2 * Copyright (c) 2005-2006 Pawel Jakub Dawidek <pjd@FreeBSD.org>
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 #include <sys/endian.h>
33 #include <sys/errno.h>
34 #include <sys/malloc.h>
35 #include <crypto/sha2/sha2.h>
36 #include <opencrypto/cryptodev.h>
39 #include <sys/libkern.h>
40 #include <geom/geom.h>
50 #define G_ELI_CLASS_NAME "ELI"
51 #define G_ELI_MAGIC "GEOM::ELI"
52 #define G_ELI_SUFFIX ".eli"
56 * 0 - Initial version number.
57 * 1 - Added data authentication support (md_aalgo field and
58 * G_ELI_FLAG_AUTH flag).
59 * 2 - Added G_ELI_FLAG_READONLY.
60 * - IV is generated from offset converted to little-endian
61 * (flag G_ELI_FLAG_NATIVE_BYTE_ORDER will be set for older versions).
62 * 3 - Added 'configure' subcommand.
64 #define G_ELI_VERSION 3
67 /* Use random, onetime keys. */
68 #define G_ELI_FLAG_ONETIME 0x00000001
69 /* Ask for the passphrase from the kernel, before mounting root. */
70 #define G_ELI_FLAG_BOOT 0x00000002
71 /* Detach on last close, if we were open for writing. */
72 #define G_ELI_FLAG_WO_DETACH 0x00000004
73 /* Detach on last close. */
74 #define G_ELI_FLAG_RW_DETACH 0x00000008
75 /* Provide data authentication. */
76 #define G_ELI_FLAG_AUTH 0x00000010
77 /* Provider is read-only, we should deny all write attempts. */
78 #define G_ELI_FLAG_RO 0x00000020
80 /* Provider was open for writing. */
81 #define G_ELI_FLAG_WOPEN 0x00010000
83 #define G_ELI_FLAG_DESTROY 0x00020000
84 /* Provider uses native byte-order for IV generation. */
85 #define G_ELI_FLAG_NATIVE_BYTE_ORDER 0x00040000
87 #define SHA512_MDLEN 64
88 #define G_ELI_AUTH_SECKEYLEN SHA256_DIGEST_LENGTH
90 #define G_ELI_MAXMKEYS 2
91 #define G_ELI_MAXKEYLEN 64
92 #define G_ELI_USERKEYLEN G_ELI_MAXKEYLEN
93 #define G_ELI_DATAKEYLEN G_ELI_MAXKEYLEN
94 #define G_ELI_AUTHKEYLEN G_ELI_MAXKEYLEN
95 #define G_ELI_IVKEYLEN G_ELI_MAXKEYLEN
96 #define G_ELI_SALTLEN 64
97 #define G_ELI_DATAIVKEYLEN (G_ELI_DATAKEYLEN + G_ELI_IVKEYLEN)
98 /* Data-Key, IV-Key, HMAC_SHA512(Derived-Key, Data-Key+IV-Key) */
99 #define G_ELI_MKEYLEN (G_ELI_DATAIVKEYLEN + SHA512_MDLEN)
102 extern u_int g_eli_debug;
103 extern u_int g_eli_overwrites;
104 extern u_int g_eli_batch;
106 #define G_ELI_CRYPTO_HW 1
107 #define G_ELI_CRYPTO_SW 2
109 #define G_ELI_DEBUG(lvl, ...) do { \
110 if (g_eli_debug >= (lvl)) { \
111 printf("GEOM_ELI"); \
112 if (g_eli_debug > 0) \
113 printf("[%u]", lvl); \
115 printf(__VA_ARGS__); \
119 #define G_ELI_LOGREQ(lvl, bp, ...) do { \
120 if (g_eli_debug >= (lvl)) { \
121 printf("GEOM_ELI"); \
122 if (g_eli_debug > 0) \
123 printf("[%u]", lvl); \
125 printf(__VA_ARGS__); \
132 struct g_eli_worker {
133 struct g_eli_softc *w_softc;
137 LIST_ENTRY(g_eli_worker) w_next;
141 struct g_geom *sc_geom;
143 uint8_t sc_mkey[G_ELI_DATAIVKEYLEN];
144 uint8_t sc_ekey[G_ELI_DATAKEYLEN];
147 uint8_t sc_akey[G_ELI_AUTHKEYLEN];
151 SHA256_CTX sc_akeyctx;
152 uint8_t sc_ivkey[G_ELI_IVKEYLEN];
156 u_int sc_bytes_per_sector;
157 u_int sc_data_per_sector;
159 /* Only for software cryptography. */
160 struct bio_queue_head sc_queue;
161 struct mtx sc_queue_mtx;
162 LIST_HEAD(, g_eli_worker) sc_workers;
164 #define sc_name sc_geom->name
167 struct g_eli_metadata {
168 char md_magic[16]; /* Magic value. */
169 uint32_t md_version; /* Version number. */
170 uint32_t md_flags; /* Additional flags. */
171 uint16_t md_ealgo; /* Encryption algorithm. */
172 uint16_t md_keylen; /* Key length. */
173 uint16_t md_aalgo; /* Authentication algorithm. */
174 uint64_t md_provsize; /* Provider's size. */
175 uint32_t md_sectorsize; /* Sector size. */
176 uint8_t md_keys; /* Available keys. */
177 int32_t md_iterations; /* Number of iterations for PKCS#5v2. */
178 uint8_t md_salt[G_ELI_SALTLEN]; /* Salt. */
179 /* Encrypted master key (IV-key, Data-key, HMAC). */
180 uint8_t md_mkeys[G_ELI_MAXMKEYS * G_ELI_MKEYLEN];
181 u_char md_hash[16]; /* MD5 hash. */
185 eli_metadata_encode(struct g_eli_metadata *md, u_char *data)
191 bcopy(md->md_magic, p, sizeof(md->md_magic)); p += sizeof(md->md_magic);
192 le32enc(p, md->md_version); p += sizeof(md->md_version);
193 le32enc(p, md->md_flags); p += sizeof(md->md_flags);
194 le16enc(p, md->md_ealgo); p += sizeof(md->md_ealgo);
195 le16enc(p, md->md_keylen); p += sizeof(md->md_keylen);
196 le16enc(p, md->md_aalgo); p += sizeof(md->md_aalgo);
197 le64enc(p, md->md_provsize); p += sizeof(md->md_provsize);
198 le32enc(p, md->md_sectorsize); p += sizeof(md->md_sectorsize);
199 *p = md->md_keys; p += sizeof(md->md_keys);
200 le32enc(p, md->md_iterations); p += sizeof(md->md_iterations);
201 bcopy(md->md_salt, p, sizeof(md->md_salt)); p += sizeof(md->md_salt);
202 bcopy(md->md_mkeys, p, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys);
204 MD5Update(&ctx, data, p - data);
205 MD5Final(md->md_hash, &ctx);
206 bcopy(md->md_hash, p, sizeof(md->md_hash));
209 eli_metadata_decode_v0(const u_char *data, struct g_eli_metadata *md)
214 p = data + sizeof(md->md_magic) + sizeof(md->md_version);
215 md->md_flags = le32dec(p); p += sizeof(md->md_flags);
216 md->md_ealgo = le16dec(p); p += sizeof(md->md_ealgo);
217 md->md_keylen = le16dec(p); p += sizeof(md->md_keylen);
218 md->md_provsize = le64dec(p); p += sizeof(md->md_provsize);
219 md->md_sectorsize = le32dec(p); p += sizeof(md->md_sectorsize);
220 md->md_keys = *p; p += sizeof(md->md_keys);
221 md->md_iterations = le32dec(p); p += sizeof(md->md_iterations);
222 bcopy(p, md->md_salt, sizeof(md->md_salt)); p += sizeof(md->md_salt);
223 bcopy(p, md->md_mkeys, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys);
225 MD5Update(&ctx, data, p - data);
226 MD5Final(md->md_hash, &ctx);
227 if (bcmp(md->md_hash, p, 16) != 0)
232 eli_metadata_decode_v1v2v3(const u_char *data, struct g_eli_metadata *md)
237 p = data + sizeof(md->md_magic) + sizeof(md->md_version);
238 md->md_flags = le32dec(p); p += sizeof(md->md_flags);
239 md->md_ealgo = le16dec(p); p += sizeof(md->md_ealgo);
240 md->md_keylen = le16dec(p); p += sizeof(md->md_keylen);
241 md->md_aalgo = le16dec(p); p += sizeof(md->md_aalgo);
242 md->md_provsize = le64dec(p); p += sizeof(md->md_provsize);
243 md->md_sectorsize = le32dec(p); p += sizeof(md->md_sectorsize);
244 md->md_keys = *p; p += sizeof(md->md_keys);
245 md->md_iterations = le32dec(p); p += sizeof(md->md_iterations);
246 bcopy(p, md->md_salt, sizeof(md->md_salt)); p += sizeof(md->md_salt);
247 bcopy(p, md->md_mkeys, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys);
249 MD5Update(&ctx, data, p - data);
250 MD5Final(md->md_hash, &ctx);
251 if (bcmp(md->md_hash, p, 16) != 0)
256 eli_metadata_decode(const u_char *data, struct g_eli_metadata *md)
260 bcopy(data, md->md_magic, sizeof(md->md_magic));
261 md->md_version = le32dec(data + sizeof(md->md_magic));
262 switch (md->md_version) {
264 error = eli_metadata_decode_v0(data, md);
269 error = eli_metadata_decode_v1v2v3(data, md);
277 #endif /* !_OpenSSL */
279 static __inline u_int
280 g_eli_str2ealgo(const char *name)
283 if (strcasecmp("null", name) == 0)
284 return (CRYPTO_NULL_CBC);
285 else if (strcasecmp("aes", name) == 0)
286 return (CRYPTO_AES_CBC);
287 else if (strcasecmp("blowfish", name) == 0)
288 return (CRYPTO_BLF_CBC);
289 else if (strcasecmp("3des", name) == 0)
290 return (CRYPTO_3DES_CBC);
291 return (CRYPTO_ALGORITHM_MIN - 1);
294 static __inline u_int
295 g_eli_str2aalgo(const char *name)
298 if (strcasecmp("hmac/md5", name) == 0)
299 return (CRYPTO_MD5_HMAC);
300 else if (strcasecmp("hmac/sha1", name) == 0)
301 return (CRYPTO_SHA1_HMAC);
302 else if (strcasecmp("hmac/ripemd160", name) == 0)
303 return (CRYPTO_RIPEMD160_HMAC);
304 else if (strcasecmp("hmac/sha256", name) == 0)
305 return (CRYPTO_SHA2_256_HMAC);
306 else if (strcasecmp("hmac/sha384", name) == 0)
307 return (CRYPTO_SHA2_384_HMAC);
308 else if (strcasecmp("hmac/sha512", name) == 0)
309 return (CRYPTO_SHA2_512_HMAC);
310 return (CRYPTO_ALGORITHM_MIN - 1);
313 static __inline const char *
314 g_eli_algo2str(u_int algo)
318 case CRYPTO_NULL_CBC:
323 return ("Blowfish-CBC");
324 case CRYPTO_3DES_CBC:
326 case CRYPTO_MD5_HMAC:
328 case CRYPTO_SHA1_HMAC:
329 return ("HMAC/SHA1");
330 case CRYPTO_RIPEMD160_HMAC:
331 return ("HMAC/RIPEMD160");
332 case CRYPTO_SHA2_256_HMAC:
333 return ("HMAC/SHA256");
334 case CRYPTO_SHA2_384_HMAC:
335 return ("HMAC/SHA384");
336 case CRYPTO_SHA2_512_HMAC:
337 return ("HMAC/SHA512");
343 eli_metadata_dump(const struct g_eli_metadata *md)
345 static const char hex[] = "0123456789abcdef";
346 char str[sizeof(md->md_mkeys) * 2 + 1];
349 printf(" magic: %s\n", md->md_magic);
350 printf(" version: %u\n", (u_int)md->md_version);
351 printf(" flags: 0x%x\n", (u_int)md->md_flags);
352 printf(" ealgo: %s\n", g_eli_algo2str(md->md_ealgo));
353 printf(" keylen: %u\n", (u_int)md->md_keylen);
354 if (md->md_flags & G_ELI_FLAG_AUTH)
355 printf(" aalgo: %s\n", g_eli_algo2str(md->md_aalgo));
356 printf(" provsize: %ju\n", (uintmax_t)md->md_provsize);
357 printf("sectorsize: %u\n", (u_int)md->md_sectorsize);
358 printf(" keys: 0x%02x\n", (u_int)md->md_keys);
359 printf("iterations: %u\n", (u_int)md->md_iterations);
360 bzero(str, sizeof(str));
361 for (i = 0; i < sizeof(md->md_salt); i++) {
362 str[i * 2] = hex[md->md_salt[i] >> 4];
363 str[i * 2 + 1] = hex[md->md_salt[i] & 0x0f];
365 printf(" Salt: %s\n", str);
366 bzero(str, sizeof(str));
367 for (i = 0; i < sizeof(md->md_mkeys); i++) {
368 str[i * 2] = hex[md->md_mkeys[i] >> 4];
369 str[i * 2 + 1] = hex[md->md_mkeys[i] & 0x0f];
371 printf("Master Key: %s\n", str);
372 bzero(str, sizeof(str));
373 for (i = 0; i < 16; i++) {
374 str[i * 2] = hex[md->md_hash[i] >> 4];
375 str[i * 2 + 1] = hex[md->md_hash[i] & 0x0f];
377 printf(" MD5 hash: %s\n", str);
380 static __inline u_int
381 g_eli_keylen(u_int algo, u_int keylen)
385 case CRYPTO_NULL_CBC:
407 if (keylen < 128 || keylen > 448)
409 if ((keylen % 32) != 0)
412 case CRYPTO_3DES_CBC:
413 if (keylen == 0 || keylen == 192)
421 static __inline u_int
422 g_eli_hashlen(u_int algo)
426 case CRYPTO_MD5_HMAC:
428 case CRYPTO_SHA1_HMAC:
430 case CRYPTO_RIPEMD160_HMAC:
432 case CRYPTO_SHA2_256_HMAC:
434 case CRYPTO_SHA2_384_HMAC:
436 case CRYPTO_SHA2_512_HMAC:
443 int g_eli_read_metadata(struct g_class *mp, struct g_provider *pp,
444 struct g_eli_metadata *md);
445 struct g_geom *g_eli_create(struct gctl_req *req, struct g_class *mp,
446 struct g_provider *bpp, const struct g_eli_metadata *md,
447 const u_char *mkey, int nkey);
448 int g_eli_destroy(struct g_eli_softc *sc, boolean_t force);
450 int g_eli_access(struct g_provider *pp, int dr, int dw, int de);
451 void g_eli_config(struct gctl_req *req, struct g_class *mp, const char *verb);
453 void g_eli_read_done(struct bio *bp);
454 void g_eli_write_done(struct bio *bp);
455 int g_eli_crypto_rerun(struct cryptop *crp);
456 void g_eli_crypto_ivgen(struct g_eli_softc *sc, off_t offset, u_char *iv,
459 void g_eli_crypto_run(struct g_eli_worker *wr, struct bio *bp);
461 void g_eli_auth_read(struct g_eli_softc *sc, struct bio *bp);
462 void g_eli_auth_run(struct g_eli_worker *wr, struct bio *bp);
465 void g_eli_mkey_hmac(unsigned char *mkey, const unsigned char *key);
466 int g_eli_mkey_decrypt(const struct g_eli_metadata *md,
467 const unsigned char *key, unsigned char *mkey, unsigned *nkeyp);
468 int g_eli_mkey_encrypt(unsigned algo, const unsigned char *key, unsigned keylen,
469 unsigned char *mkey);
471 void g_eli_mkey_propagate(struct g_eli_softc *sc, const unsigned char *mkey);
474 int g_eli_crypto_encrypt(u_int algo, u_char *data, size_t datasize,
475 const u_char *key, size_t keysize);
476 int g_eli_crypto_decrypt(u_int algo, u_char *data, size_t datasize,
477 const u_char *key, size_t keysize);
484 void g_eli_crypto_hmac_init(struct hmac_ctx *ctx, const uint8_t *hkey,
486 void g_eli_crypto_hmac_update(struct hmac_ctx *ctx, const uint8_t *data,
488 void g_eli_crypto_hmac_final(struct hmac_ctx *ctx, uint8_t *md, size_t mdsize);
489 void g_eli_crypto_hmac(const uint8_t *hkey, size_t hkeysize,
490 const uint8_t *data, size_t datasize, uint8_t *md, size_t mdsize);
491 #endif /* !_G_ELI_H_ */