| Thai Duong | 7689ed6 | 2015-03-20 16:50:18 -0700 | [diff] [blame^] | 1 | /* |
| 2 | * Copyright 2015 The Android Open Source Project |
| 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
| 16 | |
| 17 | #include "hmac.h" |
| 18 | #include "hkdf.h" |
| 19 | |
| 20 | #include <assert.h> |
| 21 | #include <keymaster/logger.h> |
| 22 | |
| 23 | namespace keymaster { |
| 24 | |
| 25 | const size_t kSHA256HashLength = 32; |
| 26 | |
| 27 | Rfc5869HmacSha256Kdf::Rfc5869HmacSha256Kdf(Buffer& secret, Buffer& salt, Buffer& info, |
| 28 | size_t key_bytes_to_generate) { |
| 29 | Rfc5869HmacSha256Kdf(secret.peek_read(), secret.available_read(), salt.peek_read(), |
| 30 | salt.available_read(), info.peek_read(), info.available_read(), |
| 31 | key_bytes_to_generate); |
| 32 | } |
| 33 | |
| 34 | Rfc5869HmacSha256Kdf::Rfc5869HmacSha256Kdf(const uint8_t* secret, size_t secret_len, |
| 35 | const uint8_t* salt, size_t salt_len, |
| 36 | const uint8_t* info, size_t info_len, |
| 37 | size_t key_bytes_to_generate) { |
| 38 | // https://tools.ietf.org/html/rfc5869#section-2.2 |
| 39 | Buffer actual_salt; |
| 40 | if (salt) { |
| 41 | actual_salt.Reinitialize(salt, salt_len); |
| 42 | } else { |
| 43 | char zeros[kSHA256HashLength]; |
| 44 | // If salt is not given, HashLength zeros are used. |
| 45 | memset(zeros, 0, sizeof(zeros)); |
| 46 | actual_salt.Reinitialize(zeros, sizeof(zeros)); |
| 47 | } |
| 48 | |
| 49 | // Step 1. Extract: PRK = HMAC-SHA256(actual_salt, secret) |
| 50 | // https://tools.ietf.org/html/rfc5869#section-2.2 |
| 51 | HmacSha256 prk_hmac; |
| 52 | bool result = prk_hmac.Init(actual_salt); |
| 53 | assert(result); |
| 54 | |
| 55 | // |prk| is a pseudorandom key (of kSHA256HashLength octets). |
| 56 | uint8_t prk[kSHA256HashLength]; |
| 57 | assert(sizeof(prk) == prk_hmac.DigestLength()); |
| 58 | result = prk_hmac.Sign(secret, secret_len, prk, sizeof(prk)); |
| 59 | assert(result); |
| 60 | |
| 61 | // Step 2. Expand: OUTPUT = HKDF-Expand(PRK, info) |
| 62 | // https://tools.ietf.org/html/rfc5869#section-2.3 |
| 63 | const size_t n = (key_bytes_to_generate + kSHA256HashLength - 1) / kSHA256HashLength; |
| 64 | assert(n < 256u); |
| 65 | |
| 66 | output_.Reinitialize(n * kSHA256HashLength); |
| 67 | uint8_t buf[kSHA256HashLength + info_len + 1]; |
| 68 | uint8_t digest[kSHA256HashLength]; |
| 69 | Buffer previous; |
| 70 | |
| 71 | HmacSha256 hmac; |
| 72 | result = hmac.Init(prk, sizeof(prk)); |
| 73 | assert(result); |
| 74 | |
| 75 | for (size_t i = 1; i <= n; i++) { |
| 76 | memcpy(buf, previous.peek_read(), previous.available_read()); |
| 77 | size_t j = previous.available_read(); |
| 78 | memcpy(buf + j, info, info_len); |
| 79 | j += info_len; |
| 80 | buf[j++] = static_cast<uint8_t>(i); |
| 81 | result = hmac.Sign(buf, j, digest, sizeof(digest)); |
| 82 | assert(result); |
| 83 | output_.write(digest, sizeof(digest)); |
| 84 | previous.Reinitialize(reinterpret_cast<uint8_t*>(digest), sizeof(digest)); |
| 85 | } |
| 86 | |
| 87 | if (key_bytes_to_generate) |
| 88 | secret_key_.Reinitialize(output_.peek_read(), key_bytes_to_generate); |
| 89 | } |
| 90 | |
| 91 | } // namespace keymaster |