1 /*- 2 * Copyright (c) 2005-2010 Pawel Jakub Dawidek <pjd@FreeBSD.org> 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24 * SUCH DAMAGE. 25 */ 26 27 #include <sys/cdefs.h> 28 __FBSDID("$FreeBSD$"); 29 30 #include <sys/param.h> 31 #ifdef _KERNEL 32 #include <sys/systm.h> 33 #include <sys/kernel.h> 34 #include <sys/malloc.h> 35 #include <sys/uio.h> 36 #else 37 #include <stdint.h> 38 #include <string.h> 39 #include <strings.h> 40 #include <errno.h> 41 #include <assert.h> 42 #include <openssl/evp.h> 43 #define _OpenSSL_ 44 #endif 45 #include <geom/eli/g_eli.h> 46 47 #ifdef _KERNEL 48 MALLOC_DECLARE(M_ELI); 49 50 static int 51 g_eli_crypto_done(struct cryptop *crp) 52 { 53 54 crp->crp_opaque = (void *)crp; 55 wakeup(crp); 56 return (0); 57 } 58 59 static int 60 g_eli_crypto_cipher(u_int algo, int enc, u_char *data, size_t datasize, 61 const u_char *key, size_t keysize) 62 { 63 struct cryptoini cri; 64 struct cryptop *crp; 65 struct cryptodesc *crd; 66 struct uio *uio; 67 struct iovec *iov; 68 uint64_t sid; 69 u_char *p; 70 int error; 71 72 KASSERT(algo != CRYPTO_AES_XTS, 73 ("%s: CRYPTO_AES_XTS unexpected here", __func__)); 74 75 bzero(&cri, sizeof(cri)); 76 cri.cri_alg = algo; 77 cri.cri_key = __DECONST(void *, key); 78 cri.cri_klen = keysize; 79 error = crypto_newsession(&sid, &cri, CRYPTOCAP_F_SOFTWARE); 80 if (error != 0) 81 return (error); 82 p = malloc(sizeof(*crp) + sizeof(*crd) + sizeof(*uio) + sizeof(*iov), 83 M_ELI, M_NOWAIT | M_ZERO); 84 if (p == NULL) { 85 crypto_freesession(sid); 86 return (ENOMEM); 87 } 88 crp = (struct cryptop *)p; p += sizeof(*crp); 89 crd = (struct cryptodesc *)p; p += sizeof(*crd); 90 uio = (struct uio *)p; p += sizeof(*uio); 91 iov = (struct iovec *)p; p += sizeof(*iov); 92 93 iov->iov_len = datasize; 94 iov->iov_base = data; 95 96 uio->uio_iov = iov; 97 uio->uio_iovcnt = 1; 98 uio->uio_segflg = UIO_SYSSPACE; 99 uio->uio_resid = datasize; 100 101 crd->crd_skip = 0; 102 crd->crd_len = datasize; 103 crd->crd_flags = CRD_F_IV_EXPLICIT | CRD_F_IV_PRESENT; 104 if (enc) 105 crd->crd_flags |= CRD_F_ENCRYPT; 106 crd->crd_alg = algo; 107 crd->crd_key = __DECONST(void *, key); 108 crd->crd_klen = keysize; 109 bzero(crd->crd_iv, sizeof(crd->crd_iv)); 110 crd->crd_next = NULL; 111 112 crp->crp_sid = sid; 113 crp->crp_ilen = datasize; 114 crp->crp_olen = datasize; 115 crp->crp_opaque = NULL; 116 crp->crp_callback = g_eli_crypto_done; 117 crp->crp_buf = (void *)uio; 118 crp->crp_flags = CRYPTO_F_IOV | CRYPTO_F_CBIFSYNC | CRYPTO_F_REL; 119 crp->crp_desc = crd; 120 121 error = crypto_dispatch(crp); 122 if (error == 0) { 123 while (crp->crp_opaque == NULL) 124 tsleep(crp, PRIBIO, "geli", hz / 5); 125 error = crp->crp_etype; 126 } 127 128 free(crp, M_ELI); 129 crypto_freesession(sid); 130 return (error); 131 } 132 #else /* !_KERNEL */ 133 static int 134 g_eli_crypto_cipher(u_int algo, int enc, u_char *data, size_t datasize, 135 const u_char *key, size_t keysize) 136 { 137 EVP_CIPHER_CTX ctx; 138 const EVP_CIPHER *type; 139 u_char iv[keysize]; 140 int outsize; 141 142 assert(algo != CRYPTO_AES_XTS); 143 144 switch (algo) { 145 case CRYPTO_NULL_CBC: 146 type = EVP_enc_null(); 147 break; 148 case CRYPTO_AES_CBC: 149 switch (keysize) { 150 case 128: 151 type = EVP_aes_128_cbc(); 152 break; 153 case 192: 154 type = EVP_aes_192_cbc(); 155 break; 156 case 256: 157 type = EVP_aes_256_cbc(); 158 break; 159 default: 160 return (EINVAL); 161 } 162 break; 163 case CRYPTO_BLF_CBC: 164 type = EVP_bf_cbc(); 165 break; 166 #ifndef OPENSSL_NO_CAMELLIA 167 case CRYPTO_CAMELLIA_CBC: 168 switch (keysize) { 169 case 128: 170 type = EVP_camellia_128_cbc(); 171 break; 172 case 192: 173 type = EVP_camellia_192_cbc(); 174 break; 175 case 256: 176 type = EVP_camellia_256_cbc(); 177 break; 178 default: 179 return (EINVAL); 180 } 181 break; 182 #endif 183 case CRYPTO_3DES_CBC: 184 type = EVP_des_ede3_cbc(); 185 break; 186 default: 187 return (EINVAL); 188 } 189 190 EVP_CIPHER_CTX_init(&ctx); 191 192 EVP_CipherInit_ex(&ctx, type, NULL, NULL, NULL, enc); 193 EVP_CIPHER_CTX_set_key_length(&ctx, keysize / 8); 194 EVP_CIPHER_CTX_set_padding(&ctx, 0); 195 bzero(iv, sizeof(iv)); 196 EVP_CipherInit_ex(&ctx, NULL, NULL, key, iv, enc); 197 198 if (EVP_CipherUpdate(&ctx, data, &outsize, data, datasize) == 0) { 199 EVP_CIPHER_CTX_cleanup(&ctx); 200 return (EINVAL); 201 } 202 assert(outsize == (int)datasize); 203 204 if (EVP_CipherFinal_ex(&ctx, data + outsize, &outsize) == 0) { 205 EVP_CIPHER_CTX_cleanup(&ctx); 206 return (EINVAL); 207 } 208 assert(outsize == 0); 209 210 EVP_CIPHER_CTX_cleanup(&ctx); 211 return (0); 212 } 213 #endif /* !_KERNEL */ 214 215 int 216 g_eli_crypto_encrypt(u_int algo, u_char *data, size_t datasize, 217 const u_char *key, size_t keysize) 218 { 219 220 /* We prefer AES-CBC for metadata protection. */ 221 if (algo == CRYPTO_AES_XTS) 222 algo = CRYPTO_AES_CBC; 223 224 return (g_eli_crypto_cipher(algo, 1, data, datasize, key, keysize)); 225 } 226 227 int 228 g_eli_crypto_decrypt(u_int algo, u_char *data, size_t datasize, 229 const u_char *key, size_t keysize) 230 { 231 232 /* We prefer AES-CBC for metadata protection. */ 233 if (algo == CRYPTO_AES_XTS) 234 algo = CRYPTO_AES_CBC; 235 236 return (g_eli_crypto_cipher(algo, 0, data, datasize, key, keysize)); 237 } 238 239 void 240 g_eli_crypto_hmac_init(struct hmac_ctx *ctx, const uint8_t *hkey, 241 size_t hkeylen) 242 { 243 u_char k_ipad[128], key[128]; 244 SHA512_CTX lctx; 245 u_int i; 246 247 bzero(key, sizeof(key)); 248 if (hkeylen == 0) 249 ; /* do nothing */ 250 else if (hkeylen <= 128) 251 bcopy(hkey, key, hkeylen); 252 else { 253 /* If key is longer than 128 bytes reset it to key = SHA512(key). */ 254 SHA512_Init(&lctx); 255 SHA512_Update(&lctx, hkey, hkeylen); 256 SHA512_Final(key, &lctx); 257 } 258 259 /* XOR key with ipad and opad values. */ 260 for (i = 0; i < sizeof(key); i++) { 261 k_ipad[i] = key[i] ^ 0x36; 262 ctx->k_opad[i] = key[i] ^ 0x5c; 263 } 264 bzero(key, sizeof(key)); 265 /* Perform inner SHA512. */ 266 SHA512_Init(&ctx->shactx); 267 SHA512_Update(&ctx->shactx, k_ipad, sizeof(k_ipad)); 268 bzero(k_ipad, sizeof(k_ipad)); 269 } 270 271 void 272 g_eli_crypto_hmac_update(struct hmac_ctx *ctx, const uint8_t *data, 273 size_t datasize) 274 { 275 276 SHA512_Update(&ctx->shactx, data, datasize); 277 } 278 279 void 280 g_eli_crypto_hmac_final(struct hmac_ctx *ctx, uint8_t *md, size_t mdsize) 281 { 282 u_char digest[SHA512_MDLEN]; 283 SHA512_CTX lctx; 284 285 SHA512_Final(digest, &ctx->shactx); 286 /* Perform outer SHA512. */ 287 SHA512_Init(&lctx); 288 SHA512_Update(&lctx, ctx->k_opad, sizeof(ctx->k_opad)); 289 bzero(ctx, sizeof(*ctx)); 290 SHA512_Update(&lctx, digest, sizeof(digest)); 291 SHA512_Final(digest, &lctx); 292 bzero(&lctx, sizeof(lctx)); 293 /* mdsize == 0 means "Give me the whole hash!" */ 294 if (mdsize == 0) 295 mdsize = SHA512_MDLEN; 296 bcopy(digest, md, mdsize); 297 bzero(digest, sizeof(digest)); 298 } 299 300 void 301 g_eli_crypto_hmac(const uint8_t *hkey, size_t hkeysize, const uint8_t *data, 302 size_t datasize, uint8_t *md, size_t mdsize) 303 { 304 struct hmac_ctx ctx; 305 306 g_eli_crypto_hmac_init(&ctx, hkey, hkeysize); 307 g_eli_crypto_hmac_update(&ctx, data, datasize); 308 g_eli_crypto_hmac_final(&ctx, md, mdsize); 309 } 310