/src/botan/src/lib/kdf/hkdf/hkdf.cpp

Source (jump to first uncovered line)
/*
* HKDF
* (C) 2013,2015,2017 Jack Lloyd
* (C) 2016 René Korthaus, Rohde & Schwarz Cybersecurity
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include <botan/internal/hkdf.h>
#include <botan/internal/loadstor.h>
#include <botan/exceptn.h>

namespace Botan {

void HKDF::kdf(uint8_t key[], size_t key_len,
               const uint8_t secret[], size_t secret_len,
               const uint8_t salt[], size_t salt_len,
               const uint8_t label[], size_t label_len) const
   {
   HKDF_Extract extract(m_prf->clone());
   HKDF_Expand expand(m_prf->clone());
   secure_vector<uint8_t> prk(m_prf->output_length());

   extract.kdf(prk.data(), prk.size(), secret, secret_len, salt, salt_len, nullptr, 0);
   expand.kdf(key, key_len, prk.data(), prk.size(), nullptr, 0, label, label_len);
   }

void HKDF_Extract::kdf(uint8_t key[], size_t key_len,
                       const uint8_t secret[], size_t secret_len,
                       const uint8_t salt[], size_t salt_len,
                       const uint8_t[], size_t) const
   {
   if(key_len == 0)
      return;

   const size_t prf_output_len = m_prf->output_length();

   if(key_len > prf_output_len)
      throw Invalid_Argument("HKDF-Extract maximum output length exceeeded");

   if(salt_len == 0)
      {
      m_prf->set_key(std::vector<uint8_t>(prf_output_len));
      }
   else
      {
      m_prf->set_key(salt, salt_len);
      }

   m_prf->update(secret, secret_len);

   if(key_len == prf_output_len)
      {
      m_prf->final(key);
      }
   else
      {
      secure_vector<uint8_t> prk;
      m_prf->final(prk);
      copy_mem(&key[0], prk.data(), key_len);
      }
   }

void HKDF_Expand::kdf(uint8_t key[], size_t key_len,
                      const uint8_t secret[], size_t secret_len,
                      const uint8_t salt[], size_t salt_len,
                      const uint8_t label[], size_t label_len) const
   {
   if(key_len == 0)
      return;

   const size_t blocks_required = key_len / m_prf->output_length();

   if(blocks_required >= 0xFF)
      throw Invalid_Argument("HKDF-Expand maximum output length exceeeded");

   m_prf->set_key(secret, secret_len);

   uint8_t counter = 1;
   secure_vector<uint8_t> h;
   size_t offset = 0;

   while(offset != key_len)
      {
      m_prf->update(h);
      m_prf->update(label, label_len);
      m_prf->update(salt, salt_len);
      m_prf->update(counter++);
      m_prf->final(h);

      const size_t written = std::min(h.size(), key_len - offset);
      copy_mem(&key[offset], h.data(), written);
      offset += written;
      }
   }

secure_vector<uint8_t>
hkdf_expand_label(const std::string& hash_fn,
                  const uint8_t secret[], size_t secret_len,
                  const std::string& label,
                  const uint8_t hash_val[], size_t hash_val_len,
                  size_t length)
   {
   BOTAN_ARG_CHECK(length <= 0xFFFF, "HKDF-Expand-Label requested output too large");
   BOTAN_ARG_CHECK(label.size() <= 0xFF, "HKDF-Expand-Label label too long");
   BOTAN_ARG_CHECK(hash_val_len <= 0xFF, "HKDF-Expand-Label hash too long");

   const uint16_t length16 = static_cast<uint16_t>(length);

   auto mac = MessageAuthenticationCode::create_or_throw("HMAC(" + hash_fn + ")");

   HKDF_Expand hkdf(mac.release());

   secure_vector<uint8_t> output(length16);
   std::vector<uint8_t> prefix(3 + label.size() + 1);

   prefix[0] = get_byte(0, length16);
   prefix[1] = get_byte(1, length16);
   prefix[2] = static_cast<uint8_t>(label.size());

   copy_mem(prefix.data() + 3,
            cast_char_ptr_to_uint8(label.data()),
            label.size());

   prefix[3 + label.size()] = static_cast<uint8_t>(hash_val_len);

   /*
   * We do something a little dirty here to avoid copying the hash_val,
   * making use of the fact that Botan's KDF interface supports label+salt,
   * and knowing that our HKDF hashes first param label then param salt.
   */
   hkdf.kdf(output.data(), output.size(),
            secret, secret_len,
            hash_val, hash_val_len,
            prefix.data(), prefix.size());

   return output;
   }

}

Line	Count	Source (jump to first uncovered line)
1		/*
2		* HKDF
3		* (C) 2013,2015,2017 Jack Lloyd
4		* (C) 2016 René Korthaus, Rohde & Schwarz Cybersecurity
5		*
6		* Botan is released under the Simplified BSD License (see license.txt)
7		*/
8
9		#include <botan/internal/hkdf.h>
10		#include <botan/internal/loadstor.h>
11		#include <botan/exceptn.h>
12
13		namespace Botan {
14
15		void HKDF::kdf(uint8_t key[], size_t key_len,
16		const uint8_t secret[], size_t secret_len,
17		const uint8_t salt[], size_t salt_len,
18		const uint8_t label[], size_t label_len) const
19	0	{
20	0	HKDF_Extract extract(m_prf->clone());
21	0	HKDF_Expand expand(m_prf->clone());
22	0	secure_vector<uint8_t> prk(m_prf->output_length());
23
24	0	extract.kdf(prk.data(), prk.size(), secret, secret_len, salt, salt_len, nullptr, 0);
25	0	expand.kdf(key, key_len, prk.data(), prk.size(), nullptr, 0, label, label_len);
26	0	}
27
28		void HKDF_Extract::kdf(uint8_t key[], size_t key_len,
29		const uint8_t secret[], size_t secret_len,
30		const uint8_t salt[], size_t salt_len,
31		const uint8_t[], size_t) const
32	0	{
33	0	if(key_len == 0)
34	0	return;
35
36	0	const size_t prf_output_len = m_prf->output_length();
37
38	0	if(key_len > prf_output_len)
39	0	throw Invalid_Argument("HKDF-Extract maximum output length exceeeded");
40
41	0	if(salt_len == 0)
42	0	{
43	0	m_prf->set_key(std::vector<uint8_t>(prf_output_len));
44	0	}
45	0	else
46	0	{
47	0	m_prf->set_key(salt, salt_len);
48	0	}
49
50	0	m_prf->update(secret, secret_len);
51
52	0	if(key_len == prf_output_len)
53	0	{
54	0	m_prf->final(key);
55	0	}
56	0	else
57	0	{
58	0	secure_vector<uint8_t> prk;
59	0	m_prf->final(prk);
60	0	copy_mem(&key[0], prk.data(), key_len);
61	0	}
62	0	}
63
64		void HKDF_Expand::kdf(uint8_t key[], size_t key_len,
65		const uint8_t secret[], size_t secret_len,
66		const uint8_t salt[], size_t salt_len,
67		const uint8_t label[], size_t label_len) const
68	0	{
69	0	if(key_len == 0)
70	0	return;
71
72	0	const size_t blocks_required = key_len / m_prf->output_length();
73
74	0	if(blocks_required >= 0xFF)
75	0	throw Invalid_Argument("HKDF-Expand maximum output length exceeeded");
76
77	0	m_prf->set_key(secret, secret_len);
78
79	0	uint8_t counter = 1;
80	0	secure_vector<uint8_t> h;
81	0	size_t offset = 0;
82
83	0	while(offset != key_len)
84	0	{
85	0	m_prf->update(h);
86	0	m_prf->update(label, label_len);
87	0	m_prf->update(salt, salt_len);
88	0	m_prf->update(counter++);
89	0	m_prf->final(h);
90
91	0	const size_t written = std::min(h.size(), key_len - offset);
92	0	copy_mem(&key[offset], h.data(), written);
93	0	offset += written;
94	0	}
95	0	}
96
97		secure_vector<uint8_t>
98		hkdf_expand_label(const std::string& hash_fn,
99		const uint8_t secret[], size_t secret_len,
100		const std::string& label,
101		const uint8_t hash_val[], size_t hash_val_len,
102		size_t length)
103	0	{
104	0	BOTAN_ARG_CHECK(length <= 0xFFFF, "HKDF-Expand-Label requested output too large");
105	0	BOTAN_ARG_CHECK(label.size() <= 0xFF, "HKDF-Expand-Label label too long");
106	0	BOTAN_ARG_CHECK(hash_val_len <= 0xFF, "HKDF-Expand-Label hash too long");
107
108	0	const uint16_t length16 = static_cast<uint16_t>(length);
109
110	0	auto mac = MessageAuthenticationCode::create_or_throw("HMAC(" + hash_fn + ")");
111
112	0	HKDF_Expand hkdf(mac.release());
113
114	0	secure_vector<uint8_t> output(length16);
115	0	std::vector<uint8_t> prefix(3 + label.size() + 1);
116
117	0	prefix[0] = get_byte(0, length16);
118	0	prefix[1] = get_byte(1, length16);
119	0	prefix[2] = static_cast<uint8_t>(label.size());
120
121	0	copy_mem(prefix.data() + 3,
122	0	cast_char_ptr_to_uint8(label.data()),
123	0	label.size());
124
125	0	prefix[3 + label.size()] = static_cast<uint8_t>(hash_val_len);
126
127		/*
128		* We do something a little dirty here to avoid copying the hash_val,
129		* making use of the fact that Botan's KDF interface supports label+salt,
130		* and knowing that our HKDF hashes first param label then param salt.
131		*/
132	0	hkdf.kdf(output.data(), output.size(),
133	0	secret, secret_len,
134	0	hash_val, hash_val_len,
135	0	prefix.data(), prefix.size());
136
137	0	return output;
138	0	}
139
140		}

Coverage Report

Created: 2021-01-13 07:05