aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorJack Lloyd <[email protected]>2017-05-06 16:54:58 -0400
committerJack Lloyd <[email protected]>2017-05-06 16:54:58 -0400
commit86cc9393f6a093a48f80c01481e9496220f02c33 (patch)
tree9a8436e7770567c559ea2b423811cf6013f0e408 /src
parent2a351e58a23cf3113342ce07b3d8baa8c235c94f (diff)
Post-merge changes to SP 800-56A KDF (GH #1040)
Instead of using a template split the KDF into two different classes that both call a template utility function to actually run the KDF algo. Simplify the "empty salt" logic and avoid having to instantiate a hash object just to get the hash block size.
Diffstat (limited to 'src')
-rw-r--r--src/lib/kdf/kdf.cpp4
-rw-r--r--src/lib/kdf/sp800_56a/sp800_56a.cpp130
-rw-r--r--src/lib/kdf/sp800_56a/sp800_56a.h63
3 files changed, 120 insertions, 77 deletions
diff --git a/src/lib/kdf/kdf.cpp b/src/lib/kdf/kdf.cpp
index 695523d8e..4b55b6962 100644
--- a/src/lib/kdf/kdf.cpp
+++ b/src/lib/kdf/kdf.cpp
@@ -193,9 +193,9 @@ std::unique_ptr<KDF> KDF::create(const std::string& algo_spec,
if(req.algo_name() == "SP800-56A" && req.arg_count() == 1)
{
if(auto hash = HashFunction::create(req.arg(0)))
- return std::unique_ptr<KDF>(new SP800_56A<HashFunction>(hash.release()));
+ return std::unique_ptr<KDF>(new SP800_56A_Hash(hash.release()));
if(auto mac = MessageAuthenticationCode::create(req.arg(0)))
- return std::unique_ptr<KDF>(new SP800_56A<MessageAuthenticationCode>(mac.release()));
+ return std::unique_ptr<KDF>(new SP800_56A_HMAC(mac.release()));
}
#endif
diff --git a/src/lib/kdf/sp800_56a/sp800_56a.cpp b/src/lib/kdf/sp800_56a/sp800_56a.cpp
index 285cde193..8698e5bee 100644
--- a/src/lib/kdf/sp800_56a/sp800_56a.cpp
+++ b/src/lib/kdf/sp800_56a/sp800_56a.cpp
@@ -15,85 +15,85 @@ namespace Botan {
namespace {
-const uint64_t kRepsUpperBound = (1ULL << 32);
-
-// Option1: auxiliary function is a hash function
-template<typename T>
-void Init(
- T *t,
- const uint8_t salt[],
- const size_t salt_len)
-{
- BOTAN_UNUSED(t, salt, salt_len);
-}
+template<class AuxiliaryFunction_t>
+size_t SP800_56A_kdf(
+ AuxiliaryFunction_t& auxfunc,
+ uint8_t key[], size_t key_len,
+ const uint8_t secret[], size_t secret_len,
+ const uint8_t label[], size_t label_len)
+ {
+ const uint64_t kRepsUpperBound = (1ULL << 32);
-// Option1: auxiliary function is a HMAC function
-template<>
-void Init<MessageAuthenticationCode>(
- MessageAuthenticationCode *hmac_func,
- const uint8_t salt[],
- const size_t salt_len)
-{
- const SCAN_Name req(hmac_func->name());
- if(req.algo_name() != "HMAC") {
- throw Algorithm_Not_Found("Only HMAC can be used with KDF SP800-56A");
- }
+ const size_t digest_len = auxfunc.output_length();
- if (salt_len) {
- hmac_func->set_key(salt, salt_len);
- } else {
- /* 5.8.1.1: Salt shall be an all-zero string whose bit length
- equals that specified as the length of the input block for
- the hash function */
- auto hash = HashFunction::create(req.arg(0));
- if (!hash) {
- // Should never happen
- throw Algorithm_Not_Found(req.arg(0));
- }
+ const size_t reps = key_len / digest_len + ((key_len % digest_len) ? 1 : 0);
- secure_vector<uint8_t> s(hash->hash_block_size(), 0);
- hmac_func->set_key(s.data(), s.size());
- }
-}
-}
-
-template<class AuxiliaryFunction_t>
-size_t SP800_56A<AuxiliaryFunction_t>::kdf(
- uint8_t key[], size_t key_len,
- const uint8_t secret[], size_t secret_len,
- const uint8_t salt[], size_t salt_len,
- const uint8_t label[], size_t label_len) const
-{
-
- Init<AuxiliaryFunction_t>(m_auxfunc.get(), salt, salt_len);
- const size_t digest_len = m_auxfunc->output_length();
-
- size_t reps = key_len / digest_len + !!(key_len % digest_len);
- if (reps >= kRepsUpperBound) {
+ if (reps >= kRepsUpperBound)
+ {
// See SP-800-56A, point 5.8.1
- throw Invalid_Argument(
- "key_len / digest output size "
- "can't be bigger than 2^32 - 1");
- }
+ throw Invalid_Argument("SP800-56A KDF requested output too large");
+ }
uint32_t counter = 1;
secure_vector<uint8_t> result;
- for(size_t i = 0; i < reps; i++) {
- m_auxfunc->update_be(counter++);
- m_auxfunc->update(secret, secret_len);
- m_auxfunc->update(label, label_len);
- m_auxfunc->final(result);
+ for(size_t i = 0; i < reps; i++)
+ {
+ auxfunc.update_be(counter++);
+ auxfunc.update(secret, secret_len);
+ auxfunc.update(label, label_len);
+ auxfunc.final(result);
const size_t offset = digest_len * i;
const size_t len = std::min(result.size(), key_len - offset);
copy_mem(&key[offset], result.data(), len);
- }
+ }
return key_len;
+ }
+
}
-/* Template initialization */
-template class SP800_56A<MessageAuthenticationCode>;
-template class SP800_56A<HashFunction>;
+size_t SP800_56A_Hash::kdf(uint8_t key[], size_t key_len,
+ const uint8_t secret[], size_t secret_len,
+ const uint8_t salt[], size_t salt_len,
+ const uint8_t label[], size_t label_len) const
+ {
+ /*
+ * TODO: should we reject a non-empty salt with an exception?
+ * Ignoring the salt seems quite dangerous to applications which
+ * don't expect it.
+ */
+ BOTAN_UNUSED(salt, salt_len);
+
+ return SP800_56A_kdf(*m_hash, key, key_len, secret, secret_len, label, label_len);
+ }
+
+SP800_56A_HMAC::SP800_56A_HMAC(MessageAuthenticationCode* mac) : m_mac(mac)
+ {
+ // TODO: we need a MessageAuthenticationCode::is_hmac
+ const SCAN_Name req(m_mac->name());
+ if(req.algo_name() != "HMAC")
+ {
+ throw Algorithm_Not_Found("Only HMAC can be used with KDF SP800-56A");
+ }
+ }
+
+size_t SP800_56A_HMAC::kdf(uint8_t key[], size_t key_len,
+ const uint8_t secret[], size_t secret_len,
+ const uint8_t salt[], size_t salt_len,
+ const uint8_t label[], size_t label_len) const
+ {
+ /*
+ * SP 800-56A specifies if the salt is empty then a block of zeros
+ * equal to the hash's underlying block size are used. However this
+ * is equivalent to setting a zero-length key, so the same call
+ * works for either case.
+ */
+ m_mac->set_key(salt, salt_len);
+
+ return SP800_56A_kdf(*m_mac, key, key_len, secret, secret_len, label, label_len);
+ }
+
+
}
diff --git a/src/lib/kdf/sp800_56a/sp800_56a.h b/src/lib/kdf/sp800_56a/sp800_56a.h
index 5f00ef0b8..68257fcd3 100644
--- a/src/lib/kdf/sp800_56a/sp800_56a.h
+++ b/src/lib/kdf/sp800_56a/sp800_56a.h
@@ -10,19 +10,21 @@
#define BOTAN_SP800_56A_H__
#include <botan/kdf.h>
+#include <botan/hash.h>
+#include <botan/mac.h>
namespace Botan {
/**
- * NIST SP 800-56A KDF
+ * NIST SP 800-56A KDF using hash function
+ * @warning This KDF ignores the provided salt value
*/
-template<class AuxiliaryFunction_t>
-class BOTAN_DLL SP800_56A final : public KDF
+class BOTAN_DLL SP800_56A_Hash final : public KDF
{
public:
- std::string name() const override { return "SP800-56A(" + m_auxfunc->name() + ")"; }
+ std::string name() const override { return "SP800-56A(" + m_hash->name() + ")"; }
- KDF* clone() const override { return new SP800_56A(m_auxfunc->clone()); }
+ KDF* clone() const override { return new SP800_56A_Hash(m_hash->clone()); }
/**
* Derive a key using the SP800-56A KDF.
@@ -34,8 +36,48 @@ class BOTAN_DLL SP800_56A final : public KDF
* @param key_len the desired output length in bytes
* @param secret shared secret Z
* @param secret_len size of Z in bytes
- * @param salt salt used only if HMAC is used as a hash function
- * @param salt_len not used by an algorithm
+ * @param salt ignored
+ * @param salt_len ignored
+ * @param label label for the expansion step
+ * @param label_len size of label in bytes
+ *
+ * @throws Invalid_Argument key_len > 2^32
+ */
+ size_t kdf(uint8_t key[], size_t key_len,
+ const uint8_t secret[], size_t secret_len,
+ const uint8_t salt[], size_t salt_len,
+ const uint8_t label[], size_t label_len) const override;
+
+ /**
+ * @param hash the hash function to use as the auxiliary function
+ */
+ explicit SP800_56A_Hash(HashFunction* hash) : m_hash(hash) {}
+ private:
+ std::unique_ptr<HashFunction> m_hash;
+ };
+
+/**
+ * NIST SP 800-56A KDF using HMAC
+ */
+class BOTAN_DLL SP800_56A_HMAC final : public KDF
+ {
+ public:
+ std::string name() const override { return "SP800-56A(" + m_mac->name() + ")"; }
+
+ KDF* clone() const override { return new SP800_56A_HMAC(m_mac->clone()); }
+
+ /**
+ * Derive a key using the SP800-56A KDF.
+ *
+ * The implementation hard codes the context value for the
+ * expansion step to the empty string.
+ *
+ * @param key derived keying material K_M
+ * @param key_len the desired output length in bytes
+ * @param secret shared secret Z
+ * @param secret_len size of Z in bytes
+ * @param salt ignored
+ * @param salt_len ignored
* @param label label for the expansion step
* @param label_len size of label in bytes
*
@@ -47,12 +89,13 @@ class BOTAN_DLL SP800_56A final : public KDF
const uint8_t label[], size_t label_len) const override;
/**
- * @param auxfunc HASH or HMAC algorithm to be used as auxiliary function
+ * @param mac the HMAC to use as the auxiliary function
*/
- explicit SP800_56A(AuxiliaryFunction_t* auxfunc) : m_auxfunc(auxfunc) {}
+ explicit SP800_56A_HMAC(MessageAuthenticationCode* mac);
private:
- std::unique_ptr<AuxiliaryFunction_t> m_auxfunc;
+ std::unique_ptr<MessageAuthenticationCode> m_mac;
};
+
}
#endif