intel · utzig · Mar 31, 2020
diff --git a/lib/include/tinycrypt/hkdf.h b/lib/include/tinycrypt/hkdf.h
@@ -0,0 +1,102 @@
+/* hkdf.h - TinyCrypt interface to an HKDF implementation */
+
+/*
+ *  Copyright (C) 2020 by JUUL Labs, All Rights Reserved.
+ *
+ *  Redistribution and use in source and binary forms, with or without
+ *  modification, are permitted provided that the following conditions are met:
+ *
+ *    - Redistributions of source code must retain the above copyright notice,
+ *     this list of conditions and the following disclaimer.
+ *
+ *    - Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ *    - Neither the name of Intel Corporation nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ *  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ *  AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ *  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ *  ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ *  LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ *  CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *  SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *  INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *  CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *  ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *  POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/**
+ * @file
+ * @brief Interface to an HKDF SHA-256 implementation.
+ *
+ *  Overview:   HKDF is a simple (HMAC)-based key derivation function (HKDF),
+ *              which can be used as a building block in various protocols and
+ *              applications. TinyCrypt uses HMAC with hard coded SHA-256 as
+ *              the hash function. HKDF is stateless, so no initialization
+ *              or context pointers are required for its use.
+ *
+ *  Requires:   HMAC
+ *
+ *  Usage:      1) call tc_hkdf_extract to create a new pseudorandom key. When
+ *                 a PRK with good random properties is already available by
+ *                 the HKDF client, calling this function might be skipped.
+ *
+ *              2) call tc_hkdf_expand to expand the given pseudorandom key
+ *                 into a given number of octets. Usually the PRK will come
+ *                 from the output of tc_hkdf_extract.
+ */
+
+#ifndef __TC_HKDF_H__
+#define __TC_HKDF_H__
+
+#include <tinycrypt/sha256.h>
+#include <tinycrypt/hmac.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ *  @brief HKDF extract
+ *  Outputs a pseudorandom key of size TC_SHA256_DIGEST_SIZE from input
+ *  keying material
+ *  @return returns TC_CRYPTO_SUCCCESS (1)
+ *          returns TC_CRYPTO_FAIL (0) if:
+ *                ikm == NULL or
+ *                ikmlen == 0 or
+ *                prk == NULL
+ *  @param ikm IN -- input keying material
+ *  @param ikmlen IN - size of keying material
+ *  @param salt IN - optional salt value
+ *  @param saltlen IN - size of salt (not used if salt == NULL)
+ *  @param prk OUT - output pseudorandom key for expand
+ */
+int tc_hkdf_extract(const void *ikm, size_t ikmlen, const void *salt,
+		    size_t saltlen, void *prk);
+
+/**
+ *  @brief HKDF expand
+ *  Expands a key into L number of bytes written on okm
+ *  @return returns TC_CRYPTO_SUCCESS (1)
+ *          returns TC_CRYPTO_FAIL (0) if:
+ *                prk == NULL or
+ *                okm == NULL
+ *  @param prk IN -- a pseudorandom key (can be generated with tc_hkdf_extract)
+ *  @param info IN -- an application specific information tag
+ *  @param infolen IN -- size of info in bytes
+ *  @param L IN -- number of bytes of the key to derive into okm
+ *  @param okm OUT -- buffer for the key derivation output
+ */
+int tc_hkdf_expand(const void *prk, const void *info, size_t infolen,
+		   size_t L, void *okm);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /*__TC_HKDF_H__*/
diff --git a/lib/source/hkdf.c b/lib/source/hkdf.c
@@ -0,0 +1,141 @@
+/* hkdf.c - TinyCrypt implementation of HKDF-SHA256 */
+
+/*
+ *  Copyright (C) 2020 by JUUL Labs, All Rights Reserved.
+ *
+ *  Redistribution and use in source and binary forms, with or without
+ *  modification, are permitted provided that the following conditions are met:
+ *
+ *    - Redistributions of source code must retain the above copyright notice,
+ *     this list of conditions and the following disclaimer.
+ *
+ *    - Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ *    - Neither the name of Intel Corporation nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ *  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ *  AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ *  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ *  ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ *  LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ *  CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *  SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *  INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *  CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *  ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *  POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <tinycrypt/hkdf.h>
+#include <tinycrypt/sha256.h>
+#include <tinycrypt/constants.h>
+#include <tinycrypt/utils.h>
+
+int tc_hkdf_extract(const void *ikm, size_t ikmlen, const void *salt,
+		    size_t saltlen, void *prk)
+{
+	uint8_t _salt[TC_SHA256_DIGEST_SIZE];
+	struct tc_hmac_state_struct hmac_state;
+	unsigned int rc;
+
+	if (ikm == (const void *) 0 ||
+	    ikmlen == 0 ||
+	    prk == (void *) 0) {
+		return TC_CRYPTO_FAIL;
+	}
+
+	if (salt == (const void *) 0) {
+		_set(_salt, 0, TC_SHA256_DIGEST_SIZE);
+		rc = tc_hmac_set_key(&hmac_state, _salt, TC_SHA256_DIGEST_SIZE);
+	} else {
+		rc = tc_hmac_set_key(&hmac_state, salt, saltlen);
+	}
+
+	if (rc != TC_CRYPTO_SUCCESS) {
+		return TC_CRYPTO_FAIL;
+	}
+
+	rc = tc_hmac_init(&hmac_state);
+	if (rc != TC_CRYPTO_SUCCESS) {
+		return TC_CRYPTO_FAIL;
+	}
+
+	rc = tc_hmac_update(&hmac_state, ikm, ikmlen);
+	if (rc != TC_CRYPTO_SUCCESS) {
+		return TC_CRYPTO_FAIL;
+	}
+
+	return tc_hmac_final(prk, TC_SHA256_DIGEST_SIZE, &hmac_state);
+}
+
+int tc_hkdf_expand(const void *prk, const void *info, size_t infolen,
+		   size_t L, void *okm)
+{
+	uint8_t T[TC_SHA256_DIGEST_SIZE];
+	struct tc_hmac_state_struct hmac_state;
+	uint16_t off;
+	uint16_t len;
+	uint8_t counter;
+	uint8_t *u8okm;
+	bool first;
+	int rc;
+
+	if (prk == (const void *) 0 || okm == (void *) 0) {
+		return TC_CRYPTO_FAIL;
+	}
+
+	u8okm = (uint8_t *)okm;
+	len = L;
+	counter = 1;
+	first = true;
+	for (off = 0; len > 0; off += TC_SHA256_DIGEST_SIZE, ++counter) {
+		rc = tc_hmac_set_key(&hmac_state, prk, TC_SHA256_DIGEST_SIZE);
+		if (rc != TC_CRYPTO_SUCCESS) {
+			return TC_CRYPTO_FAIL;
+		}
+
+		rc = tc_hmac_init(&hmac_state);
+		if (rc != TC_CRYPTO_SUCCESS) {
+			return TC_CRYPTO_FAIL;
+		}
+
+		if (!first) {
+			rc = tc_hmac_update(&hmac_state, T,
+					    TC_SHA256_DIGEST_SIZE);
+			if (rc != TC_CRYPTO_SUCCESS) {
+				return TC_CRYPTO_FAIL;
+			}
+		} else {
+			first = false;
+		}
+
+		rc = tc_hmac_update(&hmac_state, info, infolen);
+		if (rc != TC_CRYPTO_SUCCESS) {
+			return TC_CRYPTO_FAIL;
+		}
+
+		rc = tc_hmac_update(&hmac_state, &counter, 1);
+		if (rc != TC_CRYPTO_SUCCESS) {
+			return TC_CRYPTO_FAIL;
+		}
+
+		rc = tc_hmac_final(T, TC_SHA256_DIGEST_SIZE, &hmac_state);
+		if (rc != TC_CRYPTO_SUCCESS) {
+			return TC_CRYPTO_FAIL;
+		}
+
+		if (len > TC_SHA256_DIGEST_SIZE) {
+			memcpy(&u8okm[off], T, TC_SHA256_DIGEST_SIZE);
+			len -= TC_SHA256_DIGEST_SIZE;
+		} else {
+			memcpy(&u8okm[off], T, len);
+			len = 0;
+		}
+	}
+
+	return TC_CRYPTO_SUCCESS;
+}
diff --git a/tests/Makefile b/tests/Makefile
@@ -53,6 +53,9 @@ test_hmac_prng$(DOTEXE): test_hmac_prng.o hmac_prng.o hmac.o \
 		sha256.o utils.o
 	$(LINK.o) $^ $(LOADLIBES) $(LDLIBS) -o $@
 
+test_hkdf$(DOTEXE): test_hkdf.o hkdf.o hmac.o sha256.o utils.o
+	$(LINK.o) $^ $(LOADLIBES) $(LDLIBS) -o $@
+
 test_sha256$(DOTEXE): test_sha256.o sha256.o utils.o
 	$(LINK.o) $^ $(LOADLIBES) $(LDLIBS) -o $@