cose: add libsodium HKDF support

Co-authored-by: chrysn <chrysn@fsfe.org> Co-authored-by: Marco vR <marcovr@live.de>
bergzand · Feb 24, 2022 · 31bafa8 · 31bafa8
1 parent fb7f0d4
commit 31bafa8
Show file tree

Hide file tree

Showing 3 changed files with 65 additions and 0 deletions.
diff --git a/include/cose/crypto/selectors.h b/include/cose/crypto/selectors.h
@@ -48,6 +48,15 @@
 #define CRYPTO_HACL_INCLUDE_CHACHAPOLY
 #endif
 /** @} */
+
+/**
+ *
+ * @name HKDF SHA256 selector
+ */
+#if defined(CRYPTO_SODIUM)
+#define CRYPTO_SODIUM_INCLUDE_HKDFSHA256
+#endif
+
 #endif /* COSE_CRYPTO_SELECTORS_H */
 
 #if defined(HAVE_ALGO_AES128GCM) || \

diff --git a/include/cose/crypto/sodium.h b/include/cose/crypto/sodium.h
@@ -34,6 +34,7 @@ extern "C" {
  */
 #define HAVE_ALGO_CHACHA20POLY1305
 #define HAVE_ALGO_EDDSA
+#define HAVE_ALGO_HMAC256
 /** @} */
 
 #ifdef __cplusplus

diff --git a/src/crypt/sodium.c b/src/crypt/sodium.c
@@ -17,6 +17,7 @@
 #include <sodium/crypto_aead_chacha20poly1305.h>
 #include <sodium/crypto_sign.h>
 #include <sodium/randombytes.h>
+#include <sodium/crypto_auth_hmacsha256.h>
 #include <stdint.h>
 #include <stdlib.h>
 
@@ -92,3 +93,57 @@ size_t cose_crypto_sig_size_ed25519(void)
     return crypto_sign_BYTES;
 }
 #endif /* CRYPTO_SODIUM_INCLUDE_ED25519 */
+
+#ifdef CRYPTO_SODIUM_INCLUDE_HKDFSHA256
+int cose_crypto_hkdf_derive_sha256(const uint8_t *salt, size_t salt_len,
+                                   const uint8_t *ikm, size_t ikm_length,
+                                   const uint8_t *info, size_t info_length,
+                                   uint8_t *out, size_t out_length)
+{
+    uint8_t prk[crypto_auth_hmacsha256_KEYBYTES];
+
+    if (salt_len == crypto_auth_hmacsha256_KEYBYTES) {
+        crypto_auth_hmacsha256(prk, ikm, ikm_length, salt);
+    }
+    else if (salt_len < crypto_auth_hmacsha256_KEYBYTES) {
+        uint8_t padding[crypto_auth_hmacsha256_KEYBYTES];
+        memset(padding, 0, crypto_auth_hmacsha256_KEYBYTES);
+        if (salt) {
+            memcpy(padding, salt, salt_len);
+        }
+        crypto_auth_hmacsha256(prk, ikm, ikm_length, padding);
+    }
+    else {
+        return COSE_ERR_INVALID_PARAM;
+    }
+
+    uint8_t slice[crypto_auth_hmacsha256_BYTES];
+    size_t slice_len = crypto_auth_hmacsha256_BYTES;
+    uint8_t counter[1] = { 0x01 };
+    crypto_auth_hmacsha256_state state;
+    size_t rounds = out_length / crypto_auth_hmacsha256_BYTES;
+
+    if (out_length % crypto_auth_hmacsha256_BYTES > 0) {
+        rounds++;
+    }
+    for (size_t i = 0; i < rounds; ++i) {
+        size_t offset = i * crypto_auth_hmacsha256_BYTES;
+        *counter = i + 1;
+        crypto_auth_hmacsha256_init(&state, prk, crypto_auth_hmacsha256_KEYBYTES);
+        if (i > 0) {
+            crypto_auth_hmacsha256_update(&state, slice, slice_len);
+        }
+        if (info) {
+            crypto_auth_hmacsha256_update(&state, info, info_length);
+        }
+        crypto_auth_hmacsha256_update(&state, counter, 1);
+        crypto_auth_hmacsha256_final(&state, slice);
+        if (i + 1 == rounds) {
+            slice_len = out_length - offset;
+        }
+        memcpy(out + offset, slice, slice_len);
+    }
+
+    return COSE_OK;
+}
+#endif /* CRYPTO_SODIUM_INCLUDE_HKDFSHA256 */