crypto_module_tests.c revision 337817 
1/*
2 * crypto module tests
3 * Copyright (c) 2014-2015, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9#include "utils/includes.h"
10
11#include "utils/common.h"
12#include "utils/module_tests.h"
13#include "crypto/aes_siv.h"
14#include "crypto/aes_wrap.h"
15#include "crypto/aes.h"
16#include "crypto/ms_funcs.h"
17#include "crypto/crypto.h"
18#include "crypto/sha1.h"
19#include "crypto/sha256.h"
20
21
22static int test_siv(void)
23{
24#ifdef CONFIG_MESH
25	/* RFC 5297, A.1. Deterministic Authenticated Encryption Example */
26	u8 key[] = {
27		0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
28		0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
29		0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
30		0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff
31	};
32	u8 ad[] = {
33		0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
34		0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
35		0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27
36	};
37	u8 plaintext[] = {
38		0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88,
39		0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee
40	};
41	u8 iv_c[] = {
42		0x85, 0x63, 0x2d, 0x07, 0xc6, 0xe8, 0xf3, 0x7f,
43		0x95, 0x0a, 0xcd, 0x32, 0x0a, 0x2e, 0xcc, 0x93,
44		0x40, 0xc0, 0x2b, 0x96, 0x90, 0xc4, 0xdc, 0x04,
45		0xda, 0xef, 0x7f, 0x6a, 0xfe, 0x5c
46	};
47	/* RFC 5297, A.2. Nonce-Based Authenticated Encryption Example */
48	u8 key_2[] = {
49		0x7f, 0x7e, 0x7d, 0x7c, 0x7b, 0x7a, 0x79, 0x78,
50		0x77, 0x76, 0x75, 0x74, 0x73, 0x72, 0x71, 0x70,
51		0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
52		0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f
53	};
54	u8 ad1_2[] = {
55		0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
56		0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
57		0xde, 0xad, 0xda, 0xda, 0xde, 0xad, 0xda, 0xda,
58		0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99, 0x88,
59		0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11, 0x00
60	};
61	u8 ad2_2[] = {
62		0x10, 0x20, 0x30, 0x40, 0x50, 0x60, 0x70, 0x80,
63		0x90, 0xa0
64	};
65	u8 nonce_2[] = {
66		0x09, 0xf9, 0x11, 0x02, 0x9d, 0x74, 0xe3, 0x5b,
67		0xd8, 0x41, 0x56, 0xc5, 0x63, 0x56, 0x88, 0xc0
68	};
69	u8 plaintext_2[] = {
70		0x74, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20,
71		0x73, 0x6f, 0x6d, 0x65, 0x20, 0x70, 0x6c, 0x61,
72		0x69, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x20, 0x74,
73		0x6f, 0x20, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70,
74		0x74, 0x20, 0x75, 0x73, 0x69, 0x6e, 0x67, 0x20,
75		0x53, 0x49, 0x56, 0x2d, 0x41, 0x45, 0x53
76	};
77	u8 iv_c_2[] = {
78		0x7b, 0xdb, 0x6e, 0x3b, 0x43, 0x26, 0x67, 0xeb,
79		0x06, 0xf4, 0xd1, 0x4b, 0xff, 0x2f, 0xbd, 0x0f,
80		0xcb, 0x90, 0x0f, 0x2f, 0xdd, 0xbe, 0x40, 0x43,
81		0x26, 0x60, 0x19, 0x65, 0xc8, 0x89, 0xbf, 0x17,
82		0xdb, 0xa7, 0x7c, 0xeb, 0x09, 0x4f, 0xa6, 0x63,
83		0xb7, 0xa3, 0xf7, 0x48, 0xba, 0x8a, 0xf8, 0x29,
84		0xea, 0x64, 0xad, 0x54, 0x4a, 0x27, 0x2e, 0x9c,
85		0x48, 0x5b, 0x62, 0xa3, 0xfd, 0x5c, 0x0d
86	};
87	u8 out[2 * AES_BLOCK_SIZE + sizeof(plaintext_2)];
88	const u8 *addr[3];
89	size_t len[3];
90
91	/* RFC 5297, A.1. Deterministic Authenticated Encryption Example */
92	addr[0] = ad;
93	len[0] = sizeof(ad);
94
95	if (aes_siv_encrypt(key, plaintext, sizeof(plaintext),
96			    1, addr, len, out)) {
97		wpa_printf(MSG_ERROR, "AES-SIV mode encryption failed");
98		return 1;
99	}
100	if (os_memcmp(out, iv_c, sizeof(iv_c)) != 0) {
101		wpa_printf(MSG_ERROR,
102			   "AES-SIV mode encryption returned invalid cipher text");
103		return 1;
104	}
105
106	if (aes_siv_decrypt(key, iv_c, sizeof(iv_c), 1, addr, len, out)) {
107		wpa_printf(MSG_ERROR, "AES-SIV mode decryption failed");
108		return 1;
109	}
110	if (os_memcmp(out, plaintext, sizeof(plaintext)) != 0) {
111		wpa_printf(MSG_ERROR,
112			   "AES-SIV mode decryption returned invalid plain text");
113		return 1;
114	}
115
116	/* RFC 5297, A.2. Nonce-Based Authenticated Encryption Example */
117	addr[0] = ad1_2;
118	len[0] = sizeof(ad1_2);
119	addr[1] = ad2_2;
120	len[1] = sizeof(ad2_2);
121	addr[2] = nonce_2;
122	len[2] = sizeof(nonce_2);
123
124	if (aes_siv_encrypt(key_2, plaintext_2, sizeof(plaintext_2),
125			    3, addr, len, out)) {
126		wpa_printf(MSG_ERROR, "AES-SIV mode encryption failed");
127		return 1;
128	}
129	if (os_memcmp(out, iv_c_2, sizeof(iv_c_2)) != 0) {
130		wpa_printf(MSG_ERROR,
131			   "AES-SIV mode encryption returned invalid cipher text");
132		return 1;
133	}
134
135	if (aes_siv_decrypt(key_2, iv_c_2, sizeof(iv_c_2), 3, addr, len, out)) {
136		wpa_printf(MSG_ERROR, "AES-SIV mode decryption failed");
137		return 1;
138	}
139	if (os_memcmp(out, plaintext_2, sizeof(plaintext_2)) != 0) {
140		wpa_printf(MSG_ERROR,
141			   "AES-SIV mode decryption returned invalid plain text");
142		return 1;
143	}
144
145	wpa_printf(MSG_INFO, "AES-SIV test cases passed");
146#endif /* CONFIG_MESH */
147
148	return 0;
149}
150
151
152/* OMAC1 AES-128 test vectors from
153 * http://csrc.nist.gov/CryptoToolkit/modes/proposedmodes/omac/omac-ad.pdf
154 * which are same as the examples from NIST SP800-38B
155 * http://csrc.nist.gov/CryptoToolkit/modes/800-38_Series_Publications/SP800-38B.pdf
156 */
157
158struct omac1_test_vector {
159	u8 k[16];
160	u8 msg[64];
161	int msg_len;
162	u8 tag[16];
163};
164
165static const struct omac1_test_vector omac1_test_vectors[] =
166{
167	{
168		{ 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
169		  0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c },
170		{ },
171		0,
172		{ 0xbb, 0x1d, 0x69, 0x29, 0xe9, 0x59, 0x37, 0x28,
173		  0x7f, 0xa3, 0x7d, 0x12, 0x9b, 0x75, 0x67, 0x46 }
174	},
175	{
176		{ 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
177		  0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c },
178		{ 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
179		  0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a},
180		16,
181		{ 0x07, 0x0a, 0x16, 0xb4, 0x6b, 0x4d, 0x41, 0x44,
182		  0xf7, 0x9b, 0xdd, 0x9d, 0xd0, 0x4a, 0x28, 0x7c }
183	},
184	{
185		{ 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
186		  0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c },
187		{ 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
188		  0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
189		  0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
190		  0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
191		  0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11 },
192		40,
193		{ 0xdf, 0xa6, 0x67, 0x47, 0xde, 0x9a, 0xe6, 0x30,
194		  0x30, 0xca, 0x32, 0x61, 0x14, 0x97, 0xc8, 0x27 }
195	},
196	{
197		{ 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
198		  0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c },
199		{ 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
200		  0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
201		  0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
202		  0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
203		  0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11,
204		  0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef,
205		  0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17,
206		  0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10 },
207		64,
208		{ 0x51, 0xf0, 0xbe, 0xbf, 0x7e, 0x3b, 0x9d, 0x92,
209		  0xfc, 0x49, 0x74, 0x17, 0x79, 0x36, 0x3c, 0xfe }
210	},
211};
212
213
214static int test_omac1_vector(const struct omac1_test_vector *tv,
215			     unsigned int i)
216{
217	u8 key[] = {
218		0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
219		0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c
220	};
221	u8 msg[] = { 0x12, 0x34, 0x56 };
222	u8 result[24], result2[24];
223	const u8 *addr[3];
224	size_t len[3];
225
226	if (omac1_aes_128(tv->k, tv->msg, tv->msg_len, result) ||
227	    os_memcmp(result, tv->tag, 16) != 0) {
228		wpa_printf(MSG_ERROR, "OMAC1-AES-128 test vector %u failed", i);
229		return 1;
230	}
231
232	if (tv->msg_len > 1) {
233
234		addr[0] = tv->msg;
235		len[0] = 1;
236		addr[1] = tv->msg + 1;
237		len[1] = tv->msg_len - 1;
238
239		if (omac1_aes_128_vector(tv->k, 2, addr, len, result) ||
240		    os_memcmp(result, tv->tag, 16) != 0) {
241			wpa_printf(MSG_ERROR,
242				   "OMAC1-AES-128(vector) test vector %u failed",
243				   i);
244			return 1;
245		}
246
247		addr[0] = tv->msg;
248		len[0] = tv->msg_len - 2;
249		addr[1] = tv->msg + tv->msg_len - 2;
250		len[1] = 1;
251		addr[2] = tv->msg + tv->msg_len - 1;
252		len[2] = 1;
253
254		if (omac1_aes_128_vector(tv->k, 3, addr, len, result) ||
255		    os_memcmp(result, tv->tag, 16) != 0) {
256			wpa_printf(MSG_ERROR,
257				   "OMAC1-AES-128(vector2) test vector %u failed",
258				   i);
259			return 1;
260		}
261	}
262
263	addr[0] = &msg[0];
264	len[0] = 1;
265	addr[1] = &msg[1];
266	len[1] = 1;
267	addr[2] = &msg[2];
268	len[2] = 1;
269	if (omac1_aes_128(key, msg, sizeof(msg), result) ||
270	    omac1_aes_128_vector(key, 3, addr, len, result2) ||
271	    os_memcmp(result, result2, 16) != 0) {
272		wpa_printf(MSG_ERROR, "OMAC1-AES-128 short test mismatch");
273		return 1;
274	}
275
276	return 0;
277}
278
279
280static int test_omac1(void)
281{
282	unsigned int i;
283
284	for (i = 0; i < ARRAY_SIZE(omac1_test_vectors); i++) {
285		if (test_omac1_vector(&omac1_test_vectors[i], i))
286			return 1;
287	}
288
289	wpa_printf(MSG_INFO, "OMAC1-AES-128 test cases passed");
290
291	return 0;
292}
293
294
295static int test_eax(void)
296{
297#ifdef EAP_PSK
298	u8 msg[] = { 0xF7, 0xFB };
299	u8 key[] = { 0x91, 0x94, 0x5D, 0x3F, 0x4D, 0xCB, 0xEE, 0x0B,
300		     0xF4, 0x5E, 0xF5, 0x22, 0x55, 0xF0, 0x95, 0xA4 };
301	u8 nonce[] = { 0xBE, 0xCA, 0xF0, 0x43, 0xB0, 0xA2, 0x3D, 0x84,
302		       0x31, 0x94, 0xBA, 0x97, 0x2C, 0x66, 0xDE, 0xBD };
303	u8 hdr[] = { 0xFA, 0x3B, 0xFD, 0x48, 0x06, 0xEB, 0x53, 0xFA };
304	u8 cipher[] = { 0x19, 0xDD, 0x5C, 0x4C, 0x93, 0x31, 0x04, 0x9D,
305			0x0B, 0xDA, 0xB0, 0x27, 0x74, 0x08, 0xF6, 0x79,
306			0x67, 0xE5 };
307	u8 data[sizeof(msg)], tag[AES_BLOCK_SIZE];
308
309	os_memcpy(data, msg, sizeof(msg));
310	if (aes_128_eax_encrypt(key, nonce, sizeof(nonce), hdr, sizeof(hdr),
311				data, sizeof(data), tag)) {
312		wpa_printf(MSG_ERROR, "AES-128 EAX mode encryption failed");
313		return 1;
314	}
315	if (os_memcmp(data, cipher, sizeof(data)) != 0) {
316		wpa_printf(MSG_ERROR,
317			   "AES-128 EAX mode encryption returned invalid cipher text");
318		return 1;
319	}
320	if (os_memcmp(tag, cipher + sizeof(data), AES_BLOCK_SIZE) != 0) {
321		wpa_printf(MSG_ERROR,
322			   "AES-128 EAX mode encryption returned invalid tag");
323		return 1;
324	}
325
326	if (aes_128_eax_decrypt(key, nonce, sizeof(nonce), hdr, sizeof(hdr),
327				data, sizeof(data), tag)) {
328		wpa_printf(MSG_ERROR, "AES-128 EAX mode decryption failed");
329		return 1;
330	}
331	if (os_memcmp(data, msg, sizeof(data)) != 0) {
332		wpa_printf(MSG_ERROR,
333			   "AES-128 EAX mode decryption returned invalid plain text");
334		return 1;
335	}
336
337	wpa_printf(MSG_INFO, "AES-128 EAX mode test cases passed");
338#endif /* EAP_PSK */
339
340	return 0;
341}
342
343
344static int test_cbc(void)
345{
346	struct cbc_test_vector {
347		u8 key[16];
348		u8 iv[16];
349		u8 plain[32];
350		u8 cipher[32];
351		size_t len;
352	} vectors[] = {
353		{
354			{ 0x06, 0xa9, 0x21, 0x40, 0x36, 0xb8, 0xa1, 0x5b,
355			  0x51, 0x2e, 0x03, 0xd5, 0x34, 0x12, 0x00, 0x06 },
356			{ 0x3d, 0xaf, 0xba, 0x42, 0x9d, 0x9e, 0xb4, 0x30,
357			  0xb4, 0x22, 0xda, 0x80, 0x2c, 0x9f, 0xac, 0x41 },
358			"Single block msg",
359			{ 0xe3, 0x53, 0x77, 0x9c, 0x10, 0x79, 0xae, 0xb8,
360			  0x27, 0x08, 0x94, 0x2d, 0xbe, 0x77, 0x18, 0x1a },
361			16
362		},
363		{
364			{ 0xc2, 0x86, 0x69, 0x6d, 0x88, 0x7c, 0x9a, 0xa0,
365			  0x61, 0x1b, 0xbb, 0x3e, 0x20, 0x25, 0xa4, 0x5a },
366			{ 0x56, 0x2e, 0x17, 0x99, 0x6d, 0x09, 0x3d, 0x28,
367			  0xdd, 0xb3, 0xba, 0x69, 0x5a, 0x2e, 0x6f, 0x58 },
368			{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
369			  0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
370			  0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
371			  0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f },
372			{ 0xd2, 0x96, 0xcd, 0x94, 0xc2, 0xcc, 0xcf, 0x8a,
373			  0x3a, 0x86, 0x30, 0x28, 0xb5, 0xe1, 0xdc, 0x0a,
374			  0x75, 0x86, 0x60, 0x2d, 0x25, 0x3c, 0xff, 0xf9,
375			  0x1b, 0x82, 0x66, 0xbe, 0xa6, 0xd6, 0x1a, 0xb1 },
376			32
377		}
378	};
379	int ret = 0;
380	u8 *buf;
381	unsigned int i;
382
383	for (i = 0; i < ARRAY_SIZE(vectors); i++) {
384		struct cbc_test_vector *tv = &vectors[i];
385
386		buf = os_malloc(tv->len);
387		if (buf == NULL) {
388			ret++;
389			break;
390		}
391
392		os_memcpy(buf, tv->plain, tv->len);
393		if (aes_128_cbc_encrypt(tv->key, tv->iv, buf, tv->len) ||
394		    os_memcmp(buf, tv->cipher, tv->len) != 0) {
395			wpa_printf(MSG_ERROR, "AES-CBC encrypt %d failed", i);
396			ret++;
397		}
398
399		os_memcpy(buf, tv->cipher, tv->len);
400		if (aes_128_cbc_decrypt(tv->key, tv->iv, buf, tv->len) ||
401		    os_memcmp(buf, tv->plain, tv->len) != 0) {
402			wpa_printf(MSG_ERROR, "AES-CBC decrypt %d failed", i);
403			ret++;
404		}
405
406		os_free(buf);
407	}
408
409	return ret;
410}
411
412
413static int test_ecb(void)
414{
415#ifdef EAP_PSK
416	struct ecb_test_vector {
417		char *key;
418		char *plaintext;
419		char *ciphertext;
420	} vectors[] = {
421		/* CAVS 11.1 - ECBGFSbox128.rsp */
422		{
423			"00000000000000000000000000000000",
424			"f34481ec3cc627bacd5dc3fb08f273e6",
425			"0336763e966d92595a567cc9ce537f5e"
426		},
427		{
428			"00000000000000000000000000000000",
429			"9798c4640bad75c7c3227db910174e72",
430			"a9a1631bf4996954ebc093957b234589"
431		},
432		{
433			"00000000000000000000000000000000",
434			"96ab5c2ff612d9dfaae8c31f30c42168",
435			"ff4f8391a6a40ca5b25d23bedd44a597"
436		},
437		{
438			"00000000000000000000000000000000",
439			"6a118a874519e64e9963798a503f1d35",
440			"dc43be40be0e53712f7e2bf5ca707209"
441		},
442		{
443			"00000000000000000000000000000000",
444			"cb9fceec81286ca3e989bd979b0cb284",
445			"92beedab1895a94faa69b632e5cc47ce"
446		},
447		{
448			"00000000000000000000000000000000",
449			"b26aeb1874e47ca8358ff22378f09144",
450			"459264f4798f6a78bacb89c15ed3d601"
451		},
452		{
453			"00000000000000000000000000000000",
454			"58c8e00b2631686d54eab84b91f0aca1",
455			"08a4e2efec8a8e3312ca7460b9040bbf"
456		},
457		/* CAVS 11.1 - ECBKeySbox128.rsp */
458		{
459			"10a58869d74be5a374cf867cfb473859",
460			"00000000000000000000000000000000",
461			"6d251e6944b051e04eaa6fb4dbf78465"
462		},
463		{
464			"caea65cdbb75e9169ecd22ebe6e54675",
465			"00000000000000000000000000000000",
466			"6e29201190152df4ee058139def610bb",
467		}
468	};
469	int ret = 0;
470	unsigned int i;
471	u8 key[16], plain[16], cipher[16], out[16];
472
473	for (i = 0; i < ARRAY_SIZE(vectors); i++) {
474		struct ecb_test_vector *tv = &vectors[i];
475
476		if (hexstr2bin(tv->key, key, sizeof(key)) ||
477		    hexstr2bin(tv->plaintext, plain, sizeof(plain)) ||
478		    hexstr2bin(tv->ciphertext, cipher, sizeof(cipher))) {
479			wpa_printf(MSG_ERROR, "Invalid AES-ECB test vector %u",
480				   i);
481			ret++;
482			continue;
483		}
484
485		if (aes_128_encrypt_block(key, plain, out) < 0 ||
486		    os_memcmp(out, cipher, 16) != 0) {
487			wpa_printf(MSG_ERROR, "AES-ECB encrypt %u failed", i);
488			ret++;
489		}
490	}
491
492	if (!ret)
493		wpa_printf(MSG_INFO, "AES ECB mode test cases passed");
494
495	return ret;
496#endif /* EAP_PSK */
497
498	return 0;
499}
500
501
502static int test_key_wrap(void)
503{
504	int ret = 0;
505
506	/* RFC 3394 - Test vector 4.1 */
507	u8 kek41[] = {
508		0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
509		0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
510	};
511	u8 plain41[] = {
512		0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
513		0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff
514	};
515	u8 crypt41[] = {
516		0x1F, 0xA6, 0x8B, 0x0A, 0x81, 0x12, 0xB4, 0x47,
517		0xAE, 0xF3, 0x4B, 0xD8, 0xFB, 0x5A, 0x7B, 0x82,
518		0x9D, 0x3E, 0x86, 0x23, 0x71, 0xD2, 0xCF, 0xE5
519	};
520#ifndef CONFIG_BORINGSSL
521	/* RFC 3394 - Test vector 4.2 */
522	u8 kek42[] = {
523		0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
524		0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
525		0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17
526	};
527	u8 plain42[] = {
528		0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
529		0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff
530	};
531	u8 crypt42[] = {
532		0x96, 0x77, 0x8B, 0x25, 0xAE, 0x6C, 0xA4, 0x35,
533		0xF9, 0x2B, 0x5B, 0x97, 0xC0, 0x50, 0xAE, 0xD2,
534		0x46, 0x8A, 0xB8, 0xA1, 0x7A, 0xD8, 0x4E, 0x5D
535	};
536#endif /* CONFIG_BORINGSSL */
537	/* RFC 3394 - Test vector 4.3 */
538	u8 kek43[] = {
539		0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
540		0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
541		0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
542		0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F
543	};
544	u8 plain43[] = {
545		0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
546		0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff
547	};
548	u8 crypt43[] = {
549		0x64, 0xE8, 0xC3, 0xF9, 0xCE, 0x0F, 0x5B, 0xA2,
550		0x63, 0xE9, 0x77, 0x79, 0x05, 0x81, 0x8A, 0x2A,
551		0x93, 0xC8, 0x19, 0x1E, 0x7D, 0x6E, 0x8A, 0xE7,
552	};
553#ifndef CONFIG_BORINGSSL
554	/* RFC 3394 - Test vector 4.4 */
555	u8 kek44[] = {
556		0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
557		0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
558		0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17
559	};
560	u8 plain44[] = {
561		0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
562		0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
563		0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07
564	};
565	u8 crypt44[] = {
566		0x03, 0x1D, 0x33, 0x26, 0x4E, 0x15, 0xD3, 0x32,
567		0x68, 0xF2, 0x4E, 0xC2, 0x60, 0x74, 0x3E, 0xDC,
568		0xE1, 0xC6, 0xC7, 0xDD, 0xEE, 0x72, 0x5A, 0x93,
569		0x6B, 0xA8, 0x14, 0x91, 0x5C, 0x67, 0x62, 0xD2
570	};
571#endif /* CONFIG_BORINGSSL */
572	/* RFC 3394 - Test vector 4.5 */
573	u8 kek45[] = {
574		0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
575		0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
576		0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
577		0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F
578	};
579	u8 plain45[] = {
580		0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
581		0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
582		0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07
583	};
584	u8 crypt45[] = {
585		0xA8, 0xF9, 0xBC, 0x16, 0x12, 0xC6, 0x8B, 0x3F,
586		0xF6, 0xE6, 0xF4, 0xFB, 0xE3, 0x0E, 0x71, 0xE4,
587		0x76, 0x9C, 0x8B, 0x80, 0xA3, 0x2C, 0xB8, 0x95,
588		0x8C, 0xD5, 0xD1, 0x7D, 0x6B, 0x25, 0x4D, 0xA1,
589	};
590	/* RFC 3394 - Test vector 4.6 */
591	u8 kek46[] = {
592		0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
593		0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
594		0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
595		0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F
596	};
597	u8 plain46[] = {
598		0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
599		0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF,
600		0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
601		0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
602	};
603	u8 crypt46[] = {
604		0x28, 0xC9, 0xF4, 0x04, 0xC4, 0xB8, 0x10, 0xF4,
605		0xCB, 0xCC, 0xB3, 0x5C, 0xFB, 0x87, 0xF8, 0x26,
606		0x3F, 0x57, 0x86, 0xE2, 0xD8, 0x0E, 0xD3, 0x26,
607		0xCB, 0xC7, 0xF0, 0xE7, 0x1A, 0x99, 0xF4, 0x3B,
608		0xFB, 0x98, 0x8B, 0x9B, 0x7A, 0x02, 0xDD, 0x21
609	};
610	u8 result[40];
611
612	wpa_printf(MSG_INFO, "RFC 3394 - Test vector 4.1");
613	if (aes_wrap(kek41, sizeof(kek41), sizeof(plain41) / 8, plain41,
614		     result)) {
615		wpa_printf(MSG_ERROR, "AES-WRAP-128 reported failure");
616		ret++;
617	}
618	if (os_memcmp(result, crypt41, sizeof(crypt41)) != 0) {
619		wpa_printf(MSG_ERROR, "AES-WRAP-128 failed");
620		ret++;
621	}
622	if (aes_unwrap(kek41, sizeof(kek41), sizeof(plain41) / 8, crypt41,
623		       result)) {
624		wpa_printf(MSG_ERROR, "AES-UNWRAP-128 reported failure");
625		ret++;
626	}
627	if (os_memcmp(result, plain41, sizeof(plain41)) != 0) {
628		wpa_printf(MSG_ERROR, "AES-UNWRAP-128 failed");
629		ret++;
630	}
631
632#ifndef CONFIG_BORINGSSL
633	wpa_printf(MSG_INFO, "RFC 3394 - Test vector 4.2");
634	if (aes_wrap(kek42, sizeof(kek42), sizeof(plain42) / 8, plain42,
635		     result)) {
636		wpa_printf(MSG_ERROR, "AES-WRAP-192 reported failure");
637		ret++;
638	}
639	if (os_memcmp(result, crypt42, sizeof(crypt42)) != 0) {
640		wpa_printf(MSG_ERROR, "AES-WRAP-192 failed");
641		ret++;
642	}
643	if (aes_unwrap(kek42, sizeof(kek42), sizeof(plain42) / 8, crypt42,
644		       result)) {
645		wpa_printf(MSG_ERROR, "AES-UNWRAP-192 reported failure");
646		ret++;
647	}
648	if (os_memcmp(result, plain42, sizeof(plain42)) != 0) {
649		wpa_printf(MSG_ERROR, "AES-UNWRAP-192 failed");
650		ret++;
651	}
652#endif /* CONFIG_BORINGSSL */
653
654	wpa_printf(MSG_INFO, "RFC 3394 - Test vector 4.3");
655	if (aes_wrap(kek43, sizeof(kek43), sizeof(plain43) / 8, plain43,
656		     result)) {
657		wpa_printf(MSG_ERROR, "AES-WRAP-256 reported failure");
658		ret++;
659	}
660	if (os_memcmp(result, crypt43, sizeof(crypt43)) != 0) {
661		wpa_printf(MSG_ERROR, "AES-WRAP-256 failed");
662		ret++;
663	}
664	if (aes_unwrap(kek43, sizeof(kek43), sizeof(plain43) / 8, crypt43,
665		       result)) {
666		wpa_printf(MSG_ERROR, "AES-UNWRAP-256 reported failure");
667		ret++;
668	}
669	if (os_memcmp(result, plain43, sizeof(plain43)) != 0) {
670		wpa_printf(MSG_ERROR, "AES-UNWRAP-256 failed");
671		ret++;
672	}
673
674#ifndef CONFIG_BORINGSSL
675	wpa_printf(MSG_INFO, "RFC 3394 - Test vector 4.4");
676	if (aes_wrap(kek44, sizeof(kek44), sizeof(plain44) / 8, plain44,
677		     result)) {
678		wpa_printf(MSG_ERROR, "AES-WRAP-192 reported failure");
679		ret++;
680	}
681	if (os_memcmp(result, crypt44, sizeof(crypt44)) != 0) {
682		wpa_printf(MSG_ERROR, "AES-WRAP-192 failed");
683		ret++;
684	}
685	if (aes_unwrap(kek44, sizeof(kek44), sizeof(plain44) / 8, crypt44,
686		       result)) {
687		wpa_printf(MSG_ERROR, "AES-UNWRAP-192 reported failure");
688		ret++;
689	}
690	if (os_memcmp(result, plain44, sizeof(plain44)) != 0) {
691		wpa_printf(MSG_ERROR, "AES-UNWRAP-192 failed");
692		ret++;
693	}
694#endif /* CONFIG_BORINGSSL */
695
696	wpa_printf(MSG_INFO, "RFC 3394 - Test vector 4.5");
697	if (aes_wrap(kek45, sizeof(kek45), sizeof(plain45) / 8, plain45,
698		     result)) {
699		wpa_printf(MSG_ERROR, "AES-WRAP-256 reported failure");
700		ret++;
701	}
702	if (os_memcmp(result, crypt45, sizeof(crypt45)) != 0) {
703		wpa_printf(MSG_ERROR, "AES-WRAP-256 failed");
704		ret++;
705	}
706	if (aes_unwrap(kek45, sizeof(kek45), sizeof(plain45) / 8, crypt45,
707		       result)) {
708		wpa_printf(MSG_ERROR, "AES-UNWRAP-256 reported failure");
709		ret++;
710	}
711	if (os_memcmp(result, plain45, sizeof(plain45)) != 0) {
712		wpa_printf(MSG_ERROR, "AES-UNWRAP-256 failed");
713		ret++;
714	}
715
716	wpa_printf(MSG_INFO, "RFC 3394 - Test vector 4.6");
717	if (aes_wrap(kek46, sizeof(kek46), sizeof(plain46) / 8, plain46,
718		     result)) {
719		wpa_printf(MSG_ERROR, "AES-WRAP-256 reported failure");
720		ret++;
721	}
722	if (os_memcmp(result, crypt46, sizeof(crypt46)) != 0) {
723		wpa_printf(MSG_ERROR, "AES-WRAP-256 failed");
724		ret++;
725	}
726	if (aes_unwrap(kek46, sizeof(kek46), sizeof(plain46) / 8, crypt46,
727		       result)) {
728		wpa_printf(MSG_ERROR, "AES-UNWRAP-256 reported failure");
729		ret++;
730	}
731	if (os_memcmp(result, plain46, sizeof(plain46)) != 0) {
732		wpa_printf(MSG_ERROR, "AES-UNWRAP-256 failed");
733		ret++;
734	}
735
736	if (!ret)
737		wpa_printf(MSG_INFO, "AES key wrap/unwrap test cases passed");
738
739	return ret;
740}
741
742
743static int test_md5(void)
744{
745#ifndef CONFIG_FIPS
746	struct {
747		char *data;
748		char *hash;
749	} tests[] = {
750		{
751			"",
752			"\xd4\x1d\x8c\xd9\x8f\x00\xb2\x04"
753			"\xe9\x80\x09\x98\xec\xf8\x42\x7e"
754		},
755		{
756			"a",
757			"\x0c\xc1\x75\xb9\xc0\xf1\xb6\xa8"
758			"\x31\xc3\x99\xe2\x69\x77\x26\x61"
759		},
760		{
761			"abc",
762			"\x90\x01\x50\x98\x3c\xd2\x4f\xb0"
763			"\xd6\x96\x3f\x7d\x28\xe1\x7f\x72"
764		},
765		{
766			"message digest",
767			"\xf9\x6b\x69\x7d\x7c\xb7\x93\x8d"
768			"\x52\x5a\x2f\x31\xaa\xf1\x61\xd0"
769		},
770		{
771			"abcdefghijklmnopqrstuvwxyz",
772			"\xc3\xfc\xd3\xd7\x61\x92\xe4\x00"
773			"\x7d\xfb\x49\x6c\xca\x67\xe1\x3b"
774		},
775		{
776			"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
777			"0123456789",
778			"\xd1\x74\xab\x98\xd2\x77\xd9\xf5"
779			"\xa5\x61\x1c\x2c\x9f\x41\x9d\x9f"
780		},
781		{
782			"12345678901234567890123456789012345678901234567890"
783			"123456789012345678901234567890",
784			"\x57\xed\xf4\xa2\x2b\xe3\xc9\x55"
785			"\xac\x49\xda\x2e\x21\x07\xb6\x7a"
786		}
787	};
788	unsigned int i;
789	u8 hash[16];
790	const u8 *addr[2];
791	size_t len[2];
792	int errors = 0;
793
794	for (i = 0; i < ARRAY_SIZE(tests); i++) {
795		wpa_printf(MSG_INFO, "MD5 test case %d", i);
796
797		addr[0] = (u8 *) tests[i].data;
798		len[0] = strlen(tests[i].data);
799		if (md5_vector(1, addr, len, hash) < 0 ||
800		    os_memcmp(hash, tests[i].hash, 16) != 0) {
801			wpa_printf(MSG_INFO, " FAIL");
802			errors++;
803		} else
804			wpa_printf(MSG_INFO, " OK");
805
806		if (len[0]) {
807			addr[0] = (u8 *) tests[i].data;
808			len[0] = strlen(tests[i].data);
809			addr[1] = (u8 *) tests[i].data + 1;
810			len[1] = strlen(tests[i].data) - 1;
811			if (md5_vector(1, addr, len, hash) < 0 ||
812			    os_memcmp(hash, tests[i].hash, 16) != 0) {
813				wpa_printf(MSG_INFO, " FAIL");
814				errors++;
815			} else
816				wpa_printf(MSG_INFO, " OK");
817		}
818	}
819
820	if (!errors)
821		wpa_printf(MSG_INFO, "MD5 test cases passed");
822
823	return errors;
824#else /* CONFIG_FIPS */
825	wpa_printf(MSG_INFO, "MD5 test cases skipped due to CONFIG_FIPS");
826	return 0;
827#endif /* CONFIG_FIPS */
828}
829
830
831static int test_eap_fast(void)
832{
833#ifdef EAP_FAST
834	/* RFC 4851, Appendix B.1 */
835	const u8 pac_key[] = {
836		0x0B, 0x97, 0x39, 0x0F, 0x37, 0x51, 0x78, 0x09,
837		0x81, 0x1E, 0xFD, 0x9C, 0x6E, 0x65, 0x94, 0x2B,
838		0x63, 0x2C, 0xE9, 0x53, 0x89, 0x38, 0x08, 0xBA,
839		0x36, 0x0B, 0x03, 0x7C, 0xD1, 0x85, 0xE4, 0x14
840	};
841	const u8 seed[] = {
842		0x3F, 0xFB, 0x11, 0xC4, 0x6C, 0xBF, 0xA5, 0x7A,
843		0x54, 0x40, 0xDA, 0xE8, 0x22, 0xD3, 0x11, 0xD3,
844		0xF7, 0x6D, 0xE4, 0x1D, 0xD9, 0x33, 0xE5, 0x93,
845		0x70, 0x97, 0xEB, 0xA9, 0xB3, 0x66, 0xF4, 0x2A,
846		0x00, 0x00, 0x00, 0x02, 0x6A, 0x66, 0x43, 0x2A,
847		0x8D, 0x14, 0x43, 0x2C, 0xEC, 0x58, 0x2D, 0x2F,
848		0xC7, 0x9C, 0x33, 0x64, 0xBA, 0x04, 0xAD, 0x3A,
849		0x52, 0x54, 0xD6, 0xA5, 0x79, 0xAD, 0x1E, 0x00
850	};
851	const u8 master_secret[] = {
852		0x4A, 0x1A, 0x51, 0x2C, 0x01, 0x60, 0xBC, 0x02,
853		0x3C, 0xCF, 0xBC, 0x83, 0x3F, 0x03, 0xBC, 0x64,
854		0x88, 0xC1, 0x31, 0x2F, 0x0B, 0xA9, 0xA2, 0x77,
855		0x16, 0xA8, 0xD8, 0xE8, 0xBD, 0xC9, 0xD2, 0x29,
856		0x38, 0x4B, 0x7A, 0x85, 0xBE, 0x16, 0x4D, 0x27,
857		0x33, 0xD5, 0x24, 0x79, 0x87, 0xB1, 0xC5, 0xA2
858	};
859#ifndef CONFIG_FIPS
860	const u8 key_block[] = {
861		0x59, 0x59, 0xBE, 0x8E, 0x41, 0x3A, 0x77, 0x74,
862		0x8B, 0xB2, 0xE5, 0xD3, 0x60, 0xAC, 0x4D, 0x35,
863		0xDF, 0xFB, 0xC8, 0x1E, 0x9C, 0x24, 0x9C, 0x8B,
864		0x0E, 0xC3, 0x1D, 0x72, 0xC8, 0x84, 0x9D, 0x57,
865		0x48, 0x51, 0x2E, 0x45, 0x97, 0x6C, 0x88, 0x70,
866		0xBE, 0x5F, 0x01, 0xD3, 0x64, 0xE7, 0x4C, 0xBB,
867		0x11, 0x24, 0xE3, 0x49, 0xE2, 0x3B, 0xCD, 0xEF,
868		0x7A, 0xB3, 0x05, 0x39, 0x5D, 0x64, 0x8A, 0x44,
869		0x11, 0xB6, 0x69, 0x88, 0x34, 0x2E, 0x8E, 0x29,
870		0xD6, 0x4B, 0x7D, 0x72, 0x17, 0x59, 0x28, 0x05,
871		0xAF, 0xF9, 0xB7, 0xFF, 0x66, 0x6D, 0xA1, 0x96,
872		0x8F, 0x0B, 0x5E, 0x06, 0x46, 0x7A, 0x44, 0x84,
873		0x64, 0xC1, 0xC8, 0x0C, 0x96, 0x44, 0x09, 0x98,
874		0xFF, 0x92, 0xA8, 0xB4, 0xC6, 0x42, 0x28, 0x71
875	};
876#endif /* CONFIG_FIPS */
877	const u8 sks[] = {
878		0xD6, 0x4B, 0x7D, 0x72, 0x17, 0x59, 0x28, 0x05,
879		0xAF, 0xF9, 0xB7, 0xFF, 0x66, 0x6D, 0xA1, 0x96,
880		0x8F, 0x0B, 0x5E, 0x06, 0x46, 0x7A, 0x44, 0x84,
881		0x64, 0xC1, 0xC8, 0x0C, 0x96, 0x44, 0x09, 0x98,
882		0xFF, 0x92, 0xA8, 0xB4, 0xC6, 0x42, 0x28, 0x71
883	};
884	const u8 isk[] = {
885		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
886		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
887		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
888		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
889	};
890	const u8 imck[] = {
891		0x16, 0x15, 0x3C, 0x3F, 0x21, 0x55, 0xEF, 0xD9,
892		0x7F, 0x34, 0xAE, 0xC8, 0x1A, 0x4E, 0x66, 0x80,
893		0x4C, 0xC3, 0x76, 0xF2, 0x8A, 0xA9, 0x6F, 0x96,
894		0xC2, 0x54, 0x5F, 0x8C, 0xAB, 0x65, 0x02, 0xE1,
895		0x18, 0x40, 0x7B, 0x56, 0xBE, 0xEA, 0xA7, 0xC5,
896		0x76, 0x5D, 0x8F, 0x0B, 0xC5, 0x07, 0xC6, 0xB9,
897		0x04, 0xD0, 0x69, 0x56, 0x72, 0x8B, 0x6B, 0xB8,
898		0x15, 0xEC, 0x57, 0x7B
899	};
900	const u8 msk[] = {
901		0x4D, 0x83, 0xA9, 0xBE, 0x6F, 0x8A, 0x74, 0xED,
902		0x6A, 0x02, 0x66, 0x0A, 0x63, 0x4D, 0x2C, 0x33,
903		0xC2, 0xDA, 0x60, 0x15, 0xC6, 0x37, 0x04, 0x51,
904		0x90, 0x38, 0x63, 0xDA, 0x54, 0x3E, 0x14, 0xB9,
905		0x27, 0x99, 0x18, 0x1E, 0x07, 0xBF, 0x0F, 0x5A,
906		0x5E, 0x3C, 0x32, 0x93, 0x80, 0x8C, 0x6C, 0x49,
907		0x67, 0xED, 0x24, 0xFE, 0x45, 0x40, 0xA0, 0x59,
908		0x5E, 0x37, 0xC2, 0xE9, 0xD0, 0x5D, 0x0A, 0xE3
909	};
910	const u8 emsk[] = {
911		0x3A, 0xD4, 0xAB, 0xDB, 0x76, 0xB2, 0x7F, 0x3B,
912		0xEA, 0x32, 0x2C, 0x2B, 0x74, 0xF4, 0x28, 0x55,
913		0xEF, 0x2D, 0xBA, 0x78, 0xC9, 0x57, 0x2F, 0x0D,
914		0x06, 0xCD, 0x51, 0x7C, 0x20, 0x93, 0x98, 0xA9,
915		0x76, 0xEA, 0x70, 0x21, 0xD7, 0x0E, 0x25, 0x54,
916		0x97, 0xED, 0xB2, 0x8A, 0xF6, 0xED, 0xFD, 0x0A,
917		0x2A, 0xE7, 0xA1, 0x58, 0x90, 0x10, 0x50, 0x44,
918		0xB3, 0x82, 0x85, 0xDB, 0x06, 0x14, 0xD2, 0xF9
919	};
920	/* RFC 4851, Appendix B.2 */
921	u8 tlv[] = {
922		0x80, 0x0C, 0x00, 0x38, 0x00, 0x01, 0x01, 0x00,
923		0xD8, 0x6A, 0x8C, 0x68, 0x3C, 0x32, 0x31, 0xA8,
924		0x56, 0x63, 0xB6, 0x40, 0x21, 0xFE, 0x21, 0x14,
925		0x4E, 0xE7, 0x54, 0x20, 0x79, 0x2D, 0x42, 0x62,
926		0xC9, 0xBF, 0x53, 0x7F, 0x54, 0xFD, 0xAC, 0x58,
927		0x43, 0x24, 0x6E, 0x30, 0x92, 0x17, 0x6D, 0xCF,
928		0xE6, 0xE0, 0x69, 0xEB, 0x33, 0x61, 0x6A, 0xCC,
929		0x05, 0xC5, 0x5B, 0xB7
930	};
931	const u8 compound_mac[] = {
932		0x43, 0x24, 0x6E, 0x30, 0x92, 0x17, 0x6D, 0xCF,
933		0xE6, 0xE0, 0x69, 0xEB, 0x33, 0x61, 0x6A, 0xCC,
934		0x05, 0xC5, 0x5B, 0xB7
935	};
936	u8 buf[512];
937	const u8 *simck, *cmk;
938	int errors = 0;
939
940	wpa_printf(MSG_INFO, "EAP-FAST test cases");
941
942	wpa_printf(MSG_INFO, "- T-PRF (SHA1) test case / master_secret");
943	if (sha1_t_prf(pac_key, sizeof(pac_key),
944		       "PAC to master secret label hash",
945		       seed, sizeof(seed), buf, sizeof(master_secret)) < 0 ||
946	    os_memcmp(master_secret, buf, sizeof(master_secret)) != 0) {
947		wpa_printf(MSG_INFO, "T-PRF test - FAILED!");
948		errors++;
949	}
950
951#ifndef CONFIG_FIPS
952	wpa_printf(MSG_INFO, "- PRF (TLS, SHA1/MD5) test case / key_block");
953	if (tls_prf_sha1_md5(master_secret, sizeof(master_secret),
954			     "key expansion", seed, sizeof(seed),
955			     buf, sizeof(key_block)) ||
956	    os_memcmp(key_block, buf, sizeof(key_block)) != 0) {
957		wpa_printf(MSG_INFO, "PRF test - FAILED!");
958		errors++;
959	}
960#endif /* CONFIG_FIPS */
961
962	wpa_printf(MSG_INFO, "- T-PRF (SHA1) test case / IMCK");
963	if (sha1_t_prf(sks, sizeof(sks), "Inner Methods Compound Keys",
964		       isk, sizeof(isk), buf, sizeof(imck)) < 0 ||
965	    os_memcmp(imck, buf, sizeof(imck)) != 0) {
966		wpa_printf(MSG_INFO, "T-PRF test - FAILED!");
967		errors++;
968	}
969
970	simck = imck;
971	cmk = imck + 40;
972
973	wpa_printf(MSG_INFO, "- T-PRF (SHA1) test case / MSK");
974	if (sha1_t_prf(simck, 40, "Session Key Generating Function",
975		       (u8 *) "", 0, buf, sizeof(msk)) < 0 ||
976	    os_memcmp(msk, buf, sizeof(msk)) != 0) {
977		wpa_printf(MSG_INFO, "T-PRF test - FAILED!");
978		errors++;
979	}
980
981	wpa_printf(MSG_INFO, "- T-PRF (SHA1) test case / EMSK");
982	if (sha1_t_prf(simck, 40, "Extended Session Key Generating Function",
983		       (u8 *) "", 0, buf, sizeof(msk)) < 0 ||
984	    os_memcmp(emsk, buf, sizeof(emsk)) != 0) {
985		wpa_printf(MSG_INFO, "T-PRF test - FAILED!");
986		errors++;
987	}
988
989	wpa_printf(MSG_INFO, "- Compound MAC test case");
990	os_memset(tlv + sizeof(tlv) - 20, 0, 20);
991	if (hmac_sha1(cmk, 20, tlv, sizeof(tlv), tlv + sizeof(tlv) - 20) < 0 ||
992	    os_memcmp(tlv + sizeof(tlv) - 20, compound_mac,
993		      sizeof(compound_mac)) != 0) {
994		wpa_printf(MSG_INFO, "Compound MAC test - FAILED!");
995		errors++;
996	}
997
998	return errors;
999#else /* EAP_FAST */
1000	return 0;
1001#endif /* EAP_FAST */
1002}
1003
1004
1005static const u8 key0[] =
1006{
1007	0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
1008	0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
1009	0x0b, 0x0b, 0x0b, 0x0b
1010};
1011static const u8 data0[] = "Hi There";
1012static const u8 prf0[] =
1013{
1014	0xbc, 0xd4, 0xc6, 0x50, 0xb3, 0x0b, 0x96, 0x84,
1015	0x95, 0x18, 0x29, 0xe0, 0xd7, 0x5f, 0x9d, 0x54,
1016	0xb8, 0x62, 0x17, 0x5e, 0xd9, 0xf0, 0x06, 0x06,
1017	0xe1, 0x7d, 0x8d, 0xa3, 0x54, 0x02, 0xff, 0xee,
1018	0x75, 0xdf, 0x78, 0xc3, 0xd3, 0x1e, 0x0f, 0x88,
1019	0x9f, 0x01, 0x21, 0x20, 0xc0, 0x86, 0x2b, 0xeb,
1020	0x67, 0x75, 0x3e, 0x74, 0x39, 0xae, 0x24, 0x2e,
1021	0xdb, 0x83, 0x73, 0x69, 0x83, 0x56, 0xcf, 0x5a
1022};
1023
1024static const u8 key1[] = "Jefe";
1025static const u8 data1[] = "what do ya want for nothing?";
1026static const u8 prf1[] =
1027{
1028	0x51, 0xf4, 0xde, 0x5b, 0x33, 0xf2, 0x49, 0xad,
1029	0xf8, 0x1a, 0xeb, 0x71, 0x3a, 0x3c, 0x20, 0xf4,
1030	0xfe, 0x63, 0x14, 0x46, 0xfa, 0xbd, 0xfa, 0x58,
1031	0x24, 0x47, 0x59, 0xae, 0x58, 0xef, 0x90, 0x09,
1032	0xa9, 0x9a, 0xbf, 0x4e, 0xac, 0x2c, 0xa5, 0xfa,
1033	0x87, 0xe6, 0x92, 0xc4, 0x40, 0xeb, 0x40, 0x02,
1034	0x3e, 0x7b, 0xab, 0xb2, 0x06, 0xd6, 0x1d, 0xe7,
1035	0xb9, 0x2f, 0x41, 0x52, 0x90, 0x92, 0xb8, 0xfc
1036};
1037
1038
1039static const u8 key2[] =
1040{
1041	0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1042	0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1043	0xaa, 0xaa, 0xaa, 0xaa
1044};
1045static const u8 data2[] =
1046{
1047	0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
1048	0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
1049	0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
1050	0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
1051	0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
1052	0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
1053	0xdd, 0xdd
1054};
1055static const u8 prf2[] =
1056{
1057	0xe1, 0xac, 0x54, 0x6e, 0xc4, 0xcb, 0x63, 0x6f,
1058	0x99, 0x76, 0x48, 0x7b, 0xe5, 0xc8, 0x6b, 0xe1,
1059	0x7a, 0x02, 0x52, 0xca, 0x5d, 0x8d, 0x8d, 0xf1,
1060	0x2c, 0xfb, 0x04, 0x73, 0x52, 0x52, 0x49, 0xce,
1061	0x9d, 0xd8, 0xd1, 0x77, 0xea, 0xd7, 0x10, 0xbc,
1062	0x9b, 0x59, 0x05, 0x47, 0x23, 0x91, 0x07, 0xae,
1063	0xf7, 0xb4, 0xab, 0xd4, 0x3d, 0x87, 0xf0, 0xa6,
1064	0x8f, 0x1c, 0xbd, 0x9e, 0x2b, 0x6f, 0x76, 0x07
1065};
1066
1067
1068struct passphrase_test {
1069	char *passphrase;
1070	char *ssid;
1071	char psk[32];
1072};
1073
1074static const struct passphrase_test passphrase_tests[] =
1075{
1076	{
1077		"password",
1078		"IEEE",
1079		{
1080			0xf4, 0x2c, 0x6f, 0xc5, 0x2d, 0xf0, 0xeb, 0xef,
1081			0x9e, 0xbb, 0x4b, 0x90, 0xb3, 0x8a, 0x5f, 0x90,
1082			0x2e, 0x83, 0xfe, 0x1b, 0x13, 0x5a, 0x70, 0xe2,
1083			0x3a, 0xed, 0x76, 0x2e, 0x97, 0x10, 0xa1, 0x2e
1084		}
1085	},
1086	{
1087		"ThisIsAPassword",
1088		"ThisIsASSID",
1089		{
1090			0x0d, 0xc0, 0xd6, 0xeb, 0x90, 0x55, 0x5e, 0xd6,
1091			0x41, 0x97, 0x56, 0xb9, 0xa1, 0x5e, 0xc3, 0xe3,
1092			0x20, 0x9b, 0x63, 0xdf, 0x70, 0x7d, 0xd5, 0x08,
1093			0xd1, 0x45, 0x81, 0xf8, 0x98, 0x27, 0x21, 0xaf
1094		}
1095	},
1096	{
1097		"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
1098		"ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ",
1099		{
1100			0xbe, 0xcb, 0x93, 0x86, 0x6b, 0xb8, 0xc3, 0x83,
1101			0x2c, 0xb7, 0x77, 0xc2, 0xf5, 0x59, 0x80, 0x7c,
1102			0x8c, 0x59, 0xaf, 0xcb, 0x6e, 0xae, 0x73, 0x48,
1103			0x85, 0x00, 0x13, 0x00, 0xa9, 0x81, 0xcc, 0x62
1104		}
1105	},
1106};
1107
1108#define NUM_PASSPHRASE_TESTS ARRAY_SIZE(passphrase_tests)
1109
1110
1111struct rfc6070_test {
1112	char *p;
1113	char *s;
1114	int c;
1115	char dk[32];
1116	size_t dk_len;
1117};
1118
1119static const struct rfc6070_test rfc6070_tests[] =
1120{
1121	{
1122		"password",
1123		"salt",
1124		1,
1125		{
1126			0x0c, 0x60, 0xc8, 0x0f, 0x96, 0x1f, 0x0e, 0x71,
1127			0xf3, 0xa9, 0xb5, 0x24, 0xaf, 0x60, 0x12, 0x06,
1128			0x2f, 0xe0, 0x37, 0xa6
1129		},
1130		20
1131	},
1132	{
1133		"password",
1134		"salt",
1135		2,
1136		{
1137			0xea, 0x6c, 0x01, 0x4d, 0xc7, 0x2d, 0x6f, 0x8c,
1138			0xcd, 0x1e, 0xd9, 0x2a, 0xce, 0x1d, 0x41, 0xf0,
1139			0xd8, 0xde, 0x89, 0x57
1140		},
1141		20
1142	},
1143	{
1144		"password",
1145		"salt",
1146		4096,
1147		{
1148			0x4b, 0x00, 0x79, 0x01, 0xb7, 0x65, 0x48, 0x9a,
1149			0xbe, 0xad, 0x49, 0xd9, 0x26, 0xf7, 0x21, 0xd0,
1150			0x65, 0xa4, 0x29, 0xc1
1151		},
1152		20
1153	},
1154#if 0 /* This takes quite long to derive.. */
1155	{
1156		"password",
1157		"salt",
1158		16777216,
1159		{
1160			0xee, 0xfe, 0x3d, 0x61, 0xcd, 0x4d, 0xa4, 0xe4,
1161			0xe9, 0x94, 0x5b, 0x3d, 0x6b, 0xa2, 0x15, 0x8c,
1162			0x26, 0x34, 0xe9, 0x84
1163		},
1164		20
1165	},
1166#endif
1167	{
1168		"passwordPASSWORDpassword",
1169		"saltSALTsaltSALTsaltSALTsaltSALTsalt",
1170		4096,
1171		{
1172			0x3d, 0x2e, 0xec, 0x4f, 0xe4, 0x1c, 0x84, 0x9b,
1173			0x80, 0xc8, 0xd8, 0x36, 0x62, 0xc0, 0xe4, 0x4a,
1174			0x8b, 0x29, 0x1a, 0x96, 0x4c, 0xf2, 0xf0, 0x70,
1175			0x38
1176		},
1177		25
1178	},
1179#if 0 /* \0 not currently supported in passphrase parameters.. */
1180	{
1181		"pass\0word",
1182		"sa\0lt",
1183		4096,
1184		{
1185			0x56, 0xfa, 0x6a, 0xa7, 0x55, 0x48, 0x09, 0x9d,
1186			0xcc, 0x37, 0xd7, 0xf0, 0x34, 0x25, 0xe0, 0xc3
1187		},
1188		16
1189	},
1190#endif
1191};
1192
1193#define NUM_RFC6070_TESTS ARRAY_SIZE(rfc6070_tests)
1194
1195
1196static int test_sha1(void)
1197{
1198	u8 res[512];
1199	int ret = 0;
1200	unsigned int i;
1201
1202	wpa_printf(MSG_INFO, "PRF-SHA1 test cases:");
1203
1204	if (sha1_prf(key0, sizeof(key0), "prefix", data0, sizeof(data0) - 1,
1205		     res, sizeof(prf0)) == 0 &&
1206	    os_memcmp(res, prf0, sizeof(prf0)) == 0)
1207		wpa_printf(MSG_INFO, "Test case 0 - OK");
1208	else {
1209		wpa_printf(MSG_INFO, "Test case 0 - FAILED!");
1210		ret++;
1211	}
1212
1213	if (sha1_prf(key1, sizeof(key1) - 1, "prefix", data1, sizeof(data1) - 1,
1214		     res, sizeof(prf1)) == 0 &&
1215	    os_memcmp(res, prf1, sizeof(prf1)) == 0)
1216		wpa_printf(MSG_INFO, "Test case 1 - OK");
1217	else {
1218		wpa_printf(MSG_INFO, "Test case 1 - FAILED!");
1219		ret++;
1220	}
1221
1222	if (sha1_prf(key2, sizeof(key2), "prefix", data2, sizeof(data2),
1223		     res, sizeof(prf2)) == 0 &&
1224	    os_memcmp(res, prf2, sizeof(prf2)) == 0)
1225		wpa_printf(MSG_INFO, "Test case 2 - OK");
1226	else {
1227		wpa_printf(MSG_INFO, "Test case 2 - FAILED!");
1228		ret++;
1229	}
1230
1231	ret += test_eap_fast();
1232
1233	wpa_printf(MSG_INFO, "PBKDF2-SHA1 Passphrase test cases:");
1234	for (i = 0; i < NUM_PASSPHRASE_TESTS; i++) {
1235		u8 psk[32];
1236		const struct passphrase_test *test = &passphrase_tests[i];
1237
1238		if (pbkdf2_sha1(test->passphrase,
1239				(const u8 *) test->ssid, strlen(test->ssid),
1240				4096, psk, 32) == 0 &&
1241		    os_memcmp(psk, test->psk, 32) == 0)
1242			wpa_printf(MSG_INFO, "Test case %d - OK", i);
1243		else {
1244			wpa_printf(MSG_INFO, "Test case %d - FAILED!", i);
1245			ret++;
1246		}
1247	}
1248
1249	wpa_printf(MSG_INFO, "PBKDF2-SHA1 test cases (RFC 6070):");
1250	for (i = 0; i < NUM_RFC6070_TESTS; i++) {
1251		u8 dk[25];
1252		const struct rfc6070_test *test = &rfc6070_tests[i];
1253
1254		if (pbkdf2_sha1(test->p, (const u8 *) test->s, strlen(test->s),
1255				test->c, dk, test->dk_len) == 0 &&
1256		    os_memcmp(dk, test->dk, test->dk_len) == 0)
1257			wpa_printf(MSG_INFO, "Test case %d - OK", i);
1258		else {
1259			wpa_printf(MSG_INFO, "Test case %d - FAILED!", i);
1260			ret++;
1261		}
1262	}
1263
1264	if (!ret)
1265		wpa_printf(MSG_INFO, "SHA1 test cases passed");
1266	return ret;
1267}
1268
1269
1270static const struct {
1271	char *data;
1272	u8 hash[32];
1273} tests[] = {
1274	{
1275		"abc",
1276		{
1277			0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea,
1278			0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23,
1279			0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c,
1280			0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad
1281		}
1282	},
1283	{
1284		"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
1285		{
1286			0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8,
1287			0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39,
1288			0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67,
1289			0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1
1290		}
1291	}
1292};
1293
1294static const struct hmac_test {
1295	u8 key[80];
1296	size_t key_len;
1297	u8 data[128];
1298	size_t data_len;
1299	u8 hash[32];
1300} hmac_tests[] = {
1301	/* draft-ietf-ipsec-ciph-sha-256-01.txt */
1302	{
1303		{
1304			0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
1305			0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
1306			0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
1307			0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20
1308		},
1309		32,
1310		"abc", 3,
1311		{
1312			0xa2, 0x1b, 0x1f, 0x5d, 0x4c, 0xf4, 0xf7, 0x3a,
1313			0x4d, 0xd9, 0x39, 0x75, 0x0f, 0x7a, 0x06, 0x6a,
1314			0x7f, 0x98, 0xcc, 0x13, 0x1c, 0xb1, 0x6a, 0x66,
1315			0x92, 0x75, 0x90, 0x21, 0xcf, 0xab, 0x81, 0x81
1316		}
1317	},
1318	{
1319		{
1320			0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
1321			0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
1322			0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
1323			0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20
1324		},
1325		32,
1326		"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
1327		56,
1328		{
1329			0x10, 0x4f, 0xdc, 0x12, 0x57, 0x32, 0x8f, 0x08,
1330			0x18, 0x4b, 0xa7, 0x31, 0x31, 0xc5, 0x3c, 0xae,
1331			0xe6, 0x98, 0xe3, 0x61, 0x19, 0x42, 0x11, 0x49,
1332			0xea, 0x8c, 0x71, 0x24, 0x56, 0x69, 0x7d, 0x30
1333		}
1334	},
1335	{
1336		{
1337			0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
1338			0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
1339			0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
1340			0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20
1341		},
1342		32,
1343		"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
1344		"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
1345		112,
1346		{
1347			0x47, 0x03, 0x05, 0xfc, 0x7e, 0x40, 0xfe, 0x34,
1348			0xd3, 0xee, 0xb3, 0xe7, 0x73, 0xd9, 0x5a, 0xab,
1349			0x73, 0xac, 0xf0, 0xfd, 0x06, 0x04, 0x47, 0xa5,
1350			0xeb, 0x45, 0x95, 0xbf, 0x33, 0xa9, 0xd1, 0xa3
1351		}
1352	},
1353	{
1354		{
1355			0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
1356			0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
1357			0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
1358			0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b
1359		},
1360		32,
1361		"Hi There",
1362		8,
1363		{
1364			0x19, 0x8a, 0x60, 0x7e, 0xb4, 0x4b, 0xfb, 0xc6,
1365			0x99, 0x03, 0xa0, 0xf1, 0xcf, 0x2b, 0xbd, 0xc5,
1366			0xba, 0x0a, 0xa3, 0xf3, 0xd9, 0xae, 0x3c, 0x1c,
1367			0x7a, 0x3b, 0x16, 0x96, 0xa0, 0xb6, 0x8c, 0xf7
1368		}
1369	},
1370	{
1371		"Jefe",
1372		4,
1373		"what do ya want for nothing?",
1374		28,
1375		{
1376			0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e,
1377			0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7,
1378			0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83,
1379			0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43
1380		}
1381	},
1382	{
1383		{
1384			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1385			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1386			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1387			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa
1388		},
1389		32,
1390		{
1391			0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
1392			0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
1393			0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
1394			0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
1395			0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
1396			0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
1397			0xdd, 0xdd
1398		},
1399		50,
1400		{
1401			0xcd, 0xcb, 0x12, 0x20, 0xd1, 0xec, 0xcc, 0xea,
1402			0x91, 0xe5, 0x3a, 0xba, 0x30, 0x92, 0xf9, 0x62,
1403			0xe5, 0x49, 0xfe, 0x6c, 0xe9, 0xed, 0x7f, 0xdc,
1404			0x43, 0x19, 0x1f, 0xbd, 0xe4, 0x5c, 0x30, 0xb0
1405		}
1406	},
1407	{
1408		{
1409			0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
1410			0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
1411			0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
1412			0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
1413			0x21, 0x22, 0x23, 0x24, 0x25
1414		},
1415		37,
1416		{
1417			0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
1418			0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
1419			0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
1420			0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
1421			0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
1422			0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
1423			0xcd, 0xcd
1424		},
1425		50,
1426		{
1427			0xd4, 0x63, 0x3c, 0x17, 0xf6, 0xfb, 0x8d, 0x74,
1428			0x4c, 0x66, 0xde, 0xe0, 0xf8, 0xf0, 0x74, 0x55,
1429			0x6e, 0xc4, 0xaf, 0x55, 0xef, 0x07, 0x99, 0x85,
1430			0x41, 0x46, 0x8e, 0xb4, 0x9b, 0xd2, 0xe9, 0x17
1431		}
1432	},
1433	{
1434		{
1435			0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c,
1436			0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c,
1437			0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c,
1438			0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c
1439		},
1440		32,
1441		"Test With Truncation",
1442		20,
1443		{
1444			0x75, 0x46, 0xaf, 0x01, 0x84, 0x1f, 0xc0, 0x9b,
1445			0x1a, 0xb9, 0xc3, 0x74, 0x9a, 0x5f, 0x1c, 0x17,
1446			0xd4, 0xf5, 0x89, 0x66, 0x8a, 0x58, 0x7b, 0x27,
1447			0x00, 0xa9, 0xc9, 0x7c, 0x11, 0x93, 0xcf, 0x42
1448		}
1449	},
1450	{
1451		{
1452			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1453			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1454			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1455			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1456			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1457			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1458			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1459			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1460			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1461			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa
1462		},
1463		80,
1464		"Test Using Larger Than Block-Size Key - Hash Key First",
1465		54,
1466		{
1467			0x69, 0x53, 0x02, 0x5e, 0xd9, 0x6f, 0x0c, 0x09,
1468			0xf8, 0x0a, 0x96, 0xf7, 0x8e, 0x65, 0x38, 0xdb,
1469			0xe2, 0xe7, 0xb8, 0x20, 0xe3, 0xdd, 0x97, 0x0e,
1470			0x7d, 0xdd, 0x39, 0x09, 0x1b, 0x32, 0x35, 0x2f
1471		}
1472	},
1473	{
1474		{
1475			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1476			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1477			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1478			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1479			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1480			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1481			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1482			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1483			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
1484			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa
1485		},
1486		80,
1487		"Test Using Larger Than Block-Size Key and Larger Than One "
1488		"Block-Size Data",
1489		73,
1490		{
1491			0x63, 0x55, 0xac, 0x22, 0xe8, 0x90, 0xd0, 0xa3,
1492			0xc8, 0x48, 0x1a, 0x5c, 0xa4, 0x82, 0x5b, 0xc8,
1493			0x84, 0xd3, 0xe7, 0xa1, 0xff, 0x98, 0xa2, 0xfc,
1494			0x2a, 0xc7, 0xd8, 0xe0, 0x64, 0xc3, 0xb2, 0xe6
1495		}
1496	}
1497};
1498
1499
1500static int test_sha256(void)
1501{
1502	unsigned int i;
1503	u8 hash[32];
1504	const u8 *addr[2];
1505	size_t len[2];
1506	int errors = 0;
1507	u8 *key;
1508
1509	for (i = 0; i < ARRAY_SIZE(tests); i++) {
1510		wpa_printf(MSG_INFO, "SHA256 test case %d:", i + 1);
1511
1512		addr[0] = (u8 *) tests[i].data;
1513		len[0] = strlen(tests[i].data);
1514		sha256_vector(1, addr, len, hash);
1515		if (memcmp(hash, tests[i].hash, 32) != 0) {
1516			wpa_printf(MSG_INFO, " FAIL");
1517			errors++;
1518		} else
1519			wpa_printf(MSG_INFO, " OK");
1520
1521		if (len[0]) {
1522			addr[0] = (u8 *) tests[i].data;
1523			len[0] = 1;
1524			addr[1] = (u8 *) tests[i].data + 1;
1525			len[1] = strlen(tests[i].data) - 1;
1526			sha256_vector(2, addr, len, hash);
1527			if (memcmp(hash, tests[i].hash, 32) != 0) {
1528				wpa_printf(MSG_INFO, " FAIL");
1529				errors++;
1530			} else
1531				wpa_printf(MSG_INFO, " OK");
1532		}
1533	}
1534
1535	for (i = 0; i < ARRAY_SIZE(hmac_tests); i++) {
1536		const struct hmac_test *t = &hmac_tests[i];
1537
1538		wpa_printf(MSG_INFO, "HMAC-SHA256 test case %d:", i + 1);
1539
1540		if (hmac_sha256(t->key, t->key_len, t->data, t->data_len,
1541				hash) < 0 ||
1542		    os_memcmp(hash, t->hash, 32) != 0) {
1543			wpa_printf(MSG_INFO, " FAIL");
1544			errors++;
1545		} else
1546			wpa_printf(MSG_INFO, " OK");
1547
1548		addr[0] = t->data;
1549		len[0] = t->data_len;
1550		if (hmac_sha256_vector(t->key, t->key_len, 1, addr, len,
1551				       hash) < 0 ||
1552		    os_memcmp(hash, t->hash, 32) != 0) {
1553			wpa_printf(MSG_INFO, " FAIL");
1554			errors++;
1555		} else
1556			wpa_printf(MSG_INFO, " OK");
1557
1558		if (len[0]) {
1559			addr[0] = t->data;
1560			len[0] = 1;
1561			addr[1] = t->data + 1;
1562			len[1] = t->data_len - 1;
1563			if (hmac_sha256_vector(t->key, t->key_len, 2, addr, len,
1564					       hash) < 0 ||
1565			    os_memcmp(hash, t->hash, 32) != 0) {
1566				wpa_printf(MSG_INFO, " FAIL");
1567				errors++;
1568			} else
1569				wpa_printf(MSG_INFO, " OK");
1570		}
1571	}
1572
1573	wpa_printf(MSG_INFO, "Test IEEE 802.11r KDF");
1574	sha256_prf((u8 *) "abc", 3, "KDF test", (u8 *) "data", 4,
1575		   hash, sizeof(hash));
1576	/* TODO: add proper test case for this */
1577
1578	key = os_malloc(8161);
1579	if (key) {
1580#ifdef CONFIG_HMAC_SHA256_KDF
1581		int res;
1582
1583		res = hmac_sha256_kdf((u8 *) "secret", 6, "label",
1584				      (u8 *) "seed", 4, key, 8160);
1585		if (res) {
1586			wpa_printf(MSG_INFO,
1587				   "Unexpected hmac_sha256_kdf(outlen=8160) failure");
1588			errors++;
1589		}
1590
1591		res = hmac_sha256_kdf((u8 *) "secret", 6, "label",
1592				      (u8 *) "seed", 4, key, 8161);
1593		if (res == 0) {
1594			wpa_printf(MSG_INFO,
1595				   "Unexpected hmac_sha256_kdf(outlen=8161) success");
1596			errors++;
1597		}
1598#endif /* CONFIG_HMAC_SHA256_KDF */
1599
1600		os_free(key);
1601	}
1602
1603	if (!errors)
1604		wpa_printf(MSG_INFO, "SHA256 test cases passed");
1605	return errors;
1606}
1607
1608
1609static int test_fips186_2_prf(void)
1610{
1611	/* http://csrc.nist.gov/encryption/dss/Examples-1024bit.pdf */
1612	u8 xkey[] = {
1613		0xbd, 0x02, 0x9b, 0xbe, 0x7f, 0x51, 0x96, 0x0b,
1614		0xcf, 0x9e, 0xdb, 0x2b, 0x61, 0xf0, 0x6f, 0x0f,
1615		0xeb, 0x5a, 0x38, 0xb6
1616	};
1617	u8 w[] = {
1618		0x20, 0x70, 0xb3, 0x22, 0x3d, 0xba, 0x37, 0x2f,
1619		0xde, 0x1c, 0x0f, 0xfc, 0x7b, 0x2e, 0x3b, 0x49,
1620		0x8b, 0x26, 0x06, 0x14, 0x3c, 0x6c, 0x18, 0xba,
1621		0xcb, 0x0f, 0x6c, 0x55, 0xba, 0xbb, 0x13, 0x78,
1622		0x8e, 0x20, 0xd7, 0x37, 0xa3, 0x27, 0x51, 0x16
1623	};
1624	u8 buf[40];
1625
1626	wpa_printf(MSG_INFO,
1627		   "Testing EAP-SIM PRF (FIPS 186-2 + change notice 1)");
1628	if (fips186_2_prf(xkey, sizeof(xkey), buf, sizeof(buf)) < 0 ||
1629	    os_memcmp(w, buf, sizeof(w)) != 0) {
1630		wpa_printf(MSG_INFO, "fips186_2_prf failed");
1631		return 1;
1632	}
1633
1634	return 0;
1635}
1636
1637
1638static int test_ms_funcs(void)
1639{
1640#ifndef CONFIG_FIPS
1641	/* Test vector from RFC2759 example */
1642	char *username = "User";
1643	char *password = "clientPass";
1644	u8 auth_challenge[] = {
1645		0x5B, 0x5D, 0x7C, 0x7D, 0x7B, 0x3F, 0x2F, 0x3E,
1646		0x3C, 0x2C, 0x60, 0x21, 0x32, 0x26, 0x26, 0x28
1647	};
1648	u8 peer_challenge[] = {
1649		0x21, 0x40, 0x23, 0x24, 0x25, 0x5E, 0x26, 0x2A,
1650		0x28, 0x29, 0x5F, 0x2B, 0x3A, 0x33, 0x7C, 0x7E
1651	};
1652	u8 password_hash[] = {
1653		0x44, 0xEB, 0xBA, 0x8D, 0x53, 0x12, 0xB8, 0xD6,
1654		0x11, 0x47, 0x44, 0x11, 0xF5, 0x69, 0x89, 0xAE
1655	};
1656	u8 nt_response[] = {
1657		0x82, 0x30, 0x9E, 0xCD, 0x8D, 0x70, 0x8B, 0x5E,
1658		0xA0, 0x8F, 0xAA, 0x39, 0x81, 0xCD, 0x83, 0x54,
1659		0x42, 0x33, 0x11, 0x4A, 0x3D, 0x85, 0xD6, 0xDF
1660	};
1661	u8 password_hash_hash[] = {
1662		0x41, 0xC0, 0x0C, 0x58, 0x4B, 0xD2, 0xD9, 0x1C,
1663		0x40, 0x17, 0xA2, 0xA1, 0x2F, 0xA5, 0x9F, 0x3F
1664	};
1665	u8 authenticator_response[] = {
1666		0x40, 0x7A, 0x55, 0x89, 0x11, 0x5F, 0xD0, 0xD6,
1667		0x20, 0x9F, 0x51, 0x0F, 0xE9, 0xC0, 0x45, 0x66,
1668		0x93, 0x2C, 0xDA, 0x56
1669	};
1670	u8 master_key[] = {
1671		0xFD, 0xEC, 0xE3, 0x71, 0x7A, 0x8C, 0x83, 0x8C,
1672		0xB3, 0x88, 0xE5, 0x27, 0xAE, 0x3C, 0xDD, 0x31
1673	};
1674	u8 send_start_key[] = {
1675		0x8B, 0x7C, 0xDC, 0x14, 0x9B, 0x99, 0x3A, 0x1B,
1676		0xA1, 0x18, 0xCB, 0x15, 0x3F, 0x56, 0xDC, 0xCB
1677	};
1678	u8 buf[32];
1679	int errors = 0;
1680
1681	if (nt_password_hash((u8 *) password, os_strlen(password), buf) ||
1682	    os_memcmp(password_hash, buf, sizeof(password_hash)) != 0) {
1683		wpa_printf(MSG_ERROR, "nt_password_hash failed");
1684		errors++;
1685	}
1686
1687	if (generate_nt_response(auth_challenge, peer_challenge,
1688				 (u8 *) username, os_strlen(username),
1689				 (u8 *) password, os_strlen(password), buf) ||
1690	    os_memcmp(nt_response, buf, sizeof(nt_response)) != 0) {
1691		wpa_printf(MSG_ERROR, "generate_nt_response failed");
1692		errors++;
1693	}
1694
1695	if (hash_nt_password_hash(password_hash, buf) ||
1696	    os_memcmp(password_hash_hash, buf,
1697		      sizeof(password_hash_hash)) != 0) {
1698		wpa_printf(MSG_ERROR, "hash_nt_password_hash failed");
1699		errors++;
1700	}
1701
1702	if (generate_authenticator_response((u8 *) password,
1703					    os_strlen(password),
1704					    peer_challenge, auth_challenge,
1705					    (u8 *) username,
1706					    os_strlen(username),
1707					    nt_response, buf) ||
1708	    os_memcmp(authenticator_response, buf,
1709		      sizeof(authenticator_response)) != 0) {
1710		wpa_printf(MSG_ERROR, "generate_authenticator_response failed");
1711		errors++;
1712	}
1713
1714	if (get_master_key(password_hash_hash, nt_response, buf) ||
1715	    os_memcmp(master_key, buf, sizeof(master_key)) != 0) {
1716		wpa_printf(MSG_ERROR, "get_master_key failed");
1717		errors++;
1718	}
1719
1720	if (get_asymetric_start_key(master_key, buf, sizeof(send_start_key),
1721				    1, 1) ||
1722	    os_memcmp(send_start_key, buf, sizeof(send_start_key)) != 0) {
1723		wpa_printf(MSG_ERROR, "get_asymetric_start_key failed");
1724		errors++;
1725	}
1726
1727	if (errors)
1728		wpa_printf(MSG_ERROR, "ms_funcs: %d errors", errors);
1729	else
1730		wpa_printf(MSG_INFO, "ms_funcs test cases passed");
1731
1732	return errors;
1733#else /* CONFIG_FIPS */
1734	wpa_printf(MSG_INFO, "ms_funcs test cases skipped due to CONFIG_FIPS");
1735	return 0;
1736#endif /* CONFIG_FIPS */
1737}
1738
1739
1740int crypto_module_tests(void)
1741{
1742	int ret = 0;
1743
1744	wpa_printf(MSG_INFO, "crypto module tests");
1745	if (test_siv() ||
1746	    test_omac1() ||
1747	    test_eax() ||
1748	    test_cbc() ||
1749	    test_ecb() ||
1750	    test_key_wrap() ||
1751	    test_md5() ||
1752	    test_sha1() ||
1753	    test_sha256() ||
1754	    test_fips186_2_prf() ||
1755	    test_ms_funcs())
1756		ret = -1;
1757
1758	return ret;
1759}
1760