| Message ID | 1772794.tdWV9SEqCh@positron.chronox.de (mailing list archive) |
|---|---|
| Headers | show |
| Series | Add KDF implementations to crypto API | expand |
On Sun, 24 Jan 2021 at 15:10, Stephan Müller <smueller@chronox.de> wrote: > > Hi, > > The key derviation functions are considered to be a cryptographic > operation. As cryptographic operations are provided via the kernel > crypto API, this patch set consolidates the KDF implementations into the > crypto API. > > The KDF implementations are provided as service functions. Yet, the > interface to the two provided KDFs are identical with the goal to allow > them to be transformed into a crypto API template eventually. > Why? There are typically two reasons to use the crypto API abstractions: - the algorithm is not known at compile time, so we need the runtime dispatch that the crypto API implements, - the algorithm may be implemented by a h/w accelerator which is discovered at runtime via the driver stack In other cases, a library API is much more suitable, even in the case where we may provide arch-specific accelerated implementations of such an algorithm. > The KDFs execute a power-on self test with test vectors from commonly > known sources. > > Tbe SP800-108 KDF implementation is used to replace the implementation > in the keys subsystem. The implementation was verified using the > keyutils command line test code provided in > tests/keyctl/dh_compute/valid. All tests show that the expected values > are calculated with the new code. > > The HKDF addition is used to replace the implementation in the filesystem > crypto extension. This code was tested by using an EXT4 encrypted file > system that was created and contains files written to by the current > implementation. Using the new implementation a successful read of the > existing files was possible and new files / directories were created > and read successfully. These newly added file system objects could be > successfully read using the current code. Yet if there is a test suite > to validate whether the invokcation of the HKDF calculates the same > result as the existing implementation, I would be happy to validate > the implementation accordingly. > > Changes v2: > > * change HKDF function names > * change HKDF/SP800-108 KDF extract / seed function prototype > * ensure clearing of memory of destination buffer in KDF implementation > if KDF operation fails > * security DH: split the removal of dead code into separate patch > > Stephan Mueller (7): > crypto: Add key derivation self-test support code > crypto: add SP800-108 counter key derivation function > crypto: add RFC5869 HKDF > security: DH - remove dead code for zero padding > security: DH - use KDF implementation from crypto API > fs: use HKDF implementation from kernel crypto API > fs: HKDF - remove duplicate memory clearing > > crypto/Kconfig | 14 ++ > crypto/Makefile | 6 + > crypto/hkdf.c | 199 +++++++++++++++++++++++++ > crypto/kdf_sp800108.c | 149 ++++++++++++++++++ > fs/crypto/Kconfig | 2 +- > fs/crypto/hkdf.c | 103 +++---------- > include/crypto/hkdf.h | 48 ++++++ > include/crypto/internal/kdf_selftest.h | 71 +++++++++ > include/crypto/kdf_sp800108.h | 61 ++++++++ > security/keys/Kconfig | 2 +- > security/keys/dh.c | 118 ++------------- > 11 files changed, 586 insertions(+), 187 deletions(-) > create mode 100644 crypto/hkdf.c > create mode 100644 crypto/kdf_sp800108.c > create mode 100644 include/crypto/hkdf.h > create mode 100644 include/crypto/internal/kdf_selftest.h > create mode 100644 include/crypto/kdf_sp800108.h > > -- > 2.26.2 > > > >
On Sun, 24 Jan 2021 at 15:23, Ard Biesheuvel <ardb@kernel.org> wrote: > > On Sun, 24 Jan 2021 at 15:10, Stephan Müller <smueller@chronox.de> wrote: > > > > Hi, > > > > The key derviation functions are considered to be a cryptographic > > operation. As cryptographic operations are provided via the kernel > > crypto API, this patch set consolidates the KDF implementations into the > > crypto API. > > > > The KDF implementations are provided as service functions. Yet, the > > interface to the two provided KDFs are identical with the goal to allow > > them to be transformed into a crypto API template eventually. > > > > Why? There are typically two reasons to use the crypto API abstractions: > - the algorithm is not known at compile time, so we need the runtime > dispatch that the crypto API implements, > - the algorithm may be implemented by a h/w accelerator which is > discovered at runtime via the driver stack > > In other cases, a library API is much more suitable, even in the case > where we may provide arch-specific accelerated implementations of such > an algorithm. > Hmm, apologies if I got the wrong end of the stick here - this prose and the naming of some of the crypto_hkdf_xxx routines and function pointers in the test code made me think that this is more than it actually is. What we are talking about are basically library wrappers around shash instances to perform HKDF, right? > > > > The KDFs execute a power-on self test with test vectors from commonly > > known sources. > > > > Tbe SP800-108 KDF implementation is used to replace the implementation > > in the keys subsystem. The implementation was verified using the > > keyutils command line test code provided in > > tests/keyctl/dh_compute/valid. All tests show that the expected values > > are calculated with the new code. > > > > The HKDF addition is used to replace the implementation in the filesystem > > crypto extension. This code was tested by using an EXT4 encrypted file > > system that was created and contains files written to by the current > > implementation. Using the new implementation a successful read of the > > existing files was possible and new files / directories were created > > and read successfully. These newly added file system objects could be > > successfully read using the current code. Yet if there is a test suite > > to validate whether the invokcation of the HKDF calculates the same > > result as the existing implementation, I would be happy to validate > > the implementation accordingly. > > > > Changes v2: > > > > * change HKDF function names > > * change HKDF/SP800-108 KDF extract / seed function prototype > > * ensure clearing of memory of destination buffer in KDF implementation > > if KDF operation fails > > * security DH: split the removal of dead code into separate patch > > > > Stephan Mueller (7): > > crypto: Add key derivation self-test support code > > crypto: add SP800-108 counter key derivation function > > crypto: add RFC5869 HKDF > > security: DH - remove dead code for zero padding > > security: DH - use KDF implementation from crypto API > > fs: use HKDF implementation from kernel crypto API > > fs: HKDF - remove duplicate memory clearing > > > > crypto/Kconfig | 14 ++ > > crypto/Makefile | 6 + > > crypto/hkdf.c | 199 +++++++++++++++++++++++++ > > crypto/kdf_sp800108.c | 149 ++++++++++++++++++ > > fs/crypto/Kconfig | 2 +- > > fs/crypto/hkdf.c | 103 +++---------- > > include/crypto/hkdf.h | 48 ++++++ > > include/crypto/internal/kdf_selftest.h | 71 +++++++++ > > include/crypto/kdf_sp800108.h | 61 ++++++++ > > security/keys/Kconfig | 2 +- > > security/keys/dh.c | 118 ++------------- > > 11 files changed, 586 insertions(+), 187 deletions(-) > > create mode 100644 crypto/hkdf.c > > create mode 100644 crypto/kdf_sp800108.c > > create mode 100644 include/crypto/hkdf.h > > create mode 100644 include/crypto/internal/kdf_selftest.h > > create mode 100644 include/crypto/kdf_sp800108.h > > > > -- > > 2.26.2 > > > > > > > >
Am Sonntag, 24. Januar 2021, 15:23:29 CET schrieb Ard Biesheuvel: Hi Ard, > On Sun, 24 Jan 2021 at 15:10, Stephan Müller <smueller@chronox.de> wrote: > > Hi, > > > > The key derviation functions are considered to be a cryptographic > > operation. As cryptographic operations are provided via the kernel > > crypto API, this patch set consolidates the KDF implementations into the > > crypto API. > > > > The KDF implementations are provided as service functions. Yet, the > > interface to the two provided KDFs are identical with the goal to allow > > them to be transformed into a crypto API template eventually. > > Why? There are typically two reasons to use the crypto API abstractions: > - the algorithm is not known at compile time, so we need the runtime > dispatch that the crypto API implements, > - the algorithm may be implemented by a h/w accelerator which is > discovered at runtime via the driver stack > > In other cases, a library API is much more suitable, even in the case > where we may provide arch-specific accelerated implementations of such > an algorithm. In case your "why" refers to why I stated that the KDF implementations are similar to eventually consolidate them into a template eventually: A KDF is conceptually a logic on top of a (hash) algorithm like a block chaining mode on top of a block cipher or a deterministic RNG on top of an underlying cipher. So, conceptually with the kernel crypto API, we would have a KDF template that can be used like hkdf(sha256) or hkdf(sha256-avx2). The behavior of a KDF is identical to a deterministic RNG. Thus, a long time ago, I had a patch developed that adds a very small addition to the existing RNG API to allow the KDFs to be used. See [1]. Yet, that was not desired at the time due to different reasons. Yet, the crypto API as it stands today knows of templates and basic algorithms. Having a separate library API providing a crypto algorithm is new to the crypto API. You see that with the test manager which works well with the templates / algorithms but does not provide any helpers for some "library APIs". In case your "why" refers to whether I am not using a template to begin with: Some time back I provided the patch using a template (see [1] for example). At that time, Herbert wanted to have a service API instead. [1] http://www.chronox.de/kdf.html Ciao Stephan
Am Sonntag, 24. Januar 2021, 15:32:59 CET schrieb Ard Biesheuvel: Hi Ard, > On Sun, 24 Jan 2021 at 15:23, Ard Biesheuvel <ardb@kernel.org> wrote: > > On Sun, 24 Jan 2021 at 15:10, Stephan Müller <smueller@chronox.de> wrote: > > > Hi, > > > > > > The key derviation functions are considered to be a cryptographic > > > operation. As cryptographic operations are provided via the kernel > > > crypto API, this patch set consolidates the KDF implementations into the > > > crypto API. > > > > > > The KDF implementations are provided as service functions. Yet, the > > > interface to the two provided KDFs are identical with the goal to allow > > > them to be transformed into a crypto API template eventually. > > > > Why? There are typically two reasons to use the crypto API abstractions: > > - the algorithm is not known at compile time, so we need the runtime > > dispatch that the crypto API implements, > > - the algorithm may be implemented by a h/w accelerator which is > > discovered at runtime via the driver stack > > > > In other cases, a library API is much more suitable, even in the case > > where we may provide arch-specific accelerated implementations of such > > an algorithm. > > Hmm, apologies if I got the wrong end of the stick here - this prose > and the naming of some of the crypto_hkdf_xxx routines and function > pointers in the test code made me think that this is more than it > actually is. > > What we are talking about are basically library wrappers around shash > instances to perform HKDF, right? Sorry, our emails just crossed each other. Yes, you are absolutely correct. The KDF implementations are wrappers around the SHASH API. Conceptually the provided API is what templates actually should do. As mentioned in the other email, however, adding a template was and is not considered appropriate at the time. Yet, I would like to keep the path open to transform the KDF implementations into a template. Ciao Stephan