master
1const std = @import("../std.zig");
2const assert = std.debug.assert;
3const hmac = std.crypto.auth.hmac;
4const mem = std.mem;
5
6/// HKDF-SHA256
7pub const HkdfSha256 = Hkdf(hmac.sha2.HmacSha256);
8
9/// HKDF-SHA512
10pub const HkdfSha512 = Hkdf(hmac.sha2.HmacSha512);
11
12/// The Hkdf construction takes some source of initial keying material and
13/// derives one or more uniform keys from it.
14pub fn Hkdf(comptime Hmac: type) type {
15 return struct {
16 /// Length of a master key, in bytes.
17 pub const prk_length = Hmac.mac_length;
18
19 /// Return a master key from a salt and initial keying material.
20 pub fn extract(salt: []const u8, ikm: []const u8) [prk_length]u8 {
21 var prk: [prk_length]u8 = undefined;
22 Hmac.create(&prk, ikm, salt);
23 return prk;
24 }
25
26 /// Initialize the creation of a master key from a salt
27 /// and keying material that can be added later, possibly in chunks.
28 /// Example:
29 /// ```
30 /// var prk: [hkdf.prk_length]u8 = undefined;
31 /// var hkdf = HkdfSha256.extractInit(salt);
32 /// hkdf.update(ikm1);
33 /// hkdf.update(ikm2);
34 /// hkdf.final(&prk);
35 /// ```
36 pub fn extractInit(salt: []const u8) Hmac {
37 return Hmac.init(salt);
38 }
39
40 /// Derive a subkey from a master key `prk` and a subkey description `ctx`.
41 pub fn expand(out: []u8, ctx: []const u8, prk: [prk_length]u8) void {
42 assert(out.len <= prk_length * 255); // output size is too large for the Hkdf construction
43 var i: usize = 0;
44 var counter = [1]u8{1};
45 while (i + prk_length <= out.len) : (i += prk_length) {
46 var st = Hmac.init(&prk);
47 if (i != 0) {
48 st.update(out[i - prk_length ..][0..prk_length]);
49 }
50 st.update(ctx);
51 st.update(&counter);
52 st.final(out[i..][0..prk_length]);
53 counter[0] +%= 1;
54 assert(counter[0] != 1);
55 }
56 const left = out.len % prk_length;
57 if (left > 0) {
58 var st = Hmac.init(&prk);
59 if (i != 0) {
60 st.update(out[i - prk_length ..][0..prk_length]);
61 }
62 st.update(ctx);
63 st.update(&counter);
64 var tmp: [prk_length]u8 = undefined;
65 st.final(tmp[0..prk_length]);
66 @memcpy(out[i..][0..left], tmp[0..left]);
67 }
68 }
69 };
70}
71
72const htest = @import("test.zig");
73
74test "Hkdf" {
75 const ikm = [_]u8{0x0b} ** 22;
76 const salt = [_]u8{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c };
77 const context = [_]u8{ 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9 };
78 const kdf = HkdfSha256;
79 const prk = kdf.extract(&salt, &ikm);
80 try htest.assertEqual("077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5", &prk);
81 var out: [42]u8 = undefined;
82 kdf.expand(&out, &context, prk);
83 try htest.assertEqual("3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865", &out);
84
85 var hkdf = kdf.extractInit(&salt);
86 hkdf.update(&ikm);
87 var prk2: [kdf.prk_length]u8 = undefined;
88 hkdf.final(&prk2);
89 try htest.assertEqual("077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5", &prk2);
90}
91
92test "Hkdf Sha3-512" {
93 const sha3_512 = std.crypto.hash.sha3.Sha3_512;
94 const hmac_sha3_512 = hmac.Hmac(sha3_512);
95 const hkdf = Hkdf(hmac_sha3_512);
96 const prk = hkdf.extract("", "");
97 var out = [1]u8{0};
98 hkdf.expand(out[0..], "", prk);
99}