Orange Pi5 kernel

Deprecated Linux kernel 5.10.110 for OrangePi 5/5B/5+ boards

^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   1) // SPDX-License-Identifier: GPL-2.0
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   2) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   3)  * Implementation of HKDF ("HMAC-based Extract-and-Expand Key Derivation
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   4)  * Function"), aka RFC 5869.  See also the original paper (Krawczyk 2010):
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   5)  * "Cryptographic Extraction and Key Derivation: The HKDF Scheme".
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   6)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   7)  * This is used to derive keys from the fscrypt master keys.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   8)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   9)  * Copyright 2019 Google LLC
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  10)  */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  11) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  12) #include <crypto/hash.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  13) #include <crypto/sha.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  14) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  15) #include "fscrypt_private.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  16) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  17) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  18)  * HKDF supports any unkeyed cryptographic hash algorithm, but fscrypt uses
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  19)  * SHA-512 because it is well-established, secure, and reasonably efficient.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  20)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  21)  * HKDF-SHA256 was also considered, as its 256-bit security strength would be
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  22)  * sufficient here.  A 512-bit security strength is "nice to have", though.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  23)  * Also, on 64-bit CPUs, SHA-512 is usually just as fast as SHA-256.  In the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  24)  * common case of deriving an AES-256-XTS key (512 bits), that can result in
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  25)  * HKDF-SHA512 being much faster than HKDF-SHA256, as the longer digest size of
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  26)  * SHA-512 causes HKDF-Expand to only need to do one iteration rather than two.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  27)  */
/* Crypto API algorithm name of the HMAC transform allocated for HKDF. */
#define HKDF_HMAC_ALG		"hmac(sha512)"
/* HMAC output size in bytes; also the PRK length and the Expand block size. */
#define HKDF_HASHLEN		SHA512_DIGEST_SIZE
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  30) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  31) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  32)  * HKDF consists of two steps:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  33)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  34)  * 1. HKDF-Extract: extract a pseudorandom key of length HKDF_HASHLEN bytes from
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  35)  *    the input keying material and optional salt.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  36)  * 2. HKDF-Expand: expand the pseudorandom key into output keying material of
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  37)  *    any length, parameterized by an application-specific info string.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  38)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  39)  * HKDF-Extract can be skipped if the input is already a pseudorandom key of
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  40)  * length HKDF_HASHLEN bytes.  However, cipher modes other than AES-256-XTS take
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  41)  * shorter keys, and we don't want to force users of those modes to provide
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  42)  * unnecessarily long master keys.  Thus fscrypt still does HKDF-Extract.  No
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  43)  * salt is used, since fscrypt master keys should already be pseudorandom and
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  44)  * there's no way to persist a random salt per master key from kernel mode.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  45)  */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  46) 
/*
 * HKDF-Extract (RFC 5869 section 2.2) without a caller-supplied salt.
 *
 * Keys @hmac_tfm with HKDF_HASHLEN zero bytes (the static array below is never
 * written, so it stays zero-initialized) and then digests the @ikmlen bytes at
 * @ikm into @prk.
 *
 * On return @hmac_tfm is still keyed with the all-zero salt, not with the PRK;
 * fscrypt_init_hkdf() re-keys it afterwards.  @prk holds key material, and it
 * is the caller that wipes it.
 *
 * Return: 0 on success, otherwise the error from the crypto API call that
 * failed.
 */
static int hkdf_extract(struct crypto_shash *hmac_tfm, const u8 *ikm,
			unsigned int ikmlen, u8 prk[HKDF_HASHLEN])
{
	/* Static storage that is never modified: all zeroes. */
	static const u8 zero_salt[HKDF_HASHLEN];
	int ret = crypto_shash_setkey(hmac_tfm, zero_salt, sizeof(zero_salt));

	if (ret != 0)
		return ret;

	return crypto_shash_tfm_digest(hmac_tfm, ikm, ikmlen, prk);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  60) 
/*
 * Prepare @hkdf for later HKDF-Expand calls.
 *
 * Allocates an HKDF_HMAC_ALG transform, runs HKDF-Extract over the
 * @master_key_size bytes at @master_key, and keys the transform with the
 * resulting pseudorandom key (PRK).  Since the PRK is keyed in once here,
 * HKDF-Expand can be run many times on the same transform without repeating
 * HKDF-Extract.
 *
 * The PRK only ever lives in a stack buffer, which is wiped with
 * memzero_explicit() before returning on every path past the allocation.
 * On success the keyed transform is stored in @hkdf->hmac_tfm (released by
 * fscrypt_destroy_hkdf()); on failure it is freed here and @hkdf is not
 * written.
 *
 * Return: 0 on success; -EINVAL if the transform's digest size is not
 * HKDF_HASHLEN; otherwise the error reported by the crypto API.
 */
int fscrypt_init_hkdf(struct fscrypt_hkdf *hkdf, const u8 *master_key,
		      unsigned int master_key_size)
{
	u8 prk[HKDF_HASHLEN];
	struct crypto_shash *tfm = crypto_alloc_shash(HKDF_HMAC_ALG, 0, 0);
	int err;

	if (IS_ERR(tfm)) {
		fscrypt_err(NULL, "Error allocating " HKDF_HMAC_ALG ": %ld",
			    PTR_ERR(tfm));
		return PTR_ERR(tfm);
	}

	/* The PRK buffer is sized for SHA-512; refuse any other digest size. */
	if (WARN_ON(crypto_shash_digestsize(tfm) != sizeof(prk)))
		err = -EINVAL;
	else
		err = hkdf_extract(tfm, master_key, master_key_size, prk);

	/* Replace the zero salt used by HKDF-Extract with the PRK. */
	if (!err)
		err = crypto_shash_setkey(tfm, prk, sizeof(prk));

	if (err)
		crypto_free_shash(tfm);
	else
		hkdf->hmac_tfm = tfm;

	/* The transform now carries the key; no stack copy may remain. */
	memzero_explicit(prk, sizeof(prk));
	return err;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 104) 
/*
 * HKDF-Expand (RFC 5869 section 2.3).
 *
 * Produces @okmlen bytes of output keying material in @okm from the
 * pseudorandom key that fscrypt_init_hkdf() keyed into 'hkdf->hmac_tfm'.
 * Each HKDF_HASHLEN-byte output block is the HMAC of: the previous output
 * block (absent for the first block), the 9-byte prefix "fscrypt\0" followed
 * by @context, the @infolen bytes at @info, and a one-byte block counter that
 * starts at 1.
 *
 * @context is not part of the HKDF specification.  It is a prefix fscrypt puts
 * in front of its application-specific info strings so that two different uses
 * of HKDF cannot end up with the same info string by accident.
 *
 * Because the counter is a single byte, at most 255 blocks can be produced; a
 * larger @okmlen triggers a WARN and is rejected.
 *
 * Each call uses its own on-stack hash descriptor and only reads @hkdf, so the
 * function may be called by multiple threads in parallel.
 *
 * Key hygiene: if any step fails, all of @okm is zeroed so the caller never
 * sees partially derived key material; the scratch block used for a short
 * final block and the hash descriptor are wiped as well.
 *
 * Return: 0 on success; -EINVAL if @okmlen exceeds 255 * HKDF_HASHLEN;
 * otherwise the error from the crypto API call that failed.
 */
int fscrypt_hkdf_expand(const struct fscrypt_hkdf *hkdf, u8 context,
			const u8 *info, unsigned int infolen,
			u8 *okm, unsigned int okmlen)
{
	SHASH_DESC_ON_STACK(desc, hkdf->hmac_tfm);
	u8 prefix[9];
	u8 block[HKDF_HASHLEN];
	const u8 *last = NULL;
	unsigned int off = 0;
	u8 counter = 1;
	int err = 0;

	if (WARN_ON(okmlen > 255 * HKDF_HASHLEN))
		return -EINVAL;

	desc->tfm = hkdf->hmac_tfm;

	memcpy(prefix, "fscrypt\0", 8);
	prefix[8] = context;

	while (off < okmlen) {
		unsigned int remaining = okmlen - off;

		/* Feed: previous block (if any) | prefix | info */
		err = crypto_shash_init(desc);
		if (!err && last)
			err = crypto_shash_update(desc, last, HKDF_HASHLEN);
		if (!err)
			err = crypto_shash_update(desc, prefix, sizeof(prefix));
		if (!err)
			err = crypto_shash_update(desc, info, infolen);
		if (err)
			break;

		/* The counter is hashed as exactly one byte. */
		BUILD_BUG_ON(sizeof(counter) != 1);
		if (remaining >= HKDF_HASHLEN) {
			/* Full block: write the digest straight into @okm. */
			err = crypto_shash_finup(desc, &counter, 1, &okm[off]);
			if (err)
				break;
		} else {
			/*
			 * Short final block: digest into scratch space so the
			 * write never runs past the end of @okm, copy only
			 * what is needed, then wipe the unused remainder.
			 */
			err = crypto_shash_finup(desc, &counter, 1, block);
			if (err)
				break;
			memcpy(&okm[off], block, remaining);
			memzero_explicit(block, sizeof(block));
		}

		counter++;
		last = &okm[off];
		off += HKDF_HASHLEN;
	}

	if (unlikely(err))
		memzero_explicit(okm, okmlen); /* so caller doesn't need to */
	shash_desc_zero(desc);
	return err;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 178) 
/*
 * Release the HMAC transform that fscrypt_init_hkdf() stored in @hkdf.
 *
 * That transform is keyed with the HKDF pseudorandom key.
 * NOTE(review): wiping of the keyed state is left to crypto_free_shash();
 * confirm that for this kernel tree.  'hkdf->hmac_tfm' is not cleared here, so
 * it must not be used again after this call.
 */
void fscrypt_destroy_hkdf(struct fscrypt_hkdf *hkdf)
{
	struct crypto_shash *tfm = hkdf->hmac_tfm;

	crypto_free_shash(tfm);
}