Re: [PATCH v2 6/7] fs: use HKDF implementation from kernel crypto API
From: Eric Biggers
Date: Thu Jan 28 2021 - 15:18:08 EST
Please prefix the commit subject with "fscrypt: " rather than "fs: ".
On Sun, Jan 24, 2021 at 03:04:31PM +0100, Stephan Müller wrote:
> diff --git a/fs/crypto/hkdf.c b/fs/crypto/hkdf.c
> index e0ec21055505..ae236b42b1f0 100644
> --- a/fs/crypto/hkdf.c
> +++ b/fs/crypto/hkdf.c
> @@ -9,7 +9,7 @@
> * Copyright 2019 Google LLC
> */
>
> -#include <crypto/hash.h>
> +#include <crypto/hkdf.h>
> #include <crypto/sha2.h>
>
> #include "fscrypt_private.h"
> @@ -37,23 +37,7 @@
> * unnecessarily long master keys. Thus fscrypt still does HKDF-Extract. No
> * salt is used, since fscrypt master keys should already be pseudorandom and
> * there's no way to persist a random salt per master key from kernel mode.
> - */
> -
> -/* HKDF-Extract (RFC 5869 section 2.2), unsalted */
> -static int hkdf_extract(struct crypto_shash *hmac_tfm, const u8 *ikm,
> - unsigned int ikmlen, u8 prk[HKDF_HASHLEN])
> -{
> - static const u8 default_salt[HKDF_HASHLEN];
> - int err;
> -
> - err = crypto_shash_setkey(hmac_tfm, default_salt, HKDF_HASHLEN);
> - if (err)
> - return err;
> -
> - return crypto_shash_tfm_digest(hmac_tfm, ikm, ikmlen, prk);
> -}
> -
> -/*
> + *
> * Compute HKDF-Extract using the given master key as the input keying material,
> * and prepare an HMAC transform object keyed by the resulting pseudorandom key.
> *
I don't think this comment should be joined with the one above it. The earlier
comment describes the general approach taken with fscrypt and HKDF (including
all steps), while the one beginning with "Compute HKDF-Extract" describes
fscrypt_init_hkdf() specifically.
- Eric