[PATCH v7 7/9] lib: mbedtls: sha256: add support of key derivation

Thu, 19 Dec 2024 05:06:36 -0800 

Adds the support of key derivation using the scheme hkdf.
This scheme is defined in rfc5869.

Signed-off-by: Philippe Reynes <philippe.rey...@softathome.com>
---
 include/u-boot/sha256.h | 20 ++++++++++++++++++++
 lib/mbedtls/sha256.c    | 23 +++++++++++++++++++++++
 2 files changed, 43 insertions(+)

diff --git a/include/u-boot/sha256.h b/include/u-boot/sha256.h
index 99cf78e204c..d7a3403270b 100644
--- a/include/u-boot/sha256.h
+++ b/include/u-boot/sha256.h
@@ -1,6 +1,8 @@
 #ifndef _SHA256_H
 #define _SHA256_H
 
+#include <linux/compiler_attributes.h>
+#include <linux/errno.h>
 #include <linux/kconfig.h>
 #include <linux/types.h>
 
@@ -49,4 +51,22 @@ int sha256_hmac(const unsigned char *key, int keylen,
                const unsigned char *input, unsigned int ilen,
                unsigned char *output);
 
+#if CONFIG_IS_ENABLED(HKDF_MBEDTLS)
+int sha256_hkdf(const unsigned char *salt, int saltlen,
+               const unsigned char *ikm, int ikmlen,
+               const unsigned char *info, int infolen,
+               unsigned char *output, int outputlen);
+#else
+static inline int sha256_hkdf(const unsigned char __always_unused *salt,
+                             int __always_unused saltlen,
+                             const unsigned char __always_unused *ikm,
+                             int __always_unused ikmlen,
+                             const unsigned char __always_unused *info,
+                             int __always_unused infolen,
+                             unsigned char __always_unused *output,
+                             int __always_unused outputlen) {
+       return -EOPNOTSUPP;
+}
+#endif
+
 #endif /* _SHA256_H */
diff --git a/lib/mbedtls/sha256.c b/lib/mbedtls/sha256.c
index 7d456a82017..59edcb517df 100644
--- a/lib/mbedtls/sha256.c
+++ b/lib/mbedtls/sha256.c
@@ -12,6 +12,10 @@
 
 #include <mbedtls/md.h>
 
+#if CONFIG_IS_ENABLED(HKDF_MBEDTLS)
+#include <mbedtls/hkdf.h>
+#endif
+
 const u8 sha256_der_prefix[SHA256_DER_LEN] = {
        0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
        0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05,
@@ -48,3 +52,22 @@ int sha256_hmac(const unsigned char *key, int keylen,
 
        return mbedtls_md_hmac(md, key, keylen, input, ilen, output);
 }
+
+#if CONFIG_IS_ENABLED(HKDF_MBEDTLS)
+int sha256_hkdf(const unsigned char *salt, int saltlen,
+               const unsigned char *ikm, int ikmlen,
+               const unsigned char *info, int infolen,
+               unsigned char *output, int outputlen)
+{
+       const mbedtls_md_info_t *md;
+
+       md = mbedtls_md_info_from_type(MBEDTLS_MD_SHA256);
+       if (!md)
+               return MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE;
+
+       return mbedtls_hkdf(md, salt, saltlen,
+                           ikm, ikmlen,
+                           info, infolen,
+                           output, outputlen);
+}
+#endif
-- 
2.25.1

Reply via email to