xref: /openbsd-src/sys/lib/libsa/softraid.c (revision aa997e528a848ca5596493c2a801bdd6fb26ae61) 
1 /*	$OpenBSD: softraid.c,v 1.3 2017/11/10 16:50:59 sunil Exp $	*/
2 
3 /*
4  * Copyright (c) 2012 Joel Sing <jsing@openbsd.org>
5  *
6  * Permission to use, copy, modify, and distribute this software for any
7  * purpose with or without fee is hereby granted, provided that the above
8  * copyright notice and this permission notice appear in all copies.
9  *
10  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17  */
18 
19 #include <sys/param.h>
20 #include <sys/queue.h>
21 
22 #include <dev/biovar.h>
23 #include <dev/softraidvar.h>
24 
25 #include <lib/libsa/bcrypt_pbkdf.h>
26 #include <lib/libsa/hmac_sha1.h>
27 #include <lib/libsa/pkcs5_pbkdf2.h>
28 #include <lib/libsa/rijndael.h>
29 
30 #include "stand.h"
31 #include "softraid.h"
32 
33 #define RIJNDAEL128_BLOCK_LEN     16
34 #define PASSPHRASE_LENGTH 1024
35 
36 #define SR_CRYPTO_KEYBLOCK_BYTES SR_CRYPTO_MAXKEYS * SR_CRYPTO_KEYBYTES
37 
38 /* List of softraid volumes. */
39 struct sr_boot_volume_head sr_volumes;
40 
41 /* List of softraid keydisks. */
42 struct sr_boot_keydisk_head sr_keydisks;
43 
44 #ifdef DEBUG
45 void
46 printhex(const char *s, const u_int8_t *buf, size_t len)
47 {
48 	u_int8_t n1, n2;
49 	size_t i;
50 
51 	printf("%s: ", s);
52 	for (i = 0; i < len; i++) {
53 		n1 = buf[i] & 0x0f;
54 		n2 = buf[i] >> 4;
55 		printf("%c", n2 > 9 ? n2 + 'a' - 10 : n2 + '0');
56 		printf("%c", n1 > 9 ? n1 + 'a' - 10 : n1 + '0');
57 	}
58 	printf("\n");
59 }
60 #endif
61 
62 void
63 sr_clear_keys(void)
64 {
65 	struct sr_boot_volume *bv;
66 	struct sr_boot_keydisk *kd;
67 
68 	SLIST_FOREACH(bv, &sr_volumes, sbv_link) {
69 		if (bv->sbv_level != 'C')
70 			continue;
71 		if (bv->sbv_keys != NULL) {
72 			explicit_bzero(bv->sbv_keys, SR_CRYPTO_KEYBLOCK_BYTES);
73 			free(bv->sbv_keys, SR_CRYPTO_KEYBLOCK_BYTES);
74 			bv->sbv_keys = NULL;
75 		}
76 		if (bv->sbv_maskkey != NULL) {
77 			explicit_bzero(bv->sbv_maskkey, SR_CRYPTO_MAXKEYBYTES);
78 			free(bv->sbv_maskkey, SR_CRYPTO_MAXKEYBYTES);
79 			bv->sbv_maskkey = NULL;
80 		}
81 	}
82 	SLIST_FOREACH(kd, &sr_keydisks, kd_link) {
83 		explicit_bzero(kd, sizeof(*kd));
84 		free(kd, sizeof(*kd));
85 	}
86 }
87 
88 void
89 sr_crypto_calculate_check_hmac_sha1(u_int8_t *maskkey, int maskkey_size,
90     u_int8_t *key, int key_size, u_char *check_digest)
91 {
92 	u_int8_t check_key[SHA1_DIGEST_LENGTH];
93 	SHA1_CTX shactx;
94 
95 	explicit_bzero(check_key, sizeof(check_key));
96 	explicit_bzero(&shactx, sizeof(shactx));
97 
98 	/* k = SHA1(mask_key) */
99 	SHA1Init(&shactx);
100 	SHA1Update(&shactx, maskkey, maskkey_size);
101 	SHA1Final(check_key, &shactx);
102 
103 	/* mac = HMAC_SHA1_k(unencrypted key) */
104 	hmac_sha1(key, key_size, check_key, sizeof(check_key), check_digest);
105 
106 	explicit_bzero(check_key, sizeof(check_key));
107 	explicit_bzero(&shactx, sizeof(shactx));
108 }
109 
110 int
111 sr_crypto_decrypt_keys(struct sr_boot_volume *bv)
112 {
113 	struct sr_meta_crypto *cm;
114 	struct sr_boot_keydisk	*kd;
115 	struct sr_meta_opt_item *omi;
116 	struct sr_crypto_pbkdf *kdfhint;
117 	struct sr_crypto_kdfinfo kdfinfo;
118 	char passphrase[PASSPHRASE_LENGTH];
119 	u_int8_t digest[SHA1_DIGEST_LENGTH];
120 	u_int8_t *keys = NULL;
121 	u_int8_t *kp, *cp;
122 	rijndael_ctx ctx;
123 	u_int32_t type;
124 	int rv = -1;
125 	int c, i;
126 
127 	SLIST_FOREACH(omi, &bv->sbv_meta_opt, omi_link)
128 		if (omi->omi_som->som_type == SR_OPT_CRYPTO)
129 			break;
130 
131 	if (omi == NULL) {
132 		printf("Crypto metadata not found!\n");
133 		goto done;
134 	}
135 
136 	cm = (struct sr_meta_crypto *)omi->omi_som;
137 	kdfhint = (struct sr_crypto_pbkdf *)&cm->scm_kdfhint;
138 
139 	switch (cm->scm_mask_alg) {
140 	case SR_CRYPTOM_AES_ECB_256:
141 		break;
142 	default:
143 		printf("unsupported encryption algorithm %u\n",
144 		    cm->scm_mask_alg);
145 		goto done;
146 	}
147 
148 	SLIST_FOREACH(kd, &sr_keydisks, kd_link) {
149 		if (bcmp(&kd->kd_uuid, &bv->sbv_uuid, sizeof(kd->kd_uuid)) == 0)
150 			break;
151 	}
152 	if (kd) {
153 		bcopy(&kd->kd_key, &kdfinfo.maskkey, sizeof(kdfinfo.maskkey));
154 	} else if (kdfhint->generic.type == SR_CRYPTOKDFT_KEYDISK) {
155 		printf("keydisk not found\n");
156 		goto done;
157 	} else {
158 		if (kdfhint->generic.type != SR_CRYPTOKDFT_PKCS5_PBKDF2 &&
159 		    kdfhint->generic.type != SR_CRYPTOKDFT_BCRYPT_PBKDF) {
160 			printf("unknown KDF type %u\n", kdfhint->generic.type);
161 			goto done;
162 		}
163 
164 		printf("Passphrase: ");
165 		for (i = 0; i < PASSPHRASE_LENGTH - 1; i++) {
166 			c = cngetc();
167 			if (c == '\r' || c == '\n')
168 				break;
169 			else if (c == '\b') {
170 				i = i > 0 ? i - 2 : -1;
171 				continue;
172 			}
173 			passphrase[i] = (c & 0xff);
174 		}
175 		passphrase[i] = 0;
176 		printf("\n");
177 
178 #ifdef DEBUG
179 		printf("Got passphrase: %s with len %d\n",
180 		    passphrase, strlen(passphrase));
181 #endif
182 
183 		type = kdfhint->generic.type;
184 		if (type == SR_CRYPTOKDFT_PKCS5_PBKDF2) {
185 			if (pkcs5_pbkdf2(passphrase, strlen(passphrase),
186 			    kdfhint->salt, sizeof(kdfhint->salt),
187 			    kdfinfo.maskkey, sizeof(kdfinfo.maskkey),
188 			    kdfhint->rounds) != 0) {
189 				printf("pkcs5_pbkdf2 failed\n");
190 				goto done;
191 			}
192 		} else if (type == SR_CRYPTOKDFT_BCRYPT_PBKDF) {
193 			if (bcrypt_pbkdf(passphrase, strlen(passphrase),
194 			    kdfhint->salt, sizeof(kdfhint->salt),
195 			    kdfinfo.maskkey, sizeof(kdfinfo.maskkey),
196 			    kdfhint->rounds) != 0) {
197 				printf("bcrypt_pbkdf failed\n");
198 				goto done;
199 			}
200 		} else {
201 			printf("unknown KDF type %u\n", kdfhint->generic.type);
202 			goto done;
203 		}
204 	}
205 
206 	/* kdfinfo->maskkey now has key. */
207 
208 	/* Decrypt disk keys. */
209 	keys = alloc(SR_CRYPTO_KEYBLOCK_BYTES);
210 	bzero(keys, SR_CRYPTO_KEYBLOCK_BYTES);
211 
212 	if (rijndael_set_key(&ctx, kdfinfo.maskkey, 256) != 0)
213 		goto done;
214 
215 	cp = (u_int8_t *)cm->scm_key;
216 	kp = keys;
217 	for (i = 0; i < SR_CRYPTO_KEYBLOCK_BYTES; i += RIJNDAEL128_BLOCK_LEN)
218 		rijndael_decrypt(&ctx, (u_char *)(cp + i), (u_char *)(kp + i));
219 
220 	/* Check that the key decrypted properly. */
221 	sr_crypto_calculate_check_hmac_sha1(kdfinfo.maskkey,
222 	    sizeof(kdfinfo.maskkey), keys, SR_CRYPTO_KEYBLOCK_BYTES, digest);
223 
224 	if (bcmp(digest, cm->chk_hmac_sha1.sch_mac, sizeof(digest))) {
225 		printf("incorrect passphrase or keydisk\n");
226 		goto done;
227 	}
228 
229 	/* Keys and keydisks will be cleared before boot and from _rtt. */
230 	bv->sbv_keys = keys;
231 	bv->sbv_maskkey = alloc(sizeof(kdfinfo.maskkey));
232 	bcopy(&kdfinfo.maskkey, bv->sbv_maskkey, sizeof(kdfinfo.maskkey));
233 
234 	rv = 0;
235 
236 done:
237 	explicit_bzero(passphrase, PASSPHRASE_LENGTH);
238 	explicit_bzero(&kdfinfo, sizeof(kdfinfo));
239 	explicit_bzero(digest, sizeof(digest));
240 
241 	if (keys != NULL && rv != 0) {
242 		explicit_bzero(keys, SR_CRYPTO_KEYBLOCK_BYTES);
243 		free(keys, SR_CRYPTO_KEYBLOCK_BYTES);
244 	}
245 
246 	return (rv);
247 }
248