302 lines
7.3 KiB
C
302 lines
7.3 KiB
C
/* $OpenBSD: softraid.c,v 1.7 2024/04/25 18:31:49 kn Exp $ */
|
|
|
|
/*
|
|
* Copyright (c) 2012 Joel Sing <jsing@openbsd.org>
|
|
*
|
|
* Permission to use, copy, modify, and distribute this software for any
|
|
* purpose with or without fee is hereby granted, provided that the above
|
|
* copyright notice and this permission notice appear in all copies.
|
|
*
|
|
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
|
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
|
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
|
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
|
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
|
*/
|
|
|
|
#include <sys/param.h>
|
|
#include <sys/queue.h>
|
|
|
|
#include <dev/biovar.h>
|
|
#include <dev/softraidvar.h>
|
|
|
|
#include <lib/libsa/bcrypt_pbkdf.h>
|
|
#include <lib/libsa/hmac_sha1.h>
|
|
#include <lib/libsa/pkcs5_pbkdf2.h>
|
|
#include <lib/libsa/rijndael.h>
|
|
|
|
#include "stand.h"
|
|
#include "softraid.h"
|
|
|
|
#define RIJNDAEL128_BLOCK_LEN 16
|
|
#define PASSPHRASE_LENGTH 1024
|
|
|
|
#define SR_CRYPTO_KEYBLOCK_BYTES SR_CRYPTO_MAXKEYS * SR_CRYPTO_KEYBYTES
|
|
|
|
/* List of softraid volumes. */
|
|
struct sr_boot_volume_head sr_volumes;
|
|
|
|
/* List of softraid keydisks. */
|
|
struct sr_boot_keydisk_head sr_keydisks;
|
|
|
|
#ifdef DEBUG
|
|
void
|
|
printhex(const char *s, const u_int8_t *buf, size_t len)
|
|
{
|
|
u_int8_t n1, n2;
|
|
size_t i;
|
|
|
|
printf("%s: ", s);
|
|
for (i = 0; i < len; i++) {
|
|
n1 = buf[i] & 0x0f;
|
|
n2 = buf[i] >> 4;
|
|
printf("%c", n2 > 9 ? n2 + 'a' - 10 : n2 + '0');
|
|
printf("%c", n1 > 9 ? n1 + 'a' - 10 : n1 + '0');
|
|
}
|
|
printf("\n");
|
|
}
|
|
#endif
|
|
|
|
void
|
|
sr_clear_keys(void)
|
|
{
|
|
struct sr_boot_volume *bv;
|
|
struct sr_boot_keydisk *kd, *nkd;
|
|
|
|
SLIST_FOREACH(bv, &sr_volumes, sbv_link) {
|
|
if (bv->sbv_level != 'C' && bv->sbv_level != 0x1C)
|
|
continue;
|
|
if (bv->sbv_keys != NULL) {
|
|
explicit_bzero(bv->sbv_keys, SR_CRYPTO_KEYBLOCK_BYTES);
|
|
free(bv->sbv_keys, SR_CRYPTO_KEYBLOCK_BYTES);
|
|
bv->sbv_keys = NULL;
|
|
}
|
|
if (bv->sbv_maskkey != NULL) {
|
|
explicit_bzero(bv->sbv_maskkey, SR_CRYPTO_MAXKEYBYTES);
|
|
free(bv->sbv_maskkey, SR_CRYPTO_MAXKEYBYTES);
|
|
bv->sbv_maskkey = NULL;
|
|
}
|
|
}
|
|
SLIST_FOREACH_SAFE(kd, &sr_keydisks, kd_link, nkd) {
|
|
explicit_bzero(kd, sizeof(*kd));
|
|
free(kd, sizeof(*kd));
|
|
}
|
|
}
|
|
|
|
void
|
|
sr_crypto_calculate_check_hmac_sha1(u_int8_t *maskkey, int maskkey_size,
|
|
u_int8_t *key, int key_size, u_char *check_digest)
|
|
{
|
|
u_int8_t check_key[SHA1_DIGEST_LENGTH];
|
|
SHA1_CTX shactx;
|
|
|
|
explicit_bzero(check_key, sizeof(check_key));
|
|
explicit_bzero(&shactx, sizeof(shactx));
|
|
|
|
/* k = SHA1(mask_key) */
|
|
SHA1Init(&shactx);
|
|
SHA1Update(&shactx, maskkey, maskkey_size);
|
|
SHA1Final(check_key, &shactx);
|
|
|
|
/* mac = HMAC_SHA1_k(unencrypted key) */
|
|
hmac_sha1(key, key_size, check_key, sizeof(check_key), check_digest);
|
|
|
|
explicit_bzero(check_key, sizeof(check_key));
|
|
explicit_bzero(&shactx, sizeof(shactx));
|
|
}
|
|
|
|
static int
|
|
sr_crypto_decrypt_keys(struct sr_meta_crypto *cm,
|
|
struct sr_crypto_kdfinfo *kdfinfo, u_int8_t *kp)
|
|
{
|
|
u_int8_t digest[SHA1_DIGEST_LENGTH];
|
|
rijndael_ctx ctx;
|
|
u_int8_t *cp;
|
|
int rv = -1;
|
|
int i;
|
|
|
|
if (rijndael_set_key(&ctx, kdfinfo->maskkey, 256) != 0)
|
|
goto done;
|
|
|
|
cp = (u_int8_t *)cm->scm_key;
|
|
for (i = 0; i < SR_CRYPTO_KEYBLOCK_BYTES; i += RIJNDAEL128_BLOCK_LEN)
|
|
rijndael_decrypt(&ctx, (u_char *)(cp + i), (u_char *)(kp + i));
|
|
|
|
/* Check that the key decrypted properly. */
|
|
sr_crypto_calculate_check_hmac_sha1(kdfinfo->maskkey,
|
|
sizeof(kdfinfo->maskkey), kp, SR_CRYPTO_KEYBLOCK_BYTES, digest);
|
|
|
|
if (bcmp(digest, cm->chk_hmac_sha1.sch_mac, sizeof(digest)) == 0)
|
|
rv = 0;
|
|
|
|
done:
|
|
explicit_bzero(digest, sizeof(digest));
|
|
|
|
return rv;
|
|
}
|
|
|
|
static int
|
|
sr_crypto_passphrase_decrypt(struct sr_meta_crypto *cm,
|
|
struct sr_crypto_kdfinfo *kdfinfo, u_int8_t *kp)
|
|
{
|
|
char passphrase[PASSPHRASE_LENGTH];
|
|
struct sr_crypto_pbkdf *kdfhint;
|
|
int rv = -1;
|
|
int c, i;
|
|
|
|
kdfhint = (struct sr_crypto_pbkdf *)&cm->scm_kdfhint;
|
|
|
|
for (;;) {
|
|
printf("Passphrase: ");
|
|
#ifdef IDLE_POWEROFF
|
|
extern int idle_poweroff(void);
|
|
idle_poweroff();
|
|
#endif /* IDLE_POWEROFF */
|
|
for (i = 0; i < PASSPHRASE_LENGTH - 1; i++) {
|
|
c = cngetc();
|
|
if (c == '\r' || c == '\n') {
|
|
break;
|
|
} else if (c == '\b') {
|
|
i = i > 0 ? i - 2 : -1;
|
|
continue;
|
|
}
|
|
passphrase[i] = (c & 0xff);
|
|
}
|
|
passphrase[i] = 0;
|
|
printf("\n");
|
|
|
|
/* Abort on an empty passphrase. */
|
|
if (i == 0) {
|
|
printf("aborting...\n");
|
|
goto done;
|
|
}
|
|
|
|
#ifdef DEBUG
|
|
printf("Got passphrase: %s with len %d\n",
|
|
passphrase, strlen(passphrase));
|
|
#endif
|
|
|
|
switch (kdfhint->generic.type) {
|
|
case SR_CRYPTOKDFT_PKCS5_PBKDF2:
|
|
if (pkcs5_pbkdf2(passphrase, strlen(passphrase),
|
|
kdfhint->salt, sizeof(kdfhint->salt),
|
|
kdfinfo->maskkey, sizeof(kdfinfo->maskkey),
|
|
kdfhint->rounds) != 0) {
|
|
printf("pkcs5_pbkdf2 failed\n");
|
|
goto done;
|
|
}
|
|
break;
|
|
|
|
case SR_CRYPTOKDFT_BCRYPT_PBKDF:
|
|
if (bcrypt_pbkdf(passphrase, strlen(passphrase),
|
|
kdfhint->salt, sizeof(kdfhint->salt),
|
|
kdfinfo->maskkey, sizeof(kdfinfo->maskkey),
|
|
kdfhint->rounds) != 0) {
|
|
printf("bcrypt_pbkdf failed\n");
|
|
goto done;
|
|
}
|
|
break;
|
|
|
|
default:
|
|
printf("unknown KDF type %u\n", kdfhint->generic.type);
|
|
goto done;
|
|
}
|
|
|
|
if (sr_crypto_decrypt_keys(cm, kdfinfo, kp) == 0) {
|
|
rv = 0;
|
|
goto done;
|
|
}
|
|
|
|
printf("incorrect passphrase\n");
|
|
}
|
|
|
|
done:
|
|
explicit_bzero(passphrase, PASSPHRASE_LENGTH);
|
|
|
|
return rv;
|
|
}
|
|
|
|
int
|
|
sr_crypto_unlock_volume(struct sr_boot_volume *bv)
|
|
{
|
|
struct sr_meta_crypto *cm;
|
|
struct sr_boot_keydisk *kd;
|
|
struct sr_meta_opt_item *omi;
|
|
struct sr_crypto_pbkdf *kdfhint;
|
|
struct sr_crypto_kdfinfo kdfinfo;
|
|
u_int8_t *keys = NULL;
|
|
int rv = -1;
|
|
|
|
SLIST_FOREACH(omi, &bv->sbv_meta_opt, omi_link)
|
|
if (omi->omi_som->som_type == SR_OPT_CRYPTO)
|
|
break;
|
|
|
|
if (omi == NULL) {
|
|
printf("crypto metadata not found!\n");
|
|
goto done;
|
|
}
|
|
|
|
cm = (struct sr_meta_crypto *)omi->omi_som;
|
|
kdfhint = (struct sr_crypto_pbkdf *)&cm->scm_kdfhint;
|
|
|
|
switch (cm->scm_mask_alg) {
|
|
case SR_CRYPTOM_AES_ECB_256:
|
|
break;
|
|
default:
|
|
printf("unsupported encryption algorithm %u\n",
|
|
cm->scm_mask_alg);
|
|
goto done;
|
|
}
|
|
|
|
keys = alloc(SR_CRYPTO_KEYBLOCK_BYTES);
|
|
bzero(keys, SR_CRYPTO_KEYBLOCK_BYTES);
|
|
|
|
switch (kdfhint->generic.type) {
|
|
case SR_CRYPTOKDFT_KEYDISK:
|
|
SLIST_FOREACH(kd, &sr_keydisks, kd_link) {
|
|
if (bcmp(&kd->kd_uuid, &bv->sbv_uuid,
|
|
sizeof(kd->kd_uuid)) == 0)
|
|
break;
|
|
}
|
|
if (kd == NULL) {
|
|
printf("keydisk not found\n");
|
|
goto done;
|
|
}
|
|
bcopy(&kd->kd_key, &kdfinfo.maskkey, sizeof(kdfinfo.maskkey));
|
|
if (sr_crypto_decrypt_keys(cm, &kdfinfo, keys) != 0) {
|
|
printf("incorrect keydisk\n");
|
|
goto done;
|
|
}
|
|
break;
|
|
|
|
case SR_CRYPTOKDFT_BCRYPT_PBKDF:
|
|
case SR_CRYPTOKDFT_PKCS5_PBKDF2:
|
|
if (sr_crypto_passphrase_decrypt(cm, &kdfinfo, keys) != 0)
|
|
goto done;
|
|
break;
|
|
|
|
default:
|
|
printf("unknown KDF type %u\n", kdfhint->generic.type);
|
|
goto done;
|
|
}
|
|
|
|
/* Keys and keydisks will be cleared before boot and from _rtt. */
|
|
bv->sbv_keys = keys;
|
|
bv->sbv_maskkey = alloc(sizeof(kdfinfo.maskkey));
|
|
bcopy(&kdfinfo.maskkey, bv->sbv_maskkey, sizeof(kdfinfo.maskkey));
|
|
|
|
rv = 0;
|
|
|
|
done:
|
|
explicit_bzero(&kdfinfo, sizeof(kdfinfo));
|
|
|
|
if (keys != NULL && rv != 0) {
|
|
explicit_bzero(keys, SR_CRYPTO_KEYBLOCK_BYTES);
|
|
free(keys, SR_CRYPTO_KEYBLOCK_BYTES);
|
|
}
|
|
|
|
return (rv);
|
|
}
|