[RFC,5/8] cert-crypto: refactor l_cert_pkcs5_pbkdf2

Message ID	20221118211624.19298-6-prestwoj@gmail.com (mailing list archive)
State	New
Headers	show Received: from mail-pj1-f50.google.com (mail-pj1-f50.google.com [209.85.216.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id AEEE6A492 for <ell@lists.linux.dev>; Fri, 18 Nov 2022 21:16:42 +0000 (UTC) From: James Prestwood <prestwoj@gmail.com> To: ell@lists.linux.dev Cc: James Prestwood <prestwoj@gmail.com> Subject: [RFC 5/8] cert-crypto: refactor l_cert_pkcs5_pbkdf2 Date: Fri, 18 Nov 2022 13:16:21 -0800 Message-Id: <20221118211624.19298-6-prestwoj@gmail.com> In-Reply-To: <20221118211624.19298-1-prestwoj@gmail.com> References: <20221118211624.19298-1-prestwoj@gmail.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	Crypto operations by key ID \| expand [RFC,0/8] Crypto operations by key ID [RFC,1/8] key: add l_key_search [RFC,2/8] unit: add key search test [RFC,3/8] checksum: commonize checksum creation [RFC,4/8] checksum: add l_checksum_new_hmac_from_key_id [RFC,5/8] cert-crypto: refactor l_cert_pkcs5_pbkdf2 [RFC,6/8] cert: add l_cert_pkcs5_pbkdf2_from_key_id [RFC,7/8] cert: add explicit length to l_cert_pkcs5_pbkdf2 [RFC,8/8] unit: update test-pbkdf2 with API change

Message ID

20221118211624.19298-6-prestwoj@gmail.com (mailing list archive)

State

New

Headers

From: James Prestwood <prestwoj@gmail.com>
To: ell@lists.linux.dev
Cc: James Prestwood <prestwoj@gmail.com>
Subject: [RFC 5/8] cert-crypto: refactor l_cert_pkcs5_pbkdf2
Date: Fri, 18 Nov 2022 13:16:21 -0800
Message-Id: <20221118211624.19298-6-prestwoj@gmail.com>
In-Reply-To: <20221118211624.19298-1-prestwoj@gmail.com>
References: <20221118211624.19298-1-prestwoj@gmail.com>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

Crypto operations by key ID | expand

Context	Check	Description
tedd_an/pre-ci_am	success	Success

Context

Check

Description

tedd_an/pre-ci_am

success

Success

This makes the actual algorithm common to prepare for adding a new variant which uses a key ID rather than password. --- ell/cert-crypto.c | 67 +++++++++++++++++++++++++++++------------------ 1 file changed, 41 insertions(+), 26 deletions(-)

Comments

Denis Kenzior Nov. 22, 2022, 5 p.m. UTC | #1

Hi James,

On 11/18/22 15:16, James Prestwood wrote:
> This makes the actual algorithm common to prepare for adding a
> new variant which uses a key ID rather than password.
> ---
>   ell/cert-crypto.c | 67 +++++++++++++++++++++++++++++------------------
>   1 file changed, 41 insertions(+), 26 deletions(-)
> 
> diff --git a/ell/cert-crypto.c b/ell/cert-crypto.c
> index e6e8876..bf748b0 100644
> --- a/ell/cert-crypto.c
> +++ b/ell/cert-crypto.c
> @@ -103,44 +103,34 @@ LIB_EXPORT bool l_cert_pkcs5_pbkdf1(enum l_checksum_type type,
>   	return !iter_count;
>   }
>   
> -/* RFC8018 section 5.2 */
> -LIB_EXPORT bool l_cert_pkcs5_pbkdf2(enum l_checksum_type type,
> -					const char *password,
> -					const uint8_t *salt, size_t salt_len,
> -					unsigned int iter_count,
> -					uint8_t *out_dk, size_t dk_len)
> +static size_t cert_checksum_to_length(enum l_checksum_type type)

We already have l_checksum_digest_length().  Should we use that?

>   {
> -	size_t h_len;
> -	struct l_checksum *checksum;
> -	unsigned int i;
> -
>   	switch (type) {
>   	case L_CHECKSUM_SHA1:
> -		h_len = 20;
> -		break;
> +		return 20;
>   	case L_CHECKSUM_SHA224:
> -		h_len = 28;
> -		break;
> +		return 28;
>   	case L_CHECKSUM_SHA256:
> -		h_len = 32;
> -		break;
> +		return 32;
>   	case L_CHECKSUM_SHA384:
> -		h_len = 48;
> -		break;
> +		return 48;
>   	case L_CHECKSUM_SHA512:
> -		h_len = 64;
> -		break;
> +		return 64;
>   	case L_CHECKSUM_NONE:
>   	case L_CHECKSUM_MD4:
>   	case L_CHECKSUM_MD5:
> -		return false;
> +		return 0;
>   	default:
> -		return false;
> +		return 0;
>   	}
> +}
>   
> -	checksum = l_checksum_new_hmac(type, password, strlen(password));
> -	if (!checksum)
> -		return false;
> +static bool cert_pkcs5_pbkdf2(struct l_checksum *checksum, const uint8_t *salt,
> +				size_t salt_len, size_t h_len,
> +				unsigned int iter_count, uint8_t *out_dk,
> +				size_t dk_len)
> +{
> +	unsigned int i;
>   
>   	for (i = 1; dk_len; i++) {
>   		unsigned int j, k;

Regards,
-Denis

diff --git a/ell/cert-crypto.c b/ell/cert-crypto.c
index e6e8876..bf748b0 100644
--- a/ell/cert-crypto.c
+++ b/ell/cert-crypto.c
@@ -103,44 +103,34 @@  LIB_EXPORT bool l_cert_pkcs5_pbkdf1(enum l_checksum_type type,
 	return !iter_count;
 }
 
-/* RFC8018 section 5.2 */
-LIB_EXPORT bool l_cert_pkcs5_pbkdf2(enum l_checksum_type type,
-					const char *password,
-					const uint8_t *salt, size_t salt_len,
-					unsigned int iter_count,
-					uint8_t *out_dk, size_t dk_len)
+static size_t cert_checksum_to_length(enum l_checksum_type type)
 {
-	size_t h_len;
-	struct l_checksum *checksum;
-	unsigned int i;
-
 	switch (type) {
 	case L_CHECKSUM_SHA1:
-		h_len = 20;
-		break;
+		return 20;
 	case L_CHECKSUM_SHA224:
-		h_len = 28;
-		break;
+		return 28;
 	case L_CHECKSUM_SHA256:
-		h_len = 32;
-		break;
+		return 32;
 	case L_CHECKSUM_SHA384:
-		h_len = 48;
-		break;
+		return 48;
 	case L_CHECKSUM_SHA512:
-		h_len = 64;
-		break;
+		return 64;
 	case L_CHECKSUM_NONE:
 	case L_CHECKSUM_MD4:
 	case L_CHECKSUM_MD5:
-		return false;
+		return 0;
 	default:
-		return false;
+		return 0;
 	}
+}
 
-	checksum = l_checksum_new_hmac(type, password, strlen(password));
-	if (!checksum)
-		return false;
+static bool cert_pkcs5_pbkdf2(struct l_checksum *checksum, const uint8_t *salt,
+				size_t salt_len, size_t h_len,
+				unsigned int iter_count, uint8_t *out_dk,
+				size_t dk_len)
+{
+	unsigned int i;
 
 	for (i = 1; dk_len; i++) {
 		unsigned int j, k;
@@ -180,9 +170,34 @@  LIB_EXPORT bool l_cert_pkcs5_pbkdf2(enum l_checksum_type type,
 		dk_len -= block_len;
 	}
 
+	return !dk_len;
+}
+
+/* RFC8018 section 5.2 */
+LIB_EXPORT bool l_cert_pkcs5_pbkdf2(enum l_checksum_type type,
+					const char *password,
+					const uint8_t *salt, size_t salt_len,
+					unsigned int iter_count,
+					uint8_t *out_dk, size_t dk_len)
+{
+	size_t h_len;
+	struct l_checksum *checksum;
+	bool r;
+
+	h_len = cert_checksum_to_length(type);
+	if (!h_len)
+		return false;
+
+	checksum = l_checksum_new_hmac(type, password, strlen(password));
+	if (!checksum)
+		return false;
+
+	r = cert_pkcs5_pbkdf2(checksum, salt, salt_len, h_len, iter_count,
+				out_dk, dk_len);
+
 	l_checksum_free(checksum);
 
-	return !dk_len;
+	return r;
 }
 
 /* RFC7292 Appendix B */

[RFC,5/8] cert-crypto: refactor l_cert_pkcs5_pbkdf2

Checks

Commit Message

Comments

Patch