Run a revision on the GBDE encryption facility.

Replace ARC4 with SHA2-512.
Change lock-structure encoding to use random ordering rather for obscurity.
Encrypt lock-structure with AES/256 instead of AES/128.
Change kkey derivation to be MD5 hash based.
Watch for malloc(M_NOWAIT) failures and ditch our cache when they happen.
Remove clause 3 of the license with NAI Labs consent.

Many thanks to "Lucky Green" <shamrock@cypherpunks.to> and "David
Wagner" <daw@cs.berkeley.edu>, for code reading, inputs and
suggestions.

This code has still not been stared at for 10 years by a gang of
hard-core cryptographers.  Discretion advised.

NB: These changes result in the on-disk format changing: dump/restore needed.

Sponsored by:   DARPA & NAI Labs.

1 files changed, 77 insertions, 18 deletions

diff --git a/sys/geom/bde/g_bde.h b/sys/geom/bde/g_bde.h
index 6354411..c5f9bf5 100644
--- a/sys/geom/bde/g_bde.h
+++ b/sys/geom/bde/g_bde.h
@@ -16,9 +16,6 @@
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. The names of the authors may not be used to endorse or promote
- *    products derived from this software without specific prior written
- *    permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -35,7 +32,17 @@
  * $FreeBSD$
  */
 
-/* These are quite, but not entirely unlike constants. */
+#ifndef _SYS_GEOM_BDE_G_BDE_H_
+#define _SYS_GEOM_BDE_G_BDE_H_ 1
+
+/*
+ * These are quite, but not entirely unlike constants.
+ *
+ * They are not commented in details here, to prevent unadvisable
+ * experimentation. Please consult the code where they are used before you
+ * even think about modifying these.
+ */
+
 #define G_BDE_MKEYLEN	(2048/8)
 #define G_BDE_SKEYBITS	128
 #define G_BDE_SKEYLEN	(G_BDE_SKEYBITS/8)
@@ -43,6 +50,8 @@
 #define G_BDE_KKEYLEN	(G_BDE_KKEYBITS/8)
 #define G_BDE_MAXKEYS	4
 #define G_BDE_LOCKSIZE	384
+#define NLOCK_FIELDS	13
+
 
 /* This just needs to be "large enough" */
 #define G_BDE_KEYBYTES	304
@@ -62,6 +71,7 @@ struct g_bde_sector {
 	u_char			malloc;
 	enum {JUNK, IO, VALID}	state;
 	int			error;
+	time_t			used;
 };
 
 struct g_bde_work {
@@ -81,21 +91,31 @@ struct g_bde_work {
 	int			error;
 };
 
+/*
+ * The decrypted contents of the lock sectors.  Notice that this is not
+ * the same as the on-disk layout.  The on-disk layout is dynamic and
+ * dependent on the pass-phrase.
+ */
 struct g_bde_key {
 	uint64_t		sector0;        
-			/* Physical byte offset of first byte used */
+				/* Physical byte offset of 1st byte used */
 	uint64_t		sectorN;
-			/* Physical byte offset of first byte not used */
+				/* Physical byte offset of 1st byte not used */
 	uint64_t		keyoffset;
+				/* Number of bytes the disk image is skewed. */
 	uint64_t		lsector[G_BDE_MAXKEYS];
-			/* Physical offsets */
+				/* Physical byte offsets of lock sectors */
 	uint32_t		sectorsize;
+				/* Our "logical" sector size */
 	uint32_t		flags;
 				/* 1 = lockfile in sector 0 */
-	uint8_t			hash[16];
 	uint8_t			salt[16];
+				/* Used to frustate the kkey generation */
 	uint8_t			spare[32];
+				/* For future use, random contents */
 	uint8_t			mkey[G_BDE_MKEYLEN];
+				/* Our masterkey. */
+
 	/* Non-stored help-fields */
 	uint64_t		zone_width;	/* On-disk width of zone */
 	uint64_t		zone_cont;	/* Payload width of zone */
@@ -114,12 +134,11 @@ struct g_bde_softc {
 	struct mtx		worklist_mutex;
 	struct proc		*thread;
 	struct g_bde_key	key;
-	u_char			arc4_sbox[256];
-	u_char			arc4_i, arc4_j;
 	int			dead;
 	u_int			nwork;
 	u_int			nsect;
 	u_int			ncache;
+	u_char			sha2[SHA512_DIGEST_LENGTH];
 };
 
 /* g_bde_crypt.c */
@@ -133,14 +152,12 @@ int g_bde_get_key(struct g_bde_softc *sc, void *ptr, int len);
 int g_bde_init_keybytes(struct g_bde_softc *sc, char *passp, int len);
 
 /* g_bde_lock .c */
-void g_bde_encode_lock(struct g_bde_key *gl, u_char *ptr);
-void g_bde_decode_lock(struct g_bde_key *gl, u_char *ptr);
-u_char g_bde_arc4(struct g_bde_softc *sc);
-void g_bde_arc4_seq(struct g_bde_softc *sc, void *ptr, u_int len);
-void g_bde_arc4_seed(struct g_bde_softc *sc, const void *ptr, u_int len);
-int g_bde_keyloc_encrypt(struct g_bde_softc *sc, void *input, void *output);
-int g_bde_keyloc_decrypt(struct g_bde_softc *sc, void *input, void *output);
-int g_bde_decrypt_lock(struct g_bde_softc *sc, u_char *sbox, u_char *meta, off_t mediasize, u_int sectorsize, u_int *nkey);
+int g_bde_encode_lock(struct g_bde_softc *sc, struct g_bde_key *gl, u_char *ptr);
+int g_bde_decode_lock(struct g_bde_softc *sc, struct g_bde_key *gl, u_char *ptr);
+int g_bde_keyloc_encrypt(struct g_bde_softc *sc, uint64_t *input, void *output);
+int g_bde_keyloc_decrypt(struct g_bde_softc *sc, void *input, uint64_t *output);
+int g_bde_decrypt_lock(struct g_bde_softc *sc, u_char *keymat, u_char *meta, off_t mediasize, u_int sectorsize, u_int *nkey);
+void g_bde_hash_pass(struct g_bde_softc *sc, const void *input, u_int len);
 
 /* g_bde_math .c */
 uint64_t g_bde_max_sector(struct g_bde_key *lp);
@@ -150,3 +167,45 @@ void g_bde_map_sector(struct g_bde_key *lp, uint64_t isector, uint64_t *osector,
 void g_bde_start1(struct bio *bp);
 void g_bde_worker(void *arg);
 
+/*
+ * These four functions wrap the raw Rijndael functions and make sure we
+ * explode if something fails which shouldn't.
+ */
+
+static __inline void
+AES_init(cipherInstance *ci)
+{
+	int error;
+
+	error = rijndael_cipherInit(ci, MODE_CBC, NULL);
+	KASSERT(error > 0, ("rijndael_cipherInit %d", error));
+}
+
+static __inline void
+AES_makekey(keyInstance *ki, int dir, u_int len, void *key)
+{
+	int error;
+
+	error = rijndael_makeKey(ki, dir, len, key);
+	KASSERT(error > 0, ("rijndael_makeKey %d", error));
+}
+
+static __inline void
+AES_encrypt(cipherInstance *ci, keyInstance *ki, void *in, void *out, u_int len)
+{
+	int error;
+
+	error = rijndael_blockEncrypt(ci, ki, in, len * 8, out);
+	KASSERT(error > 0, ("rijndael_blockEncrypt %d", error));
+}
+
+static __inline void
+AES_decrypt(cipherInstance *ci, keyInstance *ki, void *in, void *out, u_int len)
+{
+	int error;
+
+	error = rijndael_blockDecrypt(ci, ki, in, len * 8, out);
+	KASSERT(error > 0, ("rijndael_blockDecrypt %d", error));
+}
+
+#endif /* _SYS_GEOM_BDE_G_BDE_H_ */