/* HMAC-KDF-Extract. * RFC 5869 - HMAC-based Extract-and-Expand Key Derivation Function (HKDF). * * type The hash algorithm type. * salt The optional salt value. * saltSz The size of the salt. * inKey The input keying material. * inKeySz The size of the input keying material. * out The pseudorandom key with the length that of the hash. * returns 0 on success, otherwise failure. */ int wc_HKDF_Extract(int type, const byte* salt, word32 saltSz, const byte* inKey, word32 inKeySz, byte* out) { byte tmp[MAX_DIGEST_SIZE]; /* localSalt helper */ Hmac myHmac; int ret; const byte* localSalt; /* either points to user input or tmp */ int hashSz; ret = wc_HmacSizeByType(type); if (ret < 0) return ret; hashSz = ret; localSalt = salt; if (localSalt == NULL) { XMEMSET(tmp, 0, hashSz); localSalt = tmp; saltSz = hashSz; } ret = wc_HmacSetKey(&myHmac, type, localSalt, saltSz); if (ret == 0) ret = wc_HmacUpdate(&myHmac, inKey, inKeySz); if (ret == 0) ret = wc_HmacFinal(&myHmac, out); return ret; }
/* HMAC-KDF-Expand. * RFC 5869 - HMAC-based Extract-and-Expand Key Derivation Function (HKDF). * * type The hash algorithm type. * inKey The input key. * inKeySz The size of the input key. * info The application specific information. * infoSz The size of the application specific information. * out The output keying material. * returns 0 on success, otherwise failure. */ int wc_HKDF_Expand(int type, const byte* inKey, word32 inKeySz, const byte* info, word32 infoSz, byte* out, word32 outSz) { byte tmp[WC_MAX_DIGEST_SIZE]; Hmac myHmac; int ret = 0; word32 outIdx = 0; word32 hashSz = wc_HmacSizeByType(type); byte n = 0x1; ret = wc_HmacInit(&myHmac, NULL, INVALID_DEVID); if (ret != 0) return ret; while (outIdx < outSz) { int tmpSz = (n == 1) ? 0 : hashSz; word32 left = outSz - outIdx; ret = wc_HmacSetKey(&myHmac, type, inKey, inKeySz); if (ret != 0) break; ret = wc_HmacUpdate(&myHmac, tmp, tmpSz); if (ret != 0) break; ret = wc_HmacUpdate(&myHmac, info, infoSz); if (ret != 0) break; ret = wc_HmacUpdate(&myHmac, &n, 1); if (ret != 0) break; ret = wc_HmacFinal(&myHmac, tmp); if (ret != 0) break; left = min(left, hashSz); XMEMCPY(out+outIdx, tmp, left); outIdx += hashSz; n++; } wc_HmacFree(&myHmac); return ret; }
/* HMAC-KDF. * RFC 5869 - HMAC-based Extract-and-Expand Key Derivation Function (HKDF). * * type The hash algorithm type. * inKey The input keying material. * inKeySz The size of the input keying material. * salt The optional salt value. * saltSz The size of the salt. * info The application specific information. * infoSz The size of the application specific information. * out The output keying material. * returns 0 on success, otherwise failure. */ int wc_HKDF(int type, const byte* inKey, word32 inKeySz, const byte* salt, word32 saltSz, const byte* info, word32 infoSz, byte* out, word32 outSz) { byte prk[MAX_DIGEST_SIZE]; int hashSz = wc_HmacSizeByType(type); int ret; if (hashSz < 0) return BAD_FUNC_ARG; ret = wc_HKDF_Extract(type, salt, saltSz, inKey, inKeySz, prk); if (ret != 0) return ret; return wc_HKDF_Expand(type, prk, hashSz, info, infoSz, out, outSz); }
int wc_HmacFinal(Hmac* hmac, byte* hash) { int ret; if (hmac == NULL || hash == NULL) { return BAD_FUNC_ARG; } #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_HMAC) if (hmac->asyncDev.marker == WOLFSSL_ASYNC_MARKER_HMAC) { int hashLen = wc_HmacSizeByType(hmac->macType); if (hashLen <= 0) return hashLen; #if defined(HAVE_CAVIUM) return NitroxHmacFinal(hmac, hmac->macType, hash, hashLen); #elif defined(HAVE_INTEL_QA) return IntelQaHmac(&hmac->asyncDev, hmac->macType, (byte*)hmac->ipad, hmac->keyLen, hash, NULL, hashLen); #endif } #endif /* WOLFSSL_ASYNC_CRYPT */ if (!hmac->innerHashKeyed) { ret = HmacKeyInnerHash(hmac); if (ret != 0) return ret; } switch (hmac->macType) { #ifndef NO_MD5 case MD5: ret = wc_Md5Final(&hmac->hash.md5, (byte*)hmac->innerHash); if (ret != 0) break; ret = wc_Md5Update(&hmac->hash.md5, (byte*)hmac->opad, MD5_BLOCK_SIZE); if (ret != 0) break; ret = wc_Md5Update(&hmac->hash.md5, (byte*)hmac->innerHash, MD5_DIGEST_SIZE); if (ret != 0) break; ret = wc_Md5Final(&hmac->hash.md5, hash); break; #endif /* !NO_MD5 */ #ifndef NO_SHA case SHA: ret = wc_ShaFinal(&hmac->hash.sha, (byte*)hmac->innerHash); if (ret != 0) break; ret = wc_ShaUpdate(&hmac->hash.sha, (byte*)hmac->opad, SHA_BLOCK_SIZE); if (ret != 0) break; ret = wc_ShaUpdate(&hmac->hash.sha, (byte*)hmac->innerHash, SHA_DIGEST_SIZE); if (ret != 0) break; ret = wc_ShaFinal(&hmac->hash.sha, hash); break; #endif /* !NO_SHA */ #ifdef WOLFSSL_SHA224 case SHA224: { ret = wc_Sha224Final(&hmac->hash.sha224, (byte*)hmac->innerHash); if (ret != 0) break; ret = wc_Sha224Update(&hmac->hash.sha224, (byte*)hmac->opad, SHA224_BLOCK_SIZE); if (ret != 0) break; ret = wc_Sha224Update(&hmac->hash.sha224, (byte*)hmac->innerHash, SHA224_DIGEST_SIZE); if (ret != 0) break; ret = wc_Sha224Final(&hmac->hash.sha224, hash); if (ret != 0) break; } break; #endif /* WOLFSSL_SHA224 */ #ifndef NO_SHA256 case SHA256: ret = wc_Sha256Final(&hmac->hash.sha256, (byte*)hmac->innerHash); if (ret != 0) break; ret = wc_Sha256Update(&hmac->hash.sha256, (byte*)hmac->opad, SHA256_BLOCK_SIZE); if (ret != 0) break; ret = wc_Sha256Update(&hmac->hash.sha256, (byte*)hmac->innerHash, SHA256_DIGEST_SIZE); if (ret != 0) break; ret = wc_Sha256Final(&hmac->hash.sha256, hash); break; #endif /* !NO_SHA256 */ #ifdef WOLFSSL_SHA512 #ifdef WOLFSSL_SHA384 case SHA384: ret = wc_Sha384Final(&hmac->hash.sha384, (byte*)hmac->innerHash); if (ret != 0) break; ret = wc_Sha384Update(&hmac->hash.sha384, (byte*)hmac->opad, SHA384_BLOCK_SIZE); if (ret != 0) break; ret = wc_Sha384Update(&hmac->hash.sha384, (byte*)hmac->innerHash, SHA384_DIGEST_SIZE); if (ret != 0) break; ret = wc_Sha384Final(&hmac->hash.sha384, hash); break; #endif /* WOLFSSL_SHA384 */ case SHA512: ret = wc_Sha512Final(&hmac->hash.sha512, (byte*)hmac->innerHash); if (ret != 0) break; ret = wc_Sha512Update(&hmac->hash.sha512, (byte*)hmac->opad, SHA512_BLOCK_SIZE); if (ret != 0) break; ret = wc_Sha512Update(&hmac->hash.sha512, (byte*)hmac->innerHash, SHA512_DIGEST_SIZE); if (ret != 0) break; ret = wc_Sha512Final(&hmac->hash.sha512, hash); break; #endif /* WOLFSSL_SHA512 */ #ifdef HAVE_BLAKE2 case BLAKE2B_ID: ret = wc_Blake2bFinal(&hmac->hash.blake2b, (byte*)hmac->innerHash, BLAKE2B_256); if (ret != 0) break; ret = wc_Blake2bUpdate(&hmac->hash.blake2b, (byte*)hmac->opad, BLAKE2B_BLOCKBYTES); if (ret != 0) break; ret = wc_Blake2bUpdate(&hmac->hash.blake2b, (byte*)hmac->innerHash, BLAKE2B_256); if (ret != 0) break; ret = wc_Blake2bFinal(&hmac->hash.blake2b, hash, BLAKE2B_256); break; #endif /* HAVE_BLAKE2 */ default: ret = BAD_FUNC_ARG; break; } if (ret == 0) { hmac->innerHashKeyed = 0; } return ret; }
int wc_HmacFinal(Hmac* hmac, byte* hash) { int ret; if (hmac == NULL || hash == NULL) { return BAD_FUNC_ARG; } #ifdef WOLF_CRYPTO_CB if (hmac->devId != INVALID_DEVID) { ret = wc_CryptoCb_Hmac(hmac, hmac->macType, NULL, 0, hash); if (ret != CRYPTOCB_UNAVAILABLE) return ret; /* fall-through when unavailable */ ret = 0; /* reset error code */ } #endif #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_HMAC) if (hmac->asyncDev.marker == WOLFSSL_ASYNC_MARKER_HMAC) { int hashLen = wc_HmacSizeByType(hmac->macType); if (hashLen <= 0) return hashLen; #if defined(HAVE_CAVIUM) return NitroxHmacFinal(hmac, hash, hashLen); #elif defined(HAVE_INTEL_QA) if (IntelQaHmacGetType(hmac->macType, NULL) == 0) { return IntelQaHmac(&hmac->asyncDev, hmac->macType, (byte*)hmac->ipad, hmac->keyLen, hash, NULL, hashLen); } #endif } #endif /* WOLFSSL_ASYNC_CRYPT */ if (!hmac->innerHashKeyed) { ret = HmacKeyInnerHash(hmac); if (ret != 0) return ret; } switch (hmac->macType) { #ifndef NO_MD5 case WC_MD5: ret = wc_Md5Final(&hmac->hash.md5, (byte*)hmac->innerHash); if (ret != 0) break; ret = wc_Md5Update(&hmac->hash.md5, (byte*)hmac->opad, WC_MD5_BLOCK_SIZE); if (ret != 0) break; ret = wc_Md5Update(&hmac->hash.md5, (byte*)hmac->innerHash, WC_MD5_DIGEST_SIZE); if (ret != 0) break; ret = wc_Md5Final(&hmac->hash.md5, hash); break; #endif /* !NO_MD5 */ #ifndef NO_SHA case WC_SHA: ret = wc_ShaFinal(&hmac->hash.sha, (byte*)hmac->innerHash); if (ret != 0) break; ret = wc_ShaUpdate(&hmac->hash.sha, (byte*)hmac->opad, WC_SHA_BLOCK_SIZE); if (ret != 0) break; ret = wc_ShaUpdate(&hmac->hash.sha, (byte*)hmac->innerHash, WC_SHA_DIGEST_SIZE); if (ret != 0) break; ret = wc_ShaFinal(&hmac->hash.sha, hash); break; #endif /* !NO_SHA */ #ifdef WOLFSSL_SHA224 case WC_SHA224: { ret = wc_Sha224Final(&hmac->hash.sha224, (byte*)hmac->innerHash); if (ret != 0) break; ret = wc_Sha224Update(&hmac->hash.sha224, (byte*)hmac->opad, WC_SHA224_BLOCK_SIZE); if (ret != 0) break; ret = wc_Sha224Update(&hmac->hash.sha224, (byte*)hmac->innerHash, WC_SHA224_DIGEST_SIZE); if (ret != 0) break; ret = wc_Sha224Final(&hmac->hash.sha224, hash); if (ret != 0) break; } break; #endif /* WOLFSSL_SHA224 */ #ifndef NO_SHA256 case WC_SHA256: ret = wc_Sha256Final(&hmac->hash.sha256, (byte*)hmac->innerHash); if (ret != 0) break; ret = wc_Sha256Update(&hmac->hash.sha256, (byte*)hmac->opad, WC_SHA256_BLOCK_SIZE); if (ret != 0) break; ret = wc_Sha256Update(&hmac->hash.sha256, (byte*)hmac->innerHash, WC_SHA256_DIGEST_SIZE); if (ret != 0) break; ret = wc_Sha256Final(&hmac->hash.sha256, hash); break; #endif /* !NO_SHA256 */ #ifdef WOLFSSL_SHA384 case WC_SHA384: ret = wc_Sha384Final(&hmac->hash.sha384, (byte*)hmac->innerHash); if (ret != 0) break; ret = wc_Sha384Update(&hmac->hash.sha384, (byte*)hmac->opad, WC_SHA384_BLOCK_SIZE); if (ret != 0) break; ret = wc_Sha384Update(&hmac->hash.sha384, (byte*)hmac->innerHash, WC_SHA384_DIGEST_SIZE); if (ret != 0) break; ret = wc_Sha384Final(&hmac->hash.sha384, hash); break; #endif /* WOLFSSL_SHA384 */ #ifdef WOLFSSL_SHA512 case WC_SHA512: ret = wc_Sha512Final(&hmac->hash.sha512, (byte*)hmac->innerHash); if (ret != 0) break; ret = wc_Sha512Update(&hmac->hash.sha512, (byte*)hmac->opad, WC_SHA512_BLOCK_SIZE); if (ret != 0) break; ret = wc_Sha512Update(&hmac->hash.sha512, (byte*)hmac->innerHash, WC_SHA512_DIGEST_SIZE); if (ret != 0) break; ret = wc_Sha512Final(&hmac->hash.sha512, hash); break; #endif /* WOLFSSL_SHA512 */ #ifdef HAVE_BLAKE2 case BLAKE2B_ID: ret = wc_Blake2bFinal(&hmac->hash.blake2b, (byte*)hmac->innerHash, BLAKE2B_256); if (ret != 0) break; ret = wc_Blake2bUpdate(&hmac->hash.blake2b, (byte*)hmac->opad, BLAKE2B_BLOCKBYTES); if (ret != 0) break; ret = wc_Blake2bUpdate(&hmac->hash.blake2b, (byte*)hmac->innerHash, BLAKE2B_256); if (ret != 0) break; ret = wc_Blake2bFinal(&hmac->hash.blake2b, hash, BLAKE2B_256); break; #endif /* HAVE_BLAKE2 */ #ifdef WOLFSSL_SHA3 #ifndef WOLFSSL_NOSHA3_224 case WC_SHA3_224: ret = wc_Sha3_224_Final(&hmac->hash.sha3, (byte*)hmac->innerHash); if (ret != 0) break; ret = wc_Sha3_224_Update(&hmac->hash.sha3, (byte*)hmac->opad, WC_SHA3_224_BLOCK_SIZE); if (ret != 0) break; ret = wc_Sha3_224_Update(&hmac->hash.sha3, (byte*)hmac->innerHash, WC_SHA3_224_DIGEST_SIZE); if (ret != 0) break; ret = wc_Sha3_224_Final(&hmac->hash.sha3, hash); break; #endif #ifndef WOLFSSL_NOSHA3_256 case WC_SHA3_256: ret = wc_Sha3_256_Final(&hmac->hash.sha3, (byte*)hmac->innerHash); if (ret != 0) break; ret = wc_Sha3_256_Update(&hmac->hash.sha3, (byte*)hmac->opad, WC_SHA3_256_BLOCK_SIZE); if (ret != 0) break; ret = wc_Sha3_256_Update(&hmac->hash.sha3, (byte*)hmac->innerHash, WC_SHA3_256_DIGEST_SIZE); if (ret != 0) break; ret = wc_Sha3_256_Final(&hmac->hash.sha3, hash); break; #endif #ifndef WOLFSSL_NOSHA3_384 case WC_SHA3_384: ret = wc_Sha3_384_Final(&hmac->hash.sha3, (byte*)hmac->innerHash); if (ret != 0) break; ret = wc_Sha3_384_Update(&hmac->hash.sha3, (byte*)hmac->opad, WC_SHA3_384_BLOCK_SIZE); if (ret != 0) break; ret = wc_Sha3_384_Update(&hmac->hash.sha3, (byte*)hmac->innerHash, WC_SHA3_384_DIGEST_SIZE); if (ret != 0) break; ret = wc_Sha3_384_Final(&hmac->hash.sha3, hash); break; #endif #ifndef WOLFSSL_NOSHA3_512 case WC_SHA3_512: ret = wc_Sha3_512_Final(&hmac->hash.sha3, (byte*)hmac->innerHash); if (ret != 0) break; ret = wc_Sha3_512_Update(&hmac->hash.sha3, (byte*)hmac->opad, WC_SHA3_512_BLOCK_SIZE); if (ret != 0) break; ret = wc_Sha3_512_Update(&hmac->hash.sha3, (byte*)hmac->innerHash, WC_SHA3_512_DIGEST_SIZE); if (ret != 0) break; ret = wc_Sha3_512_Final(&hmac->hash.sha3, hash); break; #endif #endif /* WOLFSSL_SHA3 */ default: ret = BAD_FUNC_ARG; break; } if (ret == 0) { hmac->innerHashKeyed = 0; } return ret; }