Botan 3.7.1
Crypto and TLS for C&
sp800_56c_one_step.cpp
Go to the documentation of this file.
1/*
2* KDF defined in NIST SP 800-56a revision 2 (Single-step key-derivation function)
3* or in NIST SP 800-56C revision 2 (Section 4 - One-Step KDM)
4*
5* (C) 2017 Ribose Inc. Written by Krzysztof Kwiatkowski.
6* (C) 2024 Fabian Albert - Rohde & Schwarz Cybersecurity
7* (C) 2024 René Meusel - Rohde & Schwarz Cybersecurity
8*
9* Botan is released under the Simplified BSD License (see license.txt)
10*/
11
12#include <botan/internal/sp800_56c_one_step.h>
13
14#include <botan/exceptn.h>
15#include <botan/internal/bit_ops.h>
16#include <botan/internal/fmt.h>
17#include <botan/internal/kmac.h>
18
19#include <functional>
20
21namespace Botan {
22
23namespace {
24template <typename T>
25concept hash_or_mac_type = std::is_same_v<T, HashFunction> || std::is_same_v<T, MessageAuthenticationCode>;
26
27/**
28 * @brief One-Step Key Derivation as defined in SP800-56Cr2 Section 4
29 */
30template <hash_or_mac_type HashOrMacType>
31void kdm_internal(std::span<uint8_t> output_buffer,
32 std::span<const uint8_t> z,
33 std::span<const uint8_t> fixed_info,
34 HashOrMacType& hash_or_mac,
35 const std::function<void(HashOrMacType&)>& init_h_callback) {
36 size_t l = output_buffer.size() * 8;
37 // 1. If L > 0, then set reps = ceil(L / H_outputBits); otherwise,
38 // output an error indicator and exit this process without
39 // performing the remaining actions (i.e., omit steps 2 through 8).
40 BOTAN_ARG_CHECK(l > 0, "Zero KDM output length");
41 size_t reps = ceil_division(l, hash_or_mac.output_length() * 8);
42
43 // 2. If reps > (2^32 − 1), then output an error indicator and exit this
44 // process without performing the remaining actions
45 // (i.e., omit steps 3 through 8).
46 BOTAN_ARG_CHECK(reps <= 0xFFFFFFFF, "Too large KDM output length");
47
48 // 3. Initialize a big-endian 4-byte unsigned integer counter as
49 // 0x00000000, corresponding to a 32-bit binary representation of
50 // the number zero.
51 uint32_t counter = 0;
52
53 // 4. If counter || Z || FixedInfo is more than max_H_inputBits bits
54 // long, then output an error indicator and exit this process
55 // without performing any of the remaining actions (i.e., omit
56 // steps 5 through 8). => SHA3 and KMAC are unlimited
57
58 // 5. Initialize Result(0) as an empty bit string
59 // (i.e., the null string).
61
62 // 6. For i = 1 to reps, do the following:
63 for(size_t i = 1; i <= reps; i++) {
64 // 6.1. Increment counter by 1.
65 counter++;
66 // Reset the hash/MAC object. For MAC, also set the key (salt) and IV.
67 hash_or_mac.clear();
68 init_h_callback(hash_or_mac);
69
70 // 6.2 Compute K(i) = H(counter || Z || FixedInfo).
71 hash_or_mac.update_be(counter);
72 hash_or_mac.update(z);
73 hash_or_mac.update(fixed_info);
74 auto k_i = hash_or_mac.final();
75
76 // 6.3. Set Result(i) = Result(i−1) || K(i).
77 result.insert(result.end(), k_i.begin(), k_i.end());
78 }
79
80 // 7. Set DerivedKeyingMaterial equal to the leftmost L bits of Result(reps).
81 copy_mem(output_buffer, std::span(result).subspan(0, output_buffer.size()));
82}
83
84} // namespace
85
86void SP800_56C_One_Step_Hash::perform_kdf(std::span<uint8_t> key,
87 std::span<const uint8_t> secret,
88 std::span<const uint8_t> salt,
89 std::span<const uint8_t> label) const {
90 BOTAN_ARG_CHECK(salt.empty(), "SP800_56A_Hash does not support a non-empty salt");
91 kdm_internal<HashFunction>(key, secret, label, *m_hash, [](HashFunction&) { /* NOP */ });
92}
93
94std::string SP800_56C_One_Step_Hash::name() const {
95 return fmt("SP800-56A({})", m_hash->name());
96}
97
98std::unique_ptr<KDF> SP800_56C_One_Step_Hash::new_object() const {
99 return std::make_unique<SP800_56C_One_Step_Hash>(m_hash->new_object());
100}
101
102SP800_56C_One_Step_HMAC::SP800_56C_One_Step_HMAC(std::unique_ptr<MessageAuthenticationCode> mac) :
103 m_mac(std::move(mac)) {
104 // TODO: we need a MessageAuthenticationCode::is_hmac
105 if(!m_mac->name().starts_with("HMAC(")) {
106 throw Algorithm_Not_Found("Only HMAC can be used with SP800_56A_HMAC");
107 }
108}
109
110void SP800_56C_One_Step_HMAC::perform_kdf(std::span<uint8_t> key,
111 std::span<const uint8_t> secret,
112 std::span<const uint8_t> salt,
113 std::span<const uint8_t> label) const {
114 kdm_internal<MessageAuthenticationCode>(key, secret, label, *m_mac, [&](MessageAuthenticationCode& kdf_mac) {
115 // 4.1 Option 2 and 3 - An implementation dependent byte string, salt,
116 // whose (non-null) value may be optionally provided in
117 // OtherInput, serves as the HMAC# key ..
118
119 // SP 800-56Cr2 specifies if the salt is empty then a block of zeros
120 // equal to the hash's underlying block size are used. However for HMAC
121 // this is equivalent to setting a zero-length key, so the same call
122 // works for either case.
123 kdf_mac.set_key(salt);
124 });
125}
126
127std::string SP800_56C_One_Step_HMAC::name() const {
128 return fmt("SP800-56A({})", m_mac->name());
129}
130
131std::unique_ptr<KDF> SP800_56C_One_Step_HMAC::new_object() const {
132 return std::make_unique<SP800_56C_One_Step_HMAC>(m_mac->new_object());
133}
134
135// Option 3 - KMAC
136void SP800_56A_One_Step_KMAC_Abstract::perform_kdf(std::span<uint8_t> key,
137 std::span<const uint8_t> secret,
138 std::span<const uint8_t> salt,
139 std::span<const uint8_t> label) const {
140 auto mac = create_kmac_instance(key.size());
141 kdm_internal<MessageAuthenticationCode>(key, secret, label, *mac, [&](MessageAuthenticationCode& kdf_mac) {
142 // 4.1 Option 2 and 3 - An implementation dependent byte string, salt,
143 // whose (non-null) value may be optionally provided in
144 // OtherInput, serves as the KMAC# key ...
145 if(salt.empty()) {
146 // 4.1 Implementation-Dependent Parameters 3
147 // If H(x) = KMAC128[or 256](salt, x, H_outputBits, "KDF"),
148 // then – in the absence of an agreed-upon alternative –
149 // the default_salt shall be an all - zero string of
150 // 164 bytes [or 132 bytes]
151 kdf_mac.set_key(std::vector<uint8_t>(default_salt_length(), 0));
152 } else {
153 kdf_mac.set_key(salt);
154 }
155
156 // 4.1 Option 3 - The "customization string" S shall be the byte string
157 // 01001011 || 01000100 || 01000110, which represents the sequence
158 // of characters 'K', 'D', and 'F' in 8-bit ASCII.
159 kdf_mac.start(std::array<uint8_t, 3>{'K', 'D', 'F'});
160 });
161}
162
163std::unique_ptr<MessageAuthenticationCode> SP800_56C_One_Step_KMAC128::create_kmac_instance(
164 size_t output_byte_len) const {
165 return std::make_unique<KMAC128>(output_byte_len * 8);
166}
167
168std::unique_ptr<MessageAuthenticationCode> SP800_56C_One_Step_KMAC256::create_kmac_instance(
169 size_t output_byte_len) const {
170 return std::make_unique<KMAC256>(output_byte_len * 8);
171}
172
173} // namespace Botan
#define BOTAN_ARG_CHECK(expr, msg)
Definition assert.h:29
void start(std::span< const uint8_t > nonce)
Definition mac.h:65
virtual std::unique_ptr< MessageAuthenticationCode > create_kmac_instance(size_t output_byte_len) const =0
virtual size_t default_salt_length() const =0
See SP800-56C Section 4.1 - Implementation-Dependent Parameters 3.
SP800_56C_One_Step_HMAC(std::unique_ptr< MessageAuthenticationCode > mac)
std::string name() const override
std::unique_ptr< KDF > new_object() const override
std::string name() const override
std::unique_ptr< KDF > new_object() const override
void set_key(const SymmetricKey &key)
Definition sym_algo.h:113
std::string fmt(std::string_view format, const T &... args)
Definition fmt.h:53
constexpr T ceil_division(T a, T b)
Definition bit_ops.h:160
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:61
constexpr void copy_mem(T *out, const T *in, size_t n)
Definition mem_ops.h:147