2
0

hpke_test.c 75 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831183218331834183518361837183818391840184118421843184418451846184718481849185018511852185318541855185618571858185918601861186218631864186518661867186818691870187118721873187418751876187718781879188018811882188318841885188618871888188918901891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915191619171918191919201921192219231924192519261927192819291930193119321933193419351936193719381939194019411942194319441945194619471948194919501951195219531954195519561957195819591960196119621963196419651966196719681969197019711972197319741975197619771978197919801981198219831984198519861987198819891990199119921993199419951996199719981999200020012002200320042005200620072008
  1. /*
  2. * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <openssl/evp.h>
  10. #include <openssl/core_names.h>
  11. #include <openssl/rand.h>
  12. #include <openssl/hpke.h>
  13. #include "testutil.h"
  14. /* a size to use for stack buffers */
  15. #define OSSL_HPKE_TSTSIZE 512
  16. static OSSL_LIB_CTX *testctx = NULL;
  17. static OSSL_PROVIDER *nullprov = NULL;
  18. static OSSL_PROVIDER *deflprov = NULL;
  19. static char *testpropq = "provider=default";
  20. static int verbose = 0;
  21. typedef struct {
  22. int mode;
  23. OSSL_HPKE_SUITE suite;
  24. const unsigned char *ikmE;
  25. size_t ikmElen;
  26. const unsigned char *expected_pkEm;
  27. size_t expected_pkEmlen;
  28. const unsigned char *ikmR;
  29. size_t ikmRlen;
  30. const unsigned char *expected_pkRm;
  31. size_t expected_pkRmlen;
  32. const unsigned char *expected_skRm;
  33. size_t expected_skRmlen;
  34. const unsigned char *expected_secret;
  35. size_t expected_secretlen;
  36. const unsigned char *ksinfo;
  37. size_t ksinfolen;
  38. const unsigned char *ikmAuth;
  39. size_t ikmAuthlen;
  40. const unsigned char *psk;
  41. size_t psklen;
  42. const char *pskid; /* want terminating NUL here */
  43. } TEST_BASEDATA;
  44. typedef struct
  45. {
  46. int seq;
  47. const unsigned char *pt;
  48. size_t ptlen;
  49. const unsigned char *aad;
  50. size_t aadlen;
  51. const unsigned char *expected_ct;
  52. size_t expected_ctlen;
  53. } TEST_AEADDATA;
  54. typedef struct
  55. {
  56. const unsigned char *context;
  57. size_t contextlen;
  58. const unsigned char *expected_secret;
  59. size_t expected_secretlen;
  60. } TEST_EXPORTDATA;
  61. /**
  62. * @brief Test that an EVP_PKEY encoded public key matches the supplied buffer
  63. * @param pkey is the EVP_PKEY we want to check
  64. * @param pub is the expected public key buffer
  65. * @param publen is the length of the above
  66. * @return 1 for good, 0 for bad
  67. */
  68. static int cmpkey(const EVP_PKEY *pkey,
  69. const unsigned char *pub, size_t publen)
  70. {
  71. unsigned char pubbuf[256];
  72. size_t pubbuflen = 0;
  73. int erv = 0;
  74. if (!TEST_true(publen <= sizeof(pubbuf)))
  75. return 0;
  76. erv = EVP_PKEY_get_octet_string_param(pkey,
  77. OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY,
  78. pubbuf, sizeof(pubbuf), &pubbuflen);
  79. if (!TEST_true(erv))
  80. return 0;
  81. if (pub != NULL && !TEST_mem_eq(pubbuf, pubbuflen, pub, publen))
  82. return 0;
  83. return 1;
  84. }
  85. static int do_testhpke(const TEST_BASEDATA *base,
  86. const TEST_AEADDATA *aead, size_t aeadsz,
  87. const TEST_EXPORTDATA *export, size_t exportsz)
  88. {
  89. OSSL_LIB_CTX *libctx = testctx;
  90. const char *propq = testpropq;
  91. OSSL_HPKE_CTX *sealctx = NULL, *openctx = NULL;
  92. unsigned char ct[256];
  93. unsigned char enc[256];
  94. unsigned char ptout[256];
  95. size_t ptoutlen = sizeof(ptout);
  96. size_t enclen = sizeof(enc);
  97. size_t ctlen = sizeof(ct);
  98. unsigned char pub[OSSL_HPKE_TSTSIZE];
  99. size_t publen = sizeof(pub);
  100. EVP_PKEY *privE = NULL;
  101. unsigned char authpub[OSSL_HPKE_TSTSIZE];
  102. size_t authpublen = sizeof(authpub);
  103. EVP_PKEY *authpriv = NULL;
  104. unsigned char rpub[OSSL_HPKE_TSTSIZE];
  105. size_t rpublen = sizeof(pub);
  106. EVP_PKEY *privR = NULL;
  107. int ret = 0;
  108. size_t i;
  109. uint64_t lastseq = 0;
  110. if (!TEST_true(OSSL_HPKE_keygen(base->suite, pub, &publen, &privE,
  111. base->ikmE, base->ikmElen, libctx, propq)))
  112. goto end;
  113. if (!TEST_true(cmpkey(privE, base->expected_pkEm, base->expected_pkEmlen)))
  114. goto end;
  115. if (!TEST_ptr(sealctx = OSSL_HPKE_CTX_new(base->mode, base->suite,
  116. OSSL_HPKE_ROLE_SENDER,
  117. libctx, propq)))
  118. goto end;
  119. if (!TEST_true(OSSL_HPKE_CTX_set1_ikme(sealctx, base->ikmE, base->ikmElen)))
  120. goto end;
  121. if (base->mode == OSSL_HPKE_MODE_AUTH
  122. || base->mode == OSSL_HPKE_MODE_PSKAUTH) {
  123. if (!TEST_true(base->ikmAuth != NULL && base->ikmAuthlen > 0))
  124. goto end;
  125. if (!TEST_true(OSSL_HPKE_keygen(base->suite,
  126. authpub, &authpublen, &authpriv,
  127. base->ikmAuth, base->ikmAuthlen,
  128. libctx, propq)))
  129. goto end;
  130. if (!TEST_true(OSSL_HPKE_CTX_set1_authpriv(sealctx, authpriv)))
  131. goto end;
  132. }
  133. if (!TEST_true(OSSL_HPKE_keygen(base->suite, rpub, &rpublen, &privR,
  134. base->ikmR, base->ikmRlen, libctx, propq)))
  135. goto end;
  136. if (!TEST_true(cmpkey(privR, base->expected_pkRm, base->expected_pkRmlen)))
  137. goto end;
  138. if (base->mode == OSSL_HPKE_MODE_PSK
  139. || base->mode == OSSL_HPKE_MODE_PSKAUTH) {
  140. if (!TEST_true(OSSL_HPKE_CTX_set1_psk(sealctx, base->pskid,
  141. base->psk, base->psklen)))
  142. goto end;
  143. }
  144. if (!TEST_true(OSSL_HPKE_encap(sealctx, enc, &enclen,
  145. rpub, rpublen,
  146. base->ksinfo, base->ksinfolen)))
  147. goto end;
  148. if (!TEST_true(cmpkey(privE, enc, enclen)))
  149. goto end;
  150. for (i = 0; i < aeadsz; ++i) {
  151. ctlen = sizeof(ct);
  152. memset(ct, 0, ctlen);
  153. if (!TEST_true(OSSL_HPKE_seal(sealctx, ct, &ctlen,
  154. aead[i].aad, aead[i].aadlen,
  155. aead[i].pt, aead[i].ptlen)))
  156. goto end;
  157. if (!TEST_mem_eq(ct, ctlen, aead[i].expected_ct,
  158. aead[i].expected_ctlen))
  159. goto end;
  160. if (!TEST_true(OSSL_HPKE_CTX_get_seq(sealctx, &lastseq)))
  161. goto end;
  162. if (lastseq != (uint64_t)(i + 1))
  163. goto end;
  164. }
  165. if (!TEST_ptr(openctx = OSSL_HPKE_CTX_new(base->mode, base->suite,
  166. OSSL_HPKE_ROLE_RECEIVER,
  167. libctx, propq)))
  168. goto end;
  169. if (base->mode == OSSL_HPKE_MODE_PSK
  170. || base->mode == OSSL_HPKE_MODE_PSKAUTH) {
  171. if (!TEST_true(base->pskid != NULL && base->psk != NULL
  172. && base->psklen > 0))
  173. goto end;
  174. if (!TEST_true(OSSL_HPKE_CTX_set1_psk(openctx, base->pskid,
  175. base->psk, base->psklen)))
  176. goto end;
  177. }
  178. if (base->mode == OSSL_HPKE_MODE_AUTH
  179. || base->mode == OSSL_HPKE_MODE_PSKAUTH) {
  180. if (!TEST_true(OSSL_HPKE_CTX_set1_authpub(openctx,
  181. authpub, authpublen)))
  182. goto end;
  183. }
  184. if (!TEST_true(OSSL_HPKE_decap(openctx, enc, enclen, privR,
  185. base->ksinfo, base->ksinfolen)))
  186. goto end;
  187. for (i = 0; i < aeadsz; ++i) {
  188. ptoutlen = sizeof(ptout);
  189. memset(ptout, 0, ptoutlen);
  190. if (!TEST_true(OSSL_HPKE_open(openctx, ptout, &ptoutlen,
  191. aead[i].aad, aead[i].aadlen,
  192. aead[i].expected_ct,
  193. aead[i].expected_ctlen)))
  194. goto end;
  195. if (!TEST_mem_eq(aead[i].pt, aead[i].ptlen, ptout, ptoutlen))
  196. goto end;
  197. /* check the sequence is being incremented as expected */
  198. if (!TEST_true(OSSL_HPKE_CTX_get_seq(openctx, &lastseq)))
  199. goto end;
  200. if (lastseq != (uint64_t)(i + 1))
  201. goto end;
  202. }
  203. /* check exporters */
  204. for (i = 0; i < exportsz; ++i) {
  205. size_t len = export[i].expected_secretlen;
  206. unsigned char eval[OSSL_HPKE_TSTSIZE];
  207. if (len > sizeof(eval))
  208. goto end;
  209. /* export with too long label should fail */
  210. if (!TEST_false(OSSL_HPKE_export(sealctx, eval, len,
  211. export[i].context, -1)))
  212. goto end;
  213. /* good export call */
  214. if (!TEST_true(OSSL_HPKE_export(sealctx, eval, len,
  215. export[i].context,
  216. export[i].contextlen)))
  217. goto end;
  218. if (!TEST_mem_eq(eval, len, export[i].expected_secret,
  219. export[i].expected_secretlen))
  220. goto end;
  221. /* check seal fails if export only mode */
  222. if (aeadsz == 0) {
  223. if (!TEST_false(OSSL_HPKE_seal(sealctx, ct, &ctlen,
  224. NULL, 0, ptout, ptoutlen)))
  225. goto end;
  226. }
  227. }
  228. ret = 1;
  229. end:
  230. OSSL_HPKE_CTX_free(sealctx);
  231. OSSL_HPKE_CTX_free(openctx);
  232. EVP_PKEY_free(privE);
  233. EVP_PKEY_free(privR);
  234. EVP_PKEY_free(authpriv);
  235. return ret;
  236. }
  237. static const unsigned char pt[] = {
  238. 0x42, 0x65, 0x61, 0x75, 0x74, 0x79, 0x20, 0x69,
  239. 0x73, 0x20, 0x74, 0x72, 0x75, 0x74, 0x68, 0x2c,
  240. 0x20, 0x74, 0x72, 0x75, 0x74, 0x68, 0x20, 0x62,
  241. 0x65, 0x61, 0x75, 0x74, 0x79
  242. };
  243. static const unsigned char ksinfo[] = {
  244. 0x4f, 0x64, 0x65, 0x20, 0x6f, 0x6e, 0x20, 0x61,
  245. 0x20, 0x47, 0x72, 0x65, 0x63, 0x69, 0x61, 0x6e,
  246. 0x20, 0x55, 0x72, 0x6e
  247. };
  248. #ifndef OPENSSL_NO_ECX
  249. /*
  250. * static const char *pskid = "Ennyn Durin aran Moria";
  251. */
  252. static const unsigned char pskid[] = {
  253. 0x45, 0x6e, 0x6e, 0x79, 0x6e, 0x20, 0x44, 0x75,
  254. 0x72, 0x69, 0x6e, 0x20, 0x61, 0x72, 0x61, 0x6e,
  255. 0x20, 0x4d, 0x6f, 0x72, 0x69, 0x61, 0x00
  256. };
  257. static const unsigned char psk[] = {
  258. 0x02, 0x47, 0xfd, 0x33, 0xb9, 0x13, 0x76, 0x0f,
  259. 0xa1, 0xfa, 0x51, 0xe1, 0x89, 0x2d, 0x9f, 0x30,
  260. 0x7f, 0xbe, 0x65, 0xeb, 0x17, 0x1e, 0x81, 0x32,
  261. 0xc2, 0xaf, 0x18, 0x55, 0x5a, 0x73, 0x8b, 0x82
  262. };
  263. /* these need to be "outside" the function below to keep check-ansi CI happy */
  264. static const unsigned char first_ikme[] = {
  265. 0x78, 0x62, 0x8c, 0x35, 0x4e, 0x46, 0xf3, 0xe1,
  266. 0x69, 0xbd, 0x23, 0x1b, 0xe7, 0xb2, 0xff, 0x1c,
  267. 0x77, 0xaa, 0x30, 0x24, 0x60, 0xa2, 0x6d, 0xbf,
  268. 0xa1, 0x55, 0x15, 0x68, 0x4c, 0x00, 0x13, 0x0b
  269. };
  270. static const unsigned char first_ikmr[] = {
  271. 0xd4, 0xa0, 0x9d, 0x09, 0xf5, 0x75, 0xfe, 0xf4,
  272. 0x25, 0x90, 0x5d, 0x2a, 0xb3, 0x96, 0xc1, 0x44,
  273. 0x91, 0x41, 0x46, 0x3f, 0x69, 0x8f, 0x8e, 0xfd,
  274. 0xb7, 0xac, 0xcf, 0xaf, 0xf8, 0x99, 0x50, 0x98
  275. };
  276. static const unsigned char first_ikmepub[] = {
  277. 0x0a, 0xd0, 0x95, 0x0d, 0x9f, 0xb9, 0x58, 0x8e,
  278. 0x59, 0x69, 0x0b, 0x74, 0xf1, 0x23, 0x7e, 0xcd,
  279. 0xf1, 0xd7, 0x75, 0xcd, 0x60, 0xbe, 0x2e, 0xca,
  280. 0x57, 0xaf, 0x5a, 0x4b, 0x04, 0x71, 0xc9, 0x1b,
  281. };
  282. static const unsigned char first_ikmrpub[] = {
  283. 0x9f, 0xed, 0x7e, 0x8c, 0x17, 0x38, 0x75, 0x60,
  284. 0xe9, 0x2c, 0xc6, 0x46, 0x2a, 0x68, 0x04, 0x96,
  285. 0x57, 0x24, 0x6a, 0x09, 0xbf, 0xa8, 0xad, 0xe7,
  286. 0xae, 0xfe, 0x58, 0x96, 0x72, 0x01, 0x63, 0x66
  287. };
  288. static const unsigned char first_ikmrpriv[] = {
  289. 0xc5, 0xeb, 0x01, 0xeb, 0x45, 0x7f, 0xe6, 0xc6,
  290. 0xf5, 0x75, 0x77, 0xc5, 0x41, 0x3b, 0x93, 0x15,
  291. 0x50, 0xa1, 0x62, 0xc7, 0x1a, 0x03, 0xac, 0x8d,
  292. 0x19, 0x6b, 0xab, 0xbd, 0x4e, 0x5c, 0xe0, 0xfd
  293. };
  294. static const unsigned char first_expected_shared_secret[] = {
  295. 0x72, 0x76, 0x99, 0xf0, 0x09, 0xff, 0xe3, 0xc0,
  296. 0x76, 0x31, 0x50, 0x19, 0xc6, 0x96, 0x48, 0x36,
  297. 0x6b, 0x69, 0x17, 0x14, 0x39, 0xbd, 0x7d, 0xd0,
  298. 0x80, 0x77, 0x43, 0xbd, 0xe7, 0x69, 0x86, 0xcd
  299. };
  300. static const unsigned char first_aad0[] = {
  301. 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x2d, 0x30
  302. };
  303. static const unsigned char first_ct0[] = {
  304. 0xe5, 0x2c, 0x6f, 0xed, 0x7f, 0x75, 0x8d, 0x0c,
  305. 0xf7, 0x14, 0x56, 0x89, 0xf2, 0x1b, 0xc1, 0xbe,
  306. 0x6e, 0xc9, 0xea, 0x09, 0x7f, 0xef, 0x4e, 0x95,
  307. 0x94, 0x40, 0x01, 0x2f, 0x4f, 0xeb, 0x73, 0xfb,
  308. 0x61, 0x1b, 0x94, 0x61, 0x99, 0xe6, 0x81, 0xf4,
  309. 0xcf, 0xc3, 0x4d, 0xb8, 0xea
  310. };
  311. static const unsigned char first_aad1[] = {
  312. 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x2d, 0x31
  313. };
  314. static const unsigned char first_ct1[] = {
  315. 0x49, 0xf3, 0xb1, 0x9b, 0x28, 0xa9, 0xea, 0x9f,
  316. 0x43, 0xe8, 0xc7, 0x12, 0x04, 0xc0, 0x0d, 0x4a,
  317. 0x49, 0x0e, 0xe7, 0xf6, 0x13, 0x87, 0xb6, 0x71,
  318. 0x9d, 0xb7, 0x65, 0xe9, 0x48, 0x12, 0x3b, 0x45,
  319. 0xb6, 0x16, 0x33, 0xef, 0x05, 0x9b, 0xa2, 0x2c,
  320. 0xd6, 0x24, 0x37, 0xc8, 0xba
  321. };
  322. static const unsigned char first_aad2[] = {
  323. 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x2d, 0x32
  324. };
  325. static const unsigned char first_ct2[] = {
  326. 0x25, 0x7c, 0xa6, 0xa0, 0x84, 0x73, 0xdc, 0x85,
  327. 0x1f, 0xde, 0x45, 0xaf, 0xd5, 0x98, 0xcc, 0x83,
  328. 0xe3, 0x26, 0xdd, 0xd0, 0xab, 0xe1, 0xef, 0x23,
  329. 0xba, 0xa3, 0xba, 0xa4, 0xdd, 0x8c, 0xde, 0x99,
  330. 0xfc, 0xe2, 0xc1, 0xe8, 0xce, 0x68, 0x7b, 0x0b,
  331. 0x47, 0xea, 0xd1, 0xad, 0xc9
  332. };
  333. static const unsigned char first_export1[] = {
  334. 0xdf, 0xf1, 0x7a, 0xf3, 0x54, 0xc8, 0xb4, 0x16,
  335. 0x73, 0x56, 0x7d, 0xb6, 0x25, 0x9f, 0xd6, 0x02,
  336. 0x99, 0x67, 0xb4, 0xe1, 0xaa, 0xd1, 0x30, 0x23,
  337. 0xc2, 0xae, 0x5d, 0xf8, 0xf4, 0xf4, 0x3b, 0xf6
  338. };
  339. static const unsigned char first_context2[] = { 0x00 };
  340. static const unsigned char first_export2[] = {
  341. 0x6a, 0x84, 0x72, 0x61, 0xd8, 0x20, 0x7f, 0xe5,
  342. 0x96, 0xbe, 0xfb, 0x52, 0x92, 0x84, 0x63, 0x88,
  343. 0x1a, 0xb4, 0x93, 0xda, 0x34, 0x5b, 0x10, 0xe1,
  344. 0xdc, 0xc6, 0x45, 0xe3, 0xb9, 0x4e, 0x2d, 0x95
  345. };
  346. static const unsigned char first_context3[] = {
  347. 0x54, 0x65, 0x73, 0x74, 0x43, 0x6f, 0x6e, 0x74,
  348. 0x65, 0x78, 0x74
  349. };
  350. static const unsigned char first_export3[] = {
  351. 0x8a, 0xff, 0x52, 0xb4, 0x5a, 0x1b, 0xe3, 0xa7,
  352. 0x34, 0xbc, 0x7a, 0x41, 0xe2, 0x0b, 0x4e, 0x05,
  353. 0x5a, 0xd4, 0xc4, 0xd2, 0x21, 0x04, 0xb0, 0xc2,
  354. 0x02, 0x85, 0xa7, 0xc4, 0x30, 0x24, 0x01, 0xcd
  355. };
  356. static int x25519kdfsha256_hkdfsha256_aes128gcm_psk_test(void)
  357. {
  358. const TEST_BASEDATA pskdata = {
  359. /* "X25519", NULL, "SHA256", "SHA256", "AES-128-GCM", */
  360. OSSL_HPKE_MODE_PSK,
  361. {
  362. OSSL_HPKE_KEM_ID_X25519,
  363. OSSL_HPKE_KDF_ID_HKDF_SHA256,
  364. OSSL_HPKE_AEAD_ID_AES_GCM_128
  365. },
  366. first_ikme, sizeof(first_ikme),
  367. first_ikmepub, sizeof(first_ikmepub),
  368. first_ikmr, sizeof(first_ikmr),
  369. first_ikmrpub, sizeof(first_ikmrpub),
  370. first_ikmrpriv, sizeof(first_ikmrpriv),
  371. first_expected_shared_secret, sizeof(first_expected_shared_secret),
  372. ksinfo, sizeof(ksinfo),
  373. NULL, 0, /* No Auth */
  374. psk, sizeof(psk), (char *) pskid
  375. };
  376. const TEST_AEADDATA aeaddata[] = {
  377. {
  378. 0,
  379. pt, sizeof(pt),
  380. first_aad0, sizeof(first_aad0),
  381. first_ct0, sizeof(first_ct0)
  382. },
  383. {
  384. 1,
  385. pt, sizeof(pt),
  386. first_aad1, sizeof(first_aad1),
  387. first_ct1, sizeof(first_ct1)
  388. },
  389. {
  390. 2,
  391. pt, sizeof(pt),
  392. first_aad2, sizeof(first_aad2),
  393. first_ct2, sizeof(first_ct2)
  394. }
  395. };
  396. const TEST_EXPORTDATA exportdata[] = {
  397. { NULL, 0, first_export1, sizeof(first_export1) },
  398. { first_context2, sizeof(first_context2),
  399. first_export2, sizeof(first_export2) },
  400. { first_context3, sizeof(first_context3),
  401. first_export3, sizeof(first_export3) },
  402. };
  403. return do_testhpke(&pskdata, aeaddata, OSSL_NELEM(aeaddata),
  404. exportdata, OSSL_NELEM(exportdata));
  405. }
  406. static const unsigned char second_ikme[] = {
  407. 0x72, 0x68, 0x60, 0x0d, 0x40, 0x3f, 0xce, 0x43,
  408. 0x15, 0x61, 0xae, 0xf5, 0x83, 0xee, 0x16, 0x13,
  409. 0x52, 0x7c, 0xff, 0x65, 0x5c, 0x13, 0x43, 0xf2,
  410. 0x98, 0x12, 0xe6, 0x67, 0x06, 0xdf, 0x32, 0x34
  411. };
  412. static const unsigned char second_ikmepub[] = {
  413. 0x37, 0xfd, 0xa3, 0x56, 0x7b, 0xdb, 0xd6, 0x28,
  414. 0xe8, 0x86, 0x68, 0xc3, 0xc8, 0xd7, 0xe9, 0x7d,
  415. 0x1d, 0x12, 0x53, 0xb6, 0xd4, 0xea, 0x6d, 0x44,
  416. 0xc1, 0x50, 0xf7, 0x41, 0xf1, 0xbf, 0x44, 0x31,
  417. };
  418. static const unsigned char second_ikmr[] = {
  419. 0x6d, 0xb9, 0xdf, 0x30, 0xaa, 0x07, 0xdd, 0x42,
  420. 0xee, 0x5e, 0x81, 0x81, 0xaf, 0xdb, 0x97, 0x7e,
  421. 0x53, 0x8f, 0x5e, 0x1f, 0xec, 0x8a, 0x06, 0x22,
  422. 0x3f, 0x33, 0xf7, 0x01, 0x3e, 0x52, 0x50, 0x37
  423. };
  424. static const unsigned char second_ikmrpub[] = {
  425. 0x39, 0x48, 0xcf, 0xe0, 0xad, 0x1d, 0xdb, 0x69,
  426. 0x5d, 0x78, 0x0e, 0x59, 0x07, 0x71, 0x95, 0xda,
  427. 0x6c, 0x56, 0x50, 0x6b, 0x02, 0x73, 0x29, 0x79,
  428. 0x4a, 0xb0, 0x2b, 0xca, 0x80, 0x81, 0x5c, 0x4d
  429. };
  430. static const unsigned char second_ikmrpriv[] = {
  431. 0x46, 0x12, 0xc5, 0x50, 0x26, 0x3f, 0xc8, 0xad,
  432. 0x58, 0x37, 0x5d, 0xf3, 0xf5, 0x57, 0xaa, 0xc5,
  433. 0x31, 0xd2, 0x68, 0x50, 0x90, 0x3e, 0x55, 0xa9,
  434. 0xf2, 0x3f, 0x21, 0xd8, 0x53, 0x4e, 0x8a, 0xc8
  435. };
  436. static const unsigned char second_expected_shared_secret[] = {
  437. 0xfe, 0x0e, 0x18, 0xc9, 0xf0, 0x24, 0xce, 0x43,
  438. 0x79, 0x9a, 0xe3, 0x93, 0xc7, 0xe8, 0xfe, 0x8f,
  439. 0xce, 0x9d, 0x21, 0x88, 0x75, 0xe8, 0x22, 0x7b,
  440. 0x01, 0x87, 0xc0, 0x4e, 0x7d, 0x2e, 0xa1, 0xfc
  441. };
  442. static const unsigned char second_aead0[] = {
  443. 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x2d, 0x30
  444. };
  445. static const unsigned char second_ct0[] = {
  446. 0xf9, 0x38, 0x55, 0x8b, 0x5d, 0x72, 0xf1, 0xa2,
  447. 0x38, 0x10, 0xb4, 0xbe, 0x2a, 0xb4, 0xf8, 0x43,
  448. 0x31, 0xac, 0xc0, 0x2f, 0xc9, 0x7b, 0xab, 0xc5,
  449. 0x3a, 0x52, 0xae, 0x82, 0x18, 0xa3, 0x55, 0xa9,
  450. 0x6d, 0x87, 0x70, 0xac, 0x83, 0xd0, 0x7b, 0xea,
  451. 0x87, 0xe1, 0x3c, 0x51, 0x2a
  452. };
  453. static const unsigned char second_aead1[] = {
  454. 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x2d, 0x31
  455. };
  456. static const unsigned char second_ct1[] = {
  457. 0xaf, 0x2d, 0x7e, 0x9a, 0xc9, 0xae, 0x7e, 0x27,
  458. 0x0f, 0x46, 0xba, 0x1f, 0x97, 0x5b, 0xe5, 0x3c,
  459. 0x09, 0xf8, 0xd8, 0x75, 0xbd, 0xc8, 0x53, 0x54,
  460. 0x58, 0xc2, 0x49, 0x4e, 0x8a, 0x6e, 0xab, 0x25,
  461. 0x1c, 0x03, 0xd0, 0xc2, 0x2a, 0x56, 0xb8, 0xca,
  462. 0x42, 0xc2, 0x06, 0x3b, 0x84
  463. };
  464. static const unsigned char second_export1[] = {
  465. 0x38, 0x53, 0xfe, 0x2b, 0x40, 0x35, 0x19, 0x5a,
  466. 0x57, 0x3f, 0xfc, 0x53, 0x85, 0x6e, 0x77, 0x05,
  467. 0x8e, 0x15, 0xd9, 0xea, 0x06, 0x4d, 0xe3, 0xe5,
  468. 0x9f, 0x49, 0x61, 0xd0, 0x09, 0x52, 0x50, 0xee
  469. };
  470. static const unsigned char second_context2[] = { 0x00 };
  471. static const unsigned char second_export2[] = {
  472. 0x2e, 0x8f, 0x0b, 0x54, 0x67, 0x3c, 0x70, 0x29,
  473. 0x64, 0x9d, 0x4e, 0xb9, 0xd5, 0xe3, 0x3b, 0xf1,
  474. 0x87, 0x2c, 0xf7, 0x6d, 0x62, 0x3f, 0xf1, 0x64,
  475. 0xac, 0x18, 0x5d, 0xa9, 0xe8, 0x8c, 0x21, 0xa5
  476. };
  477. static const unsigned char second_context3[] = {
  478. 0x54, 0x65, 0x73, 0x74, 0x43, 0x6f, 0x6e, 0x74,
  479. 0x65, 0x78, 0x74
  480. };
  481. static const unsigned char second_export3[] = {
  482. 0xe9, 0xe4, 0x30, 0x65, 0x10, 0x2c, 0x38, 0x36,
  483. 0x40, 0x1b, 0xed, 0x8c, 0x3c, 0x3c, 0x75, 0xae,
  484. 0x46, 0xbe, 0x16, 0x39, 0x86, 0x93, 0x91, 0xd6,
  485. 0x2c, 0x61, 0xf1, 0xec, 0x7a, 0xf5, 0x49, 0x31
  486. };
  487. static int x25519kdfsha256_hkdfsha256_aes128gcm_base_test(void)
  488. {
  489. const TEST_BASEDATA basedata = {
  490. OSSL_HPKE_MODE_BASE,
  491. {
  492. OSSL_HPKE_KEM_ID_X25519,
  493. OSSL_HPKE_KDF_ID_HKDF_SHA256,
  494. OSSL_HPKE_AEAD_ID_AES_GCM_128
  495. },
  496. second_ikme, sizeof(second_ikme),
  497. second_ikmepub, sizeof(second_ikmepub),
  498. second_ikmr, sizeof(second_ikmr),
  499. second_ikmrpub, sizeof(second_ikmrpub),
  500. second_ikmrpriv, sizeof(second_ikmrpriv),
  501. second_expected_shared_secret, sizeof(second_expected_shared_secret),
  502. ksinfo, sizeof(ksinfo),
  503. NULL, 0, /* no auth ikm */
  504. NULL, 0, NULL /* no psk */
  505. };
  506. const TEST_AEADDATA aeaddata[] = {
  507. {
  508. 0,
  509. pt, sizeof(pt),
  510. second_aead0, sizeof(second_aead0),
  511. second_ct0, sizeof(second_ct0)
  512. },
  513. {
  514. 1,
  515. pt, sizeof(pt),
  516. second_aead1, sizeof(second_aead1),
  517. second_ct1, sizeof(second_ct1)
  518. }
  519. };
  520. const TEST_EXPORTDATA exportdata[] = {
  521. { NULL, 0, second_export1, sizeof(second_export1) },
  522. { second_context2, sizeof(second_context2),
  523. second_export2, sizeof(second_export2) },
  524. { second_context3, sizeof(second_context3),
  525. second_export3, sizeof(second_export3) },
  526. };
  527. return do_testhpke(&basedata, aeaddata, OSSL_NELEM(aeaddata),
  528. exportdata, OSSL_NELEM(exportdata));
  529. }
  530. #endif
  531. static const unsigned char third_ikme[] = {
  532. 0x42, 0x70, 0xe5, 0x4f, 0xfd, 0x08, 0xd7, 0x9d,
  533. 0x59, 0x28, 0x02, 0x0a, 0xf4, 0x68, 0x6d, 0x8f,
  534. 0x6b, 0x7d, 0x35, 0xdb, 0xe4, 0x70, 0x26, 0x5f,
  535. 0x1f, 0x5a, 0xa2, 0x28, 0x16, 0xce, 0x86, 0x0e
  536. };
  537. static const unsigned char third_ikmepub[] = {
  538. 0x04, 0xa9, 0x27, 0x19, 0xc6, 0x19, 0x5d, 0x50,
  539. 0x85, 0x10, 0x4f, 0x46, 0x9a, 0x8b, 0x98, 0x14,
  540. 0xd5, 0x83, 0x8f, 0xf7, 0x2b, 0x60, 0x50, 0x1e,
  541. 0x2c, 0x44, 0x66, 0xe5, 0xe6, 0x7b, 0x32, 0x5a,
  542. 0xc9, 0x85, 0x36, 0xd7, 0xb6, 0x1a, 0x1a, 0xf4,
  543. 0xb7, 0x8e, 0x5b, 0x7f, 0x95, 0x1c, 0x09, 0x00,
  544. 0xbe, 0x86, 0x3c, 0x40, 0x3c, 0xe6, 0x5c, 0x9b,
  545. 0xfc, 0xb9, 0x38, 0x26, 0x57, 0x22, 0x2d, 0x18,
  546. 0xc4,
  547. };
  548. static const unsigned char third_ikmr[] = {
  549. 0x66, 0x8b, 0x37, 0x17, 0x1f, 0x10, 0x72, 0xf3,
  550. 0xcf, 0x12, 0xea, 0x8a, 0x23, 0x6a, 0x45, 0xdf,
  551. 0x23, 0xfc, 0x13, 0xb8, 0x2a, 0xf3, 0x60, 0x9a,
  552. 0xd1, 0xe3, 0x54, 0xf6, 0xef, 0x81, 0x75, 0x50
  553. };
  554. static const unsigned char third_ikmrpub[] = {
  555. 0x04, 0xfe, 0x8c, 0x19, 0xce, 0x09, 0x05, 0x19,
  556. 0x1e, 0xbc, 0x29, 0x8a, 0x92, 0x45, 0x79, 0x25,
  557. 0x31, 0xf2, 0x6f, 0x0c, 0xec, 0xe2, 0x46, 0x06,
  558. 0x39, 0xe8, 0xbc, 0x39, 0xcb, 0x7f, 0x70, 0x6a,
  559. 0x82, 0x6a, 0x77, 0x9b, 0x4c, 0xf9, 0x69, 0xb8,
  560. 0xa0, 0xe5, 0x39, 0xc7, 0xf6, 0x2f, 0xb3, 0xd3,
  561. 0x0a, 0xd6, 0xaa, 0x8f, 0x80, 0xe3, 0x0f, 0x1d,
  562. 0x12, 0x8a, 0xaf, 0xd6, 0x8a, 0x2c, 0xe7, 0x2e,
  563. 0xa0
  564. };
  565. static const unsigned char third_ikmrpriv[] = {
  566. 0xf3, 0xce, 0x7f, 0xda, 0xe5, 0x7e, 0x1a, 0x31,
  567. 0x0d, 0x87, 0xf1, 0xeb, 0xbd, 0xe6, 0xf3, 0x28,
  568. 0xbe, 0x0a, 0x99, 0xcd, 0xbc, 0xad, 0xf4, 0xd6,
  569. 0x58, 0x9c, 0xf2, 0x9d, 0xe4, 0xb8, 0xff, 0xd2
  570. };
  571. static const unsigned char third_expected_shared_secret[] = {
  572. 0xc0, 0xd2, 0x6a, 0xea, 0xb5, 0x36, 0x60, 0x9a,
  573. 0x57, 0x2b, 0x07, 0x69, 0x5d, 0x93, 0x3b, 0x58,
  574. 0x9d, 0xcf, 0x36, 0x3f, 0xf9, 0xd9, 0x3c, 0x93,
  575. 0xad, 0xea, 0x53, 0x7a, 0xea, 0xbb, 0x8c, 0xb8
  576. };
  577. static const unsigned char third_aead0[] = {
  578. 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x2d, 0x30
  579. };
  580. static const unsigned char third_ct0[] = {
  581. 0x5a, 0xd5, 0x90, 0xbb, 0x8b, 0xaa, 0x57, 0x7f,
  582. 0x86, 0x19, 0xdb, 0x35, 0xa3, 0x63, 0x11, 0x22,
  583. 0x6a, 0x89, 0x6e, 0x73, 0x42, 0xa6, 0xd8, 0x36,
  584. 0xd8, 0xb7, 0xbc, 0xd2, 0xf2, 0x0b, 0x6c, 0x7f,
  585. 0x90, 0x76, 0xac, 0x23, 0x2e, 0x3a, 0xb2, 0x52,
  586. 0x3f, 0x39, 0x51, 0x34, 0x34
  587. };
  588. static const unsigned char third_aead1[] = {
  589. 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x2d, 0x31
  590. };
  591. static const unsigned char third_ct1[] = {
  592. 0xfa, 0x6f, 0x03, 0x7b, 0x47, 0xfc, 0x21, 0x82,
  593. 0x6b, 0x61, 0x01, 0x72, 0xca, 0x96, 0x37, 0xe8,
  594. 0x2d, 0x6e, 0x58, 0x01, 0xeb, 0x31, 0xcb, 0xd3,
  595. 0x74, 0x82, 0x71, 0xaf, 0xfd, 0x4e, 0xcb, 0x06,
  596. 0x64, 0x6e, 0x03, 0x29, 0xcb, 0xdf, 0x3c, 0x3c,
  597. 0xd6, 0x55, 0xb2, 0x8e, 0x82
  598. };
  599. static const unsigned char third_export1[] = {
  600. 0x5e, 0x9b, 0xc3, 0xd2, 0x36, 0xe1, 0x91, 0x1d,
  601. 0x95, 0xe6, 0x5b, 0x57, 0x6a, 0x8a, 0x86, 0xd4,
  602. 0x78, 0xfb, 0x82, 0x7e, 0x8b, 0xdf, 0xe7, 0x7b,
  603. 0x74, 0x1b, 0x28, 0x98, 0x90, 0x49, 0x0d, 0x4d
  604. };
  605. static const unsigned char third_context2[] = { 0x00 };
  606. static const unsigned char third_export2[] = {
  607. 0x6c, 0xff, 0x87, 0x65, 0x89, 0x31, 0xbd, 0xa8,
  608. 0x3d, 0xc8, 0x57, 0xe6, 0x35, 0x3e, 0xfe, 0x49,
  609. 0x87, 0xa2, 0x01, 0xb8, 0x49, 0x65, 0x8d, 0x9b,
  610. 0x04, 0x7a, 0xab, 0x4c, 0xf2, 0x16, 0xe7, 0x96
  611. };
  612. static const unsigned char third_context3[] = {
  613. 0x54, 0x65, 0x73, 0x74, 0x43, 0x6f, 0x6e, 0x74,
  614. 0x65, 0x78, 0x74
  615. };
  616. static const unsigned char third_export3[] = {
  617. 0xd8, 0xf1, 0xea, 0x79, 0x42, 0xad, 0xbb, 0xa7,
  618. 0x41, 0x2c, 0x6d, 0x43, 0x1c, 0x62, 0xd0, 0x13,
  619. 0x71, 0xea, 0x47, 0x6b, 0x82, 0x3e, 0xb6, 0x97,
  620. 0xe1, 0xf6, 0xe6, 0xca, 0xe1, 0xda, 0xb8, 0x5a
  621. };
  622. static int P256kdfsha256_hkdfsha256_aes128gcm_base_test(void)
  623. {
  624. const TEST_BASEDATA basedata = {
  625. OSSL_HPKE_MODE_BASE,
  626. {
  627. OSSL_HPKE_KEM_ID_P256,
  628. OSSL_HPKE_KDF_ID_HKDF_SHA256,
  629. OSSL_HPKE_AEAD_ID_AES_GCM_128
  630. },
  631. third_ikme, sizeof(third_ikme),
  632. third_ikmepub, sizeof(third_ikmepub),
  633. third_ikmr, sizeof(third_ikmr),
  634. third_ikmrpub, sizeof(third_ikmrpub),
  635. third_ikmrpriv, sizeof(third_ikmrpriv),
  636. third_expected_shared_secret, sizeof(third_expected_shared_secret),
  637. ksinfo, sizeof(ksinfo),
  638. NULL, 0, /* no auth */
  639. NULL, 0, NULL /* PSK stuff */
  640. };
  641. const TEST_AEADDATA aeaddata[] = {
  642. {
  643. 0,
  644. pt, sizeof(pt),
  645. third_aead0, sizeof(third_aead0),
  646. third_ct0, sizeof(third_ct0)
  647. },
  648. {
  649. 1,
  650. pt, sizeof(pt),
  651. third_aead1, sizeof(third_aead1),
  652. third_ct1, sizeof(third_ct1)
  653. }
  654. };
  655. const TEST_EXPORTDATA exportdata[] = {
  656. { NULL, 0, third_export1, sizeof(third_export1) },
  657. { third_context2, sizeof(third_context2),
  658. third_export2, sizeof(third_export2) },
  659. { third_context3, sizeof(third_context3),
  660. third_export3, sizeof(third_export3) },
  661. };
  662. return do_testhpke(&basedata, aeaddata, OSSL_NELEM(aeaddata),
  663. exportdata, OSSL_NELEM(exportdata));
  664. }
  665. #ifndef OPENSSL_NO_ECX
  666. static const unsigned char fourth_ikme[] = {
  667. 0x55, 0xbc, 0x24, 0x5e, 0xe4, 0xef, 0xda, 0x25,
  668. 0xd3, 0x8f, 0x2d, 0x54, 0xd5, 0xbb, 0x66, 0x65,
  669. 0x29, 0x1b, 0x99, 0xf8, 0x10, 0x8a, 0x8c, 0x4b,
  670. 0x68, 0x6c, 0x2b, 0x14, 0x89, 0x3e, 0xa5, 0xd9
  671. };
  672. static const unsigned char fourth_ikmepub[] = {
  673. 0xe5, 0xe8, 0xf9, 0xbf, 0xff, 0x6c, 0x2f, 0x29,
  674. 0x79, 0x1f, 0xc3, 0x51, 0xd2, 0xc2, 0x5c, 0xe1,
  675. 0x29, 0x9a, 0xa5, 0xea, 0xca, 0x78, 0xa7, 0x57,
  676. 0xc0, 0xb4, 0xfb, 0x4b, 0xcd, 0x83, 0x09, 0x18
  677. };
  678. static const unsigned char fourth_ikmr[] = {
  679. 0x68, 0x3a, 0xe0, 0xda, 0x1d, 0x22, 0x18, 0x1e,
  680. 0x74, 0xed, 0x2e, 0x50, 0x3e, 0xbf, 0x82, 0x84,
  681. 0x0d, 0xeb, 0x1d, 0x5e, 0x87, 0x2c, 0xad, 0xe2,
  682. 0x0f, 0x4b, 0x45, 0x8d, 0x99, 0x78, 0x3e, 0x31
  683. };
  684. static const unsigned char fourth_ikmrpub[] = {
  685. 0x19, 0x41, 0x41, 0xca, 0x6c, 0x3c, 0x3b, 0xeb,
  686. 0x47, 0x92, 0xcd, 0x97, 0xba, 0x0e, 0xa1, 0xfa,
  687. 0xff, 0x09, 0xd9, 0x84, 0x35, 0x01, 0x23, 0x45,
  688. 0x76, 0x6e, 0xe3, 0x3a, 0xae, 0x2d, 0x76, 0x64
  689. };
  690. static const unsigned char fourth_ikmrpriv[] = {
  691. 0x33, 0xd1, 0x96, 0xc8, 0x30, 0xa1, 0x2f, 0x9a,
  692. 0xc6, 0x5d, 0x6e, 0x56, 0x5a, 0x59, 0x0d, 0x80,
  693. 0xf0, 0x4e, 0xe9, 0xb1, 0x9c, 0x83, 0xc8, 0x7f,
  694. 0x2c, 0x17, 0x0d, 0x97, 0x2a, 0x81, 0x28, 0x48
  695. };
  696. static const unsigned char fourth_expected_shared_secret[] = {
  697. 0xe8, 0x17, 0x16, 0xce, 0x8f, 0x73, 0x14, 0x1d,
  698. 0x4f, 0x25, 0xee, 0x90, 0x98, 0xef, 0xc9, 0x68,
  699. 0xc9, 0x1e, 0x5b, 0x8c, 0xe5, 0x2f, 0xff, 0xf5,
  700. 0x9d, 0x64, 0x03, 0x9e, 0x82, 0x91, 0x8b, 0x66
  701. };
  702. static const unsigned char fourth_export1[] = {
  703. 0x7a, 0x36, 0x22, 0x1b, 0xd5, 0x6d, 0x50, 0xfb,
  704. 0x51, 0xee, 0x65, 0xed, 0xfd, 0x98, 0xd0, 0x6a,
  705. 0x23, 0xc4, 0xdc, 0x87, 0x08, 0x5a, 0xa5, 0x86,
  706. 0x6c, 0xb7, 0x08, 0x72, 0x44, 0xbd, 0x2a, 0x36
  707. };
  708. static const unsigned char fourth_context2[] = { 0x00 };
  709. static const unsigned char fourth_export2[] = {
  710. 0xd5, 0x53, 0x5b, 0x87, 0x09, 0x9c, 0x6c, 0x3c,
  711. 0xe8, 0x0d, 0xc1, 0x12, 0xa2, 0x67, 0x1c, 0x6e,
  712. 0xc8, 0xe8, 0x11, 0xa2, 0xf2, 0x84, 0xf9, 0x48,
  713. 0xce, 0xc6, 0xdd, 0x17, 0x08, 0xee, 0x33, 0xf0
  714. };
  715. static const unsigned char fourth_context3[] = {
  716. 0x54, 0x65, 0x73, 0x74, 0x43, 0x6f, 0x6e, 0x74,
  717. 0x65, 0x78, 0x74
  718. };
  719. static const unsigned char fourth_export3[] = {
  720. 0xff, 0xaa, 0xbc, 0x85, 0xa7, 0x76, 0x13, 0x6c,
  721. 0xa0, 0xc3, 0x78, 0xe5, 0xd0, 0x84, 0xc9, 0x14,
  722. 0x0a, 0xb5, 0x52, 0xb7, 0x8f, 0x03, 0x9d, 0x2e,
  723. 0x87, 0x75, 0xf2, 0x6e, 0xff, 0xf4, 0xc7, 0x0e
  724. };
  725. static int export_only_test(void)
  726. {
  727. /* based on RFC9180 A.7 */
  728. const TEST_BASEDATA basedata = {
  729. OSSL_HPKE_MODE_BASE,
  730. {
  731. OSSL_HPKE_KEM_ID_X25519,
  732. OSSL_HPKE_KDF_ID_HKDF_SHA256,
  733. OSSL_HPKE_AEAD_ID_EXPORTONLY
  734. },
  735. fourth_ikme, sizeof(fourth_ikme),
  736. fourth_ikmepub, sizeof(fourth_ikmepub),
  737. fourth_ikmr, sizeof(fourth_ikmr),
  738. fourth_ikmrpub, sizeof(fourth_ikmrpub),
  739. fourth_ikmrpriv, sizeof(fourth_ikmrpriv),
  740. fourth_expected_shared_secret, sizeof(fourth_expected_shared_secret),
  741. ksinfo, sizeof(ksinfo),
  742. NULL, 0, /* no auth */
  743. NULL, 0, NULL /* PSK stuff */
  744. };
  745. const TEST_EXPORTDATA exportdata[] = {
  746. { NULL, 0, fourth_export1, sizeof(fourth_export1) },
  747. { fourth_context2, sizeof(fourth_context2),
  748. fourth_export2, sizeof(fourth_export2) },
  749. { fourth_context3, sizeof(fourth_context3),
  750. fourth_export3, sizeof(fourth_export3) },
  751. };
  752. return do_testhpke(&basedata, NULL, 0,
  753. exportdata, OSSL_NELEM(exportdata));
  754. }
  755. #endif
  756. /*
  757. * Randomly toss a coin
  758. */
  759. #define COIN_IS_HEADS (test_random() % 2)
  760. /* tables of HPKE modes and suite values */
  761. static int hpke_mode_list[] = {
  762. OSSL_HPKE_MODE_BASE,
  763. OSSL_HPKE_MODE_PSK,
  764. OSSL_HPKE_MODE_AUTH,
  765. OSSL_HPKE_MODE_PSKAUTH
  766. };
  767. static uint16_t hpke_kem_list[] = {
  768. OSSL_HPKE_KEM_ID_P256,
  769. OSSL_HPKE_KEM_ID_P384,
  770. OSSL_HPKE_KEM_ID_P521,
  771. #ifndef OPENSSL_NO_ECX
  772. OSSL_HPKE_KEM_ID_X25519,
  773. OSSL_HPKE_KEM_ID_X448
  774. #endif
  775. };
  776. static uint16_t hpke_kdf_list[] = {
  777. OSSL_HPKE_KDF_ID_HKDF_SHA256,
  778. OSSL_HPKE_KDF_ID_HKDF_SHA384,
  779. OSSL_HPKE_KDF_ID_HKDF_SHA512
  780. };
  781. static uint16_t hpke_aead_list[] = {
  782. OSSL_HPKE_AEAD_ID_AES_GCM_128,
  783. OSSL_HPKE_AEAD_ID_AES_GCM_256,
  784. #if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
  785. OSSL_HPKE_AEAD_ID_CHACHA_POLY1305
  786. #endif
  787. };
  788. /*
  789. * Strings that can be used with names or IANA codepoints.
  790. * Note that the initial entries from these lists should
  791. * match the lists above, i.e. kem_str_list[0] and
  792. * hpke_kem_list[0] should refer to the same KEM. We use
  793. * that for verbose output via TEST_note() below.
  794. * Subsequent entries are only used for tests of
  795. * OSSL_HPKE_str2suite()
  796. */
  797. static const char *mode_str_list[] = {
  798. "base", "psk", "auth", "pskauth"
  799. };
  800. static const char *kem_str_list[] = {
  801. #ifndef OPENSSL_NO_ECX
  802. "P-256", "P-384", "P-521", "x25519", "x448",
  803. "0x10", "0x11", "0x12", "0x20", "0x21",
  804. "16", "17", "18", "32", "33"
  805. #else
  806. "P-256", "P-384", "P-521",
  807. "0x10", "0x11", "0x12",
  808. "16", "17", "18"
  809. #endif
  810. };
  811. static const char *kdf_str_list[] = {
  812. "hkdf-sha256", "hkdf-sha384", "hkdf-sha512",
  813. "0x1", "0x01", "0x2", "0x02", "0x3", "0x03",
  814. "1", "2", "3"
  815. };
  816. static const char *aead_str_list[] = {
  817. "aes-128-gcm", "aes-256-gcm", "chacha20-poly1305", "exporter",
  818. "0x1", "0x01", "0x2", "0x02", "0x3", "0x03",
  819. "1", "2", "3",
  820. "0xff", "255"
  821. };
  822. /* table of bogus strings that better not work */
  823. static const char *bogus_suite_strs[] = {
  824. "3,33,3",
  825. "bogus,bogus,bogus",
  826. "bogus,33,3,1,bogus",
  827. "bogus,33,3,1",
  828. "bogus,bogus",
  829. "bogus",
  830. /* one bad token */
  831. "0x10,0x01,bogus",
  832. "0x10,bogus,0x01",
  833. "bogus,0x02,0x01",
  834. /* in reverse order */
  835. "aes-256-gcm,hkdf-sha512,x25519",
  836. /* surplus separators */
  837. ",,0x10,0x01,0x02",
  838. "0x10,,0x01,0x02",
  839. "0x10,0x01,,0x02",
  840. /* embedded NUL chars */
  841. "0x10,\00x01,,0x02",
  842. "0x10,\0""0x01,0x02",
  843. "0x10\0,0x01,0x02",
  844. "0x10,0x01\0,0x02",
  845. "0x10,0x01,\0""0x02",
  846. /* embedded whitespace */
  847. " aes-256-gcm,hkdf-sha512,x25519",
  848. "aes-256-gcm, hkdf-sha512,x25519",
  849. "aes-256-gcm ,hkdf-sha512,x25519",
  850. "aes-256-gcm,hkdf-sha512, x25519",
  851. "aes-256-gcm,hkdf-sha512 ,x25519",
  852. "aes-256-gcm,hkdf-sha512,x25519 ",
  853. /* good value followed by extra stuff */
  854. "0x10,0x01,0x02,",
  855. "0x10,0x01,0x02,,,",
  856. "0x10,0x01,0x01,0x02",
  857. "0x10,0x01,0x01,blah",
  858. "0x10,0x01,0x01 0x02",
  859. /* too few but good tokens */
  860. "0x10,0x01",
  861. "0x10",
  862. /* empty things */
  863. NULL,
  864. "",
  865. ",",
  866. ",,"
  867. };
  868. /**
  869. * @brief round-trips, generating keys, encrypt and decrypt
  870. *
  871. * This iterates over all mode and ciphersuite options trying
  872. * a key gen, encrypt and decrypt for each. The aad, info, and
  873. * seq inputs are randomly set or omitted each time. EVP and
  874. * non-EVP key generation are randomly selected.
  875. *
  876. * @return 1 for success, other otherwise
  877. */
  878. static int test_hpke_modes_suites(void)
  879. {
  880. int overallresult = 1;
  881. size_t mind = 0; /* index into hpke_mode_list */
  882. size_t kemind = 0; /* index into hpke_kem_list */
  883. size_t kdfind = 0; /* index into hpke_kdf_list */
  884. size_t aeadind = 0; /* index into hpke_aead_list */
  885. /* iterate over the different modes */
  886. for (mind = 0; mind < OSSL_NELEM(hpke_mode_list); mind++) {
  887. int hpke_mode = hpke_mode_list[mind];
  888. size_t aadlen = OSSL_HPKE_TSTSIZE;
  889. unsigned char aad[OSSL_HPKE_TSTSIZE];
  890. unsigned char *aadp = NULL;
  891. size_t infolen = 32;
  892. unsigned char info[32];
  893. unsigned char *infop = NULL;
  894. unsigned char lpsk[32];
  895. unsigned char *pskp = NULL;
  896. char lpskid[32];
  897. size_t psklen = 32;
  898. char *pskidp = NULL;
  899. EVP_PKEY *privp = NULL;
  900. OSSL_HPKE_SUITE hpke_suite = OSSL_HPKE_SUITE_DEFAULT;
  901. size_t plainlen = OSSL_HPKE_TSTSIZE;
  902. unsigned char plain[OSSL_HPKE_TSTSIZE];
  903. OSSL_HPKE_CTX *rctx = NULL;
  904. OSSL_HPKE_CTX *ctx = NULL;
  905. memset(plain, 0x00, OSSL_HPKE_TSTSIZE);
  906. strcpy((char *)plain, "a message not in a bottle");
  907. plainlen = strlen((char *)plain);
  908. /*
  909. * Randomly try with/without info, aad, seq. Given mode and suite
  910. * combos, and this being run even a few times, we'll exercise many
  911. * code paths fairly quickly. We don't really care what the values
  912. * are but it'll be easier to debug if they're known, so we set 'em.
  913. */
  914. if (COIN_IS_HEADS) {
  915. aadp = aad;
  916. memset(aad, 'a', aadlen);
  917. } else {
  918. aadlen = 0;
  919. }
  920. if (COIN_IS_HEADS) {
  921. infop = info;
  922. memset(info, 'i', infolen);
  923. } else {
  924. infolen = 0;
  925. }
  926. if (hpke_mode == OSSL_HPKE_MODE_PSK
  927. || hpke_mode == OSSL_HPKE_MODE_PSKAUTH) {
  928. pskp = lpsk;
  929. memset(lpsk, 'P', psklen);
  930. pskidp = lpskid;
  931. memset(lpskid, 'I', psklen - 1);
  932. lpskid[psklen - 1] = '\0';
  933. } else {
  934. psklen = 0;
  935. }
  936. for (kemind = 0; /* iterate over the kems, kdfs and aeads */
  937. overallresult == 1 && kemind < OSSL_NELEM(hpke_kem_list);
  938. kemind++) {
  939. uint16_t kem_id = hpke_kem_list[kemind];
  940. size_t authpublen = OSSL_HPKE_TSTSIZE;
  941. unsigned char authpub[OSSL_HPKE_TSTSIZE];
  942. unsigned char *authpubp = NULL;
  943. EVP_PKEY *authpriv = NULL;
  944. hpke_suite.kem_id = kem_id;
  945. if (hpke_mode == OSSL_HPKE_MODE_AUTH
  946. || hpke_mode == OSSL_HPKE_MODE_PSKAUTH) {
  947. if (TEST_true(OSSL_HPKE_keygen(hpke_suite, authpub, &authpublen,
  948. &authpriv, NULL, 0,
  949. testctx, NULL)) != 1) {
  950. overallresult = 0;
  951. }
  952. authpubp = authpub;
  953. } else {
  954. authpublen = 0;
  955. }
  956. for (kdfind = 0;
  957. overallresult == 1 && kdfind < OSSL_NELEM(hpke_kdf_list);
  958. kdfind++) {
  959. uint16_t kdf_id = hpke_kdf_list[kdfind];
  960. hpke_suite.kdf_id = kdf_id;
  961. for (aeadind = 0;
  962. overallresult == 1
  963. && aeadind < OSSL_NELEM(hpke_aead_list);
  964. aeadind++) {
  965. uint16_t aead_id = hpke_aead_list[aeadind];
  966. size_t publen = OSSL_HPKE_TSTSIZE;
  967. unsigned char pub[OSSL_HPKE_TSTSIZE];
  968. size_t senderpublen = OSSL_HPKE_TSTSIZE;
  969. unsigned char senderpub[OSSL_HPKE_TSTSIZE];
  970. size_t cipherlen = OSSL_HPKE_TSTSIZE;
  971. unsigned char cipher[OSSL_HPKE_TSTSIZE];
  972. size_t clearlen = OSSL_HPKE_TSTSIZE;
  973. unsigned char clear[OSSL_HPKE_TSTSIZE];
  974. hpke_suite.aead_id = aead_id;
  975. if (!TEST_true(OSSL_HPKE_keygen(hpke_suite,
  976. pub, &publen, &privp,
  977. NULL, 0, testctx, NULL)))
  978. overallresult = 0;
  979. if (!TEST_ptr(ctx = OSSL_HPKE_CTX_new(hpke_mode, hpke_suite,
  980. OSSL_HPKE_ROLE_SENDER,
  981. testctx, NULL)))
  982. overallresult = 0;
  983. if (hpke_mode == OSSL_HPKE_MODE_PSK
  984. || hpke_mode == OSSL_HPKE_MODE_PSKAUTH) {
  985. if (!TEST_true(OSSL_HPKE_CTX_set1_psk(ctx, pskidp,
  986. pskp, psklen)))
  987. overallresult = 0;
  988. }
  989. if (hpke_mode == OSSL_HPKE_MODE_AUTH
  990. || hpke_mode == OSSL_HPKE_MODE_PSKAUTH) {
  991. if (!TEST_true(OSSL_HPKE_CTX_set1_authpriv(ctx,
  992. authpriv)))
  993. overallresult = 0;
  994. }
  995. if (!TEST_true(OSSL_HPKE_encap(ctx, senderpub,
  996. &senderpublen,
  997. pub, publen,
  998. infop, infolen)))
  999. overallresult = 0;
  1000. /* throw in a call with a too-short cipherlen */
  1001. cipherlen = 15;
  1002. if (!TEST_false(OSSL_HPKE_seal(ctx, cipher, &cipherlen,
  1003. aadp, aadlen,
  1004. plain, plainlen)))
  1005. overallresult = 0;
  1006. /* fix back real cipherlen */
  1007. cipherlen = OSSL_HPKE_TSTSIZE;
  1008. if (!TEST_true(OSSL_HPKE_seal(ctx, cipher, &cipherlen,
  1009. aadp, aadlen,
  1010. plain, plainlen)))
  1011. overallresult = 0;
  1012. OSSL_HPKE_CTX_free(ctx);
  1013. memset(clear, 0, clearlen);
  1014. rctx = OSSL_HPKE_CTX_new(hpke_mode, hpke_suite,
  1015. OSSL_HPKE_ROLE_RECEIVER,
  1016. testctx, NULL);
  1017. if (!TEST_ptr(rctx))
  1018. overallresult = 0;
  1019. if (hpke_mode == OSSL_HPKE_MODE_PSK
  1020. || hpke_mode == OSSL_HPKE_MODE_PSKAUTH) {
  1021. if (!TEST_true(OSSL_HPKE_CTX_set1_psk(rctx, pskidp,
  1022. pskp, psklen)))
  1023. overallresult = 0;
  1024. }
  1025. if (hpke_mode == OSSL_HPKE_MODE_AUTH
  1026. || hpke_mode == OSSL_HPKE_MODE_PSKAUTH) {
  1027. /* check a borked p256 key */
  1028. if (hpke_suite.kem_id == OSSL_HPKE_KEM_ID_P256) {
  1029. /* set to fail decode of authpub this time */
  1030. if (!TEST_false(OSSL_HPKE_CTX_set1_authpub(rctx,
  1031. authpub,
  1032. 10
  1033. )))
  1034. overallresult = 0;
  1035. }
  1036. if (!TEST_true(OSSL_HPKE_CTX_set1_authpub(rctx,
  1037. authpubp,
  1038. authpublen)))
  1039. overallresult = 0;
  1040. }
  1041. if (!TEST_true(OSSL_HPKE_decap(rctx, senderpub,
  1042. senderpublen, privp,
  1043. infop, infolen)))
  1044. overallresult = 0;
  1045. /* throw in a call with a too-short clearlen */
  1046. clearlen = 15;
  1047. if (!TEST_false(OSSL_HPKE_open(rctx, clear, &clearlen,
  1048. aadp, aadlen, cipher,
  1049. cipherlen)))
  1050. overallresult = 0;
  1051. /* fix up real clearlen again */
  1052. clearlen = OSSL_HPKE_TSTSIZE;
  1053. if (!TEST_true(OSSL_HPKE_open(rctx, clear, &clearlen,
  1054. aadp, aadlen, cipher,
  1055. cipherlen)))
  1056. overallresult = 0;
  1057. OSSL_HPKE_CTX_free(rctx);
  1058. EVP_PKEY_free(privp);
  1059. privp = NULL;
  1060. /* check output */
  1061. if (!TEST_mem_eq(clear, clearlen, plain, plainlen)) {
  1062. overallresult = 0;
  1063. }
  1064. if (verbose || overallresult != 1) {
  1065. const char *res = NULL;
  1066. res = (overallresult == 1 ? "worked" : "failed");
  1067. TEST_note("HPKE %s for mode: %s/0x%02x, "\
  1068. "kem: %s/0x%02x, kdf: %s/0x%02x, "\
  1069. "aead: %s/0x%02x", res,
  1070. mode_str_list[mind], (int) mind,
  1071. kem_str_list[kemind], kem_id,
  1072. kdf_str_list[kdfind], kdf_id,
  1073. aead_str_list[aeadind], aead_id);
  1074. }
  1075. }
  1076. }
  1077. EVP_PKEY_free(authpriv);
  1078. }
  1079. }
  1080. return overallresult;
  1081. }
  1082. /**
  1083. * @brief check roundtrip for export
  1084. * @return 1 for success, other otherwise
  1085. */
  1086. static int test_hpke_export(void)
  1087. {
  1088. int erv = 0;
  1089. EVP_PKEY *privp = NULL;
  1090. unsigned char pub[OSSL_HPKE_TSTSIZE];
  1091. size_t publen = sizeof(pub);
  1092. int hpke_mode = OSSL_HPKE_MODE_BASE;
  1093. OSSL_HPKE_SUITE hpke_suite = OSSL_HPKE_SUITE_DEFAULT;
  1094. OSSL_HPKE_CTX *ctx = NULL;
  1095. OSSL_HPKE_CTX *rctx = NULL;
  1096. unsigned char exp[32];
  1097. unsigned char exp2[32];
  1098. unsigned char rexp[32];
  1099. unsigned char rexp2[32];
  1100. unsigned char plain[] = "quick brown fox";
  1101. size_t plainlen = sizeof(plain);
  1102. unsigned char enc[OSSL_HPKE_TSTSIZE];
  1103. size_t enclen = sizeof(enc);
  1104. unsigned char cipher[OSSL_HPKE_TSTSIZE];
  1105. size_t cipherlen = sizeof(cipher);
  1106. unsigned char clear[OSSL_HPKE_TSTSIZE];
  1107. size_t clearlen = sizeof(clear);
  1108. char *estr = "foo";
  1109. if (!TEST_true(OSSL_HPKE_keygen(hpke_suite, pub, &publen, &privp,
  1110. NULL, 0, testctx, NULL)))
  1111. goto end;
  1112. if (!TEST_ptr(ctx = OSSL_HPKE_CTX_new(hpke_mode, hpke_suite,
  1113. OSSL_HPKE_ROLE_SENDER,
  1114. testctx, NULL)))
  1115. goto end;
  1116. /* a few error cases 1st */
  1117. if (!TEST_false(OSSL_HPKE_export(NULL, exp, sizeof(exp),
  1118. (unsigned char *)estr, strlen(estr))))
  1119. goto end;
  1120. /* ctx before encap should fail too */
  1121. if (!TEST_false(OSSL_HPKE_export(ctx, exp, sizeof(exp),
  1122. (unsigned char *)estr, strlen(estr))))
  1123. goto end;
  1124. if (!TEST_true(OSSL_HPKE_encap(ctx, enc, &enclen, pub, publen, NULL, 0)))
  1125. goto end;
  1126. if (!TEST_true(OSSL_HPKE_seal(ctx, cipher, &cipherlen, NULL, 0,
  1127. plain, plainlen)))
  1128. goto end;
  1129. /* now for real */
  1130. if (!TEST_true(OSSL_HPKE_export(ctx, exp, sizeof(exp),
  1131. (unsigned char *)estr, strlen(estr))))
  1132. goto end;
  1133. /* check a 2nd call with same input gives same output */
  1134. if (!TEST_true(OSSL_HPKE_export(ctx, exp2, sizeof(exp2),
  1135. (unsigned char *)estr, strlen(estr))))
  1136. goto end;
  1137. if (!TEST_mem_eq(exp, sizeof(exp), exp2, sizeof(exp2)))
  1138. goto end;
  1139. if (!TEST_ptr(rctx = OSSL_HPKE_CTX_new(hpke_mode, hpke_suite,
  1140. OSSL_HPKE_ROLE_RECEIVER,
  1141. testctx, NULL)))
  1142. goto end;
  1143. if (!TEST_true(OSSL_HPKE_decap(rctx, enc, enclen, privp, NULL, 0)))
  1144. goto end;
  1145. if (!TEST_true(OSSL_HPKE_open(rctx, clear, &clearlen, NULL, 0,
  1146. cipher, cipherlen)))
  1147. goto end;
  1148. if (!TEST_true(OSSL_HPKE_export(rctx, rexp, sizeof(rexp),
  1149. (unsigned char *)estr, strlen(estr))))
  1150. goto end;
  1151. /* check a 2nd call with same input gives same output */
  1152. if (!TEST_true(OSSL_HPKE_export(rctx, rexp2, sizeof(rexp2),
  1153. (unsigned char *)estr, strlen(estr))))
  1154. goto end;
  1155. if (!TEST_mem_eq(rexp, sizeof(rexp), rexp2, sizeof(rexp2)))
  1156. goto end;
  1157. if (!TEST_mem_eq(exp, sizeof(exp), rexp, sizeof(rexp)))
  1158. goto end;
  1159. erv = 1;
  1160. end:
  1161. OSSL_HPKE_CTX_free(ctx);
  1162. OSSL_HPKE_CTX_free(rctx);
  1163. EVP_PKEY_free(privp);
  1164. return erv;
  1165. }
  1166. /**
  1167. * @brief Check mapping from strings to HPKE suites
  1168. * @return 1 for success, other otherwise
  1169. */
  1170. static int test_hpke_suite_strs(void)
  1171. {
  1172. int overallresult = 1;
  1173. int kemind = 0;
  1174. int kdfind = 0;
  1175. int aeadind = 0;
  1176. int sind = 0;
  1177. char sstr[128];
  1178. OSSL_HPKE_SUITE stirred;
  1179. char giant[2048];
  1180. for (kemind = 0; kemind != OSSL_NELEM(kem_str_list); kemind++) {
  1181. for (kdfind = 0; kdfind != OSSL_NELEM(kdf_str_list); kdfind++) {
  1182. for (aeadind = 0; aeadind != OSSL_NELEM(aead_str_list); aeadind++) {
  1183. BIO_snprintf(sstr, 128, "%s,%s,%s", kem_str_list[kemind],
  1184. kdf_str_list[kdfind], aead_str_list[aeadind]);
  1185. if (TEST_true(OSSL_HPKE_str2suite(sstr, &stirred)) != 1) {
  1186. if (verbose)
  1187. TEST_note("Unexpected str2suite fail for :%s",
  1188. bogus_suite_strs[sind]);
  1189. overallresult = 0;
  1190. }
  1191. }
  1192. }
  1193. }
  1194. for (sind = 0; sind != OSSL_NELEM(bogus_suite_strs); sind++) {
  1195. if (TEST_false(OSSL_HPKE_str2suite(bogus_suite_strs[sind],
  1196. &stirred)) != 1) {
  1197. if (verbose)
  1198. TEST_note("OSSL_HPKE_str2suite didn't fail for bogus[%d]:%s",
  1199. sind, bogus_suite_strs[sind]);
  1200. overallresult = 0;
  1201. }
  1202. }
  1203. /* check a few errors */
  1204. if (!TEST_false(OSSL_HPKE_str2suite("", &stirred)))
  1205. overallresult = 0;
  1206. if (!TEST_false(OSSL_HPKE_str2suite(NULL, &stirred)))
  1207. overallresult = 0;
  1208. if (!TEST_false(OSSL_HPKE_str2suite("", NULL)))
  1209. overallresult = 0;
  1210. memset(giant, 'A', sizeof(giant) - 1);
  1211. giant[sizeof(giant) - 1] = '\0';
  1212. if (!TEST_false(OSSL_HPKE_str2suite(giant, &stirred)))
  1213. overallresult = 0;
  1214. return overallresult;
  1215. }
  1216. /**
  1217. * @brief try the various GREASEy APIs
  1218. * @return 1 for success, other otherwise
  1219. */
  1220. static int test_hpke_grease(void)
  1221. {
  1222. int overallresult = 1;
  1223. OSSL_HPKE_SUITE g_suite;
  1224. unsigned char g_pub[OSSL_HPKE_TSTSIZE];
  1225. size_t g_pub_len = OSSL_HPKE_TSTSIZE;
  1226. unsigned char g_cipher[OSSL_HPKE_TSTSIZE];
  1227. size_t g_cipher_len = 266;
  1228. size_t clearlen = 128;
  1229. size_t expanded = 0;
  1230. size_t enclen = 0;
  1231. size_t ikmelen = 0;
  1232. memset(&g_suite, 0, sizeof(OSSL_HPKE_SUITE));
  1233. /* GREASEing */
  1234. /* check too short for public value */
  1235. g_pub_len = 10;
  1236. if (TEST_false(OSSL_HPKE_get_grease_value(NULL, &g_suite,
  1237. g_pub, &g_pub_len,
  1238. g_cipher, g_cipher_len,
  1239. testctx, NULL)) != 1) {
  1240. overallresult = 0;
  1241. }
  1242. /* reset to work */
  1243. g_pub_len = OSSL_HPKE_TSTSIZE;
  1244. if (TEST_true(OSSL_HPKE_get_grease_value(NULL, &g_suite,
  1245. g_pub, &g_pub_len,
  1246. g_cipher, g_cipher_len,
  1247. testctx, NULL)) != 1) {
  1248. overallresult = 0;
  1249. }
  1250. /* expansion */
  1251. expanded = OSSL_HPKE_get_ciphertext_size(g_suite, clearlen);
  1252. if (!TEST_size_t_gt(expanded, clearlen)) {
  1253. overallresult = 0;
  1254. }
  1255. enclen = OSSL_HPKE_get_public_encap_size(g_suite);
  1256. if (!TEST_size_t_ne(enclen, 0))
  1257. overallresult = 0;
  1258. /* not really GREASE but we'll check ikmelen thing */
  1259. ikmelen = OSSL_HPKE_get_recommended_ikmelen(g_suite);
  1260. if (!TEST_size_t_ne(ikmelen, 0))
  1261. overallresult = 0;
  1262. return overallresult;
  1263. }
  1264. /*
  1265. * Make a set of calls with odd parameters
  1266. */
  1267. static int test_hpke_oddcalls(void)
  1268. {
  1269. int erv = 0;
  1270. EVP_PKEY *privp = NULL;
  1271. unsigned char pub[OSSL_HPKE_TSTSIZE];
  1272. size_t publen = sizeof(pub);
  1273. int hpke_mode = OSSL_HPKE_MODE_BASE;
  1274. int bad_mode = 0xbad;
  1275. OSSL_HPKE_SUITE hpke_suite = OSSL_HPKE_SUITE_DEFAULT;
  1276. OSSL_HPKE_SUITE bad_suite = { 0xbad, 0xbad, 0xbad };
  1277. OSSL_HPKE_CTX *ctx = NULL;
  1278. OSSL_HPKE_CTX *rctx = NULL;
  1279. unsigned char plain[] = "quick brown fox";
  1280. size_t plainlen = sizeof(plain);
  1281. unsigned char enc[OSSL_HPKE_TSTSIZE], smallenc[10];
  1282. size_t enclen = sizeof(enc), smallenclen = sizeof(smallenc);
  1283. unsigned char cipher[OSSL_HPKE_TSTSIZE];
  1284. size_t cipherlen = sizeof(cipher);
  1285. unsigned char clear[OSSL_HPKE_TSTSIZE];
  1286. size_t clearlen = sizeof(clear);
  1287. unsigned char fake_ikm[OSSL_HPKE_TSTSIZE];
  1288. char *badpropq = "yeah, this won't work";
  1289. uint64_t lseq = 0;
  1290. char giant_pskid[OSSL_HPKE_MAX_PARMLEN + 10];
  1291. unsigned char info[OSSL_HPKE_TSTSIZE];
  1292. /* many of the calls below are designed to get better test coverage */
  1293. /* NULL ctx calls */
  1294. OSSL_HPKE_CTX_free(NULL);
  1295. if (!TEST_false(OSSL_HPKE_CTX_set_seq(NULL, 1)))
  1296. goto end;
  1297. if (!TEST_false(OSSL_HPKE_CTX_get_seq(NULL, &lseq)))
  1298. goto end;
  1299. if (!TEST_false(OSSL_HPKE_CTX_set1_authpub(NULL, pub, publen)))
  1300. goto end;
  1301. if (!TEST_false(OSSL_HPKE_CTX_set1_authpriv(NULL, privp)))
  1302. goto end;
  1303. if (!TEST_false(OSSL_HPKE_CTX_set1_ikme(NULL, NULL, 0)))
  1304. goto end;
  1305. if (!TEST_false(OSSL_HPKE_CTX_set1_psk(NULL, NULL, NULL, 0)))
  1306. goto end;
  1307. /* bad suite calls */
  1308. hpke_suite.aead_id = 0xbad;
  1309. if (!TEST_false(OSSL_HPKE_suite_check(hpke_suite)))
  1310. goto end;
  1311. hpke_suite.aead_id = OSSL_HPKE_AEAD_ID_AES_GCM_128;
  1312. if (!TEST_false(OSSL_HPKE_suite_check(bad_suite)))
  1313. goto end;
  1314. if (!TEST_false(OSSL_HPKE_get_recommended_ikmelen(bad_suite)))
  1315. goto end;
  1316. if (!TEST_false(OSSL_HPKE_get_public_encap_size(bad_suite)))
  1317. goto end;
  1318. if (!TEST_false(OSSL_HPKE_get_ciphertext_size(bad_suite, 0)))
  1319. goto end;
  1320. if (!TEST_false(OSSL_HPKE_keygen(bad_suite, pub, &publen, &privp,
  1321. NULL, 0, testctx, badpropq)))
  1322. goto end;
  1323. if (!TEST_false(OSSL_HPKE_keygen(bad_suite, pub, &publen, &privp,
  1324. NULL, 0, testctx, NULL)))
  1325. goto end;
  1326. /* dodgy keygen calls */
  1327. /* no pub */
  1328. if (!TEST_false(OSSL_HPKE_keygen(hpke_suite, NULL, &publen, &privp,
  1329. NULL, 0, testctx, NULL)))
  1330. goto end;
  1331. /* ikmlen but NULL ikm */
  1332. if (!TEST_false(OSSL_HPKE_keygen(hpke_suite, pub, &publen, &privp,
  1333. NULL, 80, testctx, NULL)))
  1334. goto end;
  1335. /* zero ikmlen but ikm */
  1336. if (!TEST_false(OSSL_HPKE_keygen(hpke_suite, pub, &publen, &privp,
  1337. fake_ikm, 0, testctx, NULL)))
  1338. goto end;
  1339. /* GIANT ikmlen */
  1340. if (!TEST_false(OSSL_HPKE_keygen(hpke_suite, pub, &publen, &privp,
  1341. fake_ikm, -1, testctx, NULL)))
  1342. goto end;
  1343. /* short publen */
  1344. publen = 10;
  1345. if (!TEST_false(OSSL_HPKE_keygen(hpke_suite, pub, &publen, &privp,
  1346. NULL, 0, testctx, NULL)))
  1347. goto end;
  1348. publen = sizeof(pub);
  1349. /* encap/decap with NULLs */
  1350. if (!TEST_false(OSSL_HPKE_encap(NULL, NULL, NULL, NULL, 0, NULL, 0)))
  1351. goto end;
  1352. if (!TEST_false(OSSL_HPKE_decap(NULL, NULL, 0, NULL, NULL, 0)))
  1353. goto end;
  1354. /*
  1355. * run through a sender/recipient set of calls but with
  1356. * failing calls interspersed whenever possible
  1357. */
  1358. /* good keygen */
  1359. if (!TEST_true(OSSL_HPKE_keygen(hpke_suite, pub, &publen, &privp,
  1360. NULL, 0, testctx, NULL)))
  1361. goto end;
  1362. /* a psk context with no psk => encap fail */
  1363. if (!TEST_ptr(ctx = OSSL_HPKE_CTX_new(OSSL_HPKE_MODE_PSK, hpke_suite,
  1364. OSSL_HPKE_ROLE_SENDER,
  1365. testctx, NULL)))
  1366. goto end;
  1367. /* set bad length psk */
  1368. if (!TEST_false(OSSL_HPKE_CTX_set1_psk(ctx, "foo",
  1369. (unsigned char *)"bar", -1)))
  1370. goto end;
  1371. /* set bad length pskid */
  1372. memset(giant_pskid, 'A', sizeof(giant_pskid) - 1);
  1373. giant_pskid[sizeof(giant_pskid) - 1] = '\0';
  1374. if (!TEST_false(OSSL_HPKE_CTX_set1_psk(ctx, giant_pskid,
  1375. (unsigned char *)"bar", 3)))
  1376. goto end;
  1377. /* still no psk really set so encap fails */
  1378. if (!TEST_false(OSSL_HPKE_encap(ctx, enc, &enclen, pub, publen, NULL, 0)))
  1379. goto end;
  1380. OSSL_HPKE_CTX_free(ctx);
  1381. /* bad suite */
  1382. if (!TEST_ptr_null(ctx = OSSL_HPKE_CTX_new(hpke_mode, bad_suite,
  1383. OSSL_HPKE_ROLE_SENDER,
  1384. testctx, NULL)))
  1385. goto end;
  1386. /* bad mode */
  1387. if (!TEST_ptr_null(ctx = OSSL_HPKE_CTX_new(bad_mode, hpke_suite,
  1388. OSSL_HPKE_ROLE_SENDER,
  1389. testctx, NULL)))
  1390. goto end;
  1391. /* make good ctx */
  1392. if (!TEST_ptr(ctx = OSSL_HPKE_CTX_new(hpke_mode, hpke_suite,
  1393. OSSL_HPKE_ROLE_SENDER,
  1394. testctx, NULL)))
  1395. goto end;
  1396. /* too long ikm */
  1397. if (!TEST_false(OSSL_HPKE_CTX_set1_ikme(ctx, fake_ikm, -1)))
  1398. goto end;
  1399. /* zero length ikm */
  1400. if (!TEST_false(OSSL_HPKE_CTX_set1_ikme(ctx, fake_ikm, 0)))
  1401. goto end;
  1402. /* NULL authpub */
  1403. if (!TEST_false(OSSL_HPKE_CTX_set1_authpub(ctx, NULL, 0)))
  1404. goto end;
  1405. /* NULL auth priv */
  1406. if (!TEST_false(OSSL_HPKE_CTX_set1_authpriv(ctx, NULL)))
  1407. goto end;
  1408. /* priv good, but mode is bad */
  1409. if (!TEST_false(OSSL_HPKE_CTX_set1_authpriv(ctx, privp)))
  1410. goto end;
  1411. /* bad mode for psk */
  1412. if (!TEST_false(OSSL_HPKE_CTX_set1_psk(ctx, "foo",
  1413. (unsigned char *)"bar", 3)))
  1414. goto end;
  1415. /* seal before encap */
  1416. if (!TEST_false(OSSL_HPKE_seal(ctx, cipher, &cipherlen, NULL, 0,
  1417. plain, plainlen)))
  1418. goto end;
  1419. /* encap with dodgy public */
  1420. if (!TEST_false(OSSL_HPKE_encap(ctx, enc, &enclen, pub, 1, NULL, 0)))
  1421. goto end;
  1422. /* encap with too big info */
  1423. if (!TEST_false(OSSL_HPKE_encap(ctx, enc, &enclen, pub, 1, info, -1)))
  1424. goto end;
  1425. /* encap with NULL info & non-zero infolen */
  1426. if (!TEST_false(OSSL_HPKE_encap(ctx, enc, &enclen, pub, 1, NULL, 1)))
  1427. goto end;
  1428. /* encap with non-NULL info & zero infolen */
  1429. if (!TEST_false(OSSL_HPKE_encap(ctx, enc, &enclen, pub, 1, info, 0)))
  1430. goto end;
  1431. /* encap with too small enc */
  1432. if (!TEST_false(OSSL_HPKE_encap(ctx, smallenc, &smallenclen, pub, 1, NULL, 0)))
  1433. goto end;
  1434. /* good encap */
  1435. if (!TEST_true(OSSL_HPKE_encap(ctx, enc, &enclen, pub, publen, NULL, 0)))
  1436. goto end;
  1437. /* second encap fail */
  1438. if (!TEST_false(OSSL_HPKE_encap(ctx, enc, &enclen, pub, publen, NULL, 0)))
  1439. goto end;
  1440. plainlen = 0;
  1441. /* should fail for no plaintext */
  1442. if (!TEST_false(OSSL_HPKE_seal(ctx, cipher, &cipherlen, NULL, 0,
  1443. plain, plainlen)))
  1444. goto end;
  1445. plainlen = sizeof(plain);
  1446. /* working seal */
  1447. if (!TEST_true(OSSL_HPKE_seal(ctx, cipher, &cipherlen, NULL, 0,
  1448. plain, plainlen)))
  1449. goto end;
  1450. /* receiver side */
  1451. /* decap fail with psk mode but no psk set */
  1452. if (!TEST_ptr(rctx = OSSL_HPKE_CTX_new(OSSL_HPKE_MODE_PSK, hpke_suite,
  1453. OSSL_HPKE_ROLE_RECEIVER,
  1454. testctx, NULL)))
  1455. goto end;
  1456. if (!TEST_false(OSSL_HPKE_decap(rctx, enc, enclen, privp, NULL, 0)))
  1457. goto end;
  1458. /* done with PSK mode */
  1459. OSSL_HPKE_CTX_free(rctx);
  1460. /* back good calls for base mode */
  1461. if (!TEST_ptr(rctx = OSSL_HPKE_CTX_new(hpke_mode, hpke_suite,
  1462. OSSL_HPKE_ROLE_RECEIVER,
  1463. testctx, NULL)))
  1464. goto end;
  1465. /* open before decap */
  1466. if (!TEST_false(OSSL_HPKE_open(rctx, clear, &clearlen, NULL, 0,
  1467. cipher, cipherlen)))
  1468. goto end;
  1469. /* decap with info too long */
  1470. if (!TEST_false(OSSL_HPKE_decap(rctx, enc, enclen, privp, info, -1)))
  1471. goto end;
  1472. /* good decap */
  1473. if (!TEST_true(OSSL_HPKE_decap(rctx, enc, enclen, privp, NULL, 0)))
  1474. goto end;
  1475. /* second decap fail */
  1476. if (!TEST_false(OSSL_HPKE_decap(rctx, enc, enclen, privp, NULL, 0)))
  1477. goto end;
  1478. /* no space for recovered clear */
  1479. clearlen = 0;
  1480. if (!TEST_false(OSSL_HPKE_open(rctx, clear, &clearlen, NULL, 0,
  1481. cipher, cipherlen)))
  1482. goto end;
  1483. clearlen = OSSL_HPKE_TSTSIZE;
  1484. /* seq wrap around test */
  1485. if (!TEST_true(OSSL_HPKE_CTX_set_seq(rctx, -1)))
  1486. goto end;
  1487. if (!TEST_false(OSSL_HPKE_open(rctx, clear, &clearlen, NULL, 0,
  1488. cipher, cipherlen)))
  1489. goto end;
  1490. if (!TEST_true(OSSL_HPKE_CTX_set_seq(rctx, 0)))
  1491. goto end;
  1492. if (!TEST_true(OSSL_HPKE_open(rctx, clear, &clearlen, NULL, 0,
  1493. cipher, cipherlen)))
  1494. goto end;
  1495. if (!TEST_mem_eq(plain, plainlen, clear, clearlen))
  1496. goto end;
  1497. erv = 1;
  1498. end:
  1499. OSSL_HPKE_CTX_free(ctx);
  1500. OSSL_HPKE_CTX_free(rctx);
  1501. EVP_PKEY_free(privp);
  1502. return erv;
  1503. }
  1504. #ifndef OPENSSL_NO_ECX
  1505. /* from RFC 9180 Appendix A.1.1 */
  1506. static const unsigned char ikm25519[] = {
  1507. 0x72, 0x68, 0x60, 0x0d, 0x40, 0x3f, 0xce, 0x43,
  1508. 0x15, 0x61, 0xae, 0xf5, 0x83, 0xee, 0x16, 0x13,
  1509. 0x52, 0x7c, 0xff, 0x65, 0x5c, 0x13, 0x43, 0xf2,
  1510. 0x98, 0x12, 0xe6, 0x67, 0x06, 0xdf, 0x32, 0x34
  1511. };
  1512. static const unsigned char pub25519[] = {
  1513. 0x37, 0xfd, 0xa3, 0x56, 0x7b, 0xdb, 0xd6, 0x28,
  1514. 0xe8, 0x86, 0x68, 0xc3, 0xc8, 0xd7, 0xe9, 0x7d,
  1515. 0x1d, 0x12, 0x53, 0xb6, 0xd4, 0xea, 0x6d, 0x44,
  1516. 0xc1, 0x50, 0xf7, 0x41, 0xf1, 0xbf, 0x44, 0x31
  1517. };
  1518. #endif
  1519. /* from RFC9180 Appendix A.3.1 */
  1520. static const unsigned char ikmp256[] = {
  1521. 0x42, 0x70, 0xe5, 0x4f, 0xfd, 0x08, 0xd7, 0x9d,
  1522. 0x59, 0x28, 0x02, 0x0a, 0xf4, 0x68, 0x6d, 0x8f,
  1523. 0x6b, 0x7d, 0x35, 0xdb, 0xe4, 0x70, 0x26, 0x5f,
  1524. 0x1f, 0x5a, 0xa2, 0x28, 0x16, 0xce, 0x86, 0x0e
  1525. };
  1526. static const unsigned char pubp256[] = {
  1527. 0x04, 0xa9, 0x27, 0x19, 0xc6, 0x19, 0x5d, 0x50,
  1528. 0x85, 0x10, 0x4f, 0x46, 0x9a, 0x8b, 0x98, 0x14,
  1529. 0xd5, 0x83, 0x8f, 0xf7, 0x2b, 0x60, 0x50, 0x1e,
  1530. 0x2c, 0x44, 0x66, 0xe5, 0xe6, 0x7b, 0x32, 0x5a,
  1531. 0xc9, 0x85, 0x36, 0xd7, 0xb6, 0x1a, 0x1a, 0xf4,
  1532. 0xb7, 0x8e, 0x5b, 0x7f, 0x95, 0x1c, 0x09, 0x00,
  1533. 0xbe, 0x86, 0x3c, 0x40, 0x3c, 0xe6, 0x5c, 0x9b,
  1534. 0xfc, 0xb9, 0x38, 0x26, 0x57, 0x22, 0x2d, 0x18,
  1535. 0xc4
  1536. };
  1537. /*
  1538. * A test vector that exercises the counter iteration
  1539. * for p256. This was contributed by Ilari L. on the
  1540. * CFRG list, see the mail archive:
  1541. * https://mailarchive.ietf.org/arch/msg/cfrg/4zwl_y5YN6OU9oeWZOMHNOlOa2w/
  1542. */
  1543. static const unsigned char ikmiter[] = {
  1544. 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  1545. 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  1546. 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  1547. 0x00, 0x00, 0x00, 0x03, 0x01, 0x38, 0xb5, 0xec
  1548. };
  1549. static const unsigned char pubiter[] = {
  1550. 0x04, 0x7d, 0x0c, 0x87, 0xff, 0xd5, 0xd1, 0x45,
  1551. 0x54, 0xa7, 0x51, 0xdf, 0xa3, 0x99, 0x26, 0xa9,
  1552. 0xe3, 0x0e, 0x7c, 0x3c, 0x65, 0x62, 0x4f, 0x4b,
  1553. 0x5f, 0xb3, 0xad, 0x7a, 0xa4, 0xda, 0xc2, 0x4a,
  1554. 0xd8, 0xf5, 0xbe, 0xd0, 0xe8, 0x6e, 0xb8, 0x84,
  1555. 0x1c, 0xe4, 0x89, 0x2e, 0x0f, 0xc3, 0x87, 0xbb,
  1556. 0xdb, 0xfe, 0x16, 0x0d, 0x58, 0x9c, 0x89, 0x2d,
  1557. 0xd4, 0xb1, 0x46, 0x4a, 0xc3, 0x51, 0xc5, 0x6f,
  1558. 0xb6
  1559. };
  1560. /* from RFC9180 Appendix A.6.1 */
  1561. static const unsigned char ikmp521[] = {
  1562. 0x7f, 0x06, 0xab, 0x82, 0x15, 0x10, 0x5f, 0xc4,
  1563. 0x6a, 0xce, 0xeb, 0x2e, 0x3d, 0xc5, 0x02, 0x8b,
  1564. 0x44, 0x36, 0x4f, 0x96, 0x04, 0x26, 0xeb, 0x0d,
  1565. 0x8e, 0x40, 0x26, 0xc2, 0xf8, 0xb5, 0xd7, 0xe7,
  1566. 0xa9, 0x86, 0x68, 0x8f, 0x15, 0x91, 0xab, 0xf5,
  1567. 0xab, 0x75, 0x3c, 0x35, 0x7a, 0x5d, 0x6f, 0x04,
  1568. 0x40, 0x41, 0x4b, 0x4e, 0xd4, 0xed, 0xe7, 0x13,
  1569. 0x17, 0x77, 0x2a, 0xc9, 0x8d, 0x92, 0x39, 0xf7,
  1570. 0x09, 0x04
  1571. };
  1572. static const unsigned char pubp521[] = {
  1573. 0x04, 0x01, 0x38, 0xb3, 0x85, 0xca, 0x16, 0xbb,
  1574. 0x0d, 0x5f, 0xa0, 0xc0, 0x66, 0x5f, 0xbb, 0xd7,
  1575. 0xe6, 0x9e, 0x3e, 0xe2, 0x9f, 0x63, 0x99, 0x1d,
  1576. 0x3e, 0x9b, 0x5f, 0xa7, 0x40, 0xaa, 0xb8, 0x90,
  1577. 0x0a, 0xae, 0xed, 0x46, 0xed, 0x73, 0xa4, 0x90,
  1578. 0x55, 0x75, 0x84, 0x25, 0xa0, 0xce, 0x36, 0x50,
  1579. 0x7c, 0x54, 0xb2, 0x9c, 0xc5, 0xb8, 0x5a, 0x5c,
  1580. 0xee, 0x6b, 0xae, 0x0c, 0xf1, 0xc2, 0x1f, 0x27,
  1581. 0x31, 0xec, 0xe2, 0x01, 0x3d, 0xc3, 0xfb, 0x7c,
  1582. 0x8d, 0x21, 0x65, 0x4b, 0xb1, 0x61, 0xb4, 0x63,
  1583. 0x96, 0x2c, 0xa1, 0x9e, 0x8c, 0x65, 0x4f, 0xf2,
  1584. 0x4c, 0x94, 0xdd, 0x28, 0x98, 0xde, 0x12, 0x05,
  1585. 0x1f, 0x1e, 0xd0, 0x69, 0x22, 0x37, 0xfb, 0x02,
  1586. 0xb2, 0xf8, 0xd1, 0xdc, 0x1c, 0x73, 0xe9, 0xb3,
  1587. 0x66, 0xb5, 0x29, 0xeb, 0x43, 0x6e, 0x98, 0xa9,
  1588. 0x96, 0xee, 0x52, 0x2a, 0xef, 0x86, 0x3d, 0xd5,
  1589. 0x73, 0x9d, 0x2f, 0x29, 0xb0
  1590. };
  1591. static int test_hpke_random_suites(void)
  1592. {
  1593. OSSL_HPKE_SUITE def_suite = OSSL_HPKE_SUITE_DEFAULT;
  1594. OSSL_HPKE_SUITE suite = OSSL_HPKE_SUITE_DEFAULT;
  1595. OSSL_HPKE_SUITE suite2 = { 0xff01, 0xff02, 0xff03 };
  1596. unsigned char enc[200];
  1597. size_t enclen = sizeof(enc);
  1598. unsigned char ct[500];
  1599. size_t ctlen = sizeof(ct);
  1600. /* test with NULL/0 inputs */
  1601. if (!TEST_false(OSSL_HPKE_get_grease_value(NULL, NULL,
  1602. NULL, NULL, NULL, 0,
  1603. testctx, NULL)))
  1604. return 0;
  1605. enclen = 10;
  1606. if (!TEST_false(OSSL_HPKE_get_grease_value(&def_suite, &suite2,
  1607. enc, &enclen, ct, ctlen,
  1608. testctx, NULL)))
  1609. return 0;
  1610. enclen = sizeof(enc); /* reset, 'cause get_grease() will have set */
  1611. /* test with a should-be-good suite */
  1612. if (!TEST_true(OSSL_HPKE_get_grease_value(&def_suite, &suite2,
  1613. enc, &enclen, ct, ctlen,
  1614. testctx, NULL)))
  1615. return 0;
  1616. /* no suggested suite */
  1617. enclen = sizeof(enc); /* reset, 'cause get_grease() will have set */
  1618. if (!TEST_true(OSSL_HPKE_get_grease_value(NULL, &suite2,
  1619. enc, &enclen,
  1620. ct, ctlen,
  1621. testctx, NULL)))
  1622. return 0;
  1623. /* suggested suite with P-521, just to be sure we hit long values */
  1624. enclen = sizeof(enc); /* reset, 'cause get_grease() will have set */
  1625. suite.kem_id = OSSL_HPKE_KEM_ID_P521;
  1626. if (!TEST_true(OSSL_HPKE_get_grease_value(&suite, &suite2,
  1627. enc, &enclen, ct, ctlen,
  1628. testctx, NULL)))
  1629. return 0;
  1630. enclen = sizeof(enc);
  1631. ctlen = 2; /* too-short cttext (can't fit an aead tag) */
  1632. if (!TEST_false(OSSL_HPKE_get_grease_value(NULL, &suite2,
  1633. enc, &enclen, ct, ctlen,
  1634. testctx, NULL)))
  1635. return 0;
  1636. ctlen = sizeof(ct);
  1637. enclen = sizeof(enc);
  1638. suite.kem_id = OSSL_HPKE_KEM_ID_X25519; /* back to default */
  1639. suite.aead_id = 0x1234; /* bad aead */
  1640. if (!TEST_false(OSSL_HPKE_get_grease_value(&suite, &suite2,
  1641. enc, &enclen, ct, ctlen,
  1642. testctx, NULL)))
  1643. return 0;
  1644. enclen = sizeof(enc);
  1645. suite.aead_id = def_suite.aead_id; /* good aead */
  1646. suite.kdf_id = 0x3451; /* bad kdf */
  1647. if (!TEST_false(OSSL_HPKE_get_grease_value(&suite, &suite2,
  1648. enc, &enclen, ct, ctlen,
  1649. testctx, NULL)))
  1650. return 0;
  1651. enclen = sizeof(enc);
  1652. suite.kdf_id = def_suite.kdf_id; /* good kdf */
  1653. suite.kem_id = 0x4517; /* bad kem */
  1654. if (!TEST_false(OSSL_HPKE_get_grease_value(&suite, &suite2,
  1655. enc, &enclen, ct, ctlen,
  1656. testctx, NULL)))
  1657. return 0;
  1658. return 1;
  1659. }
  1660. /*
  1661. * @brief generate a key pair from initial key material (ikm) and check public
  1662. * @param kem_id the KEM to use (RFC9180 code point)
  1663. * @ikm is the initial key material buffer
  1664. * @ikmlen is the length of ikm
  1665. * @pub is the public key buffer
  1666. * @publen is the length of the public key
  1667. * @return 1 for good, other otherwise
  1668. *
  1669. * This calls OSSL_HPKE_keygen specifying only the IKM, then
  1670. * compares the key pair values with the already-known values
  1671. * that were input.
  1672. */
  1673. static int test_hpke_one_ikm_gen(uint16_t kem_id,
  1674. const unsigned char *ikm, size_t ikmlen,
  1675. const unsigned char *pub, size_t publen)
  1676. {
  1677. OSSL_HPKE_SUITE hpke_suite = OSSL_HPKE_SUITE_DEFAULT;
  1678. unsigned char lpub[OSSL_HPKE_TSTSIZE];
  1679. size_t lpublen = OSSL_HPKE_TSTSIZE;
  1680. EVP_PKEY *sk = NULL;
  1681. hpke_suite.kem_id = kem_id;
  1682. if (!TEST_true(OSSL_HPKE_keygen(hpke_suite, lpub, &lpublen, &sk,
  1683. ikm, ikmlen, testctx, NULL)))
  1684. return 0;
  1685. if (!TEST_ptr(sk))
  1686. return 0;
  1687. EVP_PKEY_free(sk);
  1688. if (!TEST_mem_eq(pub, publen, lpub, lpublen))
  1689. return 0;
  1690. return 1;
  1691. }
  1692. /*
  1693. * @brief test some uses of IKM produce the expected public keys
  1694. */
  1695. static int test_hpke_ikms(void)
  1696. {
  1697. int res = 1;
  1698. #ifndef OPENSSL_NO_ECX
  1699. res = test_hpke_one_ikm_gen(OSSL_HPKE_KEM_ID_X25519,
  1700. ikm25519, sizeof(ikm25519),
  1701. pub25519, sizeof(pub25519));
  1702. if (res != 1)
  1703. return res;
  1704. #endif
  1705. res = test_hpke_one_ikm_gen(OSSL_HPKE_KEM_ID_P521,
  1706. ikmp521, sizeof(ikmp521),
  1707. pubp521, sizeof(pubp521));
  1708. if (res != 1)
  1709. return res;
  1710. res = test_hpke_one_ikm_gen(OSSL_HPKE_KEM_ID_P256,
  1711. ikmp256, sizeof(ikmp256),
  1712. pubp256, sizeof(pubp256));
  1713. if (res != 1)
  1714. return res;
  1715. res = test_hpke_one_ikm_gen(OSSL_HPKE_KEM_ID_P256,
  1716. ikmiter, sizeof(ikmiter),
  1717. pubiter, sizeof(pubiter));
  1718. if (res != 1)
  1719. return res;
  1720. return res;
  1721. }
  1722. /*
  1723. * Test that use of a compressed format auth public key works
  1724. * We'll do a typical round-trip for auth mode but provide the
  1725. * auth public key in compressed form. That should work.
  1726. */
  1727. static int test_hpke_compressed(void)
  1728. {
  1729. int erv = 0;
  1730. EVP_PKEY *privp = NULL;
  1731. unsigned char pub[OSSL_HPKE_TSTSIZE];
  1732. size_t publen = sizeof(pub);
  1733. EVP_PKEY *authpriv = NULL;
  1734. unsigned char authpub[OSSL_HPKE_TSTSIZE];
  1735. size_t authpublen = sizeof(authpub);
  1736. int hpke_mode = OSSL_HPKE_MODE_AUTH;
  1737. OSSL_HPKE_SUITE hpke_suite = OSSL_HPKE_SUITE_DEFAULT;
  1738. OSSL_HPKE_CTX *ctx = NULL;
  1739. OSSL_HPKE_CTX *rctx = NULL;
  1740. unsigned char plain[] = "quick brown fox";
  1741. size_t plainlen = sizeof(plain);
  1742. unsigned char enc[OSSL_HPKE_TSTSIZE];
  1743. size_t enclen = sizeof(enc);
  1744. unsigned char cipher[OSSL_HPKE_TSTSIZE];
  1745. size_t cipherlen = sizeof(cipher);
  1746. unsigned char clear[OSSL_HPKE_TSTSIZE];
  1747. size_t clearlen = sizeof(clear);
  1748. hpke_suite.kem_id = OSSL_HPKE_KEM_ID_P256;
  1749. /* generate auth key pair */
  1750. if (!TEST_true(OSSL_HPKE_keygen(hpke_suite, authpub, &authpublen, &authpriv,
  1751. NULL, 0, testctx, NULL)))
  1752. goto end;
  1753. /* now get the compressed form public key */
  1754. if (!TEST_true(EVP_PKEY_set_utf8_string_param(authpriv,
  1755. OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT,
  1756. OSSL_PKEY_EC_POINT_CONVERSION_FORMAT_COMPRESSED)))
  1757. goto end;
  1758. if (!TEST_true(EVP_PKEY_get_octet_string_param(authpriv,
  1759. OSSL_PKEY_PARAM_PUB_KEY,
  1760. authpub,
  1761. sizeof(authpub),
  1762. &authpublen)))
  1763. goto end;
  1764. /* sender side as usual */
  1765. if (!TEST_true(OSSL_HPKE_keygen(hpke_suite, pub, &publen, &privp,
  1766. NULL, 0, testctx, NULL)))
  1767. goto end;
  1768. if (!TEST_ptr(ctx = OSSL_HPKE_CTX_new(hpke_mode, hpke_suite,
  1769. OSSL_HPKE_ROLE_SENDER,
  1770. testctx, NULL)))
  1771. goto end;
  1772. if (!TEST_true(OSSL_HPKE_CTX_set1_authpriv(ctx, authpriv)))
  1773. goto end;
  1774. if (!TEST_true(OSSL_HPKE_encap(ctx, enc, &enclen, pub, publen, NULL, 0)))
  1775. goto end;
  1776. if (!TEST_true(OSSL_HPKE_seal(ctx, cipher, &cipherlen, NULL, 0,
  1777. plain, plainlen)))
  1778. goto end;
  1779. /* receiver side providing compressed form of auth public */
  1780. if (!TEST_ptr(rctx = OSSL_HPKE_CTX_new(hpke_mode, hpke_suite,
  1781. OSSL_HPKE_ROLE_RECEIVER,
  1782. testctx, NULL)))
  1783. goto end;
  1784. if (!TEST_true(OSSL_HPKE_CTX_set1_authpub(rctx, authpub, authpublen)))
  1785. goto end;
  1786. if (!TEST_true(OSSL_HPKE_decap(rctx, enc, enclen, privp, NULL, 0)))
  1787. goto end;
  1788. if (!TEST_true(OSSL_HPKE_open(rctx, clear, &clearlen, NULL, 0,
  1789. cipher, cipherlen)))
  1790. goto end;
  1791. erv = 1;
  1792. end:
  1793. EVP_PKEY_free(privp);
  1794. EVP_PKEY_free(authpriv);
  1795. OSSL_HPKE_CTX_free(ctx);
  1796. OSSL_HPKE_CTX_free(rctx);
  1797. return erv;
  1798. }
  1799. /*
  1800. * Test that nonce reuse calls are prevented as we expect
  1801. */
  1802. static int test_hpke_noncereuse(void)
  1803. {
  1804. int erv = 0;
  1805. EVP_PKEY *privp = NULL;
  1806. unsigned char pub[OSSL_HPKE_TSTSIZE];
  1807. size_t publen = sizeof(pub);
  1808. int hpke_mode = OSSL_HPKE_MODE_BASE;
  1809. OSSL_HPKE_SUITE hpke_suite = OSSL_HPKE_SUITE_DEFAULT;
  1810. OSSL_HPKE_CTX *ctx = NULL;
  1811. OSSL_HPKE_CTX *rctx = NULL;
  1812. unsigned char plain[] = "quick brown fox";
  1813. size_t plainlen = sizeof(plain);
  1814. unsigned char enc[OSSL_HPKE_TSTSIZE];
  1815. size_t enclen = sizeof(enc);
  1816. unsigned char cipher[OSSL_HPKE_TSTSIZE];
  1817. size_t cipherlen = sizeof(cipher);
  1818. unsigned char clear[OSSL_HPKE_TSTSIZE];
  1819. size_t clearlen = sizeof(clear);
  1820. uint64_t seq = 0xbad1dea;
  1821. /* sender side is not allowed set seq once some crypto done */
  1822. if (!TEST_true(OSSL_HPKE_keygen(hpke_suite, pub, &publen, &privp,
  1823. NULL, 0, testctx, NULL)))
  1824. goto end;
  1825. if (!TEST_ptr(ctx = OSSL_HPKE_CTX_new(hpke_mode, hpke_suite,
  1826. OSSL_HPKE_ROLE_SENDER,
  1827. testctx, NULL)))
  1828. goto end;
  1829. /* set seq will fail before any crypto done */
  1830. if (!TEST_false(OSSL_HPKE_CTX_set_seq(ctx, seq)))
  1831. goto end;
  1832. if (!TEST_true(OSSL_HPKE_encap(ctx, enc, &enclen, pub, publen, NULL, 0)))
  1833. goto end;
  1834. /* set seq will also fail after some crypto done */
  1835. if (!TEST_false(OSSL_HPKE_CTX_set_seq(ctx, seq + 1)))
  1836. goto end;
  1837. if (!TEST_true(OSSL_HPKE_seal(ctx, cipher, &cipherlen, NULL, 0,
  1838. plain, plainlen)))
  1839. goto end;
  1840. /* receiver side is allowed control seq */
  1841. if (!TEST_ptr(rctx = OSSL_HPKE_CTX_new(hpke_mode, hpke_suite,
  1842. OSSL_HPKE_ROLE_RECEIVER,
  1843. testctx, NULL)))
  1844. goto end;
  1845. /* set seq will work before any crypto done */
  1846. if (!TEST_true(OSSL_HPKE_CTX_set_seq(rctx, seq)))
  1847. goto end;
  1848. if (!TEST_true(OSSL_HPKE_decap(rctx, enc, enclen, privp, NULL, 0)))
  1849. goto end;
  1850. /* set seq will work for receivers even after crypto done */
  1851. if (!TEST_true(OSSL_HPKE_CTX_set_seq(rctx, seq)))
  1852. goto end;
  1853. /* but that value isn't good so decap will fail */
  1854. if (!TEST_false(OSSL_HPKE_open(rctx, clear, &clearlen, NULL, 0,
  1855. cipher, cipherlen)))
  1856. goto end;
  1857. /* reset seq to correct value and _open() should work */
  1858. if (!TEST_true(OSSL_HPKE_CTX_set_seq(rctx, 0)))
  1859. goto end;
  1860. if (!TEST_true(OSSL_HPKE_open(rctx, clear, &clearlen, NULL, 0,
  1861. cipher, cipherlen)))
  1862. goto end;
  1863. erv = 1;
  1864. end:
  1865. EVP_PKEY_free(privp);
  1866. OSSL_HPKE_CTX_free(ctx);
  1867. OSSL_HPKE_CTX_free(rctx);
  1868. return erv;
  1869. }
  1870. typedef enum OPTION_choice {
  1871. OPT_ERR = -1,
  1872. OPT_EOF = 0,
  1873. OPT_VERBOSE,
  1874. OPT_TEST_ENUM
  1875. } OPTION_CHOICE;
  1876. const OPTIONS *test_get_options(void)
  1877. {
  1878. static const OPTIONS test_options[] = {
  1879. OPT_TEST_OPTIONS_DEFAULT_USAGE,
  1880. { "v", OPT_VERBOSE, '-', "Enable verbose mode" },
  1881. { OPT_HELP_STR, 1, '-', "Run HPKE tests\n" },
  1882. { NULL }
  1883. };
  1884. return test_options;
  1885. }
  1886. int setup_tests(void)
  1887. {
  1888. OPTION_CHOICE o;
  1889. while ((o = opt_next()) != OPT_EOF) {
  1890. switch (o) {
  1891. case OPT_VERBOSE:
  1892. verbose = 1; /* Print progress dots */
  1893. break;
  1894. case OPT_TEST_CASES:
  1895. break;
  1896. default:
  1897. return 0;
  1898. }
  1899. }
  1900. if (!test_get_libctx(&testctx, &nullprov, NULL, &deflprov, "default"))
  1901. return 0;
  1902. #ifndef OPENSSL_NO_ECX
  1903. ADD_TEST(export_only_test);
  1904. ADD_TEST(x25519kdfsha256_hkdfsha256_aes128gcm_base_test);
  1905. ADD_TEST(x25519kdfsha256_hkdfsha256_aes128gcm_psk_test);
  1906. #endif
  1907. ADD_TEST(P256kdfsha256_hkdfsha256_aes128gcm_base_test);
  1908. ADD_TEST(test_hpke_export);
  1909. ADD_TEST(test_hpke_modes_suites);
  1910. ADD_TEST(test_hpke_suite_strs);
  1911. ADD_TEST(test_hpke_grease);
  1912. ADD_TEST(test_hpke_ikms);
  1913. ADD_TEST(test_hpke_random_suites);
  1914. ADD_TEST(test_hpke_oddcalls);
  1915. ADD_TEST(test_hpke_compressed);
  1916. ADD_TEST(test_hpke_noncereuse);
  1917. return 1;
  1918. }
  1919. void cleanup_tests(void)
  1920. {
  1921. OSSL_PROVIDER_unload(deflprov);
  1922. OSSL_PROVIDER_unload(nullprov);
  1923. OSSL_LIB_CTX_free(testctx);
  1924. }