Commit b17298d4 authored by Johan Pascal's avatar Johan Pascal

add HKDF in crypto cpp API

+ use HKDF for randomSeed to randomKey derivation
instead of the expansion round only
parent 7793b80d
......@@ -363,6 +363,7 @@ class bctbx_ECDH : public keyExchange<Curve> {
}
}; // class bctbx_ECDH
/* Factory functions */
template <typename Base>
std::shared_ptr<keyExchange<Base>> make_keyExchange() {
......@@ -374,6 +375,68 @@ std::shared_ptr<Signature<Base>> make_Signature() {
return std::make_shared<bctbx_EDDSA<Base>>();
}
/* HMAC templates */
template <typename hashAlgo>
void HMAC(const uint8_t *const key, const size_t keySize, const uint8_t *const input, const size_t inputSize, uint8_t *hash, size_t hashSize);
template <typename hashAlgo>
void HMAC(const std::vector<uint8_t> &key, const std::vector<uint8_t> &input, std::array<uint8_t, hashAlgo::ssize()> &hash);
/* HMAC must use a specialized template */
template <typename hashAlgo>
void HMAC(const uint8_t *const key, const size_t keySize, const uint8_t *const input, const size_t inputSize, uint8_t *hash, size_t hashSize) {
/* if this template is instanciated the static_assert will fail but will give us an error message with faulty Curve type */
static_assert(sizeof(hashAlgo) != sizeof(hashAlgo), "You must specialize HMAC_KDF function template");
}
template <typename hashAlgo>
void HMAC(const std::vector<uint8_t> &key, const std::vector<uint8_t> &input, std::array<uint8_t, hashAlgo::ssize()> &hash) {
/* if this template is instanciated the static_assert will fail but will give us an error message with faulty Curve type */
static_assert(sizeof(hashAlgo) != sizeof(hashAlgo), "You must specialize HMAC_KDF function template");
}
/* HMAC specialized template for SHA512 */
template <> void HMAC<SHA512>(const uint8_t *const key, const size_t keySize, const uint8_t *const input, const size_t inputSize, uint8_t *hash, size_t hashSize) {
bctbx_hmacSha512(key, keySize, input, inputSize, std::min(SHA512::ssize(),hashSize), hash);
}
template <> void HMAC<SHA512>(const std::vector<uint8_t> &key, const std::vector<uint8_t> &input, std::array<uint8_t, SHA512::ssize()> &hash) {
bctbx_hmacSha512(key.data(), key.size(), input.data(), input.size(), SHA512::ssize(), hash.data());
}
/* generic implementation, of HKDF RFC-5869 */
template <typename hashAlgo, typename infoType>
void HMAC_KDF(const uint8_t *const salt, const size_t saltSize, const uint8_t *const ikm, const size_t ikmSize, const infoType &info, uint8_t *output, size_t outputSize) {
std::array<uint8_t, hashAlgo::ssize()> prk; // hold the output of pre-computation, as we use SHA512 gets a 64 bytes
// extraction
HMAC<hashAlgo>(salt, saltSize, ikm, ikmSize, prk.data(), prk.size());
// expansion round 0
std::vector<uint8_t> T(info.cbegin(), info.cend());
T.push_back(0x01);
HMAC<hashAlgo>(prk.data(), prk.size(), T.data(), T.size(), output, outputSize);
// successives expansion rounds
size_t index = std::min(outputSize, hashAlgo::ssize());
for(uint8_t i=0x02; index < outputSize; i++) {
T.assign(output+(i-2)*hashAlgo::ssize(), output+(i-1)*hashAlgo::ssize());
T.insert(T.end(), info.cbegin(), info.cend());
T.push_back(i);
HMAC<hashAlgo>(prk.data(), prk.size(), T.data(), T.size(), output+index, outputSize-index);
index += hashAlgo::ssize();
}
cleanBuffer(prk.data(), prk.size());
cleanBuffer(T.data(), T.size());
}
template <typename hashAlgo, typename infoType>
void HMAC_KDF(const std::vector<uint8_t> &salt, const std::vector<uint8_t> &ikm, const infoType &info, uint8_t *output, size_t outputSize) {
HMAC_KDF<SHA512>(salt.data(), salt.size(), ikm.data(), ikm.size(), info, output, outputSize);
};
/* instanciate HMAC_KDF template with SHA512 and string or vector info */
template void HMAC<SHA512>(const uint8_t *const key, const size_t keySize, const uint8_t *const input, const size_t inputSize, uint8_t *hash, size_t hashSize);
template void HMAC_KDF<SHA512, std::vector<uint8_t>>(const uint8_t *const salt, const size_t saltSize, const uint8_t *const ikm, const size_t ikmSize, const std::vector<uint8_t> &info, uint8_t *output, size_t outputSize);
template void HMAC_KDF<SHA512, std::string>(const uint8_t *const salt, const size_t saltSize, const uint8_t *const ikm, const size_t ikmSize, const std::string &info, uint8_t *output, size_t outputSize);
template void HMAC_KDF<SHA512, std::vector<uint8_t>>(const std::vector<uint8_t> &salt, const std::vector<uint8_t> &ikm, const std::vector<uint8_t> &info, uint8_t *output, size_t outputSize);
template void HMAC_KDF<SHA512, std::string>(const std::vector<uint8_t> &salt, const std::vector<uint8_t> &ikm, const std::string &info, uint8_t *output, size_t outputSize);
/* check buffer length are in sync with bctoolbox ones */
#ifdef EC25519_ENABLED
static_assert(BCTBX_ECDH_X25519_PUBLIC_SIZE == X<C255, Xtype::publicKey>::ssize(), "bctoolbox and local defines mismatch");
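Review bot: The std::vector overload of HMAC_KDF in the second hunk forwards to `HMAC_KDF<SHA512>` rather than `HMAC_KDF<hashAlgo>`, so its hashAlgo template parameter is ignored and a caller instantiating it with any other hash would still derive with SHA512 (masked today because SHA512 is the only specialisation); change the call to `HMAC_KDF<hashAlgo>(salt.data(), salt.size(), ikm.data(), ikm.size(), info, output, outputSize);` and drop the stray `;` after the closing brace. In the generic implementation the round counter `i` is a uint8_t, so an outputSize above 255*hashAlgo::ssize() wraps it to 0 and the `output+(i-2)*hashAlgo::ssize()` read in `T.assign` points before the buffer; RFC 5869 caps L at 255*HashLen, so reject larger requests up front (an exception or a documented precondition, whichever the rest of the file uses) instead of looping. T is grown by push_back/insert on every round, so a reallocation leaves a copy of the previous T(i-1) block in freed heap memory that the final cleanBuffer cannot reach; `T.reserve(hashAlgo::ssize() + info.size() + 1);` before round 0 keeps all intermediate key material in the one buffer that is wiped. The static_assert messages in the unspecialised HMAC templates say "You must specialize HMAC_KDF function template" although the template is HMAC, and the `template void HMAC<SHA512>(...)` line under the "instanciate HMAC_KDF" comment appears redundant since that specialisation is already defined explicitly above it.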
......
......@@ -197,6 +197,54 @@ class Signature {
virtual ~Signature() = default;
}; //class EdDSA
/**
* @brief templated HMAC
* template parameter is the hash algorithm used (SHA512 available for now)
*
* @parameter[in] key
* @parameter[in] keySize previous buffer size
* @parameter[in] input
* @parameter[in] inputSize previous buffer size
* @parameter[out] hash pointer to the output, this buffer must be able to hold as much data as requested
* @parameter[in] hashSize amount of expected data, if more than selected Hash algorithm can compute, silently ignored and maximum output size is generated
*
*/
template <typename hashAlgo>
void HMAC(const uint8_t *const key, const size_t keySize, const uint8_t *const input, const size_t inputSize, uint8_t *hash, size_t hashSize);
/* declare template specialisations */
template <> void HMAC<SHA512>(const uint8_t *const key, const size_t keySize, const uint8_t *const input, const size_t inputSize, uint8_t *hash, size_t hashSize);
/**
* @brief HKDF as described in RFC5869
* template parameters:
* hashAlgo: the hash algorithm to use (SHA512 available for now)
* infoType: the info parameter can be passed as a string or a std::vector<uint8_t>
* Compute:
* PRK = HMAC-Hash(salt, IKM)
*
* N = ceil(L/HashLen)
* T = T(1) | T(2) | T(3) | ... | T(N)
* OKM = first L octets of T
*
* where:
* T(0) = empty string (zero length)
* T(1) = HMAC-Hash(PRK, T(0) | info | 0x01)
* T(2) = HMAC-Hash(PRK, T(1) | info | 0x02)
* T(3) = HMAC-Hash(PRK, T(2) | info | 0x03)
* ...
*
* @param[in] salt salt
* @param[in] ikm input key material
* @param[in] info a info string or buffer
* @param[out] okm output key material
* @param[in] okmSize requested amount of data, okm buffer must be able to hold it. (L in the RFC doc)
*
*/
template <typename hashAlgo, typename infoType>
void HMAC_KDF(const std::vector<uint8_t> &salt, const std::vector<uint8_t> &ikm, const infoType &info, uint8_t *okm, size_t okmSize);
template <typename hashAlgo, typename infoType>
void HMAC_KDF(const uint8_t *const salt, const size_t saltSize, const uint8_t *const ikm, const size_t ikmSize, const infoType &info, uint8_t *output, size_t outputSize);
/*************************************************************************************************/
/********************** Factory Functions ********************************************************/
......@@ -210,11 +258,15 @@ std::shared_ptr<keyExchange<Base>> make_keyExchange();
template <typename Base>
std::shared_ptr<Signature<Base>> make_Signature();
/*************************************************************************************************/
/********************** Template Instanciation ***************************************************/
/*************************************************************************************************/
/* this templates are instanciated once in the lime_crypto_primitives.cpp file, explicitly tell anyone including this header that there is no need to re-instanciate them */
extern template void HMAC_KDF<SHA512, std::vector<uint8_t>>(const std::vector<uint8_t> &salt, const std::vector<uint8_t> &ikm, const std::vector<uint8_t> &info, uint8_t *output, size_t outputSize);
extern template void HMAC_KDF<SHA512, std::string>(const std::vector<uint8_t> &salt, const std::vector<uint8_t> &ikm, const std::string &info, uint8_t *output, size_t outputSize);
extern template void HMAC_KDF<SHA512, std::vector<uint8_t>>(const uint8_t *const salt, const size_t saltSize, const uint8_t *const ikm, const size_t ikmSize, const std::vector<uint8_t> &info, uint8_t *output, size_t outputSize);
extern template void HMAC_KDF<SHA512, std::string>(const uint8_t *const salt, const size_t saltSize, const uint8_t *const ikm, const size_t ikmSize, const std::string &info, uint8_t *output, size_t outputSize);
#ifdef EC25519_ENABLED
extern template std::shared_ptr<keyExchange<C255>> make_keyExchange();
extern template std::shared_ptr<Signature<C255>> make_Signature();
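Review bot: The HMAC_KDF doc block does not state the RFC 5869 bound on the requested length, which is the one input the expansion loop cannot tolerate; add `@param[in] okmSize requested amount of data, must not exceed 255*hashAlgo::ssize() (N <= 255, RFC 5869 section 2.3)`. The parameter names in that block (`okm`, `okmSize`) match only the std::vector overload; the pointer overload declared right after it uses `salt`/`saltSize`, `ikm`/`ikmSize` and `output`/`outputSize`, which are left undocumented. The HMAC block uses `@parameter` where Doxygen expects `@param`, so those descriptions will not render as parameter documentation. It would also help to state in the HMAC doc whether a zero-length key is accepted, since the double ratchet callers pass an empty salt and rely on the backend treating it as the RFC's HashLen zero bytes (I cannot confirm the bctoolbox behaviour from this page).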
......
......@@ -34,6 +34,7 @@ namespace settings {
// Sending, Receiving and Root key chain use 32 bytes keys (spec 3.2)
constexpr size_t DRChainKeySize=32;
const std::string hkdf_DRChainKey_info{"DR Root Chain Key Derivation"}; // String used as info in the root key derivation
// DR Message Key are composed of a 32 bytes key and 16 bytes of IV
constexpr size_t DRMessageKeySize=32;
......
......@@ -37,26 +37,13 @@ using namespace::std;
using namespace::lime;
namespace lime {
/* Set of constants used as input is several uses of HKDF like function */
/* They MUST be different */
const std::array<std::uint8_t,2> hkdf_rk_info{{0x03, 0x01}}; //it already includes the expansion index (0x01) used in kdf_rk
const std::array<std::uint8_t,1> hkdf_ck_info{{0x02}};
const std::array<std::uint8_t,1> hkdf_mk_info{{0x01}};
/****************************************************************************/
/* Helpers functions not part of DR class */
/****************************************************************************/
/* Key derivation functions : KDF_RK (root key derivation function, for DH ratchet) and KDF_CK(chain key derivation function, for symmetric ratchet) */
/**
* @Brief Key Derivation Function used in Root key/Diffie-Hellman Ratchet chain.
* HKDF impleted as described in RFC5869, using SHA512 as hash function according to recommendation in DR spec section 5.2
* Note: Output length requested by DH ratchet is 64 bytes. Using SHA512 we got it in one round of
* expansion (RFC5869 2.3), thus only one round is implemented here:
* PRK = HMAC-SHA512(salt, input)
* Output = HMAC-SHA512(PRK, info || 0x01)
*
* i.e: RK || CK = HMAC-SHA512(HMAC-SHA512(RK, dh_out), info || 0x01)
* info being a constant string HKDF_RK_INFO_STRING used only for this implementation of HKDF
* Use HKDF (see RFC5869) to derive CK and RK in one derivation
*
* @param[in/out] RK Input buffer used as salt also to store the 32 first byte of output key material
* @param[out] CK Output buffer, last 32 bytes of output key material
......@@ -64,33 +51,38 @@ namespace lime {
*/
template <typename Curve>
static void KDF_RK(DRChainKey &RK, DRChainKey &CK, const X<Curve, lime::Xtype::sharedSecret> &dh_out) noexcept {
uint8_t PRK[64]; // PRK size is the one of hmacSha512 maximum output
uint8_t tmp[2*lime::settings::DRChainKeySize]; // tmp will hold RK || CK
bctbx_hmacSha512(RK.data(), RK.size(), dh_out.data(), dh_out.size(), sizeof(PRK), PRK);
bctbx_hmacSha512(PRK, sizeof(PRK), hkdf_rk_info.data(), hkdf_rk_info.size(), sizeof(tmp), tmp);
std::copy_n(tmp, lime::settings::DRChainKeySize, RK.begin());
std::copy_n(tmp+lime::settings::DRChainKeySize, lime::settings::DRChainKeySize, CK.begin());
cleanBuffer(PRK, 64);
cleanBuffer(tmp, 2*lime::settings::DRChainKeySize);
// Ask for twice the size of a DRChainKey for HKDF output
std::array<uint8_t, 2*lime::settings::DRChainKeySize> HKDFoutput;
HMAC_KDF<SHA512>(RK.data(), RK.size(), dh_out.data(), dh_out.size(), lime::settings::hkdf_DRChainKey_info, HKDFoutput.data(), HKDFoutput.size());
// First half of the output goes to RootKey (RK)
std::copy_n(HKDFoutput.cbegin(), lime::settings::DRChainKeySize, RK.begin());
// Second half of the output goes to ChainKey (CK)
std::copy_n(HKDFoutput.cbegin()+lime::settings::DRChainKeySize, lime::settings::DRChainKeySize, CK.begin());
cleanBuffer(HKDFoutput.data(), HKDFoutput.size());
}
/* Set of constants used as input of HKDF like function, see double ratchet spec section 5.2 - KDF_CK */
const std::array<std::uint8_t,1> hkdf_ck_info{{0x02}};
const std::array<std::uint8_t,1> hkdf_mk_info{{0x01}};
/**
* @Brief Key Derivation Function used in Symmetric key ratchet chain.
* Impleted according to DR spec section 5.2 using HMAC-SHA256 for CK derivation and 512 for MK and IV derivation
* Implemented according to DR spec section 5.2 using HMAC-SHA512
* MK = HMAC-SHA512(CK, hkdf_mk_info) // get 48 bytes of it: first 32 to be key and last 16 to be IV
* CK = HMAC-SHA512(CK, hkdf_ck_info)
* hkdf_ck_info and hldf_mk_info being a distincts constant strings
* hkdf_ck_info and hldf_mk_info being a distincts constants (0x02 and 0x01 as suggested in double ratchet - section 5.2)
*
* @param[in/out] CK Input/output buffer used as key to compute MK and then next CK
* @param[out] MK Message Key(32 bytes) and IV(16 bytes) computed from HMAc_SHA512 keyed with CK
* @param[out] MK Message Key(32 bytes) and IV(16 bytes) computed from HMAC_SHA512 keyed with CK
*/
static void KDF_CK(DRChainKey &CK, DRMKey &MK) noexcept {
// derive MK and IV from CK and constant
bctbx_hmacSha512(CK.data(), CK.size(), hkdf_mk_info.data(), hkdf_mk_info.size(), MK.size(), MK.data());
HMAC<SHA512>(CK.data(), CK.size(), hkdf_mk_info.data(), hkdf_mk_info.size(), MK.data(), MK.size());
// use temporary buffer, not likely that output and key could be the same buffer
DRChainKey tmp;
bctbx_hmacSha512(CK.data(), CK.size(), hkdf_ck_info.data(), hkdf_ck_info.size(), tmp.size(), tmp.data());
HMAC<SHA512>(CK.data(), CK.size(), hkdf_ck_info.data(), hkdf_ck_info.size(), tmp.data(), tmp.size());
CK = tmp;
}
......@@ -420,12 +412,11 @@ namespace lime {
std::array<uint8_t,lime::settings::DRrandomSeedSize> randomSeed{}; // this seed is sent in DR message and used to derivate random key + IV to encrypt the actual message
RNG_context->randomize(randomSeed.data(), randomSeed.size());
// expansion of randomSeed to 48 bytes: 32 bytes random key + 16 bytes nonce
// use the expansion round of HKDF - RFC 5869
// expansion of randomSeed to 48 bytes: 32 bytes random key + 16 bytes nonce, use HKDF with empty salt
std::vector<uint8_t> emptySalt{};
emptySalt.clear();
std::array<uint8_t,lime::settings::DRMessageKeySize+lime::settings::DRMessageIVSize> randomKey{};
std::vector<uint8_t> expansionRoundInput{lime::settings::hkdf_randomSeed_info.cbegin(), lime::settings::hkdf_randomSeed_info.cend()};
expansionRoundInput.push_back(0x01);
bctbx_hmacSha512(randomSeed.data(), randomSeed.size(), expansionRoundInput.data(), expansionRoundInput.size(), randomKey.size(), randomKey.data());
HMAC_KDF<SHA512>(emptySalt.data(), emptySalt.size(), randomSeed.data(), randomSeed.size(), lime::settings::hkdf_randomSeed_info, randomKey.data(), randomKey.size());
// resize cipherMessage vector as it is adressed directly by C library: same as plain message + room for the authentication tag
cipherMessage.resize(plaintext.size()+lime::settings::DRMessageAuthTagSize);
......@@ -491,11 +482,11 @@ namespace lime {
plaintext.resize(cipherMessage.size()-lime::settings::DRMessageAuthTagSize);
// rebuild the random key and IV from given seed
// use the expansion round of HKDF - RFC 5869
// use HKDF - RFC 5869 with empty salt
std::vector<uint8_t> emptySalt{};
emptySalt.clear();
std::array<uint8_t,lime::settings::DRMessageKeySize+lime::settings::DRMessageIVSize> randomKey{};
std::vector<uint8_t> expansionRoundInput{lime::settings::hkdf_randomSeed_info.cbegin(), lime::settings::hkdf_randomSeed_info.cend()};
expansionRoundInput.push_back(0x01);
bctbx_hmacSha512(randomSeed.data(), randomSeed.size(), expansionRoundInput.data(), expansionRoundInput.size(), randomKey.size(), randomKey.data());
HMAC_KDF<SHA512>(emptySalt.data(), emptySalt.size(), randomSeed.data(), randomSeed.size(), lime::settings::hkdf_randomSeed_info, randomKey.data(), randomKey.size());
cleanBuffer(randomSeed.data(), randomSeed.size());
// use it to decipher message
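Review bot: The randomSeed-to-randomKey derivation is now written out twice, once in the encrypt path and once in the decrypt path (the last two hunks), and the two copies must stay byte-identical for messages to decrypt; factor them into one static helper next to KDF_CK so the info string, the empty salt and the output layout are defined in a single place. `emptySalt.clear()` on a freshly value-initialised vector is a no-op and can go. Replacing the former hkdf_rk_info bytes with a full HKDF keyed on `hkdf_DRChainKey_info` changes the KDF_RK output, so any session state persisted by an earlier build (if any exists) will no longer ratchet in step with this one; if sessions are stored, a storage version bump or a note in the commit message would make that explicit. Both enclosing functions start and end outside the hunks.
```cpp
/* Derive the 32 bytes random key and 16 bytes IV from the random seed carried in the DR message: HKDF-SHA512 with an empty salt */
static void deriveRandomKey(const std::array<uint8_t,lime::settings::DRrandomSeedSize> &randomSeed,
		std::array<uint8_t,lime::settings::DRMessageKeySize+lime::settings::DRMessageIVSize> &randomKey) noexcept {
	const std::vector<uint8_t> emptySalt{};
	HMAC_KDF<SHA512>(emptySalt.data(), emptySalt.size(), randomSeed.data(), randomSeed.size(), lime::settings::hkdf_randomSeed_info, randomKey.data(), randomKey.size());
}
// … unchanged: encrypt path up to randomSeed generation …
std::array<uint8_t,lime::settings::DRMessageKeySize+lime::settings::DRMessageIVSize> randomKey{};
deriveRandomKey(randomSeed, randomKey);
// … unchanged: cipherMessage resize and encryption; same two lines replace the copy in the decrypt path …
```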
......
......@@ -31,7 +31,7 @@ namespace lime {
enum class DSAtype {publicKey, privateKey, signature}; // Signature has public key, private key and signature
/* define needed constant for the curves: self identificatio(used in DB and as parameter from lib users, data structures sizes)*/
/* These structure are used as template argument to enable support for different Algorithms */
/* These structure are used as template argument to enable support for different key Exchznge and signature Algorithms */
struct C255 { // curve 25519, use a 4 chars to identify it to improve code readability
static constexpr lime::CurveId curveId() {return lime::CurveId::c25519;};
// for X25519, public, private and shared secret have the same length: 32 bytes
......@@ -47,6 +47,11 @@ namespace lime {
// for Ed448, public and private key have the same length 57 bytes, signature is 114 bytes long
static constexpr size_t DSAsize(lime::DSAtype dataType) {return (dataType != lime::DSAtype::signature)?57:114;};
};
// Hash function defines
struct SHA512 {
static constexpr size_t ssize() {return 64;} // maximum output size
};
}
#endif /* lime_keys_hpp */
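Review bot: `SHA512::ssize()` is now the HashLen that HMAC<SHA512> clamps to and that HMAC_KDF uses to size PRK and each expansion round, but unlike the curve sizes checked in lime_crypto_primitives.cpp nothing ties it to the bctoolbox digest length; if bctoolbox exposes a define for the SHA-512 output size, add `static_assert(<BCTBX_SHA512_OUTPUT_SIZE_DEFINE> == SHA512::ssize(), "bctoolbox and local defines mismatch");` next to the existing ones. The comment on ssize() says "maximum output size", which for a hash is simply the digest length; `// digest length (HashLen in RFC 5869)` names the role the rest of the commit relies on. The reworded comment above C255 has a typo, "Exchznge" for "Exchange".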
......@@ -26,7 +26,6 @@
#include "lime/lime.hpp"
#include "lime_impl.hpp"
#include "lime_double_ratchet_protocol.hpp"
#include "bctoolbox/crypto.h"
#include "bctoolbox/exception.hh"
#include "lime_crypto_primitives.hpp"
......@@ -34,33 +33,6 @@ using namespace::std;
using namespace::lime;
namespace lime {
/**
* @Brief Key Derivation Function. Used to derive SK(DRChainKey) from DH computation and AD from initiator and receiver ids and key
* HKDF impleted as described in RFC5869, using SHA512 as hash function according to recommendation in X3DH spec section 2.2
* Note: Output length requested by X3DH is 32 bytes. Using SHA512 we got it in one round of
* expansion (RFC5869 2.3), thus only one round is implemented here:
* PRK = HMAC-SHA512(salt, input)
* Output = HMAC-SHA512(PRK, info || 0x01)
*
* with salt being a 0 filled buffer of SHA512 output length(64 bytes) X3DH spec section 2.2 KDF
*
* @param[in] input Input buffer holding F || DH1 || DH2 || DH3 [|| DH4] or Ik initiator || Ik receiver || Initiator device Id || Receiver device Id
* @param[in] info The string used as info
* @param[out] output Output buffer, shall not be longer than 64 bits as we used SHA512 to compute and implement one round only. Templated as we need DRChainKey or SharedADBuffer typed output
*/
template <typename T>
static void X3DH_HKDF(std::vector<uint8_t> &input, const std::string &info, T &output) noexcept {
std::array<uint8_t,64> prk; // hold the output of pre-computation, as we use SHA512 gets a 64 bytes
// expansion round input shall be info || 0x01
std::vector<uint8_t> expansionRoundInput{info.cbegin(), info.cend()};
expansionRoundInput.push_back(0x01);
std::array<uint8_t,64> zeroFilledSalt; zeroFilledSalt.fill(0);
bctbx_hmacSha512(zeroFilledSalt.data(), zeroFilledSalt.size(), input.data(), input.size(), prk.size(), prk.data());
bctbx_hmacSha512(prk.data(), prk.size(), expansionRoundInput.data(), expansionRoundInput.size(), output.size(), output.data());
cleanBuffer(prk.data(), prk.size());
}
/**
* @brief Get a vector of peer bundle and initiate a DR Session with it. Created sessions are stored in lime cache and db along the X3DH init packet
* as decribed in X3DH reference section 3.3
......@@ -81,12 +53,6 @@ namespace lime {
// throw an exception in case of failure, just let it flow up
long int peerDid = store_peerDevice(peerBundle.deviceId, peerBundle.Ik);
// Convert self Ik and peer Ik ED keys to X keys : Ek context to hold (Ek / peerIk) - will be then reused with other peer public keys, selfIk context to hold (self Ik / <no peer public key for now>)
//auto selfIk = make_keyExchange<Curve>();
// Start by peer as it is already stored in EDDSAContext, convert it directly to Ek context as peer public
//bctbx_EDDSA_ECDH_publicKeyConversion(EDDSAContext, Ek, BCTBX_ECDH_ISPEER);
// Set self Ik public and private to EDDSAContext key and convert them
// Initiate HKDF input : We will compute HKDF with a concat of F and all DH computed, see X3DH spec section 2.2 for what is F
std::vector<uint8_t> HKDF_input(DSA<Curve, lime::DSAtype::publicKey>::ssize(), 0xFF); // F has the same length DSA public key has
HKDF_input.reserve(DSA<Curve, lime::DSAtype::publicKey>::ssize() + X<Curve, lime::Xtype::sharedSecret>::ssize()*4); // reserve memory for DH4 anyway
......@@ -104,17 +70,17 @@ namespace lime {
// Generate Ephemeral key Exchange key pair: Ek, from now DH will hold Ek as private and self public key
DH->createKeyPair(m_RNG);
// Compute DH2 = DH(Ek, peer Ik)
DH->set_peerPublic(peerBundle.Ik); // peer Ik Signature key is converted to keyExchange format
// Compute DH3 = DH(Ek, peer SPk) - peer SPk was already set as peer Public
DH->computeSharedSecret();
DH_out = DH->get_sharedSecret();
HKDF_input.insert(HKDF_input.end(), DH_out.cbegin(), DH_out.cend()); // HKDF_input holds F || DH1 || DH2
auto DH2pos = HKDF_input.cend(); // remember current end of buffer so we will insert DH2 there
HKDF_input.insert(HKDF_input.end(), DH_out.cbegin(), DH_out.cend()); // HKDF_input holds F || DH1 || DH2 || DH3
// Compute DH3 = DH(Ek, peer SPk) - Set peer SPk as peer Public, Ek already in place
DH->set_peerPublic(peerBundle.SPk);
// Compute DH2 = DH(Ek, peer Ik)
DH->set_peerPublic(peerBundle.Ik); // peer Ik Signature key is converted to keyExchange format
DH->computeSharedSecret();
DH_out = DH->get_sharedSecret();
HKDF_input.insert(HKDF_input.end(), DH_out.cbegin(), DH_out.cend()); // HKDF_input holds F || DH1 || DH2 || DH3
HKDF_input.insert(DH2pos, DH_out.cbegin(), DH_out.cend()); // HKDF_input holds F || DH1 || DH2
// Compute DH4 = DH(Ek, peer OPk) (if any OPk in bundle)
if (peerBundle.haveOPk) {
......@@ -126,7 +92,9 @@ namespace lime {
// Compute SK = HKDF(F || DH1 || DH2 || DH3 || DH4)
DRChainKey SK;
X3DH_HKDF<DRChainKey>(HKDF_input, lime::settings::X3DH_SK_info, SK);
/* as specified in X3DH spec section 2.2, use a as salt a 0 filled buffer long as the hash function output */
std::vector<uint8_t> salt(SHA512::ssize(), 0);
HMAC_KDF<SHA512>(salt, HKDF_input, lime::settings::X3DH_SK_info, SK.data(), SK.size());
cleanBuffer(HKDF_input.data(), HKDF_input.size());
// Generate X3DH init message: as in X3DH spec section 3.3:
......@@ -141,7 +109,7 @@ namespace lime {
AD_input.insert(AD_input.end(), peerBundle.Ik.cbegin(), peerBundle.Ik.cend());
AD_input.insert(AD_input.end(), m_selfDeviceId.cbegin(), m_selfDeviceId.cend());
AD_input.insert(AD_input.end(), peerBundle.deviceId.cbegin(), peerBundle.deviceId.cend());
X3DH_HKDF<SharedADBuffer>(AD_input, lime::settings::X3DH_AD_info, AD);
HMAC_KDF<SHA512>(salt, AD_input, lime::settings::X3DH_AD_info, AD.data(), AD.size()); // use the same salt as for SK computation but a different info string
// Generate DR_Session and put it in cache(but not in localStorage yet, that would be done when first message generation will be complete)
// it could happend that we eventually already have a session for this peer device if we received an initial message from it while fetching its key bundle(very unlikely but...)
......@@ -222,7 +190,9 @@ namespace lime {
// Compute SK = HKDF(F || DH1 || DH2 || DH3 || DH4) (DH4 optionnal)
DRChainKey SK;
X3DH_HKDF<DRChainKey>(HKDF_input, lime::settings::X3DH_SK_info, SK);
/* as specified in X3DH spec section 2.2, use a as salt a 0 filled buffer long as the hash function output */
std::vector<uint8_t> salt(SHA512::ssize(), 0);
HMAC_KDF<SHA512>(salt, HKDF_input, lime::settings::X3DH_SK_info, SK.data(), SK.size());
cleanBuffer(HKDF_input.data(), HKDF_input.size());
// Generate the shared AD used in DR session
......@@ -231,7 +201,7 @@ namespace lime {
AD_input.insert(AD_input.end(), m_Ik.publicKey().cbegin(), m_Ik.publicKey().cend());
AD_input.insert(AD_input.end(), senderDeviceId.cbegin(), senderDeviceId.cend());
AD_input.insert(AD_input.end(), m_selfDeviceId.cbegin(), m_selfDeviceId.cend());
X3DH_HKDF<SharedADBuffer>(AD_input, lime::settings::X3DH_AD_info, AD);
HMAC_KDF<SHA512>(salt, AD_input, lime::settings::X3DH_AD_info, AD.data(), AD.size()); // use the same salt as for SK computation but a different info string
// insert the new peer device Id in Storage, keep the Id used in table to give it to DR_Session which will need it to save itself into DB.
long int peerDid=0;
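Review bot: In the hunk that reorders the DH2/DH3 computation, `auto DH2pos = HKDF_input.cend();` is captured before DH3 is inserted at the end of the same vector and is then used as the insertion point for DH2; a vector insert invalidates every iterator at or after the insertion point, so that later `HKDF_input.insert(DH2pos, ...)` is undefined behaviour by the standard and only works in practice because of the earlier `reserve` and contiguous storage. Keep an offset instead: `const auto DH2pos = HKDF_input.size();` and later `HKDF_input.insert(HKDF_input.begin() + DH2pos, DH_out.cbegin(), DH_out.cend());`. The comment on the DH3 insert ("HKDF_input holds F || DH1 || DH2 || DH3") is stale at that point, since the buffer holds F || DH1 || DH3 until DH2 is placed. The zero-filled salt vector is built identically in the initiator and receiver functions; a single namespace-scope constant would keep the X3DH spec section 2.2 rule in one place. The enclosing functions start and end outside the hunks, and I am inferring which lines are new from the surrounding comments.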
......
......@@ -320,9 +320,107 @@ static void signAndVerify(void) {
#endif
}
static void hashMac_KDF_bench(uint64_t runTime_ms, size_t IKMsize) {
size_t batch_size = 500;
/* Generate random input and info */
auto rng_source = make_RNG();
/* input lenght is the same used by X3DH */
std::vector<uint8_t> IKM(IKMsize, 0);
rng_source->randomize(IKM.data(), IKM.size());
std::string info{"The lime tester info string"};
std::vector<uint8_t> salt(SHA512::ssize(), 0); // salt is the same used in X3DH
std::array<uint8_t, 64> output;
auto start = bctbx_get_cur_time_ms();
uint64_t span=0;
size_t runCount = 0;
while (span<runTime_ms) {
for (size_t i=0; i<batch_size; i++) {
/* Run the HKDF function asking for 64 bytes(no use of the HKDF function requests more than that in the lime library) */
HMAC_KDF<SHA512>(salt, IKM, info, output.data(), output.size());
}
span = bctbx_get_cur_time_ms() - start;
runCount += batch_size;
}
auto freq = 1000*runCount/static_cast<double>(span);
std::string freq_unit, period_unit;
snprintSI(freq_unit, freq, "derivations/s");
snprintSI(period_unit, 1/freq, "s/derivation");
std::cout<<"Derive "<<int(runCount)<<" key material in "<<int(span)<<" ms : "<<period_unit<<" "<<freq_unit<<endl<<endl;
}
static void hashMac_KDF(void) {
/* test patterns from RFC5869 generated for SHA512 using https://github.com/casebeer/python-hkdf */
/* test A.1 */
std::vector<uint8_t> IKM{0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b};
std::vector<uint8_t> salt{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c};
std::vector<uint8_t> info{0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9};
std::vector<uint8_t> OKM{0x83, 0x23, 0x90, 0x08, 0x6c, 0xda, 0x71, 0xfb, 0x47, 0x62, 0x5b, 0xb5, 0xce, 0xb1, 0x68, 0xe4, 0xc8, 0xe2, 0x6a, 0x1a, 0x16, 0xed, 0x34, 0xd9, 0xfc, 0x7f, 0xe9, 0x2c, 0x14, 0x81, 0x57, 0x93, 0x38, 0xda, 0x36, 0x2c, 0xb8, 0xd9, 0xf9, 0x25, 0xd7, 0xcb};
std::vector<uint8_t> output;
output.resize(OKM.size());
HMAC_KDF<SHA512>(salt, IKM, info, output.data(), output.size());
BC_ASSERT_TRUE(OKM==output);
/* test A.2 */
IKM.assign({0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f, 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f});
salt.assign({0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f, 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97, 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f, 0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7, 0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf});
info.assign({0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, 0xb8, 0xb9, 0xba, 0xbb, 0xbc, 0xbd, 0xbe, 0xbf, 0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7, 0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf, 0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7, 0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf, 0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7, 0xe8, 0xe9, 0xea, 0xeb, 0xec, 0xed, 0xee, 0xef, 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff});
OKM.assign({0xce, 0x6c, 0x97, 0x19, 0x28, 0x05, 0xb3, 0x46, 0xe6, 0x16, 0x1e, 0x82, 0x1e, 0xd1, 0x65, 0x67, 0x3b, 0x84, 0xf4, 0x00, 0xa2, 0xb5, 0x14, 0xb2, 0xfe, 0x23, 0xd8, 0x4c, 0xd1, 0x89, 0xdd, 0xf1, 0xb6, 0x95, 0xb4, 0x8c, 0xbd, 0x1c, 0x83, 0x88, 0x44, 0x11, 0x37, 0xb3, 0xce, 0x28, 0xf1, 0x6a, 0xa6, 0x4b, 0xa3, 0x3b, 0xa4, 0x66, 0xb2, 0x4d, 0xf6, 0xcf, 0xcb, 0x02, 0x1e, 0xcf, 0xf2, 0x35, 0xf6, 0xa2, 0x05, 0x6c, 0xe3, 0xaf, 0x1d, 0xe4, 0x4d, 0x57, 0x20, 0x97, 0xa8, 0x50, 0x5d, 0x9e, 0x7a, 0x93});
output.resize(OKM.size());
HMAC_KDF<SHA512>(salt, IKM, info, output.data(), output.size());
BC_ASSERT_TRUE(OKM==output);
/* test A.3 */
IKM.assign({0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b});
salt.clear();
info.clear();
OKM.assign({0xf5, 0xfa, 0x02, 0xb1, 0x82, 0x98, 0xa7, 0x2a, 0x8c, 0x23, 0x89, 0x8a, 0x87, 0x03, 0x47, 0x2c, 0x6e, 0xb1, 0x79, 0xdc, 0x20, 0x4c, 0x03, 0x42, 0x5c, 0x97, 0x0e, 0x3b, 0x16, 0x4b, 0xf9, 0x0f, 0xff, 0x22, 0xd0, 0x48, 0x36, 0xd0, 0xe2, 0x34, 0x3b, 0xac});
output.resize(OKM.size());
HMAC_KDF<SHA512>(salt, IKM, info, output.data(), output.size());
BC_ASSERT_TRUE(OKM==output);
/* test A.4 */
IKM.assign({0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b});
salt.assign({0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c});
info.assign({0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9});
OKM.assign({0x74, 0x13, 0xe8, 0x99, 0x7e, 0x02, 0x06, 0x10, 0xfb, 0xf6, 0x82, 0x3f, 0x2c, 0xe1, 0x4b, 0xff, 0x01, 0x87, 0x5d, 0xb1, 0xca, 0x55, 0xf6, 0x8c, 0xfc, 0xf3, 0x95, 0x4d, 0xc8, 0xaf, 0xf5, 0x35, 0x59, 0xbd, 0x5e, 0x30, 0x28, 0xb0, 0x80, 0xf7, 0xc0, 0x68});
output.resize(OKM.size());
HMAC_KDF<SHA512>(salt, IKM, info, output.data(), output.size());
BC_ASSERT_TRUE(OKM==output);
/* test A.7 */
IKM.assign({0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c});
salt.clear();
info.clear();
OKM.assign({0x14, 0x07, 0xd4, 0x60, 0x13, 0xd9, 0x8b, 0xc6, 0xde, 0xce, 0xfc, 0xfe, 0xe5, 0x5f, 0x0f, 0x90, 0xb0, 0xc7, 0xf6, 0x3d, 0x68, 0xeb, 0x1a, 0x80, 0xea, 0xf0, 0x7e, 0x95, 0x3c, 0xfc, 0x0a, 0x3a, 0x52, 0x40, 0xa1, 0x55, 0xd6, 0xe4, 0xda, 0xa9, 0x65, 0xbb});
output.resize(OKM.size());
HMAC_KDF<SHA512>(salt, IKM, info, output.data(), output.size());
BC_ASSERT_TRUE(OKM==output);
/* Run benchmarks */
if (bench) {
size_t IKMsize = 0;
#ifdef EC25519_ENABLED
IKMsize = DSA<C255, lime::DSAtype::publicKey>::ssize()+4*X<C255, lime::Xtype::sharedSecret>::ssize();
std::cout<<"Bench for SHA512 on Curve 25519 X3DH sized IKM("<<IKMsize<<" bytes)"<<endl;
hashMac_KDF_bench(BENCH_TIMING_MS, IKMsize);
#endif
#ifdef EC448_ENABLED
IKMsize = DSA<C448, lime::DSAtype::publicKey>::ssize()+4*X<C448, lime::Xtype::sharedSecret>::ssize();
std::cout<<"Bench for SHA512 on Curve 448 X3DH sized IKM("<<IKMsize<<" bytes)"<<endl;
hashMac_KDF_bench(BENCH_TIMING_MS, IKMsize);
#endif
}
}
static test_t tests[] = {
TEST_NO_TAG("Key Exchange", exchange),
TEST_NO_TAG("Signature", signAndVerify),
TEST_NO_TAG("HKDF", hashMac_KDF),
};
test_suite_t lime_crypto_test_suite = {
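Review bot: The new HKDF test exercises HMAC<SHA512> only indirectly, so a wrong key/message ordering or a broken truncation in the HMAC specialisation would surface as an HKDF mismatch with no hint of where; add one direct case from RFC 4231 (its HMAC-SHA-512 test vectors) ahead of the HKDF cases, including a request shorter than 64 bytes to pin the `std::min` truncation. The comment "test patterns from RFC5869 generated for SHA512" is ambiguous because RFC 5869 publishes only SHA-256 and SHA-1 vectors; say that these are the RFC's inputs with expected outputs regenerated for SHA-512 by the named tool, and note that A.2 (82 bytes) is the case that covers a second expansion round. In hashMac_KDF_bench, `std::array<uint8_t, 64> output;` is a write-only sink, so `output{}` keeps it initialised at no cost, and the comment "input lenght" should read "input length".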
......