diff --git a/TestVectors/Readme.txt b/TestVectors/Readme.txt index ec7a761f..0c8e45cc 100644 --- a/TestVectors/Readme.txt +++ b/TestVectors/Readme.txt @@ -62,6 +62,7 @@ Plaintext - encoded string Ciphertext - encoded string Header - encoded string Footer - encoded string +Secret - encoded string, used by some key derivation functions DerivedKey - encoded string DerivedLength - encoded string Digest - encoded string diff --git a/TestVectors/hkdf.txt b/TestVectors/hkdf.txt index f66a9003..b83f8166 100644 --- a/TestVectors/hkdf.txt +++ b/TestVectors/hkdf.txt @@ -1,8 +1,8 @@ AlgorithmType: KDF Name: HKDF(SHA-1) -Source: RFC 5689 +Source: RFC 5869 Comment: Test Case 4 -Key: 0x0b0b0b0b0b0b0b0b0b0b0b +Secret: 0x0b0b0b0b0b0b0b0b0b0b0b Salt: 0x000102030405060708090a0b0c Info: 0xf0f1f2f3f4f5f6f7f8f9 DerivedKeyLength: 42 @@ -11,9 +11,9 @@ Test: Verify AlgorithmType: KDF Name: HKDF(SHA-1) -Source: RFC 5689 +Source: RFC 5869 Comment: Test Case 5 -Key: 0x000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f +Secret: 0x000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f Salt: 0x606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf Info: 0xb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff DerivedKeyLength: 82 @@ -22,9 +22,9 @@ Test: Verify AlgorithmType: KDF Name: HKDF(SHA-1) -Source: RFC 5689 +Source: RFC 5869 Comment: Test Case 6 -Key: 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b +Secret: 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b Salt: "" Info: "" DerivedKeyLength: 42 @@ -33,10 +33,9 @@ Test: Verify AlgorithmType: KDF Name: HKDF(SHA-1) -Source: RFC 5689 +Source: RFC 5869 Comment: Test Case 7 -Key: 0x0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c -Salt: "" +Secret: 0x0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c Info: "" DerivedKeyLength: 42 DerivedKey: 0x2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48 @@ -44,9 +43,9 @@ Test: Verify AlgorithmType: KDF Name: HKDF(SHA-256) -Source: RFC 5689 +Source: RFC 5869 Comment: Test Case 1 -Key: 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b +Secret: 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b Salt: 0x000102030405060708090a0b0c Info: 0xf0f1f2f3f4f5f6f7f8f9 DerivedKeyLength: 42 @@ -55,9 +54,9 @@ Test: Verify AlgorithmType: KDF Name: HKDF(SHA-256) -Source: RFC 5689 +Source: RFC 5869 Comment: Test Case 2 -Key: 0x000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f +Secret: 0x000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f Salt: 0x606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf Info: 0xb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff DerivedKeyLength: 82 @@ -66,9 +65,9 @@ Test: Verify AlgorithmType: KDF Name: HKDF(SHA-256) -Source: RFC 5689 +Source: RFC 5869 Comment: Test Case 3 -Key: 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b +Secret: 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b Salt: "" Info: "" DerivedKeyLength: 42 @@ -79,7 +78,7 @@ AlgorithmType: KDF Name: HKDF(SHA-512) Source: Generated by Crypto++ 5.6.3 Comment: Test Case 8 (Mirror Tests 1 and 4) -Key: 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b +Secret: 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b Salt: 0x000102030405060708090a0b0c Info: 0xf0f1f2f3f4f5f6f7f8f9 DerivedKeyLength: 42 @@ -90,7 +89,7 @@ AlgorithmType: KDF Name: HKDF(SHA-512) Source: Generated by Crypto++ 5.6.3 Comment: Test Case 9 (Mirror Tests 2 and 5) -Key: 0x000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f +Secret: 0x000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f Salt: 0x606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf Info: 0xb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff DerivedKeyLength: 82 @@ -101,7 +100,7 @@ AlgorithmType: KDF Name: HKDF(SHA-512) Source: Generated by Crypto++ 5.6.3 Comment: Test Case 10 (Mirror Test 3 and 6) -Key: 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b +Secret: 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b Salt: "" Info: "" DerivedKeyLength: 42 @@ -112,7 +111,7 @@ AlgorithmType: KDF Name: HKDF(SHA-512) Source: Generated by Crypto++ 5.6.3 Comment: Test Case 11 -Key: 0x0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c +Secret: 0x0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c Salt: "" Info: DerivedKeyLength: 42 @@ -123,7 +122,7 @@ AlgorithmType: KDF Name: HKDF(SHA-512) Source: Generated by Crypto++ 5.6.3 Comment: Test Case 12 (Mirror Tests 3 and 6) -Key: 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b +Secret: 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b Salt: "" Info: "" DerivedKeyLength: 42 @@ -134,7 +133,7 @@ AlgorithmType: KDF Name: HKDF(Whirlpool) Source: Generated by Crypto++ 5.6.3 Comment: Test Case 13 (Mirror Tests 1 and 4) -Key: 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b +Secret: 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b Salt: 0x000102030405060708090a0b0c Info: 0xf0f1f2f3f4f5f6f7f8f9 DerivedKeyLength: 42 @@ -145,7 +144,7 @@ AlgorithmType: KDF Name: HKDF(Whirlpool) Source: Generated by Crypto++ 5.6.3 Comment: Test Case 14 (Mirror Tests 2 and 5) -Key: 0x000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f +Secret: 0x000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f Salt: 0x606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf Info: 0xb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff DerivedKeyLength: 82 @@ -156,7 +155,7 @@ AlgorithmType: KDF Name: HKDF(Whirlpool) Source: Generated by Crypto++ 5.6.3 Comment: Test Case 15 (Mirror Tests 3 and 6) -Key: 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b +Secret: 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b Salt: "" Info: "" DerivedKeyLength: 42 @@ -167,8 +166,7 @@ AlgorithmType: KDF Name: HKDF(Whirlpool) Source: Generated by Crypto++ 5.6.3 Comment: Test Case 16 (Mirror Test 7) -Key: 0x0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c -Salt: r64 0x00 +Secret: 0x0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c Info: "" DerivedKeyLength: 42 DerivedKey: 0x4089286EBFB23DD8A02F0C9DAA35D538EB09CD0A8CBAB203F39083AA3E0BD313E6F91E64F21A187510B0 diff --git a/cryptlib.cpp b/cryptlib.cpp index f7525d80..2c67cd74 100644 --- a/cryptlib.cpp +++ b/cryptlib.cpp @@ -333,6 +333,31 @@ void RandomNumberGenerator::GenerateIntoBufferedTransformation(BufferedTransform } } +const Algorithm & KeyDerivationFunction::GetAlgorithm() const +{ + return *this; +} + +size_t KeyDerivationFunction::MinDerivedLength() const +{ + return 0; +} + +size_t KeyDerivationFunction::MaxDerivedLength() const +{ + return static_cast(-1); +} + +void KeyDerivationFunction::ThrowIfInvalidDerivedLength(size_t length) const +{ + if (!IsValidDerivedLength(length)) + throw InvalidDerivedLength(GetAlgorithm().AlgorithmName(), length); +} + +void KeyDerivationFunction::SetParameters(const NameValuePairs& params) { + CRYPTOPP_UNUSED(params); +} + /// \brief Random Number Generator that does not produce random numbers /// \details ClassNullRNG can be used for functions that require a RandomNumberGenerator /// but don't actually use it. The class throws NotImplemented when a generation function is called. diff --git a/cryptlib.h b/cryptlib.h index 4c9a2339..35952ef9 100644 --- a/cryptlib.h +++ b/cryptlib.h @@ -632,8 +632,7 @@ public: /// \brief Sets or reset the key of this object /// \param key the key to use when keying the object /// \param length the size of the key, in bytes - /// \param params additional initialization parameters that cannot be passed - /// directly through the constructor + /// \param params additional initialization parameters to configure this object virtual void SetKey(const byte *key, size_t length, const NameValuePairs ¶ms = g_nullNameValuePairs); /// \brief Sets or reset the key of this object @@ -1325,8 +1324,10 @@ protected: }; /// \brief Interface for random number generators -/// \details The library provides a number of random number generators, from software based to hardware based generators. +/// \details The library provides a number of random number generators, from software based +/// to hardware based generators. /// \details All generated values are uniformly distributed over the range specified. +/// \since Crypto++ 3.1 class CRYPTOPP_DLL CRYPTOPP_NO_VTABLE RandomNumberGenerator : public Algorithm { public: @@ -1336,10 +1337,10 @@ public: /// \param input the entropy to add to the generator /// \param length the size of the input buffer /// \throws NotImplemented - /// \details A generator may or may not accept additional entropy. Call CanIncorporateEntropy() to test for the - /// ability to use additional entropy. - /// \details If a derived class does not override IncorporateEntropy(), then the base class throws - /// NotImplemented. + /// \details A generator may or may not accept additional entropy. Call CanIncorporateEntropy() + /// to test for the ability to use additional entropy. + /// \details If a derived class does not override IncorporateEntropy(), then the base class + /// throws NotImplemented. virtual void IncorporateEntropy(const byte *input, size_t length) { CRYPTOPP_UNUSED(input); CRYPTOPP_UNUSED(length); @@ -1411,6 +1412,70 @@ public: } }; +/// \brief Interface for key derivation functions +/// \since Crypto++ 6.2 +class CRYPTOPP_DLL CRYPTOPP_NO_VTABLE KeyDerivationFunction : public Algorithm +{ +public: + virtual ~KeyDerivationFunction() {} + + virtual const Algorithm & GetAlgorithm() const =0; + + /// \brief Provides the name of this algorithm + /// \return the standard algorithm name + virtual std::string AlgorithmName() const =0; + + /// \brief Determine minimum number of bytes + /// \returns Minimum number of bytes which can be derived + virtual size_t MinDerivedLength() const; + + /// \brief Determine maximum number of bytes + /// \returns Maximum number of bytes which can be derived + virtual size_t MaxDerivedLength() const; + + /// \brief Returns a valid key length for the derivation function + /// \param keylength the size of the derived key, in bytes + /// \returns the valid key length, in bytes + virtual size_t GetValidDerivedLength(size_t keylength) const =0; + + /// \brief Returns whether keylength is a valid key length + /// \param keylength the requested keylength + /// \return true if the derived keylength is valid, false otherwise + /// \details Internally the function calls GetValidKeyLength() + virtual bool IsValidDerivedLength(size_t keylength) const { + return keylength == GetValidDerivedLength(keylength); + } + + /// \brief Derive a key from a seed + /// \param derived the derived output buffer + /// \param derivedLen the size of the derived buffer, in bytes + /// \param secret the seed input buffer + /// \param secretLen the size of the secret buffer, in bytes + /// \param params additional initialization parameters to configure this object + /// \returns the number of bytes derived + /// \throws InvalidDerivedLength if derivedLen is invalid for the scheme + /// \details DeriveKey() provides a standard interface to derive a key from + /// a secret seed and other parameters. Each class that derives from KeyDerivationFunction + /// provides an overload that accepts most parameters used by the derivation function. + /// \details the number of bytes derived by DeriveKey() may be less than the number + /// requested in derivedLen. For example, a scheme may be limited to a + /// certain amount of time for derivation. + virtual size_t DeriveKey(byte *derived, size_t derivedLen, const byte *secret, size_t secretLen, const NameValuePairs& params) const =0; + + /// \brief Set or change parameters + /// \param params additional initialization parameters to configure this object + /// \details SetParameters() is useful for setting common parameters when an object is + /// reused. Some derivation function classes may choose to implement it. + virtual void SetParameters(const NameValuePairs& params); + +protected: + + /// \brief Validates the derived key length + /// \param length the size of the derived key material, in bytes + /// \throws InvalidKeyLength if the key length is invalid + void ThrowIfInvalidDerivedLength(size_t length) const; +}; + /// \brief Random Number Generator that does not produce random numbers /// \return reference that can be passed to functions that require a RandomNumberGenerator /// \details NullRNG() returns a reference that can be passed to functions that require a @@ -2047,7 +2112,7 @@ public: /// \brief Request space which can be written into by the caller /// \param channel the channel to process the data /// \param size the requested size of the buffer - /// \return a pointer to a memroy block with length size + /// \return a pointer to a memory block with length size /// \details The purpose of this method is to help avoid extra memory allocations. /// \details size is an \a IN and \a OUT parameter and used as a hint. When the call is made, /// size is the requested size of the buffer. When the call returns, size is the size of diff --git a/datatest.cpp b/datatest.cpp index d3c58423..40eb7f86 100644 --- a/datatest.cpp +++ b/datatest.cpp @@ -15,7 +15,6 @@ #include "queue.h" #include "smartptr.h" #include "validate.h" -#include "hkdf.h" #include "stdcpp.h" #include #include @@ -150,13 +149,15 @@ void PutDecodedDatumInto(const TestData &data, const char *name, BufferedTransfo } else if (s1.substr(0, 2) == "0x") { - StringSource(s1.substr(2, s1.find(' ')), true, new HexDecoder(new StringSink(s2))); - s1 = s1.substr(STDMIN(s1.find(' '), s1.length())); + std::string::size_type pos = s1.find(' '); + StringSource(s1.substr(2, pos), true, new HexDecoder(new StringSink(s2))); + s1 = s1.substr(STDMIN(pos, s1.length())); } else { - StringSource(s1.substr(0, s1.find(' ')), true, new HexDecoder(new StringSink(s2))); - s1 = s1.substr(STDMIN(s1.find(' '), s1.length())); + std::string::size_type pos = s1.find(' '); + StringSource(s1.substr(0, pos), true, new HexDecoder(new StringSink(s2))); + s1 = s1.substr(STDMIN(pos, s1.length())); } while (repeat--) @@ -222,7 +223,7 @@ public: { m_temp.clear(); PutDecodedDatumInto(m_data, name, StringSink(m_temp).Ref()); - reinterpret_cast(pValue)->Assign((const byte *)m_temp.data(), m_temp.size(), false); + reinterpret_cast(pValue)->Assign((const byte *)&m_temp[0], m_temp.size(), false); } else throw ValueTypeMismatch(name, typeid(std::string), valueType); @@ -258,12 +259,12 @@ void TestSignatureScheme(TestData &v) member_ptr signer(ObjectFactoryRegistry::Registry().CreateObject(name.c_str())); member_ptr verifier(ObjectFactoryRegistry::Registry().CreateObject(name.c_str())); - TestDataNameValuePairs pairs(v); - // Code coverage (void)signer->AlgorithmName(); (void)verifier->AlgorithmName(); + TestDataNameValuePairs pairs(v); + if (test == "GenerateKey") { signer->AccessPrivateKey().GenerateRandom(Test::GlobalRNG(), pairs); @@ -329,11 +330,6 @@ void TestSignatureScheme(TestData &v) return; } - else if (test == "RandomSign") - { - SignalTestError(); - CRYPTOPP_ASSERT(false); // TODO: implement - } else { SignalTestError(); @@ -349,6 +345,10 @@ void TestAsymmetricCipher(TestData &v) member_ptr encryptor(ObjectFactoryRegistry::Registry().CreateObject(name.c_str())); member_ptr decryptor(ObjectFactoryRegistry::Registry().CreateObject(name.c_str())); + // Code coverage + (void)encryptor->AlgorithmName(); + (void)decryptor->AlgorithmName(); + std::string keyFormat = GetRequiredDatum(v, "KeyFormat"); if (keyFormat == "DER") @@ -363,10 +363,6 @@ void TestAsymmetricCipher(TestData &v) encryptor->AccessMaterial().AssignFrom(pairs); } - // Code coverage - (void)encryptor->AlgorithmName(); - (void)decryptor->AlgorithmName(); - if (test == "DecryptMatch") { std::string decrypted, expected = GetDecodedDatum(v, "Plaintext"); @@ -406,6 +402,16 @@ void TestSymmetricCipher(TestData &v, const NameValuePairs &overrideParameters) encryptor.reset(ObjectFactoryRegistry::Registry().CreateObject(name.c_str())); decryptor.reset(ObjectFactoryRegistry::Registry().CreateObject(name.c_str())); lastName = name; + + // Code coverage + (void)encryptor->AlgorithmName(); + (void)decryptor->AlgorithmName(); + (void)encryptor->MinKeyLength(); + (void)decryptor->MinKeyLength(); + (void)encryptor->MaxKeyLength(); + (void)decryptor->MaxKeyLength(); + (void)encryptor->DefaultKeyLength(); + (void)decryptor->DefaultKeyLength(); } // Most block ciphers don't specify BlockPaddingScheme. Kalyna uses it in test vectors. @@ -429,16 +435,6 @@ void TestSymmetricCipher(TestData &v, const NameValuePairs &overrideParameters) decryptor->SetKey((const byte *)key.data(), key.size(), pairs); } - // Code coverage - (void)encryptor->AlgorithmName(); - (void)decryptor->AlgorithmName(); - (void)encryptor->MinKeyLength(); - (void)decryptor->MinKeyLength(); - (void)encryptor->MaxKeyLength(); - (void)decryptor->MaxKeyLength(); - (void)encryptor->DefaultKeyLength(); - (void)decryptor->DefaultKeyLength(); - int seek = pairs.GetIntValueWithDefault("Seek", 0); if (seek) { @@ -681,26 +677,26 @@ void TestKeyDerivationFunction(TestData &v) if(test == "Skip") return; CRYPTOPP_ASSERT(test == "Verify"); - std::string key = GetDecodedDatum(v, "Key"); - std::string salt = GetDecodedDatum(v, "Salt"); - std::string info = GetDecodedDatum(v, "Info"); - std::string derived = GetDecodedDatum(v, "DerivedKey"); - std::string t = GetDecodedDatum(v, "DerivedKeyLength"); + std::string secret = GetDecodedDatum(v, "Secret"); + std::string expected = GetDecodedDatum(v, "DerivedKey"); TestDataNameValuePairs pairs(v); - unsigned int length = pairs.GetIntValueWithDefault(Name::DerivedKeyLength(), (int)derived.size()); member_ptr kdf; kdf.reset(ObjectFactoryRegistry::Registry().CreateObject(name.c_str())); - std::string calc; calc.resize(length); - unsigned int ret = kdf->DeriveKey(reinterpret_cast(&calc[0]), calc.size(), - reinterpret_cast(key.data()), key.size(), - reinterpret_cast(salt.data()), salt.size(), - reinterpret_cast(info.data()), info.size()); + std::string calculated; calculated.resize(expected.size()); + kdf->DeriveKey(reinterpret_cast(&calculated[0]), calculated.size(), + reinterpret_cast(&secret[0]), secret.size(), pairs); + + if(calculated != expected) + { + std::cerr << "Calculated: "; + StringSource(calculated, true, new HexEncoder(new FileSink(std::cerr))); + std::cerr << std::endl; - if(calc != derived || ret != length) SignalTestFailure(); + } } // GetField parses the name/value pairs. The tricky part is the insertion operator diff --git a/hkdf.h b/hkdf.h index 00217c98..0a09f2fa 100644 --- a/hkdf.h +++ b/hkdf.h @@ -4,29 +4,15 @@ /// \brief Classes for HKDF from RFC 5869 /// \since Crypto++ 5.6.3 -#ifndef CRYPTOPP_HASH_KEY_DERIVATION_FUNCTION_H -#define CRYPTOPP_HASH_KEY_DERIVATION_FUNCTION_H +#ifndef CRYPTOPP_HKDF_H +#define CRYPTOPP_HKDF_H #include "cryptlib.h" -#include "hrtimer.h" #include "secblock.h" #include "hmac.h" NAMESPACE_BEGIN(CryptoPP) -/// abstract base class for key derivation function -class KeyDerivationFunction -{ -public: - /// maximum number of bytes which can be produced under a secuirty context - virtual size_t MaxDerivedKeyLength() const =0; - virtual bool Usesinfo() const =0; - /// derive a key from secret - virtual unsigned int DeriveKey(byte *derived, size_t derivedLen, const byte *secret, size_t secretLen, const byte *salt, size_t saltLen, const byte* info=NULLPTR, size_t infoLen=0) const =0; - - virtual ~KeyDerivationFunction() {} -}; - /// \brief Extract-and-Expand Key Derivation Function (HKDF) /// \tparam T HashTransformation class /// \sa Cryptographic Extraction and Key Derivation: The HKDF Scheme @@ -36,20 +22,57 @@ template class HKDF : public KeyDerivationFunction { public: - CRYPTOPP_CONSTANT(DIGESTSIZE = T::DIGESTSIZE) - CRYPTOPP_CONSTANT(SALTSIZE = T::DIGESTSIZE) - static const char* StaticAlgorithmName () { - static const std::string name(std::string("HKDF(") + std::string(T::StaticAlgorithmName()) + std::string(")")); - return name.c_str(); + virtual ~HKDF() {} + + static std::string StaticAlgorithmName () { + const std::string name(std::string("HKDF(") + + std::string(T::StaticAlgorithmName()) + std::string(")")); + return name; } - size_t MaxDerivedKeyLength() const {return static_cast(T::DIGESTSIZE) * 255;} - bool Usesinfo() const {return true;} - unsigned int DeriveKey(byte *derived, size_t derivedLen, const byte *secret, size_t secretLen, const byte *salt, size_t saltLen, const byte* info, size_t infoLen) const; + + const Algorithm & GetAlgorithm() const { + return *this; + } + + std::string AlgorithmName() const { + return StaticAlgorithmName(); + } + + size_t MaxDerivedLength() const { + return static_cast(T::DIGESTSIZE) * 255; + } + + size_t GetValidDerivedLength(size_t keylength) const; + + // Base class override + size_t DeriveKey(byte *derived, size_t derivedLen, const byte *secret, size_t secretLen, + const NameValuePairs& params) const; + + /// \brief Derive a key from a seed + /// \param derived the derived output buffer + /// \param derivedLen the size of the derived buffer, in bytes + /// \param secret the seed input buffer + /// \param secretLen the size of the secret buffer, in bytes + /// \param salt the salt input buffer + /// \param saltLen the size of the salt buffer, in bytes + /// \param info the additional input buffer + /// \param infoLen the size of the info buffer, in bytes + /// \throws InvalidDerivedLength if derivedLen is invalid for the scheme + /// \details DeriveKey() provides a standard interface to derive a key from + /// a seed and other parameters. Each class that derives from KeyDerivationFunction + /// provides an overload that accepts most parameters used by the derivation function. + /// \details salt and info can be nullptr with 0 length. + /// HDF is unusual in that a non-NULL salt with length 0 is different than a + /// NULL salt. A NULL salt causes HDF to use a string of 0's + /// of length T::DIGESTSIZE for the salt. + size_t DeriveKey(byte *derived, size_t derivedLen, const byte *secret, size_t secretLen, + const byte *salt, size_t saltLen, const byte* info, size_t infoLen) const; protected: - // If salt is missing (NULLPTR), then use the NULL vector. Missing is different than EMPTY (0 length). The length - // of s_NullVector used depends on the Hash function. SHA-256 will use 32 bytes of s_NullVector. - typedef byte NullVectorType[SALTSIZE]; + // If salt is absent (NULL), then use the NULL vector. Missing is different than + // EMPTY (Non-NULL, 0 length). The length of s_NullVector used depends on the Hash + // function. SHA-256 will use 32 bytes of s_NullVector. + typedef byte NullVectorType[T::DIGESTSIZE]; static const NullVectorType& GetNullVector() { static const NullVectorType s_NullVector = {0}; return s_NullVector; @@ -57,53 +80,88 @@ protected: }; template -unsigned int HKDF::DeriveKey(byte *derived, size_t derivedLen, const byte *secret, size_t secretLen, const byte *salt, size_t saltLen, const byte* info, size_t infoLen) const +size_t HKDF::GetValidDerivedLength(size_t keylength) const { - static const size_t DIGEST_SIZE = static_cast(T::DIGESTSIZE); - const unsigned int req = static_cast(derivedLen); + if (keylength > MaxDerivedLength()) + return MaxDerivedLength(); + return keylength; +} +template +size_t HKDF::DeriveKey(byte *derived, size_t derivedLen, + const byte *secret, size_t secretLen, const NameValuePairs& params) const +{ CRYPTOPP_ASSERT(secret && secretLen); CRYPTOPP_ASSERT(derived && derivedLen); - CRYPTOPP_ASSERT(derivedLen <= MaxDerivedKeyLength()); + CRYPTOPP_ASSERT(derivedLen <= MaxDerivedLength()); - if (derivedLen > MaxDerivedKeyLength()) - throw InvalidArgument("HKDF: derivedLen must be less than or equal to MaxDerivedKeyLength"); + ThrowIfInvalidDerivedLength(derivedLen); + // Copy-out Salt to a temporary + ConstByteArrayParameter p; + if (!params.GetValue("Salt", p)) + p = ConstByteArrayParameter(GetNullVector(), T::DIGESTSIZE); + SecByteBlock salt(p.begin(), p.size()); + + // Warning: the 'params.GetValue' for Info blows away the data + // from the previous call to 'params.GetValue' for Salt. + // It is the reason we copy-out the data after Salt. + if (!params.GetValue("Info", p)) + p = ConstByteArrayParameter(GetNullVector(), 0); + SecByteBlock info(p.begin(), p.size()); + + // key is PRK from the RFC, salt is IKM from the RFC HMAC hmac; - FixedSizeSecBlock prk, buffer; + SecByteBlock key(T::DIGESTSIZE), buffer(T::DIGESTSIZE); // Extract - const byte* key = (salt ? salt : GetNullVector()); - const size_t klen = (salt ? saltLen : DIGEST_SIZE); + hmac.SetKey(salt.begin(), salt.size()); + hmac.CalculateDigest(key, secret, secretLen); - hmac.SetKey(key, klen); - hmac.CalculateDigest(prk, secret, secretLen); - - // Expand - hmac.SetKey(prk.data(), prk.size()); + // Key + hmac.SetKey(key.begin(), key.size()); byte block = 0; - while (derivedLen > 0) + size_t bytesRemaining = derivedLen; + size_t digestSize = static_cast(T::DIGESTSIZE); + + // Expand + while (bytesRemaining > 0) { if (block++) {hmac.Update(buffer, buffer.size());} - if (info && infoLen) {hmac.Update(info, infoLen);} + if (info.size()) {hmac.Update(info.begin(), info.size());} hmac.CalculateDigest(buffer, &block, 1); #if CRYPTOPP_MSC_VERSION - const size_t segmentLen = STDMIN(derivedLen, DIGEST_SIZE); + const size_t segmentLen = STDMIN(bytesRemaining, digestSize); memcpy_s(derived, segmentLen, buffer, segmentLen); #else - const size_t segmentLen = STDMIN(derivedLen, DIGEST_SIZE); + const size_t segmentLen = STDMIN(bytesRemaining, digestSize); std::memcpy(derived, buffer, segmentLen); #endif derived += segmentLen; - derivedLen -= segmentLen; + bytesRemaining -= segmentLen; } - return req; + return derivedLen; +} + +template +size_t HKDF::DeriveKey(byte *derived, size_t derivedLen, const byte *secret, size_t secretLen, + const byte *salt, size_t saltLen, const byte* info, size_t infoLen) const +{ + AlgorithmParameters params; + + if (salt != NULLPTR) // Non-NULL and 0 length is valid for HKDF salt + params.operator()(Name::Salt(), ConstByteArrayParameter(salt, saltLen)); + + if (info != NULLPTR) // Non-NULL and 0 length is valid for HKDF salt + params.operator()("Info", ConstByteArrayParameter(info, infoLen)); + + return DeriveKey(derived, derivedLen, secret, secretLen, params); } NAMESPACE_END -#endif // CRYPTOPP_HASH_KEY_DERIVATION_FUNCTION_H +#endif // CRYPTOPP_HKDF_H diff --git a/simple.h b/simple.h index a8c652c5..4ebe8d81 100644 --- a/simple.h +++ b/simple.h @@ -69,6 +69,13 @@ public: explicit InvalidBlockSize(const std::string &algorithm, size_t length) : InvalidArgument(algorithm + ": " + IntToString(length) + " is not a valid block size") {} }; +/// \brief Exception thrown when an invalid derived key length is encountered +class CRYPTOPP_DLL InvalidDerivedLength : public InvalidArgument +{ +public: + explicit InvalidDerivedLength(const std::string &algorithm, size_t length) : InvalidArgument(algorithm + ": " + IntToString(length) + " is not a valid derived key length") {} +}; + /// \brief Exception thrown when an invalid personalization string length is encountered class CRYPTOPP_DLL InvalidPersonalizationLength : public InvalidArgument { diff --git a/validat3.cpp b/validat3.cpp index 44b0dbef..dfd72c9e 100644 --- a/validat3.cpp +++ b/validat3.cpp @@ -662,15 +662,18 @@ bool TestHKDF(KeyDerivationFunction &kdf, const HKDF_TestTuple *testSet, unsigne StringSource(tuple.hexSalt ? tuple.hexSalt : "", true, new HexDecoder(new StringSink(salt))); StringSource(tuple.hexInfo ? tuple.hexInfo : "", true, new HexDecoder(new StringSink(info))); StringSource(tuple.hexExpected, true, new HexDecoder(new StringSink(expected))); - SecByteBlock derived(expected.size()); - unsigned int ret = kdf.DeriveKey(derived, derived.size(), - reinterpret_cast(secret.data()), secret.size(), - (tuple.hexSalt ? reinterpret_cast(salt.data()) : NULLPTR), salt.size(), - (tuple.hexInfo ? reinterpret_cast(info.data()) : NULLPTR), info.size()); - bool fail = !VerifyBufsEqual(derived, reinterpret_cast(expected.data()), derived.size()); - pass = pass && (ret == tuple.len) && !fail; + AlgorithmParameters params; + if (tuple.hexSalt) + params.operator()(Name::Salt(), ConstByteArrayParameter((const byte*)&salt[0], salt.size())); + if (tuple.hexSalt) + params.operator()("Info", ConstByteArrayParameter((const byte*)&info[0], info.size())); + + kdf.DeriveKey((byte*)&derived[0], derived.size(), (const byte*)&secret[0], secret.size(), params); + + bool fail = !VerifyBufsEqual(derived, (const byte*)&expected[0], derived.size()); + pass = pass && !fail; HexEncoder enc(new FileSink(std::cout)); std::cout << (fail ? "FAILED " : "passed "); @@ -748,8 +751,6 @@ bool ValidateHKDF() pass = TestHKDF(hkdf, testSet, COUNTOF(testSet)) && pass; } - - { // Whirlpool, Crypto++ generated, based on RFC 5869, https://tools.ietf.org/html/rfc5869 static const HKDF_TestTuple testSet[] =