search

sgan81 / apfs-fuse

FUSE driver for APFS (Apple File System)
GNU General Public License v2.0
1.78k stars 164 forks source link

KeyMgmt.cpp RFC3394_KeyUnwrap function failed to Unwrap of APFS Encrypted Volume #147

Closed Santosh123-creater closed 3 years ago

Santosh123-creater commented 3 years ago

Hi

I am facing issue in following code of KeyMgmt.cpp. rc = Rfc3394_KeyUnwrap(kek, kek_blob.wrapped_kek, 0x20, dk, AES::AES_256, &iv); Above function is not wrapping properly and always return false value. for my APFS Encrypted Volume. //return a == rfc_3394_default_iv; not match their value everytime.

// Check all KEKs for any valid KEK. for (k = 0; k < cnt; k++) { ke_kek = recs_bag.GetKey(k); if (!ke_kek) continue;

    if (ke_kek->ke_tag != KB_TAG_VOLUME_UNLOCK_RECORDS)
        continue;

    bd.data = ke_kek->ke_keydata;
    bd.size = ke_kek->ke_keylen;

    if (!VerifyBlob(bd, kek_data))
        continue;

    if (!DecodeKEKBlob(kek_blob, kek_data))
        continue;

    PBKDF2_HMAC_SHA256(reinterpret_cast<const uint8_t *>(password), strlen(password), kek_blob.salt, sizeof(kek_blob.salt), kek_blob.iterations, dk, sizeof(dk));

    switch (kek_blob.unk_82.unk_00)
    {
        case 0x00:
        case 0x10:
            rc = Rfc3394_KeyUnwrap(kek, kek_blob.wrapped_kek, 0x20, dk, AES::AES_256, &iv);
            kek_mode = AES::AES_256;
            break;
        case 0x02:
            rc = Rfc3394_KeyUnwrap(kek, kek_blob.wrapped_kek, 0x10, dk, AES::AES_128, &iv);
            kek_mode = AES::AES_128;
            break;
        default:
            std::cerr << "Unknown KEK key flags 82/00 = " << std::hex << kek_blob.unk_82.unk_00 << ". Please file a bug report." << std::endl;
            rc = false;
            break;
    }

    if (g_debug & Dbg_Crypto)
    {
        std::cout << "PW Key  : " << hexstr(dk, sizeof(dk)) << std::endl;
        std::cout << "KEK Wrpd: " << hexstr(kek_blob.wrapped_kek, sizeof(kek_blob.wrapped_kek)) << std::endl;
        std::cout << "KEK     : " << hexstr(kek, 0x20) << std::endl;
        std::cout << "KEK IV  : " << std::setw(16) << iv << std::endl;
        std::cout << std::endl;
    }

    if (rc)
        break;
}

After compilation it prompts following output: st_mode = 24992 Sector count = 30277632 Sector size = 512 Device /dev/disk2 opened. Size is 15502147584 Found valid GPT partition table. Looking for APFS partition. APFSEncryptedRecovery was compiled with optimization - stepping may behave oddly; variables may not be available. Mounting xid different from NXSB at 0 (xid = 64). xid = 65 Mounting xid 65 omap: oid=1027 xid=65 flags=0 size=0 paddr=1027 omap: oid=1028 xid=65 flags=0 size=0 paddr=1028 starting LoadKeybag @ 20005 all blocks verified Omap Lookup: oid=402 xid=41: oid=402 xid=41 => flags=0 size=1000 paddr=100a0 Volume Untitled is encrypted. Dumping Keybag (keys)

Version : 0002 Keys : 0002 Bytes : 000000E0

Key 0: UUID : 2322728E-036B-49FA-B83C-179DA76DB4B2 Type : 0003 [Keybag Ref] Length : 0010 Block : 0000000000020004 Count : 0000000000000001

Key 1: UUID : 2322728E-036B-49FA-B83C-179DA76DB4B2 Type : 0002 [VEK] Length : 007C [Blob Header] Unk 80 : 0 HMAC : 71AB3423E9B4971F646C00B64AEEDEB5925195B73E41BD8148E52F5CCB02AA29 Salt : F8E7F446834B091E

[VEK] Unk 80 : 0 UUID : 2322728E-036B-49FA-B83C-179DA76DB4B2 Unk 82 : 00000000 0001 1E ED VEK Wrpd: 85BD643CC2A38C14568DFD4CD1F38F1720E106922CA32A8FE8D440F6BC6827B138A7C7BFE4367C1B

starting LoadKeybag @ 20004 all blocks verified Dumping Keybag (recs)

Version : 0002 Keys : 0002 Bytes : 000000E0

Key 0: UUID : 2322728E-036B-49FA-B83C-179DA76DB4B2 Type : 0003 [KEK] Length : 0094 [Blob Header] Unk 80 : 0 HMAC : 86E195EE0AB0F2D428F575112ED51ADCE1F67A04A8BA73F76B64A9DFDE4EA0F5 Salt : EE3F3F5FE4E53527

[KEK] Unk 80 : 0 UUID : 2322728E-036B-49FA-B83C-179DA76DB4B2 Unk 82 : 00000000 0002 1E ED KEK Wrpd: 5F40E757A4B8B3D39CE6DE06D34D89A40F00BE67BF6D9D2E0A2DB6EA761E5F1019D8B07E286B4A7A Iterat's: 186082 Salt : 30985112E6235BBAAF029BD9460EDBF3

Key 1: UUID : 2322728E-036B-49FA-B83C-179DA76DB4B2 Type : 0004 [Password Hint] Length : 0003 Hint : 123

PW Key : 521C60E92418A5BFD4FF128B77160D0914695658E11D4BFEF5CEB18D5C7EDF4E KEK Wrpd: 5F40E757A4B8B3D39CE6DE06D34D89A40F00BE67BF6D9D2E0A2DB6EA761E5F1019D8B07E286B4A7A KEK : 8ED046186EAA1DE16C462F7B51010DEF1629B040E2DA40BB0B69C57772232D7F KEK IV : 59663655B3A90692

Password doesn't work for any key. starting LoadKeybag @ 20004 all blocks verified Hint: 123 Enter Password: Dumping Keybag (keys)

Version : 0002 Keys : 0002 Bytes : 000000E0

Key 0: UUID : 2322728E-036B-49FA-B83C-179DA76DB4B2 Type : 0003 [Keybag Ref] Length : 0010 Block : 0000000000020004 Count : 0000000000000001

Key 1: UUID : 2322728E-036B-49FA-B83C-179DA76DB4B2 Type : 0002 [VEK] Length : 007C [Blob Header] Unk 80 : 0 HMAC : 71AB3423E9B4971F646C00B64AEEDEB5925195B73E41BD8148E52F5CCB02AA29 Salt : F8E7F446834B091E

[VEK] Unk 80 : 0 UUID : 2322728E-036B-49FA-B83C-179DA76DB4B2 Unk 82 : 00000000 0001 1E ED VEK Wrpd: 85BD643CC2A38C14568DFD4CD1F38F1720E106922CA32A8FE8D440F6BC6827B138A7C7BFE4367C1B

starting LoadKeybag @ 20004 all blocks verified Dumping Keybag (recs)

Version : 0002 Keys : 0002 Bytes : 000000E0

Key 0: UUID : 2322728E-036B-49FA-B83C-179DA76DB4B2 Type : 0003 [KEK] Length : 0094 [Blob Header] Unk 80 : 0 HMAC : 86E195EE0AB0F2D428F575112ED51ADCE1F67A04A8BA73F76B64A9DFDE4EA0F5 Salt : EE3F3F5FE4E53527

[KEK] Unk 80 : 0 UUID : 2322728E-036B-49FA-B83C-179DA76DB4B2 Unk 82 : 00000000 0002 1E ED KEK Wrpd: 5F40E757A4B8B3D39CE6DE06D34D89A40F00BE67BF6D9D2E0A2DB6EA761E5F1019D8B07E286B4A7A Iterat's: 186082 Salt : 30985112E6235BBAAF029BD9460EDBF3

Key 1: UUID : 2322728E-036B-49FA-B83C-179DA76DB4B2 Type : 0004 [Password Hint] Length : 0003 Hint : 123

PW Key : 521C60E92418A5BFD4FF128B77160D0914695658E11D4BFEF5CEB18D5C7EDF4E KEK Wrpd: 5F40E757A4B8B3D39CE6DE06D34D89A40F00BE67BF6D9D2E0A2DB6EA761E5F1019D8B07E286B4A7A KEK : 8ED046186EAA1DE16C462F7B51010DEF1629B040E2DA40BB0B69C57772232D7F KEK IV : 59663655B3A90692

Password doesn't work for any key. Wrong password! Unable to get volume!

I am stuck at this point. Please tell us what I am doing mistake. I have created APFS Encrypted Volume in High Sierra 10.13 without T2 machine.

Please help me.

Santosh123-creater commented 3 years ago

constexpr uint64_t rfc_3394_default_iv = 0xA6A6A6A6A6A6A6A6ULL;

// TODO: Not tested on big-endian machines ... bool Rfc3394_KeyUnwrap(uint8_t plain, const uint8_t crypto, size_t size, const uint8_t key, AES::Mode aes_mode, uint64_t iv) { Rfc3394_Unit u; uint64_t a; uint64_t r[6]; int i; int j; int n = size / sizeof(uint64_t); uint64_t t; const uint64_t c = reinterpret_cast<const uint64_t >(crypto); uint64_t p = reinterpret_cast<uint64_t >(plain); AES aes;

aes.SetKey(key, aes_mode);
t = 6 * n;

a = c[0];
for (i = 0; i < n; i++)
    r[i] = c[i + 1];

for (j = 5; j >= 0; j--)
{
    for (i = n - 1; i >= 0; i--)
    {
        u.u64[0] = a ^ bswap_be(t);
        u.u64[1] = r[i];
        aes.Decrypt(u.u8, u.u8);
        a = u.u64[0];
        r[i] = u.u64[1];
        t--;
    }
}

for (i = 0; i < n; i++)
    p[i] = r[i];
if (iv)
    *iv = a;

return a == rfc_3394_default_iv;

}

Here a return value which is not equals to 0xA6A6A6A6A6A6A6A6. I am stuck at this point. Please help anyone.

Thanks Santosh

ydkhatri commented 3 years ago

I would double check the password, and if it is being passed correctly into the program. Sometimes passwords with special characters have issues. For example if you have ^ or \ (and a few other such specials) in your password, it may be interpreted incorrectly by the terminal as these have special meaning on the terminal. Try then to put double quotes around your password and try.

Santosh123-creater commented 3 years ago

First of all, thanks for the reply. I have keep the simple password: 123 I have created another APFS Encrypted Volume with password: stellar In all cases, this funstion PBKDF2_HMAC_SHA256(reinterpret_cast<const uint8_t *>(password), strlen(password), kek_blob.salt, sizeof(kek_blob.salt), kek_blob.iterations, dk, sizeof(dk)); returning DK, which I assumed that It may be correct or incorrect. I am unable to validate it. However, thid dk passes in following function: case 0x00: case 0x10: rc = Rfc3394_KeyUnwrap(kek, kek_blob.wrapped_kek, 0x20, dk, AES::AES_256, &iv); kek_mode = AES::AES_256; break;

I have debugged the function Rfc3394_KeyUnwrap, return a == rfc_3394_default_iv; is not matched with the default value 0xA6A6A6A6A6A6A6A6ULL;.

Rfc3394_KeyUnwrap's rc always return false both in case of KEK and VEK. I am confused that Unwrapped KEK and Unwrapped VEK is correct or not. However I have tried to Decrypt with this unwrapped VEK via m_aes.SetKey(vek,vek+0x10); m_aes.Decrypt(.......) but decrypted values is not correct.

Some output: PW Key : 521C60E92418A5BFD4FF128B77160D0914695658E11D4BFEF5CEB18D5C7EDF4E KEK Wrpd: 5F40E757A4B8B3D39CE6DE06D34D89A40F00BE67BF6D9D2E0A2DB6EA761E5F1019D8B07E286B4A7A KEK : 8ED046186EAA1DE16C462F7B51010DEF1629B040E2DA40BB0B69C57772232D7F KEK IV : 59663655B3A90692

Password doesn't work for any key. Wrong password!

I have not yet figure out that what is doing wrong by me. Please guide me, I have Taken code of APFSLib and some modified it and passed some value as hard code for e.g. Disk: /dev/disk2, password: 123 etc. Now I am able to compile and debug this code in High Sierra 10.13.6 using C++/ Qt/Xcode. Is their another dependency for this project. I want to decrypt data block of apfs encrypted volume in macos using correct unwrapped vek. I am new in this concept. It may be some concept not clear.

I will really appreciate for your help and response. Please reply.

Thanks Santosh

ydkhatri commented 3 years ago

It is likely that your hardcoding has problems. I suggest compiling the code as is (ie, the apfs-fuse project without modifications), you can run and debug to see how it works, then try to tinker with it.

sgan81 commented 3 years ago

Hmmm, a return value that is not 0xA6A6A6A6A6A6A6A6 usually means that the password is wrong. It could also mean that the password key was derived incorrectly.

sgan81 commented 3 years ago

Your password is "stellar", not "123" ...

Running this code:

void TestGithub147()
{
    const uint8_t kekw[0x28] = {
        0x5F, 0x40, 0xE7, 0x57, 0xA4, 0xB8, 0xB3, 0xD3, 0x9C, 0xE6, 0xDE, 0x06, 0xD3, 0x4D, 0x89, 0xA4,
        0x0F, 0x00, 0xBE, 0x67, 0xBF, 0x6D, 0x9D, 0x2E, 0x0A, 0x2D, 0xB6, 0xEA, 0x76, 0x1E, 0x5F, 0x10,
        0x19, 0xD8, 0xB0, 0x7E, 0x28, 0x6B, 0x4A, 0x7A
    };
    const uint8_t vekw[0x28] = {
        0x85, 0xBD, 0x64, 0x3C, 0xC2, 0xA3, 0x8C, 0x14, 0x56, 0x8D, 0xFD, 0x4C, 0xD1, 0xF3, 0x8F, 0x17,
        0x20, 0xE1, 0x06, 0x92, 0x2C, 0xA3, 0x2A, 0x8F, 0xE8, 0xD4, 0x40, 0xF6, 0xBC, 0x68, 0x27, 0xB1,
        0x38, 0xA7, 0xC7, 0xBF, 0xE4, 0x36, 0x7C, 0x1B
    };
    const uint8_t salt[0x10] = { 0x30, 0x98, 0x51, 0x12, 0xE6, 0x23, 0x5B, 0xBA, 0xAF, 0x02, 0x9B, 0xD9, 0x46, 0x0E, 0xDB, 0xF3 };
    uint8_t kek[0x20] = { 0 };
    uint8_t vek[0x20] = { 0 };
    uint8_t dkey[0x20] = { 0 };
    uint64_t kek_iv = 0;
    uint64_t vek_iv = 0;
    const char* pw = "stellar";
    const size_t pwlen = strlen(pw);

    PBKDF2_HMAC_SHA256(reinterpret_cast<const uint8_t *>(pw), pwlen, salt, 0x10, 186082, dkey, 0x20);
    Rfc3394_KeyUnwrap(kek, kekw, 0x20, dkey, AES::AES_256, &kek_iv);
    Rfc3394_KeyUnwrap(vek, vekw, 0x20, kek, AES::AES_256, &vek_iv);

    std::cout << "PWK:  " << hexstr(dkey, 0x20) << std::endl;
    std::cout << "KEKW: " << hexstr(kekw, 0x28) << std::endl;
    std::cout << "KEK:  " << hexstr(kek, 0x20) << std::endl;
    std::cout << "IV:   " << std::hex << std::uppercase << kek_iv << std::endl;
    std::cout << "VEKW: " << hexstr(vekw, 0x28) << std::endl;
    std::cout << "VEK:  " << hexstr(vek, 0x20) << std::endl;
    std::cout << "IV:   " << vek_iv << std::endl;
}

results in:

PWK:  4132F30B2A0792C8443BCEAB9677CC7B37ED1FFDCB05DF248E504B6ED01C3613
KEKW: 5F40E757A4B8B3D39CE6DE06D34D89A40F00BE67BF6D9D2E0A2DB6EA761E5F1019D8B07E286B4A7A
KEK:  C07DA03E2CDB1938B3C0446E1BE983EA7D83B5E23EB5B71A646EBD00C4B1B4CC
IV:   A6A6A6A6A6A6A6A6
VEKW: 85BD643CC2A38C14568DFD4CD1F38F1720E106922CA32A8FE8D440F6BC6827B138A7C7BFE4367C1B
VEK:  3BCA637F33AC7B5ECBD0388EDBE8AE0552DF388BB63AA2D4C1D8CDBFE7C38228
IV:   A6A6A6A6A6A6A6A6

So these are the correct values.

Santosh123-creater commented 3 years ago

Dear Sir, Thanks you so much. As per your guidance we found the issues - password key was derived incorrectly. Using void TestGithub147() function I was easily rectified it. Again thanks. Now, I have started testing on another APFS Encrypted drive (System Disk) and another External APFS Encrypted Drive. It will take some times to me to verify different-different scenario. If I will face any issue, I will get back soon. Thanks a lot.