Update for primary commit obgm#3 (to be squashed later)

Addresses issue with HKDF and HMAC usage by clearly setting out what is happening as TLS libraries only support HMAC.
mrdeep1 · Dec 13, 2022 · b0b6946 · b0b6946
1 parent af5e596
commit b0b6946
Show file tree

Hide file tree

Showing 16 changed files with 187 additions and 94 deletions.
diff --git a/include/coap3/coap_crypto_internal.h b/include/coap3/coap_crypto_internal.h
@@ -78,11 +78,11 @@ int coap_crypto_check_cipher_alg(cose_alg_t alg);
  * Check whether the defined hkdf algorithm is supported by the underlying
  * crypto library.
  *
- * @param alg The COSE algorithm to check.
+ * @param hkdf_alg The COSE HKDF algorithm to check.
  *
  * @return @c 1 if there is support, else @c 0.
  */
-int coap_crypto_check_hkdf_alg(cose_alg_t alg);
+int coap_crypto_check_hkdf_alg(cose_hkdf_alg_t hkdf_alg);
 
 /**
  * Encrypt the provided plaintext data
@@ -123,7 +123,7 @@ int coap_crypto_aead_decrypt(const coap_crypto_param_t *params,
 /**
  * Create a HMAC hash of the provided data.
  *
- * @param alg The COSE algorithm to use.
+ * @param hmac_alg The COSE HMAC algorithm to use.
  * @param key The key to use for the hash.
  * @param data The data to hash.
  * @param hmac Where to put the created hmac result if successful.
@@ -132,7 +132,7 @@ int coap_crypto_aead_decrypt(const coap_crypto_param_t *params,
  *         It is the responsibility of the caller to release the
  *         created hmac.
  */
-int coap_crypto_hmac(cose_alg_t alg,
+int coap_crypto_hmac(cose_hmac_alg_t hmac_alg,
                      coap_bin_const_t *key,
                      coap_bin_const_t *data,
                      coap_bin_const_t **hmac);

diff --git a/include/coap3/coap_oscore_internal.h b/include/coap3/coap_oscore_internal.h
@@ -45,7 +45,7 @@ struct coap_oscore_conf_t {
                                         Use COAP_OSCORE_DEFAULT_REPLAY_WINDOW */
   uint32_t ssn_freq;               /**< Sender Seq Num update frequency */
   cose_alg_t aead_alg;             /**< Set to one of COSE_Algorithm_AES* */
-  cose_alg_t hkdf_alg;             /**< Set to one of COSE_Algorithm_HMAC* */
+  cose_hkdf_alg_t hkdf_alg;        /**< Set to one of COSE_HKDF_Alg_* */
   uint32_t rfc8613_b_1_2;          /**< 1 if rfc8613 B.1.2 enabled else 0 */
   uint32_t rfc8613_b_2;            /**< 1 if rfc8613 B.2 protocol else 0 */
 

diff --git a/include/oscore/oscore_context.h b/include/oscore/oscore_context.h
@@ -90,7 +90,7 @@ struct oscore_ctx_t {
   oscore_sender_ctx_t *sender_context;
   oscore_recipient_ctx_t *recipient_chain;
   cose_alg_t aead_alg;
-  cose_alg_t hkdf_alg;
+  cose_hkdf_alg_t hkdf_alg;
   oscore_mode_t mode;
   uint8_t rfc8613_b_1_2; /**< 1 if rfc8613 B.1.2 enabled else 0 */
   uint8_t rfc8613_b_2;   /**< 1 if rfc8613 B.2 protocol else 0 */

diff --git a/include/oscore/oscore_cose.h b/include/oscore/oscore_cose.h
@@ -148,12 +148,32 @@ typedef enum {
   COSE_Algorithm_AES_CCM_64_128_256 = 33,
 } cose_alg_t;
 
+/* cose HMAC specific algorithms */
+typedef enum {
+  COSE_HMAC_Alg_HMAC256_64 = 4, /* truncated to 64 bits */
+  COSE_HMAC_Alg_HMAC256_256 = 5,
+  COSE_HMAC_Alg_HMAC384_384 = 6,
+  COSE_HMAC_Alg_HMAC512_512 = 7,
+} cose_hmac_alg_t;
+
+/* cose HKDF specific algorithms */
+typedef enum {
+  COSE_HKDF_Alg_HKDF_SHA_512 = -11,
+  COSE_HKDF_Alg_HKDF_SHA_256 = -10,
+} cose_hkdf_alg_t;
+
 const char* cose_get_curve_name(cose_curve_t id, char* buffer, size_t buflen);
 cose_curve_t cose_get_curve_id(const char *name);
 
 const char* cose_get_alg_name(cose_alg_t id, char* buffer, size_t buflen);
 cose_alg_t cose_get_alg_id(const char *name);
 
+const char* cose_get_hkdf_alg_name(cose_hkdf_alg_t id, char* buffer,
+                                   size_t buflen);
+
+int cose_get_hmac_alg_for_hkdf(cose_hkdf_alg_t hkdf_alg,
+                               cose_hmac_alg_t *hmac_alg);
+
 /* parameter value functions */
 
 /* return tag length belonging to cose algorithm */

diff --git a/include/oscore/oscore_crypto.h b/include/oscore/oscore_crypto.h
@@ -64,17 +64,17 @@
 #define AEAD_PLAINTEXT_MAXLEN COAP_MAX_CHUNK_SIZE
 #define AEAD_TAG_MAXLEN       COAP_MAX_CHUNK_SIZE
 
-int oscore_hmac_shaX(cose_alg_t alg,
+int oscore_hmac_shaX(cose_hmac_alg_t hmac_alg,
                      coap_bin_const_t *key,
                      coap_bin_const_t *data,
                      coap_bin_const_t **hmac);
 
-int oscore_hkdf_extract(cose_alg_t alg,
+int oscore_hkdf_extract(cose_hkdf_alg_t hkdf_alg,
                         coap_bin_const_t *salt,
                         coap_bin_const_t *ikm,
                         coap_bin_const_t **hkdf_extract);
 
-int oscore_hkdf_expand(cose_alg_t alg,
+int oscore_hkdf_expand(cose_hkdf_alg_t hkdf_alg,
                        coap_bin_const_t *prk,
                        uint8_t *info,
                        size_t info_len,
@@ -85,7 +85,7 @@ int oscore_hkdf_expand(cose_alg_t alg,
  * key length are derived fron ed25519 values. No check is done to ensure that
  * buffers are of the correct length. */
 
-int oscore_hkdf(cose_alg_t alg,
+int oscore_hkdf(cose_hkdf_alg_t hkdf_alg,
                 coap_bin_const_t *salt,
                 coap_bin_const_t *ikm,
                 uint8_t *info,

diff --git a/man/coap-oscore-conf.txt.in b/man/coap-oscore-conf.txt.in
@@ -105,13 +105,13 @@ The valid keywords are:
     (*integer* or *text*) (*Optional*) (Default is 10 or "AES-CCM-16-64-128") +
     https://www.rfc-editor.org/rfc/rfc8613#section-3.1[RFC8613 Section 3.1].
     AEAD Algorithm. Only the mandatory and a small subset of the algorithms
-    are supported.
+    are supported depending on the TLS library.
 
 *hkdf_alg* ::
-    (*integer* or *text*) (*Optional*) (Default is 5 or "HMAC 256/256") +
+    (*integer* or *text*) (*Optional*) (Default is -10 or "direct+HKDF-SHA-256") +
     https://www.rfc-editor.org/rfc/rfc8613#section-3.1[RFC8613 Section 3.1].
     HDKF Algorithm. Only the mandatory and a small subset of the algorithms
-    are supported.
+    are supported depending on the TLS library.
 
 *rfc8613_b_1_2* ::
     (*bool*) (*Optional*) (Default is true) +
@@ -163,8 +163,8 @@ replay_window,integer,32
 # AEAD COSE Cipher Algorithm (usually 10)
 aead_alg,integer,10
 
-# HKDF COSE hash Algorithm (usually 5)
-hkdf_alg,integer,5
+# HKDF COSE Algorithm (usually -10)
+hkdf_alg,integer,-10
 
 ----
 
@@ -192,8 +192,8 @@ replay_window,integer,32
 # AEAD COSE Cipher Algorithm (usually 10)
 aead_alg,integer,10
 
-# HKDF COSE hash Algorithm (usually 5)
-hkdf_alg,integer,5
+# HKDF COSE Algorithm (usually -10)
+hkdf_alg,integer,-10
 
 ----
 

diff --git a/man/coap_oscore.txt.in b/man/coap_oscore.txt.in
@@ -222,7 +222,7 @@ static uint8_t oscore_config[] =
   "recipient_id,ascii,\"server\"\n"
   "replay_window,integer,30\n"
   "aead_alg,integer,10\n"
-  "hkdf_alg,integer,5\n"
+  "hkdf_alg,integer,-10\n"
 ;
 static FILE *oscore_seq_num_fp = NULL;
 /* Not a particularily safe place to keep next Sender Sequence NUmber ... */
@@ -310,7 +310,7 @@ static uint8_t oscore_config[] =
   "recipient_id,ascii,\"client\"\n"
   "replay_window,integer,30\n"
   "aead_alg,integer,10\n"
-  "hkdf_alg,integer,5\n"
+  "hkdf_alg,integer,-10\n"
 ;
 static FILE *oscore_seq_num_fp = NULL;
 /* Not a particularily safe place to keep next Sender Sequence NUmber ... */

diff --git a/src/coap_gnutls.c b/src/coap_gnutls.c
@@ -3018,24 +3018,22 @@ get_cipher_alg(cose_alg_t alg) {
  * suite object.
  */
 static struct hmac_algs {
-  cose_alg_t alg;
+  cose_hmac_alg_t hmac_alg;
   gnutls_mac_algorithm_t hmac_type;
 } hmacs[] = {
-    {COSE_Algorithm_HKDF_SHA_256, GNUTLS_MAC_SHA256},
-    {COSE_Algorithm_HKDF_SHA_512, GNUTLS_MAC_SHA512},
-    {COSE_Algorithm_HMAC256_256, GNUTLS_MAC_SHA256},
-    {COSE_Algorithm_HMAC512_512, GNUTLS_MAC_SHA512},
+    {COSE_HMAC_Alg_HMAC256_256, GNUTLS_MAC_SHA256},
+    {COSE_HMAC_Alg_HMAC512_512, GNUTLS_MAC_SHA512},
 };
 
 static gnutls_mac_algorithm_t
-get_hmac_alg(cose_alg_t alg) {
+get_hmac_alg(cose_hmac_alg_t hmac_alg) {
   size_t idx;
 
   for (idx = 0; idx < sizeof(hmacs) / sizeof(struct hmac_algs); idx++) {
-    if (hmacs[idx].alg == alg)
+    if (hmacs[idx].hmac_alg == hmac_alg)
       return hmacs[idx].hmac_type;
   }
-  coap_log(LOG_DEBUG, "get_hmac_alg: COSE hkdf %d not supported\n", alg);
+  coap_log(LOG_DEBUG, "get_hmac_alg: COSE HMAC %d not supported\n", hmac_alg);
   return 0;
 }
 
@@ -3045,8 +3043,12 @@ coap_crypto_check_cipher_alg(cose_alg_t alg) {
 }
 
 int
-coap_crypto_check_hkdf_alg(cose_alg_t alg) {
-  return get_hmac_alg(alg);
+coap_crypto_check_hkdf_alg(cose_hkdf_alg_t hkdf_alg) {
+  cose_hmac_alg_t hmac_alg;
+
+  if (!cose_get_hmac_alg_for_hkdf(hkdf_alg, &hmac_alg))
+    return 0;
+  return get_hmac_alg(hmac_alg);
 }
 
 int
@@ -3179,7 +3181,7 @@ coap_crypto_aead_decrypt(const coap_crypto_param_t *params,
 }
 
 int
-coap_crypto_hmac(cose_alg_t alg,
+coap_crypto_hmac(cose_hmac_alg_t hmac_alg,
                  coap_bin_const_t *key,
                  coap_bin_const_t *data,
                  coap_bin_const_t **hmac) {
@@ -3192,8 +3194,8 @@ coap_crypto_hmac(cose_alg_t alg,
   if (data == NULL)
     return 0;
 
-  if ((mac_algo = get_hmac_alg(alg)) == 0) {
-    coap_log(LOG_DEBUG, "coap_crypto_hmac: algorithm %d not supported\n", alg);
+  if ((mac_algo = get_hmac_alg(hmac_alg)) == 0) {
+    coap_log(LOG_DEBUG, "coap_crypto_hmac: algorithm %d not supported\n", hmac_alg);
     return 0;
   }
   len = gnutls_hmac_get_len(mac_algo);

diff --git a/src/coap_mbedtls.c b/src/coap_mbedtls.c
@@ -2644,25 +2644,23 @@ get_cipher_alg(cose_alg_t alg) {
  * suite object.
  */
 static struct hmac_algs {
-  cose_alg_t alg;
+  cose_hmac_alg_t hmac_alg;
   mbedtls_md_type_t hmac_type;
 } hmacs[] = {
-    {COSE_Algorithm_HKDF_SHA_256, MBEDTLS_MD_SHA256},
-    {COSE_Algorithm_HKDF_SHA_512, MBEDTLS_MD_SHA512},
-    {COSE_Algorithm_HMAC256_256, MBEDTLS_MD_SHA256},
-    {COSE_Algorithm_HMAC384_384, MBEDTLS_MD_SHA384},
-    {COSE_Algorithm_HMAC512_512, MBEDTLS_MD_SHA512},
+    {COSE_HMAC_Alg_HMAC256_256, MBEDTLS_MD_SHA256},
+    {COSE_HMAC_Alg_HMAC384_384, MBEDTLS_MD_SHA384},
+    {COSE_HMAC_Alg_HMAC512_512, MBEDTLS_MD_SHA512},
 };
 
 static mbedtls_md_type_t
-get_hmac_alg(cose_alg_t alg) {
+get_hmac_alg(cose_hmac_alg_t hmac_alg) {
   size_t idx;
 
   for (idx = 0; idx < sizeof(hmacs) / sizeof(struct hmac_algs); idx++) {
-    if (hmacs[idx].alg == alg)
+    if (hmacs[idx].hmac_alg == hmac_alg)
       return hmacs[idx].hmac_type;
   }
-  coap_log(LOG_DEBUG, "get_hmac_alg: COSE hmac %d not supported\n", alg);
+  coap_log(LOG_DEBUG, "get_hmac_alg: COSE HMAC %d not supported\n", hmac_alg);
   return 0;
 }
 
@@ -2672,8 +2670,12 @@ coap_crypto_check_cipher_alg(cose_alg_t alg) {
 }
 
 int
-coap_crypto_check_hkdf_alg(cose_alg_t alg) {
-  return get_hmac_alg(alg) != 0;
+coap_crypto_check_hkdf_alg(cose_hkdf_alg_t hkdf_alg) {
+  cose_hmac_alg_t hmac_alg;
+
+  if (!cose_get_hmac_alg_for_hkdf(hkdf_alg, &hmac_alg))
+    return 0;
+  return get_hmac_alg(hmac_alg) != 0;
 }
 
 #ifdef MBEDTLS_ERROR_C
@@ -2876,7 +2878,7 @@ coap_crypto_aead_decrypt(const coap_crypto_param_t *params,
 }
 
 int
-coap_crypto_hmac(cose_alg_t alg,
+coap_crypto_hmac(cose_hmac_alg_t hmac_alg,
                  coap_bin_const_t *key,
                  coap_bin_const_t *data,
                  coap_bin_const_t **hmac) {
@@ -2892,8 +2894,8 @@ coap_crypto_hmac(cose_alg_t alg,
   assert(data);
   assert(hmac);
 
-  if ((mac_algo = get_hmac_alg(alg)) == 0) {
-    coap_log(LOG_DEBUG, "coap_crypto_hmac: algorithm %d not supported\n", alg);
+  if ((mac_algo = get_hmac_alg(hmac_alg)) == 0) {
+    coap_log(LOG_DEBUG, "coap_crypto_hmac: algorithm %d not supported\n", hmac_alg);
     return 0;
   }
   md_info = mbedtls_md_info_from_type(mac_algo);

diff --git a/src/coap_notls.c b/src/coap_notls.c
@@ -336,21 +336,21 @@ get_cipher_alg(cose_alg_t alg) {
  * suite object.
  */
 static struct hmac_algs {
-  cose_alg_t alg;
+  cose_hmac_alg_t hmac_alg;
   u_int hmac_type;
 } hmacs[] = {
-    {COSE_Algorithm_HMAC256_256, 1},
+    {COSE_HMAC_Alg_HMAC256_256, 1},
 };
 
 static u_int
-get_hmac_alg(cose_alg_t alg) {
+get_hmac_alg(cose_hmac_alg_t hmac_alg) {
   size_t idx;
 
   for (idx = 0; idx < sizeof(hmacs) / sizeof(struct hmac_algs); idx++) {
-    if (hmacs[idx].alg == alg)
+    if (hmacs[idx].hmac_alg == hmac_alg)
       return hmacs[idx].hmac_type;
   }
-  coap_log(LOG_DEBUG, "get_hmac_alg: COSE hkdf %d not supported\n", alg);
+  coap_log(LOG_DEBUG, "get_hmac_alg: COSE HMAC %d not supported\n", hmac_alg);
   return 0;
 }
 
@@ -361,9 +361,13 @@ coap_crypto_check_cipher_alg(cose_alg_t alg) {
 }
 
 int
-coap_crypto_check_hkdf_alg(cose_alg_t alg) {
+coap_crypto_check_hkdf_alg(cose_hkdf_alg_t hkdf_alg) {
+  cose_hmac_alg_t hmac_alg;
+
+  if (!cose_get_hmac_alg_for_hkdf(hkdf_alg, &hmac_alg))
+    return 0;
   return 0;
-  return get_hmac_alg(alg);
+  return get_hmac_alg(hmac_alg);
 }
 
 int
@@ -395,11 +399,11 @@ coap_crypto_aead_decrypt(const coap_crypto_param_t *params,
 }
 
 int
-coap_crypto_hmac(cose_alg_t alg,
+coap_crypto_hmac(cose_hmac_alg_t hmac_alg,
                  coap_bin_const_t *key,
                  coap_bin_const_t *data,
                  coap_bin_const_t **hmac) {
-  (void)alg;
+  (void)hmac_alg;
   (void)key;
   (void)data;
   (void)hmac;