g_bde_lock.c revision 106226
1/*- 2 * Copyright (c) 2002 Poul-Henning Kamp 3 * Copyright (c) 2002 Networks Associates Technology, Inc. 4 * All rights reserved. 5 * 6 * This software was developed for the FreeBSD Project by Poul-Henning Kamp 7 * and NAI Labs, the Security Research Division of Network Associates, Inc. 8 * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the 9 * DARPA CHATS research program. 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions 13 * are met: 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in the 18 * documentation and/or other materials provided with the distribution. 19 * 3. The names of the authors may not be used to endorse or promote 20 * products derived from this software without specific prior written 21 * permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 33 * SUCH DAMAGE. 34 * 35 * $FreeBSD: head/sys/geom/bde/g_bde_lock.c 106226 2002-10-30 22:13:54Z phk $ 36 * 37 * This souce file contains routines which operates on the lock sectors, both 38 * for the kernel and the userland program gbde(1). 39 * 40 */ 41 42#include <sys/param.h> 43#include <sys/queue.h> 44#include <sys/stdint.h> 45#include <sys/lock.h> 46#include <sys/mutex.h> 47#include <sys/md5.h> 48 49#ifdef _KERNEL 50#include <sys/malloc.h> 51#include <sys/systm.h> 52#else 53#include <errno.h> 54#include <string.h> 55#include <stdlib.h> 56#include <stdio.h> 57#define g_free(foo) free(foo) 58#endif 59 60#include <geom/geom.h> 61#include <geom/bde/g_bde.h> 62 63#include <crypto/rijndael/rijndael.h> 64 65/* 66 * Encode/Decode the lock structure in byte-sequence format. 67 * 68 * Security objectives: none. 69 * 70 * C-structure packing and byte-endianess depends on architecture, compiler 71 * and compiler options. We therefore explicitly encode and decode struct 72 * g_bde_key using an invariant byte-sequence format. 73 * 74 */ 75 76void 77g_bde_encode_lock(struct g_bde_key *gl, u_char *ptr) 78{ 79 80 bcopy(gl->hash, ptr + 0, sizeof gl->hash); 81 g_enc_le8(ptr + 16, gl->sector0); 82 g_enc_le8(ptr + 24, gl->sectorN); 83 g_enc_le8(ptr + 32, gl->keyoffset); 84 g_enc_le4(ptr + 40, gl->sectorsize); 85 g_enc_le4(ptr + 44, gl->flags); 86 g_enc_le8(ptr + 48, gl->lsector[0]); 87 g_enc_le8(ptr + 56, gl->lsector[1]); 88 g_enc_le8(ptr + 64, gl->lsector[2]); 89 g_enc_le8(ptr + 72, gl->lsector[3]); 90 bcopy(gl->spare, ptr + 80, sizeof gl->spare); 91 bcopy(gl->salt, ptr + 112, sizeof gl->salt); 92 bcopy(gl->mkey, ptr + 128, sizeof gl->mkey); 93} 94 95void 96g_bde_decode_lock(struct g_bde_key *gl, u_char *ptr) 97{ 98 bcopy(ptr + 0, gl->hash, sizeof gl->hash); 99 gl->sector0 = g_dec_le8(ptr + 16); 100 gl->sectorN = g_dec_le8(ptr + 24); 101 gl->keyoffset = g_dec_le8(ptr + 32); 102 gl->sectorsize = g_dec_le4(ptr + 40); 103 gl->flags = g_dec_le4(ptr + 44); 104 gl->lsector[0] = g_dec_le8(ptr + 48); 105 gl->lsector[1] = g_dec_le8(ptr + 56); 106 gl->lsector[2] = g_dec_le8(ptr + 64); 107 gl->lsector[3] = g_dec_le8(ptr + 72); 108 bcopy(ptr + 80, gl->spare, sizeof gl->spare); 109 bcopy(ptr + 112, gl->salt, sizeof gl->salt); 110 bcopy(ptr + 128, gl->mkey, sizeof gl->mkey); 111} 112 113/* 114 * Generate key-material used for protecting lock sectors. 115 * 116 * Security objectives: from the pass-phrase provide by the user, produce a 117 * reproducible stream of bits/bytes which resemeble pseudo-random bits. 118 * 119 * This is the stream-cipher algorithm called ARC4. See for instance the 120 * description in "Applied Cryptography" by Bruce Scneier. 121 */ 122 123u_char 124g_bde_arc4(struct g_bde_softc *sc) 125{ 126 u_char c; 127 128 sc->arc4_j += sc->arc4_sbox[++sc->arc4_i]; 129 c = sc->arc4_sbox[sc->arc4_i]; 130 sc->arc4_sbox[sc->arc4_i] = sc->arc4_sbox[sc->arc4_j]; 131 sc->arc4_sbox[sc->arc4_j] = c; 132 c = sc->arc4_sbox[sc->arc4_i] + sc->arc4_sbox[sc->arc4_j]; 133 c = sc->arc4_sbox[c]; 134 return (c); 135} 136 137void 138g_bde_arc4_seq(struct g_bde_softc *sc, void *ptr, u_int len) 139{ 140 u_char *p; 141 142 p = ptr; 143 while (len--) 144 *p++ = g_bde_arc4(sc); 145} 146 147void 148g_bde_arc4_seed(struct g_bde_softc *sc, const void *ptr, u_int len) 149{ 150 u_char k[256], c; 151 const u_char *p; 152 u_int i; 153 154 p = ptr; 155 sc->arc4_i = 0; 156 bzero(k, sizeof k); 157 while(len--) 158 k[sc->arc4_i++] ^= *p++; 159 160 sc->arc4_j = 0; 161 for (i = 0; i < 256; i++) 162 sc->arc4_sbox[i] = i; 163 for (i = 0; i < 256; i++) { 164 sc->arc4_j += sc->arc4_sbox[i] + k[i]; 165 c = sc->arc4_sbox[i]; 166 sc->arc4_sbox[i] = sc->arc4_sbox[sc->arc4_j]; 167 sc->arc4_sbox[sc->arc4_j] = c; 168 } 169 sc->arc4_i = 0; 170 sc->arc4_j = 0; 171} 172 173/* 174 * Encrypt/Decrypt the metadata address with key-material. 175 */ 176 177int 178g_bde_keyloc_encrypt(struct g_bde_softc *sc, void *input, void *output) 179{ 180 u_char *p; 181 u_char buf[16], buf1[16]; 182 u_int i; 183 keyInstance ki; 184 cipherInstance ci; 185 186 bcopy(input, output, 16); 187 return 0; 188 rijndael_cipherInit(&ci, MODE_CBC, NULL); 189 p = input; 190 g_bde_arc4_seq(sc, buf, sizeof buf); 191 for (i = 0; i < sizeof buf; i++) 192 buf1[i] = p[i] ^ buf[i]; 193 g_bde_arc4_seq(sc, buf, sizeof buf); 194 rijndael_makeKey(&ki, DIR_ENCRYPT, G_BDE_KKEYBITS, buf); 195 rijndael_blockEncrypt(&ci, &ki, buf1, 16 * 8, output); 196 bzero(&ci, sizeof ci); 197 bzero(&ki, sizeof ki); 198 return (0); 199} 200 201int 202g_bde_keyloc_decrypt(struct g_bde_softc *sc, void *input, void *output) 203{ 204 u_char *p; 205 u_char buf1[16], buf2[16]; 206 u_int i; 207 keyInstance ki; 208 cipherInstance ci; 209 210 bcopy(input, output, 16); 211 return 0; 212 rijndael_cipherInit(&ci, MODE_CBC, NULL); 213 g_bde_arc4_seq(sc, buf1, sizeof buf1); 214 g_bde_arc4_seq(sc, buf2, sizeof buf2); 215 rijndael_makeKey(&ki, DIR_DECRYPT, G_BDE_KKEYBITS, buf2); 216 rijndael_blockDecrypt(&ci, &ki, input, 16 * 8, output); 217 p = output; 218 for (i = 0; i < sizeof buf1; i++) 219 p[i] ^= buf1[i]; 220 bzero(&ci, sizeof ci); 221 bzero(&ki, sizeof ki); 222 return (0); 223} 224 225/* 226 * Encode/Decode lock sectors, do the real work. 227 */ 228 229static int 230g_bde_decrypt_lockx(struct g_bde_softc *sc, u_char *sbox, u_char *meta, off_t mediasize, u_int sectorsize, u_int *nkey) 231{ 232 u_char *buf, k1buf[16], k2buf[G_BDE_LOCKSIZE], k3buf[16], *q; 233 struct g_bde_key *gl; 234 uint64_t off[2]; 235 int error, m, i; 236 MD5_CTX c; 237 keyInstance ki; 238 cipherInstance ci; 239 240 rijndael_cipherInit(&ci, MODE_CBC, NULL); 241 bcopy(sbox, sc->arc4_sbox, 256); 242 sc->arc4_i = 0; 243 sc->arc4_j = 0; 244 gl = &sc->key; 245 error = g_bde_keyloc_decrypt(sc, meta, off); 246 if (error) 247 return(error); 248 249 if (off[0] + G_BDE_LOCKSIZE > (uint64_t)mediasize) { 250 bzero(off, sizeof off); 251 return (EINVAL); 252 } 253 off[1] = 0; 254 m = 1; 255 if (off[0] % sectorsize > sectorsize - G_BDE_LOCKSIZE) 256 m++; 257 buf = g_read_data(sc->consumer, 258 off[0] - (off[0] % sectorsize), 259 m * sectorsize, &error); 260 if (buf == NULL) { 261 off[0] = 0; 262 return(error); 263 } 264 265 q = buf + off[0] % sectorsize; 266 267 off[1] = 0; 268 for (i = 0; i < G_BDE_LOCKSIZE; i++) 269 off[1] += q[i]; 270 271 if (off[1] == 0) { 272 off[0] = 0; 273 g_free(buf); 274 return (ESRCH); 275 } 276 277 g_bde_arc4_seq(sc, k1buf, sizeof k1buf); 278 g_bde_arc4_seq(sc, k2buf, sizeof k2buf); 279 g_bde_arc4_seq(sc, k3buf, sizeof k3buf); 280 281 MD5Init(&c); 282 MD5Update(&c, "0000", 4); /* XXX: for future versioning */ 283 MD5Update(&c, k1buf, 16); 284 MD5Final(k1buf, &c); 285 286 rijndael_makeKey(&ki, DIR_DECRYPT, 128, k3buf); 287 bzero(k3buf, sizeof k3buf); 288 rijndael_blockDecrypt(&ci, &ki, q, G_BDE_LOCKSIZE * 8, q); 289 290 for (i = 0; i < G_BDE_LOCKSIZE; i++) 291 q[i] ^= k2buf[i]; 292 bzero(k2buf, sizeof k2buf); 293 294 if (bcmp(q, k1buf, sizeof k1buf)) { 295 bzero(k1buf, sizeof k1buf); 296 bzero(buf, sectorsize * m); 297 g_free(buf); 298 off[0] = 0; 299 return (ENOTDIR); 300 } 301 bzero(k1buf, sizeof k1buf); 302 303 g_bde_decode_lock(gl, q); 304 bzero(buf, sectorsize * m); 305 g_free(buf); 306 307 off[1] = 0; 308 for (i = 0; i < (int)sizeof(gl->mkey); i++) 309 off[1] += gl->mkey[i]; 310 311 if (off[1] == 0) { 312 off[0] = 0; 313 return (ENOENT); 314 } 315 for (i = 0; i < G_BDE_MAXKEYS; i++) 316 if (nkey != NULL && off[0] == gl->lsector[i]) 317 *nkey = i; 318 319 return (0); 320} 321 322/* 323 * Encode/Decode lock sectors. 324 */ 325 326int 327g_bde_decrypt_lock(struct g_bde_softc *sc, u_char *sbox, u_char *meta, off_t mediasize, u_int sectorsize, u_int *nkey) 328{ 329 u_char *buf, buf1[16]; 330 int error, e, i; 331 332 bzero(buf1, sizeof buf1); 333 if (bcmp(buf1, meta, sizeof buf1)) 334 return (g_bde_decrypt_lockx(sc, sbox, meta, mediasize, 335 sectorsize, nkey)); 336 337 buf = g_read_data(sc->consumer, 0, sectorsize, &error); 338 if (buf == NULL) 339 return(error); 340 error = 0; 341 for (i = 0; i < G_BDE_MAXKEYS; i++) { 342 e = g_bde_decrypt_lockx(sc, sbox, buf + i * 16, mediasize, 343 sectorsize, nkey); 344 if (e == 0 || e == ENOENT) { 345 error = e; 346 break; 347 } 348 if (e == ESRCH) 349 error = ENOTDIR; 350 else if (e != 0) 351 error = e; 352 } 353 g_free(buf); 354 return (error); 355} 356