Lines Matching +full:sha +full:- +full:256

1 // SPDX-License-Identifier: GPL-2.0
3  * Implementation of HKDF ("HMAC-based Extract-and-Expand Key Derivation
9  * the case that the fscrypt master keys are hardware-wrapped keys).
18  * SHA-512 because it is well-established, secure, and reasonably efficient.
20  * HKDF-SHA256 was also considered, as its 256-bit security strength would be
21  * sufficient here.  A 512-bit security strength is "nice to have", though.
22  * Also, on 64-bit CPUs, SHA-512 is usually just as fast as SHA-256.  In the
23  * common case of deriving an AES-256-XTS key (512 bits), that can result in
24  * HKDF-SHA512 being much faster than HKDF-SHA256, as the longer digest size of
25  * SHA-512 causes HKDF-Expand to only need to do one iteration rather than two.
32  * 1. HKDF-Extract: extract a pseudorandom key of length HKDF_HASHLEN bytes from
34  * 2. HKDF-Expand: expand the pseudorandom key into output keying material of
35  *    any length, parameterized by an application-specific info string.
37  * HKDF-Extract can be skipped if the input is already a pseudorandom key of
38  * length HKDF_HASHLEN bytes.  However, cipher modes other than AES-256-XTS take
40  * unnecessarily long master keys.  Thus fscrypt still does HKDF-Extract.  No
46  * Compute HKDF-Extract using 'master_key' as the input keying material, and
48  * HKDF-Expand many times without having to recompute HKDF-Extract each time.
63  * HKDF-Expand (RFC 5869 section 2.3).  Expand the HMAC key 'hkdf' into 'okmlen'
64  * bytes of output keying material parameterized by the application-specific
66  * byte.  This is thread-safe and may be called by multiple threads in parallel.
69  * adds to its application-specific info strings to guarantee that it doesn't
85 			hmac_sha512_update(&ctx, &okm[i - HKDF_HASHLEN],  in fscrypt_hkdf_expand()
91 		if (okmlen - i < HKDF_HASHLEN) {  in fscrypt_hkdf_expand()
93 			memcpy(&okm[i], tmp, okmlen - i);  in fscrypt_hkdf_expand()