diff --git a/.wolfssl_known_macro_extras b/.wolfssl_known_macro_extras index 8cf753ae5..ca514a928 100644 --- a/.wolfssl_known_macro_extras +++ b/.wolfssl_known_macro_extras @@ -606,7 +606,6 @@ WC_DISABLE_RADIX_ZERO_PAD WC_ECC_NONBLOCK_ONLY WC_FLAG_DONT_USE_AESNI WC_FORCE_LINUXKM_FORTIFY_SOURCE -WC_KDF_NIST_SP_800_56C WC_LMS_FULL_HASH WC_NO_RNG_SIMPLE WC_NO_STATIC_ASSERT diff --git a/configure.ac b/configure.ac index ea74b1317..2c026c91d 100644 --- a/configure.ac +++ b/configure.ac @@ -1334,6 +1334,7 @@ then test "$enable_eccencrypt" = "" && test "$enable_ecc" != "no" && enable_eccencrypt=yes test "$enable_psk" = "" && enable_psk=yes test "$enable_cmac" = "" && enable_cmac=yes + test "$enable_cmac_kdf" = "" && enable_cmac_kdf=yes test "$enable_siphash" = "" && enable_siphash=yes test "$enable_ocsp" = "" && enable_ocsp=yes test "$enable_ocspstapling" = "" && test "$enable_ocsp" != "no" && enable_ocspstapling=yes @@ -1441,6 +1442,9 @@ then # Store issuer name components when parsing certificates. AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAVE_ISSUER_NAMES" + + # Enable onestep KDF from NIST SP 800 56c option 1. + AM_CFLAGS="$AM_CFLAGS -DWC_KDF_NIST_SP_800_56C" fi # wolfGuard @@ -5600,6 +5604,20 @@ AC_ARG_ENABLE([siphash], AS_IF([test "x$ENABLED_SIPHASH" = "xyes"], [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SIPHASH"]) +AC_ARG_ENABLE([cmac-kdf], + [AS_HELP_STRING([--enable-cmac-kdf],[Enables cmac-kdf support (default: disabled)])], + [ ENABLED_CMAC_KDF=$enableval ], + [ ENABLED_CMAC_KDF=no ] + ) + +if test "$ENABLED_CMAC_KDF" = "yes" +then + if test "$ENABLED_KDF" != "yes" + then + AC_MSG_ERROR([enable-cmac-kdf requires --enable-kdf]) + fi + AM_CFLAGS="$AM_CFLAGS -DHAVE_CMAC_KDF" +fi # CMAC AC_ARG_ENABLE([cmac], 
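Review bot: The new default `test "$enable_cmac_kdf" = "" && enable_cmac_kdf=yes` in the first configure.ac hunk has no dependency guard, unlike the `enable_eccencrypt` and `enable_ocspstapling` lines next to it. The third hunk turns an enabled cmac-kdf without KDF into `AC_MSG_ERROR`, so a build that reaches this block with `--disable-kdf` would presumably stop instead of leaving the feature off. Consider `test "$enable_cmac_kdf" = "" && test "$enable_kdf" != "no" && enable_cmac_kdf=yes`. The block's opening condition is outside the hunk, so which configure option triggers it cannot be confirmed here.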
@@ -5608,7 +5626,7 @@ AC_ARG_ENABLE([cmac], [ ENABLED_CMAC=no ] ) -if test "$ENABLED_WPAS" != "no" || test "$ENABLED_NTP" = "yes" || test "$ENABLED_AESSIV" = "yes" || test "$ENABLED_WOLFENGINE" = "yes" || test "$ENABLED_AESEAX" = "yes" +if test "$ENABLED_WPAS" != "no" || test "$ENABLED_NTP" = "yes" || test "$ENABLED_AESSIV" = "yes" || test "$ENABLED_WOLFENGINE" = "yes" || test "$ENABLED_AESEAX" = "yes" || test "$ENABLED_CMAC_KDF" = "yes" then ENABLED_CMAC=yes fi diff --git a/tests/api/test_aes.c b/tests/api/test_aes.c index ec1a909e0..fdfeadcfb 100644 --- a/tests/api/test_aes.c +++ b/tests/api/test_aes.c @@ -2753,8 +2753,11 @@ int test_wc_AesEaxEncryptAuth(void) /* Test bad key lengths */ for (i = 0; i <= 32; i++) { int exp_ret; - if (i == AES_128_KEY_SIZE || i == AES_192_KEY_SIZE - || i == AES_256_KEY_SIZE) { + if (i == AES_128_KEY_SIZE + #if defined(WOLFSSL_AES_192) + || i == AES_192_KEY_SIZE + #endif /* WOLFSSL_AES_192 */ + || i == AES_256_KEY_SIZE) { exp_ret = 0; } else { @@ -2865,8 +2868,11 @@ int test_wc_AesEaxDecryptAuth(void) /* Test bad key lengths */ for (i = 0; i <= 32; i++) { int exp_ret; - if (i == AES_128_KEY_SIZE || i == AES_192_KEY_SIZE - || i == AES_256_KEY_SIZE) { + if (i == AES_128_KEY_SIZE + #if defined(WOLFSSL_AES_192) + || i == AES_192_KEY_SIZE + #endif /* WOLFSSL_AES_192 */ + || i == AES_256_KEY_SIZE) { exp_ret = WC_NO_ERR_TRACE(AES_EAX_AUTH_E); } else { @@ -2896,7 +2902,7 @@ int test_wc_AesEaxDecryptAuth(void) return EXPECT_RESULT(); } /* END test_wc_AesEaxDecryptAuth() */ -#endif /* WOLFSSL_AES_EAX && +#endif /* WOLFSSL_AES_EAX && WOLFSSL_AES_256 * (!HAVE_FIPS || FIPS_VERSION_GE(5, 3)) && !HAVE_SELFTEST */ diff --git a/tests/api/test_aes.h b/tests/api/test_aes.h index 3d3f8fd45..c99513a2e 100644 --- a/tests/api/test_aes.h +++ b/tests/api/test_aes.h 
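Review bot: In both key-length loops (test_wc_AesEaxEncryptAuth and test_wc_AesEaxDecryptAuth) only the `AES_192_KEY_SIZE` comparison is made conditional, while `i == AES_128_KEY_SIZE` stays unconditional. If the enclosing guard does not also require WOLFSSL_AES_128 (the updated closing comment names only WOLFSSL_AES_EAX and WOLFSSL_AES_256), a build without 128-bit keys would expect success for a 16-byte key and fail the test. The opening `#if` is outside these hunks, so this needs checking against it. If 128-bit support is optional there, the first comparison wants the same `#if defined(WOLFSSL_AES_128)` treatment.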
@@ -40,7 +40,7 @@ int test_wc_AesCcmEncryptDecrypt(void); int test_wc_AesEaxVectors(void); int test_wc_AesEaxEncryptAuth(void); int test_wc_AesEaxDecryptAuth(void); -#endif /* WOLFSSL_AES_EAX */ +#endif /* WOLFSSL_AES_EAX && WOLFSSL_AES_256*/ int test_wc_GmacSetKey(void); int test_wc_GmacUpdate(void); diff --git a/wolfcrypt/src/cryptocb.c b/wolfcrypt/src/cryptocb.c index 1a2961e4b..15f86be5e 100644 --- a/wolfcrypt/src/cryptocb.c +++ b/wolfcrypt/src/cryptocb.c @@ -174,12 +174,14 @@ static const char* GetCryptoCbCmdTypeStr(int type) } #endif -#if defined(HAVE_HKDF) && !defined(NO_HMAC) +#if (defined(HAVE_HKDF) && !defined(NO_HMAC)) || defined(HAVE_CMAC_KDF) static const char* GetKdfTypeStr(int type) { switch (type) { case WC_KDF_TYPE_HKDF: return "HKDF"; + case WC_KDF_TYPE_TWOSTEP_CMAC: + return "TWOSTEP_CMAC"; } return NULL; } @@ -251,7 +253,8 @@ void wc_CryptoCb_InfoString(wc_CryptoInfo* info) GetCryptoCbCmdTypeStr(info->cmd.type), info->cmd.type); } #endif -#if defined(HAVE_HKDF) && !defined(NO_HMAC) +#if (defined(HAVE_HKDF) && !defined(NO_HMAC)) || \ + defined(HAVE_CMAC_KDF) else if (info->algo_type == WC_ALGO_TYPE_KDF) { printf("Crypto CB: %s %s (%d)\n", GetAlgoTypeStr(info->algo_type), GetKdfTypeStr(info->kdf.type), info->kdf.type); 
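Review bot: `GetKdfTypeStr` still falls through to `return NULL;` for any type it does not list, and the `printf` in the following cryptocb.c hunk passes its result straight to a `%s` conversion. A null pointer there is undefined behaviour, and with the widened guard this debug path is now also built for configurations that enable only HAVE_CMAC_KDF. Returning a fixed string such as `return "Unknown";`, or checking the result before printing, would keep the logging helper safe for unexpected `info->kdf.type` values.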
@@ -2025,4 +2028,42 @@ int wc_CryptoCb_Hkdf(int hashType, const byte* inKey, word32 inKeySz, } #endif /* HAVE_HKDF && !NO_HMAC */ + +#if defined(HAVE_CMAC_KDF) +/* Crypto callback for NIST SP 800 56C two-step CMAC KDF. See software + * implementation in wc_KDA_KDF_twostep_cmac for more comments. + * */ +int wc_CryptoCb_Kdf_TwostepCmac(const byte * salt, word32 saltSz, + const byte* z, word32 zSz, + const byte* fixedInfo, word32 fixedInfoSz, + byte* output, word32 outputSz, int devId) +{ + int ret = WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE); + CryptoCb* dev; + + /* Find registered callback device */ + dev = wc_CryptoCb_FindDevice(devId, WC_ALGO_TYPE_KDF); + + if (dev && dev->cb) { + wc_CryptoInfo cryptoInfo; + XMEMSET(&cryptoInfo, 0, sizeof(cryptoInfo)); + + cryptoInfo.algo_type = WC_ALGO_TYPE_KDF; + cryptoInfo.kdf.type = WC_KDF_TYPE_TWOSTEP_CMAC; + cryptoInfo.kdf.twostep_cmac.salt = salt; + cryptoInfo.kdf.twostep_cmac.saltSz = saltSz; + cryptoInfo.kdf.twostep_cmac.z = z; + cryptoInfo.kdf.twostep_cmac.zSz = zSz; + cryptoInfo.kdf.twostep_cmac.fixedInfo = fixedInfo; + cryptoInfo.kdf.twostep_cmac.fixedInfoSz = fixedInfoSz; + cryptoInfo.kdf.twostep_cmac.out = output; + cryptoInfo.kdf.twostep_cmac.outSz = outputSz; + + ret = dev->cb(dev->devId, &cryptoInfo, dev->ctx); + } + + return wc_CryptoCb_TranslateErrorCode(ret); +} +#endif /* HAVE_CMAC_KDF */ + #endif /* WOLF_CRYPTO_CB */ diff --git a/wolfcrypt/src/kdf.c b/wolfcrypt/src/kdf.c index 4568bdb21..5fc92604b 100644 --- a/wolfcrypt/src/kdf.c +++ b/wolfcrypt/src/kdf.c @@ -43,8 +43,11 @@ #include #include -#ifdef WC_SRTP_KDF -#include +#if defined(WC_SRTP_KDF) || defined(HAVE_CMAC_KDF) + #include +#endif +#ifdef WOLF_CRYPTO_CB + #include #endif #if FIPS_VERSION3_GE(6,0,0) @@ -299,7 +302,6 @@ int wc_PRF_TLS(byte* digest, word32 digLen, const byte* secret, word32 secLen, WOLFSSL_BUFFER(seed, seedLen); #endif - if (useAtLeastSha256) { WC_DECLARE_VAR(labelSeed, byte, MAX_PRF_LABSEED, 0); 
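Review bot: When the device callback fails after it has started writing, `wc_CryptoCb_Kdf_TwostepCmac` returns the translated error and leaves whatever the callback put in `output`. Its caller, wc_KDA_KDF_twostep_cmac in the kdf.c hunk, returns any result other than CRYPTOCB_UNAVAILABLE directly. The software path added in the same commit wipes the output on failure (`ForceZero(Kout, KoutSz)`), so the two paths differ in what a failed derivation leaves behind. Consider clearing the buffer in the caller before that early return, e.g. `if (ret != 0) ForceZero(output, outputSz);`, so partial key material from a device never survives an error.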
@@ -1351,7 +1353,7 @@ static int wc_KDA_KDF_iteration(const byte* z, word32 zSz, word32 counter, /** * \brief Performs the single-step key derivation function (KDF) as specified in - * SP800-56C option 1. + * SP800-56C option 1. This implementation uses a 32 bit counter. * * \param [in] z The input keying material. * \param [in] zSz The size of the input keying material. @@ -1390,19 +1392,19 @@ int wc_KDA_KDF_onestep(const byte* z, word32 zSz, const byte* fixedInfo, * depends on the HASH algo. The smaller value in the table is (2**64-1)/8. * This is larger than the possible length using word32 integers. */ - counter = 1; + counter = 1; /* init counter to 1, from SP800-56C section 4.1 */ outIdx = 0; ret = 0; /* According to SP800_56C the number of iterations shall not be greater than * 2**32-1. This is not possible using word32 integers.*/ - while (outIdx + hashOutSz <= derivedSecretSz) { + while (outIdx + (word32) hashOutSz <= derivedSecretSz) { ret = wc_KDA_KDF_iteration(z, zSz, counter, fixedInfo, fixedInfoSz, hashType, output + outIdx); if (ret != 0) break; counter++; - outIdx += hashOutSz; + outIdx += (word32) hashOutSz; } if (ret == 0 && outIdx < derivedSecretSz) { @@ -1411,7 +1413,7 @@ int wc_KDA_KDF_onestep(const byte* z, word32 zSz, const byte* fixedInfo, if (ret == 0) { XMEMCPY(output + outIdx, hashTempBuf, derivedSecretSz - outIdx); } - ForceZero(hashTempBuf, hashOutSz); + ForceZero(hashTempBuf, (word32) hashOutSz); } if (ret != 0) { 
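Review bot: The loop condition `outIdx + (word32) hashOutSz <= derivedSecretSz` in wc_KDA_KDF_onestep is evaluated in 32-bit unsigned arithmetic, so for a `derivedSecretSz` within one digest length of the word32 maximum the sum wraps and the loop keeps writing whole blocks. The cast added here silences the sign-conversion warning but keeps that form. The subtraction form `derivedSecretSz - outIdx >= (word32) hashOutSz` cannot wrap, because with it `outIdx` never exceeds `derivedSecretSz`. Any check that `hashOutSz` is positive or that `derivedSecretSz` fits `outputSz` would be outside this hunk.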
@@ -1422,4 +1424,279 @@ int wc_KDA_KDF_onestep(const byte* z, word32 zSz, const byte* fixedInfo, } #endif /* WC_KDF_NIST_SP_800_56C */ +#ifdef HAVE_CMAC_KDF +/** + * \brief Performs the two-step cmac key derivation function (KDF) as + * specified in SP800-56C, section 5.1, in counter mode. + * + * Z fixedInfo + * ____|_________________________________|___________ + * | | | | + * | ________________ ___________ | + * salt--|-> | Randomness | | Key | | + * | | Extract | --Key_kdk--> | Expansion | -|-output--> + * | ---------------- ----------- | + * -------------------------------------------------- + * + * \param [in] salt The input keying material for cmac. + * \param [in] salt_len The size of the input keying material. + * \param [in] z The input shared secret (message to cmac). + * \param [in] zSz The size of the input shared secret. + * \param [in] fixedInfo The fixed information in the KDF. + * \param [in] fixedInfoSz The size of the fixed information. + * \param [out] output The buffer to store the derived secret. + * \param [in] outputSz The desired size of the output secret. + * \param [in] heap The heap hint. + * \param [in] devId The device id. + * + * \return 0 if the KDF operation is successful. + * \return BAD_FUNC_ARG if the input parameters are invalid. + * \return negative error code if the KDF operation fails. + */ +int wc_KDA_KDF_twostep_cmac(const byte * salt, word32 salt_len, + const byte* z, word32 zSz, + const byte* fixedInfo, word32 fixedInfoSz, + byte* output, word32 outputSz, + void * heap, int devId) +{ + byte Key_kdk[WC_AES_BLOCK_SIZE]; /* key derivation key*/ + word32 kdk_len = sizeof(Key_kdk); + word32 tag_len = WC_AES_BLOCK_SIZE; + #ifdef WOLFSSL_SMALL_STACK + Cmac * cmac = NULL; + #else + Cmac cmac[1]; + #endif /* WOLFSSL_SMALL_STACK */ + int ret = 0; + + /* screen out bad args. 
*/ + switch (salt_len) { + case AES_128_KEY_SIZE: + case AES_192_KEY_SIZE: + case AES_256_KEY_SIZE: + break; /* salt ok */ + default: + WOLFSSL_MSG_EX("KDF twostep cmac: bad salt len: %d", salt_len); + return BAD_FUNC_ARG; + } + + if (zSz == 0 || outputSz == 0) { + return BAD_FUNC_ARG; + } + + if (fixedInfoSz > 0 && fixedInfo == NULL) { + return BAD_FUNC_ARG; + } + + if (salt == NULL || z == NULL || output == NULL) { + return BAD_FUNC_ARG; + } + + #ifdef WOLF_CRYPTO_CB + /* Try crypto callback first for complete operation */ + if (devId != INVALID_DEVID) { + ret = wc_CryptoCb_Kdf_TwostepCmac(salt, salt_len, z, zSz, + fixedInfo, fixedInfoSz, + output, outputSz, devId); + if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) { + return ret; + } + /* fall-through when unavailable */ + } + #endif + + XMEMSET(Key_kdk, 0, kdk_len); + + #ifdef WOLFSSL_SMALL_STACK + cmac = (Cmac*)XMALLOC(sizeof(Cmac), heap, DYNAMIC_TYPE_CMAC); + if (cmac == NULL) { + return MEMORY_E; + } + #endif + + /* step 1: cmac extract */ + ret = wc_AesCmacGenerate_ex(cmac, Key_kdk, &tag_len, z, zSz, salt, salt_len, + heap, devId); + + if (ret == 0) { + if (tag_len != WC_AES_BLOCK_SIZE) { + WOLFSSL_MSG_EX("KDF twostep cmac: got %d, expected %d\n", + tag_len, WC_AES_BLOCK_SIZE); + ret = BUFFER_E; + } + } + + #ifdef WOLFSSL_SMALL_STACK + if (cmac) { + XFREE(cmac, heap, DYNAMIC_TYPE_CMAC); + cmac = NULL; + } + #endif /* WOLFSSL_SMALL_STACK */ + + /* step 2: cmac expand with SP 800-108 PRF. + * If AES-128-CMAC, AES-192-CMAC, or AES-256-CMAC is used in the + * randomness extraction step, then only AES-128-CMAC is used in the + * key-expansion step.*/ + if (ret == 0) { + ret = wc_KDA_KDF_PRF_cmac(Key_kdk, kdk_len, fixedInfo, fixedInfoSz, + output, outputSz, WC_CMAC_AES, + heap, devId); + } + + /* always force zero the intermediate key derivation key. */ + ForceZero(Key_kdk, sizeof(Key_kdk)); + + return ret; +} + +/** + * \brief Performs the KDF PRF as specified in SP800-108r1. 
+ * At the moment, only AES-CMAC counter mode (section 4.1) is + * implemented. This implementation uses a 32 bit counter. + * + * \param [in] Kin The input keying material. + * \param [in] KinSz The size of the input keying material. + * \param [in] fixedInfo The fixed information to be included in the KDF. + * \param [in] fixedInfo Sz The size of the fixed information. + * \param [out] Kout The output keying material. + * \param [in] KoutSz The desired size of the output key. + * \param [in] type The type of cmac. + * \param [in] heap The heap hint. + * \param [in] devId The device id. + * + * \return 0 if the KDF operation is successful. + * \return BAD_FUNC_ARG if the input parameters are invalid. + * \return negative error code if the KDF operation fails. + */ +int wc_KDA_KDF_PRF_cmac(const byte* Kin, word32 KinSz, + const byte* fixedInfo, word32 fixedInfoSz, + byte* Kout, word32 KoutSz, CmacType type, + void * heap, int devId) +{ + word32 len_rem = KoutSz; + word32 tag_len = WC_AES_BLOCK_SIZE; + word32 counter = 1; /* init counter to 1, from SP800-108r1 section 4.1 */ + #ifdef WOLFSSL_SMALL_STACK + Cmac * cmac = NULL; + #else + Cmac cmac[1]; + #endif /* WOLFSSL_SMALL_STACK */ + byte counterBuf[4]; + int ret = 0; + + /* screen out bad args. */ + if (Kin == NULL || Kout == NULL) { + return BAD_FUNC_ARG; + } + + if (fixedInfoSz > 0 && fixedInfo == NULL) { + return BAD_FUNC_ARG; + } + + if (KoutSz == 0) { + return BAD_FUNC_ARG; + } + + /* Only AES-CMAC PRF supported at this time. 
*/ + if (type != WC_CMAC_AES) { + return BAD_FUNC_ARG; + } + + #ifdef WOLFSSL_SMALL_STACK + cmac = (Cmac*)XMALLOC(sizeof(Cmac), heap, DYNAMIC_TYPE_CMAC); + if (cmac == NULL) { + return MEMORY_E; + } + #endif + + while (ret == 0 && len_rem >= WC_AES_BLOCK_SIZE) { + /* cmac in place in block size increments */ + c32toa(counter, counterBuf); + #ifdef WOLFSSL_DEBUG_KDF + WOLFSSL_MSG_EX("wc_KDA_KDF_PRF_cmac: in place: " + "len_rem = %d, i = %d", len_rem, counter); + #endif /* WOLFSSL_DEBUG_KDF */ + + ret = wc_InitCmac_ex(cmac, Kin, KinSz, WC_CMAC_AES, NULL, heap, devId); + + if (ret == 0) { + ret = wc_CmacUpdate(cmac, counterBuf, sizeof(counterBuf)); + } + + if (ret == 0 && fixedInfoSz > 0) { + ret = wc_CmacUpdate(cmac, fixedInfo, fixedInfoSz); + } + + if (ret == 0) { + ret = wc_CmacFinalNoFree(cmac, &Kout[KoutSz - len_rem], &tag_len); + + if (tag_len != WC_AES_BLOCK_SIZE) { + WOLFSSL_MSG_EX("wc_KDA_KDF_PRF_cmac: got %d, expected %d\n", + tag_len, WC_AES_BLOCK_SIZE); + ret = BUFFER_E; + } + } + + (void)wc_CmacFree(cmac); + + if (ret != 0) { break; } + + len_rem -= WC_AES_BLOCK_SIZE; + ++counter; + } + + if (ret == 0 && len_rem) { + /* cmac the last little bit that wouldn't fit in a block size. 
*/ + byte rem[WC_AES_BLOCK_SIZE]; + XMEMSET(rem, 0, sizeof(rem)); + c32toa(counter, counterBuf); + + #ifdef WOLFSSL_DEBUG_KDF + WOLFSSL_MSG_EX("wc_KDA_KDF_PRF_cmac: last little bit: " + "len_rem = %d, i = %d", len_rem, counter); + #endif /* WOLFSSL_DEBUG_KDF */ + + ret = wc_InitCmac_ex(cmac, Kin, KinSz, WC_CMAC_AES, NULL, heap, devId); + + if (ret == 0) { + ret = wc_CmacUpdate(cmac, counterBuf, sizeof(counterBuf)); + } + + if (ret == 0 && fixedInfoSz > 0) { + ret = wc_CmacUpdate(cmac, fixedInfo, fixedInfoSz); + } + + if (ret == 0) { + ret = wc_CmacFinalNoFree(cmac, rem, &tag_len); + + if (tag_len != WC_AES_BLOCK_SIZE) { + WOLFSSL_MSG_EX("wc_KDA_KDF_PRF_cmac: got %d, expected %d\n", + tag_len, WC_AES_BLOCK_SIZE); + ret = BUFFER_E; + } + } + + if (ret == 0) { + XMEMCPY(&Kout[KoutSz - len_rem], rem, len_rem); + } + + ForceZero(rem, sizeof(rem)); + (void)wc_CmacFree(cmac); + } + + #ifdef WOLFSSL_SMALL_STACK + if (cmac) { + XFREE(cmac, heap, DYNAMIC_TYPE_CMAC); + cmac = NULL; + } + #endif /* WOLFSSL_SMALL_STACK */ + + if (ret != 0) { + ForceZero(Kout, KoutSz); + } + + return ret; +} +#endif /* HAVE_CMAC_KDF */ + #endif /* NO_KDF */ diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index a44310c45..6cc5dae7c 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -632,6 +632,14 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t hpke_test(void); #ifdef WC_SRTP_KDF WOLFSSL_TEST_SUBROUTINE wc_test_ret_t srtpkdf_test(void); #endif + +#ifdef WC_KDF_NIST_SP_800_56C +WOLFSSL_TEST_SUBROUTINE wc_test_ret_t nist_sp80056c_kdf_test(void); +#endif +#ifdef HAVE_CMAC_KDF +WOLFSSL_TEST_SUBROUTINE wc_test_ret_t nist_sp800108_cmac(void); +WOLFSSL_TEST_SUBROUTINE wc_test_ret_t nist_sp80056c_twostep_cmac(void); +#endif WOLFSSL_TEST_SUBROUTINE wc_test_ret_t arc4_test(void); #ifdef WC_RC2 WOLFSSL_TEST_SUBROUTINE wc_test_ret_t rc2_test(void); 
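Review bot: In wc_KDA_KDF_PRF_cmac, `(void)wc_CmacFree(cmac);` runs in both the block loop and the tail branch even when `wc_InitCmac_ex` has just failed, and at that point `cmac` is either an uninitialised stack array or fresh XMALLOC memory. Whether that is safe depends on how far wc_InitCmac_ex gets before it returns, which this hunk does not show. The new test case with KinSz 15, which expects BAD_FUNC_ARG, appears to take exactly this path through the tail branch. Zeroing the object once after allocation, `XMEMSET(cmac, 0, sizeof(Cmac));`, would make the free well-defined regardless of where initialisation stops.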
@@ -1138,15 +1146,15 @@ static int rng_crypto_cb(int thisDevId, wc_CryptoInfo* info, void* ctx) #if defined(WC_KDF_NIST_SP_800_56C) #define INIT_SP80056C_TEST_VECTOR(_z, _fixedInfo, _derivedKey, _hashType) \ { \ - .z = (const byte*)_z, .zSz = sizeof(_z) - 1, \ - .fixedInfo = (const byte*)_fixedInfo, \ + .z = (const byte*)(_z), .zSz = sizeof(_z) - 1, \ + .fixedInfo = (const byte*)(_fixedInfo), \ .fixedInfoSz = sizeof(_fixedInfo) - 1, \ - .derivedKey = (const byte*)_derivedKey, \ - .derivedKeySz = sizeof(_derivedKey) - 1, .hashType = _hashType, \ + .derivedKey = (const byte*)(_derivedKey), \ + .derivedKeySz = sizeof(_derivedKey) - 1, .hashType = (_hashType), \ } #define SP800_56C_MAX_OUT 128 -static WOLFSSL_TEST_SUBROUTINE wc_test_ret_t nist_sp80056c_kdf_test(void) +WOLFSSL_TEST_SUBROUTINE wc_test_ret_t nist_sp80056c_kdf_test(void) { struct sp800_56c_test_vector { const byte* z; 
@@ -1469,6 +1477,322 @@ static WOLFSSL_TEST_SUBROUTINE wc_test_ret_t nist_sp80056c_kdf_test(void) } #endif /* WC_KDF_NIST_SP_800_56C */ +#if defined(HAVE_CMAC_KDF) +/* test vectors from: + * "SP 800-108 Key Derivation Using Pseudorandom Functions - Key-Based" + * - https://csrc.nist.rip/groups/STM/cavp/key-derivation.html + * - CounterMode/KDFCTR_gen.txt + * */ +WOLFSSL_TEST_SUBROUTINE wc_test_ret_t nist_sp800108_cmac(void) +{ + struct sp800_108_test_vector { + const byte Kin[32]; + word32 KinSz; + const byte fixedInfo[60]; + word32 fixedInfoSz; + const byte Kout[40]; + word32 KoutSz; + }; + struct sp800_108_test_vector * v = NULL; + struct sp800_108_test_vector vctors[] = { + #if !defined(NO_AES_128) + { + /* [PRF=CMAC_AES128] + * [CTRLOCATION=BEFORE_FIXED] + * [RLEN=32_BITS] + * COUNT=0 + * L = 128 + * */ + {0xc1, 0x0b, 0x15, 0x2e, 0x8c, 0x97, 0xb7, 0x7e, + 0x18, 0x70, 0x4e, 0x0f, 0x0b, 0xd3, 0x83, 0x05}, + 16, + {0x98, 0xcd, 0x4c, 0xbb, 0xbe, 0xbe, 0x15, 0xd1, + 0x7d, 0xc8, 0x6e, 0x6d, 0xba, 0xd8, 0x00, 0xa2, + 0xdc, 0xbd, 0x64, 0xf7, 0xc7, 0xad, 0x0e, 0x78, + 0xe9, 0xcf, 0x94, 0xff, 0xdb, 0xa8, 0x9d, 0x03, + 0xe9, 0x7e, 0xad, 0xf6, 0xc4, 0xf7, 0xb8, 0x06, + 0xca, 0xf5, 0x2a, 0xa3, 0x8f, 0x09, 0xd0, 0xeb, + 0x71, 0xd7, 0x1f, 0x49, 0x7b, 0xcc, 0x69, 0x06, + 0xb4, 0x8d, 0x36, 0xc4}, + 60, + {0x26, 0xfa, 0xf6, 0x19, 0x08, 0xad, 0x9e, 0xe8, + 0x81, 0xb8, 0x30, 0x5c, 0x22, 0x1d, 0xb5, 0x3f}, + 16 + }, + { + /* [PRF=CMAC_AES128] + * [CTRLOCATION=BEFORE_FIXED] + * [RLEN=32_BITS] + * COUNT=10 + * L = 256 + * */ + {0x69, 0x5f, 0x1b, 0x1a, 0x16, 0xc9, 0x49, 0xce, + 0xa5, 0x1c, 0xdf, 0x25, 0x54, 0xec, 0x9d, 0x42}, + 16, + {0x4f, 0xce, 0x59, 0x42, 0x83, 0x2a, 0x39, 0x0a, + 0xa1, 0xcb, 0xe8, 0xa0, 0xbf, 0x9d, 0x20, 0x2c, + 0xb7, 0x99, 0xe9, 0x86, 0xc9, 0xd6, 0xb5, 0x1f, + 0x45, 0xe4, 0xd5, 0x97, 0xa6, 0xb5, 0x7f, 0x06, + 0xa4, 0xeb, 0xfe, 0xc6, 0x46, 0x73, 0x35, 0xd1, + 0x16, 0xb7, 0xf5, 0xf9, 0xc5, 0xb9, 0x54, 0x06, + 0x2f, 0x66, 0x18, 0x20, 0xf5, 0xdb, 0x2a, 0x5b, + 0xbb, 
0x3e, 0x06, 0x25}, + 60, + {0xd3, 0x4b, 0x60, 0x1e, 0xc1, 0x8c, 0x34, 0xdf, + 0xa0, 0xf9, 0xe0, 0xb7, 0x52, 0x3e, 0x21, 0x8b, + 0xdd, 0xdb, 0x9b, 0xef, 0xe8, 0xd0, 0x8b, 0x6c, + 0x02, 0x02, 0xd7, 0x5a, 0xce, 0x0d, 0xba, 0x89}, + 32 + }, + #endif /* !NO_AES_128 */ + + #if !defined(NO_AES_192) + { + /* [PRF=CMAC_AES192] + * [CTRLOCATION=BEFORE_FIXED] + * [RLEN=32_BITS] + * COUNT=39 + * L = 320 + * */ + {0x4c, 0x51, 0xbe, 0xa8, 0x97, 0x5b, 0xe9, 0xe5, + 0xa0, 0xe4, 0x29, 0xa7, 0xfa, 0xc4, 0x0b, 0x66, + 0x3f, 0x32, 0x99, 0x15, 0x7d, 0x1f, 0x5d, 0x67}, + 24, + {0xf8, 0x6e, 0x42, 0xc6, 0x6d, 0x49, 0xa8, 0xbe, + 0xda, 0x81, 0x8e, 0x54, 0xd7, 0xc5, 0xa8, 0x1d, + 0x00, 0xd0, 0x2f, 0xc8, 0x9d, 0x2a, 0x54, 0xe8, + 0x0f, 0x19, 0xa8, 0x03, 0x4a, 0xd5, 0xe7, 0x0b, + 0xb7, 0x3d, 0x03, 0x27, 0x54, 0x5a, 0xa5, 0xd5, + 0x38, 0x7d, 0xff, 0x0a, 0x60, 0x3e, 0x16, 0x09, + 0x33, 0xf8, 0x94, 0x82, 0x97, 0x71, 0x4d, 0x11, + 0x23, 0x58, 0x55, 0x8f}, + 60, + {0x03, 0xae, 0x7b, 0xa3, 0xd2, 0x05, 0x0b, 0x18, + 0x65, 0xfc, 0x4a, 0x77, 0x91, 0x8a, 0xd4, 0x90, + 0x3a, 0xd5, 0xba, 0xf2, 0x6c, 0x02, 0x29, 0xa4, + 0xda, 0xe4, 0xcc, 0x3b, 0xa6, 0x22, 0x32, 0x54, + 0x7d, 0xcf, 0xbe, 0x65, 0xc1, 0xa2, 0x1e, 0x89}, + 40 + }, + #endif /* !NO_AES_192 */ + + #if !defined(NO_AES_256) + { + /* [PRF=CMAC_AES256] + * [CTRLOCATION=BEFORE_FIXED] + * [RLEN=32_BITS] + * COUNT=39 + * L = 320 + * */ + {0x3a, 0x65, 0x76, 0xa1, 0x54, 0x1e, 0x07, 0xea, + 0xbd, 0x47, 0xc3, 0x53, 0x4a, 0x43, 0x46, 0xab, + 0x39, 0xf1, 0x5e, 0xb0, 0x1d, 0x83, 0xec, 0xf2, + 0x31, 0x90, 0x81, 0xf6, 0xe7, 0xad, 0xa7, 0xe9}, + 32, + {0xa2, 0x59, 0xca, 0xe2, 0xc4, 0xa3, 0x6b, 0x89, + 0x56, 0x3c, 0xb1, 0x48, 0xc7, 0x82, 0x51, 0x34, + 0x3b, 0xbf, 0xab, 0xdc, 0x13, 0xca, 0x7a, 0xc2, + 0x17, 0x1c, 0x2e, 0xb6, 0x02, 0x1f, 0x44, 0x77, + 0xfe, 0xa3, 0x3b, 0x28, 0x72, 0x4d, 0xa7, 0x21, + 0xee, 0x08, 0x7b, 0xff, 0xd7, 0x94, 0xa1, 0x56, + 0x37, 0x54, 0xb4, 0x25, 0xa8, 0xd0, 0x9b, 0x3e, + 0x0d, 0xa5, 0xff, 0xed}, + 60, + {0x99, 0xb7, 0x87, 0xef, 0x90, 
0xa1, 0x33, 0xe5, + 0x73, 0x6f, 0xdc, 0xf1, 0x75, 0xc3, 0xa3, 0x80, + 0x50, 0x1f, 0x45, 0xde, 0xc8, 0xf0, 0x93, 0xec, + 0xdd, 0x40, 0x00, 0x65, 0x2f, 0x4f, 0xf1, 0xc6, + 0x57, 0x52, 0x48, 0xa3, 0x63, 0xd4, 0x5d, 0x18}, + 40 + }, + #endif /* !NO_AES_256 */ + }; + size_t i = 0; + int ret = 0; + size_t num_vctors = sizeof(vctors) / sizeof(vctors[0]); + + /* nist vectors tests */ + for (i = 0; i < num_vctors; ++i) { + byte test_Kout[40]; + int n_diff = 0; + + v = &vctors[i]; + XMEMSET(test_Kout, 0, sizeof(test_Kout)); + + ret = wc_KDA_KDF_PRF_cmac(v->Kin, v->KinSz, v->fixedInfo, v->fixedInfoSz, + test_Kout, v->KoutSz, WC_CMAC_AES, + HEAP_HINT, devId); + + if (ret) { + return WC_TEST_RET_ENC_EC(ret); + } + + n_diff = XMEMCMP(v->Kout, test_Kout, v->KoutSz); + if (n_diff) { + WOLFSSL_MSG_EX("error: nist_sp800108_cmac: %d", n_diff); + return WC_TEST_RET_ENC_NC; + } + } + + /* misc tests */ + { + byte dummy_var[WC_AES_BLOCK_SIZE]; + XMEMSET(dummy_var, 0, sizeof(dummy_var)); + + /* test invalid options */ + ret = wc_KDA_KDF_PRF_cmac(NULL, 0, NULL, 0, NULL, 0, + (enum CmacType)0, HEAP_HINT, devId); + if (ret != WC_NO_ERR_TRACE(BAD_FUNC_ARG)) { + return WC_TEST_RET_ENC_NC; + } + + ret = wc_KDA_KDF_PRF_cmac(dummy_var, 0, dummy_var, 0, dummy_var, 0, + (enum CmacType)0, HEAP_HINT, devId); + if (ret != WC_NO_ERR_TRACE(BAD_FUNC_ARG)) { + return WC_TEST_RET_ENC_NC; + } + + ret = wc_KDA_KDF_PRF_cmac(dummy_var, 15, dummy_var, 1, dummy_var, 15, + WC_CMAC_AES, HEAP_HINT, devId); + if (ret != WC_NO_ERR_TRACE(BAD_FUNC_ARG)) { + return WC_TEST_RET_ENC_NC; + } + + ret = wc_KDA_KDF_PRF_cmac(dummy_var, 16, NULL, 1, dummy_var, 1, + WC_CMAC_AES, HEAP_HINT, devId); + if (ret != WC_NO_ERR_TRACE(BAD_FUNC_ARG)) { + return WC_TEST_RET_ENC_NC; + } + + /* test valid options */ + ret = wc_KDA_KDF_PRF_cmac(dummy_var, 16, dummy_var, 1, dummy_var, 1, + WC_CMAC_AES, HEAP_HINT, devId); + if (ret) { + return WC_TEST_RET_ENC_NC; + } + + ret = wc_KDA_KDF_PRF_cmac(dummy_var, 16, NULL, 0, dummy_var, 1, + 
WC_CMAC_AES, HEAP_HINT, devId); + if (ret) { + return WC_TEST_RET_ENC_NC; + } + } + + return 0; +} + +WOLFSSL_TEST_SUBROUTINE wc_test_ret_t nist_sp80056c_twostep_cmac(void) +{ + int ret = 0; + + #if !defined(NO_AES_192) + { + /* From CMACGenAES192.rsp + * https://csrc.nist.rip/groups/STM/cavp/block-cipher-modes.html + * Count = 40 + * Klen = 24 + * Mlen = 32 + * Tlen = 16 + * produces this intermediate + * K_kdk = {74f74608c04f0f4e47fa640433b6e6fb}, + * and this Kout. */ + const byte salt[AES_192_KEY_SIZE] = + {0x20, 0x51, 0xaf, 0x34, 0x76, 0x2e, 0xbe, 0x55, + 0x6f, 0x72, 0xa5, 0xc6, 0xed, 0xc7, 0x77, 0x1e, + 0xb9, 0x24, 0x5f, 0xad, 0x76, 0xf0, 0x34, 0xbe}; + const byte z[2 * WC_AES_BLOCK_SIZE] = + {0xae, 0x8e, 0x93, 0xc9, 0xc9, 0x91, 0xcf, 0x89, + 0x6a, 0x49, 0x1a, 0x89, 0x07, 0xdf, 0x4e, 0x4b, + 0xe5, 0x18, 0x6a, 0xe4, 0x96, 0xcd, 0x34, 0x0d, + 0xc1, 0x9b, 0x23, 0x78, 0x21, 0xdb, 0x7b, 0x60}; + const byte fixedInfo[60] = + {0xa2, 0x59, 0xca, 0xe2, 0xc4, 0xa3, 0x6b, 0x89, + 0x56, 0x3c, 0xb1, 0x48, 0xc7, 0x82, 0x51, 0x34, + 0x3b, 0xbf, 0xab, 0xdc, 0x13, 0xca, 0x7a, 0xc2, + 0x17, 0x1c, 0x2e, 0xb6, 0x02, 0x1f, 0x44, 0x77, + 0xfe, 0xa3, 0x3b, 0x28, 0x72, 0x4d, 0xa7, 0x21, + 0xee, 0x08, 0x7b, 0xff, 0xd7, 0x94, 0xa1, 0x56, + 0x37, 0x54, 0xb4, 0x25, 0xa8, 0xd0, 0x9b, 0x3e, + 0x0d, 0xa5, 0xff, 0xed}; + const byte Kout[40] = + {0xb4, 0x0c, 0x32, 0xbe, 0x01, 0x27, 0x93, 0xba, + 0xfd, 0xf7, 0x78, 0xc5, 0xf4, 0x54, 0x43, 0xf4, + 0xc9, 0x71, 0x23, 0x93, 0x17, 0x63, 0xd8, 0x3a, + 0x59, 0x27, 0x07, 0xbf, 0xf2, 0xd3, 0x60, 0x59, + 0x50, 0x27, 0x29, 0xca, 0xb8, 0x8b, 0x29, 0x38}; + byte test_Kout[40]; + int n_diff = 0; + + XMEMSET(test_Kout, 0, sizeof(Kout)); + + ret = wc_KDA_KDF_twostep_cmac(salt, sizeof(salt), z, sizeof(z), + fixedInfo, sizeof(fixedInfo), + test_Kout, sizeof(Kout), + HEAP_HINT, devId); + if (ret) { + return WC_TEST_RET_ENC_NC; + } + + n_diff = XMEMCMP(Kout, test_Kout, sizeof(Kout)); + if (n_diff) { + WOLFSSL_MSG_EX("error: nist_sp80056c_cmac: %d", n_diff); + 
return WC_TEST_RET_ENC_NC; + } + } + #endif /* !NO_AES_192 */ + + { + byte dummy_var[WC_AES_BLOCK_SIZE]; + XMEMSET(dummy_var, 0, sizeof(dummy_var)); + + /* test invalid options */ + ret = wc_KDA_KDF_twostep_cmac(NULL, 0, NULL, 0, NULL, 0, NULL, 0, + HEAP_HINT, devId); + if (ret != WC_NO_ERR_TRACE(BAD_FUNC_ARG)) { + return WC_TEST_RET_ENC_NC; + } + + ret = wc_KDA_KDF_twostep_cmac(dummy_var, 0, dummy_var, 0, + dummy_var, 0, dummy_var, 0, + HEAP_HINT, devId); + if (ret != WC_NO_ERR_TRACE(BAD_FUNC_ARG)) { + return WC_TEST_RET_ENC_NC; + } + + ret = wc_KDA_KDF_twostep_cmac(dummy_var, 15, dummy_var, 1, + dummy_var, 1, dummy_var, 1, + HEAP_HINT, devId); + if (ret != WC_NO_ERR_TRACE(BAD_FUNC_ARG)) { + return WC_TEST_RET_ENC_NC; + } + + ret = wc_KDA_KDF_twostep_cmac(dummy_var, 15, dummy_var, 1, + NULL, 1, dummy_var, 1, + HEAP_HINT, devId); + if (ret != WC_NO_ERR_TRACE(BAD_FUNC_ARG)) { + return WC_TEST_RET_ENC_NC; + } + + /* test valid options */ + ret = wc_KDA_KDF_twostep_cmac(dummy_var, 16, dummy_var, 1, + dummy_var, 1, dummy_var, 1, + HEAP_HINT, devId); + if (ret) { + return WC_TEST_RET_ENC_NC; + } + + ret = wc_KDA_KDF_twostep_cmac(dummy_var, 16, dummy_var, 1, + NULL, 0, dummy_var, 1, + HEAP_HINT, devId); + if (ret) { + return WC_TEST_RET_ENC_NC; + } + } + + return 0; +} +#endif /* HAVE_CMAC_KDF */ + /* optional macro to add sleep between tests */ #ifndef TEST_SLEEP #define TEST_SLEEP() WC_DO_NOTHING 
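Review bot: The fourth invalid-argument case in nist_sp80056c_twostep_cmac passes a salt length of 15 together with `NULL, 1` for fixedInfo, so BAD_FUNC_ARG comes from the salt-length switch and the `fixedInfoSz > 0 && fixedInfo == NULL` check is never reached. Using a valid length there, `wc_KDA_KDF_twostep_cmac(dummy_var, 16, dummy_var, 1, NULL, 1, dummy_var, 1, HEAP_HINT, devId)`, would test what the case is meant to test, as the matching wc_KDA_KDF_PRF_cmac case already does with 16. Separately, the vector comments cite `csrc.nist.rip`, which is not a nist.gov host. Pointing at the official NIST CAVP source would make the provenance of the known-answer values easier to verify.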
@@ -1986,6 +2310,17 @@ options: [-s max_relative_stack_bytes] [-m max_relative_heap_memory_bytes]\n\ TEST_PASS("NIST SP 800-56C KDF test passed!\n"); #endif +#if defined(HAVE_CMAC_KDF) + if ( (ret = nist_sp800108_cmac()) != 0) + TEST_FAIL("NIST SP 800-108 KDF test failed!\n", ret); + else + TEST_PASS("NIST SP 800-108 KDF test passed!\n"); + if ( (ret = nist_sp80056c_twostep_cmac()) != 0) + TEST_FAIL("NIST SP 800-56C two-step KDF test failed!\n", ret); + else + TEST_PASS("NIST SP 800-56C two-step KDF test passed!\n"); +#endif /* HAVE_CMAC_KDF */ + #if defined(HAVE_AESGCM) && defined(WOLFSSL_AES_128) && \ !defined(WOLFSSL_AFALG_XILINX_AES) && !defined(WOLFSSL_XILINX_CRYPT) && \ !defined(WOLFSSL_RENESAS_FSPSM_CRYPTONLY) @@ -14567,7 +14902,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t aes_cbc_test(void) #endif /* WOLFSSL_AES_128 */ #if defined(WOLFSSL_AESNI) && defined(HAVE_AES_DECRYPT) && \ - defined(WOLFSSL_AES_256) + defined(WOLFSSL_AES_192) && defined(WOLFSSL_AES_256) { WOLFSSL_SMALL_STACK_STATIC const byte bigMsg[] = { /* "All work and no play makes Jack a dull boy. " */ @@ -14748,7 +15083,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t aes_cbc_test(void) if (ret != 0) goto out; } -#endif /* WOLFSSL_AESNI && HAVE_AES_DECRYPT && WOLFSSL_AES_256 */ +#endif /* WOLFSSL_AESNI && HAVE_AES_DECRYPT && WOLFSSL_AES_192 && WOLFSSL_AES_256 */ /* Test of AES IV state with encrypt/decrypt */ #if defined(WOLFSSL_AES_128) && !defined(HAVE_RENESAS_SYNC) 
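Review bot: Adding `defined(WOLFSSL_AES_192)` to the guard around the AES-NI block in aes_cbc_test removes the whole big-message test from any build that disables only 192-bit keys. If just part of that block uses a 24-byte key, guarding that part alone would keep the AES-NI coverage for the other key sizes. The block body is outside the hunk, so this could not be checked here.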
@@ -61027,28 +61362,40 @@ static int myCryptoDevCb(int devIdArg, wc_CryptoInfo* info, void* ctx) info->cmac.cmac->devId = devIdArg; } #endif /* WOLFSSL_CMAC && !(NO_AES) && WOLFSSL_AES_DIRECT */ -#if defined(HAVE_HKDF) && !defined(NO_HMAC) else if (info->algo_type == WC_ALGO_TYPE_KDF) { + #if defined(HAVE_HKDF) && !defined(NO_HMAC) if (info->kdf.type == WC_KDF_TYPE_HKDF) { /* Redirect to software implementation for testing */ - -#if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || FIPS_VERSION_GE(7,0)) + #if !defined(HAVE_SELFTEST) && \ + (!defined(HAVE_FIPS) || FIPS_VERSION_GE(7,0)) ret = wc_HKDF_ex(info->kdf.hkdf.hashType, info->kdf.hkdf.inKey, info->kdf.hkdf.inKeySz, info->kdf.hkdf.salt, info->kdf.hkdf.saltSz, info->kdf.hkdf.info, info->kdf.hkdf.infoSz, info->kdf.hkdf.out, info->kdf.hkdf.outSz, NULL, INVALID_DEVID); -#else + #else ret = wc_HKDF(info->kdf.hkdf.hashType, info->kdf.hkdf.inKey, info->kdf.hkdf.inKeySz, info->kdf.hkdf.salt, info->kdf.hkdf.saltSz, info->kdf.hkdf.info, info->kdf.hkdf.infoSz, info->kdf.hkdf.out, info->kdf.hkdf.outSz); -#endif + #endif } + #endif /* HAVE_HKDF && !NO_HMAC */ + #if defined(HAVE_CMAC_KDF) + if (info->kdf.type == WC_KDF_TYPE_TWOSTEP_CMAC) { + /* Redirect to software implementation for testing */ + ret = wc_KDA_KDF_twostep_cmac( + info->kdf.twostep_cmac.salt, info->kdf.twostep_cmac.saltSz, + info->kdf.twostep_cmac.z, info->kdf.twostep_cmac.zSz, + info->kdf.twostep_cmac.fixedInfo, info->kdf.twostep_cmac.fixedInfoSz, + info->kdf.twostep_cmac.out, info->kdf.twostep_cmac.outSz, + NULL, INVALID_DEVID); + } + #endif /* HAVE_CMAC_KDF */ } -#endif /* HAVE_HKDF && !NO_HMAC */ + (void)devIdArg; (void)myCtx; 
@@ -61204,6 +61551,10 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t cryptocb_test(void) if (ret == 0) ret = hkdf_test(); #endif +#if defined(HAVE_CMAC_KDF) + if (ret == 0) + ret = nist_sp80056c_twostep_cmac(); +#endif /* HAVE_CMAC_KDF */ #ifndef NO_PWDBASED #if defined(HAVE_PBKDF2) && !defined(NO_SHA256) && !defined(NO_HMAC) PRIVATE_KEY_UNLOCK(); diff --git a/wolfssl/wolfcrypt/cryptocb.h b/wolfssl/wolfcrypt/cryptocb.h index 05543eadc..3ab67e779 100644 --- a/wolfssl/wolfcrypt/cryptocb.h +++ b/wolfssl/wolfcrypt/cryptocb.h @@ -468,12 +468,13 @@ typedef struct wc_CryptoInfo { void *ctx; } cmd; #endif -#ifdef HAVE_HKDF +#if defined(HAVE_HKDF) || defined(HAVE_CMAC_KDF) struct { int type; /* enum wc_KdfType */ -#ifdef HAVE_ANONYMOUS_INLINE_AGGREGATES + #ifdef HAVE_ANONYMOUS_INLINE_AGGREGATES union { -#endif + #endif + #ifdef HAVE_HKDF struct { /* HKDF one-shot */ int hashType; /* WC_SHA256, etc. */ const byte* inKey; /* Input keying material */ @@ -485,12 +486,25 @@ typedef struct wc_CryptoInfo { byte* out; /* Output key material */ word32 outSz; } hkdf; + #endif + #if defined(HAVE_CMAC_KDF) + struct { /* NIST.SP.800-56Cr2 two-step cmac KDF */ + const byte* salt; /* Input keying material for cmac. */ + word32 saltSz; + const byte* z; /* The input shared secret to cmac. */ + word32 zSz; + const byte* fixedInfo; /* The fixed information for kdf.*/ + word32 fixedInfoSz; + byte* out; /* Output key material */ + word32 outSz; /* Desired size of out key material. */ + } twostep_cmac; + #endif /* HAVE_CMAC_KDf */ /* Future KDF type structures here */ -#ifdef HAVE_ANONYMOUS_INLINE_AGGREGATES + #ifdef HAVE_ANONYMOUS_INLINE_AGGREGATES }; -#endif + #endif } kdf; -#endif +#endif /* HAVE_HKDF || HAVE_CMAC_KDF */ #ifdef HAVE_ANONYMOUS_INLINE_AGGREGATES }; #endif 
@@ -697,6 +711,15 @@ WOLFSSL_LOCAL int wc_CryptoCb_Hkdf(int hashType, const byte* inKey, int devId); #endif +#if defined(HAVE_CMAC_KDF) +WOLFSSL_LOCAL int wc_CryptoCb_Kdf_TwostepCmac(const byte * salt, word32 saltSz, + const byte* z, word32 zSz, + const byte* fixedInfo, + word32 fixedInfoSz, + byte* output, word32 outputSz, + int devId); +#endif /* HAVE_CMAC_KDF */ + #ifndef WC_NO_RNG WOLFSSL_LOCAL int wc_CryptoCb_RandomBlock(WC_RNG* rng, byte* out, word32 sz); WOLFSSL_LOCAL int wc_CryptoCb_RandomSeed(OS_Seed* os, byte* seed, word32 sz); diff --git a/wolfssl/wolfcrypt/kdf.h b/wolfssl/wolfcrypt/kdf.h index 0421d8267..cca13a0fc 100644 --- a/wolfssl/wolfcrypt/kdf.h +++ b/wolfssl/wolfcrypt/kdf.h @@ -35,6 +35,10 @@ #include +#ifdef HAVE_CMAC_KDF + #include +#endif /* HAVE_CMAC_KDF */ + #ifdef __cplusplus extern "C" { #endif @@ -171,6 +175,20 @@ WOLFSSL_API int wc_KDA_KDF_onestep(const byte* z, word32 zSz, const byte* fixedInfo, word32 fixedInfoSz, word32 derivedSecretSz, enum wc_HashType hashType, byte* output, word32 outputSz); #endif + +#ifdef HAVE_CMAC_KDF +WOLFSSL_API int wc_KDA_KDF_twostep_cmac(const byte * salt, word32 salt_len, + const byte* z, word32 zSz, + const byte* fixedInfo, + word32 fixedInfoSz, + byte* output, word32 outputSz, + void* heap, int devId); +WOLFSSL_API int wc_KDA_KDF_PRF_cmac(const byte* Kin, word32 KinSz, + const byte* fixedInfo, word32 fixedInfoSz, + byte* Kout, word32 KoutSz, CmacType type, + void* heap, int devId); +#endif /* HAVE_CMAC_KDF */ + #ifdef __cplusplus } /* extern "C" */ #endif diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index 6eeb18e98..2eca305f7 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h 
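Review bot: The two new WOLFSSL_API prototypes in kdf.h carry no contract for `fixedInfo`, and the implementation in kdf.c MACs only the 32-bit counter followed by `fixedInfo` for each block. The requested output length is therefore not bound into the derivation unless the caller encodes it, so a 16-byte request yields the first 16 bytes of a 32-byte request made with the same inputs. A comment above `wc_KDA_KDF_PRF_cmac` along the lines of `/* fixedInfo must already contain Label || 0x00 || Context || [L]_2 as laid out in SP 800-108r1 section 4.1; only the counter is prepended here. */` would make that caller obligation explicit.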
@@ -3260,7 +3260,23 @@ extern void uITRON4_free(void *p) ; #error "AES CTS requires AES CBC" #endif #endif -#endif +#endif /* !NO_AES */ + +/* cmac kdf */ +#if defined(HAVE_CMAC_KDF) + #if defined(NO_AES) + #error HAVE_CMAC_KDF and NO_AES are incompatible + #endif + + /* SP 800-56C cmac kdf two-step requires AES-128-cmac for expand step. */ + #if defined(NO_AES_128) + #error HAVE_CMAC_KDF and NO_AES_128 are incompatible + #endif + + #if !defined(WOLFSSL_CMAC) + #define WOLFSSL_CMAC + #endif +#endif /* HAVE_CMAC_KDF*/ #if (defined(WOLFSSL_TLS13) && defined(WOLFSSL_NO_TLS12)) || \ (!defined(HAVE_AES_CBC) && defined(NO_DES3) && defined(NO_RC4) && \ @@ -3481,7 +3497,6 @@ extern void uITRON4_free(void *p) ; #define HAVE_PBKDF2 #endif - #if !defined(WOLFCRYPT_ONLY) && !defined(NO_OLD_TLS) && \ (defined(NO_SHA) || defined(NO_MD5)) #error old TLS requires MD5 and SHA diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h index 08cfe6cc0..c5ecb168d 100644 --- a/wolfssl/wolfcrypt/types.h +++ b/wolfssl/wolfcrypt/types.h @@ -1316,8 +1316,9 @@ enum wc_AlgoType { /* KDF types */ enum wc_KdfType { WC_KDF_TYPE_NONE = 0, - WC_KDF_TYPE_HKDF = 1 - /* Future: WC_KDF_TYPE_PBKDF2 = 2, WC_KDF_TYPE_SCRYPT = 3, etc. */ + WC_KDF_TYPE_HKDF = 1, + WC_KDF_TYPE_TWOSTEP_CMAC = 2 /* NIST SP 800-56C two-step cmac kdf. */ + /* Future: WC_KDF_TYPE_PBKDF2 = 3, WC_KDF_TYPE_SCRYPT = 4, etc. */ }; /* hash types */
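Review bot: The new HAVE_CMAC_KDF checks in settings.h cover NO_AES and NO_AES_128 but not NO_KDF, although the implementation added to kdf.c sits inside that file's NO_KDF guard (its hunk ends at `#endif /* NO_KDF */`). configure.ac enforces the pairing with AC_MSG_ERROR, but a build configured through macros alone that defines HAVE_CMAC_KDF together with NO_KDF would presumably fail only at link time, with unresolved wc_KDA_KDF_* symbols. A matching `#error HAVE_CMAC_KDF and NO_KDF are incompatible` under `#if defined(NO_KDF)` would catch it at compile time.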