diff --git a/ChangeLog b/ChangeLog
index 24bd92a9b91b783a5effdfe03b68327ef7ecdbc7..10167a7117d5ee70963d5a96fba0067d5aa84ada 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,19 @@
+2017-09-06 Niels Möller <nisse@lysator.liu.se>
+
+ * hkdf.c (hkdf_expand): Eliminate a (signed) ssize_t variable, use
+ break rather than return at loop termination.
+
+2017-09-06 Niels Möller <nisse@lysator.liu.se>
+
+ HKDF implementation, contributed by Nikos Mavrogiannopoulos.
+ * hkdf.c (hkdf_extract, hkdf_expand): New file, new functions.
+ * hkdf.h: New file.
+ * Makefile.in (nettle_SOURCES): Add hkdf.c.
+ (HEADERS): Add hkdf.h.
+ * testsuite/hkdf-test.c: Tests for hkdf-sha256 and hkdf-sha1.
+ * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added hkdf-test.c.
+ * nettle.texinfo (Key derivation functions): Document HKDF.
+
2017-09-04 Andreas Schneider <asn@samba.org>
* fat-arm.c: Add missing define for _GNU_SOURCE.
diff --git a/Makefile.in b/Makefile.in
index d372c2331f81636b0c468de4b30516aca511b6bc..1aa2b29db7021e6f1c692ceace77b9cc75e894c4 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -106,7 +106,7 @@ nettle_SOURCES = aes-decrypt-internal.c aes-decrypt.c \
gosthash94.c gosthash94-meta.c \
hmac.c hmac-md5.c hmac-ripemd160.c hmac-sha1.c \
hmac-sha224.c hmac-sha256.c hmac-sha384.c hmac-sha512.c \
- knuth-lfib.c \
+ knuth-lfib.c hkdf.c \
md2.c md2-meta.c md4.c md4-meta.c \
md5.c md5-compress.c md5-compat.c md5-meta.c \
memeql-sec.c memxor.c memxor3.c \
@@ -192,7 +192,7 @@ HEADERS = aes.h arcfour.h arctwo.h asn1.h blowfish.h \
curve25519.h des.h des-compat.h dsa.h dsa-compat.h eax.h \
ecc-curve.h ecc.h ecdsa.h eddsa.h \
gcm.h gosthash94.h hmac.h \
- knuth-lfib.h \
+ knuth-lfib.h hkdf.h \
macros.h \
md2.h md4.h \
md5.h md5-compat.h \
diff --git a/hkdf.c b/hkdf.c
new file mode 100644
index 0000000000000000000000000000000000000000..c55c42fd4a29d2c3b6525af30972d767611ca2e7
--- /dev/null
+++ b/hkdf.c
@@ -0,0 +1,82 @@
+/*
+ * Copyright (C) 2017 Red Hat, Inc.
+ *
+ * Author: Nikos Mavrogiannopoulos
+ *
+ * This file is part of GnuTLS.
+ *
+ * The GnuTLS is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public License
+ * as published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+/* Functions for the HKDF handling.
+ */
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <assert.h>
+/* Needed for alloca on freebsd */
+#include <stdlib.h>
+#include <string.h>
+
+#include "hmac.h"
+
+#include "memxor.h"
+#include "nettle-internal.h"
+#include "hkdf.h"
+
+/* hkdf_extract: Outputs a PRK of digest_size
+ */
+void
+hkdf_extract(void *mac_ctx,
+ nettle_hash_update_func *update,
+ nettle_hash_digest_func *digest,
+ size_t digest_size,
+ size_t secret_size, const uint8_t *secret,
+ uint8_t *dst)
+{
+ update(mac_ctx, secret_size, secret);
+ digest(mac_ctx, digest_size, dst);
+}
+
+/* hkdf_expand: Outputs an arbitrary key of size specified by length
+ */
+void
+hkdf_expand(void *mac_ctx,
+ nettle_hash_update_func *update,
+ nettle_hash_digest_func *digest,
+ size_t digest_size,
+ size_t info_size, const uint8_t *info,
+ size_t length, uint8_t *dst)
+{
+ uint8_t i = 1;
+
+ if (!length)
+ return;
+
+ for (;; dst += digest_size, length -= digest_size, i++)
+ {
+ update(mac_ctx, info_size, info);
+ update(mac_ctx, 1, &i);
+ if (length <= digest_size)
+ break;
+
+ digest(mac_ctx, digest_size, dst);
+ update(mac_ctx, digest_size, dst);
+ }
+
+ digest(mac_ctx, length, dst);
+}
diff --git a/hkdf.h b/hkdf.h
new file mode 100644
index 0000000000000000000000000000000000000000..cf14fc09bb40f8e4ac171b3ae6ce9e66c4ed97aa
--- /dev/null
+++ b/hkdf.h
@@ -0,0 +1,67 @@
+/* hkdf.h
+
+ TLS PRF code (RFC-5246, RFC-2246).
+
+ Copyright (C) 2017 Red Hat, Inc.
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_HKDF_H_INCLUDED
+#define NETTLE_HKDF_H_INCLUDED
+
+#include "nettle-meta.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Namespace mangling */
+#define hkdf_extract nettle_hkdf_extract
+#define hkdf_expand nettle_hkdf_expand
+
+void
+hkdf_extract(void *mac_ctx,
+ nettle_hash_update_func *update,
+ nettle_hash_digest_func *digest,
+ size_t digest_size,
+ size_t secret_size, const uint8_t *secret,
+ uint8_t *dst);
+
+void
+hkdf_expand(void *mac_ctx,
+ nettle_hash_update_func *update,
+ nettle_hash_digest_func *digest,
+ size_t digest_size,
+ size_t info_size, const uint8_t *info,
+ size_t length, uint8_t *dst);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_HKDF_H_INCLUDED */
diff --git a/nettle.texinfo b/nettle.texinfo
index 1d7e4e3e7f6b0ada7f2af6d8add63f2c2ed1aa51..6eada3db11bafdd9954b6eaf298c6e4a1d01d615 100644
--- a/nettle.texinfo
+++ b/nettle.texinfo
@@ -3366,12 +3366,7 @@ processing a new message.
@node Key derivation functions, Public-key algorithms, Keyed hash functions, Reference
@comment node-name, next, previous, up
@section Key derivation Functions
-
@cindex Key Derivation Function
-@cindex Password Based Key Derivation Function
-@cindex PKCS #5
-@cindex KDF
-@cindex PBKDF
A @dfn{key derivation function} (@acronym{KDF}) is a function that from
a given symmetric key derives other symmetric keys. A sub-class of KDFs
@@ -3380,7 +3375,51 @@ which take as input a password or passphrase, and its purpose is
typically to strengthen it and protect against certain pre-computation
attacks by using salting and expensive computation.
+@subsection HKDF: HMAC-based Extract-and-Expand
+@cindex HKDF
+
+HKDF is a key derivation function used as a building block of
+higher-level protocols like TLS 1.3. It is a derivation function
+based on HMAC described in @cite{RFC 5869},
+and is split into two logical modules, called 'extract' and 'expand'.
+The extract module takes an initial secret and a random
+salt to "extract" a fixed-length pseudorandom key (PRK). The second stage
+takes as input the previous PRK and some informational data (e.g.,
+text) and expands them into multiple keys.
+
+Nettle's @acronym{HKDF} functions are defined in
+@file{<nettle/hkdf.h>}. There are two abstract functions for the extract
+and expand operations that operate on any HMAC implemented via the @code{nettle_hash_update_func},
+and @code{nettle_hash_digest_func} interfaces.
+
+@deftypefun void hkdf_extract (void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size,size_t secret_size, const uint8_t *secret, uint8_t *dst)
+Extract a Pseudorandom Key (PRK) from a secret and a salt according
+to HKDF. The HMAC must have been initialized, with its key being the
+salt for the Extract operation. This function will call the
+@var{update} and @var{digest} functions passing the @var{mac_ctx}
+context parameter as an argument in order to compute digest of size
+@var{digest_size}. Inputs are the secret @var{secret} of length
+@var{secret_length}. The output length is fixed to @var{digest_size} octets,
+thus the output buffer @var{dst} must have room for at least @var{digest_size} octets.
+@end deftypefun
+
+@deftypefun void hkdf_expand (void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size, size_t info_size, const uint8_t *info, size_t length, uint8_t *dst)
+Expand a Pseudorandom Key (PRK) to an arbitrary size according to HKDF.
+The HMAC must have been initialized, with its key being the
+PRK from the Extract operation. This function will call the
+@var{update} and @var{digest} functions passing the @var{mac_ctx}
+context parameter as an argument in order to compute digest of size
+@var{digest_size}. Inputs are the info @var{info} of length
+@var{info_length}, and the desired derived output length @var{length}.
+The output buffer is @var{dst} which must have room for at least @var{length} octets.
+@end deftypefun
+
+
@subsection @acronym{PBKDF2}
+@cindex Password Based Key Derivation Function
+@cindex PKCS #5
+@cindex KDF
+@cindex PBKDF
The most well known PBKDF is the @code{PKCS #5 PBKDF2} described in
@cite{RFC 2898} which uses a pseudo-random function such as
@acronym{HMAC-SHA1}.
diff --git a/testsuite/.test-rules.make b/testsuite/.test-rules.make
index 1b9c3faea279704b71524a1e5070e8966e3c54d2..a9732694a5f0542c47215d67f4e547b09e9263e5 100644
--- a/testsuite/.test-rules.make
+++ b/testsuite/.test-rules.make
@@ -58,6 +58,9 @@ gosthash94-test$(EXEEXT): gosthash94-test.$(OBJEXT)
ripemd160-test$(EXEEXT): ripemd160-test.$(OBJEXT)
$(LINK) ripemd160-test.$(OBJEXT) $(TEST_OBJS) -o ripemd160-test$(EXEEXT)
+hkdf-test$(EXEEXT): hkdf-test.$(OBJEXT)
+ $(LINK) hkdf-test.$(OBJEXT) $(TEST_OBJS) -o hkdf-test$(EXEEXT)
+
salsa20-test$(EXEEXT): salsa20-test.$(OBJEXT)
$(LINK) salsa20-test.$(OBJEXT) $(TEST_OBJS) -o salsa20-test$(EXEEXT)
diff --git a/testsuite/Makefile.in b/testsuite/Makefile.in
index c1ac7d241f7fa92c75f28776b5b1dedbcff8da5b..6276043060f39091ce73e698dcd2a35f420aeb63 100644
--- a/testsuite/Makefile.in
+++ b/testsuite/Makefile.in
@@ -17,7 +17,7 @@ TS_NETTLE_SOURCES = aes-test.c arcfour-test.c arctwo-test.c \
des-test.c des3-test.c des-compat-test.c \
md2-test.c md4-test.c md5-test.c md5-compat-test.c \
memeql-test.c memxor-test.c gosthash94-test.c \
- ripemd160-test.c \
+ ripemd160-test.c hkdf-test.c \
salsa20-test.c \
sha1-test.c sha224-test.c sha256-test.c \
sha384-test.c sha512-test.c sha512-224-test.c sha512-256-test.c \
diff --git a/testsuite/hkdf-test.c b/testsuite/hkdf-test.c
new file mode 100644
index 0000000000000000000000000000000000000000..80f4c8132676b883f8adc421c8e5a223f0962b25
--- /dev/null
+++ b/testsuite/hkdf-test.c
@@ -0,0 +1,143 @@
+#include "testutils.h"
+#include "hkdf.h"
+#include "hmac.h"
+
+static void
+test_hkdf_sha256(const struct tstring *ikm,
+ const struct tstring *salt,
+ const struct tstring *info,
+ const struct tstring *extract_output,
+ const struct tstring *expand_output)
+{
+ struct hmac_sha256_ctx ctx;
+ uint8_t prk[SHA256_DIGEST_SIZE];
+ uint8_t *buffer = xalloc(expand_output->length);
+
+ hmac_sha256_set_key(&ctx, salt->length, salt->data);
+ hkdf_extract(&ctx,
+ (nettle_hash_update_func*) hmac_sha256_update,
+ (nettle_hash_digest_func*) hmac_sha256_digest,
+ SHA256_DIGEST_SIZE,
+ ikm->length, ikm->data, prk);
+
+ if (MEMEQ(SHA256_DIGEST_SIZE, prk, extract_output->data) == 0)
+ {
+ fprintf(stdout, "\nGot:\n");
+ print_hex(SHA256_DIGEST_SIZE, prk);
+ fprintf(stdout, "\nExpected:\n");
+ print_hex(extract_output->length, extract_output->data);
+ abort();
+ }
+
+ hmac_sha256_set_key(&ctx, SHA256_DIGEST_SIZE, prk);
+ hkdf_expand(&ctx,
+ (nettle_hash_update_func*) hmac_sha256_update,
+ (nettle_hash_digest_func*) hmac_sha256_digest,
+ SHA256_DIGEST_SIZE,
+ info->length, info->data,
+ expand_output->length, buffer);
+
+ if (MEMEQ(expand_output->length, expand_output->data, buffer) == 0)
+ {
+ fprintf(stdout, "\nGot:\n");
+ print_hex(expand_output->length, buffer);
+ fprintf(stdout, "\nExpected:\n");
+ print_hex(expand_output->length, expand_output->data);
+ abort();
+ }
+ free(buffer);
+}
+
+static void
+test_hkdf_sha1(const struct tstring *ikm,
+ const struct tstring *salt,
+ const struct tstring *info,
+ const struct tstring *extract_output,
+ const struct tstring *expand_output)
+{
+ struct hmac_sha1_ctx ctx;
+ uint8_t prk[SHA1_DIGEST_SIZE];
+ uint8_t *buffer = xalloc(expand_output->length);
+
+ hmac_sha1_set_key(&ctx, salt->length, salt->data);
+ hkdf_extract(&ctx,
+ (nettle_hash_update_func*) hmac_sha1_update,
+ (nettle_hash_digest_func*) hmac_sha1_digest,
+ SHA1_DIGEST_SIZE,
+ ikm->length, ikm->data,
+ prk);
+
+ if (MEMEQ(SHA1_DIGEST_SIZE, prk, extract_output->data) == 0)
+ {
+ fprintf(stdout, "\nGot:\n");
+ print_hex(SHA1_DIGEST_SIZE, prk);
+ fprintf(stdout, "\nExpected:\n");
+ print_hex(extract_output->length, extract_output->data);
+ abort();
+ }
+
+ hmac_sha1_set_key(&ctx, SHA1_DIGEST_SIZE, prk);
+ hkdf_expand(&ctx,
+ (nettle_hash_update_func*) hmac_sha1_update,
+ (nettle_hash_digest_func*) hmac_sha1_digest,
+ SHA1_DIGEST_SIZE,
+ info->length, info->data,
+ expand_output->length, buffer);
+
+ if (MEMEQ(expand_output->length, expand_output->data, buffer) == 0)
+ {
+ fprintf(stdout, "\nGot:\n");
+ print_hex(expand_output->length, buffer);
+ fprintf(stdout, "\nExpected:\n");
+ print_hex(expand_output->length, expand_output->data);
+ abort();
+ }
+ free(buffer);
+}
+
+void
+test_main(void)
+{
+ /* HKDF test vectors from RFC5869 */
+ test_hkdf_sha256(SHEX("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b"),
+ SHEX("000102030405060708090a0b0c"),
+ SHEX("f0f1f2f3f4f5f6f7f8f9"),
+ SHEX("077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"),
+ SHEX("3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865"));
+
+ test_hkdf_sha256(SHEX("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f"),
+ SHEX("606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf"),
+ SHEX("b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff"),
+ SHEX("06a6b88c5853361a06104c9ceb35b45cef760014904671014a193f40c15fc244"),
+ SHEX("b11e398dc80327a1c8e7f78c596a49344f012eda2d4efad8a050cc4c19afa97c59045a99cac7827271cb41c65e590e09da3275600c2f09b8367793a9aca3db71cc30c58179ec3e87c14c01d5c1f3434f1d87"));
+
+ test_hkdf_sha256(SHEX("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b"),
+ SDATA(""),
+ SDATA(""),
+ SHEX("19ef24a32c717b167f33a91d6f648bdf96596776afdb6377ac434c1c293ccb04"),
+ SHEX("8da4e775a563c18f715f802a063c5a31b8a11f5c5ee1879ec3454e5f3c738d2d9d201395faa4b61a96c8"));
+
+ test_hkdf_sha1(SHEX("0b0b0b0b0b0b0b0b0b0b0b"),
+ SHEX("000102030405060708090a0b0c"),
+ SHEX("f0f1f2f3f4f5f6f7f8f9"),
+ SHEX("9b6c18c432a7bf8f0e71c8eb88f4b30baa2ba243"),
+ SHEX("085a01ea1b10f36933068b56efa5ad81a4f14b822f5b091568a9cdd4f155fda2c22e422478d305f3f896"));
+
+ test_hkdf_sha1(SHEX("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f"),
+ SHEX("606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf"),
+ SHEX("b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff"),
+ SHEX("8adae09a2a307059478d309b26c4115a224cfaf6"),
+ SHEX("0bd770a74d1160f7c9f12cd5912a06ebff6adcae899d92191fe4305673ba2ffe8fa3f1a4e5ad79f3f334b3b202b2173c486ea37ce3d397ed034c7f9dfeb15c5e927336d0441f4c4300e2cff0d0900b52d3b4"));
+
+ test_hkdf_sha1(SHEX("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b"),
+ SDATA(""),
+ SDATA(""),
+ SHEX("da8c8a73c7fa77288ec6f5e7c297786aa0d32d01"),
+ SHEX("0ac1af7002b3d761d1e55298da9d0506b9ae52057220a306e07b6b87e8df21d0ea00033de03984d34918"));
+
+ test_hkdf_sha1(SHEX("0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c"),
+ SHEX(""),
+ SHEX(""),
+ SHEX("2adccada18779e7c2077ad2eb19d3f3e731385dd"),
+ SHEX("2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48"));
+}