Add CKDF implementation.

Test: make ckdf_test.run
Change-Id: Ia436694cc90fc9a8407525bd2b995c7cf37047c5

4 files changed, 286 insertions, 3 deletions

diff --git a/Makefile b/Makefile
index 3ffed52..24ce3f6 100644
--- a/Makefile
+++ b/Makefile
@@ -42,8 +42,8 @@ ifdef USE_GCC
 CXXFLAGS +=-std=c++14 -fprofile-arcs -ftest-coverage
 CFLAGS += -fprofile-arcs -ftest-coverage
 else
-CC=$(BASE)/prebuilts/clang/host/linux-x86/clang-stable/bin/clang
-CXX=$(BASE)/prebuilts/clang/host/linux-x86/clang-stable/bin/clang++
+CC=$(BASE)/prebuilts/clang/host/linux-x86/clang-4053586/bin/clang
+CXX=$(BASE)/prebuilts/clang/host/linux-x86/clang-4053586/bin/clang++
 CXXFLAGS +=-std=c++14 -DKEYMASTER_CLANG_TEST_BUILD
 CFLAGS += -DKEYMASTER_CLANG_TEST_BUILD
 endif
@@ -85,6 +85,8 @@ CPPSRCS=\
 	km_openssl/ecies_kem.cpp \
 	tests/ecies_kem_test.cpp \
 	tests/gtest_main.cpp \
+	km_openssl/ckdf.cpp \
+	tests/hkdf_test.cpp \
 	km_openssl/hkdf.cpp \
 	tests/hkdf_test.cpp \
 	km_openssl/hmac.cpp \
@@ -141,6 +143,7 @@ BINARIES = \
 	tests/attestation_record_test \
 	tests/authorization_set_test \
 	tests/ecies_kem_test \
+	tests/ckdf_test \
 	tests/hkdf_test \
 	tests/hmac_test \
 	tests/kdf1_test \
@@ -215,6 +218,17 @@ tests/hmac_test: tests/hmac_test.o \
 	android_keymaster/serializable.o \
 	$(GTEST_OBJS)
 
+tests/ckdf_test: tests/ckdf_test.o \
+	tests/android_keymaster_test_utils.o \
+	android_keymaster/android_keymaster_utils.o \
+	android_keymaster/authorization_set.o \
+	android_keymaster/keymaster_tags.o \
+	android_keymaster/logger.o \
+	android_keymaster/serializable.o \
+	km_openssl/ckdf.o \
+	km_openssl/openssl_err.o \
+	$(GTEST_OBJS)
+
 tests/hkdf_test: tests/hkdf_test.o \
 	tests/android_keymaster_test_utils.o \
 	android_keymaster/android_keymaster_utils.o \
@@ -362,7 +376,6 @@ tests/android_keymaster_test: tests/android_keymaster_test.o \
 	contexts/soft_attestation_cert.o \
 	km_openssl/attestation_utils.o \
 	key_blob_utils/software_keyblobs.o \
-	$(BASE)/system/security/softkeymaster/keymaster_openssl.o \
 	$(BASE)/system/security/keystore/keyblob_utils.o \
 	$(GTEST_OBJS)
 
diff --git a/include/keymaster/km_openssl/ckdf.h b/include/keymaster/km_openssl/ckdf.h
new file mode 100644
index 0000000..7585929
--- /dev/null
+++ b/include/keymaster/km_openssl/ckdf.h
@@ -0,0 +1,43 @@
+/*
+ * Copyright 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef SYSTEM_KEYMASTER_CKDF_H_
+#define SYSTEM_KEYMASTER_CKDF_H_
+
+#include <keymaster/android_keymaster_utils.h>
+
+namespace keymaster {
+
+/**
+ * Implementation of CKDF, aka AES-CMAC KDF, from NIST SP 800-108.  Uses 32-bit i and L, and
+ * prefixes with i.  This version takes the context in an array of keymaster_blob_ts.
+ */
+keymaster_error_t ckdf(const KeymasterKeyBlob& key, const KeymasterBlob& label,
+                       const keymaster_blob_t* context_chunks, size_t num_chunks,
+                       KeymasterKeyBlob* output);
+
+/**
+ * Implementation of CKDF, aka AES-CMAC KDF, from NIST SP 800-108.  Uses 32-bit i and L, and
+ * prefixes with i.  This version takes the context as a single keymaster_blob_t&.
+ */
+inline keymaster_error_t ckdf(const KeymasterKeyBlob& key, const KeymasterBlob& label,
+                              const keymaster_blob_t& context_chunks, KeymasterKeyBlob* output) {
+    return ckdf(key, label, &context_chunks, 1 /* num_chunks */, output);
+}
+
+}  // namespace keymaster
+
+#endif  // SYSTEM_KEYMASTER_KDF_H_
diff --git a/km_openssl/ckdf.cpp b/km_openssl/ckdf.cpp
new file mode 100644
index 0000000..eaf636a
--- /dev/null
+++ b/km_openssl/ckdf.cpp
@@ -0,0 +1,124 @@
+/*
+ * Copyright 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <keymaster/km_openssl/ckdf.h>
+
+#include <assert.h>
+
+#include <openssl/aes.h>
+#include <openssl/cmac.h>
+
+#include <keymaster/km_openssl/openssl_err.h>
+#include <keymaster/km_openssl/openssl_utils.h>
+#include <keymaster/serializable.h>
+
+namespace keymaster {
+
+inline uint32_t div_round_up(uint32_t dividend, uint32_t divisor) {
+    return (dividend + divisor - 1) / divisor;
+}
+
+size_t min(size_t a, size_t b) {
+    return a < b ? a : b;
+}
+
+DEFINE_OPENSSL_OBJECT_POINTER(CMAC_CTX)
+
+keymaster_error_t ckdf(const KeymasterKeyBlob& key, const KeymasterBlob& label,
+                       const keymaster_blob_t* context_chunks, size_t num_chunks,
+                       KeymasterKeyBlob* output) {
+    // Note: the variables i and L correspond to i and L in the standard.  See page 12 of
+    // http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-108.pdf.
+
+    const uint32_t blocks = div_round_up(output->key_material_size, AES_BLOCK_SIZE);
+    const uint32_t L = output->key_material_size * 8;  // bits
+    const uint32_t net_order_L = hton(L);
+
+    CMAC_CTX_Ptr ctx(CMAC_CTX_new());
+    if (!ctx.get()) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
+
+    auto algo = EVP_aes_128_cbc();
+    switch (key.key_material_size) {
+    case AES_BLOCK_SIZE:
+        /* Already set */
+        break;
+    case AES_BLOCK_SIZE * 2:
+        algo = EVP_aes_256_cbc();
+        break;
+    default:
+        return KM_ERROR_UNSUPPORTED_KEY_SIZE;
+    }
+
+    if (!CMAC_Init(ctx.get(), key.key_material, key.key_material_size, algo,
+                   nullptr /* engine */)) {
+        return TranslateLastOpenSslError();
+    }
+
+    auto output_pos = const_cast<uint8_t*>(output->begin());
+    memset(output_pos, 0, output->key_material_size);
+    for (uint32_t i = 1; i <= blocks; ++i) {
+        // Data to mac is i || label || 0x00 || context || L, with i and L represented in 32 bits,
+        // in network order.
+
+        // i
+        uint32_t net_order_i = hton(i);
+        if (!CMAC_Update(ctx.get(), reinterpret_cast<uint8_t*>(&net_order_i),
+                         sizeof(net_order_i))) {
+            return TranslateLastOpenSslError();
+        }
+
+        // label
+        if (!CMAC_Update(ctx.get(), label.data, label.data_length)) {
+            return TranslateLastOpenSslError();
+        }
+
+        // 0x00
+        uint8_t zero = 0;
+        if (!CMAC_Update(ctx.get(), &zero, sizeof(zero))) return TranslateLastOpenSslError();
+
+        // context
+        for (size_t chunk = 0; chunk < num_chunks; ++chunk) {
+            if (!CMAC_Update(ctx.get(), context_chunks[chunk].data,
+                             context_chunks[chunk].data_length)) {
+                return TranslateLastOpenSslError();
+            }
+        }
+
+        // L
+        uint8_t buf[4];
+        memcpy(buf, &net_order_L, 4);
+        if (!CMAC_Update(ctx.get(), buf, sizeof(buf))) TranslateLastOpenSslError();
+
+        size_t out_len;
+        if (output_pos <= output->end() - AES_BLOCK_SIZE) {
+            if (!CMAC_Final(ctx.get(), output_pos, &out_len)) return TranslateLastOpenSslError();
+            output_pos += out_len;
+        } else {
+            uint8_t cmac[AES_BLOCK_SIZE];
+            if (!CMAC_Final(ctx.get(), cmac, &out_len)) return TranslateLastOpenSslError();
+            size_t to_copy = output->end() - output_pos;
+            memcpy(output_pos, cmac, to_copy);
+            output_pos += to_copy;
+        }
+
+        CMAC_Reset(ctx.get());
+    }
+    assert(output_pos == output->end());
+
+    return KM_ERROR_OK;
+}
+
+}  // namespace keymaster
diff --git a/tests/ckdf_test.cpp b/tests/ckdf_test.cpp
new file mode 100644
index 0000000..118a320
--- /dev/null
+++ b/tests/ckdf_test.cpp
@@ -0,0 +1,103 @@
+/*
+ * Copyright 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <keymaster/km_openssl/ckdf.h>
+
+#include <gtest/gtest.h>
+#include <string.h>
+
+#include "android_keymaster_test_utils.h"
+
+using std::string;
+
+namespace keymaster {
+namespace test {
+
+struct CkdfTest {
+    const char* key;
+    const char* label;
+    const char* context;
+    const char* output;
+};
+
+static const CkdfTest kCkdfTests[] = {{"80583f389dd797a3d18abd7b9399da02"
+                                       "6fecb1eade7bc2f0ef091ad39e613c35",
+                                       "c16e6e02c5a3dcc8d78b9ac1306877761310455b4e41469951d9e6",
+                                       "c2245a064b33fd8c3b01203a7824485bf0a64060c4648b707d260793",
+                                       "5d42a1941670917d746c7278e75f4879"
+                                       "750469dcb59c129e42edb7a3273f38d4"
+                                       "ea6fbcba9f422f735fc2db23603c63e5"
+                                       "86ff39cc048f4bc18690e478dd1108fa"
+                                       "fc635b29acb6b29784fdf8184296fa7f"
+                                       "772b62cdd1a8bd1a2d073830fac0409b"
+                                       "45acedf53a70676de96d7cb7e337cec4"
+                                       "08d5e3d626ac6c775baf71368b1d5851"
+                                       "47585f06b305ad5f547cb40644d2e048"
+                                       "7a9ded9778ddbfac15a6a7aee399fc7d"
+                                       "92610b028c624fd68cb573b830d842c2"
+                                       "ceb34da13efd50db13165a4f19d38cea"
+                                       "3293a073ba2d1bb31642297764b0fc17"
+                                       "e941ba73d703ba77455f30f9293a41fe"
+                                       "2915358c99f95a55075811d57ddff3d3"
+                                       "67d0a59e5b2f4e1c697b1e9955aa972c"
+                                       "f43d5b81c242a2b8eda917b25dc689be"
+                                       "f514b39979b7181eb5db62eb39cd0c3a"
+                                       "3dcb8013b19bdb262a890fce3360a351"
+                                       "cb3ddf76c13606177479b6e1345a2705"
+                                       "eaf97715af161b17b715ab6ef006e697"
+                                       "a1a779ea879a10c258069c4d9522d411"
+                                       "70aa69132d6e5cecb7ada5d16973d77f"
+                                       "3d7cc647175604d7151480473e61e73f"
+                                       "36227324058f38f578198a19e083db2b"
+                                       "8454ee2a00b527a99e3ec9addbfbd3a6"
+                                       "8c51cab16a720b7f47fe6fbfb4ca541c"
+                                       "2ec4683588ce2106fc907d987620ee48"
+                                       "aa506b8a246a18e2fa156d66b5add15c"
+                                       "2305615bb1c7c76d95aa679545eac38b"
+                                       "806cd02e5ef89897e278a536c25553f4"
+                                       "05d12474"}};
+
+template <class Blob> Blob hex2span(const char* hex) {
+    string bytes = hex2str(hex);
+    Blob retval(reinterpret_cast<const uint8_t*>(bytes.data()), bytes.size());
+    return std::move(retval);
+}
+
+KeymasterKeyBlob hex2key(const char* hex) {
+    return hex2span<KeymasterKeyBlob>(hex);
+}
+
+KeymasterBlob hex2blob(const char* hex) {
+    return hex2span<KeymasterBlob>(hex);
+}
+
+TEST(CkdfTest, Ckdf) {
+    for (auto& test : kCkdfTests) {
+        auto key = hex2key(test.key);
+        auto label = hex2blob(test.label);
+        auto context = hex2blob(test.context);
+        auto expected = hex2blob(test.output);
+
+        KeymasterKeyBlob output;
+        output.Reset(expected.data_length);
+
+        ASSERT_EQ(KM_ERROR_OK, ckdf(key, label, context, &output));
+        EXPECT_TRUE(std::equal(output.begin(), output.end(), expected.begin()));
+    }
+}
+
+}  // namespace test
+}  // namespace keymaster