
|
static const unsigned char second_ikmepub[] = {
|
|
0x37, 0xfd, 0xa3, 0x56, 0x7b, 0xdb, 0xd6, 0x28,
|
|
0xe8, 0x86, 0x68, 0xc3, 0xc8, 0xd7, 0xe9, 0x7d,
|
|
0x1d, 0x12, 0x53, 0xb6, 0xd4, 0xea, 0x6d, 0x44,
|
|
0xc1, 0x50, 0xf7, 0x41, 0xf1, 0xbf, 0x44, 0x31,
|
|
};
|
|
static const unsigned char second_ikmr[] = {
|
|
0x6d, 0xb9, 0xdf, 0x30, 0xaa, 0x07, 0xdd, 0x42,
|
|
0xee, 0x5e, 0x81, 0x81, 0xaf, 0xdb, 0x97, 0x7e,
|
|
0x53, 0x8f, 0x5e, 0x1f, 0xec, 0x8a, 0x06, 0x22,
|
|
0x3f, 0x33, 0xf7, 0x01, 0x3e, 0x52, 0x50, 0x37
|
|
};
|
|
static const unsigned char second_ikmrpub[] = {
|
|
0x39, 0x48, 0xcf, 0xe0, 0xad, 0x1d, 0xdb, 0x69,
|
|
0x5d, 0x78, 0x0e, 0x59, 0x07, 0x71, 0x95, 0xda,
|
|
0x6c, 0x56, 0x50, 0x6b, 0x02, 0x73, 0x29, 0x79,
|
|
0x4a, 0xb0, 0x2b, 0xca, 0x80, 0x81, 0x5c, 0x4d
|
|
};
|
|
static const unsigned char second_ikmrpriv[] = {
|
|
0x46, 0x12, 0xc5, 0x50, 0x26, 0x3f, 0xc8, 0xad,
|
|
0x58, 0x37, 0x5d, 0xf3, 0xf5, 0x57, 0xaa, 0xc5,
|
|
0x31, 0xd2, 0x68, 0x50, 0x90, 0x3e, 0x55, 0xa9,
|
|
0xf2, 0x3f, 0x21, 0xd8, 0x53, 0x4e, 0x8a, 0xc8
|
|
};
|
|
static const unsigned char second_expected_shared_secret[] = {
|
|
0xfe, 0x0e, 0x18, 0xc9, 0xf0, 0x24, 0xce, 0x43,
|
|
0x79, 0x9a, 0xe3, 0x93, 0xc7, 0xe8, 0xfe, 0x8f,
|
|
0xce, 0x9d, 0x21, 0x88, 0x75, 0xe8, 0x22, 0x7b,
|
|
0x01, 0x87, 0xc0, 0x4e, 0x7d, 0x2e, 0xa1, 0xfc
|
|
};
|
|
static const unsigned char second_aead0[] = {
|
|
0x43, 0x6f, 0x75, 0x6e, 0x74, 0x2d, 0x30
|
|
};
|
|
static const unsigned char second_ct0[] = {
|
|
0xf9, 0x38, 0x55, 0x8b, 0x5d, 0x72, 0xf1, 0xa2,
|
|
0x38, 0x10, 0xb4, 0xbe, 0x2a, 0xb4, 0xf8, 0x43,
|
|
0x31, 0xac, 0xc0, 0x2f, 0xc9, 0x7b, 0xab, 0xc5,
|
|
0x3a, 0x52, 0xae, 0x82, 0x18, 0xa3, 0x55, 0xa9,
|
|
0x6d, 0x87, 0x70, 0xac, 0x83, 0xd0, 0x7b, 0xea,
|
|
0x87, 0xe1, 0x3c, 0x51, 0x2a
|
|
};
|
|
static const unsigned char second_aead1[] = {
|
|
0x43, 0x6f, 0x75, 0x6e, 0x74, 0x2d, 0x31
|
|
};
|
|
static const unsigned char second_ct1[] = {
|
|
0xaf, 0x2d, 0x7e, 0x9a, 0xc9, 0xae, 0x7e, 0x27,
|
|
0x0f, 0x46, 0xba, 0x1f, 0x97, 0x5b, 0xe5, 0x3c,
|
|
0x09, 0xf8, 0xd8, 0x75, 0xbd, 0xc8, 0x53, 0x54,
|
|
0x58, 0xc2, 0x49, 0x4e, 0x8a, 0x6e, 0xab, 0x25,
|
|
0x1c, 0x03, 0xd0, 0xc2, 0x2a, 0x56, 0xb8, 0xca,
|
|
0x42, 0xc2, 0x06, 0x3b, 0x84
|
|
};
|
|
static const unsigned char second_export1[] = {
|
|
0x38, 0x53, 0xfe, 0x2b, 0x40, 0x35, 0x19, 0x5a,
|
|
0x57, 0x3f, 0xfc, 0x53, 0x85, 0x6e, 0x77, 0x05,
|
|
0x8e, 0x15, 0xd9, 0xea, 0x06, 0x4d, 0xe3, 0xe5,
|
|
0x9f, 0x49, 0x61, 0xd0, 0x09, 0x52, 0x50, 0xee
|
|
};
|
|
static const unsigned char second_context2[] = { 0x00 };
|
|
static const unsigned char second_export2[] = {
|
|
0x2e, 0x8f, 0x0b, 0x54, 0x67, 0x3c, 0x70, 0x29,
|
|
0x64, 0x9d, 0x4e, 0xb9, 0xd5, 0xe3, 0x3b, 0xf1,
|
|
0x87, 0x2c, 0xf7, 0x6d, 0x62, 0x3f, 0xf1, 0x64,
|
|
0xac, 0x18, 0x5d, 0xa9, 0xe8, 0x8c, 0x21, 0xa5
|
|
};
|
|
static const unsigned char second_context3[] = {
|
|
0x54, 0x65, 0x73, 0x74, 0x43, 0x6f, 0x6e, 0x74,
|
|
0x65, 0x78, 0x74
|
|
};
|
|
static const unsigned char second_export3[] = {
|
|
0xe9, 0xe4, 0x30, 0x65, 0x10, 0x2c, 0x38, 0x36,
|
|
0x40, 0x1b, 0xed, 0x8c, 0x3c, 0x3c, 0x75, 0xae,
|
|
0x46, 0xbe, 0x16, 0x39, 0x86, 0x93, 0x91, 0xd6,
|
|
0x2c, 0x61, 0xf1, 0xec, 0x7a, 0xf5, 0x49, 0x31
|
|
};
|
|
|
|
static int x25519kdfsha256_hkdfsha256_aes128gcm_base_test(void)
|
|
{
|
|
const TEST_BASEDATA basedata = {
|
|
OSSL_HPKE_MODE_BASE,
|
|
{
|
|
OSSL_HPKE_KEM_ID_X25519,
|
|
OSSL_HPKE_KDF_ID_HKDF_SHA256,
|
|
OSSL_HPKE_AEAD_ID_AES_GCM_128
|
|
},
|
|
second_ikme, sizeof(second_ikme),
|
|
second_ikmepub, sizeof(second_ikmepub),
|
|
second_ikmr, sizeof(second_ikmr),
|
|
second_ikmrpub, sizeof(second_ikmrpub),
|
|
second_ikmrpriv, sizeof(second_ikmrpriv),
|
|
second_expected_shared_secret, sizeof(second_expected_shared_secret),
|
|
ksinfo, sizeof(ksinfo),
|
|
NULL, 0, /* no auth ikm */
|
|
NULL, 0, NULL /* no psk */
|
|
};
|
|
const TEST_AEADDATA aeaddata[] = {
|
|
{
|
|
0,
|
|
pt, sizeof(pt),
|
|
second_aead0, sizeof(second_aead0),
|
|
second_ct0, sizeof(second_ct0)
|
|
},
|
|
{
|
|
1,
|
|
pt, sizeof(pt),
|
|
second_aead1, sizeof(second_aead1),
|
|
second_ct1, sizeof(second_ct1)
|
|
}
|
|
};
|
|
const TEST_EXPORTDATA exportdata[] = {
|
|
{ NULL, 0, second_export1, sizeof(second_export1) },
|
|
{ second_context2, sizeof(second_context2),
|
|
second_export2, sizeof(second_export2) },
|
|
{ second_context3, sizeof(second_context3),
|
|
second_export3, sizeof(second_export3) },
|
|
};
|
|
return do_testhpke(&basedata, aeaddata, OSSL_NELEM(aeaddata),
|
|
exportdata, OSSL_NELEM(exportdata));
|
|
}
|
|
#endif
|
|
|
|
static const unsigned char third_ikme[] = {
|
|
0x42, 0x70, 0xe5, 0x4f, 0xfd, 0x08, 0xd7, 0x9d,
|
|
0x59, 0x28, 0x02, 0x0a, 0xf4, 0x68, 0x6d, 0x8f,
|
|
0x6b, 0x7d, 0x35, 0xdb, 0xe4, 0x70, 0x26, 0x5f,
|
|
0x1f, 0x5a, 0xa2, 0x28, 0x16, 0xce, 0x86, 0x0e
|
|
};
|
|
static const unsigned char third_ikmepub[] = {
|
|
0x04, 0xa9, 0x27, 0x19, 0xc6, 0x19, 0x5d, 0x50,
|
|
0x85, 0x10, 0x4f, 0x46, 0x9a, 0x8b, 0x98, 0x14,
|
|
0xd5, 0x83, 0x8f, 0xf7, 0x2b, 0x60, 0x50, 0x1e,
|
|
0x2c, 0x44, 0x66, 0xe5, 0xe6, 0x7b, 0x32, 0x5a,
|
|
0xc9, 0x85, 0x36, 0xd7, 0xb6, 0x1a, 0x1a, 0xf4,
|
|
0xb7, 0x8e, 0x5b, 0x7f, 0x95, 0x1c, 0x09, 0x00,
|
|
0xbe, 0x86, 0x3c, 0x40, 0x3c, 0xe6, 0x5c, 0x9b,
|
|
0xfc, 0xb9, 0x38, 0x26, 0x57, 0x22, 0x2d, 0x18,
|
|
0xc4,
|
|
};
|
|
static const unsigned char third_ikmr[] = {
|
|
0x66, 0x8b, 0x37, 0x17, 0x1f, 0x10, 0x72, 0xf3,
|
|
0xcf, 0x12, 0xea, 0x8a, 0x23, 0x6a, 0x45, 0xdf,
|
|
0x23, 0xfc, 0x13, 0xb8, 0x2a, 0xf3, 0x60, 0x9a,
|
|
0xd1, 0xe3, 0x54, 0xf6, 0xef, 0x81, 0x75, 0x50
|
|
};
|
|
static const unsigned char third_ikmrpub[] = {
|
|
0x04, 0xfe, 0x8c, 0x19, 0xce, 0x09, 0x05, 0x19,
|
|
0x1e, 0xbc, 0x29, 0x8a, 0x92, 0x45, 0x79, 0x25,
|
|
0x31, 0xf2, 0x6f, 0x0c, 0xec, 0xe2, 0x46, 0x06,
|
|
0x39, 0xe8, 0xbc, 0x39, 0xcb, 0x7f, 0x70, 0x6a,
|
|
0x82, 0x6a, 0x77, 0x9b, 0x4c, 0xf9, 0x69, 0xb8,
|
|
0xa0, 0xe5, 0x39, 0xc7, 0xf6, 0x2f, 0xb3, 0xd3,
|
|
0x0a, 0xd6, 0xaa, 0x8f, 0x80, 0xe3, 0x0f, 0x1d,
|
|
0x12, 0x8a, 0xaf, 0xd6, 0x8a, 0x2c, 0xe7, 0x2e,
|
|
0xa0
|
|
};
|
|
static const unsigned char third_ikmrpriv[] = {
|
|
0xf3, 0xce, 0x7f, 0xda, 0xe5, 0x7e, 0x1a, 0x31,
|
|
0x0d, 0x87, 0xf1, 0xeb, 0xbd, 0xe6, 0xf3, 0x28,
|
|
0xbe, 0x0a, 0x99, 0xcd, 0xbc, 0xad, 0xf4, 0xd6,
|
|
0x58, 0x9c, 0xf2, 0x9d, 0xe4, 0xb8, 0xff, 0xd2
|
|
};
|
|
static const unsigned char third_expected_shared_secret[] = {
|
|
0xc0, 0xd2, 0x6a, 0xea, 0xb5, 0x36, 0x60, 0x9a,
|
|
0x57, 0x2b, 0x07, 0x69, 0x5d, 0x93, 0x3b, 0x58,
|
|
0x9d, 0xcf, 0x36, 0x3f, 0xf9, 0xd9, 0x3c, 0x93,
|
|
0xad, 0xea, 0x53, 0x7a, 0xea, 0xbb, 0x8c, 0xb8
|
|
};
|
|
static const unsigned char third_aead0[] = {
|
|
0x43, 0x6f, 0x75, 0x6e, 0x74, 0x2d, 0x30
|
|
};
|
|
static const unsigned char third_ct0[] = {
|
|
0x5a, 0xd5, 0x90, 0xbb, 0x8b, 0xaa, 0x57, 0x7f,
|
|
0x86, 0x19, 0xdb, 0x35, 0xa3, 0x63, 0x11, 0x22,
|
|
0x6a, 0x89, 0x6e, 0x73, 0x42, 0xa6, 0xd8, 0x36,
|
|
0xd8, 0xb7, 0xbc, 0xd2, 0xf2, 0x0b, 0x6c, 0x7f,
|
|
0x90, 0x76, 0xac, 0x23, 0x2e, 0x3a, 0xb2, 0x52,
|
|
0x3f, 0x39, 0x51, 0x34, 0x34
|
|
};
|
|
static const unsigned char third_aead1[] = {
|
|
0x43, 0x6f, 0x75, 0x6e, 0x74, 0x2d, 0x31
|
|
};
|
|
static const unsigned char third_ct1[] = {
|
|
0xfa, 0x6f, 0x03, 0x7b, 0x47, 0xfc, 0x21, 0x82,
|
|
0x6b, 0x61, 0x01, 0x72, 0xca, 0x96, 0x37, 0xe8,
|
|
0x2d, 0x6e, 0x58, 0x01, 0xeb, 0x31, 0xcb, 0xd3,
|
|
0x74, 0x82, 0x71, 0xaf, 0xfd, 0x4e, 0xcb, 0x06,
|
|
0x64, 0x6e, 0x03, 0x29, 0xcb, 0xdf, 0x3c, 0x3c,
|
|
0xd6, 0x55, 0xb2, 0x8e, 0x82
|
|
};
|
|
static const unsigned char third_export1[] = {
|
|
0x5e, 0x9b, 0xc3, 0xd2, 0x36, 0xe1, 0x91, 0x1d,
|
|
0x95, 0xe6, 0x5b, 0x57, 0x6a, 0x8a, 0x86, 0xd4,
|
|
0x78, 0xfb, 0x82, 0x7e, 0x8b, 0xdf, 0xe7, 0x7b,
|
|
0x74, 0x1b, 0x28, 0x98, 0x90, 0x49, 0x0d, 0x4d
|
|
};
|
|
static const unsigned char third_context2[] = { 0x00 };
|
|
static const unsigned char third_export2[] = {
|
|
0x6c, 0xff, 0x87, 0x65, 0x89, 0x31, 0xbd, 0xa8,
|
|
0x3d, 0xc8, 0x57, 0xe6, 0x35, 0x3e, 0xfe, 0x49,
|
|
0x87, 0xa2, 0x01, 0xb8, 0x49, 0x65, 0x8d, 0x9b,
|
|
0x04, 0x7a, 0xab, 0x4c, 0xf2, 0x16, 0xe7, 0x96
|
|
};
|
|
static const unsigned char third_context3[] = {
|
|
0x54, 0x65, 0x73, 0x74, 0x43, 0x6f, 0x6e, 0x74,
|
|
0x65, 0x78, 0x74
|
|
};
|
|
static const unsigned char third_export3[] = {
|
|
0xd8, 0xf1, 0xea, 0x79, 0x42, 0xad, 0xbb, 0xa7,
|
|
0x41, 0x2c, 0x6d, 0x43, 0x1c, 0x62, 0xd0, 0x13,
|
|
0x71, 0xea, 0x47, 0x6b, 0x82, 0x3e, 0xb6, 0x97,
|
|
0xe1, 0xf6, 0xe6, 0xca, 0xe1, 0xda, 0xb8, 0x5a
|
|
};
|
|
|
|
static int P256kdfsha256_hkdfsha256_aes128gcm_base_test(void)
|
|
{
|
|
const TEST_BASEDATA basedata = {
|
|
OSSL_HPKE_MODE_BASE,
|
|
{
|
|
OSSL_HPKE_KEM_ID_P256,
|
|
OSSL_HPKE_KDF_ID_HKDF_SHA256,
|
|
OSSL_HPKE_AEAD_ID_AES_GCM_128
|
|
},
|
|
third_ikme, sizeof(third_ikme),
|
|
third_ikmepub, sizeof(third_ikmepub),
|
|
third_ikmr, sizeof(third_ikmr),
|
|
third_ikmrpub, sizeof(third_ikmrpub),
|
|
third_ikmrpriv, sizeof(third_ikmrpriv),
|
|
third_expected_shared_secret, sizeof(third_expected_shared_secret),
|
|
ksinfo, sizeof(ksinfo),
|
|
NULL, 0, /* no auth */
|
|
NULL, 0, NULL /* PSK stuff */
|
|
};
|
|
const TEST_AEADDATA aeaddata[] = {
|
|
{
|
|
0,
|
|
pt, sizeof(pt),
|
|
third_aead0, sizeof(third_aead0),
|
|
third_ct0, sizeof(third_ct0)
|
|
},
|
|
{
|
|
1,
|
|
pt, sizeof(pt),
|
|
third_aead1, sizeof(third_aead1),
|
|
third_ct1, sizeof(third_ct1)
|
|
}
|
|
};
|
|
const TEST_EXPORTDATA exportdata[] = {
|
|
{ NULL, 0, third_export1, sizeof(third_export1) },
|
|
{ third_context2, sizeof(third_context2),
|
|
third_export2, sizeof(third_export2) },
|
|
{ third_context3, sizeof(third_context3),
|
|
third_export3, sizeof(third_export3) },
|
|
};
|
|
return do_testhpke(&basedata, aeaddata, OSSL_NELEM(aeaddata),
|
|
exportdata, OSSL_NELEM(exportdata));
|
|
}
|
|
|
|
#ifndef OPENSSL_NO_ECX
|
|
static const unsigned char fourth_ikme[] = {
|
|
0x55, 0xbc, 0x24, 0x5e, 0xe4, 0xef, 0xda, 0x25,
|
|
0xd3, 0x8f, 0x2d, 0x54, 0xd5, 0xbb, 0x66, 0x65,
|
|
0x29, 0x1b, 0x99, 0xf8, 0x10, 0x8a, 0x8c, 0x4b,
|
|
0x68, 0x6c, 0x2b, 0x14, 0x89, 0x3e, 0xa5, 0xd9
|
|
};
|
|
static const unsigned char fourth_ikmepub[] = {
|
|
0xe5, 0xe8, 0xf9, 0xbf, 0xff, 0x6c, 0x2f, 0x29,
|
|
0x79, 0x1f, 0xc3, 0x51, 0xd2, 0xc2, 0x5c, 0xe1,
|
|
0x29, 0x9a, 0xa5, 0xea, 0xca, 0x78, 0xa7, 0x57,
|
|
0xc0, 0xb4, 0xfb, 0x4b, 0xcd, 0x83, 0x09, 0x18
|
|
};
|
|
static const unsigned char fourth_ikmr[] = {
|
|
0x68, 0x3a, 0xe0, 0xda, 0x1d, 0x22, 0x18, 0x1e,
|
|
0x74, 0xed, 0x2e, 0x50, 0x3e, 0xbf, 0x82, 0x84,
|
|
0x0d, 0xeb, 0x1d, 0x5e, 0x87, 0x2c, 0xad, 0xe2,
|
|
0x0f, 0x4b, 0x45, 0x8d, 0x99, 0x78, 0x3e, 0x31
|
|
};
|
|
static const unsigned char fourth_ikmrpub[] = {
|
|
0x19, 0x41, 0x41, 0xca, 0x6c, 0x3c, 0x3b, 0xeb,
|
|
0x47, 0x92, 0xcd, 0x97, 0xba, 0x0e, 0xa1, 0xfa,
|
|
0xff, 0x09, 0xd9, 0x84, 0x35, 0x01, 0x23, 0x45,
|
|
0x76, 0x6e, 0xe3, 0x3a, 0xae, 0x2d, 0x76, 0x64
|
|
};
|
|
static const unsigned char fourth_ikmrpriv[] = {
|
|
0x33, 0xd1, 0x96, 0xc8, 0x30, 0xa1, 0x2f, 0x9a,
|
|
0xc6, 0x5d, 0x6e, 0x56, 0x5a, 0x59, 0x0d, 0x80,
|
|
0xf0, 0x4e, 0xe9, 0xb1, 0x9c, 0x83, 0xc8, 0x7f,
|
|
0x2c, 0x17, 0x0d, 0x97, 0x2a, 0x81, 0x28, 0x48
|
|
};
|
|
static const unsigned char fourth_expected_shared_secret[] = {
|
|
0xe8, 0x17, 0x16, 0xce, 0x8f, 0x73, 0x14, 0x1d,
|
|
0x4f, 0x25, 0xee, 0x90, 0x98, 0xef, 0xc9, 0x68,
|
|
0xc9, 0x1e, 0x5b, 0x8c, 0xe5, 0x2f, 0xff, 0xf5,
|
|
0x9d, 0x64, 0x03, 0x9e, 0x82, 0x91, 0x8b, 0x66
|
|
};
|
|
static const unsigned char fourth_export1[] = {
|
|
0x7a, 0x36, 0x22, 0x1b, 0xd5, 0x6d, 0x50, 0xfb,
|
|
0x51, 0xee, 0x65, 0xed, 0xfd, 0x98, 0xd0, 0x6a,
|
|
0x23, 0xc4, 0xdc, 0x87, 0x08, 0x5a, 0xa5, 0x86,
|
|
0x6c, 0xb7, 0x08, 0x72, 0x44, 0xbd, 0x2a, 0x36
|
|
};
|
|
static const unsigned char fourth_context2[] = { 0x00 };
|
|
static const unsigned char fourth_export2[] = {
|
|
0xd5, 0x53, 0x5b, 0x87, 0x09, 0x9c, 0x6c, 0x3c,
|
|
0xe8, 0x0d, 0xc1, 0x12, 0xa2, 0x67, 0x1c, 0x6e,
|
|
0xc8, 0xe8, 0x11, 0xa2, 0xf2, 0x84, 0xf9, 0x48,
|
|
0xce, 0xc6, 0xdd, 0x17, 0x08, 0xee, 0x33, 0xf0
|
|
};
|
|
static const unsigned char fourth_context3[] = {
|
|
0x54, 0x65, 0x73, 0x74, 0x43, 0x6f, 0x6e, 0x74,
|
|
0x65, 0x78, 0x74
|
|
};
|
|
static const unsigned char fourth_export3[] = {
|
|
0xff, 0xaa, 0xbc, 0x85, 0xa7, 0x76, 0x13, 0x6c,
|
|
0xa0, 0xc3, 0x78, 0xe5, 0xd0, 0x84, 0xc9, 0x14,
|
|
0x0a, 0xb5, 0x52, 0xb7, 0x8f, 0x03, 0x9d, 0x2e,
|
|
0x87, 0x75, 0xf2, 0x6e, 0xff, 0xf4, 0xc7, 0x0e
|
|
};
|
|
|
|
static int export_only_test(void)
|
|
{
|
|
/* based on RFC9180 A.7 */
|
|
const TEST_BASEDATA basedata = {
|
|
OSSL_HPKE_MODE_BASE,
|
|
{
|
|
OSSL_HPKE_KEM_ID_X25519,
|
|
OSSL_HPKE_KDF_ID_HKDF_SHA256,
|
|
OSSL_HPKE_AEAD_ID_EXPORTONLY
|
|
},
|
|
fourth_ikme, sizeof(fourth_ikme),
|
|
fourth_ikmepub, sizeof(fourth_ikmepub),
|
|
fourth_ikmr, sizeof(fourth_ikmr),
|
|
fourth_ikmrpub, sizeof(fourth_ikmrpub),
|
|
fourth_ikmrpriv, sizeof(fourth_ikmrpriv),
|
|
fourth_expected_shared_secret, sizeof(fourth_expected_shared_secret),
|
|
ksinfo, sizeof(ksinfo),
|
|
NULL, 0, /* no auth */
|
|
NULL, 0, NULL /* PSK stuff */
|
|
};
|
|
const TEST_EXPORTDATA exportdata[] = {
|
|
{ NULL, 0, fourth_export1, sizeof(fourth_export1) },
|
|
{ fourth_context2, sizeof(fourth_context2),
|
|
fourth_export2, sizeof(fourth_export2) },
|
|
{ fourth_context3, sizeof(fourth_context3),
|
|
fourth_export3, sizeof(fourth_export3) },
|
|
};
|
|
return do_testhpke(&basedata, NULL, 0,
|
|
exportdata, OSSL_NELEM(exportdata));
|
|
}
|
|
#endif
|
|
|
|
/*
|
|
* Randomly toss a coin
|
|
*/
|
|
#define COIN_IS_HEADS (test_random() % 2)
|
|
|
|
/* tables of HPKE modes and suite values */
|
|
static int hpke_mode_list[] = {
|
|
OSSL_HPKE_MODE_BASE,
|
|
OSSL_HPKE_MODE_PSK,
|
|
OSSL_HPKE_MODE_AUTH,
|
|
OSSL_HPKE_MODE_PSKAUTH
|
|
};
|
|
static uint16_t hpke_kem_list[] = {
|
|
OSSL_HPKE_KEM_ID_P256,
|
|
OSSL_HPKE_KEM_ID_P384,
|
|
OSSL_HPKE_KEM_ID_P521,
|
|
#ifndef OPENSSL_NO_ECX
|
|
OSSL_HPKE_KEM_ID_X25519,
|
|
OSSL_HPKE_KEM_ID_X448
|
|
#endif
|
|
};
|
|
static uint16_t hpke_kdf_list[] = {
|
|
OSSL_HPKE_KDF_ID_HKDF_SHA256,
|
|
OSSL_HPKE_KDF_ID_HKDF_SHA384,
|
|
OSSL_HPKE_KDF_ID_HKDF_SHA512
|
|
};
|
|
static uint16_t hpke_aead_list[] = {
|
|
OSSL_HPKE_AEAD_ID_AES_GCM_128,
|
|
OSSL_HPKE_AEAD_ID_AES_GCM_256,
|
|
#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
|
|
OSSL_HPKE_AEAD_ID_CHACHA_POLY1305
|
|
#endif
|
|
};
|
|
|
|
/*
|
|
* Strings that can be used with names or IANA codepoints.
|
|
* Note that the initial entries from these lists should
|
|
* match the lists above, i.e. kem_str_list[0] and
|
|
* hpke_kem_list[0] should refer to the same KEM. We use
|
|
* that for verbose output via TEST_note() below.
|
|
* Subsequent entries are only used for tests of
|
|
* OSSL_HPKE_str2suite()
|
|
*/
|
|
static const char *mode_str_list[] = {
|
|
"base", "psk", "auth", "pskauth"
|
|
};
|
|
static const char *kem_str_list[] = {
|
|
#ifndef OPENSSL_NO_ECX
|
|
"P-256", "P-384", "P-521", "x25519", "x448",
|
|
"0x10", "0x11", "0x12", "0x20", "0x21",
|
|
"16", "17", "18", "32", "33"
|
|
#else
|
|
"P-256", "P-384", "P-521",
|
|
"0x10", "0x11", "0x12",
|
|
"16", "17", "18"
|
|
#endif
|
|
};
|
|
static const char *kdf_str_list[] = {
|
|
"hkdf-sha256", "hkdf-sha384", "hkdf-sha512",
|
|
"0x1", "0x01", "0x2", "0x02", "0x3", "0x03",
|
|
"1", "2", "3"
|
|
};
|
|
static const char *aead_str_list[] = {
|
|
"aes-128-gcm", "aes-256-gcm", "chacha20-poly1305", "exporter",
|
|
"0x1", "0x01", "0x2", "0x02", "0x3", "0x03",
|
|
"1", "2", "3",
|
|
"0xff", "255"
|
|
};
|
|
/* table of bogus strings that better not work */
|
|
static const char *bogus_suite_strs[] = {
|
|
"3,33,3",
|
|
"bogus,bogus,bogus",
|
|
"bogus,33,3,1,bogus",
|
|
"bogus,33,3,1",
|
|
"bogus,bogus",
|
|
"bogus",
|
|
/* one bad token */
|
|
"0x10,0x01,bogus",
|
|
"0x10,bogus,0x01",
|
|
"bogus,0x02,0x01",
|
|
/* in reverse order */
|
|
"aes-256-gcm,hkdf-sha512,x25519",
|
|
/* surplus separators */
|
|
",,0x10,0x01,0x02",
|
|
"0x10,,0x01,0x02",
|
|
"0x10,0x01,,0x02",
|
|
/* embedded NUL chars */
|
|
"0x10,\00x01,,0x02",
|
|
"0x10,\0""0x01,0x02",
|
|
"0x10\0,0x01,0x02",
|
|
"0x10,0x01\0,0x02",
|
|
"0x10,0x01,\0""0x02",
|
|
/* embedded whitespace */
|
|
" aes-256-gcm,hkdf-sha512,x25519",
|
|
"aes-256-gcm, hkdf-sha512,x25519",
|
|
"aes-256-gcm ,hkdf-sha512,x25519",
|
|
"aes-256-gcm,hkdf-sha512, x25519",
|
|
"aes-256-gcm,hkdf-sha512 ,x25519",
|
|
"aes-256-gcm,hkdf-sha512,x25519 ",
|
|
/* good value followed by extra stuff */
|
|
"0x10,0x01,0x02,",
|
|
"0x10,0x01,0x02,,,",
|
|
"0x10,0x01,0x01,0x02",
|
|
"0x10,0x01,0x01,blah",
|
|
"0x10,0x01,0x01 0x02",
|
|
/* too few but good tokens */
|
|
"0x10,0x01",
|
|
"0x10",
|
|
/* empty things */
|
|
NULL,
|
|
"",
|
|
",",
|
|
",,"
|
|
};
|
|
|
|
/**
|
|
* @brief round-trips, generating keys, encrypt and decrypt
|
|
*
|
|
* This iterates over all mode and ciphersuite options trying
|
|
* a key gen, encrypt and decrypt for each. The aad, info, and
|
|
* seq inputs are randomly set or omitted each time. EVP and
|
|
* non-EVP key generation are randomly selected.
|
|
*
|
|
* @return 1 for success, other otherwise
|
|
*/
|
|
static int test_hpke_modes_suites(void)
|
|
{
|
|
int overallresult = 1;
|
|
size_t mind = 0; /* index into hpke_mode_list */
|
|
size_t kemind = 0; /* index into hpke_kem_list */
|
|
size_t kdfind = 0; /* index into hpke_kdf_list */
|
|
size_t aeadind = 0; /* index into hpke_aead_list */
|
|
|
|
/* iterate over the different modes */
|
|
for (mind = 0; mind < OSSL_NELEM(hpke_mode_list); mind++) {
|
|
int hpke_mode = hpke_mode_list[mind];
|
|
size_t aadlen = OSSL_HPKE_TSTSIZE;
|
|
unsigned char aad[OSSL_HPKE_TSTSIZE];
|
|
unsigned char *aadp = NULL;
|
|
size_t infolen = 32;
|
|
unsigned char info[32];
|
|
unsigned char *infop = NULL;
|
|
unsigned char lpsk[32];
|
|
unsigned char *pskp = NULL;
|
|
char lpskid[32];
|
|
size_t psklen = 32;
|
|
char *pskidp = NULL;
|
|
EVP_PKEY *privp = NULL;
|
|
OSSL_HPKE_SUITE hpke_suite = OSSL_HPKE_SUITE_DEFAULT;
|
|
size_t plainlen = OSSL_HPKE_TSTSIZE;
|
|
unsigned char plain[OSSL_HPKE_TSTSIZE];
|
|
OSSL_HPKE_CTX *rctx = NULL;
|
|
OSSL_HPKE_CTX *ctx = NULL;
|
|
|
|
memset(plain, 0x00, OSSL_HPKE_TSTSIZE);
|
|
strcpy((char *)plain, "a message not in a bottle");
|
|
plainlen = strlen((char *)plain);
|
|
/*
|
|
* Randomly try with/without info, aad, seq. Given mode and suite
|
|
* combos, and this being run even a few times, we'll exercise many
|
|
* code paths fairly quickly. We don't really care what the values
|
|
* are but it'll be easier to debug if they're known, so we set 'em.
|
|
*/
|
|
if (COIN_IS_HEADS) {
|
|
aadp = aad;
|
|
memset(aad, 'a', aadlen);
|
|
} else {
|
|
aadlen = 0;
|
|
}
|
|
if (COIN_IS_HEADS) {
|
|
infop = info;
|
|
memset(info, 'i', infolen);
|
|
} else {
|
|
infolen = 0;
|
|
}
|
|
if (hpke_mode == OSSL_HPKE_MODE_PSK
|
|
|| hpke_mode == OSSL_HPKE_MODE_PSKAUTH) {
|
|
pskp = lpsk;
|
|
memset(lpsk, 'P', psklen);
|
|
pskidp = lpskid;
|
|
memset(lpskid, 'I', psklen - 1);
|
|
lpskid[psklen - 1] = '\0';
|
|
} else {
|
|
psklen = 0;
|
|
}
|
|
for (kemind = 0; /* iterate over the kems, kdfs and aeads */
|
|
overallresult == 1 && kemind < OSSL_NELEM(hpke_kem_list);
|
|
kemind++) {
|
|
uint16_t kem_id = hpke_kem_list[kemind];
|
|
size_t authpublen = OSSL_HPKE_TSTSIZE;
|
|
unsigned char authpub[OSSL_HPKE_TSTSIZE];
|
|
unsigned char *authpubp = NULL;
|
|
EVP_PKEY *authpriv = NULL;
|
|
|
|
hpke_suite.kem_id = kem_id;
|
|
if (hpke_mode == OSSL_HPKE_MODE_AUTH
|
|
|| hpke_mode == OSSL_HPKE_MODE_PSKAUTH) {
|
|
if (TEST_true(OSSL_HPKE_keygen(hpke_suite, authpub, &authpublen,
|
|
&authpriv, NULL, 0,
|
|
testctx, NULL)) != 1) {
|
|
overallresult = 0;
|
|
}
|
|
authpubp = authpub;
|
|
} else {
|
|
authpublen = 0;
|
|
}
|
|
for (kdfind = 0;
|
|
overallresult == 1 && kdfind < OSSL_NELEM(hpke_kdf_list);
|
|
kdfind++) {
|
|
uint16_t kdf_id = hpke_kdf_list[kdfind];
|
|
|
|
hpke_suite.kdf_id = kdf_id;
|
|
for (aeadind = 0;
|
|
overallresult == 1
|
|
&& aeadind < OSSL_NELEM(hpke_aead_list);
|
|
aeadind++) {
|
|
uint16_t aead_id = hpke_aead_list[aeadind];
|
|
size_t publen = OSSL_HPKE_TSTSIZE;
|
|
unsigned char pub[OSSL_HPKE_TSTSIZE];
|
|
size_t senderpublen = OSSL_HPKE_TSTSIZE;
|
|
unsigned char senderpub[OSSL_HPKE_TSTSIZE];
|
|
size_t cipherlen = OSSL_HPKE_TSTSIZE;
|
|
unsigned char cipher[OSSL_HPKE_TSTSIZE];
|
|
size_t clearlen = OSSL_HPKE_TSTSIZE;
|
|
unsigned char clear[OSSL_HPKE_TSTSIZE];
|
|
|
|
hpke_suite.aead_id = aead_id;
|
|
if (!TEST_true(OSSL_HPKE_keygen(hpke_suite,
|
|
pub, &publen, &privp,
|
|
NULL, 0, testctx, NULL)))
|
|
overallresult = 0;
|
|
if (!TEST_ptr(ctx = OSSL_HPKE_CTX_new(hpke_mode, hpke_suite,
|
|
OSSL_HPKE_ROLE_SENDER,
|
|
testctx, NULL)))
|
|
overallresult = 0;
|
|
if (hpke_mode == OSSL_HPKE_MODE_PSK
|
|
|| hpke_mode == OSSL_HPKE_MODE_PSKAUTH) {
|
|
if (!TEST_true(OSSL_HPKE_CTX_set1_psk(ctx, pskidp,
|
|
pskp, psklen)))
|
|
overallresult = 0;
|
|
}
|
|
if (hpke_mode == OSSL_HPKE_MODE_AUTH
|
|
|| hpke_mode == OSSL_HPKE_MODE_PSKAUTH) {
|
|
if (!TEST_true(OSSL_HPKE_CTX_set1_authpriv(ctx,
|
|
authpriv)))
|
|
overallresult = 0;
|
|
}
|
|
if (!TEST_true(OSSL_HPKE_encap(ctx, senderpub,
|
|
&senderpublen,
|
|
pub, publen,
|
|
infop, infolen)))
|
|
overallresult = 0;
|
|
/* throw in a call with a too-short cipherlen */
|
|
cipherlen = 15;
|
|
if (!TEST_false(OSSL_HPKE_seal(ctx, cipher, &cipherlen,
|
|
aadp, aadlen,
|
|
plain, plainlen)))
|
|
overallresult = 0;
|
|
/* fix back real cipherlen */
|
|
cipherlen = OSSL_HPKE_TSTSIZE;
|
|
if (!TEST_true(OSSL_HPKE_seal(ctx, cipher, &cipherlen,
|
|
aadp, aadlen,
|
|
plain, plainlen)))
|
|
overallresult = 0;
|
|
OSSL_HPKE_CTX_free(ctx);
|
|
memset(clear, 0, clearlen);
|
|
rctx = OSSL_HPKE_CTX_new(hpke_mode, hpke_suite,
|
|
OSSL_HPKE_ROLE_RECEIVER,
|
|
testctx, NULL);
|
|
if (!TEST_ptr(rctx))
|
|
overallresult = 0;
|
|
if (hpke_mode == OSSL_HPKE_MODE_PSK
|
|
|| hpke_mode == OSSL_HPKE_MODE_PSKAUTH) {
|
|
if (!TEST_true(OSSL_HPKE_CTX_set1_psk(rctx, pskidp,
|
|
pskp, psklen)))
|
|
overallresult = 0;
|
|
}
|
|
if (hpke_mode == OSSL_HPKE_MODE_AUTH
|
|
|| hpke_mode == OSSL_HPKE_MODE_PSKAUTH) {
|
|
/* check a borked p256 key */
|
|
if (hpke_suite.kem_id == OSSL_HPKE_KEM_ID_P256) {
|
|
/* set to fail decode of authpub this time */
|
|
if (!TEST_false(OSSL_HPKE_CTX_set1_authpub(rctx,
|
|
authpub,
|
|
10
|
|
)))
|
|
overallresult = 0;
|
|
}
|
|
if (!TEST_true(OSSL_HPKE_CTX_set1_authpub(rctx,
|
|
authpubp,
|
|
authpublen)))
|
|
overallresult = 0;
|
|
}
|
|
if (!TEST_true(OSSL_HPKE_decap(rctx, senderpub,
|
|
senderpublen, privp,
|
|
infop, infolen)))
|
|
overallresult = 0;
|
|
/* throw in a call with a too-short clearlen */
|
|
clearlen = 15;
|
|
if (!TEST_false(OSSL_HPKE_open(rctx, clear, &clearlen,
|
|
aadp, aadlen, cipher,
|
|
cipherlen)))
|
|
overallresult = 0;
|
|
/* fix up real clearlen again */
|
|
clearlen = OSSL_HPKE_TSTSIZE;
|
|
if (!TEST_true(OSSL_HPKE_open(rctx, clear, &clearlen,
|
|
aadp, aadlen, cipher,
|
|
cipherlen)))
|
|
overallresult = 0;
|
|
OSSL_HPKE_CTX_free(rctx);
|
|
EVP_PKEY_free(privp);
|
|
privp = NULL;
|
|
/* check output */
|
|
if (!TEST_mem_eq(clear, clearlen, plain, plainlen)) {
|
|
overallresult = 0;
|
|
}
|
|
if (verbose || overallresult != 1) {
|
|
const char *res = NULL;
|
|
|
|
res = (overallresult == 1 ? "worked" : "failed");
|
|
TEST_note("HPKE %s for mode: %s/0x%02x, "\
|
|
"kem: %s/0x%02x, kdf: %s/0x%02x, "\
|
|
"aead: %s/0x%02x", res,
|
|
mode_str_list[mind], (int) mind,
|
|
kem_str_list[kemind], kem_id,
|
|
kdf_str_list[kdfind], kdf_id,
|
|
aead_str_list[aeadind], aead_id);
|
|
}
|
|
}
|
|
}
|
|
EVP_PKEY_free(authpriv);
|
|
}
|
|
}
|
|
return overallresult;
|
|
}
|
|
|
|
/**
|
|
* @brief check roundtrip for export
|
|
* @return 1 for success, other otherwise
|
|
*/
|
|
static int test_hpke_export(void)
|
|
{
|
|
int erv = 0;
|
|
EVP_PKEY *privp = NULL;
|
|
unsigned char pub[OSSL_HPKE_TSTSIZE];
|
|
size_t publen = sizeof(pub);
|
|
int hpke_mode = OSSL_HPKE_MODE_BASE;
|
|
OSSL_HPKE_SUITE hpke_suite = OSSL_HPKE_SUITE_DEFAULT;
|
|
OSSL_HPKE_CTX *ctx = NULL;
|
|
OSSL_HPKE_CTX *rctx = NULL;
|
|
unsigned char exp[32];
|
|
unsigned char exp2[32];
|
|
unsigned char rexp[32];
|
|
unsigned char rexp2[32];
|
|
unsigned char plain[] = "quick brown fox";
|
|
size_t plainlen = sizeof(plain);
|
|
unsigned char enc[OSSL_HPKE_TSTSIZE];
|
|
size_t enclen = sizeof(enc);
|
|
unsigned char cipher[OSSL_HPKE_TSTSIZE];
|
|
size_t cipherlen = sizeof(cipher);
|
|
unsigned char clear[OSSL_HPKE_TSTSIZE];
|
|
size_t clearlen = sizeof(clear);
|
|
char *estr = "foo";
|
|
|
|
if (!TEST_true(OSSL_HPKE_keygen(hpke_suite, pub, &publen, &privp,
|
|
NULL, 0, testctx, NULL)))
|
|
goto end;
|
|
if (!TEST_ptr(ctx = OSSL_HPKE_CTX_new(hpke_mode, hpke_suite,
|
|
OSSL_HPKE_ROLE_SENDER,
|
|
testctx, NULL)))
|
|
goto end;
|
|
/* a few error cases 1st */
|
|
if (!TEST_false(OSSL_HPKE_export(NULL, exp, sizeof(exp),
|
|
(unsigned char *)estr, strlen(estr))))
|
|
goto end;
|
|
/* ctx before encap should fail too */
|
|
if (!TEST_false(OSSL_HPKE_export(ctx, exp, sizeof(exp),
|
|
(unsigned char *)estr, strlen(estr))))
|
|
goto end;
|
|
if (!TEST_true(OSSL_HPKE_encap(ctx, enc, &enclen, pub, publen, NULL, 0)))
|
|
goto end;
|
|
if (!TEST_true(OSSL_HPKE_seal(ctx, cipher, &cipherlen, NULL, 0,
|
|
plain, plainlen)))
|
|
goto end;
|
|
/* now for real */
|
|
if (!TEST_true(OSSL_HPKE_export(ctx, exp, sizeof(exp),
|
|
(unsigned char *)estr, strlen(estr))))
|
|
goto end;
|
|
/* check a 2nd call with same input gives same output */
|
|
if (!TEST_true(OSSL_HPKE_export(ctx, exp2, sizeof(exp2),
|
|
(unsigned char *)estr, strlen(estr))))
|
|
goto end;
|
|
if (!TEST_mem_eq(exp, sizeof(exp), exp2, sizeof(exp2)))
|
|
goto end;
|
|
if (!TEST_ptr(rctx = OSSL_HPKE_CTX_new(hpke_mode, hpke_suite,
|
|
OSSL_HPKE_ROLE_RECEIVER,
|
|
testctx, NULL)))
|
|
goto end;
|
|
if (!TEST_true(OSSL_HPKE_decap(rctx, enc, enclen, privp, NULL, 0)))
|
|
goto end;
|
|
if (!TEST_true(OSSL_HPKE_open(rctx, clear, &clearlen, NULL, 0,
|
|
cipher, cipherlen)))
|
|
goto end;
|
|
if (!TEST_true(OSSL_HPKE_export(rctx, rexp, sizeof(rexp),
|
|
(unsigned char *)estr, strlen(estr))))
|
|
goto end;
|
|
/* check a 2nd call with same input gives same output */
|
|
if (!TEST_true(OSSL_HPKE_export(rctx, rexp2, sizeof(rexp2),
|
|
(unsigned char *)estr, strlen(estr))))
|
|
goto end;
|
|
if (!TEST_mem_eq(rexp, sizeof(rexp), rexp2, sizeof(rexp2)))
|
|
goto end;
|
|
if (!TEST_mem_eq(exp, sizeof(exp), rexp, sizeof(rexp)))
|
|
goto end;
|
|
erv = 1;
|
|
end:
|
|
OSSL_HPKE_CTX_free(ctx);
|
|
OSSL_HPKE_CTX_free(rctx);
|
|
EVP_PKEY_free(privp);
|
|
return erv;
|
|
}
|
|
|
|
/**
|
|
* @brief Check mapping from strings to HPKE suites
|
|
* @return 1 for success, other otherwise
|
|
*/
|
|
static int test_hpke_suite_strs(void)
|
|
{
|
|
int overallresult = 1;
|
|
int kemind = 0;
|
|
int kdfind = 0;
|
|
int aeadind = 0;
|
|
int sind = 0;
|
|
char sstr[128];
|
|
OSSL_HPKE_SUITE stirred;
|
|
char giant[2048];
|
|
|
|
for (kemind = 0; kemind != OSSL_NELEM(kem_str_list); kemind++) {
|
|
for (kdfind = 0; kdfind != OSSL_NELEM(kdf_str_list); kdfind++) {
|
|
for (aeadind = 0; aeadind != OSSL_NELEM(aead_str_list); aeadind++) {
|
|
BIO_snprintf(sstr, 128, "%s,%s,%s", kem_str_list[kemind],
|
|
kdf_str_list[kdfind], aead_str_list[aeadind]);
|
|
if (TEST_true(OSSL_HPKE_str2suite(sstr, &stirred)) != 1) {
|
|
if (verbose)
|
|
TEST_note("Unexpected str2suite fail for :%s",
|
|
bogus_suite_strs[sind]);
|
|
overallresult = 0;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
for (sind = 0; sind != OSSL_NELEM(bogus_suite_strs); sind++) {
|
|
if (TEST_false(OSSL_HPKE_str2suite(bogus_suite_strs[sind],
|
|
&stirred)) != 1) {
|
|
if (verbose)
|
|
TEST_note("OSSL_HPKE_str2suite didn't fail for bogus[%d]:%s",
|
|
sind, bogus_suite_strs[sind]);
|
|
overallresult = 0;
|
|
}
|
|
}
|
|
/* check a few errors */
|
|
if (!TEST_false(OSSL_HPKE_str2suite("", &stirred)))
|
|
overallresult = 0;
|
|
if (!TEST_false(OSSL_HPKE_str2suite(NULL, &stirred)))
|
|
overallresult = 0;
|
|
if (!TEST_false(OSSL_HPKE_str2suite("", NULL)))
|
|
overallresult = 0;
|
|
memset(giant, 'A', sizeof(giant) - 1);
|
|
giant[sizeof(giant) - 1] = '\0';
|
|
if (!TEST_false(OSSL_HPKE_str2suite(giant, &stirred)))
|
|
overallresult = 0;
|
|
|
|
return overallresult;
|
|
}
|
|
|
|
/**
|
|
* @brief try the various GREASEy APIs
|
|
* @return 1 for success, other otherwise
|
|
*/
|
|
static int test_hpke_grease(void)
|
|
{
|
|
int overallresult = 1;
|
|
OSSL_HPKE_SUITE g_suite;
|
|
unsigned char g_pub[OSSL_HPKE_TSTSIZE];
|
|
size_t g_pub_len = OSSL_HPKE_TSTSIZE;
|
|
unsigned char g_cipher[OSSL_HPKE_TSTSIZE];
|
|
size_t g_cipher_len = 266;
|
|
size_t clearlen = 128;
|
|
size_t expanded = 0;
|
|
size_t enclen = 0;
|
|
size_t ikmelen = 0;
|
|
|
|
memset(&g_suite, 0, sizeof(OSSL_HPKE_SUITE));
|
|
/* GREASEing */
|
|
/* check too short for public value */
|
|
g_pub_len = 10;
|
|
if (TEST_false(OSSL_HPKE_get_grease_value(NULL, &g_suite,
|
|
g_pub, &g_pub_len,
|
|
g_cipher, g_cipher_len,
|
|
testctx, NULL)) != 1) {
|
|
overallresult = 0;
|
|
}
|
|
/* reset to work */
|
|
g_pub_len = OSSL_HPKE_TSTSIZE;
|
|
if (TEST_true(OSSL_HPKE_get_grease_value(NULL, &g_suite,
|
|
g_pub, &g_pub_len,
|
|
g_cipher, g_cipher_len,
|
|
testctx, NULL)) != 1) {
|
|
overallresult = 0;
|
|
}
|
|
/* expansion */
|
|
expanded = OSSL_HPKE_get_ciphertext_size(g_suite, clearlen);
|
|
if (!TEST_size_t_gt(expanded, clearlen)) {
|
|
overallresult = 0;
|
|
}
|
|
enclen = OSSL_HPKE_get_public_encap_size(g_suite);
|
|
if (!TEST_size_t_ne(enclen, 0))
|
|
overallresult = 0;
|
|
/* not really GREASE but we'll check ikmelen thing */
|
|
ikmelen = OSSL_HPKE_get_recommended_ikmelen(g_suite);
|
|
if (!TEST_size_t_ne(ikmelen, 0))
|
|
overallresult = 0;
|
|
|
|
return overallresult;
|
|
}
|
|
|
|
/*
|
|
* Make a set of calls with odd parameters
|
|
*/
|
|
static int test_hpke_oddcalls(void)
|
|
{
|
|
int erv = 0;
|
|
EVP_PKEY *privp = NULL;
|
|
unsigned char pub[OSSL_HPKE_TSTSIZE];
|
|
size_t publen = sizeof(pub);
|
|
int hpke_mode = OSSL_HPKE_MODE_BASE;
|
|
int bad_mode = 0xbad;
|
|
OSSL_HPKE_SUITE hpke_suite = OSSL_HPKE_SUITE_DEFAULT;
|
|
OSSL_HPKE_SUITE bad_suite = { 0xbad, 0xbad, 0xbad };
|
|
OSSL_HPKE_CTX *ctx = NULL;
|
|
OSSL_HPKE_CTX *rctx = NULL;
|
|
unsigned char plain[] = "quick brown fox";
|
|
size_t plainlen = sizeof(plain);
|
|
unsigned char enc[OSSL_HPKE_TSTSIZE];
|
|
size_t enclen = sizeof(enc);
|
|
unsigned char cipher[OSSL_HPKE_TSTSIZE];
|
|
size_t cipherlen = sizeof(cipher);
|
|
unsigned char clear[OSSL_HPKE_TSTSIZE];
|
|
size_t clearlen = sizeof(clear);
|
|
unsigned char fake_ikm[OSSL_HPKE_TSTSIZE];
|
|
char *badpropq = "yeah, this won't work";
|
|
uint64_t lseq = 0;
|
|
char giant_pskid[OSSL_HPKE_MAX_PARMLEN + 10];
|
|
unsigned char info[OSSL_HPKE_TSTSIZE];
|
|
|
|
/* many of the calls below are designed to get better test coverage */
|
|
|
|
/* NULL ctx calls */
|
|
OSSL_HPKE_CTX_free(NULL);
|
|
if (!TEST_false(OSSL_HPKE_CTX_set_seq(NULL, 1)))
|
|
goto end;
|
|
if (!TEST_false(OSSL_HPKE_CTX_get_seq(NULL, &lseq)))
|
|
goto end;
|
|
if (!TEST_false(OSSL_HPKE_CTX_set1_authpub(NULL, pub, publen)))
|
|
goto end;
|
|
if (!TEST_false(OSSL_HPKE_CTX_set1_authpriv(NULL, privp)))
|
|
goto end;
|
|
if (!TEST_false(OSSL_HPKE_CTX_set1_ikme(NULL, NULL, 0)))
|
|
goto end;
|
|
if (!TEST_false(OSSL_HPKE_CTX_set1_psk(NULL, NULL, NULL, 0)))
|
|
goto end;
|
|
|
|
/* bad suite calls */
|
|
hpke_suite.aead_id = 0xbad;
|
|
if (!TEST_false(OSSL_HPKE_suite_check(hpke_suite)))
|
|
goto end;
|
|
hpke_suite.aead_id = OSSL_HPKE_AEAD_ID_AES_GCM_128;
|
|
if (!TEST_false(OSSL_HPKE_suite_check(bad_suite)))
|
|
goto end;
|
|
if (!TEST_false(OSSL_HPKE_get_recommended_ikmelen(bad_suite)))
|
|
goto end;
|
|
if (!TEST_false(OSSL_HPKE_get_public_encap_size(bad_suite)))
|
|
goto end;
|
|
if (!TEST_false(OSSL_HPKE_get_ciphertext_size(bad_suite, 0)))
|
|
goto end;
|
|
if (!TEST_false(OSSL_HPKE_keygen(bad_suite, pub, &publen, &privp,
|
|
NULL, 0, testctx, badpropq)))
|
|
goto end;
|
|
if (!TEST_false(OSSL_HPKE_keygen(bad_suite, pub, &publen, &privp,
|
|
NULL, 0, testctx, NULL)))
|
|
goto end;
|
|
|
|
/* dodgy keygen calls */
|
|
/* no pub */
|
|
if (!TEST_false(OSSL_HPKE_keygen(hpke_suite, NULL, &publen, &privp,
|
|
NULL, 0, testctx, NULL)))
|
|
goto end;
|
|
/* ikmlen but NULL ikm */
|
|
if (!TEST_false(OSSL_HPKE_keygen(hpke_suite, pub, &publen, &privp,
|
|
NULL, 80, testctx, NULL)))
|
|
goto end;
|
|
/* zero ikmlen but ikm */
|
|
if (!TEST_false(OSSL_HPKE_keygen(hpke_suite, pub, &publen, &privp,
|
|
fake_ikm, 0, testctx, NULL)))
|
|
goto end;
|
|
/* GIANT ikmlen */
|
|
if (!TEST_false(OSSL_HPKE_keygen(hpke_suite, pub, &publen, &privp,
|
|
fake_ikm, -1, testctx, NULL)))
|
|
goto end;
|
|
/* short publen */
|
|
publen = 10;
|
|
if (!TEST_false(OSSL_HPKE_keygen(hpke_suite, pub, &publen, &privp,
|
|
NULL, 0, testctx, NULL)))
|
|
goto end;
|
|
publen = sizeof(pub);
|
|
|
|
/* encap/decap with NULLs */
|
|
if (!TEST_false(OSSL_HPKE_encap(NULL, NULL, NULL, NULL, 0, NULL, 0)))
|
|
goto end;
|
|
if (!TEST_false(OSSL_HPKE_decap(NULL, NULL, 0, NULL, NULL, 0)))
|
|
goto end;
|
|
|
|
/*
|
|
* run through a sender/recipient set of calls but with
|
|
* failing calls interspersed whenever possible
|
|
*/
|
|
/* good keygen */
|
|
if (!TEST_true(OSSL_HPKE_keygen(hpke_suite, pub, &publen, &privp,
|
|
NULL, 0, testctx, NULL)))
|
|
goto end;
|
|
|
|
/* a psk context with no psk => encap fail */
|
|
if (!TEST_ptr(ctx = OSSL_HPKE_CTX_new(OSSL_HPKE_MODE_PSK, hpke_suite,
|
|
OSSL_HPKE_ROLE_SENDER,
|
|
testctx, NULL)))
|
|
goto end;
|
|
/* set bad length psk */
|
|
if (!TEST_false(OSSL_HPKE_CTX_set1_psk(ctx, "foo",
|
|
(unsigned char *)"bar", -1)))
|
|
goto end;
|
|
/* set bad length pskid */
|
|
memset(giant_pskid, 'A', sizeof(giant_pskid) - 1);
|
|
giant_pskid[sizeof(giant_pskid) - 1] = '\0';
|
|
if (!TEST_false(OSSL_HPKE_CTX_set1_psk(ctx, giant_pskid,
|
|
(unsigned char *)"bar", 3)))
|
|
goto end;
|
|
/* still no psk really set so encap fails */
|
|
if (!TEST_false(OSSL_HPKE_encap(ctx, enc, &enclen, pub, publen, NULL, 0)))
|
|
goto end;
|
|
OSSL_HPKE_CTX_free(ctx);
|
|
|
|
/* bad suite */
|
|
if (!TEST_ptr_null(ctx = OSSL_HPKE_CTX_new(hpke_mode, bad_suite,
|
|
OSSL_HPKE_ROLE_SENDER,
|
|
testctx, NULL)))
|
|
goto end;
|
|
/* bad mode */
|
|
if (!TEST_ptr_null(ctx = OSSL_HPKE_CTX_new(bad_mode, hpke_suite,
|
|
OSSL_HPKE_ROLE_SENDER,
|
|
testctx, NULL)))
|
|
goto end;
|
|
/* make good ctx */
|
|
if (!TEST_ptr(ctx = OSSL_HPKE_CTX_new(hpke_mode, hpke_suite,
|
|
OSSL_HPKE_ROLE_SENDER,
|
|
testctx, NULL)))
|
|
goto end;
|
|
/* too long ikm */
|
|
if (!TEST_false(OSSL_HPKE_CTX_set1_ikme(ctx, fake_ikm, -1)))
|
|
goto end;
|
|
/* zero length ikm */
|
|
if (!TEST_false(OSSL_HPKE_CTX_set1_ikme(ctx, fake_ikm, 0)))
|
|
goto end;
|
|
/* NULL authpub */
|
|
if (!TEST_false(OSSL_HPKE_CTX_set1_authpub(ctx, NULL, 0)))
|
|
goto end;
|
|
/* NULL auth priv */
|
|
if (!TEST_false(OSSL_HPKE_CTX_set1_authpriv(ctx, NULL)))
|
|
goto end;
|
|
/* priv good, but mode is bad */
|
|
if (!TEST_false(OSSL_HPKE_CTX_set1_authpriv(ctx, privp)))
|
|
goto end;
|
|
/* bad mode for psk */
|
|
if (!TEST_false(OSSL_HPKE_CTX_set1_psk(ctx, "foo",
|
|
(unsigned char *)"bar", 3)))
|
|
goto end;
|
|
/* seal before encap */
|
|
if (!TEST_false(OSSL_HPKE_seal(ctx, cipher, &cipherlen, NULL, 0,
|
|
plain, plainlen)))
|
|
goto end;
|
|
/* encap with dodgy public */
|
|
if (!TEST_false(OSSL_HPKE_encap(ctx, enc, &enclen, pub, 1, NULL, 0)))
|
|
goto end;
|
|
/* encap with too big info */
|
|
if (!TEST_false(OSSL_HPKE_encap(ctx, enc, &enclen, pub, 1, info, -1)))
|
|
goto end;
|
|
/* good encap */
|
|
if (!TEST_true(OSSL_HPKE_encap(ctx, enc, &enclen, pub, publen, NULL, 0)))
|
|
goto end;
|
|
/* second encap fail */
|
|
if (!TEST_false(OSSL_HPKE_encap(ctx, enc, &enclen, pub, publen, NULL, 0)))
|
|
goto end;
|
|
plainlen = 0;
|
|
/* should fail for no plaintext */
|
|
if (!TEST_false(OSSL_HPKE_seal(ctx, cipher, &cipherlen, NULL, 0,
|
|
plain, plainlen)))
|
|
goto end;
|
|
plainlen = sizeof(plain);
|
|
/* working seal */
|
|
if (!TEST_true(OSSL_HPKE_seal(ctx, cipher, &cipherlen, NULL, 0,
|
|
plain, plainlen)))
|
|
goto end;
|
|
|
|
/* receiver side */
|
|
/* decap fail with psk mode but no psk set */
|
|
if (!TEST_ptr(rctx = OSSL_HPKE_CTX_new(OSSL_HPKE_MODE_PSK, hpke_suite,
|
|
OSSL_HPKE_ROLE_RECEIVER,
|
|
testctx, NULL)))
|
|
goto end;
|
|
if (!TEST_false(OSSL_HPKE_decap(rctx, enc, enclen, privp, NULL, 0)))
|
|
goto end;
|
|
/* done with PSK mode */
|
|
OSSL_HPKE_CTX_free(rctx);
|
|
|
|
/* back good calls for base mode */
|
|
if (!TEST_ptr(rctx = OSSL_HPKE_CTX_new(hpke_mode, hpke_suite,
|
|
OSSL_HPKE_ROLE_RECEIVER,
|
|
testctx, NULL)))
|
|
goto end;
|
|
/* open before decap */
|
|
if (!TEST_false(OSSL_HPKE_open(rctx, clear, &clearlen, NULL, 0,
|
|
cipher, cipherlen)))
|
|
goto end;
|
|
/* decap with info too long */
|
|
if (!TEST_false(OSSL_HPKE_decap(rctx, enc, enclen, privp, info, -1)))
|
|
goto end;
|
|
/* good decap */
|
|
if (!TEST_true(OSSL_HPKE_decap(rctx, enc, enclen, privp, NULL, 0)))
|
|
goto end;
|
|
/* second decap fail */
|
|
if (!TEST_false(OSSL_HPKE_decap(rctx, enc, enclen, privp, NULL, 0)))
|
|
goto end;
|
|
/* no space for recovered clear */
|
|
clearlen = 0;
|
|
if (!TEST_false(OSSL_HPKE_open(rctx, clear, &clearlen, NULL, 0,
|
|
cipher, cipherlen)))
|
|
goto end;
|
|
clearlen = OSSL_HPKE_TSTSIZE;
|
|
/* seq wrap around test */
|
|
if (!TEST_true(OSSL_HPKE_CTX_set_seq(rctx, -1)))
|
|
goto end;
|
|
if (!TEST_false(OSSL_HPKE_open(rctx, clear, &clearlen, NULL, 0,
|
|
cipher, cipherlen)))
|
|
goto end;
|
|
if (!TEST_true(OSSL_HPKE_CTX_set_seq(rctx, 0)))
|
|
goto end;
|
|
if (!TEST_true(OSSL_HPKE_open(rctx, clear, &clearlen, NULL, 0,
|
|
cipher, cipherlen)))
|
|
goto end;
|
|
if (!TEST_mem_eq(plain, plainlen, clear, clearlen))
|
|
goto end;
|
|
erv = 1;
|
|
end:
|
|
OSSL_HPKE_CTX_free(ctx);
|
|
OSSL_HPKE_CTX_free(rctx);
|
|
EVP_PKEY_free(privp);
|
|
return erv;
|
|
}
|
|
|
|
#ifndef OPENSSL_NO_ECX
|
|
/* from RFC 9180 Appendix A.1.1 */
|
|
static const unsigned char ikm25519[] = {
|
|
0x72, 0x68, 0x60, 0x0d, 0x40, 0x3f, 0xce, 0x43,
|
|
0x15, 0x61, 0xae, 0xf5, 0x83, 0xee, 0x16, 0x13,
|
|
0x52, 0x7c, 0xff, 0x65, 0x5c, 0x13, 0x43, 0xf2,
|
|
0x98, 0x12, 0xe6, 0x67, 0x06, 0xdf, 0x32, 0x34
|
|
};
|
|
static const unsigned char pub25519[] = {
|
|
0x37, 0xfd, 0xa3, 0x56, 0x7b, 0xdb, 0xd6, 0x28,
|
|
0xe8, 0x86, 0x68, 0xc3, 0xc8, 0xd7, 0xe9, 0x7d,
|
|
0x1d, 0x12, 0x53, 0xb6, 0xd4, 0xea, 0x6d, 0x44,
|
|
0xc1, 0x50, 0xf7, 0x41, 0xf1, 0xbf, 0x44, 0x31
|
|
};
|
|
#endif
|
|
|
|
/* from RFC9180 Appendix A.3.1 */
|
|
static const unsigned char ikmp256[] = {
|
|
0x42, 0x70, 0xe5, 0x4f, 0xfd, 0x08, 0xd7, 0x9d,
|
|
0x59, 0x28, 0x02, 0x0a, 0xf4, 0x68, 0x6d, 0x8f,
|
|
0x6b, 0x7d, 0x35, 0xdb, 0xe4, 0x70, 0x26, 0x5f,
|
|
0x1f, 0x5a, 0xa2, 0x28, 0x16, 0xce, 0x86, 0x0e
|
|
};
|
|
static const unsigned char pubp256[] = {
|
|
0x04, 0xa9, 0x27, 0x19, 0xc6, 0x19, 0x5d, 0x50,
|
|
0x85, 0x10, 0x4f, 0x46, 0x9a, 0x8b, 0x98, 0x14,
|
|
0xd5, 0x83, 0x8f, 0xf7, 0x2b, 0x60, 0x50, 0x1e,
|
|
0x2c, 0x44, 0x66, 0xe5, 0xe6, 0x7b, 0x32, 0x5a,
|
|
0xc9, 0x85, 0x36, 0xd7, 0xb6, 0x1a, 0x1a, 0xf4,
|
|
0xb7, 0x8e, 0x5b, 0x7f, 0x95, 0x1c, 0x09, 0x00,
|
|
0xbe, 0x86, 0x3c, 0x40, 0x3c, 0xe6, 0x5c, 0x9b,
|
|
0xfc, 0xb9, 0x38, 0x26, 0x57, 0x22, 0x2d, 0x18,
|
|
0xc4
|
|
};
|
|
|
|
/*
|
|
* A test vector that exercises the counter iteration
|
|
* for p256. This was contributed by Ilari L. on the
|
|
* CFRG list, see the mail archive:
|
|
* https://mailarchive.ietf.org/arch/msg/cfrg/4zwl_y5YN6OU9oeWZOMHNOlOa2w/
|
|
*/
|
|
static const unsigned char ikmiter[] = {
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
0x00, 0x00, 0x00, 0x03, 0x01, 0x38, 0xb5, 0xec
|
|
};
|
|
static const unsigned char pubiter[] = {
|
|
0x04, 0x7d, 0x0c, 0x87, 0xff, 0xd5, 0xd1, 0x45,
|
|
0x54, 0xa7, 0x51, 0xdf, 0xa3, 0x99, 0x26, 0xa9,
|
|
0xe3, 0x0e, 0x7c, 0x3c, 0x65, 0x62, 0x4f, 0x4b,
|
|
0x5f, 0xb3, 0xad, 0x7a, 0xa4, 0xda, 0xc2, 0x4a,
|
|
0xd8, 0xf5, 0xbe, 0xd0, 0xe8, 0x6e, 0xb8, 0x84,
|
|
0x1c, 0xe4, 0x89, 0x2e, 0x0f, 0xc3, 0x87, 0xbb,
|
|
0xdb, 0xfe, 0x16, 0x0d, 0x58, 0x9c, 0x89, 0x2d,
|
|
0xd4, 0xb1, 0x46, 0x4a, 0xc3, 0x51, 0xc5, 0x6f,
|
|
0xb6
|
|
};
|
|
|
|
/* from RFC9180 Appendix A.6.1 */
|
|
static const unsigned char ikmp521[] = {
|
|
0x7f, 0x06, 0xab, 0x82, 0x15, 0x10, 0x5f, 0xc4,
|
|
0x6a, 0xce, 0xeb, 0x2e, 0x3d, 0xc5, 0x02, 0x8b,
|
|
0x44, 0x36, 0x4f, 0x96, 0x04, 0x26, 0xeb, 0x0d,
|
|
0x8e, 0x40, 0x26, 0xc2, 0xf8, 0xb5, 0xd7, 0xe7,
|
|
0xa9, 0x86, 0x68, 0x8f, 0x15, 0x91, 0xab, 0xf5,
|
|
0xab, 0x75, 0x3c, 0x35, 0x7a, 0x5d, 0x6f, 0x04,
|
|
0x40, 0x41, 0x4b, 0x4e, 0xd4, 0xed, 0xe7, 0x13,
|
|
0x17, 0x77, 0x2a, 0xc9, 0x8d, 0x92, 0x39, 0xf7,
|
|
0x09, 0x04
|
|
};
|
|
static const unsigned char pubp521[] = {
|
|
0x04, 0x01, 0x38, 0xb3, 0x85, 0xca, 0x16, 0xbb,
|
|
0x0d, 0x5f, 0xa0, 0xc0, 0x66, 0x5f, 0xbb, 0xd7,
|
|
0xe6, 0x9e, 0x3e, 0xe2, 0x9f, 0x63, 0x99, 0x1d,
|
|
0x3e, 0x9b, 0x5f, 0xa7, 0x40, 0xaa, 0xb8, 0x90,
|
|
0x0a, 0xae, 0xed, 0x46, 0xed, 0x73, 0xa4, 0x90,
|
|
0x55, 0x75, 0x84, 0x25, 0xa0, 0xce, 0x36, 0x50,
|
|
0x7c, 0x54, 0xb2, 0x9c, 0xc5, 0xb8, 0x5a, 0x5c,
|
|
0xee, 0x6b, 0xae, 0x0c, 0xf1, 0xc2, 0x1f, 0x27,
|
|
0x31, 0xec, 0xe2, 0x01, 0x3d, 0xc3, 0xfb, 0x7c,
|
|
0x8d, 0x21, 0x65, 0x4b, 0xb1, 0x61, 0xb4, 0x63,
|
|
0x96, 0x2c, 0xa1, 0x9e, 0x8c, 0x65, 0x4f, 0xf2,
|
|
0x4c, 0x94, 0xdd, 0x28, 0x98, 0xde, 0x12, 0x05,
|
|
0x1f, 0x1e, 0xd0, 0x69, 0x22, 0x37, 0xfb, 0x02,
|
|
0xb2, 0xf8, 0xd1, 0xdc, 0x1c, 0x73, 0xe9, 0xb3,
|
|
0x66, 0xb5, 0x29, 0xeb, 0x43, 0x6e, 0x98, 0xa9,
|
|
0x96, 0xee, 0x52, 0x2a, 0xef, 0x86, 0x3d, 0xd5,
|
|
0x73, 0x9d, 0x2f, 0x29, 0xb0
|
|
};
|
|
|
|
static int test_hpke_random_suites(void)
|
|
{
|
|
OSSL_HPKE_SUITE def_suite = OSSL_HPKE_SUITE_DEFAULT;
|
|
OSSL_HPKE_SUITE suite = OSSL_HPKE_SUITE_DEFAULT;
|
|
OSSL_HPKE_SUITE suite2 = { 0xff01, 0xff02, 0xff03 };
|
|
unsigned char enc[200];
|
|
size_t enclen = sizeof(enc);
|
|
unsigned char ct[500];
|
|
size_t ctlen = sizeof(ct);
|
|
|
|
/* test with NULL/0 inputs */
|
|
if (!TEST_false(OSSL_HPKE_get_grease_value(NULL, NULL,
|
|
NULL, NULL, NULL, 0,
|
|
testctx, NULL)))
|
|
return 0;
|
|
enclen = 10;
|
|
if (!TEST_false(OSSL_HPKE_get_grease_value(&def_suite, &suite2,
|
|
enc, &enclen, ct, ctlen,
|
|
testctx, NULL)))
|
|
return 0;
|
|
|
|
enclen = sizeof(enc); /* reset, 'cause get_grease() will have set */
|
|
/* test with a should-be-good suite */
|
|
if (!TEST_true(OSSL_HPKE_get_grease_value(&def_suite, &suite2,
|
|
enc, &enclen, ct, ctlen,
|
|
testctx, NULL)))
|
|
return 0;
|
|
/* no suggested suite */
|
|
enclen = sizeof(enc); /* reset, 'cause get_grease() will have set */
|
|
if (!TEST_true(OSSL_HPKE_get_grease_value(NULL, &suite2,
|
|
enc, &enclen,
|
|
ct, ctlen,
|
|
testctx, NULL)))
|
|
return 0;
|
|
/* suggested suite with P-521, just to be sure we hit long values */
|
|
enclen = sizeof(enc); /* reset, 'cause get_grease() will have set */
|
|
suite.kem_id = OSSL_HPKE_KEM_ID_P521;
|
|
if (!TEST_true(OSSL_HPKE_get_grease_value(&suite, &suite2,
|
|
enc, &enclen, ct, ctlen,
|
|
testctx, NULL)))
|
|
return 0;
|
|
enclen = sizeof(enc);
|
|
ctlen = 2; /* too-short cttext (can't fit an aead tag) */
|
|
if (!TEST_false(OSSL_HPKE_get_grease_value(NULL, &suite2,
|
|
enc, &enclen, ct, ctlen,
|
|
testctx, NULL)))
|
|
return 0;
|
|
|
|
ctlen = sizeof(ct);
|
|
enclen = sizeof(enc);
|
|
|
|
suite.kem_id = OSSL_HPKE_KEM_ID_X25519; /* back to default */
|
|
suite.aead_id = 0x1234; /* bad aead */
|
|
if (!TEST_false(OSSL_HPKE_get_grease_value(&suite, &suite2,
|
|
enc, &enclen, ct, ctlen,
|
|
testctx, NULL)))
|
|
return 0;
|
|
enclen = sizeof(enc);
|
|
suite.aead_id = def_suite.aead_id; /* good aead */
|
|
suite.kdf_id = 0x3451; /* bad kdf */
|
|
if (!TEST_false(OSSL_HPKE_get_grease_value(&suite, &suite2,
|
|
enc, &enclen, ct, ctlen,
|
|
testctx, NULL)))
|
|
return 0;
|
|
enclen = sizeof(enc);
|
|
suite.kdf_id = def_suite.kdf_id; /* good kdf */
|
|
suite.kem_id = 0x4517; /* bad kem */
|
|
if (!TEST_false(OSSL_HPKE_get_grease_value(&suite, &suite2,
|
|
enc, &enclen, ct, ctlen,
|
|
testctx, NULL)))
|
|
return 0;
|
|
return 1;
|
|
}
|
|
|
|
/*
|
|
* @brief generate a key pair from initial key material (ikm) and check public
|
|
* @param kem_id the KEM to use (RFC9180 code point)
|
|
* @ikm is the initial key material buffer
|
|
* @ikmlen is the length of ikm
|
|
* @pub is the public key buffer
|
|
* @publen is the length of the public key
|
|
* @return 1 for good, other otherwise
|
|
*
|
|
* This calls OSSL_HPKE_keygen specifying only the IKM, then
|
|
* compares the key pair values with the already-known values
|
|
* that were input.
|
|
*/
|
|
static int test_hpke_one_ikm_gen(uint16_t kem_id,
|
|
const unsigned char *ikm, size_t ikmlen,
|
|
const unsigned char *pub, size_t publen)
|
|
{
|
|
OSSL_HPKE_SUITE hpke_suite = OSSL_HPKE_SUITE_DEFAULT;
|
|
unsigned char lpub[OSSL_HPKE_TSTSIZE];
|
|
size_t lpublen = OSSL_HPKE_TSTSIZE;
|
|
EVP_PKEY *sk = NULL;
|
|
|
|
hpke_suite.kem_id = kem_id;
|
|
if (!TEST_true(OSSL_HPKE_keygen(hpke_suite, lpub, &lpublen, &sk,
|
|
ikm, ikmlen, testctx, NULL)))
|
|
return 0;
|
|
if (!TEST_ptr(sk))
|
|
return 0;
|
|
EVP_PKEY_free(sk);
|
|
if (!TEST_mem_eq(pub, publen, lpub, lpublen))
|
|
return 0;
|
|
return 1;
|
|
}
|
|
|
|
/*
|
|
* @brief test some uses of IKM produce the expected public keys
|
|
*/
|
|
static int test_hpke_ikms(void)
|
|
{
|
|
int res = 1;
|
|
|
|
#ifndef OPENSSL_NO_ECX
|
|
res = test_hpke_one_ikm_gen(OSSL_HPKE_KEM_ID_X25519,
|
|
ikm25519, sizeof(ikm25519),
|
|
pub25519, sizeof(pub25519));
|
|
if (res != 1)
|
|
return res;
|
|
#endif
|
|
|
|
res = test_hpke_one_ikm_gen(OSSL_HPKE_KEM_ID_P521,
|
|
ikmp521, sizeof(ikmp521),
|
|
pubp521, sizeof(pubp521));
|
|
if (res != 1)
|
|
return res;
|
|
|
|
res = test_hpke_one_ikm_gen(OSSL_HPKE_KEM_ID_P256,
|
|
ikmp256, sizeof(ikmp256),
|
|
pubp256, sizeof(pubp256));
|
|
if (res != 1)
|
|
return res;
|
|
|
|
res = test_hpke_one_ikm_gen(OSSL_HPKE_KEM_ID_P256,
|
|
ikmiter, sizeof(ikmiter),
|
|
pubiter, sizeof(pubiter));
|
|
if (res != 1)
|
|
return res;
|
|
|
|
return res;
|
|
}
|
|
|
|
/*
|
|
* Test that use of a compressed format auth public key works
|
|
* We'll do a typical round-trip for auth mode but provide the
|
|
* auth public key in compressed form. That should work.
|
|
*/
|
|
static int test_hpke_compressed(void)
|
|
{
|
|
int erv = 0;
|
|
EVP_PKEY *privp = NULL;
|
|
unsigned char pub[OSSL_HPKE_TSTSIZE];
|
|
size_t publen = sizeof(pub);
|
|
EVP_PKEY *authpriv = NULL;
|
|
unsigned char authpub[OSSL_HPKE_TSTSIZE];
|
|
size_t authpublen = sizeof(authpub);
|
|
int hpke_mode = OSSL_HPKE_MODE_AUTH;
|
|
OSSL_HPKE_SUITE hpke_suite = OSSL_HPKE_SUITE_DEFAULT;
|
|
OSSL_HPKE_CTX *ctx = NULL;
|
|
OSSL_HPKE_CTX *rctx = NULL;
|
|
unsigned char plain[] = "quick brown fox";
|
|
size_t plainlen = sizeof(plain);
|
|
unsigned char enc[OSSL_HPKE_TSTSIZE];
|
|
size_t enclen = sizeof(enc);
|
|
unsigned char cipher[OSSL_HPKE_TSTSIZE];
|
|
size_t cipherlen = sizeof(cipher);
|
|
unsigned char clear[OSSL_HPKE_TSTSIZE];
|
|
size_t clearlen = sizeof(clear);
|
|
|
|
hpke_suite.kem_id = OSSL_HPKE_KEM_ID_P256;
|
|
|
|
/* generate auth key pair */
|
|
if (!TEST_true(OSSL_HPKE_keygen(hpke_suite, authpub, &authpublen, &authpriv,
|
|
NULL, 0, testctx, NULL)))
|
|
goto end;
|
|
/* now get the compressed form public key */
|
|
if (!TEST_true(EVP_PKEY_set_utf8_string_param(authpriv,
|
|
OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT,
|
|
OSSL_PKEY_EC_POINT_CONVERSION_FORMAT_COMPRESSED)))
|
|
goto end;
|
|
if (!TEST_true(EVP_PKEY_get_octet_string_param(authpriv,
|
|
OSSL_PKEY_PARAM_PUB_KEY,
|
|
authpub,
|
|
sizeof(authpub),
|
|
&authpublen)))
|
|
goto end;
|
|
|
|
/* sender side as usual */
|
|
if (!TEST_true(OSSL_HPKE_keygen(hpke_suite, pub, &publen, &privp,
|
|
NULL, 0, testctx, NULL)))
|
|
goto end;
|
|
if (!TEST_ptr(ctx = OSSL_HPKE_CTX_new(hpke_mode, hpke_suite,
|
|
OSSL_HPKE_ROLE_SENDER,
|
|
testctx, NULL)))
|
|
goto end;
|
|
if (!TEST_true(OSSL_HPKE_CTX_set1_authpriv(ctx, authpriv)))
|
|
goto end;
|
|
if (!TEST_true(OSSL_HPKE_encap(ctx, enc, &enclen, pub, publen, NULL, 0)))
|
|
goto end;
|
|
if (!TEST_true(OSSL_HPKE_seal(ctx, cipher, &cipherlen, NULL, 0,
|
|
plain, plainlen)))
|
|
goto end;
|
|
|
|
/* receiver side providing compressed form of auth public */
|
|
if (!TEST_ptr(rctx = OSSL_HPKE_CTX_new(hpke_mode, hpke_suite,
|
|
OSSL_HPKE_ROLE_RECEIVER,
|
|
testctx, NULL)))
|
|
goto end;
|
|
if (!TEST_true(OSSL_HPKE_CTX_set1_authpub(rctx, authpub, authpublen)))
|
|
goto end;
|
|
if (!TEST_true(OSSL_HPKE_decap(rctx, enc, enclen, privp, NULL, 0)))
|
|
goto end;
|
|
if (!TEST_true(OSSL_HPKE_open(rctx, clear, &clearlen, NULL, 0,
|
|
cipher, cipherlen)))
|
|
goto end;
|
|
erv = 1;
|
|
|
|
end:
|
|
EVP_PKEY_free(privp);
|
|
EVP_PKEY_free(authpriv);
|
|
OSSL_HPKE_CTX_free(ctx);
|
|
OSSL_HPKE_CTX_free(rctx);
|
|
return erv;
|
|
}
|
|
|
|
/*
|
|
* Test that nonce reuse calls are prevented as we expect
|
|
*/
|
|
static int test_hpke_noncereuse(void)
|
|
{
|
|
int erv = 0;
|
|
EVP_PKEY *privp = NULL;
|
|
unsigned char pub[OSSL_HPKE_TSTSIZE];
|
|
size_t publen = sizeof(pub);
|
|
int hpke_mode = OSSL_HPKE_MODE_BASE;
|
|
OSSL_HPKE_SUITE hpke_suite = OSSL_HPKE_SUITE_DEFAULT;
|
|
OSSL_HPKE_CTX *ctx = NULL;
|
|
OSSL_HPKE_CTX *rctx = NULL;
|
|
unsigned char plain[] = "quick brown fox";
|
|
size_t plainlen = sizeof(plain);
|
|
unsigned char enc[OSSL_HPKE_TSTSIZE];
|
|
size_t enclen = sizeof(enc);
|
|
unsigned char cipher[OSSL_HPKE_TSTSIZE];
|
|
size_t cipherlen = sizeof(cipher);
|
|
unsigned char clear[OSSL_HPKE_TSTSIZE];
|
|
size_t clearlen = sizeof(clear);
|
|
uint64_t seq = 0xbad1dea;
|
|
|
|
/* sender side is not allowed set seq once some crypto done */
|
|
if (!TEST_true(OSSL_HPKE_keygen(hpke_suite, pub, &publen, &privp,
|
|
NULL, 0, testctx, NULL)))
|
|
goto end;
|
|
if (!TEST_ptr(ctx = OSSL_HPKE_CTX_new(hpke_mode, hpke_suite,
|
|
OSSL_HPKE_ROLE_SENDER,
|
|
testctx, NULL)))
|
|
goto end;
|
|
/* set seq will fail before any crypto done */
|
|
if (!TEST_false(OSSL_HPKE_CTX_set_seq(ctx, seq)))
|
|
goto end;
|
|
if (!TEST_true(OSSL_HPKE_encap(ctx, enc, &enclen, pub, publen, NULL, 0)))
|
|
goto end;
|
|
/* set seq will also fail after some crypto done */
|
|
if (!TEST_false(OSSL_HPKE_CTX_set_seq(ctx, seq + 1)))
|
|
goto end;
|
|
if (!TEST_true(OSSL_HPKE_seal(ctx, cipher, &cipherlen, NULL, 0,
|
|
plain, plainlen)))
|
|
goto end;
|
|
|
|
/* receiver side is allowed control seq */
|
|
if (!TEST_ptr(rctx = OSSL_HPKE_CTX_new(hpke_mode, hpke_suite,
|
|
OSSL_HPKE_ROLE_RECEIVER,
|
|
testctx, NULL)))
|
|
goto end;
|
|
/* set seq will work before any crypto done */
|
|
if (!TEST_true(OSSL_HPKE_CTX_set_seq(rctx, seq)))
|
|
goto end;
|
|
if (!TEST_true(OSSL_HPKE_decap(rctx, enc, enclen, privp, NULL, 0)))
|
|
goto end;
|
|
/* set seq will work for receivers even after crypto done */
|
|
if (!TEST_true(OSSL_HPKE_CTX_set_seq(rctx, seq)))
|
|
goto end;
|
|
/* but that value isn't good so decap will fail */
|
|
if (!TEST_false(OSSL_HPKE_open(rctx, clear, &clearlen, NULL, 0,
|
|
cipher, cipherlen)))
|
|
goto end;
|
|
/* reset seq to correct value and _open() should work */
|
|
if (!TEST_true(OSSL_HPKE_CTX_set_seq(rctx, 0)))
|
|
goto end;
|
|
if (!TEST_true(OSSL_HPKE_open(rctx, clear, &clearlen, NULL, 0,
|
|
cipher, cipherlen)))
|
|
goto end;
|
|
erv = 1;
|
|
|
|
end:
|
|
EVP_PKEY_free(privp);
|
|
OSSL_HPKE_CTX_free(ctx);
|
|
OSSL_HPKE_CTX_free(rctx);
|
|
return erv;
|
|
}
|
|
|
|
typedef enum OPTION_choice {
|
|
OPT_ERR = -1,
|
|
OPT_EOF = 0,
|
|
OPT_VERBOSE,
|
|
OPT_TEST_ENUM
|
|
} OPTION_CHOICE;
|
|
|
|
const OPTIONS *test_get_options(void)
|
|
{
|
|
static const OPTIONS test_options[] = {
|
|
OPT_TEST_OPTIONS_DEFAULT_USAGE,
|
|
{ "v", OPT_VERBOSE, '-', "Enable verbose mode" },
|
|
{ OPT_HELP_STR, 1, '-', "Run HPKE tests\n" },
|
|
{ NULL }
|
|
};
|
|
return test_options;
|
|
}
|
|
|
|
int setup_tests(void)
|
|
{
|
|
OPTION_CHOICE o;
|
|
|
|
while ((o = opt_next()) != OPT_EOF) {
|
|
switch (o) {
|
|
case OPT_VERBOSE:
|
|
verbose = 1; /* Print progress dots */
|
|
break;
|
|
case OPT_TEST_CASES:
|
|
break;
|
|
default:
|
|
return 0;
|
|
}
|
|
}
|
|
|
|
if (!test_get_libctx(&testctx, &nullprov, NULL, &deflprov, "default"))
|
|
return 0;
|
|
#ifndef OPENSSL_NO_ECX
|
|
ADD_TEST(export_only_test);
|
|
ADD_TEST(x25519kdfsha256_hkdfsha256_aes128gcm_base_test);
|
|
ADD_TEST(x25519kdfsha256_hkdfsha256_aes128gcm_psk_test);
|
|
#endif
|
|
ADD_TEST(P256kdfsha256_hkdfsha256_aes128gcm_base_test);
|
|
ADD_TEST(test_hpke_export);
|
|
ADD_TEST(test_hpke_modes_suites);
|
|
ADD_TEST(test_hpke_suite_strs);
|
|
ADD_TEST(test_hpke_grease);
|
|
ADD_TEST(test_hpke_ikms);
|
|
ADD_TEST(test_hpke_random_suites);
|
|
ADD_TEST(test_hpke_oddcalls);
|
|
ADD_TEST(test_hpke_compressed);
|
|
ADD_TEST(test_hpke_noncereuse);
|
|
return 1;
|
|
}
|
|
|
|
void cleanup_tests(void)
|
|
{
|
|
OSSL_PROVIDER_unload(deflprov);
|
|
OSSL_PROVIDER_unload(nullprov);
|
|
OSSL_LIB_CTX_free(testctx);
|
|
}
|