Re: [PATCH v4 7/8] lib: mbedtls: sha256: add support of key derivation

Mon, 16 Dec 2024 07:27:35 -0800 

Hi Raymond,


Le 13/12/2024 à 17:58, Raymond Mao a écrit :
*This Mail comes from Outside of SoftAtHome: *Do not answer, click links or open attachments unless you recognize the sender and know the content is safe.** 

Hi Philippe,
On Thu, 12 Dec 2024 at 08:37, Philippe Reynes <philippe.rey...@softathome.com> wrote: 

    Adds the support of key derivation using the scheme hkdf.
    This scheme is defined in rfc5869.

    Signed-off-by: Philippe Reynes <philippe.rey...@softathome.com>
    ---
     include/u-boot/sha256.h | 20 ++++++++++++++++++++
     lib/mbedtls/sha256.c    | 22 ++++++++++++++++++++++
     2 files changed, 42 insertions(+)

    diff --git a/include/u-boot/sha256.h b/include/u-boot/sha256.h
    index 2f12275b703..f21173305a6 100644
    --- a/include/u-boot/sha256.h
    +++ b/include/u-boot/sha256.h
    @@ -1,6 +1,8 @@
     #ifndef _SHA256_H
     #define _SHA256_H

    +#include <linux/compiler_attributes.h>
    +#include <linux/errno.h>
     #include <linux/kconfig.h>
     #include <linux/types.h>

    @@ -49,4 +51,22 @@ void sha256_hmac(const unsigned char *key, int
    keylen,
                     const unsigned char *input, unsigned int ilen,
                     unsigned char *output);

    +#if CONFIG_IS_ENABLED(HKDF_MBEDTLS)
    +int sha256_hkdf(const unsigned char *salt, int saltlen,
    +               const unsigned char *ikm, int ikmlen,
    +               const unsigned char *info, int infolen,
    +               unsigned char *output, int outputlen);
    +#else
    +static inline int sha256_hkdf(const unsigned char __always_unused
    *salt,
    +                             int __always_unused saltlen,
    +                             const unsigned char __always_unused
    *ikm,
    +                             int __always_unused ikmlen,
    +                             const unsigned char __always_unused
    *info,
    +                             int __always_unused infolen,
    +                             unsigned char __always_unused *output,
    +                             int __always_unused outputlen) {
    +       return -EOPNOTSUPP;
    +}
    +#endif
    +
     #endif /* _SHA256_H */
    diff --git a/lib/mbedtls/sha256.c b/lib/mbedtls/sha256.c
    index 2128e598834..b8bc43b612e 100644
    --- a/lib/mbedtls/sha256.c
    +++ b/lib/mbedtls/sha256.c
    @@ -10,6 +10,11 @@
     #endif /* USE_HOSTCC */
     #include <u-boot/sha256.h>

    +#if CONFIG_IS_ENABLED(HKDF_MBEDTLS)
    +#include <mbedtls/md.h>
    +#include <mbedtls/hkdf.h>
    +#endif
    +
     const u8 sha256_der_prefix[SHA256_DER_LEN] = {
            0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
            0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05,
    @@ -33,3 +38,20 @@ void sha256_finish(sha256_context *ctx, uint8_t
    digest[SHA256_SUM_LEN])
            mbedtls_sha256_finish(ctx, digest);
            mbedtls_sha256_free(ctx);
     }
    +
    +#if CONFIG_IS_ENABLED(HKDF_MBEDTLS)
    +int sha256_hkdf(const unsigned char *salt, int saltlen,
    +               const unsigned char *ikm, int ikmlen,
    +               const unsigned char *info, int infolen,
    +               unsigned char *output, int outputlen)
    +{
    +       const mbedtls_md_info_t *md;
    +
    +       md = mbedtls_md_info_from_type(MBEDTLS_MD_SHA256);


Please check if the return is not NULL.



I have added check in v5




    +
    +       return mbedtls_hkdf(md, salt, saltlen,
    +                           ikm, ikmlen,
    +                           info, infolen,
    +                           output, outputlen);
    +}
    +#endif
-- 2.25.1 


Regards,
Raymond



Regards,
Philippe

Reply via email to