FreeBSD/Linux Kernel Cross Reference
sys/geom/eli/g_eli.h
1 /*-
2 * Copyright (c) 2005-2011 Pawel Jakub Dawidek <pawel@dawidek.net>
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24 * SUCH DAMAGE.
25 *
26 * $FreeBSD: releng/11.2/sys/geom/eli/g_eli.h 332522 2018-04-16 00:42:45Z kevans $
27 */
28
29 #ifndef _G_ELI_H_
30 #define _G_ELI_H_
31
32 #include <sys/endian.h>
33 #include <sys/errno.h>
34 #include <sys/malloc.h>
35 #include <crypto/sha2/sha256.h>
36 #include <crypto/sha2/sha512.h>
37 #include <opencrypto/cryptodev.h>
38 #ifdef _KERNEL
39 #include <sys/bio.h>
40 #include <sys/libkern.h>
41 #include <sys/lock.h>
42 #include <sys/mutex.h>
43 #include <geom/geom.h>
44 #include <crypto/intake.h>
45 #else
46 #include <assert.h>
47 #include <stdio.h>
48 #include <string.h>
49 #include <strings.h>
50 #endif
51 #include <sys/queue.h>
52 #include <sys/tree.h>
53 #ifndef _OpenSSL_
54 #include <sys/md5.h>
55 #endif
56
57 #define G_ELI_CLASS_NAME "ELI"
58 #define G_ELI_MAGIC "GEOM::ELI"
59 #define G_ELI_SUFFIX ".eli"
60
61 /*
62 * Version history:
63 * 0 - Initial version number.
64 * 1 - Added data authentication support (md_aalgo field and
65 * G_ELI_FLAG_AUTH flag).
66 * 2 - Added G_ELI_FLAG_READONLY.
67 * 3 - Added 'configure' subcommand.
68 * 4 - IV is generated from offset converted to little-endian
69 * (the G_ELI_FLAG_NATIVE_BYTE_ORDER flag will be set for older versions).
70 * 5 - Added multiple encrypton keys and AES-XTS support.
71 * 6 - Fixed usage of multiple keys for authenticated providers (the
72 * G_ELI_FLAG_FIRST_KEY flag will be set for older versions).
73 * 7 - Encryption keys are now generated from the Data Key and not from the
74 * IV Key (the G_ELI_FLAG_ENC_IVKEY flag will be set for older versions).
75 */
76 #define G_ELI_VERSION_00 0
77 #define G_ELI_VERSION_01 1
78 #define G_ELI_VERSION_02 2
79 #define G_ELI_VERSION_03 3
80 #define G_ELI_VERSION_04 4
81 #define G_ELI_VERSION_05 5
82 #define G_ELI_VERSION_06 6
83 #define G_ELI_VERSION_07 7
84 #define G_ELI_VERSION G_ELI_VERSION_07
85
86 /* ON DISK FLAGS. */
87 /* Use random, onetime keys. */
88 #define G_ELI_FLAG_ONETIME 0x00000001
89 /* Ask for the passphrase from the kernel, before mounting root. */
90 #define G_ELI_FLAG_BOOT 0x00000002
91 /* Detach on last close, if we were open for writing. */
92 #define G_ELI_FLAG_WO_DETACH 0x00000004
93 /* Detach on last close. */
94 #define G_ELI_FLAG_RW_DETACH 0x00000008
95 /* Provide data authentication. */
96 #define G_ELI_FLAG_AUTH 0x00000010
97 /* Provider is read-only, we should deny all write attempts. */
98 #define G_ELI_FLAG_RO 0x00000020
99 /* Don't pass through BIO_DELETE requests. */
100 #define G_ELI_FLAG_NODELETE 0x00000040
101 /* This GELI supports GELIBoot */
102 #define G_ELI_FLAG_GELIBOOT 0x00000080
103 /* Hide passphrase length in GELIboot. */
104 #define G_ELI_FLAG_GELIDISPLAYPASS 0x00000100
105 /* RUNTIME FLAGS. */
106 /* Provider was open for writing. */
107 #define G_ELI_FLAG_WOPEN 0x00010000
108 /* Destroy device. */
109 #define G_ELI_FLAG_DESTROY 0x00020000
110 /* Provider uses native byte-order for IV generation. */
111 #define G_ELI_FLAG_NATIVE_BYTE_ORDER 0x00040000
112 /* Provider uses single encryption key. */
113 #define G_ELI_FLAG_SINGLE_KEY 0x00080000
114 /* Device suspended. */
115 #define G_ELI_FLAG_SUSPEND 0x00100000
116 /* Provider uses first encryption key. */
117 #define G_ELI_FLAG_FIRST_KEY 0x00200000
118 /* Provider uses IV-Key for encryption key generation. */
119 #define G_ELI_FLAG_ENC_IVKEY 0x00400000
120
121 #define G_ELI_NEW_BIO 255
122
123 #define SHA512_MDLEN 64
124 #define G_ELI_AUTH_SECKEYLEN SHA256_DIGEST_LENGTH
125
126 #define G_ELI_MAXMKEYS 2
127 #define G_ELI_MAXKEYLEN 64
128 #define G_ELI_USERKEYLEN G_ELI_MAXKEYLEN
129 #define G_ELI_DATAKEYLEN G_ELI_MAXKEYLEN
130 #define G_ELI_AUTHKEYLEN G_ELI_MAXKEYLEN
131 #define G_ELI_IVKEYLEN G_ELI_MAXKEYLEN
132 #define G_ELI_SALTLEN 64
133 #define G_ELI_DATAIVKEYLEN (G_ELI_DATAKEYLEN + G_ELI_IVKEYLEN)
134 /* Data-Key, IV-Key, HMAC_SHA512(Derived-Key, Data-Key+IV-Key) */
135 #define G_ELI_MKEYLEN (G_ELI_DATAIVKEYLEN + SHA512_MDLEN)
136 #define G_ELI_OVERWRITES 5
137 /* Switch data encryption key every 2^20 blocks. */
138 #define G_ELI_KEY_SHIFT 20
139
140 #define G_ELI_CRYPTO_UNKNOWN 0
141 #define G_ELI_CRYPTO_HW 1
142 #define G_ELI_CRYPTO_SW 2
143
144 #ifdef _KERNEL
145 #if (MAX_KEY_BYTES < G_ELI_DATAIVKEYLEN)
146 #error "MAX_KEY_BYTES is less than G_ELI_DATAKEYLEN"
147 #endif
148
149 extern int g_eli_debug;
150 extern u_int g_eli_overwrites;
151 extern u_int g_eli_batch;
152
153 #define G_ELI_DEBUG(lvl, ...) do { \
154 if (g_eli_debug >= (lvl)) { \
155 printf("GEOM_ELI"); \
156 if (g_eli_debug > 0) \
157 printf("[%u]", lvl); \
158 printf(": "); \
159 printf(__VA_ARGS__); \
160 printf("\n"); \
161 } \
162 } while (0)
163 #define G_ELI_LOGREQ(lvl, bp, ...) do { \
164 if (g_eli_debug >= (lvl)) { \
165 printf("GEOM_ELI"); \
166 if (g_eli_debug > 0) \
167 printf("[%u]", lvl); \
168 printf(": "); \
169 printf(__VA_ARGS__); \
170 printf(" "); \
171 g_print_bio(bp); \
172 printf("\n"); \
173 } \
174 } while (0)
175
176 struct g_eli_worker {
177 struct g_eli_softc *w_softc;
178 struct proc *w_proc;
179 u_int w_number;
180 uint64_t w_sid;
181 boolean_t w_active;
182 LIST_ENTRY(g_eli_worker) w_next;
183 };
184
185 #endif /* _KERNEL */
186
187 struct g_eli_softc {
188 struct g_geom *sc_geom;
189 u_int sc_version;
190 u_int sc_crypto;
191 uint8_t sc_mkey[G_ELI_DATAIVKEYLEN];
192 uint8_t sc_ekey[G_ELI_DATAKEYLEN];
193 TAILQ_HEAD(, g_eli_key) sc_ekeys_queue;
194 RB_HEAD(g_eli_key_tree, g_eli_key) sc_ekeys_tree;
195 struct mtx sc_ekeys_lock;
196 uint64_t sc_ekeys_total;
197 uint64_t sc_ekeys_allocated;
198 u_int sc_ealgo;
199 u_int sc_ekeylen;
200 uint8_t sc_akey[G_ELI_AUTHKEYLEN];
201 u_int sc_aalgo;
202 u_int sc_akeylen;
203 u_int sc_alen;
204 SHA256_CTX sc_akeyctx;
205 uint8_t sc_ivkey[G_ELI_IVKEYLEN];
206 SHA256_CTX sc_ivctx;
207 int sc_nkey;
208 uint32_t sc_flags;
209 int sc_inflight;
210 off_t sc_mediasize;
211 size_t sc_sectorsize;
212 u_int sc_bytes_per_sector;
213 u_int sc_data_per_sector;
214 #ifndef _KERNEL
215 int sc_cpubind;
216 #else /* _KERNEL */
217 boolean_t sc_cpubind;
218
219 /* Only for software cryptography. */
220 struct bio_queue_head sc_queue;
221 struct mtx sc_queue_mtx;
222 LIST_HEAD(, g_eli_worker) sc_workers;
223 #endif /* _KERNEL */
224 };
225 #define sc_name sc_geom->name
226
227 #define G_ELI_KEY_MAGIC 0xe11341c
228
229 struct g_eli_key {
230 /* Key value, must be first in the structure. */
231 uint8_t gek_key[G_ELI_DATAKEYLEN];
232 /* Magic. */
233 int gek_magic;
234 /* Key number. */
235 uint64_t gek_keyno;
236 /* Reference counter. */
237 int gek_count;
238 /* Keeps keys sorted by most recent use. */
239 TAILQ_ENTRY(g_eli_key) gek_next;
240 /* Keeps keys sorted by number. */
241 RB_ENTRY(g_eli_key) gek_link;
242 };
243
244 struct g_eli_metadata {
245 char md_magic[16]; /* Magic value. */
246 uint32_t md_version; /* Version number. */
247 uint32_t md_flags; /* Additional flags. */
248 uint16_t md_ealgo; /* Encryption algorithm. */
249 uint16_t md_keylen; /* Key length. */
250 uint16_t md_aalgo; /* Authentication algorithm. */
251 uint64_t md_provsize; /* Provider's size. */
252 uint32_t md_sectorsize; /* Sector size. */
253 uint8_t md_keys; /* Available keys. */
254 int32_t md_iterations; /* Number of iterations for PKCS#5v2. */
255 uint8_t md_salt[G_ELI_SALTLEN]; /* Salt. */
256 /* Encrypted master key (IV-key, Data-key, HMAC). */
257 uint8_t md_mkeys[G_ELI_MAXMKEYS * G_ELI_MKEYLEN];
258 u_char md_hash[16]; /* MD5 hash. */
259 } __packed;
260 #ifndef _OpenSSL_
261 static __inline void
262 eli_metadata_encode_v0(struct g_eli_metadata *md, u_char **datap)
263 {
264 u_char *p;
265
266 p = *datap;
267 le32enc(p, md->md_flags); p += sizeof(md->md_flags);
268 le16enc(p, md->md_ealgo); p += sizeof(md->md_ealgo);
269 le16enc(p, md->md_keylen); p += sizeof(md->md_keylen);
270 le64enc(p, md->md_provsize); p += sizeof(md->md_provsize);
271 le32enc(p, md->md_sectorsize); p += sizeof(md->md_sectorsize);
272 *p = md->md_keys; p += sizeof(md->md_keys);
273 le32enc(p, md->md_iterations); p += sizeof(md->md_iterations);
274 bcopy(md->md_salt, p, sizeof(md->md_salt)); p += sizeof(md->md_salt);
275 bcopy(md->md_mkeys, p, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys);
276 *datap = p;
277 }
278 static __inline void
279 eli_metadata_encode_v1v2v3v4v5v6v7(struct g_eli_metadata *md, u_char **datap)
280 {
281 u_char *p;
282
283 p = *datap;
284 le32enc(p, md->md_flags); p += sizeof(md->md_flags);
285 le16enc(p, md->md_ealgo); p += sizeof(md->md_ealgo);
286 le16enc(p, md->md_keylen); p += sizeof(md->md_keylen);
287 le16enc(p, md->md_aalgo); p += sizeof(md->md_aalgo);
288 le64enc(p, md->md_provsize); p += sizeof(md->md_provsize);
289 le32enc(p, md->md_sectorsize); p += sizeof(md->md_sectorsize);
290 *p = md->md_keys; p += sizeof(md->md_keys);
291 le32enc(p, md->md_iterations); p += sizeof(md->md_iterations);
292 bcopy(md->md_salt, p, sizeof(md->md_salt)); p += sizeof(md->md_salt);
293 bcopy(md->md_mkeys, p, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys);
294 *datap = p;
295 }
296 static __inline void
297 eli_metadata_encode(struct g_eli_metadata *md, u_char *data)
298 {
299 uint32_t hash[4];
300 MD5_CTX ctx;
301 u_char *p;
302
303 p = data;
304 bcopy(md->md_magic, p, sizeof(md->md_magic));
305 p += sizeof(md->md_magic);
306 le32enc(p, md->md_version);
307 p += sizeof(md->md_version);
308 switch (md->md_version) {
309 case G_ELI_VERSION_00:
310 eli_metadata_encode_v0(md, &p);
311 break;
312 case G_ELI_VERSION_01:
313 case G_ELI_VERSION_02:
314 case G_ELI_VERSION_03:
315 case G_ELI_VERSION_04:
316 case G_ELI_VERSION_05:
317 case G_ELI_VERSION_06:
318 case G_ELI_VERSION_07:
319 eli_metadata_encode_v1v2v3v4v5v6v7(md, &p);
320 break;
321 default:
322 #ifdef _KERNEL
323 panic("%s: Unsupported version %u.", __func__,
324 (u_int)md->md_version);
325 #else
326 assert(!"Unsupported metadata version.");
327 #endif
328 }
329 MD5Init(&ctx);
330 MD5Update(&ctx, data, p - data);
331 MD5Final((void *)hash, &ctx);
332 bcopy(hash, md->md_hash, sizeof(md->md_hash));
333 bcopy(md->md_hash, p, sizeof(md->md_hash));
334 }
335 static __inline int
336 eli_metadata_decode_v0(const u_char *data, struct g_eli_metadata *md)
337 {
338 uint32_t hash[4];
339 MD5_CTX ctx;
340 const u_char *p;
341
342 p = data + sizeof(md->md_magic) + sizeof(md->md_version);
343 md->md_flags = le32dec(p); p += sizeof(md->md_flags);
344 md->md_ealgo = le16dec(p); p += sizeof(md->md_ealgo);
345 md->md_keylen = le16dec(p); p += sizeof(md->md_keylen);
346 md->md_provsize = le64dec(p); p += sizeof(md->md_provsize);
347 md->md_sectorsize = le32dec(p); p += sizeof(md->md_sectorsize);
348 md->md_keys = *p; p += sizeof(md->md_keys);
349 md->md_iterations = le32dec(p); p += sizeof(md->md_iterations);
350 bcopy(p, md->md_salt, sizeof(md->md_salt)); p += sizeof(md->md_salt);
351 bcopy(p, md->md_mkeys, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys);
352 MD5Init(&ctx);
353 MD5Update(&ctx, data, p - data);
354 MD5Final((void *)hash, &ctx);
355 bcopy(hash, md->md_hash, sizeof(md->md_hash));
356 if (bcmp(md->md_hash, p, 16) != 0)
357 return (EINVAL);
358 return (0);
359 }
360
361 static __inline int
362 eli_metadata_decode_v1v2v3v4v5v6v7(const u_char *data, struct g_eli_metadata *md)
363 {
364 uint32_t hash[4];
365 MD5_CTX ctx;
366 const u_char *p;
367
368 p = data + sizeof(md->md_magic) + sizeof(md->md_version);
369 md->md_flags = le32dec(p); p += sizeof(md->md_flags);
370 md->md_ealgo = le16dec(p); p += sizeof(md->md_ealgo);
371 md->md_keylen = le16dec(p); p += sizeof(md->md_keylen);
372 md->md_aalgo = le16dec(p); p += sizeof(md->md_aalgo);
373 md->md_provsize = le64dec(p); p += sizeof(md->md_provsize);
374 md->md_sectorsize = le32dec(p); p += sizeof(md->md_sectorsize);
375 md->md_keys = *p; p += sizeof(md->md_keys);
376 md->md_iterations = le32dec(p); p += sizeof(md->md_iterations);
377 bcopy(p, md->md_salt, sizeof(md->md_salt)); p += sizeof(md->md_salt);
378 bcopy(p, md->md_mkeys, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys);
379 MD5Init(&ctx);
380 MD5Update(&ctx, data, p - data);
381 MD5Final((void *)hash, &ctx);
382 bcopy(hash, md->md_hash, sizeof(md->md_hash));
383 if (bcmp(md->md_hash, p, 16) != 0)
384 return (EINVAL);
385 return (0);
386 }
387 static __inline int
388 eli_metadata_decode(const u_char *data, struct g_eli_metadata *md)
389 {
390 int error;
391
392 bcopy(data, md->md_magic, sizeof(md->md_magic));
393 if (strcmp(md->md_magic, G_ELI_MAGIC) != 0)
394 return (EINVAL);
395 md->md_version = le32dec(data + sizeof(md->md_magic));
396 switch (md->md_version) {
397 case G_ELI_VERSION_00:
398 error = eli_metadata_decode_v0(data, md);
399 break;
400 case G_ELI_VERSION_01:
401 case G_ELI_VERSION_02:
402 case G_ELI_VERSION_03:
403 case G_ELI_VERSION_04:
404 case G_ELI_VERSION_05:
405 case G_ELI_VERSION_06:
406 case G_ELI_VERSION_07:
407 error = eli_metadata_decode_v1v2v3v4v5v6v7(data, md);
408 break;
409 default:
410 error = EOPNOTSUPP;
411 break;
412 }
413 return (error);
414 }
415 #endif /* !_OpenSSL */
416
417 static __inline u_int
418 g_eli_str2ealgo(const char *name)
419 {
420
421 if (strcasecmp("null", name) == 0)
422 return (CRYPTO_NULL_CBC);
423 else if (strcasecmp("null-cbc", name) == 0)
424 return (CRYPTO_NULL_CBC);
425 else if (strcasecmp("aes", name) == 0)
426 return (CRYPTO_AES_XTS);
427 else if (strcasecmp("aes-cbc", name) == 0)
428 return (CRYPTO_AES_CBC);
429 else if (strcasecmp("aes-xts", name) == 0)
430 return (CRYPTO_AES_XTS);
431 else if (strcasecmp("blowfish", name) == 0)
432 return (CRYPTO_BLF_CBC);
433 else if (strcasecmp("blowfish-cbc", name) == 0)
434 return (CRYPTO_BLF_CBC);
435 else if (strcasecmp("camellia", name) == 0)
436 return (CRYPTO_CAMELLIA_CBC);
437 else if (strcasecmp("camellia-cbc", name) == 0)
438 return (CRYPTO_CAMELLIA_CBC);
439 else if (strcasecmp("3des", name) == 0)
440 return (CRYPTO_3DES_CBC);
441 else if (strcasecmp("3des-cbc", name) == 0)
442 return (CRYPTO_3DES_CBC);
443 return (CRYPTO_ALGORITHM_MIN - 1);
444 }
445
446 static __inline u_int
447 g_eli_str2aalgo(const char *name)
448 {
449
450 if (strcasecmp("hmac/md5", name) == 0)
451 return (CRYPTO_MD5_HMAC);
452 else if (strcasecmp("hmac/sha1", name) == 0)
453 return (CRYPTO_SHA1_HMAC);
454 else if (strcasecmp("hmac/ripemd160", name) == 0)
455 return (CRYPTO_RIPEMD160_HMAC);
456 else if (strcasecmp("hmac/sha256", name) == 0)
457 return (CRYPTO_SHA2_256_HMAC);
458 else if (strcasecmp("hmac/sha384", name) == 0)
459 return (CRYPTO_SHA2_384_HMAC);
460 else if (strcasecmp("hmac/sha512", name) == 0)
461 return (CRYPTO_SHA2_512_HMAC);
462 return (CRYPTO_ALGORITHM_MIN - 1);
463 }
464
465 static __inline const char *
466 g_eli_algo2str(u_int algo)
467 {
468
469 switch (algo) {
470 case CRYPTO_NULL_CBC:
471 return ("NULL");
472 case CRYPTO_AES_CBC:
473 return ("AES-CBC");
474 case CRYPTO_AES_XTS:
475 return ("AES-XTS");
476 case CRYPTO_BLF_CBC:
477 return ("Blowfish-CBC");
478 case CRYPTO_CAMELLIA_CBC:
479 return ("CAMELLIA-CBC");
480 case CRYPTO_3DES_CBC:
481 return ("3DES-CBC");
482 case CRYPTO_MD5_HMAC:
483 return ("HMAC/MD5");
484 case CRYPTO_SHA1_HMAC:
485 return ("HMAC/SHA1");
486 case CRYPTO_RIPEMD160_HMAC:
487 return ("HMAC/RIPEMD160");
488 case CRYPTO_SHA2_256_HMAC:
489 return ("HMAC/SHA256");
490 case CRYPTO_SHA2_384_HMAC:
491 return ("HMAC/SHA384");
492 case CRYPTO_SHA2_512_HMAC:
493 return ("HMAC/SHA512");
494 }
495 return ("unknown");
496 }
497
498 static __inline void
499 eli_metadata_dump(const struct g_eli_metadata *md)
500 {
501 static const char hex[] = "0123456789abcdef";
502 char str[sizeof(md->md_mkeys) * 2 + 1];
503 u_int i;
504
505 printf(" magic: %s\n", md->md_magic);
506 printf(" version: %u\n", (u_int)md->md_version);
507 printf(" flags: 0x%x\n", (u_int)md->md_flags);
508 printf(" ealgo: %s\n", g_eli_algo2str(md->md_ealgo));
509 printf(" keylen: %u\n", (u_int)md->md_keylen);
510 if (md->md_flags & G_ELI_FLAG_AUTH)
511 printf(" aalgo: %s\n", g_eli_algo2str(md->md_aalgo));
512 printf(" provsize: %ju\n", (uintmax_t)md->md_provsize);
513 printf("sectorsize: %u\n", (u_int)md->md_sectorsize);
514 printf(" keys: 0x%02x\n", (u_int)md->md_keys);
515 printf("iterations: %d\n", (int)md->md_iterations);
516 bzero(str, sizeof(str));
517 for (i = 0; i < sizeof(md->md_salt); i++) {
518 str[i * 2] = hex[md->md_salt[i] >> 4];
519 str[i * 2 + 1] = hex[md->md_salt[i] & 0x0f];
520 }
521 printf(" Salt: %s\n", str);
522 bzero(str, sizeof(str));
523 for (i = 0; i < sizeof(md->md_mkeys); i++) {
524 str[i * 2] = hex[md->md_mkeys[i] >> 4];
525 str[i * 2 + 1] = hex[md->md_mkeys[i] & 0x0f];
526 }
527 printf("Master Key: %s\n", str);
528 bzero(str, sizeof(str));
529 for (i = 0; i < 16; i++) {
530 str[i * 2] = hex[md->md_hash[i] >> 4];
531 str[i * 2 + 1] = hex[md->md_hash[i] & 0x0f];
532 }
533 printf(" MD5 hash: %s\n", str);
534 }
535
536 static __inline u_int
537 g_eli_keylen(u_int algo, u_int keylen)
538 {
539
540 switch (algo) {
541 case CRYPTO_NULL_CBC:
542 if (keylen == 0)
543 keylen = 64 * 8;
544 else {
545 if (keylen > 64 * 8)
546 keylen = 0;
547 }
548 return (keylen);
549 case CRYPTO_AES_CBC:
550 case CRYPTO_CAMELLIA_CBC:
551 switch (keylen) {
552 case 0:
553 return (128);
554 case 128:
555 case 192:
556 case 256:
557 return (keylen);
558 default:
559 return (0);
560 }
561 case CRYPTO_AES_XTS:
562 switch (keylen) {
563 case 0:
564 return (128);
565 case 128:
566 case 256:
567 return (keylen);
568 default:
569 return (0);
570 }
571 case CRYPTO_BLF_CBC:
572 if (keylen == 0)
573 return (128);
574 if (keylen < 128 || keylen > 448)
575 return (0);
576 if ((keylen % 32) != 0)
577 return (0);
578 return (keylen);
579 case CRYPTO_3DES_CBC:
580 if (keylen == 0 || keylen == 192)
581 return (192);
582 return (0);
583 default:
584 return (0);
585 }
586 }
587
588 static __inline u_int
589 g_eli_hashlen(u_int algo)
590 {
591
592 switch (algo) {
593 case CRYPTO_MD5_HMAC:
594 return (16);
595 case CRYPTO_SHA1_HMAC:
596 return (20);
597 case CRYPTO_RIPEMD160_HMAC:
598 return (20);
599 case CRYPTO_SHA2_256_HMAC:
600 return (32);
601 case CRYPTO_SHA2_384_HMAC:
602 return (48);
603 case CRYPTO_SHA2_512_HMAC:
604 return (64);
605 }
606 return (0);
607 }
608
609 static __inline void
610 eli_metadata_softc(struct g_eli_softc *sc, const struct g_eli_metadata *md,
611 u_int sectorsize, off_t mediasize)
612 {
613
614 sc->sc_version = md->md_version;
615 sc->sc_inflight = 0;
616 sc->sc_crypto = G_ELI_CRYPTO_UNKNOWN;
617 sc->sc_flags = md->md_flags;
618 /* Backward compatibility. */
619 if (md->md_version < G_ELI_VERSION_04)
620 sc->sc_flags |= G_ELI_FLAG_NATIVE_BYTE_ORDER;
621 if (md->md_version < G_ELI_VERSION_05)
622 sc->sc_flags |= G_ELI_FLAG_SINGLE_KEY;
623 if (md->md_version < G_ELI_VERSION_06 &&
624 (sc->sc_flags & G_ELI_FLAG_AUTH) != 0) {
625 sc->sc_flags |= G_ELI_FLAG_FIRST_KEY;
626 }
627 if (md->md_version < G_ELI_VERSION_07)
628 sc->sc_flags |= G_ELI_FLAG_ENC_IVKEY;
629 sc->sc_ealgo = md->md_ealgo;
630
631 if (sc->sc_flags & G_ELI_FLAG_AUTH) {
632 sc->sc_akeylen = sizeof(sc->sc_akey) * 8;
633 sc->sc_aalgo = md->md_aalgo;
634 sc->sc_alen = g_eli_hashlen(sc->sc_aalgo);
635
636 sc->sc_data_per_sector = sectorsize - sc->sc_alen;
637 /*
638 * Some hash functions (like SHA1 and RIPEMD160) generates hash
639 * which length is not multiple of 128 bits, but we want data
640 * length to be multiple of 128, so we can encrypt without
641 * padding. The line below rounds down data length to multiple
642 * of 128 bits.
643 */
644 sc->sc_data_per_sector -= sc->sc_data_per_sector % 16;
645
646 sc->sc_bytes_per_sector =
647 (md->md_sectorsize - 1) / sc->sc_data_per_sector + 1;
648 sc->sc_bytes_per_sector *= sectorsize;
649 }
650 sc->sc_sectorsize = md->md_sectorsize;
651 sc->sc_mediasize = mediasize;
652 if (!(sc->sc_flags & G_ELI_FLAG_ONETIME))
653 sc->sc_mediasize -= sectorsize;
654 if (!(sc->sc_flags & G_ELI_FLAG_AUTH))
655 sc->sc_mediasize -= (sc->sc_mediasize % sc->sc_sectorsize);
656 else {
657 sc->sc_mediasize /= sc->sc_bytes_per_sector;
658 sc->sc_mediasize *= sc->sc_sectorsize;
659 }
660 sc->sc_ekeylen = md->md_keylen;
661 }
662
663 #ifdef _KERNEL
664 int g_eli_read_metadata(struct g_class *mp, struct g_provider *pp,
665 struct g_eli_metadata *md);
666 struct g_geom *g_eli_create(struct gctl_req *req, struct g_class *mp,
667 struct g_provider *bpp, const struct g_eli_metadata *md,
668 const u_char *mkey, int nkey);
669 int g_eli_destroy(struct g_eli_softc *sc, boolean_t force);
670
671 int g_eli_access(struct g_provider *pp, int dr, int dw, int de);
672 void g_eli_config(struct gctl_req *req, struct g_class *mp, const char *verb);
673
674 void g_eli_read_done(struct bio *bp);
675 void g_eli_write_done(struct bio *bp);
676 int g_eli_crypto_rerun(struct cryptop *crp);
677
678 void g_eli_crypto_read(struct g_eli_softc *sc, struct bio *bp, boolean_t fromworker);
679 void g_eli_crypto_run(struct g_eli_worker *wr, struct bio *bp);
680
681 void g_eli_auth_read(struct g_eli_softc *sc, struct bio *bp);
682 void g_eli_auth_run(struct g_eli_worker *wr, struct bio *bp);
683 #endif
684 void g_eli_crypto_ivgen(struct g_eli_softc *sc, off_t offset, u_char *iv,
685 size_t size);
686
687 void g_eli_mkey_hmac(unsigned char *mkey, const unsigned char *key);
688 int g_eli_mkey_decrypt(const struct g_eli_metadata *md,
689 const unsigned char *key, unsigned char *mkey, unsigned *nkeyp);
690 int g_eli_mkey_encrypt(unsigned algo, const unsigned char *key, unsigned keylen,
691 unsigned char *mkey);
692 #ifdef _KERNEL
693 void g_eli_mkey_propagate(struct g_eli_softc *sc, const unsigned char *mkey);
694 #endif
695
696 int g_eli_crypto_encrypt(u_int algo, u_char *data, size_t datasize,
697 const u_char *key, size_t keysize);
698 int g_eli_crypto_decrypt(u_int algo, u_char *data, size_t datasize,
699 const u_char *key, size_t keysize);
700
701 struct hmac_ctx {
702 SHA512_CTX innerctx;
703 SHA512_CTX outerctx;
704 };
705
706 void g_eli_crypto_hmac_init(struct hmac_ctx *ctx, const uint8_t *hkey,
707 size_t hkeylen);
708 void g_eli_crypto_hmac_update(struct hmac_ctx *ctx, const uint8_t *data,
709 size_t datasize);
710 void g_eli_crypto_hmac_final(struct hmac_ctx *ctx, uint8_t *md, size_t mdsize);
711 void g_eli_crypto_hmac(const uint8_t *hkey, size_t hkeysize,
712 const uint8_t *data, size_t datasize, uint8_t *md, size_t mdsize);
713
714 void g_eli_key_fill(struct g_eli_softc *sc, struct g_eli_key *key,
715 uint64_t keyno);
716 #ifdef _KERNEL
717 void g_eli_key_init(struct g_eli_softc *sc);
718 void g_eli_key_destroy(struct g_eli_softc *sc);
719 uint8_t *g_eli_key_hold(struct g_eli_softc *sc, off_t offset, size_t blocksize);
720 void g_eli_key_drop(struct g_eli_softc *sc, uint8_t *rawkey);
721 #endif
722 #endif /* !_G_ELI_H_ */
Cache object: 5ce315b7823b287a65c11ffb9dcf66e4
|