g_eli.h revision 214118
1/*- 2 * Copyright (c) 2005-2010 Pawel Jakub Dawidek <pjd@FreeBSD.org> 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24 * SUCH DAMAGE. 25 * 26 * $FreeBSD: head/sys/geom/eli/g_eli.h 214118 2010-10-20 20:50:55Z pjd $ 27 */ 28 29#ifndef _G_ELI_H_ 30#define _G_ELI_H_ 31 32#include <sys/endian.h> 33#include <sys/errno.h> 34#include <sys/malloc.h> 35#include <crypto/sha2/sha2.h> 36#include <opencrypto/cryptodev.h> 37#ifdef _KERNEL 38#include <sys/bio.h> 39#include <sys/libkern.h> 40#include <geom/geom.h> 41#else 42#include <stdio.h> 43#include <string.h> 44#include <strings.h> 45#endif 46#ifndef _OpenSSL_ 47#include <sys/md5.h> 48#endif 49 50#define G_ELI_CLASS_NAME "ELI" 51#define G_ELI_MAGIC "GEOM::ELI" 52#define G_ELI_SUFFIX ".eli" 53 54/* 55 * Version history: 56 * 0 - Initial version number. 57 * 1 - Added data authentication support (md_aalgo field and 58 * G_ELI_FLAG_AUTH flag). 59 * 2 - Added G_ELI_FLAG_READONLY. 60 * 3 - Added 'configure' subcommand. 61 * 4 - IV is generated from offset converted to little-endian 62 * (flag G_ELI_FLAG_NATIVE_BYTE_ORDER will be set for older versions). 63 * 5 - Added multiple encrypton keys and AES-XTS support. 64 */ 65#define G_ELI_VERSION 5 66 67/* ON DISK FLAGS. */ 68/* Use random, onetime keys. */ 69#define G_ELI_FLAG_ONETIME 0x00000001 70/* Ask for the passphrase from the kernel, before mounting root. */ 71#define G_ELI_FLAG_BOOT 0x00000002 72/* Detach on last close, if we were open for writing. */ 73#define G_ELI_FLAG_WO_DETACH 0x00000004 74/* Detach on last close. */ 75#define G_ELI_FLAG_RW_DETACH 0x00000008 76/* Provide data authentication. */ 77#define G_ELI_FLAG_AUTH 0x00000010 78/* Provider is read-only, we should deny all write attempts. */ 79#define G_ELI_FLAG_RO 0x00000020 80/* RUNTIME FLAGS. */ 81/* Provider was open for writing. */ 82#define G_ELI_FLAG_WOPEN 0x00010000 83/* Destroy device. */ 84#define G_ELI_FLAG_DESTROY 0x00020000 85/* Provider uses native byte-order for IV generation. */ 86#define G_ELI_FLAG_NATIVE_BYTE_ORDER 0x00040000 87/* Provider uses single encryption key. */ 88#define G_ELI_FLAG_SINGLE_KEY 0x00080000 89/* Device suspended. */ 90#define G_ELI_FLAG_SUSPEND 0x00100000 91 92#define G_ELI_NEW_BIO 255 93 94#define SHA512_MDLEN 64 95#define G_ELI_AUTH_SECKEYLEN SHA256_DIGEST_LENGTH 96 97#define G_ELI_MAXMKEYS 2 98#define G_ELI_MAXKEYLEN 64 99#define G_ELI_USERKEYLEN G_ELI_MAXKEYLEN 100#define G_ELI_DATAKEYLEN G_ELI_MAXKEYLEN 101#define G_ELI_AUTHKEYLEN G_ELI_MAXKEYLEN 102#define G_ELI_IVKEYLEN G_ELI_MAXKEYLEN 103#define G_ELI_SALTLEN 64 104#define G_ELI_DATAIVKEYLEN (G_ELI_DATAKEYLEN + G_ELI_IVKEYLEN) 105/* Data-Key, IV-Key, HMAC_SHA512(Derived-Key, Data-Key+IV-Key) */ 106#define G_ELI_MKEYLEN (G_ELI_DATAIVKEYLEN + SHA512_MDLEN) 107#define G_ELI_OVERWRITES 5 108/* Switch data encryption key every 2^20 blocks. */ 109#define G_ELI_KEY_SHIFT 20 110 111#ifdef _KERNEL 112extern int g_eli_debug; 113extern u_int g_eli_overwrites; 114extern u_int g_eli_batch; 115 116#define G_ELI_CRYPTO_HW 1 117#define G_ELI_CRYPTO_SW 2 118 119#define G_ELI_DEBUG(lvl, ...) do { \ 120 if (g_eli_debug >= (lvl)) { \ 121 printf("GEOM_ELI"); \ 122 if (g_eli_debug > 0) \ 123 printf("[%u]", lvl); \ 124 printf(": "); \ 125 printf(__VA_ARGS__); \ 126 printf("\n"); \ 127 } \ 128} while (0) 129#define G_ELI_LOGREQ(lvl, bp, ...) do { \ 130 if (g_eli_debug >= (lvl)) { \ 131 printf("GEOM_ELI"); \ 132 if (g_eli_debug > 0) \ 133 printf("[%u]", lvl); \ 134 printf(": "); \ 135 printf(__VA_ARGS__); \ 136 printf(" "); \ 137 g_print_bio(bp); \ 138 printf("\n"); \ 139 } \ 140} while (0) 141 142struct g_eli_worker { 143 struct g_eli_softc *w_softc; 144 struct proc *w_proc; 145 u_int w_number; 146 uint64_t w_sid; 147 boolean_t w_active; 148 LIST_ENTRY(g_eli_worker) w_next; 149}; 150 151struct g_eli_softc { 152 struct g_geom *sc_geom; 153 u_int sc_crypto; 154 uint8_t sc_mkey[G_ELI_DATAIVKEYLEN]; 155 uint8_t **sc_ekeys; 156 u_int sc_nekeys; 157 u_int sc_ealgo; 158 u_int sc_ekeylen; 159 uint8_t sc_akey[G_ELI_AUTHKEYLEN]; 160 u_int sc_aalgo; 161 u_int sc_akeylen; 162 u_int sc_alen; 163 SHA256_CTX sc_akeyctx; 164 uint8_t sc_ivkey[G_ELI_IVKEYLEN]; 165 SHA256_CTX sc_ivctx; 166 int sc_nkey; 167 uint32_t sc_flags; 168 int sc_inflight; 169 off_t sc_mediasize; 170 size_t sc_sectorsize; 171 u_int sc_bytes_per_sector; 172 u_int sc_data_per_sector; 173 174 /* Only for software cryptography. */ 175 struct bio_queue_head sc_queue; 176 struct mtx sc_queue_mtx; 177 LIST_HEAD(, g_eli_worker) sc_workers; 178}; 179#define sc_name sc_geom->name 180#endif /* _KERNEL */ 181 182struct g_eli_metadata { 183 char md_magic[16]; /* Magic value. */ 184 uint32_t md_version; /* Version number. */ 185 uint32_t md_flags; /* Additional flags. */ 186 uint16_t md_ealgo; /* Encryption algorithm. */ 187 uint16_t md_keylen; /* Key length. */ 188 uint16_t md_aalgo; /* Authentication algorithm. */ 189 uint64_t md_provsize; /* Provider's size. */ 190 uint32_t md_sectorsize; /* Sector size. */ 191 uint8_t md_keys; /* Available keys. */ 192 int32_t md_iterations; /* Number of iterations for PKCS#5v2. */ 193 uint8_t md_salt[G_ELI_SALTLEN]; /* Salt. */ 194 /* Encrypted master key (IV-key, Data-key, HMAC). */ 195 uint8_t md_mkeys[G_ELI_MAXMKEYS * G_ELI_MKEYLEN]; 196 u_char md_hash[16]; /* MD5 hash. */ 197} __packed; 198#ifndef _OpenSSL_ 199static __inline void 200eli_metadata_encode(struct g_eli_metadata *md, u_char *data) 201{ 202 MD5_CTX ctx; 203 u_char *p; 204 205 p = data; 206 bcopy(md->md_magic, p, sizeof(md->md_magic)); p += sizeof(md->md_magic); 207 le32enc(p, md->md_version); p += sizeof(md->md_version); 208 le32enc(p, md->md_flags); p += sizeof(md->md_flags); 209 le16enc(p, md->md_ealgo); p += sizeof(md->md_ealgo); 210 le16enc(p, md->md_keylen); p += sizeof(md->md_keylen); 211 le16enc(p, md->md_aalgo); p += sizeof(md->md_aalgo); 212 le64enc(p, md->md_provsize); p += sizeof(md->md_provsize); 213 le32enc(p, md->md_sectorsize); p += sizeof(md->md_sectorsize); 214 *p = md->md_keys; p += sizeof(md->md_keys); 215 le32enc(p, md->md_iterations); p += sizeof(md->md_iterations); 216 bcopy(md->md_salt, p, sizeof(md->md_salt)); p += sizeof(md->md_salt); 217 bcopy(md->md_mkeys, p, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys); 218 MD5Init(&ctx); 219 MD5Update(&ctx, data, p - data); 220 MD5Final(md->md_hash, &ctx); 221 bcopy(md->md_hash, p, sizeof(md->md_hash)); 222} 223static __inline int 224eli_metadata_decode_v0(const u_char *data, struct g_eli_metadata *md) 225{ 226 MD5_CTX ctx; 227 const u_char *p; 228 229 p = data + sizeof(md->md_magic) + sizeof(md->md_version); 230 md->md_flags = le32dec(p); p += sizeof(md->md_flags); 231 md->md_ealgo = le16dec(p); p += sizeof(md->md_ealgo); 232 md->md_keylen = le16dec(p); p += sizeof(md->md_keylen); 233 md->md_provsize = le64dec(p); p += sizeof(md->md_provsize); 234 md->md_sectorsize = le32dec(p); p += sizeof(md->md_sectorsize); 235 md->md_keys = *p; p += sizeof(md->md_keys); 236 md->md_iterations = le32dec(p); p += sizeof(md->md_iterations); 237 bcopy(p, md->md_salt, sizeof(md->md_salt)); p += sizeof(md->md_salt); 238 bcopy(p, md->md_mkeys, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys); 239 MD5Init(&ctx); 240 MD5Update(&ctx, data, p - data); 241 MD5Final(md->md_hash, &ctx); 242 if (bcmp(md->md_hash, p, 16) != 0) 243 return (EINVAL); 244 return (0); 245} 246 247static __inline int 248eli_metadata_decode_v1v2v3v4v5(const u_char *data, struct g_eli_metadata *md) 249{ 250 MD5_CTX ctx; 251 const u_char *p; 252 253 p = data + sizeof(md->md_magic) + sizeof(md->md_version); 254 md->md_flags = le32dec(p); p += sizeof(md->md_flags); 255 md->md_ealgo = le16dec(p); p += sizeof(md->md_ealgo); 256 md->md_keylen = le16dec(p); p += sizeof(md->md_keylen); 257 md->md_aalgo = le16dec(p); p += sizeof(md->md_aalgo); 258 md->md_provsize = le64dec(p); p += sizeof(md->md_provsize); 259 md->md_sectorsize = le32dec(p); p += sizeof(md->md_sectorsize); 260 md->md_keys = *p; p += sizeof(md->md_keys); 261 md->md_iterations = le32dec(p); p += sizeof(md->md_iterations); 262 bcopy(p, md->md_salt, sizeof(md->md_salt)); p += sizeof(md->md_salt); 263 bcopy(p, md->md_mkeys, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys); 264 MD5Init(&ctx); 265 MD5Update(&ctx, data, p - data); 266 MD5Final(md->md_hash, &ctx); 267 if (bcmp(md->md_hash, p, 16) != 0) 268 return (EINVAL); 269 return (0); 270} 271static __inline int 272eli_metadata_decode(const u_char *data, struct g_eli_metadata *md) 273{ 274 int error; 275 276 bcopy(data, md->md_magic, sizeof(md->md_magic)); 277 md->md_version = le32dec(data + sizeof(md->md_magic)); 278 switch (md->md_version) { 279 case 0: 280 error = eli_metadata_decode_v0(data, md); 281 break; 282 case 1: 283 case 2: 284 case 3: 285 case 4: 286 case 5: 287 error = eli_metadata_decode_v1v2v3v4v5(data, md); 288 break; 289 default: 290 error = EINVAL; 291 break; 292 } 293 return (error); 294} 295#endif /* !_OpenSSL */ 296 297static __inline u_int 298g_eli_str2ealgo(const char *name) 299{ 300 301 if (strcasecmp("null", name) == 0) 302 return (CRYPTO_NULL_CBC); 303 else if (strcasecmp("null-cbc", name) == 0) 304 return (CRYPTO_NULL_CBC); 305 else if (strcasecmp("aes", name) == 0) 306 return (CRYPTO_AES_XTS); 307 else if (strcasecmp("aes-cbc", name) == 0) 308 return (CRYPTO_AES_CBC); 309 else if (strcasecmp("aes-xts", name) == 0) 310 return (CRYPTO_AES_XTS); 311 else if (strcasecmp("blowfish", name) == 0) 312 return (CRYPTO_BLF_CBC); 313 else if (strcasecmp("blowfish-cbc", name) == 0) 314 return (CRYPTO_BLF_CBC); 315 else if (strcasecmp("camellia", name) == 0) 316 return (CRYPTO_CAMELLIA_CBC); 317 else if (strcasecmp("camellia-cbc", name) == 0) 318 return (CRYPTO_CAMELLIA_CBC); 319 else if (strcasecmp("3des", name) == 0) 320 return (CRYPTO_3DES_CBC); 321 else if (strcasecmp("3des-cbc", name) == 0) 322 return (CRYPTO_3DES_CBC); 323 return (CRYPTO_ALGORITHM_MIN - 1); 324} 325 326static __inline u_int 327g_eli_str2aalgo(const char *name) 328{ 329 330 if (strcasecmp("hmac/md5", name) == 0) 331 return (CRYPTO_MD5_HMAC); 332 else if (strcasecmp("hmac/sha1", name) == 0) 333 return (CRYPTO_SHA1_HMAC); 334 else if (strcasecmp("hmac/ripemd160", name) == 0) 335 return (CRYPTO_RIPEMD160_HMAC); 336 else if (strcasecmp("hmac/sha256", name) == 0) 337 return (CRYPTO_SHA2_256_HMAC); 338 else if (strcasecmp("hmac/sha384", name) == 0) 339 return (CRYPTO_SHA2_384_HMAC); 340 else if (strcasecmp("hmac/sha512", name) == 0) 341 return (CRYPTO_SHA2_512_HMAC); 342 return (CRYPTO_ALGORITHM_MIN - 1); 343} 344 345static __inline const char * 346g_eli_algo2str(u_int algo) 347{ 348 349 switch (algo) { 350 case CRYPTO_NULL_CBC: 351 return ("NULL"); 352 case CRYPTO_AES_CBC: 353 return ("AES-CBC"); 354 case CRYPTO_AES_XTS: 355 return ("AES-XTS"); 356 case CRYPTO_BLF_CBC: 357 return ("Blowfish-CBC"); 358 case CRYPTO_CAMELLIA_CBC: 359 return ("CAMELLIA-CBC"); 360 case CRYPTO_3DES_CBC: 361 return ("3DES-CBC"); 362 case CRYPTO_MD5_HMAC: 363 return ("HMAC/MD5"); 364 case CRYPTO_SHA1_HMAC: 365 return ("HMAC/SHA1"); 366 case CRYPTO_RIPEMD160_HMAC: 367 return ("HMAC/RIPEMD160"); 368 case CRYPTO_SHA2_256_HMAC: 369 return ("HMAC/SHA256"); 370 case CRYPTO_SHA2_384_HMAC: 371 return ("HMAC/SHA384"); 372 case CRYPTO_SHA2_512_HMAC: 373 return ("HMAC/SHA512"); 374 } 375 return ("unknown"); 376} 377 378static __inline void 379eli_metadata_dump(const struct g_eli_metadata *md) 380{ 381 static const char hex[] = "0123456789abcdef"; 382 char str[sizeof(md->md_mkeys) * 2 + 1]; 383 u_int i; 384 385 printf(" magic: %s\n", md->md_magic); 386 printf(" version: %u\n", (u_int)md->md_version); 387 printf(" flags: 0x%x\n", (u_int)md->md_flags); 388 printf(" ealgo: %s\n", g_eli_algo2str(md->md_ealgo)); 389 printf(" keylen: %u\n", (u_int)md->md_keylen); 390 if (md->md_flags & G_ELI_FLAG_AUTH) 391 printf(" aalgo: %s\n", g_eli_algo2str(md->md_aalgo)); 392 printf(" provsize: %ju\n", (uintmax_t)md->md_provsize); 393 printf("sectorsize: %u\n", (u_int)md->md_sectorsize); 394 printf(" keys: 0x%02x\n", (u_int)md->md_keys); 395 printf("iterations: %u\n", (u_int)md->md_iterations); 396 bzero(str, sizeof(str)); 397 for (i = 0; i < sizeof(md->md_salt); i++) { 398 str[i * 2] = hex[md->md_salt[i] >> 4]; 399 str[i * 2 + 1] = hex[md->md_salt[i] & 0x0f]; 400 } 401 printf(" Salt: %s\n", str); 402 bzero(str, sizeof(str)); 403 for (i = 0; i < sizeof(md->md_mkeys); i++) { 404 str[i * 2] = hex[md->md_mkeys[i] >> 4]; 405 str[i * 2 + 1] = hex[md->md_mkeys[i] & 0x0f]; 406 } 407 printf("Master Key: %s\n", str); 408 bzero(str, sizeof(str)); 409 for (i = 0; i < 16; i++) { 410 str[i * 2] = hex[md->md_hash[i] >> 4]; 411 str[i * 2 + 1] = hex[md->md_hash[i] & 0x0f]; 412 } 413 printf(" MD5 hash: %s\n", str); 414} 415 416static __inline u_int 417g_eli_keylen(u_int algo, u_int keylen) 418{ 419 420 switch (algo) { 421 case CRYPTO_NULL_CBC: 422 if (keylen == 0) 423 keylen = 64 * 8; 424 else { 425 if (keylen > 64 * 8) 426 keylen = 0; 427 } 428 return (keylen); 429 case CRYPTO_AES_CBC: 430 case CRYPTO_CAMELLIA_CBC: 431 switch (keylen) { 432 case 0: 433 return (128); 434 case 128: 435 case 192: 436 case 256: 437 return (keylen); 438 default: 439 return (0); 440 } 441 case CRYPTO_AES_XTS: 442 switch (keylen) { 443 case 0: 444 return (128); 445 case 128: 446 case 256: 447 return (keylen); 448 default: 449 return (0); 450 } 451 case CRYPTO_BLF_CBC: 452 if (keylen == 0) 453 return (128); 454 if (keylen < 128 || keylen > 448) 455 return (0); 456 if ((keylen % 32) != 0) 457 return (0); 458 return (keylen); 459 case CRYPTO_3DES_CBC: 460 if (keylen == 0 || keylen == 192) 461 return (192); 462 return (0); 463 default: 464 return (0); 465 } 466} 467 468static __inline u_int 469g_eli_hashlen(u_int algo) 470{ 471 472 switch (algo) { 473 case CRYPTO_MD5_HMAC: 474 return (16); 475 case CRYPTO_SHA1_HMAC: 476 return (20); 477 case CRYPTO_RIPEMD160_HMAC: 478 return (20); 479 case CRYPTO_SHA2_256_HMAC: 480 return (32); 481 case CRYPTO_SHA2_384_HMAC: 482 return (48); 483 case CRYPTO_SHA2_512_HMAC: 484 return (64); 485 } 486 return (0); 487} 488 489#ifdef _KERNEL 490int g_eli_read_metadata(struct g_class *mp, struct g_provider *pp, 491 struct g_eli_metadata *md); 492struct g_geom *g_eli_create(struct gctl_req *req, struct g_class *mp, 493 struct g_provider *bpp, const struct g_eli_metadata *md, 494 const u_char *mkey, int nkey); 495int g_eli_destroy(struct g_eli_softc *sc, boolean_t force); 496 497int g_eli_access(struct g_provider *pp, int dr, int dw, int de); 498void g_eli_config(struct gctl_req *req, struct g_class *mp, const char *verb); 499 500void g_eli_read_done(struct bio *bp); 501void g_eli_write_done(struct bio *bp); 502int g_eli_crypto_rerun(struct cryptop *crp); 503uint8_t *g_eli_crypto_key(struct g_eli_softc *sc, off_t offset, 504 size_t blocksize); 505void g_eli_crypto_ivgen(struct g_eli_softc *sc, off_t offset, u_char *iv, 506 size_t size); 507 508void g_eli_crypto_read(struct g_eli_softc *sc, struct bio *bp, boolean_t fromworker); 509void g_eli_crypto_run(struct g_eli_worker *wr, struct bio *bp); 510 511void g_eli_auth_read(struct g_eli_softc *sc, struct bio *bp); 512void g_eli_auth_run(struct g_eli_worker *wr, struct bio *bp); 513#endif 514 515void g_eli_mkey_hmac(unsigned char *mkey, const unsigned char *key); 516int g_eli_mkey_decrypt(const struct g_eli_metadata *md, 517 const unsigned char *key, unsigned char *mkey, unsigned *nkeyp); 518int g_eli_mkey_encrypt(unsigned algo, const unsigned char *key, unsigned keylen, 519 unsigned char *mkey); 520#ifdef _KERNEL 521void g_eli_mkey_propagate(struct g_eli_softc *sc, const unsigned char *mkey); 522#endif 523 524int g_eli_crypto_encrypt(u_int algo, u_char *data, size_t datasize, 525 const u_char *key, size_t keysize); 526int g_eli_crypto_decrypt(u_int algo, u_char *data, size_t datasize, 527 const u_char *key, size_t keysize); 528 529struct hmac_ctx { 530 SHA512_CTX shactx; 531 u_char k_opad[128]; 532}; 533 534void g_eli_crypto_hmac_init(struct hmac_ctx *ctx, const uint8_t *hkey, 535 size_t hkeylen); 536void g_eli_crypto_hmac_update(struct hmac_ctx *ctx, const uint8_t *data, 537 size_t datasize); 538void g_eli_crypto_hmac_final(struct hmac_ctx *ctx, uint8_t *md, size_t mdsize); 539void g_eli_crypto_hmac(const uint8_t *hkey, size_t hkeysize, 540 const uint8_t *data, size_t datasize, uint8_t *md, size_t mdsize); 541#endif /* !_G_ELI_H_ */ 542