197318Sphk/*- 297318Sphk * Copyright (c) 2002 Poul-Henning Kamp 397318Sphk * Copyright (c) 2002 Networks Associates Technology, Inc. 497318Sphk * All rights reserved. 597318Sphk * 697318Sphk * This software was developed for the FreeBSD Project by Poul-Henning Kamp 797318Sphk * and NAI Labs, the Security Research Division of Network Associates, Inc. 897318Sphk * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the 997318Sphk * DARPA CHATS research program. 1097318Sphk * 1197318Sphk * Redistribution and use in source and binary forms, with or without 1297318Sphk * modification, are permitted provided that the following conditions 1397318Sphk * are met: 1497318Sphk * 1. Redistributions of source code must retain the above copyright 1597318Sphk * notice, this list of conditions and the following disclaimer. 1697318Sphk * 2. Redistributions in binary form must reproduce the above copyright 1797318Sphk * notice, this list of conditions and the following disclaimer in the 1897318Sphk * documentation and/or other materials provided with the distribution. 1997318Sphk * 3. The names of the authors may not be used to endorse or promote 2097318Sphk * products derived from this software without specific prior written 2197318Sphk * permission. 2297318Sphk * 2397318Sphk * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 2497318Sphk * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 2597318Sphk * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 2697318Sphk * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 2797318Sphk * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 2897318Sphk * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 2997318Sphk * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 3097318Sphk * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 3197318Sphk * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 3297318Sphk * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 3397318Sphk * SUCH DAMAGE. 34139778Simp */ 35139778Simp 36139778Simp/* 3797318Sphk * This method provides AES encryption with a compiled in key (default 3897318Sphk * all zeroes). 3997318Sphk * 4097318Sphk * XXX: This could probably save a lot of code by pretending to be a slicer. 4197318Sphk */ 4297318Sphk 43116196Sobrien#include <sys/cdefs.h> 44116196Sobrien__FBSDID("$FreeBSD: releng/10.3/sys/geom/geom_aes.c 243333 2012-11-20 12:32:18Z jh $"); 45116196Sobrien 4697318Sphk#include <sys/param.h> 4797318Sphk#include <sys/systm.h> 4897318Sphk#include <sys/kernel.h> 4997318Sphk#include <sys/conf.h> 5097318Sphk#include <sys/bio.h> 5197318Sphk#include <sys/malloc.h> 5297318Sphk#include <sys/lock.h> 5397318Sphk#include <sys/mutex.h> 5498987Sphk#include <sys/libkern.h> 55104087Sphk#include <sys/endian.h> 5698987Sphk#include <sys/md5.h> 5797318Sphk#include <sys/errno.h> 5897318Sphk#include <geom/geom.h> 5997318Sphk 60143418Sume#include <crypto/rijndael/rijndael-api-fst.h> 6197318Sphk 6297318Sphk#define AES_CLASS_NAME "AES" 6397318Sphk 6498987Sphk#define MASTER_KEY_LENGTH (1024/8) 6598987Sphk 66107953Sphkstatic const u_char *aes_magic = "<<FreeBSD-GEOM-AES>>"; 67107953Sphkstatic const u_char *aes_magic_random = "<<FreeBSD-GEOM-AES-RANDOM>>"; 68107953Sphkstatic const u_char *aes_magic_test = "<<FreeBSD-GEOM-AES-TEST>>"; 6997318Sphk 7097318Sphk 7197318Sphkstruct g_aes_softc { 7298987Sphk enum { 7398987Sphk KEY_ZERO, 7498987Sphk KEY_RANDOM, 7598987Sphk KEY_TEST 7698987Sphk } keying; 7797318Sphk u_int sectorsize; 7897318Sphk off_t mediasize; 7997318Sphk cipherInstance ci; 8098987Sphk u_char master_key[MASTER_KEY_LENGTH]; 8197318Sphk}; 8297318Sphk 8398987Sphk/* 8498987Sphk * Generate a sectorkey from the masterkey and the offset position. 8598987Sphk * 8698987Sphk * For KEY_ZERO we just return a key of all zeros. 8798987Sphk * 8898987Sphk * We feed the sector byte offset, 16 bytes of the master-key and 8998987Sphk * the sector byte offset once more to MD5. 9098987Sphk * The sector byte offset is converted to little-endian format first 9198987Sphk * to support multi-architecture operation. 9298987Sphk * We use 16 bytes from the master-key starting at the logical sector 9398987Sphk * number modulus he length of the master-key. If need be we wrap 9498987Sphk * around to the start of the master-key. 9598987Sphk */ 9698987Sphk 9797318Sphkstatic void 9898987Sphkg_aes_makekey(struct g_aes_softc *sc, off_t off, keyInstance *ki, int dir) 9998987Sphk{ 10098987Sphk MD5_CTX cx; 10198987Sphk u_int64_t u64; 10298987Sphk u_int u, u1; 10398987Sphk u_char *p, buf[16]; 10498987Sphk 10598987Sphk if (sc->keying == KEY_ZERO) { 10698987Sphk rijndael_makeKey(ki, dir, 128, sc->master_key); 10798987Sphk return; 10898987Sphk } 10998987Sphk MD5Init(&cx); 11098987Sphk u64 = htole64(off); 11198987Sphk MD5Update(&cx, (u_char *)&u64, sizeof(u64)); 11298987Sphk u = off / sc->sectorsize; 11398987Sphk u %= sizeof sc->master_key; 11498987Sphk p = sc->master_key + u; 11598987Sphk if (u + 16 <= sizeof(sc->master_key)) { 11698987Sphk MD5Update(&cx, p, 16); 11798987Sphk } else { 11898987Sphk u1 = sizeof sc->master_key - u; 11998987Sphk MD5Update(&cx, p, u1); 12098987Sphk MD5Update(&cx, sc->master_key, 16 - u1); 12198987Sphk u1 = 0; /* destroy evidence */ 12298987Sphk } 12398987Sphk u = 0; /* destroy evidence */ 12498987Sphk MD5Update(&cx, (u_char *)&u64, sizeof(u64)); 12598987Sphk u64 = 0; /* destroy evidence */ 12698987Sphk MD5Final(buf, &cx); 12798987Sphk bzero(&cx, sizeof cx); /* destroy evidence */ 12898987Sphk rijndael_makeKey(ki, dir, 128, buf); 12998987Sphk bzero(buf, sizeof buf); /* destroy evidence */ 13098987Sphk 13198987Sphk} 13298987Sphk 13398987Sphkstatic void 13497318Sphkg_aes_read_done(struct bio *bp) 13597318Sphk{ 13697318Sphk struct g_geom *gp; 13797318Sphk struct g_aes_softc *sc; 13897318Sphk u_char *p, *b, *e, *sb; 13998987Sphk keyInstance dkey; 14098987Sphk off_t o; 14197318Sphk 14297318Sphk gp = bp->bio_from->geom; 14397318Sphk sc = gp->softc; 144111119Simp sb = g_malloc(sc->sectorsize, M_WAITOK); 14597318Sphk b = bp->bio_data; 14697318Sphk e = bp->bio_data; 14797318Sphk e += bp->bio_length; 14898987Sphk o = bp->bio_offset - sc->sectorsize; 14997318Sphk for (p = b; p < e; p += sc->sectorsize) { 15098987Sphk g_aes_makekey(sc, o, &dkey, DIR_DECRYPT); 15198987Sphk rijndael_blockDecrypt(&sc->ci, &dkey, p, sc->sectorsize * 8, sb); 15297318Sphk bcopy(sb, p, sc->sectorsize); 15398987Sphk o += sc->sectorsize; 15497318Sphk } 15598987Sphk bzero(&dkey, sizeof dkey); /* destroy evidence */ 15698987Sphk bzero(sb, sc->sectorsize); /* destroy evidence */ 15798987Sphk g_free(sb); 15897318Sphk g_std_done(bp); 15997318Sphk} 16097318Sphk 16197318Sphkstatic void 16297318Sphkg_aes_write_done(struct bio *bp) 16397318Sphk{ 16497318Sphk 16598987Sphk bzero(bp->bio_data, bp->bio_length); /* destroy evidence */ 16697318Sphk g_free(bp->bio_data); 16797318Sphk g_std_done(bp); 16897318Sphk} 16997318Sphk 17097318Sphkstatic void 17197318Sphkg_aes_start(struct bio *bp) 17297318Sphk{ 17397318Sphk struct g_geom *gp; 17497318Sphk struct g_consumer *cp; 17597318Sphk struct g_aes_softc *sc; 17697318Sphk struct bio *bp2; 17797318Sphk u_char *p1, *p2, *b, *e; 17898987Sphk keyInstance ekey; 17998987Sphk off_t o; 18097318Sphk 18197318Sphk gp = bp->bio_to->geom; 18297318Sphk cp = LIST_FIRST(&gp->consumer); 18397318Sphk sc = gp->softc; 18497318Sphk switch (bp->bio_cmd) { 18597318Sphk case BIO_READ: 18697318Sphk bp2 = g_clone_bio(bp); 187104057Sphk if (bp2 == NULL) { 188104195Sphk g_io_deliver(bp, ENOMEM); 189104057Sphk return; 190104057Sphk } 19197318Sphk bp2->bio_done = g_aes_read_done; 19297318Sphk bp2->bio_offset += sc->sectorsize; 19397318Sphk g_io_request(bp2, cp); 19497318Sphk break; 19597318Sphk case BIO_WRITE: 19697318Sphk bp2 = g_clone_bio(bp); 197104057Sphk if (bp2 == NULL) { 198104195Sphk g_io_deliver(bp, ENOMEM); 199104057Sphk return; 200104057Sphk } 20197318Sphk bp2->bio_done = g_aes_write_done; 20297318Sphk bp2->bio_offset += sc->sectorsize; 203111119Simp bp2->bio_data = g_malloc(bp->bio_length, M_WAITOK); 20497318Sphk b = bp->bio_data; 20597318Sphk e = bp->bio_data; 20697318Sphk e += bp->bio_length; 20797318Sphk p2 = bp2->bio_data; 20898987Sphk o = bp->bio_offset; 20997318Sphk for (p1 = b; p1 < e; p1 += sc->sectorsize) { 21098987Sphk g_aes_makekey(sc, o, &ekey, DIR_ENCRYPT); 21198987Sphk rijndael_blockEncrypt(&sc->ci, &ekey, 21297318Sphk p1, sc->sectorsize * 8, p2); 21397318Sphk p2 += sc->sectorsize; 21498987Sphk o += sc->sectorsize; 21597318Sphk } 21698987Sphk bzero(&ekey, sizeof ekey); /* destroy evidence */ 21797318Sphk g_io_request(bp2, cp); 21897318Sphk break; 21997318Sphk case BIO_GETATTR: 22097318Sphk bp2 = g_clone_bio(bp); 221104057Sphk if (bp2 == NULL) { 222104195Sphk g_io_deliver(bp, ENOMEM); 223104057Sphk return; 224104057Sphk } 22597318Sphk bp2->bio_done = g_std_done; 22697318Sphk bp2->bio_offset += sc->sectorsize; 22797318Sphk g_io_request(bp2, cp); 22897318Sphk break; 22997318Sphk default: 230104195Sphk g_io_deliver(bp, EOPNOTSUPP); 23197318Sphk return; 23297318Sphk } 23397318Sphk return; 23497318Sphk} 23597318Sphk 23697318Sphkstatic void 23797318Sphkg_aes_orphan(struct g_consumer *cp) 23897318Sphk{ 23997318Sphk struct g_geom *gp; 24098987Sphk struct g_aes_softc *sc; 24197318Sphk 24297318Sphk g_trace(G_T_TOPOLOGY, "g_aes_orphan(%p/%s)", cp, cp->provider->name); 24397318Sphk g_topology_assert(); 24497318Sphk 24597318Sphk gp = cp->geom; 24698987Sphk sc = gp->softc; 247238198Strasz g_wither_geom(gp, ENXIO); 24898987Sphk bzero(sc, sizeof(struct g_aes_softc)); /* destroy evidence */ 249114532Sphk g_free(sc); 25097318Sphk return; 25197318Sphk} 25297318Sphk 25397318Sphkstatic int 25497318Sphkg_aes_access(struct g_provider *pp, int dr, int dw, int de) 25597318Sphk{ 25697318Sphk struct g_geom *gp; 25797318Sphk struct g_consumer *cp; 25897318Sphk 25997318Sphk gp = pp->geom; 26097318Sphk cp = LIST_FIRST(&gp->consumer); 26197318Sphk /* On first open, grab an extra "exclusive" bit */ 26297318Sphk if (cp->acr == 0 && cp->acw == 0 && cp->ace == 0) 26397318Sphk de++; 26497318Sphk /* ... and let go of it on last close */ 26597318Sphk if ((cp->acr + dr) == 0 && (cp->acw + dw) == 0 && (cp->ace + de) == 1) 26697318Sphk de--; 267125755Sphk return (g_access(cp, dr, dw, de)); 26897318Sphk} 26997318Sphk 27097318Sphkstatic struct g_geom * 27197318Sphkg_aes_taste(struct g_class *mp, struct g_provider *pp, int flags __unused) 27297318Sphk{ 27397318Sphk struct g_geom *gp; 27497318Sphk struct g_consumer *cp; 27597318Sphk struct g_aes_softc *sc; 27697318Sphk int error; 27797318Sphk u_int sectorsize; 27897318Sphk off_t mediasize; 27997318Sphk u_char *buf; 28097318Sphk 28197318Sphk g_trace(G_T_TOPOLOGY, "aes_taste(%s,%s)", mp->name, pp->name); 28297318Sphk g_topology_assert(); 28397318Sphk gp = g_new_geomf(mp, "%s.aes", pp->name); 28497318Sphk cp = g_new_consumer(gp); 28597318Sphk g_attach(cp, pp); 286125755Sphk error = g_access(cp, 1, 0, 0); 28797318Sphk if (error) { 28898066Sphk g_detach(cp); 28997318Sphk g_destroy_consumer(cp); 29097318Sphk g_destroy_geom(gp); 29197318Sphk return (NULL); 29297318Sphk } 29397318Sphk buf = NULL; 294104064Sphk g_topology_unlock(); 295114491Sphk do { 29697318Sphk if (gp->rank != 2) 29797318Sphk break; 298105551Sphk sectorsize = cp->provider->sectorsize; 299105551Sphk mediasize = cp->provider->mediasize; 300152971Ssobomax buf = g_read_data(cp, 0, sectorsize, NULL); 301152967Ssobomax if (buf == NULL) { 30297318Sphk break; 30397318Sphk } 304111119Simp sc = g_malloc(sizeof(struct g_aes_softc), M_WAITOK | M_ZERO); 30598987Sphk if (!memcmp(buf, aes_magic, strlen(aes_magic))) { 30698987Sphk sc->keying = KEY_ZERO; 30798987Sphk } else if (!memcmp(buf, aes_magic_random, 30898987Sphk strlen(aes_magic_random))) { 30998987Sphk sc->keying = KEY_RANDOM; 31098987Sphk } else if (!memcmp(buf, aes_magic_test, 31198987Sphk strlen(aes_magic_test))) { 31298987Sphk sc->keying = KEY_TEST; 31398987Sphk } else { 31498987Sphk g_free(sc); 31597318Sphk break; 31698987Sphk } 317114532Sphk g_free(buf); 31897318Sphk gp->softc = sc; 31997318Sphk sc->sectorsize = sectorsize; 32097318Sphk sc->mediasize = mediasize - sectorsize; 32197318Sphk rijndael_cipherInit(&sc->ci, MODE_CBC, NULL); 32298987Sphk if (sc->keying == KEY_TEST) { 32398987Sphk int i; 32498987Sphk u_char *p; 32598987Sphk 32698987Sphk p = sc->master_key; 327104087Sphk for (i = 0; i < (int)sizeof sc->master_key; i ++) 32898987Sphk *p++ = i; 32998987Sphk } 33098987Sphk if (sc->keying == KEY_RANDOM) { 33198987Sphk int i; 33298987Sphk u_int32_t u; 33398987Sphk u_char *p; 33498987Sphk 33598987Sphk p = sc->master_key; 336104087Sphk for (i = 0; i < (int)sizeof sc->master_key; i += sizeof u) { 33798987Sphk u = arc4random(); 33898987Sphk *p++ = u; 33998987Sphk *p++ = u >> 8; 34098987Sphk *p++ = u >> 16; 34198987Sphk *p++ = u >> 24; 34298987Sphk } 34398987Sphk } 344104064Sphk g_topology_lock(); 345243333Sjh pp = g_new_providerf(gp, "%s", gp->name); 34697318Sphk pp->mediasize = mediasize - sectorsize; 347105551Sphk pp->sectorsize = sectorsize; 34897318Sphk g_error_provider(pp, 0); 349104064Sphk g_topology_unlock(); 350114491Sphk } while(0); 351104064Sphk g_topology_lock(); 35297318Sphk if (buf) 35397318Sphk g_free(buf); 354125755Sphk g_access(cp, -1, 0, 0); 35597318Sphk if (gp->softc != NULL) 35697318Sphk return (gp); 35798066Sphk g_detach(cp); 35897318Sphk g_destroy_consumer(cp); 35997318Sphk g_destroy_geom(gp); 36097318Sphk return (NULL); 36197318Sphk} 36297318Sphk 36397318Sphkstatic struct g_class g_aes_class = { 364112552Sphk .name = AES_CLASS_NAME, 365133318Sphk .version = G_VERSION, 366112552Sphk .taste = g_aes_taste, 367133314Sphk .start = g_aes_start, 368133314Sphk .orphan = g_aes_orphan, 369133314Sphk .spoiled = g_std_spoiled, 370133314Sphk .access = g_aes_access, 37197318Sphk}; 37297318Sphk 37397318SphkDECLARE_GEOM_CLASS(g_aes_class, g_aes); 374