Coverage Report

Created: 2021-02-21 07:20

/src/botan/src/lib/kdf/hkdf/hkdf.cpp
Line
Count
Source (jump to first uncovered line)
1
/*
2
* HKDF
3
* (C) 2013,2015,2017 Jack Lloyd
4
* (C) 2016 René Korthaus, Rohde & Schwarz Cybersecurity
5
*
6
* Botan is released under the Simplified BSD License (see license.txt)
7
*/
8
9
#include <botan/internal/hkdf.h>
10
#include <botan/internal/loadstor.h>
11
#include <botan/exceptn.h>
12
13
namespace Botan {
14
15
void HKDF::kdf(uint8_t key[], size_t key_len,
16
               const uint8_t secret[], size_t secret_len,
17
               const uint8_t salt[], size_t salt_len,
18
               const uint8_t label[], size_t label_len) const
19
0
   {
20
0
   HKDF_Extract extract(m_prf->clone());
21
0
   HKDF_Expand expand(m_prf->clone());
22
0
   secure_vector<uint8_t> prk(m_prf->output_length());
23
24
0
   extract.kdf(prk.data(), prk.size(), secret, secret_len, salt, salt_len, nullptr, 0);
25
0
   expand.kdf(key, key_len, prk.data(), prk.size(), nullptr, 0, label, label_len);
26
0
   }
27
28
void HKDF_Extract::kdf(uint8_t key[], size_t key_len,
29
                       const uint8_t secret[], size_t secret_len,
30
                       const uint8_t salt[], size_t salt_len,
31
                       const uint8_t[], size_t) const
32
0
   {
33
0
   if(key_len == 0)
34
0
      return;
35
36
0
   const size_t prf_output_len = m_prf->output_length();
37
38
0
   if(key_len > prf_output_len)
39
0
      throw Invalid_Argument("HKDF-Extract maximum output length exceeeded");
40
41
0
   if(salt_len == 0)
42
0
      {
43
0
      m_prf->set_key(std::vector<uint8_t>(prf_output_len));
44
0
      }
45
0
   else
46
0
      {
47
0
      m_prf->set_key(salt, salt_len);
48
0
      }
49
50
0
   m_prf->update(secret, secret_len);
51
52
0
   if(key_len == prf_output_len)
53
0
      {
54
0
      m_prf->final(key);
55
0
      }
56
0
   else
57
0
      {
58
0
      secure_vector<uint8_t> prk;
59
0
      m_prf->final(prk);
60
0
      copy_mem(&key[0], prk.data(), key_len);
61
0
      }
62
0
   }
63
64
void HKDF_Expand::kdf(uint8_t key[], size_t key_len,
65
                      const uint8_t secret[], size_t secret_len,
66
                      const uint8_t salt[], size_t salt_len,
67
                      const uint8_t label[], size_t label_len) const
68
0
   {
69
0
   if(key_len == 0)
70
0
      return;
71
72
0
   const size_t blocks_required = key_len / m_prf->output_length();
73
74
0
   if(blocks_required >= 0xFF)
75
0
      throw Invalid_Argument("HKDF-Expand maximum output length exceeeded");
76
77
0
   m_prf->set_key(secret, secret_len);
78
79
0
   uint8_t counter = 1;
80
0
   secure_vector<uint8_t> h;
81
0
   size_t offset = 0;
82
83
0
   while(offset != key_len)
84
0
      {
85
0
      m_prf->update(h);
86
0
      m_prf->update(label, label_len);
87
0
      m_prf->update(salt, salt_len);
88
0
      m_prf->update(counter++);
89
0
      m_prf->final(h);
90
91
0
      const size_t written = std::min(h.size(), key_len - offset);
92
0
      copy_mem(&key[offset], h.data(), written);
93
0
      offset += written;
94
0
      }
95
0
   }
96
97
secure_vector<uint8_t>
98
hkdf_expand_label(const std::string& hash_fn,
99
                  const uint8_t secret[], size_t secret_len,
100
                  const std::string& label,
101
                  const uint8_t hash_val[], size_t hash_val_len,
102
                  size_t length)
103
0
   {
104
0
   BOTAN_ARG_CHECK(length <= 0xFFFF, "HKDF-Expand-Label requested output too large");
105
0
   BOTAN_ARG_CHECK(label.size() <= 0xFF, "HKDF-Expand-Label label too long");
106
0
   BOTAN_ARG_CHECK(hash_val_len <= 0xFF, "HKDF-Expand-Label hash too long");
107
108
0
   const uint16_t length16 = static_cast<uint16_t>(length);
109
110
0
   auto mac = MessageAuthenticationCode::create_or_throw("HMAC(" + hash_fn + ")");
111
112
0
   HKDF_Expand hkdf(mac.release());
113
114
0
   secure_vector<uint8_t> output(length16);
115
0
   std::vector<uint8_t> prefix(3 + label.size() + 1);
116
117
0
   prefix[0] = get_byte(0, length16);
118
0
   prefix[1] = get_byte(1, length16);
119
0
   prefix[2] = static_cast<uint8_t>(label.size());
120
121
0
   copy_mem(prefix.data() + 3,
122
0
            cast_char_ptr_to_uint8(label.data()),
123
0
            label.size());
124
125
0
   prefix[3 + label.size()] = static_cast<uint8_t>(hash_val_len);
126
127
   /*
128
   * We do something a little dirty here to avoid copying the hash_val,
129
   * making use of the fact that Botan's KDF interface supports label+salt,
130
   * and knowing that our HKDF hashes first param label then param salt.
131
   */
132
0
   hkdf.kdf(output.data(), output.size(),
133
0
            secret, secret_len,
134
0
            hash_val, hash_val_len,
135
0
            prefix.data(), prefix.size());
136
137
0
   return output;
138
0
   }
139
140
}