From owner-p4-projects@FreeBSD.ORG  Thu Oct 22 10:33:30 2009
Return-Path: <owner-p4-projects@FreeBSD.ORG>
Delivered-To: p4-projects@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 32767)
	id 9A83E1065679; Thu, 22 Oct 2009 10:33:30 +0000 (UTC)
Delivered-To: perforce@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 46DA8106568D
	for <perforce@FreeBSD.org>; Thu, 22 Oct 2009 10:33:30 +0000 (UTC)
	(envelope-from gk@FreeBSD.org)
Received: from repoman.freebsd.org (repoman.freebsd.org
	[IPv6:2001:4f8:fff6::29])
	by mx1.freebsd.org (Postfix) with ESMTP id 33EAA8FC13
	for <perforce@FreeBSD.org>; Thu, 22 Oct 2009 10:33:30 +0000 (UTC)
Received: from repoman.freebsd.org (localhost [127.0.0.1])
	by repoman.freebsd.org (8.14.3/8.14.3) with ESMTP id n9MAXTmD095897
	for <perforce@FreeBSD.org>; Thu, 22 Oct 2009 10:33:29 GMT
	(envelope-from gk@FreeBSD.org)
Received: (from perforce@localhost)
	by repoman.freebsd.org (8.14.3/8.14.3/Submit) id n9MAXTLd095895
	for perforce@freebsd.org; Thu, 22 Oct 2009 10:33:29 GMT
	(envelope-from gk@FreeBSD.org)
Date: Thu, 22 Oct 2009 10:33:29 GMT
Message-Id: <200910221033.n9MAXTLd095895@repoman.freebsd.org>
X-Authentication-Warning: repoman.freebsd.org: perforce set sender to
	gk@FreeBSD.org using -f
From: Gleb Kurtsou <gk@FreeBSD.org>
To: Perforce Change Reviews <perforce@FreeBSD.org>
Precedence: bulk
Cc: 
Subject: PERFORCE change 169676 for review
X-BeenThere: p4-projects@freebsd.org
X-Mailman-Version: 2.1.5
List-Id: p4 projects tree changes <p4-projects.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/p4-projects>,
	<mailto:p4-projects-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/p4-projects>
List-Post: <mailto:p4-projects@freebsd.org>
List-Help: <mailto:p4-projects-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/p4-projects>,
	<mailto:p4-projects-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Oct 2009 10:33:30 -0000

http://p4web.freebsd.org/chv.cgi?CH=169676

Change 169676 by gk@gk_h1 on 2009/10/22 10:33:29

	more strictly follow hkdf and vmac specifications
	commit breaks compatibility
	remove random magic constants
	reuse first encrypted name block as a nonce for vmac
	handle name alignment
	add 'salsa20' alias for 'salsa20-256'

Affected files ...

.. //depot/projects/soc2009/gk_pefs/sbin/pefs/pefs_key.c#10 edit
.. //depot/projects/soc2009/gk_pefs/sys/fs/pefs/pefs_crypto.c#18 edit

Differences ...

==== //depot/projects/soc2009/gk_pefs/sbin/pefs/pefs_key.c#10 (text+ko) ====

@@ -72,6 +72,7 @@
 	{ "camellia256-ctr", PEFS_ALG_CAMELLIA_CTR, 256 },
 	{ "camellia256", PEFS_ALG_CAMELLIA_CTR, 256 },
 	{ "salsa20-256", PEFS_ALG_SALSA20, 256 },
+	{ "salsa20", PEFS_ALG_SALSA20, 256 },
 	{ NULL, 0, 0 },
 };
 

==== //depot/projects/soc2009/gk_pefs/sys/fs/pefs/pefs_crypto.c#18 (text+ko) ====

@@ -52,8 +52,12 @@
 
 CTASSERT(PEFS_KEY_SIZE <= SHA512_DIGEST_LENGTH);
 CTASSERT(PEFS_TWEAK_SIZE == 64/8);
+CTASSERT(PEFS_NAME_CSUM_SIZE <= sizeof(uint64_t));
+CTASSERT(MAXNAMLEN >= PEFS_NAME_PTON_SIZE(MAXNAMLEN) + PEFS_NAME_BLOCK_SIZE);
 CTASSERT(CAMELLIA_BLOCK_SIZE == PEFS_CTR_BLOCK_SIZE);
 
+static const char magic_keyinfo[] = "PEFSKEY";
+
 typedef void algop_keysetup_t(struct pefs_ctx *ctx, const uint8_t *key,
     uint32_t keybits);
 typedef void algop_ivsetup_t(struct pefs_ctx *ctx, const uint8_t *iv,
@@ -117,24 +121,6 @@
 	pefs_camellia_crypt
 };
 
-/* vmac requirement: first bit of the nonce buffer n must be 0 */
-static const char magic_name_csum_nonce[VMAC_NHBYTES] = {
-	0x00, 0xb1, 0xad, 0xd5, 0x5b, 0xf9, 0x10, 0xe1,
-	0x0a, 0x25, 0x8a, 0xd3, 0x33, 0x91, 0x8a, 0x1a,
-};
-
-static const char magic_ctxinfo_name_key[PEFS_TWEAK_SIZE] = {
-	0xc8, 0x27, 0xa3, 0x7e, 0xcf, 0x86, 0x3d, 0x0d,
-};
-
-static const char magic_ctxinfo_name_csum_key[PEFS_TWEAK_SIZE] = {
-	0x21, 0xe2, 0x71, 0x0a, 0x4a, 0xe6, 0xfd, 0x64,
-};
-
-static const char magic_ctxinfo_data_key[PEFS_TWEAK_SIZE] = {
-	0xe3, 0x74, 0xdc, 0x7f, 0x10, 0x23, 0x55, 0x16,
-};
-
 static uma_zone_t pefs_ctx_zone;
 static uma_zone_t pefs_key_zone;
 
@@ -195,8 +181,8 @@
 	bzero(key, PEFS_KEY_SIZE);
 	hmac_sha512_init(&ctx->o.pctx_hmac, masterkey, PEFS_KEY_SIZE);
 	hmac_sha512_update(&ctx->o.pctx_hmac, key, PEFS_KEY_SIZE);
-	hmac_sha512_update(&ctx->o.pctx_hmac, magic_ctxinfo_data_key,
-	    PEFS_TWEAK_SIZE);
+	hmac_sha512_update(&ctx->o.pctx_hmac, magic_keyinfo,
+	    sizeof(magic_keyinfo));
 	hmac_sha512_update(&ctx->o.pctx_hmac, &idx, sizeof(idx));
 	hmac_sha512_final(&ctx->o.pctx_hmac, key, PEFS_KEY_SIZE);
 	pk->pk_alg->pa_keysetup(pk->pk_data_ctx, key, pk->pk_keybits);
@@ -204,8 +190,8 @@
 	idx = 2;
 	hmac_sha512_init(&ctx->o.pctx_hmac, masterkey, PEFS_KEY_SIZE);
 	hmac_sha512_update(&ctx->o.pctx_hmac, key, PEFS_KEY_SIZE);
-	hmac_sha512_update(&ctx->o.pctx_hmac, magic_ctxinfo_name_key,
-	    PEFS_TWEAK_SIZE);
+	hmac_sha512_update(&ctx->o.pctx_hmac, magic_keyinfo,
+	    sizeof(magic_keyinfo));
 	hmac_sha512_update(&ctx->o.pctx_hmac, &idx, sizeof(idx));
 	hmac_sha512_final(&ctx->o.pctx_hmac, key, PEFS_KEY_SIZE);
 	pefs_aes_keysetup(pk->pk_name_ctx, key, 128);
@@ -213,12 +199,13 @@
 	idx = 3;
 	hmac_sha512_init(&ctx->o.pctx_hmac, masterkey, PEFS_KEY_SIZE);
 	hmac_sha512_update(&ctx->o.pctx_hmac, key, PEFS_KEY_SIZE);
-	hmac_sha512_update(&ctx->o.pctx_hmac, magic_ctxinfo_name_key,
-	    PEFS_TWEAK_SIZE);
+	hmac_sha512_update(&ctx->o.pctx_hmac, magic_keyinfo,
+	    sizeof(magic_keyinfo));
 	hmac_sha512_update(&ctx->o.pctx_hmac, &idx, sizeof(idx));
 	hmac_sha512_final(&ctx->o.pctx_hmac, key, PEFS_KEY_SIZE);
 	vmac_set_key(key, &pk->pk_name_csum_ctx->o.pctx_vmac);
 
+	bzero(key, PEFS_KEY_SIZE);
 	pefs_ctx_free(ctx);
 
 }
@@ -471,18 +458,35 @@
 pefs_name_checksum(struct pefs_ctx *ctx, struct pefs_key *pk, char *csum,
     char *name, size_t size)
 {
-	CTASSERT(PEFS_NAME_CSUM_SIZE <= sizeof(uint64_t));
+	uint64_t buf[howmany(MAXNAMLEN + 1, sizeof(uint64_t))];
+	uint64_t nonce[2];
 	uint64_t csum_int;
+	char *data;
 
-	MPASS(size > PEFS_NAME_CSUM_SIZE &&
+	MPASS(size >= PEFS_NAME_CSUM_SIZE + (PEFS_TWEAK_SIZE * 2) &&
 	    size <= MAXNAMLEN &&
 	    (size - PEFS_NAME_CSUM_SIZE) % PEFS_NAME_BLOCK_SIZE == 0);
 
+	/*
+	 * First block of encrypted name contains 64bit random tweak.
+	 * Considering AES strong cipher reuse it as a nonce. It's rather far
+	 * from what VMAC specification suggests, but storing additional random
+	 * data in file name is too expensive and decrypting before running vmac
+	 * degrades performance dramatically.
+	 * Use separate key for name checksum.
+	 */
+	memcpy(nonce, name + PEFS_NAME_CSUM_SIZE, PEFS_TWEAK_SIZE * 2);
+	((char *)nonce)[15] &= 0xfe; /* VMAC requirement */
+
+	size -= PEFS_NAME_CSUM_SIZE;
+	data = name + PEFS_NAME_CSUM_SIZE;
+	if (((uintptr_t)data & (__alignof__(uint64_t) - 1)) != 0) {
+		memcpy(buf, data, size);
+		data = (char *)buf;
+	}
+
 	pefs_ctx_cpy(ctx, pk->pk_name_csum_ctx);
-	csum_int = vmac(name + PEFS_NAME_CSUM_SIZE,
-	    size - PEFS_NAME_CSUM_SIZE,
-	    magic_name_csum_nonce,
-	    NULL, &ctx->o.pctx_vmac);
+	csum_int = vmac(data, size, (char *)nonce, NULL, &ctx->o.pctx_vmac);
 	memcpy(csum, &csum_int, PEFS_NAME_CSUM_SIZE);
 }
 
@@ -541,8 +545,6 @@
 pefs_name_encrypt(struct pefs_ctx *ctx, struct pefs_tkey *ptk,
     const char *plain, size_t plain_len, char *enc, size_t enc_size)
 {
-	CTASSERT(MAXNAMLEN >=
-	    PEFS_NAME_PTON_SIZE(MAXNAMLEN) + PEFS_NAME_BLOCK_SIZE);
 	char buf[MAXNAMLEN + 1];
 	size_t size;
 	int free_ctx = 0;