1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD 3 * 4 * Copyright (c) 2005-2011 Pawel Jakub Dawidek <pawel@dawidek.net> 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26 * SUCH DAMAGE. 27 */ 28 29 #include <sys/cdefs.h> 30 __FBSDID("$FreeBSD$"); 31 32 #include <sys/param.h> 33 #ifdef _KERNEL 34 #include <sys/malloc.h> 35 #include <sys/systm.h> 36 #include <geom/geom.h> 37 #else 38 #include <stdio.h> 39 #include <stdint.h> 40 #include <stdlib.h> 41 #include <string.h> 42 #include <strings.h> 43 #include <errno.h> 44 #endif 45 46 #include <geom/eli/g_eli.h> 47 48 #ifdef _KERNEL 49 MALLOC_DECLARE(M_ELI); 50 #endif 51 52 /* 53 * Verify if the given 'key' is correct. 54 * Return 1 if it is correct and 0 otherwise. 55 */ 56 static int 57 g_eli_mkey_verify(const unsigned char *mkey, const unsigned char *key) 58 { 59 const unsigned char *odhmac; /* On-disk HMAC. */ 60 unsigned char chmac[SHA512_MDLEN]; /* Calculated HMAC. */ 61 unsigned char hmkey[SHA512_MDLEN]; /* Key for HMAC. */ 62 63 /* 64 * The key for HMAC calculations is: hmkey = HMAC_SHA512(Derived-Key, 0) 65 */ 66 g_eli_crypto_hmac(key, G_ELI_USERKEYLEN, "\x00", 1, hmkey, 0); 67 68 odhmac = mkey + G_ELI_DATAIVKEYLEN; 69 70 /* Calculate HMAC from Data-Key and IV-Key. */ 71 g_eli_crypto_hmac(hmkey, sizeof(hmkey), mkey, G_ELI_DATAIVKEYLEN, 72 chmac, 0); 73 74 explicit_bzero(hmkey, sizeof(hmkey)); 75 76 /* 77 * Compare calculated HMAC with HMAC from metadata. 78 * If two HMACs are equal, 'key' is correct. 79 */ 80 return (!bcmp(odhmac, chmac, SHA512_MDLEN)); 81 } 82 83 /* 84 * Calculate HMAC from Data-Key and IV-Key. 85 */ 86 void 87 g_eli_mkey_hmac(unsigned char *mkey, const unsigned char *key) 88 { 89 unsigned char hmkey[SHA512_MDLEN]; /* Key for HMAC. */ 90 unsigned char *odhmac; /* On-disk HMAC. */ 91 92 /* 93 * The key for HMAC calculations is: hmkey = HMAC_SHA512(Derived-Key, 0) 94 */ 95 g_eli_crypto_hmac(key, G_ELI_USERKEYLEN, "\x00", 1, hmkey, 0); 96 97 odhmac = mkey + G_ELI_DATAIVKEYLEN; 98 /* Calculate HMAC from Data-Key and IV-Key. */ 99 g_eli_crypto_hmac(hmkey, sizeof(hmkey), mkey, G_ELI_DATAIVKEYLEN, 100 odhmac, 0); 101 102 explicit_bzero(hmkey, sizeof(hmkey)); 103 } 104 105 /* 106 * Find and decrypt Master Key encrypted with 'key'. 107 * Return decrypted Master Key number in 'nkeyp' if not NULL. 108 * Return 0 on success, > 0 on failure, -1 on bad key. 109 */ 110 int 111 g_eli_mkey_decrypt(const struct g_eli_metadata *md, const unsigned char *key, 112 unsigned char *mkey, unsigned *nkeyp) 113 { 114 unsigned char tmpmkey[G_ELI_MKEYLEN]; 115 unsigned char enckey[SHA512_MDLEN]; /* Key for encryption. */ 116 const unsigned char *mmkey; 117 int bit, error, nkey; 118 119 if (nkeyp != NULL) 120 *nkeyp = -1; 121 122 /* 123 * The key for encryption is: enckey = HMAC_SHA512(Derived-Key, 1) 124 */ 125 g_eli_crypto_hmac(key, G_ELI_USERKEYLEN, "\x01", 1, enckey, 0); 126 127 mmkey = md->md_mkeys; 128 for (nkey = 0; nkey < G_ELI_MAXMKEYS; nkey++, mmkey += G_ELI_MKEYLEN) { 129 bit = (1 << nkey); 130 if (!(md->md_keys & bit)) 131 continue; 132 bcopy(mmkey, tmpmkey, G_ELI_MKEYLEN); 133 error = g_eli_crypto_decrypt(md->md_ealgo, tmpmkey, 134 G_ELI_MKEYLEN, enckey, md->md_keylen); 135 if (error != 0) { 136 explicit_bzero(tmpmkey, sizeof(tmpmkey)); 137 explicit_bzero(enckey, sizeof(enckey)); 138 return (error); 139 } 140 if (g_eli_mkey_verify(tmpmkey, key)) { 141 bcopy(tmpmkey, mkey, G_ELI_DATAIVKEYLEN); 142 explicit_bzero(tmpmkey, sizeof(tmpmkey)); 143 explicit_bzero(enckey, sizeof(enckey)); 144 if (nkeyp != NULL) 145 *nkeyp = nkey; 146 return (0); 147 } 148 } 149 explicit_bzero(enckey, sizeof(enckey)); 150 explicit_bzero(tmpmkey, sizeof(tmpmkey)); 151 return (-1); 152 } 153 154 /* 155 * Encrypt the Master-Key and calculate HMAC to be able to verify it in the 156 * future. 157 */ 158 int 159 g_eli_mkey_encrypt(unsigned algo, const unsigned char *key, unsigned keylen, 160 unsigned char *mkey) 161 { 162 unsigned char enckey[SHA512_MDLEN]; /* Key for encryption. */ 163 int error; 164 165 /* 166 * To calculate HMAC, the whole key (G_ELI_USERKEYLEN bytes long) will 167 * be used. 168 */ 169 g_eli_mkey_hmac(mkey, key); 170 /* 171 * The key for encryption is: enckey = HMAC_SHA512(Derived-Key, 1) 172 */ 173 g_eli_crypto_hmac(key, G_ELI_USERKEYLEN, "\x01", 1, enckey, 0); 174 /* 175 * Encrypt the Master-Key and HMAC() result with the given key (this 176 * time only 'keylen' bits from the key are used). 177 */ 178 error = g_eli_crypto_encrypt(algo, mkey, G_ELI_MKEYLEN, enckey, keylen); 179 180 explicit_bzero(enckey, sizeof(enckey)); 181 182 return (error); 183 } 184 185 #ifdef _KERNEL 186 /* 187 * When doing encryption only, copy IV key and encryption key. 188 * When doing encryption and authentication, copy IV key, generate encryption 189 * key and generate authentication key. 190 */ 191 void 192 g_eli_mkey_propagate(struct g_eli_softc *sc, const unsigned char *mkey) 193 { 194 195 /* Remember the Master Key. */ 196 bcopy(mkey, sc->sc_mkey, sizeof(sc->sc_mkey)); 197 198 bcopy(mkey, sc->sc_ivkey, sizeof(sc->sc_ivkey)); 199 mkey += sizeof(sc->sc_ivkey); 200 201 /* 202 * The authentication key is: akey = HMAC_SHA512(Data-Key, 0x11) 203 */ 204 if ((sc->sc_flags & G_ELI_FLAG_AUTH) != 0) { 205 g_eli_crypto_hmac(mkey, G_ELI_MAXKEYLEN, "\x11", 1, 206 sc->sc_akey, 0); 207 } else { 208 arc4rand(sc->sc_akey, sizeof(sc->sc_akey), 0); 209 } 210 211 /* Initialize encryption keys. */ 212 g_eli_key_init(sc); 213 214 if ((sc->sc_flags & G_ELI_FLAG_AUTH) != 0) { 215 /* 216 * Precalculate SHA256 for HMAC key generation. 217 * This is expensive operation and we can do it only once now or 218 * for every access to sector, so now will be much better. 219 */ 220 SHA256_Init(&sc->sc_akeyctx); 221 SHA256_Update(&sc->sc_akeyctx, sc->sc_akey, 222 sizeof(sc->sc_akey)); 223 } 224 /* 225 * Precalculate SHA256 for IV generation. 226 * This is expensive operation and we can do it only once now or for 227 * every access to sector, so now will be much better. 228 */ 229 switch (sc->sc_ealgo) { 230 case CRYPTO_AES_XTS: 231 break; 232 default: 233 SHA256_Init(&sc->sc_ivctx); 234 SHA256_Update(&sc->sc_ivctx, sc->sc_ivkey, 235 sizeof(sc->sc_ivkey)); 236 break; 237 } 238 } 239 #endif 240