1 /* -*- Mode: C; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2
3 /*
4 * Copyright (c) 2018, SICS, RISE AB
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the Institute nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * SUCH DAMAGE.
30 *
31 */
32
33 /**
34 * @file oscore_crypto.c
35 * @brief An implementation of the Hash Based Key Derivation Function (RFC) and
36 * wrappers for AES-CCM*.
37 *
38 * \author
39 * Martin Gunnarsson <martin.gunnarsson@ri.se>
40 * extended for libcoap
41 * Peter van der Stok <consultancy@vanderstok.org>
42 * on request of Fairhair alliance
43 * adapted for libcoap integration
44 * Jon Shallow <supjps-libcoap@jpshallow.com>
45 */
46
47 #include "coap3/coap_internal.h"
48 #include <string.h>
49
50 #include <stdio.h>
51
52 /*
53 * return 0 fail
54 * 1 OK
55 */
56 int
oscore_hmac_hash(cose_hmac_alg_t hmac_alg,coap_bin_const_t * key,coap_bin_const_t * data,coap_bin_const_t ** hmac)57 oscore_hmac_hash(cose_hmac_alg_t hmac_alg,
58 coap_bin_const_t *key,
59 coap_bin_const_t *data,
60 coap_bin_const_t **hmac) {
61 if (!coap_crypto_hmac(hmac_alg, key, data, hmac)) {
62 coap_log_warn("oscore_hmac_hash: Failed hmac\n");
63 return 0;
64 }
65 return 1;
66 }
67
68 /*
69 * return 0 fail
70 * 1 OK
71 */
72 int
oscore_hkdf_extract(cose_hkdf_alg_t hkdf_alg,coap_bin_const_t * salt,coap_bin_const_t * ikm,coap_bin_const_t ** hkdf_extract)73 oscore_hkdf_extract(cose_hkdf_alg_t hkdf_alg,
74 coap_bin_const_t *salt,
75 coap_bin_const_t *ikm,
76 coap_bin_const_t **hkdf_extract) {
77 cose_hmac_alg_t hmac_alg;
78
79 assert(ikm);
80 if (!cose_get_hmac_alg_for_hkdf(hkdf_alg, &hmac_alg))
81 return 0;
82 if (salt == NULL || salt->s == NULL) {
83 uint8_t zeroes_data[32];
84 coap_bin_const_t zeroes;
85
86 memset(zeroes_data, 0, sizeof(zeroes_data));
87 zeroes.s = zeroes_data;
88 zeroes.length = sizeof(zeroes_data);
89
90 return oscore_hmac_hash(hmac_alg, &zeroes, ikm, hkdf_extract);
91 } else {
92 return oscore_hmac_hash(hmac_alg, salt, ikm, hkdf_extract);
93 }
94 }
95
96 /*
97 * return 0 fail
98 * 1 OK
99 */
100 int
oscore_hkdf_expand(cose_hkdf_alg_t hkdf_alg,coap_bin_const_t * prk,uint8_t * info,size_t info_len,uint8_t * okm,size_t okm_len)101 oscore_hkdf_expand(cose_hkdf_alg_t hkdf_alg,
102 coap_bin_const_t *prk,
103 uint8_t *info,
104 size_t info_len,
105 uint8_t *okm,
106 size_t okm_len) {
107 size_t N = (okm_len + 32 - 1) / 32; /* ceil(okm_len/32) */
108 uint8_t *aggregate_buffer = coap_malloc_type(COAP_STRING, 32 + info_len + 1);
109 uint8_t *out_buffer =
110 coap_malloc_type(COAP_STRING, (N + 1) * 32); /* 32 extra bytes to fit the last block */
111 size_t i;
112 coap_bin_const_t data;
113 coap_bin_const_t *hkdf = NULL;
114 cose_hmac_alg_t hmac_alg;
115
116 if (!cose_get_hmac_alg_for_hkdf(hkdf_alg, &hmac_alg))
117 goto fail;
118 /* Compose T(1) */
119 memcpy(aggregate_buffer, info, info_len);
120 aggregate_buffer[info_len] = 0x01;
121
122 data.s = aggregate_buffer;
123 data.length = info_len + 1;
124 if (!oscore_hmac_hash(hmac_alg, prk, &data, &hkdf))
125 goto fail;
126 memcpy(&out_buffer[0], hkdf->s, hkdf->length);
127 coap_delete_bin_const(hkdf);
128
129 /* Compose T(2) -> T(N) */
130 memcpy(aggregate_buffer, &(out_buffer[0]), 32);
131 for (i = 1; i < N; i++) {
132 memcpy(&(aggregate_buffer[32]), info, info_len);
133 aggregate_buffer[32 + info_len] = (uint8_t)(i + 1);
134 data.s = aggregate_buffer;
135 data.length = 32 + info_len + 1;
136 if (!oscore_hmac_hash(hmac_alg, prk, &data, &hkdf))
137 goto fail;
138 memcpy(&out_buffer[i * 32], hkdf->s, hkdf->length);
139 coap_delete_bin_const(hkdf);
140 memcpy(aggregate_buffer, &(out_buffer[i * 32]), 32);
141 }
142 memcpy(okm, out_buffer, okm_len);
143 coap_free_type(COAP_STRING, out_buffer);
144 coap_free_type(COAP_STRING, aggregate_buffer);
145 return 1;
146
147 fail:
148 coap_free_type(COAP_STRING, out_buffer);
149 coap_free_type(COAP_STRING, aggregate_buffer);
150 return 0;
151 }
152
153 /*
154 * return 0 fail
155 * 1 OK
156 */
157 int
oscore_hkdf(cose_hkdf_alg_t hkdf_alg,coap_bin_const_t * salt,coap_bin_const_t * ikm,uint8_t * info,size_t info_len,uint8_t * okm,size_t okm_len)158 oscore_hkdf(cose_hkdf_alg_t hkdf_alg,
159 coap_bin_const_t *salt,
160 coap_bin_const_t *ikm,
161 uint8_t *info,
162 size_t info_len,
163 uint8_t *okm,
164 size_t okm_len) {
165 int ret;
166 coap_bin_const_t *hkdf_extract = NULL;
167 if (!oscore_hkdf_extract(hkdf_alg, salt, ikm, &hkdf_extract))
168 return 0;
169 ret =
170 oscore_hkdf_expand(hkdf_alg, hkdf_extract, info, info_len, okm, okm_len);
171 coap_delete_bin_const(hkdf_extract);
172 return ret;
173 }
174