[RFC 2/2] network: add support for encrypted Passphrase/PSK

[James Prestwood <prestwoj at gmail.com>]

[-- Attachment #1: Type: text/plain, Size: 7062 bytes --]

Two keys were added: PreSharedKeyEncrypted, PassphraseEncrypted which
are now automatically set/loaded if SystemdEncrypt=true.

When transitioning to this option any existing provisioning files will
be read in as plaintext but when synced the *Encrypted options will be
used instead. After that the file will no longer contain any plaintext
psk/passphrase values.

The encryption itself uses AES-CTR with a zero IV. This is to avoid
extra padding and dealing with block sizes. A magic 32 bit value is
prepended to the beginning of the plaintext data to serve as verification
that the decryption succeeded.

If decryption fails for whatever reason the behavior is no different
than if no PSK/Passphrase value was found at all, meaning an agent
request will be required to re-establish the PSK/passphrase or manually
providing the PreSharedKey/Passphrase in plaintext in the provisioning file.
---
 src/network.c | 183 ++++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 177 insertions(+), 6 deletions(-)

diff --git a/src/network.c b/src/network.c
index 10937ab7..89d6b8e2 100644
--- a/src/network.c
+++ b/src/network.c
@@ -572,8 +572,108 @@ generate:
 	return -EIO;
 }
 
+static uint8_t *network_decrypt(const uint8_t *key, size_t key_len,
+				void *encrypted, size_t len, size_t *len_out)
+{
+	struct l_cipher *aes;
+	uint8_t iv[16] = { 0 };
+	uint32_t magic = 0x0abcdef0;
+	uint8_t *out;
+
+	aes = l_cipher_new(L_CIPHER_AES_CTR, key, key_len);
+	l_cipher_set_iv(aes, iv, sizeof(iv));
+
+	out = l_malloc(len);
+
+	l_cipher_decrypt(aes, encrypted, out, len);
+
+	if (memcmp(out, &magic, 4)) {
+		l_free(out);
+		return NULL;
+	}
+
+	memmove(out, out + 4, len - 4);
+
+	*len_out = len - 4;
+
+	return out;
+}
+
+static int network_decrypt_secrets(const uint8_t *key, size_t key_len,
+					struct network *network,
+					uint8_t **psk, size_t *psk_len,
+					char **passphrase)
+{
+	uint8_t *encrypted;
+	size_t elen, dlen;
+	uint8_t *psk_out = NULL;
+	size_t psk_len_out = 0;
+	char *passphrase_out = NULL;
+
+	if (*psk || *passphrase) {
+		/*
+		 * Likely the first time running IWD after SystemdEncrypt was
+		 * enabled. Let network_load_psk process the psk/passphrase in
+		 * plaintext but set sync_settings so they will be force written
+		 * to disk as the *Encrypted options.
+		 *
+		 * Someone could have manually added Passphrase/PreSharedKey
+		 * back into the file too but either way sync the settings.
+		 */
+		network->sync_settings = true;
+		return 0;
+	}
+
+	encrypted = l_settings_get_bytes(network->settings, "Security",
+					"PreSharedKeyEncrypted", &elen);
+	if (encrypted) {
+		psk_out = network_decrypt(key, key_len, encrypted,
+					elen, &psk_len_out);
+		if (!psk_out) {
+			l_error("Decryption failed for PreSharedKey");
+			l_free(encrypted);
+			return -ENOKEY;
+		}
+
+		l_free(encrypted);
+	}
+
+	encrypted = l_settings_get_bytes(network->settings, "Security",
+					"PassphraseEncrypted", &elen);
+	if (encrypted) {
+		uint8_t *p = network_decrypt(key, key_len, encrypted,
+						elen, &dlen);
+		if (!p) {
+			l_error("Decryption failed for Passphrase");
+			l_free(encrypted);
+			return -ENOKEY;
+		}
+
+		passphrase_out = l_malloc(dlen + 1);
+		memcpy(passphrase_out, p, dlen);
+		passphrase_out[dlen] = '\0';
+
+		l_free(p);
+		l_free(encrypted);
+	}
+
+	if (psk)
+		*psk = psk_out;
+
+	if (psk_len)
+		*psk_len = psk_len_out;
+
+	if (passphrase)
+		*passphrase = passphrase_out;
+
+	return 0;
+}
+
 static int network_load_psk(struct network *network, bool need_passphrase)
 {
+	size_t key_len;
+	const uint8_t *key = iwd_get_system_key(&key_len);
+	int ret;
 	const char *ssid = network_get_ssid(network);
 	enum security security = network_get_security(network);
 	size_t psk_len;
@@ -586,6 +686,13 @@ static int network_load_psk(struct network *network, bool need_passphrase)
 	_auto_(l_free) char *path =
 		storage_get_network_file_path(security, ssid);
 
+	if (key) {
+		ret = network_decrypt_secrets(key, key_len, network,
+						&psk, &psk_len, &passphrase);
+		if (ret < 0)
+			return ret;
+	}
+
 	if (psk && psk_len != 32) {
 		l_error("%s: invalid PreSharedKey format", path);
 		l_free(psk);
@@ -639,9 +746,69 @@ static void network_settings_save_sae_pt_ecc(struct l_settings *settings,
 	l_settings_set_bytes(settings, "Security", key, buf, len);
 }
 
+/*
+ * Using AES-CTR to with a zero IV to avoid dealing with padding as opposed to
+ * regular AES. 4 magic bytes are prepended to the plaintext bytes to act as
+ * verification when the data is decrypted.
+ */
+static uint8_t *network_encrypt(const uint8_t *key, size_t key_len,
+				void *decrypted, size_t len, size_t *len_out)
+{
+	struct l_cipher *aes;
+	uint8_t iv[16] = { 0 };
+	uint32_t magic = 0x0abcdef0;
+	uint8_t in[len + 4];
+	uint8_t *out;
+
+	aes = l_cipher_new(L_CIPHER_AES_CTR, key, key_len);
+	l_cipher_set_iv(aes, iv, sizeof(iv));
+
+	memcpy(in, &magic, 4);
+	memcpy(in + 4, decrypted, len);
+
+	out = l_malloc(len + 4);
+
+	l_cipher_encrypt(aes, in, out, len + 4);
+
+	*len_out = len + 4;
+
+	return out;
+}
+
+static void network_encrypt_secrets(const uint8_t *key, size_t len,
+					struct network *network,
+					struct l_settings *settings)
+{
+	uint8_t *enc;
+	size_t enc_len;
+
+	if (network->psk) {
+		enc = network_encrypt(key, len, network->psk, 32, &enc_len);
+
+		l_settings_set_bytes(settings, "Security",
+					"PreSharedKeyEncrypted", enc, enc_len);
+
+		l_free(enc);
+	}
+
+	if (network->passphrase) {
+		enc = network_encrypt(key, len, network->passphrase,
+					strlen(network->passphrase), &enc_len);;
+
+		l_settings_set_bytes(settings, "Security",
+					"PassphraseEncrypted", enc, enc_len);
+
+		l_free(enc);
+	}
+
+}
+
 static void network_settings_save(struct network *network,
 						struct l_settings *settings)
 {
+	size_t key_len;
+	const uint8_t *encrypt_key = iwd_get_system_key(&key_len);
+
 	if (network->have_transition_disable) {
 		char *modes[4];
 		unsigned int i = 0;
@@ -670,13 +837,17 @@ static void network_settings_save(struct network *network,
 	/* We only update the [Security] bits here, wipe the group first */
 	l_settings_remove_group(settings, "Security");
 
-	if (network->psk)
-		l_settings_set_bytes(settings, "Security", "PreSharedKey",
-					network->psk, 32);
+	if (!encrypt_key) {
+		if (network->psk)
+			l_settings_set_bytes(settings, "Security", "PreSharedKey",
+						network->psk, 32);
 
-	if (network->passphrase)
-		l_settings_set_string(settings, "Security", "Passphrase",
-					network->passphrase);
+		if (network->passphrase)
+			l_settings_set_string(settings, "Security", "Passphrase",
+						network->passphrase);
+	} else
+		network_encrypt_secrets(encrypt_key, key_len, network,
+						settings);
 
 	if (network->sae_pt_19)
 		network_settings_save_sae_pt_ecc(settings, network->sae_pt_19);
-- 
2.31.1