geom_aes.c revision 114532
197318Sphk/*- 297318Sphk * Copyright (c) 2002 Poul-Henning Kamp 397318Sphk * Copyright (c) 2002 Networks Associates Technology, Inc. 497318Sphk * All rights reserved. 597318Sphk * 697318Sphk * This software was developed for the FreeBSD Project by Poul-Henning Kamp 797318Sphk * and NAI Labs, the Security Research Division of Network Associates, Inc. 897318Sphk * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the 997318Sphk * DARPA CHATS research program. 1097318Sphk * 1197318Sphk * Redistribution and use in source and binary forms, with or without 1297318Sphk * modification, are permitted provided that the following conditions 1397318Sphk * are met: 1497318Sphk * 1. Redistributions of source code must retain the above copyright 1597318Sphk * notice, this list of conditions and the following disclaimer. 1697318Sphk * 2. Redistributions in binary form must reproduce the above copyright 1797318Sphk * notice, this list of conditions and the following disclaimer in the 1897318Sphk * documentation and/or other materials provided with the distribution. 1997318Sphk * 3. The names of the authors may not be used to endorse or promote 2097318Sphk * products derived from this software without specific prior written 2197318Sphk * permission. 2297318Sphk * 2397318Sphk * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 2497318Sphk * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 2597318Sphk * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 2697318Sphk * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 2797318Sphk * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 2897318Sphk * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 2997318Sphk * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 3097318Sphk * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 3197318Sphk * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 3297318Sphk * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 3397318Sphk * SUCH DAMAGE. 3497318Sphk * 3597318Sphk * $FreeBSD: head/sys/geom/geom_aes.c 114532 2003-05-02 12:52:51Z phk $ 3697318Sphk * 3797318Sphk * This method provides AES encryption with a compiled in key (default 3897318Sphk * all zeroes). 3997318Sphk * 4097318Sphk * XXX: This could probably save a lot of code by pretending to be a slicer. 4197318Sphk */ 4297318Sphk 4397318Sphk#include <sys/param.h> 4497318Sphk#include <sys/systm.h> 4597318Sphk#include <sys/kernel.h> 4697318Sphk#include <sys/conf.h> 4797318Sphk#include <sys/bio.h> 4897318Sphk#include <sys/malloc.h> 4997318Sphk#include <sys/lock.h> 5097318Sphk#include <sys/mutex.h> 5198987Sphk#include <sys/libkern.h> 52104087Sphk#include <sys/endian.h> 5398987Sphk#include <sys/md5.h> 5497318Sphk#include <sys/errno.h> 5597318Sphk#include <geom/geom.h> 5697318Sphk 5797318Sphk#include <crypto/rijndael/rijndael.h> 5897318Sphk 5997318Sphk#include <crypto/rijndael/rijndael.h> 6097318Sphk 6197318Sphk#define AES_CLASS_NAME "AES" 6297318Sphk 6398987Sphk#define MASTER_KEY_LENGTH (1024/8) 6498987Sphk 65107953Sphkstatic const u_char *aes_magic = "<<FreeBSD-GEOM-AES>>"; 66107953Sphkstatic const u_char *aes_magic_random = "<<FreeBSD-GEOM-AES-RANDOM>>"; 67107953Sphkstatic const u_char *aes_magic_test = "<<FreeBSD-GEOM-AES-TEST>>"; 6897318Sphk 6997318Sphk 7097318Sphkstruct g_aes_softc { 7198987Sphk enum { 7298987Sphk KEY_ZERO, 7398987Sphk KEY_RANDOM, 7498987Sphk KEY_TEST 7598987Sphk } keying; 7697318Sphk u_int sectorsize; 7797318Sphk off_t mediasize; 7897318Sphk cipherInstance ci; 7998987Sphk u_char master_key[MASTER_KEY_LENGTH]; 8097318Sphk}; 8197318Sphk 8298987Sphk/* 8398987Sphk * Generate a sectorkey from the masterkey and the offset position. 8498987Sphk * 8598987Sphk * For KEY_ZERO we just return a key of all zeros. 8698987Sphk * 8798987Sphk * We feed the sector byte offset, 16 bytes of the master-key and 8898987Sphk * the sector byte offset once more to MD5. 8998987Sphk * The sector byte offset is converted to little-endian format first 9098987Sphk * to support multi-architecture operation. 9198987Sphk * We use 16 bytes from the master-key starting at the logical sector 9298987Sphk * number modulus he length of the master-key. If need be we wrap 9398987Sphk * around to the start of the master-key. 9498987Sphk */ 9598987Sphk 9697318Sphkstatic void 9798987Sphkg_aes_makekey(struct g_aes_softc *sc, off_t off, keyInstance *ki, int dir) 9898987Sphk{ 9998987Sphk MD5_CTX cx; 10098987Sphk u_int64_t u64; 10198987Sphk u_int u, u1; 10298987Sphk u_char *p, buf[16]; 10398987Sphk 10498987Sphk if (sc->keying == KEY_ZERO) { 10598987Sphk rijndael_makeKey(ki, dir, 128, sc->master_key); 10698987Sphk return; 10798987Sphk } 10898987Sphk MD5Init(&cx); 10998987Sphk u64 = htole64(off); 11098987Sphk MD5Update(&cx, (u_char *)&u64, sizeof(u64)); 11198987Sphk u = off / sc->sectorsize; 11298987Sphk u %= sizeof sc->master_key; 11398987Sphk p = sc->master_key + u; 11498987Sphk if (u + 16 <= sizeof(sc->master_key)) { 11598987Sphk MD5Update(&cx, p, 16); 11698987Sphk } else { 11798987Sphk u1 = sizeof sc->master_key - u; 11898987Sphk MD5Update(&cx, p, u1); 11998987Sphk MD5Update(&cx, sc->master_key, 16 - u1); 12098987Sphk u1 = 0; /* destroy evidence */ 12198987Sphk } 12298987Sphk u = 0; /* destroy evidence */ 12398987Sphk MD5Update(&cx, (u_char *)&u64, sizeof(u64)); 12498987Sphk u64 = 0; /* destroy evidence */ 12598987Sphk MD5Final(buf, &cx); 12698987Sphk bzero(&cx, sizeof cx); /* destroy evidence */ 12798987Sphk rijndael_makeKey(ki, dir, 128, buf); 12898987Sphk bzero(buf, sizeof buf); /* destroy evidence */ 12998987Sphk 13098987Sphk} 13198987Sphk 13298987Sphkstatic void 13397318Sphkg_aes_read_done(struct bio *bp) 13497318Sphk{ 13597318Sphk struct g_geom *gp; 13697318Sphk struct g_aes_softc *sc; 13797318Sphk u_char *p, *b, *e, *sb; 13898987Sphk keyInstance dkey; 13998987Sphk off_t o; 14097318Sphk 14197318Sphk gp = bp->bio_from->geom; 14297318Sphk sc = gp->softc; 143111119Simp sb = g_malloc(sc->sectorsize, M_WAITOK); 14497318Sphk b = bp->bio_data; 14597318Sphk e = bp->bio_data; 14697318Sphk e += bp->bio_length; 14798987Sphk o = bp->bio_offset - sc->sectorsize; 14897318Sphk for (p = b; p < e; p += sc->sectorsize) { 14998987Sphk g_aes_makekey(sc, o, &dkey, DIR_DECRYPT); 15098987Sphk rijndael_blockDecrypt(&sc->ci, &dkey, p, sc->sectorsize * 8, sb); 15197318Sphk bcopy(sb, p, sc->sectorsize); 15298987Sphk o += sc->sectorsize; 15397318Sphk } 15498987Sphk bzero(&dkey, sizeof dkey); /* destroy evidence */ 15598987Sphk bzero(sb, sc->sectorsize); /* destroy evidence */ 15698987Sphk g_free(sb); 15797318Sphk g_std_done(bp); 15897318Sphk} 15997318Sphk 16097318Sphkstatic void 16197318Sphkg_aes_write_done(struct bio *bp) 16297318Sphk{ 16398987Sphk struct g_aes_softc *sc; 16498987Sphk struct g_geom *gp; 16597318Sphk 16698987Sphk gp = bp->bio_to->geom; 16798987Sphk sc = gp->softc; 16898987Sphk bzero(bp->bio_data, bp->bio_length); /* destroy evidence */ 16997318Sphk g_free(bp->bio_data); 17097318Sphk g_std_done(bp); 17197318Sphk} 17297318Sphk 17397318Sphkstatic void 17497318Sphkg_aes_start(struct bio *bp) 17597318Sphk{ 17697318Sphk struct g_geom *gp; 17797318Sphk struct g_consumer *cp; 17897318Sphk struct g_aes_softc *sc; 17997318Sphk struct bio *bp2; 18097318Sphk u_char *p1, *p2, *b, *e; 18198987Sphk keyInstance ekey; 18298987Sphk off_t o; 18397318Sphk 18497318Sphk gp = bp->bio_to->geom; 18597318Sphk cp = LIST_FIRST(&gp->consumer); 18697318Sphk sc = gp->softc; 18797318Sphk switch (bp->bio_cmd) { 18897318Sphk case BIO_READ: 18997318Sphk bp2 = g_clone_bio(bp); 190104057Sphk if (bp2 == NULL) { 191104195Sphk g_io_deliver(bp, ENOMEM); 192104057Sphk return; 193104057Sphk } 19497318Sphk bp2->bio_done = g_aes_read_done; 19597318Sphk bp2->bio_offset += sc->sectorsize; 19697318Sphk g_io_request(bp2, cp); 19797318Sphk break; 19897318Sphk case BIO_WRITE: 19997318Sphk bp2 = g_clone_bio(bp); 200104057Sphk if (bp2 == NULL) { 201104195Sphk g_io_deliver(bp, ENOMEM); 202104057Sphk return; 203104057Sphk } 20497318Sphk bp2->bio_done = g_aes_write_done; 20597318Sphk bp2->bio_offset += sc->sectorsize; 206111119Simp bp2->bio_data = g_malloc(bp->bio_length, M_WAITOK); 20797318Sphk b = bp->bio_data; 20897318Sphk e = bp->bio_data; 20997318Sphk e += bp->bio_length; 21097318Sphk p2 = bp2->bio_data; 21198987Sphk o = bp->bio_offset; 21297318Sphk for (p1 = b; p1 < e; p1 += sc->sectorsize) { 21398987Sphk g_aes_makekey(sc, o, &ekey, DIR_ENCRYPT); 21498987Sphk rijndael_blockEncrypt(&sc->ci, &ekey, 21597318Sphk p1, sc->sectorsize * 8, p2); 21697318Sphk p2 += sc->sectorsize; 21798987Sphk o += sc->sectorsize; 21897318Sphk } 21998987Sphk bzero(&ekey, sizeof ekey); /* destroy evidence */ 22097318Sphk g_io_request(bp2, cp); 22197318Sphk break; 22297318Sphk case BIO_GETATTR: 22397318Sphk bp2 = g_clone_bio(bp); 224104057Sphk if (bp2 == NULL) { 225104195Sphk g_io_deliver(bp, ENOMEM); 226104057Sphk return; 227104057Sphk } 22897318Sphk bp2->bio_done = g_std_done; 22997318Sphk bp2->bio_offset += sc->sectorsize; 23097318Sphk g_io_request(bp2, cp); 23197318Sphk break; 23297318Sphk default: 233104195Sphk g_io_deliver(bp, EOPNOTSUPP); 23497318Sphk return; 23597318Sphk } 23697318Sphk return; 23797318Sphk} 23897318Sphk 23997318Sphkstatic void 24097318Sphkg_aes_orphan(struct g_consumer *cp) 24197318Sphk{ 24297318Sphk struct g_geom *gp; 24397318Sphk struct g_provider *pp; 24498987Sphk struct g_aes_softc *sc; 24597318Sphk int error; 24697318Sphk 24797318Sphk g_trace(G_T_TOPOLOGY, "g_aes_orphan(%p/%s)", cp, cp->provider->name); 24897318Sphk g_topology_assert(); 24997318Sphk KASSERT(cp->provider->error != 0, 25097318Sphk ("g_aes_orphan with error == 0")); 25197318Sphk 25297318Sphk gp = cp->geom; 25398987Sphk sc = gp->softc; 254114532Sphk g_wither_geom(gp, cp->provider->error); 25598987Sphk bzero(sc, sizeof(struct g_aes_softc)); /* destroy evidence */ 256114532Sphk g_free(sc); 25797318Sphk return; 25897318Sphk} 25997318Sphk 26097318Sphkstatic int 26197318Sphkg_aes_access(struct g_provider *pp, int dr, int dw, int de) 26297318Sphk{ 26397318Sphk struct g_geom *gp; 26497318Sphk struct g_consumer *cp; 26597318Sphk 26697318Sphk gp = pp->geom; 26797318Sphk cp = LIST_FIRST(&gp->consumer); 26897318Sphk /* On first open, grab an extra "exclusive" bit */ 26997318Sphk if (cp->acr == 0 && cp->acw == 0 && cp->ace == 0) 27097318Sphk de++; 27197318Sphk /* ... and let go of it on last close */ 27297318Sphk if ((cp->acr + dr) == 0 && (cp->acw + dw) == 0 && (cp->ace + de) == 1) 27397318Sphk de--; 27497318Sphk return (g_access_rel(cp, dr, dw, de)); 27597318Sphk} 27697318Sphk 27797318Sphkstatic struct g_geom * 27897318Sphkg_aes_taste(struct g_class *mp, struct g_provider *pp, int flags __unused) 27997318Sphk{ 28097318Sphk struct g_geom *gp; 28197318Sphk struct g_consumer *cp; 28297318Sphk struct g_aes_softc *sc; 28397318Sphk int error; 28497318Sphk u_int sectorsize; 28597318Sphk off_t mediasize; 28697318Sphk u_char *buf; 28797318Sphk 28897318Sphk g_trace(G_T_TOPOLOGY, "aes_taste(%s,%s)", mp->name, pp->name); 28997318Sphk g_topology_assert(); 29097318Sphk gp = g_new_geomf(mp, "%s.aes", pp->name); 29197318Sphk gp->start = g_aes_start; 29297318Sphk gp->orphan = g_aes_orphan; 29397318Sphk gp->spoiled = g_std_spoiled; 29497318Sphk cp = g_new_consumer(gp); 29597318Sphk g_attach(cp, pp); 29697318Sphk error = g_access_rel(cp, 1, 0, 0); 29797318Sphk if (error) { 29898066Sphk g_detach(cp); 29997318Sphk g_destroy_consumer(cp); 30097318Sphk g_destroy_geom(gp); 30197318Sphk return (NULL); 30297318Sphk } 30397318Sphk buf = NULL; 304104064Sphk g_topology_unlock(); 305114491Sphk do { 30697318Sphk if (gp->rank != 2) 30797318Sphk break; 308105551Sphk sectorsize = cp->provider->sectorsize; 309105551Sphk mediasize = cp->provider->mediasize; 31097318Sphk buf = g_read_data(cp, 0, sectorsize, &error); 31197318Sphk if (buf == NULL || error != 0) { 31297318Sphk break; 31397318Sphk } 314111119Simp sc = g_malloc(sizeof(struct g_aes_softc), M_WAITOK | M_ZERO); 31598987Sphk if (!memcmp(buf, aes_magic, strlen(aes_magic))) { 31698987Sphk sc->keying = KEY_ZERO; 31798987Sphk } else if (!memcmp(buf, aes_magic_random, 31898987Sphk strlen(aes_magic_random))) { 31998987Sphk sc->keying = KEY_RANDOM; 32098987Sphk } else if (!memcmp(buf, aes_magic_test, 32198987Sphk strlen(aes_magic_test))) { 32298987Sphk sc->keying = KEY_TEST; 32398987Sphk } else { 324114532Sphk g_free(buf); 32598987Sphk g_free(sc); 32697318Sphk break; 32798987Sphk } 328114532Sphk g_free(buf); 32997318Sphk gp->softc = sc; 33097318Sphk gp->access = g_aes_access; 33197318Sphk sc->sectorsize = sectorsize; 33297318Sphk sc->mediasize = mediasize - sectorsize; 33397318Sphk rijndael_cipherInit(&sc->ci, MODE_CBC, NULL); 33498987Sphk if (sc->keying == KEY_TEST) { 33598987Sphk int i; 33698987Sphk u_char *p; 33798987Sphk 33898987Sphk p = sc->master_key; 339104087Sphk for (i = 0; i < (int)sizeof sc->master_key; i ++) 34098987Sphk *p++ = i; 34198987Sphk } 34298987Sphk if (sc->keying == KEY_RANDOM) { 34398987Sphk int i; 34498987Sphk u_int32_t u; 34598987Sphk u_char *p; 34698987Sphk 34798987Sphk p = sc->master_key; 348104087Sphk for (i = 0; i < (int)sizeof sc->master_key; i += sizeof u) { 34998987Sphk u = arc4random(); 35098987Sphk *p++ = u; 35198987Sphk *p++ = u >> 8; 35298987Sphk *p++ = u >> 16; 35398987Sphk *p++ = u >> 24; 35498987Sphk } 35598987Sphk } 356104064Sphk g_topology_lock(); 35797318Sphk pp = g_new_providerf(gp, gp->name); 35897318Sphk pp->mediasize = mediasize - sectorsize; 359105551Sphk pp->sectorsize = sectorsize; 36097318Sphk g_error_provider(pp, 0); 361104064Sphk g_topology_unlock(); 362114491Sphk } while(0); 363104064Sphk g_topology_lock(); 36497318Sphk if (buf) 36597318Sphk g_free(buf); 36697318Sphk g_access_rel(cp, -1, 0, 0); 36797318Sphk if (gp->softc != NULL) 36897318Sphk return (gp); 36998066Sphk g_detach(cp); 37097318Sphk g_destroy_consumer(cp); 37197318Sphk g_destroy_geom(gp); 37297318Sphk return (NULL); 37397318Sphk} 37497318Sphk 37597318Sphkstatic struct g_class g_aes_class = { 376112552Sphk .name = AES_CLASS_NAME, 377112552Sphk .taste = g_aes_taste, 37898066Sphk G_CLASS_INITIALIZER 37997318Sphk}; 38097318Sphk 38197318SphkDECLARE_GEOM_CLASS(g_aes_class, g_aes); 382