1148456Spjd/*-
2213072Spjd * Copyright (c) 2005-2010 Pawel Jakub Dawidek <pjd@FreeBSD.org>
3148456Spjd * All rights reserved.
4148456Spjd *
5148456Spjd * Redistribution and use in source and binary forms, with or without
6148456Spjd * modification, are permitted provided that the following conditions
7148456Spjd * are met:
8148456Spjd * 1. Redistributions of source code must retain the above copyright
9148456Spjd *    notice, this list of conditions and the following disclaimer.
10148456Spjd * 2. Redistributions in binary form must reproduce the above copyright
11148456Spjd *    notice, this list of conditions and the following disclaimer in the
12148456Spjd *    documentation and/or other materials provided with the distribution.
13155174Spjd *
14148456Spjd * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
15148456Spjd * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16148456Spjd * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17148456Spjd * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
18148456Spjd * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19148456Spjd * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20148456Spjd * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21148456Spjd * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22148456Spjd * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23148456Spjd * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24148456Spjd * SUCH DAMAGE.
25148456Spjd */
26148456Spjd
27148456Spjd#include <sys/cdefs.h>
28148456Spjd__FBSDID("$FreeBSD$");
29148456Spjd
30148456Spjd#include <sys/param.h>
31148456Spjd#ifdef _KERNEL
32148456Spjd#include <sys/systm.h>
33148456Spjd#include <sys/kernel.h>
34148456Spjd#include <sys/malloc.h>
35148456Spjd#include <sys/uio.h>
36148456Spjd#else
37148456Spjd#include <stdint.h>
38148456Spjd#include <string.h>
39148456Spjd#include <strings.h>
40148456Spjd#include <errno.h>
41148456Spjd#include <assert.h>
42148456Spjd#include <openssl/evp.h>
43148456Spjd#define	_OpenSSL_
44148456Spjd#endif
45148456Spjd#include <geom/eli/g_eli.h>
46148456Spjd
47148456Spjd#ifdef _KERNEL
48148456SpjdMALLOC_DECLARE(M_ELI);
49148456Spjd
50148456Spjdstatic int
51148456Spjdg_eli_crypto_done(struct cryptop *crp)
52148456Spjd{
53148456Spjd
54148456Spjd	crp->crp_opaque = (void *)crp;
55148456Spjd	wakeup(crp);
56148456Spjd	return (0);
57148456Spjd}
58148456Spjd
59148456Spjdstatic int
60148456Spjdg_eli_crypto_cipher(u_int algo, int enc, u_char *data, size_t datasize,
61148456Spjd    const u_char *key, size_t keysize)
62148456Spjd{
63148456Spjd	struct cryptoini cri;
64148456Spjd	struct cryptop *crp;
65148456Spjd	struct cryptodesc *crd;
66148456Spjd	struct uio *uio;
67148456Spjd	struct iovec *iov;
68148456Spjd	uint64_t sid;
69148456Spjd	u_char *p;
70148456Spjd	int error;
71148456Spjd
72213070Spjd	KASSERT(algo != CRYPTO_AES_XTS,
73213070Spjd	    ("%s: CRYPTO_AES_XTS unexpected here", __func__));
74213070Spjd
75148456Spjd	bzero(&cri, sizeof(cri));
76148456Spjd	cri.cri_alg = algo;
77148456Spjd	cri.cri_key = __DECONST(void *, key);
78148456Spjd	cri.cri_klen = keysize;
79167755Ssam	error = crypto_newsession(&sid, &cri, CRYPTOCAP_F_SOFTWARE);
80148456Spjd	if (error != 0)
81148456Spjd		return (error);
82148456Spjd	p = malloc(sizeof(*crp) + sizeof(*crd) + sizeof(*uio) + sizeof(*iov),
83148456Spjd	    M_ELI, M_NOWAIT | M_ZERO);
84148456Spjd	if (p == NULL) {
85148456Spjd		crypto_freesession(sid);
86148456Spjd		return (ENOMEM);
87148456Spjd	}
88148456Spjd	crp = (struct cryptop *)p;	p += sizeof(*crp);
89148456Spjd	crd = (struct cryptodesc *)p;	p += sizeof(*crd);
90148456Spjd	uio = (struct uio *)p;		p += sizeof(*uio);
91148456Spjd	iov = (struct iovec *)p;	p += sizeof(*iov);
92148456Spjd
93148456Spjd	iov->iov_len = datasize;
94148456Spjd	iov->iov_base = data;
95148456Spjd
96148456Spjd	uio->uio_iov = iov;
97148456Spjd	uio->uio_iovcnt = 1;
98148456Spjd	uio->uio_segflg = UIO_SYSSPACE;
99148456Spjd	uio->uio_resid = datasize;
100148456Spjd
101148456Spjd	crd->crd_skip = 0;
102148456Spjd	crd->crd_len = datasize;
103157900Spjd	crd->crd_flags = CRD_F_IV_EXPLICIT | CRD_F_IV_PRESENT;
104148456Spjd	if (enc)
105148456Spjd		crd->crd_flags |= CRD_F_ENCRYPT;
106148456Spjd	crd->crd_alg = algo;
107148456Spjd	crd->crd_key = __DECONST(void *, key);
108148456Spjd	crd->crd_klen = keysize;
109148456Spjd	bzero(crd->crd_iv, sizeof(crd->crd_iv));
110148456Spjd	crd->crd_next = NULL;
111148456Spjd
112148456Spjd	crp->crp_sid = sid;
113148456Spjd	crp->crp_ilen = datasize;
114148456Spjd	crp->crp_olen = datasize;
115148456Spjd	crp->crp_opaque = NULL;
116148456Spjd	crp->crp_callback = g_eli_crypto_done;
117148456Spjd	crp->crp_buf = (void *)uio;
118148456Spjd	crp->crp_flags = CRYPTO_F_IOV | CRYPTO_F_CBIFSYNC | CRYPTO_F_REL;
119148456Spjd	crp->crp_desc = crd;
120148456Spjd
121148456Spjd	error = crypto_dispatch(crp);
122148456Spjd	if (error == 0) {
123148456Spjd		while (crp->crp_opaque == NULL)
124148456Spjd			tsleep(crp, PRIBIO, "geli", hz / 5);
125148456Spjd		error = crp->crp_etype;
126148456Spjd	}
127148456Spjd
128148456Spjd	free(crp, M_ELI);
129148456Spjd	crypto_freesession(sid);
130148456Spjd	return (error);
131148456Spjd}
132148456Spjd#else	/* !_KERNEL */
133148456Spjdstatic int
134148456Spjdg_eli_crypto_cipher(u_int algo, int enc, u_char *data, size_t datasize,
135148456Spjd    const u_char *key, size_t keysize)
136148456Spjd{
137148456Spjd	EVP_CIPHER_CTX ctx;
138148456Spjd	const EVP_CIPHER *type;
139148456Spjd	u_char iv[keysize];
140148456Spjd	int outsize;
141148456Spjd
142213070Spjd	assert(algo != CRYPTO_AES_XTS);
143213070Spjd
144148456Spjd	switch (algo) {
145148456Spjd	case CRYPTO_NULL_CBC:
146148456Spjd		type = EVP_enc_null();
147148456Spjd		break;
148148456Spjd	case CRYPTO_AES_CBC:
149148456Spjd		switch (keysize) {
150148456Spjd		case 128:
151148456Spjd			type = EVP_aes_128_cbc();
152148456Spjd			break;
153148456Spjd		case 192:
154148456Spjd			type = EVP_aes_192_cbc();
155148456Spjd			break;
156148456Spjd		case 256:
157148456Spjd			type = EVP_aes_256_cbc();
158148456Spjd			break;
159148456Spjd		default:
160148456Spjd			return (EINVAL);
161148456Spjd		}
162148456Spjd		break;
163148456Spjd	case CRYPTO_BLF_CBC:
164148456Spjd		type = EVP_bf_cbc();
165148456Spjd		break;
166173746Sjb#ifndef OPENSSL_NO_CAMELLIA
167172031Spjd	case CRYPTO_CAMELLIA_CBC:
168172031Spjd		switch (keysize) {
169172031Spjd		case 128:
170172031Spjd			type = EVP_camellia_128_cbc();
171172031Spjd			break;
172172031Spjd		case 192:
173172031Spjd			type = EVP_camellia_192_cbc();
174172031Spjd			break;
175172031Spjd		case 256:
176172031Spjd			type = EVP_camellia_256_cbc();
177172031Spjd			break;
178172031Spjd		default:
179172031Spjd			return (EINVAL);
180172031Spjd		}
181172031Spjd		break;
182173746Sjb#endif
183148456Spjd	case CRYPTO_3DES_CBC:
184148456Spjd		type = EVP_des_ede3_cbc();
185148456Spjd		break;
186148456Spjd	default:
187148456Spjd		return (EINVAL);
188148456Spjd	}
189148456Spjd
190148456Spjd	EVP_CIPHER_CTX_init(&ctx);
191148456Spjd
192148456Spjd	EVP_CipherInit_ex(&ctx, type, NULL, NULL, NULL, enc);
193148456Spjd	EVP_CIPHER_CTX_set_key_length(&ctx, keysize / 8);
194148456Spjd	EVP_CIPHER_CTX_set_padding(&ctx, 0);
195148456Spjd	bzero(iv, sizeof(iv));
196148456Spjd	EVP_CipherInit_ex(&ctx, NULL, NULL, key, iv, enc);
197148456Spjd
198148456Spjd	if (EVP_CipherUpdate(&ctx, data, &outsize, data, datasize) == 0) {
199148456Spjd		EVP_CIPHER_CTX_cleanup(&ctx);
200148456Spjd		return (EINVAL);
201148456Spjd	}
202148456Spjd	assert(outsize == (int)datasize);
203148456Spjd
204148456Spjd	if (EVP_CipherFinal_ex(&ctx, data + outsize, &outsize) == 0) {
205148456Spjd		EVP_CIPHER_CTX_cleanup(&ctx);
206148456Spjd		return (EINVAL);
207148456Spjd	}
208148456Spjd	assert(outsize == 0);
209148456Spjd
210148456Spjd	EVP_CIPHER_CTX_cleanup(&ctx);
211148456Spjd	return (0);
212148456Spjd}
213148456Spjd#endif	/* !_KERNEL */
214148456Spjd
215148456Spjdint
216148456Spjdg_eli_crypto_encrypt(u_int algo, u_char *data, size_t datasize,
217148456Spjd    const u_char *key, size_t keysize)
218148456Spjd{
219148456Spjd
220213070Spjd	/* We prefer AES-CBC for metadata protection. */
221213070Spjd	if (algo == CRYPTO_AES_XTS)
222213070Spjd		algo = CRYPTO_AES_CBC;
223213070Spjd
224148456Spjd	return (g_eli_crypto_cipher(algo, 1, data, datasize, key, keysize));
225148456Spjd}
226148456Spjd
227148456Spjdint
228148456Spjdg_eli_crypto_decrypt(u_int algo, u_char *data, size_t datasize,
229148456Spjd    const u_char *key, size_t keysize)
230148456Spjd{
231148456Spjd
232213070Spjd	/* We prefer AES-CBC for metadata protection. */
233213070Spjd	if (algo == CRYPTO_AES_XTS)
234213070Spjd		algo = CRYPTO_AES_CBC;
235213070Spjd
236148456Spjd	return (g_eli_crypto_cipher(algo, 0, data, datasize, key, keysize));
237148456Spjd}
238148456Spjd
239148456Spjdvoid
240148456Spjdg_eli_crypto_hmac_init(struct hmac_ctx *ctx, const uint8_t *hkey,
241148456Spjd    size_t hkeylen)
242148456Spjd{
243148456Spjd	u_char k_ipad[128], key[128];
244148456Spjd	SHA512_CTX lctx;
245148456Spjd	u_int i;
246148456Spjd
247148456Spjd	bzero(key, sizeof(key));
248148456Spjd	if (hkeylen == 0)
249148456Spjd		; /* do nothing */
250148456Spjd	else if (hkeylen <= 128)
251148456Spjd		bcopy(hkey, key, hkeylen);
252148456Spjd	else {
253148456Spjd		/* If key is longer than 128 bytes reset it to key = SHA512(key). */
254148456Spjd		SHA512_Init(&lctx);
255148456Spjd		SHA512_Update(&lctx, hkey, hkeylen);
256148456Spjd		SHA512_Final(key, &lctx);
257148456Spjd	}
258148456Spjd
259148456Spjd	/* XOR key with ipad and opad values. */
260148456Spjd	for (i = 0; i < sizeof(key); i++) {
261148456Spjd		k_ipad[i] = key[i] ^ 0x36;
262148456Spjd		ctx->k_opad[i] = key[i] ^ 0x5c;
263148456Spjd	}
264148456Spjd	bzero(key, sizeof(key));
265148456Spjd	/* Perform inner SHA512. */
266148456Spjd	SHA512_Init(&ctx->shactx);
267148456Spjd	SHA512_Update(&ctx->shactx, k_ipad, sizeof(k_ipad));
268262318Sdelphij	bzero(k_ipad, sizeof(k_ipad));
269148456Spjd}
270148456Spjd
271148456Spjdvoid
272148456Spjdg_eli_crypto_hmac_update(struct hmac_ctx *ctx, const uint8_t *data,
273148456Spjd    size_t datasize)
274148456Spjd{
275148456Spjd
276148456Spjd	SHA512_Update(&ctx->shactx, data, datasize);
277148456Spjd}
278148456Spjd
279148456Spjdvoid
280148456Spjdg_eli_crypto_hmac_final(struct hmac_ctx *ctx, uint8_t *md, size_t mdsize)
281148456Spjd{
282148456Spjd	u_char digest[SHA512_MDLEN];
283148456Spjd	SHA512_CTX lctx;
284148456Spjd
285148456Spjd	SHA512_Final(digest, &ctx->shactx);
286148456Spjd	/* Perform outer SHA512. */
287148456Spjd	SHA512_Init(&lctx);
288148456Spjd	SHA512_Update(&lctx, ctx->k_opad, sizeof(ctx->k_opad));
289148456Spjd	bzero(ctx, sizeof(*ctx));
290148456Spjd	SHA512_Update(&lctx, digest, sizeof(digest));
291148456Spjd	SHA512_Final(digest, &lctx);
292266749Smarius	bzero(&lctx, sizeof(lctx));
293148456Spjd	/* mdsize == 0 means "Give me the whole hash!" */
294148456Spjd	if (mdsize == 0)
295148456Spjd		mdsize = SHA512_MDLEN;
296148456Spjd	bcopy(digest, md, mdsize);
297266749Smarius	bzero(digest, sizeof(digest));
298148456Spjd}
299148456Spjd
300148456Spjdvoid
301148456Spjdg_eli_crypto_hmac(const uint8_t *hkey, size_t hkeysize, const uint8_t *data,
302148456Spjd    size_t datasize, uint8_t *md, size_t mdsize)
303148456Spjd{
304148456Spjd	struct hmac_ctx ctx;
305148456Spjd
306148456Spjd	g_eli_crypto_hmac_init(&ctx, hkey, hkeysize);
307148456Spjd	g_eli_crypto_hmac_update(&ctx, data, datasize);
308148456Spjd	g_eli_crypto_hmac_final(&ctx, md, mdsize);
309148456Spjd}
310