| Message ID | 1772794.tdWV9SEqCh@positron.chronox.de |
|---|---|
| Headers | show |
| Series | Add KDF implementations to crypto API | expand |
On Sun, 24 Jan 2021 at 15:23, Ard Biesheuvel <ardb@kernel.org> wrote: > > On Sun, 24 Jan 2021 at 15:10, Stephan Müller <smueller@chronox.de> wrote: > > > > Hi, > > > > The key derviation functions are considered to be a cryptographic > > operation. As cryptographic operations are provided via the kernel > > crypto API, this patch set consolidates the KDF implementations into the > > crypto API. > > > > The KDF implementations are provided as service functions. Yet, the > > interface to the two provided KDFs are identical with the goal to allow > > them to be transformed into a crypto API template eventually. > > > > Why? There are typically two reasons to use the crypto API abstractions: > - the algorithm is not known at compile time, so we need the runtime > dispatch that the crypto API implements, > - the algorithm may be implemented by a h/w accelerator which is > discovered at runtime via the driver stack > > In other cases, a library API is much more suitable, even in the case > where we may provide arch-specific accelerated implementations of such > an algorithm. > Hmm, apologies if I got the wrong end of the stick here - this prose and the naming of some of the crypto_hkdf_xxx routines and function pointers in the test code made me think that this is more than it actually is. What we are talking about are basically library wrappers around shash instances to perform HKDF, right? > > > > The KDFs execute a power-on self test with test vectors from commonly > > known sources. > > > > Tbe SP800-108 KDF implementation is used to replace the implementation > > in the keys subsystem. The implementation was verified using the > > keyutils command line test code provided in > > tests/keyctl/dh_compute/valid. All tests show that the expected values > > are calculated with the new code. > > > > The HKDF addition is used to replace the implementation in the filesystem > > crypto extension. This code was tested by using an EXT4 encrypted file > > system that was created and contains files written to by the current > > implementation. Using the new implementation a successful read of the > > existing files was possible and new files / directories were created > > and read successfully. These newly added file system objects could be > > successfully read using the current code. Yet if there is a test suite > > to validate whether the invokcation of the HKDF calculates the same > > result as the existing implementation, I would be happy to validate > > the implementation accordingly. > > > > Changes v2: > > > > * change HKDF function names > > * change HKDF/SP800-108 KDF extract / seed function prototype > > * ensure clearing of memory of destination buffer in KDF implementation > > if KDF operation fails > > * security DH: split the removal of dead code into separate patch > > > > Stephan Mueller (7): > > crypto: Add key derivation self-test support code > > crypto: add SP800-108 counter key derivation function > > crypto: add RFC5869 HKDF > > security: DH - remove dead code for zero padding > > security: DH - use KDF implementation from crypto API > > fs: use HKDF implementation from kernel crypto API > > fs: HKDF - remove duplicate memory clearing > > > > crypto/Kconfig | 14 ++ > > crypto/Makefile | 6 + > > crypto/hkdf.c | 199 +++++++++++++++++++++++++ > > crypto/kdf_sp800108.c | 149 ++++++++++++++++++ > > fs/crypto/Kconfig | 2 +- > > fs/crypto/hkdf.c | 103 +++---------- > > include/crypto/hkdf.h | 48 ++++++ > > include/crypto/internal/kdf_selftest.h | 71 +++++++++ > > include/crypto/kdf_sp800108.h | 61 ++++++++ > > security/keys/Kconfig | 2 +- > > security/keys/dh.c | 118 ++------------- > > 11 files changed, 586 insertions(+), 187 deletions(-) > > create mode 100644 crypto/hkdf.c > > create mode 100644 crypto/kdf_sp800108.c > > create mode 100644 include/crypto/hkdf.h > > create mode 100644 include/crypto/internal/kdf_selftest.h > > create mode 100644 include/crypto/kdf_sp800108.h > > > > -- > > 2.26.2 > > > > > > > >
Am Sonntag, 24. Januar 2021, 15:32:59 CET schrieb Ard Biesheuvel: Hi Ard, > On Sun, 24 Jan 2021 at 15:23, Ard Biesheuvel <ardb@kernel.org> wrote: > > On Sun, 24 Jan 2021 at 15:10, Stephan Müller <smueller@chronox.de> wrote: > > > Hi, > > > > > > The key derviation functions are considered to be a cryptographic > > > operation. As cryptographic operations are provided via the kernel > > > crypto API, this patch set consolidates the KDF implementations into the > > > crypto API. > > > > > > The KDF implementations are provided as service functions. Yet, the > > > interface to the two provided KDFs are identical with the goal to allow > > > them to be transformed into a crypto API template eventually. > > > > Why? There are typically two reasons to use the crypto API abstractions: > > - the algorithm is not known at compile time, so we need the runtime > > dispatch that the crypto API implements, > > - the algorithm may be implemented by a h/w accelerator which is > > discovered at runtime via the driver stack > > > > In other cases, a library API is much more suitable, even in the case > > where we may provide arch-specific accelerated implementations of such > > an algorithm. > > Hmm, apologies if I got the wrong end of the stick here - this prose > and the naming of some of the crypto_hkdf_xxx routines and function > pointers in the test code made me think that this is more than it > actually is. > > What we are talking about are basically library wrappers around shash > instances to perform HKDF, right? Sorry, our emails just crossed each other. Yes, you are absolutely correct. The KDF implementations are wrappers around the SHASH API. Conceptually the provided API is what templates actually should do. As mentioned in the other email, however, adding a template was and is not considered appropriate at the time. Yet, I would like to keep the path open to transform the KDF implementations into a template. Ciao Stephan
On Sun, Jan 24, 2021 at 03:04:50PM +0100, Stephan Müller wrote: > The clearing of the OKM memory buffer in case of an error is already > performed by the HKDF implementation crypto_hkdf_expand. Thus, the > code clearing is not needed any more in the file system code base. > > Signed-off-by: Stephan Mueller <smueller@chronox.de> > --- > fs/crypto/hkdf.c | 9 +++------ > 1 file changed, 3 insertions(+), 6 deletions(-) > > diff --git a/fs/crypto/hkdf.c b/fs/crypto/hkdf.c > index ae236b42b1f0..c48dd8ca3a46 100644 > --- a/fs/crypto/hkdf.c > +++ b/fs/crypto/hkdf.c > @@ -102,13 +102,10 @@ int fscrypt_hkdf_expand(const struct fscrypt_hkdf *hkdf, u8 context, > .iov_base = (u8 *)info, > .iov_len = infolen, > } }; > - int err = crypto_hkdf_expand(hkdf->hmac_tfm, > - info_iov, ARRAY_SIZE(info_iov), > - okm, okmlen); > > - if (unlikely(err)) > - memzero_explicit(okm, okmlen); /* so caller doesn't need to */ > - return err; > + return crypto_hkdf_expand(hkdf->hmac_tfm, > + info_iov, ARRAY_SIZE(info_iov), > + okm, okmlen); > } > Shoudn't this just be folded into the previous patch, which converted fscrypt_hkdf_expand() to use crypto_hkdf_expand() in the first place? - Eric