Re: [PATCH v2 3/4] crypto: kdf - SP800-108 Key Derivation Function

2016-06-07 Thread Stephan Mueller 
Am Mittwoch, 8. Juni 2016, 11:13:34 schrieb Herbert Xu:

Hi Herbert,

> OK.  I don't think the RNG API really guarantees that you can do
> in-place generation anyway.  So don't even bother checking for
> src == dst.

Ok, I will remove the check.
> 
> When you submit this again can you please send it along with a
> user?

Yes, I will.

Ciao
Stephan
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH v2 3/4] crypto: kdf - SP800-108 Key Derivation Function

2016-06-07 Thread Herbert Xu 
On Thu, Jun 02, 2016 at 05:12:20PM +0200, Stephan Mueller wrote:
>
> The KDFs are usually used for output sizes between one and 4 keys. So, 
> commonly it is expected that not more than 200 or 300 bytes are generated by 
> one call. But you cannot be sure how much data a user wants. The spec allows 
> that the user generates up to 2^50 or so bytes. The implementation I offer is 
> limited to unsigned int bytes.
> 
> Note, if one would implement a key ladder, it can be expected that many keys 
> are generated from one KDF seed.
> 
> I tried to avoid memcpy for speed purposes. And all the user needs to do is 
> to 
> not invoke an in-place crypto operation.
> 
> Maybe I should copy the input data into a private memory location so that the 
> KDF can be used like any other cipher: the caller uses a reference to the 
> instance to generate data where the caller does not need to ensure that some 
> initial data must be left at some specific place.

OK.  I don't think the RNG API really guarantees that you can do
in-place generation anyway.  So don't even bother checking for
src == dst.

When you submit this again can you please send it along with a
user?

Thanks,
-- 
Email: Herbert Xu 
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH v2 3/4] crypto: kdf - SP800-108 Key Derivation Function

2016-06-02 Thread Stephan Mueller 
Am Donnerstag, 2. Juni 2016, 16:55:26 schrieb Herbert Xu:

Hi Herbert,

> 
> Why don't you put the result in a temporary buffer and then copy
> it? These things are tiny, right?

The KDFs are usually used for output sizes between one and 4 keys. So, 
commonly it is expected that not more than 200 or 300 bytes are generated by 
one call. But you cannot be sure how much data a user wants. The spec allows 
that the user generates up to 2^50 or so bytes. The implementation I offer is 
limited to unsigned int bytes.

Note, if one would implement a key ladder, it can be expected that many keys 
are generated from one KDF seed.

I tried to avoid memcpy for speed purposes. And all the user needs to do is to 
not invoke an in-place crypto operation.

Maybe I should copy the input data into a private memory location so that the 
KDF can be used like any other cipher: the caller uses a reference to the 
instance to generate data where the caller does not need to ensure that some 
initial data must be left at some specific place.

Ciao
Stephan
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH v2 3/4] crypto: kdf - SP800-108 Key Derivation Function

2016-06-02 Thread Herbert Xu 
On Tue, May 31, 2016 at 01:52:32PM +0200, Stephan Mueller wrote:
>
> + * NOTE: Technically you can use one buffer for holding the label_context and
> + *the outbuf in the example above. Howerver, multiple rounds of the
> + *KDF are to be expected with the input must always be the same.
> + *The first round would replace the input in case of one buffer, and the
> + *KDF would calculate a cryptographically strong result which, however,
> + *is not portable to other KDF implementations! Thus, always use
> + *different buffers for the label_context and the outbuf. A safe
> + *in-place operation can only be done when only one round of the KDF
> + *is executed (i.e. the size of the requested buffer is equal to the
> + *digestsize of the used MAC).

Why don't you put the result in a temporary buffer and then copy
it? These things are tiny, right?

Cheers,
-- 
Email: Herbert Xu 
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH v2 3/4] crypto: kdf - SP800-108 Key Derivation Function

2016-05-31 Thread Stephan Mueller 
The SP800-108 compliant Key Derivation Function is implemented as a
random number generator considering that it behaves like a deterministic
RNG.

All three KDF types specified in SP800-108 are implemented.

The code comments provide details about how to invoke the different KDF
types.

Signed-off-by: Stephan Mueller 
---
 crypto/kdf.c | 514 +++
 1 file changed, 514 insertions(+)
 create mode 100644 crypto/kdf.c

diff --git a/crypto/kdf.c b/crypto/kdf.c
new file mode 100644
index 000..b39bddf
--- /dev/null
+++ b/crypto/kdf.c
@@ -0,0 +1,514 @@
+/*
+ * Copyright (C) 2015, Stephan Mueller 
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *notice, and the entire permission notice in its entirety,
+ *including the disclaimer of warranties.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *notice, this list of conditions and the following disclaimer in the
+ *documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *products derived from this software without specific prior
+ *written permission.
+ *
+ * ALTERNATIVELY, this product may be distributed under the terms of
+ * the GNU General Public License, in which case the provisions of the GPL2
+ * are required INSTEAD OF the above restrictions.  (This clause is
+ * necessary due to a potential bad interaction between the GPL and
+ * the restrictions contained in a BSD-style copyright.)
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
+ * WHICH ARE HEREBY DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
+ * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+ * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
+ * DAMAGE.
+ */
+
+/*
+ * For performing a KDF operation, the following input is required
+ * from the caller:
+ *
+ * * Keying material to be used to derive the new keys from
+ *   (denoted as Ko in SP800-108)
+ * * Label -- a free form binary string
+ * * Context -- a free form binary string
+ *
+ * The KDF is implemented as a random number generator.
+ *
+ * The Ko keying material is to be provided with the initialization of the KDF
+ * "random number generator", i.e. with the crypto_rng_reset function.
+ *
+ * The Label and Context concatenated string is provided when obtaining random
+ * numbers, i.e. with the crypto_rng_generate function. The caller must format
+ * the free-form Label || Context input as deemed necessary for the given
+ * purpose. Note, SP800-108 mandates that the Label and Context are separated
+ * by a 0x00 byte, i.e. the caller shall provide the input as
+ * Label || 0x00 || Context when trying to be compliant to SP800-108. For
+ * the feedback KDF, an IV is required as documented below.
+ *
+ * Example without proper error handling:
+ * char *keying_material = "\x00\x11\x22\x33\x44\x55\x66\x77";
+ * char *label_context = "\xde\xad\xbe\xef\x00\xde\xad\xbe\xef";
+ * kdf = crypto_alloc_rng(name, 0, 0);
+ * crypto_rng_reset(kdf, keying_material, 8);
+ * crypto_rng_generate(kdf, label_context, 9, outbuf, outbuflen);
+ *
+ * NOTE: Technically you can use one buffer for holding the label_context and
+ *  the outbuf in the example above. Howerver, multiple rounds of the
+ *  KDF are to be expected with the input must always be the same.
+ *  The first round would replace the input in case of one buffer, and the
+ *  KDF would calculate a cryptographically strong result which, however,
+ *  is not portable to other KDF implementations! Thus, always use
+ *  different buffers for the label_context and the outbuf. A safe
+ *  in-place operation can only be done when only one round of the KDF
+ *  is executed (i.e. the size of the requested buffer is equal to the
+ *  digestsize of the used MAC).
+ */
+
+#include 
+#include 
+#include 
+#include 
+
+struct crypto_kdf_ctx {
+   struct shash_desc shash;
+   char ctx[];
+};
+
+/* convert 32 bit integer into its string representation */
+static inline void crypto_kw_cpu_to_be32(u32 val, u8 *buf)
+{
+   __be32 *a = (__be32 *)buf;
+
+   *a = cpu_to_be32(val);
+}
+
+/*
+ * Implementation of the KDF in double pipeline iteration