The Design and Implementation of the FreeBSD Operating System, Second Edition
Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]

FreeBSD/Linux Kernel Cross Reference
sys/geom/bde/g_bde_crypt.c

Version: -  FREEBSD  -  FREEBSD-13-STABLE  -  FREEBSD-13-0  -  FREEBSD-12-STABLE  -  FREEBSD-12-0  -  FREEBSD-11-STABLE  -  FREEBSD-11-0  -  FREEBSD-10-STABLE  -  FREEBSD-10-0  -  FREEBSD-9-STABLE  -  FREEBSD-9-0  -  FREEBSD-8-STABLE  -  FREEBSD-8-0  -  FREEBSD-7-STABLE  -  FREEBSD-7-0  -  FREEBSD-6-STABLE  -  FREEBSD-6-0  -  FREEBSD-5-STABLE  -  FREEBSD-5-0  -  FREEBSD-4-STABLE  -  FREEBSD-3-STABLE  -  FREEBSD22  -  l41  -  OPENBSD  -  linux-2.6  -  MK84  -  PLAN9  -  xnu-8792 
SearchContext: -  none  -  3  -  10 

    1 /*-
    2  * Copyright (c) 2002 Poul-Henning Kamp
    3  * Copyright (c) 2002 Networks Associates Technology, Inc.
    4  * All rights reserved.
    5  *
    6  * This software was developed for the FreeBSD Project by Poul-Henning Kamp
    7  * and NAI Labs, the Security Research Division of Network Associates, Inc.
    8  * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
    9  * DARPA CHATS research program.
   10  *
   11  * Redistribution and use in source and binary forms, with or without
   12  * modification, are permitted provided that the following conditions
   13  * are met:
   14  * 1. Redistributions of source code must retain the above copyright
   15  *    notice, this list of conditions and the following disclaimer.
   16  * 2. Redistributions in binary form must reproduce the above copyright
   17  *    notice, this list of conditions and the following disclaimer in the
   18  *    documentation and/or other materials provided with the distribution.
   19  *
   20  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
   21  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
   22  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
   23  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
   24  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
   25  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
   26  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
   27  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
   28  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
   29  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   30  * SUCH DAMAGE.
   31  *
   32  * $FreeBSD$
   33  */
   34 
   35 /*
   36  * This source file contains the functions responsible for the crypto, keying
   37  * and mapping operations on the I/O requests.
   38  *
   39  */
   40 
   41 #include <sys/param.h>
   42 #include <sys/bio.h>
   43 #include <sys/lock.h>
   44 #include <sys/mutex.h>
   45 #include <sys/queue.h>
   46 #include <sys/malloc.h>
   47 #include <sys/libkern.h>
   48 #include <sys/endian.h>
   49 #include <sys/md5.h>
   50 
   51 #include <crypto/rijndael/rijndael.h>
   52 #include <crypto/sha2/sha2.h>
   53 
   54 #include <geom/geom.h>
   55 #include <geom/bde/g_bde.h>
   56 
   57 /*
   58  * XXX: Debugging DO NOT ENABLE
   59  */
   60 #undef MD5_KEY
   61 
   62 /*
   63  * Derive kkey from mkey + sector offset.
   64  *
   65  * Security objective: Derive a potentially very large number of distinct skeys
   66  * from the comparatively small key material in our mkey, in such a way that
   67  * if one, more or even many of the kkeys are compromised, this does not
   68  * significantly help an attack on other kkeys and in particular does not
   69  * weaken or compromised the mkey.
   70  *
   71  * First we MD5 hash the sectornumber with the salt from the lock sector.
   72  * The salt prevents the precalculation and statistical analysis of the MD5
   73  * output which would be possible if we only gave it the sectornumber.
   74  *
   75  * The MD5 hash is used to pick out 16 bytes from the masterkey, which
   76  * are then hashed with MD5 together with the sector number.
   77  *
   78  * The resulting MD5 hash is the kkey.
   79  */
   80 
   81 static void
   82 g_bde_kkey(struct g_bde_softc *sc, keyInstance *ki, int dir, off_t sector)
   83 {
   84         u_int t;
   85         MD5_CTX ct;
   86         u_char buf[16];
   87         u_char buf2[8];
   88 
   89         /* We have to be architecture neutral */
   90         le64enc(buf2, sector);
   91 
   92         MD5Init(&ct);
   93         MD5Update(&ct, sc->key.salt, 8);
   94         MD5Update(&ct, buf2, sizeof buf2);
   95         MD5Update(&ct, sc->key.salt + 8, 8);
   96         MD5Final(buf, &ct);
   97 
   98         MD5Init(&ct);
   99         for (t = 0; t < 16; t++) {
  100                 MD5Update(&ct, &sc->key.mkey[buf[t]], 1);
  101                 if (t == 8)
  102                         MD5Update(&ct, buf2, sizeof buf2);
  103         }
  104         bzero(buf2, sizeof buf2);
  105         MD5Final(buf, &ct);
  106         bzero(&ct, sizeof ct);
  107         AES_makekey(ki, dir, G_BDE_KKEYBITS, buf);
  108         bzero(buf, sizeof buf);
  109 }
  110 
  111 /*
  112  * Encryption work for read operation.
  113  *
  114  * Security objective: Find the kkey, find the skey, decrypt the sector data.
  115  */
  116 
  117 void
  118 g_bde_crypt_read(struct g_bde_work *wp)
  119 {
  120         struct g_bde_softc *sc;
  121         u_char *d;
  122         u_int n;
  123         off_t o;
  124         u_char skey[G_BDE_SKEYLEN];
  125         keyInstance ki;
  126         cipherInstance ci;
  127         
  128 
  129         AES_init(&ci);
  130         sc = wp->softc;
  131         o = 0;
  132         for (n = 0; o < wp->length; n++, o += sc->sectorsize) {
  133                 d = (u_char *)wp->ksp->data + wp->ko + n * G_BDE_SKEYLEN;
  134                 g_bde_kkey(sc, &ki, DIR_DECRYPT, wp->offset + o);
  135                 AES_decrypt(&ci, &ki, d, skey, sizeof skey);
  136                 d = (u_char *)wp->data + o;
  137                 AES_makekey(&ki, DIR_DECRYPT, G_BDE_SKEYBITS, skey);
  138                 AES_decrypt(&ci, &ki, d, d, sc->sectorsize);
  139         }
  140         bzero(skey, sizeof skey);
  141         bzero(&ci, sizeof ci);
  142         bzero(&ki, sizeof ki);
  143 }
  144 
  145 /*
  146  * Encryption work for write operation.
  147  *
  148  * Security objective: Create random skey, encrypt sector data,
  149  * encrypt skey with the kkey.
  150  */
  151 
  152 void
  153 g_bde_crypt_write(struct g_bde_work *wp)
  154 {
  155         u_char *s, *d;
  156         struct g_bde_softc *sc;
  157         u_int n;
  158         off_t o;
  159         u_char skey[G_BDE_SKEYLEN];
  160         keyInstance ki;
  161         cipherInstance ci;
  162 
  163         sc = wp->softc;
  164         AES_init(&ci);
  165         o = 0;
  166         for (n = 0; o < wp->length; n++, o += sc->sectorsize) {
  167 
  168                 s = (u_char *)wp->data + o;
  169                 d = (u_char *)wp->sp->data + o;
  170                 arc4rand(skey, sizeof skey, 0);
  171                 AES_makekey(&ki, DIR_ENCRYPT, G_BDE_SKEYBITS, skey);
  172                 AES_encrypt(&ci, &ki, s, d, sc->sectorsize);
  173 
  174                 d = (u_char *)wp->ksp->data + wp->ko + n * G_BDE_SKEYLEN;
  175                 g_bde_kkey(sc, &ki, DIR_ENCRYPT, wp->offset + o);
  176                 AES_encrypt(&ci, &ki, skey, d, sizeof skey);
  177                 bzero(skey, sizeof skey);
  178         }
  179         bzero(skey, sizeof skey);
  180         bzero(&ci, sizeof ci);
  181         bzero(&ki, sizeof ki);
  182 }
  183 
  184 /*
  185  * Encryption work for delete operation.
  186  *
  187  * Security objective: Write random data to the sectors.
  188  *
  189  * XXX: At a hit in performance we would trash the encrypted skey as well.
  190  * XXX: This would add frustration to the cleaning lady attack by making
  191  * XXX: deletes look like writes.
  192  */
  193 
  194 void
  195 g_bde_crypt_delete(struct g_bde_work *wp)
  196 {
  197         struct g_bde_softc *sc;
  198         u_char *d;
  199         off_t o;
  200         u_char skey[G_BDE_SKEYLEN];
  201         keyInstance ki;
  202         cipherInstance ci;
  203 
  204         sc = wp->softc;
  205         d = wp->sp->data;
  206         AES_init(&ci);
  207         /*
  208          * Do not unroll this loop!
  209          * Our zone may be significantly wider than the amount of random
  210          * bytes arc4rand likes to give in one reseeding, whereas our
  211          * sectorsize is far more likely to be in the same range.
  212          */
  213         for (o = 0; o < wp->length; o += sc->sectorsize) {
  214                 arc4rand(d, sc->sectorsize, 0);
  215                 arc4rand(skey, sizeof skey, 0);
  216                 AES_makekey(&ki, DIR_ENCRYPT, G_BDE_SKEYBITS, skey);
  217                 AES_encrypt(&ci, &ki, d, d, sc->sectorsize);
  218                 d += sc->sectorsize;
  219         }
  220         /*
  221          * Having written a long random sequence to disk here, we want to
  222          * force a reseed, to avoid weakening the next time we use random
  223          * data for something important.
  224          */
  225         arc4rand(&o, sizeof o, 1);
  226 }
  227 
  228 /*
  229  * Calculate the total payload size of the encrypted device.
  230  *
  231  * Security objectives: none.
  232  *
  233  * This function needs to agree with g_bde_map_sector() about things.
  234  */
  235 
  236 uint64_t
  237 g_bde_max_sector(struct g_bde_key *kp)
  238 {
  239         uint64_t maxsect;
  240 
  241         maxsect = kp->media_width;
  242         maxsect /= kp->zone_width;
  243         maxsect *= kp->zone_cont;
  244         return (maxsect);
  245 }
  246 
  247 /*
  248  * Convert an unencrypted side offset to offsets on the encrypted side.
  249  *
  250  * Security objective:  Make it harder to identify what sectors contain what
  251  * on a "cold" disk image.
  252  *
  253  * We do this by adding the "keyoffset" from the lock to the physical sector
  254  * number modulus the available number of sectors.  Since all physical sectors
  255  * presumably look the same cold, this will do.
  256  *
  257  * As part of the mapping we have to skip the lock sectors which we know
  258  * the physical address off.  We also truncate the work packet, respecting
  259  * zone boundaries and lock sectors, so that we end up with a sequence of
  260  * sectors which are physically contiguous.
  261  *
  262  * Shuffling things further is an option, but the incremental frustration is
  263  * not currently deemed worth the run-time performance hit resulting from the
  264  * increased number of disk arm movements it would incur.
  265  *
  266  * This function offers nothing but a trivial diversion for an attacker able
  267  * to do "the cleaning lady attack" in its current static mapping form.
  268  */
  269 
  270 void
  271 g_bde_map_sector(struct g_bde_work *wp)
  272 {
  273 
  274         u_int   zone, zoff, u, len;
  275         uint64_t ko;
  276         struct g_bde_softc *sc;
  277         struct g_bde_key *kp;
  278 
  279         sc = wp->softc;
  280         kp = &sc->key;
  281 
  282         /* find which zone and the offset in it */
  283         zone = wp->offset / kp->zone_cont;
  284         zoff = wp->offset % kp->zone_cont;
  285 
  286         /* Calculate the offset of the key in the key sector */
  287         wp->ko = (zoff / kp->sectorsize) * G_BDE_SKEYLEN;
  288 
  289         /* restrict length to that zone */
  290         len = kp->zone_cont - zoff;
  291 
  292         /* ... and in general */
  293         if (len > DFLTPHYS)
  294                 len = DFLTPHYS;
  295 
  296         if (len < wp->length)
  297                 wp->length = len;
  298 
  299         /* Find physical sector address */
  300         wp->so = zone * kp->zone_width + zoff;
  301         wp->so += kp->keyoffset;
  302         wp->so %= kp->media_width;
  303         if (wp->so + wp->length > kp->media_width)
  304                 wp->length = kp->media_width - wp->so;
  305         wp->so += kp->sector0;
  306 
  307         /* The key sector is the last in this zone. */
  308         wp->kso = zone * kp->zone_width + kp->zone_cont;
  309         wp->kso += kp->keyoffset;
  310         wp->kso %= kp->media_width;
  311         wp->kso += kp->sector0; 
  312 
  313         /* Compensate for lock sectors */
  314         for (u = 0; u < G_BDE_MAXKEYS; u++) {
  315                 /* Find the start of this lock sector */
  316                 ko = kp->lsector[u] & ~((uint64_t)kp->sectorsize - 1);
  317 
  318                 if (wp->kso >= ko)
  319                         wp->kso += kp->sectorsize;
  320 
  321                 if (wp->so >= ko) {
  322                         /* lock sector before work packet */
  323                         wp->so += kp->sectorsize;
  324                 } else if ((wp->so + wp->length) > ko) {
  325                         /* lock sector in work packet, truncate */
  326                         wp->length = ko - wp->so;
  327                 }
  328         }
  329 
  330 #if 0
  331         printf("off %jd len %jd so %jd ko %jd kso %u\n",
  332             (intmax_t)wp->offset,
  333             (intmax_t)wp->length,
  334             (intmax_t)wp->so,
  335             (intmax_t)wp->kso,
  336             wp->ko);
  337 #endif
  338         KASSERT(wp->so + wp->length <= kp->sectorN,
  339             ("wp->so (%jd) + wp->length (%jd) > EOM (%jd), offset = %jd",
  340             (intmax_t)wp->so,
  341             (intmax_t)wp->length,
  342             (intmax_t)kp->sectorN,
  343             (intmax_t)wp->offset));
  344 
  345         KASSERT(wp->kso + kp->sectorsize <= kp->sectorN,
  346             ("wp->kso (%jd) + kp->sectorsize > EOM (%jd), offset = %jd",
  347             (intmax_t)wp->kso,
  348             (intmax_t)kp->sectorN,
  349             (intmax_t)wp->offset));
  350 
  351         KASSERT(wp->so >= kp->sector0,
  352             ("wp->so (%jd) < BOM (%jd), offset = %jd",
  353             (intmax_t)wp->so,
  354             (intmax_t)kp->sector0,
  355             (intmax_t)wp->offset));
  356 
  357         KASSERT(wp->kso >= kp->sector0,
  358             ("wp->kso (%jd) <BOM (%jd), offset = %jd",
  359             (intmax_t)wp->kso,
  360             (intmax_t)kp->sector0,
  361             (intmax_t)wp->offset));
  362 }

Cache object: 4de40a562b7a82c7d93a04efdecabe37


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]


This page is part of the FreeBSD/Linux Linux Kernel Cross-Reference, and was automatically generated using a modified version of the LXR engine.