export RK_PA3

hc

2024-02-19 151fecfb72a0d602dfe79790602ef64b4e241574

 kernel/fs/crypto/hkdf.c
..
..
@@ -16,9 +16,14 @@
16
16
 
17
17
 /*
18
18
  * HKDF supports any unkeyed cryptographic hash algorithm, but fscrypt uses
19
- * SHA-512 because it is reasonably secure and efficient; and since it produces
20
- * a 64-byte digest, deriving an AES-256-XTS key preserves all 64 bytes of
21
- * entropy from the master key and requires only one iteration of HKDF-Expand.
19
+ * SHA-512 because it is well-established, secure, and reasonably efficient.
20
+ *
21
+ * HKDF-SHA256 was also considered, as its 256-bit security strength would be
22
+ * sufficient here.  A 512-bit security strength is "nice to have", though.
23
+ * Also, on 64-bit CPUs, SHA-512 is usually just as fast as SHA-256.  In the
24
+ * common case of deriving an AES-256-XTS key (512 bits), that can result in
25
+ * HKDF-SHA512 being much faster than HKDF-SHA256, as the longer digest size of
26
+ * SHA-512 causes HKDF-Expand to only need to do one iteration rather than two.
22
27
  */
23
28
 #define HKDF_HMAC_ALG		"hmac(sha512)"
24
29
 #define HKDF_HASHLEN		SHA512_DIGEST_SIZE
..
..
@@ -44,18 +49,13 @@
44
49
 			unsigned int ikmlen, u8 prk[HKDF_HASHLEN])
45
50
 {
46
51
 	static const u8 default_salt[HKDF_HASHLEN];
47
-	SHASH_DESC_ON_STACK(desc, hmac_tfm);
48
52
 	int err;
49
53
 
50
54
 	err = crypto_shash_setkey(hmac_tfm, default_salt, HKDF_HASHLEN);
51
55
 	if (err)
52
56
 		return err;
53
57
 
54
-	desc->tfm = hmac_tfm;
55
-	desc->flags = 0;
56
-	err = crypto_shash_digest(desc, ikm, ikmlen, prk);
57
-	shash_desc_zero(desc);
58
-	return err;
58
+	return crypto_shash_tfm_digest(hmac_tfm, ikm, ikmlen, prk);
59
59
 }
60
60
 
61
61
 /*
..
..
@@ -129,7 +129,6 @@
129
129
 		return -EINVAL;
130
130
 
131
131
 	desc->tfm = hkdf->hmac_tfm;
132
-	desc->flags = 0;
133
132
 
134
133
 	memcpy(prefix, "fscrypt\0", 8);
135
134
 	prefix[8] = context;