1 /* 2 BAREOS® - Backup Archiving REcovery Open Sourced 3 4 Copyright (C) 2005-2007 Free Software Foundation Europe e.V. 5 Copyright (C) 2016-2016 Bareos GmbH & Co. KG 6 7 This program is Free Software; you can redistribute it and/or 8 modify it under the terms of version three of the GNU Affero General Public 9 License as published by the Free Software Foundation and included 10 in the file LICENSE. 11 12 This program is distributed in the hope that it will be useful, but 13 WITHOUT ANY WARRANTY; without even the implied warranty of 14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 15 Affero General Public License for more details. 16 17 You should have received a copy of the GNU Affero General Public License 18 along with this program; if not, write to the Free Software 19 Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 20 02110-1301, USA. 21 */ 22 /* 23 * Author: Landon Fuller <landonf@opendarwin.org> 24 */ 25 /** 26 * @file 27 * crypto.h Encryption support functions 28 */ 29 30 #ifndef BAREOS_LIB_CRYPTO_H_ 31 #define BAREOS_LIB_CRYPTO_H_ 32 33 /* Opaque X509 Public/Private Key Pair Structure */ 34 typedef struct X509_Keypair X509_KEYPAIR; 35 36 /* Opaque Message Digest Structure */ 37 /* Digest is defined (twice) in crypto.c */ 38 typedef struct Digest DIGEST; 39 40 /* Opaque Message Signature Structure */ 41 typedef struct Signature SIGNATURE; 42 43 /* Opaque PKI Symmetric Key Data Structure */ 44 typedef struct Crypto_Session CRYPTO_SESSION; 45 46 /* Opaque Encryption/Decryption Context Structure */ 47 typedef struct Cipher_Context CIPHER_CONTEXT; 48 49 /* PEM Decryption Passphrase Callback */ 50 typedef int (CRYPTO_PEM_PASSWD_CB) (char *buf, int size, const void *userdata); 51 52 /** Server TLS-PSK callback */ 53 typedef int(CRYPTO_TLS_PSK_SERVER_CB)(const char *identity, 54 unsigned char *psk, 55 unsigned int max_psk_len); 56 57 /** Client TLS-PSK callback */ 58 typedef int(CRYPTO_TLS_PSK_CLIENT_CB)(char *identity, 59 unsigned int max_identity_len, 60 unsigned char *psk, 61 unsigned int max_psk_len); 62 63 /* Digest Types */ 64 typedef enum { 65 /* These are stored on disk and MUST NOT change */ 66 CRYPTO_DIGEST_NONE = 0, 67 CRYPTO_DIGEST_MD5 = 1, 68 CRYPTO_DIGEST_SHA1 = 2, 69 CRYPTO_DIGEST_SHA256 = 3, 70 CRYPTO_DIGEST_SHA512 = 4 71 } crypto_digest_t; 72 73 /* Cipher Types */ 74 typedef enum { 75 /* These are not stored on disk */ 76 CRYPTO_CIPHER_NONE = 0, 77 CRYPTO_CIPHER_BLOWFISH_CBC = 1, 78 CRYPTO_CIPHER_3DES_CBC = 2, 79 CRYPTO_CIPHER_AES_128_CBC = 3, 80 CRYPTO_CIPHER_AES_192_CBC = 4, 81 CRYPTO_CIPHER_AES_256_CBC = 5, 82 CRYPTO_CIPHER_CAMELLIA_128_CBC = 6, 83 CRYPTO_CIPHER_CAMELLIA_192_CBC = 7, 84 CRYPTO_CIPHER_CAMELLIA_256_CBC = 8, 85 CRYPTO_CIPHER_AES_128_CBC_HMAC_SHA1 = 9, 86 CRYPTO_CIPHER_AES_256_CBC_HMAC_SHA1 = 10 87 } crypto_cipher_t; 88 89 /* Crypto API Errors */ 90 typedef enum { 91 CRYPTO_ERROR_NONE = 0, /* No error */ 92 CRYPTO_ERROR_NOSIGNER = 1, /* Signer not found */ 93 CRYPTO_ERROR_NORECIPIENT = 2, /* Recipient not found */ 94 CRYPTO_ERROR_INVALID_DIGEST = 3, /* Unsupported digest algorithm */ 95 CRYPTO_ERROR_INVALID_CRYPTO = 4, /* Unsupported encryption algorithm */ 96 CRYPTO_ERROR_BAD_SIGNATURE = 5, /* Signature is invalid */ 97 CRYPTO_ERROR_DECRYPTION = 6, /* Decryption error */ 98 CRYPTO_ERROR_INTERNAL = 7 /* Internal Error */ 99 } crypto_error_t; 100 101 /* Message Digest Sizes */ 102 #define CRYPTO_DIGEST_MD5_SIZE 16 /* 128 bits */ 103 #define CRYPTO_DIGEST_SHA1_SIZE 20 /* 160 bits */ 104 #define CRYPTO_DIGEST_SHA256_SIZE 32 /* 256 bits */ 105 #define CRYPTO_DIGEST_SHA512_SIZE 64 /* 512 bits */ 106 107 /* Maximum Message Digest Size */ 108 #ifdef HAVE_OPENSSL 109 110 #define CRYPTO_DIGEST_MAX_SIZE 64 111 #define CRYPTO_CIPHER_MAX_BLOCK_SIZE 32 112 113 #else /* HAVE_OPENSSL */ 114 115 /** 116 * This must be kept in sync with the available message digest algorithms. 117 * Just in case someone forgets, I've added assertions 118 * to CryptoDigestFinalize(). 119 * MD5: 128 bits 120 * SHA-1: 160 bits 121 */ 122 #ifndef HAVE_SHA2 123 #define CRYPTO_DIGEST_MAX_SIZE CRYPTO_DIGEST_SHA1_SIZE 124 #else 125 #define CRYPTO_DIGEST_MAX_SIZE CRYPTO_DIGEST_SHA512_SIZE 126 #endif 127 128 /* Dummy Value */ 129 #define CRYPTO_CIPHER_MAX_BLOCK_SIZE 0 130 131 #endif /* HAVE_OPENSSL */ 132 133 int InitCrypto(void); 134 int CleanupCrypto(void); 135 DIGEST *crypto_digest_new(JobControlRecord *jcr, crypto_digest_t type); 136 bool CryptoDigestUpdate(DIGEST *digest, const uint8_t *data, uint32_t length); 137 bool CryptoDigestFinalize(DIGEST *digest, uint8_t *dest, uint32_t *length); 138 void CryptoDigestFree(DIGEST *digest); 139 SIGNATURE *crypto_sign_new(JobControlRecord *jcr); 140 crypto_error_t CryptoSignGetDigest(SIGNATURE *sig, X509_KEYPAIR *keypair, 141 crypto_digest_t &algorithm, DIGEST **digest); 142 crypto_error_t CryptoSignVerify(SIGNATURE *sig, X509_KEYPAIR *keypair, DIGEST *digest); 143 int CryptoSignAddSigner(SIGNATURE *sig, DIGEST *digest, X509_KEYPAIR *keypair); 144 int CryptoSignEncode(SIGNATURE *sig, uint8_t *dest, uint32_t *length); 145 SIGNATURE *crypto_sign_decode(JobControlRecord *jcr, const uint8_t *sigData, uint32_t length); 146 void CryptoSignFree(SIGNATURE *sig); 147 CRYPTO_SESSION *crypto_session_new(crypto_cipher_t cipher, alist *pubkeys); 148 void CryptoSessionFree(CRYPTO_SESSION *cs); 149 bool CryptoSessionEncode(CRYPTO_SESSION *cs, uint8_t *dest, uint32_t *length); 150 crypto_error_t CryptoSessionDecode(const uint8_t *data, uint32_t length, alist *keypairs, CRYPTO_SESSION **session); 151 CRYPTO_SESSION *CryptoSessionDecode(const uint8_t *data, uint32_t length); 152 CIPHER_CONTEXT *crypto_cipher_new(CRYPTO_SESSION *cs, bool encrypt, uint32_t *blocksize); 153 bool CryptoCipherUpdate(CIPHER_CONTEXT *cipher_ctx, const uint8_t *data, uint32_t length, const uint8_t *dest, uint32_t *written); 154 bool CryptoCipherFinalize(CIPHER_CONTEXT *cipher_ctx, uint8_t *dest, uint32_t *written); 155 void CryptoCipherFree(CIPHER_CONTEXT *cipher_ctx); 156 X509_KEYPAIR *crypto_keypair_new(void); 157 X509_KEYPAIR *crypto_keypair_dup(X509_KEYPAIR *keypair); 158 int CryptoKeypairLoadCert(X509_KEYPAIR *keypair, const char *file); 159 bool CryptoKeypairHasKey(const char *file); 160 int CryptoKeypairLoadKey(X509_KEYPAIR *keypair, const char *file, CRYPTO_PEM_PASSWD_CB *pem_callback, const void *pem_userdata); 161 void CryptoKeypairFree(X509_KEYPAIR *keypair); 162 int CryptoDefaultPemCallback(char *buf, int size, const void *userdata); 163 const char *crypto_digest_name(crypto_digest_t type); 164 const char *crypto_digest_name(DIGEST *digest); 165 crypto_digest_t CryptoDigestStreamType(int stream); 166 const char *crypto_strerror(crypto_error_t error); 167 168 #endif /* BAREOS_LIB_CRYPTO_H_ */ 169