1 /*- 2 * Copyright (c) 2005-2011 Pawel Jakub Dawidek <pawel@dawidek.net> 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24 * SUCH DAMAGE. 25 * 26 * $FreeBSD$ 27 */ 28 29 #ifndef _G_ELI_H_ 30 #define _G_ELI_H_ 31 32 #include <sys/endian.h> 33 #include <sys/errno.h> 34 #include <sys/malloc.h> 35 #include <crypto/sha2/sha256.h> 36 #include <crypto/sha2/sha512.h> 37 #include <opencrypto/cryptodev.h> 38 #ifdef _KERNEL 39 #include <sys/bio.h> 40 #include <sys/libkern.h> 41 #include <sys/lock.h> 42 #include <sys/mutex.h> 43 #include <geom/geom.h> 44 #else 45 #include <assert.h> 46 #include <stdio.h> 47 #include <string.h> 48 #include <strings.h> 49 #endif 50 #include <sys/queue.h> 51 #include <sys/tree.h> 52 #ifndef _OpenSSL_ 53 #include <sys/md5.h> 54 #endif 55 56 #define G_ELI_CLASS_NAME "ELI" 57 #define G_ELI_MAGIC "GEOM::ELI" 58 #define G_ELI_SUFFIX ".eli" 59 60 /* 61 * Version history: 62 * 0 - Initial version number. 63 * 1 - Added data authentication support (md_aalgo field and 64 * G_ELI_FLAG_AUTH flag). 65 * 2 - Added G_ELI_FLAG_READONLY. 66 * 3 - Added 'configure' subcommand. 67 * 4 - IV is generated from offset converted to little-endian 68 * (the G_ELI_FLAG_NATIVE_BYTE_ORDER flag will be set for older versions). 69 * 5 - Added multiple encrypton keys and AES-XTS support. 70 * 6 - Fixed usage of multiple keys for authenticated providers (the 71 * G_ELI_FLAG_FIRST_KEY flag will be set for older versions). 72 * 7 - Encryption keys are now generated from the Data Key and not from the 73 * IV Key (the G_ELI_FLAG_ENC_IVKEY flag will be set for older versions). 74 */ 75 #define G_ELI_VERSION_00 0 76 #define G_ELI_VERSION_01 1 77 #define G_ELI_VERSION_02 2 78 #define G_ELI_VERSION_03 3 79 #define G_ELI_VERSION_04 4 80 #define G_ELI_VERSION_05 5 81 #define G_ELI_VERSION_06 6 82 #define G_ELI_VERSION_07 7 83 #define G_ELI_VERSION G_ELI_VERSION_07 84 85 /* ON DISK FLAGS. */ 86 /* Use random, onetime keys. */ 87 #define G_ELI_FLAG_ONETIME 0x00000001 88 /* Ask for the passphrase from the kernel, before mounting root. */ 89 #define G_ELI_FLAG_BOOT 0x00000002 90 /* Detach on last close, if we were open for writing. */ 91 #define G_ELI_FLAG_WO_DETACH 0x00000004 92 /* Detach on last close. */ 93 #define G_ELI_FLAG_RW_DETACH 0x00000008 94 /* Provide data authentication. */ 95 #define G_ELI_FLAG_AUTH 0x00000010 96 /* Provider is read-only, we should deny all write attempts. */ 97 #define G_ELI_FLAG_RO 0x00000020 98 /* Don't pass through BIO_DELETE requests. */ 99 #define G_ELI_FLAG_NODELETE 0x00000040 100 /* This GELI supports GELIBoot */ 101 #define G_ELI_FLAG_GELIBOOT 0x00000080 102 /* RUNTIME FLAGS. */ 103 /* Provider was open for writing. */ 104 #define G_ELI_FLAG_WOPEN 0x00010000 105 /* Destroy device. */ 106 #define G_ELI_FLAG_DESTROY 0x00020000 107 /* Provider uses native byte-order for IV generation. */ 108 #define G_ELI_FLAG_NATIVE_BYTE_ORDER 0x00040000 109 /* Provider uses single encryption key. */ 110 #define G_ELI_FLAG_SINGLE_KEY 0x00080000 111 /* Device suspended. */ 112 #define G_ELI_FLAG_SUSPEND 0x00100000 113 /* Provider uses first encryption key. */ 114 #define G_ELI_FLAG_FIRST_KEY 0x00200000 115 /* Provider uses IV-Key for encryption key generation. */ 116 #define G_ELI_FLAG_ENC_IVKEY 0x00400000 117 118 #define G_ELI_NEW_BIO 255 119 120 #define SHA512_MDLEN 64 121 #define G_ELI_AUTH_SECKEYLEN SHA256_DIGEST_LENGTH 122 123 #define G_ELI_MAXMKEYS 2 124 #define G_ELI_MAXKEYLEN 64 125 #define G_ELI_USERKEYLEN G_ELI_MAXKEYLEN 126 #define G_ELI_DATAKEYLEN G_ELI_MAXKEYLEN 127 #define G_ELI_AUTHKEYLEN G_ELI_MAXKEYLEN 128 #define G_ELI_IVKEYLEN G_ELI_MAXKEYLEN 129 #define G_ELI_SALTLEN 64 130 #define G_ELI_DATAIVKEYLEN (G_ELI_DATAKEYLEN + G_ELI_IVKEYLEN) 131 /* Data-Key, IV-Key, HMAC_SHA512(Derived-Key, Data-Key+IV-Key) */ 132 #define G_ELI_MKEYLEN (G_ELI_DATAIVKEYLEN + SHA512_MDLEN) 133 #define G_ELI_OVERWRITES 5 134 /* Switch data encryption key every 2^20 blocks. */ 135 #define G_ELI_KEY_SHIFT 20 136 137 #define G_ELI_CRYPTO_UNKNOWN 0 138 #define G_ELI_CRYPTO_HW 1 139 #define G_ELI_CRYPTO_SW 2 140 141 #ifdef _KERNEL 142 extern int g_eli_debug; 143 extern u_int g_eli_overwrites; 144 extern u_int g_eli_batch; 145 146 #define G_ELI_DEBUG(lvl, ...) do { \ 147 if (g_eli_debug >= (lvl)) { \ 148 printf("GEOM_ELI"); \ 149 if (g_eli_debug > 0) \ 150 printf("[%u]", lvl); \ 151 printf(": "); \ 152 printf(__VA_ARGS__); \ 153 printf("\n"); \ 154 } \ 155 } while (0) 156 #define G_ELI_LOGREQ(lvl, bp, ...) do { \ 157 if (g_eli_debug >= (lvl)) { \ 158 printf("GEOM_ELI"); \ 159 if (g_eli_debug > 0) \ 160 printf("[%u]", lvl); \ 161 printf(": "); \ 162 printf(__VA_ARGS__); \ 163 printf(" "); \ 164 g_print_bio(bp); \ 165 printf("\n"); \ 166 } \ 167 } while (0) 168 169 struct g_eli_worker { 170 struct g_eli_softc *w_softc; 171 struct proc *w_proc; 172 u_int w_number; 173 uint64_t w_sid; 174 boolean_t w_active; 175 LIST_ENTRY(g_eli_worker) w_next; 176 }; 177 178 #endif /* _KERNEL */ 179 180 struct g_eli_softc { 181 struct g_geom *sc_geom; 182 u_int sc_version; 183 u_int sc_crypto; 184 uint8_t sc_mkey[G_ELI_DATAIVKEYLEN]; 185 uint8_t sc_ekey[G_ELI_DATAKEYLEN]; 186 TAILQ_HEAD(, g_eli_key) sc_ekeys_queue; 187 RB_HEAD(g_eli_key_tree, g_eli_key) sc_ekeys_tree; 188 struct mtx sc_ekeys_lock; 189 uint64_t sc_ekeys_total; 190 uint64_t sc_ekeys_allocated; 191 u_int sc_ealgo; 192 u_int sc_ekeylen; 193 uint8_t sc_akey[G_ELI_AUTHKEYLEN]; 194 u_int sc_aalgo; 195 u_int sc_akeylen; 196 u_int sc_alen; 197 SHA256_CTX sc_akeyctx; 198 uint8_t sc_ivkey[G_ELI_IVKEYLEN]; 199 SHA256_CTX sc_ivctx; 200 int sc_nkey; 201 uint32_t sc_flags; 202 int sc_inflight; 203 off_t sc_mediasize; 204 size_t sc_sectorsize; 205 u_int sc_bytes_per_sector; 206 u_int sc_data_per_sector; 207 #ifndef _KERNEL 208 int sc_cpubind; 209 #else /* _KERNEL */ 210 boolean_t sc_cpubind; 211 212 /* Only for software cryptography. */ 213 struct bio_queue_head sc_queue; 214 struct mtx sc_queue_mtx; 215 LIST_HEAD(, g_eli_worker) sc_workers; 216 #endif /* _KERNEL */ 217 }; 218 #define sc_name sc_geom->name 219 220 #define G_ELI_KEY_MAGIC 0xe11341c 221 222 struct g_eli_key { 223 /* Key value, must be first in the structure. */ 224 uint8_t gek_key[G_ELI_DATAKEYLEN]; 225 /* Magic. */ 226 int gek_magic; 227 /* Key number. */ 228 uint64_t gek_keyno; 229 /* Reference counter. */ 230 int gek_count; 231 /* Keeps keys sorted by most recent use. */ 232 TAILQ_ENTRY(g_eli_key) gek_next; 233 /* Keeps keys sorted by number. */ 234 RB_ENTRY(g_eli_key) gek_link; 235 }; 236 237 struct g_eli_metadata { 238 char md_magic[16]; /* Magic value. */ 239 uint32_t md_version; /* Version number. */ 240 uint32_t md_flags; /* Additional flags. */ 241 uint16_t md_ealgo; /* Encryption algorithm. */ 242 uint16_t md_keylen; /* Key length. */ 243 uint16_t md_aalgo; /* Authentication algorithm. */ 244 uint64_t md_provsize; /* Provider's size. */ 245 uint32_t md_sectorsize; /* Sector size. */ 246 uint8_t md_keys; /* Available keys. */ 247 int32_t md_iterations; /* Number of iterations for PKCS#5v2. */ 248 uint8_t md_salt[G_ELI_SALTLEN]; /* Salt. */ 249 /* Encrypted master key (IV-key, Data-key, HMAC). */ 250 uint8_t md_mkeys[G_ELI_MAXMKEYS * G_ELI_MKEYLEN]; 251 u_char md_hash[16]; /* MD5 hash. */ 252 } __packed; 253 #ifndef _OpenSSL_ 254 static __inline void 255 eli_metadata_encode_v0(struct g_eli_metadata *md, u_char **datap) 256 { 257 u_char *p; 258 259 p = *datap; 260 le32enc(p, md->md_flags); p += sizeof(md->md_flags); 261 le16enc(p, md->md_ealgo); p += sizeof(md->md_ealgo); 262 le16enc(p, md->md_keylen); p += sizeof(md->md_keylen); 263 le64enc(p, md->md_provsize); p += sizeof(md->md_provsize); 264 le32enc(p, md->md_sectorsize); p += sizeof(md->md_sectorsize); 265 *p = md->md_keys; p += sizeof(md->md_keys); 266 le32enc(p, md->md_iterations); p += sizeof(md->md_iterations); 267 bcopy(md->md_salt, p, sizeof(md->md_salt)); p += sizeof(md->md_salt); 268 bcopy(md->md_mkeys, p, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys); 269 *datap = p; 270 } 271 static __inline void 272 eli_metadata_encode_v1v2v3v4v5v6v7(struct g_eli_metadata *md, u_char **datap) 273 { 274 u_char *p; 275 276 p = *datap; 277 le32enc(p, md->md_flags); p += sizeof(md->md_flags); 278 le16enc(p, md->md_ealgo); p += sizeof(md->md_ealgo); 279 le16enc(p, md->md_keylen); p += sizeof(md->md_keylen); 280 le16enc(p, md->md_aalgo); p += sizeof(md->md_aalgo); 281 le64enc(p, md->md_provsize); p += sizeof(md->md_provsize); 282 le32enc(p, md->md_sectorsize); p += sizeof(md->md_sectorsize); 283 *p = md->md_keys; p += sizeof(md->md_keys); 284 le32enc(p, md->md_iterations); p += sizeof(md->md_iterations); 285 bcopy(md->md_salt, p, sizeof(md->md_salt)); p += sizeof(md->md_salt); 286 bcopy(md->md_mkeys, p, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys); 287 *datap = p; 288 } 289 static __inline void 290 eli_metadata_encode(struct g_eli_metadata *md, u_char *data) 291 { 292 MD5_CTX ctx; 293 u_char *p; 294 295 p = data; 296 bcopy(md->md_magic, p, sizeof(md->md_magic)); 297 p += sizeof(md->md_magic); 298 le32enc(p, md->md_version); 299 p += sizeof(md->md_version); 300 switch (md->md_version) { 301 case G_ELI_VERSION_00: 302 eli_metadata_encode_v0(md, &p); 303 break; 304 case G_ELI_VERSION_01: 305 case G_ELI_VERSION_02: 306 case G_ELI_VERSION_03: 307 case G_ELI_VERSION_04: 308 case G_ELI_VERSION_05: 309 case G_ELI_VERSION_06: 310 case G_ELI_VERSION_07: 311 eli_metadata_encode_v1v2v3v4v5v6v7(md, &p); 312 break; 313 default: 314 #ifdef _KERNEL 315 panic("%s: Unsupported version %u.", __func__, 316 (u_int)md->md_version); 317 #else 318 assert(!"Unsupported metadata version."); 319 #endif 320 } 321 MD5Init(&ctx); 322 MD5Update(&ctx, data, p - data); 323 MD5Final(md->md_hash, &ctx); 324 bcopy(md->md_hash, p, sizeof(md->md_hash)); 325 } 326 static __inline int 327 eli_metadata_decode_v0(const u_char *data, struct g_eli_metadata *md) 328 { 329 MD5_CTX ctx; 330 const u_char *p; 331 332 p = data + sizeof(md->md_magic) + sizeof(md->md_version); 333 md->md_flags = le32dec(p); p += sizeof(md->md_flags); 334 md->md_ealgo = le16dec(p); p += sizeof(md->md_ealgo); 335 md->md_keylen = le16dec(p); p += sizeof(md->md_keylen); 336 md->md_provsize = le64dec(p); p += sizeof(md->md_provsize); 337 md->md_sectorsize = le32dec(p); p += sizeof(md->md_sectorsize); 338 md->md_keys = *p; p += sizeof(md->md_keys); 339 md->md_iterations = le32dec(p); p += sizeof(md->md_iterations); 340 bcopy(p, md->md_salt, sizeof(md->md_salt)); p += sizeof(md->md_salt); 341 bcopy(p, md->md_mkeys, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys); 342 MD5Init(&ctx); 343 MD5Update(&ctx, data, p - data); 344 MD5Final(md->md_hash, &ctx); 345 if (bcmp(md->md_hash, p, 16) != 0) 346 return (EINVAL); 347 return (0); 348 } 349 350 static __inline int 351 eli_metadata_decode_v1v2v3v4v5v6v7(const u_char *data, struct g_eli_metadata *md) 352 { 353 MD5_CTX ctx; 354 const u_char *p; 355 356 p = data + sizeof(md->md_magic) + sizeof(md->md_version); 357 md->md_flags = le32dec(p); p += sizeof(md->md_flags); 358 md->md_ealgo = le16dec(p); p += sizeof(md->md_ealgo); 359 md->md_keylen = le16dec(p); p += sizeof(md->md_keylen); 360 md->md_aalgo = le16dec(p); p += sizeof(md->md_aalgo); 361 md->md_provsize = le64dec(p); p += sizeof(md->md_provsize); 362 md->md_sectorsize = le32dec(p); p += sizeof(md->md_sectorsize); 363 md->md_keys = *p; p += sizeof(md->md_keys); 364 md->md_iterations = le32dec(p); p += sizeof(md->md_iterations); 365 bcopy(p, md->md_salt, sizeof(md->md_salt)); p += sizeof(md->md_salt); 366 bcopy(p, md->md_mkeys, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys); 367 MD5Init(&ctx); 368 MD5Update(&ctx, data, p - data); 369 MD5Final(md->md_hash, &ctx); 370 if (bcmp(md->md_hash, p, 16) != 0) 371 return (EINVAL); 372 return (0); 373 } 374 static __inline int 375 eli_metadata_decode(const u_char *data, struct g_eli_metadata *md) 376 { 377 int error; 378 379 bcopy(data, md->md_magic, sizeof(md->md_magic)); 380 if (strcmp(md->md_magic, G_ELI_MAGIC) != 0) 381 return (EINVAL); 382 md->md_version = le32dec(data + sizeof(md->md_magic)); 383 switch (md->md_version) { 384 case G_ELI_VERSION_00: 385 error = eli_metadata_decode_v0(data, md); 386 break; 387 case G_ELI_VERSION_01: 388 case G_ELI_VERSION_02: 389 case G_ELI_VERSION_03: 390 case G_ELI_VERSION_04: 391 case G_ELI_VERSION_05: 392 case G_ELI_VERSION_06: 393 case G_ELI_VERSION_07: 394 error = eli_metadata_decode_v1v2v3v4v5v6v7(data, md); 395 break; 396 default: 397 error = EOPNOTSUPP; 398 break; 399 } 400 return (error); 401 } 402 #endif /* !_OpenSSL */ 403 404 static __inline u_int 405 g_eli_str2ealgo(const char *name) 406 { 407 408 if (strcasecmp("null", name) == 0) 409 return (CRYPTO_NULL_CBC); 410 else if (strcasecmp("null-cbc", name) == 0) 411 return (CRYPTO_NULL_CBC); 412 else if (strcasecmp("aes", name) == 0) 413 return (CRYPTO_AES_XTS); 414 else if (strcasecmp("aes-cbc", name) == 0) 415 return (CRYPTO_AES_CBC); 416 else if (strcasecmp("aes-xts", name) == 0) 417 return (CRYPTO_AES_XTS); 418 else if (strcasecmp("blowfish", name) == 0) 419 return (CRYPTO_BLF_CBC); 420 else if (strcasecmp("blowfish-cbc", name) == 0) 421 return (CRYPTO_BLF_CBC); 422 else if (strcasecmp("camellia", name) == 0) 423 return (CRYPTO_CAMELLIA_CBC); 424 else if (strcasecmp("camellia-cbc", name) == 0) 425 return (CRYPTO_CAMELLIA_CBC); 426 else if (strcasecmp("3des", name) == 0) 427 return (CRYPTO_3DES_CBC); 428 else if (strcasecmp("3des-cbc", name) == 0) 429 return (CRYPTO_3DES_CBC); 430 return (CRYPTO_ALGORITHM_MIN - 1); 431 } 432 433 static __inline u_int 434 g_eli_str2aalgo(const char *name) 435 { 436 437 if (strcasecmp("hmac/md5", name) == 0) 438 return (CRYPTO_MD5_HMAC); 439 else if (strcasecmp("hmac/sha1", name) == 0) 440 return (CRYPTO_SHA1_HMAC); 441 else if (strcasecmp("hmac/ripemd160", name) == 0) 442 return (CRYPTO_RIPEMD160_HMAC); 443 else if (strcasecmp("hmac/sha256", name) == 0) 444 return (CRYPTO_SHA2_256_HMAC); 445 else if (strcasecmp("hmac/sha384", name) == 0) 446 return (CRYPTO_SHA2_384_HMAC); 447 else if (strcasecmp("hmac/sha512", name) == 0) 448 return (CRYPTO_SHA2_512_HMAC); 449 return (CRYPTO_ALGORITHM_MIN - 1); 450 } 451 452 static __inline const char * 453 g_eli_algo2str(u_int algo) 454 { 455 456 switch (algo) { 457 case CRYPTO_NULL_CBC: 458 return ("NULL"); 459 case CRYPTO_AES_CBC: 460 return ("AES-CBC"); 461 case CRYPTO_AES_XTS: 462 return ("AES-XTS"); 463 case CRYPTO_BLF_CBC: 464 return ("Blowfish-CBC"); 465 case CRYPTO_CAMELLIA_CBC: 466 return ("CAMELLIA-CBC"); 467 case CRYPTO_3DES_CBC: 468 return ("3DES-CBC"); 469 case CRYPTO_MD5_HMAC: 470 return ("HMAC/MD5"); 471 case CRYPTO_SHA1_HMAC: 472 return ("HMAC/SHA1"); 473 case CRYPTO_RIPEMD160_HMAC: 474 return ("HMAC/RIPEMD160"); 475 case CRYPTO_SHA2_256_HMAC: 476 return ("HMAC/SHA256"); 477 case CRYPTO_SHA2_384_HMAC: 478 return ("HMAC/SHA384"); 479 case CRYPTO_SHA2_512_HMAC: 480 return ("HMAC/SHA512"); 481 } 482 return ("unknown"); 483 } 484 485 static __inline void 486 eli_metadata_dump(const struct g_eli_metadata *md) 487 { 488 static const char hex[] = "0123456789abcdef"; 489 char str[sizeof(md->md_mkeys) * 2 + 1]; 490 u_int i; 491 492 printf(" magic: %s\n", md->md_magic); 493 printf(" version: %u\n", (u_int)md->md_version); 494 printf(" flags: 0x%x\n", (u_int)md->md_flags); 495 printf(" ealgo: %s\n", g_eli_algo2str(md->md_ealgo)); 496 printf(" keylen: %u\n", (u_int)md->md_keylen); 497 if (md->md_flags & G_ELI_FLAG_AUTH) 498 printf(" aalgo: %s\n", g_eli_algo2str(md->md_aalgo)); 499 printf(" provsize: %ju\n", (uintmax_t)md->md_provsize); 500 printf("sectorsize: %u\n", (u_int)md->md_sectorsize); 501 printf(" keys: 0x%02x\n", (u_int)md->md_keys); 502 printf("iterations: %u\n", (u_int)md->md_iterations); 503 bzero(str, sizeof(str)); 504 for (i = 0; i < sizeof(md->md_salt); i++) { 505 str[i * 2] = hex[md->md_salt[i] >> 4]; 506 str[i * 2 + 1] = hex[md->md_salt[i] & 0x0f]; 507 } 508 printf(" Salt: %s\n", str); 509 bzero(str, sizeof(str)); 510 for (i = 0; i < sizeof(md->md_mkeys); i++) { 511 str[i * 2] = hex[md->md_mkeys[i] >> 4]; 512 str[i * 2 + 1] = hex[md->md_mkeys[i] & 0x0f]; 513 } 514 printf("Master Key: %s\n", str); 515 bzero(str, sizeof(str)); 516 for (i = 0; i < 16; i++) { 517 str[i * 2] = hex[md->md_hash[i] >> 4]; 518 str[i * 2 + 1] = hex[md->md_hash[i] & 0x0f]; 519 } 520 printf(" MD5 hash: %s\n", str); 521 } 522 523 static __inline u_int 524 g_eli_keylen(u_int algo, u_int keylen) 525 { 526 527 switch (algo) { 528 case CRYPTO_NULL_CBC: 529 if (keylen == 0) 530 keylen = 64 * 8; 531 else { 532 if (keylen > 64 * 8) 533 keylen = 0; 534 } 535 return (keylen); 536 case CRYPTO_AES_CBC: 537 case CRYPTO_CAMELLIA_CBC: 538 switch (keylen) { 539 case 0: 540 return (128); 541 case 128: 542 case 192: 543 case 256: 544 return (keylen); 545 default: 546 return (0); 547 } 548 case CRYPTO_AES_XTS: 549 switch (keylen) { 550 case 0: 551 return (128); 552 case 128: 553 case 256: 554 return (keylen); 555 default: 556 return (0); 557 } 558 case CRYPTO_BLF_CBC: 559 if (keylen == 0) 560 return (128); 561 if (keylen < 128 || keylen > 448) 562 return (0); 563 if ((keylen % 32) != 0) 564 return (0); 565 return (keylen); 566 case CRYPTO_3DES_CBC: 567 if (keylen == 0 || keylen == 192) 568 return (192); 569 return (0); 570 default: 571 return (0); 572 } 573 } 574 575 static __inline u_int 576 g_eli_hashlen(u_int algo) 577 { 578 579 switch (algo) { 580 case CRYPTO_MD5_HMAC: 581 return (16); 582 case CRYPTO_SHA1_HMAC: 583 return (20); 584 case CRYPTO_RIPEMD160_HMAC: 585 return (20); 586 case CRYPTO_SHA2_256_HMAC: 587 return (32); 588 case CRYPTO_SHA2_384_HMAC: 589 return (48); 590 case CRYPTO_SHA2_512_HMAC: 591 return (64); 592 } 593 return (0); 594 } 595 596 static __inline void 597 eli_metadata_softc(struct g_eli_softc *sc, const struct g_eli_metadata *md, 598 u_int sectorsize, off_t mediasize) 599 { 600 601 sc->sc_version = md->md_version; 602 sc->sc_inflight = 0; 603 sc->sc_crypto = G_ELI_CRYPTO_UNKNOWN; 604 sc->sc_flags = md->md_flags; 605 /* Backward compatibility. */ 606 if (md->md_version < G_ELI_VERSION_04) 607 sc->sc_flags |= G_ELI_FLAG_NATIVE_BYTE_ORDER; 608 if (md->md_version < G_ELI_VERSION_05) 609 sc->sc_flags |= G_ELI_FLAG_SINGLE_KEY; 610 if (md->md_version < G_ELI_VERSION_06 && 611 (sc->sc_flags & G_ELI_FLAG_AUTH) != 0) { 612 sc->sc_flags |= G_ELI_FLAG_FIRST_KEY; 613 } 614 if (md->md_version < G_ELI_VERSION_07) 615 sc->sc_flags |= G_ELI_FLAG_ENC_IVKEY; 616 sc->sc_ealgo = md->md_ealgo; 617 618 if (sc->sc_flags & G_ELI_FLAG_AUTH) { 619 sc->sc_akeylen = sizeof(sc->sc_akey) * 8; 620 sc->sc_aalgo = md->md_aalgo; 621 sc->sc_alen = g_eli_hashlen(sc->sc_aalgo); 622 623 sc->sc_data_per_sector = sectorsize - sc->sc_alen; 624 /* 625 * Some hash functions (like SHA1 and RIPEMD160) generates hash 626 * which length is not multiple of 128 bits, but we want data 627 * length to be multiple of 128, so we can encrypt without 628 * padding. The line below rounds down data length to multiple 629 * of 128 bits. 630 */ 631 sc->sc_data_per_sector -= sc->sc_data_per_sector % 16; 632 633 sc->sc_bytes_per_sector = 634 (md->md_sectorsize - 1) / sc->sc_data_per_sector + 1; 635 sc->sc_bytes_per_sector *= sectorsize; 636 } 637 sc->sc_sectorsize = md->md_sectorsize; 638 sc->sc_mediasize = mediasize; 639 if (!(sc->sc_flags & G_ELI_FLAG_ONETIME)) 640 sc->sc_mediasize -= sectorsize; 641 if (!(sc->sc_flags & G_ELI_FLAG_AUTH)) 642 sc->sc_mediasize -= (sc->sc_mediasize % sc->sc_sectorsize); 643 else { 644 sc->sc_mediasize /= sc->sc_bytes_per_sector; 645 sc->sc_mediasize *= sc->sc_sectorsize; 646 } 647 sc->sc_ekeylen = md->md_keylen; 648 } 649 650 #ifdef _KERNEL 651 int g_eli_read_metadata(struct g_class *mp, struct g_provider *pp, 652 struct g_eli_metadata *md); 653 struct g_geom *g_eli_create(struct gctl_req *req, struct g_class *mp, 654 struct g_provider *bpp, const struct g_eli_metadata *md, 655 const u_char *mkey, int nkey); 656 int g_eli_destroy(struct g_eli_softc *sc, boolean_t force); 657 658 int g_eli_access(struct g_provider *pp, int dr, int dw, int de); 659 void g_eli_config(struct gctl_req *req, struct g_class *mp, const char *verb); 660 661 void g_eli_read_done(struct bio *bp); 662 void g_eli_write_done(struct bio *bp); 663 int g_eli_crypto_rerun(struct cryptop *crp); 664 665 void g_eli_crypto_read(struct g_eli_softc *sc, struct bio *bp, boolean_t fromworker); 666 void g_eli_crypto_run(struct g_eli_worker *wr, struct bio *bp); 667 668 void g_eli_auth_read(struct g_eli_softc *sc, struct bio *bp); 669 void g_eli_auth_run(struct g_eli_worker *wr, struct bio *bp); 670 #endif 671 void g_eli_crypto_ivgen(struct g_eli_softc *sc, off_t offset, u_char *iv, 672 size_t size); 673 674 void g_eli_mkey_hmac(unsigned char *mkey, const unsigned char *key); 675 int g_eli_mkey_decrypt(const struct g_eli_metadata *md, 676 const unsigned char *key, unsigned char *mkey, unsigned *nkeyp); 677 int g_eli_mkey_encrypt(unsigned algo, const unsigned char *key, unsigned keylen, 678 unsigned char *mkey); 679 #ifdef _KERNEL 680 void g_eli_mkey_propagate(struct g_eli_softc *sc, const unsigned char *mkey); 681 #endif 682 683 int g_eli_crypto_encrypt(u_int algo, u_char *data, size_t datasize, 684 const u_char *key, size_t keysize); 685 int g_eli_crypto_decrypt(u_int algo, u_char *data, size_t datasize, 686 const u_char *key, size_t keysize); 687 688 struct hmac_ctx { 689 SHA512_CTX shactx; 690 u_char k_opad[128]; 691 }; 692 693 void g_eli_crypto_hmac_init(struct hmac_ctx *ctx, const uint8_t *hkey, 694 size_t hkeylen); 695 void g_eli_crypto_hmac_update(struct hmac_ctx *ctx, const uint8_t *data, 696 size_t datasize); 697 void g_eli_crypto_hmac_final(struct hmac_ctx *ctx, uint8_t *md, size_t mdsize); 698 void g_eli_crypto_hmac(const uint8_t *hkey, size_t hkeysize, 699 const uint8_t *data, size_t datasize, uint8_t *md, size_t mdsize); 700 701 void g_eli_key_fill(struct g_eli_softc *sc, struct g_eli_key *key, 702 uint64_t keyno); 703 #ifdef _KERNEL 704 void g_eli_key_init(struct g_eli_softc *sc); 705 void g_eli_key_destroy(struct g_eli_softc *sc); 706 uint8_t *g_eli_key_hold(struct g_eli_softc *sc, off_t offset, size_t blocksize); 707 void g_eli_key_drop(struct g_eli_softc *sc, uint8_t *rawkey); 708 #endif 709 #endif /* !_G_ELI_H_ */ 710