Bring in HKDF, from BoringSSL, with regress tests modified to be

in C. Ride previous minor bump
ok tom@ inoguchi@ jsing@

3 files changed, 186 insertions, 1 deletions

diff --git a/src/lib/libcrypto/Makefile b/src/lib/libcrypto/Makefile
index 13f4ab0de5..6454d6b109 100644
--- a/src/lib/libcrypto/Makefile
+++ b/src/lib/libcrypto/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.16 2017/04/30 04:44:58 jsing Exp $
+# $OpenBSD: Makefile,v 1.17 2017/05/06 20:42:57 beck Exp $
 
 LIB=    crypto
 
@@ -169,6 +169,9 @@ SRCS+= gost89imit_pmeth.c gost_asn1.c gost_err.c gostr341001.c
 SRCS+= gostr341001_ameth.c gostr341001_key.c gostr341001_params.c
 SRCS+= gostr341001_pmeth.c gostr341194.c streebog.c
 
+# hkdf/
+SRCS+= hkdf.c
+
 # hmac/
 SRCS+= hmac.c hm_ameth.c hm_pmeth.c
 
@@ -287,6 +290,7 @@ SRCS+= pcy_cache.c pcy_node.c pcy_data.c pcy_map.c pcy_tree.c pcy_lib.c
         ${LCRYPTO_SRC}/err \
         ${LCRYPTO_SRC}/evp \
         ${LCRYPTO_SRC}/gost \
+        ${LCRYPTO_SRC}/hkdf \
         ${LCRYPTO_SRC}/hmac \
         ${LCRYPTO_SRC}/idea \
         ${LCRYPTO_SRC}/lhash \
@@ -344,6 +348,7 @@ HDRS=\
         ${LCRYPTO_SRC}/err/err.h \
         ${LCRYPTO_SRC}/evp/evp.h \
         ${LCRYPTO_SRC}/gost/gost.h \
+        ${LCRYPTO_SRC}/hkdf/hkdf.h \
         ${LCRYPTO_SRC}/hmac/hmac.h \
         ${LCRYPTO_SRC}/idea/idea.h \
         ${LCRYPTO_SRC}/lhash/lhash.h \
diff --git a/src/lib/libcrypto/hkdf/hkdf.c b/src/lib/libcrypto/hkdf/hkdf.c
new file mode 100644
index 0000000000..9fe587de13
--- /dev/null
+++ b/src/lib/libcrypto/hkdf/hkdf.c
@@ -0,0 +1,116 @@
+/* Copyright (c) 2014, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <openssl/hkdf.h>
+
+#include <assert.h>
+#include <string.h>
+
+#include <openssl/err.h>
+#include <openssl/hmac.h>
+
+/* https://tools.ietf.org/html/rfc5869#section-2 */
+int
+HKDF(uint8_t *out_key, size_t out_len, const EVP_MD *digest,
+    const uint8_t *secret, size_t secret_len, const uint8_t *salt,
+    size_t salt_len, const uint8_t *info, size_t info_len)
+{
+        uint8_t prk[EVP_MAX_MD_SIZE];
+        size_t prk_len;
+
+        if (!HKDF_extract(prk, &prk_len, digest, secret, secret_len, salt,
+                salt_len))
+                return 0;
+        if (!HKDF_expand(out_key, out_len, digest, prk, prk_len, info,
+                info_len))
+                return 0;
+
+        return 1;
+}
+
+/* https://tools.ietf.org/html/rfc5869#section-2.2 */
+int
+HKDF_extract(uint8_t *out_key, size_t *out_len,
+    const EVP_MD *digest, const uint8_t *secret, size_t secret_len,
+    const uint8_t *salt, size_t salt_len)
+{
+        unsigned int len;
+
+        /*
+         * If salt is not given, HashLength zeros are used. However, HMAC does that
+         * internally already so we can ignore it.
+         */
+        if (HMAC(digest, salt, salt_len, secret, secret_len, out_key, &len) ==
+            NULL) {
+                CRYPTOerror(ERR_R_CRYPTO_LIB);
+                return 0;
+        }
+        *out_len = len;
+        return 1;
+}
+
+/* https://tools.ietf.org/html/rfc5869#section-2.3 */
+int
+HKDF_expand(uint8_t *out_key, size_t out_len,
+    const EVP_MD *digest, const uint8_t *prk, size_t prk_len,
+    const uint8_t *info, size_t info_len)
+{
+        const size_t digest_len = EVP_MD_size(digest);
+        uint8_t previous[EVP_MAX_MD_SIZE];
+        size_t n, done = 0;
+        unsigned int i;
+        int ret = 0;
+        HMAC_CTX hmac;
+
+        /* Expand key material to desired length. */
+        n = (out_len + digest_len - 1) / digest_len;
+        if (out_len + digest_len < out_len || n > 255) {
+                CRYPTOerror(EVP_R_TOO_LARGE);
+                return 0;
+        }
+
+        HMAC_CTX_init(&hmac);
+        if (!HMAC_Init_ex(&hmac, prk, prk_len, digest, NULL))
+                goto out;
+
+        for (i = 0; i < n; i++) {
+                uint8_t ctr = i + 1;
+                size_t todo;
+
+                if (i != 0 && (!HMAC_Init_ex(&hmac, NULL, 0, NULL, NULL) ||
+                        !HMAC_Update(&hmac, previous, digest_len)))
+                        goto out;
+
+                if (!HMAC_Update(&hmac, info, info_len) ||
+                    !HMAC_Update(&hmac, &ctr, 1) ||
+                    !HMAC_Final(&hmac, previous, NULL))
+                        goto out;
+
+                todo = digest_len;
+                if (done + todo > out_len)
+                        todo = out_len - done;
+
+                memcpy(out_key + done, previous, todo);
+                done += todo;
+        }
+
+        ret = 1;
+
+ out:
+        HMAC_CTX_cleanup(&hmac);
+        if (ret != 1)
+                CRYPTOerror(ERR_R_CRYPTO_LIB);
+        return ret;
+}
diff --git a/src/lib/libcrypto/hkdf/hkdf.h b/src/lib/libcrypto/hkdf/hkdf.h
new file mode 100644
index 0000000000..fb0fac37af
--- /dev/null
+++ b/src/lib/libcrypto/hkdf/hkdf.h
@@ -0,0 +1,64 @@
+/* Copyright (c) 2014, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_HKDF_H
+#define OPENSSL_HEADER_HKDF_H
+
+#include <openssl/evp.h>
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+/*
+ * HKDF computes HKDF (as specified by RFC 5869) of initial keying
+ * material |secret| with |salt| and |info| using |digest|, and
+ * outputs |out_len| bytes to |out_key|. It returns one on success and
+ * zero on error.
+ *
+ * HKDF is an Extract-and-Expand algorithm. It does not do any key
+ * stretching, and as such, is not suited to be used alone to generate
+ * a key from a password.
+ */
+
+int HKDF(uint8_t *out_key, size_t out_len, const struct env_md_st *digest,
+    const uint8_t *secret, size_t secret_len, const uint8_t *salt,
+    size_t salt_len, const uint8_t *info, size_t info_len);
+
+/*
+ * HKDF_extract computes a HKDF PRK (as specified by RFC 5869) from
+ * initial keying material |secret| and salt |salt| using |digest|,
+ * and outputs |out_len| bytes to |out_key|. The maximum output size
+ * is |EVP_MAX_MD_SIZE|.  It returns one on success and zero on error.
+ */
+int HKDF_extract(uint8_t *out_key, size_t *out_len,
+    const struct env_md_st *digest, const uint8_t *secret,
+    size_t secret_len, const uint8_t *salt, size_t salt_len);
+
+/*
+ * HKDF_expand computes a HKDF OKM (as specified by RFC 5869) of
+ * length |out_len| from the PRK |prk| and info |info| using |digest|,
+ * and outputs the result to |out_key|. It returns one on success and
+ * zero on error.
+ */
+int HKDF_expand(uint8_t *out_key, size_t out_len,
+    const EVP_MD *digest, const uint8_t *prk, size_t prk_len,
+    const uint8_t *info,  size_t info_len);
+
+
+#if defined(__cplusplus)
+}  /* extern C */
+#endif
+
+#endif  /* OPENSSL_HEADER_HKDF_H */