blob: 23b60afe0ee8f866e1420f9bffd5eb7241c6e3ee [file] [log] [blame]
Adam Langleyd9e397b2015-01-22 14:27:53 -08001/* Copyright (c) 2014, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15#include <openssl/hkdf.h>
16
17#include <assert.h>
18#include <string.h>
19
20#include <openssl/err.h>
21#include <openssl/hmac.h>
22
Robert Sloan69939df2017-01-09 10:53:07 -080023#include "../internal.h"
24
Adam Langleyd9e397b2015-01-22 14:27:53 -080025
David Benjamind316cba2016-06-02 16:17:39 -040026int HKDF(uint8_t *out_key, size_t out_len, const EVP_MD *digest,
27 const uint8_t *secret, size_t secret_len, const uint8_t *salt,
28 size_t salt_len, const uint8_t *info, size_t info_len) {
Robert Sloan8f860b12017-08-28 07:37:06 -070029 // https://tools.ietf.org/html/rfc5869#section-2
David Benjamind316cba2016-06-02 16:17:39 -040030 uint8_t prk[EVP_MAX_MD_SIZE];
31 size_t prk_len;
32
33 if (!HKDF_extract(prk, &prk_len, digest, secret, secret_len, salt,
34 salt_len) ||
35 !HKDF_expand(out_key, out_len, digest, prk, prk_len, info, info_len)) {
36 return 0;
37 }
38
39 return 1;
40}
41
42int HKDF_extract(uint8_t *out_key, size_t *out_len, const EVP_MD *digest,
43 const uint8_t *secret, size_t secret_len, const uint8_t *salt,
44 size_t salt_len) {
Robert Sloan8f860b12017-08-28 07:37:06 -070045 // https://tools.ietf.org/html/rfc5869#section-2.2
Adam Langleyd9e397b2015-01-22 14:27:53 -080046
Robert Sloan8f860b12017-08-28 07:37:06 -070047 // If salt is not given, HashLength zeros are used. However, HMAC does that
48 // internally already so we can ignore it.
David Benjamind316cba2016-06-02 16:17:39 -040049 unsigned len;
50 if (HMAC(digest, salt, salt_len, secret, secret_len, out_key, &len) == NULL) {
51 OPENSSL_PUT_ERROR(HKDF, ERR_R_HMAC_LIB);
52 return 0;
53 }
54 *out_len = len;
55 assert(*out_len == EVP_MD_size(digest));
56 return 1;
57}
58
59int HKDF_expand(uint8_t *out_key, size_t out_len, const EVP_MD *digest,
David Benjaminc895d6b2016-08-11 13:26:41 -040060 const uint8_t *prk, size_t prk_len, const uint8_t *info,
David Benjamind316cba2016-06-02 16:17:39 -040061 size_t info_len) {
Robert Sloan8f860b12017-08-28 07:37:06 -070062 // https://tools.ietf.org/html/rfc5869#section-2.3
David Benjamind316cba2016-06-02 16:17:39 -040063 const size_t digest_len = EVP_MD_size(digest);
64 uint8_t previous[EVP_MAX_MD_SIZE];
65 size_t n, done = 0;
66 unsigned i;
67 int ret = 0;
68 HMAC_CTX hmac;
Adam Langleyd9e397b2015-01-22 14:27:53 -080069
Robert Sloan8f860b12017-08-28 07:37:06 -070070 // Expand key material to desired length.
Adam Langleyd9e397b2015-01-22 14:27:53 -080071 n = (out_len + digest_len - 1) / digest_len;
72 if (out_len + digest_len < out_len || n > 255) {
Kenny Rootb8494592015-09-25 02:29:14 +000073 OPENSSL_PUT_ERROR(HKDF, HKDF_R_OUTPUT_TOO_LARGE);
Adam Langleyd9e397b2015-01-22 14:27:53 -080074 return 0;
75 }
76
77 HMAC_CTX_init(&hmac);
Adam Langleyd9e397b2015-01-22 14:27:53 -080078 if (!HMAC_Init_ex(&hmac, prk, prk_len, digest, NULL)) {
79 goto out;
80 }
81
82 for (i = 0; i < n; i++) {
83 uint8_t ctr = i + 1;
84 size_t todo;
85
86 if (i != 0 && (!HMAC_Init_ex(&hmac, NULL, 0, NULL, NULL) ||
87 !HMAC_Update(&hmac, previous, digest_len))) {
88 goto out;
89 }
90 if (!HMAC_Update(&hmac, info, info_len) ||
91 !HMAC_Update(&hmac, &ctr, 1) ||
92 !HMAC_Final(&hmac, previous, NULL)) {
93 goto out;
94 }
95
96 todo = digest_len;
97 if (done + todo > out_len) {
98 todo = out_len - done;
99 }
Robert Sloan69939df2017-01-09 10:53:07 -0800100 OPENSSL_memcpy(out_key + done, previous, todo);
Adam Langleyd9e397b2015-01-22 14:27:53 -0800101 done += todo;
102 }
103
104 ret = 1;
105
106out:
107 HMAC_CTX_cleanup(&hmac);
108 if (ret != 1) {
Kenny Rootb8494592015-09-25 02:29:14 +0000109 OPENSSL_PUT_ERROR(HKDF, ERR_R_HMAC_LIB);
Adam Langleyd9e397b2015-01-22 14:27:53 -0800110 }
111 return ret;
112}