/src/botan/src/lib/kdf/hkdf/hkdf.cpp
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * HKDF |
3 | | * (C) 2013,2015,2017 Jack Lloyd |
4 | | * (C) 2016 René Korthaus, Rohde & Schwarz Cybersecurity |
5 | | * |
6 | | * Botan is released under the Simplified BSD License (see license.txt) |
7 | | */ |
8 | | |
9 | | #include <botan/internal/hkdf.h> |
10 | | #include <botan/internal/loadstor.h> |
11 | | #include <botan/exceptn.h> |
12 | | |
13 | | namespace Botan { |
14 | | |
15 | | void HKDF::kdf(uint8_t key[], size_t key_len, |
16 | | const uint8_t secret[], size_t secret_len, |
17 | | const uint8_t salt[], size_t salt_len, |
18 | | const uint8_t label[], size_t label_len) const |
19 | 1.87k | { |
20 | 1.87k | HKDF_Extract extract(m_prf->new_object()); |
21 | 1.87k | HKDF_Expand expand(m_prf->new_object()); |
22 | 1.87k | secure_vector<uint8_t> prk(m_prf->output_length()); |
23 | | |
24 | 1.87k | extract.kdf(prk.data(), prk.size(), secret, secret_len, salt, salt_len, nullptr, 0); |
25 | 1.87k | expand.kdf(key, key_len, prk.data(), prk.size(), nullptr, 0, label, label_len); |
26 | 1.87k | } |
27 | | |
28 | | void HKDF_Extract::kdf(uint8_t key[], size_t key_len, |
29 | | const uint8_t secret[], size_t secret_len, |
30 | | const uint8_t salt[], size_t salt_len, |
31 | | const uint8_t /*label*/[], size_t label_len) const |
32 | 1.87k | { |
33 | 1.87k | if(key_len == 0) |
34 | 0 | return; |
35 | | |
36 | 1.87k | const size_t prf_output_len = m_prf->output_length(); |
37 | | |
38 | 1.87k | if(key_len > prf_output_len) |
39 | 0 | throw Invalid_Argument("HKDF-Extract maximum output length exceeeded"); |
40 | | |
41 | 1.87k | if(label_len > 0) |
42 | 0 | throw Invalid_Argument("HKDF-Extract does not support a label input"); |
43 | | |
44 | 1.87k | if(salt_len == 0) |
45 | 1.69k | { |
46 | 1.69k | m_prf->set_key(std::vector<uint8_t>(prf_output_len)); |
47 | 1.69k | } |
48 | 177 | else |
49 | 177 | { |
50 | 177 | m_prf->set_key(salt, salt_len); |
51 | 177 | } |
52 | | |
53 | 1.87k | m_prf->update(secret, secret_len); |
54 | | |
55 | 1.87k | if(key_len == prf_output_len) |
56 | 1.85k | { |
57 | 1.85k | m_prf->final(key); |
58 | 1.85k | } |
59 | 21 | else |
60 | 21 | { |
61 | 21 | secure_vector<uint8_t> prk; |
62 | 21 | m_prf->final(prk); |
63 | 21 | copy_mem(&key[0], prk.data(), key_len); |
64 | 21 | } |
65 | 1.87k | } |
66 | | |
67 | | void HKDF_Expand::kdf(uint8_t key[], size_t key_len, |
68 | | const uint8_t secret[], size_t secret_len, |
69 | | const uint8_t salt[], size_t salt_len, |
70 | | const uint8_t label[], size_t label_len) const |
71 | 1.85k | { |
72 | 1.85k | if(key_len == 0) |
73 | 116 | return; |
74 | | |
75 | 1.73k | if(key_len > m_prf->output_length() * 255) |
76 | 454 | throw Invalid_Argument("HKDF-Expand maximum output length exceeeded"); |
77 | | |
78 | 1.28k | m_prf->set_key(secret, secret_len); |
79 | | |
80 | 1.28k | uint8_t counter = 1; |
81 | 1.28k | secure_vector<uint8_t> h; |
82 | 1.28k | size_t offset = 0; |
83 | | |
84 | 145k | while(offset != key_len) |
85 | 144k | { |
86 | 144k | m_prf->update(h); |
87 | 144k | m_prf->update(label, label_len); |
88 | 144k | m_prf->update(salt, salt_len); |
89 | 144k | m_prf->update(counter++); |
90 | 144k | m_prf->final(h); |
91 | | |
92 | 144k | const size_t written = std::min(h.size(), key_len - offset); |
93 | 144k | copy_mem(&key[offset], h.data(), written); |
94 | 144k | offset += written; |
95 | 144k | } |
96 | 1.28k | } |
97 | | |
98 | | secure_vector<uint8_t> |
99 | | hkdf_expand_label(const std::string& hash_fn, |
100 | | const uint8_t secret[], size_t secret_len, |
101 | | const std::string& label, |
102 | | const uint8_t hash_val[], size_t hash_val_len, |
103 | | size_t length) |
104 | 0 | { |
105 | 0 | BOTAN_ARG_CHECK(length <= 0xFFFF, "HKDF-Expand-Label requested output too large"); |
106 | 0 | BOTAN_ARG_CHECK(label.size() <= 0xFF, "HKDF-Expand-Label label too long"); |
107 | 0 | BOTAN_ARG_CHECK(hash_val_len <= 0xFF, "HKDF-Expand-Label hash too long"); |
108 | |
|
109 | 0 | const uint16_t length16 = static_cast<uint16_t>(length); |
110 | |
|
111 | 0 | HKDF_Expand hkdf(MessageAuthenticationCode::create_or_throw("HMAC(" + hash_fn + ")")); |
112 | |
|
113 | 0 | secure_vector<uint8_t> output(length16); |
114 | 0 | std::vector<uint8_t> prefix(3 + label.size() + 1); |
115 | |
|
116 | 0 | prefix[0] = get_byte<0>(length16); |
117 | 0 | prefix[1] = get_byte<1>(length16); |
118 | 0 | prefix[2] = static_cast<uint8_t>(label.size()); |
119 | |
|
120 | 0 | copy_mem(prefix.data() + 3, |
121 | 0 | cast_char_ptr_to_uint8(label.data()), |
122 | 0 | label.size()); |
123 | |
|
124 | 0 | prefix[3 + label.size()] = static_cast<uint8_t>(hash_val_len); |
125 | | |
126 | | /* |
127 | | * We do something a little dirty here to avoid copying the hash_val, |
128 | | * making use of the fact that Botan's KDF interface supports label+salt, |
129 | | * and knowing that our HKDF hashes first param label then param salt. |
130 | | */ |
131 | 0 | hkdf.kdf(output.data(), output.size(), |
132 | 0 | secret, secret_len, |
133 | 0 | hash_val, hash_val_len, |
134 | 0 | prefix.data(), prefix.size()); |
135 | |
|
136 | 0 | return output; |
137 | 0 | } |
138 | | |
139 | | } |