1 /*
2  * crypto module tests
3  * Copyright (c) 2014-2015, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "utils/includes.h"
10 
11 #include "utils/common.h"
12 #include "utils/module_tests.h"
13 #include "crypto/aes_siv.h"
14 #include "crypto/aes_wrap.h"
15 #include "crypto/aes.h"
16 #include "crypto/ms_funcs.h"
17 #include "crypto/crypto.h"
18 #include "crypto/sha1.h"
19 #include "crypto/sha256.h"
20 #include "crypto/sha384.h"
21 
22 
test_siv(void)23 static int test_siv(void)
24 {
25 #ifdef CONFIG_MESH
26           /* RFC 5297, A.1. Deterministic Authenticated Encryption Example */
27           u8 key[] = {
28                     0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
29                     0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
30                     0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
31                     0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff
32           };
33           u8 ad[] = {
34                     0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
35                     0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
36                     0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27
37           };
38           u8 plaintext[] = {
39                     0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88,
40                     0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee
41           };
42           u8 iv_c[] = {
43                     0x85, 0x63, 0x2d, 0x07, 0xc6, 0xe8, 0xf3, 0x7f,
44                     0x95, 0x0a, 0xcd, 0x32, 0x0a, 0x2e, 0xcc, 0x93,
45                     0x40, 0xc0, 0x2b, 0x96, 0x90, 0xc4, 0xdc, 0x04,
46                     0xda, 0xef, 0x7f, 0x6a, 0xfe, 0x5c
47           };
48           /* RFC 5297, A.2. Nonce-Based Authenticated Encryption Example */
49           u8 key_2[] = {
50                     0x7f, 0x7e, 0x7d, 0x7c, 0x7b, 0x7a, 0x79, 0x78,
51                     0x77, 0x76, 0x75, 0x74, 0x73, 0x72, 0x71, 0x70,
52                     0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
53                     0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f
54           };
55           u8 ad1_2[] = {
56                     0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
57                     0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
58                     0xde, 0xad, 0xda, 0xda, 0xde, 0xad, 0xda, 0xda,
59                     0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99, 0x88,
60                     0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11, 0x00
61           };
62           u8 ad2_2[] = {
63                     0x10, 0x20, 0x30, 0x40, 0x50, 0x60, 0x70, 0x80,
64                     0x90, 0xa0
65           };
66           u8 nonce_2[] = {
67                     0x09, 0xf9, 0x11, 0x02, 0x9d, 0x74, 0xe3, 0x5b,
68                     0xd8, 0x41, 0x56, 0xc5, 0x63, 0x56, 0x88, 0xc0
69           };
70           u8 plaintext_2[] = {
71                     0x74, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20,
72                     0x73, 0x6f, 0x6d, 0x65, 0x20, 0x70, 0x6c, 0x61,
73                     0x69, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x20, 0x74,
74                     0x6f, 0x20, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70,
75                     0x74, 0x20, 0x75, 0x73, 0x69, 0x6e, 0x67, 0x20,
76                     0x53, 0x49, 0x56, 0x2d, 0x41, 0x45, 0x53
77           };
78           u8 iv_c_2[] = {
79                     0x7b, 0xdb, 0x6e, 0x3b, 0x43, 0x26, 0x67, 0xeb,
80                     0x06, 0xf4, 0xd1, 0x4b, 0xff, 0x2f, 0xbd, 0x0f,
81                     0xcb, 0x90, 0x0f, 0x2f, 0xdd, 0xbe, 0x40, 0x43,
82                     0x26, 0x60, 0x19, 0x65, 0xc8, 0x89, 0xbf, 0x17,
83                     0xdb, 0xa7, 0x7c, 0xeb, 0x09, 0x4f, 0xa6, 0x63,
84                     0xb7, 0xa3, 0xf7, 0x48, 0xba, 0x8a, 0xf8, 0x29,
85                     0xea, 0x64, 0xad, 0x54, 0x4a, 0x27, 0x2e, 0x9c,
86                     0x48, 0x5b, 0x62, 0xa3, 0xfd, 0x5c, 0x0d
87           };
88           u8 out[2 * AES_BLOCK_SIZE + sizeof(plaintext_2)];
89           const u8 *addr[3];
90           size_t len[3];
91 
92           /* RFC 5297, A.1. Deterministic Authenticated Encryption Example */
93           addr[0] = ad;
94           len[0] = sizeof(ad);
95 
96           if (aes_siv_encrypt(key, sizeof(key), plaintext, sizeof(plaintext),
97                                   1, addr, len, out)) {
98                     wpa_printf(MSG_ERROR, "AES-SIV mode encryption failed");
99                     return 1;
100           }
101           if (os_memcmp(out, iv_c, sizeof(iv_c)) != 0) {
102                     wpa_printf(MSG_ERROR,
103                                  "AES-SIV mode encryption returned invalid cipher text");
104                     return 1;
105           }
106 
107           if (aes_siv_decrypt(key, sizeof(key), iv_c, sizeof(iv_c),
108                                   1, addr, len, out)) {
109                     wpa_printf(MSG_ERROR, "AES-SIV mode decryption failed");
110                     return 1;
111           }
112           if (os_memcmp(out, plaintext, sizeof(plaintext)) != 0) {
113                     wpa_printf(MSG_ERROR,
114                                  "AES-SIV mode decryption returned invalid plain text");
115                     return 1;
116           }
117 
118           /* RFC 5297, A.2. Nonce-Based Authenticated Encryption Example */
119           addr[0] = ad1_2;
120           len[0] = sizeof(ad1_2);
121           addr[1] = ad2_2;
122           len[1] = sizeof(ad2_2);
123           addr[2] = nonce_2;
124           len[2] = sizeof(nonce_2);
125 
126           if (aes_siv_encrypt(key_2, sizeof(key_2),
127                                   plaintext_2, sizeof(plaintext_2),
128                                   3, addr, len, out)) {
129                     wpa_printf(MSG_ERROR, "AES-SIV mode encryption failed");
130                     return 1;
131           }
132           if (os_memcmp(out, iv_c_2, sizeof(iv_c_2)) != 0) {
133                     wpa_printf(MSG_ERROR,
134                                  "AES-SIV mode encryption returned invalid cipher text");
135                     return 1;
136           }
137 
138           if (aes_siv_decrypt(key_2, sizeof(key_2), iv_c_2, sizeof(iv_c_2),
139                                   3, addr, len, out)) {
140                     wpa_printf(MSG_ERROR, "AES-SIV mode decryption failed");
141                     return 1;
142           }
143           if (os_memcmp(out, plaintext_2, sizeof(plaintext_2)) != 0) {
144                     wpa_printf(MSG_ERROR,
145                                  "AES-SIV mode decryption returned invalid plain text");
146                     return 1;
147           }
148 
149           wpa_printf(MSG_INFO, "AES-SIV test cases passed");
150 #endif /* CONFIG_MESH */
151 
152           return 0;
153 }
154 
155 
156 /* OMAC1 AES-128 test vectors from
157  * http://csrc.nist.gov/CryptoToolkit/modes/proposedmodes/omac/omac-ad.pdf
158  * which are same as the examples from NIST SP800-38B
159  * http://csrc.nist.gov/CryptoToolkit/modes/800-38_Series_Publications/SP800-38B.pdf
160  */
161 
162 struct omac1_test_vector {
163           u8 k[16];
164           u8 msg[64];
165           int msg_len;
166           u8 tag[16];
167 };
168 
169 static const struct omac1_test_vector omac1_test_vectors[] =
170 {
171           {
172                     { 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
173                       0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c },
174                     { },
175                     0,
176                     { 0xbb, 0x1d, 0x69, 0x29, 0xe9, 0x59, 0x37, 0x28,
177                       0x7f, 0xa3, 0x7d, 0x12, 0x9b, 0x75, 0x67, 0x46 }
178           },
179           {
180                     { 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
181                       0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c },
182                     { 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
183                       0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a},
184                     16,
185                     { 0x07, 0x0a, 0x16, 0xb4, 0x6b, 0x4d, 0x41, 0x44,
186                       0xf7, 0x9b, 0xdd, 0x9d, 0xd0, 0x4a, 0x28, 0x7c }
187           },
188           {
189                     { 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
190                       0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c },
191                     { 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
192                       0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
193                       0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
194                       0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
195                       0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11 },
196                     40,
197                     { 0xdf, 0xa6, 0x67, 0x47, 0xde, 0x9a, 0xe6, 0x30,
198                       0x30, 0xca, 0x32, 0x61, 0x14, 0x97, 0xc8, 0x27 }
199           },
200           {
201                     { 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
202                       0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c },
203                     { 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
204                       0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
205                       0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
206                       0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
207                       0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11,
208                       0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef,
209                       0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17,
210                       0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10 },
211                     64,
212                     { 0x51, 0xf0, 0xbe, 0xbf, 0x7e, 0x3b, 0x9d, 0x92,
213                       0xfc, 0x49, 0x74, 0x17, 0x79, 0x36, 0x3c, 0xfe }
214           },
215 };
216 
217 
test_omac1_vector(const struct omac1_test_vector * tv,unsigned int i)218 static int test_omac1_vector(const struct omac1_test_vector *tv,
219                                    unsigned int i)
220 {
221           u8 key[] = {
222                     0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
223                     0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c
224           };
225           u8 msg[] = { 0x12, 0x34, 0x56 };
226           u8 result[24], result2[24];
227           const u8 *addr[3];
228           size_t len[3];
229 
230           if (omac1_aes_128(tv->k, tv->msg, tv->msg_len, result) ||
231               os_memcmp(result, tv->tag, 16) != 0) {
232                     wpa_printf(MSG_ERROR, "OMAC1-AES-128 test vector %u failed", i);
233                     return 1;
234           }
235 
236           if (tv->msg_len > 1) {
237 
238                     addr[0] = tv->msg;
239                     len[0] = 1;
240                     addr[1] = tv->msg + 1;
241                     len[1] = tv->msg_len - 1;
242 
243                     if (omac1_aes_128_vector(tv->k, 2, addr, len, result) ||
244                         os_memcmp(result, tv->tag, 16) != 0) {
245                               wpa_printf(MSG_ERROR,
246                                            "OMAC1-AES-128(vector) test vector %u failed",
247                                            i);
248                               return 1;
249                     }
250 
251                     addr[0] = tv->msg;
252                     len[0] = tv->msg_len - 2;
253                     addr[1] = tv->msg + tv->msg_len - 2;
254                     len[1] = 1;
255                     addr[2] = tv->msg + tv->msg_len - 1;
256                     len[2] = 1;
257 
258                     if (omac1_aes_128_vector(tv->k, 3, addr, len, result) ||
259                         os_memcmp(result, tv->tag, 16) != 0) {
260                               wpa_printf(MSG_ERROR,
261                                            "OMAC1-AES-128(vector2) test vector %u failed",
262                                            i);
263                               return 1;
264                     }
265           }
266 
267           addr[0] = &msg[0];
268           len[0] = 1;
269           addr[1] = &msg[1];
270           len[1] = 1;
271           addr[2] = &msg[2];
272           len[2] = 1;
273           if (omac1_aes_128(key, msg, sizeof(msg), result) ||
274               omac1_aes_128_vector(key, 3, addr, len, result2) ||
275               os_memcmp(result, result2, 16) != 0) {
276                     wpa_printf(MSG_ERROR, "OMAC1-AES-128 short test mismatch");
277                     return 1;
278           }
279 
280           return 0;
281 }
282 
283 
test_omac1(void)284 static int test_omac1(void)
285 {
286           unsigned int i;
287 
288           for (i = 0; i < ARRAY_SIZE(omac1_test_vectors); i++) {
289                     if (test_omac1_vector(&omac1_test_vectors[i], i))
290                               return 1;
291           }
292 
293           wpa_printf(MSG_INFO, "OMAC1-AES-128 test cases passed");
294 
295           return 0;
296 }
297 
298 
test_eax(void)299 static int test_eax(void)
300 {
301 #ifdef EAP_PSK
302           u8 msg[] = { 0xF7, 0xFB };
303           u8 key[] = { 0x91, 0x94, 0x5D, 0x3F, 0x4D, 0xCB, 0xEE, 0x0B,
304                          0xF4, 0x5E, 0xF5, 0x22, 0x55, 0xF0, 0x95, 0xA4 };
305           u8 nonce[] = { 0xBE, 0xCA, 0xF0, 0x43, 0xB0, 0xA2, 0x3D, 0x84,
306                            0x31, 0x94, 0xBA, 0x97, 0x2C, 0x66, 0xDE, 0xBD };
307           u8 hdr[] = { 0xFA, 0x3B, 0xFD, 0x48, 0x06, 0xEB, 0x53, 0xFA };
308           u8 cipher[] = { 0x19, 0xDD, 0x5C, 0x4C, 0x93, 0x31, 0x04, 0x9D,
309                               0x0B, 0xDA, 0xB0, 0x27, 0x74, 0x08, 0xF6, 0x79,
310                               0x67, 0xE5 };
311           u8 data[sizeof(msg)], tag[AES_BLOCK_SIZE];
312 
313           os_memcpy(data, msg, sizeof(msg));
314           if (aes_128_eax_encrypt(key, nonce, sizeof(nonce), hdr, sizeof(hdr),
315                                         data, sizeof(data), tag)) {
316                     wpa_printf(MSG_ERROR, "AES-128 EAX mode encryption failed");
317                     return 1;
318           }
319           if (os_memcmp(data, cipher, sizeof(data)) != 0) {
320                     wpa_printf(MSG_ERROR,
321                                  "AES-128 EAX mode encryption returned invalid cipher text");
322                     return 1;
323           }
324           if (os_memcmp(tag, cipher + sizeof(data), AES_BLOCK_SIZE) != 0) {
325                     wpa_printf(MSG_ERROR,
326                                  "AES-128 EAX mode encryption returned invalid tag");
327                     return 1;
328           }
329 
330           if (aes_128_eax_decrypt(key, nonce, sizeof(nonce), hdr, sizeof(hdr),
331                                         data, sizeof(data), tag)) {
332                     wpa_printf(MSG_ERROR, "AES-128 EAX mode decryption failed");
333                     return 1;
334           }
335           if (os_memcmp(data, msg, sizeof(data)) != 0) {
336                     wpa_printf(MSG_ERROR,
337                                  "AES-128 EAX mode decryption returned invalid plain text");
338                     return 1;
339           }
340 
341           wpa_printf(MSG_INFO, "AES-128 EAX mode test cases passed");
342 #endif /* EAP_PSK */
343 
344           return 0;
345 }
346 
347 
test_cbc(void)348 static int test_cbc(void)
349 {
350           struct cbc_test_vector {
351                     u8 key[16];
352                     u8 iv[16];
353                     u8 plain[32];
354                     u8 cipher[32];
355                     size_t len;
356           } vectors[] = {
357                     {
358                               { 0x06, 0xa9, 0x21, 0x40, 0x36, 0xb8, 0xa1, 0x5b,
359                                 0x51, 0x2e, 0x03, 0xd5, 0x34, 0x12, 0x00, 0x06 },
360                               { 0x3d, 0xaf, 0xba, 0x42, 0x9d, 0x9e, 0xb4, 0x30,
361                                 0xb4, 0x22, 0xda, 0x80, 0x2c, 0x9f, 0xac, 0x41 },
362                               "Single block msg",
363                               { 0xe3, 0x53, 0x77, 0x9c, 0x10, 0x79, 0xae, 0xb8,
364                                 0x27, 0x08, 0x94, 0x2d, 0xbe, 0x77, 0x18, 0x1a },
365                               16
366                     },
367                     {
368                               { 0xc2, 0x86, 0x69, 0x6d, 0x88, 0x7c, 0x9a, 0xa0,
369                                 0x61, 0x1b, 0xbb, 0x3e, 0x20, 0x25, 0xa4, 0x5a },
370                               { 0x56, 0x2e, 0x17, 0x99, 0x6d, 0x09, 0x3d, 0x28,
371                                 0xdd, 0xb3, 0xba, 0x69, 0x5a, 0x2e, 0x6f, 0x58 },
372                               { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
373                                 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
374                                 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
375                                 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f },
376                               { 0xd2, 0x96, 0xcd, 0x94, 0xc2, 0xcc, 0xcf, 0x8a,
377                                 0x3a, 0x86, 0x30, 0x28, 0xb5, 0xe1, 0xdc, 0x0a,
378                                 0x75, 0x86, 0x60, 0x2d, 0x25, 0x3c, 0xff, 0xf9,
379                                 0x1b, 0x82, 0x66, 0xbe, 0xa6, 0xd6, 0x1a, 0xb1 },
380                               32
381                     }
382           };
383           int ret = 0;
384           u8 *buf;
385           unsigned int i;
386 
387           for (i = 0; i < ARRAY_SIZE(vectors); i++) {
388                     struct cbc_test_vector *tv = &vectors[i];
389 
390                     buf = os_malloc(tv->len);
391                     if (buf == NULL) {
392                               ret++;
393                               break;
394                     }
395 
396                     os_memcpy(buf, tv->plain, tv->len);
397                     if (aes_128_cbc_encrypt(tv->key, tv->iv, buf, tv->len) ||
398                         os_memcmp(buf, tv->cipher, tv->len) != 0) {
399                               wpa_printf(MSG_ERROR, "AES-CBC encrypt %d failed", i);
400                               ret++;
401                     }
402 
403                     os_memcpy(buf, tv->cipher, tv->len);
404                     if (aes_128_cbc_decrypt(tv->key, tv->iv, buf, tv->len) ||
405                         os_memcmp(buf, tv->plain, tv->len) != 0) {
406                               wpa_printf(MSG_ERROR, "AES-CBC decrypt %d failed", i);
407                               ret++;
408                     }
409 
410                     os_free(buf);
411           }
412 
413           return ret;
414 }
415 
416 
test_ecb(void)417 static int test_ecb(void)
418 {
419 #ifdef EAP_PSK
420           struct ecb_test_vector {
421                     char *key;
422                     char *plaintext;
423                     char *ciphertext;
424           } vectors[] = {
425                     /* CAVS 11.1 - ECBGFSbox128.rsp */
426                     {
427                               "00000000000000000000000000000000",
428                               "f34481ec3cc627bacd5dc3fb08f273e6",
429                               "0336763e966d92595a567cc9ce537f5e"
430                     },
431                     {
432                               "00000000000000000000000000000000",
433                               "9798c4640bad75c7c3227db910174e72",
434                               "a9a1631bf4996954ebc093957b234589"
435                     },
436                     {
437                               "00000000000000000000000000000000",
438                               "96ab5c2ff612d9dfaae8c31f30c42168",
439                               "ff4f8391a6a40ca5b25d23bedd44a597"
440                     },
441                     {
442                               "00000000000000000000000000000000",
443                               "6a118a874519e64e9963798a503f1d35",
444                               "dc43be40be0e53712f7e2bf5ca707209"
445                     },
446                     {
447                               "00000000000000000000000000000000",
448                               "cb9fceec81286ca3e989bd979b0cb284",
449                               "92beedab1895a94faa69b632e5cc47ce"
450                     },
451                     {
452                               "00000000000000000000000000000000",
453                               "b26aeb1874e47ca8358ff22378f09144",
454                               "459264f4798f6a78bacb89c15ed3d601"
455                     },
456                     {
457                               "00000000000000000000000000000000",
458                               "58c8e00b2631686d54eab84b91f0aca1",
459                               "08a4e2efec8a8e3312ca7460b9040bbf"
460                     },
461                     /* CAVS 11.1 - ECBKeySbox128.rsp */
462                     {
463                               "10a58869d74be5a374cf867cfb473859",
464                               "00000000000000000000000000000000",
465                               "6d251e6944b051e04eaa6fb4dbf78465"
466                     },
467                     {
468                               "caea65cdbb75e9169ecd22ebe6e54675",
469                               "00000000000000000000000000000000",
470                               "6e29201190152df4ee058139def610bb",
471                     }
472           };
473           int ret = 0;
474           unsigned int i;
475           u8 key[16], plain[16], cipher[16], out[16];
476 
477           for (i = 0; i < ARRAY_SIZE(vectors); i++) {
478                     struct ecb_test_vector *tv = &vectors[i];
479 
480                     if (hexstr2bin(tv->key, key, sizeof(key)) ||
481                         hexstr2bin(tv->plaintext, plain, sizeof(plain)) ||
482                         hexstr2bin(tv->ciphertext, cipher, sizeof(cipher))) {
483                               wpa_printf(MSG_ERROR, "Invalid AES-ECB test vector %u",
484                                            i);
485                               ret++;
486                               continue;
487                     }
488 
489                     if (aes_128_encrypt_block(key, plain, out) < 0 ||
490                         os_memcmp(out, cipher, 16) != 0) {
491                               wpa_printf(MSG_ERROR, "AES-ECB encrypt %u failed", i);
492                               ret++;
493                     }
494           }
495 
496           if (!ret)
497                     wpa_printf(MSG_INFO, "AES ECB mode test cases passed");
498 
499           return ret;
500 #endif /* EAP_PSK */
501 
502           return 0;
503 }
504 
505 
test_key_wrap(void)506 static int test_key_wrap(void)
507 {
508           int ret = 0;
509 
510           /* RFC 3394 - Test vector 4.1 */
511           u8 kek41[] = {
512                     0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
513                     0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
514           };
515           u8 plain41[] = {
516                     0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
517                     0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff
518           };
519           u8 crypt41[] = {
520                     0x1F, 0xA6, 0x8B, 0x0A, 0x81, 0x12, 0xB4, 0x47,
521                     0xAE, 0xF3, 0x4B, 0xD8, 0xFB, 0x5A, 0x7B, 0x82,
522                     0x9D, 0x3E, 0x86, 0x23, 0x71, 0xD2, 0xCF, 0xE5
523           };
524 #ifndef CONFIG_BORINGSSL
525           /* RFC 3394 - Test vector 4.2 */
526           u8 kek42[] = {
527                     0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
528                     0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
529                     0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17
530           };
531           u8 plain42[] = {
532                     0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
533                     0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff
534           };
535           u8 crypt42[] = {
536                     0x96, 0x77, 0x8B, 0x25, 0xAE, 0x6C, 0xA4, 0x35,
537                     0xF9, 0x2B, 0x5B, 0x97, 0xC0, 0x50, 0xAE, 0xD2,
538                     0x46, 0x8A, 0xB8, 0xA1, 0x7A, 0xD8, 0x4E, 0x5D
539           };
540 #endif /* CONFIG_BORINGSSL */
541           /* RFC 3394 - Test vector 4.3 */
542           u8 kek43[] = {
543                     0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
544                     0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
545                     0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
546                     0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F
547           };
548           u8 plain43[] = {
549                     0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
550                     0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff
551           };
552           u8 crypt43[] = {
553                     0x64, 0xE8, 0xC3, 0xF9, 0xCE, 0x0F, 0x5B, 0xA2,
554                     0x63, 0xE9, 0x77, 0x79, 0x05, 0x81, 0x8A, 0x2A,
555                     0x93, 0xC8, 0x19, 0x1E, 0x7D, 0x6E, 0x8A, 0xE7,
556           };
557 #ifndef CONFIG_BORINGSSL
558           /* RFC 3394 - Test vector 4.4 */
559           u8 kek44[] = {
560                     0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
561                     0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
562                     0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17
563           };
564           u8 plain44[] = {
565                     0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
566                     0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
567                     0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07
568           };
569           u8 crypt44[] = {
570                     0x03, 0x1D, 0x33, 0x26, 0x4E, 0x15, 0xD3, 0x32,
571                     0x68, 0xF2, 0x4E, 0xC2, 0x60, 0x74, 0x3E, 0xDC,
572                     0xE1, 0xC6, 0xC7, 0xDD, 0xEE, 0x72, 0x5A, 0x93,
573                     0x6B, 0xA8, 0x14, 0x91, 0x5C, 0x67, 0x62, 0xD2
574           };
575 #endif /* CONFIG_BORINGSSL */
576           /* RFC 3394 - Test vector 4.5 */
577           u8 kek45[] = {
578                     0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
579                     0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
580                     0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
581                     0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F
582           };
583           u8 plain45[] = {
584                     0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
585                     0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
586                     0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07
587           };
588           u8 crypt45[] = {
589                     0xA8, 0xF9, 0xBC, 0x16, 0x12, 0xC6, 0x8B, 0x3F,
590                     0xF6, 0xE6, 0xF4, 0xFB, 0xE3, 0x0E, 0x71, 0xE4,
591                     0x76, 0x9C, 0x8B, 0x80, 0xA3, 0x2C, 0xB8, 0x95,
592                     0x8C, 0xD5, 0xD1, 0x7D, 0x6B, 0x25, 0x4D, 0xA1,
593           };
594           /* RFC 3394 - Test vector 4.6 */
595           u8 kek46[] = {
596                     0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
597                     0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
598                     0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
599                     0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F
600           };
601           u8 plain46[] = {
602                     0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
603                     0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF,
604                     0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
605                     0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
606           };
607           u8 crypt46[] = {
608                     0x28, 0xC9, 0xF4, 0x04, 0xC4, 0xB8, 0x10, 0xF4,
609                     0xCB, 0xCC, 0xB3, 0x5C, 0xFB, 0x87, 0xF8, 0x26,
610                     0x3F, 0x57, 0x86, 0xE2, 0xD8, 0x0E, 0xD3, 0x26,
611                     0xCB, 0xC7, 0xF0, 0xE7, 0x1A, 0x99, 0xF4, 0x3B,
612                     0xFB, 0x98, 0x8B, 0x9B, 0x7A, 0x02, 0xDD, 0x21
613           };
614           u8 result[40];
615 
616           wpa_printf(MSG_INFO, "RFC 3394 - Test vector 4.1");
617           if (aes_wrap(kek41, sizeof(kek41), sizeof(plain41) / 8, plain41,
618                          result)) {
619                     wpa_printf(MSG_ERROR, "AES-WRAP-128 reported failure");
620                     ret++;
621           }
622           if (os_memcmp(result, crypt41, sizeof(crypt41)) != 0) {
623                     wpa_printf(MSG_ERROR, "AES-WRAP-128 failed");
624                     ret++;
625           }
626           if (aes_unwrap(kek41, sizeof(kek41), sizeof(plain41) / 8, crypt41,
627                            result)) {
628                     wpa_printf(MSG_ERROR, "AES-UNWRAP-128 reported failure");
629                     ret++;
630           }
631           if (os_memcmp(result, plain41, sizeof(plain41)) != 0) {
632                     wpa_printf(MSG_ERROR, "AES-UNWRAP-128 failed");
633                     ret++;
634           }
635 
636 #ifndef CONFIG_BORINGSSL
637           wpa_printf(MSG_INFO, "RFC 3394 - Test vector 4.2");
638           if (aes_wrap(kek42, sizeof(kek42), sizeof(plain42) / 8, plain42,
639                          result)) {
640                     wpa_printf(MSG_ERROR, "AES-WRAP-192 reported failure");
641                     ret++;
642           }
643           if (os_memcmp(result, crypt42, sizeof(crypt42)) != 0) {
644                     wpa_printf(MSG_ERROR, "AES-WRAP-192 failed");
645                     ret++;
646           }
647           if (aes_unwrap(kek42, sizeof(kek42), sizeof(plain42) / 8, crypt42,
648                            result)) {
649                     wpa_printf(MSG_ERROR, "AES-UNWRAP-192 reported failure");
650                     ret++;
651           }
652           if (os_memcmp(result, plain42, sizeof(plain42)) != 0) {
653                     wpa_printf(MSG_ERROR, "AES-UNWRAP-192 failed");
654                     ret++;
655           }
656 #endif /* CONFIG_BORINGSSL */
657 
658           wpa_printf(MSG_INFO, "RFC 3394 - Test vector 4.3");
659           if (aes_wrap(kek43, sizeof(kek43), sizeof(plain43) / 8, plain43,
660                          result)) {
661                     wpa_printf(MSG_ERROR, "AES-WRAP-256 reported failure");
662                     ret++;
663           }
664           if (os_memcmp(result, crypt43, sizeof(crypt43)) != 0) {
665                     wpa_printf(MSG_ERROR, "AES-WRAP-256 failed");
666                     ret++;
667           }
668           if (aes_unwrap(kek43, sizeof(kek43), sizeof(plain43) / 8, crypt43,
669                            result)) {
670                     wpa_printf(MSG_ERROR, "AES-UNWRAP-256 reported failure");
671                     ret++;
672           }
673           if (os_memcmp(result, plain43, sizeof(plain43)) != 0) {
674                     wpa_printf(MSG_ERROR, "AES-UNWRAP-256 failed");
675                     ret++;
676           }
677 
678 #ifndef CONFIG_BORINGSSL
679           wpa_printf(MSG_INFO, "RFC 3394 - Test vector 4.4");
680           if (aes_wrap(kek44, sizeof(kek44), sizeof(plain44) / 8, plain44,
681                          result)) {
682                     wpa_printf(MSG_ERROR, "AES-WRAP-192 reported failure");
683                     ret++;
684           }
685           if (os_memcmp(result, crypt44, sizeof(crypt44)) != 0) {
686                     wpa_printf(MSG_ERROR, "AES-WRAP-192 failed");
687                     ret++;
688           }
689           if (aes_unwrap(kek44, sizeof(kek44), sizeof(plain44) / 8, crypt44,
690                            result)) {
691                     wpa_printf(MSG_ERROR, "AES-UNWRAP-192 reported failure");
692                     ret++;
693           }
694           if (os_memcmp(result, plain44, sizeof(plain44)) != 0) {
695                     wpa_printf(MSG_ERROR, "AES-UNWRAP-192 failed");
696                     ret++;
697           }
698 #endif /* CONFIG_BORINGSSL */
699 
700           wpa_printf(MSG_INFO, "RFC 3394 - Test vector 4.5");
701           if (aes_wrap(kek45, sizeof(kek45), sizeof(plain45) / 8, plain45,
702                          result)) {
703                     wpa_printf(MSG_ERROR, "AES-WRAP-256 reported failure");
704                     ret++;
705           }
706           if (os_memcmp(result, crypt45, sizeof(crypt45)) != 0) {
707                     wpa_printf(MSG_ERROR, "AES-WRAP-256 failed");
708                     ret++;
709           }
710           if (aes_unwrap(kek45, sizeof(kek45), sizeof(plain45) / 8, crypt45,
711                            result)) {
712                     wpa_printf(MSG_ERROR, "AES-UNWRAP-256 reported failure");
713                     ret++;
714           }
715           if (os_memcmp(result, plain45, sizeof(plain45)) != 0) {
716                     wpa_printf(MSG_ERROR, "AES-UNWRAP-256 failed");
717                     ret++;
718           }
719 
720           wpa_printf(MSG_INFO, "RFC 3394 - Test vector 4.6");
721           if (aes_wrap(kek46, sizeof(kek46), sizeof(plain46) / 8, plain46,
722                          result)) {
723                     wpa_printf(MSG_ERROR, "AES-WRAP-256 reported failure");
724                     ret++;
725           }
726           if (os_memcmp(result, crypt46, sizeof(crypt46)) != 0) {
727                     wpa_printf(MSG_ERROR, "AES-WRAP-256 failed");
728                     ret++;
729           }
730           if (aes_unwrap(kek46, sizeof(kek46), sizeof(plain46) / 8, crypt46,
731                            result)) {
732                     wpa_printf(MSG_ERROR, "AES-UNWRAP-256 reported failure");
733                     ret++;
734           }
735           if (os_memcmp(result, plain46, sizeof(plain46)) != 0) {
736                     wpa_printf(MSG_ERROR, "AES-UNWRAP-256 failed");
737                     ret++;
738           }
739 
740           if (!ret)
741                     wpa_printf(MSG_INFO, "AES key wrap/unwrap test cases passed");
742 
743           return ret;
744 }
745 
746 
test_aes_ctr(void)747 static int test_aes_ctr(void)
748 {
749           int res = 0;
750 
751 #if defined(CONFIG_MESH) || defined(CONFIG_PSK)
752           /* CTR-AES*.Encrypt test vectors from NIST SP 800-38a */
753           const u8 key128[] = {
754                     0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
755                     0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c
756           };
757           const u8 counter128[] = {
758                     0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
759                     0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff
760           };
761           const u8 plain128[] = {
762                     0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
763                     0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
764                     0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
765                     0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
766                     0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11,
767                     0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef,
768                     0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17,
769                     0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10
770           };
771           const u8 cipher128[] = {
772                     0x87, 0x4d, 0x61, 0x91, 0xb6, 0x20, 0xe3, 0x26,
773                     0x1b, 0xef, 0x68, 0x64, 0x99, 0x0d, 0xb6, 0xce,
774                     0x98, 0x06, 0xf6, 0x6b, 0x79, 0x70, 0xfd, 0xff,
775                     0x86, 0x17, 0x18, 0x7b, 0xb9, 0xff, 0xfd, 0xff,
776                     0x5a, 0xe4, 0xdf, 0x3e, 0xdb, 0xd5, 0xd3, 0x5e,
777                     0x5b, 0x4f, 0x09, 0x02, 0x0d, 0xb0, 0x3e, 0xab,
778                     0x1e, 0x03, 0x1d, 0xda, 0x2f, 0xbe, 0x03, 0xd1,
779                     0x79, 0x21, 0x70, 0xa0, 0xf3, 0x00, 0x9c, 0xee
780           };
781           const u8 key192[] = {
782                     0x8e, 0x73, 0xb0, 0xf7, 0xda, 0x0e, 0x64, 0x52,
783                     0xc8, 0x10, 0xf3, 0x2b, 0x80, 0x90, 0x79, 0xe5,
784                     0x62, 0xf8, 0xea, 0xd2, 0x52, 0x2c, 0x6b, 0x7b
785           };
786           const u8 counter192[] = {
787                     0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
788                     0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff
789           };
790           const u8 plain192[] = {
791                     0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
792                     0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
793                     0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
794                     0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
795                     0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11,
796                     0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef,
797                     0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17,
798                     0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10
799           };
800           const u8 cipher192[] = {
801                     0x1a, 0xbc, 0x93, 0x24, 0x17, 0x52, 0x1c, 0xa2,
802                     0x4f, 0x2b, 0x04, 0x59, 0xfe, 0x7e, 0x6e, 0x0b,
803                     0x09, 0x03, 0x39, 0xec, 0x0a, 0xa6, 0xfa, 0xef,
804                     0xd5, 0xcc, 0xc2, 0xc6, 0xf4, 0xce, 0x8e, 0x94,
805                     0x1e, 0x36, 0xb2, 0x6b, 0xd1, 0xeb, 0xc6, 0x70,
806                     0xd1, 0xbd, 0x1d, 0x66, 0x56, 0x20, 0xab, 0xf7,
807                     0x4f, 0x78, 0xa7, 0xf6, 0xd2, 0x98, 0x09, 0x58,
808                     0x5a, 0x97, 0xda, 0xec, 0x58, 0xc6, 0xb0, 0x50
809           };
810           const u8 key256[] = {
811                     0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe,
812                     0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81,
813                     0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, 0x08, 0xd7,
814                     0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4
815           };
816           const u8 counter256[] = {
817                     0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
818                     0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff
819           };
820           const u8 plain256[] = {
821                     0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
822                     0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
823                     0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
824                     0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
825                     0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11,
826                     0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef,
827                     0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17,
828                     0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10
829           };
830           const u8 cipher256[] = {
831                     0x60, 0x1e, 0xc3, 0x13, 0x77, 0x57, 0x89, 0xa5,
832                     0xb7, 0xa7, 0xf5, 0x04, 0xbb, 0xf3, 0xd2, 0x28,
833                     0xf4, 0x43, 0xe3, 0xca, 0x4d, 0x62, 0xb5, 0x9a,
834                     0xca, 0x84, 0xe9, 0x90, 0xca, 0xca, 0xf5, 0xc5,
835                     0x2b, 0x09, 0x30, 0xda, 0xa2, 0x3d, 0xe9, 0x4c,
836                     0xe8, 0x70, 0x17, 0xba, 0x2d, 0x84, 0x98, 0x8d,
837                     0xdf, 0xc9, 0xc5, 0x8d, 0xb6, 0x7a, 0xad, 0xa6,
838                     0x13, 0xc2, 0xdd, 0x08, 0x45, 0x79, 0x41, 0xa6
839           };
840           size_t len;
841           u8 *tmp;
842 
843           wpa_printf(MSG_DEBUG, "CTR-AES128.Encrypt");
844           len = sizeof(plain128);
845           tmp = os_malloc(len);
846           if (!tmp)
847                     return -1;
848           os_memcpy(tmp, plain128, len);
849           if (aes_ctr_encrypt(key128, sizeof(key128), counter128, tmp, len) < 0) {
850                     wpa_printf(MSG_ERROR, "aes_ctr_encrypt() failed");
851                     res = -1;
852           } else if (os_memcmp(tmp, cipher128, len) != 0) {
853                     wpa_printf(MSG_ERROR,
854                                  "CTR-AES128.Encrypt test vector did not match");
855                     res = -1;
856           }
857           os_free(tmp);
858 
859           wpa_printf(MSG_DEBUG, "CTR-AES192.Encrypt");
860           len = sizeof(plain192);
861           tmp = os_malloc(len);
862           if (!tmp)
863                     return -1;
864           os_memcpy(tmp, plain192, len);
865           if (aes_ctr_encrypt(key192, sizeof(key192), counter192, tmp, len) < 0) {
866                     wpa_printf(MSG_ERROR, "aes_ctr_encrypt() failed");
867                     res = -1;
868           } else if (os_memcmp(tmp, cipher192, len) != 0) {
869                     wpa_printf(MSG_ERROR,
870                                  "CTR-AES192.Encrypt test vector did not match");
871                     res = -1;
872           }
873           os_free(tmp);
874 
875           wpa_printf(MSG_DEBUG, "CTR-AES256.Encrypt");
876           len = sizeof(plain256);
877           tmp = os_malloc(len);
878           if (!tmp)
879                     return -1;
880           os_memcpy(tmp, plain256, len);
881           if (aes_ctr_encrypt(key256, sizeof(key256), counter256, tmp, len) < 0) {
882                     wpa_printf(MSG_ERROR, "aes_ctr_encrypt() failed");
883                     res = -1;
884           } else if (os_memcmp(tmp, cipher256, len) != 0) {
885                     wpa_printf(MSG_ERROR,
886                                  "CTR-AES256.Encrypt test vector did not match");
887                     res = -1;
888           }
889           os_free(tmp);
890 #endif
891 
892           return res;
893 }
894 
895 
test_md5(void)896 static int test_md5(void)
897 {
898 #ifndef CONFIG_FIPS
899           struct {
900                     char *data;
901                     char *hash;
902           } tests[] = {
903                     {
904                               "",
905                               "\xd4\x1d\x8c\xd9\x8f\x00\xb2\x04"
906                               "\xe9\x80\x09\x98\xec\xf8\x42\x7e"
907                     },
908                     {
909                               "a",
910                               "\x0c\xc1\x75\xb9\xc0\xf1\xb6\xa8"
911                               "\x31\xc3\x99\xe2\x69\x77\x26\x61"
912                     },
913                     {
914                               "abc",
915                               "\x90\x01\x50\x98\x3c\xd2\x4f\xb0"
916                               "\xd6\x96\x3f\x7d\x28\xe1\x7f\x72"
917                     },
918                     {
919                               "message digest",
920                               "\xf9\x6b\x69\x7d\x7c\xb7\x93\x8d"
921                               "\x52\x5a\x2f\x31\xaa\xf1\x61\xd0"
922                     },
923                     {
924                               "abcdefghijklmnopqrstuvwxyz",
925                               "\xc3\xfc\xd3\xd7\x61\x92\xe4\x00"
926                               "\x7d\xfb\x49\x6c\xca\x67\xe1\x3b"
927                     },
928                     {
929                               "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
930                               "0123456789",
931                               "\xd1\x74\xab\x98\xd2\x77\xd9\xf5"
932                               "\xa5\x61\x1c\x2c\x9f\x41\x9d\x9f"
933                     },
934                     {
935                               "12345678901234567890123456789012345678901234567890"
936                               "123456789012345678901234567890",
937                               "\x57\xed\xf4\xa2\x2b\xe3\xc9\x55"
938                               "\xac\x49\xda\x2e\x21\x07\xb6\x7a"
939                     }
940           };
941           unsigned int i;
942           u8 hash[16];
943           const u8 *addr[2];
944           size_t len[2];
945           int errors = 0;
946 
947           for (i = 0; i < ARRAY_SIZE(tests); i++) {
948                     wpa_printf(MSG_INFO, "MD5 test case %d", i);
949 
950                     addr[0] = (u8 *) tests[i].data;
951                     len[0] = strlen(tests[i].data);
952                     if (md5_vector(1, addr, len, hash) < 0 ||
953                         os_memcmp(hash, tests[i].hash, 16) != 0) {
954                               wpa_printf(MSG_INFO, " FAIL");
955                               errors++;
956                     } else
957                               wpa_printf(MSG_INFO, " OK");
958 
959                     if (len[0]) {
960                               addr[0] = (u8 *) tests[i].data;
961                               len[0] = strlen(tests[i].data);
962                               addr[1] = (u8 *) tests[i].data + 1;
963                               len[1] = strlen(tests[i].data) - 1;
964                               if (md5_vector(1, addr, len, hash) < 0 ||
965                                   os_memcmp(hash, tests[i].hash, 16) != 0) {
966                                         wpa_printf(MSG_INFO, " FAIL");
967                                         errors++;
968                               } else
969                                         wpa_printf(MSG_INFO, " OK");
970                     }
971           }
972 
973           if (!errors)
974                     wpa_printf(MSG_INFO, "MD5 test cases passed");
975 
976           return errors;
977 #else /* CONFIG_FIPS */
978           wpa_printf(MSG_INFO, "MD5 test cases skipped due to CONFIG_FIPS");
979           return 0;
980 #endif /* CONFIG_FIPS */
981 }
982 
983 
test_eap_fast(void)984 static int test_eap_fast(void)
985 {
986 #ifdef EAP_FAST
987           /* RFC 4851, Appendix B.1 */
988           const u8 pac_key[] = {
989                     0x0B, 0x97, 0x39, 0x0F, 0x37, 0x51, 0x78, 0x09,
990                     0x81, 0x1E, 0xFD, 0x9C, 0x6E, 0x65, 0x94, 0x2B,
991                     0x63, 0x2C, 0xE9, 0x53, 0x89, 0x38, 0x08, 0xBA,
992                     0x36, 0x0B, 0x03, 0x7C, 0xD1, 0x85, 0xE4, 0x14
993           };
994           const u8 seed[] = {
995                     0x3F, 0xFB, 0x11, 0xC4, 0x6C, 0xBF, 0xA5, 0x7A,
996                     0x54, 0x40, 0xDA, 0xE8, 0x22, 0xD3, 0x11, 0xD3,
997                     0xF7, 0x6D, 0xE4, 0x1D, 0xD9, 0x33, 0xE5, 0x93,
998                     0x70, 0x97, 0xEB, 0xA9, 0xB3, 0x66, 0xF4, 0x2A,
999                     0x00, 0x00, 0x00, 0x02, 0x6A, 0x66, 0x43, 0x2A,
1000                     0x8D, 0x14, 0x43, 0x2C, 0xEC, 0x58, 0x2D, 0x2F,
1001                     0xC7, 0x9C, 0x33, 0x64, 0xBA, 0x04, 0xAD, 0x3A,
1002                     0x52, 0x54, 0xD6, 0xA5, 0x79, 0xAD, 0x1E, 0x00
1003           };
1004           const u8 master_secret[] = {
1005                     0x4A, 0x1A, 0x51, 0x2C, 0x01, 0x60, 0xBC, 0x02,
1006                     0x3C, 0xCF, 0xBC, 0x83, 0x3F, 0x03, 0xBC, 0x64,
1007                     0x88, 0xC1, 0x31, 0x2F, 0x0B, 0xA9, 0xA2, 0x77,
1008                     0x16, 0xA8, 0xD8, 0xE8, 0xBD, 0xC9, 0xD2, 0x29,
1009                     0x38, 0x4B, 0x7A, 0x85, 0xBE, 0x16, 0x4D, 0x27,
1010                     0x33, 0xD5, 0x24, 0x79, 0x87, 0xB1, 0xC5, 0xA2
1011           };
1012 #ifndef CONFIG_FIPS
1013           const u8 key_block[] = {
1014                     0x59, 0x59, 0xBE, 0x8E, 0x41, 0x3A, 0x77, 0x74,
1015                     0x8B, 0xB2, 0xE5, 0xD3, 0x60, 0xAC, 0x4D, 0x35,
1016                     0xDF, 0xFB, 0xC8, 0x1E, 0x9C, 0x24, 0x9C, 0x8B,
1017                     0x0E, 0xC3, 0x1D, 0x72, 0xC8, 0x84, 0x9D, 0x57,
1018                     0x48, 0x51, 0x2E, 0x45, 0x97, 0x6C, 0x88, 0x70,
1019                     0xBE, 0x5F, 0x01, 0xD3, 0x64, 0xE7, 0x4C, 0xBB,
1020                     0x11, 0x24, 0xE3, 0x49, 0xE2, 0x3B, 0xCD, 0xEF,
1021                     0x7A, 0xB3, 0x05, 0x39, 0x5D, 0x64, 0x8A, 0x44,
1022                     0x11, 0xB6, 0x69, 0x88, 0x34, 0x2E, 0x8E, 0x29,
1023                     0xD6, 0x4B, 0x7D, 0x72, 0x17, 0x59, 0x28, 0x05,
1024                     0xAF, 0xF9, 0xB7, 0xFF, 0x66, 0x6D, 0xA1, 0x96,
1025                     0x8F, 0x0B, 0x5E, 0x06, 0x46, 0x7A, 0x44, 0x84,
1026                     0x64, 0xC1, 0xC8, 0x0C, 0x96, 0x44, 0x09, 0x98,
1027                     0xFF, 0x92, 0xA8, 0xB4, 0xC6, 0x42, 0x28, 0x71
1028           };
1029 #endif /* CONFIG_FIPS */
1030           const u8 sks[] = {
1031                     0xD6, 0x4B, 0x7D, 0x72, 0x17, 0x59, 0x28, 0x05,
1032                     0xAF, 0xF9, 0xB7, 0xFF, 0x66, 0x6D, 0xA1, 0x96,
1033                     0x8F, 0x0B, 0x5E, 0x06, 0x46, 0x7A, 0x44, 0x84,
1034                     0x64, 0xC1, 0xC8, 0x0C, 0x96, 0x44, 0x09, 0x98,
1035                     0xFF, 0x92, 0xA8, 0xB4, 0xC6, 0x42, 0x28, 0x71
1036           };
1037           const u8 isk[] = {
1038                     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1039                     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1040                     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1041                     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
1042           };
1043           const u8 imck[] = {
1044                     0x16, 0x15, 0x3C, 0x3F, 0x21, 0x55, 0xEF, 0xD9,
1045                     0x7F, 0x34, 0xAE, 0xC8, 0x1A, 0x4E, 0x66, 0x80,
1046                     0x4C, 0xC3, 0x76, 0xF2, 0x8A, 0xA9, 0x6F, 0x96,
1047                     0xC2, 0x54, 0x5F, 0x8C, 0xAB, 0x65, 0x02, 0xE1,
1048                     0x18, 0x40, 0x7B, 0x56, 0xBE, 0xEA, 0xA7, 0xC5,
1049                     0x76, 0x5D, 0x8F, 0x0B, 0xC5, 0x07, 0xC6, 0xB9,
1050                     0x04, 0xD0, 0x69, 0x56, 0x72, 0x8B, 0x6B, 0xB8,
1051                     0x15, 0xEC, 0x57, 0x7B
1052           };
1053           const u8 msk[] = {
1054                     0x4D, 0x83, 0xA9, 0xBE, 0x6F, 0x8A, 0x74, 0xED,
1055                     0x6A, 0x02, 0x66, 0x0A, 0x63, 0x4D, 0x2C, 0x33,
1056                     0xC2, 0xDA, 0x60, 0x15, 0xC6, 0x37, 0x04, 0x51,
1057                     0x90, 0x38, 0x63, 0xDA, 0x54, 0x3E, 0x14, 0xB9,
1058                     0x27, 0x99, 0x18, 0x1E, 0x07, 0xBF, 0x0F, 0x5A,
1059                     0x5E, 0x3C, 0x32, 0x93, 0x80, 0x8C, 0x6C, 0x49,
1060                     0x67, 0xED, 0x24, 0xFE, 0x45, 0x40, 0xA0, 0x59,
1061                     0x5E, 0x37, 0xC2, 0xE9, 0xD0, 0x5D, 0x0A, 0xE3
1062           };
1063           const u8 emsk[] = {
1064                     0x3A, 0xD4, 0xAB, 0xDB, 0x76, 0xB2, 0x7F, 0x3B,
1065                     0xEA, 0x32, 0x2C, 0x2B, 0x74, 0xF4, 0x28, 0x55,
1066                     0xEF, 0x2D, 0xBA, 0x78, 0xC9, 0x57, 0x2F, 0x0D,
1067                     0x06, 0xCD, 0x51, 0x7C, 0x20, 0x93, 0x98, 0xA9,
1068                     0x76, 0xEA, 0x70, 0x21, 0xD7, 0x0E, 0x25, 0x54,
1069                     0x97, 0xED, 0xB2, 0x8A, 0xF6, 0xED, 0xFD, 0x0A,
1070                     0x2A, 0xE7, 0xA1, 0x58, 0x90, 0x10, 0x50, 0x44,
1071                     0xB3, 0x82, 0x85, 0xDB, 0x06, 0x14, 0xD2, 0xF9
1072           };
1073           /* RFC 4851, Appendix B.2 */
1074           u8 tlv[] = {
1075                     0x80, 0x0C, 0x00, 0x38, 0x00, 0x01, 0x01, 0x00,
1076                     0xD8, 0x6A, 0x8C, 0x68, 0x3C, 0x32, 0x31, 0xA8,
1077                     0x56, 0x63, 0xB6, 0x40, 0x21, 0xFE, 0x21, 0x14,
1078                     0x4E, 0xE7, 0x54, 0x20, 0x79, 0x2D, 0x42, 0x62,
1079                     0xC9, 0xBF, 0x53, 0x7F, 0x54, 0xFD, 0xAC, 0x58,
1080                     0x43, 0x24, 0x6E, 0x30, 0x92, 0x17, 0x6D, 0xCF,
1081                     0xE6, 0xE0, 0x69, 0xEB, 0x33, 0x61, 0x6A, 0xCC,
1082                     0x05, 0xC5, 0x5B, 0xB7
1083           };
1084           const u8 compound_mac[] = {
1085                     0x43, 0x24, 0x6E, 0x30, 0x92, 0x17, 0x6D, 0xCF,
1086                     0xE6, 0xE0, 0x69, 0xEB, 0x33, 0x61, 0x6A, 0xCC,
1087                     0x05, 0xC5, 0x5B, 0xB7
1088           };
1089           u8 buf[512];
1090           const u8 *simck, *cmk;
1091           int errors = 0;
1092 
1093           wpa_printf(MSG_INFO, "EAP-FAST test cases");
1094 
1095           wpa_printf(MSG_INFO, "- T-PRF (SHA1) test case / master_secret");
1096           if (sha1_t_prf(pac_key, sizeof(pac_key),
1097                            "PAC to master secret label hash",
1098                            seed, sizeof(seed), buf, sizeof(master_secret)) < 0 ||
1099               os_memcmp(master_secret, buf, sizeof(master_secret)) != 0) {
1100                     wpa_printf(MSG_INFO, "T-PRF test - FAILED!");
1101                     errors++;
1102           }
1103 
1104 #ifndef CONFIG_FIPS
1105           wpa_printf(MSG_INFO, "- PRF (TLS, SHA1/MD5) test case / key_block");
1106           if (tls_prf_sha1_md5(master_secret, sizeof(master_secret),
1107                                    "key expansion", seed, sizeof(seed),
1108                                    buf, sizeof(key_block)) ||
1109               os_memcmp(key_block, buf, sizeof(key_block)) != 0) {
1110                     wpa_printf(MSG_INFO, "PRF test - FAILED!");
1111                     errors++;
1112           }
1113 #endif /* CONFIG_FIPS */
1114 
1115           wpa_printf(MSG_INFO, "- T-PRF (SHA1) test case / IMCK");
1116           if (sha1_t_prf(sks, sizeof(sks), "Inner Methods Compound Keys",
1117                            isk, sizeof(isk), buf, sizeof(imck)) < 0 ||
1118               os_memcmp(imck, buf, sizeof(imck)) != 0) {
1119                     wpa_printf(MSG_INFO, "T-PRF test - FAILED!");
1120                     errors++;
1121           }
1122 
1123           simck = imck;
1124           cmk = imck + 40;
1125 
1126           wpa_printf(MSG_INFO, "- T-PRF (SHA1) test case / MSK");
1127           if (sha1_t_prf(simck, 40, "Session Key Generating Function",
1128                            (u8 *) "", 0, buf, sizeof(msk)) < 0 ||
1129               os_memcmp(msk, buf, sizeof(msk)) != 0) {
1130                     wpa_printf(MSG_INFO, "T-PRF test - FAILED!");
1131                     errors++;
1132           }
1133 
1134           wpa_printf(MSG_INFO, "- T-PRF (SHA1) test case / EMSK");
1135           if (sha1_t_prf(simck, 40, "Extended Session Key Generating Function",
1136                            (u8 *) "", 0, buf, sizeof(msk)) < 0 ||
1137               os_memcmp(emsk, buf, sizeof(emsk)) != 0) {
1138                     wpa_printf(MSG_INFO, "T-PRF test - FAILED!");
1139                     errors++;
1140           }
1141 
1142           wpa_printf(MSG_INFO, "- Compound MAC test case");
1143           os_memset(tlv + sizeof(tlv) - 20, 0, 20);
1144           if (hmac_sha1(cmk, 20, tlv, sizeof(tlv), tlv + sizeof(tlv) - 20) < 0 ||
1145               os_memcmp(tlv + sizeof(tlv) - 20, compound_mac,
1146                           sizeof(compound_mac)) != 0) {
1147                     wpa_printf(MSG_INFO, "Compound MAC test - FAILED!");
1148                     errors++;
1149           }
1150 
1151           return errors;
1152 #else /* EAP_FAST */
1153           return 0;
1154 #endif /* EAP_FAST */
1155 }
1156 
1157 
1158 static const u8 key0[] =
1159 {
1160           0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
1161           0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
1162           0x0b, 0x0b, 0x0b, 0x0b
1163 };
1164 static const u8 data0[] = "Hi There";
1165 static const u8 prf0[] =
1166 {
1167           0xbc, 0xd4, 0xc6, 0x50, 0xb3, 0x0b, 0x96, 0x84,
1168           0x95, 0x18, 0x29, 0xe0, 0xd7, 0x5f, 0x9d, 0x54,
1169           0xb8, 0x62, 0x17, 0x5e, 0xd9, 0xf0, 0x06, 0x06,
1170           0xe1, 0x7d, 0x8d, 0xa3, 0x54, 0x02, 0xff, 0xee,
1171           0x75, 0xdf, 0x78, 0xc3, 0xd3, 0x1e, 0x0f, 0x88,
1172           0x9f, 0x01, 0x21, 0x20, 0xc0, 0x86, 0x2b, 0xeb,
1173           0x67, 0x75, 0x3e, 0x74, 0x39, 0xae, 0x24, 0x2e,
1174           0xdb, 0x83, 0x73, 0x69, 0x83, 0x56, 0xcf, 0x5a
1175 };
1176 
1177 static const u8 key1[] = "Jefe";
1178 static const u8 data1[] = "what do ya want for nothing?";
1179 static const u8 prf1[] =
1180 {
1181           0x51, 0xf4, 0xde, 0x5b, 0x33, 0xf2, 0x49, 0xad,
1182           0xf8, 0x1a, 0xeb, 0x71, 0x3a, 0x3c, 0x20, 0xf4,
1183           0xfe, 0x63, 0x14, 0x46, 0xfa, 0xbd, 0xfa, 0x58,
1184           0x24, 0x47, 0x59, 0xae, 0x58, 0xef, 0x90, 0x09,
1185           0xa9, 0x9a, 0xbf, 0x4e, 0xac, 0x2c, 0xa5, 0xfa,
1186           0x87, 0xe6, 0x92, 0xc4, 0x40, 0xeb, 0x40, 0x02,
1187           0x3e, 0x7b, 0xab, 0xb2, 0x06, 0xd6, 0x1d, 0xe7,
1188           0xb9, 0x2f, 0x41, 0x52, 0x90, 0x92, 0xb8, 0xfc
1189 };
1190 
1191 
1192 static const u8 key2[] =
1193 {
1194           0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1195           0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1196           0xaa, 0xaa, 0xaa, 0xaa
1197 };
1198 static const u8 data2[] =
1199 {
1200           0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
1201           0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
1202           0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
1203           0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
1204           0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
1205           0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
1206           0xdd, 0xdd
1207 };
1208 static const u8 prf2[] =
1209 {
1210           0xe1, 0xac, 0x54, 0x6e, 0xc4, 0xcb, 0x63, 0x6f,
1211           0x99, 0x76, 0x48, 0x7b, 0xe5, 0xc8, 0x6b, 0xe1,
1212           0x7a, 0x02, 0x52, 0xca, 0x5d, 0x8d, 0x8d, 0xf1,
1213           0x2c, 0xfb, 0x04, 0x73, 0x52, 0x52, 0x49, 0xce,
1214           0x9d, 0xd8, 0xd1, 0x77, 0xea, 0xd7, 0x10, 0xbc,
1215           0x9b, 0x59, 0x05, 0x47, 0x23, 0x91, 0x07, 0xae,
1216           0xf7, 0xb4, 0xab, 0xd4, 0x3d, 0x87, 0xf0, 0xa6,
1217           0x8f, 0x1c, 0xbd, 0x9e, 0x2b, 0x6f, 0x76, 0x07
1218 };
1219 
1220 
1221 struct passphrase_test {
1222           char *passphrase;
1223           char *ssid;
1224           char psk[32];
1225 };
1226 
1227 static const struct passphrase_test passphrase_tests[] =
1228 {
1229           {
1230                     "password",
1231                     "IEEE",
1232                     {
1233                               0xf4, 0x2c, 0x6f, 0xc5, 0x2d, 0xf0, 0xeb, 0xef,
1234                               0x9e, 0xbb, 0x4b, 0x90, 0xb3, 0x8a, 0x5f, 0x90,
1235                               0x2e, 0x83, 0xfe, 0x1b, 0x13, 0x5a, 0x70, 0xe2,
1236                               0x3a, 0xed, 0x76, 0x2e, 0x97, 0x10, 0xa1, 0x2e
1237                     }
1238           },
1239           {
1240                     "ThisIsAPassword",
1241                     "ThisIsASSID",
1242                     {
1243                               0x0d, 0xc0, 0xd6, 0xeb, 0x90, 0x55, 0x5e, 0xd6,
1244                               0x41, 0x97, 0x56, 0xb9, 0xa1, 0x5e, 0xc3, 0xe3,
1245                               0x20, 0x9b, 0x63, 0xdf, 0x70, 0x7d, 0xd5, 0x08,
1246                               0xd1, 0x45, 0x81, 0xf8, 0x98, 0x27, 0x21, 0xaf
1247                     }
1248           },
1249           {
1250                     "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
1251                     "ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ",
1252                     {
1253                               0xbe, 0xcb, 0x93, 0x86, 0x6b, 0xb8, 0xc3, 0x83,
1254                               0x2c, 0xb7, 0x77, 0xc2, 0xf5, 0x59, 0x80, 0x7c,
1255                               0x8c, 0x59, 0xaf, 0xcb, 0x6e, 0xae, 0x73, 0x48,
1256                               0x85, 0x00, 0x13, 0x00, 0xa9, 0x81, 0xcc, 0x62
1257                     }
1258           },
1259 };
1260 
1261 #define NUM_PASSPHRASE_TESTS ARRAY_SIZE(passphrase_tests)
1262 
1263 
1264 struct rfc6070_test {
1265           char *p;
1266           char *s;
1267           int c;
1268           char dk[32];
1269           size_t dk_len;
1270 };
1271 
1272 static const struct rfc6070_test rfc6070_tests[] =
1273 {
1274           {
1275                     "password",
1276                     "salt",
1277                     1,
1278                     {
1279                               0x0c, 0x60, 0xc8, 0x0f, 0x96, 0x1f, 0x0e, 0x71,
1280                               0xf3, 0xa9, 0xb5, 0x24, 0xaf, 0x60, 0x12, 0x06,
1281                               0x2f, 0xe0, 0x37, 0xa6
1282                     },
1283                     20
1284           },
1285           {
1286                     "password",
1287                     "salt",
1288                     2,
1289                     {
1290                               0xea, 0x6c, 0x01, 0x4d, 0xc7, 0x2d, 0x6f, 0x8c,
1291                               0xcd, 0x1e, 0xd9, 0x2a, 0xce, 0x1d, 0x41, 0xf0,
1292                               0xd8, 0xde, 0x89, 0x57
1293                     },
1294                     20
1295           },
1296           {
1297                     "password",
1298                     "salt",
1299                     4096,
1300                     {
1301                               0x4b, 0x00, 0x79, 0x01, 0xb7, 0x65, 0x48, 0x9a,
1302                               0xbe, 0xad, 0x49, 0xd9, 0x26, 0xf7, 0x21, 0xd0,
1303                               0x65, 0xa4, 0x29, 0xc1
1304                     },
1305                     20
1306           },
1307 #if 0 /* This takes quite long to derive.. */
1308           {
1309                     "password",
1310                     "salt",
1311                     16777216,
1312                     {
1313                               0xee, 0xfe, 0x3d, 0x61, 0xcd, 0x4d, 0xa4, 0xe4,
1314                               0xe9, 0x94, 0x5b, 0x3d, 0x6b, 0xa2, 0x15, 0x8c,
1315                               0x26, 0x34, 0xe9, 0x84
1316                     },
1317                     20
1318           },
1319 #endif
1320           {
1321                     "passwordPASSWORDpassword",
1322                     "saltSALTsaltSALTsaltSALTsaltSALTsalt",
1323                     4096,
1324                     {
1325                               0x3d, 0x2e, 0xec, 0x4f, 0xe4, 0x1c, 0x84, 0x9b,
1326                               0x80, 0xc8, 0xd8, 0x36, 0x62, 0xc0, 0xe4, 0x4a,
1327                               0x8b, 0x29, 0x1a, 0x96, 0x4c, 0xf2, 0xf0, 0x70,
1328                               0x38
1329                     },
1330                     25
1331           },
1332 #if 0 /* \0 not currently supported in passphrase parameters.. */
1333           {
1334                     "pass\0word",
1335                     "sa\0lt",
1336                     4096,
1337                     {
1338                               0x56, 0xfa, 0x6a, 0xa7, 0x55, 0x48, 0x09, 0x9d,
1339                               0xcc, 0x37, 0xd7, 0xf0, 0x34, 0x25, 0xe0, 0xc3
1340                     },
1341                     16
1342           },
1343 #endif
1344 };
1345 
1346 #define NUM_RFC6070_TESTS ARRAY_SIZE(rfc6070_tests)
1347 
1348 
test_sha1(void)1349 static int test_sha1(void)
1350 {
1351           u8 res[512];
1352           int ret = 0;
1353           unsigned int i;
1354 
1355           wpa_printf(MSG_INFO, "PRF-SHA1 test cases:");
1356 
1357           if (sha1_prf(key0, sizeof(key0), "prefix", data0, sizeof(data0) - 1,
1358                          res, sizeof(prf0)) == 0 &&
1359               os_memcmp(res, prf0, sizeof(prf0)) == 0)
1360                     wpa_printf(MSG_INFO, "Test case 0 - OK");
1361           else {
1362                     wpa_printf(MSG_INFO, "Test case 0 - FAILED!");
1363                     ret++;
1364           }
1365 
1366           if (sha1_prf(key1, sizeof(key1) - 1, "prefix", data1, sizeof(data1) - 1,
1367                          res, sizeof(prf1)) == 0 &&
1368               os_memcmp(res, prf1, sizeof(prf1)) == 0)
1369                     wpa_printf(MSG_INFO, "Test case 1 - OK");
1370           else {
1371                     wpa_printf(MSG_INFO, "Test case 1 - FAILED!");
1372                     ret++;
1373           }
1374 
1375           if (sha1_prf(key2, sizeof(key2), "prefix", data2, sizeof(data2),
1376                          res, sizeof(prf2)) == 0 &&
1377               os_memcmp(res, prf2, sizeof(prf2)) == 0)
1378                     wpa_printf(MSG_INFO, "Test case 2 - OK");
1379           else {
1380                     wpa_printf(MSG_INFO, "Test case 2 - FAILED!");
1381                     ret++;
1382           }
1383 
1384           ret += test_eap_fast();
1385 
1386           wpa_printf(MSG_INFO, "PBKDF2-SHA1 Passphrase test cases:");
1387           for (i = 0; i < NUM_PASSPHRASE_TESTS; i++) {
1388                     u8 psk[32];
1389                     const struct passphrase_test *test = &passphrase_tests[i];
1390 
1391                     if (pbkdf2_sha1(test->passphrase,
1392                                         (const u8 *) test->ssid, strlen(test->ssid),
1393                                         4096, psk, 32) == 0 &&
1394                         os_memcmp(psk, test->psk, 32) == 0)
1395                               wpa_printf(MSG_INFO, "Test case %d - OK", i);
1396                     else {
1397                               wpa_printf(MSG_INFO, "Test case %d - FAILED!", i);
1398                               ret++;
1399                     }
1400           }
1401 
1402           wpa_printf(MSG_INFO, "PBKDF2-SHA1 test cases (RFC 6070):");
1403           for (i = 0; i < NUM_RFC6070_TESTS; i++) {
1404                     u8 dk[25];
1405                     const struct rfc6070_test *test = &rfc6070_tests[i];
1406 
1407                     if (pbkdf2_sha1(test->p, (const u8 *) test->s, strlen(test->s),
1408                                         test->c, dk, test->dk_len) == 0 &&
1409                         os_memcmp(dk, test->dk, test->dk_len) == 0)
1410                               wpa_printf(MSG_INFO, "Test case %d - OK", i);
1411                     else {
1412                               wpa_printf(MSG_INFO, "Test case %d - FAILED!", i);
1413                               ret++;
1414                     }
1415           }
1416 
1417           if (!ret)
1418                     wpa_printf(MSG_INFO, "SHA1 test cases passed");
1419           return ret;
1420 }
1421 
1422 
1423 static const struct {
1424           char *data;
1425           u8 hash[32];
1426 } tests[] = {
1427           {
1428                     "abc",
1429                     {
1430                               0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea,
1431                               0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23,
1432                               0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c,
1433                               0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad
1434                     }
1435           },
1436           {
1437                     "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
1438                     {
1439                               0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8,
1440                               0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39,
1441                               0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67,
1442                               0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1
1443                     }
1444           }
1445 };
1446 
1447 static const struct hmac_test {
1448           u8 key[150];
1449           size_t key_len;
1450           u8 data[160];
1451           size_t data_len;
1452           u8 hash[32]; /* HMAC-SHA-256 */
1453           u8 hash384[48]; /* HMAC-SHA-384 */
1454 } hmac_tests[] = {
1455           /* draft-ietf-ipsec-ciph-sha-256-01.txt; RFC 4231 */
1456           {
1457                     {
1458                               0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
1459                               0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
1460                               0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
1461                               0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20
1462                     },
1463                     32,
1464                     "abc", 3,
1465                     {
1466                               0xa2, 0x1b, 0x1f, 0x5d, 0x4c, 0xf4, 0xf7, 0x3a,
1467                               0x4d, 0xd9, 0x39, 0x75, 0x0f, 0x7a, 0x06, 0x6a,
1468                               0x7f, 0x98, 0xcc, 0x13, 0x1c, 0xb1, 0x6a, 0x66,
1469                               0x92, 0x75, 0x90, 0x21, 0xcf, 0xab, 0x81, 0x81
1470                     },
1471                     { }
1472           },
1473           {
1474                     {
1475                               0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
1476                               0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
1477                               0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
1478                               0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20
1479                     },
1480                     32,
1481                     "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
1482                     56,
1483                     {
1484                               0x10, 0x4f, 0xdc, 0x12, 0x57, 0x32, 0x8f, 0x08,
1485                               0x18, 0x4b, 0xa7, 0x31, 0x31, 0xc5, 0x3c, 0xae,
1486                               0xe6, 0x98, 0xe3, 0x61, 0x19, 0x42, 0x11, 0x49,
1487                               0xea, 0x8c, 0x71, 0x24, 0x56, 0x69, 0x7d, 0x30
1488                     },
1489                     { }
1490           },
1491           {
1492                     {
1493                               0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
1494                               0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
1495                               0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
1496                               0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20
1497                     },
1498                     32,
1499                     "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
1500                     "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
1501                     112,
1502                     {
1503                               0x47, 0x03, 0x05, 0xfc, 0x7e, 0x40, 0xfe, 0x34,
1504                               0xd3, 0xee, 0xb3, 0xe7, 0x73, 0xd9, 0x5a, 0xab,
1505                               0x73, 0xac, 0xf0, 0xfd, 0x06, 0x04, 0x47, 0xa5,
1506                               0xeb, 0x45, 0x95, 0xbf, 0x33, 0xa9, 0xd1, 0xa3
1507                     },
1508                     { }
1509           },
1510           {
1511                     {
1512                               0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
1513                               0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
1514                               0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
1515                               0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b
1516                     },
1517                     32,
1518                     "Hi There",
1519                     8,
1520                     {
1521                               0x19, 0x8a, 0x60, 0x7e, 0xb4, 0x4b, 0xfb, 0xc6,
1522                               0x99, 0x03, 0xa0, 0xf1, 0xcf, 0x2b, 0xbd, 0xc5,
1523                               0xba, 0x0a, 0xa3, 0xf3, 0xd9, 0xae, 0x3c, 0x1c,
1524                               0x7a, 0x3b, 0x16, 0x96, 0xa0, 0xb6, 0x8c, 0xf7
1525                     },
1526                     { }
1527           },
1528           { /* RFC 4231 - Test Case 1 */
1529                     {
1530                               0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
1531                               0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
1532                               0x0b, 0x0b, 0x0b, 0x0b
1533                     },
1534                     20,
1535                     "Hi There",
1536                     8,
1537                     {
1538                               0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53,
1539                               0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b,
1540                               0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7,
1541                               0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7
1542                     },
1543                     {
1544                               0xaf, 0xd0, 0x39, 0x44, 0xd8, 0x48, 0x95, 0x62,
1545                               0x6b, 0x08, 0x25, 0xf4, 0xab, 0x46, 0x90, 0x7f,
1546                               0x15, 0xf9, 0xda, 0xdb, 0xe4, 0x10, 0x1e, 0xc6,
1547                               0x82, 0xaa, 0x03, 0x4c, 0x7c, 0xeb, 0xc5, 0x9c,
1548                               0xfa, 0xea, 0x9e, 0xa9, 0x07, 0x6e, 0xde, 0x7f,
1549                               0x4a, 0xf1, 0x52, 0xe8, 0xb2, 0xfa, 0x9c, 0xb6
1550                     }
1551           },
1552           { /* RFC 4231 - Test Case 2 */
1553                     "Jefe",
1554                     4,
1555                     "what do ya want for nothing?",
1556                     28,
1557                     {
1558                               0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e,
1559                               0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7,
1560                               0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83,
1561                               0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43
1562                     },
1563                     {
1564                               0xaf, 0x45, 0xd2, 0xe3, 0x76, 0x48, 0x40, 0x31,
1565                               0x61, 0x7f, 0x78, 0xd2, 0xb5, 0x8a, 0x6b, 0x1b,
1566                               0x9c, 0x7e, 0xf4, 0x64, 0xf5, 0xa0, 0x1b, 0x47,
1567                               0xe4, 0x2e, 0xc3, 0x73, 0x63, 0x22, 0x44, 0x5e,
1568                               0x8e, 0x22, 0x40, 0xca, 0x5e, 0x69, 0xe2, 0xc7,
1569                               0x8b, 0x32, 0x39, 0xec, 0xfa, 0xb2, 0x16, 0x49
1570                     }
1571           },
1572           {
1573                     {
1574                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1575                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1576                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1577                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa
1578                     },
1579                     32,
1580                     {
1581                               0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
1582                               0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
1583                               0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
1584                               0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
1585                               0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
1586                               0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
1587                               0xdd, 0xdd
1588                     },
1589                     50,
1590                     {
1591                               0xcd, 0xcb, 0x12, 0x20, 0xd1, 0xec, 0xcc, 0xea,
1592                               0x91, 0xe5, 0x3a, 0xba, 0x30, 0x92, 0xf9, 0x62,
1593                               0xe5, 0x49, 0xfe, 0x6c, 0xe9, 0xed, 0x7f, 0xdc,
1594                               0x43, 0x19, 0x1f, 0xbd, 0xe4, 0x5c, 0x30, 0xb0
1595                     },
1596                     { }
1597           },
1598           { /* RFC 4231 - Test Case 3 */
1599                     {
1600                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1601                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1602                               0xaa, 0xaa, 0xaa, 0xaa
1603                     },
1604                     20,
1605                     {
1606                               0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
1607                               0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
1608                               0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
1609                               0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
1610                               0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
1611                               0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
1612                               0xdd, 0xdd
1613                     },
1614                     50,
1615                     {
1616                               0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46,
1617                               0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7,
1618                               0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22,
1619                               0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe
1620                     },
1621                     {
1622                               0x88, 0x06, 0x26, 0x08, 0xd3, 0xe6, 0xad, 0x8a,
1623                               0x0a, 0xa2, 0xac, 0xe0, 0x14, 0xc8, 0xa8, 0x6f,
1624                               0x0a, 0xa6, 0x35, 0xd9, 0x47, 0xac, 0x9f, 0xeb,
1625                               0xe8, 0x3e, 0xf4, 0xe5, 0x59, 0x66, 0x14, 0x4b,
1626                               0x2a, 0x5a, 0xb3, 0x9d, 0xc1, 0x38, 0x14, 0xb9,
1627                               0x4e, 0x3a, 0xb6, 0xe1, 0x01, 0xa3, 0x4f, 0x27
1628                     }
1629           },
1630           {
1631                     {
1632                               0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
1633                               0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
1634                               0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
1635                               0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
1636                               0x21, 0x22, 0x23, 0x24, 0x25
1637                     },
1638                     37,
1639                     {
1640                               0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
1641                               0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
1642                               0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
1643                               0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
1644                               0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
1645                               0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
1646                               0xcd, 0xcd
1647                     },
1648                     50,
1649                     {
1650                               0xd4, 0x63, 0x3c, 0x17, 0xf6, 0xfb, 0x8d, 0x74,
1651                               0x4c, 0x66, 0xde, 0xe0, 0xf8, 0xf0, 0x74, 0x55,
1652                               0x6e, 0xc4, 0xaf, 0x55, 0xef, 0x07, 0x99, 0x85,
1653                               0x41, 0x46, 0x8e, 0xb4, 0x9b, 0xd2, 0xe9, 0x17
1654                     },
1655                     { }
1656           },
1657           { /* RFC 4231 - Test Case 4 */
1658                     {
1659                               0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
1660                               0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
1661                               0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
1662                               0x19,
1663                     },
1664                     25,
1665                     {
1666                               0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
1667                               0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
1668                               0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
1669                               0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
1670                               0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
1671                               0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
1672                               0xcd, 0xcd
1673                     },
1674                     50,
1675                     {
1676                               0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e,
1677                               0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a,
1678                               0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07,
1679                               0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b
1680                     },
1681                     {
1682                               0x3e, 0x8a, 0x69, 0xb7, 0x78, 0x3c, 0x25, 0x85,
1683                               0x19, 0x33, 0xab, 0x62, 0x90, 0xaf, 0x6c, 0xa7,
1684                               0x7a, 0x99, 0x81, 0x48, 0x08, 0x50, 0x00, 0x9c,
1685                               0xc5, 0x57, 0x7c, 0x6e, 0x1f, 0x57, 0x3b, 0x4e,
1686                               0x68, 0x01, 0xdd, 0x23, 0xc4, 0xa7, 0xd6, 0x79,
1687                               0xcc, 0xf8, 0xa3, 0x86, 0xc6, 0x74, 0xcf, 0xfb
1688                     }
1689           },
1690           {
1691                     {
1692                               0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c,
1693                               0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c,
1694                               0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c,
1695                               0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c
1696                     },
1697                     32,
1698                     "Test With Truncation",
1699                     20,
1700                     {
1701                               0x75, 0x46, 0xaf, 0x01, 0x84, 0x1f, 0xc0, 0x9b,
1702                               0x1a, 0xb9, 0xc3, 0x74, 0x9a, 0x5f, 0x1c, 0x17,
1703                               0xd4, 0xf5, 0x89, 0x66, 0x8a, 0x58, 0x7b, 0x27,
1704                               0x00, 0xa9, 0xc9, 0x7c, 0x11, 0x93, 0xcf, 0x42
1705                     },
1706                     { }
1707           },
1708           {
1709                     {
1710                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1711                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1712                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1713                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1714                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1715                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1716                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1717                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1718                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1719                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa
1720                     },
1721                     80,
1722                     "Test Using Larger Than Block-Size Key - Hash Key First",
1723                     54,
1724                     {
1725                               0x69, 0x53, 0x02, 0x5e, 0xd9, 0x6f, 0x0c, 0x09,
1726                               0xf8, 0x0a, 0x96, 0xf7, 0x8e, 0x65, 0x38, 0xdb,
1727                               0xe2, 0xe7, 0xb8, 0x20, 0xe3, 0xdd, 0x97, 0x0e,
1728                               0x7d, 0xdd, 0x39, 0x09, 0x1b, 0x32, 0x35, 0x2f
1729                     },
1730                     { }
1731           },
1732           { /* RFC 4231 - Test Case 6 */
1733                     {
1734                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1735                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1736                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1737                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1738                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1739                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1740                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1741                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1742                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1743                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1744                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1745                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1746                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1747                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1748                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1749                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1750                               0xaa, 0xaa, 0xaa
1751                     },
1752                     131,
1753                     "Test Using Larger Than Block-Size Key - Hash Key First",
1754                     54,
1755                     {
1756                               0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f,
1757                               0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f,
1758                               0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14,
1759                               0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54
1760                     },
1761                     {
1762                               0x4e, 0xce, 0x08, 0x44, 0x85, 0x81, 0x3e, 0x90,
1763                               0x88, 0xd2, 0xc6, 0x3a, 0x04, 0x1b, 0xc5, 0xb4,
1764                               0x4f, 0x9e, 0xf1, 0x01, 0x2a, 0x2b, 0x58, 0x8f,
1765                               0x3c, 0xd1, 0x1f, 0x05, 0x03, 0x3a, 0xc4, 0xc6,
1766                               0x0c, 0x2e, 0xf6, 0xab, 0x40, 0x30, 0xfe, 0x82,
1767                               0x96, 0x24, 0x8d, 0xf1, 0x63, 0xf4, 0x49, 0x52
1768                     }
1769           },
1770           {
1771                     {
1772                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1773                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1774                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1775                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1776                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1777                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1778                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1779                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1780                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1781                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa
1782                     },
1783                     80,
1784                     "Test Using Larger Than Block-Size Key and Larger Than One "
1785                     "Block-Size Data",
1786                     73,
1787                     {
1788                               0x63, 0x55, 0xac, 0x22, 0xe8, 0x90, 0xd0, 0xa3,
1789                               0xc8, 0x48, 0x1a, 0x5c, 0xa4, 0x82, 0x5b, 0xc8,
1790                               0x84, 0xd3, 0xe7, 0xa1, 0xff, 0x98, 0xa2, 0xfc,
1791                               0x2a, 0xc7, 0xd8, 0xe0, 0x64, 0xc3, 0xb2, 0xe6
1792                     },
1793                     { }
1794           },
1795           { /* RFC 4231 - Test Case 7 */
1796                     {
1797                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1798                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1799                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1800                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1801                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1802                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1803                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1804                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1805                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1806                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1807                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1808                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1809                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1810                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1811                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1812                               0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1813                               0xaa, 0xaa, 0xaa
1814                     },
1815                     131,
1816                     "This is a test using a larger than block-size key and a larger than block-size data. The key needs to be hashed before being used by the HMAC algorithm.",
1817                     152,
1818                     {
1819                               0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb,
1820                               0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44,
1821                               0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93,
1822                               0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2
1823                     },
1824                     {
1825                               0x66, 0x17, 0x17, 0x8e, 0x94, 0x1f, 0x02, 0x0d,
1826                               0x35, 0x1e, 0x2f, 0x25, 0x4e, 0x8f, 0xd3, 0x2c,
1827                               0x60, 0x24, 0x20, 0xfe, 0xb0, 0xb8, 0xfb, 0x9a,
1828                               0xdc, 0xce, 0xbb, 0x82, 0x46, 0x1e, 0x99, 0xc5,
1829                               0xa6, 0x78, 0xcc, 0x31, 0xe7, 0x99, 0x17, 0x6d,
1830                               0x38, 0x60, 0xe6, 0x11, 0x0c, 0x46, 0x52, 0x3e
1831                     }
1832           }
1833 };
1834 
1835 
test_sha256(void)1836 static int test_sha256(void)
1837 {
1838           unsigned int i;
1839           u8 hash[32];
1840           const u8 *addr[2];
1841           size_t len[2];
1842           int errors = 0;
1843           u8 *key;
1844 
1845           for (i = 0; i < ARRAY_SIZE(tests); i++) {
1846                     wpa_printf(MSG_INFO, "SHA256 test case %d:", i + 1);
1847 
1848                     addr[0] = (u8 *) tests[i].data;
1849                     len[0] = strlen(tests[i].data);
1850                     sha256_vector(1, addr, len, hash);
1851                     if (memcmp(hash, tests[i].hash, 32) != 0) {
1852                               wpa_printf(MSG_INFO, " FAIL");
1853                               errors++;
1854                     } else
1855                               wpa_printf(MSG_INFO, " OK");
1856 
1857                     if (len[0]) {
1858                               addr[0] = (u8 *) tests[i].data;
1859                               len[0] = 1;
1860                               addr[1] = (u8 *) tests[i].data + 1;
1861                               len[1] = strlen(tests[i].data) - 1;
1862                               sha256_vector(2, addr, len, hash);
1863                               if (memcmp(hash, tests[i].hash, 32) != 0) {
1864                                         wpa_printf(MSG_INFO, " FAIL");
1865                                         errors++;
1866                               } else
1867                                         wpa_printf(MSG_INFO, " OK");
1868                     }
1869           }
1870 
1871           for (i = 0; i < ARRAY_SIZE(hmac_tests); i++) {
1872                     const struct hmac_test *t = &hmac_tests[i];
1873 
1874                     wpa_printf(MSG_INFO, "HMAC-SHA256 test case %d:", i + 1);
1875 
1876                     if (hmac_sha256(t->key, t->key_len, t->data, t->data_len,
1877                                         hash) < 0 ||
1878                         os_memcmp(hash, t->hash, 32) != 0) {
1879                               wpa_printf(MSG_INFO, " FAIL");
1880                               errors++;
1881                     } else
1882                               wpa_printf(MSG_INFO, " OK");
1883 
1884                     addr[0] = t->data;
1885                     len[0] = t->data_len;
1886                     if (hmac_sha256_vector(t->key, t->key_len, 1, addr, len,
1887                                                hash) < 0 ||
1888                         os_memcmp(hash, t->hash, 32) != 0) {
1889                               wpa_printf(MSG_INFO, " FAIL");
1890                               errors++;
1891                     } else
1892                               wpa_printf(MSG_INFO, " OK");
1893 
1894                     if (len[0]) {
1895                               addr[0] = t->data;
1896                               len[0] = 1;
1897                               addr[1] = t->data + 1;
1898                               len[1] = t->data_len - 1;
1899                               if (hmac_sha256_vector(t->key, t->key_len, 2, addr, len,
1900                                                          hash) < 0 ||
1901                                   os_memcmp(hash, t->hash, 32) != 0) {
1902                                         wpa_printf(MSG_INFO, " FAIL");
1903                                         errors++;
1904                               } else
1905                                         wpa_printf(MSG_INFO, " OK");
1906                     }
1907           }
1908 
1909           wpa_printf(MSG_INFO, "Test IEEE 802.11r KDF");
1910           sha256_prf((u8 *) "abc", 3, "KDF test", (u8 *) "data", 4,
1911                        hash, sizeof(hash));
1912           /* TODO: add proper test case for this */
1913 
1914           key = os_malloc(8161);
1915           if (key) {
1916 #ifdef CONFIG_HMAC_SHA256_KDF
1917                     int res;
1918 
1919                     res = hmac_sha256_kdf((u8 *) "secret", 6, "label",
1920                                               (u8 *) "seed", 4, key, 8160);
1921                     if (res) {
1922                               wpa_printf(MSG_INFO,
1923                                            "Unexpected hmac_sha256_kdf(outlen=8160) failure");
1924                               errors++;
1925                     }
1926 
1927                     res = hmac_sha256_kdf((u8 *) "secret", 6, "label",
1928                                               (u8 *) "seed", 4, key, 8161);
1929                     if (res == 0) {
1930                               wpa_printf(MSG_INFO,
1931                                            "Unexpected hmac_sha256_kdf(outlen=8161) success");
1932                               errors++;
1933                     }
1934 #endif /* CONFIG_HMAC_SHA256_KDF */
1935 
1936                     os_free(key);
1937           }
1938 
1939           if (!errors)
1940                     wpa_printf(MSG_INFO, "SHA256 test cases passed");
1941           return errors;
1942 }
1943 
1944 
test_sha384(void)1945 static int test_sha384(void)
1946 {
1947 #ifdef CONFIG_SHA384
1948           unsigned int i;
1949           u8 hash[48];
1950           const u8 *addr[2];
1951           size_t len[2];
1952           int errors = 0;
1953           const char *data = "hello";
1954           const u8 hash_res[] = {
1955                     0x59, 0xe1, 0x74, 0x87, 0x77, 0x44, 0x8c, 0x69,
1956                     0xde, 0x6b, 0x80, 0x0d, 0x7a, 0x33, 0xbb, 0xfb,
1957                     0x9f, 0xf1, 0xb4, 0x63, 0xe4, 0x43, 0x54, 0xc3,
1958                     0x55, 0x3b, 0xcd, 0xb9, 0xc6, 0x66, 0xfa, 0x90,
1959                     0x12, 0x5a, 0x3c, 0x79, 0xf9, 0x03, 0x97, 0xbd,
1960                     0xf5, 0xf6, 0xa1, 0x3d, 0xe8, 0x28, 0x68, 0x4f
1961           };
1962 
1963           addr[0] = (const u8 *) data;
1964           len[0] = 5;
1965           if (sha384_vector(1, addr, len, hash) < 0 ||
1966               os_memcmp(hash, hash_res, 48) != 0) {
1967                     wpa_printf(MSG_INFO, "SHA384 test case 1: FAIL");
1968                     errors++;
1969           } else {
1970                     wpa_printf(MSG_INFO, "SHA384 test case 1: OK");
1971           }
1972 
1973           addr[0] = (const u8 *) data;
1974           len[0] = 4;
1975           addr[1] = (const u8 *) data + 4;
1976           len[1] = 1;
1977           if (sha384_vector(2, addr, len, hash) < 0 ||
1978               os_memcmp(hash, hash_res, 48) != 0) {
1979                     wpa_printf(MSG_INFO, "SHA384 test case 2: FAIL");
1980                     errors++;
1981           } else {
1982                     wpa_printf(MSG_INFO, "SHA384 test case 2: OK");
1983           }
1984 
1985           for (i = 0; i < ARRAY_SIZE(hmac_tests); i++) {
1986                     const struct hmac_test *t = &hmac_tests[i];
1987 
1988                     if (t->hash384[0] == 0 && t->hash384[1] == 0 &&
1989                         t->hash384[2] == 0 && t->hash384[3] == 0)
1990                               continue;
1991                     wpa_printf(MSG_INFO, "HMAC-SHA384 test case %d:", i + 1);
1992 
1993                     if (hmac_sha384(t->key, t->key_len, t->data, t->data_len,
1994                                         hash) < 0 ||
1995                         os_memcmp(hash, t->hash384, 48) != 0) {
1996                               wpa_printf(MSG_INFO, " FAIL");
1997                               errors++;
1998                     } else
1999                               wpa_printf(MSG_INFO, " OK");
2000 
2001                     addr[0] = t->data;
2002                     len[0] = t->data_len;
2003                     if (hmac_sha384_vector(t->key, t->key_len, 1, addr, len,
2004                                                hash) < 0 ||
2005                         os_memcmp(hash, t->hash384, 48) != 0) {
2006                               wpa_printf(MSG_INFO, " FAIL");
2007                               errors++;
2008                     } else
2009                               wpa_printf(MSG_INFO, " OK");
2010 
2011                     if (len[0]) {
2012                               addr[0] = t->data;
2013                               len[0] = 1;
2014                               addr[1] = t->data + 1;
2015                               len[1] = t->data_len - 1;
2016                               if (hmac_sha384_vector(t->key, t->key_len, 2, addr, len,
2017                                                          hash) < 0 ||
2018                                   os_memcmp(hash, t->hash384, 48) != 0) {
2019                                         wpa_printf(MSG_INFO, " FAIL");
2020                                         errors++;
2021                               } else
2022                                         wpa_printf(MSG_INFO, " OK");
2023                     }
2024           }
2025 
2026           if (!errors)
2027                     wpa_printf(MSG_INFO, "SHA384 test cases passed");
2028           return errors;
2029 #else /* CONFIG_SHA384 */
2030           return 0;
2031 #endif /* CONFIG_SHA384 */
2032 }
2033 
2034 
test_fips186_2_prf(void)2035 static int test_fips186_2_prf(void)
2036 {
2037           /* http://csrc.nist.gov/encryption/dss/Examples-1024bit.pdf */
2038           u8 xkey[] = {
2039                     0xbd, 0x02, 0x9b, 0xbe, 0x7f, 0x51, 0x96, 0x0b,
2040                     0xcf, 0x9e, 0xdb, 0x2b, 0x61, 0xf0, 0x6f, 0x0f,
2041                     0xeb, 0x5a, 0x38, 0xb6
2042           };
2043           u8 w[] = {
2044                     0x20, 0x70, 0xb3, 0x22, 0x3d, 0xba, 0x37, 0x2f,
2045                     0xde, 0x1c, 0x0f, 0xfc, 0x7b, 0x2e, 0x3b, 0x49,
2046                     0x8b, 0x26, 0x06, 0x14, 0x3c, 0x6c, 0x18, 0xba,
2047                     0xcb, 0x0f, 0x6c, 0x55, 0xba, 0xbb, 0x13, 0x78,
2048                     0x8e, 0x20, 0xd7, 0x37, 0xa3, 0x27, 0x51, 0x16
2049           };
2050           u8 buf[40];
2051 
2052           wpa_printf(MSG_INFO,
2053                        "Testing EAP-SIM PRF (FIPS 186-2 + change notice 1)");
2054           if (fips186_2_prf(xkey, sizeof(xkey), buf, sizeof(buf)) < 0 ||
2055               os_memcmp(w, buf, sizeof(w)) != 0) {
2056                     wpa_printf(MSG_INFO, "fips186_2_prf failed");
2057                     return 1;
2058           }
2059 
2060           return 0;
2061 }
2062 
2063 
test_extract_expand_hkdf(void)2064 static int test_extract_expand_hkdf(void)
2065 {
2066           u8 prk[SHA256_MAC_LEN];
2067           u8 okm[82];
2068 
2069           /* RFC 5869, A.1 */
2070           u8 ikm1[22] = {
2071                     0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
2072                     0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
2073                     0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b
2074           };
2075           u8 salt1[13] = {
2076                     0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
2077                     0x08, 0x09, 0x0a, 0x0b, 0x0c
2078           };
2079           u8 info1[10] = {
2080                     0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
2081                     0xf8, 0xf9
2082           };
2083           u8 prk1[32] = {
2084                     0x07, 0x77, 0x09, 0x36, 0x2c, 0x2e, 0x32, 0xdf,
2085                     0x0d, 0xdc, 0x3f, 0x0d, 0xc4, 0x7b, 0xba, 0x63,
2086                     0x90, 0xb6, 0xc7, 0x3b, 0xb5, 0x0f, 0x9c, 0x31,
2087                     0x22, 0xec, 0x84, 0x4a, 0xd7, 0xc2, 0xb3, 0xe5
2088           };
2089           u8 okm1[42] = {
2090                     0x3c, 0xb2, 0x5f, 0x25, 0xfa, 0xac, 0xd5, 0x7a,
2091                     0x90, 0x43, 0x4f, 0x64, 0xd0, 0x36, 0x2f, 0x2a,
2092                     0x2d, 0x2d, 0x0a, 0x90, 0xcf, 0x1a, 0x5a, 0x4c,
2093                     0x5d, 0xb0, 0x2d, 0x56, 0xec, 0xc4, 0xc5, 0xbf,
2094                     0x34, 0x00, 0x72, 0x08, 0xd5, 0xb8, 0x87, 0x18,
2095                     0x58, 0x65
2096           };
2097 
2098           /* RFC 5869, A.2 */
2099           u8 ikm2[80] = {
2100                     0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
2101                     0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
2102                     0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
2103                     0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
2104                     0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
2105                     0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
2106                     0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
2107                     0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f,
2108                     0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
2109                     0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f
2110           };
2111           u8 salt2[80] = {
2112                     0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
2113                     0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
2114                     0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77,
2115                     0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f,
2116                     0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
2117                     0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
2118                     0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
2119                     0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f,
2120                     0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7,
2121                     0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf
2122           };
2123           u8 info2[80] = {
2124                     0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7,
2125                     0xb8, 0xb9, 0xba, 0xbb, 0xbc, 0xbd, 0xbe, 0xbf,
2126                     0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7,
2127                     0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf,
2128                     0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7,
2129                     0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf,
2130                     0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7,
2131                     0xe8, 0xe9, 0xea, 0xeb, 0xec, 0xed, 0xee, 0xef,
2132                     0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
2133                     0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff
2134           };
2135           u8 prk2[32] = {
2136                     0x06, 0xa6, 0xb8, 0x8c, 0x58, 0x53, 0x36, 0x1a,
2137                     0x06, 0x10, 0x4c, 0x9c, 0xeb, 0x35, 0xb4, 0x5c,
2138                     0xef, 0x76, 0x00, 0x14, 0x90, 0x46, 0x71, 0x01,
2139                     0x4a, 0x19, 0x3f, 0x40, 0xc1, 0x5f, 0xc2, 0x44
2140           };
2141           u8 okm2[82] = {
2142                     0xb1, 0x1e, 0x39, 0x8d, 0xc8, 0x03, 0x27, 0xa1,
2143                     0xc8, 0xe7, 0xf7, 0x8c, 0x59, 0x6a, 0x49, 0x34,
2144                     0x4f, 0x01, 0x2e, 0xda, 0x2d, 0x4e, 0xfa, 0xd8,
2145                     0xa0, 0x50, 0xcc, 0x4c, 0x19, 0xaf, 0xa9, 0x7c,
2146                     0x59, 0x04, 0x5a, 0x99, 0xca, 0xc7, 0x82, 0x72,
2147                     0x71, 0xcb, 0x41, 0xc6, 0x5e, 0x59, 0x0e, 0x09,
2148                     0xda, 0x32, 0x75, 0x60, 0x0c, 0x2f, 0x09, 0xb8,
2149                     0x36, 0x77, 0x93, 0xa9, 0xac, 0xa3, 0xdb, 0x71,
2150                     0xcc, 0x30, 0xc5, 0x81, 0x79, 0xec, 0x3e, 0x87,
2151                     0xc1, 0x4c, 0x01, 0xd5, 0xc1, 0xf3, 0x43, 0x4f,
2152                     0x1d, 0x87
2153           };
2154 
2155           wpa_printf(MSG_INFO, "Testing Extract-and-Expand HKDF (RFC 5869)");
2156 
2157           wpa_printf(MSG_INFO, "RFC 5869 - Test Case 1");
2158           if (hmac_sha256(salt1, sizeof(salt1), ikm1, sizeof(ikm1), prk) < 0)
2159                     return -1;
2160           if (os_memcmp(prk, prk1, SHA256_MAC_LEN) != 0) {
2161                     wpa_printf(MSG_INFO, "HKDF-Extract mismatch in PRK");
2162                     return -1;
2163           }
2164           if (hmac_sha256_kdf(prk1, sizeof(prk1), NULL, info1, sizeof(info1),
2165                                   okm, sizeof(okm1)) < 0)
2166                     return -1;
2167           if (os_memcmp(okm, okm1, sizeof(okm1)) != 0) {
2168                     wpa_printf(MSG_INFO, "HKDF-Expand mismatch in OKM");
2169                     return -1;
2170           }
2171 
2172           wpa_printf(MSG_INFO, "RFC 5869 - Test Case 2");
2173           if (hmac_sha256(salt2, sizeof(salt2), ikm2, sizeof(ikm2), prk) < 0)
2174                     return -1;
2175           if (os_memcmp(prk, prk2, SHA256_MAC_LEN) != 0) {
2176                     wpa_printf(MSG_INFO, "HKDF-Extract mismatch in PRK");
2177                     return -1;
2178           }
2179           if (hmac_sha256_kdf(prk2, sizeof(prk2), NULL, info2, sizeof(info2),
2180                                   okm, sizeof(okm2)) < 0)
2181                     return -1;
2182           if (os_memcmp(okm, okm2, sizeof(okm2)) != 0) {
2183                     wpa_printf(MSG_INFO, "HKDF-Expand mismatch in OKM");
2184                     return -1;
2185           }
2186 
2187           wpa_printf(MSG_INFO, "Extract-and-Expand HKDF test cases passed");
2188 
2189           return 0;
2190 }
2191 
2192 
2193 #ifdef CONFIG_DPP3
2194 
2195 static const struct hpke_test {
2196           const char *name;
2197           enum hpke_mode mode;
2198           enum hpke_kem_id kem_id;
2199           enum hpke_kdf_id kdf_id;
2200           enum hpke_aead_id aead_id;
2201           const char *info;
2202           int sk_r_group;
2203           const char *pk_r;
2204           const char *sk_r;
2205           const char *enc;
2206           const char *pt;
2207           const char *aad;
2208           const char *ct;
2209 } hpke_tests[] = {
2210           {
2211                     .name = "A.3. DHKEM(P-256, HKDF-SHA256), HKDF-SHA256, AES-128-GCM",
2212                     .mode = HPKE_MODE_BASE,
2213                     .kem_id = HPKE_DHKEM_P256_HKDF_SHA256,
2214                     .kdf_id = HPKE_KDF_HKDF_SHA256,
2215                     .aead_id = HPKE_AEAD_AES_128_GCM,
2216                     .info = "4f6465206f6e2061204772656369616e2055726e",
2217                     .sk_r_group = 19,
2218                     .pk_r = "04fe8c19ce0905191ebc298a9245792531f26f0cece2460639e8bc39cb7f706a826a779b4cf969b8a0e539c7f62fb3d30ad6aa8f80e30f1d128aafd68a2ce72ea0",
2219                     .sk_r = "f3ce7fdae57e1a310d87f1ebbde6f328be0a99cdbcadf4d6589cf29de4b8ffd2",
2220                     .enc = "04a92719c6195d5085104f469a8b9814d5838ff72b60501e2c4466e5e67b325ac98536d7b61a1af4b78e5b7f951c0900be863c403ce65c9bfcb9382657222d18c4",
2221                     .pt = "4265617574792069732074727574682c20747275746820626561757479",
2222                     .aad = "436f756e742d30",
2223                     .ct = "5ad590bb8baa577f8619db35a36311226a896e7342a6d836d8b7bcd2f20b6c7f9076ac232e3ab2523f39513434",
2224           },
2225           {
2226                     .name = "A.4. DHKEM(P-256, HKDF-SHA256), HKDF-SHA512, AES-128-GCM",
2227                     .mode = HPKE_MODE_BASE,
2228                     .kem_id = HPKE_DHKEM_P256_HKDF_SHA256,
2229                     .kdf_id = HPKE_KDF_HKDF_SHA512,
2230                     .aead_id = HPKE_AEAD_AES_128_GCM,
2231                     .info = "4f6465206f6e2061204772656369616e2055726e",
2232                     .sk_r_group = 19,
2233                     .pk_r = "04085aa5b665dc3826f9650ccbcc471be268c8ada866422f739e2d531d4a8818a9466bc6b449357096232919ec4fe9070ccbac4aac30f4a1a53efcf7af90610edd",
2234                     .sk_r = "3ac8530ad1b01885960fab38cf3cdc4f7aef121eaa239f222623614b4079fb38",
2235                     .enc = "0493ed86735bdfb978cc055c98b45695ad7ce61ce748f4dd63c525a3b8d53a15565c6897888070070c1579db1f86aaa56deb8297e64db7e8924e72866f9a472580",
2236                     .pt = "4265617574792069732074727574682c20747275746820626561757479",
2237                     .aad = "436f756e742d30",
2238                     .ct = "d3cf4984931484a080f74c1bb2a6782700dc1fef9abe8442e44a6f09044c88907200b332003543754eb51917ba",
2239           },
2240           {
2241                     .name = "A.6. DHKEM(P-521, HKDF-SHA512), HKDF-SHA512, AES-256-GCM",
2242                     .mode = HPKE_MODE_BASE,
2243                     .kem_id = HPKE_DHKEM_P521_HKDF_SHA512,
2244                     .kdf_id = HPKE_KDF_HKDF_SHA512,
2245                     .aead_id = HPKE_AEAD_AES_256_GCM,
2246                     .info = "4f6465206f6e2061204772656369616e2055726e",
2247                     .sk_r_group = 21,
2248                     .pk_r = "0401b45498c1714e2dce167d3caf162e45e0642afc7ed435df7902ccae0e84ba0f7d373f646b7738bbbdca11ed91bdeae3cdcba3301f2457be452f271fa6837580e661012af49583a62e48d44bed350c7118c0d8dc861c238c72a2bda17f64704f464b57338e7f40b60959480c0e58e6559b190d81663ed816e523b6b6a418f66d2451ec64",
2249                     .sk_r = "01462680369ae375e4b3791070a7458ed527842f6a98a79ff5e0d4cbde83c27196a3916956655523a6a2556a7af62c5cadabe2ef9da3760bb21e005202f7b2462847",
2250                     .enc = "040138b385ca16bb0d5fa0c0665fbbd7e69e3ee29f63991d3e9b5fa740aab8900aaeed46ed73a49055758425a0ce36507c54b29cc5b85a5cee6bae0cf1c21f2731ece2013dc3fb7c8d21654bb161b463962ca19e8c654ff24c94dd2898de12051f1ed0692237fb02b2f8d1dc1c73e9b366b529eb436e98a996ee522aef863dd5739d2f29b0",
2251                     .pt = "4265617574792069732074727574682c20747275746820626561757479",
2252                     .aad = "436f756e742d30",
2253                     .ct = "170f8beddfe949b75ef9c387e201baf4132fa7374593dfafa90768788b7b2b200aafcc6d80ea4c795a7c5b841a",
2254           },
2255           { /* self-generated test vector for P-384 */
2256                     .name = "custom DHKEM(P-384, HKDF-SHA384), HKDF-SHA384, AES-256-GCM",
2257                     .mode = HPKE_MODE_BASE,
2258                     .kem_id = HPKE_DHKEM_P384_HKDF_SHA384,
2259                     .kdf_id = HPKE_KDF_HKDF_SHA384,
2260                     .aead_id = HPKE_AEAD_AES_256_GCM,
2261                     .info = "4f6465206f6e2061204772656369616e2055726e",
2262                     .sk_r_group = 20,
2263                     .pk_r = "049c0e4dcbbb3c80715cafaa1839d0bc3c3adcc95eb8062f84175f9c3cec115e6b799061c65a0605907785c25b3571564706a8ba6a204452b38c7c205db17d328f2353df05d5f1c568e7503331178c36c2d37bbed48401295407face3f8dae5ed8",
2264                     .sk_r = "cabffb07d20ffcfdaa043e1de49e1654659e0f0aba5de56523e8b73dc80c579a9e5c89ed3810ec21c4bafcf74ad2a245",
2265                     .enc = "04b30bea96d0e51582033b02a4d676d0464a5eb2d858be86cda1c4e6f8b2aa9fb80f5365483f781b1b3a8b3b8efd50b0f7bca16f06d0435fa3da1d671ea0a318b40fe170a074923c651e5dc824966b7b98d0e36bdf932875dae7130369a793cecc",
2266                     .pt = "4265617574792069732074727574682c20747275746820626561757479",
2267                     .aad = "436f756e742d30",
2268                     .ct = "ae7feccfea0f8fcd620d15369a28db8701cdc90d55c20efff6296bd441697b0da34671d1f3c4864183e86d27fc",
2269           },
2270           { /* self-generated test vector for BP-256 */
2271                     .name = "custom PB-256 using DHKEM(P-256, HKDF-SHA256), HKDF-SHA256, AES-128-GCM",
2272                     .mode = HPKE_MODE_BASE,
2273                     .kem_id = HPKE_DHKEM_P256_HKDF_SHA256,
2274                     .kdf_id = HPKE_KDF_HKDF_SHA256,
2275                     .aead_id = HPKE_AEAD_AES_128_GCM,
2276                     .info = "4f6465206f6e2061204772656369616e2055726e",
2277                     .sk_r_group = 28,
2278                     .pk_r = "04a2cb9c4cae90cdc1c27516e9f84b6b166e4b1dcc517286268239ddb0bf74cca6390fed092ac4423ab2192b8bb41a4824d908d2053b93fc813830bebac5ce19b9",
2279                     .sk_r = "11d9db41c4341166ca52f5a1775595c0bdb4934350daeb7bce659c4b7a40e314",
2280                     .enc = "047a25e309c7ee50ec27f13d44734a3ccd8c703e3affcc728513df416511ef9bf02f5e7750e7415de8b5f306ebd3fc88ea9b9368523eb1733a8d82c1a877e5a0f4",
2281                     .pt = "4265617574792069732074727574682c20747275746820626561757479",
2282                     .aad = "436f756e742d30",
2283                     .ct = "17c84b3f07f6ffe08ff2be45c709ea782229504aa5b2253876725c6c39f8d8c992304fc5877994f79d6c10d462",
2284           },
2285           { /* self-generated test vector for BP-384 */
2286                     .name = "custom PB-384 using DHKEM(P-384, HKDF-SHA384), HKDF-SHA384, AES-256-GCM",
2287                     .mode = HPKE_MODE_BASE,
2288                     .kem_id = HPKE_DHKEM_P384_HKDF_SHA384,
2289                     .kdf_id = HPKE_KDF_HKDF_SHA384,
2290                     .aead_id = HPKE_AEAD_AES_256_GCM,
2291                     .info = "4f6465206f6e2061204772656369616e2055726e",
2292                     .sk_r_group = 29,
2293                     .pk_r = "041f4199ad28835908079c45d165d55630098be53eb4beede9921f5b2204fa396111f99ac54c56411f7cb2c43ec18d8e604d895027228cf975f5a4b598f189d8fb03e3fefe020258c40d4d1b15fd7587d209925d67a41f9659a8ed6f662fb441e4",
2294                     .sk_r = "7017cf8a5a9a81ad4e0d755ccbea27a378b787561f8d5662639850805fefcbaab6b9a15729872abb7dc53d19a6cf77e4",
2295                     .enc = "0415d49dedc5bc1ffe9f8de9022c266bb605ec6cd7b77b6ce68974095398856f8aefa4b7abbfbd496b99a2dda3a9c65f1a71b9d40255aa1c7c4205a8b4ef611b96ed29fd2d7b0cde4c0e82058805e6276025cc4fc606f6e5771c31bd9704e9ba0b",
2296                     .pt = "4265617574792069732074727574682c20747275746820626561757479",
2297                     .aad = "436f756e742d30",
2298                     .ct = "5f5e9f82bedadec0e9b01a1b304cb48b05c0d6d397b1c8a95ed541218ec54f634a41cbc4066910a409e47b254e",
2299           },
2300           { /* self-generated test vector for BP-512 */
2301                     .name = "custom PB-512 using DHKEM(P-521, HKDF-SHA512), HKDF-SHA512, AES-256-GCM",
2302                     .mode = HPKE_MODE_BASE,
2303                     .kem_id = HPKE_DHKEM_P521_HKDF_SHA512,
2304                     .kdf_id = HPKE_KDF_HKDF_SHA512,
2305                     .aead_id = HPKE_AEAD_AES_256_GCM,
2306                     .info = "4f6465206f6e2061204772656369616e2055726e",
2307                     .sk_r_group = 30,
2308                     .pk_r = "049e81046a531365a3b5215ac37e7b38f5fa34f86c4eb2e03113b197390a26c555bb007596e131c2541f336eb24a45f44283b5b53fedddfa5642675602fdec17d34120a35efffb44952e32dee7732f2f3245c3314269996b610703a63fb8555a75ca5092690a1125ae8712c1e31fd77aee42bd052e71f9f9459814d6f4065bcea0",
2309                     .sk_r = "483b6882608182b296843fa7dfffbdd61ed0372574d4aa32a035c8e33a493927aaf00d42bd9124ebe4df26010b38124668c02b35a749e74845d565734310cfe9",
2310                     .enc = "04158d18473aeb3b283d3345b1a87d3de2b192ff9e41b5a98f91daacfb24be72e698cbc04c33078681e507bf346c0ea70c927083a22ca9ea027f420067ee42285b798d95fea51002d097ce28371883202bfd300fb64943669e32c6f1a348087368bb480b757892ebd199a9389978c92cbc44076626d705a771fbbd90c030a6767e",
2311                     .pt = "4265617574792069732074727574682c20747275746820626561757479",
2312                     .aad = "436f756e742d30",
2313                     .ct = "033d91c4514857da5b833635180c1acc09f175cbf44777a7b71e177705cfd17437b1c85d671dd767bb4fe20e2e",
2314           },
2315 };
2316 
2317 
run_hpke_test(const struct hpke_test * test)2318 static int run_hpke_test(const struct hpke_test *test)
2319 {
2320           struct wpabuf *info, *pk_r, *sk_r, *enc, *pt, *aad, *ct;
2321           struct wpabuf *res_pt = NULL, *enc_ct = NULL, *res_ct = NULL;
2322           struct crypto_ec_key *own_priv = NULL, *peer_pub = NULL;
2323           int res = -1;
2324           size_t coord_len;
2325 
2326           wpa_printf(MSG_INFO, "- %s", test->name);
2327 
2328           info = wpabuf_parse_bin(test->info);
2329           pk_r = wpabuf_parse_bin(test->pk_r);
2330           sk_r = wpabuf_parse_bin(test->sk_r);
2331           enc = wpabuf_parse_bin(test->enc);
2332           pt = wpabuf_parse_bin(test->pt);
2333           aad = wpabuf_parse_bin(test->aad);
2334           ct = wpabuf_parse_bin(test->ct);
2335           if (!info || !pk_r || !sk_r || !enc || !pt || !aad || !ct) {
2336                     wpa_printf(MSG_ERROR, "Could not parse test data");
2337                     goto fail;
2338           }
2339 
2340           /* Receiver - decryption against the test vector */
2341 
2342           enc_ct = wpabuf_concat(enc, ct);
2343           enc = NULL;
2344           ct = NULL;
2345           if (!enc_ct)
2346                     goto fail;
2347 
2348           own_priv = crypto_ec_key_set_priv(test->sk_r_group, wpabuf_head(sk_r),
2349                                                     wpabuf_len(sk_r));
2350           if (!own_priv) {
2351                     wpa_printf(MSG_ERROR,
2352                                  "HPKE base open - failed to set private key");
2353                     goto fail;
2354           }
2355 
2356           res_pt = hpke_base_open(test->kem_id, test->kdf_id, test->aead_id,
2357                                         own_priv,
2358                                         wpabuf_head(info), wpabuf_len(info),
2359                                         wpabuf_head(aad), wpabuf_len(aad),
2360                                         wpabuf_head(enc_ct), wpabuf_len(enc_ct));
2361           if (!res_pt) {
2362                     wpa_printf(MSG_ERROR, "HPKE base open - failed to decrypt");
2363                     wpa_hexdump_buf(MSG_INFO, "pt", res_pt);
2364                     goto fail;
2365           }
2366           if (wpabuf_len(res_pt) != wpabuf_len(pt) ||
2367               os_memcmp(wpabuf_head(res_pt), wpabuf_head(pt),
2368                           wpabuf_len(pt)) != 0) {
2369                     wpa_printf(MSG_ERROR,
2370                                  "HPKE base open - failed - decryption mismatch");
2371                     goto fail;
2372           }
2373 
2374           /* Sender - encryption (randomized algorithm) */
2375 
2376           if (test->sk_r_group == 19)
2377                     coord_len = 32;
2378           else if (test->sk_r_group == 20)
2379                     coord_len = 48;
2380           else if (test->sk_r_group == 21)
2381                     coord_len = 66;
2382           else if (test->sk_r_group == 28)
2383                     coord_len = 32;
2384           else if (test->sk_r_group == 29)
2385                     coord_len = 48;
2386           else if (test->sk_r_group == 30)
2387                     coord_len = 64;
2388           else
2389                     goto fail;
2390           if (wpabuf_len(pk_r) != 1 + 2 * coord_len) {
2391                     wpa_printf(MSG_ERROR, "Unexpected pkR length (%zu != %zu)",
2392                                  wpabuf_len(pk_r), 1 + 2 * coord_len);
2393                     goto fail;
2394           }
2395           peer_pub = crypto_ec_key_set_pub(test->sk_r_group,
2396                                                    wpabuf_head_u8(pk_r) + 1,
2397                                                    wpabuf_head_u8(pk_r) + 1 + coord_len,
2398                                                    coord_len);
2399           if (!peer_pub) {
2400                     wpa_printf(MSG_ERROR,
2401                                  "HPKE base open - failed to set public key");
2402                     goto fail;
2403           }
2404 
2405           res_ct = hpke_base_seal(test->kem_id, test->kdf_id, test->aead_id,
2406                                         peer_pub,
2407                                         wpabuf_head(info), wpabuf_len(info),
2408                                         wpabuf_head(aad), wpabuf_len(aad),
2409                                         wpabuf_head(pt), wpabuf_len(pt));
2410           if (!res_ct) {
2411                     wpa_printf(MSG_ERROR, "HPKE base open - failed to encrypt");
2412                     goto fail;
2413           }
2414 
2415           /* Receiver - decryption (to verify own encryption) */
2416 
2417           wpabuf_free(res_pt);
2418           res_pt = hpke_base_open(test->kem_id, test->kdf_id, test->aead_id,
2419                                         own_priv,
2420                                         wpabuf_head(info), wpabuf_len(info),
2421                                         wpabuf_head(aad), wpabuf_len(aad),
2422                                         wpabuf_head(res_ct), wpabuf_len(res_ct));
2423           if (!res_pt) {
2424                     wpa_printf(MSG_ERROR, "HPKE base open - failed to decrypt own encrypted version");
2425                     goto fail;
2426           }
2427           if (wpabuf_len(res_pt) != wpabuf_len(pt) ||
2428               os_memcmp(wpabuf_head(res_pt), wpabuf_head(pt),
2429                           wpabuf_len(pt)) != 0) {
2430                     wpa_printf(MSG_ERROR,
2431                                  "HPKE base open - failed - decryption mismatch for own encrypted version");
2432                     wpa_hexdump_buf(MSG_INFO, "pt", res_pt);
2433                     goto fail;
2434           }
2435 
2436           res = 0;
2437 fail:
2438           wpabuf_free(info);
2439           wpabuf_free(pk_r);
2440           wpabuf_free(sk_r);
2441           wpabuf_free(enc);
2442           wpabuf_free(pt);
2443           wpabuf_free(aad);
2444           wpabuf_free(ct);
2445           wpabuf_free(enc_ct);
2446           wpabuf_free(res_pt);
2447           wpabuf_free(res_ct);
2448           crypto_ec_key_deinit(own_priv);
2449           crypto_ec_key_deinit(peer_pub);
2450           return res;
2451 }
2452 
2453 #endif /* CONFIG_DPP3 */
2454 
2455 
test_hpke(void)2456 static int test_hpke(void)
2457 {
2458 #ifdef CONFIG_DPP3
2459           unsigned int i;
2460 
2461           wpa_printf(MSG_INFO, "RFC 9180 - HPKE");
2462           for (i = 0; i < ARRAY_SIZE(hpke_tests); i++) {
2463                     if (run_hpke_test(&hpke_tests[i]) < 0)
2464                               return -1;
2465           }
2466 
2467           wpa_printf(MSG_INFO, "HPKE base open test cases passed");
2468 #endif /* CONFIG_DPP3 */
2469           return 0;
2470 }
2471 
2472 
test_ms_funcs(void)2473 static int test_ms_funcs(void)
2474 {
2475 #ifndef CONFIG_FIPS
2476           /* Test vector from RFC2759 example */
2477           char *username = "User";
2478           char *password = "clientPass";
2479           u8 auth_challenge[] = {
2480                     0x5B, 0x5D, 0x7C, 0x7D, 0x7B, 0x3F, 0x2F, 0x3E,
2481                     0x3C, 0x2C, 0x60, 0x21, 0x32, 0x26, 0x26, 0x28
2482           };
2483           u8 peer_challenge[] = {
2484                     0x21, 0x40, 0x23, 0x24, 0x25, 0x5E, 0x26, 0x2A,
2485                     0x28, 0x29, 0x5F, 0x2B, 0x3A, 0x33, 0x7C, 0x7E
2486           };
2487           u8 password_hash[] = {
2488                     0x44, 0xEB, 0xBA, 0x8D, 0x53, 0x12, 0xB8, 0xD6,
2489                     0x11, 0x47, 0x44, 0x11, 0xF5, 0x69, 0x89, 0xAE
2490           };
2491           u8 nt_response[] = {
2492                     0x82, 0x30, 0x9E, 0xCD, 0x8D, 0x70, 0x8B, 0x5E,
2493                     0xA0, 0x8F, 0xAA, 0x39, 0x81, 0xCD, 0x83, 0x54,
2494                     0x42, 0x33, 0x11, 0x4A, 0x3D, 0x85, 0xD6, 0xDF
2495           };
2496           u8 password_hash_hash[] = {
2497                     0x41, 0xC0, 0x0C, 0x58, 0x4B, 0xD2, 0xD9, 0x1C,
2498                     0x40, 0x17, 0xA2, 0xA1, 0x2F, 0xA5, 0x9F, 0x3F
2499           };
2500           u8 authenticator_response[] = {
2501                     0x40, 0x7A, 0x55, 0x89, 0x11, 0x5F, 0xD0, 0xD6,
2502                     0x20, 0x9F, 0x51, 0x0F, 0xE9, 0xC0, 0x45, 0x66,
2503                     0x93, 0x2C, 0xDA, 0x56
2504           };
2505           u8 master_key[] = {
2506                     0xFD, 0xEC, 0xE3, 0x71, 0x7A, 0x8C, 0x83, 0x8C,
2507                     0xB3, 0x88, 0xE5, 0x27, 0xAE, 0x3C, 0xDD, 0x31
2508           };
2509           u8 send_start_key[] = {
2510                     0x8B, 0x7C, 0xDC, 0x14, 0x9B, 0x99, 0x3A, 0x1B,
2511                     0xA1, 0x18, 0xCB, 0x15, 0x3F, 0x56, 0xDC, 0xCB
2512           };
2513           u8 buf[32];
2514           int errors = 0;
2515 
2516           if (nt_password_hash((u8 *) password, os_strlen(password), buf) ||
2517               os_memcmp(password_hash, buf, sizeof(password_hash)) != 0) {
2518                     wpa_printf(MSG_ERROR, "nt_password_hash failed");
2519                     errors++;
2520           }
2521 
2522           if (generate_nt_response(auth_challenge, peer_challenge,
2523                                          (u8 *) username, os_strlen(username),
2524                                          (u8 *) password, os_strlen(password), buf) ||
2525               os_memcmp(nt_response, buf, sizeof(nt_response)) != 0) {
2526                     wpa_printf(MSG_ERROR, "generate_nt_response failed");
2527                     errors++;
2528           }
2529 
2530           if (hash_nt_password_hash(password_hash, buf) ||
2531               os_memcmp(password_hash_hash, buf,
2532                           sizeof(password_hash_hash)) != 0) {
2533                     wpa_printf(MSG_ERROR, "hash_nt_password_hash failed");
2534                     errors++;
2535           }
2536 
2537           if (generate_authenticator_response((u8 *) password,
2538                                                       os_strlen(password),
2539                                                       peer_challenge, auth_challenge,
2540                                                       (u8 *) username,
2541                                                       os_strlen(username),
2542                                                       nt_response, buf) ||
2543               os_memcmp(authenticator_response, buf,
2544                           sizeof(authenticator_response)) != 0) {
2545                     wpa_printf(MSG_ERROR, "generate_authenticator_response failed");
2546                     errors++;
2547           }
2548 
2549           if (get_master_key(password_hash_hash, nt_response, buf) ||
2550               os_memcmp(master_key, buf, sizeof(master_key)) != 0) {
2551                     wpa_printf(MSG_ERROR, "get_master_key failed");
2552                     errors++;
2553           }
2554 
2555           if (get_asymetric_start_key(master_key, buf, sizeof(send_start_key),
2556                                             1, 1) ||
2557               os_memcmp(send_start_key, buf, sizeof(send_start_key)) != 0) {
2558                     wpa_printf(MSG_ERROR, "get_asymetric_start_key failed");
2559                     errors++;
2560           }
2561 
2562           if (errors)
2563                     wpa_printf(MSG_ERROR, "ms_funcs: %d errors", errors);
2564           else
2565                     wpa_printf(MSG_INFO, "ms_funcs test cases passed");
2566 
2567           return errors;
2568 #else /* CONFIG_FIPS */
2569           wpa_printf(MSG_INFO, "ms_funcs test cases skipped due to CONFIG_FIPS");
2570           return 0;
2571 #endif /* CONFIG_FIPS */
2572 }
2573 
2574 
crypto_module_tests(void)2575 int crypto_module_tests(void)
2576 {
2577           int ret = 0;
2578 
2579           wpa_printf(MSG_INFO, "crypto module tests");
2580           if (test_siv() ||
2581               test_omac1() ||
2582               test_eax() ||
2583               test_cbc() ||
2584               test_ecb() ||
2585               test_key_wrap() ||
2586               test_aes_ctr() ||
2587               test_md5() ||
2588               test_sha1() ||
2589               test_sha256() ||
2590               test_sha384() ||
2591               test_fips186_2_prf() ||
2592               test_extract_expand_hkdf() ||
2593               test_hpke() ||
2594               test_ms_funcs())
2595                     ret = -1;
2596 
2597           return ret;
2598 }
2599