sys/geom/bde/g_bde_crypt.c


    1 /*-
    2  * Copyright (c) 2002 Poul-Henning Kamp
    3  * Copyright (c) 2002 Networks Associates Technology, Inc.
    4  * All rights reserved.
    5  *
    6  * This software was developed for the FreeBSD Project by Poul-Henning Kamp
    7  * and NAI Labs, the Security Research Division of Network Associates, Inc.
    8  * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
    9  * DARPA CHATS research program.
   10  *
   11  * Redistribution and use in source and binary forms, with or without
   12  * modification, are permitted provided that the following conditions
   13  * are met:
   14  * 1. Redistributions of source code must retain the above copyright
   15  *    notice, this list of conditions and the following disclaimer.
   16  * 2. Redistributions in binary form must reproduce the above copyright
   17  *    notice, this list of conditions and the following disclaimer in the
   18  *    documentation and/or other materials provided with the distribution.
   19  *
   20  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
   21  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
   22  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
   23  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
   24  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
   25  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
   26  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
   27  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
   28  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
   29  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   30  * SUCH DAMAGE.
   31  *
   32  * $FreeBSD: releng/5.2/sys/geom/bde/g_bde_crypt.c 119891 2003-09-08 18:35:26Z phk $
   33  *
   34  * This source file contains the functions responsible for the crypto, keying
   35  * and mapping operations on the I/O requests.
   36  *
   37  */
   38 
   39 #include <sys/param.h>
   40 #include <sys/bio.h>
   41 #include <sys/lock.h>
   42 #include <sys/mutex.h>
   43 #include <sys/queue.h>
   44 #include <sys/malloc.h>
   45 #include <sys/libkern.h>
   46 #include <sys/endian.h>
   47 #include <sys/md5.h>
   48 
   49 #include <crypto/rijndael/rijndael.h>
   50 #include <crypto/sha2/sha2.h>
   51 
   52 #include <geom/geom.h>
   53 #include <geom/bde/g_bde.h>
   54 
   55 /*
   56  * XXX: Debugging DO NOT ENABLE
   57  */
   58 #undef MD5_KEY
   59 
   60 /*
   61  * Derive kkey from mkey + sector offset.
   62  *
   63  * Security objective: Derive a potentially very large number of distinct skeys
   64  * from the comparatively small key material in our mkey, in such a way that
   65  * if one, more or even many of the kkeys are compromised, this does not
   66  * significantly help an attack on other kkeys and in particular does not
   67  * weaken or compromise the mkey.
   68  *
   69  * First we MD5 hash the sectornumber with the salt from the lock sector.
   70  * The salt prevents the precalculation and statistical analysis of the MD5
   71  * output which would be possible if we only gave it the sectornumber.
   72  *
   73  * The MD5 hash is used to pick out 16 bytes from the masterkey, which
   74  * are then hashed with MD5 together with the sector number.
   75  *
   76  * The resulting MD5 hash is the kkey.
   77  */
   78 
/*
 * sc:     supplies key.salt (16 bytes are read) and key.mkey (indexed by a
 *         digest byte, so indices 0..255 are reachable).
 * ki:     receives the AES key schedule for the derived kkey.
 * dir:    passed through to AES_makekey() (DIR_ENCRYPT / DIR_DECRYPT).
 * sector: offset the kkey is bound to; encoded little-endian before hashing.
 */
static void
g_bde_kkey(struct g_bde_softc *sc, keyInstance *ki, int dir, off_t sector)
{
        MD5_CTX md5;
        u_char digest[16];
        u_char sector_le[8];
        u_int i;

        /* Fixed byte order so the derivation is identical on every arch. */
        le64enc(sector_le, sector);

        /* Stage 1: salt[0..7] || sector || salt[8..15] -> selector digest. */
        MD5Init(&md5);
        MD5Update(&md5, sc->key.salt, 8);
        MD5Update(&md5, sector_le, sizeof sector_le);
        MD5Update(&md5, sc->key.salt + 8, 8);
        MD5Final(digest, &md5);

        /*
         * Stage 2: each selector byte picks one mkey byte.  The sector
         * number is mixed in after the ninth picked byte (index 8), not
         * the eighth; this ordering determines every kkey, so it must be
         * kept exactly as is.
         * NOTE(review): presumably frozen by the on-disk format - confirm
         * before touching the hash or the ordering.
         */
        MD5Init(&md5);
        for (i = 0; i <= 8; i++)
                MD5Update(&md5, &sc->key.mkey[digest[i]], 1);
        MD5Update(&md5, sector_le, sizeof sector_le);
        for (; i < 16; i++)
                MD5Update(&md5, &sc->key.mkey[digest[i]], 1);

        /*
         * Scrub intermediates as soon as they are no longer needed.
         * NOTE(review): these are stores to locals that die at return; a
         * compiler may drop such stores, so confirm the kernel's bzero() is
         * not elided here (explicit_bzero() is the usual remedy where the
         * kernel provides it).
         */
        bzero(sector_le, sizeof sector_le);
        MD5Final(digest, &md5);
        bzero(&md5, sizeof md5);

        /* The stage-2 digest is the kkey; expand it, then wipe the raw key. */
        AES_makekey(ki, dir, G_BDE_KKEYBITS, digest);
        bzero(digest, sizeof digest);
}
  108 
  109 /*
  110  * Encryption work for read operation.
  111  *
  112  * Security objective: Find the kkey, find the skey, decrypt the sector data.
  113  */
  114 
/*
 * wp: work packet; reads wp->softc, wp->length, wp->offset, wp->ko,
 *     wp->ksp->data (wrapped skeys) and decrypts wp->data in place.
 *
 * No integrity check is performed in this function: in the normal
 * (non-MD5_KEY) build a damaged key slot or data sector produces garbage
 * plaintext rather than an error.
 */
void
g_bde_crypt_read(struct g_bde_work *wp)
{
        struct g_bde_softc *sc;
        u_char *wrapped;        /* encrypted skey slot in the key sector */
        u_char *sector;         /* data sector being decrypted in place */
        u_char skey[G_BDE_SKEYLEN];
        keyInstance ki;
        cipherInstance ci;
        off_t done;
        u_int idx;

        AES_init(&ci);
        sc = wp->softc;

        idx = 0;
        done = 0;
        while (done < wp->length) {
                /* Unwrap this sector's skey with the per-sector kkey. */
                wrapped = (u_char *)wp->ksp->data + wp->ko +
                    idx * G_BDE_SKEYLEN;
                g_bde_kkey(sc, &ki, DIR_DECRYPT, wp->offset + done);
                AES_decrypt(&ci, &ki, wrapped, skey, sizeof skey);

                sector = (u_char *)wp->data + done;
#ifdef MD5_KEY
                /*
                 * Debug-only path (the file #undefs MD5_KEY): data is not
                 * decrypted; the stored key is compared with MD5(sector).
                 */
                {
                MD5_CTX ct;
                u_char rkey[16];
                int i;

                MD5Init(&ct);
                MD5Update(&ct, sector, sc->sectorsize);
                MD5Final(rkey, &ct);
                if (bcmp(rkey, skey, 16) != 0) {
#if 0
                        printf("MD5_KEY failed at %jd (t=%d)\n",
                            (intmax_t)(wp->offset + done), time_second);
#endif
                        for (i = 0; i < sc->sectorsize; i++)
                                sector[i] = 'A' + i % 26;
                        sprintf(sector, "MD5_KEY failed at %jd (t=%d)",
                            (intmax_t)(wp->offset + done), time_second);
                }
                }
#else
                /* Re-key ki with the recovered skey and decrypt in place. */
                AES_makekey(&ki, DIR_DECRYPT, G_BDE_SKEYBITS, skey);
                AES_decrypt(&ci, &ki, sector, sector, sc->sectorsize);
#endif

                idx++;
                done += sc->sectorsize;
        }

        /* Leave no key material or cipher state behind on the stack. */
        bzero(skey, sizeof skey);
        bzero(&ci, sizeof ci);
        bzero(&ki, sizeof ki);
}
  164 
  165 /*
  166  * Encryption work for write operation.
  167  *
  168  * Security objective: Create random skey, encrypt sector data,
  169  * encrypt skey with the kkey.
  170  */
  171 
/*
 * wp: work packet; reads plaintext from wp->data, writes ciphertext to
 *     wp->sp->data and the wrapped per-sector keys into wp->ksp->data
 *     starting at wp->ko.
 *
 * Every sector gets a fresh skey from arc4rand(), so rewriting a sector
 * changes both its ciphertext and its key slot.  No authentication tag is
 * computed here.
 */
void
g_bde_crypt_write(struct g_bde_work *wp)
{
        struct g_bde_softc *sc;
        u_char *plain, *out;
        u_char skey[G_BDE_SKEYLEN];
        keyInstance ki;
        cipherInstance ci;
        off_t done;
        u_int idx;

        sc = wp->softc;
        AES_init(&ci);

        idx = 0;
        done = 0;
        while (done < wp->length) {
                plain = (u_char *)wp->data + done;
                out = (u_char *)wp->sp->data + done;
#ifdef MD5_KEY
                /*
                 * Debug-only path (the file #undefs MD5_KEY): the sector is
                 * copied unencrypted and skey is just MD5(sector).
                 */
                {
                MD5_CTX ct;

                MD5Init(&ct);
                MD5Update(&ct, plain, sc->sectorsize);
                MD5Final(skey, &ct);
                bcopy(plain, out, sc->sectorsize);
                }
#else
                /* Fresh random sector key, then encrypt the payload. */
                arc4rand(skey, sizeof skey, 0);
                AES_makekey(&ki, DIR_ENCRYPT, G_BDE_SKEYBITS, skey);
                AES_encrypt(&ci, &ki, plain, out, sc->sectorsize);
#endif

                /* Wrap the skey under the kkey derived for this offset. */
                out = (u_char *)wp->ksp->data + wp->ko + idx * G_BDE_SKEYLEN;
                g_bde_kkey(sc, &ki, DIR_ENCRYPT, wp->offset + done);
                AES_encrypt(&ci, &ki, skey, out, sizeof skey);

                /* The cleartext skey must not outlive its sector. */
                bzero(skey, sizeof skey);

                idx++;
                done += sc->sectorsize;
        }

        /* Final scrub of key material and cipher state. */
        bzero(skey, sizeof skey);
        bzero(&ci, sizeof ci);
        bzero(&ki, sizeof ki);
}
  214 
  215 /*
  216  * Encryption work for delete operation.
  217  *
  218  * Security objective: Write random data to the sectors.
  219  *
  220  * XXX: At a hit in performance we would trash the encrypted skey as well.
  221  * XXX: This would add frustration to the cleaning lady attack by making
  222  * XXX: deletes look like writes.
  223  */
  224 
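/*
 * wp: work packet; wp->sp->data is overwritten with wp->length bytes of
 *     random data encrypted under throw-away random keys.
 *
 * The key sector is not touched here (see the XXX note preceding this
 * function).  Unlike the original, skey/ki/ci are scrubbed before return so
 * that this path handles its key state the same way as g_bde_crypt_read()
 * and g_bde_crypt_write().  The keys here only cover random filler, so the
 * exposure was small, but skey is raw arc4rand() output and there is no
 * reason to leave it on the kernel stack.
 */
void
g_bde_crypt_delete(struct g_bde_work *wp)
{
        struct g_bde_softc *sc;
        u_char *d;
        off_t o;
        u_char skey[G_BDE_SKEYLEN];
        keyInstance ki;
        cipherInstance ci;

        sc = wp->softc;
        d = wp->sp->data;
        AES_init(&ci);
        /*
         * Do not unroll this loop!
         * Our zone may be significantly wider than the amount of random
         * bytes arc4rand likes to give in one reseeding, whereas our
         * sectorsize is far more likely to be in the same range.
         */
        for (o = 0; o < wp->length; o += sc->sectorsize) {
                arc4rand(d, sc->sectorsize, 0);
                arc4rand(skey, sizeof skey, 0);
                AES_makekey(&ki, DIR_ENCRYPT, G_BDE_SKEYBITS, skey);
                AES_encrypt(&ci, &ki, d, d, sc->sectorsize);
                d += sc->sectorsize;
        }

        /* Scrub the throw-away key, its schedule and the cipher state. */
        bzero(skey, sizeof skey);
        bzero(&ci, sizeof ci);
        bzero(&ki, sizeof ki);

        /*
         * Having written a long random sequence to disk here, we want to
         * force a reseed, to avoid weakening the next time we use random
         * data for something important.  The bytes stored into 'o' are
         * discarded; only the reseed request (last argument) matters.
         */
        arc4rand(&o, sizeof o, 1);
}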
  258 
  259 /*
  260  * Calculate the total payload size of the encrypted device.
  261  *
  262  * Security objectives: none.
  263  *
  264  * This function needs to agree with g_bde_map_sector() about things.
  265  */
  266 
/*
 * kp: key/layout parameters; reads media_width, zone_width and zone_cont.
 *
 * Returns (media_width / zone_width) * zone_cont using integer division,
 * i.e. only whole zones contribute payload.
 *
 * NOTE(review): zone_width == 0 would divide by zero here; presumably the
 * value is validated when the lock sector is decoded - confirm in caller.
 */
uint64_t
g_bde_max_sector(struct g_bde_key *kp)
{
        uint64_t zones;

        /* Number of complete zones that fit on the media. */
        zones = kp->media_width;
        zones /= kp->zone_width;

        /* Each zone carries zone_cont of payload. */
        return (zones * kp->zone_cont);
}
  277 
  278 /*
  279  * Convert an unencrypted side offset to offsets on the encrypted side.
  280  *
  281  * Security objective:  Make it harder to identify what sectors contain what
  282  * on a "cold" disk image.
  283  *
  284  * We do this by adding the "keyoffset" from the lock to the physical sector
  285  * number modulus the available number of sectors.  Since all physical sectors
  286  * presumably look the same cold, this will do.
  287  *
  288  * As part of the mapping we have to skip the lock sectors which we know
  289  * the physical address of.  We also truncate the work packet, respecting
  290  * zone boundaries and lock sectors, so that we end up with a sequence of
  291  * sectors which are physically contiguous.
  292  *
  293  * Shuffling things further is an option, but the incremental frustration is
  294  * not currently deemed worth the run-time performance hit resulting from the
  295  * increased number of disk arm movements it would incur.
  296  *
  297  * This function offers nothing but a trivial diversion for an attacker able
  298  * to do "the cleaning lady attack" in its current static mapping form.
  299  */
  300 
/*
 * wp: work packet.  Reads wp->offset and wp->length; on return wp->so is the
 *     mapped data location, wp->kso the key sector location, wp->ko the
 *     offset of the first skey inside the key sector, and wp->length may
 *     have been shortened so the request stays physically contiguous.
 *
 * The final range checks are KASSERTs, which are only compiled into kernels
 * built with INVARIANTS; on other kernels nothing in this function rejects
 * an out-of-range mapping, so the layout fields in sc->key must already be
 * trustworthy when this is called.
 */
void
g_bde_map_sector(struct g_bde_work *wp)
{

        struct g_bde_softc *sc;
        struct g_bde_key *kp;
        uint64_t lock_start;
        u_int zone_idx, zone_off, max_len, slot;

        sc = wp->softc;
        kp = &sc->key;

        /*
         * Split the logical offset into zone number and offset in zone.
         * NOTE(review): both are stored in u_int, so the quotient and
         * remainder are assumed to fit - confirm against the layout limits.
         */
        zone_idx = wp->offset / kp->zone_cont;
        zone_off = wp->offset % kp->zone_cont;

        /* One skey slot per data sector inside the zone's key sector. */
        wp->ko = (zone_off / kp->sectorsize) * G_BDE_SKEYLEN;

        /* A request may not cross the zone end nor exceed DFLTPHYS. */
        max_len = kp->zone_cont - zone_off;
        if (max_len > DFLTPHYS)
                max_len = DFLTPHYS;
        if (wp->length > max_len)
                wp->length = max_len;

        /*
         * Data location: rotate by keyoffset, wrap at media_width, cut the
         * request at the wrap point, then shift by sector0.
         */
        wp->so = zone_idx * kp->zone_width + zone_off;
        wp->so += kp->keyoffset;
        wp->so %= kp->media_width;
        if (wp->so + wp->length > kp->media_width)
                wp->length = kp->media_width - wp->so;
        wp->so += kp->sector0;

        /* Key sector location: it is the last sector of the zone. */
        wp->kso = zone_idx * kp->zone_width + kp->zone_cont;
        wp->kso += kp->keyoffset;
        wp->kso %= kp->media_width;
        wp->kso += kp->sector0;

        /* Step over every lock sector, in slot order. */
        for (slot = 0; slot < G_BDE_MAXKEYS; slot++) {
                /*
                 * Round the lock position down to its sector start.
                 * NOTE(review): the mask assumes sectorsize is a power of
                 * two - confirm.
                 */
                lock_start = kp->lsector[slot] & ~(kp->sectorsize - 1);

                if (wp->kso >= lock_start)
                        wp->kso += kp->sectorsize;

                if (wp->so < lock_start) {
                        /* Lock sector inside the work packet: truncate. */
                        if ((wp->so + wp->length) > lock_start)
                                wp->length = lock_start - wp->so;
                } else {
                        /* Lock sector at or before the packet: skip it. */
                        wp->so += kp->sectorsize;
                }
        }

#if 0
        printf("off %jd len %jd so %jd ko %jd kso %u\n",
            (intmax_t)wp->offset,
            (intmax_t)wp->length,
            (intmax_t)wp->so,
            (intmax_t)wp->kso,
            wp->ko);
#endif
        /* Data range must end at or before the end of the media. */
        KASSERT(wp->so + wp->length <= kp->sectorN,
            ("wp->so (%jd) + wp->length (%jd) > EOM (%jd), offset = %jd",
            (intmax_t)wp->so,
            (intmax_t)wp->length,
            (intmax_t)kp->sectorN,
            (intmax_t)wp->offset));

        /* Key sector must end at or before the end of the media. */
        KASSERT(wp->kso + kp->sectorsize <= kp->sectorN,
            ("wp->kso (%jd) + kp->sectorsize > EOM (%jd), offset = %jd",
            (intmax_t)wp->kso,
            (intmax_t)kp->sectorN,
            (intmax_t)wp->offset));

        /* Neither location may precede the start of the media. */
        KASSERT(wp->so >= kp->sector0,
            ("wp->so (%jd) < BOM (%jd), offset = %jd",
            (intmax_t)wp->so,
            (intmax_t)kp->sector0,
            (intmax_t)wp->offset));

        KASSERT(wp->kso >= kp->sector0,
            ("wp->kso (%jd) <BOM (%jd), offset = %jd",
            (intmax_t)wp->kso,
            (intmax_t)kp->sector0,
            (intmax_t)wp->offset));
}
