author | наб <[email protected]> | 2021-12-25 03:23:07 +0100 |
---|---|---|
committer | Brian Behlendorf <[email protected]> | 2022-02-15 16:25:07 -0800 |
commit | 739afd9475494ef8443a7f8e251bf2aaff895f35 (patch) | |
tree | b9b2dc7dbb6f8ca4cd38afbf2533cb93d340d857 /module | |
parent | 1018e81e30f030c9cf8dbc52508088ce1983e36e (diff) |
module: icp: fold away all key formats except CRYPTO_KEY_RAW
It's the only one actually used
Reviewed-by: Brian Behlendorf <[email protected]>
Signed-off-by: Ahelenia Ziemiańska <[email protected]>
Closes #12901
Diffstat (limited to 'module')
-rw-r--r-- | module/icp/api/kcf_mac.c | 3 | ||||
-rw-r--r-- | module/icp/core/kcf_prov_lib.c | 44 | ||||
-rw-r--r-- | module/icp/include/sys/crypto/impl.h | 2 | ||||
-rw-r--r-- | module/icp/io/aes.c | 30 | ||||
-rw-r--r-- | module/icp/io/sha2_mod.c | 15 | ||||
-rw-r--r-- | module/icp/io/skein_mod.c | 2 | ||||
-rw-r--r-- | module/os/freebsd/zfs/crypto_os.c | 12 | ||||
-rw-r--r-- | module/os/freebsd/zfs/hkdf.c | 2 | ||||
-rw-r--r-- | module/os/freebsd/zfs/zio_crypt.c | 7 | ||||
-rw-r--r-- | module/os/linux/zfs/zio_crypt.c | 8 | ||||
-rw-r--r-- | module/zfs/dsl_crypt.c | 1 | ||||
-rw-r--r-- | module/zfs/hkdf.c | 2 |
12 files changed, 23 insertions, 105 deletions
diff --git a/module/icp/api/kcf_mac.c b/module/icp/api/kcf_mac.c index 11102cdea..7bf0c499e 100644 --- a/module/icp/api/kcf_mac.c +++ b/module/icp/api/kcf_mac.c @@ -164,13 +164,12 @@ retry: * See comment in the beginning of the file. */ static int -crypto_mac_init_prov(crypto_provider_t provider, +crypto_mac_init_prov(kcf_provider_desc_t *pd, crypto_mechanism_t *mech, crypto_key_t *key, crypto_spi_ctx_template_t tmpl, crypto_context_t *ctxp, crypto_call_req_t *crq) { int rv; crypto_ctx_t *ctx; - kcf_provider_desc_t *pd = provider; kcf_provider_desc_t *real_provider = pd; ASSERT(KCF_PROV_REFHELD(pd)); diff --git a/module/icp/core/kcf_prov_lib.c b/module/icp/core/kcf_prov_lib.c index 6e8853c56..c65a9111a 100644 --- a/module/icp/core/kcf_prov_lib.c +++ b/module/icp/core/kcf_prov_lib.c @@ -33,14 +33,12 @@ */ /* - * Utility routine to apply the command, 'cmd', to the + * Utility routine to apply the command COPY_TO_DATA to the * data in the uio structure. */ -int -crypto_uio_data(crypto_data_t *data, uchar_t *buf, int len, cmd_type_t cmd, - void *digest_ctx, void (*update)(void)) +static int +crypto_uio_copy_to_data(crypto_data_t *data, uchar_t *buf, int len) { - (void) digest_ctx, (void) update; zfs_uio_t *uiop = data->cd_uio; off_t offset = data->cd_offset; size_t length = len; @@ -72,26 +70,8 @@ crypto_uio_data(crypto_data_t *data, uchar_t *buf, int len, cmd_type_t cmd, offset, length); datap = (uchar_t *)(zfs_uio_iovbase(uiop, vec_idx) + offset); - switch (cmd) { - case COPY_FROM_DATA: - bcopy(datap, buf, cur_len); - buf += cur_len; - break; - case COPY_TO_DATA: - bcopy(buf, datap, cur_len); - buf += cur_len; - break; - case COMPARE_TO_DATA: - if (bcmp(datap, buf, cur_len)) - return (CRYPTO_SIGNATURE_INVALID); - buf += cur_len; - break; - case MD5_DIGEST_DATA: - case SHA1_DIGEST_DATA: - case SHA2_DIGEST_DATA: - case GHASH_DATA: - return (CRYPTO_ARGUMENTS_BAD); - } + bcopy(buf, datap, cur_len); + buf += cur_len; length -= cur_len; vec_idx++; 
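Review bot: `crypto_uio_copy_to_data()` still takes `int len` and immediately widens it with `size_t length = len;`, so a negative length would become a very large copy bound for the iovec loop. Now that the function is static and its only visible caller is `crypto_put_output_data()`, this is a good place to pin the contract down, for example with `ASSERT3S(len, >=, 0);` before the assignment. The header comment also still speaks of a "command" that no longer exists; `Copy len bytes from buf into the uio in data, starting at data->cd_offset.` would describe what is left. The function body continues past this hunk.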
@@ -100,16 +80,11 @@ crypto_uio_data(crypto_data_t *data, uchar_t *buf, int len, cmd_type_t cmd, if (vec_idx == zfs_uio_iovcnt(uiop) && length > 0) { /* - * The end of the specified iovec's was reached but + * The end of the specified iovecs was reached but * the length requested could not be processed. */ - switch (cmd) { - case COPY_TO_DATA: - data->cd_length = len; - return (CRYPTO_BUFFER_TOO_SMALL); - default: - return (CRYPTO_DATA_LEN_RANGE); - } + data->cd_length = len; + return (CRYPTO_BUFFER_TOO_SMALL); } return (CRYPTO_SUCCESS); @@ -129,8 +104,7 @@ crypto_put_output_data(uchar_t *buf, crypto_data_t *output, int len) break; case CRYPTO_DATA_UIO: - return (crypto_uio_data(output, buf, len, - COPY_TO_DATA, NULL, NULL)); + return (crypto_uio_copy_to_data(output, buf, len)); default: return (CRYPTO_ARGUMENTS_BAD); } diff --git a/module/icp/include/sys/crypto/impl.h b/module/icp/include/sys/crypto/impl.h index c4b9d7dca..da00c4001 100644 --- a/module/icp/include/sys/crypto/impl.h +++ b/module/icp/include/sys/crypto/impl.h @@ -479,8 +479,6 @@ extern kcf_provider_desc_t *kcf_alloc_provider_desc(void); extern void kcf_provider_zero_refcnt(kcf_provider_desc_t *); extern void kcf_free_provider_desc(kcf_provider_desc_t *); extern void undo_register_provider(kcf_provider_desc_t *, boolean_t); -extern int crypto_uio_data(crypto_data_t *, uchar_t *, int, cmd_type_t, - void *, void (*update)(void)); extern int crypto_put_output_data(uchar_t *, crypto_data_t *, int); extern int crypto_update_iov(void *, crypto_data_t *, crypto_data_t *, int (*cipher)(void *, caddr_t, size_t, crypto_data_t *), diff --git a/module/icp/io/aes.c b/module/icp/io/aes.c index 8fd64446a..be3ced6d9 100644 --- a/module/icp/io/aes.c +++ b/module/icp/io/aes.c 
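Review bot: In the `@@ -100,16 +80,11 @@` hunk, `CRYPTO_BUFFER_TOO_SMALL` is returned only after the copy loop has, as far as the previous hunk shows, already written the leading part of `buf` into the caller's iovecs, and the comment does not say so. A caller that assumes the output is untouched on error would be wrong about its contents. A line such as `/* The output uio may already be partially written at this point. */` above the return would document that. The loop itself starts outside this hunk.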
@@ -242,24 +242,15 @@ aes_check_mech_param(crypto_mechanism_t *mechanism, aes_ctx_t **ctx, int kmflag) static int init_keysched(crypto_key_t *key, void *newbie) { - /* - * Only keys by value are supported by this module. - */ - switch (key->ck_format) { - case CRYPTO_KEY_RAW: - if (key->ck_length < AES_MINBITS || - key->ck_length > AES_MAXBITS) { - return (CRYPTO_KEY_SIZE_RANGE); - } - - /* key length must be either 128, 192, or 256 */ - if ((key->ck_length & 63) != 0) - return (CRYPTO_KEY_SIZE_RANGE); - break; - default: - return (CRYPTO_KEY_TYPE_INCONSISTENT); + if (key->ck_length < AES_MINBITS || + key->ck_length > AES_MAXBITS) { + return (CRYPTO_KEY_SIZE_RANGE); } + /* key length must be either 128, 192, or 256 */ + if ((key->ck_length & 63) != 0) + return (CRYPTO_KEY_SIZE_RANGE); + aes_init_keysched(key->ck_data, key->ck_length, newbie); return (CRYPTO_SUCCESS); } @@ -294,13 +285,6 @@ aes_common_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism, int rv; int kmflag; - /* - * Only keys by value are supported by this module. - */ - if (key->ck_format != CRYPTO_KEY_RAW) { - return (CRYPTO_KEY_TYPE_INCONSISTENT); - } - kmflag = crypto_kmflag(req); if ((rv = aes_check_mech_param(mechanism, &aes_ctx, kmflag)) != CRYPTO_SUCCESS) diff --git a/module/icp/io/sha2_mod.c b/module/icp/io/sha2_mod.c index 2ac57ebe5..d5a8d5bb7 100644 --- a/module/icp/io/sha2_mod.c +++ b/module/icp/io/sha2_mod.c @@ -737,9 +737,6 @@ sha2_mac_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism, return (CRYPTO_MECHANISM_INVALID); } - if (key->ck_format != CRYPTO_KEY_RAW) - return (CRYPTO_ARGUMENTS_BAD); - ctx->cc_provider_private = kmem_alloc(sizeof (sha2_hmac_ctx_t), crypto_kmflag(req)); if (ctx->cc_provider_private == NULL) 
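Review bot: `init_keysched()` loses the only comment that said what kind of key it accepts, and `key->ck_length` is compared with `AES_MINBITS`/`AES_MAXBITS` with nothing to remind the reader that it is a bit count. With the format switch gone, the function now trusts unconditionally that `ck_data` holds raw key bytes of that length. A short header such as `/* key->ck_data is raw key material; key->ck_length is its size in bits */` keeps that contract visible to future callers.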
@@ -971,10 +968,6 @@ sha2_mac_atomic(crypto_provider_handle_t provider, return (CRYPTO_MECHANISM_INVALID); } - /* Add support for key by attributes (RFE 4706552) */ - if (key->ck_format != CRYPTO_KEY_RAW) - return (CRYPTO_ARGUMENTS_BAD); - if (ctx_template != NULL) { /* reuse context template */ bcopy(ctx_template, &sha2_hmac_ctx, sizeof (sha2_hmac_ctx_t)); @@ -1109,10 +1102,6 @@ sha2_mac_verify_atomic(crypto_provider_handle_t provider, return (CRYPTO_MECHANISM_INVALID); } - /* Add support for key by attributes (RFE 4706552) */ - if (key->ck_format != CRYPTO_KEY_RAW) - return (CRYPTO_ARGUMENTS_BAD); - if (ctx_template != NULL) { /* reuse context template */ bcopy(ctx_template, &sha2_hmac_ctx, sizeof (sha2_hmac_ctx_t)); @@ -1287,10 +1276,6 @@ sha2_create_ctx_template(crypto_provider_handle_t provider, return (CRYPTO_MECHANISM_INVALID); } - /* Add support for key by attributes (RFE 4706552) */ - if (key->ck_format != CRYPTO_KEY_RAW) - return (CRYPTO_ARGUMENTS_BAD); - /* * Allocate and initialize SHA2 context. */ diff --git a/module/icp/io/skein_mod.c b/module/icp/io/skein_mod.c index ab233e2b4..48e4358b8 100644 --- a/module/icp/io/skein_mod.c +++ b/module/icp/io/skein_mod.c @@ -530,8 +530,6 @@ skein_mac_ctx_build(skein_ctx_t *ctx, crypto_mechanism_t *mechanism, if (!VALID_SKEIN_MAC_MECH(mechanism->cm_type)) return (CRYPTO_MECHANISM_INVALID); - if (key->ck_format != CRYPTO_KEY_RAW) - return (CRYPTO_ARGUMENTS_BAD); ctx->sc_mech_type = mechanism->cm_type; error = skein_get_digest_bitlen(mechanism, &ctx->sc_digest_bitlen); if (error != CRYPTO_SUCCESS) diff --git a/module/os/freebsd/zfs/crypto_os.c b/module/os/freebsd/zfs/crypto_os.c index f971b62bd..73083f59f 100644 --- a/module/os/freebsd/zfs/crypto_os.c +++ b/module/os/freebsd/zfs/crypto_os.c 
@@ -210,12 +210,12 @@ freebsd_crypt_uio_debug_log(boolean_t encrypt, uint8_t *p = NULL; size_t total = 0; - printf("%s(%s, %p, { %s, %d, %d, %s }, %p, { %d, %p, %u }, " + printf("%s(%s, %p, { %s, %d, %d, %s }, %p, { %p, %u }, " "%p, %u, %u)\n", __FUNCTION__, encrypt ? "encrypt" : "decrypt", input_sessionp, c_info->ci_algname, c_info->ci_crypt_type, (unsigned int)c_info->ci_keylen, c_info->ci_name, - data_uio, key->ck_format, key->ck_data, + data_uio, key->ck_data, (unsigned int)key->ck_length, ivbuf, (unsigned int)datalen, (unsigned int)auth_len); printf("\tkey = { "); @@ -247,11 +247,11 @@ freebsd_crypt_newsession(freebsd_crypt_session_t *sessp, int error = 0; #ifdef FCRYPTO_DEBUG - printf("%s(%p, { %s, %d, %d, %s }, { %d, %p, %u })\n", + printf("%s(%p, { %s, %d, %d, %s }, { %p, %u })\n", __FUNCTION__, sessp, c_info->ci_algname, c_info->ci_crypt_type, (unsigned int)c_info->ci_keylen, c_info->ci_name, - key->ck_format, key->ck_data, (unsigned int)key->ck_length); + key->ck_data, (unsigned int)key->ck_length); printf("\tkey = { "); for (int i = 0; i < key->ck_length / 8; i++) { uint8_t *b = (uint8_t *)key->ck_data; @@ -391,11 +391,11 @@ freebsd_crypt_newsession(freebsd_crypt_session_t *sessp, crypto_session_t sid; #ifdef FCRYPTO_DEBUG - printf("%s(%p, { %s, %d, %d, %s }, { %d, %p, %u })\n", + printf("%s(%p, { %s, %d, %d, %s }, { %p, %u })\n", __FUNCTION__, sessp, c_info->ci_algname, c_info->ci_crypt_type, (unsigned int)c_info->ci_keylen, c_info->ci_name, - key->ck_format, key->ck_data, (unsigned int)key->ck_length); + key->ck_data, (unsigned int)key->ck_length); printf("\tkey = { "); for (int i = 0; i < key->ck_length / 8; i++) { uint8_t *b = (uint8_t *)key->ck_data; diff --git a/module/os/freebsd/zfs/hkdf.c b/module/os/freebsd/zfs/hkdf.c index 8324ff231..ad5d67541 100644 --- a/module/os/freebsd/zfs/hkdf.c +++ b/module/os/freebsd/zfs/hkdf.c 
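Review bot: The three `FCRYPTO_DEBUG` blocks edited here (in `freebsd_crypt_uio_debug_log()` and both `freebsd_crypt_newsession()` variants) still follow the reworked `printf` with `printf("\tkey = { ");` and a loop over `key->ck_data`. Judging by the visible lines, that writes the raw key bytes to the kernel message buffer. Since the format strings are being touched anyway, consider dropping the key dump and logging only `key->ck_length`, so that a debug build cannot leave dataset keys in logs. Separately, `(unsigned int)c_info->ci_keylen` is passed to a `%d` conversion; `%u` would match the cast. The loop bodies end outside the hunks.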
@@ -29,7 +29,6 @@ hkdf_sha512_extract(uint8_t *salt, uint_t salt_len, uint8_t *key_material, crypto_key_t key; /* initialize the salt as a crypto key */ - key.ck_format = CRYPTO_KEY_RAW; key.ck_length = CRYPTO_BYTES2BITS(salt_len); key.ck_data = salt; @@ -53,7 +52,6 @@ hkdf_sha512_expand(uint8_t *extract_key, uint8_t *info, uint_t info_len, return (SET_ERROR(EINVAL)); /* initialize the salt as a crypto key */ - key.ck_format = CRYPTO_KEY_RAW; key.ck_length = CRYPTO_BYTES2BITS(SHA512_DIGEST_LENGTH); key.ck_data = extract_key; diff --git a/module/os/freebsd/zfs/zio_crypt.c b/module/os/freebsd/zfs/zio_crypt.c index fbde8063a..a50b8058a 100644 --- a/module/os/freebsd/zfs/zio_crypt.c +++ b/module/os/freebsd/zfs/zio_crypt.c @@ -270,11 +270,9 @@ zio_crypt_key_init(uint64_t crypt, zio_crypt_key_t *key) goto error; /* initialize keys for the ICP */ - key->zk_current_key.ck_format = CRYPTO_KEY_RAW; key->zk_current_key.ck_data = key->zk_current_keydata; key->zk_current_key.ck_length = CRYPTO_BYTES2BITS(keydata_len); - key->zk_hmac_key.ck_format = CRYPTO_KEY_RAW; key->zk_hmac_key.ck_data = &key->zk_hmac_key; key->zk_hmac_key.ck_length = CRYPTO_BYTES2BITS(SHA512_HMAC_KEYLEN); @@ -437,7 +435,6 @@ zio_crypt_key_wrap(crypto_key_t *cwkey, zio_crypt_key_t *key, uint8_t *iv, uint_t enc_len, keydata_len, aad_len; ASSERT3U(crypt, <, ZIO_CRYPT_FUNCTIONS); - ASSERT3U(cwkey->ck_format, ==, CRYPTO_KEY_RAW); zfs_uio_init(&cuio, &cuio_s); @@ -518,7 +515,6 @@ zio_crypt_key_unwrap(crypto_key_t *cwkey, uint64_t crypt, uint64_t version, uint_t enc_len, keydata_len, aad_len; ASSERT3U(crypt, <, ZIO_CRYPT_FUNCTIONS); - ASSERT3U(cwkey->ck_format, ==, CRYPTO_KEY_RAW); keydata_len = zio_crypt_table[crypt].ci_keylen; rw_init(&key->zk_salt_lock, NULL, RW_DEFAULT, NULL); 
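Review bot: In `zio_crypt_key_init()` the context line `key->zk_hmac_key.ck_data = &key->zk_hmac_key;` points the HMAC key at the `crypto_key_t` itself instead of at the key bytes, whereas `zio_crypt_key_unwrap()` in the same file uses `key->zk_hmac_keydata`. With `ck_length` set from `SHA512_HMAC_KEYLEN`, the MAC would be keyed from the struct's own pointer and length fields plus whatever follows them. Dropping `ck_format` presumably shrinks that struct (its definition is not on this page), so this commit changes which bytes are read. I would set `key->zk_hmac_key.ck_data = key->zk_hmac_keydata;` here and on the identical line in `module/os/linux/zfs/zio_crypt.c`. The function body starts and ends outside the hunk.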
@@ -586,11 +582,9 @@ zio_crypt_key_unwrap(crypto_key_t *cwkey, uint64_t crypt, uint64_t version, goto error; /* initialize keys for ICP */ - key->zk_current_key.ck_format = CRYPTO_KEY_RAW; key->zk_current_key.ck_data = key->zk_current_keydata; key->zk_current_key.ck_length = CRYPTO_BYTES2BITS(keydata_len); - key->zk_hmac_key.ck_format = CRYPTO_KEY_RAW; key->zk_hmac_key.ck_data = key->zk_hmac_keydata; key->zk_hmac_key.ck_length = CRYPTO_BYTES2BITS(SHA512_HMAC_KEYLEN); @@ -1727,7 +1721,6 @@ zio_do_crypt_data(boolean_t encrypt, zio_crypt_key_t *key, salt, ZIO_DATA_SALT_LEN, enc_keydata, keydata_len); if (ret != 0) goto error; - tmp_ckey.ck_format = CRYPTO_KEY_RAW; tmp_ckey.ck_data = enc_keydata; tmp_ckey.ck_length = CRYPTO_BYTES2BITS(keydata_len); diff --git a/module/os/linux/zfs/zio_crypt.c b/module/os/linux/zfs/zio_crypt.c index 224fb84ba..909246f20 100644 --- a/module/os/linux/zfs/zio_crypt.c +++ b/module/os/linux/zfs/zio_crypt.c @@ -257,11 +257,9 @@ zio_crypt_key_init(uint64_t crypt, zio_crypt_key_t *key) goto error; /* initialize keys for the ICP */ - key->zk_current_key.ck_format = CRYPTO_KEY_RAW; key->zk_current_key.ck_data = key->zk_current_keydata; key->zk_current_key.ck_length = CRYPTO_BYTES2BITS(keydata_len); - key->zk_hmac_key.ck_format = CRYPTO_KEY_RAW; key->zk_hmac_key.ck_data = &key->zk_hmac_key; key->zk_hmac_key.ck_length = CRYPTO_BYTES2BITS(SHA512_HMAC_KEYLEN); @@ -387,7 +385,6 @@ zio_do_crypt_uio(boolean_t encrypt, uint64_t crypt, crypto_key_t *key, uint_t plain_full_len, maclen; ASSERT3U(crypt, <, ZIO_CRYPT_FUNCTIONS); - ASSERT3U(key->ck_format, ==, CRYPTO_KEY_RAW); /* lookup the encryption info */ crypt_info = zio_crypt_table[crypt]; @@ -486,7 +483,6 @@ zio_crypt_key_wrap(crypto_key_t *cwkey, zio_crypt_key_t *key, uint8_t *iv, uint_t enc_len, keydata_len, aad_len; ASSERT3U(crypt, <, ZIO_CRYPT_FUNCTIONS); - ASSERT3U(cwkey->ck_format, ==, CRYPTO_KEY_RAW); keydata_len = zio_crypt_table[crypt].ci_keylen; 
@@ -557,7 +553,6 @@ zio_crypt_key_unwrap(crypto_key_t *cwkey, uint64_t crypt, uint64_t version, int ret; ASSERT3U(crypt, <, ZIO_CRYPT_FUNCTIONS); - ASSERT3U(cwkey->ck_format, ==, CRYPTO_KEY_RAW); rw_init(&key->zk_salt_lock, NULL, RW_DEFAULT, NULL); @@ -614,11 +609,9 @@ zio_crypt_key_unwrap(crypto_key_t *cwkey, uint64_t crypt, uint64_t version, goto error; /* initialize keys for ICP */ - key->zk_current_key.ck_format = CRYPTO_KEY_RAW; key->zk_current_key.ck_data = key->zk_current_keydata; key->zk_current_key.ck_length = CRYPTO_BYTES2BITS(keydata_len); - key->zk_hmac_key.ck_format = CRYPTO_KEY_RAW; key->zk_hmac_key.ck_data = key->zk_hmac_keydata; key->zk_hmac_key.ck_length = CRYPTO_BYTES2BITS(SHA512_HMAC_KEYLEN); @@ -1921,7 +1914,6 @@ zio_do_crypt_data(boolean_t encrypt, zio_crypt_key_t *key, if (ret != 0) goto error; - tmp_ckey.ck_format = CRYPTO_KEY_RAW; tmp_ckey.ck_data = enc_keydata; tmp_ckey.ck_length = CRYPTO_BYTES2BITS(keydata_len); diff --git a/module/zfs/dsl_crypt.c b/module/zfs/dsl_crypt.c index 1ea184de3..6330a44b4 100644 --- a/module/zfs/dsl_crypt.c +++ b/module/zfs/dsl_crypt.c @@ -119,7 +119,6 @@ dsl_wrapping_key_create(uint8_t *wkeydata, zfs_keyformat_t keyformat, /* allocate and initialize the underlying crypto key */ wkey->wk_key.ck_data = kmem_alloc(WRAPPING_KEY_LEN, KM_SLEEP); - wkey->wk_key.ck_format = CRYPTO_KEY_RAW; wkey->wk_key.ck_length = CRYPTO_BYTES2BITS(WRAPPING_KEY_LEN); bcopy(wkeydata, wkey->wk_key.ck_data, WRAPPING_KEY_LEN); diff --git a/module/zfs/hkdf.c b/module/zfs/hkdf.c index 49ad0a9fb..901772768 100644 --- a/module/zfs/hkdf.c +++ b/module/zfs/hkdf.c @@ -36,7 +36,6 @@ hkdf_sha512_extract(uint8_t *salt, uint_t salt_len, uint8_t *key_material, mech.cm_param_len = 0; /* initialize the salt as a crypto key */ - key.ck_format = CRYPTO_KEY_RAW; key.ck_length = CRYPTO_BYTES2BITS(salt_len); key.ck_data = salt; 
@@ -83,7 +82,6 @@ hkdf_sha512_expand(uint8_t *extract_key, uint8_t *info, uint_t info_len, mech.cm_param_len = 0; /* initialize the salt as a crypto key */ - key.ck_format = CRYPTO_KEY_RAW; key.ck_length = CRYPTO_BYTES2BITS(SHA512_DIGEST_LENGTH); key.ck_data = extract_key; |