From 550e798c1b45d3ab5a9d8308ef6dbb789556cf33 Mon Sep 17 00:00:00 2001 From: Yawning Angel Date: Mon, 26 Feb 2024 20:06:48 +0900 Subject: [PATCH] core/crypto/hkdf: Initial import --- core/crypto/hkdf/hkdf.odin | 103 ++++++++++++++++++++ examples/all/all_main.odin | 2 + tests/core/crypto/test_core_crypto_kdf.odin | 67 +++++++++++++ 3 files changed, 172 insertions(+) create mode 100644 core/crypto/hkdf/hkdf.odin diff --git a/core/crypto/hkdf/hkdf.odin b/core/crypto/hkdf/hkdf.odin new file mode 100644 index 000000000..2ac67476e --- /dev/null +++ b/core/crypto/hkdf/hkdf.odin @@ -0,0 +1,103 @@ +/* +package hkdf implements the HKDF HMAC-based Extract-and-Expand Key +Derivation Function. + +See: https://www.rfc-editor.org/rfc/rfc5869 +*/ +package hkdf + +import "core:crypto/hash" +import "core:crypto/hmac" +import "core:mem" + +// extract_and_expand derives output keying material (OKM) via the +// HKDF-Extract and HKDF-Expand algorithms, with the specified has +// function, salt, input keying material (IKM), and optional info. +// The dst buffer must be less-than-or-equal to 255 HMAC tags. +extract_and_expand :: proc(algorithm: hash.Algorithm, salt, ikm, info, dst: []byte) { + h_len := hash.DIGEST_SIZES[algorithm] + + tmp: [hash.MAX_DIGEST_SIZE]byte + prk := tmp[:h_len] + defer mem.zero_explicit(raw_data(prk), h_len) + + extract(algorithm, salt, ikm, prk) + expand(algorithm, prk, info, dst) +} + +// extract derives a pseudorandom key (PRK) via the HKDF-Extract algorithm, +// with the specified hash function, salt, and input keying material (IKM). +// It requires that the dst buffer be the HMAC tag size for the specified +// hash function. +extract :: proc(algorithm: hash.Algorithm, salt, ikm, dst: []byte) { + // PRK = HMAC-Hash(salt, IKM) + hmac.sum(algorithm, dst, ikm, salt) +} + +// expand derives output keying material (OKM) via the HKDF-Expand algorithm, +// with the specified hash function, pseudorandom key (PRK), and optional +// info. The dst buffer must be less-than-or-equal to 255 HMAC tags. +expand :: proc(algorithm: hash.Algorithm, prk, info, dst: []byte) { + h_len := hash.DIGEST_SIZES[algorithm] + + // (<= 255*HashLen) + dk_len := len(dst) + switch { + case dk_len == 0: + return + case dk_len > h_len * 255: + panic("crypto/hkdf: derived key too long") + case: + } + + // The output OKM is calculated as follows: + // + // N = ceil(L/HashLen) + // T = T(1) | T(2) | T(3) | ... | T(N) + // OKM = first L octets of T + // + // where: + // T(0) = empty string (zero length) + // T(1) = HMAC-Hash(PRK, T(0) | info | 0x01) + // T(2) = HMAC-Hash(PRK, T(1) | info | 0x02) + // T(3) = HMAC-Hash(PRK, T(2) | info | 0x03) + // ... + + n := dk_len / h_len + r := dk_len % h_len + + base: hmac.Context + defer hmac.reset(&base) + + hmac.init(&base, algorithm, prk) + + dst_blk := dst + prev: []byte + + for i in 1 ..= n { + _F(&base, prev, info, i, dst_blk[:h_len]) + + prev = dst_blk[:h_len] + dst_blk = dst_blk[h_len:] + } + + if r > 0 { + tmp: [hash.MAX_DIGEST_SIZE]byte + blk := tmp[:h_len] + defer mem.zero_explicit(raw_data(blk), h_len) + + _F(&base, prev, info, n + 1, blk) + copy(dst_blk, blk) + } +} + +@(private) +_F :: proc(base: ^hmac.Context, prev, info: []byte, i: int, dst_blk: []byte) { + prf: hmac.Context + + hmac.clone(&prf, base) + hmac.update(&prf, prev) + hmac.update(&prf, info) + hmac.update(&prf, []byte{u8(i)}) + hmac.final(&prf, dst_blk) +} diff --git a/examples/all/all_main.odin b/examples/all/all_main.odin index cb7cd58a7..a0294d512 100644 --- a/examples/all/all_main.odin +++ b/examples/all/all_main.odin @@ -29,6 +29,7 @@ import blake2s "core:crypto/blake2s" import chacha20 "core:crypto/chacha20" import chacha20poly1305 "core:crypto/chacha20poly1305" import crypto_hash "core:crypto/hash" +import hkdf "core:crypto/hkdf" import hmac "core:crypto/hmac" import keccak "core:crypto/legacy/keccak" import md5 "core:crypto/legacy/md5" @@ -148,6 +149,7 @@ _ :: blake2s _ :: chacha20 _ :: chacha20poly1305 _ :: hmac +_ :: hkdf _ :: keccak _ :: md5 _ :: pbkdf2 diff --git a/tests/core/crypto/test_core_crypto_kdf.odin b/tests/core/crypto/test_core_crypto_kdf.odin index a1f2cbb9d..f5ebf57f1 100644 --- a/tests/core/crypto/test_core_crypto_kdf.odin +++ b/tests/core/crypto/test_core_crypto_kdf.odin @@ -5,15 +5,82 @@ import "core:fmt" import "core:testing" import "core:crypto/hash" +import "core:crypto/hkdf" import "core:crypto/pbkdf2" @(test) test_kdf :: proc(t: ^testing.T) { log(t, "Testing KDFs") + test_hkdf(t) test_pbkdf2(t) } +@(test) +test_hkdf :: proc(t: ^testing.T) { + log(t, "Testing HKDF") + + tmp: [128]byte // Good enough. + + test_vectors := []struct { + algo: hash.Algorithm, + ikm: string, + salt: string, + info: string, + okm: string, + } { + // SHA-256 + // - https://www.rfc-editor.org/rfc/rfc5869 + { + hash.Algorithm.SHA256, + "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b", + "000102030405060708090a0b0c", + "f0f1f2f3f4f5f6f7f8f9", + "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865", + }, + { + hash.Algorithm.SHA256, + "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f", + "606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf", + "b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff", + "b11e398dc80327a1c8e7f78c596a49344f012eda2d4efad8a050cc4c19afa97c59045a99cac7827271cb41c65e590e09da3275600c2f09b8367793a9aca3db71cc30c58179ec3e87c14c01d5c1f3434f1d87", + }, + { + hash.Algorithm.SHA256, + "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b", + "", + "", + "8da4e775a563c18f715f802a063c5a31b8a11f5c5ee1879ec3454e5f3c738d2d9d201395faa4b61a96c8", + }, + } + for v, _ in test_vectors { + algo_name := hash.ALGORITHM_NAMES[v.algo] + dst := tmp[:len(v.okm) / 2] + + ikm, _ := hex.decode(transmute([]byte)(v.ikm), context.temp_allocator) + salt, _ := hex.decode(transmute([]byte)(v.salt), context.temp_allocator) + info, _ := hex.decode(transmute([]byte)(v.info), context.temp_allocator) + + hkdf.extract_and_expand(v.algo, salt, ikm, info, dst) + + dst_str := string(hex.encode(dst, context.temp_allocator)) + + expect( + t, + dst_str == v.okm, + fmt.tprintf( + "HKDF-%s: Expected: %s for input of (%s, %s, %s), but got %s instead", + algo_name, + v.okm, + v.ikm, + v.salt, + v.info, + dst_str, + ), + ) + } +} + @(test) test_pbkdf2 :: proc(t: ^testing.T) { log(t, "Testing PBKDF2")