~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/fs/crypto/hkdf.c

Version: ~ [ linux-6.11.5 ] ~ [ linux-6.10.14 ] ~ [ linux-6.9.12 ] ~ [ linux-6.8.12 ] ~ [ linux-6.7.12 ] ~ [ linux-6.6.58 ] ~ [ linux-6.5.13 ] ~ [ linux-6.4.16 ] ~ [ linux-6.3.13 ] ~ [ linux-6.2.16 ] ~ [ linux-6.1.114 ] ~ [ linux-6.0.19 ] ~ [ linux-5.19.17 ] ~ [ linux-5.18.19 ] ~ [ linux-5.17.15 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.169 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.228 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.284 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.322 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.336 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.337 ] ~ [ linux-4.4.302 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.9 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

Diff markup

Differences between /fs/crypto/hkdf.c (Version linux-6.11.5) and /fs/crypto/hkdf.c (Version linux-4.11.12)


  1 // SPDX-License-Identifier: GPL-2.0                 1 
  2 /*                                                
  3  * Implementation of HKDF ("HMAC-based Extract    
  4  * Function"), aka RFC 5869.  See also the ori    
  5  * "Cryptographic Extraction and Key Derivatio    
  6  *                                                
  7  * This is used to derive keys from the fscryp    
  8  *                                                
  9  * Copyright 2019 Google LLC                      
 10  */                                               
 11                                                   
 12 #include <crypto/hash.h>                          
 13 #include <crypto/sha2.h>                          
 14                                                   
 15 #include "fscrypt_private.h"                      
 16                                                   
 17 /*                                                
 18  * HKDF supports any unkeyed cryptographic has    
 19  * SHA-512 because it is well-established, sec    
 20  *                                                
 21  * HKDF-SHA256 was also considered, as its 256    
 22  * sufficient here.  A 512-bit security streng    
 23  * Also, on 64-bit CPUs, SHA-512 is usually ju    
 24  * common case of deriving an AES-256-XTS key     
 25  * HKDF-SHA512 being much faster than HKDF-SHA    
 26  * SHA-512 causes HKDF-Expand to only need to     
 27  */                                               
 28 #define HKDF_HMAC_ALG           "hmac(sha512)"    
 29 #define HKDF_HASHLEN            SHA512_DIGEST_    
 30                                                   
 31 /*                                                
 32  * HKDF consists of two steps:                    
 33  *                                                
 34  * 1. HKDF-Extract: extract a pseudorandom key    
 35  *    the input keying material and optional s    
 36  * 2. HKDF-Expand: expand the pseudorandom key    
 37  *    any length, parameterized by an applicat    
 38  *                                                
 39  * HKDF-Extract can be skipped if the input is    
 40  * length HKDF_HASHLEN bytes.  However, cipher    
 41  * shorter keys, and we don't want to force us    
 42  * unnecessarily long master keys.  Thus fscry    
 43  * salt is used, since fscrypt master keys sho    
 44  * there's no way to persist a random salt per    
 45  */                                               
 46                                                   
 47 /* HKDF-Extract (RFC 5869 section 2.2), unsalt    
 48 static int hkdf_extract(struct crypto_shash *h    
 49                         unsigned int ikmlen, u    
 50 {                                                 
 51         static const u8 default_salt[HKDF_HASH    
 52         int err;                                  
 53                                                   
 54         err = crypto_shash_setkey(hmac_tfm, de    
 55         if (err)                                  
 56                 return err;                       
 57                                                   
 58         return crypto_shash_tfm_digest(hmac_tf    
 59 }                                                 
 60                                                   
 61 /*                                                
 62  * Compute HKDF-Extract using the given master    
 63  * and prepare an HMAC transform object keyed     
 64  *                                                
 65  * Afterwards, the keyed HMAC transform object    
 66  * times without having to recompute HKDF-Extr    
 67  */                                               
 68 int fscrypt_init_hkdf(struct fscrypt_hkdf *hkd    
 69                       unsigned int master_key_    
 70 {                                                 
 71         struct crypto_shash *hmac_tfm;            
 72         u8 prk[HKDF_HASHLEN];                     
 73         int err;                                  
 74                                                   
 75         hmac_tfm = crypto_alloc_shash(HKDF_HMA    
 76         if (IS_ERR(hmac_tfm)) {                   
 77                 fscrypt_err(NULL, "Error alloc    
 78                             PTR_ERR(hmac_tfm))    
 79                 return PTR_ERR(hmac_tfm);         
 80         }                                         
 81                                                   
 82         if (WARN_ON_ONCE(crypto_shash_digestsi    
 83                 err = -EINVAL;                    
 84                 goto err_free_tfm;                
 85         }                                         
 86                                                   
 87         err = hkdf_extract(hmac_tfm, master_ke    
 88         if (err)                                  
 89                 goto err_free_tfm;                
 90                                                   
 91         err = crypto_shash_setkey(hmac_tfm, pr    
 92         if (err)                                  
 93                 goto err_free_tfm;                
 94                                                   
 95         hkdf->hmac_tfm = hmac_tfm;                
 96         goto out;                                 
 97                                                   
 98 err_free_tfm:                                     
 99         crypto_free_shash(hmac_tfm);              
100 out:                                              
101         memzero_explicit(prk, sizeof(prk));       
102         return err;                               
103 }                                                 
104                                                   
105 /*                                                
106  * HKDF-Expand (RFC 5869 section 2.3).  This e    
107  * was already keyed into 'hkdf->hmac_tfm' by     
108  * bytes of output keying material parameteriz    
109  * 'info' of length 'infolen' bytes, prefixed     
110  * byte.  This is thread-safe and may be calle    
111  *                                                
112  * ('context' isn't part of the HKDF specifica    
113  * adds to its application-specific info strin    
114  * accidentally repeat an info string when usi    
115  */                                               
116 int fscrypt_hkdf_expand(const struct fscrypt_h    
117                         const u8 *info, unsign    
118                         u8 *okm, unsigned int     
119 {                                                 
120         SHASH_DESC_ON_STACK(desc, hkdf->hmac_t    
121         u8 prefix[9];                             
122         unsigned int i;                           
123         int err;                                  
124         const u8 *prev = NULL;                    
125         u8 counter = 1;                           
126         u8 tmp[HKDF_HASHLEN];                     
127                                                   
128         if (WARN_ON_ONCE(okmlen > 255 * HKDF_H    
129                 return -EINVAL;                   
130                                                   
131         desc->tfm = hkdf->hmac_tfm;               
132                                                   
133         memcpy(prefix, "fscrypt\0", 8);           
134         prefix[8] = context;                      
135                                                   
136         for (i = 0; i < okmlen; i += HKDF_HASH    
137                                                   
138                 err = crypto_shash_init(desc);    
139                 if (err)                          
140                         goto out;                 
141                                                   
142                 if (prev) {                       
143                         err = crypto_shash_upd    
144                         if (err)                  
145                                 goto out;         
146                 }                                 
147                                                   
148                 err = crypto_shash_update(desc    
149                 if (err)                          
150                         goto out;                 
151                                                   
152                 err = crypto_shash_update(desc    
153                 if (err)                          
154                         goto out;                 
155                                                   
156                 BUILD_BUG_ON(sizeof(counter) !    
157                 if (okmlen - i < HKDF_HASHLEN)    
158                         err = crypto_shash_fin    
159                         if (err)                  
160                                 goto out;         
161                         memcpy(&okm[i], tmp, o    
162                         memzero_explicit(tmp,     
163                 } else {                          
164                         err = crypto_shash_fin    
165                         if (err)                  
166                                 goto out;         
167                 }                                 
168                 counter++;                        
169                 prev = &okm[i];                   
170         }                                         
171         err = 0;                                  
172 out:                                              
173         if (unlikely(err))                        
174                 memzero_explicit(okm, okmlen);    
175         shash_desc_zero(desc);                    
176         return err;                               
177 }                                                 
178                                                   
179 void fscrypt_destroy_hkdf(struct fscrypt_hkdf     
180 {                                                 
181         crypto_free_shash(hkdf->hmac_tfm);        
182 }                                                 
183                                                   

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

sflogo.php