2 * Copyright (c) 2002 Poul-Henning Kamp
3 * Copyright (c) 2002 Networks Associates Technology, Inc.
6 * This software was developed for the FreeBSD Project by Poul-Henning Kamp
7 * and NAI Labs, the Security Research Division of Network Associates, Inc.
8 * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
9 * DARPA CHATS research program.
11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted provided that the following conditions
14 * 1. Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36 * Replace the template file options (-i & -f) with command-line variables
39 * Introduce -e, extra entropy source (XOR with /dev/random)
41 * Introduce -E, alternate entropy source (instead of /dev/random)
43 * Introduce -i take IV from keyboard or
45 * Introduce -I take IV from file/cmd
47 * Introduce -m/-M store encrypted+encoded masterkey in file
49 * Introduce -k/-K get pass-phrase part from file/cmd
51 * Introduce -d add more dest-devices to worklist.
53 * Add key-option: selfdestruct bit.
56 * "onetime" attach with onetime nonstored locksector
57 * "key"/"unkey" to blast memory copy of key without orphaning
58 * "nuke" blow away everything attached, crash/halt/power-off if possible.
59 * "blast" destroy all copies of the masterkey
60 * "destroy" destroy one copy of the masterkey
61 * "backup"/"restore" of masterkey sectors.
63 * Make all verbs work on both attached/detached devices.
67 #include <sys/types.h>
68 #include <sys/queue.h>
69 #include <sys/mutex.h>
71 #include <readpassphrase.h>
83 #include <sys/errno.h>
86 #include <crypto/rijndael/rijndael.h>
87 #include <crypto/sha2/sha2.h>
88 #include <sys/param.h>
89 #include <sys/linker.h>
91 #define GBDEMOD "geom_bde"
92 #define KASSERT(foo, bar) do { if(!(foo)) { warn bar ; exit (1); } } while (0)
94 #include <geom/geom.h>
95 #include <geom/bde/g_bde.h>
97 extern const char template[];
102 g_hexdump(void *ptr, int length)
108 for (i = 0; i < length; i+= 16) {
110 for (j = 0; j < 16; j++) {
113 printf(" %02x", cp[k]);
118 for (j = 0; j < 16; j++) {
122 else if (cp[k] >= ' ' && cp[k] <= '~')
133 usage(const char *reason)
138 fprintf(stderr, "Usage error: %s", reason);
139 fprintf(stderr, "Usage:\n");
140 fprintf(stderr, "\t%s attach dest [-l lockfile]\n", p);
141 fprintf(stderr, "\t%s detach dest\n", p);
142 fprintf(stderr, "\t%s init /dev/dest [-i] [-f filename] [-L lockfile]\n", p);
143 fprintf(stderr, "\t%s setkey dest [-n key] [-l lockfile] [-L lockfile]\n", p);
144 fprintf(stderr, "\t%s destroy dest [-n key] [-l lockfile] [-L lockfile]\n", p);
149 g_read_data(struct g_consumer *cp, off_t offset, off_t length, int *error)
159 o2 = lseek(fd, offset, SEEK_SET);
162 i = read(fd, p, length);
171 random_bits(void *p, u_int len)
177 fdr = open("/dev/urandom", O_RDONLY);
179 err(1, "/dev/urandom");
182 i = read(fdr, p, len);
184 err(1, "read from /dev/urandom");
188 static u_char sha2[SHA512_DIGEST_LENGTH];
191 reset_passphrase(struct g_bde_softc *sc)
194 memcpy(sc->sha2, sha2, SHA512_DIGEST_LENGTH);
198 setup_passphrase(struct g_bde_softc *sc, int sure, const char *input)
200 char buf1[BUFSIZ], buf2[BUFSIZ], *p;
203 g_bde_hash_pass(sc, input, strlen(input));
204 memcpy(sha2, sc->sha2, SHA512_DIGEST_LENGTH);
209 sure ? "Enter new passphrase:" : "Enter passphrase: ",
211 RPP_ECHO_OFF | RPP_REQUIRE_TTY);
213 err(1, "readpassphrase");
216 p = readpassphrase("Reenter new passphrase: ",
218 RPP_ECHO_OFF | RPP_REQUIRE_TTY);
220 err(1, "readpassphrase");
222 if (strcmp(buf1, buf2)) {
223 printf("They didn't match.\n");
227 if (strlen(buf1) < 3) {
228 printf("Too short passphrase.\n");
233 g_bde_hash_pass(sc, buf1, strlen(buf1));
234 memcpy(sha2, sc->sha2, SHA512_DIGEST_LENGTH);
238 encrypt_sector(void *d, int len, int klen, void *key)
244 error = rijndael_cipherInit(&ci, MODE_CBC, NULL);
246 errx(1, "rijndael_cipherInit=%d", error);
247 error = rijndael_makeKey(&ki, DIR_ENCRYPT, klen, key);
249 errx(1, "rijndael_makeKeY=%d", error);
250 error = rijndael_blockEncrypt(&ci, &ki, d, len * 8, d);
252 errx(1, "rijndael_blockEncrypt=%d", error);
256 cmd_attach(const struct g_bde_softc *sc, const char *dest, const char *lfile)
263 r = gctl_get_handle();
264 gctl_ro_param(r, "verb", -1, "create geom");
265 gctl_ro_param(r, "class", -1, "BDE");
266 gctl_ro_param(r, "provider", -1, dest);
267 gctl_ro_param(r, "pass", SHA512_DIGEST_LENGTH, sc->sha2);
269 ffd = open(lfile, O_RDONLY, 0);
273 gctl_ro_param(r, "key", 16, buf);
276 /* gctl_dump(r, stdout); */
277 errstr = gctl_issue(r);
279 errx(1, "Attach to %s failed: %s", dest, errstr);
285 cmd_detach(const char *dest)
291 r = gctl_get_handle();
292 gctl_ro_param(r, "verb", -1, "destroy geom");
293 gctl_ro_param(r, "class", -1, "BDE");
294 sprintf(buf, "%s.bde", dest);
295 gctl_ro_param(r, "geom", -1, buf);
296 /* gctl_dump(r, stdout); */
297 errstr = gctl_issue(r);
299 errx(1, "Detach of %s failed: %s", dest, errstr);
304 cmd_open(struct g_bde_softc *sc, int dfd , const char *l_opt, u_int *nkey)
313 error = ioctl(dfd, DIOCGSECTORSIZE, §orsize);
316 error = ioctl(dfd, DIOCGMEDIASIZE, &mediasize);
318 error = fstat(dfd, &st);
319 if (error == 0 && S_ISREG(st.st_mode))
320 mediasize = st.st_size;
325 mediasize = (off_t)-1;
327 ffd = open(l_opt, O_RDONLY, 0);
330 read(ffd, keyloc, sizeof keyloc);
333 memset(keyloc, 0, sizeof keyloc);
336 error = g_bde_decrypt_lock(sc, sc->sha2, keyloc, mediasize,
339 errx(1, "Lock was destroyed.");
341 errx(1, "Lock was nuked.");
342 if (error == ENOTDIR)
343 errx(1, "Lock not found");
345 errx(1, "Error %d decrypting lock", error);
347 printf("Opened with key %u\n", *nkey);
352 cmd_nuke(struct g_bde_key *gl, int dfd , int key)
356 off_t offset, offset2;
358 sbuf = malloc(gl->sectorsize);
359 memset(sbuf, 0, gl->sectorsize);
360 offset = (gl->lsector[key] & ~(gl->sectorsize - 1));
361 offset2 = lseek(dfd, offset, SEEK_SET);
362 if (offset2 != offset)
364 i = write(dfd, sbuf, gl->sectorsize);
366 if (i != (int)gl->sectorsize)
368 printf("Nuked key %d\n", key);
372 cmd_write(struct g_bde_key *gl, struct g_bde_softc *sc, int dfd , int key, const char *l_opt)
378 off_t offset, offset2;
380 sbuf = malloc(gl->sectorsize);
382 * Find the byte-offset in the lock sector where we will put the lock
383 * data structure. We can put it any random place as long as the
387 random_bits(off, sizeof off);
388 off[0] &= (gl->sectorsize - 1);
389 if (off[0] + G_BDE_LOCKSIZE > gl->sectorsize)
394 /* Add the sector offset in bytes */
395 off[0] += (gl->lsector[key] & ~(gl->sectorsize - 1));
396 gl->lsector[key] = off[0];
398 i = g_bde_keyloc_encrypt(sc->sha2, off[0], off[1], keyloc);
400 errx(1, "g_bde_keyloc_encrypt()");
402 ffd = open(l_opt, O_WRONLY | O_CREAT | O_TRUNC, 0600);
405 write(ffd, keyloc, sizeof keyloc);
407 } else if (gl->flags & GBDE_F_SECT0) {
408 offset2 = lseek(dfd, 0, SEEK_SET);
411 i = read(dfd, sbuf, gl->sectorsize);
412 if (i != (int)gl->sectorsize)
414 memcpy(sbuf + key * 16, keyloc, sizeof keyloc);
415 offset2 = lseek(dfd, 0, SEEK_SET);
418 i = write(dfd, sbuf, gl->sectorsize);
419 if (i != (int)gl->sectorsize)
422 errx(1, "No -L option and no space in sector 0 for lockfile");
425 /* Allocate a sectorbuffer and fill it with random junk */
428 random_bits(sbuf, gl->sectorsize);
430 /* Fill random bits in the spare field */
431 random_bits(gl->spare, sizeof(gl->spare));
433 /* Encode the structure where we want it */
434 q = sbuf + (off[0] % gl->sectorsize);
435 i = g_bde_encode_lock(sc->sha2, gl, q);
437 errx(1, "programming error encoding lock");
439 encrypt_sector(q, G_BDE_LOCKSIZE, 256, sc->sha2 + 16);
440 offset = gl->lsector[key] & ~(gl->sectorsize - 1);
441 offset2 = lseek(dfd, offset, SEEK_SET);
442 if (offset2 != offset)
444 i = write(dfd, sbuf, gl->sectorsize);
445 if (i != (int)gl->sectorsize)
449 printf("Wrote key %d at %jd\n", key, (intmax_t)offset);
450 printf("s0 = %jd\n", (intmax_t)gl->sector0);
451 printf("sN = %jd\n", (intmax_t)gl->sectorN);
452 printf("l[0] = %jd\n", (intmax_t)gl->lsector[0]);
453 printf("l[1] = %jd\n", (intmax_t)gl->lsector[1]);
454 printf("l[2] = %jd\n", (intmax_t)gl->lsector[2]);
455 printf("l[3] = %jd\n", (intmax_t)gl->lsector[3]);
456 printf("k = %jd\n", (intmax_t)gl->keyoffset);
457 printf("ss = %jd\n", (intmax_t)gl->sectorsize);
462 cmd_destroy(struct g_bde_key *gl, int nkey)
466 bzero(&gl->sector0, sizeof gl->sector0);
467 bzero(&gl->sectorN, sizeof gl->sectorN);
468 bzero(&gl->keyoffset, sizeof gl->keyoffset);
469 bzero(&gl->flags, sizeof gl->flags);
470 bzero(gl->mkey, sizeof gl->mkey);
471 for (i = 0; i < G_BDE_MAXKEYS; i++)
477 sorthelp(const void *a, const void *b)
479 const uint64_t *oa, *ob;
491 cmd_init(struct g_bde_key *gl, int dfd, const char *f_opt, int i_opt, const char *l_opt)
495 unsigned sector_size;
496 uint64_t first_sector;
497 uint64_t last_sector;
498 uint64_t total_sectors;
502 char *q, cbuf[BUFSIZ];
507 bzero(gl, sizeof *gl);
509 i = open(f_opt, O_RDONLY);
512 params = properties_read(i);
516 asprintf(&q, "%stemp.XXXXXXXXXX", _PATH_TMP);
522 write(i, template, strlen(template));
524 p = getenv("EDITOR");
527 if (snprintf(cbuf, sizeof(cbuf), "%s %s\n", p, q) >=
528 (ssize_t)sizeof(cbuf)) {
530 errx(1, "EDITOR is too long");
533 i = open(q, O_RDONLY);
536 params = properties_read(i);
542 i = open(_PATH_DEVNULL, O_RDONLY);
544 err(1, "%s", _PATH_DEVNULL);
545 params = properties_read(i);
550 p = property_find(params, "sector_size");
551 i = ioctl(dfd, DIOCGSECTORSIZE, &u);
553 sector_size = strtoul(p, &q, 0);
555 errx(1, "sector_size not a proper number");
559 errx(1, "Missing sector_size property");
561 if (sector_size & (sector_size - 1))
562 errx(1, "sector_size not a power of 2");
563 if (sector_size < 512)
564 errx(1, "sector_size is smaller than 512");
565 buf = malloc(sector_size);
567 err(1, "Failed to malloc sector buffer");
568 gl->sectorsize = sector_size;
570 i = ioctl(dfd, DIOCGMEDIASIZE, &off);
573 total_sectors = off / sector_size;
574 last_sector = total_sectors - 1;
582 p = property_find(params, "first_sector");
584 first_sector = strtoul(p, &q, 0);
586 errx(1, "first_sector not a proper number");
590 p = property_find(params, "last_sector");
592 last_sector = strtoul(p, &q, 0);
594 errx(1, "last_sector not a proper number");
595 if (last_sector <= first_sector)
596 errx(1, "last_sector not larger than first_sector");
597 total_sectors = last_sector + 1;
600 /* <total_sectors> */
601 p = property_find(params, "total_sectors");
603 total_sectors = strtoul(p, &q, 0);
605 errx(1, "total_sectors not a proper number");
606 if (last_sector == 0)
607 last_sector = first_sector + total_sectors - 1;
610 if (l_opt == NULL && first_sector != 0)
611 errx(1, "No -L new-lockfile argument and first_sector != 0");
612 else if (l_opt == NULL) {
615 gl->flags |= GBDE_F_SECT0;
617 gl->sector0 = first_sector * gl->sectorsize;
619 if (total_sectors != (last_sector - first_sector) + 1)
620 errx(1, "total_sectors disagree with first_sector and last_sector");
621 if (total_sectors == 0)
622 errx(1, "missing last_sector or total_sectors");
624 gl->sectorN = (last_sector + 1) * gl->sectorsize;
626 /* Find a random keyoffset */
627 random_bits(&o, sizeof o);
628 o %= (gl->sectorN - gl->sector0);
629 o &= ~(gl->sectorsize - 1);
632 /* <number_of_keys> */
633 p = property_find(params, "number_of_keys");
635 nkeys = strtoul(p, &q, 0);
637 errx(1, "number_of_keys not a proper number");
638 if (nkeys < 1 || nkeys > G_BDE_MAXKEYS)
639 errx(1, "number_of_keys out of range");
643 for (u = 0; u < nkeys; u++) {
646 random_bits(&o, sizeof o);
648 o &= ~(gl->sectorsize - 1);
649 } while(o < gl->sector0);
650 for (u2 = 0; u2 < u; u2++)
651 if (o == gl->lsector[u2])
659 for (; u < G_BDE_MAXKEYS; u++) {
661 random_bits(&o, sizeof o);
662 while (o < gl->sectorN);
665 qsort(gl->lsector, G_BDE_MAXKEYS, sizeof gl->lsector[0], sorthelp);
667 /* Flush sector zero if we use it for lockfile data */
668 if (gl->flags & GBDE_F_SECT0) {
669 off2 = lseek(dfd, 0, SEEK_SET);
671 err(1, "lseek(2) to sector 0");
672 random_bits(buf, sector_size);
673 i = write(dfd, buf, sector_size);
674 if (i != (int)sector_size)
675 err(1, "write sector 0");
679 p = property_find(params, "random_flush");
681 off = first_sector * sector_size;
682 off2 = lseek(dfd, off, SEEK_SET);
684 err(1, "lseek(2) to first_sector");
685 off2 = last_sector * sector_size;
686 while (off <= off2) {
687 random_bits(buf, sector_size);
688 i = write(dfd, buf, sector_size);
689 if (i != (int)sector_size)
690 err(1, "write to $device_name");
695 random_bits(gl->mkey, sizeof gl->mkey);
696 random_bits(gl->salt, sizeof gl->salt);
703 ACT_ATTACH, ACT_DETACH,
704 ACT_INIT, ACT_SETKEY, ACT_DESTROY, ACT_NUKE
708 main(int argc, char **argv)
711 const char *l_opt, *L_opt;
712 const char *p_opt, *P_opt;
715 int i_opt, n_opt, ch, dfd, doopen;
718 char *q, buf[BUFSIZ];
719 struct g_bde_key *gl;
720 struct g_bde_softc sc;
723 usage("Too few arguments\n");
725 if ((i = modfind("g_bde")) < 0) {
726 /* need to load the gbde module */
727 if (kldload(GBDEMOD) < 0 || modfind("g_bde") < 0) {
728 usage(GBDEMOD ": Kernel module not available\n");
732 if (!strcmp(argv[1], "attach")) {
735 } else if (!strcmp(argv[1], "detach")) {
738 } else if (!strcmp(argv[1], "init")) {
742 } else if (!strcmp(argv[1], "setkey")) {
746 } else if (!strcmp(argv[1], "destroy")) {
747 action = ACT_DESTROY;
750 } else if (!strcmp(argv[1], "nuke")) {
755 usage("Unknown sub command\n");
760 dest = strdup(argv[1]);
772 while((ch = getopt(argc, argv, opts)) != -1)
792 n_opt = strtoul(optarg, &q, 0);
794 usage("-n argument not numeric\n");
795 if (n_opt < -1 || n_opt > G_BDE_MAXKEYS)
796 usage("-n argument out of range\n"); break;
798 usage("Invalid option\n");
802 dfd = open(dest, O_RDWR | O_CREAT, 0644);
804 if (snprintf(buf, sizeof(buf), "%s%s",
805 _PATH_DEV, dest) >= (ssize_t)sizeof(buf))
806 errno = ENAMETOOLONG;
808 dfd = open(buf, O_RDWR | O_CREAT, 0644);
813 if (!memcmp(dest, _PATH_DEV, strlen(_PATH_DEV)))
814 strcpy(dest, dest + strlen(_PATH_DEV));
817 memset(&sc, 0, sizeof sc);
818 sc.consumer = (void *)&dfd;
822 setup_passphrase(&sc, 0, p_opt);
823 cmd_attach(&sc, dest, l_opt);
829 cmd_init(gl, dfd, f_opt, i_opt, L_opt);
830 setup_passphrase(&sc, 1, P_opt);
831 cmd_write(gl, &sc, dfd, 0, L_opt);
834 setup_passphrase(&sc, 0, p_opt);
835 cmd_open(&sc, dfd, l_opt, &nkey);
838 setup_passphrase(&sc, 1, P_opt);
839 cmd_write(gl, &sc, dfd, n_opt - 1, L_opt);
842 setup_passphrase(&sc, 0, p_opt);
843 cmd_open(&sc, dfd, l_opt, &nkey);
844 cmd_destroy(gl, nkey);
845 reset_passphrase(&sc);
846 cmd_write(gl, &sc, dfd, nkey, l_opt);
849 setup_passphrase(&sc, 0, p_opt);
850 cmd_open(&sc, dfd, l_opt, &nkey);
854 for(i = 0; i < G_BDE_MAXKEYS; i++)
855 cmd_nuke(gl, dfd, i);
857 cmd_nuke(gl, dfd, n_opt - 1);
861 usage("Internal error\n");