1 /*
2    BAREOS® - Backup Archiving REcovery Open Sourced
3 
4    Copyright (C) 2005-2007 Free Software Foundation Europe e.V.
5    Copyright (C) 2016-2016 Bareos GmbH & Co. KG
6 
7    This program is Free Software; you can redistribute it and/or
8    modify it under the terms of version three of the GNU Affero General Public
9    License as published by the Free Software Foundation and included
10    in the file LICENSE.
11 
12    This program is distributed in the hope that it will be useful, but
13    WITHOUT ANY WARRANTY; without even the implied warranty of
14    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15    Affero General Public License for more details.
16 
17    You should have received a copy of the GNU Affero General Public License
18    along with this program; if not, write to the Free Software
19    Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
20    02110-1301, USA.
21 */
22 /*
23  * Author: Landon Fuller <landonf@opendarwin.org>
24  */
25 /**
26  * @file
27  * crypto.h Encryption support functions
28  */
29 
30 #ifndef BAREOS_LIB_CRYPTO_H_
31 #define BAREOS_LIB_CRYPTO_H_
32 
33 class alist;
34 
35 /* Opaque X509 Public/Private Key Pair Structure */
36 typedef struct X509_Keypair X509_KEYPAIR;
37 
38 /* Opaque Message Digest Structure */
39 /* Digest is defined (twice) in crypto.c */
40 typedef struct Digest DIGEST;
41 
42 /* Opaque Message Signature Structure */
43 typedef struct Signature SIGNATURE;
44 
45 /* Opaque PKI Symmetric Key Data Structure */
46 typedef struct Crypto_Session CRYPTO_SESSION;
47 
48 /* Opaque Encryption/Decryption Context Structure */
49 typedef struct Cipher_Context CIPHER_CONTEXT;
50 
51 /* PEM Decryption Passphrase Callback */
52 typedef int(CRYPTO_PEM_PASSWD_CB)(char* buf, int size, const void* userdata);
53 
54 /** Server TLS-PSK callback */
55 typedef int(CRYPTO_TLS_PSK_SERVER_CB)(const char* identity,
56                                       unsigned char* psk,
57                                       unsigned int max_psk_len);
58 
59 /** Client TLS-PSK callback */
60 typedef int(CRYPTO_TLS_PSK_CLIENT_CB)(char* identity,
61                                       unsigned int max_identity_len,
62                                       unsigned char* psk,
63                                       unsigned int max_psk_len);
64 
65 /* Digest Types */
66 typedef enum
67 {
68   /* These are stored on disk and MUST NOT change */
69   CRYPTO_DIGEST_NONE = 0,
70   CRYPTO_DIGEST_MD5 = 1,
71   CRYPTO_DIGEST_SHA1 = 2,
72   CRYPTO_DIGEST_SHA256 = 3,
73   CRYPTO_DIGEST_SHA512 = 4
74 } crypto_digest_t;
75 
76 /* Cipher Types */
77 typedef enum
78 {
79   /* These are not stored on disk */
80   CRYPTO_CIPHER_NONE = 0,
81   CRYPTO_CIPHER_BLOWFISH_CBC = 1,
82   CRYPTO_CIPHER_3DES_CBC = 2,
83   CRYPTO_CIPHER_AES_128_CBC = 3,
84   CRYPTO_CIPHER_AES_192_CBC = 4,
85   CRYPTO_CIPHER_AES_256_CBC = 5,
86   CRYPTO_CIPHER_CAMELLIA_128_CBC = 6,
87   CRYPTO_CIPHER_CAMELLIA_192_CBC = 7,
88   CRYPTO_CIPHER_CAMELLIA_256_CBC = 8,
89   CRYPTO_CIPHER_AES_128_CBC_HMAC_SHA1 = 9,
90   CRYPTO_CIPHER_AES_256_CBC_HMAC_SHA1 = 10
91 } crypto_cipher_t;
92 
93 /* Crypto API Errors */
94 typedef enum
95 {
96   CRYPTO_ERROR_NONE = 0,           /* No error */
97   CRYPTO_ERROR_NOSIGNER = 1,       /* Signer not found */
98   CRYPTO_ERROR_NORECIPIENT = 2,    /* Recipient not found */
99   CRYPTO_ERROR_INVALID_DIGEST = 3, /* Unsupported digest algorithm */
100   CRYPTO_ERROR_INVALID_CRYPTO = 4, /* Unsupported encryption algorithm */
101   CRYPTO_ERROR_BAD_SIGNATURE = 5,  /* Signature is invalid */
102   CRYPTO_ERROR_DECRYPTION = 6,     /* Decryption error */
103   CRYPTO_ERROR_INTERNAL = 7        /* Internal Error */
104 } crypto_error_t;
105 
106 /* Message Digest Sizes */
107 #define CRYPTO_DIGEST_MD5_SIZE 16    /* 128 bits */
108 #define CRYPTO_DIGEST_SHA1_SIZE 20   /* 160 bits */
109 #define CRYPTO_DIGEST_SHA256_SIZE 32 /* 256 bits */
110 #define CRYPTO_DIGEST_SHA512_SIZE 64 /* 512 bits */
111 
112 /* Maximum Message Digest Size */
113 #ifdef HAVE_OPENSSL
114 
115 #define CRYPTO_DIGEST_MAX_SIZE 64
116 #define CRYPTO_CIPHER_MAX_BLOCK_SIZE 32
117 
118 #else /* HAVE_OPENSSL */
119 
120 /**
121  * This must be kept in sync with the available message digest algorithms.
122  * Just in case someone forgets, I've added assertions
123  * to CryptoDigestFinalize().
124  *      MD5: 128 bits
125  *      SHA-1: 160 bits
126  */
127 #ifndef HAVE_SHA2
128 #define CRYPTO_DIGEST_MAX_SIZE CRYPTO_DIGEST_SHA1_SIZE
129 #else
130 #define CRYPTO_DIGEST_MAX_SIZE CRYPTO_DIGEST_SHA512_SIZE
131 #endif
132 
133 /* Dummy Value */
134 #define CRYPTO_CIPHER_MAX_BLOCK_SIZE 0
135 
136 #endif /* HAVE_OPENSSL */
137 
138 int InitCrypto(void);
139 int CleanupCrypto(void);
140 DIGEST* crypto_digest_new(JobControlRecord* jcr, crypto_digest_t type);
141 bool CryptoDigestUpdate(DIGEST* digest, const uint8_t* data, uint32_t length);
142 bool CryptoDigestFinalize(DIGEST* digest, uint8_t* dest, uint32_t* length);
143 void CryptoDigestFree(DIGEST* digest);
144 SIGNATURE* crypto_sign_new(JobControlRecord* jcr);
145 crypto_error_t CryptoSignGetDigest(SIGNATURE* sig,
146                                    X509_KEYPAIR* keypair,
147                                    crypto_digest_t& algorithm,
148                                    DIGEST** digest);
149 crypto_error_t CryptoSignVerify(SIGNATURE* sig,
150                                 X509_KEYPAIR* keypair,
151                                 DIGEST* digest);
152 int CryptoSignAddSigner(SIGNATURE* sig, DIGEST* digest, X509_KEYPAIR* keypair);
153 int CryptoSignEncode(SIGNATURE* sig, uint8_t* dest, uint32_t* length);
154 SIGNATURE* crypto_sign_decode(JobControlRecord* jcr,
155                               const uint8_t* sigData,
156                               uint32_t length);
157 void CryptoSignFree(SIGNATURE* sig);
158 CRYPTO_SESSION* crypto_session_new(crypto_cipher_t cipher, alist* pubkeys);
159 void CryptoSessionFree(CRYPTO_SESSION* cs);
160 bool CryptoSessionEncode(CRYPTO_SESSION* cs, uint8_t* dest, uint32_t* length);
161 crypto_error_t CryptoSessionDecode(const uint8_t* data,
162                                    uint32_t length,
163                                    alist* keypairs,
164                                    CRYPTO_SESSION** session);
165 CRYPTO_SESSION* CryptoSessionDecode(const uint8_t* data, uint32_t length);
166 CIPHER_CONTEXT* crypto_cipher_new(CRYPTO_SESSION* cs,
167                                   bool encrypt,
168                                   uint32_t* blocksize);
169 bool CryptoCipherUpdate(CIPHER_CONTEXT* cipher_ctx,
170                         const uint8_t* data,
171                         uint32_t length,
172                         const uint8_t* dest,
173                         uint32_t* written);
174 bool CryptoCipherFinalize(CIPHER_CONTEXT* cipher_ctx,
175                           uint8_t* dest,
176                           uint32_t* written);
177 void CryptoCipherFree(CIPHER_CONTEXT* cipher_ctx);
178 X509_KEYPAIR* crypto_keypair_new(void);
179 X509_KEYPAIR* crypto_keypair_dup(X509_KEYPAIR* keypair);
180 int CryptoKeypairLoadCert(X509_KEYPAIR* keypair, const char* file);
181 bool CryptoKeypairHasKey(const char* file);
182 int CryptoKeypairLoadKey(X509_KEYPAIR* keypair,
183                          const char* file,
184                          CRYPTO_PEM_PASSWD_CB* pem_callback,
185                          const void* pem_userdata);
186 void CryptoKeypairFree(X509_KEYPAIR* keypair);
187 int CryptoDefaultPemCallback(char* buf, int size, const void* userdata);
188 const char* crypto_digest_name(crypto_digest_t type);
189 const char* crypto_digest_name(DIGEST* digest);
190 crypto_digest_t CryptoDigestStreamType(int stream);
191 const char* crypto_strerror(crypto_error_t error);
192 
193 #endif /* BAREOS_LIB_CRYPTO_H_ */
194