master
1/*-
2 * SPDX-License-Identifier: BSD-2-Clause
3 *
4 * Copyright (c) 2005-2019 Pawel Jakub Dawidek <pawel@dawidek.net>
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 *
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 * SUCH DAMAGE.
27 */
28
29#ifndef _G_ELI_H_
30#define _G_ELI_H_
31
32#include <sys/endian.h>
33#include <sys/errno.h>
34#include <sys/malloc.h>
35#include <crypto/sha2/sha256.h>
36#include <crypto/sha2/sha512.h>
37#include <opencrypto/cryptodev.h>
38#ifdef _KERNEL
39#include <sys/bio.h>
40#include <sys/libkern.h>
41#include <sys/lock.h>
42#include <sys/mutex.h>
43#include <geom/geom.h>
44#include <crypto/intake.h>
45#else
46#include <assert.h>
47#include <stdio.h>
48#include <string.h>
49#include <strings.h>
50#endif
51#include <sys/queue.h>
52#include <sys/tree.h>
53#ifndef _OpenSSL_
54#include <sys/md5.h>
55#endif
56
57#define G_ELI_CLASS_NAME "ELI"
58#define G_ELI_MAGIC "GEOM::ELI"
59#define G_ELI_SUFFIX ".eli"
60
61/*
62 * Version history:
63 * 0 - Initial version number.
64 * 1 - Added data authentication support (md_aalgo field and
65 * G_ELI_FLAG_AUTH flag).
66 * 2 - Added G_ELI_FLAG_READONLY.
67 * 3 - Added 'configure' subcommand.
68 * 4 - IV is generated from offset converted to little-endian
69 * (the G_ELI_FLAG_NATIVE_BYTE_ORDER flag will be set for older versions).
70 * 5 - Added multiple encrypton keys and AES-XTS support.
71 * 6 - Fixed usage of multiple keys for authenticated providers (the
72 * G_ELI_FLAG_FIRST_KEY flag will be set for older versions).
73 * 7 - Encryption keys are now generated from the Data Key and not from the
74 * IV Key (the G_ELI_FLAG_ENC_IVKEY flag will be set for older versions).
75 */
76#define G_ELI_VERSION_00 0
77#define G_ELI_VERSION_01 1
78#define G_ELI_VERSION_02 2
79#define G_ELI_VERSION_03 3
80#define G_ELI_VERSION_04 4
81#define G_ELI_VERSION_05 5
82#define G_ELI_VERSION_06 6
83#define G_ELI_VERSION_07 7
84#define G_ELI_VERSION G_ELI_VERSION_07
85
86/* ON DISK FLAGS. */
87/* Use random, onetime keys. */
88#define G_ELI_FLAG_ONETIME 0x00000001
89/* Ask for the passphrase from the kernel, before mounting root. */
90#define G_ELI_FLAG_BOOT 0x00000002
91/* Detach on last close, if we were open for writing. */
92#define G_ELI_FLAG_WO_DETACH 0x00000004
93/* Detach on last close. */
94#define G_ELI_FLAG_RW_DETACH 0x00000008
95/* Provide data authentication. */
96#define G_ELI_FLAG_AUTH 0x00000010
97/* Provider is read-only, we should deny all write attempts. */
98#define G_ELI_FLAG_RO 0x00000020
99/* Don't pass through BIO_DELETE requests. */
100#define G_ELI_FLAG_NODELETE 0x00000040
101/* This GELI supports GELIBoot */
102#define G_ELI_FLAG_GELIBOOT 0x00000080
103/* Hide passphrase length in GELIboot. */
104#define G_ELI_FLAG_GELIDISPLAYPASS 0x00000100
105/* Expand provider automatically. */
106#define G_ELI_FLAG_AUTORESIZE 0x00000200
107
108/* RUNTIME FLAGS. */
109/* Provider was open for writing. */
110#define G_ELI_FLAG_WOPEN 0x00010000
111/* Destroy device. */
112#define G_ELI_FLAG_DESTROY 0x00020000
113/* Provider uses native byte-order for IV generation. */
114#define G_ELI_FLAG_NATIVE_BYTE_ORDER 0x00040000
115/* Provider uses single encryption key. */
116#define G_ELI_FLAG_SINGLE_KEY 0x00080000
117/* Device suspended. */
118#define G_ELI_FLAG_SUSPEND 0x00100000
119/* Provider uses first encryption key. */
120#define G_ELI_FLAG_FIRST_KEY 0x00200000
121/* Provider uses IV-Key for encryption key generation. */
122#define G_ELI_FLAG_ENC_IVKEY 0x00400000
123
124/* BIO pflag values. */
125#define G_ELI_WORKER(pflags) ((pflags) & 0xff)
126#define G_ELI_MAX_WORKERS 255
127#define G_ELI_NEW_BIO G_ELI_MAX_WORKERS
128#define G_ELI_SETWORKER(pflags, w) \
129 (pflags) = ((pflags) & 0xff00) | ((w) & 0xff)
130#define G_ELI_SET_NEW_BIO(pflags) G_ELI_SETWORKER((pflags), G_ELI_NEW_BIO)
131#define G_ELI_IS_NEW_BIO(pflags) (G_ELI_WORKER(pflags) == G_ELI_NEW_BIO)
132#define G_ELI_UMA_ALLOC 0x100 /* bio_driver2 alloc came from UMA */
133
134#define SHA512_MDLEN 64
135#define G_ELI_AUTH_SECKEYLEN SHA256_DIGEST_LENGTH
136
137#define G_ELI_MAXMKEYS 2
138#define G_ELI_MAXKEYLEN 64
139#define G_ELI_USERKEYLEN G_ELI_MAXKEYLEN
140#define G_ELI_DATAKEYLEN G_ELI_MAXKEYLEN
141#define G_ELI_AUTHKEYLEN G_ELI_MAXKEYLEN
142#define G_ELI_IVKEYLEN G_ELI_MAXKEYLEN
143#define G_ELI_SALTLEN 64
144#define G_ELI_DATAIVKEYLEN (G_ELI_DATAKEYLEN + G_ELI_IVKEYLEN)
145/* Data-Key, IV-Key, HMAC_SHA512(Derived-Key, Data-Key+IV-Key) */
146#define G_ELI_MKEYLEN (G_ELI_DATAIVKEYLEN + SHA512_MDLEN)
147#define G_ELI_OVERWRITES 5
148/* Switch data encryption key every 2^20 blocks. */
149#define G_ELI_KEY_SHIFT 20
150
151#define G_ELI_CRYPTO_UNKNOWN 0
152#define G_ELI_CRYPTO_HW 1
153#define G_ELI_CRYPTO_SW 2
154#define G_ELI_CRYPTO_SW_ACCEL 3
155
156#ifdef _KERNEL
157#if (MAX_KEY_BYTES < G_ELI_DATAIVKEYLEN)
158#error "MAX_KEY_BYTES is less than G_ELI_DATAKEYLEN"
159#endif
160
161extern int g_eli_debug;
162extern u_int g_eli_overwrites;
163extern u_int g_eli_batch;
164
165#define G_ELI_DEBUG(lvl, ...) \
166 _GEOM_DEBUG("GEOM_ELI", g_eli_debug, (lvl), NULL, __VA_ARGS__)
167#define G_ELI_LOGREQ(lvl, bp, ...) \
168 _GEOM_DEBUG("GEOM_ELI", g_eli_debug, (lvl), (bp), __VA_ARGS__)
169
170struct g_eli_worker {
171 struct g_eli_softc *w_softc;
172 struct proc *w_proc;
173 void *w_first_key;
174 u_int w_number;
175 crypto_session_t w_sid;
176 boolean_t w_active;
177 LIST_ENTRY(g_eli_worker) w_next;
178};
179
180#endif /* _KERNEL */
181
182struct g_eli_softc {
183 struct g_geom *sc_geom;
184 u_int sc_version;
185 u_int sc_crypto;
186 uint8_t sc_mkey[G_ELI_DATAIVKEYLEN];
187 uint8_t sc_ekey[G_ELI_DATAKEYLEN];
188 TAILQ_HEAD(, g_eli_key) sc_ekeys_queue;
189 RB_HEAD(g_eli_key_tree, g_eli_key) sc_ekeys_tree;
190#ifndef _STANDALONE
191 struct mtx sc_ekeys_lock;
192#endif
193 uint64_t sc_ekeys_total;
194 uint64_t sc_ekeys_allocated;
195 u_int sc_ealgo;
196 u_int sc_ekeylen;
197 uint8_t sc_akey[G_ELI_AUTHKEYLEN];
198 u_int sc_aalgo;
199 u_int sc_akeylen;
200 u_int sc_alen;
201 SHA256_CTX sc_akeyctx;
202 uint8_t sc_ivkey[G_ELI_IVKEYLEN];
203 SHA256_CTX sc_ivctx;
204 int sc_nkey;
205 uint32_t sc_flags;
206 int sc_inflight;
207 off_t sc_mediasize;
208 size_t sc_sectorsize;
209 off_t sc_provsize;
210 u_int sc_bytes_per_sector;
211 u_int sc_data_per_sector;
212#ifndef _KERNEL
213 int sc_cpubind;
214#else /* _KERNEL */
215 boolean_t sc_cpubind;
216
217 /* Only for software cryptography. */
218 struct bio_queue_head sc_queue;
219 struct mtx sc_queue_mtx;
220 LIST_HEAD(, g_eli_worker) sc_workers;
221#endif /* _KERNEL */
222};
223#define sc_name sc_geom->name
224
225#define G_ELI_KEY_MAGIC 0xe11341c
226
227struct g_eli_key {
228 /* Key value, must be first in the structure. */
229 uint8_t gek_key[G_ELI_DATAKEYLEN];
230 /* Magic. */
231 int gek_magic;
232 /* Key number. */
233 uint64_t gek_keyno;
234 /* Reference counter. */
235 int gek_count;
236 /* Keeps keys sorted by most recent use. */
237 TAILQ_ENTRY(g_eli_key) gek_next;
238 /* Keeps keys sorted by number. */
239 RB_ENTRY(g_eli_key) gek_link;
240};
241
242struct g_eli_metadata {
243 char md_magic[16]; /* Magic value. */
244 uint32_t md_version; /* Version number. */
245 uint32_t md_flags; /* Additional flags. */
246 uint16_t md_ealgo; /* Encryption algorithm. */
247 uint16_t md_keylen; /* Key length. */
248 uint16_t md_aalgo; /* Authentication algorithm. */
249 uint64_t md_provsize; /* Provider's size. */
250 uint32_t md_sectorsize; /* Sector size. */
251 uint8_t md_keys; /* Available keys. */
252 int32_t md_iterations; /* Number of iterations for PKCS#5v2. */
253 uint8_t md_salt[G_ELI_SALTLEN]; /* Salt. */
254 /* Encrypted master key (IV-key, Data-key, HMAC). */
255 uint8_t md_mkeys[G_ELI_MAXMKEYS * G_ELI_MKEYLEN];
256 u_char md_hash[16]; /* MD5 hash. */
257} __packed;
258#ifndef _OpenSSL_
259static __inline void
260eli_metadata_encode_v0(struct g_eli_metadata *md, u_char **datap)
261{
262 u_char *p;
263
264 p = *datap;
265 le32enc(p, md->md_flags); p += sizeof(md->md_flags);
266 le16enc(p, md->md_ealgo); p += sizeof(md->md_ealgo);
267 le16enc(p, md->md_keylen); p += sizeof(md->md_keylen);
268 le64enc(p, md->md_provsize); p += sizeof(md->md_provsize);
269 le32enc(p, md->md_sectorsize); p += sizeof(md->md_sectorsize);
270 *p = md->md_keys; p += sizeof(md->md_keys);
271 le32enc(p, md->md_iterations); p += sizeof(md->md_iterations);
272 bcopy(md->md_salt, p, sizeof(md->md_salt)); p += sizeof(md->md_salt);
273 bcopy(md->md_mkeys, p, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys);
274 *datap = p;
275}
276static __inline void
277eli_metadata_encode_v1v2v3v4v5v6v7(struct g_eli_metadata *md, u_char **datap)
278{
279 u_char *p;
280
281 p = *datap;
282 le32enc(p, md->md_flags); p += sizeof(md->md_flags);
283 le16enc(p, md->md_ealgo); p += sizeof(md->md_ealgo);
284 le16enc(p, md->md_keylen); p += sizeof(md->md_keylen);
285 le16enc(p, md->md_aalgo); p += sizeof(md->md_aalgo);
286 le64enc(p, md->md_provsize); p += sizeof(md->md_provsize);
287 le32enc(p, md->md_sectorsize); p += sizeof(md->md_sectorsize);
288 *p = md->md_keys; p += sizeof(md->md_keys);
289 le32enc(p, md->md_iterations); p += sizeof(md->md_iterations);
290 bcopy(md->md_salt, p, sizeof(md->md_salt)); p += sizeof(md->md_salt);
291 bcopy(md->md_mkeys, p, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys);
292 *datap = p;
293}
294static __inline void
295eli_metadata_encode(struct g_eli_metadata *md, u_char *data)
296{
297 uint32_t hash[4];
298 MD5_CTX ctx;
299 u_char *p;
300
301 p = data;
302 bcopy(md->md_magic, p, sizeof(md->md_magic));
303 p += sizeof(md->md_magic);
304 le32enc(p, md->md_version);
305 p += sizeof(md->md_version);
306 switch (md->md_version) {
307 case G_ELI_VERSION_00:
308 eli_metadata_encode_v0(md, &p);
309 break;
310 case G_ELI_VERSION_01:
311 case G_ELI_VERSION_02:
312 case G_ELI_VERSION_03:
313 case G_ELI_VERSION_04:
314 case G_ELI_VERSION_05:
315 case G_ELI_VERSION_06:
316 case G_ELI_VERSION_07:
317 eli_metadata_encode_v1v2v3v4v5v6v7(md, &p);
318 break;
319 default:
320#ifdef _KERNEL
321 panic("%s: Unsupported version %u.", __func__,
322 (u_int)md->md_version);
323#else
324 assert(!"Unsupported metadata version.");
325#endif
326 }
327 MD5Init(&ctx);
328 MD5Update(&ctx, data, p - data);
329 MD5Final((void *)hash, &ctx);
330 bcopy(hash, md->md_hash, sizeof(md->md_hash));
331 bcopy(md->md_hash, p, sizeof(md->md_hash));
332}
333static __inline int
334eli_metadata_decode_v0(const u_char *data, struct g_eli_metadata *md)
335{
336 uint32_t hash[4];
337 MD5_CTX ctx;
338 const u_char *p;
339
340 p = data + sizeof(md->md_magic) + sizeof(md->md_version);
341 md->md_flags = le32dec(p); p += sizeof(md->md_flags);
342 md->md_ealgo = le16dec(p); p += sizeof(md->md_ealgo);
343 md->md_keylen = le16dec(p); p += sizeof(md->md_keylen);
344 md->md_provsize = le64dec(p); p += sizeof(md->md_provsize);
345 md->md_sectorsize = le32dec(p); p += sizeof(md->md_sectorsize);
346 md->md_keys = *p; p += sizeof(md->md_keys);
347 md->md_iterations = le32dec(p); p += sizeof(md->md_iterations);
348 bcopy(p, md->md_salt, sizeof(md->md_salt)); p += sizeof(md->md_salt);
349 bcopy(p, md->md_mkeys, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys);
350 MD5Init(&ctx);
351 MD5Update(&ctx, data, p - data);
352 MD5Final((void *)hash, &ctx);
353 bcopy(hash, md->md_hash, sizeof(md->md_hash));
354 if (bcmp(md->md_hash, p, 16) != 0)
355 return (EINVAL);
356 return (0);
357}
358
359static __inline int
360eli_metadata_decode_v1v2v3v4v5v6v7(const u_char *data, struct g_eli_metadata *md)
361{
362 uint32_t hash[4];
363 MD5_CTX ctx;
364 const u_char *p;
365
366 p = data + sizeof(md->md_magic) + sizeof(md->md_version);
367 md->md_flags = le32dec(p); p += sizeof(md->md_flags);
368 md->md_ealgo = le16dec(p); p += sizeof(md->md_ealgo);
369 md->md_keylen = le16dec(p); p += sizeof(md->md_keylen);
370 md->md_aalgo = le16dec(p); p += sizeof(md->md_aalgo);
371 md->md_provsize = le64dec(p); p += sizeof(md->md_provsize);
372 md->md_sectorsize = le32dec(p); p += sizeof(md->md_sectorsize);
373 md->md_keys = *p; p += sizeof(md->md_keys);
374 md->md_iterations = le32dec(p); p += sizeof(md->md_iterations);
375 bcopy(p, md->md_salt, sizeof(md->md_salt)); p += sizeof(md->md_salt);
376 bcopy(p, md->md_mkeys, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys);
377 MD5Init(&ctx);
378 MD5Update(&ctx, data, p - data);
379 MD5Final((void *)hash, &ctx);
380 bcopy(hash, md->md_hash, sizeof(md->md_hash));
381 if (bcmp(md->md_hash, p, 16) != 0)
382 return (EINVAL);
383 return (0);
384}
385static __inline int
386eli_metadata_decode(const u_char *data, struct g_eli_metadata *md)
387{
388 int error;
389
390 bcopy(data, md->md_magic, sizeof(md->md_magic));
391 if (strcmp(md->md_magic, G_ELI_MAGIC) != 0)
392 return (EINVAL);
393 md->md_version = le32dec(data + sizeof(md->md_magic));
394 switch (md->md_version) {
395 case G_ELI_VERSION_00:
396 error = eli_metadata_decode_v0(data, md);
397 break;
398 case G_ELI_VERSION_01:
399 case G_ELI_VERSION_02:
400 case G_ELI_VERSION_03:
401 case G_ELI_VERSION_04:
402 case G_ELI_VERSION_05:
403 case G_ELI_VERSION_06:
404 case G_ELI_VERSION_07:
405 error = eli_metadata_decode_v1v2v3v4v5v6v7(data, md);
406 break;
407 default:
408 error = EOPNOTSUPP;
409 break;
410 }
411 return (error);
412}
413#endif /* !_OpenSSL */
414
415static __inline u_int
416g_eli_str2ealgo(const char *name)
417{
418
419 if (strcasecmp("null", name) == 0)
420 return (CRYPTO_NULL_CBC);
421 else if (strcasecmp("null-cbc", name) == 0)
422 return (CRYPTO_NULL_CBC);
423 else if (strcasecmp("aes", name) == 0)
424 return (CRYPTO_AES_XTS);
425 else if (strcasecmp("aes-cbc", name) == 0)
426 return (CRYPTO_AES_CBC);
427 else if (strcasecmp("aes-xts", name) == 0)
428 return (CRYPTO_AES_XTS);
429 else if (strcasecmp("camellia", name) == 0)
430 return (CRYPTO_CAMELLIA_CBC);
431 else if (strcasecmp("camellia-cbc", name) == 0)
432 return (CRYPTO_CAMELLIA_CBC);
433 return (CRYPTO_ALGORITHM_MIN - 1);
434}
435
436static __inline u_int
437g_eli_str2aalgo(const char *name)
438{
439
440 if (strcasecmp("hmac/sha1", name) == 0)
441 return (CRYPTO_SHA1_HMAC);
442 else if (strcasecmp("hmac/ripemd160", name) == 0)
443 return (CRYPTO_RIPEMD160_HMAC);
444 else if (strcasecmp("hmac/sha256", name) == 0)
445 return (CRYPTO_SHA2_256_HMAC);
446 else if (strcasecmp("hmac/sha384", name) == 0)
447 return (CRYPTO_SHA2_384_HMAC);
448 else if (strcasecmp("hmac/sha512", name) == 0)
449 return (CRYPTO_SHA2_512_HMAC);
450 return (CRYPTO_ALGORITHM_MIN - 1);
451}
452
453static __inline const char *
454g_eli_algo2str(u_int algo)
455{
456
457 switch (algo) {
458 case CRYPTO_NULL_CBC:
459 return ("NULL");
460 case CRYPTO_AES_CBC:
461 return ("AES-CBC");
462 case CRYPTO_AES_XTS:
463 return ("AES-XTS");
464 case CRYPTO_CAMELLIA_CBC:
465 return ("CAMELLIA-CBC");
466 case CRYPTO_SHA1_HMAC:
467 return ("HMAC/SHA1");
468 case CRYPTO_RIPEMD160_HMAC:
469 return ("HMAC/RIPEMD160");
470 case CRYPTO_SHA2_256_HMAC:
471 return ("HMAC/SHA256");
472 case CRYPTO_SHA2_384_HMAC:
473 return ("HMAC/SHA384");
474 case CRYPTO_SHA2_512_HMAC:
475 return ("HMAC/SHA512");
476 }
477 return ("unknown");
478}
479
480static __inline void
481eli_metadata_dump(const struct g_eli_metadata *md)
482{
483 static const char hex[] = "0123456789abcdef";
484 char str[sizeof(md->md_mkeys) * 2 + 1];
485 u_int i;
486
487 printf(" magic: %s\n", md->md_magic);
488 printf(" version: %u\n", (u_int)md->md_version);
489 printf(" flags: 0x%x\n", (u_int)md->md_flags);
490 printf(" ealgo: %s\n", g_eli_algo2str(md->md_ealgo));
491 printf(" keylen: %u\n", (u_int)md->md_keylen);
492 if (md->md_flags & G_ELI_FLAG_AUTH)
493 printf(" aalgo: %s\n", g_eli_algo2str(md->md_aalgo));
494 printf(" provsize: %ju\n", (uintmax_t)md->md_provsize);
495 printf("sectorsize: %u\n", (u_int)md->md_sectorsize);
496 printf(" keys: 0x%02x\n", (u_int)md->md_keys);
497 printf("iterations: %d\n", (int)md->md_iterations);
498 bzero(str, sizeof(str));
499 for (i = 0; i < sizeof(md->md_salt); i++) {
500 str[i * 2] = hex[md->md_salt[i] >> 4];
501 str[i * 2 + 1] = hex[md->md_salt[i] & 0x0f];
502 }
503 printf(" Salt: %s\n", str);
504 bzero(str, sizeof(str));
505 for (i = 0; i < sizeof(md->md_mkeys); i++) {
506 str[i * 2] = hex[md->md_mkeys[i] >> 4];
507 str[i * 2 + 1] = hex[md->md_mkeys[i] & 0x0f];
508 }
509 printf("Master Key: %s\n", str);
510 bzero(str, sizeof(str));
511 for (i = 0; i < 16; i++) {
512 str[i * 2] = hex[md->md_hash[i] >> 4];
513 str[i * 2 + 1] = hex[md->md_hash[i] & 0x0f];
514 }
515 printf(" MD5 hash: %s\n", str);
516}
517
518#ifdef _KERNEL
519static __inline bool
520eli_metadata_crypto_supported(const struct g_eli_metadata *md)
521{
522
523 switch (md->md_ealgo) {
524 case CRYPTO_NULL_CBC:
525 case CRYPTO_AES_CBC:
526 case CRYPTO_CAMELLIA_CBC:
527 case CRYPTO_AES_XTS:
528 break;
529 default:
530 return (false);
531 }
532 if (md->md_flags & G_ELI_FLAG_AUTH) {
533 switch (md->md_aalgo) {
534 case CRYPTO_SHA1_HMAC:
535 case CRYPTO_RIPEMD160_HMAC:
536 case CRYPTO_SHA2_256_HMAC:
537 case CRYPTO_SHA2_384_HMAC:
538 case CRYPTO_SHA2_512_HMAC:
539 break;
540 default:
541 return (false);
542 }
543 }
544 return (true);
545}
546#endif
547
548static __inline u_int
549g_eli_keylen(u_int algo, u_int keylen)
550{
551
552 switch (algo) {
553 case CRYPTO_NULL_CBC:
554 if (keylen == 0)
555 keylen = 64 * 8;
556 else {
557 if (keylen > 64 * 8)
558 keylen = 0;
559 }
560 return (keylen);
561 case CRYPTO_AES_CBC:
562 case CRYPTO_CAMELLIA_CBC:
563 switch (keylen) {
564 case 0:
565 return (128);
566 case 128:
567 case 192:
568 case 256:
569 return (keylen);
570 default:
571 return (0);
572 }
573 case CRYPTO_AES_XTS:
574 switch (keylen) {
575 case 0:
576 return (128);
577 case 128:
578 case 256:
579 return (keylen);
580 default:
581 return (0);
582 }
583 default:
584 return (0);
585 }
586}
587
588static __inline u_int
589g_eli_ivlen(u_int algo)
590{
591
592 switch (algo) {
593 case CRYPTO_AES_XTS:
594 return (AES_XTS_IV_LEN);
595 case CRYPTO_AES_CBC:
596 return (AES_BLOCK_LEN);
597 case CRYPTO_CAMELLIA_CBC:
598 return (CAMELLIA_BLOCK_LEN);
599 }
600 return (0);
601}
602
603static __inline u_int
604g_eli_hashlen(u_int algo)
605{
606
607 switch (algo) {
608 case CRYPTO_SHA1_HMAC:
609 return (20);
610 case CRYPTO_RIPEMD160_HMAC:
611 return (20);
612 case CRYPTO_SHA2_256_HMAC:
613 return (32);
614 case CRYPTO_SHA2_384_HMAC:
615 return (48);
616 case CRYPTO_SHA2_512_HMAC:
617 return (64);
618 }
619 return (0);
620}
621
622static __inline off_t
623eli_mediasize(const struct g_eli_softc *sc, off_t mediasize, u_int sectorsize)
624{
625
626 if ((sc->sc_flags & G_ELI_FLAG_ONETIME) == 0) {
627 mediasize -= sectorsize;
628 }
629 if ((sc->sc_flags & G_ELI_FLAG_AUTH) == 0) {
630 mediasize -= (mediasize % sc->sc_sectorsize);
631 } else {
632 mediasize /= sc->sc_bytes_per_sector;
633 mediasize *= sc->sc_sectorsize;
634 }
635
636 return (mediasize);
637}
638
639static __inline void
640eli_metadata_softc(struct g_eli_softc *sc, const struct g_eli_metadata *md,
641 u_int sectorsize, off_t mediasize)
642{
643
644 sc->sc_version = md->md_version;
645 sc->sc_inflight = 0;
646 sc->sc_crypto = G_ELI_CRYPTO_UNKNOWN;
647 sc->sc_flags = md->md_flags;
648 /* Backward compatibility. */
649 if (md->md_version < G_ELI_VERSION_04)
650 sc->sc_flags |= G_ELI_FLAG_NATIVE_BYTE_ORDER;
651 if (md->md_version < G_ELI_VERSION_05)
652 sc->sc_flags |= G_ELI_FLAG_SINGLE_KEY;
653 if (md->md_version < G_ELI_VERSION_06 &&
654 (sc->sc_flags & G_ELI_FLAG_AUTH) != 0) {
655 sc->sc_flags |= G_ELI_FLAG_FIRST_KEY;
656 }
657 if (md->md_version < G_ELI_VERSION_07)
658 sc->sc_flags |= G_ELI_FLAG_ENC_IVKEY;
659 sc->sc_ealgo = md->md_ealgo;
660
661 if (sc->sc_flags & G_ELI_FLAG_AUTH) {
662 sc->sc_akeylen = sizeof(sc->sc_akey) * 8;
663 sc->sc_aalgo = md->md_aalgo;
664 sc->sc_alen = g_eli_hashlen(sc->sc_aalgo);
665
666 sc->sc_data_per_sector = sectorsize - sc->sc_alen;
667 /*
668 * Some hash functions (like SHA1 and RIPEMD160) generates hash
669 * which length is not multiple of 128 bits, but we want data
670 * length to be multiple of 128, so we can encrypt without
671 * padding. The line below rounds down data length to multiple
672 * of 128 bits.
673 */
674 sc->sc_data_per_sector -= sc->sc_data_per_sector % 16;
675
676 sc->sc_bytes_per_sector =
677 (md->md_sectorsize - 1) / sc->sc_data_per_sector + 1;
678 sc->sc_bytes_per_sector *= sectorsize;
679 }
680 sc->sc_provsize = mediasize;
681 sc->sc_sectorsize = md->md_sectorsize;
682 sc->sc_mediasize = eli_mediasize(sc, mediasize, sectorsize);
683 sc->sc_ekeylen = md->md_keylen;
684}
685
686#ifdef _KERNEL
687int g_eli_read_metadata(struct g_class *mp, struct g_provider *pp,
688 struct g_eli_metadata *md);
689struct g_geom *g_eli_create(struct gctl_req *req, struct g_class *mp,
690 struct g_provider *bpp, const struct g_eli_metadata *md,
691 const u_char *mkey, int nkey);
692int g_eli_destroy(struct g_eli_softc *sc, boolean_t force);
693
694int g_eli_access(struct g_provider *pp, int dr, int dw, int de);
695void g_eli_config(struct gctl_req *req, struct g_class *mp, const char *verb);
696
697void g_eli_read_done(struct bio *bp);
698void g_eli_write_done(struct bio *bp);
699int g_eli_crypto_rerun(struct cryptop *crp);
700
701bool g_eli_alloc_data(struct bio *bp, int sz);
702void g_eli_free_data(struct bio *bp);
703
704void g_eli_crypto_read(struct g_eli_softc *sc, struct bio *bp, boolean_t fromworker);
705void g_eli_crypto_run(struct g_eli_worker *wr, struct bio *bp);
706
707void g_eli_auth_read(struct g_eli_softc *sc, struct bio *bp);
708void g_eli_auth_run(struct g_eli_worker *wr, struct bio *bp);
709#endif
710void g_eli_crypto_ivgen(struct g_eli_softc *sc, off_t offset, u_char *iv,
711 size_t size);
712
713void g_eli_mkey_hmac(unsigned char *mkey, const unsigned char *key);
714int g_eli_mkey_decrypt(const struct g_eli_metadata *md,
715 const unsigned char *key, unsigned char *mkey, unsigned keyp);
716int g_eli_mkey_decrypt_any(const struct g_eli_metadata *md,
717 const unsigned char *key, unsigned char *mkey, unsigned *nkeyp);
718int g_eli_mkey_encrypt(unsigned algo, const unsigned char *key, unsigned keylen,
719 unsigned char *mkey);
720#ifdef _KERNEL
721void g_eli_mkey_propagate(struct g_eli_softc *sc, const unsigned char *mkey);
722#endif
723
724int g_eli_crypto_encrypt(u_int algo, u_char *data, size_t datasize,
725 const u_char *key, size_t keysize);
726int g_eli_crypto_decrypt(u_int algo, u_char *data, size_t datasize,
727 const u_char *key, size_t keysize);
728
729struct hmac_ctx {
730 SHA512_CTX innerctx;
731 SHA512_CTX outerctx;
732};
733
734void g_eli_crypto_hmac_init(struct hmac_ctx *ctx, const char *hkey,
735 size_t hkeylen);
736void g_eli_crypto_hmac_update(struct hmac_ctx *ctx, const uint8_t *data,
737 size_t datasize);
738void g_eli_crypto_hmac_final(struct hmac_ctx *ctx, uint8_t *md, size_t mdsize);
739void g_eli_crypto_hmac(const char *hkey, size_t hkeysize,
740 const uint8_t *data, size_t datasize, uint8_t *md, size_t mdsize);
741
742void g_eli_key_fill(struct g_eli_softc *sc, struct g_eli_key *key,
743 uint64_t keyno);
744#ifdef _KERNEL
745void g_eli_key_init(struct g_eli_softc *sc);
746void g_eli_key_destroy(struct g_eli_softc *sc);
747void g_eli_key_resize(struct g_eli_softc *sc);
748uint8_t *g_eli_key_hold(struct g_eli_softc *sc, off_t offset, size_t blocksize);
749void g_eli_key_drop(struct g_eli_softc *sc, uint8_t *rawkey);
750#endif
751#endif /* !_G_ELI_H_ */