Post-merge changes to SP 800-56A KDF (GH #1040)

Instead of using a template split the KDF into two different classes
that both call a template utility function to actually run the KDF algo.
Simplify the "empty salt" logic and avoid having to instantiate a hash
object just to get the hash block size.

3 files changed, 120 insertions, 77 deletions

diff --git a/src/lib/kdf/kdf.cpp b/src/lib/kdf/kdf.cpp
index 695523d8e..4b55b6962 100644
--- a/src/lib/kdf/kdf.cpp
+++ b/src/lib/kdf/kdf.cpp
@@ -193,9 +193,9 @@ std::unique_ptr<KDF> KDF::create(const std::string& algo_spec,
    if(req.algo_name() == "SP800-56A" && req.arg_count() == 1)
       {
       if(auto hash = HashFunction::create(req.arg(0)))
-         return std::unique_ptr<KDF>(new SP800_56A<HashFunction>(hash.release()));
+         return std::unique_ptr<KDF>(new SP800_56A_Hash(hash.release()));
       if(auto mac = MessageAuthenticationCode::create(req.arg(0)))
-         return std::unique_ptr<KDF>(new SP800_56A<MessageAuthenticationCode>(mac.release()));
+         return std::unique_ptr<KDF>(new SP800_56A_HMAC(mac.release()));
       }
 #endif
 
diff --git a/src/lib/kdf/sp800_56a/sp800_56a.cpp b/src/lib/kdf/sp800_56a/sp800_56a.cpp
index 285cde193..8698e5bee 100644
--- a/src/lib/kdf/sp800_56a/sp800_56a.cpp
+++ b/src/lib/kdf/sp800_56a/sp800_56a.cpp
@@ -15,85 +15,85 @@ namespace Botan {
 
 namespace {
 
-const uint64_t kRepsUpperBound = (1ULL << 32);
-
-// Option1: auxiliary function is a hash function
-template<typename T>
-void Init(
-      T *t,
-      const uint8_t salt[],
-      const size_t salt_len)
-{
-   BOTAN_UNUSED(t, salt, salt_len);
-}
+template<class AuxiliaryFunction_t>
+size_t SP800_56A_kdf(
+   AuxiliaryFunction_t& auxfunc,
+   uint8_t key[], size_t key_len,
+   const uint8_t secret[], size_t secret_len,
+   const uint8_t label[], size_t label_len)
+   {
+   const uint64_t kRepsUpperBound = (1ULL << 32);
 
-// Option1: auxiliary function is a HMAC function
-template<>
-void Init<MessageAuthenticationCode>(
-      MessageAuthenticationCode *hmac_func,
-      const uint8_t salt[],
-      const size_t salt_len)
-{
-   const SCAN_Name req(hmac_func->name());
-   if(req.algo_name() != "HMAC") {
-      throw Algorithm_Not_Found("Only HMAC can be used with KDF SP800-56A");
-   }
+   const size_t digest_len = auxfunc.output_length();
 
-   if (salt_len) {
-      hmac_func->set_key(salt, salt_len);
-   } else {
-      /* 5.8.1.1: Salt shall be an all-zero string whose bit length
-         equals that specified as the length of the input block for
-         the hash function  */
-      auto hash = HashFunction::create(req.arg(0));
-      if (!hash) {
-         // Should never happen
-         throw Algorithm_Not_Found(req.arg(0));
-      }
+   const size_t reps = key_len / digest_len + ((key_len % digest_len) ? 1 : 0);
 
-      secure_vector<uint8_t> s(hash->hash_block_size(), 0);
-      hmac_func->set_key(s.data(), s.size());
-   }
-}
-}
-
-template<class AuxiliaryFunction_t>
-size_t SP800_56A<AuxiliaryFunction_t>::kdf(
-      uint8_t key[], size_t key_len,
-      const uint8_t secret[], size_t secret_len,
-      const uint8_t salt[], size_t salt_len,
-      const uint8_t label[], size_t label_len) const
-{
-
-   Init<AuxiliaryFunction_t>(m_auxfunc.get(), salt, salt_len);
-   const size_t digest_len = m_auxfunc->output_length();
-
-   size_t reps = key_len / digest_len + !!(key_len % digest_len);
-   if (reps >= kRepsUpperBound) {
+   if (reps >= kRepsUpperBound)
+      {
       // See SP-800-56A, point 5.8.1
-      throw Invalid_Argument(
-            "key_len / digest output size "
-            "can't be bigger than 2^32 - 1");
-   }
+      throw Invalid_Argument("SP800-56A KDF requested output too large");
+      }
 
    uint32_t counter = 1;
    secure_vector<uint8_t> result;
-   for(size_t i = 0; i < reps; i++) {
-      m_auxfunc->update_be(counter++);
-      m_auxfunc->update(secret, secret_len);
-      m_auxfunc->update(label, label_len);
-      m_auxfunc->final(result);
+   for(size_t i = 0; i < reps; i++)
+      {
+      auxfunc.update_be(counter++);
+      auxfunc.update(secret, secret_len);
+      auxfunc.update(label, label_len);
+      auxfunc.final(result);
 
       const size_t offset = digest_len * i;
       const size_t len = std::min(result.size(), key_len - offset);
       copy_mem(&key[offset], result.data(), len);
-   }
+      }
 
    return key_len;
+   }
+
 }
 
-/* Template initialization */
-template class SP800_56A<MessageAuthenticationCode>;
-template class SP800_56A<HashFunction>;
+size_t SP800_56A_Hash::kdf(uint8_t key[], size_t key_len,
+                           const uint8_t secret[], size_t secret_len,
+                           const uint8_t salt[], size_t salt_len,
+                           const uint8_t label[], size_t label_len) const
+   {
+   /*
+   * TODO: should we reject a non-empty salt with an exception?
+   * Ignoring the salt seems quite dangerous to applications which
+   * don't expect it.
+   */
+   BOTAN_UNUSED(salt, salt_len);
+
+   return SP800_56A_kdf(*m_hash, key, key_len, secret, secret_len, label, label_len);
+   }
+
+SP800_56A_HMAC::SP800_56A_HMAC(MessageAuthenticationCode* mac) : m_mac(mac)
+   {
+   // TODO: we need a MessageAuthenticationCode::is_hmac
+   const SCAN_Name req(m_mac->name());
+   if(req.algo_name() != "HMAC")
+      {
+      throw Algorithm_Not_Found("Only HMAC can be used with KDF SP800-56A");
+      }
+   }
+
+size_t SP800_56A_HMAC::kdf(uint8_t key[], size_t key_len,
+                           const uint8_t secret[], size_t secret_len,
+                           const uint8_t salt[], size_t salt_len,
+                           const uint8_t label[], size_t label_len) const
+   {
+   /*
+   * SP 800-56A specifies if the salt is empty then a block of zeros
+   * equal to the hash's underlying block size are used. However this
+   * is equivalent to setting a zero-length key, so the same call
+   * works for either case.
+   */
+   m_mac->set_key(salt, salt_len);
+
+   return SP800_56A_kdf(*m_mac, key, key_len, secret, secret_len, label, label_len);
+   }
+
+
 
 }
diff --git a/src/lib/kdf/sp800_56a/sp800_56a.h b/src/lib/kdf/sp800_56a/sp800_56a.h
index 5f00ef0b8..68257fcd3 100644
--- a/src/lib/kdf/sp800_56a/sp800_56a.h
+++ b/src/lib/kdf/sp800_56a/sp800_56a.h
@@ -10,19 +10,21 @@
 #define BOTAN_SP800_56A_H__
 
 #include <botan/kdf.h>
+#include <botan/hash.h>
+#include <botan/mac.h>
 
 namespace Botan {
 
 /**
- * NIST SP 800-56A KDF
+ * NIST SP 800-56A KDF using hash function
+ * @warning This KDF ignores the provided salt value
  */
-template<class AuxiliaryFunction_t>
-class BOTAN_DLL SP800_56A final : public KDF
+class BOTAN_DLL SP800_56A_Hash final : public KDF
    {
    public:
-      std::string name() const override { return "SP800-56A(" + m_auxfunc->name() + ")"; }
+      std::string name() const override { return "SP800-56A(" + m_hash->name() + ")"; }
 
-      KDF* clone() const override { return new SP800_56A(m_auxfunc->clone()); }
+      KDF* clone() const override { return new SP800_56A_Hash(m_hash->clone()); }
 
       /**
       * Derive a key using the SP800-56A KDF.
@@ -34,8 +36,48 @@ class BOTAN_DLL SP800_56A final : public KDF
       * @param key_len the desired output length in bytes
       * @param secret shared secret Z
       * @param secret_len size of Z in bytes
-      * @param salt salt used only if HMAC is used as a hash function
-      * @param salt_len not used by an algorithm
+      * @param salt ignored
+      * @param salt_len ignored
+      * @param label label for the expansion step
+      * @param label_len size of label in bytes
+      *
+      * @throws Invalid_Argument key_len > 2^32
+      */
+      size_t kdf(uint8_t key[], size_t key_len,
+                 const uint8_t secret[], size_t secret_len,
+                 const uint8_t salt[], size_t salt_len,
+                 const uint8_t label[], size_t label_len) const override;
+
+      /**
+      * @param hash the hash function to use as the auxiliary function
+      */
+      explicit SP800_56A_Hash(HashFunction* hash) : m_hash(hash) {}
+   private:
+      std::unique_ptr<HashFunction> m_hash;
+   };
+
+/**
+ * NIST SP 800-56A KDF using HMAC
+ */
+class BOTAN_DLL SP800_56A_HMAC final : public KDF
+   {
+   public:
+      std::string name() const override { return "SP800-56A(" + m_mac->name() + ")"; }
+
+      KDF* clone() const override { return new SP800_56A_HMAC(m_mac->clone()); }
+
+      /**
+      * Derive a key using the SP800-56A KDF.
+      *
+      * The implementation hard codes the context value for the
+      * expansion step to the empty string.
+      *
+      * @param key derived keying material K_M
+      * @param key_len the desired output length in bytes
+      * @param secret shared secret Z
+      * @param secret_len size of Z in bytes
+      * @param salt ignored
+      * @param salt_len ignored
       * @param label label for the expansion step
       * @param label_len size of label in bytes
       *
@@ -47,12 +89,13 @@ class BOTAN_DLL SP800_56A final : public KDF
                  const uint8_t label[], size_t label_len) const override;
 
       /**
-      * @param auxfunc HASH or HMAC algorithm to be used as auxiliary function
+      * @param mac the HMAC to use as the auxiliary function
       */
-      explicit SP800_56A(AuxiliaryFunction_t* auxfunc) : m_auxfunc(auxfunc) {}
+      explicit SP800_56A_HMAC(MessageAuthenticationCode* mac);
    private:
-      std::unique_ptr<AuxiliaryFunction_t> m_auxfunc;
+      std::unique_ptr<MessageAuthenticationCode> m_mac;
    };
+
 }
 
 #endif