2 * Copyright (c) 2002 Poul-Henning Kamp
3 * Copyright (c) 2002 Networks Associates Technology, Inc.
6 * This software was developed for the FreeBSD Project by Poul-Henning Kamp
7 * and NAI Labs, the Security Research Division of Network Associates, Inc.
8 * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
9 * DARPA CHATS research program.
11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted provided that the following conditions
14 * 1. Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 * 3. The names of the authors may not be used to endorse or promote
20 * products derived from this software without specific prior written
23 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
38 #include <sys/types.h>
39 #include <sys/queue.h>
40 #include <sys/mutex.h>
42 #include <readpassphrase.h>
52 #include <sys/errno.h>
54 #include <crypto/rijndael/rijndael.h>
56 #include <geom/geom.h>
57 #include <geom/bde/g_bde.h>
59 extern const char template[];
62 usage(const char *reason)
67 fprintf(stderr, "Usage error: %s", reason);
68 fprintf(stderr, "Usage:\n");
69 fprintf(stderr, "\t%s attach dest -l filename\n", p);
70 fprintf(stderr, "\t%s detach dest\n", p);
71 fprintf(stderr, "\t%s init dest [-i] [-f filename] -l filename\n", p);
72 fprintf(stderr, "\t%s setkey dest [-n key] -l filename\n", p);
73 fprintf(stderr, "\t%s destroy dest [-n key] -l filename\n", p);
78 g_read_data(struct g_consumer *cp, off_t offset, off_t length, int *error)
88 o2 = lseek(fd, offset, SEEK_SET);
91 i = read(fd, p, length);
100 random_bits(void *p, u_int len)
106 fdr = open("/dev/urandom", O_RDONLY);
108 err(1, "/dev/urandom");
111 i = read(fdr, p, len);
113 err(1, "read from /dev/urandom");
117 static u_char sbox[256];
120 reset_passphrase(struct g_bde_softc *sc)
123 memcpy(sc->arc4_sbox, sbox, 256);
124 sc->arc4_i = sc->arc4_j = 0;
128 setup_passphrase(struct g_bde_softc *sc, int sure, const char *input)
130 char buf1[BUFSIZ], buf2[BUFSIZ], *p;
133 g_bde_arc4_seed(sc, input, strlen(input));
134 memcpy(sbox, sc->arc4_sbox, 256);
139 sure ? "Enter new passphrase:" : "Enter passphrase: ",
141 RPP_ECHO_OFF | RPP_REQUIRE_TTY);
143 err(1, "readpassphrase");
146 p = readpassphrase("Reenter new passphrase: ",
148 RPP_ECHO_OFF | RPP_REQUIRE_TTY);
150 err(1, "readpassphrase");
152 if (strcmp(buf1, buf2)) {
153 printf("They didn't match.\n");
157 if (strlen(buf1) < 3) {
158 printf("Too short passphrase.\n");
163 g_bde_arc4_seed(sc, buf1, strlen(buf1));
164 memcpy(sbox, sc->arc4_sbox, 256);
168 encrypt_sector(void *d, int len, void *key)
174 error = rijndael_cipherInit(&ci, MODE_CBC, NULL);
176 errx(1, "rijndael_cipherInit=%d", error);
177 error = rijndael_makeKey(&ki, DIR_ENCRYPT, 128, key);
179 errx(1, "rijndael_makeKeY=%d", error);
180 error = rijndael_blockEncrypt(&ci, &ki, d, len * 8, d);
182 errx(1, "rijndael_blockEncrypt=%d", error);
186 cmd_attach(const struct g_bde_softc *sc, const char *dest, const char *lfile)
189 struct geomconfiggeom gcg;
190 u_char buf[256 + 16];
192 gfd = open("/dev/geom.ctl", O_RDWR);
194 err(1, "/dev/geom.ctl");
195 memset(&gcg, 0, sizeof gcg);
196 gcg.class.u.name = "BDE";
197 gcg.class.len = strlen(gcg.class.u.name);
198 gcg.provider.u.name = dest;
199 gcg.provider.len = strlen(gcg.provider.u.name);
201 gcg.len = sizeof buf;
205 ffd = open(lfile, O_RDONLY, 0);
208 read(ffd, buf + 256, 16);
211 memset(buf + 256, 0, 16);
213 memcpy(buf, sc->arc4_sbox, 256);
215 i = ioctl(gfd, GEOMCONFIGGEOM, &gcg);
217 err(1, "ioctl(GEOMCONFIGGEOM)");
222 cmd_detach(const char *dest)
225 struct geomconfiggeom gcg;
227 gfd = open("/dev/geom.ctl", O_RDWR);
229 err(1, "/dev/geom.ctl");
230 memset(&gcg, 0, sizeof gcg);
231 gcg.class.u.name = "BDE";
232 gcg.class.len = strlen(gcg.class.u.name);
233 gcg.provider.u.name = dest;
234 gcg.provider.len = strlen(gcg.provider.u.name);
237 i = ioctl(gfd, GEOMCONFIGGEOM, &gcg);
239 err(1, "ioctl(GEOMCONFIGGEOM)");
244 cmd_open(struct g_bde_softc *sc, int dfd __unused, const char *l_opt, u_int *nkey)
251 ffd = open(l_opt, O_RDONLY, 0);
254 read(ffd, keyloc, sizeof keyloc);
257 memset(keyloc, 0, sizeof keyloc);
260 error = g_bde_decrypt_lock(sc, sbox, keyloc, 0xffffffff,
263 errx(1, "Lock was destroyed.");
265 errx(1, "Lock was nuked.");
266 if (error == ENOTDIR)
267 errx(1, "Lock not found");
269 errx(1, "Error %d decrypting lock", error);
271 printf("Opened with key %u\n", *nkey);
276 cmd_nuke(struct g_bde_key *gl, int dfd , int key)
280 off_t offset, offset2;
282 sbuf = malloc(gl->sectorsize);
283 memset(sbuf, 0, gl->sectorsize);
284 offset = (gl->lsector[key] & ~(gl->sectorsize - 1));
285 offset2 = lseek(dfd, offset, SEEK_SET);
286 if (offset2 != offset)
288 i = write(dfd, sbuf, gl->sectorsize);
289 if (i != (int)gl->sectorsize)
291 printf("Nuked key %d\n", key);
295 cmd_write(struct g_bde_key *gl, struct g_bde_softc *sc, int dfd , int key, const char *l_opt)
303 off_t offset, offset2;
305 sbuf = malloc(gl->sectorsize);
307 * Find the byte-offset in the lock sector where we will put the lock
308 * data structure. We can put it any random place as long as the
312 random_bits(off, sizeof off);
313 off[0] &= (gl->sectorsize - 1);
314 if (off[0] + G_BDE_LOCKSIZE > gl->sectorsize)
319 /* Add the sector offset in bytes */
320 off[0] += (gl->lsector[key] & ~(gl->sectorsize - 1));
321 gl->lsector[key] = off[0];
323 i = g_bde_keyloc_encrypt(sc, off, keyloc);
325 errx(1, "g_bde_keyloc_encrypt()");
327 ffd = open(l_opt, O_WRONLY | O_CREAT | O_TRUNC, 0600);
330 write(ffd, keyloc, sizeof keyloc);
332 } else if (gl->flags & 1) {
333 offset2 = lseek(dfd, 0, SEEK_SET);
336 i = read(dfd, sbuf, gl->sectorsize);
337 if (i != (int)gl->sectorsize)
339 memcpy(sbuf + key * 16, keyloc, sizeof keyloc);
340 offset2 = lseek(dfd, 0, SEEK_SET);
343 i = write(dfd, sbuf, gl->sectorsize);
344 if (i != (int)gl->sectorsize)
347 errx(1, "No -L option and no space in sector 0 for lockfile");
350 /* Allocate a sectorbuffer and fill it with random junk */
353 random_bits(sbuf, gl->sectorsize);
355 /* Fill in the hash field with something we can recognize again */
356 g_bde_arc4_seq(sc, buf, 16);
358 MD5Update(&c, "0000", 4); /* XXX: for future versioning */
359 MD5Update(&c, buf, 16);
360 MD5Final(gl->hash, &c);
362 /* Fill random bits in the spare field */
363 random_bits(gl->spare, sizeof(gl->spare));
365 /* Encode the structure where we want it */
366 q = sbuf + (off[0] % gl->sectorsize);
367 g_bde_encode_lock(gl, q);
370 * The encoded structure likely contains long sequences of zeros
371 * which stick out as a sore thumb, so we XOR with key-material
372 * to make it harder to recognize in a brute-force attack
374 g_bde_arc4_seq(sc, buf, G_BDE_LOCKSIZE);
375 for (i = 0; i < G_BDE_LOCKSIZE; i++)
378 g_bde_arc4_seq(sc, buf, 16);
380 encrypt_sector(q, G_BDE_LOCKSIZE, buf);
381 offset = gl->lsector[key] & ~(gl->sectorsize - 1);
382 offset2 = lseek(dfd, offset, SEEK_SET);
383 if (offset2 != offset)
385 i = write(dfd, sbuf, gl->sectorsize);
386 if (i != (int)gl->sectorsize)
388 printf("Wrote key %d at %jd\n", key, (intmax_t)offset);
393 cmd_destroy(struct g_bde_key *gl, int nkey)
397 bzero(&gl->sector0, sizeof gl->sector0);
398 bzero(&gl->sectorN, sizeof gl->sectorN);
399 bzero(&gl->keyoffset, sizeof gl->keyoffset);
400 bzero(&gl->flags, sizeof gl->flags);
401 bzero(gl->key, sizeof gl->key);
402 for (i = 0; i < G_BDE_MAXKEYS; i++)
408 cmd_init(struct g_bde_key *gl, int dfd, const char *f_opt, int i_opt, const char *l_opt)
412 unsigned sector_size;
413 uint64_t first_sector;
414 uint64_t last_sector;
415 uint64_t total_sectors;
419 char *q, cbuf[BUFSIZ];
424 bzero(gl, sizeof *gl);
426 i = open(f_opt, O_RDONLY);
429 params = properties_read(i);
433 q = strdup("/tmp/temp.XXXXXXXXXX");
437 write(i, template, strlen(template));
440 p = getenv("EDITOR");
443 sprintf(cbuf, "%s %s\n", p, q);
446 i = open(q, O_RDONLY);
449 params = properties_read(i);
455 p = property_find(params, "sector_size");
456 i = ioctl(dfd, DIOCGSECTORSIZE, &u);
460 errx(1, "Missing sector_size property");
462 sector_size = strtoul(p, &q, 0);
464 errx(1, "sector_size not a proper number");
466 if (sector_size & (sector_size - 1))
467 errx(1, "sector_size not a power of 2");
468 if (sector_size < 512)
469 errx(1, "sector_size is smaller than 512");
470 buf = malloc(sector_size);
472 err(1, "Failed to malloc sector buffer");
473 gl->sectorsize = sector_size;
475 i = ioctl(dfd, DIOCGMEDIASIZE, &off);
478 total_sectors = off / sector_size;
479 last_sector = total_sectors - 1;
487 p = property_find(params, "first_sector");
489 first_sector = strtoul(p, &q, 0);
491 errx(1, "first_sector not a proper number");
493 gl->sector0 = first_sector * gl->sectorsize;
496 p = property_find(params, "last_sector");
498 last_sector = strtoul(p, &q, 0);
500 errx(1, "last_sector not a proper number");
501 if (last_sector <= first_sector)
502 errx(1, "last_sector not larger than first_sector");
503 total_sectors = last_sector + 1;
506 /* <total_sectors> */
507 p = property_find(params, "total_sectors");
509 total_sectors = strtoul(p, &q, 0);
511 errx(1, "total_sectors not a proper number");
512 if (last_sector == 0)
513 last_sector = first_sector + total_sectors - 1;
516 if (l_opt == NULL && first_sector != 0)
517 errx(1, "No -L new-lockfile argument and first_sector != 0");
518 else if (l_opt == NULL) {
524 if (total_sectors != (last_sector - first_sector) + 1)
525 errx(1, "total_sectors disagree with first_sector and last_sector");
526 if (total_sectors == 0)
527 errx(1, "missing last_sector or total_sectors");
529 gl->sectorN = (last_sector + 1) * gl->sectorsize;
531 /* Find a random keyoffset */
532 random_bits(&o, sizeof o);
533 o %= (gl->sectorN - gl->sector0);
534 o &= ~(gl->sectorsize - 1);
537 /* <number_of_keys> */
538 p = property_find(params, "number_of_keys");
540 errx(1, "Missing number_of_keys property");
541 nkeys = strtoul(p, &q, 0);
543 errx(1, "number_of_keys not a proper number");
544 if (nkeys < 1 || nkeys > G_BDE_MAXKEYS)
545 errx(1, "number_of_keys out of range");
546 for (u = 0; u < nkeys; u++) {
549 random_bits(&o, sizeof o);
551 o &= ~(gl->sectorsize - 1);
552 } while(o < gl->sector0);
553 for (u2 = 0; u2 < u; u2++)
554 if (o == gl->lsector[u2])
562 for (; u < G_BDE_MAXKEYS; u++) {
564 random_bits(&o, sizeof o);
565 while (o < gl->sectorN);
569 /* Flush sector zero if we use it for lockfile data */
571 off2 = lseek(dfd, 0, SEEK_SET);
573 err(1, "lseek(2) to sector 0");
574 random_bits(buf, sector_size);
575 i = write(dfd, buf, sector_size);
576 if (i != (int)sector_size)
577 err(1, "write sector 0");
581 p = property_find(params, "random_flush");
583 off = first_sector * sector_size;
584 off2 = lseek(dfd, off, SEEK_SET);
586 err(1, "lseek(2) to first_sector");
587 off2 = last_sector * sector_size;
588 while (off <= off2) {
589 random_bits(buf, sector_size);
590 i = write(dfd, buf, sector_size);
591 if (i != (int)sector_size)
592 err(1, "write to $device_name");
597 random_bits(gl->key, sizeof gl->key);
604 ACT_ATTACH, ACT_DETACH,
605 ACT_INIT, ACT_SETKEY, ACT_DESTROY, ACT_NUKE
609 main(int argc, char **argv)
612 const char *l_opt, *L_opt;
613 const char *p_opt, *P_opt;
616 int i_opt, n_opt, ch, dfd, nkey, doopen;
619 struct g_bde_key *gl;
620 struct g_bde_softc sc;
623 usage("Too few arguments\n");
626 if (!strcmp(argv[1], "attach")) {
629 } else if (!strcmp(argv[1], "detach")) {
632 } else if (!strcmp(argv[1], "init")) {
636 } else if (!strcmp(argv[1], "setkey")) {
640 } else if (!strcmp(argv[1], "destroy")) {
641 action = ACT_DESTROY;
644 } else if (!strcmp(argv[1], "nuke")) {
649 usage("Unknown sub command\n");
666 while((ch = getopt(argc, argv, opts)) != -1)
686 n_opt = strtoul(optarg, &q, 0);
688 usage("-n argument not numeric\n");
689 if (n_opt < -1 || n_opt > G_BDE_MAXKEYS)
690 usage("-n argument out of range\n");
693 usage("Invalid option\n");
697 dfd = open(dest, O_RDWR | O_CREAT, 0644);
702 memset(&sc, 0, sizeof sc);
703 sc.consumer = (struct g_consumer *)&dfd;
707 setup_passphrase(&sc, 0, p_opt);
708 cmd_attach(&sc, dest, l_opt);
714 cmd_init(gl, dfd, f_opt, i_opt, L_opt);
715 setup_passphrase(&sc, 1, P_opt);
716 cmd_write(gl, &sc, dfd, 0, L_opt);
719 setup_passphrase(&sc, 0, p_opt);
720 cmd_open(&sc, dfd, l_opt, &nkey);
723 setup_passphrase(&sc, 1, P_opt);
724 cmd_write(gl, &sc, dfd, n_opt - 1, L_opt);
727 setup_passphrase(&sc, 0, p_opt);
728 cmd_open(&sc, dfd, l_opt, &nkey);
729 cmd_destroy(gl, nkey);
730 reset_passphrase(&sc);
731 cmd_write(gl, &sc, dfd, nkey, l_opt);
734 setup_passphrase(&sc, 0, p_opt);
735 cmd_open(&sc, dfd, l_opt, &nkey);
739 for(i = 0; i < G_BDE_MAXKEYS; i++)
740 cmd_nuke(gl, dfd, i);
742 cmd_nuke(gl, dfd, n_opt - 1);
746 usage("Internal error\n");