Merge pull request #243 from geonnave/fix-hkdf-expand-psa-backend-242

Fixing hkdf_expand in crypto/psa
openwsn-berkeley · Mar 13, 2024 · 6555d88 · 6555d88
2 parents 95677a2 + 7b0d6cc
commit 6555d88
Show file tree

Hide file tree

Showing 3 changed files with 47 additions and 3 deletions.
diff --git a/crypto/Cargo.toml b/crypto/Cargo.toml
@@ -27,6 +27,10 @@ lakers-crypto-cryptocell310 = { workspace = true, optional = true }
 lakers-crypto-rustcrypto = { workspace = true, optional = true }
 rand_core = { version = "0.6.4", optional = true, default-features = false }
 
+[dev-dependencies]
+hexlit = "0.5.3"
+rstest = "0.11.0"
+
 [features]
 default = [  ]
 # hacspec = [ "lakers-crypto-hacspec" ]

diff --git a/crypto/lakers-crypto-psa/src/lib.rs b/crypto/lakers-crypto-psa/src/lib.rs
@@ -60,13 +60,13 @@ impl CryptoTrait for Crypto {
         let mut t_i = self.hmac_sha256(&message[..info_len + 1], prk);
         output[..SHA256_DIGEST_LEN].copy_from_slice(&t_i);
 
-        for i in 2..n {
+        for i in 2..=n {
             message[..SHA256_DIGEST_LEN].copy_from_slice(&t_i);
             message[SHA256_DIGEST_LEN..SHA256_DIGEST_LEN + info_len]
                 .copy_from_slice(&info[..info_len]);
             message[SHA256_DIGEST_LEN + info_len] = i as u8;
             t_i = self.hmac_sha256(&message[..SHA256_DIGEST_LEN + info_len + 1], prk);
-            output[i * SHA256_DIGEST_LEN..(i + 1) * SHA256_DIGEST_LEN].copy_from_slice(&t_i);
+            output[(i - 1) * SHA256_DIGEST_LEN..i * SHA256_DIGEST_LEN].copy_from_slice(&t_i);
         }
 
         output[length..].fill(0x00);

diff --git a/crypto/src/lib.rs b/crypto/src/lib.rs
@@ -4,7 +4,7 @@
 //! avoids the need for all lakers types to be generic over a back-end, which would then be
 //! provided by the user at initialization time. On the long run, its type may turn into a
 //! default associated type.
-#![no_std]
+#![cfg_attr(not(test), no_std)]
 
 /// Convenience re-export
 pub use lakers_shared::Crypto as CryptoTrait;
@@ -55,3 +55,43 @@ fn test_helper<T: CryptoTrait>() {}
 fn test_implements_crypto() {
     test_helper::<Crypto>()
 }
+
+#[cfg(test)]
+mod tests {
+    use hexlit::hex;
+    use lakers_shared::*;
+    use rstest::rstest;
+
+    use super::*;
+
+    // Test vectors from RFC 5869, covering Test Cases 1 and 2
+    #[rstest]
+    #[case(
+        &hex!("077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"),
+        &hex!("f0f1f2f3f4f5f6f7f8f9"),
+        42,
+        &hex!("3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865")
+    )]
+    #[case(
+        &hex!("06a6b88c5853361a06104c9ceb35b45cef760014904671014a193f40c15fc244"),
+        &hex!("b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff"),
+        82,
+        &hex!("b11e398dc80327a1c8e7f78c596a49344f012eda2d4efad8a050cc4c19afa97c59045a99cac7827271cb41c65e590e09da3275600c2f09b8367793a9aca3db71cc30c58179ec3e87c14c01d5c1f3434f1d87")
+    )]
+    fn test_hkdf_expand(
+        #[case] prk_slice: &[u8],
+        #[case] info_slice: &[u8],
+        #[case] output_length: usize,
+        #[case] expected_okm_slice: &[u8],
+    ) {
+        let mut crypto = default_crypto();
+
+        let mut prk = [0; SHA256_DIGEST_LEN];
+        prk[..prk_slice.len()].copy_from_slice(prk_slice);
+        let mut info = [0; MAX_INFO_LEN];
+        info[..info_slice.len()].copy_from_slice(info_slice);
+
+        let okm = crypto.hkdf_expand(&prk, &info, info_slice.len(), output_length);
+        assert_eq!(okm[..output_length], expected_okm_slice[..]);
+    }
+}