g_eli.h revision 213165
1/*- 2 * Copyright (c) 2005-2010 Pawel Jakub Dawidek <pjd@FreeBSD.org> 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24 * SUCH DAMAGE. 25 * 26 * $FreeBSD: head/sys/geom/eli/g_eli.h 213165 2010-09-25 10:32:04Z pjd $ 27 */ 28 29#ifndef _G_ELI_H_ 30#define _G_ELI_H_ 31 32#include <sys/endian.h> 33#include <sys/errno.h> 34#include <sys/malloc.h> 35#include <crypto/sha2/sha2.h> 36#include <opencrypto/cryptodev.h> 37#ifdef _KERNEL 38#include <sys/bio.h> 39#include <sys/libkern.h> 40#include <geom/geom.h> 41#else 42#include <stdio.h> 43#include <string.h> 44#include <strings.h> 45#endif 46#ifndef _OpenSSL_ 47#include <sys/md5.h> 48#endif 49 50#define G_ELI_CLASS_NAME "ELI" 51#define G_ELI_MAGIC "GEOM::ELI" 52#define G_ELI_SUFFIX ".eli" 53 54/* 55 * Version history: 56 * 0 - Initial version number. 57 * 1 - Added data authentication support (md_aalgo field and 58 * G_ELI_FLAG_AUTH flag). 59 * 2 - Added G_ELI_FLAG_READONLY. 60 * 3 - Added 'configure' subcommand. 61 * 4 - IV is generated from offset converted to little-endian 62 * (flag G_ELI_FLAG_NATIVE_BYTE_ORDER will be set for older versions). 63 * 5 - Added multiple encrypton keys and AES-XTS support. 64 */ 65#define G_ELI_VERSION 5 66 67/* ON DISK FLAGS. */ 68/* Use random, onetime keys. */ 69#define G_ELI_FLAG_ONETIME 0x00000001 70/* Ask for the passphrase from the kernel, before mounting root. */ 71#define G_ELI_FLAG_BOOT 0x00000002 72/* Detach on last close, if we were open for writing. */ 73#define G_ELI_FLAG_WO_DETACH 0x00000004 74/* Detach on last close. */ 75#define G_ELI_FLAG_RW_DETACH 0x00000008 76/* Provide data authentication. */ 77#define G_ELI_FLAG_AUTH 0x00000010 78/* Provider is read-only, we should deny all write attempts. */ 79#define G_ELI_FLAG_RO 0x00000020 80/* RUNTIME FLAGS. */ 81/* Provider was open for writing. */ 82#define G_ELI_FLAG_WOPEN 0x00010000 83/* Destroy device. */ 84#define G_ELI_FLAG_DESTROY 0x00020000 85/* Provider uses native byte-order for IV generation. */ 86#define G_ELI_FLAG_NATIVE_BYTE_ORDER 0x00040000 87/* Provider uses single encryption key. */ 88#define G_ELI_FLAG_SINGLE_KEY 0x00080000 89 90#define SHA512_MDLEN 64 91#define G_ELI_AUTH_SECKEYLEN SHA256_DIGEST_LENGTH 92 93#define G_ELI_MAXMKEYS 2 94#define G_ELI_MAXKEYLEN 64 95#define G_ELI_USERKEYLEN G_ELI_MAXKEYLEN 96#define G_ELI_DATAKEYLEN G_ELI_MAXKEYLEN 97#define G_ELI_AUTHKEYLEN G_ELI_MAXKEYLEN 98#define G_ELI_IVKEYLEN G_ELI_MAXKEYLEN 99#define G_ELI_SALTLEN 64 100#define G_ELI_DATAIVKEYLEN (G_ELI_DATAKEYLEN + G_ELI_IVKEYLEN) 101/* Data-Key, IV-Key, HMAC_SHA512(Derived-Key, Data-Key+IV-Key) */ 102#define G_ELI_MKEYLEN (G_ELI_DATAIVKEYLEN + SHA512_MDLEN) 103#define G_ELI_OVERWRITES 5 104/* Switch data encryption key every 2^20 blocks. */ 105#define G_ELI_KEY_SHIFT 20 106 107#ifdef _KERNEL 108extern int g_eli_debug; 109extern u_int g_eli_overwrites; 110extern u_int g_eli_batch; 111 112#define G_ELI_CRYPTO_HW 1 113#define G_ELI_CRYPTO_SW 2 114 115#define G_ELI_DEBUG(lvl, ...) do { \ 116 if (g_eli_debug >= (lvl)) { \ 117 printf("GEOM_ELI"); \ 118 if (g_eli_debug > 0) \ 119 printf("[%u]", lvl); \ 120 printf(": "); \ 121 printf(__VA_ARGS__); \ 122 printf("\n"); \ 123 } \ 124} while (0) 125#define G_ELI_LOGREQ(lvl, bp, ...) do { \ 126 if (g_eli_debug >= (lvl)) { \ 127 printf("GEOM_ELI"); \ 128 if (g_eli_debug > 0) \ 129 printf("[%u]", lvl); \ 130 printf(": "); \ 131 printf(__VA_ARGS__); \ 132 printf(" "); \ 133 g_print_bio(bp); \ 134 printf("\n"); \ 135 } \ 136} while (0) 137 138struct g_eli_worker { 139 struct g_eli_softc *w_softc; 140 struct proc *w_proc; 141 u_int w_number; 142 uint64_t w_sid; 143 LIST_ENTRY(g_eli_worker) w_next; 144}; 145 146struct g_eli_softc { 147 struct g_geom *sc_geom; 148 u_int sc_crypto; 149 uint8_t sc_mkey[G_ELI_DATAIVKEYLEN]; 150 uint8_t **sc_ekeys; 151 u_int sc_nekeys; 152 u_int sc_ealgo; 153 u_int sc_ekeylen; 154 uint8_t sc_akey[G_ELI_AUTHKEYLEN]; 155 u_int sc_aalgo; 156 u_int sc_akeylen; 157 u_int sc_alen; 158 SHA256_CTX sc_akeyctx; 159 uint8_t sc_ivkey[G_ELI_IVKEYLEN]; 160 SHA256_CTX sc_ivctx; 161 int sc_nkey; 162 uint32_t sc_flags; 163 off_t sc_mediasize; 164 size_t sc_sectorsize; 165 u_int sc_bytes_per_sector; 166 u_int sc_data_per_sector; 167 168 /* Only for software cryptography. */ 169 struct bio_queue_head sc_queue; 170 struct mtx sc_queue_mtx; 171 LIST_HEAD(, g_eli_worker) sc_workers; 172}; 173#define sc_name sc_geom->name 174#endif /* _KERNEL */ 175 176struct g_eli_metadata { 177 char md_magic[16]; /* Magic value. */ 178 uint32_t md_version; /* Version number. */ 179 uint32_t md_flags; /* Additional flags. */ 180 uint16_t md_ealgo; /* Encryption algorithm. */ 181 uint16_t md_keylen; /* Key length. */ 182 uint16_t md_aalgo; /* Authentication algorithm. */ 183 uint64_t md_provsize; /* Provider's size. */ 184 uint32_t md_sectorsize; /* Sector size. */ 185 uint8_t md_keys; /* Available keys. */ 186 int32_t md_iterations; /* Number of iterations for PKCS#5v2. */ 187 uint8_t md_salt[G_ELI_SALTLEN]; /* Salt. */ 188 /* Encrypted master key (IV-key, Data-key, HMAC). */ 189 uint8_t md_mkeys[G_ELI_MAXMKEYS * G_ELI_MKEYLEN]; 190 u_char md_hash[16]; /* MD5 hash. */ 191} __packed; 192#ifndef _OpenSSL_ 193static __inline void 194eli_metadata_encode(struct g_eli_metadata *md, u_char *data) 195{ 196 MD5_CTX ctx; 197 u_char *p; 198 199 p = data; 200 bcopy(md->md_magic, p, sizeof(md->md_magic)); p += sizeof(md->md_magic); 201 le32enc(p, md->md_version); p += sizeof(md->md_version); 202 le32enc(p, md->md_flags); p += sizeof(md->md_flags); 203 le16enc(p, md->md_ealgo); p += sizeof(md->md_ealgo); 204 le16enc(p, md->md_keylen); p += sizeof(md->md_keylen); 205 le16enc(p, md->md_aalgo); p += sizeof(md->md_aalgo); 206 le64enc(p, md->md_provsize); p += sizeof(md->md_provsize); 207 le32enc(p, md->md_sectorsize); p += sizeof(md->md_sectorsize); 208 *p = md->md_keys; p += sizeof(md->md_keys); 209 le32enc(p, md->md_iterations); p += sizeof(md->md_iterations); 210 bcopy(md->md_salt, p, sizeof(md->md_salt)); p += sizeof(md->md_salt); 211 bcopy(md->md_mkeys, p, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys); 212 MD5Init(&ctx); 213 MD5Update(&ctx, data, p - data); 214 MD5Final(md->md_hash, &ctx); 215 bcopy(md->md_hash, p, sizeof(md->md_hash)); 216} 217static __inline int 218eli_metadata_decode_v0(const u_char *data, struct g_eli_metadata *md) 219{ 220 MD5_CTX ctx; 221 const u_char *p; 222 223 p = data + sizeof(md->md_magic) + sizeof(md->md_version); 224 md->md_flags = le32dec(p); p += sizeof(md->md_flags); 225 md->md_ealgo = le16dec(p); p += sizeof(md->md_ealgo); 226 md->md_keylen = le16dec(p); p += sizeof(md->md_keylen); 227 md->md_provsize = le64dec(p); p += sizeof(md->md_provsize); 228 md->md_sectorsize = le32dec(p); p += sizeof(md->md_sectorsize); 229 md->md_keys = *p; p += sizeof(md->md_keys); 230 md->md_iterations = le32dec(p); p += sizeof(md->md_iterations); 231 bcopy(p, md->md_salt, sizeof(md->md_salt)); p += sizeof(md->md_salt); 232 bcopy(p, md->md_mkeys, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys); 233 MD5Init(&ctx); 234 MD5Update(&ctx, data, p - data); 235 MD5Final(md->md_hash, &ctx); 236 if (bcmp(md->md_hash, p, 16) != 0) 237 return (EINVAL); 238 return (0); 239} 240 241static __inline int 242eli_metadata_decode_v1v2v3v4v5(const u_char *data, struct g_eli_metadata *md) 243{ 244 MD5_CTX ctx; 245 const u_char *p; 246 247 p = data + sizeof(md->md_magic) + sizeof(md->md_version); 248 md->md_flags = le32dec(p); p += sizeof(md->md_flags); 249 md->md_ealgo = le16dec(p); p += sizeof(md->md_ealgo); 250 md->md_keylen = le16dec(p); p += sizeof(md->md_keylen); 251 md->md_aalgo = le16dec(p); p += sizeof(md->md_aalgo); 252 md->md_provsize = le64dec(p); p += sizeof(md->md_provsize); 253 md->md_sectorsize = le32dec(p); p += sizeof(md->md_sectorsize); 254 md->md_keys = *p; p += sizeof(md->md_keys); 255 md->md_iterations = le32dec(p); p += sizeof(md->md_iterations); 256 bcopy(p, md->md_salt, sizeof(md->md_salt)); p += sizeof(md->md_salt); 257 bcopy(p, md->md_mkeys, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys); 258 MD5Init(&ctx); 259 MD5Update(&ctx, data, p - data); 260 MD5Final(md->md_hash, &ctx); 261 if (bcmp(md->md_hash, p, 16) != 0) 262 return (EINVAL); 263 return (0); 264} 265static __inline int 266eli_metadata_decode(const u_char *data, struct g_eli_metadata *md) 267{ 268 int error; 269 270 bcopy(data, md->md_magic, sizeof(md->md_magic)); 271 md->md_version = le32dec(data + sizeof(md->md_magic)); 272 switch (md->md_version) { 273 case 0: 274 error = eli_metadata_decode_v0(data, md); 275 break; 276 case 1: 277 case 2: 278 case 3: 279 case 4: 280 case 5: 281 error = eli_metadata_decode_v1v2v3v4v5(data, md); 282 break; 283 default: 284 error = EINVAL; 285 break; 286 } 287 return (error); 288} 289#endif /* !_OpenSSL */ 290 291static __inline u_int 292g_eli_str2ealgo(const char *name) 293{ 294 295 if (strcasecmp("null", name) == 0) 296 return (CRYPTO_NULL_CBC); 297 else if (strcasecmp("null-cbc", name) == 0) 298 return (CRYPTO_NULL_CBC); 299 else if (strcasecmp("aes", name) == 0) 300 return (CRYPTO_AES_XTS); 301 else if (strcasecmp("aes-cbc", name) == 0) 302 return (CRYPTO_AES_CBC); 303 else if (strcasecmp("aes-xts", name) == 0) 304 return (CRYPTO_AES_XTS); 305 else if (strcasecmp("blowfish", name) == 0) 306 return (CRYPTO_BLF_CBC); 307 else if (strcasecmp("blowfish-cbc", name) == 0) 308 return (CRYPTO_BLF_CBC); 309 else if (strcasecmp("camellia", name) == 0) 310 return (CRYPTO_CAMELLIA_CBC); 311 else if (strcasecmp("camellia-cbc", name) == 0) 312 return (CRYPTO_CAMELLIA_CBC); 313 else if (strcasecmp("3des", name) == 0) 314 return (CRYPTO_3DES_CBC); 315 else if (strcasecmp("3des-cbc", name) == 0) 316 return (CRYPTO_3DES_CBC); 317 return (CRYPTO_ALGORITHM_MIN - 1); 318} 319 320static __inline u_int 321g_eli_str2aalgo(const char *name) 322{ 323 324 if (strcasecmp("hmac/md5", name) == 0) 325 return (CRYPTO_MD5_HMAC); 326 else if (strcasecmp("hmac/sha1", name) == 0) 327 return (CRYPTO_SHA1_HMAC); 328 else if (strcasecmp("hmac/ripemd160", name) == 0) 329 return (CRYPTO_RIPEMD160_HMAC); 330 else if (strcasecmp("hmac/sha256", name) == 0) 331 return (CRYPTO_SHA2_256_HMAC); 332 else if (strcasecmp("hmac/sha384", name) == 0) 333 return (CRYPTO_SHA2_384_HMAC); 334 else if (strcasecmp("hmac/sha512", name) == 0) 335 return (CRYPTO_SHA2_512_HMAC); 336 return (CRYPTO_ALGORITHM_MIN - 1); 337} 338 339static __inline const char * 340g_eli_algo2str(u_int algo) 341{ 342 343 switch (algo) { 344 case CRYPTO_NULL_CBC: 345 return ("NULL"); 346 case CRYPTO_AES_CBC: 347 return ("AES-CBC"); 348 case CRYPTO_AES_XTS: 349 return ("AES-XTS"); 350 case CRYPTO_BLF_CBC: 351 return ("Blowfish-CBC"); 352 case CRYPTO_CAMELLIA_CBC: 353 return ("CAMELLIA-CBC"); 354 case CRYPTO_3DES_CBC: 355 return ("3DES-CBC"); 356 case CRYPTO_MD5_HMAC: 357 return ("HMAC/MD5"); 358 case CRYPTO_SHA1_HMAC: 359 return ("HMAC/SHA1"); 360 case CRYPTO_RIPEMD160_HMAC: 361 return ("HMAC/RIPEMD160"); 362 case CRYPTO_SHA2_256_HMAC: 363 return ("HMAC/SHA256"); 364 case CRYPTO_SHA2_384_HMAC: 365 return ("HMAC/SHA384"); 366 case CRYPTO_SHA2_512_HMAC: 367 return ("HMAC/SHA512"); 368 } 369 return ("unknown"); 370} 371 372static __inline void 373eli_metadata_dump(const struct g_eli_metadata *md) 374{ 375 static const char hex[] = "0123456789abcdef"; 376 char str[sizeof(md->md_mkeys) * 2 + 1]; 377 u_int i; 378 379 printf(" magic: %s\n", md->md_magic); 380 printf(" version: %u\n", (u_int)md->md_version); 381 printf(" flags: 0x%x\n", (u_int)md->md_flags); 382 printf(" ealgo: %s\n", g_eli_algo2str(md->md_ealgo)); 383 printf(" keylen: %u\n", (u_int)md->md_keylen); 384 if (md->md_flags & G_ELI_FLAG_AUTH) 385 printf(" aalgo: %s\n", g_eli_algo2str(md->md_aalgo)); 386 printf(" provsize: %ju\n", (uintmax_t)md->md_provsize); 387 printf("sectorsize: %u\n", (u_int)md->md_sectorsize); 388 printf(" keys: 0x%02x\n", (u_int)md->md_keys); 389 printf("iterations: %u\n", (u_int)md->md_iterations); 390 bzero(str, sizeof(str)); 391 for (i = 0; i < sizeof(md->md_salt); i++) { 392 str[i * 2] = hex[md->md_salt[i] >> 4]; 393 str[i * 2 + 1] = hex[md->md_salt[i] & 0x0f]; 394 } 395 printf(" Salt: %s\n", str); 396 bzero(str, sizeof(str)); 397 for (i = 0; i < sizeof(md->md_mkeys); i++) { 398 str[i * 2] = hex[md->md_mkeys[i] >> 4]; 399 str[i * 2 + 1] = hex[md->md_mkeys[i] & 0x0f]; 400 } 401 printf("Master Key: %s\n", str); 402 bzero(str, sizeof(str)); 403 for (i = 0; i < 16; i++) { 404 str[i * 2] = hex[md->md_hash[i] >> 4]; 405 str[i * 2 + 1] = hex[md->md_hash[i] & 0x0f]; 406 } 407 printf(" MD5 hash: %s\n", str); 408} 409 410static __inline u_int 411g_eli_keylen(u_int algo, u_int keylen) 412{ 413 414 switch (algo) { 415 case CRYPTO_NULL_CBC: 416 if (keylen == 0) 417 keylen = 64 * 8; 418 else { 419 if (keylen > 64 * 8) 420 keylen = 0; 421 } 422 return (keylen); 423 case CRYPTO_AES_CBC: 424 case CRYPTO_CAMELLIA_CBC: 425 switch (keylen) { 426 case 0: 427 return (128); 428 case 128: 429 case 192: 430 case 256: 431 return (keylen); 432 default: 433 return (0); 434 } 435 case CRYPTO_AES_XTS: 436 switch (keylen) { 437 case 0: 438 return (128); 439 case 128: 440 case 256: 441 return (keylen); 442 default: 443 return (0); 444 } 445 case CRYPTO_BLF_CBC: 446 if (keylen == 0) 447 return (128); 448 if (keylen < 128 || keylen > 448) 449 return (0); 450 if ((keylen % 32) != 0) 451 return (0); 452 return (keylen); 453 case CRYPTO_3DES_CBC: 454 if (keylen == 0 || keylen == 192) 455 return (192); 456 return (0); 457 default: 458 return (0); 459 } 460} 461 462static __inline u_int 463g_eli_hashlen(u_int algo) 464{ 465 466 switch (algo) { 467 case CRYPTO_MD5_HMAC: 468 return (16); 469 case CRYPTO_SHA1_HMAC: 470 return (20); 471 case CRYPTO_RIPEMD160_HMAC: 472 return (20); 473 case CRYPTO_SHA2_256_HMAC: 474 return (32); 475 case CRYPTO_SHA2_384_HMAC: 476 return (48); 477 case CRYPTO_SHA2_512_HMAC: 478 return (64); 479 } 480 return (0); 481} 482 483#ifdef _KERNEL 484int g_eli_read_metadata(struct g_class *mp, struct g_provider *pp, 485 struct g_eli_metadata *md); 486struct g_geom *g_eli_create(struct gctl_req *req, struct g_class *mp, 487 struct g_provider *bpp, const struct g_eli_metadata *md, 488 const u_char *mkey, int nkey); 489int g_eli_destroy(struct g_eli_softc *sc, boolean_t force); 490 491int g_eli_access(struct g_provider *pp, int dr, int dw, int de); 492void g_eli_config(struct gctl_req *req, struct g_class *mp, const char *verb); 493 494void g_eli_read_done(struct bio *bp); 495void g_eli_write_done(struct bio *bp); 496int g_eli_crypto_rerun(struct cryptop *crp); 497uint8_t *g_eli_crypto_key(struct g_eli_softc *sc, off_t offset, 498 size_t blocksize); 499void g_eli_crypto_ivgen(struct g_eli_softc *sc, off_t offset, u_char *iv, 500 size_t size); 501 502void g_eli_crypto_run(struct g_eli_worker *wr, struct bio *bp); 503 504void g_eli_auth_read(struct g_eli_softc *sc, struct bio *bp); 505void g_eli_auth_run(struct g_eli_worker *wr, struct bio *bp); 506#endif 507 508void g_eli_mkey_hmac(unsigned char *mkey, const unsigned char *key); 509int g_eli_mkey_decrypt(const struct g_eli_metadata *md, 510 const unsigned char *key, unsigned char *mkey, unsigned *nkeyp); 511int g_eli_mkey_encrypt(unsigned algo, const unsigned char *key, unsigned keylen, 512 unsigned char *mkey); 513#ifdef _KERNEL 514void g_eli_mkey_propagate(struct g_eli_softc *sc, const unsigned char *mkey); 515#endif 516 517int g_eli_crypto_encrypt(u_int algo, u_char *data, size_t datasize, 518 const u_char *key, size_t keysize); 519int g_eli_crypto_decrypt(u_int algo, u_char *data, size_t datasize, 520 const u_char *key, size_t keysize); 521 522struct hmac_ctx { 523 SHA512_CTX shactx; 524 u_char k_opad[128]; 525}; 526 527void g_eli_crypto_hmac_init(struct hmac_ctx *ctx, const uint8_t *hkey, 528 size_t hkeylen); 529void g_eli_crypto_hmac_update(struct hmac_ctx *ctx, const uint8_t *data, 530 size_t datasize); 531void g_eli_crypto_hmac_final(struct hmac_ctx *ctx, uint8_t *md, size_t mdsize); 532void g_eli_crypto_hmac(const uint8_t *hkey, size_t hkeysize, 533 const uint8_t *data, size_t datasize, uint8_t *md, size_t mdsize); 534#endif /* !_G_ELI_H_ */ 535