FreeBSD/Linux Kernel Cross Reference
sys/geom/eli/g_eli.h
1 /*-
2 * Copyright (c) 2005-2010 Pawel Jakub Dawidek <pjd@FreeBSD.org>
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24 * SUCH DAMAGE.
25 *
26 * $FreeBSD: releng/8.3/sys/geom/eli/g_eli.h 214405 2010-10-26 23:06:53Z pjd $
27 */
28
29 #ifndef _G_ELI_H_
30 #define _G_ELI_H_
31
32 #include <sys/endian.h>
33 #include <sys/errno.h>
34 #include <sys/malloc.h>
35 #include <crypto/sha2/sha2.h>
36 #include <opencrypto/cryptodev.h>
37 #ifdef _KERNEL
38 #include <sys/bio.h>
39 #include <sys/libkern.h>
40 #include <geom/geom.h>
41 #else
42 #include <stdio.h>
43 #include <string.h>
44 #include <strings.h>
45 #endif
46 #ifndef _OpenSSL_
47 #include <sys/md5.h>
48 #endif
49
50 #define G_ELI_CLASS_NAME "ELI"
51 #define G_ELI_MAGIC "GEOM::ELI"
52 #define G_ELI_SUFFIX ".eli"
53
54 /*
55 * Version history:
56 * 0 - Initial version number.
57 * 1 - Added data authentication support (md_aalgo field and
58 * G_ELI_FLAG_AUTH flag).
59 * 2 - Added G_ELI_FLAG_READONLY.
60 * 3 - Added 'configure' subcommand.
61 * 4 - IV is generated from offset converted to little-endian
62 * (flag G_ELI_FLAG_NATIVE_BYTE_ORDER will be set for older versions).
63 * 5 - Added multiple encrypton keys and AES-XTS support.
64 */
65 #define G_ELI_VERSION 5
66
67 /* ON DISK FLAGS. */
68 /* Use random, onetime keys. */
69 #define G_ELI_FLAG_ONETIME 0x00000001
70 /* Ask for the passphrase from the kernel, before mounting root. */
71 #define G_ELI_FLAG_BOOT 0x00000002
72 /* Detach on last close, if we were open for writing. */
73 #define G_ELI_FLAG_WO_DETACH 0x00000004
74 /* Detach on last close. */
75 #define G_ELI_FLAG_RW_DETACH 0x00000008
76 /* Provide data authentication. */
77 #define G_ELI_FLAG_AUTH 0x00000010
78 /* Provider is read-only, we should deny all write attempts. */
79 #define G_ELI_FLAG_RO 0x00000020
80 /* RUNTIME FLAGS. */
81 /* Provider was open for writing. */
82 #define G_ELI_FLAG_WOPEN 0x00010000
83 /* Destroy device. */
84 #define G_ELI_FLAG_DESTROY 0x00020000
85 /* Provider uses native byte-order for IV generation. */
86 #define G_ELI_FLAG_NATIVE_BYTE_ORDER 0x00040000
87 /* Provider uses single encryption key. */
88 #define G_ELI_FLAG_SINGLE_KEY 0x00080000
89 /* Device suspended. */
90 #define G_ELI_FLAG_SUSPEND 0x00100000
91
92 #define G_ELI_NEW_BIO 255
93
94 #define SHA512_MDLEN 64
95 #define G_ELI_AUTH_SECKEYLEN SHA256_DIGEST_LENGTH
96
97 #define G_ELI_MAXMKEYS 2
98 #define G_ELI_MAXKEYLEN 64
99 #define G_ELI_USERKEYLEN G_ELI_MAXKEYLEN
100 #define G_ELI_DATAKEYLEN G_ELI_MAXKEYLEN
101 #define G_ELI_AUTHKEYLEN G_ELI_MAXKEYLEN
102 #define G_ELI_IVKEYLEN G_ELI_MAXKEYLEN
103 #define G_ELI_SALTLEN 64
104 #define G_ELI_DATAIVKEYLEN (G_ELI_DATAKEYLEN + G_ELI_IVKEYLEN)
105 /* Data-Key, IV-Key, HMAC_SHA512(Derived-Key, Data-Key+IV-Key) */
106 #define G_ELI_MKEYLEN (G_ELI_DATAIVKEYLEN + SHA512_MDLEN)
107 #define G_ELI_OVERWRITES 5
108 /* Switch data encryption key every 2^20 blocks. */
109 #define G_ELI_KEY_SHIFT 20
110
111 #ifdef _KERNEL
112 extern int g_eli_debug;
113 extern u_int g_eli_overwrites;
114 extern u_int g_eli_batch;
115
116 #define G_ELI_CRYPTO_UNKNOWN 0
117 #define G_ELI_CRYPTO_HW 1
118 #define G_ELI_CRYPTO_SW 2
119
120 #define G_ELI_DEBUG(lvl, ...) do { \
121 if (g_eli_debug >= (lvl)) { \
122 printf("GEOM_ELI"); \
123 if (g_eli_debug > 0) \
124 printf("[%u]", lvl); \
125 printf(": "); \
126 printf(__VA_ARGS__); \
127 printf("\n"); \
128 } \
129 } while (0)
130 #define G_ELI_LOGREQ(lvl, bp, ...) do { \
131 if (g_eli_debug >= (lvl)) { \
132 printf("GEOM_ELI"); \
133 if (g_eli_debug > 0) \
134 printf("[%u]", lvl); \
135 printf(": "); \
136 printf(__VA_ARGS__); \
137 printf(" "); \
138 g_print_bio(bp); \
139 printf("\n"); \
140 } \
141 } while (0)
142
143 struct g_eli_worker {
144 struct g_eli_softc *w_softc;
145 struct proc *w_proc;
146 u_int w_number;
147 uint64_t w_sid;
148 boolean_t w_active;
149 LIST_ENTRY(g_eli_worker) w_next;
150 };
151
152 struct g_eli_softc {
153 struct g_geom *sc_geom;
154 u_int sc_crypto;
155 uint8_t sc_mkey[G_ELI_DATAIVKEYLEN];
156 uint8_t **sc_ekeys;
157 u_int sc_nekeys;
158 u_int sc_ealgo;
159 u_int sc_ekeylen;
160 uint8_t sc_akey[G_ELI_AUTHKEYLEN];
161 u_int sc_aalgo;
162 u_int sc_akeylen;
163 u_int sc_alen;
164 SHA256_CTX sc_akeyctx;
165 uint8_t sc_ivkey[G_ELI_IVKEYLEN];
166 SHA256_CTX sc_ivctx;
167 int sc_nkey;
168 uint32_t sc_flags;
169 int sc_inflight;
170 off_t sc_mediasize;
171 size_t sc_sectorsize;
172 u_int sc_bytes_per_sector;
173 u_int sc_data_per_sector;
174
175 /* Only for software cryptography. */
176 struct bio_queue_head sc_queue;
177 struct mtx sc_queue_mtx;
178 LIST_HEAD(, g_eli_worker) sc_workers;
179 };
180 #define sc_name sc_geom->name
181 #endif /* _KERNEL */
182
183 struct g_eli_metadata {
184 char md_magic[16]; /* Magic value. */
185 uint32_t md_version; /* Version number. */
186 uint32_t md_flags; /* Additional flags. */
187 uint16_t md_ealgo; /* Encryption algorithm. */
188 uint16_t md_keylen; /* Key length. */
189 uint16_t md_aalgo; /* Authentication algorithm. */
190 uint64_t md_provsize; /* Provider's size. */
191 uint32_t md_sectorsize; /* Sector size. */
192 uint8_t md_keys; /* Available keys. */
193 int32_t md_iterations; /* Number of iterations for PKCS#5v2. */
194 uint8_t md_salt[G_ELI_SALTLEN]; /* Salt. */
195 /* Encrypted master key (IV-key, Data-key, HMAC). */
196 uint8_t md_mkeys[G_ELI_MAXMKEYS * G_ELI_MKEYLEN];
197 u_char md_hash[16]; /* MD5 hash. */
198 } __packed;
199 #ifndef _OpenSSL_
200 static __inline void
201 eli_metadata_encode(struct g_eli_metadata *md, u_char *data)
202 {
203 MD5_CTX ctx;
204 u_char *p;
205
206 p = data;
207 bcopy(md->md_magic, p, sizeof(md->md_magic)); p += sizeof(md->md_magic);
208 le32enc(p, md->md_version); p += sizeof(md->md_version);
209 le32enc(p, md->md_flags); p += sizeof(md->md_flags);
210 le16enc(p, md->md_ealgo); p += sizeof(md->md_ealgo);
211 le16enc(p, md->md_keylen); p += sizeof(md->md_keylen);
212 le16enc(p, md->md_aalgo); p += sizeof(md->md_aalgo);
213 le64enc(p, md->md_provsize); p += sizeof(md->md_provsize);
214 le32enc(p, md->md_sectorsize); p += sizeof(md->md_sectorsize);
215 *p = md->md_keys; p += sizeof(md->md_keys);
216 le32enc(p, md->md_iterations); p += sizeof(md->md_iterations);
217 bcopy(md->md_salt, p, sizeof(md->md_salt)); p += sizeof(md->md_salt);
218 bcopy(md->md_mkeys, p, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys);
219 MD5Init(&ctx);
220 MD5Update(&ctx, data, p - data);
221 MD5Final(md->md_hash, &ctx);
222 bcopy(md->md_hash, p, sizeof(md->md_hash));
223 }
224 static __inline int
225 eli_metadata_decode_v0(const u_char *data, struct g_eli_metadata *md)
226 {
227 MD5_CTX ctx;
228 const u_char *p;
229
230 p = data + sizeof(md->md_magic) + sizeof(md->md_version);
231 md->md_flags = le32dec(p); p += sizeof(md->md_flags);
232 md->md_ealgo = le16dec(p); p += sizeof(md->md_ealgo);
233 md->md_keylen = le16dec(p); p += sizeof(md->md_keylen);
234 md->md_provsize = le64dec(p); p += sizeof(md->md_provsize);
235 md->md_sectorsize = le32dec(p); p += sizeof(md->md_sectorsize);
236 md->md_keys = *p; p += sizeof(md->md_keys);
237 md->md_iterations = le32dec(p); p += sizeof(md->md_iterations);
238 bcopy(p, md->md_salt, sizeof(md->md_salt)); p += sizeof(md->md_salt);
239 bcopy(p, md->md_mkeys, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys);
240 MD5Init(&ctx);
241 MD5Update(&ctx, data, p - data);
242 MD5Final(md->md_hash, &ctx);
243 if (bcmp(md->md_hash, p, 16) != 0)
244 return (EINVAL);
245 return (0);
246 }
247
248 static __inline int
249 eli_metadata_decode_v1v2v3v4v5(const u_char *data, struct g_eli_metadata *md)
250 {
251 MD5_CTX ctx;
252 const u_char *p;
253
254 p = data + sizeof(md->md_magic) + sizeof(md->md_version);
255 md->md_flags = le32dec(p); p += sizeof(md->md_flags);
256 md->md_ealgo = le16dec(p); p += sizeof(md->md_ealgo);
257 md->md_keylen = le16dec(p); p += sizeof(md->md_keylen);
258 md->md_aalgo = le16dec(p); p += sizeof(md->md_aalgo);
259 md->md_provsize = le64dec(p); p += sizeof(md->md_provsize);
260 md->md_sectorsize = le32dec(p); p += sizeof(md->md_sectorsize);
261 md->md_keys = *p; p += sizeof(md->md_keys);
262 md->md_iterations = le32dec(p); p += sizeof(md->md_iterations);
263 bcopy(p, md->md_salt, sizeof(md->md_salt)); p += sizeof(md->md_salt);
264 bcopy(p, md->md_mkeys, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys);
265 MD5Init(&ctx);
266 MD5Update(&ctx, data, p - data);
267 MD5Final(md->md_hash, &ctx);
268 if (bcmp(md->md_hash, p, 16) != 0)
269 return (EINVAL);
270 return (0);
271 }
272 static __inline int
273 eli_metadata_decode(const u_char *data, struct g_eli_metadata *md)
274 {
275 int error;
276
277 bcopy(data, md->md_magic, sizeof(md->md_magic));
278 md->md_version = le32dec(data + sizeof(md->md_magic));
279 switch (md->md_version) {
280 case 0:
281 error = eli_metadata_decode_v0(data, md);
282 break;
283 case 1:
284 case 2:
285 case 3:
286 case 4:
287 case 5:
288 error = eli_metadata_decode_v1v2v3v4v5(data, md);
289 break;
290 default:
291 error = EINVAL;
292 break;
293 }
294 return (error);
295 }
296 #endif /* !_OpenSSL */
297
298 static __inline u_int
299 g_eli_str2ealgo(const char *name)
300 {
301
302 if (strcasecmp("null", name) == 0)
303 return (CRYPTO_NULL_CBC);
304 else if (strcasecmp("null-cbc", name) == 0)
305 return (CRYPTO_NULL_CBC);
306 else if (strcasecmp("aes", name) == 0)
307 return (CRYPTO_AES_XTS);
308 else if (strcasecmp("aes-cbc", name) == 0)
309 return (CRYPTO_AES_CBC);
310 else if (strcasecmp("aes-xts", name) == 0)
311 return (CRYPTO_AES_XTS);
312 else if (strcasecmp("blowfish", name) == 0)
313 return (CRYPTO_BLF_CBC);
314 else if (strcasecmp("blowfish-cbc", name) == 0)
315 return (CRYPTO_BLF_CBC);
316 else if (strcasecmp("camellia", name) == 0)
317 return (CRYPTO_CAMELLIA_CBC);
318 else if (strcasecmp("camellia-cbc", name) == 0)
319 return (CRYPTO_CAMELLIA_CBC);
320 else if (strcasecmp("3des", name) == 0)
321 return (CRYPTO_3DES_CBC);
322 else if (strcasecmp("3des-cbc", name) == 0)
323 return (CRYPTO_3DES_CBC);
324 return (CRYPTO_ALGORITHM_MIN - 1);
325 }
326
327 static __inline u_int
328 g_eli_str2aalgo(const char *name)
329 {
330
331 if (strcasecmp("hmac/md5", name) == 0)
332 return (CRYPTO_MD5_HMAC);
333 else if (strcasecmp("hmac/sha1", name) == 0)
334 return (CRYPTO_SHA1_HMAC);
335 else if (strcasecmp("hmac/ripemd160", name) == 0)
336 return (CRYPTO_RIPEMD160_HMAC);
337 else if (strcasecmp("hmac/sha256", name) == 0)
338 return (CRYPTO_SHA2_256_HMAC);
339 else if (strcasecmp("hmac/sha384", name) == 0)
340 return (CRYPTO_SHA2_384_HMAC);
341 else if (strcasecmp("hmac/sha512", name) == 0)
342 return (CRYPTO_SHA2_512_HMAC);
343 return (CRYPTO_ALGORITHM_MIN - 1);
344 }
345
346 static __inline const char *
347 g_eli_algo2str(u_int algo)
348 {
349
350 switch (algo) {
351 case CRYPTO_NULL_CBC:
352 return ("NULL");
353 case CRYPTO_AES_CBC:
354 return ("AES-CBC");
355 case CRYPTO_AES_XTS:
356 return ("AES-XTS");
357 case CRYPTO_BLF_CBC:
358 return ("Blowfish-CBC");
359 case CRYPTO_CAMELLIA_CBC:
360 return ("CAMELLIA-CBC");
361 case CRYPTO_3DES_CBC:
362 return ("3DES-CBC");
363 case CRYPTO_MD5_HMAC:
364 return ("HMAC/MD5");
365 case CRYPTO_SHA1_HMAC:
366 return ("HMAC/SHA1");
367 case CRYPTO_RIPEMD160_HMAC:
368 return ("HMAC/RIPEMD160");
369 case CRYPTO_SHA2_256_HMAC:
370 return ("HMAC/SHA256");
371 case CRYPTO_SHA2_384_HMAC:
372 return ("HMAC/SHA384");
373 case CRYPTO_SHA2_512_HMAC:
374 return ("HMAC/SHA512");
375 }
376 return ("unknown");
377 }
378
379 static __inline void
380 eli_metadata_dump(const struct g_eli_metadata *md)
381 {
382 static const char hex[] = "0123456789abcdef";
383 char str[sizeof(md->md_mkeys) * 2 + 1];
384 u_int i;
385
386 printf(" magic: %s\n", md->md_magic);
387 printf(" version: %u\n", (u_int)md->md_version);
388 printf(" flags: 0x%x\n", (u_int)md->md_flags);
389 printf(" ealgo: %s\n", g_eli_algo2str(md->md_ealgo));
390 printf(" keylen: %u\n", (u_int)md->md_keylen);
391 if (md->md_flags & G_ELI_FLAG_AUTH)
392 printf(" aalgo: %s\n", g_eli_algo2str(md->md_aalgo));
393 printf(" provsize: %ju\n", (uintmax_t)md->md_provsize);
394 printf("sectorsize: %u\n", (u_int)md->md_sectorsize);
395 printf(" keys: 0x%02x\n", (u_int)md->md_keys);
396 printf("iterations: %u\n", (u_int)md->md_iterations);
397 bzero(str, sizeof(str));
398 for (i = 0; i < sizeof(md->md_salt); i++) {
399 str[i * 2] = hex[md->md_salt[i] >> 4];
400 str[i * 2 + 1] = hex[md->md_salt[i] & 0x0f];
401 }
402 printf(" Salt: %s\n", str);
403 bzero(str, sizeof(str));
404 for (i = 0; i < sizeof(md->md_mkeys); i++) {
405 str[i * 2] = hex[md->md_mkeys[i] >> 4];
406 str[i * 2 + 1] = hex[md->md_mkeys[i] & 0x0f];
407 }
408 printf("Master Key: %s\n", str);
409 bzero(str, sizeof(str));
410 for (i = 0; i < 16; i++) {
411 str[i * 2] = hex[md->md_hash[i] >> 4];
412 str[i * 2 + 1] = hex[md->md_hash[i] & 0x0f];
413 }
414 printf(" MD5 hash: %s\n", str);
415 }
416
417 static __inline u_int
418 g_eli_keylen(u_int algo, u_int keylen)
419 {
420
421 switch (algo) {
422 case CRYPTO_NULL_CBC:
423 if (keylen == 0)
424 keylen = 64 * 8;
425 else {
426 if (keylen > 64 * 8)
427 keylen = 0;
428 }
429 return (keylen);
430 case CRYPTO_AES_CBC:
431 case CRYPTO_CAMELLIA_CBC:
432 switch (keylen) {
433 case 0:
434 return (128);
435 case 128:
436 case 192:
437 case 256:
438 return (keylen);
439 default:
440 return (0);
441 }
442 case CRYPTO_AES_XTS:
443 switch (keylen) {
444 case 0:
445 return (128);
446 case 128:
447 case 256:
448 return (keylen);
449 default:
450 return (0);
451 }
452 case CRYPTO_BLF_CBC:
453 if (keylen == 0)
454 return (128);
455 if (keylen < 128 || keylen > 448)
456 return (0);
457 if ((keylen % 32) != 0)
458 return (0);
459 return (keylen);
460 case CRYPTO_3DES_CBC:
461 if (keylen == 0 || keylen == 192)
462 return (192);
463 return (0);
464 default:
465 return (0);
466 }
467 }
468
469 static __inline u_int
470 g_eli_hashlen(u_int algo)
471 {
472
473 switch (algo) {
474 case CRYPTO_MD5_HMAC:
475 return (16);
476 case CRYPTO_SHA1_HMAC:
477 return (20);
478 case CRYPTO_RIPEMD160_HMAC:
479 return (20);
480 case CRYPTO_SHA2_256_HMAC:
481 return (32);
482 case CRYPTO_SHA2_384_HMAC:
483 return (48);
484 case CRYPTO_SHA2_512_HMAC:
485 return (64);
486 }
487 return (0);
488 }
489
490 #ifdef _KERNEL
491 int g_eli_read_metadata(struct g_class *mp, struct g_provider *pp,
492 struct g_eli_metadata *md);
493 struct g_geom *g_eli_create(struct gctl_req *req, struct g_class *mp,
494 struct g_provider *bpp, const struct g_eli_metadata *md,
495 const u_char *mkey, int nkey);
496 int g_eli_destroy(struct g_eli_softc *sc, boolean_t force);
497
498 int g_eli_access(struct g_provider *pp, int dr, int dw, int de);
499 void g_eli_config(struct gctl_req *req, struct g_class *mp, const char *verb);
500
501 void g_eli_read_done(struct bio *bp);
502 void g_eli_write_done(struct bio *bp);
503 int g_eli_crypto_rerun(struct cryptop *crp);
504 uint8_t *g_eli_crypto_key(struct g_eli_softc *sc, off_t offset,
505 size_t blocksize);
506 void g_eli_crypto_ivgen(struct g_eli_softc *sc, off_t offset, u_char *iv,
507 size_t size);
508
509 void g_eli_crypto_read(struct g_eli_softc *sc, struct bio *bp, boolean_t fromworker);
510 void g_eli_crypto_run(struct g_eli_worker *wr, struct bio *bp);
511
512 void g_eli_auth_read(struct g_eli_softc *sc, struct bio *bp);
513 void g_eli_auth_run(struct g_eli_worker *wr, struct bio *bp);
514 #endif
515
516 void g_eli_mkey_hmac(unsigned char *mkey, const unsigned char *key);
517 int g_eli_mkey_decrypt(const struct g_eli_metadata *md,
518 const unsigned char *key, unsigned char *mkey, unsigned *nkeyp);
519 int g_eli_mkey_encrypt(unsigned algo, const unsigned char *key, unsigned keylen,
520 unsigned char *mkey);
521 #ifdef _KERNEL
522 void g_eli_mkey_propagate(struct g_eli_softc *sc, const unsigned char *mkey);
523 #endif
524
525 int g_eli_crypto_encrypt(u_int algo, u_char *data, size_t datasize,
526 const u_char *key, size_t keysize);
527 int g_eli_crypto_decrypt(u_int algo, u_char *data, size_t datasize,
528 const u_char *key, size_t keysize);
529
530 struct hmac_ctx {
531 SHA512_CTX shactx;
532 u_char k_opad[128];
533 };
534
535 void g_eli_crypto_hmac_init(struct hmac_ctx *ctx, const uint8_t *hkey,
536 size_t hkeylen);
537 void g_eli_crypto_hmac_update(struct hmac_ctx *ctx, const uint8_t *data,
538 size_t datasize);
539 void g_eli_crypto_hmac_final(struct hmac_ctx *ctx, uint8_t *md, size_t mdsize);
540 void g_eli_crypto_hmac(const uint8_t *hkey, size_t hkeysize,
541 const uint8_t *data, size_t datasize, uint8_t *md, size_t mdsize);
542 #endif /* !_G_ELI_H_ */
Cache object: b33882be87583f25b1f965d93506de8c
|