1 /*- 2 * Copyright (c) 2015 Allan Jude <allanjude@FreeBSD.org> 3 * Copyright (c) 2005-2011 Pawel Jakub Dawidek <pawel@dawidek.net> 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 25 * SUCH DAMAGE. 26 * 27 * $FreeBSD$ 28 */ 29 30 #include <stand.h> 31 #include <stdarg.h> 32 #include "geliboot.h" 33 #include "geliboot_internal.h" 34 35 struct known_dev { 36 char name[GELIDEV_NAMELEN]; 37 struct geli_dev *gdev; 38 SLIST_ENTRY(known_dev) entries; 39 }; 40 41 SLIST_HEAD(known_dev_list, known_dev) known_devs_head = 42 SLIST_HEAD_INITIALIZER(known_devs_head); 43 44 static geli_ukey saved_keys[GELI_MAX_KEYS]; 45 static unsigned int nsaved_keys = 0; 46 47 /* 48 * Copy keys from local storage to the keybuf struct. 49 * Destroy the local storage when finished. 50 */ 51 void 52 geli_export_key_buffer(struct keybuf *fkeybuf) 53 { 54 unsigned int i; 55 56 for (i = 0; i < nsaved_keys; i++) { 57 fkeybuf->kb_ents[i].ke_type = KEYBUF_TYPE_GELI; 58 memcpy(fkeybuf->kb_ents[i].ke_data, saved_keys[i], 59 G_ELI_USERKEYLEN); 60 } 61 fkeybuf->kb_nents = nsaved_keys; 62 explicit_bzero(saved_keys, sizeof(saved_keys)); 63 } 64 65 /* 66 * Copy keys from a keybuf struct into local storage. 67 * Zero out the keybuf. 68 */ 69 void 70 geli_import_key_buffer(struct keybuf *skeybuf) 71 { 72 unsigned int i; 73 74 for (i = 0; i < skeybuf->kb_nents && i < GELI_MAX_KEYS; i++) { 75 memcpy(saved_keys[i], skeybuf->kb_ents[i].ke_data, 76 G_ELI_USERKEYLEN); 77 explicit_bzero(skeybuf->kb_ents[i].ke_data, 78 G_ELI_USERKEYLEN); 79 skeybuf->kb_ents[i].ke_type = KEYBUF_TYPE_NONE; 80 } 81 nsaved_keys = skeybuf->kb_nents; 82 skeybuf->kb_nents = 0; 83 } 84 85 void 86 geli_add_key(geli_ukey key) 87 { 88 89 /* 90 * If we run out of key space, the worst that will happen is 91 * it will ask the user for the password again. 92 */ 93 if (nsaved_keys < GELI_MAX_KEYS) { 94 memcpy(saved_keys[nsaved_keys], key, G_ELI_USERKEYLEN); 95 nsaved_keys++; 96 } 97 } 98 99 static int 100 geli_findkey(struct geli_dev *gdev, u_char *mkey) 101 { 102 u_int keynum; 103 int i; 104 105 if (gdev->keybuf_slot >= 0) { 106 if (g_eli_mkey_decrypt_any(&gdev->md, saved_keys[gdev->keybuf_slot], 107 mkey, &keynum) == 0) { 108 return (0); 109 } 110 } 111 112 for (i = 0; i < nsaved_keys; i++) { 113 if (g_eli_mkey_decrypt_any(&gdev->md, saved_keys[i], mkey, 114 &keynum) == 0) { 115 gdev->keybuf_slot = i; 116 return (0); 117 } 118 } 119 120 return (1); 121 } 122 123 /* 124 * Read the last sector of a drive or partition and see if it is GELI encrypted. 125 */ 126 struct geli_dev * 127 geli_taste(geli_readfunc readfunc, void *readpriv, daddr_t lastsector, 128 const char *namefmt, ...) 129 { 130 va_list args; 131 struct g_eli_metadata md; 132 struct known_dev *kdev; 133 struct geli_dev *gdev; 134 u_char *buf; 135 char devname[GELIDEV_NAMELEN]; 136 int error; 137 off_t alignsector; 138 139 /* 140 * Format the name into a temp buffer and use that to search for an 141 * existing known_dev instance. If not found, this has the side effect 142 * of initializing kdev to NULL. 143 */ 144 va_start(args, namefmt); 145 vsnprintf(devname, sizeof(devname), namefmt, args); 146 va_end(args); 147 SLIST_FOREACH(kdev, &known_devs_head, entries) { 148 if (strcmp(kdev->name, devname) == 0) 149 return (kdev->gdev); 150 } 151 152 /* Determine whether the new device is geli-encrypted... */ 153 if ((buf = malloc(DEV_GELIBOOT_BSIZE)) == NULL) 154 goto out; 155 alignsector = rounddown2(lastsector * DEV_BSIZE, DEV_GELIBOOT_BSIZE); 156 if (alignsector + DEV_GELIBOOT_BSIZE > ((lastsector + 1) * DEV_BSIZE)) { 157 /* Don't read past the end of the disk */ 158 alignsector = (lastsector * DEV_BSIZE) + DEV_BSIZE - 159 DEV_GELIBOOT_BSIZE; 160 } 161 error = readfunc(NULL, readpriv, alignsector, buf, DEV_GELIBOOT_BSIZE); 162 if (error != 0) { 163 goto out; 164 } 165 166 /* 167 * We have a new known_device. Whether it's geli-encrypted or not, 168 * record its existance so we can avoid doing IO to probe it next time. 169 */ 170 if ((kdev = malloc(sizeof(*kdev))) == NULL) 171 goto out; 172 strlcpy(kdev->name, devname, sizeof(kdev->name)); 173 kdev->gdev = NULL; 174 SLIST_INSERT_HEAD(&known_devs_head, kdev, entries); 175 176 /* Extract the last 4k sector of the disk. */ 177 error = eli_metadata_decode(buf, &md); 178 if (error != 0) { 179 /* Try the last 512 byte sector instead. */ 180 error = eli_metadata_decode(buf + 181 (DEV_GELIBOOT_BSIZE - DEV_BSIZE), &md); 182 if (error != 0) { 183 goto out; 184 } 185 } 186 187 if (!(md.md_flags & G_ELI_FLAG_GELIBOOT)) { 188 /* The GELIBOOT feature is not activated */ 189 goto out; 190 } 191 if ((md.md_flags & G_ELI_FLAG_ONETIME)) { 192 /* Swap device, skip it. */ 193 goto out; 194 } 195 196 /* 197 * It's geli-encrypted, create a geli_dev for it and link it into the 198 * known_dev instance. 199 */ 200 gdev = malloc(sizeof(struct geli_dev)); 201 if (gdev == NULL) 202 goto out; 203 gdev->part_end = lastsector; 204 gdev->keybuf_slot = -1; 205 gdev->md = md; 206 gdev->name = kdev->name; 207 eli_metadata_softc(&gdev->sc, &md, DEV_BSIZE, 208 (lastsector + DEV_BSIZE) * DEV_BSIZE); 209 kdev->gdev = gdev; 210 out: 211 free(buf); 212 if (kdev == NULL) 213 return (NULL); 214 return (kdev->gdev); 215 } 216 217 /* 218 * Attempt to decrypt the device. This will try existing keys first, then will 219 * prompt for a passphrase if there are no existing keys that work. 220 */ 221 static int 222 geli_probe(struct geli_dev *gdev, const char *passphrase, u_char *mkeyp) 223 { 224 u_char key[G_ELI_USERKEYLEN], mkey[G_ELI_DATAIVKEYLEN], *mkp; 225 u_int keynum; 226 struct hmac_ctx ctx; 227 int error; 228 229 if (mkeyp != NULL) { 230 memcpy(&mkey, mkeyp, G_ELI_DATAIVKEYLEN); 231 explicit_bzero(mkeyp, G_ELI_DATAIVKEYLEN); 232 goto found_key; 233 } 234 235 if (geli_findkey(gdev, mkey) == 0) { 236 goto found_key; 237 } 238 239 g_eli_crypto_hmac_init(&ctx, NULL, 0); 240 /* 241 * Prepare Derived-Key from the user passphrase. 242 */ 243 if (gdev->md.md_iterations < 0) { 244 /* XXX TODO: Support loading key files. */ 245 return (1); 246 } else if (gdev->md.md_iterations == 0) { 247 g_eli_crypto_hmac_update(&ctx, gdev->md.md_salt, 248 sizeof(gdev->md.md_salt)); 249 g_eli_crypto_hmac_update(&ctx, (const uint8_t *)passphrase, 250 strlen(passphrase)); 251 } else if (gdev->md.md_iterations > 0) { 252 printf("Calculating GELI Decryption Key for %s %d" 253 " iterations...\n", gdev->name, gdev->md.md_iterations); 254 u_char dkey[G_ELI_USERKEYLEN]; 255 256 pkcs5v2_genkey(dkey, sizeof(dkey), gdev->md.md_salt, 257 sizeof(gdev->md.md_salt), passphrase, 258 gdev->md.md_iterations); 259 g_eli_crypto_hmac_update(&ctx, dkey, sizeof(dkey)); 260 explicit_bzero(dkey, sizeof(dkey)); 261 } 262 263 g_eli_crypto_hmac_final(&ctx, key, 0); 264 265 error = g_eli_mkey_decrypt_any(&gdev->md, key, mkey, &keynum); 266 if (error == -1) { 267 explicit_bzero(mkey, sizeof(mkey)); 268 explicit_bzero(key, sizeof(key)); 269 printf("Bad GELI key: bad password?\n"); 270 return (error); 271 } else if (error != 0) { 272 explicit_bzero(mkey, sizeof(mkey)); 273 explicit_bzero(key, sizeof(key)); 274 printf("Failed to decrypt GELI master key: %d\n", error); 275 return (error); 276 } else { 277 /* Add key to keychain */ 278 geli_add_key(key); 279 explicit_bzero(&key, sizeof(key)); 280 } 281 282 found_key: 283 /* Store the keys */ 284 bcopy(mkey, gdev->sc.sc_mkey, sizeof(gdev->sc.sc_mkey)); 285 bcopy(mkey, gdev->sc.sc_ivkey, sizeof(gdev->sc.sc_ivkey)); 286 mkp = mkey + sizeof(gdev->sc.sc_ivkey); 287 if ((gdev->sc.sc_flags & G_ELI_FLAG_AUTH) == 0) { 288 bcopy(mkp, gdev->sc.sc_ekey, G_ELI_DATAKEYLEN); 289 } else { 290 /* 291 * The encryption key is: ekey = HMAC_SHA512(Data-Key, 0x10) 292 */ 293 g_eli_crypto_hmac(mkp, G_ELI_MAXKEYLEN, (const uint8_t *)"\x10", 1, 294 gdev->sc.sc_ekey, 0); 295 } 296 explicit_bzero(mkey, sizeof(mkey)); 297 298 /* Initialize the per-sector IV. */ 299 switch (gdev->sc.sc_ealgo) { 300 case CRYPTO_AES_XTS: 301 break; 302 default: 303 SHA256_Init(&gdev->sc.sc_ivctx); 304 SHA256_Update(&gdev->sc.sc_ivctx, gdev->sc.sc_ivkey, 305 sizeof(gdev->sc.sc_ivkey)); 306 break; 307 } 308 309 return (0); 310 } 311 312 int 313 geli_read(struct geli_dev *gdev, off_t offset, u_char *buf, size_t bytes) 314 { 315 u_char iv[G_ELI_IVKEYLEN]; 316 u_char *pbuf; 317 int error; 318 off_t dstoff; 319 uint64_t keyno; 320 size_t n, nsec, secsize; 321 struct g_eli_key gkey; 322 323 pbuf = buf; 324 325 secsize = gdev->sc.sc_sectorsize; 326 nsec = bytes / secsize; 327 if (nsec == 0) { 328 /* 329 * A read of less than the GELI sector size has been 330 * requested. The caller provided destination buffer may 331 * not be big enough to boost the read to a full sector, 332 * so just attempt to decrypt the truncated sector. 333 */ 334 secsize = bytes; 335 nsec = 1; 336 } 337 338 for (n = 0, dstoff = offset; n < nsec; n++, dstoff += secsize) { 339 340 g_eli_crypto_ivgen(&gdev->sc, dstoff, iv, G_ELI_IVKEYLEN); 341 342 /* Get the key that corresponds to this offset. */ 343 keyno = (dstoff >> G_ELI_KEY_SHIFT) / secsize; 344 g_eli_key_fill(&gdev->sc, &gkey, keyno); 345 346 error = geliboot_crypt(gdev->sc.sc_ealgo, 0, pbuf, secsize, 347 gkey.gek_key, gdev->sc.sc_ekeylen, iv); 348 349 if (error != 0) { 350 explicit_bzero(&gkey, sizeof(gkey)); 351 printf("Failed to decrypt in geli_read()!"); 352 return (error); 353 } 354 pbuf += secsize; 355 } 356 explicit_bzero(&gkey, sizeof(gkey)); 357 return (0); 358 } 359 360 int 361 geli_havekey(struct geli_dev *gdev) 362 { 363 u_char mkey[G_ELI_DATAIVKEYLEN]; 364 int err; 365 366 err = ENOENT; 367 if (geli_findkey(gdev, mkey) == 0) { 368 if (geli_probe(gdev, NULL, mkey) == 0) 369 err = 0; 370 explicit_bzero(mkey, sizeof(mkey)); 371 } 372 return (err); 373 } 374 375 int 376 geli_passphrase(struct geli_dev *gdev, char *pw) 377 { 378 int i; 379 380 /* TODO: Implement GELI keyfile(s) support */ 381 for (i = 0; i < 3; i++) { 382 /* Try cached passphrase */ 383 if (i == 0 && pw[0] != '\0') { 384 if (geli_probe(gdev, pw, NULL) == 0) { 385 return (0); 386 } 387 } 388 printf("GELI Passphrase for %s ", gdev->name); 389 pwgets(pw, GELI_PW_MAXLEN, 390 (gdev->md.md_flags & G_ELI_FLAG_GELIDISPLAYPASS) == 0); 391 printf("\n"); 392 if (geli_probe(gdev, pw, NULL) == 0) { 393 return (0); 394 } 395 } 396 397 return (1); 398 } 399