1 /* $OpenBSD: softraid.c,v 1.2 2016/09/18 16:34:59 jsing Exp $ */ 2 3 /* 4 * Copyright (c) 2012 Joel Sing <jsing@openbsd.org> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 #include <sys/param.h> 20 #include <sys/queue.h> 21 22 #include <dev/biovar.h> 23 #include <dev/softraidvar.h> 24 25 #include <lib/libsa/bcrypt_pbkdf.h> 26 #include <lib/libsa/hmac_sha1.h> 27 #include <lib/libsa/pkcs5_pbkdf2.h> 28 #include <lib/libsa/rijndael.h> 29 30 #include "stand.h" 31 #include "softraid.h" 32 33 #define RIJNDAEL128_BLOCK_LEN 16 34 #define PASSPHRASE_LENGTH 1024 35 36 #define SR_CRYPTO_KEYBLOCK_BYTES SR_CRYPTO_MAXKEYS * SR_CRYPTO_KEYBYTES 37 38 /* List of softraid volumes. */ 39 struct sr_boot_volume_head sr_volumes; 40 41 /* List of softraid keydisks. */ 42 struct sr_boot_keydisk_head sr_keydisks; 43 44 #ifdef DEBUG 45 void 46 printhex(const char *s, const u_int8_t *buf, size_t len) 47 { 48 u_int8_t n1, n2; 49 size_t i; 50 51 printf("%s: ", s); 52 for (i = 0; i < len; i++) { 53 n1 = buf[i] & 0x0f; 54 n2 = buf[i] >> 4; 55 printf("%c", n2 > 9 ? n2 + 'a' - 10 : n2 + '0'); 56 printf("%c", n1 > 9 ? n1 + 'a' - 10 : n1 + '0'); 57 } 58 printf("\n"); 59 } 60 #endif 61 62 void 63 sr_clear_keys(void) 64 { 65 struct sr_boot_volume *bv; 66 struct sr_boot_keydisk *kd; 67 68 SLIST_FOREACH(bv, &sr_volumes, sbv_link) { 69 if (bv->sbv_level != 'C') 70 continue; 71 if (bv->sbv_keys != NULL) { 72 explicit_bzero(bv->sbv_keys, SR_CRYPTO_KEYBLOCK_BYTES); 73 free(bv->sbv_keys, SR_CRYPTO_KEYBLOCK_BYTES); 74 bv->sbv_keys = NULL; 75 } 76 if (bv->sbv_maskkey != NULL) { 77 explicit_bzero(bv->sbv_maskkey, SR_CRYPTO_MAXKEYBYTES); 78 free(bv->sbv_maskkey, SR_CRYPTO_MAXKEYBYTES); 79 bv->sbv_maskkey = NULL; 80 } 81 } 82 SLIST_FOREACH(kd, &sr_keydisks, kd_link) { 83 explicit_bzero(kd, sizeof(*kd)); 84 free(kd, sizeof(*kd)); 85 } 86 } 87 88 void 89 sr_crypto_calculate_check_hmac_sha1(u_int8_t *maskkey, int maskkey_size, 90 u_int8_t *key, int key_size, u_char *check_digest) 91 { 92 u_int8_t check_key[SHA1_DIGEST_LENGTH]; 93 SHA1_CTX shactx; 94 95 explicit_bzero(check_key, sizeof(check_key)); 96 explicit_bzero(&shactx, sizeof(shactx)); 97 98 /* k = SHA1(mask_key) */ 99 SHA1Init(&shactx); 100 SHA1Update(&shactx, maskkey, maskkey_size); 101 SHA1Final(check_key, &shactx); 102 103 /* mac = HMAC_SHA1_k(unencrypted key) */ 104 hmac_sha1(key, key_size, check_key, sizeof(check_key), check_digest); 105 106 explicit_bzero(check_key, sizeof(check_key)); 107 explicit_bzero(&shactx, sizeof(shactx)); 108 } 109 110 int 111 sr_crypto_decrypt_keys(struct sr_boot_volume *bv) 112 { 113 struct sr_meta_crypto *cm; 114 struct sr_boot_keydisk *kd; 115 struct sr_meta_opt_item *omi; 116 struct sr_crypto_pbkdf *kdfhint; 117 struct sr_crypto_kdfinfo kdfinfo; 118 char passphrase[PASSPHRASE_LENGTH]; 119 u_int8_t digest[SHA1_DIGEST_LENGTH]; 120 u_int8_t *keys = NULL; 121 u_int8_t *kp, *cp; 122 rijndael_ctx ctx; 123 u_int32_t type; 124 int rv = -1; 125 int c, i; 126 127 SLIST_FOREACH(omi, &bv->sbv_meta_opt, omi_link) 128 if (omi->omi_som->som_type == SR_OPT_CRYPTO) 129 break; 130 131 if (omi == NULL) { 132 printf("Crypto metadata not found!\n"); 133 goto done; 134 } 135 136 cm = (struct sr_meta_crypto *)omi->omi_som; 137 kdfhint = (struct sr_crypto_pbkdf *)&cm->scm_kdfhint; 138 139 switch (cm->scm_mask_alg) { 140 case SR_CRYPTOM_AES_ECB_256: 141 break; 142 default: 143 printf("unsupported encryption algorithm %u\n", 144 cm->scm_mask_alg); 145 goto done; 146 } 147 148 SLIST_FOREACH(kd, &sr_keydisks, kd_link) { 149 if (bcmp(&kd->kd_uuid, &bv->sbv_uuid, sizeof(kd->kd_uuid)) == 0) 150 break; 151 } 152 if (kd) { 153 bcopy(&kd->kd_key, &kdfinfo.maskkey, sizeof(kdfinfo.maskkey)); 154 } else { 155 if (kdfhint->generic.type != SR_CRYPTOKDFT_PKCS5_PBKDF2 && 156 kdfhint->generic.type != SR_CRYPTOKDFT_BCRYPT_PBKDF) { 157 printf("unknown KDF type %u\n", kdfhint->generic.type); 158 goto done; 159 } 160 161 printf("Passphrase: "); 162 for (i = 0; i < PASSPHRASE_LENGTH - 1; i++) { 163 c = cngetc(); 164 if (c == '\r' || c == '\n') 165 break; 166 else if (c == '\b') { 167 i = i > 0 ? i - 2 : -1; 168 continue; 169 } 170 passphrase[i] = (c & 0xff); 171 } 172 passphrase[i] = 0; 173 printf("\n"); 174 175 #ifdef DEBUG 176 printf("Got passphrase: %s with len %d\n", 177 passphrase, strlen(passphrase)); 178 #endif 179 180 type = kdfhint->generic.type; 181 if (type == SR_CRYPTOKDFT_PKCS5_PBKDF2) { 182 if (pkcs5_pbkdf2(passphrase, strlen(passphrase), 183 kdfhint->salt, sizeof(kdfhint->salt), 184 kdfinfo.maskkey, sizeof(kdfinfo.maskkey), 185 kdfhint->rounds) != 0) { 186 printf("pkcs5_pbkdf2 failed\n"); 187 goto done; 188 } 189 } else if (type == SR_CRYPTOKDFT_BCRYPT_PBKDF) { 190 if (bcrypt_pbkdf(passphrase, strlen(passphrase), 191 kdfhint->salt, sizeof(kdfhint->salt), 192 kdfinfo.maskkey, sizeof(kdfinfo.maskkey), 193 kdfhint->rounds) != 0) { 194 printf("bcrypt_pbkdf failed\n"); 195 goto done; 196 } 197 } else { 198 printf("unknown KDF type %u\n", kdfhint->generic.type); 199 goto done; 200 } 201 } 202 203 /* kdfinfo->maskkey now has key. */ 204 205 /* Decrypt disk keys. */ 206 keys = alloc(SR_CRYPTO_KEYBLOCK_BYTES); 207 bzero(keys, SR_CRYPTO_KEYBLOCK_BYTES); 208 209 if (rijndael_set_key(&ctx, kdfinfo.maskkey, 256) != 0) 210 goto done; 211 212 cp = (u_int8_t *)cm->scm_key; 213 kp = keys; 214 for (i = 0; i < SR_CRYPTO_KEYBLOCK_BYTES; i += RIJNDAEL128_BLOCK_LEN) 215 rijndael_decrypt(&ctx, (u_char *)(cp + i), (u_char *)(kp + i)); 216 217 /* Check that the key decrypted properly. */ 218 sr_crypto_calculate_check_hmac_sha1(kdfinfo.maskkey, 219 sizeof(kdfinfo.maskkey), keys, SR_CRYPTO_KEYBLOCK_BYTES, digest); 220 221 if (bcmp(digest, cm->chk_hmac_sha1.sch_mac, sizeof(digest))) { 222 printf("incorrect passphrase or keydisk\n"); 223 goto done; 224 } 225 226 /* Keys and keydisks will be cleared before boot and from _rtt. */ 227 bv->sbv_keys = keys; 228 bv->sbv_maskkey = alloc(sizeof(kdfinfo.maskkey)); 229 bcopy(&kdfinfo.maskkey, bv->sbv_maskkey, sizeof(kdfinfo.maskkey)); 230 231 rv = 0; 232 233 done: 234 explicit_bzero(passphrase, PASSPHRASE_LENGTH); 235 explicit_bzero(&kdfinfo, sizeof(kdfinfo)); 236 explicit_bzero(digest, sizeof(digest)); 237 238 if (keys != NULL && rv != 0) { 239 explicit_bzero(keys, SR_CRYPTO_KEYBLOCK_BYTES); 240 free(keys, SR_CRYPTO_KEYBLOCK_BYTES); 241 } 242 243 return (rv); 244 } 245