xref: /freebsd/sys/geom/eli/g_eli_crypto.c (revision 4232f826683298e85d469c0ef17259cecd13b2c7)
1 /*-
2  * Copyright (c) 2005-2010 Pawel Jakub Dawidek <pjd@FreeBSD.org>
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  *
14  * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
15  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
18  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24  * SUCH DAMAGE.
25  */
26 
27 #include <sys/cdefs.h>
28 __FBSDID("$FreeBSD$");
29 
30 #include <sys/param.h>
31 #ifdef _KERNEL
32 #include <sys/systm.h>
33 #include <sys/kernel.h>
34 #include <sys/malloc.h>
35 #else
36 #include <stdint.h>
37 #include <string.h>
38 #include <strings.h>
39 #include <errno.h>
40 #include <assert.h>
41 #include <openssl/evp.h>
42 #define	_OpenSSL_
43 #endif
44 #include <geom/eli/g_eli.h>
45 
46 #ifdef _KERNEL
47 MALLOC_DECLARE(M_ELI);
48 
49 static int
50 g_eli_crypto_done(struct cryptop *crp)
51 {
52 
53 	crp->crp_opaque = (void *)crp;
54 	wakeup(crp);
55 	return (0);
56 }
57 
58 static int
59 g_eli_crypto_cipher(u_int algo, int enc, u_char *data, size_t datasize,
60     const u_char *key, size_t keysize)
61 {
62 	struct cryptoini cri;
63 	struct cryptop *crp;
64 	struct cryptodesc *crd;
65 	uint64_t sid;
66 	u_char *p;
67 	int error;
68 
69 	KASSERT(algo != CRYPTO_AES_XTS,
70 	    ("%s: CRYPTO_AES_XTS unexpected here", __func__));
71 
72 	bzero(&cri, sizeof(cri));
73 	cri.cri_alg = algo;
74 	cri.cri_key = __DECONST(void *, key);
75 	cri.cri_klen = keysize;
76 	error = crypto_newsession(&sid, &cri, CRYPTOCAP_F_SOFTWARE);
77 	if (error != 0)
78 		return (error);
79 	p = malloc(sizeof(*crp) + sizeof(*crd), M_ELI, M_NOWAIT | M_ZERO);
80 	if (p == NULL) {
81 		crypto_freesession(sid);
82 		return (ENOMEM);
83 	}
84 	crp = (struct cryptop *)p;	p += sizeof(*crp);
85 	crd = (struct cryptodesc *)p;	p += sizeof(*crd);
86 
87 	crd->crd_skip = 0;
88 	crd->crd_len = datasize;
89 	crd->crd_flags = CRD_F_IV_EXPLICIT | CRD_F_IV_PRESENT;
90 	if (enc)
91 		crd->crd_flags |= CRD_F_ENCRYPT;
92 	crd->crd_alg = algo;
93 	crd->crd_key = __DECONST(void *, key);
94 	crd->crd_klen = keysize;
95 	bzero(crd->crd_iv, sizeof(crd->crd_iv));
96 	crd->crd_next = NULL;
97 
98 	crp->crp_sid = sid;
99 	crp->crp_ilen = datasize;
100 	crp->crp_olen = datasize;
101 	crp->crp_opaque = NULL;
102 	crp->crp_callback = g_eli_crypto_done;
103 	crp->crp_buf = (void *)data;
104 	crp->crp_flags = CRYPTO_F_CBIFSYNC;
105 	crp->crp_desc = crd;
106 
107 	error = crypto_dispatch(crp);
108 	if (error == 0) {
109 		while (crp->crp_opaque == NULL)
110 			tsleep(crp, PRIBIO, "geli", hz / 5);
111 		error = crp->crp_etype;
112 	}
113 
114 	free(crp, M_ELI);
115 	crypto_freesession(sid);
116 	return (error);
117 }
118 #else	/* !_KERNEL */
119 static int
120 g_eli_crypto_cipher(u_int algo, int enc, u_char *data, size_t datasize,
121     const u_char *key, size_t keysize)
122 {
123 	EVP_CIPHER_CTX ctx;
124 	const EVP_CIPHER *type;
125 	u_char iv[keysize];
126 	int outsize;
127 
128 	assert(algo != CRYPTO_AES_XTS);
129 
130 	switch (algo) {
131 	case CRYPTO_NULL_CBC:
132 		type = EVP_enc_null();
133 		break;
134 	case CRYPTO_AES_CBC:
135 		switch (keysize) {
136 		case 128:
137 			type = EVP_aes_128_cbc();
138 			break;
139 		case 192:
140 			type = EVP_aes_192_cbc();
141 			break;
142 		case 256:
143 			type = EVP_aes_256_cbc();
144 			break;
145 		default:
146 			return (EINVAL);
147 		}
148 		break;
149 	case CRYPTO_BLF_CBC:
150 		type = EVP_bf_cbc();
151 		break;
152 #ifndef OPENSSL_NO_CAMELLIA
153 	case CRYPTO_CAMELLIA_CBC:
154 		switch (keysize) {
155 		case 128:
156 			type = EVP_camellia_128_cbc();
157 			break;
158 		case 192:
159 			type = EVP_camellia_192_cbc();
160 			break;
161 		case 256:
162 			type = EVP_camellia_256_cbc();
163 			break;
164 		default:
165 			return (EINVAL);
166 		}
167 		break;
168 #endif
169 	case CRYPTO_3DES_CBC:
170 		type = EVP_des_ede3_cbc();
171 		break;
172 	default:
173 		return (EINVAL);
174 	}
175 
176 	EVP_CIPHER_CTX_init(&ctx);
177 
178 	EVP_CipherInit_ex(&ctx, type, NULL, NULL, NULL, enc);
179 	EVP_CIPHER_CTX_set_key_length(&ctx, keysize / 8);
180 	EVP_CIPHER_CTX_set_padding(&ctx, 0);
181 	bzero(iv, sizeof(iv));
182 	EVP_CipherInit_ex(&ctx, NULL, NULL, key, iv, enc);
183 
184 	if (EVP_CipherUpdate(&ctx, data, &outsize, data, datasize) == 0) {
185 		EVP_CIPHER_CTX_cleanup(&ctx);
186 		return (EINVAL);
187 	}
188 	assert(outsize == (int)datasize);
189 
190 	if (EVP_CipherFinal_ex(&ctx, data + outsize, &outsize) == 0) {
191 		EVP_CIPHER_CTX_cleanup(&ctx);
192 		return (EINVAL);
193 	}
194 	assert(outsize == 0);
195 
196 	EVP_CIPHER_CTX_cleanup(&ctx);
197 	return (0);
198 }
199 #endif	/* !_KERNEL */
200 
201 int
202 g_eli_crypto_encrypt(u_int algo, u_char *data, size_t datasize,
203     const u_char *key, size_t keysize)
204 {
205 
206 	/* We prefer AES-CBC for metadata protection. */
207 	if (algo == CRYPTO_AES_XTS)
208 		algo = CRYPTO_AES_CBC;
209 
210 	return (g_eli_crypto_cipher(algo, 1, data, datasize, key, keysize));
211 }
212 
213 int
214 g_eli_crypto_decrypt(u_int algo, u_char *data, size_t datasize,
215     const u_char *key, size_t keysize)
216 {
217 
218 	/* We prefer AES-CBC for metadata protection. */
219 	if (algo == CRYPTO_AES_XTS)
220 		algo = CRYPTO_AES_CBC;
221 
222 	return (g_eli_crypto_cipher(algo, 0, data, datasize, key, keysize));
223 }
224 
225 void
226 g_eli_crypto_hmac_init(struct hmac_ctx *ctx, const uint8_t *hkey,
227     size_t hkeylen)
228 {
229 	u_char k_ipad[128], key[128];
230 	SHA512_CTX lctx;
231 	u_int i;
232 
233 	bzero(key, sizeof(key));
234 	if (hkeylen == 0)
235 		; /* do nothing */
236 	else if (hkeylen <= 128)
237 		bcopy(hkey, key, hkeylen);
238 	else {
239 		/* If key is longer than 128 bytes reset it to key = SHA512(key). */
240 		SHA512_Init(&lctx);
241 		SHA512_Update(&lctx, hkey, hkeylen);
242 		SHA512_Final(key, &lctx);
243 	}
244 
245 	/* XOR key with ipad and opad values. */
246 	for (i = 0; i < sizeof(key); i++) {
247 		k_ipad[i] = key[i] ^ 0x36;
248 		ctx->k_opad[i] = key[i] ^ 0x5c;
249 	}
250 	bzero(key, sizeof(key));
251 	/* Perform inner SHA512. */
252 	SHA512_Init(&ctx->shactx);
253 	SHA512_Update(&ctx->shactx, k_ipad, sizeof(k_ipad));
254 	bzero(k_ipad, sizeof(k_ipad));
255 }
256 
257 void
258 g_eli_crypto_hmac_update(struct hmac_ctx *ctx, const uint8_t *data,
259     size_t datasize)
260 {
261 
262 	SHA512_Update(&ctx->shactx, data, datasize);
263 }
264 
265 void
266 g_eli_crypto_hmac_final(struct hmac_ctx *ctx, uint8_t *md, size_t mdsize)
267 {
268 	u_char digest[SHA512_MDLEN];
269 	SHA512_CTX lctx;
270 
271 	SHA512_Final(digest, &ctx->shactx);
272 	/* Perform outer SHA512. */
273 	SHA512_Init(&lctx);
274 	SHA512_Update(&lctx, ctx->k_opad, sizeof(ctx->k_opad));
275 	bzero(ctx, sizeof(*ctx));
276 	SHA512_Update(&lctx, digest, sizeof(digest));
277 	SHA512_Final(digest, &lctx);
278 	bzero(&lctx, sizeof(lctx));
279 	/* mdsize == 0 means "Give me the whole hash!" */
280 	if (mdsize == 0)
281 		mdsize = SHA512_MDLEN;
282 	bcopy(digest, md, mdsize);
283 	bzero(digest, sizeof(digest));
284 }
285 
286 void
287 g_eli_crypto_hmac(const uint8_t *hkey, size_t hkeysize, const uint8_t *data,
288     size_t datasize, uint8_t *md, size_t mdsize)
289 {
290 	struct hmac_ctx ctx;
291 
292 	g_eli_crypto_hmac_init(&ctx, hkey, hkeysize);
293 	g_eli_crypto_hmac_update(&ctx, data, datasize);
294 	g_eli_crypto_hmac_final(&ctx, md, mdsize);
295 }
296