Diffstat (limited to 'crypto/hkdf.cc')
-rw-r--r-- | crypto/hkdf.cc | 92 |
1 files changed, 92 insertions, 0 deletions
diff --git a/crypto/hkdf.cc b/crypto/hkdf.cc
new file mode 100644
index 0000000..18bba6a
--- /dev/null
+++ b/crypto/hkdf.cc
@@ -0,0 +1,92 @@
+// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "crypto/hkdf.h"
+
+#include "base/logging.h"
+#include "crypto/hmac.h"
+
+namespace crypto {
+
+const size_t kSHA256HashLength = 32;
+
+HKDF::HKDF(const base::StringPiece& secret,
+ const base::StringPiece& salt,
+ const base::StringPiece& info,
+ size_t key_bytes_to_generate,
+ size_t iv_bytes_to_generate) {
+ // https://tools.ietf.org/html/rfc5869#section-2.2
+ base::StringPiece actual_salt = salt;
+ char zeros[kSHA256HashLength];
+ if (actual_salt.empty()) {
+ // If salt is not given, HashLength zeros are used.
+ memset(zeros, 0, sizeof(zeros));
+ actual_salt.set(zeros, sizeof(zeros));
+ }
+
+ // Perform the Extract step to transform the input key and
+ // salt into the pseudorandom key (PRK) used for Expand.
+ HMAC prk_hmac(HMAC::SHA256);
+ bool result = prk_hmac.Init(actual_salt);
+ DCHECK(result);
+
+ // |prk| is a pseudorandom key (of kSHA256HashLength octets).
+ uint8 prk[kSHA256HashLength];
+ DCHECK_EQ(sizeof(prk), prk_hmac.DigestLength());
+ result = prk_hmac.Sign(secret, prk, sizeof(prk));
+ DCHECK(result);
+
+ // https://tools.ietf.org/html/rfc5869#section-2.3
+ // Perform the Expand phase to turn the pseudorandom key
+ // and info into the output keying material.
+ const size_t material_length =
+ 2*key_bytes_to_generate + 2*iv_bytes_to_generate;
+ const size_t n = (material_length + kSHA256HashLength-1) /
+ kSHA256HashLength;
+ DCHECK_LT(n, 256u);
+
+ output_.resize(n * kSHA256HashLength);
+ base::StringPiece previous;
+
+ char* buf = new char[kSHA256HashLength + info.size() + 1];
+ uint8 digest[kSHA256HashLength];
+
+ HMAC hmac(HMAC::SHA256);
+ result = hmac.Init(prk, sizeof(prk));
+ DCHECK(result);
+
+ for (size_t i = 0; i < n; i++) {
+ memcpy(buf, previous.data(), previous.size());
+ size_t j = previous.size();
+ memcpy(buf + j, info.data(), info.size());
+ j += info.size();
+ buf[j++] = static_cast<char>((i + 1) & 0xFF);
+
+ result = hmac.Sign(base::StringPiece(buf, j), digest, sizeof(digest));
+ DCHECK(result);
+
+ memcpy(&output_[i*sizeof(digest)], digest, sizeof(digest));
+ previous = base::StringPiece(reinterpret_cast<char*>(digest),
+ sizeof(digest));
+ }
+
+ size_t j = 0;
+ client_write_key_ = base::StringPiece(reinterpret_cast<char *>(&output_[j]),
+ key_bytes_to_generate);
+ j += key_bytes_to_generate;
+ server_write_key_ = base::StringPiece(reinterpret_cast<char *>(&output_[j]),
+ key_bytes_to_generate);
+ j += key_bytes_to_generate;
+ client_write_iv_ = base::StringPiece(reinterpret_cast<char *>(&output_[j]),
+ iv_bytes_to_generate);
+ j += iv_bytes_to_generate;
+ server_write_iv_ = base::StringPiece(reinterpret_cast<char *>(&output_[j]),
+ iv_bytes_to_generate);
+ delete[] buf;
+}
+
+HKDF::~HKDF() {
+}
+
+} // namespace crypto |
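Review bot: Every failure check in the constructor is a DCHECK, so in builds where DCHECKs are compiled out a failed `prk_hmac.Init`/`Sign` or `hmac.Sign` goes unnoticed and the uninitialized `prk` or `digest` stack bytes become the derived keys. The same applies to `DCHECK_LT(n, 256u)`: a request longer than 255 blocks (the cap in RFC 5869 section 2.3) would wrap the counter byte `(i + 1) & 0xFF` instead of being rejected. I would make these hard failures, e.g. `CHECK(result);` and `CHECK_LT(n, 256u);`, since the constructor has no way to report an error to its caller. Separately, `prk`, `digest` and `buf` hold secret-derived material and are released without being cleared, and `&output_[j]` indexes one past the end when `iv_bytes_to_generate` is 0 and the material length is an exact multiple of the hash size.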