]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/shared/creds-util.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #30284 from YHNdnzj/fstab-wantedby-defaultdeps
[thirdparty/systemd.git] / src / shared / creds-util.c
1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3 #include <sys/file.h>
4
5 #if HAVE_OPENSSL
6 #include <openssl/err.h>
7 #endif
8
9 #include "sd-id128.h"
10
11 #include "blockdev-util.h"
12 #include "capability-util.h"
13 #include "chattr-util.h"
14 #include "constants.h"
15 #include "creds-util.h"
16 #include "efi-api.h"
17 #include "env-util.h"
18 #include "fd-util.h"
19 #include "fileio.h"
20 #include "fs-util.h"
21 #include "io-util.h"
22 #include "memory-util.h"
23 #include "mkdir.h"
24 #include "openssl-util.h"
25 #include "parse-util.h"
26 #include "path-util.h"
27 #include "random-util.h"
28 #include "sparse-endian.h"
29 #include "stat-util.h"
30 #include "tpm2-util.h"
31 #include "virt.h"
32
33 #define PUBLIC_KEY_MAX (UINT32_C(1024) * UINT32_C(1024))
34
35 bool credential_name_valid(const char *s) {
36 /* We want that credential names are both valid in filenames (since that's our primary way to pass
37 * them around) and as fdnames (which is how we might want to pass them around eventually) */
38 return filename_is_valid(s) && fdname_is_valid(s);
39 }
40
41 bool credential_glob_valid(const char *s) {
42 const char *e, *a;
43 size_t n;
44
45 /* Checks if a credential glob expression is valid. Note that this is more restrictive than
46 * fnmatch()! We only allow trailing asterisk matches for now (simply because we want some freedom
47 * with automatically extending the pattern in a systematic way to cover for unit instances getting
48 * per-instance credentials or similar. Moreover, credential globbing expressions are also more
49 * restrictive then credential names: we don't allow *, ?, [, ] in them (except for the asterisk
50 * match at the end of the string), simply to not allow ambiguity. After all, we want the flexibility
51 * to one day add full globbing should the need arise. */
52
53 if (isempty(s))
54 return false;
55
56 /* Find first glob (or NUL byte) */
57 n = strcspn(s, "*?[]");
58 e = s + n;
59
60 /* For now, only allow asterisk wildcards, and only at the end of the string. If it's anything else, refuse. */
61 if (isempty(e))
62 return credential_name_valid(s);
63
64 if (!streq(e, "*")) /* only allow trailing "*", no other globs */
65 return false;
66
67 if (n == 0) /* Explicitly allow the complete wildcard. */
68 return true;
69
70 if (n > NAME_MAX + strlen(e)) /* before we make a copy on the stack, let's check this is not overly large */
71 return false;
72
73 /* Make a copy of the string without the '*' suffix */
74 a = strndupa_safe(s, n);
75
76 return credential_name_valid(a);
77 }
78
79 static int get_credentials_dir_internal(const char *envvar, const char **ret) {
80 const char *e;
81
82 assert(ret);
83
84 e = secure_getenv(envvar);
85 if (!e)
86 return -ENXIO;
87
88 if (!path_is_absolute(e) || !path_is_normalized(e))
89 return -EINVAL;
90
91 *ret = e;
92 return 0;
93 }
94
95 int get_credentials_dir(const char **ret) {
96 return get_credentials_dir_internal("CREDENTIALS_DIRECTORY", ret);
97 }
98
99 int get_encrypted_credentials_dir(const char **ret) {
100 return get_credentials_dir_internal("ENCRYPTED_CREDENTIALS_DIRECTORY", ret);
101 }
102
103 int open_credentials_dir(void) {
104 const char *d;
105 int r;
106
107 r = get_credentials_dir(&d);
108 if (r < 0)
109 return r;
110
111 return RET_NERRNO(open(d, O_CLOEXEC|O_DIRECTORY));
112 }
113
114 int read_credential(const char *name, void **ret, size_t *ret_size) {
115 _cleanup_free_ char *fn = NULL;
116 const char *d;
117 int r;
118
119 assert(ret);
120
121 if (!credential_name_valid(name))
122 return -EINVAL;
123
124 r = get_credentials_dir(&d);
125 if (r < 0)
126 return r;
127
128 fn = path_join(d, name);
129 if (!fn)
130 return -ENOMEM;
131
132 return read_full_file_full(
133 AT_FDCWD, fn,
134 UINT64_MAX, SIZE_MAX,
135 READ_FULL_FILE_SECURE,
136 NULL,
137 (char**) ret, ret_size);
138 }
139
140 int read_credential_with_decryption(const char *name, void **ret, size_t *ret_size) {
141 _cleanup_(erase_and_freep) void *data = NULL;
142 _cleanup_free_ char *fn = NULL;
143 size_t sz = 0;
144 const char *d;
145 int r;
146
147 assert(ret);
148
149 /* Just like read_credential() but will also look for encrypted credentials. Note that services only
150 * receive decrypted credentials, hence use read_credential() for those. This helper here is for
151 * generators, i.e. code that runs outside of service context, and thus has no decrypted credentials
152 * yet.
153 *
154 * Note that read_credential_harder_and_warn() logs on its own, while read_credential() does not!
155 * (It's a lot more complex and error prone given its TPM2 connectivity, and is generally called from
156 * generators only where logging is OK).
157 *
158 * Error handling is also a bit different: if we can't find a credential we'll return 0 and NULL
159 * pointers/zero size, rather than -ENXIO/-ENOENT. */
160
161 if (!credential_name_valid(name))
162 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid credential name: %s", name);
163
164 r = read_credential(name, ret, ret_size);
165 if (r >= 0)
166 return 1; /* found */
167 if (!IN_SET(r, -ENXIO, -ENOENT))
168 return log_error_errno(r, "Failed read unencrypted credential '%s': %m", name);
169
170 r = get_encrypted_credentials_dir(&d);
171 if (r == -ENXIO)
172 goto not_found;
173 if (r < 0)
174 return log_error_errno(r, "Failed to determine encrypted credentials directory: %m");
175
176 fn = path_join(d, name);
177 if (!fn)
178 return log_oom();
179
180 r = read_full_file_full(
181 AT_FDCWD, fn,
182 UINT64_MAX, SIZE_MAX,
183 READ_FULL_FILE_SECURE,
184 NULL,
185 (char**) &data, &sz);
186 if (r == -ENOENT)
187 goto not_found;
188 if (r < 0)
189 return log_error_errno(r, "Failed to read encrypted credential data: %m");
190
191 r = decrypt_credential_and_warn(
192 name,
193 now(CLOCK_REALTIME),
194 /* tpm2_device = */ NULL,
195 /* tpm2_signature_path = */ NULL,
196 data,
197 sz,
198 ret,
199 ret_size);
200 if (r < 0)
201 return r;
202
203 return 1; /* found */
204
205 not_found:
206 *ret = NULL;
207
208 if (ret_size)
209 *ret_size = 0;
210
211 return 0; /* not found */
212 }
213
214 int read_credential_strings_many_internal(
215 const char *first_name, char **first_value,
216 ...) {
217
218 _cleanup_free_ void *b = NULL;
219 int r, ret = 0;
220
221 /* Reads a bunch of credentials into the specified buffers. If the specified buffers are already
222 * non-NULL frees them if a credential is found. Only supports string-based credentials
223 * (i.e. refuses embedded NUL bytes).
224 *
225 * 0 is returned when some or all credentials are missing.
226 */
227
228 if (!first_name)
229 return 0;
230
231 r = read_credential(first_name, &b, NULL);
232 if (r == -ENXIO) /* No creds passed at all? Bail immediately. */
233 return 0;
234 if (r < 0) {
235 if (r != -ENOENT)
236 ret = r;
237 } else
238 free_and_replace(*first_value, b);
239
240 va_list ap;
241 va_start(ap, first_value);
242
243 for (;;) {
244 _cleanup_free_ void *bb = NULL;
245 const char *name;
246 char **value;
247
248 name = va_arg(ap, const char *);
249 if (!name)
250 break;
251
252 value = va_arg(ap, char **);
253 if (*value)
254 continue;
255
256 r = read_credential(name, &bb, NULL);
257 if (r < 0) {
258 if (ret >= 0 && r != -ENOENT)
259 ret = r;
260 } else
261 free_and_replace(*value, bb);
262 }
263
264 va_end(ap);
265 return ret;
266 }
267
268 int read_credential_bool(const char *name) {
269 _cleanup_free_ void *data = NULL;
270 int r;
271
272 r = read_credential(name, &data, NULL);
273 if (r < 0)
274 return IN_SET(r, -ENXIO, -ENOENT) ? 0 : r;
275
276 return parse_boolean(data);
277 }
278
279 int get_credential_user_password(const char *username, char **ret_password, bool *ret_is_hashed) {
280 _cleanup_(erase_and_freep) char *creds_password = NULL;
281 _cleanup_free_ char *cn = NULL;
282 int r;
283
284 /* Try to pick up the password for this account via the credentials logic */
285 cn = strjoin("passwd.hashed-password.", username);
286 if (!cn)
287 return -ENOMEM;
288
289 r = read_credential(cn, (void**) &creds_password, NULL);
290 if (r == -ENOENT) {
291 free(cn);
292 cn = strjoin("passwd.plaintext-password.", username);
293 if (!cn)
294 return -ENOMEM;
295
296 r = read_credential(cn, (void**) &creds_password, NULL);
297 if (r < 0)
298 log_debug_errno(r, "Couldn't read credential '%s', ignoring: %m", cn);
299 else
300 *ret_is_hashed = false;
301 } else if (r < 0)
302 log_debug_errno(r, "Couldn't read credential '%s', ignoring: %m", cn);
303 else
304 *ret_is_hashed = true;
305
306 *ret_password = TAKE_PTR(creds_password);
307
308 return r;
309 }
310
311 #if HAVE_OPENSSL
312
313 #define CREDENTIAL_HOST_SECRET_SIZE 4096
314
315 static const sd_id128_t credential_app_id =
316 SD_ID128_MAKE(d3,ac,ec,ba,0d,ad,4c,df,b8,c9,38,15,28,93,6c,58);
317
318 struct credential_host_secret_format {
319 /* The hashed machine ID of the machine this belongs to. Why? We want to ensure that each machine
320 * gets its own secret, even if people forget to flush out this secret file. Hence we bind it to the
321 * machine ID, for which there's hopefully a better chance it will be flushed out. We use a hashed
322 * machine ID instead of the literal one, because it's trivial to, and it might be a good idea not
323 * being able to directly associate a secret key file with a host. */
324 sd_id128_t machine_id;
325
326 /* The actual secret key */
327 uint8_t data[CREDENTIAL_HOST_SECRET_SIZE];
328 } _packed_;
329
330 static void warn_not_encrypted(int fd, CredentialSecretFlags flags, const char *dirname, const char *filename) {
331 int r;
332
333 assert(fd >= 0);
334 assert(dirname);
335 assert(filename);
336
337 if (!FLAGS_SET(flags, CREDENTIAL_SECRET_WARN_NOT_ENCRYPTED))
338 return;
339
340 r = fd_is_encrypted(fd);
341 if (r < 0)
342 log_debug_errno(r, "Failed to determine if credential secret file '%s/%s' is encrypted.",
343 dirname, filename);
344 else if (r == 0)
345 log_warning("Credential secret file '%s/%s' is not located on encrypted media, using anyway.",
346 dirname, filename);
347 }
348
349 static int make_credential_host_secret(
350 int dfd,
351 const sd_id128_t machine_id,
352 CredentialSecretFlags flags,
353 const char *dirname,
354 const char *fn,
355 void **ret_data,
356 size_t *ret_size) {
357
358 _cleanup_free_ char *t = NULL;
359 _cleanup_close_ int fd = -EBADF;
360 int r;
361
362 assert(dfd >= 0);
363 assert(fn);
364
365 /* For non-root users creating a temporary file using the openat(2) over "." will fail later, in the
366 * linkat(2) step at the end. The reason is that linkat(2) requires the CAP_DAC_READ_SEARCH
367 * capability when it uses the AT_EMPTY_PATH flag. */
368 if (have_effective_cap(CAP_DAC_READ_SEARCH) > 0) {
369 fd = openat(dfd, ".", O_CLOEXEC|O_WRONLY|O_TMPFILE, 0400);
370 if (fd < 0)
371 log_debug_errno(errno, "Failed to create temporary credential file with O_TMPFILE, proceeding without: %m");
372 }
373 if (fd < 0) {
374 if (asprintf(&t, "credential.secret.%016" PRIx64, random_u64()) < 0)
375 return -ENOMEM;
376
377 fd = openat(dfd, t, O_CLOEXEC|O_WRONLY|O_CREAT|O_EXCL|O_NOFOLLOW, 0400);
378 if (fd < 0)
379 return -errno;
380 }
381
382 r = chattr_secret(fd, 0);
383 if (r < 0)
384 log_debug_errno(r, "Failed to set file attributes for secrets file, ignoring: %m");
385
386 struct credential_host_secret_format buf = {
387 .machine_id = machine_id,
388 };
389
390 CLEANUP_ERASE(buf);
391
392 r = crypto_random_bytes(buf.data, sizeof(buf.data));
393 if (r < 0)
394 goto fail;
395
396 r = loop_write(fd, &buf, sizeof(buf));
397 if (r < 0)
398 goto fail;
399
400 if (fsync(fd) < 0) {
401 r = -errno;
402 goto fail;
403 }
404
405 warn_not_encrypted(fd, flags, dirname, fn);
406
407 if (t) {
408 r = rename_noreplace(dfd, t, dfd, fn);
409 if (r < 0)
410 goto fail;
411
412 t = mfree(t);
413 } else if (linkat(fd, "", dfd, fn, AT_EMPTY_PATH) < 0) {
414 r = -errno;
415 goto fail;
416 }
417
418 if (fsync(dfd) < 0) {
419 r = -errno;
420 goto fail;
421 }
422
423 if (ret_data) {
424 void *copy;
425
426 copy = memdup(buf.data, sizeof(buf.data));
427 if (!copy) {
428 r = -ENOMEM;
429 goto fail;
430 }
431
432 *ret_data = copy;
433 }
434
435 if (ret_size)
436 *ret_size = sizeof(buf.data);
437
438 return 0;
439
440 fail:
441 if (t && unlinkat(dfd, t, 0) < 0)
442 log_debug_errno(errno, "Failed to remove temporary credential key: %m");
443
444 return r;
445 }
446
447 int get_credential_host_secret(CredentialSecretFlags flags, void **ret, size_t *ret_size) {
448 _cleanup_free_ char *_dirname = NULL, *_filename = NULL;
449 _cleanup_close_ int dfd = -EBADF;
450 sd_id128_t machine_id;
451 const char *dirname, *filename;
452 int r;
453
454 r = sd_id128_get_machine_app_specific(credential_app_id, &machine_id);
455 if (r < 0)
456 return r;
457
458 const char *e = secure_getenv("SYSTEMD_CREDENTIAL_SECRET");
459 if (e) {
460 if (!path_is_normalized(e))
461 return -EINVAL;
462 if (!path_is_absolute(e))
463 return -EINVAL;
464
465 r = path_extract_directory(e, &_dirname);
466 if (r < 0)
467 return r;
468
469 r = path_extract_filename(e, &_filename);
470 if (r < 0)
471 return r;
472
473 dirname = _dirname;
474 filename = _filename;
475 } else {
476 dirname = "/var/lib/systemd";
477 filename = "credential.secret";
478 }
479
480 assert(dirname);
481 assert(filename);
482
483 mkdir_parents(dirname, 0755);
484 dfd = open_mkdir_at(AT_FDCWD, dirname, O_CLOEXEC, 0755);
485 if (dfd < 0)
486 return log_debug_errno(dfd, "Failed to create or open directory '%s': %m", dirname);
487
488 if (FLAGS_SET(flags, CREDENTIAL_SECRET_FAIL_ON_TEMPORARY_FS)) {
489 r = fd_is_temporary_fs(dfd);
490 if (r < 0)
491 return log_debug_errno(r, "Failed to check directory '%s': %m", dirname);
492 if (r > 0)
493 return log_debug_errno(SYNTHETIC_ERRNO(ENOMEDIUM),
494 "Directory '%s' is on a temporary file system, refusing.", dirname);
495 }
496
497 for (unsigned attempt = 0;; attempt++) {
498 _cleanup_(erase_and_freep) struct credential_host_secret_format *f = NULL;
499 _cleanup_close_ int fd = -EBADF;
500 size_t l = 0;
501 ssize_t n = 0;
502 struct stat st;
503
504 if (attempt >= 3) /* Somebody is playing games with us */
505 return log_debug_errno(SYNTHETIC_ERRNO(EIO),
506 "All attempts to create secret store in %s failed.", dirname);
507
508 fd = openat(dfd, filename, O_CLOEXEC|O_RDONLY|O_NOCTTY|O_NOFOLLOW);
509 if (fd < 0) {
510 if (errno != ENOENT || !FLAGS_SET(flags, CREDENTIAL_SECRET_GENERATE))
511 return log_debug_errno(errno,
512 "Failed to open %s/%s: %m", dirname, filename);
513
514
515 r = make_credential_host_secret(dfd, machine_id, flags, dirname, filename, ret, ret_size);
516 if (r == -EEXIST) {
517 log_debug_errno(r, "Credential secret %s/%s appeared while we were creating it, rereading.",
518 dirname, filename);
519 continue;
520 }
521 if (r < 0)
522 return log_debug_errno(r, "Failed to create credential secret %s/%s: %m",
523 dirname, filename);
524 return 0;
525 }
526
527 if (fstat(fd, &st) < 0)
528 return log_debug_errno(errno, "Failed to stat %s/%s: %m", dirname, filename);
529
530 r = stat_verify_regular(&st);
531 if (r < 0)
532 return log_debug_errno(r, "%s/%s is not a regular file: %m", dirname, filename);
533 if (st.st_nlink == 0) /* Deleted by now, try again */
534 continue;
535 if (st.st_nlink > 1)
536 /* Our deletion check won't work if hardlinked somewhere else */
537 return log_debug_errno(SYNTHETIC_ERRNO(EPERM),
538 "%s/%s has too many links, refusing.",
539 dirname, filename);
540 if ((st.st_mode & 07777) != 0400)
541 /* Don't use file if not 0400 access mode */
542 return log_debug_errno(SYNTHETIC_ERRNO(EPERM),
543 "%s/%s has permissive access mode, refusing.",
544 dirname, filename);
545 l = st.st_size;
546 if (l < offsetof(struct credential_host_secret_format, data) + 1)
547 return log_debug_errno(SYNTHETIC_ERRNO(EINVAL),
548 "%s/%s is too small, refusing.", dirname, filename);
549 if (l > 16*1024*1024)
550 return log_debug_errno(SYNTHETIC_ERRNO(E2BIG),
551 "%s/%s is too big, refusing.", dirname, filename);
552
553 f = malloc(l+1);
554 if (!f)
555 return log_oom_debug();
556
557 n = read(fd, f, l+1);
558 if (n < 0)
559 return log_debug_errno(errno,
560 "Failed to read %s/%s: %m", dirname, filename);
561 if ((size_t) n != l) /* What? The size changed? */
562 return log_debug_errno(SYNTHETIC_ERRNO(EIO),
563 "Failed to read %s/%s: %m", dirname, filename);
564
565 if (sd_id128_equal(machine_id, f->machine_id)) {
566 size_t sz;
567
568 warn_not_encrypted(fd, flags, dirname, filename);
569
570 sz = l - offsetof(struct credential_host_secret_format, data);
571 assert(sz > 0);
572
573 if (ret) {
574 void *copy;
575
576 assert(sz <= sizeof(f->data)); /* Ensure we don't read past f->data bounds */
577
578 copy = memdup(f->data, sz);
579 if (!copy)
580 return log_oom_debug();
581
582 *ret = copy;
583 }
584
585 if (ret_size)
586 *ret_size = sz;
587
588 return 0;
589 }
590
591 /* Hmm, this secret is from somewhere else. Let's delete the file. Let's first acquire a lock
592 * to ensure we are the only ones accessing the file while we delete it. */
593
594 if (flock(fd, LOCK_EX) < 0)
595 return log_debug_errno(errno,
596 "Failed to flock %s/%s: %m", dirname, filename);
597
598 /* Before we delete it check that the file is still linked into the file system */
599 if (fstat(fd, &st) < 0)
600 return log_debug_errno(errno, "Failed to stat %s/%s: %m", dirname, filename);
601 if (st.st_nlink == 0) /* Already deleted by now? */
602 continue;
603 if (st.st_nlink != 1) /* Safety check, someone is playing games with us */
604 return log_debug_errno(SYNTHETIC_ERRNO(EPERM),
605 "%s/%s unexpectedly has too many links.",
606 dirname, filename);
607 if (unlinkat(dfd, filename, 0) < 0)
608 return log_debug_errno(errno, "Failed to unlink %s/%s: %m", dirname, filename);
609
610 /* And now try again */
611 }
612 }
613
614 /* Construction is like this:
615 *
616 * A symmetric encryption key is derived from:
617 *
618 * 1. Either the "host" key (a key stored in /var/lib/credential.secret)
619 *
620 * 2. A key generated by letting the TPM2 calculate an HMAC hash of some nonce we pass to it, keyed
621 * by a key derived from its internal seed key.
622 *
623 * 3. The concatenation of the above.
624 *
625 * 4. Or a fixed "empty" key. This will not provide confidentiality or authenticity, of course, but is
626 * useful to encode credentials for the initrd on TPM-less systems, where we simply have no better
627 * concept to bind things to. Note that decryption of a key set up like this will be refused on
628 * systems that have a TPM and have SecureBoot enabled.
629 *
630 * The above is hashed with SHA256 which is then used as encryption key for AES256-GCM. The encrypted
631 * credential is a short (unencrypted) header describing which of the three keys to use, the IV to use for
632 * AES256-GCM and some more meta information (sizes of certain objects) that is strictly speaking redundant,
633 * but kinda nice to have since we can have a more generic parser. If the TPM2 key is used this is followed
634 * by another (unencrypted) header, with information about the TPM2 policy used (specifically: the PCR mask
635 * to bind against, and a hash of the resulting policy — the latter being redundant, but speeding up things a
636 * bit, since we can more quickly refuse PCR state), followed by a sealed/exported TPM2 HMAC key. This is
637 * then followed by the encrypted data, which begins with a metadata header (which contains validity
638 * timestamps as well as the credential name), followed by the actual credential payload. The file ends in
639 * the AES256-GCM tag. To make things simple, the AES256-GCM AAD covers the main and the TPM2 header in
640 * full. This means the whole file is either protected by AAD, or is ciphertext, or is the tag. No
641 * unprotected data is included.
642 */
643
644 struct _packed_ encrypted_credential_header {
645 sd_id128_t id;
646 le32_t key_size;
647 le32_t block_size;
648 le32_t iv_size;
649 le32_t tag_size;
650 uint8_t iv[];
651 /* Followed by NUL bytes until next 8 byte boundary */
652 };
653
654 struct _packed_ tpm2_credential_header {
655 le64_t pcr_mask; /* Note that the spec for PC Clients only mandates 24 PCRs, and that's what systems
656 * generally have. But keep the door open for more. */
657 le16_t pcr_bank; /* For now, either TPM2_ALG_SHA256 or TPM2_ALG_SHA1 */
658 le16_t primary_alg; /* Primary key algorithm (either TPM2_ALG_RSA or TPM2_ALG_ECC for now) */
659 le32_t blob_size;
660 le32_t policy_hash_size;
661 uint8_t policy_hash_and_blob[];
662 /* Followed by NUL bytes until next 8 byte boundary */
663 };
664
665 struct _packed_ tpm2_public_key_credential_header {
666 le64_t pcr_mask; /* PCRs used for the public key PCR policy (usually just PCR 11, i.e. the unified kernel) */
667 le32_t size; /* Size of DER public key */
668 uint8_t data[]; /* DER public key */
669 /* Followed by NUL bytes until next 8 byte boundary */
670 };
671
672 struct _packed_ metadata_credential_header {
673 le64_t timestamp;
674 le64_t not_after;
675 le32_t name_size;
676 char name[];
677 /* Followed by NUL bytes until next 8 byte boundary */
678 };
679
680 /* Some generic limit for parts of the encrypted credential for which we don't know the right size ahead of
681 * time, but where we are really sure it won't be larger than this. Should be larger than any possible IV,
682 * padding, tag size and so on. This is purely used for early filtering out of invalid sizes. */
683 #define CREDENTIAL_FIELD_SIZE_MAX (16U*1024U)
684
685 static int sha256_hash_host_and_tpm2_key(
686 const void *host_key,
687 size_t host_key_size,
688 const void *tpm2_key,
689 size_t tpm2_key_size,
690 uint8_t ret[static SHA256_DIGEST_LENGTH]) {
691
692 _cleanup_(EVP_MD_CTX_freep) EVP_MD_CTX *md = NULL;
693 unsigned l;
694
695 assert(host_key_size == 0 || host_key);
696 assert(tpm2_key_size == 0 || tpm2_key);
697 assert(ret);
698
699 /* Combines the host key and the TPM2 HMAC hash into a SHA256 hash value we'll use as symmetric encryption key. */
700
701 md = EVP_MD_CTX_new();
702 if (!md)
703 return log_oom();
704
705 if (EVP_DigestInit_ex(md, EVP_sha256(), NULL) != 1)
706 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to initial SHA256 context.");
707
708 if (host_key && EVP_DigestUpdate(md, host_key, host_key_size) != 1)
709 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to hash host key.");
710
711 if (tpm2_key && EVP_DigestUpdate(md, tpm2_key, tpm2_key_size) != 1)
712 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to hash TPM2 key.");
713
714 assert(EVP_MD_CTX_size(md) == SHA256_DIGEST_LENGTH);
715
716 if (EVP_DigestFinal_ex(md, ret, &l) != 1)
717 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to finalize SHA256 hash.");
718
719 assert(l == SHA256_DIGEST_LENGTH);
720 return 0;
721 }
722
723 int encrypt_credential_and_warn(
724 sd_id128_t with_key,
725 const char *name,
726 usec_t timestamp,
727 usec_t not_after,
728 const char *tpm2_device,
729 uint32_t tpm2_hash_pcr_mask,
730 const char *tpm2_pubkey_path,
731 uint32_t tpm2_pubkey_pcr_mask,
732 const void *input,
733 size_t input_size,
734 void **ret,
735 size_t *ret_size) {
736
737 _cleanup_(EVP_CIPHER_CTX_freep) EVP_CIPHER_CTX *context = NULL;
738 _cleanup_(erase_and_freep) void *host_key = NULL, *tpm2_key = NULL;
739 size_t host_key_size = 0, tpm2_key_size = 0, tpm2_blob_size = 0, tpm2_policy_hash_size = 0, output_size, p, ml;
740 _cleanup_free_ void *tpm2_blob = NULL, *tpm2_policy_hash = NULL, *iv = NULL, *output = NULL;
741 _cleanup_free_ struct metadata_credential_header *m = NULL;
742 uint16_t tpm2_pcr_bank = 0, tpm2_primary_alg = 0;
743 struct encrypted_credential_header *h;
744 int ksz, bsz, ivsz, tsz, added, r;
745 _cleanup_free_ void *pubkey = NULL;
746 size_t pubkey_size = 0;
747 uint8_t md[SHA256_DIGEST_LENGTH];
748 const EVP_CIPHER *cc;
749 sd_id128_t id;
750
751 assert(input || input_size == 0);
752 assert(ret);
753 assert(ret_size);
754
755 if (!sd_id128_in_set(with_key,
756 _CRED_AUTO,
757 _CRED_AUTO_INITRD,
758 CRED_AES256_GCM_BY_HOST,
759 CRED_AES256_GCM_BY_TPM2_HMAC,
760 CRED_AES256_GCM_BY_TPM2_HMAC_WITH_PK,
761 CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC,
762 CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK,
763 CRED_AES256_GCM_BY_TPM2_ABSENT))
764 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid key type: " SD_ID128_FORMAT_STR, SD_ID128_FORMAT_VAL(with_key));
765
766 if (name && !credential_name_valid(name))
767 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid credential name: %s", name);
768
769 if (not_after != USEC_INFINITY && timestamp != USEC_INFINITY && not_after < timestamp)
770 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Credential is invalidated before it is valid (" USEC_FMT " < " USEC_FMT ").", not_after, timestamp);
771
772 if (DEBUG_LOGGING) {
773 char buf[FORMAT_TIMESTAMP_MAX];
774
775 if (name)
776 log_debug("Including credential name '%s' in encrypted credential.", name);
777 if (timestamp != USEC_INFINITY)
778 log_debug("Including timestamp '%s' in encrypted credential.", format_timestamp(buf, sizeof(buf), timestamp));
779 if (not_after != USEC_INFINITY)
780 log_debug("Including not-after timestamp '%s' in encrypted credential.", format_timestamp(buf, sizeof(buf), not_after));
781 }
782
783 if (sd_id128_in_set(with_key,
784 _CRED_AUTO,
785 CRED_AES256_GCM_BY_HOST,
786 CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC,
787 CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK)) {
788
789 r = get_credential_host_secret(
790 CREDENTIAL_SECRET_GENERATE|
791 CREDENTIAL_SECRET_WARN_NOT_ENCRYPTED|
792 (sd_id128_equal(with_key, _CRED_AUTO) ? CREDENTIAL_SECRET_FAIL_ON_TEMPORARY_FS : 0),
793 &host_key,
794 &host_key_size);
795 if (r == -ENOMEDIUM && sd_id128_equal(with_key, _CRED_AUTO))
796 log_debug_errno(r, "Credential host secret location on temporary file system, not using.");
797 else if (r < 0)
798 return log_error_errno(r, "Failed to determine local credential host secret: %m");
799 }
800
801 #if HAVE_TPM2
802 bool try_tpm2;
803 if (sd_id128_in_set(with_key, _CRED_AUTO, _CRED_AUTO_INITRD)) {
804 /* If automatic mode is selected lets see if a TPM2 it is present. If we are running in a
805 * container tpm2_support will detect this, and will return a different flag combination of
806 * TPM2_SUPPORT_FULL, effectively skipping the use of TPM2 when inside one. */
807
808 try_tpm2 = tpm2_support() == TPM2_SUPPORT_FULL;
809 if (!try_tpm2)
810 log_debug("System lacks TPM2 support or running in a container, not attempting to use TPM2.");
811 } else
812 try_tpm2 = sd_id128_in_set(with_key,
813 CRED_AES256_GCM_BY_TPM2_HMAC,
814 CRED_AES256_GCM_BY_TPM2_HMAC_WITH_PK,
815 CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC,
816 CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK);
817
818 if (try_tpm2) {
819 if (sd_id128_in_set(with_key,
820 _CRED_AUTO,
821 _CRED_AUTO_INITRD,
822 CRED_AES256_GCM_BY_TPM2_HMAC_WITH_PK,
823 CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK)) {
824
825 /* Load public key for PCR policies, if one is specified, or explicitly requested */
826
827 r = tpm2_load_pcr_public_key(tpm2_pubkey_path, &pubkey, &pubkey_size);
828 if (r < 0) {
829 if (tpm2_pubkey_path || r != -ENOENT || !sd_id128_in_set(with_key, _CRED_AUTO, _CRED_AUTO_INITRD))
830 return log_error_errno(r, "Failed read TPM PCR public key: %m");
831
832 log_debug_errno(r, "Failed to read TPM2 PCR public key, proceeding without: %m");
833 }
834 }
835
836 if (!pubkey)
837 tpm2_pubkey_pcr_mask = 0;
838
839 _cleanup_(tpm2_context_unrefp) Tpm2Context *tpm2_context = NULL;
840 r = tpm2_context_new(tpm2_device, &tpm2_context);
841 if (r < 0)
842 return log_error_errno(r, "Failed to create TPM2 context: %m");
843
844 r = tpm2_get_best_pcr_bank(tpm2_context, tpm2_hash_pcr_mask | tpm2_pubkey_pcr_mask, &tpm2_pcr_bank);
845 if (r < 0)
846 return log_error_errno(r, "Could not find best pcr bank: %m");
847
848 TPML_PCR_SELECTION tpm2_hash_pcr_selection;
849 tpm2_tpml_pcr_selection_from_mask(tpm2_hash_pcr_mask, tpm2_pcr_bank, &tpm2_hash_pcr_selection);
850
851 _cleanup_free_ Tpm2PCRValue *tpm2_hash_pcr_values = NULL;
852 size_t tpm2_n_hash_pcr_values;
853 r = tpm2_pcr_read(tpm2_context, &tpm2_hash_pcr_selection, &tpm2_hash_pcr_values, &tpm2_n_hash_pcr_values);
854 if (r < 0)
855 return log_error_errno(r, "Could not read PCR values: %m");
856
857 TPM2B_PUBLIC public;
858 if (pubkey) {
859 r = tpm2_tpm2b_public_from_pem(pubkey, pubkey_size, &public);
860 if (r < 0)
861 return log_error_errno(r, "Could not convert public key to TPM2B_PUBLIC: %m");
862 }
863
864 TPM2B_DIGEST tpm2_policy = TPM2B_DIGEST_MAKE(NULL, TPM2_SHA256_DIGEST_SIZE);
865 r = tpm2_calculate_sealing_policy(
866 tpm2_hash_pcr_values,
867 tpm2_n_hash_pcr_values,
868 pubkey ? &public : NULL,
869 /* use_pin= */ false,
870 /* pcrlock_policy= */ NULL,
871 &tpm2_policy);
872 if (r < 0)
873 return log_error_errno(r, "Could not calculate sealing policy digest: %m");
874
875 r = tpm2_seal(tpm2_context,
876 /* seal_key_handle= */ 0,
877 &tpm2_policy,
878 /* pin= */ NULL,
879 &tpm2_key, &tpm2_key_size,
880 &tpm2_blob, &tpm2_blob_size,
881 &tpm2_primary_alg,
882 /* ret_srk_buf= */ NULL,
883 /* ret_srk_buf_size= */ NULL);
884 if (r < 0) {
885 if (sd_id128_equal(with_key, _CRED_AUTO_INITRD))
886 log_warning("TPM2 present and used, but we didn't manage to talk to it. Credential will be refused if SecureBoot is enabled.");
887 else if (!sd_id128_equal(with_key, _CRED_AUTO))
888 return log_error_errno(r, "Failed to seal to TPM2: %m");
889
890 log_notice_errno(r, "TPM2 sealing didn't work, continuing without TPM2: %m");
891 }
892
893 tpm2_policy_hash_size = tpm2_policy.size;
894 tpm2_policy_hash = malloc(tpm2_policy_hash_size);
895 if (!tpm2_policy_hash)
896 return log_oom();
897 memcpy(tpm2_policy_hash, tpm2_policy.buffer, tpm2_policy_hash_size);
898
899 assert(tpm2_blob_size <= CREDENTIAL_FIELD_SIZE_MAX);
900 assert(tpm2_policy_hash_size <= CREDENTIAL_FIELD_SIZE_MAX);
901 }
902 #endif
903
904 if (sd_id128_in_set(with_key, _CRED_AUTO, _CRED_AUTO_INITRD)) {
905 /* Let's settle the key type in auto mode now. */
906
907 if (host_key && tpm2_key)
908 id = pubkey ? CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK : CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC;
909 else if (tpm2_key)
910 id = pubkey ? CRED_AES256_GCM_BY_TPM2_HMAC_WITH_PK : CRED_AES256_GCM_BY_TPM2_HMAC;
911 else if (host_key)
912 id = CRED_AES256_GCM_BY_HOST;
913 else if (sd_id128_equal(with_key, _CRED_AUTO_INITRD))
914 id = CRED_AES256_GCM_BY_TPM2_ABSENT;
915 else
916 return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
917 "TPM2 not available and host key located on temporary file system, no encryption key available.");
918 } else
919 id = with_key;
920
921 if (sd_id128_equal(id, CRED_AES256_GCM_BY_TPM2_ABSENT))
922 log_warning("Using a null key for encryption and signing. Confidentiality or authenticity will not be provided.");
923
924 /* Let's now take the host key and the TPM2 key and hash it together, to use as encryption key for the data */
925 r = sha256_hash_host_and_tpm2_key(host_key, host_key_size, tpm2_key, tpm2_key_size, md);
926 if (r < 0)
927 return r;
928
929 assert_se(cc = EVP_aes_256_gcm());
930
931 ksz = EVP_CIPHER_key_length(cc);
932 assert(ksz == sizeof(md));
933
934 bsz = EVP_CIPHER_block_size(cc);
935 assert(bsz > 0);
936 assert((size_t) bsz <= CREDENTIAL_FIELD_SIZE_MAX);
937
938 ivsz = EVP_CIPHER_iv_length(cc);
939 if (ivsz > 0) {
940 assert((size_t) ivsz <= CREDENTIAL_FIELD_SIZE_MAX);
941
942 iv = malloc(ivsz);
943 if (!iv)
944 return log_oom();
945
946 r = crypto_random_bytes(iv, ivsz);
947 if (r < 0)
948 return log_error_errno(r, "Failed to acquired randomized IV: %m");
949 }
950
951 tsz = 16; /* FIXME: On OpenSSL 3 there is EVP_CIPHER_CTX_get_tag_length(), until then let's hardcode this */
952
953 context = EVP_CIPHER_CTX_new();
954 if (!context)
955 return log_error_errno(SYNTHETIC_ERRNO(ENOMEM), "Failed to allocate encryption object: %s",
956 ERR_error_string(ERR_get_error(), NULL));
957
958 if (EVP_EncryptInit_ex(context, cc, NULL, md, iv) != 1)
959 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to initialize encryption context: %s",
960 ERR_error_string(ERR_get_error(), NULL));
961
962 /* Just an upper estimate */
963 output_size =
964 ALIGN8(offsetof(struct encrypted_credential_header, iv) + ivsz) +
965 ALIGN8(tpm2_key ? offsetof(struct tpm2_credential_header, policy_hash_and_blob) + tpm2_blob_size + tpm2_policy_hash_size : 0) +
966 ALIGN8(pubkey ? offsetof(struct tpm2_public_key_credential_header, data) + pubkey_size : 0) +
967 ALIGN8(offsetof(struct metadata_credential_header, name) + strlen_ptr(name)) +
968 input_size + 2U * (size_t) bsz +
969 tsz;
970
971 output = malloc0(output_size);
972 if (!output)
973 return log_oom();
974
975 h = (struct encrypted_credential_header*) output;
976 h->id = id;
977 h->block_size = htole32(bsz);
978 h->key_size = htole32(ksz);
979 h->tag_size = htole32(tsz);
980 h->iv_size = htole32(ivsz);
981 memcpy(h->iv, iv, ivsz);
982
983 p = ALIGN8(offsetof(struct encrypted_credential_header, iv) + ivsz);
984
985 if (tpm2_key) {
986 struct tpm2_credential_header *t;
987
988 t = (struct tpm2_credential_header*) ((uint8_t*) output + p);
989 t->pcr_mask = htole64(tpm2_hash_pcr_mask);
990 t->pcr_bank = htole16(tpm2_pcr_bank);
991 t->primary_alg = htole16(tpm2_primary_alg);
992 t->blob_size = htole32(tpm2_blob_size);
993 t->policy_hash_size = htole32(tpm2_policy_hash_size);
994 memcpy(t->policy_hash_and_blob, tpm2_blob, tpm2_blob_size);
995 memcpy(t->policy_hash_and_blob + tpm2_blob_size, tpm2_policy_hash, tpm2_policy_hash_size);
996
997 p += ALIGN8(offsetof(struct tpm2_credential_header, policy_hash_and_blob) + tpm2_blob_size + tpm2_policy_hash_size);
998 }
999
1000 if (pubkey) {
1001 struct tpm2_public_key_credential_header *z;
1002
1003 z = (struct tpm2_public_key_credential_header*) ((uint8_t*) output + p);
1004 z->pcr_mask = htole64(tpm2_pubkey_pcr_mask);
1005 z->size = htole32(pubkey_size);
1006 memcpy(z->data, pubkey, pubkey_size);
1007
1008 p += ALIGN8(offsetof(struct tpm2_public_key_credential_header, data) + pubkey_size);
1009 }
1010
1011 /* Pass the encrypted + TPM2 header as AAD */
1012 if (EVP_EncryptUpdate(context, NULL, &added, output, p) != 1)
1013 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to write AAD data: %s",
1014 ERR_error_string(ERR_get_error(), NULL));
1015
1016 /* Now construct the metadata header */
1017 ml = strlen_ptr(name);
1018 m = malloc0(ALIGN8(offsetof(struct metadata_credential_header, name) + ml));
1019 if (!m)
1020 return log_oom();
1021
1022 m->timestamp = htole64(timestamp);
1023 m->not_after = htole64(not_after);
1024 m->name_size = htole32(ml);
1025 memcpy_safe(m->name, name, ml);
1026
1027 /* And encrypt the metadata header */
1028 if (EVP_EncryptUpdate(context, (uint8_t*) output + p, &added, (const unsigned char*) m, ALIGN8(offsetof(struct metadata_credential_header, name) + ml)) != 1)
1029 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to encrypt metadata header: %s",
1030 ERR_error_string(ERR_get_error(), NULL));
1031
1032 assert(added >= 0);
1033 assert((size_t) added <= output_size - p);
1034 p += added;
1035
1036 /* Then encrypt the plaintext */
1037 if (EVP_EncryptUpdate(context, (uint8_t*) output + p, &added, input, input_size) != 1)
1038 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to encrypt data: %s",
1039 ERR_error_string(ERR_get_error(), NULL));
1040
1041 assert(added >= 0);
1042 assert((size_t) added <= output_size - p);
1043 p += added;
1044
1045 /* Finalize */
1046 if (EVP_EncryptFinal_ex(context, (uint8_t*) output + p, &added) != 1)
1047 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to finalize data encryption: %s",
1048 ERR_error_string(ERR_get_error(), NULL));
1049
1050 assert(added >= 0);
1051 assert((size_t) added <= output_size - p);
1052 p += added;
1053
1054 assert(p <= output_size - tsz);
1055
1056 /* Append tag */
1057 if (EVP_CIPHER_CTX_ctrl(context, EVP_CTRL_GCM_GET_TAG, tsz, (uint8_t*) output + p) != 1)
1058 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to get tag: %s",
1059 ERR_error_string(ERR_get_error(), NULL));
1060
1061 p += tsz;
1062 assert(p <= output_size);
1063
1064 if (DEBUG_LOGGING && input_size > 0) {
1065 size_t base64_size;
1066
1067 base64_size = DIV_ROUND_UP(p * 4, 3); /* Include base64 size increase in debug output */
1068 assert(base64_size >= input_size);
1069 log_debug("Input of %zu bytes grew to output of %zu bytes (+%2zu%%).", input_size, base64_size, base64_size * 100 / input_size - 100);
1070 }
1071
1072 *ret = TAKE_PTR(output);
1073 *ret_size = p;
1074
1075 return 0;
1076 }
1077
1078 int decrypt_credential_and_warn(
1079 const char *validate_name,
1080 usec_t validate_timestamp,
1081 const char *tpm2_device,
1082 const char *tpm2_signature_path,
1083 const void *input,
1084 size_t input_size,
1085 void **ret,
1086 size_t *ret_size) {
1087
1088 _cleanup_(erase_and_freep) void *host_key = NULL, *tpm2_key = NULL, *plaintext = NULL;
1089 _cleanup_(json_variant_unrefp) JsonVariant *signature_json = NULL;
1090 _cleanup_(EVP_CIPHER_CTX_freep) EVP_CIPHER_CTX *context = NULL;
1091 size_t host_key_size = 0, tpm2_key_size = 0, plaintext_size, p, hs;
1092 struct encrypted_credential_header *h;
1093 struct metadata_credential_header *m;
1094 uint8_t md[SHA256_DIGEST_LENGTH];
1095 bool with_tpm2, with_host_key, is_tpm2_absent, with_tpm2_pk;
1096 const EVP_CIPHER *cc;
1097 int r, added;
1098
1099 assert(input || input_size == 0);
1100 assert(ret);
1101 assert(ret_size);
1102
1103 h = (struct encrypted_credential_header*) input;
1104
1105 /* The ID must fit in, for the current and all future formats */
1106 if (input_size < sizeof(h->id))
1107 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Encrypted file too short.");
1108
1109 with_host_key = sd_id128_in_set(h->id, CRED_AES256_GCM_BY_HOST, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK);
1110 with_tpm2_pk = sd_id128_in_set(h->id, CRED_AES256_GCM_BY_TPM2_HMAC_WITH_PK, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK);
1111 with_tpm2 = sd_id128_in_set(h->id, CRED_AES256_GCM_BY_TPM2_HMAC, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC) || with_tpm2_pk;
1112 is_tpm2_absent = sd_id128_equal(h->id, CRED_AES256_GCM_BY_TPM2_ABSENT);
1113
1114 if (!with_host_key && !with_tpm2 && !is_tpm2_absent)
1115 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Unknown encryption format, or corrupted data: %m");
1116
1117 if (with_tpm2_pk) {
1118 r = tpm2_load_pcr_signature(tpm2_signature_path, &signature_json);
1119 if (r < 0)
1120 return log_error_errno(r, "Failed to load pcr signature: %m");
1121 }
1122
1123 if (is_tpm2_absent) {
1124 /* So this is a credential encrypted with a zero length key. We support this to cover for the
1125 * case where neither a host key not a TPM2 are available (specifically: initrd environments
1126 * where the host key is not yet accessible and no TPM2 chip exists at all), to minimize
1127 * different codeflow for TPM2 and non-TPM2 codepaths. Of course, credentials encoded this
1128 * way offer no confidentiality nor authenticity. Because of that it's important we refuse to
1129 * use them on systems that actually *do* have a TPM2 chip – if we are in SecureBoot
1130 * mode. Otherwise an attacker could hand us credentials like this and we'd use them thinking
1131 * they are trusted, even though they are not. */
1132
1133 if (efi_has_tpm2()) {
1134 if (is_efi_secure_boot())
1135 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG),
1136 "Credential uses fixed key for fallback use when TPM2 is absent — but TPM2 is present, and SecureBoot is enabled, refusing.");
1137
1138 log_warning("Credential uses fixed key for use when TPM2 is absent, but TPM2 is present! Accepting anyway, since SecureBoot is disabled.");
1139 } else
1140 log_debug("Credential uses fixed key for use when TPM2 is absent, and TPM2 indeed is absent. Accepting.");
1141 }
1142
1143 /* Now we know the minimum header size */
1144 if (input_size < offsetof(struct encrypted_credential_header, iv))
1145 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Encrypted file too short.");
1146
1147 /* Verify some basic header values */
1148 if (le32toh(h->key_size) != sizeof(md))
1149 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Unexpected key size in header.");
1150 if (le32toh(h->block_size) <= 0 || le32toh(h->block_size) > CREDENTIAL_FIELD_SIZE_MAX)
1151 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Unexpected block size in header.");
1152 if (le32toh(h->iv_size) > CREDENTIAL_FIELD_SIZE_MAX)
1153 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "IV size too large.");
1154 if (le32toh(h->tag_size) != 16) /* FIXME: On OpenSSL 3, let's verify via EVP_CIPHER_CTX_get_tag_length() */
1155 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Unexpected tag size in header.");
1156
1157 /* Ensure we have space for the full header now (we don't know the size of the name hence this is a
1158 * lower limit only) */
1159 if (input_size <
1160 ALIGN8(offsetof(struct encrypted_credential_header, iv) + le32toh(h->iv_size)) +
1161 ALIGN8(with_tpm2 ? offsetof(struct tpm2_credential_header, policy_hash_and_blob) : 0) +
1162 ALIGN8(with_tpm2_pk ? offsetof(struct tpm2_public_key_credential_header, data) : 0) +
1163 ALIGN8(offsetof(struct metadata_credential_header, name)) +
1164 le32toh(h->tag_size))
1165 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Encrypted file too short.");
1166
1167 p = ALIGN8(offsetof(struct encrypted_credential_header, iv) + le32toh(h->iv_size));
1168
1169 if (with_tpm2) {
1170 #if HAVE_TPM2
1171 struct tpm2_credential_header* t = (struct tpm2_credential_header*) ((uint8_t*) input + p);
1172 struct tpm2_public_key_credential_header *z = NULL;
1173
1174 if (!TPM2_PCR_MASK_VALID(t->pcr_mask))
1175 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "TPM2 PCR mask out of range.");
1176 if (!tpm2_hash_alg_to_string(le16toh(t->pcr_bank)))
1177 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "TPM2 PCR bank invalid or not supported");
1178 if (!tpm2_asym_alg_to_string(le16toh(t->primary_alg)))
1179 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "TPM2 primary key algorithm invalid or not supported.");
1180 if (le32toh(t->blob_size) > CREDENTIAL_FIELD_SIZE_MAX)
1181 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Unexpected TPM2 blob size.");
1182 if (le32toh(t->policy_hash_size) > CREDENTIAL_FIELD_SIZE_MAX)
1183 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Unexpected TPM2 policy hash size.");
1184
1185 /* Ensure we have space for the full TPM2 header now (still don't know the name, and its size
1186 * though, hence still just a lower limit test only) */
1187 if (input_size <
1188 ALIGN8(offsetof(struct encrypted_credential_header, iv) + le32toh(h->iv_size)) +
1189 ALIGN8(offsetof(struct tpm2_credential_header, policy_hash_and_blob) + le32toh(t->blob_size) + le32toh(t->policy_hash_size)) +
1190 ALIGN8(with_tpm2_pk ? offsetof(struct tpm2_public_key_credential_header, data) : 0) +
1191 ALIGN8(offsetof(struct metadata_credential_header, name)) +
1192 le32toh(h->tag_size))
1193 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Encrypted file too short.");
1194
1195 p += ALIGN8(offsetof(struct tpm2_credential_header, policy_hash_and_blob) +
1196 le32toh(t->blob_size) +
1197 le32toh(t->policy_hash_size));
1198
1199 if (with_tpm2_pk) {
1200 z = (struct tpm2_public_key_credential_header*) ((uint8_t*) input + p);
1201
1202 if (!TPM2_PCR_MASK_VALID(le64toh(z->pcr_mask)) || le64toh(z->pcr_mask) == 0)
1203 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "TPM2 PCR mask out of range.");
1204 if (le32toh(z->size) > PUBLIC_KEY_MAX)
1205 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Unexpected public key size.");
1206
1207 if (input_size <
1208 ALIGN8(offsetof(struct encrypted_credential_header, iv) + le32toh(h->iv_size)) +
1209 ALIGN8(offsetof(struct tpm2_credential_header, policy_hash_and_blob) + le32toh(t->blob_size) + le32toh(t->policy_hash_size)) +
1210 ALIGN8(offsetof(struct tpm2_public_key_credential_header, data) + le32toh(z->size)) +
1211 ALIGN8(offsetof(struct metadata_credential_header, name)) +
1212 le32toh(h->tag_size))
1213 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Encrypted file too short.");
1214
1215 p += ALIGN8(offsetof(struct tpm2_public_key_credential_header, data) +
1216 le32toh(z->size));
1217 }
1218
1219 _cleanup_(tpm2_context_unrefp) Tpm2Context *tpm2_context = NULL;
1220 r = tpm2_context_new(tpm2_device, &tpm2_context);
1221 if (r < 0)
1222 return r;
1223
1224 // TODO: Add the SRK data to the credential structure so it can be plumbed
1225 // through and used to verify the TPM session.
1226 r = tpm2_unseal(tpm2_context,
1227 le64toh(t->pcr_mask),
1228 le16toh(t->pcr_bank),
1229 z ? z->data : NULL,
1230 z ? le32toh(z->size) : 0,
1231 z ? le64toh(z->pcr_mask) : 0,
1232 signature_json,
1233 /* pin= */ NULL,
1234 /* pcrlock_policy= */ NULL,
1235 le16toh(t->primary_alg),
1236 t->policy_hash_and_blob,
1237 le32toh(t->blob_size),
1238 t->policy_hash_and_blob + le32toh(t->blob_size),
1239 le32toh(t->policy_hash_size),
1240 /* srk_buf= */ NULL,
1241 /* srk_buf_size= */ 0,
1242 &tpm2_key,
1243 &tpm2_key_size);
1244 if (r < 0)
1245 return log_error_errno(r, "Failed to unseal secret using TPM2: %m");
1246 #else
1247 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Credential requires TPM2 support, but TPM2 support not available.");
1248 #endif
1249 }
1250
1251 if (with_host_key) {
1252 r = get_credential_host_secret(
1253 0,
1254 &host_key,
1255 &host_key_size);
1256 if (r < 0)
1257 return log_error_errno(r, "Failed to determine local credential key: %m");
1258 }
1259
1260 if (is_tpm2_absent)
1261 log_warning("Warning: using a null key for decryption and authentication. Confidentiality or authenticity are not provided.");
1262
1263 sha256_hash_host_and_tpm2_key(host_key, host_key_size, tpm2_key, tpm2_key_size, md);
1264
1265 assert_se(cc = EVP_aes_256_gcm());
1266
1267 /* Make sure cipher expectations match the header */
1268 if (EVP_CIPHER_key_length(cc) != (int) le32toh(h->key_size))
1269 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Unexpected key size in header.");
1270 if (EVP_CIPHER_block_size(cc) != (int) le32toh(h->block_size))
1271 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Unexpected block size in header.");
1272
1273 context = EVP_CIPHER_CTX_new();
1274 if (!context)
1275 return log_error_errno(SYNTHETIC_ERRNO(ENOMEM), "Failed to allocate decryption object: %s",
1276 ERR_error_string(ERR_get_error(), NULL));
1277
1278 if (EVP_DecryptInit_ex(context, cc, NULL, NULL, NULL) != 1)
1279 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to initialize decryption context: %s",
1280 ERR_error_string(ERR_get_error(), NULL));
1281
1282 if (EVP_CIPHER_CTX_ctrl(context, EVP_CTRL_GCM_SET_IVLEN, le32toh(h->iv_size), NULL) != 1)
1283 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to set IV size on decryption context: %s",
1284 ERR_error_string(ERR_get_error(), NULL));
1285
1286 if (EVP_DecryptInit_ex(context, NULL, NULL, md, h->iv) != 1)
1287 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to set IV and key: %s",
1288 ERR_error_string(ERR_get_error(), NULL));
1289
1290 if (EVP_DecryptUpdate(context, NULL, &added, input, p) != 1)
1291 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to write AAD data: %s",
1292 ERR_error_string(ERR_get_error(), NULL));
1293
1294 plaintext = malloc(input_size - p - le32toh(h->tag_size));
1295 if (!plaintext)
1296 return -ENOMEM;
1297
1298 if (EVP_DecryptUpdate(
1299 context,
1300 plaintext,
1301 &added,
1302 (uint8_t*) input + p,
1303 input_size - p - le32toh(h->tag_size)) != 1)
1304 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to decrypt data: %s",
1305 ERR_error_string(ERR_get_error(), NULL));
1306
1307 assert(added >= 0);
1308 assert((size_t) added <= input_size - p - le32toh(h->tag_size));
1309 plaintext_size = added;
1310
1311 if (EVP_CIPHER_CTX_ctrl(context, EVP_CTRL_GCM_SET_TAG, le32toh(h->tag_size), (uint8_t*) input + input_size - le32toh(h->tag_size)) != 1)
1312 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to set tag: %s",
1313 ERR_error_string(ERR_get_error(), NULL));
1314
1315 if (EVP_DecryptFinal_ex(context, (uint8_t*) plaintext + plaintext_size, &added) != 1)
1316 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Decryption failed (incorrect key?): %s",
1317 ERR_error_string(ERR_get_error(), NULL));
1318
1319 plaintext_size += added;
1320
1321 if (plaintext_size < ALIGN8(offsetof(struct metadata_credential_header, name)))
1322 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Metadata header incomplete.");
1323
1324 m = plaintext;
1325
1326 if (le64toh(m->timestamp) != USEC_INFINITY &&
1327 le64toh(m->not_after) != USEC_INFINITY &&
1328 le64toh(m->timestamp) >= le64toh(m->not_after))
1329 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Timestamps of credential are not in order, refusing.");
1330
1331 if (le32toh(m->name_size) > CREDENTIAL_NAME_MAX)
1332 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Embedded credential name too long, refusing.");
1333
1334 hs = ALIGN8(offsetof(struct metadata_credential_header, name) + le32toh(m->name_size));
1335 if (plaintext_size < hs)
1336 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Metadata header incomplete.");
1337
1338 if (le32toh(m->name_size) > 0) {
1339 _cleanup_free_ char *embedded_name = NULL;
1340
1341 r = make_cstring(m->name, le32toh(m->name_size), MAKE_CSTRING_REFUSE_TRAILING_NUL, &embedded_name);
1342 if (r < 0)
1343 return log_error_errno(r, "Unable to convert embedded credential name to C string: %m");
1344
1345 if (!credential_name_valid(embedded_name))
1346 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Embedded credential name is not valid, refusing.");
1347
1348 if (validate_name && !streq(embedded_name, validate_name)) {
1349
1350 r = getenv_bool_secure("SYSTEMD_CREDENTIAL_VALIDATE_NAME");
1351 if (r < 0 && r != -ENXIO)
1352 log_debug_errno(r, "Failed to parse $SYSTEMD_CREDENTIAL_VALIDATE_NAME: %m");
1353 if (r != 0)
1354 return log_error_errno(SYNTHETIC_ERRNO(EREMOTE), "Embedded credential name '%s' does not match filename '%s', refusing.", embedded_name, validate_name);
1355
1356 log_debug("Embedded credential name '%s' does not match expected name '%s', but configured to use credential anyway.", embedded_name, validate_name);
1357 }
1358 }
1359
1360 if (validate_timestamp != USEC_INFINITY) {
1361 if (le64toh(m->timestamp) != USEC_INFINITY && le64toh(m->timestamp) > validate_timestamp)
1362 log_debug("Credential timestamp is from the future, assuming clock skew.");
1363
1364 if (le64toh(m->not_after) != USEC_INFINITY && le64toh(m->not_after) < validate_timestamp) {
1365
1366 r = getenv_bool_secure("SYSTEMD_CREDENTIAL_VALIDATE_NOT_AFTER");
1367 if (r < 0 && r != -ENXIO)
1368 log_debug_errno(r, "Failed to parse $SYSTEMD_CREDENTIAL_VALIDATE_NOT_AFTER: %m");
1369 if (r != 0)
1370 return log_error_errno(SYNTHETIC_ERRNO(ESTALE), "Credential's time passed, refusing to use.");
1371
1372 log_debug("Credential not-after timestamp has passed, but configured to use credential anyway.");
1373 }
1374 }
1375
1376 if (ret) {
1377 char *without_metadata;
1378
1379 without_metadata = memdup((uint8_t*) plaintext + hs, plaintext_size - hs);
1380 if (!without_metadata)
1381 return log_oom();
1382
1383 *ret = without_metadata;
1384 }
1385
1386 if (ret_size)
1387 *ret_size = plaintext_size - hs;
1388
1389 return 0;
1390 }
1391
1392 #else
1393
1394 int get_credential_host_secret(CredentialSecretFlags flags, void **ret, size_t *ret_size) {
1395 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Support for encrypted credentials not available.");
1396 }
1397
1398 int encrypt_credential_and_warn(sd_id128_t with_key, const char *name, usec_t timestamp, usec_t not_after, const char *tpm2_device, uint32_t tpm2_hash_pcr_mask, const char *tpm2_pubkey_path, uint32_t tpm2_pubkey_pcr_mask, const void *input, size_t input_size, void **ret, size_t *ret_size) {
1399 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Support for encrypted credentials not available.");
1400 }
1401
1402 int decrypt_credential_and_warn(const char *validate_name, usec_t validate_timestamp, const char *tpm2_device, const char *tpm2_signature_path, const void *input, size_t input_size, void **ret, size_t *ret_size) {
1403 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Support for encrypted credentials not available.");
1404 }
1405
1406 #endif
Unnamed repository; edit this file 'description' to name the repository.