Merge pull request #5481 from gabor-mezei-arm/5401_implement_hkdf_extract_based_on_psa_hmac

HKDF 1a: Implement Extract in TLS 1.3 based on PSA HMAC

library/ssl_tls13_invasive.h

@@ -28,6 +28,37 @@
 
 #if defined(MBEDTLS_PSA_CRYPTO_C)
 
+/**
+ *  \brief  Take the input keying material \p ikm and extract from it a
+ *          fixed-length pseudorandom key \p prk.
+ *
+ *  \param       alg       The HMAC algorithm to use
+ *                         (\c #PSA_ALG_HMAC( PSA_ALG_XXX ) value such that
+ *                         PSA_ALG_XXX is a hash algorithm and
+ *                         #PSA_ALG_IS_HMAC(\p alg) is true).
+ *  \param       salt      An optional salt value (a non-secret random value);
+ *                         if the salt is not provided, a string of all zeros
+ *                         of the length of the hash provided by \p alg is used
+ *                         as the salt.
+ *  \param       salt_len  The length in bytes of the optional \p salt.
+ *  \param       ikm       The input keying material.
+ *  \param       ikm_len   The length in bytes of \p ikm.
+ *  \param[out]  prk       A pseudorandom key of \p prk_len bytes.
+ *  \param       prk_size  Size of the \p prk buffer in bytes.
+ *  \param[out]  prk_len   On success, the length in bytes of the
+ *                         pseudorandom key in \p prk.
+ *
+ *  \return 0 on success.
+ *  \return #PSA_ERROR_INVALID_ARGUMENT when the parameters are invalid.
+ *  \return An PSA_ERROR_* error for errors returned from the underlying
+ *          PSA layer.
+ */
+psa_status_t mbedtls_psa_hkdf_extract( psa_algorithm_t alg,
+                                       const unsigned char *salt, size_t salt_len,
+                                       const unsigned char *ikm, size_t ikm_len,
+                                       unsigned char *prk, size_t prk_size,
+                                       size_t *prk_len );
+
 /**
  *  \brief  Expand the supplied \p prk into several additional pseudorandom
  *          keys, which is the output of the HKDF.

library/ssl_tls13_keys.c

@@ -138,6 +138,59 @@ static void ssl_tls13_hkdf_encode_label(
 
 #if defined( MBEDTLS_TEST_HOOKS )
 
+MBEDTLS_STATIC_TESTABLE
+psa_status_t mbedtls_psa_hkdf_extract( psa_algorithm_t alg,
+                                       const unsigned char *salt, size_t salt_len,
+                                       const unsigned char *ikm, size_t ikm_len,
+                                       unsigned char *prk, size_t prk_size,
+                                       size_t *prk_len )
+{
+    unsigned char null_salt[PSA_MAC_MAX_SIZE] = { '\0' };
+    mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
+    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+    psa_status_t destroy_status = PSA_ERROR_CORRUPTION_DETECTED;
+
+    if( salt == NULL || salt_len == 0 )
+    {
+        size_t hash_len;
+
+        if( salt_len != 0 )
+        {
+            return( PSA_ERROR_INVALID_ARGUMENT );
+        }
+
+        hash_len = PSA_HASH_LENGTH( alg );
+
+        if( hash_len == 0 )
+        {
+            return( PSA_ERROR_INVALID_ARGUMENT );
+        }
+
+        /* salt_len <= sizeof( salt ) because
+           PSA_HASH_LENGTH( alg ) <= PSA_MAC_MAX_SIZE. */
+        salt = null_salt;
+        salt_len = hash_len;
+    }
+
+    psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_SIGN_MESSAGE );
+    psa_set_key_algorithm( &attributes, alg );
+    psa_set_key_type( &attributes, PSA_KEY_TYPE_HMAC );
+
+    status = psa_import_key( &attributes, salt, salt_len, &key );
+    if( status != PSA_SUCCESS )
+    {
+        goto cleanup;
+    }
+
+    status = psa_mac_compute( key, alg, ikm, ikm_len, prk, prk_size, prk_len );
+
+cleanup:
+    destroy_status = psa_destroy_key( key );
+
+    return( ( status == PSA_SUCCESS ) ? destroy_status : status );
+}
+
 MBEDTLS_STATIC_TESTABLE
 psa_status_t mbedtls_psa_hkdf_expand( psa_algorithm_t alg,
                                       const unsigned char *prk, size_t prk_len,