// This hkdf implementation (RFC5869) is based upon source code retrieved from | |
// the following location on 2016-09-22 : | |
// https://github.com/openssl/openssl/blob/master/crypto/kdf/hkdf.c | |
/* | |
* Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. | |
* | |
* Licensed under the OpenSSL license (the "License"). You may not use | |
* this file except in compliance with the License. You can obtain a copy | |
* in the file LICENSE in the source distribution or at | |
* https://www.openssl.org/source/license.html | |
*/ | |
#include <stdlib.h> | |
#include <string.h> | |
#include <openssl/hmac.h> | |
#include <openssl/evp.h> | |
#define HKDF_MAXBUF 1024 | |
unsigned char *HKDF(const EVP_MD *evp_md, | |
const unsigned char *salt, size_t salt_len, | |
const unsigned char *key, size_t key_len, | |
const unsigned char *info, size_t info_len, | |
unsigned char *okm, size_t okm_len); | |
unsigned char *HKDF_Extract(const EVP_MD *evp_md, | |
const unsigned char *salt, size_t salt_len, | |
const unsigned char *key, size_t key_len, | |
unsigned char *prk, size_t *prk_len); | |
unsigned char *HKDF_Expand(const EVP_MD *evp_md, | |
const unsigned char *prk, size_t prk_len, | |
const unsigned char *info, size_t info_len, | |
unsigned char *okm, size_t okm_len); | |
unsigned char *HKDF(const EVP_MD *evp_md, | |
const unsigned char *salt, size_t salt_len, | |
const unsigned char *key, size_t key_len, | |
const unsigned char *info, size_t info_len, | |
unsigned char *okm, size_t okm_len) | |
{ | |
unsigned char prk[EVP_MAX_MD_SIZE]; | |
size_t prk_len; | |
if (!HKDF_Extract(evp_md, salt, salt_len, key, key_len, prk, &prk_len)) | |
return NULL; | |
return HKDF_Expand(evp_md, prk, prk_len, info, info_len, okm, okm_len); | |
} | |
unsigned char *HKDF_Extract(const EVP_MD *evp_md, | |
const unsigned char *salt, size_t salt_len, | |
const unsigned char *key, size_t key_len, | |
unsigned char *prk, size_t *prk_len) | |
{ | |
unsigned int tmp_len; | |
if (!HMAC(evp_md, salt, (int)salt_len, key, key_len, prk, &tmp_len)) | |
return NULL; | |
*prk_len = tmp_len; | |
return prk; | |
} | |
unsigned char *HKDF_Expand(const EVP_MD *evp_md, | |
const unsigned char *prk, size_t prk_len, | |
const unsigned char *info, size_t info_len, | |
unsigned char *okm, size_t okm_len) | |
{ | |
#if (OPENSSL_VERSION_NUMBER < 0x10100000L) | |
HMAC_CTX hmacCtx; | |
#else | |
HMAC_CTX *hmacCtx; | |
#endif | |
unsigned int i; | |
unsigned char prev[EVP_MAX_MD_SIZE]; | |
size_t done_len = 0, dig_len = EVP_MD_size(evp_md); | |
size_t n = okm_len / dig_len; | |
if (okm_len % dig_len) | |
n++; | |
if (n > 255) | |
return NULL; | |
#if (OPENSSL_VERSION_NUMBER < 0x10100000L) | |
HMAC_CTX_init(&hmacCtx); | |
#else | |
hmacCtx = HMAC_CTX_new(); | |
if (hmacCtx == NULL) { | |
return NULL; | |
} | |
#endif | |
#if (OPENSSL_VERSION_NUMBER < 0x10100000L) | |
if (!HMAC_Init_ex(&hmacCtx, prk, (int)prk_len, evp_md, NULL)) | |
goto err; | |
for (i = 1; i <= n; i++) | |
{ | |
size_t copy_len; | |
const unsigned char ctr = (unsigned char)i; | |
// T(0) bootstraps (first iteration) as the empty string | |
// T(n) = HMAC_SHA256(PRK, T(n-1) | info | n) | |
if (i > 1) | |
{ | |
// First clean HMAC's state, leave key and hash function selection in place | |
if (!HMAC_Init_ex(&hmacCtx, NULL, 0, NULL, NULL)) | |
goto err; | |
if (!HMAC_Update(&hmacCtx, prev, dig_len)) | |
goto err; | |
} | |
if (!HMAC_Update(&hmacCtx, info, info_len)) | |
goto err; | |
if (!HMAC_Update(&hmacCtx, &ctr, 1)) | |
goto err; | |
if (!HMAC_Final(&hmacCtx, prev, NULL)) | |
goto err; | |
copy_len = (done_len + dig_len > okm_len) ? | |
okm_len - done_len : | |
dig_len; | |
memcpy(okm + done_len, prev, copy_len); | |
done_len += copy_len; | |
} | |
HMAC_CTX_cleanup(&hmacCtx); | |
return okm; | |
#else | |
if (!HMAC_Init_ex(hmacCtx, prk, (int)prk_len, evp_md, NULL)) | |
goto err; | |
for (i = 1; i <= n; i++) | |
{ | |
size_t copy_len; | |
const unsigned char ctr = (unsigned char)i; | |
// T(0) bootstraps (first iteration) as the empty string | |
// T(n) = HMAC_SHA256(PRK, T(n-1) | info | n) | |
if (i > 1) | |
{ | |
// First clean HMAC's state, leave key and hash function selection in place | |
if (!HMAC_Init_ex(hmacCtx, NULL, 0, NULL, NULL)) | |
goto err; | |
if (!HMAC_Update(hmacCtx, prev, dig_len)) | |
goto err; | |
} | |
if (!HMAC_Update(hmacCtx, info, info_len)) | |
goto err; | |
if (!HMAC_Update(hmacCtx, &ctr, 1)) | |
goto err; | |
if (!HMAC_Final(hmacCtx, prev, NULL)) | |
goto err; | |
copy_len = (done_len + dig_len > okm_len) ? | |
okm_len - done_len : | |
dig_len; | |
memcpy(okm + done_len, prev, copy_len); | |
done_len += copy_len; | |
} | |
HMAC_CTX_free(hmacCtx); | |
return okm; | |
#endif | |
err: | |
#if (OPENSSL_VERSION_NUMBER < 0x10100000L) | |
HMAC_CTX_cleanup(&hmacCtx); | |
#else | |
HMAC_CTX_free(hmacCtx); | |
#endif | |
return NULL; | |
} |