[PATCH 1/4] lib: sha256: add feature sha256_hmac

Philippe REYNES philippe.reynes at softathome.com
Wed Jul 17 19:08:27 CEST 2024


Hi Peter,

On 16/07/2024 at 18:56, Peter Robinson wrote:
> Hi Philippe,
>
> It might be useful to have a cover letter explaining what the plans
> for this code are, great that there are tests but adding code in
> without it being used isn't always a feature so a cover letter with
> some details often helps with the context.

You're right, I should have added a cover letter.
My goal was to add key derivation and use this feature to fill a key manager,
and then provide those keys (or some of them) to the kernel. So the kernel
may (for example) add them in the KRS.

Do you know if there is some work or interest in a key manager for u-boot, please?

>
> Also if you're not aware there's work to integrate MBedTLS [1] and I'm
> not sure if that also may provide the functionality.

Good point, I missed it. MBedTLS has the feature of key derivation.
https://mbed-tls.readthedocs.io/en/latest/getting_started/psa/#deriving-a-new-key-from-an-existing-key
So unless someone wants to use key derivation without all MBedTLS,
this series is not very useful.

>
> Peter

Regards,
Philippe
>
> [1] https://lists.denx.de/pipermail/u-boot/2024-July/557832.html
>
> On Tue, 16 Jul 2024 at 16:16, Philippe Reynes
> <philippe.reynes at softathome.com> wrote:
>> Adds the support of the hmac based on sha256.
>> This implementation is based on rfc2104.
>>
>> Signed-off-by: Philippe Reynes <philippe.reynes at softathome.com>
>> ---
>>   include/u-boot/sha256.h |  4 ++++
>>   lib/sha256.c            | 40 ++++++++++++++++++++++++++++++++++++++++
>>   2 files changed, 44 insertions(+)
>>
>> diff --git a/include/u-boot/sha256.h b/include/u-boot/sha256.h
>> index a4fe176c0b4..7aa4c54d0d4 100644
>> --- a/include/u-boot/sha256.h
>> +++ b/include/u-boot/sha256.h
>> @@ -24,4 +24,8 @@ void sha256_finish(sha256_context * ctx, uint8_t digest[SHA256_SUM_LEN]);
>>   void sha256_csum_wd(const unsigned char *input, unsigned int ilen,
>>                  unsigned char *output, unsigned int chunk_sz);
>>
>> +void sha256_hmac(const unsigned char *key, int keylen,
>> +                const unsigned char *input, unsigned int ilen,
>> +                unsigned char *output);
>> +
>>   #endif /* _SHA256_H */
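Review bot: `keylen` is declared `int` in the new prototype while `ilen` right beside it is `unsigned int`, so a negative key length is representable; `unsigned int` (or `size_t`) would match the neighbouring parameters. The prototype also has no comment stating that `output` must hold SHA256_SUM_LEN bytes or how a key longer than the hash block size is treated, which a caller cannot tell from the header alone.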
>> diff --git a/lib/sha256.c b/lib/sha256.c
>> index 665ba6f152e..64f6b48974b 100644
>> --- a/lib/sha256.c
>> +++ b/lib/sha256.c
>> @@ -298,3 +298,43 @@ void sha256_csum_wd(const unsigned char *input, unsigned int ilen,
>>
>>          sha256_finish(&ctx, output);
>>   }
>> +
>> +/*
>> + * Output = HMAC-SHA-256( input buffer, hmac key )
>> + */
>> +void sha256_hmac(const unsigned char *key, int keylen,
>> +                const unsigned char *input, unsigned int ilen,
>> +                unsigned char *output)
>> +{
>> +       int i;
>> +       sha256_context ctx;
>> +       unsigned char k_ipad[64];
>> +       unsigned char k_opad[64];
>> +       unsigned char tmpbuf[32];
>> +
>> +       memset(k_ipad, 0x36, 64);
>> +       memset(k_opad, 0x5C, 64);
>> +
>> +       for (i = 0; i < keylen; i++) {
>> +               if (i >= 64)
>> +                       break;
>> +
>> +               k_ipad[i] ^= key[i];
>> +               k_opad[i] ^= key[i];
>> +       }
>> +
>> +       sha256_starts(&ctx);
>> +       sha256_update(&ctx, k_ipad, 64);
>> +       sha256_update(&ctx, input, ilen);
>> +       sha256_finish(&ctx, tmpbuf);
>> +
>> +       sha256_starts(&ctx);
>> +       sha256_update(&ctx, k_opad, 64);
>> +       sha256_update(&ctx, tmpbuf, 32);
>> +       sha256_finish(&ctx, output);
>> +
>> +       memset(k_ipad, 0, 64);
>> +       memset(k_opad, 0, 64);
>> +       memset(tmpbuf, 0, 32);
>> +       memset(&ctx, 0, sizeof(sha256_context));
>> +}
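Review bot: In the key loop, `if (i >= 64) break;` silently truncates any key longer than 64 bytes, but RFC 2104 (which the commit message cites) requires such a key to be hashed first and the resulting 32-byte digest used as the key, so the output will not match other HMAC-SHA-256 implementations for long keys. Suggest running the key through sha256_starts/sha256_update/sha256_finish into a local buffer when keylen > 64, before the XOR loop, and clearing that buffer at the end along with the others. A negative `keylen` skips the loop entirely and produces an HMAC under an empty key with no error reported. The literals 64 and 32 would read better as named constants (32 is SHA256_SUM_LEN), and the closing `memset` calls on locals can be removed by the compiler as dead stores, so a clear that cannot be elided is worth considering.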
>> --
>> 2.25.1
>>

