Merge pull request #6888 from SparkiDev/srtp_kdf

SRTP/SRTCP KDF: add implementation

Author: JacobBarthelmeh

configure.ac

@@ -3547,6 +3547,22 @@ then
   AM_CFLAGS="$AM_CFLAGS -DHAVE_X963_KDF"
 fi
 
+# SRTP-KDF
+AC_ARG_ENABLE([srtp-kdf],
+    [AS_HELP_STRING([--enable-srtp-kdf],[Enable SRTP-KDF support (default: disabled)])],
+    [ ENABLED_SRTP_KDF=$enableval ],
+    [ ENABLED_SRTP_KDF=no ]
+    )
+if test "$ENABLED_SRTP" = "yes"
+then
+  ENABLED_SRTP_KDF="yes"
+fi
+if test "$ENABLED_SRTP_KDF" = "yes"
+then
+  AM_CFLAGS="$AM_CFLAGS -DWC_SRTP_KDF -DHAVE_AES_ECB -DWOLFSSL_AES_DIRECT"
+fi
+
+
 # DSA
 AC_ARG_ENABLE([dsa],
     [AS_HELP_STRING([--enable-dsa],[Enable DSA (default: disabled)])],
@@ -9583,6 +9599,7 @@ echo "   * wolfCrypt Only:             $ENABLED_CRYPTONLY"
 echo "   * HKDF:                       $ENABLED_HKDF"
 echo "   * HPKE:                       $ENABLED_HPKE"
 echo "   * X9.63 KDF:                  $ENABLED_X963KDF"
+echo "   * SRTP-KDF:                   $ENABLED_SRTP_KDF"
 echo "   * PSK:                        $ENABLED_PSK"
 echo "   * Poly1305:                   $ENABLED_POLY1305"
 echo "   * LEANPSK:                    $ENABLED_LEANPSK"

doc/dox_comments/header_files/doxygen_groups.h

@@ -206,6 +206,7 @@
     \defgroup RSA Algorithms - RSA
     \defgroup SHA Algorithms - SHA 128/224/256/384/512
     \defgroup SipHash Algorithm - SipHash
+    \defgroup SrtpKdf Algorithm - SRTP KDF
     \defgroup SRP Algorithms - SRP
 
     \defgroup ASN ASN.1

doc/dox_comments/header_files/doxygen_pages.h

@@ -57,6 +57,7 @@
         <li>\ref RSA</li>
         <li>\ref SHA</li>
         <li>\ref SipHash</li>
+        <li>\ref SrtpKdf</li>
         <li>\ref SRP</li>
     </ul>
 */

doc/dox_comments/header_files/kdf.h

@@ -0,0 +1,126 @@
+
+/*!
+    \ingroup SrtpKdf
+
+    \brief This function derives keys using SRTP KDF algorithm.
+
+    \return 0 Returned upon successful key derviation.
+    \return BAD_FUNC_ARG Returned when key or salt is NULL
+    \return BAD_FUNC_ARG Returned when key length is not 16, 24 or 32.
+    \return BAD_FUNC_ARG Returned when saltSz is larger than 14.
+    \return BAD_FUNC_ARG Returned when kdrIdx is less than -1 or larger than 24.
+    \return MEMORY_E on dynamic memory allocation failure.
+
+    \param [in] key Key to use with encryption.
+    \param [in] keySz Size of key in bytes.
+    \param [in] salt Random non-secret value.
+    \param [in] saltSz Size of random in bytes.
+    \param [in] kdrIdx Key derivation rate. kdr = 0 when -1, otherwise kdr = 2^kdrIdx.
+    \param [in] index Index value to XOR in.
+    \param [out] key1 First key. Label value of 0x00.
+    \param [in] key1Sz Size of first key in bytes.
+    \param [out] key2 Second key. Label value of 0x01.
+    \param [in] key2Sz Size of second key in bytes.
+    \param [out] key3 Third key. Label value of 0x02.
+    \param [in] key3Sz Size of third key in bytes.
+
+
+    _Example_
+    \code
+    unsigned char key[16] = { ... };
+    unsigned char salt[14] = { ... };
+    unsigned char index[6] = { ... };
+    unsigned char keyE[16];
+    unsigned char keyA[20];
+    unsigned char keyS[14];
+    int kdrIdx = 0; // Use all of index
+    int ret;
+
+    ret = wc_SRTP_KDF(key, sizeof(key), salt, sizeof(salt), kdrIdx, index,
+        keyE, sizeof(keyE), keyA, sizeof(keyA), keyS, sizeof(keyS));
+    if (ret != 0) {
+        WOLFSSL_MSG("wc_SRTP_KDF failed");
+    }
+    \endcode
+
+    \sa wc_SRTCP_KDF
+    \sa wc_SRTP_KDF_kdr_to_idx
+*/
+int wc_SRTP_KDF(const byte* key, word32 keySz, const byte* salt, word32 saltSz,
+        int kdrIdx, const byte* index, byte* key1, word32 key1Sz, byte* key2,
+        word32 key2Sz, byte* key3, word32 key3Sz);
+
+/*!
+    \ingroup SrtpKdf
+
+    \brief This function derives keys using SRTCP KDF algorithm.
+
+    \return 0 Returned upon successful key derviation.
+    \return BAD_FUNC_ARG Returned when key or salt is NULL
+    \return BAD_FUNC_ARG Returned when key length is not 16, 24 or 32.
+    \return BAD_FUNC_ARG Returned when saltSz is larger than 14.
+    \return BAD_FUNC_ARG Returned when kdrIdx is less than -1 or larger than 24.
+    \return MEMORY_E on dynamic memory allocation failure.
+
+    \param [in] key Key to use with encryption.
+    \param [in] keySz Size of key in bytes.
+    \param [in] salt Random non-secret value.
+    \param [in] saltSz Size of random in bytes.
+    \param [in] kdrIdx Key derivation rate. kdr = 0 when -1, otherwise kdr = 2^kdrIdx.
+    \param [in] index Index value to XOR in.
+    \param [out] key1 First key. Label value of 0x00.
+    \param [in] key1Sz Size of first key in bytes.
+    \param [out] key2 Second key. Label value of 0x01.
+    \param [in] key2Sz Size of second key in bytes.
+    \param [out] key3 Third key. Label value of 0x02.
+    \param [in] key3Sz Size of third key in bytes.
+
+
+    _Example_
+    \code
+    unsigned char key[16] = { ... };
+    unsigned char salt[14] = { ... };
+    unsigned char index[4] = { ... };
+    unsigned char keyE[16];
+    unsigned char keyA[20];
+    unsigned char keyS[14];
+    int kdrIdx = 0; // Use all of index
+    int ret;
+
+    ret = wc_SRTCP_KDF(key, sizeof(key), salt, sizeof(salt), kdrIdx, index,
+        keyE, sizeof(keyE), keyA, sizeof(keyA), keyS, sizeof(keyS));
+    if (ret != 0) {
+        WOLFSSL_MSG("wc_SRTP_KDF failed");
+    }
+    \endcode
+
+    \sa wc_SRTP_KDF
+    \sa wc_SRTP_KDF_kdr_to_idx
+*/
+int wc_SRTCP_KDF(const byte* key, word32 keySz, const byte* salt, word32 saltSz,
+        int kdrIdx, const byte* index, byte* key1, word32 key1Sz, byte* key2,
+        word32 key2Sz, byte* key3, word32 key3Sz);
+
+/*!
+    \ingroup SrtpKdf
+
+    \brief This function converts a kdr value to an index to use in SRTP/SRTCP KDF API.
+
+    \return Key derivation rate as an index.
+
+    \param [in] kdr Key derivation rate to convert.
+
+    _Example_
+    \code
+    word32 kdr = 0x00000010;
+    int kdrIdx;
+    int ret;
+
+    kdrIdx = wc_SRTP_KDF_kdr_to_idx(kdr);
+    \endcode
+
+    \sa wc_SRTP_KDF
+    \sa wc_SRTCP_KDF
+*/
+int wc_SRTP_KDF_kdr_to_idx(word32 kdr);
+

wolfcrypt/benchmark/benchmark.c

@@ -127,6 +127,7 @@
 #ifdef WOLFSSL_SIPHASH
     #include <wolfssl/wolfcrypt/siphash.h>
 #endif
+  #include <wolfssl/wolfcrypt/kdf.h>
 #ifndef NO_PWDBASED
     #include <wolfssl/wolfcrypt/pwdbased.h>
 #endif
@@ -534,6 +535,9 @@
 #define BENCH_PBKDF2             0x00000100
 #define BENCH_SIPHASH            0x00000200
 
+/* KDF algorithms */
+#define BENCH_SRTP_KDF           0x00000001
+
 /* Asymmetric algorithms. */
 #define BENCH_RSA_KEYGEN         0x00000001
 #define BENCH_RSA                0x00000002
@@ -619,6 +623,8 @@ static word32 bench_cipher_algs = 0;
 static word32 bench_digest_algs = 0;
 /* MAC algorithms to benchmark. */
 static word32 bench_mac_algs = 0;
+/* KDF algorithms to benchmark. */
+static word32 bench_kdf_algs = 0;
 /* Asymmetric algorithms to benchmark. */
 static word32 bench_asym_algs = 0;
 /* Post-Quantum Asymmetric algorithms to benchmark. */
@@ -797,9 +803,18 @@ static const bench_alg bench_mac_opt[] = {
     #ifndef NO_PWDBASED
     { "-pbkdf2",             BENCH_PBKDF2            },
     #endif
+#endif
     #ifdef WOLFSSL_SIPHASH
     { "-siphash",            BENCH_SIPHASH           },
     #endif
+    { NULL, 0 }
+};
+
+/* All recognized KDF algorithm choosing command line options. */
+static const bench_alg bench_kdf_opt[] = {
+    { "-kdf",                0xffffffff              },
+#ifdef WC_SRTP_KDF
+    { "-srtp-kdf",           BENCH_SRTP_KDF          },
 #endif
     { NULL, 0 }
 };
@@ -1646,6 +1661,7 @@ static void benchmark_static_init(int force)
         bench_cipher_algs = 0;
         bench_digest_algs = 0;
         bench_mac_algs = 0;
+        bench_kdf_algs = 0;
         bench_asym_algs = 0;
         bench_pq_asym_algs = 0;
         bench_other_algs = 0;
@@ -2785,12 +2801,18 @@ static void* benchmarks_do(void* args)
             bench_pbkdf2();
         }
     #endif
-    #ifdef WOLFSSL_SIPHASH
-        if (bench_all || (bench_mac_algs & BENCH_SIPHASH)) {
-            bench_siphash();
-        }
-    #endif
 #endif /* NO_HMAC */
+#ifdef WOLFSSL_SIPHASH
+    if (bench_all || (bench_mac_algs & BENCH_SIPHASH)) {
+        bench_siphash();
+    }
+#endif
+
+#ifdef WC_SRTP_KDF
+    if (bench_all || (bench_kdf_algs & BENCH_SRTP_KDF)) {
+        bench_srtpkdf();
+    }
+#endif
 
 #ifdef HAVE_SCRYPT
     if (bench_all || (bench_other_algs & BENCH_SCRYPT))
@@ -6721,6 +6743,68 @@ void bench_siphash(void)
 }
 #endif
 
+#ifdef WC_SRTP_KDF
+void bench_srtpkdf(void)
+{
+    double start;
+    int count;
+    int ret = 0;
+    byte keyE[32];
+    byte keyA[20];
+    byte keyS[14];
+    const byte *key = bench_key_buf;
+    const byte salt[14] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+                           0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e };
+    const byte index[6] = { 0x55, 0xAA, 0x55, 0xAA, 0x55, 0xAA };
+    int kdrIdx = 0;
+    int i;
+
+    bench_stats_start(&count, &start);
+    do {
+        for (i = 0; i < numBlocks; i++) {
+            ret = wc_SRTP_KDF(key, AES_128_KEY_SIZE, salt, sizeof(salt),
+                kdrIdx, index, keyE, AES_128_KEY_SIZE, keyA, sizeof(keyA),
+                keyS, sizeof(keyS));
+        }
+        count += i;
+    } while (bench_stats_check(start));
+    bench_stats_asym_finish("KDF", 128, "SRTP", 0, count, start, ret);
+
+    bench_stats_start(&count, &start);
+    do {
+        for (i = 0; i < numBlocks; i++) {
+            ret = wc_SRTP_KDF(key, AES_256_KEY_SIZE, salt, sizeof(salt),
+                kdrIdx, index, keyE, AES_256_KEY_SIZE, keyA, sizeof(keyA),
+                keyS, sizeof(keyS));
+        }
+        count += i;
+    } while (bench_stats_check(start));
+    bench_stats_asym_finish("KDF", 256, "SRTP", 0, count, start, ret);
+
+    bench_stats_start(&count, &start);
+    do {
+        for (i = 0; i < numBlocks; i++) {
+            ret = wc_SRTCP_KDF(key, AES_128_KEY_SIZE, salt, sizeof(salt),
+                kdrIdx, index, keyE, AES_128_KEY_SIZE, keyA, sizeof(keyA),
+                keyS, sizeof(keyS));
+        }
+        count += i;
+    } while (bench_stats_check(start));
+    bench_stats_asym_finish("KDF", 128, "SRTCP", 0, count, start, ret);
+
+    bench_stats_start(&count, &start);
+    do {
+        for (i = 0; i < numBlocks; i++) {
+            ret = wc_SRTCP_KDF(key, AES_256_KEY_SIZE, salt, sizeof(salt),
+                kdrIdx, index, keyE, AES_256_KEY_SIZE, keyA, sizeof(keyA),
+                keyS, sizeof(keyS));
+        }
+        count += i;
+    } while (bench_stats_check(start));
+    bench_stats_asym_finish("KDF", 256, "SRTCP", 0, count, start, ret);
+}
+#endif
+
 #ifndef NO_RSA
 
 #if defined(WOLFSSL_KEY_GEN)
@@ -10661,6 +10745,8 @@ static void Usage(void)
         print_alg(bench_digest_opt[i].str, &line);
     for (i=0; bench_mac_opt[i].str != NULL; i++)
         print_alg(bench_mac_opt[i].str, &line);
+    for (i=0; bench_kdf_opt[i].str != NULL; i++)
+        print_alg(bench_kdf_opt[i].str, &line);
     for (i=0; bench_asym_opt[i].str != NULL; i++)
         print_alg(bench_asym_opt[i].str, &line);
     for (i=0; bench_other_opt[i].str != NULL; i++)
@@ -10895,6 +10981,14 @@ int wolfcrypt_benchmark_main(int argc, char** argv)
                     optMatched = 1;
                 }
             }
+            /* Known KDF algorithms */
+            for (i=0; !optMatched && bench_kdf_opt[i].str != NULL; i++) {
+                if (string_matches(argv[1], bench_kdf_opt[i].str)) {
+                    bench_kdf_algs |= bench_kdf_opt[i].val;
+                    bench_all = 0;
+                    optMatched = 1;
+                }
+            }
             /* Known asymmetric algorithms */
             for (i=0; !optMatched && bench_asym_opt[i].str != NULL; i++) {
                 if (string_matches(argv[1], bench_asym_opt[i].str)) {

wolfcrypt/benchmark/benchmark.h

@@ -95,6 +95,7 @@ void bench_hmac_sha256(int useDeviceID);
 void bench_hmac_sha384(int useDeviceID);
 void bench_hmac_sha512(int useDeviceID);
 void bench_siphash(void);
+void bench_srtpkdf(void);
 void bench_rsaKeyGen(int useDeviceID);
 void bench_rsaKeyGen_size(int useDeviceID, word32 keySz);
 void bench_rsa(int useDeviceID);