Add CKDF implementation.

Test: make ckdf_test.run Change-Id: Ia436694cc90fc9a8407525bd2b995c7cf37047c5
author: Shawn Willden <swillden@google.com> 2018-01-02 06:27:49 -0700
committer: Shawn Willden <swillden@google.com> 2018-01-04 21:06:36 -0700
commit: bdef0e6086b742d7a520741c4431a3e958206e51 (patch)
tree: 49fe54bc4c6b4ce35d3edfc1aab8901fe35fcd39 /km_openssl
parent: 4d4e832752e5d3ae2a67b40dd4ebe7828c1d419b (diff)
download: android_system_keymaster-bdef0e6086b742d7a520741c4431a3e958206e51.tar.gz
android_system_keymaster-bdef0e6086b742d7a520741c4431a3e958206e51.tar.bz2
android_system_keymaster-bdef0e6086b742d7a520741c4431a3e958206e51.zip
1 files changed, 124 insertions, 0 deletions
diff --git a/km_openssl/ckdf.cpp b/km_openssl/ckdf.cpp
new file mode 100644
index 0000000..eaf636a
--- /dev/null
+++ b/km_openssl/ckdf.cpp
@@ -0,0 +1,124 @@
+/*
+ * Copyright 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <keymaster/km_openssl/ckdf.h>
+
+#include <assert.h>
+
+#include <openssl/aes.h>
+#include <openssl/cmac.h>
+
+#include <keymaster/km_openssl/openssl_err.h>
+#include <keymaster/km_openssl/openssl_utils.h>
+#include <keymaster/serializable.h>
+
+namespace keymaster {
+
+inline uint32_t div_round_up(uint32_t dividend, uint32_t divisor) {
+    return (dividend + divisor - 1) / divisor;
+}
+
+size_t min(size_t a, size_t b) {
+    return a < b ? a : b;
+}
+
+DEFINE_OPENSSL_OBJECT_POINTER(CMAC_CTX)
+
+keymaster_error_t ckdf(const KeymasterKeyBlob& key, const KeymasterBlob& label,
+                       const keymaster_blob_t* context_chunks, size_t num_chunks,
+                       KeymasterKeyBlob* output) {
+    // Note: the variables i and L correspond to i and L in the standard.  See page 12 of
+    // http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-108.pdf.
+
+    const uint32_t blocks = div_round_up(output->key_material_size, AES_BLOCK_SIZE);
+    const uint32_t L = output->key_material_size * 8;  // bits
+    const uint32_t net_order_L = hton(L);
+
+    CMAC_CTX_Ptr ctx(CMAC_CTX_new());
+    if (!ctx.get()) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
+
+    auto algo = EVP_aes_128_cbc();
+    switch (key.key_material_size) {
+    case AES_BLOCK_SIZE:
+        /* Already set */
+        break;
+    case AES_BLOCK_SIZE * 2:
+        algo = EVP_aes_256_cbc();
+        break;
+    default:
+        return KM_ERROR_UNSUPPORTED_KEY_SIZE;
+    }
+
+    if (!CMAC_Init(ctx.get(), key.key_material, key.key_material_size, algo,
+                   nullptr /* engine */)) {
+        return TranslateLastOpenSslError();
+    }
+
+    auto output_pos = const_cast<uint8_t*>(output->begin());
+    memset(output_pos, 0, output->key_material_size);
+    for (uint32_t i = 1; i <= blocks; ++i) {
+        // Data to mac is i || label || 0x00 || context || L, with i and L represented in 32 bits,
+        // in network order.
+
+        // i
+        uint32_t net_order_i = hton(i);
+        if (!CMAC_Update(ctx.get(), reinterpret_cast<uint8_t*>(&net_order_i),
+                         sizeof(net_order_i))) {
+            return TranslateLastOpenSslError();
+        }
+
+        // label
+        if (!CMAC_Update(ctx.get(), label.data, label.data_length)) {
+            return TranslateLastOpenSslError();
+        }
+
+        // 0x00
+        uint8_t zero = 0;
+        if (!CMAC_Update(ctx.get(), &zero, sizeof(zero))) return TranslateLastOpenSslError();
+
+        // context
+        for (size_t chunk = 0; chunk < num_chunks; ++chunk) {
+            if (!CMAC_Update(ctx.get(), context_chunks[chunk].data,
+                             context_chunks[chunk].data_length)) {
+                return TranslateLastOpenSslError();
+            }
+        }
+
+        // L
+        uint8_t buf[4];
+        memcpy(buf, &net_order_L, 4);
+        if (!CMAC_Update(ctx.get(), buf, sizeof(buf))) TranslateLastOpenSslError();
+
+        size_t out_len;
+        if (output_pos <= output->end() - AES_BLOCK_SIZE) {
+            if (!CMAC_Final(ctx.get(), output_pos, &out_len)) return TranslateLastOpenSslError();
+            output_pos += out_len;
+        } else {
+            uint8_t cmac[AES_BLOCK_SIZE];
+            if (!CMAC_Final(ctx.get(), cmac, &out_len)) return TranslateLastOpenSslError();
+            size_t to_copy = output->end() - output_pos;
+            memcpy(output_pos, cmac, to_copy);
+            output_pos += to_copy;
+        }
+
+        CMAC_Reset(ctx.get());
+    }
+    assert(output_pos == output->end());
+
+    return KM_ERROR_OK;
+}
+
+}  // namespace keymaster
author	Shawn Willden <swillden@google.com>	2018-01-02 06:27:49 -0700
committer	Shawn Willden <swillden@google.com>	2018-01-04 21:06:36 -0700
commit	bdef0e6086b742d7a520741c4431a3e958206e51 (patch)
tree	49fe54bc4c6b4ce35d3edfc1aab8901fe35fcd39 /km_openssl
parent	4d4e832752e5d3ae2a67b40dd4ebe7828c1d419b (diff)
download	android_system_keymaster-bdef0e6086b742d7a520741c4431a3e958206e51.tar.gz android_system_keymaster-bdef0e6086b742d7a520741c4431a3e958206e51.tar.bz2 android_system_keymaster-bdef0e6086b742d7a520741c4431a3e958206e51.zip