2 * Copyright (c) 2016 Konrad Witaszczyk <def@FreeBSD.org>
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 #include <sys/cdefs.h>
28 __FBSDID("$FreeBSD$");
30 #include <sys/types.h>
31 #include <sys/capsicum.h>
32 #include <sys/endian.h>
33 #include <sys/kerneldump.h>
34 #include <sys/sysctl.h>
38 #include <capsicum_helpers.h>
45 #include <openssl/evp.h>
46 #include <openssl/pem.h>
47 #include <openssl/rsa.h>
48 #include <openssl/engine.h>
52 #define DECRYPTCORE_CRASHDIR "/var/crash"
59 "usage: decryptcore [-fLv] -p privatekeyfile -k keyfile -e encryptedcore -c core\n"
60 " decryptcore [-fLv] [-d crashdir] -p privatekeyfile -n dumpnr");
64 wait_for_process(pid_t pid)
68 if (waitpid(pid, &status, WUNTRACED | WEXITED) == -1) {
69 pjdlog_errno(LOG_ERR, "Unable to wait for a child process");
73 if (WIFEXITED(status))
74 return (WEXITSTATUS(status));
79 static struct kerneldumpkey *
82 struct kerneldumpkey *kdk;
86 PJDLOG_ASSERT(kfd >= 0);
88 kdksize = sizeof(*kdk);
89 kdk = calloc(1, kdksize);
91 pjdlog_errno(LOG_ERR, "Unable to allocate kernel dump key");
95 size = read(kfd, kdk, kdksize);
96 if (size == (ssize_t)kdksize) {
97 kdk->kdk_encryptedkeysize = dtoh32(kdk->kdk_encryptedkeysize);
98 kdksize += (size_t)kdk->kdk_encryptedkeysize;
99 kdk = realloc(kdk, kdksize);
101 pjdlog_errno(LOG_ERR, "Unable to reallocate kernel dump key");
104 size += read(kfd, &kdk->kdk_encryptedkey,
105 kdk->kdk_encryptedkeysize);
107 if (size != (ssize_t)kdksize) {
108 pjdlog_errno(LOG_ERR, "Unable to read key");
119 decrypt(int ofd, const char *privkeyfile, const char *keyfile,
122 uint8_t buf[KERNELDUMP_BUFFER_SIZE], key[KERNELDUMP_KEY_MAX_SIZE],
125 const EVP_CIPHER *cipher;
127 struct kerneldumpkey *kdk;
129 int ifd, kfd, olen, privkeysize;
133 PJDLOG_ASSERT(ofd >= 0);
134 PJDLOG_ASSERT(privkeyfile != NULL);
135 PJDLOG_ASSERT(keyfile != NULL);
136 PJDLOG_ASSERT(input != NULL);
142 * Decrypt a core dump in a child process so we can unlink a partially
143 * decrypted core if the child process fails.
147 pjdlog_errno(LOG_ERR, "Unable to create child process");
154 return (wait_for_process(pid) == 0);
157 kfd = open(keyfile, O_RDONLY);
159 pjdlog_errno(LOG_ERR, "Unable to open %s", keyfile);
162 ifd = open(input, O_RDONLY);
164 pjdlog_errno(LOG_ERR, "Unable to open %s", input);
167 fp = fopen(privkeyfile, "r");
169 pjdlog_errno(LOG_ERR, "Unable to open %s", privkeyfile);
173 caph_cache_catpages();
174 if (caph_enter() < 0) {
175 pjdlog_errno(LOG_ERR, "Unable to enter capability mode");
180 if (privkey == NULL) {
181 pjdlog_error("Unable to allocate an RSA structure: %s",
182 ERR_error_string(ERR_get_error(), NULL));
185 ctx = EVP_CIPHER_CTX_new();
194 privkey = PEM_read_RSAPrivateKey(fp, &privkey, NULL, NULL);
196 if (privkey == NULL) {
197 pjdlog_error("Unable to read data from %s.", privkeyfile);
201 privkeysize = RSA_size(privkey);
202 if (privkeysize != (int)kdk->kdk_encryptedkeysize) {
203 pjdlog_error("RSA modulus size mismatch: equals %db and should be %ub.",
204 8 * privkeysize, 8 * kdk->kdk_encryptedkeysize);
208 switch (kdk->kdk_encryption) {
209 case KERNELDUMP_ENC_AES_256_CBC:
210 cipher = EVP_aes_256_cbc();
212 case KERNELDUMP_ENC_CHACHA20:
213 cipher = EVP_chacha20();
216 pjdlog_error("Invalid encryption algorithm.");
220 if (RSA_private_decrypt(kdk->kdk_encryptedkeysize,
221 kdk->kdk_encryptedkey, key, privkey,
222 RSA_PKCS1_OAEP_PADDING) != sizeof(key) &&
223 /* Fallback to deprecated, formerly-used PKCS 1.5 padding. */
224 RSA_private_decrypt(kdk->kdk_encryptedkeysize,
225 kdk->kdk_encryptedkey, key, privkey,
226 RSA_PKCS1_PADDING) != sizeof(key)) {
227 pjdlog_error("Unable to decrypt key: %s",
228 ERR_error_string(ERR_get_error(), NULL));
234 if (kdk->kdk_encryption == KERNELDUMP_ENC_CHACHA20) {
236 * OpenSSL treats the IV as 4 little-endian 32 bit integers.
238 * The first two represent a 64-bit counter, where the low half
239 * is the first 32-bit word.
241 * Start at counter block zero...
243 memset(chachaiv, 0, 4 * 2);
245 * And use the IV specified by the dump.
247 memcpy(&chachaiv[4 * 2], kdk->kdk_iv, 4 * 2);
248 EVP_DecryptInit_ex(ctx, cipher, NULL, key, chachaiv);
250 EVP_DecryptInit_ex(ctx, cipher, NULL, key, kdk->kdk_iv);
251 EVP_CIPHER_CTX_set_padding(ctx, 0);
253 explicit_bzero(key, sizeof(key));
256 bytes = read(ifd, buf, sizeof(buf));
258 pjdlog_errno(LOG_ERR, "Unable to read data from %s",
264 if (EVP_DecryptUpdate(ctx, buf, &olen, buf,
266 pjdlog_error("Unable to decrypt core.");
270 if (EVP_DecryptFinal_ex(ctx, buf, &olen) == 0) {
271 pjdlog_error("Unable to decrypt core.");
276 if (olen > 0 && write(ofd, buf, olen) != olen) {
277 pjdlog_errno(LOG_ERR, "Unable to write core");
282 explicit_bzero(buf, sizeof(buf));
283 EVP_CIPHER_CTX_free(ctx);
286 explicit_bzero(key, sizeof(key));
287 explicit_bzero(buf, sizeof(buf));
290 EVP_CIPHER_CTX_free(ctx);
295 main(int argc, char **argv)
297 char core[PATH_MAX], encryptedcore[PATH_MAX], keyfile[PATH_MAX];
298 const char *crashdir, *dumpnr, *privatekey;
299 int ch, debug, error, ofd;
301 bool force, usesyslog;
305 pjdlog_init(PJDLOG_MODE_STD);
306 pjdlog_prefix_set("(decryptcore) ");
312 *encryptedcore = '\0';
317 while ((ch = getopt(argc, argv, "Lc:d:e:fk:n:p:v")) != -1) {
323 if (strlcpy(core, optarg, sizeof(core)) >= sizeof(core))
324 pjdlog_exitx(1, "Core file path is too long.");
330 if (strlcpy(encryptedcore, optarg,
331 sizeof(encryptedcore)) >= sizeof(encryptedcore)) {
332 pjdlog_exitx(1, "Encrypted core file path is too long.");
339 if (strlcpy(keyfile, optarg, sizeof(keyfile)) >=
341 pjdlog_exitx(1, "Key file path is too long.");
363 /* Verify mutually exclusive options. */
364 if ((crashdir != NULL || dumpnr != NULL) &&
365 (*keyfile != '\0' || *encryptedcore != '\0' || *core != '\0')) {
370 * Set key, encryptedcore and core file names using crashdir and dumpnr.
372 if (dumpnr != NULL) {
373 for (ii = 0; ii < strnlen(dumpnr, PATH_MAX); ii++) {
374 if (isdigit((int)dumpnr[ii]) == 0)
378 if (crashdir == NULL)
379 crashdir = DECRYPTCORE_CRASHDIR;
380 PJDLOG_VERIFY(snprintf(keyfile, sizeof(keyfile),
381 "%s/key.%s", crashdir, dumpnr) > 0);
382 PJDLOG_VERIFY(snprintf(core, sizeof(core),
383 "%s/vmcore.%s", crashdir, dumpnr) > 0);
384 PJDLOG_VERIFY(snprintf(encryptedcore, sizeof(encryptedcore),
385 "%s/vmcore_encrypted.%s", crashdir, dumpnr) > 0);
388 if (privatekey == NULL || *keyfile == '\0' || *encryptedcore == '\0' ||
394 pjdlog_mode_set(PJDLOG_MODE_SYSLOG);
395 pjdlog_debug_set(debug);
397 if (force && unlink(core) == -1 && errno != ENOENT) {
398 pjdlog_errno(LOG_ERR, "Unable to remove old core");
401 ofd = open(core, O_WRONLY | O_CREAT | O_EXCL, 0600);
403 pjdlog_errno(LOG_ERR, "Unable to open %s", core);
407 if (!decrypt(ofd, privatekey, keyfile, encryptedcore)) {
408 if (unlink(core) == -1 && errno != ENOENT)
409 pjdlog_errno(LOG_ERR, "Unable to remove core");