1 |
|
|
/* Copyright (c) 2014, Google Inc. |
2 |
|
|
* |
3 |
|
|
* Permission to use, copy, modify, and/or distribute this software for any |
4 |
|
|
* purpose with or without fee is hereby granted, provided that the above |
5 |
|
|
* copyright notice and this permission notice appear in all copies. |
6 |
|
|
* |
7 |
|
|
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
8 |
|
|
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
9 |
|
|
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY |
10 |
|
|
* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
11 |
|
|
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION |
12 |
|
|
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN |
13 |
|
|
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
14 |
|
|
*/ |
15 |
|
|
|
16 |
|
|
#include <openssl/hkdf.h> |
17 |
|
|
|
18 |
|
|
#include <assert.h> |
19 |
|
|
#include <string.h> |
20 |
|
|
|
21 |
|
|
#include <openssl/err.h> |
22 |
|
|
#include <openssl/hmac.h> |
23 |
|
|
|
24 |
|
|
/* https://tools.ietf.org/html/rfc5869#section-2 */ |
25 |
|
|
int |
26 |
|
|
HKDF(uint8_t *out_key, size_t out_len, const EVP_MD *digest, |
27 |
|
|
const uint8_t *secret, size_t secret_len, const uint8_t *salt, |
28 |
|
|
size_t salt_len, const uint8_t *info, size_t info_len) |
29 |
|
|
{ |
30 |
|
42 |
uint8_t prk[EVP_MAX_MD_SIZE]; |
31 |
|
21 |
size_t prk_len; |
32 |
|
|
|
33 |
✗✓ |
21 |
if (!HKDF_extract(prk, &prk_len, digest, secret, secret_len, salt, |
34 |
|
|
salt_len)) |
35 |
|
|
return 0; |
36 |
✗✓ |
21 |
if (!HKDF_expand(out_key, out_len, digest, prk, prk_len, info, |
37 |
|
|
info_len)) |
38 |
|
|
return 0; |
39 |
|
|
|
40 |
|
21 |
return 1; |
41 |
|
21 |
} |
42 |
|
|
|
43 |
|
|
/* https://tools.ietf.org/html/rfc5869#section-2.2 */ |
44 |
|
|
int |
45 |
|
|
HKDF_extract(uint8_t *out_key, size_t *out_len, |
46 |
|
|
const EVP_MD *digest, const uint8_t *secret, size_t secret_len, |
47 |
|
|
const uint8_t *salt, size_t salt_len) |
48 |
|
|
{ |
49 |
|
84 |
unsigned int len; |
50 |
|
|
|
51 |
|
|
/* |
52 |
|
|
* If salt is not given, HashLength zeros are used. However, HMAC does that |
53 |
|
|
* internally already so we can ignore it. |
54 |
|
|
*/ |
55 |
✗✓ |
42 |
if (HMAC(digest, salt, salt_len, secret, secret_len, out_key, &len) == |
56 |
|
|
NULL) { |
57 |
|
|
CRYPTOerror(ERR_R_CRYPTO_LIB); |
58 |
|
|
return 0; |
59 |
|
|
} |
60 |
|
42 |
*out_len = len; |
61 |
|
42 |
return 1; |
62 |
|
42 |
} |
63 |
|
|
|
64 |
|
|
/* https://tools.ietf.org/html/rfc5869#section-2.3 */ |
65 |
|
|
int |
66 |
|
|
HKDF_expand(uint8_t *out_key, size_t out_len, |
67 |
|
|
const EVP_MD *digest, const uint8_t *prk, size_t prk_len, |
68 |
|
|
const uint8_t *info, size_t info_len) |
69 |
|
|
{ |
70 |
|
84 |
const size_t digest_len = EVP_MD_size(digest); |
71 |
|
42 |
uint8_t previous[EVP_MAX_MD_SIZE]; |
72 |
|
|
size_t n, done = 0; |
73 |
|
|
unsigned int i; |
74 |
|
|
int ret = 0; |
75 |
|
42 |
HMAC_CTX hmac; |
76 |
|
|
|
77 |
|
|
/* Expand key material to desired length. */ |
78 |
|
42 |
n = (out_len + digest_len - 1) / digest_len; |
79 |
✗✓ |
42 |
if (out_len + digest_len < out_len || n > 255) { |
80 |
|
|
CRYPTOerror(EVP_R_TOO_LARGE); |
81 |
|
|
return 0; |
82 |
|
|
} |
83 |
|
|
|
84 |
|
42 |
HMAC_CTX_init(&hmac); |
85 |
✓✗ |
42 |
if (!HMAC_Init_ex(&hmac, prk, prk_len, digest, NULL)) |
86 |
|
|
goto out; |
87 |
|
|
|
88 |
✓✓ |
336 |
for (i = 0; i < n; i++) { |
89 |
|
126 |
uint8_t ctr = i + 1; |
90 |
|
|
size_t todo; |
91 |
|
|
|
92 |
✓✓✓✗ ✗✓ |
294 |
if (i != 0 && (!HMAC_Init_ex(&hmac, NULL, 0, NULL, NULL) || |
93 |
|
84 |
!HMAC_Update(&hmac, previous, digest_len))) |
94 |
|
|
goto out; |
95 |
|
|
|
96 |
✓✗✗✓
|
252 |
if (!HMAC_Update(&hmac, info, info_len) || |
97 |
✓✗ |
126 |
!HMAC_Update(&hmac, &ctr, 1) || |
98 |
|
126 |
!HMAC_Final(&hmac, previous, NULL)) |
99 |
|
|
goto out; |
100 |
|
|
|
101 |
|
|
todo = digest_len; |
102 |
✓✓ |
126 |
if (done + todo > out_len) |
103 |
|
42 |
todo = out_len - done; |
104 |
|
|
|
105 |
|
126 |
memcpy(out_key + done, previous, todo); |
106 |
|
126 |
done += todo; |
107 |
✓✓✓ |
336 |
} |
108 |
|
|
|
109 |
|
42 |
ret = 1; |
110 |
|
|
|
111 |
|
|
out: |
112 |
|
42 |
HMAC_CTX_cleanup(&hmac); |
113 |
✗✓ |
42 |
if (ret != 1) |
114 |
|
|
CRYPTOerror(ERR_R_CRYPTO_LIB); |
115 |
|
42 |
return ret; |
116 |
|
42 |
} |