From nobody Wed Feb 08 18:29:28 2023
X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4PBpS906h9z3nlhY;
	Wed,  8 Feb 2023 18:29:29 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4PBpS86X1bz3wJv;
	Wed,  8 Feb 2023 18:29:28 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1675880968;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=JUkrEDONHfyiAiuqhF27+tCzHVtshyfNCbTkL8OhUcE=;
	b=tTSJu8HlPaEgUuZI9d1//IYsQNq9EN0vNwEp5AIAK5WERv8IwbKIAFb5EouAsIOiu29iVz
	38FlK3ljI2l0e4huWm4tg03PVUUxwM+UuKDDCAN3RmHlFz9S/VH5qPMSsw6YBx3VWYfWuu
	g7TkJGLkkVTzWJk07ehwGsNc1IS3ZL9w5QMX+qcK2Pa57/1zDpNK/vQA30xSNYF93dBytB
	PZkNakxutCOIMouqpgFoGQ0eaaellh8rtPCROXbvRJtTZ0B90yBULAcqfrTB12QBrJ9vBn
	CtuI6ZBhBzEqUDtS2PWDJKIwXUv7qKzjYJQb4EDbPwKWPrBMCeSsBUyXhBU1wA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1675880968;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=JUkrEDONHfyiAiuqhF27+tCzHVtshyfNCbTkL8OhUcE=;
	b=iHSsswBQM8rtV/fn9232nirE33jyRfuVKRKxAO7/YsELPS0r2fg/1WZVbJootr4XZ8wgKn
	4bm6+gPuJI8lu8k4G7q8SowSI2SP6g8CwuAOMcsjyzAbFO5NO2lEV7Enh/ozeNGwln5+z8
	Dee7Ba3wOchARr9Buo+3+z0MPQKwXumxKI5wGXqHXXG3ieUA9VkJhZFK5tiQ90pqaNteN5
	iePoOtPdLMtElECFS57KEln252Ukjyp+oEns548NbREha8WRHFRx+EDBm3SRY7Iw8GKN4Z
	ci7XSV5B6F2W/hOqn2VyGpyHKHMdxxHfGXH+4QPCvNKE9YYvn/gAcYTG6ZM7ww==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1675880968; a=rsa-sha256; cv=none;
	b=JqS78OwqNlOY9N/aPSJp+butkOm7n/ZwIlBYzv7CEQTMLf/sHhEIsljbykq43oQCV80IV7
	QMOJPEhxY7j5Qd2IHwWmboaJRQrs8OSG2RJZY7oBFELd5R8w5WJZc6n9tgMUAhFznjQyJR
	R9t0WjXIjqqltyLnOsOhUOworRDrlJP2dU8qZrNpmUSLEbHuqfWl/QiGgKKnW2snIM4v89
	OO8pDVPLiCBZW+ZWHbfqOHQWpZ6ySsEp22RDFVVj2AR8Hvvm9kulxoBmXsjLFGscdFTz2L
	C4qL7dcA9kSkogUDaM+oXaQBezg+E6ZQiBhm8WFQiccjKjdHFvnHmnqkhjM1Lw==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4PBpS85d5wz16bT;
	Wed,  8 Feb 2023 18:29:28 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 318ITS2f037494;
	Wed, 8 Feb 2023 18:29:28 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 318ITS0o037493;
	Wed, 8 Feb 2023 18:29:28 GMT
	(envelope-from git)
Date: Wed, 8 Feb 2023 18:29:28 GMT
Message-Id: <202302081829.318ITS0o037493@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
        dev-commits-src-branches@FreeBSD.org
From: Gordon Tetlow <gordon@FreeBSD.org>
Subject: git: 256e92061356 - releng/12.4 - geli: split the initalization of HMAC
List-Id: Commit messages for all branches of the src repository <dev-commits-src-all.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
List-Help: <mailto:dev-commits-src-all+help@freebsd.org>
List-Post: <mailto:dev-commits-src-all@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-all+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-all+unsubscribe@freebsd.org>
Sender: owner-dev-commits-src-all@freebsd.org
X-BeenThere: dev-commits-src-all@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: gordon
X-Git-Repository: src
X-Git-Refname: refs/heads/releng/12.4
X-Git-Reftype: branch
X-Git-Commit: 256e920613565f8c0572376ad21a7f37f2c26972
Auto-Submitted: auto-generated
X-ThisMailContainsUnwantedMimeParts: N

The branch releng/12.4 has been updated by gordon:

URL: https://cgit.FreeBSD.org/src/commit/?id=256e920613565f8c0572376ad21a7f37f2c26972

commit 256e920613565f8c0572376ad21a7f37f2c26972
Author:     Mariusz Zaborski <oshogbo@FreeBSD.org>
AuthorDate: 2023-02-08 16:41:06 +0000
Commit:     Gordon Tetlow <gordon@FreeBSD.org>
CommitDate: 2023-02-08 18:09:30 +0000

    geli: split the initalization of HMAC
    
    GELI allows to read a user key from a standard input.
    However if user initialize multiple providers at once, the standard
    input will be empty for the second and next providers.
    This caused GELI to encrypt a master key with an empty key file.
    
    This commits initialize the HMAC with the key file, and then reuse the
    finalized structure to generate different encryption keys for different
    providers.
    
    Reported by:    Nathan Dorfman
    Tested by:      philip
    Approved by:    so
    Security:       FreeBSD-SA-23:01.geli
    Security:       CVE-2023-0751
    
    (cherry picked from commit 5fff09660e06a66bed6482da9c70df328e16bbb6)
    (cherry picked from commit a5afaf4e9abd8d5e6cce5d6c433d2276bf9b8721)
---
 lib/geom/eli/geom_eli.c | 72 ++++++++++++++++++++++++++++++++++++-------------
 1 file changed, 54 insertions(+), 18 deletions(-)

diff --git a/lib/geom/eli/geom_eli.c b/lib/geom/eli/geom_eli.c
index a89ac69cf338..147807c46416 100644
--- a/lib/geom/eli/geom_eli.c
+++ b/lib/geom/eli/geom_eli.c
@@ -565,27 +565,35 @@ eli_genkey_passphrase(struct gctl_req *req, struct g_eli_metadata *md, bool new,
 	return (0);
 }
 
-static unsigned char *
-eli_genkey(struct gctl_req *req, struct g_eli_metadata *md, unsigned char *key,
-    bool new)
+static bool
+eli_init_key_hmac_ctx(struct gctl_req *req, struct hmac_ctx *ctx, bool new)
 {
-	struct hmac_ctx ctx;
-	bool nopassphrase;
 	int nfiles;
+	bool nopassphrase;
 
 	nopassphrase =
 	    gctl_get_int(req, new ? "nonewpassphrase" : "nopassphrase");
 
-	g_eli_crypto_hmac_init(&ctx, NULL, 0);
-
-	nfiles = eli_genkey_files(req, new, "keyfile", &ctx, NULL, 0);
-	if (nfiles == -1)
-		return (NULL);
-	else if (nfiles == 0 && nopassphrase) {
+	g_eli_crypto_hmac_init(ctx, NULL, 0);
+	nfiles = eli_genkey_files(req, new, "keyfile", ctx, NULL, 0);
+	if (nfiles == -1) {
+		return (false);
+	} else if (nfiles == 0 && nopassphrase) {
 		gctl_error(req, "No key components given.");
-		return (NULL);
+		return (false);
 	}
 
+	return (true);
+}
+
+static unsigned char *
+eli_genkey(struct gctl_req *req, const struct hmac_ctx *ctxtemplate,
+    struct g_eli_metadata *md, unsigned char *key, bool new)
+{
+	struct hmac_ctx ctx;
+
+	memcpy(&ctx, ctxtemplate, sizeof(ctx));
+
 	if (eli_genkey_passphrase(req, md, new, &ctx) == -1)
 		return (NULL);
 
@@ -594,6 +602,22 @@ eli_genkey(struct gctl_req *req, struct g_eli_metadata *md, unsigned char *key,
 	return (key);
 }
 
+static unsigned char *
+eli_genkey_single(struct gctl_req *req, struct g_eli_metadata *md,
+		  unsigned char *key, bool new)
+{
+	struct hmac_ctx ctx;
+	unsigned char *rkey;
+
+	if (!eli_init_key_hmac_ctx(req, &ctx, new)) {
+		return (NULL);
+	}
+	rkey = eli_genkey(req, &ctx, md, key, new);
+	explicit_bzero(&ctx, sizeof(ctx));
+
+	return (rkey);
+}
+
 static int
 eli_metadata_read(struct gctl_req *req, const char *prov,
     struct g_eli_metadata *md)
@@ -705,6 +729,7 @@ eli_init(struct gctl_req *req)
 	intmax_t val;
 	int error, i, nargs, nparams, param;
 	const int one = 1;
+	struct hmac_ctx ctxtemplate;
 
 	nargs = gctl_get_int(req, "nargs");
 	if (nargs <= 0) {
@@ -852,6 +877,10 @@ eli_init(struct gctl_req *req)
 	 */
 	nparams = req->narg - nargs - 1;
 
+	/* Generate HMAC context template. */
+	if (!eli_init_key_hmac_ctx(req, &ctxtemplate, true))
+		return;
+
 	/* Create new child request for each provider and issue to kernel */
 	for (i = 0; i < nargs; i++) {
 		r = gctl_get_handle();
@@ -893,7 +922,7 @@ eli_init(struct gctl_req *req)
 		arc4random_buf(md.md_mkeys, sizeof(md.md_mkeys));
 
 		/* Generate user key. */
-		if (eli_genkey(r, &md, key, true) == NULL) {
+		if (eli_genkey(r, &ctxtemplate, &md, key, true) == NULL) {
 			/*
 			 * Error generating key - details added to geom request
 			 * by eli_genkey().
@@ -1017,6 +1046,7 @@ out:
 
 	/* Clear the cached metadata, including keys. */
 	explicit_bzero(&md, sizeof(md));
+	explicit_bzero(&ctxtemplate, sizeof(ctxtemplate));
 }
 
 static void
@@ -1028,6 +1058,7 @@ eli_attach(struct gctl_req *req)
 	off_t mediasize;
 	int i, nargs, nparams, param;
 	const int one = 1;
+	struct hmac_ctx ctxtemplate;
 
 	nargs = gctl_get_int(req, "nargs");
 	if (nargs <= 0) {
@@ -1043,6 +1074,10 @@ eli_attach(struct gctl_req *req)
 	 */
 	nparams = req->narg - nargs - 1;
 
+	/* Generate HMAC context template. */
+	if (!eli_init_key_hmac_ctx(req, &ctxtemplate, false))
+		return;
+
 	/* Create new child request for each provider and issue to kernel */
 	for (i = 0; i < nargs; i++) {
 		r = gctl_get_handle();
@@ -1072,7 +1107,7 @@ eli_attach(struct gctl_req *req)
 			goto out;
 		}
 
-		if (eli_genkey(r, &md, key, false) == NULL) {
+		if (eli_genkey(r, &ctxtemplate, &md, key, false) == NULL) {
 			/*
 			 * Error generating key - details added to geom request
 			 * by eli_genkey().
@@ -1106,6 +1141,7 @@ out:
 
 	/* Clear sensitive data from memory. */
 	explicit_bzero(cached_passphrase, sizeof(cached_passphrase));
+	explicit_bzero(&ctxtemplate, sizeof(ctxtemplate));
 }
 
 static void
@@ -1277,7 +1313,7 @@ eli_setkey_attached(struct gctl_req *req, struct g_eli_metadata *md)
 		old = md->md_iterations;
 
 	/* Generate key for Master Key encryption. */
-	if (eli_genkey(req, md, key, true) == NULL) {
+	if (eli_genkey_single(req, md, key, true) == NULL) {
 		explicit_bzero(key, sizeof(key));
 		return;
 	}
@@ -1312,7 +1348,7 @@ eli_setkey_detached(struct gctl_req *req, const char *prov,
 	}
 
 	/* Generate key for Master Key decryption. */
-	if (eli_genkey(req, md, key, false) == NULL) {
+	if (eli_genkey_single(req, md, key, false) == NULL) {
 		explicit_bzero(key, sizeof(key));
 		return;
 	}
@@ -1370,7 +1406,7 @@ eli_setkey_detached(struct gctl_req *req, const char *prov,
 	explicit_bzero(mkey, sizeof(mkey));
 
 	/* Generate key for Master Key encryption. */
-	if (eli_genkey(req, md, key, true) == NULL) {
+	if (eli_genkey_single(req, md, key, true) == NULL) {
 		explicit_bzero(key, sizeof(key));
 		explicit_bzero(md, sizeof(*md));
 		return;
@@ -1516,7 +1552,7 @@ eli_resume(struct gctl_req *req)
 		return;
 	}
 
-	if (eli_genkey(req, &md, key, false) == NULL) {
+	if (eli_genkey_single(req, &md, key, false) == NULL) {
 		explicit_bzero(key, sizeof(key));
 		return;
 	}