From: Rusty Russell Date: Wed, 30 Nov 2016 03:54:37 +0000 (+1030) Subject: crypto/hkdf_sha256: new module. X-Git-Url: http://git.ozlabs.org/?p=ccan;a=commitdiff_plain;h=33ba12adf082b9432ae0471b6bb742cde14254ed;ds=sidebyside crypto/hkdf_sha256: new module. Signed-off-by: Rusty Russell --- diff --git a/ccan/crypto/hkdf_sha256/LICENSE b/ccan/crypto/hkdf_sha256/LICENSE new file mode 120000 index 00000000..2b1feca5 --- /dev/null +++ b/ccan/crypto/hkdf_sha256/LICENSE @@ -0,0 +1 @@ +../../../licenses/BSD-MIT \ No newline at end of file diff --git a/ccan/crypto/hkdf_sha256/_info b/ccan/crypto/hkdf_sha256/_info new file mode 100644 index 00000000..b8b3cb67 --- /dev/null +++ b/ccan/crypto/hkdf_sha256/_info @@ -0,0 +1,30 @@ +#include "config.h" +#include +#include + +/** + * crypto/hkdf_sha256 - RFC5869 Hardened Key Derivation Functions using SHA256 + * + * This code implements the hkdf described in RFC5869. + * + * License: BSD-MIT + * Maintainer: Rusty Russell + */ +int main(int argc, char *argv[]) +{ + /* Expect exactly one argument */ + if (argc != 2) + return 1; + + if (strcmp(argv[1], "depends") == 0) { + printf("ccan/crypto/hmac_sha256\n"); + return 0; + } + + if (strcmp(argv[1], "testdepends") == 0) { + printf("ccan/str/hex\n"); + return 0; + } + + return 1; +} diff --git a/ccan/crypto/hkdf_sha256/hkdf_sha256.c b/ccan/crypto/hkdf_sha256/hkdf_sha256.c new file mode 100644 index 00000000..0f264857 --- /dev/null +++ b/ccan/crypto/hkdf_sha256/hkdf_sha256.c @@ -0,0 +1,97 @@ +/* MIT (BSD) license - see LICENSE file for details */ +#include +#include +#include +#include + +void hkdf_sha256(unsigned char *okm, size_t okm_size, + const void *s, size_t ssize, + const void *k, size_t ksize, + const void *info, size_t isize) +{ + struct hmac_sha256 prk, t; + struct hmac_sha256_ctx ctx; + unsigned char c; + + assert(okm_size < 255 * sizeof(t)); + + /* RFC 5869: + * + * 2.2. Step 1: Extract + * + * HKDF-Extract(salt, IKM) -> PRK + * + * Options: + * Hash a hash function; HashLen denotes the length of the + * hash function output in octets + * + * Inputs: + * salt optional salt value (a non-secret random value); + * if not provided, it is set to a string of HashLen zeros. + * IKM input keying material + * + * Output: + * PRK a pseudorandom key (of HashLen octets) + * + * The output PRK is calculated as follows: + * + * PRK = HMAC-Hash(salt, IKM) + */ + hmac_sha256(&prk, s, ssize, k, ksize); + + /* + * 2.3. Step 2: Expand + * + * HKDF-Expand(PRK, info, L) -> OKM + * + * Options: + * Hash a hash function; HashLen denotes the length of the + * hash function output in octets + * + * Inputs: + * PRK a pseudorandom key of at least HashLen octets + * (usually, the output from the extract step) + * info optional context and application specific information + * (can be a zero-length string) + * L length of output keying material in octets + * (<= 255*HashLen) + * + * Output: + * OKM output keying material (of L octets) + * + * The output OKM is calculated as follows: + * + * N = ceil(L/HashLen) + * T = T(1) | T(2) | T(3) | ... | T(N) + * OKM = first L octets of T + * + * where: + * T(0) = empty string (zero length) + * T(1) = HMAC-Hash(PRK, T(0) | info | 0x01) + * T(2) = HMAC-Hash(PRK, T(1) | info | 0x02) + * T(3) = HMAC-Hash(PRK, T(2) | info | 0x03) + * ... + * + * (where the constant concatenated to the end of each T(n) is a + * single octet.) + */ + c = 1; + hmac_sha256_init(&ctx, &prk, sizeof(prk)); + hmac_sha256_update(&ctx, info, isize); + hmac_sha256_update(&ctx, &c, 1); + hmac_sha256_done(&ctx, &t); + + while (okm_size > sizeof(t)) { + memcpy(okm, &t, sizeof(t)); + okm += sizeof(t); + okm_size -= sizeof(t); + + c++; + hmac_sha256_init(&ctx, &prk, sizeof(prk)); + hmac_sha256_update(&ctx, &t, sizeof(t)); + hmac_sha256_update(&ctx, info, isize); + hmac_sha256_update(&ctx, &c, 1); + hmac_sha256_done(&ctx, &t); + } + memcpy(okm, &t, okm_size); +} diff --git a/ccan/crypto/hkdf_sha256/hkdf_sha256.h b/ccan/crypto/hkdf_sha256/hkdf_sha256.h new file mode 100644 index 00000000..cb295027 --- /dev/null +++ b/ccan/crypto/hkdf_sha256/hkdf_sha256.h @@ -0,0 +1,22 @@ +#ifndef CCAN_CRYPTO_HKDF_SHA256_H +#define CCAN_CRYPTO_HKDF_SHA256_H +/* BSD-MIT - see LICENSE file for details */ +#include "config.h" +#include + +/** + * hkdf_sha256 - generate a derived key + * @okm: where to output the key + * @okm_size: the number of bytes pointed to by @okm (must be less than 255*32) + * @s: salt + * @ssize: the number of bytes pointed to by @s + * @k: pointer to input key + * @ksize: the number of bytes pointed to by @k + * @info: pointer to info + * @isize: the number of bytes pointed to by @info + */ +void hkdf_sha256(unsigned char *okm, size_t okm_size, + const void *s, size_t ssize, + const void *k, size_t ksize, + const void *info, size_t isize); +#endif /* CCAN_CRYPTO_HKDF_SHA256_H */ diff --git a/ccan/crypto/hkdf_sha256/test/api-rfc5869.c b/ccan/crypto/hkdf_sha256/test/api-rfc5869.c new file mode 100644 index 00000000..3e3bdbfd --- /dev/null +++ b/ccan/crypto/hkdf_sha256/test/api-rfc5869.c @@ -0,0 +1,101 @@ +/* From RFC5869 Appendix A + * + * https://tools.ietf.org/html/rfc5869 + */ +#include +#include +#include +#include +#include + +struct test { + const char *ikm, *salt, *info, *okm; +}; + +static struct test tests[] = { { + /* Test Case 1 + Basic test case with SHA-256 + */ + "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b", /* (22 octets) */ + "000102030405060708090a0b0c", /* (13 octets) */ + "f0f1f2f3f4f5f6f7f8f9", /* (10 octets) */ + "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865", /* (42 octets) */ + }, + { + /* Test Case 2 + * + * Test with SHA-256 and longer inputs/outputs */ + "000102030405060708090a0b0c0d0e0f" + "101112131415161718191a1b1c1d1e1f" + "202122232425262728292a2b2c2d2e2f" + "303132333435363738393a3b3c3d3e3f" + "404142434445464748494a4b4c4d4e4f", /* (80 octets) */ + "606162636465666768696a6b6c6d6e6f" + "707172737475767778797a7b7c7d7e7f" + "808182838485868788898a8b8c8d8e8f" + "909192939495969798999a9b9c9d9e9f" + "a0a1a2a3a4a5a6a7a8a9aaabacadaeaf", /* (80 octets )*/ + "b0b1b2b3b4b5b6b7b8b9babbbcbdbebf" + "c0c1c2c3c4c5c6c7c8c9cacbcccdcecf" + "d0d1d2d3d4d5d6d7d8d9dadbdcdddedf" + "e0e1e2e3e4e5e6e7e8e9eaebecedeeef" + "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff", /* (80 octets) */ + "b11e398dc80327a1c8e7f78c596a4934" + "4f012eda2d4efad8a050cc4c19afa97c" + "59045a99cac7827271cb41c65e590e09" + "da3275600c2f09b8367793a9aca3db71" + "cc30c58179ec3e87c14c01d5c1f3434f" + "1d87" /* (82 octets) */ + }, + { + /* Test Case 3 + * + * Test with SHA-256 and zero-length salt/info + */ + "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b", /* (22 octets) */ + "", /* (0 octets) */ + "", /* (0 octets) */ + "8da4e775a563c18f715f802a063c5a31" + "b8a11f5c5ee1879ec3454e5f3c738d2d" + "9d201395faa4b61a96c8" /* (42 octets) */ + } +}; + +static void *fromhex(const char *str, size_t *len) +{ + void *p; + + *len = hex_data_size(strlen(str)); + p = malloc(*len); + if (!hex_decode(str, strlen(str), p, *len)) + abort(); + return p; +} + +int main(void) +{ + size_t i; + + plan_tests(sizeof(tests) / sizeof(tests[0])); + + for (i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) { + size_t ksize, ssize, isize, okmsize; + void *k, *s, *info, *expect, *okm; + + k = fromhex(tests[i].ikm, &ksize); + s = fromhex(tests[i].salt, &ssize); + info = fromhex(tests[i].info, &isize); + expect = fromhex(tests[i].okm, &okmsize); + okm = malloc(okmsize); + hkdf_sha256(okm, okmsize, s, ssize, k, ksize, info, isize); + ok1(memcmp(okm, expect, okmsize) == 0); + + free(k); + free(s); + free(info); + free(expect); + free(okm); + } + + return exit_status(); +}