1 |
/* |
2 |
hkdf.C -- RFC 5869 HKDF implementation |
3 |
Copyright (C) 2013 Marc Lehmann <gvpe@schmorp.de> |
4 |
|
5 |
This file is part of GVPE. |
6 |
|
7 |
GVPE is free software; you can redistribute it and/or modify it |
8 |
under the terms of the GNU General Public License as published by the |
9 |
Free Software Foundation; either version 3 of the License, or (at your |
10 |
option) any later version. |
11 |
|
12 |
This program is distributed in the hope that it will be useful, but |
13 |
WITHOUT ANY WARRANTY; without even the implied warranty of |
14 |
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General |
15 |
Public License for more details. |
16 |
|
17 |
You should have received a copy of the GNU General Public License along |
18 |
with this program; if not, see <http://www.gnu.org/licenses/>. |
19 |
|
20 |
Additional permission under GNU GPL version 3 section 7 |
21 |
|
22 |
If you modify this Program, or any covered work, by linking or |
23 |
combining it with the OpenSSL project's OpenSSL library (or a modified |
24 |
version of that library), containing parts covered by the terms of the |
25 |
OpenSSL or SSLeay licenses, the licensors of this Program grant you |
26 |
additional permission to convey the resulting work. Corresponding |
27 |
Source for a non-source form of such a combination shall include the |
28 |
source code for the parts of OpenSSL used as well as that of the |
29 |
covered work. |
30 |
*/ |
31 |
|
32 |
#include "config.h" |
33 |
|
34 |
#include <cstring> |
35 |
|
36 |
#include <openssl/rand.h> |
37 |
#include <openssl/hmac.h> |
38 |
|
39 |
#include "util.h" |
40 |
#include "hkdf.h" |
41 |
|
42 |
hkdf::hkdf (const void *salt, int len, const EVP_MD *xtr_hash) |
43 |
{ |
44 |
HMAC_CTX_init (&ctx); |
45 |
|
46 |
if (!salt) |
47 |
{ |
48 |
memset (prk, 0, sizeof prk); |
49 |
salt = prk; |
50 |
len = EVP_MD_size (xtr_hash); |
51 |
} |
52 |
|
53 |
require (HMAC_Init_ex (&ctx, salt, len, xtr_hash, 0)); |
54 |
} |
55 |
|
56 |
hkdf::~hkdf () |
57 |
{ |
58 |
HMAC_CTX_cleanup (&ctx); |
59 |
} |
60 |
|
61 |
void |
62 |
hkdf::extract (const void *ikm, int len) |
63 |
{ |
64 |
require (HMAC_Update (&ctx, (u8 *)ikm, len)); |
65 |
} |
66 |
|
67 |
void |
68 |
hkdf::extract_done (const EVP_MD *prf_hash) |
69 |
{ |
70 |
require (HMAC_Final (&ctx, prk, 0)); |
71 |
require (HMAC_Init_ex (&ctx, 0, 0, prf_hash, 0)); |
72 |
} |
73 |
|
74 |
void |
75 |
hkdf::expand (void *okm, int len, const void *info, int infolen) |
76 |
{ |
77 |
u8 tn[sizeof prk]; |
78 |
u8 iter = 0; |
79 |
int md_size = HMAC_size (&ctx); |
80 |
|
81 |
while (len) |
82 |
{ |
83 |
require (HMAC_Init_ex (&ctx, prk, md_size, 0, 0)); |
84 |
|
85 |
if (iter) |
86 |
require (HMAC_Update (&ctx, tn, md_size)); |
87 |
|
88 |
require (HMAC_Update (&ctx, (u8 *)info, infolen)); |
89 |
|
90 |
|
91 |
++iter; |
92 |
require (iter); |
93 |
|
94 |
require (HMAC_Update (&ctx, &iter, 1)); |
95 |
|
96 |
require (HMAC_Final (&ctx, tn, 0)); |
97 |
|
98 |
int ol = len > md_size ? md_size : len; |
99 |
|
100 |
memcpy (okm, tn, ol); |
101 |
|
102 |
okm = (void *)(ol + (char *)okm); |
103 |
len -= ol; |
104 |
} |
105 |
} |
106 |
|
107 |
// try to verify all test vectors from the RFC |
108 |
// since I implemented the hkdf myself, and I am no crypto expert, |
109 |
// we run verification on every startup. |
110 |
void |
111 |
hkdf::verify () |
112 |
{ |
113 |
struct unhex |
114 |
{ |
115 |
u8 *p; |
116 |
int l; |
117 |
|
118 |
u8 s[256]; |
119 |
|
120 |
unhex (const char *hs) |
121 |
{ |
122 |
l = 0; |
123 |
p = 0; |
124 |
|
125 |
if (!hs) |
126 |
return; |
127 |
|
128 |
p = s; |
129 |
|
130 |
while (*hs) |
131 |
{ |
132 |
int d1 = *hs >= '0' && *hs <= '9' ? *hs - '0' : *hs - 'a' + 10; ++hs; |
133 |
int d2 = *hs >= '0' && *hs <= '9' ? *hs - '0' : *hs - 'a' + 10; ++hs; |
134 |
|
135 |
*p++ = d1 * 16 + d2; |
136 |
++l; |
137 |
} |
138 |
|
139 |
p = s; |
140 |
} |
141 |
}; |
142 |
|
143 |
const struct hkdf_test |
144 |
{ |
145 |
int hash; |
146 |
const char *IKM, *salt, *info; |
147 |
const char *PRK, *OKM; |
148 |
} tests[] = { |
149 |
{ // 0 |
150 |
256, |
151 |
"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b", |
152 |
"000102030405060708090a0b0c", |
153 |
"f0f1f2f3f4f5f6f7f8f9", |
154 |
"077709362c2e32df0ddc3f0dc47bba63" |
155 |
"90b6c73bb50f9c3122ec844ad7c2b3e5", |
156 |
"3cb25f25faacd57a90434f64d0362f2a" |
157 |
"2d2d0a90cf1a5a4c5db02d56ecc4c5bf" |
158 |
"34007208d5b887185865" |
159 |
}, { // 1 |
160 |
256, |
161 |
"000102030405060708090a0b0c0d0e0f" |
162 |
"101112131415161718191a1b1c1d1e1f" |
163 |
"202122232425262728292a2b2c2d2e2f" |
164 |
"303132333435363738393a3b3c3d3e3f" |
165 |
"404142434445464748494a4b4c4d4e4f", |
166 |
"606162636465666768696a6b6c6d6e6f" |
167 |
"707172737475767778797a7b7c7d7e7f" |
168 |
"808182838485868788898a8b8c8d8e8f" |
169 |
"909192939495969798999a9b9c9d9e9f" |
170 |
"a0a1a2a3a4a5a6a7a8a9aaabacadaeaf", |
171 |
"b0b1b2b3b4b5b6b7b8b9babbbcbdbebf" |
172 |
"c0c1c2c3c4c5c6c7c8c9cacbcccdcecf" |
173 |
"d0d1d2d3d4d5d6d7d8d9dadbdcdddedf" |
174 |
"e0e1e2e3e4e5e6e7e8e9eaebecedeeef" |
175 |
"f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff", |
176 |
"06a6b88c5853361a06104c9ceb35b45c" |
177 |
"ef760014904671014a193f40c15fc244", |
178 |
"b11e398dc80327a1c8e7f78c596a4934" |
179 |
"4f012eda2d4efad8a050cc4c19afa97c" |
180 |
"59045a99cac7827271cb41c65e590e09" |
181 |
"da3275600c2f09b8367793a9aca3db71" |
182 |
"cc30c58179ec3e87c14c01d5c1f3434f" |
183 |
"1d87" |
184 |
}, { // 2 |
185 |
256, |
186 |
"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b", |
187 |
"", |
188 |
"", |
189 |
"19ef24a32c717b167f33a91d6f648bdf" |
190 |
"96596776afdb6377ac434c1c293ccb04", |
191 |
"8da4e775a563c18f715f802a063c5a31" |
192 |
"b8a11f5c5ee1879ec3454e5f3c738d2d" |
193 |
"9d201395faa4b61a96c8" |
194 |
}, { // 3 |
195 |
1, |
196 |
"0b0b0b0b0b0b0b0b0b0b0b", |
197 |
"000102030405060708090a0b0c", |
198 |
"f0f1f2f3f4f5f6f7f8f9", |
199 |
"9b6c18c432a7bf8f0e71c8eb88f4b30baa2ba243", |
200 |
"085a01ea1b10f36933068b56efa5ad81" |
201 |
"a4f14b822f5b091568a9cdd4f155fda2" |
202 |
"c22e422478d305f3f896" |
203 |
}, { // 4 |
204 |
1, |
205 |
"000102030405060708090a0b0c0d0e0f" |
206 |
"101112131415161718191a1b1c1d1e1f" |
207 |
"202122232425262728292a2b2c2d2e2f" |
208 |
"303132333435363738393a3b3c3d3e3f" |
209 |
"404142434445464748494a4b4c4d4e4f", |
210 |
"606162636465666768696a6b6c6d6e6f" |
211 |
"707172737475767778797a7b7c7d7e7f" |
212 |
"808182838485868788898a8b8c8d8e8f" |
213 |
"909192939495969798999a9b9c9d9e9f" |
214 |
"a0a1a2a3a4a5a6a7a8a9aaabacadaeaf", |
215 |
"b0b1b2b3b4b5b6b7b8b9babbbcbdbebf" |
216 |
"c0c1c2c3c4c5c6c7c8c9cacbcccdcecf" |
217 |
"d0d1d2d3d4d5d6d7d8d9dadbdcdddedf" |
218 |
"e0e1e2e3e4e5e6e7e8e9eaebecedeeef" |
219 |
"f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff", |
220 |
"8adae09a2a307059478d309b26c4115a224cfaf6", |
221 |
"0bd770a74d1160f7c9f12cd5912a06eb" |
222 |
"ff6adcae899d92191fe4305673ba2ffe" |
223 |
"8fa3f1a4e5ad79f3f334b3b202b2173c" |
224 |
"486ea37ce3d397ed034c7f9dfeb15c5e" |
225 |
"927336d0441f4c4300e2cff0d0900b52" |
226 |
"d3b4" |
227 |
}, { // 5 |
228 |
1, |
229 |
"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b", |
230 |
"", |
231 |
"", |
232 |
"da8c8a73c7fa77288ec6f5e7c297786aa0d32d01", |
233 |
"0ac1af7002b3d761d1e55298da9d0506" |
234 |
"b9ae52057220a306e07b6b87e8df21d0" |
235 |
"ea00033de03984d34918" |
236 |
}, { // 6 |
237 |
1, |
238 |
"0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c", |
239 |
0, |
240 |
"", |
241 |
"2adccada18779e7c2077ad2eb19d3f3e731385dd", |
242 |
"2c91117204d745f3500d636a62f64f0a" |
243 |
"b3bae548aa53d423b0d1f27ebba6f5e5" |
244 |
"673a081d70cce7acfc48" |
245 |
} |
246 |
}; |
247 |
|
248 |
for (int i = 0; i < sizeof (tests) / sizeof (tests[0]); ++i) |
249 |
{ |
250 |
const hkdf_test &test = tests[i]; |
251 |
|
252 |
unhex salt (test.salt); |
253 |
unhex ikm (test.IKM); |
254 |
unhex info (test.info); |
255 |
unhex prk_correct (test.PRK); |
256 |
unhex okm_correct (test.OKM); |
257 |
|
258 |
char okm[256]; |
259 |
|
260 |
hkdf h (salt.p, salt.l, test.hash == 1 ? EVP_sha1 () : EVP_sha256 ()); |
261 |
h.extract (ikm.p, ikm.l); |
262 |
h.extract_done (); |
263 |
h.expand (okm, okm_correct.l, info.p, info.l); |
264 |
|
265 |
require (!memcmp (h.prk, prk_correct.p, prk_correct.l)); |
266 |
require (!memcmp (okm , okm_correct.p, okm_correct.l)); |
267 |
} |
268 |
} |
269 |
|