Example #1
0
/*
 * zcrypt_key_lookup
 *
 * This function looks up the key we need based on the bookmark.
 * It returns a reference to the key that the caller should NOT free.
 * The caller should use zcrypt_key_hold/release()
 * On failure it returns NULL;
 */
zcrypt_key_t *
zcrypt_key_lookup(spa_t *spa, uint64_t objset, uint64_t txg)
{
	zcrypt_keystore_node_t *skn;
	zcrypt_keychain_node_t *dkn;
	crypto_mechanism_t mech = { 0 };
	zcrypt_key_t *key;

#if _KERNEL
    printk("zcrypt_key_lookup enter\n");
#endif

	skn = zcrypt_keystore_find_node(spa, objset, B_FALSE);
	if (skn == NULL)
		return (NULL);

	/* ZIL writes use txg 0 but we want the latest key */
	if (txg == 0)
		txg = -1UL;
	mutex_enter(&skn->skn_lock);
	dkn = zcrypt_keychain_find(skn->skn_keychain, txg);
	if (dkn == NULL) {
		mutex_exit(&skn->skn_lock);
		return (NULL);
	}
	key = dkn->dkn_key;
	if (key != NULL && !key->zk_ctx_tmpl_valid) {
		mech.cm_type = crypto_mech2id(
		    zio_crypt_table[key->zk_crypt].ci_mechname);
		if (crypto_create_ctx_template(&mech, &key->zk_key,
		    &key->zk_ctx_tmpl, KM_SLEEP) == CRYPTO_SUCCESS)
			key->zk_ctx_tmpl_valid = B_TRUE;
	}
	if (key != NULL && !key->zk_mac_ctx_tmpl_valid) {
		mech.cm_type = crypto_mech2id(SUN_CKM_SHA256_HMAC_GENERAL);
		if (crypto_create_ctx_template(&mech, &key->zk_mackey,
		    &key->zk_mac_ctx_tmpl, KM_SLEEP) == CRYPTO_SUCCESS)
			key->zk_mac_ctx_tmpl_valid = B_TRUE;
	}
	mutex_exit(&skn->skn_lock);

#if _KERNEL
    printk("zcrypt_key_lookup exit: key %p\n", key);
#endif
	return (key);
}
Example #2
0
static int
pbkdf2(uint8_t *passphrase, size_t passphraselen, uint8_t *salt,
    size_t saltlen, uint64_t iterations, uint8_t *output,
    size_t outputlen)
{
	int ret;
	uint64_t iter;
	uint32_t blockptr, i;
	uint16_t hmac_key_len;
	uint8_t *hmac_key;
	uint8_t block[SHA1_DIGEST_LEN * 2];
	uint8_t *hmacresult = block + SHA1_DIGEST_LEN;
	crypto_mechanism_t mech;
	crypto_key_t key;
	crypto_data_t in_data, out_data;
	crypto_ctx_template_t tmpl = NULL;

	/* initialize output */
	memset(output, 0, outputlen);

	/* initialize icp for use */
	thread_init();
	icp_init();

	/* HMAC key size is max(sizeof(uint32_t) + salt len, sha 256 len) */
	if (saltlen > SHA1_DIGEST_LEN) {
		hmac_key_len = saltlen + sizeof (uint32_t);
	} else {
		hmac_key_len = SHA1_DIGEST_LEN;
	}

	hmac_key = calloc(hmac_key_len, 1);
	if (!hmac_key) {
		ret = ENOMEM;
		goto error;
	}

	/* initialize sha 256 hmac mechanism */
	mech.cm_type = crypto_mech2id(SUN_CKM_SHA1_HMAC);
	mech.cm_param = NULL;
	mech.cm_param_len = 0;

	/* initialize passphrase as a crypto key */
	key.ck_format = CRYPTO_KEY_RAW;
	key.ck_length = CRYPTO_BYTES2BITS(passphraselen);
	key.ck_data = passphrase;

	/*
	 * initialize crypto data for the input data. length will change
	 * after the first iteration, so we will initialize it in the loop.
	 */
	in_data.cd_format = CRYPTO_DATA_RAW;
	in_data.cd_offset = 0;
	in_data.cd_raw.iov_base = (char *)hmac_key;

	/* initialize crypto data for the output data */
	out_data.cd_format = CRYPTO_DATA_RAW;
	out_data.cd_offset = 0;
	out_data.cd_length = SHA1_DIGEST_LEN;
	out_data.cd_raw.iov_base = (char *)hmacresult;
	out_data.cd_raw.iov_len = out_data.cd_length;

	/* initialize the context template */
	ret = crypto_create_ctx_template(&mech, &key, &tmpl, KM_SLEEP);
	if (ret != CRYPTO_SUCCESS) {
		ret = EIO;
		goto error;
	}

	/* main loop */
	for (blockptr = 0; blockptr < outputlen; blockptr += SHA1_DIGEST_LEN) {

		/*
		 * for the first iteration, the HMAC key is the user-provided
		 * salt concatenated with the block index (1-indexed)
		 */
		i = htobe32(1 + (blockptr / SHA1_DIGEST_LEN));
		memmove(hmac_key, salt, saltlen);
		memmove(hmac_key + saltlen, (uint8_t *)(&i), sizeof (uint32_t));

		/* block initializes to zeroes (no XOR) */
		memset(block, 0, SHA1_DIGEST_LEN);

		for (iter = 0; iter < iterations; iter++) {
			if (iter > 0) {
				in_data.cd_length = SHA1_DIGEST_LEN;
				in_data.cd_raw.iov_len = in_data.cd_length;
			} else {
				in_data.cd_length = saltlen + sizeof (uint32_t);
				in_data.cd_raw.iov_len = in_data.cd_length;
			}

			ret = crypto_mac(&mech, &in_data, &key, tmpl,
			    &out_data, NULL);
			if (ret != CRYPTO_SUCCESS) {
				ret = EIO;
				goto error;
			}

			/* HMAC key now becomes the output of this iteration */
			memmove(hmac_key, hmacresult, SHA1_DIGEST_LEN);

			/* XOR this iteration's result with the current block */
			for (i = 0; i < SHA1_DIGEST_LEN; i++) {
				block[i] ^= hmacresult[i];
			}
		}

		/*
		 * compute length of this block, make sure we don't write
		 * beyond the end of the output, truncating if necessary
		 */
		if (blockptr + SHA1_DIGEST_LEN > outputlen) {
			memmove(output + blockptr, block, outputlen - blockptr);
		} else {
			memmove(output + blockptr, block, SHA1_DIGEST_LEN);
		}
	}

	crypto_destroy_ctx_template(tmpl);
	free(hmac_key);
	icp_fini();
	thread_fini();

	return (0);

error:
	crypto_destroy_ctx_template(tmpl);
	if (hmac_key != NULL)
		free(hmac_key);
	icp_fini();
	thread_fini();

	return (ret);
}