/* * zcrypt_key_lookup * * This function looks up the key we need based on the bookmark. * It returns a reference to the key that the caller should NOT free. * The caller should use zcrypt_key_hold/release() * On failure it returns NULL; */ zcrypt_key_t * zcrypt_key_lookup(spa_t *spa, uint64_t objset, uint64_t txg) { zcrypt_keystore_node_t *skn; zcrypt_keychain_node_t *dkn; crypto_mechanism_t mech = { 0 }; zcrypt_key_t *key; #if _KERNEL printk("zcrypt_key_lookup enter\n"); #endif skn = zcrypt_keystore_find_node(spa, objset, B_FALSE); if (skn == NULL) return (NULL); /* ZIL writes use txg 0 but we want the latest key */ if (txg == 0) txg = -1UL; mutex_enter(&skn->skn_lock); dkn = zcrypt_keychain_find(skn->skn_keychain, txg); if (dkn == NULL) { mutex_exit(&skn->skn_lock); return (NULL); } key = dkn->dkn_key; if (key != NULL && !key->zk_ctx_tmpl_valid) { mech.cm_type = crypto_mech2id( zio_crypt_table[key->zk_crypt].ci_mechname); if (crypto_create_ctx_template(&mech, &key->zk_key, &key->zk_ctx_tmpl, KM_SLEEP) == CRYPTO_SUCCESS) key->zk_ctx_tmpl_valid = B_TRUE; } if (key != NULL && !key->zk_mac_ctx_tmpl_valid) { mech.cm_type = crypto_mech2id(SUN_CKM_SHA256_HMAC_GENERAL); if (crypto_create_ctx_template(&mech, &key->zk_mackey, &key->zk_mac_ctx_tmpl, KM_SLEEP) == CRYPTO_SUCCESS) key->zk_mac_ctx_tmpl_valid = B_TRUE; } mutex_exit(&skn->skn_lock); #if _KERNEL printk("zcrypt_key_lookup exit: key %p\n", key); #endif return (key); }
static int pbkdf2(uint8_t *passphrase, size_t passphraselen, uint8_t *salt, size_t saltlen, uint64_t iterations, uint8_t *output, size_t outputlen) { int ret; uint64_t iter; uint32_t blockptr, i; uint16_t hmac_key_len; uint8_t *hmac_key; uint8_t block[SHA1_DIGEST_LEN * 2]; uint8_t *hmacresult = block + SHA1_DIGEST_LEN; crypto_mechanism_t mech; crypto_key_t key; crypto_data_t in_data, out_data; crypto_ctx_template_t tmpl = NULL; /* initialize output */ memset(output, 0, outputlen); /* initialize icp for use */ thread_init(); icp_init(); /* HMAC key size is max(sizeof(uint32_t) + salt len, sha 256 len) */ if (saltlen > SHA1_DIGEST_LEN) { hmac_key_len = saltlen + sizeof (uint32_t); } else { hmac_key_len = SHA1_DIGEST_LEN; } hmac_key = calloc(hmac_key_len, 1); if (!hmac_key) { ret = ENOMEM; goto error; } /* initialize sha 256 hmac mechanism */ mech.cm_type = crypto_mech2id(SUN_CKM_SHA1_HMAC); mech.cm_param = NULL; mech.cm_param_len = 0; /* initialize passphrase as a crypto key */ key.ck_format = CRYPTO_KEY_RAW; key.ck_length = CRYPTO_BYTES2BITS(passphraselen); key.ck_data = passphrase; /* * initialize crypto data for the input data. length will change * after the first iteration, so we will initialize it in the loop. */ in_data.cd_format = CRYPTO_DATA_RAW; in_data.cd_offset = 0; in_data.cd_raw.iov_base = (char *)hmac_key; /* initialize crypto data for the output data */ out_data.cd_format = CRYPTO_DATA_RAW; out_data.cd_offset = 0; out_data.cd_length = SHA1_DIGEST_LEN; out_data.cd_raw.iov_base = (char *)hmacresult; out_data.cd_raw.iov_len = out_data.cd_length; /* initialize the context template */ ret = crypto_create_ctx_template(&mech, &key, &tmpl, KM_SLEEP); if (ret != CRYPTO_SUCCESS) { ret = EIO; goto error; } /* main loop */ for (blockptr = 0; blockptr < outputlen; blockptr += SHA1_DIGEST_LEN) { /* * for the first iteration, the HMAC key is the user-provided * salt concatenated with the block index (1-indexed) */ i = htobe32(1 + (blockptr / SHA1_DIGEST_LEN)); memmove(hmac_key, salt, saltlen); memmove(hmac_key + saltlen, (uint8_t *)(&i), sizeof (uint32_t)); /* block initializes to zeroes (no XOR) */ memset(block, 0, SHA1_DIGEST_LEN); for (iter = 0; iter < iterations; iter++) { if (iter > 0) { in_data.cd_length = SHA1_DIGEST_LEN; in_data.cd_raw.iov_len = in_data.cd_length; } else { in_data.cd_length = saltlen + sizeof (uint32_t); in_data.cd_raw.iov_len = in_data.cd_length; } ret = crypto_mac(&mech, &in_data, &key, tmpl, &out_data, NULL); if (ret != CRYPTO_SUCCESS) { ret = EIO; goto error; } /* HMAC key now becomes the output of this iteration */ memmove(hmac_key, hmacresult, SHA1_DIGEST_LEN); /* XOR this iteration's result with the current block */ for (i = 0; i < SHA1_DIGEST_LEN; i++) { block[i] ^= hmacresult[i]; } } /* * compute length of this block, make sure we don't write * beyond the end of the output, truncating if necessary */ if (blockptr + SHA1_DIGEST_LEN > outputlen) { memmove(output + blockptr, block, outputlen - blockptr); } else { memmove(output + blockptr, block, SHA1_DIGEST_LEN); } } crypto_destroy_ctx_template(tmpl); free(hmac_key); icp_fini(); thread_fini(); return (0); error: crypto_destroy_ctx_template(tmpl); if (hmac_key != NULL) free(hmac_key); icp_fini(); thread_fini(); return (ret); }