/*1* Copyright (c) 2018 Thomas Pornin <[email protected]>2*3* Permission is hereby granted, free of charge, to any person obtaining4* a copy of this software and associated documentation files (the5* "Software"), to deal in the Software without restriction, including6* without limitation the rights to use, copy, modify, merge, publish,7* distribute, sublicense, and/or sell copies of the Software, and to8* permit persons to whom the Software is furnished to do so, subject to9* the following conditions:10*11* The above copyright notice and this permission notice shall be12* included in all copies or substantial portions of the Software.13*14* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,15* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF16* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND17* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS18* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN19* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN20* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE21* SOFTWARE.22*/2324#ifndef BR_BEARSSL_KDF_H__25#define BR_BEARSSL_KDF_H__2627#include <stddef.h>28#include <stdint.h>2930#include "bearssl_hash.h"31#include "bearssl_hmac.h"3233#ifdef __cplusplus34extern "C" {35#endif3637/** \file bearssl_kdf.h38*39* # Key Derivation Functions40*41* KDF are functions that takes a variable length input, and provide a42* variable length output, meant to be used to derive subkeys from a43* master key.44*45* ## HKDF46*47* HKDF is a KDF defined by [RFC 5869](https://tools.ietf.org/html/rfc5869).48* It is based on HMAC, itself using an underlying hash function. Any49* hash function can be used, as long as it is compatible with the rules50* for the HMAC implementation (i.e. output size is 64 bytes or less, hash51* internal state size is 64 bytes or less, and the internal block length is52* a power of 2 between 16 and 256 bytes). HKDF has two phases:53*54* - HKDF-Extract: the input data in ingested, along with a "salt" value.55*56* - HKDF-Expand: the output is produced, from the result of processing57* the input and salt, and using an extra non-secret parameter called58* "info".59*60* The "salt" and "info" strings are non-secret and can be empty. Their role61* is normally to bind the input and output, respectively, to conventional62* identifiers that qualifu them within the used protocol or application.63*64* The implementation defined in this file uses the following functions:65*66* - `br_hkdf_init()`: initialize an HKDF context, with a hash function,67* and the salt. This starts the HKDF-Extract process.68*69* - `br_hkdf_inject()`: inject more input bytes. This function may be70* called repeatedly if the input data is provided by chunks.71*72* - `br_hkdf_flip()`: end the HKDF-Extract process, and start the73* HKDF-Expand process.74*75* - `br_hkdf_produce()`: get the next bytes of output. This function76* may be called several times to obtain the full output by chunks.77* For correct HKDF processing, the same "info" string must be78* provided for each call.79*80* Note that the HKDF total output size (the number of bytes that81* HKDF-Expand is willing to produce) is limited: if the hash output size82* is _n_ bytes, then the maximum output size is _255*n_.83*84* ## SHAKE85*86* SHAKE is defined in87* [FIPS 202](https://csrc.nist.gov/publications/detail/fips/202/final)88* under two versions: SHAKE128 and SHAKE256, offering an alleged89* "security level" of 128 and 256 bits, respectively (SHAKE128 is90* about 20 to 25% faster than SHAKE256). SHAKE internally relies on91* the Keccak family of sponge functions, not on any externally provided92* hash function. Contrary to HKDF, SHAKE does not have a concept of93* either a "salt" or an "info" string. The API consists in four94* functions:95*96* - `br_shake_init()`: initialize a SHAKE context for a given97* security level.98*99* - `br_shake_inject()`: inject more input bytes. This function may be100* called repeatedly if the input data is provided by chunks.101*102* - `br_shake_flip()`: end the data injection process, and start the103* data production process.104*105* - `br_shake_produce()`: get the next bytes of output. This function106* may be called several times to obtain the full output by chunks.107*/108109/**110* \brief HKDF context.111*112* The HKDF context is initialized with a hash function implementation113* and a salt value. Contents are opaque (callers should not access them114* directly). The caller is responsible for allocating the context where115* appropriate. Context initialisation and usage incurs no dynamic116* allocation, so there is no release function.117*/118typedef struct {119#ifndef BR_DOXYGEN_IGNORE120union {121br_hmac_context hmac_ctx;122br_hmac_key_context prk_ctx;123} u;124unsigned char buf[64];125size_t ptr;126size_t dig_len;127unsigned chunk_num;128#endif129} br_hkdf_context;130131/**132* \brief HKDF context initialization.133*134* The underlying hash function and salt value are provided. Arbitrary135* salt lengths can be used.136*137* HKDF makes a difference between a salt of length zero, and an138* absent salt (the latter being equivalent to a salt consisting of139* bytes of value zero, of the same length as the hash function output).140* If `salt_len` is zero, then this function assumes that the salt is141* present but of length zero. To specify an _absent_ salt, use142* `BR_HKDF_NO_SALT` as `salt` parameter (`salt_len` is then ignored).143*144* \param hc HKDF context to initialise.145* \param digest_vtable pointer to the hash function implementation vtable.146* \param salt HKDF-Extract salt.147* \param salt_len HKDF-Extract salt length (in bytes).148*/149void br_hkdf_init(br_hkdf_context *hc, const br_hash_class *digest_vtable,150const void *salt, size_t salt_len);151152/**153* \brief The special "absent salt" value for HKDF.154*/155#define BR_HKDF_NO_SALT (&br_hkdf_no_salt)156157#ifndef BR_DOXYGEN_IGNORE158extern const unsigned char br_hkdf_no_salt;159#endif160161/**162* \brief HKDF input injection (HKDF-Extract).163*164* This function injects some more input bytes ("key material") into165* HKDF. This function may be called several times, after `br_hkdf_init()`166* but before `br_hkdf_flip()`.167*168* \param hc HKDF context.169* \param ikm extra input bytes.170* \param ikm_len number of extra input bytes.171*/172void br_hkdf_inject(br_hkdf_context *hc, const void *ikm, size_t ikm_len);173174/**175* \brief HKDF switch to the HKDF-Expand phase.176*177* This call terminates the HKDF-Extract process (input injection), and178* starts the HKDF-Expand process (output production).179*180* \param hc HKDF context.181*/182void br_hkdf_flip(br_hkdf_context *hc);183184/**185* \brief HKDF output production (HKDF-Expand).186*187* Produce more output bytes from the current state. This function may be188* called several times, but only after `br_hkdf_flip()`.189*190* Returned value is the number of actually produced bytes. The total191* output length is limited to 255 times the output length of the192* underlying hash function.193*194* \param hc HKDF context.195* \param info application specific information string.196* \param info_len application specific information string length (in bytes).197* \param out destination buffer for the HKDF output.198* \param out_len the length of the requested output (in bytes).199* \return the produced output length (in bytes).200*/201size_t br_hkdf_produce(br_hkdf_context *hc,202const void *info, size_t info_len, void *out, size_t out_len);203204/**205* \brief SHAKE context.206*207* The HKDF context is initialized with a "security level". The internal208* notion is called "capacity"; the capacity is twice the security level209* (for instance, SHAKE128 has capacity 256).210*211* The caller is responsible for allocating the context where212* appropriate. Context initialisation and usage incurs no dynamic213* allocation, so there is no release function.214*/215typedef struct {216#ifndef BR_DOXYGEN_IGNORE217unsigned char dbuf[200];218size_t dptr;219size_t rate;220uint64_t A[25];221#endif222} br_shake_context;223224/**225* \brief SHAKE context initialization.226*227* The context is initialized for the provided "security level".228* Internally, this sets the "capacity" to twice the security level;229* thus, for SHAKE128, the `security_level` parameter should be 128,230* which corresponds to a 256-bit capacity.231*232* Allowed security levels are all multiples of 32, from 32 to 768,233* inclusive. Larger security levels imply lower performance; levels234* beyond 256 bits don't make much sense. Standard levels are 128235* and 256 bits (for SHAKE128 and SHAKE256, respectively).236*237* \param sc SHAKE context to initialise.238* \param security_level security level (in bits).239*/240void br_shake_init(br_shake_context *sc, int security_level);241242/**243* \brief SHAKE input injection.244*245* This function injects some more input bytes ("key material") into246* SHAKE. This function may be called several times, after `br_shake_init()`247* but before `br_shake_flip()`.248*249* \param sc SHAKE context.250* \param data extra input bytes.251* \param len number of extra input bytes.252*/253void br_shake_inject(br_shake_context *sc, const void *data, size_t len);254255/**256* \brief SHAKE switch to production phase.257*258* This call terminates the input injection process, and starts the259* output production process.260*261* \param sc SHAKE context.262*/263void br_shake_flip(br_shake_context *hc);264265/**266* \brief SHAKE output production.267*268* Produce more output bytes from the current state. This function may be269* called several times, but only after `br_shake_flip()`.270*271* There is no practical limit to the number of bytes that may be produced.272*273* \param sc SHAKE context.274* \param out destination buffer for the SHAKE output.275* \param len the length of the requested output (in bytes).276*/277void br_shake_produce(br_shake_context *sc, void *out, size_t len);278279#ifdef __cplusplus280}281#endif282283#endif284285286