1/*- 2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD 3 * 4 * Copyright (c) 2005-2011 Pawel Jakub Dawidek <pawel@dawidek.net> 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26 * SUCH DAMAGE. 27 * 28 * $FreeBSD$ 29 */ 30 31#ifndef _G_ELI_H_ 32#define _G_ELI_H_ 33 34#include <sys/endian.h> 35#include <sys/errno.h> 36#include <sys/malloc.h> 37#include <crypto/sha2/sha256.h> 38#include <crypto/sha2/sha512.h> 39#include <opencrypto/cryptodev.h> 40#ifdef _KERNEL 41#include <sys/bio.h> 42#include <sys/libkern.h> 43#include <sys/lock.h> 44#include <sys/mutex.h> 45#include <geom/geom.h> 46#include <crypto/intake.h> 47#else 48#include <assert.h> 49#include <stdio.h> 50#include <string.h> 51#include <strings.h> 52#endif 53#include <sys/queue.h> 54#include <sys/tree.h> 55#ifndef _OpenSSL_ 56#include <sys/md5.h> 57#endif 58 59#define G_ELI_CLASS_NAME "ELI" 60#define G_ELI_MAGIC "GEOM::ELI" 61#define G_ELI_SUFFIX ".eli" 62 63/* 64 * Version history: 65 * 0 - Initial version number. 66 * 1 - Added data authentication support (md_aalgo field and 67 * G_ELI_FLAG_AUTH flag). 68 * 2 - Added G_ELI_FLAG_READONLY. 69 * 3 - Added 'configure' subcommand. 70 * 4 - IV is generated from offset converted to little-endian 71 * (the G_ELI_FLAG_NATIVE_BYTE_ORDER flag will be set for older versions). 72 * 5 - Added multiple encrypton keys and AES-XTS support. 73 * 6 - Fixed usage of multiple keys for authenticated providers (the 74 * G_ELI_FLAG_FIRST_KEY flag will be set for older versions). 75 * 7 - Encryption keys are now generated from the Data Key and not from the 76 * IV Key (the G_ELI_FLAG_ENC_IVKEY flag will be set for older versions). 77 */ 78#define G_ELI_VERSION_00 0 79#define G_ELI_VERSION_01 1 80#define G_ELI_VERSION_02 2 81#define G_ELI_VERSION_03 3 82#define G_ELI_VERSION_04 4 83#define G_ELI_VERSION_05 5 84#define G_ELI_VERSION_06 6 85#define G_ELI_VERSION_07 7 86#define G_ELI_VERSION G_ELI_VERSION_07 87 88/* ON DISK FLAGS. */ 89/* Use random, onetime keys. */ 90#define G_ELI_FLAG_ONETIME 0x00000001 91/* Ask for the passphrase from the kernel, before mounting root. */ 92#define G_ELI_FLAG_BOOT 0x00000002 93/* Detach on last close, if we were open for writing. */ 94#define G_ELI_FLAG_WO_DETACH 0x00000004 95/* Detach on last close. */ 96#define G_ELI_FLAG_RW_DETACH 0x00000008 97/* Provide data authentication. */ 98#define G_ELI_FLAG_AUTH 0x00000010 99/* Provider is read-only, we should deny all write attempts. */ 100#define G_ELI_FLAG_RO 0x00000020 101/* Don't pass through BIO_DELETE requests. */ 102#define G_ELI_FLAG_NODELETE 0x00000040 103/* This GELI supports GELIBoot */ 104#define G_ELI_FLAG_GELIBOOT 0x00000080 105/* Hide passphrase length in GELIboot. */ 106#define G_ELI_FLAG_GELIDISPLAYPASS 0x00000100 107/* RUNTIME FLAGS. */ 108/* Provider was open for writing. */ 109#define G_ELI_FLAG_WOPEN 0x00010000 110/* Destroy device. */ 111#define G_ELI_FLAG_DESTROY 0x00020000 112/* Provider uses native byte-order for IV generation. */ 113#define G_ELI_FLAG_NATIVE_BYTE_ORDER 0x00040000 114/* Provider uses single encryption key. */ 115#define G_ELI_FLAG_SINGLE_KEY 0x00080000 116/* Device suspended. */ 117#define G_ELI_FLAG_SUSPEND 0x00100000 118/* Provider uses first encryption key. */ 119#define G_ELI_FLAG_FIRST_KEY 0x00200000 120/* Provider uses IV-Key for encryption key generation. */ 121#define G_ELI_FLAG_ENC_IVKEY 0x00400000 122 123#define G_ELI_NEW_BIO 255 124 125#define SHA512_MDLEN 64 126#define G_ELI_AUTH_SECKEYLEN SHA256_DIGEST_LENGTH 127 128#define G_ELI_MAXMKEYS 2 129#define G_ELI_MAXKEYLEN 64 130#define G_ELI_USERKEYLEN G_ELI_MAXKEYLEN 131#define G_ELI_DATAKEYLEN G_ELI_MAXKEYLEN 132#define G_ELI_AUTHKEYLEN G_ELI_MAXKEYLEN 133#define G_ELI_IVKEYLEN G_ELI_MAXKEYLEN 134#define G_ELI_SALTLEN 64 135#define G_ELI_DATAIVKEYLEN (G_ELI_DATAKEYLEN + G_ELI_IVKEYLEN) 136/* Data-Key, IV-Key, HMAC_SHA512(Derived-Key, Data-Key+IV-Key) */ 137#define G_ELI_MKEYLEN (G_ELI_DATAIVKEYLEN + SHA512_MDLEN) 138#define G_ELI_OVERWRITES 5 139/* Switch data encryption key every 2^20 blocks. */ 140#define G_ELI_KEY_SHIFT 20 141 142#define G_ELI_CRYPTO_UNKNOWN 0 143#define G_ELI_CRYPTO_HW 1 144#define G_ELI_CRYPTO_SW 2 145 146#ifdef _KERNEL 147#if (MAX_KEY_BYTES < G_ELI_DATAIVKEYLEN) 148#error "MAX_KEY_BYTES is less than G_ELI_DATAKEYLEN" 149#endif 150 151extern int g_eli_debug; 152extern u_int g_eli_overwrites; 153extern u_int g_eli_batch; 154 155#define G_ELI_DEBUG(lvl, ...) do { \ 156 if (g_eli_debug >= (lvl)) { \ 157 printf("GEOM_ELI"); \ 158 if (g_eli_debug > 0) \ 159 printf("[%u]", lvl); \ 160 printf(": "); \ 161 printf(__VA_ARGS__); \ 162 printf("\n"); \ 163 } \ 164} while (0) 165#define G_ELI_LOGREQ(lvl, bp, ...) do { \ 166 if (g_eli_debug >= (lvl)) { \ 167 printf("GEOM_ELI"); \ 168 if (g_eli_debug > 0) \ 169 printf("[%u]", lvl); \ 170 printf(": "); \ 171 printf(__VA_ARGS__); \ 172 printf(" "); \ 173 g_print_bio(bp); \ 174 printf("\n"); \ 175 } \ 176} while (0) 177 178struct g_eli_worker { 179 struct g_eli_softc *w_softc; 180 struct proc *w_proc; 181 u_int w_number; 182 crypto_session_t w_sid; 183 boolean_t w_active; 184 LIST_ENTRY(g_eli_worker) w_next; 185}; 186 187#endif /* _KERNEL */ 188 189struct g_eli_softc { 190 struct g_geom *sc_geom; 191 u_int sc_version; 192 u_int sc_crypto; 193 uint8_t sc_mkey[G_ELI_DATAIVKEYLEN]; 194 uint8_t sc_ekey[G_ELI_DATAKEYLEN]; 195 TAILQ_HEAD(, g_eli_key) sc_ekeys_queue; 196 RB_HEAD(g_eli_key_tree, g_eli_key) sc_ekeys_tree; 197 struct mtx sc_ekeys_lock; 198 uint64_t sc_ekeys_total; 199 uint64_t sc_ekeys_allocated; 200 u_int sc_ealgo; 201 u_int sc_ekeylen; 202 uint8_t sc_akey[G_ELI_AUTHKEYLEN]; 203 u_int sc_aalgo; 204 u_int sc_akeylen; 205 u_int sc_alen; 206 SHA256_CTX sc_akeyctx; 207 uint8_t sc_ivkey[G_ELI_IVKEYLEN]; 208 SHA256_CTX sc_ivctx; 209 int sc_nkey; 210 uint32_t sc_flags; 211 int sc_inflight; 212 off_t sc_mediasize; 213 size_t sc_sectorsize; 214 u_int sc_bytes_per_sector; 215 u_int sc_data_per_sector; 216#ifndef _KERNEL 217 int sc_cpubind; 218#else /* _KERNEL */ 219 boolean_t sc_cpubind; 220 221 /* Only for software cryptography. */ 222 struct bio_queue_head sc_queue; 223 struct mtx sc_queue_mtx; 224 LIST_HEAD(, g_eli_worker) sc_workers; 225#endif /* _KERNEL */ 226}; 227#define sc_name sc_geom->name 228 229#define G_ELI_KEY_MAGIC 0xe11341c 230 231struct g_eli_key { 232 /* Key value, must be first in the structure. */ 233 uint8_t gek_key[G_ELI_DATAKEYLEN]; 234 /* Magic. */ 235 int gek_magic; 236 /* Key number. */ 237 uint64_t gek_keyno; 238 /* Reference counter. */ 239 int gek_count; 240 /* Keeps keys sorted by most recent use. */ 241 TAILQ_ENTRY(g_eli_key) gek_next; 242 /* Keeps keys sorted by number. */ 243 RB_ENTRY(g_eli_key) gek_link; 244}; 245 246struct g_eli_metadata { 247 char md_magic[16]; /* Magic value. */ 248 uint32_t md_version; /* Version number. */ 249 uint32_t md_flags; /* Additional flags. */ 250 uint16_t md_ealgo; /* Encryption algorithm. */ 251 uint16_t md_keylen; /* Key length. */ 252 uint16_t md_aalgo; /* Authentication algorithm. */ 253 uint64_t md_provsize; /* Provider's size. */ 254 uint32_t md_sectorsize; /* Sector size. */ 255 uint8_t md_keys; /* Available keys. */ 256 int32_t md_iterations; /* Number of iterations for PKCS#5v2. */ 257 uint8_t md_salt[G_ELI_SALTLEN]; /* Salt. */ 258 /* Encrypted master key (IV-key, Data-key, HMAC). */ 259 uint8_t md_mkeys[G_ELI_MAXMKEYS * G_ELI_MKEYLEN]; 260 u_char md_hash[16]; /* MD5 hash. */ 261} __packed; 262#ifndef _OpenSSL_ 263static __inline void 264eli_metadata_encode_v0(struct g_eli_metadata *md, u_char **datap) 265{ 266 u_char *p; 267 268 p = *datap; 269 le32enc(p, md->md_flags); p += sizeof(md->md_flags); 270 le16enc(p, md->md_ealgo); p += sizeof(md->md_ealgo); 271 le16enc(p, md->md_keylen); p += sizeof(md->md_keylen); 272 le64enc(p, md->md_provsize); p += sizeof(md->md_provsize); 273 le32enc(p, md->md_sectorsize); p += sizeof(md->md_sectorsize); 274 *p = md->md_keys; p += sizeof(md->md_keys); 275 le32enc(p, md->md_iterations); p += sizeof(md->md_iterations); 276 bcopy(md->md_salt, p, sizeof(md->md_salt)); p += sizeof(md->md_salt); 277 bcopy(md->md_mkeys, p, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys); 278 *datap = p; 279} 280static __inline void 281eli_metadata_encode_v1v2v3v4v5v6v7(struct g_eli_metadata *md, u_char **datap) 282{ 283 u_char *p; 284 285 p = *datap; 286 le32enc(p, md->md_flags); p += sizeof(md->md_flags); 287 le16enc(p, md->md_ealgo); p += sizeof(md->md_ealgo); 288 le16enc(p, md->md_keylen); p += sizeof(md->md_keylen); 289 le16enc(p, md->md_aalgo); p += sizeof(md->md_aalgo); 290 le64enc(p, md->md_provsize); p += sizeof(md->md_provsize); 291 le32enc(p, md->md_sectorsize); p += sizeof(md->md_sectorsize); 292 *p = md->md_keys; p += sizeof(md->md_keys); 293 le32enc(p, md->md_iterations); p += sizeof(md->md_iterations); 294 bcopy(md->md_salt, p, sizeof(md->md_salt)); p += sizeof(md->md_salt); 295 bcopy(md->md_mkeys, p, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys); 296 *datap = p; 297} 298static __inline void 299eli_metadata_encode(struct g_eli_metadata *md, u_char *data) 300{ 301 uint32_t hash[4]; 302 MD5_CTX ctx; 303 u_char *p; 304 305 p = data; 306 bcopy(md->md_magic, p, sizeof(md->md_magic)); 307 p += sizeof(md->md_magic); 308 le32enc(p, md->md_version); 309 p += sizeof(md->md_version); 310 switch (md->md_version) { 311 case G_ELI_VERSION_00: 312 eli_metadata_encode_v0(md, &p); 313 break; 314 case G_ELI_VERSION_01: 315 case G_ELI_VERSION_02: 316 case G_ELI_VERSION_03: 317 case G_ELI_VERSION_04: 318 case G_ELI_VERSION_05: 319 case G_ELI_VERSION_06: 320 case G_ELI_VERSION_07: 321 eli_metadata_encode_v1v2v3v4v5v6v7(md, &p); 322 break; 323 default: 324#ifdef _KERNEL 325 panic("%s: Unsupported version %u.", __func__, 326 (u_int)md->md_version); 327#else 328 assert(!"Unsupported metadata version."); 329#endif 330 } 331 MD5Init(&ctx); 332 MD5Update(&ctx, data, p - data); 333 MD5Final((void *)hash, &ctx); 334 bcopy(hash, md->md_hash, sizeof(md->md_hash)); 335 bcopy(md->md_hash, p, sizeof(md->md_hash)); 336} 337static __inline int 338eli_metadata_decode_v0(const u_char *data, struct g_eli_metadata *md) 339{ 340 uint32_t hash[4]; 341 MD5_CTX ctx; 342 const u_char *p; 343 344 p = data + sizeof(md->md_magic) + sizeof(md->md_version); 345 md->md_flags = le32dec(p); p += sizeof(md->md_flags); 346 md->md_ealgo = le16dec(p); p += sizeof(md->md_ealgo); 347 md->md_keylen = le16dec(p); p += sizeof(md->md_keylen); 348 md->md_provsize = le64dec(p); p += sizeof(md->md_provsize); 349 md->md_sectorsize = le32dec(p); p += sizeof(md->md_sectorsize); 350 md->md_keys = *p; p += sizeof(md->md_keys); 351 md->md_iterations = le32dec(p); p += sizeof(md->md_iterations); 352 bcopy(p, md->md_salt, sizeof(md->md_salt)); p += sizeof(md->md_salt); 353 bcopy(p, md->md_mkeys, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys); 354 MD5Init(&ctx); 355 MD5Update(&ctx, data, p - data); 356 MD5Final((void *)hash, &ctx); 357 bcopy(hash, md->md_hash, sizeof(md->md_hash)); 358 if (bcmp(md->md_hash, p, 16) != 0) 359 return (EINVAL); 360 return (0); 361} 362 363static __inline int 364eli_metadata_decode_v1v2v3v4v5v6v7(const u_char *data, struct g_eli_metadata *md) 365{ 366 uint32_t hash[4]; 367 MD5_CTX ctx; 368 const u_char *p; 369 370 p = data + sizeof(md->md_magic) + sizeof(md->md_version); 371 md->md_flags = le32dec(p); p += sizeof(md->md_flags); 372 md->md_ealgo = le16dec(p); p += sizeof(md->md_ealgo); 373 md->md_keylen = le16dec(p); p += sizeof(md->md_keylen); 374 md->md_aalgo = le16dec(p); p += sizeof(md->md_aalgo); 375 md->md_provsize = le64dec(p); p += sizeof(md->md_provsize); 376 md->md_sectorsize = le32dec(p); p += sizeof(md->md_sectorsize); 377 md->md_keys = *p; p += sizeof(md->md_keys); 378 md->md_iterations = le32dec(p); p += sizeof(md->md_iterations); 379 bcopy(p, md->md_salt, sizeof(md->md_salt)); p += sizeof(md->md_salt); 380 bcopy(p, md->md_mkeys, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys); 381 MD5Init(&ctx); 382 MD5Update(&ctx, data, p - data); 383 MD5Final((void *)hash, &ctx); 384 bcopy(hash, md->md_hash, sizeof(md->md_hash)); 385 if (bcmp(md->md_hash, p, 16) != 0) 386 return (EINVAL); 387 return (0); 388} 389static __inline int 390eli_metadata_decode(const u_char *data, struct g_eli_metadata *md) 391{ 392 int error; 393 394 bcopy(data, md->md_magic, sizeof(md->md_magic)); 395 if (strcmp(md->md_magic, G_ELI_MAGIC) != 0) 396 return (EINVAL); 397 md->md_version = le32dec(data + sizeof(md->md_magic)); 398 switch (md->md_version) { 399 case G_ELI_VERSION_00: 400 error = eli_metadata_decode_v0(data, md); 401 break; 402 case G_ELI_VERSION_01: 403 case G_ELI_VERSION_02: 404 case G_ELI_VERSION_03: 405 case G_ELI_VERSION_04: 406 case G_ELI_VERSION_05: 407 case G_ELI_VERSION_06: 408 case G_ELI_VERSION_07: 409 error = eli_metadata_decode_v1v2v3v4v5v6v7(data, md); 410 break; 411 default: 412 error = EOPNOTSUPP; 413 break; 414 } 415 return (error); 416} 417#endif /* !_OpenSSL */ 418 419static __inline u_int 420g_eli_str2ealgo(const char *name) 421{ 422 423 if (strcasecmp("null", name) == 0) 424 return (CRYPTO_NULL_CBC); 425 else if (strcasecmp("null-cbc", name) == 0) 426 return (CRYPTO_NULL_CBC); 427 else if (strcasecmp("aes", name) == 0) 428 return (CRYPTO_AES_XTS); 429 else if (strcasecmp("aes-cbc", name) == 0) 430 return (CRYPTO_AES_CBC); 431 else if (strcasecmp("aes-xts", name) == 0) 432 return (CRYPTO_AES_XTS); 433 else if (strcasecmp("blowfish", name) == 0) 434 return (CRYPTO_BLF_CBC); 435 else if (strcasecmp("blowfish-cbc", name) == 0) 436 return (CRYPTO_BLF_CBC); 437 else if (strcasecmp("camellia", name) == 0) 438 return (CRYPTO_CAMELLIA_CBC); 439 else if (strcasecmp("camellia-cbc", name) == 0) 440 return (CRYPTO_CAMELLIA_CBC); 441 else if (strcasecmp("3des", name) == 0) 442 return (CRYPTO_3DES_CBC); 443 else if (strcasecmp("3des-cbc", name) == 0) 444 return (CRYPTO_3DES_CBC); 445 return (CRYPTO_ALGORITHM_MIN - 1); 446} 447 448static __inline u_int 449g_eli_str2aalgo(const char *name) 450{ 451 452 if (strcasecmp("hmac/md5", name) == 0) 453 return (CRYPTO_MD5_HMAC); 454 else if (strcasecmp("hmac/sha1", name) == 0) 455 return (CRYPTO_SHA1_HMAC); 456 else if (strcasecmp("hmac/ripemd160", name) == 0) 457 return (CRYPTO_RIPEMD160_HMAC); 458 else if (strcasecmp("hmac/sha256", name) == 0) 459 return (CRYPTO_SHA2_256_HMAC); 460 else if (strcasecmp("hmac/sha384", name) == 0) 461 return (CRYPTO_SHA2_384_HMAC); 462 else if (strcasecmp("hmac/sha512", name) == 0) 463 return (CRYPTO_SHA2_512_HMAC); 464 return (CRYPTO_ALGORITHM_MIN - 1); 465} 466 467static __inline const char * 468g_eli_algo2str(u_int algo) 469{ 470 471 switch (algo) { 472 case CRYPTO_NULL_CBC: 473 return ("NULL"); 474 case CRYPTO_AES_CBC: 475 return ("AES-CBC"); 476 case CRYPTO_AES_XTS: 477 return ("AES-XTS"); 478 case CRYPTO_BLF_CBC: 479 return ("Blowfish-CBC"); 480 case CRYPTO_CAMELLIA_CBC: 481 return ("CAMELLIA-CBC"); 482 case CRYPTO_3DES_CBC: 483 return ("3DES-CBC"); 484 case CRYPTO_MD5_HMAC: 485 return ("HMAC/MD5"); 486 case CRYPTO_SHA1_HMAC: 487 return ("HMAC/SHA1"); 488 case CRYPTO_RIPEMD160_HMAC: 489 return ("HMAC/RIPEMD160"); 490 case CRYPTO_SHA2_256_HMAC: 491 return ("HMAC/SHA256"); 492 case CRYPTO_SHA2_384_HMAC: 493 return ("HMAC/SHA384"); 494 case CRYPTO_SHA2_512_HMAC: 495 return ("HMAC/SHA512"); 496 } 497 return ("unknown"); 498} 499 500static __inline void 501eli_metadata_dump(const struct g_eli_metadata *md) 502{ 503 static const char hex[] = "0123456789abcdef"; 504 char str[sizeof(md->md_mkeys) * 2 + 1]; 505 u_int i; 506 507 printf(" magic: %s\n", md->md_magic); 508 printf(" version: %u\n", (u_int)md->md_version); 509 printf(" flags: 0x%x\n", (u_int)md->md_flags); 510 printf(" ealgo: %s\n", g_eli_algo2str(md->md_ealgo)); 511 printf(" keylen: %u\n", (u_int)md->md_keylen); 512 if (md->md_flags & G_ELI_FLAG_AUTH) 513 printf(" aalgo: %s\n", g_eli_algo2str(md->md_aalgo)); 514 printf(" provsize: %ju\n", (uintmax_t)md->md_provsize); 515 printf("sectorsize: %u\n", (u_int)md->md_sectorsize); 516 printf(" keys: 0x%02x\n", (u_int)md->md_keys); 517 printf("iterations: %d\n", (int)md->md_iterations); 518 bzero(str, sizeof(str)); 519 for (i = 0; i < sizeof(md->md_salt); i++) { 520 str[i * 2] = hex[md->md_salt[i] >> 4]; 521 str[i * 2 + 1] = hex[md->md_salt[i] & 0x0f]; 522 } 523 printf(" Salt: %s\n", str); 524 bzero(str, sizeof(str)); 525 for (i = 0; i < sizeof(md->md_mkeys); i++) { 526 str[i * 2] = hex[md->md_mkeys[i] >> 4]; 527 str[i * 2 + 1] = hex[md->md_mkeys[i] & 0x0f]; 528 } 529 printf("Master Key: %s\n", str); 530 bzero(str, sizeof(str)); 531 for (i = 0; i < 16; i++) { 532 str[i * 2] = hex[md->md_hash[i] >> 4]; 533 str[i * 2 + 1] = hex[md->md_hash[i] & 0x0f]; 534 } 535 printf(" MD5 hash: %s\n", str); 536} 537 538static __inline u_int 539g_eli_keylen(u_int algo, u_int keylen) 540{ 541 542 switch (algo) { 543 case CRYPTO_NULL_CBC: 544 if (keylen == 0) 545 keylen = 64 * 8; 546 else { 547 if (keylen > 64 * 8) 548 keylen = 0; 549 } 550 return (keylen); 551 case CRYPTO_AES_CBC: 552 case CRYPTO_CAMELLIA_CBC: 553 switch (keylen) { 554 case 0: 555 return (128); 556 case 128: 557 case 192: 558 case 256: 559 return (keylen); 560 default: 561 return (0); 562 } 563 case CRYPTO_AES_XTS: 564 switch (keylen) { 565 case 0: 566 return (128); 567 case 128: 568 case 256: 569 return (keylen); 570 default: 571 return (0); 572 } 573 case CRYPTO_BLF_CBC: 574 if (keylen == 0) 575 return (128); 576 if (keylen < 128 || keylen > 448) 577 return (0); 578 if ((keylen % 32) != 0) 579 return (0); 580 return (keylen); 581 case CRYPTO_3DES_CBC: 582 if (keylen == 0 || keylen == 192) 583 return (192); 584 return (0); 585 default: 586 return (0); 587 } 588} 589 590static __inline u_int 591g_eli_hashlen(u_int algo) 592{ 593 594 switch (algo) { 595 case CRYPTO_MD5_HMAC: 596 return (16); 597 case CRYPTO_SHA1_HMAC: 598 return (20); 599 case CRYPTO_RIPEMD160_HMAC: 600 return (20); 601 case CRYPTO_SHA2_256_HMAC: 602 return (32); 603 case CRYPTO_SHA2_384_HMAC: 604 return (48); 605 case CRYPTO_SHA2_512_HMAC: 606 return (64); 607 } 608 return (0); 609} 610 611static __inline void 612eli_metadata_softc(struct g_eli_softc *sc, const struct g_eli_metadata *md, 613 u_int sectorsize, off_t mediasize) 614{ 615 616 sc->sc_version = md->md_version; 617 sc->sc_inflight = 0; 618 sc->sc_crypto = G_ELI_CRYPTO_UNKNOWN; 619 sc->sc_flags = md->md_flags; 620 /* Backward compatibility. */ 621 if (md->md_version < G_ELI_VERSION_04) 622 sc->sc_flags |= G_ELI_FLAG_NATIVE_BYTE_ORDER; 623 if (md->md_version < G_ELI_VERSION_05) 624 sc->sc_flags |= G_ELI_FLAG_SINGLE_KEY; 625 if (md->md_version < G_ELI_VERSION_06 && 626 (sc->sc_flags & G_ELI_FLAG_AUTH) != 0) { 627 sc->sc_flags |= G_ELI_FLAG_FIRST_KEY; 628 } 629 if (md->md_version < G_ELI_VERSION_07) 630 sc->sc_flags |= G_ELI_FLAG_ENC_IVKEY; 631 sc->sc_ealgo = md->md_ealgo; 632 633 if (sc->sc_flags & G_ELI_FLAG_AUTH) { 634 sc->sc_akeylen = sizeof(sc->sc_akey) * 8; 635 sc->sc_aalgo = md->md_aalgo; 636 sc->sc_alen = g_eli_hashlen(sc->sc_aalgo); 637 638 sc->sc_data_per_sector = sectorsize - sc->sc_alen; 639 /* 640 * Some hash functions (like SHA1 and RIPEMD160) generates hash 641 * which length is not multiple of 128 bits, but we want data 642 * length to be multiple of 128, so we can encrypt without 643 * padding. The line below rounds down data length to multiple 644 * of 128 bits. 645 */ 646 sc->sc_data_per_sector -= sc->sc_data_per_sector % 16; 647 648 sc->sc_bytes_per_sector = 649 (md->md_sectorsize - 1) / sc->sc_data_per_sector + 1; 650 sc->sc_bytes_per_sector *= sectorsize; 651 } 652 sc->sc_sectorsize = md->md_sectorsize; 653 sc->sc_mediasize = mediasize; 654 if (!(sc->sc_flags & G_ELI_FLAG_ONETIME)) 655 sc->sc_mediasize -= sectorsize; 656 if (!(sc->sc_flags & G_ELI_FLAG_AUTH)) 657 sc->sc_mediasize -= (sc->sc_mediasize % sc->sc_sectorsize); 658 else { 659 sc->sc_mediasize /= sc->sc_bytes_per_sector; 660 sc->sc_mediasize *= sc->sc_sectorsize; 661 } 662 sc->sc_ekeylen = md->md_keylen; 663} 664 665#ifdef _KERNEL 666int g_eli_read_metadata(struct g_class *mp, struct g_provider *pp, 667 struct g_eli_metadata *md); 668struct g_geom *g_eli_create(struct gctl_req *req, struct g_class *mp, 669 struct g_provider *bpp, const struct g_eli_metadata *md, 670 const u_char *mkey, int nkey); 671int g_eli_destroy(struct g_eli_softc *sc, boolean_t force); 672 673int g_eli_access(struct g_provider *pp, int dr, int dw, int de); 674void g_eli_config(struct gctl_req *req, struct g_class *mp, const char *verb); 675 676void g_eli_read_done(struct bio *bp); 677void g_eli_write_done(struct bio *bp); 678int g_eli_crypto_rerun(struct cryptop *crp); 679 680void g_eli_crypto_read(struct g_eli_softc *sc, struct bio *bp, boolean_t fromworker); 681void g_eli_crypto_run(struct g_eli_worker *wr, struct bio *bp); 682 683void g_eli_auth_read(struct g_eli_softc *sc, struct bio *bp); 684void g_eli_auth_run(struct g_eli_worker *wr, struct bio *bp); 685#endif 686void g_eli_crypto_ivgen(struct g_eli_softc *sc, off_t offset, u_char *iv, 687 size_t size); 688 689void g_eli_mkey_hmac(unsigned char *mkey, const unsigned char *key); 690int g_eli_mkey_decrypt(const struct g_eli_metadata *md, 691 const unsigned char *key, unsigned char *mkey, unsigned keyp); 692int g_eli_mkey_decrypt_any(const struct g_eli_metadata *md, 693 const unsigned char *key, unsigned char *mkey, unsigned *nkeyp); 694int g_eli_mkey_encrypt(unsigned algo, const unsigned char *key, unsigned keylen, 695 unsigned char *mkey); 696#ifdef _KERNEL 697void g_eli_mkey_propagate(struct g_eli_softc *sc, const unsigned char *mkey); 698#endif 699 700int g_eli_crypto_encrypt(u_int algo, u_char *data, size_t datasize, 701 const u_char *key, size_t keysize); 702int g_eli_crypto_decrypt(u_int algo, u_char *data, size_t datasize, 703 const u_char *key, size_t keysize); 704 705struct hmac_ctx { 706 SHA512_CTX innerctx; 707 SHA512_CTX outerctx; 708}; 709 710void g_eli_crypto_hmac_init(struct hmac_ctx *ctx, const uint8_t *hkey, 711 size_t hkeylen); 712void g_eli_crypto_hmac_update(struct hmac_ctx *ctx, const uint8_t *data, 713 size_t datasize); 714void g_eli_crypto_hmac_final(struct hmac_ctx *ctx, uint8_t *md, size_t mdsize); 715void g_eli_crypto_hmac(const uint8_t *hkey, size_t hkeysize, 716 const uint8_t *data, size_t datasize, uint8_t *md, size_t mdsize); 717 718void g_eli_key_fill(struct g_eli_softc *sc, struct g_eli_key *key, 719 uint64_t keyno); 720#ifdef _KERNEL 721void g_eli_key_init(struct g_eli_softc *sc); 722void g_eli_key_destroy(struct g_eli_softc *sc); 723uint8_t *g_eli_key_hold(struct g_eli_softc *sc, off_t offset, size_t blocksize); 724void g_eli_key_drop(struct g_eli_softc *sc, uint8_t *rawkey); 725#endif 726#endif /* !_G_ELI_H_ */ 727