fscrypt/
hkdf.rs

1// Copyright 2025 The Fuchsia Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4use hmac::Mac;
5
6// Fscrypt tacks a prefix onto the 'info' field in HKDF used for different purposes.
7// This prefix is built from one of the following context.
8pub const HKDF_CONTEXT_PER_FILE_ENC_KEY: u8 = 2;
9pub const HKDF_CONTEXT_DIRHASH_KEY: u8 = 5;
10pub const HKDF_CONTEXT_IV_INO_LBLK_32_KEY: u8 = 6;
11pub const HKDF_CONTEXT_INODE_HASH_KEY: u8 = 7;
12
13/// An fscrypt compatible implementation of HKDF (HKDF-extract + HKDF-expand)
14/// This is just regular HKDF but with 'info' prefixed.
15/// `context` is an fscrypt special.
16pub fn fscrypt_hkdf<const L: usize>(
17    initial_key_material: &[u8],
18    info: &[u8],
19    context: u8,
20) -> [u8; L] {
21    let mut out = [0u8; L];
22    let mut fscrypt_info = Vec::with_capacity(9 + info.len());
23    fscrypt_info.extend_from_slice(b"fscrypt\0");
24    fscrypt_info.push(context);
25    debug_assert_eq!(fscrypt_info.len(), 9);
26    fscrypt_info.extend_from_slice(info);
27    hkdf::<L>(initial_key_material, &fscrypt_info, &mut out);
28    out
29}
30
31/// Standard HKDF implementation. See https://datatracker.ietf.org/doc/html/rfc5869
32/// Note that we assume an all-zero seed for PRK.
33/// `initial_key_material` is the data being hashed.
34/// `info` is optional context (can be zero length string)
35/// `out` is populated with the result.
36fn hkdf<const L: usize>(initial_key_material: &[u8], info: &[u8], out: &mut [u8; L]) {
37    const HASH_LEN: usize = 64;
38    // HKDF-extract
39    let mut hmac = hmac::Hmac::<sha2::Sha512>::new_from_slice(&[0; HASH_LEN]).unwrap();
40    hmac.update(initial_key_material);
41    let prk = hmac.finalize().into_bytes();
42    // HKDF-expand
43    let mut last = [].as_slice();
44    let mut out = out.as_mut_slice();
45    let mut i = 1;
46    loop {
47        let mut hmac = hmac::Hmac::<sha2::Sha512>::new_from_slice(&prk).unwrap();
48        hmac.update(&last);
49        hmac.update(&info);
50        hmac.update(&[i as u8]);
51        let val = hmac.finalize().into_bytes();
52        if out.len() < HASH_LEN {
53            out.copy_from_slice(&val.as_slice()[..out.len()]);
54            break;
55        }
56        out[..HASH_LEN].copy_from_slice(&val.as_slice());
57        (last, out) = out.split_at_mut(HASH_LEN);
58        i += 1;
59    }
60}