Re: [PATCH v5 7/9] lib: mbedtls: sha256: add support of key derivation

Tue, 17 Dec 2024 07:06:44 -0800 

Hi Philippe,

On Tue, 17 Dec 2024 at 03:32, Philippe Reynes <
philippe.rey...@softathome.com> wrote:

> Adds the support of key derivation using the scheme hkdf.
> This scheme is defined in rfc5869.
>
> Signed-off-by: Philippe Reynes <philippe.rey...@softathome.com>
> ---
>  include/u-boot/sha256.h | 20 ++++++++++++++++++++
>  lib/mbedtls/sha256.c    | 23 +++++++++++++++++++++++
>  2 files changed, 43 insertions(+)
>
> diff --git a/include/u-boot/sha256.h b/include/u-boot/sha256.h
> index 99cf78e204c..d7a3403270b 100644
> --- a/include/u-boot/sha256.h
> +++ b/include/u-boot/sha256.h
> @@ -1,6 +1,8 @@
>  #ifndef _SHA256_H
>  #define _SHA256_H
>
> +#include <linux/compiler_attributes.h>
> +#include <linux/errno.h>
>  #include <linux/kconfig.h>
>  #include <linux/types.h>
>
> @@ -49,4 +51,22 @@ int sha256_hmac(const unsigned char *key, int keylen,
>                 const unsigned char *input, unsigned int ilen,
>                 unsigned char *output);
>
> +#if CONFIG_IS_ENABLED(HKDF_MBEDTLS)
> +int sha256_hkdf(const unsigned char *salt, int saltlen,
> +               const unsigned char *ikm, int ikmlen,
> +               const unsigned char *info, int infolen,
> +               unsigned char *output, int outputlen);
> +#else
> +static inline int sha256_hkdf(const unsigned char __always_unused *salt,
> +                             int __always_unused saltlen,
> +                             const unsigned char __always_unused *ikm,
> +                             int __always_unused ikmlen,
> +                             const unsigned char __always_unused *info,
> +                             int __always_unused infolen,
> +                             unsigned char __always_unused *output,
> +                             int __always_unused outputlen) {
> +       return -EOPNOTSUPP;
> +}
> +#endif
> +
>  #endif /* _SHA256_H */
> diff --git a/lib/mbedtls/sha256.c b/lib/mbedtls/sha256.c
> index 7d456a82017..59edcb517df 100644
> --- a/lib/mbedtls/sha256.c
> +++ b/lib/mbedtls/sha256.c
> @@ -12,6 +12,10 @@
>
>  #include <mbedtls/md.h>
>
> +#if CONFIG_IS_ENABLED(HKDF_MBEDTLS)
> +#include <mbedtls/hkdf.h>
> +#endif
> +
>  const u8 sha256_der_prefix[SHA256_DER_LEN] = {
>         0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
>         0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05,
> @@ -48,3 +52,22 @@ int sha256_hmac(const unsigned char *key, int keylen,
>
>         return mbedtls_md_hmac(md, key, keylen, input, ilen, output);
>  }
> +
> +#if CONFIG_IS_ENABLED(HKDF_MBEDTLS)
> +int sha256_hkdf(const unsigned char *salt, int saltlen,
> +               const unsigned char *ikm, int ikmlen,
> +               const unsigned char *info, int infolen,
> +               unsigned char *output, int outputlen)
> +{
> +       const mbedtls_md_info_t *md;
> +
> +       md = mbedtls_md_info_from_type(MBEDTLS_MD_SHA256);
> +       if (!md)
> +               return MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE;
> +
> +       return mbedtls_hkdf(md, salt, saltlen,
> +                           ikm, ikmlen,
> +                           info, infolen,
> +                           output, outputlen);
> +}
> +#endif
> --
> 2.25.1
>
>
Sounds good to me.
Reviewed-by: Raymond Mao <raymond....@linaro.org>

Regards,
Raymond

Reply via email to