sys/geom/geom_aes.c

168404Spjd/*-
168404Spjd * Copyright (c) 2002 Poul-Henning Kamp
168404Spjd * Copyright (c) 2002 Networks Associates Technology, Inc.
168404Spjd * All rights reserved.
168404Spjd *
168404Spjd * This software was developed for the FreeBSD Project by Poul-Henning Kamp
168404Spjd * and NAI Labs, the Security Research Division of Network Associates, Inc.
168404Spjd * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
168404Spjd * DARPA CHATS research program.
168404Spjd *
168404Spjd * Redistribution and use in source and binary forms, with or without
168404Spjd * modification, are permitted provided that the following conditions
168404Spjd * are met:
168404Spjd * 1. Redistributions of source code must retain the above copyright
168404Spjd *    notice, this list of conditions and the following disclaimer.
168404Spjd * 2. Redistributions in binary form must reproduce the above copyright
168404Spjd *    notice, this list of conditions and the following disclaimer in the
168404Spjd *    documentation and/or other materials provided with the distribution.
168404Spjd * 3. The names of the authors may not be used to endorse or promote
168404Spjd *    products derived from this software without specific prior written
168404Spjd *    permission.
219089Spjd *
247585Smm * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
246586Sdelphij * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
168404Spjd * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
168404Spjd * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
219089Spjd * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
219089Spjd * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
168404Spjd * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
168404Spjd * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
185029Spjd * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
168404Spjd * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
168404Spjd * SUCH DAMAGE.
185029Spjd *
168404Spjd * $FreeBSD: head/sys/geom/geom_aes.c 98987 2002-06-28 21:25:15Z phk $
168404Spjd *
185029Spjd * This method provides AES encryption with a compiled in key (default
168404Spjd * all zeroes).
168404Spjd *
168404Spjd * XXX: This could probably save a lot of code by pretending to be a slicer.
168404Spjd */
168404Spjd
168404Spjd#include <sys/param.h>
168404Spjd#ifndef _KERNEL
168404Spjd#include <stdio.h>
168404Spjd#include <string.h>
185029Spjd#include <stdlib.h>
168404Spjd#include <signal.h>
209962Smm#include <err.h>
209962Smm#else
209962Smm#include <sys/systm.h>
209962Smm#include <sys/kernel.h>
209962Smm#include <sys/conf.h>
209962Smm#include <sys/bio.h>
209962Smm#include <sys/malloc.h>
209962Smm#include <sys/lock.h>
185029Spjd#include <sys/mutex.h>
185029Spjd#include <sys/libkern.h>
168404Spjd#include <sys/md5.h>
185029Spjd#include <sys/endian.h>
168404Spjd#endif
168404Spjd#include <sys/errno.h>
185029Spjd#include <geom/geom.h>
185029Spjd
168404Spjd#include <crypto/rijndael/rijndael.h>
185029Spjd
185029Spjd#include <crypto/rijndael/rijndael.h>
185029Spjd
185029Spjd#define AES_CLASS_NAME "AES"
185029Spjd
185029Spjd#define MASTER_KEY_LENGTH	(1024/8)
185029Spjd
185029Spjdstatic u_char *aes_magic = "<<FreeBSD-GEOM-AES>>";
168404Spjdstatic u_char *aes_magic_random = "<<FreeBSD-GEOM-AES-RANDOM>>";
219089Spjdstatic u_char *aes_magic_test = "<<FreeBSD-GEOM-AES-TEST>>";
219089Spjd
219089Spjd
219089Spjdstruct g_aes_softc {
219089Spjd	enum {
219089Spjd		KEY_ZERO,
219089Spjd		KEY_RANDOM,
219089Spjd		KEY_TEST
219089Spjd	} keying;
219089Spjd	u_int	sectorsize;
185029Spjd	off_t	mediasize;
185029Spjd	cipherInstance ci;
185029Spjd	u_char master_key[MASTER_KEY_LENGTH];
185029Spjd};
185029Spjd
185029Spjd/*
185029Spjd * Generate a sectorkey from the masterkey and the offset position.
185029Spjd *
185029Spjd * For KEY_ZERO we just return a key of all zeros.
185029Spjd *
185029Spjd * We feed the sector byte offset, 16 bytes of the master-key and
185029Spjd * the sector byte offset once more to MD5.
185029Spjd * The sector byte offset is converted to little-endian format first
185029Spjd * to support multi-architecture operation.
219089Spjd * We use 16 bytes from the master-key starting at the logical sector
246586Sdelphij * number modulus he length of the master-key.  If need be we wrap
185029Spjd * around to the start of the master-key.
185029Spjd */
168404Spjd
185029Spjdstatic void
185029Spjdg_aes_makekey(struct g_aes_softc *sc, off_t off, keyInstance *ki, int dir)
185029Spjd{
185029Spjd	MD5_CTX cx;
185029Spjd	u_int64_t u64;
168404Spjd	u_int u, u1;
224174Smm	u_char *p, buf[16];
224174Smm
224174Smm	if (sc->keying == KEY_ZERO) {
224174Smm		rijndael_makeKey(ki, dir, 128, sc->master_key);
243560Smm		return;
224174Smm	}
224174Smm	MD5Init(&cx);
224174Smm	u64 = htole64(off);
185029Spjd	MD5Update(&cx, (u_char *)&u64, sizeof(u64));
185029Spjd	u = off / sc->sectorsize;
185029Spjd	u %= sizeof sc->master_key;
185029Spjd	p = sc->master_key + u;
185029Spjd	if (u + 16 <= sizeof(sc->master_key)) {
185029Spjd		MD5Update(&cx, p, 16);
201143Sdelphij	} else {
185029Spjd		u1 = sizeof sc->master_key - u;
185029Spjd		MD5Update(&cx, p, u1);
168404Spjd		MD5Update(&cx, sc->master_key, 16 - u1);
185029Spjd		u1 = 0;				/* destroy evidence */
185029Spjd	}
185029Spjd	u = 0;					/* destroy evidence */
185029Spjd	MD5Update(&cx, (u_char *)&u64, sizeof(u64));
185029Spjd	u64 = 0;				/* destroy evidence */
185029Spjd	MD5Final(buf, &cx);
168404Spjd	bzero(&cx, sizeof cx);			/* destroy evidence */
185029Spjd	rijndael_makeKey(ki, dir, 128, buf);
185029Spjd	bzero(buf, sizeof buf);			/* destroy evidence */
185029Spjd
185029Spjd}
185029Spjd
185029Spjdstatic void
168404Spjdg_aes_read_done(struct bio *bp)
185029Spjd{
185029Spjd	struct g_geom *gp;
185029Spjd	struct g_aes_softc *sc;
185029Spjd	u_char *p, *b, *e, *sb;
185029Spjd	keyInstance dkey;
185029Spjd	off_t o;
185029Spjd
185029Spjd	gp = bp->bio_from->geom;
185029Spjd	sc = gp->softc;
185029Spjd	sb = g_malloc(sc->sectorsize, M_WAITOK);
185029Spjd	b = bp->bio_data;
185029Spjd	e = bp->bio_data;
185029Spjd	e += bp->bio_length;
168404Spjd	o = bp->bio_offset - sc->sectorsize;
185029Spjd	for (p = b; p < e; p += sc->sectorsize) {
185029Spjd		g_aes_makekey(sc, o, &dkey, DIR_DECRYPT);
185029Spjd		rijndael_blockDecrypt(&sc->ci, &dkey, p, sc->sectorsize * 8, sb);
185029Spjd		bcopy(sb, p, sc->sectorsize);
209962Smm		o += sc->sectorsize;
219089Spjd	}
185029Spjd	bzero(&dkey, sizeof dkey);		/* destroy evidence */
185029Spjd	bzero(sb, sc->sectorsize);		/* destroy evidence */
185029Spjd	g_free(sb);
168404Spjd	g_std_done(bp);
185029Spjd}
185029Spjd
185029Spjdstatic void
185029Spjdg_aes_write_done(struct bio *bp)
185029Spjd{
168404Spjd	struct g_aes_softc *sc;
219089Spjd	struct g_geom *gp;
219089Spjd
219089Spjd	gp = bp->bio_to->geom;
219089Spjd	sc = gp->softc;
219089Spjd	bzero(bp->bio_data, bp->bio_length);	/* destroy evidence */
219089Spjd	g_free(bp->bio_data);
185029Spjd	g_std_done(bp);
185029Spjd}
185029Spjd
185029Spjdstatic void
185029Spjdg_aes_start(struct bio *bp)
185029Spjd{
168404Spjd	struct g_geom *gp;
185029Spjd	struct g_consumer *cp;
185029Spjd	struct g_aes_softc *sc;
185029Spjd	struct bio *bp2;
185029Spjd	u_char *p1, *p2, *b, *e;
185029Spjd	keyInstance ekey;
185029Spjd	off_t o;
168404Spjd
219089Spjd	gp = bp->bio_to->geom;
219089Spjd	cp = LIST_FIRST(&gp->consumer);
219089Spjd	sc = gp->softc;
219089Spjd	switch (bp->bio_cmd) {
219089Spjd	case BIO_READ:
219089Spjd		bp2 = g_clone_bio(bp);
219089Spjd		bp2->bio_done = g_aes_read_done;
185029Spjd		bp2->bio_offset += sc->sectorsize;
219089Spjd		g_io_request(bp2, cp);
185029Spjd		break;
219089Spjd	case BIO_WRITE:
219089Spjd		bp2 = g_clone_bio(bp);
219089Spjd		bp2->bio_done = g_aes_write_done;
219089Spjd		bp2->bio_offset += sc->sectorsize;
219089Spjd		bp2->bio_data = g_malloc(bp->bio_length, M_WAITOK);
185029Spjd		b = bp->bio_data;
185029Spjd		e = bp->bio_data;
219089Spjd		e += bp->bio_length;
219089Spjd		p2 = bp2->bio_data;
219089Spjd		o = bp->bio_offset;
219089Spjd		for (p1 = b; p1 < e; p1 += sc->sectorsize) {
219089Spjd			g_aes_makekey(sc, o, &ekey, DIR_ENCRYPT);
185029Spjd			rijndael_blockEncrypt(&sc->ci, &ekey,
185029Spjd			    p1, sc->sectorsize * 8, p2);
246586Sdelphij			p2 += sc->sectorsize;
246586Sdelphij			o += sc->sectorsize;
219089Spjd		}
185029Spjd		bzero(&ekey, sizeof ekey);	/* destroy evidence */
185029Spjd		g_io_request(bp2, cp);
224174Smm		break;
224174Smm	case BIO_GETATTR:
243560Smm	case BIO_SETATTR:
243560Smm		if (g_handleattr_off_t(bp, "GEOM::mediasize", sc->mediasize))
219089Spjd			return;
219089Spjd		if (g_handleattr_int(bp, "GEOM::sectorsize", sc->sectorsize))
201143Sdelphij			return;
185029Spjd		bp2 = g_clone_bio(bp);
219089Spjd		bp2->bio_done = g_std_done;
219089Spjd		bp2->bio_offset += sc->sectorsize;
185029Spjd		g_io_request(bp2, cp);
219089Spjd		break;
185029Spjd	default:
185029Spjd		bp->bio_error = EOPNOTSUPP;
185029Spjd		g_io_deliver(bp);
219089Spjd		return;
185029Spjd	}
185029Spjd	return;
185029Spjd}
219089Spjd
219089Spjdstatic void
219089Spjdg_aes_orphan(struct g_consumer *cp)
168404Spjd{
185029Spjd	struct g_geom *gp;
219089Spjd	struct g_provider *pp;
185029Spjd	struct g_aes_softc *sc;
219089Spjd	int error;
185029Spjd
185029Spjd	g_trace(G_T_TOPOLOGY, "g_aes_orphan(%p/%s)", cp, cp->provider->name);
219089Spjd	g_topology_assert();
185029Spjd	KASSERT(cp->provider->error != 0,
185029Spjd		("g_aes_orphan with error == 0"));
219089Spjd
185029Spjd	gp = cp->geom;
185029Spjd	sc = gp->softc;
219089Spjd	gp->flags |= G_GEOM_WITHER;
185029Spjd	error = cp->provider->error;
185029Spjd	LIST_FOREACH(pp, &gp->provider, provider)
219089Spjd		g_orphan_provider(pp, error);
185029Spjd	bzero(sc, sizeof(struct g_aes_softc));	/* destroy evidence */
219089Spjd	return;
185029Spjd}
185029Spjd
219089Spjdstatic int
185029Spjdg_aes_access(struct g_provider *pp, int dr, int dw, int de)
185029Spjd{
219089Spjd	struct g_geom *gp;
185029Spjd	struct g_consumer *cp;
185029Spjd
168404Spjd	gp = pp->geom;
185029Spjd	cp = LIST_FIRST(&gp->consumer);
219089Spjd	/* On first open, grab an extra "exclusive" bit */
185029Spjd	if (cp->acr == 0 && cp->acw == 0 && cp->ace == 0)
228103Smm		de++;
219089Spjd	/* ... and let go of it on last close */
185029Spjd	if ((cp->acr + dr) == 0 && (cp->acw + dw) == 0 && (cp->ace + de) == 1)
185029Spjd		de--;
168404Spjd	return (g_access_rel(cp, dr, dw, de));
185029Spjd}
219089Spjd
185029Spjdstatic struct g_geom *
219089Spjdg_aes_taste(struct g_class *mp, struct g_provider *pp, int flags __unused)
219089Spjd{
219089Spjd	struct g_geom *gp;
185029Spjd	struct g_consumer *cp;
185029Spjd	struct g_aes_softc *sc;
219089Spjd	int error;
185029Spjd	u_int sectorsize;
185029Spjd	off_t mediasize;
185029Spjd	u_char *buf;
219089Spjd
219089Spjd	g_trace(G_T_TOPOLOGY, "aes_taste(%s,%s)", mp->name, pp->name);
219089Spjd	g_topology_assert();
185029Spjd	gp = g_new_geomf(mp, "%s.aes", pp->name);
185029Spjd	gp->start = g_aes_start;
185029Spjd	gp->orphan = g_aes_orphan;
219089Spjd	gp->spoiled = g_std_spoiled;
185029Spjd	cp = g_new_consumer(gp);
185029Spjd	g_attach(cp, pp);
185029Spjd	error = g_access_rel(cp, 1, 0, 0);
185029Spjd	if (error) {
219089Spjd		g_detach(cp);
185029Spjd		g_destroy_consumer(cp);
228103Smm		g_destroy_geom(gp);
228103Smm		return (NULL);
219089Spjd	}
219089Spjd	buf = NULL;
219089Spjd	while (1) {
219089Spjd		if (gp->rank != 2)
219089Spjd			break;
219089Spjd		error = g_getattr("GEOM::sectorsize", cp, &sectorsize);
219089Spjd		if (error)
185029Spjd			break;
219089Spjd		error = g_getattr("GEOM::mediasize", cp, &mediasize);
219089Spjd		if (error)
219089Spjd			break;
219089Spjd		buf = g_read_data(cp, 0, sectorsize, &error);
219089Spjd		if (buf == NULL || error != 0) {
219089Spjd			break;
185029Spjd		}
185029Spjd		sc = g_malloc(sizeof(struct g_aes_softc), M_WAITOK | M_ZERO);
219089Spjd		if (!memcmp(buf, aes_magic, strlen(aes_magic))) {
185029Spjd			sc->keying = KEY_ZERO;
219089Spjd		} else if (!memcmp(buf, aes_magic_random,
185029Spjd		    strlen(aes_magic_random))) {
219089Spjd			sc->keying = KEY_RANDOM;
219089Spjd		} else if (!memcmp(buf, aes_magic_test,
219089Spjd		    strlen(aes_magic_test))) {
185029Spjd			sc->keying = KEY_TEST;
185029Spjd		} else {
223623Smm			g_free(sc);
223623Smm			break;
223623Smm		}
219089Spjd		gp->softc = sc;
219089Spjd		gp->access = g_aes_access;
185029Spjd		sc->sectorsize = sectorsize;
219089Spjd		sc->mediasize = mediasize - sectorsize;
219089Spjd		rijndael_cipherInit(&sc->ci, MODE_CBC, NULL);
219089Spjd		if (sc->keying == KEY_TEST) {
219089Spjd			int i;
219089Spjd			u_char *p;
219089Spjd
219089Spjd			p = sc->master_key;
219089Spjd			for (i = 0; i < sizeof sc->master_key; i ++)
219089Spjd				*p++ = i;
219089Spjd		}
185029Spjd		if (sc->keying == KEY_RANDOM) {
185029Spjd			int i;
219089Spjd			u_int32_t u;
219089Spjd			u_char *p;
228103Smm
228103Smm			p = sc->master_key;
247585Smm			for (i = 0; i < sizeof sc->master_key; i += sizeof u) {
247585Smm				u = arc4random();
247585Smm				*p++ = u;
247585Smm				*p++ = u >> 8;
185029Spjd				*p++ = u >> 16;
185029Spjd				*p++ = u >> 24;
219089Spjd			}
185029Spjd		}
219089Spjd		pp = g_new_providerf(gp, gp->name);
219089Spjd		pp->mediasize = mediasize - sectorsize;
219089Spjd		g_error_provider(pp, 0);
219089Spjd		break;
185029Spjd	}
219089Spjd	if (buf)
185029Spjd		g_free(buf);
219089Spjd	g_access_rel(cp, -1, 0, 0);
185029Spjd	if (gp->softc != NULL)
185029Spjd		return (gp);
185029Spjd	g_detach(cp);
185029Spjd	g_destroy_consumer(cp);
219089Spjd	g_destroy_geom(gp);
219089Spjd	return (NULL);
185029Spjd}
185029Spjd
185029Spjdstatic struct g_class g_aes_class	= {
219089Spjd	AES_CLASS_NAME,
192240Skmacy	g_aes_taste,
219089Spjd	NULL,
219089Spjd	G_CLASS_INITIALIZER
219089Spjd};
185029Spjd
219089SpjdDECLARE_GEOM_CLASS(g_aes_class, g_aes);
219089Spjd