dissect.target 3.21.dev15__py3-none-any.whl → 3.21.dev16__py3-none-any.whl

dissect/target/plugins/os/unix/linux/fortios/_os.py

@@ -2,6 +2,7 @@ from __future__ import annotations
 
 import gzip
 import hashlib
+import struct
 from base64 import b64decode
 from datetime import datetime
 from io import BytesIO
@@ -17,11 +18,17 @@ from dissect.target.helpers.fsutil import open_decompress
 from dissect.target.helpers.record import TargetRecordDescriptor, UnixUserRecord
 from dissect.target.plugin import OperatingSystem, export
 from dissect.target.plugins.os.unix.linux._os import LinuxPlugin
-from dissect.target.plugins.os.unix.linux.fortios._keys import KERNEL_KEY_MAP
+from dissect.target.plugins.os.unix.linux.fortios._keys import (
+    KERNEL_KEY_MAP,
+    AesKey,
+    ChaCha20Key,
+    ChaCha20Seed,
+)
 from dissect.target.target import Target
 
 try:
     from Crypto.Cipher import AES, ChaCha20
+    from Crypto.Util import Counter
 
     HAS_CRYPTO = True
 except ImportError:
@@ -95,8 +102,11 @@ class FortiOSPlugin(LinuxPlugin):
             # The rootfs.gz file could be encrypted.
             try:
                 kernel_hash = get_kernel_hash(sysvol)
-                key, iv = key_iv_for_kernel_hash(kernel_hash)
-                rfs_fh = decrypt_rootfs(rootfs.open(), key, iv)
+                target.log.info("Kernel hash: %s", kernel_hash)
+                key = key_iv_for_kernel_hash(kernel_hash)
+                target.log.info("Trying to decrypt_rootfs using key: %r", key)
+                rfs_fh = decrypt_rootfs(rootfs.open(), key)
+                target.log.info("Decrypted fh: %r", rfs_fh)
                 vfs = TarFilesystem(rfs_fh, tarinfo=cpio.CpioInfo)
             except RuntimeError:
                 target.log.warning("Could not decrypt rootfs.gz. Missing `pycryptodome` dependency.")
@@ -471,7 +481,7 @@ def decrypt_password(input: str) -> str:
         return "ENC:" + input
 
 
-def key_iv_for_kernel_hash(kernel_hash: str) -> tuple[bytes, bytes]:
+def key_iv_for_kernel_hash(kernel_hash: str) -> AesKey | ChaCha20Key:
     """Return decryption key and IV for a specific sha256 kernel hash.
 
     The decryption key and IV are used to decrypt the ``rootfs.gz`` file.
@@ -486,17 +496,96 @@ def key_iv_for_kernel_hash(kernel_hash: str) -> tuple[bytes, bytes]:
         ValueError: When no decryption keys are available for the given kernel hash.
     """
 
-    key = bytes.fromhex(KERNEL_KEY_MAP.get(kernel_hash, ""))
-    if len(key) == 32:
+    key = KERNEL_KEY_MAP.get(kernel_hash)
+    if isinstance(key, ChaCha20Seed):
         # FortiOS 7.4.x uses a KDF to derive the key and IV
-        return _kdf_7_4_x(key)
-    elif len(key) == 48:
+        key, iv = _kdf_7_4_x(key.key)
+        return ChaCha20Key(key, iv)
+    elif isinstance(key, ChaCha20Key):
         # FortiOS 7.0.13 and 7.0.14 uses a static key and IV
-        return key[:32], key[32:]
+        return key
+    elif isinstance(key, AesKey):
+        # FortiOS 7.0.16, 7.2.9, 7.4.4, 7.6.0 and higher uses AES-CTR with a custom CTR increment
+        return key
     raise ValueError(f"No known decryption keys for kernel hash: {kernel_hash}")
 
 
-def decrypt_rootfs(fh: BinaryIO, key: bytes, iv: bytes) -> BinaryIO:
+def chacha20_decrypt(fh: BinaryIO, key: ChaCha20Key) -> bytes:
+    """Decrypt file using ChaCha20 with given ChaCha20Key.
+
+    Args:
+        fh: File-like object to the encrypted rootfs.gz file.
+        key: ChaCha20Key.
+
+    Returns:
+        Decrypted bytes.
+    """
+
+    # First 8 bytes = counter, last 8 bytes = nonce
+    # PyCryptodome interally divides this seek by 64 to get a (position, offset) tuple
+    # We're interested in updating the position in the ChaCha20 internal state, so to make
+    # PyCryptodome "OpenSSL-compatible" we have to multiply the counter by 64
+    cipher = ChaCha20.new(key=key.key, nonce=key.iv[8:])
+    cipher.seek(int.from_bytes(key.iv[:8], "little") * 64)
+    return cipher.decrypt(fh.read())
+
+
+def calculate_counter_increment(iv: bytes) -> int:
+    """Calculate the custom FortiGate CTR increment from IV.
+
+    Args:
+        iv: 16 bytes IV.
+
+    Returns:
+        Custom CTR increment.
+    """
+    increment = 0
+    for i in range(16):
+        increment ^= (iv[i] & 15) ^ ((iv[i] >> 4) & 0xFF)
+    return max(increment, 1)
+
+
+def aes_decrypt(fh: BinaryIO, key: AesKey) -> bytes:
+    """Decrypt file using a custom AES CTR increment with given AesKey.
+
+    Args:
+        fh: File-like object to the encrypted rootfs.gz file.
+        key: AesKey.
+
+    Returns:
+        Decrypted bytes.
+    """
+
+    data = bytearray(fh.read())
+
+    # Calculate custom CTR increment from IV
+    increment = calculate_counter_increment(key.iv)
+    advance_block = (b"\x69" * 16) * (increment - 1)
+
+    # AES counter is little-endian and has a prefix
+    prefix, counter = struct.unpack("<8sQ", key.iv)
+    ctr = Counter.new(
+        64,
+        prefix=prefix,
+        initial_value=counter,
+        little_endian=True,
+        allow_wraparound=True,
+    )
+    cipher = AES.new(key.key, mode=AES.MODE_CTR, counter=ctr)
+
+    nblocks, nleft = divmod(len(data), 16)
+    for i in range(nblocks):
+        offset = i * 16
+        data[offset : offset + 16] = cipher.decrypt(data[offset : offset + 16])
+        cipher.decrypt(advance_block)  # custom advance the counter
+
+    if nleft:
+        data[nblocks * 16 :] = cipher.decrypt(data[nblocks * 16 :])
+
+    return data
+
+
+def decrypt_rootfs(fh: BinaryIO, key: ChaCha20Key | AesKey) -> BinaryIO:
     """Attempt to decrypt an encrypted ``rootfs.gz`` file with given key and IV.
 
     FortiOS releases as of 7.4.1 / 2023-08-31, have ChaCha20 encrypted ``rootfs.gz`` files.
@@ -511,8 +600,7 @@ def decrypt_rootfs(fh: BinaryIO, key: bytes, iv: bytes) -> BinaryIO:
 
     Args:
         fh: File-like object to the encrypted rootfs.gz file.
-        key: ChaCha20 key.
-        iv: ChaCha20 iv.
+        key: ChaCha20Key or AesKey.
 
     Returns:
         File-like object to the decrypted rootfs.gz file.
@@ -525,13 +613,12 @@ def decrypt_rootfs(fh: BinaryIO, key: bytes, iv: bytes) -> BinaryIO:
     if not HAS_CRYPTO:
         raise RuntimeError("Missing pycryptodome dependency")
 
-    # First 8 bytes = counter, last 8 bytes = nonce
-    # PyCryptodome interally divides this seek by 64 to get a (position, offset) tuple
-    # We're interested in updating the position in the ChaCha20 internal state, so to make
-    # PyCryptodome "OpenSSL-compatible" we have to multiply the counter by 64
-    cipher = ChaCha20.new(key=key, nonce=iv[8:])
-    cipher.seek(int.from_bytes(iv[:8], "little") * 64)
-    result = cipher.decrypt(fh.read())
+    result = b""
+    if isinstance(key, ChaCha20Key):
+        result = chacha20_decrypt(fh, key)
+    elif isinstance(key, AesKey):
+        result = aes_decrypt(fh, key)
+        result = result[:-256]  # strip off the 256 byte footer
 
     if result[0:2] != b"\x1f\x8b":
         raise ValueError("Failed to decrypt: No gzip magic header found.")
@@ -539,7 +626,7 @@ def decrypt_rootfs(fh: BinaryIO, key: bytes, iv: bytes) -> BinaryIO:
     return BytesIO(result)
 
 
-def _kdf_7_4_x(key_data: str | bytes) -> tuple[bytes, bytes]:
+def _kdf_7_4_x(key_data: str | bytes, offset_key: int = 4, offset_iv: int = 5) -> tuple[bytes, bytes]:
     """Derive 32 byte key and 16 byte IV from 32 byte seed.
 
     As the IV needs to be 16 bytes, we return the first 16 bytes of the sha256 hash.
@@ -548,8 +635,8 @@ def _kdf_7_4_x(key_data: str | bytes) -> tuple[bytes, bytes]:
     if isinstance(key_data, str):
         key_data = bytes.fromhex(key_data)
 
-    key = hashlib.sha256(key_data[4:32] + key_data[:4]).digest()
-    iv = hashlib.sha256(key_data[5:32] + key_data[:5]).digest()[:16]
+    key = hashlib.sha256(key_data[offset_key:32] + key_data[:offset_key]).digest()
+    iv = hashlib.sha256(key_data[offset_iv:32] + key_data[:offset_iv]).digest()[:16]
     return key, iv
 
 

{dissect.target-3.21.dev15.dist-info → dissect.target-3.21.dev16.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: dissect.target
-Version: 3.21.dev15
+Version: 3.21.dev16
 Summary: This module ties all other Dissect modules together, it provides a programming API and command line tools which allow easy access to various data sources inside disk images or file collections (a.k.a. targets)
 Author-email: Dissect Team <dissect@fox-it.com>
 License: Affero General Public License v3

{dissect.target-3.21.dev15.dist-info → dissect.target-3.21.dev16.dist-info}/RECORD

@@ -252,8 +252,8 @@ dissect/target/plugins/os/unix/linux/debian/proxmox/vm.py,sha256=Z5IDA5Oot4P2hh6
 dissect/target/plugins/os/unix/linux/debian/vyos/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dissect/target/plugins/os/unix/linux/debian/vyos/_os.py,sha256=TPjcfv1n68RCe3Er4aCVQwQDCZwJT-NLvje3kPjDfhk,1744
 dissect/target/plugins/os/unix/linux/fortios/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-dissect/target/plugins/os/unix/linux/fortios/_keys.py,sha256=PMOYIaA_Bn-WHXBKgl2xwwNFwMc0TxWBmLfxCSkSFVs,215099
-dissect/target/plugins/os/unix/linux/fortios/_os.py,sha256=7ZIwWFEfYwE924IvGfuinv1mEP6Uh28pl8VHSmsGKmM,20152
+dissect/target/plugins/os/unix/linux/fortios/_keys.py,sha256=XWB-a_x7TBCi12u6tLENbD3G5dIZNnChWsLwH9AyyvI,480147
+dissect/target/plugins/os/unix/linux/fortios/_os.py,sha256=VpG8IBEMluNOWug6X7q8TIP_bYjTEfBCGHluDPgx03Y,22669
 dissect/target/plugins/os/unix/linux/fortios/generic.py,sha256=dc6YTDLV-VZq9k8IWmY_PE0sTGkkp3yamR-cYNUCtes,1265
 dissect/target/plugins/os/unix/linux/fortios/locale.py,sha256=Pe7Bdj8UemCiktLeQnQ50TpY_skARAzRJA0ewAB4710,5243
 dissect/target/plugins/os/unix/linux/redhat/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -383,10 +383,10 @@ dissect/target/volumes/luks.py,sha256=OmCMsw6rCUXG1_plnLVLTpsvE1n_6WtoRUGQbpmu1z
 dissect/target/volumes/lvm.py,sha256=wwQVR9I3G9YzmY6UxFsH2Y4MXGBcKL9aayWGCDTiWMU,2269
 dissect/target/volumes/md.py,sha256=7ShPtusuLGaIv27SvEETtgsuoQyAa4iAAeOR1NEaajI,1689
 dissect/target/volumes/vmfs.py,sha256=-LoUbn9WNwTtLi_4K34uV_-wDw2W5hgaqxZNj4UmqAQ,1730
-dissect.target-3.21.dev15.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
-dissect.target-3.21.dev15.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
-dissect.target-3.21.dev15.dist-info/METADATA,sha256=p2xaB0NEJpuBOXNn5kO1O5JudBJu7GqmzZZlFIYwO3A,13187
-dissect.target-3.21.dev15.dist-info/WHEEL,sha256=PZUExdf71Ui_so67QXpySuHtCi3-J3wvF4ORK6k_S8U,91
-dissect.target-3.21.dev15.dist-info/entry_points.txt,sha256=yQwLCWUuzHgS6-sfCcRk66gAfoCfqXdCjqKjvhnQW8o,537
-dissect.target-3.21.dev15.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
-dissect.target-3.21.dev15.dist-info/RECORD,,
+dissect.target-3.21.dev16.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
+dissect.target-3.21.dev16.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
+dissect.target-3.21.dev16.dist-info/METADATA,sha256=icMKSQBO0aOVzKaJDGemuCo9oGVLiGloPTThqJ0Us4M,13187
+dissect.target-3.21.dev16.dist-info/WHEEL,sha256=PZUExdf71Ui_so67QXpySuHtCi3-J3wvF4ORK6k_S8U,91
+dissect.target-3.21.dev16.dist-info/entry_points.txt,sha256=yQwLCWUuzHgS6-sfCcRk66gAfoCfqXdCjqKjvhnQW8o,537
+dissect.target-3.21.dev16.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
+dissect.target-3.21.dev16.dist-info/RECORD,,