2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
4 * Copyright (c) 2002 Poul-Henning Kamp
5 * Copyright (c) 2002 Networks Associates Technology, Inc.
8 * This software was developed for the FreeBSD Project by Poul-Henning Kamp
9 * and NAI Labs, the Security Research Division of Network Associates, Inc.
10 * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
11 * DARPA CHATS research program.
13 * Redistribution and use in source and binary forms, with or without
14 * modification, are permitted provided that the following conditions
16 * 1. Redistributions of source code must retain the above copyright
17 * notice, this list of conditions and the following disclaimer.
18 * 2. Redistributions in binary form must reproduce the above copyright
19 * notice, this list of conditions and the following disclaimer in the
20 * documentation and/or other materials provided with the distribution.
22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
38 * Replace the template file options (-i & -f) with command-line variables
41 * Introduce -e, extra entropy source (XOR with /dev/random)
43 * Introduce -E, alternate entropy source (instead of /dev/random)
45 * Introduce -i take IV from keyboard or
47 * Introduce -I take IV from file/cmd
49 * Introduce -m/-M store encrypted+encoded masterkey in file
51 * Introduce -k/-K get pass-phrase part from file/cmd
53 * Introduce -d add more dest-devices to worklist.
55 * Add key-option: selfdestruct bit.
58 * "onetime" attach with onetime nonstored locksector
59 * "key"/"unkey" to blast memory copy of key without orphaning
60 * "nuke" blow away everything attached, crash/halt/power-off if possible.
61 * "blast" destroy all copies of the masterkey
62 * "destroy" destroy one copy of the masterkey
63 * "backup"/"restore" of masterkey sectors.
65 * Make all verbs work on both attached/detached devices.
69 #include <sys/types.h>
70 #include <sys/queue.h>
71 #include <sys/mutex.h>
73 #include <readpassphrase.h>
85 #include <sys/errno.h>
88 #include <crypto/rijndael/rijndael-api-fst.h>
89 #include <crypto/sha2/sha512.h>
90 #include <sys/param.h>
91 #include <sys/linker.h>
93 #define GBDEMOD "geom_bde"
94 #define KASSERT(foo, bar) do { if(!(foo)) { warn bar ; exit (1); } } while (0)
96 #include <geom/geom.h>
97 #include <geom/bde/g_bde.h>
99 extern const char template[];
104 g_hexdump(void *ptr, int length)
110 for (i = 0; i < length; i+= 16) {
112 for (j = 0; j < 16; j++) {
115 printf(" %02x", cp[k]);
120 for (j = 0; j < 16; j++) {
124 else if (cp[k] >= ' ' && cp[k] <= '~')
138 (void)fprintf(stderr,
139 "usage: gbde attach destination [-k keyfile] [-l lockfile] [-p pass-phrase]\n"
140 " gbde detach destination\n"
141 " gbde init destination [-i] [-f filename] [-K new-keyfile]\n"
142 " [-L new-lockfile] [-P new-pass-phrase]\n"
143 " gbde setkey destination [-n key]\n"
144 " [-k keyfile] [-l lockfile] [-p pass-phrase]\n"
145 " [-K new-keyfile] [-L new-lockfile] [-P new-pass-phrase]\n"
146 " gbde nuke destination [-n key]\n"
147 " [-k keyfile] [-l lockfile] [-p pass-phrase]\n"
148 " gbde destroy destination [-k keyfile] [-l lockfile] [-p pass-phrase]\n");
153 g_read_data(struct g_consumer *cp, off_t offset, off_t length, int *error)
163 o2 = lseek(fd, offset, SEEK_SET);
166 i = read(fd, p, length);
175 random_bits(void *p, u_int len)
177 arc4random_buf(p, len);
181 static u_char sha2[SHA512_DIGEST_LENGTH];
184 reset_passphrase(struct g_bde_softc *sc)
187 memcpy(sc->sha2, sha2, SHA512_DIGEST_LENGTH);
191 setup_passphrase(struct g_bde_softc *sc, int sure, const char *input,
194 char buf1[BUFSIZ + SHA512_DIGEST_LENGTH];
195 char buf2[BUFSIZ + SHA512_DIGEST_LENGTH];
197 int kfd, klen, bpos = 0;
199 if (keyfile != NULL) {
200 /* Read up to BUFSIZ bytes from keyfile */
201 kfd = open(keyfile, O_RDONLY, 0);
203 err(1, "%s", keyfile);
204 klen = read(kfd, buf1, BUFSIZ);
206 err(1, "%s", keyfile);
209 /* Prepend the passphrase with the hash of the key read */
210 g_bde_hash_pass(sc, buf1, klen);
211 memcpy(buf1, sc->sha2, SHA512_DIGEST_LENGTH);
212 memcpy(buf2, sc->sha2, SHA512_DIGEST_LENGTH);
213 bpos = SHA512_DIGEST_LENGTH;
217 if (strlen(input) >= BUFSIZ)
218 errx(1, "Passphrase too long");
219 strcpy(buf1 + bpos, input);
221 g_bde_hash_pass(sc, buf1, strlen(buf1 + bpos) + bpos);
222 memcpy(sha2, sc->sha2, SHA512_DIGEST_LENGTH);
227 sure ? "Enter new passphrase:" : "Enter passphrase: ",
228 buf1 + bpos, sizeof buf1 - bpos,
229 RPP_ECHO_OFF | RPP_REQUIRE_TTY);
231 err(1, "readpassphrase");
234 p = readpassphrase("Reenter new passphrase: ",
235 buf2 + bpos, sizeof buf2 - bpos,
236 RPP_ECHO_OFF | RPP_REQUIRE_TTY);
238 err(1, "readpassphrase");
240 if (strcmp(buf1 + bpos, buf2 + bpos)) {
241 printf("They didn't match.\n");
245 if (strlen(buf1 + bpos) < 3) {
246 printf("Too short passphrase.\n");
251 g_bde_hash_pass(sc, buf1, strlen(buf1 + bpos) + bpos);
252 memcpy(sha2, sc->sha2, SHA512_DIGEST_LENGTH);
256 encrypt_sector(void *d, int len, int klen, void *key)
262 error = rijndael_cipherInit(&ci, MODE_CBC, NULL);
264 errx(1, "rijndael_cipherInit=%d", error);
265 error = rijndael_makeKey(&ki, DIR_ENCRYPT, klen, key);
267 errx(1, "rijndael_makeKeY=%d", error);
268 error = rijndael_blockEncrypt(&ci, &ki, d, len * 8, d);
270 errx(1, "rijndael_blockEncrypt=%d", error);
274 cmd_attach(const struct g_bde_softc *sc, const char *dest, const char *lfile)
281 r = gctl_get_handle();
282 gctl_ro_param(r, "verb", -1, "create geom");
283 gctl_ro_param(r, "class", -1, "BDE");
284 gctl_ro_param(r, "provider", -1, dest);
285 gctl_ro_param(r, "pass", SHA512_DIGEST_LENGTH, sc->sha2);
287 ffd = open(lfile, O_RDONLY, 0);
291 gctl_ro_param(r, "key", 16, buf);
294 errstr = gctl_issue(r);
296 errx(1, "Attach to %s failed: %s", dest, errstr);
302 cmd_detach(const char *dest)
308 r = gctl_get_handle();
309 gctl_ro_param(r, "verb", -1, "destroy geom");
310 gctl_ro_param(r, "class", -1, "BDE");
311 sprintf(buf, "%s.bde", dest);
312 gctl_ro_param(r, "geom", -1, buf);
313 /* gctl_dump(r, stdout); */
314 errstr = gctl_issue(r);
316 errx(1, "Detach of %s failed: %s", dest, errstr);
321 cmd_open(struct g_bde_softc *sc, int dfd , const char *l_opt, u_int *nkey)
330 error = ioctl(dfd, DIOCGSECTORSIZE, §orsize);
333 error = ioctl(dfd, DIOCGMEDIASIZE, &mediasize);
335 error = fstat(dfd, &st);
336 if (error == 0 && S_ISREG(st.st_mode))
337 mediasize = st.st_size;
342 mediasize = (off_t)-1;
344 ffd = open(l_opt, O_RDONLY, 0);
347 read(ffd, keyloc, sizeof keyloc);
350 memset(keyloc, 0, sizeof keyloc);
353 error = g_bde_decrypt_lock(sc, sc->sha2, keyloc, mediasize,
356 errx(1, "Lock was destroyed.");
358 errx(1, "Lock was nuked.");
359 if (error == ENOTDIR)
360 errx(1, "Lock not found");
362 errx(1, "Error %d decrypting lock", error);
364 printf("Opened with key %u\n", 1 + *nkey);
369 cmd_nuke(struct g_bde_key *gl, int dfd , int key)
373 off_t offset, offset2;
375 sbuf = malloc(gl->sectorsize);
376 memset(sbuf, 0, gl->sectorsize);
377 offset = (gl->lsector[key] & ~(gl->sectorsize - 1));
378 offset2 = lseek(dfd, offset, SEEK_SET);
379 if (offset2 != offset)
381 i = write(dfd, sbuf, gl->sectorsize);
383 if (i != (int)gl->sectorsize)
385 printf("Nuked key %d\n", 1 + key);
389 cmd_write(struct g_bde_key *gl, struct g_bde_softc *sc, int dfd , int key, const char *l_opt)
395 off_t offset, offset2;
397 sbuf = malloc(gl->sectorsize);
399 * Find the byte-offset in the lock sector where we will put the lock
400 * data structure. We can put it any random place as long as the
404 random_bits(off, sizeof off);
405 off[0] &= (gl->sectorsize - 1);
406 if (off[0] + G_BDE_LOCKSIZE > gl->sectorsize)
411 /* Add the sector offset in bytes */
412 off[0] += (gl->lsector[key] & ~(gl->sectorsize - 1));
413 gl->lsector[key] = off[0];
415 i = g_bde_keyloc_encrypt(sc->sha2, off[0], off[1], keyloc);
417 errx(1, "g_bde_keyloc_encrypt()");
419 ffd = open(l_opt, O_WRONLY | O_CREAT | O_TRUNC, 0600);
422 write(ffd, keyloc, sizeof keyloc);
424 } else if (gl->flags & GBDE_F_SECT0) {
425 offset2 = lseek(dfd, 0, SEEK_SET);
428 i = read(dfd, sbuf, gl->sectorsize);
429 if (i != (int)gl->sectorsize)
431 memcpy(sbuf + key * 16, keyloc, sizeof keyloc);
432 offset2 = lseek(dfd, 0, SEEK_SET);
435 i = write(dfd, sbuf, gl->sectorsize);
436 if (i != (int)gl->sectorsize)
439 errx(1, "No -L option and no space in sector 0 for lockfile");
442 /* Allocate a sectorbuffer and fill it with random junk */
445 random_bits(sbuf, gl->sectorsize);
447 /* Fill random bits in the spare field */
448 random_bits(gl->spare, sizeof(gl->spare));
450 /* Encode the structure where we want it */
451 q = sbuf + (off[0] % gl->sectorsize);
452 i = g_bde_encode_lock(sc->sha2, gl, q);
454 errx(1, "programming error encoding lock");
456 encrypt_sector(q, G_BDE_LOCKSIZE, 256, sc->sha2 + 16);
457 offset = gl->lsector[key] & ~(gl->sectorsize - 1);
458 offset2 = lseek(dfd, offset, SEEK_SET);
459 if (offset2 != offset)
461 i = write(dfd, sbuf, gl->sectorsize);
462 if (i != (int)gl->sectorsize)
466 printf("Wrote key %d at %jd\n", key, (intmax_t)offset);
467 printf("s0 = %jd\n", (intmax_t)gl->sector0);
468 printf("sN = %jd\n", (intmax_t)gl->sectorN);
469 printf("l[0] = %jd\n", (intmax_t)gl->lsector[0]);
470 printf("l[1] = %jd\n", (intmax_t)gl->lsector[1]);
471 printf("l[2] = %jd\n", (intmax_t)gl->lsector[2]);
472 printf("l[3] = %jd\n", (intmax_t)gl->lsector[3]);
473 printf("k = %jd\n", (intmax_t)gl->keyoffset);
474 printf("ss = %jd\n", (intmax_t)gl->sectorsize);
479 cmd_destroy(struct g_bde_key *gl, int nkey)
483 bzero(&gl->sector0, sizeof gl->sector0);
484 bzero(&gl->sectorN, sizeof gl->sectorN);
485 bzero(&gl->keyoffset, sizeof gl->keyoffset);
486 gl->flags &= GBDE_F_SECT0;
487 bzero(gl->mkey, sizeof gl->mkey);
488 for (i = 0; i < G_BDE_MAXKEYS; i++)
494 sorthelp(const void *a, const void *b)
496 const uint64_t *oa, *ob;
508 cmd_init(struct g_bde_key *gl, int dfd, const char *f_opt, int i_opt, const char *l_opt)
512 unsigned sector_size;
513 uint64_t first_sector;
514 uint64_t last_sector;
515 uint64_t total_sectors;
519 char *q, cbuf[BUFSIZ];
524 bzero(gl, sizeof *gl);
526 i = open(f_opt, O_RDONLY);
529 params = properties_read(i);
533 asprintf(&q, "%stemp.XXXXXXXXXX", _PATH_TMP);
539 write(i, template, strlen(template));
541 p = getenv("EDITOR");
544 if (snprintf(cbuf, sizeof(cbuf), "%s %s\n", p, q) >=
545 (ssize_t)sizeof(cbuf)) {
547 errx(1, "EDITOR is too long");
550 i = open(q, O_RDONLY);
553 params = properties_read(i);
559 i = open(_PATH_DEVNULL, O_RDONLY);
561 err(1, "%s", _PATH_DEVNULL);
562 params = properties_read(i);
567 p = property_find(params, "sector_size");
568 i = ioctl(dfd, DIOCGSECTORSIZE, &u);
570 sector_size = strtoul(p, &q, 0);
572 errx(1, "sector_size not a proper number");
576 errx(1, "Missing sector_size property");
578 if (sector_size & (sector_size - 1))
579 errx(1, "sector_size not a power of 2");
580 if (sector_size < 512)
581 errx(1, "sector_size is smaller than 512");
582 buf = malloc(sector_size);
584 err(1, "Failed to malloc sector buffer");
585 gl->sectorsize = sector_size;
587 i = ioctl(dfd, DIOCGMEDIASIZE, &off);
590 total_sectors = off / sector_size;
591 last_sector = total_sectors - 1;
599 p = property_find(params, "first_sector");
601 first_sector = strtoul(p, &q, 0);
603 errx(1, "first_sector not a proper number");
607 p = property_find(params, "last_sector");
609 last_sector = strtoul(p, &q, 0);
611 errx(1, "last_sector not a proper number");
612 if (last_sector <= first_sector)
613 errx(1, "last_sector not larger than first_sector");
614 total_sectors = last_sector + 1;
617 /* <total_sectors> */
618 p = property_find(params, "total_sectors");
620 total_sectors = strtoul(p, &q, 0);
622 errx(1, "total_sectors not a proper number");
623 if (last_sector == 0)
624 last_sector = first_sector + total_sectors - 1;
627 if (l_opt == NULL && first_sector != 0)
628 errx(1, "No -L new-lockfile argument and first_sector != 0");
629 else if (l_opt == NULL) {
632 gl->flags |= GBDE_F_SECT0;
634 gl->sector0 = first_sector * gl->sectorsize;
636 if (total_sectors != (last_sector - first_sector) + 1)
637 errx(1, "total_sectors disagree with first_sector and last_sector");
638 if (total_sectors == 0)
639 errx(1, "missing last_sector or total_sectors");
641 gl->sectorN = (last_sector + 1) * gl->sectorsize;
643 /* Find a random keyoffset */
644 random_bits(&o, sizeof o);
645 o %= (gl->sectorN - gl->sector0);
646 o &= ~(gl->sectorsize - 1);
649 /* <number_of_keys> */
650 p = property_find(params, "number_of_keys");
652 nkeys = strtoul(p, &q, 0);
654 errx(1, "number_of_keys not a proper number");
655 if (nkeys < 1 || nkeys > G_BDE_MAXKEYS)
656 errx(1, "number_of_keys out of range");
660 for (u = 0; u < nkeys; u++) {
663 random_bits(&o, sizeof o);
665 o &= ~(gl->sectorsize - 1);
666 } while(o < gl->sector0);
667 for (u2 = 0; u2 < u; u2++)
668 if (o == gl->lsector[u2])
676 for (; u < G_BDE_MAXKEYS; u++) {
678 random_bits(&o, sizeof o);
679 while (o < gl->sectorN);
682 qsort(gl->lsector, G_BDE_MAXKEYS, sizeof gl->lsector[0], sorthelp);
684 /* Flush sector zero if we use it for lockfile data */
685 if (gl->flags & GBDE_F_SECT0) {
686 off2 = lseek(dfd, 0, SEEK_SET);
688 err(1, "lseek(2) to sector 0");
689 random_bits(buf, sector_size);
690 i = write(dfd, buf, sector_size);
691 if (i != (int)sector_size)
692 err(1, "write sector 0");
696 p = property_find(params, "random_flush");
698 off = first_sector * sector_size;
699 off2 = lseek(dfd, off, SEEK_SET);
701 err(1, "lseek(2) to first_sector");
702 off2 = last_sector * sector_size;
703 while (off <= off2) {
704 random_bits(buf, sector_size);
705 i = write(dfd, buf, sector_size);
706 if (i != (int)sector_size)
707 err(1, "write to $device_name");
712 random_bits(gl->mkey, sizeof gl->mkey);
713 random_bits(gl->salt, sizeof gl->salt);
720 ACT_ATTACH, ACT_DETACH,
721 ACT_INIT, ACT_SETKEY, ACT_DESTROY, ACT_NUKE
725 main(int argc, char **argv)
728 const char *k_opt, *K_opt;
729 const char *l_opt, *L_opt;
730 const char *p_opt, *P_opt;
733 int i_opt, n_opt, ch, dfd, doopen;
736 char *q, buf[BUFSIZ];
737 struct g_bde_key *gl;
738 struct g_bde_softc sc;
743 if (modfind("g_bde") < 0) {
744 /* need to load the gbde module */
745 if (kldload(GBDEMOD) < 0 || modfind("g_bde") < 0)
746 err(1, GBDEMOD ": Kernel module not available");
749 if (!strcmp(argv[1], "attach")) {
752 } else if (!strcmp(argv[1], "detach")) {
755 } else if (!strcmp(argv[1], "init")) {
759 } else if (!strcmp(argv[1], "setkey")) {
762 opts = "k:K:l:L:n:p:P:";
763 } else if (!strcmp(argv[1], "destroy")) {
764 action = ACT_DESTROY;
767 } else if (!strcmp(argv[1], "nuke")) {
777 dest = strdup(argv[1]);
791 while((ch = getopt(argc, argv, opts)) != -1)
812 n_opt = strtoul(optarg, &q, 0);
814 errx(1, "-n argument not numeric");
815 if (n_opt < -1 || n_opt > G_BDE_MAXKEYS)
816 errx(1, "-n argument out of range");
829 dfd = open(dest, O_RDWR);
830 if (dfd < 0 && dest[0] != '/') {
831 if (snprintf(buf, sizeof(buf), "%s%s",
832 _PATH_DEV, dest) >= (ssize_t)sizeof(buf))
833 errno = ENAMETOOLONG;
835 dfd = open(buf, O_RDWR);
840 if (!memcmp(dest, _PATH_DEV, strlen(_PATH_DEV)))
841 strcpy(dest, dest + strlen(_PATH_DEV));
844 memset(&sc, 0, sizeof sc);
845 sc.consumer = (void *)&dfd;
849 setup_passphrase(&sc, 0, p_opt, k_opt);
850 cmd_attach(&sc, dest, l_opt);
856 cmd_init(gl, dfd, f_opt, i_opt, L_opt);
857 setup_passphrase(&sc, 1, P_opt, K_opt);
858 cmd_write(gl, &sc, dfd, 0, L_opt);
861 setup_passphrase(&sc, 0, p_opt, k_opt);
862 cmd_open(&sc, dfd, l_opt, &nkey);
865 setup_passphrase(&sc, 1, P_opt, K_opt);
866 cmd_write(gl, &sc, dfd, n_opt - 1, L_opt);
869 setup_passphrase(&sc, 0, p_opt, k_opt);
870 cmd_open(&sc, dfd, l_opt, &nkey);
871 cmd_destroy(gl, nkey);
872 reset_passphrase(&sc);
873 cmd_write(gl, &sc, dfd, nkey, l_opt);
876 setup_passphrase(&sc, 0, p_opt, k_opt);
877 cmd_open(&sc, dfd, l_opt, &nkey);
881 for(i = 0; i < G_BDE_MAXKEYS; i++)
882 cmd_nuke(gl, dfd, i);
884 cmd_nuke(gl, dfd, n_opt - 1);
888 errx(1, "internal error");