2 * Copyright (c) 2005 Pawel Jakub Dawidek <pjd@FreeBSD.org>
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 #include <sys/cdefs.h>
28 __FBSDID("$FreeBSD$");
30 #include <sys/param.h>
32 #include <sys/systm.h>
33 #include <sys/kernel.h>
34 #include <sys/malloc.h>
42 #include <openssl/evp.h>
45 #include <geom/eli/g_eli.h>
48 MALLOC_DECLARE(M_ELI);
51 g_eli_crypto_done(struct cryptop *crp)
54 crp->crp_opaque = (void *)crp;
60 g_eli_crypto_cipher(u_int algo, int enc, u_char *data, size_t datasize,
61 const u_char *key, size_t keysize)
65 struct cryptodesc *crd;
72 bzero(&cri, sizeof(cri));
74 cri.cri_key = __DECONST(void *, key);
75 cri.cri_klen = keysize;
76 error = crypto_newsession(&sid, &cri, CRYPTOCAP_F_SOFTWARE);
79 p = malloc(sizeof(*crp) + sizeof(*crd) + sizeof(*uio) + sizeof(*iov),
80 M_ELI, M_NOWAIT | M_ZERO);
82 crypto_freesession(sid);
85 crp = (struct cryptop *)p; p += sizeof(*crp);
86 crd = (struct cryptodesc *)p; p += sizeof(*crd);
87 uio = (struct uio *)p; p += sizeof(*uio);
88 iov = (struct iovec *)p; p += sizeof(*iov);
90 iov->iov_len = datasize;
95 uio->uio_segflg = UIO_SYSSPACE;
96 uio->uio_resid = datasize;
99 crd->crd_len = datasize;
100 crd->crd_flags = CRD_F_IV_EXPLICIT | CRD_F_IV_PRESENT;
102 crd->crd_flags |= CRD_F_ENCRYPT;
104 crd->crd_key = __DECONST(void *, key);
105 crd->crd_klen = keysize;
106 bzero(crd->crd_iv, sizeof(crd->crd_iv));
107 crd->crd_next = NULL;
110 crp->crp_ilen = datasize;
111 crp->crp_olen = datasize;
112 crp->crp_opaque = NULL;
113 crp->crp_callback = g_eli_crypto_done;
114 crp->crp_buf = (void *)uio;
115 crp->crp_flags = CRYPTO_F_IOV | CRYPTO_F_CBIFSYNC | CRYPTO_F_REL;
118 error = crypto_dispatch(crp);
120 while (crp->crp_opaque == NULL)
121 tsleep(crp, PRIBIO, "geli", hz / 5);
122 error = crp->crp_etype;
126 crypto_freesession(sid);
131 g_eli_crypto_cipher(u_int algo, int enc, u_char *data, size_t datasize,
132 const u_char *key, size_t keysize)
135 const EVP_CIPHER *type;
140 case CRYPTO_NULL_CBC:
141 type = EVP_enc_null();
146 type = EVP_aes_128_cbc();
149 type = EVP_aes_192_cbc();
152 type = EVP_aes_256_cbc();
161 #ifndef OPENSSL_NO_CAMELLIA
162 case CRYPTO_CAMELLIA_CBC:
165 type = EVP_camellia_128_cbc();
168 type = EVP_camellia_192_cbc();
171 type = EVP_camellia_256_cbc();
178 case CRYPTO_3DES_CBC:
179 type = EVP_des_ede3_cbc();
185 EVP_CIPHER_CTX_init(&ctx);
187 EVP_CipherInit_ex(&ctx, type, NULL, NULL, NULL, enc);
188 EVP_CIPHER_CTX_set_key_length(&ctx, keysize / 8);
189 EVP_CIPHER_CTX_set_padding(&ctx, 0);
190 bzero(iv, sizeof(iv));
191 EVP_CipherInit_ex(&ctx, NULL, NULL, key, iv, enc);
193 if (EVP_CipherUpdate(&ctx, data, &outsize, data, datasize) == 0) {
194 EVP_CIPHER_CTX_cleanup(&ctx);
197 assert(outsize == (int)datasize);
199 if (EVP_CipherFinal_ex(&ctx, data + outsize, &outsize) == 0) {
200 EVP_CIPHER_CTX_cleanup(&ctx);
203 assert(outsize == 0);
205 EVP_CIPHER_CTX_cleanup(&ctx);
208 #endif /* !_KERNEL */
211 g_eli_crypto_encrypt(u_int algo, u_char *data, size_t datasize,
212 const u_char *key, size_t keysize)
215 return (g_eli_crypto_cipher(algo, 1, data, datasize, key, keysize));
219 g_eli_crypto_decrypt(u_int algo, u_char *data, size_t datasize,
220 const u_char *key, size_t keysize)
223 return (g_eli_crypto_cipher(algo, 0, data, datasize, key, keysize));
227 g_eli_crypto_hmac_init(struct hmac_ctx *ctx, const uint8_t *hkey,
230 u_char k_ipad[128], key[128];
234 bzero(key, sizeof(key));
237 else if (hkeylen <= 128)
238 bcopy(hkey, key, hkeylen);
240 /* If key is longer than 128 bytes reset it to key = SHA512(key). */
242 SHA512_Update(&lctx, hkey, hkeylen);
243 SHA512_Final(key, &lctx);
246 /* XOR key with ipad and opad values. */
247 for (i = 0; i < sizeof(key); i++) {
248 k_ipad[i] = key[i] ^ 0x36;
249 ctx->k_opad[i] = key[i] ^ 0x5c;
251 bzero(key, sizeof(key));
252 /* Perform inner SHA512. */
253 SHA512_Init(&ctx->shactx);
254 SHA512_Update(&ctx->shactx, k_ipad, sizeof(k_ipad));
258 g_eli_crypto_hmac_update(struct hmac_ctx *ctx, const uint8_t *data,
262 SHA512_Update(&ctx->shactx, data, datasize);
266 g_eli_crypto_hmac_final(struct hmac_ctx *ctx, uint8_t *md, size_t mdsize)
268 u_char digest[SHA512_MDLEN];
271 SHA512_Final(digest, &ctx->shactx);
272 /* Perform outer SHA512. */
274 SHA512_Update(&lctx, ctx->k_opad, sizeof(ctx->k_opad));
275 bzero(ctx, sizeof(*ctx));
276 SHA512_Update(&lctx, digest, sizeof(digest));
277 SHA512_Final(digest, &lctx);
278 /* mdsize == 0 means "Give me the whole hash!" */
280 mdsize = SHA512_MDLEN;
281 bcopy(digest, md, mdsize);
285 g_eli_crypto_hmac(const uint8_t *hkey, size_t hkeysize, const uint8_t *data,
286 size_t datasize, uint8_t *md, size_t mdsize)
290 g_eli_crypto_hmac_init(&ctx, hkey, hkeysize);
291 g_eli_crypto_hmac_update(&ctx, data, datasize);
292 g_eli_crypto_hmac_final(&ctx, md, mdsize);