/src/botan/src/lib/kdf/hkdf/hkdf.cpp

Source (jump to first uncovered line)
/*
* HKDF
* (C) 2013,2015,2017 Jack Lloyd
* (C) 2016 René Korthaus, Rohde & Schwarz Cybersecurity
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include <botan/internal/hkdf.h>

#include <botan/exceptn.h>
#include <botan/internal/fmt.h>
#include <botan/internal/loadstor.h>

namespace Botan {

std::unique_ptr<KDF> HKDF::new_object() const {
   return std::make_unique<HKDF>(m_prf->new_object());
}

std::string HKDF::name() const {
   return fmt("HKDF({})", m_prf->name());
}

void HKDF::kdf(uint8_t key[],
               size_t key_len,
               const uint8_t secret[],
               size_t secret_len,
               const uint8_t salt[],
               size_t salt_len,
               const uint8_t label[],
               size_t label_len) const {
   HKDF_Extract extract(m_prf->new_object());
   HKDF_Expand expand(m_prf->new_object());
   secure_vector<uint8_t> prk(m_prf->output_length());

   extract.kdf(prk.data(), prk.size(), secret, secret_len, salt, salt_len, nullptr, 0);
   expand.kdf(key, key_len, prk.data(), prk.size(), nullptr, 0, label, label_len);
}

std::unique_ptr<KDF> HKDF_Extract::new_object() const {
   return std::make_unique<HKDF_Extract>(m_prf->new_object());
}

std::string HKDF_Extract::name() const {
   return fmt("HKDF-Extract({})", m_prf->name());
}

void HKDF_Extract::kdf(uint8_t key[],
                       size_t key_len,
                       const uint8_t secret[],
                       size_t secret_len,
                       const uint8_t salt[],
                       size_t salt_len,
                       const uint8_t /*label*/[],
                       size_t label_len) const {
   if(key_len == 0) {
      return;
   }

   const size_t prf_output_len = m_prf->output_length();

   if(key_len > prf_output_len) {
      throw Invalid_Argument("HKDF-Extract maximum output length exceeeded");
   }

   if(label_len > 0) {
      throw Invalid_Argument("HKDF-Extract does not support a label input");
   }

   if(salt_len == 0) {
      m_prf->set_key(std::vector<uint8_t>(prf_output_len));
   } else {
      m_prf->set_key(salt, salt_len);
   }

   m_prf->update(secret, secret_len);

   if(key_len == prf_output_len) {
      m_prf->final(key);
   } else {
      secure_vector<uint8_t> prk;
      m_prf->final(prk);
      copy_mem(&key[0], prk.data(), key_len);
   }
}

std::unique_ptr<KDF> HKDF_Expand::new_object() const {
   return std::make_unique<HKDF_Expand>(m_prf->new_object());
}

std::string HKDF_Expand::name() const {
   return fmt("HKDF-Expand({})", m_prf->name());
}

void HKDF_Expand::kdf(uint8_t key[],
                      size_t key_len,
                      const uint8_t secret[],
                      size_t secret_len,
                      const uint8_t salt[],
                      size_t salt_len,
                      const uint8_t label[],
                      size_t label_len) const {
   if(key_len == 0) {
      return;
   }

   if(key_len > m_prf->output_length() * 255) {
      throw Invalid_Argument("HKDF-Expand maximum output length exceeeded");
   }

   m_prf->set_key(secret, secret_len);

   uint8_t counter = 1;
   secure_vector<uint8_t> h;
   size_t offset = 0;

   while(offset != key_len) {
      m_prf->update(h);
      m_prf->update(label, label_len);
      m_prf->update(salt, salt_len);
      m_prf->update(counter++);
      m_prf->final(h);

      const size_t written = std::min(h.size(), key_len - offset);
      copy_mem(&key[offset], h.data(), written);
      offset += written;
   }
}

secure_vector<uint8_t> hkdf_expand_label(std::string_view hash_fn,
                                         const uint8_t secret[],
                                         size_t secret_len,
                                         std::string_view label,
                                         const uint8_t hash_val[],
                                         size_t hash_val_len,
                                         size_t length) {
   BOTAN_ARG_CHECK(length <= 0xFFFF, "HKDF-Expand-Label requested output too large");
   BOTAN_ARG_CHECK(label.size() <= 0xFF, "HKDF-Expand-Label label too long");
   BOTAN_ARG_CHECK(hash_val_len <= 0xFF, "HKDF-Expand-Label hash too long");

   const uint16_t length16 = static_cast<uint16_t>(length);

   HKDF_Expand hkdf(MessageAuthenticationCode::create_or_throw(fmt("HMAC({})", hash_fn)));

   secure_vector<uint8_t> output(length16);
   std::vector<uint8_t> prefix(3 + label.size() + 1);

   prefix[0] = get_byte<0>(length16);
   prefix[1] = get_byte<1>(length16);
   prefix[2] = static_cast<uint8_t>(label.size());

   copy_mem(prefix.data() + 3, cast_char_ptr_to_uint8(label.data()), label.size());

   prefix[3 + label.size()] = static_cast<uint8_t>(hash_val_len);

   /*
   * We do something a little dirty here to avoid copying the hash_val,
   * making use of the fact that Botan's KDF interface supports label+salt,
   * and knowing that our HKDF hashes first param label then param salt.
   */
   hkdf.kdf(output.data(), output.size(), secret, secret_len, hash_val, hash_val_len, prefix.data(), prefix.size());

   return output;
}

}  // namespace Botan

Line	Count	Source (jump to first uncovered line)
1		/*
2		* HKDF
3		* (C) 2013,2015,2017 Jack Lloyd
4		* (C) 2016 René Korthaus, Rohde & Schwarz Cybersecurity
5		*
6		* Botan is released under the Simplified BSD License (see license.txt)
7		*/
8
9		#include <botan/internal/hkdf.h>
10
11		#include <botan/exceptn.h>
12		#include <botan/internal/fmt.h>
13		#include <botan/internal/loadstor.h>
14
15		namespace Botan {
16
17	0	std::unique_ptr<KDF> HKDF::new_object() const {
18	0	return std::make_unique<HKDF>(m_prf->new_object());
19	0	}
20
21	0	std::string HKDF::name() const {
22	0	return fmt("HKDF({})", m_prf->name());
23	0	}
24
25		void HKDF::kdf(uint8_t key[],
26		size_t key_len,
27		const uint8_t secret[],
28		size_t secret_len,
29		const uint8_t salt[],
30		size_t salt_len,
31		const uint8_t label[],
32	0	size_t label_len) const {
33	0	HKDF_Extract extract(m_prf->new_object());
34	0	HKDF_Expand expand(m_prf->new_object());
35	0	secure_vector<uint8_t> prk(m_prf->output_length());
36
37	0	extract.kdf(prk.data(), prk.size(), secret, secret_len, salt, salt_len, nullptr, 0);
38	0	expand.kdf(key, key_len, prk.data(), prk.size(), nullptr, 0, label, label_len);
39	0	}
40
41	0	std::unique_ptr<KDF> HKDF_Extract::new_object() const {
42	0	return std::make_unique<HKDF_Extract>(m_prf->new_object());
43	0	}
44
45	0	std::string HKDF_Extract::name() const {
46	0	return fmt("HKDF-Extract({})", m_prf->name());
47	0	}
48
49		void HKDF_Extract::kdf(uint8_t key[],
50		size_t key_len,
51		const uint8_t secret[],
52		size_t secret_len,
53		const uint8_t salt[],
54		size_t salt_len,
55		const uint8_t /label/[],
56	0	size_t label_len) const {
57	0	if(key_len == 0) {
58	0	return;
59	0	}
60
61	0	const size_t prf_output_len = m_prf->output_length();
62
63	0	if(key_len > prf_output_len) {
64	0	throw Invalid_Argument("HKDF-Extract maximum output length exceeeded");
65	0	}
66
67	0	if(label_len > 0) {
68	0	throw Invalid_Argument("HKDF-Extract does not support a label input");
69	0	}
70
71	0	if(salt_len == 0) {
72	0	m_prf->set_key(std::vector<uint8_t>(prf_output_len));
73	0	} else {
74	0	m_prf->set_key(salt, salt_len);
75	0	}
76
77	0	m_prf->update(secret, secret_len);
78
79	0	if(key_len == prf_output_len) {
80	0	m_prf->final(key);
81	0	} else {
82	0	secure_vector<uint8_t> prk;
83	0	m_prf->final(prk);
84	0	copy_mem(&key[0], prk.data(), key_len);
85	0	}
86	0	}
87
88	0	std::unique_ptr<KDF> HKDF_Expand::new_object() const {
89	0	return std::make_unique<HKDF_Expand>(m_prf->new_object());
90	0	}
91
92	0	std::string HKDF_Expand::name() const {
93	0	return fmt("HKDF-Expand({})", m_prf->name());
94	0	}
95
96		void HKDF_Expand::kdf(uint8_t key[],
97		size_t key_len,
98		const uint8_t secret[],
99		size_t secret_len,
100		const uint8_t salt[],
101		size_t salt_len,
102		const uint8_t label[],
103	0	size_t label_len) const {
104	0	if(key_len == 0) {
105	0	return;
106	0	}
107
108	0	if(key_len > m_prf->output_length() * 255) {
109	0	throw Invalid_Argument("HKDF-Expand maximum output length exceeeded");
110	0	}
111
112	0	m_prf->set_key(secret, secret_len);
113
114	0	uint8_t counter = 1;
115	0	secure_vector<uint8_t> h;
116	0	size_t offset = 0;
117
118	0	while(offset != key_len) {
119	0	m_prf->update(h);
120	0	m_prf->update(label, label_len);
121	0	m_prf->update(salt, salt_len);
122	0	m_prf->update(counter++);
123	0	m_prf->final(h);
124
125	0	const size_t written = std::min(h.size(), key_len - offset);
126	0	copy_mem(&key[offset], h.data(), written);
127	0	offset += written;
128	0	}
129	0	}
130
131		secure_vector<uint8_t> hkdf_expand_label(std::string_view hash_fn,
132		const uint8_t secret[],
133		size_t secret_len,
134		std::string_view label,
135		const uint8_t hash_val[],
136		size_t hash_val_len,
137	0	size_t length) {
138	0	BOTAN_ARG_CHECK(length <= 0xFFFF, "HKDF-Expand-Label requested output too large");
139	0	BOTAN_ARG_CHECK(label.size() <= 0xFF, "HKDF-Expand-Label label too long");
140	0	BOTAN_ARG_CHECK(hash_val_len <= 0xFF, "HKDF-Expand-Label hash too long");
141
142	0	const uint16_t length16 = static_cast<uint16_t>(length);
143
144	0	HKDF_Expand hkdf(MessageAuthenticationCode::create_or_throw(fmt("HMAC({})", hash_fn)));
145
146	0	secure_vector<uint8_t> output(length16);
147	0	std::vector<uint8_t> prefix(3 + label.size() + 1);
148
149	0	prefix[0] = get_byte<0>(length16);
150	0	prefix[1] = get_byte<1>(length16);
151	0	prefix[2] = static_cast<uint8_t>(label.size());
152
153	0	copy_mem(prefix.data() + 3, cast_char_ptr_to_uint8(label.data()), label.size());
154
155	0	prefix[3 + label.size()] = static_cast<uint8_t>(hash_val_len);
156
157		/*
158		* We do something a little dirty here to avoid copying the hash_val,
159		* making use of the fact that Botan's KDF interface supports label+salt,
160		* and knowing that our HKDF hashes first param label then param salt.
161		*/
162	0	hkdf.kdf(output.data(), output.size(), secret, secret_len, hash_val, hash_val_len, prefix.data(), prefix.size());
163
164	0	return output;
165	0	}
166
167		} // namespace Botan

Coverage Report

Created: 2024-11-29 06:10