Re: [PATCH v8 1/6] storage: implement network profile encryption

[Denis Kenzior <denkenz at gmail.com>]

[-- Attachment #1: Type: text/plain, Size: 3098 bytes --]

On 2/15/22 15:41, James Prestwood wrote:
> Some users don't like the idea of storing network credentials in plaintext
> on the file system. As far as IWD goes the credential directory permissions
> should be set up such that nobody but the owner/root have access but
> nevertheless they are still plaintext.
> 
> For added security these credentials can be encrypted using a secret key.
> In this patch the origination of the key does not matter, but in this
> patch series IWD will support a systemd provided key.
> 
> The encryption itself will operate on the entire [Security] group as well
> as all embedded groups. Once encrypted the [Security] group will be replaced
> with two key/values:
> 
> EncryptedSalt - A random string of bytes used for the encryption
> EncryptedSecurity - A string of bytes containing the encrypted [Security]
>                      group, as well as all embedded groups.
> 
> After the profile has been encrypted these values should not be modified.
> Note that any values added to [Security] after encryption has no effect.
> Once the profile is encrypted there is no way to modify [Security] without
> manually decrypting first, or just removing it entirely which effectively
> treated a 'new' profile.
> 
> The encryption/decryption is done using AES-SIV with a salt value and the
> network SSID as the IV.
> 
> Once a key is set any profiles opened will automatically be encrypted and
> re-written to disk. Modules using network_storage_open will be provided
> the decrypted profile, and will be unaware it was ever encrypted in the
> first place. Similarly when network_storage_sync is called the profile
> will by automatically encrypted and written to disk without the caller
> needing to do anything special.
> 
> A few private storage.c helpers were added to serve several purposes:
> 
> storage_init/exit():
> This sets/cleans up the encryption key direct from systemd then uses extract
> and expand to create a new fixed length key to do encryption/decryption.
> 
> __storage_decrypt():
> Low level API to decrypt an l_settings object using a previously set key and
> the SSID/name for the network. This returns a 'changed' out parameter signifying
> that the settings need to be encrypted and re-written to disk. The purpose of
> exposing this is for a standalone decryption tool which does not re-write any
> settings.
> 
> __storage_open():
> Wrapper around __storage_decrypt() that handles re-writing a new profile to
> disk. This was exposed in order to support hotspot profiles.
> 
> __storage_encrypt():
> Encrypts an l_settings object and returns the full profile as data
> ---
>   Makefile.am   |   3 +-
>   src/storage.c | 315 ++++++++++++++++++++++++++++++++++++++++++++++++--
>   src/storage.h |  10 ++
>   3 files changed, 316 insertions(+), 12 deletions(-)
> 

I went ahead and applied everything in this set (except patch 4) with some 
slight modifications.  Mostly just small nitpick fixes, clarifying some comments 
and taking care of some >80 char lines.

Regards,
-Denis