xref: /dragonfly/crypto/libressl/crypto/hkdf/hkdf.c (revision 6f5ec8b5) 
1 /* $OpenBSD: hkdf.c,v 1.7 2021/12/12 21:30:14 tb Exp $ */
2 /* Copyright (c) 2014, Google Inc.
3  *
4  * Permission to use, copy, modify, and/or distribute this software for any
5  * purpose with or without fee is hereby granted, provided that the above
6  * copyright notice and this permission notice appear in all copies.
7  *
8  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
11  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
13  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
14  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15  */
16 
17 #include <openssl/hkdf.h>
18 
19 #include <string.h>
20 
21 #include <openssl/err.h>
22 #include <openssl/hmac.h>
23 
24 #include "evp_locl.h"
25 #include "hmac_local.h"
26 
27 /* https://tools.ietf.org/html/rfc5869#section-2 */
28 int
29 HKDF(uint8_t *out_key, size_t out_len, const EVP_MD *digest,
30     const uint8_t *secret, size_t secret_len, const uint8_t *salt,
31     size_t salt_len, const uint8_t *info, size_t info_len)
32 {
33 	uint8_t prk[EVP_MAX_MD_SIZE];
34 	size_t prk_len;
35 
36 	if (!HKDF_extract(prk, &prk_len, digest, secret, secret_len, salt,
37 	    salt_len))
38 		return 0;
39 	if (!HKDF_expand(out_key, out_len, digest, prk, prk_len, info,
40 	    info_len))
41 		return 0;
42 
43 	return 1;
44 }
45 
46 /* https://tools.ietf.org/html/rfc5869#section-2.2 */
47 int
48 HKDF_extract(uint8_t *out_key, size_t *out_len,
49     const EVP_MD *digest, const uint8_t *secret, size_t secret_len,
50     const uint8_t *salt, size_t salt_len)
51 {
52 	unsigned int len;
53 
54 	/*
55 	 * If salt is not given, HashLength zeros are used. However, HMAC does
56 	 * that internally already so we can ignore it.
57 	 */
58 	if (HMAC(digest, salt, salt_len, secret, secret_len, out_key, &len) ==
59 	    NULL) {
60 		CRYPTOerror(ERR_R_CRYPTO_LIB);
61 		return 0;
62 	}
63 	*out_len = len;
64 	return 1;
65 }
66 
67 /* https://tools.ietf.org/html/rfc5869#section-2.3 */
68 int
69 HKDF_expand(uint8_t *out_key, size_t out_len,
70     const EVP_MD *digest, const uint8_t *prk, size_t prk_len,
71     const uint8_t *info, size_t info_len)
72 {
73 	const size_t digest_len = EVP_MD_size(digest);
74 	uint8_t previous[EVP_MAX_MD_SIZE];
75 	size_t n, done = 0;
76 	unsigned int i;
77 	int ret = 0;
78 	HMAC_CTX hmac;
79 
80 	/* Expand key material to desired length. */
81 	n = (out_len + digest_len - 1) / digest_len;
82 	if (out_len + digest_len < out_len || n > 255) {
83 		CRYPTOerror(EVP_R_TOO_LARGE);
84 		return 0;
85 	}
86 
87 	HMAC_CTX_init(&hmac);
88 	if (!HMAC_Init_ex(&hmac, prk, prk_len, digest, NULL))
89 		goto out;
90 
91 	for (i = 0; i < n; i++) {
92 		uint8_t ctr = i + 1;
93 		size_t todo;
94 
95 		if (i != 0 && (!HMAC_Init_ex(&hmac, NULL, 0, NULL, NULL) ||
96 		    !HMAC_Update(&hmac, previous, digest_len)))
97 			goto out;
98 
99 		if (!HMAC_Update(&hmac, info, info_len) ||
100 		    !HMAC_Update(&hmac, &ctr, 1) ||
101 		    !HMAC_Final(&hmac, previous, NULL))
102 			goto out;
103 
104 		todo = digest_len;
105 		if (done + todo > out_len)
106 			todo = out_len - done;
107 
108 		memcpy(out_key + done, previous, todo);
109 		done += todo;
110 	}
111 
112 	ret = 1;
113 
114  out:
115 	HMAC_CTX_cleanup(&hmac);
116 	explicit_bzero(previous, sizeof(previous));
117 	if (ret != 1)
118 		CRYPTOerror(ERR_R_CRYPTO_LIB);
119 	return ret;
120 }
121