gvpe/src/hkdf.C

/*
    hkdf.C -- RFC 5869 HKDF implementation
    Copyright (C) 2013      Marc Lehmann <gvpe@schmorp.de>
 
    This file is part of GVPE.

    GVPE is free software; you can redistribute it and/or modify it
    under the terms of the GNU General Public License as published by the
    Free Software Foundation; either version 3 of the License, or (at your
    option) any later version.
   
    This program is distributed in the hope that it will be useful, but
    WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General
    Public License for more details.
   
    You should have received a copy of the GNU General Public License along
    with this program; if not, see <http://www.gnu.org/licenses/>.
   
    Additional permission under GNU GPL version 3 section 7
   
    If you modify this Program, or any covered work, by linking or
    combining it with the OpenSSL project's OpenSSL library (or a modified
    version of that library), containing parts covered by the terms of the
    OpenSSL or SSLeay licenses, the licensors of this Program grant you
    additional permission to convey the resulting work.  Corresponding
    Source for a non-source form of such a combination shall include the
    source code for the parts of OpenSSL used as well as that of the
    covered work.
*/

#include "config.h"

#include <cstring>

#include <openssl/rand.h>
#include <openssl/hmac.h>

#include "util.h"
#include "hkdf.h"

hkdf::hkdf (const void *salt, int len, const EVP_MD *xtr_hash)
{
  HMAC_CTX_init (&ctx);

  if (!salt)
    {
      memset (prk, 0, sizeof prk);
      salt = prk;
      len  = EVP_MD_size (xtr_hash);
    }

  require (HMAC_Init_ex (&ctx, salt, len, xtr_hash, 0));
}

hkdf::~hkdf ()
{
  HMAC_CTX_cleanup (&ctx);
}

void
hkdf::extract (const void *ikm, int len)
{
  require (HMAC_Update (&ctx, (u8 *)ikm, len));
}

void
hkdf::extract_done (const EVP_MD *prf_hash)
{
  require (HMAC_Final (&ctx, prk, 0));
  require (HMAC_Init_ex (&ctx, 0, 0, prf_hash, 0));
}

void
hkdf::expand (void *okm, int len, const void *info, int infolen)
{
  u8 tn[sizeof prk];
  u8 iter = 0;
  int md_size = HMAC_size (&ctx);

  while (len)
    {
      require (HMAC_Init_ex (&ctx, prk, md_size, 0, 0));

      if (iter)
        require (HMAC_Update (&ctx, tn, md_size));

      require (HMAC_Update (&ctx, (u8 *)info, infolen));


      ++iter;
      require (iter);

      require (HMAC_Update (&ctx, &iter, 1));

      require (HMAC_Final (&ctx, tn, 0));

      int ol = len > md_size ? md_size : len;

      memcpy (okm, tn, ol);

      okm = (void *)(ol + (char *)okm);
      len -= ol;
    }
}

// try to verify all test vectors from the RFC
// since I implemented the hkdf myself, and I am no crypto expert,
// we run verification on every startup.
void
hkdf::verify ()
{
  struct unhex
  {
    u8 *p;
    int l;

    u8 s[256];

    unhex (const char *hs)
    {
      l = 0;
      p = 0;

      if (!hs)
        return;

      p = s;

      while (*hs)
        {
          int d1 = *hs >= '0' && *hs <= '9' ? *hs - '0' : *hs - 'a' + 10; ++hs;
          int d2 = *hs >= '0' && *hs <= '9' ? *hs - '0' : *hs - 'a' + 10; ++hs;

          *p++ = d1 * 16 + d2;
          ++l;
        }

      p = s;
    }
  };

  const struct hkdf_test
  {
     int hash;
     const char *IKM, *salt, *info;
     const char *PRK, *OKM;
  } tests[] = {
    { // 0
      256,
      "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b",
      "000102030405060708090a0b0c",
      "f0f1f2f3f4f5f6f7f8f9",
      "077709362c2e32df0ddc3f0dc47bba63"
      "90b6c73bb50f9c3122ec844ad7c2b3e5",
      "3cb25f25faacd57a90434f64d0362f2a"
      "2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
      "34007208d5b887185865"
    }, { // 1
      256,
      "000102030405060708090a0b0c0d0e0f"
      "101112131415161718191a1b1c1d1e1f"
      "202122232425262728292a2b2c2d2e2f"
      "303132333435363738393a3b3c3d3e3f"
      "404142434445464748494a4b4c4d4e4f",
      "606162636465666768696a6b6c6d6e6f"
      "707172737475767778797a7b7c7d7e7f"
      "808182838485868788898a8b8c8d8e8f"
      "909192939495969798999a9b9c9d9e9f"
      "a0a1a2a3a4a5a6a7a8a9aaabacadaeaf",
      "b0b1b2b3b4b5b6b7b8b9babbbcbdbebf"
      "c0c1c2c3c4c5c6c7c8c9cacbcccdcecf"
      "d0d1d2d3d4d5d6d7d8d9dadbdcdddedf"
      "e0e1e2e3e4e5e6e7e8e9eaebecedeeef"
      "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
      "06a6b88c5853361a06104c9ceb35b45c"
      "ef760014904671014a193f40c15fc244",
      "b11e398dc80327a1c8e7f78c596a4934"
      "4f012eda2d4efad8a050cc4c19afa97c"
      "59045a99cac7827271cb41c65e590e09"
      "da3275600c2f09b8367793a9aca3db71"
      "cc30c58179ec3e87c14c01d5c1f3434f"
      "1d87"
    }, { // 2
      256,
      "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b",
      "",
      "",
      "19ef24a32c717b167f33a91d6f648bdf"
      "96596776afdb6377ac434c1c293ccb04",
      "8da4e775a563c18f715f802a063c5a31"
      "b8a11f5c5ee1879ec3454e5f3c738d2d"
      "9d201395faa4b61a96c8"
    }, { // 3
      1,
      "0b0b0b0b0b0b0b0b0b0b0b",
      "000102030405060708090a0b0c",
      "f0f1f2f3f4f5f6f7f8f9",
      "9b6c18c432a7bf8f0e71c8eb88f4b30baa2ba243",
      "085a01ea1b10f36933068b56efa5ad81"
      "a4f14b822f5b091568a9cdd4f155fda2"
      "c22e422478d305f3f896"
    }, { // 4
      1,
      "000102030405060708090a0b0c0d0e0f"
      "101112131415161718191a1b1c1d1e1f"
      "202122232425262728292a2b2c2d2e2f"
      "303132333435363738393a3b3c3d3e3f"
      "404142434445464748494a4b4c4d4e4f",
      "606162636465666768696a6b6c6d6e6f"
      "707172737475767778797a7b7c7d7e7f"
      "808182838485868788898a8b8c8d8e8f"
      "909192939495969798999a9b9c9d9e9f"
      "a0a1a2a3a4a5a6a7a8a9aaabacadaeaf",
      "b0b1b2b3b4b5b6b7b8b9babbbcbdbebf"
      "c0c1c2c3c4c5c6c7c8c9cacbcccdcecf"
      "d0d1d2d3d4d5d6d7d8d9dadbdcdddedf"
      "e0e1e2e3e4e5e6e7e8e9eaebecedeeef"
      "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
      "8adae09a2a307059478d309b26c4115a224cfaf6",
      "0bd770a74d1160f7c9f12cd5912a06eb"
      "ff6adcae899d92191fe4305673ba2ffe"
      "8fa3f1a4e5ad79f3f334b3b202b2173c"
      "486ea37ce3d397ed034c7f9dfeb15c5e"
      "927336d0441f4c4300e2cff0d0900b52"
      "d3b4"
    }, { // 5
      1,
      "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b",
      "",
      "",
      "da8c8a73c7fa77288ec6f5e7c297786aa0d32d01",
      "0ac1af7002b3d761d1e55298da9d0506"
      "b9ae52057220a306e07b6b87e8df21d0"
      "ea00033de03984d34918"
    }, { // 6
      1,
      "0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c",
      0,
      "",
      "2adccada18779e7c2077ad2eb19d3f3e731385dd",
      "2c91117204d745f3500d636a62f64f0a"
      "b3bae548aa53d423b0d1f27ebba6f5e5"
      "673a081d70cce7acfc48"
    }
  };

  for (int i = 0; i < sizeof (tests) / sizeof (tests[0]); ++i)
    {
      const hkdf_test &test = tests[i];

      unhex salt (test.salt);
      unhex ikm (test.IKM);
      unhex info (test.info);
      unhex prk_correct (test.PRK);
      unhex okm_correct (test.OKM);

      char okm[256];

      hkdf h (salt.p, salt.l, test.hash == 1 ? EVP_sha1 () : EVP_sha256 ());
      h.extract (ikm.p, ikm.l);
      h.extract_done ();
      h.expand (okm, okm_correct.l, info.p, info.l);

      require (!memcmp (h.prk, prk_correct.p, prk_correct.l));
      require (!memcmp (okm  , okm_correct.p, okm_correct.l));
    }
}

Revision:	1.2
Committed:	Wed Jul 17 04:36:03 2013 UTC (10 years, 10 months ago) by root
Content type:	text/plain
Branch:	MAIN
Changes since 1.1:	+5 -4 lines
Log Message:	* empty log message *
#	Content
1	/*
2	hkdf.C -- RFC 5869 HKDF implementation
3	Copyright (C) 2013 Marc Lehmann <gvpe@schmorp.de>
4
5	This file is part of GVPE.
6
7	GVPE is free software; you can redistribute it and/or modify it
8	under the terms of the GNU General Public License as published by the
9	Free Software Foundation; either version 3 of the License, or (at your
10	option) any later version.
11
12	This program is distributed in the hope that it will be useful, but
13	WITHOUT ANY WARRANTY; without even the implied warranty of
14	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
15	Public License for more details.
16
17	You should have received a copy of the GNU General Public License along
18	with this program; if not, see <http://www.gnu.org/licenses/>.
19
20	Additional permission under GNU GPL version 3 section 7
21
22	If you modify this Program, or any covered work, by linking or
23	combining it with the OpenSSL project's OpenSSL library (or a modified
24	version of that library), containing parts covered by the terms of the
25	OpenSSL or SSLeay licenses, the licensors of this Program grant you
26	additional permission to convey the resulting work. Corresponding
27	Source for a non-source form of such a combination shall include the
28	source code for the parts of OpenSSL used as well as that of the
29	covered work.
30	*/
31
32	#include "config.h"
33
34	#include <cstring>
35
36	#include <openssl/rand.h>
37	#include <openssl/hmac.h>
38
39	#include "util.h"
40	#include "hkdf.h"
41
42	hkdf::hkdf (const void salt, int len, const EVP_MD xtr_hash)
43	{
44	HMAC_CTX_init (&ctx);
45
46	if (!salt)
47	{
48	memset (prk, 0, sizeof prk);
49	salt = prk;
50	len = EVP_MD_size (xtr_hash);
51	}
52
53	require (HMAC_Init_ex (&ctx, salt, len, xtr_hash, 0));
54	}
55
56	hkdf::~hkdf ()
57	{
58	HMAC_CTX_cleanup (&ctx);
59	}
60
61	void
62	hkdf::extract (const void *ikm, int len)
63	{
64	require (HMAC_Update (&ctx, (u8 *)ikm, len));
65	}
66
67	void
68	hkdf::extract_done (const EVP_MD *prf_hash)
69	{
70	require (HMAC_Final (&ctx, prk, 0));
71	require (HMAC_Init_ex (&ctx, 0, 0, prf_hash, 0));
72	}
73
74	void
75	hkdf::expand (void okm, int len, const void info, int infolen)
76	{
77	u8 tn[sizeof prk];
78	u8 iter = 0;
79	int md_size = HMAC_size (&ctx);
80
81	while (len)
82	{
83	require (HMAC_Init_ex (&ctx, prk, md_size, 0, 0));
84
85	if (iter)
86	require (HMAC_Update (&ctx, tn, md_size));
87
88	require (HMAC_Update (&ctx, (u8 *)info, infolen));
89
90
91	++iter;
92	require (iter);
93
94	require (HMAC_Update (&ctx, &iter, 1));
95
96	require (HMAC_Final (&ctx, tn, 0));
97
98	int ol = len > md_size ? md_size : len;
99
100	memcpy (okm, tn, ol);
101
102	okm = (void )(ol + (char )okm);
103	len -= ol;
104	}
105	}
106
107	// try to verify all test vectors from the RFC
108	// since I implemented the hkdf myself, and I am no crypto expert,
109	// we run verification on every startup.
110	void
111	hkdf::verify ()
112	{
113	struct unhex
114	{
115	u8 *p;
116	int l;
117
118	u8 s[256];
119
120	unhex (const char *hs)
121	{
122	l = 0;
123	p = 0;
124
125	if (!hs)
126	return;
127
128	p = s;
129
130	while (*hs)
131	{
132	int d1 = hs >= '0' && hs <= '9' ? hs - '0' : hs - 'a' + 10; ++hs;
133	int d2 = hs >= '0' && hs <= '9' ? hs - '0' : hs - 'a' + 10; ++hs;
134
135	p++ = d1 16 + d2;
136	++l;
137	}
138
139	p = s;
140	}
141	};
142
143	const struct hkdf_test
144	{
145	int hash;
146	const char IKM, salt, *info;
147	const char PRK, OKM;
148	} tests[] = {
149	{ // 0
150	256,
151	"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b",
152	"000102030405060708090a0b0c",
153	"f0f1f2f3f4f5f6f7f8f9",
154	"077709362c2e32df0ddc3f0dc47bba63"
155	"90b6c73bb50f9c3122ec844ad7c2b3e5",
156	"3cb25f25faacd57a90434f64d0362f2a"
157	"2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
158	"34007208d5b887185865"
159	}, { // 1
160	256,
161	"000102030405060708090a0b0c0d0e0f"
162	"101112131415161718191a1b1c1d1e1f"
163	"202122232425262728292a2b2c2d2e2f"
164	"303132333435363738393a3b3c3d3e3f"
165	"404142434445464748494a4b4c4d4e4f",
166	"606162636465666768696a6b6c6d6e6f"
167	"707172737475767778797a7b7c7d7e7f"
168	"808182838485868788898a8b8c8d8e8f"
169	"909192939495969798999a9b9c9d9e9f"
170	"a0a1a2a3a4a5a6a7a8a9aaabacadaeaf",
171	"b0b1b2b3b4b5b6b7b8b9babbbcbdbebf"
172	"c0c1c2c3c4c5c6c7c8c9cacbcccdcecf"
173	"d0d1d2d3d4d5d6d7d8d9dadbdcdddedf"
174	"e0e1e2e3e4e5e6e7e8e9eaebecedeeef"
175	"f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
176	"06a6b88c5853361a06104c9ceb35b45c"
177	"ef760014904671014a193f40c15fc244",
178	"b11e398dc80327a1c8e7f78c596a4934"
179	"4f012eda2d4efad8a050cc4c19afa97c"
180	"59045a99cac7827271cb41c65e590e09"
181	"da3275600c2f09b8367793a9aca3db71"
182	"cc30c58179ec3e87c14c01d5c1f3434f"
183	"1d87"
184	}, { // 2
185	256,
186	"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b",
187	"",
188	"",
189	"19ef24a32c717b167f33a91d6f648bdf"
190	"96596776afdb6377ac434c1c293ccb04",
191	"8da4e775a563c18f715f802a063c5a31"
192	"b8a11f5c5ee1879ec3454e5f3c738d2d"
193	"9d201395faa4b61a96c8"
194	}, { // 3
195	1,
196	"0b0b0b0b0b0b0b0b0b0b0b",
197	"000102030405060708090a0b0c",
198	"f0f1f2f3f4f5f6f7f8f9",
199	"9b6c18c432a7bf8f0e71c8eb88f4b30baa2ba243",
200	"085a01ea1b10f36933068b56efa5ad81"
201	"a4f14b822f5b091568a9cdd4f155fda2"
202	"c22e422478d305f3f896"
203	}, { // 4
204	1,
205	"000102030405060708090a0b0c0d0e0f"
206	"101112131415161718191a1b1c1d1e1f"
207	"202122232425262728292a2b2c2d2e2f"
208	"303132333435363738393a3b3c3d3e3f"
209	"404142434445464748494a4b4c4d4e4f",
210	"606162636465666768696a6b6c6d6e6f"
211	"707172737475767778797a7b7c7d7e7f"
212	"808182838485868788898a8b8c8d8e8f"
213	"909192939495969798999a9b9c9d9e9f"
214	"a0a1a2a3a4a5a6a7a8a9aaabacadaeaf",
215	"b0b1b2b3b4b5b6b7b8b9babbbcbdbebf"
216	"c0c1c2c3c4c5c6c7c8c9cacbcccdcecf"
217	"d0d1d2d3d4d5d6d7d8d9dadbdcdddedf"
218	"e0e1e2e3e4e5e6e7e8e9eaebecedeeef"
219	"f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
220	"8adae09a2a307059478d309b26c4115a224cfaf6",
221	"0bd770a74d1160f7c9f12cd5912a06eb"
222	"ff6adcae899d92191fe4305673ba2ffe"
223	"8fa3f1a4e5ad79f3f334b3b202b2173c"
224	"486ea37ce3d397ed034c7f9dfeb15c5e"
225	"927336d0441f4c4300e2cff0d0900b52"
226	"d3b4"
227	}, { // 5
228	1,
229	"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b",
230	"",
231	"",
232	"da8c8a73c7fa77288ec6f5e7c297786aa0d32d01",
233	"0ac1af7002b3d761d1e55298da9d0506"
234	"b9ae52057220a306e07b6b87e8df21d0"
235	"ea00033de03984d34918"
236	}, { // 6
237	1,
238	"0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c",
239	0,
240	"",
241	"2adccada18779e7c2077ad2eb19d3f3e731385dd",
242	"2c91117204d745f3500d636a62f64f0a"
243	"b3bae548aa53d423b0d1f27ebba6f5e5"
244	"673a081d70cce7acfc48"
245	}
246	};
247
248	for (int i = 0; i < sizeof (tests) / sizeof (tests[0]); ++i)
249	{
250	const hkdf_test &test = tests[i];
251
252	unhex salt (test.salt);
253	unhex ikm (test.IKM);
254	unhex info (test.info);
255	unhex prk_correct (test.PRK);
256	unhex okm_correct (test.OKM);
257
258	char okm[256];
259
260	hkdf h (salt.p, salt.l, test.hash == 1 ? EVP_sha1 () : EVP_sha256 ());
261	h.extract (ikm.p, ikm.l);
262	h.extract_done ();
263	h.expand (okm, okm_correct.l, info.p, info.l);
264
265	require (!memcmp (h.prk, prk_correct.p, prk_correct.l));
266	require (!memcmp (okm , okm_correct.p, okm_correct.l));
267	}
268	}
269