Botan 2.19.3
Crypto and TLS for C&
hkdf.cpp
Go to the documentation of this file.
1/*
2* HKDF
3* (C) 2013,2015,2017 Jack Lloyd
4* (C) 2016 René Korthaus, Rohde & Schwarz Cybersecurity
5*
6* Botan is released under the Simplified BSD License (see license.txt)
7*/
8
9#include <botan/hkdf.h>
10#include <botan/loadstor.h>
11
12namespace Botan {
13
14size_t HKDF::kdf(uint8_t key[], size_t key_len,
15 const uint8_t secret[], size_t secret_len,
16 const uint8_t salt[], size_t salt_len,
17 const uint8_t label[], size_t label_len) const
18 {
19 HKDF_Extract extract(m_prf->clone());
20 HKDF_Expand expand(m_prf->clone());
21 secure_vector<uint8_t> prk(m_prf->output_length());
22
23 extract.kdf(prk.data(), prk.size(), secret, secret_len, salt, salt_len, nullptr, 0);
24 return expand.kdf(key, key_len, prk.data(), prk.size(), nullptr, 0, label, label_len);
25 }
26
27size_t HKDF_Extract::kdf(uint8_t key[], size_t key_len,
28 const uint8_t secret[], size_t secret_len,
29 const uint8_t salt[], size_t salt_len,
30 const uint8_t[], size_t) const
31 {
33 if(salt_len == 0)
34 {
35 m_prf->set_key(std::vector<uint8_t>(m_prf->output_length()));
36 }
37 else
38 {
39 m_prf->set_key(salt, salt_len);
40 }
41
42 m_prf->update(secret, secret_len);
43 m_prf->final(prk);
44
45 const size_t written = std::min(prk.size(), key_len);
46 copy_mem(&key[0], prk.data(), written);
47 // FIXME: returns truncated output
48 return written;
49 }
50
51size_t HKDF_Expand::kdf(uint8_t key[], size_t key_len,
52 const uint8_t secret[], size_t secret_len,
53 const uint8_t salt[], size_t salt_len,
54 const uint8_t label[], size_t label_len) const
55 {
56 m_prf->set_key(secret, secret_len);
57
58 uint8_t counter = 1;
60 size_t offset = 0;
61
62 while(offset != key_len && counter != 0)
63 {
64 m_prf->update(h);
65 m_prf->update(label, label_len);
66 m_prf->update(salt, salt_len);
67 m_prf->update(counter++);
68 m_prf->final(h);
69
70 const size_t written = std::min(h.size(), key_len - offset);
71 copy_mem(&key[offset], h.data(), written);
72 offset += written;
73 }
74
75 // FIXME: returns truncated output
76 return offset;
77 }
78
80hkdf_expand_label(const std::string& hash_fn,
81 const uint8_t secret[], size_t secret_len,
82 const std::string& label,
83 const uint8_t hash_val[], size_t hash_val_len,
84 size_t length)
85 {
86 BOTAN_ARG_CHECK(length <= 0xFFFF, "HKDF-Expand-Label requested output too large");
87 BOTAN_ARG_CHECK(label.size() <= 0xFF, "HKDF-Expand-Label label too long");
88 BOTAN_ARG_CHECK(hash_val_len <= 0xFF, "HKDF-Expand-Label hash too long");
89
90 const uint16_t length16 = static_cast<uint16_t>(length);
91
92 auto mac = MessageAuthenticationCode::create_or_throw("HMAC(" + hash_fn + ")");
93
94 HKDF_Expand hkdf(mac.release());
95
96 secure_vector<uint8_t> output(length16);
97 std::vector<uint8_t> prefix(3 + label.size() + 1);
98
99 prefix[0] = get_byte(0, length16);
100 prefix[1] = get_byte(1, length16);
101 prefix[2] = static_cast<uint8_t>(label.size());
102
103 copy_mem(prefix.data() + 3,
104 cast_char_ptr_to_uint8(label.data()),
105 label.size());
106
107 prefix[3 + label.size()] = static_cast<uint8_t>(hash_val_len);
108
109 /*
110 * We do something a little dirty here to avoid copying the hash_val,
111 * making use of the fact that Botan's KDF interface supports label+salt,
112 * and knowing that our HKDF hashes first param label then param salt.
113 */
114 hkdf.kdf(output.data(), output.size(),
115 secret, secret_len,
116 hash_val, hash_val_len,
117 prefix.data(), prefix.size());
118
119 return output;
120 }
121
122}
#define BOTAN_ARG_CHECK(expr, msg)
Definition assert.h:37
size_t kdf(uint8_t key[], size_t key_len, const uint8_t secret[], size_t secret_len, const uint8_t salt[], size_t salt_len, const uint8_t label[], size_t label_len) const override
Definition hkdf.cpp:51
size_t kdf(uint8_t key[], size_t key_len, const uint8_t secret[], size_t secret_len, const uint8_t salt[], size_t salt_len, const uint8_t label[], size_t label_len) const override
Definition hkdf.cpp:27
size_t kdf(uint8_t key[], size_t key_len, const uint8_t secret[], size_t secret_len, const uint8_t salt[], size_t salt_len, const uint8_t label[], size_t label_len) const override
Definition hkdf.cpp:14
static std::unique_ptr< MessageAuthenticationCode > create_or_throw(const std::string &algo_spec, const std::string &provider="")
Definition mac.cpp:139
secure_vector< uint8_t > hkdf_expand_label(const std::string &hash_fn, const uint8_t secret[], size_t secret_len, const std::string &label, const uint8_t hash_val[], size_t hash_val_len, size_t length)
Definition hkdf.cpp:80
void copy_mem(T *out, const T *in, size_t n)
Definition mem_ops.h:133
constexpr uint8_t get_byte(size_t byte_num, T input)
Definition loadstor.h:41
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:65
const uint8_t * cast_char_ptr_to_uint8(const char *s)
Definition mem_ops.h:190
size_t salt_len
Definition x509_obj.cpp:25