Merge GH #1040 Add SP800-56A KDF

3 files changed, 164 insertions, 0 deletions

diff --git a/src/lib/kdf/sp800_56a/info.txt b/src/lib/kdf/sp800_56a/info.txt
new file mode 100644
index 000000000..d8ef51673
--- /dev/null
+++ b/src/lib/kdf/sp800_56a/info.txt
@@ -0,0 +1,7 @@
+<defines>
+SP800_56A -> 20170501
+</defines>
+
+<requires>
+hmac
+</requires>
diff --git a/src/lib/kdf/sp800_56a/sp800_56a.cpp b/src/lib/kdf/sp800_56a/sp800_56a.cpp
new file mode 100644
index 000000000..285cde193
--- /dev/null
+++ b/src/lib/kdf/sp800_56a/sp800_56a.cpp
@@ -0,0 +1,99 @@
+/*
+* KDF defined in NIST SP 800-56a (Approved Alternative 1)
+*
+* (C) 2017 Ribose Inc. Written by Krzysztof Kwiatkowski.
+*
+* Botan is released under the Simplified BSD License (see license.txt)
+*/
+
+#include <botan/sp800_56a.h>
+#include <botan/hmac.h>
+#include <botan/scan_name.h>
+#include <botan/exceptn.h>
+
+namespace Botan {
+
+namespace {
+
+const uint64_t kRepsUpperBound = (1ULL << 32);
+
+// Option1: auxiliary function is a hash function
+template<typename T>
+void Init(
+      T *t,
+      const uint8_t salt[],
+      const size_t salt_len)
+{
+   BOTAN_UNUSED(t, salt, salt_len);
+}
+
+// Option1: auxiliary function is a HMAC function
+template<>
+void Init<MessageAuthenticationCode>(
+      MessageAuthenticationCode *hmac_func,
+      const uint8_t salt[],
+      const size_t salt_len)
+{
+   const SCAN_Name req(hmac_func->name());
+   if(req.algo_name() != "HMAC") {
+      throw Algorithm_Not_Found("Only HMAC can be used with KDF SP800-56A");
+   }
+
+   if (salt_len) {
+      hmac_func->set_key(salt, salt_len);
+   } else {
+      /* 5.8.1.1: Salt shall be an all-zero string whose bit length
+         equals that specified as the length of the input block for
+         the hash function  */
+      auto hash = HashFunction::create(req.arg(0));
+      if (!hash) {
+         // Should never happen
+         throw Algorithm_Not_Found(req.arg(0));
+      }
+
+      secure_vector<uint8_t> s(hash->hash_block_size(), 0);
+      hmac_func->set_key(s.data(), s.size());
+   }
+}
+}
+
+template<class AuxiliaryFunction_t>
+size_t SP800_56A<AuxiliaryFunction_t>::kdf(
+      uint8_t key[], size_t key_len,
+      const uint8_t secret[], size_t secret_len,
+      const uint8_t salt[], size_t salt_len,
+      const uint8_t label[], size_t label_len) const
+{
+
+   Init<AuxiliaryFunction_t>(m_auxfunc.get(), salt, salt_len);
+   const size_t digest_len = m_auxfunc->output_length();
+
+   size_t reps = key_len / digest_len + !!(key_len % digest_len);
+   if (reps >= kRepsUpperBound) {
+      // See SP-800-56A, point 5.8.1
+      throw Invalid_Argument(
+            "key_len / digest output size "
+            "can't be bigger than 2^32 - 1");
+   }
+
+   uint32_t counter = 1;
+   secure_vector<uint8_t> result;
+   for(size_t i = 0; i < reps; i++) {
+      m_auxfunc->update_be(counter++);
+      m_auxfunc->update(secret, secret_len);
+      m_auxfunc->update(label, label_len);
+      m_auxfunc->final(result);
+
+      const size_t offset = digest_len * i;
+      const size_t len = std::min(result.size(), key_len - offset);
+      copy_mem(&key[offset], result.data(), len);
+   }
+
+   return key_len;
+}
+
+/* Template initialization */
+template class SP800_56A<MessageAuthenticationCode>;
+template class SP800_56A<HashFunction>;
+
+}
diff --git a/src/lib/kdf/sp800_56a/sp800_56a.h b/src/lib/kdf/sp800_56a/sp800_56a.h
new file mode 100644
index 000000000..5f00ef0b8
--- /dev/null
+++ b/src/lib/kdf/sp800_56a/sp800_56a.h
@@ -0,0 +1,58 @@
+/*
+* KDF defined in NIST SP 800-56a revision 2 (Single-step key-derivation function)
+*
+* (C) 2017 Ribose Inc. Written by Krzysztof Kwiatkowski.
+*
+* Botan is released under the Simplified BSD License (see license.txt)
+*/
+
+#ifndef BOTAN_SP800_56A_H__
+#define BOTAN_SP800_56A_H__
+
+#include <botan/kdf.h>
+
+namespace Botan {
+
+/**
+ * NIST SP 800-56A KDF
+ */
+template<class AuxiliaryFunction_t>
+class BOTAN_DLL SP800_56A final : public KDF
+   {
+   public:
+      std::string name() const override { return "SP800-56A(" + m_auxfunc->name() + ")"; }
+
+      KDF* clone() const override { return new SP800_56A(m_auxfunc->clone()); }
+
+      /**
+      * Derive a key using the SP800-56A KDF.
+      *
+      * The implementation hard codes the context value for the
+      * expansion step to the empty string.
+      *
+      * @param key derived keying material K_M
+      * @param key_len the desired output length in bytes
+      * @param secret shared secret Z
+      * @param secret_len size of Z in bytes
+      * @param salt salt used only if HMAC is used as a hash function
+      * @param salt_len not used by an algorithm
+      * @param label label for the expansion step
+      * @param label_len size of label in bytes
+      *
+      * @throws Invalid_Argument key_len > 2^32 or MAC is not a HMAC
+      */
+      size_t kdf(uint8_t key[], size_t key_len,
+                 const uint8_t secret[], size_t secret_len,
+                 const uint8_t salt[], size_t salt_len,
+                 const uint8_t label[], size_t label_len) const override;
+
+      /**
+      * @param auxfunc HASH or HMAC algorithm to be used as auxiliary function
+      */
+      explicit SP800_56A(AuxiliaryFunction_t* auxfunc) : m_auxfunc(auxfunc) {}
+   private:
+      std::unique_ptr<AuxiliaryFunction_t> m_auxfunc;
+   };
+}
+
+#endif