geom_aes.c revision 116196
197318Sphk/*- 297318Sphk * Copyright (c) 2002 Poul-Henning Kamp 397318Sphk * Copyright (c) 2002 Networks Associates Technology, Inc. 497318Sphk * All rights reserved. 597318Sphk * 697318Sphk * This software was developed for the FreeBSD Project by Poul-Henning Kamp 797318Sphk * and NAI Labs, the Security Research Division of Network Associates, Inc. 897318Sphk * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the 997318Sphk * DARPA CHATS research program. 1097318Sphk * 1197318Sphk * Redistribution and use in source and binary forms, with or without 1297318Sphk * modification, are permitted provided that the following conditions 1397318Sphk * are met: 1497318Sphk * 1. Redistributions of source code must retain the above copyright 1597318Sphk * notice, this list of conditions and the following disclaimer. 1697318Sphk * 2. Redistributions in binary form must reproduce the above copyright 1797318Sphk * notice, this list of conditions and the following disclaimer in the 1897318Sphk * documentation and/or other materials provided with the distribution. 1997318Sphk * 3. The names of the authors may not be used to endorse or promote 2097318Sphk * products derived from this software without specific prior written 2197318Sphk * permission. 2297318Sphk * 2397318Sphk * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 2497318Sphk * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 2597318Sphk * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 2697318Sphk * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 2797318Sphk * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 2897318Sphk * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 2997318Sphk * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 3097318Sphk * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 3197318Sphk * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 3297318Sphk * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 3397318Sphk * SUCH DAMAGE. 3497318Sphk * 3597318Sphk * This method provides AES encryption with a compiled in key (default 3697318Sphk * all zeroes). 3797318Sphk * 3897318Sphk * XXX: This could probably save a lot of code by pretending to be a slicer. 3997318Sphk */ 4097318Sphk 41116196Sobrien#include <sys/cdefs.h> 42116196Sobrien__FBSDID("$FreeBSD: head/sys/geom/geom_aes.c 116196 2003-06-11 06:49:16Z obrien $"); 43116196Sobrien 4497318Sphk#include <sys/param.h> 4597318Sphk#include <sys/systm.h> 4697318Sphk#include <sys/kernel.h> 4797318Sphk#include <sys/conf.h> 4897318Sphk#include <sys/bio.h> 4997318Sphk#include <sys/malloc.h> 5097318Sphk#include <sys/lock.h> 5197318Sphk#include <sys/mutex.h> 5298987Sphk#include <sys/libkern.h> 53104087Sphk#include <sys/endian.h> 5498987Sphk#include <sys/md5.h> 5597318Sphk#include <sys/errno.h> 5697318Sphk#include <geom/geom.h> 5797318Sphk 5897318Sphk#include <crypto/rijndael/rijndael.h> 5997318Sphk 6097318Sphk#include <crypto/rijndael/rijndael.h> 6197318Sphk 6297318Sphk#define AES_CLASS_NAME "AES" 6397318Sphk 6498987Sphk#define MASTER_KEY_LENGTH (1024/8) 6598987Sphk 66107953Sphkstatic const u_char *aes_magic = "<<FreeBSD-GEOM-AES>>"; 67107953Sphkstatic const u_char *aes_magic_random = "<<FreeBSD-GEOM-AES-RANDOM>>"; 68107953Sphkstatic const u_char *aes_magic_test = "<<FreeBSD-GEOM-AES-TEST>>"; 6997318Sphk 7097318Sphk 7197318Sphkstruct g_aes_softc { 7298987Sphk enum { 7398987Sphk KEY_ZERO, 7498987Sphk KEY_RANDOM, 7598987Sphk KEY_TEST 7698987Sphk } keying; 7797318Sphk u_int sectorsize; 7897318Sphk off_t mediasize; 7997318Sphk cipherInstance ci; 8098987Sphk u_char master_key[MASTER_KEY_LENGTH]; 8197318Sphk}; 8297318Sphk 8398987Sphk/* 8498987Sphk * Generate a sectorkey from the masterkey and the offset position. 8598987Sphk * 8698987Sphk * For KEY_ZERO we just return a key of all zeros. 8798987Sphk * 8898987Sphk * We feed the sector byte offset, 16 bytes of the master-key and 8998987Sphk * the sector byte offset once more to MD5. 9098987Sphk * The sector byte offset is converted to little-endian format first 9198987Sphk * to support multi-architecture operation. 9298987Sphk * We use 16 bytes from the master-key starting at the logical sector 9398987Sphk * number modulus he length of the master-key. If need be we wrap 9498987Sphk * around to the start of the master-key. 9598987Sphk */ 9698987Sphk 9797318Sphkstatic void 9898987Sphkg_aes_makekey(struct g_aes_softc *sc, off_t off, keyInstance *ki, int dir) 9998987Sphk{ 10098987Sphk MD5_CTX cx; 10198987Sphk u_int64_t u64; 10298987Sphk u_int u, u1; 10398987Sphk u_char *p, buf[16]; 10498987Sphk 10598987Sphk if (sc->keying == KEY_ZERO) { 10698987Sphk rijndael_makeKey(ki, dir, 128, sc->master_key); 10798987Sphk return; 10898987Sphk } 10998987Sphk MD5Init(&cx); 11098987Sphk u64 = htole64(off); 11198987Sphk MD5Update(&cx, (u_char *)&u64, sizeof(u64)); 11298987Sphk u = off / sc->sectorsize; 11398987Sphk u %= sizeof sc->master_key; 11498987Sphk p = sc->master_key + u; 11598987Sphk if (u + 16 <= sizeof(sc->master_key)) { 11698987Sphk MD5Update(&cx, p, 16); 11798987Sphk } else { 11898987Sphk u1 = sizeof sc->master_key - u; 11998987Sphk MD5Update(&cx, p, u1); 12098987Sphk MD5Update(&cx, sc->master_key, 16 - u1); 12198987Sphk u1 = 0; /* destroy evidence */ 12298987Sphk } 12398987Sphk u = 0; /* destroy evidence */ 12498987Sphk MD5Update(&cx, (u_char *)&u64, sizeof(u64)); 12598987Sphk u64 = 0; /* destroy evidence */ 12698987Sphk MD5Final(buf, &cx); 12798987Sphk bzero(&cx, sizeof cx); /* destroy evidence */ 12898987Sphk rijndael_makeKey(ki, dir, 128, buf); 12998987Sphk bzero(buf, sizeof buf); /* destroy evidence */ 13098987Sphk 13198987Sphk} 13298987Sphk 13398987Sphkstatic void 13497318Sphkg_aes_read_done(struct bio *bp) 13597318Sphk{ 13697318Sphk struct g_geom *gp; 13797318Sphk struct g_aes_softc *sc; 13897318Sphk u_char *p, *b, *e, *sb; 13998987Sphk keyInstance dkey; 14098987Sphk off_t o; 14197318Sphk 14297318Sphk gp = bp->bio_from->geom; 14397318Sphk sc = gp->softc; 144111119Simp sb = g_malloc(sc->sectorsize, M_WAITOK); 14597318Sphk b = bp->bio_data; 14697318Sphk e = bp->bio_data; 14797318Sphk e += bp->bio_length; 14898987Sphk o = bp->bio_offset - sc->sectorsize; 14997318Sphk for (p = b; p < e; p += sc->sectorsize) { 15098987Sphk g_aes_makekey(sc, o, &dkey, DIR_DECRYPT); 15198987Sphk rijndael_blockDecrypt(&sc->ci, &dkey, p, sc->sectorsize * 8, sb); 15297318Sphk bcopy(sb, p, sc->sectorsize); 15398987Sphk o += sc->sectorsize; 15497318Sphk } 15598987Sphk bzero(&dkey, sizeof dkey); /* destroy evidence */ 15698987Sphk bzero(sb, sc->sectorsize); /* destroy evidence */ 15798987Sphk g_free(sb); 15897318Sphk g_std_done(bp); 15997318Sphk} 16097318Sphk 16197318Sphkstatic void 16297318Sphkg_aes_write_done(struct bio *bp) 16397318Sphk{ 16497318Sphk 16598987Sphk bzero(bp->bio_data, bp->bio_length); /* destroy evidence */ 16697318Sphk g_free(bp->bio_data); 16797318Sphk g_std_done(bp); 16897318Sphk} 16997318Sphk 17097318Sphkstatic void 17197318Sphkg_aes_start(struct bio *bp) 17297318Sphk{ 17397318Sphk struct g_geom *gp; 17497318Sphk struct g_consumer *cp; 17597318Sphk struct g_aes_softc *sc; 17697318Sphk struct bio *bp2; 17797318Sphk u_char *p1, *p2, *b, *e; 17898987Sphk keyInstance ekey; 17998987Sphk off_t o; 18097318Sphk 18197318Sphk gp = bp->bio_to->geom; 18297318Sphk cp = LIST_FIRST(&gp->consumer); 18397318Sphk sc = gp->softc; 18497318Sphk switch (bp->bio_cmd) { 18597318Sphk case BIO_READ: 18697318Sphk bp2 = g_clone_bio(bp); 187104057Sphk if (bp2 == NULL) { 188104195Sphk g_io_deliver(bp, ENOMEM); 189104057Sphk return; 190104057Sphk } 19197318Sphk bp2->bio_done = g_aes_read_done; 19297318Sphk bp2->bio_offset += sc->sectorsize; 19397318Sphk g_io_request(bp2, cp); 19497318Sphk break; 19597318Sphk case BIO_WRITE: 19697318Sphk bp2 = g_clone_bio(bp); 197104057Sphk if (bp2 == NULL) { 198104195Sphk g_io_deliver(bp, ENOMEM); 199104057Sphk return; 200104057Sphk } 20197318Sphk bp2->bio_done = g_aes_write_done; 20297318Sphk bp2->bio_offset += sc->sectorsize; 203111119Simp bp2->bio_data = g_malloc(bp->bio_length, M_WAITOK); 20497318Sphk b = bp->bio_data; 20597318Sphk e = bp->bio_data; 20697318Sphk e += bp->bio_length; 20797318Sphk p2 = bp2->bio_data; 20898987Sphk o = bp->bio_offset; 20997318Sphk for (p1 = b; p1 < e; p1 += sc->sectorsize) { 21098987Sphk g_aes_makekey(sc, o, &ekey, DIR_ENCRYPT); 21198987Sphk rijndael_blockEncrypt(&sc->ci, &ekey, 21297318Sphk p1, sc->sectorsize * 8, p2); 21397318Sphk p2 += sc->sectorsize; 21498987Sphk o += sc->sectorsize; 21597318Sphk } 21698987Sphk bzero(&ekey, sizeof ekey); /* destroy evidence */ 21797318Sphk g_io_request(bp2, cp); 21897318Sphk break; 21997318Sphk case BIO_GETATTR: 22097318Sphk bp2 = g_clone_bio(bp); 221104057Sphk if (bp2 == NULL) { 222104195Sphk g_io_deliver(bp, ENOMEM); 223104057Sphk return; 224104057Sphk } 22597318Sphk bp2->bio_done = g_std_done; 22697318Sphk bp2->bio_offset += sc->sectorsize; 22797318Sphk g_io_request(bp2, cp); 22897318Sphk break; 22997318Sphk default: 230104195Sphk g_io_deliver(bp, EOPNOTSUPP); 23197318Sphk return; 23297318Sphk } 23397318Sphk return; 23497318Sphk} 23597318Sphk 23697318Sphkstatic void 23797318Sphkg_aes_orphan(struct g_consumer *cp) 23897318Sphk{ 23997318Sphk struct g_geom *gp; 24098987Sphk struct g_aes_softc *sc; 24197318Sphk 24297318Sphk g_trace(G_T_TOPOLOGY, "g_aes_orphan(%p/%s)", cp, cp->provider->name); 24397318Sphk g_topology_assert(); 24497318Sphk KASSERT(cp->provider->error != 0, 24597318Sphk ("g_aes_orphan with error == 0")); 24697318Sphk 24797318Sphk gp = cp->geom; 24898987Sphk sc = gp->softc; 249114532Sphk g_wither_geom(gp, cp->provider->error); 25098987Sphk bzero(sc, sizeof(struct g_aes_softc)); /* destroy evidence */ 251114532Sphk g_free(sc); 25297318Sphk return; 25397318Sphk} 25497318Sphk 25597318Sphkstatic int 25697318Sphkg_aes_access(struct g_provider *pp, int dr, int dw, int de) 25797318Sphk{ 25897318Sphk struct g_geom *gp; 25997318Sphk struct g_consumer *cp; 26097318Sphk 26197318Sphk gp = pp->geom; 26297318Sphk cp = LIST_FIRST(&gp->consumer); 26397318Sphk /* On first open, grab an extra "exclusive" bit */ 26497318Sphk if (cp->acr == 0 && cp->acw == 0 && cp->ace == 0) 26597318Sphk de++; 26697318Sphk /* ... and let go of it on last close */ 26797318Sphk if ((cp->acr + dr) == 0 && (cp->acw + dw) == 0 && (cp->ace + de) == 1) 26897318Sphk de--; 26997318Sphk return (g_access_rel(cp, dr, dw, de)); 27097318Sphk} 27197318Sphk 27297318Sphkstatic struct g_geom * 27397318Sphkg_aes_taste(struct g_class *mp, struct g_provider *pp, int flags __unused) 27497318Sphk{ 27597318Sphk struct g_geom *gp; 27697318Sphk struct g_consumer *cp; 27797318Sphk struct g_aes_softc *sc; 27897318Sphk int error; 27997318Sphk u_int sectorsize; 28097318Sphk off_t mediasize; 28197318Sphk u_char *buf; 28297318Sphk 28397318Sphk g_trace(G_T_TOPOLOGY, "aes_taste(%s,%s)", mp->name, pp->name); 28497318Sphk g_topology_assert(); 28597318Sphk gp = g_new_geomf(mp, "%s.aes", pp->name); 28697318Sphk gp->start = g_aes_start; 28797318Sphk gp->orphan = g_aes_orphan; 28897318Sphk gp->spoiled = g_std_spoiled; 28997318Sphk cp = g_new_consumer(gp); 29097318Sphk g_attach(cp, pp); 29197318Sphk error = g_access_rel(cp, 1, 0, 0); 29297318Sphk if (error) { 29398066Sphk g_detach(cp); 29497318Sphk g_destroy_consumer(cp); 29597318Sphk g_destroy_geom(gp); 29697318Sphk return (NULL); 29797318Sphk } 29897318Sphk buf = NULL; 299104064Sphk g_topology_unlock(); 300114491Sphk do { 30197318Sphk if (gp->rank != 2) 30297318Sphk break; 303105551Sphk sectorsize = cp->provider->sectorsize; 304105551Sphk mediasize = cp->provider->mediasize; 30597318Sphk buf = g_read_data(cp, 0, sectorsize, &error); 30697318Sphk if (buf == NULL || error != 0) { 30797318Sphk break; 30897318Sphk } 309111119Simp sc = g_malloc(sizeof(struct g_aes_softc), M_WAITOK | M_ZERO); 31098987Sphk if (!memcmp(buf, aes_magic, strlen(aes_magic))) { 31198987Sphk sc->keying = KEY_ZERO; 31298987Sphk } else if (!memcmp(buf, aes_magic_random, 31398987Sphk strlen(aes_magic_random))) { 31498987Sphk sc->keying = KEY_RANDOM; 31598987Sphk } else if (!memcmp(buf, aes_magic_test, 31698987Sphk strlen(aes_magic_test))) { 31798987Sphk sc->keying = KEY_TEST; 31898987Sphk } else { 31998987Sphk g_free(sc); 32097318Sphk break; 32198987Sphk } 322114532Sphk g_free(buf); 32397318Sphk gp->softc = sc; 32497318Sphk gp->access = g_aes_access; 32597318Sphk sc->sectorsize = sectorsize; 32697318Sphk sc->mediasize = mediasize - sectorsize; 32797318Sphk rijndael_cipherInit(&sc->ci, MODE_CBC, NULL); 32898987Sphk if (sc->keying == KEY_TEST) { 32998987Sphk int i; 33098987Sphk u_char *p; 33198987Sphk 33298987Sphk p = sc->master_key; 333104087Sphk for (i = 0; i < (int)sizeof sc->master_key; i ++) 33498987Sphk *p++ = i; 33598987Sphk } 33698987Sphk if (sc->keying == KEY_RANDOM) { 33798987Sphk int i; 33898987Sphk u_int32_t u; 33998987Sphk u_char *p; 34098987Sphk 34198987Sphk p = sc->master_key; 342104087Sphk for (i = 0; i < (int)sizeof sc->master_key; i += sizeof u) { 34398987Sphk u = arc4random(); 34498987Sphk *p++ = u; 34598987Sphk *p++ = u >> 8; 34698987Sphk *p++ = u >> 16; 34798987Sphk *p++ = u >> 24; 34898987Sphk } 34998987Sphk } 350104064Sphk g_topology_lock(); 35197318Sphk pp = g_new_providerf(gp, gp->name); 35297318Sphk pp->mediasize = mediasize - sectorsize; 353105551Sphk pp->sectorsize = sectorsize; 35497318Sphk g_error_provider(pp, 0); 355104064Sphk g_topology_unlock(); 356114491Sphk } while(0); 357104064Sphk g_topology_lock(); 35897318Sphk if (buf) 35997318Sphk g_free(buf); 36097318Sphk g_access_rel(cp, -1, 0, 0); 36197318Sphk if (gp->softc != NULL) 36297318Sphk return (gp); 36398066Sphk g_detach(cp); 36497318Sphk g_destroy_consumer(cp); 36597318Sphk g_destroy_geom(gp); 36697318Sphk return (NULL); 36797318Sphk} 36897318Sphk 36997318Sphkstatic struct g_class g_aes_class = { 370112552Sphk .name = AES_CLASS_NAME, 371112552Sphk .taste = g_aes_taste, 37297318Sphk}; 37397318Sphk 37497318SphkDECLARE_GEOM_CLASS(g_aes_class, g_aes); 375