1/*-
2 * Copyright (c) 2005-2006 Pawel Jakub Dawidek <pjd@FreeBSD.org>
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24 * SUCH DAMAGE.
25 *
26 * $FreeBSD: head/sys/geom/eli/g_eli.h 172031 2007-09-01 06:33:02Z pjd $
27 */
28
29#ifndef _G_ELI_H_
30#define _G_ELI_H_
31
32#include <sys/endian.h>
33#include <sys/errno.h>
34#include <sys/malloc.h>
35#include <crypto/sha2/sha2.h>
36#include <opencrypto/cryptodev.h>
37#ifdef _KERNEL
38#include <sys/bio.h>
39#include <sys/libkern.h>
40#include <geom/geom.h>
41#else
42#include <stdio.h>
43#include <string.h>
44#include <strings.h>
45#endif
46#ifndef _OpenSSL_
47#include <sys/md5.h>
48#endif
49
50#define G_ELI_CLASS_NAME "ELI"
51#define G_ELI_MAGIC "GEOM::ELI"
52#define G_ELI_SUFFIX ".eli"
53
54/*
55 * Version history:
56 * 0 - Initial version number.
57 * 1 - Added data authentication support (md_aalgo field and
58 * G_ELI_FLAG_AUTH flag).
59 * 2 - Added G_ELI_FLAG_READONLY.
60 * - IV is generated from offset converted to little-endian
61 * (flag G_ELI_FLAG_NATIVE_BYTE_ORDER will be set for older versions).
62 * 3 - Added 'configure' subcommand.
63 */
64#define G_ELI_VERSION 3
65
66/* ON DISK FLAGS. */
67/* Use random, onetime keys. */
68#define G_ELI_FLAG_ONETIME 0x00000001
69/* Ask for the passphrase from the kernel, before mounting root. */
70#define G_ELI_FLAG_BOOT 0x00000002
71/* Detach on last close, if we were open for writing. */
72#define G_ELI_FLAG_WO_DETACH 0x00000004
73/* Detach on last close. */
74#define G_ELI_FLAG_RW_DETACH 0x00000008
75/* Provide data authentication. */
76#define G_ELI_FLAG_AUTH 0x00000010
77/* Provider is read-only, we should deny all write attempts. */
78#define G_ELI_FLAG_RO 0x00000020
79/* RUNTIME FLAGS. */
80/* Provider was open for writing. */
81#define G_ELI_FLAG_WOPEN 0x00010000
82/* Destroy device. */
83#define G_ELI_FLAG_DESTROY 0x00020000
84/* Provider uses native byte-order for IV generation. */
85#define G_ELI_FLAG_NATIVE_BYTE_ORDER 0x00040000
86
87#define SHA512_MDLEN 64
88#define G_ELI_AUTH_SECKEYLEN SHA256_DIGEST_LENGTH
89
90#define G_ELI_MAXMKEYS 2
91#define G_ELI_MAXKEYLEN 64
92#define G_ELI_USERKEYLEN G_ELI_MAXKEYLEN
93#define G_ELI_DATAKEYLEN G_ELI_MAXKEYLEN
94#define G_ELI_AUTHKEYLEN G_ELI_MAXKEYLEN
95#define G_ELI_IVKEYLEN G_ELI_MAXKEYLEN
96#define G_ELI_SALTLEN 64
97#define G_ELI_DATAIVKEYLEN (G_ELI_DATAKEYLEN + G_ELI_IVKEYLEN)
98/* Data-Key, IV-Key, HMAC_SHA512(Derived-Key, Data-Key+IV-Key) */
99#define G_ELI_MKEYLEN (G_ELI_DATAIVKEYLEN + SHA512_MDLEN)
100
101#ifdef _KERNEL
102extern u_int g_eli_debug;
103extern u_int g_eli_overwrites;
104extern u_int g_eli_batch;
105
106#define G_ELI_CRYPTO_HW 1
107#define G_ELI_CRYPTO_SW 2
108
109#define G_ELI_DEBUG(lvl, ...) do { \
110 if (g_eli_debug >= (lvl)) { \
111 printf("GEOM_ELI"); \
112 if (g_eli_debug > 0) \
113 printf("[%u]", lvl); \
114 printf(": "); \
115 printf(__VA_ARGS__); \
116 printf("\n"); \
117 } \
118} while (0)
119#define G_ELI_LOGREQ(lvl, bp, ...) do { \
120 if (g_eli_debug >= (lvl)) { \
121 printf("GEOM_ELI"); \
122 if (g_eli_debug > 0) \
123 printf("[%u]", lvl); \
124 printf(": "); \
125 printf(__VA_ARGS__); \
126 printf(" "); \
127 g_print_bio(bp); \
128 printf("\n"); \
129 } \
130} while (0)
131
132struct g_eli_worker {
133 struct g_eli_softc *w_softc;
134 struct proc *w_proc;
135 u_int w_number;
136 uint64_t w_sid;
137 LIST_ENTRY(g_eli_worker) w_next;
138};
139
140struct g_eli_softc {
141 struct g_geom *sc_geom;
142 u_int sc_crypto;
143 uint8_t sc_mkey[G_ELI_DATAIVKEYLEN];
144 uint8_t sc_ekey[G_ELI_DATAKEYLEN];
145 u_int sc_ealgo;
146 u_int sc_ekeylen;
147 uint8_t sc_akey[G_ELI_AUTHKEYLEN];
148 u_int sc_aalgo;
149 u_int sc_akeylen;
150 u_int sc_alen;
151 SHA256_CTX sc_akeyctx;
152 uint8_t sc_ivkey[G_ELI_IVKEYLEN];
153 SHA256_CTX sc_ivctx;
154 int sc_nkey;
155 uint32_t sc_flags;
156 u_int sc_bytes_per_sector;
157 u_int sc_data_per_sector;
158
159 /* Only for software cryptography. */
160 struct bio_queue_head sc_queue;
161 struct mtx sc_queue_mtx;
162 LIST_HEAD(, g_eli_worker) sc_workers;
163};
164#define sc_name sc_geom->name
165#endif /* _KERNEL */
166
167struct g_eli_metadata {
168 char md_magic[16]; /* Magic value. */
169 uint32_t md_version; /* Version number. */
170 uint32_t md_flags; /* Additional flags. */
171 uint16_t md_ealgo; /* Encryption algorithm. */
172 uint16_t md_keylen; /* Key length. */
173 uint16_t md_aalgo; /* Authentication algorithm. */
174 uint64_t md_provsize; /* Provider's size. */
175 uint32_t md_sectorsize; /* Sector size. */
176 uint8_t md_keys; /* Available keys. */
177 int32_t md_iterations; /* Number of iterations for PKCS#5v2. */
178 uint8_t md_salt[G_ELI_SALTLEN]; /* Salt. */
179 /* Encrypted master key (IV-key, Data-key, HMAC). */
180 uint8_t md_mkeys[G_ELI_MAXMKEYS * G_ELI_MKEYLEN];
181 u_char md_hash[16]; /* MD5 hash. */
182} __packed;
183#ifndef _OpenSSL_
184static __inline void
185eli_metadata_encode(struct g_eli_metadata *md, u_char *data)
186{
187 MD5_CTX ctx;
188 u_char *p;
189
190 p = data;
191 bcopy(md->md_magic, p, sizeof(md->md_magic)); p += sizeof(md->md_magic);
192 le32enc(p, md->md_version); p += sizeof(md->md_version);
193 le32enc(p, md->md_flags); p += sizeof(md->md_flags);
194 le16enc(p, md->md_ealgo); p += sizeof(md->md_ealgo);
195 le16enc(p, md->md_keylen); p += sizeof(md->md_keylen);
196 le16enc(p, md->md_aalgo); p += sizeof(md->md_aalgo);
197 le64enc(p, md->md_provsize); p += sizeof(md->md_provsize);
198 le32enc(p, md->md_sectorsize); p += sizeof(md->md_sectorsize);
199 *p = md->md_keys; p += sizeof(md->md_keys);
200 le32enc(p, md->md_iterations); p += sizeof(md->md_iterations);
201 bcopy(md->md_salt, p, sizeof(md->md_salt)); p += sizeof(md->md_salt);
202 bcopy(md->md_mkeys, p, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys);
203 MD5Init(&ctx);
204 MD5Update(&ctx, data, p - data);
205 MD5Final(md->md_hash, &ctx);
206 bcopy(md->md_hash, p, sizeof(md->md_hash));
207}
208static __inline int
209eli_metadata_decode_v0(const u_char *data, struct g_eli_metadata *md)
210{
211 MD5_CTX ctx;
212 const u_char *p;
213
214 p = data + sizeof(md->md_magic) + sizeof(md->md_version);
215 md->md_flags = le32dec(p); p += sizeof(md->md_flags);
216 md->md_ealgo = le16dec(p); p += sizeof(md->md_ealgo);
217 md->md_keylen = le16dec(p); p += sizeof(md->md_keylen);
218 md->md_provsize = le64dec(p); p += sizeof(md->md_provsize);
219 md->md_sectorsize = le32dec(p); p += sizeof(md->md_sectorsize);
220 md->md_keys = *p; p += sizeof(md->md_keys);
221 md->md_iterations = le32dec(p); p += sizeof(md->md_iterations);
222 bcopy(p, md->md_salt, sizeof(md->md_salt)); p += sizeof(md->md_salt);
223 bcopy(p, md->md_mkeys, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys);
224 MD5Init(&ctx);
225 MD5Update(&ctx, data, p - data);
226 MD5Final(md->md_hash, &ctx);
227 if (bcmp(md->md_hash, p, 16) != 0)
228 return (EINVAL);
229 return (0);
230}
231static __inline int
232eli_metadata_decode_v1v2v3(const u_char *data, struct g_eli_metadata *md)
233{
234 MD5_CTX ctx;
235 const u_char *p;
236
237 p = data + sizeof(md->md_magic) + sizeof(md->md_version);
238 md->md_flags = le32dec(p); p += sizeof(md->md_flags);
239 md->md_ealgo = le16dec(p); p += sizeof(md->md_ealgo);
240 md->md_keylen = le16dec(p); p += sizeof(md->md_keylen);
241 md->md_aalgo = le16dec(p); p += sizeof(md->md_aalgo);
242 md->md_provsize = le64dec(p); p += sizeof(md->md_provsize);
243 md->md_sectorsize = le32dec(p); p += sizeof(md->md_sectorsize);
244 md->md_keys = *p; p += sizeof(md->md_keys);
245 md->md_iterations = le32dec(p); p += sizeof(md->md_iterations);
246 bcopy(p, md->md_salt, sizeof(md->md_salt)); p += sizeof(md->md_salt);
247 bcopy(p, md->md_mkeys, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys);
248 MD5Init(&ctx);
249 MD5Update(&ctx, data, p - data);
250 MD5Final(md->md_hash, &ctx);
251 if (bcmp(md->md_hash, p, 16) != 0)
252 return (EINVAL);
253 return (0);
254}
255static __inline int
256eli_metadata_decode(const u_char *data, struct g_eli_metadata *md)
257{
258 int error;
259
260 bcopy(data, md->md_magic, sizeof(md->md_magic));
261 md->md_version = le32dec(data + sizeof(md->md_magic));
262 switch (md->md_version) {
263 case 0:
264 error = eli_metadata_decode_v0(data, md);
265 break;
266 case 1:
267 case 2:
268 case 3:
269 error = eli_metadata_decode_v1v2v3(data, md);
270 break;
271 default:
272 error = EINVAL;
273 break;
274 }
275 return (error);
276}
277#endif /* !_OpenSSL */
278
279static __inline u_int
280g_eli_str2ealgo(const char *name)
281{
282
283 if (strcasecmp("null", name) == 0)
284 return (CRYPTO_NULL_CBC);
285 else if (strcasecmp("aes", name) == 0)
286 return (CRYPTO_AES_CBC);
287 else if (strcasecmp("blowfish", name) == 0)
288 return (CRYPTO_BLF_CBC);
289 else if (strcasecmp("camellia", name) == 0)
290 return (CRYPTO_CAMELLIA_CBC);
291 else if (strcasecmp("3des", name) == 0)
292 return (CRYPTO_3DES_CBC);
293 return (CRYPTO_ALGORITHM_MIN - 1);
294}
295
296static __inline u_int
297g_eli_str2aalgo(const char *name)
298{
299
300 if (strcasecmp("hmac/md5", name) == 0)
301 return (CRYPTO_MD5_HMAC);
302 else if (strcasecmp("hmac/sha1", name) == 0)
303 return (CRYPTO_SHA1_HMAC);
304 else if (strcasecmp("hmac/ripemd160", name) == 0)
305 return (CRYPTO_RIPEMD160_HMAC);
306 else if (strcasecmp("hmac/sha256", name) == 0)
307 return (CRYPTO_SHA2_256_HMAC);
308 else if (strcasecmp("hmac/sha384", name) == 0)
309 return (CRYPTO_SHA2_384_HMAC);
310 else if (strcasecmp("hmac/sha512", name) == 0)
311 return (CRYPTO_SHA2_512_HMAC);
312 return (CRYPTO_ALGORITHM_MIN - 1);
313}
314
315static __inline const char *
316g_eli_algo2str(u_int algo)
317{
318
319 switch (algo) {
320 case CRYPTO_NULL_CBC:
321 return ("NULL");
322 case CRYPTO_AES_CBC:
323 return ("AES-CBC");
324 case CRYPTO_BLF_CBC:
325 return ("Blowfish-CBC");
326 case CRYPTO_CAMELLIA_CBC:
327 return ("CAMELLIA-CBC");
328 case CRYPTO_3DES_CBC:
329 return ("3DES-CBC");
330 case CRYPTO_MD5_HMAC:
331 return ("HMAC/MD5");
332 case CRYPTO_SHA1_HMAC:
333 return ("HMAC/SHA1");
334 case CRYPTO_RIPEMD160_HMAC:
335 return ("HMAC/RIPEMD160");
336 case CRYPTO_SHA2_256_HMAC:
337 return ("HMAC/SHA256");
338 case CRYPTO_SHA2_384_HMAC:
339 return ("HMAC/SHA384");
340 case CRYPTO_SHA2_512_HMAC:
341 return ("HMAC/SHA512");
342 }
343 return ("unknown");
344}
345
346static __inline void
347eli_metadata_dump(const struct g_eli_metadata *md)
348{
349 static const char hex[] = "0123456789abcdef";
350 char str[sizeof(md->md_mkeys) * 2 + 1];
351 u_int i;
352
353 printf(" magic: %s\n", md->md_magic);
354 printf(" version: %u\n", (u_int)md->md_version);
355 printf(" flags: 0x%x\n", (u_int)md->md_flags);
356 printf(" ealgo: %s\n", g_eli_algo2str(md->md_ealgo));
357 printf(" keylen: %u\n", (u_int)md->md_keylen);
358 if (md->md_flags & G_ELI_FLAG_AUTH)
359 printf(" aalgo: %s\n", g_eli_algo2str(md->md_aalgo));
360 printf(" provsize: %ju\n", (uintmax_t)md->md_provsize);
361 printf("sectorsize: %u\n", (u_int)md->md_sectorsize);
362 printf(" keys: 0x%02x\n", (u_int)md->md_keys);
363 printf("iterations: %u\n", (u_int)md->md_iterations);
364 bzero(str, sizeof(str));
365 for (i = 0; i < sizeof(md->md_salt); i++) {
366 str[i * 2] = hex[md->md_salt[i] >> 4];
367 str[i * 2 + 1] = hex[md->md_salt[i] & 0x0f];
368 }
369 printf(" Salt: %s\n", str);
370 bzero(str, sizeof(str));
371 for (i = 0; i < sizeof(md->md_mkeys); i++) {
372 str[i * 2] = hex[md->md_mkeys[i] >> 4];
373 str[i * 2 + 1] = hex[md->md_mkeys[i] & 0x0f];
374 }
375 printf("Master Key: %s\n", str);
376 bzero(str, sizeof(str));
377 for (i = 0; i < 16; i++) {
378 str[i * 2] = hex[md->md_hash[i] >> 4];
379 str[i * 2 + 1] = hex[md->md_hash[i] & 0x0f];
380 }
381 printf(" MD5 hash: %s\n", str);
382}
383
384static __inline u_int
385g_eli_keylen(u_int algo, u_int keylen)
386{
387
388 switch (algo) {
389 case CRYPTO_NULL_CBC:
390 if (keylen == 0)
391 keylen = 64 * 8;
392 else {
393 if (keylen > 64 * 8)
394 keylen = 0;
395 }
396 return (keylen);
397 case CRYPTO_AES_CBC: /* FALLTHROUGH */
398 case CRYPTO_CAMELLIA_CBC:
399 switch (keylen) {
400 case 0:
401 return (128);
402 case 128:
403 case 192:
404 case 256:
405 return (keylen);
406 default:
407 return (0);
408 }
409 case CRYPTO_BLF_CBC:
410 if (keylen == 0)
411 return (128);
412 if (keylen < 128 || keylen > 448)
413 return (0);
414 if ((keylen % 32) != 0)
415 return (0);
416 return (keylen);
417 case CRYPTO_3DES_CBC:
418 if (keylen == 0 || keylen == 192)
419 return (192);
420 return (0);
421 default:
422 return (0);
423 }
424}
425
426static __inline u_int
427g_eli_hashlen(u_int algo)
428{
429
430 switch (algo) {
431 case CRYPTO_MD5_HMAC:
432 return (16);
433 case CRYPTO_SHA1_HMAC:
434 return (20);
435 case CRYPTO_RIPEMD160_HMAC:
436 return (20);
437 case CRYPTO_SHA2_256_HMAC:
438 return (32);
439 case CRYPTO_SHA2_384_HMAC:
440 return (48);
441 case CRYPTO_SHA2_512_HMAC:
442 return (64);
443 }
444 return (0);
445}
446
447#ifdef _KERNEL
448int g_eli_read_metadata(struct g_class *mp, struct g_provider *pp,
449 struct g_eli_metadata *md);
450struct g_geom *g_eli_create(struct gctl_req *req, struct g_class *mp,
451 struct g_provider *bpp, const struct g_eli_metadata *md,
452 const u_char *mkey, int nkey);
453int g_eli_destroy(struct g_eli_softc *sc, boolean_t force);
454
455int g_eli_access(struct g_provider *pp, int dr, int dw, int de);
456void g_eli_config(struct gctl_req *req, struct g_class *mp, const char *verb);
457
458void g_eli_read_done(struct bio *bp);
459void g_eli_write_done(struct bio *bp);
460int g_eli_crypto_rerun(struct cryptop *crp);
461void g_eli_crypto_ivgen(struct g_eli_softc *sc, off_t offset, u_char *iv,
462 size_t size);
463
464void g_eli_crypto_run(struct g_eli_worker *wr, struct bio *bp);
465
466void g_eli_auth_read(struct g_eli_softc *sc, struct bio *bp);
467void g_eli_auth_run(struct g_eli_worker *wr, struct bio *bp);
468#endif
469
470void g_eli_mkey_hmac(unsigned char *mkey, const unsigned char *key);
471int g_eli_mkey_decrypt(const struct g_eli_metadata *md,
472 const unsigned char *key, unsigned char *mkey, unsigned *nkeyp);
473int g_eli_mkey_encrypt(unsigned algo, const unsigned char *key, unsigned keylen,
474 unsigned char *mkey);
475#ifdef _KERNEL
476void g_eli_mkey_propagate(struct g_eli_softc *sc, const unsigned char *mkey);
477#endif
478
479int g_eli_crypto_encrypt(u_int algo, u_char *data, size_t datasize,
480 const u_char *key, size_t keysize);
481int g_eli_crypto_decrypt(u_int algo, u_char *data, size_t datasize,
482 const u_char *key, size_t keysize);
483
484struct hmac_ctx {
485 SHA512_CTX shactx;
486 u_char k_opad[128];
487};
488
489void g_eli_crypto_hmac_init(struct hmac_ctx *ctx, const uint8_t *hkey,
490 size_t hkeylen);
491void g_eli_crypto_hmac_update(struct hmac_ctx *ctx, const uint8_t *data,
492 size_t datasize);
493void g_eli_crypto_hmac_final(struct hmac_ctx *ctx, uint8_t *md, size_t mdsize);
494void g_eli_crypto_hmac(const uint8_t *hkey, size_t hkeysize,
495 const uint8_t *data, size_t datasize, uint8_t *md, size_t mdsize);
496#endif /* !_G_ELI_H_ */
2 * Copyright (c) 2005-2006 Pawel Jakub Dawidek <pjd@FreeBSD.org>
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24 * SUCH DAMAGE.
25 *
26 * $FreeBSD: head/sys/geom/eli/g_eli.h 172031 2007-09-01 06:33:02Z pjd $
27 */
28
29#ifndef _G_ELI_H_
30#define _G_ELI_H_
31
32#include <sys/endian.h>
33#include <sys/errno.h>
34#include <sys/malloc.h>
35#include <crypto/sha2/sha2.h>
36#include <opencrypto/cryptodev.h>
37#ifdef _KERNEL
38#include <sys/bio.h>
39#include <sys/libkern.h>
40#include <geom/geom.h>
41#else
42#include <stdio.h>
43#include <string.h>
44#include <strings.h>
45#endif
46#ifndef _OpenSSL_
47#include <sys/md5.h>
48#endif
49
50#define G_ELI_CLASS_NAME "ELI"
51#define G_ELI_MAGIC "GEOM::ELI"
52#define G_ELI_SUFFIX ".eli"
53
54/*
55 * Version history:
56 * 0 - Initial version number.
57 * 1 - Added data authentication support (md_aalgo field and
58 * G_ELI_FLAG_AUTH flag).
59 * 2 - Added G_ELI_FLAG_READONLY.
60 * - IV is generated from offset converted to little-endian
61 * (flag G_ELI_FLAG_NATIVE_BYTE_ORDER will be set for older versions).
62 * 3 - Added 'configure' subcommand.
63 */
64#define G_ELI_VERSION 3
65
66/* ON DISK FLAGS. */
67/* Use random, onetime keys. */
68#define G_ELI_FLAG_ONETIME 0x00000001
69/* Ask for the passphrase from the kernel, before mounting root. */
70#define G_ELI_FLAG_BOOT 0x00000002
71/* Detach on last close, if we were open for writing. */
72#define G_ELI_FLAG_WO_DETACH 0x00000004
73/* Detach on last close. */
74#define G_ELI_FLAG_RW_DETACH 0x00000008
75/* Provide data authentication. */
76#define G_ELI_FLAG_AUTH 0x00000010
77/* Provider is read-only, we should deny all write attempts. */
78#define G_ELI_FLAG_RO 0x00000020
79/* RUNTIME FLAGS. */
80/* Provider was open for writing. */
81#define G_ELI_FLAG_WOPEN 0x00010000
82/* Destroy device. */
83#define G_ELI_FLAG_DESTROY 0x00020000
84/* Provider uses native byte-order for IV generation. */
85#define G_ELI_FLAG_NATIVE_BYTE_ORDER 0x00040000
86
87#define SHA512_MDLEN 64
88#define G_ELI_AUTH_SECKEYLEN SHA256_DIGEST_LENGTH
89
90#define G_ELI_MAXMKEYS 2
91#define G_ELI_MAXKEYLEN 64
92#define G_ELI_USERKEYLEN G_ELI_MAXKEYLEN
93#define G_ELI_DATAKEYLEN G_ELI_MAXKEYLEN
94#define G_ELI_AUTHKEYLEN G_ELI_MAXKEYLEN
95#define G_ELI_IVKEYLEN G_ELI_MAXKEYLEN
96#define G_ELI_SALTLEN 64
97#define G_ELI_DATAIVKEYLEN (G_ELI_DATAKEYLEN + G_ELI_IVKEYLEN)
98/* Data-Key, IV-Key, HMAC_SHA512(Derived-Key, Data-Key+IV-Key) */
99#define G_ELI_MKEYLEN (G_ELI_DATAIVKEYLEN + SHA512_MDLEN)
100
101#ifdef _KERNEL
102extern u_int g_eli_debug;
103extern u_int g_eli_overwrites;
104extern u_int g_eli_batch;
105
106#define G_ELI_CRYPTO_HW 1
107#define G_ELI_CRYPTO_SW 2
108
109#define G_ELI_DEBUG(lvl, ...) do { \
110 if (g_eli_debug >= (lvl)) { \
111 printf("GEOM_ELI"); \
112 if (g_eli_debug > 0) \
113 printf("[%u]", lvl); \
114 printf(": "); \
115 printf(__VA_ARGS__); \
116 printf("\n"); \
117 } \
118} while (0)
119#define G_ELI_LOGREQ(lvl, bp, ...) do { \
120 if (g_eli_debug >= (lvl)) { \
121 printf("GEOM_ELI"); \
122 if (g_eli_debug > 0) \
123 printf("[%u]", lvl); \
124 printf(": "); \
125 printf(__VA_ARGS__); \
126 printf(" "); \
127 g_print_bio(bp); \
128 printf("\n"); \
129 } \
130} while (0)
131
132struct g_eli_worker {
133 struct g_eli_softc *w_softc;
134 struct proc *w_proc;
135 u_int w_number;
136 uint64_t w_sid;
137 LIST_ENTRY(g_eli_worker) w_next;
138};
139
140struct g_eli_softc {
141 struct g_geom *sc_geom;
142 u_int sc_crypto;
143 uint8_t sc_mkey[G_ELI_DATAIVKEYLEN];
144 uint8_t sc_ekey[G_ELI_DATAKEYLEN];
145 u_int sc_ealgo;
146 u_int sc_ekeylen;
147 uint8_t sc_akey[G_ELI_AUTHKEYLEN];
148 u_int sc_aalgo;
149 u_int sc_akeylen;
150 u_int sc_alen;
151 SHA256_CTX sc_akeyctx;
152 uint8_t sc_ivkey[G_ELI_IVKEYLEN];
153 SHA256_CTX sc_ivctx;
154 int sc_nkey;
155 uint32_t sc_flags;
156 u_int sc_bytes_per_sector;
157 u_int sc_data_per_sector;
158
159 /* Only for software cryptography. */
160 struct bio_queue_head sc_queue;
161 struct mtx sc_queue_mtx;
162 LIST_HEAD(, g_eli_worker) sc_workers;
163};
164#define sc_name sc_geom->name
165#endif /* _KERNEL */
166
167struct g_eli_metadata {
168 char md_magic[16]; /* Magic value. */
169 uint32_t md_version; /* Version number. */
170 uint32_t md_flags; /* Additional flags. */
171 uint16_t md_ealgo; /* Encryption algorithm. */
172 uint16_t md_keylen; /* Key length. */
173 uint16_t md_aalgo; /* Authentication algorithm. */
174 uint64_t md_provsize; /* Provider's size. */
175 uint32_t md_sectorsize; /* Sector size. */
176 uint8_t md_keys; /* Available keys. */
177 int32_t md_iterations; /* Number of iterations for PKCS#5v2. */
178 uint8_t md_salt[G_ELI_SALTLEN]; /* Salt. */
179 /* Encrypted master key (IV-key, Data-key, HMAC). */
180 uint8_t md_mkeys[G_ELI_MAXMKEYS * G_ELI_MKEYLEN];
181 u_char md_hash[16]; /* MD5 hash. */
182} __packed;
183#ifndef _OpenSSL_
184static __inline void
185eli_metadata_encode(struct g_eli_metadata *md, u_char *data)
186{
187 MD5_CTX ctx;
188 u_char *p;
189
190 p = data;
191 bcopy(md->md_magic, p, sizeof(md->md_magic)); p += sizeof(md->md_magic);
192 le32enc(p, md->md_version); p += sizeof(md->md_version);
193 le32enc(p, md->md_flags); p += sizeof(md->md_flags);
194 le16enc(p, md->md_ealgo); p += sizeof(md->md_ealgo);
195 le16enc(p, md->md_keylen); p += sizeof(md->md_keylen);
196 le16enc(p, md->md_aalgo); p += sizeof(md->md_aalgo);
197 le64enc(p, md->md_provsize); p += sizeof(md->md_provsize);
198 le32enc(p, md->md_sectorsize); p += sizeof(md->md_sectorsize);
199 *p = md->md_keys; p += sizeof(md->md_keys);
200 le32enc(p, md->md_iterations); p += sizeof(md->md_iterations);
201 bcopy(md->md_salt, p, sizeof(md->md_salt)); p += sizeof(md->md_salt);
202 bcopy(md->md_mkeys, p, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys);
203 MD5Init(&ctx);
204 MD5Update(&ctx, data, p - data);
205 MD5Final(md->md_hash, &ctx);
206 bcopy(md->md_hash, p, sizeof(md->md_hash));
207}
208static __inline int
209eli_metadata_decode_v0(const u_char *data, struct g_eli_metadata *md)
210{
211 MD5_CTX ctx;
212 const u_char *p;
213
214 p = data + sizeof(md->md_magic) + sizeof(md->md_version);
215 md->md_flags = le32dec(p); p += sizeof(md->md_flags);
216 md->md_ealgo = le16dec(p); p += sizeof(md->md_ealgo);
217 md->md_keylen = le16dec(p); p += sizeof(md->md_keylen);
218 md->md_provsize = le64dec(p); p += sizeof(md->md_provsize);
219 md->md_sectorsize = le32dec(p); p += sizeof(md->md_sectorsize);
220 md->md_keys = *p; p += sizeof(md->md_keys);
221 md->md_iterations = le32dec(p); p += sizeof(md->md_iterations);
222 bcopy(p, md->md_salt, sizeof(md->md_salt)); p += sizeof(md->md_salt);
223 bcopy(p, md->md_mkeys, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys);
224 MD5Init(&ctx);
225 MD5Update(&ctx, data, p - data);
226 MD5Final(md->md_hash, &ctx);
227 if (bcmp(md->md_hash, p, 16) != 0)
228 return (EINVAL);
229 return (0);
230}
231static __inline int
232eli_metadata_decode_v1v2v3(const u_char *data, struct g_eli_metadata *md)
233{
234 MD5_CTX ctx;
235 const u_char *p;
236
237 p = data + sizeof(md->md_magic) + sizeof(md->md_version);
238 md->md_flags = le32dec(p); p += sizeof(md->md_flags);
239 md->md_ealgo = le16dec(p); p += sizeof(md->md_ealgo);
240 md->md_keylen = le16dec(p); p += sizeof(md->md_keylen);
241 md->md_aalgo = le16dec(p); p += sizeof(md->md_aalgo);
242 md->md_provsize = le64dec(p); p += sizeof(md->md_provsize);
243 md->md_sectorsize = le32dec(p); p += sizeof(md->md_sectorsize);
244 md->md_keys = *p; p += sizeof(md->md_keys);
245 md->md_iterations = le32dec(p); p += sizeof(md->md_iterations);
246 bcopy(p, md->md_salt, sizeof(md->md_salt)); p += sizeof(md->md_salt);
247 bcopy(p, md->md_mkeys, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys);
248 MD5Init(&ctx);
249 MD5Update(&ctx, data, p - data);
250 MD5Final(md->md_hash, &ctx);
251 if (bcmp(md->md_hash, p, 16) != 0)
252 return (EINVAL);
253 return (0);
254}
255static __inline int
256eli_metadata_decode(const u_char *data, struct g_eli_metadata *md)
257{
258 int error;
259
260 bcopy(data, md->md_magic, sizeof(md->md_magic));
261 md->md_version = le32dec(data + sizeof(md->md_magic));
262 switch (md->md_version) {
263 case 0:
264 error = eli_metadata_decode_v0(data, md);
265 break;
266 case 1:
267 case 2:
268 case 3:
269 error = eli_metadata_decode_v1v2v3(data, md);
270 break;
271 default:
272 error = EINVAL;
273 break;
274 }
275 return (error);
276}
277#endif /* !_OpenSSL */
278
279static __inline u_int
280g_eli_str2ealgo(const char *name)
281{
282
283 if (strcasecmp("null", name) == 0)
284 return (CRYPTO_NULL_CBC);
285 else if (strcasecmp("aes", name) == 0)
286 return (CRYPTO_AES_CBC);
287 else if (strcasecmp("blowfish", name) == 0)
288 return (CRYPTO_BLF_CBC);
289 else if (strcasecmp("camellia", name) == 0)
290 return (CRYPTO_CAMELLIA_CBC);
291 else if (strcasecmp("3des", name) == 0)
292 return (CRYPTO_3DES_CBC);
293 return (CRYPTO_ALGORITHM_MIN - 1);
294}
295
296static __inline u_int
297g_eli_str2aalgo(const char *name)
298{
299
300 if (strcasecmp("hmac/md5", name) == 0)
301 return (CRYPTO_MD5_HMAC);
302 else if (strcasecmp("hmac/sha1", name) == 0)
303 return (CRYPTO_SHA1_HMAC);
304 else if (strcasecmp("hmac/ripemd160", name) == 0)
305 return (CRYPTO_RIPEMD160_HMAC);
306 else if (strcasecmp("hmac/sha256", name) == 0)
307 return (CRYPTO_SHA2_256_HMAC);
308 else if (strcasecmp("hmac/sha384", name) == 0)
309 return (CRYPTO_SHA2_384_HMAC);
310 else if (strcasecmp("hmac/sha512", name) == 0)
311 return (CRYPTO_SHA2_512_HMAC);
312 return (CRYPTO_ALGORITHM_MIN - 1);
313}
314
315static __inline const char *
316g_eli_algo2str(u_int algo)
317{
318
319 switch (algo) {
320 case CRYPTO_NULL_CBC:
321 return ("NULL");
322 case CRYPTO_AES_CBC:
323 return ("AES-CBC");
324 case CRYPTO_BLF_CBC:
325 return ("Blowfish-CBC");
326 case CRYPTO_CAMELLIA_CBC:
327 return ("CAMELLIA-CBC");
328 case CRYPTO_3DES_CBC:
329 return ("3DES-CBC");
330 case CRYPTO_MD5_HMAC:
331 return ("HMAC/MD5");
332 case CRYPTO_SHA1_HMAC:
333 return ("HMAC/SHA1");
334 case CRYPTO_RIPEMD160_HMAC:
335 return ("HMAC/RIPEMD160");
336 case CRYPTO_SHA2_256_HMAC:
337 return ("HMAC/SHA256");
338 case CRYPTO_SHA2_384_HMAC:
339 return ("HMAC/SHA384");
340 case CRYPTO_SHA2_512_HMAC:
341 return ("HMAC/SHA512");
342 }
343 return ("unknown");
344}
345
346static __inline void
347eli_metadata_dump(const struct g_eli_metadata *md)
348{
349 static const char hex[] = "0123456789abcdef";
350 char str[sizeof(md->md_mkeys) * 2 + 1];
351 u_int i;
352
353 printf(" magic: %s\n", md->md_magic);
354 printf(" version: %u\n", (u_int)md->md_version);
355 printf(" flags: 0x%x\n", (u_int)md->md_flags);
356 printf(" ealgo: %s\n", g_eli_algo2str(md->md_ealgo));
357 printf(" keylen: %u\n", (u_int)md->md_keylen);
358 if (md->md_flags & G_ELI_FLAG_AUTH)
359 printf(" aalgo: %s\n", g_eli_algo2str(md->md_aalgo));
360 printf(" provsize: %ju\n", (uintmax_t)md->md_provsize);
361 printf("sectorsize: %u\n", (u_int)md->md_sectorsize);
362 printf(" keys: 0x%02x\n", (u_int)md->md_keys);
363 printf("iterations: %u\n", (u_int)md->md_iterations);
364 bzero(str, sizeof(str));
365 for (i = 0; i < sizeof(md->md_salt); i++) {
366 str[i * 2] = hex[md->md_salt[i] >> 4];
367 str[i * 2 + 1] = hex[md->md_salt[i] & 0x0f];
368 }
369 printf(" Salt: %s\n", str);
370 bzero(str, sizeof(str));
371 for (i = 0; i < sizeof(md->md_mkeys); i++) {
372 str[i * 2] = hex[md->md_mkeys[i] >> 4];
373 str[i * 2 + 1] = hex[md->md_mkeys[i] & 0x0f];
374 }
375 printf("Master Key: %s\n", str);
376 bzero(str, sizeof(str));
377 for (i = 0; i < 16; i++) {
378 str[i * 2] = hex[md->md_hash[i] >> 4];
379 str[i * 2 + 1] = hex[md->md_hash[i] & 0x0f];
380 }
381 printf(" MD5 hash: %s\n", str);
382}
383
384static __inline u_int
385g_eli_keylen(u_int algo, u_int keylen)
386{
387
388 switch (algo) {
389 case CRYPTO_NULL_CBC:
390 if (keylen == 0)
391 keylen = 64 * 8;
392 else {
393 if (keylen > 64 * 8)
394 keylen = 0;
395 }
396 return (keylen);
397 case CRYPTO_AES_CBC: /* FALLTHROUGH */
398 case CRYPTO_CAMELLIA_CBC:
399 switch (keylen) {
400 case 0:
401 return (128);
402 case 128:
403 case 192:
404 case 256:
405 return (keylen);
406 default:
407 return (0);
408 }
409 case CRYPTO_BLF_CBC:
410 if (keylen == 0)
411 return (128);
412 if (keylen < 128 || keylen > 448)
413 return (0);
414 if ((keylen % 32) != 0)
415 return (0);
416 return (keylen);
417 case CRYPTO_3DES_CBC:
418 if (keylen == 0 || keylen == 192)
419 return (192);
420 return (0);
421 default:
422 return (0);
423 }
424}
425
426static __inline u_int
427g_eli_hashlen(u_int algo)
428{
429
430 switch (algo) {
431 case CRYPTO_MD5_HMAC:
432 return (16);
433 case CRYPTO_SHA1_HMAC:
434 return (20);
435 case CRYPTO_RIPEMD160_HMAC:
436 return (20);
437 case CRYPTO_SHA2_256_HMAC:
438 return (32);
439 case CRYPTO_SHA2_384_HMAC:
440 return (48);
441 case CRYPTO_SHA2_512_HMAC:
442 return (64);
443 }
444 return (0);
445}
446
447#ifdef _KERNEL
448int g_eli_read_metadata(struct g_class *mp, struct g_provider *pp,
449 struct g_eli_metadata *md);
450struct g_geom *g_eli_create(struct gctl_req *req, struct g_class *mp,
451 struct g_provider *bpp, const struct g_eli_metadata *md,
452 const u_char *mkey, int nkey);
453int g_eli_destroy(struct g_eli_softc *sc, boolean_t force);
454
455int g_eli_access(struct g_provider *pp, int dr, int dw, int de);
456void g_eli_config(struct gctl_req *req, struct g_class *mp, const char *verb);
457
458void g_eli_read_done(struct bio *bp);
459void g_eli_write_done(struct bio *bp);
460int g_eli_crypto_rerun(struct cryptop *crp);
461void g_eli_crypto_ivgen(struct g_eli_softc *sc, off_t offset, u_char *iv,
462 size_t size);
463
464void g_eli_crypto_run(struct g_eli_worker *wr, struct bio *bp);
465
466void g_eli_auth_read(struct g_eli_softc *sc, struct bio *bp);
467void g_eli_auth_run(struct g_eli_worker *wr, struct bio *bp);
468#endif
469
470void g_eli_mkey_hmac(unsigned char *mkey, const unsigned char *key);
471int g_eli_mkey_decrypt(const struct g_eli_metadata *md,
472 const unsigned char *key, unsigned char *mkey, unsigned *nkeyp);
473int g_eli_mkey_encrypt(unsigned algo, const unsigned char *key, unsigned keylen,
474 unsigned char *mkey);
475#ifdef _KERNEL
476void g_eli_mkey_propagate(struct g_eli_softc *sc, const unsigned char *mkey);
477#endif
478
479int g_eli_crypto_encrypt(u_int algo, u_char *data, size_t datasize,
480 const u_char *key, size_t keysize);
481int g_eli_crypto_decrypt(u_int algo, u_char *data, size_t datasize,
482 const u_char *key, size_t keysize);
483
484struct hmac_ctx {
485 SHA512_CTX shactx;
486 u_char k_opad[128];
487};
488
489void g_eli_crypto_hmac_init(struct hmac_ctx *ctx, const uint8_t *hkey,
490 size_t hkeylen);
491void g_eli_crypto_hmac_update(struct hmac_ctx *ctx, const uint8_t *data,
492 size_t datasize);
493void g_eli_crypto_hmac_final(struct hmac_ctx *ctx, uint8_t *md, size_t mdsize);
494void g_eli_crypto_hmac(const uint8_t *hkey, size_t hkeysize,
495 const uint8_t *data, size_t datasize, uint8_t *md, size_t mdsize);
496#endif /* !_G_ELI_H_ */