Commit 33ba12ad authored by Rusty Russell's avatar Rusty Russell

crypto/hkdf_sha256: new module.

Signed-off-by: default avatarRusty Russell <rusty@rustcorp.com.au>
parent ce907a7f
../../../licenses/BSD-MIT
\ No newline at end of file
#include "config.h"
#include <stdio.h>
#include <string.h>
/**
* crypto/hkdf_sha256 - RFC5869 Hardened Key Derivation Functions using SHA256
*
* This code implements the hkdf described in RFC5869.
*
* License: BSD-MIT
* Maintainer: Rusty Russell <rusty@rustcorp.com.au>
*/
int main(int argc, char *argv[])
{
/* Expect exactly one argument */
if (argc != 2)
return 1;
if (strcmp(argv[1], "depends") == 0) {
printf("ccan/crypto/hmac_sha256\n");
return 0;
}
if (strcmp(argv[1], "testdepends") == 0) {
printf("ccan/str/hex\n");
return 0;
}
return 1;
}
/* MIT (BSD) license - see LICENSE file for details */
#include <ccan/crypto/hkdf_sha256/hkdf_sha256.h>
#include <ccan/crypto/hmac_sha256/hmac_sha256.h>
#include <assert.h>
#include <string.h>
void hkdf_sha256(unsigned char *okm, size_t okm_size,
const void *s, size_t ssize,
const void *k, size_t ksize,
const void *info, size_t isize)
{
struct hmac_sha256 prk, t;
struct hmac_sha256_ctx ctx;
unsigned char c;
assert(okm_size < 255 * sizeof(t));
/* RFC 5869:
*
* 2.2. Step 1: Extract
*
* HKDF-Extract(salt, IKM) -> PRK
*
* Options:
* Hash a hash function; HashLen denotes the length of the
* hash function output in octets
*
* Inputs:
* salt optional salt value (a non-secret random value);
* if not provided, it is set to a string of HashLen zeros.
* IKM input keying material
*
* Output:
* PRK a pseudorandom key (of HashLen octets)
*
* The output PRK is calculated as follows:
*
* PRK = HMAC-Hash(salt, IKM)
*/
hmac_sha256(&prk, s, ssize, k, ksize);
/*
* 2.3. Step 2: Expand
*
* HKDF-Expand(PRK, info, L) -> OKM
*
* Options:
* Hash a hash function; HashLen denotes the length of the
* hash function output in octets
*
* Inputs:
* PRK a pseudorandom key of at least HashLen octets
* (usually, the output from the extract step)
* info optional context and application specific information
* (can be a zero-length string)
* L length of output keying material in octets
* (<= 255*HashLen)
*
* Output:
* OKM output keying material (of L octets)
*
* The output OKM is calculated as follows:
*
* N = ceil(L/HashLen)
* T = T(1) | T(2) | T(3) | ... | T(N)
* OKM = first L octets of T
*
* where:
* T(0) = empty string (zero length)
* T(1) = HMAC-Hash(PRK, T(0) | info | 0x01)
* T(2) = HMAC-Hash(PRK, T(1) | info | 0x02)
* T(3) = HMAC-Hash(PRK, T(2) | info | 0x03)
* ...
*
* (where the constant concatenated to the end of each T(n) is a
* single octet.)
*/
c = 1;
hmac_sha256_init(&ctx, &prk, sizeof(prk));
hmac_sha256_update(&ctx, info, isize);
hmac_sha256_update(&ctx, &c, 1);
hmac_sha256_done(&ctx, &t);
while (okm_size > sizeof(t)) {
memcpy(okm, &t, sizeof(t));
okm += sizeof(t);
okm_size -= sizeof(t);
c++;
hmac_sha256_init(&ctx, &prk, sizeof(prk));
hmac_sha256_update(&ctx, &t, sizeof(t));
hmac_sha256_update(&ctx, info, isize);
hmac_sha256_update(&ctx, &c, 1);
hmac_sha256_done(&ctx, &t);
}
memcpy(okm, &t, okm_size);
}
#ifndef CCAN_CRYPTO_HKDF_SHA256_H
#define CCAN_CRYPTO_HKDF_SHA256_H
/* BSD-MIT - see LICENSE file for details */
#include "config.h"
#include <stdlib.h>
/**
* hkdf_sha256 - generate a derived key
* @okm: where to output the key
* @okm_size: the number of bytes pointed to by @okm (must be less than 255*32)
* @s: salt
* @ssize: the number of bytes pointed to by @s
* @k: pointer to input key
* @ksize: the number of bytes pointed to by @k
* @info: pointer to info
* @isize: the number of bytes pointed to by @info
*/
void hkdf_sha256(unsigned char *okm, size_t okm_size,
const void *s, size_t ssize,
const void *k, size_t ksize,
const void *info, size_t isize);
#endif /* CCAN_CRYPTO_HKDF_SHA256_H */
/* From RFC5869 Appendix A
*
* https://tools.ietf.org/html/rfc5869
*/
#include <ccan/crypto/hkdf_sha256/hkdf_sha256.h>
#include <ccan/tap/tap.h>
#include <ccan/str/hex/hex.h>
#include <string.h>
#include <assert.h>
struct test {
const char *ikm, *salt, *info, *okm;
};
static struct test tests[] = { {
/* Test Case 1
Basic test case with SHA-256
*/
"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b", /* (22 octets) */
"000102030405060708090a0b0c", /* (13 octets) */
"f0f1f2f3f4f5f6f7f8f9", /* (10 octets) */
"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865", /* (42 octets) */
},
{
/* Test Case 2
*
* Test with SHA-256 and longer inputs/outputs */
"000102030405060708090a0b0c0d0e0f"
"101112131415161718191a1b1c1d1e1f"
"202122232425262728292a2b2c2d2e2f"
"303132333435363738393a3b3c3d3e3f"
"404142434445464748494a4b4c4d4e4f", /* (80 octets) */
"606162636465666768696a6b6c6d6e6f"
"707172737475767778797a7b7c7d7e7f"
"808182838485868788898a8b8c8d8e8f"
"909192939495969798999a9b9c9d9e9f"
"a0a1a2a3a4a5a6a7a8a9aaabacadaeaf", /* (80 octets )*/
"b0b1b2b3b4b5b6b7b8b9babbbcbdbebf"
"c0c1c2c3c4c5c6c7c8c9cacbcccdcecf"
"d0d1d2d3d4d5d6d7d8d9dadbdcdddedf"
"e0e1e2e3e4e5e6e7e8e9eaebecedeeef"
"f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff", /* (80 octets) */
"b11e398dc80327a1c8e7f78c596a4934"
"4f012eda2d4efad8a050cc4c19afa97c"
"59045a99cac7827271cb41c65e590e09"
"da3275600c2f09b8367793a9aca3db71"
"cc30c58179ec3e87c14c01d5c1f3434f"
"1d87" /* (82 octets) */
},
{
/* Test Case 3
*
* Test with SHA-256 and zero-length salt/info
*/
"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b", /* (22 octets) */
"", /* (0 octets) */
"", /* (0 octets) */
"8da4e775a563c18f715f802a063c5a31"
"b8a11f5c5ee1879ec3454e5f3c738d2d"
"9d201395faa4b61a96c8" /* (42 octets) */
}
};
static void *fromhex(const char *str, size_t *len)
{
void *p;
*len = hex_data_size(strlen(str));
p = malloc(*len);
if (!hex_decode(str, strlen(str), p, *len))
abort();
return p;
}
int main(void)
{
size_t i;
plan_tests(sizeof(tests) / sizeof(tests[0]));
for (i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) {
size_t ksize, ssize, isize, okmsize;
void *k, *s, *info, *expect, *okm;
k = fromhex(tests[i].ikm, &ksize);
s = fromhex(tests[i].salt, &ssize);
info = fromhex(tests[i].info, &isize);
expect = fromhex(tests[i].okm, &okmsize);
okm = malloc(okmsize);
hkdf_sha256(okm, okmsize, s, ssize, k, ksize, info, isize);
ok1(memcmp(okm, expect, okmsize) == 0);
free(k);
free(s);
free(info);
free(expect);
free(okm);
}
return exit_status();
}
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment