xref: /freebsd/sys/geom/eli/g_eli_crypto.c (revision aa77200569e397d6ff1fdb4d255d0fa254d0a128)
1 /*-
2  * Copyright (c) 2005-2010 Pawel Jakub Dawidek <pjd@FreeBSD.org>
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  *
14  * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
15  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
18  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24  * SUCH DAMAGE.
25  */
26 
27 #include <sys/cdefs.h>
28 __FBSDID("$FreeBSD$");
29 
30 #include <sys/param.h>
31 #ifdef _KERNEL
32 #include <sys/systm.h>
33 #include <sys/kernel.h>
34 #include <sys/malloc.h>
35 #include <sys/uio.h>
36 #else
37 #include <stdint.h>
38 #include <string.h>
39 #include <strings.h>
40 #include <errno.h>
41 #include <assert.h>
42 #include <openssl/evp.h>
43 #define	_OpenSSL_
44 #endif
45 #include <geom/eli/g_eli.h>
46 
47 #ifdef _KERNEL
48 MALLOC_DECLARE(M_ELI);
49 
50 static int
51 g_eli_crypto_done(struct cryptop *crp)
52 {
53 
54 	crp->crp_opaque = (void *)crp;
55 	wakeup(crp);
56 	return (0);
57 }
58 
59 static int
60 g_eli_crypto_cipher(u_int algo, int enc, u_char *data, size_t datasize,
61     const u_char *key, size_t keysize)
62 {
63 	struct cryptoini cri;
64 	struct cryptop *crp;
65 	struct cryptodesc *crd;
66 	struct uio *uio;
67 	struct iovec *iov;
68 	uint64_t sid;
69 	u_char *p;
70 	int error;
71 
72 	KASSERT(algo != CRYPTO_AES_XTS,
73 	    ("%s: CRYPTO_AES_XTS unexpected here", __func__));
74 
75 	bzero(&cri, sizeof(cri));
76 	cri.cri_alg = algo;
77 	cri.cri_key = __DECONST(void *, key);
78 	cri.cri_klen = keysize;
79 	error = crypto_newsession(&sid, &cri, CRYPTOCAP_F_SOFTWARE);
80 	if (error != 0)
81 		return (error);
82 	p = malloc(sizeof(*crp) + sizeof(*crd) + sizeof(*uio) + sizeof(*iov),
83 	    M_ELI, M_NOWAIT | M_ZERO);
84 	if (p == NULL) {
85 		crypto_freesession(sid);
86 		return (ENOMEM);
87 	}
88 	crp = (struct cryptop *)p;	p += sizeof(*crp);
89 	crd = (struct cryptodesc *)p;	p += sizeof(*crd);
90 	uio = (struct uio *)p;		p += sizeof(*uio);
91 	iov = (struct iovec *)p;	p += sizeof(*iov);
92 
93 	iov->iov_len = datasize;
94 	iov->iov_base = data;
95 
96 	uio->uio_iov = iov;
97 	uio->uio_iovcnt = 1;
98 	uio->uio_segflg = UIO_SYSSPACE;
99 	uio->uio_resid = datasize;
100 
101 	crd->crd_skip = 0;
102 	crd->crd_len = datasize;
103 	crd->crd_flags = CRD_F_IV_EXPLICIT | CRD_F_IV_PRESENT;
104 	if (enc)
105 		crd->crd_flags |= CRD_F_ENCRYPT;
106 	crd->crd_alg = algo;
107 	crd->crd_key = __DECONST(void *, key);
108 	crd->crd_klen = keysize;
109 	bzero(crd->crd_iv, sizeof(crd->crd_iv));
110 	crd->crd_next = NULL;
111 
112 	crp->crp_sid = sid;
113 	crp->crp_ilen = datasize;
114 	crp->crp_olen = datasize;
115 	crp->crp_opaque = NULL;
116 	crp->crp_callback = g_eli_crypto_done;
117 	crp->crp_buf = (void *)uio;
118 	crp->crp_flags = CRYPTO_F_IOV | CRYPTO_F_CBIFSYNC | CRYPTO_F_REL;
119 	crp->crp_desc = crd;
120 
121 	error = crypto_dispatch(crp);
122 	if (error == 0) {
123 		while (crp->crp_opaque == NULL)
124 			tsleep(crp, PRIBIO, "geli", hz / 5);
125 		error = crp->crp_etype;
126 	}
127 
128 	free(crp, M_ELI);
129 	crypto_freesession(sid);
130 	return (error);
131 }
132 #else	/* !_KERNEL */
133 static int
134 g_eli_crypto_cipher(u_int algo, int enc, u_char *data, size_t datasize,
135     const u_char *key, size_t keysize)
136 {
137 	EVP_CIPHER_CTX ctx;
138 	const EVP_CIPHER *type;
139 	u_char iv[keysize];
140 	int outsize;
141 
142 	assert(algo != CRYPTO_AES_XTS);
143 
144 	switch (algo) {
145 	case CRYPTO_NULL_CBC:
146 		type = EVP_enc_null();
147 		break;
148 	case CRYPTO_AES_CBC:
149 		switch (keysize) {
150 		case 128:
151 			type = EVP_aes_128_cbc();
152 			break;
153 		case 192:
154 			type = EVP_aes_192_cbc();
155 			break;
156 		case 256:
157 			type = EVP_aes_256_cbc();
158 			break;
159 		default:
160 			return (EINVAL);
161 		}
162 		break;
163 	case CRYPTO_BLF_CBC:
164 		type = EVP_bf_cbc();
165 		break;
166 #ifndef OPENSSL_NO_CAMELLIA
167 	case CRYPTO_CAMELLIA_CBC:
168 		switch (keysize) {
169 		case 128:
170 			type = EVP_camellia_128_cbc();
171 			break;
172 		case 192:
173 			type = EVP_camellia_192_cbc();
174 			break;
175 		case 256:
176 			type = EVP_camellia_256_cbc();
177 			break;
178 		default:
179 			return (EINVAL);
180 		}
181 		break;
182 #endif
183 	case CRYPTO_3DES_CBC:
184 		type = EVP_des_ede3_cbc();
185 		break;
186 	default:
187 		return (EINVAL);
188 	}
189 
190 	EVP_CIPHER_CTX_init(&ctx);
191 
192 	EVP_CipherInit_ex(&ctx, type, NULL, NULL, NULL, enc);
193 	EVP_CIPHER_CTX_set_key_length(&ctx, keysize / 8);
194 	EVP_CIPHER_CTX_set_padding(&ctx, 0);
195 	bzero(iv, sizeof(iv));
196 	EVP_CipherInit_ex(&ctx, NULL, NULL, key, iv, enc);
197 
198 	if (EVP_CipherUpdate(&ctx, data, &outsize, data, datasize) == 0) {
199 		EVP_CIPHER_CTX_cleanup(&ctx);
200 		return (EINVAL);
201 	}
202 	assert(outsize == (int)datasize);
203 
204 	if (EVP_CipherFinal_ex(&ctx, data + outsize, &outsize) == 0) {
205 		EVP_CIPHER_CTX_cleanup(&ctx);
206 		return (EINVAL);
207 	}
208 	assert(outsize == 0);
209 
210 	EVP_CIPHER_CTX_cleanup(&ctx);
211 	return (0);
212 }
213 #endif	/* !_KERNEL */
214 
215 int
216 g_eli_crypto_encrypt(u_int algo, u_char *data, size_t datasize,
217     const u_char *key, size_t keysize)
218 {
219 
220 	/* We prefer AES-CBC for metadata protection. */
221 	if (algo == CRYPTO_AES_XTS)
222 		algo = CRYPTO_AES_CBC;
223 
224 	return (g_eli_crypto_cipher(algo, 1, data, datasize, key, keysize));
225 }
226 
227 int
228 g_eli_crypto_decrypt(u_int algo, u_char *data, size_t datasize,
229     const u_char *key, size_t keysize)
230 {
231 
232 	/* We prefer AES-CBC for metadata protection. */
233 	if (algo == CRYPTO_AES_XTS)
234 		algo = CRYPTO_AES_CBC;
235 
236 	return (g_eli_crypto_cipher(algo, 0, data, datasize, key, keysize));
237 }
238 
239 void
240 g_eli_crypto_hmac_init(struct hmac_ctx *ctx, const uint8_t *hkey,
241     size_t hkeylen)
242 {
243 	u_char k_ipad[128], key[128];
244 	SHA512_CTX lctx;
245 	u_int i;
246 
247 	bzero(key, sizeof(key));
248 	if (hkeylen == 0)
249 		; /* do nothing */
250 	else if (hkeylen <= 128)
251 		bcopy(hkey, key, hkeylen);
252 	else {
253 		/* If key is longer than 128 bytes reset it to key = SHA512(key). */
254 		SHA512_Init(&lctx);
255 		SHA512_Update(&lctx, hkey, hkeylen);
256 		SHA512_Final(key, &lctx);
257 	}
258 
259 	/* XOR key with ipad and opad values. */
260 	for (i = 0; i < sizeof(key); i++) {
261 		k_ipad[i] = key[i] ^ 0x36;
262 		ctx->k_opad[i] = key[i] ^ 0x5c;
263 	}
264 	bzero(key, sizeof(key));
265 	/* Perform inner SHA512. */
266 	SHA512_Init(&ctx->shactx);
267 	SHA512_Update(&ctx->shactx, k_ipad, sizeof(k_ipad));
268 }
269 
270 void
271 g_eli_crypto_hmac_update(struct hmac_ctx *ctx, const uint8_t *data,
272     size_t datasize)
273 {
274 
275 	SHA512_Update(&ctx->shactx, data, datasize);
276 }
277 
278 void
279 g_eli_crypto_hmac_final(struct hmac_ctx *ctx, uint8_t *md, size_t mdsize)
280 {
281 	u_char digest[SHA512_MDLEN];
282 	SHA512_CTX lctx;
283 
284 	SHA512_Final(digest, &ctx->shactx);
285 	/* Perform outer SHA512. */
286 	SHA512_Init(&lctx);
287 	SHA512_Update(&lctx, ctx->k_opad, sizeof(ctx->k_opad));
288 	bzero(ctx, sizeof(*ctx));
289 	SHA512_Update(&lctx, digest, sizeof(digest));
290 	SHA512_Final(digest, &lctx);
291 	/* mdsize == 0 means "Give me the whole hash!" */
292 	if (mdsize == 0)
293 		mdsize = SHA512_MDLEN;
294 	bcopy(digest, md, mdsize);
295 }
296 
297 void
298 g_eli_crypto_hmac(const uint8_t *hkey, size_t hkeysize, const uint8_t *data,
299     size_t datasize, uint8_t *md, size_t mdsize)
300 {
301 	struct hmac_ctx ctx;
302 
303 	g_eli_crypto_hmac_init(&ctx, hkey, hkeysize);
304 	g_eli_crypto_hmac_update(&ctx, data, datasize);
305 	g_eli_crypto_hmac_final(&ctx, md, mdsize);
306 }
307