g_eli_crypto.c revision 167755 
1/*-
2 * Copyright (c) 2005 Pawel Jakub Dawidek <pjd@FreeBSD.org>
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 *    notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 *    notice, this list of conditions and the following disclaimer in the
12 *    documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24 * SUCH DAMAGE.
25 */
26
27#include <sys/cdefs.h>
28__FBSDID("$FreeBSD: head/sys/geom/eli/g_eli_crypto.c 167755 2007-03-21 03:42:51Z sam $");
29
30#include <sys/param.h>
31#ifdef _KERNEL
32#include <sys/systm.h>
33#include <sys/kernel.h>
34#include <sys/malloc.h>
35#include <sys/uio.h>
36#else
37#include <stdint.h>
38#include <string.h>
39#include <strings.h>
40#include <errno.h>
41#include <assert.h>
42#include <openssl/evp.h>
43#define	_OpenSSL_
44#endif
45#include <geom/eli/g_eli.h>
46
47#ifdef _KERNEL
48MALLOC_DECLARE(M_ELI);
49
50static int
51g_eli_crypto_done(struct cryptop *crp)
52{
53
54	crp->crp_opaque = (void *)crp;
55	wakeup(crp);
56	return (0);
57}
58
59static int
60g_eli_crypto_cipher(u_int algo, int enc, u_char *data, size_t datasize,
61    const u_char *key, size_t keysize)
62{
63	struct cryptoini cri;
64	struct cryptop *crp;
65	struct cryptodesc *crd;
66	struct uio *uio;
67	struct iovec *iov;
68	uint64_t sid;
69	u_char *p;
70	int error;
71
72	bzero(&cri, sizeof(cri));
73	cri.cri_alg = algo;
74	cri.cri_key = __DECONST(void *, key);
75	cri.cri_klen = keysize;
76	error = crypto_newsession(&sid, &cri, CRYPTOCAP_F_SOFTWARE);
77	if (error != 0)
78		return (error);
79	p = malloc(sizeof(*crp) + sizeof(*crd) + sizeof(*uio) + sizeof(*iov),
80	    M_ELI, M_NOWAIT | M_ZERO);
81	if (p == NULL) {
82		crypto_freesession(sid);
83		return (ENOMEM);
84	}
85	crp = (struct cryptop *)p;	p += sizeof(*crp);
86	crd = (struct cryptodesc *)p;	p += sizeof(*crd);
87	uio = (struct uio *)p;		p += sizeof(*uio);
88	iov = (struct iovec *)p;	p += sizeof(*iov);
89
90	iov->iov_len = datasize;
91	iov->iov_base = data;
92
93	uio->uio_iov = iov;
94	uio->uio_iovcnt = 1;
95	uio->uio_segflg = UIO_SYSSPACE;
96	uio->uio_resid = datasize;
97
98	crd->crd_skip = 0;
99	crd->crd_len = datasize;
100	crd->crd_flags = CRD_F_IV_EXPLICIT | CRD_F_IV_PRESENT;
101	if (enc)
102		crd->crd_flags |= CRD_F_ENCRYPT;
103	crd->crd_alg = algo;
104	crd->crd_key = __DECONST(void *, key);
105	crd->crd_klen = keysize;
106	bzero(crd->crd_iv, sizeof(crd->crd_iv));
107	crd->crd_next = NULL;
108
109	crp->crp_sid = sid;
110	crp->crp_ilen = datasize;
111	crp->crp_olen = datasize;
112	crp->crp_opaque = NULL;
113	crp->crp_callback = g_eli_crypto_done;
114	crp->crp_buf = (void *)uio;
115	crp->crp_flags = CRYPTO_F_IOV | CRYPTO_F_CBIFSYNC | CRYPTO_F_REL;
116	crp->crp_desc = crd;
117
118	error = crypto_dispatch(crp);
119	if (error == 0) {
120		while (crp->crp_opaque == NULL)
121			tsleep(crp, PRIBIO, "geli", hz / 5);
122		error = crp->crp_etype;
123	}
124
125	free(crp, M_ELI);
126	crypto_freesession(sid);
127	return (error);
128}
129#else	/* !_KERNEL */
130static int
131g_eli_crypto_cipher(u_int algo, int enc, u_char *data, size_t datasize,
132    const u_char *key, size_t keysize)
133{
134	EVP_CIPHER_CTX ctx;
135	const EVP_CIPHER *type;
136	u_char iv[keysize];
137	int outsize;
138
139	switch (algo) {
140	case CRYPTO_NULL_CBC:
141		type = EVP_enc_null();
142		break;
143	case CRYPTO_AES_CBC:
144		switch (keysize) {
145		case 128:
146			type = EVP_aes_128_cbc();
147			break;
148		case 192:
149			type = EVP_aes_192_cbc();
150			break;
151		case 256:
152			type = EVP_aes_256_cbc();
153			break;
154		default:
155			return (EINVAL);
156		}
157		break;
158	case CRYPTO_BLF_CBC:
159		type = EVP_bf_cbc();
160		break;
161	case CRYPTO_3DES_CBC:
162		type = EVP_des_ede3_cbc();
163		break;
164	default:
165		return (EINVAL);
166	}
167
168	EVP_CIPHER_CTX_init(&ctx);
169
170	EVP_CipherInit_ex(&ctx, type, NULL, NULL, NULL, enc);
171	EVP_CIPHER_CTX_set_key_length(&ctx, keysize / 8);
172	EVP_CIPHER_CTX_set_padding(&ctx, 0);
173	bzero(iv, sizeof(iv));
174	EVP_CipherInit_ex(&ctx, NULL, NULL, key, iv, enc);
175
176	if (EVP_CipherUpdate(&ctx, data, &outsize, data, datasize) == 0) {
177		EVP_CIPHER_CTX_cleanup(&ctx);
178		return (EINVAL);
179	}
180	assert(outsize == (int)datasize);
181
182	if (EVP_CipherFinal_ex(&ctx, data + outsize, &outsize) == 0) {
183		EVP_CIPHER_CTX_cleanup(&ctx);
184		return (EINVAL);
185	}
186	assert(outsize == 0);
187
188	EVP_CIPHER_CTX_cleanup(&ctx);
189	return (0);
190}
191#endif	/* !_KERNEL */
192
193int
194g_eli_crypto_encrypt(u_int algo, u_char *data, size_t datasize,
195    const u_char *key, size_t keysize)
196{
197
198	return (g_eli_crypto_cipher(algo, 1, data, datasize, key, keysize));
199}
200
201int
202g_eli_crypto_decrypt(u_int algo, u_char *data, size_t datasize,
203    const u_char *key, size_t keysize)
204{
205
206	return (g_eli_crypto_cipher(algo, 0, data, datasize, key, keysize));
207}
208
209void
210g_eli_crypto_hmac_init(struct hmac_ctx *ctx, const uint8_t *hkey,
211    size_t hkeylen)
212{
213	u_char k_ipad[128], key[128];
214	SHA512_CTX lctx;
215	u_int i;
216
217	bzero(key, sizeof(key));
218	if (hkeylen == 0)
219		; /* do nothing */
220	else if (hkeylen <= 128)
221		bcopy(hkey, key, hkeylen);
222	else {
223		/* If key is longer than 128 bytes reset it to key = SHA512(key). */
224		SHA512_Init(&lctx);
225		SHA512_Update(&lctx, hkey, hkeylen);
226		SHA512_Final(key, &lctx);
227	}
228
229	/* XOR key with ipad and opad values. */
230	for (i = 0; i < sizeof(key); i++) {
231		k_ipad[i] = key[i] ^ 0x36;
232		ctx->k_opad[i] = key[i] ^ 0x5c;
233	}
234	bzero(key, sizeof(key));
235	/* Perform inner SHA512. */
236	SHA512_Init(&ctx->shactx);
237	SHA512_Update(&ctx->shactx, k_ipad, sizeof(k_ipad));
238}
239
240void
241g_eli_crypto_hmac_update(struct hmac_ctx *ctx, const uint8_t *data,
242    size_t datasize)
243{
244
245	SHA512_Update(&ctx->shactx, data, datasize);
246}
247
248void
249g_eli_crypto_hmac_final(struct hmac_ctx *ctx, uint8_t *md, size_t mdsize)
250{
251	u_char digest[SHA512_MDLEN];
252	SHA512_CTX lctx;
253
254	SHA512_Final(digest, &ctx->shactx);
255	/* Perform outer SHA512. */
256	SHA512_Init(&lctx);
257	SHA512_Update(&lctx, ctx->k_opad, sizeof(ctx->k_opad));
258	bzero(ctx, sizeof(*ctx));
259	SHA512_Update(&lctx, digest, sizeof(digest));
260	SHA512_Final(digest, &lctx);
261	/* mdsize == 0 means "Give me the whole hash!" */
262	if (mdsize == 0)
263		mdsize = SHA512_MDLEN;
264	bcopy(digest, md, mdsize);
265}
266
267void
268g_eli_crypto_hmac(const uint8_t *hkey, size_t hkeysize, const uint8_t *data,
269    size_t datasize, uint8_t *md, size_t mdsize)
270{
271	struct hmac_ctx ctx;
272
273	g_eli_crypto_hmac_init(&ctx, hkey, hkeysize);
274	g_eli_crypto_hmac_update(&ctx, data, datasize);
275	g_eli_crypto_hmac_final(&ctx, md, mdsize);
276}
277