Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp1035816imu; Fri, 11 Jan 2019 13:48:01 -0800 (PST) X-Google-Smtp-Source: ALg8bN4cwuuDpiUzysaiXz6yzq07DRPOhAitQZVMwhQ62bI1CEBoc6D2Hk5DYU5kqMpNQOGMXk0v X-Received: by 2002:a65:6417:: with SMTP id a23mr14905232pgv.236.1547243281533; Fri, 11 Jan 2019 13:48:01 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1547243281; cv=none; d=google.com; s=arc-20160816; b=RZOc3tqoYuNG7jh/egjbaV6wjoOfISH5KXuxDfA2eTPseiFQ5o3yHZOAMbWAm9eGrH HII+mXl9onaKZb0ihOQu6hU2ezXLectQecfDo1S/Wt+62DblYmefzuBqp2PZ5yLK+2B/ QZiaGyysTrsGgXlbRPn5C4A1E8H1khwlsBwwHu20QBKqYe+v+7CshotetfB8m5GUFq6s 1zIPRzzg3fP6T2xxg3PiYpVIL4Lj+3+7hJCT+xZuJlOS0HV3JvB293NRA9j6BMv3+P4t 01S1OErsRJ5/HPjt5dD1L7wj+N/lZQtdj9XkviyLovi/UUmJNtqJt0incMmd6b5aQGFl rbcQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=4AYi+MkUrKf+lfwSEQQdfE9a2fKEILbeYVFC8+EZ1GY=; b=sJRMj5cXf1WiKMUWT2jUaPEpYxp/gckY6wi4AzsvNWkwM+xRuL4JZ1sTSfkfMuw42k tiWs8ns+PU5Fa0WtNtybQjwp6N6o2kb9EBmVDrpQH7rPdvP4pQlZuKdxgFfkSEp4xVuZ n53fWr89PCSaOu/XNLsO0kzyQPPcXaAJDJfKSIttG6sucXCeI3wR9JxvB7azMSI4yJfM lmjAENDuDyyq+IVjHKk3rRpb1tdJfboHm1Nuwipq/EeGa1RZBc02g+D79GVxnwp+K/+N MsM9A/5i4OMsgbfVByZaHevnysBH/sIH4xBtSvpk7JUHxJXfTdzgYgyBpXYHrFugT60m wGzA== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@chronox.de header.s=strato-dkim-0002 header.b=n7SLib3x; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id x8si13116320plo.259.2019.01.11.13.47.46; Fri, 11 Jan 2019 13:48:01 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@chronox.de header.s=strato-dkim-0002 header.b=n7SLib3x; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2390417AbfAKTOH (ORCPT + 99 others); Fri, 11 Jan 2019 14:14:07 -0500 Received: from mo4-p03-ob.smtp.rzone.de ([81.169.146.174]:14454 "EHLO mo4-p03-ob.smtp.rzone.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2390318AbfAKTN6 (ORCPT ); Fri, 11 Jan 2019 14:13:58 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1547234033; s=strato-dkim-0002; d=chronox.de; h=References:In-Reply-To:Message-ID:Date:Subject:Cc:To:From: X-RZG-CLASS-ID:X-RZG-AUTH:From:Subject:Sender; bh=4AYi+MkUrKf+lfwSEQQdfE9a2fKEILbeYVFC8+EZ1GY=; b=n7SLib3xWjsNanqT0jce6PpC5tZ72dCLOYHMxw1PKMsbdrsVMvXp1j25tF+M9wXzuT kwB4XDVg5l7kvE/2sI+7pno9qsy7Bz9KgzV0h70jyNAX67Bw4NnQXIrMvGvEjbK0dj8s KIXqP/4Ezx6pjxc7wM4tZtmljy+90/zLYbXazCN/NkcJMjq7xCtfbVUvxD17Ee0uJYy1 dDJlX4aWKo/nE9Po8YcQSkbNTd/yt5nxBf0iozEFLMDg/RYooSGMvQB2ZZmcsNI3YSd3 1NbO6/0F4kNZT8xgg951EWCKimy3fXQAqJbqZhWXJWfipxtX7rHGYjiLQfPB4kgiSABh zd1g== X-RZG-AUTH: ":P2ERcEykfu11Y98lp/T7+hdri+uKZK8TKWEqNyiHySGSa9k9xmwdNnzGHXPaLvSbdkg=" X-RZG-CLASS-ID: mo00 Received: from positron.chronox.de by smtp.strato.de (RZmta 44.9 DYNA|AUTH) with ESMTPSA id 309bcfv0BJDXflE (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (curve secp521r1 with 521 ECDH bits, eq. 15360 bits RSA)) (Client did not present a certificate); Fri, 11 Jan 2019 20:13:33 +0100 (CET) From: Stephan =?ISO-8859-1?Q?M=FCller?= To: Eric Biggers , Herbert Xu Cc: James Bottomley , Andy Lutomirski , "Lee, Chun-Yi" , "Rafael J . Wysocki" , Pavel Machek , linux-kernel@vger.kernel.org, linux-pm@vger.kernel.org, keyrings@vger.kernel.org, "Rafael J. Wysocki" , Chen Yu , Oliver Neukum , Ryan Chen , David Howells , Giovanni Gherdovich , Randy Dunlap , Jann Horn , Andy Lutomirski , linux-crypto@vger.kernel.org Subject: [PATCH 0/6] General Key Derivation Function Support Date: Fri, 11 Jan 2019 20:08:16 +0100 Message-ID: <9733066.Vrs4h5eWcW@positron.chronox.de> In-Reply-To: <20190109082103.GA8586@sol.localdomain> References: <20190103143227.9138-1-jlee@suse.com> <1894062.aDvIuj92vB@tauon.chronox.de> <20190109082103.GA8586@sol.localdomain> MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Herbert, Eric, key derivation functions behave like a random number generator requiring a seed and can generate arbitrarily-sized bit sequences. As KDFs wrap ciphers, the first patch adds template support for the RNG part of the kernel crypto API. This allows the KDFs to be implemented as templates. The patches two through five add different KDFs. The immediate use in the kernel are: - SP800-108: security/keys/dh.c - HKDF: As Eric Biggers outlined, he wants to use HKDF for Ext4 FBE Other areas of the kernel implement KDFs which should be migrated to the common code base offered with this patch. The last patch adds the KDF invocation to tcrypt to allow an immediate test invocation of the KDFs which is at least needed for FIPS 140-2 compliance where the tcrypt module is insmod'ed during boot time to trigger the self tests. Eric, considering your request for supporting parallel use of HKDF, I instantiate the HMAC twice: once for the extract and once for the expand phase. The idea is that an extract operation does not collide too much with the expand operation (when using one instance of HMAC, the extract phase would invoke setkey with the salt and thus affect the expand phase). Though, the final extract phase setkey call with the PRK is non-atomic (at least in the software HMAC implementation). Thus, the caller would need to guarantee to invoke the extract phase while no expand phase operation is performed. So, maintaining two HMAC instances is not really required after all. What is your take on that? Stephan Mueller (6): crypto: add template handling for RNGs crypto: kdf - SP800-108 Key Derivation Function crypto: kdf - add known answer tests crypto: hkdf - RFC5869 Key Derivation Function crypto: hkdf - add known answer tests crypto: tcrypt - add KDF test invocation crypto/Kconfig | 13 + crypto/Makefile | 2 + crypto/hkdf.c | 290 ++++++++++++++++++++ crypto/kdf.c | 492 ++++++++++++++++++++++++++++++++++ crypto/rng.c | 44 +++ crypto/tcrypt.c | 8 + crypto/testmgr.c | 258 ++++++++++++++++++ crypto/testmgr.h | 225 ++++++++++++++++ include/crypto/internal/rng.h | 26 ++ 9 files changed, 1358 insertions(+) create mode 100644 crypto/hkdf.c create mode 100644 crypto/kdf.c -- 2.20.1