[PATCH v2 4/5] lib: mbedtls: sha256: add support of key derivation

Philippe REYNES philippe.reynes at softathome.com
Fri Dec 6 15:00:31 CET 2024 

Hi Raymond,

Le 05/12/2024 à 18:18, Raymond Mao a écrit :
>
> *This Mail comes from Outside of SoftAtHome: *Do not answer, click 
> links or open attachments unless you recognize the sender and know the 
> content is safe.**
>
> Hi Philippe,
>
> On Wed, 4 Dec 2024 at 12:54, Philippe Reynes 
> <philippe.reynes at softathome.com> wrote:
>
>     Adds the support of key derivation using the scheme hkdf.
>     This scheme is defined in rfc5869.
>
>     Signed-off-by: Philippe Reynes <philippe.reynes at softathome.com>
>     ---
>      include/u-boot/sha256.h |  5 +++++
>      lib/mbedtls/sha256.c    | 18 ++++++++++++++++++
>      2 files changed, 23 insertions(+)
>
>     diff --git a/include/u-boot/sha256.h b/include/u-boot/sha256.h
>     index 77dbcd4553a..0a6e309e3ab 100644
>     --- a/include/u-boot/sha256.h
>     +++ b/include/u-boot/sha256.h
>     @@ -48,4 +48,9 @@ void sha256_hmac(const unsigned char *key, int
>     keylen,
>                      const unsigned char *input, unsigned int ilen,
>                      unsigned char *output);
>
>     +int sha256_hkdf(const unsigned char *salt, int saltlen,
>     +               const unsigned char *ikm, int ikmlen,
>     +               const unsigned char *info, int infolen,
>     +               unsigned char *output, int outputlen);
>     +
>
> An inline function is needed when the build options are not fulfilled.
Ah yes, I forgot to manage the case where sha256_hkdf is not provided.
I will be fixed in v3.


>      #endif /* _SHA256_H */
>     diff --git a/lib/mbedtls/sha256.c b/lib/mbedtls/sha256.c
>     index 1b9fc1a8503..c38e3e5818c 100644
>     --- a/lib/mbedtls/sha256.c
>     +++ b/lib/mbedtls/sha256.c
>     @@ -11,6 +11,9 @@
>      #include <string.h>
>      #include <u-boot/sha256.h>
>
>     +#include <mbedtls/md.h>
>     +#include <mbedtls/hkdf.h>
>     +
>      const u8 sha256_der_prefix[SHA256_DER_LEN] = {
>             0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
>             0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05,
>     @@ -98,3 +101,18 @@ void sha256_hmac(const unsigned char *key, int
>     keylen,
>             memset(tmpbuf, 0, sizeof(tmpbuf));
>             memset(&ctx, 0, sizeof(sha256_context));
>      }
>     +
>     +int sha256_hkdf(const unsigned char *salt, int saltlen,
>     +               const unsigned char *ikm, int ikmlen,
>     +               const unsigned char *info, int infolen,
>     +               unsigned char *output, int outputlen)
>     +{
>     +       const mbedtls_md_info_t *md;
>     +
>     +       md = mbedtls_md_info_from_type(MBEDTLS_MD_SHA256);
>     +
>     +       return mbedtls_hkdf(md, salt, saltlen,
>     +                           ikm, ikmlen,
>     +                           info, infolen,
>     +                           output, outputlen);
>     +}
>
> Missing `#if CONFIG_IS_ENABLED(HKDF_MBEDTLS)`.


Again, you're right, I forgot this #if ...
I add it in the new version v3


>
> Regards,
> Raymond


Regards,
Philippe

More information about the U-Boot mailing list