hkdf.c 4.6 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190
  1. /*
  2. * HKDF implementation -- RFC 5869
  3. *
  4. * Copyright The Mbed TLS Contributors
  5. * SPDX-License-Identifier: Apache-2.0
  6. *
  7. * Licensed under the Apache License, Version 2.0 (the "License"); you may
  8. * not use this file except in compliance with the License.
  9. * You may obtain a copy of the License at
  10. *
  11. * http://www.apache.org/licenses/LICENSE-2.0
  12. *
  13. * Unless required by applicable law or agreed to in writing, software
  14. * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
  15. * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  16. * See the License for the specific language governing permissions and
  17. * limitations under the License.
  18. */
  19. #include "common.h"
  20. #if defined(MBEDTLS_HKDF_C)
  21. #include <string.h>
  22. #include "mbedtls/hkdf.h"
  23. #include "mbedtls/platform_util.h"
  24. #include "mbedtls/error.h"
  25. int mbedtls_hkdf( const mbedtls_md_info_t *md, const unsigned char *salt,
  26. size_t salt_len, const unsigned char *ikm, size_t ikm_len,
  27. const unsigned char *info, size_t info_len,
  28. unsigned char *okm, size_t okm_len )
  29. {
  30. int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
  31. unsigned char prk[MBEDTLS_MD_MAX_SIZE];
  32. ret = mbedtls_hkdf_extract( md, salt, salt_len, ikm, ikm_len, prk );
  33. if( ret == 0 )
  34. {
  35. ret = mbedtls_hkdf_expand( md, prk, mbedtls_md_get_size( md ),
  36. info, info_len, okm, okm_len );
  37. }
  38. mbedtls_platform_zeroize( prk, sizeof( prk ) );
  39. return( ret );
  40. }
  41. int mbedtls_hkdf_extract( const mbedtls_md_info_t *md,
  42. const unsigned char *salt, size_t salt_len,
  43. const unsigned char *ikm, size_t ikm_len,
  44. unsigned char *prk )
  45. {
  46. unsigned char null_salt[MBEDTLS_MD_MAX_SIZE] = { '\0' };
  47. if( salt == NULL )
  48. {
  49. size_t hash_len;
  50. if( salt_len != 0 )
  51. {
  52. return MBEDTLS_ERR_HKDF_BAD_INPUT_DATA;
  53. }
  54. hash_len = mbedtls_md_get_size( md );
  55. if( hash_len == 0 )
  56. {
  57. return MBEDTLS_ERR_HKDF_BAD_INPUT_DATA;
  58. }
  59. salt = null_salt;
  60. salt_len = hash_len;
  61. }
  62. return( mbedtls_md_hmac( md, salt, salt_len, ikm, ikm_len, prk ) );
  63. }
  64. int mbedtls_hkdf_expand( const mbedtls_md_info_t *md, const unsigned char *prk,
  65. size_t prk_len, const unsigned char *info,
  66. size_t info_len, unsigned char *okm, size_t okm_len )
  67. {
  68. size_t hash_len;
  69. size_t where = 0;
  70. size_t n;
  71. size_t t_len = 0;
  72. size_t i;
  73. int ret = 0;
  74. mbedtls_md_context_t ctx;
  75. unsigned char t[MBEDTLS_MD_MAX_SIZE];
  76. if( okm == NULL )
  77. {
  78. return( MBEDTLS_ERR_HKDF_BAD_INPUT_DATA );
  79. }
  80. hash_len = mbedtls_md_get_size( md );
  81. if( prk_len < hash_len || hash_len == 0 )
  82. {
  83. return( MBEDTLS_ERR_HKDF_BAD_INPUT_DATA );
  84. }
  85. if( info == NULL )
  86. {
  87. info = (const unsigned char *) "";
  88. info_len = 0;
  89. }
  90. n = okm_len / hash_len;
  91. if( okm_len % hash_len != 0 )
  92. {
  93. n++;
  94. }
  95. /*
  96. * Per RFC 5869 Section 2.3, okm_len must not exceed
  97. * 255 times the hash length
  98. */
  99. if( n > 255 )
  100. {
  101. return( MBEDTLS_ERR_HKDF_BAD_INPUT_DATA );
  102. }
  103. mbedtls_md_init( &ctx );
  104. if( ( ret = mbedtls_md_setup( &ctx, md, 1 ) ) != 0 )
  105. {
  106. goto exit;
  107. }
  108. memset( t, 0, hash_len );
  109. /*
  110. * Compute T = T(1) | T(2) | T(3) | ... | T(N)
  111. * Where T(N) is defined in RFC 5869 Section 2.3
  112. */
  113. for( i = 1; i <= n; i++ )
  114. {
  115. size_t num_to_copy;
  116. unsigned char c = i & 0xff;
  117. ret = mbedtls_md_hmac_starts( &ctx, prk, prk_len );
  118. if( ret != 0 )
  119. {
  120. goto exit;
  121. }
  122. ret = mbedtls_md_hmac_update( &ctx, t, t_len );
  123. if( ret != 0 )
  124. {
  125. goto exit;
  126. }
  127. ret = mbedtls_md_hmac_update( &ctx, info, info_len );
  128. if( ret != 0 )
  129. {
  130. goto exit;
  131. }
  132. /* The constant concatenated to the end of each T(n) is a single octet.
  133. * */
  134. ret = mbedtls_md_hmac_update( &ctx, &c, 1 );
  135. if( ret != 0 )
  136. {
  137. goto exit;
  138. }
  139. ret = mbedtls_md_hmac_finish( &ctx, t );
  140. if( ret != 0 )
  141. {
  142. goto exit;
  143. }
  144. num_to_copy = i != n ? hash_len : okm_len - where;
  145. memcpy( okm + where, t, num_to_copy );
  146. where += hash_len;
  147. t_len = hash_len;
  148. }
  149. exit:
  150. mbedtls_md_free( &ctx );
  151. mbedtls_platform_zeroize( t, sizeof( t ) );
  152. return( ret );
  153. }
  154. #endif /* MBEDTLS_HKDF_C */