cmac kdf: add NIST SP 800-108, and NIST SP 800-56C two-step.

jordan
2025-10-20 08:20:23 -05:00
parent aba9ee4015
commit 525c212d1c
11 changed files with 790 additions and 41 deletions


@@ -606,7 +606,6 @@ WC_DISABLE_RADIX_ZERO_PAD
WC_ECC_NONBLOCK_ONLY
WC_FLAG_DONT_USE_AESNI
WC_FORCE_LINUXKM_FORTIFY_SOURCE
WC_KDF_NIST_SP_800_56C
WC_LMS_FULL_HASH
WC_NO_RNG_SIMPLE
WC_NO_STATIC_ASSERT


@@ -1334,6 +1334,7 @@ then
test "$enable_eccencrypt" = "" && test "$enable_ecc" != "no" && enable_eccencrypt=yes
test "$enable_psk" = "" && enable_psk=yes
test "$enable_cmac" = "" && enable_cmac=yes
test "$enable_cmac_kdf" = "" && enable_cmac_kdf=yes
test "$enable_siphash" = "" && enable_siphash=yes
test "$enable_ocsp" = "" && enable_ocsp=yes
test "$enable_ocspstapling" = "" && test "$enable_ocsp" != "no" && enable_ocspstapling=yes
@@ -1441,6 +1442,9 @@ then
# Store issuer name components when parsing certificates.
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAVE_ISSUER_NAMES"
# Enable onestep KDF from NIST SP 800 56c option 1.
AM_CFLAGS="$AM_CFLAGS -DWC_KDF_NIST_SP_800_56C"
fi
# wolfGuard
@@ -5600,6 +5604,20 @@ AC_ARG_ENABLE([siphash],
AS_IF([test "x$ENABLED_SIPHASH" = "xyes"],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SIPHASH"])
AC_ARG_ENABLE([cmac-kdf],
[AS_HELP_STRING([--enable-cmac-kdf],[Enables cmac-kdf support (default: disabled)])],
[ ENABLED_CMAC_KDF=$enableval ],
[ ENABLED_CMAC_KDF=no ]
)
if test "$ENABLED_CMAC_KDF" = "yes"
then
if test "$ENABLED_KDF" != "yes"
then
AC_MSG_ERROR([enable-cmac-kdf requires --enable-kdf])
fi
AM_CFLAGS="$AM_CFLAGS -DHAVE_CMAC_KDF"
fi
# CMAC
AC_ARG_ENABLE([cmac],
@@ -5608,7 +5626,7 @@ AC_ARG_ENABLE([cmac],
[ ENABLED_CMAC=no ]
)
if test "$ENABLED_WPAS" != "no" || test "$ENABLED_NTP" = "yes" || test "$ENABLED_AESSIV" = "yes" || test "$ENABLED_WOLFENGINE" = "yes" || test "$ENABLED_AESEAX" = "yes"
if test "$ENABLED_WPAS" != "no" || test "$ENABLED_NTP" = "yes" || test "$ENABLED_AESSIV" = "yes" || test "$ENABLED_WOLFENGINE" = "yes" || test "$ENABLED_AESEAX" = "yes" || test "$ENABLED_CMAC_KDF" = "yes"
then
ENABLED_CMAC=yes
fi


@@ -2753,8 +2753,11 @@ int test_wc_AesEaxEncryptAuth(void)
/* Test bad key lengths */
for (i = 0; i <= 32; i++) {
int exp_ret;
if (i == AES_128_KEY_SIZE || i == AES_192_KEY_SIZE
|| i == AES_256_KEY_SIZE) {
if (i == AES_128_KEY_SIZE
#if defined(WOLFSSL_AES_192)
|| i == AES_192_KEY_SIZE
#endif /* WOLFSSL_AES_192 */
|| i == AES_256_KEY_SIZE) {
exp_ret = 0;
}
else {
@@ -2865,8 +2868,11 @@ int test_wc_AesEaxDecryptAuth(void)
/* Test bad key lengths */
for (i = 0; i <= 32; i++) {
int exp_ret;
if (i == AES_128_KEY_SIZE || i == AES_192_KEY_SIZE
|| i == AES_256_KEY_SIZE) {
if (i == AES_128_KEY_SIZE
#if defined(WOLFSSL_AES_192)
|| i == AES_192_KEY_SIZE
#endif /* WOLFSSL_AES_192 */
|| i == AES_256_KEY_SIZE) {
exp_ret = WC_NO_ERR_TRACE(AES_EAX_AUTH_E);
}
else {
@@ -2896,7 +2902,7 @@ int test_wc_AesEaxDecryptAuth(void)
return EXPECT_RESULT();
} /* END test_wc_AesEaxDecryptAuth() */
#endif /* WOLFSSL_AES_EAX &&
#endif /* WOLFSSL_AES_EAX && WOLFSSL_AES_256
* (!HAVE_FIPS || FIPS_VERSION_GE(5, 3)) && !HAVE_SELFTEST
*/


@@ -40,7 +40,7 @@ int test_wc_AesCcmEncryptDecrypt(void);
int test_wc_AesEaxVectors(void);
int test_wc_AesEaxEncryptAuth(void);
int test_wc_AesEaxDecryptAuth(void);
#endif /* WOLFSSL_AES_EAX */
#endif /* WOLFSSL_AES_EAX && WOLFSSL_AES_256*/
int test_wc_GmacSetKey(void);
int test_wc_GmacUpdate(void);


@@ -174,12 +174,14 @@ static const char* GetCryptoCbCmdTypeStr(int type)
}
#endif
#if defined(HAVE_HKDF) && !defined(NO_HMAC)
#if (defined(HAVE_HKDF) && !defined(NO_HMAC)) || defined(HAVE_CMAC_KDF)
static const char* GetKdfTypeStr(int type)
{
switch (type) {
case WC_KDF_TYPE_HKDF:
return "HKDF";
case WC_KDF_TYPE_TWOSTEP_CMAC:
return "TWOSTEP_CMAC";
}
return NULL;
}
@@ -251,7 +253,8 @@ void wc_CryptoCb_InfoString(wc_CryptoInfo* info)
GetCryptoCbCmdTypeStr(info->cmd.type), info->cmd.type);
}
#endif
#if defined(HAVE_HKDF) && !defined(NO_HMAC)
#if (defined(HAVE_HKDF) && !defined(NO_HMAC)) || \
defined(HAVE_CMAC_KDF)
else if (info->algo_type == WC_ALGO_TYPE_KDF) {
printf("Crypto CB: %s %s (%d)\n", GetAlgoTypeStr(info->algo_type),
GetKdfTypeStr(info->kdf.type), info->kdf.type);
@@ -2025,4 +2028,42 @@ int wc_CryptoCb_Hkdf(int hashType, const byte* inKey, word32 inKeySz,
}
#endif /* HAVE_HKDF && !NO_HMAC */
#if defined(HAVE_CMAC_KDF)
/* Crypto callback for NIST SP 800 56C two-step CMAC KDF. See software
* implementation in wc_KDA_KDF_twostep_cmac for more comments.
* */
int wc_CryptoCb_Kdf_TwostepCmac(const byte * salt, word32 saltSz,
const byte* z, word32 zSz,
const byte* fixedInfo, word32 fixedInfoSz,
byte* output, word32 outputSz, int devId)
{
int ret = WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE);
CryptoCb* dev;
/* Find registered callback device */
dev = wc_CryptoCb_FindDevice(devId, WC_ALGO_TYPE_KDF);
if (dev && dev->cb) {
wc_CryptoInfo cryptoInfo;
XMEMSET(&cryptoInfo, 0, sizeof(cryptoInfo));
cryptoInfo.algo_type = WC_ALGO_TYPE_KDF;
cryptoInfo.kdf.type = WC_KDF_TYPE_TWOSTEP_CMAC;
cryptoInfo.kdf.twostep_cmac.salt = salt;
cryptoInfo.kdf.twostep_cmac.saltSz = saltSz;
cryptoInfo.kdf.twostep_cmac.z = z;
cryptoInfo.kdf.twostep_cmac.zSz = zSz;
cryptoInfo.kdf.twostep_cmac.fixedInfo = fixedInfo;
cryptoInfo.kdf.twostep_cmac.fixedInfoSz = fixedInfoSz;
cryptoInfo.kdf.twostep_cmac.out = output;
cryptoInfo.kdf.twostep_cmac.outSz = outputSz;
ret = dev->cb(dev->devId, &cryptoInfo, dev->ctx);
}
return wc_CryptoCb_TranslateErrorCode(ret);
}
#endif /* HAVE_CMAC_KDF */
#endif /* WOLF_CRYPTO_CB */
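Review bot: On a callback failure the contents of `output` are whatever the device left there, because wc_CryptoCb_Kdf_TwostepCmac returns the translated code right after `dev->cb(...)` without touching the buffer, whereas the software PRF in kdf.c wipes its output with ForceZero on error. The caller in wc_KDA_KDF_twostep_cmac returns any result other than CRYPTOCB_UNAVAILABLE directly, so partially derived key material can stay in the caller's buffer on that path. Either wipe it at that return in kdf.c, `if (ret != 0) ForceZero(output, outputSz);`, or state the contract in the header comment of this function, e.g. `/* On error the callback must not leave partial key material in output. */`.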


@@ -43,8 +43,11 @@
#include <wolfssl/wolfcrypt/hmac.h>
#include <wolfssl/wolfcrypt/kdf.h>
#ifdef WC_SRTP_KDF
#include <wolfssl/wolfcrypt/aes.h>
#if defined(WC_SRTP_KDF) || defined(HAVE_CMAC_KDF)
#include <wolfssl/wolfcrypt/aes.h>
#endif
#ifdef WOLF_CRYPTO_CB
#include <wolfssl/wolfcrypt/cryptocb.h>
#endif
#if FIPS_VERSION3_GE(6,0,0)
@@ -299,7 +302,6 @@ int wc_PRF_TLS(byte* digest, word32 digLen, const byte* secret, word32 secLen,
WOLFSSL_BUFFER(seed, seedLen);
#endif
if (useAtLeastSha256) {
WC_DECLARE_VAR(labelSeed, byte, MAX_PRF_LABSEED, 0);
@@ -1351,7 +1353,7 @@ static int wc_KDA_KDF_iteration(const byte* z, word32 zSz, word32 counter,
/**
* \brief Performs the single-step key derivation function (KDF) as specified in
* SP800-56C option 1.
* SP800-56C option 1. This implementation uses a 32 bit counter.
*
* \param [in] z The input keying material.
* \param [in] zSz The size of the input keying material.
@@ -1390,19 +1392,19 @@ int wc_KDA_KDF_onestep(const byte* z, word32 zSz, const byte* fixedInfo,
* depends on the HASH algo. The smaller value in the table is (2**64-1)/8.
* This is larger than the possible length using word32 integers. */
counter = 1;
counter = 1; /* init counter to 1, from SP800-56C section 4.1 */
outIdx = 0;
ret = 0;
/* According to SP800_56C the number of iterations shall not be greater than
* 2**32-1. This is not possible using word32 integers.*/
while (outIdx + hashOutSz <= derivedSecretSz) {
while (outIdx + (word32) hashOutSz <= derivedSecretSz) {
ret = wc_KDA_KDF_iteration(z, zSz, counter, fixedInfo, fixedInfoSz,
hashType, output + outIdx);
if (ret != 0)
break;
counter++;
outIdx += hashOutSz;
outIdx += (word32) hashOutSz;
}
if (ret == 0 && outIdx < derivedSecretSz) {
@@ -1411,7 +1413,7 @@ int wc_KDA_KDF_onestep(const byte* z, word32 zSz, const byte* fixedInfo,
if (ret == 0) {
XMEMCPY(output + outIdx, hashTempBuf, derivedSecretSz - outIdx);
}
ForceZero(hashTempBuf, hashOutSz);
ForceZero(hashTempBuf, (word32) hashOutSz);
}
if (ret != 0) {
@@ -1422,4 +1424,279 @@ int wc_KDA_KDF_onestep(const byte* z, word32 zSz, const byte* fixedInfo,
}
#endif /* WC_KDF_NIST_SP_800_56C */
#ifdef HAVE_CMAC_KDF
/**
* \brief Performs the two-step cmac key derivation function (KDF) as
* specified in SP800-56C, section 5.1, in counter mode.
*
* Z fixedInfo
* ____|_________________________________|___________
* | | | |
* | ________________ ___________ |
* salt--|-> | Randomness | | Key | |
* | | Extract | --Key_kdk--> | Expansion | -|-output-->
* | ---------------- ----------- |
* --------------------------------------------------
*
* \param [in] salt The input keying material for cmac.
* \param [in] salt_len The size of the input keying material.
* \param [in] z The input shared secret (message to cmac).
* \param [in] zSz The size of the input shared secret.
* \param [in] fixedInfo The fixed information in the KDF.
* \param [in] fixedInfoSz The size of the fixed information.
* \param [out] output The buffer to store the derived secret.
* \param [in] outputSz The desired size of the output secret.
* \param [in] heap The heap hint.
* \param [in] devId The device id.
*
* \return 0 if the KDF operation is successful.
* \return BAD_FUNC_ARG if the input parameters are invalid.
* \return negative error code if the KDF operation fails.
*/
int wc_KDA_KDF_twostep_cmac(const byte * salt, word32 salt_len,
const byte* z, word32 zSz,
const byte* fixedInfo, word32 fixedInfoSz,
byte* output, word32 outputSz,
void * heap, int devId)
{
byte Key_kdk[WC_AES_BLOCK_SIZE]; /* key derivation key*/
word32 kdk_len = sizeof(Key_kdk);
word32 tag_len = WC_AES_BLOCK_SIZE;
#ifdef WOLFSSL_SMALL_STACK
Cmac * cmac = NULL;
#else
Cmac cmac[1];
#endif /* WOLFSSL_SMALL_STACK */
int ret = 0;
/* screen out bad args. */
switch (salt_len) {
case AES_128_KEY_SIZE:
case AES_192_KEY_SIZE:
case AES_256_KEY_SIZE:
break; /* salt ok */
default:
WOLFSSL_MSG_EX("KDF twostep cmac: bad salt len: %d", salt_len);
return BAD_FUNC_ARG;
}
if (zSz == 0 || outputSz == 0) {
return BAD_FUNC_ARG;
}
if (fixedInfoSz > 0 && fixedInfo == NULL) {
return BAD_FUNC_ARG;
}
if (salt == NULL || z == NULL || output == NULL) {
return BAD_FUNC_ARG;
}
#ifdef WOLF_CRYPTO_CB
/* Try crypto callback first for complete operation */
if (devId != INVALID_DEVID) {
ret = wc_CryptoCb_Kdf_TwostepCmac(salt, salt_len, z, zSz,
fixedInfo, fixedInfoSz,
output, outputSz, devId);
if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) {
return ret;
}
/* fall-through when unavailable */
}
#endif
XMEMSET(Key_kdk, 0, kdk_len);
#ifdef WOLFSSL_SMALL_STACK
cmac = (Cmac*)XMALLOC(sizeof(Cmac), heap, DYNAMIC_TYPE_CMAC);
if (cmac == NULL) {
return MEMORY_E;
}
#endif
/* step 1: cmac extract */
ret = wc_AesCmacGenerate_ex(cmac, Key_kdk, &tag_len, z, zSz, salt, salt_len,
heap, devId);
if (ret == 0) {
if (tag_len != WC_AES_BLOCK_SIZE) {
WOLFSSL_MSG_EX("KDF twostep cmac: got %d, expected %d\n",
tag_len, WC_AES_BLOCK_SIZE);
ret = BUFFER_E;
}
}
#ifdef WOLFSSL_SMALL_STACK
if (cmac) {
XFREE(cmac, heap, DYNAMIC_TYPE_CMAC);
cmac = NULL;
}
#endif /* WOLFSSL_SMALL_STACK */
/* step 2: cmac expand with SP 800-108 PRF.
* If AES-128-CMAC, AES-192-CMAC, or AES-256-CMAC is used in the
* randomness extraction step, then only AES-128-CMAC is used in the
* key-expansion step.*/
if (ret == 0) {
ret = wc_KDA_KDF_PRF_cmac(Key_kdk, kdk_len, fixedInfo, fixedInfoSz,
output, outputSz, WC_CMAC_AES,
heap, devId);
}
/* always force zero the intermediate key derivation key. */
ForceZero(Key_kdk, sizeof(Key_kdk));
return ret;
}
/**
* \brief Performs the KDF PRF as specified in SP800-108r1.
* At the moment, only AES-CMAC counter mode (section 4.1) is
* implemented. This implementation uses a 32 bit counter.
*
* \param [in] Kin The input keying material.
* \param [in] KinSz The size of the input keying material.
* \param [in] fixedInfo The fixed information to be included in the KDF.
* \param [in] fixedInfo Sz The size of the fixed information.
* \param [out] Kout The output keying material.
* \param [in] KoutSz The desired size of the output key.
* \param [in] type The type of cmac.
* \param [in] heap The heap hint.
* \param [in] devId The device id.
*
* \return 0 if the KDF operation is successful.
* \return BAD_FUNC_ARG if the input parameters are invalid.
* \return negative error code if the KDF operation fails.
*/
int wc_KDA_KDF_PRF_cmac(const byte* Kin, word32 KinSz,
const byte* fixedInfo, word32 fixedInfoSz,
byte* Kout, word32 KoutSz, CmacType type,
void * heap, int devId)
{
word32 len_rem = KoutSz;
word32 tag_len = WC_AES_BLOCK_SIZE;
word32 counter = 1; /* init counter to 1, from SP800-108r1 section 4.1 */
#ifdef WOLFSSL_SMALL_STACK
Cmac * cmac = NULL;
#else
Cmac cmac[1];
#endif /* WOLFSSL_SMALL_STACK */
byte counterBuf[4];
int ret = 0;
/* screen out bad args. */
if (Kin == NULL || Kout == NULL) {
return BAD_FUNC_ARG;
}
if (fixedInfoSz > 0 && fixedInfo == NULL) {
return BAD_FUNC_ARG;
}
if (KoutSz == 0) {
return BAD_FUNC_ARG;
}
/* Only AES-CMAC PRF supported at this time. */
if (type != WC_CMAC_AES) {
return BAD_FUNC_ARG;
}
#ifdef WOLFSSL_SMALL_STACK
cmac = (Cmac*)XMALLOC(sizeof(Cmac), heap, DYNAMIC_TYPE_CMAC);
if (cmac == NULL) {
return MEMORY_E;
}
#endif
while (ret == 0 && len_rem >= WC_AES_BLOCK_SIZE) {
/* cmac in place in block size increments */
c32toa(counter, counterBuf);
#ifdef WOLFSSL_DEBUG_KDF
WOLFSSL_MSG_EX("wc_KDA_KDF_PRF_cmac: in place: "
"len_rem = %d, i = %d", len_rem, counter);
#endif /* WOLFSSL_DEBUG_KDF */
ret = wc_InitCmac_ex(cmac, Kin, KinSz, WC_CMAC_AES, NULL, heap, devId);
if (ret == 0) {
ret = wc_CmacUpdate(cmac, counterBuf, sizeof(counterBuf));
}
if (ret == 0 && fixedInfoSz > 0) {
ret = wc_CmacUpdate(cmac, fixedInfo, fixedInfoSz);
}
if (ret == 0) {
ret = wc_CmacFinalNoFree(cmac, &Kout[KoutSz - len_rem], &tag_len);
if (tag_len != WC_AES_BLOCK_SIZE) {
WOLFSSL_MSG_EX("wc_KDA_KDF_PRF_cmac: got %d, expected %d\n",
tag_len, WC_AES_BLOCK_SIZE);
ret = BUFFER_E;
}
}
(void)wc_CmacFree(cmac);
if (ret != 0) { break; }
len_rem -= WC_AES_BLOCK_SIZE;
++counter;
}
if (ret == 0 && len_rem) {
/* cmac the last little bit that wouldn't fit in a block size. */
byte rem[WC_AES_BLOCK_SIZE];
XMEMSET(rem, 0, sizeof(rem));
c32toa(counter, counterBuf);
#ifdef WOLFSSL_DEBUG_KDF
WOLFSSL_MSG_EX("wc_KDA_KDF_PRF_cmac: last little bit: "
"len_rem = %d, i = %d", len_rem, counter);
#endif /* WOLFSSL_DEBUG_KDF */
ret = wc_InitCmac_ex(cmac, Kin, KinSz, WC_CMAC_AES, NULL, heap, devId);
if (ret == 0) {
ret = wc_CmacUpdate(cmac, counterBuf, sizeof(counterBuf));
}
if (ret == 0 && fixedInfoSz > 0) {
ret = wc_CmacUpdate(cmac, fixedInfo, fixedInfoSz);
}
if (ret == 0) {
ret = wc_CmacFinalNoFree(cmac, rem, &tag_len);
if (tag_len != WC_AES_BLOCK_SIZE) {
WOLFSSL_MSG_EX("wc_KDA_KDF_PRF_cmac: got %d, expected %d\n",
tag_len, WC_AES_BLOCK_SIZE);
ret = BUFFER_E;
}
}
if (ret == 0) {
XMEMCPY(&Kout[KoutSz - len_rem], rem, len_rem);
}
ForceZero(rem, sizeof(rem));
(void)wc_CmacFree(cmac);
}
#ifdef WOLFSSL_SMALL_STACK
if (cmac) {
XFREE(cmac, heap, DYNAMIC_TYPE_CMAC);
cmac = NULL;
}
#endif /* WOLFSSL_SMALL_STACK */
if (ret != 0) {
ForceZero(Kout, KoutSz);
}
return ret;
}
#endif /* HAVE_CMAC_KDF */
#endif /* NO_KDF */
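Review bot: wc_KDA_KDF_PRF_cmac feeds only `counter || fixedInfo` into CMAC for each block, so the requested length KoutSz is never bound into the derivation: with the same Kin and fixedInfo, a 16-byte request returns the first 16 bytes of a 32-byte request. SP 800-108r1 counter mode places the encoded output length [L]_2 inside the fixed input for this reason, and wc_KDA_KDF_twostep_cmac passes its fixedInfo through unchanged, so it carries the same caller obligation. The doc comments of both functions should say so, for example `\note fixedInfo is used verbatim; the caller must encode Label || 0x00 || Context || [L]_2 itself, the output length is not appended.`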


@@ -632,6 +632,14 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t hpke_test(void);
#ifdef WC_SRTP_KDF
WOLFSSL_TEST_SUBROUTINE wc_test_ret_t srtpkdf_test(void);
#endif
#ifdef WC_KDF_NIST_SP_800_56C
WOLFSSL_TEST_SUBROUTINE wc_test_ret_t nist_sp80056c_kdf_test(void);
#endif
#ifdef HAVE_CMAC_KDF
WOLFSSL_TEST_SUBROUTINE wc_test_ret_t nist_sp800108_cmac(void);
WOLFSSL_TEST_SUBROUTINE wc_test_ret_t nist_sp80056c_twostep_cmac(void);
#endif
WOLFSSL_TEST_SUBROUTINE wc_test_ret_t arc4_test(void);
#ifdef WC_RC2
WOLFSSL_TEST_SUBROUTINE wc_test_ret_t rc2_test(void);
@@ -1138,15 +1146,15 @@ static int rng_crypto_cb(int thisDevId, wc_CryptoInfo* info, void* ctx)
#if defined(WC_KDF_NIST_SP_800_56C)
#define INIT_SP80056C_TEST_VECTOR(_z, _fixedInfo, _derivedKey, _hashType) \
{ \
.z = (const byte*)_z, .zSz = sizeof(_z) - 1, \
.fixedInfo = (const byte*)_fixedInfo, \
.z = (const byte*)(_z), .zSz = sizeof(_z) - 1, \
.fixedInfo = (const byte*)(_fixedInfo), \
.fixedInfoSz = sizeof(_fixedInfo) - 1, \
.derivedKey = (const byte*)_derivedKey, \
.derivedKeySz = sizeof(_derivedKey) - 1, .hashType = _hashType, \
.derivedKey = (const byte*)(_derivedKey), \
.derivedKeySz = sizeof(_derivedKey) - 1, .hashType = (_hashType), \
}
#define SP800_56C_MAX_OUT 128
static WOLFSSL_TEST_SUBROUTINE wc_test_ret_t nist_sp80056c_kdf_test(void)
WOLFSSL_TEST_SUBROUTINE wc_test_ret_t nist_sp80056c_kdf_test(void)
{
struct sp800_56c_test_vector {
const byte* z;
@@ -1469,6 +1477,322 @@ static WOLFSSL_TEST_SUBROUTINE wc_test_ret_t nist_sp80056c_kdf_test(void)
}
#endif /* WC_KDF_NIST_SP_800_56C */
#if defined(HAVE_CMAC_KDF)
/* test vectors from:
* "SP 800-108 Key Derivation Using Pseudorandom Functions - Key-Based"
* - https://csrc.nist.rip/groups/STM/cavp/key-derivation.html
* - CounterMode/KDFCTR_gen.txt
* */
WOLFSSL_TEST_SUBROUTINE wc_test_ret_t nist_sp800108_cmac(void)
{
struct sp800_108_test_vector {
const byte Kin[32];
word32 KinSz;
const byte fixedInfo[60];
word32 fixedInfoSz;
const byte Kout[40];
word32 KoutSz;
};
struct sp800_108_test_vector * v = NULL;
struct sp800_108_test_vector vctors[] = {
#if !defined(NO_AES_128)
{
/* [PRF=CMAC_AES128]
* [CTRLOCATION=BEFORE_FIXED]
* [RLEN=32_BITS]
* COUNT=0
* L = 128
* */
{0xc1, 0x0b, 0x15, 0x2e, 0x8c, 0x97, 0xb7, 0x7e,
0x18, 0x70, 0x4e, 0x0f, 0x0b, 0xd3, 0x83, 0x05},
16,
{0x98, 0xcd, 0x4c, 0xbb, 0xbe, 0xbe, 0x15, 0xd1,
0x7d, 0xc8, 0x6e, 0x6d, 0xba, 0xd8, 0x00, 0xa2,
0xdc, 0xbd, 0x64, 0xf7, 0xc7, 0xad, 0x0e, 0x78,
0xe9, 0xcf, 0x94, 0xff, 0xdb, 0xa8, 0x9d, 0x03,
0xe9, 0x7e, 0xad, 0xf6, 0xc4, 0xf7, 0xb8, 0x06,
0xca, 0xf5, 0x2a, 0xa3, 0x8f, 0x09, 0xd0, 0xeb,
0x71, 0xd7, 0x1f, 0x49, 0x7b, 0xcc, 0x69, 0x06,
0xb4, 0x8d, 0x36, 0xc4},
60,
{0x26, 0xfa, 0xf6, 0x19, 0x08, 0xad, 0x9e, 0xe8,
0x81, 0xb8, 0x30, 0x5c, 0x22, 0x1d, 0xb5, 0x3f},
16
},
{
/* [PRF=CMAC_AES128]
* [CTRLOCATION=BEFORE_FIXED]
* [RLEN=32_BITS]
* COUNT=10
* L = 256
* */
{0x69, 0x5f, 0x1b, 0x1a, 0x16, 0xc9, 0x49, 0xce,
0xa5, 0x1c, 0xdf, 0x25, 0x54, 0xec, 0x9d, 0x42},
16,
{0x4f, 0xce, 0x59, 0x42, 0x83, 0x2a, 0x39, 0x0a,
0xa1, 0xcb, 0xe8, 0xa0, 0xbf, 0x9d, 0x20, 0x2c,
0xb7, 0x99, 0xe9, 0x86, 0xc9, 0xd6, 0xb5, 0x1f,
0x45, 0xe4, 0xd5, 0x97, 0xa6, 0xb5, 0x7f, 0x06,
0xa4, 0xeb, 0xfe, 0xc6, 0x46, 0x73, 0x35, 0xd1,
0x16, 0xb7, 0xf5, 0xf9, 0xc5, 0xb9, 0x54, 0x06,
0x2f, 0x66, 0x18, 0x20, 0xf5, 0xdb, 0x2a, 0x5b,
0xbb, 0x3e, 0x06, 0x25},
60,
{0xd3, 0x4b, 0x60, 0x1e, 0xc1, 0x8c, 0x34, 0xdf,
0xa0, 0xf9, 0xe0, 0xb7, 0x52, 0x3e, 0x21, 0x8b,
0xdd, 0xdb, 0x9b, 0xef, 0xe8, 0xd0, 0x8b, 0x6c,
0x02, 0x02, 0xd7, 0x5a, 0xce, 0x0d, 0xba, 0x89},
32
},
#endif /* !NO_AES_128 */
#if !defined(NO_AES_192)
{
/* [PRF=CMAC_AES192]
* [CTRLOCATION=BEFORE_FIXED]
* [RLEN=32_BITS]
* COUNT=39
* L = 320
* */
{0x4c, 0x51, 0xbe, 0xa8, 0x97, 0x5b, 0xe9, 0xe5,
0xa0, 0xe4, 0x29, 0xa7, 0xfa, 0xc4, 0x0b, 0x66,
0x3f, 0x32, 0x99, 0x15, 0x7d, 0x1f, 0x5d, 0x67},
24,
{0xf8, 0x6e, 0x42, 0xc6, 0x6d, 0x49, 0xa8, 0xbe,
0xda, 0x81, 0x8e, 0x54, 0xd7, 0xc5, 0xa8, 0x1d,
0x00, 0xd0, 0x2f, 0xc8, 0x9d, 0x2a, 0x54, 0xe8,
0x0f, 0x19, 0xa8, 0x03, 0x4a, 0xd5, 0xe7, 0x0b,
0xb7, 0x3d, 0x03, 0x27, 0x54, 0x5a, 0xa5, 0xd5,
0x38, 0x7d, 0xff, 0x0a, 0x60, 0x3e, 0x16, 0x09,
0x33, 0xf8, 0x94, 0x82, 0x97, 0x71, 0x4d, 0x11,
0x23, 0x58, 0x55, 0x8f},
60,
{0x03, 0xae, 0x7b, 0xa3, 0xd2, 0x05, 0x0b, 0x18,
0x65, 0xfc, 0x4a, 0x77, 0x91, 0x8a, 0xd4, 0x90,
0x3a, 0xd5, 0xba, 0xf2, 0x6c, 0x02, 0x29, 0xa4,
0xda, 0xe4, 0xcc, 0x3b, 0xa6, 0x22, 0x32, 0x54,
0x7d, 0xcf, 0xbe, 0x65, 0xc1, 0xa2, 0x1e, 0x89},
40
},
#endif /* !NO_AES_192 */
#if !defined(NO_AES_256)
{
/* [PRF=CMAC_AES256]
* [CTRLOCATION=BEFORE_FIXED]
* [RLEN=32_BITS]
* COUNT=39
* L = 320
* */
{0x3a, 0x65, 0x76, 0xa1, 0x54, 0x1e, 0x07, 0xea,
0xbd, 0x47, 0xc3, 0x53, 0x4a, 0x43, 0x46, 0xab,
0x39, 0xf1, 0x5e, 0xb0, 0x1d, 0x83, 0xec, 0xf2,
0x31, 0x90, 0x81, 0xf6, 0xe7, 0xad, 0xa7, 0xe9},
32,
{0xa2, 0x59, 0xca, 0xe2, 0xc4, 0xa3, 0x6b, 0x89,
0x56, 0x3c, 0xb1, 0x48, 0xc7, 0x82, 0x51, 0x34,
0x3b, 0xbf, 0xab, 0xdc, 0x13, 0xca, 0x7a, 0xc2,
0x17, 0x1c, 0x2e, 0xb6, 0x02, 0x1f, 0x44, 0x77,
0xfe, 0xa3, 0x3b, 0x28, 0x72, 0x4d, 0xa7, 0x21,
0xee, 0x08, 0x7b, 0xff, 0xd7, 0x94, 0xa1, 0x56,
0x37, 0x54, 0xb4, 0x25, 0xa8, 0xd0, 0x9b, 0x3e,
0x0d, 0xa5, 0xff, 0xed},
60,
{0x99, 0xb7, 0x87, 0xef, 0x90, 0xa1, 0x33, 0xe5,
0x73, 0x6f, 0xdc, 0xf1, 0x75, 0xc3, 0xa3, 0x80,
0x50, 0x1f, 0x45, 0xde, 0xc8, 0xf0, 0x93, 0xec,
0xdd, 0x40, 0x00, 0x65, 0x2f, 0x4f, 0xf1, 0xc6,
0x57, 0x52, 0x48, 0xa3, 0x63, 0xd4, 0x5d, 0x18},
40
},
#endif /* !NO_AES_256 */
};
size_t i = 0;
int ret = 0;
size_t num_vctors = sizeof(vctors) / sizeof(vctors[0]);
/* nist vectors tests */
for (i = 0; i < num_vctors; ++i) {
byte test_Kout[40];
int n_diff = 0;
v = &vctors[i];
XMEMSET(test_Kout, 0, sizeof(test_Kout));
ret = wc_KDA_KDF_PRF_cmac(v->Kin, v->KinSz, v->fixedInfo, v->fixedInfoSz,
test_Kout, v->KoutSz, WC_CMAC_AES,
HEAP_HINT, devId);
if (ret) {
return WC_TEST_RET_ENC_EC(ret);
}
n_diff = XMEMCMP(v->Kout, test_Kout, v->KoutSz);
if (n_diff) {
WOLFSSL_MSG_EX("error: nist_sp800108_cmac: %d", n_diff);
return WC_TEST_RET_ENC_NC;
}
}
/* misc tests */
{
byte dummy_var[WC_AES_BLOCK_SIZE];
XMEMSET(dummy_var, 0, sizeof(dummy_var));
/* test invalid options */
ret = wc_KDA_KDF_PRF_cmac(NULL, 0, NULL, 0, NULL, 0,
(enum CmacType)0, HEAP_HINT, devId);
if (ret != WC_NO_ERR_TRACE(BAD_FUNC_ARG)) {
return WC_TEST_RET_ENC_NC;
}
ret = wc_KDA_KDF_PRF_cmac(dummy_var, 0, dummy_var, 0, dummy_var, 0,
(enum CmacType)0, HEAP_HINT, devId);
if (ret != WC_NO_ERR_TRACE(BAD_FUNC_ARG)) {
return WC_TEST_RET_ENC_NC;
}
ret = wc_KDA_KDF_PRF_cmac(dummy_var, 15, dummy_var, 1, dummy_var, 15,
WC_CMAC_AES, HEAP_HINT, devId);
if (ret != WC_NO_ERR_TRACE(BAD_FUNC_ARG)) {
return WC_TEST_RET_ENC_NC;
}
ret = wc_KDA_KDF_PRF_cmac(dummy_var, 16, NULL, 1, dummy_var, 1,
WC_CMAC_AES, HEAP_HINT, devId);
if (ret != WC_NO_ERR_TRACE(BAD_FUNC_ARG)) {
return WC_TEST_RET_ENC_NC;
}
/* test valid options */
ret = wc_KDA_KDF_PRF_cmac(dummy_var, 16, dummy_var, 1, dummy_var, 1,
WC_CMAC_AES, HEAP_HINT, devId);
if (ret) {
return WC_TEST_RET_ENC_NC;
}
ret = wc_KDA_KDF_PRF_cmac(dummy_var, 16, NULL, 0, dummy_var, 1,
WC_CMAC_AES, HEAP_HINT, devId);
if (ret) {
return WC_TEST_RET_ENC_NC;
}
}
return 0;
}
WOLFSSL_TEST_SUBROUTINE wc_test_ret_t nist_sp80056c_twostep_cmac(void)
{
int ret = 0;
#if !defined(NO_AES_192)
{
/* From CMACGenAES192.rsp
* https://csrc.nist.rip/groups/STM/cavp/block-cipher-modes.html
* Count = 40
* Klen = 24
* Mlen = 32
* Tlen = 16
* produces this intermediate
* K_kdk = {74f74608c04f0f4e47fa640433b6e6fb},
* and this Kout. */
const byte salt[AES_192_KEY_SIZE] =
{0x20, 0x51, 0xaf, 0x34, 0x76, 0x2e, 0xbe, 0x55,
0x6f, 0x72, 0xa5, 0xc6, 0xed, 0xc7, 0x77, 0x1e,
0xb9, 0x24, 0x5f, 0xad, 0x76, 0xf0, 0x34, 0xbe};
const byte z[2 * WC_AES_BLOCK_SIZE] =
{0xae, 0x8e, 0x93, 0xc9, 0xc9, 0x91, 0xcf, 0x89,
0x6a, 0x49, 0x1a, 0x89, 0x07, 0xdf, 0x4e, 0x4b,
0xe5, 0x18, 0x6a, 0xe4, 0x96, 0xcd, 0x34, 0x0d,
0xc1, 0x9b, 0x23, 0x78, 0x21, 0xdb, 0x7b, 0x60};
const byte fixedInfo[60] =
{0xa2, 0x59, 0xca, 0xe2, 0xc4, 0xa3, 0x6b, 0x89,
0x56, 0x3c, 0xb1, 0x48, 0xc7, 0x82, 0x51, 0x34,
0x3b, 0xbf, 0xab, 0xdc, 0x13, 0xca, 0x7a, 0xc2,
0x17, 0x1c, 0x2e, 0xb6, 0x02, 0x1f, 0x44, 0x77,
0xfe, 0xa3, 0x3b, 0x28, 0x72, 0x4d, 0xa7, 0x21,
0xee, 0x08, 0x7b, 0xff, 0xd7, 0x94, 0xa1, 0x56,
0x37, 0x54, 0xb4, 0x25, 0xa8, 0xd0, 0x9b, 0x3e,
0x0d, 0xa5, 0xff, 0xed};
const byte Kout[40] =
{0xb4, 0x0c, 0x32, 0xbe, 0x01, 0x27, 0x93, 0xba,
0xfd, 0xf7, 0x78, 0xc5, 0xf4, 0x54, 0x43, 0xf4,
0xc9, 0x71, 0x23, 0x93, 0x17, 0x63, 0xd8, 0x3a,
0x59, 0x27, 0x07, 0xbf, 0xf2, 0xd3, 0x60, 0x59,
0x50, 0x27, 0x29, 0xca, 0xb8, 0x8b, 0x29, 0x38};
byte test_Kout[40];
int n_diff = 0;
XMEMSET(test_Kout, 0, sizeof(Kout));
ret = wc_KDA_KDF_twostep_cmac(salt, sizeof(salt), z, sizeof(z),
fixedInfo, sizeof(fixedInfo),
test_Kout, sizeof(Kout),
HEAP_HINT, devId);
if (ret) {
return WC_TEST_RET_ENC_NC;
}
n_diff = XMEMCMP(Kout, test_Kout, sizeof(Kout));
if (n_diff) {
WOLFSSL_MSG_EX("error: nist_sp80056c_cmac: %d", n_diff);
return WC_TEST_RET_ENC_NC;
}
}
#endif /* !NO_AES_192 */
{
byte dummy_var[WC_AES_BLOCK_SIZE];
XMEMSET(dummy_var, 0, sizeof(dummy_var));
/* test invalid options */
ret = wc_KDA_KDF_twostep_cmac(NULL, 0, NULL, 0, NULL, 0, NULL, 0,
HEAP_HINT, devId);
if (ret != WC_NO_ERR_TRACE(BAD_FUNC_ARG)) {
return WC_TEST_RET_ENC_NC;
}
ret = wc_KDA_KDF_twostep_cmac(dummy_var, 0, dummy_var, 0,
dummy_var, 0, dummy_var, 0,
HEAP_HINT, devId);
if (ret != WC_NO_ERR_TRACE(BAD_FUNC_ARG)) {
return WC_TEST_RET_ENC_NC;
}
ret = wc_KDA_KDF_twostep_cmac(dummy_var, 15, dummy_var, 1,
dummy_var, 1, dummy_var, 1,
HEAP_HINT, devId);
if (ret != WC_NO_ERR_TRACE(BAD_FUNC_ARG)) {
return WC_TEST_RET_ENC_NC;
}
ret = wc_KDA_KDF_twostep_cmac(dummy_var, 15, dummy_var, 1,
NULL, 1, dummy_var, 1,
HEAP_HINT, devId);
if (ret != WC_NO_ERR_TRACE(BAD_FUNC_ARG)) {
return WC_TEST_RET_ENC_NC;
}
/* test valid options */
ret = wc_KDA_KDF_twostep_cmac(dummy_var, 16, dummy_var, 1,
dummy_var, 1, dummy_var, 1,
HEAP_HINT, devId);
if (ret) {
return WC_TEST_RET_ENC_NC;
}
ret = wc_KDA_KDF_twostep_cmac(dummy_var, 16, dummy_var, 1,
NULL, 0, dummy_var, 1,
HEAP_HINT, devId);
if (ret) {
return WC_TEST_RET_ENC_NC;
}
}
return 0;
}
#endif /* HAVE_CMAC_KDF */
/* optional macro to add sleep between tests */
#ifndef TEST_SLEEP
#define TEST_SLEEP() WC_DO_NOTHING
@@ -1986,6 +2310,17 @@ options: [-s max_relative_stack_bytes] [-m max_relative_heap_memory_bytes]\n\
TEST_PASS("NIST SP 800-56C KDF test passed!\n");
#endif
#if defined(HAVE_CMAC_KDF)
if ( (ret = nist_sp800108_cmac()) != 0)
TEST_FAIL("NIST SP 800-108 KDF test failed!\n", ret);
else
TEST_PASS("NIST SP 800-108 KDF test passed!\n");
if ( (ret = nist_sp80056c_twostep_cmac()) != 0)
TEST_FAIL("NIST SP 800-56C two-step KDF test failed!\n", ret);
else
TEST_PASS("NIST SP 800-56C two-step KDF test passed!\n");
#endif /* HAVE_CMAC_KDF */
#if defined(HAVE_AESGCM) && defined(WOLFSSL_AES_128) && \
!defined(WOLFSSL_AFALG_XILINX_AES) && !defined(WOLFSSL_XILINX_CRYPT) && \
!defined(WOLFSSL_RENESAS_FSPSM_CRYPTONLY)
@@ -14567,7 +14902,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t aes_cbc_test(void)
#endif /* WOLFSSL_AES_128 */
#if defined(WOLFSSL_AESNI) && defined(HAVE_AES_DECRYPT) && \
defined(WOLFSSL_AES_256)
defined(WOLFSSL_AES_192) && defined(WOLFSSL_AES_256)
{
WOLFSSL_SMALL_STACK_STATIC const byte bigMsg[] = {
/* "All work and no play makes Jack a dull boy. " */
@@ -14748,7 +15083,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t aes_cbc_test(void)
if (ret != 0)
goto out;
}
#endif /* WOLFSSL_AESNI && HAVE_AES_DECRYPT && WOLFSSL_AES_256 */
#endif /* WOLFSSL_AESNI && HAVE_AES_DECRYPT && WOLFSSL_AES_192 && WOLFSSL_AES_256 */
/* Test of AES IV state with encrypt/decrypt */
#if defined(WOLFSSL_AES_128) && !defined(HAVE_RENESAS_SYNC)
@@ -61027,28 +61362,40 @@ static int myCryptoDevCb(int devIdArg, wc_CryptoInfo* info, void* ctx)
info->cmac.cmac->devId = devIdArg;
}
#endif /* WOLFSSL_CMAC && !(NO_AES) && WOLFSSL_AES_DIRECT */
#if defined(HAVE_HKDF) && !defined(NO_HMAC)
else if (info->algo_type == WC_ALGO_TYPE_KDF) {
#if defined(HAVE_HKDF) && !defined(NO_HMAC)
if (info->kdf.type == WC_KDF_TYPE_HKDF) {
/* Redirect to software implementation for testing */
#if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || FIPS_VERSION_GE(7,0))
#if !defined(HAVE_SELFTEST) && \
(!defined(HAVE_FIPS) || FIPS_VERSION_GE(7,0))
ret = wc_HKDF_ex(info->kdf.hkdf.hashType,
info->kdf.hkdf.inKey, info->kdf.hkdf.inKeySz,
info->kdf.hkdf.salt, info->kdf.hkdf.saltSz,
info->kdf.hkdf.info, info->kdf.hkdf.infoSz,
info->kdf.hkdf.out, info->kdf.hkdf.outSz,
NULL, INVALID_DEVID);
#else
#else
ret = wc_HKDF(info->kdf.hkdf.hashType,
info->kdf.hkdf.inKey, info->kdf.hkdf.inKeySz,
info->kdf.hkdf.salt, info->kdf.hkdf.saltSz,
info->kdf.hkdf.info, info->kdf.hkdf.infoSz,
info->kdf.hkdf.out, info->kdf.hkdf.outSz);
#endif
#endif
}
#endif /* HAVE_HKDF && !NO_HMAC */
#if defined(HAVE_CMAC_KDF)
if (info->kdf.type == WC_KDF_TYPE_TWOSTEP_CMAC) {
/* Redirect to software implementation for testing */
ret = wc_KDA_KDF_twostep_cmac(
info->kdf.twostep_cmac.salt, info->kdf.twostep_cmac.saltSz,
info->kdf.twostep_cmac.z, info->kdf.twostep_cmac.zSz,
info->kdf.twostep_cmac.fixedInfo, info->kdf.twostep_cmac.fixedInfoSz,
info->kdf.twostep_cmac.out, info->kdf.twostep_cmac.outSz,
NULL, INVALID_DEVID);
}
#endif /* HAVE_CMAC_KDF */
}
#endif /* HAVE_HKDF && !NO_HMAC */
(void)devIdArg;
(void)myCtx;
@@ -61204,6 +61551,10 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t cryptocb_test(void)
if (ret == 0)
ret = hkdf_test();
#endif
#if defined(HAVE_CMAC_KDF)
if (ret == 0)
ret = nist_sp80056c_twostep_cmac();
#endif /* HAVE_CMAC_KDF */
#ifndef NO_PWDBASED
#if defined(HAVE_PBKDF2) && !defined(NO_SHA256) && !defined(NO_HMAC)
PRIVATE_KEY_UNLOCK();
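Review bot: The fourth invalid-argument case in nist_sp80056c_twostep_cmac, `wc_KDA_KDF_twostep_cmac(dummy_var, 15, dummy_var, 1, NULL, 1, ...)`, never reaches the NULL-fixedInfo check it appears to target, because a salt length of 15 is already rejected by the salt_len switch in kdf.c. Both failures return BAD_FUNC_ARG, so the test would still pass if the `fixedInfoSz > 0 && fixedInfo == NULL` guard were removed. Use a valid salt length in that call, `ret = wc_KDA_KDF_twostep_cmac(dummy_var, 16, dummy_var, 1,`, as the matching case in nist_sp800108_cmac already does with a 16-byte Kin.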


@@ -468,12 +468,13 @@ typedef struct wc_CryptoInfo {
void *ctx;
} cmd;
#endif
#ifdef HAVE_HKDF
#if defined(HAVE_HKDF) || defined(HAVE_CMAC_KDF)
struct {
int type; /* enum wc_KdfType */
#ifdef HAVE_ANONYMOUS_INLINE_AGGREGATES
#ifdef HAVE_ANONYMOUS_INLINE_AGGREGATES
union {
#endif
#endif
#ifdef HAVE_HKDF
struct { /* HKDF one-shot */
int hashType; /* WC_SHA256, etc. */
const byte* inKey; /* Input keying material */
@@ -485,12 +486,25 @@ typedef struct wc_CryptoInfo {
byte* out; /* Output key material */
word32 outSz;
} hkdf;
#endif
#if defined(HAVE_CMAC_KDF)
struct { /* NIST.SP.800-56Cr2 two-step cmac KDF */
const byte* salt; /* Input keying material for cmac. */
word32 saltSz;
const byte* z; /* The input shared secret to cmac. */
word32 zSz;
const byte* fixedInfo; /* The fixed information for kdf.*/
word32 fixedInfoSz;
byte* out; /* Output key material */
word32 outSz; /* Desired size of out key material. */
} twostep_cmac;
#endif /* HAVE_CMAC_KDf */
/* Future KDF type structures here */
#ifdef HAVE_ANONYMOUS_INLINE_AGGREGATES
#ifdef HAVE_ANONYMOUS_INLINE_AGGREGATES
};
#endif
#endif
} kdf;
#endif
#endif /* HAVE_HKDF || HAVE_CMAC_KDF */
#ifdef HAVE_ANONYMOUS_INLINE_AGGREGATES
};
#endif
@@ -697,6 +711,15 @@ WOLFSSL_LOCAL int wc_CryptoCb_Hkdf(int hashType, const byte* inKey,
int devId);
#endif
#if defined(HAVE_CMAC_KDF)
WOLFSSL_LOCAL int wc_CryptoCb_Kdf_TwostepCmac(const byte * salt, word32 saltSz,
const byte* z, word32 zSz,
const byte* fixedInfo,
word32 fixedInfoSz,
byte* output, word32 outputSz,
int devId);
#endif /* HAVE_CMAC_KDF */
#ifndef WC_NO_RNG
WOLFSSL_LOCAL int wc_CryptoCb_RandomBlock(WC_RNG* rng, byte* out, word32 sz);
WOLFSSL_LOCAL int wc_CryptoCb_RandomSeed(OS_Seed* os, byte* seed, word32 sz);


@@ -35,6 +35,10 @@
#include <wolfssl/wolfcrypt/hmac.h>
#ifdef HAVE_CMAC_KDF
#include <wolfssl/wolfcrypt/cmac.h>
#endif /* HAVE_CMAC_KDF */
#ifdef __cplusplus
extern "C" {
#endif
@@ -171,6 +175,20 @@ WOLFSSL_API int wc_KDA_KDF_onestep(const byte* z, word32 zSz,
const byte* fixedInfo, word32 fixedInfoSz, word32 derivedSecretSz,
enum wc_HashType hashType, byte* output, word32 outputSz);
#endif
#ifdef HAVE_CMAC_KDF
WOLFSSL_API int wc_KDA_KDF_twostep_cmac(const byte * salt, word32 salt_len,
const byte* z, word32 zSz,
const byte* fixedInfo,
word32 fixedInfoSz,
byte* output, word32 outputSz,
void* heap, int devId);
WOLFSSL_API int wc_KDA_KDF_PRF_cmac(const byte* Kin, word32 KinSz,
const byte* fixedInfo, word32 fixedInfoSz,
byte* Kout, word32 KoutSz, CmacType type,
void* heap, int devId);
#endif /* HAVE_CMAC_KDF */
#ifdef __cplusplus
} /* extern "C" */
#endif


@@ -3260,7 +3260,23 @@ extern void uITRON4_free(void *p) ;
#error "AES CTS requires AES CBC"
#endif
#endif
#endif
#endif /* !NO_AES */
/* cmac kdf */
#if defined(HAVE_CMAC_KDF)
#if defined(NO_AES)
#error HAVE_CMAC_KDF and NO_AES are incompatible
#endif
/* SP 800-56C cmac kdf two-step requires AES-128-cmac for expand step. */
#if defined(NO_AES_128)
#error HAVE_CMAC_KDF and NO_AES_128 are incompatible
#endif
#if !defined(WOLFSSL_CMAC)
#define WOLFSSL_CMAC
#endif
#endif /* HAVE_CMAC_KDF*/
#if (defined(WOLFSSL_TLS13) && defined(WOLFSSL_NO_TLS12)) || \
(!defined(HAVE_AES_CBC) && defined(NO_DES3) && defined(NO_RC4) && \
@@ -3481,7 +3497,6 @@ extern void uITRON4_free(void *p) ;
#define HAVE_PBKDF2
#endif
#if !defined(WOLFCRYPT_ONLY) && !defined(NO_OLD_TLS) && \
(defined(NO_SHA) || defined(NO_MD5))
#error old TLS requires MD5 and SHA
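Review bot: The new HAVE_CMAC_KDF block rejects NO_AES and NO_AES_128 but not NO_KDF, while the implementation in kdf.c sits inside that file's NO_KDF guard (its closing `#endif /* NO_KDF */` follows the HAVE_CMAC_KDF block). configure.ac enforces --enable-kdf, but a user_settings.h build that defines both macros would, as far as this page shows, only fail later at compile or link time instead of with a clear message. Add the same kind of check here: `#if defined(NO_KDF)` / `#error HAVE_CMAC_KDF and NO_KDF are incompatible` / `#endif`.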


@@ -1316,8 +1316,9 @@ enum wc_AlgoType {
/* KDF types */
enum wc_KdfType {
WC_KDF_TYPE_NONE = 0,
WC_KDF_TYPE_HKDF = 1
/* Future: WC_KDF_TYPE_PBKDF2 = 2, WC_KDF_TYPE_SCRYPT = 3, etc. */
WC_KDF_TYPE_HKDF = 1,
WC_KDF_TYPE_TWOSTEP_CMAC = 2 /* NIST SP 800-56C two-step cmac kdf. */
/* Future: WC_KDF_TYPE_PBKDF2 = 3, WC_KDF_TYPE_SCRYPT = 4, etc. */
};
/* hash types */