crypto/hkdf.cc - Issue 12326029: Porting of HKDF changes from server.

Side by Side Diff: crypto/hkdf.cc

Issue 12326029: Porting of HKDF changes from server. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Mac build fix# 2 Created 7 years, 10 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
(Empty)
	1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.

	2 // Use of this source code is governed by a BSD-style license that can be

	3 // found in the LICENSE file.

	4

	5 #include "crypto/hkdf.h"

	6

	7 #include "base/logging.h"

	8 #include "crypto/hmac.h"

	9

	10 namespace crypto {

	11

	12 const size_t kSHA256HashLength = 32;

	13

	14 HKDF::HKDF(const base::StringPiece& secret,

	15 const base::StringPiece& salt,

	16 const base::StringPiece& info,

	17 size_t key_bytes_to_generate,

	18 size_t iv_bytes_to_generate) {

	19 // https://tools.ietf.org/html/rfc5869#section-2.2

	20 base::StringPiece actual_salt = salt;
	Ryan Sleevi 2013/02/21 17:48:31 BUG? You're not actually making a copy here - you' BUG? You're not actually making a copy here - you're mutating \|salt\| directly. agl 2013/02/21 18:16:11 I don't think that \|actual_salt\| / \|salt\| is ever Show quoted text On 2013/02/21 17:48:31, Ryan Sleevi wrote: > BUG? You're not actually making a copy here - you're mutating \|salt\| directly. I don't think that \|actual_salt\| / \|salt\| is ever mutated. \|actual_salt\| is just a fat pointer that either points to the argument, or to a zero block. Ryan Sleevi 2013/02/21 19:30:44 Ah right, parsing error on my part. Show quoted text On 2013/02/21 18:16:11, agl wrote: > On 2013/02/21 17:48:31, Ryan Sleevi wrote: > > BUG? You're not actually making a copy here - you're mutating \|salt\| directly. > > > I don't think that \|actual_salt\| / \|salt\| is ever mutated. \|actual_salt\| is just > a fat pointer that either points to the argument, or to a zero block. Ah right, parsing error on my part.
	21 char zeros[kSHA256HashLength];
	Ryan Sleevi 2013/02/21 17:48:31 Just do char zeros = {0}; Just do char zeros = {0}; agl 2013/02/21 18:16:11 I don't really care, but I try to avoid using thes Show quoted text On 2013/02/21 17:48:31, Ryan Sleevi wrote: > Just do > > char zeros = {0}; I don't really care, but I try to avoid using these odd corners of the language where possible. Ryan Sleevi 2013/02/21 19:30:44 fair enough Show quoted text On 2013/02/21 18:16:11, agl wrote: > On 2013/02/21 17:48:31, Ryan Sleevi wrote: > > Just do > > > > char zeros = {0}; > > I don't really care, but I try to avoid using these odd corners of the language > where possible. > fair enough
	22 if (actual_salt.empty()) {

	23 // If salt is not given, HashLength zeros are used.

	24 memset(zeros, 0, sizeof(zeros));

	25 actual_salt.set(zeros, sizeof(zeros));

	26 }

	27

	28 HMAC prk_hmac(HMAC::SHA256);
	Ryan Sleevi 2013/02/21 17:48:31 naming: prk (while used in RFC 5869 heavily), is n naming: prk (while used in RFC 5869 heavily), is not an obvious abbreviation (it's only expanded as "pseudorandom key" once in 5869) agl 2013/02/21 18:16:11 Any better suggestions than the RFC's naming? Show quoted text On 2013/02/21 17:48:31, Ryan Sleevi wrote: > naming: prk (while used in RFC 5869 heavily), is not an obvious abbreviation > (it's only expanded as "pseudorandom key" once in 5869) Any better suggestions than the RFC's naming? Ryan Sleevi 2013/02/21 19:30:44 We've used spec-related variable names before, but Show quoted text On 2013/02/21 18:16:11, agl wrote: > On 2013/02/21 17:48:31, Ryan Sleevi wrote: > > naming: prk (while used in RFC 5869 heavily), is not an obvious abbreviation > > (it's only expanded as "pseudorandom key" once in 5869) > > Any better suggestions than the RFC's naming? We've used spec-related variable names before, but we've made sure to spell out their meaning (and why they're named inconsistently) // Perform the Extract step to transform the input key and // salt into the pseudorandom key (PRK) used for Expand. HMAC prk_hmac(HMAC::SHA256); ramant (doing other things) 2013/02/21 22:46:59 Done. Show quoted text On 2013/02/21 19:30:44, Ryan Sleevi wrote: > On 2013/02/21 18:16:11, agl wrote: > > On 2013/02/21 17:48:31, Ryan Sleevi wrote: > > > naming: prk (while used in RFC 5869 heavily), is not an obvious abbreviation > > > (it's only expanded as "pseudorandom key" once in 5869) > > > > Any better suggestions than the RFC's naming? > > We've used spec-related variable names before, but we've made sure to spell out > their meaning (and why they're named inconsistently) > > // Perform the Extract step to transform the input key and > // salt into the pseudorandom key (PRK) used for Expand. > HMAC prk_hmac(HMAC::SHA256); Done.
	29 bool result = prk_hmac.Init(actual_salt);

	30 DCHECK(result);

	31

	32 uint8 prk[kSHA256HashLength];

	33 DCHECK_EQ(sizeof(prk), prk_hmac.DigestLength());

	34 result = prk_hmac.Sign(secret, prk, sizeof(prk));

	35 DCHECK(result);

	36

	37 // https://tools.ietf.org/html/rfc5869#section-2.3
	Ryan Sleevi 2013/02/21 19:30:44 // https://tools.ietf.org/html/rfc5869#section-2.3 // https://tools.ietf.org/html/rfc5869#section-2.3 // Perform the Expand phase to turn the pseudorandom key // and info into the output keying material. ramant (doing other things) 2013/02/21 22:46:59 Done. Show quoted text On 2013/02/21 19:30:44, Ryan Sleevi wrote: > // https://tools.ietf.org/html/rfc5869#section-2.3 > // Perform the Expand phase to turn the pseudorandom key > // and info into the output keying material. Done.
	38 const size_t material_length =

	39 2key_bytes_to_generate + 2iv_bytes_to_generate;

	40 const size_t n = (material_length + kSHA256HashLength-1) /

	41 kSHA256HashLength;

	42 DCHECK_LT(n, 256u);

	43

	44 output_.resize(n * kSHA256HashLength);

	45 base::StringPiece previous;

	46

	47 scoped_array<char> buf(new char[kSHA256HashLength + info.size() + 1]);
	Ryan Sleevi 2013/02/21 17:48:31 scoped_array is deprecated - use scoped_ptr with t scoped_array is deprecated - use scoped_ptr with the appropriate deleter ramant (doing other things) 2013/02/21 22:46:59 Done. Show quoted text On 2013/02/21 17:48:31, Ryan Sleevi wrote: > scoped_array is deprecated - use scoped_ptr with the appropriate deleter Done.
	48 uint8 digest[kSHA256HashLength];

	49

	50 HMAC hmac(HMAC::SHA256);

	51 result = hmac.Init(prk, sizeof(prk));

	52 DCHECK(result);

	53

	54 for (size_t i = 0; i < n; i++) {

	55 memcpy(buf.get(), previous.data(), previous.size());

	56 size_t j = previous.size();

	57 memcpy(buf.get() + j, info.data(), info.size());

	58 j += info.size();

	59 buf[j++] = i + 1;

	60

	61 result = hmac.Sign(base::StringPiece(buf.get(), j), digest, sizeof(digest));

	62 DCHECK(result);

	63

	64 memcpy(&output_[i*sizeof(digest)], digest, sizeof(digest));

	65 previous = base::StringPiece(reinterpret_cast<char*>(digest),

	66 sizeof(digest));

	67 }

	68

	69 size_t j = 0;

	70 client_write_key_ = base::StringPiece(reinterpret_cast<char *>(&output_[j]),

	71 key_bytes_to_generate);

	72 j += key_bytes_to_generate;

	73 server_write_key_ = base::StringPiece(reinterpret_cast<char *>(&output_[j]),

	74 key_bytes_to_generate);

	75 j += key_bytes_to_generate;

	76 client_write_iv_ = base::StringPiece(reinterpret_cast<char *>(&output_[j]),

	77 iv_bytes_to_generate);

	78 j += iv_bytes_to_generate;

	79 server_write_iv_ = base::StringPiece(reinterpret_cast<char *>(&output_[j]),

	80 iv_bytes_to_generate);

	81 }

	82

	83 HKDF::~HKDF() {

	84 }

	85

	86 } // namespace crypto

OLD	NEW

« crypto/hkdf.h ('K') | « crypto/hkdf.h ('k') | crypto/hkdf_unittest.cc » ('j') | no next file with comments »