xref: /openbsd/lib/libcrypto/hkdf/hkdf.c (revision 274d7c50) 
1 /* $OpenBSD: hkdf.c,v 1.4 2019/11/21 20:02:20 tim Exp $ */
2 /* Copyright (c) 2014, Google Inc.
3  *
4  * Permission to use, copy, modify, and/or distribute this software for any
5  * purpose with or without fee is hereby granted, provided that the above
6  * copyright notice and this permission notice appear in all copies.
7  *
8  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
11  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
13  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
14  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15  */
16 
17 #include <openssl/hkdf.h>
18 
19 #include <assert.h>
20 #include <string.h>
21 
22 #include <openssl/err.h>
23 #include <openssl/hmac.h>
24 
25 /* https://tools.ietf.org/html/rfc5869#section-2 */
26 int
27 HKDF(uint8_t *out_key, size_t out_len, const EVP_MD *digest,
28     const uint8_t *secret, size_t secret_len, const uint8_t *salt,
29     size_t salt_len, const uint8_t *info, size_t info_len)
30 {
31 	uint8_t prk[EVP_MAX_MD_SIZE];
32 	size_t prk_len;
33 
34 	if (!HKDF_extract(prk, &prk_len, digest, secret, secret_len, salt,
35 	    salt_len))
36 		return 0;
37 	if (!HKDF_expand(out_key, out_len, digest, prk, prk_len, info,
38 	    info_len))
39 		return 0;
40 
41 	return 1;
42 }
43 
44 /* https://tools.ietf.org/html/rfc5869#section-2.2 */
45 int
46 HKDF_extract(uint8_t *out_key, size_t *out_len,
47     const EVP_MD *digest, const uint8_t *secret, size_t secret_len,
48     const uint8_t *salt, size_t salt_len)
49 {
50 	unsigned int len;
51 
52 	/*
53 	 * If salt is not given, HashLength zeros are used. However, HMAC does
54 	 * that internally already so we can ignore it.
55 	 */
56 	if (HMAC(digest, salt, salt_len, secret, secret_len, out_key, &len) ==
57 	    NULL) {
58 		CRYPTOerror(ERR_R_CRYPTO_LIB);
59 		return 0;
60 	}
61 	*out_len = len;
62 	return 1;
63 }
64 
65 /* https://tools.ietf.org/html/rfc5869#section-2.3 */
66 int
67 HKDF_expand(uint8_t *out_key, size_t out_len,
68     const EVP_MD *digest, const uint8_t *prk, size_t prk_len,
69     const uint8_t *info, size_t info_len)
70 {
71 	const size_t digest_len = EVP_MD_size(digest);
72 	uint8_t previous[EVP_MAX_MD_SIZE];
73 	size_t n, done = 0;
74 	unsigned int i;
75 	int ret = 0;
76 	HMAC_CTX hmac;
77 
78 	/* Expand key material to desired length. */
79 	n = (out_len + digest_len - 1) / digest_len;
80 	if (out_len + digest_len < out_len || n > 255) {
81 		CRYPTOerror(EVP_R_TOO_LARGE);
82 		return 0;
83 	}
84 
85 	HMAC_CTX_init(&hmac);
86 	if (!HMAC_Init_ex(&hmac, prk, prk_len, digest, NULL))
87 		goto out;
88 
89 	for (i = 0; i < n; i++) {
90 		uint8_t ctr = i + 1;
91 		size_t todo;
92 
93 		if (i != 0 && (!HMAC_Init_ex(&hmac, NULL, 0, NULL, NULL) ||
94 		    !HMAC_Update(&hmac, previous, digest_len)))
95 			goto out;
96 
97 		if (!HMAC_Update(&hmac, info, info_len) ||
98 		    !HMAC_Update(&hmac, &ctr, 1) ||
99 		    !HMAC_Final(&hmac, previous, NULL))
100 			goto out;
101 
102 		todo = digest_len;
103 		if (done + todo > out_len)
104 			todo = out_len - done;
105 
106 		memcpy(out_key + done, previous, todo);
107 		done += todo;
108 	}
109 
110 	ret = 1;
111 
112  out:
113 	HMAC_CTX_cleanup(&hmac);
114 	explicit_bzero(previous, sizeof(previous));
115 	if (ret != 1)
116 		CRYPTOerror(ERR_R_CRYPTO_LIB);
117 	return ret;
118 }
119