xref: /freebsd/sys/geom/eli/g_eli_crypto.c (revision 3642298923e528d795e3a30ec165d2b469e28b40)
1 /*-
2  * Copyright (c) 2005 Pawel Jakub Dawidek <pjd@FreeBSD.org>
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  *
14  * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
15  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
18  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24  * SUCH DAMAGE.
25  */
26 
27 #include <sys/cdefs.h>
28 __FBSDID("$FreeBSD$");
29 
30 #include <sys/param.h>
31 #ifdef _KERNEL
32 #include <sys/systm.h>
33 #include <sys/kernel.h>
34 #include <sys/malloc.h>
35 #include <sys/uio.h>
36 #else
37 #include <stdint.h>
38 #include <string.h>
39 #include <strings.h>
40 #include <errno.h>
41 #include <assert.h>
42 #include <openssl/evp.h>
43 #define	_OpenSSL_
44 #endif
45 #include <geom/eli/g_eli.h>
46 
47 #ifdef _KERNEL
48 MALLOC_DECLARE(M_ELI);
49 
50 static int
51 g_eli_crypto_done(struct cryptop *crp)
52 {
53 
54 	crp->crp_opaque = (void *)crp;
55 	wakeup(crp);
56 	return (0);
57 }
58 
59 static int
60 g_eli_crypto_cipher(u_int algo, int enc, u_char *data, size_t datasize,
61     const u_char *key, size_t keysize)
62 {
63 	struct cryptoini cri;
64 	struct cryptop *crp;
65 	struct cryptodesc *crd;
66 	struct uio *uio;
67 	struct iovec *iov;
68 	uint64_t sid;
69 	u_char *p;
70 	int error;
71 
72 	bzero(&cri, sizeof(cri));
73 	cri.cri_alg = algo;
74 	cri.cri_key = __DECONST(void *, key);
75 	cri.cri_klen = keysize;
76 	error = crypto_newsession(&sid, &cri, 0);
77 	if (error != 0)
78 		return (error);
79 	p = malloc(sizeof(*crp) + sizeof(*crd) + sizeof(*uio) + sizeof(*iov),
80 	    M_ELI, M_NOWAIT | M_ZERO);
81 	if (p == NULL) {
82 		crypto_freesession(sid);
83 		return (ENOMEM);
84 	}
85 	crp = (struct cryptop *)p;	p += sizeof(*crp);
86 	crd = (struct cryptodesc *)p;	p += sizeof(*crd);
87 	uio = (struct uio *)p;		p += sizeof(*uio);
88 	iov = (struct iovec *)p;	p += sizeof(*iov);
89 
90 	iov->iov_len = datasize;
91 	iov->iov_base = data;
92 
93 	uio->uio_iov = iov;
94 	uio->uio_iovcnt = 1;
95 	uio->uio_segflg = UIO_SYSSPACE;
96 	uio->uio_resid = datasize;
97 
98 	crd->crd_skip = 0;
99 	crd->crd_len = datasize;
100 	crd->crd_flags = CRD_F_IV_EXPLICIT | CRD_F_IV_PRESENT | CRD_F_KEY_EXPLICIT;
101 	if (enc)
102 		crd->crd_flags |= CRD_F_ENCRYPT;
103 	crd->crd_alg = algo;
104 	crd->crd_key = __DECONST(void *, key);
105 	crd->crd_klen = keysize;
106 	bzero(crd->crd_iv, sizeof(crd->crd_iv));
107 	crd->crd_next = NULL;
108 
109 	crp->crp_sid = sid;
110 	crp->crp_ilen = datasize;
111 	crp->crp_olen = datasize;
112 	crp->crp_opaque = NULL;
113 	crp->crp_callback = g_eli_crypto_done;
114 	crp->crp_buf = (void *)uio;
115 	crp->crp_flags = CRYPTO_F_IOV | CRYPTO_F_CBIFSYNC | CRYPTO_F_REL;
116 	crp->crp_desc = crd;
117 
118 	error = crypto_dispatch(crp);
119 	if (error == 0) {
120 		while (crp->crp_opaque == NULL)
121 			tsleep(crp, PRIBIO, "geli", hz / 5);
122 		error = crp->crp_etype;
123 	}
124 
125 	free(crp, M_ELI);
126 	crypto_freesession(sid);
127 	return (error);
128 }
129 #else	/* !_KERNEL */
130 static int
131 g_eli_crypto_cipher(u_int algo, int enc, u_char *data, size_t datasize,
132     const u_char *key, size_t keysize)
133 {
134 	EVP_CIPHER_CTX ctx;
135 	const EVP_CIPHER *type;
136 	u_char iv[keysize];
137 	int outsize;
138 
139 	switch (algo) {
140 	case CRYPTO_NULL_CBC:
141 		type = EVP_enc_null();
142 		break;
143 	case CRYPTO_AES_CBC:
144 		switch (keysize) {
145 		case 128:
146 			type = EVP_aes_128_cbc();
147 			break;
148 		case 192:
149 			type = EVP_aes_192_cbc();
150 			break;
151 		case 256:
152 			type = EVP_aes_256_cbc();
153 			break;
154 		default:
155 			return (EINVAL);
156 		}
157 		break;
158 	case CRYPTO_BLF_CBC:
159 		type = EVP_bf_cbc();
160 		break;
161 	case CRYPTO_3DES_CBC:
162 		type = EVP_des_ede3_cbc();
163 		break;
164 	default:
165 		return (EINVAL);
166 	}
167 
168 	EVP_CIPHER_CTX_init(&ctx);
169 
170 	EVP_CipherInit_ex(&ctx, type, NULL, NULL, NULL, enc);
171 	EVP_CIPHER_CTX_set_key_length(&ctx, keysize / 8);
172 	EVP_CIPHER_CTX_set_padding(&ctx, 0);
173 	bzero(iv, sizeof(iv));
174 	EVP_CipherInit_ex(&ctx, NULL, NULL, key, iv, enc);
175 
176 	if (EVP_CipherUpdate(&ctx, data, &outsize, data, datasize) == 0) {
177 		EVP_CIPHER_CTX_cleanup(&ctx);
178 		return (EINVAL);
179 	}
180 	assert(outsize == (int)datasize);
181 
182 	if (EVP_CipherFinal_ex(&ctx, data + outsize, &outsize) == 0) {
183 		EVP_CIPHER_CTX_cleanup(&ctx);
184 		return (EINVAL);
185 	}
186 	assert(outsize == 0);
187 
188 	EVP_CIPHER_CTX_cleanup(&ctx);
189 	return (0);
190 }
191 #endif	/* !_KERNEL */
192 
193 int
194 g_eli_crypto_encrypt(u_int algo, u_char *data, size_t datasize,
195     const u_char *key, size_t keysize)
196 {
197 
198 	return (g_eli_crypto_cipher(algo, 1, data, datasize, key, keysize));
199 }
200 
201 int
202 g_eli_crypto_decrypt(u_int algo, u_char *data, size_t datasize,
203     const u_char *key, size_t keysize)
204 {
205 
206 	return (g_eli_crypto_cipher(algo, 0, data, datasize, key, keysize));
207 }
208 
209 void
210 g_eli_crypto_hmac_init(struct hmac_ctx *ctx, const uint8_t *hkey,
211     size_t hkeylen)
212 {
213 	u_char k_ipad[128], key[128];
214 	SHA512_CTX lctx;
215 	u_int i;
216 
217 	bzero(key, sizeof(key));
218 	if (hkeylen == 0)
219 		; /* do nothing */
220 	else if (hkeylen <= 128)
221 		bcopy(hkey, key, hkeylen);
222 	else {
223 		/* If key is longer than 128 bytes reset it to key = SHA512(key). */
224 		SHA512_Init(&lctx);
225 		SHA512_Update(&lctx, hkey, hkeylen);
226 		SHA512_Final(key, &lctx);
227 	}
228 
229 	/* XOR key with ipad and opad values. */
230 	for (i = 0; i < sizeof(key); i++) {
231 		k_ipad[i] = key[i] ^ 0x36;
232 		ctx->k_opad[i] = key[i] ^ 0x5c;
233 	}
234 	bzero(key, sizeof(key));
235 	/* Perform inner SHA512. */
236 	SHA512_Init(&ctx->shactx);
237 	SHA512_Update(&ctx->shactx, k_ipad, sizeof(k_ipad));
238 }
239 
240 void
241 g_eli_crypto_hmac_update(struct hmac_ctx *ctx, const uint8_t *data,
242     size_t datasize)
243 {
244 
245 	SHA512_Update(&ctx->shactx, data, datasize);
246 }
247 
248 void
249 g_eli_crypto_hmac_final(struct hmac_ctx *ctx, uint8_t *md, size_t mdsize)
250 {
251 	u_char digest[SHA512_MDLEN];
252 	SHA512_CTX lctx;
253 
254 	SHA512_Final(digest, &ctx->shactx);
255 	/* Perform outer SHA512. */
256 	SHA512_Init(&lctx);
257 	SHA512_Update(&lctx, ctx->k_opad, sizeof(ctx->k_opad));
258 	bzero(ctx, sizeof(*ctx));
259 	SHA512_Update(&lctx, digest, sizeof(digest));
260 	SHA512_Final(digest, &lctx);
261 	/* mdsize == 0 means "Give me the whole hash!" */
262 	if (mdsize == 0)
263 		mdsize = SHA512_MDLEN;
264 	bcopy(digest, md, mdsize);
265 }
266 
267 void
268 g_eli_crypto_hmac(const uint8_t *hkey, size_t hkeysize, const uint8_t *data,
269     size_t datasize, uint8_t *md, size_t mdsize)
270 {
271 	struct hmac_ctx ctx;
272 
273 	g_eli_crypto_hmac_init(&ctx, hkey, hkeysize);
274 	g_eli_crypto_hmac_update(&ctx, data, datasize);
275 	g_eli_crypto_hmac_final(&ctx, md, mdsize);
276 }
277