4807c0badb
* PBKDF2 implementation changed to OpenSSL implementation. * HKDF implementation moved to its own file and tests added to ensure correctness. * Removed libzfs's now unnecessary dependency on libzpool and libicp. * Ztest can now create and test encrypted datasets. This is currently disabled until issue #6526 is resolved, but otherwise functions as advertised. * Several small bug fixes discovered after enabling ztest to run on encrypted datasets. * Fixed coverity defects added by the encryption patch. * Updated man pages for encrypted send / receive behavior. * Fixed a bug where encrypted datasets could receive DRR_WRITE_EMBEDDED records. * Minor code cleanups / consolidation. Signed-off-by: Tom Caputi <tcaputi@datto.com>
172 lines
4.5 KiB
C
172 lines
4.5 KiB
C
/*
|
|
* CDDL HEADER START
|
|
*
|
|
* This file and its contents are supplied under the terms of the
|
|
* Common Development and Distribution License ("CDDL"), version 1.0.
|
|
* You may only use this file in accordance with the terms of version
|
|
* 1.0 of the CDDL.
|
|
*
|
|
* A full copy of the text of the CDDL should have accompanied this
|
|
* source. A copy of the CDDL is also available via the Internet at
|
|
* http://www.illumos.org/license/CDDL.
|
|
*
|
|
* CDDL HEADER END
|
|
*/
|
|
|
|
/*
|
|
* Copyright (c) 2017, Datto, Inc. All rights reserved.
|
|
*/
|
|
|
|
#include <sys/crypto/api.h>
|
|
#include <sys/sha2.h>
|
|
#include <sys/hkdf.h>
|
|
|
|
static int
|
|
hkdf_sha512_extract(uint8_t *salt, uint_t salt_len, uint8_t *key_material,
|
|
uint_t km_len, uint8_t *out_buf)
|
|
{
|
|
int ret;
|
|
crypto_mechanism_t mech;
|
|
crypto_key_t key;
|
|
crypto_data_t input_cd, output_cd;
|
|
|
|
/* initialize HMAC mechanism */
|
|
mech.cm_type = crypto_mech2id(SUN_CKM_SHA512_HMAC);
|
|
mech.cm_param = NULL;
|
|
mech.cm_param_len = 0;
|
|
|
|
/* initialize the salt as a crypto key */
|
|
key.ck_format = CRYPTO_KEY_RAW;
|
|
key.ck_length = CRYPTO_BYTES2BITS(salt_len);
|
|
key.ck_data = salt;
|
|
|
|
/* initialize crypto data for the input and output data */
|
|
input_cd.cd_format = CRYPTO_DATA_RAW;
|
|
input_cd.cd_offset = 0;
|
|
input_cd.cd_length = km_len;
|
|
input_cd.cd_raw.iov_base = (char *)key_material;
|
|
input_cd.cd_raw.iov_len = input_cd.cd_length;
|
|
|
|
output_cd.cd_format = CRYPTO_DATA_RAW;
|
|
output_cd.cd_offset = 0;
|
|
output_cd.cd_length = SHA512_DIGEST_LENGTH;
|
|
output_cd.cd_raw.iov_base = (char *)out_buf;
|
|
output_cd.cd_raw.iov_len = output_cd.cd_length;
|
|
|
|
ret = crypto_mac(&mech, &input_cd, &key, NULL, &output_cd, NULL);
|
|
if (ret != CRYPTO_SUCCESS)
|
|
return (SET_ERROR(EIO));
|
|
|
|
return (0);
|
|
}
|
|
|
|
static int
|
|
hkdf_sha512_expand(uint8_t *extract_key, uint8_t *info, uint_t info_len,
|
|
uint8_t *out_buf, uint_t out_len)
|
|
{
|
|
int ret;
|
|
crypto_mechanism_t mech;
|
|
crypto_context_t ctx;
|
|
crypto_key_t key;
|
|
crypto_data_t T_cd, info_cd, c_cd;
|
|
uint_t i, T_len = 0, pos = 0;
|
|
uint8_t c;
|
|
uint_t N = (out_len + SHA512_DIGEST_LENGTH) / SHA512_DIGEST_LENGTH;
|
|
uint8_t T[SHA512_DIGEST_LENGTH];
|
|
|
|
if (N > 255)
|
|
return (SET_ERROR(EINVAL));
|
|
|
|
/* initialize HMAC mechanism */
|
|
mech.cm_type = crypto_mech2id(SUN_CKM_SHA512_HMAC);
|
|
mech.cm_param = NULL;
|
|
mech.cm_param_len = 0;
|
|
|
|
/* initialize the salt as a crypto key */
|
|
key.ck_format = CRYPTO_KEY_RAW;
|
|
key.ck_length = CRYPTO_BYTES2BITS(SHA512_DIGEST_LENGTH);
|
|
key.ck_data = extract_key;
|
|
|
|
/* initialize crypto data for the input and output data */
|
|
T_cd.cd_format = CRYPTO_DATA_RAW;
|
|
T_cd.cd_offset = 0;
|
|
T_cd.cd_raw.iov_base = (char *)T;
|
|
|
|
c_cd.cd_format = CRYPTO_DATA_RAW;
|
|
c_cd.cd_offset = 0;
|
|
c_cd.cd_length = 1;
|
|
c_cd.cd_raw.iov_base = (char *)&c;
|
|
c_cd.cd_raw.iov_len = c_cd.cd_length;
|
|
|
|
info_cd.cd_format = CRYPTO_DATA_RAW;
|
|
info_cd.cd_offset = 0;
|
|
info_cd.cd_length = info_len;
|
|
info_cd.cd_raw.iov_base = (char *)info;
|
|
info_cd.cd_raw.iov_len = info_cd.cd_length;
|
|
|
|
for (i = 1; i <= N; i++) {
|
|
c = i;
|
|
|
|
T_cd.cd_length = T_len;
|
|
T_cd.cd_raw.iov_len = T_cd.cd_length;
|
|
|
|
ret = crypto_mac_init(&mech, &key, NULL, &ctx, NULL);
|
|
if (ret != CRYPTO_SUCCESS)
|
|
return (SET_ERROR(EIO));
|
|
|
|
ret = crypto_mac_update(ctx, &T_cd, NULL);
|
|
if (ret != CRYPTO_SUCCESS)
|
|
return (SET_ERROR(EIO));
|
|
|
|
ret = crypto_mac_update(ctx, &info_cd, NULL);
|
|
if (ret != CRYPTO_SUCCESS)
|
|
return (SET_ERROR(EIO));
|
|
|
|
ret = crypto_mac_update(ctx, &c_cd, NULL);
|
|
if (ret != CRYPTO_SUCCESS)
|
|
return (SET_ERROR(EIO));
|
|
|
|
T_len = SHA512_DIGEST_LENGTH;
|
|
T_cd.cd_length = T_len;
|
|
T_cd.cd_raw.iov_len = T_cd.cd_length;
|
|
|
|
ret = crypto_mac_final(ctx, &T_cd, NULL);
|
|
if (ret != CRYPTO_SUCCESS)
|
|
return (SET_ERROR(EIO));
|
|
|
|
bcopy(T, out_buf + pos,
|
|
(i != N) ? SHA512_DIGEST_LENGTH : (out_len - pos));
|
|
pos += SHA512_DIGEST_LENGTH;
|
|
}
|
|
|
|
return (0);
|
|
}
|
|
|
|
/*
|
|
* HKDF is designed to be a relatively fast function for deriving keys from a
|
|
* master key + a salt. We use this function to generate new encryption keys
|
|
* so as to avoid hitting the cryptographic limits of the underlying
|
|
* encryption modes. Note that, for the sake of deriving encryption keys, the
|
|
* info parameter is called the "salt" everywhere else in the code.
|
|
*/
|
|
int
|
|
hkdf_sha512(uint8_t *key_material, uint_t km_len, uint8_t *salt,
|
|
uint_t salt_len, uint8_t *info, uint_t info_len, uint8_t *output_key,
|
|
uint_t out_len)
|
|
{
|
|
int ret;
|
|
uint8_t extract_key[SHA512_DIGEST_LENGTH];
|
|
|
|
ret = hkdf_sha512_extract(salt, salt_len, key_material, km_len,
|
|
extract_key);
|
|
if (ret != 0)
|
|
return (ret);
|
|
|
|
ret = hkdf_sha512_expand(extract_key, info, info_len, output_key,
|
|
out_len);
|
|
if (ret != 0)
|
|
return (ret);
|
|
|
|
return (0);
|
|
}
|