1 // SPDX-License-Identifier: GPL-2.0
3 * Implementation of HKDF ("HMAC-based Extract-and-Expand Key Derivation
4 * Function"), aka RFC 5869. See also the original paper (Krawczyk 2010):
5 * "Cryptographic Extraction and Key Derivation: The HKDF Scheme".
7 * This is used to derive keys from the fscrypt master keys.
9 * Copyright 2019 Google LLC
12 #include <crypto/hash.h>
13 #include <crypto/sha2.h>
15 #include "fscrypt_private.h"
18 * HKDF supports any unkeyed cryptographic hash algorithm, but fscrypt uses
19 * SHA-512 because it is reasonably secure and efficient; and since it produces
20 * a 64-byte digest, deriving an AES-256-XTS key preserves all 64 bytes of
21 * entropy from the master key and requires only one iteration of HKDF-Expand.
23 #define HKDF_HMAC_ALG "hmac(sha512)"
24 #define HKDF_HASHLEN SHA512_DIGEST_SIZE
27 * HKDF consists of two steps:
29 * 1. HKDF-Extract: extract a pseudorandom key of length HKDF_HASHLEN bytes from
30 * the input keying material and optional salt.
31 * 2. HKDF-Expand: expand the pseudorandom key into output keying material of
32 * any length, parameterized by an application-specific info string.
 * HKDF-Extract can be skipped if the input is already a pseudorandom key of
 * length HKDF_HASHLEN bytes. However, cipher modes other than AES-256-XTS take
 * shorter keys, and we don't want to force users of those modes to provide
 * unnecessarily long master keys. Thus fscrypt still does HKDF-Extract. No
 * salt is used: RFC 5869 then specifies a salt of HashLen zero bytes, which is
 * exactly what hkdf_extract() passes. This is acceptable because fscrypt
 * master keys should already be pseudorandom (a salt adds nothing to an
 * already-uniform input), and there is no way to persist a random salt per
 * master key from kernel mode. The consequence is that the PRK, and every key
 * expanded from it, is a deterministic function of the master key alone.
/*
 * HKDF-Extract (RFC 5869 section 2.2) with the default salt.
 *
 * @hmac_tfm: an "hmac(sha512)" transform; it is keyed here with the salt, so
 *	      the caller must re-key it before using it for anything else
 * @ikm:      input keying material (the fscrypt master key)
 * @ikmlen:   length of @ikm in bytes
 * @prk:      receives the HKDF_HASHLEN-byte pseudorandom key
 *
 * Returns 0 on success or a negative errno from the crypto API.
 *
 * RFC 5869 defines the salt, when the caller supplies none, as HashLen zero
 * bytes; @default_salt is exactly that. (Per RFC 2104, HMAC zero-pads any key
 * shorter than the hash block size, so this keys the HMAC the same way an
 * empty salt would; the explicit array simply mirrors the RFC's wording.)
 */
static int hkdf_extract(struct crypto_shash *hmac_tfm, const u8 *ikm,
			unsigned int ikmlen, u8 prk[HKDF_HASHLEN])
{
	static const u8 default_salt[HKDF_HASHLEN];
	int ret;

	/* PRK = HMAC(key = salt, message = IKM) */
	ret = crypto_shash_setkey(hmac_tfm, default_salt, HKDF_HASHLEN);
	if (ret)
		return ret;
	return crypto_shash_tfm_digest(hmac_tfm, ikm, ikmlen, prk);
}
/**
 * fscrypt_init_hkdf() - initialize an HKDF context from a master key
 * @hkdf: the context to initialize; on success it owns a keyed HMAC transform
 *	  that must later be released with fscrypt_destroy_hkdf()
 * @master_key: the input keying material
 * @master_key_size: size of @master_key in bytes
 *
 * Runs HKDF-Extract over @master_key and installs the resulting pseudorandom
 * key (PRK) as the HMAC key of @hkdf->hmac_tfm, so that every later
 * fscrypt_hkdf_expand() call only has to perform HKDF-Expand. The PRK is never
 * handed out: it exists in a stack buffer that is wiped before returning, and
 * afterwards only inside the keyed transform.
 *
 * Return: 0 on success, or a negative errno. On failure the transform is
 * freed, so the caller has nothing to clean up.
 */
int fscrypt_init_hkdf(struct fscrypt_hkdf *hkdf, const u8 *master_key,
		      unsigned int master_key_size)
{
	struct crypto_shash *tfm;
	u8 prk[HKDF_HASHLEN];
	int ret;

	tfm = crypto_alloc_shash(HKDF_HMAC_ALG, 0, 0);
	if (IS_ERR(tfm)) {
		fscrypt_err(NULL, "Error allocating " HKDF_HMAC_ALG ": %ld",
			    PTR_ERR(tfm));
		return PTR_ERR(tfm);
	}

	/* The PRK is one HMAC digest; any other digest size is a bug. */
	if (WARN_ON(crypto_shash_digestsize(tfm) != sizeof(prk))) {
		ret = -EINVAL;
		goto fail;
	}

	ret = hkdf_extract(tfm, master_key, master_key_size, prk);
	if (ret)
		goto fail;

	/* Re-key the transform with the PRK for all subsequent HKDF-Expand. */
	ret = crypto_shash_setkey(tfm, prk, sizeof(prk));
	if (ret)
		goto fail;

	hkdf->hmac_tfm = tfm;
	memzero_explicit(prk, sizeof(prk));
	return 0;

fail:
	crypto_free_shash(tfm);
	memzero_explicit(prk, sizeof(prk));
	return ret;
}
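/**
 * fscrypt_hkdf_expand() - HKDF-Expand (RFC 5869 section 2.3)
 * @hkdf: the HKDF context whose @hmac_tfm was keyed with the PRK by
 *	  fscrypt_init_hkdf()
 * @context: fscrypt-specific purpose byte, see below
 * @info: application-specific info string
 * @infolen: length of @info in bytes
 * @okm: buffer that receives @okmlen bytes of output keying material
 * @okmlen: number of bytes to derive; at most 255 * HKDF_HASHLEN, the
 *	    RFC 5869 limit, because the block counter is a single byte
 *
 * The effective HKDF info string is "fscrypt\0" || @context || @info. The
 * 'context' byte is not part of RFC 5869; fscrypt prepends it so that its
 * different uses of HKDF can never share an info string by accident.
 * HKDF does not length-prefix the info, so for a given @context the caller
 * must keep the @info encoding unambiguous (fixed length or self-delimiting);
 * otherwise two logically different inputs could derive the same key.
 *
 * This is thread-safe and may be called by multiple threads in parallel: the
 * shared keyed transform is only read, and all per-call state lives on this
 * stack frame, which is wiped before returning.
 *
 * Return: 0 on success, or a negative errno. On failure @okm is zeroed so the
 * caller does not have to.
 */
int fscrypt_hkdf_expand(const struct fscrypt_hkdf *hkdf, u8 context,
			const u8 *info, unsigned int infolen,
			u8 *okm, unsigned int okmlen)
{
	SHASH_DESC_ON_STACK(desc, hkdf->hmac_tfm);
	u8 prefix[9];			/* "fscrypt\0" || context; not secret */
	u8 counter = 1;			/* block index i, starting at 1 per RFC */
	const u8 *prev = NULL;		/* T(i-1); NULL for the first block */
	u8 tmp[HKDF_HASHLEN];		/* whole digest for a final partial block */
	unsigned int off;
	int err = 0;

	/* N = ceil(L / HashLen) must fit in the one-byte counter. */
	BUILD_BUG_ON(sizeof(counter) != 1);
	if (WARN_ON(okmlen > 255 * HKDF_HASHLEN))
		return -EINVAL;

	desc->tfm = hkdf->hmac_tfm;

	memcpy(prefix, "fscrypt\0", 8);
	prefix[8] = context;

	/* T(i) = HMAC-PRK(T(i-1) || "fscrypt\0" || context || info || i) */
	for (off = 0; off < okmlen; off += HKDF_HASHLEN) {
		unsigned int remaining = okmlen - off;

		err = crypto_shash_init(desc);
		if (err)
			goto out;

		if (prev) {
			err = crypto_shash_update(desc, prev, HKDF_HASHLEN);
			if (err)
				goto out;
		}

		err = crypto_shash_update(desc, prefix, sizeof(prefix));
		if (err)
			goto out;

		err = crypto_shash_update(desc, info, infolen);
		if (err)
			goto out;

		if (remaining >= HKDF_HASHLEN) {
			/* A full block can be written straight into @okm. */
			err = crypto_shash_finup(desc, &counter, 1, &okm[off]);
			if (err)
				goto out;
		} else {
			/*
			 * Partial last block: compute the whole digest into
			 * @tmp and copy only the bytes that still fit.
			 */
			err = crypto_shash_finup(desc, &counter, 1, tmp);
			if (err)
				goto out;
			memcpy(&okm[off], tmp, remaining);
		}

		prev = &okm[off];
		counter++;
	}

out:
	/*
	 * @tmp may hold key material, including after a finup that failed
	 * part-way, so wipe it on every exit path rather than only after a
	 * successful partial block.
	 */
	memzero_explicit(tmp, sizeof(tmp));
	if (err)
		memzero_explicit(okm, okmlen); /* so caller doesn't need to */
	shash_desc_zero(desc);
	return err;
}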
/**
 * fscrypt_destroy_hkdf() - release the resources held by an HKDF context
 * @hkdf: a context that fscrypt_init_hkdf() initialized successfully
 *
 * Frees the HMAC transform that carries the PRK. After this the context must
 * not be used for fscrypt_hkdf_expand() again.
 */
void fscrypt_destroy_hkdf(struct fscrypt_hkdf *hkdf)
{
	struct crypto_shash *tfm = hkdf->hmac_tfm;

	crypto_free_shash(tfm);
}