1 |
/* |
2 |
hkdf.C -- RFC 5869 HKDF implementation |
3 |
Copyright (C) 2013,2016 Marc Lehmann <gvpe@schmorp.de> |
4 |
|
5 |
This file is part of GVPE. |
6 |
|
7 |
GVPE is free software; you can redistribute it and/or modify it |
8 |
under the terms of the GNU General Public License as published by the |
9 |
Free Software Foundation; either version 3 of the License, or (at your |
10 |
option) any later version. |
11 |
|
12 |
This program is distributed in the hope that it will be useful, but |
13 |
WITHOUT ANY WARRANTY; without even the implied warranty of |
14 |
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General |
15 |
Public License for more details. |
16 |
|
17 |
You should have received a copy of the GNU General Public License along |
18 |
with this program; if not, see <http://www.gnu.org/licenses/>. |
19 |
|
20 |
Additional permission under GNU GPL version 3 section 7 |
21 |
|
22 |
If you modify this Program, or any covered work, by linking or |
23 |
combining it with the OpenSSL project's OpenSSL library (or a modified |
24 |
version of that library), containing parts covered by the terms of the |
25 |
OpenSSL or SSLeay licenses, the licensors of this Program grant you |
26 |
additional permission to convey the resulting work. Corresponding |
27 |
Source for a non-source form of such a combination shall include the |
28 |
source code for the parts of OpenSSL used as well as that of the |
29 |
covered work. |
30 |
*/ |
31 |
|
32 |
#include "config.h" |
33 |
|
34 |
#include <cstring> |
35 |
|
36 |
#include <openssl/opensslv.h> |
37 |
#include <openssl/rand.h> |
38 |
#include <openssl/hmac.h> |
39 |
|
40 |
#include "crypto.h" |
41 |
#include "util.h" |
42 |
#include "hkdf.h" |
43 |
|
44 |
hkdf::hkdf (const void *salt, int len, const EVP_MD *xtr_hash) |
45 |
: salt (salt), salt_len (len) |
46 |
{ |
47 |
ctx.init (salt, salt_len, xtr_hash); |
48 |
} |
49 |
|
50 |
void |
51 |
hkdf::extract (const void *ikm, int len) |
52 |
{ |
53 |
ctx.add (ikm, len); |
54 |
} |
55 |
|
56 |
void |
57 |
hkdf::extract_done (const EVP_MD *prf_hash) |
58 |
{ |
59 |
ctx.digest (prk); |
60 |
ctx.init (salt, salt_len, prf_hash); |
61 |
} |
62 |
|
63 |
void |
64 |
hkdf::expand (void *okm, int len, const void *info, int infolen) |
65 |
{ |
66 |
u8 tn[sizeof prk]; |
67 |
u8 iter = 0; |
68 |
int md_size = ctx.size (); |
69 |
|
70 |
while (len) |
71 |
{ |
72 |
ctx.init (prk, md_size); |
73 |
|
74 |
if (iter) |
75 |
ctx.add (tn, md_size); |
76 |
|
77 |
ctx.add (info, infolen); |
78 |
|
79 |
++iter; |
80 |
require (iter); |
81 |
|
82 |
ctx.add (&iter, 1); |
83 |
ctx.digest (tn); |
84 |
|
85 |
int ol = len > md_size ? md_size : len; |
86 |
|
87 |
memcpy (okm, tn, ol); |
88 |
|
89 |
okm = (void *)(ol + (char *)okm); |
90 |
len -= ol; |
91 |
} |
92 |
} |
93 |
|
94 |
// try to verify all test vectors from the RFC |
95 |
// since I implemented the hkdf myself, and I am no crypto expert, |
96 |
// we run verification on every startup. |
97 |
void |
98 |
hkdf::verify () |
99 |
{ |
100 |
struct unhex |
101 |
{ |
102 |
u8 *p; |
103 |
int l; |
104 |
|
105 |
u8 s[256]; |
106 |
|
107 |
unhex (const char *hs) |
108 |
{ |
109 |
l = 0; |
110 |
p = s; |
111 |
|
112 |
if (!hs) |
113 |
return; |
114 |
|
115 |
while (*hs) |
116 |
{ |
117 |
int d1 = *hs >= '0' && *hs <= '9' ? *hs - '0' : *hs - 'a' + 10; ++hs; |
118 |
int d2 = *hs >= '0' && *hs <= '9' ? *hs - '0' : *hs - 'a' + 10; ++hs; |
119 |
|
120 |
*p++ = d1 * 16 + d2; |
121 |
++l; |
122 |
} |
123 |
|
124 |
p = s; |
125 |
} |
126 |
}; |
127 |
|
128 |
const struct hkdf_test |
129 |
{ |
130 |
int hash; |
131 |
const char *IKM, *salt, *info; |
132 |
const char *PRK, *OKM; |
133 |
} tests[] = { |
134 |
{ // 0 |
135 |
256, |
136 |
"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b", |
137 |
"000102030405060708090a0b0c", |
138 |
"f0f1f2f3f4f5f6f7f8f9", |
139 |
"077709362c2e32df0ddc3f0dc47bba63" |
140 |
"90b6c73bb50f9c3122ec844ad7c2b3e5", |
141 |
"3cb25f25faacd57a90434f64d0362f2a" |
142 |
"2d2d0a90cf1a5a4c5db02d56ecc4c5bf" |
143 |
"34007208d5b887185865" |
144 |
}, { // 1 |
145 |
256, |
146 |
"000102030405060708090a0b0c0d0e0f" |
147 |
"101112131415161718191a1b1c1d1e1f" |
148 |
"202122232425262728292a2b2c2d2e2f" |
149 |
"303132333435363738393a3b3c3d3e3f" |
150 |
"404142434445464748494a4b4c4d4e4f", |
151 |
"606162636465666768696a6b6c6d6e6f" |
152 |
"707172737475767778797a7b7c7d7e7f" |
153 |
"808182838485868788898a8b8c8d8e8f" |
154 |
"909192939495969798999a9b9c9d9e9f" |
155 |
"a0a1a2a3a4a5a6a7a8a9aaabacadaeaf", |
156 |
"b0b1b2b3b4b5b6b7b8b9babbbcbdbebf" |
157 |
"c0c1c2c3c4c5c6c7c8c9cacbcccdcecf" |
158 |
"d0d1d2d3d4d5d6d7d8d9dadbdcdddedf" |
159 |
"e0e1e2e3e4e5e6e7e8e9eaebecedeeef" |
160 |
"f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff", |
161 |
"06a6b88c5853361a06104c9ceb35b45c" |
162 |
"ef760014904671014a193f40c15fc244", |
163 |
"b11e398dc80327a1c8e7f78c596a4934" |
164 |
"4f012eda2d4efad8a050cc4c19afa97c" |
165 |
"59045a99cac7827271cb41c65e590e09" |
166 |
"da3275600c2f09b8367793a9aca3db71" |
167 |
"cc30c58179ec3e87c14c01d5c1f3434f" |
168 |
"1d87" |
169 |
}, { // 2 |
170 |
256, |
171 |
"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b", |
172 |
"", |
173 |
"", |
174 |
"19ef24a32c717b167f33a91d6f648bdf" |
175 |
"96596776afdb6377ac434c1c293ccb04", |
176 |
"8da4e775a563c18f715f802a063c5a31" |
177 |
"b8a11f5c5ee1879ec3454e5f3c738d2d" |
178 |
"9d201395faa4b61a96c8" |
179 |
}, { // 3 |
180 |
1, |
181 |
"0b0b0b0b0b0b0b0b0b0b0b", |
182 |
"000102030405060708090a0b0c", |
183 |
"f0f1f2f3f4f5f6f7f8f9", |
184 |
"9b6c18c432a7bf8f0e71c8eb88f4b30baa2ba243", |
185 |
"085a01ea1b10f36933068b56efa5ad81" |
186 |
"a4f14b822f5b091568a9cdd4f155fda2" |
187 |
"c22e422478d305f3f896" |
188 |
}, { // 4 |
189 |
1, |
190 |
"000102030405060708090a0b0c0d0e0f" |
191 |
"101112131415161718191a1b1c1d1e1f" |
192 |
"202122232425262728292a2b2c2d2e2f" |
193 |
"303132333435363738393a3b3c3d3e3f" |
194 |
"404142434445464748494a4b4c4d4e4f", |
195 |
"606162636465666768696a6b6c6d6e6f" |
196 |
"707172737475767778797a7b7c7d7e7f" |
197 |
"808182838485868788898a8b8c8d8e8f" |
198 |
"909192939495969798999a9b9c9d9e9f" |
199 |
"a0a1a2a3a4a5a6a7a8a9aaabacadaeaf", |
200 |
"b0b1b2b3b4b5b6b7b8b9babbbcbdbebf" |
201 |
"c0c1c2c3c4c5c6c7c8c9cacbcccdcecf" |
202 |
"d0d1d2d3d4d5d6d7d8d9dadbdcdddedf" |
203 |
"e0e1e2e3e4e5e6e7e8e9eaebecedeeef" |
204 |
"f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff", |
205 |
"8adae09a2a307059478d309b26c4115a224cfaf6", |
206 |
"0bd770a74d1160f7c9f12cd5912a06eb" |
207 |
"ff6adcae899d92191fe4305673ba2ffe" |
208 |
"8fa3f1a4e5ad79f3f334b3b202b2173c" |
209 |
"486ea37ce3d397ed034c7f9dfeb15c5e" |
210 |
"927336d0441f4c4300e2cff0d0900b52" |
211 |
"d3b4" |
212 |
}, { // 5 |
213 |
1, |
214 |
"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b", |
215 |
"", |
216 |
"", |
217 |
"da8c8a73c7fa77288ec6f5e7c297786aa0d32d01", |
218 |
"0ac1af7002b3d761d1e55298da9d0506" |
219 |
"b9ae52057220a306e07b6b87e8df21d0" |
220 |
"ea00033de03984d34918" |
221 |
}, { // 6 |
222 |
1, |
223 |
"0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c", |
224 |
0, |
225 |
"", |
226 |
"2adccada18779e7c2077ad2eb19d3f3e731385dd", |
227 |
"2c91117204d745f3500d636a62f64f0a" |
228 |
"b3bae548aa53d423b0d1f27ebba6f5e5" |
229 |
"673a081d70cce7acfc48" |
230 |
} |
231 |
}; |
232 |
|
233 |
for (int i = 0; i < sizeof (tests) / sizeof (tests[0]); ++i) |
234 |
{ |
235 |
const hkdf_test &test = tests[i]; |
236 |
|
237 |
unhex salt (test.salt); |
238 |
unhex ikm (test.IKM); |
239 |
unhex info (test.info); |
240 |
unhex prk_correct (test.PRK); |
241 |
unhex okm_correct (test.OKM); |
242 |
|
243 |
char okm[256]; |
244 |
|
245 |
hkdf h (salt.p, salt.l, test.hash == 1 ? EVP_sha1 () : EVP_sha256 ()); |
246 |
h.extract (ikm.p, ikm.l); |
247 |
h.extract_done (); |
248 |
h.expand (okm, okm_correct.l, info.p, info.l); |
249 |
|
250 |
require (!memcmp (h.prk, prk_correct.p, prk_correct.l)); |
251 |
require (!memcmp (okm , okm_correct.p, okm_correct.l)); |
252 |
} |
253 |
} |
254 |
|