diff options
author | Jack Lloyd <[email protected]> | 2017-05-06 16:54:58 -0400 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2017-05-06 16:54:58 -0400 |
commit | 86cc9393f6a093a48f80c01481e9496220f02c33 (patch) | |
tree | 9a8436e7770567c559ea2b423811cf6013f0e408 /src | |
parent | 2a351e58a23cf3113342ce07b3d8baa8c235c94f (diff) |
Post-merge changes to SP 800-56A KDF (GH #1040)
Instead of using a template split the KDF into two different classes
that both call a template utility function to actually run the KDF algo.
Simplify the "empty salt" logic and avoid having to instantiate a hash
object just to get the hash block size.
Diffstat (limited to 'src')
-rw-r--r-- | src/lib/kdf/kdf.cpp | 4 | ||||
-rw-r--r-- | src/lib/kdf/sp800_56a/sp800_56a.cpp | 130 | ||||
-rw-r--r-- | src/lib/kdf/sp800_56a/sp800_56a.h | 63 |
3 files changed, 120 insertions, 77 deletions
diff --git a/src/lib/kdf/kdf.cpp b/src/lib/kdf/kdf.cpp index 695523d8e..4b55b6962 100644 --- a/src/lib/kdf/kdf.cpp +++ b/src/lib/kdf/kdf.cpp @@ -193,9 +193,9 @@ std::unique_ptr<KDF> KDF::create(const std::string& algo_spec, if(req.algo_name() == "SP800-56A" && req.arg_count() == 1) { if(auto hash = HashFunction::create(req.arg(0))) - return std::unique_ptr<KDF>(new SP800_56A<HashFunction>(hash.release())); + return std::unique_ptr<KDF>(new SP800_56A_Hash(hash.release())); if(auto mac = MessageAuthenticationCode::create(req.arg(0))) - return std::unique_ptr<KDF>(new SP800_56A<MessageAuthenticationCode>(mac.release())); + return std::unique_ptr<KDF>(new SP800_56A_HMAC(mac.release())); } #endif diff --git a/src/lib/kdf/sp800_56a/sp800_56a.cpp b/src/lib/kdf/sp800_56a/sp800_56a.cpp index 285cde193..8698e5bee 100644 --- a/src/lib/kdf/sp800_56a/sp800_56a.cpp +++ b/src/lib/kdf/sp800_56a/sp800_56a.cpp @@ -15,85 +15,85 @@ namespace Botan { namespace { -const uint64_t kRepsUpperBound = (1ULL << 32); - -// Option1: auxiliary function is a hash function -template<typename T> -void Init( - T *t, - const uint8_t salt[], - const size_t salt_len) -{ - BOTAN_UNUSED(t, salt, salt_len); -} +template<class AuxiliaryFunction_t> +size_t SP800_56A_kdf( + AuxiliaryFunction_t& auxfunc, + uint8_t key[], size_t key_len, + const uint8_t secret[], size_t secret_len, + const uint8_t label[], size_t label_len) + { + const uint64_t kRepsUpperBound = (1ULL << 32); -// Option1: auxiliary function is a HMAC function -template<> -void Init<MessageAuthenticationCode>( - MessageAuthenticationCode *hmac_func, - const uint8_t salt[], - const size_t salt_len) -{ - const SCAN_Name req(hmac_func->name()); - if(req.algo_name() != "HMAC") { - throw Algorithm_Not_Found("Only HMAC can be used with KDF SP800-56A"); - } + const size_t digest_len = auxfunc.output_length(); - if (salt_len) { - hmac_func->set_key(salt, salt_len); - } else { - /* 5.8.1.1: Salt shall be an all-zero string whose bit length - equals that specified as the length of the input block for - the hash function */ - auto hash = HashFunction::create(req.arg(0)); - if (!hash) { - // Should never happen - throw Algorithm_Not_Found(req.arg(0)); - } + const size_t reps = key_len / digest_len + ((key_len % digest_len) ? 1 : 0); - secure_vector<uint8_t> s(hash->hash_block_size(), 0); - hmac_func->set_key(s.data(), s.size()); - } -} -} - -template<class AuxiliaryFunction_t> -size_t SP800_56A<AuxiliaryFunction_t>::kdf( - uint8_t key[], size_t key_len, - const uint8_t secret[], size_t secret_len, - const uint8_t salt[], size_t salt_len, - const uint8_t label[], size_t label_len) const -{ - - Init<AuxiliaryFunction_t>(m_auxfunc.get(), salt, salt_len); - const size_t digest_len = m_auxfunc->output_length(); - - size_t reps = key_len / digest_len + !!(key_len % digest_len); - if (reps >= kRepsUpperBound) { + if (reps >= kRepsUpperBound) + { // See SP-800-56A, point 5.8.1 - throw Invalid_Argument( - "key_len / digest output size " - "can't be bigger than 2^32 - 1"); - } + throw Invalid_Argument("SP800-56A KDF requested output too large"); + } uint32_t counter = 1; secure_vector<uint8_t> result; - for(size_t i = 0; i < reps; i++) { - m_auxfunc->update_be(counter++); - m_auxfunc->update(secret, secret_len); - m_auxfunc->update(label, label_len); - m_auxfunc->final(result); + for(size_t i = 0; i < reps; i++) + { + auxfunc.update_be(counter++); + auxfunc.update(secret, secret_len); + auxfunc.update(label, label_len); + auxfunc.final(result); const size_t offset = digest_len * i; const size_t len = std::min(result.size(), key_len - offset); copy_mem(&key[offset], result.data(), len); - } + } return key_len; + } + } -/* Template initialization */ -template class SP800_56A<MessageAuthenticationCode>; -template class SP800_56A<HashFunction>; +size_t SP800_56A_Hash::kdf(uint8_t key[], size_t key_len, + const uint8_t secret[], size_t secret_len, + const uint8_t salt[], size_t salt_len, + const uint8_t label[], size_t label_len) const + { + /* + * TODO: should we reject a non-empty salt with an exception? + * Ignoring the salt seems quite dangerous to applications which + * don't expect it. + */ + BOTAN_UNUSED(salt, salt_len); + + return SP800_56A_kdf(*m_hash, key, key_len, secret, secret_len, label, label_len); + } + +SP800_56A_HMAC::SP800_56A_HMAC(MessageAuthenticationCode* mac) : m_mac(mac) + { + // TODO: we need a MessageAuthenticationCode::is_hmac + const SCAN_Name req(m_mac->name()); + if(req.algo_name() != "HMAC") + { + throw Algorithm_Not_Found("Only HMAC can be used with KDF SP800-56A"); + } + } + +size_t SP800_56A_HMAC::kdf(uint8_t key[], size_t key_len, + const uint8_t secret[], size_t secret_len, + const uint8_t salt[], size_t salt_len, + const uint8_t label[], size_t label_len) const + { + /* + * SP 800-56A specifies if the salt is empty then a block of zeros + * equal to the hash's underlying block size are used. However this + * is equivalent to setting a zero-length key, so the same call + * works for either case. + */ + m_mac->set_key(salt, salt_len); + + return SP800_56A_kdf(*m_mac, key, key_len, secret, secret_len, label, label_len); + } + + } diff --git a/src/lib/kdf/sp800_56a/sp800_56a.h b/src/lib/kdf/sp800_56a/sp800_56a.h index 5f00ef0b8..68257fcd3 100644 --- a/src/lib/kdf/sp800_56a/sp800_56a.h +++ b/src/lib/kdf/sp800_56a/sp800_56a.h @@ -10,19 +10,21 @@ #define BOTAN_SP800_56A_H__ #include <botan/kdf.h> +#include <botan/hash.h> +#include <botan/mac.h> namespace Botan { /** - * NIST SP 800-56A KDF + * NIST SP 800-56A KDF using hash function + * @warning This KDF ignores the provided salt value */ -template<class AuxiliaryFunction_t> -class BOTAN_DLL SP800_56A final : public KDF +class BOTAN_DLL SP800_56A_Hash final : public KDF { public: - std::string name() const override { return "SP800-56A(" + m_auxfunc->name() + ")"; } + std::string name() const override { return "SP800-56A(" + m_hash->name() + ")"; } - KDF* clone() const override { return new SP800_56A(m_auxfunc->clone()); } + KDF* clone() const override { return new SP800_56A_Hash(m_hash->clone()); } /** * Derive a key using the SP800-56A KDF. @@ -34,8 +36,48 @@ class BOTAN_DLL SP800_56A final : public KDF * @param key_len the desired output length in bytes * @param secret shared secret Z * @param secret_len size of Z in bytes - * @param salt salt used only if HMAC is used as a hash function - * @param salt_len not used by an algorithm + * @param salt ignored + * @param salt_len ignored + * @param label label for the expansion step + * @param label_len size of label in bytes + * + * @throws Invalid_Argument key_len > 2^32 + */ + size_t kdf(uint8_t key[], size_t key_len, + const uint8_t secret[], size_t secret_len, + const uint8_t salt[], size_t salt_len, + const uint8_t label[], size_t label_len) const override; + + /** + * @param hash the hash function to use as the auxiliary function + */ + explicit SP800_56A_Hash(HashFunction* hash) : m_hash(hash) {} + private: + std::unique_ptr<HashFunction> m_hash; + }; + +/** + * NIST SP 800-56A KDF using HMAC + */ +class BOTAN_DLL SP800_56A_HMAC final : public KDF + { + public: + std::string name() const override { return "SP800-56A(" + m_mac->name() + ")"; } + + KDF* clone() const override { return new SP800_56A_HMAC(m_mac->clone()); } + + /** + * Derive a key using the SP800-56A KDF. + * + * The implementation hard codes the context value for the + * expansion step to the empty string. + * + * @param key derived keying material K_M + * @param key_len the desired output length in bytes + * @param secret shared secret Z + * @param secret_len size of Z in bytes + * @param salt ignored + * @param salt_len ignored * @param label label for the expansion step * @param label_len size of label in bytes * @@ -47,12 +89,13 @@ class BOTAN_DLL SP800_56A final : public KDF const uint8_t label[], size_t label_len) const override; /** - * @param auxfunc HASH or HMAC algorithm to be used as auxiliary function + * @param mac the HMAC to use as the auxiliary function */ - explicit SP800_56A(AuxiliaryFunction_t* auxfunc) : m_auxfunc(auxfunc) {} + explicit SP800_56A_HMAC(MessageAuthenticationCode* mac); private: - std::unique_ptr<AuxiliaryFunction_t> m_auxfunc; + std::unique_ptr<MessageAuthenticationCode> m_mac; }; + } #endif |