1148456Spjd/*- 2213072Spjd * Copyright (c) 2005-2010 Pawel Jakub Dawidek <pjd@FreeBSD.org> 3148456Spjd * All rights reserved. 4148456Spjd * 5148456Spjd * Redistribution and use in source and binary forms, with or without 6148456Spjd * modification, are permitted provided that the following conditions 7148456Spjd * are met: 8148456Spjd * 1. Redistributions of source code must retain the above copyright 9148456Spjd * notice, this list of conditions and the following disclaimer. 10148456Spjd * 2. Redistributions in binary form must reproduce the above copyright 11148456Spjd * notice, this list of conditions and the following disclaimer in the 12148456Spjd * documentation and/or other materials provided with the distribution. 13155174Spjd * 14148456Spjd * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 15148456Spjd * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16148456Spjd * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17148456Spjd * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 18148456Spjd * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19148456Spjd * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20148456Spjd * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21148456Spjd * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22148456Spjd * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23148456Spjd * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24148456Spjd * SUCH DAMAGE. 25148456Spjd */ 26148456Spjd 27148456Spjd#include <sys/cdefs.h> 28148456Spjd__FBSDID("$FreeBSD$"); 29148456Spjd 30148456Spjd#include <sys/param.h> 31148456Spjd#ifdef _KERNEL 32148456Spjd#include <sys/systm.h> 33148456Spjd#include <sys/kernel.h> 34148456Spjd#include <sys/malloc.h> 35148456Spjd#include <sys/uio.h> 36148456Spjd#else 37148456Spjd#include <stdint.h> 38148456Spjd#include <string.h> 39148456Spjd#include <strings.h> 40148456Spjd#include <errno.h> 41148456Spjd#include <assert.h> 42148456Spjd#include <openssl/evp.h> 43148456Spjd#define _OpenSSL_ 44148456Spjd#endif 45148456Spjd#include <geom/eli/g_eli.h> 46148456Spjd 47148456Spjd#ifdef _KERNEL 48148456SpjdMALLOC_DECLARE(M_ELI); 49148456Spjd 50148456Spjdstatic int 51148456Spjdg_eli_crypto_done(struct cryptop *crp) 52148456Spjd{ 53148456Spjd 54148456Spjd crp->crp_opaque = (void *)crp; 55148456Spjd wakeup(crp); 56148456Spjd return (0); 57148456Spjd} 58148456Spjd 59148456Spjdstatic int 60148456Spjdg_eli_crypto_cipher(u_int algo, int enc, u_char *data, size_t datasize, 61148456Spjd const u_char *key, size_t keysize) 62148456Spjd{ 63148456Spjd struct cryptoini cri; 64148456Spjd struct cryptop *crp; 65148456Spjd struct cryptodesc *crd; 66148456Spjd struct uio *uio; 67148456Spjd struct iovec *iov; 68148456Spjd uint64_t sid; 69148456Spjd u_char *p; 70148456Spjd int error; 71148456Spjd 72213070Spjd KASSERT(algo != CRYPTO_AES_XTS, 73213070Spjd ("%s: CRYPTO_AES_XTS unexpected here", __func__)); 74213070Spjd 75148456Spjd bzero(&cri, sizeof(cri)); 76148456Spjd cri.cri_alg = algo; 77148456Spjd cri.cri_key = __DECONST(void *, key); 78148456Spjd cri.cri_klen = keysize; 79167755Ssam error = crypto_newsession(&sid, &cri, CRYPTOCAP_F_SOFTWARE); 80148456Spjd if (error != 0) 81148456Spjd return (error); 82148456Spjd p = malloc(sizeof(*crp) + sizeof(*crd) + sizeof(*uio) + sizeof(*iov), 83148456Spjd M_ELI, M_NOWAIT | M_ZERO); 84148456Spjd if (p == NULL) { 85148456Spjd crypto_freesession(sid); 86148456Spjd return (ENOMEM); 87148456Spjd } 88148456Spjd crp = (struct cryptop *)p; p += sizeof(*crp); 89148456Spjd crd = (struct cryptodesc *)p; p += sizeof(*crd); 90148456Spjd uio = (struct uio *)p; p += sizeof(*uio); 91148456Spjd iov = (struct iovec *)p; p += sizeof(*iov); 92148456Spjd 93148456Spjd iov->iov_len = datasize; 94148456Spjd iov->iov_base = data; 95148456Spjd 96148456Spjd uio->uio_iov = iov; 97148456Spjd uio->uio_iovcnt = 1; 98148456Spjd uio->uio_segflg = UIO_SYSSPACE; 99148456Spjd uio->uio_resid = datasize; 100148456Spjd 101148456Spjd crd->crd_skip = 0; 102148456Spjd crd->crd_len = datasize; 103157900Spjd crd->crd_flags = CRD_F_IV_EXPLICIT | CRD_F_IV_PRESENT; 104148456Spjd if (enc) 105148456Spjd crd->crd_flags |= CRD_F_ENCRYPT; 106148456Spjd crd->crd_alg = algo; 107148456Spjd crd->crd_key = __DECONST(void *, key); 108148456Spjd crd->crd_klen = keysize; 109148456Spjd bzero(crd->crd_iv, sizeof(crd->crd_iv)); 110148456Spjd crd->crd_next = NULL; 111148456Spjd 112148456Spjd crp->crp_sid = sid; 113148456Spjd crp->crp_ilen = datasize; 114148456Spjd crp->crp_olen = datasize; 115148456Spjd crp->crp_opaque = NULL; 116148456Spjd crp->crp_callback = g_eli_crypto_done; 117148456Spjd crp->crp_buf = (void *)uio; 118148456Spjd crp->crp_flags = CRYPTO_F_IOV | CRYPTO_F_CBIFSYNC | CRYPTO_F_REL; 119148456Spjd crp->crp_desc = crd; 120148456Spjd 121148456Spjd error = crypto_dispatch(crp); 122148456Spjd if (error == 0) { 123148456Spjd while (crp->crp_opaque == NULL) 124148456Spjd tsleep(crp, PRIBIO, "geli", hz / 5); 125148456Spjd error = crp->crp_etype; 126148456Spjd } 127148456Spjd 128148456Spjd free(crp, M_ELI); 129148456Spjd crypto_freesession(sid); 130148456Spjd return (error); 131148456Spjd} 132148456Spjd#else /* !_KERNEL */ 133148456Spjdstatic int 134148456Spjdg_eli_crypto_cipher(u_int algo, int enc, u_char *data, size_t datasize, 135148456Spjd const u_char *key, size_t keysize) 136148456Spjd{ 137148456Spjd EVP_CIPHER_CTX ctx; 138148456Spjd const EVP_CIPHER *type; 139148456Spjd u_char iv[keysize]; 140148456Spjd int outsize; 141148456Spjd 142213070Spjd assert(algo != CRYPTO_AES_XTS); 143213070Spjd 144148456Spjd switch (algo) { 145148456Spjd case CRYPTO_NULL_CBC: 146148456Spjd type = EVP_enc_null(); 147148456Spjd break; 148148456Spjd case CRYPTO_AES_CBC: 149148456Spjd switch (keysize) { 150148456Spjd case 128: 151148456Spjd type = EVP_aes_128_cbc(); 152148456Spjd break; 153148456Spjd case 192: 154148456Spjd type = EVP_aes_192_cbc(); 155148456Spjd break; 156148456Spjd case 256: 157148456Spjd type = EVP_aes_256_cbc(); 158148456Spjd break; 159148456Spjd default: 160148456Spjd return (EINVAL); 161148456Spjd } 162148456Spjd break; 163148456Spjd case CRYPTO_BLF_CBC: 164148456Spjd type = EVP_bf_cbc(); 165148456Spjd break; 166173746Sjb#ifndef OPENSSL_NO_CAMELLIA 167172031Spjd case CRYPTO_CAMELLIA_CBC: 168172031Spjd switch (keysize) { 169172031Spjd case 128: 170172031Spjd type = EVP_camellia_128_cbc(); 171172031Spjd break; 172172031Spjd case 192: 173172031Spjd type = EVP_camellia_192_cbc(); 174172031Spjd break; 175172031Spjd case 256: 176172031Spjd type = EVP_camellia_256_cbc(); 177172031Spjd break; 178172031Spjd default: 179172031Spjd return (EINVAL); 180172031Spjd } 181172031Spjd break; 182173746Sjb#endif 183148456Spjd case CRYPTO_3DES_CBC: 184148456Spjd type = EVP_des_ede3_cbc(); 185148456Spjd break; 186148456Spjd default: 187148456Spjd return (EINVAL); 188148456Spjd } 189148456Spjd 190148456Spjd EVP_CIPHER_CTX_init(&ctx); 191148456Spjd 192148456Spjd EVP_CipherInit_ex(&ctx, type, NULL, NULL, NULL, enc); 193148456Spjd EVP_CIPHER_CTX_set_key_length(&ctx, keysize / 8); 194148456Spjd EVP_CIPHER_CTX_set_padding(&ctx, 0); 195148456Spjd bzero(iv, sizeof(iv)); 196148456Spjd EVP_CipherInit_ex(&ctx, NULL, NULL, key, iv, enc); 197148456Spjd 198148456Spjd if (EVP_CipherUpdate(&ctx, data, &outsize, data, datasize) == 0) { 199148456Spjd EVP_CIPHER_CTX_cleanup(&ctx); 200148456Spjd return (EINVAL); 201148456Spjd } 202148456Spjd assert(outsize == (int)datasize); 203148456Spjd 204148456Spjd if (EVP_CipherFinal_ex(&ctx, data + outsize, &outsize) == 0) { 205148456Spjd EVP_CIPHER_CTX_cleanup(&ctx); 206148456Spjd return (EINVAL); 207148456Spjd } 208148456Spjd assert(outsize == 0); 209148456Spjd 210148456Spjd EVP_CIPHER_CTX_cleanup(&ctx); 211148456Spjd return (0); 212148456Spjd} 213148456Spjd#endif /* !_KERNEL */ 214148456Spjd 215148456Spjdint 216148456Spjdg_eli_crypto_encrypt(u_int algo, u_char *data, size_t datasize, 217148456Spjd const u_char *key, size_t keysize) 218148456Spjd{ 219148456Spjd 220213070Spjd /* We prefer AES-CBC for metadata protection. */ 221213070Spjd if (algo == CRYPTO_AES_XTS) 222213070Spjd algo = CRYPTO_AES_CBC; 223213070Spjd 224148456Spjd return (g_eli_crypto_cipher(algo, 1, data, datasize, key, keysize)); 225148456Spjd} 226148456Spjd 227148456Spjdint 228148456Spjdg_eli_crypto_decrypt(u_int algo, u_char *data, size_t datasize, 229148456Spjd const u_char *key, size_t keysize) 230148456Spjd{ 231148456Spjd 232213070Spjd /* We prefer AES-CBC for metadata protection. */ 233213070Spjd if (algo == CRYPTO_AES_XTS) 234213070Spjd algo = CRYPTO_AES_CBC; 235213070Spjd 236148456Spjd return (g_eli_crypto_cipher(algo, 0, data, datasize, key, keysize)); 237148456Spjd} 238148456Spjd 239148456Spjdvoid 240148456Spjdg_eli_crypto_hmac_init(struct hmac_ctx *ctx, const uint8_t *hkey, 241148456Spjd size_t hkeylen) 242148456Spjd{ 243148456Spjd u_char k_ipad[128], key[128]; 244148456Spjd SHA512_CTX lctx; 245148456Spjd u_int i; 246148456Spjd 247148456Spjd bzero(key, sizeof(key)); 248148456Spjd if (hkeylen == 0) 249148456Spjd ; /* do nothing */ 250148456Spjd else if (hkeylen <= 128) 251148456Spjd bcopy(hkey, key, hkeylen); 252148456Spjd else { 253148456Spjd /* If key is longer than 128 bytes reset it to key = SHA512(key). */ 254148456Spjd SHA512_Init(&lctx); 255148456Spjd SHA512_Update(&lctx, hkey, hkeylen); 256148456Spjd SHA512_Final(key, &lctx); 257148456Spjd } 258148456Spjd 259148456Spjd /* XOR key with ipad and opad values. */ 260148456Spjd for (i = 0; i < sizeof(key); i++) { 261148456Spjd k_ipad[i] = key[i] ^ 0x36; 262148456Spjd ctx->k_opad[i] = key[i] ^ 0x5c; 263148456Spjd } 264148456Spjd bzero(key, sizeof(key)); 265148456Spjd /* Perform inner SHA512. */ 266148456Spjd SHA512_Init(&ctx->shactx); 267148456Spjd SHA512_Update(&ctx->shactx, k_ipad, sizeof(k_ipad)); 268262318Sdelphij bzero(k_ipad, sizeof(k_ipad)); 269148456Spjd} 270148456Spjd 271148456Spjdvoid 272148456Spjdg_eli_crypto_hmac_update(struct hmac_ctx *ctx, const uint8_t *data, 273148456Spjd size_t datasize) 274148456Spjd{ 275148456Spjd 276148456Spjd SHA512_Update(&ctx->shactx, data, datasize); 277148456Spjd} 278148456Spjd 279148456Spjdvoid 280148456Spjdg_eli_crypto_hmac_final(struct hmac_ctx *ctx, uint8_t *md, size_t mdsize) 281148456Spjd{ 282148456Spjd u_char digest[SHA512_MDLEN]; 283148456Spjd SHA512_CTX lctx; 284148456Spjd 285148456Spjd SHA512_Final(digest, &ctx->shactx); 286148456Spjd /* Perform outer SHA512. */ 287148456Spjd SHA512_Init(&lctx); 288148456Spjd SHA512_Update(&lctx, ctx->k_opad, sizeof(ctx->k_opad)); 289148456Spjd bzero(ctx, sizeof(*ctx)); 290148456Spjd SHA512_Update(&lctx, digest, sizeof(digest)); 291148456Spjd SHA512_Final(digest, &lctx); 292266749Smarius bzero(&lctx, sizeof(lctx)); 293148456Spjd /* mdsize == 0 means "Give me the whole hash!" */ 294148456Spjd if (mdsize == 0) 295148456Spjd mdsize = SHA512_MDLEN; 296148456Spjd bcopy(digest, md, mdsize); 297266749Smarius bzero(digest, sizeof(digest)); 298148456Spjd} 299148456Spjd 300148456Spjdvoid 301148456Spjdg_eli_crypto_hmac(const uint8_t *hkey, size_t hkeysize, const uint8_t *data, 302148456Spjd size_t datasize, uint8_t *md, size_t mdsize) 303148456Spjd{ 304148456Spjd struct hmac_ctx ctx; 305148456Spjd 306148456Spjd g_eli_crypto_hmac_init(&ctx, hkey, hkeysize); 307148456Spjd g_eli_crypto_hmac_update(&ctx, data, datasize); 308148456Spjd g_eli_crypto_hmac_final(&ctx, md, mdsize); 309148456Spjd} 310