2 * Copyright (c) 2005 Pawel Jakub Dawidek <pjd@FreeBSD.org>
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 #include <sys/cdefs.h>
28 __FBSDID("$FreeBSD$");
30 #include <sys/param.h>
32 #include <sys/malloc.h>
33 #include <sys/systm.h>
34 #include <geom/geom.h>
44 #include <geom/eli/g_eli.h>
48 * Verify if the given 'key' is correct.
49 * Return 1 if it is correct and 0 otherwise.
52 g_eli_mkey_verify(const unsigned char *mkey, const unsigned char *key)
54 const unsigned char *odhmac; /* On-disk HMAC. */
55 unsigned char chmac[SHA512_MDLEN]; /* Calculated HMAC. */
56 unsigned char hmkey[SHA512_MDLEN]; /* Key for HMAC. */
59 * The key for HMAC calculations is: hmkey = HMAC_SHA512(Derived-Key, 0)
61 g_eli_crypto_hmac(key, G_ELI_USERKEYLEN, "\x00", 1, hmkey, 0);
63 odhmac = mkey + G_ELI_DATAIVKEYLEN;
65 /* Calculate HMAC from Data-Key and IV-Key. */
66 g_eli_crypto_hmac(hmkey, sizeof(hmkey), mkey, G_ELI_DATAIVKEYLEN,
69 bzero(hmkey, sizeof(hmkey));
72 * Compare calculated HMAC with HMAC from metadata.
73 * If two HMACs are equal, 'key' is correct.
75 return (!bcmp(odhmac, chmac, SHA512_MDLEN));
79 * Calculate HMAC from Data-Key and IV-Key.
82 g_eli_mkey_hmac(unsigned char *mkey, const unsigned char *key)
84 unsigned char hmkey[SHA512_MDLEN]; /* Key for HMAC. */
85 unsigned char *odhmac; /* On-disk HMAC. */
88 * The key for HMAC calculations is: hmkey = HMAC_SHA512(Derived-Key, 0)
90 g_eli_crypto_hmac(key, G_ELI_USERKEYLEN, "\x00", 1, hmkey, 0);
92 odhmac = mkey + G_ELI_DATAIVKEYLEN;
93 /* Calculate HMAC from Data-Key and IV-Key. */
94 g_eli_crypto_hmac(hmkey, sizeof(hmkey), mkey, G_ELI_DATAIVKEYLEN,
97 bzero(hmkey, sizeof(hmkey));
101 * Find and decrypt Master Key encrypted with 'key'.
102 * Return decrypted Master Key number in 'nkeyp' if not NULL.
103 * Return 0 on success, > 0 on failure, -1 on bad key.
106 g_eli_mkey_decrypt(const struct g_eli_metadata *md, const unsigned char *key,
107 unsigned char *mkey, unsigned *nkeyp)
109 unsigned char tmpmkey[G_ELI_MKEYLEN];
110 unsigned char enckey[SHA512_MDLEN]; /* Key for encryption. */
111 const unsigned char *mmkey;
112 int bit, error, nkey;
118 * The key for encryption is: enckey = HMAC_SHA512(Derived-Key, 1)
120 g_eli_crypto_hmac(key, G_ELI_USERKEYLEN, "\x01", 1, enckey, 0);
122 mmkey = md->md_mkeys;
124 for (nkey = 0; nkey < G_ELI_MAXMKEYS; nkey++, mmkey += G_ELI_MKEYLEN) {
126 if (!(md->md_keys & bit))
128 bcopy(mmkey, tmpmkey, G_ELI_MKEYLEN);
129 error = g_eli_crypto_decrypt(md->md_ealgo, tmpmkey,
130 G_ELI_MKEYLEN, enckey, md->md_keylen);
132 bzero(tmpmkey, sizeof(tmpmkey));
133 bzero(enckey, sizeof(enckey));
136 if (g_eli_mkey_verify(tmpmkey, key)) {
137 bcopy(tmpmkey, mkey, G_ELI_DATAIVKEYLEN);
138 bzero(tmpmkey, sizeof(tmpmkey));
139 bzero(enckey, sizeof(enckey));
145 bzero(enckey, sizeof(enckey));
146 bzero(tmpmkey, sizeof(tmpmkey));
151 * Encrypt the Master-Key and calculate HMAC to be able to verify it in the
155 g_eli_mkey_encrypt(unsigned algo, const unsigned char *key, unsigned keylen,
158 unsigned char enckey[SHA512_MDLEN]; /* Key for encryption. */
162 * To calculate HMAC, the whole key (G_ELI_USERKEYLEN bytes long) will
165 g_eli_mkey_hmac(mkey, key);
167 * The key for encryption is: enckey = HMAC_SHA512(Derived-Key, 1)
169 g_eli_crypto_hmac(key, G_ELI_USERKEYLEN, "\x01", 1, enckey, 0);
171 * Encrypt the Master-Key and HMAC() result with the given key (this
172 * time only 'keylen' bits from the key are used).
174 error = g_eli_crypto_encrypt(algo, mkey, G_ELI_MKEYLEN, enckey, keylen);
176 bzero(enckey, sizeof(enckey));
183 * When doing encryption only, copy IV key and encryption key.
184 * When doing encryption and authentication, copy IV key, generate encryption
185 * key and generate authentication key.
188 g_eli_mkey_propagate(struct g_eli_softc *sc, const unsigned char *mkey)
191 /* Remember the Master Key. */
192 bcopy(mkey, sc->sc_mkey, sizeof(sc->sc_mkey));
194 bcopy(mkey, sc->sc_ivkey, sizeof(sc->sc_ivkey));
195 mkey += sizeof(sc->sc_ivkey);
197 if (!(sc->sc_flags & G_ELI_FLAG_AUTH)) {
198 bcopy(mkey, sc->sc_ekey, sizeof(sc->sc_ekey));
201 * The encryption key is: ekey = HMAC_SHA512(Master-Key, 0x10)
202 * The authentication key is: akey = HMAC_SHA512(Master-Key, 0x11)
204 g_eli_crypto_hmac(mkey, G_ELI_MAXKEYLEN, "\x10", 1, sc->sc_ekey, 0);
205 g_eli_crypto_hmac(mkey, G_ELI_MAXKEYLEN, "\x11", 1, sc->sc_akey, 0);