Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)
[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]
FreeBSD/Linux Kernel Cross Reference
sys/contrib/openzfs/module/zfs/hkdf.c
Version:
- FREEBSD - FREEBSD-13-STABLE - FREEBSD-13-0 - FREEBSD-12-STABLE - FREEBSD-12-0 - FREEBSD-11-STABLE - FREEBSD-11-0 - FREEBSD-10-STABLE - FREEBSD-10-0 - FREEBSD-9-STABLE - FREEBSD-9-0 - FREEBSD-8-STABLE - FREEBSD-8-0 - FREEBSD-7-STABLE - FREEBSD-7-0 - FREEBSD-6-STABLE - FREEBSD-6-0 - FREEBSD-5-STABLE - FREEBSD-5-0 - FREEBSD-4-STABLE - FREEBSD-3-STABLE - FREEBSD22 - l41 - OPENBSD - linux-2.6 - MK84 - PLAN9 - xnu-8792
SearchContext: - none - 3 - 10
SearchContext: - none - 3 - 10
1 /* 2 * CDDL HEADER START 3 * 4 * This file and its contents are supplied under the terms of the 5 * Common Development and Distribution License ("CDDL"), version 1.0. 6 * You may only use this file in accordance with the terms of version 7 * 1.0 of the CDDL. 8 * 9 * A full copy of the text of the CDDL should have accompanied this 10 * source. A copy of the CDDL is also available via the Internet at 11 * http://www.illumos.org/license/CDDL. 12 * 13 * CDDL HEADER END 14 */ 15 16 /* 17 * Copyright (c) 2017, Datto, Inc. All rights reserved. 18 */ 19 20 #include <sys/crypto/api.h> 21 #include <sys/sha2.h> 22 #include <sys/hkdf.h> 23 24 static int 25 hkdf_sha512_extract(uint8_t *salt, uint_t salt_len, uint8_t *key_material, 26 uint_t km_len, uint8_t *out_buf) 27 { 28 int ret; 29 crypto_mechanism_t mech; 30 crypto_key_t key; 31 crypto_data_t input_cd, output_cd; 32 33 /* initialize HMAC mechanism */ 34 mech.cm_type = crypto_mech2id(SUN_CKM_SHA512_HMAC); 35 mech.cm_param = NULL; 36 mech.cm_param_len = 0; 37 38 /* initialize the salt as a crypto key */ 39 key.ck_length = CRYPTO_BYTES2BITS(salt_len); 40 key.ck_data = salt; 41 42 /* initialize crypto data for the input and output data */ 43 input_cd.cd_format = CRYPTO_DATA_RAW; 44 input_cd.cd_offset = 0; 45 input_cd.cd_length = km_len; 46 input_cd.cd_raw.iov_base = (char *)key_material; 47 input_cd.cd_raw.iov_len = input_cd.cd_length; 48 49 output_cd.cd_format = CRYPTO_DATA_RAW; 50 output_cd.cd_offset = 0; 51 output_cd.cd_length = SHA512_DIGEST_LENGTH; 52 output_cd.cd_raw.iov_base = (char *)out_buf; 53 output_cd.cd_raw.iov_len = output_cd.cd_length; 54 55 ret = crypto_mac(&mech, &input_cd, &key, NULL, &output_cd); 56 if (ret != CRYPTO_SUCCESS) 57 return (SET_ERROR(EIO)); 58 59 return (0); 60 } 61 62 static int 63 hkdf_sha512_expand(uint8_t *extract_key, uint8_t *info, uint_t info_len, 64 uint8_t *out_buf, uint_t out_len) 65 { 66 int ret; 67 crypto_mechanism_t mech; 68 crypto_context_t ctx; 69 crypto_key_t key; 70 crypto_data_t T_cd, info_cd, c_cd; 71 uint_t i, T_len = 0, pos = 0; 72 uint8_t c; 73 uint_t N = (out_len + SHA512_DIGEST_LENGTH) / SHA512_DIGEST_LENGTH; 74 uint8_t T[SHA512_DIGEST_LENGTH]; 75 76 if (N > 255) 77 return (SET_ERROR(EINVAL)); 78 79 /* initialize HMAC mechanism */ 80 mech.cm_type = crypto_mech2id(SUN_CKM_SHA512_HMAC); 81 mech.cm_param = NULL; 82 mech.cm_param_len = 0; 83 84 /* initialize the salt as a crypto key */ 85 key.ck_length = CRYPTO_BYTES2BITS(SHA512_DIGEST_LENGTH); 86 key.ck_data = extract_key; 87 88 /* initialize crypto data for the input and output data */ 89 T_cd.cd_format = CRYPTO_DATA_RAW; 90 T_cd.cd_offset = 0; 91 T_cd.cd_raw.iov_base = (char *)T; 92 93 c_cd.cd_format = CRYPTO_DATA_RAW; 94 c_cd.cd_offset = 0; 95 c_cd.cd_length = 1; 96 c_cd.cd_raw.iov_base = (char *)&c; 97 c_cd.cd_raw.iov_len = c_cd.cd_length; 98 99 info_cd.cd_format = CRYPTO_DATA_RAW; 100 info_cd.cd_offset = 0; 101 info_cd.cd_length = info_len; 102 info_cd.cd_raw.iov_base = (char *)info; 103 info_cd.cd_raw.iov_len = info_cd.cd_length; 104 105 for (i = 1; i <= N; i++) { 106 c = i; 107 108 T_cd.cd_length = T_len; 109 T_cd.cd_raw.iov_len = T_cd.cd_length; 110 111 ret = crypto_mac_init(&mech, &key, NULL, &ctx); 112 if (ret != CRYPTO_SUCCESS) 113 return (SET_ERROR(EIO)); 114 115 ret = crypto_mac_update(ctx, &T_cd); 116 if (ret != CRYPTO_SUCCESS) 117 return (SET_ERROR(EIO)); 118 119 ret = crypto_mac_update(ctx, &info_cd); 120 if (ret != CRYPTO_SUCCESS) 121 return (SET_ERROR(EIO)); 122 123 ret = crypto_mac_update(ctx, &c_cd); 124 if (ret != CRYPTO_SUCCESS) 125 return (SET_ERROR(EIO)); 126 127 T_len = SHA512_DIGEST_LENGTH; 128 T_cd.cd_length = T_len; 129 T_cd.cd_raw.iov_len = T_cd.cd_length; 130 131 ret = crypto_mac_final(ctx, &T_cd); 132 if (ret != CRYPTO_SUCCESS) 133 return (SET_ERROR(EIO)); 134 135 memcpy(out_buf + pos, T, 136 (i != N) ? SHA512_DIGEST_LENGTH : (out_len - pos)); 137 pos += SHA512_DIGEST_LENGTH; 138 } 139 140 return (0); 141 } 142 143 /* 144 * HKDF is designed to be a relatively fast function for deriving keys from a 145 * master key + a salt. We use this function to generate new encryption keys 146 * so as to avoid hitting the cryptographic limits of the underlying 147 * encryption modes. Note that, for the sake of deriving encryption keys, the 148 * info parameter is called the "salt" everywhere else in the code. 149 */ 150 int 151 hkdf_sha512(uint8_t *key_material, uint_t km_len, uint8_t *salt, 152 uint_t salt_len, uint8_t *info, uint_t info_len, uint8_t *output_key, 153 uint_t out_len) 154 { 155 int ret; 156 uint8_t extract_key[SHA512_DIGEST_LENGTH]; 157 158 ret = hkdf_sha512_extract(salt, salt_len, key_material, km_len, 159 extract_key); 160 if (ret != 0) 161 return (ret); 162 163 ret = hkdf_sha512_expand(extract_key, info, info_len, output_key, 164 out_len); 165 if (ret != 0) 166 return (ret); 167 168 return (0); 169 }
Cache object: e5bd4558a4a85780c10b690c6ba7504c
[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]