Create individual crypto callbacks for hkdf extract and hkdf expand#10598
Create individual crypto callbacks for hkdf extract and hkdf expand#10598twcook86 wants to merge 1 commit into
Conversation
There was a problem hiding this comment.
Pull request overview
This PR refines the crypto-callback (WOLF_CRYPTO_CB) KDF interface by splitting HKDF into distinct callback operations for HKDF-Extract and HKDF-Expand, and updates library internals and tests accordingly.
Changes:
- Introduces new KDF callback types and
wc_CryptoInfopayloads for HKDF extract/expand. - Adds new internal crypto-callback dispatch helpers (
wc_CryptoCb_Hkdf_Extract/wc_CryptoCb_Hkdf_Expand) and wires them into HKDF code paths. - Expands HKDF tests to exercise extract+expand flows in addition to one-shot HKDF.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| wolfssl/wolfcrypt/types.h | Adds new wc_KdfType values for HKDF extract/expand. |
| wolfssl/wolfcrypt/cryptocb.h | Extends wc_CryptoInfo KDF union with HKDF extract/expand structs and declares new callback helpers. |
| wolfcrypt/src/hmac.c | Routes HKDF Extract/Expand through crypto callbacks when available. |
| wolfcrypt/src/cryptocb.c | Implements new crypto-callback helper functions and updates debug strings for KDF type. |
| wolfcrypt/test/test.c | Adds HKDF extract/expand test coverage and updates test crypto-device callback handling. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| WC_KDF_TYPE_NONE = 0, | ||
| WC_KDF_TYPE_HKDF = 1, | ||
| WC_KDF_TYPE_TWOSTEP_CMAC = 2 /* NIST SP 800-56C two-step cmac kdf. */ | ||
| /* Future: WC_KDF_TYPE_PBKDF2 = 3, WC_KDF_TYPE_SCRYPT = 4, etc. */ | ||
| WC_KDF_TYPE_HKDF_EXTRACT = 2, | ||
| WC_KDF_TYPE_HKDF_EXPAND = 3, | ||
| WC_KDF_TYPE_TWOSTEP_CMAC = 4 /* NIST SP 800-56C two-step cmac kdf. */ | ||
| /* Future: WC_KDF_TYPE_PBKDF2 = 5, WC_KDF_TYPE_SCRYPT = 6, etc. */ |
| #ifdef WOLF_CRYPTO_CB | ||
| /* Try crypto callback first for complete operation */ | ||
| if (devId != INVALID_DEVID) { | ||
| ret = wc_CryptoCb_Hkdf_Expand(type, inKey, inKeySz, info, infoSz, | ||
| out, outSz, devId); |
bigbrett
left a comment
bigbrett
left a comment
There was a problem hiding this comment.
Would prefer you append-only to public structs, but its fine as is since it is only used by CryptoCbs and those aren't ABI restricted
| WC_KDF_TYPE_HKDF_EXTRACT = 2, | ||
| WC_KDF_TYPE_HKDF_EXPAND = 3, |
There was a problem hiding this comment.
In general, I would try to not modify existing public enum values once they are declared, just in case they are used by customers.
In this case I think it is fine as I believe it is ONLY used internally. But something to keep in mind going forward
wolfSSL-Fenrir-bot
left a comment
wolfSSL-Fenrir-bot
left a comment
There was a problem hiding this comment.
Fenrir Automated Review — PR #10598
Scan targets checked: wolfcrypt-bugs, wolfcrypt-port-bugs, wolfcrypt-rs-bugs, wolfcrypt-src, wolfssl-bugs, wolfssl-src
Findings: 3
3 finding(s) posted as inline comments (see file-level comments below)
This review was generated automatically by Fenrir. Findings are non-blocking.
| /* Future: WC_KDF_TYPE_PBKDF2 = 3, WC_KDF_TYPE_SCRYPT = 4, etc. */ | ||
| WC_KDF_TYPE_HKDF_EXTRACT = 2, | ||
| WC_KDF_TYPE_HKDF_EXPAND = 3, | ||
| WC_KDF_TYPE_TWOSTEP_CMAC = 4 /* NIST SP 800-56C two-step cmac kdf. */ |
There was a problem hiding this comment.
🟠 [Medium] Existing KDF enum value is renumbered · API contract violations
WC_KDF_TYPE_TWOSTEP_CMAC changes from value 2 to 4, so existing crypto callback implementations that dispatch on the public enum value stop recognizing two-step CMAC KDF requests.
Fix: Keep WC_KDF_TYPE_TWOSTEP_CMAC at 2 and assign the new HKDF split values after existing enum constants.
| #ifdef WOLF_CRYPTO_CB | ||
| /* Try crypto callback first for complete operation */ | ||
| if (devId != INVALID_DEVID) { | ||
| ret = wc_CryptoCb_Hkdf_Expand(type, inKey, inKeySz, info, infoSz, |
There was a problem hiding this comment.
🟠 [Medium] HKDF expand callback bypasses argument validation · Incorrect error handling
wc_HKDF_Expand_ex() dispatches to the new expand callback before the existing out == NULL and 255-block length checks, so invalid calls can bypass BAD_FUNC_ARG or reach a callback with invalid buffers.
Fix: Move the callback dispatch after wc_HmacSizeByType() and the out/length validation.
| /* Future: WC_KDF_TYPE_PBKDF2 = 3, WC_KDF_TYPE_SCRYPT = 4, etc. */ | ||
| WC_KDF_TYPE_HKDF_EXTRACT = 2, | ||
| WC_KDF_TYPE_HKDF_EXPAND = 3, | ||
| WC_KDF_TYPE_TWOSTEP_CMAC = 4 /* NIST SP 800-56C two-step cmac kdf. */ |
There was a problem hiding this comment.
🔵 [Low] Public CMAC KDF callback type value changed · API contract violations
WC_KDF_TYPE_TWOSTEP_CMAC changed from value 2 to 4, so existing crypto callbacks built against the public KDF enum no longer recognize CMAC KDF requests sent by wc_CryptoCb_Kdf_TwostepCmac.
Fix: Keep WC_KDF_TYPE_TWOSTEP_CMAC = 2 and assign the new HKDF split values after it.
billphipps
left a comment
billphipps
left a comment
There was a problem hiding this comment.
Please move the check for cryptocb into the hdkf functions, not in the side that is using it. Check on unit testing the interface as well. Looks like a great start!
| #ifdef WOLF_CRYPTO_CB | ||
| /* Try crypto callback first */ | ||
| if (devId != INVALID_DEVID) { | ||
| ret = wc_CryptoCb_Hkdf_Extract(type, salt, saltSz, inKey, inKeySz, | ||
| out, devId); | ||
| if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) | ||
| return ret; | ||
| } | ||
| #endif | ||
|
|
There was a problem hiding this comment.
This should be moved to the wc_Hkdf_Extract public function so ANY potential invocation will trigger this check/offload. This means that if someone invokes the one-shot, it will try to offload the one-shot. If the one-shot is not offloaded, then the each of the extract/expand will be subsequently attempted to be offloaded since the SW version of the one-shot invokes the Expand/Extract directly. This allows a customer to invoke the one-shot separately since it may optimize better.
| int wc_CryptoCb_Hkdf_Extract(int hashType, const byte* salt, word32 saltSz, | ||
| const byte* inKey, word32 inKeySz, byte* out, int devId) |
There was a problem hiding this comment.
Are all of these parameters necessary? Please confirm. Fill in NULL/0 as necessary in the shared cryptoInfo structure below.
| int wc_CryptoCb_Hkdf_Expand(int hashType, const byte* inKey, word32 inKeySz, | ||
| const byte* info, word32 infoSz, byte* out, word32 outSz, | ||
| int devId) |
There was a problem hiding this comment.
Samme comment about if all of these are necessary
There was a problem hiding this comment.
Consider looking at the test/swdev series of tests to support testing of the cryptocb plumbing.
Description
Fixes zd#21919
Testing
built-in test.c expanded
Checklist