1 /*
2    BAREOS® - Backup Archiving REcovery Open Sourced
3 
4    Copyright (C) 2005-2007 Free Software Foundation Europe e.V.
5    Copyright (C) 2016-2016 Bareos GmbH & Co. KG
6 
7    This program is Free Software; you can redistribute it and/or
8    modify it under the terms of version three of the GNU Affero General Public
9    License as published by the Free Software Foundation and included
10    in the file LICENSE.
11 
12    This program is distributed in the hope that it will be useful, but
13    WITHOUT ANY WARRANTY; without even the implied warranty of
14    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15    Affero General Public License for more details.
16 
17    You should have received a copy of the GNU Affero General Public License
18    along with this program; if not, write to the Free Software
19    Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
20    02110-1301, USA.
21 */
22 /*
23  * Author: Landon Fuller <landonf@opendarwin.org>
24  */
25 /**
26  * @file
27  * crypto.h Encryption support functions
28  */
29 
30 #ifndef BAREOS_LIB_CRYPTO_H_
31 #define BAREOS_LIB_CRYPTO_H_
32 
33 /* Opaque X509 Public/Private Key Pair Structure */
   /* Only forward-declared here: callers hold a pointer and use the
    * crypto_keypair_* / CryptoKeypair* functions declared further down.
    * NOTE(review): presumably holds private-key material once
    * CryptoKeypairLoadKey() has run -- confirm that CryptoKeypairFree()
    * releases it through the crypto library's own key-free routine. */
34 typedef struct X509_Keypair X509_KEYPAIR;
35 
36 /* Opaque Message Digest Structure */
37 /* Digest is defined (twice) in crypto.c */
   /* NOTE(review): "twice" presumably means one definition per crypto backend
    * (see the HAVE_OPENSSL split below) -- confirm in crypto.c. */
38 typedef struct Digest DIGEST;
39 
40 /* Opaque Message Signature Structure */
   /* Created by crypto_sign_new() or crypto_sign_decode(), released with
    * CryptoSignFree(). */
41 typedef struct Signature SIGNATURE;
42 
43 /* Opaque PKI Symmetric Key Data Structure */
   /* NOTE(review): going by the description above this carries the symmetric
    * session key -- confirm that CryptoSessionFree() zeroizes the key bytes
    * before the memory is returned to the allocator. */
44 typedef struct Crypto_Session CRYPTO_SESSION;
45 
46 /* Opaque Encryption/Decryption Context Structure */
   /* Created from a CRYPTO_SESSION by crypto_cipher_new(), released with
    * CryptoCipherFree(). */
47 typedef struct Cipher_Context CIPHER_CONTEXT;
48 
49 /* PEM Decryption Passphrase Callback */
   /*
    * Function type handed to CryptoKeypairLoadKey() together with an opaque
    * userdata pointer; CryptoDefaultPemCallback() has the same signature.
    *
    * buf / size: presumably the output buffer and its capacity in bytes, with
    * the passphrase length as the return value (same shape as OpenSSL's
    * pem_password_cb without the rwflag argument) -- confirm in crypto.c.
    *
    * Implementations must never write more than `size` bytes into buf, and
    * should avoid leaving the passphrase in long-lived memory or log output.
    */
50 typedef int (CRYPTO_PEM_PASSWD_CB) (char *buf, int size, const void *userdata);
51 
52 /** Server TLS-PSK callback */
   /*
    * identity:    identity string to look the key up for. In TLS-PSK this
    *              value is chosen by the connecting peer, so treat it as
    *              untrusted input (length, character set, lookup-key use).
    * psk:         output buffer for the pre-shared key.
    * max_psk_len: capacity of psk in bytes; never write more than this.
    *
    * NOTE(review): the return convention is not visible in this header.
    * It presumably follows OpenSSL's PSK callbacks (key length on success,
    * 0 when the identity is unknown) -- confirm. The return type is int while
    * the capacity is unsigned int, so callers should reject a negative value
    * or one larger than max_psk_len before using it as a length.
    */
53 typedef int(CRYPTO_TLS_PSK_SERVER_CB)(const char *identity,
54                                       unsigned char *psk,
55                                       unsigned int max_psk_len);
56 
57 /** Client TLS-PSK callback */
   /*
    * identity / max_identity_len: output buffer and capacity for the identity
    *                              the client presents (presumably expected to
    *                              be NUL-terminated within that capacity --
    *                              confirm).
    * psk / max_psk_len:           output buffer and capacity for the key.
    *
    * The same bounds and return-value caveats as for the server callback
    * apply: write no more than the stated capacities, and validate the
    * returned int before treating it as a length.
    */
58 typedef int(CRYPTO_TLS_PSK_CLIENT_CB)(char *identity,
59                                       unsigned int max_identity_len,
60                                       unsigned char *psk,
61                                       unsigned int max_psk_len);
62 
63 /* Digest Types */
   /*
    * Identifies the message digest algorithm. Values are passed to
    * crypto_digest_new() and crypto_digest_name(), and returned by
    * CryptoDigestStreamType().
    *
    * Security note: MD5 and SHA-1 are no longer collision resistant. Their
    * values must stay because of the on-disk rule below, but they should not
    * be relied on where an adversary can influence the hashed data; prefer
    * SHA-256 or SHA-512 for new data.
    */
64 typedef enum {
65    /* These are stored on disk and MUST NOT change */
      /* New algorithms therefore have to be appended with a fresh value;
       * existing numbers can never be reused or renumbered. */
66    CRYPTO_DIGEST_NONE = 0,
67    CRYPTO_DIGEST_MD5 = 1,
68    CRYPTO_DIGEST_SHA1 = 2,
69    CRYPTO_DIGEST_SHA256 = 3,
70    CRYPTO_DIGEST_SHA512 = 4
71 } crypto_digest_t;
72 
73 /* Cipher Types */
   /*
    * Identifies the symmetric cipher for crypto_session_new().
    *
    * Security notes:
    *  - Blowfish and 3DES are 64-bit block ciphers; in CBC mode block
    *    collisions become likely after roughly 2^32 blocks under one key,
    *    which matters for large data sets. Prefer the 128-bit-block ciphers.
    *  - Plain CBC gives confidentiality only. Integrity has to come from
    *    elsewhere (presumably the SIGNATURE functions in this header --
    *    confirm how callers combine them).
    *  - NOTE(review): if the *_CBC_HMAC_SHA1 entries map to OpenSSL's
    *    EVP_aes_*_cbc_hmac_sha1 ciphers, OpenSSL documents those as intended
    *    for TLS use only and not conforming to its AEAD interface -- confirm
    *    the mapping and usage in crypto.c.
    */
74 typedef enum {
75    /* These are not stored on disk */
      /* Unlike crypto_digest_t, so the numeric values are not a format
       * commitment according to the comment above. */
76    CRYPTO_CIPHER_NONE = 0,
77    CRYPTO_CIPHER_BLOWFISH_CBC = 1,
78    CRYPTO_CIPHER_3DES_CBC = 2,
79    CRYPTO_CIPHER_AES_128_CBC = 3,
80    CRYPTO_CIPHER_AES_192_CBC = 4,
81    CRYPTO_CIPHER_AES_256_CBC = 5,
82    CRYPTO_CIPHER_CAMELLIA_128_CBC = 6,
83    CRYPTO_CIPHER_CAMELLIA_192_CBC = 7,
84    CRYPTO_CIPHER_CAMELLIA_256_CBC = 8,
85    CRYPTO_CIPHER_AES_128_CBC_HMAC_SHA1 = 9,
86    CRYPTO_CIPHER_AES_256_CBC_HMAC_SHA1 = 10
87 } crypto_cipher_t;
88 
89 /* Crypto API Errors */
   /*
    * Result code of CryptoSignGetDigest(), CryptoSignVerify() and the
    * four-argument CryptoSessionDecode(); crypto_strerror() turns a value into
    * text. CRYPTO_ERROR_NONE is 0, every other value is a failure.
    *
    * Callers should treat any non-zero result as "do not use the output":
    * after CRYPTO_ERROR_BAD_SIGNATURE the data is unauthenticated, and after
    * CRYPTO_ERROR_DECRYPTION any plaintext produced so far must be discarded.
    */
90 typedef enum {
91    CRYPTO_ERROR_NONE = 0,           /* No error */
92    CRYPTO_ERROR_NOSIGNER = 1,       /* Signer not found */
93    CRYPTO_ERROR_NORECIPIENT = 2,    /* Recipient not found */
94    CRYPTO_ERROR_INVALID_DIGEST = 3, /* Unsupported digest algorithm */
95    CRYPTO_ERROR_INVALID_CRYPTO = 4, /* Unsupported encryption algorithm */
96    CRYPTO_ERROR_BAD_SIGNATURE = 5,  /* Signature is invalid */
97    CRYPTO_ERROR_DECRYPTION = 6,     /* Decryption error */
98    CRYPTO_ERROR_INTERNAL = 7        /* Internal Error */
99 } crypto_error_t;
100 
101 /* Message Digest Sizes */
    /* Output length of each digest in bytes; the trailing comments give the
     * same size in bits. */
102 #define CRYPTO_DIGEST_MD5_SIZE 16     /* 128 bits */
103 #define CRYPTO_DIGEST_SHA1_SIZE 20    /* 160 bits */
104 #define CRYPTO_DIGEST_SHA256_SIZE 32  /* 256 bits */
105 #define CRYPTO_DIGEST_SHA512_SIZE 64  /* 512 bits */
106 
107 /* Maximum Message Digest Size */
    /*
     * This section also defines the largest cipher block size. Both constants
     * depend on the build configuration, so a buffer sized with them is only
     * large enough for the algorithms compiled into the same build.
     * NOTE(review): a dest buffer of CRYPTO_DIGEST_MAX_SIZE bytes is presumably
     * what CryptoDigestFinalize() expects -- confirm in crypto.c.
     */
108 #ifdef HAVE_OPENSSL
109 
    /* 64 bytes, the same value as CRYPTO_DIGEST_SHA512_SIZE above. */
110 #define CRYPTO_DIGEST_MAX_SIZE 64
    /* Upper bound in bytes for a cipher block in the OpenSSL build. */
111 #define CRYPTO_CIPHER_MAX_BLOCK_SIZE 32
112 
113 #else /* HAVE_OPENSSL */
114 
115 /**
116  * This must be kept in sync with the available message digest algorithms.
117  * Just in case someone forgets, I've added assertions
118  * to CryptoDigestFinalize().
119  *      MD5: 128 bits
120  *      SHA-1: 160 bits
     *      SHA-512: 512 bits (the maximum only when HAVE_SHA2 is defined)
121  */
122 #ifndef HAVE_SHA2
123 #define CRYPTO_DIGEST_MAX_SIZE CRYPTO_DIGEST_SHA1_SIZE
124 #else
125 #define CRYPTO_DIGEST_MAX_SIZE CRYPTO_DIGEST_SHA512_SIZE
126 #endif
127 
128 /* Dummy Value */
    /* The block size is 0 when HAVE_OPENSSL is not defined.
     * NOTE(review): confirm that no code path sizes a buffer from this
     * constant in such a build, since the result would be a zero-length
     * buffer. */
129 #define CRYPTO_CIPHER_MAX_BLOCK_SIZE 0
130 
131 #endif /* HAVE_OPENSSL */
132 
    /*
     * Public crypto API (declarations only).
     *
     * - The reference parameter of CryptoSignGetDigest() and the overloaded
     *   names CryptoSessionDecode / crypto_digest_name mean this header has to
     *   be compiled as C++.
     * - This header includes nothing itself: JobControlRecord, alist, bool and
     *   the uintN_t types must be declared by the including file first.
     * - The success value of the int-returning functions is not documented
     *   here; check crypto.c before testing a result with `!` or `< 0`.
     * - Behaviour notes below that a signature cannot show are marked for
     *   confirmation against crypto.c.
     */

    /* Library-wide setup and teardown. */
133 int InitCrypto(void);
134 int CleanupCrypto(void);

    /* Message digests. `length` in CryptoDigestFinalize() is presumably
     * in/out (capacity of dest on entry, bytes written on return) -- confirm.
     * A digest obtained from crypto_digest_new() is released with
     * CryptoDigestFree(). */
135 DIGEST *crypto_digest_new(JobControlRecord *jcr, crypto_digest_t type);
136 bool CryptoDigestUpdate(DIGEST *digest, const uint8_t *data, uint32_t length);
137 bool CryptoDigestFinalize(DIGEST *digest, uint8_t *dest, uint32_t *length);
138 void CryptoDigestFree(DIGEST *digest);

    /* Signatures. Any CryptoSignVerify() result other than CRYPTO_ERROR_NONE
     * has to be handled as "data not authenticated".
     * crypto_sign_decode() parses sigData/length, which presumably comes from
     * stored or received backup data; the decoder is then a trust boundary and
     * must stay within `length` bytes -- confirm in crypto.c. */
139 SIGNATURE *crypto_sign_new(JobControlRecord *jcr);
140 crypto_error_t CryptoSignGetDigest(SIGNATURE *sig, X509_KEYPAIR *keypair,
141                                       crypto_digest_t &algorithm, DIGEST **digest);
142 crypto_error_t CryptoSignVerify(SIGNATURE *sig, X509_KEYPAIR *keypair, DIGEST *digest);
143 int CryptoSignAddSigner(SIGNATURE *sig, DIGEST *digest, X509_KEYPAIR *keypair);
144 int CryptoSignEncode(SIGNATURE *sig, uint8_t *dest, uint32_t *length);
145 SIGNATURE *crypto_sign_decode(JobControlRecord *jcr, const uint8_t *sigData, uint32_t length);
146 void CryptoSignFree(SIGNATURE *sig);

    /* Sessions (symmetric key wrapped for a list of public keys).
     * CryptoSessionDecode is declared twice with different parameter lists and
     * return types: the four-argument form reports a crypto_error_t and hands
     * the session back through `session`, the two-argument form returns the
     * session pointer directly.
     * NOTE(review): confirm both overloads are actually defined in crypto.c,
     * and that the two-argument form signals failure (presumably a null
     * pointer) in a way callers check. */
147 CRYPTO_SESSION *crypto_session_new(crypto_cipher_t cipher, alist *pubkeys);
148 void CryptoSessionFree(CRYPTO_SESSION *cs);
149 bool CryptoSessionEncode(CRYPTO_SESSION *cs, uint8_t *dest, uint32_t *length);
150 crypto_error_t CryptoSessionDecode(const uint8_t *data, uint32_t length, alist *keypairs, CRYPTO_SESSION **session);
151 CRYPTO_SESSION *CryptoSessionDecode(const uint8_t *data, uint32_t length);

    /* Cipher contexts. `encrypt` selects the direction; `blocksize` is an
     * output parameter.
     * NOTE(review): `dest` in CryptoCipherUpdate() is const-qualified although
     * its name and the `written` counter suggest an output buffer, as in
     * CryptoCipherFinalize(). If the implementation writes through it, the
     * const has to be cast away there and the compiler cannot catch a caller
     * passing read-only memory -- confirm and consider dropping the const. */
152 CIPHER_CONTEXT *crypto_cipher_new(CRYPTO_SESSION *cs, bool encrypt, uint32_t *blocksize);
153 bool CryptoCipherUpdate(CIPHER_CONTEXT *cipher_ctx, const uint8_t *data, uint32_t length, const uint8_t *dest, uint32_t *written);
154 bool CryptoCipherFinalize(CIPHER_CONTEXT *cipher_ctx, uint8_t *dest, uint32_t *written);
155 void CryptoCipherFree(CIPHER_CONTEXT *cipher_ctx);

    /* Key pairs. `file` names a certificate or key file on disk; the private
     * key file should be readable only by the account running the daemon.
     * pem_callback / pem_userdata supply the passphrase for an encrypted key
     * (see CRYPTO_PEM_PASSWD_CB); CryptoDefaultPemCallback() matches that
     * callback type. */
156 X509_KEYPAIR *crypto_keypair_new(void);
157 X509_KEYPAIR *crypto_keypair_dup(X509_KEYPAIR *keypair);
158 int CryptoKeypairLoadCert(X509_KEYPAIR *keypair, const char *file);
159 bool CryptoKeypairHasKey(const char *file);
160 int CryptoKeypairLoadKey(X509_KEYPAIR *keypair, const char *file, CRYPTO_PEM_PASSWD_CB *pem_callback, const void *pem_userdata);
161 void CryptoKeypairFree(X509_KEYPAIR *keypair);
162 int CryptoDefaultPemCallback(char *buf, int size, const void *userdata);

    /* Helpers. crypto_digest_name is overloaded on the digest type value and
     * on a DIGEST object. */
163 const char *crypto_digest_name(crypto_digest_t type);
164 const char *crypto_digest_name(DIGEST *digest);
165 crypto_digest_t CryptoDigestStreamType(int stream);
166 const char *crypto_strerror(crypto_error_t error);
167 
168 #endif /* BAREOS_LIB_CRYPTO_H_ */
169