/src/botan/src/lib/kdf/hkdf/hkdf.cpp

Source
/*
* HKDF
* (C) 2013,2015,2017 Jack Lloyd
* (C) 2016 René Korthaus, Rohde & Schwarz Cybersecurity
* (C) 2024 René Meusel, Rohde & Schwarz Cybersecurity
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include <botan/internal/hkdf.h>

#include <botan/exceptn.h>
#include <botan/internal/fmt.h>
#include <botan/internal/loadstor.h>
#include <botan/internal/stl_util.h>

namespace Botan {

std::unique_ptr<KDF> HKDF::new_object() const {
   return std::make_unique<HKDF>(m_prf->new_object());
}

std::string HKDF::name() const {
   return fmt("HKDF({})", m_prf->name());
}

void HKDF::perform_kdf(std::span<uint8_t> key,
                       std::span<const uint8_t> secret,
                       std::span<const uint8_t> salt,
                       std::span<const uint8_t> label) const {
   HKDF_Extract extract(m_prf->new_object());
   HKDF_Expand expand(m_prf->new_object());
   secure_vector<uint8_t> prk(m_prf->output_length());

   extract.derive_key(prk, secret, salt, {});
   expand.derive_key(key, prk, {}, label);
}

std::unique_ptr<KDF> HKDF_Extract::new_object() const {
   return std::make_unique<HKDF_Extract>(m_prf->new_object());
}

std::string HKDF_Extract::name() const {
   return fmt("HKDF-Extract({})", m_prf->name());
}

void HKDF_Extract::perform_kdf(std::span<uint8_t> key,
                               std::span<const uint8_t> secret,
                               std::span<const uint8_t> salt,
                               std::span<const uint8_t> label) const {
   const size_t prf_output_len = m_prf->output_length();
   BOTAN_ARG_CHECK(key.size() <= prf_output_len, "HKDF-Extract maximum output length exceeeded");
   BOTAN_ARG_CHECK(label.empty(), "HKDF-Extract does not support a label input");

   if(key.empty()) {
      return;
   }

   if(salt.empty()) {
      m_prf->set_key(std::vector<uint8_t>(prf_output_len));
   } else {
      m_prf->set_key(salt);
   }

   m_prf->update(secret);

   if(key.size() == prf_output_len) {
      m_prf->final(key);
   } else {
      const auto prk = m_prf->final();
      copy_mem(key, std::span{prk}.first(key.size()));
   }
}

std::unique_ptr<KDF> HKDF_Expand::new_object() const {
   return std::make_unique<HKDF_Expand>(m_prf->new_object());
}

std::string HKDF_Expand::name() const {
   return fmt("HKDF-Expand({})", m_prf->name());
}

void HKDF_Expand::perform_kdf(std::span<uint8_t> key,
                              std::span<const uint8_t> secret,
                              std::span<const uint8_t> salt,
                              std::span<const uint8_t> label) const {
   const auto prf_output_length = m_prf->output_length();
   BOTAN_ARG_CHECK(key.size() <= prf_output_length * 255, "HKDF-Expand maximum output length exceeeded");

   if(key.empty()) {
      return;
   }

   // Keep a reference to the previous PRF output (empty by default).
   std::span<uint8_t> h = {};

   BufferStuffer k(key);
   m_prf->set_key(secret);
   for(uint8_t counter = 1; !k.full(); ++counter) {
      m_prf->update(h);
      m_prf->update(label);
      m_prf->update(salt);
      m_prf->update(counter);

      // Write straight into the output buffer, except if the PRF output needs
      // a truncation in the final iteration.
      if(k.remaining_capacity() >= prf_output_length) {
         h = k.next(prf_output_length);
         m_prf->final(h);
      } else {
         const auto full_prf_output = m_prf->final();
         h = {};  // this is the final iteration!
         k.append(std::span{full_prf_output}.first(k.remaining_capacity()));
      }
   }
}

secure_vector<uint8_t> hkdf_expand_label(std::string_view hash_fn,
                                         std::span<const uint8_t> secret,
                                         std::string_view label,
                                         std::span<const uint8_t> hash_val,
                                         size_t length) {
   BOTAN_ARG_CHECK(length <= 0xFFFF, "HKDF-Expand-Label requested output too large");
   BOTAN_ARG_CHECK(label.size() <= 0xFF, "HKDF-Expand-Label label too long");
   BOTAN_ARG_CHECK(hash_val.size() <= 0xFF, "HKDF-Expand-Label hash too long");

   HKDF_Expand hkdf(MessageAuthenticationCode::create_or_throw(fmt("HMAC({})", hash_fn)));

   const auto prefix = concat<std::vector<uint8_t>>(store_be(static_cast<uint16_t>(length)),
                                                    store_be(static_cast<uint8_t>(label.size())),
                                                    std::span{cast_char_ptr_to_uint8(label.data()), label.size()},
                                                    store_be(static_cast<uint8_t>(hash_val.size())));

   /*
   * We do something a little dirty here to avoid copying the hash_val,
   * making use of the fact that Botan's KDF interface supports label+salt,
   * and knowing that our HKDF hashes first param label then param salt.
   */
   return hkdf.derive_key(length, secret, hash_val, prefix);
}

}  // namespace Botan

Line	Count	Source
1		/*
2		* HKDF
3		* (C) 2013,2015,2017 Jack Lloyd
4		* (C) 2016 René Korthaus, Rohde & Schwarz Cybersecurity
5		* (C) 2024 René Meusel, Rohde & Schwarz Cybersecurity
6		*
7		* Botan is released under the Simplified BSD License (see license.txt)
8		*/
9
10		#include <botan/internal/hkdf.h>
11
12		#include <botan/exceptn.h>
13		#include <botan/internal/fmt.h>
14		#include <botan/internal/loadstor.h>
15		#include <botan/internal/stl_util.h>
16
17		namespace Botan {
18
19	0	std::unique_ptr<KDF> HKDF::new_object() const {
20	0	return std::make_unique<HKDF>(m_prf->new_object());
21	0	}
22
23	0	std::string HKDF::name() const {
24	0	return fmt("HKDF({})", m_prf->name());
25	0	}
26
27		void HKDF::perform_kdf(std::span<uint8_t> key,
28		std::span<const uint8_t> secret,
29		std::span<const uint8_t> salt,
30	0	std::span<const uint8_t> label) const {
31	0	HKDF_Extract extract(m_prf->new_object());
32	0	HKDF_Expand expand(m_prf->new_object());
33	0	secure_vector<uint8_t> prk(m_prf->output_length());
34
35	0	extract.derive_key(prk, secret, salt, {});
36	0	expand.derive_key(key, prk, {}, label);
37	0	}
38
39	0	std::unique_ptr<KDF> HKDF_Extract::new_object() const {
40	0	return std::make_unique<HKDF_Extract>(m_prf->new_object());
41	0	}
42
43	0	std::string HKDF_Extract::name() const {
44	0	return fmt("HKDF-Extract({})", m_prf->name());
45	0	}
46
47		void HKDF_Extract::perform_kdf(std::span<uint8_t> key,
48		std::span<const uint8_t> secret,
49		std::span<const uint8_t> salt,
50	0	std::span<const uint8_t> label) const {
51	0	const size_t prf_output_len = m_prf->output_length();
52	0	BOTAN_ARG_CHECK(key.size() <= prf_output_len, "HKDF-Extract maximum output length exceeeded");
53	0	BOTAN_ARG_CHECK(label.empty(), "HKDF-Extract does not support a label input");
54
55	0	if(key.empty()) {
56	0	return;
57	0	}
58
59	0	if(salt.empty()) {
60	0	m_prf->set_key(std::vector<uint8_t>(prf_output_len));
61	0	} else {
62	0	m_prf->set_key(salt);
63	0	}
64
65	0	m_prf->update(secret);
66
67	0	if(key.size() == prf_output_len) {
68	0	m_prf->final(key);
69	0	} else {
70	0	const auto prk = m_prf->final();
71	0	copy_mem(key, std::span{prk}.first(key.size()));
72	0	}
73	0	}
74
75	0	std::unique_ptr<KDF> HKDF_Expand::new_object() const {
76	0	return std::make_unique<HKDF_Expand>(m_prf->new_object());
77	0	}
78
79	0	std::string HKDF_Expand::name() const {
80	0	return fmt("HKDF-Expand({})", m_prf->name());
81	0	}
82
83		void HKDF_Expand::perform_kdf(std::span<uint8_t> key,
84		std::span<const uint8_t> secret,
85		std::span<const uint8_t> salt,
86	0	std::span<const uint8_t> label) const {
87	0	const auto prf_output_length = m_prf->output_length();
88	0	BOTAN_ARG_CHECK(key.size() <= prf_output_length * 255, "HKDF-Expand maximum output length exceeeded");
89
90	0	if(key.empty()) {
91	0	return;
92	0	}
93
94		// Keep a reference to the previous PRF output (empty by default).
95	0	std::span<uint8_t> h = {};
96
97	0	BufferStuffer k(key);
98	0	m_prf->set_key(secret);
99	0	for(uint8_t counter = 1; !k.full(); ++counter) {
100	0	m_prf->update(h);
101	0	m_prf->update(label);
102	0	m_prf->update(salt);
103	0	m_prf->update(counter);
104
105		// Write straight into the output buffer, except if the PRF output needs
106		// a truncation in the final iteration.
107	0	if(k.remaining_capacity() >= prf_output_length) {
108	0	h = k.next(prf_output_length);
109	0	m_prf->final(h);
110	0	} else {
111	0	const auto full_prf_output = m_prf->final();
112	0	h = {}; // this is the final iteration!
113	0	k.append(std::span{full_prf_output}.first(k.remaining_capacity()));
114	0	}
115	0	}
116	0	}
117
118		secure_vector<uint8_t> hkdf_expand_label(std::string_view hash_fn,
119		std::span<const uint8_t> secret,
120		std::string_view label,
121		std::span<const uint8_t> hash_val,
122	0	size_t length) {
123	0	BOTAN_ARG_CHECK(length <= 0xFFFF, "HKDF-Expand-Label requested output too large");
124	0	BOTAN_ARG_CHECK(label.size() <= 0xFF, "HKDF-Expand-Label label too long");
125	0	BOTAN_ARG_CHECK(hash_val.size() <= 0xFF, "HKDF-Expand-Label hash too long");
126
127	0	HKDF_Expand hkdf(MessageAuthenticationCode::create_or_throw(fmt("HMAC({})", hash_fn)));
128
129	0	const auto prefix = concat<std::vector<uint8_t>>(store_be(static_cast<uint16_t>(length)),
130	0	store_be(static_cast<uint8_t>(label.size())),
131	0	std::span{cast_char_ptr_to_uint8(label.data()), label.size()},
132	0	store_be(static_cast<uint8_t>(hash_val.size())));
133
134		/*
135		* We do something a little dirty here to avoid copying the hash_val,
136		* making use of the fact that Botan's KDF interface supports label+salt,
137		* and knowing that our HKDF hashes first param label then param salt.
138		*/
139	0	return hkdf.derive_key(length, secret, hash_val, prefix);
140	0	}
141
142		} // namespace Botan

Coverage Report

Created: 2026-04-01 07:07