1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
|
/*-
* SPDX-License-Identifier: BSD-2-Clause-FreeBSD
*
* Copyright (c) 2005-2019 Pawel Jakub Dawidek <pawel@dawidek.net>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD$
*/
#ifndef _G_ELI_H_
#define _G_ELI_H_
#include <sys/endian.h>
#include <sys/errno.h>
#include <sys/malloc.h>
#include <crypto/sha2/sha256.h>
#include <crypto/sha2/sha512.h>
#include <opencrypto/cryptodev.h>
#ifdef _KERNEL
#include <sys/bio.h>
#include <sys/libkern.h>
#include <sys/lock.h>
#include <sys/mutex.h>
#include <geom/geom.h>
#include <crypto/intake.h>
#else
#include <assert.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#endif
#include <sys/queue.h>
#include <sys/tree.h>
#ifndef _OpenSSL_
#include <sys/md5.h>
#endif
#define G_ELI_CLASS_NAME "ELI"
#define G_ELI_MAGIC "GEOM::ELI"
#define G_ELI_SUFFIX ".eli"
/*
* Version history:
* 0 - Initial version number.
* 1 - Added data authentication support (md_aalgo field and
* G_ELI_FLAG_AUTH flag).
* 2 - Added G_ELI_FLAG_READONLY.
* 3 - Added 'configure' subcommand.
* 4 - IV is generated from offset converted to little-endian
* (the G_ELI_FLAG_NATIVE_BYTE_ORDER flag will be set for older versions).
* 5 - Added multiple encrypton keys and AES-XTS support.
* 6 - Fixed usage of multiple keys for authenticated providers (the
* G_ELI_FLAG_FIRST_KEY flag will be set for older versions).
* 7 - Encryption keys are now generated from the Data Key and not from the
* IV Key (the G_ELI_FLAG_ENC_IVKEY flag will be set for older versions).
*/
#define G_ELI_VERSION_00 0
#define G_ELI_VERSION_01 1
#define G_ELI_VERSION_02 2
#define G_ELI_VERSION_03 3
#define G_ELI_VERSION_04 4
#define G_ELI_VERSION_05 5
#define G_ELI_VERSION_06 6
#define G_ELI_VERSION_07 7
#define G_ELI_VERSION G_ELI_VERSION_07
/* ON DISK FLAGS. */
/* Use random, onetime keys. */
#define G_ELI_FLAG_ONETIME 0x00000001
/* Ask for the passphrase from the kernel, before mounting root. */
#define G_ELI_FLAG_BOOT 0x00000002
/* Detach on last close, if we were open for writing. */
#define G_ELI_FLAG_WO_DETACH 0x00000004
/* Detach on last close. */
#define G_ELI_FLAG_RW_DETACH 0x00000008
/* Provide data authentication. */
#define G_ELI_FLAG_AUTH 0x00000010
/* Provider is read-only, we should deny all write attempts. */
#define G_ELI_FLAG_RO 0x00000020
/* Don't pass through BIO_DELETE requests. */
#define G_ELI_FLAG_NODELETE 0x00000040
/* This GELI supports GELIBoot */
#define G_ELI_FLAG_GELIBOOT 0x00000080
/* Hide passphrase length in GELIboot. */
#define G_ELI_FLAG_GELIDISPLAYPASS 0x00000100
/* Expand provider automatically. */
#define G_ELI_FLAG_AUTORESIZE 0x00000200
/* RUNTIME FLAGS. */
/* Provider was open for writing. */
#define G_ELI_FLAG_WOPEN 0x00010000
/* Destroy device. */
#define G_ELI_FLAG_DESTROY 0x00020000
/* Provider uses native byte-order for IV generation. */
#define G_ELI_FLAG_NATIVE_BYTE_ORDER 0x00040000
/* Provider uses single encryption key. */
#define G_ELI_FLAG_SINGLE_KEY 0x00080000
/* Device suspended. */
#define G_ELI_FLAG_SUSPEND 0x00100000
/* Provider uses first encryption key. */
#define G_ELI_FLAG_FIRST_KEY 0x00200000
/* Provider uses IV-Key for encryption key generation. */
#define G_ELI_FLAG_ENC_IVKEY 0x00400000
#define G_ELI_NEW_BIO 255
#define SHA512_MDLEN 64
#define G_ELI_AUTH_SECKEYLEN SHA256_DIGEST_LENGTH
#define G_ELI_MAXMKEYS 2
#define G_ELI_MAXKEYLEN 64
#define G_ELI_USERKEYLEN G_ELI_MAXKEYLEN
#define G_ELI_DATAKEYLEN G_ELI_MAXKEYLEN
#define G_ELI_AUTHKEYLEN G_ELI_MAXKEYLEN
#define G_ELI_IVKEYLEN G_ELI_MAXKEYLEN
#define G_ELI_SALTLEN 64
#define G_ELI_DATAIVKEYLEN (G_ELI_DATAKEYLEN + G_ELI_IVKEYLEN)
/* Data-Key, IV-Key, HMAC_SHA512(Derived-Key, Data-Key+IV-Key) */
#define G_ELI_MKEYLEN (G_ELI_DATAIVKEYLEN + SHA512_MDLEN)
#define G_ELI_OVERWRITES 5
/* Switch data encryption key every 2^20 blocks. */
#define G_ELI_KEY_SHIFT 20
#define G_ELI_CRYPTO_UNKNOWN 0
#define G_ELI_CRYPTO_HW 1
#define G_ELI_CRYPTO_SW 2
#ifdef _KERNEL
#if (MAX_KEY_BYTES < G_ELI_DATAIVKEYLEN)
#error "MAX_KEY_BYTES is less than G_ELI_DATAKEYLEN"
#endif
extern int g_eli_debug;
extern u_int g_eli_overwrites;
extern u_int g_eli_batch;
#define G_ELI_DEBUG(lvl, ...) \
_GEOM_DEBUG("GEOM_ELI", g_eli_debug, (lvl), NULL, __VA_ARGS__)
#define G_ELI_LOGREQ(lvl, bp, ...) \
_GEOM_DEBUG("GEOM_ELI", g_eli_debug, (lvl), (bp), __VA_ARGS__)
struct g_eli_worker {
struct g_eli_softc *w_softc;
struct proc *w_proc;
void *w_first_key;
u_int w_number;
crypto_session_t w_sid;
boolean_t w_active;
LIST_ENTRY(g_eli_worker) w_next;
};
#endif /* _KERNEL */
struct g_eli_softc {
struct g_geom *sc_geom;
u_int sc_version;
u_int sc_crypto;
uint8_t sc_mkey[G_ELI_DATAIVKEYLEN];
uint8_t sc_ekey[G_ELI_DATAKEYLEN];
TAILQ_HEAD(, g_eli_key) sc_ekeys_queue;
RB_HEAD(g_eli_key_tree, g_eli_key) sc_ekeys_tree;
struct mtx sc_ekeys_lock;
uint64_t sc_ekeys_total;
uint64_t sc_ekeys_allocated;
u_int sc_ealgo;
u_int sc_ekeylen;
uint8_t sc_akey[G_ELI_AUTHKEYLEN];
u_int sc_aalgo;
u_int sc_akeylen;
u_int sc_alen;
SHA256_CTX sc_akeyctx;
uint8_t sc_ivkey[G_ELI_IVKEYLEN];
SHA256_CTX sc_ivctx;
int sc_nkey;
uint32_t sc_flags;
int sc_inflight;
off_t sc_mediasize;
size_t sc_sectorsize;
off_t sc_provsize;
u_int sc_bytes_per_sector;
u_int sc_data_per_sector;
#ifndef _KERNEL
int sc_cpubind;
#else /* _KERNEL */
boolean_t sc_cpubind;
/* Only for software cryptography. */
struct bio_queue_head sc_queue;
struct mtx sc_queue_mtx;
LIST_HEAD(, g_eli_worker) sc_workers;
#endif /* _KERNEL */
};
#define sc_name sc_geom->name
#define G_ELI_KEY_MAGIC 0xe11341c
struct g_eli_key {
/* Key value, must be first in the structure. */
uint8_t gek_key[G_ELI_DATAKEYLEN];
/* Magic. */
int gek_magic;
/* Key number. */
uint64_t gek_keyno;
/* Reference counter. */
int gek_count;
/* Keeps keys sorted by most recent use. */
TAILQ_ENTRY(g_eli_key) gek_next;
/* Keeps keys sorted by number. */
RB_ENTRY(g_eli_key) gek_link;
};
struct g_eli_metadata {
char md_magic[16]; /* Magic value. */
uint32_t md_version; /* Version number. */
uint32_t md_flags; /* Additional flags. */
uint16_t md_ealgo; /* Encryption algorithm. */
uint16_t md_keylen; /* Key length. */
uint16_t md_aalgo; /* Authentication algorithm. */
uint64_t md_provsize; /* Provider's size. */
uint32_t md_sectorsize; /* Sector size. */
uint8_t md_keys; /* Available keys. */
int32_t md_iterations; /* Number of iterations for PKCS#5v2. */
uint8_t md_salt[G_ELI_SALTLEN]; /* Salt. */
/* Encrypted master key (IV-key, Data-key, HMAC). */
uint8_t md_mkeys[G_ELI_MAXMKEYS * G_ELI_MKEYLEN];
u_char md_hash[16]; /* MD5 hash. */
} __packed;
#ifndef _OpenSSL_
static __inline void
eli_metadata_encode_v0(struct g_eli_metadata *md, u_char **datap)
{
u_char *p;
p = *datap;
le32enc(p, md->md_flags); p += sizeof(md->md_flags);
le16enc(p, md->md_ealgo); p += sizeof(md->md_ealgo);
le16enc(p, md->md_keylen); p += sizeof(md->md_keylen);
le64enc(p, md->md_provsize); p += sizeof(md->md_provsize);
le32enc(p, md->md_sectorsize); p += sizeof(md->md_sectorsize);
*p = md->md_keys; p += sizeof(md->md_keys);
le32enc(p, md->md_iterations); p += sizeof(md->md_iterations);
bcopy(md->md_salt, p, sizeof(md->md_salt)); p += sizeof(md->md_salt);
bcopy(md->md_mkeys, p, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys);
*datap = p;
}
static __inline void
eli_metadata_encode_v1v2v3v4v5v6v7(struct g_eli_metadata *md, u_char **datap)
{
u_char *p;
p = *datap;
le32enc(p, md->md_flags); p += sizeof(md->md_flags);
le16enc(p, md->md_ealgo); p += sizeof(md->md_ealgo);
le16enc(p, md->md_keylen); p += sizeof(md->md_keylen);
le16enc(p, md->md_aalgo); p += sizeof(md->md_aalgo);
le64enc(p, md->md_provsize); p += sizeof(md->md_provsize);
le32enc(p, md->md_sectorsize); p += sizeof(md->md_sectorsize);
*p = md->md_keys; p += sizeof(md->md_keys);
le32enc(p, md->md_iterations); p += sizeof(md->md_iterations);
bcopy(md->md_salt, p, sizeof(md->md_salt)); p += sizeof(md->md_salt);
bcopy(md->md_mkeys, p, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys);
*datap = p;
}
static __inline void
eli_metadata_encode(struct g_eli_metadata *md, u_char *data)
{
uint32_t hash[4];
MD5_CTX ctx;
u_char *p;
p = data;
bcopy(md->md_magic, p, sizeof(md->md_magic));
p += sizeof(md->md_magic);
le32enc(p, md->md_version);
p += sizeof(md->md_version);
switch (md->md_version) {
case G_ELI_VERSION_00:
eli_metadata_encode_v0(md, &p);
break;
case G_ELI_VERSION_01:
case G_ELI_VERSION_02:
case G_ELI_VERSION_03:
case G_ELI_VERSION_04:
case G_ELI_VERSION_05:
case G_ELI_VERSION_06:
case G_ELI_VERSION_07:
eli_metadata_encode_v1v2v3v4v5v6v7(md, &p);
break;
default:
#ifdef _KERNEL
panic("%s: Unsupported version %u.", __func__,
(u_int)md->md_version);
#else
assert(!"Unsupported metadata version.");
#endif
}
MD5Init(&ctx);
MD5Update(&ctx, data, p - data);
MD5Final((void *)hash, &ctx);
bcopy(hash, md->md_hash, sizeof(md->md_hash));
bcopy(md->md_hash, p, sizeof(md->md_hash));
}
static __inline int
eli_metadata_decode_v0(const u_char *data, struct g_eli_metadata *md)
{
uint32_t hash[4];
MD5_CTX ctx;
const u_char *p;
p = data + sizeof(md->md_magic) + sizeof(md->md_version);
md->md_flags = le32dec(p); p += sizeof(md->md_flags);
md->md_ealgo = le16dec(p); p += sizeof(md->md_ealgo);
md->md_keylen = le16dec(p); p += sizeof(md->md_keylen);
md->md_provsize = le64dec(p); p += sizeof(md->md_provsize);
md->md_sectorsize = le32dec(p); p += sizeof(md->md_sectorsize);
md->md_keys = *p; p += sizeof(md->md_keys);
md->md_iterations = le32dec(p); p += sizeof(md->md_iterations);
bcopy(p, md->md_salt, sizeof(md->md_salt)); p += sizeof(md->md_salt);
bcopy(p, md->md_mkeys, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys);
MD5Init(&ctx);
MD5Update(&ctx, data, p - data);
MD5Final((void *)hash, &ctx);
bcopy(hash, md->md_hash, sizeof(md->md_hash));
if (bcmp(md->md_hash, p, 16) != 0)
return (EINVAL);
return (0);
}
static __inline int
eli_metadata_decode_v1v2v3v4v5v6v7(const u_char *data, struct g_eli_metadata *md)
{
uint32_t hash[4];
MD5_CTX ctx;
const u_char *p;
p = data + sizeof(md->md_magic) + sizeof(md->md_version);
md->md_flags = le32dec(p); p += sizeof(md->md_flags);
md->md_ealgo = le16dec(p); p += sizeof(md->md_ealgo);
md->md_keylen = le16dec(p); p += sizeof(md->md_keylen);
md->md_aalgo = le16dec(p); p += sizeof(md->md_aalgo);
md->md_provsize = le64dec(p); p += sizeof(md->md_provsize);
md->md_sectorsize = le32dec(p); p += sizeof(md->md_sectorsize);
md->md_keys = *p; p += sizeof(md->md_keys);
md->md_iterations = le32dec(p); p += sizeof(md->md_iterations);
bcopy(p, md->md_salt, sizeof(md->md_salt)); p += sizeof(md->md_salt);
bcopy(p, md->md_mkeys, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys);
MD5Init(&ctx);
MD5Update(&ctx, data, p - data);
MD5Final((void *)hash, &ctx);
bcopy(hash, md->md_hash, sizeof(md->md_hash));
if (bcmp(md->md_hash, p, 16) != 0)
return (EINVAL);
return (0);
}
static __inline int
eli_metadata_decode(const u_char *data, struct g_eli_metadata *md)
{
int error;
bcopy(data, md->md_magic, sizeof(md->md_magic));
if (strcmp(md->md_magic, G_ELI_MAGIC) != 0)
return (EINVAL);
md->md_version = le32dec(data + sizeof(md->md_magic));
switch (md->md_version) {
case G_ELI_VERSION_00:
error = eli_metadata_decode_v0(data, md);
break;
case G_ELI_VERSION_01:
case G_ELI_VERSION_02:
case G_ELI_VERSION_03:
case G_ELI_VERSION_04:
case G_ELI_VERSION_05:
case G_ELI_VERSION_06:
case G_ELI_VERSION_07:
error = eli_metadata_decode_v1v2v3v4v5v6v7(data, md);
break;
default:
error = EOPNOTSUPP;
break;
}
return (error);
}
#endif /* !_OpenSSL */
static __inline u_int
g_eli_str2ealgo(const char *name)
{
if (strcasecmp("null", name) == 0)
return (CRYPTO_NULL_CBC);
else if (strcasecmp("null-cbc", name) == 0)
return (CRYPTO_NULL_CBC);
else if (strcasecmp("aes", name) == 0)
return (CRYPTO_AES_XTS);
else if (strcasecmp("aes-cbc", name) == 0)
return (CRYPTO_AES_CBC);
else if (strcasecmp("aes-xts", name) == 0)
return (CRYPTO_AES_XTS);
else if (strcasecmp("blowfish", name) == 0)
return (CRYPTO_BLF_CBC);
else if (strcasecmp("blowfish-cbc", name) == 0)
return (CRYPTO_BLF_CBC);
else if (strcasecmp("camellia", name) == 0)
return (CRYPTO_CAMELLIA_CBC);
else if (strcasecmp("camellia-cbc", name) == 0)
return (CRYPTO_CAMELLIA_CBC);
else if (strcasecmp("3des", name) == 0)
return (CRYPTO_3DES_CBC);
else if (strcasecmp("3des-cbc", name) == 0)
return (CRYPTO_3DES_CBC);
return (CRYPTO_ALGORITHM_MIN - 1);
}
static __inline u_int
g_eli_str2aalgo(const char *name)
{
if (strcasecmp("hmac/md5", name) == 0)
return (CRYPTO_MD5_HMAC);
else if (strcasecmp("hmac/sha1", name) == 0)
return (CRYPTO_SHA1_HMAC);
else if (strcasecmp("hmac/ripemd160", name) == 0)
return (CRYPTO_RIPEMD160_HMAC);
else if (strcasecmp("hmac/sha256", name) == 0)
return (CRYPTO_SHA2_256_HMAC);
else if (strcasecmp("hmac/sha384", name) == 0)
return (CRYPTO_SHA2_384_HMAC);
else if (strcasecmp("hmac/sha512", name) == 0)
return (CRYPTO_SHA2_512_HMAC);
return (CRYPTO_ALGORITHM_MIN - 1);
}
static __inline const char *
g_eli_algo2str(u_int algo)
{
switch (algo) {
case CRYPTO_NULL_CBC:
return ("NULL");
case CRYPTO_AES_CBC:
return ("AES-CBC");
case CRYPTO_AES_XTS:
return ("AES-XTS");
case CRYPTO_BLF_CBC:
return ("Blowfish-CBC");
case CRYPTO_CAMELLIA_CBC:
return ("CAMELLIA-CBC");
case CRYPTO_3DES_CBC:
return ("3DES-CBC");
case CRYPTO_MD5_HMAC:
return ("HMAC/MD5");
case CRYPTO_SHA1_HMAC:
return ("HMAC/SHA1");
case CRYPTO_RIPEMD160_HMAC:
return ("HMAC/RIPEMD160");
case CRYPTO_SHA2_256_HMAC:
return ("HMAC/SHA256");
case CRYPTO_SHA2_384_HMAC:
return ("HMAC/SHA384");
case CRYPTO_SHA2_512_HMAC:
return ("HMAC/SHA512");
}
return ("unknown");
}
static __inline void
eli_metadata_dump(const struct g_eli_metadata *md)
{
static const char hex[] = "0123456789abcdef";
char str[sizeof(md->md_mkeys) * 2 + 1];
u_int i;
printf(" magic: %s\n", md->md_magic);
printf(" version: %u\n", (u_int)md->md_version);
printf(" flags: 0x%x\n", (u_int)md->md_flags);
printf(" ealgo: %s\n", g_eli_algo2str(md->md_ealgo));
printf(" keylen: %u\n", (u_int)md->md_keylen);
if (md->md_flags & G_ELI_FLAG_AUTH)
printf(" aalgo: %s\n", g_eli_algo2str(md->md_aalgo));
printf(" provsize: %ju\n", (uintmax_t)md->md_provsize);
printf("sectorsize: %u\n", (u_int)md->md_sectorsize);
printf(" keys: 0x%02x\n", (u_int)md->md_keys);
printf("iterations: %d\n", (int)md->md_iterations);
bzero(str, sizeof(str));
for (i = 0; i < sizeof(md->md_salt); i++) {
str[i * 2] = hex[md->md_salt[i] >> 4];
str[i * 2 + 1] = hex[md->md_salt[i] & 0x0f];
}
printf(" Salt: %s\n", str);
bzero(str, sizeof(str));
for (i = 0; i < sizeof(md->md_mkeys); i++) {
str[i * 2] = hex[md->md_mkeys[i] >> 4];
str[i * 2 + 1] = hex[md->md_mkeys[i] & 0x0f];
}
printf("Master Key: %s\n", str);
bzero(str, sizeof(str));
for (i = 0; i < 16; i++) {
str[i * 2] = hex[md->md_hash[i] >> 4];
str[i * 2 + 1] = hex[md->md_hash[i] & 0x0f];
}
printf(" MD5 hash: %s\n", str);
}
static __inline u_int
g_eli_keylen(u_int algo, u_int keylen)
{
switch (algo) {
case CRYPTO_NULL_CBC:
if (keylen == 0)
keylen = 64 * 8;
else {
if (keylen > 64 * 8)
keylen = 0;
}
return (keylen);
case CRYPTO_AES_CBC:
case CRYPTO_CAMELLIA_CBC:
switch (keylen) {
case 0:
return (128);
case 128:
case 192:
case 256:
return (keylen);
default:
return (0);
}
case CRYPTO_AES_XTS:
switch (keylen) {
case 0:
return (128);
case 128:
case 256:
return (keylen);
default:
return (0);
}
case CRYPTO_BLF_CBC:
if (keylen == 0)
return (128);
if (keylen < 128 || keylen > 448)
return (0);
if ((keylen % 32) != 0)
return (0);
return (keylen);
case CRYPTO_3DES_CBC:
if (keylen == 0 || keylen == 192)
return (192);
return (0);
default:
return (0);
}
}
static __inline u_int
g_eli_ivlen(u_int algo)
{
switch (algo) {
case CRYPTO_AES_XTS:
return (AES_XTS_IV_LEN);
case CRYPTO_AES_CBC:
return (AES_BLOCK_LEN);
case CRYPTO_BLF_CBC:
return (BLOWFISH_BLOCK_LEN);
case CRYPTO_CAMELLIA_CBC:
return (CAMELLIA_BLOCK_LEN);
case CRYPTO_3DES_CBC:
return (DES3_BLOCK_LEN);
}
return (0);
}
static __inline u_int
g_eli_hashlen(u_int algo)
{
switch (algo) {
case CRYPTO_MD5_HMAC:
return (16);
case CRYPTO_SHA1_HMAC:
return (20);
case CRYPTO_RIPEMD160_HMAC:
return (20);
case CRYPTO_SHA2_256_HMAC:
return (32);
case CRYPTO_SHA2_384_HMAC:
return (48);
case CRYPTO_SHA2_512_HMAC:
return (64);
}
return (0);
}
static __inline off_t
eli_mediasize(const struct g_eli_softc *sc, off_t mediasize, u_int sectorsize)
{
if ((sc->sc_flags & G_ELI_FLAG_ONETIME) == 0) {
mediasize -= sectorsize;
}
if ((sc->sc_flags & G_ELI_FLAG_AUTH) == 0) {
mediasize -= (mediasize % sc->sc_sectorsize);
} else {
mediasize /= sc->sc_bytes_per_sector;
mediasize *= sc->sc_sectorsize;
}
return (mediasize);
}
static __inline void
eli_metadata_softc(struct g_eli_softc *sc, const struct g_eli_metadata *md,
u_int sectorsize, off_t mediasize)
{
sc->sc_version = md->md_version;
sc->sc_inflight = 0;
sc->sc_crypto = G_ELI_CRYPTO_UNKNOWN;
sc->sc_flags = md->md_flags;
/* Backward compatibility. */
if (md->md_version < G_ELI_VERSION_04)
sc->sc_flags |= G_ELI_FLAG_NATIVE_BYTE_ORDER;
if (md->md_version < G_ELI_VERSION_05)
sc->sc_flags |= G_ELI_FLAG_SINGLE_KEY;
if (md->md_version < G_ELI_VERSION_06 &&
(sc->sc_flags & G_ELI_FLAG_AUTH) != 0) {
sc->sc_flags |= G_ELI_FLAG_FIRST_KEY;
}
if (md->md_version < G_ELI_VERSION_07)
sc->sc_flags |= G_ELI_FLAG_ENC_IVKEY;
sc->sc_ealgo = md->md_ealgo;
if (sc->sc_flags & G_ELI_FLAG_AUTH) {
sc->sc_akeylen = sizeof(sc->sc_akey) * 8;
sc->sc_aalgo = md->md_aalgo;
sc->sc_alen = g_eli_hashlen(sc->sc_aalgo);
sc->sc_data_per_sector = sectorsize - sc->sc_alen;
/*
* Some hash functions (like SHA1 and RIPEMD160) generates hash
* which length is not multiple of 128 bits, but we want data
* length to be multiple of 128, so we can encrypt without
* padding. The line below rounds down data length to multiple
* of 128 bits.
*/
sc->sc_data_per_sector -= sc->sc_data_per_sector % 16;
sc->sc_bytes_per_sector =
(md->md_sectorsize - 1) / sc->sc_data_per_sector + 1;
sc->sc_bytes_per_sector *= sectorsize;
}
sc->sc_provsize = mediasize;
sc->sc_sectorsize = md->md_sectorsize;
sc->sc_mediasize = eli_mediasize(sc, mediasize, sectorsize);
sc->sc_ekeylen = md->md_keylen;
}
#ifdef _KERNEL
int g_eli_read_metadata(struct g_class *mp, struct g_provider *pp,
struct g_eli_metadata *md);
struct g_geom *g_eli_create(struct gctl_req *req, struct g_class *mp,
struct g_provider *bpp, const struct g_eli_metadata *md,
const u_char *mkey, int nkey);
int g_eli_destroy(struct g_eli_softc *sc, boolean_t force);
int g_eli_access(struct g_provider *pp, int dr, int dw, int de);
void g_eli_config(struct gctl_req *req, struct g_class *mp, const char *verb);
void g_eli_read_done(struct bio *bp);
void g_eli_write_done(struct bio *bp);
int g_eli_crypto_rerun(struct cryptop *crp);
void g_eli_crypto_read(struct g_eli_softc *sc, struct bio *bp, boolean_t fromworker);
void g_eli_crypto_run(struct g_eli_worker *wr, struct bio *bp);
void g_eli_auth_read(struct g_eli_softc *sc, struct bio *bp);
void g_eli_auth_run(struct g_eli_worker *wr, struct bio *bp);
#endif
void g_eli_crypto_ivgen(struct g_eli_softc *sc, off_t offset, u_char *iv,
size_t size);
void g_eli_mkey_hmac(unsigned char *mkey, const unsigned char *key);
int g_eli_mkey_decrypt(const struct g_eli_metadata *md,
const unsigned char *key, unsigned char *mkey, unsigned keyp);
int g_eli_mkey_decrypt_any(const struct g_eli_metadata *md,
const unsigned char *key, unsigned char *mkey, unsigned *nkeyp);
int g_eli_mkey_encrypt(unsigned algo, const unsigned char *key, unsigned keylen,
unsigned char *mkey);
#ifdef _KERNEL
void g_eli_mkey_propagate(struct g_eli_softc *sc, const unsigned char *mkey);
#endif
int g_eli_crypto_encrypt(u_int algo, u_char *data, size_t datasize,
const u_char *key, size_t keysize);
int g_eli_crypto_decrypt(u_int algo, u_char *data, size_t datasize,
const u_char *key, size_t keysize);
struct hmac_ctx {
SHA512_CTX innerctx;
SHA512_CTX outerctx;
};
void g_eli_crypto_hmac_init(struct hmac_ctx *ctx, const char *hkey,
size_t hkeylen);
void g_eli_crypto_hmac_update(struct hmac_ctx *ctx, const uint8_t *data,
size_t datasize);
void g_eli_crypto_hmac_final(struct hmac_ctx *ctx, uint8_t *md, size_t mdsize);
void g_eli_crypto_hmac(const char *hkey, size_t hkeysize,
const uint8_t *data, size_t datasize, uint8_t *md, size_t mdsize);
void g_eli_key_fill(struct g_eli_softc *sc, struct g_eli_key *key,
uint64_t keyno);
#ifdef _KERNEL
void g_eli_key_init(struct g_eli_softc *sc);
void g_eli_key_destroy(struct g_eli_softc *sc);
void g_eli_key_resize(struct g_eli_softc *sc);
uint8_t *g_eli_key_hold(struct g_eli_softc *sc, off_t offset, size_t blocksize);
void g_eli_key_drop(struct g_eli_softc *sc, uint8_t *rawkey);
#endif
#endif /* !_G_ELI_H_ */
|
