wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2026-02-04 04:25:05 +01:00
Code Issues Packages Projects Releases Wiki Activity

cmac kdf: add NIST SP 800-108, and NIST SP 800-56C two-step.

Browse Source
This commit is contained in:
jordan
2025-10-20 08:20:23 -05:00
parent aba9ee4015
commit 525c212d1c
11 changed files with 790 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files

45
wolfcrypt/src/cryptocb.c
View File

@@ -174,12 +174,14 @@ static const char* GetCryptoCbCmdTypeStr(int type)
}
#endif
#if defined(HAVE_HKDF) && !defined(NO_HMAC)
#if (defined(HAVE_HKDF) && !defined(NO_HMAC)) || defined(HAVE_CMAC_KDF)
static const char* GetKdfTypeStr(int type)
{
switch (type) {
case WC_KDF_TYPE_HKDF:
return "HKDF";
case WC_KDF_TYPE_TWOSTEP_CMAC:
return "TWOSTEP_CMAC";
}
return NULL;
}
@@ -251,7 +253,8 @@ void wc_CryptoCb_InfoString(wc_CryptoInfo* info)
GetCryptoCbCmdTypeStr(info->cmd.type), info->cmd.type);
}
#endif
#if defined(HAVE_HKDF) && !defined(NO_HMAC)
#if (defined(HAVE_HKDF) && !defined(NO_HMAC)) || \
defined(HAVE_CMAC_KDF)
else if (info->algo_type == WC_ALGO_TYPE_KDF) {
printf("Crypto CB: %s %s (%d)\n", GetAlgoTypeStr(info->algo_type),
GetKdfTypeStr(info->kdf.type), info->kdf.type);
@@ -2025,4 +2028,42 @@ int wc_CryptoCb_Hkdf(int hashType, const byte* inKey, word32 inKeySz,
}
#endif /* HAVE_HKDF && !NO_HMAC */
#if defined(HAVE_CMAC_KDF)
/* Crypto callback for NIST SP 800 56C two-step CMAC KDF. See software
* implementation in wc_KDA_KDF_twostep_cmac for more comments.
* */
int wc_CryptoCb_Kdf_TwostepCmac(const byte * salt, word32 saltSz,
const byte* z, word32 zSz,
const byte* fixedInfo, word32 fixedInfoSz,
byte* output, word32 outputSz, int devId)
{
int ret = WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE);
CryptoCb* dev;
/* Find registered callback device */
dev = wc_CryptoCb_FindDevice(devId, WC_ALGO_TYPE_KDF);
if (dev && dev->cb) {
wc_CryptoInfo cryptoInfo;
XMEMSET(&cryptoInfo, 0, sizeof(cryptoInfo));
cryptoInfo.algo_type = WC_ALGO_TYPE_KDF;
cryptoInfo.kdf.type = WC_KDF_TYPE_TWOSTEP_CMAC;
cryptoInfo.kdf.twostep_cmac.salt = salt;
cryptoInfo.kdf.twostep_cmac.saltSz = saltSz;
cryptoInfo.kdf.twostep_cmac.z = z;
cryptoInfo.kdf.twostep_cmac.zSz = zSz;
cryptoInfo.kdf.twostep_cmac.fixedInfo = fixedInfo;
cryptoInfo.kdf.twostep_cmac.fixedInfoSz = fixedInfoSz;
cryptoInfo.kdf.twostep_cmac.out = output;
cryptoInfo.kdf.twostep_cmac.outSz = outputSz;
ret = dev->cb(dev->devId, &cryptoInfo, dev->ctx);
}
return wc_CryptoCb_TranslateErrorCode(ret);
}
#endif /* HAVE_CMAC_KDF */
#endif /* WOLF_CRYPTO_CB */

293
wolfcrypt/src/kdf.c
View File

@@ -43,8 +43,11 @@
#include <wolfssl/wolfcrypt/hmac.h>
#include <wolfssl/wolfcrypt/kdf.h>
#ifdef WC_SRTP_KDF
#include <wolfssl/wolfcrypt/aes.h>
#if defined(WC_SRTP_KDF) || defined(HAVE_CMAC_KDF)
#include <wolfssl/wolfcrypt/aes.h>
#endif
#ifdef WOLF_CRYPTO_CB
#include <wolfssl/wolfcrypt/cryptocb.h>
#endif
#if FIPS_VERSION3_GE(6,0,0)
@@ -299,7 +302,6 @@ int wc_PRF_TLS(byte* digest, word32 digLen, const byte* secret, word32 secLen,
WOLFSSL_BUFFER(seed, seedLen);
#endif
if (useAtLeastSha256) {
WC_DECLARE_VAR(labelSeed, byte, MAX_PRF_LABSEED, 0);
@@ -1351,7 +1353,7 @@ static int wc_KDA_KDF_iteration(const byte* z, word32 zSz, word32 counter,
/**
* \brief Performs the single-step key derivation function (KDF) as specified in
* SP800-56C option 1.
* SP800-56C option 1. This implementation uses a 32 bit counter.
*
* \param [in] z The input keying material.
* \param [in] zSz The size of the input keying material.
@@ -1390,19 +1392,19 @@ int wc_KDA_KDF_onestep(const byte* z, word32 zSz, const byte* fixedInfo,
* depends on the HASH algo. The smaller value in the table is (2**64-1)/8.
* This is larger than the possible length using word32 integers. */
counter = 1;
counter = 1; /* init counter to 1, from SP800-56C section 4.1 */
outIdx = 0;
ret = 0;
/* According to SP800_56C the number of iterations shall not be greater than
* 2**32-1. This is not possible using word32 integers.*/
while (outIdx + hashOutSz <= derivedSecretSz) {
while (outIdx + (word32) hashOutSz <= derivedSecretSz) {
ret = wc_KDA_KDF_iteration(z, zSz, counter, fixedInfo, fixedInfoSz,
hashType, output + outIdx);
if (ret != 0)
break;
counter++;
outIdx += hashOutSz;
outIdx += (word32) hashOutSz;
}
if (ret == 0 && outIdx < derivedSecretSz) {
@@ -1411,7 +1413,7 @@ int wc_KDA_KDF_onestep(const byte* z, word32 zSz, const byte* fixedInfo,
if (ret == 0) {
XMEMCPY(output + outIdx, hashTempBuf, derivedSecretSz - outIdx);
}
ForceZero(hashTempBuf, hashOutSz);
ForceZero(hashTempBuf, (word32) hashOutSz);
}
if (ret != 0) {
@@ -1422,4 +1424,279 @@ int wc_KDA_KDF_onestep(const byte* z, word32 zSz, const byte* fixedInfo,
}
#endif /* WC_KDF_NIST_SP_800_56C */
#ifdef HAVE_CMAC_KDF
/**
* \brief Performs the two-step cmac key derivation function (KDF) as
* specified in SP800-56C, section 5.1, in counter mode.
*
* Z fixedInfo
* ____|_________________________________|___________
* | | | |
* | ________________ ___________ |
* salt--|-> | Randomness | | Key | |
* | | Extract | --Key_kdk--> | Expansion | -|-output-->
* | ---------------- ----------- |
* --------------------------------------------------
*
* \param [in] salt The input keying material for cmac.
* \param [in] salt_len The size of the input keying material.
* \param [in] z The input shared secret (message to cmac).
* \param [in] zSz The size of the input shared secret.
* \param [in] fixedInfo The fixed information in the KDF.
* \param [in] fixedInfoSz The size of the fixed information.
* \param [out] output The buffer to store the derived secret.
* \param [in] outputSz The desired size of the output secret.
* \param [in] heap The heap hint.
* \param [in] devId The device id.
*
* \return 0 if the KDF operation is successful.
* \return BAD_FUNC_ARG if the input parameters are invalid.
* \return negative error code if the KDF operation fails.
*/
int wc_KDA_KDF_twostep_cmac(const byte * salt, word32 salt_len,
const byte* z, word32 zSz,
const byte* fixedInfo, word32 fixedInfoSz,
byte* output, word32 outputSz,
void * heap, int devId)
{
byte Key_kdk[WC_AES_BLOCK_SIZE]; /* key derivation key*/
word32 kdk_len = sizeof(Key_kdk);
word32 tag_len = WC_AES_BLOCK_SIZE;
#ifdef WOLFSSL_SMALL_STACK
Cmac * cmac = NULL;
#else
Cmac cmac[1];
#endif /* WOLFSSL_SMALL_STACK */
int ret = 0;
/* screen out bad args. */
switch (salt_len) {
case AES_128_KEY_SIZE:
case AES_192_KEY_SIZE:
case AES_256_KEY_SIZE:
break; /* salt ok */
default:
WOLFSSL_MSG_EX("KDF twostep cmac: bad salt len: %d", salt_len);
return BAD_FUNC_ARG;
}
if (zSz == 0 || outputSz == 0) {
return BAD_FUNC_ARG;
}
if (fixedInfoSz > 0 && fixedInfo == NULL) {
return BAD_FUNC_ARG;
}
if (salt == NULL || z == NULL || output == NULL) {
return BAD_FUNC_ARG;
}
#ifdef WOLF_CRYPTO_CB
/* Try crypto callback first for complete operation */
if (devId != INVALID_DEVID) {
ret = wc_CryptoCb_Kdf_TwostepCmac(salt, salt_len, z, zSz,
fixedInfo, fixedInfoSz,
output, outputSz, devId);
if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) {
return ret;
}
/* fall-through when unavailable */
}
#endif
XMEMSET(Key_kdk, 0, kdk_len);
#ifdef WOLFSSL_SMALL_STACK
cmac = (Cmac*)XMALLOC(sizeof(Cmac), heap, DYNAMIC_TYPE_CMAC);
if (cmac == NULL) {
return MEMORY_E;
}
#endif
/* step 1: cmac extract */
ret = wc_AesCmacGenerate_ex(cmac, Key_kdk, &tag_len, z, zSz, salt, salt_len,
heap, devId);
if (ret == 0) {
if (tag_len != WC_AES_BLOCK_SIZE) {
WOLFSSL_MSG_EX("KDF twostep cmac: got %d, expected %d\n",
tag_len, WC_AES_BLOCK_SIZE);
ret = BUFFER_E;
}
}
#ifdef WOLFSSL_SMALL_STACK
if (cmac) {
XFREE(cmac, heap, DYNAMIC_TYPE_CMAC);
cmac = NULL;
}
#endif /* WOLFSSL_SMALL_STACK */
/* step 2: cmac expand with SP 800-108 PRF.
* If AES-128-CMAC, AES-192-CMAC, or AES-256-CMAC is used in the
* randomness extraction step, then only AES-128-CMAC is used in the
* key-expansion step.*/
if (ret == 0) {
ret = wc_KDA_KDF_PRF_cmac(Key_kdk, kdk_len, fixedInfo, fixedInfoSz,
output, outputSz, WC_CMAC_AES,
heap, devId);
}
/* always force zero the intermediate key derivation key. */
ForceZero(Key_kdk, sizeof(Key_kdk));
return ret;
}
/**
* \brief Performs the KDF PRF as specified in SP800-108r1.
* At the moment, only AES-CMAC counter mode (section 4.1) is
* implemented. This implementation uses a 32 bit counter.
*
* \param [in] Kin The input keying material.
* \param [in] KinSz The size of the input keying material.
* \param [in] fixedInfo The fixed information to be included in the KDF.
* \param [in] fixedInfo Sz The size of the fixed information.
* \param [out] Kout The output keying material.
* \param [in] KoutSz The desired size of the output key.
* \param [in] type The type of cmac.
* \param [in] heap The heap hint.
* \param [in] devId The device id.
*
* \return 0 if the KDF operation is successful.
* \return BAD_FUNC_ARG if the input parameters are invalid.
* \return negative error code if the KDF operation fails.
*/
int wc_KDA_KDF_PRF_cmac(const byte* Kin, word32 KinSz,
const byte* fixedInfo, word32 fixedInfoSz,
byte* Kout, word32 KoutSz, CmacType type,
void * heap, int devId)
{
word32 len_rem = KoutSz;
word32 tag_len = WC_AES_BLOCK_SIZE;
word32 counter = 1; /* init counter to 1, from SP800-108r1 section 4.1 */
#ifdef WOLFSSL_SMALL_STACK
Cmac * cmac = NULL;
#else
Cmac cmac[1];
#endif /* WOLFSSL_SMALL_STACK */
byte counterBuf[4];
int ret = 0;
/* screen out bad args. */
if (Kin == NULL || Kout == NULL) {
return BAD_FUNC_ARG;
}
if (fixedInfoSz > 0 && fixedInfo == NULL) {
return BAD_FUNC_ARG;
}
if (KoutSz == 0) {
return BAD_FUNC_ARG;
}
/* Only AES-CMAC PRF supported at this time. */
if (type != WC_CMAC_AES) {
return BAD_FUNC_ARG;
}
#ifdef WOLFSSL_SMALL_STACK
cmac = (Cmac*)XMALLOC(sizeof(Cmac), heap, DYNAMIC_TYPE_CMAC);
if (cmac == NULL) {
return MEMORY_E;
}
#endif
while (ret == 0 && len_rem >= WC_AES_BLOCK_SIZE) {
/* cmac in place in block size increments */
c32toa(counter, counterBuf);
#ifdef WOLFSSL_DEBUG_KDF
WOLFSSL_MSG_EX("wc_KDA_KDF_PRF_cmac: in place: "
"len_rem = %d, i = %d", len_rem, counter);
#endif /* WOLFSSL_DEBUG_KDF */
ret = wc_InitCmac_ex(cmac, Kin, KinSz, WC_CMAC_AES, NULL, heap, devId);
if (ret == 0) {
ret = wc_CmacUpdate(cmac, counterBuf, sizeof(counterBuf));
}
if (ret == 0 && fixedInfoSz > 0) {
ret = wc_CmacUpdate(cmac, fixedInfo, fixedInfoSz);
}
if (ret == 0) {
ret = wc_CmacFinalNoFree(cmac, &Kout[KoutSz - len_rem], &tag_len);
if (tag_len != WC_AES_BLOCK_SIZE) {
WOLFSSL_MSG_EX("wc_KDA_KDF_PRF_cmac: got %d, expected %d\n",
tag_len, WC_AES_BLOCK_SIZE);
ret = BUFFER_E;
}
}
(void)wc_CmacFree(cmac);
if (ret != 0) { break; }
len_rem -= WC_AES_BLOCK_SIZE;
++counter;
}
if (ret == 0 && len_rem) {
/* cmac the last little bit that wouldn't fit in a block size. */
byte rem[WC_AES_BLOCK_SIZE];
XMEMSET(rem, 0, sizeof(rem));
c32toa(counter, counterBuf);
#ifdef WOLFSSL_DEBUG_KDF
WOLFSSL_MSG_EX("wc_KDA_KDF_PRF_cmac: last little bit: "
"len_rem = %d, i = %d", len_rem, counter);
#endif /* WOLFSSL_DEBUG_KDF */
ret = wc_InitCmac_ex(cmac, Kin, KinSz, WC_CMAC_AES, NULL, heap, devId);
if (ret == 0) {
ret = wc_CmacUpdate(cmac, counterBuf, sizeof(counterBuf));
}
if (ret == 0 && fixedInfoSz > 0) {
ret = wc_CmacUpdate(cmac, fixedInfo, fixedInfoSz);
}
if (ret == 0) {
ret = wc_CmacFinalNoFree(cmac, rem, &tag_len);
if (tag_len != WC_AES_BLOCK_SIZE) {
WOLFSSL_MSG_EX("wc_KDA_KDF_PRF_cmac: got %d, expected %d\n",
tag_len, WC_AES_BLOCK_SIZE);
ret = BUFFER_E;
}
}
if (ret == 0) {
XMEMCPY(&Kout[KoutSz - len_rem], rem, len_rem);
}
ForceZero(rem, sizeof(rem));
(void)wc_CmacFree(cmac);
}
#ifdef WOLFSSL_SMALL_STACK
if (cmac) {
XFREE(cmac, heap, DYNAMIC_TYPE_CMAC);
cmac = NULL;
}
#endif /* WOLFSSL_SMALL_STACK */
if (ret != 0) {
ForceZero(Kout, KoutSz);
}
return ret;
}
#endif /* HAVE_CMAC_KDF */
#endif /* NO_KDF */