1use hmac::Mac;
5
6pub const HKDF_CONTEXT_PER_FILE_ENC_KEY: u8 = 2;
9pub const HKDF_CONTEXT_DIRHASH_KEY: u8 = 5;
10pub const HKDF_CONTEXT_IV_INO_LBLK_32_KEY: u8 = 6;
11pub const HKDF_CONTEXT_INODE_HASH_KEY: u8 = 7;
12
13pub fn fscrypt_hkdf<const L: usize>(
17 initial_key_material: &[u8],
18 info: &[u8],
19 context: u8,
20) -> [u8; L] {
21 let mut out = [0u8; L];
22 let mut fscrypt_info = Vec::with_capacity(9 + info.len());
23 fscrypt_info.extend_from_slice(b"fscrypt\0");
24 fscrypt_info.push(context);
25 debug_assert_eq!(fscrypt_info.len(), 9);
26 fscrypt_info.extend_from_slice(info);
27 hkdf::<L>(initial_key_material, &fscrypt_info, &mut out);
28 out
29}
30
31fn hkdf<const L: usize>(initial_key_material: &[u8], info: &[u8], out: &mut [u8; L]) {
37 const HASH_LEN: usize = 64;
38 let mut hmac = hmac::Hmac::<sha2::Sha512>::new_from_slice(&[0; HASH_LEN]).unwrap();
40 hmac.update(initial_key_material);
41 let prk = hmac.finalize().into_bytes();
42 let mut last = [].as_slice();
44 let mut out = out.as_mut_slice();
45 let mut i = 1;
46 loop {
47 let mut hmac = hmac::Hmac::<sha2::Sha512>::new_from_slice(&prk).unwrap();
48 hmac.update(&last);
49 hmac.update(&info);
50 hmac.update(&[i as u8]);
51 let val = hmac.finalize().into_bytes();
52 if out.len() < HASH_LEN {
53 out.copy_from_slice(&val.as_slice()[..out.len()]);
54 break;
55 }
56 out[..HASH_LEN].copy_from_slice(&val.as_slice());
57 (last, out) = out.split_at_mut(HASH_LEN);
58 i += 1;
59 }
60}