Lines Matching +full:512 +full:- +full:bytes
1 // SPDX-License-Identifier: GPL-2.0
3 * Implementation of HKDF ("HMAC-based Extract-and-Expand Key Derivation
19 * SHA-512 because it is well-established, secure, and reasonably efficient.
21 * HKDF-SHA256 was also considered, as its 256-bit security strength would be
22 * sufficient here. A 512-bit security strength is "nice to have", though.
23 * Also, on 64-bit CPUs, SHA-512 is usually just as fast as SHA-256. In the
24 * common case of deriving an AES-256-XTS key (512 bits), that can result in
25 * HKDF-SHA512 being much faster than HKDF-SHA256, as the longer digest size of
26 * SHA-512 causes HKDF-Expand to only need to do one iteration rather than two.
34 * 1. HKDF-Extract: extract a pseudorandom key of length HKDF_HASHLEN bytes from
36 * 2. HKDF-Expand: expand the pseudorandom key into output keying material of
37 * any length, parameterized by an application-specific info string.
39 * HKDF-Extract can be skipped if the input is already a pseudorandom key of
40 * length HKDF_HASHLEN bytes. However, cipher modes other than AES-256-XTS take
42 * unnecessarily long master keys. Thus fscrypt still does HKDF-Extract. No
47 /* HKDF-Extract (RFC 5869 section 2.2), unsalted */
62 * Compute HKDF-Extract using the given master key as the input keying material,
65 * Afterwards, the keyed HMAC transform object can be used for HKDF-Expand many
66 * times without having to recompute HKDF-Extract each time.
83 err = -EINVAL; in fscrypt_init_hkdf()
95 hkdf->hmac_tfm = hmac_tfm; in fscrypt_init_hkdf()
106 * HKDF-Expand (RFC 5869 section 2.3). This expands the pseudorandom key, which
107 * was already keyed into 'hkdf->hmac_tfm' by fscrypt_init_hkdf(), into 'okmlen'
108 * bytes of output keying material parameterized by the application-specific
109 * 'info' of length 'infolen' bytes, prefixed by "fscrypt\0" and the 'context'
110 * byte. This is thread-safe and may be called by multiple threads in parallel.
113 * adds to its application-specific info strings to guarantee that it doesn't
120 SHASH_DESC_ON_STACK(desc, hkdf->hmac_tfm); in fscrypt_hkdf_expand()
129 return -EINVAL; in fscrypt_hkdf_expand()
131 desc->tfm = hkdf->hmac_tfm; in fscrypt_hkdf_expand()
157 if (okmlen - i < HKDF_HASHLEN) { in fscrypt_hkdf_expand()
161 memcpy(&okm[i], tmp, okmlen - i); in fscrypt_hkdf_expand()
181 crypto_free_shash(hkdf->hmac_tfm); in fscrypt_destroy_hkdf()