| /* |
| * Copyright 2015 The Android Open Source Project |
| * |
| * Licensed under the Apache License, Version 2.0 (the "License"); |
| * you may not use this file except in compliance with the License. |
| * You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| #include "hkdf.h" |
| |
| #include <assert.h> |
| |
| #include <new> |
| |
| #include <keymaster/android_keymaster_utils.h> |
| |
| #include "hmac.h" |
| |
| namespace keymaster { |
| |
| const size_t kSHA256HashLength = 32; |
| |
| Rfc5869HmacSha256Kdf::Rfc5869HmacSha256Kdf(Buffer& secret, Buffer& salt, Buffer& info, |
| size_t key_bytes_to_generate, keymaster_error_t* error) { |
| Rfc5869HmacSha256Kdf(secret.peek_read(), secret.available_read(), salt.peek_read(), |
| salt.available_read(), info.peek_read(), info.available_read(), |
| key_bytes_to_generate, error); |
| } |
| |
| Rfc5869HmacSha256Kdf::Rfc5869HmacSha256Kdf(const uint8_t* secret, size_t secret_len, |
| const uint8_t* salt, size_t salt_len, |
| const uint8_t* info, size_t info_len, |
| size_t key_bytes_to_generate, keymaster_error_t* error) { |
| // Step 1. Extract: PRK = HMAC-SHA256(actual_salt, secret) |
| // https://tools.ietf.org/html/rfc5869#section-2.2 |
| HmacSha256 prk_hmac; |
| bool result; |
| if (salt) { |
| result = prk_hmac.Init(salt, salt_len); |
| } else { |
| uint8_t zeros[kSHA256HashLength]; |
| // If salt is not given, HashLength zeros are used. |
| memset(zeros, 0, sizeof(zeros)); |
| result = prk_hmac.Init(zeros, sizeof(zeros)); |
| } |
| assert(result); |
| // avoid the unused variable warning if asserts are disabled. |
| (void)result; |
| |
| // |prk| is a pseudorandom key (of kSHA256HashLength octets). |
| uint8_t prk[kSHA256HashLength]; |
| assert(sizeof(prk) == prk_hmac.DigestLength()); |
| result = prk_hmac.Sign(secret, secret_len, prk, sizeof(prk)); |
| assert(result); |
| |
| // Step 2. Expand: OUTPUT = HKDF-Expand(PRK, info) |
| // https://tools.ietf.org/html/rfc5869#section-2.3 |
| const size_t n = (key_bytes_to_generate + kSHA256HashLength - 1) / kSHA256HashLength; |
| assert(n < 256u); |
| output_.reset(new (std::nothrow) uint8_t[n * kSHA256HashLength]); |
| if (!output_.get()) { |
| *error = KM_ERROR_MEMORY_ALLOCATION_FAILED; |
| return; |
| } |
| |
| uint8_t buf[kSHA256HashLength + info_len + 1]; |
| uint8_t digest[kSHA256HashLength]; |
| HmacSha256 hmac; |
| result = hmac.Init(prk, sizeof(prk)); |
| assert(result); |
| |
| for (size_t i = 1; i <= n; i++) { |
| size_t j = 0; |
| if (i != 1) { |
| memcpy(buf, digest, sizeof(digest)); |
| j = sizeof(digest); |
| } |
| memcpy(buf + j, info, info_len); |
| j += info_len; |
| buf[j++] = static_cast<uint8_t>(i); |
| result = hmac.Sign(buf, j, digest, sizeof(digest)); |
| assert(result); |
| memcpy(output_.get() + (i - 1) * sizeof(digest), digest, sizeof(digest)); |
| } |
| |
| if (key_bytes_to_generate) { |
| secret_key_len_ = key_bytes_to_generate; |
| secret_key_.reset(dup_buffer(output_.get(), key_bytes_to_generate)); |
| if (!secret_key_.get()) { |
| *error = KM_ERROR_MEMORY_ALLOCATION_FAILED; |
| return; |
| } |
| } |
| *error = KM_ERROR_OK; |
| } |
| |
| } // namespace keymaster |