1/*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2005-2019 Pawel Jakub Dawidek <pawel@dawidek.net> 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26 * SUCH DAMAGE. 27 */ 28 29#ifndef _G_ELI_H_ 30#define _G_ELI_H_ 31 32#include <sys/endian.h> 33#include <sys/errno.h> 34#include <sys/malloc.h> 35#include <crypto/sha2/sha256.h> 36#include <crypto/sha2/sha512.h> 37#include <opencrypto/cryptodev.h> 38#ifdef _KERNEL 39#include <sys/bio.h> 40#include <sys/libkern.h> 41#include <sys/lock.h> 42#include <sys/mutex.h> 43#include <geom/geom.h> 44#include <crypto/intake.h> 45#else 46#include <assert.h> 47#include <stdio.h> 48#include <string.h> 49#include <strings.h> 50#endif 51#include <sys/queue.h> 52#include <sys/tree.h> 53#ifndef _OpenSSL_ 54#include <sys/md5.h> 55#endif 56 57#define G_ELI_CLASS_NAME "ELI" 58#define G_ELI_MAGIC "GEOM::ELI" 59#define G_ELI_SUFFIX ".eli" 60 61/* 62 * Version history: 63 * 0 - Initial version number. 64 * 1 - Added data authentication support (md_aalgo field and 65 * G_ELI_FLAG_AUTH flag). 66 * 2 - Added G_ELI_FLAG_READONLY. 67 * 3 - Added 'configure' subcommand. 68 * 4 - IV is generated from offset converted to little-endian 69 * (the G_ELI_FLAG_NATIVE_BYTE_ORDER flag will be set for older versions). 70 * 5 - Added multiple encrypton keys and AES-XTS support. 71 * 6 - Fixed usage of multiple keys for authenticated providers (the 72 * G_ELI_FLAG_FIRST_KEY flag will be set for older versions). 73 * 7 - Encryption keys are now generated from the Data Key and not from the 74 * IV Key (the G_ELI_FLAG_ENC_IVKEY flag will be set for older versions). 75 */ 76#define G_ELI_VERSION_00 0 77#define G_ELI_VERSION_01 1 78#define G_ELI_VERSION_02 2 79#define G_ELI_VERSION_03 3 80#define G_ELI_VERSION_04 4 81#define G_ELI_VERSION_05 5 82#define G_ELI_VERSION_06 6 83#define G_ELI_VERSION_07 7 84#define G_ELI_VERSION G_ELI_VERSION_07 85 86/* ON DISK FLAGS. */ 87/* Use random, onetime keys. */ 88#define G_ELI_FLAG_ONETIME 0x00000001 89/* Ask for the passphrase from the kernel, before mounting root. */ 90#define G_ELI_FLAG_BOOT 0x00000002 91/* Detach on last close, if we were open for writing. */ 92#define G_ELI_FLAG_WO_DETACH 0x00000004 93/* Detach on last close. */ 94#define G_ELI_FLAG_RW_DETACH 0x00000008 95/* Provide data authentication. */ 96#define G_ELI_FLAG_AUTH 0x00000010 97/* Provider is read-only, we should deny all write attempts. */ 98#define G_ELI_FLAG_RO 0x00000020 99/* Don't pass through BIO_DELETE requests. */ 100#define G_ELI_FLAG_NODELETE 0x00000040 101/* This GELI supports GELIBoot */ 102#define G_ELI_FLAG_GELIBOOT 0x00000080 103/* Hide passphrase length in GELIboot. */ 104#define G_ELI_FLAG_GELIDISPLAYPASS 0x00000100 105/* Expand provider automatically. */ 106#define G_ELI_FLAG_AUTORESIZE 0x00000200 107 108/* RUNTIME FLAGS. */ 109/* Provider was open for writing. */ 110#define G_ELI_FLAG_WOPEN 0x00010000 111/* Destroy device. */ 112#define G_ELI_FLAG_DESTROY 0x00020000 113/* Provider uses native byte-order for IV generation. */ 114#define G_ELI_FLAG_NATIVE_BYTE_ORDER 0x00040000 115/* Provider uses single encryption key. */ 116#define G_ELI_FLAG_SINGLE_KEY 0x00080000 117/* Device suspended. */ 118#define G_ELI_FLAG_SUSPEND 0x00100000 119/* Provider uses first encryption key. */ 120#define G_ELI_FLAG_FIRST_KEY 0x00200000 121/* Provider uses IV-Key for encryption key generation. */ 122#define G_ELI_FLAG_ENC_IVKEY 0x00400000 123 124/* BIO pflag values. */ 125#define G_ELI_WORKER(pflags) ((pflags) & 0xff) 126#define G_ELI_MAX_WORKERS 255 127#define G_ELI_NEW_BIO G_ELI_MAX_WORKERS 128#define G_ELI_SETWORKER(pflags, w) \ 129 (pflags) = ((pflags) & 0xff00) | ((w) & 0xff) 130#define G_ELI_SET_NEW_BIO(pflags) G_ELI_SETWORKER((pflags), G_ELI_NEW_BIO) 131#define G_ELI_IS_NEW_BIO(pflags) (G_ELI_WORKER(pflags) == G_ELI_NEW_BIO) 132#define G_ELI_UMA_ALLOC 0x100 /* bio_driver2 alloc came from UMA */ 133 134#define SHA512_MDLEN 64 135#define G_ELI_AUTH_SECKEYLEN SHA256_DIGEST_LENGTH 136 137#define G_ELI_MAXMKEYS 2 138#define G_ELI_MAXKEYLEN 64 139#define G_ELI_USERKEYLEN G_ELI_MAXKEYLEN 140#define G_ELI_DATAKEYLEN G_ELI_MAXKEYLEN 141#define G_ELI_AUTHKEYLEN G_ELI_MAXKEYLEN 142#define G_ELI_IVKEYLEN G_ELI_MAXKEYLEN 143#define G_ELI_SALTLEN 64 144#define G_ELI_DATAIVKEYLEN (G_ELI_DATAKEYLEN + G_ELI_IVKEYLEN) 145/* Data-Key, IV-Key, HMAC_SHA512(Derived-Key, Data-Key+IV-Key) */ 146#define G_ELI_MKEYLEN (G_ELI_DATAIVKEYLEN + SHA512_MDLEN) 147#define G_ELI_OVERWRITES 5 148/* Switch data encryption key every 2^20 blocks. */ 149#define G_ELI_KEY_SHIFT 20 150 151#define G_ELI_CRYPTO_UNKNOWN 0 152#define G_ELI_CRYPTO_HW 1 153#define G_ELI_CRYPTO_SW 2 154#define G_ELI_CRYPTO_SW_ACCEL 3 155 156#ifdef _KERNEL 157#if (MAX_KEY_BYTES < G_ELI_DATAIVKEYLEN) 158#error "MAX_KEY_BYTES is less than G_ELI_DATAKEYLEN" 159#endif 160 161extern int g_eli_debug; 162extern u_int g_eli_overwrites; 163extern u_int g_eli_batch; 164 165#define G_ELI_DEBUG(lvl, ...) \ 166 _GEOM_DEBUG("GEOM_ELI", g_eli_debug, (lvl), NULL, __VA_ARGS__) 167#define G_ELI_LOGREQ(lvl, bp, ...) \ 168 _GEOM_DEBUG("GEOM_ELI", g_eli_debug, (lvl), (bp), __VA_ARGS__) 169 170struct g_eli_worker { 171 struct g_eli_softc *w_softc; 172 struct proc *w_proc; 173 void *w_first_key; 174 u_int w_number; 175 crypto_session_t w_sid; 176 boolean_t w_active; 177 LIST_ENTRY(g_eli_worker) w_next; 178}; 179 180#endif /* _KERNEL */ 181 182struct g_eli_softc { 183 struct g_geom *sc_geom; 184 u_int sc_version; 185 u_int sc_crypto; 186 uint8_t sc_mkey[G_ELI_DATAIVKEYLEN]; 187 uint8_t sc_ekey[G_ELI_DATAKEYLEN]; 188 TAILQ_HEAD(, g_eli_key) sc_ekeys_queue; 189 RB_HEAD(g_eli_key_tree, g_eli_key) sc_ekeys_tree; 190#ifndef _STANDALONE 191 struct mtx sc_ekeys_lock; 192#endif 193 uint64_t sc_ekeys_total; 194 uint64_t sc_ekeys_allocated; 195 u_int sc_ealgo; 196 u_int sc_ekeylen; 197 uint8_t sc_akey[G_ELI_AUTHKEYLEN]; 198 u_int sc_aalgo; 199 u_int sc_akeylen; 200 u_int sc_alen; 201 SHA256_CTX sc_akeyctx; 202 uint8_t sc_ivkey[G_ELI_IVKEYLEN]; 203 SHA256_CTX sc_ivctx; 204 int sc_nkey; 205 uint32_t sc_flags; 206 int sc_inflight; 207 off_t sc_mediasize; 208 size_t sc_sectorsize; 209 off_t sc_provsize; 210 u_int sc_bytes_per_sector; 211 u_int sc_data_per_sector; 212#ifndef _KERNEL 213 int sc_cpubind; 214#else /* _KERNEL */ 215 boolean_t sc_cpubind; 216 217 /* Only for software cryptography. */ 218 struct bio_queue_head sc_queue; 219 struct mtx sc_queue_mtx; 220 LIST_HEAD(, g_eli_worker) sc_workers; 221#endif /* _KERNEL */ 222}; 223#define sc_name sc_geom->name 224 225#define G_ELI_KEY_MAGIC 0xe11341c 226 227struct g_eli_key { 228 /* Key value, must be first in the structure. */ 229 uint8_t gek_key[G_ELI_DATAKEYLEN]; 230 /* Magic. */ 231 int gek_magic; 232 /* Key number. */ 233 uint64_t gek_keyno; 234 /* Reference counter. */ 235 int gek_count; 236 /* Keeps keys sorted by most recent use. */ 237 TAILQ_ENTRY(g_eli_key) gek_next; 238 /* Keeps keys sorted by number. */ 239 RB_ENTRY(g_eli_key) gek_link; 240}; 241 242struct g_eli_metadata { 243 char md_magic[16]; /* Magic value. */ 244 uint32_t md_version; /* Version number. */ 245 uint32_t md_flags; /* Additional flags. */ 246 uint16_t md_ealgo; /* Encryption algorithm. */ 247 uint16_t md_keylen; /* Key length. */ 248 uint16_t md_aalgo; /* Authentication algorithm. */ 249 uint64_t md_provsize; /* Provider's size. */ 250 uint32_t md_sectorsize; /* Sector size. */ 251 uint8_t md_keys; /* Available keys. */ 252 int32_t md_iterations; /* Number of iterations for PKCS#5v2. */ 253 uint8_t md_salt[G_ELI_SALTLEN]; /* Salt. */ 254 /* Encrypted master key (IV-key, Data-key, HMAC). */ 255 uint8_t md_mkeys[G_ELI_MAXMKEYS * G_ELI_MKEYLEN]; 256 u_char md_hash[16]; /* MD5 hash. */ 257} __packed; 258#ifndef _OpenSSL_ 259static __inline void 260eli_metadata_encode_v0(struct g_eli_metadata *md, u_char **datap) 261{ 262 u_char *p; 263 264 p = *datap; 265 le32enc(p, md->md_flags); p += sizeof(md->md_flags); 266 le16enc(p, md->md_ealgo); p += sizeof(md->md_ealgo); 267 le16enc(p, md->md_keylen); p += sizeof(md->md_keylen); 268 le64enc(p, md->md_provsize); p += sizeof(md->md_provsize); 269 le32enc(p, md->md_sectorsize); p += sizeof(md->md_sectorsize); 270 *p = md->md_keys; p += sizeof(md->md_keys); 271 le32enc(p, md->md_iterations); p += sizeof(md->md_iterations); 272 bcopy(md->md_salt, p, sizeof(md->md_salt)); p += sizeof(md->md_salt); 273 bcopy(md->md_mkeys, p, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys); 274 *datap = p; 275} 276static __inline void 277eli_metadata_encode_v1v2v3v4v5v6v7(struct g_eli_metadata *md, u_char **datap) 278{ 279 u_char *p; 280 281 p = *datap; 282 le32enc(p, md->md_flags); p += sizeof(md->md_flags); 283 le16enc(p, md->md_ealgo); p += sizeof(md->md_ealgo); 284 le16enc(p, md->md_keylen); p += sizeof(md->md_keylen); 285 le16enc(p, md->md_aalgo); p += sizeof(md->md_aalgo); 286 le64enc(p, md->md_provsize); p += sizeof(md->md_provsize); 287 le32enc(p, md->md_sectorsize); p += sizeof(md->md_sectorsize); 288 *p = md->md_keys; p += sizeof(md->md_keys); 289 le32enc(p, md->md_iterations); p += sizeof(md->md_iterations); 290 bcopy(md->md_salt, p, sizeof(md->md_salt)); p += sizeof(md->md_salt); 291 bcopy(md->md_mkeys, p, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys); 292 *datap = p; 293} 294static __inline void 295eli_metadata_encode(struct g_eli_metadata *md, u_char *data) 296{ 297 uint32_t hash[4]; 298 MD5_CTX ctx; 299 u_char *p; 300 301 p = data; 302 bcopy(md->md_magic, p, sizeof(md->md_magic)); 303 p += sizeof(md->md_magic); 304 le32enc(p, md->md_version); 305 p += sizeof(md->md_version); 306 switch (md->md_version) { 307 case G_ELI_VERSION_00: 308 eli_metadata_encode_v0(md, &p); 309 break; 310 case G_ELI_VERSION_01: 311 case G_ELI_VERSION_02: 312 case G_ELI_VERSION_03: 313 case G_ELI_VERSION_04: 314 case G_ELI_VERSION_05: 315 case G_ELI_VERSION_06: 316 case G_ELI_VERSION_07: 317 eli_metadata_encode_v1v2v3v4v5v6v7(md, &p); 318 break; 319 default: 320#ifdef _KERNEL 321 panic("%s: Unsupported version %u.", __func__, 322 (u_int)md->md_version); 323#else 324 assert(!"Unsupported metadata version."); 325#endif 326 } 327 MD5Init(&ctx); 328 MD5Update(&ctx, data, p - data); 329 MD5Final((void *)hash, &ctx); 330 bcopy(hash, md->md_hash, sizeof(md->md_hash)); 331 bcopy(md->md_hash, p, sizeof(md->md_hash)); 332} 333static __inline int 334eli_metadata_decode_v0(const u_char *data, struct g_eli_metadata *md) 335{ 336 uint32_t hash[4]; 337 MD5_CTX ctx; 338 const u_char *p; 339 340 p = data + sizeof(md->md_magic) + sizeof(md->md_version); 341 md->md_flags = le32dec(p); p += sizeof(md->md_flags); 342 md->md_ealgo = le16dec(p); p += sizeof(md->md_ealgo); 343 md->md_keylen = le16dec(p); p += sizeof(md->md_keylen); 344 md->md_provsize = le64dec(p); p += sizeof(md->md_provsize); 345 md->md_sectorsize = le32dec(p); p += sizeof(md->md_sectorsize); 346 md->md_keys = *p; p += sizeof(md->md_keys); 347 md->md_iterations = le32dec(p); p += sizeof(md->md_iterations); 348 bcopy(p, md->md_salt, sizeof(md->md_salt)); p += sizeof(md->md_salt); 349 bcopy(p, md->md_mkeys, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys); 350 MD5Init(&ctx); 351 MD5Update(&ctx, data, p - data); 352 MD5Final((void *)hash, &ctx); 353 bcopy(hash, md->md_hash, sizeof(md->md_hash)); 354 if (bcmp(md->md_hash, p, 16) != 0) 355 return (EINVAL); 356 return (0); 357} 358 359static __inline int 360eli_metadata_decode_v1v2v3v4v5v6v7(const u_char *data, struct g_eli_metadata *md) 361{ 362 uint32_t hash[4]; 363 MD5_CTX ctx; 364 const u_char *p; 365 366 p = data + sizeof(md->md_magic) + sizeof(md->md_version); 367 md->md_flags = le32dec(p); p += sizeof(md->md_flags); 368 md->md_ealgo = le16dec(p); p += sizeof(md->md_ealgo); 369 md->md_keylen = le16dec(p); p += sizeof(md->md_keylen); 370 md->md_aalgo = le16dec(p); p += sizeof(md->md_aalgo); 371 md->md_provsize = le64dec(p); p += sizeof(md->md_provsize); 372 md->md_sectorsize = le32dec(p); p += sizeof(md->md_sectorsize); 373 md->md_keys = *p; p += sizeof(md->md_keys); 374 md->md_iterations = le32dec(p); p += sizeof(md->md_iterations); 375 bcopy(p, md->md_salt, sizeof(md->md_salt)); p += sizeof(md->md_salt); 376 bcopy(p, md->md_mkeys, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys); 377 MD5Init(&ctx); 378 MD5Update(&ctx, data, p - data); 379 MD5Final((void *)hash, &ctx); 380 bcopy(hash, md->md_hash, sizeof(md->md_hash)); 381 if (bcmp(md->md_hash, p, 16) != 0) 382 return (EINVAL); 383 return (0); 384} 385static __inline int 386eli_metadata_decode(const u_char *data, struct g_eli_metadata *md) 387{ 388 int error; 389 390 bcopy(data, md->md_magic, sizeof(md->md_magic)); 391 if (strcmp(md->md_magic, G_ELI_MAGIC) != 0) 392 return (EINVAL); 393 md->md_version = le32dec(data + sizeof(md->md_magic)); 394 switch (md->md_version) { 395 case G_ELI_VERSION_00: 396 error = eli_metadata_decode_v0(data, md); 397 break; 398 case G_ELI_VERSION_01: 399 case G_ELI_VERSION_02: 400 case G_ELI_VERSION_03: 401 case G_ELI_VERSION_04: 402 case G_ELI_VERSION_05: 403 case G_ELI_VERSION_06: 404 case G_ELI_VERSION_07: 405 error = eli_metadata_decode_v1v2v3v4v5v6v7(data, md); 406 break; 407 default: 408 error = EOPNOTSUPP; 409 break; 410 } 411 return (error); 412} 413#endif /* !_OpenSSL */ 414 415static __inline u_int 416g_eli_str2ealgo(const char *name) 417{ 418 419 if (strcasecmp("null", name) == 0) 420 return (CRYPTO_NULL_CBC); 421 else if (strcasecmp("null-cbc", name) == 0) 422 return (CRYPTO_NULL_CBC); 423 else if (strcasecmp("aes", name) == 0) 424 return (CRYPTO_AES_XTS); 425 else if (strcasecmp("aes-cbc", name) == 0) 426 return (CRYPTO_AES_CBC); 427 else if (strcasecmp("aes-xts", name) == 0) 428 return (CRYPTO_AES_XTS); 429 else if (strcasecmp("camellia", name) == 0) 430 return (CRYPTO_CAMELLIA_CBC); 431 else if (strcasecmp("camellia-cbc", name) == 0) 432 return (CRYPTO_CAMELLIA_CBC); 433 return (CRYPTO_ALGORITHM_MIN - 1); 434} 435 436static __inline u_int 437g_eli_str2aalgo(const char *name) 438{ 439 440 if (strcasecmp("hmac/sha1", name) == 0) 441 return (CRYPTO_SHA1_HMAC); 442 else if (strcasecmp("hmac/ripemd160", name) == 0) 443 return (CRYPTO_RIPEMD160_HMAC); 444 else if (strcasecmp("hmac/sha256", name) == 0) 445 return (CRYPTO_SHA2_256_HMAC); 446 else if (strcasecmp("hmac/sha384", name) == 0) 447 return (CRYPTO_SHA2_384_HMAC); 448 else if (strcasecmp("hmac/sha512", name) == 0) 449 return (CRYPTO_SHA2_512_HMAC); 450 return (CRYPTO_ALGORITHM_MIN - 1); 451} 452 453static __inline const char * 454g_eli_algo2str(u_int algo) 455{ 456 457 switch (algo) { 458 case CRYPTO_NULL_CBC: 459 return ("NULL"); 460 case CRYPTO_AES_CBC: 461 return ("AES-CBC"); 462 case CRYPTO_AES_XTS: 463 return ("AES-XTS"); 464 case CRYPTO_CAMELLIA_CBC: 465 return ("CAMELLIA-CBC"); 466 case CRYPTO_SHA1_HMAC: 467 return ("HMAC/SHA1"); 468 case CRYPTO_RIPEMD160_HMAC: 469 return ("HMAC/RIPEMD160"); 470 case CRYPTO_SHA2_256_HMAC: 471 return ("HMAC/SHA256"); 472 case CRYPTO_SHA2_384_HMAC: 473 return ("HMAC/SHA384"); 474 case CRYPTO_SHA2_512_HMAC: 475 return ("HMAC/SHA512"); 476 } 477 return ("unknown"); 478} 479 480static __inline void 481eli_metadata_dump(const struct g_eli_metadata *md) 482{ 483 static const char hex[] = "0123456789abcdef"; 484 char str[sizeof(md->md_mkeys) * 2 + 1]; 485 u_int i; 486 487 printf(" magic: %s\n", md->md_magic); 488 printf(" version: %u\n", (u_int)md->md_version); 489 printf(" flags: 0x%x\n", (u_int)md->md_flags); 490 printf(" ealgo: %s\n", g_eli_algo2str(md->md_ealgo)); 491 printf(" keylen: %u\n", (u_int)md->md_keylen); 492 if (md->md_flags & G_ELI_FLAG_AUTH) 493 printf(" aalgo: %s\n", g_eli_algo2str(md->md_aalgo)); 494 printf(" provsize: %ju\n", (uintmax_t)md->md_provsize); 495 printf("sectorsize: %u\n", (u_int)md->md_sectorsize); 496 printf(" keys: 0x%02x\n", (u_int)md->md_keys); 497 printf("iterations: %d\n", (int)md->md_iterations); 498 bzero(str, sizeof(str)); 499 for (i = 0; i < sizeof(md->md_salt); i++) { 500 str[i * 2] = hex[md->md_salt[i] >> 4]; 501 str[i * 2 + 1] = hex[md->md_salt[i] & 0x0f]; 502 } 503 printf(" Salt: %s\n", str); 504 bzero(str, sizeof(str)); 505 for (i = 0; i < sizeof(md->md_mkeys); i++) { 506 str[i * 2] = hex[md->md_mkeys[i] >> 4]; 507 str[i * 2 + 1] = hex[md->md_mkeys[i] & 0x0f]; 508 } 509 printf("Master Key: %s\n", str); 510 bzero(str, sizeof(str)); 511 for (i = 0; i < 16; i++) { 512 str[i * 2] = hex[md->md_hash[i] >> 4]; 513 str[i * 2 + 1] = hex[md->md_hash[i] & 0x0f]; 514 } 515 printf(" MD5 hash: %s\n", str); 516} 517 518#ifdef _KERNEL 519static __inline bool 520eli_metadata_crypto_supported(const struct g_eli_metadata *md) 521{ 522 523 switch (md->md_ealgo) { 524 case CRYPTO_NULL_CBC: 525 case CRYPTO_AES_CBC: 526 case CRYPTO_CAMELLIA_CBC: 527 case CRYPTO_AES_XTS: 528 break; 529 default: 530 return (false); 531 } 532 if (md->md_flags & G_ELI_FLAG_AUTH) { 533 switch (md->md_aalgo) { 534 case CRYPTO_SHA1_HMAC: 535 case CRYPTO_RIPEMD160_HMAC: 536 case CRYPTO_SHA2_256_HMAC: 537 case CRYPTO_SHA2_384_HMAC: 538 case CRYPTO_SHA2_512_HMAC: 539 break; 540 default: 541 return (false); 542 } 543 } 544 return (true); 545} 546#endif 547 548static __inline u_int 549g_eli_keylen(u_int algo, u_int keylen) 550{ 551 552 switch (algo) { 553 case CRYPTO_NULL_CBC: 554 if (keylen == 0) 555 keylen = 64 * 8; 556 else { 557 if (keylen > 64 * 8) 558 keylen = 0; 559 } 560 return (keylen); 561 case CRYPTO_AES_CBC: 562 case CRYPTO_CAMELLIA_CBC: 563 switch (keylen) { 564 case 0: 565 return (128); 566 case 128: 567 case 192: 568 case 256: 569 return (keylen); 570 default: 571 return (0); 572 } 573 case CRYPTO_AES_XTS: 574 switch (keylen) { 575 case 0: 576 return (128); 577 case 128: 578 case 256: 579 return (keylen); 580 default: 581 return (0); 582 } 583 default: 584 return (0); 585 } 586} 587 588static __inline u_int 589g_eli_ivlen(u_int algo) 590{ 591 592 switch (algo) { 593 case CRYPTO_AES_XTS: 594 return (AES_XTS_IV_LEN); 595 case CRYPTO_AES_CBC: 596 return (AES_BLOCK_LEN); 597 case CRYPTO_CAMELLIA_CBC: 598 return (CAMELLIA_BLOCK_LEN); 599 } 600 return (0); 601} 602 603static __inline u_int 604g_eli_hashlen(u_int algo) 605{ 606 607 switch (algo) { 608 case CRYPTO_SHA1_HMAC: 609 return (20); 610 case CRYPTO_RIPEMD160_HMAC: 611 return (20); 612 case CRYPTO_SHA2_256_HMAC: 613 return (32); 614 case CRYPTO_SHA2_384_HMAC: 615 return (48); 616 case CRYPTO_SHA2_512_HMAC: 617 return (64); 618 } 619 return (0); 620} 621 622static __inline off_t 623eli_mediasize(const struct g_eli_softc *sc, off_t mediasize, u_int sectorsize) 624{ 625 626 if ((sc->sc_flags & G_ELI_FLAG_ONETIME) == 0) { 627 mediasize -= sectorsize; 628 } 629 if ((sc->sc_flags & G_ELI_FLAG_AUTH) == 0) { 630 mediasize -= (mediasize % sc->sc_sectorsize); 631 } else { 632 mediasize /= sc->sc_bytes_per_sector; 633 mediasize *= sc->sc_sectorsize; 634 } 635 636 return (mediasize); 637} 638 639static __inline void 640eli_metadata_softc(struct g_eli_softc *sc, const struct g_eli_metadata *md, 641 u_int sectorsize, off_t mediasize) 642{ 643 644 sc->sc_version = md->md_version; 645 sc->sc_inflight = 0; 646 sc->sc_crypto = G_ELI_CRYPTO_UNKNOWN; 647 sc->sc_flags = md->md_flags; 648 /* Backward compatibility. */ 649 if (md->md_version < G_ELI_VERSION_04) 650 sc->sc_flags |= G_ELI_FLAG_NATIVE_BYTE_ORDER; 651 if (md->md_version < G_ELI_VERSION_05) 652 sc->sc_flags |= G_ELI_FLAG_SINGLE_KEY; 653 if (md->md_version < G_ELI_VERSION_06 && 654 (sc->sc_flags & G_ELI_FLAG_AUTH) != 0) { 655 sc->sc_flags |= G_ELI_FLAG_FIRST_KEY; 656 } 657 if (md->md_version < G_ELI_VERSION_07) 658 sc->sc_flags |= G_ELI_FLAG_ENC_IVKEY; 659 sc->sc_ealgo = md->md_ealgo; 660 661 if (sc->sc_flags & G_ELI_FLAG_AUTH) { 662 sc->sc_akeylen = sizeof(sc->sc_akey) * 8; 663 sc->sc_aalgo = md->md_aalgo; 664 sc->sc_alen = g_eli_hashlen(sc->sc_aalgo); 665 666 sc->sc_data_per_sector = sectorsize - sc->sc_alen; 667 /* 668 * Some hash functions (like SHA1 and RIPEMD160) generates hash 669 * which length is not multiple of 128 bits, but we want data 670 * length to be multiple of 128, so we can encrypt without 671 * padding. The line below rounds down data length to multiple 672 * of 128 bits. 673 */ 674 sc->sc_data_per_sector -= sc->sc_data_per_sector % 16; 675 676 sc->sc_bytes_per_sector = 677 (md->md_sectorsize - 1) / sc->sc_data_per_sector + 1; 678 sc->sc_bytes_per_sector *= sectorsize; 679 } 680 sc->sc_provsize = mediasize; 681 sc->sc_sectorsize = md->md_sectorsize; 682 sc->sc_mediasize = eli_mediasize(sc, mediasize, sectorsize); 683 sc->sc_ekeylen = md->md_keylen; 684} 685 686#ifdef _KERNEL 687int g_eli_read_metadata(struct g_class *mp, struct g_provider *pp, 688 struct g_eli_metadata *md); 689struct g_geom *g_eli_create(struct gctl_req *req, struct g_class *mp, 690 struct g_provider *bpp, const struct g_eli_metadata *md, 691 const u_char *mkey, int nkey); 692int g_eli_destroy(struct g_eli_softc *sc, boolean_t force); 693 694int g_eli_access(struct g_provider *pp, int dr, int dw, int de); 695void g_eli_config(struct gctl_req *req, struct g_class *mp, const char *verb); 696 697void g_eli_read_done(struct bio *bp); 698void g_eli_write_done(struct bio *bp); 699int g_eli_crypto_rerun(struct cryptop *crp); 700 701bool g_eli_alloc_data(struct bio *bp, int sz); 702void g_eli_free_data(struct bio *bp); 703 704void g_eli_crypto_read(struct g_eli_softc *sc, struct bio *bp, boolean_t fromworker); 705void g_eli_crypto_run(struct g_eli_worker *wr, struct bio *bp); 706 707void g_eli_auth_read(struct g_eli_softc *sc, struct bio *bp); 708void g_eli_auth_run(struct g_eli_worker *wr, struct bio *bp); 709#endif 710void g_eli_crypto_ivgen(struct g_eli_softc *sc, off_t offset, u_char *iv, 711 size_t size); 712 713void g_eli_mkey_hmac(unsigned char *mkey, const unsigned char *key); 714int g_eli_mkey_decrypt(const struct g_eli_metadata *md, 715 const unsigned char *key, unsigned char *mkey, unsigned keyp); 716int g_eli_mkey_decrypt_any(const struct g_eli_metadata *md, 717 const unsigned char *key, unsigned char *mkey, unsigned *nkeyp); 718int g_eli_mkey_encrypt(unsigned algo, const unsigned char *key, unsigned keylen, 719 unsigned char *mkey); 720#ifdef _KERNEL 721void g_eli_mkey_propagate(struct g_eli_softc *sc, const unsigned char *mkey); 722#endif 723 724int g_eli_crypto_encrypt(u_int algo, u_char *data, size_t datasize, 725 const u_char *key, size_t keysize); 726int g_eli_crypto_decrypt(u_int algo, u_char *data, size_t datasize, 727 const u_char *key, size_t keysize); 728 729struct hmac_ctx { 730 SHA512_CTX innerctx; 731 SHA512_CTX outerctx; 732}; 733 734void g_eli_crypto_hmac_init(struct hmac_ctx *ctx, const char *hkey, 735 size_t hkeylen); 736void g_eli_crypto_hmac_update(struct hmac_ctx *ctx, const uint8_t *data, 737 size_t datasize); 738void g_eli_crypto_hmac_final(struct hmac_ctx *ctx, uint8_t *md, size_t mdsize); 739void g_eli_crypto_hmac(const char *hkey, size_t hkeysize, 740 const uint8_t *data, size_t datasize, uint8_t *md, size_t mdsize); 741 742void g_eli_key_fill(struct g_eli_softc *sc, struct g_eli_key *key, 743 uint64_t keyno); 744#ifdef _KERNEL 745void g_eli_key_init(struct g_eli_softc *sc); 746void g_eli_key_destroy(struct g_eli_softc *sc); 747void g_eli_key_resize(struct g_eli_softc *sc); 748uint8_t *g_eli_key_hold(struct g_eli_softc *sc, off_t offset, size_t blocksize); 749void g_eli_key_drop(struct g_eli_softc *sc, uint8_t *rawkey); 750#endif 751#endif /* !_G_ELI_H_ */ 752