CryptHKDF.php

Go to the documentation of this file.

<?php
class CryptHKDF {
 
    protected $cache = null;
 
    protected $cacheKey = null;
 
    protected $algorithm = null;
 
    protected $salt = '';
 
    private $prk = '';
 
    private $skm;
 
    protected $lastK;
 
    protected $context = [];
 
    public static $hashLength = [
        'md5' => 16,
        'sha1' => 20,
        'sha224' => 28,
        'sha256' => 32,
        'sha384' => 48,
        'sha512' => 64,
        'ripemd128' => 16,
        'ripemd160' => 20,
        'ripemd256' => 32,
        'ripemd320' => 40,
        'whirlpool' => 64,
    ];
 
    public function __construct( $secretKeyMaterial, $algorithm, BagOStuff $cache, $context ) {
        if ( strlen( $secretKeyMaterial ) < 16 ) {
            throw new InvalidArgumentException( "secret was too short." );
        }
        $this->skm = $secretKeyMaterial;
        $this->algorithm = $algorithm;
        $this->cache = $cache;
        $this->context = is_array( $context ) ? $context : [ $context ];
 
        // To prevent every call from hitting the same memcache server, pick
        // from a set of keys to use. mt_rand is only use to pick a random
        // server, and does not affect the security of the process.
        $this->cacheKey = $cache->makeKey( 'HKDF', mt_rand( 0, 16 ) );
    }
 
    function __destruct() {
        if ( $this->lastK ) {
            $this->cache->set( $this->cacheKey, $this->lastK );
        }
    }
 
    protected function getSaltUsingCache() {
        if ( $this->salt == '' ) {
            $lastSalt = $this->cache->get( $this->cacheKey );
            if ( $lastSalt === false ) {
                // If we don't have a previous value to use as our salt, we use
                // 16 bytes from random_bytes(), which will use a small amount of
                // entropy from our pool. Note, "XTR may be deterministic or keyed
                // via an optional “salt value”  (i.e., a non-secret random
                // value)..." - http://eprint.iacr.org/2010/264.pdf. However, we
                // use a strongly random value since we can.
                $lastSalt = random_bytes( 16 );
            }
            // Get a binary string that is hashLen long
            $this->salt = hash( $this->algorithm, $lastSalt, true );
        }
        return $this->salt;
    }
 
    public function generate( $bytes, $context = '' ) {
        if ( $this->prk === '' ) {
            $salt = $this->getSaltUsingCache();
            $this->prk = self::HKDFExtract(
                $this->algorithm,
                $salt,
                $this->skm
            );
        }
 
        $CTXinfo = implode( ':', array_merge( $this->context, [ $context ] ) );
 
        return self::HKDFExpand(
            $this->algorithm,
            $this->prk,
            $CTXinfo,
            $bytes,
            $this->lastK
        );
    }
 
    public static function HKDF( $hash, $ikm, $salt, $info, $L ) {
        $prk = self::HKDFExtract( $hash, $salt, $ikm );
        $okm = self::HKDFExpand( $hash, $prk, $info, $L );
        return $okm;
    }
 
    private static function HKDFExtract( $hash, $salt, $ikm ) {
        return hash_hmac( $hash, $ikm, $salt, true );
    }
 
    private static function HKDFExpand( $hash, $prk, $info, $bytes, &$lastK = '' ) {
        $hashLen = self::$hashLength[$hash];
        $rounds = ceil( $bytes / $hashLen );
        $output = '';
 
        if ( $bytes > 255 * $hashLen ) {
            throw new InvalidArgumentException( 'Too many bytes requested from HDKFExpand' );
        }
 
        // K(1) = HMAC(PRK, CTXinfo || 1);
        // K(i) = HMAC(PRK, K(i-1) || CTXinfo || i); 1 < i <= t;
        for ( $counter = 1; $counter <= $rounds; ++$counter ) {
            $lastK = hash_hmac(
                $hash,
                $lastK . $info . chr( $counter ),
                $prk,
                true
            );
            $output .= $lastK;
        }
 
        return substr( $output, 0, $bytes );
    }
}