From 43890b11759dd722db498b341b84bd2ebb18b7b9 Mon Sep 17 00:00:00 2001 From: Vincent Hanquez Date: Mon, 28 Dec 2015 14:32:07 +0000 Subject: [PATCH] Add support for HKDF (RFC 5869) --- Crypto/KDF/HKDF.hs | 77 ++++++++++++++++++++++++++++++++++++++++++++++ Crypto/MAC/HMAC.hs | 2 +- cryptonite.cabal | 3 +- tests/KAT_HKDF.hs | 54 ++++++++++++++++++++++++++++++++ tests/Tests.hs | 2 ++ 5 files changed, 136 insertions(+), 2 deletions(-) create mode 100644 Crypto/KDF/HKDF.hs create mode 100644 tests/KAT_HKDF.hs diff --git a/Crypto/KDF/HKDF.hs b/Crypto/KDF/HKDF.hs new file mode 100644 index 0000000..6c73515 --- /dev/null +++ b/Crypto/KDF/HKDF.hs @@ -0,0 +1,77 @@ +-- | +-- Module : Crypto.KDF.HKDF +-- License : BSD-style +-- Maintainer : Vincent Hanquez +-- Stability : experimental +-- Portability : unknown +-- +-- Key Derivation Function based on HMAC +-- +-- See rfc5869 +-- +{-# LANGUAGE BangPatterns #-} +{-# LANGUAGE GeneralizedNewtypeDeriving #-} +module Crypto.KDF.HKDF + ( PRK + , extract + , extractSkip + , expand + ) where + +import Data.Word +import Crypto.Hash +import Crypto.MAC.HMAC +import Crypto.Internal.ByteArray (ScrubbedBytes, Bytes, ByteArray, ByteArrayAccess) +import qualified Crypto.Internal.ByteArray as B + +-- | Pseudo Random Key +data PRK a = PRK (HMAC a) | PRK_NoExpand ScrubbedBytes + deriving (Eq) + +-- | Extract a Pseudo Random Key using the parameter and the underlaying hash mechanism +extract :: (HashAlgorithm a, ByteArrayAccess salt, ByteArrayAccess ikm) + => salt -- ^ Salt + -> ikm -- ^ Input Keying Material + -> PRK a -- ^ Pseudo random key +extract salt ikm = PRK $ hmac salt ikm + +-- | Create a PRK directly from the input key material, skipping any hmacing +extractSkip :: (HashAlgorithm a, ByteArrayAccess ikm) + => ikm + -> PRK a +extractSkip ikm = PRK_NoExpand $ B.convert ikm + +-- | Expand key material of specific length out of the parameters +expand :: (HashAlgorithm a, ByteArrayAccess info, ByteArray out) + => PRK a -- ^ Pseudo Random Key + -> info -- ^ Optional context and application specific information + -> Int -- ^ Output length in bytes + -> out -- ^ Output data +expand prkAt infoAt outputLength = + let hF = hFGet prkAt + in B.concat $ loop hF B.empty outputLength 1 + where + hFGet :: (HashAlgorithm a, ByteArrayAccess b) => PRK a -> (b -> HMAC a) + hFGet prk = case prk of + PRK hmacKey -> hmac hmacKey + PRK_NoExpand ikm -> hmac ikm + + info :: ScrubbedBytes + info = B.convert infoAt + + loop :: HashAlgorithm a + => (ScrubbedBytes -> HMAC a) + -> ScrubbedBytes + -> Int + -> Word8 + -> [ScrubbedBytes] + loop hF tim1 n i + | n <= 0 = [] + | otherwise = + let input = B.concat [tim1,info,B.singleton i] :: ScrubbedBytes + ti = B.convert $ hF input + hashLen = B.length ti + r = n - hashLen + in (if n >= hashLen then ti else B.take n ti) + : loop hF ti r (i+1) + diff --git a/Crypto/MAC/HMAC.hs b/Crypto/MAC/HMAC.hs index 6686067..e4f5716 100644 --- a/Crypto/MAC/HMAC.hs +++ b/Crypto/MAC/HMAC.hs @@ -40,7 +40,7 @@ instance Eq (HMAC a) where (HMAC b1) == (HMAC b2) = B.constEq b1 b2 -- | compute a MAC using the supplied hashing function -hmac :: (ByteArrayAccess key, ByteArray message, HashAlgorithm a) +hmac :: (ByteArrayAccess key, ByteArrayAccess message, HashAlgorithm a) => key -- ^ Secret key -> message -- ^ Message to MAC -> HMAC a diff --git a/cryptonite.cabal b/cryptonite.cabal index 3d3fbeb..b9a3ec5 100644 --- a/cryptonite.cabal +++ b/cryptonite.cabal @@ -12,7 +12,7 @@ Description: . * Assymmetric crypto: DSA, RSA, DH, ECDH, ECDSA, ECC, Curve25519, Ed25519 . - * Key Derivation Function: PBKDF2, Scrypt + * Key Derivation Function: PBKDF2, Scrypt, HKDF . * Cryptographic Random generation: System Entropy, Deterministic Random Generator . @@ -106,6 +106,7 @@ Library Crypto.KDF.PBKDF2 Crypto.KDF.Scrypt Crypto.KDF.BCrypt + Crypto.KDF.HKDF Crypto.Hash Crypto.Hash.IO Crypto.Hash.Algorithms diff --git a/tests/KAT_HKDF.hs b/tests/KAT_HKDF.hs new file mode 100644 index 0000000..1593cf9 --- /dev/null +++ b/tests/KAT_HKDF.hs @@ -0,0 +1,54 @@ +{-# LANGUAGE OverloadedStrings #-} +module KAT_HKDF (tests) where + +import qualified Crypto.KDF.HKDF as HKDF +import Crypto.Hash (MD5(..), SHA1(..), SHA256(..) + , Keccak_224(..), Keccak_256(..), Keccak_384(..), Keccak_512(..) + , SHA3_224(..), SHA3_256(..), SHA3_384(..), SHA3_512(..) + , HashAlgorithm, digestFromByteString) +import qualified Data.ByteString as B + +import Imports + + +data KDFVector hash = KDFVector + { kdfIKM :: ByteString + , kdfSalt :: ByteString + , kdfInfo :: ByteString + , kdfResult :: ByteString + } + +sha256KDFVectors :: [KDFVector SHA256] +sha256KDFVectors = + [ KDFVector + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + (B.pack [0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c]) + "\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9" + "\x3c\xb2\x5f\x25\xfa\xac\xd5\x7a\x90\x43\x4f\x64\xd0\x36\x2f\x2a\x2d\x2d\x0a\x90\xcf\x1a\x5a\x4c\x5d\xb0\x2d\x56\xec\xc4\xc5\xbf\x34\x00\x72\x08\xd5\xb8\x87\x18\x58\x65" + , KDFVector + (B.pack [0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f,0x20,0x21,0x22,0x23,0x24,0x25,0x26,0x27,0x28,0x29,0x2a,0x2b,0x2c,0x2d,0x2e,0x2f,0x30,0x31,0x32,0x33,0x34,0x35,0x36,0x37,0x38,0x39,0x3a,0x3b,0x3c,0x3d,0x3e,0x3f,0x40,0x41,0x42,0x43,0x44,0x45,0x46,0x47,0x48,0x49,0x4a,0x4b,0x4c,0x4d,0x4e,0x4f]) + (B.pack [0x60,0x61,0x62,0x63,0x64,0x65,0x66,0x67,0x68,0x69,0x6a,0x6b,0x6c,0x6d,0x6e,0x6f,0x70,0x71,0x72,0x73,0x74,0x75,0x76,0x77,0x78,0x79,0x7a,0x7b,0x7c,0x7d,0x7e,0x7f,0x80,0x81,0x82,0x83,0x84,0x85,0x86,0x87,0x88,0x89,0x8a,0x8b,0x8c,0x8d,0x8e,0x8f,0x90,0x91,0x92,0x93,0x94,0x95,0x96,0x97,0x98,0x99,0x9a,0x9b,0x9c,0x9d,0x9e,0x9f,0xa0,0xa1,0xa2,0xa3,0xa4,0xa5,0xa6,0xa7,0xa8,0xa9,0xaa,0xab,0xac,0xad,0xae,0xaf]) + (B.pack [0xb0,0xb1,0xb2,0xb3,0xb4,0xb5,0xb6,0xb7,0xb8,0xb9,0xba,0xbb,0xbc,0xbd,0xbe,0xbf,0xc0,0xc1,0xc2,0xc3,0xc4,0xc5,0xc6,0xc7,0xc8,0xc9,0xca,0xcb,0xcc,0xcd,0xce,0xcf,0xd0,0xd1,0xd2,0xd3,0xd4,0xd5,0xd6,0xd7,0xd8,0xd9,0xda,0xdb,0xdc,0xdd,0xde,0xdf,0xe0,0xe1,0xe2,0xe3,0xe4,0xe5,0xe6,0xe7,0xe8,0xe9,0xea,0xeb,0xec,0xed,0xee,0xef,0xf0,0xf1,0xf2,0xf3,0xf4,0xf5,0xf6,0xf7,0xf8,0xf9,0xfa,0xfb,0xfc,0xfd,0xfe,0xff]) + (B.pack [0xb1,0x1e,0x39,0x8d,0xc8,0x03,0x27,0xa1,0xc8,0xe7,0xf7,0x8c,0x59,0x6a,0x49,0x34,0x4f,0x01,0x2e,0xda,0x2d,0x4e,0xfa,0xd8,0xa0,0x50,0xcc,0x4c,0x19,0xaf,0xa9,0x7c,0x59,0x04,0x5a,0x99,0xca,0xc7,0x82,0x72,0x71,0xcb,0x41,0xc6,0x5e,0x59,0x0e,0x09,0xda,0x32,0x75,0x60,0x0c,0x2f,0x09,0xb8,0x36,0x77,0x93,0xa9,0xac,0xa3,0xdb,0x71,0xcc,0x30,0xc5,0x81,0x79,0xec,0x3e,0x87,0xc1,0x4c,0x01,0xd5,0xc1,0xf3,0x43,0x4f,0x1d,0x87]) + ] + +kdfTests :: [TestTree] +kdfTests = + [ testGroup "sha256" $ concatMap toKDFTest $ zip is sha256KDFVectors + ] + where toKDFTest (i, kdfVector) = + [ testCase (show i) (t HKDF.extract kdfVector) + ] + + t :: HashAlgorithm a => (ByteString -> ByteString -> HKDF.PRK a) -> KDFVector a -> Assertion + t ext v = + let prk = ext (kdfSalt v) (kdfIKM v) + in kdfResult v @=? HKDF.expand prk (kdfInfo v) (B.length $ kdfResult v) + + is :: [Int] + is = [1..] + + +tests = testGroup "HKDF" + [ testGroup "KATs" kdfTests + ] diff --git a/tests/Tests.hs b/tests/Tests.hs index 6cc3e56..d16c0e3 100644 --- a/tests/Tests.hs +++ b/tests/Tests.hs @@ -11,6 +11,7 @@ import qualified Salsa import qualified ChaCha import qualified ChaChaPoly1305 import qualified KAT_HMAC +import qualified KAT_HKDF import qualified KAT_PBKDF2 import qualified KAT_Curve25519 import qualified KAT_Ed25519 @@ -42,6 +43,7 @@ tests = testGroup "cryptonite" [ KAT_PBKDF2.tests , KAT_Scrypt.tests , BCrypt.tests + , KAT_HKDF.tests ] , testGroup "block-cipher" [ KAT_AES.tests