geom/eli/g_eli_crypto.c

193323Sed/*-
193323Sed * Copyright (c) 2005 Pawel Jakub Dawidek <pjd@FreeBSD.org>
193323Sed * All rights reserved.
193323Sed *
193323Sed * Redistribution and use in source and binary forms, with or without
193323Sed * modification, are permitted provided that the following conditions
193323Sed * are met:
193323Sed * 1. Redistributions of source code must retain the above copyright
193323Sed *    notice, this list of conditions and the following disclaimer.
193323Sed * 2. Redistributions in binary form must reproduce the above copyright
249423Sdim *    notice, this list of conditions and the following disclaimer in the
193323Sed *    documentation and/or other materials provided with the distribution.
193323Sed *
193323Sed * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
263508Sdim * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
202878Srdivacky * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
193323Sed * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
249423Sdim * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
198090Srdivacky * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
202878Srdivacky * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
202878Srdivacky * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
206083Srdivacky * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
201360Srdivacky * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
198090Srdivacky * SUCH DAMAGE.
198090Srdivacky */
202878Srdivacky
263508Sdim#include <sys/cdefs.h>
193323Sed__FBSDID("$FreeBSD: head/sys/geom/eli/g_eli_crypto.c 157900 2006-04-20 06:33:46Z pjd $");
193323Sed
193323Sed#include <sys/param.h>
193323Sed#ifdef _KERNEL
193323Sed#include <sys/systm.h>
193323Sed#include <sys/kernel.h>
193323Sed#include <sys/malloc.h>
193323Sed#include <sys/uio.h>
193323Sed#else
263508Sdim#include <stdint.h>
263508Sdim#include <string.h>
263508Sdim#include <strings.h>
263508Sdim#include <errno.h>
193323Sed#include <assert.h>
193323Sed#include <openssl/evp.h>
193323Sed#define	_OpenSSL_
193323Sed#endif
193323Sed#include <geom/eli/g_eli.h>
193323Sed
193323Sed#ifdef _KERNEL
193323SedMALLOC_DECLARE(M_ELI);
193323Sed
263508Sdimstatic int
193323Sedg_eli_crypto_done(struct cryptop *crp)
193323Sed{
193323Sed
193323Sed	crp->crp_opaque = (void *)crp;
193323Sed	wakeup(crp);
193323Sed	return (0);
193323Sed}
193323Sed
193323Sedstatic int
206274Srdivackyg_eli_crypto_cipher(u_int algo, int enc, u_char *data, size_t datasize,
193323Sed    const u_char *key, size_t keysize)
206274Srdivacky{
193323Sed	struct cryptoini cri;
193323Sed	struct cryptop *crp;
206274Srdivacky	struct cryptodesc *crd;
193323Sed	struct uio *uio;
193323Sed	struct iovec *iov;
193323Sed	uint64_t sid;
193323Sed	u_char *p;
193323Sed	int error;
193323Sed
206274Srdivacky	bzero(&cri, sizeof(cri));
226633Sdim	cri.cri_alg = algo;
193323Sed	cri.cri_key = __DECONST(void *, key);
193323Sed	cri.cri_klen = keysize;
206274Srdivacky	error = crypto_newsession(&sid, &cri, 0);
202878Srdivacky	if (error != 0)
193323Sed		return (error);
193323Sed	p = malloc(sizeof(*crp) + sizeof(*crd) + sizeof(*uio) + sizeof(*iov),
193323Sed	    M_ELI, M_NOWAIT | M_ZERO);
206274Srdivacky	if (p == NULL) {
206274Srdivacky		crypto_freesession(sid);
193323Sed		return (ENOMEM);
193323Sed	}
193323Sed	crp = (struct cryptop *)p;	p += sizeof(*crp);
198090Srdivacky	crd = (struct cryptodesc *)p;	p += sizeof(*crd);
193323Sed	uio = (struct uio *)p;		p += sizeof(*uio);
198090Srdivacky	iov = (struct iovec *)p;	p += sizeof(*iov);
193323Sed
193323Sed	iov->iov_len = datasize;
193323Sed	iov->iov_base = data;
193323Sed
198090Srdivacky	uio->uio_iov = iov;
193323Sed	uio->uio_iovcnt = 1;
193323Sed	uio->uio_segflg = UIO_SYSSPACE;
193323Sed	uio->uio_resid = datasize;
193323Sed
193323Sed	crd->crd_skip = 0;
193323Sed	crd->crd_len = datasize;
198090Srdivacky	crd->crd_flags = CRD_F_IV_EXPLICIT | CRD_F_IV_PRESENT;
193323Sed	if (enc)
193323Sed		crd->crd_flags |= CRD_F_ENCRYPT;
201360Srdivacky	crd->crd_alg = algo;
193323Sed	crd->crd_key = __DECONST(void *, key);
193323Sed	crd->crd_klen = keysize;
193323Sed	bzero(crd->crd_iv, sizeof(crd->crd_iv));
193323Sed	crd->crd_next = NULL;
193323Sed
193323Sed	crp->crp_sid = sid;
193323Sed	crp->crp_ilen = datasize;
193323Sed	crp->crp_olen = datasize;
193323Sed	crp->crp_opaque = NULL;
193323Sed	crp->crp_callback = g_eli_crypto_done;
193323Sed	crp->crp_buf = (void *)uio;
251662Sdim	crp->crp_flags = CRYPTO_F_IOV | CRYPTO_F_CBIFSYNC | CRYPTO_F_REL;
251662Sdim	crp->crp_desc = crd;
263508Sdim
263508Sdim	error = crypto_dispatch(crp);
263508Sdim	if (error == 0) {
263508Sdim		while (crp->crp_opaque == NULL)
263508Sdim			tsleep(crp, PRIBIO, "geli", hz / 5);
263508Sdim		error = crp->crp_etype;
263508Sdim	}
263508Sdim
263508Sdim	free(crp, M_ELI);
263508Sdim	crypto_freesession(sid);
249423Sdim	return (error);
249423Sdim}
249423Sdim#else	/* !_KERNEL */
249423Sdimstatic int
249423Sdimg_eli_crypto_cipher(u_int algo, int enc, u_char *data, size_t datasize,
263508Sdim    const u_char *key, size_t keysize)
249423Sdim{
249423Sdim	EVP_CIPHER_CTX ctx;
263508Sdim	const EVP_CIPHER *type;
263508Sdim	u_char iv[keysize];
263508Sdim	int outsize;
263508Sdim
263508Sdim	switch (algo) {
263508Sdim	case CRYPTO_NULL_CBC:
263508Sdim		type = EVP_enc_null();
263508Sdim		break;
263508Sdim	case CRYPTO_AES_CBC:
263508Sdim		switch (keysize) {
263508Sdim		case 128:
263508Sdim			type = EVP_aes_128_cbc();
193323Sed			break;
251662Sdim		case 192:
193323Sed			type = EVP_aes_192_cbc();
193323Sed			break;
193323Sed		case 256:
193323Sed			type = EVP_aes_256_cbc();
193323Sed			break;
193323Sed		default:
198090Srdivacky			return (EINVAL);
193323Sed		}
204961Srdivacky		break;
193323Sed	case CRYPTO_BLF_CBC:
193323Sed		type = EVP_bf_cbc();
193323Sed		break;
193323Sed	case CRYPTO_3DES_CBC:
204961Srdivacky		type = EVP_des_ede3_cbc();
193323Sed		break;
204961Srdivacky	default:
193323Sed		return (EINVAL);
193323Sed	}
249423Sdim
193323Sed	EVP_CIPHER_CTX_init(&ctx);
193323Sed
193323Sed	EVP_CipherInit_ex(&ctx, type, NULL, NULL, NULL, enc);
193323Sed	EVP_CIPHER_CTX_set_key_length(&ctx, keysize / 8);
193323Sed	EVP_CIPHER_CTX_set_padding(&ctx, 0);
193323Sed	bzero(iv, sizeof(iv));
193323Sed	EVP_CipherInit_ex(&ctx, NULL, NULL, key, iv, enc);
193323Sed
193323Sed	if (EVP_CipherUpdate(&ctx, data, &outsize, data, datasize) == 0) {
193323Sed		EVP_CIPHER_CTX_cleanup(&ctx);
193323Sed		return (EINVAL);
193323Sed	}
193323Sed	assert(outsize == (int)datasize);
193323Sed
193323Sed	if (EVP_CipherFinal_ex(&ctx, data + outsize, &outsize) == 0) {
193323Sed		EVP_CIPHER_CTX_cleanup(&ctx);
193323Sed		return (EINVAL);
193323Sed	}
193323Sed	assert(outsize == 0);
251662Sdim
193323Sed	EVP_CIPHER_CTX_cleanup(&ctx);
193323Sed	return (0);
193323Sed}
193323Sed#endif	/* !_KERNEL */
193323Sed
193323Sedint
201360Srdivackyg_eli_crypto_encrypt(u_int algo, u_char *data, size_t datasize,
193323Sed    const u_char *key, size_t keysize)
193323Sed{
193323Sed
234353Sdim	return (g_eli_crypto_cipher(algo, 1, data, datasize, key, keysize));
193323Sed}
193323Sed
263508Sdimint
201360Srdivackyg_eli_crypto_decrypt(u_int algo, u_char *data, size_t datasize,
193323Sed    const u_char *key, size_t keysize)
193323Sed{
193323Sed
193323Sed	return (g_eli_crypto_cipher(algo, 0, data, datasize, key, keysize));
193323Sed}
193323Sed
193323Sedvoid
193323Sedg_eli_crypto_hmac_init(struct hmac_ctx *ctx, const uint8_t *hkey,
193323Sed    size_t hkeylen)
263508Sdim{
202878Srdivacky	u_char k_ipad[128], key[128];
193323Sed	SHA512_CTX lctx;
243830Sdim	u_int i;
243830Sdim
243830Sdim	bzero(key, sizeof(key));
243830Sdim	if (hkeylen == 0)
263508Sdim		; /* do nothing */
243830Sdim	else if (hkeylen <= 128)
193323Sed		bcopy(hkey, key, hkeylen);
193323Sed	else {
202878Srdivacky		/* If key is longer than 128 bytes reset it to key = SHA512(key). */
193323Sed		SHA512_Init(&lctx);
202878Srdivacky		SHA512_Update(&lctx, hkey, hkeylen);
249423Sdim		SHA512_Final(key, &lctx);
193323Sed	}
202878Srdivacky
193323Sed	/* XOR key with ipad and opad values. */
202878Srdivacky	for (i = 0; i < sizeof(key); i++) {
249423Sdim		k_ipad[i] = key[i] ^ 0x36;
249423Sdim		ctx->k_opad[i] = key[i] ^ 0x5c;
206274Srdivacky	}
206274Srdivacky	bzero(key, sizeof(key));
243830Sdim	/* Perform inner SHA512. */
243830Sdim	SHA512_Init(&ctx->shactx);
198090Srdivacky	SHA512_Update(&ctx->shactx, k_ipad, sizeof(k_ipad));
193323Sed}
249423Sdim
193323Sedvoid
193323Sedg_eli_crypto_hmac_update(struct hmac_ctx *ctx, const uint8_t *data,
193323Sed    size_t datasize)
193323Sed{
263508Sdim
193323Sed	SHA512_Update(&ctx->shactx, data, datasize);
243830Sdim}
193323Sed
193323Sedvoid
193323Sedg_eli_crypto_hmac_final(struct hmac_ctx *ctx, uint8_t *md, size_t mdsize)
193323Sed{
193323Sed	u_char digest[SHA512_MDLEN];
249423Sdim	SHA512_CTX lctx;
193323Sed
193323Sed	SHA512_Final(digest, &ctx->shactx);
193323Sed	/* Perform outer SHA512. */
193323Sed	SHA512_Init(&lctx);
249423Sdim	SHA512_Update(&lctx, ctx->k_opad, sizeof(ctx->k_opad));
249423Sdim	bzero(ctx, sizeof(*ctx));
198090Srdivacky	SHA512_Update(&lctx, digest, sizeof(digest));
198090Srdivacky	SHA512_Final(digest, &lctx);
243830Sdim	/* mdsize == 0 means "Give me the whole hash!" */
234353Sdim	if (mdsize == 0)
193323Sed		mdsize = SHA512_MDLEN;
193323Sed	bcopy(digest, md, mdsize);
193323Sed}
193323Sed
263508Sdimvoid
234353Sdimg_eli_crypto_hmac(const uint8_t *hkey, size_t hkeysize, const uint8_t *data,
234353Sdim    size_t datasize, uint8_t *md, size_t mdsize)
193323Sed{
193323Sed	struct hmac_ctx ctx;
193323Sed
193323Sed	g_eli_crypto_hmac_init(&ctx, hkey, hkeysize);
263508Sdim	g_eli_crypto_hmac_update(&ctx, data, datasize);
263508Sdim	g_eli_crypto_hmac_final(&ctx, md, mdsize);
263508Sdim}
263508Sdim