/* * decrypt.c - Part of the Linux-NTFS project. * * Copyright (c) 2005 Yuval Fledel * * $EFS decryption routines. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program (in the main directory of the Linux-NTFS distribution * in the file COPYING); if not, write to the Free Software Foundation, * Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "config.h" #include #include #include #include #include "decrypt.h" #ifdef __CYGWIN__ //#define USE_CRYPTOAPI_RSA 1 #define _WIN32_WINNT 0x501 #define WINVER 0x501 #include #include /* Missing cygwin macros */ #ifndef CERT_SYSTEM_STORE_CURRENT_USER #define CERT_SYSTEM_STORE_CURRENT_USER 0x00010000 #endif #ifndef CERT_CLOSE_STORE_CHECK_FLAG #define CERT_CLOSE_STORE_CHECK_FLAG 2 #endif #ifndef CRYPT_ACQUIRE_CACHE_FLAG #define CRYPT_ACQUIRE_CACHE_FLAG 1 #endif /* windows 2k+ imports */ typedef BOOL (WINAPI *LPFN_CryptAcquireCertificatePrivateKey) (PCCERT_CONTEXT, DWORD, void *, HCRYPTPROV *, DWORD *, BOOL*); typedef BOOL (WINAPI *LPFN_CertCloseStore) (HCERTSTORE, DWORD); typedef PCCERT_CONTEXT (WINAPI *LPFN_CertFindCertificateInStore) (HCERTSTORE, DWORD, DWORD, DWORD, const void*, PCCERT_CONTEXT); typedef BOOL (WINAPI *LPFN_CertFreeCertificateContext) (PCCERT_CONTEXT); typedef HCERTSTORE (WINAPI *LPFN_CertOpenStore) (LPCSTR, DWORD, HCRYPTPROV, DWORD, const void*); // NT4SP3+ WINME or 95+ w/ IE5+ static LPFN_CryptAcquireCertificatePrivateKey fnCryptAcquireCertificatePrivateKey; // osr2+ NT4SP3+ or NT4 w/ IE3.02: static LPFN_CertCloseStore fnCertCloseStore; static LPFN_CertFindCertificateInStore fnCertFindCertificateInStore; static LPFN_CertFreeCertificateContext fnCertFreeCertificateContext; static LPFN_CertOpenStore fnCertOpenStore; /* global variable: handle to crypt32.dll */ static HMODULE hCrypt32 = INVALID_HANDLE_VALUE; #else /* defined(__CYGWIN__) */ #include #include /* If not one of the below three, use standard Des. */ #define CALG_3DES (0x6603) #define CALG_DESX (0x6604) #define CALG_AES_256 (0x6610) #endif /* defined(__CYGWIN__) */ /* This must be after windows.h include. */ #include "types.h" typedef struct { #ifdef __CYGWIN__ HCERTSTORE hSystemStore; #else int nothing; /* unused */ #endif /* defined(__CYGWIN__) */ } DECRYPT_SESSION; typedef struct { u64 desx_key[3]; u8 *key_data; u32 alg_id; gcry_cipher_hd_t gcry_cipher_hd; // handle to the decrypted FEK. gcry_sexp_t sexp_key; // the user's RSA key. #ifdef USE_CRYPTOAPI_RSA HCRYPTKEY hCryptKey; #endif /* defined(__CYGWIN__) */ } DECRYPT_KEY; #ifdef __CYGWIN__ static int cryptoAPI_init_imports(void) { if (hCrypt32 == INVALID_HANDLE_VALUE) hCrypt32 = LoadLibrary("crypt32.dll"); if (!fnCryptAcquireCertificatePrivateKey) fnCryptAcquireCertificatePrivateKey = (LPFN_CryptAcquireCertificatePrivateKey) GetProcAddress(hCrypt32, "CryptAcquireCertificatePrivateKey"); if (!fnCertCloseStore) fnCertCloseStore = (LPFN_CertCloseStore) GetProcAddress(hCrypt32, "CertCloseStore"); if (!fnCertFindCertificateInStore) fnCertFindCertificateInStore = (LPFN_CertFindCertificateInStore) GetProcAddress(hCrypt32, "CertFindCertificateInStore"); if (!fnCertFreeCertificateContext) fnCertFreeCertificateContext = (LPFN_CertFreeCertificateContext) GetProcAddress(hCrypt32, "CertFreeCertificateContext"); if (!fnCertOpenStore) fnCertOpenStore = (LPFN_CertOpenStore) GetProcAddress(hCrypt32, "CertOpenStore"); return fnCryptAcquireCertificatePrivateKey && fnCertCloseStore && fnCertFindCertificateInStore && fnCertFreeCertificateContext && fnCertOpenStore; } #endif /* defined(__CYGWIN__) */ decrypt_session *decrypt_open(void) { decrypt_session *session; gcry_control(GCRYCTL_DISABLE_SECMEM, 0); #ifdef __CYGWIN__ HCERTSTORE hSystemStore; if (!cryptoAPI_init_imports()) { fprintf(stderr, "Some imports do not exist.\n"); errno = -1; return NULL; } if (!(hSystemStore = fnCertOpenStore(((LPCSTR)CERT_STORE_PROV_SYSTEM), 0, (HCRYPTPROV)NULL, CERT_SYSTEM_STORE_CURRENT_USER, L"MY"))) { fprintf(stderr, "Could not open system store.\n"); errno = -1; return NULL; } #endif /* defined(__CYGWIN__) */ session = (decrypt_session *)malloc(sizeof(DECRYPT_SESSION)); #ifdef __CYGWIN__ ((DECRYPT_SESSION *)session)->hSystemStore = hSystemStore; #endif /* defined(__CYGWIN__) */ return session; } void decrypt_close(decrypt_session *session) { #ifdef __CYGWIN__ if (((DECRYPT_SESSION *)session)->hSystemStore) fnCertCloseStore(((DECRYPT_SESSION *)session)->hSystemStore, CERT_CLOSE_STORE_CHECK_FLAG); /* fixme: racy */ FreeLibrary(hCrypt32); hCrypt32 = INVALID_HANDLE_VALUE; #endif /* defined(__CYGWIN__) */ free(session); } static inline void reverse_buffer(unsigned char *buf, unsigned int buf_size) { unsigned char t; unsigned int i; for (i=0; ihSystemStore, (PKCS_7_ASN_ENCODING | X509_ASN_ENCODING), 0, CERT_FIND_HASH, &hash_blob, NULL))) { fprintf(stderr, "Could not find cert in store.\n"); goto decrypt_key_open_err; } dwKeySpec = AT_KEYEXCHANGE; if (!fnCryptAcquireCertificatePrivateKey(pCert, CRYPT_ACQUIRE_CACHE_FLAG, NULL, &hCryptProv, &dwKeySpec, &fCallerFreeProv)) { fprintf(stderr, "Could not aquire private key from cert.\n"); goto decrypt_key_open_err; } if (!CryptGetUserKey(hCryptProv, AT_KEYEXCHANGE, &hCryptKey)) { fprintf(stderr, "Could not aquire user key.\n"); goto decrypt_key_open_err; } key_size = sizeof(key_blob); if (!CryptExportKey(hCryptKey, 0, PRIVATEKEYBLOB, 0, key_blob, &key_size)) { fprintf(stderr, "Could not export key: Error 0x%x\n", (unsigned int)GetLastError()); errno = -1; return NULL; } if (!(key = (decrypt_key *)malloc(sizeof(DECRYPT_KEY)))) goto decrypt_key_open_err; #ifdef USE_CRYPTOAPI_RSA ((DECRYPT_KEY *)key)->hCryptKey = hCryptKey; #else RSAPUBKEY *rsa_pub_key = (RSAPUBKEY *)(key_blob + sizeof(PUBLICKEYSTRUC)); gcry_ac_handle_t gcry_handle; unsigned char *mpi_data; gcry_mpi_t n,e,d,p,q,u; gcry_sexp_t sexp_key; gcry_error_t err; size_t size; int rc; CryptDestroyKey(hCryptKey); if ((err = gcry_ac_open(&gcry_handle, GCRY_AC_RSA, 0))) { fprintf(stderr, "Could not init gcrypt handle\n"); errno = -1; return NULL; } e = gcry_mpi_set_ui(NULL, rsa_pub_key->pubexp); mpi_data = (key_blob + 0x14); size = rsa_pub_key->bitlen / 8; reverse_buffer(mpi_data, size); if ((rc = gcry_mpi_scan(&n, GCRYMPI_FMT_USG, mpi_data, size, &size))) { fprintf(stderr, "error scanning n.\n"); } mpi_data += (rsa_pub_key->bitlen / 8); size = rsa_pub_key->bitlen / 16; reverse_buffer(mpi_data, size); if ((rc = gcry_mpi_scan(&q, GCRYMPI_FMT_USG, mpi_data, size, &size))) { fprintf(stderr, "error scanning p.\n"); } mpi_data += (rsa_pub_key->bitlen / 16); size = rsa_pub_key->bitlen / 16; reverse_buffer(mpi_data, size); if ((rc = gcry_mpi_scan(&p, GCRYMPI_FMT_USG, mpi_data, size, &size))) { fprintf(stderr, "error scanning q.\n"); } mpi_data += (rsa_pub_key->bitlen / 16)*3; size = rsa_pub_key->bitlen / 16; reverse_buffer(mpi_data, size); if ((rc = gcry_mpi_scan(&u, GCRYMPI_FMT_USG, mpi_data, size, &size))) { fprintf(stderr, "error scanning u.\n"); } mpi_data += (rsa_pub_key->bitlen / 16); size = rsa_pub_key->bitlen / 8; reverse_buffer(mpi_data, size); if ((rc = gcry_mpi_scan(&d, GCRYMPI_FMT_USG, mpi_data, size, &size))) { fprintf(stderr, "error scanning d.\n"); } if ((rc = gcry_sexp_build(&sexp_key, NULL, "(private-key (rsa (n %m) (e %m) (d %m) (p %m) (q %m) (u %m)))", n, e, d, p, q, u))) { fprintf(stderr, "Could build sexp from data, (error = 0x%x)\n", rc); errno = -1; return FALSE; } ((DECRYPT_KEY *)key)->sexp_key = sexp_key; // todo: release all #endif return key; decrypt_key_open_err: if (hCryptKey) CryptDestroyKey(hCryptKey); if (pCert) fnCertFreeCertificateContext(pCert); #endif // defined(__CYGWIN__) errno = ENOTSUP; return NULL; } void decrypt_user_key_close(decrypt_key *key) { DECRYPT_KEY *dkey = (DECRYPT_KEY *)key; if (dkey->gcry_cipher_hd) gcry_cipher_close(dkey->gcry_cipher_hd); free(key); } /** * decrypt_decrypt * * warning: decrypting into the input buffer! */ unsigned int decrypt_decrypt(decrypt_key *key, unsigned int data_size, unsigned char *data) { #ifdef USE_CRYPTOAPI_RSA DWORD size = data_size; if (!CryptDecrypt(((DECRYPT_KEY *)key)->hCryptKey, 0, TRUE, 0, data, &size)) { errno = -1; return 0; } return size; #else gcry_sexp_t sexp_plain_data, sexp_enc_data; gcry_ac_handle_t gcry_handle; gcry_mpi_t mpi_buf; gcry_ac_data_t in; gcry_error_t err; unsigned int size, padding_length, i; int rc; if ((err = gcry_ac_open(&gcry_handle, GCRY_AC_RSA, 0))) { fprintf(stderr, "Could not init gcrypt handle\n"); errno = -1; return FALSE; } if ((rc = gcry_ac_data_new(&in))) { fprintf(stderr, "error allocating 'in'.\n"); } reverse_buffer(data, data_size); size = data_size; if ((rc = gcry_mpi_scan(&mpi_buf, GCRYMPI_FMT_USG, data, (size_t)data_size, &size))) { fprintf(stderr, "error scanning 'in'.\n"); } if ((rc = gcry_sexp_build(&sexp_enc_data, &size, "(enc-val (flags) (rsa (a %m)))", mpi_buf))) { fprintf(stderr, "Could build sexp from data, (error = 0x%x)\n", rc); errno = -1; return FALSE; } if ((rc = gcry_pk_decrypt(&sexp_plain_data, sexp_enc_data, ((DECRYPT_KEY *)key)->sexp_key))) { fprintf(stderr, "Could not decrypt fek via s-exp, (error = 0x%x)\n", rc); errno = -1; return FALSE; } sexp_plain_data = gcry_sexp_find_token(sexp_plain_data, "value", 0); if (!mpi_buf) { fprintf(stderr, "Could find value in s-exp, (error = 0x%x)\n", rc); errno = -1; return FALSE; } mpi_buf = gcry_sexp_nth_mpi(sexp_plain_data, 1, GCRYMPI_FMT_USG); if ((rc = gcry_mpi_print(GCRYMPI_FMT_USG, data, data_size, &size, mpi_buf))) { fprintf(stderr, "Could copy decrypted data back, (error = 0x%x)\n", rc); errno = -1; return FALSE; } // remove the pkcs1 padding for (padding_length = 1;(padding_lengthdata // todo: release all gcry_ac_data_destroy(in); return size - padding_length; #endif // USER_CRYPTOAPI_RSA (else) } static BOOL is_first = TRUE; unsigned int decrypt_decrypt_sector(decrypt_key *key, void *data, unsigned long long offset) { gcry_error_t gcry_error2; DECRYPT_KEY *dkey = (DECRYPT_KEY *)key; // FIXME: Why are we not calling gcry_cipher_setiv() here instead of // doing it by hand after the decryption? // It wants iv length 8 but we give it 16 for AES256 so it does not // like it... if (dkey->alg_id != CALG_DESX) { if ((gcry_error2 = gcry_cipher_reset(dkey->gcry_cipher_hd))) fprintf(stderr, "gcry_error2 is %u.\n", gcry_error2); if ((gcry_error2 = gcry_cipher_decrypt(dkey->gcry_cipher_hd, data, 512, NULL, 0))) fprintf(stderr, "gcry_error2 is %u.\n", gcry_error2); } else { u64 *pos; /* Set @pos to last eight bytes of sector @data. */ pos = (u64*)(data + 512 - 8); do { if ((gcry_error2 = gcry_cipher_reset( dkey->gcry_cipher_hd))) fprintf(stderr, "gcry_error2 is %u.\n", gcry_error2); if (is_first) { fprintf(stderr, "encrypted data = 0x%llx\n", *pos); fprintf(stderr, "in-whitening = 0x%llx\n", dkey->desx_key[1]); } /* Apply in-whitening. */ *pos ^= dkey->desx_key[1]; if (is_first) fprintf(stderr, "whitened data = 0x%llx\n", *pos); /* Apply DES decyption. */ if ((gcry_error2 = gcry_cipher_decrypt( dkey->gcry_cipher_hd, (u8*)pos, 8, NULL, 0))) fprintf(stderr, "gcry_error2 is %u.\n", gcry_error2); if (is_first) { fprintf(stderr, "data after des = 0x%llx\n", *pos); fprintf(stderr, "out-whitening = 0x%llx\n", dkey->desx_key[2]); } /* Apply out-whitening. */ *pos ^= dkey->desx_key[2]; if (is_first) fprintf(stderr, "out-whitened data = 0x%llx\n", *pos); if (pos == (u64*)data) break; if (is_first) fprintf(stderr, "next encrypted data = " "0x%llx\n", *(pos - 1)); *pos ^= *(pos - 1); if (is_first) fprintf(stderr, "decrypted data = 0x%llx\n", *pos); pos--; is_first = FALSE; } while (1); } /* Apply the IV. */ if (dkey->alg_id == CALG_AES_256) { ((u64*)data)[0] ^= 0x5816657be9161312LL + offset; ((u64*)data)[1] ^= 0x1989adbe44918961LL + offset; } else { /* All other algos (Des, 3Des, DesX) use the same IV. */ ((u64*)data)[0] ^= 0x169119629891ad13LL + offset; } return 512; } /** * desx_key_expand - expand a 128-bit desx key to the needed 192-bit key * @src: source buffer containing 128-bit key * @dst: destination buffer to write 192-bit key to * * Expands the on-disk 128-bit desx key to the needed full 192-bit desx key * required to perform desx {de,en}cryption. * * FIXME: Is this endianness safe? I think so but I may be wrong... */ static void desx_key_expand(const u8 *src, u8* dst) { static const int salt_len = 12; static const u8 *salt1 = "Dan Simon "; static const u8 *salt2 = "Scott Field"; u8 md[16]; MD5_CTX ctx1, ctx2; MD5_Init(&ctx1); /* Hash the on-disk key. */ MD5_Update(&ctx1, src, 128 / 8); memcpy(&ctx2, &ctx1, sizeof(ctx1)); /* Hash with the first salt and store the result. */ MD5_Update(&ctx1, salt1, salt_len); MD5_Final(md, &ctx1); ((u32*)dst)[0] = ((u32*)md)[0] ^ ((u32*)md)[1]; ((u32*)dst)[1] = ((u32*)md)[2] ^ ((u32*)md)[3]; /* Hash with the second salt and store the result. */ MD5_Update(&ctx2, salt2, salt_len); MD5_Final(md, &ctx2); memcpy(dst + 8, md, sizeof(md)); return; } #define DO_CRYPTO_TESTS 1 #ifdef DO_CRYPTO_TESTS /* Do not remove this test code from this file! AIA */ static BOOL desx_key_expand_test(void) { const u8 known_desx_on_disk_key[16] = { 0xa1, 0xf9, 0xe0, 0xb2, 0x53, 0x23, 0x9e, 0x8f, 0x0f, 0x91, 0x45, 0xd9, 0x8e, 0x20, 0xec, 0x30 }; const u8 known_desx_expanded_key[24] = { 0x27, 0xd1, 0x93, 0x09, 0xcb, 0x78, 0x93, 0x1f, 0xed, 0xda, 0x4c, 0x47, 0x60, 0x49, 0xdb, 0x8d, 0x75, 0xf6, 0xa0, 0x1a, 0xc0, 0xca, 0x28, 0x1e }; u8 test_desx_expanded_key[24]; int res; desx_key_expand(known_desx_on_disk_key, test_desx_expanded_key); res = !memcmp(test_desx_expanded_key, known_desx_expanded_key, sizeof(known_desx_expanded_key)); fprintf(stderr, "Testing whether desx_key_expand() works: %s\n", res ? "SUCCESS" : "FAILED"); return res; } static BOOL des_test(void) { const u8 known_des_key[8] = { 0x27, 0xd1, 0x93, 0x09, 0xcb, 0x78, 0x93, 0x1f }; const u8 known_des_encrypted_data[8] = { 0xdc, 0xf7, 0x68, 0x2a, 0xaf, 0x48, 0x53, 0x0f }; const u8 known_decrypted_data[8] = { 0xd8, 0xd9, 0x15, 0x23, 0x5b, 0x88, 0x0e, 0x09 }; u8 test_decrypted_data[8]; int res; gcry_error_t gcry_error2; gcry_cipher_hd_t gcry_cipher_hd; if ((gcry_error2 = gcry_cipher_open(&gcry_cipher_hd, GCRY_CIPHER_DES, GCRY_CIPHER_MODE_ECB, 0)) != GPG_ERR_NO_ERROR) { fprintf(stderr, "Failed to open des cipher (gcry_error2 is " "%u).\n", gcry_error2); return FALSE; } if ((gcry_error2 = gcry_cipher_setkey(gcry_cipher_hd, known_des_key, sizeof(known_des_key)))) { fprintf(stderr, "Failed to set des key (gcry_error2 is %u).\n", gcry_error2); gcry_cipher_close(gcry_cipher_hd); return FALSE; } memcpy(test_decrypted_data, known_des_encrypted_data, sizeof(known_des_encrypted_data)); /* Apply DES decyption. */ gcry_error2 = gcry_cipher_decrypt(gcry_cipher_hd, test_decrypted_data, sizeof(test_decrypted_data), NULL, 0); gcry_cipher_close(gcry_cipher_hd); if (gcry_error2) { fprintf(stderr, "Failed to des decrypt test data (gcry_error2 " "is %u).\n", gcry_error2); return FALSE; } res = !memcmp(test_decrypted_data, known_decrypted_data, sizeof(known_decrypted_data)); fprintf(stderr, "Testing whether des decryption works: %s\n", res ? "SUCCESS" : "FAILED"); return res; } #else static inline BOOL desx_key_expand_test(void) { return TRUE; } static inline BOOL des_test(void) { return TRUE; } #endif decrypt_key *decrypt_make_key(decrypt_session *session __attribute__((unused)), unsigned int data_size __attribute__((unused)), unsigned char *data) { DECRYPT_KEY *key; unsigned int key_size, gcry_algo; int gcry_length, gcry_mode; gcry_error_t gcry_error2; key_size = *(u32*)data; if (!(key = (DECRYPT_KEY *)malloc(sizeof(DECRYPT_KEY)))) { errno = -1; return NULL; } key->alg_id = *(u32*)(data + 8); key->key_data = data + 16; gcry_mode = GCRY_CIPHER_MODE_CBC; switch (key->alg_id) { case CALG_DESX: if (!desx_key_expand_test()) { free(key); errno = -1; return NULL; } fprintf(stderr, "DESX key of %u bytes\n", key_size); fprintf(stderr, "on-disk key (hex) = 0x%llx, 0x%llx\n", *(u64*)key->key_data, *(u64*)(key->key_data+8)); desx_key_expand(key->key_data, (u8*)&key->desx_key); fprintf(stderr, "expanded keys (hex) =\n\t0x%llx (des)\n\t" "0x%llx (in-whitening)\n\t" "0x%llx (out-whitening)\n", key->desx_key[0], key->desx_key[1], key->desx_key[2]); if (!des_test()) { free(key); errno = -1; return NULL; } key->key_data = (u8*)&key->desx_key[0]; gcry_mode = GCRY_CIPHER_MODE_ECB; gcry_length = 8; gcry_algo = GCRY_CIPHER_DES; is_first = TRUE; break; case CALG_3DES: fprintf(stderr, "3DES Key of %u bytes\n", key_size); gcry_length = 24; gcry_algo = GCRY_CIPHER_3DES; break; case CALG_AES_256: fprintf(stderr, "AES Key of %u bytes\n", key_size); gcry_length = 32; gcry_algo = GCRY_CIPHER_AES256; break; default: fprintf(stderr, "DES key of %u bytes\n", key_size); if (!des_test()) { free(key); errno = -1; return NULL; } gcry_length = 8; gcry_algo = GCRY_CIPHER_DES; break; } if ((gcry_error2 = gcry_cipher_open(&key->gcry_cipher_hd, gcry_algo, gcry_mode, 0)) != GPG_ERR_NO_ERROR) { fprintf(stderr, "gcry_error1 is %u.\n", gcry_error2); errno = -1; return 0; } if ((gcry_error2 = gcry_cipher_setkey(key->gcry_cipher_hd, key->key_data, gcry_length))) { fprintf(stderr, "gcry_error2 is %u.\n", gcry_error2); } return (decrypt_key *)key; }