Implement HKDF for transport encryption security.
This is to hash the results of the DH key agreement, since the generated key size rarely matches the size of our bulk encryption key size.

 * Add PKCS#11 algorithm CKM_G_HKDF_SHA256_DERIVE
 * Change DH code so it always generates keys of prime size.
 * Change CKM_DH_PKCS11_DERIVE mechanism to support truncating or expanding keys on its own (without help from underlying implementation) in accordance with PKCS#11. Although we no longer use this.
 * Add support for CKK_GENERIC_SECRET keys.
 * Update prompt code to use HKDF in key negotiation.
 * Add secret service dh-ietf1024-sha256-aes128-cbc-pkcs7 algo which replaces the previous.
parent
49044063
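The key negotiation the commit message describes (a DH secret kept at prime size, then hashed with HKDF-SHA256 down to the bulk key size), as an added Python example that is not the project's own code. Assumptions: the prime is a toy stand-in for the IETF 1024-bit group, the private values are constructed, and the HKDF call uses no salt, empty info and a 16-byte output (taken from the aes128 in the algorithm name).

```python
import hashlib
import hmac

HASH_LEN = 32  # SHA-256 output size in bytes

# Toy group for this example only (Mersenne prime), NOT the IETF 1024-bit group.
P = 2**521 - 1
G = 3
# Constructed private values; a real peer draws these from a CSPRNG.
A_PRIV = 2**61 - 1
B_PRIV = 2**89 - 1


def hkdf_sha256(ikm: bytes, length: int, salt: bytes = b"", info: bytes = b"") -> bytes:
    """HKDF (RFC 5869) with HMAC-SHA256: extract, then expand."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested output too long for HKDF-SHA256")
    # Extract: an absent salt is defined as HASH_LEN zero bytes.
    prk = hmac.new(salt or bytes(HASH_LEN), ikm, hashlib.sha256).digest()
    # Expand: T(i) = HMAC(prk, T(i-1) | info | i)
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def dh_public(private: int) -> int:
    return pow(G, private, P)


def dh_shared(private: int, peer_public: int) -> bytes:
    """Shared secret as a big-endian string that is always prime-sized."""
    if not 1 < peer_public < P - 1:
        raise ValueError("peer public value out of range")
    size = (P.bit_length() + 7) // 8
    # Left-pad with zeros so both peers feed identical bytes to HKDF
    # even when the secret has leading zero bytes.
    return pow(peer_public, private, P).to_bytes(size, "big")


def session_key(private: int, peer_public: int) -> bytes:
    # Assumption: no salt, empty info, 16-byte key for AES-128.
    return hkdf_sha256(dh_shared(private, peer_public), 16)


if __name__ == "__main__":
    print(session_key(A_PRIV, dh_public(B_PRIV)).hex())
```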