HKDF (does not work yet)

author: Nils Durner <durner@gnunet.org> 2010-06-29 15:58:34 +0000
committer: Nils Durner <durner@gnunet.org> 2010-06-29 15:58:34 +0000
commit: 0bd8cc55c82bedce06f65f52ea446f82427d2c0d (patch)
tree: 0b077ae3d52819ad5be412b94f678b71a4e5dcb9
parent: 4b6526cb3b6b9f323b3f9f4020db2f493d286939 (diff)
download: gnunet-0bd8cc55c82bedce06f65f52ea446f82427d2c0d.tar.gz
gnunet-0bd8cc55c82bedce06f65f52ea446f82427d2c0d.zip
4 files changed, 423 insertions, 0 deletions
diff --git a/src/include/gnunet_crypto_lib.h b/src/include/gnunet_crypto_lib.h
index d31dfcfa6..479e0e42d 100644
--- a/src/include/gnunet_crypto_lib.h
+++ b/src/include/gnunet_crypto_lib.h
@@ -512,6 +512,27 @@ int GNUNET_CRYPTO_hash_xorcmp (const GNUNET_HashCode * h1,
 /**
+ * @brief Derive key
+ * @param xtr_algo hash algorithm for the extraction phase, GCRY_MD_...
+ * @param prf_algo hash algorithm for the expansion phase, GCRY_MD_...
+ * @param xts salt
+ * @param xts_len length of xts
+ * @param skm source key material
+ * @param skm_len length of skm
+ * @param ctx context info
+ * @param ctx_len length of ctx
+ * @param out_len desired length of the derived key
+ * @param result buffer for the derived key, allocated by caller
+ * @return GNUNET_YES on success
+ */
+int
+GNUNET_CRYPTO_hkdf (int xtr_algo, int prf_algo, const void *xts,
+    const size_t xts_len, const void *skm, const size_t skm_len,
+    const void *ctx, const size_t ctx_len, const unsigned long long out_len,
+    void *result);
+/**
 * Create a new private key. Caller must free return value.
 *
 * @return fresh private key
diff --git a/src/util/Makefile.am b/src/util/Makefile.am
index 9cc402fc5..0b878c673 100644
--- a/src/util/Makefile.am
+++ b/src/util/Makefile.am
@@ -40,6 +40,7 @@ libgnunetutil_la_SOURCES = \
  crypto_aes.c \
  crypto_crc.c \
  crypto_hash.c \
+  crypto_hkdf.c \
  crypto_ksk.c \
  crypto_random.c \
  crypto_rsa.c \
@@ -112,6 +113,7 @@ check_PROGRAMS = \
 test_crypto_aes_weak \
 test_crypto_crc \
 test_crypto_hash \
+# test_crypto_hkdf \
 test_crypto_ksk \
 test_crypto_random \
 test_crypto_rsa \
@@ -227,6 +229,11 @@ test_crypto_hash_SOURCES = \
 test_crypto_hash_LDADD = \
 $(top_builddir)/src/util/libgnunetutil.la  
+test_crypto_hkdf_SOURCES = \
+ test_crypto_hkdf.c
+test_crypto_hkdf_LDADD = \
+ $(top_builddir)/src/util/libgnunetutil.la  
 test_crypto_ksk_SOURCES = \
 test_crypto_ksk.c
 test_crypto_ksk_LDADD = \
diff --git a/src/util/crypto_hkdf.c b/src/util/crypto_hkdf.c
new file mode 100644
index 000000000..efde3b868
--- /dev/null
+++ b/src/util/crypto_hkdf.c
@@ -0,0 +1,192 @@
+/*
+    Copyright (c) 2010 Nils Durner
+    Permission is hereby granted, free of charge, to any person obtaining a copy
+    of this software and associated documentation files (the "Software"), to deal
+    in the Software without restriction, including without limitation the rights
+    to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+    copies of the Software, and to permit persons to whom the Software is
+    furnished to do so, subject to the following conditions:
+    The above copyright notice and this permission notice shall be included in
+    all copies or substantial portions of the Software.
+    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+    IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+    AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+    OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+    THE SOFTWARE.
+*/
+/**
+ * @file src/util/crypto_hkdf.c
+ * @brief Hash-based KDF as defined in draft-krawczyk-hkdf-01
+ * @see http://tools.ietf.org/html/draft-krawczyk-hkdf-01
+ * @author Nils Durner
+ */
+#include "platform.h"
+#include "gnunet_crypto_lib.h"
+/**
+ * @brief Compute the HMAC
+ * @param mac gcrypt MAC handle
+ * @param key HMAC key
+ * @param key_len length of key
+ * @param buf message to be processed
+ * @param buf_len length of buf
+ * @return HMAC, freed by caller via gcry_md_close/_reset
+ */
+static void *
+doHMAC (gcry_md_hd_t mac, const void *key, const size_t key_len,
+    const void *buf, const size_t buf_len)
+{
+  gcry_md_setkey (mac, key, key_len);
+  gcry_md_write (mac, buf, buf_len);
+  return (void *) gcry_md_read (mac, 0);
+}
+/**
+ * @brief Generate pseudo-random key
+ * @param mac gcrypt HMAC handle
+ * @param xts salt
+ * @param xts_len length of the salt
+ * @param skm source key material
+ * @param skm_len length of skm
+ * @param prk result buffer (allocated by caller; at least gcry_md_dlen() bytes)
+ * @return GNUNET_YES on success
+ */
+static int
+getPRK (gcry_md_hd_t mac, const void *xts, const unsigned long long xts_len,
+    const void *skm, const unsigned long long skm_len, void *prk)
+{
+  void *ret;
+  ret = doHMAC (mac, xts, xts_len, skm, skm_len);
+  if (ret == NULL)
+    return GNUNET_SYSERR;
+  memcpy (prk, ret, gcry_md_get_algo_dlen (gcry_md_get_algo (mac)));
+  return GNUNET_YES;
+}
+static void dump(void *p, unsigned int l)
+{
+  unsigned int i;
+  printf("\n");
+  for (i = 0; i < l; i++)
+    {
+      printf("%2x", ((char *) p)[i]);
+    }
+  printf("\n");
+}
+/**
+ * @brief Derive key
+ * @param xtr_algo hash algorithm for the extraction phase, GCRY_MD_...
+ * @param prf_algo hash algorithm for the expansion phase, GCRY_MD_...
+ * @param xts salt
+ * @param xts_len length of xts
+ * @param skm source key material
+ * @param skm_len length of skm
+ * @param ctx context info
+ * @param ctx_len length of ctx
+ * @param out_len desired length of the derived key
+ * @param result buffer for the derived key, allocated by caller
+ * @return GNUNET_YES on success
+ */
+int
+GNUNET_CRYPTO_hkdf (int xtr_algo, int prf_algo, const void *xts,
+    const size_t xts_len, const void *skm, const size_t skm_len,
+    const void *ctx, const size_t ctx_len, const unsigned long long out_len,
+    void *result)
+{
+  void *prk, *hc, *plain;
+  unsigned long long plain_len;
+  unsigned long i, t, d;
+  unsigned int k, xtr_len;
+  int ret;
+  gcry_md_hd_t xtr, prf;
+  prk = plain = NULL;
+  xtr_len = gcry_md_get_algo_dlen (xtr_algo);
+  k = gcry_md_get_algo_dlen (prf_algo);
+  gcry_md_open(&xtr, xtr_algo, GCRY_MD_FLAG_HMAC);
+  gcry_md_open(&prf, prf_algo, GCRY_MD_FLAG_HMAC);
+  if (out_len > (2 ^ 32 * k) || !xtr_algo || !prf_algo)
+    return GNUNET_SYSERR;
+  prk = GNUNET_malloc (xtr_len);
+  memset (result, 0, out_len);
+  gcry_md_reset (xtr);
+  if (getPRK (xtr, xts, xts_len, skm, skm_len, prk)
+      != GNUNET_YES)
+    goto hkdf_error;
+dump(prk, xtr_len);
+  /* K(1) */
+  plain_len = k + ctx_len + 4;
+  plain = GNUNET_malloc (plain_len);
+  memset (plain, 0, k);
+  memcpy (plain + k, ctx, ctx_len);
+  t = out_len / k;
+  if (t > 0)
+    {
+      memset (plain + k + ctx_len, 0, 4);
+      gcry_md_reset (prf);
+      hc = doHMAC (prf, prk, k, plain, plain_len);
+      if (hc == NULL)
+        goto hkdf_error;
+      memcpy (result, hc, k);
+      result += k;
+    }
+  /* K(i+1) */
+  for (i = 1; i < t; i++)
+    {
+      memcpy (plain, result - k, k);
+      memcpy (plain + k + ctx_len, &i, 4);
+      gcry_md_reset (prf);
+      hc = doHMAC (prf, prk, k, plain, plain_len);
+      if (hc == NULL)
+        goto hkdf_error;
+      memcpy (result, hc, k);
+      result += k;
+    }
+  /* K(t):d */
+  d = out_len % k;
+  if (d > 0)
+    {
+      if (t > 0)
+        memcpy (plain, result - k, k);
+      memcpy (plain + k + ctx_len, &i, 4);
+      gcry_md_reset (prf);
+      hc = doHMAC (prf, prk, k, plain, plain_len);
+      if (hc == NULL)
+        goto hkdf_error;
+      memcpy (result, hc, d);
+    }
+  ret = GNUNET_YES;
+  goto hkdf_ok;
+hkdf_error:
+  ret = GNUNET_SYSERR;
+hkdf_ok:
+  GNUNET_free (prk);
+  GNUNET_free_non_null (plain);
+  gcry_md_close (prf);
+  gcry_md_close (xtr);
+  return ret;
+}
+/* end of crypto_hkdf.c */
diff --git a/src/util/test_crypto_hkdf.c b/src/util/test_crypto_hkdf.c
new file mode 100644
index 000000000..d0078202d
--- /dev/null
+++ b/src/util/test_crypto_hkdf.c
@@ -0,0 +1,203 @@
+/*
+    Copyright (c) 2010 Nils Durner
+    Permission is hereby granted, free of charge, to any person obtaining a copy
+    of this software and associated documentation files (the "Software"), to deal
+    in the Software without restriction, including without limitation the rights
+    to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+    copies of the Software, and to permit persons to whom the Software is
+    furnished to do so, subject to the following conditions:
+    The above copyright notice and this permission notice shall be included in
+    all copies or substantial portions of the Software.
+    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+    IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+    AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+    OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+    THE SOFTWARE.
+*/
+/**
+ * @file src/util/test_crypt_hkdf.c
+ * @brief Testcases for HKDF
+ * @author Nils Durner
+ */
+#include "platform.h"
+#include "gnunet_crypto_lib.h"
+void
+tc1 ()
+{
+  char ikm[22] = { 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+      0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b };
+  char salt[13] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
+      0x0a, 0x0b, 0x0c };
+  char
+      info[10] = { 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9 };
+  char okm[42] = { 0x3c, 0xb2, 0x5f, 0x25, 0xfa, 0xac, 0xd5, 0x7a, 0x90, 0x43,
+      0x4f, 0x64, 0xd0, 0x36, 0x2f, 0x2a, 0x2d, 0x2d, 0x0a, 0x90, 0xcf, 0x1a,
+      0x5a, 0x4c, 0x5d, 0xb0, 0x2d, 0x56, 0xec, 0xc4, 0xc5, 0xbf, 0x34, 0x00,
+      0x72, 0x08, 0xd5, 0xb8, 0x87, 0x18, 0x58, 0x65 };
+  char result[44];
+  int l = 42;
+  GNUNET_assert (GNUNET_CRYPTO_hkdf(GCRY_MD_SHA256, GCRY_MD_SHA256, salt, sizeof(salt), ikm, sizeof(ikm), info, sizeof(info),
+          l, result) == GNUNET_YES);
+  GNUNET_assert (memcmp(result, okm, l) == 0);
+  GNUNET_assert (memcmp(result + l, "\0", 2) == 0);
+}
+void
+tc2 ()
+{
+  char ikm[80] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
+      0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
+      0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21,
+      0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d,
+      0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39,
+      0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f, 0x40, 0x41, 0x42, 0x43, 0x44, 0x45,
+      0x46, 0x47, 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f };
+  char salt[80] = { 0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69,
+      0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75,
+      0x76, 0x77, 0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x80, 0x81,
+      0x82, 0x83, 0x84, 0x85, 0x86, 0x87, 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d,
+      0x8e, 0x8f, 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97, 0x98, 0x99,
+      0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f, 0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5,
+      0xa6, 0xa7, 0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf };
+  char info[80] = { 0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, 0xb8, 0xb9,
+      0xba, 0xbb, 0xbc, 0xbd, 0xbe, 0xbf, 0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5,
+      0xc6, 0xc7, 0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf, 0xd0, 0xd1,
+      0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7, 0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd,
+      0xde, 0xdf, 0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7, 0xe8, 0xe9,
+      0xea, 0xeb, 0xec, 0xed, 0xee, 0xef, 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5,
+      0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff };
+  char okm[82] = { 0xb1, 0x1e, 0x39, 0x8d, 0xc8, 0x03, 0x27, 0xa1, 0xc8, 0xe7,
+      0xf7, 0x8c, 0x59, 0x6a, 0x49, 0x34, 0x4f, 0x01, 0x2e, 0xda, 0x2d, 0x4e,
+      0xfa, 0xd8, 0xa0, 0x50, 0xcc, 0x4c, 0x19, 0xaf, 0xa9, 0x7c, 0x59, 0x04,
+      0x5a, 0x99, 0xca, 0xc7, 0x82, 0x72, 0x71, 0xcb, 0x41, 0xc6, 0x5e, 0x59,
+      0x0e, 0x09, 0xda, 0x32, 0x75, 0x60, 0x0c, 0x2f, 0x09, 0xb8, 0x36, 0x77,
+      0x93, 0xa9, 0xac, 0xa3, 0xdb, 0x71, 0xcc, 0x30, 0xc5, 0x81, 0x79, 0xec,
+      0x3e, 0x87, 0xc1, 0x4c, 0x01, 0xd5, 0xc1, 0xf3, 0x43, 0x4f, 0x1d, 0x87 };
+  char result[84];
+  int l = 82;
+  GNUNET_assert (GNUNET_CRYPTO_hkdf(GCRY_MD_SHA256, GCRY_MD_SHA256, salt, sizeof(salt), ikm, sizeof(ikm), info, sizeof(info),
+          l, result) == GNUNET_YES);
+  GNUNET_assert (memcmp(result, okm, l) == 0);
+  GNUNET_assert (memcmp(result + l, "\0", 2) == 0);
+}
+void
+tc3 ()
+{
+  char ikm[80] = { 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+      0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b };
+  char okm[42] = { 0x8d, 0xa4, 0xe7, 0x75, 0xa5, 0x63, 0xc1, 0x8f, 0x71, 0x5f,
+      0x80, 0x2a, 0x06, 0x3c, 0x5a, 0x31, 0xb8, 0xa1, 0x1f, 0x5c, 0x5e, 0xe1,
+      0x87, 0x9e, 0xc3, 0x45, 0x4e, 0x5f, 0x3c, 0x73, 0x8d, 0x2d, 0x9d, 0x20,
+      0x13, 0x95, 0xfa, 0xa4, 0xb6, 0x1a, 0x96, 0xc8 };
+  char result[44];
+  int l = 42;
+  GNUNET_assert (GNUNET_CRYPTO_hkdf(GCRY_MD_SHA256, GCRY_MD_SHA256, NULL, 0, ikm, sizeof(ikm), NULL, 0,
+          l, result) == GNUNET_YES);
+  GNUNET_assert (memcmp(result, okm, l) == 0);
+  GNUNET_assert (memcmp(result + l, "\0", 2) == 0);
+}
+void
+tc4 ()
+{
+  char ikm[11] = { 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+      0x0b };
+  char salt[13] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
+      0x0a, 0x0b, 0x0c };
+  char
+      info[10] = { 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9 };
+  char okm[42] = { 0x08, 0x5a, 0x01, 0xea, 0x1b, 0x10, 0xf3, 0x69, 0x33, 0x06,
+      0x8b, 0x56, 0xef, 0xa5, 0xad, 0x81, 0xa4, 0xf1, 0x4b, 0x82, 0x2f, 0x5b,
+      0x09, 0x15, 0x68, 0xa9, 0xcd, 0xd4, 0xf1, 0x55, 0xfd, 0xa2, 0xc2, 0x2e,
+      0x42, 0x24, 0x78, 0xd3, 0x05, 0xf3, 0xf8, 0x96 };
+  char result[84];
+  int l = 42;
+  GNUNET_assert (GNUNET_CRYPTO_hkdf(GCRY_MD_SHA1, GCRY_MD_SHA1, salt, sizeof(salt), ikm, sizeof(ikm), info, sizeof(info),
+          l, result) == GNUNET_YES);
+  GNUNET_assert (memcmp(result, okm, l) == 0);
+  GNUNET_assert (memcmp(result + l, "\0", 2) == 0);
+}
+void
+tc5 ()
+{
+  char ikm[80] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
+      0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
+      0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21,
+      0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d,
+      0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39,
+      0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f, 0x40, 0x41, 0x42, 0x43, 0x44, 0x45,
+      0x46, 0x47, 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f };
+  char salt[80] = { 0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69,
+      0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75,
+      0x76, 0x77, 0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x80, 0x81,
+      0x82, 0x83, 0x84, 0x85, 0x86, 0x87, 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d,
+      0x8e, 0x8f, 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97, 0x98, 0x99,
+      0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f, 0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5,
+      0xa6, 0xa7, 0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf };
+  char info[80] = { 0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, 0xb8, 0xb9,
+      0xba, 0xbb, 0xbc, 0xbd, 0xbe, 0xbf, 0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5,
+      0xc6, 0xc7, 0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf, 0xd0, 0xd1,
+      0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7, 0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd,
+      0xde, 0xdf, 0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7, 0xe8, 0xe9,
+      0xea, 0xeb, 0xec, 0xed, 0xee, 0xef, 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5,
+      0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff };
+  char okm[82] = { 0x0b, 0xd7, 0x70, 0xa7, 0x4d, 0x11, 0x60, 0xf7, 0xc9, 0xf1,
+      0x2c, 0xd5, 0x91, 0x2a, 0x06, 0xeb, 0xff, 0x6a, 0xdc, 0xae, 0x89, 0x9d,
+      0x92, 0x19, 0x1f, 0xe4, 0x30, 0x56, 0x73, 0xba, 0x2f, 0xfe, 0x8f, 0xa3,
+      0xf1, 0xa4, 0xe5, 0xad, 0x79, 0xf3, 0xf3, 0x34, 0xb3, 0xb2, 0x02, 0xb2,
+      0x17, 0x3c, 0x48, 0x6e, 0xa3, 0x7c, 0xe3, 0xd3, 0x97, 0xed, 0x03, 0x4c,
+      0x7f, 0x9d, 0xfe, 0xb1, 0x5c, 0x5e, 0x92, 0x73, 0x36, 0xd0, 0x44, 0x1f,
+      0x4c, 0x43, 0x00, 0xe2, 0xcf, 0xf0, 0xd0, 0x90, 0x0b, 0x52, 0xd3, 0xb4 };
+  char result[84];
+  int l = 82;
+  GNUNET_assert (GNUNET_CRYPTO_hkdf(GCRY_MD_SHA1, GCRY_MD_SHA1, salt, sizeof(salt), ikm, sizeof(ikm), info, sizeof(info),
+          l, result) == GNUNET_YES);
+  GNUNET_assert (memcmp(result, okm, l) == 0);
+  GNUNET_assert (memcmp(result + l, "\0", 2) == 0);
+}
+void
+tc6 ()
+{
+  char ikm[22] = { 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+      0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b };
+  char okm[82] = { 0x0a, 0xc1, 0xaf, 0x70, 0x02, 0xb3, 0xd7, 0x61, 0xd1, 0xe5,
+      0x52, 0x98, 0xda, 0x9d, 0x05, 0x06, 0xb9, 0xae, 0x52, 0x05, 0x72, 0x20,
+      0xa3, 0x06, 0xe0, 0x7b, 0x6b, 0x87, 0xe8, 0xdf, 0x21, 0xd0, 0xea, 0x00,
+      0x03, 0x3d, 0xe0, 0x39, 0x84, 0xd3, 0x49, 0x18 };
+  char result[84];
+  int l = 82;
+  GNUNET_assert (GNUNET_CRYPTO_hkdf(GCRY_MD_SHA1, GCRY_MD_SHA1, NULL, 0, ikm, sizeof(ikm), NULL, 0,
+          l, result) == GNUNET_YES);
+  GNUNET_assert (memcmp(result, okm, l) == 0);
+  GNUNET_assert (memcmp(result + l, "\0", 2) == 0);
+}
+int
+main ()
+{
+  GNUNET_log_setup ("test-crypto-hkdf", "WARNING", NULL);
+  tc1();
+  tc2();
+  tc3();
+  tc4();
+  tc5();
+  tc6();
+  return 0;
+}
author	Nils Durner <durner@gnunet.org>	2010-06-29 15:58:34 +0000
committer	Nils Durner <durner@gnunet.org>	2010-06-29 15:58:34 +0000
commit	0bd8cc55c82bedce06f65f52ea446f82427d2c0d (patch)
tree	0b077ae3d52819ad5be412b94f678b71a4e5dcb9
parent	4b6526cb3b6b9f323b3f9f4020db2f493d286939 (diff)
download	gnunet-0bd8cc55c82bedce06f65f52ea446f82427d2c0d.tar.gz gnunet-0bd8cc55c82bedce06f65f52ea446f82427d2c0d.zip

diff --git a/src/include/gnunet_crypto_lib.h b/src/include/gnunet_crypto_lib.h index d31dfcfa6..479e0e42d 100644 --- a/src/include/gnunet_crypto_lib.h +++ b/src/include/gnunet_crypto_lib.h
@@ -512,6 +512,27 @@ int GNUNET_CRYPTO_hash_xorcmp (const GNUNET_HashCode * h1,
512		512
513		513
514	/**	514	/**
		515	* @brief Derive key
		516	* @param xtr_algo hash algorithm for the extraction phase, GCRY_MD_...
		517	* @param prf_algo hash algorithm for the expansion phase, GCRY_MD_...
		518	* @param xts salt
		519	* @param xts_len length of xts
		520	* @param skm source key material
		521	* @param skm_len length of skm
		522	* @param ctx context info
		523	* @param ctx_len length of ctx
		524	* @param out_len desired length of the derived key
		525	* @param result buffer for the derived key, allocated by caller
		526	* @return GNUNET_YES on success
		527	*/
		528	int
		529	GNUNET_CRYPTO_hkdf (int xtr_algo, int prf_algo, const void *xts,
		530	const size_t xts_len, const void *skm, const size_t skm_len,
		531	const void *ctx, const size_t ctx_len, const unsigned long long out_len,
		532	void *result);
		533
		534
		535	/**
515	* Create a new private key. Caller must free return value.	536	* Create a new private key. Caller must free return value.
516	*	537	*
517	* @return fresh private key	538	* @return fresh private key


diff --git a/src/util/Makefile.am b/src/util/Makefile.am index 9cc402fc5..0b878c673 100644 --- a/src/util/Makefile.am +++ b/src/util/Makefile.am
@@ -40,6 +40,7 @@ libgnunetutil_la_SOURCES = \
40	crypto_aes.c \	40	crypto_aes.c \
41	crypto_crc.c \	41	crypto_crc.c \
42	crypto_hash.c \	42	crypto_hash.c \
		43	crypto_hkdf.c \
43	crypto_ksk.c \	44	crypto_ksk.c \
44	crypto_random.c \	45	crypto_random.c \
45	crypto_rsa.c \	46	crypto_rsa.c \
@@ -112,6 +113,7 @@ check_PROGRAMS = \
112	test_crypto_aes_weak \	113	test_crypto_aes_weak \
113	test_crypto_crc \	114	test_crypto_crc \
114	test_crypto_hash \	115	test_crypto_hash \
		116	# test_crypto_hkdf \
115	test_crypto_ksk \	117	test_crypto_ksk \
116	test_crypto_random \	118	test_crypto_random \
117	test_crypto_rsa \	119	test_crypto_rsa \
@@ -227,6 +229,11 @@ test_crypto_hash_SOURCES = \
227	test_crypto_hash_LDADD = \	229	test_crypto_hash_LDADD = \
228	$(top_builddir)/src/util/libgnunetutil.la	230	$(top_builddir)/src/util/libgnunetutil.la
229		231
		232	test_crypto_hkdf_SOURCES = \
		233	test_crypto_hkdf.c
		234	test_crypto_hkdf_LDADD = \
		235	$(top_builddir)/src/util/libgnunetutil.la
		236
230	test_crypto_ksk_SOURCES = \	237	test_crypto_ksk_SOURCES = \
231	test_crypto_ksk.c	238	test_crypto_ksk.c
232	test_crypto_ksk_LDADD = \	239	test_crypto_ksk_LDADD = \


diff --git a/src/util/crypto_hkdf.c b/src/util/crypto_hkdf.c new file mode 100644 index 000000000..efde3b868 --- /dev/null +++ b/src/util/crypto_hkdf.c
@@ -0,0 +1,192 @@
		1	/*
		2	Copyright (c) 2010 Nils Durner
		3
		4	Permission is hereby granted, free of charge, to any person obtaining a copy
		5	of this software and associated documentation files (the "Software"), to deal
		6	in the Software without restriction, including without limitation the rights
		7	to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
		8	copies of the Software, and to permit persons to whom the Software is
		9	furnished to do so, subject to the following conditions:
		10
		11	The above copyright notice and this permission notice shall be included in
		12	all copies or substantial portions of the Software.
		13
		14	THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
		15	IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
		16	FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
		17	AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
		18	LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
		19	OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
		20	THE SOFTWARE.
		21	*/
		22
		23	/**
		24	* @file src/util/crypto_hkdf.c
		25	* @brief Hash-based KDF as defined in draft-krawczyk-hkdf-01
		26	* @see http://tools.ietf.org/html/draft-krawczyk-hkdf-01
		27	* @author Nils Durner
		28	*/
		29
		30	#include "platform.h"
		31	#include "gnunet_crypto_lib.h"
		32
		33	/**
		34	* @brief Compute the HMAC
		35	* @param mac gcrypt MAC handle
		36	* @param key HMAC key
		37	* @param key_len length of key
		38	* @param buf message to be processed
		39	* @param buf_len length of buf
		40	* @return HMAC, freed by caller via gcry_md_close/_reset
		41	*/
		42	static void *
		43	doHMAC (gcry_md_hd_t mac, const void *key, const size_t key_len,
		44	const void *buf, const size_t buf_len)
		45	{
		46	gcry_md_setkey (mac, key, key_len);
		47	gcry_md_write (mac, buf, buf_len);
		48
		49	return (void *) gcry_md_read (mac, 0);
		50	}
		51
		52	/**
		53	* @brief Generate pseudo-random key
		54	* @param mac gcrypt HMAC handle
		55	* @param xts salt
		56	* @param xts_len length of the salt
		57	* @param skm source key material
		58	* @param skm_len length of skm
		59	* @param prk result buffer (allocated by caller; at least gcry_md_dlen() bytes)
		60	* @return GNUNET_YES on success
		61	*/
		62	static int
		63	getPRK (gcry_md_hd_t mac, const void *xts, const unsigned long long xts_len,
		64	const void skm, const unsigned long long skm_len, void prk)
		65	{
		66	void *ret;
		67
		68	ret = doHMAC (mac, xts, xts_len, skm, skm_len);
		69	if (ret == NULL)
		70	return GNUNET_SYSERR;
		71	memcpy (prk, ret, gcry_md_get_algo_dlen (gcry_md_get_algo (mac)));
		72
		73	return GNUNET_YES;
		74	}
		75
		76	static void dump(void *p, unsigned int l)
		77	{
		78	unsigned int i;
		79
		80	printf("\n");
		81	for (i = 0; i < l; i++)
		82	{
		83	printf("%2x", ((char *) p)[i]);
		84	}
		85	printf("\n");
		86	}
		87
		88	/**
		89	* @brief Derive key
		90	* @param xtr_algo hash algorithm for the extraction phase, GCRY_MD_...
		91	* @param prf_algo hash algorithm for the expansion phase, GCRY_MD_...
		92	* @param xts salt
		93	* @param xts_len length of xts
		94	* @param skm source key material
		95	* @param skm_len length of skm
		96	* @param ctx context info
		97	* @param ctx_len length of ctx
		98	* @param out_len desired length of the derived key
		99	* @param result buffer for the derived key, allocated by caller
		100	* @return GNUNET_YES on success
		101	*/
		102	int
		103	GNUNET_CRYPTO_hkdf (int xtr_algo, int prf_algo, const void *xts,
		104	const size_t xts_len, const void *skm, const size_t skm_len,
		105	const void *ctx, const size_t ctx_len, const unsigned long long out_len,
		106	void *result)
		107	{
		108	void prk, hc, *plain;
		109	unsigned long long plain_len;
		110	unsigned long i, t, d;
		111	unsigned int k, xtr_len;
		112	int ret;
		113	gcry_md_hd_t xtr, prf;
		114
		115	prk = plain = NULL;
		116	xtr_len = gcry_md_get_algo_dlen (xtr_algo);
		117	k = gcry_md_get_algo_dlen (prf_algo);
		118	gcry_md_open(&xtr, xtr_algo, GCRY_MD_FLAG_HMAC);
		119	gcry_md_open(&prf, prf_algo, GCRY_MD_FLAG_HMAC);
		120
		121	if (out_len > (2 ^ 32 * k) \|\| !xtr_algo \|\| !prf_algo)
		122	return GNUNET_SYSERR;
		123
		124	prk = GNUNET_malloc (xtr_len);
		125
		126	memset (result, 0, out_len);
		127	gcry_md_reset (xtr);
		128	if (getPRK (xtr, xts, xts_len, skm, skm_len, prk)
		129	!= GNUNET_YES)
		130	goto hkdf_error;
		131	dump(prk, xtr_len);
		132
		133	/* K(1) */
		134	plain_len = k + ctx_len + 4;
		135	plain = GNUNET_malloc (plain_len);
		136	memset (plain, 0, k);
		137	memcpy (plain + k, ctx, ctx_len);
		138	t = out_len / k;
		139	if (t > 0)
		140	{
		141	memset (plain + k + ctx_len, 0, 4);
		142	gcry_md_reset (prf);
		143	hc = doHMAC (prf, prk, k, plain, plain_len);
		144	if (hc == NULL)
		145	goto hkdf_error;
		146	memcpy (result, hc, k);
		147	result += k;
		148	}
		149
		150	/* K(i+1) */
		151	for (i = 1; i < t; i++)
		152	{
		153	memcpy (plain, result - k, k);
		154	memcpy (plain + k + ctx_len, &i, 4);
		155	gcry_md_reset (prf);
		156	hc = doHMAC (prf, prk, k, plain, plain_len);
		157	if (hc == NULL)
		158	goto hkdf_error;
		159	memcpy (result, hc, k);
		160	result += k;
		161	}
		162
		163	/* K(t):d */
		164	d = out_len % k;
		165	if (d > 0)
		166	{
		167	if (t > 0)
		168	memcpy (plain, result - k, k);
		169	memcpy (plain + k + ctx_len, &i, 4);
		170	gcry_md_reset (prf);
		171	hc = doHMAC (prf, prk, k, plain, plain_len);
		172	if (hc == NULL)
		173	goto hkdf_error;
		174	memcpy (result, hc, d);
		175	}
		176
		177	ret = GNUNET_YES;
		178	goto hkdf_ok;
		179
		180	hkdf_error:
		181	ret = GNUNET_SYSERR;
		182	hkdf_ok:
		183	GNUNET_free (prk);
		184	GNUNET_free_non_null (plain);
		185	gcry_md_close (prf);
		186	gcry_md_close (xtr);
		187
		188	return ret;
		189	}
		190
		191
		192	/* end of crypto_hkdf.c */


diff --git a/src/util/test_crypto_hkdf.c b/src/util/test_crypto_hkdf.c new file mode 100644 index 000000000..d0078202d --- /dev/null +++ b/src/util/test_crypto_hkdf.c
@@ -0,0 +1,203 @@
		1	/*
		2	Copyright (c) 2010 Nils Durner
		3
		4	Permission is hereby granted, free of charge, to any person obtaining a copy
		5	of this software and associated documentation files (the "Software"), to deal
		6	in the Software without restriction, including without limitation the rights
		7	to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
		8	copies of the Software, and to permit persons to whom the Software is
		9	furnished to do so, subject to the following conditions:
		10
		11	The above copyright notice and this permission notice shall be included in
		12	all copies or substantial portions of the Software.
		13
		14	THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
		15	IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
		16	FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
		17	AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
		18	LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
		19	OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
		20	THE SOFTWARE.
		21	*/
		22
		23	/**
		24	* @file src/util/test_crypt_hkdf.c
		25	* @brief Testcases for HKDF
		26	* @author Nils Durner
		27	*/
		28
		29	#include "platform.h"
		30	#include "gnunet_crypto_lib.h"
		31
		32	void
		33	tc1 ()
		34	{
		35	char ikm[22] = { 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
		36	0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b };
		37	char salt[13] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
		38	0x0a, 0x0b, 0x0c };
		39	char
		40	info[10] = { 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9 };
		41	char okm[42] = { 0x3c, 0xb2, 0x5f, 0x25, 0xfa, 0xac, 0xd5, 0x7a, 0x90, 0x43,
		42	0x4f, 0x64, 0xd0, 0x36, 0x2f, 0x2a, 0x2d, 0x2d, 0x0a, 0x90, 0xcf, 0x1a,
		43	0x5a, 0x4c, 0x5d, 0xb0, 0x2d, 0x56, 0xec, 0xc4, 0xc5, 0xbf, 0x34, 0x00,
		44	0x72, 0x08, 0xd5, 0xb8, 0x87, 0x18, 0x58, 0x65 };
		45	char result[44];
		46	int l = 42;
		47
		48	GNUNET_assert (GNUNET_CRYPTO_hkdf(GCRY_MD_SHA256, GCRY_MD_SHA256, salt, sizeof(salt), ikm, sizeof(ikm), info, sizeof(info),
		49	l, result) == GNUNET_YES);
		50	GNUNET_assert (memcmp(result, okm, l) == 0);
		51	GNUNET_assert (memcmp(result + l, "\0", 2) == 0);
		52	}
		53
		54	void
		55	tc2 ()
		56	{
		57	char ikm[80] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
		58	0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
		59	0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21,
		60	0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d,
		61	0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39,
		62	0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f, 0x40, 0x41, 0x42, 0x43, 0x44, 0x45,
		63	0x46, 0x47, 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f };
		64	char salt[80] = { 0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69,
		65	0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75,
		66	0x76, 0x77, 0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x80, 0x81,
		67	0x82, 0x83, 0x84, 0x85, 0x86, 0x87, 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d,
		68	0x8e, 0x8f, 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97, 0x98, 0x99,
		69	0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f, 0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5,
		70	0xa6, 0xa7, 0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf };
		71	char info[80] = { 0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, 0xb8, 0xb9,
		72	0xba, 0xbb, 0xbc, 0xbd, 0xbe, 0xbf, 0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5,
		73	0xc6, 0xc7, 0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf, 0xd0, 0xd1,
		74	0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7, 0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd,
		75	0xde, 0xdf, 0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7, 0xe8, 0xe9,
		76	0xea, 0xeb, 0xec, 0xed, 0xee, 0xef, 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5,
		77	0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff };
		78	char okm[82] = { 0xb1, 0x1e, 0x39, 0x8d, 0xc8, 0x03, 0x27, 0xa1, 0xc8, 0xe7,
		79	0xf7, 0x8c, 0x59, 0x6a, 0x49, 0x34, 0x4f, 0x01, 0x2e, 0xda, 0x2d, 0x4e,
		80	0xfa, 0xd8, 0xa0, 0x50, 0xcc, 0x4c, 0x19, 0xaf, 0xa9, 0x7c, 0x59, 0x04,
		81	0x5a, 0x99, 0xca, 0xc7, 0x82, 0x72, 0x71, 0xcb, 0x41, 0xc6, 0x5e, 0x59,
		82	0x0e, 0x09, 0xda, 0x32, 0x75, 0x60, 0x0c, 0x2f, 0x09, 0xb8, 0x36, 0x77,
		83	0x93, 0xa9, 0xac, 0xa3, 0xdb, 0x71, 0xcc, 0x30, 0xc5, 0x81, 0x79, 0xec,
		84	0x3e, 0x87, 0xc1, 0x4c, 0x01, 0xd5, 0xc1, 0xf3, 0x43, 0x4f, 0x1d, 0x87 };
		85	char result[84];
		86	int l = 82;
		87
		88	GNUNET_assert (GNUNET_CRYPTO_hkdf(GCRY_MD_SHA256, GCRY_MD_SHA256, salt, sizeof(salt), ikm, sizeof(ikm), info, sizeof(info),
		89	l, result) == GNUNET_YES);
		90	GNUNET_assert (memcmp(result, okm, l) == 0);
		91	GNUNET_assert (memcmp(result + l, "\0", 2) == 0);
		92	}
		93
		94	void
		95	tc3 ()
		96	{
		97	char ikm[80] = { 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
		98	0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b };
		99	char okm[42] = { 0x8d, 0xa4, 0xe7, 0x75, 0xa5, 0x63, 0xc1, 0x8f, 0x71, 0x5f,
		100	0x80, 0x2a, 0x06, 0x3c, 0x5a, 0x31, 0xb8, 0xa1, 0x1f, 0x5c, 0x5e, 0xe1,
		101	0x87, 0x9e, 0xc3, 0x45, 0x4e, 0x5f, 0x3c, 0x73, 0x8d, 0x2d, 0x9d, 0x20,
		102	0x13, 0x95, 0xfa, 0xa4, 0xb6, 0x1a, 0x96, 0xc8 };
		103	char result[44];
		104	int l = 42;
		105
		106	GNUNET_assert (GNUNET_CRYPTO_hkdf(GCRY_MD_SHA256, GCRY_MD_SHA256, NULL, 0, ikm, sizeof(ikm), NULL, 0,
		107	l, result) == GNUNET_YES);
		108	GNUNET_assert (memcmp(result, okm, l) == 0);
		109	GNUNET_assert (memcmp(result + l, "\0", 2) == 0);
		110	}
		111
		112	void
		113	tc4 ()
		114	{
		115	char ikm[11] = { 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
		116	0x0b };
		117	char salt[13] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
		118	0x0a, 0x0b, 0x0c };
		119	char
		120	info[10] = { 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9 };
		121	char okm[42] = { 0x08, 0x5a, 0x01, 0xea, 0x1b, 0x10, 0xf3, 0x69, 0x33, 0x06,
		122	0x8b, 0x56, 0xef, 0xa5, 0xad, 0x81, 0xa4, 0xf1, 0x4b, 0x82, 0x2f, 0x5b,
		123	0x09, 0x15, 0x68, 0xa9, 0xcd, 0xd4, 0xf1, 0x55, 0xfd, 0xa2, 0xc2, 0x2e,
		124	0x42, 0x24, 0x78, 0xd3, 0x05, 0xf3, 0xf8, 0x96 };
		125	char result[84];
		126	int l = 42;
		127
		128	GNUNET_assert (GNUNET_CRYPTO_hkdf(GCRY_MD_SHA1, GCRY_MD_SHA1, salt, sizeof(salt), ikm, sizeof(ikm), info, sizeof(info),
		129	l, result) == GNUNET_YES);
		130	GNUNET_assert (memcmp(result, okm, l) == 0);
		131	GNUNET_assert (memcmp(result + l, "\0", 2) == 0);
		132	}
		133
		134	void
		135	tc5 ()
		136	{
		137	char ikm[80] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
		138	0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
		139	0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21,
		140	0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d,
		141	0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39,
		142	0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f, 0x40, 0x41, 0x42, 0x43, 0x44, 0x45,
		143	0x46, 0x47, 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f };
		144	char salt[80] = { 0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69,
		145	0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75,
		146	0x76, 0x77, 0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x80, 0x81,
		147	0x82, 0x83, 0x84, 0x85, 0x86, 0x87, 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d,
		148	0x8e, 0x8f, 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97, 0x98, 0x99,
		149	0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f, 0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5,
		150	0xa6, 0xa7, 0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf };
		151	char info[80] = { 0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, 0xb8, 0xb9,
		152	0xba, 0xbb, 0xbc, 0xbd, 0xbe, 0xbf, 0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5,
		153	0xc6, 0xc7, 0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf, 0xd0, 0xd1,
		154	0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7, 0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd,
		155	0xde, 0xdf, 0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7, 0xe8, 0xe9,
		156	0xea, 0xeb, 0xec, 0xed, 0xee, 0xef, 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5,
		157	0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff };
		158	char okm[82] = { 0x0b, 0xd7, 0x70, 0xa7, 0x4d, 0x11, 0x60, 0xf7, 0xc9, 0xf1,
		159	0x2c, 0xd5, 0x91, 0x2a, 0x06, 0xeb, 0xff, 0x6a, 0xdc, 0xae, 0x89, 0x9d,
		160	0x92, 0x19, 0x1f, 0xe4, 0x30, 0x56, 0x73, 0xba, 0x2f, 0xfe, 0x8f, 0xa3,
		161	0xf1, 0xa4, 0xe5, 0xad, 0x79, 0xf3, 0xf3, 0x34, 0xb3, 0xb2, 0x02, 0xb2,
		162	0x17, 0x3c, 0x48, 0x6e, 0xa3, 0x7c, 0xe3, 0xd3, 0x97, 0xed, 0x03, 0x4c,
		163	0x7f, 0x9d, 0xfe, 0xb1, 0x5c, 0x5e, 0x92, 0x73, 0x36, 0xd0, 0x44, 0x1f,
		164	0x4c, 0x43, 0x00, 0xe2, 0xcf, 0xf0, 0xd0, 0x90, 0x0b, 0x52, 0xd3, 0xb4 };
		165	char result[84];
		166	int l = 82;
		167
		168	GNUNET_assert (GNUNET_CRYPTO_hkdf(GCRY_MD_SHA1, GCRY_MD_SHA1, salt, sizeof(salt), ikm, sizeof(ikm), info, sizeof(info),
		169	l, result) == GNUNET_YES);
		170	GNUNET_assert (memcmp(result, okm, l) == 0);
		171	GNUNET_assert (memcmp(result + l, "\0", 2) == 0);
		172	}
		173
		174	void
		175	tc6 ()
		176	{
		177	char ikm[22] = { 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
		178	0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b };
		179	char okm[82] = { 0x0a, 0xc1, 0xaf, 0x70, 0x02, 0xb3, 0xd7, 0x61, 0xd1, 0xe5,
		180	0x52, 0x98, 0xda, 0x9d, 0x05, 0x06, 0xb9, 0xae, 0x52, 0x05, 0x72, 0x20,
		181	0xa3, 0x06, 0xe0, 0x7b, 0x6b, 0x87, 0xe8, 0xdf, 0x21, 0xd0, 0xea, 0x00,
		182	0x03, 0x3d, 0xe0, 0x39, 0x84, 0xd3, 0x49, 0x18 };
		183	char result[84];
		184	int l = 82;
		185
		186	GNUNET_assert (GNUNET_CRYPTO_hkdf(GCRY_MD_SHA1, GCRY_MD_SHA1, NULL, 0, ikm, sizeof(ikm), NULL, 0,
		187	l, result) == GNUNET_YES);
		188	GNUNET_assert (memcmp(result, okm, l) == 0);
		189	GNUNET_assert (memcmp(result + l, "\0", 2) == 0);
		190	}
		191
		192	int
		193	main ()
		194	{
		195	GNUNET_log_setup ("test-crypto-hkdf", "WARNING", NULL);
		196	tc1();
		197	tc2();
		198	tc3();
		199	tc4();
		200	tc5();
		201	tc6();
		202	return 0;
		203	}