hefronmedia / vilefault

Automatically exported from code.google.com/p/vilefault

Make it simple to enter a null HMAC #3

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Because of the AES mode (CBC) and the FileVault implementation, it is
possible to recover 4080 bytes out of each 4096 bytes in each block without
knowing anything beyond the AES key. This should be useful in certain
contexts where someone can recover an AES key.

This is done like so:
P_i = AES128-DECRYPT(C_i, K) XOR C_{i-1}
We know C_i and C_{i-1} (but not C_0, because that's the IV, which was
derived from the hmacsha1key).

Currently, with the AES key, it is possible to simply specify a full set of
zero bytes for the SHA-1 HMAC. Thus, given a proper AES key, 4080 bytes
should be properly decrypted and the remaining 16 bytes will be line noise.

Specifically:
16 bytes for the AES key (32 bytes of hex) and 20 bytes for the HMAC-SHA1
key (40 bytes of hex).

So an attempt to decrypt with a null HMAC would currently look like:
./vfdecrypt -i in-file -o out-file -k aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa0000000000000000000000000000000000000000

It would be much better if we could split the options up into -k aeskey and
-m hmac. Even better would be -k aeskey and -n as a flag for a null hmac.

Original issue reported on code.google.com by ioer...@gmail.com on 22 Jan 2008 at 10:08
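
The CBC property described in the issue report above, as an added example that is not part of the original thread or vilefault's code: with the right cipher key and an all-zero HMAC key, each 4096-byte chunk decrypts correctly except its first 16 bytes. Assumptions: a hashlib-based Feistel permutation stands in for AES-128 (the property depends only on CBC chaining, not on the cipher), the per-chunk IV derivation in `chunk_iv` is assumed for illustration, and all keys and data are constructed.

```python
import hashlib
import hmac

BLOCK = 16    # cipher block size in bytes (same as AES)
CHUNK = 4096  # chunk size quoted in the issue

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _f(key, rnd, half):  # round function of the stand-in cipher
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def enc_block(key, blk):  # stand-in 4-round Feistel permutation, NOT AES
    l, r = blk[:8], blk[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def dec_block(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def chunk_iv(hmac_key, chunk_no):  # assumed derivation, for illustration
    return hmac.new(hmac_key, chunk_no.to_bytes(4, "big"), hashlib.sha1).digest()[:BLOCK]

def cbc_encrypt(key, iv, pt):
    prev, out = iv, []
    for i in range(0, len(pt), BLOCK):
        prev = enc_block(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    # P_i = D(C_i) XOR C_{i-1}: only the first block depends on the IV
    return b"".join(_xor(dec_block(key, c), p) for p, c in zip(blocks, blocks[1:]))

def per_chunk(cbc_fn, key, hmac_key, data):
    return b"".join(cbc_fn(key, chunk_iv(hmac_key, n // CHUNK), data[n:n + CHUNK])
                    for n in range(0, len(data), CHUNK))

def demo():
    plain = bytes(i % 251 for i in range(2 * CHUNK))  # constructed plaintext, two chunks
    key, hmac_key = bytes(range(16)), b"\x11" * 20    # constructed keys
    image = per_chunk(cbc_encrypt, key, hmac_key, plain)
    guess = per_chunk(cbc_decrypt, key, bytes(20), image)  # right cipher key, null HMAC key
    ok = lambda a, b: guess[a:b] == plain[a:b]
    return [(ok(o, o + BLOCK), ok(o + BLOCK, o + CHUNK)) for o in range(0, len(plain), CHUNK)]
```

`demo()` returns one `(first_16_bytes_match, remaining_4080_bytes_match)` pair per chunk.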

GoogleCodeExporter commented 9 years ago
I'm adding two new flags, '-m' and '-n' which will be used for explicitly
setting and checking the SHA1-HMAC. '-m' will take a user supplied value and
use it as the HMAC, '-n' will override the value of any value passed by '-m'
or simply set it to be null.

In the future, the '-k' option will only take an AES key.

Original comment by ioer...@gmail.com on 22 Jan 2008 at 7:53

GoogleCodeExporter commented 9 years ago
This is finished and in need of testing.

Original comment by ioer...@gmail.com on 23 Jan 2008 at 6:06