1 /*-
2 * Copyright (c) 2015 Allan Jude <[email protected]>
3 * Copyright (c) 2005-2011 Pawel Jakub Dawidek <[email protected]>
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25 * SUCH DAMAGE.
26 *
27 * $FreeBSD$
28 */
29
30 #include <stand.h>
31 #include <stdarg.h>
32 #include "geliboot.h"
33 #include "geliboot_internal.h"
34
35 struct known_dev {
36 char name[GELIDEV_NAMELEN];
37 struct geli_dev *gdev;
38 SLIST_ENTRY(known_dev) entries;
39 };
40
41 SLIST_HEAD(known_dev_list, known_dev) known_devs_head =
42 SLIST_HEAD_INITIALIZER(known_devs_head);
43
44 static geli_ukey saved_keys[GELI_MAX_KEYS];
45 static unsigned int nsaved_keys = 0;
46
47 /*
48 * Copy keys from local storage to the keybuf struct.
49 * Destroy the local storage when finished.
50 */
51 void
geli_export_key_buffer(struct keybuf * fkeybuf)52 geli_export_key_buffer(struct keybuf *fkeybuf)
53 {
54 unsigned int i;
55
56 for (i = 0; i < nsaved_keys; i++) {
57 fkeybuf->kb_ents[i].ke_type = KEYBUF_TYPE_GELI;
58 memcpy(fkeybuf->kb_ents[i].ke_data, saved_keys[i],
59 G_ELI_USERKEYLEN);
60 }
61 fkeybuf->kb_nents = nsaved_keys;
62 explicit_bzero(saved_keys, sizeof(saved_keys));
63 }
64
65 /*
66 * Copy keys from a keybuf struct into local storage.
67 * Zero out the keybuf.
68 */
69 void
geli_import_key_buffer(struct keybuf * skeybuf)70 geli_import_key_buffer(struct keybuf *skeybuf)
71 {
72 unsigned int i;
73
74 for (i = 0; i < skeybuf->kb_nents && i < GELI_MAX_KEYS; i++) {
75 memcpy(saved_keys[i], skeybuf->kb_ents[i].ke_data,
76 G_ELI_USERKEYLEN);
77 explicit_bzero(skeybuf->kb_ents[i].ke_data,
78 G_ELI_USERKEYLEN);
79 skeybuf->kb_ents[i].ke_type = KEYBUF_TYPE_NONE;
80 }
81 nsaved_keys = skeybuf->kb_nents;
82 skeybuf->kb_nents = 0;
83 }
84
85 void
geli_add_key(geli_ukey key)86 geli_add_key(geli_ukey key)
87 {
88
89 /*
90 * If we run out of key space, the worst that will happen is
91 * it will ask the user for the password again.
92 */
93 if (nsaved_keys < GELI_MAX_KEYS) {
94 memcpy(saved_keys[nsaved_keys], key, G_ELI_USERKEYLEN);
95 nsaved_keys++;
96 }
97 }
98
99 static int
geli_findkey(struct geli_dev * gdev,u_char * mkey)100 geli_findkey(struct geli_dev *gdev, u_char *mkey)
101 {
102 u_int keynum;
103 int i;
104
105 if (gdev->keybuf_slot >= 0) {
106 if (g_eli_mkey_decrypt_any(&gdev->md, saved_keys[gdev->keybuf_slot],
107 mkey, &keynum) == 0) {
108 return (0);
109 }
110 }
111
112 for (i = 0; i < nsaved_keys; i++) {
113 if (g_eli_mkey_decrypt_any(&gdev->md, saved_keys[i], mkey,
114 &keynum) == 0) {
115 gdev->keybuf_slot = i;
116 return (0);
117 }
118 }
119
120 return (1);
121 }
122
123 /*
124 * Read the last sector of a drive or partition and see if it is GELI encrypted.
125 */
126 struct geli_dev *
geli_taste(geli_readfunc readfunc,void * readpriv,daddr_t lastsector,const char * namefmt,...)127 geli_taste(geli_readfunc readfunc, void *readpriv, daddr_t lastsector,
128 const char *namefmt, ...)
129 {
130 va_list args;
131 struct g_eli_metadata md;
132 struct known_dev *kdev;
133 struct geli_dev *gdev;
134 u_char *buf;
135 char devname[GELIDEV_NAMELEN];
136 int error;
137 off_t alignsector;
138
139 /*
140 * Format the name into a temp buffer and use that to search for an
141 * existing known_dev instance. If not found, this has the side effect
142 * of initializing kdev to NULL.
143 */
144 va_start(args, namefmt);
145 vsnprintf(devname, sizeof(devname), namefmt, args);
146 va_end(args);
147 SLIST_FOREACH(kdev, &known_devs_head, entries) {
148 if (strcmp(kdev->name, devname) == 0)
149 return (kdev->gdev);
150 }
151
152 /* Determine whether the new device is geli-encrypted... */
153 if ((buf = malloc(DEV_GELIBOOT_BSIZE)) == NULL)
154 goto out;
155 alignsector = rounddown2(lastsector * DEV_BSIZE, DEV_GELIBOOT_BSIZE);
156 if (alignsector + DEV_GELIBOOT_BSIZE > ((lastsector + 1) * DEV_BSIZE)) {
157 /* Don't read past the end of the disk */
158 alignsector = (lastsector * DEV_BSIZE) + DEV_BSIZE -
159 DEV_GELIBOOT_BSIZE;
160 }
161 error = readfunc(NULL, readpriv, alignsector, buf, DEV_GELIBOOT_BSIZE);
162 if (error != 0) {
163 goto out;
164 }
165
166 /*
167 * We have a new known_device. Whether it's geli-encrypted or not,
168 * record its existance so we can avoid doing IO to probe it next time.
169 */
170 if ((kdev = malloc(sizeof(*kdev))) == NULL)
171 goto out;
172 strlcpy(kdev->name, devname, sizeof(kdev->name));
173 kdev->gdev = NULL;
174 SLIST_INSERT_HEAD(&known_devs_head, kdev, entries);
175
176 /* Extract the last 4k sector of the disk. */
177 error = eli_metadata_decode(buf, &md);
178 if (error != 0) {
179 /* Try the last 512 byte sector instead. */
180 error = eli_metadata_decode(buf +
181 (DEV_GELIBOOT_BSIZE - DEV_BSIZE), &md);
182 if (error != 0) {
183 goto out;
184 }
185 }
186
187 if (!(md.md_flags & G_ELI_FLAG_GELIBOOT)) {
188 /* The GELIBOOT feature is not activated */
189 goto out;
190 }
191 if ((md.md_flags & G_ELI_FLAG_ONETIME)) {
192 /* Swap device, skip it. */
193 goto out;
194 }
195
196 /*
197 * It's geli-encrypted, create a geli_dev for it and link it into the
198 * known_dev instance.
199 */
200 gdev = malloc(sizeof(struct geli_dev));
201 if (gdev == NULL)
202 goto out;
203 gdev->part_end = lastsector;
204 gdev->keybuf_slot = -1;
205 gdev->md = md;
206 gdev->name = kdev->name;
207 eli_metadata_softc(&gdev->sc, &md, DEV_BSIZE,
208 (lastsector + DEV_BSIZE) * DEV_BSIZE);
209 kdev->gdev = gdev;
210 out:
211 free(buf);
212 if (kdev == NULL)
213 return (NULL);
214 return (kdev->gdev);
215 }
216
217 /*
218 * Attempt to decrypt the device. This will try existing keys first, then will
219 * prompt for a passphrase if there are no existing keys that work.
220 */
221 static int
geli_probe(struct geli_dev * gdev,const char * passphrase,u_char * mkeyp)222 geli_probe(struct geli_dev *gdev, const char *passphrase, u_char *mkeyp)
223 {
224 u_char key[G_ELI_USERKEYLEN], mkey[G_ELI_DATAIVKEYLEN], *mkp;
225 u_int keynum;
226 struct hmac_ctx ctx;
227 int error;
228
229 if (mkeyp != NULL) {
230 memcpy(&mkey, mkeyp, G_ELI_DATAIVKEYLEN);
231 explicit_bzero(mkeyp, G_ELI_DATAIVKEYLEN);
232 goto found_key;
233 }
234
235 if (geli_findkey(gdev, mkey) == 0) {
236 goto found_key;
237 }
238
239 g_eli_crypto_hmac_init(&ctx, NULL, 0);
240 /*
241 * Prepare Derived-Key from the user passphrase.
242 */
243 if (gdev->md.md_iterations < 0) {
244 /* XXX TODO: Support loading key files. */
245 return (1);
246 } else if (gdev->md.md_iterations == 0) {
247 g_eli_crypto_hmac_update(&ctx, gdev->md.md_salt,
248 sizeof(gdev->md.md_salt));
249 g_eli_crypto_hmac_update(&ctx, (const uint8_t *)passphrase,
250 strlen(passphrase));
251 } else if (gdev->md.md_iterations > 0) {
252 printf("Calculating GELI Decryption Key for %s %d"
253 " iterations...\n", gdev->name, gdev->md.md_iterations);
254 u_char dkey[G_ELI_USERKEYLEN];
255
256 pkcs5v2_genkey(dkey, sizeof(dkey), gdev->md.md_salt,
257 sizeof(gdev->md.md_salt), passphrase,
258 gdev->md.md_iterations);
259 g_eli_crypto_hmac_update(&ctx, dkey, sizeof(dkey));
260 explicit_bzero(dkey, sizeof(dkey));
261 }
262
263 g_eli_crypto_hmac_final(&ctx, key, 0);
264
265 error = g_eli_mkey_decrypt_any(&gdev->md, key, mkey, &keynum);
266 if (error == -1) {
267 explicit_bzero(mkey, sizeof(mkey));
268 explicit_bzero(key, sizeof(key));
269 printf("Bad GELI key: bad password?\n");
270 return (error);
271 } else if (error != 0) {
272 explicit_bzero(mkey, sizeof(mkey));
273 explicit_bzero(key, sizeof(key));
274 printf("Failed to decrypt GELI master key: %d\n", error);
275 return (error);
276 } else {
277 /* Add key to keychain */
278 geli_add_key(key);
279 explicit_bzero(&key, sizeof(key));
280 }
281
282 found_key:
283 /* Store the keys */
284 bcopy(mkey, gdev->sc.sc_mkey, sizeof(gdev->sc.sc_mkey));
285 bcopy(mkey, gdev->sc.sc_ivkey, sizeof(gdev->sc.sc_ivkey));
286 mkp = mkey + sizeof(gdev->sc.sc_ivkey);
287 if ((gdev->sc.sc_flags & G_ELI_FLAG_AUTH) == 0) {
288 bcopy(mkp, gdev->sc.sc_ekey, G_ELI_DATAKEYLEN);
289 } else {
290 /*
291 * The encryption key is: ekey = HMAC_SHA512(Data-Key, 0x10)
292 */
293 g_eli_crypto_hmac(mkp, G_ELI_MAXKEYLEN, (const uint8_t *)"\x10", 1,
294 gdev->sc.sc_ekey, 0);
295 }
296 explicit_bzero(mkey, sizeof(mkey));
297
298 /* Initialize the per-sector IV. */
299 switch (gdev->sc.sc_ealgo) {
300 case CRYPTO_AES_XTS:
301 break;
302 default:
303 SHA256_Init(&gdev->sc.sc_ivctx);
304 SHA256_Update(&gdev->sc.sc_ivctx, gdev->sc.sc_ivkey,
305 sizeof(gdev->sc.sc_ivkey));
306 break;
307 }
308
309 return (0);
310 }
311
312 int
geli_read(struct geli_dev * gdev,off_t offset,u_char * buf,size_t bytes)313 geli_read(struct geli_dev *gdev, off_t offset, u_char *buf, size_t bytes)
314 {
315 u_char iv[G_ELI_IVKEYLEN];
316 u_char *pbuf;
317 int error;
318 off_t dstoff;
319 uint64_t keyno;
320 size_t n, nsec, secsize;
321 struct g_eli_key gkey;
322
323 pbuf = buf;
324
325 secsize = gdev->sc.sc_sectorsize;
326 nsec = bytes / secsize;
327 if (nsec == 0) {
328 /*
329 * A read of less than the GELI sector size has been
330 * requested. The caller provided destination buffer may
331 * not be big enough to boost the read to a full sector,
332 * so just attempt to decrypt the truncated sector.
333 */
334 secsize = bytes;
335 nsec = 1;
336 }
337
338 for (n = 0, dstoff = offset; n < nsec; n++, dstoff += secsize) {
339
340 g_eli_crypto_ivgen(&gdev->sc, dstoff, iv, G_ELI_IVKEYLEN);
341
342 /* Get the key that corresponds to this offset. */
343 keyno = (dstoff >> G_ELI_KEY_SHIFT) / secsize;
344 g_eli_key_fill(&gdev->sc, &gkey, keyno);
345
346 error = geliboot_crypt(gdev->sc.sc_ealgo, 0, pbuf, secsize,
347 gkey.gek_key, gdev->sc.sc_ekeylen, iv);
348
349 if (error != 0) {
350 explicit_bzero(&gkey, sizeof(gkey));
351 printf("Failed to decrypt in geli_read()!");
352 return (error);
353 }
354 pbuf += secsize;
355 }
356 explicit_bzero(&gkey, sizeof(gkey));
357 return (0);
358 }
359
360 int
geli_havekey(struct geli_dev * gdev)361 geli_havekey(struct geli_dev *gdev)
362 {
363 u_char mkey[G_ELI_DATAIVKEYLEN];
364 int err;
365
366 err = ENOENT;
367 if (geli_findkey(gdev, mkey) == 0) {
368 if (geli_probe(gdev, NULL, mkey) == 0)
369 err = 0;
370 explicit_bzero(mkey, sizeof(mkey));
371 }
372 return (err);
373 }
374
375 int
geli_passphrase(struct geli_dev * gdev,char * pw)376 geli_passphrase(struct geli_dev *gdev, char *pw)
377 {
378 int i;
379
380 /* TODO: Implement GELI keyfile(s) support */
381 for (i = 0; i < 3; i++) {
382 /* Try cached passphrase */
383 if (i == 0 && pw[0] != '\0') {
384 if (geli_probe(gdev, pw, NULL) == 0) {
385 return (0);
386 }
387 }
388 printf("GELI Passphrase for %s ", gdev->name);
389 pwgets(pw, GELI_PW_MAXLEN,
390 (gdev->md.md_flags & G_ELI_FLAG_GELIDISPLAYPASS) == 0);
391 printf("\n");
392 if (geli_probe(gdev, pw, NULL) == 0) {
393 return (0);
394 }
395 }
396
397 return (1);
398 }
399