kdf_hmac_ctr_functest.c
1 // Copyright lowRISC contributors (OpenTitan project).
2 // Licensed under the Apache License, Version 2.0, see LICENSE for details.
3 // SPDX-License-Identifier: Apache-2.0
4 
5 #include "sw/device/lib/crypto/drivers/entropy.h"
6 #include "sw/device/lib/crypto/impl/integrity.h"
7 #include "sw/device/lib/crypto/impl/keyblob.h"
11 #include "sw/device/lib/testing/test_framework/check.h"
13 
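/**
 * One known-answer test vector for the counter-mode HMAC KDF.
 *
 * The key derivation key and the expected keying material are stored as
 * 32-bit words; context and label are byte strings. All lengths are in bytes.
 */
typedef struct kdf_test_vector {
  /**
   * Key mode for KDF (e.g. kOtcryptoKeyModeHmacSha256).
   */
  otcrypto_key_mode_t key_mode;
  /**
   * Input key derivation key.
   */
  uint32_t *key_derivation_key;
  /**
   * Length of key derivation key in bytes.
   */
  size_t kdk_bytelen;
  /**
   * Context string (may be NULL when the length is zero).
   */
  uint8_t *kdf_context;
  /**
   * Length of context in bytes.
   */
  size_t kdf_context_bytelen;
  /**
   * Label string (may be NULL when the length is zero).
   */
  uint8_t *kdf_label;
  /**
   * Length of label in bytes.
   */
  size_t kdf_label_bytelen;
  /**
   * Key mode of the keying material.
   */
  otcrypto_key_mode_t km_mode;
  /**
   * Expected output keying material.
   */
  uint32_t *keying_material;
  /**
   * Length of keying material in bytes.
   */
  size_t km_bytelen;
} kdf_test_vector_t;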
59 
// Fixed masking value used to blind the test keys. The array is sized for the
// longest test key, and the mask should not affect the derived result.
//
// Only the first 34 words are given explicitly (one 17-word pattern written
// twice); the remaining words are zero-initialized. Test keys longer than 34
// words are therefore paired with an all-zero mask beyond that point, so these
// vectors do not exercise masking of the tail of a long key.
// NOTE(review): presumably `keyblob_from_key_and_mask` combines the mask with
// the key word by word -- confirm before relying on this array anywhere other
// than known-answer tests.
static const uint32_t kTestMask[512] = {
    // First copy of the 17-word pattern.
    0x8cb847c3, 0xc6d34f36, 0x72edbf7b, 0x9bc0317f, 0x8f003c7f, 0x1d7ba049,
    0xfd463b63, 0xbb720c44, 0x784c215e, 0xeb101d65, 0x35beb911, 0xab481345,
    0xa7ebc3e3, 0x04b2a1b9, 0x764a9630, 0x78b8f9c5, 0x3f2a1d8e,
    // Second copy of the same pattern.
    0x8cb847c3, 0xc6d34f36, 0x72edbf7b, 0x9bc0317f, 0x8f003c7f, 0x1d7ba049,
    0xfd463b63, 0xbb720c44, 0x784c215e, 0xeb101d65, 0x35beb911, 0xab481345,
    0xa7ebc3e3, 0x04b2a1b9, 0x764a9630, 0x78b8f9c5, 0x3f2a1d8e,
};
70 
/**
 * Run one KDF test vector through the API and check the result.
 *
 * The vector's plain key derivation key is blinded with `kTestMask`, an output
 * key of `km_bytelen` bytes is requested from `otcrypto_kdf_ctr_hmac` with the
 * vector's label and context, and the two output shares are then recombined
 * and compared byte-for-byte with the expected keying material.
 *
 * The derived key is unmasked here only so that it can be compared with the
 * expected test-vector value.
 *
 * @param test Test vector to run.
 * @return Result (OK or error).
 */
static status_t run_test(kdf_test_vector_t *test) {
  // The mask words are read from `kTestMask`, so the key cannot be longer.
  if (test->kdk_bytelen > sizeof(kTestMask)) {
    // If we get this error, we probably just need to make `kTestMask` longer.
    return OUT_OF_RANGE();
  }

  // Byte-buffer views of the vector's label and context.
  otcrypto_const_byte_buf_t label = {
      .data = test->kdf_label,
      .len = test->kdf_label_bytelen,
  };
  otcrypto_const_byte_buf_t context = {
      .data = test->kdf_context,
      .len = test->kdf_context_bytelen,
  };

  // Configuration of the input key derivation key.
  otcrypto_key_config_t kdk_config = {
      .version = kOtcryptoLibVersion1,
      .key_mode = test->key_mode,
      .key_length = test->kdk_bytelen,
      .hw_backed = kHardenedBoolFalse,
      .exportable = kHardenedBoolFalse,
      .security_level = kOtcryptoKeySecurityLevelLow,
  };

  // Configuration of the output keying material. The key mode here doesn't
  // really matter, it just needs to be some symmetric key.
  otcrypto_key_config_t km_config = {
      .version = kOtcryptoLibVersion1,
      .key_mode = test->km_mode,
      .key_length = test->km_bytelen,
      .hw_backed = kHardenedBoolFalse,
      .exportable = kHardenedBoolFalse,
      .security_level = kOtcryptoKeySecurityLevelLow,
  };

  // Blind the plain key derivation key and wrap it in a blinded key struct.
  uint32_t kdk_keyblob[keyblob_num_words(kdk_config)];
  TRY(keyblob_from_key_and_mask(test->key_derivation_key, kTestMask, kdk_config,
                                kdk_keyblob));
  otcrypto_blinded_key_t kdk = {
      .config = kdk_config,
      .keyblob = kdk_keyblob,
      .keyblob_length = sizeof(kdk_keyblob),
  };
  kdk.checksum = integrity_blinded_checksum(&kdk);

  // Blinded key struct that receives the derived keying material.
  uint32_t km_keyblob[keyblob_num_words(km_config)];
  otcrypto_blinded_key_t km = {
      .config = km_config,
      .keyblob = km_keyblob,
      .keyblob_length = sizeof(km_keyblob),
  };

  // Only the HMAC key modes select a KDF here; anything else is a malformed
  // test vector.
  if (test->key_mode != kOtcryptoKeyModeHmacSha256 &&
      test->key_mode != kOtcryptoKeyModeHmacSha384 &&
      test->key_mode != kOtcryptoKeyModeHmacSha512) {
    LOG_INFO("Should never end up here.");
    return INVALID_ARGUMENT();
  }
  TRY(otcrypto_kdf_ctr_hmac(kdk, label, context, &km));

  LOG_INFO("KDF operation completed.");

  // Recombine the two shares of the output key and compare the result with
  // the expected value.
  uint32_t *share0;
  uint32_t *share1;
  TRY(keyblob_to_shares(&km, &share0, &share1));

  const size_t share_words = keyblob_share_num_words(km_config);
  uint32_t recombined[share_words];
  for (size_t word = 0; word < share_words; word++) {
    recombined[word] = share0[word] ^ share1[word];
  }

  TRY_CHECK_ARRAYS_EQ((unsigned char *)recombined,
                      (unsigned char *)test->keying_material, test->km_bytelen);
  return OK_STATUS();
}
159 
160 /**
161  * Test case 1:
162  *
163  * Basic test case with HMAC SHA256 using 128 bit input and output keys
164  *
165  * KDF Mode = HMAC Counter
166  * KDK = 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b (16 octets)
167  * context = 0x01020304 (4 octets)
168  * label = 0xf0f1f2f3 (4 octets)
169  * L = 128 bits
170  *
171  * KM = 0xe934f5c810d429b26c747541d898e19a (16 octets)
172  */
static status_t kdf_hmac_ctr_sha256_kdk16_km16_test(void) {
  // Key derivation key: 16 octets of 0x0b.
  uint32_t kdk_data[] = {0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b};
  uint8_t context_data[] = {0x01, 0x02, 0x03, 0x04};
  uint8_t label_data[] = {0xf0, 0xf1, 0xf2, 0xf3};
  // Expected keying material. Each word packs four consecutive octets with
  // the first octet in the least-significant byte (e9 34 f5 c8 -> 0xc8f534e9).
  uint32_t km_data[] = {0xc8f534e9, 0xb229d410, 0x4175746c, 0x9ae198d8};

  // Lengths are taken from the arrays so they cannot drift from the data.
  kdf_test_vector_t vector = {
      .key_mode = kOtcryptoKeyModeHmacSha256,
      .key_derivation_key = kdk_data,
      .kdk_bytelen = sizeof(kdk_data),
      .kdf_context = context_data,
      .kdf_context_bytelen = sizeof(context_data),
      .kdf_label = label_data,
      .kdf_label_bytelen = sizeof(label_data),
      .km_mode = kOtcryptoKeyModeAesCtr,
      .keying_material = km_data,
      .km_bytelen = sizeof(km_data),
  };
  return run_test(&vector);
}
213 
214 /**
215  * Test case 2:
216  *
217  * Basic test case with HMAC SHA256 using 256 bit input and output keys
218  *
219  * KDF Mode = HMAC Counter
220  * KDK = 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
221  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b (32 octets)
222  * context = 0x606162636465 (6 octets)
223  * label = 0xb0b1b2b3b4b5 (6 octets)
224  * L = 256 bits
225  *
226  * KM = 0x12b44b700276c03074cd99f98763574b
227  * 7bf71c30340223790bf0b8f53fcf3c86 (32 octets)
228  */
static status_t kdf_hmac_ctr_sha256_kdk32_km32_test(void) {
  // Key derivation key: 32 octets of 0x0b.
  uint32_t kdk_data[] = {
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
  };
  uint8_t context_data[] = {0x60, 0x61, 0x62, 0x63, 0x64, 0x65};
  uint8_t label_data[] = {0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5};
  // Expected keying material. Each word packs four consecutive octets with
  // the first octet in the least-significant byte (12 b4 4b 70 -> 0x704bb412).
  uint32_t km_data[] = {
      0x704bb412, 0x30c07602, 0xf999cd74, 0x4b576387,
      0x301cf77b, 0x79230234, 0xf5b8f00b, 0x863ccf3f,
  };

  // Lengths are taken from the arrays so they cannot drift from the data.
  kdf_test_vector_t vector = {
      .key_mode = kOtcryptoKeyModeHmacSha256,
      .key_derivation_key = kdk_data,
      .kdk_bytelen = sizeof(kdk_data),
      .kdf_context = context_data,
      .kdf_context_bytelen = sizeof(context_data),
      .kdf_label = label_data,
      .kdf_label_bytelen = sizeof(label_data),
      .km_mode = kOtcryptoKeyModeAesCbc,
      .keying_material = km_data,
      .km_bytelen = sizeof(km_data),
  };
  return run_test(&vector);
}
259 
260 /**
261  * Test case 3:
262  *
263  * Basic test case with HMAC SHA256 using 384 bit input and output keys
264  *
265  * KDF Mode = HMAC Counter
266  * KDK = 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
267  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
268  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b (48 octets)
269  * context = (0 octets)
270  * label = (0 octets)
271  * L = 384 bits
272  *
273  * KM = 0xf42c0c520de76893bba8aa7271431fdd
274  * 86b55523d3287a8e81b206685d3b3b95
275  * c099031b5aa56d98656220a715a1b145 (48 octets)
276  */
static status_t kdf_hmac_ctr_sha256_kdk48_km48_test(void) {
  // Key derivation key: 48 octets of 0x0b.
  uint32_t kdk_data[] = {
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
  };
  // Expected keying material. Each word packs four consecutive octets with
  // the first octet in the least-significant byte (f4 2c 0c 52 -> 0x520c2cf4).
  uint32_t km_data[] = {
      0x520c2cf4, 0x9368e70d, 0x72aaa8bb, 0xdd1f4371, 0x2355b586, 0x8e7a28d3,
      0x6806b281, 0x953b3b5d, 0x1b0399c0, 0x986da55a, 0xa7206265, 0x45b1a115,
  };

  // This vector has neither context nor label: both buffers are NULL with a
  // length of zero.
  kdf_test_vector_t vector = {
      .key_mode = kOtcryptoKeyModeHmacSha256,
      .key_derivation_key = kdk_data,
      .kdk_bytelen = sizeof(kdk_data),
      .kdf_context = NULL,
      .kdf_context_bytelen = 0,
      .kdf_label = NULL,
      .kdf_label_bytelen = 0,
      .km_mode = kOtcryptoKeyModeAesEcb,
      .keying_material = km_data,
      .km_bytelen = sizeof(km_data),
  };
  return run_test(&vector);
}
301 
302 /**
303  * Test case 4:
304  *
305  * Basic test case with HMAC SHA256 using 2048 bit input and output keys
306  *
307  * KDF Mode = HMAC Counter
308  * KDK = 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
309  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
310  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
311  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
312  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
313  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
314  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
315  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
316  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
317  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
318  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
319  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
320  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
321  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
322  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
323  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b (256 octets)
324  * context = 0x8081828384858687 (8 octets)
325  * label = 0xc0c1c2c3c4c5 (6 octets)
326  * L = 2048 bits
327  *
328  * KM = 0x555a7c55afffa007213b9fd8560362d1
329  * d1fa720e5273e66ab5454516b809c48f
330  * 8da0380745a93db45e3a46212e05ce04
331  * 93b85b5a7cd46d22202b75b4c6dfb16f
332  * 4fc70602188836591c2ab936e44ee94a
333  * 7413e28ebcb0e896f4f0ddb1311c19b6
334  * 4cc79e9abe86fe60dca62a1328c8f444
335  * 9db4e63d1dde6cebad5a21e649080c94
336  * 6438a31f50428aaa88c379e188ec09e5
337  * 515d5acddfd68b4907d895b2213d8d47
338  * f2f521dee8c3abf00e3b3b119ff60375
339  * 18b12d0136a0c3f3ce414ad211939f1a
340  * fbd1526772a2f3df7899b477a2f13ed7
341  * 57657d423655920c8b7adc56adbac307
342  * 9dca7183554f46b4864d9aa0f9dadfc0
343  * d62fa1f4c7e8459b607aad9946003982 (256 octets)
344  */
static status_t kdf_hmac_ctr_sha256_kdk256_km256_test(void) {
  // Key derivation key: 256 octets of 0x0b.
  uint32_t kdk_data[] = {
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
  };
  uint8_t context_data[] = {0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87};
  uint8_t label_data[] = {0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5};
  // Expected keying material. Each word packs four consecutive octets with
  // the first octet in the least-significant byte (55 5a 7c 55 -> 0x557c5a55).
  uint32_t km_data[] = {
      0x557c5a55, 0x07a0ffaf, 0xd89f3b21, 0xd1620356, 0x0e72fad1, 0x6ae67352,
      0x164545b5, 0x8fc409b8, 0x0738a08d, 0xb43da945, 0x21463a5e, 0x04ce052e,
      0x5a5bb893, 0x226dd47c, 0xb4752b20, 0x6fb1dfc6, 0x0206c74f, 0x59368818,
      0x36b92a1c, 0x4ae94ee4, 0x8ee21374, 0x96e8b0bc, 0xb1ddf0f4, 0xb6191c31,
      0x9a9ec74c, 0x60fe86be, 0x132aa6dc, 0x44f4c828, 0x3de6b49d, 0xeb6cde1d,
      0xe6215aad, 0x940c0849, 0x1fa33864, 0xaa8a4250, 0xe179c388, 0xe509ec88,
      0xcd5a5d51, 0x498bd6df, 0xb295d807, 0x478d3d21, 0xde21f5f2, 0xf0abc3e8,
      0x113b3b0e, 0x7503f69f, 0x012db118, 0xf3c3a036, 0xd24a41ce, 0x1a9f9311,
      0x6752d1fb, 0xdff3a272, 0x77b49978, 0xd73ef1a2, 0x427d6557, 0x0c925536,
      0x56dc7a8b, 0x07c3baad, 0x8371ca9d, 0xb4464f55, 0xa09a4d86, 0xc0dfdaf9,
      0xf4a12fd6, 0x9b45e8c7, 0x99ad7a60, 0x82390046,
  };

  // Lengths are taken from the arrays so they cannot drift from the data.
  kdf_test_vector_t vector = {
      .key_mode = kOtcryptoKeyModeHmacSha256,
      .key_derivation_key = kdk_data,
      .kdk_bytelen = sizeof(kdk_data),
      .kdf_context = context_data,
      .kdf_context_bytelen = sizeof(context_data),
      .kdf_label = label_data,
      .kdf_label_bytelen = sizeof(label_data),
      .km_mode = kOtcryptoKeyModeAesGcm,
      .keying_material = km_data,
      .km_bytelen = sizeof(km_data),
  };
  return run_test(&vector);
}
393 
394 /**
395  * Test case 5:
396  *
397  * Basic test case with HMAC SHA256 using 2048 bit input and 128 bit output key
398  *
399  * KDF Mode = HMAC Counter
400  * KDK = 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
401  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
402  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
403  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
404  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
405  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
406  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
407  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
408  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
409  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
410  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
411  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
412  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
413  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
414  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
415  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b (256 octets)
416  * context = 0x90919293 (4 octets)
417  * label = 0xd0d1 (2 octets)
418  * L = 128 bits
419  *
420  * KM = 0xac81a3a1f7c07a3f21d4fce68fd5ac92 (16 octets)
421  */
static status_t kdf_hmac_ctr_sha256_kdk256_km16_test(void) {
  // Key derivation key: 256 octets of 0x0b.
  uint32_t kdk_data[] = {
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
  };
  uint8_t context_data[] = {0x90, 0x91, 0x92, 0x93};
  uint8_t label_data[] = {0xd0, 0xd1};
  // Expected keying material. Each word packs four consecutive octets with
  // the first octet in the least-significant byte (ac 81 a3 a1 -> 0xa1a381ac).
  uint32_t km_data[] = {0xa1a381ac, 0x3f7ac0f7, 0xe6fcd421, 0x92acd58f};

  // Lengths are taken from the arrays so they cannot drift from the data.
  kdf_test_vector_t vector = {
      .key_mode = kOtcryptoKeyModeHmacSha256,
      .key_derivation_key = kdk_data,
      .kdk_bytelen = sizeof(kdk_data),
      .kdf_context = context_data,
      .kdf_context_bytelen = sizeof(context_data),
      .kdf_label = label_data,
      .kdf_label_bytelen = sizeof(label_data),
      .km_mode = kOtcryptoKeyModeAesGcm,
      .keying_material = km_data,
      .km_bytelen = sizeof(km_data),
  };
  return run_test(&vector);
}
467 
468 /**
469  * Test case 6:
470  *
471  * Basic test case with HMAC SHA384 using 128 bit input and output keys
472  *
473  * KDF Mode = HMAC Counter
474  * KDK = 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b (16 octets)
475  * context = 0x01020304 (4 octets)
476  * label = 0xf0f1f2f3 (4 octets)
477  * L = 128 bits
478  *
479  * KM = 0x76a2316d74b63c290c009bf74798e932 (16 octets)
480  */
static status_t kdf_hmac_ctr_sha384_kdk16_km16_test(void) {
  // Key derivation key: 16 octets of 0x0b.
  uint32_t kdk_data[] = {0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b};
  uint8_t context_data[] = {0x01, 0x02, 0x03, 0x04};
  uint8_t label_data[] = {0xf0, 0xf1, 0xf2, 0xf3};
  // Expected keying material. Each word packs four consecutive octets with
  // the first octet in the least-significant byte (76 a2 31 6d -> 0x6d31a276).
  uint32_t km_data[] = {0x6d31a276, 0x293cb674, 0xf79b000c, 0x32e99847};

  // Lengths are taken from the arrays so they cannot drift from the data.
  kdf_test_vector_t vector = {
      .key_mode = kOtcryptoKeyModeHmacSha384,
      .key_derivation_key = kdk_data,
      .kdk_bytelen = sizeof(kdk_data),
      .kdf_context = context_data,
      .kdf_context_bytelen = sizeof(context_data),
      .kdf_label = label_data,
      .kdf_label_bytelen = sizeof(label_data),
      .km_mode = kOtcryptoKeyModeAesCtr,
      .keying_material = km_data,
      .km_bytelen = sizeof(km_data),
  };
  return run_test(&vector);
}
521 
522 /**
523  * Test case 7:
524  *
525  * Basic test case with HMAC SHA384 using 256 bit input and output keys
526  *
527  * KDF Mode = HMAC Counter
528  * KDK = 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
529  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b (32 octets)
530  * context = 0x606162636465 (6 octets)
531  * label = 0xb0b1b2b3b4b5 (6 octets)
532  * L = 256 bits
533  *
534  * KM = 0x6049a11f8be91aa7d4550a75a02513ac
535  * 0987b8beba3461d6e85919f64c789140 (32 octets)
536  */
static status_t kdf_hmac_ctr_sha384_kdk32_km32_test(void) {
  // Key derivation key: 32 octets of 0x0b.
  uint32_t kdk_data[] = {
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
  };
  uint8_t context_data[] = {0x60, 0x61, 0x62, 0x63, 0x64, 0x65};
  uint8_t label_data[] = {0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5};
  // Expected keying material. Each word packs four consecutive octets with
  // the first octet in the least-significant byte (60 49 a1 1f -> 0x1fa14960).
  uint32_t km_data[] = {
      0x1fa14960, 0xa71ae98b, 0x750a55d4, 0xac1325a0,
      0xbeb88709, 0xd66134ba, 0xf61959e8, 0x4091784c,
  };

  // Lengths are taken from the arrays so they cannot drift from the data.
  kdf_test_vector_t vector = {
      .key_mode = kOtcryptoKeyModeHmacSha384,
      .key_derivation_key = kdk_data,
      .kdk_bytelen = sizeof(kdk_data),
      .kdf_context = context_data,
      .kdf_context_bytelen = sizeof(context_data),
      .kdf_label = label_data,
      .kdf_label_bytelen = sizeof(label_data),
      .km_mode = kOtcryptoKeyModeAesCbc,
      .keying_material = km_data,
      .km_bytelen = sizeof(km_data),
  };
  return run_test(&vector);
}
567 
568 /**
569  * Test case 8:
570  *
571  * Basic test case with HMAC SHA384 using 384 bit input and output keys
572  *
573  * KDF Mode = HMAC Counter
574  * KDK = 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
575  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
576  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b (48 octets)
577  * context = (0 octets)
578  * label = (0 octets)
579  * L = 384 bits
580  *
581  * KM = 0xdfeb8693d58307a31d467e72de28dfc2
582  * 2af5d6610d2d25a409a517e412505936
583  * b3d730de63521cfed045d50b5a047415 (48 octets)
584  */
static status_t kdf_hmac_ctr_sha384_kdk48_km48_test(void) {
  // Key derivation key: 48 octets of 0x0b.
  uint32_t kdk_data[] = {
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
  };
  // Expected keying material. Each word packs four consecutive octets with
  // the first octet in the least-significant byte (df eb 86 93 -> 0x9386ebdf).
  uint32_t km_data[] = {
      0x9386ebdf, 0xa30783d5, 0x727e461d, 0xc2df28de, 0x61d6f52a, 0xa4252d0d,
      0xe417a509, 0x36595012, 0xde30d7b3, 0xfe1c5263, 0x0bd545d0, 0x1574045a,
  };

  // This vector has neither context nor label: both buffers are NULL with a
  // length of zero.
  kdf_test_vector_t vector = {
      .key_mode = kOtcryptoKeyModeHmacSha384,
      .key_derivation_key = kdk_data,
      .kdk_bytelen = sizeof(kdk_data),
      .kdf_context = NULL,
      .kdf_context_bytelen = 0,
      .kdf_label = NULL,
      .kdf_label_bytelen = 0,
      .km_mode = kOtcryptoKeyModeAesEcb,
      .keying_material = km_data,
      .km_bytelen = sizeof(km_data),
  };
  return run_test(&vector);
}
609 
610 /**
611  * Test case 9:
612  *
613  * Basic test case with HMAC SHA384 using 2048 bit input and output keys
614  *
615  * KDF Mode = HMAC Counter
616  * KDK = 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
617  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
618  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
619  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
620  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
621  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
622  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
623  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
624  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
625  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
626  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
627  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
628  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
629  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
630  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
631  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b (256 octets)
632  * context = 0x8081828384858687 (8 octets)
633  * label = 0xc0c1c2c3c4c5 (6 octets)
634  * L = 2048 bits
635  *
636  * KM = 0x364f6a06f49bd8c5769f307f02f77408
637  * 021b18e6f7164d0072d1619802ce4d26
638  * 8703c2151600c7b0407d3ab360632555
639  * 4884349b297de9dc881ba3f0b4192922
640  * d31debad207f1f5814bddc5cdc83f88c
641  * c3a355cf51a208021c98c3120eeced6d
642  * 1a42a893d762c19fd3d25ef7002187cd
643  * 27ee87dfede8c7edba7fce4b7ac3a4a1
644  * 474fb01d3dc71ecde102895968e0d579
645  * dad0a08e66ba3675a5b3c10647514dd9
646  * f6530ef6261d3b43a9c5a32332f5a3fc
647  * e7f5b78b285f78aab1edce2500999fc7
648  * 3d47d6b99191a1e3ea92ecef2cba3010
649  * 2ae7f786def30988e0d35e7d41f3d0e1
650  * 88d9aff0710de8e6742d11af66854dc6
651  * c3033fe680f0ee5a03613d1b168e7e24 (256 octets)
652  */
static status_t kdf_hmac_ctr_sha384_kdk256_km256_test(void) {
  // Key derivation key: 256 octets of 0x0b.
  uint32_t kdk_data[] = {
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
  };
  uint8_t context_data[] = {0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87};
  uint8_t label_data[] = {0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5};
  // Expected keying material. Each word packs four consecutive octets with
  // the first octet in the least-significant byte (36 4f 6a 06 -> 0x066a4f36).
  uint32_t km_data[] = {
      0x066a4f36, 0xc5d89bf4, 0x7f309f76, 0x0874f702, 0xe6181b02, 0x004d16f7,
      0x9861d172, 0x264dce02, 0x15c20387, 0xb0c70016, 0xb33a7d40, 0x55256360,
      0x9b348448, 0xdce97d29, 0xf0a31b88, 0x222919b4, 0xadeb1dd3, 0x581f7f20,
      0x5cdcbd14, 0x8cf883dc, 0xcf55a3c3, 0x0208a251, 0x12c3981c, 0x6dedec0e,
      0x93a8421a, 0x9fc162d7, 0xf75ed2d3, 0xcd872100, 0xdf87ee27, 0xedc7e8ed,
      0x4bce7fba, 0xa1a4c37a, 0x1db04f47, 0xcd1ec73d, 0x598902e1, 0x79d5e068,
      0x8ea0d0da, 0x7536ba66, 0x06c1b3a5, 0xd94d5147, 0xf60e53f6, 0x433b1d26,
      0x23a3c5a9, 0xfca3f532, 0x8bb7f5e7, 0xaa785f28, 0x25ceedb1, 0xc79f9900,
      0xb9d6473d, 0xe3a19191, 0xefec92ea, 0x1030ba2c, 0x86f7e72a, 0x8809f3de,
      0x7d5ed3e0, 0xe1d0f341, 0xf0afd988, 0xe6e80d71, 0xaf112d74, 0xc64d8566,
      0xe63f03c3, 0x5aeef080, 0x1b3d6103, 0x247e8e16,
  };

  // Lengths are taken from the arrays so they cannot drift from the data.
  kdf_test_vector_t vector = {
      .key_mode = kOtcryptoKeyModeHmacSha384,
      .key_derivation_key = kdk_data,
      .kdk_bytelen = sizeof(kdk_data),
      .kdf_context = context_data,
      .kdf_context_bytelen = sizeof(context_data),
      .kdf_label = label_data,
      .kdf_label_bytelen = sizeof(label_data),
      .km_mode = kOtcryptoKeyModeAesGcm,
      .keying_material = km_data,
      .km_bytelen = sizeof(km_data),
  };
  return run_test(&vector);
}
701 
702 /**
703  * Test case 10:
704  *
705  * Basic test case with HMAC SHA384 using 2048 bit input and 128 bit output key
706  *
707  * KDF Mode = HMAC Counter
708  * KDK = 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
709  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
710  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
711  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
712  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
713  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
714  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
715  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
716  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
717  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
718  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
719  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
720  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
721  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
722  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
723  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b (256 octets)
724  * context = 0x90919293 (4 octets)
725  * label = 0xd0d1 (2 octets)
726  * L = 128 bits
727  *
728  * KM = 0x65c3b1827789b4ba126751e404f23e2f (16 octets)
729  */
static status_t kdf_hmac_ctr_sha384_kdk256_km16_test(void) {
  // Key derivation key: 256 octets of 0x0b.
  uint32_t kdk_data[] = {
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
  };
  uint8_t context_data[] = {0x90, 0x91, 0x92, 0x93};
  uint8_t label_data[] = {0xd0, 0xd1};
  // Expected keying material. Each word packs four consecutive octets with
  // the first octet in the least-significant byte (65 c3 b1 82 -> 0x82b1c365).
  uint32_t km_data[] = {0x82b1c365, 0xbab48977, 0xe4516712, 0x2f3ef204};

  // Lengths are taken from the arrays so they cannot drift from the data.
  kdf_test_vector_t vector = {
      .key_mode = kOtcryptoKeyModeHmacSha384,
      .key_derivation_key = kdk_data,
      .kdk_bytelen = sizeof(kdk_data),
      .kdf_context = context_data,
      .kdf_context_bytelen = sizeof(context_data),
      .kdf_label = label_data,
      .kdf_label_bytelen = sizeof(label_data),
      .km_mode = kOtcryptoKeyModeAesGcm,
      .keying_material = km_data,
      .km_bytelen = sizeof(km_data),
  };
  return run_test(&vector);
}
775 
776 /**
777  * Test case 11:
778  *
779  * Basic test case with HMAC SHA512 using 128 bit input and output keys
780  *
781  * KDF Mode = HMAC Counter
782  * KDK = 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b (16 octets)
783  * context = 0x01020304 (4 octets)
784  * label = 0xf0f1f2f3 (4 octets)
785  * L = 128 bits
786  *
787  * KM = 0x40bc39aef846dec913e2753b96b88208 (16 octets)
788  */
static status_t kdf_hmac_ctr_sha512_kdk16_km16_test(void) {
  // Key derivation key: 16 octets of 0x0b.
  uint32_t kdk_data[] = {0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b};
  uint8_t context_data[] = {0x01, 0x02, 0x03, 0x04};
  uint8_t label_data[] = {0xf0, 0xf1, 0xf2, 0xf3};
  // Expected keying material. Each word packs four consecutive octets with
  // the first octet in the least-significant byte (40 bc 39 ae -> 0xae39bc40).
  uint32_t km_data[] = {0xae39bc40, 0xc9de46f8, 0x3b75e213, 0x0882b896};

  // Lengths are taken from the arrays so they cannot drift from the data.
  kdf_test_vector_t vector = {
      .key_mode = kOtcryptoKeyModeHmacSha512,
      .key_derivation_key = kdk_data,
      .kdk_bytelen = sizeof(kdk_data),
      .kdf_context = context_data,
      .kdf_context_bytelen = sizeof(context_data),
      .kdf_label = label_data,
      .kdf_label_bytelen = sizeof(label_data),
      .km_mode = kOtcryptoKeyModeAesCtr,
      .keying_material = km_data,
      .km_bytelen = sizeof(km_data),
  };
  return run_test(&vector);
}
829 
830 /**
831  * Test case 12:
832  *
833  * Basic test case with HMAC SHA512 using 256 bit input and output keys
834  *
835  * KDF Mode = HMAC Counter
836  * KDK = 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
837  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b (32 octets)
838  * context = 0x606162636465 (6 octets)
839  * label = 0xb0b1b2b3b4b5 (6 octets)
840  * L = 256 bits
841  *
842  * KM = 0xbaab49e94918b8cb76efb15f1b2f3ffe
843  * af750e91898ebb1f6aa05f8b32392564 (32 octets)
844  */
static status_t kdf_hmac_ctr_sha512_kdk32_km32_test(void) {
  // Key derivation key: 32 octets of 0x0b.
  uint32_t kdk_data[] = {
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
  };
  uint8_t context_data[] = {0x60, 0x61, 0x62, 0x63, 0x64, 0x65};
  uint8_t label_data[] = {0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5};
  // Expected keying material. Each word packs four consecutive octets with
  // the first octet in the least-significant byte (ba ab 49 e9 -> 0xe949abba).
  uint32_t km_data[] = {
      0xe949abba, 0xcbb81849, 0x5fb1ef76, 0xfe3f2f1b,
      0x910e75af, 0x1fbb8e89, 0x8b5fa06a, 0x64253932,
  };

  // Lengths are taken from the arrays so they cannot drift from the data.
  kdf_test_vector_t vector = {
      .key_mode = kOtcryptoKeyModeHmacSha512,
      .key_derivation_key = kdk_data,
      .kdk_bytelen = sizeof(kdk_data),
      .kdf_context = context_data,
      .kdf_context_bytelen = sizeof(context_data),
      .kdf_label = label_data,
      .kdf_label_bytelen = sizeof(label_data),
      .km_mode = kOtcryptoKeyModeAesCbc,
      .keying_material = km_data,
      .km_bytelen = sizeof(km_data),
  };
  return run_test(&vector);
}
875 
876 /**
877  * Test case 13:
878  *
879  * Basic test case with HMAC SHA512 using 384 bit input and output keys
880  *
881  * KDF Mode = HMAC Counter
882  * KDK = 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
883  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
884  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b (48 octets)
885  * context = (0 octets)
886  * label = (0 octets)
887  * L = 384 bits
888  *
889  * KM = 0x57374ecdffd0b2fee3f3352566216954
890  * 4d5527dcb80b856f06f83c130089142e
891  * 0a271fd516d967a43b7af81728256b9a (48 octets)
892  */
static status_t kdf_hmac_ctr_sha512_kdk48_km48_test(void) {
  // Key derivation key: 48 octets of 0x0b.
  uint32_t kdk_data[] = {
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
  };
  // Expected keying material. Each word packs four consecutive octets with
  // the first octet in the least-significant byte (57 37 4e cd -> 0xcd4e3757).
  uint32_t km_data[] = {
      0xcd4e3757, 0xfeb2d0ff, 0x2535f3e3, 0x54692166, 0xdc27554d, 0x6f850bb8,
      0x133cf806, 0x2e148900, 0xd51f270a, 0xa467d916, 0x17f87a3b, 0x9a6b2528,
  };

  // This vector has neither context nor label: both buffers are NULL with a
  // length of zero.
  kdf_test_vector_t vector = {
      .key_mode = kOtcryptoKeyModeHmacSha512,
      .key_derivation_key = kdk_data,
      .kdk_bytelen = sizeof(kdk_data),
      .kdf_context = NULL,
      .kdf_context_bytelen = 0,
      .kdf_label = NULL,
      .kdf_label_bytelen = 0,
      .km_mode = kOtcryptoKeyModeAesEcb,
      .keying_material = km_data,
      .km_bytelen = sizeof(km_data),
  };
  return run_test(&vector);
}
917 
918 /**
919  * Test case 14:
920  *
921  * Basic test case with HMAC SHA512 using 2048 bit input and output keys
922  *
923  * KDF Mode = HMAC Counter
924  * KDK = 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
925  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
926  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
927  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
928  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
929  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
930  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
931  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
932  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
933  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
934  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
935  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
936  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
937  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
938  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
939  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b (256 octets)
940  * context = 0x8081828384858687 (8 octets)
941  * label = 0xc0c1c2c3c4c5 (6 octets)
942  * L = 2048 bits
943  *
944  * KM = 0x77308324dafd68b6c51e50be73bb1a41
945  * c36a6b15c2216716ba21f1e41f5ca60d
946  * 7aa5fa4960d16ba679d3083bb484dbd2
947  * 42071daca754316f57bf7f892154c62a
948  * 51598f2a3b26faf7f554f8e5d24357a2
949  * ae61198e9b5f2dc24e669d3943250631
950  * 08a40a54011b6c4f908ac8bbf3dc95d2
951  * 4cdc35c983fd19a9a3a7c075fc2be70f
952  * 8cc9693f13e952c7c1be7cfd3aaaf163
953  * 63873670e10bf17d0bcccdfc0ccce9c9
954  * 2349326b09b9fe8c354944d4d1c5729f
955  * af8b4d2d9f44b9231f1397688544c6a5
956  * cc9254987851dea4372403267eb579d3
957  * 95c3b926db7c0207954d95782f6db2b7
958  * 8546e10571a2d47c9ff33226d5229975
959  * f4181322a22b863f588f13a385f5eb79 (256 octets)
960  */
static status_t kdf_hmac_ctr_sha512_kdk256_km256_test(void) {
  // Key derivation key: 256 octets of 0x0b.
  uint32_t kdk_data[] = {
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
  };
  uint8_t context_data[] = {0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87};
  uint8_t label_data[] = {0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5};
  // Expected keying material. Each word packs four consecutive octets with
  // the first octet in the least-significant byte (77 30 83 24 -> 0x24833077).
  uint32_t km_data[] = {
      0x24833077, 0xb668fdda, 0xbe501ec5, 0x411abb73, 0x156b6ac3, 0x166721c2,
      0xe4f121ba, 0x0da65c1f, 0x49faa57a, 0xa66bd160, 0x3b08d379, 0xd2db84b4,
      0xac1d0742, 0x6f3154a7, 0x897fbf57, 0x2ac65421, 0x2a8f5951, 0xf7fa263b,
      0xe5f854f5, 0xa25743d2, 0x8e1961ae, 0xc22d5f9b, 0x399d664e, 0x31062543,
      0x540aa408, 0x4f6c1b01, 0xbbc88a90, 0xd295dcf3, 0xc935dc4c, 0xa919fd83,
      0x75c0a7a3, 0x0fe72bfc, 0x3f69c98c, 0xc752e913, 0xfd7cbec1, 0x63f1aa3a,
      0x70368763, 0x7df10be1, 0xfccdcc0b, 0xc9e9cc0c, 0x6b324923, 0x8cfeb909,
      0xd4444935, 0x9f72c5d1, 0x2d4d8baf, 0x23b9449f, 0x6897131f, 0xa5c64485,
      0x985492cc, 0xa4de5178, 0x26032437, 0xd379b57e, 0x26b9c395, 0x07027cdb,
      0x78954d95, 0xb7b26d2f, 0x05e14685, 0x7cd4a271, 0x2632f39f, 0x759922d5,
      0x221318f4, 0x3f862ba2, 0xa3138f58, 0x79ebf585,
  };

  // Lengths are taken from the arrays so they cannot drift from the data.
  kdf_test_vector_t vector = {
      .key_mode = kOtcryptoKeyModeHmacSha512,
      .key_derivation_key = kdk_data,
      .kdk_bytelen = sizeof(kdk_data),
      .kdf_context = context_data,
      .kdf_context_bytelen = sizeof(context_data),
      .kdf_label = label_data,
      .kdf_label_bytelen = sizeof(label_data),
      .km_mode = kOtcryptoKeyModeAesGcm,
      .keying_material = km_data,
      .km_bytelen = sizeof(km_data),
  };
  return run_test(&vector);
}
1009 
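/**
 * Test case 15:
 *
 * Basic test case with HMAC SHA512 using 2048 bit input and 128 bit output key
 *
 * KDF Mode = HMAC Counter
 * KDK      = 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
 *              0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
 *              0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
 *              0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
 *              0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
 *              0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
 *              0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
 *              0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
 *              0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
 *              0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
 *              0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
 *              0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
 *              0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
 *              0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
 *              0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
 *              0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b (256 octets)
 * context  = 0x90919293 (4 octets)
 * label    = 0xd0d1 (2 octets)
 * L        = 128 bits
 *
 * KM       = 0x5ca93058c2a2dfb5d15063fcea57c88f (16 octets)
 *
 * @return Result of running the vector through `run_test` (OK or error).
 */
static status_t kdf_hmac_ctr_sha512_kdk256_km16_test(void) {
  // Key derivation key: 256 octets of 0x0b, held as 64 32-bit words.
  uint32_t kdk_data[] = {
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
      0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
  };
  // Context string, 4 octets.
  uint8_t context_data[] = {
      0x90, 0x91, 0x92, 0x93,
  };
  // Label string, 2 octets.
  uint8_t label_data[] = {
      0xd0, 0xd1,
  };
  // Expected keying material: the KM octet string above, packed four octets
  // per word with the first octet in the least significant byte.
  uint32_t km_data[] = {
      0x5830a95c, 0xb5dfa2c2, 0xfc6350d1, 0x8fc857ea,
  };

  // The listing had lost the declaration of `test` (its gutter skips from
  // 1068 to 1070); it is restored here. Every length is taken from the array
  // it describes, so an edit to a vector cannot leave a length that runs past
  // the end of its buffer.
  kdf_test_vector_t test = {
      .key_mode = kOtcryptoKeyModeHmacSha512,
      .key_derivation_key = kdk_data,
      .kdk_bytelen = sizeof(kdk_data),  // 256 octets
      .kdf_context = context_data,
      .kdf_context_bytelen = sizeof(context_data),
      .kdf_label = label_data,
      .kdf_label_bytelen = sizeof(label_data),
      .km_mode = kOtcryptoKeyModeAesGcm,
      .keying_material = km_data,
      .km_bytelen = sizeof(km_data),  // 16 octets (L = 128 bits)
  };
  return run_test(&test);
}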
1083 
OTTF_DEFINE_TEST_CONFIG();

/**
 * Entry point of the functional test: runs every KDF HMAC counter-mode test
 * vector in this file, grouped by hash function.
 *
 * @return True if the accumulated status is OK once all vectors have run.
 */
bool test_main(void) {
  // The entropy complex is brought up before the first vector runs; a failure
  // here is checked immediately rather than folded into the per-test status.
  CHECK_STATUS_OK(entropy_complex_init());

  // Status shared by all EXECUTE_TEST invocations below.
  status_t overall_result = OK_STATUS();

  // HMAC-SHA256 vectors.
  EXECUTE_TEST(overall_result, kdf_hmac_ctr_sha256_kdk16_km16_test);
  EXECUTE_TEST(overall_result, kdf_hmac_ctr_sha256_kdk32_km32_test);
  EXECUTE_TEST(overall_result, kdf_hmac_ctr_sha256_kdk48_km48_test);
  EXECUTE_TEST(overall_result, kdf_hmac_ctr_sha256_kdk256_km256_test);
  EXECUTE_TEST(overall_result, kdf_hmac_ctr_sha256_kdk256_km16_test);

  // HMAC-SHA384 vectors.
  EXECUTE_TEST(overall_result, kdf_hmac_ctr_sha384_kdk16_km16_test);
  EXECUTE_TEST(overall_result, kdf_hmac_ctr_sha384_kdk32_km32_test);
  EXECUTE_TEST(overall_result, kdf_hmac_ctr_sha384_kdk48_km48_test);
  EXECUTE_TEST(overall_result, kdf_hmac_ctr_sha384_kdk256_km256_test);
  EXECUTE_TEST(overall_result, kdf_hmac_ctr_sha384_kdk256_km16_test);

  // HMAC-SHA512 vectors.
  EXECUTE_TEST(overall_result, kdf_hmac_ctr_sha512_kdk16_km16_test);
  EXECUTE_TEST(overall_result, kdf_hmac_ctr_sha512_kdk32_km32_test);
  EXECUTE_TEST(overall_result, kdf_hmac_ctr_sha512_kdk48_km48_test);
  EXECUTE_TEST(overall_result, kdf_hmac_ctr_sha512_kdk256_km256_test);
  EXECUTE_TEST(overall_result, kdf_hmac_ctr_sha512_kdk256_km16_test);

  return status_ok(overall_result);
}