1 /*- 2 * Copyright (c) 2016 Konrad Witaszczyk <def@FreeBSD.org> 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24 * SUCH DAMAGE. 25 */ 26 27 #include <sys/cdefs.h> 28 __FBSDID("$FreeBSD$"); 29 30 #include <sys/types.h> 31 #include <sys/capsicum.h> 32 #include <sys/endian.h> 33 #include <sys/kerneldump.h> 34 #include <sys/wait.h> 35 36 #include <ctype.h> 37 #include <capsicum_helpers.h> 38 #include <fcntl.h> 39 #include <stdbool.h> 40 #include <stdlib.h> 41 #include <string.h> 42 #include <unistd.h> 43 44 #include <openssl/evp.h> 45 #include <openssl/pem.h> 46 #include <openssl/rsa.h> 47 #include <openssl/engine.h> 48 49 #include "pjdlog.h" 50 51 #define DECRYPTCORE_CRASHDIR "/var/crash" 52 53 static void 54 usage(void) 55 { 56 57 pjdlog_exitx(1, 58 "usage: decryptcore [-fLv] -p privatekeyfile -k keyfile -e encryptedcore -c core\n" 59 " decryptcore [-fLv] [-d crashdir] -p privatekeyfile -n dumpnr"); 60 } 61 62 static int 63 wait_for_process(pid_t pid) 64 { 65 int status; 66 67 if (waitpid(pid, &status, WUNTRACED | WEXITED) == -1) { 68 pjdlog_errno(LOG_ERR, "Unable to wait for a child process"); 69 return (1); 70 } 71 72 if (WIFEXITED(status)) 73 return (WEXITSTATUS(status)); 74 75 return (1); 76 } 77 78 static struct kerneldumpkey * 79 read_key(int kfd) 80 { 81 struct kerneldumpkey *kdk; 82 ssize_t size; 83 size_t kdksize; 84 85 PJDLOG_ASSERT(kfd >= 0); 86 87 kdksize = sizeof(*kdk); 88 kdk = calloc(1, kdksize); 89 if (kdk == NULL) { 90 pjdlog_errno(LOG_ERR, "Unable to allocate kernel dump key"); 91 goto failed; 92 } 93 94 size = read(kfd, kdk, kdksize); 95 if (size == (ssize_t)kdksize) { 96 kdk->kdk_encryptedkeysize = dtoh32(kdk->kdk_encryptedkeysize); 97 kdksize += (size_t)kdk->kdk_encryptedkeysize; 98 kdk = realloc(kdk, kdksize); 99 if (kdk == NULL) { 100 pjdlog_errno(LOG_ERR, "Unable to reallocate kernel dump key"); 101 goto failed; 102 } 103 size += read(kfd, &kdk->kdk_encryptedkey, 104 kdk->kdk_encryptedkeysize); 105 } 106 if (size != (ssize_t)kdksize) { 107 pjdlog_errno(LOG_ERR, "Unable to read key"); 108 goto failed; 109 } 110 111 return (kdk); 112 failed: 113 free(kdk); 114 return (NULL); 115 } 116 117 static bool 118 decrypt(int ofd, const char *privkeyfile, const char *keyfile, 119 const char *input) 120 { 121 uint8_t buf[KERNELDUMP_BUFFER_SIZE], key[KERNELDUMP_KEY_MAX_SIZE], 122 chachaiv[4 * 4]; 123 EVP_CIPHER_CTX *ctx; 124 const EVP_CIPHER *cipher; 125 FILE *fp; 126 struct kerneldumpkey *kdk; 127 RSA *privkey; 128 int ifd, kfd, olen, privkeysize; 129 ssize_t bytes; 130 pid_t pid; 131 132 PJDLOG_ASSERT(ofd >= 0); 133 PJDLOG_ASSERT(privkeyfile != NULL); 134 PJDLOG_ASSERT(keyfile != NULL); 135 PJDLOG_ASSERT(input != NULL); 136 137 ctx = NULL; 138 privkey = NULL; 139 140 /* 141 * Decrypt a core dump in a child process so we can unlink a partially 142 * decrypted core if the child process fails. 143 */ 144 pid = fork(); 145 if (pid == -1) { 146 pjdlog_errno(LOG_ERR, "Unable to create child process"); 147 close(ofd); 148 return (false); 149 } 150 151 if (pid > 0) { 152 close(ofd); 153 return (wait_for_process(pid) == 0); 154 } 155 156 kfd = open(keyfile, O_RDONLY); 157 if (kfd == -1) { 158 pjdlog_errno(LOG_ERR, "Unable to open %s", keyfile); 159 goto failed; 160 } 161 ifd = open(input, O_RDONLY); 162 if (ifd == -1) { 163 pjdlog_errno(LOG_ERR, "Unable to open %s", input); 164 goto failed; 165 } 166 fp = fopen(privkeyfile, "r"); 167 if (fp == NULL) { 168 pjdlog_errno(LOG_ERR, "Unable to open %s", privkeyfile); 169 goto failed; 170 } 171 172 /* 173 * Obsolescent OpenSSL only knows about /dev/random, and needs to 174 * pre-seed before entering cap mode. For whatever reason, 175 * RSA_pub_encrypt uses the internal PRNG. 176 */ 177 #if OPENSSL_VERSION_NUMBER < 0x10100000L 178 { 179 unsigned char c[1]; 180 RAND_bytes(c, 1); 181 } 182 #endif 183 ERR_load_crypto_strings(); 184 185 caph_cache_catpages(); 186 if (caph_enter() < 0) { 187 pjdlog_errno(LOG_ERR, "Unable to enter capability mode"); 188 goto failed; 189 } 190 191 privkey = RSA_new(); 192 if (privkey == NULL) { 193 pjdlog_error("Unable to allocate an RSA structure: %s", 194 ERR_error_string(ERR_get_error(), NULL)); 195 goto failed; 196 } 197 ctx = EVP_CIPHER_CTX_new(); 198 if (ctx == NULL) 199 goto failed; 200 201 kdk = read_key(kfd); 202 close(kfd); 203 if (kdk == NULL) 204 goto failed; 205 206 privkey = PEM_read_RSAPrivateKey(fp, &privkey, NULL, NULL); 207 fclose(fp); 208 if (privkey == NULL) { 209 pjdlog_error("Unable to read data from %s.", privkeyfile); 210 goto failed; 211 } 212 213 privkeysize = RSA_size(privkey); 214 if (privkeysize != (int)kdk->kdk_encryptedkeysize) { 215 pjdlog_error("RSA modulus size mismatch: equals %db and should be %ub.", 216 8 * privkeysize, 8 * kdk->kdk_encryptedkeysize); 217 goto failed; 218 } 219 220 switch (kdk->kdk_encryption) { 221 case KERNELDUMP_ENC_AES_256_CBC: 222 cipher = EVP_aes_256_cbc(); 223 break; 224 case KERNELDUMP_ENC_CHACHA20: 225 cipher = EVP_chacha20(); 226 break; 227 default: 228 pjdlog_error("Invalid encryption algorithm."); 229 goto failed; 230 } 231 232 if (RSA_private_decrypt(kdk->kdk_encryptedkeysize, 233 kdk->kdk_encryptedkey, key, privkey, 234 RSA_PKCS1_OAEP_PADDING) != sizeof(key) && 235 /* Fallback to deprecated, formerly-used PKCS 1.5 padding. */ 236 RSA_private_decrypt(kdk->kdk_encryptedkeysize, 237 kdk->kdk_encryptedkey, key, privkey, 238 RSA_PKCS1_PADDING) != sizeof(key)) { 239 pjdlog_error("Unable to decrypt key: %s", 240 ERR_error_string(ERR_get_error(), NULL)); 241 goto failed; 242 } 243 RSA_free(privkey); 244 privkey = NULL; 245 246 if (kdk->kdk_encryption == KERNELDUMP_ENC_CHACHA20) { 247 /* 248 * OpenSSL treats the IV as 4 little-endian 32 bit integers. 249 * 250 * The first two represent a 64-bit counter, where the low half 251 * is the first 32-bit word. 252 * 253 * Start at counter block zero... 254 */ 255 memset(chachaiv, 0, 4 * 2); 256 /* 257 * And use the IV specified by the dump. 258 */ 259 memcpy(&chachaiv[4 * 2], kdk->kdk_iv, 4 * 2); 260 EVP_DecryptInit_ex(ctx, cipher, NULL, key, chachaiv); 261 } else 262 EVP_DecryptInit_ex(ctx, cipher, NULL, key, kdk->kdk_iv); 263 EVP_CIPHER_CTX_set_padding(ctx, 0); 264 265 explicit_bzero(key, sizeof(key)); 266 267 do { 268 bytes = read(ifd, buf, sizeof(buf)); 269 if (bytes < 0) { 270 pjdlog_errno(LOG_ERR, "Unable to read data from %s", 271 input); 272 goto failed; 273 } 274 275 if (bytes > 0) { 276 if (EVP_DecryptUpdate(ctx, buf, &olen, buf, 277 bytes) == 0) { 278 pjdlog_error("Unable to decrypt core."); 279 goto failed; 280 } 281 } else { 282 if (EVP_DecryptFinal_ex(ctx, buf, &olen) == 0) { 283 pjdlog_error("Unable to decrypt core."); 284 goto failed; 285 } 286 } 287 288 if (olen > 0 && write(ofd, buf, olen) != olen) { 289 pjdlog_errno(LOG_ERR, "Unable to write core"); 290 goto failed; 291 } 292 } while (bytes > 0); 293 294 explicit_bzero(buf, sizeof(buf)); 295 EVP_CIPHER_CTX_free(ctx); 296 exit(0); 297 failed: 298 explicit_bzero(key, sizeof(key)); 299 explicit_bzero(buf, sizeof(buf)); 300 RSA_free(privkey); 301 if (ctx != NULL) 302 EVP_CIPHER_CTX_free(ctx); 303 exit(1); 304 } 305 306 int 307 main(int argc, char **argv) 308 { 309 char core[PATH_MAX], encryptedcore[PATH_MAX], keyfile[PATH_MAX]; 310 const char *crashdir, *dumpnr, *privatekey; 311 int ch, debug, error, ofd; 312 size_t ii; 313 bool force, usesyslog; 314 315 error = 1; 316 317 pjdlog_init(PJDLOG_MODE_STD); 318 pjdlog_prefix_set("(decryptcore) "); 319 320 debug = 0; 321 *core = '\0'; 322 crashdir = NULL; 323 dumpnr = NULL; 324 *encryptedcore = '\0'; 325 force = false; 326 *keyfile = '\0'; 327 privatekey = NULL; 328 usesyslog = false; 329 while ((ch = getopt(argc, argv, "Lc:d:e:fk:n:p:v")) != -1) { 330 switch (ch) { 331 case 'L': 332 usesyslog = true; 333 break; 334 case 'c': 335 if (strlcpy(core, optarg, sizeof(core)) >= sizeof(core)) 336 pjdlog_exitx(1, "Core file path is too long."); 337 break; 338 case 'd': 339 crashdir = optarg; 340 break; 341 case 'e': 342 if (strlcpy(encryptedcore, optarg, 343 sizeof(encryptedcore)) >= sizeof(encryptedcore)) { 344 pjdlog_exitx(1, "Encrypted core file path is too long."); 345 } 346 break; 347 case 'f': 348 force = true; 349 break; 350 case 'k': 351 if (strlcpy(keyfile, optarg, sizeof(keyfile)) >= 352 sizeof(keyfile)) { 353 pjdlog_exitx(1, "Key file path is too long."); 354 } 355 break; 356 case 'n': 357 dumpnr = optarg; 358 break; 359 case 'p': 360 privatekey = optarg; 361 break; 362 case 'v': 363 debug++; 364 break; 365 default: 366 usage(); 367 } 368 } 369 argc -= optind; 370 argv += optind; 371 372 if (argc != 0) 373 usage(); 374 375 /* Verify mutually exclusive options. */ 376 if ((crashdir != NULL || dumpnr != NULL) && 377 (*keyfile != '\0' || *encryptedcore != '\0' || *core != '\0')) { 378 usage(); 379 } 380 381 /* 382 * Set key, encryptedcore and core file names using crashdir and dumpnr. 383 */ 384 if (dumpnr != NULL) { 385 for (ii = 0; ii < strnlen(dumpnr, PATH_MAX); ii++) { 386 if (isdigit((int)dumpnr[ii]) == 0) 387 usage(); 388 } 389 390 if (crashdir == NULL) 391 crashdir = DECRYPTCORE_CRASHDIR; 392 PJDLOG_VERIFY(snprintf(keyfile, sizeof(keyfile), 393 "%s/key.%s", crashdir, dumpnr) > 0); 394 PJDLOG_VERIFY(snprintf(core, sizeof(core), 395 "%s/vmcore.%s", crashdir, dumpnr) > 0); 396 PJDLOG_VERIFY(snprintf(encryptedcore, sizeof(encryptedcore), 397 "%s/vmcore_encrypted.%s", crashdir, dumpnr) > 0); 398 } 399 400 if (privatekey == NULL || *keyfile == '\0' || *encryptedcore == '\0' || 401 *core == '\0') { 402 usage(); 403 } 404 405 if (usesyslog) 406 pjdlog_mode_set(PJDLOG_MODE_SYSLOG); 407 pjdlog_debug_set(debug); 408 409 if (force && unlink(core) == -1 && errno != ENOENT) { 410 pjdlog_errno(LOG_ERR, "Unable to remove old core"); 411 goto out; 412 } 413 ofd = open(core, O_WRONLY | O_CREAT | O_EXCL, 0600); 414 if (ofd == -1) { 415 pjdlog_errno(LOG_ERR, "Unable to open %s", core); 416 goto out; 417 } 418 419 if (!decrypt(ofd, privatekey, keyfile, encryptedcore)) { 420 if (unlink(core) == -1 && errno != ENOENT) 421 pjdlog_errno(LOG_ERR, "Unable to remove core"); 422 goto out; 423 } 424 425 error = 0; 426 out: 427 pjdlog_fini(); 428 exit(error); 429 } 430