authorнаб <[email protected]>2021-12-25 03:23:07 +0100
committerBrian Behlendorf <[email protected]>2022-02-15 16:25:07 -0800
commit739afd9475494ef8443a7f8e251bf2aaff895f35 (patch)
treeb9b2dc7dbb6f8ca4cd38afbf2533cb93d340d857 /module
parent1018e81e30f030c9cf8dbc52508088ce1983e36e (diff)
module: icp: fold away all key formats except CRYPTO_KEY_RAW
It's the only one actually used Reviewed-by: Brian Behlendorf <[email protected]> Signed-off-by: Ahelenia Ziemiańska <[email protected]> Closes #12901
Diffstat (limited to 'module')
-rw-r--r--module/icp/api/kcf_mac.c3
-rw-r--r--module/icp/core/kcf_prov_lib.c44
-rw-r--r--module/icp/include/sys/crypto/impl.h2
-rw-r--r--module/icp/io/aes.c30
-rw-r--r--module/icp/io/sha2_mod.c15
-rw-r--r--module/icp/io/skein_mod.c2
-rw-r--r--module/os/freebsd/zfs/crypto_os.c12
-rw-r--r--module/os/freebsd/zfs/hkdf.c2
-rw-r--r--module/os/freebsd/zfs/zio_crypt.c7
-rw-r--r--module/os/linux/zfs/zio_crypt.c8
-rw-r--r--module/zfs/dsl_crypt.c1
-rw-r--r--module/zfs/hkdf.c2
12 files changed, 23 insertions, 105 deletions
diff --git a/module/icp/api/kcf_mac.c b/module/icp/api/kcf_mac.c
index 11102cdea..7bf0c499e 100644
--- a/module/icp/api/kcf_mac.c
+++ b/module/icp/api/kcf_mac.c
@@ -164,13 +164,12 @@ retry:
* See comment in the beginning of the file.
*/
static int
-crypto_mac_init_prov(crypto_provider_t provider,
+crypto_mac_init_prov(kcf_provider_desc_t *pd,
crypto_mechanism_t *mech, crypto_key_t *key, crypto_spi_ctx_template_t tmpl,
crypto_context_t *ctxp, crypto_call_req_t *crq)
{
int rv;
crypto_ctx_t *ctx;
- kcf_provider_desc_t *pd = provider;
kcf_provider_desc_t *real_provider = pd;
ASSERT(KCF_PROV_REFHELD(pd));
diff --git a/module/icp/core/kcf_prov_lib.c b/module/icp/core/kcf_prov_lib.c
index 6e8853c56..c65a9111a 100644
--- a/module/icp/core/kcf_prov_lib.c
+++ b/module/icp/core/kcf_prov_lib.c
@@ -33,14 +33,12 @@
*/
/*
- * Utility routine to apply the command, 'cmd', to the
+ * Utility routine to apply the command COPY_TO_DATA to the
* data in the uio structure.
*/
-int
-crypto_uio_data(crypto_data_t *data, uchar_t *buf, int len, cmd_type_t cmd,
- void *digest_ctx, void (*update)(void))
+static int
+crypto_uio_copy_to_data(crypto_data_t *data, uchar_t *buf, int len)
{
- (void) digest_ctx, (void) update;
zfs_uio_t *uiop = data->cd_uio;
off_t offset = data->cd_offset;
size_t length = len;
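Review bot: `size_t length = len;` converts a signed `int` to `size_t`, so a negative `len` would turn into a very large byte count before the copy loop runs. Now that crypto_uio_copy_to_data is static and its only visible caller is crypto_put_output_data, it is cheap to reject that up front with `if (len < 0) return (CRYPTO_ARGUMENTS_BAD);`, or at least to assert it with `ASSERT3S(len, >=, 0);`. The function body continues past this hunk, so whether a later bound already limits `length` cannot be seen from here.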
@@ -72,26 +70,8 @@ crypto_uio_data(crypto_data_t *data, uchar_t *buf, int len, cmd_type_t cmd,
offset, length);
datap = (uchar_t *)(zfs_uio_iovbase(uiop, vec_idx) + offset);
- switch (cmd) {
- case COPY_FROM_DATA:
- bcopy(datap, buf, cur_len);
- buf += cur_len;
- break;
- case COPY_TO_DATA:
- bcopy(buf, datap, cur_len);
- buf += cur_len;
- break;
- case COMPARE_TO_DATA:
- if (bcmp(datap, buf, cur_len))
- return (CRYPTO_SIGNATURE_INVALID);
- buf += cur_len;
- break;
- case MD5_DIGEST_DATA:
- case SHA1_DIGEST_DATA:
- case SHA2_DIGEST_DATA:
- case GHASH_DATA:
- return (CRYPTO_ARGUMENTS_BAD);
- }
+ bcopy(buf, datap, cur_len);
+ buf += cur_len;
length -= cur_len;
vec_idx++;
@@ -100,16 +80,11 @@ crypto_uio_data(crypto_data_t *data, uchar_t *buf, int len, cmd_type_t cmd,
if (vec_idx == zfs_uio_iovcnt(uiop) && length > 0) {
/*
- * The end of the specified iovec's was reached but
+ * The end of the specified iovecs was reached but
* the length requested could not be processed.
*/
- switch (cmd) {
- case COPY_TO_DATA:
- data->cd_length = len;
- return (CRYPTO_BUFFER_TOO_SMALL);
- default:
- return (CRYPTO_DATA_LEN_RANGE);
- }
+ data->cd_length = len;
+ return (CRYPTO_BUFFER_TOO_SMALL);
}
return (CRYPTO_SUCCESS);
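Review bot: The header comment of crypto_uio_copy_to_data should say what the caller is left with when the destination is too short. The check here sets `data->cd_length = len` and returns CRYPTO_BUFFER_TOO_SMALL only after the iovecs have been walked, and the `bcopy(buf, datap, cur_len)` in the previous hunk appears to have run for each of them by then. I would add a sentence such as `On CRYPTO_BUFFER_TOO_SMALL, cd_length holds the required length and the uio may already contain a partial copy.` so callers do not treat the output as untouched after an error. The function starts before this hunk.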
@@ -129,8 +104,7 @@ crypto_put_output_data(uchar_t *buf, crypto_data_t *output, int len)
break;
case CRYPTO_DATA_UIO:
- return (crypto_uio_data(output, buf, len,
- COPY_TO_DATA, NULL, NULL));
+ return (crypto_uio_copy_to_data(output, buf, len));
default:
return (CRYPTO_ARGUMENTS_BAD);
}
diff --git a/module/icp/include/sys/crypto/impl.h b/module/icp/include/sys/crypto/impl.h
index c4b9d7dca..da00c4001 100644
--- a/module/icp/include/sys/crypto/impl.h
+++ b/module/icp/include/sys/crypto/impl.h
@@ -479,8 +479,6 @@ extern kcf_provider_desc_t *kcf_alloc_provider_desc(void);
extern void kcf_provider_zero_refcnt(kcf_provider_desc_t *);
extern void kcf_free_provider_desc(kcf_provider_desc_t *);
extern void undo_register_provider(kcf_provider_desc_t *, boolean_t);
-extern int crypto_uio_data(crypto_data_t *, uchar_t *, int, cmd_type_t,
- void *, void (*update)(void));
extern int crypto_put_output_data(uchar_t *, crypto_data_t *, int);
extern int crypto_update_iov(void *, crypto_data_t *, crypto_data_t *,
int (*cipher)(void *, caddr_t, size_t, crypto_data_t *),
diff --git a/module/icp/io/aes.c b/module/icp/io/aes.c
index 8fd64446a..be3ced6d9 100644
--- a/module/icp/io/aes.c
+++ b/module/icp/io/aes.c
@@ -242,24 +242,15 @@ aes_check_mech_param(crypto_mechanism_t *mechanism, aes_ctx_t **ctx, int kmflag)
static int
init_keysched(crypto_key_t *key, void *newbie)
{
- /*
- * Only keys by value are supported by this module.
- */
- switch (key->ck_format) {
- case CRYPTO_KEY_RAW:
- if (key->ck_length < AES_MINBITS ||
- key->ck_length > AES_MAXBITS) {
- return (CRYPTO_KEY_SIZE_RANGE);
- }
-
- /* key length must be either 128, 192, or 256 */
- if ((key->ck_length & 63) != 0)
- return (CRYPTO_KEY_SIZE_RANGE);
- break;
- default:
- return (CRYPTO_KEY_TYPE_INCONSISTENT);
+ if (key->ck_length < AES_MINBITS ||
+ key->ck_length > AES_MAXBITS) {
+ return (CRYPTO_KEY_SIZE_RANGE);
}
+ /* key length must be either 128, 192, or 256 */
+ if ((key->ck_length & 63) != 0)
+ return (CRYPTO_KEY_SIZE_RANGE);
+
aes_init_keysched(key->ck_data, key->ck_length, newbie);
return (CRYPTO_SUCCESS);
}
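Review bot: init_keysched no longer carries any comment on the key contract, because the `Only keys by value are supported` comment was removed together with the format switch. The length checks only make sense if `ck_length` is in bits, which the `128, 192, or 256` comment implies but nothing states. A one-line comment above the function would cover it: `/* key->ck_data holds raw key bytes; key->ck_length is its size in bits. */`.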
@@ -294,13 +285,6 @@ aes_common_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
int rv;
int kmflag;
- /*
- * Only keys by value are supported by this module.
- */
- if (key->ck_format != CRYPTO_KEY_RAW) {
- return (CRYPTO_KEY_TYPE_INCONSISTENT);
- }
-
kmflag = crypto_kmflag(req);
if ((rv = aes_check_mech_param(mechanism, &aes_ctx, kmflag))
!= CRYPTO_SUCCESS)
diff --git a/module/icp/io/sha2_mod.c b/module/icp/io/sha2_mod.c
index 2ac57ebe5..d5a8d5bb7 100644
--- a/module/icp/io/sha2_mod.c
+++ b/module/icp/io/sha2_mod.c
@@ -737,9 +737,6 @@ sha2_mac_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
return (CRYPTO_MECHANISM_INVALID);
}
- if (key->ck_format != CRYPTO_KEY_RAW)
- return (CRYPTO_ARGUMENTS_BAD);
-
ctx->cc_provider_private = kmem_alloc(sizeof (sha2_hmac_ctx_t),
crypto_kmflag(req));
if (ctx->cc_provider_private == NULL)
@@ -971,10 +968,6 @@ sha2_mac_atomic(crypto_provider_handle_t provider,
return (CRYPTO_MECHANISM_INVALID);
}
- /* Add support for key by attributes (RFE 4706552) */
- if (key->ck_format != CRYPTO_KEY_RAW)
- return (CRYPTO_ARGUMENTS_BAD);
-
if (ctx_template != NULL) {
/* reuse context template */
bcopy(ctx_template, &sha2_hmac_ctx, sizeof (sha2_hmac_ctx_t));
@@ -1109,10 +1102,6 @@ sha2_mac_verify_atomic(crypto_provider_handle_t provider,
return (CRYPTO_MECHANISM_INVALID);
}
- /* Add support for key by attributes (RFE 4706552) */
- if (key->ck_format != CRYPTO_KEY_RAW)
- return (CRYPTO_ARGUMENTS_BAD);
-
if (ctx_template != NULL) {
/* reuse context template */
bcopy(ctx_template, &sha2_hmac_ctx, sizeof (sha2_hmac_ctx_t));
@@ -1287,10 +1276,6 @@ sha2_create_ctx_template(crypto_provider_handle_t provider,
return (CRYPTO_MECHANISM_INVALID);
}
- /* Add support for key by attributes (RFE 4706552) */
- if (key->ck_format != CRYPTO_KEY_RAW)
- return (CRYPTO_ARGUMENTS_BAD);
-
/*
* Allocate and initialize SHA2 context.
*/
diff --git a/module/icp/io/skein_mod.c b/module/icp/io/skein_mod.c
index ab233e2b4..48e4358b8 100644
--- a/module/icp/io/skein_mod.c
+++ b/module/icp/io/skein_mod.c
@@ -530,8 +530,6 @@ skein_mac_ctx_build(skein_ctx_t *ctx, crypto_mechanism_t *mechanism,
if (!VALID_SKEIN_MAC_MECH(mechanism->cm_type))
return (CRYPTO_MECHANISM_INVALID);
- if (key->ck_format != CRYPTO_KEY_RAW)
- return (CRYPTO_ARGUMENTS_BAD);
ctx->sc_mech_type = mechanism->cm_type;
error = skein_get_digest_bitlen(mechanism, &ctx->sc_digest_bitlen);
if (error != CRYPTO_SUCCESS)
diff --git a/module/os/freebsd/zfs/crypto_os.c b/module/os/freebsd/zfs/crypto_os.c
index f971b62bd..73083f59f 100644
--- a/module/os/freebsd/zfs/crypto_os.c
+++ b/module/os/freebsd/zfs/crypto_os.c
@@ -210,12 +210,12 @@ freebsd_crypt_uio_debug_log(boolean_t encrypt,
uint8_t *p = NULL;
size_t total = 0;
- printf("%s(%s, %p, { %s, %d, %d, %s }, %p, { %d, %p, %u }, "
+ printf("%s(%s, %p, { %s, %d, %d, %s }, %p, { %p, %u }, "
"%p, %u, %u)\n",
__FUNCTION__, encrypt ? "encrypt" : "decrypt", input_sessionp,
c_info->ci_algname, c_info->ci_crypt_type,
(unsigned int)c_info->ci_keylen, c_info->ci_name,
- data_uio, key->ck_format, key->ck_data,
+ data_uio, key->ck_data,
(unsigned int)key->ck_length,
ivbuf, (unsigned int)datalen, (unsigned int)auth_len);
printf("\tkey = { ");
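Review bot: This debug path writes raw key material to the console log: the `printf("\tkey = { ")` closing this hunk opens what looks like a byte dump of `key->ck_data`, and both freebsd_crypt_newsession hunks below show the same loop over `key->ck_length / 8` bytes under `#ifdef FCRYPTO_DEBUG`. Since the format strings are being edited anyway, consider dropping the key dump or printing only `key->ck_length`, so a build with FCRYPTO_DEBUG defined does not leave encryption keys in system logs. Whether freebsd_crypt_uio_debug_log is itself compiled only under that `#ifdef` cannot be seen from this hunk.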
@@ -247,11 +247,11 @@ freebsd_crypt_newsession(freebsd_crypt_session_t *sessp,
int error = 0;
#ifdef FCRYPTO_DEBUG
- printf("%s(%p, { %s, %d, %d, %s }, { %d, %p, %u })\n",
+ printf("%s(%p, { %s, %d, %d, %s }, { %p, %u })\n",
__FUNCTION__, sessp,
c_info->ci_algname, c_info->ci_crypt_type,
(unsigned int)c_info->ci_keylen, c_info->ci_name,
- key->ck_format, key->ck_data, (unsigned int)key->ck_length);
+ key->ck_data, (unsigned int)key->ck_length);
printf("\tkey = { ");
for (int i = 0; i < key->ck_length / 8; i++) {
uint8_t *b = (uint8_t *)key->ck_data;
@@ -391,11 +391,11 @@ freebsd_crypt_newsession(freebsd_crypt_session_t *sessp,
crypto_session_t sid;
#ifdef FCRYPTO_DEBUG
- printf("%s(%p, { %s, %d, %d, %s }, { %d, %p, %u })\n",
+ printf("%s(%p, { %s, %d, %d, %s }, { %p, %u })\n",
__FUNCTION__, sessp,
c_info->ci_algname, c_info->ci_crypt_type,
(unsigned int)c_info->ci_keylen, c_info->ci_name,
- key->ck_format, key->ck_data, (unsigned int)key->ck_length);
+ key->ck_data, (unsigned int)key->ck_length);
printf("\tkey = { ");
for (int i = 0; i < key->ck_length / 8; i++) {
uint8_t *b = (uint8_t *)key->ck_data;
diff --git a/module/os/freebsd/zfs/hkdf.c b/module/os/freebsd/zfs/hkdf.c
index 8324ff231..ad5d67541 100644
--- a/module/os/freebsd/zfs/hkdf.c
+++ b/module/os/freebsd/zfs/hkdf.c
@@ -29,7 +29,6 @@ hkdf_sha512_extract(uint8_t *salt, uint_t salt_len, uint8_t *key_material,
crypto_key_t key;
/* initialize the salt as a crypto key */
- key.ck_format = CRYPTO_KEY_RAW;
key.ck_length = CRYPTO_BYTES2BITS(salt_len);
key.ck_data = salt;
@@ -53,7 +52,6 @@ hkdf_sha512_expand(uint8_t *extract_key, uint8_t *info, uint_t info_len,
return (SET_ERROR(EINVAL));
/* initialize the salt as a crypto key */
- key.ck_format = CRYPTO_KEY_RAW;
key.ck_length = CRYPTO_BYTES2BITS(SHA512_DIGEST_LENGTH);
key.ck_data = extract_key;
diff --git a/module/os/freebsd/zfs/zio_crypt.c b/module/os/freebsd/zfs/zio_crypt.c
index fbde8063a..a50b8058a 100644
--- a/module/os/freebsd/zfs/zio_crypt.c
+++ b/module/os/freebsd/zfs/zio_crypt.c
@@ -270,11 +270,9 @@ zio_crypt_key_init(uint64_t crypt, zio_crypt_key_t *key)
goto error;
/* initialize keys for the ICP */
- key->zk_current_key.ck_format = CRYPTO_KEY_RAW;
key->zk_current_key.ck_data = key->zk_current_keydata;
key->zk_current_key.ck_length = CRYPTO_BYTES2BITS(keydata_len);
- key->zk_hmac_key.ck_format = CRYPTO_KEY_RAW;
key->zk_hmac_key.ck_data = &key->zk_hmac_key;
key->zk_hmac_key.ck_length = CRYPTO_BYTES2BITS(SHA512_HMAC_KEYLEN);
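Review bot: `key->zk_hmac_key.ck_data = &key->zk_hmac_key;` points the HMAC key's data at the crypto_key_t itself rather than at the key bytes. zio_crypt_key_unwrap further down this file uses `key->zk_hmac_key.ck_data = key->zk_hmac_keydata;`, which looks like the intended form. With `ck_length` set from SHA512_HMAC_KEYLEN, an HMAC keyed through this descriptor would read the struct's own fields, and depending on the struct's size possibly adjacent memory, instead of the generated key. The same line appears in the zio_crypt_key_init hunk of module/os/linux/zfs/zio_crypt.c. zio_crypt_key_init starts and ends outside the hunk, so confirm how zk_hmac_key is consumed after init before changing it.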
@@ -437,7 +435,6 @@ zio_crypt_key_wrap(crypto_key_t *cwkey, zio_crypt_key_t *key, uint8_t *iv,
uint_t enc_len, keydata_len, aad_len;
ASSERT3U(crypt, <, ZIO_CRYPT_FUNCTIONS);
- ASSERT3U(cwkey->ck_format, ==, CRYPTO_KEY_RAW);
zfs_uio_init(&cuio, &cuio_s);
@@ -518,7 +515,6 @@ zio_crypt_key_unwrap(crypto_key_t *cwkey, uint64_t crypt, uint64_t version,
uint_t enc_len, keydata_len, aad_len;
ASSERT3U(crypt, <, ZIO_CRYPT_FUNCTIONS);
- ASSERT3U(cwkey->ck_format, ==, CRYPTO_KEY_RAW);
keydata_len = zio_crypt_table[crypt].ci_keylen;
rw_init(&key->zk_salt_lock, NULL, RW_DEFAULT, NULL);
@@ -586,11 +582,9 @@ zio_crypt_key_unwrap(crypto_key_t *cwkey, uint64_t crypt, uint64_t version,
goto error;
/* initialize keys for ICP */
- key->zk_current_key.ck_format = CRYPTO_KEY_RAW;
key->zk_current_key.ck_data = key->zk_current_keydata;
key->zk_current_key.ck_length = CRYPTO_BYTES2BITS(keydata_len);
- key->zk_hmac_key.ck_format = CRYPTO_KEY_RAW;
key->zk_hmac_key.ck_data = key->zk_hmac_keydata;
key->zk_hmac_key.ck_length = CRYPTO_BYTES2BITS(SHA512_HMAC_KEYLEN);
@@ -1727,7 +1721,6 @@ zio_do_crypt_data(boolean_t encrypt, zio_crypt_key_t *key,
salt, ZIO_DATA_SALT_LEN, enc_keydata, keydata_len);
if (ret != 0)
goto error;
- tmp_ckey.ck_format = CRYPTO_KEY_RAW;
tmp_ckey.ck_data = enc_keydata;
tmp_ckey.ck_length = CRYPTO_BYTES2BITS(keydata_len);
diff --git a/module/os/linux/zfs/zio_crypt.c b/module/os/linux/zfs/zio_crypt.c
index 224fb84ba..909246f20 100644
--- a/module/os/linux/zfs/zio_crypt.c
+++ b/module/os/linux/zfs/zio_crypt.c
@@ -257,11 +257,9 @@ zio_crypt_key_init(uint64_t crypt, zio_crypt_key_t *key)
goto error;
/* initialize keys for the ICP */
- key->zk_current_key.ck_format = CRYPTO_KEY_RAW;
key->zk_current_key.ck_data = key->zk_current_keydata;
key->zk_current_key.ck_length = CRYPTO_BYTES2BITS(keydata_len);
- key->zk_hmac_key.ck_format = CRYPTO_KEY_RAW;
key->zk_hmac_key.ck_data = &key->zk_hmac_key;
key->zk_hmac_key.ck_length = CRYPTO_BYTES2BITS(SHA512_HMAC_KEYLEN);
@@ -387,7 +385,6 @@ zio_do_crypt_uio(boolean_t encrypt, uint64_t crypt, crypto_key_t *key,
uint_t plain_full_len, maclen;
ASSERT3U(crypt, <, ZIO_CRYPT_FUNCTIONS);
- ASSERT3U(key->ck_format, ==, CRYPTO_KEY_RAW);
/* lookup the encryption info */
crypt_info = zio_crypt_table[crypt];
@@ -486,7 +483,6 @@ zio_crypt_key_wrap(crypto_key_t *cwkey, zio_crypt_key_t *key, uint8_t *iv,
uint_t enc_len, keydata_len, aad_len;
ASSERT3U(crypt, <, ZIO_CRYPT_FUNCTIONS);
- ASSERT3U(cwkey->ck_format, ==, CRYPTO_KEY_RAW);
keydata_len = zio_crypt_table[crypt].ci_keylen;
@@ -557,7 +553,6 @@ zio_crypt_key_unwrap(crypto_key_t *cwkey, uint64_t crypt, uint64_t version,
int ret;
ASSERT3U(crypt, <, ZIO_CRYPT_FUNCTIONS);
- ASSERT3U(cwkey->ck_format, ==, CRYPTO_KEY_RAW);
rw_init(&key->zk_salt_lock, NULL, RW_DEFAULT, NULL);
@@ -614,11 +609,9 @@ zio_crypt_key_unwrap(crypto_key_t *cwkey, uint64_t crypt, uint64_t version,
goto error;
/* initialize keys for ICP */
- key->zk_current_key.ck_format = CRYPTO_KEY_RAW;
key->zk_current_key.ck_data = key->zk_current_keydata;
key->zk_current_key.ck_length = CRYPTO_BYTES2BITS(keydata_len);
- key->zk_hmac_key.ck_format = CRYPTO_KEY_RAW;
key->zk_hmac_key.ck_data = key->zk_hmac_keydata;
key->zk_hmac_key.ck_length = CRYPTO_BYTES2BITS(SHA512_HMAC_KEYLEN);
@@ -1921,7 +1914,6 @@ zio_do_crypt_data(boolean_t encrypt, zio_crypt_key_t *key,
if (ret != 0)
goto error;
- tmp_ckey.ck_format = CRYPTO_KEY_RAW;
tmp_ckey.ck_data = enc_keydata;
tmp_ckey.ck_length = CRYPTO_BYTES2BITS(keydata_len);
diff --git a/module/zfs/dsl_crypt.c b/module/zfs/dsl_crypt.c
index 1ea184de3..6330a44b4 100644
--- a/module/zfs/dsl_crypt.c
+++ b/module/zfs/dsl_crypt.c
@@ -119,7 +119,6 @@ dsl_wrapping_key_create(uint8_t *wkeydata, zfs_keyformat_t keyformat,
/* allocate and initialize the underlying crypto key */
wkey->wk_key.ck_data = kmem_alloc(WRAPPING_KEY_LEN, KM_SLEEP);
- wkey->wk_key.ck_format = CRYPTO_KEY_RAW;
wkey->wk_key.ck_length = CRYPTO_BYTES2BITS(WRAPPING_KEY_LEN);
bcopy(wkeydata, wkey->wk_key.ck_data, WRAPPING_KEY_LEN);
diff --git a/module/zfs/hkdf.c b/module/zfs/hkdf.c
index 49ad0a9fb..901772768 100644
--- a/module/zfs/hkdf.c
+++ b/module/zfs/hkdf.c
@@ -36,7 +36,6 @@ hkdf_sha512_extract(uint8_t *salt, uint_t salt_len, uint8_t *key_material,
mech.cm_param_len = 0;
/* initialize the salt as a crypto key */
- key.ck_format = CRYPTO_KEY_RAW;
key.ck_length = CRYPTO_BYTES2BITS(salt_len);
key.ck_data = salt;
@@ -83,7 +82,6 @@ hkdf_sha512_expand(uint8_t *extract_key, uint8_t *info, uint_t info_len,
mech.cm_param_len = 0;
/* initialize the salt as a crypto key */
- key.ck_format = CRYPTO_KEY_RAW;
key.ck_length = CRYPTO_BYTES2BITS(SHA512_DIGEST_LENGTH);
key.ck_data = extract_key;