3
* (C) 2013,2015,2017 Jack Lloyd
4
* (C) 2016 René Korthaus, Rohde & Schwarz Cybersecurity
6
* Botan is released under the Simplified BSD License (see license.txt)
9
#include <botan/hkdf.h>
13
size_t HKDF::kdf(uint8_t key[], size_t key_len,
14
const uint8_t secret[], size_t secret_len,
15
const uint8_t salt[], size_t salt_len,
16
const uint8_t label[], size_t label_len) const
18
HKDF_Extract extract(m_prf->clone());
19
HKDF_Expand expand(m_prf->clone());
20
secure_vector<uint8_t> prk(m_prf->output_length());
22
extract.kdf(prk.data(), prk.size(), secret, secret_len, salt, salt_len, nullptr, 0);
23
return expand.kdf(key, key_len, prk.data(), prk.size(), nullptr, 0, label, label_len);
26
size_t HKDF_Extract::kdf(uint8_t key[], size_t key_len,
27
const uint8_t secret[], size_t secret_len,
28
const uint8_t salt[], size_t salt_len,
29
const uint8_t[], size_t) const
31
secure_vector<uint8_t> prk;
34
m_prf->set_key(std::vector<uint8_t>(m_prf->output_length()));
38
m_prf->set_key(salt, salt_len);
41
m_prf->update(secret, secret_len);
44
const size_t written = std::min(prk.size(), key_len);
45
copy_mem(&key[0], prk.data(), written);
49
size_t HKDF_Expand::kdf(uint8_t key[], size_t key_len,
50
const uint8_t secret[], size_t secret_len,
51
const uint8_t salt[], size_t salt_len,
52
const uint8_t label[], size_t label_len) const
54
m_prf->set_key(secret, secret_len);
57
secure_vector<uint8_t> h;
60
while(offset != key_len && counter != 0)
63
m_prf->update(label, label_len);
64
m_prf->update(salt, salt_len);
65
m_prf->update(counter++);
68
const size_t written = std::min(h.size(), key_len - offset);
69
copy_mem(&key[offset], h.data(), written);
76
secure_vector<uint8_t>
77
hkdf_expand_label(const std::string& hash_fn,
78
const uint8_t secret[], size_t secret_len,
79
const std::string& label,
80
const uint8_t hash_val[], size_t hash_val_len,
84
throw Invalid_Argument("HKDF-Expand-Label requested output too large");
85
if(label.size() > 0xFF)
86
throw Invalid_Argument("HKDF-Expand-Label label too long");
87
if(hash_val_len > 0xFF)
88
throw Invalid_Argument("HKDF-Expand-Label hash too long");
90
const uint16_t length16 = static_cast<uint16_t>(length);
92
auto mac = MessageAuthenticationCode::create("HMAC(" + hash_fn + ")");
94
throw Invalid_Argument("HKDF-Expand-Label with HMAC(" + hash_fn + ") not available");
96
HKDF_Expand hkdf(mac.release());
98
secure_vector<uint8_t> output(length16);
99
std::vector<uint8_t> prefix(3 + label.size() + 1);
101
prefix[0] = get_byte(0, length16);
102
prefix[1] = get_byte(1, length16);
103
prefix[2] = static_cast<uint8_t>(label.size());
105
copy_mem(prefix.data() + 3,
106
cast_char_ptr_to_uint8(label.data()),
109
prefix[3 + label.size()] = static_cast<uint8_t>(hash_val_len);
112
* We do something a little dirty here to avoid copying the hash_val,
113
* making use of the fact that Botan's KDF interface supports label+salt,
114
* and knowing that our HKDF hashes first param label then param salt.
116
hkdf.kdf(output.data(), output.size(),
118
hash_val, hash_val_len,
119
prefix.data(), prefix.size());