common/mbedtls/hkdf.c

   1 /*
   2  *  HKDF implementation -- RFC 5869
   3  *
   4  *  Copyright The Mbed TLS Contributors
   5  *  SPDX-License-Identifier: Apache-2.0
   6  *
   7  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
   8  *  not use this file except in compliance with the License.
   9  *  You may obtain a copy of the License at
  10  *
  11  *  http://www.apache.org/licenses/LICENSE-2.0
  12  *
  13  *  Unless required by applicable law or agreed to in writing, software
  14  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
  15  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  16  *  See the License for the specific language governing permissions and
  17  *  limitations under the License.
  18  */
  19 #include "common.h"
  20
  21 #if defined(MBEDTLS_HKDF_C)
  22
  23 #include <string.h>
  24 #include "mbedtls/hkdf.h"
  25 #include "mbedtls/platform_util.h"
  26 #include "mbedtls/error.h"
  27
  28 int mbedtls_hkdf(const mbedtls_md_info_t *md, const unsigned char *salt,
  29                  size_t salt_len, const unsigned char *ikm, size_t ikm_len,
  30                  const unsigned char *info, size_t info_len,
  31                  unsigned char *okm, size_t okm_len) {
  32     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
  33     unsigned char prk[MBEDTLS_MD_MAX_SIZE];
  34
  35     ret = mbedtls_hkdf_extract(md, salt, salt_len, ikm, ikm_len, prk);
  36
  37     if (ret == 0) {
  38         ret = mbedtls_hkdf_expand(md, prk, mbedtls_md_get_size(md),
  39                                   info, info_len, okm, okm_len);
  40     }
  41
  42     mbedtls_platform_zeroize(prk, sizeof(prk));
  43
  44     return (ret);
  45 }
  46
  47 int mbedtls_hkdf_extract(const mbedtls_md_info_t *md,
  48                          const unsigned char *salt, size_t salt_len,
  49                          const unsigned char *ikm, size_t ikm_len,
  50                          unsigned char *prk) {
  51     unsigned char null_salt[MBEDTLS_MD_MAX_SIZE] = { '\0' };
  52
  53     if (salt == NULL) {
  54         size_t hash_len;
  55
  56         if (salt_len != 0) {
  57             return MBEDTLS_ERR_HKDF_BAD_INPUT_DATA;
  58         }
  59
  60         hash_len = mbedtls_md_get_size(md);
  61
  62         if (hash_len == 0) {
  63             return MBEDTLS_ERR_HKDF_BAD_INPUT_DATA;
  64         }
  65
  66         salt = null_salt;
  67         salt_len = hash_len;
  68     }
  69
  70     return (mbedtls_md_hmac(md, salt, salt_len, ikm, ikm_len, prk));
  71 }
  72
  73 int mbedtls_hkdf_expand(const mbedtls_md_info_t *md, const unsigned char *prk,
  74                         size_t prk_len, const unsigned char *info,
  75                         size_t info_len, unsigned char *okm, size_t okm_len) {
  76     size_t hash_len;
  77     size_t where = 0;
  78     size_t n;
  79     size_t t_len = 0;
  80     size_t i;
  81     int ret = 0;
  82     mbedtls_md_context_t ctx;
  83     unsigned char t[MBEDTLS_MD_MAX_SIZE];
  84
  85     if (okm == NULL) {
  86         return (MBEDTLS_ERR_HKDF_BAD_INPUT_DATA);
  87     }
  88
  89     hash_len = mbedtls_md_get_size(md);
  90
  91     if (prk_len < hash_len || hash_len == 0) {
  92         return (MBEDTLS_ERR_HKDF_BAD_INPUT_DATA);
  93     }
  94
  95     if (info == NULL) {
  96         info = (const unsigned char *) "";
  97         info_len = 0;
  98     }
  99
 100     n = okm_len / hash_len;
 101
 102     if (okm_len % hash_len != 0) {
 103         n++;
 104     }
 105
 106     /*
 107      * Per RFC 5869 Section 2.3, okm_len must not exceed
 108      * 255 times the hash length
 109      */
 110     if (n > 255) {
 111         return (MBEDTLS_ERR_HKDF_BAD_INPUT_DATA);
 112     }
 113
 114     mbedtls_md_init(&ctx);
 115
 116     if ((ret = mbedtls_md_setup(&ctx, md, 1)) != 0) {
 117         goto exit;
 118     }
 119
 120     memset(t, 0, hash_len);
 121
 122     /*
 123      * Compute T = T(1) | T(2) | T(3) | ... | T(N)
 124      * Where T(N) is defined in RFC 5869 Section 2.3
 125      */
 126     for (i = 1; i <= n; i++) {
 127         size_t num_to_copy;
 128         unsigned char c = i & 0xff;
 129
 130         ret = mbedtls_md_hmac_starts(&ctx, prk, prk_len);
 131         if (ret != 0) {
 132             goto exit;
 133         }
 134
 135         ret = mbedtls_md_hmac_update(&ctx, t, t_len);
 136         if (ret != 0) {
 137             goto exit;
 138         }
 139
 140         ret = mbedtls_md_hmac_update(&ctx, info, info_len);
 141         if (ret != 0) {
 142             goto exit;
 143         }
 144
 145         /* The constant concatenated to the end of each T(n) is a single octet.
 146          * */
 147         ret = mbedtls_md_hmac_update(&ctx, &c, 1);
 148         if (ret != 0) {
 149             goto exit;
 150         }
 151
 152         ret = mbedtls_md_hmac_finish(&ctx, t);
 153         if (ret != 0) {
 154             goto exit;
 155         }
 156
 157         num_to_copy = i != n ? hash_len : okm_len - where;
 158         memcpy(okm + where, t, num_to_copy);
 159         where += hash_len;
 160         t_len = hash_len;
 161     }
 162
 163 exit:
 164     mbedtls_md_free(&ctx);
 165     mbedtls_platform_zeroize(t, sizeof(t));
 166
 167     return (ret);
 168 }
 169
 170 #endif /* MBEDTLS_HKDF_C */