2 * HKDF implementation -- RFC 5869
\r
4 * Copyright (C) 2016-2018, ARM Limited, All Rights Reserved
\r
5 * SPDX-License-Identifier: Apache-2.0
\r
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
\r
8 * not use this file except in compliance with the License.
\r
9 * You may obtain a copy of the License at
\r
11 * http://www.apache.org/licenses/LICENSE-2.0
\r
13 * Unless required by applicable law or agreed to in writing, software
\r
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
\r
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
\r
16 * See the License for the specific language governing permissions and
\r
17 * limitations under the License.
\r
19 * This file is part of mbed TLS (https://tls.mbed.org)
\r
21 #if !defined(MBEDTLS_CONFIG_FILE)
\r
22 #include "mbedtls/config.h"
\r
24 #include MBEDTLS_CONFIG_FILE
\r
27 #if defined(MBEDTLS_HKDF_C)
\r
30 #include "mbedtls/hkdf.h"
\r
31 #include "mbedtls/platform_util.h"
\r
33 int mbedtls_hkdf( const mbedtls_md_info_t *md, const unsigned char *salt,
\r
34 size_t salt_len, const unsigned char *ikm, size_t ikm_len,
\r
35 const unsigned char *info, size_t info_len,
\r
36 unsigned char *okm, size_t okm_len )
\r
39 unsigned char prk[MBEDTLS_MD_MAX_SIZE];
\r
41 ret = mbedtls_hkdf_extract( md, salt, salt_len, ikm, ikm_len, prk );
\r
45 ret = mbedtls_hkdf_expand( md, prk, mbedtls_md_get_size( md ),
\r
46 info, info_len, okm, okm_len );
\r
49 mbedtls_platform_zeroize( prk, sizeof( prk ) );
\r
54 int mbedtls_hkdf_extract( const mbedtls_md_info_t *md,
\r
55 const unsigned char *salt, size_t salt_len,
\r
56 const unsigned char *ikm, size_t ikm_len,
\r
57 unsigned char *prk )
\r
59 unsigned char null_salt[MBEDTLS_MD_MAX_SIZE] = { '\0' };
\r
67 return MBEDTLS_ERR_HKDF_BAD_INPUT_DATA;
\r
70 hash_len = mbedtls_md_get_size( md );
\r
74 return MBEDTLS_ERR_HKDF_BAD_INPUT_DATA;
\r
78 salt_len = hash_len;
\r
81 return( mbedtls_md_hmac( md, salt, salt_len, ikm, ikm_len, prk ) );
\r
84 int mbedtls_hkdf_expand( const mbedtls_md_info_t *md, const unsigned char *prk,
\r
85 size_t prk_len, const unsigned char *info,
\r
86 size_t info_len, unsigned char *okm, size_t okm_len )
\r
94 mbedtls_md_context_t ctx;
\r
95 unsigned char t[MBEDTLS_MD_MAX_SIZE];
\r
99 return( MBEDTLS_ERR_HKDF_BAD_INPUT_DATA );
\r
102 hash_len = mbedtls_md_get_size( md );
\r
104 if( prk_len < hash_len || hash_len == 0 )
\r
106 return( MBEDTLS_ERR_HKDF_BAD_INPUT_DATA );
\r
111 info = (const unsigned char *) "";
\r
115 n = okm_len / hash_len;
\r
117 if( (okm_len % hash_len) != 0 )
\r
123 * Per RFC 5869 Section 2.3, okm_len must not exceed
\r
124 * 255 times the hash length
\r
128 return( MBEDTLS_ERR_HKDF_BAD_INPUT_DATA );
\r
131 mbedtls_md_init( &ctx );
\r
133 if( (ret = mbedtls_md_setup( &ctx, md, 1) ) != 0 )
\r
139 * Compute T = T(1) | T(2) | T(3) | ... | T(N)
\r
140 * Where T(N) is defined in RFC 5869 Section 2.3
\r
142 for( i = 1; i <= n; i++ )
\r
144 size_t num_to_copy;
\r
145 unsigned char c = i & 0xff;
\r
147 ret = mbedtls_md_hmac_starts( &ctx, prk, prk_len );
\r
153 ret = mbedtls_md_hmac_update( &ctx, t, t_len );
\r
159 ret = mbedtls_md_hmac_update( &ctx, info, info_len );
\r
165 /* The constant concatenated to the end of each T(n) is a single octet.
\r
167 ret = mbedtls_md_hmac_update( &ctx, &c, 1 );
\r
173 ret = mbedtls_md_hmac_finish( &ctx, t );
\r
179 num_to_copy = i != n ? hash_len : okm_len - where;
\r
180 memcpy( okm + where, t, num_to_copy );
\r
186 mbedtls_md_free( &ctx );
\r
187 mbedtls_platform_zeroize( t, sizeof( t ) );
\r
192 #endif /* MBEDTLS_HKDF_C */
\r