[mirror_zfs.git] / module / zfs / hkdf.c

/*
 * CDDL HEADER START
 *
 * This file and its contents are supplied under the terms of the
 * Common Development and Distribution License ("CDDL"), version 1.0.
 * You may only use this file in accordance with the terms of version
 * 1.0 of the CDDL.
 *
 * A full copy of the text of the CDDL should have accompanied this
 * source.  A copy of the CDDL is also available via the Internet at
 * http://www.illumos.org/license/CDDL.
 *
 * CDDL HEADER END
 */

/*
 * Copyright (c) 2017, Datto, Inc. All rights reserved.
 */

#include <sys/crypto/api.h>
#include <sys/sha2.h>
#include <sys/hkdf.h>

static int
hkdf_sha512_extract(uint8_t *salt, uint_t salt_len, uint8_t *key_material,
    uint_t km_len, uint8_t *out_buf)
{
	int ret;
	crypto_mechanism_t mech;
	crypto_key_t key;
	crypto_data_t input_cd, output_cd;

	/* initialize HMAC mechanism */
	mech.cm_type = crypto_mech2id(SUN_CKM_SHA512_HMAC);
	mech.cm_param = NULL;
	mech.cm_param_len = 0;

	/* initialize the salt as a crypto key */
	key.ck_format = CRYPTO_KEY_RAW;
	key.ck_length = CRYPTO_BYTES2BITS(salt_len);
	key.ck_data = salt;

	/* initialize crypto data for the input and output data */
	input_cd.cd_format = CRYPTO_DATA_RAW;
	input_cd.cd_offset = 0;
	input_cd.cd_length = km_len;
	input_cd.cd_raw.iov_base = (char *)key_material;
	input_cd.cd_raw.iov_len = input_cd.cd_length;

	output_cd.cd_format = CRYPTO_DATA_RAW;
	output_cd.cd_offset = 0;
	output_cd.cd_length = SHA512_DIGEST_LENGTH;
	output_cd.cd_raw.iov_base = (char *)out_buf;
	output_cd.cd_raw.iov_len = output_cd.cd_length;

	ret = crypto_mac(&mech, &input_cd, &key, NULL, &output_cd, NULL);
	if (ret != CRYPTO_SUCCESS)
		return (SET_ERROR(EIO));

	return (0);
}

static int
hkdf_sha512_expand(uint8_t *extract_key, uint8_t *info, uint_t info_len,
    uint8_t *out_buf, uint_t out_len)
{
	int ret;
	crypto_mechanism_t mech;
	crypto_context_t ctx;
	crypto_key_t key;
	crypto_data_t T_cd, info_cd, c_cd;
	uint_t i, T_len = 0, pos = 0;
	uint8_t c;
	uint_t N = (out_len + SHA512_DIGEST_LENGTH) / SHA512_DIGEST_LENGTH;
	uint8_t T[SHA512_DIGEST_LENGTH];

	if (N > 255)
		return (SET_ERROR(EINVAL));

	/* initialize HMAC mechanism */
	mech.cm_type = crypto_mech2id(SUN_CKM_SHA512_HMAC);
	mech.cm_param = NULL;
	mech.cm_param_len = 0;

	/* initialize the salt as a crypto key */
	key.ck_format = CRYPTO_KEY_RAW;
	key.ck_length = CRYPTO_BYTES2BITS(SHA512_DIGEST_LENGTH);
	key.ck_data = extract_key;

	/* initialize crypto data for the input and output data */
	T_cd.cd_format = CRYPTO_DATA_RAW;
	T_cd.cd_offset = 0;
	T_cd.cd_raw.iov_base = (char *)T;

	c_cd.cd_format = CRYPTO_DATA_RAW;
	c_cd.cd_offset = 0;
	c_cd.cd_length = 1;
	c_cd.cd_raw.iov_base = (char *)&c;
	c_cd.cd_raw.iov_len = c_cd.cd_length;

	info_cd.cd_format = CRYPTO_DATA_RAW;
	info_cd.cd_offset = 0;
	info_cd.cd_length = info_len;
	info_cd.cd_raw.iov_base = (char *)info;
	info_cd.cd_raw.iov_len = info_cd.cd_length;

	for (i = 1; i <= N; i++) {
		c = i;

		T_cd.cd_length = T_len;
		T_cd.cd_raw.iov_len = T_cd.cd_length;

		ret = crypto_mac_init(&mech, &key, NULL, &ctx, NULL);
		if (ret != CRYPTO_SUCCESS)
			return (SET_ERROR(EIO));

		ret = crypto_mac_update(ctx, &T_cd, NULL);
		if (ret != CRYPTO_SUCCESS)
			return (SET_ERROR(EIO));

		ret = crypto_mac_update(ctx, &info_cd, NULL);
		if (ret != CRYPTO_SUCCESS)
			return (SET_ERROR(EIO));

		ret = crypto_mac_update(ctx, &c_cd, NULL);
		if (ret != CRYPTO_SUCCESS)
			return (SET_ERROR(EIO));

		T_len = SHA512_DIGEST_LENGTH;
		T_cd.cd_length = T_len;
		T_cd.cd_raw.iov_len = T_cd.cd_length;

		ret = crypto_mac_final(ctx, &T_cd, NULL);
		if (ret != CRYPTO_SUCCESS)
			return (SET_ERROR(EIO));

		bcopy(T, out_buf + pos,
		    (i != N) ? SHA512_DIGEST_LENGTH : (out_len - pos));
		pos += SHA512_DIGEST_LENGTH;
	}

	return (0);
}

/*
 * HKDF is designed to be a relatively fast function for deriving keys from a
 * master key + a salt. We use this function to generate new encryption keys
 * so as to avoid hitting the cryptographic limits of the underlying
 * encryption modes. Note that, for the sake of deriving encryption keys, the
 * info parameter is called the "salt" everywhere else in the code.
 */
int
hkdf_sha512(uint8_t *key_material, uint_t km_len, uint8_t *salt,
    uint_t salt_len, uint8_t *info, uint_t info_len, uint8_t *output_key,
    uint_t out_len)
{
	int ret;
	uint8_t extract_key[SHA512_DIGEST_LENGTH];

	ret = hkdf_sha512_extract(salt, salt_len, key_material, km_len,
	    extract_key);
	if (ret != 0)
		return (ret);

	ret = hkdf_sha512_expand(extract_key, info, info_len, output_key,
	    out_len);
	if (ret != 0)
		return (ret);

	return (0);
}
Commit	Line	Data
4807c0ba TC	1	/*
	2	* CDDL HEADER START
	3	*
	4	* This file and its contents are supplied under the terms of the
	5	* Common Development and Distribution License ("CDDL"), version 1.0.
	6	* You may only use this file in accordance with the terms of version
	7	* 1.0 of the CDDL.
	8	*
	9	* A full copy of the text of the CDDL should have accompanied this
	10	* source. A copy of the CDDL is also available via the Internet at
	11	* http://www.illumos.org/license/CDDL.
	12	*
	13	* CDDL HEADER END
	14	*/
	15
	16	/*
	17	* Copyright (c) 2017, Datto, Inc. All rights reserved.
	18	*/
	19
	20	#include <sys/crypto/api.h>
	21	#include <sys/sha2.h>
	22	#include <sys/hkdf.h>
	23
	24	static int
	25	hkdf_sha512_extract(uint8_t salt, uint_t salt_len, uint8_t key_material,
	26	uint_t km_len, uint8_t *out_buf)
	27	{
	28	int ret;
	29	crypto_mechanism_t mech;
	30	crypto_key_t key;
	31	crypto_data_t input_cd, output_cd;
	32
	33	/* initialize HMAC mechanism */
	34	mech.cm_type = crypto_mech2id(SUN_CKM_SHA512_HMAC);
	35	mech.cm_param = NULL;
	36	mech.cm_param_len = 0;
	37
	38	/* initialize the salt as a crypto key */
	39	key.ck_format = CRYPTO_KEY_RAW;
	40	key.ck_length = CRYPTO_BYTES2BITS(salt_len);
	41	key.ck_data = salt;
	42
	43	/* initialize crypto data for the input and output data */
	44	input_cd.cd_format = CRYPTO_DATA_RAW;
	45	input_cd.cd_offset = 0;
	46	input_cd.cd_length = km_len;
	47	input_cd.cd_raw.iov_base = (char *)key_material;
	48	input_cd.cd_raw.iov_len = input_cd.cd_length;
	49
	50	output_cd.cd_format = CRYPTO_DATA_RAW;
	51	output_cd.cd_offset = 0;
	52	output_cd.cd_length = SHA512_DIGEST_LENGTH;
	53	output_cd.cd_raw.iov_base = (char *)out_buf;
	54	output_cd.cd_raw.iov_len = output_cd.cd_length;
	55
	56	ret = crypto_mac(&mech, &input_cd, &key, NULL, &output_cd, NULL);
	57	if (ret != CRYPTO_SUCCESS)
	58	return (SET_ERROR(EIO));
	59
	60	return (0);
	61	}
	62
	63	static int
	64	hkdf_sha512_expand(uint8_t extract_key, uint8_t info, uint_t info_len,
65	uint8_t *out_buf, uint_t out_len)
66	{
67	int ret;
68	crypto_mechanism_t mech;
69	crypto_context_t ctx;
70	crypto_key_t key;
71	crypto_data_t T_cd, info_cd, c_cd;
72	uint_t i, T_len = 0, pos = 0;
73	uint8_t c;
74	uint_t N = (out_len + SHA512_DIGEST_LENGTH) / SHA512_DIGEST_LENGTH;
75	uint8_t T[SHA512_DIGEST_LENGTH];
76
77	if (N > 255)
78	return (SET_ERROR(EINVAL));
79
80	/* initialize HMAC mechanism */
81	mech.cm_type = crypto_mech2id(SUN_CKM_SHA512_HMAC);
82	mech.cm_param = NULL;
83	mech.cm_param_len = 0;
84
85	/* initialize the salt as a crypto key */
86	key.ck_format = CRYPTO_KEY_RAW;
87	key.ck_length = CRYPTO_BYTES2BITS(SHA512_DIGEST_LENGTH);
88	key.ck_data = extract_key;
89
90	/* initialize crypto data for the input and output data */
91	T_cd.cd_format = CRYPTO_DATA_RAW;
92	T_cd.cd_offset = 0;
93	T_cd.cd_raw.iov_base = (char *)T;
94
95	c_cd.cd_format = CRYPTO_DATA_RAW;
96	c_cd.cd_offset = 0;
97	c_cd.cd_length = 1;
98	c_cd.cd_raw.iov_base = (char *)&c;
99	c_cd.cd_raw.iov_len = c_cd.cd_length;
100
101	info_cd.cd_format = CRYPTO_DATA_RAW;
102	info_cd.cd_offset = 0;
103	info_cd.cd_length = info_len;
104	info_cd.cd_raw.iov_base = (char *)info;
105	info_cd.cd_raw.iov_len = info_cd.cd_length;
106
107	for (i = 1; i <= N; i++) {
108	c = i;
109
110	T_cd.cd_length = T_len;
111	T_cd.cd_raw.iov_len = T_cd.cd_length;
112
113	ret = crypto_mac_init(&mech, &key, NULL, &ctx, NULL);
114	if (ret != CRYPTO_SUCCESS)
115	return (SET_ERROR(EIO));
116
117	ret = crypto_mac_update(ctx, &T_cd, NULL);
118	if (ret != CRYPTO_SUCCESS)
119	return (SET_ERROR(EIO));
120
121	ret = crypto_mac_update(ctx, &info_cd, NULL);
122	if (ret != CRYPTO_SUCCESS)
123	return (SET_ERROR(EIO));
124
125	ret = crypto_mac_update(ctx, &c_cd, NULL);
126	if (ret != CRYPTO_SUCCESS)
127	return (SET_ERROR(EIO));
128
129	T_len = SHA512_DIGEST_LENGTH;
130	T_cd.cd_length = T_len;
131	T_cd.cd_raw.iov_len = T_cd.cd_length;
132
133	ret = crypto_mac_final(ctx, &T_cd, NULL);
134	if (ret != CRYPTO_SUCCESS)
135	return (SET_ERROR(EIO));
136
137	bcopy(T, out_buf + pos,
138	(i != N) ? SHA512_DIGEST_LENGTH : (out_len - pos));
139	pos += SHA512_DIGEST_LENGTH;
140	}
141
142	return (0);
143	}
144
145	/*
146	* HKDF is designed to be a relatively fast function for deriving keys from a
147	* master key + a salt. We use this function to generate new encryption keys
148	* so as to avoid hitting the cryptographic limits of the underlying
149	* encryption modes. Note that, for the sake of deriving encryption keys, the
150	* info parameter is called the "salt" everywhere else in the code.
151	*/
152	int
153	hkdf_sha512(uint8_t key_material, uint_t km_len, uint8_t salt,
154	uint_t salt_len, uint8_t info, uint_t info_len, uint8_t output_key,
155	uint_t out_len)
156	{
157	int ret;
158	uint8_t extract_key[SHA512_DIGEST_LENGTH];
159
160	ret = hkdf_sha512_extract(salt, salt_len, key_material, km_len,
161	extract_key);
162	if (ret != 0)
163	return (ret);
164
165	ret = hkdf_sha512_expand(extract_key, info, info_len, output_key,
166	out_len);
167	if (ret != 0)
168	return (ret);
169
170	return (0);
171	}