123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350 |
- /* kdf.c
- *
- * Copyright (C) 2006-2023 wolfSSL Inc.
- *
- * This file is part of wolfSSL.
- *
- * wolfSSL is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * wolfSSL is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
- */
- #ifdef HAVE_CONFIG_H
- #include <config.h>
- #endif
- #include <wolfssl/wolfcrypt/wc_port.h>
- #include <wolfssl/wolfcrypt/error-crypt.h>
- #include <wolfssl/wolfcrypt/logging.h>
- #ifndef NO_KDF
- #if defined(HAVE_FIPS) && \
- defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 5)
- /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
- #define FIPS_NO_WRAPPERS
- #ifdef USE_WINDOWS_API
- #pragma code_seg(".fipsA$m")
- #pragma const_seg(".fipsB$m")
- #endif
- #endif
- #ifdef NO_INLINE
- #include <wolfssl/wolfcrypt/misc.h>
- #else
- #define WOLFSSL_MISC_INCLUDED
- #include <wolfcrypt/src/misc.c>
- #endif
- #include <wolfssl/wolfcrypt/hmac.h>
- #include <wolfssl/wolfcrypt/kdf.h>
- #ifdef WC_SRTP_KDF
- #include <wolfssl/wolfcrypt/aes.h>
- #endif
- #if defined(WOLFSSL_HAVE_PRF) && !defined(NO_HMAC)
- #ifdef WOLFSSL_SHA512
- #define P_HASH_MAX_SIZE WC_SHA512_DIGEST_SIZE
- #elif defined(WOLFSSL_SHA384)
- #define P_HASH_MAX_SIZE WC_SHA384_DIGEST_SIZE
- #else
- #define P_HASH_MAX_SIZE WC_SHA256_DIGEST_SIZE
- #endif
- /* Pseudo Random Function for MD5, SHA-1, SHA-256, SHA-384, or SHA-512 */
- int wc_PRF(byte* result, word32 resLen, const byte* secret,
- word32 secLen, const byte* seed, word32 seedLen, int hash,
- void* heap, int devId)
- {
- word32 len = P_HASH_MAX_SIZE;
- word32 times;
- word32 lastLen;
- word32 lastTime;
- int ret = 0;
- #ifdef WOLFSSL_SMALL_STACK
- byte* previous;
- byte* current;
- Hmac* hmac;
- #else
- byte previous[P_HASH_MAX_SIZE]; /* max size */
- byte current[P_HASH_MAX_SIZE]; /* max size */
- Hmac hmac[1];
- #endif
- switch (hash) {
- #ifndef NO_MD5
- case md5_mac:
- hash = WC_MD5;
- len = WC_MD5_DIGEST_SIZE;
- break;
- #endif
- #ifndef NO_SHA256
- case sha256_mac:
- hash = WC_SHA256;
- len = WC_SHA256_DIGEST_SIZE;
- break;
- #endif
- #ifdef WOLFSSL_SHA384
- case sha384_mac:
- hash = WC_SHA384;
- len = WC_SHA384_DIGEST_SIZE;
- break;
- #endif
- #ifdef WOLFSSL_SHA512
- case sha512_mac:
- hash = WC_SHA512;
- len = WC_SHA512_DIGEST_SIZE;
- break;
- #endif
- #ifdef WOLFSSL_SM3
- case sm3_mac:
- hash = WC_SM3;
- len = WC_SM3_DIGEST_SIZE;
- break;
- #endif
- #ifndef NO_SHA
- case sha_mac:
- hash = WC_SHA;
- len = WC_SHA_DIGEST_SIZE;
- break;
- #endif
- default:
- return HASH_TYPE_E;
- }
- times = resLen / len;
- lastLen = resLen % len;
- if (lastLen)
- times += 1;
- /* times == 0 if resLen == 0, but times == 0 abides clang static analyzer
- while resLen == 0 doesn't */
- if (times == 0)
- return BAD_FUNC_ARG;
- lastTime = times - 1;
- #ifdef WOLFSSL_SMALL_STACK
- previous = (byte*)XMALLOC(P_HASH_MAX_SIZE, heap, DYNAMIC_TYPE_DIGEST);
- current = (byte*)XMALLOC(P_HASH_MAX_SIZE, heap, DYNAMIC_TYPE_DIGEST);
- hmac = (Hmac*)XMALLOC(sizeof(Hmac), heap, DYNAMIC_TYPE_HMAC);
- if (previous == NULL || current == NULL || hmac == NULL) {
- if (previous) XFREE(previous, heap, DYNAMIC_TYPE_DIGEST);
- if (current) XFREE(current, heap, DYNAMIC_TYPE_DIGEST);
- if (hmac) XFREE(hmac, heap, DYNAMIC_TYPE_HMAC);
- return MEMORY_E;
- }
- #endif
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- XMEMSET(previous, 0xff, P_HASH_MAX_SIZE);
- wc_MemZero_Add("wc_PRF previous", previous, P_HASH_MAX_SIZE);
- wc_MemZero_Add("wc_PRF current", current, P_HASH_MAX_SIZE);
- wc_MemZero_Add("wc_PRF hmac", hmac, sizeof(Hmac));
- #endif
- ret = wc_HmacInit(hmac, heap, devId);
- if (ret == 0) {
- ret = wc_HmacSetKey(hmac, hash, secret, secLen);
- if (ret == 0)
- ret = wc_HmacUpdate(hmac, seed, seedLen); /* A0 = seed */
- if (ret == 0)
- ret = wc_HmacFinal(hmac, previous); /* A1 */
- if (ret == 0) {
- word32 i;
- word32 idx = 0;
- for (i = 0; i < times; i++) {
- ret = wc_HmacUpdate(hmac, previous, len);
- if (ret != 0)
- break;
- ret = wc_HmacUpdate(hmac, seed, seedLen);
- if (ret != 0)
- break;
- ret = wc_HmacFinal(hmac, current);
- if (ret != 0)
- break;
- if ((i == lastTime) && lastLen)
- XMEMCPY(&result[idx], current,
- min(lastLen, P_HASH_MAX_SIZE));
- else {
- XMEMCPY(&result[idx], current, len);
- idx += len;
- ret = wc_HmacUpdate(hmac, previous, len);
- if (ret != 0)
- break;
- ret = wc_HmacFinal(hmac, previous);
- if (ret != 0)
- break;
- }
- }
- }
- wc_HmacFree(hmac);
- }
- ForceZero(previous, P_HASH_MAX_SIZE);
- ForceZero(current, P_HASH_MAX_SIZE);
- ForceZero(hmac, sizeof(Hmac));
- #if defined(WOLFSSL_CHECK_MEM_ZERO)
- wc_MemZero_Check(previous, P_HASH_MAX_SIZE);
- wc_MemZero_Check(current, P_HASH_MAX_SIZE);
- wc_MemZero_Check(hmac, sizeof(Hmac));
- #endif
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(previous, heap, DYNAMIC_TYPE_DIGEST);
- XFREE(current, heap, DYNAMIC_TYPE_DIGEST);
- XFREE(hmac, heap, DYNAMIC_TYPE_HMAC);
- #endif
- return ret;
- }
- #undef P_HASH_MAX_SIZE
- /* compute PRF (pseudo random function) using SHA1 and MD5 for TLSv1 */
- int wc_PRF_TLSv1(byte* digest, word32 digLen, const byte* secret,
- word32 secLen, const byte* label, word32 labLen,
- const byte* seed, word32 seedLen, void* heap, int devId)
- {
- int ret = 0;
- word32 half = (secLen + 1) / 2;
- const byte* md5_half;
- const byte* sha_half;
- byte* md5_result;
- #ifdef WOLFSSL_SMALL_STACK
- byte* sha_result;
- byte* labelSeed;
- #else
- byte sha_result[MAX_PRF_DIG]; /* digLen is real size */
- byte labelSeed[MAX_PRF_LABSEED];
- #endif
- if (half > MAX_PRF_HALF ||
- labLen + seedLen > MAX_PRF_LABSEED ||
- digLen > MAX_PRF_DIG)
- {
- return BUFFER_E;
- }
- #ifdef WOLFSSL_SMALL_STACK
- sha_result = (byte*)XMALLOC(MAX_PRF_DIG, heap, DYNAMIC_TYPE_DIGEST);
- labelSeed = (byte*)XMALLOC(MAX_PRF_LABSEED, heap, DYNAMIC_TYPE_DIGEST);
- if (sha_result == NULL || labelSeed == NULL) {
- XFREE(sha_result, heap, DYNAMIC_TYPE_DIGEST);
- XFREE(labelSeed, heap, DYNAMIC_TYPE_DIGEST);
- return MEMORY_E;
- }
- #endif
- md5_half = secret;
- sha_half = secret + half - secLen % 2;
- md5_result = digest;
- XMEMCPY(labelSeed, label, labLen);
- XMEMCPY(labelSeed + labLen, seed, seedLen);
- if ((ret = wc_PRF(md5_result, digLen, md5_half, half, labelSeed,
- labLen + seedLen, md5_mac, heap, devId)) == 0) {
- if ((ret = wc_PRF(sha_result, digLen, sha_half, half, labelSeed,
- labLen + seedLen, sha_mac, heap, devId)) == 0) {
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- wc_MemZero_Add("wc_PRF_TLSv1 sha_result", sha_result, digLen);
- #endif
- /* calculate XOR for TLSv1 PRF */
- /* md5 result is placed directly in digest */
- xorbuf(digest, sha_result, digLen);
- ForceZero(sha_result, digLen);
- }
- }
- #if defined(WOLFSSL_CHECK_MEM_ZERO)
- wc_MemZero_Check(sha_result, MAX_PRF_DIG);
- #endif
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(sha_result, heap, DYNAMIC_TYPE_DIGEST);
- XFREE(labelSeed, heap, DYNAMIC_TYPE_DIGEST);
- #endif
- return ret;
- }
- /* Wrapper for TLS 1.2 and TLSv1 cases to calculate PRF */
- /* In TLS 1.2 case call straight thru to wc_PRF */
- int wc_PRF_TLS(byte* digest, word32 digLen, const byte* secret, word32 secLen,
- const byte* label, word32 labLen, const byte* seed, word32 seedLen,
- int useAtLeastSha256, int hash_type, void* heap, int devId)
- {
- int ret = 0;
- if (useAtLeastSha256) {
- #ifdef WOLFSSL_SMALL_STACK
- byte* labelSeed;
- #else
- byte labelSeed[MAX_PRF_LABSEED];
- #endif
- if (labLen + seedLen > MAX_PRF_LABSEED) {
- return BUFFER_E;
- }
- #ifdef WOLFSSL_SMALL_STACK
- labelSeed = (byte*)XMALLOC(MAX_PRF_LABSEED, heap, DYNAMIC_TYPE_DIGEST);
- if (labelSeed == NULL) {
- return MEMORY_E;
- }
- #endif
- XMEMCPY(labelSeed, label, labLen);
- XMEMCPY(labelSeed + labLen, seed, seedLen);
- /* If a cipher suite wants an algorithm better than sha256, it
- * should use better. */
- if (hash_type < sha256_mac || hash_type == blake2b_mac) {
- hash_type = sha256_mac;
- }
- /* compute PRF for MD5, SHA-1, SHA-256, or SHA-384 for TLSv1.2 PRF */
- ret = wc_PRF(digest, digLen, secret, secLen, labelSeed,
- labLen + seedLen, hash_type, heap, devId);
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(labelSeed, heap, DYNAMIC_TYPE_DIGEST);
- #endif
- }
- else {
- #ifndef NO_OLD_TLS
- /* compute TLSv1 PRF (pseudo random function using HMAC) */
- ret = wc_PRF_TLSv1(digest, digLen, secret, secLen, label, labLen, seed,
- seedLen, heap, devId);
- #else
- ret = BAD_FUNC_ARG;
- #endif
- }
- return ret;
- }
- #endif /* WOLFSSL_HAVE_PRF && !NO_HMAC */
- #if defined(HAVE_HKDF) && !defined(NO_HMAC)
- /* Extract data using HMAC, salt and input.
- * RFC 5869 - HMAC-based Extract-and-Expand Key Derivation Function (HKDF)
- *
- * prk The generated pseudorandom key.
- * salt The salt.
- * saltLen The length of the salt.
- * ikm The input keying material.
- * ikmLen The length of the input keying material.
- * digest The type of digest to use.
- * returns 0 on success, otherwise failure.
- */
- int wc_Tls13_HKDF_Extract(byte* prk, const byte* salt, word32 saltLen,
- byte* ikm, word32 ikmLen, int digest)
- {
- int ret;
- word32 len = 0;
- switch (digest) {
- #ifndef NO_SHA256
- case WC_SHA256:
- len = WC_SHA256_DIGEST_SIZE;
- break;
- #endif
- #ifdef WOLFSSL_SHA384
- case WC_SHA384:
- len = WC_SHA384_DIGEST_SIZE;
- break;
- #endif
- #ifdef WOLFSSL_TLS13_SHA512
- case WC_SHA512:
- len = WC_SHA512_DIGEST_SIZE;
- break;
- #endif
- #ifdef WOLFSSL_SM3
- case WC_SM3:
- len = WC_SM3_DIGEST_SIZE;
- break;
- #endif
- default:
- return BAD_FUNC_ARG;
- }
- /* When length is 0 then use zeroed data of digest length. */
- if (ikmLen == 0) {
- ikmLen = len;
- XMEMSET(ikm, 0, len);
- }
- #ifdef WOLFSSL_DEBUG_TLS
- WOLFSSL_MSG(" Salt");
- WOLFSSL_BUFFER(salt, saltLen);
- WOLFSSL_MSG(" IKM");
- WOLFSSL_BUFFER(ikm, ikmLen);
- #endif
- ret = wc_HKDF_Extract(digest, salt, saltLen, ikm, ikmLen, prk);
- #ifdef WOLFSSL_DEBUG_TLS
- WOLFSSL_MSG(" PRK");
- WOLFSSL_BUFFER(prk, len);
- #endif
- return ret;
- }
- /* Expand data using HMAC, salt and label and info.
- * TLS v1.3 defines this function.
- *
- * okm The generated pseudorandom key - output key material.
- * okmLen The length of generated pseudorandom key -
- * output key material.
- * prk The salt - pseudo-random key.
- * prkLen The length of the salt - pseudo-random key.
- * protocol The TLS protocol label.
- * protocolLen The length of the TLS protocol label.
- * info The information to expand.
- * infoLen The length of the information.
- * digest The type of digest to use.
- * returns 0 on success, otherwise failure.
- */
- int wc_Tls13_HKDF_Expand_Label(byte* okm, word32 okmLen,
- const byte* prk, word32 prkLen,
- const byte* protocol, word32 protocolLen,
- const byte* label, word32 labelLen,
- const byte* info, word32 infoLen,
- int digest)
- {
- int ret = 0;
- word32 idx = 0;
- #ifdef WOLFSSL_SMALL_STACK
- byte* data;
- #else
- byte data[MAX_TLS13_HKDF_LABEL_SZ];
- #endif
- /* okmLen (2) + protocol|label len (1) + info len(1) + protocollen +
- * labellen + infolen */
- idx = 4 + protocolLen + labelLen + infoLen;
- if (idx > MAX_TLS13_HKDF_LABEL_SZ) {
- return BUFFER_E;
- }
- #ifdef WOLFSSL_SMALL_STACK
- data = (byte*)XMALLOC(idx, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- if (data == NULL) {
- return MEMORY_E;
- }
- #endif
- idx = 0;
- /* Output length. */
- data[idx++] = (byte)(okmLen >> 8);
- data[idx++] = (byte)okmLen;
- /* Length of protocol | label. */
- data[idx++] = (byte)(protocolLen + labelLen);
- /* Protocol */
- XMEMCPY(&data[idx], protocol, protocolLen);
- idx += protocolLen;
- /* Label */
- XMEMCPY(&data[idx], label, labelLen);
- idx += labelLen;
- /* Length of hash of messages */
- data[idx++] = (byte)infoLen;
- /* Hash of messages */
- XMEMCPY(&data[idx], info, infoLen);
- idx += infoLen;
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- wc_MemZero_Add("wc_Tls13_HKDF_Expand_Label data", data, idx);
- #endif
- #ifdef WOLFSSL_DEBUG_TLS
- WOLFSSL_MSG(" PRK");
- WOLFSSL_BUFFER(prk, prkLen);
- WOLFSSL_MSG(" Info");
- WOLFSSL_BUFFER(data, idx);
- WOLFSSL_MSG_EX(" Digest %d", digest);
- #endif
- ret = wc_HKDF_Expand(digest, prk, prkLen, data, idx, okm, okmLen);
- #ifdef WOLFSSL_DEBUG_TLS
- WOLFSSL_MSG(" OKM");
- WOLFSSL_BUFFER(okm, okmLen);
- #endif
- ForceZero(data, idx);
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- wc_MemZero_Check(data, idx);
- #endif
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(data, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- #endif
- return ret;
- }
- #if defined(WOLFSSL_TICKET_NONCE_MALLOC) && \
- (!defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3)))
- /* Expand data using HMAC, salt and label and info.
- * TLS v1.3 defines this function.
- *
- * okm The generated pseudorandom key - output key material.
- * okmLen The length of generated pseudorandom key -
- * output key material.
- * prk The salt - pseudo-random key.
- * prkLen The length of the salt - pseudo-random key.
- * protocol The TLS protocol label.
- * protocolLen The length of the TLS protocol label.
- * info The information to expand.
- * infoLen The length of the information.
- * digest The type of digest to use.
- *
- * This functions is very similar to wc_Tls13_HKDF_Expand_Label() but it
- * allocate memory if the stack space usually used isn't enough.
- *
- * returns 0 on success, otherwise failure.
- */
- int wc_Tls13_HKDF_Expand_Label_Alloc(byte* okm, word32 okmLen,
- const byte* prk, word32 prkLen, const byte* protocol,
- word32 protocolLen, const byte* label, word32 labelLen,
- const byte* info, word32 infoLen, int digest, void* heap)
- {
- int ret = 0;
- int idx = 0;
- int len;
- byte *data;
- (void)heap;
- /* okmLen (2) + protocol|label len (1) + info len(1) + protocollen +
- * labellen + infolen */
- len = 4 + protocolLen + labelLen + infoLen;
- data = (byte*)XMALLOC(len, heap, DYNAMIC_TYPE_TMP_BUFFER);
- if (data == NULL)
- return BUFFER_E;
- /* Output length. */
- data[idx++] = (byte)(okmLen >> 8);
- data[idx++] = (byte)okmLen;
- /* Length of protocol | label. */
- data[idx++] = (byte)(protocolLen + labelLen);
- /* Protocol */
- XMEMCPY(&data[idx], protocol, protocolLen);
- idx += protocolLen;
- /* Label */
- XMEMCPY(&data[idx], label, labelLen);
- idx += labelLen;
- /* Length of hash of messages */
- data[idx++] = (byte)infoLen;
- /* Hash of messages */
- XMEMCPY(&data[idx], info, infoLen);
- idx += infoLen;
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- wc_MemZero_Add("wc_Tls13_HKDF_Expand_Label data", data, idx);
- #endif
- #ifdef WOLFSSL_DEBUG_TLS
- WOLFSSL_MSG(" PRK");
- WOLFSSL_BUFFER(prk, prkLen);
- WOLFSSL_MSG(" Info");
- WOLFSSL_BUFFER(data, idx);
- WOLFSSL_MSG_EX(" Digest %d", digest);
- #endif
- ret = wc_HKDF_Expand(digest, prk, prkLen, data, idx, okm, okmLen);
- #ifdef WOLFSSL_DEBUG_TLS
- WOLFSSL_MSG(" OKM");
- WOLFSSL_BUFFER(okm, okmLen);
- #endif
- ForceZero(data, idx);
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- wc_MemZero_Check(data, len);
- #endif
- XFREE(data, heap, DYNAMIC_TYPE_TMP_BUFFER);
- return ret;
- }
- #endif
- /* defined(WOLFSSL_TICKET_NONCE_MALLOC) && (!defined(HAVE_FIPS) ||
- * FIPS_VERSION_GE(5,3)) */
- #endif /* HAVE_HKDF && !NO_HMAC */
- #ifdef WOLFSSL_WOLFSSH
- /* hash union */
- typedef union {
- #ifndef NO_MD5
- wc_Md5 md5;
- #endif
- #ifndef NO_SHA
- wc_Sha sha;
- #endif
- #ifdef WOLFSSL_SHA224
- wc_Sha224 sha224;
- #endif
- #ifndef NO_SHA256
- wc_Sha256 sha256;
- #endif
- #ifdef WOLFSSL_SHA384
- wc_Sha384 sha384;
- #endif
- #ifdef WOLFSSL_SHA512
- wc_Sha512 sha512;
- #endif
- #ifdef WOLFSSL_SHA3
- wc_Sha3 sha3;
- #endif
- } _hash;
- static
- int _HashInit(byte hashId, _hash* hash)
- {
- int ret = BAD_FUNC_ARG;
- switch (hashId) {
- #ifndef NO_SHA
- case WC_SHA:
- ret = wc_InitSha(&hash->sha);
- break;
- #endif /* !NO_SHA */
- #ifndef NO_SHA256
- case WC_SHA256:
- ret = wc_InitSha256(&hash->sha256);
- break;
- #endif /* !NO_SHA256 */
- #ifdef WOLFSSL_SHA384
- case WC_SHA384:
- ret = wc_InitSha384(&hash->sha384);
- break;
- #endif /* WOLFSSL_SHA384 */
- #ifdef WOLFSSL_SHA512
- case WC_SHA512:
- ret = wc_InitSha512(&hash->sha512);
- break;
- #endif /* WOLFSSL_SHA512 */
- }
- return ret;
- }
- static
- int _HashUpdate(byte hashId, _hash* hash,
- const byte* data, word32 dataSz)
- {
- int ret = BAD_FUNC_ARG;
- switch (hashId) {
- #ifndef NO_SHA
- case WC_SHA:
- ret = wc_ShaUpdate(&hash->sha, data, dataSz);
- break;
- #endif /* !NO_SHA */
- #ifndef NO_SHA256
- case WC_SHA256:
- ret = wc_Sha256Update(&hash->sha256, data, dataSz);
- break;
- #endif /* !NO_SHA256 */
- #ifdef WOLFSSL_SHA384
- case WC_SHA384:
- ret = wc_Sha384Update(&hash->sha384, data, dataSz);
- break;
- #endif /* WOLFSSL_SHA384 */
- #ifdef WOLFSSL_SHA512
- case WC_SHA512:
- ret = wc_Sha512Update(&hash->sha512, data, dataSz);
- break;
- #endif /* WOLFSSL_SHA512 */
- }
- return ret;
- }
- static
- int _HashFinal(byte hashId, _hash* hash, byte* digest)
- {
- int ret = BAD_FUNC_ARG;
- switch (hashId) {
- #ifndef NO_SHA
- case WC_SHA:
- ret = wc_ShaFinal(&hash->sha, digest);
- break;
- #endif /* !NO_SHA */
- #ifndef NO_SHA256
- case WC_SHA256:
- ret = wc_Sha256Final(&hash->sha256, digest);
- break;
- #endif /* !NO_SHA256 */
- #ifdef WOLFSSL_SHA384
- case WC_SHA384:
- ret = wc_Sha384Final(&hash->sha384, digest);
- break;
- #endif /* WOLFSSL_SHA384 */
- #ifdef WOLFSSL_SHA512
- case WC_SHA512:
- ret = wc_Sha512Final(&hash->sha512, digest);
- break;
- #endif /* WOLFSSL_SHA512 */
- }
- return ret;
- }
- static
- void _HashFree(byte hashId, _hash* hash)
- {
- switch (hashId) {
- #ifndef NO_SHA
- case WC_SHA:
- wc_ShaFree(&hash->sha);
- break;
- #endif /* !NO_SHA */
- #ifndef NO_SHA256
- case WC_SHA256:
- wc_Sha256Free(&hash->sha256);
- break;
- #endif /* !NO_SHA256 */
- #ifdef WOLFSSL_SHA384
- case WC_SHA384:
- wc_Sha384Free(&hash->sha384);
- break;
- #endif /* WOLFSSL_SHA384 */
- #ifdef WOLFSSL_SHA512
- case WC_SHA512:
- wc_Sha512Free(&hash->sha512);
- break;
- #endif /* WOLFSSL_SHA512 */
- }
- }
- #define LENGTH_SZ 4
- int wc_SSH_KDF(byte hashId, byte keyId, byte* key, word32 keySz,
- const byte* k, word32 kSz, const byte* h, word32 hSz,
- const byte* sessionId, word32 sessionIdSz)
- {
- word32 blocks, remainder;
- _hash hash;
- enum wc_HashType enmhashId = (enum wc_HashType)hashId;
- byte kPad = 0;
- byte pad = 0;
- byte kSzFlat[LENGTH_SZ];
- word32 digestSz;
- int ret;
- if (key == NULL || keySz == 0 ||
- k == NULL || kSz == 0 ||
- h == NULL || hSz == 0 ||
- sessionId == NULL || sessionIdSz == 0) {
- return BAD_FUNC_ARG;
- }
- ret = wc_HmacSizeByType(enmhashId);
- if (ret <= 0) {
- return BAD_FUNC_ARG;
- }
- digestSz = (word32)ret;
- if (k[0] & 0x80) kPad = 1;
- c32toa(kSz + kPad, kSzFlat);
- blocks = keySz / digestSz;
- remainder = keySz % digestSz;
- ret = _HashInit(enmhashId, &hash);
- if (ret == 0)
- ret = _HashUpdate(enmhashId, &hash, kSzFlat, LENGTH_SZ);
- if (ret == 0 && kPad)
- ret = _HashUpdate(enmhashId, &hash, &pad, 1);
- if (ret == 0)
- ret = _HashUpdate(enmhashId, &hash, k, kSz);
- if (ret == 0)
- ret = _HashUpdate(enmhashId, &hash, h, hSz);
- if (ret == 0)
- ret = _HashUpdate(enmhashId, &hash, &keyId, sizeof(keyId));
- if (ret == 0)
- ret = _HashUpdate(enmhashId, &hash, sessionId, sessionIdSz);
- if (ret == 0) {
- if (blocks == 0) {
- if (remainder > 0) {
- byte lastBlock[WC_MAX_DIGEST_SIZE];
- ret = _HashFinal(enmhashId, &hash, lastBlock);
- if (ret == 0)
- XMEMCPY(key, lastBlock, remainder);
- }
- }
- else {
- word32 runningKeySz, curBlock;
- runningKeySz = digestSz;
- ret = _HashFinal(enmhashId, &hash, key);
- for (curBlock = 1; curBlock < blocks; curBlock++) {
- ret = _HashInit(enmhashId, &hash);
- if (ret != 0) break;
- ret = _HashUpdate(enmhashId, &hash, kSzFlat, LENGTH_SZ);
- if (ret != 0) break;
- if (kPad)
- ret = _HashUpdate(enmhashId, &hash, &pad, 1);
- if (ret != 0) break;
- ret = _HashUpdate(enmhashId, &hash, k, kSz);
- if (ret != 0) break;
- ret = _HashUpdate(enmhashId, &hash, h, hSz);
- if (ret != 0) break;
- ret = _HashUpdate(enmhashId, &hash, key, runningKeySz);
- if (ret != 0) break;
- ret = _HashFinal(enmhashId, &hash, key + runningKeySz);
- if (ret != 0) break;
- runningKeySz += digestSz;
- }
- if (remainder > 0) {
- byte lastBlock[WC_MAX_DIGEST_SIZE];
- if (ret == 0)
- ret = _HashInit(enmhashId, &hash);
- if (ret == 0)
- ret = _HashUpdate(enmhashId, &hash, kSzFlat, LENGTH_SZ);
- if (ret == 0 && kPad)
- ret = _HashUpdate(enmhashId, &hash, &pad, 1);
- if (ret == 0)
- ret = _HashUpdate(enmhashId, &hash, k, kSz);
- if (ret == 0)
- ret = _HashUpdate(enmhashId, &hash, h, hSz);
- if (ret == 0)
- ret = _HashUpdate(enmhashId, &hash, key, runningKeySz);
- if (ret == 0)
- ret = _HashFinal(enmhashId, &hash, lastBlock);
- if (ret == 0)
- XMEMCPY(key + runningKeySz, lastBlock, remainder);
- }
- }
- }
- _HashFree(enmhashId, &hash);
- return ret;
- }
- #endif /* WOLFSSL_WOLFSSH */
- #ifdef WC_SRTP_KDF
- /* Calculate first block to encrypt.
- *
- * @param [in] salt Random value to XOR in.
- * @param [in] saltSz Size of random value in bytes.
- * @param [in] kdrIdx Key derivation rate. kdr = 0 when -1, otherwise
- * kdr = 2^kdrIdx.
- * @param [in] index Index value to XOR in.
- * @param [in] indexSz Size of index value in bytes.
- * @param [out] block First block to encrypt.
- */
- static void wc_srtp_kdf_first_block(const byte* salt, word32 saltSz, int kdrIdx,
- const byte* index, byte indexSz, unsigned char* block)
- {
- word32 i;
- /* XOR salt into zeroized buffer. */
- for (i = 0; i < WC_SRTP_MAX_SALT - saltSz; i++) {
- block[i] = 0;
- }
- XMEMCPY(block + WC_SRTP_MAX_SALT - saltSz, salt, saltSz);
- block[WC_SRTP_MAX_SALT] = 0;
- /* block[15] is counter. */
- /* When kdrIdx is -1, don't XOR in index. */
- if (kdrIdx >= 0) {
- /* Get the number of bits to shift index by. */
- word32 bits = kdrIdx & 0x7;
- /* Reduce index size by number of bytes to remove. */
- indexSz -= kdrIdx >> 3;
- if ((kdrIdx & 0x7) == 0) {
- /* Just XOR in as no bit shifting. */
- for (i = 0; i < indexSz; i++) {
- block[i + WC_SRTP_MAX_SALT - indexSz] ^= index[i];
- }
- }
- else {
- /* XOR in as bit shifted index. */
- block[WC_SRTP_MAX_SALT - indexSz] ^= index[0] >> bits;
- for (i = 1; i < indexSz; i++) {
- block[i + WC_SRTP_MAX_SALT - indexSz] ^=
- (index[i-1] << (8 - bits)) |
- (index[i+0] >> bits );
- }
- }
- }
- }
- /* Derive a key given the first block.
- *
- * @param [in, out] block First block to encrypt. Need label XORed in.
- * @param [in] indexSz Size of index in bytes to calculate where label is
- * XORed into.
- * @param [in] label Label byte that differs for each key.
- * @param [out] key Derived key.
- * @param [in] keySz Size of key to derive in bytes.
- * @param [in] aes AES object to encrypt with.
- * @return 0 on success.
- */
- static int wc_srtp_kdf_derive_key(byte* block, byte indexSz, byte label,
- byte* key, word32 keySz, Aes* aes)
- {
- int i;
- int ret = 0;
- /* Calculate the number of full blocks needed for derived key. */
- int blocks = keySz / AES_BLOCK_SIZE;
- /* XOR in label. */
- block[WC_SRTP_MAX_SALT - indexSz - 1] ^= label;
- for (i = 0; (ret == 0) && (i < blocks); i++) {
- /* Set counter. */
- block[15] = i;
- /* Encrypt block into key buffer. */
- ret = wc_AesEcbEncrypt(aes, key, block, AES_BLOCK_SIZE);
- /* Reposition for more derived key. */
- key += AES_BLOCK_SIZE;
- /* Reduce the count of key bytes required. */
- keySz -= AES_BLOCK_SIZE;
- }
- /* Do any partial blocks. */
- if ((ret == 0) && (keySz > 0)) {
- byte enc[AES_BLOCK_SIZE];
- /* Set counter. */
- block[15] = i;
- /* Encrypt block into temporary. */
- ret = wc_AesEcbEncrypt(aes, enc, block, AES_BLOCK_SIZE);
- if (ret == 0) {
- /* Copy into key required amount. */
- XMEMCPY(key, enc, keySz);
- }
- }
- /* XOR out label. */
- block[WC_SRTP_MAX_SALT - indexSz - 1] ^= label;
- return ret;
- }
- /* Derive keys using SRTP KDF algorithm.
- *
- * SP 800-135 (RFC 3711).
- *
- * @param [in] key Key to use with encryption.
- * @param [in] keySz Size of key in bytes.
- * @param [in] salt Random non-secret value.
- * @param [in] saltSz Size of random in bytes.
- * @param [in] kdrIdx Key derivation rate. kdr = 0 when -1, otherwise
- * kdr = 2^kdrIdx.
- * @param [in] index Index value to XOR in.
- * @param [out] key1 First key. Label value of 0x00.
- * @param [in] key1Sz Size of first key in bytes.
- * @param [out] key2 Second key. Label value of 0x01.
- * @param [in] key2Sz Size of second key in bytes.
- * @param [out] key3 Third key. Label value of 0x02.
- * @param [in] key3Sz Size of third key in bytes.
- * @return BAD_FUNC_ARG when key or salt is NULL.
- * @return BAD_FUNC_ARG when key length is not 16, 24 or 32.
- * @return BAD_FUNC_ARG when saltSz is larger than 14.
- * @return BAD_FUNC_ARG when kdrIdx is less than -1 or larger than 24.
- * @return MEMORY_E on dynamic memory allocation failure.
- * @return 0 on success.
- */
- int wc_SRTP_KDF(const byte* key, word32 keySz, const byte* salt, word32 saltSz,
- int kdrIdx, const byte* index, byte* key1, word32 key1Sz, byte* key2,
- word32 key2Sz, byte* key3, word32 key3Sz)
- {
- int ret = 0;
- byte block[AES_BLOCK_SIZE];
- #ifdef WOLFSSL_SMALL_STACK
- Aes* aes = NULL;
- #else
- Aes aes[1];
- #endif
- int aes_inited = 0;
- /* Validate parameters. */
- if ((key == NULL) || (keySz > AES_256_KEY_SIZE) || (salt == NULL) ||
- (saltSz > WC_SRTP_MAX_SALT) || (kdrIdx < -1) || (kdrIdx > 24)) {
- ret = BAD_FUNC_ARG;
- }
- #ifdef WOLFSSL_SMALL_STACK
- if (ret == 0) {
- aes = (Aes*)XMALLOC(sizeof(Aes), NULL, DYNAMIC_TYPE_CIPHER);
- if (aes == NULL) {
- ret = MEMORY_E;
- }
- }
- if (aes != NULL)
- #endif
- {
- XMEMSET(aes, 0, sizeof(Aes));
- }
- /* Setup AES object. */
- if (ret == 0) {
- ret = wc_AesInit(aes, NULL, INVALID_DEVID);
- }
- if (ret == 0) {
- aes_inited = 1;
- ret = wc_AesSetKey(aes, key, keySz, NULL, AES_ENCRYPTION);
- }
- /* Calculate first block that can be used in each derivation. */
- if (ret == 0) {
- wc_srtp_kdf_first_block(salt, saltSz, kdrIdx, index, WC_SRTP_INDEX_LEN,
- block);
- }
- /* Calculate first key if required. */
- if ((ret == 0) && (key1 != NULL)) {
- ret = wc_srtp_kdf_derive_key(block, WC_SRTP_INDEX_LEN,
- WC_SRTP_LABEL_ENCRYPTION, key1, key1Sz, aes);
- }
- /* Calculate second key if required. */
- if ((ret == 0) && (key2 != NULL)) {
- ret = wc_srtp_kdf_derive_key(block, WC_SRTP_INDEX_LEN,
- WC_SRTP_LABEL_MSG_AUTH, key2, key2Sz, aes);
- }
- /* Calculate third key if required. */
- if ((ret == 0) && (key3 != NULL)) {
- ret = wc_srtp_kdf_derive_key(block, WC_SRTP_INDEX_LEN,
- WC_SRTP_LABEL_SALT, key3, key3Sz, aes);
- }
- if (aes_inited)
- wc_AesFree(aes);
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(aes, NULL, DYNAMIC_TYPE_CIPHER);
- #endif
- return ret;
- }
- /* Derive keys using SRTCP KDF algorithm.
- *
- * SP 800-135 (RFC 3711).
- *
- * @param [in] key Key to use with encryption.
- * @param [in] keySz Size of key in bytes.
- * @param [in] salt Random non-secret value.
- * @param [in] saltSz Size of random in bytes.
- * @param [in] kdrIdx Key derivation rate index. kdr = 0 when -1, otherwise
- * kdr = 2^kdrIdx. See wc_SRTP_KDF_kdr_to_idx()
- * @param [in] index Index value to XOR in.
- * @param [out] key1 First key. Label value of 0x03.
- * @param [in] key1Sz Size of first key in bytes.
- * @param [out] key2 Second key. Label value of 0x04.
- * @param [in] key2Sz Size of second key in bytes.
- * @param [out] key3 Third key. Label value of 0x05.
- * @param [in] key3Sz Size of third key in bytes.
- * @return BAD_FUNC_ARG when key or salt is NULL.
- * @return BAD_FUNC_ARG when key length is not 16, 24 or 32.
- * @return BAD_FUNC_ARG when saltSz is larger than 14.
- * @return BAD_FUNC_ARG when kdrIdx is less than -1 or larger than 24.
- * @return MEMORY_E on dynamic memory allocation failure.
- * @return 0 on success.
- */
- int wc_SRTCP_KDF(const byte* key, word32 keySz, const byte* salt, word32 saltSz,
- int kdrIdx, const byte* index, byte* key1, word32 key1Sz, byte* key2,
- word32 key2Sz, byte* key3, word32 key3Sz)
- {
- int ret = 0;
- byte block[AES_BLOCK_SIZE];
- #ifdef WOLFSSL_SMALL_STACK
- Aes* aes = NULL;
- #else
- Aes aes[1];
- #endif
- int aes_inited = 0;
- /* Validate parameters. */
- if ((key == NULL) || (keySz > AES_256_KEY_SIZE) || (salt == NULL) ||
- (saltSz > WC_SRTP_MAX_SALT) || (kdrIdx < -1) || (kdrIdx > 24)) {
- ret = BAD_FUNC_ARG;
- }
- #ifdef WOLFSSL_SMALL_STACK
- if (ret == 0) {
- aes = (Aes*)XMALLOC(sizeof(Aes), NULL, DYNAMIC_TYPE_CIPHER);
- if (aes == NULL) {
- ret = MEMORY_E;
- }
- }
- if (aes != NULL)
- #endif
- {
- XMEMSET(aes, 0, sizeof(Aes));
- }
- /* Setup AES object. */
- if (ret == 0) {
- ret = wc_AesInit(aes, NULL, INVALID_DEVID);
- }
- if (ret == 0) {
- aes_inited = 1;
- ret = wc_AesSetKey(aes, key, keySz, NULL, AES_ENCRYPTION);
- }
- /* Calculate first block that can be used in each derivation. */
- if (ret == 0) {
- wc_srtp_kdf_first_block(salt, saltSz, kdrIdx, index, WC_SRTCP_INDEX_LEN,
- block);
- }
- /* Calculate first key if required. */
- if ((ret == 0) && (key1 != NULL)) {
- ret = wc_srtp_kdf_derive_key(block, WC_SRTCP_INDEX_LEN,
- WC_SRTCP_LABEL_ENCRYPTION, key1, key1Sz, aes);
- }
- /* Calculate second key if required. */
- if ((ret == 0) && (key2 != NULL)) {
- ret = wc_srtp_kdf_derive_key(block, WC_SRTCP_INDEX_LEN,
- WC_SRTCP_LABEL_MSG_AUTH, key2, key2Sz, aes);
- }
- /* Calculate third key if required. */
- if ((ret == 0) && (key3 != NULL)) {
- ret = wc_srtp_kdf_derive_key(block, WC_SRTCP_INDEX_LEN,
- WC_SRTCP_LABEL_SALT, key3, key3Sz, aes);
- }
- if (aes_inited)
- wc_AesFree(aes);
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(aes, NULL, DYNAMIC_TYPE_CIPHER);
- #endif
- return ret;
- }
- /* Derive key with label using SRTP KDF algorithm.
- *
- * SP 800-135 (RFC 3711).
- *
- * @param [in] key Key to use with encryption.
- * @param [in] keySz Size of key in bytes.
- * @param [in] salt Random non-secret value.
- * @param [in] saltSz Size of random in bytes.
- * @param [in] kdrIdx Key derivation rate index. kdr = 0 when -1, otherwise
- * kdr = 2^kdrIdx. See wc_SRTP_KDF_kdr_to_idx()
- * @param [in] index Index value to XOR in.
- * @param [in] label Label to use when deriving key.
- * @param [out] outKey Derived key.
- * @param [in] outKeySz Size of derived key in bytes.
- * @return BAD_FUNC_ARG when key, salt or outKey is NULL.
- * @return BAD_FUNC_ARG when key length is not 16, 24 or 32.
- * @return BAD_FUNC_ARG when saltSz is larger than 14.
- * @return BAD_FUNC_ARG when kdrIdx is less than -1 or larger than 24.
- * @return MEMORY_E on dynamic memory allocation failure.
- * @return 0 on success.
- */
- int wc_SRTP_KDF_label(const byte* key, word32 keySz, const byte* salt,
- word32 saltSz, int kdrIdx, const byte* index, byte label, byte* outKey,
- word32 outKeySz)
- {
- int ret = 0;
- byte block[AES_BLOCK_SIZE];
- #ifdef WOLFSSL_SMALL_STACK
- Aes* aes = NULL;
- #else
- Aes aes[1];
- #endif
- int aes_inited = 0;
- /* Validate parameters. */
- if ((key == NULL) || (keySz > AES_256_KEY_SIZE) || (salt == NULL) ||
- (saltSz > WC_SRTP_MAX_SALT) || (kdrIdx < -1) || (kdrIdx > 24) ||
- (outKey == NULL)) {
- ret = BAD_FUNC_ARG;
- }
- #ifdef WOLFSSL_SMALL_STACK
- if (ret == 0) {
- aes = (Aes*)XMALLOC(sizeof(Aes), NULL, DYNAMIC_TYPE_CIPHER);
- if (aes == NULL) {
- ret = MEMORY_E;
- }
- }
- if (aes != NULL)
- #endif
- {
- XMEMSET(aes, 0, sizeof(Aes));
- }
- /* Setup AES object. */
- if (ret == 0) {
- ret = wc_AesInit(aes, NULL, INVALID_DEVID);
- }
- if (ret == 0) {
- aes_inited = 1;
- ret = wc_AesSetKey(aes, key, keySz, NULL, AES_ENCRYPTION);
- }
- /* Calculate first block that can be used in each derivation. */
- if (ret == 0) {
- wc_srtp_kdf_first_block(salt, saltSz, kdrIdx, index, WC_SRTP_INDEX_LEN,
- block);
- }
- if (ret == 0) {
- /* Calculate key. */
- ret = wc_srtp_kdf_derive_key(block, WC_SRTP_INDEX_LEN, label, outKey,
- outKeySz, aes);
- }
- if (aes_inited)
- wc_AesFree(aes);
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(aes, NULL, DYNAMIC_TYPE_CIPHER);
- #endif
- return ret;
- }
- /* Derive key with label using SRTCP KDF algorithm.
- *
- * SP 800-135 (RFC 3711).
- *
- * @param [in] key Key to use with encryption.
- * @param [in] keySz Size of key in bytes.
- * @param [in] salt Random non-secret value.
- * @param [in] saltSz Size of random in bytes.
- * @param [in] kdrIdx Key derivation rate index. kdr = 0 when -1, otherwise
- * kdr = 2^kdrIdx. See wc_SRTP_KDF_kdr_to_idx()
- * @param [in] index Index value to XOR in.
- * @param [in] label Label to use when deriving key.
- * @param [out] outKey Derived key.
- * @param [in] outKeySz Size of derived key in bytes.
- * @return BAD_FUNC_ARG when key, salt or outKey is NULL.
- * @return BAD_FUNC_ARG when key length is not 16, 24 or 32.
- * @return BAD_FUNC_ARG when saltSz is larger than 14.
- * @return BAD_FUNC_ARG when kdrIdx is less than -1 or larger than 24.
- * @return MEMORY_E on dynamic memory allocation failure.
- * @return 0 on success.
- */
- int wc_SRTCP_KDF_label(const byte* key, word32 keySz, const byte* salt,
- word32 saltSz, int kdrIdx, const byte* index, byte label, byte* outKey,
- word32 outKeySz)
- {
- int ret = 0;
- byte block[AES_BLOCK_SIZE];
- #ifdef WOLFSSL_SMALL_STACK
- Aes* aes = NULL;
- #else
- Aes aes[1];
- #endif
- int aes_inited = 0;
- /* Validate parameters. */
- if ((key == NULL) || (keySz > AES_256_KEY_SIZE) || (salt == NULL) ||
- (saltSz > WC_SRTP_MAX_SALT) || (kdrIdx < -1) || (kdrIdx > 24) ||
- (outKey == NULL)) {
- ret = BAD_FUNC_ARG;
- }
- #ifdef WOLFSSL_SMALL_STACK
- if (ret == 0) {
- aes = (Aes*)XMALLOC(sizeof(Aes), NULL, DYNAMIC_TYPE_CIPHER);
- if (aes == NULL) {
- ret = MEMORY_E;
- }
- }
- if (aes != NULL)
- #endif
- {
- XMEMSET(aes, 0, sizeof(Aes));
- }
- /* Setup AES object. */
- if (ret == 0) {
- ret = wc_AesInit(aes, NULL, INVALID_DEVID);
- }
- if (ret == 0) {
- aes_inited = 1;
- ret = wc_AesSetKey(aes, key, keySz, NULL, AES_ENCRYPTION);
- }
- /* Calculate first block that can be used in each derivation. */
- if (ret == 0) {
- wc_srtp_kdf_first_block(salt, saltSz, kdrIdx, index, WC_SRTCP_INDEX_LEN,
- block);
- }
- if (ret == 0) {
- /* Calculate key. */
- ret = wc_srtp_kdf_derive_key(block, WC_SRTCP_INDEX_LEN, label, outKey,
- outKeySz, aes);
- }
- if (aes_inited)
- wc_AesFree(aes);
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(aes, NULL, DYNAMIC_TYPE_CIPHER);
- #endif
- return ret;
- }
- /* Converts a kdr value to an index to use in SRTP/SRTCP KDF API.
- *
- * @param [in] kdr Key derivation rate to convert.
- * @return Key derivation rate as an index.
- */
- int wc_SRTP_KDF_kdr_to_idx(word32 kdr)
- {
- int idx = -1;
- /* Keep shifting value down and incrementing index until top bit is gone. */
- while (kdr != 0) {
- kdr >>= 1;
- idx++;
- }
- /* Index of top bit set. */
- return idx;
- }
- #endif /* WC_SRTP_KDF */
- #endif /* NO_KDF */
|