diff options
author | Kai Michaelis <[email protected]> | 2016-04-28 15:52:41 +0200 |
---|---|---|
committer | Kai Michaelis <[email protected]> | 2016-05-19 15:48:09 +0200 |
commit | 55cd86e31f94ed330c0c7a53a577750a92a2b533 (patch) | |
tree | c761b939e585471ca7d340271697edafa0fc1a11 /src/lib/kdf | |
parent | 8578e0fc758b81d176d0c5092417f4cc77676895 (diff) |
add label parameter to KDF::derive_key
Diffstat (limited to 'src/lib/kdf')
-rw-r--r-- | src/lib/kdf/hkdf/hkdf.cpp | 3 | ||||
-rw-r--r-- | src/lib/kdf/hkdf/hkdf.h | 3 | ||||
-rw-r--r-- | src/lib/kdf/kdf.h | 45 | ||||
-rw-r--r-- | src/lib/kdf/kdf1/kdf1.cpp | 3 | ||||
-rw-r--r-- | src/lib/kdf/kdf1/kdf1.h | 3 | ||||
-rw-r--r-- | src/lib/kdf/kdf2/kdf2.cpp | 3 | ||||
-rw-r--r-- | src/lib/kdf/kdf2/kdf2.h | 3 | ||||
-rw-r--r-- | src/lib/kdf/prf_tls/prf_tls.cpp | 6 | ||||
-rw-r--r-- | src/lib/kdf/prf_tls/prf_tls.h | 6 | ||||
-rw-r--r-- | src/lib/kdf/prf_x942/prf_x942.cpp | 3 | ||||
-rw-r--r-- | src/lib/kdf/prf_x942/prf_x942.h | 3 | ||||
-rw-r--r-- | src/lib/kdf/sp800_108/sp800_108.cpp | 43 | ||||
-rw-r--r-- | src/lib/kdf/sp800_108/sp800_108.h | 60 | ||||
-rw-r--r-- | src/lib/kdf/sp800_56c/sp800_56c.cpp | 7 | ||||
-rw-r--r-- | src/lib/kdf/sp800_56c/sp800_56c.h | 20 |
15 files changed, 175 insertions, 36 deletions
diff --git a/src/lib/kdf/hkdf/hkdf.cpp b/src/lib/kdf/hkdf/hkdf.cpp index 6f83853f9..b7e6db020 100644 --- a/src/lib/kdf/hkdf/hkdf.cpp +++ b/src/lib/kdf/hkdf/hkdf.cpp @@ -22,7 +22,8 @@ HKDF* HKDF::make(const Spec& spec) size_t HKDF::kdf(byte out[], size_t out_len, const byte secret[], size_t secret_len, - const byte salt[], size_t salt_len) const + const byte salt[], size_t salt_len, + const byte[], size_t) const { m_prf->set_key(secret, secret_len); diff --git a/src/lib/kdf/hkdf/hkdf.h b/src/lib/kdf/hkdf/hkdf.h index 3e3e2b73a..1dba82ee2 100644 --- a/src/lib/kdf/hkdf/hkdf.h +++ b/src/lib/kdf/hkdf/hkdf.h @@ -31,7 +31,8 @@ class BOTAN_DLL HKDF final : public KDF size_t kdf(byte out[], size_t out_len, const byte secret[], size_t secret_len, - const byte salt[], size_t salt_len) const override; + const byte salt[], size_t salt_len, + const byte label[], size_t label_len) const override; private: std::unique_ptr<MessageAuthenticationCode> m_prf; diff --git a/src/lib/kdf/kdf.h b/src/lib/kdf/kdf.h index 88b50c8b8..3c8a7a013 100644 --- a/src/lib/kdf/kdf.h +++ b/src/lib/kdf/kdf.h @@ -40,7 +40,8 @@ class BOTAN_DLL KDF virtual size_t kdf(byte key[], size_t key_len, const byte secret[], size_t secret_len, - const byte salt[], size_t salt_len) const = 0; + const byte salt[], size_t salt_len, + const byte label[], size_t label_len) const = 0; /** @@ -50,15 +51,19 @@ class BOTAN_DLL KDF * @param secret_len size of secret in bytes * @param salt a diversifier * @param salt_len size of salt in bytes + * @param label purpose for the derived keying material + * @param label_len size of label in bytes */ secure_vector<byte> derive_key(size_t key_len, const byte secret[], size_t secret_len, const byte salt[], - size_t salt_len) const + size_t salt_len, + const byte label[] = nullptr, + size_t label_len = 0) const { secure_vector<byte> key(key_len); - key.resize(kdf(key.data(), key.size(), secret, secret_len, salt, salt_len)); + key.resize(kdf(key.data(), key.size(), secret, secret_len, salt, salt_len, label, label_len)); return key; } @@ -67,14 +72,19 @@ class BOTAN_DLL KDF * @param key_len the desired output length in bytes * @param secret the secret input * @param salt a diversifier + * @param label purpose for the derived keying material */ secure_vector<byte> derive_key(size_t key_len, const secure_vector<byte>& secret, - const std::string& salt = "") const + const std::string& salt = "", + const std::string& label = "") const { return derive_key(key_len, secret.data(), secret.size(), reinterpret_cast<const byte*>(salt.data()), - salt.length()); + salt.length(), + reinterpret_cast<const byte*>(label.data()), + label.length()); + } /** @@ -82,15 +92,18 @@ class BOTAN_DLL KDF * @param key_len the desired output length in bytes * @param secret the secret input * @param salt a diversifier + * @param label purpose for the derived keying material */ - template<typename Alloc, typename Alloc2> + template<typename Alloc, typename Alloc2, typename Alloc3> secure_vector<byte> derive_key(size_t key_len, const std::vector<byte, Alloc>& secret, - const std::vector<byte, Alloc2>& salt) const + const std::vector<byte, Alloc2>& salt, + const std::vector<byte, Alloc3>& label) const { return derive_key(key_len, secret.data(), secret.size(), - salt.data(), salt.size()); + salt.data(), salt.size(), + label.data(), label.size()); } /** @@ -99,15 +112,19 @@ class BOTAN_DLL KDF * @param secret the secret input * @param salt a diversifier * @param salt_len size of salt in bytes + * @param label purpose for the derived keying material */ secure_vector<byte> derive_key(size_t key_len, const secure_vector<byte>& secret, const byte salt[], - size_t salt_len) const + size_t salt_len, + const std::string& label = "") const { return derive_key(key_len, secret.data(), secret.size(), - salt, salt_len); + salt, salt_len, + reinterpret_cast<const byte*>(label.data()), + label.size()); } /** @@ -116,15 +133,19 @@ class BOTAN_DLL KDF * @param secret the secret input * @param secret_len size of secret in bytes * @param salt a diversifier + * @param label purpose for the derived keying material */ secure_vector<byte> derive_key(size_t key_len, const byte secret[], size_t secret_len, - const std::string& salt = "") const + const std::string& salt = "", + const std::string& label = "") const { return derive_key(key_len, secret, secret_len, reinterpret_cast<const byte*>(salt.data()), - salt.length()); + salt.length(), + reinterpret_cast<const byte*>(label.data()), + label.length()); } virtual KDF* clone() const = 0; diff --git a/src/lib/kdf/kdf1/kdf1.cpp b/src/lib/kdf/kdf1/kdf1.cpp index c7ea3c37e..7d9ab7e3a 100644 --- a/src/lib/kdf/kdf1/kdf1.cpp +++ b/src/lib/kdf/kdf1/kdf1.cpp @@ -11,7 +11,8 @@ namespace Botan { size_t KDF1::kdf(byte key[], size_t key_len, const byte secret[], size_t secret_len, - const byte salt[], size_t salt_len) const + const byte salt[], size_t salt_len, + const byte[], size_t) const { m_hash->update(secret, secret_len); m_hash->update(salt, salt_len); diff --git a/src/lib/kdf/kdf1/kdf1.h b/src/lib/kdf/kdf1/kdf1.h index adaa84894..59bff4d8d 100644 --- a/src/lib/kdf/kdf1/kdf1.h +++ b/src/lib/kdf/kdf1/kdf1.h @@ -25,7 +25,8 @@ class BOTAN_DLL KDF1 final : public KDF size_t kdf(byte key[], size_t key_len, const byte secret[], size_t secret_len, - const byte salt[], size_t salt_len) const override; + const byte salt[], size_t salt_len, + const byte label[], size_t label_len) const override; explicit KDF1(HashFunction* h) : m_hash(h) {} private: diff --git a/src/lib/kdf/kdf2/kdf2.cpp b/src/lib/kdf/kdf2/kdf2.cpp index df2b7a91c..32bf678f7 100644 --- a/src/lib/kdf/kdf2/kdf2.cpp +++ b/src/lib/kdf/kdf2/kdf2.cpp @@ -11,7 +11,8 @@ namespace Botan { size_t KDF2::kdf(byte key[], size_t key_len, const byte secret[], size_t secret_len, - const byte salt[], size_t salt_len) const + const byte salt[], size_t salt_len, + const byte[], size_t) const { u32bit counter = 1; secure_vector<byte> h; diff --git a/src/lib/kdf/kdf2/kdf2.h b/src/lib/kdf/kdf2/kdf2.h index 7403df21c..600f7c91c 100644 --- a/src/lib/kdf/kdf2/kdf2.h +++ b/src/lib/kdf/kdf2/kdf2.h @@ -25,7 +25,8 @@ class BOTAN_DLL KDF2 final : public KDF size_t kdf(byte key[], size_t key_len, const byte secret[], size_t secret_len, - const byte salt[], size_t salt_len) const override; + const byte salt[], size_t salt_len, + const byte label[], size_t label_len) const override; explicit KDF2(HashFunction* h) : m_hash(h) {} private: diff --git a/src/lib/kdf/prf_tls/prf_tls.cpp b/src/lib/kdf/prf_tls/prf_tls.cpp index 547b0c9c8..f15688eba 100644 --- a/src/lib/kdf/prf_tls/prf_tls.cpp +++ b/src/lib/kdf/prf_tls/prf_tls.cpp @@ -73,7 +73,8 @@ void P_hash(byte out[], size_t out_len, size_t TLS_PRF::kdf(byte key[], size_t key_len, const byte secret[], size_t secret_len, - const byte salt[], size_t salt_len) const + const byte salt[], size_t salt_len, + const byte[], size_t) const { const size_t S1_len = (secret_len + 1) / 2, S2_len = (secret_len + 1) / 2; @@ -87,7 +88,8 @@ size_t TLS_PRF::kdf(byte key[], size_t key_len, size_t TLS_12_PRF::kdf(byte key[], size_t key_len, const byte secret[], size_t secret_len, - const byte salt[], size_t salt_len) const + const byte salt[], size_t salt_len, + const byte[], size_t) const { P_hash(key, key_len, *m_mac, secret, secret_len, salt, salt_len); return key_len; diff --git a/src/lib/kdf/prf_tls/prf_tls.h b/src/lib/kdf/prf_tls/prf_tls.h index a51006d88..37a517125 100644 --- a/src/lib/kdf/prf_tls/prf_tls.h +++ b/src/lib/kdf/prf_tls/prf_tls.h @@ -25,7 +25,8 @@ class BOTAN_DLL TLS_PRF final : public KDF size_t kdf(byte key[], size_t key_len, const byte secret[], size_t secret_len, - const byte salt[], size_t salt_len) const override; + const byte salt[], size_t salt_len, + const byte label[], size_t label_len) const override; TLS_PRF(); private: @@ -45,7 +46,8 @@ class BOTAN_DLL TLS_12_PRF final : public KDF size_t kdf(byte key[], size_t key_len, const byte secret[], size_t secret_len, - const byte salt[], size_t salt_len) const override; + const byte salt[], size_t salt_len, + const byte label[], size_t label_len) const override; explicit TLS_12_PRF(MessageAuthenticationCode* mac) : m_mac(mac) {} diff --git a/src/lib/kdf/prf_x942/prf_x942.cpp b/src/lib/kdf/prf_x942/prf_x942.cpp index fb8de1e85..3830c5775 100644 --- a/src/lib/kdf/prf_x942/prf_x942.cpp +++ b/src/lib/kdf/prf_x942/prf_x942.cpp @@ -30,7 +30,8 @@ std::vector<byte> encode_x942_int(u32bit n) size_t X942_PRF::kdf(byte key[], size_t key_len, const byte secret[], size_t secret_len, - const byte salt[], size_t salt_len) const + const byte salt[], size_t salt_len, + const byte[], size_t) const { std::unique_ptr<HashFunction> hash(HashFunction::create("SHA-160")); const OID kek_algo(m_key_wrap_oid); diff --git a/src/lib/kdf/prf_x942/prf_x942.h b/src/lib/kdf/prf_x942/prf_x942.h index c15be9845..afe56de80 100644 --- a/src/lib/kdf/prf_x942/prf_x942.h +++ b/src/lib/kdf/prf_x942/prf_x942.h @@ -24,7 +24,8 @@ class BOTAN_DLL X942_PRF final : public KDF size_t kdf(byte key[], size_t key_len, const byte secret[], size_t secret_len, - const byte salt[], size_t salt_len) const override; + const byte salt[], size_t salt_len, + const byte label[], size_t label_len) const override; explicit X942_PRF(const std::string& oid); private: diff --git a/src/lib/kdf/sp800_108/sp800_108.cpp b/src/lib/kdf/sp800_108/sp800_108.cpp index 873db814c..aafb349b2 100644 --- a/src/lib/kdf/sp800_108/sp800_108.cpp +++ b/src/lib/kdf/sp800_108/sp800_108.cpp @@ -8,6 +8,8 @@ #include <botan/sp800_108.h> #include <botan/hmac.h> +#include <iterator> + namespace Botan { SP800_108_Counter* SP800_108_Counter::make(const Spec& spec) @@ -23,13 +25,18 @@ SP800_108_Counter* SP800_108_Counter::make(const Spec& spec) size_t SP800_108_Counter::kdf(byte key[], size_t key_len, const byte secret[], size_t secret_len, - const byte salt[], size_t salt_len) const + const byte salt[], size_t salt_len, + const byte label[], size_t label_len) const { const std::size_t prf_len = m_prf->output_length(); + const byte delim = 0; byte *p = key; uint32_t counter = 1; + uint32_t length = key_len * 8; + byte be_len[4] = { 0 }; secure_vector<byte> tmp; + store_be(length, be_len); m_prf->set_key(secret, secret_len); while(p < key + key_len && counter != 0) @@ -40,7 +47,10 @@ size_t SP800_108_Counter::kdf(byte key[], size_t key_len, store_be(counter, be_cnt); m_prf->update(be_cnt,4); - m_prf->update(salt, salt_len); + m_prf->update(label,label_len); + m_prf->update(delim); + m_prf->update(salt,salt_len); + m_prf->update(be_len,4); m_prf->final(tmp); std::move(tmp.begin(), tmp.begin() + to_copy, p); @@ -68,16 +78,21 @@ SP800_108_Feedback* SP800_108_Feedback::make(const Spec& spec) size_t SP800_108_Feedback::kdf(byte key[], size_t key_len, const byte secret[], size_t secret_len, - const byte salt[], size_t salt_len) const + const byte salt[], size_t salt_len, + const byte label[], size_t label_len) const { const std::size_t prf_len = m_prf->output_length(); const std::size_t iv_len = (salt_len >= prf_len ? prf_len : 0); + const byte delim = 0; byte *p = key; uint32_t counter = 1; + uint32_t length = key_len * 8; + byte be_len[4] = { 0 }; secure_vector< byte > prev(salt, salt + iv_len); secure_vector< byte > ctx(salt + iv_len, salt + salt_len); + store_be(length, be_len); m_prf->set_key(secret, secret_len); while(p < key + key_len && counter != 0) @@ -89,7 +104,10 @@ size_t SP800_108_Feedback::kdf(byte key[], size_t key_len, m_prf->update(prev); m_prf->update(be_cnt,4); + m_prf->update(label,label_len); + m_prf->update(delim); m_prf->update(ctx); + m_prf->update(be_len,4); m_prf->final(prev); std::copy(prev.begin(), prev.begin() + to_copy, p); @@ -117,15 +135,27 @@ SP800_108_Pipeline* SP800_108_Pipeline::make(const Spec& spec) size_t SP800_108_Pipeline::kdf(byte key[], size_t key_len, const byte secret[], size_t secret_len, - const byte salt[], size_t salt_len) const + const byte salt[], size_t salt_len, + const byte label[], size_t label_len) const { const std::size_t prf_len = m_prf->output_length(); + const byte delim = 0; + byte *p = key; uint32_t counter = 1; - secure_vector<byte> ai(salt, salt + salt_len), ki; + uint32_t length = key_len * 8; + byte be_len[4] = { 0 }; + secure_vector<byte> ai, ki; + store_be(length, be_len); m_prf->set_key(secret,secret_len); + // A(0) + std::copy(label,label + label_len,std::back_inserter(ai)); + ai.emplace_back(delim); + std::copy(salt,salt + salt_len,std::back_inserter(ai)); + std::copy(be_len,be_len + 4,std::back_inserter(ai)); + while(p < key + key_len && counter != 0) { // A(i) @@ -140,7 +170,10 @@ size_t SP800_108_Pipeline::kdf(byte key[], size_t key_len, m_prf->update(ai); m_prf->update(be_cnt,4); + m_prf->update(label, label_len); + m_prf->update(delim); m_prf->update(salt, salt_len); + m_prf->update(be_len,4); m_prf->final(ki); std::copy(ki.begin(), ki.begin() + to_copy, p); diff --git a/src/lib/kdf/sp800_108/sp800_108.h b/src/lib/kdf/sp800_108/sp800_108.h index 0acdfacf9..71a918c15 100644 --- a/src/lib/kdf/sp800_108/sp800_108.h +++ b/src/lib/kdf/sp800_108/sp800_108.h @@ -23,9 +23,27 @@ class BOTAN_DLL SP800_108_Counter : public KDF KDF* clone() const override { return new SP800_108_Counter(m_prf->clone()); } + /** + * Derive a key using the SP800-108 KDF in Counter mode. + * + * The implementation hard codes the length of [L]_2 + * and [i]_2 (the value r) to 32 bits. + * + * @param key resulting keying material + * @param key_len the desired output length in bytes + * @param secret K_I + * @param secret_len size of K_I in bytes + * @param salt Context + * @param salt_len size of Context in bytes + * @param label Label + * @param label_len size of Label in bytes + * + * @throws Invalid_Argument key_len > 2^32 + */ size_t kdf(byte key[], size_t key_len, const byte secret[], size_t secret_len, - const byte salt[], size_t salt_len) const override; + const byte salt[], size_t salt_len, + const byte label[], size_t label_len) const override; SP800_108_Counter(MessageAuthenticationCode* mac) : m_prf(mac) {} @@ -44,9 +62,27 @@ class BOTAN_DLL SP800_108_Feedback : public KDF KDF* clone() const override { return new SP800_108_Feedback(m_prf->clone()); } + /** + * Derive a key using the SP800-108 KDF in Feedback mode. + * + * The implementation uses the optional counter i and hard + * codes the length of [L]_2 and [i]_2 (the value r) to 32 bits. + * + * @param key resulting keying material + * @param key_len the desired output length in bytes + * @param secret K_I + * @param secret_len size of K_I in bytes + * @param salt IV || Context + * @param salt_len size of Context plus IV in bytes + * @param label Label + * @param label_len size of Label in bytes + * + * @throws Invalid_Argument key_len > 2^32 + */ size_t kdf(byte key[], size_t key_len, const byte secret[], size_t secret_len, - const byte salt[], size_t salt_len) const override; + const byte salt[], size_t salt_len, + const byte label[], size_t label_len) const override; SP800_108_Feedback(MessageAuthenticationCode* mac) : m_prf(mac) {} @@ -65,9 +101,27 @@ class BOTAN_DLL SP800_108_Pipeline : public KDF KDF* clone() const override { return new SP800_108_Pipeline(m_prf->clone()); } + /** + * Derive a key using the SP800-108 KDF in Double Pipeline mode. + * + * The implementation uses the optional counter i and hard + * codes the length of [L]_2 and [i]_2 (the value r) to 32 bits. + * + * @param key resulting keying material + * @param key_len the desired output length in bytes + * @param secret K_I + * @param secret_len size of K_I in bytes + * @param salt Context + * @param salt_len size of Context in bytes + * @param label Label + * @param label_len size of Label in bytes + * + * @throws Invalid_Argument key_len > 2^32 + */ size_t kdf(byte key[], size_t key_len, const byte secret[], size_t secret_len, - const byte salt[], size_t salt_len) const override; + const byte salt[], size_t salt_len, + const byte label[], size_t label_len) const override; SP800_108_Pipeline(MessageAuthenticationCode* mac) : m_prf(mac) {} diff --git a/src/lib/kdf/sp800_56c/sp800_56c.cpp b/src/lib/kdf/sp800_56c/sp800_56c.cpp index 664d32b30..338feba2a 100644 --- a/src/lib/kdf/sp800_56c/sp800_56c.cpp +++ b/src/lib/kdf/sp800_56c/sp800_56c.cpp @@ -27,17 +27,18 @@ SP800_56C* SP800_56C::make(const Spec& spec) size_t SP800_56C::kdf(byte key[], size_t key_len, const byte secret[], size_t secret_len, - const byte salt[], size_t salt_len) const + const byte salt[], size_t salt_len, + const byte label[], size_t label_len) const { // Randomness Extraction - secure_vector< byte > k_dk, context; + secure_vector< byte > k_dk; m_prf->set_key(salt, salt_len); m_prf->update(secret, secret_len); m_prf->final(k_dk); // Key Expansion - m_exp->kdf(key, key_len, k_dk.data(), k_dk.size(), context.data(), context.size()); + m_exp->kdf(key, key_len, k_dk.data(), k_dk.size(), nullptr, 0, label, label_len); return key_len; } diff --git a/src/lib/kdf/sp800_56c/sp800_56c.h b/src/lib/kdf/sp800_56c/sp800_56c.h index d1b6f39b5..1281ed314 100644 --- a/src/lib/kdf/sp800_56c/sp800_56c.h +++ b/src/lib/kdf/sp800_56c/sp800_56c.h @@ -23,9 +23,27 @@ class BOTAN_DLL SP800_56C : public KDF KDF* clone() const override { return new SP800_56C(m_prf->clone(), m_exp->clone()); } + /** + * Derive a key using the SP800-56C KDF. + * + * The implementation hard codes the context value for the + * expansion step to the empty string. + * + * @param key derived keying material K_M + * @param key_len the desired output length in bytes + * @param secret shared secret Z + * @param secret_len size of Z in bytes + * @param salt salt s of the extraction step + * @param salt_len size of s in bytes + * @param label label for the expansion step + * @param label_len size of label in bytes + * + * @throws Invalid_Argument key_len > 2^32 + */ size_t kdf(byte key[], size_t key_len, const byte secret[], size_t secret_len, - const byte salt[], size_t salt_len) const override; + const byte salt[], size_t salt_len, + const byte label[], size_t label_len) const override; SP800_56C(MessageAuthenticationCode* mac, KDF* exp) : m_prf(mac), m_exp(exp) {} |