/*- * SPDX-License-Identifier: BSD-2-Clause * * Copyright (c) 2005-2011 Pawel Jakub Dawidek * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #include #ifdef _KERNEL #include #include #include #else #include #include #include #include #include #include #endif #include #ifdef _KERNEL MALLOC_DECLARE(M_ELI); #endif /* * Verify if the given 'key' is correct. * Return 1 if it is correct and 0 otherwise. */ static int g_eli_mkey_verify(const unsigned char *mkey, const unsigned char *key) { const unsigned char *odhmac; /* On-disk HMAC. */ unsigned char chmac[SHA512_MDLEN]; /* Calculated HMAC. */ unsigned char hmkey[SHA512_MDLEN]; /* Key for HMAC. */ /* * The key for HMAC calculations is: hmkey = HMAC_SHA512(Derived-Key, 0) */ g_eli_crypto_hmac(key, G_ELI_USERKEYLEN, "\x00", 1, hmkey, 0); odhmac = mkey + G_ELI_DATAIVKEYLEN; /* Calculate HMAC from Data-Key and IV-Key. */ g_eli_crypto_hmac(hmkey, sizeof(hmkey), mkey, G_ELI_DATAIVKEYLEN, chmac, 0); explicit_bzero(hmkey, sizeof(hmkey)); /* * Compare calculated HMAC with HMAC from metadata. * If two HMACs are equal, 'key' is correct. */ return (!bcmp(odhmac, chmac, SHA512_MDLEN)); } /* * Calculate HMAC from Data-Key and IV-Key. */ void g_eli_mkey_hmac(unsigned char *mkey, const unsigned char *key) { unsigned char hmkey[SHA512_MDLEN]; /* Key for HMAC. */ unsigned char *odhmac; /* On-disk HMAC. */ /* * The key for HMAC calculations is: hmkey = HMAC_SHA512(Derived-Key, 0) */ g_eli_crypto_hmac(key, G_ELI_USERKEYLEN, "\x00", 1, hmkey, 0); odhmac = mkey + G_ELI_DATAIVKEYLEN; /* Calculate HMAC from Data-Key and IV-Key. */ g_eli_crypto_hmac(hmkey, sizeof(hmkey), mkey, G_ELI_DATAIVKEYLEN, odhmac, 0); explicit_bzero(hmkey, sizeof(hmkey)); } /* * Find and decrypt Master Key encrypted with 'key' at slot 'nkey'. * Return 0 on success, > 0 on failure, -1 on bad key. */ int g_eli_mkey_decrypt(const struct g_eli_metadata *md, const unsigned char *key, unsigned char *mkey, unsigned nkey) { unsigned char tmpmkey[G_ELI_MKEYLEN]; unsigned char enckey[SHA512_MDLEN]; /* Key for encryption. */ const unsigned char *mmkey; int bit, error; if (nkey > G_ELI_MKEYLEN) return (-1); /* * The key for encryption is: enckey = HMAC_SHA512(Derived-Key, 1) */ g_eli_crypto_hmac(key, G_ELI_USERKEYLEN, "\x01", 1, enckey, 0); mmkey = md->md_mkeys + G_ELI_MKEYLEN * nkey; bit = (1 << nkey); if (!(md->md_keys & bit)) return (-1); bcopy(mmkey, tmpmkey, G_ELI_MKEYLEN); error = g_eli_crypto_decrypt(md->md_ealgo, tmpmkey, G_ELI_MKEYLEN, enckey, md->md_keylen); if (error != 0) { explicit_bzero(tmpmkey, sizeof(tmpmkey)); explicit_bzero(enckey, sizeof(enckey)); return (error); } if (g_eli_mkey_verify(tmpmkey, key)) { bcopy(tmpmkey, mkey, G_ELI_DATAIVKEYLEN); explicit_bzero(tmpmkey, sizeof(tmpmkey)); explicit_bzero(enckey, sizeof(enckey)); return (0); } explicit_bzero(enckey, sizeof(enckey)); explicit_bzero(tmpmkey, sizeof(tmpmkey)); return (-1); } /* * Find and decrypt Master Key encrypted with 'key'. * Return decrypted Master Key number in 'nkeyp' if not NULL. * Return 0 on success, > 0 on failure, -1 on bad key. */ int g_eli_mkey_decrypt_any(const struct g_eli_metadata *md, const unsigned char *key, unsigned char *mkey, unsigned *nkeyp) { int error, nkey; if (nkeyp != NULL) *nkeyp = -1; error = -1; for (nkey = 0; nkey < G_ELI_MAXMKEYS; nkey++) { error = g_eli_mkey_decrypt(md, key, mkey, nkey); if (error == 0) { if (nkeyp != NULL) *nkeyp = nkey; break; } else if (error > 0) { break; } } return (error); } /* * Encrypt the Master-Key and calculate HMAC to be able to verify it in the * future. */ int g_eli_mkey_encrypt(unsigned algo, const unsigned char *key, unsigned keylen, unsigned char *mkey) { unsigned char enckey[SHA512_MDLEN]; /* Key for encryption. */ int error; /* * To calculate HMAC, the whole key (G_ELI_USERKEYLEN bytes long) will * be used. */ g_eli_mkey_hmac(mkey, key); /* * The key for encryption is: enckey = HMAC_SHA512(Derived-Key, 1) */ g_eli_crypto_hmac(key, G_ELI_USERKEYLEN, "\x01", 1, enckey, 0); /* * Encrypt the Master-Key and HMAC() result with the given key (this * time only 'keylen' bits from the key are used). */ error = g_eli_crypto_encrypt(algo, mkey, G_ELI_MKEYLEN, enckey, keylen); explicit_bzero(enckey, sizeof(enckey)); return (error); } #ifdef _KERNEL /* * When doing encryption only, copy IV key and encryption key. * When doing encryption and authentication, copy IV key, generate encryption * key and generate authentication key. */ void g_eli_mkey_propagate(struct g_eli_softc *sc, const unsigned char *mkey) { /* Remember the Master Key. */ bcopy(mkey, sc->sc_mkey, sizeof(sc->sc_mkey)); bcopy(mkey, sc->sc_ivkey, sizeof(sc->sc_ivkey)); mkey += sizeof(sc->sc_ivkey); /* * The authentication key is: akey = HMAC_SHA512(Data-Key, 0x11) */ if ((sc->sc_flags & G_ELI_FLAG_AUTH) != 0) { g_eli_crypto_hmac(mkey, G_ELI_MAXKEYLEN, "\x11", 1, sc->sc_akey, 0); } else { arc4rand(sc->sc_akey, sizeof(sc->sc_akey), 0); } /* Initialize encryption keys. */ g_eli_key_init(sc); if ((sc->sc_flags & G_ELI_FLAG_AUTH) != 0) { /* * Precalculate SHA256 for HMAC key generation. * This is expensive operation and we can do it only once now or * for every access to sector, so now will be much better. */ SHA256_Init(&sc->sc_akeyctx); SHA256_Update(&sc->sc_akeyctx, sc->sc_akey, sizeof(sc->sc_akey)); } /* * Precalculate SHA256 for IV generation. * This is expensive operation and we can do it only once now or for * every access to sector, so now will be much better. */ switch (sc->sc_ealgo) { case CRYPTO_AES_XTS: break; default: SHA256_Init(&sc->sc_ivctx); SHA256_Update(&sc->sc_ivctx, sc->sc_ivkey, sizeof(sc->sc_ivkey)); break; } } #endif