1 /*- 2 * Copyright (c) 2005 Pawel Jakub Dawidek <pjd@FreeBSD.org> 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24 * SUCH DAMAGE. 25 */ 26 27 #include <sys/cdefs.h> 28 __FBSDID("$FreeBSD$"); 29 30 #include <sys/param.h> 31 #ifdef _KERNEL 32 #include <sys/systm.h> 33 #include <sys/kernel.h> 34 #include <sys/malloc.h> 35 #include <sys/uio.h> 36 #else 37 #include <stdint.h> 38 #include <string.h> 39 #include <strings.h> 40 #include <errno.h> 41 #include <assert.h> 42 #include <openssl/evp.h> 43 #define _OpenSSL_ 44 #endif 45 #include <geom/eli/g_eli.h> 46 47 #ifdef _KERNEL 48 MALLOC_DECLARE(M_ELI); 49 50 static int 51 g_eli_crypto_done(struct cryptop *crp) 52 { 53 54 crp->crp_opaque = (void *)crp; 55 wakeup(crp); 56 return (0); 57 } 58 59 static int 60 g_eli_crypto_cipher(u_int algo, int enc, u_char *data, size_t datasize, 61 const u_char *key, size_t keysize) 62 { 63 struct cryptoini cri; 64 struct cryptop *crp; 65 struct cryptodesc *crd; 66 struct uio *uio; 67 struct iovec *iov; 68 uint64_t sid; 69 u_char *p; 70 int error; 71 72 bzero(&cri, sizeof(cri)); 73 cri.cri_alg = algo; 74 cri.cri_key = __DECONST(void *, key); 75 cri.cri_klen = keysize; 76 error = crypto_newsession(&sid, &cri, 0); 77 if (error != 0) 78 return (error); 79 p = malloc(sizeof(*crp) + sizeof(*crd) + sizeof(*uio) + sizeof(*iov), 80 M_ELI, M_NOWAIT | M_ZERO); 81 if (p == NULL) { 82 crypto_freesession(sid); 83 return (ENOMEM); 84 } 85 crp = (struct cryptop *)p; p += sizeof(*crp); 86 crd = (struct cryptodesc *)p; p += sizeof(*crd); 87 uio = (struct uio *)p; p += sizeof(*uio); 88 iov = (struct iovec *)p; p += sizeof(*iov); 89 90 iov->iov_len = datasize; 91 iov->iov_base = data; 92 93 uio->uio_iov = iov; 94 uio->uio_iovcnt = 1; 95 uio->uio_segflg = UIO_SYSSPACE; 96 uio->uio_resid = datasize; 97 98 crd->crd_skip = 0; 99 crd->crd_len = datasize; 100 crd->crd_flags = CRD_F_IV_EXPLICIT | CRD_F_IV_PRESENT | CRD_F_KEY_EXPLICIT; 101 if (enc) 102 crd->crd_flags |= CRD_F_ENCRYPT; 103 crd->crd_alg = algo; 104 crd->crd_key = __DECONST(void *, key); 105 crd->crd_klen = keysize; 106 bzero(crd->crd_iv, sizeof(crd->crd_iv)); 107 crd->crd_next = NULL; 108 109 crp->crp_sid = sid; 110 crp->crp_ilen = datasize; 111 crp->crp_olen = datasize; 112 crp->crp_opaque = NULL; 113 crp->crp_callback = g_eli_crypto_done; 114 crp->crp_buf = (void *)uio; 115 crp->crp_flags = CRYPTO_F_IOV | CRYPTO_F_CBIFSYNC | CRYPTO_F_REL; 116 crp->crp_desc = crd; 117 118 error = crypto_dispatch(crp); 119 if (error == 0) { 120 while (crp->crp_opaque == NULL) 121 tsleep(crp, PRIBIO, "geli", hz / 5); 122 error = crp->crp_etype; 123 } 124 125 free(crp, M_ELI); 126 crypto_freesession(sid); 127 return (error); 128 } 129 #else /* !_KERNEL */ 130 static int 131 g_eli_crypto_cipher(u_int algo, int enc, u_char *data, size_t datasize, 132 const u_char *key, size_t keysize) 133 { 134 EVP_CIPHER_CTX ctx; 135 const EVP_CIPHER *type; 136 u_char iv[keysize]; 137 int outsize; 138 139 switch (algo) { 140 case CRYPTO_NULL_CBC: 141 type = EVP_enc_null(); 142 break; 143 case CRYPTO_AES_CBC: 144 switch (keysize) { 145 case 128: 146 type = EVP_aes_128_cbc(); 147 break; 148 case 192: 149 type = EVP_aes_192_cbc(); 150 break; 151 case 256: 152 type = EVP_aes_256_cbc(); 153 break; 154 default: 155 return (EINVAL); 156 } 157 break; 158 case CRYPTO_BLF_CBC: 159 type = EVP_bf_cbc(); 160 break; 161 case CRYPTO_3DES_CBC: 162 type = EVP_des_ede3_cbc(); 163 break; 164 default: 165 return (EINVAL); 166 } 167 168 EVP_CIPHER_CTX_init(&ctx); 169 170 EVP_CipherInit_ex(&ctx, type, NULL, NULL, NULL, enc); 171 EVP_CIPHER_CTX_set_key_length(&ctx, keysize / 8); 172 EVP_CIPHER_CTX_set_padding(&ctx, 0); 173 bzero(iv, sizeof(iv)); 174 EVP_CipherInit_ex(&ctx, NULL, NULL, key, iv, enc); 175 176 if (EVP_CipherUpdate(&ctx, data, &outsize, data, datasize) == 0) { 177 EVP_CIPHER_CTX_cleanup(&ctx); 178 return (EINVAL); 179 } 180 assert(outsize == (int)datasize); 181 182 if (EVP_CipherFinal_ex(&ctx, data + outsize, &outsize) == 0) { 183 EVP_CIPHER_CTX_cleanup(&ctx); 184 return (EINVAL); 185 } 186 assert(outsize == 0); 187 188 EVP_CIPHER_CTX_cleanup(&ctx); 189 return (0); 190 } 191 #endif /* !_KERNEL */ 192 193 int 194 g_eli_crypto_encrypt(u_int algo, u_char *data, size_t datasize, 195 const u_char *key, size_t keysize) 196 { 197 198 return (g_eli_crypto_cipher(algo, 1, data, datasize, key, keysize)); 199 } 200 201 int 202 g_eli_crypto_decrypt(u_int algo, u_char *data, size_t datasize, 203 const u_char *key, size_t keysize) 204 { 205 206 return (g_eli_crypto_cipher(algo, 0, data, datasize, key, keysize)); 207 } 208 209 void 210 g_eli_crypto_hmac_init(struct hmac_ctx *ctx, const uint8_t *hkey, 211 size_t hkeylen) 212 { 213 u_char k_ipad[128], key[128]; 214 SHA512_CTX lctx; 215 u_int i; 216 217 bzero(key, sizeof(key)); 218 if (hkeylen == 0) 219 ; /* do nothing */ 220 else if (hkeylen <= 128) 221 bcopy(hkey, key, hkeylen); 222 else { 223 /* If key is longer than 128 bytes reset it to key = SHA512(key). */ 224 SHA512_Init(&lctx); 225 SHA512_Update(&lctx, hkey, hkeylen); 226 SHA512_Final(key, &lctx); 227 } 228 229 /* XOR key with ipad and opad values. */ 230 for (i = 0; i < sizeof(key); i++) { 231 k_ipad[i] = key[i] ^ 0x36; 232 ctx->k_opad[i] = key[i] ^ 0x5c; 233 } 234 bzero(key, sizeof(key)); 235 /* Perform inner SHA512. */ 236 SHA512_Init(&ctx->shactx); 237 SHA512_Update(&ctx->shactx, k_ipad, sizeof(k_ipad)); 238 } 239 240 void 241 g_eli_crypto_hmac_update(struct hmac_ctx *ctx, const uint8_t *data, 242 size_t datasize) 243 { 244 245 SHA512_Update(&ctx->shactx, data, datasize); 246 } 247 248 void 249 g_eli_crypto_hmac_final(struct hmac_ctx *ctx, uint8_t *md, size_t mdsize) 250 { 251 u_char digest[SHA512_MDLEN]; 252 SHA512_CTX lctx; 253 254 SHA512_Final(digest, &ctx->shactx); 255 /* Perform outer SHA512. */ 256 SHA512_Init(&lctx); 257 SHA512_Update(&lctx, ctx->k_opad, sizeof(ctx->k_opad)); 258 bzero(ctx, sizeof(*ctx)); 259 SHA512_Update(&lctx, digest, sizeof(digest)); 260 SHA512_Final(digest, &lctx); 261 /* mdsize == 0 means "Give me the whole hash!" */ 262 if (mdsize == 0) 263 mdsize = SHA512_MDLEN; 264 bcopy(digest, md, mdsize); 265 } 266 267 void 268 g_eli_crypto_hmac(const uint8_t *hkey, size_t hkeysize, const uint8_t *data, 269 size_t datasize, uint8_t *md, size_t mdsize) 270 { 271 struct hmac_ctx ctx; 272 273 g_eli_crypto_hmac_init(&ctx, hkey, hkeysize); 274 g_eli_crypto_hmac_update(&ctx, data, datasize); 275 g_eli_crypto_hmac_final(&ctx, md, mdsize); 276 } 277