85c15ab853
The PBKDF2 in sys/geom/eli/pkcs5v2.c is around half the speed it could be GELI's PBKDF2 uses a simple benchmark to determine a number of iterations that will takes approximately 2 seconds. The security provided is actually half what is expected, because an attacker could use the optimized algorithm to brute force the key in half the expected time. With this change, all newly generated GELI keys will be approximately 2x as strong. Previously generated keys will talk half as long to calculate, resulting in faster mounting of encrypted volumes. Users may choose to rekey, to generate a new key with the larger default number of iterations using the geli(8) setkey command. Security of existing data is not compromised, as ~1 second per brute force attempt is still a very high threshold. PR: 202365 Original Research: https://jbp.io/2015/08/11/pbkdf2-performance-matters/ Submitted by: Joe Pixton <jpixton@gmail.com> (Original Version), jmg (Later Version) Reviewed by: ed, pjd, delphij Approved by: secteam, pjd (maintainer) MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D8236
154 lines
4.3 KiB
C
154 lines
4.3 KiB
C
/*-
|
|
* Copyright (c) 2005-2010 Pawel Jakub Dawidek <pjd@FreeBSD.org>
|
|
* All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
|
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
* SUCH DAMAGE.
|
|
*/
|
|
|
|
#include <sys/cdefs.h>
|
|
__FBSDID("$FreeBSD$");
|
|
|
|
#include <sys/param.h>
|
|
#ifdef _KERNEL
|
|
#include <sys/systm.h>
|
|
#include <sys/kernel.h>
|
|
#include <sys/malloc.h>
|
|
#else
|
|
#include <stdint.h>
|
|
#include <string.h>
|
|
#include <strings.h>
|
|
#include <errno.h>
|
|
#include <assert.h>
|
|
#include <openssl/evp.h>
|
|
#define _OpenSSL_
|
|
#endif
|
|
#include <geom/eli/g_eli.h>
|
|
|
|
void
|
|
g_eli_crypto_hmac_init(struct hmac_ctx *ctx, const uint8_t *hkey,
|
|
size_t hkeylen)
|
|
{
|
|
u_char k_ipad[128], k_opad[128], key[128];
|
|
SHA512_CTX lctx;
|
|
u_int i;
|
|
|
|
bzero(key, sizeof(key));
|
|
if (hkeylen == 0)
|
|
; /* do nothing */
|
|
else if (hkeylen <= 128)
|
|
bcopy(hkey, key, hkeylen);
|
|
else {
|
|
/* If key is longer than 128 bytes reset it to key = SHA512(key). */
|
|
SHA512_Init(&lctx);
|
|
SHA512_Update(&lctx, hkey, hkeylen);
|
|
SHA512_Final(key, &lctx);
|
|
}
|
|
|
|
/* XOR key with ipad and opad values. */
|
|
for (i = 0; i < sizeof(key); i++) {
|
|
k_ipad[i] = key[i] ^ 0x36;
|
|
k_opad[i] = key[i] ^ 0x5c;
|
|
}
|
|
explicit_bzero(key, sizeof(key));
|
|
/* Start inner SHA512. */
|
|
SHA512_Init(&ctx->innerctx);
|
|
SHA512_Update(&ctx->innerctx, k_ipad, sizeof(k_ipad));
|
|
explicit_bzero(k_ipad, sizeof(k_ipad));
|
|
/* Start outer SHA512. */
|
|
SHA512_Init(&ctx->outerctx);
|
|
SHA512_Update(&ctx->outerctx, k_opad, sizeof(k_opad));
|
|
explicit_bzero(k_opad, sizeof(k_opad));
|
|
}
|
|
|
|
void
|
|
g_eli_crypto_hmac_update(struct hmac_ctx *ctx, const uint8_t *data,
|
|
size_t datasize)
|
|
{
|
|
|
|
SHA512_Update(&ctx->innerctx, data, datasize);
|
|
}
|
|
|
|
void
|
|
g_eli_crypto_hmac_final(struct hmac_ctx *ctx, uint8_t *md, size_t mdsize)
|
|
{
|
|
u_char digest[SHA512_MDLEN];
|
|
|
|
/* Complete inner hash */
|
|
SHA512_Final(digest, &ctx->innerctx);
|
|
|
|
/* Complete outer hash */
|
|
SHA512_Update(&ctx->outerctx, digest, sizeof(digest));
|
|
SHA512_Final(digest, &ctx->outerctx);
|
|
|
|
explicit_bzero(ctx, sizeof(*ctx));
|
|
/* mdsize == 0 means "Give me the whole hash!" */
|
|
if (mdsize == 0)
|
|
mdsize = SHA512_MDLEN;
|
|
bcopy(digest, md, mdsize);
|
|
explicit_bzero(digest, sizeof(digest));
|
|
}
|
|
|
|
void
|
|
g_eli_crypto_hmac(const uint8_t *hkey, size_t hkeysize, const uint8_t *data,
|
|
size_t datasize, uint8_t *md, size_t mdsize)
|
|
{
|
|
struct hmac_ctx ctx;
|
|
|
|
g_eli_crypto_hmac_init(&ctx, hkey, hkeysize);
|
|
g_eli_crypto_hmac_update(&ctx, data, datasize);
|
|
g_eli_crypto_hmac_final(&ctx, md, mdsize);
|
|
}
|
|
|
|
/*
|
|
* Here we generate IV. It is unique for every sector.
|
|
*/
|
|
void
|
|
g_eli_crypto_ivgen(struct g_eli_softc *sc, off_t offset, u_char *iv,
|
|
size_t size)
|
|
{
|
|
uint8_t off[8];
|
|
|
|
if ((sc->sc_flags & G_ELI_FLAG_NATIVE_BYTE_ORDER) != 0)
|
|
bcopy(&offset, off, sizeof(off));
|
|
else
|
|
le64enc(off, (uint64_t)offset);
|
|
|
|
switch (sc->sc_ealgo) {
|
|
case CRYPTO_AES_XTS:
|
|
bcopy(off, iv, sizeof(off));
|
|
bzero(iv + sizeof(off), size - sizeof(off));
|
|
break;
|
|
default:
|
|
{
|
|
u_char hash[SHA256_DIGEST_LENGTH];
|
|
SHA256_CTX ctx;
|
|
|
|
/* Copy precalculated SHA256 context for IV-Key. */
|
|
bcopy(&sc->sc_ivctx, &ctx, sizeof(ctx));
|
|
SHA256_Update(&ctx, off, sizeof(off));
|
|
SHA256_Final(hash, &ctx);
|
|
bcopy(hash, iv, MIN(sizeof(hash), size));
|
|
break;
|
|
}
|
|
}
|
|
}
|