Index: head/sbin/geom/class/eli/Makefile =================================================================== --- head/sbin/geom/class/eli/Makefile +++ head/sbin/geom/class/eli/Makefile @@ -4,6 +4,7 @@ GEOM_CLASS= eli SRCS= g_eli_crypto.c +SRCS+= g_eli_hmac.c SRCS+= g_eli_key.c SRCS+= pkcs5v2.c SRCS+= sha256c.c Index: head/sys/conf/files =================================================================== --- head/sys/conf/files +++ head/sys/conf/files @@ -2994,6 +2994,7 @@ geom/eli/g_eli.c optional geom_eli geom/eli/g_eli_crypto.c optional geom_eli geom/eli/g_eli_ctl.c optional geom_eli +geom/eli/g_eli_hmac.c optional geom_eli geom/eli/g_eli_integrity.c optional geom_eli geom/eli/g_eli_key.c optional geom_eli geom/eli/g_eli_key_cache.c optional geom_eli Index: head/sys/geom/eli/g_eli.h =================================================================== --- head/sys/geom/eli/g_eli.h +++ head/sys/geom/eli/g_eli.h @@ -40,8 +40,6 @@ #include #include #include -#include -#include #include #else #include @@ -49,6 +47,8 @@ #include #include #endif +#include +#include #ifndef _OpenSSL_ #include #endif @@ -132,15 +132,15 @@ /* Switch data encryption key every 2^20 blocks. */ #define G_ELI_KEY_SHIFT 20 +#define G_ELI_CRYPTO_UNKNOWN 0 +#define G_ELI_CRYPTO_HW 1 +#define G_ELI_CRYPTO_SW 2 + #ifdef _KERNEL extern int g_eli_debug; extern u_int g_eli_overwrites; extern u_int g_eli_batch; -#define G_ELI_CRYPTO_UNKNOWN 0 -#define G_ELI_CRYPTO_HW 1 -#define G_ELI_CRYPTO_SW 2 - #define G_ELI_DEBUG(lvl, ...) do { \ if (g_eli_debug >= (lvl)) { \ printf("GEOM_ELI"); \ @@ -173,6 +173,8 @@ LIST_ENTRY(g_eli_worker) w_next; }; +#endif /* _KERNEL */ + struct g_eli_softc { struct g_geom *sc_geom; u_int sc_version; @@ -200,15 +202,35 @@ size_t sc_sectorsize; u_int sc_bytes_per_sector; u_int sc_data_per_sector; +#ifndef _KERNEL + int sc_cpubind; +#else /* _KERNEL */ boolean_t sc_cpubind; /* Only for software cryptography. */ struct bio_queue_head sc_queue; struct mtx sc_queue_mtx; LIST_HEAD(, g_eli_worker) sc_workers; +#endif /* _KERNEL */ }; #define sc_name sc_geom->name -#endif /* _KERNEL */ + +#define G_ELI_KEY_MAGIC 0xe11341c + +struct g_eli_key { + /* Key value, must be first in the structure. */ + uint8_t gek_key[G_ELI_DATAKEYLEN]; + /* Magic. */ + int gek_magic; + /* Key number. */ + uint64_t gek_keyno; + /* Reference counter. */ + int gek_count; + /* Keeps keys sorted by most recent use. */ + TAILQ_ENTRY(g_eli_key) gek_next; + /* Keeps keys sorted by number. */ + RB_ENTRY(g_eli_key) gek_link; +}; struct g_eli_metadata { char md_magic[16]; /* Magic value. */ @@ -569,6 +591,60 @@ return (0); } +static __inline void +eli_metadata_softc(struct g_eli_softc *sc, const struct g_eli_metadata *md, + u_int sectorsize, off_t mediasize) +{ + + sc->sc_version = md->md_version; + sc->sc_inflight = 0; + sc->sc_crypto = G_ELI_CRYPTO_UNKNOWN; + sc->sc_flags = md->md_flags; + /* Backward compatibility. */ + if (md->md_version < G_ELI_VERSION_04) + sc->sc_flags |= G_ELI_FLAG_NATIVE_BYTE_ORDER; + if (md->md_version < G_ELI_VERSION_05) + sc->sc_flags |= G_ELI_FLAG_SINGLE_KEY; + if (md->md_version < G_ELI_VERSION_06 && + (sc->sc_flags & G_ELI_FLAG_AUTH) != 0) { + sc->sc_flags |= G_ELI_FLAG_FIRST_KEY; + } + if (md->md_version < G_ELI_VERSION_07) + sc->sc_flags |= G_ELI_FLAG_ENC_IVKEY; + sc->sc_ealgo = md->md_ealgo; + + if (sc->sc_flags & G_ELI_FLAG_AUTH) { + sc->sc_akeylen = sizeof(sc->sc_akey) * 8; + sc->sc_aalgo = md->md_aalgo; + sc->sc_alen = g_eli_hashlen(sc->sc_aalgo); + + sc->sc_data_per_sector = sectorsize - sc->sc_alen; + /* + * Some hash functions (like SHA1 and RIPEMD160) generates hash + * which length is not multiple of 128 bits, but we want data + * length to be multiple of 128, so we can encrypt without + * padding. The line below rounds down data length to multiple + * of 128 bits. + */ + sc->sc_data_per_sector -= sc->sc_data_per_sector % 16; + + sc->sc_bytes_per_sector = + (md->md_sectorsize - 1) / sc->sc_data_per_sector + 1; + sc->sc_bytes_per_sector *= sectorsize; + } + sc->sc_sectorsize = md->md_sectorsize; + sc->sc_mediasize = mediasize; + if (!(sc->sc_flags & G_ELI_FLAG_ONETIME)) + sc->sc_mediasize -= sectorsize; + if (!(sc->sc_flags & G_ELI_FLAG_AUTH)) + sc->sc_mediasize -= (sc->sc_mediasize % sc->sc_sectorsize); + else { + sc->sc_mediasize /= sc->sc_bytes_per_sector; + sc->sc_mediasize *= sc->sc_sectorsize; + } + sc->sc_ekeylen = md->md_keylen; +} + #ifdef _KERNEL int g_eli_read_metadata(struct g_class *mp, struct g_provider *pp, struct g_eli_metadata *md); @@ -583,8 +659,6 @@ void g_eli_read_done(struct bio *bp); void g_eli_write_done(struct bio *bp); int g_eli_crypto_rerun(struct cryptop *crp); -void g_eli_crypto_ivgen(struct g_eli_softc *sc, off_t offset, u_char *iv, - size_t size); void g_eli_crypto_read(struct g_eli_softc *sc, struct bio *bp, boolean_t fromworker); void g_eli_crypto_run(struct g_eli_worker *wr, struct bio *bp); @@ -592,6 +666,8 @@ void g_eli_auth_read(struct g_eli_softc *sc, struct bio *bp); void g_eli_auth_run(struct g_eli_worker *wr, struct bio *bp); #endif +void g_eli_crypto_ivgen(struct g_eli_softc *sc, off_t offset, u_char *iv, + size_t size); void g_eli_mkey_hmac(unsigned char *mkey, const unsigned char *key); int g_eli_mkey_decrypt(const struct g_eli_metadata *md, @@ -620,6 +696,8 @@ void g_eli_crypto_hmac(const uint8_t *hkey, size_t hkeysize, const uint8_t *data, size_t datasize, uint8_t *md, size_t mdsize); +void g_eli_key_fill(struct g_eli_softc *sc, struct g_eli_key *key, + uint64_t keyno); #ifdef _KERNEL void g_eli_key_init(struct g_eli_softc *sc); void g_eli_key_destroy(struct g_eli_softc *sc); Index: head/sys/geom/eli/g_eli.c =================================================================== --- head/sys/geom/eli/g_eli.c +++ head/sys/geom/eli/g_eli.c @@ -571,40 +571,6 @@ } } -/* - * Here we generate IV. It is unique for every sector. - */ -void -g_eli_crypto_ivgen(struct g_eli_softc *sc, off_t offset, u_char *iv, - size_t size) -{ - uint8_t off[8]; - - if ((sc->sc_flags & G_ELI_FLAG_NATIVE_BYTE_ORDER) != 0) - bcopy(&offset, off, sizeof(off)); - else - le64enc(off, (uint64_t)offset); - - switch (sc->sc_ealgo) { - case CRYPTO_AES_XTS: - bcopy(off, iv, sizeof(off)); - bzero(iv + sizeof(off), size - sizeof(off)); - break; - default: - { - u_char hash[SHA256_DIGEST_LENGTH]; - SHA256_CTX ctx; - - /* Copy precalculated SHA256 context for IV-Key. */ - bcopy(&sc->sc_ivctx, &ctx, sizeof(ctx)); - SHA256_Update(&ctx, off, sizeof(off)); - SHA256_Final(hash, &ctx); - bcopy(hash, iv, MIN(sizeof(hash), size)); - break; - } - } -} - int g_eli_read_metadata(struct g_class *mp, struct g_provider *pp, struct g_eli_metadata *md) @@ -751,44 +717,9 @@ else gp->access = g_std_access; - sc->sc_version = md->md_version; - sc->sc_inflight = 0; - sc->sc_crypto = G_ELI_CRYPTO_UNKNOWN; - sc->sc_flags = md->md_flags; - /* Backward compatibility. */ - if (md->md_version < G_ELI_VERSION_04) - sc->sc_flags |= G_ELI_FLAG_NATIVE_BYTE_ORDER; - if (md->md_version < G_ELI_VERSION_05) - sc->sc_flags |= G_ELI_FLAG_SINGLE_KEY; - if (md->md_version < G_ELI_VERSION_06 && - (sc->sc_flags & G_ELI_FLAG_AUTH) != 0) { - sc->sc_flags |= G_ELI_FLAG_FIRST_KEY; - } - if (md->md_version < G_ELI_VERSION_07) - sc->sc_flags |= G_ELI_FLAG_ENC_IVKEY; - sc->sc_ealgo = md->md_ealgo; + eli_metadata_softc(sc, md, bpp->sectorsize, bpp->mediasize); sc->sc_nkey = nkey; - if (sc->sc_flags & G_ELI_FLAG_AUTH) { - sc->sc_akeylen = sizeof(sc->sc_akey) * 8; - sc->sc_aalgo = md->md_aalgo; - sc->sc_alen = g_eli_hashlen(sc->sc_aalgo); - - sc->sc_data_per_sector = bpp->sectorsize - sc->sc_alen; - /* - * Some hash functions (like SHA1 and RIPEMD160) generates hash - * which length is not multiple of 128 bits, but we want data - * length to be multiple of 128, so we can encrypt without - * padding. The line below rounds down data length to multiple - * of 128 bits. - */ - sc->sc_data_per_sector -= sc->sc_data_per_sector % 16; - - sc->sc_bytes_per_sector = - (md->md_sectorsize - 1) / sc->sc_data_per_sector + 1; - sc->sc_bytes_per_sector *= bpp->sectorsize; - } - gp->softc = sc; sc->sc_geom = gp; @@ -831,22 +762,10 @@ goto failed; } - sc->sc_sectorsize = md->md_sectorsize; - sc->sc_mediasize = bpp->mediasize; - if (!(sc->sc_flags & G_ELI_FLAG_ONETIME)) - sc->sc_mediasize -= bpp->sectorsize; - if (!(sc->sc_flags & G_ELI_FLAG_AUTH)) - sc->sc_mediasize -= (sc->sc_mediasize % sc->sc_sectorsize); - else { - sc->sc_mediasize /= sc->sc_bytes_per_sector; - sc->sc_mediasize *= sc->sc_sectorsize; - } - /* * Remember the keys in our softc structure. */ g_eli_mkey_propagate(sc, mkey); - sc->sc_ekeylen = md->md_keylen; LIST_INIT(&sc->sc_workers); Index: head/sys/geom/eli/g_eli_crypto.c =================================================================== --- head/sys/geom/eli/g_eli_crypto.c +++ head/sys/geom/eli/g_eli_crypto.c @@ -221,75 +221,3 @@ return (g_eli_crypto_cipher(algo, 0, data, datasize, key, keysize)); } - -void -g_eli_crypto_hmac_init(struct hmac_ctx *ctx, const uint8_t *hkey, - size_t hkeylen) -{ - u_char k_ipad[128], key[128]; - SHA512_CTX lctx; - u_int i; - - bzero(key, sizeof(key)); - if (hkeylen == 0) - ; /* do nothing */ - else if (hkeylen <= 128) - bcopy(hkey, key, hkeylen); - else { - /* If key is longer than 128 bytes reset it to key = SHA512(key). */ - SHA512_Init(&lctx); - SHA512_Update(&lctx, hkey, hkeylen); - SHA512_Final(key, &lctx); - } - - /* XOR key with ipad and opad values. */ - for (i = 0; i < sizeof(key); i++) { - k_ipad[i] = key[i] ^ 0x36; - ctx->k_opad[i] = key[i] ^ 0x5c; - } - bzero(key, sizeof(key)); - /* Perform inner SHA512. */ - SHA512_Init(&ctx->shactx); - SHA512_Update(&ctx->shactx, k_ipad, sizeof(k_ipad)); - bzero(k_ipad, sizeof(k_ipad)); -} - -void -g_eli_crypto_hmac_update(struct hmac_ctx *ctx, const uint8_t *data, - size_t datasize) -{ - - SHA512_Update(&ctx->shactx, data, datasize); -} - -void -g_eli_crypto_hmac_final(struct hmac_ctx *ctx, uint8_t *md, size_t mdsize) -{ - u_char digest[SHA512_MDLEN]; - SHA512_CTX lctx; - - SHA512_Final(digest, &ctx->shactx); - /* Perform outer SHA512. */ - SHA512_Init(&lctx); - SHA512_Update(&lctx, ctx->k_opad, sizeof(ctx->k_opad)); - bzero(ctx, sizeof(*ctx)); - SHA512_Update(&lctx, digest, sizeof(digest)); - SHA512_Final(digest, &lctx); - bzero(&lctx, sizeof(lctx)); - /* mdsize == 0 means "Give me the whole hash!" */ - if (mdsize == 0) - mdsize = SHA512_MDLEN; - bcopy(digest, md, mdsize); - bzero(digest, sizeof(digest)); -} - -void -g_eli_crypto_hmac(const uint8_t *hkey, size_t hkeysize, const uint8_t *data, - size_t datasize, uint8_t *md, size_t mdsize) -{ - struct hmac_ctx ctx; - - g_eli_crypto_hmac_init(&ctx, hkey, hkeysize); - g_eli_crypto_hmac_update(&ctx, data, datasize); - g_eli_crypto_hmac_final(&ctx, md, mdsize); -} Index: head/sys/geom/eli/g_eli_hmac.c =================================================================== --- head/sys/geom/eli/g_eli_hmac.c +++ head/sys/geom/eli/g_eli_hmac.c @@ -0,0 +1,150 @@ +/*- + * Copyright (c) 2005-2010 Pawel Jakub Dawidek + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include +__FBSDID("$FreeBSD$"); + +#include +#ifdef _KERNEL +#include +#include +#include +#else +#include +#include +#include +#include +#include +#include +#define _OpenSSL_ +#endif +#include + +void +g_eli_crypto_hmac_init(struct hmac_ctx *ctx, const uint8_t *hkey, + size_t hkeylen) +{ + u_char k_ipad[128], key[128]; + SHA512_CTX lctx; + u_int i; + + bzero(key, sizeof(key)); + if (hkeylen == 0) + ; /* do nothing */ + else if (hkeylen <= 128) + bcopy(hkey, key, hkeylen); + else { + /* If key is longer than 128 bytes reset it to key = SHA512(key). */ + SHA512_Init(&lctx); + SHA512_Update(&lctx, hkey, hkeylen); + SHA512_Final(key, &lctx); + } + + /* XOR key with ipad and opad values. */ + for (i = 0; i < sizeof(key); i++) { + k_ipad[i] = key[i] ^ 0x36; + ctx->k_opad[i] = key[i] ^ 0x5c; + } + bzero(key, sizeof(key)); + /* Perform inner SHA512. */ + SHA512_Init(&ctx->shactx); + SHA512_Update(&ctx->shactx, k_ipad, sizeof(k_ipad)); + bzero(k_ipad, sizeof(k_ipad)); +} + +void +g_eli_crypto_hmac_update(struct hmac_ctx *ctx, const uint8_t *data, + size_t datasize) +{ + + SHA512_Update(&ctx->shactx, data, datasize); +} + +void +g_eli_crypto_hmac_final(struct hmac_ctx *ctx, uint8_t *md, size_t mdsize) +{ + u_char digest[SHA512_MDLEN]; + SHA512_CTX lctx; + + SHA512_Final(digest, &ctx->shactx); + /* Perform outer SHA512. */ + SHA512_Init(&lctx); + SHA512_Update(&lctx, ctx->k_opad, sizeof(ctx->k_opad)); + bzero(ctx, sizeof(*ctx)); + SHA512_Update(&lctx, digest, sizeof(digest)); + SHA512_Final(digest, &lctx); + bzero(&lctx, sizeof(lctx)); + /* mdsize == 0 means "Give me the whole hash!" */ + if (mdsize == 0) + mdsize = SHA512_MDLEN; + bcopy(digest, md, mdsize); + bzero(digest, sizeof(digest)); +} + +void +g_eli_crypto_hmac(const uint8_t *hkey, size_t hkeysize, const uint8_t *data, + size_t datasize, uint8_t *md, size_t mdsize) +{ + struct hmac_ctx ctx; + + g_eli_crypto_hmac_init(&ctx, hkey, hkeysize); + g_eli_crypto_hmac_update(&ctx, data, datasize); + g_eli_crypto_hmac_final(&ctx, md, mdsize); +} + +/* + * Here we generate IV. It is unique for every sector. + */ +void +g_eli_crypto_ivgen(struct g_eli_softc *sc, off_t offset, u_char *iv, + size_t size) +{ + uint8_t off[8]; + + if ((sc->sc_flags & G_ELI_FLAG_NATIVE_BYTE_ORDER) != 0) + bcopy(&offset, off, sizeof(off)); + else + le64enc(off, (uint64_t)offset); + + switch (sc->sc_ealgo) { + case CRYPTO_AES_XTS: + bcopy(off, iv, sizeof(off)); + bzero(iv + sizeof(off), size - sizeof(off)); + break; + default: + { + u_char hash[SHA256_DIGEST_LENGTH]; + SHA256_CTX ctx; + + /* Copy precalculated SHA256 context for IV-Key. */ + bcopy(&sc->sc_ivctx, &ctx, sizeof(ctx)); + SHA256_Update(&ctx, off, sizeof(off)); + SHA256_Final(hash, &ctx); + bcopy(hash, iv, MIN(sizeof(hash), size)); + break; + } + } +} Index: head/sys/geom/eli/g_eli_key_cache.c =================================================================== --- head/sys/geom/eli/g_eli_key_cache.c +++ head/sys/geom/eli/g_eli_key_cache.c @@ -28,17 +28,20 @@ __FBSDID("$FreeBSD$"); #include +#ifdef _KERNEL #include #include -#include #include #include +#endif /* _KERNEL */ +#include #include #include #include +#ifdef _KERNEL MALLOC_DECLARE(M_ELI); SYSCTL_DECL(_kern_geom_eli); @@ -56,22 +59,7 @@ SYSCTL_UQUAD(_kern_geom_eli, OID_AUTO, key_cache_misses, CTLFLAG_RW, &g_eli_key_cache_misses, 0, "Key cache misses"); -#define G_ELI_KEY_MAGIC 0xe11341c - -struct g_eli_key { - /* Key value, must be first in the structure. */ - uint8_t gek_key[G_ELI_DATAKEYLEN]; - /* Magic. */ - int gek_magic; - /* Key number. */ - uint64_t gek_keyno; - /* Reference counter. */ - int gek_count; - /* Keeps keys sorted by most recent use. */ - TAILQ_ENTRY(g_eli_key) gek_next; - /* Keeps keys sorted by number. */ - RB_ENTRY(g_eli_key) gek_link; -}; +#endif /* _KERNEL */ static int g_eli_key_cmp(const struct g_eli_key *a, const struct g_eli_key *b) @@ -84,10 +72,7 @@ return (0); } -RB_PROTOTYPE(g_eli_key_tree, g_eli_key, gek_link, g_eli_key_cmp); -RB_GENERATE(g_eli_key_tree, g_eli_key, gek_link, g_eli_key_cmp); - -static void +void g_eli_key_fill(struct g_eli_softc *sc, struct g_eli_key *key, uint64_t keyno) { const uint8_t *ekey; @@ -110,6 +95,10 @@ key->gek_magic = G_ELI_KEY_MAGIC; } +#ifdef _KERNEL +RB_PROTOTYPE(g_eli_key_tree, g_eli_key, gek_link, g_eli_key_cmp); +RB_GENERATE(g_eli_key_tree, g_eli_key, gek_link, g_eli_key_cmp); + static struct g_eli_key * g_eli_key_allocate(struct g_eli_softc *sc, uint64_t keyno) { @@ -350,3 +339,4 @@ } mtx_unlock(&sc->sc_ekeys_lock); } +#endif /* _KERNEL */ Index: head/sys/geom/eli/pkcs5v2.c =================================================================== --- head/sys/geom/eli/pkcs5v2.c +++ head/sys/geom/eli/pkcs5v2.c @@ -83,6 +83,7 @@ } #ifndef _KERNEL +#ifndef _STAND /* * Return the number of microseconds needed for 'interations' iterations. */ @@ -120,4 +121,5 @@ } return (((intmax_t)iterations * (intmax_t)usecs) / v); } +#endif /* !_STAND */ #endif /* !_KERNEL */ Index: head/sys/modules/geom/geom_eli/Makefile =================================================================== --- head/sys/modules/geom/geom_eli/Makefile +++ head/sys/modules/geom/geom_eli/Makefile @@ -6,6 +6,7 @@ SRCS= g_eli.c SRCS+= g_eli_crypto.c SRCS+= g_eli_ctl.c +SRCS+= g_eli_hmac.c SRCS+= g_eli_integrity.c SRCS+= g_eli_key.c SRCS+= g_eli_key_cache.c