1 /*- 2 * Copyright (c) 2005-2011 Pawel Jakub Dawidek <pawel@dawidek.net> 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24 * SUCH DAMAGE. 25 * 26 * $FreeBSD$ 27 */ 28 29 #ifndef _G_ELI_H_ 30 #define _G_ELI_H_ 31 32 #include <sys/endian.h> 33 #include <sys/errno.h> 34 #include <sys/malloc.h> 35 #include <crypto/sha2/sha256.h> 36 #include <crypto/sha2/sha512.h> 37 #include <opencrypto/cryptodev.h> 38 #ifdef _KERNEL 39 #include <sys/bio.h> 40 #include <sys/libkern.h> 41 #include <sys/lock.h> 42 #include <sys/mutex.h> 43 #include <geom/geom.h> 44 #include <crypto/intake.h> 45 #else 46 #include <assert.h> 47 #include <stdio.h> 48 #include <string.h> 49 #include <strings.h> 50 #endif 51 #include <sys/queue.h> 52 #include <sys/tree.h> 53 #ifndef _OpenSSL_ 54 #include <sys/md5.h> 55 #endif 56 57 #define G_ELI_CLASS_NAME "ELI" 58 #define G_ELI_MAGIC "GEOM::ELI" 59 #define G_ELI_SUFFIX ".eli" 60 61 /* 62 * Version history: 63 * 0 - Initial version number. 64 * 1 - Added data authentication support (md_aalgo field and 65 * G_ELI_FLAG_AUTH flag). 66 * 2 - Added G_ELI_FLAG_READONLY. 67 * 3 - Added 'configure' subcommand. 68 * 4 - IV is generated from offset converted to little-endian 69 * (the G_ELI_FLAG_NATIVE_BYTE_ORDER flag will be set for older versions). 70 * 5 - Added multiple encrypton keys and AES-XTS support. 71 * 6 - Fixed usage of multiple keys for authenticated providers (the 72 * G_ELI_FLAG_FIRST_KEY flag will be set for older versions). 73 * 7 - Encryption keys are now generated from the Data Key and not from the 74 * IV Key (the G_ELI_FLAG_ENC_IVKEY flag will be set for older versions). 75 */ 76 #define G_ELI_VERSION_00 0 77 #define G_ELI_VERSION_01 1 78 #define G_ELI_VERSION_02 2 79 #define G_ELI_VERSION_03 3 80 #define G_ELI_VERSION_04 4 81 #define G_ELI_VERSION_05 5 82 #define G_ELI_VERSION_06 6 83 #define G_ELI_VERSION_07 7 84 #define G_ELI_VERSION G_ELI_VERSION_07 85 86 /* ON DISK FLAGS. */ 87 /* Use random, onetime keys. */ 88 #define G_ELI_FLAG_ONETIME 0x00000001 89 /* Ask for the passphrase from the kernel, before mounting root. */ 90 #define G_ELI_FLAG_BOOT 0x00000002 91 /* Detach on last close, if we were open for writing. */ 92 #define G_ELI_FLAG_WO_DETACH 0x00000004 93 /* Detach on last close. */ 94 #define G_ELI_FLAG_RW_DETACH 0x00000008 95 /* Provide data authentication. */ 96 #define G_ELI_FLAG_AUTH 0x00000010 97 /* Provider is read-only, we should deny all write attempts. */ 98 #define G_ELI_FLAG_RO 0x00000020 99 /* Don't pass through BIO_DELETE requests. */ 100 #define G_ELI_FLAG_NODELETE 0x00000040 101 /* This GELI supports GELIBoot */ 102 #define G_ELI_FLAG_GELIBOOT 0x00000080 103 /* Hide passphrase length in GELIboot. */ 104 #define G_ELI_FLAG_GELIDISPLAYPASS 0x00000100 105 /* RUNTIME FLAGS. */ 106 /* Provider was open for writing. */ 107 #define G_ELI_FLAG_WOPEN 0x00010000 108 /* Destroy device. */ 109 #define G_ELI_FLAG_DESTROY 0x00020000 110 /* Provider uses native byte-order for IV generation. */ 111 #define G_ELI_FLAG_NATIVE_BYTE_ORDER 0x00040000 112 /* Provider uses single encryption key. */ 113 #define G_ELI_FLAG_SINGLE_KEY 0x00080000 114 /* Device suspended. */ 115 #define G_ELI_FLAG_SUSPEND 0x00100000 116 /* Provider uses first encryption key. */ 117 #define G_ELI_FLAG_FIRST_KEY 0x00200000 118 /* Provider uses IV-Key for encryption key generation. */ 119 #define G_ELI_FLAG_ENC_IVKEY 0x00400000 120 121 #define G_ELI_NEW_BIO 255 122 123 #define SHA512_MDLEN 64 124 #define G_ELI_AUTH_SECKEYLEN SHA256_DIGEST_LENGTH 125 126 #define G_ELI_MAXMKEYS 2 127 #define G_ELI_MAXKEYLEN 64 128 #define G_ELI_USERKEYLEN G_ELI_MAXKEYLEN 129 #define G_ELI_DATAKEYLEN G_ELI_MAXKEYLEN 130 #define G_ELI_AUTHKEYLEN G_ELI_MAXKEYLEN 131 #define G_ELI_IVKEYLEN G_ELI_MAXKEYLEN 132 #define G_ELI_SALTLEN 64 133 #define G_ELI_DATAIVKEYLEN (G_ELI_DATAKEYLEN + G_ELI_IVKEYLEN) 134 /* Data-Key, IV-Key, HMAC_SHA512(Derived-Key, Data-Key+IV-Key) */ 135 #define G_ELI_MKEYLEN (G_ELI_DATAIVKEYLEN + SHA512_MDLEN) 136 #define G_ELI_OVERWRITES 5 137 /* Switch data encryption key every 2^20 blocks. */ 138 #define G_ELI_KEY_SHIFT 20 139 140 #define G_ELI_CRYPTO_UNKNOWN 0 141 #define G_ELI_CRYPTO_HW 1 142 #define G_ELI_CRYPTO_SW 2 143 144 #ifdef _KERNEL 145 #if (MAX_KEY_BYTES < G_ELI_DATAIVKEYLEN) 146 #error "MAX_KEY_BYTES is less than G_ELI_DATAKEYLEN" 147 #endif 148 149 extern int g_eli_debug; 150 extern u_int g_eli_overwrites; 151 extern u_int g_eli_batch; 152 153 #define G_ELI_DEBUG(lvl, ...) do { \ 154 if (g_eli_debug >= (lvl)) { \ 155 printf("GEOM_ELI"); \ 156 if (g_eli_debug > 0) \ 157 printf("[%u]", lvl); \ 158 printf(": "); \ 159 printf(__VA_ARGS__); \ 160 printf("\n"); \ 161 } \ 162 } while (0) 163 #define G_ELI_LOGREQ(lvl, bp, ...) do { \ 164 if (g_eli_debug >= (lvl)) { \ 165 printf("GEOM_ELI"); \ 166 if (g_eli_debug > 0) \ 167 printf("[%u]", lvl); \ 168 printf(": "); \ 169 printf(__VA_ARGS__); \ 170 printf(" "); \ 171 g_print_bio(bp); \ 172 printf("\n"); \ 173 } \ 174 } while (0) 175 176 struct g_eli_worker { 177 struct g_eli_softc *w_softc; 178 struct proc *w_proc; 179 u_int w_number; 180 uint64_t w_sid; 181 boolean_t w_active; 182 LIST_ENTRY(g_eli_worker) w_next; 183 }; 184 185 #endif /* _KERNEL */ 186 187 struct g_eli_softc { 188 struct g_geom *sc_geom; 189 u_int sc_version; 190 u_int sc_crypto; 191 uint8_t sc_mkey[G_ELI_DATAIVKEYLEN]; 192 uint8_t sc_ekey[G_ELI_DATAKEYLEN]; 193 TAILQ_HEAD(, g_eli_key) sc_ekeys_queue; 194 RB_HEAD(g_eli_key_tree, g_eli_key) sc_ekeys_tree; 195 struct mtx sc_ekeys_lock; 196 uint64_t sc_ekeys_total; 197 uint64_t sc_ekeys_allocated; 198 u_int sc_ealgo; 199 u_int sc_ekeylen; 200 uint8_t sc_akey[G_ELI_AUTHKEYLEN]; 201 u_int sc_aalgo; 202 u_int sc_akeylen; 203 u_int sc_alen; 204 SHA256_CTX sc_akeyctx; 205 uint8_t sc_ivkey[G_ELI_IVKEYLEN]; 206 SHA256_CTX sc_ivctx; 207 int sc_nkey; 208 uint32_t sc_flags; 209 int sc_inflight; 210 off_t sc_mediasize; 211 size_t sc_sectorsize; 212 u_int sc_bytes_per_sector; 213 u_int sc_data_per_sector; 214 #ifndef _KERNEL 215 int sc_cpubind; 216 #else /* _KERNEL */ 217 boolean_t sc_cpubind; 218 219 /* Only for software cryptography. */ 220 struct bio_queue_head sc_queue; 221 struct mtx sc_queue_mtx; 222 LIST_HEAD(, g_eli_worker) sc_workers; 223 #endif /* _KERNEL */ 224 }; 225 #define sc_name sc_geom->name 226 227 #define G_ELI_KEY_MAGIC 0xe11341c 228 229 struct g_eli_key { 230 /* Key value, must be first in the structure. */ 231 uint8_t gek_key[G_ELI_DATAKEYLEN]; 232 /* Magic. */ 233 int gek_magic; 234 /* Key number. */ 235 uint64_t gek_keyno; 236 /* Reference counter. */ 237 int gek_count; 238 /* Keeps keys sorted by most recent use. */ 239 TAILQ_ENTRY(g_eli_key) gek_next; 240 /* Keeps keys sorted by number. */ 241 RB_ENTRY(g_eli_key) gek_link; 242 }; 243 244 struct g_eli_metadata { 245 char md_magic[16]; /* Magic value. */ 246 uint32_t md_version; /* Version number. */ 247 uint32_t md_flags; /* Additional flags. */ 248 uint16_t md_ealgo; /* Encryption algorithm. */ 249 uint16_t md_keylen; /* Key length. */ 250 uint16_t md_aalgo; /* Authentication algorithm. */ 251 uint64_t md_provsize; /* Provider's size. */ 252 uint32_t md_sectorsize; /* Sector size. */ 253 uint8_t md_keys; /* Available keys. */ 254 int32_t md_iterations; /* Number of iterations for PKCS#5v2. */ 255 uint8_t md_salt[G_ELI_SALTLEN]; /* Salt. */ 256 /* Encrypted master key (IV-key, Data-key, HMAC). */ 257 uint8_t md_mkeys[G_ELI_MAXMKEYS * G_ELI_MKEYLEN]; 258 u_char md_hash[16]; /* MD5 hash. */ 259 } __packed; 260 #ifndef _OpenSSL_ 261 static __inline void 262 eli_metadata_encode_v0(struct g_eli_metadata *md, u_char **datap) 263 { 264 u_char *p; 265 266 p = *datap; 267 le32enc(p, md->md_flags); p += sizeof(md->md_flags); 268 le16enc(p, md->md_ealgo); p += sizeof(md->md_ealgo); 269 le16enc(p, md->md_keylen); p += sizeof(md->md_keylen); 270 le64enc(p, md->md_provsize); p += sizeof(md->md_provsize); 271 le32enc(p, md->md_sectorsize); p += sizeof(md->md_sectorsize); 272 *p = md->md_keys; p += sizeof(md->md_keys); 273 le32enc(p, md->md_iterations); p += sizeof(md->md_iterations); 274 bcopy(md->md_salt, p, sizeof(md->md_salt)); p += sizeof(md->md_salt); 275 bcopy(md->md_mkeys, p, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys); 276 *datap = p; 277 } 278 static __inline void 279 eli_metadata_encode_v1v2v3v4v5v6v7(struct g_eli_metadata *md, u_char **datap) 280 { 281 u_char *p; 282 283 p = *datap; 284 le32enc(p, md->md_flags); p += sizeof(md->md_flags); 285 le16enc(p, md->md_ealgo); p += sizeof(md->md_ealgo); 286 le16enc(p, md->md_keylen); p += sizeof(md->md_keylen); 287 le16enc(p, md->md_aalgo); p += sizeof(md->md_aalgo); 288 le64enc(p, md->md_provsize); p += sizeof(md->md_provsize); 289 le32enc(p, md->md_sectorsize); p += sizeof(md->md_sectorsize); 290 *p = md->md_keys; p += sizeof(md->md_keys); 291 le32enc(p, md->md_iterations); p += sizeof(md->md_iterations); 292 bcopy(md->md_salt, p, sizeof(md->md_salt)); p += sizeof(md->md_salt); 293 bcopy(md->md_mkeys, p, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys); 294 *datap = p; 295 } 296 static __inline void 297 eli_metadata_encode(struct g_eli_metadata *md, u_char *data) 298 { 299 uint32_t hash[4]; 300 MD5_CTX ctx; 301 u_char *p; 302 303 p = data; 304 bcopy(md->md_magic, p, sizeof(md->md_magic)); 305 p += sizeof(md->md_magic); 306 le32enc(p, md->md_version); 307 p += sizeof(md->md_version); 308 switch (md->md_version) { 309 case G_ELI_VERSION_00: 310 eli_metadata_encode_v0(md, &p); 311 break; 312 case G_ELI_VERSION_01: 313 case G_ELI_VERSION_02: 314 case G_ELI_VERSION_03: 315 case G_ELI_VERSION_04: 316 case G_ELI_VERSION_05: 317 case G_ELI_VERSION_06: 318 case G_ELI_VERSION_07: 319 eli_metadata_encode_v1v2v3v4v5v6v7(md, &p); 320 break; 321 default: 322 #ifdef _KERNEL 323 panic("%s: Unsupported version %u.", __func__, 324 (u_int)md->md_version); 325 #else 326 assert(!"Unsupported metadata version."); 327 #endif 328 } 329 MD5Init(&ctx); 330 MD5Update(&ctx, data, p - data); 331 MD5Final((void *)hash, &ctx); 332 bcopy(hash, md->md_hash, sizeof(md->md_hash)); 333 bcopy(md->md_hash, p, sizeof(md->md_hash)); 334 } 335 static __inline int 336 eli_metadata_decode_v0(const u_char *data, struct g_eli_metadata *md) 337 { 338 uint32_t hash[4]; 339 MD5_CTX ctx; 340 const u_char *p; 341 342 p = data + sizeof(md->md_magic) + sizeof(md->md_version); 343 md->md_flags = le32dec(p); p += sizeof(md->md_flags); 344 md->md_ealgo = le16dec(p); p += sizeof(md->md_ealgo); 345 md->md_keylen = le16dec(p); p += sizeof(md->md_keylen); 346 md->md_provsize = le64dec(p); p += sizeof(md->md_provsize); 347 md->md_sectorsize = le32dec(p); p += sizeof(md->md_sectorsize); 348 md->md_keys = *p; p += sizeof(md->md_keys); 349 md->md_iterations = le32dec(p); p += sizeof(md->md_iterations); 350 bcopy(p, md->md_salt, sizeof(md->md_salt)); p += sizeof(md->md_salt); 351 bcopy(p, md->md_mkeys, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys); 352 MD5Init(&ctx); 353 MD5Update(&ctx, data, p - data); 354 MD5Final((void *)hash, &ctx); 355 bcopy(hash, md->md_hash, sizeof(md->md_hash)); 356 if (bcmp(md->md_hash, p, 16) != 0) 357 return (EINVAL); 358 return (0); 359 } 360 361 static __inline int 362 eli_metadata_decode_v1v2v3v4v5v6v7(const u_char *data, struct g_eli_metadata *md) 363 { 364 uint32_t hash[4]; 365 MD5_CTX ctx; 366 const u_char *p; 367 368 p = data + sizeof(md->md_magic) + sizeof(md->md_version); 369 md->md_flags = le32dec(p); p += sizeof(md->md_flags); 370 md->md_ealgo = le16dec(p); p += sizeof(md->md_ealgo); 371 md->md_keylen = le16dec(p); p += sizeof(md->md_keylen); 372 md->md_aalgo = le16dec(p); p += sizeof(md->md_aalgo); 373 md->md_provsize = le64dec(p); p += sizeof(md->md_provsize); 374 md->md_sectorsize = le32dec(p); p += sizeof(md->md_sectorsize); 375 md->md_keys = *p; p += sizeof(md->md_keys); 376 md->md_iterations = le32dec(p); p += sizeof(md->md_iterations); 377 bcopy(p, md->md_salt, sizeof(md->md_salt)); p += sizeof(md->md_salt); 378 bcopy(p, md->md_mkeys, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys); 379 MD5Init(&ctx); 380 MD5Update(&ctx, data, p - data); 381 MD5Final((void *)hash, &ctx); 382 bcopy(hash, md->md_hash, sizeof(md->md_hash)); 383 if (bcmp(md->md_hash, p, 16) != 0) 384 return (EINVAL); 385 return (0); 386 } 387 static __inline int 388 eli_metadata_decode(const u_char *data, struct g_eli_metadata *md) 389 { 390 int error; 391 392 bcopy(data, md->md_magic, sizeof(md->md_magic)); 393 if (strcmp(md->md_magic, G_ELI_MAGIC) != 0) 394 return (EINVAL); 395 md->md_version = le32dec(data + sizeof(md->md_magic)); 396 switch (md->md_version) { 397 case G_ELI_VERSION_00: 398 error = eli_metadata_decode_v0(data, md); 399 break; 400 case G_ELI_VERSION_01: 401 case G_ELI_VERSION_02: 402 case G_ELI_VERSION_03: 403 case G_ELI_VERSION_04: 404 case G_ELI_VERSION_05: 405 case G_ELI_VERSION_06: 406 case G_ELI_VERSION_07: 407 error = eli_metadata_decode_v1v2v3v4v5v6v7(data, md); 408 break; 409 default: 410 error = EOPNOTSUPP; 411 break; 412 } 413 return (error); 414 } 415 #endif /* !_OpenSSL */ 416 417 static __inline u_int 418 g_eli_str2ealgo(const char *name) 419 { 420 421 if (strcasecmp("null", name) == 0) 422 return (CRYPTO_NULL_CBC); 423 else if (strcasecmp("null-cbc", name) == 0) 424 return (CRYPTO_NULL_CBC); 425 else if (strcasecmp("aes", name) == 0) 426 return (CRYPTO_AES_XTS); 427 else if (strcasecmp("aes-cbc", name) == 0) 428 return (CRYPTO_AES_CBC); 429 else if (strcasecmp("aes-xts", name) == 0) 430 return (CRYPTO_AES_XTS); 431 else if (strcasecmp("blowfish", name) == 0) 432 return (CRYPTO_BLF_CBC); 433 else if (strcasecmp("blowfish-cbc", name) == 0) 434 return (CRYPTO_BLF_CBC); 435 else if (strcasecmp("camellia", name) == 0) 436 return (CRYPTO_CAMELLIA_CBC); 437 else if (strcasecmp("camellia-cbc", name) == 0) 438 return (CRYPTO_CAMELLIA_CBC); 439 else if (strcasecmp("3des", name) == 0) 440 return (CRYPTO_3DES_CBC); 441 else if (strcasecmp("3des-cbc", name) == 0) 442 return (CRYPTO_3DES_CBC); 443 return (CRYPTO_ALGORITHM_MIN - 1); 444 } 445 446 static __inline u_int 447 g_eli_str2aalgo(const char *name) 448 { 449 450 if (strcasecmp("hmac/md5", name) == 0) 451 return (CRYPTO_MD5_HMAC); 452 else if (strcasecmp("hmac/sha1", name) == 0) 453 return (CRYPTO_SHA1_HMAC); 454 else if (strcasecmp("hmac/ripemd160", name) == 0) 455 return (CRYPTO_RIPEMD160_HMAC); 456 else if (strcasecmp("hmac/sha256", name) == 0) 457 return (CRYPTO_SHA2_256_HMAC); 458 else if (strcasecmp("hmac/sha384", name) == 0) 459 return (CRYPTO_SHA2_384_HMAC); 460 else if (strcasecmp("hmac/sha512", name) == 0) 461 return (CRYPTO_SHA2_512_HMAC); 462 return (CRYPTO_ALGORITHM_MIN - 1); 463 } 464 465 static __inline const char * 466 g_eli_algo2str(u_int algo) 467 { 468 469 switch (algo) { 470 case CRYPTO_NULL_CBC: 471 return ("NULL"); 472 case CRYPTO_AES_CBC: 473 return ("AES-CBC"); 474 case CRYPTO_AES_XTS: 475 return ("AES-XTS"); 476 case CRYPTO_BLF_CBC: 477 return ("Blowfish-CBC"); 478 case CRYPTO_CAMELLIA_CBC: 479 return ("CAMELLIA-CBC"); 480 case CRYPTO_3DES_CBC: 481 return ("3DES-CBC"); 482 case CRYPTO_MD5_HMAC: 483 return ("HMAC/MD5"); 484 case CRYPTO_SHA1_HMAC: 485 return ("HMAC/SHA1"); 486 case CRYPTO_RIPEMD160_HMAC: 487 return ("HMAC/RIPEMD160"); 488 case CRYPTO_SHA2_256_HMAC: 489 return ("HMAC/SHA256"); 490 case CRYPTO_SHA2_384_HMAC: 491 return ("HMAC/SHA384"); 492 case CRYPTO_SHA2_512_HMAC: 493 return ("HMAC/SHA512"); 494 } 495 return ("unknown"); 496 } 497 498 static __inline void 499 eli_metadata_dump(const struct g_eli_metadata *md) 500 { 501 static const char hex[] = "0123456789abcdef"; 502 char str[sizeof(md->md_mkeys) * 2 + 1]; 503 u_int i; 504 505 printf(" magic: %s\n", md->md_magic); 506 printf(" version: %u\n", (u_int)md->md_version); 507 printf(" flags: 0x%x\n", (u_int)md->md_flags); 508 printf(" ealgo: %s\n", g_eli_algo2str(md->md_ealgo)); 509 printf(" keylen: %u\n", (u_int)md->md_keylen); 510 if (md->md_flags & G_ELI_FLAG_AUTH) 511 printf(" aalgo: %s\n", g_eli_algo2str(md->md_aalgo)); 512 printf(" provsize: %ju\n", (uintmax_t)md->md_provsize); 513 printf("sectorsize: %u\n", (u_int)md->md_sectorsize); 514 printf(" keys: 0x%02x\n", (u_int)md->md_keys); 515 printf("iterations: %d\n", (int)md->md_iterations); 516 bzero(str, sizeof(str)); 517 for (i = 0; i < sizeof(md->md_salt); i++) { 518 str[i * 2] = hex[md->md_salt[i] >> 4]; 519 str[i * 2 + 1] = hex[md->md_salt[i] & 0x0f]; 520 } 521 printf(" Salt: %s\n", str); 522 bzero(str, sizeof(str)); 523 for (i = 0; i < sizeof(md->md_mkeys); i++) { 524 str[i * 2] = hex[md->md_mkeys[i] >> 4]; 525 str[i * 2 + 1] = hex[md->md_mkeys[i] & 0x0f]; 526 } 527 printf("Master Key: %s\n", str); 528 bzero(str, sizeof(str)); 529 for (i = 0; i < 16; i++) { 530 str[i * 2] = hex[md->md_hash[i] >> 4]; 531 str[i * 2 + 1] = hex[md->md_hash[i] & 0x0f]; 532 } 533 printf(" MD5 hash: %s\n", str); 534 } 535 536 static __inline u_int 537 g_eli_keylen(u_int algo, u_int keylen) 538 { 539 540 switch (algo) { 541 case CRYPTO_NULL_CBC: 542 if (keylen == 0) 543 keylen = 64 * 8; 544 else { 545 if (keylen > 64 * 8) 546 keylen = 0; 547 } 548 return (keylen); 549 case CRYPTO_AES_CBC: 550 case CRYPTO_CAMELLIA_CBC: 551 switch (keylen) { 552 case 0: 553 return (128); 554 case 128: 555 case 192: 556 case 256: 557 return (keylen); 558 default: 559 return (0); 560 } 561 case CRYPTO_AES_XTS: 562 switch (keylen) { 563 case 0: 564 return (128); 565 case 128: 566 case 256: 567 return (keylen); 568 default: 569 return (0); 570 } 571 case CRYPTO_BLF_CBC: 572 if (keylen == 0) 573 return (128); 574 if (keylen < 128 || keylen > 448) 575 return (0); 576 if ((keylen % 32) != 0) 577 return (0); 578 return (keylen); 579 case CRYPTO_3DES_CBC: 580 if (keylen == 0 || keylen == 192) 581 return (192); 582 return (0); 583 default: 584 return (0); 585 } 586 } 587 588 static __inline u_int 589 g_eli_hashlen(u_int algo) 590 { 591 592 switch (algo) { 593 case CRYPTO_MD5_HMAC: 594 return (16); 595 case CRYPTO_SHA1_HMAC: 596 return (20); 597 case CRYPTO_RIPEMD160_HMAC: 598 return (20); 599 case CRYPTO_SHA2_256_HMAC: 600 return (32); 601 case CRYPTO_SHA2_384_HMAC: 602 return (48); 603 case CRYPTO_SHA2_512_HMAC: 604 return (64); 605 } 606 return (0); 607 } 608 609 static __inline void 610 eli_metadata_softc(struct g_eli_softc *sc, const struct g_eli_metadata *md, 611 u_int sectorsize, off_t mediasize) 612 { 613 614 sc->sc_version = md->md_version; 615 sc->sc_inflight = 0; 616 sc->sc_crypto = G_ELI_CRYPTO_UNKNOWN; 617 sc->sc_flags = md->md_flags; 618 /* Backward compatibility. */ 619 if (md->md_version < G_ELI_VERSION_04) 620 sc->sc_flags |= G_ELI_FLAG_NATIVE_BYTE_ORDER; 621 if (md->md_version < G_ELI_VERSION_05) 622 sc->sc_flags |= G_ELI_FLAG_SINGLE_KEY; 623 if (md->md_version < G_ELI_VERSION_06 && 624 (sc->sc_flags & G_ELI_FLAG_AUTH) != 0) { 625 sc->sc_flags |= G_ELI_FLAG_FIRST_KEY; 626 } 627 if (md->md_version < G_ELI_VERSION_07) 628 sc->sc_flags |= G_ELI_FLAG_ENC_IVKEY; 629 sc->sc_ealgo = md->md_ealgo; 630 631 if (sc->sc_flags & G_ELI_FLAG_AUTH) { 632 sc->sc_akeylen = sizeof(sc->sc_akey) * 8; 633 sc->sc_aalgo = md->md_aalgo; 634 sc->sc_alen = g_eli_hashlen(sc->sc_aalgo); 635 636 sc->sc_data_per_sector = sectorsize - sc->sc_alen; 637 /* 638 * Some hash functions (like SHA1 and RIPEMD160) generates hash 639 * which length is not multiple of 128 bits, but we want data 640 * length to be multiple of 128, so we can encrypt without 641 * padding. The line below rounds down data length to multiple 642 * of 128 bits. 643 */ 644 sc->sc_data_per_sector -= sc->sc_data_per_sector % 16; 645 646 sc->sc_bytes_per_sector = 647 (md->md_sectorsize - 1) / sc->sc_data_per_sector + 1; 648 sc->sc_bytes_per_sector *= sectorsize; 649 } 650 sc->sc_sectorsize = md->md_sectorsize; 651 sc->sc_mediasize = mediasize; 652 if (!(sc->sc_flags & G_ELI_FLAG_ONETIME)) 653 sc->sc_mediasize -= sectorsize; 654 if (!(sc->sc_flags & G_ELI_FLAG_AUTH)) 655 sc->sc_mediasize -= (sc->sc_mediasize % sc->sc_sectorsize); 656 else { 657 sc->sc_mediasize /= sc->sc_bytes_per_sector; 658 sc->sc_mediasize *= sc->sc_sectorsize; 659 } 660 sc->sc_ekeylen = md->md_keylen; 661 } 662 663 #ifdef _KERNEL 664 int g_eli_read_metadata(struct g_class *mp, struct g_provider *pp, 665 struct g_eli_metadata *md); 666 struct g_geom *g_eli_create(struct gctl_req *req, struct g_class *mp, 667 struct g_provider *bpp, const struct g_eli_metadata *md, 668 const u_char *mkey, int nkey); 669 int g_eli_destroy(struct g_eli_softc *sc, boolean_t force); 670 671 int g_eli_access(struct g_provider *pp, int dr, int dw, int de); 672 void g_eli_config(struct gctl_req *req, struct g_class *mp, const char *verb); 673 674 void g_eli_read_done(struct bio *bp); 675 void g_eli_write_done(struct bio *bp); 676 int g_eli_crypto_rerun(struct cryptop *crp); 677 678 void g_eli_crypto_read(struct g_eli_softc *sc, struct bio *bp, boolean_t fromworker); 679 void g_eli_crypto_run(struct g_eli_worker *wr, struct bio *bp); 680 681 void g_eli_auth_read(struct g_eli_softc *sc, struct bio *bp); 682 void g_eli_auth_run(struct g_eli_worker *wr, struct bio *bp); 683 #endif 684 void g_eli_crypto_ivgen(struct g_eli_softc *sc, off_t offset, u_char *iv, 685 size_t size); 686 687 void g_eli_mkey_hmac(unsigned char *mkey, const unsigned char *key); 688 int g_eli_mkey_decrypt(const struct g_eli_metadata *md, 689 const unsigned char *key, unsigned char *mkey, unsigned *nkeyp); 690 int g_eli_mkey_encrypt(unsigned algo, const unsigned char *key, unsigned keylen, 691 unsigned char *mkey); 692 #ifdef _KERNEL 693 void g_eli_mkey_propagate(struct g_eli_softc *sc, const unsigned char *mkey); 694 #endif 695 696 int g_eli_crypto_encrypt(u_int algo, u_char *data, size_t datasize, 697 const u_char *key, size_t keysize); 698 int g_eli_crypto_decrypt(u_int algo, u_char *data, size_t datasize, 699 const u_char *key, size_t keysize); 700 701 struct hmac_ctx { 702 SHA512_CTX innerctx; 703 SHA512_CTX outerctx; 704 }; 705 706 void g_eli_crypto_hmac_init(struct hmac_ctx *ctx, const uint8_t *hkey, 707 size_t hkeylen); 708 void g_eli_crypto_hmac_update(struct hmac_ctx *ctx, const uint8_t *data, 709 size_t datasize); 710 void g_eli_crypto_hmac_final(struct hmac_ctx *ctx, uint8_t *md, size_t mdsize); 711 void g_eli_crypto_hmac(const uint8_t *hkey, size_t hkeysize, 712 const uint8_t *data, size_t datasize, uint8_t *md, size_t mdsize); 713 714 void g_eli_key_fill(struct g_eli_softc *sc, struct g_eli_key *key, 715 uint64_t keyno); 716 #ifdef _KERNEL 717 void g_eli_key_init(struct g_eli_softc *sc); 718 void g_eli_key_destroy(struct g_eli_softc *sc); 719 uint8_t *g_eli_key_hold(struct g_eli_softc *sc, off_t offset, size_t blocksize); 720 void g_eli_key_drop(struct g_eli_softc *sc, uint8_t *rawkey); 721 #endif 722 #endif /* !_G_ELI_H_ */ 723