xref: /freebsd/sys/contrib/openzfs/module/zfs/hkdf.c (revision 3e8eb5c7f4909209c042403ddee340b2ee7003a5)
1 /*
2  * CDDL HEADER START
3  *
4  * This file and its contents are supplied under the terms of the
5  * Common Development and Distribution License ("CDDL"), version 1.0.
6  * You may only use this file in accordance with the terms of version
7  * 1.0 of the CDDL.
8  *
9  * A full copy of the text of the CDDL should have accompanied this
10  * source.  A copy of the CDDL is also available via the Internet at
11  * http://www.illumos.org/license/CDDL.
12  *
13  * CDDL HEADER END
14  */
15 
16 /*
17  * Copyright (c) 2017, Datto, Inc. All rights reserved.
18  */
19 
20 #include <sys/crypto/api.h>
21 #include <sys/sha2.h>
22 #include <sys/hkdf.h>
23 
24 static int
25 hkdf_sha512_extract(uint8_t *salt, uint_t salt_len, uint8_t *key_material,
26     uint_t km_len, uint8_t *out_buf)
27 {
28 	int ret;
29 	crypto_mechanism_t mech;
30 	crypto_key_t key;
31 	crypto_data_t input_cd, output_cd;
32 
33 	/* initialize HMAC mechanism */
34 	mech.cm_type = crypto_mech2id(SUN_CKM_SHA512_HMAC);
35 	mech.cm_param = NULL;
36 	mech.cm_param_len = 0;
37 
38 	/* initialize the salt as a crypto key */
39 	key.ck_length = CRYPTO_BYTES2BITS(salt_len);
40 	key.ck_data = salt;
41 
42 	/* initialize crypto data for the input and output data */
43 	input_cd.cd_format = CRYPTO_DATA_RAW;
44 	input_cd.cd_offset = 0;
45 	input_cd.cd_length = km_len;
46 	input_cd.cd_raw.iov_base = (char *)key_material;
47 	input_cd.cd_raw.iov_len = input_cd.cd_length;
48 
49 	output_cd.cd_format = CRYPTO_DATA_RAW;
50 	output_cd.cd_offset = 0;
51 	output_cd.cd_length = SHA512_DIGEST_LENGTH;
52 	output_cd.cd_raw.iov_base = (char *)out_buf;
53 	output_cd.cd_raw.iov_len = output_cd.cd_length;
54 
55 	ret = crypto_mac(&mech, &input_cd, &key, NULL, &output_cd);
56 	if (ret != CRYPTO_SUCCESS)
57 		return (SET_ERROR(EIO));
58 
59 	return (0);
60 }
61 
62 static int
63 hkdf_sha512_expand(uint8_t *extract_key, uint8_t *info, uint_t info_len,
64     uint8_t *out_buf, uint_t out_len)
65 {
66 	int ret;
67 	crypto_mechanism_t mech;
68 	crypto_context_t ctx;
69 	crypto_key_t key;
70 	crypto_data_t T_cd, info_cd, c_cd;
71 	uint_t i, T_len = 0, pos = 0;
72 	uint8_t c;
73 	uint_t N = (out_len + SHA512_DIGEST_LENGTH) / SHA512_DIGEST_LENGTH;
74 	uint8_t T[SHA512_DIGEST_LENGTH];
75 
76 	if (N > 255)
77 		return (SET_ERROR(EINVAL));
78 
79 	/* initialize HMAC mechanism */
80 	mech.cm_type = crypto_mech2id(SUN_CKM_SHA512_HMAC);
81 	mech.cm_param = NULL;
82 	mech.cm_param_len = 0;
83 
84 	/* initialize the salt as a crypto key */
85 	key.ck_length = CRYPTO_BYTES2BITS(SHA512_DIGEST_LENGTH);
86 	key.ck_data = extract_key;
87 
88 	/* initialize crypto data for the input and output data */
89 	T_cd.cd_format = CRYPTO_DATA_RAW;
90 	T_cd.cd_offset = 0;
91 	T_cd.cd_raw.iov_base = (char *)T;
92 
93 	c_cd.cd_format = CRYPTO_DATA_RAW;
94 	c_cd.cd_offset = 0;
95 	c_cd.cd_length = 1;
96 	c_cd.cd_raw.iov_base = (char *)&c;
97 	c_cd.cd_raw.iov_len = c_cd.cd_length;
98 
99 	info_cd.cd_format = CRYPTO_DATA_RAW;
100 	info_cd.cd_offset = 0;
101 	info_cd.cd_length = info_len;
102 	info_cd.cd_raw.iov_base = (char *)info;
103 	info_cd.cd_raw.iov_len = info_cd.cd_length;
104 
105 	for (i = 1; i <= N; i++) {
106 		c = i;
107 
108 		T_cd.cd_length = T_len;
109 		T_cd.cd_raw.iov_len = T_cd.cd_length;
110 
111 		ret = crypto_mac_init(&mech, &key, NULL, &ctx);
112 		if (ret != CRYPTO_SUCCESS)
113 			return (SET_ERROR(EIO));
114 
115 		ret = crypto_mac_update(ctx, &T_cd);
116 		if (ret != CRYPTO_SUCCESS)
117 			return (SET_ERROR(EIO));
118 
119 		ret = crypto_mac_update(ctx, &info_cd);
120 		if (ret != CRYPTO_SUCCESS)
121 			return (SET_ERROR(EIO));
122 
123 		ret = crypto_mac_update(ctx, &c_cd);
124 		if (ret != CRYPTO_SUCCESS)
125 			return (SET_ERROR(EIO));
126 
127 		T_len = SHA512_DIGEST_LENGTH;
128 		T_cd.cd_length = T_len;
129 		T_cd.cd_raw.iov_len = T_cd.cd_length;
130 
131 		ret = crypto_mac_final(ctx, &T_cd);
132 		if (ret != CRYPTO_SUCCESS)
133 			return (SET_ERROR(EIO));
134 
135 		memcpy(out_buf + pos, T,
136 		    (i != N) ? SHA512_DIGEST_LENGTH : (out_len - pos));
137 		pos += SHA512_DIGEST_LENGTH;
138 	}
139 
140 	return (0);
141 }
142 
143 /*
144  * HKDF is designed to be a relatively fast function for deriving keys from a
145  * master key + a salt. We use this function to generate new encryption keys
146  * so as to avoid hitting the cryptographic limits of the underlying
147  * encryption modes. Note that, for the sake of deriving encryption keys, the
148  * info parameter is called the "salt" everywhere else in the code.
149  */
150 int
151 hkdf_sha512(uint8_t *key_material, uint_t km_len, uint8_t *salt,
152     uint_t salt_len, uint8_t *info, uint_t info_len, uint8_t *output_key,
153     uint_t out_len)
154 {
155 	int ret;
156 	uint8_t extract_key[SHA512_DIGEST_LENGTH];
157 
158 	ret = hkdf_sha512_extract(salt, salt_len, key_material, km_len,
159 	    extract_key);
160 	if (ret != 0)
161 		return (ret);
162 
163 	ret = hkdf_sha512_expand(extract_key, info, info_len, output_key,
164 	    out_len);
165 	if (ret != 0)
166 		return (ret);
167 
168 	return (0);
169 }
170