| 1 |
root |
1.1 |
/* |
| 2 |
|
|
hkdf.C -- RFC 5869 HKDF implementation |
| 3 |
|
|
Copyright (C) 2013 Marc Lehmann <gvpe@schmorp.de> |
| 4 |
|
|
|
| 5 |
|
|
This file is part of GVPE. |
| 6 |
|
|
|
| 7 |
|
|
GVPE is free software; you can redistribute it and/or modify it |
| 8 |
|
|
under the terms of the GNU General Public License as published by the |
| 9 |
|
|
Free Software Foundation; either version 3 of the License, or (at your |
| 10 |
|
|
option) any later version. |
| 11 |
|
|
|
| 12 |
|
|
This program is distributed in the hope that it will be useful, but |
| 13 |
|
|
WITHOUT ANY WARRANTY; without even the implied warranty of |
| 14 |
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General |
| 15 |
|
|
Public License for more details. |
| 16 |
|
|
|
| 17 |
|
|
You should have received a copy of the GNU General Public License along |
| 18 |
|
|
with this program; if not, see <http://www.gnu.org/licenses/>. |
| 19 |
|
|
|
| 20 |
|
|
Additional permission under GNU GPL version 3 section 7 |
| 21 |
|
|
|
| 22 |
|
|
If you modify this Program, or any covered work, by linking or |
| 23 |
|
|
combining it with the OpenSSL project's OpenSSL library (or a modified |
| 24 |
|
|
version of that library), containing parts covered by the terms of the |
| 25 |
|
|
OpenSSL or SSLeay licenses, the licensors of this Program grant you |
| 26 |
|
|
additional permission to convey the resulting work. Corresponding |
| 27 |
|
|
Source for a non-source form of such a combination shall include the |
| 28 |
|
|
source code for the parts of OpenSSL used as well as that of the |
| 29 |
|
|
covered work. |
| 30 |
|
|
*/ |
| 31 |
|
|
|
| 32 |
|
|
#include "config.h" |
| 33 |
|
|
|
| 34 |
|
|
#include <cstring> |
| 35 |
|
|
|
| 36 |
|
|
#include <openssl/rand.h> |
| 37 |
|
|
#include <openssl/hmac.h> |
| 38 |
|
|
|
| 39 |
|
|
#include "util.h" |
| 40 |
|
|
#include "hkdf.h" |
| 41 |
|
|
|
| 42 |
root |
1.2 |
hkdf::hkdf (const void *salt, int len, const EVP_MD *xtr_hash) |
| 43 |
root |
1.1 |
{ |
| 44 |
|
|
HMAC_CTX_init (&ctx); |
| 45 |
|
|
|
| 46 |
|
|
if (!salt) |
| 47 |
|
|
{ |
| 48 |
|
|
memset (prk, 0, sizeof prk); |
| 49 |
|
|
salt = prk; |
| 50 |
root |
1.2 |
len = EVP_MD_size (xtr_hash); |
| 51 |
root |
1.1 |
} |
| 52 |
|
|
|
| 53 |
root |
1.2 |
require (HMAC_Init_ex (&ctx, salt, len, xtr_hash, 0)); |
| 54 |
root |
1.1 |
} |
| 55 |
|
|
|
| 56 |
|
|
hkdf::~hkdf () |
| 57 |
|
|
{ |
| 58 |
|
|
HMAC_CTX_cleanup (&ctx); |
| 59 |
|
|
} |
| 60 |
|
|
|
| 61 |
|
|
void |
| 62 |
|
|
hkdf::extract (const void *ikm, int len) |
| 63 |
|
|
{ |
| 64 |
|
|
require (HMAC_Update (&ctx, (u8 *)ikm, len)); |
| 65 |
|
|
} |
| 66 |
|
|
|
| 67 |
|
|
void |
| 68 |
root |
1.2 |
hkdf::extract_done (const EVP_MD *prf_hash) |
| 69 |
root |
1.1 |
{ |
| 70 |
|
|
require (HMAC_Final (&ctx, prk, 0)); |
| 71 |
root |
1.2 |
require (HMAC_Init_ex (&ctx, 0, 0, prf_hash, 0)); |
| 72 |
root |
1.1 |
} |
| 73 |
|
|
|
| 74 |
|
|
void |
| 75 |
|
|
hkdf::expand (void *okm, int len, const void *info, int infolen) |
| 76 |
|
|
{ |
| 77 |
|
|
u8 tn[sizeof prk]; |
| 78 |
|
|
u8 iter = 0; |
| 79 |
|
|
int md_size = HMAC_size (&ctx); |
| 80 |
|
|
|
| 81 |
|
|
while (len) |
| 82 |
|
|
{ |
| 83 |
|
|
require (HMAC_Init_ex (&ctx, prk, md_size, 0, 0)); |
| 84 |
|
|
|
| 85 |
|
|
if (iter) |
| 86 |
|
|
require (HMAC_Update (&ctx, tn, md_size)); |
| 87 |
|
|
|
| 88 |
|
|
require (HMAC_Update (&ctx, (u8 *)info, infolen)); |
| 89 |
|
|
|
| 90 |
|
|
|
| 91 |
|
|
++iter; |
| 92 |
|
|
require (iter); |
| 93 |
|
|
|
| 94 |
|
|
require (HMAC_Update (&ctx, &iter, 1)); |
| 95 |
|
|
|
| 96 |
|
|
require (HMAC_Final (&ctx, tn, 0)); |
| 97 |
|
|
|
| 98 |
|
|
int ol = len > md_size ? md_size : len; |
| 99 |
|
|
|
| 100 |
|
|
memcpy (okm, tn, ol); |
| 101 |
|
|
|
| 102 |
|
|
okm = (void *)(ol + (char *)okm); |
| 103 |
|
|
len -= ol; |
| 104 |
|
|
} |
| 105 |
|
|
} |
| 106 |
|
|
|
| 107 |
|
|
// try to verify all test vectors from the RFC |
| 108 |
|
|
// since I implemented the hkdf myself, and I am no crypto expert, |
| 109 |
|
|
// we run verification on every startup. |
| 110 |
|
|
void |
| 111 |
|
|
hkdf::verify () |
| 112 |
|
|
{ |
| 113 |
|
|
struct unhex |
| 114 |
|
|
{ |
| 115 |
|
|
u8 *p; |
| 116 |
|
|
int l; |
| 117 |
|
|
|
| 118 |
|
|
u8 s[256]; |
| 119 |
|
|
|
| 120 |
|
|
unhex (const char *hs) |
| 121 |
|
|
{ |
| 122 |
|
|
l = 0; |
| 123 |
|
|
p = 0; |
| 124 |
|
|
|
| 125 |
|
|
if (!hs) |
| 126 |
|
|
return; |
| 127 |
|
|
|
| 128 |
|
|
p = s; |
| 129 |
|
|
|
| 130 |
|
|
while (*hs) |
| 131 |
|
|
{ |
| 132 |
|
|
int d1 = *hs >= '0' && *hs <= '9' ? *hs - '0' : *hs - 'a' + 10; ++hs; |
| 133 |
|
|
int d2 = *hs >= '0' && *hs <= '9' ? *hs - '0' : *hs - 'a' + 10; ++hs; |
| 134 |
|
|
|
| 135 |
|
|
*p++ = d1 * 16 + d2; |
| 136 |
|
|
++l; |
| 137 |
|
|
} |
| 138 |
|
|
|
| 139 |
|
|
p = s; |
| 140 |
|
|
} |
| 141 |
|
|
}; |
| 142 |
|
|
|
| 143 |
|
|
const struct hkdf_test |
| 144 |
|
|
{ |
| 145 |
|
|
int hash; |
| 146 |
|
|
const char *IKM, *salt, *info; |
| 147 |
|
|
const char *PRK, *OKM; |
| 148 |
|
|
} tests[] = { |
| 149 |
|
|
{ // 0 |
| 150 |
|
|
256, |
| 151 |
|
|
"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b", |
| 152 |
|
|
"000102030405060708090a0b0c", |
| 153 |
|
|
"f0f1f2f3f4f5f6f7f8f9", |
| 154 |
|
|
"077709362c2e32df0ddc3f0dc47bba63" |
| 155 |
|
|
"90b6c73bb50f9c3122ec844ad7c2b3e5", |
| 156 |
|
|
"3cb25f25faacd57a90434f64d0362f2a" |
| 157 |
|
|
"2d2d0a90cf1a5a4c5db02d56ecc4c5bf" |
| 158 |
|
|
"34007208d5b887185865" |
| 159 |
|
|
}, { // 1 |
| 160 |
|
|
256, |
| 161 |
|
|
"000102030405060708090a0b0c0d0e0f" |
| 162 |
|
|
"101112131415161718191a1b1c1d1e1f" |
| 163 |
|
|
"202122232425262728292a2b2c2d2e2f" |
| 164 |
|
|
"303132333435363738393a3b3c3d3e3f" |
| 165 |
|
|
"404142434445464748494a4b4c4d4e4f", |
| 166 |
|
|
"606162636465666768696a6b6c6d6e6f" |
| 167 |
|
|
"707172737475767778797a7b7c7d7e7f" |
| 168 |
|
|
"808182838485868788898a8b8c8d8e8f" |
| 169 |
|
|
"909192939495969798999a9b9c9d9e9f" |
| 170 |
|
|
"a0a1a2a3a4a5a6a7a8a9aaabacadaeaf", |
| 171 |
|
|
"b0b1b2b3b4b5b6b7b8b9babbbcbdbebf" |
| 172 |
|
|
"c0c1c2c3c4c5c6c7c8c9cacbcccdcecf" |
| 173 |
|
|
"d0d1d2d3d4d5d6d7d8d9dadbdcdddedf" |
| 174 |
|
|
"e0e1e2e3e4e5e6e7e8e9eaebecedeeef" |
| 175 |
|
|
"f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff", |
| 176 |
|
|
"06a6b88c5853361a06104c9ceb35b45c" |
| 177 |
|
|
"ef760014904671014a193f40c15fc244", |
| 178 |
|
|
"b11e398dc80327a1c8e7f78c596a4934" |
| 179 |
|
|
"4f012eda2d4efad8a050cc4c19afa97c" |
| 180 |
|
|
"59045a99cac7827271cb41c65e590e09" |
| 181 |
|
|
"da3275600c2f09b8367793a9aca3db71" |
| 182 |
|
|
"cc30c58179ec3e87c14c01d5c1f3434f" |
| 183 |
|
|
"1d87" |
| 184 |
|
|
}, { // 2 |
| 185 |
|
|
256, |
| 186 |
|
|
"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b", |
| 187 |
|
|
"", |
| 188 |
|
|
"", |
| 189 |
|
|
"19ef24a32c717b167f33a91d6f648bdf" |
| 190 |
|
|
"96596776afdb6377ac434c1c293ccb04", |
| 191 |
|
|
"8da4e775a563c18f715f802a063c5a31" |
| 192 |
|
|
"b8a11f5c5ee1879ec3454e5f3c738d2d" |
| 193 |
|
|
"9d201395faa4b61a96c8" |
| 194 |
|
|
}, { // 3 |
| 195 |
|
|
1, |
| 196 |
|
|
"0b0b0b0b0b0b0b0b0b0b0b", |
| 197 |
|
|
"000102030405060708090a0b0c", |
| 198 |
|
|
"f0f1f2f3f4f5f6f7f8f9", |
| 199 |
|
|
"9b6c18c432a7bf8f0e71c8eb88f4b30baa2ba243", |
| 200 |
|
|
"085a01ea1b10f36933068b56efa5ad81" |
| 201 |
|
|
"a4f14b822f5b091568a9cdd4f155fda2" |
| 202 |
|
|
"c22e422478d305f3f896" |
| 203 |
|
|
}, { // 4 |
| 204 |
|
|
1, |
| 205 |
|
|
"000102030405060708090a0b0c0d0e0f" |
| 206 |
|
|
"101112131415161718191a1b1c1d1e1f" |
| 207 |
|
|
"202122232425262728292a2b2c2d2e2f" |
| 208 |
|
|
"303132333435363738393a3b3c3d3e3f" |
| 209 |
|
|
"404142434445464748494a4b4c4d4e4f", |
| 210 |
|
|
"606162636465666768696a6b6c6d6e6f" |
| 211 |
|
|
"707172737475767778797a7b7c7d7e7f" |
| 212 |
|
|
"808182838485868788898a8b8c8d8e8f" |
| 213 |
|
|
"909192939495969798999a9b9c9d9e9f" |
| 214 |
|
|
"a0a1a2a3a4a5a6a7a8a9aaabacadaeaf", |
| 215 |
|
|
"b0b1b2b3b4b5b6b7b8b9babbbcbdbebf" |
| 216 |
|
|
"c0c1c2c3c4c5c6c7c8c9cacbcccdcecf" |
| 217 |
|
|
"d0d1d2d3d4d5d6d7d8d9dadbdcdddedf" |
| 218 |
|
|
"e0e1e2e3e4e5e6e7e8e9eaebecedeeef" |
| 219 |
|
|
"f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff", |
| 220 |
|
|
"8adae09a2a307059478d309b26c4115a224cfaf6", |
| 221 |
|
|
"0bd770a74d1160f7c9f12cd5912a06eb" |
| 222 |
|
|
"ff6adcae899d92191fe4305673ba2ffe" |
| 223 |
|
|
"8fa3f1a4e5ad79f3f334b3b202b2173c" |
| 224 |
|
|
"486ea37ce3d397ed034c7f9dfeb15c5e" |
| 225 |
|
|
"927336d0441f4c4300e2cff0d0900b52" |
| 226 |
|
|
"d3b4" |
| 227 |
|
|
}, { // 5 |
| 228 |
|
|
1, |
| 229 |
|
|
"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b", |
| 230 |
|
|
"", |
| 231 |
|
|
"", |
| 232 |
|
|
"da8c8a73c7fa77288ec6f5e7c297786aa0d32d01", |
| 233 |
|
|
"0ac1af7002b3d761d1e55298da9d0506" |
| 234 |
|
|
"b9ae52057220a306e07b6b87e8df21d0" |
| 235 |
|
|
"ea00033de03984d34918" |
| 236 |
|
|
}, { // 6 |
| 237 |
|
|
1, |
| 238 |
|
|
"0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c", |
| 239 |
|
|
0, |
| 240 |
|
|
"", |
| 241 |
|
|
"2adccada18779e7c2077ad2eb19d3f3e731385dd", |
| 242 |
|
|
"2c91117204d745f3500d636a62f64f0a" |
| 243 |
|
|
"b3bae548aa53d423b0d1f27ebba6f5e5" |
| 244 |
|
|
"673a081d70cce7acfc48" |
| 245 |
|
|
} |
| 246 |
|
|
}; |
| 247 |
|
|
|
| 248 |
|
|
for (int i = 0; i < sizeof (tests) / sizeof (tests[0]); ++i) |
| 249 |
|
|
{ |
| 250 |
|
|
const hkdf_test &test = tests[i]; |
| 251 |
|
|
|
| 252 |
|
|
unhex salt (test.salt); |
| 253 |
|
|
unhex ikm (test.IKM); |
| 254 |
|
|
unhex info (test.info); |
| 255 |
|
|
unhex prk_correct (test.PRK); |
| 256 |
|
|
unhex okm_correct (test.OKM); |
| 257 |
|
|
|
| 258 |
|
|
char okm[256]; |
| 259 |
|
|
|
| 260 |
|
|
hkdf h (salt.p, salt.l, test.hash == 1 ? EVP_sha1 () : EVP_sha256 ()); |
| 261 |
|
|
h.extract (ikm.p, ikm.l); |
| 262 |
|
|
h.extract_done (); |
| 263 |
|
|
h.expand (okm, okm_correct.l, info.p, info.l); |
| 264 |
|
|
|
| 265 |
|
|
require (!memcmp (h.prk, prk_correct.p, prk_correct.l)); |
| 266 |
|
|
require (!memcmp (okm , okm_correct.p, okm_correct.l)); |
| 267 |
|
|
} |
| 268 |
|
|
} |
| 269 |
|
|
|
