Botan 3.3.0
Crypto and TLS for C&
hkdf.cpp
Go to the documentation of this file.
1/*
2* HKDF
3* (C) 2013,2015,2017 Jack Lloyd
4* (C) 2016 René Korthaus, Rohde & Schwarz Cybersecurity
5*
6* Botan is released under the Simplified BSD License (see license.txt)
7*/
8
9#include <botan/internal/hkdf.h>
10
11#include <botan/exceptn.h>
12#include <botan/internal/fmt.h>
13#include <botan/internal/loadstor.h>
14
15namespace Botan {
16
17std::unique_ptr<KDF> HKDF::new_object() const {
18 return std::make_unique<HKDF>(m_prf->new_object());
19}
20
21std::string HKDF::name() const {
22 return fmt("HKDF({})", m_prf->name());
23}
24
25void HKDF::kdf(uint8_t key[],
26 size_t key_len,
27 const uint8_t secret[],
28 size_t secret_len,
29 const uint8_t salt[],
30 size_t salt_len,
31 const uint8_t label[],
32 size_t label_len) const {
33 HKDF_Extract extract(m_prf->new_object());
34 HKDF_Expand expand(m_prf->new_object());
35 secure_vector<uint8_t> prk(m_prf->output_length());
36
37 extract.kdf(prk.data(), prk.size(), secret, secret_len, salt, salt_len, nullptr, 0);
38 expand.kdf(key, key_len, prk.data(), prk.size(), nullptr, 0, label, label_len);
39}
40
41std::unique_ptr<KDF> HKDF_Extract::new_object() const {
42 return std::make_unique<HKDF_Extract>(m_prf->new_object());
43}
44
45std::string HKDF_Extract::name() const {
46 return fmt("HKDF-Extract({})", m_prf->name());
47}
48
49void HKDF_Extract::kdf(uint8_t key[],
50 size_t key_len,
51 const uint8_t secret[],
52 size_t secret_len,
53 const uint8_t salt[],
54 size_t salt_len,
55 const uint8_t /*label*/[],
56 size_t label_len) const {
57 if(key_len == 0) {
58 return;
59 }
60
61 const size_t prf_output_len = m_prf->output_length();
62
63 if(key_len > prf_output_len) {
64 throw Invalid_Argument("HKDF-Extract maximum output length exceeeded");
65 }
66
67 if(label_len > 0) {
68 throw Invalid_Argument("HKDF-Extract does not support a label input");
69 }
70
71 if(salt_len == 0) {
72 m_prf->set_key(std::vector<uint8_t>(prf_output_len));
73 } else {
74 m_prf->set_key(salt, salt_len);
75 }
76
77 m_prf->update(secret, secret_len);
78
79 if(key_len == prf_output_len) {
80 m_prf->final(key);
81 } else {
83 m_prf->final(prk);
84 copy_mem(&key[0], prk.data(), key_len);
85 }
86}
87
88std::unique_ptr<KDF> HKDF_Expand::new_object() const {
89 return std::make_unique<HKDF_Expand>(m_prf->new_object());
90}
91
92std::string HKDF_Expand::name() const {
93 return fmt("HKDF-Expand({})", m_prf->name());
94}
95
96void HKDF_Expand::kdf(uint8_t key[],
97 size_t key_len,
98 const uint8_t secret[],
99 size_t secret_len,
100 const uint8_t salt[],
101 size_t salt_len,
102 const uint8_t label[],
103 size_t label_len) const {
104 if(key_len == 0) {
105 return;
106 }
107
108 if(key_len > m_prf->output_length() * 255) {
109 throw Invalid_Argument("HKDF-Expand maximum output length exceeeded");
110 }
111
112 m_prf->set_key(secret, secret_len);
113
114 uint8_t counter = 1;
116 size_t offset = 0;
117
118 while(offset != key_len) {
119 m_prf->update(h);
120 m_prf->update(label, label_len);
121 m_prf->update(salt, salt_len);
122 m_prf->update(counter++);
123 m_prf->final(h);
124
125 const size_t written = std::min(h.size(), key_len - offset);
126 copy_mem(&key[offset], h.data(), written);
127 offset += written;
128 }
129}
130
132 const uint8_t secret[],
133 size_t secret_len,
134 std::string_view label,
135 const uint8_t hash_val[],
136 size_t hash_val_len,
137 size_t length) {
138 BOTAN_ARG_CHECK(length <= 0xFFFF, "HKDF-Expand-Label requested output too large");
139 BOTAN_ARG_CHECK(label.size() <= 0xFF, "HKDF-Expand-Label label too long");
140 BOTAN_ARG_CHECK(hash_val_len <= 0xFF, "HKDF-Expand-Label hash too long");
141
142 const uint16_t length16 = static_cast<uint16_t>(length);
143
145
146 secure_vector<uint8_t> output(length16);
147 std::vector<uint8_t> prefix(3 + label.size() + 1);
148
149 prefix[0] = get_byte<0>(length16);
150 prefix[1] = get_byte<1>(length16);
151 prefix[2] = static_cast<uint8_t>(label.size());
152
153 copy_mem(prefix.data() + 3, cast_char_ptr_to_uint8(label.data()), label.size());
154
155 prefix[3 + label.size()] = static_cast<uint8_t>(hash_val_len);
156
157 /*
158 * We do something a little dirty here to avoid copying the hash_val,
159 * making use of the fact that Botan's KDF interface supports label+salt,
160 * and knowing that our HKDF hashes first param label then param salt.
161 */
162 hkdf.kdf(output.data(), output.size(), secret, secret_len, hash_val, hash_val_len, prefix.data(), prefix.size());
163
164 return output;
165}
166
167} // namespace Botan
#define BOTAN_ARG_CHECK(expr, msg)
Definition assert.h:29
std::string name() const override
Definition hkdf.cpp:92
std::unique_ptr< KDF > new_object() const override
Definition hkdf.cpp:88
void kdf(uint8_t key[], size_t key_len, const uint8_t secret[], size_t secret_len, const uint8_t salt[], size_t salt_len, const uint8_t label[], size_t label_len) const override
Definition hkdf.cpp:96
std::unique_ptr< KDF > new_object() const override
Definition hkdf.cpp:41
std::string name() const override
Definition hkdf.cpp:45
void kdf(uint8_t key[], size_t key_len, const uint8_t secret[], size_t secret_len, const uint8_t salt[], size_t salt_len, const uint8_t label[], size_t label_len) const override
Definition hkdf.cpp:49
std::string name() const override
Definition hkdf.cpp:21
std::unique_ptr< KDF > new_object() const override
Definition hkdf.cpp:17
void kdf(uint8_t key[], size_t key_len, const uint8_t secret[], size_t secret_len, const uint8_t salt[], size_t salt_len, const uint8_t label[], size_t label_len) const override
Definition hkdf.cpp:25
static std::unique_ptr< MessageAuthenticationCode > create_or_throw(std::string_view algo_spec, std::string_view provider="")
Definition mac.cpp:148
std::string fmt(std::string_view format, const T &... args)
Definition fmt.h:53
secure_vector< uint8_t > hkdf_expand_label(std::string_view hash_fn, const uint8_t secret[], size_t secret_len, std::string_view label, const uint8_t hash_val[], size_t hash_val_len, size_t length)
Definition hkdf.cpp:131
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:61
constexpr void copy_mem(T *out, const T *in, size_t n)
Definition mem_ops.h:146
const uint8_t * cast_char_ptr_to_uint8(const char *s)
Definition mem_ops.h:272