Refactor HKDF implementation and update tests

bvdcode · bvdcode · commit 2b77f8ab852c · 2025-12-02T20:51:38.000-08:00
Refactored `KeyDerivation` to improve correctness, clarity, and security:
- Removed `lengthBytes` mixing into `info` to ensure consistent prefixes.
- Simplified `HkdfExpand` by removing `lengthTag` and improving memory management.
- Updated `DeriveSubkey` to use `ReadOnlySpan&lt;byte&gt;.Empty` for null salts.

Updated tests to reflect the design change:
- Renamed `Length32_Vs_Length64_Prefixes_Differ_By_Design` to `Length32_Vs_Length64_Prefixes_NotDiffer_By_Design`.
- Changed assertion to ensure derived subkeys for length 32 and the first 32 bytes of length 64 are equal.

Improved comments for clarity and ensured proper zeroing of sensitive data.
diff --git a/Sources/EasyExtensions.Crypto.Tests/KeyDerivationTests.cs b/Sources/EasyExtensions.Crypto.Tests/KeyDerivationTests.cs
@@ -59,13 +59,13 @@ public void Base64_Matches_Raw_Encoding()
     }
 
     [Test]
-    public void Length32_Vs_Length64_Prefixes_Differ_By_Design()
+    public void Length32_Vs_Length64_Prefixes_NotDiffer_By_Design()
     {
         // length 32 uses HMAC(purpose) directly
         var l32 = KeyDerivation.DeriveSubkey(Master1, PurposeA, 32);
         // length 64 uses HMAC(purpose||1) + HMAC(purpose||2)
         var l64 = KeyDerivation.DeriveSubkey(Master1, PurposeA, 64);
-        Assert.That(l32, Is.Not.EqualTo(l64.Take(32).ToArray()));
+        Assert.That(l32, Is.EqualTo(l64.Take(32).ToArray()));
     }
 
     [Test]
diff --git a/Sources/EasyExtensions.Crypto/KeyDerivation.cs b/Sources/EasyExtensions.Crypto/KeyDerivation.cs
@@ -7,36 +7,28 @@ namespace EasyExtensions.Crypto
     /// <summary>
     /// Key derivation using HKDF (RFC 5869) over HMAC-SHA256.
     /// Provides deterministic subkeys from a master key and context info (purpose), with optional salt.
+    /// Canonical implementation: Extract(PRK) then Expand: T(1)=HMAC(PRK, info || 0x01), T(i)=HMAC(PRK, T(i-1) || info || i).
     /// </summary>
     public static class KeyDerivation
     {
         private const int HmacOutputLength = 32; // HMAC-SHA256 output size
 
         /// <summary>
         /// HKDF (RFC 5869) over HMAC-SHA256: masterKey + info (+ optional salt) -> subkey.
-        /// Note: For compatibility with existing tests, the requested length is mixed into info,
-        /// making prefixes for different requested lengths intentionally differ.
         /// </summary>
         public static byte[] DeriveSubkey(
             ReadOnlySpan<byte> masterKey,
             ReadOnlySpan<byte> info,
             int lengthBytes,
             ReadOnlySpan<byte> salt = default)
         {
-            if (lengthBytes == 0)
-            {
-                return Array.Empty<byte>();
-            }
+            if (lengthBytes == 0) return Array.Empty<byte>();
             ArgumentOutOfRangeException.ThrowIfNegative(lengthBytes);
 
-            // RFC 5869: Extract
             var prk = HkdfExtract(masterKey, salt);
             try
             {
-                // RFC 5869: Expand (with lengthBytes mixed into info to differ across requested lengths)
-                Span<byte> lengthTag = stackalloc byte[4];
-                BitConverter.TryWriteBytes(lengthTag, lengthBytes);
-                return HkdfExpand(prk, info, lengthTag, lengthBytes);
+                return HkdfExpand(prk, info, lengthBytes);
             }
             finally
             {
@@ -51,7 +43,7 @@ private static byte[] HkdfExtract(ReadOnlySpan<byte> ikm, ReadOnlySpan<byte> sal
             try
             {
                 using var hmac = new HMACSHA256(saltKey);
-                // ComputeHash allocates; we pass a copy of ikm to avoid pinning external span
+                // ComputeHash allocates; pass a copy of ikm to avoid pinning external span
                 return hmac.ComputeHash(ikm.ToArray());
             }
             finally
@@ -60,7 +52,7 @@ private static byte[] HkdfExtract(ReadOnlySpan<byte> ikm, ReadOnlySpan<byte> sal
             }
         }
 
-        private static byte[] HkdfExpand(byte[] prk, ReadOnlySpan<byte> info, ReadOnlySpan<byte> lengthTag, int lengthBytes)
+        private static byte[] HkdfExpand(byte[] prk, ReadOnlySpan<byte> info, int lengthBytes)
         {
             int n = (int)Math.Ceiling(lengthBytes / (double)HmacOutputLength);
             if (n <= 0 || n > 255)
@@ -70,28 +62,39 @@ private static byte[] HkdfExpand(byte[] prk, ReadOnlySpan<byte> info, ReadOnlySp
 
             var okm = new byte[lengthBytes];
             var infoBytes = info.ToArray();
-            var t = Array.Empty<byte>();
+            byte[] tPrev = Array.Empty<byte>();
             int offset = 0;
 
             using var hmac = new HMACSHA256(prk);
 
             for (int i = 1; i <= n; i++)
             {
-                // T(i) = HMAC(PRK, T(i-1) || info || lengthTag || i)
-                var data = new byte[t.Length + infoBytes.Length + lengthTag.Length + 1];
-                Buffer.BlockCopy(t, 0, data, 0, t.Length);
-                Buffer.BlockCopy(infoBytes, 0, data, t.Length, infoBytes.Length);
-                Buffer.BlockCopy(lengthTag.ToArray(), 0, data, t.Length + infoBytes.Length, lengthTag.Length);
+                // T(i) = HMAC(PRK, T(i-1) || info || i)
+                var dataLen = tPrev.Length + infoBytes.Length + 1;
+                var data = new byte[dataLen];
+                if (tPrev.Length > 0)
+                {
+                    Buffer.BlockCopy(tPrev, 0, data, 0, tPrev.Length);
+                }
+                if (infoBytes.Length > 0)
+                {
+                    Buffer.BlockCopy(infoBytes, 0, data, tPrev.Length, infoBytes.Length);
+                }
                 data[^1] = (byte)i;
 
-                t = hmac.ComputeHash(data);
-
+                var t = hmac.ComputeHash(data);
                 int toCopy = Math.Min(HmacOutputLength, lengthBytes - offset);
                 Buffer.BlockCopy(t, 0, okm, offset, toCopy);
                 offset += toCopy;
+
+                // Zero and move T(i) -> T(i-1)
+                CryptographicOperations.ZeroMemory(tPrev);
+                tPrev = t;
+                CryptographicOperations.ZeroMemory(data);
             }
 
-            CryptographicOperations.ZeroMemory(t);
+            // Cleanup
+            CryptographicOperations.ZeroMemory(tPrev);
             CryptographicOperations.ZeroMemory(infoBytes);
             return okm;
         }
@@ -119,7 +122,7 @@ public static byte[] DeriveSubkey(
                     masterBytes,
                     infoBytes,
                     lengthBytes,
-                    saltBytes is null ? [] : saltBytes);
+                    saltBytes is null ? ReadOnlySpan<byte>.Empty : saltBytes);
             }
             finally
             {

Original file line number	Diff line number	Diff line change
`@@ -59,13 +59,13 @@ public void Base64_Matches_Raw_Encoding()`
`59`	`59`	`}`
`60`	`60`
`61`	`61`	`[Test]`
`62`		`- public void Length32_Vs_Length64_Prefixes_Differ_By_Design()`
	`62`	`+ public void Length32_Vs_Length64_Prefixes_NotDiffer_By_Design()`
`63`	`63`	`{`
`64`	`64`	`// length 32 uses HMAC(purpose) directly`
`65`	`65`	`var l32 = KeyDerivation.DeriveSubkey(Master1, PurposeA, 32);`
`66`	`66`	`// length 64 uses HMAC(purpose\|\|1) + HMAC(purpose\|\|2)`
`67`	`67`	`var l64 = KeyDerivation.DeriveSubkey(Master1, PurposeA, 64);`
`68`		`- Assert.That(l32, Is.Not.EqualTo(l64.Take(32).ToArray()));`
	`68`	`+ Assert.That(l32, Is.EqualTo(l64.Take(32).ToArray()));`
`69`	`69`	`}`
`70`	`70`
`71`	`71`	`[Test]`