Post-merge changes to SP 800-56A KDF (GH #1040)

Instead of using a template split the KDF into two different classes
that both call a template utility function to actually run the KDF algo.
Simplify the "empty salt" logic and avoid having to instantiate a hash
object just to get the hash block size.

1 files changed, 65 insertions, 65 deletions

diff --git a/src/lib/kdf/sp800_56a/sp800_56a.cpp b/src/lib/kdf/sp800_56a/sp800_56a.cpp
index 285cde193..8698e5bee 100644
--- a/src/lib/kdf/sp800_56a/sp800_56a.cpp
+++ b/src/lib/kdf/sp800_56a/sp800_56a.cpp
@@ -15,85 +15,85 @@ namespace Botan {
 
 namespace {
 
-const uint64_t kRepsUpperBound = (1ULL << 32);
-
-// Option1: auxiliary function is a hash function
-template<typename T>
-void Init(
-      T *t,
-      const uint8_t salt[],
-      const size_t salt_len)
-{
-   BOTAN_UNUSED(t, salt, salt_len);
-}
+template<class AuxiliaryFunction_t>
+size_t SP800_56A_kdf(
+   AuxiliaryFunction_t& auxfunc,
+   uint8_t key[], size_t key_len,
+   const uint8_t secret[], size_t secret_len,
+   const uint8_t label[], size_t label_len)
+   {
+   const uint64_t kRepsUpperBound = (1ULL << 32);
 
-// Option1: auxiliary function is a HMAC function
-template<>
-void Init<MessageAuthenticationCode>(
-      MessageAuthenticationCode *hmac_func,
-      const uint8_t salt[],
-      const size_t salt_len)
-{
-   const SCAN_Name req(hmac_func->name());
-   if(req.algo_name() != "HMAC") {
-      throw Algorithm_Not_Found("Only HMAC can be used with KDF SP800-56A");
-   }
+   const size_t digest_len = auxfunc.output_length();
 
-   if (salt_len) {
-      hmac_func->set_key(salt, salt_len);
-   } else {
-      /* 5.8.1.1: Salt shall be an all-zero string whose bit length
-         equals that specified as the length of the input block for
-         the hash function  */
-      auto hash = HashFunction::create(req.arg(0));
-      if (!hash) {
-         // Should never happen
-         throw Algorithm_Not_Found(req.arg(0));
-      }
+   const size_t reps = key_len / digest_len + ((key_len % digest_len) ? 1 : 0);
 
-      secure_vector<uint8_t> s(hash->hash_block_size(), 0);
-      hmac_func->set_key(s.data(), s.size());
-   }
-}
-}
-
-template<class AuxiliaryFunction_t>
-size_t SP800_56A<AuxiliaryFunction_t>::kdf(
-      uint8_t key[], size_t key_len,
-      const uint8_t secret[], size_t secret_len,
-      const uint8_t salt[], size_t salt_len,
-      const uint8_t label[], size_t label_len) const
-{
-
-   Init<AuxiliaryFunction_t>(m_auxfunc.get(), salt, salt_len);
-   const size_t digest_len = m_auxfunc->output_length();
-
-   size_t reps = key_len / digest_len + !!(key_len % digest_len);
-   if (reps >= kRepsUpperBound) {
+   if (reps >= kRepsUpperBound)
+      {
       // See SP-800-56A, point 5.8.1
-      throw Invalid_Argument(
-            "key_len / digest output size "
-            "can't be bigger than 2^32 - 1");
-   }
+      throw Invalid_Argument("SP800-56A KDF requested output too large");
+      }
 
    uint32_t counter = 1;
    secure_vector<uint8_t> result;
-   for(size_t i = 0; i < reps; i++) {
-      m_auxfunc->update_be(counter++);
-      m_auxfunc->update(secret, secret_len);
-      m_auxfunc->update(label, label_len);
-      m_auxfunc->final(result);
+   for(size_t i = 0; i < reps; i++)
+      {
+      auxfunc.update_be(counter++);
+      auxfunc.update(secret, secret_len);
+      auxfunc.update(label, label_len);
+      auxfunc.final(result);
 
       const size_t offset = digest_len * i;
       const size_t len = std::min(result.size(), key_len - offset);
       copy_mem(&key[offset], result.data(), len);
-   }
+      }
 
    return key_len;
+   }
+
 }
 
-/* Template initialization */
-template class SP800_56A<MessageAuthenticationCode>;
-template class SP800_56A<HashFunction>;
+size_t SP800_56A_Hash::kdf(uint8_t key[], size_t key_len,
+                           const uint8_t secret[], size_t secret_len,
+                           const uint8_t salt[], size_t salt_len,
+                           const uint8_t label[], size_t label_len) const
+   {
+   /*
+   * TODO: should we reject a non-empty salt with an exception?
+   * Ignoring the salt seems quite dangerous to applications which
+   * don't expect it.
+   */
+   BOTAN_UNUSED(salt, salt_len);
+
+   return SP800_56A_kdf(*m_hash, key, key_len, secret, secret_len, label, label_len);
+   }
+
+SP800_56A_HMAC::SP800_56A_HMAC(MessageAuthenticationCode* mac) : m_mac(mac)
+   {
+   // TODO: we need a MessageAuthenticationCode::is_hmac
+   const SCAN_Name req(m_mac->name());
+   if(req.algo_name() != "HMAC")
+      {
+      throw Algorithm_Not_Found("Only HMAC can be used with KDF SP800-56A");
+      }
+   }
+
+size_t SP800_56A_HMAC::kdf(uint8_t key[], size_t key_len,
+                           const uint8_t secret[], size_t secret_len,
+                           const uint8_t salt[], size_t salt_len,
+                           const uint8_t label[], size_t label_len) const
+   {
+   /*
+   * SP 800-56A specifies if the salt is empty then a block of zeros
+   * equal to the hash's underlying block size are used. However this
+   * is equivalent to setting a zero-length key, so the same call
+   * works for either case.
+   */
+   m_mac->set_key(salt, salt_len);
+
+   return SP800_56A_kdf(*m_mac, key, key_len, secret, secret_len, label, label_len);
+   }
+
+
 
 }