1 /*
2 * Copyright 2015 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include "hkdf.h"
18
19 #include <assert.h>
20
21 #include <new>
22
23 #include <keymaster/android_keymaster_utils.h>
24
25 #include "hmac.h"
26
27 namespace keymaster {
28
29 const size_t kSHA256HashLength = 32;
30
Rfc5869HmacSha256Kdf(Buffer & secret,Buffer & salt,Buffer & info,size_t key_bytes_to_generate,keymaster_error_t * error)31 Rfc5869HmacSha256Kdf::Rfc5869HmacSha256Kdf(Buffer& secret, Buffer& salt, Buffer& info,
32 size_t key_bytes_to_generate, keymaster_error_t* error) {
33 Rfc5869HmacSha256Kdf(secret.peek_read(), secret.available_read(), salt.peek_read(),
34 salt.available_read(), info.peek_read(), info.available_read(),
35 key_bytes_to_generate, error);
36 }
37
Rfc5869HmacSha256Kdf(const uint8_t * secret,size_t secret_len,const uint8_t * salt,size_t salt_len,const uint8_t * info,size_t info_len,size_t key_bytes_to_generate,keymaster_error_t * error)38 Rfc5869HmacSha256Kdf::Rfc5869HmacSha256Kdf(const uint8_t* secret, size_t secret_len,
39 const uint8_t* salt, size_t salt_len,
40 const uint8_t* info, size_t info_len,
41 size_t key_bytes_to_generate, keymaster_error_t* error) {
42 // Step 1. Extract: PRK = HMAC-SHA256(actual_salt, secret)
43 // https://tools.ietf.org/html/rfc5869#section-2.2
44 HmacSha256 prk_hmac;
45 bool result;
46 if (salt) {
47 result = prk_hmac.Init(salt, salt_len);
48 } else {
49 uint8_t zeros[kSHA256HashLength];
50 // If salt is not given, HashLength zeros are used.
51 memset(zeros, 0, sizeof(zeros));
52 result = prk_hmac.Init(zeros, sizeof(zeros));
53 }
54 assert(result);
55 // avoid the unused variable warning if asserts are disabled.
56 (void)result;
57
58 // |prk| is a pseudorandom key (of kSHA256HashLength octets).
59 uint8_t prk[kSHA256HashLength];
60 assert(sizeof(prk) == prk_hmac.DigestLength());
61 result = prk_hmac.Sign(secret, secret_len, prk, sizeof(prk));
62 assert(result);
63
64 // Step 2. Expand: OUTPUT = HKDF-Expand(PRK, info)
65 // https://tools.ietf.org/html/rfc5869#section-2.3
66 const size_t n = (key_bytes_to_generate + kSHA256HashLength - 1) / kSHA256HashLength;
67 assert(n < 256u);
68 output_.reset(new (std::nothrow) uint8_t[n * kSHA256HashLength]);
69 if (!output_.get()) {
70 *error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
71 return;
72 }
73
74 uint8_t buf[kSHA256HashLength + info_len + 1];
75 uint8_t digest[kSHA256HashLength];
76 HmacSha256 hmac;
77 result = hmac.Init(prk, sizeof(prk));
78 assert(result);
79
80 for (size_t i = 1; i <= n; i++) {
81 size_t j = 0;
82 if (i != 1) {
83 memcpy(buf, digest, sizeof(digest));
84 j = sizeof(digest);
85 }
86 memcpy(buf + j, info, info_len);
87 j += info_len;
88 buf[j++] = static_cast<uint8_t>(i);
89 result = hmac.Sign(buf, j, digest, sizeof(digest));
90 assert(result);
91 memcpy(output_.get() + (i - 1) * sizeof(digest), digest, sizeof(digest));
92 }
93
94 if (key_bytes_to_generate) {
95 secret_key_len_ = key_bytes_to_generate;
96 secret_key_.reset(dup_buffer(output_.get(), key_bytes_to_generate));
97 if (!secret_key_.get()) {
98 *error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
99 return;
100 }
101 }
102 *error = KM_ERROR_OK;
103 }
104
105 } // namespace keymaster
106