mirror of
https://github.com/FreeRTOS/FreeRTOS-Kernel.git
synced 2025-04-23 15:01:56 -04:00
826 lines
20 KiB
C
826 lines
20 KiB
C
/* hmac.c
|
|
*
|
|
* Copyright (C) 2006-2014 wolfSSL Inc.
|
|
*
|
|
* This file is part of CyaSSL.
|
|
*
|
|
* CyaSSL is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation; either version 2 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* CyaSSL is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program; if not, write to the Free Software
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
|
|
*/
|
|
|
|
#ifdef HAVE_CONFIG_H
|
|
#include <config.h>
|
|
#endif
|
|
|
|
#include <cyassl/ctaocrypt/settings.h>
|
|
|
|
#ifndef NO_HMAC
|
|
|
|
#ifdef CYASSL_PIC32MZ_HASH
|
|
|
|
#define InitMd5 InitMd5_sw
|
|
#define Md5Update Md5Update_sw
|
|
#define Md5Final Md5Final_sw
|
|
|
|
#define InitSha InitSha_sw
|
|
#define ShaUpdate ShaUpdate_sw
|
|
#define ShaFinal ShaFinal_sw
|
|
|
|
#define InitSha256 InitSha256_sw
|
|
#define Sha256Update Sha256Update_sw
|
|
#define Sha256Final Sha256Final_sw
|
|
|
|
#endif
|
|
|
|
#ifdef HAVE_FIPS
|
|
/* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
|
|
#define FIPS_NO_WRAPPERS
|
|
#endif
|
|
|
|
#include <cyassl/ctaocrypt/hmac.h>
|
|
#include <cyassl/ctaocrypt/error-crypt.h>
|
|
|
|
|
|
#ifdef HAVE_CAVIUM
|
|
static void HmacCaviumFinal(Hmac* hmac, byte* hash);
|
|
static void HmacCaviumUpdate(Hmac* hmac, const byte* msg, word32 length);
|
|
static void HmacCaviumSetKey(Hmac* hmac, int type, const byte* key,
|
|
word32 length);
|
|
#endif
|
|
|
|
static int InitHmac(Hmac* hmac, int type)
|
|
{
|
|
int ret = 0;
|
|
|
|
hmac->innerHashKeyed = 0;
|
|
hmac->macType = (byte)type;
|
|
|
|
if (!(type == MD5 || type == SHA || type == SHA256 || type == SHA384
|
|
|| type == SHA512 || type == BLAKE2B_ID))
|
|
return BAD_FUNC_ARG;
|
|
|
|
switch (type) {
|
|
#ifndef NO_MD5
|
|
case MD5:
|
|
InitMd5(&hmac->hash.md5);
|
|
break;
|
|
#endif
|
|
|
|
#ifndef NO_SHA
|
|
case SHA:
|
|
ret = InitSha(&hmac->hash.sha);
|
|
break;
|
|
#endif
|
|
|
|
#ifndef NO_SHA256
|
|
case SHA256:
|
|
ret = InitSha256(&hmac->hash.sha256);
|
|
break;
|
|
#endif
|
|
|
|
#ifdef CYASSL_SHA384
|
|
case SHA384:
|
|
ret = InitSha384(&hmac->hash.sha384);
|
|
break;
|
|
#endif
|
|
|
|
#ifdef CYASSL_SHA512
|
|
case SHA512:
|
|
ret = InitSha512(&hmac->hash.sha512);
|
|
break;
|
|
#endif
|
|
|
|
#ifdef HAVE_BLAKE2
|
|
case BLAKE2B_ID:
|
|
ret = InitBlake2b(&hmac->hash.blake2b, BLAKE2B_256);
|
|
break;
|
|
#endif
|
|
|
|
default:
|
|
return BAD_FUNC_ARG;
|
|
}
|
|
|
|
return ret;
|
|
}
|
|
|
|
|
|
int HmacSetKey(Hmac* hmac, int type, const byte* key, word32 length)
|
|
{
|
|
byte* ip = (byte*) hmac->ipad;
|
|
byte* op = (byte*) hmac->opad;
|
|
word32 i, hmac_block_size = 0;
|
|
int ret;
|
|
|
|
#ifdef HAVE_CAVIUM
|
|
if (hmac->magic == CYASSL_HMAC_CAVIUM_MAGIC)
|
|
return HmacCaviumSetKey(hmac, type, key, length);
|
|
#endif
|
|
|
|
ret = InitHmac(hmac, type);
|
|
if (ret != 0)
|
|
return ret;
|
|
|
|
#ifdef HAVE_FIPS
|
|
if (length < HMAC_FIPS_MIN_KEY)
|
|
return HMAC_MIN_KEYLEN_E;
|
|
#endif
|
|
|
|
switch (hmac->macType) {
|
|
#ifndef NO_MD5
|
|
case MD5:
|
|
{
|
|
hmac_block_size = MD5_BLOCK_SIZE;
|
|
if (length <= MD5_BLOCK_SIZE) {
|
|
XMEMCPY(ip, key, length);
|
|
}
|
|
else {
|
|
Md5Update(&hmac->hash.md5, key, length);
|
|
Md5Final(&hmac->hash.md5, ip);
|
|
length = MD5_DIGEST_SIZE;
|
|
}
|
|
}
|
|
break;
|
|
#endif
|
|
|
|
#ifndef NO_SHA
|
|
case SHA:
|
|
{
|
|
hmac_block_size = SHA_BLOCK_SIZE;
|
|
if (length <= SHA_BLOCK_SIZE) {
|
|
XMEMCPY(ip, key, length);
|
|
}
|
|
else {
|
|
ShaUpdate(&hmac->hash.sha, key, length);
|
|
ShaFinal(&hmac->hash.sha, ip);
|
|
length = SHA_DIGEST_SIZE;
|
|
}
|
|
}
|
|
break;
|
|
#endif
|
|
|
|
#ifndef NO_SHA256
|
|
case SHA256:
|
|
{
|
|
hmac_block_size = SHA256_BLOCK_SIZE;
|
|
if (length <= SHA256_BLOCK_SIZE) {
|
|
XMEMCPY(ip, key, length);
|
|
}
|
|
else {
|
|
ret = Sha256Update(&hmac->hash.sha256, key, length);
|
|
if (ret != 0)
|
|
return ret;
|
|
|
|
ret = Sha256Final(&hmac->hash.sha256, ip);
|
|
if (ret != 0)
|
|
return ret;
|
|
|
|
length = SHA256_DIGEST_SIZE;
|
|
}
|
|
}
|
|
break;
|
|
#endif
|
|
|
|
#ifdef CYASSL_SHA384
|
|
case SHA384:
|
|
{
|
|
hmac_block_size = SHA384_BLOCK_SIZE;
|
|
if (length <= SHA384_BLOCK_SIZE) {
|
|
XMEMCPY(ip, key, length);
|
|
}
|
|
else {
|
|
ret = Sha384Update(&hmac->hash.sha384, key, length);
|
|
if (ret != 0)
|
|
return ret;
|
|
|
|
ret = Sha384Final(&hmac->hash.sha384, ip);
|
|
if (ret != 0)
|
|
return ret;
|
|
|
|
length = SHA384_DIGEST_SIZE;
|
|
}
|
|
}
|
|
break;
|
|
#endif
|
|
|
|
#ifdef CYASSL_SHA512
|
|
case SHA512:
|
|
{
|
|
hmac_block_size = SHA512_BLOCK_SIZE;
|
|
if (length <= SHA512_BLOCK_SIZE) {
|
|
XMEMCPY(ip, key, length);
|
|
}
|
|
else {
|
|
ret = Sha512Update(&hmac->hash.sha512, key, length);
|
|
if (ret != 0)
|
|
return ret;
|
|
|
|
ret = Sha512Final(&hmac->hash.sha512, ip);
|
|
if (ret != 0)
|
|
return ret;
|
|
|
|
length = SHA512_DIGEST_SIZE;
|
|
}
|
|
}
|
|
break;
|
|
#endif
|
|
|
|
#ifdef HAVE_BLAKE2
|
|
case BLAKE2B_ID:
|
|
{
|
|
hmac_block_size = BLAKE2B_BLOCKBYTES;
|
|
if (length <= BLAKE2B_BLOCKBYTES) {
|
|
XMEMCPY(ip, key, length);
|
|
}
|
|
else {
|
|
ret = Blake2bUpdate(&hmac->hash.blake2b, key, length);
|
|
if (ret != 0)
|
|
return ret;
|
|
|
|
ret = Blake2bFinal(&hmac->hash.blake2b, ip, BLAKE2B_256);
|
|
if (ret != 0)
|
|
return ret;
|
|
|
|
length = BLAKE2B_256;
|
|
}
|
|
}
|
|
break;
|
|
#endif
|
|
|
|
default:
|
|
return BAD_FUNC_ARG;
|
|
}
|
|
if (length < hmac_block_size)
|
|
XMEMSET(ip + length, 0, hmac_block_size - length);
|
|
|
|
for(i = 0; i < hmac_block_size; i++) {
|
|
op[i] = ip[i] ^ OPAD;
|
|
ip[i] ^= IPAD;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
|
|
static int HmacKeyInnerHash(Hmac* hmac)
|
|
{
|
|
int ret = 0;
|
|
|
|
switch (hmac->macType) {
|
|
#ifndef NO_MD5
|
|
case MD5:
|
|
Md5Update(&hmac->hash.md5, (byte*) hmac->ipad, MD5_BLOCK_SIZE);
|
|
break;
|
|
#endif
|
|
|
|
#ifndef NO_SHA
|
|
case SHA:
|
|
ShaUpdate(&hmac->hash.sha, (byte*) hmac->ipad, SHA_BLOCK_SIZE);
|
|
break;
|
|
#endif
|
|
|
|
#ifndef NO_SHA256
|
|
case SHA256:
|
|
ret = Sha256Update(&hmac->hash.sha256,
|
|
(byte*) hmac->ipad, SHA256_BLOCK_SIZE);
|
|
if (ret != 0)
|
|
return ret;
|
|
break;
|
|
#endif
|
|
|
|
#ifdef CYASSL_SHA384
|
|
case SHA384:
|
|
ret = Sha384Update(&hmac->hash.sha384,
|
|
(byte*) hmac->ipad, SHA384_BLOCK_SIZE);
|
|
if (ret != 0)
|
|
return ret;
|
|
break;
|
|
#endif
|
|
|
|
#ifdef CYASSL_SHA512
|
|
case SHA512:
|
|
ret = Sha512Update(&hmac->hash.sha512,
|
|
(byte*) hmac->ipad, SHA512_BLOCK_SIZE);
|
|
if (ret != 0)
|
|
return ret;
|
|
break;
|
|
#endif
|
|
|
|
#ifdef HAVE_BLAKE2
|
|
case BLAKE2B_ID:
|
|
ret = Blake2bUpdate(&hmac->hash.blake2b,
|
|
(byte*) hmac->ipad,BLAKE2B_BLOCKBYTES);
|
|
if (ret != 0)
|
|
return ret;
|
|
break;
|
|
#endif
|
|
|
|
default:
|
|
break;
|
|
}
|
|
|
|
hmac->innerHashKeyed = 1;
|
|
|
|
return ret;
|
|
}
|
|
|
|
|
|
int HmacUpdate(Hmac* hmac, const byte* msg, word32 length)
|
|
{
|
|
int ret;
|
|
|
|
#ifdef HAVE_CAVIUM
|
|
if (hmac->magic == CYASSL_HMAC_CAVIUM_MAGIC)
|
|
return HmacCaviumUpdate(hmac, msg, length);
|
|
#endif
|
|
|
|
if (!hmac->innerHashKeyed) {
|
|
ret = HmacKeyInnerHash(hmac);
|
|
if (ret != 0)
|
|
return ret;
|
|
}
|
|
|
|
switch (hmac->macType) {
|
|
#ifndef NO_MD5
|
|
case MD5:
|
|
Md5Update(&hmac->hash.md5, msg, length);
|
|
break;
|
|
#endif
|
|
|
|
#ifndef NO_SHA
|
|
case SHA:
|
|
ShaUpdate(&hmac->hash.sha, msg, length);
|
|
break;
|
|
#endif
|
|
|
|
#ifndef NO_SHA256
|
|
case SHA256:
|
|
ret = Sha256Update(&hmac->hash.sha256, msg, length);
|
|
if (ret != 0)
|
|
return ret;
|
|
break;
|
|
#endif
|
|
|
|
#ifdef CYASSL_SHA384
|
|
case SHA384:
|
|
ret = Sha384Update(&hmac->hash.sha384, msg, length);
|
|
if (ret != 0)
|
|
return ret;
|
|
break;
|
|
#endif
|
|
|
|
#ifdef CYASSL_SHA512
|
|
case SHA512:
|
|
ret = Sha512Update(&hmac->hash.sha512, msg, length);
|
|
if (ret != 0)
|
|
return ret;
|
|
break;
|
|
#endif
|
|
|
|
#ifdef HAVE_BLAKE2
|
|
case BLAKE2B_ID:
|
|
ret = Blake2bUpdate(&hmac->hash.blake2b, msg, length);
|
|
if (ret != 0)
|
|
return ret;
|
|
break;
|
|
#endif
|
|
|
|
default:
|
|
break;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
|
|
int HmacFinal(Hmac* hmac, byte* hash)
|
|
{
|
|
int ret;
|
|
|
|
#ifdef HAVE_CAVIUM
|
|
if (hmac->magic == CYASSL_HMAC_CAVIUM_MAGIC)
|
|
return HmacCaviumFinal(hmac, hash);
|
|
#endif
|
|
|
|
if (!hmac->innerHashKeyed) {
|
|
ret = HmacKeyInnerHash(hmac);
|
|
if (ret != 0)
|
|
return ret;
|
|
}
|
|
|
|
switch (hmac->macType) {
|
|
#ifndef NO_MD5
|
|
case MD5:
|
|
{
|
|
Md5Final(&hmac->hash.md5, (byte*) hmac->innerHash);
|
|
|
|
Md5Update(&hmac->hash.md5, (byte*) hmac->opad, MD5_BLOCK_SIZE);
|
|
Md5Update(&hmac->hash.md5,
|
|
(byte*) hmac->innerHash, MD5_DIGEST_SIZE);
|
|
|
|
Md5Final(&hmac->hash.md5, hash);
|
|
}
|
|
break;
|
|
#endif
|
|
|
|
#ifndef NO_SHA
|
|
case SHA:
|
|
{
|
|
ShaFinal(&hmac->hash.sha, (byte*) hmac->innerHash);
|
|
|
|
ShaUpdate(&hmac->hash.sha, (byte*) hmac->opad, SHA_BLOCK_SIZE);
|
|
ShaUpdate(&hmac->hash.sha,
|
|
(byte*) hmac->innerHash, SHA_DIGEST_SIZE);
|
|
|
|
ShaFinal(&hmac->hash.sha, hash);
|
|
}
|
|
break;
|
|
#endif
|
|
|
|
#ifndef NO_SHA256
|
|
case SHA256:
|
|
{
|
|
ret = Sha256Final(&hmac->hash.sha256, (byte*) hmac->innerHash);
|
|
if (ret != 0)
|
|
return ret;
|
|
|
|
ret = Sha256Update(&hmac->hash.sha256,
|
|
(byte*) hmac->opad, SHA256_BLOCK_SIZE);
|
|
if (ret != 0)
|
|
return ret;
|
|
|
|
ret = Sha256Update(&hmac->hash.sha256,
|
|
(byte*) hmac->innerHash, SHA256_DIGEST_SIZE);
|
|
if (ret != 0)
|
|
return ret;
|
|
|
|
ret = Sha256Final(&hmac->hash.sha256, hash);
|
|
if (ret != 0)
|
|
return ret;
|
|
}
|
|
break;
|
|
#endif
|
|
|
|
#ifdef CYASSL_SHA384
|
|
case SHA384:
|
|
{
|
|
ret = Sha384Final(&hmac->hash.sha384, (byte*) hmac->innerHash);
|
|
if (ret != 0)
|
|
return ret;
|
|
|
|
ret = Sha384Update(&hmac->hash.sha384,
|
|
(byte*) hmac->opad, SHA384_BLOCK_SIZE);
|
|
if (ret != 0)
|
|
return ret;
|
|
|
|
ret = Sha384Update(&hmac->hash.sha384,
|
|
(byte*) hmac->innerHash, SHA384_DIGEST_SIZE);
|
|
if (ret != 0)
|
|
return ret;
|
|
|
|
ret = Sha384Final(&hmac->hash.sha384, hash);
|
|
if (ret != 0)
|
|
return ret;
|
|
}
|
|
break;
|
|
#endif
|
|
|
|
#ifdef CYASSL_SHA512
|
|
case SHA512:
|
|
{
|
|
ret = Sha512Final(&hmac->hash.sha512, (byte*) hmac->innerHash);
|
|
if (ret != 0)
|
|
return ret;
|
|
|
|
ret = Sha512Update(&hmac->hash.sha512,
|
|
(byte*) hmac->opad, SHA512_BLOCK_SIZE);
|
|
if (ret != 0)
|
|
return ret;
|
|
|
|
ret = Sha512Update(&hmac->hash.sha512,
|
|
(byte*) hmac->innerHash, SHA512_DIGEST_SIZE);
|
|
if (ret != 0)
|
|
return ret;
|
|
|
|
ret = Sha512Final(&hmac->hash.sha512, hash);
|
|
if (ret != 0)
|
|
return ret;
|
|
}
|
|
break;
|
|
#endif
|
|
|
|
#ifdef HAVE_BLAKE2
|
|
case BLAKE2B_ID:
|
|
{
|
|
ret = Blake2bFinal(&hmac->hash.blake2b, (byte*) hmac->innerHash,
|
|
BLAKE2B_256);
|
|
if (ret != 0)
|
|
return ret;
|
|
|
|
ret = Blake2bUpdate(&hmac->hash.blake2b,
|
|
(byte*) hmac->opad, BLAKE2B_BLOCKBYTES);
|
|
if (ret != 0)
|
|
return ret;
|
|
|
|
ret = Blake2bUpdate(&hmac->hash.blake2b,
|
|
(byte*) hmac->innerHash, BLAKE2B_256);
|
|
if (ret != 0)
|
|
return ret;
|
|
|
|
ret = Blake2bFinal(&hmac->hash.blake2b, hash, BLAKE2B_256);
|
|
if (ret != 0)
|
|
return ret;
|
|
}
|
|
break;
|
|
#endif
|
|
|
|
default:
|
|
break;
|
|
}
|
|
|
|
hmac->innerHashKeyed = 0;
|
|
|
|
return 0;
|
|
}
|
|
|
|
|
|
#ifdef HAVE_CAVIUM
|
|
|
|
/* Initiliaze Hmac for use with Nitrox device */
|
|
int HmacInitCavium(Hmac* hmac, int devId)
|
|
{
|
|
if (hmac == NULL)
|
|
return -1;
|
|
|
|
if (CspAllocContext(CONTEXT_SSL, &hmac->contextHandle, devId) != 0)
|
|
return -1;
|
|
|
|
hmac->keyLen = 0;
|
|
hmac->dataLen = 0;
|
|
hmac->type = 0;
|
|
hmac->devId = devId;
|
|
hmac->magic = CYASSL_HMAC_CAVIUM_MAGIC;
|
|
hmac->data = NULL; /* buffered input data */
|
|
|
|
hmac->innerHashKeyed = 0;
|
|
|
|
return 0;
|
|
}
|
|
|
|
|
|
/* Free Hmac from use with Nitrox device */
|
|
void HmacFreeCavium(Hmac* hmac)
|
|
{
|
|
if (hmac == NULL)
|
|
return;
|
|
|
|
CspFreeContext(CONTEXT_SSL, hmac->contextHandle, hmac->devId);
|
|
hmac->magic = 0;
|
|
XFREE(hmac->data, NULL, DYNAMIC_TYPE_CAVIUM_TMP);
|
|
hmac->data = NULL;
|
|
}
|
|
|
|
|
|
static void HmacCaviumFinal(Hmac* hmac, byte* hash)
|
|
{
|
|
word32 requestId;
|
|
|
|
if (CspHmac(CAVIUM_BLOCKING, hmac->type, NULL, hmac->keyLen,
|
|
(byte*)hmac->ipad, hmac->dataLen, hmac->data, hash, &requestId,
|
|
hmac->devId) != 0) {
|
|
CYASSL_MSG("Cavium Hmac failed");
|
|
}
|
|
hmac->innerHashKeyed = 0; /* tell update to start over if used again */
|
|
}
|
|
|
|
|
|
static void HmacCaviumUpdate(Hmac* hmac, const byte* msg, word32 length)
|
|
{
|
|
word16 add = (word16)length;
|
|
word32 total;
|
|
byte* tmp;
|
|
|
|
if (length > CYASSL_MAX_16BIT) {
|
|
CYASSL_MSG("Too big msg for cavium hmac");
|
|
return;
|
|
}
|
|
|
|
if (hmac->innerHashKeyed == 0) { /* starting new */
|
|
hmac->dataLen = 0;
|
|
hmac->innerHashKeyed = 1;
|
|
}
|
|
|
|
total = add + hmac->dataLen;
|
|
if (total > CYASSL_MAX_16BIT) {
|
|
CYASSL_MSG("Too big msg for cavium hmac");
|
|
return;
|
|
}
|
|
|
|
tmp = XMALLOC(hmac->dataLen + add, NULL,DYNAMIC_TYPE_CAVIUM_TMP);
|
|
if (tmp == NULL) {
|
|
CYASSL_MSG("Out of memory for cavium update");
|
|
return;
|
|
}
|
|
if (hmac->dataLen)
|
|
XMEMCPY(tmp, hmac->data, hmac->dataLen);
|
|
XMEMCPY(tmp + hmac->dataLen, msg, add);
|
|
|
|
hmac->dataLen += add;
|
|
XFREE(hmac->data, NULL, DYNAMIC_TYPE_CAVIUM_TMP);
|
|
hmac->data = tmp;
|
|
}
|
|
|
|
|
|
static void HmacCaviumSetKey(Hmac* hmac, int type, const byte* key,
|
|
word32 length)
|
|
{
|
|
hmac->macType = (byte)type;
|
|
if (type == MD5)
|
|
hmac->type = MD5_TYPE;
|
|
else if (type == SHA)
|
|
hmac->type = SHA1_TYPE;
|
|
else if (type == SHA256)
|
|
hmac->type = SHA256_TYPE;
|
|
else {
|
|
CYASSL_MSG("unsupported cavium hmac type");
|
|
}
|
|
|
|
hmac->innerHashKeyed = 0; /* should we key Startup flag */
|
|
|
|
hmac->keyLen = (word16)length;
|
|
/* store key in ipad */
|
|
XMEMCPY(hmac->ipad, key, length);
|
|
}
|
|
|
|
#endif /* HAVE_CAVIUM */
|
|
|
|
int CyaSSL_GetHmacMaxSize(void)
|
|
{
|
|
return MAX_DIGEST_SIZE;
|
|
}
|
|
|
|
#ifdef HAVE_HKDF
|
|
|
|
#ifndef min
|
|
|
|
static INLINE word32 min(word32 a, word32 b)
|
|
{
|
|
return a > b ? b : a;
|
|
}
|
|
|
|
#endif /* min */
|
|
|
|
|
|
static INLINE int GetHashSizeByType(int type)
|
|
{
|
|
if (!(type == MD5 || type == SHA || type == SHA256 || type == SHA384
|
|
|| type == SHA512 || type == BLAKE2B_ID))
|
|
return BAD_FUNC_ARG;
|
|
|
|
switch (type) {
|
|
#ifndef NO_MD5
|
|
case MD5:
|
|
return MD5_DIGEST_SIZE;
|
|
break;
|
|
#endif
|
|
|
|
#ifndef NO_SHA
|
|
case SHA:
|
|
return SHA_DIGEST_SIZE;
|
|
break;
|
|
#endif
|
|
|
|
#ifndef NO_SHA256
|
|
case SHA256:
|
|
return SHA256_DIGEST_SIZE;
|
|
break;
|
|
#endif
|
|
|
|
#ifdef CYASSL_SHA384
|
|
case SHA384:
|
|
return SHA384_DIGEST_SIZE;
|
|
break;
|
|
#endif
|
|
|
|
#ifdef CYASSL_SHA512
|
|
case SHA512:
|
|
return SHA512_DIGEST_SIZE;
|
|
break;
|
|
#endif
|
|
|
|
#ifdef HAVE_BLAKE2
|
|
case BLAKE2B_ID:
|
|
return BLAKE2B_OUTBYTES;
|
|
break;
|
|
#endif
|
|
|
|
default:
|
|
return BAD_FUNC_ARG;
|
|
break;
|
|
}
|
|
}
|
|
|
|
|
|
/* HMAC-KDF with hash type, optional salt and info, return 0 on success */
|
|
int HKDF(int type, const byte* inKey, word32 inKeySz,
|
|
const byte* salt, word32 saltSz,
|
|
const byte* info, word32 infoSz,
|
|
byte* out, word32 outSz)
|
|
{
|
|
Hmac myHmac;
|
|
#ifdef CYASSL_SMALL_STACK
|
|
byte* tmp;
|
|
byte* prk;
|
|
#else
|
|
byte tmp[MAX_DIGEST_SIZE]; /* localSalt helper and T */
|
|
byte prk[MAX_DIGEST_SIZE];
|
|
#endif
|
|
const byte* localSalt; /* either points to user input or tmp */
|
|
int hashSz = GetHashSizeByType(type);
|
|
word32 outIdx = 0;
|
|
byte n = 0x1;
|
|
int ret;
|
|
|
|
if (hashSz < 0)
|
|
return BAD_FUNC_ARG;
|
|
|
|
#ifdef CYASSL_SMALL_STACK
|
|
tmp = (byte*)XMALLOC(MAX_DIGEST_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
|
if (tmp == NULL)
|
|
return MEMORY_E;
|
|
|
|
prk = (byte*)XMALLOC(MAX_DIGEST_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
|
if (prk == NULL) {
|
|
XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
|
return MEMORY_E;
|
|
}
|
|
#endif
|
|
|
|
localSalt = salt;
|
|
if (localSalt == NULL) {
|
|
XMEMSET(tmp, 0, hashSz);
|
|
localSalt = tmp;
|
|
saltSz = hashSz;
|
|
}
|
|
|
|
do {
|
|
ret = HmacSetKey(&myHmac, type, localSalt, saltSz);
|
|
if (ret != 0)
|
|
break;
|
|
ret = HmacUpdate(&myHmac, inKey, inKeySz);
|
|
if (ret != 0)
|
|
break;
|
|
ret = HmacFinal(&myHmac, prk);
|
|
} while (0);
|
|
|
|
if (ret == 0) {
|
|
while (outIdx < outSz) {
|
|
int tmpSz = (n == 1) ? 0 : hashSz;
|
|
word32 left = outSz - outIdx;
|
|
|
|
ret = HmacSetKey(&myHmac, type, prk, hashSz);
|
|
if (ret != 0)
|
|
break;
|
|
ret = HmacUpdate(&myHmac, tmp, tmpSz);
|
|
if (ret != 0)
|
|
break;
|
|
ret = HmacUpdate(&myHmac, info, infoSz);
|
|
if (ret != 0)
|
|
break;
|
|
ret = HmacUpdate(&myHmac, &n, 1);
|
|
if (ret != 0)
|
|
break;
|
|
ret = HmacFinal(&myHmac, tmp);
|
|
if (ret != 0)
|
|
break;
|
|
|
|
left = min(left, (word32)hashSz);
|
|
XMEMCPY(out+outIdx, tmp, left);
|
|
|
|
outIdx += hashSz;
|
|
n++;
|
|
}
|
|
}
|
|
|
|
#ifdef CYASSL_SMALL_STACK
|
|
XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
|
XFREE(prk, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
|
#endif
|
|
|
|
return ret;
|
|
}
|
|
|
|
#endif /* HAVE_HKDF */
|
|
|
|
#endif /* NO_HMAC */
|
|
|