1 /*- 2 * Copyright (c) 2005 Pawel Jakub Dawidek <pjd@FreeBSD.org> 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24 * SUCH DAMAGE. 25 */ 26 27 #include <sys/cdefs.h> 28 __FBSDID("$FreeBSD$"); 29 30 #include <sys/param.h> 31 #ifdef _KERNEL 32 #include <sys/systm.h> 33 #include <sys/kernel.h> 34 #include <sys/malloc.h> 35 #include <sys/uio.h> 36 #else 37 #include <stdint.h> 38 #include <string.h> 39 #include <strings.h> 40 #include <errno.h> 41 #include <assert.h> 42 #include <openssl/evp.h> 43 #define _OpenSSL_ 44 #endif 45 #include <geom/eli/g_eli.h> 46 47 #ifdef _KERNEL 48 MALLOC_DECLARE(M_ELI); 49 50 static int 51 g_eli_crypto_done(struct cryptop *crp) 52 { 53 54 crp->crp_opaque = (void *)crp; 55 wakeup(crp); 56 return (0); 57 } 58 59 static int 60 g_eli_crypto_cipher(u_int algo, int enc, u_char *data, size_t datasize, 61 const u_char *key, size_t keysize) 62 { 63 struct cryptoini cri; 64 struct cryptop *crp; 65 struct cryptodesc *crd; 66 struct uio *uio; 67 struct iovec *iov; 68 uint64_t sid; 69 u_char *p; 70 int error; 71 72 bzero(&cri, sizeof(cri)); 73 cri.cri_alg = algo; 74 cri.cri_key = __DECONST(void *, key); 75 cri.cri_klen = keysize; 76 error = crypto_newsession(&sid, &cri, CRYPTOCAP_F_SOFTWARE); 77 if (error != 0) 78 return (error); 79 p = malloc(sizeof(*crp) + sizeof(*crd) + sizeof(*uio) + sizeof(*iov), 80 M_ELI, M_NOWAIT | M_ZERO); 81 if (p == NULL) { 82 crypto_freesession(sid); 83 return (ENOMEM); 84 } 85 crp = (struct cryptop *)p; p += sizeof(*crp); 86 crd = (struct cryptodesc *)p; p += sizeof(*crd); 87 uio = (struct uio *)p; p += sizeof(*uio); 88 iov = (struct iovec *)p; p += sizeof(*iov); 89 90 iov->iov_len = datasize; 91 iov->iov_base = data; 92 93 uio->uio_iov = iov; 94 uio->uio_iovcnt = 1; 95 uio->uio_segflg = UIO_SYSSPACE; 96 uio->uio_resid = datasize; 97 98 crd->crd_skip = 0; 99 crd->crd_len = datasize; 100 crd->crd_flags = CRD_F_IV_EXPLICIT | CRD_F_IV_PRESENT; 101 if (enc) 102 crd->crd_flags |= CRD_F_ENCRYPT; 103 crd->crd_alg = algo; 104 crd->crd_key = __DECONST(void *, key); 105 crd->crd_klen = keysize; 106 bzero(crd->crd_iv, sizeof(crd->crd_iv)); 107 crd->crd_next = NULL; 108 109 crp->crp_sid = sid; 110 crp->crp_ilen = datasize; 111 crp->crp_olen = datasize; 112 crp->crp_opaque = NULL; 113 crp->crp_callback = g_eli_crypto_done; 114 crp->crp_buf = (void *)uio; 115 crp->crp_flags = CRYPTO_F_IOV | CRYPTO_F_CBIFSYNC | CRYPTO_F_REL; 116 crp->crp_desc = crd; 117 118 error = crypto_dispatch(crp); 119 if (error == 0) { 120 while (crp->crp_opaque == NULL) 121 tsleep(crp, PRIBIO, "geli", hz / 5); 122 error = crp->crp_etype; 123 } 124 125 free(crp, M_ELI); 126 crypto_freesession(sid); 127 return (error); 128 } 129 #else /* !_KERNEL */ 130 static int 131 g_eli_crypto_cipher(u_int algo, int enc, u_char *data, size_t datasize, 132 const u_char *key, size_t keysize) 133 { 134 EVP_CIPHER_CTX ctx; 135 const EVP_CIPHER *type; 136 u_char iv[keysize]; 137 int outsize; 138 139 switch (algo) { 140 case CRYPTO_NULL_CBC: 141 type = EVP_enc_null(); 142 break; 143 case CRYPTO_AES_CBC: 144 switch (keysize) { 145 case 128: 146 type = EVP_aes_128_cbc(); 147 break; 148 case 192: 149 type = EVP_aes_192_cbc(); 150 break; 151 case 256: 152 type = EVP_aes_256_cbc(); 153 break; 154 default: 155 return (EINVAL); 156 } 157 break; 158 case CRYPTO_BLF_CBC: 159 type = EVP_bf_cbc(); 160 break; 161 #ifndef OPENSSL_NO_CAMELLIA 162 case CRYPTO_CAMELLIA_CBC: 163 switch (keysize) { 164 case 128: 165 type = EVP_camellia_128_cbc(); 166 break; 167 case 192: 168 type = EVP_camellia_192_cbc(); 169 break; 170 case 256: 171 type = EVP_camellia_256_cbc(); 172 break; 173 default: 174 return (EINVAL); 175 } 176 break; 177 #endif 178 case CRYPTO_3DES_CBC: 179 type = EVP_des_ede3_cbc(); 180 break; 181 default: 182 return (EINVAL); 183 } 184 185 EVP_CIPHER_CTX_init(&ctx); 186 187 EVP_CipherInit_ex(&ctx, type, NULL, NULL, NULL, enc); 188 EVP_CIPHER_CTX_set_key_length(&ctx, keysize / 8); 189 EVP_CIPHER_CTX_set_padding(&ctx, 0); 190 bzero(iv, sizeof(iv)); 191 EVP_CipherInit_ex(&ctx, NULL, NULL, key, iv, enc); 192 193 if (EVP_CipherUpdate(&ctx, data, &outsize, data, datasize) == 0) { 194 EVP_CIPHER_CTX_cleanup(&ctx); 195 return (EINVAL); 196 } 197 assert(outsize == (int)datasize); 198 199 if (EVP_CipherFinal_ex(&ctx, data + outsize, &outsize) == 0) { 200 EVP_CIPHER_CTX_cleanup(&ctx); 201 return (EINVAL); 202 } 203 assert(outsize == 0); 204 205 EVP_CIPHER_CTX_cleanup(&ctx); 206 return (0); 207 } 208 #endif /* !_KERNEL */ 209 210 int 211 g_eli_crypto_encrypt(u_int algo, u_char *data, size_t datasize, 212 const u_char *key, size_t keysize) 213 { 214 215 return (g_eli_crypto_cipher(algo, 1, data, datasize, key, keysize)); 216 } 217 218 int 219 g_eli_crypto_decrypt(u_int algo, u_char *data, size_t datasize, 220 const u_char *key, size_t keysize) 221 { 222 223 return (g_eli_crypto_cipher(algo, 0, data, datasize, key, keysize)); 224 } 225 226 void 227 g_eli_crypto_hmac_init(struct hmac_ctx *ctx, const uint8_t *hkey, 228 size_t hkeylen) 229 { 230 u_char k_ipad[128], key[128]; 231 SHA512_CTX lctx; 232 u_int i; 233 234 bzero(key, sizeof(key)); 235 if (hkeylen == 0) 236 ; /* do nothing */ 237 else if (hkeylen <= 128) 238 bcopy(hkey, key, hkeylen); 239 else { 240 /* If key is longer than 128 bytes reset it to key = SHA512(key). */ 241 SHA512_Init(&lctx); 242 SHA512_Update(&lctx, hkey, hkeylen); 243 SHA512_Final(key, &lctx); 244 } 245 246 /* XOR key with ipad and opad values. */ 247 for (i = 0; i < sizeof(key); i++) { 248 k_ipad[i] = key[i] ^ 0x36; 249 ctx->k_opad[i] = key[i] ^ 0x5c; 250 } 251 bzero(key, sizeof(key)); 252 /* Perform inner SHA512. */ 253 SHA512_Init(&ctx->shactx); 254 SHA512_Update(&ctx->shactx, k_ipad, sizeof(k_ipad)); 255 } 256 257 void 258 g_eli_crypto_hmac_update(struct hmac_ctx *ctx, const uint8_t *data, 259 size_t datasize) 260 { 261 262 SHA512_Update(&ctx->shactx, data, datasize); 263 } 264 265 void 266 g_eli_crypto_hmac_final(struct hmac_ctx *ctx, uint8_t *md, size_t mdsize) 267 { 268 u_char digest[SHA512_MDLEN]; 269 SHA512_CTX lctx; 270 271 SHA512_Final(digest, &ctx->shactx); 272 /* Perform outer SHA512. */ 273 SHA512_Init(&lctx); 274 SHA512_Update(&lctx, ctx->k_opad, sizeof(ctx->k_opad)); 275 bzero(ctx, sizeof(*ctx)); 276 SHA512_Update(&lctx, digest, sizeof(digest)); 277 SHA512_Final(digest, &lctx); 278 /* mdsize == 0 means "Give me the whole hash!" */ 279 if (mdsize == 0) 280 mdsize = SHA512_MDLEN; 281 bcopy(digest, md, mdsize); 282 } 283 284 void 285 g_eli_crypto_hmac(const uint8_t *hkey, size_t hkeysize, const uint8_t *data, 286 size_t datasize, uint8_t *md, size_t mdsize) 287 { 288 struct hmac_ctx ctx; 289 290 g_eli_crypto_hmac_init(&ctx, hkey, hkeysize); 291 g_eli_crypto_hmac_update(&ctx, data, datasize); 292 g_eli_crypto_hmac_final(&ctx, md, mdsize); 293 } 294