2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
4 * Copyright (c) 2005-2011 Pawel Jakub Dawidek <pawel@dawidek.net>
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 #include <sys/cdefs.h>
30 __FBSDID("$FreeBSD$");
32 #include <sys/param.h>
34 #include <sys/malloc.h>
35 #include <sys/systm.h>
36 #include <geom/geom.h>
46 #include <geom/eli/g_eli.h>
49 MALLOC_DECLARE(M_ELI);
53 * Verify if the given 'key' is correct.
54 * Return 1 if it is correct and 0 otherwise.
57 g_eli_mkey_verify(const unsigned char *mkey, const unsigned char *key)
59 const unsigned char *odhmac; /* On-disk HMAC. */
60 unsigned char chmac[SHA512_MDLEN]; /* Calculated HMAC. */
61 unsigned char hmkey[SHA512_MDLEN]; /* Key for HMAC. */
64 * The key for HMAC calculations is: hmkey = HMAC_SHA512(Derived-Key, 0)
66 g_eli_crypto_hmac(key, G_ELI_USERKEYLEN, "\x00", 1, hmkey, 0);
68 odhmac = mkey + G_ELI_DATAIVKEYLEN;
70 /* Calculate HMAC from Data-Key and IV-Key. */
71 g_eli_crypto_hmac(hmkey, sizeof(hmkey), mkey, G_ELI_DATAIVKEYLEN,
74 explicit_bzero(hmkey, sizeof(hmkey));
77 * Compare calculated HMAC with HMAC from metadata.
78 * If two HMACs are equal, 'key' is correct.
80 return (!bcmp(odhmac, chmac, SHA512_MDLEN));
84 * Calculate HMAC from Data-Key and IV-Key.
87 g_eli_mkey_hmac(unsigned char *mkey, const unsigned char *key)
89 unsigned char hmkey[SHA512_MDLEN]; /* Key for HMAC. */
90 unsigned char *odhmac; /* On-disk HMAC. */
93 * The key for HMAC calculations is: hmkey = HMAC_SHA512(Derived-Key, 0)
95 g_eli_crypto_hmac(key, G_ELI_USERKEYLEN, "\x00", 1, hmkey, 0);
97 odhmac = mkey + G_ELI_DATAIVKEYLEN;
98 /* Calculate HMAC from Data-Key and IV-Key. */
99 g_eli_crypto_hmac(hmkey, sizeof(hmkey), mkey, G_ELI_DATAIVKEYLEN,
102 explicit_bzero(hmkey, sizeof(hmkey));
106 * Find and decrypt Master Key encrypted with 'key' at slot 'nkey'.
107 * Return 0 on success, > 0 on failure, -1 on bad key.
110 g_eli_mkey_decrypt(const struct g_eli_metadata *md, const unsigned char *key,
111 unsigned char *mkey, unsigned nkey)
113 unsigned char tmpmkey[G_ELI_MKEYLEN];
114 unsigned char enckey[SHA512_MDLEN]; /* Key for encryption. */
115 const unsigned char *mmkey;
118 if (nkey > G_ELI_MKEYLEN)
122 * The key for encryption is: enckey = HMAC_SHA512(Derived-Key, 1)
124 g_eli_crypto_hmac(key, G_ELI_USERKEYLEN, "\x01", 1, enckey, 0);
126 mmkey = md->md_mkeys + G_ELI_MKEYLEN * nkey;
128 if (!(md->md_keys & bit))
130 bcopy(mmkey, tmpmkey, G_ELI_MKEYLEN);
131 error = g_eli_crypto_decrypt(md->md_ealgo, tmpmkey,
132 G_ELI_MKEYLEN, enckey, md->md_keylen);
134 explicit_bzero(tmpmkey, sizeof(tmpmkey));
135 explicit_bzero(enckey, sizeof(enckey));
138 if (g_eli_mkey_verify(tmpmkey, key)) {
139 bcopy(tmpmkey, mkey, G_ELI_DATAIVKEYLEN);
140 explicit_bzero(tmpmkey, sizeof(tmpmkey));
141 explicit_bzero(enckey, sizeof(enckey));
144 explicit_bzero(enckey, sizeof(enckey));
145 explicit_bzero(tmpmkey, sizeof(tmpmkey));
151 * Find and decrypt Master Key encrypted with 'key'.
152 * Return decrypted Master Key number in 'nkeyp' if not NULL.
153 * Return 0 on success, > 0 on failure, -1 on bad key.
156 g_eli_mkey_decrypt_any(const struct g_eli_metadata *md,
157 const unsigned char *key, unsigned char *mkey, unsigned *nkeyp)
165 for (nkey = 0; nkey < G_ELI_MAXMKEYS; nkey++) {
166 error = g_eli_mkey_decrypt(md, key, mkey, nkey);
171 } else if (error > 0) {
180 * Encrypt the Master-Key and calculate HMAC to be able to verify it in the
184 g_eli_mkey_encrypt(unsigned algo, const unsigned char *key, unsigned keylen,
187 unsigned char enckey[SHA512_MDLEN]; /* Key for encryption. */
191 * To calculate HMAC, the whole key (G_ELI_USERKEYLEN bytes long) will
194 g_eli_mkey_hmac(mkey, key);
196 * The key for encryption is: enckey = HMAC_SHA512(Derived-Key, 1)
198 g_eli_crypto_hmac(key, G_ELI_USERKEYLEN, "\x01", 1, enckey, 0);
200 * Encrypt the Master-Key and HMAC() result with the given key (this
201 * time only 'keylen' bits from the key are used).
203 error = g_eli_crypto_encrypt(algo, mkey, G_ELI_MKEYLEN, enckey, keylen);
205 explicit_bzero(enckey, sizeof(enckey));
212 * When doing encryption only, copy IV key and encryption key.
213 * When doing encryption and authentication, copy IV key, generate encryption
214 * key and generate authentication key.
217 g_eli_mkey_propagate(struct g_eli_softc *sc, const unsigned char *mkey)
220 /* Remember the Master Key. */
221 bcopy(mkey, sc->sc_mkey, sizeof(sc->sc_mkey));
223 bcopy(mkey, sc->sc_ivkey, sizeof(sc->sc_ivkey));
224 mkey += sizeof(sc->sc_ivkey);
227 * The authentication key is: akey = HMAC_SHA512(Data-Key, 0x11)
229 if ((sc->sc_flags & G_ELI_FLAG_AUTH) != 0) {
230 g_eli_crypto_hmac(mkey, G_ELI_MAXKEYLEN, "\x11", 1,
233 arc4rand(sc->sc_akey, sizeof(sc->sc_akey), 0);
236 /* Initialize encryption keys. */
239 if ((sc->sc_flags & G_ELI_FLAG_AUTH) != 0) {
241 * Precalculate SHA256 for HMAC key generation.
242 * This is expensive operation and we can do it only once now or
243 * for every access to sector, so now will be much better.
245 SHA256_Init(&sc->sc_akeyctx);
246 SHA256_Update(&sc->sc_akeyctx, sc->sc_akey,
247 sizeof(sc->sc_akey));
250 * Precalculate SHA256 for IV generation.
251 * This is expensive operation and we can do it only once now or for
252 * every access to sector, so now will be much better.
254 switch (sc->sc_ealgo) {
258 SHA256_Init(&sc->sc_ivctx);
259 SHA256_Update(&sc->sc_ivctx, sc->sc_ivkey,
260 sizeof(sc->sc_ivkey));