1 /*
2  *  Copyright (c) 2020, The OpenThread Authors.
3  *  All rights reserved.
4  *
5  *  Redistribution and use in source and binary forms, with or without
6  *  modification, are permitted provided that the following conditions are met:
7  *  1. Redistributions of source code must retain the above copyright
8  *     notice, this list of conditions and the following disclaimer.
9  *  2. Redistributions in binary form must reproduce the above copyright
10  *     notice, this list of conditions and the following disclaimer in the
11  *     documentation and/or other materials provided with the distribution.
12  *  3. Neither the name of the copyright holder nor the
13  *     names of its contributors may be used to endorse or promote products
14  *     derived from this software without specific prior written permission.
15  *
16  *  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
17  *  AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18  *  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19  *  ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
20  *  LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
21  *  CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
22  *  SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
23  *  INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
24  *  CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
25  *  ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26  *  POSSIBILITY OF SUCH DAMAGE.
27  */
28 
29 /**
30  * @file
31  *   This file implements HMAC-based Extract-and-Expand Key Derivation Function (HKDF) using SHA-256.
32  */
33 
34 #include "hkdf_sha256.hpp"
35 
36 #include <string.h>
37 
38 namespace ot {
39 namespace Crypto {
40 
Extract(const uint8_t * aSalt,uint16_t aSaltLength,const uint8_t * aInputKey,uint16_t aInputKeyLength)41 void HkdfSha256::Extract(const uint8_t *aSalt, uint16_t aSaltLength, const uint8_t *aInputKey, uint16_t aInputKeyLength)
42 {
43     HmacSha256 hmac;
44 
45     // PRK is calculated as HMAC-Hash(aSalt, aInputKey)
46 
47     hmac.Start(aSalt, aSaltLength);
48     hmac.Update(aInputKey, aInputKeyLength);
49     hmac.Finish(mPrk);
50 }
51 
Expand(const uint8_t * aInfo,uint16_t aInfoLength,uint8_t * aOutputKey,uint16_t aOutputKeyLength)52 void HkdfSha256::Expand(const uint8_t *aInfo, uint16_t aInfoLength, uint8_t *aOutputKey, uint16_t aOutputKeyLength)
53 {
54     HmacSha256       hmac;
55     HmacSha256::Hash hash;
56     uint8_t          iter = 0;
57     uint16_t         copyLength;
58 
59     // The aOutputKey is calculated as follows [RFC5889]:
60     //
61     //   N = ceil( aOutputKeyLength / HashSize)
62     //   T = T(1) | T(2) | T(3) | ... | T(N)
63     //   aOutputKey is first aOutputKeyLength of T
64     //
65     // Where:
66     //   T(0) = empty string (zero length)
67     //   T(1) = HMAC-Hash(PRK, T(0) | info | 0x01)
68     //   T(2) = HMAC-Hash(PRK, T(1) | info | 0x02)
69     //   T(3) = HMAC-Hash(PRK, T(2) | info | 0x03)
70     //   ...
71 
72     while (aOutputKeyLength > 0)
73     {
74         hmac.Start(mPrk.GetBytes(), sizeof(mPrk));
75 
76         if (iter != 0)
77         {
78             hmac.Update(hash);
79         }
80 
81         hmac.Update(aInfo, aInfoLength);
82 
83         iter++;
84         hmac.Update(iter);
85         hmac.Finish(hash);
86 
87         copyLength = (aOutputKeyLength > sizeof(hash)) ? sizeof(hash) : aOutputKeyLength;
88 
89         memcpy(aOutputKey, hash.GetBytes(), copyLength);
90         aOutputKey += copyLength;
91         aOutputKeyLength -= copyLength;
92     }
93 }
94 
95 } // namespace Crypto
96 } // namespace ot
97