Bug 171074

Summary: [GCrypt] HKDF bit derivation support
Product: WebKit Reporter: Zan Dobersek <zan>
Component: New BugsAssignee: Zan Dobersek <zan>
Status: RESOLVED FIXED    
Severity: Normal CC: buildbot, jiewen_tan, mcatanzaro
Priority: P2    
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 133122    
Attachments:
Description Flags
Patch
none
Patch
none
Patch for landing
none
Patch
none
Patch for landing none

Zan Dobersek
Reported 2017-04-20 13:53:22 PDT
[GCrypt] HKDF bit derivation support
Attachments
Patch (9.21 KB, patch)
2017-04-20 14:00 PDT, Zan Dobersek 		no flags
DetailsFormatted DiffDiff
Patch (9.47 KB, patch)
2017-04-21 00:54 PDT, Zan Dobersek 		no flags
DetailsFormatted DiffDiff
Patch for landing (11.12 KB, patch)
2017-04-23 05:39 PDT, Zan Dobersek 		no flags
DetailsFormatted DiffDiff
Patch (18.77 KB, patch)
2017-04-27 05:08 PDT, Zan Dobersek 		no flags
DetailsFormatted DiffDiff
Patch for landing (19.05 KB, patch)
2017-05-01 22:45 PDT, Zan Dobersek 		no flags
DetailsFormatted DiffDiff
Show Obsolete (4) View All Add attachment proposed patch, testcase, etc.
Zan Dobersek
Comment 1 2017-04-20 14:00:30 PDT
Created attachment 307634 [details] Patch
Michael Catanzaro
Comment 2 2017-04-20 14:34:44 PDT
Comment on attachment 307634 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=307634&action=review Thanks. Would be good to ask Jiewen to look at this one, too. > Source/WebCore/crypto/gcrypt/CryptoAlgorithmHKDFGCrypt.cpp:42 > +static std::optional<int> macAlgorithmForHashFunction(CryptoAlgorithmIdentifier identifier) This really isn't needed anywhere else, or isn't ever going to be needed anywhere else? Seems like it'd fit better in Utilities.[cpp,h]?
Jiewen Tan
Comment 3 2017-04-20 16:28:56 PDT
Comment on attachment 307634 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=307634&action=review > Source/WebCore/crypto/gcrypt/CryptoAlgorithmHKDFGCrypt.cpp:86 > + error = gcry_mac_setkey(handle, salt.data(), salt.size()); Does gcry_mac_setkey handle the case where salt is an empty vector? > Source/WebCore/crypto/gcrypt/CryptoAlgorithmHKDFGCrypt.cpp:147 > + lastBlock.resize(blockSize); Feel weird that we need to resize every time. Even though only the first invocation takes effect, it still feels weird to write it this way.
Zan Dobersek
Comment 4 2017-04-21 00:47:39 PDT
Comment on attachment 307634 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=307634&action=review >> Source/WebCore/crypto/gcrypt/CryptoAlgorithmHKDFGCrypt.cpp:42 >> +static std::optional<int> macAlgorithmForHashFunction(CryptoAlgorithmIdentifier identifier) > > This really isn't needed anywhere else, or isn't ever going to be needed anywhere else? Seems like it'd fit better in Utilities.[cpp,h]? Yes, this should all be gathered in the Utilities header. I would maybe prefer doing that in later cleanups. >> Source/WebCore/crypto/gcrypt/CryptoAlgorithmHKDFGCrypt.cpp:86 >> + error = gcry_mac_setkey(handle, salt.data(), salt.size()); > > Does gcry_mac_setkey handle the case where salt is an empty vector? It does, but on a second thought I'd prefer being explicit here and use a 0-filled array of bytes in case the salt Vector is empty. >> Source/WebCore/crypto/gcrypt/CryptoAlgorithmHKDFGCrypt.cpp:147 >> + lastBlock.resize(blockSize); > > Feel weird that we need to resize every time. Even though only the first invocation takes effect, it still feels weird to write it this way. OK. It's easy to work around -- the lastBlock should just not be appended to the block data when in the first iteration.
Zan Dobersek
Comment 5 2017-04-21 00:54:31 PDT
Created attachment 307706 [details] Patch
Jiewen Tan
Comment 6 2017-04-21 12:51:17 PDT
Comment on attachment 307706 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=307706&action=review Looks good otherwise. > Source/WebCore/crypto/gcrypt/CryptoAlgorithmHKDFGCrypt.cpp:140 > + if (!i) Should it be just if (i) ?
Jiewen Tan
Comment 7 2017-04-21 13:02:13 PDT
Comment on attachment 307706 [details] Patch Forgot to mention. I suggest you should add some false tests for this gcrypt specific implementation as you implement HKDF by yourself.
Jiewen Tan
Comment 8 2017-04-21 13:02:51 PDT
(In reply to Jiewen Tan from comment #7) > Comment on attachment 307706 [details] > Patch > > Forgot to mention. I suggest you should add some false tests for this > gcrypt specific implementation as you implement HKDF by yourself. Just tests include false and pass ones.
Zan Dobersek
Comment 9 2017-04-23 05:26:32 PDT
Comment on attachment 307706 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=307706&action=review >> Source/WebCore/crypto/gcrypt/CryptoAlgorithmHKDFGCrypt.cpp:140 >> + if (!i) > > Should it be just if (i) ? Correct, it's a typo.
Zan Dobersek
Comment 10 2017-04-23 05:39:40 PDT
Created attachment 307931 [details] Patch for landing
Zan Dobersek
Comment 11 2017-04-23 07:06:07 PDT
(In reply to Jiewen Tan from comment #7) > Comment on attachment 307706 [details] > Patch > > Forgot to mention. I suggest you should add some false tests for this > gcrypt specific implementation as you implement HKDF by yourself. I can put together a length limit test that checks the algorithm properly rejects lengths that go over the 255 * MAC-length limit. Is there anything else you'd suggest testing around this HKDF implementation?
Jiewen Tan
Comment 12 2017-04-24 11:21:04 PDT
(In reply to Zan Dobersek from comment #11) > (In reply to Jiewen Tan from comment #7) > > Comment on attachment 307706 [details] > > Patch > > > > Forgot to mention. I suggest you should add some false tests for this > > gcrypt specific implementation as you implement HKDF by yourself. > > I can put together a length limit test that checks the algorithm properly > rejects lengths that go over the 255 * MAC-length limit. > > Is there anything else you'd suggest testing around this HKDF implementation? I would suggest checking cases: length >|=|< macLength for positive tests.
Zan Dobersek
Comment 13 2017-04-27 05:08:47 PDT
Created attachment 308379 [details] Patch
Zan Dobersek
Comment 14 2017-04-27 05:10:28 PDT
(In reply to Zan Dobersek from comment #13) > Created attachment 308379 [details] > Patch This is the reviewed patch, plus a layout test that tests various length values. Please review.
Jiewen Tan
Comment 15 2017-04-27 12:55:50 PDT
Comment on attachment 308379 [details] Patch Looks good. I suggest you could file a bug to replace this customized HKDF implementation with gcrypt one once it is available. We should not implement crypto by ourselves if we don't have to.
Michael Catanzaro
Comment 16 2017-05-01 07:27:26 PDT
Comment on attachment 308379 [details] Patch rs=me
Zan Dobersek
Comment 17 2017-05-01 22:39:32 PDT
(In reply to Jiewen Tan from comment #15) > Comment on attachment 308379 [details] > Patch > > Looks good. I suggest you could file a bug to replace this customized HKDF > implementation with gcrypt one once it is available. We should not implement > crypto by ourselves if we don't have to. I'll add a comment linking to bug #171536.
Zan Dobersek
Comment 18 2017-05-01 22:45:31 PDT
Created attachment 308801 [details] Patch for landing
Zan Dobersek
Comment 19 2017-05-01 23:37:10 PDT
Committed r216061: <http://trac.webkit.org/changeset/216061>
Note You need to log in before you can comment on or make changes to this bug.