static int hkdf_sha512_extract(uint8_t *salt, uint_t salt_len, uint8_t *key_material, uint_t km_len, uint8_t *out_buf) { int ret; crypto_mechanism_t mech; crypto_key_t key; crypto_data_t input_cd, output_cd; /* initialize HMAC mechanism */ mech.cm_type = crypto_mech2id(SUN_CKM_SHA512_HMAC); mech.cm_param = NULL; mech.cm_param_len = 0; /* initialize the salt as a crypto key */ key.ck_format = CRYPTO_KEY_RAW; key.ck_length = CRYPTO_BYTES2BITS(salt_len); key.ck_data = salt; /* initialize crypto data for the input and output data */ input_cd.cd_format = CRYPTO_DATA_RAW; input_cd.cd_offset = 0; input_cd.cd_length = km_len; input_cd.cd_raw.iov_base = (char *)key_material; input_cd.cd_raw.iov_len = input_cd.cd_length; output_cd.cd_format = CRYPTO_DATA_RAW; output_cd.cd_offset = 0; output_cd.cd_length = SHA512_DIGEST_LENGTH; output_cd.cd_raw.iov_base = (char *)out_buf; output_cd.cd_raw.iov_len = output_cd.cd_length; ret = crypto_mac(&mech, &input_cd, &key, NULL, &output_cd, NULL); if (ret != CRYPTO_SUCCESS) return (SET_ERROR(EIO)); return (0); }
static int pbkdf2(uint8_t *passphrase, size_t passphraselen, uint8_t *salt, size_t saltlen, uint64_t iterations, uint8_t *output, size_t outputlen) { int ret; uint64_t iter; uint32_t blockptr, i; uint16_t hmac_key_len; uint8_t *hmac_key; uint8_t block[SHA1_DIGEST_LEN * 2]; uint8_t *hmacresult = block + SHA1_DIGEST_LEN; crypto_mechanism_t mech; crypto_key_t key; crypto_data_t in_data, out_data; crypto_ctx_template_t tmpl = NULL; /* initialize output */ memset(output, 0, outputlen); /* initialize icp for use */ thread_init(); icp_init(); /* HMAC key size is max(sizeof(uint32_t) + salt len, sha 256 len) */ if (saltlen > SHA1_DIGEST_LEN) { hmac_key_len = saltlen + sizeof (uint32_t); } else { hmac_key_len = SHA1_DIGEST_LEN; } hmac_key = calloc(hmac_key_len, 1); if (!hmac_key) { ret = ENOMEM; goto error; } /* initialize sha 256 hmac mechanism */ mech.cm_type = crypto_mech2id(SUN_CKM_SHA1_HMAC); mech.cm_param = NULL; mech.cm_param_len = 0; /* initialize passphrase as a crypto key */ key.ck_format = CRYPTO_KEY_RAW; key.ck_length = CRYPTO_BYTES2BITS(passphraselen); key.ck_data = passphrase; /* * initialize crypto data for the input data. length will change * after the first iteration, so we will initialize it in the loop. */ in_data.cd_format = CRYPTO_DATA_RAW; in_data.cd_offset = 0; in_data.cd_raw.iov_base = (char *)hmac_key; /* initialize crypto data for the output data */ out_data.cd_format = CRYPTO_DATA_RAW; out_data.cd_offset = 0; out_data.cd_length = SHA1_DIGEST_LEN; out_data.cd_raw.iov_base = (char *)hmacresult; out_data.cd_raw.iov_len = out_data.cd_length; /* initialize the context template */ ret = crypto_create_ctx_template(&mech, &key, &tmpl, KM_SLEEP); if (ret != CRYPTO_SUCCESS) { ret = EIO; goto error; } /* main loop */ for (blockptr = 0; blockptr < outputlen; blockptr += SHA1_DIGEST_LEN) { /* * for the first iteration, the HMAC key is the user-provided * salt concatenated with the block index (1-indexed) */ i = htobe32(1 + (blockptr / SHA1_DIGEST_LEN)); memmove(hmac_key, salt, saltlen); memmove(hmac_key + saltlen, (uint8_t *)(&i), sizeof (uint32_t)); /* block initializes to zeroes (no XOR) */ memset(block, 0, SHA1_DIGEST_LEN); for (iter = 0; iter < iterations; iter++) { if (iter > 0) { in_data.cd_length = SHA1_DIGEST_LEN; in_data.cd_raw.iov_len = in_data.cd_length; } else { in_data.cd_length = saltlen + sizeof (uint32_t); in_data.cd_raw.iov_len = in_data.cd_length; } ret = crypto_mac(&mech, &in_data, &key, tmpl, &out_data, NULL); if (ret != CRYPTO_SUCCESS) { ret = EIO; goto error; } /* HMAC key now becomes the output of this iteration */ memmove(hmac_key, hmacresult, SHA1_DIGEST_LEN); /* XOR this iteration's result with the current block */ for (i = 0; i < SHA1_DIGEST_LEN; i++) { block[i] ^= hmacresult[i]; } } /* * compute length of this block, make sure we don't write * beyond the end of the output, truncating if necessary */ if (blockptr + SHA1_DIGEST_LEN > outputlen) { memmove(output + blockptr, block, outputlen - blockptr); } else { memmove(output + blockptr, block, SHA1_DIGEST_LEN); } } crypto_destroy_ctx_template(tmpl); free(hmac_key); icp_fini(); thread_fini(); return (0); error: crypto_destroy_ctx_template(tmpl); if (hmac_key != NULL) free(hmac_key); icp_fini(); thread_fini(); return (ret); }
static int hkdf_sha512_expand(uint8_t *extract_key, uint8_t *info, uint_t info_len, uint8_t *out_buf, uint_t out_len) { int ret; crypto_mechanism_t mech; crypto_context_t ctx; crypto_key_t key; crypto_data_t T_cd, info_cd, c_cd; uint_t i, T_len = 0, pos = 0; uint8_t c; uint_t N = (out_len + SHA512_DIGEST_LENGTH) / SHA512_DIGEST_LENGTH; uint8_t T[SHA512_DIGEST_LENGTH]; if (N > 255) return (SET_ERROR(EINVAL)); /* initialize HMAC mechanism */ mech.cm_type = crypto_mech2id(SUN_CKM_SHA512_HMAC); mech.cm_param = NULL; mech.cm_param_len = 0; /* initialize the salt as a crypto key */ key.ck_format = CRYPTO_KEY_RAW; key.ck_length = CRYPTO_BYTES2BITS(SHA512_DIGEST_LENGTH); key.ck_data = extract_key; /* initialize crypto data for the input and output data */ T_cd.cd_format = CRYPTO_DATA_RAW; T_cd.cd_offset = 0; T_cd.cd_raw.iov_base = (char *)T; c_cd.cd_format = CRYPTO_DATA_RAW; c_cd.cd_offset = 0; c_cd.cd_length = 1; c_cd.cd_raw.iov_base = (char *)&c; c_cd.cd_raw.iov_len = c_cd.cd_length; info_cd.cd_format = CRYPTO_DATA_RAW; info_cd.cd_offset = 0; info_cd.cd_length = info_len; info_cd.cd_raw.iov_base = (char *)info; info_cd.cd_raw.iov_len = info_cd.cd_length; for (i = 1; i <= N; i++) { c = i; T_cd.cd_length = T_len; T_cd.cd_raw.iov_len = T_cd.cd_length; ret = crypto_mac_init(&mech, &key, NULL, &ctx, NULL); if (ret != CRYPTO_SUCCESS) return (SET_ERROR(EIO)); ret = crypto_mac_update(ctx, &T_cd, NULL); if (ret != CRYPTO_SUCCESS) return (SET_ERROR(EIO)); ret = crypto_mac_update(ctx, &info_cd, NULL); if (ret != CRYPTO_SUCCESS) return (SET_ERROR(EIO)); ret = crypto_mac_update(ctx, &c_cd, NULL); if (ret != CRYPTO_SUCCESS) return (SET_ERROR(EIO)); T_len = SHA512_DIGEST_LENGTH; T_cd.cd_length = T_len; T_cd.cd_raw.iov_len = T_cd.cd_length; ret = crypto_mac_final(ctx, &T_cd, NULL); if (ret != CRYPTO_SUCCESS) return (SET_ERROR(EIO)); bcopy(T, out_buf + pos, (i != N) ? SHA512_DIGEST_LENGTH : (out_len - pos)); pos += SHA512_DIGEST_LENGTH; } return (0); }