Software APIs
kdf_hmac_ctr_functest.c
1 // Copyright lowRISC contributors (OpenTitan project).
2 // Licensed under the Apache License, Version 2.0, see LICENSE for details.
3 // SPDX-License-Identifier: Apache-2.0
4 
5 #include "sw/device/lib/crypto/drivers/entropy.h"
6 #include "sw/device/lib/crypto/impl/integrity.h"
7 #include "sw/device/lib/crypto/impl/keyblob.h"
8 #include "sw/device/lib/crypto/include/datatypes.h"
9 #include "sw/device/lib/crypto/include/kdf.h"
10 #include "sw/device/lib/runtime/log.h"
11 #include "sw/device/lib/testing/test_framework/check.h"
12 #include "sw/device/lib/testing/test_framework/ottf_main.h"
13 
14 /**
15  * Represents a test for KDF.
16  */
17 typedef struct kdf_test_vector {
18  /**
19  * Key mode for KDF (e.g. kOtcryptoKeyModeHmacSha256).
20  */
21  otcrypto_key_mode_t key_mode;
22  /**
23  * Input key derivation key.
24  */
25  uint32_t *key_derivation_key;
26  /**
27  * Length of key derivation key in bytes.
28  */
29  size_t kdk_bytelen;
30  /**
31  * Context string.
32  */
33  uint8_t *kdf_context;
34  /**
35  * Length of context in bytes.
36  */
37  size_t kdf_context_bytelen;
38  /**
39  * Label string.
40  */
41  uint8_t *kdf_label;
42  /**
43  * Length of label in bytes.
44  */
45  size_t kdf_label_bytelen;
46  /**
47  * Key mode of the keying material.
48  */
49  otcrypto_key_mode_t km_mode;
50  /**
51  * Expected output keying material.
52  */
53  uint32_t *keying_material;
54  /**
55  * Length of keying material in bytes.
56  */
57  size_t km_bytelen;
58 } kdf_test_vector_t;
59 
60 // Random value for masking, as large as the longest test key. This value
61 // should not affect the result.
62 static const uint32_t kTestMask[512] = {
63  0x8cb847c3, 0xc6d34f36, 0x72edbf7b, 0x9bc0317f, 0x8f003c7f, 0x1d7ba049,
64  0xfd463b63, 0xbb720c44, 0x784c215e, 0xeb101d65, 0x35beb911, 0xab481345,
65  0xa7ebc3e3, 0x04b2a1b9, 0x764a9630, 0x78b8f9c5, 0x3f2a1d8e, 0x8cb847c3,
66  0xc6d34f36, 0x72edbf7b, 0x9bc0317f, 0x8f003c7f, 0x1d7ba049, 0xfd463b63,
67  0xbb720c44, 0x784c215e, 0xeb101d65, 0x35beb911, 0xab481345, 0xa7ebc3e3,
68  0x04b2a1b9, 0x764a9630, 0x78b8f9c5, 0x3f2a1d8e,
69 };
70 
71 /**
72  * Call KDF through the API and check the result.
73  *
74  * @param test Test vector to run.
75  * @return Result (OK or error).
76  */
77 static status_t run_test(kdf_test_vector_t *test) {
78  if (test->kdk_bytelen > sizeof(kTestMask)) {
79  // If we get this error, we probably just need to make `kTestMask` longer.
80  return OUT_OF_RANGE();
81  }
82 
83  // Construct the input key derivation key.
84  otcrypto_key_config_t kdk_config = {
85  .version = kOtcryptoLibVersion1,
86  .key_mode = test->key_mode,
87  .key_length = test->kdk_bytelen,
88  .hw_backed = kHardenedBoolFalse,
89  .exportable = kHardenedBoolFalse,
90  .security_level = kOtcryptoKeySecurityLevelLow,
91  };
92  uint32_t kdk_keyblob[keyblob_num_words(kdk_config)];
93  TRY(keyblob_from_key_and_mask(test->key_derivation_key, kTestMask, kdk_config,
94  kdk_keyblob));
95  otcrypto_blinded_key_t kdk = {
96  .config = kdk_config,
97  .keyblob = kdk_keyblob,
98  .keyblob_length = sizeof(kdk_keyblob),
99  };
100  kdk.checksum = integrity_blinded_checksum(&kdk);
101 
102  // Construct a blinded key struct for the output keying material. The key mode
103  // here doesn't really matter, it just needs to be some symmetric key.
104  otcrypto_key_config_t km_config = {
105  .version = kOtcryptoLibVersion1,
106  .key_mode = test->km_mode,
107  .key_length = test->km_bytelen,
108  .hw_backed = kHardenedBoolFalse,
109  .exportable = kHardenedBoolFalse,
110  .security_level = kOtcryptoKeySecurityLevelLow,
111  };
112  uint32_t km_keyblob[keyblob_num_words(km_config)];
113  otcrypto_blinded_key_t km = {
114  .config = km_config,
115  .keyblob = km_keyblob,
116  .keyblob_length = sizeof(km_keyblob),
117  };
118 
119  // Construct a buffer for the context.
120  otcrypto_const_byte_buf_t context = {
121  .data = test->kdf_context,
122  .len = test->kdf_context_bytelen,
123  };
124 
125  // Construct a buffer for the label.
126  otcrypto_const_byte_buf_t label = {
127  .data = test->kdf_label,
128  .len = test->kdf_label_bytelen,
129  };
130 
131  // Run the KDF specified by the key mode.
132  switch (test->key_mode) {
133  case kOtcryptoKeyModeHmacSha256:
134  case kOtcryptoKeyModeHmacSha384:
135  case kOtcryptoKeyModeHmacSha512:
136  TRY(otcrypto_kdf_hmac_ctr(kdk, label, context, km.config.key_length,
137  &km));
138  break;
139  default:
140  LOG_INFO("Should never end up here.");
141  return INVALID_ARGUMENT();
142  }
143 
144  LOG_INFO("KDF operation completed.");
145 
146  // Unmask the output key value and compare to the expected value.
147  uint32_t *km_share0;
148  uint32_t *km_share1;
149 
150  TRY(keyblob_to_shares(&km, &km_share0, &km_share1));
151  uint32_t unmasked_km[keyblob_share_num_words(km_config)];
152  for (size_t i = 0; i < ARRAYSIZE(unmasked_km); i++) {
153  unmasked_km[i] = km_share0[i] ^ km_share1[i];
154  }
155 
156  TRY_CHECK_ARRAYS_EQ((unsigned char *)unmasked_km,
157  (unsigned char *)test->keying_material, test->km_bytelen);
158  return OK_STATUS();
159 }
160 
161 /**
162  * Test case 1:
163  *
164  * Basic test case with HMAC SHA256 using 128 bit input and output keys
165  *
166  * KDF Mode = HMAC Counter
167  * KDK = 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b (16 octets)
168  * context = 0x01020304 (4 octets)
169  * label = 0xf0f1f2f3 (4 octets)
170  * L = 128 bits
171  *
172  * KM = 0xe934f5c810d429b26c747541d898e19a (16 octets)
173  */
174 static status_t kdf_hmac_ctr_sha256_kdk16_km16_test(void) {
175  uint32_t kdk_data[] = {
176  0x0b0b0b0b,
177  0x0b0b0b0b,
178  0x0b0b0b0b,
179  0x0b0b0b0b,
180  };
181  uint8_t context_data[] = {
182  0x01,
183  0x02,
184  0x03,
185  0x04,
186  };
187  uint8_t label_data[] = {
188  0xf0,
189  0xf1,
190  0xf2,
191  0xf3,
192  };
193  uint32_t km_data[] = {
194  0xc8f534e9,
195  0xb229d410,
196  0x4175746c,
197  0x9ae198d8,
198  };
199 
200  kdf_test_vector_t test = {
201  .key_mode = kOtcryptoKeyModeHmacSha256,
202  .key_derivation_key = kdk_data,
203  .kdk_bytelen = 16,
204  .kdf_context = context_data,
205  .kdf_context_bytelen = sizeof(context_data),
206  .kdf_label = label_data,
207  .kdf_label_bytelen = sizeof(label_data),
208  .km_mode = kOtcryptoKeyModeAesCtr,
209  .keying_material = km_data,
210  .km_bytelen = 16,
211  };
212  return run_test(&test);
213 }
214 
215 /**
216  * Test case 2:
217  *
218  * Basic test case with HMAC SHA256 using 256 bit input and output keys
219  *
220  * KDF Mode = HMAC Counter
221  * KDK = 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
222  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b (32 octets)
223  * context = 0x606162636465 (6 octets)
224  * label = 0xb0b1b2b3b4b5 (6 octets)
225  * L = 256 bits
226  *
227  * KM = 0x12b44b700276c03074cd99f98763574b
228  * 7bf71c30340223790bf0b8f53fcf3c86 (32 octets)
229  */
230 static status_t kdf_hmac_ctr_sha256_kdk32_km32_test(void) {
231  uint32_t kdk_data[] = {
232  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
233  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
234  };
235  uint8_t context_data[] = {
236  0x60, 0x61, 0x62, 0x63, 0x64, 0x65,
237  };
238  uint8_t label_data[] = {
239  0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5,
240  };
241  uint32_t km_data[] = {
242  0x704bb412, 0x30c07602, 0xf999cd74, 0x4b576387,
243  0x301cf77b, 0x79230234, 0xf5b8f00b, 0x863ccf3f,
244  };
245 
246  kdf_test_vector_t test = {
247  .key_mode = kOtcryptoKeyModeHmacSha256,
248  .key_derivation_key = kdk_data,
249  .kdk_bytelen = 32,
250  .kdf_context = context_data,
251  .kdf_context_bytelen = sizeof(context_data),
252  .kdf_label = label_data,
253  .kdf_label_bytelen = sizeof(label_data),
254  .km_mode = kOtcryptoKeyModeAesCbc,
255  .keying_material = km_data,
256  .km_bytelen = 32,
257  };
258  return run_test(&test);
259 }
260 
261 /**
262  * Test case 3:
263  *
264  * Basic test case with HMAC SHA256 using 384 bit input and output keys
265  *
266  * KDF Mode = HMAC Counter
267  * KDK = 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
268  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
269  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b (48 octets)
270  * context = (0 octets)
271  * label = (0 octets)
272  * L = 384 bits
273  *
274  * KM = 0xf42c0c520de76893bba8aa7271431fdd
275  * 86b55523d3287a8e81b206685d3b3b95
276  * c099031b5aa56d98656220a715a1b145 (48 octets)
277  */
278 static status_t kdf_hmac_ctr_sha256_kdk48_km48_test(void) {
279  uint32_t kdk_data[] = {
280  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
281  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
282  };
283  uint32_t km_data[] = {
284  0x520c2cf4, 0x9368e70d, 0x72aaa8bb, 0xdd1f4371, 0x2355b586, 0x8e7a28d3,
285  0x6806b281, 0x953b3b5d, 0x1b0399c0, 0x986da55a, 0xa7206265, 0x45b1a115,
286  };
287 
288  kdf_test_vector_t test = {
289  .key_mode = kOtcryptoKeyModeHmacSha256,
290  .key_derivation_key = kdk_data,
291  .kdk_bytelen = 48,
292  .kdf_context = NULL,
293  .kdf_context_bytelen = 0,
294  .kdf_label = NULL,
295  .kdf_label_bytelen = 0,
296  .km_mode = kOtcryptoKeyModeAesEcb,
297  .keying_material = km_data,
298  .km_bytelen = 48,
299  };
300  return run_test(&test);
301 }
302 
303 /**
304  * Test case 4:
305  *
306  * Basic test case with HMAC SHA256 using 2048 bit input and output keys
307  *
308  * KDF Mode = HMAC Counter
309  * KDK = 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
310  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
311  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
312  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
313  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
314  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
315  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
316  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
317  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
318  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
319  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
320  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
321  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
322  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
323  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
324  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b (256 octets)
325  * context = 0x8081828384858687 (8 octets)
326  * label = 0xc0c1c2c3c4c5(6 octets)
327  * L = 2048 bits
328  *
329  * KM = 0x555a7c55afffa007213b9fd8560362d1
330  * d1fa720e5273e66ab5454516b809c48f
331  * 8da0380745a93db45e3a46212e05ce04
332  * 93b85b5a7cd46d22202b75b4c6dfb16f
333  * 4fc70602188836591c2ab936e44ee94a
334  * 7413e28ebcb0e896f4f0ddb1311c19b6
335  * 4cc79e9abe86fe60dca62a1328c8f444
336  * 9db4e63d1dde6cebad5a21e649080c94
337  * 6438a31f50428aaa88c379e188ec09e5
338  * 515d5acddfd68b4907d895b2213d8d47
339  * f2f521dee8c3abf00e3b3b119ff60375
340  * 18b12d0136a0c3f3ce414ad211939f1a
341  * fbd1526772a2f3df7899b477a2f13ed7
342  * 57657d423655920c8b7adc56adbac307
343  * 9dca7183554f46b4864d9aa0f9dadfc0
344  * d62fa1f4c7e8459b607aad9946003982 (256 octets)
345  */
346 static status_t kdf_hmac_ctr_sha256_kdk256_km256_test(void) {
347  uint32_t kdk_data[] = {
348  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
349  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
350  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
351  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
352  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
353  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
354  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
355  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
356  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
357  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
358  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
359  };
360  uint8_t context_data[] = {
361  0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
362  };
363  uint8_t label_data[] = {
364  0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5,
365  };
366  uint32_t km_data[] = {
367  0x557c5a55, 0x07a0ffaf, 0xd89f3b21, 0xd1620356, 0x0e72fad1, 0x6ae67352,
368  0x164545b5, 0x8fc409b8, 0x0738a08d, 0xb43da945, 0x21463a5e, 0x04ce052e,
369  0x5a5bb893, 0x226dd47c, 0xb4752b20, 0x6fb1dfc6, 0x0206c74f, 0x59368818,
370  0x36b92a1c, 0x4ae94ee4, 0x8ee21374, 0x96e8b0bc, 0xb1ddf0f4, 0xb6191c31,
371  0x9a9ec74c, 0x60fe86be, 0x132aa6dc, 0x44f4c828, 0x3de6b49d, 0xeb6cde1d,
372  0xe6215aad, 0x940c0849, 0x1fa33864, 0xaa8a4250, 0xe179c388, 0xe509ec88,
373  0xcd5a5d51, 0x498bd6df, 0xb295d807, 0x478d3d21, 0xde21f5f2, 0xf0abc3e8,
374  0x113b3b0e, 0x7503f69f, 0x012db118, 0xf3c3a036, 0xd24a41ce, 0x1a9f9311,
375  0x6752d1fb, 0xdff3a272, 0x77b49978, 0xd73ef1a2, 0x427d6557, 0x0c925536,
376  0x56dc7a8b, 0x07c3baad, 0x8371ca9d, 0xb4464f55, 0xa09a4d86, 0xc0dfdaf9,
377  0xf4a12fd6, 0x9b45e8c7, 0x99ad7a60, 0x82390046,
378  };
379 
380  kdf_test_vector_t test = {
381  .key_mode = kOtcryptoKeyModeHmacSha256,
382  .key_derivation_key = kdk_data,
383  .kdk_bytelen = 256,
384  .kdf_context = context_data,
385  .kdf_context_bytelen = sizeof(context_data),
386  .kdf_label = label_data,
387  .kdf_label_bytelen = sizeof(label_data),
388  .km_mode = kOtcryptoKeyModeAesGcm,
389  .keying_material = km_data,
390  .km_bytelen = 256,
391  };
392  return run_test(&test);
393 }
394 
395 /**
396  * Test case 5:
397  *
398  * Basic test case with HMAC SHA256 using 2048 bit input and 128 bit output key
399  *
400  * KDF Mode = HMAC Counter
401  * KDK = 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
402  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
403  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
404  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
405  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
406  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
407  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
408  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
409  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
410  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
411  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
412  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
413  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
414  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
415  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
416  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b (256 octets)
417  * context = 0x90919293 (4 octets)
418  * label = 0xd0d1 (2 octets)
419  * L = 128 bits
420  *
421  * KM = 0xac81a3a1f7c07a3f21d4fce68fd5ac92 (16 octets)
422  */
423 static status_t kdf_hmac_ctr_sha256_kdk256_km16_test(void) {
424  uint32_t kdk_data[] = {
425  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
426  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
427  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
428  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
429  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
430  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
431  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
432  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
433  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
434  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
435  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
436  };
437  uint8_t context_data[] = {
438  0x90,
439  0x91,
440  0x92,
441  0x93,
442  };
443  uint8_t label_data[] = {
444  0xd0,
445  0xd1,
446  };
447  uint32_t km_data[] = {
448  0xa1a381ac,
449  0x3f7ac0f7,
450  0xe6fcd421,
451  0x92acd58f,
452  };
453 
454  kdf_test_vector_t test = {
455  .key_mode = kOtcryptoKeyModeHmacSha256,
456  .key_derivation_key = kdk_data,
457  .kdk_bytelen = 256,
458  .kdf_context = context_data,
459  .kdf_context_bytelen = sizeof(context_data),
460  .kdf_label = label_data,
461  .kdf_label_bytelen = sizeof(label_data),
462  .km_mode = kOtcryptoKeyModeAesGcm,
463  .keying_material = km_data,
464  .km_bytelen = 16,
465  };
466  return run_test(&test);
467 }
468 
469 /**
470  * Test case 6:
471  *
472  * Basic test case with HMAC SHA384 using 128 bit input and output keys
473  *
474  * KDF Mode = HMAC Counter
475  * KDK = 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b (16 octets)
476  * context = 0x01020304 (4 octets)
477  * label = 0xf0f1f2f3 (4 octets)
478  * L = 128 bits
479  *
480  * KM = 0x76a2316d74b63c290c009bf74798e932 (16 octets)
481  */
482 static status_t kdf_hmac_ctr_sha384_kdk16_km16_test(void) {
483  uint32_t kdk_data[] = {
484  0x0b0b0b0b,
485  0x0b0b0b0b,
486  0x0b0b0b0b,
487  0x0b0b0b0b,
488  };
489  uint8_t context_data[] = {
490  0x01,
491  0x02,
492  0x03,
493  0x04,
494  };
495  uint8_t label_data[] = {
496  0xf0,
497  0xf1,
498  0xf2,
499  0xf3,
500  };
501  uint32_t km_data[] = {
502  0x6d31a276,
503  0x293cb674,
504  0xf79b000c,
505  0x32e99847,
506  };
507 
508  kdf_test_vector_t test = {
509  .key_mode = kOtcryptoKeyModeHmacSha384,
510  .key_derivation_key = kdk_data,
511  .kdk_bytelen = 16,
512  .kdf_context = context_data,
513  .kdf_context_bytelen = sizeof(context_data),
514  .kdf_label = label_data,
515  .kdf_label_bytelen = sizeof(label_data),
516  .km_mode = kOtcryptoKeyModeAesCtr,
517  .keying_material = km_data,
518  .km_bytelen = 16,
519  };
520  return run_test(&test);
521 }
522 
523 /**
524  * Test case 7:
525  *
526  * Basic test case with HMAC SHA384 using 256 bit input and output keys
527  *
528  * KDF Mode = HMAC Counter
529  * KDK = 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
530  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b (32 octets)
531  * context = 0x606162636465 (6 octets)
532  * label = 0xb0b1b2b3b4b5 (6 octets)
533  * L = 256 bits
534  *
535  * KM = 0x6049a11f8be91aa7d4550a75a02513ac
536  * 0987b8beba3461d6e85919f64c789140 (32 octets)
537  */
538 static status_t kdf_hmac_ctr_sha384_kdk32_km32_test(void) {
539  uint32_t kdk_data[] = {
540  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
541  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
542  };
543  uint8_t context_data[] = {
544  0x60, 0x61, 0x62, 0x63, 0x64, 0x65,
545  };
546  uint8_t label_data[] = {
547  0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5,
548  };
549  uint32_t km_data[] = {
550  0x1fa14960, 0xa71ae98b, 0x750a55d4, 0xac1325a0,
551  0xbeb88709, 0xd66134ba, 0xf61959e8, 0x4091784c,
552  };
553 
554  kdf_test_vector_t test = {
555  .key_mode = kOtcryptoKeyModeHmacSha384,
556  .key_derivation_key = kdk_data,
557  .kdk_bytelen = 32,
558  .kdf_context = context_data,
559  .kdf_context_bytelen = sizeof(context_data),
560  .kdf_label = label_data,
561  .kdf_label_bytelen = sizeof(label_data),
562  .km_mode = kOtcryptoKeyModeAesCbc,
563  .keying_material = km_data,
564  .km_bytelen = 32,
565  };
566  return run_test(&test);
567 }
568 
569 /**
570  * Test case 8:
571  *
572  * Basic test case with HMAC SHA384 using 384 bit input and output keys
573  *
574  * KDF Mode = HMAC Counter
575  * KDK = 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
576  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
577  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b (48 octets)
578  * context = (0 octets)
579  * label = (0 octets)
580  * L = 384 bits
581  *
582  * KM = 0xdfeb8693d58307a31d467e72de28dfc2
583  * 2af5d6610d2d25a409a517e412505936
584  * b3d730de63521cfed045d50b5a047415 (48 octets)
585  */
586 static status_t kdf_hmac_ctr_sha384_kdk48_km48_test(void) {
587  uint32_t kdk_data[] = {
588  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
589  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
590  };
591  uint32_t km_data[] = {
592  0x9386ebdf, 0xa30783d5, 0x727e461d, 0xc2df28de, 0x61d6f52a, 0xa4252d0d,
593  0xe417a509, 0x36595012, 0xde30d7b3, 0xfe1c5263, 0x0bd545d0, 0x1574045a,
594  };
595 
596  kdf_test_vector_t test = {
597  .key_mode = kOtcryptoKeyModeHmacSha384,
598  .key_derivation_key = kdk_data,
599  .kdk_bytelen = 48,
600  .kdf_context = NULL,
601  .kdf_context_bytelen = 0,
602  .kdf_label = NULL,
603  .kdf_label_bytelen = 0,
604  .km_mode = kOtcryptoKeyModeAesEcb,
605  .keying_material = km_data,
606  .km_bytelen = 48,
607  };
608  return run_test(&test);
609 }
610 
611 /**
612  * Test case 9:
613  *
614  * Basic test case with HMAC SHA384 using 2048 bit input and output keys
615  *
616  * KDF Mode = HMAC Counter
617  * KDK = 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
618  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
619  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
620  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
621  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
622  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
623  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
624  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
625  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
626  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
627  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
628  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
629  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
630  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
631  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
632  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b (256 octets)
633  * context = 0x8081828384858687 (8 octets)
634  * label = 0xc0c1c2c3c4c5 (6 octets)
635  * L = 2048 bits
636  *
637  * KM = 0x364f6a06f49bd8c5769f307f02f77408
638  * 021b18e6f7164d0072d1619802ce4d26
639  * 8703c2151600c7b0407d3ab360632555
640  * 4884349b297de9dc881ba3f0b4192922
641  * d31debad207f1f5814bddc5cdc83f88c
642  * c3a355cf51a208021c98c3120eeced6d
643  * 1a42a893d762c19fd3d25ef7002187cd
644  * 27ee87dfede8c7edba7fce4b7ac3a4a1
645  * 474fb01d3dc71ecde102895968e0d579
646  * dad0a08e66ba3675a5b3c10647514dd9
647  * f6530ef6261d3b43a9c5a32332f5a3fc
648  * e7f5b78b285f78aab1edce2500999fc7
649  * 3d47d6b99191a1e3ea92ecef2cba3010
650  * 2ae7f786def30988e0d35e7d41f3d0e1
651  * 88d9aff0710de8e6742d11af66854dc6
652  * c3033fe680f0ee5a03613d1b168e7e24 (256 octets)
653  */
654 static status_t kdf_hmac_ctr_sha384_kdk256_km256_test(void) {
655  uint32_t kdk_data[] = {
656  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
657  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
658  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
659  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
660  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
661  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
662  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
663  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
664  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
665  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
666  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
667  };
668  uint8_t context_data[] = {
669  0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
670  };
671  uint8_t label_data[] = {
672  0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5,
673  };
674  uint32_t km_data[] = {
675  0x066a4f36, 0xc5d89bf4, 0x7f309f76, 0x0874f702, 0xe6181b02, 0x004d16f7,
676  0x9861d172, 0x264dce02, 0x15c20387, 0xb0c70016, 0xb33a7d40, 0x55256360,
677  0x9b348448, 0xdce97d29, 0xf0a31b88, 0x222919b4, 0xadeb1dd3, 0x581f7f20,
678  0x5cdcbd14, 0x8cf883dc, 0xcf55a3c3, 0x0208a251, 0x12c3981c, 0x6dedec0e,
679  0x93a8421a, 0x9fc162d7, 0xf75ed2d3, 0xcd872100, 0xdf87ee27, 0xedc7e8ed,
680  0x4bce7fba, 0xa1a4c37a, 0x1db04f47, 0xcd1ec73d, 0x598902e1, 0x79d5e068,
681  0x8ea0d0da, 0x7536ba66, 0x06c1b3a5, 0xd94d5147, 0xf60e53f6, 0x433b1d26,
682  0x23a3c5a9, 0xfca3f532, 0x8bb7f5e7, 0xaa785f28, 0x25ceedb1, 0xc79f9900,
683  0xb9d6473d, 0xe3a19191, 0xefec92ea, 0x1030ba2c, 0x86f7e72a, 0x8809f3de,
684  0x7d5ed3e0, 0xe1d0f341, 0xf0afd988, 0xe6e80d71, 0xaf112d74, 0xc64d8566,
685  0xe63f03c3, 0x5aeef080, 0x1b3d6103, 0x247e8e16,
686  };
687 
688  kdf_test_vector_t test = {
689  .key_mode = kOtcryptoKeyModeHmacSha384,
690  .key_derivation_key = kdk_data,
691  .kdk_bytelen = 256,
692  .kdf_context = context_data,
693  .kdf_context_bytelen = sizeof(context_data),
694  .kdf_label = label_data,
695  .kdf_label_bytelen = sizeof(label_data),
696  .km_mode = kOtcryptoKeyModeAesGcm,
697  .keying_material = km_data,
698  .km_bytelen = 256,
699  };
700  return run_test(&test);
701 }
702 
703 /**
704  * Test case 10:
705  *
706  * Basic test case with HMAC SHA384 using 2048 bit input and 128 bit output key
707  *
708  * KDF Mode = HMAC Counter
709  * KDK = 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
710  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
711  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
712  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
713  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
714  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
715  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
716  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
717  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
718  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
719  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
720  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
721  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
722  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
723  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
724  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b (256 octets)
725  * context = 0x90919293 (4 octets)
726  * label = 0xd0d1 (2 octets)
727  * L = 128 bits
728  *
729  * KM = 0x65c3b1827789b4ba126751e404f23e2f (16 octets)
730  */
731 static status_t kdf_hmac_ctr_sha384_kdk256_km16_test(void) {
732  uint32_t kdk_data[] = {
733  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
734  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
735  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
736  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
737  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
738  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
739  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
740  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
741  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
742  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
743  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
744  };
745  uint8_t context_data[] = {
746  0x90,
747  0x91,
748  0x92,
749  0x93,
750  };
751  uint8_t label_data[] = {
752  0xd0,
753  0xd1,
754  };
755  uint32_t km_data[] = {
756  0x82b1c365,
757  0xbab48977,
758  0xe4516712,
759  0x2f3ef204,
760  };
761 
762  kdf_test_vector_t test = {
763  .key_mode = kOtcryptoKeyModeHmacSha384,
764  .key_derivation_key = kdk_data,
765  .kdk_bytelen = 256,
766  .kdf_context = context_data,
767  .kdf_context_bytelen = sizeof(context_data),
768  .kdf_label = label_data,
769  .kdf_label_bytelen = sizeof(label_data),
770  .km_mode = kOtcryptoKeyModeAesGcm,
771  .keying_material = km_data,
772  .km_bytelen = 16,
773  };
774  return run_test(&test);
775 }
776 
777 /**
778  * Test case 11:
779  *
780  * Basic test case with HMAC SHA512 using 128 bit input and output keys
781  *
782  * KDF Mode = HMAC Counter
783  * KDK = 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b (16 octets)
784  * context = 0x01020304 (4 octets)
785  * label = 0xf0f1f2f3 (4 octets)
786  * L = 128 bits
787  *
788  * KM = 0x40bc39aef846dec913e2753b96b88208 (16 octets)
789  */
790 static status_t kdf_hmac_ctr_sha512_kdk16_km16_test(void) {
791  uint32_t kdk_data[] = {
792  0x0b0b0b0b,
793  0x0b0b0b0b,
794  0x0b0b0b0b,
795  0x0b0b0b0b,
796  };
797  uint8_t context_data[] = {
798  0x01,
799  0x02,
800  0x03,
801  0x04,
802  };
803  uint8_t label_data[] = {
804  0xf0,
805  0xf1,
806  0xf2,
807  0xf3,
808  };
809  uint32_t km_data[] = {
810  0xae39bc40,
811  0xc9de46f8,
812  0x3b75e213,
813  0x0882b896,
814  };
815 
816  kdf_test_vector_t test = {
817  .key_mode = kOtcryptoKeyModeHmacSha512,
818  .key_derivation_key = kdk_data,
819  .kdk_bytelen = 16,
820  .kdf_context = context_data,
821  .kdf_context_bytelen = sizeof(context_data),
822  .kdf_label = label_data,
823  .kdf_label_bytelen = sizeof(label_data),
824  .km_mode = kOtcryptoKeyModeAesCtr,
825  .keying_material = km_data,
826  .km_bytelen = 16,
827  };
828  return run_test(&test);
829 }
830 
831 /**
832  * Test case 12:
833  *
834  * Basic test case with HMAC SHA512 using 256 bit input and output keys
835  *
836  * KDF Mode = HMAC Counter
837  * KDK = 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
838  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b (32 octets)
839  * context = 0x606162636465 (6 octets)
840  * label = 0xb0b1b2b3b4b5 (6 octets)
841  * L = 256 bits
842  *
843  * KM = 0xbaab49e94918b8cb76efb15f1b2f3ffe
844  * af750e91898ebb1f6aa05f8b32392564 (32 octets)
845  */
846 static status_t kdf_hmac_ctr_sha512_kdk32_km32_test(void) {
847  uint32_t kdk_data[] = {
848  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
849  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
850  };
851  uint8_t context_data[] = {
852  0x60, 0x61, 0x62, 0x63, 0x64, 0x65,
853  };
854  uint8_t label_data[] = {
855  0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5,
856  };
857  uint32_t km_data[] = {
858  0xe949abba, 0xcbb81849, 0x5fb1ef76, 0xfe3f2f1b,
859  0x910e75af, 0x1fbb8e89, 0x8b5fa06a, 0x64253932,
860  };
861 
862  kdf_test_vector_t test = {
863  .key_mode = kOtcryptoKeyModeHmacSha512,
864  .key_derivation_key = kdk_data,
865  .kdk_bytelen = 32,
866  .kdf_context = context_data,
867  .kdf_context_bytelen = sizeof(context_data),
868  .kdf_label = label_data,
869  .kdf_label_bytelen = sizeof(label_data),
870  .km_mode = kOtcryptoKeyModeAesCbc,
871  .keying_material = km_data,
872  .km_bytelen = 32,
873  };
874  return run_test(&test);
875 }
876 
877 /**
878  * Test case 13:
879  *
880  * Basic test case with HMAC SHA512 using 384 bit input and output keys
881  *
882  * KDF Mode = HMAC Counter
883  * KDK = 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
884  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
885  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b (48 octets)
886  * context = (0 octets)
887  * label = (0 octets)
888  * L = 384 bits
889  *
890  * KM = 0x57374ecdffd0b2fee3f3352566216954
891  * 4d5527dcb80b856f06f83c130089142e
892  * 0a271fd516d967a43b7af81728256b9a (48 octets)
893  */
894 static status_t kdf_hmac_ctr_sha512_kdk48_km48_test(void) {
895  uint32_t kdk_data[] = {
896  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
897  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
898  };
899  uint32_t km_data[] = {
900  0xcd4e3757, 0xfeb2d0ff, 0x2535f3e3, 0x54692166, 0xdc27554d, 0x6f850bb8,
901  0x133cf806, 0x2e148900, 0xd51f270a, 0xa467d916, 0x17f87a3b, 0x9a6b2528,
902  };
903 
904  kdf_test_vector_t test = {
905  .key_mode = kOtcryptoKeyModeHmacSha512,
906  .key_derivation_key = kdk_data,
907  .kdk_bytelen = 48,
908  .kdf_context = NULL,
909  .kdf_context_bytelen = 0,
910  .kdf_label = NULL,
911  .kdf_label_bytelen = 0,
912  .km_mode = kOtcryptoKeyModeAesEcb,
913  .keying_material = km_data,
914  .km_bytelen = 48,
915  };
916  return run_test(&test);
917 }
918 
919 /**
920  * Test case 14:
921  *
922  * Basic test case with HMAC SHA512 using 2048 bit input and output keys
923  *
924  * KDF Mode = HMAC Counter
925  * KDK = 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
926  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
927  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
928  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
929  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
930  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
931  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
932  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
933  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
934  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
935  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
936  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
937  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
938  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
939  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
940  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b (256 octets)
941  * context = 0x8081828384858687 (8 octets)
942  * label = 0xc0c1c2c3c4c5 (6 octets)
943  * L = 2048 bits
944  *
945  * KM = 0x77308324dafd68b6c51e50be73bb1a41
946  * c36a6b15c2216716ba21f1e41f5ca60d
947  * 7aa5fa4960d16ba679d3083bb484dbd2
948  * 42071daca754316f57bf7f892154c62a
949  * 51598f2a3b26faf7f554f8e5d24357a2
950  * ae61198e9b5f2dc24e669d3943250631
951  * 08a40a54011b6c4f908ac8bbf3dc95d2
952  * 4cdc35c983fd19a9a3a7c075fc2be70f
953  * 8cc9693f13e952c7c1be7cfd3aaaf163
954  * 63873670e10bf17d0bcccdfc0ccce9c9
955  * 2349326b09b9fe8c354944d4d1c5729f
956  * af8b4d2d9f44b9231f1397688544c6a5
957  * cc9254987851dea4372403267eb579d3
958  * 95c3b926db7c0207954d95782f6db2b7
959  * 8546e10571a2d47c9ff33226d5229975
960  * f4181322a22b863f588f13a385f5eb79 (256 octets)
961  */
962 static status_t kdf_hmac_ctr_sha512_kdk256_km256_test(void) {
963  uint32_t kdk_data[] = {
964  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
965  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
966  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
967  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
968  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
969  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
970  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
971  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
972  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
973  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
974  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
975  };
976  uint8_t context_data[] = {
977  0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
978  };
979  uint8_t label_data[] = {
980  0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5,
981  };
982  uint32_t km_data[] = {
983  0x24833077, 0xb668fdda, 0xbe501ec5, 0x411abb73, 0x156b6ac3, 0x166721c2,
984  0xe4f121ba, 0x0da65c1f, 0x49faa57a, 0xa66bd160, 0x3b08d379, 0xd2db84b4,
985  0xac1d0742, 0x6f3154a7, 0x897fbf57, 0x2ac65421, 0x2a8f5951, 0xf7fa263b,
986  0xe5f854f5, 0xa25743d2, 0x8e1961ae, 0xc22d5f9b, 0x399d664e, 0x31062543,
987  0x540aa408, 0x4f6c1b01, 0xbbc88a90, 0xd295dcf3, 0xc935dc4c, 0xa919fd83,
988  0x75c0a7a3, 0x0fe72bfc, 0x3f69c98c, 0xc752e913, 0xfd7cbec1, 0x63f1aa3a,
989  0x70368763, 0x7df10be1, 0xfccdcc0b, 0xc9e9cc0c, 0x6b324923, 0x8cfeb909,
990  0xd4444935, 0x9f72c5d1, 0x2d4d8baf, 0x23b9449f, 0x6897131f, 0xa5c64485,
991  0x985492cc, 0xa4de5178, 0x26032437, 0xd379b57e, 0x26b9c395, 0x07027cdb,
992  0x78954d95, 0xb7b26d2f, 0x05e14685, 0x7cd4a271, 0x2632f39f, 0x759922d5,
993  0x221318f4, 0x3f862ba2, 0xa3138f58, 0x79ebf585,
994  };
995 
996  kdf_test_vector_t test = {
997  .key_mode = kOtcryptoKeyModeHmacSha512,
998  .key_derivation_key = kdk_data,
999  .kdk_bytelen = 256,
1000  .kdf_context = context_data,
1001  .kdf_context_bytelen = sizeof(context_data),
1002  .kdf_label = label_data,
1003  .kdf_label_bytelen = sizeof(label_data),
1004  .km_mode = kOtcryptoKeyModeAesGcm,
1005  .keying_material = km_data,
1006  .km_bytelen = 256,
1007  };
1008  return run_test(&test);
1009 }
1010 
1011 /**
1012  * Test case 15:
1013  *
1014  * Basic test case with HMAC SHA512 using 2048 bit input and 128 bit output key
1015  *
1016  * KDF Mode = HMAC Counter
1017  * KDK = 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
1018  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
1019  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
1020  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
1021  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
1022  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
1023  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
1024  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
1025  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
1026  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
1027  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
1028  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
1029  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
1030  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
1031  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
1032  * 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b (256 octets)
1033  * context = 0x90919293 (4 octets)
1034  * label = 0xd0d1 (2 octets)
1035  * L = 128 bits
1036  *
1037  * KM = 0x5ca93058c2a2dfb5d15063fcea57c88f (16 octets)
1038  */
1039 static status_t kdf_hmac_ctr_sha512_kdk256_km16_test(void) {
1040  uint32_t kdk_data[] = {
1041  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
1042  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
1043  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
1044  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
1045  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
1046  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
1047  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
1048  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
1049  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
1050  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
1051  0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b, 0x0b0b0b0b,
1052  };
1053  uint8_t context_data[] = {
1054  0x90,
1055  0x91,
1056  0x92,
1057  0x93,
1058  };
1059  uint8_t label_data[] = {
1060  0xd0,
1061  0xd1,
1062  };
1063  uint32_t km_data[] = {
1064  0x5830a95c,
1065  0xb5dfa2c2,
1066  0xfc6350d1,
1067  0x8fc857ea,
1068  };
1069 
1070  kdf_test_vector_t test = {
1071  .key_mode = kOtcryptoKeyModeHmacSha512,
1072  .key_derivation_key = kdk_data,
1073  .kdk_bytelen = 256,
1074  .kdf_context = context_data,
1075  .kdf_context_bytelen = sizeof(context_data),
1076  .kdf_label = label_data,
1077  .kdf_label_bytelen = sizeof(label_data),
1078  .km_mode = kOtcryptoKeyModeAesGcm,
1079  .keying_material = km_data,
1080  .km_bytelen = 16,
1081  };
1082  return run_test(&test);
1083 }
1084 
1085 OTTF_DEFINE_TEST_CONFIG();
1086 
1087 bool test_main(void) {
1088  // Start the entropy complex.
1089  CHECK_STATUS_OK(entropy_complex_init());
1090 
1091  status_t test_result = OK_STATUS();
1092 
1093  // SHA256 tests
1094  EXECUTE_TEST(test_result, kdf_hmac_ctr_sha256_kdk16_km16_test);
1095  EXECUTE_TEST(test_result, kdf_hmac_ctr_sha256_kdk32_km32_test);
1096  EXECUTE_TEST(test_result, kdf_hmac_ctr_sha256_kdk48_km48_test);
1097  EXECUTE_TEST(test_result, kdf_hmac_ctr_sha256_kdk256_km256_test);
1098  EXECUTE_TEST(test_result, kdf_hmac_ctr_sha256_kdk256_km16_test);
1099 
1100  // SHA384 tests
1101  EXECUTE_TEST(test_result, kdf_hmac_ctr_sha384_kdk16_km16_test);
1102  EXECUTE_TEST(test_result, kdf_hmac_ctr_sha384_kdk32_km32_test);
1103  EXECUTE_TEST(test_result, kdf_hmac_ctr_sha384_kdk48_km48_test);
1104  EXECUTE_TEST(test_result, kdf_hmac_ctr_sha384_kdk256_km256_test);
1105  EXECUTE_TEST(test_result, kdf_hmac_ctr_sha384_kdk256_km16_test);
1106 
1107  // SHA512 tests
1108  EXECUTE_TEST(test_result, kdf_hmac_ctr_sha512_kdk16_km16_test);
1109  EXECUTE_TEST(test_result, kdf_hmac_ctr_sha512_kdk32_km32_test);
1110  EXECUTE_TEST(test_result, kdf_hmac_ctr_sha512_kdk48_km48_test);
1111  EXECUTE_TEST(test_result, kdf_hmac_ctr_sha512_kdk256_km256_test);
1112  EXECUTE_TEST(test_result, kdf_hmac_ctr_sha512_kdk256_km16_test);
1113 
1114  return status_ok(test_result);
1115 }
Return to OpenTitan Documentation