unbound: Vendor import 1.15.0

[FreeBSD/FreeBSD.git] / sys / contrib / openzfs / module / zfs / hkdf.c

/*
 * CDDL HEADER START
 *
 * This file and its contents are supplied under the terms of the
 * Common Development and Distribution License ("CDDL"), version 1.0.
 * You may only use this file in accordance with the terms of version
 * 1.0 of the CDDL.
 *
 * A full copy of the text of the CDDL should have accompanied this
 * source.  A copy of the CDDL is also available via the Internet at
 * http://www.illumos.org/license/CDDL.
 *
 * CDDL HEADER END
 */

/*
 * Copyright (c) 2017, Datto, Inc. All rights reserved.
 */

#include <sys/crypto/api.h>
#include <sys/sha2.h>
#include <sys/hkdf.h>

static int
hkdf_sha512_extract(uint8_t *salt, uint_t salt_len, uint8_t *key_material,
    uint_t km_len, uint8_t *out_buf)
{
        int ret;
        crypto_mechanism_t mech;
        crypto_key_t key;
        crypto_data_t input_cd, output_cd;

        /* initialize HMAC mechanism */
        mech.cm_type = crypto_mech2id(SUN_CKM_SHA512_HMAC);
        mech.cm_param = NULL;
        mech.cm_param_len = 0;

        /* initialize the salt as a crypto key */
        key.ck_format = CRYPTO_KEY_RAW;
        key.ck_length = CRYPTO_BYTES2BITS(salt_len);
        key.ck_data = salt;

        /* initialize crypto data for the input and output data */
        input_cd.cd_format = CRYPTO_DATA_RAW;
        input_cd.cd_offset = 0;
        input_cd.cd_length = km_len;
        input_cd.cd_raw.iov_base = (char *)key_material;
        input_cd.cd_raw.iov_len = input_cd.cd_length;

        output_cd.cd_format = CRYPTO_DATA_RAW;
        output_cd.cd_offset = 0;
        output_cd.cd_length = SHA512_DIGEST_LENGTH;
        output_cd.cd_raw.iov_base = (char *)out_buf;
        output_cd.cd_raw.iov_len = output_cd.cd_length;

        ret = crypto_mac(&mech, &input_cd, &key, NULL, &output_cd, NULL);
        if (ret != CRYPTO_SUCCESS)
                return (SET_ERROR(EIO));

        return (0);
}

static int
hkdf_sha512_expand(uint8_t *extract_key, uint8_t *info, uint_t info_len,
    uint8_t *out_buf, uint_t out_len)
{
        int ret;
        crypto_mechanism_t mech;
        crypto_context_t ctx;
        crypto_key_t key;
        crypto_data_t T_cd, info_cd, c_cd;
        uint_t i, T_len = 0, pos = 0;
        uint8_t c;
        uint_t N = (out_len + SHA512_DIGEST_LENGTH) / SHA512_DIGEST_LENGTH;
        uint8_t T[SHA512_DIGEST_LENGTH];

        if (N > 255)
                return (SET_ERROR(EINVAL));

        /* initialize HMAC mechanism */
        mech.cm_type = crypto_mech2id(SUN_CKM_SHA512_HMAC);
        mech.cm_param = NULL;
        mech.cm_param_len = 0;

        /* initialize the salt as a crypto key */
        key.ck_format = CRYPTO_KEY_RAW;
        key.ck_length = CRYPTO_BYTES2BITS(SHA512_DIGEST_LENGTH);
        key.ck_data = extract_key;

        /* initialize crypto data for the input and output data */
        T_cd.cd_format = CRYPTO_DATA_RAW;
        T_cd.cd_offset = 0;
        T_cd.cd_raw.iov_base = (char *)T;

        c_cd.cd_format = CRYPTO_DATA_RAW;
        c_cd.cd_offset = 0;
        c_cd.cd_length = 1;
        c_cd.cd_raw.iov_base = (char *)&c;
        c_cd.cd_raw.iov_len = c_cd.cd_length;

        info_cd.cd_format = CRYPTO_DATA_RAW;
        info_cd.cd_offset = 0;
        info_cd.cd_length = info_len;
        info_cd.cd_raw.iov_base = (char *)info;
        info_cd.cd_raw.iov_len = info_cd.cd_length;

        for (i = 1; i <= N; i++) {
                c = i;

                T_cd.cd_length = T_len;
                T_cd.cd_raw.iov_len = T_cd.cd_length;

                ret = crypto_mac_init(&mech, &key, NULL, &ctx, NULL);
                if (ret != CRYPTO_SUCCESS)
                        return (SET_ERROR(EIO));

                ret = crypto_mac_update(ctx, &T_cd, NULL);
                if (ret != CRYPTO_SUCCESS)
                        return (SET_ERROR(EIO));

                ret = crypto_mac_update(ctx, &info_cd, NULL);
                if (ret != CRYPTO_SUCCESS)
                        return (SET_ERROR(EIO));

                ret = crypto_mac_update(ctx, &c_cd, NULL);
                if (ret != CRYPTO_SUCCESS)
                        return (SET_ERROR(EIO));

                T_len = SHA512_DIGEST_LENGTH;
                T_cd.cd_length = T_len;
                T_cd.cd_raw.iov_len = T_cd.cd_length;

                ret = crypto_mac_final(ctx, &T_cd, NULL);
                if (ret != CRYPTO_SUCCESS)
                        return (SET_ERROR(EIO));

                bcopy(T, out_buf + pos,
                    (i != N) ? SHA512_DIGEST_LENGTH : (out_len - pos));
                pos += SHA512_DIGEST_LENGTH;
        }

        return (0);
}

/*
 * HKDF is designed to be a relatively fast function for deriving keys from a
 * master key + a salt. We use this function to generate new encryption keys
 * so as to avoid hitting the cryptographic limits of the underlying
 * encryption modes. Note that, for the sake of deriving encryption keys, the
 * info parameter is called the "salt" everywhere else in the code.
 */
int
hkdf_sha512(uint8_t *key_material, uint_t km_len, uint8_t *salt,
    uint_t salt_len, uint8_t *info, uint_t info_len, uint8_t *output_key,
    uint_t out_len)
{
        int ret;
        uint8_t extract_key[SHA512_DIGEST_LENGTH];

        ret = hkdf_sha512_extract(salt, salt_len, key_material, km_len,
            extract_key);
        if (ret != 0)
                return (ret);

        ret = hkdf_sha512_expand(extract_key, info, info_len, output_key,
            out_len);
        if (ret != 0)
                return (ret);

        return (0);
}