1 /*- 2 * Copyright (c) 2005-2010 Pawel Jakub Dawidek <pjd@FreeBSD.org> 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24 * SUCH DAMAGE. 25 * 26 * $FreeBSD$ 27 */ 28 29 #ifndef _G_ELI_H_ 30 #define _G_ELI_H_ 31 32 #include <sys/endian.h> 33 #include <sys/errno.h> 34 #include <sys/malloc.h> 35 #include <crypto/sha2/sha2.h> 36 #include <opencrypto/cryptodev.h> 37 #ifdef _KERNEL 38 #include <sys/bio.h> 39 #include <sys/libkern.h> 40 #include <geom/geom.h> 41 #else 42 #include <stdio.h> 43 #include <string.h> 44 #include <strings.h> 45 #endif 46 #ifndef _OpenSSL_ 47 #include <sys/md5.h> 48 #endif 49 50 #define G_ELI_CLASS_NAME "ELI" 51 #define G_ELI_MAGIC "GEOM::ELI" 52 #define G_ELI_SUFFIX ".eli" 53 54 /* 55 * Version history: 56 * 0 - Initial version number. 57 * 1 - Added data authentication support (md_aalgo field and 58 * G_ELI_FLAG_AUTH flag). 59 * 2 - Added G_ELI_FLAG_READONLY. 60 * 3 - Added 'configure' subcommand. 61 * 4 - IV is generated from offset converted to little-endian 62 * (flag G_ELI_FLAG_NATIVE_BYTE_ORDER will be set for older versions). 63 * 5 - Added multiple encrypton keys and AES-XTS support. 64 */ 65 #define G_ELI_VERSION 5 66 67 /* ON DISK FLAGS. */ 68 /* Use random, onetime keys. */ 69 #define G_ELI_FLAG_ONETIME 0x00000001 70 /* Ask for the passphrase from the kernel, before mounting root. */ 71 #define G_ELI_FLAG_BOOT 0x00000002 72 /* Detach on last close, if we were open for writing. */ 73 #define G_ELI_FLAG_WO_DETACH 0x00000004 74 /* Detach on last close. */ 75 #define G_ELI_FLAG_RW_DETACH 0x00000008 76 /* Provide data authentication. */ 77 #define G_ELI_FLAG_AUTH 0x00000010 78 /* Provider is read-only, we should deny all write attempts. */ 79 #define G_ELI_FLAG_RO 0x00000020 80 /* RUNTIME FLAGS. */ 81 /* Provider was open for writing. */ 82 #define G_ELI_FLAG_WOPEN 0x00010000 83 /* Destroy device. */ 84 #define G_ELI_FLAG_DESTROY 0x00020000 85 /* Provider uses native byte-order for IV generation. */ 86 #define G_ELI_FLAG_NATIVE_BYTE_ORDER 0x00040000 87 /* Provider uses single encryption key. */ 88 #define G_ELI_FLAG_SINGLE_KEY 0x00080000 89 /* Device suspended. */ 90 #define G_ELI_FLAG_SUSPEND 0x00100000 91 92 #define G_ELI_NEW_BIO 255 93 94 #define SHA512_MDLEN 64 95 #define G_ELI_AUTH_SECKEYLEN SHA256_DIGEST_LENGTH 96 97 #define G_ELI_MAXMKEYS 2 98 #define G_ELI_MAXKEYLEN 64 99 #define G_ELI_USERKEYLEN G_ELI_MAXKEYLEN 100 #define G_ELI_DATAKEYLEN G_ELI_MAXKEYLEN 101 #define G_ELI_AUTHKEYLEN G_ELI_MAXKEYLEN 102 #define G_ELI_IVKEYLEN G_ELI_MAXKEYLEN 103 #define G_ELI_SALTLEN 64 104 #define G_ELI_DATAIVKEYLEN (G_ELI_DATAKEYLEN + G_ELI_IVKEYLEN) 105 /* Data-Key, IV-Key, HMAC_SHA512(Derived-Key, Data-Key+IV-Key) */ 106 #define G_ELI_MKEYLEN (G_ELI_DATAIVKEYLEN + SHA512_MDLEN) 107 #define G_ELI_OVERWRITES 5 108 /* Switch data encryption key every 2^20 blocks. */ 109 #define G_ELI_KEY_SHIFT 20 110 111 #ifdef _KERNEL 112 extern int g_eli_debug; 113 extern u_int g_eli_overwrites; 114 extern u_int g_eli_batch; 115 116 #define G_ELI_CRYPTO_UNKNOWN 0 117 #define G_ELI_CRYPTO_HW 1 118 #define G_ELI_CRYPTO_SW 2 119 120 #define G_ELI_DEBUG(lvl, ...) do { \ 121 if (g_eli_debug >= (lvl)) { \ 122 printf("GEOM_ELI"); \ 123 if (g_eli_debug > 0) \ 124 printf("[%u]", lvl); \ 125 printf(": "); \ 126 printf(__VA_ARGS__); \ 127 printf("\n"); \ 128 } \ 129 } while (0) 130 #define G_ELI_LOGREQ(lvl, bp, ...) do { \ 131 if (g_eli_debug >= (lvl)) { \ 132 printf("GEOM_ELI"); \ 133 if (g_eli_debug > 0) \ 134 printf("[%u]", lvl); \ 135 printf(": "); \ 136 printf(__VA_ARGS__); \ 137 printf(" "); \ 138 g_print_bio(bp); \ 139 printf("\n"); \ 140 } \ 141 } while (0) 142 143 struct g_eli_worker { 144 struct g_eli_softc *w_softc; 145 struct proc *w_proc; 146 u_int w_number; 147 uint64_t w_sid; 148 boolean_t w_active; 149 LIST_ENTRY(g_eli_worker) w_next; 150 }; 151 152 struct g_eli_softc { 153 struct g_geom *sc_geom; 154 u_int sc_crypto; 155 uint8_t sc_mkey[G_ELI_DATAIVKEYLEN]; 156 uint8_t **sc_ekeys; 157 u_int sc_nekeys; 158 u_int sc_ealgo; 159 u_int sc_ekeylen; 160 uint8_t sc_akey[G_ELI_AUTHKEYLEN]; 161 u_int sc_aalgo; 162 u_int sc_akeylen; 163 u_int sc_alen; 164 SHA256_CTX sc_akeyctx; 165 uint8_t sc_ivkey[G_ELI_IVKEYLEN]; 166 SHA256_CTX sc_ivctx; 167 int sc_nkey; 168 uint32_t sc_flags; 169 int sc_inflight; 170 off_t sc_mediasize; 171 size_t sc_sectorsize; 172 u_int sc_bytes_per_sector; 173 u_int sc_data_per_sector; 174 175 /* Only for software cryptography. */ 176 struct bio_queue_head sc_queue; 177 struct mtx sc_queue_mtx; 178 LIST_HEAD(, g_eli_worker) sc_workers; 179 }; 180 #define sc_name sc_geom->name 181 #endif /* _KERNEL */ 182 183 struct g_eli_metadata { 184 char md_magic[16]; /* Magic value. */ 185 uint32_t md_version; /* Version number. */ 186 uint32_t md_flags; /* Additional flags. */ 187 uint16_t md_ealgo; /* Encryption algorithm. */ 188 uint16_t md_keylen; /* Key length. */ 189 uint16_t md_aalgo; /* Authentication algorithm. */ 190 uint64_t md_provsize; /* Provider's size. */ 191 uint32_t md_sectorsize; /* Sector size. */ 192 uint8_t md_keys; /* Available keys. */ 193 int32_t md_iterations; /* Number of iterations for PKCS#5v2. */ 194 uint8_t md_salt[G_ELI_SALTLEN]; /* Salt. */ 195 /* Encrypted master key (IV-key, Data-key, HMAC). */ 196 uint8_t md_mkeys[G_ELI_MAXMKEYS * G_ELI_MKEYLEN]; 197 u_char md_hash[16]; /* MD5 hash. */ 198 } __packed; 199 #ifndef _OpenSSL_ 200 static __inline void 201 eli_metadata_encode(struct g_eli_metadata *md, u_char *data) 202 { 203 MD5_CTX ctx; 204 u_char *p; 205 206 p = data; 207 bcopy(md->md_magic, p, sizeof(md->md_magic)); p += sizeof(md->md_magic); 208 le32enc(p, md->md_version); p += sizeof(md->md_version); 209 le32enc(p, md->md_flags); p += sizeof(md->md_flags); 210 le16enc(p, md->md_ealgo); p += sizeof(md->md_ealgo); 211 le16enc(p, md->md_keylen); p += sizeof(md->md_keylen); 212 le16enc(p, md->md_aalgo); p += sizeof(md->md_aalgo); 213 le64enc(p, md->md_provsize); p += sizeof(md->md_provsize); 214 le32enc(p, md->md_sectorsize); p += sizeof(md->md_sectorsize); 215 *p = md->md_keys; p += sizeof(md->md_keys); 216 le32enc(p, md->md_iterations); p += sizeof(md->md_iterations); 217 bcopy(md->md_salt, p, sizeof(md->md_salt)); p += sizeof(md->md_salt); 218 bcopy(md->md_mkeys, p, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys); 219 MD5Init(&ctx); 220 MD5Update(&ctx, data, p - data); 221 MD5Final(md->md_hash, &ctx); 222 bcopy(md->md_hash, p, sizeof(md->md_hash)); 223 } 224 static __inline int 225 eli_metadata_decode_v0(const u_char *data, struct g_eli_metadata *md) 226 { 227 MD5_CTX ctx; 228 const u_char *p; 229 230 p = data + sizeof(md->md_magic) + sizeof(md->md_version); 231 md->md_flags = le32dec(p); p += sizeof(md->md_flags); 232 md->md_ealgo = le16dec(p); p += sizeof(md->md_ealgo); 233 md->md_keylen = le16dec(p); p += sizeof(md->md_keylen); 234 md->md_provsize = le64dec(p); p += sizeof(md->md_provsize); 235 md->md_sectorsize = le32dec(p); p += sizeof(md->md_sectorsize); 236 md->md_keys = *p; p += sizeof(md->md_keys); 237 md->md_iterations = le32dec(p); p += sizeof(md->md_iterations); 238 bcopy(p, md->md_salt, sizeof(md->md_salt)); p += sizeof(md->md_salt); 239 bcopy(p, md->md_mkeys, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys); 240 MD5Init(&ctx); 241 MD5Update(&ctx, data, p - data); 242 MD5Final(md->md_hash, &ctx); 243 if (bcmp(md->md_hash, p, 16) != 0) 244 return (EINVAL); 245 return (0); 246 } 247 248 static __inline int 249 eli_metadata_decode_v1v2v3v4v5(const u_char *data, struct g_eli_metadata *md) 250 { 251 MD5_CTX ctx; 252 const u_char *p; 253 254 p = data + sizeof(md->md_magic) + sizeof(md->md_version); 255 md->md_flags = le32dec(p); p += sizeof(md->md_flags); 256 md->md_ealgo = le16dec(p); p += sizeof(md->md_ealgo); 257 md->md_keylen = le16dec(p); p += sizeof(md->md_keylen); 258 md->md_aalgo = le16dec(p); p += sizeof(md->md_aalgo); 259 md->md_provsize = le64dec(p); p += sizeof(md->md_provsize); 260 md->md_sectorsize = le32dec(p); p += sizeof(md->md_sectorsize); 261 md->md_keys = *p; p += sizeof(md->md_keys); 262 md->md_iterations = le32dec(p); p += sizeof(md->md_iterations); 263 bcopy(p, md->md_salt, sizeof(md->md_salt)); p += sizeof(md->md_salt); 264 bcopy(p, md->md_mkeys, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys); 265 MD5Init(&ctx); 266 MD5Update(&ctx, data, p - data); 267 MD5Final(md->md_hash, &ctx); 268 if (bcmp(md->md_hash, p, 16) != 0) 269 return (EINVAL); 270 return (0); 271 } 272 static __inline int 273 eli_metadata_decode(const u_char *data, struct g_eli_metadata *md) 274 { 275 int error; 276 277 bcopy(data, md->md_magic, sizeof(md->md_magic)); 278 md->md_version = le32dec(data + sizeof(md->md_magic)); 279 switch (md->md_version) { 280 case 0: 281 error = eli_metadata_decode_v0(data, md); 282 break; 283 case 1: 284 case 2: 285 case 3: 286 case 4: 287 case 5: 288 error = eli_metadata_decode_v1v2v3v4v5(data, md); 289 break; 290 default: 291 error = EINVAL; 292 break; 293 } 294 return (error); 295 } 296 #endif /* !_OpenSSL */ 297 298 static __inline u_int 299 g_eli_str2ealgo(const char *name) 300 { 301 302 if (strcasecmp("null", name) == 0) 303 return (CRYPTO_NULL_CBC); 304 else if (strcasecmp("null-cbc", name) == 0) 305 return (CRYPTO_NULL_CBC); 306 else if (strcasecmp("aes", name) == 0) 307 return (CRYPTO_AES_XTS); 308 else if (strcasecmp("aes-cbc", name) == 0) 309 return (CRYPTO_AES_CBC); 310 else if (strcasecmp("aes-xts", name) == 0) 311 return (CRYPTO_AES_XTS); 312 else if (strcasecmp("blowfish", name) == 0) 313 return (CRYPTO_BLF_CBC); 314 else if (strcasecmp("blowfish-cbc", name) == 0) 315 return (CRYPTO_BLF_CBC); 316 else if (strcasecmp("camellia", name) == 0) 317 return (CRYPTO_CAMELLIA_CBC); 318 else if (strcasecmp("camellia-cbc", name) == 0) 319 return (CRYPTO_CAMELLIA_CBC); 320 else if (strcasecmp("3des", name) == 0) 321 return (CRYPTO_3DES_CBC); 322 else if (strcasecmp("3des-cbc", name) == 0) 323 return (CRYPTO_3DES_CBC); 324 return (CRYPTO_ALGORITHM_MIN - 1); 325 } 326 327 static __inline u_int 328 g_eli_str2aalgo(const char *name) 329 { 330 331 if (strcasecmp("hmac/md5", name) == 0) 332 return (CRYPTO_MD5_HMAC); 333 else if (strcasecmp("hmac/sha1", name) == 0) 334 return (CRYPTO_SHA1_HMAC); 335 else if (strcasecmp("hmac/ripemd160", name) == 0) 336 return (CRYPTO_RIPEMD160_HMAC); 337 else if (strcasecmp("hmac/sha256", name) == 0) 338 return (CRYPTO_SHA2_256_HMAC); 339 else if (strcasecmp("hmac/sha384", name) == 0) 340 return (CRYPTO_SHA2_384_HMAC); 341 else if (strcasecmp("hmac/sha512", name) == 0) 342 return (CRYPTO_SHA2_512_HMAC); 343 return (CRYPTO_ALGORITHM_MIN - 1); 344 } 345 346 static __inline const char * 347 g_eli_algo2str(u_int algo) 348 { 349 350 switch (algo) { 351 case CRYPTO_NULL_CBC: 352 return ("NULL"); 353 case CRYPTO_AES_CBC: 354 return ("AES-CBC"); 355 case CRYPTO_AES_XTS: 356 return ("AES-XTS"); 357 case CRYPTO_BLF_CBC: 358 return ("Blowfish-CBC"); 359 case CRYPTO_CAMELLIA_CBC: 360 return ("CAMELLIA-CBC"); 361 case CRYPTO_3DES_CBC: 362 return ("3DES-CBC"); 363 case CRYPTO_MD5_HMAC: 364 return ("HMAC/MD5"); 365 case CRYPTO_SHA1_HMAC: 366 return ("HMAC/SHA1"); 367 case CRYPTO_RIPEMD160_HMAC: 368 return ("HMAC/RIPEMD160"); 369 case CRYPTO_SHA2_256_HMAC: 370 return ("HMAC/SHA256"); 371 case CRYPTO_SHA2_384_HMAC: 372 return ("HMAC/SHA384"); 373 case CRYPTO_SHA2_512_HMAC: 374 return ("HMAC/SHA512"); 375 } 376 return ("unknown"); 377 } 378 379 static __inline void 380 eli_metadata_dump(const struct g_eli_metadata *md) 381 { 382 static const char hex[] = "0123456789abcdef"; 383 char str[sizeof(md->md_mkeys) * 2 + 1]; 384 u_int i; 385 386 printf(" magic: %s\n", md->md_magic); 387 printf(" version: %u\n", (u_int)md->md_version); 388 printf(" flags: 0x%x\n", (u_int)md->md_flags); 389 printf(" ealgo: %s\n", g_eli_algo2str(md->md_ealgo)); 390 printf(" keylen: %u\n", (u_int)md->md_keylen); 391 if (md->md_flags & G_ELI_FLAG_AUTH) 392 printf(" aalgo: %s\n", g_eli_algo2str(md->md_aalgo)); 393 printf(" provsize: %ju\n", (uintmax_t)md->md_provsize); 394 printf("sectorsize: %u\n", (u_int)md->md_sectorsize); 395 printf(" keys: 0x%02x\n", (u_int)md->md_keys); 396 printf("iterations: %u\n", (u_int)md->md_iterations); 397 bzero(str, sizeof(str)); 398 for (i = 0; i < sizeof(md->md_salt); i++) { 399 str[i * 2] = hex[md->md_salt[i] >> 4]; 400 str[i * 2 + 1] = hex[md->md_salt[i] & 0x0f]; 401 } 402 printf(" Salt: %s\n", str); 403 bzero(str, sizeof(str)); 404 for (i = 0; i < sizeof(md->md_mkeys); i++) { 405 str[i * 2] = hex[md->md_mkeys[i] >> 4]; 406 str[i * 2 + 1] = hex[md->md_mkeys[i] & 0x0f]; 407 } 408 printf("Master Key: %s\n", str); 409 bzero(str, sizeof(str)); 410 for (i = 0; i < 16; i++) { 411 str[i * 2] = hex[md->md_hash[i] >> 4]; 412 str[i * 2 + 1] = hex[md->md_hash[i] & 0x0f]; 413 } 414 printf(" MD5 hash: %s\n", str); 415 } 416 417 static __inline u_int 418 g_eli_keylen(u_int algo, u_int keylen) 419 { 420 421 switch (algo) { 422 case CRYPTO_NULL_CBC: 423 if (keylen == 0) 424 keylen = 64 * 8; 425 else { 426 if (keylen > 64 * 8) 427 keylen = 0; 428 } 429 return (keylen); 430 case CRYPTO_AES_CBC: 431 case CRYPTO_CAMELLIA_CBC: 432 switch (keylen) { 433 case 0: 434 return (128); 435 case 128: 436 case 192: 437 case 256: 438 return (keylen); 439 default: 440 return (0); 441 } 442 case CRYPTO_AES_XTS: 443 switch (keylen) { 444 case 0: 445 return (128); 446 case 128: 447 case 256: 448 return (keylen); 449 default: 450 return (0); 451 } 452 case CRYPTO_BLF_CBC: 453 if (keylen == 0) 454 return (128); 455 if (keylen < 128 || keylen > 448) 456 return (0); 457 if ((keylen % 32) != 0) 458 return (0); 459 return (keylen); 460 case CRYPTO_3DES_CBC: 461 if (keylen == 0 || keylen == 192) 462 return (192); 463 return (0); 464 default: 465 return (0); 466 } 467 } 468 469 static __inline u_int 470 g_eli_hashlen(u_int algo) 471 { 472 473 switch (algo) { 474 case CRYPTO_MD5_HMAC: 475 return (16); 476 case CRYPTO_SHA1_HMAC: 477 return (20); 478 case CRYPTO_RIPEMD160_HMAC: 479 return (20); 480 case CRYPTO_SHA2_256_HMAC: 481 return (32); 482 case CRYPTO_SHA2_384_HMAC: 483 return (48); 484 case CRYPTO_SHA2_512_HMAC: 485 return (64); 486 } 487 return (0); 488 } 489 490 #ifdef _KERNEL 491 int g_eli_read_metadata(struct g_class *mp, struct g_provider *pp, 492 struct g_eli_metadata *md); 493 struct g_geom *g_eli_create(struct gctl_req *req, struct g_class *mp, 494 struct g_provider *bpp, const struct g_eli_metadata *md, 495 const u_char *mkey, int nkey); 496 int g_eli_destroy(struct g_eli_softc *sc, boolean_t force); 497 498 int g_eli_access(struct g_provider *pp, int dr, int dw, int de); 499 void g_eli_config(struct gctl_req *req, struct g_class *mp, const char *verb); 500 501 void g_eli_read_done(struct bio *bp); 502 void g_eli_write_done(struct bio *bp); 503 int g_eli_crypto_rerun(struct cryptop *crp); 504 uint8_t *g_eli_crypto_key(struct g_eli_softc *sc, off_t offset, 505 size_t blocksize); 506 void g_eli_crypto_ivgen(struct g_eli_softc *sc, off_t offset, u_char *iv, 507 size_t size); 508 509 void g_eli_crypto_read(struct g_eli_softc *sc, struct bio *bp, boolean_t fromworker); 510 void g_eli_crypto_run(struct g_eli_worker *wr, struct bio *bp); 511 512 void g_eli_auth_read(struct g_eli_softc *sc, struct bio *bp); 513 void g_eli_auth_run(struct g_eli_worker *wr, struct bio *bp); 514 #endif 515 516 void g_eli_mkey_hmac(unsigned char *mkey, const unsigned char *key); 517 int g_eli_mkey_decrypt(const struct g_eli_metadata *md, 518 const unsigned char *key, unsigned char *mkey, unsigned *nkeyp); 519 int g_eli_mkey_encrypt(unsigned algo, const unsigned char *key, unsigned keylen, 520 unsigned char *mkey); 521 #ifdef _KERNEL 522 void g_eli_mkey_propagate(struct g_eli_softc *sc, const unsigned char *mkey); 523 #endif 524 525 int g_eli_crypto_encrypt(u_int algo, u_char *data, size_t datasize, 526 const u_char *key, size_t keysize); 527 int g_eli_crypto_decrypt(u_int algo, u_char *data, size_t datasize, 528 const u_char *key, size_t keysize); 529 530 struct hmac_ctx { 531 SHA512_CTX shactx; 532 u_char k_opad[128]; 533 }; 534 535 void g_eli_crypto_hmac_init(struct hmac_ctx *ctx, const uint8_t *hkey, 536 size_t hkeylen); 537 void g_eli_crypto_hmac_update(struct hmac_ctx *ctx, const uint8_t *data, 538 size_t datasize); 539 void g_eli_crypto_hmac_final(struct hmac_ctx *ctx, uint8_t *md, size_t mdsize); 540 void g_eli_crypto_hmac(const uint8_t *hkey, size_t hkeysize, 541 const uint8_t *data, size_t datasize, uint8_t *md, size_t mdsize); 542 #endif /* !_G_ELI_H_ */ 543