1 /*
2 * CDDL HEADER START
3 *
4 * This file and its contents are supplied under the terms of the
5 * Common Development and Distribution License ("CDDL"), version 1.0.
6 * You may only use this file in accordance with the terms of version
7 * 1.0 of the CDDL.
8 *
9 * A full copy of the text of the CDDL should have accompanied this
10 * source. A copy of the CDDL is also available via the Internet at
11 * http://www.illumos.org/license/CDDL.
12 *
13 * CDDL HEADER END
14 */
15
16 /*
17 * Copyright (c) 2017, Datto, Inc. All rights reserved.
18 */
19
20 #include <sys/dmu.h>
21 #include <sys/hkdf.h>
22 #include <sys/freebsd_crypto.h>
23 #include <sys/hkdf.h>
24
25 static int
hkdf_sha512_extract(uint8_t * salt,uint_t salt_len,uint8_t * key_material,uint_t km_len,uint8_t * out_buf)26 hkdf_sha512_extract(uint8_t *salt, uint_t salt_len, uint8_t *key_material,
27 uint_t km_len, uint8_t *out_buf)
28 {
29 crypto_key_t key;
30
31 /* initialize the salt as a crypto key */
32 key.ck_length = CRYPTO_BYTES2BITS(salt_len);
33 key.ck_data = salt;
34
35 crypto_mac(&key, key_material, km_len, out_buf, SHA512_DIGEST_LENGTH);
36
37 return (0);
38 }
39
40 static int
hkdf_sha512_expand(uint8_t * extract_key,uint8_t * info,uint_t info_len,uint8_t * out_buf,uint_t out_len)41 hkdf_sha512_expand(uint8_t *extract_key, uint8_t *info, uint_t info_len,
42 uint8_t *out_buf, uint_t out_len)
43 {
44 struct hmac_ctx ctx;
45 crypto_key_t key;
46 uint_t i, T_len = 0, pos = 0;
47 uint8_t c;
48 uint_t N = (out_len + SHA512_DIGEST_LENGTH) / SHA512_DIGEST_LENGTH;
49 uint8_t T[SHA512_DIGEST_LENGTH];
50
51 if (N > 255)
52 return (SET_ERROR(EINVAL));
53
54 /* initialize the salt as a crypto key */
55 key.ck_length = CRYPTO_BYTES2BITS(SHA512_DIGEST_LENGTH);
56 key.ck_data = extract_key;
57
58 for (i = 1; i <= N; i++) {
59 c = i;
60
61 crypto_mac_init(&ctx, &key);
62 crypto_mac_update(&ctx, T, T_len);
63 crypto_mac_update(&ctx, info, info_len);
64 crypto_mac_update(&ctx, &c, 1);
65 crypto_mac_final(&ctx, T, SHA512_DIGEST_LENGTH);
66 memcpy(out_buf + pos, T,
67 (i != N) ? SHA512_DIGEST_LENGTH : (out_len - pos));
68 pos += SHA512_DIGEST_LENGTH;
69 }
70
71 return (0);
72 }
73
74 /*
75 * HKDF is designed to be a relatively fast function for deriving keys from a
76 * master key + a salt. We use this function to generate new encryption keys
77 * so as to avoid hitting the cryptographic limits of the underlying
78 * encryption modes. Note that, for the sake of deriving encryption keys, the
79 * info parameter is called the "salt" everywhere else in the code.
80 */
81 int
hkdf_sha512(uint8_t * key_material,uint_t km_len,uint8_t * salt,uint_t salt_len,uint8_t * info,uint_t info_len,uint8_t * output_key,uint_t out_len)82 hkdf_sha512(uint8_t *key_material, uint_t km_len, uint8_t *salt,
83 uint_t salt_len, uint8_t *info, uint_t info_len, uint8_t *output_key,
84 uint_t out_len)
85 {
86 int ret;
87 uint8_t extract_key[SHA512_DIGEST_LENGTH];
88
89 ret = hkdf_sha512_extract(salt, salt_len, key_material, km_len,
90 extract_key);
91 if (ret != 0)
92 return (ret);
93
94 ret = hkdf_sha512_expand(extract_key, info, info_len, output_key,
95 out_len);
96 if (ret != 0)
97 return (ret);
98
99 return (0);
100 }
101