2 * Copyright (c) 2015 Allan Jude <allanjude@FreeBSD.org>
3 * Copyright (c) 2005-2011 Pawel Jakub Dawidek <pawel@dawidek.net>
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 #include "geliboot_internal.h"
33 SLIST_HEAD(geli_list, geli_entry) geli_head = SLIST_HEAD_INITIALIZER(geli_head);
34 struct geli_list *geli_headp;
36 typedef u_char geli_ukey[G_ELI_USERKEYLEN];
38 static geli_ukey saved_keys[GELI_MAX_KEYS];
39 static unsigned int nsaved_keys = 0;
42 * Copy keys from local storage to the keybuf struct.
43 * Destroy the local storage when finished.
46 geli_fill_keybuf(struct keybuf *fkeybuf)
50 for (i = 0; i < nsaved_keys; i++) {
51 fkeybuf->kb_ents[i].ke_type = KEYBUF_TYPE_GELI;
52 memcpy(fkeybuf->kb_ents[i].ke_data, saved_keys[i],
55 fkeybuf->kb_nents = nsaved_keys;
56 explicit_bzero(saved_keys, sizeof(saved_keys));
60 * Copy keys from a keybuf struct into local storage.
61 * Zero out the keybuf.
64 geli_save_keybuf(struct keybuf *skeybuf)
68 for (i = 0; i < skeybuf->kb_nents && i < GELI_MAX_KEYS; i++) {
69 memcpy(saved_keys[i], skeybuf->kb_ents[i].ke_data,
71 explicit_bzero(skeybuf->kb_ents[i].ke_data,
73 skeybuf->kb_ents[i].ke_type = KEYBUF_TYPE_NONE;
75 nsaved_keys = skeybuf->kb_nents;
76 skeybuf->kb_nents = 0;
80 save_key(geli_ukey key)
84 * If we run out of key space, the worst that will happen is
85 * it will ask the user for the password again.
87 if (nsaved_keys < GELI_MAX_KEYS) {
88 memcpy(saved_keys[nsaved_keys], key, G_ELI_USERKEYLEN);
94 geli_same_device(struct geli_entry *ge, struct dsk *dskp)
97 if (ge->dsk->drive == dskp->drive &&
98 dskp->part == 255 && ge->dsk->part == dskp->slice) {
100 * Sometimes slice = slice, and sometimes part = slice
101 * If the incoming struct dsk has part=255, it means look at
102 * the slice instead of the part number
107 /* Is this the same device? */
108 if (ge->dsk->drive != dskp->drive ||
109 ge->dsk->slice != dskp->slice ||
110 ge->dsk->part != dskp->part) {
118 geli_findkey(struct geli_entry *ge, struct dsk *dskp, u_char *mkey)
123 if (ge->keybuf_slot >= 0) {
124 if (g_eli_mkey_decrypt_any(&ge->md, saved_keys[ge->keybuf_slot],
125 mkey, &keynum) == 0) {
130 for (i = 0; i < nsaved_keys; i++) {
131 if (g_eli_mkey_decrypt_any(&ge->md, saved_keys[i], mkey,
146 SLIST_INIT(&geli_head);
150 * Read the last sector of the drive or partition pointed to by dsk and see
151 * if it is GELI encrypted
154 geli_taste(int read_func(void *vdev, void *priv, off_t off, void *buf,
155 size_t bytes), struct dsk *dskp, daddr_t lastsector)
157 struct g_eli_metadata md;
158 u_char buf[DEV_GELIBOOT_BSIZE];
162 alignsector = rounddown2(lastsector * DEV_BSIZE, DEV_GELIBOOT_BSIZE);
163 if (alignsector + DEV_GELIBOOT_BSIZE > ((lastsector + 1) * DEV_BSIZE)) {
164 /* Don't read past the end of the disk */
165 alignsector = (lastsector * DEV_BSIZE) + DEV_BSIZE
166 - DEV_GELIBOOT_BSIZE;
168 error = read_func(NULL, dskp, alignsector, &buf, DEV_GELIBOOT_BSIZE);
172 /* Extract the last 4k sector of the disk. */
173 error = eli_metadata_decode(buf, &md);
175 /* Try the last 512 byte sector instead. */
176 error = eli_metadata_decode(buf +
177 (DEV_GELIBOOT_BSIZE - DEV_BSIZE), &md);
183 if (!(md.md_flags & G_ELI_FLAG_GELIBOOT)) {
184 /* The GELIBOOT feature is not activated */
187 if ((md.md_flags & G_ELI_FLAG_ONETIME)) {
188 /* Swap device, skip it. */
191 if (md.md_iterations < 0) {
192 /* XXX TODO: Support loading key files. */
193 /* Disk does not have a passphrase, skip it. */
196 geli_e = malloc(sizeof(struct geli_entry));
200 geli_e->dsk = malloc(sizeof(struct dsk));
201 if (geli_e->dsk == NULL)
203 memcpy(geli_e->dsk, dskp, sizeof(struct dsk));
204 geli_e->part_end = lastsector;
205 if (dskp->part == 255) {
206 geli_e->dsk->part = dskp->slice;
208 geli_e->keybuf_slot = -1;
211 eli_metadata_softc(&geli_e->sc, &md, DEV_BSIZE,
212 (lastsector + DEV_BSIZE) * DEV_BSIZE);
214 SLIST_INSERT_HEAD(&geli_head, geli_e, entries);
221 * Attempt to decrypt the device
224 geli_attach(struct geli_entry *ge, struct dsk *dskp, const char *passphrase,
227 u_char key[G_ELI_USERKEYLEN], mkey[G_ELI_DATAIVKEYLEN], *mkp;
233 memcpy(&mkey, mkeyp, G_ELI_DATAIVKEYLEN);
234 explicit_bzero(mkeyp, G_ELI_DATAIVKEYLEN);
237 if (mkeyp != NULL || geli_findkey(ge, dskp, mkey) == 0) {
241 g_eli_crypto_hmac_init(&ctx, NULL, 0);
243 * Prepare Derived-Key from the user passphrase.
245 if (geli_e->md.md_iterations < 0) {
246 /* XXX TODO: Support loading key files. */
248 } else if (geli_e->md.md_iterations == 0) {
249 g_eli_crypto_hmac_update(&ctx, geli_e->md.md_salt,
250 sizeof(geli_e->md.md_salt));
251 g_eli_crypto_hmac_update(&ctx, (const uint8_t *)passphrase,
253 } else if (geli_e->md.md_iterations > 0) {
254 printf("Calculating GELI Decryption Key disk%dp%d @ %d"
255 " iterations...\n", dskp->unit,
256 (dskp->slice > 0 ? dskp->slice : dskp->part),
257 geli_e->md.md_iterations);
258 u_char dkey[G_ELI_USERKEYLEN];
260 pkcs5v2_genkey(dkey, sizeof(dkey), geli_e->md.md_salt,
261 sizeof(geli_e->md.md_salt), passphrase,
262 geli_e->md.md_iterations);
263 g_eli_crypto_hmac_update(&ctx, dkey, sizeof(dkey));
264 explicit_bzero(dkey, sizeof(dkey));
267 g_eli_crypto_hmac_final(&ctx, key, 0);
269 error = g_eli_mkey_decrypt_any(&geli_e->md, key, mkey, &keynum);
271 explicit_bzero(mkey, sizeof(mkey));
272 explicit_bzero(key, sizeof(key));
273 printf("Bad GELI key: bad password?\n");
275 } else if (error != 0) {
276 explicit_bzero(mkey, sizeof(mkey));
277 explicit_bzero(key, sizeof(key));
278 printf("Failed to decrypt GELI master key: %d\n", error);
281 /* Add key to keychain */
283 explicit_bzero(&key, sizeof(key));
288 bcopy(mkey, geli_e->sc.sc_mkey, sizeof(geli_e->sc.sc_mkey));
289 bcopy(mkey, geli_e->sc.sc_ivkey, sizeof(geli_e->sc.sc_ivkey));
290 mkp = mkey + sizeof(geli_e->sc.sc_ivkey);
291 if ((geli_e->sc.sc_flags & G_ELI_FLAG_AUTH) == 0) {
292 bcopy(mkp, geli_e->sc.sc_ekey, G_ELI_DATAKEYLEN);
295 * The encryption key is: ekey = HMAC_SHA512(Data-Key, 0x10)
297 g_eli_crypto_hmac(mkp, G_ELI_MAXKEYLEN, (const uint8_t *)"\x10", 1,
298 geli_e->sc.sc_ekey, 0);
300 explicit_bzero(mkey, sizeof(mkey));
302 /* Initialize the per-sector IV. */
303 switch (geli_e->sc.sc_ealgo) {
307 SHA256_Init(&geli_e->sc.sc_ivctx);
308 SHA256_Update(&geli_e->sc.sc_ivctx, geli_e->sc.sc_ivkey,
309 sizeof(geli_e->sc.sc_ivkey));
317 is_geli(struct dsk *dskp)
319 SLIST_FOREACH_SAFE(geli_e, &geli_head, entries, geli_e_tmp) {
320 if (geli_same_device(geli_e, dskp) == 0) {
329 geli_read(struct dsk *dskp, off_t offset, u_char *buf, size_t bytes)
331 u_char iv[G_ELI_IVKEYLEN];
336 size_t n, nsec, secsize;
337 struct g_eli_key gkey;
340 SLIST_FOREACH_SAFE(geli_e, &geli_head, entries, geli_e_tmp) {
341 if (geli_same_device(geli_e, dskp) != 0) {
345 secsize = geli_e->sc.sc_sectorsize;
346 nsec = bytes / secsize;
349 * A read of less than the GELI sector size has been
350 * requested. The caller provided destination buffer may
351 * not be big enough to boost the read to a full sector,
352 * so just attempt to decrypt the truncated sector.
358 for (n = 0, dstoff = offset; n < nsec; n++, dstoff += secsize) {
360 g_eli_crypto_ivgen(&geli_e->sc, dstoff, iv,
363 /* Get the key that corresponds to this offset. */
364 keyno = (dstoff >> G_ELI_KEY_SHIFT) / secsize;
365 g_eli_key_fill(&geli_e->sc, &gkey, keyno);
367 error = geliboot_crypt(geli_e->sc.sc_ealgo, 0, pbuf,
368 secsize, gkey.gek_key,
369 geli_e->sc.sc_ekeylen, iv);
372 explicit_bzero(&gkey, sizeof(gkey));
373 printf("Failed to decrypt in geli_read()!");
378 explicit_bzero(&gkey, sizeof(gkey));
382 printf("GELI provider not found\n");
387 geli_havekey(struct dsk *dskp)
389 u_char mkey[G_ELI_DATAIVKEYLEN];
391 SLIST_FOREACH_SAFE(geli_e, &geli_head, entries, geli_e_tmp) {
392 if (geli_same_device(geli_e, dskp) != 0) {
396 if (geli_findkey(geli_e, dskp, mkey) == 0) {
397 if (geli_attach(geli_e, dskp, NULL, mkey) == 0) {
402 explicit_bzero(mkey, sizeof(mkey));
408 geli_passphrase(char *pw, int disk, int parttype, int part, struct dsk *dskp)
412 SLIST_FOREACH_SAFE(geli_e, &geli_head, entries, geli_e_tmp) {
413 if (geli_same_device(geli_e, dskp) != 0) {
417 /* TODO: Implement GELI keyfile(s) support */
418 for (i = 0; i < 3; i++) {
419 /* Try cached passphrase */
420 if (i == 0 && pw[0] != '\0') {
421 if (geli_attach(geli_e, dskp, pw, NULL) == 0) {
425 printf("GELI Passphrase for disk%d%c%d: ", disk,
427 pwgets(pw, GELI_PW_MAXLEN,
428 (geli_e->md.md_flags & G_ELI_FLAG_GELIDISPLAYPASS) == 0);
430 if (geli_attach(geli_e, dskp, pw, NULL) == 0) {