/* HMAC-KDF-Extract. * RFC 5869 - HMAC-based Extract-and-Expand Key Derivation Function (HKDF). * * type The hash algorithm type. * salt The optional salt value. * saltSz The size of the salt. * inKey The input keying material. * inKeySz The size of the input keying material. * out The pseudorandom key with the length that of the hash. * returns 0 on success, otherwise failure. */ int wc_HKDF_Extract(int type, const byte* salt, word32 saltSz, const byte* inKey, word32 inKeySz, byte* out) { byte tmp[WC_MAX_DIGEST_SIZE]; /* localSalt helper */ Hmac myHmac; int ret; const byte* localSalt; /* either points to user input or tmp */ int hashSz; ret = wc_HmacSizeByType(type); if (ret < 0) return ret; hashSz = ret; localSalt = salt; if (localSalt == NULL) { XMEMSET(tmp, 0, hashSz); localSalt = tmp; saltSz = hashSz; } ret = wc_HmacInit(&myHmac, NULL, INVALID_DEVID); if (ret == 0) { ret = wc_HmacSetKey(&myHmac, type, localSalt, saltSz); if (ret == 0) ret = wc_HmacUpdate(&myHmac, inKey, inKeySz); if (ret == 0) ret = wc_HmacFinal(&myHmac, out); wc_HmacFree(&myHmac); } return ret; }
/* HMAC-KDF-Expand. * RFC 5869 - HMAC-based Extract-and-Expand Key Derivation Function (HKDF). * * type The hash algorithm type. * inKey The input key. * inKeySz The size of the input key. * info The application specific information. * infoSz The size of the application specific information. * out The output keying material. * returns 0 on success, otherwise failure. */ int wc_HKDF_Expand(int type, const byte* inKey, word32 inKeySz, const byte* info, word32 infoSz, byte* out, word32 outSz) { byte tmp[WC_MAX_DIGEST_SIZE]; Hmac myHmac; int ret = 0; word32 outIdx = 0; word32 hashSz = wc_HmacSizeByType(type); byte n = 0x1; ret = wc_HmacInit(&myHmac, NULL, INVALID_DEVID); if (ret != 0) return ret; while (outIdx < outSz) { int tmpSz = (n == 1) ? 0 : hashSz; word32 left = outSz - outIdx; ret = wc_HmacSetKey(&myHmac, type, inKey, inKeySz); if (ret != 0) break; ret = wc_HmacUpdate(&myHmac, tmp, tmpSz); if (ret != 0) break; ret = wc_HmacUpdate(&myHmac, info, infoSz); if (ret != 0) break; ret = wc_HmacUpdate(&myHmac, &n, 1); if (ret != 0) break; ret = wc_HmacFinal(&myHmac, tmp); if (ret != 0) break; left = min(left, hashSz); XMEMCPY(out+outIdx, tmp, left); outIdx += hashSz; n++; } wc_HmacFree(&myHmac); return ret; }
int wc_HmacSetKey(Hmac* hmac, int type, const byte* key, word32 length) { byte* ip; byte* op; word32 i, hmac_block_size = 0; int ret = 0; void* heap = NULL; if (hmac == NULL || (key == NULL && length != 0) || !(type == WC_MD5 || type == WC_SHA || type == WC_SHA224 || type == WC_SHA256 || type == WC_SHA384 || type == WC_SHA512 || type == WC_SHA3_224 || type == WC_SHA3_256 || type == WC_SHA3_384 || type == WC_SHA3_512 || type == BLAKE2B_ID)) { return BAD_FUNC_ARG; } /* if set key has already been run then make sure and free existing */ if (hmac->macType != 0) { wc_HmacFree(hmac); } hmac->innerHashKeyed = 0; hmac->macType = (byte)type; ret = _InitHmac(hmac, type, heap); if (ret != 0) return ret; #ifdef HAVE_FIPS if (length < HMAC_FIPS_MIN_KEY) return HMAC_MIN_KEYLEN_E; #endif #ifdef WOLF_CRYPTO_CB hmac->keyRaw = key; /* use buffer directly */ hmac->keyLen = length; #endif ip = (byte*)hmac->ipad; op = (byte*)hmac->opad; switch (hmac->macType) { #ifndef NO_MD5 case WC_MD5: hmac_block_size = WC_MD5_BLOCK_SIZE; if (length <= WC_MD5_BLOCK_SIZE) { if (key != NULL) { XMEMCPY(ip, key, length); } } else { ret = wc_Md5Update(&hmac->hash.md5, key, length); if (ret != 0) break; ret = wc_Md5Final(&hmac->hash.md5, ip); if (ret != 0) break; length = WC_MD5_DIGEST_SIZE; } break; #endif /* !NO_MD5 */ #ifndef NO_SHA case WC_SHA: hmac_block_size = WC_SHA_BLOCK_SIZE; if (length <= WC_SHA_BLOCK_SIZE) { if (key != NULL) { XMEMCPY(ip, key, length); } } else { ret = wc_ShaUpdate(&hmac->hash.sha, key, length); if (ret != 0) break; ret = wc_ShaFinal(&hmac->hash.sha, ip); if (ret != 0) break; length = WC_SHA_DIGEST_SIZE; } break; #endif /* !NO_SHA */ #ifdef WOLFSSL_SHA224 case WC_SHA224: { hmac_block_size = WC_SHA224_BLOCK_SIZE; if (length <= WC_SHA224_BLOCK_SIZE) { if (key != NULL) { XMEMCPY(ip, key, length); } } else { ret = wc_Sha224Update(&hmac->hash.sha224, key, length); if (ret != 0) break; ret = wc_Sha224Final(&hmac->hash.sha224, ip); if (ret != 0) break; length = WC_SHA224_DIGEST_SIZE; } } break; #endif /* WOLFSSL_SHA224 */ #ifndef NO_SHA256 case WC_SHA256: hmac_block_size = WC_SHA256_BLOCK_SIZE; if (length <= WC_SHA256_BLOCK_SIZE) { if (key != NULL) { XMEMCPY(ip, key, length); } } else { ret = wc_Sha256Update(&hmac->hash.sha256, key, length); if (ret != 0) break; ret = wc_Sha256Final(&hmac->hash.sha256, ip); if (ret != 0) break; length = WC_SHA256_DIGEST_SIZE; } break; #endif /* !NO_SHA256 */ #ifdef WOLFSSL_SHA384 case WC_SHA384: hmac_block_size = WC_SHA384_BLOCK_SIZE; if (length <= WC_SHA384_BLOCK_SIZE) { if (key != NULL) { XMEMCPY(ip, key, length); } } else { ret = wc_Sha384Update(&hmac->hash.sha384, key, length); if (ret != 0) break; ret = wc_Sha384Final(&hmac->hash.sha384, ip); if (ret != 0) break; length = WC_SHA384_DIGEST_SIZE; } break; #endif /* WOLFSSL_SHA384 */ #ifdef WOLFSSL_SHA512 case WC_SHA512: hmac_block_size = WC_SHA512_BLOCK_SIZE; if (length <= WC_SHA512_BLOCK_SIZE) { if (key != NULL) { XMEMCPY(ip, key, length); } } else { ret = wc_Sha512Update(&hmac->hash.sha512, key, length); if (ret != 0) break; ret = wc_Sha512Final(&hmac->hash.sha512, ip); if (ret != 0) break; length = WC_SHA512_DIGEST_SIZE; } break; #endif /* WOLFSSL_SHA512 */ #ifdef HAVE_BLAKE2 case BLAKE2B_ID: hmac_block_size = BLAKE2B_BLOCKBYTES; if (length <= BLAKE2B_BLOCKBYTES) { if (key != NULL) { XMEMCPY(ip, key, length); } } else { ret = wc_Blake2bUpdate(&hmac->hash.blake2b, key, length); if (ret != 0) break; ret = wc_Blake2bFinal(&hmac->hash.blake2b, ip, BLAKE2B_256); if (ret != 0) break; length = BLAKE2B_256; } break; #endif /* HAVE_BLAKE2 */ #ifdef WOLFSSL_SHA3 #ifndef WOLFSSL_NOSHA3_224 case WC_SHA3_224: hmac_block_size = WC_SHA3_224_BLOCK_SIZE; if (length <= WC_SHA3_224_BLOCK_SIZE) { if (key != NULL) { XMEMCPY(ip, key, length); } } else { ret = wc_Sha3_224_Update(&hmac->hash.sha3, key, length); if (ret != 0) break; ret = wc_Sha3_224_Final(&hmac->hash.sha3, ip); if (ret != 0) break; length = WC_SHA3_224_DIGEST_SIZE; } break; #endif #ifndef WOLFSSL_NOSHA3_256 case WC_SHA3_256: hmac_block_size = WC_SHA3_256_BLOCK_SIZE; if (length <= WC_SHA3_256_BLOCK_SIZE) { if (key != NULL) { XMEMCPY(ip, key, length); } } else { ret = wc_Sha3_256_Update(&hmac->hash.sha3, key, length); if (ret != 0) break; ret = wc_Sha3_256_Final(&hmac->hash.sha3, ip); if (ret != 0) break; length = WC_SHA3_256_DIGEST_SIZE; } break; #endif #ifndef WOLFSSL_NOSHA3_384 case WC_SHA3_384: hmac_block_size = WC_SHA3_384_BLOCK_SIZE; if (length <= WC_SHA3_384_BLOCK_SIZE) { if (key != NULL) { XMEMCPY(ip, key, length); } } else { ret = wc_Sha3_384_Update(&hmac->hash.sha3, key, length); if (ret != 0) break; ret = wc_Sha3_384_Final(&hmac->hash.sha3, ip); if (ret != 0) break; length = WC_SHA3_384_DIGEST_SIZE; } break; #endif #ifndef WOLFSSL_NOSHA3_512 case WC_SHA3_512: hmac_block_size = WC_SHA3_512_BLOCK_SIZE; if (length <= WC_SHA3_512_BLOCK_SIZE) { if (key != NULL) { XMEMCPY(ip, key, length); } } else { ret = wc_Sha3_512_Update(&hmac->hash.sha3, key, length); if (ret != 0) break; ret = wc_Sha3_512_Final(&hmac->hash.sha3, ip); if (ret != 0) break; length = WC_SHA3_512_DIGEST_SIZE; } break; #endif #endif /* WOLFSSL_SHA3 */ default: return BAD_FUNC_ARG; } #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_HMAC) if (hmac->asyncDev.marker == WOLFSSL_ASYNC_MARKER_HMAC) { #if defined(HAVE_INTEL_QA) || defined(HAVE_CAVIUM) #ifdef HAVE_INTEL_QA if (IntelQaHmacGetType(hmac->macType, NULL) == 0) #endif { if (length > hmac_block_size) length = hmac_block_size; /* update key length */ hmac->keyLen = (word16)length; return ret; } /* no need to pad below */ #endif } #endif if (ret == 0) { if (length < hmac_block_size) XMEMSET(ip + length, 0, hmac_block_size - length); for(i = 0; i < hmac_block_size; i++) { op[i] = ip[i] ^ OPAD; ip[i] ^= IPAD; } } return ret; }
int wc_PBKDF2(byte* output, const byte* passwd, int pLen, const byte* salt, int sLen, int iterations, int kLen, int hashType) { word32 i = 1; int hLen; int j, ret; Hmac hmac; #ifdef WOLFSSL_SMALL_STACK byte* buffer; #else byte buffer[MAX_DIGEST_SIZE]; #endif hLen = GetDigestSize(hashType); if (hLen < 0) return BAD_FUNC_ARG; #ifdef WOLFSSL_SMALL_STACK buffer = (byte*)XMALLOC(MAX_DIGEST_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (buffer == NULL) return MEMORY_E; #endif ret = wc_HmacInit(&hmac, NULL, INVALID_DEVID); if (ret == 0) { ret = wc_HmacSetKey(&hmac, hashType, passwd, pLen); while (ret == 0 && kLen) { int currentLen; ret = wc_HmacUpdate(&hmac, salt, sLen); if (ret != 0) break; /* encode i */ for (j = 0; j < 4; j++) { byte b = (byte)(i >> ((3-j) * 8)); ret = wc_HmacUpdate(&hmac, &b, 1); if (ret != 0) break; } /* check ret from inside for loop */ if (ret != 0) break; ret = wc_HmacFinal(&hmac, buffer); if (ret != 0) break; currentLen = min(kLen, hLen); XMEMCPY(output, buffer, currentLen); for (j = 1; j < iterations; j++) { ret = wc_HmacUpdate(&hmac, buffer, hLen); if (ret != 0) break; ret = wc_HmacFinal(&hmac, buffer); if (ret != 0) break; xorbuf(output, buffer, currentLen); } /* check ret from inside for loop */ if (ret != 0) break; output += currentLen; kLen -= currentLen; i++; } wc_HmacFree(&hmac); }