/* HMAC-KDF-Extract.
* RFC 5869 - HMAC-based Extract-and-Expand Key Derivation Function (HKDF).
*
* type The hash algorithm type.
* salt The optional salt value.
* saltSz The size of the salt.
* inKey The input keying material.
* inKeySz The size of the input keying material.
* out The pseudorandom key with the length that of the hash.
* returns 0 on success, otherwise failure.
*/
int wc_HKDF_Extract(int type, const byte* salt, word32 saltSz,
const byte* inKey, word32 inKeySz, byte* out)
{
byte tmp[WC_MAX_DIGEST_SIZE]; /* localSalt helper */
Hmac myHmac;
int ret;
const byte* localSalt; /* either points to user input or tmp */
int hashSz;
ret = wc_HmacSizeByType(type);
if (ret < 0)
return ret;
hashSz = ret;
localSalt = salt;
if (localSalt == NULL) {
XMEMSET(tmp, 0, hashSz);
localSalt = tmp;
saltSz = hashSz;
}
ret = wc_HmacInit(&myHmac, NULL, INVALID_DEVID);
if (ret == 0) {
ret = wc_HmacSetKey(&myHmac, type, localSalt, saltSz);
if (ret == 0)
ret = wc_HmacUpdate(&myHmac, inKey, inKeySz);
if (ret == 0)
ret = wc_HmacFinal(&myHmac, out);
wc_HmacFree(&myHmac);
}
return ret;
}
/* HMAC-KDF-Expand.
* RFC 5869 - HMAC-based Extract-and-Expand Key Derivation Function (HKDF).
*
* type The hash algorithm type.
* inKey The input key.
* inKeySz The size of the input key.
* info The application specific information.
* infoSz The size of the application specific information.
* out The output keying material.
* returns 0 on success, otherwise failure.
*/
int wc_HKDF_Expand(int type, const byte* inKey, word32 inKeySz,
const byte* info, word32 infoSz, byte* out, word32 outSz)
{
byte tmp[WC_MAX_DIGEST_SIZE];
Hmac myHmac;
int ret = 0;
word32 outIdx = 0;
word32 hashSz = wc_HmacSizeByType(type);
byte n = 0x1;
ret = wc_HmacInit(&myHmac, NULL, INVALID_DEVID);
if (ret != 0)
return ret;
while (outIdx < outSz) {
int tmpSz = (n == 1) ? 0 : hashSz;
word32 left = outSz - outIdx;
ret = wc_HmacSetKey(&myHmac, type, inKey, inKeySz);
if (ret != 0)
break;
ret = wc_HmacUpdate(&myHmac, tmp, tmpSz);
if (ret != 0)
break;
ret = wc_HmacUpdate(&myHmac, info, infoSz);
if (ret != 0)
break;
ret = wc_HmacUpdate(&myHmac, &n, 1);
if (ret != 0)
break;
ret = wc_HmacFinal(&myHmac, tmp);
if (ret != 0)
break;
left = min(left, hashSz);
XMEMCPY(out+outIdx, tmp, left);
outIdx += hashSz;
n++;
}
wc_HmacFree(&myHmac);
return ret;
}
int wc_HmacSetKey(Hmac* hmac, int type, const byte* key, word32 length)
{
byte* ip;
byte* op;
word32 i, hmac_block_size = 0;
int ret = 0;
void* heap = NULL;
if (hmac == NULL || (key == NULL && length != 0) ||
!(type == WC_MD5 || type == WC_SHA ||
type == WC_SHA224 || type == WC_SHA256 ||
type == WC_SHA384 || type == WC_SHA512 ||
type == WC_SHA3_224 || type == WC_SHA3_256 ||
type == WC_SHA3_384 || type == WC_SHA3_512 ||
type == BLAKE2B_ID)) {
return BAD_FUNC_ARG;
}
/* if set key has already been run then make sure and free existing */
if (hmac->macType != 0) {
wc_HmacFree(hmac);
}
hmac->innerHashKeyed = 0;
hmac->macType = (byte)type;
ret = _InitHmac(hmac, type, heap);
if (ret != 0)
return ret;
#ifdef HAVE_FIPS
if (length < HMAC_FIPS_MIN_KEY)
return HMAC_MIN_KEYLEN_E;
#endif
#ifdef WOLF_CRYPTO_CB
hmac->keyRaw = key; /* use buffer directly */
hmac->keyLen = length;
#endif
ip = (byte*)hmac->ipad;
op = (byte*)hmac->opad;
switch (hmac->macType) {
#ifndef NO_MD5
case WC_MD5:
hmac_block_size = WC_MD5_BLOCK_SIZE;
if (length <= WC_MD5_BLOCK_SIZE) {
if (key != NULL) {
XMEMCPY(ip, key, length);
}
}
else {
ret = wc_Md5Update(&hmac->hash.md5, key, length);
if (ret != 0)
break;
ret = wc_Md5Final(&hmac->hash.md5, ip);
if (ret != 0)
break;
length = WC_MD5_DIGEST_SIZE;
}
break;
#endif /* !NO_MD5 */
#ifndef NO_SHA
case WC_SHA:
hmac_block_size = WC_SHA_BLOCK_SIZE;
if (length <= WC_SHA_BLOCK_SIZE) {
if (key != NULL) {
XMEMCPY(ip, key, length);
}
}
else {
ret = wc_ShaUpdate(&hmac->hash.sha, key, length);
if (ret != 0)
break;
ret = wc_ShaFinal(&hmac->hash.sha, ip);
if (ret != 0)
break;
length = WC_SHA_DIGEST_SIZE;
}
break;
#endif /* !NO_SHA */
#ifdef WOLFSSL_SHA224
case WC_SHA224:
{
hmac_block_size = WC_SHA224_BLOCK_SIZE;
if (length <= WC_SHA224_BLOCK_SIZE) {
if (key != NULL) {
XMEMCPY(ip, key, length);
}
}
else {
ret = wc_Sha224Update(&hmac->hash.sha224, key, length);
if (ret != 0)
break;
ret = wc_Sha224Final(&hmac->hash.sha224, ip);
if (ret != 0)
break;
length = WC_SHA224_DIGEST_SIZE;
}
}
break;
#endif /* WOLFSSL_SHA224 */
#ifndef NO_SHA256
case WC_SHA256:
hmac_block_size = WC_SHA256_BLOCK_SIZE;
if (length <= WC_SHA256_BLOCK_SIZE) {
if (key != NULL) {
XMEMCPY(ip, key, length);
}
}
else {
ret = wc_Sha256Update(&hmac->hash.sha256, key, length);
if (ret != 0)
break;
ret = wc_Sha256Final(&hmac->hash.sha256, ip);
if (ret != 0)
break;
length = WC_SHA256_DIGEST_SIZE;
}
break;
#endif /* !NO_SHA256 */
#ifdef WOLFSSL_SHA384
case WC_SHA384:
hmac_block_size = WC_SHA384_BLOCK_SIZE;
if (length <= WC_SHA384_BLOCK_SIZE) {
if (key != NULL) {
XMEMCPY(ip, key, length);
}
}
else {
ret = wc_Sha384Update(&hmac->hash.sha384, key, length);
if (ret != 0)
break;
ret = wc_Sha384Final(&hmac->hash.sha384, ip);
if (ret != 0)
break;
length = WC_SHA384_DIGEST_SIZE;
}
break;
#endif /* WOLFSSL_SHA384 */
#ifdef WOLFSSL_SHA512
case WC_SHA512:
hmac_block_size = WC_SHA512_BLOCK_SIZE;
if (length <= WC_SHA512_BLOCK_SIZE) {
if (key != NULL) {
XMEMCPY(ip, key, length);
}
}
else {
ret = wc_Sha512Update(&hmac->hash.sha512, key, length);
if (ret != 0)
break;
ret = wc_Sha512Final(&hmac->hash.sha512, ip);
if (ret != 0)
break;
length = WC_SHA512_DIGEST_SIZE;
}
break;
#endif /* WOLFSSL_SHA512 */
#ifdef HAVE_BLAKE2
case BLAKE2B_ID:
hmac_block_size = BLAKE2B_BLOCKBYTES;
if (length <= BLAKE2B_BLOCKBYTES) {
if (key != NULL) {
XMEMCPY(ip, key, length);
}
}
else {
ret = wc_Blake2bUpdate(&hmac->hash.blake2b, key, length);
if (ret != 0)
break;
ret = wc_Blake2bFinal(&hmac->hash.blake2b, ip, BLAKE2B_256);
if (ret != 0)
break;
length = BLAKE2B_256;
}
break;
#endif /* HAVE_BLAKE2 */
#ifdef WOLFSSL_SHA3
#ifndef WOLFSSL_NOSHA3_224
case WC_SHA3_224:
hmac_block_size = WC_SHA3_224_BLOCK_SIZE;
if (length <= WC_SHA3_224_BLOCK_SIZE) {
if (key != NULL) {
XMEMCPY(ip, key, length);
}
}
else {
ret = wc_Sha3_224_Update(&hmac->hash.sha3, key, length);
if (ret != 0)
break;
ret = wc_Sha3_224_Final(&hmac->hash.sha3, ip);
if (ret != 0)
break;
length = WC_SHA3_224_DIGEST_SIZE;
}
break;
#endif
#ifndef WOLFSSL_NOSHA3_256
case WC_SHA3_256:
hmac_block_size = WC_SHA3_256_BLOCK_SIZE;
if (length <= WC_SHA3_256_BLOCK_SIZE) {
if (key != NULL) {
XMEMCPY(ip, key, length);
}
}
else {
ret = wc_Sha3_256_Update(&hmac->hash.sha3, key, length);
if (ret != 0)
break;
ret = wc_Sha3_256_Final(&hmac->hash.sha3, ip);
if (ret != 0)
break;
length = WC_SHA3_256_DIGEST_SIZE;
}
break;
#endif
#ifndef WOLFSSL_NOSHA3_384
case WC_SHA3_384:
hmac_block_size = WC_SHA3_384_BLOCK_SIZE;
if (length <= WC_SHA3_384_BLOCK_SIZE) {
if (key != NULL) {
XMEMCPY(ip, key, length);
}
}
else {
ret = wc_Sha3_384_Update(&hmac->hash.sha3, key, length);
if (ret != 0)
break;
ret = wc_Sha3_384_Final(&hmac->hash.sha3, ip);
if (ret != 0)
break;
length = WC_SHA3_384_DIGEST_SIZE;
}
break;
#endif
#ifndef WOLFSSL_NOSHA3_512
case WC_SHA3_512:
hmac_block_size = WC_SHA3_512_BLOCK_SIZE;
if (length <= WC_SHA3_512_BLOCK_SIZE) {
if (key != NULL) {
XMEMCPY(ip, key, length);
}
}
else {
ret = wc_Sha3_512_Update(&hmac->hash.sha3, key, length);
if (ret != 0)
break;
ret = wc_Sha3_512_Final(&hmac->hash.sha3, ip);
if (ret != 0)
break;
length = WC_SHA3_512_DIGEST_SIZE;
}
break;
#endif
#endif /* WOLFSSL_SHA3 */
default:
return BAD_FUNC_ARG;
}
#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_HMAC)
if (hmac->asyncDev.marker == WOLFSSL_ASYNC_MARKER_HMAC) {
#if defined(HAVE_INTEL_QA) || defined(HAVE_CAVIUM)
#ifdef HAVE_INTEL_QA
if (IntelQaHmacGetType(hmac->macType, NULL) == 0)
#endif
{
if (length > hmac_block_size)
length = hmac_block_size;
/* update key length */
hmac->keyLen = (word16)length;
return ret;
}
/* no need to pad below */
#endif
}
#endif
if (ret == 0) {
if (length < hmac_block_size)
XMEMSET(ip + length, 0, hmac_block_size - length);
for(i = 0; i < hmac_block_size; i++) {
op[i] = ip[i] ^ OPAD;
ip[i] ^= IPAD;
}
}
return ret;
}
int wc_PBKDF2(byte* output, const byte* passwd, int pLen, const byte* salt,
int sLen, int iterations, int kLen, int hashType)
{
word32 i = 1;
int hLen;
int j, ret;
Hmac hmac;
#ifdef WOLFSSL_SMALL_STACK
byte* buffer;
#else
byte buffer[MAX_DIGEST_SIZE];
#endif
hLen = GetDigestSize(hashType);
if (hLen < 0)
return BAD_FUNC_ARG;
#ifdef WOLFSSL_SMALL_STACK
buffer = (byte*)XMALLOC(MAX_DIGEST_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
if (buffer == NULL)
return MEMORY_E;
#endif
ret = wc_HmacInit(&hmac, NULL, INVALID_DEVID);
if (ret == 0) {
ret = wc_HmacSetKey(&hmac, hashType, passwd, pLen);
while (ret == 0 && kLen) {
int currentLen;
ret = wc_HmacUpdate(&hmac, salt, sLen);
if (ret != 0)
break;
/* encode i */
for (j = 0; j < 4; j++) {
byte b = (byte)(i >> ((3-j) * 8));
ret = wc_HmacUpdate(&hmac, &b, 1);
if (ret != 0)
break;
}
/* check ret from inside for loop */
if (ret != 0)
break;
ret = wc_HmacFinal(&hmac, buffer);
if (ret != 0)
break;
currentLen = min(kLen, hLen);
XMEMCPY(output, buffer, currentLen);
for (j = 1; j < iterations; j++) {
ret = wc_HmacUpdate(&hmac, buffer, hLen);
if (ret != 0)
break;
ret = wc_HmacFinal(&hmac, buffer);
if (ret != 0)
break;
xorbuf(output, buffer, currentLen);
}
/* check ret from inside for loop */
if (ret != 0)
break;
output += currentLen;
kLen -= currentLen;
i++;
}
wc_HmacFree(&hmac);
}
