Coverage Report

Created: 2020-02-14 15:38

/src/botan/src/lib/kdf/sp800_56a/sp800_56a.cpp
Line
Count
Source (jump to first uncovered line)
1
/*
2
* KDF defined in NIST SP 800-56a (Approved Alternative 1)
3
*
4
* (C) 2017 Ribose Inc. Written by Krzysztof Kwiatkowski.
5
*
6
* Botan is released under the Simplified BSD License (see license.txt)
7
*/
8
9
#include <botan/sp800_56a.h>
10
#include <botan/scan_name.h>
11
#include <botan/exceptn.h>
12
13
namespace Botan {
14
15
namespace {
16
17
template<class AuxiliaryFunction_t>
18
size_t SP800_56A_kdf(
19
   AuxiliaryFunction_t& auxfunc,
20
   uint8_t key[], size_t key_len,
21
   const uint8_t secret[], size_t secret_len,
22
   const uint8_t label[], size_t label_len)
23
0
   {
24
0
   const uint64_t kRepsUpperBound = (1ULL << 32);
25
0
26
0
   const size_t digest_len = auxfunc.output_length();
27
0
28
0
   const size_t reps = key_len / digest_len + ((key_len % digest_len) ? 1 : 0);
29
0
30
0
   if (reps >= kRepsUpperBound)
31
0
      {
32
0
      // See SP-800-56A, point 5.8.1
33
0
      throw Invalid_Argument("SP800-56A KDF requested output too large");
34
0
      }
35
0
36
0
   uint32_t counter = 1;
37
0
   secure_vector<uint8_t> result;
38
0
   for(size_t i = 0; i < reps; i++)
39
0
      {
40
0
      auxfunc.update_be(counter++);
41
0
      auxfunc.update(secret, secret_len);
42
0
      auxfunc.update(label, label_len);
43
0
      auxfunc.final(result);
44
0
45
0
      const size_t offset = digest_len * i;
46
0
      const size_t len = std::min(result.size(), key_len - offset);
47
0
      copy_mem(&key[offset], result.data(), len);
48
0
      }
49
0
50
0
   return key_len;
51
0
   }
Unexecuted instantiation: sp800_56a.cpp:unsigned long Botan::(anonymous namespace)::SP800_56A_kdf<Botan::HashFunction>(Botan::HashFunction&, unsigned char*, unsigned long, unsigned char const*, unsigned long, unsigned char const*, unsigned long)
Unexecuted instantiation: sp800_56a.cpp:unsigned long Botan::(anonymous namespace)::SP800_56A_kdf<Botan::MessageAuthenticationCode>(Botan::MessageAuthenticationCode&, unsigned char*, unsigned long, unsigned char const*, unsigned long, unsigned char const*, unsigned long)
52
53
}
54
55
size_t SP800_56A_Hash::kdf(uint8_t key[], size_t key_len,
56
                           const uint8_t secret[], size_t secret_len,
57
                           const uint8_t salt[], size_t salt_len,
58
                           const uint8_t label[], size_t label_len) const
59
0
   {
60
0
   /*
61
0
   * TODO: should we reject a non-empty salt with an exception?
62
0
   * Ignoring the salt seems quite dangerous to applications which
63
0
   * don't expect it.
64
0
   */
65
0
   BOTAN_UNUSED(salt, salt_len);
66
0
67
0
   return SP800_56A_kdf(*m_hash, key, key_len, secret, secret_len, label, label_len);
68
0
   }
69
70
SP800_56A_HMAC::SP800_56A_HMAC(MessageAuthenticationCode* mac) : m_mac(mac)
71
0
   {
72
0
   // TODO: we need a MessageAuthenticationCode::is_hmac
73
0
   const SCAN_Name req(m_mac->name());
74
0
   if(req.algo_name() != "HMAC")
75
0
      {
76
0
      throw Algorithm_Not_Found("Only HMAC can be used with KDF SP800-56A");
77
0
      }
78
0
   }
79
80
size_t SP800_56A_HMAC::kdf(uint8_t key[], size_t key_len,
81
                           const uint8_t secret[], size_t secret_len,
82
                           const uint8_t salt[], size_t salt_len,
83
                           const uint8_t label[], size_t label_len) const
84
0
   {
85
0
   /*
86
0
   * SP 800-56A specifies if the salt is empty then a block of zeros
87
0
   * equal to the hash's underlying block size are used. However this
88
0
   * is equivalent to setting a zero-length key, so the same call
89
0
   * works for either case.
90
0
   */
91
0
   m_mac->set_key(salt, salt_len);
92
0
93
0
   return SP800_56A_kdf(*m_mac, key, key_len, secret, secret_len, label, label_len);
94
0
   }
95
96
97
98
}