2 Copyright (c) 2010 Nils Durner
4 Permission is hereby granted, free of charge, to any person obtaining a copy
5 of this software and associated documentation files (the "Software"), to deal
6 in the Software without restriction, including without limitation the rights
7 to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
8 copies of the Software, and to permit persons to whom the Software is
9 furnished to do so, subject to the following conditions:
11 The above copyright notice and this permission notice shall be included in
12 all copies or substantial portions of the Software.
14 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
15 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
17 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
18 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
19 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
24 * @file src/util/crypto_hkdf.c
25 * @brief Hash-based KDF as defined in RFC 5869
26 * @see http://www.rfc-editor.org/rfc/rfc5869.txt
27 * @todo remove GNUNET references
30 * The following list of people have reviewed this code and considered
31 * it correct on the date given (if you reviewed it, please
32 * have your name added to the list):
34 * - Christian Grothoff (08.10.2010)
35 * - Nathan Evans (08.10.2010)
36 * - Matthias Wachs (08.10.2010)
42 #include "gnunet_crypto_lib.h"
44 #define DEBUG_HKDF GNUNET_NO
47 * @brief Compute the HMAC
48 * @todo use chunked buffers
49 * @param mac gcrypt MAC handle
51 * @param key_len length of key
52 * @param buf message to be processed
53 * @param buf_len length of buf
54 * @return HMAC, freed by caller via gcry_md_close/_reset
57 doHMAC (gcry_md_hd_t mac,
58 const void *key, size_t key_len,
59 const void *buf, size_t buf_len)
61 gcry_md_setkey (mac, key, key_len);
62 gcry_md_write (mac, buf, buf_len);
64 return (const void *) gcry_md_read (mac, 0);
68 * @brief Generate pseudo-random key
69 * @param mac gcrypt HMAC handle
71 * @param xts_len length of the salt
72 * @param skm source key material
73 * @param skm_len length of skm
74 * @param prk result buffer (allocated by caller; at least gcry_md_dlen() bytes)
75 * @return GNUNET_YES on success
78 getPRK (gcry_md_hd_t mac,
79 const void *xts, size_t xts_len,
80 const void *skm, size_t skm_len,
85 ret = doHMAC (mac, xts, xts_len, skm, skm_len);
90 gcry_md_get_algo_dlen (gcry_md_get_algo (mac)));
104 printf("\n%s: ", src);
105 for (i = 0; i < l; i++)
107 printf("%2x", (int) ((const unsigned char *) p)[i]);
116 * @param result buffer for the derived key, allocated by caller
117 * @param out_len desired length of the derived key
118 * @param xtr_algo hash algorithm for the extraction phase, GCRY_MD_...
119 * @param prf_algo hash algorithm for the expansion phase, GCRY_MD_...
121 * @param xts_len length of xts
122 * @param skm source key material
123 * @param skm_len length of skm
124 * @param argp va_list of void * & size_t pairs for context chunks
125 * @return GNUNET_YES on success
128 GNUNET_CRYPTO_hkdf_v (void *result, size_t out_len,
129 int xtr_algo, int prf_algo,
130 const void *xts, size_t xts_len,
131 const void *skm, size_t skm_len,
135 unsigned long i, t, d;
136 unsigned int k = gcry_md_get_algo_dlen (prf_algo);
137 unsigned int xtr_len = gcry_md_get_algo_dlen (xtr_algo);
140 gcry_md_hd_t xtr, prf;
145 return GNUNET_SYSERR;
147 // FIXME: what is the check for?
148 if (out_len > (2 ^ 32 * k))
149 return GNUNET_SYSERR;
151 if (gcry_md_open(&xtr, xtr_algo, GCRY_MD_FLAG_HMAC) != GPG_ERR_NO_ERROR)
152 return GNUNET_SYSERR;
154 if (gcry_md_open(&prf, prf_algo, GCRY_MD_FLAG_HMAC) != GPG_ERR_NO_ERROR)
157 return GNUNET_SYSERR;
160 va_copy (args, argp);
163 while (NULL != va_arg (args, void *))
164 ctx_len += va_arg (args, size_t);
167 memset (result, 0, out_len);
168 if (getPRK (xtr, xts, xts_len, skm, skm_len, prk)
172 dump("PRK", prk, xtr_len);
180 size_t plain_len = k + ctx_len + 1;
181 char plain[plain_len];
186 va_copy (args, argp);
187 while ((ctx = va_arg (args, void *)))
191 len = va_arg (args, size_t);
192 memcpy (dst, ctx, len);
199 memset (plain + k + ctx_len, 1, 1);
201 dump("K(1)", plain, plain_len);
205 xtr_len, &plain[k], ctx_len + 1);
208 memcpy (result, hc, k);
213 for (i = 1; i < t; i++)
215 memcpy (plain, result - k, k);
216 memset (plain + k + ctx_len, i + 1, 1);
219 dump("K(i+1)", plain, plain_len);
221 hc = doHMAC (prf, prk, xtr_len, plain, plain_len);
224 memcpy (result, hc, k);
232 memcpy (plain, result - k, k);
233 memset (plain + k + ctx_len, i + 1, 1);
236 dump("K(t):d", plain, plain_len);
239 hc = doHMAC (prf, prk, xtr_len, plain, plain_len);
241 hc = doHMAC (prf, prk, xtr_len, plain + k, plain_len - k);
244 memcpy (result, hc, d);
247 dump("result", result - k, out_len);
265 * @param result buffer for the derived key, allocated by caller
266 * @param out_len desired length of the derived key
267 * @param xtr_algo hash algorithm for the extraction phase, GCRY_MD_...
268 * @param prf_algo hash algorithm for the expansion phase, GCRY_MD_...
270 * @param xts_len length of xts
271 * @param skm source key material
272 * @param skm_len length of skm
273 * @param ctx context info
274 * @param ctx_len length of ctx
275 * @return GNUNET_YES on success
278 GNUNET_CRYPTO_hkdf (void *result, size_t out_len,
279 int xtr_algo, int prf_algo,
280 const void *xts, size_t xts_len,
281 const void *skm, size_t skm_len,
287 va_start(argp, skm_len);
288 ret = GNUNET_CRYPTO_hkdf_v (result, out_len, xtr_algo, prf_algo, xts,
289 xts_len, skm, skm_len, argp);
295 /* end of crypto_hkdf.c */