1 // SPDX-License-Identifier: GPL-2.0
3 * Implementation of HKDF ("HMAC-based Extract-and-Expand Key Derivation
4 * Function"), aka RFC 5869. See also the original paper (Krawczyk 2010):
5 * "Cryptographic Extraction and Key Derivation: The HKDF Scheme".
7 * This is used to derive keys from the fscrypt master keys.
9 * Copyright 2019 Google LLC
12 #include <crypto/hash.h>
13 #include <crypto/sha.h>
15 #include "fscrypt_private.h"
18 * HKDF supports any unkeyed cryptographic hash algorithm, but fscrypt uses
19 * SHA-512 because it is reasonably secure and efficient; and since it produces
20 * a 64-byte digest, deriving an AES-256-XTS key preserves all 64 bytes of
21 * entropy from the master key and requires only one iteration of HKDF-Expand.
23 #define HKDF_HMAC_ALG "hmac(sha512)"
24 #define HKDF_HASHLEN SHA512_DIGEST_SIZE
27 * HKDF consists of two steps:
29 * 1. HKDF-Extract: extract a pseudorandom key of length HKDF_HASHLEN bytes from
30 * the input keying material and optional salt.
31 * 2. HKDF-Expand: expand the pseudorandom key into output keying material of
32 * any length, parameterized by an application-specific info string.
34 * HKDF-Extract can be skipped if the input is already a pseudorandom key of
35 * length HKDF_HASHLEN bytes. However, cipher modes other than AES-256-XTS take
36 * shorter keys, and we don't want to force users of those modes to provide
37 * unnecessarily long master keys. Thus fscrypt still does HKDF-Extract. No
38 * salt is used, since fscrypt master keys should already be pseudorandom and
39 * there's no way to persist a random salt per master key from kernel mode.
42 /* HKDF-Extract (RFC 5869 section 2.2), unsalted */
43 static int hkdf_extract(struct crypto_shash
*hmac_tfm
, const u8
*ikm
,
44 unsigned int ikmlen
, u8 prk
[HKDF_HASHLEN
])
46 static const u8 default_salt
[HKDF_HASHLEN
];
47 SHASH_DESC_ON_STACK(desc
, hmac_tfm
);
50 err
= crypto_shash_setkey(hmac_tfm
, default_salt
, HKDF_HASHLEN
);
55 err
= crypto_shash_digest(desc
, ikm
, ikmlen
, prk
);
56 shash_desc_zero(desc
);
61 * Compute HKDF-Extract using the given master key as the input keying material,
62 * and prepare an HMAC transform object keyed by the resulting pseudorandom key.
64 * Afterwards, the keyed HMAC transform object can be used for HKDF-Expand many
65 * times without having to recompute HKDF-Extract each time.
67 int fscrypt_init_hkdf(struct fscrypt_hkdf
*hkdf
, const u8
*master_key
,
68 unsigned int master_key_size
)
70 struct crypto_shash
*hmac_tfm
;
74 hmac_tfm
= crypto_alloc_shash(HKDF_HMAC_ALG
, 0, 0);
75 if (IS_ERR(hmac_tfm
)) {
76 fscrypt_err(NULL
, "Error allocating " HKDF_HMAC_ALG
": %ld",
78 return PTR_ERR(hmac_tfm
);
81 if (WARN_ON(crypto_shash_digestsize(hmac_tfm
) != sizeof(prk
))) {
86 err
= hkdf_extract(hmac_tfm
, master_key
, master_key_size
, prk
);
90 err
= crypto_shash_setkey(hmac_tfm
, prk
, sizeof(prk
));
94 hkdf
->hmac_tfm
= hmac_tfm
;
98 crypto_free_shash(hmac_tfm
);
100 memzero_explicit(prk
, sizeof(prk
));
105 * HKDF-Expand (RFC 5869 section 2.3). This expands the pseudorandom key, which
106 * was already keyed into 'hkdf->hmac_tfm' by fscrypt_init_hkdf(), into 'okmlen'
107 * bytes of output keying material parameterized by the application-specific
108 * 'info' of length 'infolen' bytes, prefixed by "fscrypt\0" and the 'context'
109 * byte. This is thread-safe and may be called by multiple threads in parallel.
111 * ('context' isn't part of the HKDF specification; it's just a prefix fscrypt
112 * adds to its application-specific info strings to guarantee that it doesn't
113 * accidentally repeat an info string when using HKDF for different purposes.)
115 int fscrypt_hkdf_expand(const struct fscrypt_hkdf
*hkdf
, u8 context
,
116 const u8
*info
, unsigned int infolen
,
117 u8
*okm
, unsigned int okmlen
)
119 SHASH_DESC_ON_STACK(desc
, hkdf
->hmac_tfm
);
123 const u8
*prev
= NULL
;
125 u8 tmp
[HKDF_HASHLEN
];
127 if (WARN_ON(okmlen
> 255 * HKDF_HASHLEN
))
130 desc
->tfm
= hkdf
->hmac_tfm
;
132 memcpy(prefix
, "fscrypt\0", 8);
135 for (i
= 0; i
< okmlen
; i
+= HKDF_HASHLEN
) {
137 err
= crypto_shash_init(desc
);
142 err
= crypto_shash_update(desc
, prev
, HKDF_HASHLEN
);
147 err
= crypto_shash_update(desc
, prefix
, sizeof(prefix
));
151 err
= crypto_shash_update(desc
, info
, infolen
);
155 BUILD_BUG_ON(sizeof(counter
) != 1);
156 if (okmlen
- i
< HKDF_HASHLEN
) {
157 err
= crypto_shash_finup(desc
, &counter
, 1, tmp
);
160 memcpy(&okm
[i
], tmp
, okmlen
- i
);
161 memzero_explicit(tmp
, sizeof(tmp
));
163 err
= crypto_shash_finup(desc
, &counter
, 1, &okm
[i
]);
173 memzero_explicit(okm
, okmlen
); /* so caller doesn't need to */
174 shash_desc_zero(desc
);
178 void fscrypt_destroy_hkdf(struct fscrypt_hkdf
*hkdf
)
180 crypto_free_shash(hkdf
->hmac_tfm
);