1 /*- 2 * Copyright (c) 2005-2006 Pawel Jakub Dawidek <pjd@FreeBSD.org> 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24 * SUCH DAMAGE. 25 * 26 * $FreeBSD$ 27 */ 28 29 #ifndef _G_ELI_H_ 30 #define _G_ELI_H_ 31 32 #include <sys/endian.h> 33 #include <sys/errno.h> 34 #include <sys/malloc.h> 35 #include <crypto/sha2/sha2.h> 36 #include <opencrypto/cryptodev.h> 37 #ifdef _KERNEL 38 #include <sys/bio.h> 39 #include <sys/libkern.h> 40 #include <geom/geom.h> 41 #else 42 #include <stdio.h> 43 #include <string.h> 44 #include <strings.h> 45 #endif 46 #ifndef _OpenSSL_ 47 #include <sys/md5.h> 48 #endif 49 50 #define G_ELI_CLASS_NAME "ELI" 51 #define G_ELI_MAGIC "GEOM::ELI" 52 #define G_ELI_SUFFIX ".eli" 53 54 /* 55 * Version history: 56 * 0 - Initial version number. 57 * 1 - Added data authentication support (md_aalgo field and 58 * G_ELI_FLAG_AUTH flag). 59 * 2 - Added G_ELI_FLAG_READONLY. 60 * - IV is generated from offset converted to little-endian 61 * (flag G_ELI_FLAG_NATIVE_BYTE_ORDER will be set for older versions). 62 * 3 - Added 'configure' subcommand. 63 */ 64 #define G_ELI_VERSION 3 65 66 /* ON DISK FLAGS. */ 67 /* Use random, onetime keys. */ 68 #define G_ELI_FLAG_ONETIME 0x00000001 69 /* Ask for the passphrase from the kernel, before mounting root. */ 70 #define G_ELI_FLAG_BOOT 0x00000002 71 /* Detach on last close, if we were open for writing. */ 72 #define G_ELI_FLAG_WO_DETACH 0x00000004 73 /* Detach on last close. */ 74 #define G_ELI_FLAG_RW_DETACH 0x00000008 75 /* Provide data authentication. */ 76 #define G_ELI_FLAG_AUTH 0x00000010 77 /* Provider is read-only, we should deny all write attempts. */ 78 #define G_ELI_FLAG_RO 0x00000020 79 /* RUNTIME FLAGS. */ 80 /* Provider was open for writing. */ 81 #define G_ELI_FLAG_WOPEN 0x00010000 82 /* Destroy device. */ 83 #define G_ELI_FLAG_DESTROY 0x00020000 84 /* Provider uses native byte-order for IV generation. */ 85 #define G_ELI_FLAG_NATIVE_BYTE_ORDER 0x00040000 86 87 #define SHA512_MDLEN 64 88 #define G_ELI_AUTH_SECKEYLEN SHA256_DIGEST_LENGTH 89 90 #define G_ELI_MAXMKEYS 2 91 #define G_ELI_MAXKEYLEN 64 92 #define G_ELI_USERKEYLEN G_ELI_MAXKEYLEN 93 #define G_ELI_DATAKEYLEN G_ELI_MAXKEYLEN 94 #define G_ELI_AUTHKEYLEN G_ELI_MAXKEYLEN 95 #define G_ELI_IVKEYLEN G_ELI_MAXKEYLEN 96 #define G_ELI_SALTLEN 64 97 #define G_ELI_DATAIVKEYLEN (G_ELI_DATAKEYLEN + G_ELI_IVKEYLEN) 98 /* Data-Key, IV-Key, HMAC_SHA512(Derived-Key, Data-Key+IV-Key) */ 99 #define G_ELI_MKEYLEN (G_ELI_DATAIVKEYLEN + SHA512_MDLEN) 100 101 #ifdef _KERNEL 102 extern u_int g_eli_debug; 103 extern u_int g_eli_overwrites; 104 extern u_int g_eli_batch; 105 106 #define G_ELI_CRYPTO_HW 1 107 #define G_ELI_CRYPTO_SW 2 108 109 #define G_ELI_DEBUG(lvl, ...) do { \ 110 if (g_eli_debug >= (lvl)) { \ 111 printf("GEOM_ELI"); \ 112 if (g_eli_debug > 0) \ 113 printf("[%u]", lvl); \ 114 printf(": "); \ 115 printf(__VA_ARGS__); \ 116 printf("\n"); \ 117 } \ 118 } while (0) 119 #define G_ELI_LOGREQ(lvl, bp, ...) do { \ 120 if (g_eli_debug >= (lvl)) { \ 121 printf("GEOM_ELI"); \ 122 if (g_eli_debug > 0) \ 123 printf("[%u]", lvl); \ 124 printf(": "); \ 125 printf(__VA_ARGS__); \ 126 printf(" "); \ 127 g_print_bio(bp); \ 128 printf("\n"); \ 129 } \ 130 } while (0) 131 132 struct g_eli_worker { 133 struct g_eli_softc *w_softc; 134 struct proc *w_proc; 135 u_int w_number; 136 uint64_t w_sid; 137 LIST_ENTRY(g_eli_worker) w_next; 138 }; 139 140 struct g_eli_softc { 141 struct g_geom *sc_geom; 142 u_int sc_crypto; 143 uint8_t sc_mkey[G_ELI_DATAIVKEYLEN]; 144 uint8_t sc_ekey[G_ELI_DATAKEYLEN]; 145 u_int sc_ealgo; 146 u_int sc_ekeylen; 147 uint8_t sc_akey[G_ELI_AUTHKEYLEN]; 148 u_int sc_aalgo; 149 u_int sc_akeylen; 150 u_int sc_alen; 151 SHA256_CTX sc_akeyctx; 152 uint8_t sc_ivkey[G_ELI_IVKEYLEN]; 153 SHA256_CTX sc_ivctx; 154 int sc_nkey; 155 uint32_t sc_flags; 156 u_int sc_bytes_per_sector; 157 u_int sc_data_per_sector; 158 159 /* Only for software cryptography. */ 160 struct bio_queue_head sc_queue; 161 struct mtx sc_queue_mtx; 162 LIST_HEAD(, g_eli_worker) sc_workers; 163 }; 164 #define sc_name sc_geom->name 165 #endif /* _KERNEL */ 166 167 struct g_eli_metadata { 168 char md_magic[16]; /* Magic value. */ 169 uint32_t md_version; /* Version number. */ 170 uint32_t md_flags; /* Additional flags. */ 171 uint16_t md_ealgo; /* Encryption algorithm. */ 172 uint16_t md_keylen; /* Key length. */ 173 uint16_t md_aalgo; /* Authentication algorithm. */ 174 uint64_t md_provsize; /* Provider's size. */ 175 uint32_t md_sectorsize; /* Sector size. */ 176 uint8_t md_keys; /* Available keys. */ 177 int32_t md_iterations; /* Number of iterations for PKCS#5v2. */ 178 uint8_t md_salt[G_ELI_SALTLEN]; /* Salt. */ 179 /* Encrypted master key (IV-key, Data-key, HMAC). */ 180 uint8_t md_mkeys[G_ELI_MAXMKEYS * G_ELI_MKEYLEN]; 181 u_char md_hash[16]; /* MD5 hash. */ 182 } __packed; 183 #ifndef _OpenSSL_ 184 static __inline void 185 eli_metadata_encode(struct g_eli_metadata *md, u_char *data) 186 { 187 MD5_CTX ctx; 188 u_char *p; 189 190 p = data; 191 bcopy(md->md_magic, p, sizeof(md->md_magic)); p += sizeof(md->md_magic); 192 le32enc(p, md->md_version); p += sizeof(md->md_version); 193 le32enc(p, md->md_flags); p += sizeof(md->md_flags); 194 le16enc(p, md->md_ealgo); p += sizeof(md->md_ealgo); 195 le16enc(p, md->md_keylen); p += sizeof(md->md_keylen); 196 le16enc(p, md->md_aalgo); p += sizeof(md->md_aalgo); 197 le64enc(p, md->md_provsize); p += sizeof(md->md_provsize); 198 le32enc(p, md->md_sectorsize); p += sizeof(md->md_sectorsize); 199 *p = md->md_keys; p += sizeof(md->md_keys); 200 le32enc(p, md->md_iterations); p += sizeof(md->md_iterations); 201 bcopy(md->md_salt, p, sizeof(md->md_salt)); p += sizeof(md->md_salt); 202 bcopy(md->md_mkeys, p, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys); 203 MD5Init(&ctx); 204 MD5Update(&ctx, data, p - data); 205 MD5Final(md->md_hash, &ctx); 206 bcopy(md->md_hash, p, sizeof(md->md_hash)); 207 } 208 static __inline int 209 eli_metadata_decode_v0(const u_char *data, struct g_eli_metadata *md) 210 { 211 MD5_CTX ctx; 212 const u_char *p; 213 214 p = data + sizeof(md->md_magic) + sizeof(md->md_version); 215 md->md_flags = le32dec(p); p += sizeof(md->md_flags); 216 md->md_ealgo = le16dec(p); p += sizeof(md->md_ealgo); 217 md->md_keylen = le16dec(p); p += sizeof(md->md_keylen); 218 md->md_provsize = le64dec(p); p += sizeof(md->md_provsize); 219 md->md_sectorsize = le32dec(p); p += sizeof(md->md_sectorsize); 220 md->md_keys = *p; p += sizeof(md->md_keys); 221 md->md_iterations = le32dec(p); p += sizeof(md->md_iterations); 222 bcopy(p, md->md_salt, sizeof(md->md_salt)); p += sizeof(md->md_salt); 223 bcopy(p, md->md_mkeys, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys); 224 MD5Init(&ctx); 225 MD5Update(&ctx, data, p - data); 226 MD5Final(md->md_hash, &ctx); 227 if (bcmp(md->md_hash, p, 16) != 0) 228 return (EINVAL); 229 return (0); 230 } 231 static __inline int 232 eli_metadata_decode_v1v2v3(const u_char *data, struct g_eli_metadata *md) 233 { 234 MD5_CTX ctx; 235 const u_char *p; 236 237 p = data + sizeof(md->md_magic) + sizeof(md->md_version); 238 md->md_flags = le32dec(p); p += sizeof(md->md_flags); 239 md->md_ealgo = le16dec(p); p += sizeof(md->md_ealgo); 240 md->md_keylen = le16dec(p); p += sizeof(md->md_keylen); 241 md->md_aalgo = le16dec(p); p += sizeof(md->md_aalgo); 242 md->md_provsize = le64dec(p); p += sizeof(md->md_provsize); 243 md->md_sectorsize = le32dec(p); p += sizeof(md->md_sectorsize); 244 md->md_keys = *p; p += sizeof(md->md_keys); 245 md->md_iterations = le32dec(p); p += sizeof(md->md_iterations); 246 bcopy(p, md->md_salt, sizeof(md->md_salt)); p += sizeof(md->md_salt); 247 bcopy(p, md->md_mkeys, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys); 248 MD5Init(&ctx); 249 MD5Update(&ctx, data, p - data); 250 MD5Final(md->md_hash, &ctx); 251 if (bcmp(md->md_hash, p, 16) != 0) 252 return (EINVAL); 253 return (0); 254 } 255 static __inline int 256 eli_metadata_decode(const u_char *data, struct g_eli_metadata *md) 257 { 258 int error; 259 260 bcopy(data, md->md_magic, sizeof(md->md_magic)); 261 md->md_version = le32dec(data + sizeof(md->md_magic)); 262 switch (md->md_version) { 263 case 0: 264 error = eli_metadata_decode_v0(data, md); 265 break; 266 case 1: 267 case 2: 268 case 3: 269 error = eli_metadata_decode_v1v2v3(data, md); 270 break; 271 default: 272 error = EINVAL; 273 break; 274 } 275 return (error); 276 } 277 #endif /* !_OpenSSL */ 278 279 static __inline u_int 280 g_eli_str2ealgo(const char *name) 281 { 282 283 if (strcasecmp("null", name) == 0) 284 return (CRYPTO_NULL_CBC); 285 else if (strcasecmp("aes", name) == 0) 286 return (CRYPTO_AES_CBC); 287 else if (strcasecmp("blowfish", name) == 0) 288 return (CRYPTO_BLF_CBC); 289 else if (strcasecmp("camellia", name) == 0) 290 return (CRYPTO_CAMELLIA_CBC); 291 else if (strcasecmp("3des", name) == 0) 292 return (CRYPTO_3DES_CBC); 293 return (CRYPTO_ALGORITHM_MIN - 1); 294 } 295 296 static __inline u_int 297 g_eli_str2aalgo(const char *name) 298 { 299 300 if (strcasecmp("hmac/md5", name) == 0) 301 return (CRYPTO_MD5_HMAC); 302 else if (strcasecmp("hmac/sha1", name) == 0) 303 return (CRYPTO_SHA1_HMAC); 304 else if (strcasecmp("hmac/ripemd160", name) == 0) 305 return (CRYPTO_RIPEMD160_HMAC); 306 else if (strcasecmp("hmac/sha256", name) == 0) 307 return (CRYPTO_SHA2_256_HMAC); 308 else if (strcasecmp("hmac/sha384", name) == 0) 309 return (CRYPTO_SHA2_384_HMAC); 310 else if (strcasecmp("hmac/sha512", name) == 0) 311 return (CRYPTO_SHA2_512_HMAC); 312 return (CRYPTO_ALGORITHM_MIN - 1); 313 } 314 315 static __inline const char * 316 g_eli_algo2str(u_int algo) 317 { 318 319 switch (algo) { 320 case CRYPTO_NULL_CBC: 321 return ("NULL"); 322 case CRYPTO_AES_CBC: 323 return ("AES-CBC"); 324 case CRYPTO_BLF_CBC: 325 return ("Blowfish-CBC"); 326 case CRYPTO_CAMELLIA_CBC: 327 return ("CAMELLIA-CBC"); 328 case CRYPTO_3DES_CBC: 329 return ("3DES-CBC"); 330 case CRYPTO_MD5_HMAC: 331 return ("HMAC/MD5"); 332 case CRYPTO_SHA1_HMAC: 333 return ("HMAC/SHA1"); 334 case CRYPTO_RIPEMD160_HMAC: 335 return ("HMAC/RIPEMD160"); 336 case CRYPTO_SHA2_256_HMAC: 337 return ("HMAC/SHA256"); 338 case CRYPTO_SHA2_384_HMAC: 339 return ("HMAC/SHA384"); 340 case CRYPTO_SHA2_512_HMAC: 341 return ("HMAC/SHA512"); 342 } 343 return ("unknown"); 344 } 345 346 static __inline void 347 eli_metadata_dump(const struct g_eli_metadata *md) 348 { 349 static const char hex[] = "0123456789abcdef"; 350 char str[sizeof(md->md_mkeys) * 2 + 1]; 351 u_int i; 352 353 printf(" magic: %s\n", md->md_magic); 354 printf(" version: %u\n", (u_int)md->md_version); 355 printf(" flags: 0x%x\n", (u_int)md->md_flags); 356 printf(" ealgo: %s\n", g_eli_algo2str(md->md_ealgo)); 357 printf(" keylen: %u\n", (u_int)md->md_keylen); 358 if (md->md_flags & G_ELI_FLAG_AUTH) 359 printf(" aalgo: %s\n", g_eli_algo2str(md->md_aalgo)); 360 printf(" provsize: %ju\n", (uintmax_t)md->md_provsize); 361 printf("sectorsize: %u\n", (u_int)md->md_sectorsize); 362 printf(" keys: 0x%02x\n", (u_int)md->md_keys); 363 printf("iterations: %u\n", (u_int)md->md_iterations); 364 bzero(str, sizeof(str)); 365 for (i = 0; i < sizeof(md->md_salt); i++) { 366 str[i * 2] = hex[md->md_salt[i] >> 4]; 367 str[i * 2 + 1] = hex[md->md_salt[i] & 0x0f]; 368 } 369 printf(" Salt: %s\n", str); 370 bzero(str, sizeof(str)); 371 for (i = 0; i < sizeof(md->md_mkeys); i++) { 372 str[i * 2] = hex[md->md_mkeys[i] >> 4]; 373 str[i * 2 + 1] = hex[md->md_mkeys[i] & 0x0f]; 374 } 375 printf("Master Key: %s\n", str); 376 bzero(str, sizeof(str)); 377 for (i = 0; i < 16; i++) { 378 str[i * 2] = hex[md->md_hash[i] >> 4]; 379 str[i * 2 + 1] = hex[md->md_hash[i] & 0x0f]; 380 } 381 printf(" MD5 hash: %s\n", str); 382 } 383 384 static __inline u_int 385 g_eli_keylen(u_int algo, u_int keylen) 386 { 387 388 switch (algo) { 389 case CRYPTO_NULL_CBC: 390 if (keylen == 0) 391 keylen = 64 * 8; 392 else { 393 if (keylen > 64 * 8) 394 keylen = 0; 395 } 396 return (keylen); 397 case CRYPTO_AES_CBC: /* FALLTHROUGH */ 398 case CRYPTO_CAMELLIA_CBC: 399 switch (keylen) { 400 case 0: 401 return (128); 402 case 128: 403 case 192: 404 case 256: 405 return (keylen); 406 default: 407 return (0); 408 } 409 case CRYPTO_BLF_CBC: 410 if (keylen == 0) 411 return (128); 412 if (keylen < 128 || keylen > 448) 413 return (0); 414 if ((keylen % 32) != 0) 415 return (0); 416 return (keylen); 417 case CRYPTO_3DES_CBC: 418 if (keylen == 0 || keylen == 192) 419 return (192); 420 return (0); 421 default: 422 return (0); 423 } 424 } 425 426 static __inline u_int 427 g_eli_hashlen(u_int algo) 428 { 429 430 switch (algo) { 431 case CRYPTO_MD5_HMAC: 432 return (16); 433 case CRYPTO_SHA1_HMAC: 434 return (20); 435 case CRYPTO_RIPEMD160_HMAC: 436 return (20); 437 case CRYPTO_SHA2_256_HMAC: 438 return (32); 439 case CRYPTO_SHA2_384_HMAC: 440 return (48); 441 case CRYPTO_SHA2_512_HMAC: 442 return (64); 443 } 444 return (0); 445 } 446 447 #ifdef _KERNEL 448 int g_eli_read_metadata(struct g_class *mp, struct g_provider *pp, 449 struct g_eli_metadata *md); 450 struct g_geom *g_eli_create(struct gctl_req *req, struct g_class *mp, 451 struct g_provider *bpp, const struct g_eli_metadata *md, 452 const u_char *mkey, int nkey); 453 int g_eli_destroy(struct g_eli_softc *sc, boolean_t force); 454 455 int g_eli_access(struct g_provider *pp, int dr, int dw, int de); 456 void g_eli_config(struct gctl_req *req, struct g_class *mp, const char *verb); 457 458 void g_eli_read_done(struct bio *bp); 459 void g_eli_write_done(struct bio *bp); 460 int g_eli_crypto_rerun(struct cryptop *crp); 461 void g_eli_crypto_ivgen(struct g_eli_softc *sc, off_t offset, u_char *iv, 462 size_t size); 463 464 void g_eli_crypto_run(struct g_eli_worker *wr, struct bio *bp); 465 466 void g_eli_auth_read(struct g_eli_softc *sc, struct bio *bp); 467 void g_eli_auth_run(struct g_eli_worker *wr, struct bio *bp); 468 #endif 469 470 void g_eli_mkey_hmac(unsigned char *mkey, const unsigned char *key); 471 int g_eli_mkey_decrypt(const struct g_eli_metadata *md, 472 const unsigned char *key, unsigned char *mkey, unsigned *nkeyp); 473 int g_eli_mkey_encrypt(unsigned algo, const unsigned char *key, unsigned keylen, 474 unsigned char *mkey); 475 #ifdef _KERNEL 476 void g_eli_mkey_propagate(struct g_eli_softc *sc, const unsigned char *mkey); 477 #endif 478 479 int g_eli_crypto_encrypt(u_int algo, u_char *data, size_t datasize, 480 const u_char *key, size_t keysize); 481 int g_eli_crypto_decrypt(u_int algo, u_char *data, size_t datasize, 482 const u_char *key, size_t keysize); 483 484 struct hmac_ctx { 485 SHA512_CTX shactx; 486 u_char k_opad[128]; 487 }; 488 489 void g_eli_crypto_hmac_init(struct hmac_ctx *ctx, const uint8_t *hkey, 490 size_t hkeylen); 491 void g_eli_crypto_hmac_update(struct hmac_ctx *ctx, const uint8_t *data, 492 size_t datasize); 493 void g_eli_crypto_hmac_final(struct hmac_ctx *ctx, uint8_t *md, size_t mdsize); 494 void g_eli_crypto_hmac(const uint8_t *hkey, size_t hkeysize, 495 const uint8_t *data, size_t datasize, uint8_t *md, size_t mdsize); 496 #endif /* !_G_ELI_H_ */ 497