summaryrefslogtreecommitdiffstats
path: root/lib/fvault2/fvault2.c
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--lib/fvault2/fvault2.c1057
1 files changed, 1057 insertions, 0 deletions
diff --git a/lib/fvault2/fvault2.c b/lib/fvault2/fvault2.c
new file mode 100644
index 0000000..0b0c9ce
--- /dev/null
+++ b/lib/fvault2/fvault2.c
@@ -0,0 +1,1057 @@
+/*
+ * FVAULT2 (FileVault2-compatible) volume handling
+ *
+ * Copyright (C) 2021-2022 Pavel Tobias
+ *
+ * This file is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This file is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this file; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <errno.h>
+#include <regex.h>
+#include <stdio.h>
+#include <uuid/uuid.h>
+
+#include "internal.h"
+#include "fvault2.h"
+
+/* Core Storage signature/magic; "CS" big-endian */
+#define FVAULT2_CORE_STORAGE_MAGIC 0x4353
+
+/* size of the physical volume header in bytes */
+#define FVAULT2_VOL_HEADER_SIZE 512
+
+/* size of a single metadata block in bytes */
+#define FVAULT2_MD_BLOCK_SIZE 8192
+
+/* maximal offset to read metadata block */
+#define FVAULT2_MAX_OFF 1024*1024*1024
+
+/* encrypted metadata parsing progress flags (see _read_encrypted_metadata) */
+#define FVAULT2_ENC_MD_PARSED_0x0019 0b001
+#define FVAULT2_ENC_MD_PARSED_0x001A 0b010
+#define FVAULT2_ENC_MD_PARSED_0x0305 0b100
+#define FVAULT2_ENC_MD_PARSED_NONE 0b000
+#define FVAULT2_ENC_MD_PARSED_ALL 0b111
+
+/* sizes of decoded PassphraseWrappedKEKStruct and KEKWrappedVolumeKeyStruct */
+#define FVAULT2_PWK_SIZE 284
+#define FVAULT2_KWVK_SIZE 256
+
+/* size of an AES-128 key */
+#define FVAULT2_AES_KEY_SIZE 16
+
+/* size of the volume key and the encrypted metadata decryption key */
+#define FVAULT2_XTS_KEY_SIZE (FVAULT2_AES_KEY_SIZE * 2)
+
+/* size of an XTS tweak value */
+#define FVAULT2_XTS_TWEAK_SIZE 16
+
+/* size of a binary representation of a UUID */
+#define FVAULT2_UUID_BIN_SIZE 16
+
+struct crc32_checksum {
+ uint32_t value;
+ uint32_t seed;
+} __attribute__((packed));
+
+struct volume_header {
+ struct crc32_checksum checksum;
+ uint16_t version;
+ uint16_t block_type;
+ uint8_t unknown1[52];
+ uint64_t ph_vol_size;
+ uint8_t unknown2[16];
+ uint16_t magic;
+ uint32_t checksum_algo;
+ uint8_t unknown3[2];
+ uint32_t block_size;
+ uint32_t metadata_size;
+ uint64_t disklbl_blkoff;
+ uint64_t other_md_blkoffs[3];
+ uint8_t unknown4[32];
+ uint32_t key_data_size;
+ uint32_t cipher;
+ uint8_t key_data[FVAULT2_AES_KEY_SIZE];
+ uint8_t unknown5[112];
+ uint8_t ph_vol_uuid[FVAULT2_UUID_BIN_SIZE];
+ uint8_t unknown6[192];
+} __attribute__((packed));
+
+struct volume_groups_descriptor {
+ uint8_t unknown1[8];
+ uint64_t enc_md_blocks_n;
+ uint8_t unknown2[16];
+ uint64_t enc_md_blkoff;
+} __attribute__((packed));
+
+struct metadata_block_header {
+ struct crc32_checksum checksum;
+ uint16_t version;
+ uint16_t block_type;
+ uint8_t unknown1[20];
+ uint64_t block_num;
+ uint8_t unknown2[8];
+ uint32_t block_size;
+ uint8_t unknown3[12];
+} __attribute__((packed));
+
+struct metadata_block_0x0011 {
+ struct metadata_block_header header;
+ uint32_t md_size;
+ uint8_t unknown1[4];
+ struct crc32_checksum checksum;
+ uint8_t unknown2[140];
+ uint32_t vol_gr_des_off;
+} __attribute__((packed));
+
+struct metadata_block_0x0019 {
+ struct metadata_block_header header;
+ uint8_t unknown1[40];
+ uint32_t xml_comp_size;
+ uint32_t xml_uncomp_size;
+ uint32_t xml_off;
+ uint32_t xml_size;
+} __attribute__((packed));
+
+struct metadata_block_0x001a {
+ struct metadata_block_header header;
+ uint8_t unknown1[64];
+ uint32_t xml_off;
+ uint32_t xml_size;
+} __attribute__((packed));
+
+struct metadata_block_0x0305 {
+ struct metadata_block_header header;
+ uint32_t entries_n;
+ uint8_t unknown1[36];
+ uint32_t log_vol_blkoff;
+} __attribute__((packed));
+
+struct passphrase_wrapped_kek {
+ uint32_t pbkdf2_salt_type;
+ uint32_t pbkdf2_salt_size;
+ uint8_t pbkdf2_salt[FVAULT2_PBKDF2_SALT_SIZE];
+ uint32_t wrapped_kek_type;
+ uint32_t wrapped_kek_size;
+ uint8_t wrapped_kek[FVAULT2_WRAPPED_KEY_SIZE];
+ uint8_t unknown1[112];
+ uint32_t pbkdf2_iters;
+} __attribute__((packed));
+
+struct kek_wrapped_volume_key {
+ uint32_t wrapped_vk_type;
+ uint32_t wrapped_vk_size;
+ uint8_t wrapped_vk[FVAULT2_WRAPPED_KEY_SIZE];
+} __attribute__((packed));
+
+/**
+ * Test whether all bytes of a chunk of memory are equal to a constant value.
+ * @param[in] value the value all bytes should be equal to
+ * @param[in] data the tested chunk of memory
+ * @param[in] data_size byte-size of the chunk of memory
+ */
+static bool _filled_with(
+ uint8_t value,
+ const void *data,
+ size_t data_size)
+{
+ const uint8_t *data_bytes = data;
+ size_t i;
+
+ for (i = 0; i < data_size; i++)
+ if (data_bytes[i] != value)
+ return false;
+
+ return true;
+}
+
+/**
+ * Assert the validity of the CRC checksum of a chunk of memory.
+ * @param[in] data a chunk of memory starting with a crc32_checksum struct
+ * @param[in] data_size the size of the chunk of memory in bytes
+ */
+static int _check_crc(
+ const void *data,
+ size_t data_size)
+{
+ const size_t crc_size = sizeof(struct crc32_checksum);
+ uint32_t seed;
+ uint32_t value;
+
+ assert(data_size >= crc_size);
+
+ value = le32_to_cpu(((const struct crc32_checksum *)data)->value);
+ seed = le32_to_cpu(((const struct crc32_checksum *)data)->seed);
+ if (seed != 0xffffffff)
+ return -EINVAL;
+
+ if (crypt_crc32c(seed, (const uint8_t *)data + crc_size,
+ data_size - crc_size) != value)
+ return -EINVAL;
+
+ return 0;
+}
+
+/**
+ * Unwrap an AES-wrapped key.
+ * @param[in] kek the KEK with which the key has been wrapped
+ * @param[in] kek_size the size of the KEK in bytes
+ * @param[in] key_wrapped the wrapped key
+ * @param[in] key_wrapped_size the size of the wrapped key in bytes
+ * @param[out] key_buf key an output buffer for the unwrapped key
+ * @param[in] key_buf_size the size of the output buffer in bytes
+ */
+static int _unwrap_key(
+ const void *kek,
+ size_t kek_size,
+ const void *key_wrapped,
+ size_t key_wrapped_size,
+ void *key_buf,
+ size_t key_buf_size)
+{
+ /* Algorithm and notation taken from NIST Special Publication 800-38F:
+ https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf
+
+ This implementation supports only 128-bit KEKs and wrapped keys. */
+
+ int r = 0;
+ struct crypt_cipher *cipher = NULL;
+ void *cipher_in = NULL;
+ void *cipher_out = NULL;
+ uint64_t a;
+ uint64_t r2;
+ uint64_t r3;
+ uint64_t t;
+ uint64_t r2_prev;
+
+ assert(kek_size == 16 && key_wrapped_size == 24 && key_buf_size == 16);
+
+ r = crypt_cipher_init(&cipher, "aes", "ecb", kek, kek_size);
+ if (r < 0)
+ goto out;
+
+ cipher_in = malloc(16);
+ if (cipher_in == NULL) {
+ r = -ENOMEM;
+ goto out;
+ }
+
+ cipher_out = malloc(16);
+ if (cipher_out == NULL) {
+ r = -ENOMEM;
+ goto out;
+ }
+
+ /* CHAPTER 6.1, ALGORITHM 2: W^-1(C) */
+
+ /* initialize variables */
+ a = ((const uint64_t *)key_wrapped)[0]; /* A = C_1 (see step 1c) */
+ r2 = ((const uint64_t *)key_wrapped)[1]; /* R_1 = C_2 (see step 1d) */
+ r3 = ((const uint64_t *)key_wrapped)[2]; /* R_2 = C_3 (see step 1d) */
+
+ /* calculate intermediate values for each t = s, ..., 1 (see step 2),
+ where s = 6 * (n - 1) (see step 1a) */
+ for (t = 6 * (3 - 1); t > 0; t--) {
+ /* store current R2 for later assignment (see step 2c) */
+ r2_prev = r2;
+
+ /* prepare input for CIPH^{-1}_K (see steps 2a, 2b) */
+ ((uint64_t *)cipher_in)[0] = a ^ cpu_to_be64(t);
+ ((uint64_t *)cipher_in)[1] = r3;
+
+ /* A||R2 = CIPH^{-1}_K(...) (see steps 2a, 2b) */
+ r = crypt_cipher_decrypt(cipher, cipher_in, cipher_out, 16, NULL, 0);
+ if (r < 0)
+ goto out;
+ a = ((uint64_t *)cipher_out)[0];
+ r2 = ((uint64_t *)cipher_out)[1];
+
+ /* assign previous R2 (see step 2c) */
+ r3 = r2_prev;
+ }
+
+ /* note that A||R_1||R_2 holds the result S (see step 3) */
+
+ /* CHAPTER 6.2, ALGORITHM 4: KW-AD(C) */
+
+ /* check whether MSB_{64}(S) (= A) matches ICV1 (see step 3) */
+ if (a != 0xA6A6A6A6A6A6A6A6) {
+ r = -EPERM;
+ goto out;
+ }
+
+ /* return LSB_{128}(S) (= R_1||R_2) (see step 4) */
+ ((uint64_t *)key_buf)[0] = r2;
+ ((uint64_t *)key_buf)[1] = r3;
+out:
+ free(cipher_in);
+ free(cipher_out);
+ if (cipher != NULL)
+ crypt_cipher_destroy(cipher);
+ return r;
+}
+
+/**
+ * Search XML plist data for a property and return its value.
+ * @param[in] xml a 0-terminated string containing the XML plist data
+ * @param[in] prop_key a 0-terminated string with the seeked property's key
+ * @param[in] prop_type a 0-terminated string with the seeked property's type
+ * @param[out] value a 0-terminated string with the found property's value
+ */
+static int _search_xml(
+ const char *xml,
+ const char *prop_key,
+ const char *prop_type,
+ char **value)
+{
+ int r = 0;
+ char *pattern = NULL;
+ bool regex_ready = false;
+ regex_t regex;
+ regmatch_t match[2];
+ const char *value_start;
+ size_t value_len;
+
+ if (asprintf(&pattern, "<key>%s</key><%s[^>]*>([^<]+)</%s>",
+ prop_key, prop_type, prop_type) < 0) {
+ r = -ENOMEM;
+ goto out;
+ }
+
+ if (regcomp(&regex, pattern, REG_EXTENDED) != 0) {
+ r = -EINVAL;
+ goto out;
+ }
+
+ regex_ready = true;
+
+ if (regexec(&regex, xml, 2, match, 0) != 0) {
+ r = -EINVAL;
+ goto out;
+ }
+
+ value_start = xml + match[1].rm_so;
+ value_len = match[1].rm_eo - match[1].rm_so;
+
+ *value = calloc(value_len + 1, 1);
+ if (*value == NULL) {
+ r = -ENOMEM;
+ goto out;
+ }
+
+ memcpy(*value, value_start, value_len);
+out:
+ free(pattern);
+ if (regex_ready)
+ regfree(&regex);
+ return r;
+}
+
+/**
+ * Extract relevant info from a metadata block of type 0x0019.
+ * @param[in] md_block the pre-read and decrypted metadata block
+ * @param[out] pbkdf2_iters number of PBKDF2 iterations
+ * @param[out] pbkdf2_salt PBKDF2 salt (intermt. key derivation from passphrase)
+ * @param[out] wrapped_kek KEK AES-wrapped with passphrase-derived key
+ * @param[out] wrapped_vk volume key AES-wrapped with KEK
+ */
+static int _parse_metadata_block_0x0019(
+ const struct metadata_block_0x0019 *md_block,
+ uint32_t *pbkdf2_iters,
+ uint8_t *pbkdf2_salt,
+ uint8_t *wrapped_kek,
+ uint8_t *wrapped_vk)
+{
+ int r = 0;
+ char *xml = NULL;
+ char *pwk_base64 = NULL;
+ char *kwvk_base64 = NULL;
+ struct passphrase_wrapped_kek *pwk = NULL;
+ struct kek_wrapped_volume_key *kwvk = NULL;
+ size_t decoded_size;
+ uint32_t xml_off = le32_to_cpu(md_block->xml_off);
+ uint32_t xml_size = le32_to_cpu(md_block->xml_size);
+
+ if (xml_off + xml_size > FVAULT2_MD_BLOCK_SIZE)
+ return -EINVAL;
+
+ xml = strndup((const char *)md_block + xml_off, xml_size);
+ if (xml == NULL)
+ return -ENOMEM;
+
+ r = _search_xml(xml, "PassphraseWrappedKEKStruct", "data", &pwk_base64);
+ if (r < 0)
+ goto out;
+ r = crypt_base64_decode((char **)&pwk, &decoded_size, pwk_base64, strlen(pwk_base64));
+ if (r < 0)
+ goto out;
+ if (decoded_size != FVAULT2_PWK_SIZE) {
+ r = -EINVAL;
+ goto out;
+ }
+
+ r = _search_xml(xml, "KEKWrappedVolumeKeyStruct", "data", &kwvk_base64);
+ if (r < 0)
+ goto out;
+ r = crypt_base64_decode((char **)&kwvk, &decoded_size, kwvk_base64, strlen(kwvk_base64));
+ if (r < 0)
+ goto out;
+ if (decoded_size != FVAULT2_KWVK_SIZE) {
+ r = -EINVAL;
+ goto out;
+ }
+
+ *pbkdf2_iters = le32_to_cpu(pwk->pbkdf2_iters);
+ memcpy(pbkdf2_salt, pwk->pbkdf2_salt, FVAULT2_PBKDF2_SALT_SIZE);
+ memcpy(wrapped_kek, pwk->wrapped_kek, FVAULT2_WRAPPED_KEY_SIZE);
+ memcpy(wrapped_vk, kwvk->wrapped_vk, FVAULT2_WRAPPED_KEY_SIZE);
+out:
+ free(xml);
+ free(pwk_base64);
+ free(kwvk_base64);
+ free(pwk);
+ free(kwvk);
+ return r;
+}
+
+/**
+ * Validate a UUID string and reformat it to match system defaults.
+ * @param[in] uuid_in the original UUID string
+ * @param[out] uuid_out the reformatted UUID string
+ */
+static int _reformat_uuid(
+ const char *uuid_in,
+ char *uuid_out)
+{
+ uint8_t uuid_bin[FVAULT2_UUID_LEN];
+ int r;
+
+ r = uuid_parse(uuid_in, uuid_bin);
+ if (r < 0)
+ return -EINVAL;
+
+ uuid_unparse(uuid_bin, uuid_out);
+ return 0;
+}
+
+/**
+ * Extract relevant info from a metadata block of type 0x001A.
+ * @param[in] md_block the pre-read and decrypted metadata block
+ * @param[out] log_vol_size encrypted logical volume size in bytes
+ * @param[out] family_uuid logical volume family UUID
+ */
+static int _parse_metadata_block_0x001a(
+ const struct metadata_block_0x001a *md_block,
+ uint64_t *log_vol_size,
+ char *family_uuid)
+{
+ int r = 0;
+ char *xml = NULL;
+ char *log_vol_size_str = NULL;
+ char *family_uuid_str = NULL;
+ uint32_t xml_off = le32_to_cpu(md_block->xml_off);
+ uint32_t xml_size = le32_to_cpu(md_block->xml_size);
+
+ if (xml_off + xml_size > FVAULT2_MD_BLOCK_SIZE)
+ return -EINVAL;
+
+ xml = strndup((const char *)md_block + xml_off, xml_size);
+ if (xml == NULL)
+ return -ENOMEM;
+
+ r = _search_xml(xml, "com.apple.corestorage.lv.size", "integer", &log_vol_size_str);
+ if (r < 0)
+ goto out;
+ *log_vol_size = strtoull(log_vol_size_str, NULL, 16);
+ if (*log_vol_size == 0 || *log_vol_size == ULLONG_MAX) {
+ r = -EINVAL;
+ goto out;
+ }
+
+ r = _search_xml(xml, "com.apple.corestorage.lv.familyUUID", "string", &family_uuid_str);
+ if (r < 0)
+ goto out;
+ r = _reformat_uuid(family_uuid_str, family_uuid);
+ if (r < 0)
+ goto out;
+out:
+ free(xml);
+ free(log_vol_size_str);
+ free(family_uuid_str);
+ return r;
+}
+
+/**
+ * Extract relevant info from a metadata block of type 0x0305.
+ * @param[in] md_block the pre-read and decrypted metadata block
+ * @param[out] log_vol_blkoff block-offset of the encrypted logical volume
+ */
+static int _parse_metadata_block_0x0305(
+ const struct metadata_block_0x0305 *md_block,
+ uint32_t *log_vol_blkoff)
+{
+ *log_vol_blkoff = le32_to_cpu(md_block->log_vol_blkoff);
+ return 0;
+}
+
+/**
+ * Extract relevant info from the physical volume header.
+ * @param[in] devfd opened device file descriptor
+ * @param[in] cd crypt_device passed into FVAULT2_read_metadata
+ * @param[out] block_size used to compute byte-offsets from block-offsets
+ * @param[out] disklbl_blkoff block-offset of the disk label block
+ * @param[out] ph_vol_uuid physical volume UUID
+ * @param[out] enc_md_key AES-XTS key used to decrypt the encrypted metadata
+ */
+static int _read_volume_header(
+ int devfd,
+ struct crypt_device *cd,
+ uint64_t *block_size,
+ uint64_t *disklbl_blkoff,
+ char *ph_vol_uuid,
+ struct volume_key **enc_md_key)
+{
+ int r = 0;
+ struct device *dev = crypt_metadata_device(cd);
+ struct volume_header *vol_header = NULL;
+
+ assert(sizeof(*vol_header) == FVAULT2_VOL_HEADER_SIZE);
+
+ vol_header = malloc(FVAULT2_VOL_HEADER_SIZE);
+ if (vol_header == NULL) {
+ r = -ENOMEM;
+ goto out;
+ }
+
+ log_dbg(cd, "Reading FVAULT2 volume header of size %u bytes.", FVAULT2_VOL_HEADER_SIZE);
+ if (read_blockwise(devfd, device_block_size(cd, dev),
+ device_alignment(dev), vol_header,
+ FVAULT2_VOL_HEADER_SIZE) != FVAULT2_VOL_HEADER_SIZE) {
+ log_err(cd, _("Could not read %u bytes of volume header."), FVAULT2_VOL_HEADER_SIZE);
+ r = -EIO;
+ goto out;
+ }
+
+ r = _check_crc(vol_header, FVAULT2_VOL_HEADER_SIZE);
+ if (r < 0) {
+ log_dbg(cd, "CRC mismatch.");
+ goto out;
+ }
+
+ if (le16_to_cpu(vol_header->version) != 1) {
+ log_err(cd, _("Unsupported FVAULT2 version %" PRIu16 "."),
+ le16_to_cpu(vol_header->version));
+ r = -EINVAL;
+ goto out;
+ }
+
+ if (be16_to_cpu(vol_header->magic) != FVAULT2_CORE_STORAGE_MAGIC) {
+ log_dbg(cd, "Invalid Core Storage magic bytes.");
+ r = -EINVAL;
+ goto out;
+ }
+
+ if (le32_to_cpu(vol_header->key_data_size) != FVAULT2_AES_KEY_SIZE) {
+ log_dbg(cd, "Unsupported AES key size: %" PRIu32 " bytes.",
+ le32_to_cpu(vol_header->key_data_size));
+ r = -EINVAL;
+ goto out;
+ }
+
+ *enc_md_key = crypt_alloc_volume_key(FVAULT2_XTS_KEY_SIZE, NULL);
+ if (*enc_md_key == NULL) {
+ r = -ENOMEM;
+ goto out;
+ }
+
+ *block_size = le32_to_cpu(vol_header->block_size);
+ *disklbl_blkoff = le64_to_cpu(vol_header->disklbl_blkoff);
+ uuid_unparse(vol_header->ph_vol_uuid, ph_vol_uuid);
+ memcpy((*enc_md_key)->key, vol_header->key_data, FVAULT2_AES_KEY_SIZE);
+ memcpy((*enc_md_key)->key + FVAULT2_AES_KEY_SIZE,
+ vol_header->ph_vol_uuid, FVAULT2_AES_KEY_SIZE);
+out:
+ free(vol_header);
+ return r;
+}
+
+/**
+ * Extract info from the disk label block and the volume groups descriptor.
+ * @param[in] devfd opened device file descriptor
+ * @param[in] cd crypt_device passed into FVAULT2_read_metadata
+ * @param[in] block_size used to compute byte-offsets from block-offsets
+ * @param[in] disklbl_blkoff block-offset of the disk label block
+ * @param[out] enc_md_blkoff block-offset of the encrypted metadata
+ * @param[out] enc_md_blocks_n total count of encrypted metadata blocks
+ */
+static int _read_disklabel(
+ int devfd,
+ struct crypt_device *cd,
+ uint64_t block_size,
+ uint64_t disklbl_blkoff,
+ uint64_t *enc_md_blkoff,
+ uint64_t *enc_md_blocks_n)
+{
+ int r = 0;
+ uint64_t off;
+ ssize_t size;
+ void *md_block = NULL;
+ struct metadata_block_0x0011 *md_block_11;
+ struct volume_groups_descriptor *vol_gr_des = NULL;
+ struct device *dev = crypt_metadata_device(cd);
+
+ md_block = malloc(FVAULT2_MD_BLOCK_SIZE);
+ if (md_block == NULL) {
+ r = -ENOMEM;
+ goto out;
+ }
+
+ if (uint64_mult_overflow(&off, disklbl_blkoff, block_size) ||
+ off > FVAULT2_MAX_OFF) {
+ log_dbg(cd, "Device offset overflow.");
+ r = -EINVAL;
+ goto out;
+ }
+ size = FVAULT2_MD_BLOCK_SIZE;
+ log_dbg(cd, "Reading FVAULT2 disk label header of size %zu bytes.", size);
+ if (read_lseek_blockwise(devfd, device_block_size(cd, dev),
+ device_alignment(dev), md_block, size, off) != size) {
+ r = -EIO;
+ goto out;
+ }
+
+ r = _check_crc(md_block, FVAULT2_MD_BLOCK_SIZE);
+ if (r < 0) {
+ log_dbg(cd, "CRC mismatch.");
+ goto out;
+ }
+
+ vol_gr_des = malloc(sizeof(*vol_gr_des));
+ if (vol_gr_des == NULL) {
+ r = -ENOMEM;
+ goto out;
+ }
+
+ md_block_11 = md_block;
+ off += le32_to_cpu(md_block_11->vol_gr_des_off);
+ if (off > FVAULT2_MAX_OFF) {
+ log_dbg(cd, "Device offset overflow.");
+ r = -EINVAL;
+ goto out;
+ }
+ size = sizeof(struct volume_groups_descriptor);
+ log_dbg(cd, "Reading FVAULT2 volume groups descriptor of size %zu bytes.", size);
+ if (read_lseek_blockwise(devfd, device_block_size(cd, dev),
+ device_alignment(dev), vol_gr_des, size, off) != size) {
+ r = -EIO;
+ goto out;
+ }
+
+ *enc_md_blkoff = le64_to_cpu(vol_gr_des->enc_md_blkoff);
+ *enc_md_blocks_n = le64_to_cpu(vol_gr_des->enc_md_blocks_n);
+out:
+ free(md_block);
+ free(vol_gr_des);
+ return r;
+}
+
+/**
+ * Extract info from relevant encrypted metadata blocks.
+ * @param[in] devfd opened device file descriptor
+ * @param[in] cd crypt_device passed into FVAULT2_read_metadata
+ * @param[in] block_size used to compute byte-offsets from block-offsets
+ * @param[in] start_blkoff block-offset of the start of the encrypted metadata
+ * @param[in] blocks_n total count of encrypted metadata blocks
+ * @param[in] key AES-XTS key for decryption
+ * @param[out] params decryption parameters struct to fill
+ */
+static int _read_encrypted_metadata(
+ int devfd,
+ struct crypt_device *cd,
+ uint64_t block_size,
+ uint64_t start_blkoff,
+ uint64_t blocks_n,
+ const struct volume_key *key,
+ struct fvault2_params *params)
+{
+ int r = 0;
+ int status = FVAULT2_ENC_MD_PARSED_NONE;
+ struct device *dev = crypt_metadata_device(cd);
+ struct crypt_cipher *cipher = NULL;
+ void *tweak;
+ void *md_block_enc = NULL;
+ void *md_block = NULL;
+ struct metadata_block_header *md_block_header;
+ uint32_t log_vol_blkoff;
+ uint64_t i, start_off;
+ off_t off;
+ unsigned int block_type;
+
+ tweak = calloc(FVAULT2_XTS_TWEAK_SIZE, 1);
+ if (tweak == NULL) {
+ r = -ENOMEM;
+ goto out;
+ }
+
+ md_block_enc = malloc(FVAULT2_MD_BLOCK_SIZE);
+ if (md_block_enc == NULL) {
+ r = -ENOMEM;
+ goto out;
+ }
+
+ md_block = malloc(FVAULT2_MD_BLOCK_SIZE);
+ if (md_block == NULL) {
+ r = -ENOMEM;
+ goto out;
+ }
+
+ r = crypt_cipher_init(&cipher, "aes", "xts", key->key, FVAULT2_XTS_KEY_SIZE);
+ if (r < 0)
+ goto out;
+
+ if (uint64_mult_overflow(&start_off, start_blkoff, block_size) ||
+ start_off > FVAULT2_MAX_OFF) {
+ log_dbg(cd, "Device offset overflow.");
+ r = -EINVAL;
+ goto out;
+ }
+
+ log_dbg(cd, "Reading FVAULT2 encrypted metadata blocks.");
+ for (i = 0; i < blocks_n; i++) {
+ off = start_off + i * FVAULT2_MD_BLOCK_SIZE;
+ if (off > FVAULT2_MAX_OFF) {
+ log_dbg(cd, "Device offset overflow.");
+ r = -EINVAL;
+ goto out;
+ }
+ if (read_lseek_blockwise(devfd, device_block_size(cd, dev),
+ device_alignment(dev), md_block_enc,
+ FVAULT2_MD_BLOCK_SIZE, off)
+ != FVAULT2_MD_BLOCK_SIZE) {
+ r = -EIO;
+ goto out;
+ }
+
+ if (_filled_with(0, md_block_enc, FVAULT2_MD_BLOCK_SIZE))
+ break;
+
+ *(uint64_t *)tweak = cpu_to_le64(i);
+ r = crypt_cipher_decrypt(cipher, md_block_enc, md_block,
+ FVAULT2_MD_BLOCK_SIZE, tweak, FVAULT2_XTS_TWEAK_SIZE);
+ if (r < 0)
+ goto out;
+
+ r = _check_crc(md_block, FVAULT2_MD_BLOCK_SIZE);
+ if (r < 0) {
+ log_dbg(cd, "CRC mismatch.");
+ goto out;
+ }
+
+ md_block_header = md_block;
+ block_type = le16_to_cpu(md_block_header->block_type);
+ switch (block_type) {
+ case 0x0019:
+ log_dbg(cd, "Get FVAULT2 metadata block %" PRIu64 " type 0x0019.", i);
+ r = _parse_metadata_block_0x0019(md_block,
+ &params->pbkdf2_iters,
+ (uint8_t *)params->pbkdf2_salt,
+ (uint8_t *)params->wrapped_kek,
+ (uint8_t *)params->wrapped_vk);
+ if (r < 0)
+ goto out;
+ status |= FVAULT2_ENC_MD_PARSED_0x0019;
+ break;
+
+ case 0x001A:
+ log_dbg(cd, "Get FVAULT2 metadata block %" PRIu64 " type 0x001A.", i);
+ r = _parse_metadata_block_0x001a(md_block,
+ &params->log_vol_size,
+ params->family_uuid);
+ if (r < 0)
+ goto out;
+ status |= FVAULT2_ENC_MD_PARSED_0x001A;
+ break;
+
+ case 0x0305:
+ log_dbg(cd, "Get FVAULT2 metadata block %" PRIu64 " type 0x0305.", i);
+ r = _parse_metadata_block_0x0305(md_block,
+ &log_vol_blkoff);
+ if (r < 0)
+ goto out;
+ if (uint64_mult_overflow(&params->log_vol_off,
+ log_vol_blkoff, block_size)) {
+ log_dbg(cd, "Device offset overflow.");
+ r = -EINVAL;
+ goto out;
+ }
+ status |= FVAULT2_ENC_MD_PARSED_0x0305;
+ break;
+ }
+ }
+
+ if (status != FVAULT2_ENC_MD_PARSED_ALL) {
+ log_dbg(cd, "Necessary FVAULT2 metadata blocks not found.");
+ r = -EINVAL;
+ goto out;
+ }
+out:
+ free(tweak);
+ free(md_block_enc);
+ free(md_block);
+ if (cipher != NULL)
+ crypt_cipher_destroy(cipher);
+ return r;
+}
+
+/**
+ * Activate device.
+ * @param[in] cd crypt_device struct passed into FVAULT2_activate_by_*
+ * @param[in] name name of the mapped device
+ * @param[in] vol_key the pre-derived AES-XTS volume key
+ * @param[in] params logical volume decryption parameters
+ * @param[in] flags flags assigned to the crypt_dm_active_device struct
+ */
+static int _activate(
+ struct crypt_device *cd,
+ const char *name,
+ struct volume_key *vol_key,
+ const struct fvault2_params *params,
+ uint32_t flags)
+{
+ int r = 0;
+ char *cipher = NULL;
+ struct crypt_dm_active_device dm_dev = {
+ .flags = flags,
+ .size = params->log_vol_size / SECTOR_SIZE
+ };
+
+ r = device_block_adjust(cd, crypt_data_device(cd), DEV_EXCL,
+ crypt_get_data_offset(cd), &dm_dev.size, &dm_dev.flags);
+ if (r)
+ return r;
+
+ if (asprintf(&cipher, "%s-%s", params->cipher, params->cipher_mode) < 0)
+ return -ENOMEM;
+
+ r = dm_crypt_target_set(&dm_dev.segment, 0, dm_dev.size,
+ crypt_data_device(cd), vol_key, cipher,
+ crypt_get_iv_offset(cd), crypt_get_data_offset(cd),
+ crypt_get_integrity(cd), crypt_get_integrity_tag_size(cd),
+ crypt_get_sector_size(cd));
+
+ if (!r)
+ r = dm_create_device(cd, name, CRYPT_FVAULT2, &dm_dev);
+
+ dm_targets_free(cd, &dm_dev);
+ free(cipher);
+ return r;
+}
+
+int FVAULT2_read_metadata(
+ struct crypt_device *cd,
+ struct fvault2_params *params)
+{
+ int r = 0;
+ int devfd;
+ uint64_t block_size;
+ uint64_t disklbl_blkoff;
+ uint64_t enc_md_blkoff;
+ uint64_t enc_md_blocks_n;
+ struct volume_key *enc_md_key = NULL;
+ struct device *device = crypt_metadata_device(cd);
+
+ devfd = device_open(cd, device, O_RDONLY);
+ if (devfd < 0) {
+ log_err(cd, _("Cannot open device %s."), device_path(device));
+ return -EIO;
+ }
+
+ r = _read_volume_header(devfd, cd, &block_size, &disklbl_blkoff,
+ params->ph_vol_uuid, &enc_md_key);
+ if (r < 0)
+ goto out;
+
+ r = _read_disklabel(devfd, cd, block_size, disklbl_blkoff,
+ &enc_md_blkoff, &enc_md_blocks_n);
+ if (r < 0)
+ goto out;
+
+ r = _read_encrypted_metadata(devfd, cd, block_size, enc_md_blkoff,
+ enc_md_blocks_n, enc_md_key, params);
+ if (r < 0)
+ goto out;
+
+ params->cipher = "aes";
+ params->cipher_mode = "xts-plain64";
+ params->key_size = FVAULT2_XTS_KEY_SIZE;
+out:
+ crypt_free_volume_key(enc_md_key);
+ return r;
+}
+
+int FVAULT2_get_volume_key(
+ struct crypt_device *cd,
+ const char *passphrase,
+ size_t passphrase_len,
+ const struct fvault2_params *params,
+ struct volume_key **vol_key)
+{
+ int r = 0;
+ uint8_t family_uuid_bin[FVAULT2_UUID_BIN_SIZE];
+ struct volume_key *passphrase_key = NULL;
+ struct volume_key *kek = NULL;
+ struct crypt_hash *hash = NULL;
+
+ *vol_key = NULL;
+
+ if (uuid_parse(params->family_uuid, family_uuid_bin) < 0) {
+ log_dbg(cd, "Could not parse logical volume family UUID: %s.",
+ params->family_uuid);
+ r = -EINVAL;
+ goto out;
+ }
+
+ passphrase_key = crypt_alloc_volume_key(FVAULT2_AES_KEY_SIZE, NULL);
+ if (passphrase_key == NULL) {
+ r = -ENOMEM;
+ goto out;
+ }
+
+ r = crypt_pbkdf("pbkdf2", "sha256", passphrase, passphrase_len,
+ params->pbkdf2_salt, FVAULT2_PBKDF2_SALT_SIZE, passphrase_key->key,
+ FVAULT2_AES_KEY_SIZE, params->pbkdf2_iters, 0, 0);
+ if (r < 0)
+ goto out;
+
+ kek = crypt_alloc_volume_key(FVAULT2_AES_KEY_SIZE, NULL);
+ if (kek == NULL) {
+ r = -ENOMEM;
+ goto out;
+ }
+
+ r = _unwrap_key(passphrase_key->key, FVAULT2_AES_KEY_SIZE, params->wrapped_kek,
+ FVAULT2_WRAPPED_KEY_SIZE, kek->key, FVAULT2_AES_KEY_SIZE);
+ if (r < 0)
+ goto out;
+
+ *vol_key = crypt_alloc_volume_key(FVAULT2_XTS_KEY_SIZE, NULL);
+ if (*vol_key == NULL) {
+ r = -ENOMEM;
+ goto out;
+ }
+
+ r = _unwrap_key(kek->key, FVAULT2_AES_KEY_SIZE, params->wrapped_vk,
+ FVAULT2_WRAPPED_KEY_SIZE, (*vol_key)->key, FVAULT2_AES_KEY_SIZE);
+ if (r < 0)
+ goto out;
+
+ r = crypt_hash_init(&hash, "sha256");
+ if (r < 0)
+ goto out;
+ r = crypt_hash_write(hash, (*vol_key)->key, FVAULT2_AES_KEY_SIZE);
+ if (r < 0)
+ goto out;
+ r = crypt_hash_write(hash, (char *)family_uuid_bin,
+ FVAULT2_UUID_BIN_SIZE);
+ if (r < 0)
+ goto out;
+ r = crypt_hash_final(hash, (*vol_key)->key + FVAULT2_AES_KEY_SIZE,
+ FVAULT2_AES_KEY_SIZE);
+ if (r < 0)
+ goto out;
+out:
+ crypt_free_volume_key(passphrase_key);
+ crypt_free_volume_key(kek);
+ if (r < 0) {
+ crypt_free_volume_key(*vol_key);
+ *vol_key = NULL;
+ }
+ if (hash != NULL)
+ crypt_hash_destroy(hash);
+ return r;
+}
+
+int FVAULT2_dump(
+ struct crypt_device *cd,
+ struct device *device,
+ const struct fvault2_params *params)
+{
+ log_std(cd, "Header information for FVAULT2 device %s.\n", device_path(device));
+
+ log_std(cd, "Physical volume UUID: \t%s\n", params->ph_vol_uuid);
+ log_std(cd, "Family UUID: \t%s\n", params->family_uuid);
+
+ log_std(cd, "Logical volume offset:\t%" PRIu64 " [bytes]\n", params->log_vol_off);
+
+ log_std(cd, "Logical volume size: \t%" PRIu64 " [bytes]\n",
+ params->log_vol_size);
+
+ log_std(cd, "Cipher: \t%s\n", params->cipher);
+ log_std(cd, "Cipher mode: \t%s\n", params->cipher_mode);
+
+ log_std(cd, "PBKDF2 iterations: \t%" PRIu32 "\n", params->pbkdf2_iters);
+
+ log_std(cd, "PBKDF2 salt: \t");
+ crypt_log_hex(cd, params->pbkdf2_salt, FVAULT2_PBKDF2_SALT_SIZE, " ", 0, NULL);
+ log_std(cd, "\n");
+
+ return 0;
+}
+
+int FVAULT2_activate_by_passphrase(
+ struct crypt_device *cd,
+ const char *name,
+ const char *passphrase,
+ size_t passphrase_len,
+ const struct fvault2_params *params,
+ uint32_t flags)
+{
+ int r;
+ struct volume_key *vol_key = NULL;
+
+ r = FVAULT2_get_volume_key(cd, passphrase, passphrase_len, params, &vol_key);
+ if (r < 0)
+ return r;
+
+ if (name)
+ r = _activate(cd, name, vol_key, params, flags);
+
+ crypt_free_volume_key(vol_key);
+ return r;
+}
+
+int FVAULT2_activate_by_volume_key(
+ struct crypt_device *cd,
+ const char *name,
+ const char *key,
+ size_t key_size,
+ const struct fvault2_params *params,
+ uint32_t flags)
+{
+ int r = 0;
+ struct volume_key *vol_key = NULL;
+
+ if (key_size != FVAULT2_XTS_KEY_SIZE)
+ return -EINVAL;
+
+ vol_key = crypt_alloc_volume_key(FVAULT2_XTS_KEY_SIZE, key);
+ if (vol_key == NULL)
+ return -ENOMEM;
+
+ r = _activate(cd, name, vol_key, params, flags);
+
+ crypt_free_volume_key(vol_key);
+ return r;
+}