1 /*
2 * CDDL HEADER START
3 *
4 * This file and its contents are supplied under the terms of the
5 * Common Development and Distribution License ("CDDL"), version 1.0.
6 * You may only use this file in accordance with the terms of version
7 * 1.0 of the CDDL.
8 *
9 * A full copy of the text of the CDDL should have accompanied this
10 * source. A copy of the CDDL is also available via the Internet at
11 * http://www.illumos.org/license/CDDL.
12 *
13 * CDDL HEADER END
14 */
15
16 /*
17 * Copyright (c) 2017, Datto, Inc. All rights reserved.
18 */
19
20 #include <sys/dmu.h>
21 #include <sys/hkdf.h>
22 #include <sys/crypto/api.h>
23 #include <sys/sha2.h>
24 #include <sys/hkdf.h>
25
26 static int
hkdf_sha512_extract(uint8_t * salt,uint_t salt_len,uint8_t * key_material,uint_t km_len,uint8_t * out_buf)27 hkdf_sha512_extract(uint8_t *salt, uint_t salt_len, uint8_t *key_material,
28 uint_t km_len, uint8_t *out_buf)
29 {
30 int ret;
31 crypto_mechanism_t mech;
32 crypto_key_t key;
33 crypto_data_t input_cd, output_cd;
34
35 /* initialize HMAC mechanism */
36 mech.cm_type = crypto_mech2id(SUN_CKM_SHA512_HMAC);
37 mech.cm_param = NULL;
38 mech.cm_param_len = 0;
39
40 /* initialize the salt as a crypto key */
41 key.ck_format = CRYPTO_KEY_RAW;
42 key.ck_length = CRYPTO_BYTES2BITS(salt_len);
43 key.ck_data = salt;
44
45 /* initialize crypto data for the input and output data */
46 input_cd.cd_format = CRYPTO_DATA_RAW;
47 input_cd.cd_offset = 0;
48 input_cd.cd_length = km_len;
49 input_cd.cd_raw.iov_base = (char *)key_material;
50 input_cd.cd_raw.iov_len = input_cd.cd_length;
51
52 output_cd.cd_format = CRYPTO_DATA_RAW;
53 output_cd.cd_offset = 0;
54 output_cd.cd_length = SHA512_DIGEST_LENGTH;
55 output_cd.cd_raw.iov_base = (char *)out_buf;
56 output_cd.cd_raw.iov_len = output_cd.cd_length;
57
58 ret = crypto_mac(&mech, &input_cd, &key, NULL, &output_cd, NULL);
59 if (ret != CRYPTO_SUCCESS)
60 return (SET_ERROR(EIO));
61
62 return (0);
63 }
64
65 static int
hkdf_sha512_expand(uint8_t * extract_key,uint8_t * info,uint_t info_len,uint8_t * out_buf,uint_t out_len)66 hkdf_sha512_expand(uint8_t *extract_key, uint8_t *info, uint_t info_len,
67 uint8_t *out_buf, uint_t out_len)
68 {
69 int ret;
70 crypto_mechanism_t mech;
71 crypto_context_t ctx;
72 crypto_key_t key;
73 crypto_data_t T_cd, info_cd, c_cd;
74 uint_t i, T_len = 0, pos = 0;
75 uint8_t c;
76 uint_t N = (out_len + SHA512_DIGEST_LENGTH) / SHA512_DIGEST_LENGTH;
77 uint8_t T[SHA512_DIGEST_LENGTH];
78
79 if (N > 255)
80 return (SET_ERROR(EINVAL));
81
82 /* initialize HMAC mechanism */
83 mech.cm_type = crypto_mech2id(SUN_CKM_SHA512_HMAC);
84 mech.cm_param = NULL;
85 mech.cm_param_len = 0;
86
87 /* initialize the salt as a crypto key */
88 key.ck_format = CRYPTO_KEY_RAW;
89 key.ck_length = CRYPTO_BYTES2BITS(SHA512_DIGEST_LENGTH);
90 key.ck_data = extract_key;
91
92 /* initialize crypto data for the input and output data */
93 T_cd.cd_format = CRYPTO_DATA_RAW;
94 T_cd.cd_offset = 0;
95 T_cd.cd_raw.iov_base = (char *)T;
96
97 c_cd.cd_format = CRYPTO_DATA_RAW;
98 c_cd.cd_offset = 0;
99 c_cd.cd_length = 1;
100 c_cd.cd_raw.iov_base = (char *)&c;
101 c_cd.cd_raw.iov_len = c_cd.cd_length;
102
103 info_cd.cd_format = CRYPTO_DATA_RAW;
104 info_cd.cd_offset = 0;
105 info_cd.cd_length = info_len;
106 info_cd.cd_raw.iov_base = (char *)info;
107 info_cd.cd_raw.iov_len = info_cd.cd_length;
108
109 for (i = 1; i <= N; i++) {
110 c = i;
111
112 T_cd.cd_length = T_len;
113 T_cd.cd_raw.iov_len = T_cd.cd_length;
114
115 ret = crypto_mac_init(&mech, &key, NULL, &ctx, NULL);
116 if (ret != CRYPTO_SUCCESS)
117 return (SET_ERROR(EIO));
118
119 ret = crypto_mac_update(ctx, &T_cd, NULL);
120 if (ret != CRYPTO_SUCCESS)
121 return (SET_ERROR(EIO));
122
123 ret = crypto_mac_update(ctx, &info_cd, NULL);
124 if (ret != CRYPTO_SUCCESS)
125 return (SET_ERROR(EIO));
126
127 ret = crypto_mac_update(ctx, &c_cd, NULL);
128 if (ret != CRYPTO_SUCCESS)
129 return (SET_ERROR(EIO));
130
131 T_len = SHA512_DIGEST_LENGTH;
132 T_cd.cd_length = T_len;
133 T_cd.cd_raw.iov_len = T_cd.cd_length;
134
135 ret = crypto_mac_final(ctx, &T_cd, NULL);
136 if (ret != CRYPTO_SUCCESS)
137 return (SET_ERROR(EIO));
138
139 bcopy(T, out_buf + pos,
140 (i != N) ? SHA512_DIGEST_LENGTH : (out_len - pos));
141 pos += SHA512_DIGEST_LENGTH;
142 }
143
144 return (0);
145 }
146
147 /*
148 * HKDF is designed to be a relatively fast function for deriving keys from a
149 * master key + a salt. We use this function to generate new encryption keys
150 * so as to avoid hitting the cryptographic limits of the underlying
151 * encryption modes. Note that, for the sake of deriving encryption keys, the
152 * info parameter is called the "salt" everywhere else in the code.
153 */
154 int
hkdf_sha512(uint8_t * key_material,uint_t km_len,uint8_t * salt,uint_t salt_len,uint8_t * info,uint_t info_len,uint8_t * output_key,uint_t out_len)155 hkdf_sha512(uint8_t *key_material, uint_t km_len, uint8_t *salt,
156 uint_t salt_len, uint8_t *info, uint_t info_len, uint8_t *output_key,
157 uint_t out_len)
158 {
159 int ret;
160 uint8_t extract_key[SHA512_DIGEST_LENGTH];
161
162 ret = hkdf_sha512_extract(salt, salt_len, key_material, km_len,
163 extract_key);
164 if (ret != 0)
165 return (ret);
166
167 ret = hkdf_sha512_expand(extract_key, info, info_len, output_key,
168 out_len);
169 if (ret != 0)
170 return (ret);
171
172 return (0);
173 }
174