1 /* Copyright (c) (2010-2012,2015-2017,2019,2021,2023) Apple Inc. All rights reserved.
2 *
3 * corecrypto is licensed under Apple Inc.’s Internal Use License Agreement (which
4 * is contained in the License.txt file distributed with corecrypto) and only to
5 * people who accept that license. IMPORTANT: Any license rights granted to you by
6 * Apple Inc. (if any) are limited to internal use within your organization only on
7 * devices and computers you own or control, for the sole purpose of verifying the
8 * security characteristics and correct functioning of the Apple Software. You may
9 * not, directly or indirectly, redistribute the Apple Software or any portions thereof.
10 *
11 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
12 *
13 * This file contains Original Code and/or Modifications of Original Code
14 * as defined in and that are subject to the Apple Public Source License
15 * Version 2.0 (the 'License'). You may not use this file except in
16 * compliance with the License. The rights granted to you under the License
17 * may not be used to create, or enable the creation or redistribution of,
18 * unlawful or unlicensed copies of an Apple operating system, or to
19 * circumvent, violate, or enable the circumvention or violation of, any
20 * terms of an Apple operating system software license agreement.
21 *
22 * Please obtain a copy of the License at
23 * http://www.opensource.apple.com/apsl/ and read it before using this file.
24 *
25 * The Original Code and all software distributed under the License are
26 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
27 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
28 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
29 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
30 * Please see the License for the specific language governing rights and
31 * limitations under the License.
32 *
33 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
34 */
35
36 #include "cc_internal.h"
37 #include <corecrypto/cchkdf.h>
38 #include <corecrypto/cchmac.h>
39 #include <corecrypto/cc.h>
40 #include <corecrypto/cc_priv.h>
41
42 int
cchkdf_extract(const struct ccdigest_info * di,size_t salt_nbytes,const void * salt,size_t ikm_nbytes,const void * ikm,void * prk)43 cchkdf_extract(const struct ccdigest_info *di,
44 size_t salt_nbytes,
45 const void *salt,
46 size_t ikm_nbytes,
47 const void *ikm,
48 void *prk)
49 {
50 CC_ENSURE_DIT_ENABLED
51
52 const uint8_t zeros[MAX_DIGEST_OUTPUT_SIZE] = { 0 };
53
54 if (salt_nbytes == 0) {
55 salt = zeros;
56 salt_nbytes = di->output_size;
57 }
58
59 cchmac(di, salt_nbytes, salt, ikm_nbytes, ikm, prk);
60 return CCERR_OK;
61 }
62
63 int
cchkdf_expand(const struct ccdigest_info * di,size_t prk_nbytes,const void * prk,size_t info_nbytes,const void * info,size_t dk_nbytes,void * dk)64 cchkdf_expand(const struct ccdigest_info *di,
65 size_t prk_nbytes,
66 const void *prk,
67 size_t info_nbytes,
68 const void *info,
69 size_t dk_nbytes,
70 void *dk)
71 {
72 CC_ENSURE_DIT_ENABLED
73
74 uint8_t T[MAX_DIGEST_OUTPUT_SIZE];
75
76 size_t n = cc_ceiling(dk_nbytes, di->output_size);
77 if (n > 255) {
78 return CCERR_PARAMETER;
79 }
80
81 if (prk_nbytes < di->output_size) {
82 return CCERR_PARAMETER;
83 }
84
85 cchmac_di_decl(di, hc);
86
87 // Initialize HMAC once and copy its state over for every loop iteration.
88 // That saves some cycles and allows passing prk == dk.
89 cchmac_di_decl(di, hci);
90 cchmac_init(di, hci, prk_nbytes, prk);
91
92 size_t Tlen = 0;
93 size_t offset = 0;
94 for (size_t i = 1; i <= n; ++i) {
95 // Copy initialized HMAC state.
96 cc_memcpy(hc, hci, cchmac_di_size(di));
97
98 cchmac_update(di, hc, Tlen, T);
99 cchmac_update(di, hc, info_nbytes, info);
100 uint8_t b = (uint8_t)i;
101 cchmac_update(di, hc, 1, &b);
102 cchmac_final(di, hc, T);
103
104 if (i == n) {
105 cc_memcpy((uint8_t *)dk + offset, T, dk_nbytes - offset);
106 } else {
107 cc_memcpy((uint8_t *)dk + offset, T, di->output_size);
108 }
109
110 offset += di->output_size;
111 Tlen = di->output_size;
112 }
113
114 cchmac_di_clear(di, hci);
115 cchmac_di_clear(di, hc);
116 cc_clear(di->output_size, T);
117 return CCERR_OK;
118 }
119
120 int
cchkdf(const struct ccdigest_info * di,size_t ikm_nbytes,const void * ikm,size_t salt_nbytes,const void * salt,size_t info_nbytes,const void * info,size_t dk_nbytes,void * dk)121 cchkdf(const struct ccdigest_info *di,
122 size_t ikm_nbytes,
123 const void *ikm,
124 size_t salt_nbytes,
125 const void *salt,
126 size_t info_nbytes,
127 const void *info,
128 size_t dk_nbytes,
129 void *dk)
130 {
131 CC_ENSURE_DIT_ENABLED
132
133 uint8_t prk[MAX_DIGEST_OUTPUT_SIZE];
134
135 int result = cchkdf_extract(di, salt_nbytes, salt, ikm_nbytes, ikm, prk);
136 if (result == CCERR_OK) {
137 result = cchkdf_expand(di, di->output_size, prk, info_nbytes, info, dk_nbytes, dk);
138 }
139
140 cc_clear(di->output_size, prk);
141 return result;
142 }
143