crypto/hkdf_sha256: new module.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>

diff --git a/ccan/crypto/hkdf_sha256/LICENSE b/ccan/crypto/hkdf_sha256/LICENSE
new file mode 120000 (symlink)
index 0000000..2b1feca
--- /dev/null
+++ b/ccan/crypto/hkdf_sha256/LICENSE
@@ -0,0 +1 @@
+../../../licenses/BSD-MIT
\ No newline at end of file

diff --git a/ccan/crypto/hkdf_sha256/_info b/ccan/crypto/hkdf_sha256/_info
new file mode 100644 (file)
index 0000000..b8b3cb6
--- /dev/null
+++ b/ccan/crypto/hkdf_sha256/_info
@@ -0,0 +1,30 @@
+#include "config.h"
+#include <stdio.h>
+#include <string.h>
+
+/**
+ * crypto/hkdf_sha256 - RFC5869 Hardened Key Derivation Functions using SHA256
+ *
+ * This code implements the hkdf described in RFC5869.
+ *
+ * License: BSD-MIT
+ * Maintainer: Rusty Russell <rusty@rustcorp.com.au>
+ */
+int main(int argc, char *argv[])
+{
+       /* Expect exactly one argument */
+       if (argc != 2)
+               return 1;
+
+       if (strcmp(argv[1], "depends") == 0) {
+               printf("ccan/crypto/hmac_sha256\n");
+               return 0;
+       }
+
+       if (strcmp(argv[1], "testdepends") == 0) {
+               printf("ccan/str/hex\n");
+               return 0;
+       }
+
+       return 1;
+}

diff --git a/ccan/crypto/hkdf_sha256/hkdf_sha256.c b/ccan/crypto/hkdf_sha256/hkdf_sha256.c
new file mode 100644 (file)
index 0000000..0f26485
--- /dev/null
+++ b/ccan/crypto/hkdf_sha256/hkdf_sha256.c
@@ -0,0 +1,97 @@
+/* MIT (BSD) license - see LICENSE file for details */
+#include <ccan/crypto/hkdf_sha256/hkdf_sha256.h>
+#include <ccan/crypto/hmac_sha256/hmac_sha256.h>
+#include <assert.h>
+#include <string.h>
+
+void hkdf_sha256(unsigned char *okm, size_t okm_size,
+                const void *s, size_t ssize,
+                const void *k, size_t ksize,
+                const void *info, size_t isize)
+{
+       struct hmac_sha256 prk, t;
+       struct hmac_sha256_ctx ctx;
+       unsigned char c;
+
+       assert(okm_size < 255 * sizeof(t));
+
+       /* RFC 5869:
+        *
+        * 2.2.  Step 1: Extract
+        *
+        *   HKDF-Extract(salt, IKM) -> PRK
+        *
+        *    Options:
+        *       Hash     a hash function; HashLen denotes the length of the
+        *                hash function output in octets
+        *
+        *    Inputs:
+        *       salt     optional salt value (a non-secret random value);
+        *                if not provided, it is set to a string of HashLen zeros.
+        *       IKM      input keying material
+        *
+        *    Output:
+        *       PRK      a pseudorandom key (of HashLen octets)
+        *
+        *    The output PRK is calculated as follows:
+        *
+        *    PRK = HMAC-Hash(salt, IKM)
+        */
+       hmac_sha256(&prk, s, ssize, k, ksize);
+
+       /*
+        * 2.3.  Step 2: Expand
+        *
+        *    HKDF-Expand(PRK, info, L) -> OKM
+        *
+        *    Options:
+        *       Hash     a hash function; HashLen denotes the length of the
+        *                hash function output in octets
+        *
+        *    Inputs:
+        *       PRK      a pseudorandom key of at least HashLen octets
+        *                (usually, the output from the extract step)
+        *       info     optional context and application specific information
+        *                (can be a zero-length string)
+        *       L        length of output keying material in octets
+        *                (<= 255*HashLen)
+        *
+        *    Output:
+        *       OKM      output keying material (of L octets)
+        *
+        *    The output OKM is calculated as follows:
+        *
+        *    N = ceil(L/HashLen)
+        *    T = T(1) | T(2) | T(3) | ... | T(N)
+        *    OKM = first L octets of T
+        *
+        *    where:
+        *    T(0) = empty string (zero length)
+        *    T(1) = HMAC-Hash(PRK, T(0) | info | 0x01)
+        *    T(2) = HMAC-Hash(PRK, T(1) | info | 0x02)
+        *    T(3) = HMAC-Hash(PRK, T(2) | info | 0x03)
+        *    ...
+        *
+        *    (where the constant concatenated to the end of each T(n) is a
+        *    single octet.)
+        */
+       c = 1;
+       hmac_sha256_init(&ctx, &prk, sizeof(prk));
+       hmac_sha256_update(&ctx, info, isize);
+       hmac_sha256_update(&ctx, &c, 1);
+       hmac_sha256_done(&ctx, &t);
+
+       while (okm_size > sizeof(t)) {
+               memcpy(okm, &t, sizeof(t));
+               okm += sizeof(t);
+               okm_size -= sizeof(t);
+
+               c++;
+               hmac_sha256_init(&ctx, &prk, sizeof(prk));
+               hmac_sha256_update(&ctx, &t, sizeof(t));
+               hmac_sha256_update(&ctx, info, isize);
+               hmac_sha256_update(&ctx, &c, 1);
+               hmac_sha256_done(&ctx, &t);
+       }
+       memcpy(okm, &t, okm_size);
+}

diff --git a/ccan/crypto/hkdf_sha256/hkdf_sha256.h b/ccan/crypto/hkdf_sha256/hkdf_sha256.h
new file mode 100644 (file)
index 0000000..cb29502
--- /dev/null
+++ b/ccan/crypto/hkdf_sha256/hkdf_sha256.h
@@ -0,0 +1,22 @@
+#ifndef CCAN_CRYPTO_HKDF_SHA256_H
+#define CCAN_CRYPTO_HKDF_SHA256_H
+/* BSD-MIT - see LICENSE file for details */
+#include "config.h"
+#include <stdlib.h>
+
+/**
+ * hkdf_sha256 - generate a derived key
+ * @okm: where to output the key
+ * @okm_size: the number of bytes pointed to by @okm (must be less than 255*32)
+ * @s: salt
+ * @ssize: the number of bytes pointed to by @s
+ * @k: pointer to input key
+ * @ksize: the number of bytes pointed to by @k
+ * @info: pointer to info
+ * @isize: the number of bytes pointed to by @info
+ */
+void hkdf_sha256(unsigned char *okm, size_t okm_size,
+                const void *s, size_t ssize,
+                const void *k, size_t ksize,
+                const void *info, size_t isize);
+#endif /* CCAN_CRYPTO_HKDF_SHA256_H */

diff --git a/ccan/crypto/hkdf_sha256/test/api-rfc5869.c b/ccan/crypto/hkdf_sha256/test/api-rfc5869.c
new file mode 100644 (file)
index 0000000..3e3bdbf
--- /dev/null
+++ b/ccan/crypto/hkdf_sha256/test/api-rfc5869.c
@@ -0,0 +1,101 @@
+/* From RFC5869 Appendix A
+ *
+ * https://tools.ietf.org/html/rfc5869
+ */
+#include <ccan/crypto/hkdf_sha256/hkdf_sha256.h>
+#include <ccan/tap/tap.h>
+#include <ccan/str/hex/hex.h>
+#include <string.h>
+#include <assert.h>
+
+struct test {
+       const char *ikm, *salt, *info, *okm;
+};
+
+static struct test tests[] = { {
+       /* Test Case 1
+          Basic test case with SHA-256
+       */
+       "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b", /* (22 octets) */
+       "000102030405060708090a0b0c", /* (13 octets) */
+       "f0f1f2f3f4f5f6f7f8f9", /* (10 octets) */
+       "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865", /* (42 octets) */
+       },
+       {
+       /* Test Case 2
+        *
+        * Test with SHA-256 and longer inputs/outputs */
+       "000102030405060708090a0b0c0d0e0f"
+       "101112131415161718191a1b1c1d1e1f"
+       "202122232425262728292a2b2c2d2e2f"
+       "303132333435363738393a3b3c3d3e3f"
+       "404142434445464748494a4b4c4d4e4f", /* (80 octets) */
+       "606162636465666768696a6b6c6d6e6f"
+       "707172737475767778797a7b7c7d7e7f"
+       "808182838485868788898a8b8c8d8e8f"
+       "909192939495969798999a9b9c9d9e9f"
+       "a0a1a2a3a4a5a6a7a8a9aaabacadaeaf", /* (80 octets )*/
+       "b0b1b2b3b4b5b6b7b8b9babbbcbdbebf"
+       "c0c1c2c3c4c5c6c7c8c9cacbcccdcecf"
+       "d0d1d2d3d4d5d6d7d8d9dadbdcdddedf"
+       "e0e1e2e3e4e5e6e7e8e9eaebecedeeef"
+       "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff", /* (80 octets) */
+       "b11e398dc80327a1c8e7f78c596a4934"
+       "4f012eda2d4efad8a050cc4c19afa97c"
+       "59045a99cac7827271cb41c65e590e09"
+       "da3275600c2f09b8367793a9aca3db71"
+       "cc30c58179ec3e87c14c01d5c1f3434f"
+       "1d87" /* (82 octets) */
+       },
+       {
+       /*  Test Case 3
+        *
+        * Test with SHA-256 and zero-length salt/info
+        */
+       "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b", /* (22 octets) */
+       "", /* (0 octets) */
+       "", /* (0 octets) */
+       "8da4e775a563c18f715f802a063c5a31"
+       "b8a11f5c5ee1879ec3454e5f3c738d2d"
+       "9d201395faa4b61a96c8" /* (42 octets) */
+       }
+};
+
+static void *fromhex(const char *str, size_t *len)
+{
+       void *p;
+
+       *len = hex_data_size(strlen(str));
+       p = malloc(*len);
+       if (!hex_decode(str, strlen(str), p, *len))
+               abort();
+       return p;
+}
+
+int main(void)
+{
+       size_t i;
+
+       plan_tests(sizeof(tests) / sizeof(tests[0]));
+
+       for (i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) {
+               size_t ksize, ssize, isize, okmsize;
+               void *k, *s, *info, *expect, *okm;
+
+               k = fromhex(tests[i].ikm, &ksize);
+               s = fromhex(tests[i].salt, &ssize);
+               info = fromhex(tests[i].info, &isize);
+               expect = fromhex(tests[i].okm, &okmsize);
+               okm = malloc(okmsize);
+               hkdf_sha256(okm, okmsize, s, ssize, k, ksize, info, isize);
+               ok1(memcmp(okm, expect, okmsize) == 0);
+
+               free(k);
+               free(s);
+               free(info);
+               free(expect);
+               free(okm);
+       }
+
+       return exit_status();
+}