From 270fd63e5d8c3683472108ff30860e5f0eb33ef1 Mon Sep 17 00:00:00 2001 From: beck <> Date: Sat, 6 May 2017 20:42:57 +0000 Subject: Bring in HKDF, from BoringSSL, with regress tests modified to be in C. Ride previous minor bump ok tom@ inoguchi@ jsing@ --- src/lib/libcrypto/Makefile | 7 ++- src/lib/libcrypto/hkdf/hkdf.c | 116 ++++++++++++++++++++++++++++++++++++++++++ src/lib/libcrypto/hkdf/hkdf.h | 64 +++++++++++++++++++++++ 3 files changed, 186 insertions(+), 1 deletion(-) create mode 100644 src/lib/libcrypto/hkdf/hkdf.c create mode 100644 src/lib/libcrypto/hkdf/hkdf.h (limited to 'src/lib') diff --git a/src/lib/libcrypto/Makefile b/src/lib/libcrypto/Makefile index 13f4ab0de5..6454d6b109 100644 --- a/src/lib/libcrypto/Makefile +++ b/src/lib/libcrypto/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.16 2017/04/30 04:44:58 jsing Exp $ +# $OpenBSD: Makefile,v 1.17 2017/05/06 20:42:57 beck Exp $ LIB= crypto @@ -169,6 +169,9 @@ SRCS+= gost89imit_pmeth.c gost_asn1.c gost_err.c gostr341001.c SRCS+= gostr341001_ameth.c gostr341001_key.c gostr341001_params.c SRCS+= gostr341001_pmeth.c gostr341194.c streebog.c +# hkdf/ +SRCS+= hkdf.c + # hmac/ SRCS+= hmac.c hm_ameth.c hm_pmeth.c @@ -287,6 +290,7 @@ SRCS+= pcy_cache.c pcy_node.c pcy_data.c pcy_map.c pcy_tree.c pcy_lib.c ${LCRYPTO_SRC}/err \ ${LCRYPTO_SRC}/evp \ ${LCRYPTO_SRC}/gost \ + ${LCRYPTO_SRC}/hkdf \ ${LCRYPTO_SRC}/hmac \ ${LCRYPTO_SRC}/idea \ ${LCRYPTO_SRC}/lhash \ @@ -344,6 +348,7 @@ HDRS=\ ${LCRYPTO_SRC}/err/err.h \ ${LCRYPTO_SRC}/evp/evp.h \ ${LCRYPTO_SRC}/gost/gost.h \ + ${LCRYPTO_SRC}/hkdf/hkdf.h \ ${LCRYPTO_SRC}/hmac/hmac.h \ ${LCRYPTO_SRC}/idea/idea.h \ ${LCRYPTO_SRC}/lhash/lhash.h \ diff --git a/src/lib/libcrypto/hkdf/hkdf.c b/src/lib/libcrypto/hkdf/hkdf.c new file mode 100644 index 0000000000..9fe587de13 --- /dev/null +++ b/src/lib/libcrypto/hkdf/hkdf.c @@ -0,0 +1,116 @@ +/* Copyright (c) 2014, Google Inc. + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include + +#include +#include + +#include +#include + +/* https://tools.ietf.org/html/rfc5869#section-2 */ +int +HKDF(uint8_t *out_key, size_t out_len, const EVP_MD *digest, + const uint8_t *secret, size_t secret_len, const uint8_t *salt, + size_t salt_len, const uint8_t *info, size_t info_len) +{ + uint8_t prk[EVP_MAX_MD_SIZE]; + size_t prk_len; + + if (!HKDF_extract(prk, &prk_len, digest, secret, secret_len, salt, + salt_len)) + return 0; + if (!HKDF_expand(out_key, out_len, digest, prk, prk_len, info, + info_len)) + return 0; + + return 1; +} + +/* https://tools.ietf.org/html/rfc5869#section-2.2 */ +int +HKDF_extract(uint8_t *out_key, size_t *out_len, + const EVP_MD *digest, const uint8_t *secret, size_t secret_len, + const uint8_t *salt, size_t salt_len) +{ + unsigned int len; + + /* + * If salt is not given, HashLength zeros are used. However, HMAC does that + * internally already so we can ignore it. + */ + if (HMAC(digest, salt, salt_len, secret, secret_len, out_key, &len) == + NULL) { + CRYPTOerror(ERR_R_CRYPTO_LIB); + return 0; + } + *out_len = len; + return 1; +} + +/* https://tools.ietf.org/html/rfc5869#section-2.3 */ +int +HKDF_expand(uint8_t *out_key, size_t out_len, + const EVP_MD *digest, const uint8_t *prk, size_t prk_len, + const uint8_t *info, size_t info_len) +{ + const size_t digest_len = EVP_MD_size(digest); + uint8_t previous[EVP_MAX_MD_SIZE]; + size_t n, done = 0; + unsigned int i; + int ret = 0; + HMAC_CTX hmac; + + /* Expand key material to desired length. */ + n = (out_len + digest_len - 1) / digest_len; + if (out_len + digest_len < out_len || n > 255) { + CRYPTOerror(EVP_R_TOO_LARGE); + return 0; + } + + HMAC_CTX_init(&hmac); + if (!HMAC_Init_ex(&hmac, prk, prk_len, digest, NULL)) + goto out; + + for (i = 0; i < n; i++) { + uint8_t ctr = i + 1; + size_t todo; + + if (i != 0 && (!HMAC_Init_ex(&hmac, NULL, 0, NULL, NULL) || + !HMAC_Update(&hmac, previous, digest_len))) + goto out; + + if (!HMAC_Update(&hmac, info, info_len) || + !HMAC_Update(&hmac, &ctr, 1) || + !HMAC_Final(&hmac, previous, NULL)) + goto out; + + todo = digest_len; + if (done + todo > out_len) + todo = out_len - done; + + memcpy(out_key + done, previous, todo); + done += todo; + } + + ret = 1; + + out: + HMAC_CTX_cleanup(&hmac); + if (ret != 1) + CRYPTOerror(ERR_R_CRYPTO_LIB); + return ret; +} diff --git a/src/lib/libcrypto/hkdf/hkdf.h b/src/lib/libcrypto/hkdf/hkdf.h new file mode 100644 index 0000000000..fb0fac37af --- /dev/null +++ b/src/lib/libcrypto/hkdf/hkdf.h @@ -0,0 +1,64 @@ +/* Copyright (c) 2014, Google Inc. + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +#ifndef OPENSSL_HEADER_HKDF_H +#define OPENSSL_HEADER_HKDF_H + +#include + +#if defined(__cplusplus) +extern "C" { +#endif + +/* + * HKDF computes HKDF (as specified by RFC 5869) of initial keying + * material |secret| with |salt| and |info| using |digest|, and + * outputs |out_len| bytes to |out_key|. It returns one on success and + * zero on error. + * + * HKDF is an Extract-and-Expand algorithm. It does not do any key + * stretching, and as such, is not suited to be used alone to generate + * a key from a password. + */ + +int HKDF(uint8_t *out_key, size_t out_len, const struct env_md_st *digest, + const uint8_t *secret, size_t secret_len, const uint8_t *salt, + size_t salt_len, const uint8_t *info, size_t info_len); + +/* + * HKDF_extract computes a HKDF PRK (as specified by RFC 5869) from + * initial keying material |secret| and salt |salt| using |digest|, + * and outputs |out_len| bytes to |out_key|. The maximum output size + * is |EVP_MAX_MD_SIZE|. It returns one on success and zero on error. + */ +int HKDF_extract(uint8_t *out_key, size_t *out_len, + const struct env_md_st *digest, const uint8_t *secret, + size_t secret_len, const uint8_t *salt, size_t salt_len); + +/* + * HKDF_expand computes a HKDF OKM (as specified by RFC 5869) of + * length |out_len| from the PRK |prk| and info |info| using |digest|, + * and outputs the result to |out_key|. It returns one on success and + * zero on error. + */ +int HKDF_expand(uint8_t *out_key, size_t out_len, + const EVP_MD *digest, const uint8_t *prk, size_t prk_len, + const uint8_t *info, size_t info_len); + + +#if defined(__cplusplus) +} /* extern C */ +#endif + +#endif /* OPENSSL_HEADER_HKDF_H */ -- cgit v1.2.3-55-g6feb