1 /*-
2 * SPDX-License-Identifier: BSD-2-Clause
3 *
4 * Copyright (c) 2005-2011 Pawel Jakub Dawidek <pawel@dawidek.net>
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 *
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 * SUCH DAMAGE.
27 */
28
29 #include <sys/cdefs.h>
30 #include <sys/param.h>
31 #ifdef _KERNEL
32 #include <sys/malloc.h>
33 #include <sys/systm.h>
34 #include <geom/geom.h>
35 #else
36 #include <stdio.h>
37 #include <stdint.h>
38 #include <stdlib.h>
39 #include <string.h>
40 #include <strings.h>
41 #include <errno.h>
42 #endif
43
44 #include <geom/eli/g_eli.h>
45
46 #ifdef _KERNEL
47 MALLOC_DECLARE(M_ELI);
48 #endif
49
50 /*
51 * Verify if the given 'key' is correct.
52 * Return 1 if it is correct and 0 otherwise.
53 */
54 static int
g_eli_mkey_verify(const unsigned char * mkey,const unsigned char * key)55 g_eli_mkey_verify(const unsigned char *mkey, const unsigned char *key)
56 {
57 const unsigned char *odhmac; /* On-disk HMAC. */
58 unsigned char chmac[SHA512_MDLEN]; /* Calculated HMAC. */
59 unsigned char hmkey[SHA512_MDLEN]; /* Key for HMAC. */
60
61 /*
62 * The key for HMAC calculations is: hmkey = HMAC_SHA512(Derived-Key, 0)
63 */
64 g_eli_crypto_hmac(key, G_ELI_USERKEYLEN, "\x00", 1, hmkey, 0);
65
66 odhmac = mkey + G_ELI_DATAIVKEYLEN;
67
68 /* Calculate HMAC from Data-Key and IV-Key. */
69 g_eli_crypto_hmac(hmkey, sizeof(hmkey), mkey, G_ELI_DATAIVKEYLEN,
70 chmac, 0);
71
72 explicit_bzero(hmkey, sizeof(hmkey));
73
74 /*
75 * Compare calculated HMAC with HMAC from metadata.
76 * If two HMACs are equal, 'key' is correct.
77 */
78 return (!bcmp(odhmac, chmac, SHA512_MDLEN));
79 }
80
81 /*
82 * Calculate HMAC from Data-Key and IV-Key.
83 */
84 void
g_eli_mkey_hmac(unsigned char * mkey,const unsigned char * key)85 g_eli_mkey_hmac(unsigned char *mkey, const unsigned char *key)
86 {
87 unsigned char hmkey[SHA512_MDLEN]; /* Key for HMAC. */
88 unsigned char *odhmac; /* On-disk HMAC. */
89
90 /*
91 * The key for HMAC calculations is: hmkey = HMAC_SHA512(Derived-Key, 0)
92 */
93 g_eli_crypto_hmac(key, G_ELI_USERKEYLEN, "\x00", 1, hmkey, 0);
94
95 odhmac = mkey + G_ELI_DATAIVKEYLEN;
96 /* Calculate HMAC from Data-Key and IV-Key. */
97 g_eli_crypto_hmac(hmkey, sizeof(hmkey), mkey, G_ELI_DATAIVKEYLEN,
98 odhmac, 0);
99
100 explicit_bzero(hmkey, sizeof(hmkey));
101 }
102
103 /*
104 * Find and decrypt Master Key encrypted with 'key' at slot 'nkey'.
105 * Return 0 on success, > 0 on failure, -1 on bad key.
106 */
107 int
g_eli_mkey_decrypt(const struct g_eli_metadata * md,const unsigned char * key,unsigned char * mkey,unsigned nkey)108 g_eli_mkey_decrypt(const struct g_eli_metadata *md, const unsigned char *key,
109 unsigned char *mkey, unsigned nkey)
110 {
111 unsigned char tmpmkey[G_ELI_MKEYLEN];
112 unsigned char enckey[SHA512_MDLEN]; /* Key for encryption. */
113 const unsigned char *mmkey;
114 int bit, error;
115
116 if (nkey > G_ELI_MKEYLEN)
117 return (-1);
118
119 /*
120 * The key for encryption is: enckey = HMAC_SHA512(Derived-Key, 1)
121 */
122 g_eli_crypto_hmac(key, G_ELI_USERKEYLEN, "\x01", 1, enckey, 0);
123
124 mmkey = md->md_mkeys + G_ELI_MKEYLEN * nkey;
125 bit = (1 << nkey);
126 if (!(md->md_keys & bit))
127 return (-1);
128 bcopy(mmkey, tmpmkey, G_ELI_MKEYLEN);
129 error = g_eli_crypto_decrypt(md->md_ealgo, tmpmkey,
130 G_ELI_MKEYLEN, enckey, md->md_keylen);
131 if (error != 0) {
132 explicit_bzero(tmpmkey, sizeof(tmpmkey));
133 explicit_bzero(enckey, sizeof(enckey));
134 return (error);
135 }
136 if (g_eli_mkey_verify(tmpmkey, key)) {
137 bcopy(tmpmkey, mkey, G_ELI_DATAIVKEYLEN);
138 explicit_bzero(tmpmkey, sizeof(tmpmkey));
139 explicit_bzero(enckey, sizeof(enckey));
140 return (0);
141 }
142 explicit_bzero(enckey, sizeof(enckey));
143 explicit_bzero(tmpmkey, sizeof(tmpmkey));
144
145 return (-1);
146 }
147
148 /*
149 * Find and decrypt Master Key encrypted with 'key'.
150 * Return decrypted Master Key number in 'nkeyp' if not NULL.
151 * Return 0 on success, > 0 on failure, -1 on bad key.
152 */
153 int
g_eli_mkey_decrypt_any(const struct g_eli_metadata * md,const unsigned char * key,unsigned char * mkey,unsigned * nkeyp)154 g_eli_mkey_decrypt_any(const struct g_eli_metadata *md,
155 const unsigned char *key, unsigned char *mkey, unsigned *nkeyp)
156 {
157 int error, nkey;
158
159 if (nkeyp != NULL)
160 *nkeyp = -1;
161
162 error = -1;
163 for (nkey = 0; nkey < G_ELI_MAXMKEYS; nkey++) {
164 error = g_eli_mkey_decrypt(md, key, mkey, nkey);
165 if (error == 0) {
166 if (nkeyp != NULL)
167 *nkeyp = nkey;
168 break;
169 } else if (error > 0) {
170 break;
171 }
172 }
173
174 return (error);
175 }
176
177 /*
178 * Encrypt the Master-Key and calculate HMAC to be able to verify it in the
179 * future.
180 */
181 int
g_eli_mkey_encrypt(unsigned algo,const unsigned char * key,unsigned keylen,unsigned char * mkey)182 g_eli_mkey_encrypt(unsigned algo, const unsigned char *key, unsigned keylen,
183 unsigned char *mkey)
184 {
185 unsigned char enckey[SHA512_MDLEN]; /* Key for encryption. */
186 int error;
187
188 /*
189 * To calculate HMAC, the whole key (G_ELI_USERKEYLEN bytes long) will
190 * be used.
191 */
192 g_eli_mkey_hmac(mkey, key);
193 /*
194 * The key for encryption is: enckey = HMAC_SHA512(Derived-Key, 1)
195 */
196 g_eli_crypto_hmac(key, G_ELI_USERKEYLEN, "\x01", 1, enckey, 0);
197 /*
198 * Encrypt the Master-Key and HMAC() result with the given key (this
199 * time only 'keylen' bits from the key are used).
200 */
201 error = g_eli_crypto_encrypt(algo, mkey, G_ELI_MKEYLEN, enckey, keylen);
202
203 explicit_bzero(enckey, sizeof(enckey));
204
205 return (error);
206 }
207
208 #ifdef _KERNEL
209 /*
210 * When doing encryption only, copy IV key and encryption key.
211 * When doing encryption and authentication, copy IV key, generate encryption
212 * key and generate authentication key.
213 */
214 void
g_eli_mkey_propagate(struct g_eli_softc * sc,const unsigned char * mkey)215 g_eli_mkey_propagate(struct g_eli_softc *sc, const unsigned char *mkey)
216 {
217
218 /* Remember the Master Key. */
219 bcopy(mkey, sc->sc_mkey, sizeof(sc->sc_mkey));
220
221 bcopy(mkey, sc->sc_ivkey, sizeof(sc->sc_ivkey));
222 mkey += sizeof(sc->sc_ivkey);
223
224 /*
225 * The authentication key is: akey = HMAC_SHA512(Data-Key, 0x11)
226 */
227 if ((sc->sc_flags & G_ELI_FLAG_AUTH) != 0) {
228 g_eli_crypto_hmac(mkey, G_ELI_MAXKEYLEN, "\x11", 1,
229 sc->sc_akey, 0);
230 } else {
231 arc4rand(sc->sc_akey, sizeof(sc->sc_akey), 0);
232 }
233
234 /* Initialize encryption keys. */
235 g_eli_key_init(sc);
236
237 if ((sc->sc_flags & G_ELI_FLAG_AUTH) != 0) {
238 /*
239 * Precalculate SHA256 for HMAC key generation.
240 * This is expensive operation and we can do it only once now or
241 * for every access to sector, so now will be much better.
242 */
243 SHA256_Init(&sc->sc_akeyctx);
244 SHA256_Update(&sc->sc_akeyctx, sc->sc_akey,
245 sizeof(sc->sc_akey));
246 }
247 /*
248 * Precalculate SHA256 for IV generation.
249 * This is expensive operation and we can do it only once now or for
250 * every access to sector, so now will be much better.
251 */
252 switch (sc->sc_ealgo) {
253 case CRYPTO_AES_XTS:
254 break;
255 default:
256 SHA256_Init(&sc->sc_ivctx);
257 SHA256_Update(&sc->sc_ivctx, sc->sc_ivkey,
258 sizeof(sc->sc_ivkey));
259 break;
260 }
261 }
262 #endif
263