Different result than with WolfSSL about hkdf HOT 5 CLOSED

Hi Cmoin!

The HKDF spec isn't too sophisticated and this implementation is tested against the official test vectors - I guess WolfSSL is as well (of course that is no gurantees against bugs :))

So the first thing I would check, if the 2 HKDFs impls are feed the same way. The call

wc_HKDF(HashDefinitions_HashType__HASH_TYPE_SHA512, sharedSecret, sizeof(sharedSecret), salt, sizeof(salt), NULL, 0, derivedKey1, 32);

differs from the functions proposed in the spec https://tools.ietf.org/html/rfc5869 so I can only speculate here (but looks fine as far as I understand)

Some ideas:

• You use a 32 byte long salt and SHA-512; internally this salt is used as a key in HMAC which pads it to the block size of the hash, which is 128 byte. "// Keys shorter than blockSize are padded to blockSize by padding with zeros on the right" -> https://en.wikipedia.org/wiki/HMAC - this impl. uses the JCA, which should in theory correctly pad it to 128 bytes - you could try to omit the salt (the java expects null) - there is a defined behavior for this or pass a (exactly) 128 byte salt
• Maybe the null info-parameter is handled differently, try passing the same non-null value in both impls
• Maybe endianness is handled differently, try reverting the salt & shared secret byte arrays in the C impl (Java is always big-endian btw)
• Would be very strange, but make sure HashDefinitions_HashType__HASH_TYPE_SHA512 means "HMAC with SHA512"
• Typo? Are salt & secret really the same?
• Use my bytes lib for converting to hex: Bytes.wrap(someByteArray).encodeHex()

Hope this helps

from hkdf.

Hi Patrick,

thx a lot for your quick reply! I will investigate carefully your suggestion and will let you know!

from hkdf.

omg......... I wanted to check first if HashDefinitions_HashType__HASH_TYPE_SHA512 == SHA512 (defined in WoldSSL), and it is not 😡 😡 😡 (it is not my code, and it is generated, but anyway, not much a reason)

I feel really sorry I disturbed you for such a stupid mistake. But anyway, if someone has the same pb as me:
This library gives the same result as WolfSSL if you replace HashDefinitions_HashType__HASH_TYPE_SHA512 by SHA512. Both gives
1b01b30e3afb8369a7be2c3362dac46185ee7d0c4494a66770d49d424e6b8fa8

Great job thank you ! 👍 😎

from hkdf.

Not a problem, glad it worked out for you! Unfortunatly managing crypto code is usually way more complex as it should be, so dont feel bad (I can't count how many times I was in your situation)

Cheers!

from hkdf.

Yes so true. It seems that the mammouth Bouncy Castle didn't help simplify thinks unfortunatly :-(

from hkdf.