module/os/freebsd/zfs/hkdf.c

   1 /*
   2  * CDDL HEADER START
   3  *
   4  * This file and its contents are supplied under the terms of the
   5  * Common Development and Distribution License ("CDDL"), version 1.0.
   6  * You may only use this file in accordance with the terms of version
   7  * 1.0 of the CDDL.
   8  *
   9  * A full copy of the text of the CDDL should have accompanied this
  10  * source.  A copy of the CDDL is also available via the Internet at
  11  * http://www.illumos.org/license/CDDL.
  12  *
  13  * CDDL HEADER END
  14  */
  15
  16 /*
  17  * Copyright (c) 2017, Datto, Inc. All rights reserved.
  18  */
  19
  20 #include <sys/dmu.h>
  21 #include <sys/hkdf.h>
  22 #include <sys/freebsd_crypto.h>
  23 #include <sys/hkdf.h>
  24
  25 static int
  26 hkdf_sha512_extract(uint8_t *salt, uint_t salt_len, uint8_t *key_material,
  27     uint_t km_len, uint8_t *out_buf)
  28 {
  29         crypto_key_t key;
  30
  31         /* initialize the salt as a crypto key */
  32         key.ck_length = CRYPTO_BYTES2BITS(salt_len);
  33         key.ck_data = salt;
  34
  35         crypto_mac(&key, key_material, km_len, out_buf, SHA512_DIGEST_LENGTH);
  36
  37         return (0);
  38 }
  39
  40 static int
  41 hkdf_sha512_expand(uint8_t *extract_key, uint8_t *info, uint_t info_len,
  42     uint8_t *out_buf, uint_t out_len)
  43 {
  44         struct hmac_ctx ctx;
  45         crypto_key_t key;
  46         uint_t i, T_len = 0, pos = 0;
  47         uint8_t c;
  48         uint_t N = (out_len + SHA512_DIGEST_LENGTH) / SHA512_DIGEST_LENGTH;
  49         uint8_t T[SHA512_DIGEST_LENGTH];
  50
  51         if (N > 255)
  52                 return (SET_ERROR(EINVAL));
  53
  54         /* initialize the salt as a crypto key */
  55         key.ck_length = CRYPTO_BYTES2BITS(SHA512_DIGEST_LENGTH);
  56         key.ck_data = extract_key;
  57
  58         for (i = 1; i <= N; i++) {
  59                 c = i;
  60
  61                 crypto_mac_init(&ctx, &key);
  62                 crypto_mac_update(&ctx, T, T_len);
  63                 crypto_mac_update(&ctx, info, info_len);
  64                 crypto_mac_update(&ctx, &c, 1);
  65                 crypto_mac_final(&ctx, T, SHA512_DIGEST_LENGTH);
  66                 memcpy(out_buf + pos, T,
  67                     (i != N) ? SHA512_DIGEST_LENGTH : (out_len - pos));
  68                 pos += SHA512_DIGEST_LENGTH;
  69         }
  70
  71         return (0);
  72 }
  73
  74 /*
  75  * HKDF is designed to be a relatively fast function for deriving keys from a
  76  * master key + a salt. We use this function to generate new encryption keys
  77  * so as to avoid hitting the cryptographic limits of the underlying
  78  * encryption modes. Note that, for the sake of deriving encryption keys, the
  79  * info parameter is called the "salt" everywhere else in the code.
  80  */
  81 int
  82 hkdf_sha512(uint8_t *key_material, uint_t km_len, uint8_t *salt,
  83     uint_t salt_len, uint8_t *info, uint_t info_len, uint8_t *output_key,
  84     uint_t out_len)
  85 {
  86         int ret;
  87         uint8_t extract_key[SHA512_DIGEST_LENGTH];
  88
  89         ret = hkdf_sha512_extract(salt, salt_len, key_material, km_len,
  90             extract_key);
  91         if (ret != 0)
  92                 return (ret);
  93
  94         ret = hkdf_sha512_expand(extract_key, info, info_len, output_key,
  95             out_len);
  96         if (ret != 0)
  97                 return (ret);
  98
  99         return (0);
 100 }