xref: /freebsd/sys/contrib/openzfs/module/zfs/hkdf.c (revision da5137abdf463bb5fee85061958a14dd12bc043e) 
1eda14cbcSMatt Macy /*
2eda14cbcSMatt Macy  * CDDL HEADER START
3eda14cbcSMatt Macy  *
4eda14cbcSMatt Macy  * This file and its contents are supplied under the terms of the
5eda14cbcSMatt Macy  * Common Development and Distribution License ("CDDL"), version 1.0.
6eda14cbcSMatt Macy  * You may only use this file in accordance with the terms of version
7eda14cbcSMatt Macy  * 1.0 of the CDDL.
8eda14cbcSMatt Macy  *
9eda14cbcSMatt Macy  * A full copy of the text of the CDDL should have accompanied this
10eda14cbcSMatt Macy  * source.  A copy of the CDDL is also available via the Internet at
11eda14cbcSMatt Macy  * http://www.illumos.org/license/CDDL.
12eda14cbcSMatt Macy  *
13eda14cbcSMatt Macy  * CDDL HEADER END
14eda14cbcSMatt Macy  */
15eda14cbcSMatt Macy 
16eda14cbcSMatt Macy /*
17eda14cbcSMatt Macy  * Copyright (c) 2017, Datto, Inc. All rights reserved.
18eda14cbcSMatt Macy  */
19eda14cbcSMatt Macy 
20eda14cbcSMatt Macy #include <sys/crypto/api.h>
21eda14cbcSMatt Macy #include <sys/sha2.h>
22eda14cbcSMatt Macy #include <sys/hkdf.h>
23eda14cbcSMatt Macy 
24eda14cbcSMatt Macy static int
hkdf_sha512_extract(uint8_t * salt,uint_t salt_len,uint8_t * key_material,uint_t km_len,uint8_t * out_buf)25eda14cbcSMatt Macy hkdf_sha512_extract(uint8_t *salt, uint_t salt_len, uint8_t *key_material,
26eda14cbcSMatt Macy     uint_t km_len, uint8_t *out_buf)
27eda14cbcSMatt Macy {
28eda14cbcSMatt Macy 	int ret;
29eda14cbcSMatt Macy 	crypto_mechanism_t mech;
30eda14cbcSMatt Macy 	crypto_key_t key;
31eda14cbcSMatt Macy 	crypto_data_t input_cd, output_cd;
32eda14cbcSMatt Macy 
33eda14cbcSMatt Macy 	/* initialize HMAC mechanism */
34eda14cbcSMatt Macy 	mech.cm_type = crypto_mech2id(SUN_CKM_SHA512_HMAC);
35eda14cbcSMatt Macy 	mech.cm_param = NULL;
36eda14cbcSMatt Macy 	mech.cm_param_len = 0;
37eda14cbcSMatt Macy 
38eda14cbcSMatt Macy 	/* initialize the salt as a crypto key */
39eda14cbcSMatt Macy 	key.ck_length = CRYPTO_BYTES2BITS(salt_len);
40eda14cbcSMatt Macy 	key.ck_data = salt;
41eda14cbcSMatt Macy 
42eda14cbcSMatt Macy 	/* initialize crypto data for the input and output data */
43eda14cbcSMatt Macy 	input_cd.cd_format = CRYPTO_DATA_RAW;
44eda14cbcSMatt Macy 	input_cd.cd_offset = 0;
45eda14cbcSMatt Macy 	input_cd.cd_length = km_len;
46eda14cbcSMatt Macy 	input_cd.cd_raw.iov_base = (char *)key_material;
47eda14cbcSMatt Macy 	input_cd.cd_raw.iov_len = input_cd.cd_length;
48eda14cbcSMatt Macy 
49eda14cbcSMatt Macy 	output_cd.cd_format = CRYPTO_DATA_RAW;
50eda14cbcSMatt Macy 	output_cd.cd_offset = 0;
51eda14cbcSMatt Macy 	output_cd.cd_length = SHA512_DIGEST_LENGTH;
52eda14cbcSMatt Macy 	output_cd.cd_raw.iov_base = (char *)out_buf;
53eda14cbcSMatt Macy 	output_cd.cd_raw.iov_len = output_cd.cd_length;
54eda14cbcSMatt Macy 
55c03c5b1cSMartin Matuska 	ret = crypto_mac(&mech, &input_cd, &key, NULL, &output_cd);
56eda14cbcSMatt Macy 	if (ret != CRYPTO_SUCCESS)
57eda14cbcSMatt Macy 		return (SET_ERROR(EIO));
58eda14cbcSMatt Macy 
59eda14cbcSMatt Macy 	return (0);
60eda14cbcSMatt Macy }
61eda14cbcSMatt Macy 
62eda14cbcSMatt Macy static int
hkdf_sha512_expand(uint8_t * extract_key,uint8_t * info,uint_t info_len,uint8_t * out_buf,uint_t out_len)63eda14cbcSMatt Macy hkdf_sha512_expand(uint8_t *extract_key, uint8_t *info, uint_t info_len,
64eda14cbcSMatt Macy     uint8_t *out_buf, uint_t out_len)
65eda14cbcSMatt Macy {
66eda14cbcSMatt Macy 	int ret;
67eda14cbcSMatt Macy 	crypto_mechanism_t mech;
68eda14cbcSMatt Macy 	crypto_context_t ctx;
69eda14cbcSMatt Macy 	crypto_key_t key;
70eda14cbcSMatt Macy 	crypto_data_t T_cd, info_cd, c_cd;
71eda14cbcSMatt Macy 	uint_t i, T_len = 0, pos = 0;
72eda14cbcSMatt Macy 	uint8_t c;
73eda14cbcSMatt Macy 	uint_t N = (out_len + SHA512_DIGEST_LENGTH) / SHA512_DIGEST_LENGTH;
74eda14cbcSMatt Macy 	uint8_t T[SHA512_DIGEST_LENGTH];
75eda14cbcSMatt Macy 
76eda14cbcSMatt Macy 	if (N > 255)
77eda14cbcSMatt Macy 		return (SET_ERROR(EINVAL));
78eda14cbcSMatt Macy 
79eda14cbcSMatt Macy 	/* initialize HMAC mechanism */
80eda14cbcSMatt Macy 	mech.cm_type = crypto_mech2id(SUN_CKM_SHA512_HMAC);
81eda14cbcSMatt Macy 	mech.cm_param = NULL;
82eda14cbcSMatt Macy 	mech.cm_param_len = 0;
83eda14cbcSMatt Macy 
84eda14cbcSMatt Macy 	/* initialize the salt as a crypto key */
85eda14cbcSMatt Macy 	key.ck_length = CRYPTO_BYTES2BITS(SHA512_DIGEST_LENGTH);
86eda14cbcSMatt Macy 	key.ck_data = extract_key;
87eda14cbcSMatt Macy 
88eda14cbcSMatt Macy 	/* initialize crypto data for the input and output data */
89eda14cbcSMatt Macy 	T_cd.cd_format = CRYPTO_DATA_RAW;
90eda14cbcSMatt Macy 	T_cd.cd_offset = 0;
91eda14cbcSMatt Macy 	T_cd.cd_raw.iov_base = (char *)T;
92eda14cbcSMatt Macy 
93eda14cbcSMatt Macy 	c_cd.cd_format = CRYPTO_DATA_RAW;
94eda14cbcSMatt Macy 	c_cd.cd_offset = 0;
95eda14cbcSMatt Macy 	c_cd.cd_length = 1;
96eda14cbcSMatt Macy 	c_cd.cd_raw.iov_base = (char *)&c;
97eda14cbcSMatt Macy 	c_cd.cd_raw.iov_len = c_cd.cd_length;
98eda14cbcSMatt Macy 
99eda14cbcSMatt Macy 	info_cd.cd_format = CRYPTO_DATA_RAW;
100eda14cbcSMatt Macy 	info_cd.cd_offset = 0;
101eda14cbcSMatt Macy 	info_cd.cd_length = info_len;
102eda14cbcSMatt Macy 	info_cd.cd_raw.iov_base = (char *)info;
103eda14cbcSMatt Macy 	info_cd.cd_raw.iov_len = info_cd.cd_length;
104eda14cbcSMatt Macy 
105eda14cbcSMatt Macy 	for (i = 1; i <= N; i++) {
106eda14cbcSMatt Macy 		c = i;
107eda14cbcSMatt Macy 
108eda14cbcSMatt Macy 		T_cd.cd_length = T_len;
109eda14cbcSMatt Macy 		T_cd.cd_raw.iov_len = T_cd.cd_length;
110eda14cbcSMatt Macy 
111c03c5b1cSMartin Matuska 		ret = crypto_mac_init(&mech, &key, NULL, &ctx);
112eda14cbcSMatt Macy 		if (ret != CRYPTO_SUCCESS)
113eda14cbcSMatt Macy 			return (SET_ERROR(EIO));
114eda14cbcSMatt Macy 
115c03c5b1cSMartin Matuska 		ret = crypto_mac_update(ctx, &T_cd);
116eda14cbcSMatt Macy 		if (ret != CRYPTO_SUCCESS)
117eda14cbcSMatt Macy 			return (SET_ERROR(EIO));
118eda14cbcSMatt Macy 
119c03c5b1cSMartin Matuska 		ret = crypto_mac_update(ctx, &info_cd);
120eda14cbcSMatt Macy 		if (ret != CRYPTO_SUCCESS)
121eda14cbcSMatt Macy 			return (SET_ERROR(EIO));
122eda14cbcSMatt Macy 
123c03c5b1cSMartin Matuska 		ret = crypto_mac_update(ctx, &c_cd);
124eda14cbcSMatt Macy 		if (ret != CRYPTO_SUCCESS)
125eda14cbcSMatt Macy 			return (SET_ERROR(EIO));
126eda14cbcSMatt Macy 
127eda14cbcSMatt Macy 		T_len = SHA512_DIGEST_LENGTH;
128eda14cbcSMatt Macy 		T_cd.cd_length = T_len;
129eda14cbcSMatt Macy 		T_cd.cd_raw.iov_len = T_cd.cd_length;
130eda14cbcSMatt Macy 
131c03c5b1cSMartin Matuska 		ret = crypto_mac_final(ctx, &T_cd);
132eda14cbcSMatt Macy 		if (ret != CRYPTO_SUCCESS)
133eda14cbcSMatt Macy 			return (SET_ERROR(EIO));
134eda14cbcSMatt Macy 
135*da5137abSMartin Matuska 		memcpy(out_buf + pos, T,
136eda14cbcSMatt Macy 		    (i != N) ? SHA512_DIGEST_LENGTH : (out_len - pos));
137eda14cbcSMatt Macy 		pos += SHA512_DIGEST_LENGTH;
138eda14cbcSMatt Macy 	}
139eda14cbcSMatt Macy 
140eda14cbcSMatt Macy 	return (0);
141eda14cbcSMatt Macy }
142eda14cbcSMatt Macy 
143eda14cbcSMatt Macy /*
144eda14cbcSMatt Macy  * HKDF is designed to be a relatively fast function for deriving keys from a
145eda14cbcSMatt Macy  * master key + a salt. We use this function to generate new encryption keys
146eda14cbcSMatt Macy  * so as to avoid hitting the cryptographic limits of the underlying
147eda14cbcSMatt Macy  * encryption modes. Note that, for the sake of deriving encryption keys, the
148eda14cbcSMatt Macy  * info parameter is called the "salt" everywhere else in the code.
149eda14cbcSMatt Macy  */
150eda14cbcSMatt Macy int
hkdf_sha512(uint8_t * key_material,uint_t km_len,uint8_t * salt,uint_t salt_len,uint8_t * info,uint_t info_len,uint8_t * output_key,uint_t out_len)151eda14cbcSMatt Macy hkdf_sha512(uint8_t *key_material, uint_t km_len, uint8_t *salt,
152eda14cbcSMatt Macy     uint_t salt_len, uint8_t *info, uint_t info_len, uint8_t *output_key,
153eda14cbcSMatt Macy     uint_t out_len)
154eda14cbcSMatt Macy {
155eda14cbcSMatt Macy 	int ret;
156eda14cbcSMatt Macy 	uint8_t extract_key[SHA512_DIGEST_LENGTH];
157eda14cbcSMatt Macy 
158eda14cbcSMatt Macy 	ret = hkdf_sha512_extract(salt, salt_len, key_material, km_len,
159eda14cbcSMatt Macy 	    extract_key);
160eda14cbcSMatt Macy 	if (ret != 0)
161eda14cbcSMatt Macy 		return (ret);
162eda14cbcSMatt Macy 
163eda14cbcSMatt Macy 	ret = hkdf_sha512_expand(extract_key, info, info_len, output_key,
164eda14cbcSMatt Macy 	    out_len);
165eda14cbcSMatt Macy 	if (ret != 0)
166eda14cbcSMatt Macy 		return (ret);
167eda14cbcSMatt Macy 
168eda14cbcSMatt Macy 	return (0);
169eda14cbcSMatt Macy }
170