1 /*-
2  * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
3  *
4  * Copyright (c) 2002 Poul-Henning Kamp
5  * Copyright (c) 2002 Networks Associates Technology, Inc.
6  * All rights reserved.
7  *
8  * This software was developed for the FreeBSD Project by Poul-Henning Kamp
9  * and NAI Labs, the Security Research Division of Network Associates, Inc.
10  * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
11  * DARPA CHATS research program.
12  *
13  * Redistribution and use in source and binary forms, with or without
14  * modification, are permitted provided that the following conditions
15  * are met:
16  * 1. Redistributions of source code must retain the above copyright
17  *    notice, this list of conditions and the following disclaimer.
18  * 2. Redistributions in binary form must reproduce the above copyright
19  *    notice, this list of conditions and the following disclaimer in the
20  *    documentation and/or other materials provided with the distribution.
21  *
22  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
23  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
26  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32  * SUCH DAMAGE.
33  *
34  * $FreeBSD: stable/12/sys/geom/bde/g_bde.h 326270 2017-11-27 15:17:37Z pfg $
35  */
36 
37 #ifndef _SYS_GEOM_BDE_G_BDE_H_
38 #define _SYS_GEOM_BDE_G_BDE_H_ 1
39 
40 /*
41  * These are quite, but not entirely unlike constants.
42  *
43  * They are not commented in details here, to prevent unadvisable
44  * experimentation. Please consult the code where they are used before you
45  * even think about modifying these.
46  */
47 
48 #define G_BDE_MKEYLEN	(2048/8)
49 #define G_BDE_SKEYBITS	128
50 #define G_BDE_SKEYLEN	(G_BDE_SKEYBITS/8)
51 #define G_BDE_KKEYBITS	128
52 #define G_BDE_KKEYLEN	(G_BDE_KKEYBITS/8)
53 #define G_BDE_MAXKEYS	4
54 #define G_BDE_LOCKSIZE	384
55 #define NLOCK_FIELDS	13
56 
57 
58 /* This just needs to be "large enough" */
59 #define G_BDE_KEYBYTES	304
60 
61 struct g_bde_work;
62 struct g_bde_softc;
63 
64 struct g_bde_sector {
65 	struct g_bde_work	*owner;
66 	struct g_bde_softc	*softc;
67 	off_t			offset;
68 	u_int			size;
69 	u_int			ref;
70 	void			*data;
71 	TAILQ_ENTRY(g_bde_sector) list;
72 	u_char			valid;
73 	u_char			malloc;
74 	enum {JUNK, IO, VALID}	state;
75 	int			error;
76 	time_t			used;
77 };
78 
79 struct g_bde_work {
80 	struct mtx		mutex;
81 	off_t			offset;
82 	off_t			length;
83 	void			*data;
84         struct bio      	*bp;
85 	struct g_bde_softc 	*softc;
86         off_t           	so;
87         off_t           	kso;
88         u_int           	ko;
89         struct g_bde_sector   	*sp;
90         struct g_bde_sector   	*ksp;
91 	TAILQ_ENTRY(g_bde_work) list;
92 	enum {SETUP, WAIT, FINISH} state;
93 	int			error;
94 };
95 
96 /*
97  * The decrypted contents of the lock sectors.  Notice that this is not
98  * the same as the on-disk layout.  The on-disk layout is dynamic and
99  * dependent on the pass-phrase.
100  */
101 struct g_bde_key {
102 	uint64_t		sector0;
103 				/* Physical byte offset of 1st byte used */
104 	uint64_t		sectorN;
105 				/* Physical byte offset of 1st byte not used */
106 	uint64_t		keyoffset;
107 				/* Number of bytes the disk image is skewed. */
108 	uint64_t		lsector[G_BDE_MAXKEYS];
109 				/* Physical byte offsets of lock sectors */
110 	uint32_t		sectorsize;
111 				/* Our "logical" sector size */
112 	uint32_t		flags;
113 #define	GBDE_F_SECT0		1
114 	uint8_t			salt[16];
115 				/* Used to frustate the kkey generation */
116 	uint8_t			spare[32];
117 				/* For future use, random contents */
118 	uint8_t			mkey[G_BDE_MKEYLEN];
119 				/* Our masterkey. */
120 
121 	/* Non-stored help-fields */
122 	uint64_t		zone_width;	/* On-disk width of zone */
123 	uint64_t		zone_cont;	/* Payload width of zone */
124 	uint64_t		media_width;	/* Non-magic width of zone */
125 	u_int			keys_per_sector;
126 };
127 
128 struct g_bde_softc {
129 	off_t			mediasize;
130 	u_int			sectorsize;
131 	uint64_t		zone_cont;
132 	struct g_geom		*geom;
133 	struct g_consumer	*consumer;
134 	TAILQ_HEAD(, g_bde_sector)	freelist;
135 	TAILQ_HEAD(, g_bde_work) 	worklist;
136 	struct mtx		worklist_mutex;
137 	struct proc		*thread;
138 	struct g_bde_key	key;
139 	int			dead;
140 	u_int			nwork;
141 	u_int			nsect;
142 	u_int			ncache;
143 	u_char			sha2[SHA512_DIGEST_LENGTH];
144 };
145 
146 /* g_bde_crypt.c */
147 void g_bde_crypt_delete(struct g_bde_work *wp);
148 void g_bde_crypt_read(struct g_bde_work *wp);
149 void g_bde_crypt_write(struct g_bde_work *wp);
150 
151 /* g_bde_key.c */
152 void g_bde_zap_key(struct g_bde_softc *sc);
153 int g_bde_get_key(struct g_bde_softc *sc, void *ptr, int len);
154 int g_bde_init_keybytes(struct g_bde_softc *sc, char *passp, int len);
155 
156 /* g_bde_lock .c */
157 int g_bde_encode_lock(u_char *sha2, struct g_bde_key *gl, u_char *ptr);
158 int g_bde_decode_lock(struct g_bde_softc *sc, struct g_bde_key *gl, u_char *ptr);
159 int g_bde_keyloc_encrypt(u_char *sha2, uint64_t v0, uint64_t v1, void *output);
160 int g_bde_keyloc_decrypt(u_char *sha2, void *input, uint64_t *output);
161 int g_bde_decrypt_lock(struct g_bde_softc *sc, u_char *keymat, u_char *meta, off_t mediasize, u_int sectorsize, u_int *nkey);
162 void g_bde_hash_pass(struct g_bde_softc *sc, const void *input, u_int len);
163 
164 /* g_bde_math .c */
165 uint64_t g_bde_max_sector(struct g_bde_key *lp);
166 void g_bde_map_sector(struct g_bde_work *wp);
167 
168 /* g_bde_work.c */
169 void g_bde_start1(struct bio *bp);
170 void g_bde_worker(void *arg);
171 
172 /*
173  * These four functions wrap the raw Rijndael functions and make sure we
174  * explode if something fails which shouldn't.
175  */
176 
177 static __inline void
AES_init(cipherInstance * ci)178 AES_init(cipherInstance *ci)
179 {
180 	int error;
181 
182 	error = rijndael_cipherInit(ci, MODE_CBC, NULL);
183 	KASSERT(error > 0, ("rijndael_cipherInit %d", error));
184 }
185 
186 static __inline void
AES_makekey(keyInstance * ki,int dir,u_int len,const void * key)187 AES_makekey(keyInstance *ki, int dir, u_int len, const void *key)
188 {
189 	int error;
190 
191 	error = rijndael_makeKey(ki, dir, len, key);
192 	KASSERT(error > 0, ("rijndael_makeKey %d", error));
193 }
194 
195 static __inline void
AES_encrypt(cipherInstance * ci,keyInstance * ki,const void * in,void * out,u_int len)196 AES_encrypt(cipherInstance *ci, keyInstance *ki, const void *in, void *out, u_int len)
197 {
198 	int error;
199 
200 	error = rijndael_blockEncrypt(ci, ki, in, len * 8, out);
201 	KASSERT(error > 0, ("rijndael_blockEncrypt %d", error));
202 }
203 
204 static __inline void
AES_decrypt(cipherInstance * ci,keyInstance * ki,const void * in,void * out,u_int len)205 AES_decrypt(cipherInstance *ci, keyInstance *ki, const void *in, void *out, u_int len)
206 {
207 	int error;
208 
209 	error = rijndael_blockDecrypt(ci, ki, in, len * 8, out);
210 	KASSERT(error > 0, ("rijndael_blockDecrypt %d", error));
211 }
212 
213 #endif /* _SYS_GEOM_BDE_G_BDE_H_ */
214