Permalink
Browse files

separate out bits; implement gcrypt backend

 * NOTE: probably doesn't even compile yet
  • Loading branch information...
1 parent 74d8de8 commit 65808bd3587f6167a4d6fdd567ae9eb8804a2180 @bwalex committed Jul 20, 2011
Showing with 656 additions and 487 deletions.
  1. +37 −248 crypto-dev.c
  2. +140 −231 crypto-gcrypt.c
  3. +242 −0 crypto.c
  4. +175 −0 generic_xts.c
  5. +49 −0 generic_xts.h
  6. +2 −3 hdr.c
  7. +2 −3 tcplay.c
  8. +9 −2 tcplay.h
View
@@ -38,7 +38,6 @@
#include <string.h>
#include <openssl/evp.h>
-#include "crc32.h"
#include "tcplay.h"
static
@@ -73,13 +72,40 @@ setallowsoft(int new)
static
int
-syscrypt(int cipher, unsigned char *key, size_t klen, unsigned char *iv,
+get_cryptodev_cipher_id(struct tc_crypto_algo *cipher)
+{
+ if (strcmp(cipher->name, "AES-128-XTS") == 0)
+ return CRYPTO_AES_XTS;
+ else if (strcmp(cipher->name, "AES-256-XTS") == 0)
+ return CRYPTO_AES_XTS;
+ else if (strcmp(cipher->name, "TWOFISH-128-XTS") == 0)
+ return CRYPTO_TWOFISH_XTS;
+ else if (strcmp(cipher->name, "TWOFISH-256-XTS") == 0)
+ return CRYPTO_TWOFISH_XTS;
+ else if (strcmp(cipher->name, "SERPENT-128-XTS") == 0)
+ return CRYPTO_SERPENT_XTS;
+ else if (strcmp(cipher->name, "SERPENT-256-XTS") == 0)
+ return CRYPTO_SERPENT_XTS;
+ else
+ return -1;
+}
+
+int
+syscrypt(struct tc_crypto_algo *cipher, unsigned char *key, size_t klen, unsigned char *iv,
unsigned char *in, unsigned char *out, size_t len, int do_encrypt)
{
struct session_op session;
struct crypt_op cryp;
+ int cipher_id;
int cryptodev_fd = -1, fd = -1;
+ cipher_id = get_cryptodev_cipher_id(cipher);
+ if (cipher_id < 0) {
+ tc_log(1, "Cipher %s not found\n",
+ cipher->name);
+ return ENOENT;
+ }
+
if ((cryptodev_fd = open("/dev/crypto", O_RDWR, 0)) < 0) {
perror("Could not open /dev/crypto");
goto err;
@@ -89,7 +115,7 @@ syscrypt(int cipher, unsigned char *key, size_t klen, unsigned char *iv,
goto err;
}
memset(&session, 0, sizeof(session));
- session.cipher = cipher;
+ session.cipher = cipher_id;
session.key = (caddr_t) key;
session.keylen = klen;
if (ioctl(fd, CIOCGSESSION, &session) == -1) {
@@ -125,26 +151,6 @@ syscrypt(int cipher, unsigned char *key, size_t klen, unsigned char *iv,
return (-1);
}
-static
-int
-get_cryptodev_cipher_id(struct tc_crypto_algo *cipher)
-{
- if (strcmp(cipher->name, "AES-128-XTS") == 0)
- return CRYPTO_AES_XTS;
- else if (strcmp(cipher->name, "AES-256-XTS") == 0)
- return CRYPTO_AES_XTS;
- else if (strcmp(cipher->name, "TWOFISH-128-XTS") == 0)
- return CRYPTO_TWOFISH_XTS;
- else if (strcmp(cipher->name, "TWOFISH-256-XTS") == 0)
- return CRYPTO_TWOFISH_XTS;
- else if (strcmp(cipher->name, "SERPENT-128-XTS") == 0)
- return CRYPTO_SERPENT_XTS;
- else if (strcmp(cipher->name, "SERPENT-256-XTS") == 0)
- return CRYPTO_SERPENT_XTS;
- else
- return -1;
-}
-
int
tc_crypto_init(void)
{
@@ -160,243 +166,26 @@ tc_crypto_init(void)
}
int
-tc_cipher_chain_populate_keys(struct tc_cipher_chain *cipher_chain,
- unsigned char *key)
-{
- int total_key_bytes, used_key_bytes;
- struct tc_cipher_chain *dummy_chain;
-
- /*
- * We need to determine the total key bytes as the key locations
- * depend on it.
- */
- total_key_bytes = 0;
- for (dummy_chain = cipher_chain;
- dummy_chain != NULL;
- dummy_chain = dummy_chain->next) {
- total_key_bytes += dummy_chain->cipher->klen;
- }
-
- /*
- * Now we need to get prepare the keys, as the keys are in
- * forward order with respect to the cipher cascade, but
- * the actual decryption is in reverse cipher cascade order.
- */
- used_key_bytes = 0;
- for (dummy_chain = cipher_chain;
- dummy_chain != NULL;
- dummy_chain = dummy_chain->next) {
- dummy_chain->key = alloc_safe_mem(dummy_chain->cipher->klen);
- if (dummy_chain->key == NULL) {
- tc_log(1, "tc_decrypt: Could not allocate key "
- "memory\n");
- return ENOMEM;
- }
-
- /* XXX: here we assume XTS operation! */
- memcpy(dummy_chain->key,
- key + used_key_bytes/2,
- dummy_chain->cipher->klen/2);
- memcpy(dummy_chain->key + dummy_chain->cipher->klen/2,
- key + (total_key_bytes/2) + used_key_bytes/2,
- dummy_chain->cipher->klen/2);
-
- /* Remember how many key bytes we've seen */
- used_key_bytes += dummy_chain->cipher->klen;
- }
-
- return 0;
-}
-
-int
-tc_encrypt(struct tc_cipher_chain *cipher_chain, unsigned char *key,
- unsigned char *iv,
- unsigned char *in, int in_len, unsigned char *out)
-{
- int cipher_id;
- int err;
-
- if ((err = tc_cipher_chain_populate_keys(cipher_chain, key)))
- return err;
-
-#ifdef DEBUG
- printf("tc_encrypt: starting chain\n");
-#endif
-
- /*
- * Now process the actual decryption, in forward cascade order.
- */
- for (;
- cipher_chain != NULL;
- cipher_chain = cipher_chain->next) {
- cipher_id = get_cryptodev_cipher_id(cipher_chain->cipher);
- if (cipher_id < 0) {
- tc_log(1, "Cipher %s not found\n",
- cipher_chain->cipher->name);
- return ENOENT;
- }
-
-#ifdef DEBUG
- printf("tc_encrypt: Currently using cipher %s\n",
- cipher_chain->cipher->name);
-#endif
-
- err = syscrypt(cipher_id, cipher_chain->key,
- cipher_chain->cipher->klen, iv, in, out, in_len, 1);
-
- /* Deallocate this key, since we won't need it anymore */
- free_safe_mem(cipher_chain->key);
-
- if (err != 0)
- return err;
-
- /* Set next input buffer as current output buffer */
- in = out;
- }
-
- return 0;
-}
-
-int
-tc_decrypt(struct tc_cipher_chain *cipher_chain, unsigned char *key,
- unsigned char *iv,
- unsigned char *in, int in_len, unsigned char *out)
-{
- int cipher_id;
- int err;
-
- if ((err = tc_cipher_chain_populate_keys(cipher_chain, key)))
- return err;
-
-#ifdef DEBUG
- printf("tc_decrypt: starting chain!\n");
-#endif
-
- /*
- * Now process the actual decryption, in reverse cascade order; so
- * first find the last element in the chain.
- */
- for (; cipher_chain->next != NULL; cipher_chain = cipher_chain->next)
- ;
- for (;
- cipher_chain != NULL;
- cipher_chain = cipher_chain->prev) {
- cipher_id = get_cryptodev_cipher_id(cipher_chain->cipher);
- if (cipher_id < 0) {
- tc_log(1, "Cipher %s not found\n",
- cipher_chain->cipher->name);
- return ENOENT;
- }
-
-#ifdef DEBUG
- printf("tc_decrypt: Currently using cipher %s\n",
- cipher_chain->cipher->name);
-#endif
-
- err = syscrypt(cipher_id, cipher_chain->key,
- cipher_chain->cipher->klen, iv, in, out, in_len, 0);
-
- /* Deallocate this key, since we won't need it anymore */
- free_safe_mem(cipher_chain->key);
-
- if (err != 0)
- return err;
-
- /* Set next input buffer as current output buffer */
- in = out;
- }
-
- return 0;
-}
-
-int
-pbkdf2(const char *pass, int passlen, const unsigned char *salt, int saltlen,
- int iter, const char *hash_name, int keylen, unsigned char *out)
+pbkdf2(struct pbkdf_prf_algo *hash, const char *pass, int passlen,
+ const unsigned char *salt, int saltlen,
+ int keylen, unsigned char *out)
{
const EVP_MD *md;
int r;
- md = EVP_get_digestbyname(hash_name);
+ md = EVP_get_digestbyname(hash->name);
if (md == NULL) {
- printf("Hash %s not found\n", hash_name);
+ tc_log(1, "Hash %s not found\n", hash_name);
return ENOENT;
}
- r = PKCS5_PBKDF2_HMAC(pass, passlen, salt, saltlen, iter, md,
- keylen, out);
+ r = PKCS5_PBKDF2_HMAC(pass, passlen, salt, saltlen,
+ hash->iteration_count, md, keylen, out);
if (r == 0) {
- printf("Error in PBKDF2\n");
+ tc_log(1, "Error in PBKDF2\n");
return EINVAL;
}
return 0;
}
-int
-apply_keyfiles(unsigned char *pass, size_t pass_memsz, const char *keyfiles[],
- int nkeyfiles)
-{
- int pl, k;
- unsigned char *kpool;
- unsigned char *kdata;
- int kpool_idx;
- size_t i, kdata_sz;
- uint32_t crc;
-
- if (pass_memsz < MAX_PASSSZ) {
- tc_log(1, "Not enough memory for password manipluation\n");
- return ENOMEM;
- }
-
- pl = strlen(pass);
- memset(pass+pl, 0, MAX_PASSSZ-pl);
-
- if ((kpool = alloc_safe_mem(KPOOL_SZ)) == NULL) {
- tc_log(1, "Error allocating memory for keyfile pool\n");
- return ENOMEM;
- }
-
- memset(kpool, 0, KPOOL_SZ);
-
- for (k = 0; k < nkeyfiles; k++) {
-#ifdef DEBUG
- printf("Loading keyfile %s into kpool\n", keyfiles[k]);
-#endif
- kpool_idx = 0;
- crc = ~0U;
- kdata_sz = MAX_KFILE_SZ;
-
- if ((kdata = read_to_safe_mem(keyfiles[k], 0, &kdata_sz)) == NULL) {
- tc_log(1, "Error reading keyfile %s content\n",
- keyfiles[k]);
- free_safe_mem(kpool);
- return EIO;
- }
-
- for (i = 0; i < kdata_sz; i++) {
- crc = crc32_intermediate(crc, kdata[i]);
-
- kpool[kpool_idx++] += (unsigned char)(crc >> 24);
- kpool[kpool_idx++] += (unsigned char)(crc >> 16);
- kpool[kpool_idx++] += (unsigned char)(crc >> 8);
- kpool[kpool_idx++] += (unsigned char)(crc);
-
- /* Wrap around */
- if (kpool_idx == KPOOL_SZ)
- kpool_idx = 0;
- }
-
- free_safe_mem(kdata);
- }
-
-#ifdef DEBUG
- printf("Applying kpool to passphrase\n");
-#endif
- /* Apply keyfile pool to passphrase */
- for (i = 0; i < KPOOL_SZ; i++)
- pass[i] += kpool[i];
-
- free_safe_mem(kpool);
-
- return 0;
-}
Oops, something went wrong.

0 comments on commit 65808bd

Please sign in to comment.