Lines Matching +full:sha +full:- +full:256
1 // SPDX-License-Identifier: GPL-2.0
16 * SHA-512 because it is well-established, secure, and reasonably efficient.
18 * HKDF-SHA256 was also considered, as its 256-bit security strength would be
19 * sufficient here. A 512-bit security strength is "nice to have", though.
20 * Also, on 64-bit CPUs, SHA-512 is usually just as fast as SHA-256. In the
21 * common case of deriving an AES-256-XTS key (512 bits), that can result in
22 * HKDF-SHA512 being much faster than HKDF-SHA256, as the longer digest size of
23 * SHA-512 causes HKDF-Expand to only need to do one iteration rather than two.
31 * 1. HKDF-Extract: extract a pseudorandom key of length HKDF_HASHLEN bytes from
33 * 2. HKDF-Expand: expand the pseudorandom key into output keying material of
34 * any length, parameterized by an application-specific info string.
36 * HKDF-Extract can be skipped if the input is already a pseudorandom key of
37 * length HKDF_HASHLEN bytes. However, cipher modes other than AES-256-XTS take
39 * unnecessarily long master keys. Thus fscrypt still does HKDF-Extract. No
45 * Compute HKDF-Extract using the given master key as the input keying material,
48 * Afterwards, the keyed HMAC transform object can be used for HKDF-Expand many
49 * times without having to recompute HKDF-Extract each time.
67 err = -EINVAL; in fscrypt_init_hkdf()
80 hkdf->hmac_tfm = hmac_tfm; in fscrypt_init_hkdf()
91 * HKDF-Expand (RFC 5869 section 2.3). This expands the pseudorandom key, which
92 * was already keyed into 'hkdf->hmac_tfm' by fscrypt_init_hkdf(), into 'okmlen'
93 * bytes of output keying material parameterized by the application-specific
95 * byte. This is thread-safe and may be called by multiple threads in parallel.
98 * adds to its application-specific info strings to guarantee that it doesn't
105 SHASH_DESC_ON_STACK(desc, hkdf->hmac_tfm); in fscrypt_hkdf_expand()
111 return -ENOMEM; in fscrypt_hkdf_expand()
112 desc->tfm = hkdf->hmac_tfm; in fscrypt_hkdf_expand()
118 err = hkdf_expand(hkdf->hmac_tfm, full_info, infolen + 9, in fscrypt_hkdf_expand()
126 crypto_free_shash(hkdf->hmac_tfm); in fscrypt_destroy_hkdf()