Botan  2.12.1
Crypto and TLS for C++11
hkdf.cpp
Go to the documentation of this file.
1 /*
2 * HKDF
3 * (C) 2013,2015,2017 Jack Lloyd
4 * (C) 2016 RenĂ© Korthaus, Rohde & Schwarz Cybersecurity
5 *
6 * Botan is released under the Simplified BSD License (see license.txt)
7 */
8 
9 #include <botan/hkdf.h>
10 #include <botan/loadstor.h>
11 
12 namespace Botan {
13 
14 size_t HKDF::kdf(uint8_t key[], size_t key_len,
15  const uint8_t secret[], size_t secret_len,
16  const uint8_t salt[], size_t salt_len,
17  const uint8_t label[], size_t label_len) const
18  {
19  HKDF_Extract extract(m_prf->clone());
20  HKDF_Expand expand(m_prf->clone());
21  secure_vector<uint8_t> prk(m_prf->output_length());
22 
23  extract.kdf(prk.data(), prk.size(), secret, secret_len, salt, salt_len, nullptr, 0);
24  return expand.kdf(key, key_len, prk.data(), prk.size(), nullptr, 0, label, label_len);
25  }
26 
27 size_t HKDF_Extract::kdf(uint8_t key[], size_t key_len,
28  const uint8_t secret[], size_t secret_len,
29  const uint8_t salt[], size_t salt_len,
30  const uint8_t[], size_t) const
31  {
33  if(salt_len == 0)
34  {
35  m_prf->set_key(std::vector<uint8_t>(m_prf->output_length()));
36  }
37  else
38  {
39  m_prf->set_key(salt, salt_len);
40  }
41 
42  m_prf->update(secret, secret_len);
43  m_prf->final(prk);
44 
45  const size_t written = std::min(prk.size(), key_len);
46  copy_mem(&key[0], prk.data(), written);
47  return written;
48  }
49 
50 size_t HKDF_Expand::kdf(uint8_t key[], size_t key_len,
51  const uint8_t secret[], size_t secret_len,
52  const uint8_t salt[], size_t salt_len,
53  const uint8_t label[], size_t label_len) const
54  {
55  m_prf->set_key(secret, secret_len);
56 
57  uint8_t counter = 1;
59  size_t offset = 0;
60 
61  while(offset != key_len && counter != 0)
62  {
63  m_prf->update(h);
64  m_prf->update(label, label_len);
65  m_prf->update(salt, salt_len);
66  m_prf->update(counter++);
67  m_prf->final(h);
68 
69  const size_t written = std::min(h.size(), key_len - offset);
70  copy_mem(&key[offset], h.data(), written);
71  offset += written;
72  }
73 
74  return offset;
75  }
76 
78 hkdf_expand_label(const std::string& hash_fn,
79  const uint8_t secret[], size_t secret_len,
80  const std::string& label,
81  const uint8_t hash_val[], size_t hash_val_len,
82  size_t length)
83  {
84  BOTAN_ARG_CHECK(length <= 0xFFFF, "HKDF-Expand-Label requested output too large");
85  BOTAN_ARG_CHECK(label.size() <= 0xFF, "HKDF-Expand-Label label too long");
86  BOTAN_ARG_CHECK(hash_val_len <= 0xFF, "HKDF-Expand-Label hash too long");
87 
88  const uint16_t length16 = static_cast<uint16_t>(length);
89 
90  auto mac = MessageAuthenticationCode::create_or_throw("HMAC(" + hash_fn + ")");
91 
92  HKDF_Expand hkdf(mac.release());
93 
94  secure_vector<uint8_t> output(length16);
95  std::vector<uint8_t> prefix(3 + label.size() + 1);
96 
97  prefix[0] = get_byte(0, length16);
98  prefix[1] = get_byte(1, length16);
99  prefix[2] = static_cast<uint8_t>(label.size());
100 
101  copy_mem(prefix.data() + 3,
102  cast_char_ptr_to_uint8(label.data()),
103  label.size());
104 
105  prefix[3 + label.size()] = static_cast<uint8_t>(hash_val_len);
106 
107  /*
108  * We do something a little dirty here to avoid copying the hash_val,
109  * making use of the fact that Botan's KDF interface supports label+salt,
110  * and knowing that our HKDF hashes first param label then param salt.
111  */
112  hkdf.kdf(output.data(), output.size(),
113  secret, secret_len,
114  hash_val, hash_val_len,
115  prefix.data(), prefix.size());
116 
117  return output;
118  }
119 
120 }
constexpr uint8_t get_byte(size_t byte_num, T input)
Definition: loadstor.h:41
const uint8_t * cast_char_ptr_to_uint8(const char *s)
Definition: mem_ops.h:164
size_t kdf(uint8_t key[], size_t key_len, const uint8_t secret[], size_t secret_len, const uint8_t salt[], size_t salt_len, const uint8_t label[], size_t label_len) const override
Definition: hkdf.cpp:14
size_t kdf(uint8_t key[], size_t key_len, const uint8_t secret[], size_t secret_len, const uint8_t salt[], size_t salt_len, const uint8_t label[], size_t label_len) const override
Definition: hkdf.cpp:27
size_t salt_len
Definition: x509_obj.cpp:25
secure_vector< uint8_t > hkdf_expand_label(const std::string &hash_fn, const uint8_t secret[], size_t secret_len, const std::string &label, const uint8_t hash_val[], size_t hash_val_len, size_t length)
Definition: hkdf.cpp:78
void copy_mem(T *out, const T *in, size_t n)
Definition: mem_ops.h:122
Definition: alg_id.cpp:13
#define BOTAN_ARG_CHECK(expr, msg)
Definition: assert.h:37
size_t kdf(uint8_t key[], size_t key_len, const uint8_t secret[], size_t secret_len, const uint8_t salt[], size_t salt_len, const uint8_t label[], size_t label_len) const override
Definition: hkdf.cpp:50
static std::unique_ptr< MessageAuthenticationCode > create_or_throw(const std::string &algo_spec, const std::string &provider="")
Definition: mac.cpp:141
std::vector< T, secure_allocator< T > > secure_vector
Definition: secmem.h:65