|
1
|
|
|
<?php |
|
2
|
|
|
/** |
|
3
|
|
|
* Extract-and-Expand Key Derivation Function (HKDF). A cryptographicly |
|
4
|
|
|
* secure key expansion function based on RFC 5869. |
|
5
|
|
|
* |
|
6
|
|
|
* This relies on the secrecy of $wgSecretKey (by default), or $wgHKDFSecret. |
|
7
|
|
|
* By default, sha256 is used as the underlying hashing algorithm, but any other |
|
8
|
|
|
* algorithm can be used. Finding the secret key from the output would require |
|
9
|
|
|
* an attacker to discover the input key (the PRK) to the hmac that generated |
|
10
|
|
|
* the output, and discover the particular data, hmac'ed with an evolving key |
|
11
|
|
|
* (salt), to produce the PRK. Even with md5, no publicly known attacks make |
|
12
|
|
|
* this currently feasible. |
|
13
|
|
|
* |
|
14
|
|
|
* This program is free software; you can redistribute it and/or modify |
|
15
|
|
|
* it under the terms of the GNU General Public License as published by |
|
16
|
|
|
* the Free Software Foundation; either version 2 of the License, or |
|
17
|
|
|
* (at your option) any later version. |
|
18
|
|
|
* |
|
19
|
|
|
* This program is distributed in the hope that it will be useful, |
|
20
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of |
|
21
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
|
22
|
|
|
* GNU General Public License for more details. |
|
23
|
|
|
* |
|
24
|
|
|
* You should have received a copy of the GNU General Public License along |
|
25
|
|
|
* with this program; if not, write to the Free Software Foundation, Inc., |
|
26
|
|
|
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. |
|
27
|
|
|
* http://www.gnu.org/copyleft/gpl.html |
|
28
|
|
|
* |
|
29
|
|
|
* @author Chris Steipp |
|
30
|
|
|
* @file |
|
31
|
|
|
*/ |
|
32
|
|
|
|
|
33
|
|
|
class CryptHKDF { |
|
34
|
|
|
|
|
35
|
|
|
/** |
|
36
|
|
|
* @var BagOStuff The persistent cache |
|
37
|
|
|
*/ |
|
38
|
|
|
protected $cache = null; |
|
39
|
|
|
|
|
40
|
|
|
/** |
|
41
|
|
|
* @var string Cache key we'll use for our salt |
|
42
|
|
|
*/ |
|
43
|
|
|
protected $cacheKey = null; |
|
44
|
|
|
|
|
45
|
|
|
/** |
|
46
|
|
|
* @var string The hash algorithm being used |
|
47
|
|
|
*/ |
|
48
|
|
|
protected $algorithm = null; |
|
49
|
|
|
|
|
50
|
|
|
/** |
|
51
|
|
|
* @var string binary string, the salt for the HKDF |
|
52
|
|
|
* @see getSaltUsingCache |
|
53
|
|
|
*/ |
|
54
|
|
|
protected $salt = ''; |
|
55
|
|
|
|
|
56
|
|
|
/** |
|
57
|
|
|
* @var string The pseudorandom key |
|
58
|
|
|
*/ |
|
59
|
|
|
private $prk = ''; |
|
60
|
|
|
|
|
61
|
|
|
/** |
|
62
|
|
|
* The secret key material. This must be kept secret to preserve |
|
63
|
|
|
* the security properties of this RNG. |
|
64
|
|
|
* |
|
65
|
|
|
* @var string |
|
66
|
|
|
*/ |
|
67
|
|
|
private $skm; |
|
68
|
|
|
|
|
69
|
|
|
/** |
|
70
|
|
|
* @var string The last block (K(i)) of the most recent expanded key |
|
71
|
|
|
*/ |
|
72
|
|
|
protected $lastK; |
|
73
|
|
|
|
|
74
|
|
|
/** |
|
75
|
|
|
* a "context information" string CTXinfo (which may be null) |
|
76
|
|
|
* See http://eprint.iacr.org/2010/264.pdf Section 4.1 |
|
77
|
|
|
* |
|
78
|
|
|
* @var array |
|
79
|
|
|
*/ |
|
80
|
|
|
protected $context = []; |
|
81
|
|
|
|
|
82
|
|
|
/** |
|
83
|
|
|
* Round count is computed based on the hash'es output length, |
|
84
|
|
|
* which neither php nor openssl seem to provide easily. |
|
85
|
|
|
* |
|
86
|
|
|
* @var int[] |
|
87
|
|
|
*/ |
|
88
|
|
|
public static $hashLength = [ |
|
89
|
|
|
'md5' => 16, |
|
90
|
|
|
'sha1' => 20, |
|
91
|
|
|
'sha224' => 28, |
|
92
|
|
|
'sha256' => 32, |
|
93
|
|
|
'sha384' => 48, |
|
94
|
|
|
'sha512' => 64, |
|
95
|
|
|
'ripemd128' => 16, |
|
96
|
|
|
'ripemd160' => 20, |
|
97
|
|
|
'ripemd256' => 32, |
|
98
|
|
|
'ripemd320' => 40, |
|
99
|
|
|
'whirlpool' => 64, |
|
100
|
|
|
]; |
|
101
|
|
|
|
|
102
|
|
|
/** |
|
103
|
|
|
* @var CryptRand |
|
104
|
|
|
*/ |
|
105
|
|
|
private $cryptRand; |
|
106
|
|
|
|
|
107
|
|
|
/** |
|
108
|
|
|
* @param string $secretKeyMaterial |
|
109
|
|
|
* @param string $algorithm Name of hashing algorithm |
|
110
|
|
|
* @param BagOStuff $cache |
|
111
|
|
|
* @param string|array $context Context to mix into HKDF context |
|
112
|
|
|
* @param CryptRand $cryptRand |
|
113
|
|
|
* @throws InvalidArgumentException if secret key material is too short |
|
114
|
|
|
*/ |
|
115
|
|
|
public function __construct( $secretKeyMaterial, $algorithm, BagOStuff $cache, $context, |
|
116
|
|
|
CryptRand $cryptRand |
|
117
|
|
|
) { |
|
118
|
|
|
if ( strlen( $secretKeyMaterial ) < 16 ) { |
|
119
|
|
|
throw new InvalidArgumentException( "secret was too short." ); |
|
120
|
|
|
} |
|
121
|
|
|
$this->skm = $secretKeyMaterial; |
|
122
|
|
|
$this->algorithm = $algorithm; |
|
123
|
|
|
$this->cache = $cache; |
|
124
|
|
|
$this->context = is_array( $context ) ? $context : [ $context ]; |
|
125
|
|
|
$this->cryptRand = $cryptRand; |
|
126
|
|
|
|
|
127
|
|
|
// To prevent every call from hitting the same memcache server, pick |
|
128
|
|
|
// from a set of keys to use. mt_rand is only use to pick a random |
|
129
|
|
|
// server, and does not affect the security of the process. |
|
130
|
|
|
$this->cacheKey = $cache->makeKey( 'HKDF', mt_rand( 0, 16 ) ); |
|
131
|
|
|
} |
|
132
|
|
|
|
|
133
|
|
|
/** |
|
134
|
|
|
* Save the last block generated, so the next user will compute a different PRK |
|
135
|
|
|
* from the same SKM. This should keep things unpredictable even if an attacker |
|
136
|
|
|
* is able to influence CTXinfo. |
|
137
|
|
|
*/ |
|
138
|
|
|
function __destruct() { |
|
139
|
|
|
if ( $this->lastK ) { |
|
140
|
|
|
$this->cache->set( $this->cacheKey, $this->lastK ); |
|
141
|
|
|
} |
|
142
|
|
|
} |
|
143
|
|
|
|
|
144
|
|
|
/** |
|
145
|
|
|
* MW specific salt, cached from last run |
|
146
|
|
|
* @return string Binary string |
|
147
|
|
|
*/ |
|
148
|
|
|
protected function getSaltUsingCache() { |
|
149
|
|
|
if ( $this->salt == '' ) { |
|
150
|
|
|
$lastSalt = $this->cache->get( $this->cacheKey ); |
|
151
|
|
|
if ( $lastSalt === false ) { |
|
152
|
|
|
// If we don't have a previous value to use as our salt, we use |
|
153
|
|
|
// 16 bytes from CryptRand, which will use a small amount of |
|
154
|
|
|
// entropy from our pool. Note, "XTR may be deterministic or keyed |
|
155
|
|
|
// via an optional “salt value” (i.e., a non-secret random |
|
156
|
|
|
// value)..." - http://eprint.iacr.org/2010/264.pdf. However, we |
|
157
|
|
|
// use a strongly random value since we can. |
|
158
|
|
|
$lastSalt = $this->cryptRand->generate( 16 ); |
|
159
|
|
|
} |
|
160
|
|
|
// Get a binary string that is hashLen long |
|
161
|
|
|
$this->salt = hash( $this->algorithm, $lastSalt, true ); |
|
162
|
|
|
} |
|
163
|
|
|
return $this->salt; |
|
164
|
|
|
} |
|
165
|
|
|
|
|
166
|
|
|
/** |
|
167
|
|
|
* Produce $bytes of secure random data. As a side-effect, |
|
168
|
|
|
* $this->lastK is set to the last hashLen block of key material. |
|
169
|
|
|
* |
|
170
|
|
|
* @param int $bytes Number of bytes of data |
|
171
|
|
|
* @param string $context Context to mix into CTXinfo |
|
172
|
|
|
* @return string Binary string of length $bytes |
|
173
|
|
|
*/ |
|
174
|
|
|
public function generate( $bytes, $context = '' ) { |
|
175
|
|
|
if ( $this->prk === '' ) { |
|
176
|
|
|
$salt = $this->getSaltUsingCache(); |
|
177
|
|
|
$this->prk = self::HKDFExtract( |
|
178
|
|
|
$this->algorithm, |
|
179
|
|
|
$salt, |
|
180
|
|
|
$this->skm |
|
181
|
|
|
); |
|
182
|
|
|
} |
|
183
|
|
|
|
|
184
|
|
|
$CTXinfo = implode( ':', array_merge( $this->context, [ $context ] ) ); |
|
185
|
|
|
|
|
186
|
|
|
return self::HKDFExpand( |
|
187
|
|
|
$this->algorithm, |
|
188
|
|
|
$this->prk, |
|
189
|
|
|
$CTXinfo, |
|
190
|
|
|
$bytes, |
|
191
|
|
|
$this->lastK |
|
192
|
|
|
); |
|
193
|
|
|
} |
|
194
|
|
|
|
|
195
|
|
|
/** |
|
196
|
|
|
* RFC5869 defines HKDF in 2 steps, extraction and expansion. |
|
197
|
|
|
* From http://eprint.iacr.org/2010/264.pdf: |
|
198
|
|
|
* |
|
199
|
|
|
* The scheme HKDF is specifed as: |
|
200
|
|
|
* HKDF(XTS, SKM, CTXinfo, L) = K(1) || K(2) || ... || K(t) |
|
201
|
|
|
* where the values K(i) are defined as follows: |
|
202
|
|
|
* PRK = HMAC(XTS, SKM) |
|
203
|
|
|
* K(1) = HMAC(PRK, CTXinfo || 0); |
|
204
|
|
|
* K(i+1) = HMAC(PRK, K(i) || CTXinfo || i), 1 <= i < t; |
|
205
|
|
|
* where t = [L/k] and the value K(t) is truncated to its first d = L mod k bits; |
|
206
|
|
|
* the counter i is non-wrapping and of a given fixed size, e.g., a single byte. |
|
207
|
|
|
* Note that the length of the HMAC output is the same as its key length and therefore |
|
208
|
|
|
* the scheme is well defined. |
|
209
|
|
|
* |
|
210
|
|
|
* XTS is the "extractor salt" |
|
211
|
|
|
* SKM is the "secret keying material" |
|
212
|
|
|
* |
|
213
|
|
|
* N.B. http://eprint.iacr.org/2010/264.pdf seems to differ from RFC 5869 in that the test |
|
214
|
|
|
* vectors from RFC 5869 only work if K(0) = '' and K(1) = HMAC(PRK, K(0) || CTXinfo || 1) |
|
215
|
|
|
* |
|
216
|
|
|
* @param string $hash The hashing function to use (e.g., sha256) |
|
217
|
|
|
* @param string $ikm The input keying material |
|
218
|
|
|
* @param string $salt The salt to add to the ikm, to get the prk |
|
219
|
|
|
* @param string $info Optional context (change the output without affecting |
|
220
|
|
|
* the randomness properties of the output) |
|
221
|
|
|
* @param int $L Number of bytes to return |
|
222
|
|
|
* @return string Cryptographically secure pseudorandom binary string |
|
223
|
|
|
*/ |
|
224
|
|
|
public static function HKDF( $hash, $ikm, $salt, $info, $L ) { |
|
225
|
|
|
$prk = self::HKDFExtract( $hash, $salt, $ikm ); |
|
226
|
|
|
$okm = self::HKDFExpand( $hash, $prk, $info, $L ); |
|
227
|
|
|
return $okm; |
|
228
|
|
|
} |
|
229
|
|
|
|
|
230
|
|
|
/** |
|
231
|
|
|
* Extract the PRK, PRK = HMAC(XTS, SKM) |
|
232
|
|
|
* Note that the hmac is keyed with XTS (the salt), |
|
233
|
|
|
* and the SKM (source key material) is the "data". |
|
234
|
|
|
* |
|
235
|
|
|
* @param string $hash The hashing function to use (e.g., sha256) |
|
236
|
|
|
* @param string $salt The salt to add to the ikm, to get the prk |
|
237
|
|
|
* @param string $ikm The input keying material |
|
238
|
|
|
* @return string Binary string (pseudorandm key) used as input to HKDFExpand |
|
239
|
|
|
*/ |
|
240
|
|
|
private static function HKDFExtract( $hash, $salt, $ikm ) { |
|
241
|
|
|
return hash_hmac( $hash, $ikm, $salt, true ); |
|
242
|
|
|
} |
|
243
|
|
|
|
|
244
|
|
|
/** |
|
245
|
|
|
* Expand the key with the given context |
|
246
|
|
|
* |
|
247
|
|
|
* @param string $hash Hashing Algorithm |
|
248
|
|
|
* @param string $prk A pseudorandom key of at least HashLen octets |
|
249
|
|
|
* (usually, the output from the extract step) |
|
250
|
|
|
* @param string $info Optional context and application specific information |
|
251
|
|
|
* (can be a zero-length string) |
|
252
|
|
|
* @param int $bytes Length of output keying material in bytes |
|
253
|
|
|
* (<= 255*HashLen) |
|
254
|
|
|
* @param string &$lastK Set by this function to the last block of the expansion. |
|
255
|
|
|
* In MediaWiki, this is used to seed future Extractions. |
|
256
|
|
|
* @return string Cryptographically secure random string $bytes long |
|
257
|
|
|
* @throws InvalidArgumentException |
|
258
|
|
|
*/ |
|
259
|
|
|
private static function HKDFExpand( $hash, $prk, $info, $bytes, &$lastK = '' ) { |
|
260
|
|
|
$hashLen = self::$hashLength[$hash]; |
|
261
|
|
|
$rounds = ceil( $bytes / $hashLen ); |
|
262
|
|
|
$output = ''; |
|
263
|
|
|
|
|
264
|
|
|
if ( $bytes > 255 * $hashLen ) { |
|
265
|
|
|
throw new InvalidArgumentException( 'Too many bytes requested from HDKFExpand' ); |
|
266
|
|
|
} |
|
267
|
|
|
|
|
268
|
|
|
// K(1) = HMAC(PRK, CTXinfo || 1); |
|
269
|
|
|
// K(i) = HMAC(PRK, K(i-1) || CTXinfo || i); 1 < i <= t; |
|
270
|
|
|
for ( $counter = 1; $counter <= $rounds; ++$counter ) { |
|
271
|
|
|
$lastK = hash_hmac( |
|
272
|
|
|
$hash, |
|
273
|
|
|
$lastK . $info . chr( $counter ), |
|
274
|
|
|
$prk, |
|
275
|
|
|
true |
|
276
|
|
|
); |
|
277
|
|
|
$output .= $lastK; |
|
278
|
|
|
} |
|
279
|
|
|
|
|
280
|
|
|
return substr( $output, 0, $bytes ); |
|
281
|
|
|
} |
|
282
|
|
|
} |
|
283
|
|
|
|
wikimedia /
mediawiki
