Cross Reference: /freebsd-11.0-release/sys/geom/eli/g

Deleted Added

sdiff udiff text old ( 213062 ) new ( 213067 )

full compact

1/*-
2 * Copyright (c) 2005-2006 Pawel Jakub Dawidek <pjd@FreeBSD.org>
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24 * SUCH DAMAGE.
25 *
26 * $FreeBSD: head/sys/geom/eli/g_eli.h 213062 2010-09-23 11:19:48Z pjd $
27 */
28
29#ifndef _G_ELI_H_
30#define _G_ELI_H_
31
32#include <sys/endian.h>
33#include <sys/errno.h>
34#include <sys/malloc.h>
35#include <crypto/sha2/sha2.h>
36#include <opencrypto/cryptodev.h>
37#ifdef _KERNEL
38#include <sys/bio.h>
39#include <sys/libkern.h>
40#include <geom/geom.h>
41#else
42#include <stdio.h>
43#include <string.h>
44#include <strings.h>
45#endif
46#ifndef _OpenSSL_
47#include <sys/md5.h>
48#endif
49
50#define G_ELI_CLASS_NAME "ELI"
51#define G_ELI_MAGIC "GEOM::ELI"
52#define G_ELI_SUFFIX ".eli"
53
54/*
55 * Version history:
56 * 0 - Initial version number.
57 * 1 - Added data authentication support (md_aalgo field and
58 * G_ELI_FLAG_AUTH flag).
59 * 2 - Added G_ELI_FLAG_READONLY.
60 * 3 - Added 'configure' subcommand.
61 * 4 - IV is generated from offset converted to little-endian
62 * (flag G_ELI_FLAG_NATIVE_BYTE_ORDER will be set for older versions).
63 */
64#define G_ELI_VERSION 4
65
66/* ON DISK FLAGS. */
67/* Use random, onetime keys. */
68#define G_ELI_FLAG_ONETIME 0x00000001
69/* Ask for the passphrase from the kernel, before mounting root. */
70#define G_ELI_FLAG_BOOT 0x00000002
71/* Detach on last close, if we were open for writing. */
72#define G_ELI_FLAG_WO_DETACH 0x00000004
73/* Detach on last close. */
74#define G_ELI_FLAG_RW_DETACH 0x00000008
75/* Provide data authentication. */
76#define G_ELI_FLAG_AUTH 0x00000010
77/* Provider is read-only, we should deny all write attempts. */
78#define G_ELI_FLAG_RO 0x00000020
79/* RUNTIME FLAGS. */
80/* Provider was open for writing. */
81#define G_ELI_FLAG_WOPEN 0x00010000
82/* Destroy device. */
83#define G_ELI_FLAG_DESTROY 0x00020000
84/* Provider uses native byte-order for IV generation. */
85#define G_ELI_FLAG_NATIVE_BYTE_ORDER 0x00040000
86
87#define SHA512_MDLEN 64
88#define G_ELI_AUTH_SECKEYLEN SHA256_DIGEST_LENGTH
89
90#define G_ELI_MAXMKEYS 2
91#define G_ELI_MAXKEYLEN 64
92#define G_ELI_USERKEYLEN G_ELI_MAXKEYLEN
93#define G_ELI_DATAKEYLEN G_ELI_MAXKEYLEN
94#define G_ELI_AUTHKEYLEN G_ELI_MAXKEYLEN
95#define G_ELI_IVKEYLEN G_ELI_MAXKEYLEN
96#define G_ELI_SALTLEN 64
97#define G_ELI_DATAIVKEYLEN (G_ELI_DATAKEYLEN + G_ELI_IVKEYLEN)
98/* Data-Key, IV-Key, HMAC_SHA512(Derived-Key, Data-Key+IV-Key) */
99#define G_ELI_MKEYLEN (G_ELI_DATAIVKEYLEN + SHA512_MDLEN)
100#define G_ELI_OVERWRITES 5
101
102#ifdef _KERNEL
103extern u_int g_eli_debug;
104extern u_int g_eli_overwrites;
105extern u_int g_eli_batch;
106
107#define G_ELI_CRYPTO_HW 1
108#define G_ELI_CRYPTO_SW 2
109
110#define G_ELI_DEBUG(lvl, ...) do { \
111 if (g_eli_debug >= (lvl)) { \
112 printf("GEOM_ELI"); \
113 if (g_eli_debug > 0) \
114 printf("[%u]", lvl); \
115 printf(": "); \
116 printf(__VA_ARGS__); \
117 printf("\n"); \
118 } \
119} while (0)
120#define G_ELI_LOGREQ(lvl, bp, ...) do { \
121 if (g_eli_debug >= (lvl)) { \
122 printf("GEOM_ELI"); \
123 if (g_eli_debug > 0) \
124 printf("[%u]", lvl); \
125 printf(": "); \
126 printf(__VA_ARGS__); \
127 printf(" "); \
128 g_print_bio(bp); \
129 printf("\n"); \
130 } \
131} while (0)
132
133struct g_eli_worker {
134 struct g_eli_softc *w_softc;
135 struct proc *w_proc;
136 u_int w_number;
137 uint64_t w_sid;
138 LIST_ENTRY(g_eli_worker) w_next;
139};
140
141struct g_eli_softc {
142 struct g_geom *sc_geom;
143 u_int sc_crypto;
144 uint8_t sc_mkey[G_ELI_DATAIVKEYLEN];
145 uint8_t sc_ekey[G_ELI_DATAKEYLEN];
146 u_int sc_ealgo;
147 u_int sc_ekeylen;
148 uint8_t sc_akey[G_ELI_AUTHKEYLEN];
149 u_int sc_aalgo;
150 u_int sc_akeylen;
151 u_int sc_alen;
152 SHA256_CTX sc_akeyctx;
153 uint8_t sc_ivkey[G_ELI_IVKEYLEN];
154 SHA256_CTX sc_ivctx;
155 int sc_nkey;
156 uint32_t sc_flags;
157 u_int sc_bytes_per_sector;
158 u_int sc_data_per_sector;
159
160 /* Only for software cryptography. */
161 struct bio_queue_head sc_queue;
162 struct mtx sc_queue_mtx;
163 LIST_HEAD(, g_eli_worker) sc_workers;
164};
165#define sc_name sc_geom->name
166#endif /* _KERNEL */
167
168struct g_eli_metadata {
169 char md_magic[16]; /* Magic value. */
170 uint32_t md_version; /* Version number. */
171 uint32_t md_flags; /* Additional flags. */
172 uint16_t md_ealgo; /* Encryption algorithm. */
173 uint16_t md_keylen; /* Key length. */
174 uint16_t md_aalgo; /* Authentication algorithm. */
175 uint64_t md_provsize; /* Provider's size. */
176 uint32_t md_sectorsize; /* Sector size. */
177 uint8_t md_keys; /* Available keys. */
178 int32_t md_iterations; /* Number of iterations for PKCS#5v2. */
179 uint8_t md_salt[G_ELI_SALTLEN]; /* Salt. */
180 /* Encrypted master key (IV-key, Data-key, HMAC). */
181 uint8_t md_mkeys[G_ELI_MAXMKEYS * G_ELI_MKEYLEN];
182 u_char md_hash[16]; /* MD5 hash. */
183} __packed;
184#ifndef _OpenSSL_
185static __inline void
186eli_metadata_encode(struct g_eli_metadata *md, u_char *data)
187{
188 MD5_CTX ctx;
189 u_char *p;
190
191 p = data;
192 bcopy(md->md_magic, p, sizeof(md->md_magic)); p += sizeof(md->md_magic);
193 le32enc(p, md->md_version); p += sizeof(md->md_version);
194 le32enc(p, md->md_flags); p += sizeof(md->md_flags);
195 le16enc(p, md->md_ealgo); p += sizeof(md->md_ealgo);
196 le16enc(p, md->md_keylen); p += sizeof(md->md_keylen);
197 le16enc(p, md->md_aalgo); p += sizeof(md->md_aalgo);
198 le64enc(p, md->md_provsize); p += sizeof(md->md_provsize);
199 le32enc(p, md->md_sectorsize); p += sizeof(md->md_sectorsize);
200 *p = md->md_keys; p += sizeof(md->md_keys);
201 le32enc(p, md->md_iterations); p += sizeof(md->md_iterations);
202 bcopy(md->md_salt, p, sizeof(md->md_salt)); p += sizeof(md->md_salt);
203 bcopy(md->md_mkeys, p, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys);
204 MD5Init(&ctx);
205 MD5Update(&ctx, data, p - data);
206 MD5Final(md->md_hash, &ctx);
207 bcopy(md->md_hash, p, sizeof(md->md_hash));
208}
209static __inline int
210eli_metadata_decode_v0(const u_char *data, struct g_eli_metadata *md)
211{
212 MD5_CTX ctx;
213 const u_char *p;
214
215 p = data + sizeof(md->md_magic) + sizeof(md->md_version);
216 md->md_flags = le32dec(p); p += sizeof(md->md_flags);
217 md->md_ealgo = le16dec(p); p += sizeof(md->md_ealgo);
218 md->md_keylen = le16dec(p); p += sizeof(md->md_keylen);
219 md->md_provsize = le64dec(p); p += sizeof(md->md_provsize);
220 md->md_sectorsize = le32dec(p); p += sizeof(md->md_sectorsize);
221 md->md_keys = *p; p += sizeof(md->md_keys);
222 md->md_iterations = le32dec(p); p += sizeof(md->md_iterations);
223 bcopy(p, md->md_salt, sizeof(md->md_salt)); p += sizeof(md->md_salt);
224 bcopy(p, md->md_mkeys, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys);
225 MD5Init(&ctx);
226 MD5Update(&ctx, data, p - data);
227 MD5Final(md->md_hash, &ctx);
228 if (bcmp(md->md_hash, p, 16) != 0)
229 return (EINVAL);
230 return (0);
231}
232
233static __inline int
234eli_metadata_decode_v1v2v3v4(const u_char *data, struct g_eli_metadata *md)
235{
236 MD5_CTX ctx;
237 const u_char *p;
238
239 p = data + sizeof(md->md_magic) + sizeof(md->md_version);
240 md->md_flags = le32dec(p); p += sizeof(md->md_flags);
241 md->md_ealgo = le16dec(p); p += sizeof(md->md_ealgo);
242 md->md_keylen = le16dec(p); p += sizeof(md->md_keylen);
243 md->md_aalgo = le16dec(p); p += sizeof(md->md_aalgo);
244 md->md_provsize = le64dec(p); p += sizeof(md->md_provsize);
245 md->md_sectorsize = le32dec(p); p += sizeof(md->md_sectorsize);
246 md->md_keys = *p; p += sizeof(md->md_keys);
247 md->md_iterations = le32dec(p); p += sizeof(md->md_iterations);
248 bcopy(p, md->md_salt, sizeof(md->md_salt)); p += sizeof(md->md_salt);
249 bcopy(p, md->md_mkeys, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys);
250 MD5Init(&ctx);
251 MD5Update(&ctx, data, p - data);
252 MD5Final(md->md_hash, &ctx);
253 if (bcmp(md->md_hash, p, 16) != 0)
254 return (EINVAL);
255 return (0);
256}
257static __inline int
258eli_metadata_decode(const u_char *data, struct g_eli_metadata *md)
259{
260 int error;
261
262 bcopy(data, md->md_magic, sizeof(md->md_magic));
263 md->md_version = le32dec(data + sizeof(md->md_magic));
264 switch (md->md_version) {
265 case 0:
266 error = eli_metadata_decode_v0(data, md);
267 break;
268 case 1:
269 case 2:
270 case 3:
271 case 4:
272 error = eli_metadata_decode_v1v2v3v4(data, md);
273 break;
274 default:
275 error = EINVAL;
276 break;
277 }
278 return (error);
279}
280#endif /* !_OpenSSL */
281
282static __inline u_int
283g_eli_str2ealgo(const char *name)
284{
285
286 if (strcasecmp("null", name) == 0)
287 return (CRYPTO_NULL_CBC);
288 else if (strcasecmp("aes", name) == 0)
289 return (CRYPTO_AES_CBC);
290 else if (strcasecmp("blowfish", name) == 0)
291 return (CRYPTO_BLF_CBC);
292 else if (strcasecmp("camellia", name) == 0)
293 return (CRYPTO_CAMELLIA_CBC);
294 else if (strcasecmp("3des", name) == 0)
295 return (CRYPTO_3DES_CBC);
296 return (CRYPTO_ALGORITHM_MIN - 1);
297}
298
299static __inline u_int
300g_eli_str2aalgo(const char *name)
301{
302
303 if (strcasecmp("hmac/md5", name) == 0)
304 return (CRYPTO_MD5_HMAC);
305 else if (strcasecmp("hmac/sha1", name) == 0)
306 return (CRYPTO_SHA1_HMAC);
307 else if (strcasecmp("hmac/ripemd160", name) == 0)
308 return (CRYPTO_RIPEMD160_HMAC);
309 else if (strcasecmp("hmac/sha256", name) == 0)
310 return (CRYPTO_SHA2_256_HMAC);
311 else if (strcasecmp("hmac/sha384", name) == 0)
312 return (CRYPTO_SHA2_384_HMAC);
313 else if (strcasecmp("hmac/sha512", name) == 0)
314 return (CRYPTO_SHA2_512_HMAC);
315 return (CRYPTO_ALGORITHM_MIN - 1);
316}
317
318static __inline const char *
319g_eli_algo2str(u_int algo)
320{
321
322 switch (algo) {
323 case CRYPTO_NULL_CBC:
324 return ("NULL");
325 case CRYPTO_AES_CBC:
326 return ("AES-CBC");
327 case CRYPTO_BLF_CBC:
328 return ("Blowfish-CBC");
329 case CRYPTO_CAMELLIA_CBC:
330 return ("CAMELLIA-CBC");
331 case CRYPTO_3DES_CBC:
332 return ("3DES-CBC");
333 case CRYPTO_MD5_HMAC:
334 return ("HMAC/MD5");
335 case CRYPTO_SHA1_HMAC:
336 return ("HMAC/SHA1");
337 case CRYPTO_RIPEMD160_HMAC:
338 return ("HMAC/RIPEMD160");
339 case CRYPTO_SHA2_256_HMAC:
340 return ("HMAC/SHA256");
341 case CRYPTO_SHA2_384_HMAC:
342 return ("HMAC/SHA384");
343 case CRYPTO_SHA2_512_HMAC:
344 return ("HMAC/SHA512");
345 }
346 return ("unknown");
347}
348
349static __inline void
350eli_metadata_dump(const struct g_eli_metadata *md)
351{
352 static const char hex[] = "0123456789abcdef";
353 char str[sizeof(md->md_mkeys) * 2 + 1];
354 u_int i;
355
356 printf(" magic: %s\n", md->md_magic);
357 printf(" version: %u\n", (u_int)md->md_version);
358 printf(" flags: 0x%x\n", (u_int)md->md_flags);
359 printf(" ealgo: %s\n", g_eli_algo2str(md->md_ealgo));
360 printf(" keylen: %u\n", (u_int)md->md_keylen);
361 if (md->md_flags & G_ELI_FLAG_AUTH)
362 printf(" aalgo: %s\n", g_eli_algo2str(md->md_aalgo));
363 printf(" provsize: %ju\n", (uintmax_t)md->md_provsize);
364 printf("sectorsize: %u\n", (u_int)md->md_sectorsize);
365 printf(" keys: 0x%02x\n", (u_int)md->md_keys);
366 printf("iterations: %u\n", (u_int)md->md_iterations);
367 bzero(str, sizeof(str));
368 for (i = 0; i < sizeof(md->md_salt); i++) {
369 str[i * 2] = hex[md->md_salt[i] >> 4];
370 str[i * 2 + 1] = hex[md->md_salt[i] & 0x0f];
371 }
372 printf(" Salt: %s\n", str);
373 bzero(str, sizeof(str));
374 for (i = 0; i < sizeof(md->md_mkeys); i++) {
375 str[i * 2] = hex[md->md_mkeys[i] >> 4];
376 str[i * 2 + 1] = hex[md->md_mkeys[i] & 0x0f];
377 }
378 printf("Master Key: %s\n", str);
379 bzero(str, sizeof(str));
380 for (i = 0; i < 16; i++) {
381 str[i * 2] = hex[md->md_hash[i] >> 4];
382 str[i * 2 + 1] = hex[md->md_hash[i] & 0x0f];
383 }
384 printf(" MD5 hash: %s\n", str);
385}
386
387static __inline u_int
388g_eli_keylen(u_int algo, u_int keylen)
389{
390
391 switch (algo) {
392 case CRYPTO_NULL_CBC:
393 if (keylen == 0)
394 keylen = 64 * 8;
395 else {
396 if (keylen > 64 * 8)
397 keylen = 0;
398 }
399 return (keylen);
400 case CRYPTO_AES_CBC:
401 case CRYPTO_CAMELLIA_CBC:
402 switch (keylen) {
403 case 0:
404 return (128);
405 case 128:
406 case 192:
407 case 256:
408 return (keylen);
409 default:
410 return (0);
411 }
412 case CRYPTO_BLF_CBC:
413 if (keylen == 0)
414 return (128);
415 if (keylen < 128 || keylen > 448)
416 return (0);
417 if ((keylen % 32) != 0)
418 return (0);
419 return (keylen);
420 case CRYPTO_3DES_CBC:
421 if (keylen == 0 || keylen == 192)
422 return (192);
423 return (0);
424 default:
425 return (0);
426 }
427}
428
429static __inline u_int
430g_eli_hashlen(u_int algo)
431{
432
433 switch (algo) {
434 case CRYPTO_MD5_HMAC:
435 return (16);
436 case CRYPTO_SHA1_HMAC:
437 return (20);
438 case CRYPTO_RIPEMD160_HMAC:
439 return (20);
440 case CRYPTO_SHA2_256_HMAC:
441 return (32);
442 case CRYPTO_SHA2_384_HMAC:
443 return (48);
444 case CRYPTO_SHA2_512_HMAC:
445 return (64);
446 }
447 return (0);
448}
449
450#ifdef _KERNEL
451int g_eli_read_metadata(struct g_class *mp, struct g_provider *pp,
452 struct g_eli_metadata *md);
453struct g_geom *g_eli_create(struct gctl_req *req, struct g_class *mp,
454 struct g_provider *bpp, const struct g_eli_metadata *md,
455 const u_char *mkey, int nkey);
456int g_eli_destroy(struct g_eli_softc *sc, boolean_t force);
457
458int g_eli_access(struct g_provider *pp, int dr, int dw, int de);
459void g_eli_config(struct gctl_req *req, struct g_class *mp, const char *verb);
460
461void g_eli_read_done(struct bio *bp);
462void g_eli_write_done(struct bio *bp);
463int g_eli_crypto_rerun(struct cryptop *crp);
464void g_eli_crypto_ivgen(struct g_eli_softc *sc, off_t offset, u_char *iv,
465 size_t size);
466
467void g_eli_crypto_run(struct g_eli_worker *wr, struct bio *bp);
468
469void g_eli_auth_read(struct g_eli_softc *sc, struct bio *bp);
470void g_eli_auth_run(struct g_eli_worker *wr, struct bio *bp);
471#endif
472
473void g_eli_mkey_hmac(unsigned char *mkey, const unsigned char *key);
474int g_eli_mkey_decrypt(const struct g_eli_metadata *md,
475 const unsigned char *key, unsigned char *mkey, unsigned *nkeyp);
476int g_eli_mkey_encrypt(unsigned algo, const unsigned char *key, unsigned keylen,
477 unsigned char *mkey);
478#ifdef _KERNEL
479void g_eli_mkey_propagate(struct g_eli_softc *sc, const unsigned char *mkey);
480#endif
481
482int g_eli_crypto_encrypt(u_int algo, u_char *data, size_t datasize,
483 const u_char *key, size_t keysize);
484int g_eli_crypto_decrypt(u_int algo, u_char *data, size_t datasize,
485 const u_char *key, size_t keysize);
486
487struct hmac_ctx {
488 SHA512_CTX shactx;
489 u_char k_opad[128];
490};
491
492void g_eli_crypto_hmac_init(struct hmac_ctx *ctx, const uint8_t *hkey,
493 size_t hkeylen);
494void g_eli_crypto_hmac_update(struct hmac_ctx *ctx, const uint8_t *data,
495 size_t datasize);
496void g_eli_crypto_hmac_final(struct hmac_ctx *ctx, uint8_t *md, size_t mdsize);
497void g_eli_crypto_hmac(const uint8_t *hkey, size_t hkeysize,
498 const uint8_t *data, size_t datasize, uint8_t *md, size_t mdsize);
499#endif /* !_G_ELI_H_ */