2 Copyright (c) 2010 Nils Durner
4 Permission is hereby granted, free of charge, to any person obtaining a copy
5 of this software and associated documentation files (the "Software"), to deal
6 in the Software without restriction, including without limitation the rights
7 to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
8 copies of the Software, and to permit persons to whom the Software is
9 furnished to do so, subject to the following conditions:
11 The above copyright notice and this permission notice shall be included in
12 all copies or substantial portions of the Software.
14 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
15 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
17 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
18 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
19 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
24 * @file src/util/crypto_hkdf.c
25 * @brief Hash-based KDF as defined in RFC 5869
26 * @see http://www.rfc-editor.org/rfc/rfc5869.txt
33 #include "gnunet_crypto_lib.h"
35 #define DEBUG_HKDF GNUNET_NO
38 * @brief Compute the HMAC
39 * @param mac gcrypt MAC handle
41 * @param key_len length of key
42 * @param buf message to be processed
43 * @param buf_len length of buf
44 * @return HMAC, freed by caller via gcry_md_close/_reset
47 doHMAC (gcry_md_hd_t mac, const void *key, const size_t key_len,
48 const void *buf, const size_t buf_len)
50 gcry_md_setkey (mac, key, key_len);
51 gcry_md_write (mac, buf, buf_len);
53 return (void *) gcry_md_read (mac, 0);
57 * @brief Generate pseudo-random key
58 * @param mac gcrypt HMAC handle
60 * @param xts_len length of the salt
61 * @param skm source key material
62 * @param skm_len length of skm
63 * @param prk result buffer (allocated by caller; at least gcry_md_dlen() bytes)
64 * @return GNUNET_YES on success
67 getPRK (gcry_md_hd_t mac, const void *xts, const unsigned long long xts_len,
68 const void *skm, const unsigned long long skm_len, void *prk)
72 ret = doHMAC (mac, xts, xts_len, skm, skm_len);
75 memcpy (prk, ret, gcry_md_get_algo_dlen (gcry_md_get_algo (mac)));
81 static void dump(char *src, void *p, unsigned int l)
85 printf("\n%s: ", src);
86 for (i = 0; i < l; i++)
88 printf("%2x", (int) ((unsigned char *) p)[i]);
96 * @param result buffer for the derived key, allocated by caller
97 * @param out_len desired length of the derived key
98 * @param xtr_algo hash algorithm for the extraction phase, GCRY_MD_...
99 * @param prf_algo hash algorithm for the expansion phase, GCRY_MD_...
101 * @param xts_len length of xts
102 * @param skm source key material
103 * @param skm_len length of skm
104 * @param ctx context info
105 * @param ctx_len length of ctx
106 * @return GNUNET_YES on success
109 GNUNET_CRYPTO_hkdf (void *result, const unsigned long long out_len,
110 int xtr_algo, int prf_algo, const void *xts, const size_t xts_len,
111 const void *skm, const size_t skm_len, ...)
113 void *prk, *hc, *plain;
114 unsigned long long plain_len;
115 unsigned long i, t, d;
116 unsigned int k, xtr_len;
118 gcry_md_hd_t xtr, prf;
123 xtr_len = gcry_md_get_algo_dlen (xtr_algo);
124 k = gcry_md_get_algo_dlen (prf_algo);
125 gcry_md_open(&xtr, xtr_algo, GCRY_MD_FLAG_HMAC);
126 gcry_md_open(&prf, prf_algo, GCRY_MD_FLAG_HMAC);
128 if (out_len > (2 ^ 32 * k) || !xtr_algo || !prf_algo)
129 return GNUNET_SYSERR;
131 va_start(argp, skm_len);
132 for (ctx_len = 0; va_arg (argp, void *);)
133 ctx_len += va_arg (argp, size_t);
136 prk = GNUNET_malloc (xtr_len);
138 memset (result, 0, out_len);
140 if (getPRK (xtr, xts, xts_len, skm, skm_len, prk)
144 dump("PRK", prk, xtr_len);
151 plain_len = k + ctx_len + 1;
152 plain = GNUNET_malloc (plain_len);
158 va_start (argp, skm_len);
159 while ((ctx = va_arg (argp, void *)))
163 len = va_arg (argp, size_t);
164 memcpy (dst, ctx, len);
172 dump("K(1)", plain, plain_len);
174 hc = doHMAC (prf, prk, xtr_len, plain, ctx_len + 1);
177 memcpy (result, hc, k);
186 va_start(argp, skm_len);
187 while ((ctx = va_arg (argp, void *)))
188 memcpy (dst, ctx, va_arg (argp, size_t));
193 for (i = 1; i < t; i++)
195 memcpy (plain, result - k, k);
196 memset (plain + k + ctx_len, i + 1, 1);
199 dump("K(i+1)", plain, plain_len);
201 hc = doHMAC (prf, prk, xtr_len, plain, plain_len);
204 memcpy (result, hc, k);
212 memcpy (plain, result - k, k);
213 memset (plain + k + ctx_len, i + 1, 1);
216 dump("K(t):d", plain, plain_len);
218 hc = doHMAC (prf, prk, xtr_len, plain, plain_len);
221 memcpy (result, hc, d);
224 dump("result", result - k, out_len);
234 GNUNET_free_non_null (plain);
242 /* end of crypto_hkdf.c */