diff options
| author | Niels Provos <provos@cvs.openbsd.org> | 2000-05-27 21:06:09 +0000 |
|---|---|---|
| committer | Niels Provos <provos@cvs.openbsd.org> | 2000-05-27 21:06:09 +0000 |
| commit | c6a434dbf9e014e857d9c15cdb41d3cef68cb651 (patch) | |
| tree | 498dea7a50da714d85b77b39c94238d9414c36f2 | |
| parent | 538ef09e7275008f3e0bbb89e7585d94984b89d8 (diff) | |
use rijndael instead of blowfish because of faster key setup.
break swap paritions into sections, each section has own
encryption key. if a section's key becomes unreferenced, erase it.
| -rw-r--r-- | sys/conf/files | 5 | ||||
| -rw-r--r-- | sys/crypto/rijndael.c | 494 | ||||
| -rw-r--r-- | sys/crypto/rijndael.h | 31 | ||||
| -rw-r--r-- | sys/uvm/uvm.h | 3 | ||||
| -rw-r--r-- | sys/uvm/uvm_swap.c | 100 | ||||
| -rw-r--r-- | sys/uvm/uvm_swap_encrypt.c | 204 | ||||
| -rw-r--r-- | sys/uvm/uvm_swap_encrypt.h | 31 |
7 files changed, 762 insertions, 106 deletions
diff --git a/sys/conf/files b/sys/conf/files index 29f705c950a..86d87d896c5 100644 --- a/sys/conf/files +++ b/sys/conf/files @@ -1,4 +1,4 @@ -# $OpenBSD: files,v 1.162 2000/05/17 18:20:19 mickey Exp $ +# $OpenBSD: files,v 1.163 2000/05/27 21:06:07 provos Exp $ # $NetBSD: files,v 1.87 1996/05/19 17:17:50 jonathan Exp $ # @(#)files.newconf 7.5 (Berkeley) 5/10/93 @@ -237,6 +237,7 @@ file adosfs/adlookup.c adosfs file adosfs/adutil.c adosfs file adosfs/advfsops.c adosfs file adosfs/advnops.c adosfs +file crypto/rijndael.c uvm_swap_encrypt file ddb/db_access.c ddb file ddb/db_aout.c ddb file ddb/db_break.c ddb @@ -532,7 +533,7 @@ file netinet/ip_esp.c inet & ipsec file netinet/ip_ah.c inet & ipsec file crypto/rmd160.c (inet & ipsec) | crypto file crypto/sha1.c (inet & ipsec) | crypto -file crypto/blf.c (inet & ipsec) | crypto | uvm_swap_encrypt +file crypto/blf.c (inet & ipsec) | crypto file crypto/cast.c (inet & ipsec) | crypto file crypto/skipjack.c (inet & ipsec) | crypto file crypto/ecb_enc.c (inet & ipsec) | crypto diff --git a/sys/crypto/rijndael.c b/sys/crypto/rijndael.c new file mode 100644 index 00000000000..242cba31d57 --- /dev/null +++ b/sys/crypto/rijndael.c @@ -0,0 +1,494 @@ + +/* This is an independent implementation of the encryption algorithm: */ +/* */ +/* RIJNDAEL by Joan Daemen and Vincent Rijmen */ +/* */ +/* which is a candidate algorithm in the Advanced Encryption Standard */ +/* programme of the US National Institute of Standards and Technology. */ +/* */ +/* Copyright in this implementation is held by Dr B R Gladman but I */ +/* hereby give permission for its free direct or derivative use subject */ +/* to acknowledgment of its origin and compliance with any conditions */ +/* that the originators of the algorithm place on its exploitation. */ +/* */ +/* Dr Brian Gladman (gladman@seven77.demon.co.uk) 14th January 1999 */ + +/* Timing data for Rijndael (rijndael.c) + +Algorithm: rijndael (rijndael.c) + +128 bit key: +Key Setup: 305/1389 cycles (encrypt/decrypt) +Encrypt: 374 cycles = 68.4 mbits/sec +Decrypt: 352 cycles = 72.7 mbits/sec +Mean: 363 cycles = 70.5 mbits/sec + +192 bit key: +Key Setup: 277/1595 cycles (encrypt/decrypt) +Encrypt: 439 cycles = 58.3 mbits/sec +Decrypt: 425 cycles = 60.2 mbits/sec +Mean: 432 cycles = 59.3 mbits/sec + +256 bit key: +Key Setup: 374/1960 cycles (encrypt/decrypt) +Encrypt: 502 cycles = 51.0 mbits/sec +Decrypt: 498 cycles = 51.4 mbits/sec +Mean: 500 cycles = 51.2 mbits/sec + +*/ + +#include <sys/param.h> +#include <sys/systm.h> + +#include <crypto/rijndael.h> + +void gen_tabs __P((void)); + +/* 3. Basic macros for speeding up generic operations */ + +/* Circular rotate of 32 bit values */ + +#define rotr(x,n) (((x) >> ((int)(n))) | ((x) << (32 - (int)(n)))) +#define rotl(x,n) (((x) << ((int)(n))) | ((x) >> (32 - (int)(n)))) + +/* Invert byte order in a 32 bit variable */ + +#define bswap(x) (rotl(x, 8) & 0x00ff00ff | rotr(x, 8) & 0xff00ff00) + +/* Extract byte from a 32 bit quantity (little endian notation) */ + +#define byte(x,n) ((u1byte)((x) >> (8 * n))) + +#if BYTE_ORDER != LITTLE_ENDIAN +#define BLOCK_SWAP +#endif + +/* For inverting byte order in input/output 32 bit words if needed */ + +#ifdef BLOCK_SWAP +#define BYTE_SWAP +#define WORD_SWAP +#endif + +#ifdef BYTE_SWAP +#define io_swap(x) bswap(x) +#else +#define io_swap(x) (x) +#endif + +/* For inverting the byte order of input/output blocks if needed */ + +#ifdef WORD_SWAP + +#define get_block(x) \ + ((u4byte*)(x))[0] = io_swap(in_blk[3]); \ + ((u4byte*)(x))[1] = io_swap(in_blk[2]); \ + ((u4byte*)(x))[2] = io_swap(in_blk[1]); \ + ((u4byte*)(x))[3] = io_swap(in_blk[0]) + +#define put_block(x) \ + out_blk[3] = io_swap(((u4byte*)(x))[0]); \ + out_blk[2] = io_swap(((u4byte*)(x))[1]); \ + out_blk[1] = io_swap(((u4byte*)(x))[2]); \ + out_blk[0] = io_swap(((u4byte*)(x))[3]) + +#define get_key(x,len) \ + ((u4byte*)(x))[4] = ((u4byte*)(x))[5] = \ + ((u4byte*)(x))[6] = ((u4byte*)(x))[7] = 0; \ + switch((((len) + 63) / 64)) { \ + case 2: \ + ((u4byte*)(x))[0] = io_swap(in_key[3]); \ + ((u4byte*)(x))[1] = io_swap(in_key[2]); \ + ((u4byte*)(x))[2] = io_swap(in_key[1]); \ + ((u4byte*)(x))[3] = io_swap(in_key[0]); \ + break; \ + case 3: \ + ((u4byte*)(x))[0] = io_swap(in_key[5]); \ + ((u4byte*)(x))[1] = io_swap(in_key[4]); \ + ((u4byte*)(x))[2] = io_swap(in_key[3]); \ + ((u4byte*)(x))[3] = io_swap(in_key[2]); \ + ((u4byte*)(x))[4] = io_swap(in_key[1]); \ + ((u4byte*)(x))[5] = io_swap(in_key[0]); \ + break; \ + case 4: \ + ((u4byte*)(x))[0] = io_swap(in_key[7]); \ + ((u4byte*)(x))[1] = io_swap(in_key[6]); \ + ((u4byte*)(x))[2] = io_swap(in_key[5]); \ + ((u4byte*)(x))[3] = io_swap(in_key[4]); \ + ((u4byte*)(x))[4] = io_swap(in_key[3]); \ + ((u4byte*)(x))[5] = io_swap(in_key[2]); \ + ((u4byte*)(x))[6] = io_swap(in_key[1]); \ + ((u4byte*)(x))[7] = io_swap(in_key[0]); \ + } + +#else + +#define get_block(x) \ + ((u4byte*)(x))[0] = io_swap(in_blk[0]); \ + ((u4byte*)(x))[1] = io_swap(in_blk[1]); \ + ((u4byte*)(x))[2] = io_swap(in_blk[2]); \ + ((u4byte*)(x))[3] = io_swap(in_blk[3]) + +#define put_block(x) \ + out_blk[0] = io_swap(((u4byte*)(x))[0]); \ + out_blk[1] = io_swap(((u4byte*)(x))[1]); \ + out_blk[2] = io_swap(((u4byte*)(x))[2]); \ + out_blk[3] = io_swap(((u4byte*)(x))[3]) + +#define get_key(x,len) \ + ((u4byte*)(x))[4] = ((u4byte*)(x))[5] = \ + ((u4byte*)(x))[6] = ((u4byte*)(x))[7] = 0; \ + switch((((len) + 63) / 64)) { \ + case 4: \ + ((u4byte*)(x))[6] = io_swap(in_key[6]); \ + ((u4byte*)(x))[7] = io_swap(in_key[7]); \ + case 3: \ + ((u4byte*)(x))[4] = io_swap(in_key[4]); \ + ((u4byte*)(x))[5] = io_swap(in_key[5]); \ + case 2: \ + ((u4byte*)(x))[0] = io_swap(in_key[0]); \ + ((u4byte*)(x))[1] = io_swap(in_key[1]); \ + ((u4byte*)(x))[2] = io_swap(in_key[2]); \ + ((u4byte*)(x))[3] = io_swap(in_key[3]); \ + } + +#endif + +#define LARGE_TABLES + +u1byte pow_tab[256]; +u1byte log_tab[256]; +u1byte sbx_tab[256]; +u1byte isb_tab[256]; +u4byte rco_tab[ 10]; +u4byte ft_tab[4][256]; +u4byte it_tab[4][256]; + +#ifdef LARGE_TABLES + u4byte fl_tab[4][256]; + u4byte il_tab[4][256]; +#endif + +u4byte tab_gen = 0; + +#define ff_mult(a,b) (a && b ? pow_tab[(log_tab[a] + log_tab[b]) % 255] : 0) + +#define f_rn(bo, bi, n, k) \ + bo[n] = ft_tab[0][byte(bi[n],0)] ^ \ + ft_tab[1][byte(bi[(n + 1) & 3],1)] ^ \ + ft_tab[2][byte(bi[(n + 2) & 3],2)] ^ \ + ft_tab[3][byte(bi[(n + 3) & 3],3)] ^ *(k + n) + +#define i_rn(bo, bi, n, k) \ + bo[n] = it_tab[0][byte(bi[n],0)] ^ \ + it_tab[1][byte(bi[(n + 3) & 3],1)] ^ \ + it_tab[2][byte(bi[(n + 2) & 3],2)] ^ \ + it_tab[3][byte(bi[(n + 1) & 3],3)] ^ *(k + n) + +#ifdef LARGE_TABLES + +#define ls_box(x) \ + ( fl_tab[0][byte(x, 0)] ^ \ + fl_tab[1][byte(x, 1)] ^ \ + fl_tab[2][byte(x, 2)] ^ \ + fl_tab[3][byte(x, 3)] ) + +#define f_rl(bo, bi, n, k) \ + bo[n] = fl_tab[0][byte(bi[n],0)] ^ \ + fl_tab[1][byte(bi[(n + 1) & 3],1)] ^ \ + fl_tab[2][byte(bi[(n + 2) & 3],2)] ^ \ + fl_tab[3][byte(bi[(n + 3) & 3],3)] ^ *(k + n) + +#define i_rl(bo, bi, n, k) \ + bo[n] = il_tab[0][byte(bi[n],0)] ^ \ + il_tab[1][byte(bi[(n + 3) & 3],1)] ^ \ + il_tab[2][byte(bi[(n + 2) & 3],2)] ^ \ + il_tab[3][byte(bi[(n + 1) & 3],3)] ^ *(k + n) + +#else + +#define ls_box(x) \ + ((u4byte)sbx_tab[byte(x, 0)] << 0) ^ \ + ((u4byte)sbx_tab[byte(x, 1)] << 8) ^ \ + ((u4byte)sbx_tab[byte(x, 2)] << 16) ^ \ + ((u4byte)sbx_tab[byte(x, 3)] << 24) + +#define f_rl(bo, bi, n, k) \ + bo[n] = (u4byte)sbx_tab[byte(bi[n],0)] ^ \ + rotl(((u4byte)sbx_tab[byte(bi[(n + 1) & 3],1)]), 8) ^ \ + rotl(((u4byte)sbx_tab[byte(bi[(n + 2) & 3],2)]), 16) ^ \ + rotl(((u4byte)sbx_tab[byte(bi[(n + 3) & 3],3)]), 24) ^ *(k + n) + +#define i_rl(bo, bi, n, k) \ + bo[n] = (u4byte)isb_tab[byte(bi[n],0)] ^ \ + rotl(((u4byte)isb_tab[byte(bi[(n + 3) & 3],1)]), 8) ^ \ + rotl(((u4byte)isb_tab[byte(bi[(n + 2) & 3],2)]), 16) ^ \ + rotl(((u4byte)isb_tab[byte(bi[(n + 1) & 3],3)]), 24) ^ *(k + n) + +#endif + +void +gen_tabs(void) +{ + u4byte i, t; + u1byte p, q; + + /* log and power tables for GF(2**8) finite field with */ + /* 0x11b as modular polynomial - the simplest prmitive */ + /* root is 0x11, used here to generate the tables */ + + for(i = 0,p = 1; i < 256; ++i) { + pow_tab[i] = (u1byte)p; log_tab[p] = (u1byte)i; + + p = p ^ (p << 1) ^ (p & 0x80 ? 0x01b : 0); + } + + log_tab[1] = 0; p = 1; + + for(i = 0; i < 10; ++i) { + rco_tab[i] = p; + + p = (p << 1) ^ (p & 0x80 ? 0x1b : 0); + } + + /* note that the affine byte transformation matrix in */ + /* rijndael specification is in big endian format with */ + /* bit 0 as the most significant bit. In the remainder */ + /* of the specification the bits are numbered from the */ + /* least significant end of a byte. */ + + for(i = 0; i < 256; ++i) { + p = (i ? pow_tab[255 - log_tab[i]] : 0); q = p; + q = (q >> 7) | (q << 1); p ^= q; + q = (q >> 7) | (q << 1); p ^= q; + q = (q >> 7) | (q << 1); p ^= q; + q = (q >> 7) | (q << 1); p ^= q ^ 0x63; + sbx_tab[i] = (u1byte)p; isb_tab[p] = (u1byte)i; + } + + for(i = 0; i < 256; ++i) { + p = sbx_tab[i]; + +#ifdef LARGE_TABLES + + t = p; fl_tab[0][i] = t; + fl_tab[1][i] = rotl(t, 8); + fl_tab[2][i] = rotl(t, 16); + fl_tab[3][i] = rotl(t, 24); +#endif + t = ((u4byte)ff_mult(2, p)) | + ((u4byte)p << 8) | + ((u4byte)p << 16) | + ((u4byte)ff_mult(3, p) << 24); + + ft_tab[0][i] = t; + ft_tab[1][i] = rotl(t, 8); + ft_tab[2][i] = rotl(t, 16); + ft_tab[3][i] = rotl(t, 24); + + p = isb_tab[i]; + +#ifdef LARGE_TABLES + + t = p; il_tab[0][i] = t; + il_tab[1][i] = rotl(t, 8); + il_tab[2][i] = rotl(t, 16); + il_tab[3][i] = rotl(t, 24); +#endif + t = ((u4byte)ff_mult(14, p)) | + ((u4byte)ff_mult( 9, p) << 8) | + ((u4byte)ff_mult(13, p) << 16) | + ((u4byte)ff_mult(11, p) << 24); + + it_tab[0][i] = t; + it_tab[1][i] = rotl(t, 8); + it_tab[2][i] = rotl(t, 16); + it_tab[3][i] = rotl(t, 24); + } + + tab_gen = 1; +}; + +#define star_x(x) (((x) & 0x7f7f7f7f) << 1) ^ ((((x) & 0x80808080) >> 7) * 0x1b) + +#define imix_col(y,x) \ + u = star_x(x); \ + v = star_x(u); \ + w = star_x(v); \ + t = w ^ (x); \ + (y) = u ^ v ^ w; \ + (y) ^= rotr(u ^ t, 8) ^ \ + rotr(v ^ t, 16) ^ \ + rotr(t,24) + +/* initialise the key schedule from the user supplied key */ + +#define loop4(i) \ +{ t = ls_box(rotr(t, 8)) ^ rco_tab[i]; \ + t ^= e_key[4 * i]; e_key[4 * i + 4] = t; \ + t ^= e_key[4 * i + 1]; e_key[4 * i + 5] = t; \ + t ^= e_key[4 * i + 2]; e_key[4 * i + 6] = t; \ + t ^= e_key[4 * i + 3]; e_key[4 * i + 7] = t; \ +} + +#define loop6(i) \ +{ t = ls_box(rotr(t, 8)) ^ rco_tab[i]; \ + t ^= e_key[6 * i]; e_key[6 * i + 6] = t; \ + t ^= e_key[6 * i + 1]; e_key[6 * i + 7] = t; \ + t ^= e_key[6 * i + 2]; e_key[6 * i + 8] = t; \ + t ^= e_key[6 * i + 3]; e_key[6 * i + 9] = t; \ + t ^= e_key[6 * i + 4]; e_key[6 * i + 10] = t; \ + t ^= e_key[6 * i + 5]; e_key[6 * i + 11] = t; \ +} + +#define loop8(i) \ +{ t = ls_box(rotr(t, 8)) ^ rco_tab[i]; \ + t ^= e_key[8 * i]; e_key[8 * i + 8] = t; \ + t ^= e_key[8 * i + 1]; e_key[8 * i + 9] = t; \ + t ^= e_key[8 * i + 2]; e_key[8 * i + 10] = t; \ + t ^= e_key[8 * i + 3]; e_key[8 * i + 11] = t; \ + t = e_key[8 * i + 4] ^ ls_box(t); \ + e_key[8 * i + 12] = t; \ + t ^= e_key[8 * i + 5]; e_key[8 * i + 13] = t; \ + t ^= e_key[8 * i + 6]; e_key[8 * i + 14] = t; \ + t ^= e_key[8 * i + 7]; e_key[8 * i + 15] = t; \ +} + +rijndael_ctx * +rijndael_set_key(rijndael_ctx *ctx, const u4byte *in_key, const u4byte key_len, + int encrypt) +{ + u4byte i, t, u, v, w; + u4byte *e_key = ctx->e_key; + u4byte *d_key = ctx->d_key; + + ctx->decrypt = !encrypt; + + if(!tab_gen) + gen_tabs(); + + ctx->k_len = (key_len + 31) / 32; + + e_key[0] = in_key[0]; e_key[1] = in_key[1]; + e_key[2] = in_key[2]; e_key[3] = in_key[3]; + + switch(ctx->k_len) { + case 4: t = e_key[3]; + for(i = 0; i < 10; ++i) + loop4(i); + break; + + case 6: e_key[4] = in_key[4]; t = e_key[5] = in_key[5]; + for(i = 0; i < 8; ++i) + loop6(i); + break; + + case 8: e_key[4] = in_key[4]; e_key[5] = in_key[5]; + e_key[6] = in_key[6]; t = e_key[7] = in_key[7]; + for(i = 0; i < 7; ++i) + loop8(i); + break; + } + + if (!encrypt) { + d_key[0] = e_key[0]; d_key[1] = e_key[1]; + d_key[2] = e_key[2]; d_key[3] = e_key[3]; + + for(i = 4; i < 4 * ctx->k_len + 24; ++i) { + imix_col(d_key[i], e_key[i]); + } + } + + return ctx; +}; + +/* encrypt a block of text */ + +#define f_nround(bo, bi, k) \ + f_rn(bo, bi, 0, k); \ + f_rn(bo, bi, 1, k); \ + f_rn(bo, bi, 2, k); \ + f_rn(bo, bi, 3, k); \ + k += 4 + +#define f_lround(bo, bi, k) \ + f_rl(bo, bi, 0, k); \ + f_rl(bo, bi, 1, k); \ + f_rl(bo, bi, 2, k); \ + f_rl(bo, bi, 3, k) + +void +rijndael_encrypt(rijndael_ctx *ctx, const u4byte *in_blk, u4byte *out_blk) +{ + u4byte k_len = ctx->k_len; + u4byte *e_key = ctx->e_key; + u4byte b0[4], b1[4], *kp; + + b0[0] = in_blk[0] ^ e_key[0]; b0[1] = in_blk[1] ^ e_key[1]; + b0[2] = in_blk[2] ^ e_key[2]; b0[3] = in_blk[3] ^ e_key[3]; + + kp = e_key + 4; + + if(k_len > 6) { + f_nround(b1, b0, kp); f_nround(b0, b1, kp); + } + + if(k_len > 4) { + f_nround(b1, b0, kp); f_nround(b0, b1, kp); + } + + f_nround(b1, b0, kp); f_nround(b0, b1, kp); + f_nround(b1, b0, kp); f_nround(b0, b1, kp); + f_nround(b1, b0, kp); f_nround(b0, b1, kp); + f_nround(b1, b0, kp); f_nround(b0, b1, kp); + f_nround(b1, b0, kp); f_lround(b0, b1, kp); + + out_blk[0] = b0[0]; out_blk[1] = b0[1]; + out_blk[2] = b0[2]; out_blk[3] = b0[3]; +}; + +/* decrypt a block of text */ + +#define i_nround(bo, bi, k) \ + i_rn(bo, bi, 0, k); \ + i_rn(bo, bi, 1, k); \ + i_rn(bo, bi, 2, k); \ + i_rn(bo, bi, 3, k); \ + k -= 4 + +#define i_lround(bo, bi, k) \ + i_rl(bo, bi, 0, k); \ + i_rl(bo, bi, 1, k); \ + i_rl(bo, bi, 2, k); \ + i_rl(bo, bi, 3, k) + +void +rijndael_decrypt(rijndael_ctx *ctx, const u4byte *in_blk, u4byte *out_blk) +{ + u4byte b0[4], b1[4], *kp; + u4byte k_len = ctx->k_len; + u4byte *e_key = ctx->e_key; + u4byte *d_key = ctx->d_key; + + b0[0] = in_blk[0] ^ e_key[4 * k_len + 24]; b0[1] = in_blk[1] ^ e_key[4 * k_len + 25]; + b0[2] = in_blk[2] ^ e_key[4 * k_len + 26]; b0[3] = in_blk[3] ^ e_key[4 * k_len + 27]; + + kp = d_key + 4 * (k_len + 5); + + if(k_len > 6) { + i_nround(b1, b0, kp); i_nround(b0, b1, kp); + } + + if(k_len > 4) { + i_nround(b1, b0, kp); i_nround(b0, b1, kp); + } + + i_nround(b1, b0, kp); i_nround(b0, b1, kp); + i_nround(b1, b0, kp); i_nround(b0, b1, kp); + i_nround(b1, b0, kp); i_nround(b0, b1, kp); + i_nround(b1, b0, kp); i_nround(b0, b1, kp); + i_nround(b1, b0, kp); i_lround(b0, b1, kp); + + out_blk[0] = b0[0]; out_blk[1] = b0[1]; + out_blk[2] = b0[2]; out_blk[3] = b0[3]; +}; diff --git a/sys/crypto/rijndael.h b/sys/crypto/rijndael.h new file mode 100644 index 00000000000..c13f18c9590 --- /dev/null +++ b/sys/crypto/rijndael.h @@ -0,0 +1,31 @@ +#ifndef _RIJNDAEL_H_ +#define _RIJNDAEL_H_ + +/* 1. Standard types for AES cryptography source code */ + +typedef u_int8_t u1byte; /* an 8 bit unsigned character type */ +typedef u_int16_t u2byte; /* a 16 bit unsigned integer type */ +typedef u_int32_t u4byte; /* a 32 bit unsigned integer type */ + +typedef int8_t s1byte; /* an 8 bit signed character type */ +typedef int16_t s2byte; /* a 16 bit signed integer type */ +typedef int32_t s4byte; /* a 32 bit signed integer type */ + +typedef struct _rijndael_ctx { + u4byte k_len; + int decrypt; + u4byte e_key[64]; + u4byte d_key[64]; +} rijndael_ctx; + + +/* 2. Standard interface for AES cryptographic routines */ + +/* These are all based on 32 bit unsigned values and will therefore */ +/* require endian conversions for big-endian architectures */ + +rijndael_ctx *rijndael_set_key __P((rijndael_ctx *, const u4byte *, u4byte, int)); +void rijndael_encrypt __P((rijndael_ctx *, const u4byte *, u4byte *)); +void rijndael_decrypt __P((rijndael_ctx *, const u4byte *, u4byte *)); + +#endif /* _RIJNDAEL_H_ */ diff --git a/sys/uvm/uvm.h b/sys/uvm/uvm.h index 6cdb784715f..dde898ab7c2 100644 --- a/sys/uvm/uvm.h +++ b/sys/uvm/uvm.h @@ -57,6 +57,9 @@ #include <uvm/uvm_pager.h> #include <uvm/uvm_pdaemon.h> #include <uvm/uvm_swap.h> +#ifdef UVM_SWAP_ENCRYPT +#include <uvm/uvm_swap_encrypt.h> +#endif /* * pull in VM_NFREELIST diff --git a/sys/uvm/uvm_swap.c b/sys/uvm/uvm_swap.c index ae519285c46..00f8789b829 100644 --- a/sys/uvm/uvm_swap.c +++ b/sys/uvm/uvm_swap.c @@ -53,7 +53,7 @@ #include <uvm/uvm.h> #ifdef UVM_SWAP_ENCRYPT -#include <uvm/uvm_swap_encrypt.h> +#include <sys/syslog.h> #endif #include <miscfs/specfs/specdev.h> @@ -154,6 +154,9 @@ struct swapdev { struct ucred *swd_cred; /* cred for file access */ #endif #ifdef UVM_SWAP_ENCRYPT +#define SWD_KEY_SHIFT 7 /* One key per 0.5 MByte */ +#define SWD_KEY(x,y) &((x)->swd_keys[((y) - (x)->swd_drumoffset) >> SWD_KEY_SHIFT]) + #define SWD_DCRYPT_SHIFT 5 #define SWD_DCRYPT_BITS 32 #define SWD_DCRYPT_MASK (SWD_DCRYPT_BITS - 1) @@ -161,6 +164,8 @@ struct swapdev { #define SWD_DCRYPT_BIT(x) ((x) & SWD_DCRYPT_MASK) #define SWD_DCRYPT_SIZE(x) (SWD_DCRYPT_OFF((x) + SWD_DCRYPT_MASK) * sizeof(u_int32_t)) u_int32_t *swd_decrypt; /* bitmap for decryption */ + struct swap_key *swd_keys; /* keys for different parts */ + int swd_nkeys; /* active keys */ #endif }; @@ -390,6 +395,10 @@ uvm_swap_initcrypt(struct swapdev *sdp, int npages) */ sdp->swd_decrypt = malloc(SWD_DCRYPT_SIZE(npages), M_VMSWAP, M_WAITOK); bzero(sdp->swd_decrypt, SWD_DCRYPT_SIZE(npages)); + sdp->swd_keys = malloc((npages >> SWD_KEY_SHIFT) * sizeof(struct swap_key), + M_VMSWAP, M_WAITOK); + bzero(sdp->swd_keys, (npages >> SWD_KEY_SHIFT) * sizeof(struct swap_key)); + sdp->swd_nkeys = 0; } boolean_t @@ -1247,8 +1256,11 @@ swap_off(p, sdp) return ENODEV; #ifdef UVM_SWAP_ENCRYPT - if (sdp->swd_decrypt) + if (sdp->swd_decrypt) { free(sdp->swd_decrypt); + bzero(sdp->swd_keys, (sdp->swd_npages >> SWD_KEY_SHIFT) * sizeof(struct swap_key)); + free(sdp->swd_keys); + } #endif extent_free(swapmap, sdp->swd_mapoffset, sdp->swd_mapsize, EX_WAITOK); name = sdp->swd_ex->ex_name; @@ -1826,6 +1838,20 @@ uvm_swap_free(startslot, nslots) if (sdp->swd_npginuse < 0) panic("uvm_swap_free: inuse < 0"); #endif +#ifdef UVM_SWAP_ENCRYPT + { + int i; + if (swap_encrypt_initalized) { + /* Dereference keys */ + for (i = 0; i < nslots; i++) + if (uvm_swap_needdecrypt(sdp, startslot + i)) + SWAP_KEY_PUT(sdp, SWD_KEY(sdp, startslot + i)); + + /* Mark range as not decrypt */ + uvm_swap_markdecrypt(sdp, startslot, nslots, 0); + } + } +#endif UVM_SWAP_ENCRYPT simple_unlock(&uvm.swap_data_lock); } @@ -1937,14 +1963,7 @@ uvm_swap_io(pps, startslot, npages, flags) return (VM_PAGER_AGAIN); #ifdef UVM_SWAP_ENCRYPT - /* - * encrypt to swap - */ if ((flags & B_READ) == 0) { - int i, opages; - caddr_t src, dst; - u_int64_t block; - /* * Check if we need to do swap encryption on old pages. * Later we need a different scheme, that swap encrypts @@ -1953,8 +1972,31 @@ uvm_swap_io(pps, startslot, npages, flags) * in the cluster, and avoid the memory overheard in * swapping. */ - if (!uvm_doswapencrypt) - goto noswapencrypt; + if (uvm_doswapencrypt) + encrypt = 1; + } + + if (swap_encrypt_initalized || encrypt) { + /* + * we need to know the swap device that we are swapping to/from + * to see if the pages need to be marked for decryption or + * actually need to be decrypted. + * XXX - does this information stay the same over the whole + * execution of this function? + */ + simple_lock(&uvm.swap_data_lock); + sdp = swapdrum_getsdp(startslot); + simple_unlock(&uvm.swap_data_lock); + } + + /* + * encrypt to swap + */ + if ((flags & B_READ) == 0 && encrypt) { + int i, opages; + caddr_t src, dst; + struct swap_key *key; + u_int64_t block; if (!uvm_swap_allocpages(tpps, npages)) { uvm_pagermapout(kva, npages); @@ -1972,9 +2014,12 @@ uvm_swap_io(pps, startslot, npages, flags) dst = (caddr_t) dstkva; block = startblk; for (i = 0; i < npages; i++) { + key = SWD_KEY(sdp, startslot + i); + SWAP_KEY_GET(sdp, key); /* add reference */ + /* mark for async writes */ tpps[i]->pqflags |= PQ_ENCRYPT; - swap_encrypt(src, dst, block, 1 << PAGE_SHIFT); + swap_encrypt(key, src, dst, block, 1 << PAGE_SHIFT); src += 1 << PAGE_SHIFT; dst += 1 << PAGE_SHIFT; block += btodb(1 << PAGE_SHIFT); @@ -1988,9 +2033,6 @@ uvm_swap_io(pps, startslot, npages, flags) PGO_PDFREECLUST, 0); kva = dstkva; - - encrypt = 1; - noswapencrypt: } #endif /* UVM_SWAP_ENCRYPT */ @@ -2011,7 +2053,12 @@ uvm_swap_io(pps, startslot, npages, flags) if (sbp == NULL) { #ifdef UVM_SWAP_ENCRYPT if ((flags & B_READ) == 0 && encrypt) { + int i; + /* swap encrypt needs cleanup */ + for (i = 0; i < npages; i++) + SWAP_KEY_PUT(sdp, SWD_KEY(sdp, startslot + i)); + uvm_pagermapout(kva, npages); uvm_swap_freepages(tpps, npages); } @@ -2050,21 +2097,6 @@ uvm_swap_io(pps, startslot, npages, flags) bp->b_dev = swapdev_vp->v_rdev; bp->b_bcount = npages << PAGE_SHIFT; -#ifdef UVM_SWAP_ENCRYPT - if (swap_encrypt_initalized) { - /* - * we need to know the swap device that we are swapping to/from - * to see if the pages need to be marked for decryption or - * actually need to be decrypted. - * XXX - does this information stay the same over the whole - * execution of this function? - */ - simple_lock(&uvm.swap_data_lock); - sdp = swapdrum_getsdp(startslot); - simple_unlock(&uvm.swap_data_lock); - } -#endif - /* * for pageouts we must set "dirtyoff" [NFS client code needs it]. * and we bump v_numoutput (counter of number of active outputs). @@ -2121,11 +2153,15 @@ uvm_swap_io(pps, startslot, npages, flags) int i; caddr_t data = bp->b_data; u_int64_t block = startblk; + struct swap_key *key = NULL; + for (i = 0; i < npages; i++) { /* Check if we need to decrypt */ - if (uvm_swap_needdecrypt(sdp, startslot + i)) - swap_decrypt(data, data, block, + if (uvm_swap_needdecrypt(sdp, startslot + i)) { + key = SWD_KEY(sdp, startslot + i); + swap_decrypt(key, data, data, block, 1 << PAGE_SHIFT); + } data += 1 << PAGE_SHIFT; block += btodb(1 << PAGE_SHIFT); } diff --git a/sys/uvm/uvm_swap_encrypt.c b/sys/uvm/uvm_swap_encrypt.c index c995bef8240..97fefd244f2 100644 --- a/sys/uvm/uvm_swap_encrypt.c +++ b/sys/uvm/uvm_swap_encrypt.c @@ -30,34 +30,47 @@ #include <sys/param.h> #include <sys/systm.h> +#include <sys/kernel.h> +#include <sys/malloc.h> +#include <sys/time.h> #include <dev/rndvar.h> -#include <crypto/blf.h> +#include <crypto/rijndael.h> -#include <uvm/uvm_swap_encrypt.h> +#include <vm/vm.h> +#include <vm/vm_conf.h> -blf_ctx swap_key; +#include <uvm/uvm.h> + +struct swap_key *kcur = NULL; +rijndael_ctx swap_key; int uvm_doswapencrypt = 0; -int swap_encrypt_initalized = 0; +u_int uvm_swpkeyscreated = 0; +u_int uvm_swpkeysdeleted = 0; -/* - * Initalize the key from the kernel random number generator. This is - * done once on startup. - */ +int swap_encrypt_initalized = 0; void -swap_encrypt_init(caddr_t data, size_t len) +swap_key_create(struct swap_key *key) { int i; - u_int32_t *key = (u_int32_t *)data; + u_int32_t *p = key->key; - if (swap_encrypt_initalized) - return; + key->refcount = 0; + for (i = 0; i < sizeof(key->key) / sizeof(u_int32_t); i++) + *p++ = arc4random(); + + uvm_swpkeyscreated++; +} - for (i = 0; i < len / sizeof(u_int32_t); i++) - *key++ = arc4random(); +void +swap_key_delete(struct swap_key *key) +{ + /* Make sure that this key gets removed if we just used it */ + swap_key_cleanup(key); - swap_encrypt_initalized = 1; + bzero(key, sizeof(*key)); + uvm_swpkeysdeleted++; } /* @@ -66,34 +79,43 @@ swap_encrypt_init(caddr_t data, size_t len) */ void -swap_encrypt(caddr_t src, caddr_t dst, u_int64_t block, size_t count) +swap_encrypt(struct swap_key *key, caddr_t src, caddr_t dst, + u_int64_t block, size_t count) { - u_int32_t *dsrc = (u_int32_t *)src; - u_int32_t *ddst = (u_int32_t *)dst; - u_int32_t iv[2]; - u_int32_t iv1, iv2; - - if (!swap_encrypt_initalized) - swap_encrypt_init((caddr_t)&swap_key, sizeof(swap_key)); - - count /= sizeof(u_int32_t); - - iv[0] = block >> 32; iv[1] = block; - Blowfish_encipher(&swap_key, iv); - iv1 = iv[0]; iv2 = iv[1]; - for (; count > 0; count -= 2) { - ddst[0] = dsrc[0] ^ iv1; - ddst[1] = dsrc[1] ^ iv2; - /* - * Do not worry about endianess, it only needs to decrypt on this machine - */ - Blowfish_encipher(&swap_key, ddst); - iv1 = ddst[0]; - iv2 = ddst[1]; - - dsrc += 2; - ddst += 2; - } + u_int32_t *dsrc = (u_int32_t *)src; + u_int32_t *ddst = (u_int32_t *)dst; + u_int32_t iv[4]; + u_int32_t iv1, iv2, iv3, iv4; + + if (!swap_encrypt_initalized) + swap_encrypt_initalized = 1; + + swap_key_prepare(key, 1); + + count /= sizeof(u_int32_t); + + iv[0] = block >> 32; iv[1] = block; iv[2] = ~iv[0]; iv[3] = ~iv[1]; + rijndael_encrypt(&swap_key, iv, iv); + iv1 = iv[0]; iv2 = iv[1]; iv3 = iv[2]; iv4 = iv[3]; + + for (; count > 0; count -= 4) { + ddst[0] = dsrc[0] ^ iv1; + ddst[1] = dsrc[1] ^ iv2; + ddst[2] = dsrc[2] ^ iv3; + ddst[3] = dsrc[3] ^ iv4; + /* + * Do not worry about endianess, it only needs to decrypt + * on this machine + */ + rijndael_encrypt(&swap_key, ddst, ddst); + iv1 = ddst[0]; + iv2 = ddst[1]; + iv3 = ddst[2]; + iv4 = ddst[3]; + + dsrc += 4; + ddst += 4; + } } /* @@ -102,32 +124,76 @@ swap_encrypt(caddr_t src, caddr_t dst, u_int64_t block, size_t count) */ void -swap_decrypt(caddr_t src, caddr_t dst, u_int64_t block, size_t count) +swap_decrypt(struct swap_key *key, caddr_t src, caddr_t dst, + u_int64_t block, size_t count) +{ + u_int32_t *dsrc = (u_int32_t *)src; + u_int32_t *ddst = (u_int32_t *)dst; + u_int32_t iv[4]; + u_int32_t iv1, iv2, iv3, iv4, niv1, niv2, niv3, niv4; + + if (!swap_encrypt_initalized) + panic("swap_decrypt: key not initalized"); + + swap_key_prepare(key, 0); + + count /= sizeof(u_int32_t); + + iv[0] = block >> 32; iv[1] = block; iv[2] = ~iv[0]; iv[3] = ~iv[1]; + rijndael_encrypt(&swap_key, iv, iv); + iv1 = iv[0]; iv2 = iv[1]; iv3 = iv[2]; iv4 = iv[3]; + + for (; count > 0; count -= 4) { + ddst[0] = niv1 = dsrc[0]; + ddst[1] = niv2 = dsrc[1]; + ddst[2] = niv3 = dsrc[2]; + ddst[3] = niv4 = dsrc[3]; + rijndael_decrypt(&swap_key, ddst, ddst); + ddst[0] ^= iv1; + ddst[1] ^= iv2; + ddst[2] ^= iv3; + ddst[3] ^= iv4; + + iv1 = niv1; + iv2 = niv2; + iv3 = niv3; + iv4 = niv4; + + dsrc += 4; + ddst += 4; + } +} + +void +swap_key_prepare(struct swap_key *key, int encrypt) { - u_int32_t *dsrc = (u_int32_t *)src; - u_int32_t *ddst = (u_int32_t *)dst; - u_int32_t iv[2]; - u_int32_t iv1, iv2, niv1, niv2; - - if (!swap_encrypt_initalized) - panic("swap_decrypt: key not initalized"); - - count /= sizeof(u_int32_t); - - iv[0] = block >> 32; iv[1] = block; - Blowfish_encipher(&swap_key, iv); - iv1 = iv[0]; iv2 = iv[1]; - for (; count > 0; count -= 2) { - ddst[0] = niv1 = dsrc[0]; - ddst[1] = niv2 = dsrc[1]; - Blowfish_decipher(&swap_key, ddst); - ddst[0] ^= iv1; - ddst[1] ^= iv2; - - iv1 = niv1; - iv2 = niv2; - - dsrc += 2; - ddst += 2; - } + /* Check if we have prepared for this key already, + * if we only have the encryption schedule, we have + * to recompute ang get the decryption schedule also + */ + if (kcur == key && (encrypt || swap_key.decrypt)) + return; + + rijndael_set_key(&swap_key, key->key, + sizeof(key->key) * 8, + encrypt); + + kcur = key; +} + +/* + * Make sure that a specific key is no longer available. + */ + +void +swap_key_cleanup(struct swap_key *key) +{ + /* Check if we have a key */ + if (kcur == NULL || kcur != key) + return; + + /* Zero out the subkeys */ + bzero(&swap_key, sizeof(swap_key)); + + kcur = NULL; } diff --git a/sys/uvm/uvm_swap_encrypt.h b/sys/uvm/uvm_swap_encrypt.h index 1eb03550158..842cfa5b381 100644 --- a/sys/uvm/uvm_swap_encrypt.h +++ b/sys/uvm/uvm_swap_encrypt.h @@ -31,11 +31,36 @@ #ifndef _UVM_SWAP_ENCRYPT_H #define _UVM_SWAP_ENCRYPT_H -void swap_encrypt_init __P((caddr_t, size_t)); -void swap_encrypt __P((caddr_t, caddr_t, u_int64_t, size_t)); -void swap_decrypt __P((caddr_t, caddr_t, u_int64_t, size_t)); +#define SWAP_KEY_EXPIRE (120 /*60 * 60*/) /* time after that keys expire */ +#define SWAP_KEY_SIZE 4 /* 128-bit keys */ + +struct swap_key { + u_int32_t key[SWAP_KEY_SIZE]; /* secret key for swap range */ + u_int16_t refcount; /* pages that still need it */ +}; + +void swap_encrypt __P((struct swap_key *,caddr_t, caddr_t, u_int64_t, size_t)); +void swap_decrypt __P((struct swap_key *,caddr_t, caddr_t, u_int64_t, size_t)); + +void swap_key_cleanup __P((struct swap_key *)); +void swap_key_prepare __P((struct swap_key *, int)); + +#define SWAP_KEY_GET(s,x) do { if ((x)->refcount == 0) {\ + swap_key_create(x); \ + } \ + (x)->refcount++; } while(0); +#define SWAP_KEY_PUT(s,x) do { (x)->refcount--; \ + if ((x)->refcount == 0) { \ + swap_key_delete(x); \ + } \ + } while(0); + +void swap_key_create __P((struct swap_key *)); +void swap_key_delete __P((struct swap_key *)); extern int uvm_doswapencrypt; /* swapencrypt enabled/disabled */ +extern int uvm_swprekeyprint; +extern u_int uvm_swpkeyexpire; /* expiry time for keys (tR) */ extern int swap_encrypt_initalized; #endif /* _UVM_SWAP_ENCRYPT_H */ |