From: Eric Biggers <ebiggers@kernel.org>
To: "Stephan Müller" <smueller@chronox.de>
Cc: herbert@gondor.apana.org.au, Jarkko Sakkinen <jarkko@kernel.org>,
Mat Martineau <mathew.j.martineau@linux.intel.com>,
"dhowells@redhat.com" <dhowells@redhat.com>,
linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org,
keyrings <keyrings@vger.kernel.org>,
simo@redhat.com
Subject: Re: [PATCH v3 2/4] crypto: add SP800-108 counter key derivation function
Date: Wed, 17 Nov 2021 11:11:03 -0800
Message-ID: <YZVTx01YyvCsPc9i@gmail.com>
In-Reply-To: <3412396.dWV9SEqChM@positron.chronox.de>
On Mon, Nov 15, 2021 at 09:43:13AM +0100, Stephan Müller wrote:
> SP800-108 defines three KDFs - this patch provides the counter KDF
> implementation.
>
> The KDF is implemented as a service function where the caller has to
> maintain the hash / HMAC state. Apart from this hash/HMAC state, no
> additional state is required to be maintained by either the caller or
> the KDF implementation.
>
> The key for the KDF is set with the crypto_kdf108_setkey function which
> is intended to be invoked before the caller requests a key derivation
> operation via crypto_kdf108_ctr_generate.
>
> SP800-108 allows the use of either a HMAC or a hash as crypto primitive
> for the KDF. When a HMAC primitive is intended to be used,
> crypto_kdf108_setkey must be used to set the HMAC key. Otherwise, for a
> hash crypto primitive crypto_kdf108_ctr_generate can be used immediately
> after allocating the hash handle.
>
> Signed-off-by: Stephan Mueller <smueller@chronox.de>
> ---
> crypto/Kconfig | 7 ++
> crypto/Makefile | 5 ++
> crypto/kdf_sp800108.c | 149 ++++++++++++++++++++++++++++++++++
> include/crypto/kdf_sp800108.h | 61 ++++++++++++++
> 4 files changed, 222 insertions(+)
> create mode 100644 crypto/kdf_sp800108.c
> create mode 100644 include/crypto/kdf_sp800108.h
>
> diff --git a/crypto/Kconfig b/crypto/Kconfig
> index 285f82647d2b..09c393a57b58 100644
> --- a/crypto/Kconfig
> +++ b/crypto/Kconfig
> @@ -1845,6 +1845,13 @@ config CRYPTO_JITTERENTROPY
> random numbers. This Jitterentropy RNG registers with
> the kernel crypto API and can be used by any caller.
>
> +config CRYPTO_KDF800108_CTR
> + tristate "Counter KDF (SP800-108)"
> + select CRYPTO_HASH
> + help
> + Enable the key derivation function in counter mode compliant to
> + SP800-108.
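Review bot: `select CRYPTO_HASH` in the new CRYPTO_KDF800108_CTR entry does not cover what the module's own init code uses. The self-test quoted further down in this message calls kdf_test() with "hmac(sha256)", so a configuration that enables this symbol without HMAC and SHA-256 leaves that self-test with no algorithm to run against. Consider also selecting CRYPTO_HMAC and CRYPTO_SHA256 here.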
These are just some library functions, so they shouldn't be user-selectable.
> +/*
> + * The seeding of the KDF
> + */
> +int crypto_kdf108_setkey(struct crypto_shash *kmd,
> + const u8 *key, size_t keylen,
> + const u8 *ikm, size_t ikmlen)
> +{
> + unsigned int ds = crypto_shash_digestsize(kmd);
> +
> + /* SP800-108 does not support IKM */
> + if (ikm || ikmlen)
> + return -EINVAL;
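Review bot: the one-line comment above crypto_kdf108_setkey() ("The seeding of the KDF") does not tell a caller that ikm must be NULL and ikmlen 0, or that -EINVAL is returned otherwise. As quoted, that contract is only discoverable from the `if (ikm || ikmlen)` check. If the parameter stays in the signature, document the constraint and the error code at the definition.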
Why have the ikm parameter if it's not supported?
> + /*
> + * We require that we operate on a MAC -- if we do not operate on a
> + * MAC, this function returns an error.
> + */
> + return crypto_shash_setkey(kmd, key, keylen);
> +}
> +EXPORT_SYMBOL(crypto_kdf108_setkey);
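Review bot: the comment before the return promises an error when kmd is not a MAC, but the only operation in the quoted lines is `return crypto_shash_setkey(kmd, key, keylen);`, so the result is whatever that call reports and no MAC property is tested here. Either reword the comment to describe what is actually enforced (the algorithm accepts a key), or add an explicit check on the algorithm before setting the key.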
Well, crypto_shash_setkey() will succeed if the hash algorithm takes a "key".
That doesn't necessarily mean that it's a MAC. It could be crc32 or xxhash64,
for example; those interpret the "key" as the initial value.
> +static int __init crypto_kdf108_init(void)
> +{
> + int ret = kdf_test(&kdf_ctr_hmac_sha256_tv_template[0], "hmac(sha256)",
> + crypto_kdf108_setkey, crypto_kdf108_ctr_generate);
> +
> + if (ret)
> + pr_warn("alg: self-tests for CTR-KDF (hmac(sha256)) failed (rc=%d)\n",
> + ret);
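Review bot: the failure branch in crypto_kdf108_init(), as quoted, only logs rc, and the lines shown do not say what the function returns afterwards. Make the propagation explicit (return ret from init) so that crypto_kdf108_setkey and crypto_kdf108_ctr_generate are not left available after a failed known-answer test.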
This should be a WARN() since it indicates a kernel bug.
- Eric
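
Eric's remark about crc32 and xxhash64 above, illustrated with an added example (not code from the patch or from this message): a userspace sketch of a counter-mode KDF with a pluggable PRF, showing that a hash which merely accepts a "key" fails a property any MAC-based KDF must have. The function names, the 32-bit big-endian counter and the sample inputs are assumptions of this sketch.

```python
import hashlib
import hmac
import struct
import zlib


def prf_hmac_sha256(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def prf_crc32(key: bytes, msg: bytes) -> bytes:
    # Accepts a "key", but only as the initial CRC value: keyed, yet not a MAC.
    return struct.pack(">I", zlib.crc32(msg, int.from_bytes(key[:4], "big")))


def kdf108_ctr(prf, key: bytes, info: bytes, out_len: int) -> bytes:
    """Counter mode: K(i) = PRF(key, [i] || info) for i = 1, 2, ...

    Assumed here: 32-bit big-endian counter; `info` is formatted by the caller.
    """
    out = b""
    counter = 1
    while len(out) < out_len:
        out += prf(key, struct.pack(">I", counter) + info)
        counter += 1
    return out[:out_len]


def xor3(a: bytes, b: bytes, c: bytes) -> bytes:
    return bytes(x ^ y ^ z for x, y, z in zip(a, b, c))


def xor_relation_holds(prf, key: bytes, a: bytes, b: bytes, c: bytes, n: int) -> bool:
    """True if KDF(a) ^ KDF(b) ^ KDF(c) == KDF(a ^ b ^ c) for equal-length infos.

    With a real PRF this must not hold: outputs for one input would otherwise
    be computable from outputs for other inputs, without the KDF key.
    """
    lhs = xor3(*(kdf108_ctr(prf, key, x, n) for x in (a, b, c)))
    return lhs == kdf108_ctr(prf, key, xor3(a, b, c), n)


# Constructed sample inputs, not test vectors from the patch.
KEY = bytes(range(32))
INFOS = (b"context-A", b"context-B", b"context-C")

if __name__ == "__main__":
    for name, prf in (("hmac(sha256)", prf_hmac_sha256), ("crc32", prf_crc32)):
        print(name, "XOR relation holds:", xor_relation_holds(prf, KEY, *INFOS, 8))
```

The relation holds for crc32 because a CRC with a fixed initial value is an affine function of its input, which is why a successful setkey call alone says nothing about whether the algorithm is suitable as the KDF's PRF.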