feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Restore the HKDF code to hmac.c. For compatibility between FIPS builds.

Browse Source
This commit is contained in:
John Safranek
2021-04-02 13:57:52 -07:00
parent 0a210bcc1d
commit d40e9f78cd
8 changed files with 213 additions and 338 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
src/include.am
View File

@ -218,6 +218,8 @@ src_libwolfssl_la_SOURCES += \
wolfcrypt/src/random.c \
wolfcrypt/src/sha256.c
src_libwolfssl_la_SOURCES += wolfcrypt/src/kdf.c
if BUILD_RSA
src_libwolfssl_la_SOURCES += wolfcrypt/src/rsa.c
endif
@ -275,7 +277,6 @@ if BUILD_CMAC
src_libwolfssl_la_SOURCES += wolfcrypt/src/cmac.c
endif
src_libwolfssl_la_SOURCES += wolfcrypt/src/kdf.c
src_libwolfssl_la_SOURCES += wolfcrypt/src/fips.c \
wolfcrypt/src/fips_test.c
@ -294,7 +295,6 @@ if !BUILD_FIPS_RAND
# CtaoCrypt files included above.
if !BUILD_FIPS_CURRENT
src_libwolfssl_la_SOURCES += wolfcrypt/src/hmac.c
src_libwolfssl_la_SOURCES += wolfcrypt/src/kdf.c
endif !BUILD_FIPS_CURRENT
# CAVP self test
@ -310,6 +310,10 @@ src_libwolfssl_la_SOURCES += \
if !BUILD_FIPS_RAND
if !BUILD_FIPS_V5
src_libwolfssl_la_SOURCES += wolfcrypt/src/kdf.c
endif !BUILD_FIPS_V5
if !BUILD_FIPS_CURRENT
if BUILD_RNG
src_libwolfssl_la_SOURCES += wolfcrypt/src/random.c

141
src/tls13.c
View File

@ -140,147 +140,6 @@
*/
#define ERROR_OUT(err, eLabel) { ret = (err); goto eLabel; }
#if (defined(HAVE_FIPS) && \
(!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 4))) || \
defined(HAVE_SELFTEST)
enum {
/*
MAX_HKDF_LABEL_SZ = OPAQUE16_LEN +
OPAQUE8_LEN + PROTOCOL_LABEL_SZ + MAX_LABEL_SZ +
OPAQUE8_LEN + WC_MAX_DIGEST_SIZE
*/
MAX_TLS13_HKDF_LABEL_SZ = 47 + WC_MAX_DIGEST_SIZE
};
/* Extract data using HMAC, salt and input.
* RFC 5869 - HMAC-based Extract-and-Expand Key Derivation Function (HKDF)
*
* prk The generated pseudorandom key.
* salt The salt.
* saltLen The length of the salt.
* ikm The input keying material.
* ikmLen The length of the input keying material.
* digest The type of digest to use.
* returns 0 on success, otherwise failure.
*/
static int wc_Tls13_HKDF_Extract(byte* prk, const byte* salt, int saltLen,
byte* ikm, int ikmLen, int digest)
{
int ret;
int len = 0;
switch (digest) {
#ifndef NO_SHA256
case WC_SHA256:
len = WC_SHA256_DIGEST_SIZE;
break;
#endif
#ifdef WOLFSSL_SHA384
case WC_SHA384:
len = WC_SHA384_DIGEST_SIZE;
break;
#endif
#ifdef WOLFSSL_TLS13_SHA512
case WC_SHA512:
len = WC_SHA512_DIGEST_SIZE;
break;
#endif
default:
return BAD_FUNC_ARG;
}
/* When length is 0 then use zeroed data of digest length. */
if (ikmLen == 0) {
ikmLen = len;
XMEMSET(ikm, 0, len);
}
#ifdef WOLFSSL_DEBUG_TLS
WOLFSSL_MSG(" Salt");
WOLFSSL_BUFFER(salt, saltLen);
WOLFSSL_MSG(" IKM");
WOLFSSL_BUFFER(ikm, ikmLen);
#endif
ret = wc_HKDF_Extract(digest, salt, saltLen, ikm, ikmLen, prk);
#ifdef WOLFSSL_DEBUG_TLS
WOLFSSL_MSG(" PRK");
WOLFSSL_BUFFER(prk, len);
#endif
return ret;
}
/* Expand data using HMAC, salt and label and info.
* TLS v1.3 defines this function.
*
* okm The generated pseudorandom key - output key material.
* okmLen The length of generated pseudorandom key - output key material.
* prk The salt - pseudo-random key.
* prkLen The length of the salt - pseudo-random key.
* protocol The TLS protocol label.
* protocolLen The length of the TLS protocol label.
* info The information to expand.
* infoLen The length of the information.
* digest The type of digest to use.
* returns 0 on success, otherwise failure.
*/
static int wc_Tls13_HKDF_Expand_Label(byte* okm, word32 okmLen,
const byte* prk, word32 prkLen,
const byte* protocol, word32 protocolLen,
const byte* label, word32 labelLen,
const byte* info, word32 infoLen,
int digest)
{
int ret = 0;
int idx = 0;
byte data[MAX_TLS13_HKDF_LABEL_SZ];
/* Output length. */
data[idx++] = (byte)(okmLen >> 8);
data[idx++] = (byte)okmLen;
/* Length of protocol | label. */
data[idx++] = (byte)(protocolLen + labelLen);
/* Protocol */
XMEMCPY(&data[idx], protocol, protocolLen);
idx += protocolLen;
/* Label */
XMEMCPY(&data[idx], label, labelLen);
idx += labelLen;
/* Length of hash of messages */
data[idx++] = (byte)infoLen;
/* Hash of messages */
if (info != NULL && infoLen > 0) {
XMEMCPY(&data[idx], info, infoLen);
idx += infoLen;
}
#ifdef WOLFSSL_DEBUG_TLS
WOLFSSL_MSG(" PRK");
WOLFSSL_BUFFER(prk, prkLen);
WOLFSSL_MSG(" Info");
WOLFSSL_BUFFER(data, idx);
#endif
ret = wc_HKDF_Expand(digest, prk, prkLen, data, idx, okm, okmLen);
#ifdef WOLFSSL_DEBUG_TLS
WOLFSSL_MSG(" OKM");
WOLFSSL_BUFFER(okm, okmLen);
#endif
ForceZero(data, idx);
return ret;
}
#endif /* HAVE_FIPS */
/* Size of the TLS v1.3 label use when deriving keys. */
#define TLS13_PROTOCOL_LABEL_SZ 6
/* The protocol label for TLS v1.3. */

9
wolfcrypt/src/ecc.c
View File

@ -1208,7 +1208,7 @@ static int ecc_check_pubkey_order(ecc_key* key, ecc_point* pubkey, mp_int* a,
mp_int* prime, mp_int* order);
#endif
static int _ecc_validate_public_key(ecc_key* key, int partial, int priv);
#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
#if defined(WOLFSSL_VALIDATE_ECC_KEYGEN) || defined(WOLFSSL_VALIDATE_ECC_IMPORT)
static int _ecc_pairwise_consistency_test(ecc_key* key);
#endif
@ -7618,8 +7618,10 @@ static int ecc_check_privkey_gen_helper(ecc_key* key)
return err;
}
#endif /* WOLFSSL_VALIDATE_ECC_IMPORT */
#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
#if defined(WOLFSSL_VALIDATE_ECC_KEYGEN) || defined(WOLFSSL_VALIDATE_ECC_IMPORT)
/* Performs a Pairwise Consistency Test on an ECC key pair. */
static int _ecc_pairwise_consistency_test(ecc_key* key)
{
@ -7630,9 +7632,8 @@ static int _ecc_pairwise_consistency_test(ecc_key* key)
return err;
}
#endif /* WOLFSSL_VALIDATE_ECC_KEYGEN */
#endif /* WOLFSSL_VALIDATE_ECC_KEYGEN || WOLFSSL_VALIDATE_ECC_IMPORT */
#endif /* WOLFSSL_VALIDATE_ECC_IMPORT */
#if defined(WOLFSSL_VALIDATE_ECC_KEYGEN) || !defined(WOLFSSL_SP_MATH)
/* validate order * pubkey = point at infinity, 0 on success */

153
wolfcrypt/src/hmac.c
View File

@ -108,6 +108,17 @@
HmacFree(hmac); */
}
#ifdef HAVE_HKDF
int wc_HKDF(int type, const byte* inKey, word32 inKeySz,
const byte* salt, word32 saltSz,
const byte* info, word32 infoSz,
byte* out, word32 outSz)
{
return HKDF(type, inKey, inKeySz, salt, saltSz,
info, infoSz, out, outSz);
}
#endif /* HAVE_HKDF */
#else /* else build without fips, or for new fips */
@ -1167,7 +1178,149 @@ int wolfSSL_GetHmacMaxSize(void)
return WC_MAX_DIGEST_SIZE;
}
#ifdef HAVE_HKDF
/* HMAC-KDF-Extract.
* RFC 5869 - HMAC-based Extract-and-Expand Key Derivation Function (HKDF).
*
* type The hash algorithm type.
* salt The optional salt value.
* saltSz The size of the salt.
* inKey The input keying material.
* inKeySz The size of the input keying material.
* out The pseudorandom key with the length that of the hash.
* returns 0 on success, otherwise failure.
*/
int wc_HKDF_Extract(int type, const byte* salt, word32 saltSz,
const byte* inKey, word32 inKeySz, byte* out)
{
byte tmp[WC_MAX_DIGEST_SIZE]; /* localSalt helper */
Hmac myHmac;
int ret;
const byte* localSalt; /* either points to user input or tmp */
int hashSz;
ret = wc_HmacSizeByType(type);
if (ret < 0)
return ret;
hashSz = ret;
localSalt = salt;
if (localSalt == NULL) {
XMEMSET(tmp, 0, hashSz);
localSalt = tmp;
saltSz = hashSz;
}
ret = wc_HmacInit(&myHmac, NULL, INVALID_DEVID);
if (ret == 0) {
ret = wc_HmacSetKey(&myHmac, type, localSalt, saltSz);
if (ret == 0)
ret = wc_HmacUpdate(&myHmac, inKey, inKeySz);
if (ret == 0)
ret = wc_HmacFinal(&myHmac, out);
wc_HmacFree(&myHmac);
}
return ret;
}
/* HMAC-KDF-Expand.
* RFC 5869 - HMAC-based Extract-and-Expand Key Derivation Function (HKDF).
*
* type The hash algorithm type.
* inKey The input key.
* inKeySz The size of the input key.
* info The application specific information.
* infoSz The size of the application specific information.
* out The output keying material.
* returns 0 on success, otherwise failure.
*/
int wc_HKDF_Expand(int type, const byte* inKey, word32 inKeySz,
const byte* info, word32 infoSz, byte* out, word32 outSz)
{
byte tmp[WC_MAX_DIGEST_SIZE];
Hmac myHmac;
int ret = 0;
word32 outIdx = 0;
word32 hashSz = wc_HmacSizeByType(type);
byte n = 0x1;
/* RFC 5869 states that the length of output keying material in
octets must be L <= 255*HashLen or N = ceil(L/HashLen) */
if (out == NULL || ((outSz/hashSz) + ((outSz % hashSz) != 0)) > 255)
return BAD_FUNC_ARG;
ret = wc_HmacInit(&myHmac, NULL, INVALID_DEVID);
if (ret != 0)
return ret;
while (outIdx < outSz) {
int tmpSz = (n == 1) ? 0 : hashSz;
word32 left = outSz - outIdx;
ret = wc_HmacSetKey(&myHmac, type, inKey, inKeySz);
if (ret != 0)
break;
ret = wc_HmacUpdate(&myHmac, tmp, tmpSz);
if (ret != 0)
break;
ret = wc_HmacUpdate(&myHmac, info, infoSz);
if (ret != 0)
break;
ret = wc_HmacUpdate(&myHmac, &n, 1);
if (ret != 0)
break;
ret = wc_HmacFinal(&myHmac, tmp);
if (ret != 0)
break;
left = min(left, hashSz);
XMEMCPY(out+outIdx, tmp, left);
outIdx += hashSz;
n++;
}
wc_HmacFree(&myHmac);
return ret;
}
/* HMAC-KDF.
* RFC 5869 - HMAC-based Extract-and-Expand Key Derivation Function (HKDF).
*
* type The hash algorithm type.
* inKey The input keying material.
* inKeySz The size of the input keying material.
* salt The optional salt value.
* saltSz The size of the salt.
* info The application specific information.
* infoSz The size of the application specific information.
* out The output keying material.
* returns 0 on success, otherwise failure.
*/
int wc_HKDF(int type, const byte* inKey, word32 inKeySz,
const byte* salt, word32 saltSz,
const byte* info, word32 infoSz,
byte* out, word32 outSz)
{
byte prk[WC_MAX_DIGEST_SIZE];
int hashSz = wc_HmacSizeByType(type);
int ret;
if (hashSz < 0)
return BAD_FUNC_ARG;
ret = wc_HKDF_Extract(type, salt, saltSz, inKey, inKeySz, prk);
if (ret != 0)
return ret;
return wc_HKDF_Expand(type, prk, hashSz, info, infoSz, out, outSz);
}
#endif /* HAVE_HKDF */
#endif /* HAVE_FIPS */
#endif /* NO_HMAC */

180
wolfcrypt/src/kdf.c
View File

@ -41,7 +41,6 @@
#endif
#endif
#include <wolfssl/wolfcrypt/hmac.h>
#ifdef NO_INLINE
#include <wolfssl/wolfcrypt/misc.h>
@ -50,6 +49,7 @@
#include <wolfcrypt/src/misc.c>
#endif
#include <wolfssl/wolfcrypt/hmac.h>
#include <wolfssl/wolfcrypt/kdf.h>
@ -334,148 +334,7 @@ int wc_PRF_TLS(byte* digest, word32 digLen, const byte* secret, word32 secLen,
#endif /* WOLFSSL_HAVE_PRF */
#ifdef HAVE_HKDF
/* HMAC-KDF-Extract.
* RFC 5869 - HMAC-based Extract-and-Expand Key Derivation Function (HKDF).
*
* type The hash algorithm type.
* salt The optional salt value.
* saltSz The size of the salt.
* inKey The input keying material.
* inKeySz The size of the input keying material.
* out The pseudorandom key with the length that of the hash.
* returns 0 on success, otherwise failure.
*/
int wc_HKDF_Extract(int type, const byte* salt, word32 saltSz,
const byte* inKey, word32 inKeySz, byte* out)
{
byte tmp[WC_MAX_DIGEST_SIZE]; /* localSalt helper */
Hmac myHmac;
int ret;
const byte* localSalt; /* either points to user input or tmp */
int hashSz;
ret = wc_HmacSizeByType(type);
if (ret < 0)
return ret;
hashSz = ret;
localSalt = salt;
if (localSalt == NULL) {
XMEMSET(tmp, 0, hashSz);
localSalt = tmp;
saltSz = hashSz;
}
ret = wc_HmacInit(&myHmac, NULL, INVALID_DEVID);
if (ret == 0) {
ret = wc_HmacSetKey(&myHmac, type, localSalt, saltSz);
if (ret == 0)
ret = wc_HmacUpdate(&myHmac, inKey, inKeySz);
if (ret == 0)
ret = wc_HmacFinal(&myHmac, out);
wc_HmacFree(&myHmac);
}
return ret;
}
/* HMAC-KDF-Expand.
* RFC 5869 - HMAC-based Extract-and-Expand Key Derivation Function (HKDF).
*
* type The hash algorithm type.
* inKey The input key.
* inKeySz The size of the input key.
* info The application specific information.
* infoSz The size of the application specific information.
* out The output keying material.
* returns 0 on success, otherwise failure.
*/
int wc_HKDF_Expand(int type, const byte* inKey, word32 inKeySz,
const byte* info, word32 infoSz, byte* out, word32 outSz)
{
byte tmp[WC_MAX_DIGEST_SIZE];
Hmac myHmac;
int ret = 0;
word32 outIdx = 0;
word32 hashSz = wc_HmacSizeByType(type);
byte n = 0x1;
/* RFC 5869 states that the length of output keying material in
octets must be L <= 255*HashLen or N = ceil(L/HashLen) */
if (out == NULL || ((outSz/hashSz) + ((outSz % hashSz) != 0)) > 255)
return BAD_FUNC_ARG;
ret = wc_HmacInit(&myHmac, NULL, INVALID_DEVID);
if (ret != 0)
return ret;
while (outIdx < outSz) {
int tmpSz = (n == 1) ? 0 : hashSz;
word32 left = outSz - outIdx;
ret = wc_HmacSetKey(&myHmac, type, inKey, inKeySz);
if (ret != 0)
break;
ret = wc_HmacUpdate(&myHmac, tmp, tmpSz);
if (ret != 0)
break;
ret = wc_HmacUpdate(&myHmac, info, infoSz);
if (ret != 0)
break;
ret = wc_HmacUpdate(&myHmac, &n, 1);
if (ret != 0)
break;
ret = wc_HmacFinal(&myHmac, tmp);
if (ret != 0)
break;
left = min(left, hashSz);
XMEMCPY(out+outIdx, tmp, left);
outIdx += hashSz;
n++;
}
wc_HmacFree(&myHmac);
return ret;
}
/* HMAC-KDF.
* RFC 5869 - HMAC-based Extract-and-Expand Key Derivation Function (HKDF).
*
* type The hash algorithm type.
* inKey The input keying material.
* inKeySz The size of the input keying material.
* salt The optional salt value.
* saltSz The size of the salt.
* info The application specific information.
* infoSz The size of the application specific information.
* out The output keying material.
* returns 0 on success, otherwise failure.
*/
int wc_HKDF(int type, const byte* inKey, word32 inKeySz,
const byte* salt, word32 saltSz,
const byte* info, word32 infoSz,
byte* out, word32 outSz)
{
byte prk[WC_MAX_DIGEST_SIZE];
int hashSz = wc_HmacSizeByType(type);
int ret;
if (hashSz < 0)
return BAD_FUNC_ARG;
ret = wc_HKDF_Extract(type, salt, saltSz, inKey, inKeySz, prk);
if (ret != 0)
return ret;
return wc_HKDF_Expand(type, prk, hashSz, info, infoSz, out, outSz);
}
#if defined(HAVE_HKDF)
/* Extract data using HMAC, salt and input.
* RFC 5869 - HMAC-based Extract-and-Expand Key Derivation Function (HKDF)
@ -606,8 +465,33 @@ int wc_PRF_TLS(byte* digest, word32 digLen, const byte* secret, word32 secLen,
#ifdef WOLFSSL_WOLFSSH
/* hash union */
typedef union {
#ifndef NO_MD5
wc_Md5 md5;
#endif
#ifndef NO_SHA
wc_Sha sha;
#endif
#ifdef WOLFSSL_SHA224
wc_Sha224 sha224;
#endif
#ifndef NO_SHA256
wc_Sha256 sha256;
#endif
#ifdef WOLFSSL_SHA384
wc_Sha384 sha384;
#endif
#ifdef WOLFSSL_SHA512
wc_Sha512 sha512;
#endif
#ifdef WOLFSSL_SHA3
wc_Sha3 sha3;
#endif
} _hash;
static
int _HashInit(byte hashId, wc_Hmac_Hash* hash)
int _HashInit(byte hashId, _hash* hash)
{
int ret = BAD_FUNC_ARG;
@ -640,7 +524,7 @@ int _HashInit(byte hashId, wc_Hmac_Hash* hash)
}
static
int _HashUpdate(byte hashId, wc_Hmac_Hash* hash,
int _HashUpdate(byte hashId, _hash* hash,
const byte* data, word32 dataSz)
{
int ret = BAD_FUNC_ARG;
@ -674,7 +558,7 @@ int _HashUpdate(byte hashId, wc_Hmac_Hash* hash,
}
static
int _HashFinal(byte hashId, wc_Hmac_Hash* hash, byte* digest)
int _HashFinal(byte hashId, _hash* hash, byte* digest)
{
int ret = BAD_FUNC_ARG;
@ -707,7 +591,7 @@ int _HashFinal(byte hashId, wc_Hmac_Hash* hash, byte* digest)
}
static
void _HashFree(byte hashId, wc_Hmac_Hash* hash)
void _HashFree(byte hashId, _hash* hash)
{
switch (hashId) {
#ifndef NO_SHA
@ -743,7 +627,7 @@ int wc_SSH_KDF(byte hashId, byte keyId, byte* key, word32 keySz,
const byte* sessionId, word32 sessionIdSz)
{
word32 blocks, remainder;
wc_Hmac_Hash hash;
_hash hash;
enum wc_HashType enmhashId = (enum wc_HashType)hashId;
byte kPad = 0;
byte pad = 0;

32
wolfssl/wolfcrypt/hash.h
View File

@ -220,38 +220,6 @@ WOLFSSL_API int wc_Shake256Hash(const byte*, word32, byte*, word32);
#endif /* !NO_HASH_WRAPPER */
#if (defined(HAVE_FIPS) && \
(!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 4))) || \
defined(HAVE_SELFTEST)
enum max_prf {
#ifdef HAVE_FFDHE_8192
MAX_PRF_HALF = 516, /* Maximum half secret len */
#elif defined(HAVE_FFDHE_6144)
MAX_PRF_HALF = 388, /* Maximum half secret len */
#else
MAX_PRF_HALF = 260, /* Maximum half secret len */
#endif
MAX_PRF_LABSEED = 128, /* Maximum label + seed len */
MAX_PRF_DIG = 224 /* Maximum digest len */
};
#endif
#if defined(WOLFSSL_HAVE_PRF) && ((defined(HAVE_FIPS) && \
(!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 4))) || defined(HAVE_SELFTEST))
WOLFSSL_API int wc_PRF(byte* result, word32 resLen, const byte* secret,
word32 secLen, const byte* seed, word32 seedLen, int hash,
void* heap, int devId);
WOLFSSL_API int wc_PRF_TLSv1(byte* digest, word32 digLen, const byte* secret,
word32 secLen, const byte* label, word32 labLen,
const byte* seed, word32 seedLen, void* heap, int devId);
WOLFSSL_API int wc_PRF_TLS(byte* digest, word32 digLen, const byte* secret,
word32 secLen, const byte* label, word32 labLen,
const byte* seed, word32 seedLen, int useAtLeastSha256,
int hash_type, void* heap, int devId);
#endif /* WOLFSSL_HAVE_PRF */
#ifdef __cplusplus
} /* extern "C" */
#endif

15
wolfssl/wolfcrypt/hmac.h
View File

@ -189,6 +189,21 @@ WOLFSSL_API int wolfSSL_GetHmacMaxSize(void);
WOLFSSL_LOCAL int _InitHmac(Hmac* hmac, int type, void* heap);
#ifdef HAVE_HKDF
WOLFSSL_API int wc_HKDF_Extract(int type, const byte* salt, word32 saltSz,
const byte* inKey, word32 inKeySz, byte* out);
WOLFSSL_API int wc_HKDF_Expand(int type, const byte* inKey, word32 inKeySz,
const byte* info, word32 infoSz,
byte* out, word32 outSz);
WOLFSSL_API int wc_HKDF(int type, const byte* inKey, word32 inKeySz,
const byte* salt, word32 saltSz,
const byte* info, word32 infoSz,
byte* out, word32 outSz);
#endif /* HAVE_HKDF */
#ifdef __cplusplus
} /* extern "C" */
#endif

13
wolfssl/wolfcrypt/kdf.h
View File

@ -33,6 +33,8 @@
#include <wolfssl/wolfcrypt/fips.h>
#endif
#include <wolfssl/wolfcrypt/hmac.h>
#ifdef __cplusplus
extern "C" {
#endif
@ -65,17 +67,6 @@ WOLFSSL_API int wc_PRF_TLS(byte* digest, word32 digLen, const byte* secret,
#ifdef HAVE_HKDF
WOLFSSL_API int wc_HKDF_Extract(int type, const byte* salt, word32 saltSz,
const byte* inKey, word32 inKeySz, byte* out);
WOLFSSL_API int wc_HKDF_Expand(int type, const byte* inKey, word32 inKeySz,
const byte* info, word32 infoSz,
byte* out, word32 outSz);
WOLFSSL_API int wc_HKDF(int type, const byte* inKey, word32 inKeySz,
const byte* salt, word32 saltSz,
const byte* info, word32 infoSz,
byte* out, word32 outSz);
enum {
/*
MAX_HKDF_LABEL_SZ = OPAQUE16_LEN +