1/*-
2 * Copyright (c) 2005 Pawel Jakub Dawidek <pjd@FreeBSD.org>
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24 * SUCH DAMAGE.
25 */
26
27#include <sys/cdefs.h>
| 1/*-
2 * Copyright (c) 2005 Pawel Jakub Dawidek <pjd@FreeBSD.org>
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24 * SUCH DAMAGE.
25 */
26
27#include <sys/cdefs.h>
|
28__FBSDID("$FreeBSD: head/sys/geom/eli/g_eli_crypto.c 173746 2007-11-19 08:59:32Z jb $");
| 28__FBSDID("$FreeBSD: head/sys/geom/eli/g_eli_crypto.c 213070 2010-09-23 11:58:36Z pjd $");
|
29
30#include <sys/param.h>
31#ifdef _KERNEL
32#include <sys/systm.h>
33#include <sys/kernel.h>
34#include <sys/malloc.h>
35#include <sys/uio.h>
36#else
37#include <stdint.h>
38#include <string.h>
39#include <strings.h>
40#include <errno.h>
41#include <assert.h>
42#include <openssl/evp.h>
43#define _OpenSSL_
44#endif
45#include <geom/eli/g_eli.h>
46
47#ifdef _KERNEL
48MALLOC_DECLARE(M_ELI);
49
50static int
51g_eli_crypto_done(struct cryptop *crp)
52{
53
54 crp->crp_opaque = (void *)crp;
55 wakeup(crp);
56 return (0);
57}
58
59static int
60g_eli_crypto_cipher(u_int algo, int enc, u_char *data, size_t datasize,
61 const u_char *key, size_t keysize)
62{
63 struct cryptoini cri;
64 struct cryptop *crp;
65 struct cryptodesc *crd;
66 struct uio *uio;
67 struct iovec *iov;
68 uint64_t sid;
69 u_char *p;
70 int error;
71
| 29
30#include <sys/param.h>
31#ifdef _KERNEL
32#include <sys/systm.h>
33#include <sys/kernel.h>
34#include <sys/malloc.h>
35#include <sys/uio.h>
36#else
37#include <stdint.h>
38#include <string.h>
39#include <strings.h>
40#include <errno.h>
41#include <assert.h>
42#include <openssl/evp.h>
43#define _OpenSSL_
44#endif
45#include <geom/eli/g_eli.h>
46
47#ifdef _KERNEL
48MALLOC_DECLARE(M_ELI);
49
50static int
51g_eli_crypto_done(struct cryptop *crp)
52{
53
54 crp->crp_opaque = (void *)crp;
55 wakeup(crp);
56 return (0);
57}
58
59static int
60g_eli_crypto_cipher(u_int algo, int enc, u_char *data, size_t datasize,
61 const u_char *key, size_t keysize)
62{
63 struct cryptoini cri;
64 struct cryptop *crp;
65 struct cryptodesc *crd;
66 struct uio *uio;
67 struct iovec *iov;
68 uint64_t sid;
69 u_char *p;
70 int error;
71
|
| 72 KASSERT(algo != CRYPTO_AES_XTS,
73 ("%s: CRYPTO_AES_XTS unexpected here", __func__));
74
|
72 bzero(&cri, sizeof(cri));
73 cri.cri_alg = algo;
74 cri.cri_key = __DECONST(void *, key);
75 cri.cri_klen = keysize;
76 error = crypto_newsession(&sid, &cri, CRYPTOCAP_F_SOFTWARE);
77 if (error != 0)
78 return (error);
79 p = malloc(sizeof(*crp) + sizeof(*crd) + sizeof(*uio) + sizeof(*iov),
80 M_ELI, M_NOWAIT | M_ZERO);
81 if (p == NULL) {
82 crypto_freesession(sid);
83 return (ENOMEM);
84 }
85 crp = (struct cryptop *)p; p += sizeof(*crp);
86 crd = (struct cryptodesc *)p; p += sizeof(*crd);
87 uio = (struct uio *)p; p += sizeof(*uio);
88 iov = (struct iovec *)p; p += sizeof(*iov);
89
90 iov->iov_len = datasize;
91 iov->iov_base = data;
92
93 uio->uio_iov = iov;
94 uio->uio_iovcnt = 1;
95 uio->uio_segflg = UIO_SYSSPACE;
96 uio->uio_resid = datasize;
97
98 crd->crd_skip = 0;
99 crd->crd_len = datasize;
100 crd->crd_flags = CRD_F_IV_EXPLICIT | CRD_F_IV_PRESENT;
101 if (enc)
102 crd->crd_flags |= CRD_F_ENCRYPT;
103 crd->crd_alg = algo;
104 crd->crd_key = __DECONST(void *, key);
105 crd->crd_klen = keysize;
106 bzero(crd->crd_iv, sizeof(crd->crd_iv));
107 crd->crd_next = NULL;
108
109 crp->crp_sid = sid;
110 crp->crp_ilen = datasize;
111 crp->crp_olen = datasize;
112 crp->crp_opaque = NULL;
113 crp->crp_callback = g_eli_crypto_done;
114 crp->crp_buf = (void *)uio;
115 crp->crp_flags = CRYPTO_F_IOV | CRYPTO_F_CBIFSYNC | CRYPTO_F_REL;
116 crp->crp_desc = crd;
117
118 error = crypto_dispatch(crp);
119 if (error == 0) {
120 while (crp->crp_opaque == NULL)
121 tsleep(crp, PRIBIO, "geli", hz / 5);
122 error = crp->crp_etype;
123 }
124
125 free(crp, M_ELI);
126 crypto_freesession(sid);
127 return (error);
128}
129#else /* !_KERNEL */
130static int
131g_eli_crypto_cipher(u_int algo, int enc, u_char *data, size_t datasize,
132 const u_char *key, size_t keysize)
133{
134 EVP_CIPHER_CTX ctx;
135 const EVP_CIPHER *type;
136 u_char iv[keysize];
137 int outsize;
138
| 75 bzero(&cri, sizeof(cri));
76 cri.cri_alg = algo;
77 cri.cri_key = __DECONST(void *, key);
78 cri.cri_klen = keysize;
79 error = crypto_newsession(&sid, &cri, CRYPTOCAP_F_SOFTWARE);
80 if (error != 0)
81 return (error);
82 p = malloc(sizeof(*crp) + sizeof(*crd) + sizeof(*uio) + sizeof(*iov),
83 M_ELI, M_NOWAIT | M_ZERO);
84 if (p == NULL) {
85 crypto_freesession(sid);
86 return (ENOMEM);
87 }
88 crp = (struct cryptop *)p; p += sizeof(*crp);
89 crd = (struct cryptodesc *)p; p += sizeof(*crd);
90 uio = (struct uio *)p; p += sizeof(*uio);
91 iov = (struct iovec *)p; p += sizeof(*iov);
92
93 iov->iov_len = datasize;
94 iov->iov_base = data;
95
96 uio->uio_iov = iov;
97 uio->uio_iovcnt = 1;
98 uio->uio_segflg = UIO_SYSSPACE;
99 uio->uio_resid = datasize;
100
101 crd->crd_skip = 0;
102 crd->crd_len = datasize;
103 crd->crd_flags = CRD_F_IV_EXPLICIT | CRD_F_IV_PRESENT;
104 if (enc)
105 crd->crd_flags |= CRD_F_ENCRYPT;
106 crd->crd_alg = algo;
107 crd->crd_key = __DECONST(void *, key);
108 crd->crd_klen = keysize;
109 bzero(crd->crd_iv, sizeof(crd->crd_iv));
110 crd->crd_next = NULL;
111
112 crp->crp_sid = sid;
113 crp->crp_ilen = datasize;
114 crp->crp_olen = datasize;
115 crp->crp_opaque = NULL;
116 crp->crp_callback = g_eli_crypto_done;
117 crp->crp_buf = (void *)uio;
118 crp->crp_flags = CRYPTO_F_IOV | CRYPTO_F_CBIFSYNC | CRYPTO_F_REL;
119 crp->crp_desc = crd;
120
121 error = crypto_dispatch(crp);
122 if (error == 0) {
123 while (crp->crp_opaque == NULL)
124 tsleep(crp, PRIBIO, "geli", hz / 5);
125 error = crp->crp_etype;
126 }
127
128 free(crp, M_ELI);
129 crypto_freesession(sid);
130 return (error);
131}
132#else /* !_KERNEL */
133static int
134g_eli_crypto_cipher(u_int algo, int enc, u_char *data, size_t datasize,
135 const u_char *key, size_t keysize)
136{
137 EVP_CIPHER_CTX ctx;
138 const EVP_CIPHER *type;
139 u_char iv[keysize];
140 int outsize;
141
|
| 142 assert(algo != CRYPTO_AES_XTS);
143
|
139 switch (algo) {
140 case CRYPTO_NULL_CBC:
141 type = EVP_enc_null();
142 break;
143 case CRYPTO_AES_CBC:
144 switch (keysize) {
145 case 128:
146 type = EVP_aes_128_cbc();
147 break;
148 case 192:
149 type = EVP_aes_192_cbc();
150 break;
151 case 256:
152 type = EVP_aes_256_cbc();
153 break;
154 default:
155 return (EINVAL);
156 }
157 break;
158 case CRYPTO_BLF_CBC:
159 type = EVP_bf_cbc();
160 break;
161#ifndef OPENSSL_NO_CAMELLIA
162 case CRYPTO_CAMELLIA_CBC:
163 switch (keysize) {
164 case 128:
165 type = EVP_camellia_128_cbc();
166 break;
167 case 192:
168 type = EVP_camellia_192_cbc();
169 break;
170 case 256:
171 type = EVP_camellia_256_cbc();
172 break;
173 default:
174 return (EINVAL);
175 }
176 break;
177#endif
178 case CRYPTO_3DES_CBC:
179 type = EVP_des_ede3_cbc();
180 break;
181 default:
182 return (EINVAL);
183 }
184
185 EVP_CIPHER_CTX_init(&ctx);
186
187 EVP_CipherInit_ex(&ctx, type, NULL, NULL, NULL, enc);
188 EVP_CIPHER_CTX_set_key_length(&ctx, keysize / 8);
189 EVP_CIPHER_CTX_set_padding(&ctx, 0);
190 bzero(iv, sizeof(iv));
191 EVP_CipherInit_ex(&ctx, NULL, NULL, key, iv, enc);
192
193 if (EVP_CipherUpdate(&ctx, data, &outsize, data, datasize) == 0) {
194 EVP_CIPHER_CTX_cleanup(&ctx);
195 return (EINVAL);
196 }
197 assert(outsize == (int)datasize);
198
199 if (EVP_CipherFinal_ex(&ctx, data + outsize, &outsize) == 0) {
200 EVP_CIPHER_CTX_cleanup(&ctx);
201 return (EINVAL);
202 }
203 assert(outsize == 0);
204
205 EVP_CIPHER_CTX_cleanup(&ctx);
206 return (0);
207}
208#endif /* !_KERNEL */
209
210int
211g_eli_crypto_encrypt(u_int algo, u_char *data, size_t datasize,
212 const u_char *key, size_t keysize)
213{
214
| 144 switch (algo) {
145 case CRYPTO_NULL_CBC:
146 type = EVP_enc_null();
147 break;
148 case CRYPTO_AES_CBC:
149 switch (keysize) {
150 case 128:
151 type = EVP_aes_128_cbc();
152 break;
153 case 192:
154 type = EVP_aes_192_cbc();
155 break;
156 case 256:
157 type = EVP_aes_256_cbc();
158 break;
159 default:
160 return (EINVAL);
161 }
162 break;
163 case CRYPTO_BLF_CBC:
164 type = EVP_bf_cbc();
165 break;
166#ifndef OPENSSL_NO_CAMELLIA
167 case CRYPTO_CAMELLIA_CBC:
168 switch (keysize) {
169 case 128:
170 type = EVP_camellia_128_cbc();
171 break;
172 case 192:
173 type = EVP_camellia_192_cbc();
174 break;
175 case 256:
176 type = EVP_camellia_256_cbc();
177 break;
178 default:
179 return (EINVAL);
180 }
181 break;
182#endif
183 case CRYPTO_3DES_CBC:
184 type = EVP_des_ede3_cbc();
185 break;
186 default:
187 return (EINVAL);
188 }
189
190 EVP_CIPHER_CTX_init(&ctx);
191
192 EVP_CipherInit_ex(&ctx, type, NULL, NULL, NULL, enc);
193 EVP_CIPHER_CTX_set_key_length(&ctx, keysize / 8);
194 EVP_CIPHER_CTX_set_padding(&ctx, 0);
195 bzero(iv, sizeof(iv));
196 EVP_CipherInit_ex(&ctx, NULL, NULL, key, iv, enc);
197
198 if (EVP_CipherUpdate(&ctx, data, &outsize, data, datasize) == 0) {
199 EVP_CIPHER_CTX_cleanup(&ctx);
200 return (EINVAL);
201 }
202 assert(outsize == (int)datasize);
203
204 if (EVP_CipherFinal_ex(&ctx, data + outsize, &outsize) == 0) {
205 EVP_CIPHER_CTX_cleanup(&ctx);
206 return (EINVAL);
207 }
208 assert(outsize == 0);
209
210 EVP_CIPHER_CTX_cleanup(&ctx);
211 return (0);
212}
213#endif /* !_KERNEL */
214
215int
216g_eli_crypto_encrypt(u_int algo, u_char *data, size_t datasize,
217 const u_char *key, size_t keysize)
218{
219
|
| 220 /* We prefer AES-CBC for metadata protection. */
221 if (algo == CRYPTO_AES_XTS)
222 algo = CRYPTO_AES_CBC;
223
|
215 return (g_eli_crypto_cipher(algo, 1, data, datasize, key, keysize));
216}
217
218int
219g_eli_crypto_decrypt(u_int algo, u_char *data, size_t datasize,
220 const u_char *key, size_t keysize)
221{
222
| 224 return (g_eli_crypto_cipher(algo, 1, data, datasize, key, keysize));
225}
226
227int
228g_eli_crypto_decrypt(u_int algo, u_char *data, size_t datasize,
229 const u_char *key, size_t keysize)
230{
231
|
| 232 /* We prefer AES-CBC for metadata protection. */
233 if (algo == CRYPTO_AES_XTS)
234 algo = CRYPTO_AES_CBC;
235
|
223 return (g_eli_crypto_cipher(algo, 0, data, datasize, key, keysize));
224}
225
226void
227g_eli_crypto_hmac_init(struct hmac_ctx *ctx, const uint8_t *hkey,
228 size_t hkeylen)
229{
230 u_char k_ipad[128], key[128];
231 SHA512_CTX lctx;
232 u_int i;
233
234 bzero(key, sizeof(key));
235 if (hkeylen == 0)
236 ; /* do nothing */
237 else if (hkeylen <= 128)
238 bcopy(hkey, key, hkeylen);
239 else {
240 /* If key is longer than 128 bytes reset it to key = SHA512(key). */
241 SHA512_Init(&lctx);
242 SHA512_Update(&lctx, hkey, hkeylen);
243 SHA512_Final(key, &lctx);
244 }
245
246 /* XOR key with ipad and opad values. */
247 for (i = 0; i < sizeof(key); i++) {
248 k_ipad[i] = key[i] ^ 0x36;
249 ctx->k_opad[i] = key[i] ^ 0x5c;
250 }
251 bzero(key, sizeof(key));
252 /* Perform inner SHA512. */
253 SHA512_Init(&ctx->shactx);
254 SHA512_Update(&ctx->shactx, k_ipad, sizeof(k_ipad));
255}
256
257void
258g_eli_crypto_hmac_update(struct hmac_ctx *ctx, const uint8_t *data,
259 size_t datasize)
260{
261
262 SHA512_Update(&ctx->shactx, data, datasize);
263}
264
265void
266g_eli_crypto_hmac_final(struct hmac_ctx *ctx, uint8_t *md, size_t mdsize)
267{
268 u_char digest[SHA512_MDLEN];
269 SHA512_CTX lctx;
270
271 SHA512_Final(digest, &ctx->shactx);
272 /* Perform outer SHA512. */
273 SHA512_Init(&lctx);
274 SHA512_Update(&lctx, ctx->k_opad, sizeof(ctx->k_opad));
275 bzero(ctx, sizeof(*ctx));
276 SHA512_Update(&lctx, digest, sizeof(digest));
277 SHA512_Final(digest, &lctx);
278 /* mdsize == 0 means "Give me the whole hash!" */
279 if (mdsize == 0)
280 mdsize = SHA512_MDLEN;
281 bcopy(digest, md, mdsize);
282}
283
284void
285g_eli_crypto_hmac(const uint8_t *hkey, size_t hkeysize, const uint8_t *data,
286 size_t datasize, uint8_t *md, size_t mdsize)
287{
288 struct hmac_ctx ctx;
289
290 g_eli_crypto_hmac_init(&ctx, hkey, hkeysize);
291 g_eli_crypto_hmac_update(&ctx, data, datasize);
292 g_eli_crypto_hmac_final(&ctx, md, mdsize);
293}
| 236 return (g_eli_crypto_cipher(algo, 0, data, datasize, key, keysize));
237}
238
239void
240g_eli_crypto_hmac_init(struct hmac_ctx *ctx, const uint8_t *hkey,
241 size_t hkeylen)
242{
243 u_char k_ipad[128], key[128];
244 SHA512_CTX lctx;
245 u_int i;
246
247 bzero(key, sizeof(key));
248 if (hkeylen == 0)
249 ; /* do nothing */
250 else if (hkeylen <= 128)
251 bcopy(hkey, key, hkeylen);
252 else {
253 /* If key is longer than 128 bytes reset it to key = SHA512(key). */
254 SHA512_Init(&lctx);
255 SHA512_Update(&lctx, hkey, hkeylen);
256 SHA512_Final(key, &lctx);
257 }
258
259 /* XOR key with ipad and opad values. */
260 for (i = 0; i < sizeof(key); i++) {
261 k_ipad[i] = key[i] ^ 0x36;
262 ctx->k_opad[i] = key[i] ^ 0x5c;
263 }
264 bzero(key, sizeof(key));
265 /* Perform inner SHA512. */
266 SHA512_Init(&ctx->shactx);
267 SHA512_Update(&ctx->shactx, k_ipad, sizeof(k_ipad));
268}
269
270void
271g_eli_crypto_hmac_update(struct hmac_ctx *ctx, const uint8_t *data,
272 size_t datasize)
273{
274
275 SHA512_Update(&ctx->shactx, data, datasize);
276}
277
278void
279g_eli_crypto_hmac_final(struct hmac_ctx *ctx, uint8_t *md, size_t mdsize)
280{
281 u_char digest[SHA512_MDLEN];
282 SHA512_CTX lctx;
283
284 SHA512_Final(digest, &ctx->shactx);
285 /* Perform outer SHA512. */
286 SHA512_Init(&lctx);
287 SHA512_Update(&lctx, ctx->k_opad, sizeof(ctx->k_opad));
288 bzero(ctx, sizeof(*ctx));
289 SHA512_Update(&lctx, digest, sizeof(digest));
290 SHA512_Final(digest, &lctx);
291 /* mdsize == 0 means "Give me the whole hash!" */
292 if (mdsize == 0)
293 mdsize = SHA512_MDLEN;
294 bcopy(digest, md, mdsize);
295}
296
297void
298g_eli_crypto_hmac(const uint8_t *hkey, size_t hkeysize, const uint8_t *data,
299 size_t datasize, uint8_t *md, size_t mdsize)
300{
301 struct hmac_ctx ctx;
302
303 g_eli_crypto_hmac_init(&ctx, hkey, hkeysize);
304 g_eli_crypto_hmac_update(&ctx, data, datasize);
305 g_eli_crypto_hmac_final(&ctx, md, mdsize);
306}
|