/* hmac.c * * Copyright (C) 2006-2017 wolfSSL Inc. * * This file is part of wolfSSL. * * wolfSSL is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. * * wolfSSL is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA */ #ifdef HAVE_CONFIG_H #include #endif #include #include #ifndef NO_HMAC #if defined(HAVE_FIPS) && \ defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2) /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */ #define FIPS_NO_WRAPPERS #ifdef USE_WINDOWS_API #pragma code_seg(".fipsA$b") #pragma const_seg(".fipsB$b") #endif #endif #include #ifdef NO_INLINE #include #else #define WOLFSSL_MISC_INCLUDED #include #endif /* fips wrapper calls, user can call direct */ /* If building for old FIPS. */ #if defined(HAVE_FIPS) && \ (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)) /* does init */ int wc_HmacSetKey(Hmac* hmac, int type, const byte* key, word32 keySz) { if (hmac == NULL || (key == NULL && keySz != 0) || !(type == WC_MD5 || type == WC_SHA || type == WC_SHA256 || type == WC_SHA384 || type == WC_SHA512 || type == BLAKE2B_ID)) { return BAD_FUNC_ARG; } return HmacSetKey_fips(hmac, type, key, keySz); } int wc_HmacUpdate(Hmac* hmac, const byte* in, word32 sz) { if (hmac == NULL || (in == NULL && sz > 0)) { return BAD_FUNC_ARG; } return HmacUpdate_fips(hmac, in, sz); } int wc_HmacFinal(Hmac* hmac, byte* out) { if (hmac == NULL) { return BAD_FUNC_ARG; } return HmacFinal_fips(hmac, out); } int wolfSSL_GetHmacMaxSize(void) { return CyaSSL_GetHmacMaxSize(); } int wc_HmacInit(Hmac* hmac, void* heap, int devId) { (void)hmac; (void)heap; (void)devId; /* FIPS doesn't support: return HmacInit(hmac, heap, devId); */ return 0; } void wc_HmacFree(Hmac* hmac) { (void)hmac; /* FIPS doesn't support: HmacFree(hmac); */ } #ifdef HAVE_HKDF int wc_HKDF(int type, const byte* inKey, word32 inKeySz, const byte* salt, word32 saltSz, const byte* info, word32 infoSz, byte* out, word32 outSz) { return HKDF(type, inKey, inKeySz, salt, saltSz, info, infoSz, out, outSz); } #endif /* HAVE_HKDF */ #else /* else build without fips, or for new fips */ int wc_HmacSizeByType(int type) { int ret; if (!(type == WC_MD5 || type == WC_SHA || type == WC_SHA224 || type == WC_SHA256 || type == WC_SHA384 || type == WC_SHA512 || type == WC_SHA3_224 || type == WC_SHA3_256 || type == WC_SHA3_384 || type == WC_SHA3_512 || type == BLAKE2B_ID)) { return BAD_FUNC_ARG; } switch (type) { #ifndef NO_MD5 case WC_MD5: ret = WC_MD5_DIGEST_SIZE; break; #endif /* !NO_MD5 */ #ifndef NO_SHA case WC_SHA: ret = WC_SHA_DIGEST_SIZE; break; #endif /* !NO_SHA */ #ifdef WOLFSSL_SHA224 case WC_SHA224: ret = WC_SHA224_DIGEST_SIZE; break; #endif /* WOLFSSL_SHA224 */ #ifndef NO_SHA256 case WC_SHA256: ret = WC_SHA256_DIGEST_SIZE; break; #endif /* !NO_SHA256 */ #ifdef WOLFSSL_SHA384 case WC_SHA384: ret = WC_SHA384_DIGEST_SIZE; break; #endif /* WOLFSSL_SHA384 */ #ifdef WOLFSSL_SHA512 case WC_SHA512: ret = WC_SHA512_DIGEST_SIZE; break; #endif /* WOLFSSL_SHA512 */ #ifdef HAVE_BLAKE2 case BLAKE2B_ID: ret = BLAKE2B_OUTBYTES; break; #endif /* HAVE_BLAKE2 */ #ifdef WOLFSSL_SHA3 case WC_SHA3_224: ret = WC_SHA3_224_DIGEST_SIZE; break; case WC_SHA3_256: ret = WC_SHA3_256_DIGEST_SIZE; break; case WC_SHA3_384: ret = WC_SHA3_384_DIGEST_SIZE; break; case WC_SHA3_512: ret = WC_SHA3_512_DIGEST_SIZE; break; #endif default: ret = BAD_FUNC_ARG; break; } return ret; } int _InitHmac(Hmac* hmac, int type, void* heap) { int ret = 0; switch (type) { #ifndef NO_MD5 case WC_MD5: ret = wc_InitMd5(&hmac->hash.md5); break; #endif /* !NO_MD5 */ #ifndef NO_SHA case WC_SHA: ret = wc_InitSha(&hmac->hash.sha); break; #endif /* !NO_SHA */ #ifdef WOLFSSL_SHA224 case WC_SHA224: ret = wc_InitSha224(&hmac->hash.sha224); break; #endif /* WOLFSSL_SHA224 */ #ifndef NO_SHA256 case WC_SHA256: ret = wc_InitSha256(&hmac->hash.sha256); break; #endif /* !NO_SHA256 */ #ifdef WOLFSSL_SHA384 case WC_SHA384: ret = wc_InitSha384(&hmac->hash.sha384); break; #endif /* WOLFSSL_SHA384 */ #ifdef WOLFSSL_SHA512 case WC_SHA512: ret = wc_InitSha512(&hmac->hash.sha512); break; #endif /* WOLFSSL_SHA512 */ #ifdef HAVE_BLAKE2 case BLAKE2B_ID: ret = wc_InitBlake2b(&hmac->hash.blake2b, BLAKE2B_256); break; #endif /* HAVE_BLAKE2 */ #ifdef WOLFSSL_SHA3 case WC_SHA3_224: ret = wc_InitSha3_224(&hmac->hash.sha3, heap, INVALID_DEVID); break; case WC_SHA3_256: ret = wc_InitSha3_256(&hmac->hash.sha3, heap, INVALID_DEVID); break; case WC_SHA3_384: ret = wc_InitSha3_384(&hmac->hash.sha3, heap, INVALID_DEVID); break; case WC_SHA3_512: ret = wc_InitSha3_512(&hmac->hash.sha3, heap, INVALID_DEVID); break; #endif default: ret = BAD_FUNC_ARG; break; } /* default to NULL heap hint or test value */ #ifdef WOLFSSL_HEAP_TEST hmac->heap = (void)WOLFSSL_HEAP_TEST; #else hmac->heap = heap; #endif /* WOLFSSL_HEAP_TEST */ return ret; } int wc_HmacSetKey(Hmac* hmac, int type, const byte* key, word32 length) { byte* ip; byte* op; word32 i, hmac_block_size = 0; int ret = 0; void* heap = NULL; if (hmac == NULL || (key == NULL && length != 0) || !(type == WC_MD5 || type == WC_SHA || type == WC_SHA224 || type == WC_SHA256 || type == WC_SHA384 || type == WC_SHA512 || type == WC_SHA3_224 || type == WC_SHA3_256 || type == WC_SHA3_384 || type == WC_SHA3_512 || type == BLAKE2B_ID)) { return BAD_FUNC_ARG; } /* if set key has already been run then make sure and free existing */ if (hmac->macType != 0) { wc_HmacFree(hmac); } hmac->innerHashKeyed = 0; hmac->macType = (byte)type; ret = _InitHmac(hmac, type, heap); if (ret != 0) return ret; #ifdef HAVE_FIPS if (length < HMAC_FIPS_MIN_KEY) return HMAC_MIN_KEYLEN_E; #endif ip = (byte*)hmac->ipad; op = (byte*)hmac->opad; switch (hmac->macType) { #ifndef NO_MD5 case WC_MD5: hmac_block_size = WC_MD5_BLOCK_SIZE; if (length <= WC_MD5_BLOCK_SIZE) { if (key != NULL) { XMEMCPY(ip, key, length); } } else { ret = wc_Md5Update(&hmac->hash.md5, key, length); if (ret != 0) break; ret = wc_Md5Final(&hmac->hash.md5, ip); if (ret != 0) break; length = WC_MD5_DIGEST_SIZE; } break; #endif /* !NO_MD5 */ #ifndef NO_SHA case WC_SHA: hmac_block_size = WC_SHA_BLOCK_SIZE; if (length <= WC_SHA_BLOCK_SIZE) { if (key != NULL) { XMEMCPY(ip, key, length); } } else { ret = wc_ShaUpdate(&hmac->hash.sha, key, length); if (ret != 0) break; ret = wc_ShaFinal(&hmac->hash.sha, ip); if (ret != 0) break; length = WC_SHA_DIGEST_SIZE; } break; #endif /* !NO_SHA */ #ifdef WOLFSSL_SHA224 case WC_SHA224: { hmac_block_size = WC_SHA224_BLOCK_SIZE; if (length <= WC_SHA224_BLOCK_SIZE) { if (key != NULL) { XMEMCPY(ip, key, length); } } else { ret = wc_Sha224Update(&hmac->hash.sha224, key, length); if (ret != 0) break; ret = wc_Sha224Final(&hmac->hash.sha224, ip); if (ret != 0) break; length = WC_SHA224_DIGEST_SIZE; } } break; #endif /* WOLFSSL_SHA224 */ #ifndef NO_SHA256 case WC_SHA256: hmac_block_size = WC_SHA256_BLOCK_SIZE; if (length <= WC_SHA256_BLOCK_SIZE) { if (key != NULL) { XMEMCPY(ip, key, length); } } else { ret = wc_Sha256Update(&hmac->hash.sha256, key, length); if (ret != 0) break; ret = wc_Sha256Final(&hmac->hash.sha256, ip); if (ret != 0) break; length = WC_SHA256_DIGEST_SIZE; } break; #endif /* !NO_SHA256 */ #ifdef WOLFSSL_SHA384 case WC_SHA384: hmac_block_size = WC_SHA384_BLOCK_SIZE; if (length <= WC_SHA384_BLOCK_SIZE) { if (key != NULL) { XMEMCPY(ip, key, length); } } else { ret = wc_Sha384Update(&hmac->hash.sha384, key, length); if (ret != 0) break; ret = wc_Sha384Final(&hmac->hash.sha384, ip); if (ret != 0) break; length = WC_SHA384_DIGEST_SIZE; } break; #endif /* WOLFSSL_SHA384 */ #ifdef WOLFSSL_SHA512 case WC_SHA512: hmac_block_size = WC_SHA512_BLOCK_SIZE; if (length <= WC_SHA512_BLOCK_SIZE) { if (key != NULL) { XMEMCPY(ip, key, length); } } else { ret = wc_Sha512Update(&hmac->hash.sha512, key, length); if (ret != 0) break; ret = wc_Sha512Final(&hmac->hash.sha512, ip); if (ret != 0) break; length = WC_SHA512_DIGEST_SIZE; } break; #endif /* WOLFSSL_SHA512 */ #ifdef HAVE_BLAKE2 case BLAKE2B_ID: hmac_block_size = BLAKE2B_BLOCKBYTES; if (length <= BLAKE2B_BLOCKBYTES) { if (key != NULL) { XMEMCPY(ip, key, length); } } else { ret = wc_Blake2bUpdate(&hmac->hash.blake2b, key, length); if (ret != 0) break; ret = wc_Blake2bFinal(&hmac->hash.blake2b, ip, BLAKE2B_256); if (ret != 0) break; length = BLAKE2B_256; } break; #endif /* HAVE_BLAKE2 */ #ifdef WOLFSSL_SHA3 case WC_SHA3_224: hmac_block_size = WC_SHA3_224_BLOCK_SIZE; if (length <= WC_SHA3_224_BLOCK_SIZE) { if (key != NULL) { XMEMCPY(ip, key, length); } } else { ret = wc_Sha3_224_Update(&hmac->hash.sha3, key, length); if (ret != 0) break; ret = wc_Sha3_224_Final(&hmac->hash.sha3, ip); if (ret != 0) break; length = WC_SHA3_224_DIGEST_SIZE; } break; case WC_SHA3_256: hmac_block_size = WC_SHA3_256_BLOCK_SIZE; if (length <= WC_SHA3_256_BLOCK_SIZE) { if (key != NULL) { XMEMCPY(ip, key, length); } } else { ret = wc_Sha3_256_Update(&hmac->hash.sha3, key, length); if (ret != 0) break; ret = wc_Sha3_256_Final(&hmac->hash.sha3, ip); if (ret != 0) break; length = WC_SHA3_256_DIGEST_SIZE; } break; case WC_SHA3_384: hmac_block_size = WC_SHA3_384_BLOCK_SIZE; if (length <= WC_SHA3_384_BLOCK_SIZE) { if (key != NULL) { XMEMCPY(ip, key, length); } } else { ret = wc_Sha3_384_Update(&hmac->hash.sha3, key, length); if (ret != 0) break; ret = wc_Sha3_384_Final(&hmac->hash.sha3, ip); if (ret != 0) break; length = WC_SHA3_384_DIGEST_SIZE; } break; case WC_SHA3_512: hmac_block_size = WC_SHA3_512_BLOCK_SIZE; if (length <= WC_SHA3_512_BLOCK_SIZE) { if (key != NULL) { XMEMCPY(ip, key, length); } } else { ret = wc_Sha3_512_Update(&hmac->hash.sha3, key, length); if (ret != 0) break; ret = wc_Sha3_512_Final(&hmac->hash.sha3, ip); if (ret != 0) break; length = WC_SHA3_512_DIGEST_SIZE; } break; #endif /* WOLFSSL_SHA3 */ default: return BAD_FUNC_ARG; } #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_HMAC) if (hmac->asyncDev.marker == WOLFSSL_ASYNC_MARKER_HMAC) { #if defined(HAVE_INTEL_QA) || defined(HAVE_CAVIUM) #ifdef HAVE_INTEL_QA if (IntelQaHmacGetType(hmac->macType, NULL) == 0) #endif { if (length > hmac_block_size) length = hmac_block_size; /* update key length */ hmac->keyLen = (word16)length; return ret; } /* no need to pad below */ #endif } #endif if (ret == 0) { if (length < hmac_block_size) XMEMSET(ip + length, 0, hmac_block_size - length); for(i = 0; i < hmac_block_size; i++) { op[i] = ip[i] ^ OPAD; ip[i] ^= IPAD; } } return ret; } static int HmacKeyInnerHash(Hmac* hmac) { int ret = 0; switch (hmac->macType) { #ifndef NO_MD5 case WC_MD5: ret = wc_Md5Update(&hmac->hash.md5, (byte*)hmac->ipad, WC_MD5_BLOCK_SIZE); break; #endif /* !NO_MD5 */ #ifndef NO_SHA case WC_SHA: ret = wc_ShaUpdate(&hmac->hash.sha, (byte*)hmac->ipad, WC_SHA_BLOCK_SIZE); break; #endif /* !NO_SHA */ #ifdef WOLFSSL_SHA224 case WC_SHA224: ret = wc_Sha224Update(&hmac->hash.sha224, (byte*)hmac->ipad, WC_SHA224_BLOCK_SIZE); break; #endif /* WOLFSSL_SHA224 */ #ifndef NO_SHA256 case WC_SHA256: ret = wc_Sha256Update(&hmac->hash.sha256, (byte*)hmac->ipad, WC_SHA256_BLOCK_SIZE); break; #endif /* !NO_SHA256 */ #ifdef WOLFSSL_SHA384 case WC_SHA384: ret = wc_Sha384Update(&hmac->hash.sha384, (byte*)hmac->ipad, WC_SHA384_BLOCK_SIZE); break; #endif /* WOLFSSL_SHA384 */ #ifdef WOLFSSL_SHA512 case WC_SHA512: ret = wc_Sha512Update(&hmac->hash.sha512, (byte*)hmac->ipad, WC_SHA512_BLOCK_SIZE); break; #endif /* WOLFSSL_SHA512 */ #ifdef HAVE_BLAKE2 case BLAKE2B_ID: ret = wc_Blake2bUpdate(&hmac->hash.blake2b, (byte*)hmac->ipad, BLAKE2B_BLOCKBYTES); break; #endif /* HAVE_BLAKE2 */ #ifdef WOLFSSL_SHA3 case WC_SHA3_224: ret = wc_Sha3_224_Update(&hmac->hash.sha3, (byte*)hmac->ipad, WC_SHA3_224_BLOCK_SIZE); break; case WC_SHA3_256: ret = wc_Sha3_256_Update(&hmac->hash.sha3, (byte*)hmac->ipad, WC_SHA3_256_BLOCK_SIZE); break; case WC_SHA3_384: ret = wc_Sha3_384_Update(&hmac->hash.sha3, (byte*)hmac->ipad, WC_SHA3_384_BLOCK_SIZE); break; case WC_SHA3_512: ret = wc_Sha3_512_Update(&hmac->hash.sha3, (byte*)hmac->ipad, WC_SHA3_512_BLOCK_SIZE); break; #endif /* WOLFSSL_SHA3 */ default: break; } if (ret == 0) hmac->innerHashKeyed = 1; return ret; } int wc_HmacUpdate(Hmac* hmac, const byte* msg, word32 length) { int ret = 0; if (hmac == NULL || (msg == NULL && length > 0)) { return BAD_FUNC_ARG; } #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_HMAC) if (hmac->asyncDev.marker == WOLFSSL_ASYNC_MARKER_HMAC) { #if defined(HAVE_CAVIUM) return NitroxHmacUpdate(hmac, msg, length); #elif defined(HAVE_INTEL_QA) if (IntelQaHmacGetType(hmac->macType, NULL) == 0) { return IntelQaHmac(&hmac->asyncDev, hmac->macType, (byte*)hmac->ipad, hmac->keyLen, NULL, msg, length); } #endif } #endif /* WOLFSSL_ASYNC_CRYPT */ if (!hmac->innerHashKeyed) { ret = HmacKeyInnerHash(hmac); if (ret != 0) return ret; } switch (hmac->macType) { #ifndef NO_MD5 case WC_MD5: ret = wc_Md5Update(&hmac->hash.md5, msg, length); break; #endif /* !NO_MD5 */ #ifndef NO_SHA case WC_SHA: ret = wc_ShaUpdate(&hmac->hash.sha, msg, length); break; #endif /* !NO_SHA */ #ifdef WOLFSSL_SHA224 case WC_SHA224: ret = wc_Sha224Update(&hmac->hash.sha224, msg, length); break; #endif /* WOLFSSL_SHA224 */ #ifndef NO_SHA256 case WC_SHA256: ret = wc_Sha256Update(&hmac->hash.sha256, msg, length); break; #endif /* !NO_SHA256 */ #ifdef WOLFSSL_SHA384 case WC_SHA384: ret = wc_Sha384Update(&hmac->hash.sha384, msg, length); break; #endif /* WOLFSSL_SHA384 */ #ifdef WOLFSSL_SHA512 case WC_SHA512: ret = wc_Sha512Update(&hmac->hash.sha512, msg, length); break; #endif /* WOLFSSL_SHA512 */ #ifdef HAVE_BLAKE2 case BLAKE2B_ID: ret = wc_Blake2bUpdate(&hmac->hash.blake2b, msg, length); break; #endif /* HAVE_BLAKE2 */ #ifdef WOLFSSL_SHA3 case WC_SHA3_224: ret = wc_Sha3_224_Update(&hmac->hash.sha3, msg, length); break; case WC_SHA3_256: ret = wc_Sha3_256_Update(&hmac->hash.sha3, msg, length); break; case WC_SHA3_384: ret = wc_Sha3_384_Update(&hmac->hash.sha3, msg, length); break; case WC_SHA3_512: ret = wc_Sha3_512_Update(&hmac->hash.sha3, msg, length); break; #endif /* WOLFSSL_SHA3 */ default: break; } return ret; } int wc_HmacFinal(Hmac* hmac, byte* hash) { int ret; if (hmac == NULL || hash == NULL) { return BAD_FUNC_ARG; } #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_HMAC) if (hmac->asyncDev.marker == WOLFSSL_ASYNC_MARKER_HMAC) { int hashLen = wc_HmacSizeByType(hmac->macType); if (hashLen <= 0) return hashLen; #if defined(HAVE_CAVIUM) return NitroxHmacFinal(hmac, hash, hashLen); #elif defined(HAVE_INTEL_QA) if (IntelQaHmacGetType(hmac->macType, NULL) == 0) { return IntelQaHmac(&hmac->asyncDev, hmac->macType, (byte*)hmac->ipad, hmac->keyLen, hash, NULL, hashLen); } #endif } #endif /* WOLFSSL_ASYNC_CRYPT */ if (!hmac->innerHashKeyed) { ret = HmacKeyInnerHash(hmac); if (ret != 0) return ret; } switch (hmac->macType) { #ifndef NO_MD5 case WC_MD5: ret = wc_Md5Final(&hmac->hash.md5, (byte*)hmac->innerHash); if (ret != 0) break; ret = wc_Md5Update(&hmac->hash.md5, (byte*)hmac->opad, WC_MD5_BLOCK_SIZE); if (ret != 0) break; ret = wc_Md5Update(&hmac->hash.md5, (byte*)hmac->innerHash, WC_MD5_DIGEST_SIZE); if (ret != 0) break; ret = wc_Md5Final(&hmac->hash.md5, hash); break; #endif /* !NO_MD5 */ #ifndef NO_SHA case WC_SHA: ret = wc_ShaFinal(&hmac->hash.sha, (byte*)hmac->innerHash); if (ret != 0) break; ret = wc_ShaUpdate(&hmac->hash.sha, (byte*)hmac->opad, WC_SHA_BLOCK_SIZE); if (ret != 0) break; ret = wc_ShaUpdate(&hmac->hash.sha, (byte*)hmac->innerHash, WC_SHA_DIGEST_SIZE); if (ret != 0) break; ret = wc_ShaFinal(&hmac->hash.sha, hash); break; #endif /* !NO_SHA */ #ifdef WOLFSSL_SHA224 case WC_SHA224: { ret = wc_Sha224Final(&hmac->hash.sha224, (byte*)hmac->innerHash); if (ret != 0) break; ret = wc_Sha224Update(&hmac->hash.sha224, (byte*)hmac->opad, WC_SHA224_BLOCK_SIZE); if (ret != 0) break; ret = wc_Sha224Update(&hmac->hash.sha224, (byte*)hmac->innerHash, WC_SHA224_DIGEST_SIZE); if (ret != 0) break; ret = wc_Sha224Final(&hmac->hash.sha224, hash); if (ret != 0) break; } break; #endif /* WOLFSSL_SHA224 */ #ifndef NO_SHA256 case WC_SHA256: ret = wc_Sha256Final(&hmac->hash.sha256, (byte*)hmac->innerHash); if (ret != 0) break; ret = wc_Sha256Update(&hmac->hash.sha256, (byte*)hmac->opad, WC_SHA256_BLOCK_SIZE); if (ret != 0) break; ret = wc_Sha256Update(&hmac->hash.sha256, (byte*)hmac->innerHash, WC_SHA256_DIGEST_SIZE); if (ret != 0) break; ret = wc_Sha256Final(&hmac->hash.sha256, hash); break; #endif /* !NO_SHA256 */ #ifdef WOLFSSL_SHA384 case WC_SHA384: ret = wc_Sha384Final(&hmac->hash.sha384, (byte*)hmac->innerHash); if (ret != 0) break; ret = wc_Sha384Update(&hmac->hash.sha384, (byte*)hmac->opad, WC_SHA384_BLOCK_SIZE); if (ret != 0) break; ret = wc_Sha384Update(&hmac->hash.sha384, (byte*)hmac->innerHash, WC_SHA384_DIGEST_SIZE); if (ret != 0) break; ret = wc_Sha384Final(&hmac->hash.sha384, hash); break; #endif /* WOLFSSL_SHA384 */ #ifdef WOLFSSL_SHA512 case WC_SHA512: ret = wc_Sha512Final(&hmac->hash.sha512, (byte*)hmac->innerHash); if (ret != 0) break; ret = wc_Sha512Update(&hmac->hash.sha512, (byte*)hmac->opad, WC_SHA512_BLOCK_SIZE); if (ret != 0) break; ret = wc_Sha512Update(&hmac->hash.sha512, (byte*)hmac->innerHash, WC_SHA512_DIGEST_SIZE); if (ret != 0) break; ret = wc_Sha512Final(&hmac->hash.sha512, hash); break; #endif /* WOLFSSL_SHA512 */ #ifdef HAVE_BLAKE2 case BLAKE2B_ID: ret = wc_Blake2bFinal(&hmac->hash.blake2b, (byte*)hmac->innerHash, BLAKE2B_256); if (ret != 0) break; ret = wc_Blake2bUpdate(&hmac->hash.blake2b, (byte*)hmac->opad, BLAKE2B_BLOCKBYTES); if (ret != 0) break; ret = wc_Blake2bUpdate(&hmac->hash.blake2b, (byte*)hmac->innerHash, BLAKE2B_256); if (ret != 0) break; ret = wc_Blake2bFinal(&hmac->hash.blake2b, hash, BLAKE2B_256); break; #endif /* HAVE_BLAKE2 */ #ifdef WOLFSSL_SHA3 case WC_SHA3_224: ret = wc_Sha3_224_Final(&hmac->hash.sha3, (byte*)hmac->innerHash); if (ret != 0) break; ret = wc_Sha3_224_Update(&hmac->hash.sha3, (byte*)hmac->opad, WC_SHA3_224_BLOCK_SIZE); if (ret != 0) break; ret = wc_Sha3_224_Update(&hmac->hash.sha3, (byte*)hmac->innerHash, WC_SHA3_224_DIGEST_SIZE); if (ret != 0) break; ret = wc_Sha3_224_Final(&hmac->hash.sha3, hash); break; case WC_SHA3_256: ret = wc_Sha3_256_Final(&hmac->hash.sha3, (byte*)hmac->innerHash); if (ret != 0) break; ret = wc_Sha3_256_Update(&hmac->hash.sha3, (byte*)hmac->opad, WC_SHA3_256_BLOCK_SIZE); if (ret != 0) break; ret = wc_Sha3_256_Update(&hmac->hash.sha3, (byte*)hmac->innerHash, WC_SHA3_256_DIGEST_SIZE); if (ret != 0) break; ret = wc_Sha3_256_Final(&hmac->hash.sha3, hash); break; case WC_SHA3_384: ret = wc_Sha3_384_Final(&hmac->hash.sha3, (byte*)hmac->innerHash); if (ret != 0) break; ret = wc_Sha3_384_Update(&hmac->hash.sha3, (byte*)hmac->opad, WC_SHA3_384_BLOCK_SIZE); if (ret != 0) break; ret = wc_Sha3_384_Update(&hmac->hash.sha3, (byte*)hmac->innerHash, WC_SHA3_384_DIGEST_SIZE); if (ret != 0) break; ret = wc_Sha3_384_Final(&hmac->hash.sha3, hash); break; case WC_SHA3_512: ret = wc_Sha3_512_Final(&hmac->hash.sha3, (byte*)hmac->innerHash); if (ret != 0) break; ret = wc_Sha3_512_Update(&hmac->hash.sha3, (byte*)hmac->opad, WC_SHA3_512_BLOCK_SIZE); if (ret != 0) break; ret = wc_Sha3_512_Update(&hmac->hash.sha3, (byte*)hmac->innerHash, WC_SHA3_512_DIGEST_SIZE); if (ret != 0) break; ret = wc_Sha3_512_Final(&hmac->hash.sha3, hash); break; #endif /* WOLFSSL_SHA3 */ default: ret = BAD_FUNC_ARG; break; } if (ret == 0) { hmac->innerHashKeyed = 0; } return ret; } /* Initialize Hmac for use with async device */ int wc_HmacInit(Hmac* hmac, void* heap, int devId) { int ret = 0; if (hmac == NULL) return BAD_FUNC_ARG; XMEMSET(hmac, 0, sizeof(Hmac)); hmac->heap = heap; #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_HMAC) hmac->keyLen = 0; ret = wolfAsync_DevCtxInit(&hmac->asyncDev, WOLFSSL_ASYNC_MARKER_HMAC, hmac->heap, devId); #else (void)devId; #endif /* WOLFSSL_ASYNC_CRYPT */ return ret; } /* Free Hmac from use with async device */ void wc_HmacFree(Hmac* hmac) { if (hmac == NULL) return; switch (hmac->macType) { #ifndef NO_MD5 case WC_MD5: wc_Md5Free(&hmac->hash.md5); break; #endif /* !NO_MD5 */ #ifndef NO_SHA case WC_SHA: wc_ShaFree(&hmac->hash.sha); break; #endif /* !NO_SHA */ #ifdef WOLFSSL_SHA224 case WC_SHA224: wc_Sha224Free(&hmac->hash.sha224); break; #endif /* WOLFSSL_SHA224 */ #ifndef NO_SHA256 case WC_SHA256: wc_Sha256Free(&hmac->hash.sha256); break; #endif /* !NO_SHA256 */ #ifdef WOLFSSL_SHA384 case WC_SHA384: wc_Sha384Free(&hmac->hash.sha384); break; #endif /* WOLFSSL_SHA384 */ #ifdef WOLFSSL_SHA512 case WC_SHA512: wc_Sha512Free(&hmac->hash.sha512); break; #endif /* WOLFSSL_SHA512 */ #ifdef HAVE_BLAKE2 case BLAKE2B_ID: break; #endif /* HAVE_BLAKE2 */ #ifdef WOLFSSL_SHA3 case WC_SHA3_224: wc_Sha3_224_Free(&hmac->hash.sha3); break; case WC_SHA3_256: wc_Sha3_256_Free(&hmac->hash.sha3); break; case WC_SHA3_384: wc_Sha3_384_Free(&hmac->hash.sha3); break; case WC_SHA3_512: wc_Sha3_512_Free(&hmac->hash.sha3); break; #endif /* WOLFSSL_SHA3 */ default: break; } #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_HMAC) wolfAsync_DevCtxFree(&hmac->asyncDev, WOLFSSL_ASYNC_MARKER_HMAC); #endif /* WOLFSSL_ASYNC_CRYPT */ switch (hmac->macType) { #ifndef NO_MD5 case WC_MD5: wc_Md5Free(&hmac->hash.md5); break; #endif /* !NO_MD5 */ #ifndef NO_SHA case WC_SHA: wc_ShaFree(&hmac->hash.sha); break; #endif /* !NO_SHA */ #ifdef WOLFSSL_SHA224 case WC_SHA224: wc_Sha224Free(&hmac->hash.sha224); break; #endif /* WOLFSSL_SHA224 */ #ifndef NO_SHA256 case WC_SHA256: wc_Sha256Free(&hmac->hash.sha256); break; #endif /* !NO_SHA256 */ #ifdef WOLFSSL_SHA512 #ifdef WOLFSSL_SHA384 case WC_SHA384: wc_Sha384Free(&hmac->hash.sha384); break; #endif /* WOLFSSL_SHA384 */ case WC_SHA512: wc_Sha512Free(&hmac->hash.sha512); break; #endif /* WOLFSSL_SHA512 */ } } int wolfSSL_GetHmacMaxSize(void) { return WC_MAX_DIGEST_SIZE; } #ifdef HAVE_HKDF /* HMAC-KDF-Extract. * RFC 5869 - HMAC-based Extract-and-Expand Key Derivation Function (HKDF). * * type The hash algorithm type. * salt The optional salt value. * saltSz The size of the salt. * inKey The input keying material. * inKeySz The size of the input keying material. * out The pseudorandom key with the length that of the hash. * returns 0 on success, otherwise failure. */ int wc_HKDF_Extract(int type, const byte* salt, word32 saltSz, const byte* inKey, word32 inKeySz, byte* out) { byte tmp[WC_MAX_DIGEST_SIZE]; /* localSalt helper */ Hmac myHmac; int ret; const byte* localSalt; /* either points to user input or tmp */ int hashSz; ret = wc_HmacSizeByType(type); if (ret < 0) return ret; hashSz = ret; localSalt = salt; if (localSalt == NULL) { XMEMSET(tmp, 0, hashSz); localSalt = tmp; saltSz = hashSz; } ret = wc_HmacInit(&myHmac, NULL, INVALID_DEVID); if (ret == 0) { ret = wc_HmacSetKey(&myHmac, type, localSalt, saltSz); if (ret == 0) ret = wc_HmacUpdate(&myHmac, inKey, inKeySz); if (ret == 0) ret = wc_HmacFinal(&myHmac, out); wc_HmacFree(&myHmac); } return ret; } /* HMAC-KDF-Expand. * RFC 5869 - HMAC-based Extract-and-Expand Key Derivation Function (HKDF). * * type The hash algorithm type. * inKey The input key. * inKeySz The size of the input key. * info The application specific information. * infoSz The size of the application specific information. * out The output keying material. * returns 0 on success, otherwise failure. */ int wc_HKDF_Expand(int type, const byte* inKey, word32 inKeySz, const byte* info, word32 infoSz, byte* out, word32 outSz) { byte tmp[WC_MAX_DIGEST_SIZE]; Hmac myHmac; int ret = 0; word32 outIdx = 0; word32 hashSz = wc_HmacSizeByType(type); byte n = 0x1; ret = wc_HmacInit(&myHmac, NULL, INVALID_DEVID); if (ret != 0) return ret; while (outIdx < outSz) { int tmpSz = (n == 1) ? 0 : hashSz; word32 left = outSz - outIdx; ret = wc_HmacSetKey(&myHmac, type, inKey, inKeySz); if (ret != 0) break; ret = wc_HmacUpdate(&myHmac, tmp, tmpSz); if (ret != 0) break; ret = wc_HmacUpdate(&myHmac, info, infoSz); if (ret != 0) break; ret = wc_HmacUpdate(&myHmac, &n, 1); if (ret != 0) break; ret = wc_HmacFinal(&myHmac, tmp); if (ret != 0) break; left = min(left, hashSz); XMEMCPY(out+outIdx, tmp, left); outIdx += hashSz; n++; } wc_HmacFree(&myHmac); return ret; } /* HMAC-KDF. * RFC 5869 - HMAC-based Extract-and-Expand Key Derivation Function (HKDF). * * type The hash algorithm type. * inKey The input keying material. * inKeySz The size of the input keying material. * salt The optional salt value. * saltSz The size of the salt. * info The application specific information. * infoSz The size of the application specific information. * out The output keying material. * returns 0 on success, otherwise failure. */ int wc_HKDF(int type, const byte* inKey, word32 inKeySz, const byte* salt, word32 saltSz, const byte* info, word32 infoSz, byte* out, word32 outSz) { byte prk[WC_MAX_DIGEST_SIZE]; int hashSz = wc_HmacSizeByType(type); int ret; if (hashSz < 0) return BAD_FUNC_ARG; ret = wc_HKDF_Extract(type, salt, saltSz, inKey, inKeySz, prk); if (ret != 0) return ret; return wc_HKDF_Expand(type, prk, hashSz, info, infoSz, out, outSz); } #endif /* HAVE_HKDF */ #endif /* HAVE_FIPS */ #endif /* NO_HMAC */